CVE-2022-37140

# Exploit Title: PayMoney 3.3 is vulnerable to Client Side Remote Code Execution (RCE).
# Date: 24/07/2022
# Exploit Author: saitamang
# Vendor Homepage: https://paymoney.techvill.org/
# Software Link: https://paymoney.techvill.org/
# Version: 3.3

Description

The paymoney.techvill.org system suffers from client-side Remote Code Execution (RCE) through the upload of a malicious RTF file. The vulnerability exists in the reply-ticket function, which accepts the malicious file as an attachment. When a victim downloads the attachment and opens the RTF file, a calculator opens.

Attack Vector

  1. The attacker creates the malicious macro file.

  2. The file is then uploaded as a ticket reply attachment.

  3. If a user downloads the file and opens it, the file is executed and client-side RCE is obtained.

  4. The RCE executes on the client side, not on the server.

CVE-2022-37137

# Exploit Title: PayMoney 3.3 is vulnerable to Stored Cross-Site Scripting (XSS) during replying the ticket
# Date: 24/07/2022
# Exploit Author: saitamang
# Vendor Homepage: https://paymoney.techvill.org/
# Software Link: https://paymoney.techvill.org/
# Version: 3.3

Description

Stored XSS is obtained by injecting a specially crafted payload into the "Message" field (sent as the "description" parameter) when replying to a ticket. The payload then fires immediately after the reply is posted, and again whenever the ticket is opened through the view-ticket function.

Attack Vector

  1. The user must first create a ticket.

  2. Then, while replying to the ticket, inject the payload below into the "Message" field (the "description" parameter) to obtain Stored Cross-Site Scripting (XSS):
"><svg/onload=alert(document.cookie)>

  3. The XSS fires on submission and can also be triggered from the view-ticket function.
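The defect described above is a missing output encoding on the stored "description" value. The following is an added example, not code from the PayMoney project or from the POC author: it assumes the reply is sent as an x-www-form-urlencoded body, extracts the "description" parameter, flags markup that should never appear in a plain-text ticket message, and contrasts the unencoded rendering with the HTML-escaped one. The request bodies are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample ticket-reply bodies (not captured from a real PayMoney instance).
SAMPLE_BODIES = [
    "description=Hello%2C+my+payment+failed",
    "description=%22%3E%3Csvg%2Fonload%3Dalert%28document.cookie%29%3E",
]

# Tags and inline event handlers have no place in a plain-text support message.
XSS_PATTERN = re.compile(r"<\s*(script|svg|img|iframe)\b|\bon\w+\s*=", re.IGNORECASE)


def ticket_description(body: str) -> str:
    """Return the decoded 'description' parameter from a form-encoded reply body."""
    return parse_qs(body).get("description", [""])[0]


def is_suspicious(description: str) -> bool:
    """Detection: True when the stored message contains markup or an event handler."""
    return bool(XSS_PATTERN.search(description))


def flag_suspicious(bodies: list[str]) -> list[str]:
    """Return the decoded descriptions from `bodies` that trip the detection rule."""
    return [d for d in map(ticket_description, bodies) if is_suspicious(d)]


def render_vulnerable(description: str) -> str:
    """The reported behaviour: stored text is placed into the page unchanged."""
    return f'<div class="ticket-message">{description}</div>'


def render_safe(description: str) -> str:
    """Mitigation: escape at output time so the text cannot break out of the element."""
    return f'<div class="ticket-message">{html.escape(description, quote=True)}</div>'


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        desc = ticket_description(body)
        print(is_suspicious(desc), render_safe(desc))
```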